
[Package Request] - strongswan

Open bplessis-swi opened this issue 2 years ago • 29 comments

What package is missing from Amazon Linux 2022? Please describe and include package name.

The strongswan package is missing

Is this an update to existing package or new package request?

New package

Is this package available in Amazon Linux 2? If it is available via external sources such as EPEL, please specify.

Available in AmazonLinux 2 via EPEL

Any additional information you'd like to include. (use-cases, etc)

Useful to maintain IPsec VPNs access with special constraint (ip-space over-lap, partial access through firewall or local proxy service)

bplessis-swi avatar Mar 24 '23 16:03 bplessis-swi

libreswan was in AL2, but they've chosen to take it out.

VPNs can be terminated by the AWS service "VPNConnections" so having it easily available as a package may be reducing the usage of that service.

I'd like the same - any of the *swan packages compiled for AWS Linux 2023, so I don't have to faff with self-packaging.

Criggie avatar Apr 03 '23 03:04 Criggie

AWS service "VPNConnections" is not covering a lot of network functionalities like NAT / Double Nating.

florianlocqueneux avatar May 19 '23 15:05 florianlocqueneux

Libreswan has been removed from the AL2023 packages list (https://docs.aws.amazon.com/linux/al2023/release-notes/removed-packages.html). However, as AL2023 is based on Fedora, I thought I'd be able to install it with the package libreswan-4.11-1.fc38.x86_64.rpm, which is available for download from the Fedora Project website (https://download-ib01.fedoraproject.org/pub/fedora/linux/updates/38/Everything/x86_64/Packages/l/libreswan-4.11-1.fc38.x86_64.rpm).

I get multiple library/conflict issues when trying to install it... I'm looking for a way to install it; all advice is welcome.

yum install /tmp/Packages/libreswan-4.11-1.fc38.x86_64.rpm
Last metadata expiration check: 1 day, 0:14:42 ago on Mon May 22 12:31:41 2023.
Error: Problem: conflicting requests

  • nothing provides liblber.so.2()(64bit) needed by libreswan-4.11-1.fc38.x86_64
  • nothing provides liblber.so.2(OPENLDAP_2.200)(64bit) needed by libreswan-4.11-1.fc38.x86_64
  • nothing provides libldap.so.2()(64bit) needed by libreswan-4.11-1.fc38.x86_64
  • nothing provides libldap.so.2(OPENLDAP_2.200)(64bit) needed by libreswan-4.11-1.fc38.x86_64
  • nothing provides libldns.so.3()(64bit) needed by libreswan-4.11-1.fc38.x86_64

yum whatprovides 'liblber.so.2'
Error: No matches found. If searching for a file, try specifying the full path or using a wildcard prefix ("*/") at the beginning.

yum whatprovides 'libldap.so.2'
Error: No matches found. If searching for a file, try specifying the full path or using a wildcard prefix ("*/") at the beginning.

yum whatprovides 'libldns.so.3'
Error: No matches found. If searching for a file, try specifying the full path or using a wildcard prefix ("*/") at the beginning.

yum list installed | grep openldap
openldap.x86_64 2.4.57-6.amzn2023.0.4 @System
openldap-devel.x86_64 2.4.57-6.amzn2023.0.4 @amazonlinux

Slapy06 avatar May 23 '23 12:05 Slapy06

You can try these which I compiled on my test box: libreswan and ldns x86_64.zip

TL;DR: You can build the following source packages on an AL2023 host:
https://kojipkgs.fedoraproject.org//packages/ldns/1.8.1/7.fc37/src/ldns-1.8.1-7.fc37.src.rpm
https://kojipkgs.fedoraproject.org//packages/libreswan/4.11/1.fc37/src/libreswan-4.11-1.fc37.src.rpm
To build libreswan you need ldns-devel installed, which was not found in AL2023.

Required packages excluding ldns-devel: perl-ExtUtils-MakeMaker perl-devel perl-generators libpcap-devel curl-devel audit-libs-devel hostname libcap-ng-devel libevent-devel libseccomp-devel libselinux-devel nspr-devel nss-devel nss-tools openldap-devel pam-devel systemd-devel unbound-devel xmlto

danie-dejager avatar May 23 '23 13:05 danie-dejager
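The rebuild procedure described in the comment above, written out as an added shell example (not code from the thread or from the Amazon Linux project): it rebuilds the two Fedora src.rpms in the order the comment gives (ldns first, because its build produces the ldns-devel that libreswan needs), and it includes a small helper that turns the "nothing provides ..." lines from the earlier yum error into a plain list of unsatisfied sonames, so you can see at a glance which libraries a foreign binary RPM would drag in before deciding to rebuild from source instead. Assumptions not stated on the page: rpmbuild writes to ~/rpmbuild, the rpm-build package supplies rpmbuild, and sudo is available. The sample error text is constructed to mirror the output shown in the thread.

```shell
#!/bin/sh
# Added example, not part of the GitHub issue: rebuild Fedora src.rpms on AL2023
# and list the sonames that dnf/yum reports as unsatisfied.
# Assumptions (not from the page): rpmbuild output lands in ~/rpmbuild, the
# rpm-build package provides rpmbuild, and sudo is available on the host.
set -eu

# Source packages named in the thread.
LDNS_SRPM="https://kojipkgs.fedoraproject.org//packages/ldns/1.8.1/7.fc37/src/ldns-1.8.1-7.fc37.src.rpm"
LIBRESWAN_SRPM="https://kojipkgs.fedoraproject.org//packages/libreswan/4.11/1.fc37/src/libreswan-4.11-1.fc37.src.rpm"

# Build dependencies listed in the thread, plus rpm-build for the rpmbuild tool itself.
# ldns-devel is deliberately absent: the ldns rebuild below produces it.
BUILD_DEPS="perl-ExtUtils-MakeMaker perl-devel perl-generators libpcap-devel curl-devel \
audit-libs-devel hostname libcap-ng-devel libevent-devel libseccomp-devel libselinux-devel \
nspr-devel nss-devel nss-tools openldap-devel pam-devel systemd-devel unbound-devel xmlto rpm-build"

# Read dnf/yum "nothing provides X needed by Y" text on stdin and print each
# unsatisfied soname once, sorted. Lines without that phrase are ignored.
missing_provides() {
    sed -n 's/.*nothing provides \([^ ]*\) needed by .*/\1/p' | sort -u
}

# Constructed sample of the error text (same shape as the output quoted in the thread).
SAMPLE_ERRORS='Error: Problem: conflicting requests
  - nothing provides liblber.so.2()(64bit) needed by libreswan-4.11-1.fc38.x86_64
  - nothing provides libldap.so.2(OPENLDAP_2.200)(64bit) needed by libreswan-4.11-1.fc38.x86_64
  - nothing provides libldap.so.2(OPENLDAP_2.200)(64bit) needed by libreswan-4.11-1.fc38.x86_64
  - nothing provides libldns.so.3()(64bit) needed by libreswan-4.11-1.fc38.x86_64'

# Number of distinct missing sonames in the sample (duplicates collapse to one).
count_missing() {
    printf '%s\n' "$SAMPLE_ERRORS" | missing_provides | wc -l | tr -d ' '
}

# Rebuild ldns (yields ldns-devel), install the resulting RPMs, then rebuild libreswan.
rebuild_swan() {
    workdir=$(mktemp -d)
    sudo dnf install -y $BUILD_DEPS
    curl -fsSL -o "$workdir/ldns.src.rpm" "$LDNS_SRPM"
    curl -fsSL -o "$workdir/libreswan.src.rpm" "$LIBRESWAN_SRPM"
    rpmbuild --rebuild "$workdir/ldns.src.rpm"
    sudo dnf install -y "$HOME"/rpmbuild/RPMS/x86_64/ldns-*.rpm   # includes ldns-devel
    rpmbuild --rebuild "$workdir/libreswan.src.rpm"
    ls "$HOME"/rpmbuild/RPMS/x86_64/libreswan-*.rpm
}

# The network and build steps only run when explicitly requested: ./rebuild-swan.sh build
if [ "${1:-}" = "build" ]; then
    rebuild_swan
fi
```

Run with the `build` argument on the AL2023 host to perform the rebuild; without it the script only defines the helpers, and `printf '%s\n' "$SAMPLE_ERRORS" | missing_provides` shows the three sonames (liblber, libldap, libldns) that the Fedora 38 binary RPM wanted and AL2023's openldap 2.4 could not satisfy.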

Libreswan has been removed from the AL2023 packages list (https://docs.aws.amazon.com/linux/al2023/release-notes/removed-packages.html). However, as AL2023 is based on Fedora, I thought I'd be able to install it with the package libreswan-4.11-1.fc38.x86_64.rpm, which is available for download from the Fedora Project website (https://download-ib01.fedoraproject.org/pub/fedora/linux/updates/38/Everything/x86_64/Packages/l/libreswan-4.11-1.fc38.x86_64.rpm).

As per https://docs.aws.amazon.com/linux/al2023/ug/relationship-to-fedora.html

The Generally Available (GA) version of AL2023 isn't directly comparable to any specific Fedora release. The AL2023 GA version includes components from Fedora 34, 35, and 36. Some of the components are the same as the components in Fedora and some are modified. Other components more closely resemble the components in CentOS 9 Streams or were developed independently. The Amazon Linux kernel is sourced from the long-term support options that are on kernel.org, chosen independently from Fedora.

So it's not terribly unexpected that rebuilding packages from Fedora can work, while trying to install them directly is quite likely not to.

stewartsmith avatar May 23 '23 14:05 stewartsmith

Thank you @stewartsmith / @daniejstriata for your comment. I will update this topic soon...

Slapy06 avatar May 23 '23 14:05 Slapy06

Is there no way to install EPEL on Amazon Linux 2023?

emerchalegre-mk avatar Jun 05 '23 16:06 emerchalegre-mk

Is there no way to install EPEL on Amazon Linux 2023?

I don't think the issue is at that level: since they hacked a release which is not a direct descendant of any Red Hat release, EPEL would need to have dedicated builds for this distribution.

It doesn't look like they have even discussed the subject on the devel mailing list.

bplessis-swi avatar Jul 03 '23 16:07 bplessis-swi

Just wondering if the main reason is to boost their own VPN service?

waltercool avatar Jul 07 '23 04:07 waltercool

I can assure you this is not a factor in our decisions. This request is still under evaluation

ozbenh avatar Jul 07 '23 23:07 ozbenh

Just wondering if the main reason is to boost their own VPN service?

https://github.com/amazonlinux/amazon-linux-2023/issues/123 is the request to package the client for the AWS service, as it hasn't been packaged for Amazon Linux.

stewartsmith avatar Jul 08 '23 00:07 stewartsmith

Can we confirm the request is still under evaluation?

benpbolton avatar Sep 14 '23 21:09 benpbolton

I can confirm it's still under consideration, yes.

stewartsmith avatar Sep 14 '23 23:09 stewartsmith

@stewartsmith is strongswan still under consideration after libreswan was added with https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.3.20231218.html?

I would like to still use strongswan configurations but also get patches from Amazon.

margussipria avatar Mar 13 '24 13:03 margussipria

Strongswan is vital to our business; the AWS managed service(s) do not support our use cases, including the features already mentioned here. Of course, extending the feature set of the managed services would be the best, including NAT, EIPs, etc.

terhosiikanen-nexi avatar Apr 05 '24 07:04 terhosiikanen-nexi

Is libreswan not sufficient for your use case?

ozbenh avatar Apr 15 '24 02:04 ozbenh

Is libreswan not sufficient for your use case?

We are currently evaluating if the other side of the connection is able to change certain parameters, which would make libreswan a viable option.

terhosiikanen-nexi avatar Apr 16 '24 04:04 terhosiikanen-nexi

Unfortunately we were unable to get Libreswan working with some of our partners using IKEv2 + left subnet space defined by the right side + SNAT. We tried pretty much every combination of Libreswan parameters as well as PREROUTING and POSTROUTING setups to no avail.

We simply didn't receive any responses back to our UDP-encapsulated ESP packets, even though after debug-decrypting them the packets looked exactly the same as with Strongswan (using tcpdump and Wireshark). Strongswan worked fine straight out of the box.

Libreswan worked fine with some of the simpler setups, though, but we don't want to run two different clients.

terhosiikanen-nexi avatar Apr 25 '24 09:04 terhosiikanen-nexi