Permalink
Cannot retrieve contributors at this time
| ######################################################################### | |
| # Openswan 2.X Release Notes | |
| ######################################################################### | |
| Openswan is an IPsec implementation for Linux. It has support for most | |
| of the extensions (RFC + IETF drafts) related to IPsec, including | |
| IKEv2, X.509 Digital Certificates, NAT Traversal, and many others. | |
| Openswan was originally based on FreeS/WAN 2.04 CVS with the X.509 Patch | |
| from Andreas Steffen, the NAT-T patch from Arkoon networks and some minor | |
| bug fixes from 2.05 and 2.06. See CREDITS for the history. | |
| Download it from | |
| https://download.openswan.org/openswan/ | |
| ######################################################################### | |
| # REQUIREMENTS | |
| ######################################################################### | |
| A recent Linux distribution based on either Kernel 2.4.x, or 2.6.x are | |
| the currently supported platforms. | |
| Most recent distributions have package support for openswan. Unless | |
| a source based build is truly needed, it is often best to use the pre-built | |
| distributions packaged version. | |
| There are a few packages required for Openswan to compile from source: | |
| 1. The GNU Math Precision Library: | |
| Debian package names: libgmp-dev | |
| Rpm package names: gmp, gmp-devel | |
| Rpm users may need to install gcc if it is not installed on their system already | |
| 2. make, flex and bison: | |
| Debian package names: make, flex, bison | |
| Rpm package names: same as for Debian | |
| 3. iproute2, iptables, sed, awk, bash, cut and possibly other tools | |
| are required at runtime. | |
| Debian package names: iproute2, iptables, the rest are usually there | |
| Rpm package names: same as for Debian | |
| python is also required for "ipsec verify". | |
| 4. Running unit test: | |
| Debian package names: libpcap0.8-dev, libpcap0.8, electric-fence, tcpdump | |
| Rpm package names: libpcap, libpcap-devel, ElectricFence, tcpdump | |
| 5. Building with LIBNSS: | |
| Debian package names: libnspr4-dev, libnss3-dev, libnss3-tools | |
| Rpm package names: same as for Debian | |
| ######################################################################### | |
| # HOW TO INSTALL on Kernel 2.6 (And Kernels with 2.6 IPsec backport) | |
| ######################################################################### | |
| NETKEY (Native linux IPsec stack) | |
| --------------------------------- | |
| To use Openswan with the linux native (builtin) IPsec stack, then the | |
| following steps should be all that are needed. Please use at least kernel | |
| version 2.6.9, as prior versions of the kernel have serious bugs in the | |
| native IPsec stack. From the Openswan directory: | |
| make programs | |
| sudo make install | |
| Note: The ipsec-tools package is no longer needed. Instead iproute2 >= 2.6.8 | |
| is required. For backported kernels, setkey and thus ipsec-tools might still | |
| be required. Run 'ipsec verify' to determine if your system has either one | |
| of the requirements. | |
| KLIPS/KLIPSNG (Openswan IPsec stack) | |
| ------------------------------------ | |
| To use the Openswan KLIPS IPsec stack (ipsec0 devices) for Linux | |
| Kernels 2.6.23 and higher, the following steps should work. From the | |
| Openswan directory: | |
| make programs | |
| make KERNELSRC=/lib/modules/`uname -r`/build module | |
| sudo make KERNELSRC=/lib/modules/`uname -r`/build install minstall | |
| For Linux 2.6 Kernels before 2.6.23, including 2.4 linux systems, the kernel | |
| requires patching if NAT-T support or SAref tracking is required. Full kernel | |
| source will be required as the kernel sources are being patched, built and | |
| installed. It is good practice to build and install an unpatched kernel | |
| before starting to ensure the process is correct. See your distribution | |
| documentation on how to build and install a new kernel | |
| Determine the linux source directory, for example /usr/src/linux on | |
| most full source installs. It may also be /usr/src/linux-2.[46].X | |
| Add NAT-T support (if required). | |
| From the Openswan source directory: | |
| make KERNELSRC=/usr/src/linux nattpatch | patch -d /usr/src/linux -p1 | |
| Add SAref tracking support (if required). | |
| Premade patches for some distributions kernels can be found in | |
| patches/kernel/ It is recommended that kernel 2.6.32 or higher is | |
