Android.common.mk

@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.7.2"
+strongswan_VERSION := "5.8.0"
 

Makefile.in

@@ -350,6 +350,7 @@ SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
+WOLFSSL_LIB = @WOLFSSL_LIB@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@

NEWS

+strongswan-5.8.0
+----------------
+
+- The systemd service units have been renamed. The modern unit, which was called
+  strongswan-swanctl, is now called strongswan (the previous name is configured
+  as alias). The legacy unit is now called strongswan-starter.
+
+- Support for XFRM interfaces (available since Linux 4.19) has been added.
+  Configuration is possible via swanctl.conf.  Interfaces may be created
+  dynamically via updown/vici scripts, or statically before or after
+  establishing the SAs. Routes must be added manually as needed (the daemon will
+  not install any routes for outbound policies with an interface ID).
+
+- Initiation of childless IKE_SAs is supported (RFC 6023). If enabled and
+  supported by the responder, no CHILD_SA is established during IKE_AUTH. This
+  allows using a separate DH exchange even for the first CHILD_SA, which is
+  otherwise created with keys derived from the IKE_SA's key material.
+
+- The NetworkManager backend and plugin support IPv6.
+
+- The new wolfssl plugin is a wrapper around the wolfSSL crypto library. Thanks
+  to Sean Parkinson of wolfSSL Inc. for the initial patch.
+
+- IKE SPIs may optionally be labeled via the charon.spi_mask|label options. This
+  feature was extracted from charon-tkm, however, now applies the mask/label in
+  network order.
+
+- The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0.
+
+- The PB-TNC finite state machine according to section 3.2 of RFC 5793 was not
+  correctly implemented when sending either a CRETRY or SRETRY batch. These
+  batches can only be sent in the "Decided" state and a CRETRY batch can
+  immediately carry all messages usually transported by a CDATA batch. It is
+  currently not possible to send a SRETRY batch since full-duplex mode for
+  PT-TLS transport is not supported.
+
+- Instead of marking virtual IPv6 addresses as deprecated, the kernel-netlink
+  plugin uses address labels to avoid their use for non-VPN traffic.
+
+- The agent plugin creates sockets to the ssh/gpg-agent dynamically and does not
+  keep them open, which otherwise can prevent the agent from getting terminated.
+
+- To avoid broadcast loops the forecast plugin now only reinjects packets that
+  are marked or received from the configured interface.
+
+- UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally uses
+  an UTF-16LE encoding to calculate the NT hash.
+
+- Adds the build-certs script to generate the keys and certificates used for
+  regression tests dynamically.  They are built with the pki version installed
+  in the KVM root image so it's not necessary to have an up-to-date version with
+  all required plugins installed on the host system.
+
+
 strongswan-5.7.2
 ----------------
 

conf/Makefile.am

@@ -101,6 +101,7 @@ plugins = \
 	plugins/updown.opt \
 	plugins/vici.opt \
 	plugins/whitelist.opt \
+	plugins/wolfssl.opt \
 	plugins/xauth-eap.opt \
 	plugins/xauth-pam.opt
 
@@ -173,7 +174,7 @@ install-data-local: $(plugins_install_src)
 	test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" || true
 	test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" || true
 	test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" || true
-	test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
+	test -e "$(DESTDIR)$(strongswan_conf)" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswan_conf) || true
 	for f in $(options_install_src); do \
 		name=`basename $$f`; \
 		test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 "$(srcdir)/$$f" "$(DESTDIR)$(strongswanddir)/$$name" || true; \

conf/Makefile.in

@@ -273,6 +273,7 @@ SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
+WOLFSSL_LIB = @WOLFSSL_LIB@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
@@ -508,6 +509,7 @@ plugins = \
 	plugins/updown.opt \
 	plugins/vici.opt \
 	plugins/whitelist.opt \
+	plugins/wolfssl.opt \
 	plugins/xauth-eap.opt \
 	plugins/xauth-pam.opt
 
