On 2016-02-13 10:03 PM, Ryan Harper wrote:
> On Sat, Feb 13, 2016 at 7:51 PM, Simon Déziel <1535...@bugs.launchpad.net> wrote:
>
>> On 2016-02-13 05:09 PM, Ryan Harper wrote:
>>> On Sat, Feb 13, 2016 at 12:27 PM, mrq1 <tempusfugit...@gmail.com> wrote:
>>>
>>>> Great! Starts now :-)
>>>>
>>>> What about the chapoly plugin? Can you enable it in the extra package? It would be very important for me!
>>>
>>> I can look at enabling it. It's new in 5.3.5.
>>
>> +1
>>
>> ChaCha20/Poly1305 actually made it in 5.3.3 [1] and I haven't heard of any problem on the mailing list.
>>
>>> If enabled, can you test and confirm it works?
>>
>> I too would be glad to give it a spin and report about it.
>>
>>> Looks like something quite interesting.
>>> https://en.wikipedia.org/wiki/Poly1305
>>
>> Indeed! ChaCha20 and Poly1305 are cool and getting quite some traction these days [2].
>
> Excellent! I've just uploaded a new version to the PPA; it should be ready in a bit with the new plugin and updated AppArmor profiles from your repo.

Thanks, will try it out.

> One question: the profile included /dev/tun, and in my Xenial setups I need /dev/net/tun, so I've allowed both in the profile. Not clear to me if it's useful/needed to have both, or if only one is sufficient.

Good catch. The path has always been /dev/net/tun, even in previous releases, so please drop the erroneous /dev/tun rule I added.

>>> Comments here in the Debian bug indicate that this requires at least a 4.2 kernel.
>>
>> For the IKE part, the kernel version shouldn't matter. For the ESP part, you indeed need a recent kernel, or you can always use the userspace implementation (libipsec).
>
> OK
>
>> libipsec support is very cool (thanks for enabling it!) as it should allow running IPsec in containers.
>
> Please do confirm if that's working. I suspect they'll need to be privileged containers or will need some additional permissions/configs for unprivileged since it'll want access to /dev/net/tun which won't be present by default.
>
> I'd like to capture how to run strongswan in containers like LXD so if you've any experience

I'd expect it to be pretty close to running OpenVPN in a container. I'll check that out on LXD and let you know.

--
https://bugs.launchpad.net/bugs/1535951

Title:
  Please merge strongswan 5.3.5-1 (main) from Debian unstable (main)