Openswan
Type Name Latest commit message Commit time
contrib pluto-log-merge.pl - improve parsing of the message ID string Oct 21, 2019
debian Move source package lintian overrides to debian/source. Mar 18, 2020
docs Adding reference to BUGS in docs/KNOWN_BUGS.txt Aug 21, 2018
include Clean compile connections.c & decrementing warns in pluto_constants.c Nov 12, 2019
lib lib/libpluto/writehackmsg.c: fix build on musl Jan 11, 2020
linux wo#8100 . remove some unused-const-variables Jan 25, 2019
macports Added a macports directory with updated versions of nss and nspr. May 15, 2009
nat-t Revert "added osx app and put the source code inside" May 3, 2009
ng-patch Revert "added osx app and put the source code inside" May 3, 2009
osxApp * OSX: Delete old compiled .a files from source tree Feb 8, 2012
packaging Update VERSION to 2.6.52.1 Mar 17, 2020
patches SAREF: kernel patches updated to linux 3.11.0 Feb 21, 2014
ports wo#8100 . remove incorrect calls to linux/types.h Jan 25, 2019
programs fix warning about switch fallthrough in parse_isakmp_sa_body() Feb 6, 2020
security Add a list and copy of all CVE's related to openswan. Oct 7, 2010
tests Merge remote-tracking branch 'mcr/t9219-examine-ike-des-setting' into… Dec 13, 2019
.gitignore Ignore swp files (created by vim) Jan 29, 2017
.travis.yml wo#8419 - refactor Travis test matrix, add validate-libpluto test Apr 15, 2019
BUGS Specify compatibility issues with strongSwan & Openswan. Provided Aug 21, 2018
CHANGES Update VERSION to 2.6.52.1 Mar 17, 2020
COMPATIBILITY_ISSUES update COMPATIBILITY_ISSUES to reflect outstanding pfs=yes DH group c… Oct 29, 2019
CONTRIBUTION.md Add CONTRIBUTION.md Jul 25, 2019
COPYING * Updated FSF address on the GPLv2 COPYING file Jan 27, 2014
CREDITS Pointing email back to Xelerance. Jan 27, 2014
CROSSCOMPILE.sh Fix CROSSCOMPILE.sh doc Oct 26, 2010
INSTALL Revert "added osx app and put the source code inside" May 3, 2009
LICENSE Revert "added osx app and put the source code inside" May 3, 2009
Makefile wo#8180 - do not pass MAKEFLAGS explicitly Apr 29, 2019
Makefile.common task #4270 using short notation, using GNUmakefile notdir, and making… Jul 31, 2015
Makefile.inc removed references to libmd2 Jul 4, 2019
Makefile.top Bump version to 2.6.52dev May 23, 2019
Makefile.vendor make -lgmp into a variable Sep 5, 2014
Makefile.ver Update VERSION to 2.6.52.1 Mar 17, 2020
README Update README for dependencies Apr 8, 2019
build-nss wo#7817 . additional tweaks to build and test NSS version correctly Dec 17, 2018
buildlin.sh Update path to gmp.h for buildlin.sh (Thanks to jejayhe) Oct 23, 2017
buildwin.sh Revert "added osx app and put the source code inside" May 3, 2009
noise.dat wo#7817 . when generating private keys, do it from captured noise, to… Dec 17, 2018
snapshotsigs.pgp Revert "added osx app and put the source code inside" May 3, 2009

README

#########################################################################
#            Openswan 2.X Release Notes
#########################################################################

Openswan is an IPsec implementation for Linux. It has support for most 
of the extensions (RFC + IETF drafts) related to IPsec, including 
IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.

Openswan was originally based on FreeS/WAN 2.04 CVS with the X.509 Patch
from Andreas Steffen, the NAT-T patch from Arkoon networks and some minor
bug fixes from 2.05 and 2.06.  See CREDITS for the history.

Download it from

    https://download.openswan.org/openswan/

#########################################################################
# REQUIREMENTS
#########################################################################

Recent Linux distributions based on either kernel 2.4.x or 2.6.x are
the currently supported platforms.

Most recent distributions have package support for openswan.  Unless
a source-based build is truly needed, it is often best to use the
distribution's pre-built packaged version.

There are a few packages required for Openswan to compile from source:

1. The GNU Math Precision Library:

   Debian package names: libgmp-dev
   Rpm package names:    gmp, gmp-devel

   Rpm users may need to install gcc if it is not already installed on their system.

2. make, flex and bison:

   Debian package names: make, flex, bison
   Rpm package names:    same as for Debian

3. iproute2, iptables, sed, awk, bash, cut and possibly other tools
   are required at runtime.

   Debian package names: iproute2, iptables, the rest are usually there
   Rpm package names:    same as for Debian

   python is also required for "ipsec verify".

4. Running unit tests:

   Debian package names: libpcap0.8-dev, libpcap0.8, electric-fence, tcpdump
   Rpm package names:    libpcap, libpcap-devel, ElectricFence, tcpdump

5. Building with LIBNSS:

   Debian package names: libnspr4-dev, libnss3-dev, libnss3-tools
   Rpm package names:    same as for Debian

#########################################################################
# HOW TO INSTALL on Kernel 2.6 (And Kernels with 2.6 IPsec backport)
#########################################################################

NETKEY (Native linux IPsec stack)
---------------------------------

To use Openswan with the Linux native (builtin) IPsec stack, the
following steps should be all that are needed. Please use at least kernel
version 2.6.9, as prior versions of the kernel have serious bugs in the
native IPsec stack.  From the Openswan directory:

    make programs
    sudo make install

Note: The ipsec-tools package is no longer needed. Instead iproute2 >= 2.6.8
is required. For backported kernels, setkey and thus ipsec-tools might still
be required. Run 'ipsec verify' to determine if your system has either one
of the requirements.

KLIPS/KLIPSNG (Openswan IPsec stack)
------------------------------------

To use the Openswan KLIPS IPsec stack (ipsec0 devices) for Linux
Kernels 2.6.23 and higher, the following steps should work.  From the
Openswan directory:

    make programs
    make KERNELSRC=/lib/modules/`uname -r`/build module
    sudo make KERNELSRC=/lib/modules/`uname -r`/build install minstall

For Linux 2.6 Kernels before 2.6.23, including 2.4 linux systems, the kernel
requires patching if NAT-T support or SAref tracking is required. Full kernel
source will be required as the kernel sources are being patched, built and
installed.  It is good practice to build and install an unpatched kernel
before starting to ensure the process is correct.  See your distribution
documentation on how to build and install a new kernel.

    Determine the linux source directory,  for example /usr/src/linux on
    most full source installs.  It may also be /usr/src/linux-2.[46].X

    Add NAT-T support (if required).

        From the Openswan source directory:

          make KERNELSRC=/usr/src/linux nattpatch | patch -d /usr/src/linux -p1

    Add SAref tracking support (if required).

        Premade patches for some distribution kernels can be found in
        patches/kernel/.  It is recommended that kernel 2.6.32 or higher is
        used. Documentation on SAref/MAST can be found in docs/HACKING/Mast*
        and doc/klips/mast.xml. To understand what SAref tracking does, see
        doc/ipsecsaref.png and the overlapip= entry in the ipsec.conf man page.

        From the Openswan source directory:

          make KERNELSRC=/usr/src/linux sarefpatch | patch -d /usr/src/linux -p1

    Add OCF HW offloading support

        For OCF HW offloading support, you also need a patched kernel.
        See http://ocf-linux.sourceforge.net/ for more details.

    Build and install a new kernel

        See your distribution documentation on how to install a new kernel.
        It should be something similar to:

          cd /usr/src/linux
          make oldconfig
          make dep                    (this step is ignored on 2.6 systems)
          make bzImage install

    Build Openswan

        From the Openswan source directory:

            make programs
            make KERNELSRC=/usr/src/linux module
            sudo make KERNELSRC=/usr/src/linux install minstall

The Openswan configuration file can select which ipsec stack to use at
runtime by using the "protostack=<klips|netkey|mast>" options in ipsec.conf.
See the ipsec.conf man page for more information on configuration options.
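
The kernel-version thresholds given in this section (2.6.9 for NETKEY, 2.6.23
for building KLIPS without kernel patches, 2.6.32 recommended for SAref) can be
checked before building. The script below is an added example, not part of the
Openswan tree; its function names and the sample release strings are made up
for illustration.

```shell
#!/bin/sh
# Added example: map a kernel release string to the install path this README
# describes. Thresholds 2.6.9, 2.6.23 and 2.6.32 are the ones stated above.

# ver_num RELEASE -> comparable integer, e.g. 2.6.32-5-amd64 -> 2006032
ver_num() {
    # keep only the leading dotted numeric part, then split it on dots
    v=$(printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# at_least RELEASE MINIMUM -> exit status 0 when RELEASE >= MINIMUM
at_least() { [ "$(ver_num "$1")" -ge "$(ver_num "$2")" ]; }

# netkey_status RELEASE -> "ok" or "too-old" (native stack needs >= 2.6.9)
netkey_status() {
    if at_least "$1" 2.6.9; then echo ok; else echo too-old; fi
}

# klips_path RELEASE -> which KLIPS procedure from the README applies
klips_path() {
    if at_least "$1" 2.6.23; then
        echo module-only           # make module / install minstall, no patch
    else
        echo patch-for-natt-saref  # nattpatch/sarefpatch if those are needed
    fi
}

# saref_recommended RELEASE -> "yes" at or above the recommended 2.6.32
saref_recommended() {
    if at_least "$1" 2.6.32; then echo yes; else echo no; fi
}

# Constructed sample releases, followed by the running kernel
for rel in 2.4.37 2.6.8 2.6.18-348.el5 2.6.32-754.el6.x86_64 "$(uname -r)"; do
    printf '%-26s netkey=%s klips=%s saref-recommended=%s\n' "$rel" \
        "$(netkey_status "$rel")" "$(klips_path "$rel")" \
        "$(saref_recommended "$rel")"
done
```

The check only compares version numbers; a distribution kernel with a
backported IPsec stack still needs 'ipsec verify' as described above.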

#########################################################################
# UPGRADING
#########################################################################

1. If you are upgrading from a 1.x product to Openswan 2.x, you will
   need to adjust your config files.  See doc/upgrading.html for details
   on what has changed.

2. You can 'make install' over the top of your old version - it won't
   replace your /etc/ipsec.* config files.

#########################################################################
# SUPPORT
#########################################################################

Mailing Lists:

    https://lists.openswan.org is home of the mailing lists.  Note: these are
    closed lists - you *must* be subscribed to post.

Wiki:

    https://github.com/xelerance/Openswan/wiki is home to the Openswan Wiki.
    It has the most up to date documentation, interop guides and other related
    information.

IRC:

    Openswan developers and users can be found on IRC, on #openswan on
    irc.freenode.net.

Commercial support for Openswan is also available - see
https://www.xelerance.com/incidents for more information, or
email sales@xelerance.com

#########################################################################
# BUGS
#########################################################################

Bugs with the package can be reported at:
https://github.com/xelerance/Openswan/issues

Security vulnerabilities can be e-mailed to: security@xelerance.com

#########################################################################
# SECURITY HOLES
#########################################################################

All security vulnerabilities found that require public disclosure will
receive proper CVE tracking numbers (see http://mitre.org/) and be
co-ordinated via the vendor-sec mailing list. A complete list of known
security vulnerabilities is available at:
https://github.com/xelerance/Openswan/wiki/Security-and-vulnerability-information

#########################################################################
# DEVELOPMENT
#########################################################################

Those interested in the development, patches, and beta releases of Openswan
can join the development mailing list (https://lists.openswan.org -
dev@lists.openswan.org) or join the development team on IRC in
#openswan-dev on irc.freenode.net.

#########################################################################
# DOCUMENTATION
#########################################################################

The most up to date docs are at https://github.com/xelerance/Openswan/wiki

Several high-level documents are in the doc directory.  Most are in HTML
format; see doc/index.html for the top level index.  These are now
considered obsolete.

To build from source, you will need at least 60MB free (the source tree is
currently 40MB).

The bulk of this software is under the GNU General Public License; see
LICENSE.  Some parts of it are not; see CREDITS for the details.
