CHANGES

Please see docs/KNOWN_BUGS file for more information

v2.6.07
* IKEv2 retransmit fixes [mcr]

v2.6.06
* Added IKEv2 X.509 CERTREQ [antony]
* Interop fix for IKEv2 PSK - Use correct IETF Key Pad without \0 [paul]
* Fixed a few IKEv2 related crashers on receiving a NOTIFY in R1 [paul]

v2.6.05
* Added IKEv2 X.509 CERT [antony/paul]

v2.6.04
* Added IKEv2 PSK AUTH [antony/paul]

v2.6.03
* Added IKEv2 RSA AUTH [mcr]

#stable
* Merged in XAUTH DNS/WINS server-side patch from Anna Wiejak [paul]
  See: http://popoludnica.pl/?id=10100110 
* Various fixes to the scripts for NETKEY [paul]
* KLIPS support for the 2.6.23+ UDP ENCAP sockets [mcr]
  Userland support not yet finished. This should obsolete the NAT-T patch
  when finished.
* incorporated changes between 2.4.8 and 2.4.9
* incorporated changes between 2.4.9 and 2.4.10
* Notice and gracefully fail to load KLIPS when we try to load esp/ah/ipcomp
  protocol and another module already has registered these (eg esp4, ah4,
  ipcomp) [paul]
* Fix for KLIPS NAT-T dropping all packets on 64bit big endian machines [dhr]
* FIx for KLIPS on 2.6.23.1 without CONFIG_NF_CONNTRACK* [paul]
* Bugtracker bugs fixed:
  #708: vanilla kernel-2.6.19, KLIPS compile error (sock_unregister) [sergeil]
  #654: XAUTH strips space out of username/password + patch [Dustin Lang]
  #641: Herein patches to fix warnings if -Wshadow is used [andygay/paul]
  #580: kernel 2.4.x cryptoapi broken [espakman]
  #582: Cannot initiate on demand a connection with traffic selectors [Ilia Sotnikov]
  #590: serpent lib used private kernel header [paul]
  #544: the following error should only show up for x509 debugging: ... [paul]
  #185: Deadlock in function "scx_release()" daemon pluto.(SMARTCARD) [Kurodo]

v2.5.15
   change ipsec_breakroute to permit non-existant eroute's to be replaced.  
   fix for NAT-T negotiation with IP address changes during negotiation.
   adjusted addconn to support nat-t debug keywords.

v2.5.14
   failed attempt to fix ipsec_breakroute.
   fixed leftsendcert= to be implemented in keyword parser.
   introduced startnetkey functions.
   UML kernel configuration canonicalization updated.

v2.5.13
   move DNS lookups from libipsecconf into pluto, where they belong. DNS lookups
	are still only done once during conn load time, and are done synchronously.

v2.5.12
   A fix to detect that XEN has been patched into the kernel, and set
   some of the 2.6.18 changes.
   never log starter_log() things to stdout, they always go to stderr.
   when a packet is passed through, do not call NF_IP_LOCAL_OUT, as it has already 
	passed through the output hooks, and doing it again, confuses things
	causing ip_route_me_harder() which creates a look, since it does the flow
	lookup again. (This doesn't happen if the kernel hasn't got XFRM support)
   fixed parsing of config file so that "version 2" is accepted.
   fixed addconn to respect "right/left"sourceip=, new test case sourceip-01 
   fixed processing of "first"/"last" packet for %trap/%hold conns in KLIPS, it now
	properly forwards the packets when the packet is released.
   

v2.5.11
   Some fixes in KLIPS for "ipsec eroute --clear" bug. It is not clear
   why this suddendly became an issue, or if it would have been an issue
   previously, given the right compiler optimization.
   
v2.5.10
   Includes fixes for xmlto generation for _confread directory.

v2.5.09
   Minor fix to build process, updated CHANGES file.

v2.5.08
   Correct release.
   Includes some changes to permit OE to work without nexthop,
   however this seems to cause it to return an unreachable on 
   the first message.

v2.5.07	-dud due to release script error.

v2.5.06
   set LANGUAGE, LANG and LC_ALL in setup script.
   change OE off by default note and scripts.
   Merge of additional code from 2.4.
   
v2.5.05
   2.5.03 and 2.5.04 were not properly released, and 2.5.05 now
   is properly released and includes below items
    
v2.5.04
    zero peer_ca to avoid crashes.
    (include glob's may still not work correctly)

v2.5.03
    ipsec.conf parsing should ignore keywords that start with x-
	they are a form of structured comment.
    added in forceencaps= keyword.
    process wildcards with glob() in include statements.

