[Openswan Users]

Paul Wouters paul at xelerance.com
Thu Jan 5 18:00:06 CET 2006


On Wed, 4 Jan 2006, frode at fritid.as wrote:

> I'm down to one connection (it worked with all of them, but I removed and merged as suggested).
> What will the next version of OpenSwan give me? (I'm still on 2.2.0)

v2.4.5 [to be released today or tomorrow]
* Fix for ipsec: Unknown symbol sysctl_ip_default_ttl
* Fix for compiling on 2.6.14 kernels
* Fix patching against 2.6.14 kernels
* Additions to barf and verify commands for various kernel internals
* load hw_random and padlock modules before aes module so hardware routines
  are preferred over software routines.
* allow rightsubnet= with type=transport for L2TP behind NAT.
* Refactored natd_lookup / hash code, probably fixes lot of NAT related bugs
* Fix for interop with Cisco devices which propose port 0 (e.g. VPN3000)
* When DPD rcookie is invalid, just warn instead of ignoring entirely
* Redid all the DPD log messages
  #401 l2tp connection does not work with 2.6 built-in IPSEC
  #442 Pluto uses wrong port in NAT-D calculation
  #450 macosx (possible generic PSK+NAT-T rekey bug: eroute already in use)
  #454 klips module refcount bug (found by Matthias Haas)
       (prevented klips from unloading on 2.4 kernels)
  #462 updated patch for Openswan and OS X with NAT-T
  #509 KLIPS compilation fail with kernel-2.6.14.2
  #518: Incorrect physical interface MTU detection
  #545 unnecessary warnings from _updown script

v2.4.4
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state)
  (see http://www.openswan.org/niscc2/)
  (proper fix in pluto_constants.h)
* Fix for kernels having strstr
* Various gcc4 warning fixes
* disable CONFIG_IPSEC_NAT_TRAVERSAL per default so we can build KLIPS on
  Fedora systems.
* questionable spin_unlock commented out. Might fix reported SMP crashers.
* update to permit alg code without module support
* Fix for detecting proper kernel source/header directory on fedora
* Various bugfixes as reported on http://bugs.openswan.org/
  #499: check for module support in kernel for IPsec Modular Extensions
  #500: recent awk breaks on 'setdefault' command


v2.4.3
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state)
  (see http://www.openswan.org/niscc2/)
  (incorrectly fixed; version not released)

v2.4.2
* Fixes for compiling on 2.6.14 by David McCullough
* Minor fixes to accommodate FC4 2.6.11 kernels.
* Fix for compilation of KLIPS on 2.4.x kernels.
* Fix for NAT-T on 2.4.31
* Fix for 'short' packets with KLIPS on 2.4.x
* Merged in Jacco's l2tp configuration examples
* Various bugfixes as reported on http://bugs.openswan.org/
  #286 Incorrect links in intro.html
  #344 netkey-acquire patch
  #376 install_ipsec_sa and install_inbound_ipsec_sa
  #486 ASSERTION FAILED at crypto.c:258: key_size==(DES_CBC_BLOCK_SIZE * 3)
  (see http://www.openswan.org/niscc2/)

v2.4.1
* Not publicly released

v2.4.0
* NAT-T support for KLIPS on 2.6 (Sponsored by Astaro)
* Additional Cipher support with KLIPS on 2.6 (Sponsored by Astaro)
* Fix for NAT-T/PSK rekey (Ulrich @ Astaro)
* Delete _updown.c and _updown.posix versions as they were obsolete
* Fixes for aggressive mode and policy mode
* Various bugfixes as reported on http://bugs.openswan.org/
  #201 pluto not accepting negotiations on port 500 after port floating to 4500
  #249 two default routes confuses scripts
  #261 2 RW's w/DPD behind a NAT kick each other off at rekey time
  #267 pluto crashes on inbound X.509 roadwarrior
  #269 informational crasher in demux.c
  #301 kernel_netkey.c lists invalid ESP algorithm
  #302 pluto assumes it has 3DES
  #305 passert_fail (pred_str=0x80b88e3 "st->st_suspended_md->st == st", file_str=0x80b86a0 "state.c"
  #306 st->st_suspended_md->st == st passert()
  #316 Patch for ALG support from Astaro
  #324 Impossible to disable AGGRESSIVE mode
  #327 pluto nat-t detection on 2.6 without klips nat-t patch fails to
       disable nat-t
  #328 ipsec setup fixes for awk compiled with --enable-switch
  #341 Pluto crashes with: ipsec__plutorun: !pluto failure!: exited with error
       status 134 (signal 6)
  #342 fix for 2.6.12 undocumented API fixes for sk_zapped and sk_alloc()
       (based on fix from Sergeil)
  #350 fix for passert() at connections.c:1353: isanyaddr(&c->spd.that.host_addr)
  #355 dpdaction restart fix from Astaro
  #357 secure_xauth_username_str fix from Astaro
  #360 checkv199install creates bogus "old" files
  #361/#363 fix for passert() demux.c:1204: unknown address family in
       anyaddr/unspecaddr
  #368 Fix for ipsec --setup --status output and eroute counting
  #372 Netkey and device labels (eth#:#)
  #373 _updown_x509 still uses obsolete 'route add' commands
  #377 pluto crashes processing first connection if nhelpers=0
  #380 pluto crashes when sent an IKEPING
  #381 assertion failure in init_demux if AGGRESSIVE not defined
  #383 MODP >= 4096 FIX
  #386 undefined symbols compiling klips as module
  #387 / #420 pfkey_ops undefined error on SMP kernel compiles.
              possibly fixed, but may result in SMP unsafe-ness.
  #342 KLIPS cannot be compiled for 2.6.12+
  #415 RPM packaging errors for 2.4 based kernels
  #416 Need a way to tell if NAT-T is compiled in the IPSec kernel

v2.3.1
* NAT-T RFC support (mlafon/mcr)
* NAT-T Server Side rewrite - handles rekeying a lot better
* NAT-T Client Side rekey bug fixed
* Removed HowTo (obsolete)
* IPKG packaging updates
* Log message updates
* dpdaction=restart support

v2.3.0
* KLIPS for 2.6 support (Experimental)
  [ good results on FC3-AMD and vanilla/debian kernel source, but not
    FC3-intel. Might be the grsecurity patch  ]
* Aggressive Mode Support (client and server)
* IKE Mode Config support (Experimental)
* Cisco VPN 3xxx client Interop (Experimental)
* Cryptographic helpers framework
* Fixes for NAT-T on 2.4.28+ kernels.

Needless to say, no one should be using 2.2.0 :)

> My only concern now is that the passwords for the VPN are in cleartext in chap.secrets.
> Do you have any knowledge of when PAM will be available in OpenSwan by default?

It is available, but we haven't really tested it much. You can change the
setting in Makefile.inc and recompile with PAM enabled, and share your
experience.

Paul

