1 #########################################################################
2 # Openswan 2.X Release Notes
3 #########################################################################
4 ************ See docs/RELEASE-NOTES.txt for more information ************
6 Openswan is an IPsec implementation for Linux. It has support for most
7 of the extensions (RFC + IETF drafts) related to IPsec, including
8 IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.
10 Openswan was originally based on FreeS/WAN 2.04 CVS with the X.509 Patch
11 from Andreas Steffen, the NAT-T patch from Arkoon networks and some minor
12 bug fixes from 2.05 and 2.06. See CREDITS for the history.
16 http://www.openswan.org/code/
17 ftp://ftp.openswan.org/openswan/
19 #########################################################################
21 #########################################################################
23 A recent Linux distribution based on either Kernel 2.4.x, or 2.6.x are
24 the currently supported platforms.
26 Most recent distributions have package support for openswan. Unless
27 a source based build is truly needed, it is often best to use the pre-built
28 distributions packaged version.
30 There are a few packages required for Openswan to compile from source:
32 1. The GNU Math Precision Library:
34 Debian package names: libgmp3, libgmp3-dev
35 Rpm package names: gmp, gmp-devel
37 2. awk, flex and bison
39 Debian package names: gawk/mawk, flex, bison
40 Rpm package names: ????
42 3. iproute2, iptables, sed, awk, bash, cut and possible other tools
43 are required at runtime.
45 Debian package names: iproute, iptables, the rest are usually there
46 Rpm package names: ????
48 perl is also required for "ipsec verify".
50 #########################################################################
51 # HOW TO INSTALL on Kernel 2.6 (And Kernels with 2.6 IPsec backport)
52 #########################################################################
54 NETKEY (Native linux IPsec stack)
55 ---------------------------------
57 To use Openswan with the linux native (builtin) IPsec stack, then the
58 following steps should be all that are needed. Please use at least kernel
59 version 2.6.9, as prior versions of the kernel have serious bugs in the
60 native IPsec stack. From the openswan directory:
65 Note: The ipsec-tools package is no longer needed. Instead iproute2 >= 2.6.8
66 is required. For backported kernels, setkey and thus ipsec-tools might still
67 be required. Run 'ipsec verify' to determine if your system has either one
70 KLIPS/KLIPSNG (Openswan IPsec stack)
71 ------------------------------------
73 To use the Openswan KLIPS IPsec stack (ipsec0 devices) for Linux
74 Kernels 2.6.23 and higher, the following steps should work. From the
78 make KERNELSRC=/lib/modules/`uname -r`/build module
79 sudo make KERNELSRC=/lib/modules/`uname -r`/build install minstall
81 For Linux 2.6 Kernels before 2.6.23, including 2.4 linux systems, the kernel
82 requires patching if NAT-T support or SAref tracking is required. Full kernel
83 source will be required as the kernel sources are being patched, built and
84 installed. It is good practice to build and install an unpatched kernel
85 before starting to ensure the process is correct. See your distribution
86 documentation on how to build and install a new kernel
88 Determine the linux source directory, for example /usr/src/linux on
89 most full source installs. It may also be /usr/src/linux-2.[46].X
91 Add NAT-T support (if required).
93 From the Openswan source directory:
95 make KERNELSRC=/usr/src/linux nattpatch | patch -d /usr/src/linux -p1
97 Add SAref tracking support (if required).
99 Premade patches for some distributions kernels can be found in
100 patches/kernel/ It is recommended that kernel 2.6.32 or higher is
101 used. Documentation on SAref/MAST can be found in docs/HACKING/Mast*
102 and doc/klips/mast.xml. To understand what SAref tracking does, see
103 doc/ipsecsaref.png and the overlapip= entry in the ipsec.conf man page.
105 From the Openswan source directory:
107 make KERNELSRC=/usr/src/linux sarefpatch | patch -d /usr/src/linux -p1
109 Add OCF HW offloading support
111 For OCF HW offloading support, you need also need a patched kernel
112 See: http://ocf-linux.sourceforge.net/ for more details.
114 Build and install a new kernel
116 See your distribution documentation on how to install a new kernel.
117 It should be something similar to:
121 make dep - this step is ignore on 2.6 systems)
126 From the Openswan source directory:
129 make KERNELSRC=/usr/src/linux module
130 sudo make KERNELSRC=/usr/src/linux install minstall
132 The Openswan configuration file can select which ipsec stack to use at
133 runtime by using the "protostack=<klips|netkey|mast>" options in ipsec.conf.
134 See the ipsec.conf man page for more information on configuration options.
136 #########################################################################
138 #########################################################################
140 1. If you are upgrading from a 1.x product to Openswan 2.x, you will
141 need to adjust your config files. See doc/upgrading.html for details
144 2. You can 'make install' overtop of your old version - it won't replace
145 your /etc/ipsec.* config files
147 #########################################################################
149 #########################################################################
153 http://lists.openswan.org is home of the mailing lists. Note: these are
154 closed lists - you *must* be subscribed to post.
158 http://wiki.openswan.org is home to the Openswan WIKI. It has the most
159 up to date documentation, interop guides and other related information.
163 Openswan developers and users can be found on IRC, on #openswan on
164 irc.freenode.net. If you need more information on our IRC channel, see
165 http://www.openswan.org/support/irc.php
167 Commercial support for Openswan is also available - see
168 http://www.xelerance.com/openswan/support.php for more information, or
169 email sales@xelerance.com
171 #########################################################################
173 #########################################################################
175 Bugs with the package can be filed into our Mantis system, at
176 http://bugs.openswan.org
178 #########################################################################
180 #########################################################################
182 All security vulnerabilities found that require public disclosure will
183 receive proper CVE tracking numbers (see http://mitre.org/) and co-ordinated
184 via the vendor-sec mailing list. A complete list of known security
185 vulnerabilities is available at: http://www.openswan.org/security/
187 #########################################################################
189 #########################################################################
191 Those interested in the development, patches, beta releases of Openswan
192 can join the development mailing list (http://lists.openswan.org -
193 dev@lists.openswan.org) or join the development team on IRC in
194 #openswan-dev on irc.freenode.net
196 For those who want to track things a bit more closely, the
197 commits@lists.openswan.org mailinglist will mail all the commit messages.
199 #########################################################################
201 #########################################################################
203 The most up to date docs are at http://wiki.openswan.org/
205 Several high-level documents are in the doc directory. Most are in HTML
206 format; See doc/index.html for the top level index. These are now
209 To build from source, you will need at least 60MB free (Source tree is
212 The bulk of this software is under the GNU General Public License; see
213 LICENSE. Some parts of it are not; see CREDITS for the details.