v2.5.02
    fixed bug in ipsec.conf parser, where it could not read values
       that had = in them (such as base64 encoded keys)
    fixed bug in key continuation code that could cause a crash
	if the DNS request timed out after the state was deleted
	for other reasons.
 
v2.5.01
    merged xauthusername code base + multinet tests in.
    removed /dev/hw_random from list of valid random sources on linux.
        use "rngd" instead to feed /dev/random.

v2.5.00 
    fixed various bugs with lifetime values in ipsec.conf parser
    AES-128 (group 5, MD5 or SHA1 for PRF) is now accepted for phase 1,
	and it is now the preferred cipher as well. This should be the
	case for Main mode, Aggressive mode, and for XAUTH client and
	XAUTH server, and PSK and RSA sig mode.

    fixes so that starter will now compile
    move whacklib to lib/libwhack
    adjust makefiles to work with OBJDIR version of Makefile.program
    switch to OBJDIR in programs/* and lib/* if it is defined

    added sanitizer for PID files
    be smarter about including git version info into version
    We need to use /dev/urandom first, as it has more random than /dev/random.
       Otherwise, we run out really fast (within a few minutes)
    Use endian.h when comiling out-of-kernel
    patch to turn error about 17/500,0/0 vs 17/0 error with Cisco VPN3000
       into a warning.
    remove test for NAT-T VID vs NATD payload test. It fails for reasons
       that are unknown at this time, and this check is really being pedantic.
    MAJOR: use starter code for "addconn"
    MAJOR: always use OBJDIRs, and compile on Windows (no kernel)
    MAJOR: includes "Taproom" code --- TCL call outs from pluto at IKE
		transition states. 

v2.4.10
* Fix for sock.sk_stamp type change in 2.6.22 [dhr]
* Workaround for implementations that propose port 0 for l2tp to allow
  us to connect to all their ports (instead of only 1701). This happens
  with Cisco VPN 3000, OSX and Windows XP. This relates to various
  reported bugs about rightprotoport=17/%any and CK_INSTANCE crashers [mcr]
  Use the workaround for OSX clients using rightprotoport=17/0
* Backport of fix for xauth name containing a space [paul]
* Fix for final next payload in Aggressive Mode [David McCullough]
* Fixes for compliling against 2.6.22 [David McCullough / Hugh Redelmeier]
  (note: NAT-T KLIPS patch will not work on 2.6.23+)
* Speed gains in the scripts on systems with many interfaces [David McCullough]
* passert declaration fix [David McCullough]
* A missed nfmark -> mark case in ipsec_sa.h [David McCullough]
* Fix for ktime_to_timeval to use proper kernel versions [paul]
* Added back -DCONFIG_KLIPS_ALG in KLIPSCOMPILE, which we require when not
  building KLIPS with David's OCF patch [paul]
* Added SElinux patch in contrib/ [Venkat Yekkirala]
* Bugtracker bugs fixed:
  #449: 17/%any is a template conn problem [mcr]
  #708: vanilla kernel-2.6.19, KLIPS compile error (sock_unregister) [sergeil]
  #796: can't compile 2.4.8 on kernel 2.4.34 (module_param fix) [sergeil]
  #802: Error: "our client ID returned doesn't match my proposal" [mcr/paul]
  #813: incorporate bleve's lsb patch [tuomo]
  #824: defaultroute detection fails with PPP default route [sergeil]
  (this is also the bug introduced in 2.4.9 that causes failed subnet tunnels)
  #855: Pluto restart impossible on busybox [paul]

v2.4.9
* Fix for Aggressive Mode with NAT-T (no negotiation in aggrmode) [mcr]
* Integrated most openwrt workarounds - tested on whiterussian  [paul]
* Typofix for smartcard support [andreas zwicker]
* Fix for when responder PSK incorrectly uses pfs and has nhelpers=0
  [Matthias Haas]
  #801: Patch for fixing type-punned compiler warnings [Alin Nastac]
  #811: Patch for using custom algs with CONFIG_KLIPS_ALG [iamscard]
  #812: Bogus defaultroute nexthop for PPPoE (& PPP?) [BruceS]

