.NetworkManager-libreswan.metadata

@@ -1 +1 @@
-a3ec22a8e76f3358d9f69dc505d22267e936dbae SOURCES/NetworkManager-libreswan-1.2.10.tar.xz
+705a4dded50d26bd005bb68ea851f79453ea4252 SOURCES/NetworkManager-libreswan-1.2.14.tar.xz

.gitignore

@@ -1 +1 @@
-SOURCES/NetworkManager-libreswan-1.2.10.tar.xz
+SOURCES/NetworkManager-libreswan-1.2.14.tar.xz

SOURCES/0002-properties-set-advanced-dialog-modal.patch

@@ -1,26 +0,0 @@
-From eaf501ab7cb732a152097d2af5636b03fd3f029d Mon Sep 17 00:00:00 2001
-From: Francesco Giudici <fgiudici@redhat.com>
-Date: Mon, 15 Apr 2019 14:51:26 +0200
-Subject: [PATCH] properties: set advanced dialog modal
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1697329
----
- properties/nm-libreswan-dialog.ui | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui
-index 73522d4..e355c08 100644
---- a/properties/nm-libreswan-dialog.ui
-+++ b/properties/nm-libreswan-dialog.ui
-@@ -451,6 +451,8 @@
-     <property name="can_focus">False</property>
-     <property name="border_width">12</property>
-     <property name="title" translatable="yes">IPsec Advanced Options</property>
-+    <property name="modal">True</property>
-+    <property name="destroy_with_parent">True</property>
-     <property name="type_hint">dialog</property>
-     <child internal-child="vbox">
-       <object class="GtkBox" id="dialog-vbox1">
--- 
-2.20.1
-

