Bump epoch

Patch vici for NHRP
2019-12-31 11:33:53 +01:00 · 2019-12-31 09:55:38 +01:00
14 changed files with 917 additions and 983 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,19 +1 @@
-/strongswan-5.8.4.tar.bz2
-/strongswan-5.9.0.tar.bz2
-/strongswan-5.9.1.tar.bz2
-/strongswan-5.9.2.tar.bz2
-/strongswan-5.9.3.tar.bz2
-/strongswan-5.9.4.tar.bz2
-/948F158A4E76A27BF3D07532DF42C170B34DBA77
-/strongswan-5.9.5.tar.bz2
-/strongswan-5.9.5.tar.bz2.sig
-/strongswan-5.9.6.tar.bz2
-/strongswan-5.9.6.tar.bz2.sig
-/strongswan-5.9.8.tar.bz2
-/strongswan-5.9.8.tar.bz2.sig
-/strongswan-5.9.9.tar.bz2
-/strongswan-5.9.9.tar.bz2.sig
-/strongswan-5.9.10.tar.bz2
-/strongswan-5.9.10.tar.bz2.sig
-/strongswan-5.9.11.tar.bz2
-/strongswan-5.9.11.tar.bz2.sig
+/strongswan-5.6.3.tar.bz2
--- a/0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
+++ b/0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
@@ -0,0 +1,104 @@
+From 9d85d221f1bf330d31fa334d1bb7760fee90317e Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 17 Jul 2015 11:53:58 +0200
+Subject: [PATCH 1/6] ike: Adhere to IKE_SA limit when checking out by config
+
+This prevents new SAs from getting created if we hit the global IKE_SA
+limit (we still allow checkout_new(), which is used for rekeying).
+---
+ src/libcharon/sa/ike_sa_manager.c | 71 ++++++++++++++++---------------
+ 1 file changed, 37 insertions(+), 34 deletions(-)
+
+diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
+index 2a499db40..74f2a933c 100644
+--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
+@@ -1419,48 +1419,51 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 
+ 	DBG2(DBG_MGR, "checkout IKE_SA by config");
+ 
+-	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
+-	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
+-		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
+-		charon->bus->set_sa(charon->bus, ike_sa);
+-		goto out;
+-	}
+-
+-	enumerator = create_table_enumerator(this);
+-	while (enumerator->enumerate(enumerator, &entry, &segment))
+	if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1)
+ 	{
+-		if (!wait_for_entry(this, entry, segment))
+		enumerator = create_table_enumerator(this);
+		while (enumerator->enumerate(enumerator, &entry, &segment))
+ 		{
+-			continue;
+-		}
+-		if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
+-			entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED)
+-		{	/* skip IKE_SAs which are not usable, wake other waiting threads */
+-			entry->condvar->signal(entry->condvar);
+-			continue;
+-		}
+-
+-		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+-		if (current_peer && current_peer->equals(current_peer, peer_cfg))
+-		{
+-			current_ike = current_peer->get_ike_cfg(current_peer);
+-			if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
+			if (!wait_for_entry(this, entry, segment))
+ 			{
+-				entry->checked_out = thread_current();
+-				ike_sa = entry->ike_sa;
+-				DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
+-						ike_sa->get_unique_id(ike_sa),
+-						current_peer->get_name(current_peer));
+-				break;
+				continue;
+ 			}
+			if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
+				entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED)
+			{	/* skip IKE_SAs which are not usable, wake other waiting threads */
+				entry->condvar->signal(entry->condvar);
+				continue;
+			}
+			current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+			if (current_peer && current_peer->equals(current_peer, peer_cfg))
+			{
+				current_ike = current_peer->get_ike_cfg(current_peer);
+				if (current_ike->equals(current_ike,
+										peer_cfg->get_ike_cfg(peer_cfg)))
+				{
+					entry->checked_out = thread_current();
+					ike_sa = entry->ike_sa;
+					DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
+							ike_sa->get_unique_id(ike_sa),
+							current_peer->get_name(current_peer));
+					break;
+				}
+			}
+			/* other threads might be waiting for this entry */
+			entry->condvar->signal(entry->condvar);
+ 		}
+-		/* other threads might be waiting for this entry */
+-		entry->condvar->signal(entry->condvar);
+		enumerator->destroy(enumerator);
+ 	}
+-	enumerator->destroy(enumerator);
+ 
+ 	if (!ike_sa)
+-	{	/* no IKE_SA using such a config, hand out a new */
+	{	/* no IKE_SA using such a config, or reuse disabled, hand out a new */
+		if (this->ikesa_limit &&
+			this->public.get_count(&this->public) >= this->ikesa_limit)
+		{
+			DBG1(DBG_MGR, "IKE_SA creation failed, hitting IKE_SA limit (%u)",
+				 this->ikesa_limit);
+			return NULL;
+		}
+ 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
+ 	}
+ 	charon->bus->set_sa(charon->bus, ike_sa);
+-- 
+2.24.1
+
--- a/0002-charon-add-optional-source-and-remote-overrides-for-.patch
+++ b/0002-charon-add-optional-source-and-remote-overrides-for-.patch
@@ -1,7 +1,7 @@
-From ec53b2914730f08d151d14e9b48557196ec0cc49 Mon Sep 17 00:00:00 2001
+From bf75041bd4a2c0f18b1db80f5cf9124a4b0538a0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:41:58 +0300
-Subject: [PATCH 1/3] charon: add optional source and remote overrides for
+Subject: [PATCH 2/6] charon: add optional source and remote overrides for
 initiate
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -18,66 +18,46 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
 src/charon-cmd/cmd/cmd_connection.c           |  2 +-
 src/charon-nm/nm/nm_service.c                 |  2 +-
- src/conftest/actions.c                        |  2 +-
- src/libcharon/control/controller.c            | 43 +++++++++++++-
+ src/libcharon/control/controller.c            | 43 ++++++++++++-
 src/libcharon/control/controller.h            |  3 +
- .../plugins/load_tester/load_tester_control.c |  1 +
- .../plugins/load_tester/load_tester_plugin.c  |  1 +
- src/libcharon/plugins/medcli/medcli_config.c  |  2 +-
- src/libcharon/plugins/smp/smp.c               |  3 +-
 src/libcharon/plugins/stroke/stroke_control.c |  5 +-
- src/libcharon/plugins/uci/uci_control.c       |  3 +-
 src/libcharon/plugins/vici/vici_config.c      |  2 +-
- src/libcharon/plugins/vici/vici_control.c     | 59 +++++++++++++++++--
- .../processing/jobs/initiate_mediation_job.c  |  1 +
+ src/libcharon/plugins/vici/vici_control.c     | 63 ++++++++++++++++---
 .../processing/jobs/start_action_job.c        |  2 +-
- src/libcharon/sa/ike_sa_manager.c             | 49 ++++++++++++++-
+ src/libcharon/sa/ike_sa_manager.c             | 51 ++++++++++++++-
 src/libcharon/sa/ike_sa_manager.h             |  8 ++-
- src/libcharon/sa/trap_manager.c               | 44 ++++++--------
- src/swanctl/commands/initiate.c               | 40 ++++++++++++-
- 21 files changed, 225 insertions(+), 50 deletions(-)
+ src/libcharon/sa/trap_manager.c               | 45 ++++++-------
+ src/swanctl/commands/initiate.c               | 40 +++++++++++-
+ 12 files changed, 218 insertions(+), 48 deletions(-)

 diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
-index 2e2cb3ca2..b9369a8a2 100644
+index 1cf431ff2..ae406393f 100644
 --- a/src/charon-cmd/cmd/cmd_connection.c
 +++ b/src/charon-cmd/cmd/cmd_connection.c
-@@ -439,7 +439,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
+@@ -436,7 +436,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
 	child_cfg = create_child_cfg(this, peer_cfg);
 
 	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-				controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS)
-+				NULL, NULL, controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS)
+-								controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
+								NULL, NULL, controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
 	{
 		terminate(pid);
 	}
 diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
-index 7f88514a7..4c3491984 100644
+index a12f008a7..59e053318 100644
 --- a/src/charon-nm/nm/nm_service.c
 +++ b/src/charon-nm/nm/nm_service.c
-@@ -942,7 +942,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
+@@ -622,7 +622,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 	 * Prepare IKE_SA
 	 */
 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 -														peer_cfg);
 +														peer_cfg, NULL, NULL);
- 	peer_cfg->destroy(peer_cfg);
 	if (!ike_sa)
 	{
-diff --git a/src/conftest/actions.c b/src/conftest/actions.c
-index b6b186117..21e329e3e 100644
--- a/src/conftest/actions.c
-+++ b/src/conftest/actions.c
-@@ -66,7 +66,7 @@ static job_requeue_t initiate(char *config)
- 	{
- 		DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config);
- 		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-									 NULL, NULL, 0, 0, FALSE);
-+									 NULL, NULL, NULL, NULL, 0, 0, FALSE);
- 	}
- 	else
- 	{
+ 		peer_cfg->destroy(peer_cfg);
 diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index 027f48e93..9109b20e4 100644
+index 589c536d2..037e6a72d 100644
 --- a/src/libcharon/control/controller.c
 +++ b/src/libcharon/control/controller.c
@@ -15,6 +15,28 @@
@@ -109,7 +89,7 @@ index 027f48e93..9109b20e4 100644
 #include "controller.h"
 
 #include <sys/types.h>
-@@ -107,6 +129,16 @@ struct interface_listener_t {
+@@ -102,6 +124,16 @@ struct interface_listener_t {
 	 */
 	ike_sa_t *ike_sa;
 
@@ -126,7 +106,7 @@ index 027f48e93..9109b20e4 100644
 	/**
 	 * unique ID, used for various methods
 	 */
-@@ -417,10 +449,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -409,9 +441,14 @@ METHOD(job_t, initiate_execute, job_requeue_t,
 	ike_sa_t *ike_sa;
 	interface_listener_t *listener = &job->listener;
 	peer_cfg_t *peer_cfg = listener->peer_cfg;
@@ -136,23 +116,29 @@ index 027f48e93..9109b20e4 100644
 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 -														peer_cfg);
 +														peer_cfg, my_host, other_host);
- 	peer_cfg->destroy(peer_cfg);
-+
-+	if (my_host) my_host->destroy(my_host);
-+	if (other_host) other_host->destroy(other_host);
+	DESTROY_IF(my_host);
+	DESTROY_IF(other_host);
 +
 	if (!ike_sa)
 	{
- 		DESTROY_IF(listener->child_cfg);
-@@ -499,6 +537,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+ 		listener->child_cfg->destroy(listener->child_cfg);
+@@ -420,6 +457,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+ 		listener_done(listener);
+ 		return JOB_REQUEUE_NONE;
+ 	}
+
+ 	listener->lock->lock(listener->lock);
+ 	listener->ike_sa = ike_sa;
+ 	listener->lock->unlock(listener->lock);
+@@ -492,6 +530,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
 
