diff --git a/.gitignore b/.gitignore
index a1d30d3..373aff2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
 SOURCES/ikev1_dsa.fax.bz2
 SOURCES/ikev1_psk.fax.bz2
 SOURCES/ikev2.fax.bz2
-SOURCES/libreswan-3.32.tar.gz
+SOURCES/libreswan-4.3.tar.gz
diff --git a/.libreswan.metadata b/.libreswan.metadata
index 8a34fc6..2725d11 100644
--- a/.libreswan.metadata
+++ b/.libreswan.metadata
@@ -1,4 +1,4 @@
 b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
 861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
 fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
-d752c8df37c90733a01c24849d439733acd4e8f0 SOURCES/libreswan-3.32.tar.gz
+6f86811420df8873f43e8ff98f718f1aee5836f3 SOURCES/libreswan-4.3.tar.gz
diff --git a/SOURCES/libreswan-3.32-1544463-seccomp.patch b/SOURCES/libreswan-3.32-1544463-seccomp.patch
deleted file mode 100644
index 3b78fd2..0000000
--- a/SOURCES/libreswan-3.32-1544463-seccomp.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-diff -Naur libreswan-3.32-orig/programs/pluto/pluto_seccomp.c libreswan-3.32/programs/pluto/pluto_seccomp.c
---- libreswan-3.32-orig/programs/pluto/pluto_seccomp.c	2020-05-11 10:13:41.000000000 -0400
-+++ libreswan-3.32/programs/pluto/pluto_seccomp.c	2020-07-01 20:33:38.918685784 -0400
-@@ -59,6 +59,7 @@
- 
- 	/* needed for pluto and updown, not helpers */
- 	if (main) {
-+		LSW_SECCOMP_ADD(ctx, _llseek);
- 		LSW_SECCOMP_ADD(ctx, accept);
- 		LSW_SECCOMP_ADD(ctx, access);
- 		LSW_SECCOMP_ADD(ctx, bind);
-@@ -69,6 +70,7 @@
- 		LSW_SECCOMP_ADD(ctx, connect);
- 		LSW_SECCOMP_ADD(ctx, dup);
- 		LSW_SECCOMP_ADD(ctx, dup2);
-+		LSW_SECCOMP_ADD(ctx, dup3);
- 		LSW_SECCOMP_ADD(ctx, epoll_create);
- 		LSW_SECCOMP_ADD(ctx, epoll_ctl);
- 		LSW_SECCOMP_ADD(ctx, epoll_wait);
-@@ -85,7 +87,7 @@
- 		LSW_SECCOMP_ADD(ctx, getgid);
- 		LSW_SECCOMP_ADD(ctx, getgroups);
- 		LSW_SECCOMP_ADD(ctx, getpgrp);
--		LSW_SECCOMP_ADD(ctx, getpid);
-+		LSW_SECCOMP_ADD(ctx, getpgid);
- 		LSW_SECCOMP_ADD(ctx, getppid);
- 		LSW_SECCOMP_ADD(ctx, getrandom); /* for unbound */
- 		LSW_SECCOMP_ADD(ctx, getrlimit);
-@@ -102,10 +104,12 @@
- 		LSW_SECCOMP_ADD(ctx, pipe);
- 		LSW_SECCOMP_ADD(ctx, pipe2);
- 		LSW_SECCOMP_ADD(ctx, poll);
-+		LSW_SECCOMP_ADD(ctx, ppoll);
- 		LSW_SECCOMP_ADD(ctx, prctl);
- 		LSW_SECCOMP_ADD(ctx, pread64);
- 		LSW_SECCOMP_ADD(ctx, prlimit64);
- 		LSW_SECCOMP_ADD(ctx, readlink);
-+		LSW_SECCOMP_ADD(ctx, readlinkat);
- 		LSW_SECCOMP_ADD(ctx, recvfrom);
- 		LSW_SECCOMP_ADD(ctx, recvmsg);
- 		LSW_SECCOMP_ADD(ctx, select);
-@@ -126,6 +130,7 @@
- 	LSW_SECCOMP_ADD(ctx, arch_prctl);
- 	LSW_SECCOMP_ADD(ctx, exit_group);
- 	LSW_SECCOMP_ADD(ctx, exit);
-+	LSW_SECCOMP_ADD(ctx, getpid);
- 	LSW_SECCOMP_ADD(ctx, gettid);
- 	LSW_SECCOMP_ADD(ctx, gettimeofday);
- 	LSW_SECCOMP_ADD(ctx, fstat);
-@@ -139,6 +144,7 @@
- 	LSW_SECCOMP_ADD(ctx, rt_sigprocmask);
- 	LSW_SECCOMP_ADD(ctx, rt_sigreturn);
- 	LSW_SECCOMP_ADD(ctx, sched_setparam);
-+	LSW_SECCOMP_ADD(ctx, send);
- 	LSW_SECCOMP_ADD(ctx, sendto);
- 	LSW_SECCOMP_ADD(ctx, set_tid_address);
- 	LSW_SECCOMP_ADD(ctx, sigaltstack);
diff --git a/SOURCES/libreswan-3.32-1840212-nss-gcm.patch b/SOURCES/libreswan-3.32-1840212-nss-gcm.patch
deleted file mode 100644
index 5c47f71..0000000
--- a/SOURCES/libreswan-3.32-1840212-nss-gcm.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
---- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c	2020-05-11 10:13:41.000000000 -0400
-+++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c	2020-06-17 15:06:12.340210966 -0400
-@@ -16,6 +16,12 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
-+/*
-+ * Special advise from Bob Relyea - needs to go before any nss include
-+ *
-+ */
-+#define NSS_PKCS11_2_0_COMPAT 1
-+
- #include "lswlog.h"
- #include "lswnss.h"
- #include "prmem.h"
diff --git a/SOURCES/libreswan-3.32-1842597-accounting.patch b/SOURCES/libreswan-3.32-1842597-accounting.patch
deleted file mode 100644
index 7204372..0000000
--- a/SOURCES/libreswan-3.32-1842597-accounting.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
-index 28726cf82a..25ee52179a 100644
---- a/programs/pluto/kernel.c
-+++ b/programs/pluto/kernel.c
-@@ -600,8 +600,8 @@ bool fmt_common_shell_out(char *buf, size_t blen, const struct connection *c,
- 	 * true==inbound: inbound updates OUR_BYTES; !inbound updates
- 	 * PEER_BYTES.
