diff --git a/.gitignore b/.gitignore
index f797522..f2c7a6e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,4 @@
 /libreswan-3.27.tar.gz
 /libreswan-3.28.tar.gz
 /libreswan-3.29.tar.gz
+/libreswan-3.30.tar.gz
diff --git a/libreswan-3.30-s390x.patch b/libreswan-3.30-s390x.patch
new file mode 100644
index 0000000..a229d8a
--- /dev/null
+++ b/libreswan-3.30-s390x.patch
@@ -0,0 +1,21 @@
+commit 8b067b47b1e2306c83bed49ecada1bddfb1c1a38
+Author: Paul Wouters
+Date: Fri Feb 14 15:22:21 2020 -0500
+
+ pluto: fixup: 'incl' may be used uninitialized in init_virtual_ip()
+
+ For some reason, only the s390x compiler complains.
+
+diff --git a/programs/pluto/virtual.c b/programs/pluto/virtual.c
+index ce94d5a5ee..74d77a3ab0 100644
+--- a/programs/pluto/virtual.c
++++ b/programs/pluto/virtual.c
+@@ -172,7 +172,7 @@ void init_virtual_ip(const char *private_list)
+ if (next == NULL)
+ next = str + strlen(str);
+
+- bool incl;
++ bool incl = FALSE;
+ if (read_subnet(str, next - str,
+ &(private_net_incl[i_incl]),
+ &(private_net_excl[i_excl]),
diff --git a/libreswan.spec b/libreswan.spec
index 88d3030..a88ebd4 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -11,14 +11,19 @@
 INC_RCDEFAULT=%{_initrddir} \\\
 INC_USRLOCAL=%{_prefix} \\\
 INITSYSTEM=systemd \\\
+ PYTHON_BINARY=%{__python3} \\\
+ SHELL_BINARY=%{_bindir}/sh \\\
 USE_DNSSEC=true \\\
 USE_FIPSCHECK=true \\\
+ USE_KLIPS=false \\\
 USE_LABELED_IPSEC=true \\\
 USE_LDAP=true \\\
 USE_LIBCAP_NG=true \\\
 USE_LIBCURL=true \\\
 USE_LINUX_AUDIT=true \\\
 USE_NM=true \\\
+ USE_NSS_IPSEC_PROFILE=true \\\
+ USE_NSS_PRF=true \\\
 USE_SECCOMP=true \\\
 USE_XAUTHPAM=true \\\
 %{nil}
@@ -26,10 +31,10 @@ #global prever rc1 Name: libreswan -Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols +Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec # version is generated in the release script -Version: 3.29 -Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} +Version: 3.30 +Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz @@ -39,7 +44,7 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif -Patch1: libreswan-3.29-updown-syntax.patch +Patch1: libreswan-3.30-s390x.patch Requires(post): bash coreutils systemd Requires(preun): systemd 
@@ -88,22 +93,20 @@ decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network or VPN. This package contains the daemons and userland tools for setting up -Libreswan. To build KLIPS, see the kmod-libreswan.spec file. +Libreswan. -Libreswan also supports IKEv2 (RFC4309) and Secure Labeling +Libreswan also supports IKEv2 (RFC7296) and Secure Labeling Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %prep %setup -q -n libreswan-%{version}%{?prever} +%patch1 -p1 # Fedora should really figure this versioning out itself, not burden upstream -sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/verify/verify.in -sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/show/show.in sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/cert_verify/usage_test sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev2-15-fuzzer/send_bad_packets.py sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py -sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/_unbound-hook/_unbound-hook.in # enable crypto-policies support sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in # linking to freebl is no longer needed 
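Review bot: The `%patch1 -p1` added directly after `%setup` looks like a second application of Patch1, because the next hunk still shows an unchanged `%patch1 -p1` as context just before `%build`. If both lines end up in the resulting spec, the second run meets an already-applied patch, and `%prep` would be expected to fail or skip it depending on the patch options in use. Keep only one of them; dropping the older line before `%build` keeps the patch ahead of the `sed` edits.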
@@ -112,18 +115,16 @@ sed -i "s/-lfreebl //" mk/config.mk %patch1 -p1 %build -%if 0%{with_efence} -%global efence "-lefence" -%endif - -#796683: -fno-strict-aliasing make %{?_smp_mflags} \ %if 0%{with_development} - USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \ + OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \ %else - USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \ + OPTIMIZE_CFLAGS="%{optflags}" \ %endif - USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \ +%if 0%{with_efence} + USE_EFENCE=true \ +%endif + USERLINK="%{?__global_ldflags}" \ %{libreswan_config} \ programs FS=$(pwd) @@ -144,7 +145,7 @@ make \ FS=$(pwd) rm -rf %{buildroot}/usr/share/doc/libreswan -install -d -m 0700 %{buildroot}%{_rundir}/pluto +install -d -m 0755 %{buildroot}%{_rundir}/pluto # used when setting --perpeerlog without --perpeerlogbase install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer install -d %{buildroot}%{_sbindir} @@ -212,6 +213,14 @@ export NSS_DISABLE_HW_GCM=1 %{_libdir}/fipscheck/pluto.hmac %changelog +* Fri Feb 14 2020 Paul Wouters - 3.30-1 +- Resolves: rhbz#1802896 libreswan-3.30 is available +- Resolves: rhbz#1799598 libreswan: FTBFS in Fedora rawhide/f32 +- Resolves: rhbz#1760571 [abrt] libreswan: configsetupcheck(): verify:366:configsetupcheck:TypeError: + +* Wed Jan 29 2020 Fedora Release Engineering - 3.29-2.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Thu Jan 09 2020 Paul Wouters - 3.29-2 - _updown.netkey: fix syntax error in checking routes 
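Review bot: The explicit hardening flags are gone from the `make` invocation in `%build`: `-fPIE -pie`, `-Wl,-z,relro,-z,now`, `-Wformat-security` and `-fno-strict-aliasing` (with its `#796683` reference) now have to arrive through `%{optflags}`, `%{?__global_ldflags}` and upstream's makefiles. The two conditional macros expand to nothing when undefined, and the `with_development` branch passes only `%{?_hardened_cflags}`, so a build outside a hardened-by-default buildroot could quietly produce a non-PIE, lazily bound pluto. I would add a comment above the `make` line such as `# PIE, RELRO and BIND_NOW now come from the distro optflags/ldflags macros`, and confirm on the built binary that they are still present. Whether dropping `-fno-strict-aliasing` is safe for this code base is not visible in the diff.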
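Review bot: `install -d -m 0755 %{buildroot}%{_rundir}/pluto` makes the pluto runtime directory readable and traversable by every local user, where it was `0700` before, and neither the changelog entry nor a comment gives the reason. If the daemon's control socket and pid file live in that directory, their own modes become the only barrier against unprivileged local access. Please state the reason in a comment above the line, for example which unprivileged consumer needs to traverse the directory. Also check that the `%files` entry and the socket created at runtime keep restrictive permissions; neither is visible in this diff.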
@@ -219,7 +228,7 @@ export NSS_DISABLE_HW_GCM=1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild * Mon Jun 10 2019 Paul Wouters - 3.29-1 -- Updated to 3.29 for CVE-2019-10155 +- Resolves: rhbz#1718986 Updated to 3.29 for CVE-2019-10155 * Tue May 21 2019 Paul Wouters - 3.28-1 - Updated to 3.28 (many imported bugfixes, including CVE-2019-12312) diff --git a/sources b/sources index 971f925..9358c0a 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467 SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e -SHA512 (libreswan-3.29.tar.gz) = 4b4d91204d8b1724e0a9ad3ed55fc232c9a526211c3b47b6cc33fd160feb72538ef1661becca250bde815b9d7b75709bf16c7b372476605557b47c785cdf2535 +SHA512 (libreswan-3.30.tar.gz) = 1ea3505938231bacb762ec13c278b584239660e20994030423f0200ff32fcc0f0a0c74649b1470bbfc1165a762d3b60d0b1c5c56bff81a52415c7666736b5b99 diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..1d79939 --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,14 @@ +# Tests for libreswan using NM's tests +- hosts: localhost + roles: + - role: standard-test-basic + tags: + - classic + repositories: + - repo: "https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci" + dest: "NetworkManager-ci" + tests: + - sanity-tests: + dir: NetworkManager-ci + run: run/osci/run-tests libreswan +
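Review bot: The new `tests/tests.yml` clones `https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci` with no tag or commit and then executes `run/osci/run-tests libreswan` from it, so whatever is on that repository's default branch at test time runs in this package's CI. Pinning the checkout to a known revision would make runs reproducible and keep an unreviewed upstream change from executing here. If the role's `repositories` entries accept a ref, set it; otherwise record the intent in the header comment, e.g. `# NetworkManager-ci is tracked at its default branch on purpose`.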