[Announce] Openswan 2.4.7 Released

Paul Wouters paul at xelerance.com
Tue Nov 14 13:20:34 EST 2006

Xelerance releases Openswan-2.4.7

This is a maintenance release. It removes unsafe usage of unverified
hardware random, fixes a crasher in KLIPS and pluto, support for Fedora
initscripts, extended 'ipsec verify' checks, support for 2.6.18 kernels,
updated man pages, ESP_NULL for the foolish people who want it and fixes
to the scripts that should ensure an explicit leftnexthop= setting is
no longer needed in most cases.

Openswan-2.4.x is the stable release branch. No major features will be
added to this tree. Active development is now done on the GIT branch,
for which initial test releases have been sent out (version 2.5.00 and
version 3.0.00). See the openswan website for details.

As always, the source code is available via web and ftp:



* Remove direct use of /dev/hw* for random on Linux. It is not guaranteed
  to be secure (FIPS compliant) random [paul]
* Fix bugs introduced in 2.4.6 using KLIPS and CryptoAPI on
* fixes for displaying proper NAT-T draft/rfc used [jacco]
* Various fixes to lwdnsq [mcr]
* Extensively updated man pages [paul]
* Added rootservers to the clear policy [idea by mcr]
* Fix for pluto to allow NETKEY's ESP_NULL by JuanJo Ciarlante
* Added ESP_NULL support to KLIPS by JuanJo Ciarlante (disabled per default)
* Support Fedora style default RSA hostkey [paul]
* Clarified various log messages
* Possible interop fix for Sonicwall
* Fixes to _startklips and logging cleanup [paul]
* Fix for handling defaultroute to a p-t-p interface without gw ip. [bleve]
  - this might also fix #693
* Extended ipsec verify to complain about misconfigured hardware random [paul]
* Extended ipsec verify to complain about SELinux in enforced mode, until
  working security policies are known to exist as it breaks with both
  NETKEY and KLIPS [paul]
* Cleanup of crypto module modprobing. It is now silent [paul]
* bugtracker bugs fixed:
  #474 ASSERTION FAILED at spdb_struct.c:1233: trans->attr_cnt > == 4"
  #642: ipsec_xmit.c and CONFIG_KLIPS_DEBUG [completed fix]
  #655: /etc/rc.d/ipsec --status breaks connection
  #671: oops from __module_get during pfkey_create