- 	 */
--	bool outbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, false, NULL);
--	bool inbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, true, NULL);
-+	bool outbytes = st != NULL && get_sa_info(st, false, NULL);
-+	bool inbytes = st != NULL && get_sa_info(st, true, NULL);
- 	jambuf_t jambuf = array_as_jambuf(buf, blen);
- 	jam_common_shell_out(&jambuf, c, sr, st, inbytes, outbytes);
- 	return jambuf_ok(&jambuf);
diff --git a/SOURCES/libreswan-3.32-1847766-xfrmi.patch b/SOURCES/libreswan-3.32-1847766-xfrmi.patch
deleted file mode 100644
index f7b69ec..0000000
--- a/SOURCES/libreswan-3.32-1847766-xfrmi.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 790a79ba9f8f16532040d9c8a51a27c20e13c154
-Author: Paul Wouters <pwouters@redhat.com>
-Date:   Tue Jun 16 20:57:01 2020 -0400
-
-    pluto: find_pluto_xfrmi_interface() would only check first interface
-
-diff --git a/programs/pluto/kernel_xfrm_interface.c b/programs/pluto/kernel_xfrm_interface.c
-index 8fc27b727d..0dc1a7ec8c 100644
---- a/programs/pluto/kernel_xfrm_interface.c
-+++ b/programs/pluto/kernel_xfrm_interface.c
-@@ -586,9 +586,10 @@ static struct pluto_xfrmi *find_pluto_xfrmi_interface(uint32_t if_id)
- 	struct pluto_xfrmi *ret = NULL;
- 
- 	for (h = pluto_xfrm_interfaces;  h != NULL; h = h->next) {
--		if (h->if_id == if_id)
--		ret = h;
--		break;
-+		if (h->if_id == if_id) {
-+			ret = h;
-+			break;
-+		}
- 	}
- 
- 	return ret;
diff --git a/SOURCES/libreswan-3.32-1880466-labeled-ipsec.patch b/SOURCES/libreswan-3.32-1880466-labeled-ipsec.patch
deleted file mode 100644
index fe22d8d..0000000
--- a/SOURCES/libreswan-3.32-1880466-labeled-ipsec.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff -Naur libreswan-3.32-orig/lib/libipsecconf/starterwhack.c libreswan-3.32/lib/libipsecconf/starterwhack.c
---- libreswan-3.32-orig/lib/libipsecconf/starterwhack.c	2020-05-11 10:13:41.000000000 -0400
-+++ libreswan-3.32/lib/libipsecconf/starterwhack.c	2020-09-24 10:01:14.275131341 -0400
-@@ -663,7 +663,7 @@
- #endif
- 
- #ifdef HAVE_LABELED_IPSEC
--	if (conn->options_set[KSCF_POLICY_LABEL]) {
-+	if (conn->strings_set[KSCF_POLICY_LABEL]) {
- 		msg.policy_label = conn->policy_label;
- 		starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" policy_label=%s",
- 			conn->name, msg.policy_label);
-diff -Naur libreswan-3.32-orig/programs/pluto/ikev1_spdb_struct.c libreswan-3.32/programs/pluto/ikev1_spdb_struct.c
---- libreswan-3.32-orig/programs/pluto/ikev1_spdb_struct.c	2020-05-11 10:13:41.000000000 -0400
-+++ libreswan-3.32/programs/pluto/ikev1_spdb_struct.c	2020-09-24 10:01:31.996278599 -0400
-@@ -59,8 +59,7 @@
- #include "nat_traversal.h"
- 
- 
--#ifndef USE_LABELED_IPSEC
--
-+#ifndef HAVE_LABELED_IPSEC
- static bool parse_secctx_attr(pb_stream *pbs UNUSED, struct state *st UNUSED)
- {
- 	/*
diff --git a/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch b/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch
deleted file mode 100644
index 423e871..0000000
--- a/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-diff -Naur libreswan-3.32rc1-orig/lib/libipsecconf/confread.c libreswan-3.32rc1/lib/libipsecconf/confread.c
---- libreswan-3.32rc1-orig/lib/libipsecconf/confread.c	2020-04-28 22:27:20.000000000 -0400
-+++ libreswan-3.32rc1/lib/libipsecconf/confread.c	2020-04-30 13:41:18.612751661 -0400
-@@ -1332,13 +1332,16 @@
- 
- 		switch (conn->options[KNCF_IKEv2]) {
- 		case fo_never:
--		case fo_permit:
- 			conn->policy |= POLICY_IKEV1_ALLOW;
- 			/* clear any inherited default */
- 			conn->policy &= ~POLICY_IKEV2_ALLOW;
- 			break;
--
-+		case fo_permit:
-+			starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
-+			return TRUE;
- 		case fo_propose:
-+			starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
-+			return TRUE;
- 		case fo_insist:
- 			conn->policy |= POLICY_IKEV2_ALLOW;
- 			/* clear any inherited default */
-diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml
---- libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml	2020-04-28 22:27:20.000000000 -0400
-+++ libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml	2020-04-30 13:45:14.847694267 -0400
-@@ -1,15 +1,15 @@
-   <varlistentry>
-   <term><emphasis remap='B'>ikev2</emphasis></term>
-   <listitem>
--<para>Whether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) settings to be used.
--Currently the accepted values are <emphasis remap='B'>no</emphasis>(the default),
--signifying only IKEv1 is accepted, or <emphasis remap='B'>yes</emphasis>,
-+<para>Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol.
-+Currently the accepted values are <emphasis remap='B'>no</emphasis> (or <emphasis remap='B'>never</emphasis>)
-+signifying only IKEv1 is accepted, or <emphasis remap='B'>insist</emphasis>(the default),
- signifying only IKEv2 is accepted. Previous versions allowed the keywords
--<emphasis remap='B'>propose</emphasis> or <emphasis remap='B'>permit</emphasis>
--that would allow either IKEv1 or IKEv2, but this is no longer supported. The
--permit option is interpreted as no and the propose option is interpreted as
--yes. Older versions also supported keyword
--<emphasis remap='B'>insist</emphasis> which is now interpreted as yes.
-+<emphasis remap='B'>propose</emphasis>, <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>permit</emphasis>
-+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options
-+now cause the connection to fail to load. <emphasis remap='B'>WARNING:</emphasis> This behaviour differs from upstream
-+libreswan, which only accepts <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>no</emphasis> where yes means
-+the same as insist.