@@ -899,7 +901,7 @@ install-data-local: $(plugins_install_src)
 	test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" || true
 	test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" || true
 	test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" || true
-	test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
+	test -e "$(DESTDIR)$(strongswan_conf)" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswan_conf) || true
 	for f in $(options_install_src); do \
 		name=`basename $$f`; \
 		test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 "$(srcdir)/$$f" "$(DESTDIR)$(strongswanddir)/$$name" || true; \

conf/options/charon.conf

@@ -254,6 +254,13 @@ charon {
     # Whether to enable constraints against IKEv2 signature schemes.
     # signature_authentication_constraints = yes
 
+    # Value mixed into the local IKE SPIs after applying spi_mask.
+    # spi_label = 0x0000000000000000
+
+    # Mask applied to local IKE SPIs before mixing in spi_label (bits set will
+    # be replaced with spi_label).
+    # spi_mask = 0x0000000000000000
+
     # The upper limit for SPIs requested from the kernel for IPsec SAs.
     # spi_max = 0xcfffffff
 

conf/options/charon.opt

@@ -370,6 +370,13 @@ charon.signature_authentication_constraints = yes
 	certificate chain, are also used as constraints against the signature scheme
 	used by peers during IKEv2.
 
+charon.spi_label = 0x0000000000000000
+	Value mixed into the local IKE SPIs after applying _spi_mask_.
+
+charon.spi_mask = 0x0000000000000000
+	Mask applied to local IKE SPIs before mixing in _spi_label_ (bits set will
+	be replaced with _spi_label_).
+
 charon.spi_min = 0xc0000000
 	The lower limit for SPIs requested from the kernel for IPsec SAs.
 

conf/plugins/wolfssl.conf

+wolfssl {
+
+    # Enable to prevent loading the plugin if wolfSSL is not in FIPS mode.
+    # fips_mode = no
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+}
+

conf/plugins/wolfssl.opt

+charon.plugins.wolfssl.fips_mode = no
+	Enable to prevent loading the plugin if wolfSSL is not in FIPS mode.

conf/strongswan.conf.5.main

@@ -1755,6 +1755,10 @@ Enable loaded whitelist plugin.
 .BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
 Socket provided by the whitelist plugin.
 
+.TP
+.BR charon.plugins.wolfssl.fips_mode " [no]"
+Enable to prevent loading the plugin if wolfSSL is not in FIPS mode.
+
 .TP
 .BR charon.plugins.xauth-eap.backend " [radius]"
 EAP plugin to be used as backend for XAuth credential verification.
@@ -1913,6 +1917,21 @@ used as constraints against signature schemes employed in the certificate chain,
 are also used as constraints against the signature scheme used by peers during
 IKEv2.
 
+.TP
+.BR charon.spi_label " [0x0000000000000000]"
+Value mixed into the local IKE SPIs after applying
+.RI "" "spi_mask" "."
+
+
+.TP
+.BR charon.spi_mask " [0x0000000000000000]"
+Mask applied to local IKE SPIs before mixing in
+.RI "" "spi_label" ""
+(bits set will be
+replaced with
+.RI "" "spi_label" ")."
+
+
 .TP
 .BR charon.spi_max " [0xcfffffff]"
 The upper limit for SPIs requested from the kernel for IPsec SAs.

configure.ac

@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.7.2])
+AC_INIT([strongSwan],[5.8.0])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -145,6 +145,7 @@ ARG_ENABL_SET([newhope],        [enable New Hope crypto plugin.])
 ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
 ARG_ENABL_SET([ntru],           [enables the NTRU crypto plugin.])
 ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
+ARG_ENABL_SET([wolfssl],        [enables the wolfSSL crypto plugin.])
 ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
 ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
 ARG_DISBL_SET([rc2],            [disable RC2 software implementation plugin.])
@@ -444,7 +445,7 @@ if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$i
 fi
 
 if test x$fips_prf = xtrue; then
-	if test x$openssl = xfalse; then
+	if test x$openssl = xfalse -a x$wolfssl = xfalse; then
 		sha1=true;
 	fi
 fi
@@ -1136,6 +1137,14 @@ if test x$openssl = xtrue; then
 	AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
 fi
 