SOURCES/service-properties-add-support-for-leftmodecfgclient.patch

@@ -0,0 +1,450 @@
+From 0f0b2d375901e302e8a619e3911321f511b52885 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Tue, 9 Jan 2024 23:30:42 +0100
+Subject: [PATCH 1/5] service,properties: add support for leftmodecfgclient
+
+Previously the plugin always set leftmodecfgclient=yes, which is used
+for roaming clients to obtain a dynamic IP. In a server-to-server
+scenario we don't want that option; allow omitting it by passing
+leftmodecfgclient=no. It's somehow confusing that the new option has
+the opposite default value than Libreswan, but that's the only way to
+keep backwards compatibility for existing configurations.
+---
+ properties/nm-libreswan-dialog.ui       | 26 +++++++++++++++++++++++++
+ properties/nm-libreswan-editor-plugin.c |  2 ++
+ properties/nm-libreswan-editor.c        |  9 +++++++++
+ shared/nm-service-defines.h             |  1 +
+ shared/utils.c                          |  8 +++++++-
+ src/nm-libreswan-service.c              |  1 +
+ 6 files changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
+index b5c0d9e..89243cc 100644
+--- a/properties/nm-libreswan-editor-plugin.c
++++ b/properties/nm-libreswan-editor-plugin.c
+@@ -186,6 +186,8 @@ import_from_file (NMVpnEditorPlugin *self,
+ 			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTUSERNAME, &str[13]);
+ 		else if (g_str_has_prefix (str, "leftcert="))
+ 			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT, &str[9]);
++		else if (nm_streq0 (str, "leftmodecfgclient=no"))
++			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, "no");
+ 		else if (g_str_has_prefix (str, "pfs=no"))
+ 			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_PFS, "no");
+ 		else if (g_str_has_prefix (str, "cisco-unity=yes"))
+diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
+index 3fdf2ef..14170ad 100644
+--- a/shared/nm-service-defines.h
++++ b/shared/nm-service-defines.h
+@@ -41,6 +41,7 @@
+ #define NM_LIBRESWAN_KEY_LEFTID                     "leftid"
+ #define NM_LIBRESWAN_KEY_LEFTRSASIGKEY              "leftrsasigkey"
+ #define NM_LIBRESWAN_KEY_LEFTCERT                   "leftcert"
++#define NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT          "leftmodecfgclient"
+ #define NM_LIBRESWAN_KEY_AUTHBY                     "authby"
+ #define NM_LIBRESWAN_KEY_PSK_VALUE                  "pskvalue"
+ #define NM_LIBRESWAN_KEY_PSK_INPUT_MODES            "pskinputmodes"
+diff --git a/shared/utils.c b/shared/utils.c
+index cbc117c..0bac9e6 100644
+--- a/shared/utils.c
++++ b/shared/utils.c
+@@ -191,7 +191,13 @@ nm_libreswan_config_write (gint fd,
+ 	else
+ 		WRITE_CHECK (fd, debug_write_fcn, error, " left=%%defaultroute");
+ 
+-	WRITE_CHECK (fd, debug_write_fcn, error, " leftmodecfgclient=yes");
++	item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT);
++	if (nm_streq0 (item, "no")) {
++		WRITE_CHECK (fd, debug_write_fcn, error, " leftmodecfgclient=no");
++	} else {
++		WRITE_CHECK (fd, debug_write_fcn, error, " leftmodecfgclient=yes");
++	}
++
+ 	if (leftupdown_script)
+ 		WRITE_CHECK (fd, debug_write_fcn, error, " leftupdown=%s", leftupdown_script);
+ 
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index fc470a6..874f767 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -256,6 +256,7 @@ static ValidProperty valid_properties[] = {
+ 	{ NM_LIBRESWAN_KEY_LEFTUSERNAME,               G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_LEFTRSASIGKEY,              G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_LEFTCERT,                   G_TYPE_STRING, 0, 0 },
++	{ NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT,          G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_AUTHBY,                     G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_DOMAIN,                     G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_DHGROUP,                    G_TYPE_STRING, 0, 0 },
+-- 
+GitLab
+
+
+From 09ee8838162cb6ea097375fb7d8b698566bb1c4d Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 10 Jan 2024 09:29:50 +0100
+Subject: [PATCH 2/5] service: use new API to send configuration to NM
+
+Instead of emitting the "Ip4Config" signal that contains both generic
+and IPv4 configurations, use the more recent API and send two signals:
+"Config" for the generic configuration and "Ip4Config" for IPv4
+configuration.
+
+In this way, it will be possible in the next commit to return no IPv4
+configuration at all.
+---
+ src/nm-libreswan-service.c | 61 +++++++++++++++++++++++++-------------
+ 1 file changed, 40 insertions(+), 21 deletions(-)
+
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index 874f767..2aca78f 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -1270,16 +1270,14 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 		goto out;
+ 	}
+ 
++	/* First build and send the generic config */
+ 	g_variant_builder_init (&config, G_VARIANT_TYPE_VARDICT);
+ 
+-	/* Right peer (or Gateway) */
+-	val = addr4_to_gvariant (lookup_string (env, "PLUTO_PEER"));
+-	if (val)
+-		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_GATEWAY, val);
+-	else {
+-		_LOGW ("IPsec/Pluto Right Peer (VPN Gateway)");
+-		goto out;
+-	}
++	/*
++	 * Enabled address families
++	 */
++	g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP4, g_variant_new_boolean (TRUE));
++	g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP6, g_variant_new_boolean (FALSE));
+ 
+ 	/*
+ 	 * Tunnel device
+@@ -1290,15 +1288,43 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 	} else {
+ 		val = g_variant_new_string (NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV_NONE);
+ 	}
++	g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_CONFIG_TUNDEV, val);
++
++	/* Banner */
++	val = str_to_gvariant (lookup_string (env, "PLUTO_PEER_BANNER"), TRUE);
++	if (val)
++		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_CONFIG_BANNER, val);