 METHOD(controller_t, initiate, status_t,
 	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 +	host_t *my_host, host_t *other_host,
- 	controller_cb_t callback, void *param, level_t max_level, u_int timeout,
- 	bool limits)
+ 	controller_cb_t callback, void *param, u_int timeout, bool limits)
 {
-@@ -523,6 +562,8 @@ METHOD(controller_t, initiate, status_t,
+ 	interface_job_t *job;
+@@ -514,6 +553,8 @@ METHOD(controller_t, initiate, status_t,
 			.status = FAILED,
 			.child_cfg = child_cfg,
 			.peer_cfg = peer_cfg,
@@ -162,132 +148,67 @@ index 027f48e93..9109b20e4 100644
 			.options.limits = limits,
 		},
 diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
-index 36a1d4631..a130fbb6b 100644
+index af9baca01..02f17a8e3 100644
 --- a/src/libcharon/control/controller.h
 +++ b/src/libcharon/control/controller.h
-@@ -81,6 +81,8 @@ struct controller_t {
+@@ -79,6 +79,8 @@ struct controller_t {
 	 *
 	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
- 	 * @param child_cfg		optional child_cfg to set up CHILD_SA from
+ 	 * @param child_cfg		child_cfg to set up CHILD_SA from
 +	 * @param my_host		optional address hint for source
-+	 * @param other_host		optional address hint for destination
+	 * @param other_host	optional address hint for destination
 	 * @param cb			logging callback
 	 * @param param			parameter to include in each call of cb
- 	 * @param max_level		maximum log level for which cb is invoked
-@@ -95,6 +97,7 @@ struct controller_t {
+ 	 * @param timeout		timeout in ms to wait for callbacks, 0 to disable
+@@ -92,6 +94,7 @@ struct controller_t {
 	 */
 	status_t (*initiate)(controller_t *this,
 						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 +						 host_t *my_host, host_t *other_host,
- 						 controller_cb_t callback, void *param,
- 						 level_t max_level, u_int timeout, bool limits);
+ 						 controller_cb_t callback, void *param, u_int timeout,
+ 						 bool limits);
 
-diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
-index b5356289a..ddef85b4a 100644
--- a/src/libcharon/plugins/load_tester/load_tester_control.c
-+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
-@@ -240,6 +240,7 @@ static bool on_accept(private_load_tester_control_t *this, stream_t *io)
- 
- 		switch (charon->controller->initiate(charon->controller,
- 							peer_cfg, child_cfg->get_ref(child_cfg),
-+							NULL, NULL,
- 							(void*)initiate_cb, listener, LEVEL_CTRL, 0, FALSE))
- 		{
- 			case NEED_MORE:
-diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
-index 695e75b83..e3f740281 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
-+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
-@@ -152,6 +152,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
- 
- 		charon->controller->initiate(charon->controller,
- 					peer_cfg, child_cfg->get_ref(child_cfg),
-+					NULL, NULL,
- 					NULL, NULL, 0, 0, FALSE);
- 		if (s)
- 		{
-diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
-index 3211a49f1..f98b3eac8 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
-+++ b/src/libcharon/plugins/medcli/medcli_config.c
-@@ -350,7 +350,7 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
- 		peer_cfg->get_ref(peer_cfg);
- 		enumerator->destroy(enumerator);
- 		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-									 NULL, NULL, 0, 0, FALSE);
-+									 NULL, NULL, NULL, NULL, 0, 0, FALSE);
- 	}
- 	else
- 	{
-diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
-index 91dddfeaa..1e9326822 100644
--- a/src/libcharon/plugins/smp/smp.c
-+++ b/src/libcharon/plugins/smp/smp.c
-@@ -494,7 +494,8 @@ static void request_control_initiate(xmlTextReaderPtr reader,
- 			if (child)
- 			{
- 				status = charon->controller->initiate(charon->controller,
-							peer, child, (controller_cb_t)xml_callback,
-+							peer, child, NULL, NULL,
-+							(controller_cb_t)xml_callback,
- 							writer, LEVEL_CTRL, 0, FALSE);
- 			}
- 			else
 diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
-index 2824c93cb..21ff6b31f 100644
+index 8d84b934e..b00d0e62d 100644
 --- a/src/libcharon/plugins/stroke/stroke_control.c
 +++ b/src/libcharon/plugins/stroke/stroke_control.c
-@@ -109,7 +109,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
+@@ -108,7 +108,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
 	if (msg->output_verbosity < 0)
 	{
 		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-									 NULL, NULL, 0, 0, FALSE);
-+									 NULL, NULL, NULL, NULL, 0, 0, FALSE);
+-									 NULL, NULL, 0, FALSE);
+									 NULL, NULL, NULL, NULL, 0, FALSE);
 	}
 	else
 	{
-@@ -117,7 +117,8 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
+@@ -116,7 +116,8 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
 		status_t status;
 
 		status = charon->controller->initiate(charon->controller,
 -							peer_cfg, child_cfg, (controller_cb_t)stroke_log,
 +							peer_cfg, child_cfg, NULL, NULL,
 +							(controller_cb_t)stroke_log,
- 							&info, msg->output_verbosity, this->timeout, FALSE);
+ 							&info, this->timeout, FALSE);
 		switch (status)
 		{
-diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
-index b033c832c..f8d1be745 100644
--- a/src/libcharon/plugins/uci/uci_control.c
-+++ b/src/libcharon/plugins/uci/uci_control.c
-@@ -147,7 +147,8 @@ static void initiate(private_uci_control_t *this, char *name)
- 		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
- 		if (enumerator->enumerate(enumerator, &child_cfg) &&
- 			charon->controller->initiate(charon->controller, peer_cfg,
-							child_cfg->get_ref(child_cfg), controller_cb_empty,
-+							child_cfg->get_ref(child_cfg), NULL, NULL,
-+							controller_cb_empty,
- 							NULL, LEVEL_SILENT, 0, FALSE) == SUCCESS)
- 		{
- 			write_fifo(this, "connection '%s' established\n", name);
 diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index 522122562..b1486e337 100644
+index f4e9e33ee..56292696b 100644
 --- a/src/libcharon/plugins/vici/vici_config.c
 +++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -2252,7 +2252,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
- 		DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
- 		charon->controller->initiate(charon->controller,
+@@ -1978,7 +1978,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
+ 			DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
+ 			charon->controller->initiate(charon->controller,
 					peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
-					NULL, NULL, 0, 0, FALSE);
-+					NULL, NULL, NULL, NULL, 0, 0, FALSE);
- 	}
- }
- 
+-					NULL, NULL, 0, FALSE);
+					NULL, NULL, NULL, NULL, 0, FALSE);
+ 			break;
+ 		case ACTION_ROUTE:
+ 			DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
 diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 1c236d249..b3a76efa2 100644
+index ce19608dc..e378ca2e7 100644
 --- a/src/libcharon/plugins/vici/vici_control.c
 +++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -15,6 +15,28 @@
+@@ -16,6 +16,28 @@
  * for more details.
  */
 
@@ -316,32 +237,33 @@ index 1c236d249..b3a76efa2 100644
 #include "vici_control.h"
 #include "vici_builder.h"
 
-@@ -173,9 +195,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
+@@ -169,9 +191,11 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
 CALLBACK(initiate, vici_message_t*,
 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
 {
 +	vici_message_t* msg;
- 	peer_cfg_t *peer_cfg = NULL;
- 	child_cfg_t *child_cfg;
- 	char *child, *ike, *type, *sa;
+ 	child_cfg_t *child_cfg = NULL;
+ 	peer_cfg_t *peer_cfg;
+-	char *child, *ike;
 +	host_t *my_host = NULL, *other_host = NULL;
-+	char *my_host_str, *other_host_str;
+	char *child, *ike, *my_host_str, *other_host_str;
 	int timeout;
 	bool limits;
 	controller_cb_t log_cb = NULL;
-@@ -189,6 +214,8 @@ CALLBACK(initiate, vici_message_t*,
+@@ -185,6 +209,8 @@ CALLBACK(initiate, vici_message_t*,
 	timeout = request->get_int(request, 0, "timeout");
 	limits = request->get_bool(request, FALSE, "init-limits");
 	log.level = request->get_int(request, 1, "loglevel");
 +	my_host_str = request->get_str(request, NULL, "my-host");
 +	other_host_str = request->get_str(request, NULL, "other-host");
 
- 	if (!child && !ike)
+ 	if (!child)
 	{
-@@ -202,28 +229,48 @@ CALLBACK(initiate, vici_message_t*,
- 	type = child ? "CHILD_SA" : "IKE_SA";
- 	sa = child ?: ike;
+@@ -195,28 +221,47 @@ CALLBACK(initiate, vici_message_t*,
+ 		log_cb = (controller_cb_t)log_vici;
+ 	}
 
+-	DBG1(DBG_CFG, "vici initiate '%s'", child);
 +	if (my_host_str)
 +	{
 +		my_host = host_create_from_string(my_host_str, 0);
@@ -351,39 +273,39 @@ index 1c236d249..b3a76efa2 100644
 +		other_host = host_create_from_string(other_host_str, 0);
 +	}
 +
-+	DBG1(DBG_CFG, "vici initiate %s '%s', me %H, other %H, limits %d", type, sa, my_host, other_host, limits);
-+
- 	child_cfg = find_child_cfg(child, ike, &peer_cfg);
+	DBG1(DBG_CFG, "vici initiate '%s', me %H, other %H, limits %d", child, my_host, other_host, limits);
 
-	DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
- 	if (!peer_cfg)
+ 	child_cfg = find_child_cfg(child, ike, &peer_cfg);
+ 	if (!child_cfg)
 	{
-		return send_reply(this, "%s config '%s' not found", type, sa);
-+		msg = send_reply(this, "%s config '%s' not found", type, sa);
+-		return send_reply(this, "CHILD_SA config '%s' not found", child);
+		msg = send_reply(this, "CHILD_SA config '%s' not found", child);
 +		goto ret;
 	}
- 	switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-+										 my_host, other_host,
- 										 log_cb, &log, log.level, timeout, limits))
+-	switch (charon->controller->initiate(charon->controller, peer_cfg,
+-									child_cfg, log_cb, &log, timeout, limits))
+	switch (charon->controller->initiate(charon->controller,
+				peer_cfg, child_cfg, my_host, other_host,
+				log_cb, &log, timeout, limits))
 	{
 		case SUCCESS:
 -			return send_reply(this, NULL);
 +			msg = send_reply(this, NULL);
 +			break;
 		case OUT_OF_RES:
-			return send_reply(this, "%s '%s' not established after %dms", type,
-+			msg = send_reply(this, "%s '%s' not established after %dms", type,
- 							  sa, timeout);
+-			return send_reply(this, "CHILD_SA '%s' not established after %dms",
+			msg = send_reply(this, "CHILD_SA '%s' not established after %dms",
+ 							  child, timeout);
 +			break;
 		case INVALID_STATE:
-			return send_reply(this, "establishing %s '%s' not possible at the "
-+			msg = send_reply(this, "establishing %s '%s' not possible at the "
- 							  "moment due to limits", type, sa);
+-			return send_reply(this, "establishing CHILD_SA '%s' not possible "
+			msg = send_reply(this, "establishing CHILD_SA '%s' not possible "
+ 							  "at the moment due to limits", child);
 +			break;
 		case FAILED:
 		default:
-			return send_reply(this, "establishing %s '%s' failed", type, sa);
-+			msg = send_reply(this, "establishing %s '%s' failed", type, sa);
+-			return send_reply(this, "establishing CHILD_SA '%s' failed", child);
+			msg = send_reply(this, "establishing CHILD_SA '%s' failed", child);
 +			break;
 	}
 +ret:
@@ -392,37 +314,25 @@ index 1c236d249..b3a76efa2 100644
 +	return msg;
 }
 