+if test x$wolfssl = xtrue; then
+	wolfssl_lib=wolfssl
+	AC_CHECK_LIB([$wolfssl_lib],[wolfSSL_Init],[LIBS="$LIBS"],
+		[AC_MSG_ERROR([wolfSSL lib$wolfssl_lib not found])],[$DLLIB])
+	AC_SUBST(WOLFSSL_LIB, [-l$wolfssl_lib])
+	AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
+fi
+
 if test x$gcrypt = xtrue; then
 	AC_CHECK_LIB([gcrypt],[gcry_control],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
 	AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
@@ -1312,7 +1321,7 @@ fi
 AM_CONDITIONAL(RUBY_GEMS_INSTALL, [test "x$ruby_gems_install" = xtrue])
 
 if test x$python_eggs = xtrue; then
-	PYTHON_PACKAGE_VERSION=`echo "$PACKAGE_VERSION" | $SED 's/dr/dev/'`
+	PYTHON_PACKAGE_VERSION=`echo "$PACKAGE_VERSION" | $SED 's/dr/.dev/'`
 	AC_SUBST([PYTHON_PACKAGE_VERSION])
 	if test x$python_eggs_install = xtrue; then
 		AC_PATH_PROG([EASY_INSTALL], [easy_install], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
@@ -1408,6 +1417,7 @@ ADD_PLUGIN([ipseckey],             [c charon])
 ADD_PLUGIN([pem],                  [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
 ADD_PLUGIN([padlock],              [s charon])
 ADD_PLUGIN([openssl],              [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([wolfssl],              [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([gcrypt],               [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([botan],                [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
@@ -1578,6 +1588,7 @@ AM_CONDITIONAL(USE_MYSQL, test x$mysql = xtrue)
 AM_CONDITIONAL(USE_SQLITE, test x$sqlite = xtrue)
 AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
 AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
+AM_CONDITIONAL(USE_WOLFSSL, test x$wolfssl = xtrue)
 AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
 AM_CONDITIONAL(USE_BOTAN, test x$botan = xtrue)
 AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
@@ -1808,7 +1819,7 @@ AC_CONFIG_FILES([
 	man/Makefile
 	init/Makefile
 	init/systemd/Makefile
-	init/systemd-swanctl/Makefile
+	init/systemd-starter/Makefile
 	src/Makefile
 	src/include/Makefile
 	src/libstrongswan/Makefile
@@ -1857,6 +1868,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/sqlite/Makefile
 	src/libstrongswan/plugins/padlock/Makefile
 	src/libstrongswan/plugins/openssl/Makefile
+	src/libstrongswan/plugins/wolfssl/Makefile
 	src/libstrongswan/plugins/gcrypt/Makefile
 	src/libstrongswan/plugins/botan/Makefile
 	src/libstrongswan/plugins/agent/Makefile
@@ -2009,6 +2021,7 @@ AC_CONFIG_FILES([
 	src/sw-collector/Makefile
 	src/sec-updater/Makefile
 	src/swanctl/Makefile
+	src/xfrmi/Makefile
 	scripts/Makefile
 	testing/Makefile
 ])

debian/NEWS

+strongswan (5.8.0-1) unstable; urgency=medium
+
+  With 5.8.0, systemd service files for strongSwan have been renamed.
+  The strongswan service file, previously in the strongswan-starter package
+  and associated with the ipsec(8) command, is now called strongswan-starter.
+  The strongswan-swanctl service file in the strongswan-swanctl package and
+  associated to the swanctl (8) command, is now called strongswan.
+  .
+  Thus strongswan.service file has thus been moved from the strongswan-starter
+  to the strongswan-swanctl service and administrator should ensure they're
+  calling the right service for their usage.
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Mon, 26 Aug 2019 16:29:57 +0200
+
 strongswan (5.6.2-1) unstable; urgency=medium
 
