[Announce] Openswan-2.4.5 released

Paul Wouters paul at xelerance.com
Thu Apr 6 19:16:45 EDT 2006

Xelerance releases Openswan-2.4.5

After some extra delay in order to address the SMP issues people were
seeing, we have finally released Openswan-2.4.5. This release is hopefully
the last release of the Openswan-2.4 series.

As always, the source code is available via web and ftp:


* Fix for preferring RFC3947 over OSX-workaround by Jacco de Leeuw
* Fix for openswan as l2tp server behind NAT by Bernd Galonska
* Fix for compiling + working on SMP (including HyperThreaded) machines
* Fix for arp_broken_ops relocation in 2.6.16
* Fix for compiling on 2.6.14 kernels
* Fix patching against 2.6.15 kernels (NAT-T Patch)
* Fix patching against 2.6.14 kernels
* Fix for strict mode
* Fix for ipsec module unload. Fix by Ankit Desai <ankit at elitecore.com>
* Fix for ipsec: Unknown symbol sysctl_ip_default_ttl
* Fix for AH hash by Ronen Shitrit <rshitrit at marvell.com>
* Additions to barf and verify commands for various kernel internals
* load hw_random and padlock modules before aes module so hardware routines
  are preferred over software routines.
* allow rightsubnet= with type=transport for L2TP behind NAT.
* Refactored natd_lookup / hash code, probably fixes a lot of NAT related bugs
* Fix for interop with Cisco devices which propose port 0 (eg: VPN3000)
* When DPD rcookie is invalid, just warn instead of ignoring entirely
* Redid all the DPD log messages
* Fix for manual.in to not use a complicated sed line that some embedded
  sed versions (busybox?) cannot handle.
* Fix for NAT-T detection when Openswan is the initiator
* Reported bugs fixed:
  #401 l2tp connection is not work with 2.6 build in IPSEC
  #442 Pluto uses wrong port in NAT-D calculation
  #450 macosx (possible generic PSK+NAT-T rekey bug: eroute already in use.
  #454 klips module refcount bug (found by Matthias Haas)
       (prevented klips from unloading on 2.4 kernels)
  #462 updated patch for Openswan and OS X with NAT-T
  #509 KLIPS compilation fail with kernel-
  #518 Incorrect physical interface MTU detection
  #521 KLIPS module crash for kernel 2.6.12+
  #545 unnecessary warnings from _updown script, remove weird control character.
  #558 two machines using incompatible ike= settings still establish a
       connection. (fix by Matthias Haas <mh at pompase.net>)
  #560 Pluto crash (memory leak fixes in pluto by Ilia Sotnikov)
  #563 Error when unload ipsec.ko module "rmmod ipsec" [dupl bug]
  #568 uninitialized struct in ipsec_tunnel.c could break routing under 2.6
  #569 ipsec module unload crasher
  #573 Openswan fails to compile with NAT_TRAVERSAL=false
  #574 Openswan fails to compile with NAT_TRAVERSAL=false #2
  #581 _Updown script installs direct (scope link) routes even for remote
  #589 userspace with USE_EXTRACRYPTO won't compile without kernel sourcecode

Features we are working on for the next openswan release include:

- Binaries to replace the shell scripts
- Crypto hardware offloading
- Support for Multiple L2TP clients behind the same NAT router
- Support for Overlapping Virtual IP's with multiple L2TP clients

The next major release will also mark the change from CVS to GIT. See
the Openswan website for more details on how to use git.

The Openswan Team
Xelerance Corp.