- </para>
-   </listitem>
-   </varlistentry>
-diff -Naur libreswan-3.32rc1-orig/programs/whack/whack.c libreswan-3.32rc1/programs/whack/whack.c
---- libreswan-3.32rc1-orig/programs/whack/whack.c	2020-04-28 22:27:20.000000000 -0400
-+++ libreswan-3.32rc1/programs/whack/whack.c	2020-04-30 13:41:18.615751749 -0400
-@@ -775,7 +775,7 @@
- 
- 	PS("ikev1-allow", IKEV1_ALLOW),
- 	PS("ikev2-allow", IKEV2_ALLOW),
--	PS("ikev2-propose", IKEV2_ALLOW), /* map onto allow */
-+	/* not in RHEL8 PS("ikev2-propose", IKEV2_ALLOW),*/
- 
- 	PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
- #ifdef XAUTH_HAVE_PAM
-@@ -1737,7 +1737,7 @@
- 
- 		/* --ikev1-allow */
- 		case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX:
--		/* --ikev2-allow (now also --ikev2-propose) */
-+		/* --ikev2-allow */
- 		case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX:
- 
- 		/* --allow-narrowing */
diff --git a/SOURCES/libreswan-3.32-rebase-fixups.patch b/SOURCES/libreswan-3.32-rebase-fixups.patch
deleted file mode 100644
index a3199a5..0000000
--- a/SOURCES/libreswan-3.32-rebase-fixups.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff -Naur libreswan-3.32-orig/lib/libipsecconf/interfaces.c libreswan-3.32/lib/libipsecconf/interfaces.c
---- libreswan-3.32-orig/lib/libipsecconf/interfaces.c	2020-05-11 10:13:41.000000000 -0400
-+++ libreswan-3.32/lib/libipsecconf/interfaces.c	2020-06-04 18:51:39.508280352 -0400
-@@ -71,7 +71,11 @@
- 		if (sa->sa.sa_family == af) {
- 			/* XXX: sizeof right? */
- 			ip_endpoint nhe;
--			happy(sockaddr_to_endpoint(sa, sizeof(*sa), &nhe));
-+			err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &nhe);
-+			if (e != NULL) {
-+			 	pexpect(e != NULL);
-+				return false;
-+			}
- 			pexpect(endpoint_hport(&nhe) == 0);
- 			*nh = endpoint_address(&nhe);
- 		}
-@@ -84,7 +88,11 @@
- 		if (sa->sa.sa_family == af) {
- 			/* XXX: sizeof right? */
- 			ip_endpoint dste;
--			happy(sockaddr_to_endpoint(sa, sizeof(*sa), &dste));
-+			err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &dste);
-+			if (e != NULL) {
-+			 	pexpect(e != NULL);
-+				return false;
-+			}
- 			pexpect(endpoint_hport(&dste) == 0);
- 			*dst = endpoint_address(&dste);
- 		}
-diff -Naur libreswan-3.32-orig/lib/libswan/ip_endpoint.c libreswan-3.32/lib/libswan/ip_endpoint.c
---- libreswan-3.32-orig/lib/libswan/ip_endpoint.c	2020-05-11 10:13:41.000000000 -0400
-+++ libreswan-3.32/lib/libswan/ip_endpoint.c	2020-06-04 18:51:39.508280352 -0400
-@@ -54,20 +54,12 @@
- 	switch (sa->sa.sa_family) {
- 	case AF_INET:
- 	{
--		/* XXX: to strict? */
--		if (sa_len != sizeof(sa->sin)) {
--			return "wrong length";
--		}
- 		address = address_from_in_addr(&sa->sin.sin_addr);
- 		port = ntohs(sa->sin.sin_port);
- 		break;
- 	}
- 	case AF_INET6:
- 	{
--		/* XXX: to strict? */
--		if (sa_len != sizeof(sa->sin6)) {
--			return "wrong length";
--		}
- 		address = address_from_in6_addr(&sa->sin6.sin6_addr);
- 		port = ntohs(sa->sin6.sin6_port);
- 		break;
diff --git a/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch b/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch
new file mode 100644
index 0000000..539dcd1
--- /dev/null
+++ b/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch
@@ -0,0 +1,123 @@
+diff -Naur libreswan-4.2-orig/lib/libipsecconf/keywords.c libreswan-4.2/lib/libipsecconf/keywords.c
+--- libreswan-4.2-orig/lib/libipsecconf/keywords.c	2021-02-02 20:36:01.000000000 -0500
++++ libreswan-4.2/lib/libipsecconf/keywords.c	2021-02-04 19:22:05.880228930 -0500
+@@ -374,6 +374,8 @@
+   { "interfaces",  kv_config,  kt_string,  KSF_INTERFACES, NULL, NULL, },
+   { "curl-iface",  kv_config,  kt_string,  KSF_CURLIFACE, NULL, NULL, },
+   { "curl-timeout",  kv_config,  kt_time,  KBF_CURLTIMEOUT, NULL, NULL, },
++  { "curl_iface",  kv_config | kv_alias,  kt_string,  KSF_CURLIFACE, NULL, NULL, },  /* obsolete _ */
++  { "curl_timeout",  kv_config | kv_alias,  kt_time,  KBF_CURLTIMEOUT, NULL, NULL, },  /* obsolete _ */
+ 
+   { "myvendorid",  kv_config,  kt_string,  KSF_MYVENDORID, NULL, NULL, },
+   { "syslog",  kv_config,  kt_string,  KSF_SYSLOG, NULL, NULL, },
+@@ -381,6 +383,7 @@
+   { "logfile",  kv_config,  kt_filename,  KSF_LOGFILE, NULL, NULL, },
+   { "plutostderrlog",  kv_config,  kt_filename,  KSF_LOGFILE, NULL, NULL, }, /* obsolete name, but very common :/ */
+   { "logtime",  kv_config,  kt_bool,  KBF_LOGTIME, NULL, NULL, },
++  { "plutostderrlogtime",  kv_config | kv_alias,  kt_bool,  KBF_LOGTIME, NULL, NULL, },  /* obsolete */
+   { "logappend",  kv_config,  kt_bool,  KBF_LOGAPPEND, NULL, NULL, },
+   { "logip",  kv_config,  kt_bool,  KBF_LOGIP, NULL, NULL, },
+   { "audit-log",  kv_config,  kt_bool,  KBF_AUDIT_LOG, NULL, NULL, },
+@@ -400,13 +403,20 @@
+   { "global-redirect-to", kv_config, kt_string, KSF_GLOBAL_REDIRECT_TO, NULL, NULL, },
+ 
+   { "crl-strict",  kv_config,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },
++  { "crl_strict",  kv_config | kv_alias,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },  /* obsolete _ */
+   { "crlcheckinterval",  kv_config,  kt_time,  KBF_CRL_CHECKINTERVAL, NULL, NULL, },
++  { "strictcrlpolicy",  kv_config | kv_alias,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },  /* obsolete; used on openswan */
+ 
+   { "ocsp-strict",  kv_config,  kt_bool,  KBF_OCSP_STRICT, NULL, NULL, },
++  { "ocsp_strict",  kv_config | kv_alias,  kt_bool,  KBF_OCSP_STRICT, NULL, NULL, },  /* obsolete _ */
+   { "ocsp-enable",  kv_config,  kt_bool,  KBF_OCSP_ENABLE, NULL, NULL, },
++  { "ocsp_enable",  kv_config | kv_alias,  kt_bool,  KBF_OCSP_ENABLE, NULL, NULL, },  /* obsolete _ */
+   { "ocsp-uri",  kv_config,  kt_string,  KSF_OCSP_URI, NULL, NULL, },
++  { "ocsp_uri",  kv_config | kv_alias,  kt_string,  KSF_OCSP_URI, NULL, NULL, },  /* obsolete _ */
+   { "ocsp-timeout",  kv_config,  kt_number,  KBF_OCSP_TIMEOUT, NULL, NULL, },
++  { "ocsp_timeout",  kv_config | kv_alias,  kt_number,  KBF_OCSP_TIMEOUT, NULL, NULL, },  /* obsolete _ */
+   { "ocsp-trustname",  kv_config,  kt_string,  KSF_OCSP_TRUSTNAME, NULL, NULL, },
++  { "ocsp_trust_name",  kv_config | kv_alias,  kt_string,  KSF_OCSP_TRUSTNAME, NULL, NULL, },  /* obsolete _ */
+   { "ocsp-cache-size",  kv_config,  kt_number,  KBF_OCSP_CACHE_SIZE, NULL, NULL, },
+   { "ocsp-cache-min-age",  kv_config,  kt_time,  KBF_OCSP_CACHE_MIN, NULL, NULL, },
+   { "ocsp-cache-max-age",  kv_config,  kt_time,  KBF_OCSP_CACHE_MAX, NULL, NULL, },
