These notes apply to Openswan 2.4.2
1. Aggressive Mode support is included. You enable it with:
       aggrmode=yes|no
   The default is no.
2. Mode Config support is included. This is most useful when you are a
   client to something like a Cisco VPN concentrator. See contrib/cisco for
   a handy tool to convert Cisco .pcf files to Openswan ipsec.conf and
   ipsec.secrets entries. A sample config:

       conn cisco-client
           ike=3des-md5-modp1024
           aggrmode=yes
           authby=secret
           left=%defaultroute
           leftmodecfgclient=yes
           leftxauthclient=yes
           leftid=@GROUPID           (your group ID, prefixed with @, eg: @xelerance)
           right=CONCENTRATOR_IP     (the IP of the Cisco concentrator)
           rightxauthserver=yes
           rightmodecfgserver=yes
           modecfgpull=yes
           pfs=no
           auto=add

   You can then run 'ipsec whack --name cisco-client --initiate' to start it.
   You will be prompted for your username and password.
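The following is an added example, not code from Openswan or its notes: a small checker that parses ipsec.conf style "conn" sections and verifies the settings the cisco-client sample above depends on (an @-prefixed group ID in leftid, an address in right=, and yes/no values for the aggrmode, xauth and modecfg switches). The sample conn text, the group ID "@xelerance" and the address 192.0.2.10 are constructed for the example.

```python
# Added example (not part of the Openswan notes): a checker for the
# Mode Config / XAUTH client "conn" section shown above. It parses
# ipsec.conf style "conn <name>" sections and reports settings that would
# stop the sample from working.
import ipaddress
import re

# Keys the sample relies on that must be exactly "yes" or "no".
YES_NO_KEYS = {
    "aggrmode", "leftmodecfgclient", "leftxauthclient",
    "rightxauthserver", "rightmodecfgserver", "modecfgpull", "pfs",
}


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf style text.

    A section starts with an unindented "conn <name>" line; the settings
    that follow are indented "key=value" lines. "#" comments and blank
    lines are ignored. Other sections (e.g. "config setup") are skipped.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if not line[0].isspace():        # an unindented non-conn line
            current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return conns


def check_modecfg_client(conn):
    """Return a list of problems for a Mode Config client conn (empty = ok)."""
    problems = []
    for key in sorted(YES_NO_KEYS):
        if key in conn and conn[key] not in ("yes", "no"):
            problems.append(f"{key}={conn[key]}: must be yes or no")
    if conn.get("leftmodecfgclient") == "yes":
        # The concentrator group ID goes in leftid and must be @-prefixed.
        leftid = conn.get("leftid", "")
        if not leftid.startswith("@") or len(leftid) < 2:
            problems.append(f"leftid={leftid!r}: group ID must be prefixed with @")
        if conn.get("rightmodecfgserver") != "yes":
            problems.append("rightmodecfgserver must be yes for a modecfg client")
    right = conn.get("right", "")
    if right in ("", "%any"):
        problems.append("right= must name the concentrator's address")
    elif not right.startswith("%"):
        try:
            ipaddress.ip_address(right)
        except ValueError:
            problems.append(f"right={right!r}: not an IP address")
    if conn.get("leftxauthclient") == "yes" and conn.get("rightxauthserver") != "yes":
        problems.append("rightxauthserver must be yes when leftxauthclient=yes")
    return problems


# Constructed sample: the notes' cisco-client conn with a documentation
# address (RFC 5737 range) and a made-up group ID filled in.
SAMPLE = """\
conn cisco-client
    ike=3des-md5-modp1024
    aggrmode=yes
    authby=secret
    left=%defaultroute
    leftmodecfgclient=yes
    leftxauthclient=yes
    leftid=@xelerance
    right=192.0.2.10
    rightxauthserver=yes
    rightmodecfgserver=yes
    modecfgpull=yes
    pfs=no
    auto=add
"""

if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE).items():
        issues = check_modecfg_client(conn)
        print(name, "OK" if not issues else issues)
```

Run it against a real ipsec.conf by reading the file into `parse_conns` instead of `SAMPLE`; an empty list from `check_modecfg_client` means the conn has the shape the notes describe, and each reported string names the key to fix.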
3. KLIPS for kernel 2.6 support.
   This version will build in most situations on the 2.6 kernel.
   There will be warnings, and in some cases it will fail. The essential
   instructions are:
     1) export KERNELSRC=<your built kernel sources>
        Defaults to /usr/src/linux-2.6
     2) export MOD26BUILDDIR=<some place to put the build output>
        Defaults to modobj26.
     3) "make module26"
   So for instance we can do:
       export KERNELSRC=/corp/network/elros/kernel2.6
       export MOD26BUILDDIR=/corp/network/elros/mod26
       make module26
   This builds the module and reports it like so:
       =========================================================
       KLIPS26 module built successfully.
       ipsec.ko is in /corp/network/elros/mod26/modobj26
       -rw-r--r-- 1 mcr mcr 403544 Sep 21 18:13 ipsec.ko
          text    data     bss     dec     hex filename
        304788   10328    5852  320968   4e5c8 ipsec.ko
   The resulting ipsec.ko should be installed in /lib/modules using
       make m26install
   Please note that it creates a ".ko" file.
   If using User-Mode-Linux, please set "KERNVER=26" in umlsetup.sh,
   and see the example in testing/utils/umlsetup-sample.sh.
*************************************************************************
These notes apply to Openswan 2.2.0 developer release 2 ("dr2")

Client-side XAUTH is broken. There is a bad interaction between XAUTH
policy and algorithm policy such that XAUTH is not enabled properly.
Note: this is fixed in 2.3.0dr3.
*************************************************************************
These notes apply to Openswan 2.2.0 developer release 1 ("dr1")
The major feature is that JuanJo's "alg" branch has been incorporated into
the code. This includes both AES and 3DES code at the moment. Other
modules likely will work, but are not tested.
Note: The AES module has been incorporated into the single ipsec.o module.
It is untested with 2.6's cryptoAPI at the moment.
To enable IKE algorithm support, add the ike= and esp= parameters to your
connection definition, eg:

    conn westnet-eastnet-aes
        ike=aes256
        esp=aes256-sha1
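The following is an added example, not Openswan code: a parser for the ike= and esp= proposal strings used in this section and in the cisco-client sample (3des-md5-modp1024, aes256, aes256-sha1). It assumes the grammar those examples show, cipher[keylen]-hash[-modpGROUP] for ike= and cipher[keylen]-hash for esp=, with several proposals separated by commas; parts that are omitted are reported as None rather than filled with a guessed default, so a config review sees exactly what the file states.

```python
# Added example (not Openswan code): split ike= / esp= proposal strings into
# their parts. Assumed grammar, taken from the examples on this page:
#   ike=cipher[keylen]-hash[-modpGROUP]   e.g. 3des-md5-modp1024, aes256
#   esp=cipher[keylen]-hash               e.g. aes256-sha1
# Omitted parts are returned as None; no defaults are invented.
import re
from dataclasses import dataclass
from typing import List, Optional

# "aes256" -> ("aes", "256"); "3des" -> ("3des", ""); "aes" -> ("aes", "")
CIPHER_RE = re.compile(r"^(3des|[a-z]+)(\d*)$")


@dataclass(frozen=True)
class Proposal:
    cipher: str
    keylen: Optional[int]
    integ: Optional[str]    # hash / integrity algorithm
    group: Optional[str]    # DH group, only meaningful for ike=


def parse_proposal(text: str, is_ike: bool) -> Proposal:
    """Parse one proposal such as '3des-md5-modp1024'."""
    parts = text.strip().split("-")
    if not parts or not parts[0]:
        raise ValueError(f"empty proposal: {text!r}")
    m = CIPHER_RE.match(parts[0])
    if not m:
        raise ValueError(f"bad cipher token: {parts[0]!r}")
    cipher = m.group(1)
    keylen = int(m.group(2)) if m.group(2) else None
    rest = parts[1:]
    group = None
    # A trailing modpNNNN token is the DH group; only ike= may carry one.
    if rest and rest[-1].startswith("modp"):
        if not is_ike:
            raise ValueError(f"esp= proposal must not name a DH group: {text!r}")
        group = rest.pop()
    if len(rest) > 1:
        raise ValueError(f"too many tokens in {text!r}")
    integ = rest[0] if rest else None
    return Proposal(cipher, keylen, integ, group)


def parse_alg_list(value: str, is_ike: bool) -> List[Proposal]:
    """Parse a comma-separated ike= or esp= value into Proposal objects."""
    return [parse_proposal(p, is_ike) for p in value.split(",") if p.strip()]


if __name__ == "__main__":
    # Constructed inputs: the proposal strings that appear in these notes.
    print(parse_alg_list("3des-md5-modp1024", is_ike=True))
    print(parse_alg_list("aes256", is_ike=True))
    print(parse_alg_list("aes256-sha1", is_ike=False))
```

Feeding each conn's ike= and esp= values through `parse_alg_list` turns a line like ike=3des-md5-modp1024 into (3des, md5, modp1024), which makes it straightforward to compare what every connection proposes against the algorithm set you intend to allow.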
There is now an "x509" debug level for pluto. Many error messages have been
revised in the X.509 code. To view these messages, add
    plutodebug="x509"
to your ipsec.conf file. DR1 contains the X.509 patch v1.4.8 code only.
Work to merge 1.5.4 is underway, but not yet complete. 1.5.4 may appear
in 2.2dr2, but if not, it will appear in 2.2.0 final.
New test cases have been created for sending X.509 certificates via IKE,
with and without CRLs, and with a variety of CA options. Some bugs were
fixed in x509.c relating to what constitutes a root CA.
Dead Peer Detection (RFC3706) has been included, as well as test cases.