[Openswan dev] First pass README update

Harald Jenny harald at a-little-linux-box.at
Wed Oct 13 02:41:44 EDT 2010


On Wed, Oct 13, 2010 at 10:17:34AM +1000, David McCullough wrote:
> 
> Hi all,

Hi David

> 
> Here's a first pass update to the README to try and get it current,
> feedback appreciated.  If it's mostly ok I'll commit it.

Sounds better although there are some points:

*) Paul, is the method for getting NAT-T patches still functional (I guess
nobody really uses it anymore)?
*) SECURITY HOLES - None :-) sounds a bit too cocky to me - "Currently none
known" maybe with a link to some site which holds a comprehensive list
(http://openswan.org/support/vuln/ seems really outdated btw)?
*) BUGS - aren't we using Redmine now?

> 
> Harald, I haven't added the Wiki yet,  just add a comment below where you
> want it ;-)

Well, there are links to the old wiki in there, maybe Paul can shed some light on
the future plans for the openswan wiki?

> 
> Cheers,
> Davidm

Kind regards
Harald

> 
> #########################################################################
> #            Openswan 2.X Release Notes
> #########################################################################
> ************ See docs/RELEASE-NOTES.txt for more information ************
> 
> Openswan is an IPsec implementation for Linux. It has support for most 
> of the extensions (RFC + IETF drafts) related to IPsec, including 
> IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.
> 
> Openswan was originally based on FreeS/WAN 2.04 CVS, along with some
> minor bug fixes from 2.05 and 2.06.  See CREDITS for the history.
> 
> Download it from http://www.openswan.org/code
> 
> #########################################################################
> # REQUIREMENTS
> #########################################################################
> 
> Recent Linux distributions based on either Kernel 2.4.x or 2.6.x are
> the currently supported platforms.
> 
> Most recent distributions have package support for openswan.  Unless
> a source based build is truly needed, it is often best to use the
> distribution's pre-built packaged version.
> 
> There are a few packages required for Openswan to compile from source:
> 
> 1. libgmp + libgmp-devel headers.  (GNU Math Precision Library)
> 
> 2. gawk, flex and bison (usually included in all distributions)
> 
> #########################################################################
> # HOW TO INSTALL on Kernel 2.6 (And Kernels with 2.6 IPsec backport)
> #########################################################################
> 
> NETKEY (Native linux IPsec stack)
> ---------------------------------
> 
> To use Openswan with the Linux native (built-in) IPsec stack, the
> following steps should be all that are needed. Please use at least kernel
> version 2.6.6, as prior versions of the kernel have serious bugs in the
> native IPsec stack.  From the openswan directory:
> 
>     make programs
>     sudo make install
> 
> Note: The ipsec-tools package is no longer needed. Instead iproute2 >= 2.6.8
> is required. For backported kernels, setkey and thus ipsec-tools might still
> be required. Run 'ipsec verify' to determine if your system has either one
> of the requirements.
> 
> KLIPS (Openswan IPsec stack)
> ----------------------------
> 
> To use the Openswan KLIPS IPsec stack (ipsec0 devices) for Linux
> Kernels 2.6.23 and higher, the following steps should work.  From the
> openswan directory:
> 
>     make programs
>     sudo make install
>     make KERNELSRC=/lib/modules/`uname -r`/build module minstall
> 
> For Linux 2.6 Kernels before 2.6.23, the kernel requires patching if
> NAT-T support is required.
> 
>     Add NAT-T support.
> 
>         NAT-T support needs to patch the kernel and build a new bzImage.
>         From the Openswan source directory:
> 
>           make nattpatch | (cd /usr/src/linux-2.6 && patch -p1 && make bzImage)
>     
>         Note: Build and install kernel as normal, as you have modified
>         the TCP/IP stack in the kernel, so it needs to be recompiled and
>         installed.
> 
>           eg: cd /usr/src/linux && make dep bzImage install
> 
>         See your distribution documentation on how to install a new kernel
> 
>     From the openswan directory:
> 
>         make programs
>         make KERNELSRC=/lib/modules/`uname -r`/build module
>         sudo make KERNELSRC=/lib/modules/`uname -r`/build install minstall
> 
>     For OCF HW offloading support, you need a patched kernel
>     See: http://ocf-linux.sourceforge.net/