- /**
-diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
-index ed493bc76..9a1cdcda4 100644
--- a/src/libcharon/processing/jobs/initiate_mediation_job.c
-+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
-@@ -138,6 +138,7 @@ METHOD(job_t, initiate, job_requeue_t,
- 		mediation_cfg->get_ref(mediation_cfg);
- 
- 		if (charon->controller->initiate(charon->controller, mediation_cfg, NULL,
-+							NULL, NULL,
- 							(controller_cb_t)initiate_callback, this, LEVEL_CTRL,
- 							0, FALSE) != SUCCESS)
- 		{
+ CALLBACK(terminate, vici_message_t*,
 diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
-index 122e5cee9..dec458c84 100644
+index 3a0ed879f..e3399007b 100644
 --- a/src/libcharon/processing/jobs/start_action_job.c
 +++ b/src/libcharon/processing/jobs/start_action_job.c
-@@ -84,7 +84,7 @@ METHOD(job_t, execute, job_requeue_t,
- 				charon->controller->initiate(charon->controller,
- 											 peer_cfg->get_ref(peer_cfg),
- 											 child_cfg->get_ref(child_cfg),
-											 NULL, NULL, 0, 0, FALSE);
-+											 NULL, NULL, NULL, NULL, 0, 0, FALSE);
- 			}
- 		}
- 		children->destroy(children);
+@@ -61,7 +61,7 @@ METHOD(job_t, execute, job_requeue_t,
+ 					charon->controller->initiate(charon->controller,
+ 												 peer_cfg->get_ref(peer_cfg),
+ 												 child_cfg->get_ref(child_cfg),
+-												 NULL, NULL, 0, FALSE);
+												 NULL, NULL, NULL, NULL, 0, FALSE);
+ 					break;
+ 				case ACTION_ROUTE:
+ 					DBG1(DBG_JOB, "start action: route '%s'", name);
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index fc31c2a7c..0836b8c78 100644
+index 74f2a933c..93de04d3d 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -16,6 +16,28 @@
+@@ -17,6 +17,28 @@
  * for more details.
  */
 
@@ -451,8 +361,8 @@ index fc31c2a7c..0836b8c78 100644
 #include <string.h>
 #include <inttypes.h>
 
-@@ -1497,7 +1519,8 @@ typedef struct {
- } config_entry_t;
+@@ -1408,7 +1430,8 @@ out:
+ }
 
 METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 -	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
@@ -461,9 +371,9 @@ index fc31c2a7c..0836b8c78 100644
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
-@@ -1508,7 +1531,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1417,7 +1440,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 	ike_cfg_t *current_ike;
 	u_int segment;
- 	int i;
 
 -	DBG2(DBG_MGR, "checkout IKE_SA by config");
 +	if (my_host && my_host->get_port(my_host) == 0)
@@ -474,43 +384,45 @@ index fc31c2a7c..0836b8c78 100644
 +	{
 +		other_host->set_port(other_host, IKEV2_UDP_PORT);
 +	}
-+	DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H",
-+		peer_cfg->get_name(peer_cfg), my_host, other_host);
- 
- 	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
- 	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
-@@ -1566,6 +1598,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- 			continue;
- 		}
- 
-+		if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa)))
-+		{
-+			continue;
-+		}
-+		if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa)))
-+		{
-+			continue;
-+		}
 +
- 		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
- 		if (current_peer && current_peer->equals(current_peer, peer_cfg))
- 		{
-@@ -1592,6 +1633,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- 		{
- 			ike_sa->set_peer_cfg(ike_sa, peer_cfg);
- 			checkout_new(this, ike_sa);
-+			if (my_host || other_host)
+	DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H",
+		 peer_cfg->get_name(peer_cfg), my_host, other_host);
+ 
+ 	if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1)
+ 	{
+@@ -1434,6 +1467,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 				entry->condvar->signal(entry->condvar);
+ 				continue;
+ 			}
+
+			if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa)))
 +			{
-+				ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
+				continue;
 +			}
+			if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa)))
+			{
+				continue;
+			}
+
+ 			current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+ 			if (current_peer && current_peer->equals(current_peer, peer_cfg))
+ 			{
+@@ -1465,6 +1508,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 			return NULL;
 		}
+ 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
+		if (my_host || other_host)
+		{
+			ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
+		}
 	}
 	charon->bus->set_sa(charon->bus, ike_sa);
+ 
 diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
-index 004cc2216..56ef869be 100644
+index efad2e4d6..c43edabbb 100644
 --- a/src/libcharon/sa/ike_sa_manager.h
 +++ b/src/libcharon/sa/ike_sa_manager.h
-@@ -123,7 +123,8 @@ struct ike_sa_manager_t {
+@@ -93,7 +93,8 @@ struct ike_sa_manager_t {
 	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
 
 	/**
@@ -520,25 +432,26 @@ index 004cc2216..56ef869be 100644
 	 *
 	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
 	 * This call checks for an existing IKE_SA by comparing the configuration.
-@@ -136,9 +137,12 @@ struct ike_sa_manager_t {
- 	 * @note The peer_config is always set on the returned IKE_SA.
+@@ -103,10 +104,13 @@ struct ike_sa_manager_t {
+ 	 * the found IKE_SA is in the DELETING state.
 	 *
 	 * @param peer_cfg			configuration used to find an existing IKE_SA
 +	 * @param my_host			source host address for wildcard peer_cfg
 +	 * @param other_host		remote host address for wildcard peer_cfg
 	 * @return					checked out/created IKE_SA
 	 */
-	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
-+	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
+ 	ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this,
+-									 peer_cfg_t *peer_cfg);
+									 peer_cfg_t *peer_cfg,
 +									 host_t *my_host, host_t *other_host);
 
 	/**
 	 * Reset initiator SPI.
 diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index d8d8a421a..f458ee0f1 100644
+index 979f9290a..b727370ed 100644
 --- a/src/libcharon/sa/trap_manager.c
 +++ b/src/libcharon/sa/trap_manager.c
-@@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void,
+@@ -421,7 +421,7 @@ METHOD(trap_manager_t, acquire, void,
 	peer_cfg_t *peer;
 	child_cfg_t *child;
 	ike_sa_t *ike_sa;
@@ -547,12 +460,12 @@ index d8d8a421a..f458ee0f1 100644
 	bool wildcard, ignore = FALSE;
 
 	this->lock->read_lock(this->lock);
-@@ -600,36 +600,26 @@ METHOD(trap_manager_t, acquire, void,
+@@ -497,36 +497,27 @@ METHOD(trap_manager_t, acquire, void,
 	this->lock->unlock(this->lock);
 
 	if (wildcard)
 -	{	/* the peer config would match IKE_SAs with other peers */
-		ike_sa = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
+-		ike_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
 -											peer->get_ike_version(peer), TRUE);
 -		if (ike_sa)
 -		{
@@ -568,17 +481,17 @@ index d8d8a421a..f458ee0f1 100644
 +		uint8_t mask;
 
 -			port = ike_cfg->get_other_port(ike_cfg);
-			data->dst->to_subnet(data->dst, &host, &mask);
+-			dst->to_subnet(dst, &host, &mask);
 -			host->set_port(host, port);
 -			ike_sa->set_other_host(ike_sa, host);
 +		ike_cfg = peer->get_ike_cfg(peer);
 
 -			port = ike_cfg->get_my_port(ike_cfg);
-			data->src->to_subnet(data->src, &host, &mask);
+-			src->to_subnet(src, &host, &mask);
 -			host->set_port(host, port);
 -			ike_sa->set_my_host(ike_sa, host);
 +		port = ike_cfg->get_other_port(ike_cfg);
-+		data->dst->to_subnet(data->dst, &other_host, &mask);
+		dst->to_subnet(dst, &other_host, &mask);
 +		other_host->set_port(other_host, port);
 
 -			charon->bus->set_sa(charon->bus, ike_sa);
@@ -589,22 +502,23 @@ index d8d8a421a..f458ee0f1 100644
 -		ike_sa = charon->ike_sa_manager->checkout_by_config(
 -											charon->ike_sa_manager, peer);
 +		port = ike_cfg->get_my_port(ike_cfg);
-+		data->src->to_subnet(data->src, &my_host, &mask);
+		src->to_subnet(src, &my_host, &mask);
 +		my_host->set_port(my_host, port);
 	}
 +	ike_sa = charon->ike_sa_manager->checkout_by_config(
 +											charon->ike_sa_manager, peer,
 +											my_host, other_host);
-+	if (my_host) my_host->destroy(my_host);
-+	if (other_host) other_host->destroy(other_host);
- 	peer->destroy(peer);
- 
+	DESTROY_IF(my_host);
+	DESTROY_IF(other_host);
+
 	if (ike_sa)
+ 	{
+ 		if (ike_sa->get_peer_cfg(ike_sa) == NULL)
 diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
-index e0fffb907..dcaded59d 100644
+index 8e452a6f6..b27bb8194 100644
 --- a/src/swanctl/commands/initiate.c
 +++ b/src/swanctl/commands/initiate.c
-@@ -14,6 +14,28 @@
+@@ -13,6 +13,28 @@
  * for more details.
  */
 
@@ -633,7 +547,7 @@ index e0fffb907..dcaded59d 100644
 #include "command.h"
 
