diff --git a/0003-shared-utils-only-set-phase2alg-esp-for-ikev1-in-agg.patch b/0003-shared-utils-only-set-phase2alg-esp-for-ikev1-in-agg.patch
new file mode 100644
index 0000000..0eb9756
--- /dev/null
+++ b/0003-shared-utils-only-set-phase2alg-esp-for-ikev1-in-agg.patch
@@ -0,0 +1,69 @@
+From 43f3df676e827e343bae9455dc1eb82c5a805574 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani
+Date: Fri, 27 Jun 2025 18:21:51 +0200
+Subject: [PATCH] shared/utils: only set phase2alg/esp for ikev1 in aggressive
+ mode
+
+Commit f3c6f38f3be3 ("shared: make ipsec.conf formatting declarative")
+changed the logic to write option phase2alg/esp. Before the commit, it
+was automatically set to NM_LIBRESWAN_AGGRMODE_DEFAULT_ESP only for
+IKEv1 in aggressive mode ("leftid" set). After, the option is set for
+IKEv2. Restore the old behavior.
+
+Fixes: f3c6f38f3be3 ("shared: make ipsec.conf formatting declarative")
+Signed-off-by: Gris Ge
+---
+ shared/test-utils.c | 3 ---
+ shared/utils.c | 5 ++++-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/shared/test-utils.c b/shared/test-utils.c
+index 2dc4532..ec47fe5 100644
+--- a/shared/test-utils.c
++++ b/shared/test-utils.c
+@@ -103,7 +103,6 @@ test_config_write (void)
+ " leftmodecfgclient=yes\n"
+ " rightsubnet=0.0.0.0/0\n"
+ " rekey=yes\n"
+- " phase2alg=aes256-sha1\n"
+ " keyingtries=1\n"
+ " rightmodecfgserver=yes\n"
+ " modecfgpull=yes\n");
+@@ -127,7 +126,6 @@ test_config_write (void)
+ " leftmodecfgclient=yes\n"
+ " rightsubnet=0.0.0.0/0\n"
+ " rekey=yes\n"
+- " phase2alg=aes256-sha1\n"
+ " keyingtries=1\n"
+ " rightmodecfgserver=yes\n"
+ " modecfgpull=yes\n");
+@@ -372,7 +370,6 @@ test_config_read (void)
+ " leftmodecfgclient=yes\n"
+ " rightsubnet=0.0.0.0/0\n"
+ " rekey=yes\n"
+- " phase2alg=aes256-sha1\n"
+ " keyingtries=1\n"
+ " rightmodecfgserver=yes\n"
+ " modecfgpull=yes\n",
+diff --git a/shared/utils.c b/shared/utils.c
+index 9c33315..a2e5b9a 100644
+--- a/shared/utils.c
++++ b/shared/utils.c
+@@ -223,10 +223,13 @@ add_ike (NMSettingVpn *s_vpn, const char *key, const char *val)
+ static void
+ add_phase2alg (NMSettingVpn *s_vpn, const char *key, const char *val)
+ {
++ const char *leftid;
++
+ if (val == NULL || val[0] == '\0')
+ val = nm_setting_vpn_get_data_item (s_vpn, 
NM_LIBRESWAN_KEY_ESP); + if (val == NULL || val[0] == '\0') { +- if (nm_libreswan_utils_setting_is_ikev2 (s_vpn)) ++ leftid = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTID); ++ if (!nm_libreswan_utils_setting_is_ikev2 (s_vpn) && leftid && leftid[0] != '\0') + val = NM_LIBRESWAN_AGGRMODE_DEFAULT_ESP; + } + nm_setting_vpn_add_data_item (s_vpn, key, val); +-- +2.50.0 + diff --git a/NetworkManager-libreswan.spec b/NetworkManager-libreswan.spec index cd80dfe..731548b 100644 --- a/NetworkManager-libreswan.spec +++ b/NetworkManager-libreswan.spec @@ -11,7 +11,7 @@ %global real_version 1.2.26 %global rpm_version 1.2.26 -%global release_version 2 +%global release_version 3 %global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p') @@ -29,6 +29,7 @@ Source0: https://download.gnome.org/sources/NetworkManager-libreswan/%{real_ve Patch0: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/commit/3ea80883fefc.patch#/0001-Add-nm-auto-defaults-option.patch Patch1: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/commit/9b4467bd226d.patch#/0002-Treat-leftmodecfgserver-differently-according-to-nm-.patch +Patch2: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/commit/43f3df676e82.patch#/0003-shared-utils-only-set-phase2alg-esp-for-ikev1-in-agg.patch BuildRequires: make BuildRequires: gcc @@ -130,6 +131,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la %endif %changelog +* Tue Jul 01 2025 Gris Ge - 1.2.26-3 +- Fix regression on phase2alg/esp for IKEv1 (RHEL-85768) + * Mon May 12 2025 Lubomir Rintel - 1.2.26-2 - Add support for nm-auto-defaults (RHEL-85768)
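Review bot: In the shared/utils.c part of the added patch, add_phase2alg() now recognises IKEv1 aggressive mode only through a non-empty `leftid`, and the code carries no comment saying so; adding `/* IKEv1 aggressive mode (leftid set): apply the default ESP proposal; any other case gets no default */` above the `if` would keep a later refactor from widening the default to IKEv2 again. The test-utils.c hunks only delete the `phase2alg=aes256-sha1` expectation, so unless a case outside these hunks covers IKEv1 with `leftid` set, the branch that still writes NM_LIBRESWAN_AGGRMODE_DEFAULT_ESP has no visible test. When neither a configured value nor the default applies, `val` reaches nm_setting_vpn_add_data_item() as NULL or empty, which presumably leaves the key unset; that is worth confirming against the libnm version the package builds with. The closing brace of add_phase2alg() lies outside the hunk.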