+@@ -426,6 +436,7 @@
+   { "virtual_private",  kv_config,  kt_string,  KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */
+   { "seedbits",  kv_config,  kt_number,  KBF_SEEDBITS, NULL, NULL, },
+   { "keep-alive",  kv_config,  kt_number,  KBF_KEEPALIVE, NULL, NULL, },
++  { "keep_alive",  kv_config | kv_alias,  kt_number,  KBF_KEEPALIVE, NULL, NULL, },  /* obsolete _ */
+ 
+   { "listen-tcp", kv_config, kt_bool, KBF_LISTEN_TCP, NULL, NULL },
+   { "listen-udp", kv_config, kt_bool, KBF_LISTEN_UDP, NULL, NULL },
+@@ -437,6 +448,8 @@
+ #ifdef HAVE_LABELED_IPSEC
+   { "ikev1-secctx-attr-type",  kv_config,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete: not a value, a type */
+   { "secctx-attr-type",  kv_config | kv_alias,  kt_number,  KBF_SECCTX, NULL, NULL, },
++  { "secctx_attr_value",  kv_config | kv_alias,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete _ */
++  { "secctx-attr-value",  kv_config,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete: not a value, a type */
+ #endif
+ 
+   /* these options are obsoleted (and not old aliases) */
+@@ -467,6 +480,7 @@
+   { "username",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, },
+   /* xauthusername is still used in NetworkManager-libreswan :/ */
+   { "xauthusername",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, }, /* old alias */
++  { "xauthname",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, }, /* old alias */
+   { "addresspool",  kv_conn | kv_leftright,  kt_range,  KSCF_ADDRESSPOOL, NULL, NULL, },
+   { "auth",  kv_conn | kv_leftright, kt_enum,  KNCF_AUTH,  &kw_authby_lr_list, NULL, },
+   { "cat",  kv_conn | kv_leftright,  kt_bool,  KNCF_CAT, NULL, NULL, },
+@@ -489,6 +503,8 @@
+   { "esn",  kv_conn | kv_processed,  kt_enum,  KNCF_ESN,  &kw_esn_list, NULL, },
+   { "decap-dscp",  kv_conn | kv_processed,  kt_bool,  KNCF_DECAP_DSCP,  NULL, NULL, },
+   { "nopmtudisc",  kv_conn | kv_processed,  kt_bool,  KNCF_NOPMTUDISC,  NULL, NULL, },
++  { "ike_frag",  kv_conn | kv_processed | kv_alias,  kt_enum,  KNCF_IKE_FRAG,  &kw_ynf_list, NULL, },  /* obsolete _ */
++  { "ike-frag",  kv_conn | kv_processed | kv_alias,  kt_enum,  KNCF_IKE_FRAG,  &kw_ynf_list, NULL, },  /* obsolete name */
+   { "fragmentation",  kv_conn | kv_processed,  kt_enum,  KNCF_IKE_FRAG,  &kw_ynf_list, NULL, },
+   { "mobike",  kv_conn,  kt_bool,  KNCF_MOBIKE, NULL, NULL, },
+   { "narrowing",  kv_conn,  kt_bool,  KNCF_IKEv2_ALLOW_NARROWING, NULL, NULL, },
+@@ -499,13 +515,18 @@
+   { "accept-redirect-to",  kv_conn,  kt_string, KSCF_ACCEPT_REDIRECT_TO, NULL, NULL, },
+   { "pfs",  kv_conn,  kt_bool,  KNCF_PFS, NULL, NULL, },
+ 
++  { "nat_keepalive",  kv_conn | kv_alias,  kt_bool,  KNCF_NAT_KEEPALIVE, NULL, NULL, },  /* obsolete _ */
+   { "nat-keepalive",  kv_conn,  kt_bool,  KNCF_NAT_KEEPALIVE, NULL, NULL, },
+ 
++  { "initial_contact",  kv_conn | kv_alias,  kt_bool,  KNCF_INITIAL_CONTACT, NULL, NULL, },  /* obsolete _ */
+   { "initial-contact",  kv_conn,  kt_bool,  KNCF_INITIAL_CONTACT, NULL, NULL, },
++  { "cisco_unity",  kv_conn | kv_alias,  kt_bool,  KNCF_CISCO_UNITY, NULL, NULL, },  /* obsolete _ */
+   { "cisco-unity",  kv_conn,  kt_bool,  KNCF_CISCO_UNITY, NULL, NULL, },
+   { "send-no-esp-tfc",  kv_conn,  kt_bool,  KNCF_NO_ESP_TFC, NULL, NULL, },
+   { "fake-strongswan",  kv_conn,  kt_bool,  KNCF_VID_STRONGSWAN, NULL, NULL, },
++  { "send_vendorid",  kv_conn | kv_alias,  kt_bool,  KNCF_SEND_VENDORID, NULL, NULL, },  /* obsolete _ */
+   { "send-vendorid",  kv_conn,  kt_bool,  KNCF_SEND_VENDORID, NULL, NULL, },
++  { "sha2_truncbug",  kv_conn | kv_alias,  kt_bool,  KNCF_SHA2_TRUNCBUG, NULL, NULL, },  /* obsolete _ */
+   { "sha2-truncbug",  kv_conn,  kt_bool,  KNCF_SHA2_TRUNCBUG, NULL, NULL, },
+   { "ms-dh-downgrade",  kv_conn,  kt_bool,  KNCF_MSDH_DOWNGRADE, NULL, NULL, },
+   { "require-id-on-certificate",  kv_conn,  kt_bool,  KNCF_SAN_ON_CERT, NULL, NULL, },
+@@ -520,7 +541,10 @@
+   {"ikepad",  kv_conn,  kt_bool,  KNCF_IKEPAD, NULL, NULL, },
+   { "nat-ikev1-method",  kv_conn | kv_processed,  kt_enum,  KNCF_IKEV1_NATT,  &kw_ikev1natt_list, NULL, },
+ 
++  { "labeled_ipsec",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
++  { "labeled-ipsec",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+   { "policy-label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
++  { "policy_label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
+   { "sec-label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* really stored into struct end */
+ 
+   /* Cisco interop: remote peer type */
+@@ -531,13 +555,17 @@
+   /* Network Manager support */
+ #ifdef HAVE_NM
+   { "nm-configured",  kv_conn,  kt_bool,  KNCF_NMCONFIGURED, NULL, NULL, },
++  { "nm_configured",  kv_conn,  kt_bool,  KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */
+ #endif
+ 
+   { "xauthby",  kv_conn,  kt_enum,  KNCF_XAUTHBY,  &kw_xauthby, NULL, },
+   { "xauthfail",  kv_conn,  kt_enum,  KNCF_XAUTHFAIL,  &kw_xauthfail, NULL, },
+   { "modecfgpull",  kv_conn,  kt_invertbool,  KNCF_MODECONFIGPULL, NULL, NULL, },
+   { "modecfgdns",  kv_conn,  kt_string,  KSCF_MODECFGDNS, NULL, NULL, },
++  { "modecfgdns1",  kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */
++  { "modecfgdns2",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+   { "modecfgdomains",  kv_conn,  kt_string,  KSCF_MODECFGDOMAINS, NULL, NULL, },
++  { "modecfgdomain",  kv_conn | kv_alias,  kt_string,  KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */
+   { "modecfgbanner",  kv_conn,  kt_string,  KSCF_MODECFGBANNER, NULL, NULL, },
+   { "ignore-peer-dns",  kv_conn,  kt_bool,  KNCF_IGNORE_PEER_DNS, NULL, NULL, },
+   { "mark",  kv_conn,  kt_string,  KSCF_CONN_MARK_BOTH, NULL, NULL, },
diff --git a/SOURCES/libreswan-4.3-1934186-config.patch b/SOURCES/libreswan-4.3-1934186-config.patch
new file mode 100644
index 0000000..022fb47
--- /dev/null
+++ b/SOURCES/libreswan-4.3-1934186-config.patch
@@ -0,0 +1,11 @@
+diff -Naur libreswan-4.3-orig/configs/ipsec.conf.in libreswan-4.3/configs/ipsec.conf.in
+--- libreswan-4.3-orig/configs/ipsec.conf.in	2021-03-04 14:29:50.591912834 -0500
++++ libreswan-4.3/configs/ipsec.conf.in	2021-03-04 14:30:27.227389433 -0500
+@@ -32,6 +32,7 @@
+ 	# listen-tcp=yes
+ 	# To enable IKE and IPsec over TCP for VPN client, also specify
+ 	# tcp-remote-port=4500 in the client's conn section.