 #include <errno.h>
-@@ -38,7 +60,7 @@ static int initiate(vici_conn_t *conn)
+@@ -37,7 +59,7 @@ static int initiate(vici_conn_t *conn)
 	vici_req_t *req;
 	vici_res_t *res;
 	command_format_options_t format = COMMAND_FORMAT_NONE;
@@ -642,7 +556,7 @@ index e0fffb907..dcaded59d 100644
 	int ret = 0, timeout = 0, level = 1;
 
 	while (TRUE)
-@@ -65,6 +87,12 @@ static int initiate(vici_conn_t *conn)
+@@ -64,6 +86,12 @@ static int initiate(vici_conn_t *conn)
 			case 'l':
 				level = atoi(arg);
 				continue;
@@ -655,7 +569,7 @@ index e0fffb907..dcaded59d 100644
 			case EOF:
 				break;
 			default:
-@@ -88,6 +116,14 @@ static int initiate(vici_conn_t *conn)
+@@ -87,6 +115,14 @@ static int initiate(vici_conn_t *conn)
 	{
 		vici_add_key_valuef(req, "ike", "%s", ike);
 	}
@@ -670,15 +584,15 @@ index e0fffb907..dcaded59d 100644
 	if (timeout)
 	{
 		vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
-@@ -134,6 +170,8 @@ static void __attribute__ ((constructor))reg()
+@@ -133,6 +169,8 @@ static void __attribute__ ((constructor))reg()
 			{"help",		'h', 0, "show usage information"},
- 			{"child",		'c', 1, "initiate a CHILD_SA configuration"},
- 			{"ike",			'i', 1, "initiate an IKE_SA, or name of child's parent"},
+ 			{"child",		'c', 1, "initate a CHILD_SA configuration"},
+ 			{"ike",			'i', 1, "name of the connection to which the child belongs"},
 +			{"source",		'S', 1, "override source address"},
 +			{"remote",		'R', 1, "override remote address"},
 			{"timeout",		't', 1, "timeout in seconds before detaching"},
 			{"raw",			'r', 0, "dump raw response message"},
 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 -- 
-2.41.0
+2.24.1

--- a/0003-vici-send-certificates-for-ike-sa-events.patch
+++ b/0003-vici-send-certificates-for-ike-sa-events.patch
@@ -1,21 +1,21 @@
-From 0a1ee45f16f61cb68f526aeacd58ed275e7d8c48 Mon Sep 17 00:00:00 2001
+From b4aa8404810032287a01d599238ec3a0d43bd153 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:05 +0300
-Subject: [PATCH 2/3] vici: send certificates for ike-sa events
+Subject: [PATCH 3/6] vici: send certificates for ike-sa events
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
- src/libcharon/plugins/vici/vici_query.c | 50 +++++++++++++++++++++----
- 1 file changed, 42 insertions(+), 8 deletions(-)
+ src/libcharon/plugins/vici/vici_query.c | 48 +++++++++++++++++++++----
+ 1 file changed, 41 insertions(+), 7 deletions(-)

 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index bacb7b101..19acc0789 100644
+index 82c3d7855..d3092270d 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -402,7 +402,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+@@ -337,7 +337,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
  * List details of an IKE_SA
  */
 static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -24,8 +24,8 @@ index bacb7b101..19acc0789 100644
 {
 	time_t t;
 	ike_sa_id_t *id;
-@@ -411,6 +411,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
- 	uint32_t if_id;
+@@ -345,6 +345,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+ 	proposal_t *proposal;
 	uint16_t alg, ks;
 	host_t *host;
 +	auth_cfg_t *auth_cfg;
@@ -33,7 +33,7 @@ index bacb7b101..19acc0789 100644
 
 	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
 	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
-@@ -420,11 +422,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -354,11 +356,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	b->add_kv(b, "local-host", "%H", host);
 	b->add_kv(b, "local-port", "%d", host->get_port(host));
 	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
@@ -77,7 +77,7 @@ index bacb7b101..19acc0789 100644
 
 	eap = ike_sa->get_other_eap_id(ike_sa);
 
-@@ -556,7 +590,7 @@ CALLBACK(list_sas, vici_message_t*,
+@@ -476,7 +510,7 @@ CALLBACK(list_sas, vici_message_t*,
 		b = vici_builder_create();
 		b->begin_section(b, ike_sa->get_name(ike_sa));
 
@@ -86,7 +86,7 @@ index bacb7b101..19acc0789 100644
 
 		b->begin_section(b, "child-sas");
 		csas = ike_sa->create_child_sa_enumerator(ike_sa);
-@@ -1774,7 +1808,7 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1624,7 +1658,7 @@ METHOD(listener_t, ike_updown, bool,
 	}
 
 	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -95,7 +95,7 @@ index bacb7b101..19acc0789 100644
 	b->end_section(b);
 
 	this->dispatcher->raise_event(this->dispatcher,
-@@ -1799,10 +1833,10 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1649,10 +1683,10 @@ METHOD(listener_t, ike_rekey, bool,
 	b = vici_builder_create();
 	b->begin_section(b, old->get_name(old));
 	b->begin_section(b, "old");
@@ -108,16 +108,7 @@ index bacb7b101..19acc0789 100644
 	b->end_section(b);
 	b->end_section(b);
 
-@@ -1833,7 +1867,7 @@ METHOD(listener_t, ike_update, bool,
- 	b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
- 
- 	b->begin_section(b, ike_sa->get_name(ike_sa));
-	list_ike(this, b, ike_sa, now);
-+	list_ike(this, b, ike_sa, now, TRUE);
- 	b->end_section(b);
- 
- 	this->dispatcher->raise_event(this->dispatcher,
-@@ -1863,7 +1897,7 @@ METHOD(listener_t, child_updown, bool,
+@@ -1682,7 +1716,7 @@ METHOD(listener_t, child_updown, bool,
 	}
 
 	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -125,8 +116,8 @@ index bacb7b101..19acc0789 100644
 +	list_ike(this, b, ike_sa, now, up);
 	b->begin_section(b, "child-sas");
 
- 	snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
-@@ -1898,7 +1932,7 @@ METHOD(listener_t, child_rekey, bool,
+ 	b->begin_section(b, child_sa->get_name(child_sa));
+@@ -1714,7 +1748,7 @@ METHOD(listener_t, child_rekey, bool,
 	b = vici_builder_create();
 
 	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -136,5 +127,5 @@ index bacb7b101..19acc0789 100644
 
 	b->begin_section(b, old->get_name(old));
 -- 
-2.41.0
+2.24.1

--- a/0004-Support-GRE-key-in-selectors.patch
+++ b/0004-Support-GRE-key-in-selectors.patch
@@ -1,258 +0,0 @@
-From 027c90f6808d451f3bbcd4b2dc4b8ad04806dc64 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 21 Jan 2024 03:11:32 +0100
-Subject: [PATCH 4/4] Support GRE key in selectors.
-
---
- .../kernel_netlink/kernel_netlink_ipsec.c     | 12 +++++++++++
- .../plugins/load_tester/load_tester_config.c  | 16 ++++++++++++++
- src/libcharon/plugins/stroke/stroke_config.c  | 15 +++++++++++++
- src/libcharon/plugins/vici/vici_config.c      | 21 ++++++++++++++++++-
- .../selectors/traffic_selector.c              | 20 ++++++++++++++++++
- .../selectors/traffic_selector.h              | 12 +++++++++++
- src/starter/confread.c                        | 18 ++++++++++++++++
- 7 files changed, 113 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-index 7596f0c18..fdfc9d51e 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -864,6 +864,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
- {
- 	struct xfrm_selector sel;
- 	uint16_t port;
-+	uint32_t gre_key;
- 
- 	memset(&sel, 0, sizeof(sel));
- 	sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
-@@ -884,6 +885,17 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
- 		sel.dport = htons(traffic_selector_icmp_code(port));
- 		sel.dport_mask = sel.dport ? ~0 : 0;
- 	}
-+	if (sel.proto == IPPROTO_GRE)
-+	{
-+		/* the kernel expects the GRE key in the source and destination
-+		 * port fields, respectively. */
-+		gre_key = htons(traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
-+		DBG2(DBG_KNL, "Policy GRE key: %d (%d-%d) %d", gre_key, dst->get_from_port(dst), dst->get_to_port(dst), traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
-+		sel.sport = gre_key >> 16;
-+		sel.sport_mask = ~0;
-+		sel.dport = gre_key & 0xffff;
-+		sel.dport_mask = ~0;
-+	}
- 	sel.ifindex = interface ? if_nametoindex(interface) : 0;
- 	sel.user = 0;
- 
-diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
-index 58e1cd98a..436116361 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
-+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
-@@ -16,6 +16,8 @@
- 
- #include "load_tester_config.h"
- 
-+#include <utils/utils.h>
-+
- #include <netdb.h>
- 
- #include <daemon.h>
-@@ -512,6 +514,20 @@ static bool parse_protoport(char *token, uint16_t *from_port,
- 	{
- 		*from_port = *to_port = 0;
- 	}
-+	else if (*port && *protocol == IPPROTO_GRE)
-+	{
-+		p = strtol(port, &endptr, 0);
-+		if (p < 0 || p > 0xffffffff)
-+		{
-+			return FALSE;
-+		}
-+		end->from_port = (p >> 16) & 0xffff;
-+		end->to_port = p & 0xffff;
-+		if (*endptr)
-+		{
-+			return FALSE;
-+		}
-+	}
- 	else if (*port)
- 	{
- 		svc = getservbyname(port, NULL);
-diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
-index 55db379ff..9ee4c6463 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
-+++ b/src/libcharon/plugins/stroke/stroke_config.c
-@@ -20,6 +20,7 @@
- #include <daemon.h>
- #include <threading/mutex.h>
- #include <utils/lexparser.h>
-+#include <utils/utils.h>
- 
- #include <netdb.h>
- 
-@@ -937,6 +938,20 @@ static bool parse_protoport(char *token, uint16_t *from_port,
- 		*from_port = 0xffff;
- 		*to_port = 0;
- 	}
-+	else if (*port && *protocol == IPPROTO_GRE)
-+	{
-+		p = strtol(port, &endptr, 0);
-+		if (p < 0 || p > 0xffffffff)
-+		{
-+			return FALSE;
-+		}
-+		*from_port = (p >> 16) & 0xffff;
-+		*to_port = p & 0xffff;
-+		if (*endptr)
-+		{
-+			return FALSE;
-+		}
-+	}
- 	else if (*port)
- 	{
- 		svc = getservbyname(port, NULL);
-diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index b1486e337..35c4df1b0 100644
--- a/src/libcharon/plugins/vici/vici_config.c
-+++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -718,7 +718,25 @@ CALLBACK(parse_ts, bool,
- 			from = 0xffff;
- 			to = 0;
- 		}
-		else if (*port && !streq(port, "any"))
-+		else if (*port && !streq(port, "any") && proto == IPPROTO_GRE)
-+		{
-+			DBG2(DBG_CFG, "   GRE key %s", port);
-+			p = strtol(port, &end, 0);
-+			if (p < 0 || p > 0xffffffff)
-+			{
-+				DBG2(DBG_CFG, "   Invalid GRE key %s", port);
-+				return FALSE;
-+			}
-+			from = (p >> 16) & 0xffff;
-+			to = p & 0xffff;
-+			DBG2(DBG_CFG, "   Parsed GRE key %d-%d(%d)", from, to, p);
-+			if (*end)
-+			{
-+				DBG2(DBG_CFG, "   Invalid GRE key %s", port);
-+				return FALSE;
-+			}
-+		}
-+		else if (*port && !streq(port, "any") && proto != IPPROTO_GRE)
- 		{
- 			svc = getservbyname(port, NULL);
- 			if (svc)
-@@ -752,6 +770,7 @@ CALLBACK(parse_ts, bool,
- 	}
- 	if (streq(buf, "dynamic"))
- 	{
-+		DBG2(DBG_CFG, "   Create dynamic selector GRE key proto=%d, from_port=%d, to_port=%d", proto, from, to);
- 		ts = traffic_selector_create_dynamic(proto, from, to);
- 	}
- 	else if (strchr(buf, '-'))
-diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
-index fe61e3768..29ffbffbd 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
-+++ b/src/libstrongswan/selectors/traffic_selector.c
-@@ -205,6 +205,18 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
- 	return print_in_hook(data, "%d", type);
- }
- 
-+/**
-+ * Print GRE key
-+ */
-+static int print_gre(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
-+{
-+	uint32_t gre_key;
-+
-+	gre_key = traffic_selector_gre_key(from_port, to_port);
-+
-+	return print_in_hook(data, "%d", gre_key);
-+}
-+
- /**
-  * Described in header.
-  */
-@@ -319,6 +331,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
- 			{
- 				written += print_icmp(data, this->from_port);
- 			}
-+			else if (this->protocol == IPPROTO_GRE)
-+			{
-+				written += print_gre(data, this->from_port, this->to_port);
-+			}
- 			else
- 			{
- 				serv = getservbyport(htons(this->from_port), serv_proto);
-@@ -343,6 +359,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
- 			written += print_in_hook(data, "-");
- 			written += print_icmp(data, this->to_port);
- 		}
-+		else if (this->protocol == IPPROTO_GRE)
-+		{
-+			written += print_gre(data, this->from_port, this->to_port);
-+		}
- 		else
- 		{
- 			written += print_in_hook(data, "%d-%d",
-diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
-index 367b4fff9..b7010e4a7 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
-+++ b/src/libstrongswan/selectors/traffic_selector.h
-@@ -272,6 +272,18 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
- 	return port & 0xff;
- }
- 
-+/**
-+ * Extract the GRE key from a source and destination port in host order
-+ *
-+ * @param from_port		port number in host order
-+ * @param to_port		port number in host order
-+ * @return				GRE key
-+ */
-+static inline uint8_t traffic_selector_gre_key(uint16_t from_port, uint16_t to_port)
-+{
-+	return (from_port & 0xffff) << 16 | (to_port & 0xffff);
-+}
-+
- /**
-  * Compare two traffic selectors, usable as sort function
-  *
-diff --git a/src/starter/confread.c b/src/starter/confread.c
-index 5065bc369..e2c03694d 100644
--- a/src/starter/confread.c
-+++ b/src/starter/confread.c
-@@ -25,6 +25,7 @@
- 
- #include <library.h>
- #include <utils/debug.h>
-+#include <utils/utils.h>
- 
- #include "keywords.h"
- #include "confread.h"
-@@ -335,6 +336,23 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
- 				end->from_port = 0xffff;
- 				end->to_port = 0;
- 			}
-+			else if (*port && end->protocol == IPPROTO_GRE)
-+			{
-+				DBG1(DBG_APP, "# GRE key: %s=%s", key, port);
-+				p = strtol(port, &endptr, 0);
-+				if (p < 0 || p > 0xffffffff)
-+				{
-+					DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
-+					goto err;
-+				}
-+				end->from_port = (p >> 16) & 0xffff;
-+				end->to_port = p & 0xffff;
-+				if (*endptr)
-+				{
-+					DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
-+					goto err;
-+				}
-+			}
- 			else if (*port)
- 			{
- 				svc = getservbyname(port, NULL);
-- 
-2.43.0
-
--- a/0004-vici-add-support-for-individual-sa-state-changes.patch
+++ b/0004-vici-add-support-for-individual-sa-state-changes.patch
@@ -1,7 +1,7 @@
-From 39f70df4d1846f9044c270fa8cb6149d42067736 Mon Sep 17 00:00:00 2001
+From a2c2426e64c34e81a81abd6fc6b358384593be96 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:11 +0300
-Subject: [PATCH 3/3] vici: add support for individual sa state changes
+Subject: [PATCH 4/6] vici: add support for individual sa state changes
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -10,17 +10,17 @@ Useful for monitoring and tracking full SA.

