On Wed, 25 Jan 2017, Daniel Kahn Gillmor wrote:

(Added swan@ to list for larger exposure)
> I've just uploaded libreswan 3.19 to debian unstable. Thanks very much for all your work on libreswan!
Awesome! Thank you very much!!
> I've also posted a couple of pull requests and issues on github related to minor nitpicks I found while packaging. I hope they're helpful.
They've been merged in and will be in 3.20.
> Unauthenticated Opportunistic Encryption
> ----------------------------------------
>
> I've been trying to test out the unauthenticated opportunistic mode, and I haven't had as much luck with it as I'd like yet. In particular, I was hoping that I could just get the package installed, and then do:
>
>   cp oe-upgrade-authnull.conf /etc/ipsec.d/
>   systemctl start ipsec
>   ipsec whack --trafficstatus
>   ping -c 4 libreswan.org
>   sleep 5
>   ipsec whack --trafficstatus
I've talked to Daniel and we got it to work. Our test server was not up and running, and his config needed a tweak. The tweak has been pushed to the docs/example in git as well.
> […]
> 000 W.X.Y.Z/32:0 -0-> 188.127.201.229/32:0 => %pass 0 oe-failing
>
> (188.127.201.229 is the IP address I'm seeing for libreswan.org; I've anonymized the source IP address, but I'd be happy to share it in a private debugging conversation)
We have not yet enabled OE for the libreswan.org domain itself. We don't want to lock out people (yet :)
> I've also tried browsing to http://oe.libreswan.org/ and gotten the "Oh no! You are NOT protected by Opportunistic IPsec!" message, and seen "ipsec whack --shuntstatus" tell me:
This is the one we fixed together.
> Despite failing to get this OE mode working, I've uploaded the package to debian unstable so that it can reach a wider audience. It's possible (though unlikely) that this package could migrate to debian testing in time for the upcoming freeze for debian "stretch" (the next stable release). To do that, there would need to be no serious bugs found in it over the next 10 days.
We should be good, but I hope we can get some other people testing too!
> That said, I'm not sure we necessarily want it in debian stable yet anyway. Committing to 3.19 being in debian stable means being willing to support that version for several years, and I'm not yet convinced I have the bandwidth to do that without serious upstream support. I don't know how much y'all want to commit to 3.19 long term anyway.
In that case, I agree it would be nicer to do that for 3.20, which we are also aiming at RHEL-7.4.
> If it stays out of debian stable for now, but it stabilizes in the near future, we can always use the stretch-backports repository to make it available for stretch users without committing to a long-term stable release (backports are allowed/expected to change more frequently). I suspect this approach would give libreswan the better balance between exposure and stability for this debian release cycle, but if y'all feel differently as upstream, I'd be happy to hear about it. Please let me know!
We'll be in touch!

Paul

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
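As an added example (not code from this thread or from the libreswan project), a small POSIX shell helper that pulls out of `ipsec whack --shuntstatus` output the peers for which OE negotiation failed and traffic fell back to a cleartext `%pass` shunt; the field layout is assumed from the `oe-failing` line quoted above, and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or libreswan itself.
# A "%pass ... oe-failing" bare shunt means Opportunistic Encryption to that
# peer did not come up and packets are being passed in cleartext, which is the
# condition the thread is debugging. Field layout assumed from the quoted line:
#   000 SRC/32:0 -0-> DST/32:0 => %pass 0 oe-failing
#   $1  $2        $3   $4       $5 $6    $7 $8

# Print the destination address of every oe-failing %pass shunt read on stdin.
oe_failing_peers() {
    awk '$1 == "000" && $6 == "%pass" && $8 == "oe-failing" {
            split($4, d, "/"); print d[1]
         }'
}

# Count the oe-failing shunts read on stdin.
oe_failing_count() {
    oe_failing_peers | wc -l | tr -d ' '
}

# Exit 0 if OE to the given peer address is currently failing, 1 otherwise.
oe_peer_failing() {
    oe_failing_peers | grep -qx "$1"
}

# Constructed sample shuntstatus output (not captured from a real host):
# one failing OE peer, one negotiation still in progress (%hold), one %drop.
SAMPLE_SHUNTSTATUS='000 Bare Shunt list:
000
000 10.0.0.5/32:0 -0-> 188.127.201.229/32:0 => %pass 0 oe-failing
000 10.0.0.5/32:0 -0-> 192.0.2.10/32:0 => %hold 0 acquire
000 10.0.0.5/32:0 -0-> 198.51.100.7/32:0 => %drop 0 manual'

# Live usage:  ipsec whack --shuntstatus | oe_failing_peers
# Demo on the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SHUNTSTATUS" | oe_failing_peers
fi
```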
