Bump version with .nhrp

.gitignore

@@ -1,2 +1,2 @@
-/strongswan-5.8.4.tar.bz2
+/strongswan-5.7.1.tar.bz2
-/strongswan-5.9.0.tar.bz2
+/strongswan-5.7.2.tar.bz2

0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch

@@ -1,7 +1,7 @@
-From ffc2fc151cf78204bd482340dee7c5e7d0c24e51 Mon Sep 17 00:00:00 2001
+From 4904344754c2884e36b40532a8b65229c3355ff6 Mon Sep 17 00:00:00 2001
 From: Tobias Brunner <tobias@strongswan.org>
 Date: Fri, 17 Jul 2015 11:53:58 +0200
-Subject: [PATCH 1/5] ike: Adhere to IKE_SA limit when checking out by config
+Subject: [PATCH 1/6] ike: Adhere to IKE_SA limit when checking out by config
 
 This prevents new SAs from getting created if we hit the global IKE_SA
 limit (we still allow checkout_new(), which is used for rekeying).
@@ -10,10 +10,10 @@ limit (we still allow checkout_new(), which is used for rekeying).
  1 file changed, 37 insertions(+), 34 deletions(-)
 
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index f95ff19af..1e0ae42fe 100644
+index 3bac4b109..8a3178674 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -1434,48 +1434,51 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1419,48 +1419,51 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  
  	DBG2(DBG_MGR, "checkout IKE_SA by config");
  
@@ -100,5 +100,5 @@ index f95ff19af..1e0ae42fe 100644
  	}
  	charon->bus->set_sa(charon->bus, ike_sa);
 -- 
-2.30.2
+2.24.1
 

0002-charon-add-optional-source-and-remote-overrides-for-.patch

@@ -1,7 +1,7 @@
-From 07e7ae0c9a9cac8c16361dc73412867d7a303054 Mon Sep 17 00:00:00 2001
+From bc5cee05ee42b7566ed3539546757c3183aa7053 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:41:58 +0300
-Subject: [PATCH 2/5] charon: add optional source and remote overrides for
+Subject: [PATCH 2/6] charon: add optional source and remote overrides for
  initiate
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -18,23 +18,23 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
  src/charon-cmd/cmd/cmd_connection.c           |  2 +-
  src/charon-nm/nm/nm_service.c                 |  2 +-
- src/libcharon/control/controller.c            | 43 +++++++++++++-
+ src/libcharon/control/controller.c            | 43 ++++++++++++-
  src/libcharon/control/controller.h            |  3 +
  src/libcharon/plugins/stroke/stroke_control.c |  5 +-
  src/libcharon/plugins/vici/vici_config.c      |  2 +-
- src/libcharon/plugins/vici/vici_control.c     | 59 +++++++++++++++++--
+ src/libcharon/plugins/vici/vici_control.c     | 63 ++++++++++++++++---
  .../processing/jobs/start_action_job.c        |  2 +-
- src/libcharon/sa/ike_sa_manager.c             | 51 +++++++++++++++-
+ src/libcharon/sa/ike_sa_manager.c             | 51 ++++++++++++++-
  src/libcharon/sa/ike_sa_manager.h             |  8 ++-
- src/libcharon/sa/trap_manager.c               | 45 ++++++--------
+ src/libcharon/sa/trap_manager.c               | 45 ++++++-------
- src/swanctl/commands/initiate.c               | 40 ++++++++++++-
+ src/swanctl/commands/initiate.c               | 40 +++++++++++-
- 12 files changed, 217 insertions(+), 45 deletions(-)
+ 12 files changed, 218 insertions(+), 48 deletions(-)
 
 diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
-index 0481d78d4..805d6f198 100644
+index 1cf431ff2..ae406393f 100644
 --- a/src/charon-cmd/cmd/cmd_connection.c
 +++ b/src/charon-cmd/cmd/cmd_connection.c
-@@ -438,7 +438,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
+@@ -436,7 +436,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
  	child_cfg = create_child_cfg(this, peer_cfg);
  
  	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
@@ -44,10 +44,10 @@ index 0481d78d4..805d6f198 100644
  		terminate(pid);
  	}
 diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
-index 83fcaf898..187953b29 100644
+index fb9044d29..b47a0c7f5 100644
 --- a/src/charon-nm/nm/nm_service.c
 +++ b/src/charon-nm/nm/nm_service.c
-@@ -864,7 +864,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
+@@ -622,7 +622,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
  	 * Prepare IKE_SA
  	 */
  	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
@@ -57,7 +57,7 @@ index 83fcaf898..187953b29 100644
  	{
  		peer_cfg->destroy(peer_cfg);
 diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index 0c86275e2..baa83f440 100644
+index 589c536d2..037e6a72d 100644
 --- a/src/libcharon/control/controller.c
 +++ b/src/libcharon/control/controller.c
 @@ -15,6 +15,28 @@
@@ -106,7 +106,7 @@ index 0c86275e2..baa83f440 100644
  	/**
  	 * unique ID, used for various methods
  	 */
-@@ -414,9 +446,14 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -409,9 +441,14 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  	ike_sa_t *ike_sa;
  	interface_listener_t *listener = &job->listener;
  	peer_cfg_t *peer_cfg = listener->peer_cfg;
@@ -121,8 +121,8 @@ index 0c86275e2..baa83f440 100644
 +
  	if (!ike_sa)
  	{
- 		DESTROY_IF(listener->child_cfg);
+ 		listener->child_cfg->destroy(listener->child_cfg);
-@@ -425,6 +462,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -420,6 +457,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  		listener_done(listener);
  		return JOB_REQUEUE_NONE;
  	}
@@ -130,7 +130,7 @@ index 0c86275e2..baa83f440 100644
  	listener->lock->lock(listener->lock);
  	listener->ike_sa = ike_sa;
  	listener->lock->unlock(listener->lock);
-@@ -497,6 +535,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -492,6 +530,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  
  METHOD(controller_t, initiate, status_t,
  	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
@@ -138,7 +138,7 @@ index 0c86275e2..baa83f440 100644
  	controller_cb_t callback, void *param, u_int timeout, bool limits)
  {
  	interface_job_t *job;
-@@ -519,6 +558,8 @@ METHOD(controller_t, initiate, status_t,
+@@ -514,6 +553,8 @@ METHOD(controller_t, initiate, status_t,
  			.status = FAILED,
  			.child_cfg = child_cfg,
  			.peer_cfg = peer_cfg,
@@ -148,13 +148,13 @@ index 0c86275e2..baa83f440 100644
  			.options.limits = limits,
  		},
 diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
-index b4ccfced2..9945b78ad 100644
+index af9baca01..02f17a8e3 100644
 --- a/src/libcharon/control/controller.h
 +++ b/src/libcharon/control/controller.h
 @@ -79,6 +79,8 @@ struct controller_t {
  	 *
  	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
- 	 * @param child_cfg		optional child_cfg to set up CHILD_SA from
+ 	 * @param child_cfg		child_cfg to set up CHILD_SA from
 +	 * @param my_host		optional address hint for source
 +	 * @param other_host	optional address hint for destination
  	 * @param cb			logging callback
@@ -192,10 +192,10 @@ index 8d84b934e..b00d0e62d 100644
  		switch (status)
  		{
 diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index 2a4d58eab..0e9d24d11 100644
+index ace7a4528..f0fd8a989 100644
 --- a/src/libcharon/plugins/vici/vici_config.c
 +++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -2149,7 +2149,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
+@@ -2057,7 +2057,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
  			DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
  			charon->controller->initiate(charon->controller,
  					peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
@@ -205,7 +205,7 @@ index 2a4d58eab..0e9d24d11 100644
  		case ACTION_ROUTE:
  			DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
 diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 4c09b578d..1e8e788c3 100644
+index 16e49fdbc..9c6b86741 100644
 --- a/src/libcharon/plugins/vici/vici_control.c
 +++ b/src/libcharon/plugins/vici/vici_control.c
 @@ -16,6 +16,28 @@
@@ -237,29 +237,33 @@ index 4c09b578d..1e8e788c3 100644
  #include "vici_control.h"
  #include "vici_builder.h"
  