++	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
+ 
+ # if it exists, include system wide crypto-policy defaults
+ # include /etc/crypto-policies/back-ends/libreswan.config
diff --git a/SOURCES/libreswan-4.3-ikev2-tcp.patch b/SOURCES/libreswan-4.3-ikev2-tcp.patch
new file mode 100644
index 0000000..ffc8428
--- /dev/null
+++ b/SOURCES/libreswan-4.3-ikev2-tcp.patch
@@ -0,0 +1,146 @@
+commit 9a69641b34675de26c3989082795ab97325db55c
+Author: Paul Wouters <pwouters@redhat.com>
+Date:   Mon Mar 1 14:57:31 2021 -0500
+
+    IKEv2: Fix TCP socket to have IP_XFRM_POLICY sockopt set.
+    
+    Without this, transport mode or host-to-host will not properly work
+    on a number of kernels, such as RHEL8 4.18.0-291.el8.x86_64
+    
+    Reported by: Sabrina Dubroca <sdubroca@redhat.com>
+
+diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c
+index 9a66343f3f..3b4f57d07d 100644
+--- a/programs/pluto/iface_tcp.c
++++ b/programs/pluto/iface_tcp.c
+@@ -52,6 +52,16 @@
+ #include "nat_traversal.h"	/* for nat_traversal_enabled which seems like a broken idea */
+ #include "pluto_stats.h"
+ 
++/* work around weird combo's of glibc and kernel header conflicts */
++#ifndef GLIBC_KERN_FLIP_HEADERS
++# include "linux/xfrm.h" /* local (if configured) or system copy */
++# include "libreswan.h"
++#else
++# include "libreswan.h"
++# include "linux/xfrm.h" /* local (if configured) or system copy */
++#endif
++
++
+ static void accept_ike_in_tcp_cb(struct evconnlistener *evcon UNUSED,
+ 				 int accepted_fd,
+ 				 struct sockaddr *sockaddr, int sockaddr_len,
+@@ -383,6 +393,8 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
+ 	struct logger from_logger = logger_from(&global_logger, &ifp->iketcp_remote_endpoint);
+ 	struct logger *logger = &from_logger;
+ 
++	bool v6 = ifp->ip_dev->id_address.version == 6;
++
+ 	switch (ifp->iketcp_state) {
+ 
+ 	case IKETCP_OPEN:
+@@ -443,7 +455,19 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
+ 		if (impair.tcp_skip_setsockopt_espintcp) {
+ 			llog(RC_LOG, logger, "IMPAIR: TCP: skipping setsockopt(ESPINTCP)");
+ 		} else {
++			struct xfrm_userpolicy_info policy_in = {
++				.action = XFRM_POLICY_ALLOW,
++				.sel.family = v6 ? AF_INET6 :AF_INET,
++				.dir = XFRM_POLICY_IN,
++			};
++			struct xfrm_userpolicy_info policy_out = {
++				.action = XFRM_POLICY_ALLOW,
++				.sel.family = v6 ? AF_INET6 :AF_INET,
++				.dir = XFRM_POLICY_OUT,
++			};
++
+ 			dbg("TCP: OPEN: socket %d enabling ESPINTCP", ifp->fd);
++
+ 			if (setsockopt(ifp->fd, IPPROTO_TCP, TCP_ULP,
+ 				      "espintcp", sizeof("espintcp"))) {
+ 				int e = errno;
+@@ -459,6 +483,24 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
+ 				free_any_iface_endpoint(&ifp);
+ 				return;
+ 			}
++
++			if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) {
++				int e = errno;
++				llog(RC_LOG, logger,
++					    "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_in\") failed; closing socket "PRI_ERRNO,
++					    ifp->fd, pri_errno(e));
++				free_any_iface_endpoint(&ifp);
++				return;
++			}
++			if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) {
++				int e = errno;
++				llog(RC_LOG, logger,
++					    "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_out\") failed; closing socket "PRI_ERRNO,
++					    ifp->fd, pri_errno(e));
++				free_any_iface_endpoint(&ifp);
++				return;
++			}
++
+ 		}
+ 
+ 		/*
+@@ -650,6 +692,17 @@ stf_status create_tcp_interface(struct state *st)
+ 	if (impair.tcp_skip_setsockopt_espintcp) {
+ 		log_state(RC_LOG, st, "IMPAIR: TCP: skipping setsockopt(espintcp)");
+ 	} else {
++		bool v6 = st->st_remote_endpoint.version == 6;
++		struct xfrm_userpolicy_info policy_in = {
++			.action = XFRM_POLICY_ALLOW,
++			.sel.family = v6 ? AF_INET6 :AF_INET,
++			.dir = XFRM_POLICY_IN,
++		};
++		struct xfrm_userpolicy_info policy_out = {
++			.action = XFRM_POLICY_ALLOW,
++			.sel.family = v6 ? AF_INET6 :AF_INET,
++			.dir = XFRM_POLICY_OUT,
++		};
+ 		dbg("TCP: socket %d enabling \"espintcp\"", fd);
+ 		if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "espintcp", sizeof("espintcp"))) {
+ 			log_errno(st->st_logger, errno,
+@@ -657,6 +710,18 @@ stf_status create_tcp_interface(struct state *st)
+ 			close(fd);
+ 			return STF_FATAL;
+ 		}
++		if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) {
++			log_errno(st->st_logger, errno,
++				  "setsockopt(PPROTO_IP, IP_XFRM_POLICY(in)) failed in netlink_espintcp()");
++			close(fd);
++			return STF_FATAL;
++		}
++		if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) {
++			log_errno(st->st_logger, errno,
++				  "setsockopt(PPROTO_IP, IP_XFRM_POLICY(out)) failed in netlink_espintcp()");
++			close(fd);
++			return STF_FATAL;
++		}
+ 	}
+ 
+ 	struct iface_endpoint *ifp = alloc_thing(struct iface_endpoint, "TCP iface initiator");
+commit 7c38cd473d89b8c860ee7e3b8b31cfe012370f1d
+Author: Paul Wouters <pwouters@redhat.com>
+Date:   Mon Mar 1 15:09:16 2021 -0500
+
+    documentation: small TCP doc update in ipsec.conf.in
+
+diff --git a/configs/ipsec.conf.in b/configs/ipsec.conf.in
+index bb2cc16e64..9fa3300176 100644
+--- a/configs/ipsec.conf.in
++++ b/configs/ipsec.conf.in
+@@ -28,9 +28,10 @@ config setup
+ 	# dnssec-enable=no
+ 	#
+ 	# To enable IKE and IPsec over TCP for VPN server. Requires at least
+-	# Linux 5.7 kernel. For TCP support as a VPN client, specify
+-	# tcp-remote-port=4500 in the client conn section.
