[Openswan dev] First pass README update
Harald Jenny
harald at a-little-linux-box.at
Thu Oct 14 03:04:29 EDT 2010
Thanks for your work!
On Thu, Oct 14, 2010 at 01:59:20PM +1000, David McCullough wrote:
>
> Jivin Paul Wouters lays it down ...
> >
> >
> > My comments :)
> >
> > > #########################################################################
> > > # Openswan 2.X Release Notes
> > > #########################################################################
> > > ************ See docs/RELEASE-NOTES.txt for more information ************
> > >
> > > Openswan is an IPsec implementation for Linux. It has support for most
> > > of the extensions (RFC + IETF drafts) related to IPsec, including
> > > IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.
> > >
> > > Openswan was originally based on FreeS/WAN 2.04 CVS, along with some
> > > minor bug fixes from 2.05 and 2.06. See CREDITS for the history.
> >
> > I would probably say FreeS/WAN 2.04 CVS with the X.509 Patch from Andreas
> > and the NAT-T patch from Arkoon networks. I know Andreas doesn't like to
> > credit us for anything, but we try to give proper credits.
> >
> > > Download it from http://www.openswan.org/code
> >
> > or ftp://ftp.openswan.org/openswan/
> >
> > > 1. libgmp + libgmp-devel headers. (GNU Math Precision Library)
> >
> > Maybe explain this is gmp/gmp-devel on rpm and libgmp3/libgmp3-devel on apt distros?
> >
> > > 2. gawk, flex and bison (usually included in all distributions)
> >
> > Perhaps add runtime requirements too? iproute2, iptables, if used on embedded
> > systems a busybox with enough features enabled to get a mostly full /bin/sh
>
> done.
>
> >
> > > #########################################################################
> > > # HOW TO INSTALL on Kernel 2.6 (And Kernels with 2.6 IPsec backport)
> > > #########################################################################
> > >
> > > NETKEY (Native linux IPsec stack)
> > > ---------------------------------
> > >
> > > To use Openswan with the linux native (builtin) IPsec stack, then the
> > > following steps should be all that are needed. Please use at least kernel
> > > version 2.6.6, as prior versions of the kernel have serious bugs in the
> >
> > I would say 2.6.9 as the earliest version.
>
> done
>
> >
> > > native IPsec stack. From the openswan directory:
> > >
> > > make programs
> > > sudo make install
> >
> > This reminds me we should fix not creating man pages as root in the install phase......
>
> Perhaps we should build them in the programs step and only install them
> in the install step, what could possibly go wrong :-) :-)
>
> > > Note: The ipsec-tools package is no longer needed. Instead iproute2 >= 2.6.8
> > > is required. For backported kernels, setkey and thus ipsec-tools might still
> > > be required. Run 'ipsec verify' to determine if your system has either one
> > > of the requirements.
> >
> > of course "ipsec verify" requires perl (and I'd like to redo it in python)
>
> added.
>
> >
> > > KLIPS (Openswan IPsec stack)
> > > ----------------------------
> > >
> > > To use the Openswan KLIPS IPsec stack (ipsec0 devices) for Linux
> > > Kernels 2.6.23 and higher, the following steps should work. From the
> > > openswan directory:
> > >
> > > make programs
> > > make KERNELSRC=/lib/modules/`uname -r`/build module
> > > sudo make KERNELSRC=/lib/modules/`uname -r`/build install minstall
> > >
> > > For Linux 2.6 Kernels before 2.6.23, the kernel requires patching if
> > > NAT-T support is required.
> >
> > Perhaps say "including linux 2.4 kernels"
>
> joined it all together
>
> > > Add NAT-T support.
> > >
> > > NAT-T support needs to patch the kernel and build a new bzImage.
> > > From the Openswan source directory:
> > >
> > > make KERNELSRC=/lib/modules/`uname -r`/build nattpatch | \
> > > (cd /usr/src/linux-2.6 && patch -p1 && make bzImage)
> >
> > Add the bit about make sarefpatch here for KLIPSNG (Mast) support with SAref tracking?
> >
> > Premade patches for some (distro kernels) are found in patches/kernel/
> > Recommended kernel is 2.6.32 and up. Documentation on SAref/MAST can be found in
> > docs/HACKING/Mast* and doc/klips/mast.xml. To understand what SAref tracking does,
> > take a look at doc/ipsecsaref.png and the overlapip= entry in the ipsec.conf man page.
>
> done
>
> > > Note: Build and install kernel as normal, as you have modified
> > > the TCP/IP stack in the kernel, so it needs to be recompiled and
> > > installed.
> > >
> > > eg: cd /usr/src/linux-2.6 && make dep bzImage install
> > >
> > > See your distribution documentation on how to install a new kernel
> > >
> > > From the openswan directory:
> > >
> > > make programs
> > > make KERNELSRC=/lib/modules/`uname -r`/build module
> > > sudo make KERNELSRC=/lib/modules/`uname -r`/build install minstall
> >
> > Stacks can be switched at runtime using protostack=<klips|netkey|mast>
>
> done
>
> > > For OCF HW offloading support, you need a patched kernel
> > > See: http://ocf-linux.sourceforge.net/
> > >
> > > #########################################################################
> > > # HOW TO INSTALL on Linux Kernel 2.4 systems
> > > #########################################################################
> > >
> > > The following instructions assume the kernel source tree is in
> > > /usr/src/linux-2.4. If this isn't the case, simply change the
> > > parameters in the instructions below.
> > >
> > > 1) Uncompress linux-2.#.#.tar.bz2 in /usr/src (or elsewhere), build a
> > > normal working kernel. This ensures any compilation problems
> > > that occur are isolated and resolved *before* any Openswan patches
> > > are applied to the kernel.
> > >
> > > 2) If you want NAT-T support, you need to patch your kernel and build
> > > a new bzImage. From the Openswan source directory:
> > >
> > > make KERNELSRC=/usr/src/linux-2.4 nattpatch | \
> > > (cd /usr/src/linux-2.4 && patch -p1 && make bzImage)
> > >
> > > Note: Build and install kernel as normal, as you have modified
> > > the TCP/IP stack in the kernel, so it needs to be recompiled and
> > > installed.
> > >
> > > eg: cd /usr/src/linux-2.4 && make dep bzImage install
> >
> > The only difference here is the "make dep" step right? Why not integrate in the
> > text above to avoid repeats?
> >
> > > 3) From the openswan source directory, build the userland tools, and
> > > ipsec.o kernel module:
> >
> > well the one other diff is ipsec.o vs ipsec.ko I guess.
> >
> > > Bugs with the package can be filed into our Mantis system, at
> > > http://bugs.openswan.org
> >
> > redmine :)
> >
> > > #########################################################################
> > > # SECURITY HOLES
> > > #########################################################################
> > >
> > > Hopefully none :-) If you find one, please email vuln at xelerance.com with
> > > details. Please use GPG (finger vuln at xelerance.com for GPG key) for this.
> >
> > I'd say:
> >
> > All security vulnerabilities found that require public disclosure will receive
> > proper CVE tracking numbers (see http://mitre.org/) and be co-ordinated via the
> > vendor-sec mailing list. A complete list of known security vulnerabilities is
> > available at: http://www.openswan.org/security/
>
> done
>
> >
> > > #########################################################################
> > > # DEVELOPMENT
> > > #########################################################################
> > >
> > > Those interested in the development, patches, beta releases of Openswan
> > > can join the development mailing list (http://lists.openswan.org -
> > > dev at lists.openswan.org) or join the development team on IRC in
> > > #openswan-dev on irc.freenode.net
> >
> > For those who want to track things a bit more closely, the commits@ mailing list
> > will mail all the commit messages.
>
> done
>
> > > #########################################################################
> > > # DOCUMENTATION
> > > #########################################################################
> > >
> > > The most up to date docs are at http://wiki.openswan.org.
> >
> > No trailing dots on urls please :)
>
> done
>
> Thanks,
> Davidm
>
> --
> David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
> McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
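An added pre-flight check for the prerequisites the draft README above lists (my example, not code from the Openswan README or from anyone in this thread): a kernel of at least 2.6.9 for NETKEY, the gawk/flex/bison build tools, the iproute2 and iptables runtime tools, and the gmp headers. It assumes a POSIX sh and that gmp.h lives under /usr/include or /usr/local/include.

```shell
#!/bin/sh
# Added example, not part of the Openswan README or this thread: a
# pre-flight check for the prerequisites the draft README lists.
# Assumes POSIX sh; the gmp.h locations are an assumption.

# kver_ge A B: succeed if dotted version A is >= B, field by field.
# Handles release suffixes such as "2.6.32-5-amd64" from uname -r.
kver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}   # drop "-generic" etc.
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# missing_tools NAME...: print each name that is not found on PATH.
missing_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || printf '%s\n' "$t"
    done
}

# Requirements from the draft README (iproute2 provides "ip").
BUILD_TOOLS="gawk flex bison"
RUNTIME_TOOLS="ip iptables"

preflight() {
    rc=0
    kv=$(uname -r)
    if ! kver_ge "$kv" 2.6.9; then
        echo "kernel $kv is older than 2.6.9; NETKEY there has known bugs" >&2
        rc=1
    fi
    for t in $(missing_tools $BUILD_TOOLS $RUNTIME_TOOLS); do
        echo "missing tool: $t" >&2
        rc=1
    done
    if [ ! -f /usr/include/gmp.h ] && [ ! -f /usr/local/include/gmp.h ]; then
        echo "missing gmp.h (gmp-devel on rpm, libgmp3-devel on apt)" >&2
        rc=1
    fi
    return $rc
}
if [ "${1:-}" = run ]; then preflight; fi
```

Run it as `sh preflight.sh run`; a non-zero exit means at least one prerequisite is missing and the reasons are on stderr.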