-@@ -177,6 +199,9 @@ CALLBACK(initiate, vici_message_t*,
+@@ -169,9 +191,11 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
- 	peer_cfg_t *peer_cfg = NULL;
+ CALLBACK(initiate, vici_message_t*,
- 	child_cfg_t *child_cfg;
+ 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
- 	char *child, *ike, *type, *sa;
+ {
-+	char *my_host_str, *other_host_str;
 +	vici_message_t* msg;
+ 	child_cfg_t *child_cfg = NULL;
+ 	peer_cfg_t *peer_cfg;
+-	char *child, *ike;
 +	host_t *my_host = NULL, *other_host = NULL;
++	char *child, *ike, *my_host_str, *other_host_str;
  	int timeout;
  	bool limits;
  	controller_cb_t log_cb = NULL;
-@@ -190,6 +215,8 @@ CALLBACK(initiate, vici_message_t*,
+@@ -185,6 +209,8 @@ CALLBACK(initiate, vici_message_t*,
  	timeout = request->get_int(request, 0, "timeout");
  	limits = request->get_bool(request, FALSE, "init-limits");
  	log.level = request->get_int(request, 1, "loglevel");
 +	my_host_str = request->get_str(request, NULL, "my-host");
 +	other_host_str = request->get_str(request, NULL, "other-host");
  
- 	if (!child && !ike)
+ 	if (!child)
  	{
-@@ -203,6 +230,17 @@ CALLBACK(initiate, vici_message_t*,
+@@ -195,28 +221,47 @@ CALLBACK(initiate, vici_message_t*,
- 	type = child ? "CHILD_SA" : "IKE_SA";
+ 		log_cb = (controller_cb_t)log_vici;
- 	sa = child ?: ike;
+ 	}
  
+-	DBG1(DBG_CFG, "vici initiate '%s'", child);
 +	if (my_host_str)
 +	{
 +		my_host = host_create_from_string(my_host_str, 0);
@@ -270,13 +274,13 @@ index 4c09b578d..1e8e788c3 100644
 +	}
 +
 +	DBG1(DBG_CFG, "vici initiate '%s', me %H, other %H, limits %d", child, my_host, other_host, limits);
-+
- 	child_cfg = find_child_cfg(child, ike, &peer_cfg);
  
- 	DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
+ 	child_cfg = find_child_cfg(child, ike, &peer_cfg);
-@@ -210,21 +248,30 @@ CALLBACK(initiate, vici_message_t*,
+ 	if (!child_cfg)
  	{
- 		return send_reply(this, "%s config '%s' not found", type, sa);
+-		return send_reply(this, "CHILD_SA config '%s' not found", child);
++		msg = send_reply(this, "CHILD_SA config '%s' not found", child);
++		goto ret;
  	}
 -	switch (charon->controller->initiate(charon->controller, peer_cfg,
 -									child_cfg, log_cb, &log, timeout, limits))
@@ -289,22 +293,22 @@ index 4c09b578d..1e8e788c3 100644
 +			msg = send_reply(this, NULL);
 +			break;
  		case OUT_OF_RES:
--			return send_reply(this, "%s '%s' not established after %dms", type,
+-			return send_reply(this, "CHILD_SA '%s' not established after %dms",
-+			msg = send_reply(this, "%s '%s' not established after %dms", type,
++			msg = send_reply(this, "CHILD_SA '%s' not established after %dms",
- 							  sa, timeout);
+ 							  child, timeout);
 +			break;
  		case INVALID_STATE:
--			return send_reply(this, "establishing %s '%s' not possible at the "
+-			return send_reply(this, "establishing CHILD_SA '%s' not possible "
-+			msg = send_reply(this, "establishing %s '%s' not possible at the "
++			msg = send_reply(this, "establishing CHILD_SA '%s' not possible "
- 							  "moment due to limits", type, sa);
+ 							  "at the moment due to limits", child);
 +			break;
  		case FAILED:
  		default:
--			return send_reply(this, "establishing %s '%s' failed", type, sa);
+-			return send_reply(this, "establishing CHILD_SA '%s' failed", child);
-+			msg = send_reply(this, "establishing %s '%s' failed", type, sa);
++			msg = send_reply(this, "establishing CHILD_SA '%s' failed", child);
 +			break;
  	}
-+
++ret:
 +	if (my_host) my_host->destroy(my_host);
 +	if (other_host) other_host->destroy(other_host);
 +	return msg;
@@ -325,7 +329,7 @@ index 3a0ed879f..e3399007b 100644
  				case ACTION_ROUTE:
  					DBG1(DBG_JOB, "start action: route '%s'", name);
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 1e0ae42fe..52a18e3c2 100644
+index 8a3178674..ad338b04c 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
 @@ -17,6 +17,28 @@
@@ -357,7 +361,7 @@ index 1e0ae42fe..52a18e3c2 100644
  #include <string.h>
  #include <inttypes.h>
  
-@@ -1423,7 +1445,8 @@ out:
+@@ -1408,7 +1430,8 @@ out:
  }
  
  METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -367,7 +371,7 @@ index 1e0ae42fe..52a18e3c2 100644
  {
  	enumerator_t *enumerator;
  	entry_t *entry;
-@@ -1432,7 +1455,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1417,7 +1440,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  	ike_cfg_t *current_ike;
  	u_int segment;
  
