[Openswan dev] First pass README update
Harald Jenny
harald at a-little-linux-box.at
Thu Oct 14 03:06:35 EDT 2010
Sounds really good :-)
On Thu, Oct 14, 2010 at 02:04:05PM +1000, David McCullough wrote:
>
> Hi all,
>
> Here's the current version inline below for anyone following :-)
>
> Cheers,
> Davidm
>
> #########################################################################
> # Openswan 2.X Release Notes
> #########################################################################
> ************ See docs/RELEASE-NOTES.txt for more information ************
>
> Openswan is an IPsec implementation for Linux. It has support for most
> of the extensions (RFC + IETF drafts) related to IPsec, including
> IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.
>
> Openswan was originally based on FreeS/WAN 2.04 CVS with the X.509 Patch
> from Andreas, the NAT-T patch from Arkoon networks and some minor bug
> fixes from 2.05 and 2.06. See CREDITS for the history.
>
> Download it from
>
> http://www.openswan.org/code/
> ftp://ftp.openswan.org/openswan/
>
> #########################################################################
> # REQUIREMENTS
> #########################################################################
>
> Recent Linux distributions based on either Kernel 2.4.x or 2.6.x are
> the currently supported platforms.
>
> Most recent distributions have package support for openswan. Unless
> a source based build is truly needed, it is often best to use the pre-built
> distribution's packaged version.
>
> There are a few packages required for Openswan to compile from source:
>
> 1. The GNU Math Precision Library:
>
> Debian package names: libgmp3, libgmp3-dev
> Rpm package names: gmp, gmp-devel
>
> 2. awk, flex and bison
>
> Debian package names: gawk/mawk, flex, bison
> Rpm package names: ????
>
> 3. iproute2, iptables, sed, awk, bash, cut and possibly other tools
> are required at runtime.
>
> Debian package names: iproute, iptables, the rest are usually there
> Rpm package names: ????
>
> perl is also required for "ipsec verify".
>
> #########################################################################
> # HOW TO INSTALL on Kernel 2.6 (And Kernels with 2.6 IPsec backport)
> #########################################################################
>
> NETKEY (Native linux IPsec stack)
> ---------------------------------
>
> To use Openswan with the linux native (builtin) IPsec stack, the
> following steps should be all that are needed. Please use at least kernel
> version 2.6.9, as prior versions of the kernel have serious bugs in the
> native IPsec stack. From the openswan directory:
>
> make programs
> sudo make install
>
> Note: The ipsec-tools package is no longer needed. Instead iproute2 >= 2.6.8
> is required. For backported kernels, setkey and thus ipsec-tools might still
> be required. Run 'ipsec verify' to determine if your system has either one
> of the requirements.
>
> KLIPS/KLIPSNG (Openswan IPsec stack)
> ------------------------------------
>
> To use the Openswan KLIPS IPsec stack (ipsec0 devices) for Linux
> Kernels 2.6.23 and higher, the following steps should work. From the
> openswan directory:
>
> make programs
> make KERNELSRC=/lib/modules/`uname -r`/build module
> sudo make KERNELSRC=/lib/modules/`uname -r`/build install minstall
>
> For Linux 2.6 Kernels before 2.6.23, including 2.4 linux systems, the kernel
> requires patching if NAT-T support or SAref tracking is required. Full kernel
> source will be required as the kernel sources are being patched, built and
> installed. It is good practice to build and install an unpatched kernel
> before starting to ensure the process is correct. See your distribution
> documentation on how to build and install a new kernel.
>
> Determine the linux source directory, for example /usr/src/linux on
> most full source installs. It may also be /usr/src/linux-2.[46].X
>
> Add NAT-T support (if required).
>
> From the Openswan source directory:
>
> make KERNELSRC=/usr/src/linux nattpatch | patch -d /usr/src/linux -p1
>
> Add SAref tracking support (if required).
>
> Premade patches for some distributions' kernels can be found in
> patches/kernel/. It is recommended that kernel 2.6.32 or higher is
> used. Documentation on SAref/MAST can be found in docs/HACKING/Mast*
> and doc/klips/mast.xml. To understand what SAref tracking does, see
> doc/ipsecsaref.png and the overlapip= entry in the ipsec.conf man page.
>
> From the Openswan source directory:
>
> make KERNELSRC=/usr/src/linux sarefpatch | patch -d /usr/src/linux -p1
>
> Add OCF HW offloading support
>
> For OCF HW offloading support, you also need a patched kernel.
> See: http://ocf-linux.sourceforge.net/ for more details.
>
> Build and install a new kernel
>
> See your distribution documentation on how to install a new kernel.
> It should be something similar to:
>
> cd /usr/src/linux
> make oldconfig
> make dep (this step is ignored on 2.6 systems)
> make bzImage install
>
> Build Openswan
>
> From the Openswan source directory:
>
> make programs
> make KERNELSRC=/usr/src/linux module
> sudo make KERNELSRC=/usr/src/linux install minstall
>
> The Openswan configuration file can select which ipsec stack to use at
> runtime by using the "protostack=<klips|netkey|mast>" options in ipsec.conf.
> See the ipsec.conf man page for more information on configuration options.
>
> #########################################################################
> # UPGRADING
> #########################################################################
>
> 1. If you are upgrading from a 1.x product to Openswan 2.x, you will
> need to adjust your config files. See doc/upgrading.html for details
> on what has changed.
>
> 2. You can 'make install' overtop of your old version - it won't replace
> your /etc/ipsec.* config files
>
> #########################################################################
> # SUPPORT
> #########################################################################
>
> Mailing Lists:
>
> http://lists.openswan.org is home of the mailing lists. Note: these are
> closed lists - you *must* be subscribed to post.
>
> Wiki:
>
> http://wiki.openswan.org is home to the Openswan WIKI. It has the most
> up to date documentation, interop guides and other related information.
>
> IRC:
>
> Openswan developers and users can be found on IRC, on #openswan on
> irc.freenode.net. If you need more information on our IRC channel, see
> http://www.openswan.org/support/irc.php
>
> Commercial support for Openswan is also available - see
> http://www.xelerance.com/openswan/support.php for more information, or
> email sales at xelerance.com
>
> #########################################################################
> # BUGS
> #########################################################################
>
> Bugs with the package can be filed into our Mantis system, at
> http://bugs.openswan.org
>
> #########################################################################
> # SECURITY HOLES
> #########################################################################
>
> All security vulnerabilities found that require public disclosure will
> receive proper CVE tracking numbers (see http://mitre.org/) and co-ordinated
> via the vendor-sec mailing list. A complete list of known security
> vulnerabilities is available at: http://www.openswan.org/security/
>
> #########################################################################
> # DEVELOPMENT
> #########################################################################
>
> Those interested in the development, patches, beta releases of Openswan
> can join the development mailing list (http://lists.openswan.org -
> dev at lists.openswan.org) or join the development team on IRC in
> #openswan-dev on irc.freenode.net
>
> For those who want to track things a bit more closely, the
> commits at lists.openswan.org mailing list will mail all the commit messages.
>
> #########################################################################
> # DOCUMENTATION
> #########################################################################
>
> The most up to date docs are at http://wiki.openswan.org/
>
> Several high-level documents are in the doc directory. Most are in HTML
> format; see doc/index.html for the top level index. These are now
> considered obsolete.
>
> To build from source, you will need at least 60MB free (Source tree is
> currently 40MB)
>
> The bulk of this software is under the GNU General Public License; see
> LICENSE. Some parts of it are not; see CREDITS for the details.
>
>
> --
> David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
> McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
> _______________________________________________
> Dev mailing list
> Dev at openswan.org
> http://lists.openswan.org/mailman/listinfo/dev
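
A pre-build check for the kernel thresholds and runtime tools listed in the README draft above, added here as an example; it is not part of the original message or of Openswan. The function names (kver_ge, netkey_status, klips_build_mode, missing_tools, preflight) are hypothetical.

```shell
#!/bin/sh
# Added example: pre-build check using the kernel thresholds from the README
# draft quoted above. Function names are hypothetical, not part of Openswan.

# kver_ge A B: succeed if kernel release A is >= version B (first three fields).
kver_ge() {
    a=${1%%[-+_]*}          # drop distro suffix, e.g. "-5-686"
    b=$2
    for i in 1 2 3; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # keep leading digits only
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# NETKEY: the README asks for at least 2.6.9.
netkey_status() {
    if kver_ge "$1" 2.6.9; then echo ok; else echo too-old; fi
}

# KLIPS: 2.6.23 and higher build as a module; older kernels need the
# NAT-T/SAref kernel patches if those features are required.
klips_build_mode() {
    if kver_ge "$1" 2.6.23; then echo module; else echo patch-kernel; fi
}

# missing_tools NAME...: print the names not found on PATH.
missing_tools() {
    out=
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || out="${out:+$out }$t"
    done
    printf '%s\n' "$out"
}

preflight() {
    k=${1:-$(uname -r)}
    echo "kernel $k: netkey=$(netkey_status "$k") klips=$(klips_build_mode "$k")"
    m=$(missing_tools ip iptables sed awk bash cut perl)
    [ -z "$m" ] || echo "missing tools: $m"
    [ -d "/lib/modules/$k/build" ] || echo "no build tree: /lib/modules/$k/build"
    return 0
}

preflight "$@"
```

Run with no argument it checks the running kernel; pass a release string such as 2.6.22.19 to check a target kernel instead.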