Your message dated Sun, 18 Sep 2016 12:20:41 +0000
with message-id <>
and subject line Bug#838194: fixed in strongswan 5.5.0-2
has caused the Debian Bug report #838194,
regarding support for network-manager-strongswan 1.4?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact

Debian Bug Tracking System
Contact with problems
--- Begin Message ---
Package: strongswan-nm
Version: 5.5.0-1
Severity: wishlist
Tags: patch

Hi Yves,

I would like to upgrade the network-manager-strongswan package
for Stretch to version 1.4.0, but this requires 2 patches to
charon-nm. See and
the attachment.

Do you think it would be possible to add these patches to
strongswan 5.5.0?

Of course I see that upstream plans to release strongswan 5.5.1
(including the patches) in about 3 weeks. Adding the patches to
5.5.0 now would save the time.

Thanx very much
From 9e74a0952e27e3ac0055b0831919aaddfef1e1b5 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <>
Date: Mon, 5 Sep 2016 10:54:07 +0200
Subject: [PATCH] nm: Enforce min. length for PSKs in backend

 src/charon-nm/nm/nm_service.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index 5991c24..c0c78ef 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -428,6 +428,16 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			user = identification_create_from_string((char*)str);
 			str = nm_setting_vpn_get_secret(vpn, "password");
+			if (auth_class == AUTH_CLASS_PSK &&
+				strlen(str) < 20)
+			{
+				g_set_error(err, NM_VPN_PLUGIN_ERROR,
+							"pre-shared key is too short.");
+				gateway->destroy(gateway);
+				user->destroy(user);
+				return FALSE;
+			}
 			priv->creds->set_username_password(priv->creds, user, (char*)str);

From f201d86debb12731b634625a0278e289e3e05e10 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <>
Date: Mon, 5 Sep 2016 14:34:07 +0200
Subject: [PATCH] nm: Pass external gateway to NM

This seems to be required by newer versions.
 src/charon-nm/nm/nm_service.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index c0c78ef..0fe10e0 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -88,12 +88,19 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
 	GValue *val;
 	GHashTable *config;
 	enumerator_t *enumerator;
-	host_t *me;
+	host_t *me, *other;
 	nm_handler_t *handler;
 	config = g_hash_table_new(g_str_hash, g_str_equal);
 	handler = priv->handler;
+	/* NM apparently requires to know the gateway */
+	val = g_slice_new0 (GValue);
+	g_value_init (val, G_TYPE_UINT);
+	other = ike_sa->get_other_host(ike_sa);
+	g_value_set_uint (val, *(uint32_t*)other->get_address(other).ptr);
+	g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY, val);
 	/* NM requires a tundev, but netkey does not use one. Passing the physical
 	 * interface does not work, as NM fiddles around with it. So we pass a dummy
 	 * TUN device along for NM to play with... */

Attachment: signature.asc
Description: OpenPGP digital signature

--- End Message ---
--- Begin Message ---
Source: strongswan
Source-Version: 5.5.0-2

We believe that the bug you reported is fixed in the latest version of
strongswan, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Yves-Alexis Perez <> (supplier of updated strongswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Hash: SHA512

Format: 1.8
Date: Sun, 18 Sep 2016 13:47:41 +0200
Source: strongswan
Binary: strongswan libstrongswan libstrongswan-standard-plugins 
libstrongswan-extra-plugins libcharon-extra-plugins strongswan-starter 
strongswan-libcharon strongswan-charon strongswan-ike strongswan-nm 
strongswan-ikev1 strongswan-ikev2 charon-cmd strongswan-pki 
strongswan-scepclient strongswan-swanctl charon-systemd
Architecture: source
Version: 5.5.0-2
Distribution: unstable
Urgency: medium
Maintainer: strongSwan Maintainers <>
Changed-By: Yves-Alexis Perez <>
 charon-cmd - standalone IPsec client
 charon-systemd - strongSwan IPsec client, systemd support
 libcharon-extra-plugins - strongSwan charon library (extra plugins)
 libstrongswan - strongSwan utility and crypto library
 libstrongswan-extra-plugins - strongSwan utility and crypto library (extra 
 libstrongswan-standard-plugins - strongSwan utility and crypto library 
(standard plugins)
 strongswan - IPsec VPN solution metapackage
 strongswan-charon - strongSwan Internet Key Exchange daemon
 strongswan-ike - strongSwan Internet Key Exchange daemon (transitional package)
 strongswan-ikev1 - strongSwan IKEv1 daemon, transitional package
 strongswan-ikev2 - strongSwan IKEv2 daemon, transitional package
 strongswan-libcharon - strongSwan charon library
 strongswan-nm - strongSwan plugin to interact with NetworkManager
 strongswan-pki - strongSwan IPsec client, pki command
 strongswan-scepclient - strongSwan IPsec client, SCEP client
 strongswan-starter - strongSwan daemon starter and configuration file parser
 strongswan-swanctl - strongSwan IPsec client, swanctl command
Closes: 835095 838194
 strongswan (5.5.0-2) unstable; urgency=medium
   * debian/rules:
     - add patch from Raphaƫl Geissert to use /etc/ssl/certs instead of
       /usr/share/ca-certificates for strongswan-nm.             closes: #835095
     - update argument name for dh_strip dbgsym migration
   * debian/control:
     - update debhelper dependency to a version which supports dbgsym
   * debian/patches:
     - 05_network-manager-strongswan-1.4 added, backport two upstream patches
       to support network-manager-strongswan 1.4 in charon-nm.   closes: #838194
 8c15a7b9e4ed5426e1a5b83396f7e2747e8ba0af 3239 strongswan_5.5.0-2.dsc
 918672c6df512032b27af735e8800ae675372627 122064 
 2f0cc0cc1dc0f4badc511c00c49499a0b02c8043eeee2fe9b5dd6bfd9e41216e 3239 
 015a12e3dde32970320b00c82c000c873ff3f945212b37b9e7d38b9d1cf6932b 122064 
 646378d9a38352c41e9cae5ceadf359e 3239 net optional strongswan_5.5.0-2.dsc
 b28ae10f33486fe0c460693f2be2d249 122064 net optional 



--- End Message ---

Reply via email to