@@ -386,7 +390,7 @@ index 1e0ae42fe..52a18e3c2 100644
  
  	if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1)
  	{
-@@ -1449,6 +1482,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1434,6 +1467,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  				entry->condvar->signal(entry->condvar);
  				continue;
  			}
@@ -403,7 +407,7 @@ index 1e0ae42fe..52a18e3c2 100644
  			current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
  			if (current_peer && current_peer->equals(current_peer, peer_cfg))
  			{
-@@ -1480,6 +1523,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1465,6 +1508,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  			return NULL;
  		}
  		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
@@ -444,10 +448,10 @@ index efad2e4d6..c43edabbb 100644
  	/**
  	 * Reset initiator SPI.
 diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index 2bc531b38..7220ea597 100644
+index 148df3923..901a8ba10 100644
 --- a/src/libcharon/sa/trap_manager.c
 +++ b/src/libcharon/sa/trap_manager.c
-@@ -432,7 +432,7 @@ METHOD(trap_manager_t, acquire, void,
+@@ -421,7 +421,7 @@ METHOD(trap_manager_t, acquire, void,
  	peer_cfg_t *peer;
  	child_cfg_t *child;
  	ike_sa_t *ike_sa;
@@ -456,7 +460,7 @@ index 2bc531b38..7220ea597 100644
  	bool wildcard, ignore = FALSE;
  
  	this->lock->read_lock(this->lock);
-@@ -508,36 +508,27 @@ METHOD(trap_manager_t, acquire, void,
+@@ -497,36 +497,27 @@ METHOD(trap_manager_t, acquire, void,
  	this->lock->unlock(this->lock);
  
  	if (wildcard)
@@ -511,7 +515,7 @@ index 2bc531b38..7220ea597 100644
  	{
  		if (ike_sa->get_peer_cfg(ike_sa) == NULL)
 diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
-index 8ade8bf41..03b2cb0f4 100644
+index bf8d2cd79..29d95d85c 100644
 --- a/src/swanctl/commands/initiate.c
 +++ b/src/swanctl/commands/initiate.c
 @@ -13,6 +13,28 @@
@@ -583,12 +587,12 @@ index 8ade8bf41..03b2cb0f4 100644
 @@ -133,6 +169,8 @@ static void __attribute__ ((constructor))reg()
  			{"help",		'h', 0, "show usage information"},
  			{"child",		'c', 1, "initiate a CHILD_SA configuration"},
- 			{"ike",			'i', 1, "initiate an IKE_SA, or name of child's parent"},
+ 			{"ike",			'i', 1, "name of the connection to which the child belongs"},
 +			{"source",		'S', 1, "override source address"},
 +			{"remote",		'R', 1, "override remote address"},
  			{"timeout",		't', 1, "timeout in seconds before detaching"},
  			{"raw",			'r', 0, "dump raw response message"},
  			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 -- 
-2.30.2
+2.24.1
 

0003-vici-send-certificates-for-ike-sa-events.patch

@@ -1,7 +1,7 @@
-From 42dc827df278ff1304fe7414c68fae756a9863f1 Mon Sep 17 00:00:00 2001
+From 0220ba579f8df26f90a1152f115f2a339a755708 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:05 +0300
-Subject: [PATCH 3/5] vici: send certificates for ike-sa events
+Subject: [PATCH 3/6] vici: send certificates for ike-sa events
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -12,10 +12,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
  1 file changed, 41 insertions(+), 7 deletions(-)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index ad07ff12d..e3f6a0d26 100644
+index d7b61ca72..f986ef8ab 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -379,7 +379,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+@@ -337,7 +337,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
   * List details of an IKE_SA
   */
  static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -24,8 +24,8 @@ index ad07ff12d..e3f6a0d26 100644
  {
  	time_t t;
  	ike_sa_id_t *id;
-@@ -388,6 +388,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -345,6 +345,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
- 	uint32_t if_id;
+ 	proposal_t *proposal;
  	uint16_t alg, ks;
  	host_t *host;
 +	auth_cfg_t *auth_cfg;
@@ -33,7 +33,7 @@ index ad07ff12d..e3f6a0d26 100644
  
  	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
  	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
-@@ -397,11 +399,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -354,11 +356,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
  	b->add_kv(b, "local-host", "%H", host);
  	b->add_kv(b, "local-port", "%d", host->get_port(host));
  	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
@@ -77,7 +77,7 @@ index ad07ff12d..e3f6a0d26 100644
  
  	eap = ike_sa->get_other_eap_id(ike_sa);
  
-@@ -531,7 +565,7 @@ CALLBACK(list_sas, vici_message_t*,
+@@ -477,7 +511,7 @@ CALLBACK(list_sas, vici_message_t*,
  		b = vici_builder_create();
  		b->begin_section(b, ike_sa->get_name(ike_sa));
  
@@ -86,7 +86,7 @@ index ad07ff12d..e3f6a0d26 100644
  
  		b->begin_section(b, "child-sas");
  		csas = ike_sa->create_child_sa_enumerator(ike_sa);
-@@ -1717,7 +1751,7 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1650,7 +1684,7 @@ METHOD(listener_t, ike_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -95,7 +95,7 @@ index ad07ff12d..e3f6a0d26 100644
  	b->end_section(b);
  
  	this->dispatcher->raise_event(this->dispatcher,
-@@ -1742,10 +1776,10 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1675,10 +1709,10 @@ METHOD(listener_t, ike_rekey, bool,
  	b = vici_builder_create();
  	b->begin_section(b, old->get_name(old));
  	b->begin_section(b, "old");
@@ -108,7 +108,7 @@ index ad07ff12d..e3f6a0d26 100644
  	b->end_section(b);
  	b->end_section(b);
  
-@@ -1776,7 +1810,7 @@ METHOD(listener_t, child_updown, bool,
+@@ -1708,7 +1742,7 @@ METHOD(listener_t, child_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -116,8 +116,8 @@ index ad07ff12d..e3f6a0d26 100644
 +	list_ike(this, b, ike_sa, now, up);
  	b->begin_section(b, "child-sas");
  