++
++	/* Right peer (or Gateway) */
++	val = addr4_to_gvariant (lookup_string (env, "PLUTO_PEER"));
++	if (val)
++		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY, val);
++	else {
++		_LOGW ("IPsec/Pluto Right Peer (VPN Gateway) is missing");
++		goto out;
++	}
++
++	nm_vpn_service_plugin_set_config (NM_VPN_SERVICE_PLUGIN (user_data),
++	                                  g_variant_builder_end (&config));
+ 
+-	g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
++	/* Then build and send the IPv4 config */
++	g_variant_builder_init (&config, G_VARIANT_TYPE_VARDICT);
++
++	/* Right peer (or Gateway) */
++	val = addr4_to_gvariant (lookup_string (env, "PLUTO_PEER"));
++	if (val)
++		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_GATEWAY, val);
++	else {
++		_LOGW ("IPsec/Pluto Right Peer (VPN Gateway) is missing");
++		goto out;
++	}
+ 
+ 	/* IP address */
+ 	val = addr4_to_gvariant (lookup_string (env, "PLUTO_MY_SOURCEIP"));
+ 	if (val)
+ 		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
+ 	else {
+-		_LOGW ("IP4 Address");
++		_LOGW ("IP4 Address is missing");
+ 		goto out;
+ 	}
+ 
+@@ -1307,7 +1333,7 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 	if (val)
+ 		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PTP, val);
+ 	else {
+-		_LOGW ("IP4 PTP Address");
++		_LOGW ("IP4 PTP Address is missing");
+ 		goto out;
+ 	}
+ 
+@@ -1324,7 +1350,6 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 	if (val)
+ 		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
+ 
+-
+ 	/* Default domain */
+ 	val = str_to_gvariant (lookup_string (env, "PLUTO_CISCO_DOMAIN_INFO"), TRUE);
+ 	if (!val) {
+@@ -1334,11 +1359,6 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 	if (val)
+ 		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DOMAIN, val);
+ 
+-	/* Banner */
+-	val = str_to_gvariant (lookup_string (env, "PLUTO_PEER_BANNER"), TRUE);
+-	if (val)
+-		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_BANNER, val);
+-
+ 	/* Indicates whether the VPN is using a XFRM interface (via option ipsec-interface=) */
+ 	is_xfrmi = nm_streq0 (lookup_string (env, "PLUTO_XFRMI_ROUTE"), "yes");
+ 
+@@ -1369,12 +1389,11 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT, g_variant_new_boolean (TRUE));
+ 
+ 	success = TRUE;
++	nm_vpn_service_plugin_set_ip4_config (NM_VPN_SERVICE_PLUGIN (user_data),
++	                                      g_variant_builder_end (&config));
+ 
+ out:
+-	if (success) {
+-		nm_vpn_service_plugin_set_ip4_config (NM_VPN_SERVICE_PLUGIN (user_data),
+-		                                      g_variant_builder_end (&config));
+-	} else {
++	if (!success) {
+ 		connect_failed (NM_LIBRESWAN_PLUGIN (user_data), NULL,
+ 		                NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
+ 	}
+-- 
+GitLab
+
+
+From 74ec0f7dc18939dd4a5992584527ab044b284fc0 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 10 Jan 2024 09:31:48 +0100
+Subject: [PATCH 3/5] service: don't send IPv4 config if mode config client is
+ disabled
+
+If the mode config client is disabled (i.e. in server-to-server
+scenario) we are not going to receive a dynamic IP. The IP address
+already configured on the existing interface is enough.
+---
+ src/nm-libreswan-service.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index 2aca78f..12cf6f2 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -1253,6 +1253,7 @@ handle_callback (NMDBusLibreswanHelper *object,
+                  gpointer user_data)
+ {
+ 	NMLibreswanPluginPrivate *priv = NM_LIBRESWAN_PLUGIN_GET_PRIVATE (user_data);
++	NMSettingVpn *s_vpn;
+ 	GVariantBuilder config;
+ 	GVariantBuilder builder;
+ 	GVariant *val;
+@@ -1260,7 +1261,9 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 	guint i;
+ 	const char *verb;
+ 	const char *virt_if;
++	const char *str;
+ 	gboolean is_xfrmi = FALSE;
++	gboolean has_ip4;
+ 
+ 	_LOGI ("Configuration from the helper received.");
+ 
+@@ -1273,10 +1276,21 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 	/* First build and send the generic config */
+ 	g_variant_builder_init (&config, G_VARIANT_TYPE_VARDICT);
+ 
++	if (   priv->connection
++	    && (s_vpn = nm_connection_get_setting_vpn (priv->connection))
++	    && (str = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT))
++	    && nm_streq (str, "no")) {
++		has_ip4 = FALSE;
++	} else {
++		has_ip4 = TRUE;
++	}
++
++	_LOGD ("Configuration has IPv4: %d", has_ip4);
++
+ 	/*
+ 	 * Enabled address families
+ 	 */
+-	g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP4, g_variant_new_boolean (TRUE));
++	g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP4, g_variant_new_boolean (has_ip4));
+ 	g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP6, g_variant_new_boolean (FALSE));
+ 
+ 	/*
+@@ -1306,6 +1320,10 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 
+ 	nm_vpn_service_plugin_set_config (NM_VPN_SERVICE_PLUGIN (user_data),
+ 	                                  g_variant_builder_end (&config));
++	if (!has_ip4) {
++		success = TRUE;
++		goto out;
++	}
+ 
+ 	/* Then build and send the IPv4 config */
+ 	g_variant_builder_init (&config, G_VARIANT_TYPE_VARDICT);
+-- 
+GitLab
+
+
+From 8ceb901719acac3778e1d76779d9c14289185157 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Sat, 13 Jan 2024 18:10:02 +0100
+Subject: [PATCH 4/5] service: fix wrong refcounting in D-Bus handler for
+ Callback()
+
+The Callback() D-Bus method is handled via a GDBus-generated skeleton
+code in nm-libreswan-helper-service-dbus.c, function
+_nmdbus_libreswan_helper_skeleton_handle_method_call(). The function
+emits signal "handle-callback" to let the program handle the incoming
+method. As documented in the GDoc comments, the signal handler must
+return TRUE if it handles the call.
+
+```
+  /**
+   * NMDBusLibreswanHelper::handle-callback:
