Friday, January 04, 2013

strongSwan 5.0.1 on Ubuntu 12.04 and 12.10

Could we get any older versions included in distros? kthanksbye



# Pull in the packaging tools and the build dependencies needed to
# rebuild strongSwan (run as root).
apt-get update
apt-get install -y devscripts
apt-get build-dep -y strongswan

# Dedicated build account: bash as login shell, no password set.
adduser --shell /bin/bash --disabled-password \
        --gecos bobbuilder bobbuilder

# Drop to the non-privileged account for the build. This opens a login
# shell; the build commands that follow are typed inside it.
sudo su - bobbuilder

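# Download the Ubuntu source package (4.5.2) and the upstream
# strongSwan 5.0.1 tarball into a scratch directory of the build user.
mkdir -p ~/build/ss5
cd ~/build/ss5
apt-get source strongswan
# Fetch over HTTPS: this tarball ends up compiled and installed as root,
# so it must not be replaceable by anyone on the network path.
wget https://download.strongswan.org/strongswan-5.0.1.tar.bz2
# TLS only protects the transfer. Before building, compare the tarball
# with the digest or detached signature published by the strongSwan
# project, obtained separately from this page, for example:
#   echo "<EXPECTED_SHA256>  strongswan-5.0.1.tar.bz2" | sha256sum -c -

# Apply Ubuntu changes from 4.5.2 over 5.0.1
cd strongswan-4.5.2
uupdate ../strongswan-5.0.1.tar.bz2 -v 5.0.1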

# Some fixes needed due to differences between versions.
# Also enables kernel crypto algos (af-alg) and blowfish
# and tries to fix missing medsrv plugin.
# NOTE(review): Blowfish is a legacy 64-bit-block cipher; build the
# plugin only if a peer still requires it.
# Every sed below edits in place and leaves a .bak copy next to the file.
cd ../strongswan-5.0.1
# Comment out the series entries starting with 0001, 0002 and
# glib-include (presumably so those patches are skipped for 5.0.1).
sed -i.bak debian/patches/series \
    -e 's/^0001/#0001/g' \
    -e 's/^0002/#0002/g' \
    -e 's/^glib-include/#glib-include/g' 
# debian/rules: append the two extra configure switches after
# enable-led, force-include config.h wherever $(CFLAGS) appears, and
# drop every -Xmedsrv argument.
sed -i.bak debian/rules \
    -e 's/enable-led/enable-led --enable-af-alg --enable-blowfish /g' \
    -e 's|\$(CFLAGS)|\$(CFLAGS) -include \$(CURDIR)/config.h|g' \
    -e 's|-Xmedsrv||g'

# IKEv1 "Pluto" is no longer present in 5.0
# NOTE(review): debian/strongswan/DEBIAN/control looks like a staging
# file from an earlier build; confirm it exists at this point.
sed -i.bak debian/strongswan/DEBIAN/control \
    -e 's|strongswan-ikev1, ||g'
# Remove the dependency reference, then delete the stanza from
# "Package: strongswan-ikev1" through the next line matching
# "IKEv2 daemon.".
sed -i.bak debian/control \
    -e 's|, strongswan-ikev1||g' \
    -e '/Package: strongswan-ikev1/,/IKEv2 daemon./d'

# The CREDITS file is gone as well
sed -i.bak debian/strongswan.docs \
    -e '/CREDITS/d'

# Libs have moved to new location
sed -i.bak debian/libstrongswan.install \
    -e 's|usr/lib/lib|usr/lib/ipsec/lib|g' \
    -e 's|usr/lib/$|usr/lib/ipsec/|g'
sed -i.bak debian/strongswan-ikev2.install \
    -e 's|usr/lib/lib|usr/lib/ipsec/lib|g' \
    -e 's|usr/lib/$|usr/lib/ipsec/|g'

# Xauth module has been renamed
# This second -i.bak pass on libstrongswan.install overwrites the .bak
# written above, so the backup no longer holds the pristine file.
sed -i.bak debian/libstrongswan.install \
    -e 's|libstrongswan-xauth.so|libstrongswan-xauth-generic.so|g'

# Smells like networkmanager
# Second pass over debian/rules, hence the .bak2 suffix: the nm plugin
# references are replaced by charon-nm.
sed -i.bak2 debian/rules \
    -e 's|plugins/libstrongswan-nm.so\*|charon-nm|g' \
    -e 's|strongswan-nm/usr/lib/ipsec/plugins/|strongswan-nm/usr/lib/ipsec/|g' \
    -e 's|-Xlibstrongswan-nm.so|-Xcharon-nm|g'

# Also ship the libraries and plugins that were not present earlier:
# append one install entry per item to libstrongswan's install list.
# The quoted delimiter keeps the '*' characters literal.
cat >>debian/libstrongswan.install <<'EOF'
usr/lib/ipsec/medsrv/* usr/lib/ipsec/medsrv/
usr/lib/ipsec/libtls.so* usr/lib/ipsec/
usr/lib/ipsec/libsimaka.so* usr/lib/ipsec/
usr/lib/ipsec/libradius.so* usr/lib/ipsec/
usr/lib/ipsec/libtnccs.so* usr/lib/ipsec/
usr/lib/ipsec/plugins/libstrongswan-af-alg.so* usr/lib/ipsec/plugins/
usr/lib/ipsec/plugins/libstrongswan-blowfish.so* usr/lib/ipsec/plugins/
usr/lib/ipsec/plugins/libstrongswan-cmac.so* usr/lib/ipsec/plugins/
usr/lib/ipsec/plugins/libstrongswan-pkcs8.so* usr/lib/ipsec/plugins/
usr/lib/ipsec/plugins/libstrongswan-nonce.so* usr/lib/ipsec/plugins/
usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so* usr/lib/ipsec/plugins/
EOF

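# Make sure package name does not look like real Ubuntu package:
# the version gets a local suffix plus the release codename.
# The command substitution is quoted so unexpected whitespace or glob
# characters in the lsb_release output cannot split or expand the sed
# expression.
sed -i.bak debian/changelog \
    -e 's/(5.0.1-0ubuntu1)/(5.0.1-0hackhackbork0'"$(lsb_release -cs)"')/g'

# And finally compile binary.. or at least try to.
# -b: binary packages only; -us -uc: source and .changes stay unsigned;
# -j2: two parallel jobs; -tc: clean the tree afterwards; -nc: no clean
# before the build.
dpkg-buildpackage -j2 -b -us -uc -tc -nc

# On 12.04 compile will barf after generating binaries doing
# some sort of cleanup but we just ignore error and keep going on.
# Since the error is ignored, check that the .deb files really exist
# in ~/build/ss5 before moving on to the install step.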

# Install new binaries (as root)
# I'm quite sure at least network-manager integration is
# broken so we won't even try installing it.
cd ~bobbuilder/build/ss5
apt-get install -y ipsec-tools
# The globs pick up whatever files with these names sit in the build
# user's directory, and dpkg runs their maintainer scripts as root.
debs=(
   strongswan_5.0.1-0hackhackbork0*.deb
   strongswan-ikev2_5.0.1-0hackhackbork0*.deb
   strongswan-starter_5.0.1-0hackhackbork0*.deb
   libstrongswan_5.0.1-0hackhackbork0*.deb
)
DEBIAN_FRONTEND=noninteractive dpkg -i "${debs[@]}"

# Block updates from repo: put the four hand-built packages on hold so
# the archive's strongswan cannot replace them.
# A hold also keeps out security updates from the repo; follow upstream
# advisories and rebuild when one applies.
for pkg in strongswan strongswan-ikev2 strongswan-starter libstrongswan; do
  printf '%s hold\n' "$pkg" | dpkg --set-selections
done

# Done... Might work or might not.

1 comment:

  1. Thanks for this article, I was able to get 5.0.4 to compile on 12.04 server.

    At first, the directions wouldn't work with my stock-install. Adding "--enable-attr-sql" to CONFIGUREARGS in debian/rules allowed it to compile and create working .debs for me. Hope this helps someone else.

