Bug 365077 - net-firewall/ipsec-tools-0.8.0: version bump
Summary: net-firewall/ipsec-tools-0.8.0: version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Anthony Basile
Reported: 2011-04-27 12:23 UTC by cilly
Modified: 2012-03-06 02:06 UTC

Attachments
ipsec-tools-0.8.0.ebuild (ipsec-tools-0.8.0.ebuild,5.58 KB, application/octet-stream)
2011-06-06 20:45 UTC, Jaco Kroon
ipsec-tools-def-psk.patch (ipsec-tools-def-psk.patch,907 bytes, patch)
2011-06-06 20:45 UTC, Jaco Kroon
Description cilly 2011-04-27 12:23:33 UTC
Version history:
----------------
0.8	- 18 March 2011
	o Fix authentication method ambiguity with kerberos and xauth
	o RFC2253 compliant escaping of asn1dn identifiers (Cyrus Rahman)
	o Local address code rewrite to speed things up
	o Improved MIPv6 support (Arnaud Ebalard)
	o ISAKMP SA (phase1) rekeying
	o Improved scheduler (faster algorithm, support monotonic clock)
	o Handle RESPONDER-LIFETIME in quick mode
	o Handle INITIAL-CONTACT in from main mode too
	o Rewritten event handling framework for admin port
	o Ability to initiate IPsec SA through admin port
	o NAT-T Original Address handling (transport mode NAT-T support)
	o clean NAT-T - PFkey support
	o support for multiple anonymous remoteconfs
	o Remove various obsolete configuration options
	o A lot of other bug fixes, performance improvements and clean ups
Comment 1 Jaco Kroon 2011-06-06 20:45:33 UTC
Created attachment 276049 [details]
ipsec-tools-0.8.0.ebuild

I can confirm.

In particular I'm after the improved NAT-T support.

I've also got a patch that I refer to as "default PSK", which will look up a "*" in psk.txt should it fail to look up the remote ID as well as the peer IP in psk.txt (This creates roadwarrior type setup with a PSK to which Windows clients can more readily connect without requiring PKI).

Other than that the single patch that was part of the ebuild is now removed and those are the only two effective changes that I've made.  Will attach my patch shortly, the two conf.d and init.d files remain identical although I would request that the default -4 for RACOON_OPTS please be removed.
Comment 2 Jaco Kroon 2011-06-06 20:45:58 UTC
Created attachment 276051 [details, diff]
ipsec-tools-def-psk.patch
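
The lookup order described in comment 1 (remote ID, then peer IP, then a `*` entry), as an added example; it is not the attached patch or racoon's own code. The function names, the `psk_src` enum and the sample `psk.txt` contents are constructed for illustration, and keys are assumed to contain no whitespace.

```c
#include <stdio.h>
#include <string.h>

/* Constructed psk.txt contents: "<identifier> <key>" per line, '#' comments. */
static const char SAMPLE_PSK[] =
    "# constructed sample, not a real key file\n"
    "gw.example.org  site-key\n"
    "192.0.2.10\taddr-key\n"
    "*  roadwarrior-key\n";

enum psk_src { PSK_NONE, PSK_BY_ID, PSK_BY_ADDR, PSK_WILDCARD };

/* Find one identifier in the table and copy its key to out; 1 on a match. */
static int find_key(const char *table, const char *want, char *out, size_t outlen)
{
    for (const char *p = table; *p; ) {
        char line[256], id[128], key[128];
        size_t len = strcspn(p, "\n");
        /* Work on a copy of the line so sscanf cannot read into the next one. */
        snprintf(line, sizeof line, "%.*s", (int)len, p);
        if (sscanf(line, "%127s %127s", id, key) == 2 && id[0] != '#'
            && strcmp(id, want) == 0) {
            snprintf(out, outlen, "%s", key);
            return 1;
        }
        p += len;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* Lookup order from comment 1: remote ID, then peer IP, then the "*" entry. */
enum psk_src psk_lookup(const char *table, const char *remote_id,
                        const char *peer_ip, char *out, size_t outlen)
{
    if (find_key(table, remote_id, out, outlen)) return PSK_BY_ID;
    if (find_key(table, peer_ip, out, outlen)) return PSK_BY_ADDR;
    if (find_key(table, "*", out, outlen)) return PSK_WILDCARD;
    return PSK_NONE;
}

int main(void)
{
    static const char *names[] = { "none", "remote ID", "peer address", "wildcard" };
    char key[128];
    /* Constructed peer: neither its ID nor its address is listed. */
    enum psk_src src = psk_lookup(SAMPLE_PSK, "laptop", "203.0.113.5", key, sizeof key);
    printf("matched by %s: %s\n", names[src], src ? key : "(no key)");
    return 0;
}
```

With a `*` entry present, `PSK_NONE` is never returned: every peer not listed by ID or address resolves to the same key, which is the roadwarrior behaviour comment 1 describes.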
Comment 3 Artem Makhutov 2011-07-17 12:21:48 UTC
Thanks for the ebuild. I would also like to see it in portage...
Comment 4 Gary E. Miller 2011-08-11 18:33:24 UTC
Please get this in portage!  But first, can someone remove the --enable-stats config option?  See bug #269450
Comment 5 Gary E. Miller 2011-09-28 22:03:31 UTC
How do we get this unorphaned and released???
Comment 6 Łukasz Stelmach 2011-10-30 13:21:51 UTC
"Me too."
Comment 7 Anthony Basile gentoo-dev 2012-02-07 03:09:43 UTC
(In reply to comment #5)
> How do we get this unorphaned and released???

Some overworked dev comes along and takes pity.  Seeing as I use this on a daily basis, I guess I can take it on.

@Jaco Kroon - can you give me some history on that patch?

@Gary E. Miller - I'll add a local USE flag on --enable-stats.  Some people may want it.
Comment 8 Gary E. Miller 2012-02-07 03:13:10 UTC
Thank you overworked dev.  Let us know how we can help.
Comment 9 Anthony Basile gentoo-dev 2012-02-07 11:58:13 UTC
(In reply to comment #8)
> Thank you overworked dev.  Let us know how we can help.

I will ask for testing.  I was going to put it on my overlay to bang at it first but the overlay server is down :)  So if it looks like I'm not acting on this for a while, it's not that it's low on my priority list.
Comment 10 Anthony Basile gentoo-dev 2012-02-09 21:07:41 UTC
Okay ipsec-0.8.0 is on the tree now.  A few things to note:

1) I did not add the patch from comment #1.  While I see what it's trying to do, I'm not familiar enough with the code that I can foresee any side effects.  Also there is no history on that patch.  (An ebuild with the patch is on my overlay, if anyone wants.)

2) I have added a new USE flag to turn off stats, see bug #269450.

3) I don't like the entire linux-info eclass stuff.  a) The build system itself should not be looking in /usr/src/linux/include/linux/ for *any* headers --- in this case it's looking for just pfkeyv2.h.  It should use the publicly exported headers in /usr/include/linux/.  b) While it is nice to have an eclass look at your config file to make sure everything in there is correctly configured, /usr/src/linux does not necessarily point to the current running kernel OR maybe it does, and the config file in there has been changed.  This leads to false positives or negatives.  Bad.

I have not yet addressed point 3, but I will in a future rev bump.  I'm going to patch the build system to look in the right place for pfkeyv2.h and remove linux-info in favor of a pkg_postinst() which alerts the user to what is needed in the linux config.

I'll leave this bug open for people to comment on my decisions.  Please open a different bug if the issue is not about this.
Comment 11 Anthony Basile gentoo-dev 2012-03-04 18:29:14 UTC
> 3 b) While it is nice to
> have an eclass look at your config file to make sure everything in there is
> correctly configured, /usr/src/linux does not necessarily point to the
> current running kernel OR maybe it does, and the config file in there has
> been changed.  This leads to false positives or negatives.  Bad.

Okay I've added ample warnings here.  I'm okay with letting linux-info.eclass do its work.  See bug #335510.

So now I'm just down to hacking against configure.ac so that it doesn't look in /usr/src/linux for headers.
Comment 12 Anthony Basile gentoo-dev 2012-03-06 02:06:03 UTC
(In reply to comment #11)
> > 3 b) While it is nice to
> > have an eclass look at your config file to make sure everything in there is
> > correctly configured, /usr/src/linux does not necessarily point to the
> > current running kernel OR maybe it does, and the config file in there has
> > been changed.  This leads to false positives or negatives.  Bad.
> 
> Okay I've added ample warnings here.  I'm okay with letting
> linux-info.eclass do its work.  See bug #335510.
> 
> So now I'm just down to hacking against configure.ac so that it doesn't look
> in /usr/src/linux for headers.

Okay, now the build system is looking in /usr/include/linux for the kernel headers rather than /usr/src/linux.

Anyone that wants to help, please test/abuse ipsec-tools-0.8.0-r2 in every possible way.  I'm hoping it's the next stabilization candidate.

I'm closing this since the version bump is complete.  Please open another bug for any issues you might find.