++	# Linux 5.7 kernel or a kernel with TCP backport (like RHEL8 4.18.0-291)
+ 	# listen-tcp=yes
++	# To enable IKE and IPsec over TCP for VPN client, also specify
++	# tcp-remote-port=4500 in the client's conn section.
+ 
+ # if it exists, include system wide crypto-policy defaults
+ # include /etc/crypto-policies/back-ends/libreswan.config
diff --git a/SOURCES/libreswan-4.3-labeled-ipsec.patch b/SOURCES/libreswan-4.3-labeled-ipsec.patch
new file mode 100644
index 0000000..9dd18f0
--- /dev/null
+++ b/SOURCES/libreswan-4.3-labeled-ipsec.patch
@@ -0,0 +1,191 @@
+diff -Naur libreswan-4.3-orig/programs/pluto/connections.c libreswan-4.3/programs/pluto/connections.c
+--- libreswan-4.3-orig/programs/pluto/connections.c	2021-02-21 12:03:03.000000000 -0500
++++ libreswan-4.3/programs/pluto/connections.c	2021-02-24 16:28:05.608119041 -0500
+@@ -2475,9 +2475,8 @@
+ 			    endpoint_in_selector(local_client, &sr->this.client) &&
+ 			    endpoint_in_selector(remote_client, &sr->that.client)
+ #ifdef HAVE_LABELED_IPSEC
+-			    && ((sec_label.ptr == NULL &&
+-			      sr->this.sec_label.ptr == NULL) ||
+-			     /* don't call with NULL, it confuses it */
++			    && ((sec_label.ptr == NULL && sr->this.sec_label.ptr == NULL) ||
++			     hunk_eq(sec_label, sr->this.sec_label) || 
+ 			     within_range((const char *)sec_label.ptr,
+ 					  (const char *)sr->this.sec_label.ptr, logger))
+ #endif
+diff -Naur libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c libreswan-4.3/programs/pluto/ikev1_spdb_struct.c
+--- libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c	2021-02-21 12:03:03.000000000 -0500
++++ libreswan-4.3/programs/pluto/ikev1_spdb_struct.c	2021-02-24 16:28:59.819791102 -0500
+@@ -113,7 +113,9 @@
+ 		return false;
+ 	}
+ 
+-	if (!within_range(sec_label.ptr, /* we ensured NUL termination above */
++
++	 if (!hunk_eq(sec_label, c->spd.this.sec_label) &&
++               !within_range(sec_label.ptr, /* we ensured NUL termination above */
+ 			  (const char *)c->spd.this.sec_label.ptr,  /* we ensured NUL termination earlier? */
+ 			  st->st_logger)) {
+ 		LLOG_JAMBUF(RC_LOG_SERIOUS, st->st_logger, buf) {
+diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_ts.c libreswan-4.3/programs/pluto/ikev2_ts.c
+--- libreswan-4.3-orig/programs/pluto/ikev2_ts.c	2021-02-21 12:03:03.000000000 -0500
++++ libreswan-4.3/programs/pluto/ikev2_ts.c	2021-02-24 16:30:19.639780631 -0500
+@@ -862,7 +862,8 @@
+ }
+ 
+ #ifdef HAVE_LABELED_IPSEC
+-static bool score_ends_seclabel(const struct ends *ends,
++static bool score_ends_seclabel(const chunk_t **selected_sec_label,
++				const struct ends *ends,
+ 				const struct connection *d,
+ 				const struct traffic_selectors *tsi,
+ 				const struct traffic_selectors *tsr,
+@@ -875,6 +876,10 @@
+ 	bool match_i = false;
+ 	bool match_r = false;
+ 
++	if (selected_sec_label != NULL) {
++		*selected_sec_label = NULL;
++	}
++
+ 	for (unsigned tsi_n = 0; tsi_n < tsi->nr; tsi_n++) {
+ 		const struct traffic_selector *cur = &tsi->ts[tsi_n];
+ 		if (cur->ts_type == IKEv2_TS_SECLABEL) {
+@@ -883,7 +888,8 @@
+ 				// complain loudly
+ 				continue;
+ 			} else {
+-				if (within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
++				if (hunk_eq(cur->sec_label, d->spd.this.sec_label) ||
++				    within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
+ 					match_i = true;
+ 					dbg("ikev2ts #1: received label within range of our security label");
+ 				} else {
+@@ -902,9 +908,13 @@
+ 						dbg("IKEv2_TS_SECLABEL but zero length cur->sec_label");
+ 						continue;
+ 					} else {
+-						if (within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
++						if (hunk_eq(ends->r->sec_label, d->spd.this.sec_label) ||
++						    within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
+ 							dbg("ikev2ts #2: received label within range of our security label");
+ 							match_r = true;
++							if (selected_sec_label != NULL) {
++								*selected_sec_label = &cur->sec_label;
++							}
+ 						} else {
+ 							dbg("ikev2ts #2: received label not within range of our security label");
+ 							DBG_dump_hunk("ends->r->sec_label", ends->r->sec_label);
+@@ -926,7 +936,8 @@
+ 	return require_label == recv_label_i && match_i && match_r;
+ }
+ #else
+-static bool score_ends_seclabel(const struct ends *ends UNUSED,
++static bool score_ends_seclabel(const chunk_t **selected_sec_label,
++				const struct ends *ends UNUSED,
+ 				const struct connection *d UNUSED,
+ 				const struct traffic_selectors *tsi UNUSED,
+ 				const struct traffic_selectors *tsr UNUSED,
+@@ -1030,6 +1041,7 @@
+ 	struct best_score best_score = NO_SCORE;
+ 	const struct spd_route *best_spd_route = NULL;
+ 	struct connection *best_connection = c;
++	const chunk_t *best_sec_label = NULL;
+ 
+ 	/* find best spd in c */
+ 
+@@ -1042,7 +1054,8 @@
+ 			.r = &sra->this,
+ 		};
+ 
+-		if (!score_ends_seclabel(&ends, c, &tsi, &tsr, child->sa.st_logger)) {
++		const chunk_t* selected_sec_label = NULL;
++		if (!score_ends_seclabel(&selected_sec_label, &ends, c, &tsi, &tsr, child->sa.st_logger)) {
+ 			continue;
+ 		}
+ 
+@@ -1060,6 +1073,7 @@
