[Openswan Users] [Announce] Openswan 2.4.10 Released

Paul Wouters paul at xelerance.com
Tue Nov 6 16:41:48 EST 2007

Xelerance releases Openswan-2.4.10

This is a major bugfix release.

KLIPS now works again up to 2.6.22. The userland has various fixes in
the scripts, the NAT-T handling, and some workarounds for interoperability.

Most importantly, you can now use leftprotoport=17/0 to mean "any single
udp port", which is required for some L2TP implementations that use a
random high port but don't negotiate that port properly (e.g. OSX). There is
still a confirmed bug when interoperating with Microsoft ISA server and
Microsoft Vista clients using subnet-subnet tunnels, where Microsoft
seems to flip leftsubnet/rightsubnet on us midway through the negotiation.

Openswan 2.4.x is in maintenance mode only. We strongly recommend that people
switch to the openswan 2.5.x trees for their development.

As always, the GPG signed source code is available via web and ftp:


Since this release also fixes several openwrt issues, we
also released a binary package for openwrt, tested on a Linksys WRTG54gs
with kamikaze 7.07, which successfully sent this message through its tunnel.



Paul Wouters
Xelerance Corp.

* Some workarounds for openwrt related to starter and lack of modprobe [paul]
* Fix for sock.sk_stamp type change in 2.6.22 [dhr]
* Workaround for implementations that propose port 0 for l2tp to allow
  us to connect to all their ports (instead of only 1701) [mcr]
  This happens with Cisco VPN 3000, OSX and Windows XP. This relates to various
  reported bugs about rightprotoport=17/%any and CK_INSTANCE crashers
  Use the workaround for OSX clients using rightprotoport=17/0
* Backport of fix for xauth name containing a space [paul]
* Fix for final next payload in Aggressive Mode [David McCullough]
* Fixes for compiling against 2.6.22 [David McCullough / Hugh Redelmeier]
  (note: NAT-T KLIPS patch will not work on 2.6.23+)
* Speed gains in the scripts on systems with many interfaces [David McCullough]
* passert declaration fix [David McCullough]
* A missed nfmark -> mark case in ipsec_sa.h [David McCullough]
* Fix for ktime_to_timeval to use proper kernel versions [paul]
* Added back -DCONFIG_KLIPS_ALG in KLIPSCOMPILE, which we require when not
  building KLIPS with David's OCF patch [paul]
* Added SElinux patch in contrib/ [Venkat Yekkirala]
* Bugtracker bugs fixed:
  #449: 17/%any is a template conn problem [mcr]
  #708: vanilla kernel-2.6.19, KLIPS compile error (sock_unregister) [sergeil]
  #796: can't compile 2.4.8 on kernel 2.4.34 (module_param fix) [sergeil]
  #802: Error: "our client ID returned doesn't match my proposal" [mcr/paul]
  #813: incorporate bleve's lsb patch [tuomo]
  #824: defaultroute detection fails with PPP default route [sergeil]
  (this is also the bug introduced in 2.4.9 that causes failed subnet tunnels)
  #855: Pluto restart impossible on busybox [paul]
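As an added illustration of the 17/0 workaround described in the announcement (this is an editor's example, not the announcement's own text and not a sample config shipped by Openswan): a gateway-side L2TP/IPsec transport-mode conn in ipsec.conf, with the gateway pinned to UDP 1701 and the client side set to 17/0 so that a client proposing a random high UDP port, as the announcement says OSX does, is still accepted. The gateway address, the conn name, the virtual_private ranges and the surrounding settings are assumptions chosen for the example.

```ini
# /etc/ipsec.conf on the VPN gateway (constructed example; the address,
# conn name and surrounding settings are assumptions, not from the release)
version 2.0

config setup
    # NAT-T is needed for road-warrior L2TP clients behind NAT (assumed)
    nat_traversal=yes
    # RFC1918 space such clients may sit behind (assumed ranges)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn l2tp-psk
    type=transport
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    # gateway side (assumed TEST-NET-3 address); L2TP listens on UDP 1701
    left=203.0.113.10
    leftprotoport=17/1701
    # road-warrior client side
    right=%any
    # Pinning the client to one port, e.g. rightprotoport=17/1701, fails
    # for clients that use a random high UDP port and do not negotiate it
    # properly. With 2.4.10, 17/0 on the client side means "any single
    # UDP port", so whatever port the client proposes is accepted.
    rightprotoport=17/0
    auto=add
```

The value applies to whichever side is the L2TP client: the announcement phrases it as leftprotoport=17/0 in the introduction and as rightprotoport=17/0 in the changelog entry for OSX clients, and in the example above the client is "right". Nothing in the announcement changes how the gateway's own port is specified, so leftprotoport stays at 17/1701.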