 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
- src/libcharon/plugins/vici/vici_query.c | 106 ++++++++++++++++++++++++
- 1 file changed, 106 insertions(+)
+ src/libcharon/plugins/vici/vici_query.c | 105 ++++++++++++++++++++++++
+ 1 file changed, 105 insertions(+)

 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index 19acc0789..fa1aca953 100644
+index d3092270d..8a5231473 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1774,8 +1774,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+@@ -1624,8 +1624,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+ 	this->dispatcher->manage_event(this->dispatcher, "list-cert", reg);
 	this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
 	this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
- 	this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
 +	this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg);
 +	this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg);
 	this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
@@ -34,11 +34,10 @@ index 19acc0789..fa1aca953 100644
 	manage_command(this, "list-sas", list_sas, reg);
 	manage_command(this, "list-policies", list_policies, reg);
 	manage_command(this, "list-conns", list_conns, reg);
-@@ -1876,6 +1884,46 @@ METHOD(listener_t, ike_update, bool,
+@@ -1696,6 +1704,45 @@ METHOD(listener_t, ike_rekey, bool,
 	return TRUE;
 }
 
-+
 +METHOD(listener_t, ike_state_change, bool,
 +	private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
 +{
@@ -81,7 +80,7 @@ index 19acc0789..fa1aca953 100644
 METHOD(listener_t, child_updown, bool,
 	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
 {
-@@ -1955,6 +2003,62 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1771,6 +1818,62 @@ METHOD(listener_t, child_rekey, bool,
 	return TRUE;
 }
 
@@ -144,10 +143,10 @@ index 19acc0789..fa1aca953 100644
 METHOD(vici_query_t, destroy, void,
 	private_vici_query_t *this)
 {
-@@ -1975,8 +2079,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+@@ -1790,8 +1893,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+ 			.listener = {
 				.ike_updown = _ike_updown,
 				.ike_rekey = _ike_rekey,
- 				.ike_update = _ike_update,
 +				.ike_state_change = _ike_state_change,
 				.child_updown = _child_updown,
 				.child_rekey = _child_rekey,
@@ -156,5 +155,5 @@ index 19acc0789..fa1aca953 100644
 			.destroy = _destroy,
 		},
 -- 
-2.41.0
+2.24.1