- 	snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
+ 	b->begin_section(b, child_sa->get_name(child_sa));
-@@ -1811,7 +1845,7 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1740,7 +1774,7 @@ METHOD(listener_t, child_rekey, bool,
  	b = vici_builder_create();
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -127,5 +127,5 @@ index ad07ff12d..e3f6a0d26 100644
  
  	b->begin_section(b, old->get_name(old));
 -- 
-2.30.2
+2.24.1
 

0004-vici-add-support-for-individual-sa-state-changes.patch

@@ -1,7 +1,7 @@
-From c4e25fe6bb5338a2c5067ba74808d68183226420 Mon Sep 17 00:00:00 2001
+From 5ad4fd199b718d8281021a6e31d682872b59a34c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:11 +0300
-Subject: [PATCH 4/5] vici: add support for individual sa state changes
+Subject: [PATCH 4/6] vici: add support for individual sa state changes
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -14,10 +14,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
  1 file changed, 105 insertions(+)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index e3f6a0d26..9968cdd3c 100644
+index f986ef8ab..c7b07fca0 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1717,8 +1717,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+@@ -1650,8 +1650,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
  	this->dispatcher->manage_event(this->dispatcher, "list-cert", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
@@ -34,7 +34,7 @@ index e3f6a0d26..9968cdd3c 100644
  	manage_command(this, "list-sas", list_sas, reg);
  	manage_command(this, "list-policies", list_policies, reg);
  	manage_command(this, "list-conns", list_conns, reg);
-@@ -1789,6 +1797,45 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1722,6 +1730,45 @@ METHOD(listener_t, ike_rekey, bool,
  	return TRUE;
  }
  
@@ -80,7 +80,7 @@ index e3f6a0d26..9968cdd3c 100644
  METHOD(listener_t, child_updown, bool,
  	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
  {
-@@ -1868,6 +1915,62 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1797,6 +1844,62 @@ METHOD(listener_t, child_rekey, bool,
  	return TRUE;
  }
  
@@ -143,7 +143,7 @@ index e3f6a0d26..9968cdd3c 100644
  METHOD(vici_query_t, destroy, void,
  	private_vici_query_t *this)
  {
-@@ -1887,8 +1990,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+@@ -1816,8 +1919,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
  			.listener = {
  				.ike_updown = _ike_updown,
  				.ike_rekey = _ike_rekey,
@@ -155,5 +155,5 @@ index e3f6a0d26..9968cdd3c 100644
  			.destroy = _destroy,
  		},
 -- 
-2.30.2
+2.24.1
 

0005-vici-add-deprecated-async-parameter.patch

@@ -0,0 +1,49 @@
+From b251c17bfba838ee565a4f4af35b249024e35e77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 21 Sep 2015 13:42:15 +0300
+Subject: [PATCH 5/6] vici: add (deprecated) async parameter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is obsoleted by the new "timeout=-1" option that achieves
+the same. Only for compatibility with old versions of quagga-nhrp.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+ src/libcharon/plugins/vici/vici_control.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
+index 9c6b86741..718d14b3c 100644
+--- a/src/libcharon/plugins/vici/vici_control.c
++++ b/src/libcharon/plugins/vici/vici_control.c
+@@ -197,7 +197,7 @@ CALLBACK(initiate, vici_message_t*,
+ 	host_t *my_host = NULL, *other_host = NULL;
+ 	char *child, *ike, *my_host_str, *other_host_str;
+ 	int timeout;
+-	bool limits;
++	bool limits, async;
+ 	controller_cb_t log_cb = NULL;
+ 	log_info_t log = {
+ 		.dispatcher = this->dispatcher,
+@@ -208,6 +208,7 @@ CALLBACK(initiate, vici_message_t*,
+ 	ike = request->get_str(request, NULL, "ike");
+ 	timeout = request->get_int(request, 0, "timeout");
+ 	limits = request->get_bool(request, FALSE, "init-limits");
++	async = request->get_bool(request, FALSE, "async");
+ 	log.level = request->get_int(request, 1, "loglevel");
+ 	my_host_str = request->get_str(request, NULL, "my-host");
+ 	other_host_str = request->get_str(request, NULL, "other-host");
+@@ -216,7 +217,7 @@ CALLBACK(initiate, vici_message_t*,
+ 	{
+ 		return send_reply(this, "missing configuration name");
+ 	}
+-	if (timeout >= 0)
++	if (timeout >= 0 && !async)
+ 	{
+ 		log_cb = (controller_cb_t)log_vici;
+ 	}
+-- 
+2.24.1
+

0005-vyos-terminate-connections-source-dest.patch

@@ -1,124 +0,0 @@
-From 2f864ddad4c36726427cd0d4f19b00e226d2b2f9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
-Date: Wed, 22 Jan 2020 13:12:39 +0100
-Subject: [PATCH 5/5] vyos-terminate-connections-source-dest
-
----
- src/libcharon/plugins/vici/vici_control.c | 27 ++++++++++++++++++++---
- src/swanctl/commands/terminate.c          | 18 ++++++++++++++-
- 2 files changed, 41 insertions(+), 4 deletions(-)
-
-diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 1e8e788c3..914574ac3 100644
---- a/src/libcharon/plugins/vici/vici_control.c
-+++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -278,12 +278,13 @@ CALLBACK(terminate, vici_message_t*,
- 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
- {
- 	enumerator_t *enumerator, *isas, *csas;
--	char *child, *ike, *errmsg = NULL;
-+	char *child, *ike, *errmsg = NULL, *my_host_str, *other_host_str;
- 	u_int child_id, ike_id, current, *del, done = 0;
- 	bool force;
- 	int timeout;
- 	ike_sa_t *ike_sa;
- 	child_sa_t *child_sa;
-+	host_t *my_host = NULL, *other_host = NULL;
- 	array_t *ids;
- 	vici_builder_t *builder;
- 	controller_cb_t log_cb = NULL;
-@@ -299,12 +300,23 @@ CALLBACK(terminate, vici_message_t*,
- 	force = request->get_bool(request, FALSE, "force");
- 	timeout = request->get_int(request, 0, "timeout");
- 	log.level = request->get_int(request, 1, "loglevel");
-+	my_host_str = request->get_str(request, NULL, "my-host");
-+	other_host_str = request->get_str(request, NULL, "other-host");
- 
--	if (!child && !ike && !ike_id && !child_id)
-+	if (!child && !ike && !ike_id && !child_id && !my_host_str &&!other_host_str)
- 	{
- 		return send_reply(this, "missing terminate selector");
- 	}
--
-+	if (my_host_str && !other_host_str || other_host_str && !my_host_str)
-+	{
-+		return send_reply(this, "missing source or remote");
-+	}
-+	else
-+	{
-+		my_host = host_create_from_string(my_host_str, 0);
-+		other_host = host_create_from_string(other_host_str, 0);
-+		DBG1(DBG_CFG, "vici terminate with source me %H and other %H", my_host, other_host);
-+	}
- 	if (ike_id)
- 	{
- 		DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id);
-@@ -367,6 +379,15 @@ CALLBACK(terminate, vici_message_t*,
- 		{
- 			array_insert(ids, ARRAY_TAIL, &ike_id);
- 		}
-+		else if (my_host && other_host)
-+		{
-+			if (!my_host->ip_equals(my_host, ike_sa->get_my_host(ike_sa)) || !other_host->ip_equals(other_host, ike_sa->get_other_host(ike_sa)))
-+			{
-+				continue;
-+			}
-+			current = ike_sa->get_unique_id(ike_sa);
-+			array_insert(ids, ARRAY_TAIL, &current);
-+		}
- 	}
- 	isas->destroy(isas);
- 
-diff --git a/src/swanctl/commands/terminate.c b/src/swanctl/commands/terminate.c
-index 2309843b2..37d0bde3f 100644
---- a/src/swanctl/commands/terminate.c
-+++ b/src/swanctl/commands/terminate.c
-@@ -37,7 +37,7 @@ static int terminate(vici_conn_t *conn)
- 	vici_req_t *req;
- 	vici_res_t *res;
- 	command_format_options_t format = COMMAND_FORMAT_NONE;
--	char *arg, *child = NULL, *ike = NULL;
-+	char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
- 	int ret = 0, timeout = 0, level = 1, child_id = 0, ike_id = 0;
- 	bool force = FALSE;
- 
-@@ -74,6 +74,12 @@ static int terminate(vici_conn_t *conn)
- 			case 'l':
- 				level = atoi(arg);
- 				continue;
-+			case 'S':
-+				my_host = arg;
-+				continue;
-+			case 'R':
-+				other_host = arg;
-+				continue;
- 			case EOF:
- 				break;
- 			default:
-@@ -109,6 +115,14 @@ static int terminate(vici_conn_t *conn)
- 	{
- 		vici_add_key_valuef(req, "force", "yes");
- 	}
-+	if (my_host)
-+	{
-+		vici_add_key_valuef(req, "my-host", "%s", my_host);
-+	}
-+	if (other_host)
-+	{
-+		vici_add_key_valuef(req, "other-host", "%s", other_host);
-+	}
- 	if (timeout)
- 	{
- 		vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
-@@ -155,6 +169,8 @@ static void __attribute__ ((constructor))reg()
- 		{
- 			{"help",		'h', 0, "show usage information"},
- 			{"child",		'c', 1, "terminate by CHILD_SA name"},
-+			{"source",		'S', 1, "override source address"},
-+			{"remote",		'R', 1, "override remote address"},
- 			{"ike",			'i', 1, "terminate by IKE_SA name"},
- 			{"child-id",	'C', 1, "terminate by CHILD_SA reqid"},
- 			{"ike-id",		'I', 1, "terminate by IKE_SA unique identifier"},
--- 
-2.30.2
-

