
			Openswan 2.1.3 Release Notes

Openswan is based on code from the FreeS/WAN project (www.freeswan.org)
It has support for most of the extensions (RFC + IETF drafts) related
to IPsec, including X.509 Digital Certificates, NAT Traversal, and many 
others.

The release was based on FreeS/WAN 2.04 CVS, along with some minor bug
fixes from 2.05 and 2.06.  

It also includes Andreas Steffan's X.509 Digital Certificate patch,
NAT-Traversal code (based on Mathieu Lafon's work for Arkoon) and XAUTH
Server support (based on Columbris's code).

Download it from http://www.openswan.org/code


				REQUIREMENTS


Ideally, Linux Kernel 2.4.x, or 2.6.x are the best supported platforms.

We do not support obsolete kernels (e.g. 2.2.xx, xx < 20), and using them 
is generally a bad idea anyway due to known security holes.

We do not test with 2.0 kernels earlier than 2.0.39.

A number of folks have reported problems where pluto and/or whack don't
compile properly.  As well if you upgraded over top of another FreeS/WAN
installation, you may see errors like this:

ipsec__plutorun: /usr/local/lib/ipsec/whack: option `--ike' is ambiguous 

Or pfkey read/write errors.  These indicate mismatched versions of the 
Openswan userland tools, and the kernel module(s).  To resolve this, 
ensure you have all of the dependancies installed and recompile.

There a few packages required for Openswan to compile:

1. libgmp + libgmp-devel headers.  (GNU Math Precision Library)

2. On RedHat 7.x systems, kernel-headers 2.4.9-34 or higher.  2.4.7-10 is
broken, and you will see __fswab32 errors during compilation of some of
the crypto modules.  On non RedHat systems, you'll probably need kernel
2.4.10 or higher.

4. A non-corrupt kernel source tree.  This seems to fix many reported
problems - starting with a fresh tree, either vendor supplied or from
http://www.kernel.org.  The best test is to build a kernel from your
source tree before patching in Openswan.

#########################################################################
# HOW TO INSTALL on Linux Kernel 2.4 systems
#########################################################################

0.0)	The following instructions assume the kernel source tree is in 
	/usr/src/linux-2.4.  If this isn't the case, simply change the 
	parameters in the instructions below.

1.0)	It's best if you're already installed FreeS/WAN or Super FreeS/WAN 
	before, so you'll be familiar with the steps outlined below.

2.0) 	Uncompress linux-2.#.#.tar.bz2 in /usr/src (or elsewhere), build a 
	normal working kernel.  This ensures any compiliation problems 
	that occur are isolated and resolved *before* any Openswan patches 
	are applied to the kernel.

2.1)	If you want NAT-T support, you need to patch your kernel and build
	a new bzImage.  From the Openswan source directory:

	make nattpatch | (cd /usr/src/linux-2.4 && patch -p1 && make bzImage)
	
	Note: Build and install kernel as normal, as you have modified
	the TCP/IP stack in the kernel, so it needs to be recompiled and
	installed.

        eg: cd /usr/src/linux && make dep bzImage install


3.0)	From the openswan source directory, build the userland tools, and
	ipsec.o kernel module:

	make KERNELSRC=/usr/src/linux-2.4 programs module


4.0)	As root, install the userland tools, and the ipsec.o module:

	make KERNELSRC=/usr/src/linux-2.4 install minstall



#########################################################################
# HOW TO INSTALL on Kernel 2.6
#########################################################################

For Linux Kernels 2.6.0 and higher, Openswan uses the built in IPsec
support.  Only the userland component of Openswan is required to use
Openswan with a 2.6 series kernel.  Please use at least version 2.6.4, 
as prior versions have bugs in the IPsec stack, causing complete machine
crashes.


1.0)	From the openswan source directory:

	make programs

2.0)	As root, install the userland tools:

	make install

Note: you will need setkey from the ipsec-tools package, available from 
http://ipsec-tools.sourceforge.net 


				UPGRADING

1. Just install overtop of your old version - it won't replace your 
/etc/ipsec.* config files 

2. If you are upgrading from a 1.x product to Openswan 2.1.0, you will
need to adjust your config files.  See doc/upgrading.html for details
on what's changed.

				SUPPORT

Mailing Lists:

http://lists.openswan.org is home of the mailing lists.  Note: these are 
closed lists - you must be subscribed to post.  This is different from the
FreeS/WAN lists which were open.

Documentation:

The legacy FreeS/WAN docs are still in doc/, and included in various 
forms.  You can also check the Openswan WIKI, @ http://wiki.openswan.org
for newer documentation.

IRC:

Openswan developers and users can be found on IRC, on #openswan on
irc.freenode.net.  If you need more information on our IRC channel, see
http://www.openswan.org/support/irc.php


Commercial support for Openswan is also available - see
http://www.xelerance.com/openswan/support.php for more information, or
email sales@xelerance.com

				BUGS

Bugs with the package can be filed into our Mantis system, at
http://bugs.openswan.org


				DEVELOPMENT

Those interested in the development, patches, beta releases of Openswan
can join the development mailing list (http://lists.openswan.org -
dev@lists.openswan.org) or join the development team on IRC in
#openswan-dev on irc.freenode.net

				DOCUMENTATION

Several high-level documents are in the doc directory.  Most are in HTML
format; See doc/index.html for the top level index.

See doc/README for two methods of getting plain-text versions if needed.  
See doc/roadmap.html for a guide to what's where in this distribution.

Unpacking the distribution needs about 33MB, and compiling it requires
another 50MB of space.  For setup procedures, start at doc/intro.html

The bulk of this software is under the GNU General Public License; see
COPYING.  Some parts of it are not; see CREDITS for the details.

$Id: README,v 1.93.2.9 2004/06/17 00:41:35 ken Exp $.