+   * @object: A #NMDBusLibreswanHelper.
+   * @invocation: A #GDBusMethodInvocation.
+   * @arg_environment: Argument passed by remote caller.
+
+   * Signal emitted when a remote caller is invoking the Callback()
+     D-Bus method.
+
+   * If a signal handler returns %TRUE, it means the signal handler
+     will handle the invocation (e.g. take a reference to @invocation
+     and eventually call nmdbus_libreswan_helper_complete_callback()
+     or e.g. g_dbus_method_invocation_return_error() on it) and no
+     other signal handlers will run. If no signal handler handles the
+     invocation, the %G_DBUS_ERROR_UNKNOWN_METHOD error is returned.
+
+   * Returns: %G_DBUS_METHOD_INVOCATION_HANDLED or %TRUE if the
+     invocation was handled, %G_DBUS_METHOD_INVOCATION_UNHANDLED or
+     %FALSE to let other signal handlers run.
+   */
+```
+
+At the moment, in case of error the handler first calls
+nmdbus_libreswan_helper_complete_callback() which decreases the
+refcount of "invocation", and then returns FALSE which tells the
+skeleton code to return an error, also unreferencing the
+invocation. This causes a crash.
+
+Since the G_DBUS_METHOD_INVOCATION_HANDLED alias for TRUE is only
+available since GLib 2.68 (while we target 2.36), just return TRUE.
+
+Fixes: acb9eb9de50b ('service: process the configuration in the service, not the helper')
+---
+ src/nm-libreswan-service.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index 12cf6f2..0d5c4b8 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -1417,7 +1417,8 @@ out:
+ 	}
+ 
+ 	nmdbus_libreswan_helper_complete_callback (object, invocation);
+-	return success;
++
++	return TRUE;
+ }
+ 
+ /****************************************************************/
+-- 
+GitLab
+
+
+From b4ba2add64bd9d362fe2e66748f23449f072216b Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Mon, 15 Jan 2024 13:23:45 +0100
+Subject: [PATCH 5/5] service,properties: support type, hostaddrfamily,
+ clientaddrfamily
+
+Add support for:
+ - type
+ - hostaddrfamily
+ - clientaddrfamily
+
+Since those are very advanced options, don't implement the GUI part
+for now.
+---
+ properties/nm-libreswan-editor-plugin.c |  6 ++++++
+ shared/nm-service-defines.h             |  3 +++
+ shared/utils.c                          | 12 ++++++++++++
+ src/nm-libreswan-service.c              |  3 +++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
+index 89243cc..fe85c81 100644
+--- a/properties/nm-libreswan-editor-plugin.c
++++ b/properties/nm-libreswan-editor-plugin.c
+@@ -210,6 +210,12 @@ import_from_file (NMVpnEditorPlugin *self,
+ 			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_IPSEC_INTERFACE, &str[16]);
+ 		else if (g_str_has_prefix (str, "authby="))
+ 			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_AUTHBY, &str[7]);
++		else if (g_str_has_prefix (str, "type="))
++			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_TYPE, str + NM_STRLEN("type="));
++		else if (g_str_has_prefix (str, "hostaddrfamily="))
++			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, str + NM_STRLEN("hostaddrfamily="));
++		else if (g_str_has_prefix (str, "clientaddrfamily="))
++			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, str + NM_STRLEN("clientaddrfamily="));
+ 		else if (g_str_has_prefix (str, "rightsubnet=")) {
+ 			if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
+ 				nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
+diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
+index 14170ad..95e19d4 100644
+--- a/shared/nm-service-defines.h
++++ b/shared/nm-service-defines.h
+@@ -68,6 +68,9 @@
+ #define NM_LIBRESWAN_KEY_FRAGMENTATION              "fragmentation"
+ #define NM_LIBRESWAN_KEY_MOBIKE                     "mobike"
+ #define NM_LIBRESWAN_KEY_IPSEC_INTERFACE            "ipsec-interface"
++#define NM_LIBRESWAN_KEY_TYPE                       "type"
++#define NM_LIBRESWAN_KEY_HOSTADDRFAMILY             "hostaddrfamily"
++#define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY           "clientaddrfamily"
+ 
+ #define NM_LIBRESWAN_IKEV2_NO      "no"
+ #define NM_LIBRESWAN_IKEV2_NEVER   "never"
+diff --git a/shared/utils.c b/shared/utils.c
+index 0bac9e6..9e616f8 100644
+--- a/shared/utils.c
++++ b/shared/utils.c
+@@ -325,6 +325,18 @@ nm_libreswan_config_write (gint fd,
+ 	if (item && strlen (item))
+ 		WRITE_CHECK (fd, debug_write_fcn, error, " ipsec-interface=%s", item);
+ 
++	item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_TYPE);
++	if (item && strlen (item))
++		WRITE_CHECK (fd, debug_write_fcn, error, " type=%s", item);
++
++	item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY);
++	if (item && strlen (item))
++		WRITE_CHECK (fd, debug_write_fcn, error, " hostaddrfamily=%s", item);
++
++	item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY);
++	if (item && strlen (item))
++		WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", item);
++
+ 	WRITE_CHECK (fd, debug_write_fcn, error, " nm-configured=yes");
+ 
+ 	WRITE_CHECK_NEWLINE (fd, trailing_newline, debug_write_fcn, error, " auto=add");
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index 0d5c4b8..7e96230 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -277,6 +277,9 @@ static ValidProperty valid_properties[] = {
+ 	{ NM_LIBRESWAN_KEY_FRAGMENTATION,              G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_MOBIKE,                     G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_IPSEC_INTERFACE,            G_TYPE_STRING, 0, 0 },
++	{ NM_LIBRESWAN_KEY_TYPE,                       G_TYPE_STRING, 0, 0 },
++	{ NM_LIBRESWAN_KEY_HOSTADDRFAMILY,             G_TYPE_STRING, 0, 0 },
++	{ NM_LIBRESWAN_KEY_CLIENTADDRFAMILY,           G_TYPE_STRING, 0, 0 },
+ 	/* Ignored option for internal use */
+ 	{ NM_LIBRESWAN_KEY_PSK_INPUT_MODES,            G_TYPE_NONE, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 },
+-- 
+GitLab
+