v2.4.5
* Fix for compiling on 2.6.14 kernels 
* Refactored natd_lookup / hash code, probably fixes lot of NAT related bugs
  #401 l2tp connection is not work with 2.6 build in IPSEC
  #442 Pluto uses wrong port in NAT-D calculation
  #450 macosx (possible generic PSK+NAT-T rekey bug: eroute already in use.
  #462 updated patch for Openswan and OS X with NAT-T
  #509 KLIPS compilation fail with kernel-2.6.14.2 


v2.4.4
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state) 
  (see http://www.openswan.org/niscc2/)
  (proper fix in pluto_constants.h)
* Fix for kernels having strstr
* Various gcc4 warning fixes
* disable CONFIG_IPSEC_NAT_TRAVERSAL per default so we can build KLIPS on
  Fedora systems.
* questionable spin_unlock commented out. Might fix reported SMP crashers.
* update to permit alg code without module support
* Fix for detecting proper kernel source/header directory on fedora
* Various bugfixes as reported on http://bugs.openswan.org/
  #499: check for module support in kernel for IPsec Modular Extensions
  #500: recent awk breaks on 'setdefault' command


v2.4.3
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state) 
  (see http://www.openswan.org/niscc2/)
  (incorrect fixed. version not released)

v2.4.2
* Fixes for compiling on 2.6.14 by David McCullough
* Minor fixes to accomodate FC4 2.6.11 kernels.
* Fix for compilation of KLIPS on 2.4.x kernels.
* Fix for NAT-T on 2.4.31
* Fix for 'short' packets with KLIPS on 2.4.x
* Merged in Jacco's l2tp configuration examples
* Various bugfixes as reported on http://bugs.openswan.org/
  #286 Incorrect links in intro.html
  #344 netkey-acquire patch
  #376 install_ipsec_sa and install_inbound_ipsec_sa
  #486 ASSERTION FAILED at crypto.c:258: key_size==(DES_CBC_BLOCK_SIZE * 3)
  (see http://www.openswan.org/niscc2/)

v2.4.1
* Not publically released

v2.4.0
* NAT-T support for KLIPS on 2.6 (Sponsored by Astaro)
* Additional Cipher support with KLIPS on 2.6 (Sponsored by Astaro)
* Fix for NAT-T/PSK rekey (Ulrich @ Astaro)
* Various bugfixes: #269, #328, #342, #350, #355, #357, #361, #363

v2.3.1
* NAT-T RFC support (mlafon/mcr)
* NAT-T Server Side rewrite - handles rekeying alot better
* NAT-T Client Side rekey bug fixed
* Removed HowTo (obselete)
* IPKG packaging updates
* Log message updates
* dpdaction=restart support 

v2.3.0
* KLIPS for 2.6 support (Experimental)
  [ good results on FC3-AMD and vanilla/debian kernel source, but not
    FC3-intel. Might be the grsecurity patch  ]
* Aggressive Mode Support (client and server)
* IKE Mode Config support (Experimental)
* Cisco VPN 3xxx client Interop (Experimental)
* Cryptographic helpers framework
* Fixes for NAT-T on 2.4.28+ kernels.

v2.2.0
* Added RFC 3706 DPD support (see README.DPD)
* Added AES from JuanJo's ALG patches
* Fixes for /proc filesystem issues that started to appear in 2.4.25

v2.1.2
* Fix loading of 2.6 modules 
* Fix for snprintfs() in /proc, new for 2.4.25 kernels (dhr/pw)
* Fix checks for some log files/dirs in case they are sockets or pipes (pw)
* Fix for crl.pem crash/core (dhr/as/kb)

v2.1.1
* Fix _pluto_adns installation path (kb)
* Fix sending of X.509 CR's when no CA present (mcr)

v2.1.0
* NAT-T support (Mathieu Lafon - Arkoon)
* X.509 fixes (Andreas Steffan)
* New configuration file directive, {left|right}sourceip=#.#.#.# 
  This will set the source address when talking to a particular 
  connection.  This is very usefull to assign a static IP to your laptop 
  while travelling.  This is based on Tuomo Soini's Advanced Routing 
  patch.

<<<<<<< HEAD:CHANGES
RCSID $Id: CHANGES,v 1.326.2.31 2005/11/24 05:35:43 ken Exp $
=======
RCSID $Id: CHANGES,v 1.326.2.118 2007/07/09 23:11:56 paul Exp $
>>>>>>> 1121e33... changes for 2.4.9:CHANGES