> 
> #########################################################################
> # HOW TO INSTALL on Linux Kernel 2.4 systems
> #########################################################################
> 
> The following instructions assume the kernel source tree is in
> /usr/src/linux-2.4.  If this isn't the case, simply change the 
> parameters in the instructions below.
> 
> 1)  Uncompress linux-2.#.#.tar.bz2 in /usr/src (or elsewhere), build a 
>     normal working kernel.  This ensures any compilation problems 
>     that occur are isolated and resolved *before* any Openswan patches 
>     are applied to the kernel.
> 
> 2)  If you want NAT-T support, you need to patch your kernel and build
>     a new bzImage.  From the Openswan source directory:
> 
>     make nattpatch | (cd /usr/src/linux-2.4 && patch -p1 && make bzImage)
>     
>     Note: Build and install kernel as normal, as you have modified
>     the TCP/IP stack in the kernel, so it needs to be recompiled and
>     installed.
> 
>         eg: cd /usr/src/linux && make dep bzImage install
> 
> 3)  From the openswan source directory, build the userland tools, and
>     ipsec.o kernel module:
> 
>     make KERNELSRC=/usr/src/linux-2.4 programs module
> 
> 4)  As root, install the userland tools, and the ipsec.o module:
> 
>     make KERNELSRC=/usr/src/linux-2.4 install minstall
> 
> #########################################################################
> # UPGRADING
> #########################################################################
> 
> 1. If you are upgrading from a 1.x product to Openswan 2.x, you will
>    need to adjust your config files.  See doc/upgrading.html for details
>    on what has changed.
> 
> 2. You can 'make install' over the top of your old version - it won't replace
>    your /etc/ipsec.* config files
> 
> #########################################################################
> # SUPPORT
> #########################################################################
> 
> Mailing Lists:
> 
>     http://lists.openswan.org is home of the mailing lists.  Note: these are 
>     closed lists - you *must* be subscribed to post.
> 
> Wiki:
> 
>     http://wiki.openswan.org is home to the Openswan WIKI.  It has the most
>     up to date documentation, interop guides and other related information.
> 
> IRC:
> 
>     Openswan developers and users can be found on IRC, on #openswan on
>     irc.freenode.net.  If you need more information on our IRC channel, see
>     http://www.openswan.org/support/irc.php
> 
> Commercial support for Openswan is also available - see
> http://www.xelerance.com/openswan/support.php for more information, or
> email sales at xelerance.com
> 
> #########################################################################
> # BUGS
> #########################################################################
> 
> Bugs with the package can be filed into our Mantis system, at
> http://bugs.openswan.org
> 
> #########################################################################
> # SECURITY HOLES
> #########################################################################
> 
> None :-)  If you find one, please email vuln at xelerance.com with details.
> Please use GPG (finger vuln at xelerance.com for GPG key) for this.
> 
> #########################################################################
> # DEVELOPMENT
> #########################################################################
> 
> Those interested in the development, patches, beta releases of Openswan
> can join the development mailing list (http://lists.openswan.org -
> dev at lists.openswan.org) or join the development team on IRC in
> #openswan-dev on irc.freenode.net
> 
> #########################################################################
> # DOCUMENTATION
> #########################################################################
> 
> The most up to date docs are at http://wiki.openswan.org.
> 
> Several high-level documents are in the doc directory.  Most are in HTML
> format; see doc/index.html for the top level index.  These are now
> considered obsolete.
> 
> To build from source, you will need at least 60MB free (Source tree is 
> currently 40MB)
> 
> The bulk of this software is under the GNU General Public License; see
> LICENSE.  Some parts of it are not; see CREDITS for the details.
> 
> -- 
> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
> _______________________________________________
> Dev mailing list
> Dev at openswan.org
> http://lists.openswan.org/mailman/listinfo/dev

