<A HREF="quickstart.html">Next</A>
<A NAME="upgrading"></A>
<H1><A NAME="2">Upgrading to Openswan 2.x</A></H1>
<H1><A NAME="2">Upgrading to FreeS/WAN 2.x</A></H1>
<H2><A NAME="2_1">New! Built in Opportunistic connections</A></H2>
<P>Out of the box, Openswan 2.x will attempt to encrypt all your IP
<P>Out of the box, FreeS/WAN 2.x will attempt to encrypt all your IP
traffic. It will try to establish IPsec connections for:</P>
<LI> IP traffic from the Linux box on which you have installed
<LI> outbound IP traffic routed through that Linux box (eg. from a
protected subnet).</LI>
<P>Openswan uses<STRONG> hidden, automatically enabled<VAR>
<P>FreeS/WAN 2.x uses<STRONG> hidden, automatically enabled<VAR>
ipsec.conf</VAR> connections</STRONG> to do this.</P>
<P>Many users will want to disable this, please see <A
HREF="policygroups.html#disable_policygroups">how to disable the policy
<P>This behaviour is part of our campaign to get Opportunistic
Encryption (OE) widespread in the Linux world, so that any two Linux
boxes can encrypt to one another without prearrangement. There's one
catch, however: you must<A HREF="quickstart.html#quickstart"> set up a
few DNS records</A> to distribute RSA public keys and (if applicable)
IPsec gateway information.</P>
<P>If you start Openswan before you have set up these DNS records, your
<P>If you start FreeS/WAN before you have set up these DNS records, your
connectivity will be slow, and messages relating to the built in
connections will clutter your logs. If you are unable to set up DNS for
OE, you will wish to<A HREF="policygroups.html#disable_policygroups">
<A NAME="upgrading.flagday"></A>
<H3><A NAME="2_1_1">Upgrading Opportunistic Encryption to 2.01 (or
<P>As of Openswan 2.0, Opportunistic Encryption (OE) uses DNS TXT
<P>As of FreeS/WAN 2.01, Opportunistic Encryption (OE) uses DNS TXT
resource records (RRs) only (rather than TXT with KEY). This change
causes a "flag day". Users of Openswan 2.00 (or earlier) OE who are
causes a "flag day". Users of FreeS/WAN 2.00 (or earlier) OE who are
upgrading may need to post additional resource records.</P>
<P>If you are running<A HREF="glossary.html#initiate-only">
initiate-only OE</A>, you<EM> must</EM> put up a TXT record in any
<LI>For any other communication, try to encrypt, but it's okay if we
<P>Openswan then implements these policies, creating OE connections if
<P>FreeS/WAN then implements these policies, creating OE connections if
and when needed. You can use Policy Groups along with connections you
explicitly define in ipsec.conf.</P>
<P>For more information, see our<A HREF="policygroups.html"> Policy
Group HOWTO</A>.</P>
<H2><A NAME="2_3">New! Packetdefault Connection</A></H2>
<P>Openswan 2.0 ships with the<STRONG> automatically enabled, hidden
<P>FreeS/WAN 2.x ships with the<STRONG> automatically enabled, hidden
connection</STRONG><VAR> packetdefault</VAR>. This configures a
Openswan box as an OE gateway for any hosts located behind it. As
FreeS/WAN box as an OE gateway for any hosts located behind it. As
mentioned above, you must configure some<A HREF="quickstart.html"> DNS
records</A> for OE to work.</P>
<P>As the name implies, this connection functions as a default. If you
have more specific connections, such as policy groups which configure
your Openswan box as an OE gateway for a local subnet, these will
your FreeS/WAN box as an OE gateway for a local subnet, these will
apply before<VAR> packetdefault</VAR>. You can view<VAR> packetdefault</VAR>
's specifics in<A HREF="manpage.d/ipsec.conf.5.html"> man ipsec.conf</A>
<H2><A NAME="2_4">Openswan now disables Reverse Path Filtering</A></H2>
<P>Openswan often doesn't work with reverse path filtering. At start
time, Openswan now turns rp_filter off, and logs a warning.</P>
<P>Openswan does not turn it back on again. You can do this yourself
<H2><A NAME="2_4">FreeS/WAN now disables Reverse Path Filtering</A></H2>
<P>FreeS/WAN often doesn't work with reverse path filtering. At start
time, FreeS/WAN now turns rp_filter off, and logs a warning.</P>
<P>FreeS/WAN does not turn it back on again. You can do this yourself
with a command like:</P>
<PRE> echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter</PRE>
<P>For eth0, substitute the interface which Openswan was affecting.</P>
<P>For eth0, substitute the interface which FreeS/WAN was affecting.</P>
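<P>The setting is per interface, and the IPsec startup does not record which interfaces it touched. The shell helper below is an added example, not part of the Openswan or FreeS/WAN documentation or code: it snapshots <VAR>rp_filter</VAR> for every interface under the conf tree before IPsec is started, reports which interfaces are currently unfiltered, and writes the recorded values back afterwards. The function names and the <VAR>CONF_ROOT</VAR> variable are this example's own; only the <VAR>/proc/sys/net/ipv4/conf/&lt;iface&gt;/rp_filter</VAR> path comes from the text above.</P>

```shell
#!/bin/sh
# Added example (not from the Openswan/FreeS/WAN docs): snapshot and re-enable
# rp_filter for every interface under a sysctl conf root, so the setting that
# the IPsec startup switched off can be checked and turned back on afterwards.
# CONF_ROOT defaults to the real tree; a test can point it at a constructed
# copy with the same conf/<iface>/rp_filter layout. All names are this
# example's own.

CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print "iface value" for every interface whose rp_filter is readable.
rp_filter_snapshot() {
    root="${1:-$CONF_ROOT}"
    for f in "$root"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        printf '%s %s\n' "$iface" "$(cat "$f")"
    done
}

# List interfaces (one per line) whose rp_filter is currently 0,
# i.e. the ones left without reverse path filtering.
rp_filter_disabled() {
    rp_filter_snapshot "$1" | awk '$2 == 0 { print $1 }'
}

# Write the value recorded in the snapshot file ($2) back to every
# interface that differs from it; prints the number of interfaces changed.
rp_filter_restore() {
    root="${1:-$CONF_ROOT}"
    snapshot="$2"
    changed=0
    while read -r iface value; do
        target="$root/$iface/rp_filter"
        [ -w "$target" ] || continue
        if [ "$(cat "$target")" != "$value" ]; then
            echo "$value" > "$target"
            changed=$((changed + 1))
        fi
    done < "$snapshot"
    echo "$changed"
}
```

<P>Typical use: run <VAR>rp_filter_snapshot &gt; /var/tmp/rp_filter.before</VAR> before starting IPsec and <VAR>rp_filter_restore "" /var/tmp/rp_filter.before</VAR> once the tunnels are up (the empty first argument selects the default conf root). The snapshot also covers the kernel's <VAR>all</VAR> and <VAR>default</VAR> pseudo-interfaces, which is harmless because they are restored to whatever they already held.</P>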
<A NAME="ipsec.conf_v2"></A>
<H2><A NAME="2_5">Revised<VAR> ipsec.conf</VAR></A></H2>
<H3><A NAME="2_5_1">No promise of compatibility</A></H3>
<P>The Openswan team promised config-file compatibility throughout the
1.x series. That means a FreeS/WAN 1.5 config file can be directly
imported into a fresh Openswan 1.0 install with no problems.</P>
<P>With Openswan 2.x, we've given ourselves permission to make the
config file easier to use. The cost: some Openswan 1.x configurations
<P>The FreeS/WAN team promised config-file compatibility throughout the
1.x series. That means a 1.5 config file can be directly imported into
a fresh 1.99 install with no problems.</P>
<P>With FreeS/WAN 2.x, we've given ourselves permission to make the
config file easier to use. The cost: some FreeS/WAN 1.x configurations
will not work properly. Many of the new features are, however, backward
<H3><A NAME="2_5_2">Most<VAR> ipsec.conf</VAR> files will work fine</A></H3>