Openswan 2.3.0 Release Notes

1) AES-SHA1 is now the default proposal. This has changed from 3DES-MD5
   in prior versions. Openswan still proposes both 3DES and MD5, but
   AES-SHA1 is preferred. If you want/need the old behaviour back, add

   to your conn's. We have done this in response to the MD5 collisions that
   have been demonstrated in recent months, and speculation that MD5 could be
   broken in the coming months/years.

   We changed to prefer AES, as that is the direction the VPN industry is
   moving, so we want to stay near the front of the line. As well, AES is now
   part of ICSA Labs' testing for IPsec Certification, and numerous vendors
   repackage Openswan into products submitted for certification.
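As an added illustration (not part of the Openswan README, and not the project's own sample configuration), the following /etc/ipsec.conf fragment shows what "adding a proposal to your conn" looks like in practice: one conn pins the new AES-SHA1 default explicitly so a peer cannot negotiate it back down to MD5, and a second conn restores the pre-2.3.0 3DES-MD5 behaviour for a single peer that cannot be upgraded. The conn names, addresses and subnets are made up for the example.

```conf
# /etc/ipsec.conf fragment (constructed example, not from the Openswan README)

# Preferred: state the 2.3.0 default explicitly. With ike= and esp= set,
# Pluto proposes only these algorithms for this conn, so a peer that only
# offers 3DES-MD5 will fail to negotiate instead of silently downgrading.
conn office-aes
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        right=198.51.100.7
        rightsubnet=10.2.0.0/24
        authby=secret
        ike=aes128-sha1
        esp=aes128-sha1
        pfs=yes
        auto=add

# Legacy: only for a peer that still requires the old default. Keeping it
# in its own conn limits the weaker proposal to that one peer rather than
# re-enabling 3DES-MD5 for every tunnel.
conn office-legacy
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        right=203.0.113.9
        rightsubnet=10.3.0.0/24
        authby=secret
        ike=3des-md5
        esp=3des-md5
        auto=add
```

Once the conns are loaded, the "ISAKMP SA established" and "IPsec SA established" lines in the Pluto log list the cipher and hash that were actually negotiated, which is the quickest way to confirm that a given peer ended up on AES-SHA1 rather than the legacy proposal.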
2) Aggressive Mode, XAUTH, and MODE Config client and server functionality.

See docs/RELEASE-NOTES.txt for more details about these changes.
Openswan is based on code from the FreeS/WAN project (www.freeswan.org).
It has support for most of the extensions (RFC + IETF drafts) related
to IPsec, including X.509 Digital Certificates, NAT Traversal, and many

Openswan was originally based on FreeS/WAN 2.04 CVS, along with some
minor bug fixes from 2.05 and 2.06. See CREDITS for the history.
It also includes Andreas Steffen's X.509 Digital Certificate patch,
NAT-Traversal code (based on Mathieu Lafon's work for Arkoon) and XAUTH
Server support (based on Colubris's code).

Download it from http://www.openswan.org/code
Linux Kernel 2.4.x, or 2.6.x are the currently supported platforms.
We do not support obsolete kernels (e.g. 2.2.xx, xx < 20), and using them
is generally a bad idea anyway due to known security holes.
We do not test with 2.0 kernels earlier than 2.0.39.

A number of folks have reported problems where pluto and/or whack don't
compile properly. As well, if you upgraded over top of another FreeS/WAN
installation, you may see errors like this:

    ipsec__plutorun: /usr/local/lib/ipsec/whack: option `--ike' is ambiguous

or pfkey read/write errors. These indicate mismatched versions of the
Openswan userland tools and the kernel module(s). To resolve this,
ensure you have all of the dependencies installed and recompile.
There are a few additional packages required for Openswan to compile:

1. libgmp + libgmp-devel headers. (GNU Math Precision Library)

2. On RedHat 7.x systems, kernel-headers 2.4.9-34 or higher. 2.4.7-10 is
   broken, and you will see __fswab32 errors during compilation of some of
   the crypto modules. On non RedHat systems, you'll probably need kernel

3. flex, and bison (usually included in all non-embedded distributions)

4. A non-corrupt kernel source tree. This seems to fix many reported
   problems - starting with a fresh tree, either vendor supplied or from
   http://www.kernel.org. The best test is to build a kernel from your
   source tree before patching in Openswan.
#########################################################################
# HOW TO INSTALL on Kernel 2.6 (And Kernels with 2.6 IPsec backport)
# This includes Debian Stable
#########################################################################

For Linux Kernels 2.6.0 and higher (or with the 2.6 IPsec stack
backported), Openswan can use the built-in IPsec support (aka NETKEY).
Only the userland component of Openswan is required when using a 2.6
series kernel. Please use at least version 2.6.6, as prior versions of
the kernel have serious bugs in the IPsec stack.

1.0) From the openswan source directory:

2.0) As root, install the userland tools:

Note: you will need setkey from the ipsec-tools package, available from
http://ipsec-tools.sourceforge.net
#########################################################################
# HOW TO INSTALL on Linux Kernel 2.4 systems
#########################################################################

These instructions assume your kernel source tree is in
/usr/src/linux-2.4. If this isn't the case, simply change the
parameters in the instructions below. It's best if you've already
installed FreeS/WAN or Super FreeS/WAN before, so you'll be familiar
with the steps outlined below.

1.0) Uncompress linux-2.#.#.tar.bz2 in /usr/src (or elsewhere), build a
     normal working kernel. This ensures any compilation problems
     that occur are isolated and resolved *before* any Openswan patches
     are applied to the kernel.

1.1) If you want NAT-T support, you need to patch your kernel and build
     a new bzImage. From the Openswan source directory:

     make nattpatch | (cd /usr/src/linux-2.4 && patch -p1 && make bzImage)

     Then install the patched kernel as you normally would,
     eg: cd /usr/src/linux && make dep bzImage install

2.0) From the openswan source directory, build the userland tools, and
     ipsec.o kernel module:

     make KERNELSRC=/usr/src/linux-2.4 programs module

3.0) As root, install the userland tools, and the ipsec.o module:

     make KERNELSRC=/usr/src/linux-2.4 install minstall
1. If you are upgrading from a 1.x product to Openswan 2.x, you will
   need to adjust your config files. See doc/upgrading.html for details.

2. You can 'make install' overtop of your old version - it won't replace
   your /etc/ipsec.* config files.
http://lists.openswan.org is home of the mailing lists. Note: these are
closed lists - you *must* be subscribed to post. This is different from the
FreeS/WAN lists, which were open.

The legacy FreeS/WAN docs are still in doc/, and included in various
forms. You can also check the Openswan WIKI, @ http://wiki.openswan.org
for newer documentation.

Our IRC channel is on irc.freenode.net. If you need more information on
our IRC channel, see http://www.openswan.org/support/irc.php

Commercial support for Openswan is also available - see
http://www.xelerance.com/openswan/support for more information, or
email sales@xelerance.com

Bugs with the software can be filed with our Mantis system, located at
http://bugs.openswan.org

Known security vulnerabilities in this release: None :) If you find one,
please email vuln@xelerance.com with details. Please use GPG (finger
vuln@xelerance.com for GPG key) for this.

Those interested in the development, patches, beta releases of Openswan