0006-support-gre-key-in-ikev1.patch

@@ -0,0 +1,507 @@
+From b2e130f8ce765d5bd0f12ad16ef2434c820c11b1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 21 Sep 2015 13:42:18 +0300
+Subject: [PATCH 6/6] support gre key in ikev1
+
+this implements gre key negotiation in ikev1 similarly to the
+ipsec-tools patch in alpine.
+
+the from/to port pair is internally used as gre key for gre
+protocol traffic selectors. since from/to pairs 0/0xffff and
+0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000
+will not work.
+
+this is not standard compliant, and should probably not be upstreamed
+or used widely, but it is applied for interoperability with alpine
+racoon for the time being.
+---
+ src/libcharon/encoding/payloads/id_payload.c  | 68 ++++++++++++++-----
+ src/libcharon/encoding/payloads/id_payload.h  |  6 +-
+ .../kernel_netlink/kernel_netlink_ipsec.c     | 40 ++++++++---
+ src/libcharon/plugins/stroke/stroke_config.c  |  5 ++
+ src/libcharon/plugins/unity/unity_narrow.c    |  2 +-
+ src/libcharon/plugins/vici/vici_config.c      |  9 ++-
+ src/libcharon/sa/ikev1/tasks/quick_mode.c     | 16 +++--
+ .../selectors/traffic_selector.c              | 33 ++++++++-
+ .../selectors/traffic_selector.h              | 31 +++++++++
+ 9 files changed, 171 insertions(+), 39 deletions(-)
+
+diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
+index b2f1adbbc..6b44d0cf6 100644
+--- a/src/libcharon/encoding/payloads/id_payload.c
++++ b/src/libcharon/encoding/payloads/id_payload.c
+@@ -245,18 +245,20 @@ METHOD(id_payload_t, get_identification, identification_t*,
+  * Create a traffic selector from an range ID
+  */
+ static traffic_selector_t *get_ts_from_range(private_id_payload_t *this,
+-											 ts_type_t type)
++											 ts_type_t type,
++											 uint16_t from_port, uint16_t to_port)
+ {
+ 	return traffic_selector_create_from_bytes(this->protocol_id, type,
+-		chunk_create(this->id_data.ptr, this->id_data.len / 2), this->port,
+-		chunk_skip(this->id_data, this->id_data.len / 2), this->port ?: 65535);
++		chunk_create(this->id_data.ptr, this->id_data.len / 2), from_port,
++		chunk_skip(this->id_data, this->id_data.len / 2), to_port);
+ }
+ 
+ /**
+  * Create a traffic selector from an subnet ID
+  */
+ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+-											  ts_type_t type)
++											  ts_type_t type,
++											  uint16_t from_port, uint16_t to_port)
+ {
+ 	traffic_selector_t *ts;
+ 	chunk_t net, netmask;
+@@ -269,7 +271,7 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+ 		netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i];
+ 	}
+ 	ts = traffic_selector_create_from_bytes(this->protocol_id, type,
+-								net, this->port, netmask, this->port ?: 65535);
++								net, from_port, netmask, to_port);
+ 	chunk_free(&netmask);
+ 	return ts;
+ }
+@@ -278,51 +280,76 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+  * Create a traffic selector from an IP ID
+  */
+ static traffic_selector_t *get_ts_from_ip(private_id_payload_t *this,
+-										  ts_type_t type)
++										  ts_type_t type,
++										  uint16_t from_port, uint16_t to_port)
+ {
+ 	return traffic_selector_create_from_bytes(this->protocol_id, type,
+-				this->id_data, this->port, this->id_data, this->port ?: 65535);
++				this->id_data, from_port, this->id_data, to_port);
+ }
+ 
+ METHOD(id_payload_t, get_ts, traffic_selector_t*,
+-	private_id_payload_t *this)
++	private_id_payload_t *this, id_payload_t *other_, bool initiator)
+ {
++	private_id_payload_t *other = (private_id_payload_t *) other_;
++	uint16_t from_port, to_port;
++
++	if (other && this->protocol_id == IPPROTO_GRE && other->protocol_id == IPPROTO_GRE)
++	{
++		if (initiator)
++		{
++			from_port = this->port;
++			to_port = other->port;
++		}
++		else
++		{
++			from_port = other->port;
++			to_port = this->port;
++		}
++		if (from_port == 0 && to_port == 0)
++			to_port = 0xffff;
++	}
++	else
++	{
++		from_port = this->port;
++		to_port = this->port ?: 0xffff;
++	}
++
+ 	switch (this->id_type)
+ 	{
+ 		case ID_IPV4_ADDR_SUBNET:
+ 			if (this->id_data.len == 8)
+ 			{
+-				return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE);
++				return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV6_ADDR_SUBNET:
+ 			if (this->id_data.len == 32)
+ 			{
+-				return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE);
++				return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV4_ADDR_RANGE:
+ 			if (this->id_data.len == 8)
+ 			{
+-				return get_ts_from_range(this, TS_IPV4_ADDR_RANGE);
++				return get_ts_from_range(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV6_ADDR_RANGE:
+ 			if (this->id_data.len == 32)
+ 			{
+-				return get_ts_from_range(this, TS_IPV6_ADDR_RANGE);
++				return get_ts_from_range(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV4_ADDR:
+ 			if (this->id_data.len == 4)
+ 			{
+-				return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE);
++				return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV6_ADDR:
+ 			if (this->id_data.len == 16)
+ 			{
+-				return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE);
++				return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		default:
+@@ -397,7 +424,7 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
+ /*
+  * Described in header.
+  */
+-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
++id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator)
+ {
+ 	private_id_payload_t *this;
+ 	uint8_t mask;
+@@ -460,8 +487,17 @@ id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