+ 			    score.tsi - tsi.ts, score.tsr - tsr.ts);
+ 			best_score = score;
+ 			best_spd_route = sra;
++			best_sec_label = selected_sec_label;
+ 			passert(best_connection == c);
+ 		}
+ 	}
+@@ -1143,7 +1157,8 @@
+ 					? END_NARROWER_THAN_TS
+ 					: END_EQUALS_TS;
+ 
+-				if (!score_ends_seclabel(&ends, d, &tsi, &tsr,
++				const chunk_t* selected_sec_label = NULL;
++				if (!score_ends_seclabel(&selected_sec_label, &ends, d, &tsi, &tsr,
+ 					    child->sa.st_logger))
+ 					continue;
+ 
+@@ -1159,6 +1174,7 @@
+ 					best_connection = d;
+ 					best_score = score;
+ 					best_spd_route = sr;
++					best_sec_label = selected_sec_label;
+ 				}
+ 			}
+ 		}
+@@ -1389,6 +1405,13 @@
+ 	 */
+ 	update_state_connection(&child->sa, best_connection);
+ 
++	if (best_sec_label != NULL) {
++		if (child->sa.st_seen_sec_label.len != 0) {
++			free_chunk_content(&child->sa.st_seen_sec_label);
++		}
++		child->sa.st_seen_sec_label = clone_hunk(*best_sec_label, "st_seen_sec_label");
++	}
++
+ 	child->sa.st_ts_this = ikev2_end_to_ts(&best_spd_route->this, child->sa.st_acquired_sec_label);
+ 	child->sa.st_ts_that = ikev2_end_to_ts(&best_spd_route->that, child->sa.st_seen_sec_label);
+ 
+@@ -1424,7 +1447,8 @@
+ 		? END_WIDER_THAN_TS
+ 		: END_EQUALS_TS;
+ 
+-	if (!score_ends_seclabel(&e, c, &tsi, &tsr, child->sa.st_logger))
++	const chunk_t *selected_sec_label = NULL;
++	if (!score_ends_seclabel(&selected_sec_label, &e, c, &tsi, &tsr, child->sa.st_logger))
+ 		return false;
+ 
+ 	struct best_score best = score_ends_iprange(initiator_widening, c, &e, &tsi, &tsr);
+@@ -1435,6 +1459,13 @@
+ 		return false;
+ 	}
+ 
++	if (selected_sec_label != NULL) {
++		if (child->sa.st_seen_sec_label.len != 0) {
++			free_chunk_content(&child->sa.st_seen_sec_label);
++		}
++		child->sa.st_seen_sec_label = clone_hunk(*selected_sec_label, "st_seen_sec_label");
++	}
++
+ 	/* XXX: check conversions */
+ 	dbg("initiator saving acceptable TSi response in this");
+ 	ts_to_end(best.tsi, &c->spd.this, &child->sa.st_ts_this);
+@@ -1489,7 +1520,7 @@
+ 
+ 	enum fit fitness = END_NARROWER_THAN_TS;
+ 
+-	if (!score_ends_seclabel(&ends, c, &their_tsis, &their_tsrs,
++	if (!score_ends_seclabel(NULL, &ends, c, &their_tsis, &their_tsrs,
+ 				 child->sa.st_logger)) {
+ 		log_state(RC_LOG_SERIOUS, &child->sa,
+ 			  "rekey: received Traffic Selectors mismatch configured selectors for Security Label");
+diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_parent.c libreswan-4.3/programs/pluto/ikev2_parent.c
+--- libreswan-4.3-orig/programs/pluto/ikev2_parent.c	2021-02-21 12:03:03.000000000 -0500
++++ libreswan-4.3/programs/pluto/ikev2_parent.c	2021-03-01 10:31:49.667207958 -0500
+@@ -5943,8 +5943,6 @@
+ 			 * from a policy we gave the kernel, so it _should_ be within our range?
+ 			 */
+ 			child->sa.st_acquired_sec_label = clone_hunk(p->sec_label, "st_acquired_sec_label");
+-			c->spd.this.sec_label = clone_hunk(p->sec_label, "updated conn label");
+-			c->spd.that.sec_label = clone_hunk(p->sec_label, "updated conn label");
+ 		}
+ 
+ 	} else {
diff --git a/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch b/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch
new file mode 100644
index 0000000..33bf0fb
--- /dev/null
+++ b/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch
@@ -0,0 +1,70 @@
+diff -Naur libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml libreswan-4.3/configs/d.ipsec.conf/ikev2.xml
+--- libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml	2021-02-21 12:03:03.000000000 -0500
++++ libreswan-4.3/configs/d.ipsec.conf/ikev2.xml	2021-02-21 12:33:36.226284499 -0500
+@@ -1,15 +1,15 @@
+   <varlistentry>
+   <term><emphasis remap='B'>ikev2</emphasis></term>
+   <listitem>
+-<para>Whether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) settings to be used.
+-Currently the accepted values are <emphasis remap='B'>no</emphasis>(the default),
+-signifying only IKEv1 is accepted, or <emphasis remap='B'>yes</emphasis>,
++<para>Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol.
++Currently the accepted values are <emphasis remap='B'>no</emphasis> (or <emphasis remap='B'>never</emphasis>)
++signifying only IKEv1 is accepted, or <emphasis remap='B'>insist</emphasis>(the default),
+ signifying only IKEv2 is accepted. Previous versions allowed the keywords
+-<emphasis remap='B'>propose</emphasis> or <emphasis remap='B'>permit</emphasis>
+-that would allow either IKEv1 or IKEv2, but this is no longer supported. The
+-permit option is interpreted as no and the propose option is interpreted as
+-yes. Older versions also supported keyword
+-<emphasis remap='B'>insist</emphasis> which is now interpreted as yes.
++<emphasis remap='B'>propose</emphasis>, <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>permit</emphasis>
++that would allow either IKEv1 or IKEv2, but this is no longer supported and both options
++now cause the connection to fail to load. <emphasis remap='B'>WARNING:</emphasis> This behaviour differs from upstream
++libreswan, which only accepts <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>no</emphasis> where yes means
++the same as insist.
