These notes apply to Openswan 2.5.x 1. The targets module26 and m26install are obsoleted. Just use the regular 'make module' and 'make module_install' 2. Kernel's up to 2.6.23 are supported for KLIPS (and NETKEY). updown scripts are now seperate for KLIPS and NETKEY. Select your stack with the new keyword protostack=netkey|klips 3. parsing scripts have been phased out for a parsing library, see lib/libipsecconf and programs/addcon/ 4. The ipsec "starter" code has been fully integrated and is obsolete 5. XAUTH DNS/WINS support 6. new keyword: subnets= 7. XAUTH can now store username in the conn, and password in ipsec.secrets [insecure, but people insist] 8. The updown.protostack scripts handle most required NETKEY routes automatically now (eg when leftsourceip= is specified) ************************************************************************* Please see CHANGES for a full updated changelog. This file is not as well maintained as it should be. ************************************************************************* These notes apply to Openswan 2.4.2 1. Aggressive Mode support is included. You enable it by: aggrmode=yes|no Default is no 2. Mode Config support is included. This is most useful when you are a client to something like a Cisco VPN concentrator. See contrib/cisco for a handy tool to convert Cisco .pcf files to Openswan ipsec.conf and ipsec.secrets entries. A sample config below: conn cisco-client ike=3des-md5-modp1024 aggrmode=yes authby=secret left=%defaultroute leftmodecfgclient=yes leftxauthclient=yes leftid= GROUPID, prefixed with @ (eg: @xelerance) right= IP of Cisco Concentrator rightxauthserver=yes rightmodecfgserver=yes modecfgpull=yes pfs=no auto=add You can then 'ipsec whack --name cisco-client --initiate' to start it. You will be prompted for your username and password. 3. KLIPS for kernel 2.6 support. This version will build in most situations on the 2.6 kernel. There will be warnings, and in some cases it will fail. The essential instructions are: 1) export KERNELSRC=your built kernel sources. Defaults to /usr/src/linux-2.6 2) export MOD26BUILDDIR=some place to put stuff Defaults to modobj26. 3) "make module26" So for instance we can do: export KERNELSRC=/corp/network/elros/kernel2.6 export MOD26BUILDDIR=/corp/network/elros/mod26 make module26 This will result in a file: ========================================================= KLIPS26 module built successfully. ipsec.ko is in /corp/network/elros/mod26/modobj26 -rw-r--r-- 1 mcr mcr 403544 Sep 21 18:13 ipsec.ko text data bss dec hex filename 304788 10328 5852 320968 4e5c8 ipsec.ko This file should be installed in /lib/modules, using make m26install Please note that it creates a ".ko" file. If using User-Mode-Linux, please set "KERNVER=26" in the umlsetup.sh, and see the example in testing/utils/umlsetup-sample.sh. ************************************************************************* These notes apply to Openswan 2.2.0 developer release 2 ("dr2") Client side XAUTH is broken. There is a bad interaction between XAUTH policy and Algorithm policy such that XAUTH is not enabled properly. Note: This is fixed in 2.3.0dr3 ************************************************************************* These notes apply to Openswan 2.2.0 developer release 1 ("dr1") The major feature is that JuanJo's "alg" branch has been incorporated into the code. This includes both AES and 3DES code at the moment. Other modules likely will work, but are not tested. Note: The AES module has been incorporated into the single ipsec.o module. It is untested with 2.6's cryptoAPI at the moment. To enable IKE algo support, add the ike= and esp= parameters to your connection definition - eg: conn westnet-eastnet-aes ike=aes256 esp=aes256-sha1 There is now a "x509" debug level for pluto. Many error messages have been revised in the X.509 code. To view these messages, add plutodebug="x509" to your ipsec.conf file. DR1 contains the X.509 patch v1.4.8 code only. Work to merge 1.5.4 is underway, but not yet complete. 1.5.4 may appear in 2.2dr2, but if not, it will appear in 2.2.0 final. New test cases have been created for sending X.509 certificates via IKE, with and without CRLs, and with a variety of CA options. Some bugs were fixed in x509.c relating to what constitutes a root CA. Dead Peer Detection (RFC3706) has been included, as well as test cases.