--- a/0005-vici-add-deprecated-async-parameter.patch
+++ b/0005-vici-add-deprecated-async-parameter.patch
@@ -0,0 +1,49 @@
+From a2ff6e9951a784d192ec7f7abd48a9e3da01e2bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 21 Sep 2015 13:42:15 +0300
+Subject: [PATCH 5/6] vici: add (deprecated) async parameter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is obsoleted by the new "timeout=-1" option that achieves
+the same. Only for compatibility with old versions of quagga-nhrp.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+ src/libcharon/plugins/vici/vici_control.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
+index e378ca2e7..dcc6c853f 100644
+--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
+@@ -197,7 +197,7 @@ CALLBACK(initiate, vici_message_t*,
+ 	host_t *my_host = NULL, *other_host = NULL;
+ 	char *child, *ike, *my_host_str, *other_host_str;
+ 	int timeout;
+-	bool limits;
+	bool limits, async;
+ 	controller_cb_t log_cb = NULL;
+ 	log_info_t log = {
+ 		.dispatcher = this->dispatcher,
+@@ -208,6 +208,7 @@ CALLBACK(initiate, vici_message_t*,
+ 	ike = request->get_str(request, NULL, "ike");
+ 	timeout = request->get_int(request, 0, "timeout");
+ 	limits = request->get_bool(request, FALSE, "init-limits");
+	async = request->get_bool(request, FALSE, "async");
+ 	log.level = request->get_int(request, 1, "loglevel");
+ 	my_host_str = request->get_str(request, NULL, "my-host");
+ 	other_host_str = request->get_str(request, NULL, "other-host");
+@@ -216,7 +217,7 @@ CALLBACK(initiate, vici_message_t*,
+ 	{
+ 		return send_reply(this, "missing configuration name");
+ 	}
+-	if (timeout >= 0)
+	if (timeout >= 0 && !async)
+ 	{
+ 		log_cb = (controller_cb_t)log_vici;
+ 	}
+-- 
+2.24.1
+
--- a/0006-support-gre-key-in-ikev1.patch
+++ b/0006-support-gre-key-in-ikev1.patch
@@ -0,0 +1,507 @@
+From a88eece36be240bb0240760a0b2a9056a69a3e71 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 21 Sep 2015 13:42:18 +0300
+Subject: [PATCH 6/6] support gre key in ikev1
+
+this implements gre key negotiation in ikev1 similarly to the
+ipsec-tools patch in alpine.
+
+the from/to port pair is internally used as gre key for gre
+protocol traffic selectors. since from/to pairs 0/0xffff and
+0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000
+will not work.
+
+this is not standard compliant, and should probably not be upstreamed
+or used widely, but it is applied for interoperability with alpine
+racoon for the time being.
+---
+ src/libcharon/encoding/payloads/id_payload.c  | 68 ++++++++++++++-----
+ src/libcharon/encoding/payloads/id_payload.h  |  6 +-
+ .../kernel_netlink/kernel_netlink_ipsec.c     | 40 ++++++++---
+ src/libcharon/plugins/stroke/stroke_config.c  |  5 ++
+ src/libcharon/plugins/unity/unity_narrow.c    |  2 +-
+ src/libcharon/plugins/vici/vici_config.c      |  9 ++-
+ src/libcharon/sa/ikev1/tasks/quick_mode.c     | 16 +++--
+ .../selectors/traffic_selector.c              | 33 ++++++++-
+ .../selectors/traffic_selector.h              | 31 +++++++++
+ 9 files changed, 171 insertions(+), 39 deletions(-)
+
+diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
+index b2f1adbbc..6b44d0cf6 100644
+--- a/src/libcharon/encoding/payloads/id_payload.c
+++ b/src/libcharon/encoding/payloads/id_payload.c
+@@ -245,18 +245,20 @@ METHOD(id_payload_t, get_identification, identification_t*,
+  * Create a traffic selector from an range ID
+  */
+ static traffic_selector_t *get_ts_from_range(private_id_payload_t *this,
+-											 ts_type_t type)
+											 ts_type_t type,
+											 uint16_t from_port, uint16_t to_port)
+ {
+ 	return traffic_selector_create_from_bytes(this->protocol_id, type,
+-		chunk_create(this->id_data.ptr, this->id_data.len / 2), this->port,
+-		chunk_skip(this->id_data, this->id_data.len / 2), this->port ?: 65535);
+		chunk_create(this->id_data.ptr, this->id_data.len / 2), from_port,
+		chunk_skip(this->id_data, this->id_data.len / 2), to_port);
+ }
+ 
+ /**
+  * Create a traffic selector from an subnet ID
+  */
+ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+-											  ts_type_t type)
+											  ts_type_t type,
+											  uint16_t from_port, uint16_t to_port)
+ {
+ 	traffic_selector_t *ts;
+ 	chunk_t net, netmask;
+@@ -269,7 +271,7 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+ 		netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i];
+ 	}
+ 	ts = traffic_selector_create_from_bytes(this->protocol_id, type,
+-								net, this->port, netmask, this->port ?: 65535);
+								net, from_port, netmask, to_port);
+ 	chunk_free(&netmask);
+ 	return ts;
+ }
+@@ -278,51 +280,76 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+  * Create a traffic selector from an IP ID
+  */
+ static traffic_selector_t *get_ts_from_ip(private_id_payload_t *this,
+-										  ts_type_t type)
+										  ts_type_t type,
+										  uint16_t from_port, uint16_t to_port)
+ {
+ 	return traffic_selector_create_from_bytes(this->protocol_id, type,
+-				this->id_data, this->port, this->id_data, this->port ?: 65535);
+				this->id_data, from_port, this->id_data, to_port);
+ }
+ 
+ METHOD(id_payload_t, get_ts, traffic_selector_t*,
+-	private_id_payload_t *this)
+	private_id_payload_t *this, id_payload_t *other_, bool initiator)
+ {
+	private_id_payload_t *other = (private_id_payload_t *) other_;
+	uint16_t from_port, to_port;
+
+	if (other && this->protocol_id == IPPROTO_GRE && other->protocol_id == IPPROTO_GRE)
+	{
+		if (initiator)
+		{
+			from_port = this->port;
+			to_port = other->port;
+		}
+		else
+		{
+			from_port = other->port;
+			to_port = this->port;
+		}
+		if (from_port == 0 && to_port == 0)
+			to_port = 0xffff;
+	}
+	else
+	{
+		from_port = this->port;
+		to_port = this->port ?: 0xffff;
+	}
+
+ 	switch (this->id_type)
+ 	{
+ 		case ID_IPV4_ADDR_SUBNET:
+ 			if (this->id_data.len == 8)
+ 			{
+-				return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE);
+				return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV6_ADDR_SUBNET:
+ 			if (this->id_data.len == 32)
+ 			{
+-				return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE);
+				return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV4_ADDR_RANGE:
+ 			if (this->id_data.len == 8)
+ 			{
+-				return get_ts_from_range(this, TS_IPV4_ADDR_RANGE);
+				return get_ts_from_range(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV6_ADDR_RANGE:
+ 			if (this->id_data.len == 32)
+ 			{
+-				return get_ts_from_range(this, TS_IPV6_ADDR_RANGE);
+				return get_ts_from_range(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV4_ADDR:
+ 			if (this->id_data.len == 4)
+ 			{
+-				return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE);
+				return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV6_ADDR:
+ 			if (this->id_data.len == 16)
+ 			{
+-				return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE);
+				return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		default:
+@@ -397,7 +424,7 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
+ /*
+  * Described in header.
+  */
+-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator)
+ {
+ 	private_id_payload_t *this;
+ 	uint8_t mask;
+@@ -460,8 +487,17 @@ id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
+ 							ts->get_from_address(ts), ts->get_to_address(ts));
+ 		net->destroy(net);
+ 	}
+-	this->port = ts->get_from_port(ts);
+ 	this->protocol_id = ts->get_protocol(ts);
+	if (initiator || this->protocol_id != IPPROTO_GRE)
+	{
+		this->port = ts->get_from_port(ts);
+	}
+	else
+	{
+		this->port = ts->get_to_port(ts);
+		if (this->port == 0xffff && ts->get_from_port(ts) == 0)
+			this->port = 0;
+	}
+ 	this->payload_length += this->id_data.len;
+ 
+ 	return &this->public;
+diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
+index 283780624..fafeca8bc 100644
+--- a/src/libcharon/encoding/payloads/id_payload.h
+++ b/src/libcharon/encoding/payloads/id_payload.h
+@@ -48,11 +48,11 @@ struct id_payload_t {
+ 	identification_t *(*get_identification) (id_payload_t *this);
+ 
+ 	/**
+-	 * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity.
+	 * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity pair.
+ 	 *
+ 	 * @return				traffic selector, NULL on failure
+ 	 */
+-	traffic_selector_t* (*get_ts)(id_payload_t *this);
+	traffic_selector_t* (*get_ts)(id_payload_t *this, id_payload_t *other, bool initiator);
+ 
+ 	/**
+ 	 * Get encoded payload without fixed payload header (used for IKEv1).
+@@ -91,6 +91,6 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
+  * @param ts		traffic selector
+  * @return			PLV1_ID id_paylad_t object.
+  */
+-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts);
+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator);
+ 
+ #endif /** ID_PAYLOAD_H_ @}*/
+diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+index 4926c3de8..820780f3c 100644
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+@@ -869,7 +869,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ 	ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
+ 	ts2ports(dst, &sel.dport, &sel.dport_mask);
+ 	ts2ports(src, &sel.sport, &sel.sport_mask);
+-	if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
+	if (sel.proto == IPPROTO_GRE)
+	{
+		sel.sport = htons(src->get_from_port(src));
+		sel.dport = htons(src->get_to_port(src));
+		sel.sport_mask = ~0;
+		sel.dport_mask = ~0;
+		if (sel.sport == htons(0) && sel.dport == htons(0xffff))
+		{
+			sel.sport = sel.dport = sel.sport_mask = sel.dport_mask = 0;
+		}
+	}
+	else if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
+ 		(sel.dport || sel.sport))
+ 	{
+ 		/* the kernel expects the ICMP type and code in the source and
+@@ -893,7 +904,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ {
+ 	u_char *addr;
+ 	uint8_t prefixlen;
+-	uint16_t port = 0;
+	uint16_t from_port = 0, to_port = 65535;
+ 	host_t *host = NULL;
+ 
+ 	if (src)
+@@ -902,7 +913,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ 		prefixlen = sel->prefixlen_s;
+ 		if (sel->sport_mask)
+ 		{
+-			port = ntohs(sel->sport);
+			from_port = to_port = ntohs(sel->sport);
+ 		}
+ 	}
+ 	else
+@@ -911,14 +922,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ 		prefixlen = sel->prefixlen_d;
+ 		if (sel->dport_mask)
+ 		{
+-			port = ntohs(sel->dport);
+			from_port = to_port = ntohs(sel->dport);
+		}
+	}
+	if (sel->proto == IPPROTO_GRE)
+	{
+		if (sel->sport_mask)
+		{
+			from_port = ntohs(sel->sport);
+			to_port = ntohs(sel->dport);
+		}
+		else
+		{
+			from_port = 0;
+			to_port = 0xffff;
+ 		}
+ 	}
+-	if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
+	else if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
+ 	{	/* convert ICMP[v6] message type and code as supplied by the kernel in
+ 		 * source and destination ports (both in network order) */
+-		port = (sel->sport >> 8) | (sel->dport & 0xff00);
+-		port = ntohs(port);
+		from_port = (sel->sport >> 8) | (sel->dport & 0xff00);
+		from_port = to_port = ntohs(from_port);
+ 	}
+ 	/* The Linux 2.6 kernel does not set the selector's family field,
+ 	 * so as a kludge we additionally test the prefix length.
+@@ -935,7 +959,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ 	if (host)
+ 	{
+ 		return traffic_selector_create_from_subnet(host, prefixlen,
+-											sel->proto, port, port ?: 65535);
+											sel->proto, from_port, to_port);
+ 	}
+ 	return NULL;
+ }
+diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
+index 8cdb5ef48..a81949c09 100644
+--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
+@@ -936,6 +936,11 @@ static bool parse_protoport(char *token, uint16_t *from_port,
+ 		*from_port = 0xffff;
+ 		*to_port = 0;
+ 	}
+	else if (*port && *protocol == IPPROTO_GRE)
+	{
+		p = strtol(port, &endptr, 0);
+		traffic_selector_split_grekey(p, from_port, to_port);
+	}
+ 	else if (*port)
+ 	{
+ 		svc = getservbyname(port, NULL);
+diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
+index 05ae8d504..8545c415d 100644
+--- a/src/libcharon/plugins/unity/unity_narrow.c
+++ b/src/libcharon/plugins/unity/unity_narrow.c
+@@ -247,7 +247,7 @@ METHOD(listener_t, message, bool,
+ 			if (!first)
+ 			{
+ 				id_payload = (id_payload_t*)payload;
+-				tsr = id_payload->get_ts(id_payload);
+				tsr = id_payload->get_ts(id_payload, NULL, FALSE);
+ 				break;
+ 			}
+ 			first = FALSE;
+diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
+index 56292696b..214ed9b52 100644
+--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
+@@ -680,8 +680,13 @@ CALLBACK(parse_ts, bool,
+ 		}
+ 		else if (*port && !streq(port, "any"))
+ 		{
+-			svc = getservbyname(port, NULL);
+-			if (svc)
+			if (proto == IPPROTO_GRE)
+			{
+				p = strtol(port, &end, 0);
+				if (*end) return FALSE;
+				traffic_selector_split_grekey(p, &from, &to);
+			}
+			else if ((svc = getservbyname(port, NULL)) != NULL)
+ 			{
+ 				from = to = ntohs(svc->s_port);
+ 			}
+diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
+index 5e5b61e7f..1027e3006 100644
+--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
+@@ -567,9 +567,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message)
+ {
+ 	id_payload_t *id_payload;
+ 
+-	id_payload = id_payload_create_from_ts(this->tsi);
+	id_payload = id_payload_create_from_ts(this->tsi, TRUE);
+ 	message->add_payload(message, &id_payload->payload_interface);
+-	id_payload = id_payload_create_from_ts(this->tsr);
+	id_payload = id_payload_create_from_ts(this->tsr, FALSE);
+ 	message->add_payload(message, &id_payload->payload_interface);
+ }
+ 
+@@ -580,7 +580,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
+ {
+ 	traffic_selector_t *tsi = NULL, *tsr = NULL;
+ 	enumerator_t *enumerator;
+-	id_payload_t *id_payload;
+	id_payload_t *idi = NULL, *idr = NULL;
+ 	payload_t *payload;
+ 	host_t *hsi, *hsr;
+ 	bool first = TRUE;
+@@ -590,20 +590,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
+ 	{
+ 		if (payload->get_type(payload) == PLV1_ID)
+ 		{
+-			id_payload = (id_payload_t*)payload;
+-
+ 			if (first)
+ 			{
+-				tsi = id_payload->get_ts(id_payload);
+				idi = (id_payload_t*)payload;
+ 				first = FALSE;
+ 			}
+ 			else
+ 			{
+-				tsr = id_payload->get_ts(id_payload);
+				idr = (id_payload_t*)payload;
+ 				break;
+ 			}
+ 		}
+ 	}
+	if (idi && idr) {
+		tsi = idi->get_ts(idi, idr, TRUE);
+		tsr = idr->get_ts(idr, idi, FALSE);
+	}
+ 	enumerator->destroy(enumerator);
+ 
+ 	/* create host2host selectors if ID payloads missing */
+diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
+index cfd2b029d..d01e2ccec 100644
+--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
+@@ -198,6 +198,14 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
+ 	return print_in_hook(data, "%d", type);
+ }
+ 
+/**
+ * Print GRE key
+ */
+static int print_grekey(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
+{
+	return print_in_hook(data, "%d", traffic_selector_grekey(from_port, to_port));
+}
+
+ /**
+  * Described in header.
+  */
+@@ -303,7 +311,11 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
+ 	{
+ 		written += print_in_hook(data, "/");
+ 
+-		if (this->from_port == this->to_port)
+		if (this->protocol == IPPROTO_GRE)
+		{
+			written += print_grekey(data, this->from_port, this->to_port);
+		}
+		else if (this->from_port == this->to_port)
+ 		{
+ 			struct servent *serv;
+ 
+@@ -377,7 +389,24 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
+ 	/* select protocol, which is not zero */
+ 	protocol = max(this->protocol, other->protocol);
+ 
+-	if ((is_opaque(this) && is_opaque(other)) ||
+	if (this->protocol == IPPROTO_GRE)
+	{
+		if (is_any(this))
+		{
+			from_port = other->from_port;
+			to_port = other->to_port;
+		}
+		else if (is_any(other) ||
+			 (this->from_port == other->from_port &&
+			  this->to_port == other->to_port))
+		{
+			from_port = this->from_port;
+			to_port = this->to_port;
+		}
+		else
+			return NULL;
+	}
+	else if ((is_opaque(this) && is_opaque(other)) ||
+ 		(is_opaque(this) && is_any(other)) ||
+ 		(is_opaque(other) && is_any(this)))
+ 	{
+diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
+index dd9ad7e1b..9ea360d90 100644
+--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
+@@ -120,6 +120,9 @@ struct traffic_selector_t {
+ 	 * 8 bits and the code in the least significant 8 bits.  Use the utility
+ 	 * functions to extract them.
+ 	 *
+	 * If the protocol is GRE, the high 16-bits of the 32-bit GRE key is stored
+	 * in the from port. Use the utility function to merge and split them.
+	 *
+ 	 * @return			port
+ 	 */
+ 	uint16_t (*get_from_port)(traffic_selector_t *this);
+@@ -134,6 +137,9 @@ struct traffic_selector_t {
+ 	 * 8 bits and the code in the least significant 8 bits.  Use the utility
+ 	 * functions to extract them.
+ 	 *
+	 * If the protocol is GRE, the low 16-bits of the 32-bit GRE key is stored
+	 * in the to port. Use the utility function to merge and split them.
+	 *
+ 	 * @return			port
+ 	 */
+ 	uint16_t (*get_to_port)(traffic_selector_t *this);
+@@ -277,6 +283,31 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
+ int traffic_selector_cmp(traffic_selector_t *a, traffic_selector_t *b,
+ 						 void *opts);
+ 
+/**
+ * Reconstruct the 32-bit GRE KEY in host order from a from/to ports.
+ *
+ * @param from_port			port number in host order
+ * @param to_port			port number in host order
+ * @return				GRE KEY in host order
+ */
+static inline uint32_t traffic_selector_grekey(uint16_t from_port, uint16_t to_port)
+{
+	return (from_port << 16) | to_port;
+}
+
+/**
+ * Split 32-bit GRE KEY in host order to from/to ports.
+ *
+ * @param grekey			grekey in host order
+ * @param from_port			from port in host order
+ * @param to_port			to port in host order
+ */
+static inline void traffic_selector_split_grekey(uint32_t grekey, uint16_t *from_port, uint16_t *to_port)
+{
+	*from_port = grekey >> 16;
+	*to_port = grekey & 0xffff;
+}
+
+ /**
+  * Create a new traffic selector using human readable params.
+  *
+-- 
+2.24.1
+
--- a/48
+++ b/48
@@ -1,48 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A
-ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX
-C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v
-hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU
-SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF
-Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7
-iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I
-oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6
-pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm
-ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII
-AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A
-GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr
-wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn
-1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb
-thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D
-fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh
-/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR
-MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3
-iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3
-KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ
-8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI
-wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg
-IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB
-R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa
-pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl
-56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4
-w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA
-Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV
-xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP
-jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+
-lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6
-lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E
-ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7
-TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay
-M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E
-GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki
-kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al
-W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4
-MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU
-Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM
-+M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf
-u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS
-CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF
-b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS
-=ze82
-----END PGP PUBLIC KEY BLOCK-----
--- a/3
+++ b/3
@@ -1,2 +1 @@
-SHA512 (strongswan-5.9.11.tar.bz2) = d500523215f5ec5c5550c4d2c49060b350ae396d8c60170792c46775d04fc7a132aa70a6242145477753668351d26ed957e08903683ecc340aa8d84fb2ae5498
-SHA512 (strongswan-5.9.11.tar.bz2.sig) = a434dc338641c808d3461de17c893a0d3b761cdba6cea5db0551fc75df498cfae26db379a86fd2a0a0e7710676a1cd657c01da435054a6814ec4ce6099db2b68
+SHA512 (strongswan-5.6.3.tar.bz2) = 080402640952b1a08e95bfe9c7f33c6a7dd01ac401b5e7e2e78257c0f2bf0a4d6078141232ac62abfacef892c493f6824948b3165d54d72b4e436ed564fd2609
--- a/strongswan-5.6.2-CVE-2018-5388.patch
+++ b/strongswan-5.6.2-CVE-2018-5388.patch
@@ -0,0 +1,15 @@
+diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
+--- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c	2017-11-09 10:57:30.000000000 -0500
+++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c	2018-05-24 00:00:32.382953618 -0400
+@@ -628,6 +628,11 @@
+ 		return FALSE;
+ 	}
+ 
+	if (len < offsetof(stroke_msg_t, buffer))
+	{
+		DBG1(DBG_CFG, "invalid stroke message length %d", len);
+		return FALSE;
+	}
+ 	/* read message (we need an additional byte to terminate the buffer) */
+ 	msg = malloc(len + 1);
+ 	msg->length = len;
--- a/strongswan-5.9.7-error-no-format.patch
+++ b/strongswan-5.9.7-error-no-format.patch
@@ -1,12 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index f9e6e55c2..247d055d8 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -1480,7 +1480,6 @@ else
- fi
- # disable some warnings, whether explicitly enabled above or by default
- # these are not compatible with our custom printf specifiers
-WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
- WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
- # we generally use comments, but GCC doesn't seem to recognize many of them
- WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,77 +1,42 @@
 %global _hardened_build 1
 #%%define prerelease dr1
-%global dist .nhrp.11%{?dist}
-
-%bcond_without python3
-%bcond_without perl
-%bcond_with    check
-
-%if (0%{?fedora} && 0%{?fedora} < 36) || (0%{?rhel} && 0%{?rhel} < 9)
-# trousers was retired for F36+ and no longer available in RHEL with 9+
-%bcond_without tss_trousers
-%else
-%bcond_with tss_trousers
-%endif
-
-%global forgeurl0 https://github.com/strongswan/strongswan
+Epoch:          1