SOURCES/service-properties-support-DPD-parameters.patch

@@ -0,0 +1,425 @@
+From 6c35e460d393e73c478c7e885e875ea8c4918133 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Thu, 23 Nov 2023 14:13:59 +0100
+Subject: [PATCH 2/5] service,properties: support DPD parameters
+
+Add support for parameters related to Dead Peer Detection (DPD), a
+mechanism to check for reachability of IKE peers.
+---
+ man/nm-settings-libreswan.5.in          |  21 +++-
+ properties/nm-libreswan-editor-plugin.c |   6 +
+ shared/nm-service-defines.h             |   2 +
+ shared/utils.c                          |  13 +++
+ src/nm-libreswan-service.c              |   4 +-
+ 7 files changed, 239 insertions(+), 4 deletions(-)
+
+diff --git a/man/nm-settings-libreswan.5.in b/man/nm-settings-libreswan.5.in
+index 5a81d1b..79617af 100644
+--- a/man/nm-settings-libreswan.5.in
++++ b/man/nm-settings-libreswan.5.in
+@@ -85,7 +85,26 @@ ignored.
+ ignored.
+ .TP
+ .I "dpdtimeout"
+-ignored.
++the length of time that we will idle without hearing back from our peer. After
++this period has elapsed with no response and no traffic, we will declare the
++peer dead, and remove the SA. Set value bigger than dpddelay to enable. If
++dpdtimeout is set, dpddelay also needs to be set. Must be a number optionally
++followed by a time unit: 's' (seconds), 'm' (minutes), 'h', (hours) or 'd'
++(days); if the unit is not specified, it defaults to seconds. Corresponds to the
++Libreswan parameter of the same name.
++.TP
++.I "dpddelay"
++the delay between Dead Peer Detection (IKEv1 RFC 3706) or IKEv2 Liveness
++keepalives that are sent for this connection. Must be a number optionally
++followed by a time unit: 's' (seconds), 'm' (minutes), 'h', (hours) or 'd'
++(days); if the unit is not specified, it defaults to seconds. Corresponds to the
++Libreswan parameter of the same name.
++.TP
++.I "dpdaction"
++When a DPD enabled peer is declared dead, what action should be taken.  "hold"
++(default) means the eroute will be put into %hold status, while "clear" means
++the eroute and SA with both be cleared. "restart" means that ALL SAs to the dead
++peer will renegotiated. Corresponds to the Libreswan parameter of the same name.
+ .TP
+ .I "ike"
+ allowed ciphers to be negotiatied to establish the IKE SAs. Corresponds to the
+diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
+index af72425..428eb1c 100644
+--- a/properties/nm-libreswan-editor-plugin.c
++++ b/properties/nm-libreswan-editor-plugin.c
+@@ -198,6 +198,12 @@ import_from_file (NMVpnEditorPlugin *self,
+ 			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_FRAGMENTATION, &str[14]);
+ 		else if (g_str_has_prefix (str, "mobike="))
+ 			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_MOBIKE, &str[7]);
++		else if (g_str_has_prefix (str, "dpddelay="))
++			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDDELAY, &str[9]);
++		else if (g_str_has_prefix (str, "dpdtimeout="))
++			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDTIMEOUT, &str[11]);
++		else if (g_str_has_prefix (str, "dpdaction="))
++			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDACTION, &str[10]);
+ 		else if (g_str_has_prefix (str, "rightsubnet=")) {
+ 			if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
+ 				nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
+diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
+index a01a00f..c613fb7 100644
+--- a/shared/nm-service-defines.h
++++ b/shared/nm-service-defines.h
+@@ -52,6 +52,8 @@
+ #define NM_LIBRESWAN_KEY_PFS                        "pfs"
+ #define NM_LIBRESWAN_KEY_PFSGROUP                   "pfsgroup"
+ #define NM_LIBRESWAN_KEY_DPDTIMEOUT                 "dpdtimeout"
++#define NM_LIBRESWAN_KEY_DPDDELAY                   "dpddelay"
++#define NM_LIBRESWAN_KEY_DPDACTION                  "dpdaction"
+ #define NM_LIBRESWAN_KEY_IKE                        "ike"
+ #define NM_LIBRESWAN_KEY_ESP                        "esp"
+ #define NM_LIBRESWAN_KEY_IKELIFETIME                "ikelifetime"
+diff --git a/shared/utils.c b/shared/utils.c
+index 1d762cf..9c70437 100644
+--- a/shared/utils.c
++++ b/shared/utils.c
+@@ -118,6 +118,7 @@ nm_libreswan_config_write (gint fd,
+ 	const char *fragmentation;
+ 	const char *mobike;
+ 	const char *pfs;
++	const char *item;
+ 	gboolean is_ikev2 = FALSE;
+ 
+ 	g_return_val_if_fail (fd > 0, FALSE);
+@@ -297,6 +298,18 @@ nm_libreswan_config_write (gint fd,
+ 	if (mobike && strlen (mobike))
+ 		WRITE_CHECK (fd, debug_write_fcn, error, " mobike=%s", mobike);
+ 
++	item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDDELAY);
++	if (item && strlen (item))
++		WRITE_CHECK (fd, debug_write_fcn, error, " dpddelay=%s", item);
++
++	item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDTIMEOUT);
++	if (item && strlen (item))
++		WRITE_CHECK (fd, debug_write_fcn, error, " dpdtimeout=%s", item);
++
++	item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDACTION);
++	if (item && strlen (item))
++		WRITE_CHECK (fd, debug_write_fcn, error, " dpdaction=%s", item);
++
+ 	WRITE_CHECK (fd, debug_write_fcn, error, " nm-configured=yes");
+ 
+ 	WRITE_CHECK_NEWLINE (fd, trailing_newline, debug_write_fcn, error, " auto=add");
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index a101946..c1519d4 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -260,7 +260,9 @@ static ValidProperty valid_properties[] = {
+ 	{ NM_LIBRESWAN_KEY_DHGROUP,                    G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_PFS,                        G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_PFSGROUP,                   G_TYPE_STRING, 0, 0 },
+-	{ NM_LIBRESWAN_KEY_DPDTIMEOUT,                 G_TYPE_INT, 0, 86400 },
++	{ NM_LIBRESWAN_KEY_DPDACTION,                  G_TYPE_STRING, 0, 0 },
++	{ NM_LIBRESWAN_KEY_DPDDELAY,                   G_TYPE_STRING, 0, 0 },
++	{ NM_LIBRESWAN_KEY_DPDTIMEOUT,                 G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_IKE,                        G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_ESP,                        G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_IKELIFETIME,                G_TYPE_STRING, 0, 0 },
+-- 
+GitLab
+
+
+From f5e8bf1ebe17d13c49780647973dd742f40f112c Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Fri, 24 Nov 2023 16:27:18 +0100
