
			Openswan 1.0.1 Release Notes

Openswan is based on code from the FreeS/WAN project (www.freeswan.org).
It has support for most of the extensions (RFC + IETF drafts) related
to IPsec, including X.509 Digital Certificates, multiple ciphers (3DES,
AES, Twofish, Blowfish) and many other features.

This version includes the following major patches:

X.509 Digital Certificate Support (Now includes RFC 2401 IKE Port Selectors)
ALG 0.8.1 (All ciphers/hashes enabled)
Notify/Delete SA
NAT Traversal
MODP 768bit
MTS Keepalive Support
Aggressive Mode Support
Dead Peer Detection (DPD) Support
XAUTH Server Support
64bit Support

As well, various bugfixes have been applied on top of these patches; see
CHANGES for the full list.

Download it from http://www.openswan.org/code


				IMPORTANT NOTES

1. For NAT Traversal information, including how to turn it on and use it, 
   please see README.NAT-Traversal
2. For Aggressive Mode information, including how to turn it on, 
   please see README.AggressiveMode
3. For Dead Peer Detection, including how to enable it and setting the 
   timeouts, please see README.DPD and "man ipsec.conf"
4. For XAUTH Server support information, see README.XAUTH


				REQUIREMENTS


We do not support obsolete kernels (e.g. 2.2.xx, xx < 20), and using them 
is generally a bad idea anyway due to known security holes.

We do not test with 2.0 kernels earlier than 2.0.39.

A number of folks have reported problems where pluto and/or whack don't
compile properly.  As well, if you upgraded over top of another FreeS/WAN
installation, you may see errors like this:

ipsec__plutorun: /usr/local/lib/ipsec/whack: option `--ike' is ambiguous 

Or pfkey read/write errors.  These indicate mismatched versions of the
Openswan userland tools and the kernel module.

There are a few packages required for Openswan to compile:

1. libgmp + libgmp-devel headers (GNU Math Precision Library).

2. On RedHat 7.x systems, kernel-headers 2.4.9-34 or higher.  2.4.7-10 is
broken, and you will see __fswab32 errors during compilation of some of
the crypto modules.  On non RedHat systems, you'll probably need kernel
2.4.10 or higher.

3. OpenSSL headers (openssl-devel on RedHat).  These are needed because a
few of the crypto ciphers are taken from the OpenSSL package.

4. A non-corrupt kernel source tree.  This seems to fix many reported
problems - starting with a fresh tree, either vendor supplied or from
http://www.kernel.org.  The best test is to build a kernel from your
source tree before patching in Openswan.

5. (Optional) CryptoAPI support - you can get a copy of this from here:
http://www.kernel.org/pub/linux/kernel/crypto/v2.4/cryptoapi-0.1.0.tar.gz
Note: Some distros (RedHat) already include this.  If you get errors
about libdes.a not compiling as part of ipsec_alg_3des, then you need this.

Note: Kernels 2.4.22 and higher include CryptoAPI.

6. (Optional) XAUTH Server support - you will need the pam-devel package
installed.

				HOW TO INSTALL

1. It's best if you've already installed FreeS/WAN or Super FreeS/WAN
before, so you'll be familiar with the steps outlined below.

2. If you want NAT-Traversal, you need to build a new kernel, since this
patch touches the TCP/IP stack in the kernel - otherwise, you can build
it as a module.

3. For those interested in exactly how I build/install it, the steps are:
 i) 	Uncompress linux-2.4.#.tar.bz2 in /usr/src/linux, build a normal
	working kernel. With recent RedHat kernels (2.4.18+) you will 
	probably need to run "make mrproper" immediately after installing
	the source rpm.
 ii) 	Ensure that your new kernel works before proceeding
 iii) 	In the Openswan source dir:
 	Quick way: "make menugo && make minstall"
 	Step by step way: 
	"make insert && make oldmod && make programs && make minstall" 


				UPGRADING

1. Just install over top - it won't replace your /etc/ipsec.* config files.

2. If you are already running a kernel with ESPinUDP support, you don't
need to recompile your kernel - just build the new Openswan package as you
did before and install.

				EXTRA NOTES

1. Building this as a module works; however, if you want NAT Traversal,
you'll need to build a new kernel, as the ESPinUDP patch touches the
TCP/IP stack in the kernel.

This is tested to compile and play happily with 2.4.18 and higher.
It's been reported to work as far back as 2.4.9, but it won't work with
2.4.2.
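As an added example (not a script from the Openswan distribution), the following POSIX shell pre-flight check applies the kernel-version rules from REQUIREMENTS and EXTRA NOTES above and looks for the header packages the build needs, so a mismatch shows up before the kernel tree is patched. The KSRC variable and the file name preflight.sh are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for an Openswan 1.0.1 build (added example, not from the
# Openswan distribution). Encodes the kernel-version and header rules from the
# REQUIREMENTS and EXTRA NOTES sections. KSRC (kernel source dir) is assumed.

# kernel_class VERSION -> unsupported | untested | reported | ok | cryptoapi
kernel_class() {
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}                    # RedHat style "7-10" -> 7
    case "$maj.$min" in
        2.0) [ "$patch" -ge 39 ] && echo ok || echo untested ;;    # <2.0.39 untested
        2.2) [ "$patch" -ge 20 ] && echo ok || echo unsupported ;; # 2.2.xx, xx<20
        2.4) if [ "$patch" -ge 22 ]; then echo cryptoapi       # CryptoAPI in kernel
             elif [ "$patch" -ge 10 ]; then echo ok
             elif [ "$patch" -eq 9 ]; then echo reported       # reported to work
             else echo unsupported                             # e.g. 2.4.2, 2.4.7-10
             fi ;;
        *)   echo unsupported ;;
    esac
}

# tree_version DIR -> VERSION.PATCHLEVEL.SUBLEVEL read from DIR/Makefile;
# returns 1 when DIR does not look like a kernel source tree
tree_version() {
    mk="$1/Makefile"; [ -f "$mk" ] || return 1
    v=$(sed -n 's/^VERSION *= *//p' "$mk"); p=$(sed -n 's/^PATCHLEVEL *= *//p' "$mk")
    s=$(sed -n 's/^SUBLEVEL *= *//p' "$mk")
    [ -n "$v" ] && [ -n "$p" ] && [ -n "$s" ] || return 1
    echo "$v.$p.$s"
}

# headers_missing PREFIX -> lists required headers absent below PREFIX;
# returns 1 if any is missing (pam-devel is only needed for XAUTH, so warn)
headers_missing() {
    prefix=${1:-/usr/include}; rc=0
    for h in gmp.h openssl/opensslv.h; do            # libgmp-devel, openssl-devel
        [ -f "$prefix/$h" ] || { echo "missing: $prefix/$h"; rc=1; }
    done
    [ -f "$prefix/security/pam_appl.h" ] || echo "note: no pam_appl.h, XAUTH server needs pam-devel"
    return $rc
}

main() {
    src=${KSRC:-/usr/src/linux}
    v=$(tree_version "$src") || { echo "$src: no kernel Makefile found"; return 1; }
    echo "kernel tree $src is $v -> $(kernel_class "$v")"
    headers_missing /usr/include
}
if [ $# -gt 0 ]; then main; fi                  # run as: sh preflight.sh check
```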

				SUPPORT

Mailing Lists:

http://lists.openswan.org is home of the mailing lists.  Note: these are 
closed lists - you must be subscribed to post.  This is different from the
FreeS/WAN lists which were open.

IRC:

Openswan developers and users can be found on IRC, on #openswan on
irc.freenode.net.  If you need more information on our IRC channel, see
http://www.openswan.org/support/irc.php


Commercial support for Openswan is also available - see
http://www.xelerance.com/openswan/support.php for more information, or
email sales@xelerance.com

				BUGS

Bugs with the package can be filed in our Mantis system at
http://bugs.openswan.org


				DEVELOPMENT

Those interested in the development, patches, beta releases of Openswan
can join the development mailing list (http://lists.openswan.org -
dev@lists.openswan.org) or join the development team on IRC in
#openswan-dev on irc.freenode.net

				DOCUMENTATION

Several high-level documents are in the doc directory.  Most are in HTML
format; see doc/index.html for the top level index.

See doc/README for two methods of getting plain-text versions if needed.  
See doc/roadmap.html for a guide to what's where in this distribution.

Unpacking the distribution needs about 12MB, and compiling it requires
another 50MB of space.  For setup procedures, start at doc/intro.html

The bulk of this software is under the GNU General Public License; see
COPYING.  Some parts of it are not; see CREDITS for the details.

$Id: README,v 1.1.1.1 2004/08/17 13:06:27 ysc Exp $.