 Name:           strongswan
-Version:        5.9.11
+Version:        5.6.3
 Release:        3%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
-URL:            https://www.strongswan.org/
-VCS:            git:%{forgeurl0}
-Source0:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
-Source1:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
-Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
-Source3:        tmpfiles-strongswan.conf
-Patch0:         strongswan-5.6.0-uintptr_t.patch
-# https://github.com/strongswan/strongswan/issues/1198
-Patch1:         strongswan-5.9.7-error-no-format.patch
+URL:            http://www.strongswan.org/
+Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
+Patch1:         strongswan-5.6.0-uintptr_t.patch
+Patch3:         strongswan-5.6.2-CVE-2018-5388.patch

-Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
-Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
-Patch12:        0003-vici-add-support-for-individual-sa-state-changes.patch
-Patch13:        0004-Support-GRE-key-in-selectors.patch
+Patch10:        0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
+Patch11:        0002-charon-add-optional-source-and-remote-overrides-for-.patch
+Patch12:        0003-vici-send-certificates-for-ike-sa-events.patch
+Patch13:        0004-vici-add-support-for-individual-sa-state-changes.patch
+Patch14:        0005-vici-add-deprecated-async-parameter.patch
+Patch15:        0006-support-gre-key-in-ikev1.patch
+
+# only needed for pre-release versions
+#BuildRequires:  autoconf automake

-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  gnupg2
-BuildRequires:  make
 BuildRequires:  gcc
-BuildRequires:  systemd
 BuildRequires:  systemd-devel
-BuildRequires:  systemd-rpm-macros
 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
+BuildRequires:  trousers-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
 BuildRequires:  libgcrypt-devel
+BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
-BuildRequires:  libcap-devel
-BuildRequires:  tpm2-tss-devel
-Recommends:     tpm2-tools
-
-%if %{with python3}
-BuildRequires:  python3-devel
-BuildRequires:  python3-setuptools
-BuildRequires:  python3-pytest
-%endif
-
-%if %{with perl}
-BuildRequires:  perl-devel perl-generators
-BuildRequires:  perl(ExtUtils::MakeMaker)
-%endif
-
-%if %{with tss_trousers}
-BuildRequires:  trousers-devel
-%endif

 BuildRequires:  NetworkManager-libnm-devel
 Requires(post): systemd
@@ -92,8 +57,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
 %package charon-nm
 Summary:        NetworkManager plugin for Strongswan
 Requires:       dbus
-Obsoletes:      strongswan-NetworkManager < 0:5.0.4-5
-Conflicts:      strongswan-NetworkManager < 0:5.0.4-5
+Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
+Conflicts:      %{name}-NetworkManager < 0:5.0.4-5
 Conflicts:      NetworkManager-strongswan < 1.4.2-1
 %description charon-nm
 NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -101,14 +66,14 @@ to NetworkManager.

 %package sqlite
 Summary: SQLite support for strongSwan
-Requires: strongswan = %{version}-%{release}
+Requires: %{name} = %{version}-%{release}
 %description sqlite
 The sqlite plugin adds an SQLite database backend to strongSwan.

 %package tnc-imcvs
 Summary: Trusted network connect (TNC)'s IMC/IMV functionality
-Requires: strongswan = %{version}-%{release}
-Requires: strongswan-sqlite = %{version}-%{release}
+Requires: %{name} = %{version}-%{release}
+Requires: %{name}-sqlite = %{version}-%{release}
 %description tnc-imcvs
 This package provides Trusted Network Connect's (TNC) architecture support.
 It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
@@ -119,39 +84,17 @@ modules can be used by any third party TNC Client/Server implementation
 possessing a standard IF-IMC/IMV interface. In addition, it implements
 PT-TLS to support TNC over TLS.