+ 							ts->get_from_address(ts), ts->get_to_address(ts));
+ 		net->destroy(net);
+ 	}
+-	this->port = ts->get_from_port(ts);
+ 	this->protocol_id = ts->get_protocol(ts);
++	if (initiator || this->protocol_id != IPPROTO_GRE)
++	{
++		this->port = ts->get_from_port(ts);
++	}
++	else
++	{
++		this->port = ts->get_to_port(ts);
++		if (this->port == 0xffff && ts->get_from_port(ts) == 0)
++			this->port = 0;
++	}
+ 	this->payload_length += this->id_data.len;
+ 
+ 	return &this->public;
+diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
+index 283780624..fafeca8bc 100644
+--- a/src/libcharon/encoding/payloads/id_payload.h
++++ b/src/libcharon/encoding/payloads/id_payload.h
+@@ -48,11 +48,11 @@ struct id_payload_t {
+ 	identification_t *(*get_identification) (id_payload_t *this);
+ 
+ 	/**
+-	 * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity.
++	 * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity pair.
+ 	 *
+ 	 * @return				traffic selector, NULL on failure
+ 	 */
+-	traffic_selector_t* (*get_ts)(id_payload_t *this);
++	traffic_selector_t* (*get_ts)(id_payload_t *this, id_payload_t *other, bool initiator);
+ 
+ 	/**
+ 	 * Get encoded payload without fixed payload header (used for IKEv1).
+@@ -91,6 +91,6 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
+  * @param ts		traffic selector
+  * @return			PLV1_ID id_paylad_t object.
+  */
+-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts);
++id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator);
+ 
+ #endif /** ID_PAYLOAD_H_ @}*/
+diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+index 40fff7e05..0743f7a95 100644
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+@@ -869,7 +869,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ 	ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
+ 	ts2ports(dst, &sel.dport, &sel.dport_mask);
+ 	ts2ports(src, &sel.sport, &sel.sport_mask);
+-	if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
++	if (sel.proto == IPPROTO_GRE)
++	{
++		sel.sport = htons(src->get_from_port(src));
++		sel.dport = htons(src->get_to_port(src));
++		sel.sport_mask = ~0;
++		sel.dport_mask = ~0;
++		if (sel.sport == htons(0) && sel.dport == htons(0xffff))
++		{
++			sel.sport = sel.dport = sel.sport_mask = sel.dport_mask = 0;
++		}
++	}
++	else if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
+ 		(sel.dport || sel.sport))
+ 	{
+ 		/* the kernel expects the ICMP type and code in the source and
+@@ -893,7 +904,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ {
+ 	u_char *addr;
+ 	uint8_t prefixlen;
+-	uint16_t port = 0;
++	uint16_t from_port = 0, to_port = 65535;
+ 	host_t *host = NULL;
+ 
+ 	if (src)
+@@ -902,7 +913,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ 		prefixlen = sel->prefixlen_s;
+ 		if (sel->sport_mask)
+ 		{
+-			port = ntohs(sel->sport);
++			from_port = to_port = ntohs(sel->sport);
+ 		}
+ 	}
+ 	else
+@@ -911,14 +922,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ 		prefixlen = sel->prefixlen_d;
+ 		if (sel->dport_mask)
+ 		{
+-			port = ntohs(sel->dport);
++			from_port = to_port = ntohs(sel->dport);
++		}
++	}
++	if (sel->proto == IPPROTO_GRE)
++	{
++		if (sel->sport_mask)
++		{
++			from_port = ntohs(sel->sport);
++			to_port = ntohs(sel->dport);
++		}
++		else
++		{
++			from_port = 0;
++			to_port = 0xffff;
+ 		}
+ 	}
+-	if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
++	else if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
+ 	{	/* convert ICMP[v6] message type and code as supplied by the kernel in
+ 		 * source and destination ports (both in network order) */
+-		port = (sel->sport >> 8) | (sel->dport & 0xff00);
+-		port = ntohs(port);
++		from_port = (sel->sport >> 8) | (sel->dport & 0xff00);
++		from_port = to_port = ntohs(from_port);
+ 	}
+ 	/* The Linux 2.6 kernel does not set the selector's family field,
+ 	 * so as a kludge we additionally test the prefix length.
+@@ -935,7 +959,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ 	if (host)
+ 	{
+ 		return traffic_selector_create_from_subnet(host, prefixlen,
+-											sel->proto, port, port ?: 65535);
++											sel->proto, from_port, to_port);
+ 	}
+ 	return NULL;
+ }
+diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
+index 8cdb5ef48..a81949c09 100644
+--- a/src/libcharon/plugins/stroke/stroke_config.c
++++ b/src/libcharon/plugins/stroke/stroke_config.c
+@@ -936,6 +936,11 @@ static bool parse_protoport(char *token, uint16_t *from_port,
+ 		*from_port = 0xffff;
+ 		*to_port = 0;
+ 	}
++	else if (*port && *protocol == IPPROTO_GRE)
++	{
++		p = strtol(port, &endptr, 0);
++		traffic_selector_split_grekey(p, from_port, to_port);
++	}
+ 	else if (*port)
+ 	{
+ 		svc = getservbyname(port, NULL);
+diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
+index afbd6cc7e..911fe70c6 100644
+--- a/src/libcharon/plugins/unity/unity_narrow.c
++++ b/src/libcharon/plugins/unity/unity_narrow.c
+@@ -248,7 +248,7 @@ METHOD(listener_t, message, bool,
+ 			if (!first)
+ 			{
+ 				id_payload = (id_payload_t*)payload;
+-				tsr = id_payload->get_ts(id_payload);
++				tsr = id_payload->get_ts(id_payload, NULL, FALSE);
+ 				break;
+ 			}
+ 			first = FALSE;
+diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
+index f0fd8a989..9f9dcfa45 100644
+--- a/src/libcharon/plugins/vici/vici_config.c
++++ b/src/libcharon/plugins/vici/vici_config.c
+@@ -691,8 +691,13 @@ CALLBACK(parse_ts, bool,
+ 		}
+ 		else if (*port && !streq(port, "any"))
+ 		{
+-			svc = getservbyname(port, NULL);
+-			if (svc)
++			if (proto == IPPROTO_GRE)
