<feed xmlns='http://www.w3.org/2005/Atom'>
<title>packages/net/strongswan/files, branch master</title>
<subtitle>Mirror of packages feed</subtitle>
<id>https://git.openwrt.org/feed/packages/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/feed/packages/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/'/>
<updated>2026-01-11T18:34:18Z</updated>
<entry>
<title>strongswan: Add support for EAP-TLS authentication</title>
<updated>2026-01-11T18:34:18Z</updated>
<author>
<name>Torbjorn Tyridal</name>
</author>
<published>2025-11-18T14:02:25Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=a2eec1a5684d6e3cf38930f741638834986703be'/>
<id>urn:sha1:a2eec1a5684d6e3cf38930f741638834986703be</id>
<content type='text'>
Support for configuring the EAP-TLS authentication scheme is added.

Similar to EAP-MSCHAPv2, this one is usually asymmetric
in the way that the server auth method (pubkey) is different from
the client auth method (eap-tls).
The code handles this asymmetry automatically.

Signed-off-by: Torbjorn Tyridal &lt;torbjorn@tyridal.no&gt;
</content>
</entry>
<entry>
<title>strongswan: swanctl: Add support for send_certreq</title>
<updated>2025-05-18T17:35:35Z</updated>
<author>
<name>Kevin Locke</name>
</author>
<published>2024-11-30T21:36:49Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=5be8d85937352e4edb5bedc8d9f09511e60ab817'/>
<id>urn:sha1:5be8d85937352e4edb5bedc8d9f09511e60ab817</id>
<content type='text'>
Support the [send_certreq] connection configuration option to disable
offering trusted root CA certificates and reduce the size of the initial
IKE packets.

This work is based on a patch by @aleks-mariusz in
https://forum.openwrt.org/t/confusion-regarding-setting-up-ikev2-vpn-service-with-strongswan-using-ipsec-and-swanctl/169587/9

[send_certreq]: https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html#_connections

Signed-off-by: Kevin Locke &lt;kevin@kevinlocke.name&gt;
</content>
</entry>
<entry>
<title>strongswan: swanctl: make overtime local</title>
<updated>2025-04-27T19:40:39Z</updated>
<author>
<name>Kevin Locke</name>
</author>
<published>2024-11-30T21:28:31Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=e7aa0272db48af438a6338e52c77cd506a5d93ac'/>
<id>urn:sha1:e7aa0272db48af438a6338e52c77cd506a5d93ac</id>
<content type='text'>
$overtime has been used since swanctl.init was added in f9d91f1f47.
However, there's no need for it to be global.  Make it local like the
other config variables to avoid polluting the global namespace and make
the code easier to reason about.

Fixes: f9d91f1f470a ("strongswan: migrate to swanctl configs")
Signed-off-by: Kevin Locke &lt;kevin@kevinlocke.name&gt;
</content>
</entry>
<entry>
<title>strongswan: swanctl: make send_cert local</title>
<updated>2025-04-27T19:40:39Z</updated>
<author>
<name>Kevin Locke</name>
</author>
<published>2024-11-30T21:23:08Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=62032567d38050b95bdfd8e4fd7958ccd69e8963'/>
<id>urn:sha1:62032567d38050b95bdfd8e4fd7958ccd69e8963</id>
<content type='text'>
When support for send_cert was added in 4b9453b9a4, the $send_cert
variable was inadvertently global.  Make it local to avoid polluting the
global namespace and make the code easier to reason about.

Fixes: 4b9453b9a4c8 ("strongswan: Add support for send_cert option")
Signed-off-by: Kevin Locke &lt;kevin@kevinlocke.name&gt;
</content>
</entry>
<entry>
<title>strongswan: swanctl: Add support for encap</title>
<updated>2025-04-27T19:35:50Z</updated>
<author>
<name>Kevin Locke</name>
</author>
<published>2024-11-30T21:30:54Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=c1cfb36e50ed79b6befdb80f3595877cb90d9f7a'/>
<id>urn:sha1:c1cfb36e50ed79b6befdb80f3595877cb90d9f7a</id>
<content type='text'>
Support the [encap] connection configuration option to force UDP
encapsulation of ESP packets to work around connectivity issues with
middleboxes which block ESP packets.

