Bug 301813 - net-misc/openswan-2.6.25 version bump
Summary: net-misc/openswan-2.6.25 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High enhancement
Assignee: Alin Năstac (RETIRED)
URL: http://www.openswan.org/download/
Whiteboard:
Keywords:
Duplicates: 310153
Depends on:
Blocks:
Reported: 2010-01-22 08:36 UTC by Azamat H. Hackimov
Modified: 2010-08-15 20:54 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
openswan-2.6.25-sandbox.patch (openswan-2.6.25-sandbox.patch,637 bytes, patch)
2010-04-29 15:59 UTC, Azamat H. Hackimov
openswan-2.6.26 ebuild (openswan-2.6.26.ebuild,5.02 KB, text/plain)
2010-06-13 19:00 UTC, Mike Kazantsev
https://bugs.xelerance.com/issues/1112 (openswan-2.6.26-KLIPS-PFKEY-prototypes.patch,1.19 KB, patch)
2010-06-13 19:01 UTC, Mike Kazantsev
Patch ebuild to -r1: Fix filenames (openswan-2.6.26-r1.ebuild.diff,811 bytes, patch)
2010-07-13 05:19 UTC, Christopher Byrne
openswan 2.6.27 ebuild (openswan-2.6.27.ebuild,5.06 KB, text/plain)
2010-07-18 17:32 UTC, Christopher Byrne

Description Azamat H. Hackimov 2010-01-22 08:36:01 UTC
ChangeLog also says:
* Bugtracker bugs fixed:
 #1004: L2TP broken with NAT'ed clients [dhr/Tuomo/Paul]

Don't forget about /usr/portage/profiles/package.mask :).
Comment 1 Artur Frysiak 2010-03-19 13:24:57 UTC
*** Bug 310153 has been marked as a duplicate of this bug. ***
Comment 2 Artur Frysiak 2010-03-22 10:02:09 UTC
2.6.25 released on 2010/03/21
Comment 3 yegle 2010-04-28 10:55:09 UTC
Just moving openswan-2.6.23-r2.ebuild to openswan-2.6.25.ebuild doesn't work.

There will be a sandbox warning, and /etc/init.d/ipsec doesn't work.

Hope someone can provide an ebuild ASAP, thx :-)
Comment 4 Azamat H. Hackimov 2010-04-29 15:23:28 UTC
(In reply to comment #3)
> Just moving openswan-2.6.23-r2.ebuild to openswan-2.6.25.ebuild doesn't work.
> 
> There will be a sandbox warning, and /etc/init.d/ipsec doesn't work.
> 
> Hope someone can provide an ebuild ASAP, thx :-)
> 
Which USE flags did you merge openswan with?
Comment 5 yegle 2010-04-29 15:26:50 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > Just moving openswan-2.6.23-r2.ebuild to openswan-2.6.25.ebuild doesn't work.
> > 
> > There will be a sandbox warning, and /etc/init.d/ipsec doesn't work.
> > 
> > Hope someone can provide an ebuild ASAP, thx :-)
> > 
> Which USE flags did you merge openswan with?
>
-curl -extra-algorithms -ldap -ms-bad-proposal -nocrypto-algorithms -smartcard -weak-algorithms

Comment 6 Azamat H. Hackimov 2010-04-29 15:59:45 UTC
Created attachment 229693
openswan-2.6.25-sandbox.patch

OK, this patch will fix sandbox violation.
It seems upstream tried to add some "uninstall" actions for previous versions.
Comment 7 Mike Kazantsev 2010-06-13 15:45:27 UTC
Note that since v2.6.23 (inclusive), quote "Removed old USE_SMARTCARD code. Smartcards are now supported via NSS".
There is no USE_SMARTCARD check in Makefile anymore, so the ebuild flag is bogus, same for ebuild handling of it, since it no longer makes any difference. There seems to be no USE_LIBNSS flag on the other hand, and it's off by default, so I'd say it makes sense to completely replace "smartcard" flag with "nss".

Also, there seem to be no ebuild flags for lots of features openswan has in Makefile.inc these days (as of 2.6.26): XAuth system (http://wiki.openswan.org/index.php/Openswan/XAUTH), posix capabilities (via libcap-ng), Network Manager, openssl.
Comment 8 Mike Kazantsev 2010-06-13 18:59:30 UTC
I've hacked up a working ebuild for 2.6.26, and it's far from perfect. Most things there should apply to 2.6.25 as well.

A few notes:
 * This version suffers from https://bugs.xelerance.com/issues/1112, if KLIPS is disabled in favor of native NETKEY Linux kernel-level IPSec support from KAME project.
 * "-lnss3" hard-coded in Makefiles fails w/o "-L/usr/lib/nss", include paths there are also wrong ("/usr/include/nss3", "/usr/include/nspr4"). I don't know any other way to fix these but patch or find/sed, the latter is used, which is probably wrong.
 * xmlto seems to fail to generate some manpages, resulting in errors in "mv" afterwards (programs/Makefile.manpages), I've just added "|| true" to skip these, but I guess the right way would be to fix either xmls or xmlto tool.
 * I've removed all 2.4 stuff from ebuild since it wasn't needed in my case, and judging by how it works with 2.6, I bet it needs some testing at least.
 * "weak" and "nocrypto" flags are dropped there as well.
 * It's possible to add fipscheck flag, but it needs dependency (https://fedorahosted.org/fipscheck/) and fips support in openssl.
 * openssl flag allows linking against libcrypto instead of using bundled hashing functions.
 * As noted above, "smartcard" flag is obsolete since 2.6.23 in favor of nss.
Comment 9 Mike Kazantsev 2010-06-13 19:00:45 UTC
Created attachment 235201
openswan-2.6.26 ebuild
Comment 10 Mike Kazantsev 2010-06-13 19:01:38 UTC
Created attachment 235203
https://bugs.xelerance.com/issues/1112
Comment 11 Christopher Byrne 2010-07-13 05:19:34 UTC
Created attachment 238549
Patch ebuild to -r1: Fix filenames

Actually, this ebuild doesn't work as-is: a few of the patches it pulls in have the wrong version numbers, and the names of the init scripts it pulls in are wrong too.

This patch fixes all these problems and compiles successfully.
Comment 12 Christopher Byrne 2010-07-18 17:32:52 UTC
Created attachment 239281
openswan 2.6.27 ebuild

Update to latest openswan, also fixes https://gsoc.xelerance.com/issues/1074
Comment 13 Alin Năstac (RETIRED) gentoo-dev 2010-08-15 20:54:54 UTC
Version 2.6.28 is now in the tree. It is still masked because I didn't have the time to test it properly; I will probably unmask it in a week or so.

smartcard USE flag was replaced with nss.
ssl USE flag was added.
Kernel 2.4 support was not removed, and neither were the weak and nocrypto options.
xmlto worked fine in my case so I changed nothing regarding that.
PFKEY prototypes patch looks more like warning cleanup to me, better to let upstream deal with it.