+Subject: [PATCH 3/5] service,properties: support the "ipsec-interface" option
+
+Introduce a new option "ipsec-interface" to create a XFRM virtual
+interface for "Routing based VPNs" (as opposed to "Policy based
+VPNs").
+---
+ man/nm-settings-libreswan.5.in          |  7 +++
+ properties/nm-libreswan-editor-plugin.c |  2 +
+ shared/nm-service-defines.h             |  1 +
+ shared/utils.c                          |  4 ++
+ src/nm-libreswan-service.c              | 11 +++-
+ 7 files changed, 109 insertions(+), 3 deletions(-)
+
+diff --git a/man/nm-settings-libreswan.5.in b/man/nm-settings-libreswan.5.in
+index 79617af..8c3b59b 100644
+--- a/man/nm-settings-libreswan.5.in
++++ b/man/nm-settings-libreswan.5.in
+@@ -153,6 +153,13 @@ Matches the Libreswan parameter of the same name.
+ Allowed values are: 'yes' and 'no'.
+ Matches the Libreswan parameter of the same name.
+ .TP
++.I "ipsec-interface"
++If set, create or use an existing virtual interface ipsecXXX for "Routing based
++VPNs" (as opposed to "Policy based VPNs"). Valid options are 'yes', 'no' or a
++number. When using a number, the IPsec interface created and/or used will use
++that number as part of the interface name. Corresponds to the Libreswan
++parameter of the same name.
++.TP
+ .I "pskinputmodes"
+ where the 'pskvalue' can be retrieved. Used internally by the plugin. Allowed values are: 'unused', 'save', 'ask'.
+ .TP
+diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
+index 428eb1c..c0e6c81 100644
+--- a/properties/nm-libreswan-editor-plugin.c
++++ b/properties/nm-libreswan-editor-plugin.c
+@@ -204,6 +204,8 @@ import_from_file (NMVpnEditorPlugin *self,
+ 			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDTIMEOUT, &str[11]);
+ 		else if (g_str_has_prefix (str, "dpdaction="))
+ 			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDACTION, &str[10]);
++		else if (g_str_has_prefix (str, "ipsec-interface="))
++			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_IPSEC_INTERFACE, &str[16]);
+ 		else if (g_str_has_prefix (str, "rightsubnet=")) {
+ 			if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
+ 				nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
+diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
+index c613fb7..78193f2 100644
+--- a/shared/nm-service-defines.h
++++ b/shared/nm-service-defines.h
+@@ -65,6 +65,7 @@
+ #define NM_LIBRESWAN_KEY_REKEY                      "rekey"
+ #define NM_LIBRESWAN_KEY_FRAGMENTATION              "fragmentation"
+ #define NM_LIBRESWAN_KEY_MOBIKE                     "mobike"
++#define NM_LIBRESWAN_KEY_IPSEC_INTERFACE            "ipsec-interface"
+ 
+ #define NM_LIBRESWAN_IKEV2_NO      "no"
+ #define NM_LIBRESWAN_IKEV2_NEVER   "never"
+diff --git a/shared/utils.c b/shared/utils.c
+index 9c70437..1928b1b 100644
+--- a/shared/utils.c
++++ b/shared/utils.c
+@@ -310,6 +310,10 @@ nm_libreswan_config_write (gint fd,
+ 	if (item && strlen (item))
+ 		WRITE_CHECK (fd, debug_write_fcn, error, " dpdaction=%s", item);
+ 
++	item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_IPSEC_INTERFACE);
++	if (item && strlen (item))
++		WRITE_CHECK (fd, debug_write_fcn, error, " ipsec-interface=%s", item);
++
+ 	WRITE_CHECK (fd, debug_write_fcn, error, " nm-configured=yes");
+ 
+ 	WRITE_CHECK_NEWLINE (fd, trailing_newline, debug_write_fcn, error, " auto=add");
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index c1519d4..90a0488 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -274,6 +274,7 @@ static ValidProperty valid_properties[] = {
+ 	{ NM_LIBRESWAN_KEY_REKEY,                      G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_FRAGMENTATION,              G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_MOBIKE,                     G_TYPE_STRING, 0, 0 },
++	{ NM_LIBRESWAN_KEY_IPSEC_INTERFACE,            G_TYPE_STRING, 0, 0 },
+ 	/* Ignored option for internal use */
+ 	{ NM_LIBRESWAN_KEY_PSK_INPUT_MODES,            G_TYPE_NONE, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 },
+@@ -1252,6 +1253,7 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 	gboolean success = FALSE;
+ 	guint i;
+ 	const char *verb;
++	const char *virt_if;
+ 
+ 	_LOGI ("Configuration from the helper received.");
+ 
+@@ -1274,9 +1276,14 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 
+ 	/*
+ 	 * Tunnel device
+-	 * Indicate that this plugin doesn't use tun/tap device
+ 	 */
+-	val = g_variant_new_string (NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV_NONE);
++	virt_if = lookup_string (env, "PLUTO_VIRT_INTERFACE");
++	if (virt_if && !nm_streq (virt_if, "NULL")) {
++		val = g_variant_new_string (virt_if);
++	} else {
++		val = g_variant_new_string (NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV_NONE);
++	}
++
+ 	g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
+ 
+ 	/* IP address */
+-- 
+GitLab
+
+
+From aa14380637a3de20ce9a59abc8b927368b1ab926 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Tue, 28 Nov 2023 11:59:05 +0100
+Subject: [PATCH 4/5] service: ignore next hop in routed mode
+
+In routed mode, the traffic needs to be sent directly over the
+interface without a gateway.
+---
+ src/nm-libreswan-service.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index 90a0488..c5562d7 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -1197,7 +1197,7 @@ _take_route (GPtrArray *routes, GVariant *new, gboolean alive)
+ }
+ 
+ static void
+-handle_route (GPtrArray *routes, GVariant *env, gboolean alive)
++handle_route (GPtrArray *routes, GVariant *env, gboolean alive, gboolean is_xfrmi)
+ {
+ 	GVariantBuilder builder;
+ 	const gchar *net, *mask, *next_hop, *my_sourceip;
+@@ -1210,9 +1210,13 @@ handle_route (GPtrArray *routes, GVariant *env, gboolean alive)
+ 	next_hop = lookup_string (env, "PLUTO_NEXT_HOP");
+ 	my_sourceip = lookup_string (env, "PLUTO_MY_SOURCEIP");
+ 
++
+ 	if (!net || !mask || !next_hop || !my_sourceip)
+ 		return;
+ 
++	if (is_xfrmi)
++		next_hop = "0.0.0.0";
++
+ 	if (g_strcmp0 (net, "0.0.0.0") == 0 && g_strcmp0 (mask, "0")) {
+ 		g_variant_builder_init (&builder, G_VARIANT_TYPE ("au"));
+ 		g_variant_builder_add_value (&builder, addr4_to_gvariant ("0.0.0.0"));
+@@ -1254,6 +1258,7 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 	guint i;
+ 	const char *verb;
+ 	const char *virt_if;
++	gboolean is_xfrmi = FALSE;
+ 
+ 	_LOGI ("Configuration from the helper received.");