This work is based on a patch by @aleks-mariusz in
https://forum.openwrt.org/t/confusion-regarding-setting-up-ikev2-vpn-service-with-strongswan-using-ipsec-and-swanctl/169587/9

[encap]: https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html#_connections

Signed-off-by: Kevin Locke &lt;kevin@kevinlocke.name&gt;
</content>
</entry>
<entry>
<title>strongswan: Add support for EAP-MSCHAPv2 authentication</title>
<updated>2024-11-19T16:05:33Z</updated>
<author>
<name>Martin Pecka</name>
</author>
<published>2024-01-08T00:24:07Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=88d1876f382f3fad99502679abb9914c429c7a7d'/>
<id>urn:sha1:88d1876f382f3fad99502679abb9914c429c7a7d</id>
<content type='text'>
Support for the EAP-MSCHAPv2 authentication scheme is added.

Different from the previously supported schemes, this one is
usually asymmetric in the way that the server auth method (pubkey) is
different from the client auth method (eap-mschapv2).
The code handles this asymmetry automatically.

A new UCI config section mschapv2_secrets is added where the user
can specify the EAP identities and their passwords that are
accepted by the server. AFAIK, there is no way to select which
EAP IDs should be accepted by which remote, except setting
`eap_id` to something different than `%any`. But `eap_id`
does not support template matching, so either only a single
identity or all can be configured for one remote. This is why
the EAP identities are not subsections of remotes, but are
a standalone section.

Signed-off-by: Martin Pecka &lt;peci1@seznam.cz&gt;
Signed-off-by: Martin Pecka &lt;peckama2@fel.cvut.cz&gt;
</content>
</entry>
<entry>
<title>strongswan: Fix pools to be only generated once</title>
<updated>2024-11-19T16:05:33Z</updated>
<author>
<name>Martin Pecka</name>
</author>
<published>2024-01-07T22:23:57Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=6b824ee7d71f6c4e001a8ec41aa47d97860c9fae'/>
<id>urn:sha1:6b824ee7d71f6c4e001a8ec41aa47d97860c9fae</id>
<content type='text'>
Before this commit, if a user configures multiple remotes in UCI,
each remote generates one output section of pools.
This doesn't hurt because swanctl just merges all of them,
but it is apparently not needed to have N copies of the same.

This commit changes the behavior to only create one pools
section at the end of the generated swanctl config.

Signed-off-by: Martin Pecka &lt;peci1@seznam.cz&gt;
Signed-off-by: Martin Pecka &lt;peckama2@fel.cvut.cz&gt;
</content>
</entry>
<entry>
<title>strongswan: Add support for send_cert option</title>
<updated>2024-11-19T16:05:33Z</updated>
<author>
<name>Martin Pecka</name>
</author>
<published>2024-01-07T22:00:07Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=4b9453b9a4c865f5eb722761a1f7120d954a1b57'/>
<id>urn:sha1:4b9453b9a4c865f5eb722761a1f7120d954a1b57</id>
<content type='text'>
This option is required by some clients, e.g. iOS.

Signed-off-by: Martin Pecka &lt;peci1@seznam.cz&gt;
</content>
</entry>
<entry>
<title>strongswan: comma separated list for {left,right}subnet</title>
<updated>2024-07-28T21:56:17Z</updated>
<author>
<name>Stephen Baker</name>
</author>
<published>2024-06-24T20:07:03Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=292f29474be38afe941cf136ff1122a94bd937bf'/>
<id>urn:sha1:292f29474be38afe941cf136ff1122a94bd937bf</id>
<content type='text'>
Translate local_subnet and remote_subnet in /etc/config/ipsec into a comma separated list for leftsubnet and rightsubnet in /var/ipsec/ipsec.conf
</content>
</entry>
<entry>
<title>strongswan: Add missing declarations in swanctl</title>
<updated>2024-05-07T02:51:12Z</updated>
<author>
<name>Philip Prindeville</name>
</author>
<published>2024-05-06T20:14:55Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/feed/packages/commit/?id=d95f6625e3fbb25f3f42401864268ae722a6c410'/>
<id>urn:sha1:d95f6625e3fbb25f3f42401864268ae722a6c410</id>
<content type='text'>
Signed-off-by: Philip Prindeville &lt;philipp@redfish-solutions.com&gt;
</content>
</entry>
</feed>