++			{
++				p = strtol(port, &end, 0);
++				if (*end) return FALSE;
++				traffic_selector_split_grekey(p, &from, &to);
++			}
++			else if ((svc = getservbyname(port, NULL)) != NULL)
+ 			{
+ 				from = to = ntohs(svc->s_port);
+ 			}
+diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
+index b0a42b8bd..4ef4bf324 100644
+--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
++++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
+@@ -567,9 +567,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message)
+ {
+ 	id_payload_t *id_payload;
+ 
+-	id_payload = id_payload_create_from_ts(this->tsi);
++	id_payload = id_payload_create_from_ts(this->tsi, TRUE);
+ 	message->add_payload(message, &id_payload->payload_interface);
+-	id_payload = id_payload_create_from_ts(this->tsr);
++	id_payload = id_payload_create_from_ts(this->tsr, FALSE);
+ 	message->add_payload(message, &id_payload->payload_interface);
+ }
+ 
+@@ -580,7 +580,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
+ {
+ 	traffic_selector_t *tsi = NULL, *tsr = NULL;
+ 	enumerator_t *enumerator;
+-	id_payload_t *id_payload;
++	id_payload_t *idi = NULL, *idr = NULL;
+ 	payload_t *payload;
+ 	host_t *hsi, *hsr;
+ 	bool first = TRUE;
+@@ -590,20 +590,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
+ 	{
+ 		if (payload->get_type(payload) == PLV1_ID)
+ 		{
+-			id_payload = (id_payload_t*)payload;
+-
+ 			if (first)
+ 			{
+-				tsi = id_payload->get_ts(id_payload);
++				idi = (id_payload_t*)payload;
+ 				first = FALSE;
+ 			}
+ 			else
+ 			{
+-				tsr = id_payload->get_ts(id_payload);
++				idr = (id_payload_t*)payload;
+ 				break;
+ 			}
+ 		}
+ 	}
++	if (idi && idr) {
++		tsi = idi->get_ts(idi, idr, TRUE);
++		tsr = idr->get_ts(idr, idi, FALSE);
++	}
+ 	enumerator->destroy(enumerator);
+ 
+ 	/* create host2host selectors if ID payloads missing */
+diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
+index cfd2b029d..d01e2ccec 100644
+--- a/src/libstrongswan/selectors/traffic_selector.c
++++ b/src/libstrongswan/selectors/traffic_selector.c
+@@ -198,6 +198,14 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
+ 	return print_in_hook(data, "%d", type);
+ }
+ 
++/**
++ * Print GRE key
++ */
++static int print_grekey(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
++{
++	return print_in_hook(data, "%d", traffic_selector_grekey(from_port, to_port));
++}
++
+ /**
+  * Described in header.
+  */
+@@ -303,7 +311,11 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
+ 	{
+ 		written += print_in_hook(data, "/");
+ 
+-		if (this->from_port == this->to_port)
++		if (this->protocol == IPPROTO_GRE)
++		{
++			written += print_grekey(data, this->from_port, this->to_port);
++		}
++		else if (this->from_port == this->to_port)
+ 		{
+ 			struct servent *serv;
+ 
+@@ -377,7 +389,24 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
+ 	/* select protocol, which is not zero */
+ 	protocol = max(this->protocol, other->protocol);
+ 
+-	if ((is_opaque(this) && is_opaque(other)) ||
++	if (this->protocol == IPPROTO_GRE)
++	{
++		if (is_any(this))
++		{
++			from_port = other->from_port;
++			to_port = other->to_port;
++		}
++		else if (is_any(other) ||
++			 (this->from_port == other->from_port &&
++			  this->to_port == other->to_port))
++		{
++			from_port = this->from_port;
++			to_port = this->to_port;
++		}
++		else
++			return NULL;
++	}
++	else if ((is_opaque(this) && is_opaque(other)) ||
+ 		(is_opaque(this) && is_any(other)) ||
+ 		(is_opaque(other) && is_any(this)))
+ 	{
+diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
+index 03f7a6d8c..b27ca4ad1 100644
+--- a/src/libstrongswan/selectors/traffic_selector.h
++++ b/src/libstrongswan/selectors/traffic_selector.h
+@@ -120,6 +120,9 @@ struct traffic_selector_t {
+ 	 * 8 bits and the code in the least significant 8 bits.  Use the utility
+ 	 * functions to extract them.
+ 	 *
++	 * If the protocol is GRE, the high 16-bits of the 32-bit GRE key is stored
++	 * in the from port. Use the utility function to merge and split them.
++	 *
+ 	 * @return			port
+ 	 */
+ 	uint16_t (*get_from_port)(traffic_selector_t *this);
+@@ -134,6 +137,9 @@ struct traffic_selector_t {
+ 	 * 8 bits and the code in the least significant 8 bits.  Use the utility
+ 	 * functions to extract them.
+ 	 *
++	 * If the protocol is GRE, the low 16-bits of the 32-bit GRE key is stored
++	 * in the to port. Use the utility function to merge and split them.
++	 *
+ 	 * @return			port
+ 	 */
+ 	uint16_t (*get_to_port)(traffic_selector_t *this);
+@@ -277,6 +283,31 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
+ int traffic_selector_cmp(traffic_selector_t *a, traffic_selector_t *b,
+ 						 void *opts);
+ 
++/**
++ * Reconstruct the 32-bit GRE KEY in host order from a from/to ports.
++ *
++ * @param from_port			port number in host order
++ * @param to_port			port number in host order
++ * @return				GRE KEY in host order
++ */
++static inline uint32_t traffic_selector_grekey(uint16_t from_port, uint16_t to_port)
++{
++	return (from_port << 16) | to_port;
++}
++
++/**
++ * Split 32-bit GRE KEY in host order to from/to ports.
++ *
++ * @param grekey			grekey in host order
++ * @param from_port			from port in host order
++ * @param to_port			to port in host order
++ */
++static inline void traffic_selector_split_grekey(uint32_t grekey, uint16_t *from_port, uint16_t *to_port)
++{
++	*from_port = grekey >> 16;
++	*to_port = grekey & 0xffff;
++}
++
+ /**
+  * Create a new traffic selector using human readable params.
+  *
+-- 
+2.24.1
+