+ 
+@@ -1332,16 +1337,23 @@ handle_callback (NMDBusLibreswanHelper *object,
+ 	if (val)
+ 		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_BANNER, val);
+ 
++	/* Indicates whether the VPN is using a XFRM interface (via option ipsec-interface=) */
++	is_xfrmi = nm_streq0 (lookup_string (env, "PLUTO_XFRMI_ROUTE"), "yes");
+ 
+-	val = addr4_to_gvariant (lookup_string (env, "PLUTO_NEXT_HOP"));
+-	if (val)
+-		g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_INT_GATEWAY, val);
++	if (is_xfrmi) {
++		/* The traffic needs to be sent directly over the interface without a gateway.
++		 * Ignore the next hop. */
++	} else {
++		val = addr4_to_gvariant (lookup_string (env, "PLUTO_NEXT_HOP"));
++		if (val)
++			g_variant_builder_add (&config, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_INT_GATEWAY, val);
++	}
+ 
+ 	/* This route */
+ 	if (g_strcmp0 (verb, "route-client") == 0 || g_strcmp0 (verb, "route-host"))
+-		handle_route (priv->routes, env, TRUE);
++		handle_route (priv->routes, env, TRUE, is_xfrmi);
+ 	else if (g_strcmp0 (verb, "unroute-client") == 0 || g_strcmp0 (verb, "unroute-host"))
+-		handle_route (priv->routes, env, FALSE);
++		handle_route (priv->routes, env, FALSE, is_xfrmi);
+ 
+ 	/* Routes */
+ 	g_variant_builder_init (&builder, G_VARIANT_TYPE ("aau"));
+-- 
+GitLab
+
+
+From 320b9daa2369cf2f76504544dc071911e2802421 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Thu, 30 Nov 2023 16:45:15 +0100
+Subject: [PATCH 5/5] service,properties: support the "authby" option
+
+Add support for the "authby" option, used to specify the mutual
+authentication mechanism.
+---
+ man/nm-settings-libreswan.5.in          |  4 +++
+ properties/nm-libreswan-editor-plugin.c |  2 ++
+ shared/nm-service-defines.h             |  1 +
+ shared/utils.c                          |  9 ++++--
+ src/nm-libreswan-service.c              |  1 +
+ 7 files changed, 62 insertions(+), 2 deletions(-)
+
+diff --git a/man/nm-settings-libreswan.5.in b/man/nm-settings-libreswan.5.in
+index 8c3b59b..b421986 100644
+--- a/man/nm-settings-libreswan.5.in
++++ b/man/nm-settings-libreswan.5.in
+@@ -56,6 +56,10 @@ parameter of the same name.
+ specifies the remote's public key for RSA authentication.
+ When the 'leftcert' key is defined a default value of "%cert" is assumed.
+ .TP
++.I "authby"
++How the two security gateways should authenticate each other. Corresponds to the
++Libreswan parameter of the same name.
++.TP
+ .I "left"
+ contains the local address that should be used during IKE negotiation. If not specified, the value
+ "%defaultroute" is assumed. Corresponds to the Libreswan parameter of the same name.
+diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
+index c0e6c81..b5c0d9e 100644
+--- a/properties/nm-libreswan-editor-plugin.c
++++ b/properties/nm-libreswan-editor-plugin.c
+@@ -206,6 +206,8 @@ import_from_file (NMVpnEditorPlugin *self,
+ 			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDACTION, &str[10]);
+ 		else if (g_str_has_prefix (str, "ipsec-interface="))
+ 			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_IPSEC_INTERFACE, &str[16]);
++		else if (g_str_has_prefix (str, "authby="))
++			nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_AUTHBY, &str[7]);
+ 		else if (g_str_has_prefix (str, "rightsubnet=")) {
+ 			if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
+ 				nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
+diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
+index 78193f2..3fdf2ef 100644
+--- a/shared/nm-service-defines.h
++++ b/shared/nm-service-defines.h
+@@ -41,6 +41,7 @@
+ #define NM_LIBRESWAN_KEY_LEFTID                     "leftid"
+ #define NM_LIBRESWAN_KEY_LEFTRSASIGKEY              "leftrsasigkey"
+ #define NM_LIBRESWAN_KEY_LEFTCERT                   "leftcert"
++#define NM_LIBRESWAN_KEY_AUTHBY                     "authby"
+ #define NM_LIBRESWAN_KEY_PSK_VALUE                  "pskvalue"
+ #define NM_LIBRESWAN_KEY_PSK_INPUT_MODES            "pskinputmodes"
+ #define NM_LIBRESWAN_KEY_LEFTXAUTHUSER              "leftxauthusername"
+diff --git a/shared/utils.c b/shared/utils.c
+index 1928b1b..cbc117c 100644
+--- a/shared/utils.c
++++ b/shared/utils.c
+@@ -110,6 +110,7 @@ nm_libreswan_config_write (gint fd,
+ 	const char *leftcert;
+ 	const char *leftrsasigkey;
+ 	const char *rightrsasigkey;
++	const char *authby;
+ 	const char *remote_network;
+ 	const char *ikev2 = NULL;
+ 	const char *rightid;
+@@ -164,6 +165,7 @@ nm_libreswan_config_write (gint fd,
+ 	leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY);
+ 	rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY);
+ 	leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT);
++	authby = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_AUTHBY);
+ 	if (leftcert && strlen (leftcert)) {
+ 		WRITE_CHECK (fd, debug_write_fcn, error, " leftcert=%s", leftcert);
+ 		if (!leftrsasigkey)
+@@ -175,8 +177,11 @@ nm_libreswan_config_write (gint fd,
+ 		WRITE_CHECK (fd, debug_write_fcn, error, " leftrsasigkey=%s", leftrsasigkey);
+ 	if (rightrsasigkey && strlen (rightrsasigkey))
+ 		WRITE_CHECK (fd, debug_write_fcn, error, " rightrsasigkey=%s", rightrsasigkey);
+-	if (   !(leftrsasigkey && strlen (leftrsasigkey))
+-	    && !(rightrsasigkey && strlen (rightrsasigkey))) {
++
++	if (authby && strlen (authby)) {
++		WRITE_CHECK (fd, debug_write_fcn, error, " authby=%s", authby);
++	} else if (   !(leftrsasigkey && strlen (leftrsasigkey))
++	           && !(rightrsasigkey && strlen (rightrsasigkey))) {
+ 		WRITE_CHECK (fd, debug_write_fcn, error, " authby=secret");
+ 	}
+ 
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index c5562d7..fc470a6 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -256,6 +256,7 @@ static ValidProperty valid_properties[] = {
+ 	{ NM_LIBRESWAN_KEY_LEFTUSERNAME,               G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_LEFTRSASIGKEY,              G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_LEFTCERT,                   G_TYPE_STRING, 0, 0 },
++	{ NM_LIBRESWAN_KEY_AUTHBY,                     G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_DOMAIN,                     G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_DHGROUP,                    G_TYPE_STRING, 0, 0 },
+ 	{ NM_LIBRESWAN_KEY_PFS,                        G_TYPE_STRING, 0, 0 },
+-- 
+GitLab
+

