diff --git a/SOURCES/libreswan-3.21-xauth-passwd.patch b/SOURCES/libreswan-3.21-xauth-passwd.patch
new file mode 100644
index 0000000..38cad62
--- /dev/null
+++ b/SOURCES/libreswan-3.21-xauth-passwd.patch
@@ -0,0 +1,13 @@
+diff --git a/programs/pluto/ikev1_xauth.c b/programs/pluto/ikev1_xauth.c
+index 5a8e92b68..f023e119f 100644
+--- a/programs/pluto/ikev1_xauth.c
++++ b/programs/pluto/ikev1_xauth.c
+@@ -2103,7 +2103,7 @@ static stf_status xauth_client_resp(struct state *st,
+ }
+ 
+ if (st->st_xauth_password.ptr == NULL) {
+- char xauth_password[64];
++ char xauth_password[XAUTH_MAX_PASS_LENGTH];
+ 
+ if (st->st_whack_sock == -1) {
+ loglog(RC_LOG_SERIOUS,
diff --git a/SOURCES/libreswan-3.21-xauth-state.patch b/SOURCES/libreswan-3.21-xauth-state.patch
new file mode 100644
index 0000000..fae458c
--- /dev/null
+++ b/SOURCES/libreswan-3.21-xauth-state.patch
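Review bot: Enlarging the declaration to `char xauth_password[XAUTH_MAX_PASS_LENGTH];` only fixes the 64-byte limit if the read that fills the buffer, which lies outside this hunk in xauth_client_resp, is bounded by `sizeof(xauth_password)` rather than a literal 64 or the bare macro; please confirm, since a hard-coded length on either side would leave the declaration and the read out of step. Because this stack buffer presumably carries a cleartext credential until it is copied into `st->st_xauth_password`, it is also worth confirming that the function clears it before leaving the scope — if it does not, a `memset(xauth_password, 0, sizeof(xauth_password));` (or whatever zeroing helper this file already uses) is cheap. The enclosing function starts and ends outside the hunk.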
@@ -0,0 +1,45 @@
+diff -Naur libreswan-3.21-orig/programs/pluto/ikev1.c libreswan-3.21/programs/pluto/ikev1.c
+--- libreswan-3.21-orig/programs/pluto/ikev1.c 2017-08-09 13:47:34.000000000 -0700
++++ libreswan-3.21/programs/pluto/ikev1.c 2017-10-16 14:43:10.057639590 -0700
+@@ -2273,16 +2273,17 @@
+ * actual end of phase 1. With modecfg, negotiation ends with
+ * STATE_MAIN_I4 already.
+ */
+-#if 0 /* ??? what's this code for? */
+ if (st->st_connection->spd.this.xauth_client
+- && st->hidden_variables.st_xauth_client_done
+- && !st->st_connection->spd.this.modecfg_client
+- && st->st_state == STATE_XAUTH_I1) {
+- DBG(DBG_CONTROL,
+- DBG_log("As XAUTH is done and modecfg is not configured, so Phase 1 neogtiation finishes successfully"));
+- change_state(st, STATE_MAIN_I4);
++ && st->hidden_variables.st_xauth_client_done
++ && !st->st_connection->spd.this.modecfg_client
++ && st->st_state == STATE_XAUTH_I1)
++ {
++ bool aggrmode = (st->st_connection->policy & POLICY_AGGRESSIVE);
++
++ libreswan_log("XAUTH completed, ModeCFG skipped as per configuration");
++ change_state(st, aggrmode ? STATE_AGGR_I2 : STATE_MAIN_I4);
++ st->st_msgid_phase15 = v1_MAINMODE_MSGID;
+ }
+-#endif
+ 
+ /* Schedule for whatever timeout is specified */
+ if (!md->event_already_set) {
+@@ -2332,6 +2333,15 @@
+ bool agreed_time = FALSE;
+ struct connection *c = st->st_connection;
+ 
++ /* fixup in case of state machine jump for xauth without modecfg */
++ if (c->spd.this.xauth_client
++ && st->hidden_variables.st_xauth_client_done
++ && !c->spd.this.modecfg_client
++ && (st->st_state == STATE_MAIN_I4 || st->st_state == STATE_AGGR_I2)) {
++ DBG(DBG_CONTROL, DBG_log("fixup XAUTH without ModeCFG event from EVENT_v1_RETRANSMIT to EVENT_SA_REPLACE"));
++ kind = EVENT_SA_REPLACE;
++ }
++
+ switch (kind) {
+ case EVENT_v1_RETRANSMIT: /* Retransmit packet */
+ delay_ms = c->r_interval;
diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec
index 96c007b..eb3c4c4 100644
--- a/SPECS/libreswan.spec
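Review bot: In the second hunk the fix-up assigns `kind = EVENT_SA_REPLACE;` whenever the XAUTH-done / no-ModeCFG / STATE_MAIN_I4-or-STATE_AGGR_I2 condition holds, regardless of which event the caller asked to schedule, even though the DBG message describes a rewrite "from EVENT_v1_RETRANSMIT"; because the state keeps that value for the rest of the SA's life after the jump in the first hunk, every later event scheduled through this function would silently be turned into an SA replace. Restricting the guard to the case the message names, by adding `&& kind == EVENT_v1_RETRANSMIT` as the last conjunct of the new `if`, keeps the workaround to the one transition it was written for. If some other event kind is also meant to be converted, the DBG text should say so instead. Both enclosing functions begin and end outside their hunks.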
+++ b/SPECS/libreswan.spec @@ -5,7 +5,7 @@ %global USE_NM true %global USE_LINUX_AUDIT true %global USE_SECCOMP 0 -%global USE_DNSSEC false +%global USE_DNSSEC true %global _hardened_build 1 %global buildefence 0 @@ -21,7 +21,7 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols Version: 3.20 -Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist} +Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist} License: GPLv2 Group: System Environment/Daemons Url: https://libreswan.org/ @@ -34,6 +34,8 @@ Patch1: libreswan-3.20-1372279-down-error.patch Patch2: libreswan-3.20-1444115-fips-F4.patch Patch3: libreswan-3.20-1341353-psk-fips.patch Patch4: libreswan-3.2-1458227-cavp-fips.patch +Patch5: libreswan-3.21-xauth-state.patch +Patch6: libreswan-3.21-xauth-passwd.patch Requires: iproute >= 2.6.8 nss-tools nss-softokn @@ -117,8 +119,8 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch2 -p1 %patch3 -p1 %patch4 -p1 -echo "USE_LINUX_AUDIT=true" > Makefile.inc.local -echo "USE_DNSSEC=false" >> Makefile.inc.local +%patch5 -p1 +%patch6 -p1 %build %if %{buildefence} @@ -200,6 +202,26 @@ make \ %else INITSYSTEM=systemd \ %endif + USE_NM=%{USE_NM} \ + USE_XAUTHPAM=true \ +%if %{USE_FIPSCHECK} + USE_FIPSCHECK="%{USE_FIPSCHECK}" \ + FIPSPRODUCTCHECK=/etc/system-fips \ +%endif + USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \ + USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \ + USE_LINUX_AUDIT=true \ +%if %{USE_CRL_FETCHING} + USE_LDAP=true \ + USE_LIBCURL=true \ +%endif + USE_DNSSEC=true \ + INC_USRLOCAL=%{_prefix} \ + FINALLIBDIR=%{_libexecdir}/ipsec \ + FINALLIBEXECDIR=%{_libexecdir}/ipsec \ + MODPROBE="modprobe -q -b" \ + USE_DH22=true \ + USE_SECCOMP="%{USE_SECCOMP}" \ install FS=$(pwd) rm -rf %{buildroot}/usr/share/doc/libreswan 
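Review bot: In the make-flags hunk the new `USE_DNSSEC=true \` and `USE_LINUX_AUDIT=true \` lines hard-code values that the spec already defines as `%global USE_DNSSEC` (flipped to true in this same commit) and `%global USE_LINUX_AUDIT`, so the top-of-file toggles no longer control the build, unlike the neighbouring `USE_LIBCAP_NG="%{USE_LIBCAP_NG}"` and `USE_SECCOMP="%{USE_SECCOMP}"`. Using `USE_DNSSEC="%{USE_DNSSEC}" \` and `USE_LINUX_AUDIT="%{USE_LINUX_AUDIT}" \` keeps one source of truth and matches the style of the adjacent lines (`USE_NM=%{USE_NM}` could take the same quoting for consistency). Enabling DNSSEC also presumably pulls in a resolver library at build time; if the corresponding BuildRequires is not already declared above the visible hunks, the build would fail or silently degrade, so that is worth checking. The `make` invocation this hunk sits in starts outside the hunk.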
@@ -313,6 +335,13 @@ fi
 %endif
 
 %changelog
+* Tue Oct 24 2017 Paul Wouters - 3.20-5
+- Resolves: rhbz#1503949 [updated - USE_DNSSEC setting was updated]
+
+* Thu Oct 19 2017 Paul Wouters - 3.20-4
+- Resolves: rhbz#1501809 libreswan does not establish IKE with xauth enabled but modecfg disabled
+- Resolves: rhbz#1503949 xauth password length limited to 64 bytes while XAUTH_MAX_PASS_LENGTH (128)
+
 * Mon Jun 12 2017 Paul Wouters - 3.20-3
 - Resolves: rhbz#1372279 ipsec auto --down CONNECTION returns error for tunnels [updated]
 - Resolves: rhbz#1458227 CAVS test driver does not work in FIPS mode