-
Notifications
You must be signed in to change notification settings - Fork 213
/
README
224 lines (154 loc) · 8.32 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
#########################################################################
# Openswan 2.X Release Notes
#########################################################################
Openswan is an IPsec implementation for Linux. It has support for most
of the extensions (RFC + IETF drafts) related to IPsec, including
IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.
Openswan was originally based on FreeS/WAN 2.04 CVS with the X.509 Patch
from Andreas Steffen, the NAT-T patch from Arkoon networks and some minor
bug fixes from 2.05 and 2.06. See CREDITS for the history.
Download it from
https://download.openswan.org/openswan/
#########################################################################
# REQUIREMENTS
#########################################################################
A recent Linux distribution based on either Kernel 2.4.x, or 2.6.x are
the currently supported platforms.
Most recent distributions have package support for openswan. Unless
a source based build is truly needed, it is often best to use the pre-built
distributions packaged version.
There are a few packages required for Openswan to compile from source:
1. The GNU Math Precision Library:
Debian package names: libgmp-dev
Rpm package names: gmp, gmp-devel
Rpm users may need to install gcc if it is not installed on their system already
2. make, flex and bison:
Debian package names: make, flex, bison
Rpm package names: same as for Debian
3. iproute2, iptables, sed, awk, bash, cut and possibly other tools
are required at runtime.
Debian package names: iproute2, iptables, the rest are usually there
Rpm package names: same as for Debian
python is also required for "ipsec verify".
4. Running unit test:
Debian package names: libpcap0.8-dev, libpcap0.8, electric-fence, tcpdump
Rpm package names: libpcap, libpcap-devel, ElectricFence, tcpdump
5. Building with LIBNSS:
Debian package names: libnspr4-dev, libnss3-dev, libnss3-tools
Rpm package names: same as for Debian
#########################################################################
# HOW TO INSTALL on Kernel 2.6 (And Kernels with 2.6 IPsec backport)
#########################################################################
NETKEY (Native linux IPsec stack)
---------------------------------
To use Openswan with the linux native (builtin) IPsec stack, then the
following steps should be all that are needed. Please use at least kernel
version 2.6.9, as prior versions of the kernel have serious bugs in the
native IPsec stack. From the Openswan directory:
make programs
sudo make install
Note: The ipsec-tools package is no longer needed. Instead iproute2 >= 2.6.8
is required. For backported kernels, setkey and thus ipsec-tools might still
be required. Run 'ipsec verify' to determine if your system has either one
of the requirements.
KLIPS/KLIPSNG (Openswan IPsec stack)
------------------------------------
To use the Openswan KLIPS IPsec stack (ipsec0 devices) for Linux
Kernels 2.6.23 and higher, the following steps should work. From the
Openswan directory:
make programs
make KERNELSRC=/lib/modules/`uname -r`/build module
sudo make KERNELSRC=/lib/modules/`uname -r`/build install minstall
For Linux 2.6 Kernels before 2.6.23, including 2.4 linux systems, the kernel
requires patching if NAT-T support or SAref tracking is required. Full kernel
source will be required as the kernel sources are being patched, built and
installed. It is good practice to build and install an unpatched kernel
before starting to ensure the process is correct. See your distribution
documentation on how to build and install a new kernel
Determine the linux source directory, for example /usr/src/linux on
most full source installs. It may also be /usr/src/linux-2.[46].X
Add NAT-T support (if required).
From the Openswan source directory:
make KERNELSRC=/usr/src/linux nattpatch | patch -d /usr/src/linux -p1
Add SAref tracking support (if required).
Premade patches for some distributions kernels can be found in
patches/kernel/ It is recommended that kernel 2.6.32 or higher is
used. Documentation on SAref/MAST can be found in docs/HACKING/Mast*
and doc/klips/mast.xml. To understand what SAref tracking does, see
doc/ipsecsaref.png and the overlapip= entry in the ipsec.conf man page.
From the Openswan source directory:
make KERNELSRC=/usr/src/linux sarefpatch | patch -d /usr/src/linux -p1
Add OCF HW offloading support
For OCF HW offloading support, you need also need a patched kernel
See: http://ocf-linux.sourceforge.net/ for more details.
Build and install a new kernel
See your distribution documentation on how to install a new kernel.
It should be something similar to:
cd /usr/src/linux
make oldconfig
make dep - this step is ignore on 2.6 systems)
make bzImage install
Build Openswan
From the Openswan source directory:
make programs
make KERNELSRC=/usr/src/linux module
sudo make KERNELSRC=/usr/src/linux install minstall
The Openswan configuration file can select which ipsec stack to use at
runtime by using the "protostack=<klips|netkey|mast>" options in ipsec.conf.
See the ipsec.conf man page for more information on configuration options.
#########################################################################
# UPGRADING
#########################################################################
1. If you are upgrading from a 1.x product to Openswan 2.x, you will
need to adjust your config files. See doc/upgrading.html for details
on what has changed.
2. You can 'make install' overtop of your old version - it won't replace
your /etc/ipsec.* config files
#########################################################################
# SUPPORT
#########################################################################
Mailing Lists:
https://lists.openswan.org is home of the mailing lists. Note: these are
closed lists - you *must* be subscribed to post.
Wiki:
https://github.com/xelerance/Openswan/wiki is home to the Openswan Wiki.
It has the most up to date documentation, interop guides and other related
information.
IRC:
Openswan developers and users can be found on IRC, on #openswan on
irc.freenode.net.
Commercial support for Openswan is also available - see
https://www.xelerance.com/incidents for more information, or
email [email protected]
#########################################################################
# BUGS
#########################################################################
Bugs with the package can be report on:
https://github.com/xelerance/Openswan/issues
Security vulnerabilities can be e-mailed to: [email protected]
#########################################################################
# SECURITY HOLES
#########################################################################
All security vulnerabilities found that require public disclosure will
receive proper CVE tracking numbers (see http://mitre.org/) and co-ordinated
via the vendor-sec mailing list. A complete list of known security
vulnerabilities is available at:
https://github.com/xelerance/Openswan/wiki/Security-and-vulnerability-information
#########################################################################
# DEVELOPMENT
#########################################################################
Those interested in the development, patches, beta releases of Openswan
can join the development mailing list (https://lists.openswan.org -
[email protected]) or join the development team on IRC in
#openswan-dev on irc.freenode.net
#########################################################################
# DOCUMENTATION
#########################################################################
The most up to date docs are at https://github.com/xelerance/Openswan/wiki
Several high-level documents are in the doc directory. Most are in HTML
format; See doc/index.html for the top level index. These are now
considered obsolete.
To build from source, you will need at least 60MB free (Source tree is
currently 40MB)
The bulk of this software is under the GNU General Public License; see
LICENSE. Some parts of it are not; see CREDITS for the details.