   Starting 5.6.1, several algorithms were removed from the default ESP/AH and

debian/changelog

+strongswan (5.8.0-1) unstable; urgency=medium
+
+  [ Christian Ehrhardt ]
+  * Fix fails in debian CI (Closes: #926479)
+
+  [ Simon Deziel ]
+  * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP to
+    apparmor to allow dropping caps
+  * d/usr.sbin.swanctl: add attach_disconnected to work inside containers
+  * d/usr.sbin.charon-systemd: allow accessing the binary
+  * d/usr.sbin.swanctl: allow reading own binary
+
+  [ Yves-Alexis Perez ]
+  * New upstream version 5.8.0
+  * d/control: update standards version to 4.4.0
+  * use debhelper-compat b-d for dh compat level
+  * d/control: bump dh compat level to 11
+  * d/rules: drop systemd addon, useless in compat 11
+  * strongswan-libcharon: install xfrmi binary
+  * d/patches refreshed for new upstream release
+  * handle renaming of systemd service files
+  * d/control: remove obsolete breaks/replaces
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Mon, 26 Aug 2019 12:58:23 +0200
+
 strongswan (5.7.2-1) unstable; urgency=medium
 
   * d/control: remove Rene from Uploaders, thanks!

debian/charon-systemd.install

 etc/strongswan.d/charon-systemd.conf
-lib/systemd/system/strongswan-swanctl.service
+lib/systemd/system/strongswan.service
 usr/sbin/charon-systemd
 usr/share/strongswan/templates/config/strongswan.d/charon-systemd.conf
 debian/usr.sbin.charon-systemd /etc/apparmor.d/

debian/compat

-10

debian/control

@@ -3,12 +3,12 @@ Section: net
 Priority: optional
 Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
 Uploaders: Yves-Alexis Perez <corsac@debian.org>
-Standards-Version: 4.3.0
+Standards-Version: 4.4.0
 Vcs-Browser: https://salsa.debian.org/debian/strongswan
 Vcs-Git: https://salsa.debian.org/debian/strongswan.git
 Build-Depends: bison,
                bzip2,
-               debhelper (>= 10),
+               debhelper-compat (= 11),
                dh-apparmor,
                dpkg-dev (>= 1.16.2),
                flex,
@@ -46,8 +46,6 @@ Description: IPsec VPN solution metapackage
 Package: libstrongswan
 Architecture: any
 Depends: ${misc:Depends}, ${shlibs:Depends}
-Breaks: strongswan-starter (<< 5.3.5-2)
-Replaces: strongswan-starter (<< 5.3.5-2)
 Recommends: libstrongswan-standard-plugins
 Suggests: libstrongswan-extra-plugins
 Description: strongSwan utility and crypto library
@@ -99,8 +97,6 @@ Architecture: any
 Depends: libstrongswan (= ${binary:Version}),
          ${misc:Depends},
          ${shlibs:Depends}
-Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
-Replaces: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
 Description: strongSwan utility and crypto library (standard plugins)
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
@@ -119,8 +115,8 @@ Architecture: any
 Depends: libstrongswan (= ${binary:Version}),
          ${misc:Depends},
          ${shlibs:Depends}
-Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1), libcharon-extra-plugins (<= 5.5.3-1)
-Replaces: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1), libcharon-extra-plugins (<= 5.5.3-1)
+Breaks: libcharon-extra-plugins (<= 5.5.3-1)
+Replaces: libcharon-extra-plugins (<= 5.5.3-1)
 Description: strongSwan utility and crypto library (extra plugins)
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
@@ -151,8 +147,6 @@ Architecture: any
 Depends: libstrongswan (= ${binary:Version}),
          ${misc:Depends},
          ${shlibs:Depends}
-Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
-Replaces: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
 Description: strongSwan charon library (extra plugins)
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
@@ -221,6 +215,10 @@ Description: strongSwan charon library
    - socket-default
    - counters
    - bypass-lan (disabled by default)
+ .
+ It also contains the xfrmi binary which can be used on Linux 4.19+ to create
+ XFRM interfaces (for more information, see
+ https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN)
 