-%if %{with python3}
-%package -n python3-vici
-Summary: Strongswan Versatile IKE Configuration Interface python bindings
-BuildArch: noarch
-%description -n python3-vici
-VICI is an attempt to improve the situation for system integrators by providing
-a stable IPC interface, allowing external tools to query, configure
-and control the IKE daemon.
-
-The Versatile IKE Configuration Interface (VICI) python bindings provides module
-for Strongswan runtime configuration from python applications.
-
-%endif
-
-%if %{with perl}
-%package -n perl-vici
-Summary: Strongswan Versatile IKE Configuration Interface perl bindings
-BuildArch: noarch
-%description -n perl-vici
-VICI is an attempt to improve the situation for system integrators by providing
-a stable IPC interface, allowing external tools to query, configure
-and control the IKE daemon.
-
-The Versatile IKE Configuration Interface (VICI) perl bindings provides module
-for Strongswan runtime configuration from perl applications.
-%endif
-
-# TODO: make also ruby-vici
-
-
 %prep
-%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup -n %{name}-%{version}%{?prerelease} -p1
+%setup -q -n %{name}-%{version}%{?prerelease}
+%patch1 -p1
+%patch3 -p1
+
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1

 %build
 # only for snapshots
@@ -167,10 +110,9 @@ for Strongswan runtime configuration from perl applications.
    --with-ipsecdir=%{_libexecdir}/strongswan \
    --bindir=%{_libexecdir}/strongswan \
    --with-ipseclibdir=%{_libdir}/strongswan \
-    --with-piddir=%{_rundir}/strongswan \
-    --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
+    --with-fips-mode=2 \
    --enable-bypass-lan \
-    --enable-tss-tss2 \
+    --enable-tss-trousers \
    --enable-nm \
    --enable-systemd \
    --enable-openssl \
@@ -225,6 +167,8 @@ for Strongswan runtime configuration from perl applications.
    --enable-imv-attestation \
    --enable-imv-os \
    --enable-imc-os \
+    --enable-imc-swid \
+    --enable-imv-swid \
    --enable-imc-swima \
    --enable-imv-swima \
    --enable-imc-hcd \
@@ -232,77 +176,25 @@ for Strongswan runtime configuration from perl applications.
    --enable-curl \
    --enable-cmd \
    --enable-acert \
+    --enable-aikgen \
    --enable-vici \
    --enable-swanctl \
    --enable-duplicheck \
 %ifarch x86_64 %{ix86}
    --enable-aesni \
 %endif
-%if %{with python3}
-    PYTHON=%{python3} --enable-python-eggs \
-%endif
-%if %{with perl}
-    --enable-perl-cpan \
-%endif
-%if %{with check}
-    --enable-test-vectors \
-%endif
-%if %{with tss_trousers}
-    --enable-tss-trousers \
-    --enable-aikgen \
-%endif
-    --enable-kernel-libipsec \
-    --with-capabilities=libcap \
-    CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"
-# TODO: --enable-python-eggs-install not python3 ready
+    --enable-kernel-libipsec

 # disable certain plugins in the daemon configuration by default
 for p in bypass-lan; do
    echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done

-# ensure manual page is regenerated with local configuration
-rm -f src/ipsec/_ipsec.8
-
-%make_build
-
-pushd src/libcharon/plugins/vici
-
-%if %{with python3}
-  pushd python
-    %make_build
-    sed -e "s,/var/run/charon.vici,%{_rundir}/strongswan/charon.vici," -i vici/session.py
-    #py3_build
-  popd
-%endif
-
-%if %{with perl}
-  pushd perl/Vici-Session/
-    perl Makefile.PL INSTALLDIRS=vendor
-    %make_build
-  popd
-%endif
-
-popd
+make %{?_smp_mflags}

 %install
-%make_install
-
-
-pushd src/libcharon/plugins/vici
-%if %{with python3}
-  pushd python
-    # TODO: --enable-python-eggs breaks our previous build. Do it now
-    # propose better way to upstream
-    %py3_build
-    %py3_install
-  popd
-%endif
-%if %{with perl}
-  %make_install -C perl/Vici-Session
-  rm -f %{buildroot}{%{perl_archlib}/perllocal.pod,%{perl_vendorarch}/auto/Vici/Session/.packlist}
-%endif
-popd
+make install DESTDIR=%{buildroot}
+mv %{buildroot}%{_sysconfdir}/strongswan/dbus-1 %{buildroot}%{_sysconfdir}/
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
    if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -320,44 +212,27 @@ install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d
 for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
    install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
 done
-install -d -m 0700 %{buildroot}%{_rundir}/strongswan
-install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
-install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
-
-
-%check
-%if %{with check}
-  # Seen some tests hang. Ensure we do not block builder forever
-  export TESTS_VERBOSITY=1
-  timeout 600 %make_build check
-%endif
-%if %{with python}
-  pushd src/libcharon/plugins/vici
-    %pytest
-  popd
-%endif
-:

 %post
-%systemd_post strongswan.service strongswan-starter.service
+%systemd_post %{name}.service

 %preun
-%systemd_preun strongswan.service strongswan-starter.service
+%systemd_preun %{name}.service

 %postun
-%systemd_postun_with_restart strongswan.service strongswan-starter.service
+%systemd_postun_with_restart %{name}.service

 %files
 %doc README NEWS TODO ChangeLog
 %license COPYING
-%dir %attr(0755,root,root) %{_sysconfdir}/strongswan
+%dir %attr(0700,root,root) %{_sysconfdir}/strongswan
 %config(noreplace) %{_sysconfdir}/strongswan/*
 %dir %{_libdir}/strongswan
 %exclude %{_libdir}/strongswan/imcvs
 %dir %{_libdir}/strongswan/plugins
 %dir %{_libexecdir}/strongswan
 %{_unitdir}/strongswan.service
-%{_unitdir}/strongswan-starter.service
+%{_unitdir}/strongswan-swanctl.service
 %{_sbindir}/charon-cmd
 %{_sbindir}/charon-systemd
 %{_sbindir}/strongswan
@@ -378,9 +253,6 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %{_mandir}/man?/*.gz
 %{_datadir}/strongswan/templates/config/
 %{_datadir}/strongswan/templates/database/
-%attr(0755,root,root) %dir %{_rundir}/strongswan
-%attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
-%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf

 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -404,189 +276,10 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co

 %files charon-nm
 %doc COPYING
-%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
+%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm

-%if %{with python3}
-%files -n python3-vici
-%license COPYING
-%doc src/libcharon/plugins/vici/python/README.rst
-%{python3_sitelib}/vici
-%{python3_sitelib}/vici-%{version}-py*.egg-info
-%endif
-
-%if %{with perl}
-%license COPYING
-%files -n perl-vici
-%{perl_vendorlib}/Vici
-%endif
-
 %changelog
-* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
- Resolves: rhbz#2214186 strongswan-5.9.11 is available
-
-* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
- Rebuilt for Python 3.12
-
-* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
- Update to 5.9.10
-
-* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
-
-* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
- Use configure paths in manual pages (#2106120)
-
-* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
- Update to 5.9.9 (#2157850)
-
-* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
- Add BR perl-generators to automatically generates run-time dependencies
-  for installed Perl files
-
-* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
- Resolves rhbz#2112274 strongswan-5.9.8 is available
- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
- Add BuildRequire for autoconf and automake, now required for release
- Remove obsolete patches
-
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
- Resolves rhbz#2080070 strongswan-5.9.6 is available
- Fixed missing format string in enum_flags_to_string()
-
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
- Rebuilt for Python 3.11
-
-* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
-
-* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
- Use newly published/cleaned strongswan gpg key
-
-* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
-
-* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
-
-* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
- Resolves rhbz#1419441 Add python and perl vici bindings
- Adds optional tests run
-
-* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
- Return to using tmpfiles, but extend to cover strongswan-starter service too
- Cleanup old patches
-
-* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
- Resolves: rhbz#2015165 strongswan-5.9.4 is available
- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
- Rebuilt with OpenSSL 3.0.0
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
- Rebuild for versioned symbols in json-c
-
-* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
- Resolves: rhbz#1979574 strongswan-5.9.3 is available
- Make strongswan main dir world readable so apps can find strongswan.conf
-
-* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
- Resolves: rhbz#1896545 strongswan-5.9.2 is available
-
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
-
-* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
- Resolves: rhbz#1896545 strongswan-5.9.1 is available
-
-* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
- Build with with capabilities support
- Resolves: rhbz#1911572 StrongSwan not configured with libcap support
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
-
-* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
- Resolves: rhbz#1861747 strongswan-5.9.0 is available
- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
-  (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-5
- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.8.4-3
- Rebuild (json-c)
-
-* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
- Patch0: Add RuntimeDirectory options to service files (#1789263)
-
-* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
- Updated to 5.8.4
- Patch4 has been applied upstream
-
-* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
- Patch to declare a global variable with extern (#1800117)
-
-* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
- use tmpfile to ensure rundir is present
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
- Use /run/strongswan as rundir to support strongswans in namespaces
-
-* Tue Dec 17 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-1
- Update to 5.8.2 (#1784457)
- The D-Bus config file moved under datadir
-
-* Mon Sep 02 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.1-1
- Update to 5.8.1 (#1711920)
- No more separate strongswan-swanctl.service to start out of order (#1775548)
- Added strongswan-starter.service
-
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Wed Jan 09 2019 Paul Wouters <pwouters@redhat.com> - 5.7.2-1
- Updated to 5.7.2
-
-* Thu Oct 04 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.7.1-1
- Updated to 5.7.1
- Resolves rhbz#1635872 CVE-2018-16152
- Resolves rhbz#1635875 CVE-2018-16151
-
 * Thu Aug 23 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-3
 - Add plugin bypass-lan, disabled by default
 - Resolves rhbz#1554479 Update to strongswan-charon-nm fails
@@ -934,10 +627,10 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 * Mon Mar 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-1
 - Update to upstream release 5.0.2
 - Created sub package strongswan-tnc-imcvs that provides trusted network
-  connect's IMC and IMV funtionality. Specifically it includes PTS
-  based IMC/IMV for TPM based remote attestation and scanner and test
-  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used
-  by any third party TNC Client/Server implementation possessing a
+  connect's IMC and IMV funtionality. Specifically it includes PTS 
+  based IMC/IMV for TPM based remote attestation and scanner and test 
+  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used 
+  by any third party TNC Client/Server implementation possessing a 
  standard IF-IMC/IMV interface.

 * Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.1-2
--- a/tmpfiles-strongswan.conf
+++ b/tmpfiles-strongswan.conf
@@ -1 +0,0 @@
-D /run/strongswan 0755 root root -
Author	SHA1	Message	Date
Zoran Peričić	7ee24810b2	Bump epoch	2019-12-31 11:33:53 +01:00
Zoran Peričić	4401ae909d	Patch vici for NHRP	2019-12-31 09:55:38 +01:00