#########################################################################
# Openswan 2.X Release Notes
#########################################################################

Openswan is an IPsec implementation for Linux. It has support for most
of the extensions (RFC + IETF drafts) related to IPsec, including
IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.

Openswan was originally based on FreeS/WAN 2.04 CVS with the X.509 Patch
from Andreas Steffen, the NAT-T patch from Arkoon networks and some minor
bug fixes from 2.05 and 2.06. See CREDITS for the history.

Download it from
    https://download.openswan.org/openswan/
#########################################################################
# REQUIREMENTS
#########################################################################

Recent Linux distributions based on either kernel 2.4.x or 2.6.x are
the currently supported platforms.

Most recent distributions have package support for openswan. Unless
a source based build is truly needed, it is often best to use the
distribution's pre-built packaged version.

There are a few packages required for Openswan to compile from source:

1. The GNU Math Precision Library:
    Debian package names: libgmp-dev
    Rpm package names: gmp, gmp-devel
    Rpm users may need to install gcc if it is not installed on their
    system already.

2. make, flex and bison:
    Debian package names: make, flex, bison
    Rpm package names: same as for Debian

3. iproute2, iptables, sed, awk, bash, cut and possibly other tools
   are required at runtime.
    Debian package names: iproute2, iptables, the rest are usually there
    Rpm package names: same as for Debian
    python is also required for "ipsec verify".

4. Running unit tests:
    Debian package names: libpcap0.8-dev, libpcap0.8, electric-fence, tcpdump
    Rpm package names: libpcap, libpcap-devel, ElectricFence, tcpdump

5. Building with LIBNSS:
    Debian package names: libnspr4-dev, libnss3-dev, libnss3-tools
    Rpm package names: same as for Debian
#########################################################################
# HOW TO INSTALL on Kernel 2.6 (And Kernels with 2.6 IPsec backport)
#########################################################################

NETKEY (Native linux IPsec stack)
---------------------------------

To use Openswan with the linux native (builtin) IPsec stack, the
following steps should be all that are needed. Please use at least kernel
version 2.6.9, as prior versions of the kernel have serious bugs in the
native IPsec stack. From the Openswan directory:

    make programs
    sudo make install

Note: The ipsec-tools package is no longer needed. Instead iproute2 >= 2.6.8
is required. For backported kernels, setkey and thus ipsec-tools might still
be required. Run 'ipsec verify' to determine if your system has either one
of the requirements.
KLIPS/KLIPSNG (Openswan IPsec stack)
------------------------------------

To use the Openswan KLIPS IPsec stack (ipsec0 devices) for Linux
Kernels 2.6.23 and higher, the following steps should work. From the
Openswan directory:

    make programs
    make KERNELSRC=/lib/modules/`uname -r`/build module
    sudo make KERNELSRC=/lib/modules/`uname -r`/build install minstall

For Linux 2.6 Kernels before 2.6.23, including 2.4 linux systems, the kernel
requires patching if NAT-T support or SAref tracking is required. Full kernel
source will be required as the kernel sources are being patched, built and
installed. It is good practice to build and install an unpatched kernel
before starting to ensure the process is correct. See your distribution
documentation on how to build and install a new kernel.

Determine the linux source directory, for example /usr/src/linux on
most full source installs. It may also be /usr/src/linux-2.[46].X

Add NAT-T support (if required).
    From the Openswan source directory:

    make KERNELSRC=/usr/src/linux nattpatch | patch -d /usr/src/linux -p1

Add SAref tracking support (if required).
    Premade patches for some distributions' kernels can be found in
    patches/kernel/. It is recommended that kernel 2.6.32 or higher is
    used. Documentation on SAref/MAST can be found in docs/HACKING/Mast*
    and doc/klips/mast.xml. To understand what SAref tracking does, see
    doc/ipsecsaref.png and the overlapip= entry in the ipsec.conf man page.
    From the Openswan source directory:

    make KERNELSRC=/usr/src/linux sarefpatch | patch -d /usr/src/linux -p1

Add OCF HW offloading support
    For OCF HW offloading support, you also need a patched kernel.
    See http://ocf-linux.sourceforge.net/ for more details.

Build and install a new kernel
    See your distribution documentation on how to install a new kernel.
    It should be something similar to:

    cd /usr/src/linux
    make oldconfig
    make dep                (this step is ignored on 2.6 systems)
    make bzImage install

Build Openswan
    From the Openswan source directory:

    make programs
    make KERNELSRC=/usr/src/linux module
    sudo make KERNELSRC=/usr/src/linux install minstall

The Openswan configuration file can select which ipsec stack to use at
runtime by using the "protostack=<klips|netkey|mast>" option in ipsec.conf.
See the ipsec.conf man page for more information on configuration options.
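
The kernel-version thresholds given in this section (2.6.9 for NETKEY, 2.6.23 for building KLIPS without kernel patching) can be checked before choosing a build path. The helper below is an added example, not part of the Openswan distribution; the function names and result labels are hypothetical, and the release strings in the loop are constructed samples.

```shell
#!/bin/sh
# Added example (not Openswan code): map a kernel release string to the
# install paths described above. Function names and labels are hypothetical.

# kver_ge A B: succeed when dotted version A >= B. Fields are compared as
# numbers, so 2.6.9 sorts below 2.6.23 (a plain string compare gets this wrong).
kver_ge() {
    awk -v a="${1%%[!0-9.]*}" -v b="${2%%[!0-9.]*}" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# openswan_stack_advice [RELEASE]: defaults to the running kernel.
# A version number alone cannot reveal a 2.6 IPsec backport, so a backported
# older kernel is still reported as netkey=too-old.
openswan_stack_advice() {
    rel=${1:-$(uname -r)}
    if kver_ge "$rel" 2.6.9; then
        netkey="netkey=ok"
    else
        netkey="netkey=too-old"
    fi
    if kver_ge "$rel" 2.6.23; then
        klips="klips=module-build"
    else
        klips="klips=patch-kernel-if-natt-or-saref"
    fi
    printf '%s %s\n' "$netkey" "$klips"
}

# Constructed sample release strings.
for r in 2.4.37 2.6.8 2.6.18-92.el5 2.6.32-5-amd64; do
    printf '%-16s ' "$r"
    openswan_stack_advice "$r"
done
```

Called without an argument, openswan_stack_advice uses the output of uname -r; 'ipsec verify' remains the check for the userland requirements.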
#########################################################################
# UPGRADING
#########################################################################

1. If you are upgrading from a 1.x product to Openswan 2.x, you will
   need to adjust your config files. See doc/upgrading.html for details
   on what has changed.

2. You can 'make install' over the top of your old version - it won't
   replace your /etc/ipsec.* config files.
#########################################################################
# SUPPORT
#########################################################################

Mailing Lists:
    https://lists.openswan.org is home of the mailing lists. Note: these are
    closed lists - you *must* be subscribed to post.

Wiki:
    https://github.com/xelerance/Openswan/wiki is home to the Openswan Wiki.
    It has the most up to date documentation, interop guides and other related
    information.

IRC:
    Openswan developers and users can be found on IRC, on #openswan on
    irc.freenode.net.

Commercial support for Openswan is also available - see
https://www.xelerance.com/incidents for more information, or
email sales@xelerance.com
#########################################################################
# BUGS
#########################################################################

Bugs with the package can be reported on:
    https://github.com/xelerance/Openswan/issues

Security vulnerabilities can be e-mailed to: security@xelerance.com

#########################################################################
# SECURITY HOLES
#########################################################################

All security vulnerabilities found that require public disclosure will
receive proper CVE tracking numbers (see http://mitre.org/) and will be
co-ordinated via the vendor-sec mailing list. A complete list of known
security vulnerabilities is available at:

    https://github.com/xelerance/Openswan/wiki/Security-and-vulnerability-information
#########################################################################
# DEVELOPMENT
#########################################################################

Those interested in the development, patches and beta releases of Openswan
can join the development mailing list (https://lists.openswan.org -
dev@lists.openswan.org) or join the development team on IRC in
#openswan-dev on irc.freenode.net

#########################################################################
# DOCUMENTATION
#########################################################################

The most up to date docs are at https://github.com/xelerance/Openswan/wiki

Several high-level documents are in the doc directory. Most are in HTML
format; see doc/index.html for the top level index. These are now
considered obsolete.

To build from source, you will need at least 60MB free (Source tree is
currently 40MB).

The bulk of this software is under the GNU General Public License; see
LICENSE. Some parts of it are not; see CREDITS for the details.