			Openswan 2.3.0 Release Notes

Major changes:

1) AES-SHA1 is now the default proposal.  This has changed from 3DES-MD5
in prior versions.  Openswan still proposes both 3DES and MD5, but
AES-SHA1 is preferred.  If you want/need the old behaviour back, add

ike=3des-md5
esp=3des-md5

to your conns.  We have done this in response to the MD5 collisions that
have been demonstrated in recent months, and speculation that MD5 could be
broken in the coming months/years.

We changed to prefer AES, as that is the direction the VPN industry is 
moving, so we want to stay near the front of the line.  As well, AES is now
part of ICSA Labs' testing for IPsec Certification, and numerous vendors
repackage Openswan into products submitted for certification.  

2) Aggressive Mode, XAUTH, and MODE Config client and server functionality 
is now included.

See docs/RELEASE-NOTES.txt for more details about these changes.
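
The following is an added example, not part of the Openswan distribution:
a small audit that lists every conn whose ike= or esp= line (set directly or
inherited from "conn %default") still offers MD5, which is what item 1 above
moves away from.  The sample config, the conn names and the function names
are constructed for illustration; the parser is simplified and ignores also=
and include directives.

```python
import re

# Constructed sample ipsec.conf for illustration (documentation addresses).
SAMPLE_CONF = """\
conn %default
    esp=3des-md5

conn branch-office
    left=192.0.2.1
    right=198.51.100.7
    ike=3des-md5

conn roadwarrior
    left=192.0.2.1
    right=%any
    esp=aes-sha1

conn partner
    left=192.0.2.1
    right=203.0.113.9
    ike=aes-sha1,3des-md5   # AES first, old proposal kept as fallback
"""

def parse_conns(text):
    """Return {conn name: {param: value}} with 'conn %default' merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # simplified comment handling
        if line and not line[0].isspace():        # section header at column 0
            words = line.split() + [""]
            current = sections.setdefault(words[1], {}) if words[0] == "conn" else None
        elif current is not None and "=" in line:  # indented key=value line
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()}

def md5_proposals(text):
    """List (conn, keyword, value) for each ike=/esp= that still offers MD5."""
    hits = []
    for name, params in parse_conns(text).items():
        for key in ("ike", "esp"):
            value = params.get(key, "")
            if "md5" in re.split(r"[^a-z0-9]+", value.lower()):
                hits.append((name, key, value))
    return hits

if __name__ == "__main__":
    print(*md5_proposals(SAMPLE_CONF), sep="\n")
```

Conns that set neither keyword are not reported, since they pick up the new
AES-SHA1 default.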


				ABOUT

Openswan is based on code from the FreeS/WAN project (www.freeswan.org).
It has support for most of the extensions (RFC + IETF drafts) related
to IPsec, including X.509 Digital Certificates, NAT Traversal, and many 
others.

Openswan was originally based on FreeS/WAN 2.04 CVS, along with some
minor bug fixes from 2.05 and 2.06.  See CREDITS for the history.

Download it from http://www.openswan.org/code


				REQUIREMENTS

Linux kernels 2.4.x and 2.6.x are the currently supported platforms.

There are a few additional packages required for Openswan to compile:

1. libgmp + libgmp-devel headers.  (GNU Math Precision Library)

2. flex, and bison (usually included in all non-embedded distributions)

#########################################################################
# HOW TO INSTALL on Kernel 2.6 (And Kernels with 2.6 IPsec backport)
#				This includes Debian Stable
#########################################################################

For Linux Kernels 2.6.0 and higher (or with the 2.6 IPsec stack
backported), Openswan can use the built in IPsec support (aka, NETKEY). 
Only the userland component of Openswan is required when using a 2.6
series kernel.  Please use at least version 2.6.6, as prior versions of
the kernel have serious bugs in the IPsec stack.

1.0)	From the openswan source directory:

	make programs

2.0)	As root, install the userland tools:

	make install

Note: you will need setkey from the ipsec-tools package, available from 
http://ipsec-tools.sourceforge.net 


#########################################################################
# HOW TO INSTALL on Linux Kernel 2.4 systems
#########################################################################

0.0)	The following instructions assume the kernel source tree is in 
	/usr/src/linux-2.4.  If this isn't the case, simply change the 
	parameters in the instructions below.

1.0) 	Uncompress linux-2.#.#.tar.bz2 in /usr/src (or elsewhere), build a 
	normal working kernel.  This ensures any compilation problems 
	that occur are isolated and resolved *before* any Openswan patches 
	are applied to the kernel.

1.1)	If you want NAT-T support, you need to patch your kernel and build
	a new bzImage.  From the Openswan source directory:

	make nattpatch | (cd /usr/src/linux-2.4 && patch -p1 && make bzImage)
	
	Note: Because the patch modifies the TCP/IP stack in the kernel,
	the kernel must be recompiled and installed as normal.

	e.g.: cd /usr/src/linux && make dep bzImage install



2.0)	From the openswan source directory, build the userland tools, and
	ipsec.o kernel module:

	make KERNELSRC=/usr/src/linux-2.4 programs module

3.0)	As root, install the userland tools, and the ipsec.o module:

	make KERNELSRC=/usr/src/linux-2.4 install minstall


				UPGRADING

1. If you are upgrading from a 1.x product to Openswan 2.x, you will
need to adjust your config files.  See doc/upgrading.html for details
on what has changed.

2. You can 'make install' over the top of your old version - it won't
replace your /etc/ipsec.* config files.


				SUPPORT

Mailing Lists:

http://lists.openswan.org is home of the mailing lists.  Note: these are 
closed lists - you *must* be subscribed to post.

IRC:

Openswan developers and users can be found on IRC, on #openswan on
irc.freenode.net.  If you need more information on our IRC channel, see
http://www.openswan.org/support/irc.php

Commercial support for Openswan is also available - see
http://www.xelerance.com/openswan/support for more information, or
email sales@xelerance.com

				BUGS

Bugs with the software can be filed with our Mantis system, located at 
http://bugs.openswan.org


				SECURITY HOLES

None :)  If you find one, please email vuln@xelerance.com with details.
Please use GPG (finger vuln@xelerance.com for GPG key) for this.

				DEVELOPMENT

Those interested in the development, patches, and beta releases of Openswan
can join the development mailing list (http://lists.openswan.org -
dev@lists.openswan.org) or join the development team on IRC in
#openswan-dev on irc.freenode.net.

				DOCUMENTATION

Several high-level documents are in the doc directory.  Most are in HTML
format; see doc/index.html for the top level index.

See doc/README for two methods of getting plain-text versions if needed.  
See doc/roadmap.html for a guide to what's where in this distribution.

To build from source, you will need at least 60MB free (Source tree is 
currently 40MB)

The bulk of this software is under the GNU General Public License; see
LICENSE.  Some parts of it are not; see CREDITS for the details.

$Id: README,v 1.99.2.1 2005/01/01 00:43:07 ken Exp $.
