[strongSwan-dev] Chrome OS -- upgrade to strongSwan 5.x and 4.x Pluto patches

Darin Petkov petkov at chromium.org
Thu Dec 6 11:11:08 CET 2012


Hello,

I'm not sure if this is the right mailing list for these questions -- if
it's not, feel free to kick me out :-)

I'm one of the Chromium developers responsible for VPN support in Chrome
OS. Chrome OS is using strongSwan 4.x with some local Pluto patches to
support L2TP/IPSec.  We're considering upgrading to strongSwan 5.x (
crosbug.com/36959), mostly driven by crosbug.com/15900 (support for groups
in IKEv1 aggressive mode). An alternative is to switch to Android's
L2TP/IPSec libraries (ipsec-tools, I think).

However, we've made some local patches to Pluto that we'll need to
re-evaluate and drop obsolete ones, re-implement necessary ones in Charon,
or maybe come up with better solutions, hopefully upstream. I'd really
appreciate your feedback on this. Here's a list of our local Pluto patches
-- issue report along with patch code review URL:

   - crosbug.com/16252: initialize supplementary groups (
   https://gerrit.chromium.org/gerrit/#/c/2233/)
   - crosbug.com/24476: disable peer ID check (
   https://gerrit.chromium.org/gerrit/15008,
   https://gerrit.chromium.org/gerrit/15009)
   - crosbug.com/25675: disable XAUTH ID (
   https://gerrit.chromium.org/gerrit/#/c/15071/) -- this one just changes
   the 4.x default configure/build options.
   - crosbug.com/32738: ISAKMP commit bit -- this one is not resolved yet
   because it will require making strongSwan non-compliant with RFC 3947.

Do you have any thoughts or feedback? Do you think some of these issues can
be addressed properly upstream, to ease the upgrade path?

Thanks in advance,

Darin