Comment 16 for bug 1535951

Ryan Harper (raharper) wrote : Re: [Bug 1535951] Re: Please merge strongswan 5.3.5-1 (main) from Debian unstable (main)

On Sat, Feb 13, 2016 at 7:51 PM, Simon Déziel <email address hidden>
wrote:

> On 2016-02-13 05:09 PM, Ryan Harper wrote:
> > On Sat, Feb 13, 2016 at 12:27 PM, mrq1 <email address hidden> wrote:
> >
> >> great! starts now :-)
> >>
> >> what about the chapoly plugin? can you enable it in the extra package?
> >> it would be very important for me!
> >>
> >
> > I can look at enabling it. It's new in 5.3.5.
>
> +1
>
> ChaCha20/Poly1305 actually made it in 5.3.3 [1] and I haven't heard of
> any problem on the mailing list.
>
> > If enabled, can you test and confirm it works?
>
> I too would be glad to give it a spin and report about it.
>
> > Looks like something quite interesting.
> > https://en.wikipedia.org/wiki/Poly1305
>
> Indeed! Chacha20 and Poly1305 are cool and getting quite some traction
> these days [2].
>

Excellent! I've just uploaded a new version to the PPA; should be ready in
a bit with the new plugin
and updated apparmor profiles from your repo.

One question: the profile included /dev/tun, and in my Xenial setups I need
/dev/net/tun, so I've allowed both in the profile. Not clear to me if it's
useful/needed to have both, or if only one is sufficient.

> > Comments here in the Debian bug indicate that this requires at least 4.2
> > kernel.
>
> For the IKE part, the kernel version shouldn't matter. For the ESP part,
> you indeed need a recent kernel or you can always use the userspace
> implementation (libipsec).
>
>
OK

> libipsec support is very cool (thanks for enabling it!) as it should
> allow running IPsec in containers.
>
>
Please do confirm if that's working. I suspect they'll need to be privileged
containers, or will need some additional permissions/configs for unprivileged,
since it'll want access to /dev/net/tun, which won't be present by default.

I'd like to capture how to run strongswan in containers like LXD, so if you've
any experience with getting that working, it'd be very helpful for us to
document.

> > For Xenial, this will be sufficient I suppose.
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803787
>
> The reporter was looking for NTRU (enabled in your PPA build IIRC) and
>

Yes

> BLISS. That said, I'm sure the reporter would welcome having another
> AEAD cipher available because they are well regarded [3] in terms of
> security.
>
> Thanks,
> Simon
>
> 1: https://wiki.strongswan.org/versions/58
> 2: https://en.wikipedia.org/w/index.php?title=Salsa20&redirect=no#ChaCha20_adoption
> 3: https://www.imperialviolet.org/2015/05/16/aeads.html
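As an added illustration (not from the thread, the PPA build or the strongSwan project), here is how the two things discussed above would be wired up once the chapoly and kernel-libipsec plugins are installed: a connection that proposes ChaCha20/Poly1305 for both IKE and ESP, and the strongswan.d snippet that enables the userspace ESP path. The connection name, addresses, identities and certificate file name are placeholders; the ipsec.conf proposal keywords and the /etc/strongswan.d/charon/ file layout are assumed to match the 5.3.x packages being discussed.

```ini
# /etc/ipsec.conf (added example; addresses, ids and cert name are placeholders)
# A strict (!) proposal: ChaCha20/Poly1305 is an AEAD, so the IKE proposal
# needs an explicit PRF; the ESP proposal needs only a DH group for PFS.
conn chapoly-test
    keyexchange=ikev2
    ike=chacha20poly1305-prfsha256-ecp256!
    esp=chacha20poly1305-ecp256!
    left=192.0.2.1
    leftid=@left.example
    leftcert=leftCert.pem
    right=198.51.100.1
    rightid=@right.example
    auto=add

# /etc/strongswan.d/charon/kernel-libipsec.conf (added example)
# Use the userspace IPsec backend instead of the kernel XFRM stack, which is
# what makes the ESP side usable on older kernels and inside containers.
kernel-libipsec {
    load = yes
}
```

After restarting charon, `ipsec listalgs` should list chacha20poly1305 among the encryption algorithms if the chapoly plugin was loaded, and `ipsec statusall` will show the kernel-libipsec TUN device once the connection is up. For an unprivileged LXD container, the /dev/net/tun node the message above expects can be passed through with `lxc config device add <container> tun unix-char path=/dev/net/tun` (the LXD device syntax is an assumption here, not something the thread states), in addition to whatever the AppArmor profile allows.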