| used. Documentation on SAref/MAST can be found in docs/HACKING/Mast* | |
| and doc/klips/mast.xml. To understand what SAref tracking does, see | |
| doc/ipsecsaref.png and the overlapip= entry in the ipsec.conf man page. | |
| From the Openswan source directory: | |
| make KERNELSRC=/usr/src/linux sarefpatch | patch -d /usr/src/linux -p1 | |
| Add OCF HW offloading support | |
| For OCF HW offloading support, you need also need a patched kernel | |
| See: http://ocf-linux.sourceforge.net/ for more details. | |
| Build and install a new kernel | |
| See your distribution documentation on how to install a new kernel. | |
| It should be something similar to: | |
| cd /usr/src/linux | |
| make oldconfig | |
| make dep - this step is ignore on 2.6 systems) | |
| make bzImage install | |
| Build Openswan | |
| From the Openswan source directory: | |
| make programs | |
| make KERNELSRC=/usr/src/linux module | |
| sudo make KERNELSRC=/usr/src/linux install minstall | |
| The Openswan configuration file can select which ipsec stack to use at | |
| runtime by using the "protostack=<klips|netkey|mast>" options in ipsec.conf. | |
| See the ipsec.conf man page for more information on configuration options. | |
| ######################################################################### | |
| # UPGRADING | |
| ######################################################################### | |
| 1. If you are upgrading from a 1.x product to Openswan 2.x, you will | |
| need to adjust your config files. See doc/upgrading.html for details | |
| on what has changed. | |
| 2. You can 'make install' overtop of your old version - it won't replace | |
| your /etc/ipsec.* config files | |
| ######################################################################### | |
| # SUPPORT | |
| ######################################################################### | |
| Mailing Lists: | |
| https://lists.openswan.org is home of the mailing lists. Note: these are | |
| closed lists - you *must* be subscribed to post. | |
| Wiki: | |
| https://github.com/xelerance/Openswan/wiki is home to the Openswan Wiki. | |
| It has the most up to date documentation, interop guides and other related | |
| information. | |
| IRC: | |
| Openswan developers and users can be found on IRC, on #openswan on | |
| irc.freenode.net. | |
| Commercial support for Openswan is also available - see | |
| https://www.xelerance.com/incidents for more information, or | |
| email sales@xelerance.com | |
| ######################################################################### | |
| # BUGS | |
| ######################################################################### | |
| Bugs with the package can be report on: | |
| https://github.com/xelerance/Openswan/issues | |
| Security vulnerabilities can be e-mailed to: security@xelerance.com | |
| ######################################################################### | |
| # SECURITY HOLES | |
| ######################################################################### | |
| All security vulnerabilities found that require public disclosure will | |
| receive proper CVE tracking numbers (see http://mitre.org/) and co-ordinated | |
| via the vendor-sec mailing list. A complete list of known security | |
| vulnerabilities is available at: | |
| https://github.com/xelerance/Openswan/wiki/Security-and-vulnerability-information | |
| ######################################################################### | |
| # DEVELOPMENT | |
| ######################################################################### | |
| Those interested in the development, patches, beta releases of Openswan | |
| can join the development mailing list (https://lists.openswan.org - | |
| dev@lists.openswan.org) or join the development team on IRC in | |
| #openswan-dev on irc.freenode.net | |
| ######################################################################### | |
| # DOCUMENTATION | |
| ######################################################################### | |
| The most up to date docs are at https://github.com/xelerance/Openswan/wiki | |
| Several high-level documents are in the doc directory. Most are in HTML | |
| format; See doc/index.html for the top level index. These are now | |
| considered obsolete. | |
| To build from source, you will need at least 60MB free (Source tree is | |
| currently 40MB) | |
| The bulk of this software is under the GNU General Public License; see | |
| LICENSE. Some parts of it are not; see CREDITS for the details. | |