Comment 19 for bug 1535951

Simon Déziel (sdeziel) wrote : Re: [Bug 1535951] Re: Please merge strongswan 5.3.5-1 (main) from Debian unstable (main)

On 2016-02-13 10:03 PM, Ryan Harper wrote:
> On Sat, Feb 13, 2016 at 7:51 PM, Simon Déziel <email address hidden>
> wrote:
>
>> On 2016-02-13 05:09 PM, Ryan Harper wrote:
>>> On Sat, Feb 13, 2016 at 12:27 PM, mrq1 <email address hidden> wrote:
>>>
>>>> great! starts now :-)
>>>>
>>>> what about the chapoly plugin? can you enable it in the extra package?
>>>> it would be very important for me!
>>>>
>>>
>>> I can look at enabling it. It's new in 5.3.5.
>>
>> +1
>>
>> ChaCha20/Poly1305 actually made it in 5.3.3 [1] and I haven't heard of
>> any problem on the mailing list.
>>
>>> If enabled, can you test and confirm it works?
>>
>> I too would be glad to give it a spin and report about it.
>>
>>> Looks like something quite interesting.
>>> https://en.wikipedia.org/wiki/Poly1305
>>
>> Indeed! Chacha20 and Poly1305 are cool and getting quite some traction
>> these days [2].
>>
>
> Excellent! I've just uploaded a new version to the PPA; should be ready in
> a bit with the new plugin
> and updated apparmor profiles from your repo.

Thanks, will try it out.

> One question, the profile included /dev/tun, and in my Xenial setups, I
> need
> /dev/net/tun so I've both allowed in the profile. Not clear to me if it's
> useful/needed
> to have both, or if only one is sufficient.

Good catch. The path has always been /dev/net/tun, even in previous
releases, so please drop the erroneous /dev/tun rule I added.

>>> Comments here in the Debian bug indicate that this requires at least 4.2
>>> kernel.
>>
>> For the IKE part, the kernel version shouldn't matter. For the ESP part,
>> you indeed need a recent kernel or you can always use the userspace
>> implementation (libipsec).
>>
>>
> OK
>
>
>> libipsec support is very cool (thanks for enabling it!) as it should
>> allow running IPsec in containers.
>>
>>
> Please do confirm if that's working. I suspect they'll need to be
> privileged containers
> or will need some additional permissions/configs for unprivileged since
> it'll want access to
> /dev/net/tun which won't be present by default.
>
> I'd like to capture how to run strongswan in containers like LXD so if
> you've any experience

I'd expect it to be pretty close to running OpenVPN in a container. I'll
check that out on LXD and let you know.