[Openswan dev] Status on openswan 2.6.x

Paul Wouters paul at xelerance.com
Thu Jun 5 12:54:32 EDT 2008


Since we were using this list internally, I figured we might as well
post it here for reference.

The Openswan 2.6.x is moving towards becoming the new stable openswan,
replacing 2.4.12, as well as the 2.5.x tree. The 2.6.x tree features
IKEv2. With the 2.5.x tree it gained the new parser replacing a lot
of the old scripting.

Here are some of the important bugs. We believe with these fixed, there
is no more reason to use openswan 2.4.x

- Some IKEv1 problems
   * PFS mismatch issue
     - http://bugs.xelerance.com/view.php?id=928 / http://bugs.xelerance.com/view.php?id=784
   * crlcheckinterval plus broken DNS:
     - http://bugs.xelerance.com/view.php?id=939
   * Some regression from openswan 2.4.x - not sure yet what is the problem or cause
     - http://bugs.xelerance.com/view.php?id=942
     - http://bugs.xelerance.com/view.php?id=943
   * leak: 2 * struct event in event_schedule() (hits especially during failed negotiations)
     - http://bugs.xelerance.com/view.php?id=652

- IKEv2 problems (might be related to refineconnection bug)
   * INVALID_CERT_AUTHORITY. This happens in interop-ikev2-strongswan-04
     - http://bugs.xelerance.com/view.php?id=927

- Known other issues:
   * NETKEY policy issue:
     - http://bugs.xelerance.com/view.php?id=888
     - http://bugs.xelerance.com/view.php?id=907
   * kernel_ops functions in kernel_netlink.c need to be verified for proper functioning
      on rekey, expire, etc.
   * when using leftcert=, the ID should default to ID_ASN1_DN (interop problems for upgrades from 2.4.x to 2.6.x)
     - http://bugs.xelerance.com/view.php?id=933
   * refineconnection bug (needing rightca=%any to let it pick up the received cert from remote)
     - see refineconnection testcase
   * cryptoapi not working when trying to support 1des (all of cryptoapi broken on 2.6.19+ ?)
   * some attempts to alloc 0 bytes [harmless but should be fixed]
   * Using leftcert= should send ID_ASN1_DN
     - http://bugs.xelerance.com/view.php?id=933

You can find the latest openswan 2.6.x in ftp://ftp.openswan.org/openswan/development/

Paul