 Package: strongswan-charon
 Architecture: any
@@ -270,8 +268,6 @@ Architecture: any
 Depends: libstrongswan (= ${binary:Version}),
          ${misc:Depends},
          ${shlibs:Depends}
-Breaks: strongswan-starter (<< 5.3.5-2)
-Replaces: strongswan-starter (<< 5.3.5-2)
 Description: strongSwan IPsec client, pki command
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
@@ -284,8 +280,6 @@ Architecture: any
 Depends: libstrongswan (= ${binary:Version}),
          ${misc:Depends},
          ${shlibs:Depends}
-Breaks: strongswan-starter (<< 5.3.5-2)
-Replaces: strongswan-starter (<< 5.3.5-2)
 Description: strongSwan IPsec client, SCEP client
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
@@ -298,6 +292,8 @@ Architecture: any
 Depends: libstrongswan (= ${binary:Version}),
          ${misc:Depends},
          ${shlibs:Depends}
+Breaks: strongswan-starter (<< 5.8.0-1)
+Replaces: strongswan-starter (<< 5.8.0-1)
 Description: strongSwan IPsec client, swanctl command
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.

debian/patches/03_systemd-service.patch

@@ -5,13 +5,13 @@ Subject: Tune the ipsec systemd service file
 - add a reload argument
 - don't wait on syslog
 ---
- init/systemd/strongswan.service.in | 3 ++-
+ init/systemd-starter/strongswan-starter.service.in | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
 
-diff --git a/init/systemd/strongswan.service.in b/init/systemd/strongswan.service.in
+diff --git a/init/systemd-starter/strongswan-starter.service.in b/init/systemd-starter/strongswan-starter.service.in
 index 474284a..8060d1e 100644
---- a/init/systemd/strongswan.service.in
-+++ b/init/systemd/strongswan.service.in
+--- a/init/systemd-starter/strongswan-starter.service.in
++++ b/init/systemd-starter/strongswan-starter.service.in
 @@ -1,9 +1,10 @@
  [Unit]
  Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf

debian/rules

@@ -129,7 +129,7 @@ ifeq ($(DEB_HOST_ARCH_OS),linux)
 	dh_install -p libstrongswan-extra-plugins usr/share/strongswan/templates/config/plugins/af-alg.conf
 	dh_install -p libstrongswan-extra-plugins etc/strongswan.d/charon/af-alg.conf
 	# the systemd service file only gets generated on Linux
-	dh_install -p strongswan-starter lib/systemd/system/strongswan.service
+	dh_install -p strongswan-starter lib/systemd/system/strongswan-starter.service
 endif
 
 ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
@@ -180,7 +180,7 @@ endif
 		-Xlibstrongswan-rdrand.so -X rdrand.conf \
 		-Xlibstrongswan-aesni.so -X aesni.conf \
 		-Xlibstrongswan-af-alg.so -X af-alg.conf \
-		-Xstrongswan.service
+		-Xstrongswan-starter.service
 
 	# AppArmor.
 	dh_apparmor --profile-name=usr.lib.ipsec.charon -p strongswan-charon
@@ -257,4 +257,4 @@ override_dh_missing-indep:
 	dh_missing --list-missing
 
 %:
-	dh $@ --with systemd
+	dh $@

debian/strongswan-libcharon.install

 usr/lib/ipsec/libcharon*
+usr/lib/ipsec/xfrmi
 ## libcharon plugins
 # socket-default
 usr/lib/ipsec/plugins/libstrongswan-socket-default.so