SPECS/NetworkManager-libreswan.spec

@@ -1,24 +1,35 @@
 %if 0%{?fedora} < 28 && 0%{?rhel} < 8
 %bcond_without libnm_glib
 %else
-# Disable the legacy version by default
 %bcond_with libnm_glib
 %endif
 
-%global nm_version        1:1.2.0
+%global real_version     1.2.14
-%global nma_version       1.2.0
+%global rpm_version      1.2.14
+%global release_version  3
+
+%global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p')
+
+%global nm_version       1:1.2.0
+%global nma_version      1.2.0
+
 
 Summary:   NetworkManager VPN plug-in for IPsec VPN
 Name:      NetworkManager-libreswan
-Version:   1.2.10
+Version:   %{rpm_version}
-Release:   4%{?dist}
+Release:   %{release_version}%{?dist}.alma.1
 License:   GPLv2+
 URL:       http://www.gnome.org/projects/NetworkManager/
-Group:     System Environment/Base
+Source0:   https://download.gnome.org/sources/NetworkManager-libreswan/%{real_version_major}/%{name}-%{real_version}.tar.xz
-Source0:   https://download.gnome.org/sources/NetworkManager-libreswan/1.2/%{name}-%{version}.tar.xz
-Patch0:    0001-po-import-translations-from-Red-Hat-translators.patch
-Patch1:    0002-properties-set-advanced-dialog-modal.patch
 
+# Patches were taken from:
+# https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/merge_requests/25
+Patch1: service-properties-support-DPD-parameters.patch
+# https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/merge_requests/27
+Patch2: service-properties-add-support-for-leftmodecfgclient.patch
+
+BuildRequires: make
+BuildRequires:  gcc
 BuildRequires: gtk3-devel
 BuildRequires: libnl3-devel
 BuildRequires: NetworkManager-libnm-devel >= %{nm_version}
@@ -43,13 +54,14 @@ Obsoletes: NetworkManager-openswan < %{version}-%{release}
 %global __provides_exclude ^(%{_privatelibs})$
 %global __requires_exclude ^(%{_privatelibs})$
 
+
 %description
 This package contains software for integrating the libreswan VPN software
 with NetworkManager and the GNOME desktop
 
+
 %package -n NetworkManager-libreswan-gnome
 Summary: NetworkManager VPN plugin for libreswan - GNOME files
-Group:   System Environment/Base
 
 Requires: %{name}%{?_isa} = %{version}-%{release}
 Requires: shared-mime-info
@@ -61,8 +73,10 @@ Obsoletes: NetworkManager-openswan-gnome < %{version}-%{release}
 This package contains software for integrating VPN capabilities with
 the libreswan server with NetworkManager (GNOME files).
 
+
 %prep
-%autosetup -p1 -n %{name}-%{version}
+%autosetup -p1 -n "%{name}-%{real_version}"
+
 
 %build
 %configure \
@@ -74,18 +88,13 @@ the libreswan server with NetworkManager (GNOME files).
         --with-dist-version=%{version}-%{release}
 make %{?_smp_mflags}
 
+
 %install
 make install DESTDIR=%{buildroot}
 rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
 
 %find_lang %{name}
 
-%post
-update-desktop-database &> /dev/null || :
-
-%postun
-update-desktop-database &> /dev/null || :
-
 %files -f %{name}.lang
 %{_libdir}/NetworkManager/libnm-vpn-plugin-libreswan.so
 %{_sysconfdir}/dbus-1/system.d/nm-libreswan-service.conf
@@ -96,6 +105,7 @@ update-desktop-database &> /dev/null || :
 %doc AUTHORS ChangeLog NEWS
 %license COPYING
 
+
 %files -n NetworkManager-libreswan-gnome
 %{_libexecdir}/nm-libreswan-auth-dialog
 %{_libdir}/NetworkManager/libnm-vpn-plugin-libreswan-editor.so
@@ -108,31 +118,52 @@ update-desktop-database &> /dev/null || :
 %{_sysconfdir}/NetworkManager/VPN/nm-libreswan-service.name
 %endif
 
+
 %changelog
-* Tue Jul  9 2019 Francesco Giudici <fgiudici@redhat.com> - 1.2.10-4
+* Tue Jan 23 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.2.14-3.alma.1
-- Fix Gnome IPsec advanced options dialog (rh #1697329)
+- service,properties: add support for leftmodecfgclient
 
-* Mon Dec 10 2018 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-3
+* Wed Jan 03 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.2.14-2.alma.1
-- Update the translations (rh #1608329)
+- service,properties: support DPD parameters
 
-* Thu Oct 16 2018 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-2
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.14-1.3
-- Import the translations (rh #1608329)
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Mon Oct 15 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.10-1
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.14-1.2
-- Update to 1.2.10 release (rh #1637867)
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-- Fix import functionality (rh #1633174)
 
-* Wed Oct  3 2018 Beniamino Galvani <bgalvani@redhat.com> - 1.2.8-2
+* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.14-1.1
-- Rebuild with updated annobin (rh #1630605)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Mon Sep 17 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.8-1
+* Tue Jan 12 2021 Beniamino Galvani <bgalvani@redhat.com> - 1.2.14-1
-- Update to 1.2.8 release
+- Update to 1.2.14 release
 
-* Mon Aug 13 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.8-0.1
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.12-1.2
-- Update to latest development snapshot of NetworkManager-libreswan 1.2.8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-- Introduced IKEv2 support (rh #1557035)
+
-- Introduced support to more Libreswan properties (rh #1557035)
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.12-1.1
-- Updated translations
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jul 31 2019 Francesco Giudici <fgiudici@redhat.com> - 1.2.12-1
+- Updated to 1.2.12
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.10-1.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.10-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Oct 18 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.10-1
+- Updated to 1.2.10
+- Import latest translations from upstream
+
+* Wed Aug 22 2018 Paul Wouters <pwouters@redhat.com> - 1.2.6-1
+- Updated to 1.2.6
+- Upstream patches for IKEv2 support
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.4-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild