Multiple StrongSwan vulnerabilities (CVE-2026-35328 to CVE-2026-35334) can crash your VPN via infinite loops. Learn how to check, patch, and automate fixes on SUSE/Debian. Includes iptables mitigation and affiliate resources.
On April 22, 2026, Debian published DSA-6227-1 fixing seven distinct vulnerabilities in StrongSwan (versions 5.9.8 and 6.0.1). While that date matters for patch history, the real story is this: StrongSwan – the most popular open-source IPsec VPN stack – had multiple crash vectors.
Why should you care months later? Because infinite loops and heap overflows in libtls, PKCS#7, and EAP-SIM/AKA handlers don’t expire. If you run a VPN gateway, a remote unauthenticated attacker can send a single malformed TLS "supported_versions" extension or a broken RADIUS attribute and kill your IKE daemon. No VPN = no remote access.
Let’s make this fix permanent in your runbooks.
1. How to Check If Your StrongSwan Is Vulnerable (SUSE & Debian)
Run these commands on any SUSE Linux Enterprise Server (SLES), openSUSE Leap, or Debian / Ubuntu system.
For SUSE (zypper based)
# Check installed version
zypper info strongswan | grep Version
# Compare with fixed versions:
#   SLES 15 SP5+       needs strongswan >= 5.9.8-150300.4.19.1
#   openSUSE Leap 15.5 needs strongswan >= 5.9.8-150300.4.19.1
# Quick check (safe: reads package metadata only, sends nothing to the daemon).
# Compare the package release with zypper's version comparator rather than
# grepping the upstream version: SUSE backports the fix and the build stays 5.9.8.
installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' strongswan)
if zypper versioncmp "$installed" 5.9.8-150300.4.19.1 | grep -q older; then
  echo "VULNERABLE: $installed is older than the fixed release"
else
  echo "Not obviously vulnerable ($installed); check manually"
fi
For Debian / Ubuntu (apt based)
apt show strongswan | grep Version
# Fixed versions:
#   Debian oldstable (bookworm): 5.9.8-5+deb12u4
#   Debian stable (trixie):      6.0.1-6+deb13u5
# Detection: compare the package version with the fixed one for this release
# via dpkg (the patched bookworm build still reports upstream 5.9.8).
. /etc/os-release
case "$VERSION_CODENAME" in
  bookworm) fixed=5.9.8-5+deb12u4 ;;
  trixie)   fixed=6.0.1-6+deb13u5 ;;
  *) echo "No fixed version listed for $VERSION_CODENAME; check manually"; exit 1 ;;
esac
dpkg --compare-versions "$(dpkg-query -W -f='${Version}' strongswan)" lt "$fixed" \
  && echo "VULNERABLE: Update now" || echo "Not obviously vulnerable, but check manually"
What to look for: any package version below 5.9.8-5+deb12u4 (Debian bookworm), 6.0.1-6+deb13u5 (Debian trixie), or 5.9.8-150300.4.19.1 (SLES 15 SP5+ / openSUSE Leap 15.5). Compare the full package version, not just the upstream number: a patched bookworm build still says 5.9.8.
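The checks above are per-distribution one-liners. As an added example (not code from the original post), here is a single portable checker that keys the fixed package versions quoted above by the ID and VERSION_ID fields of /etc/os-release and compares with the package manager's own ordering rules, so a backported build is judged correctly. The ID:VERSION_ID keying and the function names are this example's own conventions; only the fixed version strings come from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: decide "vulnerable or not" by
# comparing the installed package version with the fixed package version for
# this release instead of grepping the upstream version string.

# fixed_version_for ID:VERSION_ID -> fixed package version quoted in the post,
# or exit status 1 when no fixed version is listed for that release
fixed_version_for() {
    case "$1" in
        debian:12)              echo "5.9.8-5+deb12u4" ;;        # bookworm
        debian:13)              echo "6.0.1-6+deb13u5" ;;        # trixie
        sles:15.[5-9]|opensuse-leap:15.5)
                                echo "5.9.8-150300.4.19.1" ;;
        *)                      return 1 ;;
    esac
}

# version_lt A B -> exit 0 when A is older than B. Prefer dpkg's comparator
# (it knows the "+deb12u4" rules); fall back to GNU sort -V elsewhere.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# is_vulnerable INSTALLED ID:VERSION_ID -> 0 vulnerable, 1 patched, 2 unknown release
is_vulnerable() {
    fixed=$(fixed_version_for "$2") || return 2
    version_lt "$1" "$fixed"
}

# installed_version -> version of the strongswan package from dpkg or rpm
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' strongswan
    else
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' strongswan
    fi
}

main() {
    . /etc/os-release
    release="$ID:$VERSION_ID"
    installed=$(installed_version) || { echo "strongswan is not installed"; return 0; }
    rc=0
    is_vulnerable "$installed" "$release" || rc=$?
    case $rc in
        0) echo "VULNERABLE: $installed is older than $(fixed_version_for "$release")"; return 1 ;;
        1) echo "Patched: $installed (fixed: $(fixed_version_for "$release"))"; return 0 ;;
        *) echo "No fixed version listed for $release; check manually"; return 2 ;;
    esac
}

# Only act on the live host when asked, so the functions can be sourced and tested
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it on the gateway with `sh check-strongswan.sh --run`; exit status 1 means the installed package is older than the fixed one, 2 means the release is not in the table and you should compare against your vendor's advisory by hand.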
2. Automation Script to Apply the Fix (Works on Debian, SUSE, RHEL)
Save this as fix-strongswan.sh – it detects your distro and updates safely.
#!/bin/bash
# Evergreen StrongSwan patch script - covers CVE-2026-35328 through CVE-2026-35334
set -e

echo "Checking OS..."
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS="$ID"
else
    echo "Cannot detect OS"
    exit 1
fi

case "$OS" in
    debian|ubuntu)
        echo "Updating StrongSwan on Debian/Ubuntu..."
        sudo apt update
        sudo apt install --only-upgrade strongswan strongswan-swanctl strongswan-pki
        ;;
    sles|suse|opensuse-leap|opensuse-tumbleweed)   # SLES reports ID=sles
        echo "Updating StrongSwan on SUSE..."
        sudo zypper refresh
        sudo zypper update strongswan
        ;;
    rhel|centos|fedora)
        echo "Updating StrongSwan on RHEL/Fedora..."
        # Note: EPEL required for RHEL
        sudo dnf update strongswan
        ;;
    *)
        echo "Unsupported OS. Please update strongswan manually."
        exit 1
        ;;
esac

echo "Restarting strongswan..."
sudo systemctl restart strongswan
sudo systemctl status strongswan --no-pager

echo "Verification:"
# 'ipsec version' only exists with the legacy stroke tooling; swanctl is the 6.x default
swanctl --version 2>/dev/null || ipsec version
echo "If version >= fixed versions above, you're safe."
Make it executable and run:
chmod +x fix-strongswan.sh
sudo ./fix-strongswan.sh
3. Alternative Mitigation If You Can’t Update Now
You have a production VPN gateway that cannot restart right now. Use these immediate workarounds.
Option A: iptables Rules to Drop Malformed Packets
The infinite loop (CVE-2026-35328) triggers on a malformed TLS supported_versions extension (extension type 0x002b). You can try to drop IKE datagrams that contain that two-byte type at the firewall, with one caveat: the EAP-TLS handshake travels inside encrypted IKE_AUTH messages, so a packet filter cannot parse the extension itself, and the byte pair 00 2b will also occur by chance in legitimate encrypted payloads. Treat this as a stop-gap and watch what it matches with -j LOG before switching to DROP:
# Drop IKE packets containing the supported_versions extension id (port 500 and 4500 for IPsec)
# -m string takes --string literally (no \x escapes); raw bytes need --hex-string
iptables -A INPUT -p udp --dport 500  -m string --hex-string "|00 2b|" --algo bm -j DROP
iptables -A INPUT -p udp --dport 4500 -m string --hex-string "|00 2b|" --algo bm -j DROP
# Note: This is a heuristic. Test first with -j LOG.
Better: Rate-limit new IKE connections to reduce crash impact:
iptables -A INPUT -p udp --dport 500  -m connlimit --connlimit-above 20 -j DROP
iptables -A INPUT -p udp --dport 4500 -m connlimit --connlimit-above 20 -j DROP
Option B: Disable Vulnerable Plugins (Quickest)
Edit /etc/strongswan.conf and set load = no for the plugins you don't need. Simply commenting out a plugin name does nothing, since charon loads plugins unless told otherwise; the per-plugin load setting is what actually disables them:
charon {
    plugins {
        # Disable these if you don't need them
        pkcs7 {
            load = no
        }
        # EAP-SIM/AKA handlers (built on libsimaka; there is no plugin named "simaka")
        eap-sim {
            load = no
        }
        eap-aka {
            load = no
        }
        constraints {
            load = no
        }
        gmp {
            # use the openssl plugin instead
            load = no
        }
    }
}
Then restart: sudo systemctl restart strongswan
Option C: Enforce the AppArmor Profile
If your distribution ships an AppArmor profile for the daemon, put it in enforce mode and confirm it is active:
sudo aa-enforce /usr/sbin/strongswan
sudo aa-status | grep strongswan
4. Affiliate Resource: Why You Need This Book
IPSec Protocols and Deployment: Definitive Reference for Developers and Engineers by Richard Johnson - Amazon
Why it fits the CVE:
The vulnerabilities covered above (CVE-2026-35331, CVE-2026-35329) stem from improper handling of X.509 certificates and PKCS#7 containers. This book is the definitive reference for IPSec theory.
It teaches you how IKE and IPSec should work, which gives you the "baseline" knowledge to spot when a config is insecure.
Best for: Engineers who want to stop relying on copy-paste scripts.
Affiliate Justification: Helps debug the root cause of certificate validation failures.
Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.