sources

@@ -1 +1 @@
-SHA512 (strongswan-5.9.0.tar.bz2) = b982ce7c3e940ad75ab71b02ce3e2813b41c6b098cde5b6f3f3513d095f409fe989ae6e38a31eff51c57423bf452c3610cd5cd8cd7f45ff932581d9859df1821
+SHA512 (strongswan-5.7.2.tar.bz2) = e2169dbbc0c03737e34af90d7bc07e444408c5e2ac1f81764eeccbac8b142b984ce9ed512a89071075a930e0997632267f6912aa5b352eee2edbd551b5a64e7e

strongswan-5.8.2-extern-global.patch

@@ -1,11 +0,0 @@
---- strongswan-5.8.2/src/swanctl/swanctl.h.orig	2020-02-23 00:35:39.051000000 +0200
-+++ strongswan-5.8.2/src/swanctl/swanctl.h	2020-02-23 00:35:51.930355656 +0200
-@@ -30,7 +30,7 @@
- /**
-  * Base directory for credentials and config
-  */
--char *swanctl_dir;
-+extern char *swanctl_dir;
- 
- /**
-  * Configuration file for connections, etc.

strongswan-5.8.4-runtime-dir.patch

@@ -1,24 +0,0 @@
-diff -ur strongswan-5.8.4.orig/init/systemd/strongswan.service.in strongswan-5.8.4/init/systemd/strongswan.service.in
---- strongswan-5.8.4.orig/init/systemd/strongswan.service.in	2019-08-27 16:26:53.000000000 +0300
-+++ strongswan-5.8.4/init/systemd/strongswan.service.in	2020-04-12 12:05:57.383596844 +0300
-@@ -9,6 +9,8 @@
- ExecReload=@SBINDIR@/swanctl --reload
- ExecReload=@SBINDIR@/swanctl --load-all --noprompt
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
- 
- [Install]
- WantedBy=multi-user.target
-diff -ur strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in
---- strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in	2019-08-27 16:26:53.000000000 +0300
-+++ strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in	2020-04-12 12:05:51.810559482 +0300
-@@ -6,6 +6,8 @@
- ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
- StandardOutput=syslog
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
- 
- [Install]
- WantedBy=multi-user.target

strongswan.spec

@@ -1,16 +1,13 @@
 %global _hardened_build 1
 #%%define prerelease dr1
-%global dist .nhrp.4%{?dist}
 
 Name:           strongswan
-Version:        5.9.0
+Version:        5.7.2
-Release:        2%{?dist}
+Release:        1.nhrp%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
 URL:            http://www.strongswan.org/
 Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
-Source1:        tmpfiles-strongswan.conf
-Patch0:         strongswan-5.8.4-runtime-dir.patch
 Patch1:         strongswan-5.6.0-uintptr_t.patch
 Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
 
@@ -18,7 +15,8 @@ Patch10:        0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
 Patch11:        0002-charon-add-optional-source-and-remote-overrides-for-.patch
 Patch12:        0003-vici-send-certificates-for-ike-sa-events.patch
 Patch13:        0004-vici-add-support-for-individual-sa-state-changes.patch
-Patch14:        0005-vyos-terminate-connections-source-dest.patch
+Patch14:        0005-vici-add-deprecated-async-parameter.patch
+Patch15:        0006-support-gre-key-in-ikev1.patch
 
 # only needed for pre-release versions
 #BuildRequires:  autoconf automake
@@ -87,7 +85,6 @@ PT-TLS to support TNC over TLS.
 
 %prep
 %setup -q -n %{name}-%{version}%{?prerelease}
-%patch0 -p1
 %patch1 -p1
 %patch3 -p1
 
@@ -96,6 +93,8 @@ PT-TLS to support TNC over TLS.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+
 
 %build
 # only for snapshots
@@ -111,8 +110,7 @@ PT-TLS to support TNC over TLS.
     --with-ipsecdir=%{_libexecdir}/strongswan \
     --bindir=%{_libexecdir}/strongswan \
     --with-ipseclibdir=%{_libdir}/strongswan \
-    --with-piddir=%{_rundir}/strongswan \
+    --with-fips-mode=2 \
-    --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
     --enable-bypass-lan \
     --enable-tss-trousers \
     --enable-nm \
@@ -196,6 +194,7 @@ make %{?_smp_mflags}
 
 %install
 make install DESTDIR=%{buildroot}
+mv %{buildroot}%{_sysconfdir}/strongswan/dbus-1 %{buildroot}%{_sysconfdir}/
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
     if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -213,8 +212,6 @@ install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d
 for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
     install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
 done
-install -d -m 0700 %{buildroot}%{_rundir}/strongswan
-install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 
 %post
 %systemd_post %{name}.service
@@ -235,7 +232,7 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %dir %{_libdir}/strongswan/plugins
 %dir %{_libexecdir}/strongswan
 %{_unitdir}/strongswan.service
-%{_unitdir}/strongswan-starter.service
+%{_unitdir}/strongswan-swanctl.service
 %{_sbindir}/charon-cmd
 %{_sbindir}/charon-systemd
 %{_sbindir}/strongswan
@@ -256,8 +253,6 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_mandir}/man?/*.gz
 %{_datadir}/strongswan/templates/config/
 %{_datadir}/strongswan/templates/database/
-%attr(0755,root,root) %dir %{_rundir}/strongswan
-%attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
 
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -281,55 +276,10 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 
 %files charon-nm
 %doc COPYING
-%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
+%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm
 
 %changelog
-* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
-- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
-
-* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
-- Resolves: rhbz#1861747 strongswan-5.9.0 is available
-- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
-  (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
-
-* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
-- Patch0: Add RuntimeDirectory options to service files (#1789263)
-
-* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
-- Updated to 5.8.4
-- Patch4 has been applied upstream
-
-* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-6
-- Patch0: Add RuntimeDirectory options to service files (#1789263)
-
-* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
-- Patch to declare a global variable with extern (#1800117)
-
-* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
-- use tmpfile to ensure rundir is present
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
-- Use /run/strongswan as rundir to support strongswans in namespaces
-
-* Tue Dec 17 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-1
-- Update to 5.8.2 (#1784457)
-- The D-Bus config file moved under datadir
-
-* Mon Sep 02 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.1-1
-- Update to 5.8.1 (#1711920)
-- No more separate strongswan-swanctl.service to start out of order (#1775548)
-- Added strongswan-starter.service
-
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
 * Wed Jan 09 2019 Paul Wouters <pwouters@redhat.com> - 5.7.2-1
 - Updated to 5.7.2
 

tmpfiles-strongswan.conf

@@ -1 +0,0 @@
-D /run/strongswan 0755 root root -