strongswan uses `modprobe` to load IPSec-related kernel modules. The
full path needs to be specified to `modprobe` for it to be able to be
found.
(cherry picked from commit 7143062172f6bad877a87c8e239f2421e0a48e2d)
This fixes an issue where the strongswan NM client is not able to
connect to a VPN. By default it tries to load the trust CA from
/usr/share/ca-certificates which doesn't exist in NixOS and most modern
distros.
See the Debian-related issue:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835095
* treewide: http -> https sources
This updates the source urls of all top-level packages from http to
https where possible.
* buildtorrent: fix url and tab -> spaces
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/strongswan/versions.
These checks were done:
- built on NixOS
- /nix/store/9qicaqwg2cvmahh3hqwig5bcqpd41k9a-strongswan-5.6.3/bin/pki passed the binary check.
- /nix/store/9qicaqwg2cvmahh3hqwig5bcqpd41k9a-strongswan-5.6.3/bin/charon-cmd passed the binary check.
- Warning: no invocation of /nix/store/9qicaqwg2cvmahh3hqwig5bcqpd41k9a-strongswan-5.6.3/bin/charon-systemd had a zero exit code or showed the expected version
- /nix/store/9qicaqwg2cvmahh3hqwig5bcqpd41k9a-strongswan-5.6.3/bin/ipsec passed the binary check.
- /nix/store/9qicaqwg2cvmahh3hqwig5bcqpd41k9a-strongswan-5.6.3/bin/swanctl passed the binary check.
- 4 of 5 passed binary check by having a zero exit code.
- 1 of 5 passed binary check by having the new version present in output.
- found 5.6.3 with grep in /nix/store/9qicaqwg2cvmahh3hqwig5bcqpd41k9a-strongswan-5.6.3
- directory tree listing: https://gist.github.com/258736889db4e822d054b65e7035147b
- du listing: https://gist.github.com/478dbb4f44b4ed18b112076b17451a4e
Semi-automatic update. These checks were performed:
- built on NixOS
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/pki -h` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/pki --help` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/pki -h` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/pki --help` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/charon-cmd --help` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/charon-cmd --version` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/charon-cmd --help` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/ipsec --help` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/ipsec --version` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/ipsec version` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/swanctl -h` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/swanctl --help` got 0 exit code
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/swanctl -h` and found version 5.6.2
- ran `/nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2/bin/swanctl --help` and found version 5.6.2
- found 5.6.2 with grep in /nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2
- found 5.6.2 in filename of file in /nix/store/jd04xpik9zwmy39nh0axfss0m4hmw8yv-strongswan-5.6.2
l2tp saves its secrets into /etc/ipsec.d but strongswan would not read
them. l2tp checks whether /etc/ipsec.secrets includes /etc/ipsec.d and, if
not, tries to write into it.
Solution:
Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets
when networkmanager_l2tp is installed.
Include /etc/ipsec.secrets in
/nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp
secrets.
Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to
write into an alternate file /etc/ppp/resolv.conf. This fails when
/etc/ppp does not exist so the module creates it by default.
Added the boolean option:
networking.networkmanager.enableStrongSwan
which enables the networkmanager_strongswan plugin and adds
strongswanNM to the dbus packages.
This was contributed by @wucke13, @eqyiel and @globin.
Fixes: #29873
The NIST elliptic curve groups (ecp192 etc.) are only available if the
OpenSSL plugin is enabled, and these groups are currently the only EC
groups supported on iOS and macOS devices.
Strongswan fails to compile on armv7l-linux with `--enable-aesni` and `--enable-rdrand` enabled. Errors are thrown about impossible constraints in asm (`--enable-rdrand`) or about gcc getting unknown command line parameters about aes (`--enable-aesni`). The options only make sense on x86_64 processors.
The rdrand plugin is designed for Ivy Bridge processors:
> High quality / high performance random source using the Intel rdrand instruction found on Ivy Bridge processors
The aes-ni plugin also only exists on X86 processors (which have the AES instruction set)
Tested with a local override. The change triggers a (successful) rebuild on my X86_64 system. On armv7-linux this change fixes build errors.
See:
https://wiki.strongswan.org/issues/337
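As an added illustration (not code from the nixpkgs commits quoted above), the following sketch of a Nix package expression shows how the x86-only `--enable-aesni` and `--enable-rdrand` flags can be gated on the build target so that the armv7l build described above never sees them. `lib.optionals`, `stdenv.hostPlatform.isx86_64`, `configureFlags` and `lib.fakeSha256` are standard nixpkgs names; the tarball URL and the other configure flags are assumptions for the example, and the hash is a placeholder that must be replaced with the real one.

```nix
# Added example, not the nixpkgs strongswan derivation itself: enable the
# Intel-specific rdrand and aes-ni plugins only when building for x86_64.
{ lib, stdenv, fetchurl, ... }:

stdenv.mkDerivation rec {
  pname = "strongswan";
  version = "5.6.3";  # version taken from the update messages above

  src = fetchurl {
    # Assumed upstream tarball location for the example.
    url = "https://download.strongswan.org/${pname}-${version}.tar.bz2";
    sha256 = lib.fakeSha256;  # placeholder: replace with the real hash
  };

  configureFlags = [
    "--enable-swanctl"
    "--enable-openssl"  # provides the NIST ecp groups mentioned above
  ]
  # These two plugins rely on x86 instructions (AES-NI, RDRAND) and
  # break the build on armv7l, so they are added only on x86_64.
  ++ lib.optionals stdenv.hostPlatform.isx86_64 [
    "--enable-aesni"
    "--enable-rdrand"
  ];
}
```

Gating on `stdenv.hostPlatform` rather than the build machine is what matters for cross-compilation: the flags must follow the architecture the binary will run on, not the one doing the compiling.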