+ </para>
+   </listitem>
+   </varlistentry>
+diff -Naur libreswan-4.3-orig/lib/libipsecconf/confread.c libreswan-4.3/lib/libipsecconf/confread.c
+--- libreswan-4.3-orig/lib/libipsecconf/confread.c	2021-02-21 12:03:03.000000000 -0500
++++ libreswan-4.3/lib/libipsecconf/confread.c	2021-02-21 12:37:43.138031929 -0500
+@@ -1310,11 +1310,17 @@
+ 
+ 		switch (conn->options[KNCF_IKEv2]) {
+ 		case fo_never:
+-		case fo_permit:
+ 			conn->ike_version = IKEv1;
+ 			break;
+ 
++		case fo_permit:
++			starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
++			return TRUE;
++
+ 		case fo_propose:
++			starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
++			return TRUE;
++
+ 		case fo_insist:
+ 			conn->ike_version = IKEv2;
+ 			break;
+diff -Naur libreswan-4.3-orig/programs/whack/whack.c libreswan-4.3/programs/whack/whack.c
+--- libreswan-4.3-orig/programs/whack/whack.c	2021-02-21 12:03:03.000000000 -0500
++++ libreswan-4.3/programs/whack/whack.c	2021-02-21 12:39:27.066188354 -0500
+@@ -801,7 +801,7 @@
+ 	{ "ikev1-allow", no_argument, NULL, CD_IKEv1 + OO }, /* obsolete name */
+ 	{ "ikev2", no_argument, NULL, CD_IKEv2 +OO },
+ 	{ "ikev2-allow", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete name */
+-	{ "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete, map onto allow */
++	/* not in RHEL8 { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, */
+ 
+ 	PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
+ #ifdef AUTH_HAVE_PAM
+@@ -1762,7 +1762,7 @@
+ 			end_seen = LEMPTY;
+ 			continue;
+ 
+-		/* --ikev1 --ikev2 --ikev2-propose */
++		/* --ikev1 --ikev2  */
+ 		case CD_IKEv1:
+ 		case CD_IKEv2:
+ 		{
diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec
index 1e2f78b..07cbf57 100644
--- a/SPECS/libreswan.spec
+++ b/SPECS/libreswan.spec
@@ -5,17 +5,18 @@
 %global with_cavstests 1
 # minimum version for support for rhbz#1651314
 # should prob update for nss with IKEv1 quick mode support
-%global nss_version 3.53.1-3
+%global nss_version 3.53.1
 %global unbound_version 1.6.6
 %global libreswan_config \\\
     FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
     FINALMANDIR=%{_mandir} \\\
-    INC_RCDEFAULT=%{_initrddir} \\\
-    INC_USRLOCAL=%{_prefix} \\\
+    FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
     INITSYSTEM=systemd \\\
-    NSS_REQ_AVA_COPY=false \\\
     NSS_HAS_IPSEC_PROFILE=true \\\
+    NSS_REQ_AVA_COPY=false \\\
+    PREFIX=%{_prefix} \\\
     PYTHON_BINARY=%{__python3} \\\
+    SHELL_BINARY=%{_bindir}/sh \\\
     USE_DNSSEC=true \\\
     USE_FIPSCHECK=false \\\
     USE_LABELED_IPSEC=true \\\
@@ -24,11 +25,9 @@
     USE_LIBCURL=true \\\
     USE_LINUX_AUDIT=true \\\
     USE_NM=true \\\
+    USE_NSS_KDF=true \\\
     USE_SECCOMP=true \\\
-    USE_XAUTHPAM=true \\\
-    USE_KLIPS=false \\\
-    USE_NSS_PRF=true \\\
-    USE_PRF_AES_XCBC=true \\\
+    USE_AUTHPAM=true \\\
     USE_DH2=true \\\
 %{nil}
 
@@ -37,8 +36,8 @@
 Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
 # version is generated in the release script
-Version: 3.32
-Release: %{?prever:0.}7%{?prever:.%{prever}}%{?dist}
+Version: 4.3
+Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://libreswan.org/
 
@@ -49,20 +48,18 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
 
-Patch1: libreswan-3.32-maintain-different-v1v2-split.patch
-Patch2: libreswan-3.32-rebase-fixups.patch
-Patch3: libreswan-3.32-1842597-accounting.patch
-Patch4: libreswan-3.32-1847766-xfrmi.patch
-Patch5: libreswan-3.32-1840212-nss-gcm.patch
-Patch6: libreswan-3.32-1544463-seccomp.patch
-Patch7: libreswan-3.32-1861360-nodefault-rsa-pss.patch
-Patch8: libreswan-3.32-1880466-labeled-ipsec.patch
+Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
+Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
+Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
+Patch4: libreswan-4.3-labeled-ipsec.patch
+Patch5: libreswan-4.3-ikev2-tcp.patch
+Patch6: libreswan-4.3-1934186-config.patch
 
 BuildRequires: audit-libs-devel
 BuildRequires: bison
 BuildRequires: curl-devel
 BuildRequires: flex
-BuildRequires: gcc
+BuildRequires: gcc make
 BuildRequires: ldns-devel
 BuildRequires: libcap-ng-devel
 BuildRequires: libevent-devel
@@ -70,7 +67,7 @@ BuildRequires: libseccomp-devel
 BuildRequires: libselinux-devel
 BuildRequires: nspr-devel
 BuildRequires: nss-devel >= %{nss_version}
-buildRequires: nss-tools
+BuildRequires: nss-tools
 BuildRequires: openldap-devel
 BuildRequires: pam-devel
 BuildRequires: pkgconfig
@@ -117,21 +114,12 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
-%patch7 -p1
-%patch8 -p1
-
-pathfix.py -i %{__python3} -pn testing/cert_verify/usage_test \
-  testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py \
-  testing/pluto/ikev2-15-fuzzer/send_bad_packets.py
-
-# replace unsupported KLIPS README
-echo "KLIPS is not supported with RHEL8" > README.KLIPS
 
 # linking to freebl is not needed
 sed -i "s/-lfreebl //" mk/config.mk
 
 # enable crypto-policies support
-sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
+sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
 
 %build
 make %{?_smp_mflags} \
@@ -159,8 +147,6 @@ rm -rf %{buildroot}/usr/share/doc/libreswan
 rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
 
 install -d -m 0755 %{buildroot}%{_rundir}/pluto
-# used when setting --perpeerlog without --perpeerlogbase
-install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
 install -d %{buildroot}%{_sbindir}
 
 install -d %{buildroot}%{_sysconfdir}/sysctl.d
@@ -221,19 +207,33 @@ certutil -N -d sql:$tmpdir --empty-password
 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
-%attr(0700,root,root) %dir %{_localstatedir}/log/pluto
-%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
 %attr(0755,root,root) %dir %{_rundir}/pluto
 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
 %attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
+%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
 %{_sbindir}/ipsec
 %{_libexecdir}/ipsec
 %attr(0644,root,root) %doc %{_mandir}/*/*
 
 %changelog
-* Thu Sep 24 10:03:36 EDT 2020 Paul Wouters <pwouters@redhat.com> - 3.32-7
-- Resolves: rhbz#1882449 Labeled IPsec not working [rhel-8.3.0.z]
+* Thu Mar 04 2021 Paul Wouters <pwouters@redhat.com> - 4.3-3
+- Resolves: rhbz#1372050 RFE: Support IKE and ESP over TCP: RFC 8229
+- Resolves: rhbz#1934186 virtual_private setting is missing in the default config
+
+* Mon Mar 01 2021 Paul Wouters <pwouters@redhat.com> - 4.3-2
+- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
+
+* Sun Feb 21 2021 Paul Wouters <pwouters@redhat.com> - 4.3-1
+- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
+
+* Thu Feb 04 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
+- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.2
+- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec
+
+* Tue Oct 27 22:11:42 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
+- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1
+- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch
 
 * Wed Jul 29 2020 Paul Wouters <pwouters@redhat.com> - 3.32-6
 - Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss