[PATCH] strongswan: enable more sensible defaults.

  • Done
Details
2 participants
  • Domagoj Stolfa
  • Tobias Geerinckx-Rice
Owner
unassigned
Submitted by
Domagoj Stolfa
Severity
normal
Domagoj Stolfa wrote on 24 May 2021 17:35
(address . guix-patches@gnu.org)
YKvHpny1wBT6pjja@pepehands
Presently, the strongswan defaults are too minimal to be used with most
common VPN setups. This commit enables support for a number of things
that should make strongswan much more usable in Guix. It also explicitly
disables AESNI in order to not rely on an Intel implementation.
---
gnu/packages/networking.scm | 52 +++++++++++++++++++++++++++++++++++--
1 file changed, 50 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 8bcaa98fbb..1ce7adfde9 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2863,14 +2863,62 @@ displays the results in real time.")
(list
;; Disable bsd-4 licensed plugins.
"--disable-des"
- "--disable-blowfish")))
+ "--disable-blowfish"
+ ;; Disable AESNI
+ "--disable-aesni"
+ ;; Disable systemd
+ "--disable-systemd"
+ ;; Don't use mysql or OpenLDAP
+ "--disable-mysql"
+ "--disable-ldap"
+ ;; Enable the rest needed for a sensible configuration
+ "--enable-attr-sql"
+ "--enable-chapoly"
+ "--enable-curl"
+ "--enable-dhcp"
+ "--enable-farp"
+ "--enable-md4"
+ "--enable-eap-aka"
+ "--enable-eap-aka-3gpp"
+ "--enable-eap-dynamic"
+ "--enable-eap-identity"
+ "--enable-eap-md5"
+ "--enable-eap-mschapv2"
+ "--enable-eap-peap"
+ "--enable-eap-radius"
+ "--enable-eap-sim"
+ "--enable-eap-sim-file"
+ "--enable-eap-simaka-pseudonym"
+ "--enable-eap-simaka-reauth"
+ "--enable-eap-simaka-sql"
+ "--enable-eap-tls"
+ "--enable-eap-tnc"
+ "--enable-eap-ttls"
+ "--enable-xauth-eap"
+ "--enable-ext-auth"
+ "--enable-led"
+ "--enable-ha"
+ "--enable-mediation"
+ "--enable-soup"
+ "--enable-sql"
+ "--enable-sqlite"
+ "--enable-openssl"
+ "--enable-xauth-eap"
+ "--enable-xauth-noauth"
+ "--enable-xauth-pam"
+ ;; Use libcap by default
+ "--with-capabilities=libcap")))
(inputs
`(("curl" ,curl)
("gmp" ,gmp)
("libgcrypt" ,libgcrypt)
- ("openssl" ,openssl)))
+ ("openssl" ,openssl)
+ ("libsoup" ,libsoup)
+ ("libcap" ,libcap)
+ ("linux-pam" ,linux-pam)))
(native-inputs
`(("coreutils" ,coreutils)
+ ("pkg-config" ,pkg-config)
("tzdata" ,tzdata-for-tests)))
(synopsis "IKEv1/v2 keying daemon")
(description "StrongSwan is an IPsec implementation originally based upon
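Review bot: "--enable-xauth-eap" is passed twice in the added flag list, once after "--enable-eap-ttls" and again after "--enable-openssl"; drop one of them and sort the list alphabetically so a repeated flag is easy to spot. The ";; Disable AESNI" comment only restates the flag: the reason given in the commit message (not relying on an Intel implementation) should be recorded in the comment itself, and since "--enable-openssl" is turned on in the same list it would help to say which plugin is expected to provide AES in its place.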
--
2.31.1


Domagoj Stolfa wrote on 24 May 2021 22:11
(address . 48626@debbugs.gnu.org)
YKwIizUy3VHw2L/4@pepehands
Presently, the strongswan defaults are too minimal to be used with most
common VPN setups. This commit enables support for a number of things
that should make strongswan much more usable in Guix.
---
gnu/packages/networking.scm | 47 +++++++++++++++++++++++++++++++++++--
1 file changed, 45 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 8bcaa98fbb..bfaf8a8535 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2861,16 +2861,59 @@ displays the results in real time.")
#t)))
#:configure-flags
(list
- ;; Disable bsd-4 licensed plugins.
+ ;; Disable bsd-4 licensed plugins (Blowfish, DES).
+ "--disable-blowfish"
"--disable-des"
- "--disable-blowfish")))
+ "--disable-ldap"
+ "--disable-mysql"
+ "--disable-systemd"
+ "--enable-aesni"
+ "--enable-attr-sql"
+ "--enable-chapoly"
+ "--enable-curl"
+ "--enable-dhcp"
+ "--enable-eap-aka"
+ "--enable-eap-aka-3gpp"
+ "--enable-eap-dynamic"
+ "--enable-eap-identity"
+ "--enable-eap-md5"
+ "--enable-eap-mschapv2"
+ "--enable-eap-peap"
+ "--enable-eap-radius"
+ "--enable-eap-sim"
+ "--enable-eap-sim-file"
+ "--enable-eap-simaka-pseudonym"
+ "--enable-eap-simaka-reauth"
+ "--enable-eap-simaka-sql"
+ "--enable-eap-tls"
+ "--enable-eap-tnc"
+ "--enable-eap-ttls"
+ "--enable-ext-auth"
+ "--enable-farp"
+ "--enable-ha"
+ "--enable-led"
+ "--enable-md4"
+ "--enable-mediation"
+ "--enable-openssl"
+ "--enable-soup"
+ "--enable-sql"
+ "--enable-sqlite"
+ "--enable-xauth-eap"
+ "--enable-xauth-noauth"
+ "--enable-xauth-pam"
+ ;; Use libcap by default
+ "--with-capabilities=libcap")))
(inputs
`(("curl" ,curl)
("gmp" ,gmp)
+ ("libcap" ,libcap)
("libgcrypt" ,libgcrypt)
+ ("libsoup" ,libsoup)
+ ("linux-pam" ,linux-pam)
("openssl" ,openssl)))
(native-inputs
`(("coreutils" ,coreutils)
+ ("pkg-config" ,pkg-config)
("tzdata" ,tzdata-for-tests)))
(synopsis "IKEv1/v2 keying daemon")
(description "StrongSwan is an IPsec implementation originally based upon
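Review bot: The comment ";; Disable bsd-4 licensed plugins (Blowfish, DES)." now heads the whole flag list, so "--disable-ldap", "--disable-mysql", "--disable-systemd" and every "--enable-*" flag read as if it covered them; put a separate comment before "--disable-ldap" saying why those three are off, and another before the enabled plugins. Among the enabled ones, "--enable-xauth-noauth", "--enable-eap-md5" and "--enable-md4" build weak or no-authentication mechanisms into the default package and deserve a per-flag justification. "--enable-sqlite" is added without a sqlite entry in the inputs list shown here, so confirm where that library comes from.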
--
2.31.1


Tobias Geerinckx-Rice wrote on 6 Jun 2021 15:44
(name . Domagoj Stolfa)(address . ds815@gmx.com)(address . 48626-done@debbugs.gnu.org)
87y2bnt8dl.fsf@nckx
Domagoj,

Domagoj Stolfa wrote:
> Presently, the strongswan defaults are too minimal to be used
> with most
> common VPN setups. This commit enables support for a number of
> things
> that should make strongswan much more usable in Guix.

Thanks! I moved this to a comment, added a commit message
following our conventions[0], and pushed it as
77056478a2de22db6613d24ed37f7496afba42db.

Kind regards,

T G-R

[0]: Of course this one's bonkers because of all the options,
which probably don't need to be explicitly listed, but what else
are computers for than to automate such things.
