These notes apply to Openswan 2.5.x

1.	The targets module26 and m26install are obsoleted. Just use the
	regular 'make module' and 'make module_install'

2.      Kernel's up to 2.6.23 are supported for KLIPS (and NETKEY). updown
        scripts are now seperate for KLIPS and NETKEY. Select your stack
        with the new keyword protostack=netkey|klips

3.	parsing scripts have been phased out for a parsing library,
	see lib/libipsecconf and programs/addcon/

4.	The ipsec "starter" code has been fully integrated and is obsolete

5.	XAUTH DNS/WINS support

6.      new keyword: subnets=

7.      XAUTH can now store username in the conn, and password in
        ipsec.secrets [insecure, but people insist]

8.	The updown.protostack scripts handle most required NETKEY routes
	automatically now (eg when leftsourceip= is specified)

*************************************************************************
Please see CHANGES for a full updated changelog. This file is not as well
maintained as it should be.
*************************************************************************
These notes apply to Openswan 2.4.2


1.   Aggressive Mode support is included.  You enable it by:

	aggrmode=yes|no

	Default is no

2.  Mode Config support is included.  This is most useful when you are a 
client to something like a Cisco VPN concentrator.  See contrib/cisco for
a handy tool to convert Cisco .pcf files to Openswan ipsec.conf and 
ipsec.secrets entries.  A sample config below:

conn cisco-client
        ike=3des-md5-modp1024
        aggrmode=yes
        authby=secret
        left=%defaultroute
        leftmodecfgclient=yes
        leftxauthclient=yes
        leftid= GROUPID, prefixed with @  (eg: @xelerance)
        right= IP of Cisco Concentrator
        rightxauthserver=yes
        rightmodecfgserver=yes
        modecfgpull=yes
	pfs=no
        auto=add


You can then 'ipsec whack --name cisco-client --initiate' to start it.  
You will be prompted for your username and password.


3. KLIPS for kernel 2.6 support.

This version will build in most situations on the 2.6 kernel.
There will be warnings, and in some cases it will fail. The essential
instructions are:
	     1) export KERNELSRC=your built kernel sources.
		Defaults to /usr/src/linux-2.6
	     2) export MOD26BUILDDIR=some place to put stuff
		Defaults to modobj26.
             3) "make module26"

So for instance we can do:
       export KERNELSRC=/corp/network/elros/kernel2.6 
       export MOD26BUILDDIR=/corp/network/elros/mod26 
       make module26

This will result in a file:

   =========================================================

   KLIPS26 module built successfully. 
   ipsec.ko is in /corp/network/elros/mod26/modobj26

   -rw-r--r--  1 mcr mcr 403544 Sep 21 18:13 ipsec.ko
      text    data     bss     dec     hex filename
    304788   10328    5852  320968   4e5c8 ipsec.ko

This file should be installed in /lib/modules, using
     make m26install

Please note that it creates a ".ko" file.

If using User-Mode-Linux, please set "KERNVER=26" in the umlsetup.sh,
and see the example in testing/utils/umlsetup-sample.sh.



*************************************************************************
These notes apply to Openswan 2.2.0 developer release 2 ("dr2")

Client side XAUTH is broken.
There is a bad interaction between XAUTH policy and Algorithm policy such
that XAUTH is not enabled properly.

Note: This is fixed in 2.3.0dr3


*************************************************************************
These notes apply to Openswan 2.2.0 developer release 1 ("dr1")

The major feature is that JuanJo's "alg" branch has been incorporated into
the code. This includes both AES and 3DES code at the moment. Other
modules likely will work, but are not tested.

Note: The AES module has been incorporated into the single ipsec.o module.
It is untested with 2.6's cryptoAPI at the moment.

To enable IKE algo support, add the ike= and esp= parameters to your
connection definition - eg:

    conn westnet-eastnet-aes
	 ike=aes256
	 esp=aes256-sha1


There is now a "x509" debug level for pluto. Many error messages have been
revised in the X.509 code.  To view these messages, add

plutodebug="x509" 

to your ipsec.conf file.  DR1 contains the X.509 patch v1.4.8 code only.  
Work to merge 1.5.4 is underway, but not yet complete.  1.5.4 may appear
in 2.2dr2, but if not, it will appear in 2.2.0 final.

New test cases have been created for sending X.509 certificates via IKE,
with and without CRLs, and with a variety of CA options. Some bugs were 
fixed in x509.c relating to what constitutes a root CA. 

Dead Peer Detection (RFC3706) has been included, as well as test cases.