New and notable in 1.91: The big news this time is prototype opportunistic encryption, and bug fixes. This release goes back to the "main line" of development; it's not an offshoot like 1.9 was. This means it incorporates some code that's a bit more experimental than 1.9, but the divergence has just gotten too large to back-port all the important fixes to 1.9. Opportunistic encryption is starting to be usable; see doc/opportunism.howto for the gory details. (Better docs are coming.) There is now a sample opportunistic connection description in ipsec.conf. We think all the memory leaks in KLIPS have been fixed. It works with current 2.4.x kernels (2.4.5 as of the time of writing). Compatibility with earlier 2.4.x kernels may have been sacrificed to some extent. When the hardware device "underneath" an ipsecN device goes down, the ipsecN device doesn't actually go down, to prevent loss of routes and packets going out in the clear if the hardware device comes back up. The assembler assist for compression has been re-enabled, thanks to a fix from Svenning Soerensen (who has also been very helpful with the memory leaks, and with updating to match the current 2.4.x kernels). The spin-lock bug, which caused kernel hangs in SMP-enabled kernels when AH+ESP or compression was used, has been fixed. The ipsec_setup script has been extensively rewritten, and the machinery behind it has changed quite substantially. The only user-visible effect should be that the plutobackgroundload parameter is now ignored, because the connection setup is always done in the background. (Another effect, possibly visible in unfortunate cases, is that if Pluto dies a messy death, the scripts will log the fact and restart it.) Oh, and the exit status of ipsec_setup should now be more accurate. A 2.2.x kernel's net/Config.in file is now patched using a patch appropriate to 2.2.19, BUT NOT to earlier 2.2.x kernels. (If you must use an earlier 2.2.x, "cp klips/patches2.2/net.Config.in klips/patches2.3" before building.) While continuing to offer a nice large MTU, KLIPS now detects attempts at path-MTU discovery, and deals with them honestly, so that systems trying to do things right will not be misled (perhaps disastrously). (This is mostly another Svenning Soerensen fix.) The "honest" MTU is also now reported in the ipsec_tncfg output. As a first step toward avoiding kernel rebuilds, there is now an experimental facility for doing *just* a module build as part of the installation, bypassing the rest of the kernel build. Where you'd normally type (e.g.) "make xgo" and "make kinstall", type "make xmod" and "make minstall" instead. (You still get to do a kernel configure, but the only essential bit is to set IPsec to install as a module.) Not perfect, and not yet tested on any great diversity of systems, but it's a start. The default handling of packets for which no eroute exists is now controlled by a packetdefault parameter in the config-setup section of ipsec.conf, instead of always defaulting to "drop". This supersedes the no_eroute_pass parameter, which no longer exists. There is a new family of special "shunt" eroutes, implementing this and also relevant to opportunistic encryption. (A side effect of this is that SPI values supplied for manual keying are now *required* to be 0x100 or higher, whereas formerly this was merely strongly encouraged.) Incoming policy checking has been beefed up slightly, and in particular IPIP encapsulation will be removed only if it is expected. (Incoming checking still does not, alas, check the most important thing: whether the addresses inside the encapsulation are acceptable.) Vestigial code for the ESP transforms with no encryption, which have not really been supported for some time, has been taken out. There is a new value for the auto parameter, "route", probably useful mostly for opportunistic encryption. The _updown script now handles one case specially: a far-end subnet of 0.0.0.0/0 is routed with a pair of routes, one for 0.0.0.0/1 and one for 128.0.0.0/1, to kludge around a problem found during opportunistic testing. Rsasigkey's "pubkey" output (used by showhostkey) is now in base64 rather than hex, for slightly greater compactness and easier eyeball comparison of keys. Setup will attempt to load a KLIPS module only if the kernel has modules, will refuse to start IPsec if it appears to be started already, and will comment (but continue) if asked to stop IPsec when it does not appear to be running. (The exit status from a stop request reflects this.) Also, "ipsec setup status" now gives a (terse) report of whether IPsec appears to be running or not, and reports in more detail if inconsistencies are found (e.g. no Pluto running). CAUTION: the status-report syntax has changed slightly from its original version. Showhostkey has a --txt option (which takes a gateway parameter) to generate the TXT record used in opportunistic encryption. Auto now defaults (left/right)nexthop to %direct, instead of trying to fill in right/left, to avoid problems in opportunistic setup in particular. The prototype ipsec.secrets file no longer includes a shared-secret example. The startup/shutdown priority of IPsec, in the fallback case of systems which do not have chkconfig available, has been fixed to be compatible with what chkconfig will do. The default build-a-kernel target is now "boot" for any non-x86, not just for the Alpha. (Unfortunately, "boot" doesn't do the right thing on the x86 at present.) The distribution now includes preliminary KLIPS2 documentation, to facilitate comments and review. KLIPS's utility programs no longer accept one-letter options, to avoid confusion in cases of misspellings etc. Private (x- etc.) parameters are now stripped from _confread's output, to avoid shell complaints in some situations. There should be no user-visible effects, except perhaps to folks who have been unwisely relying on undocumented properties of the implementation. Eroutes now have accounting data associated with them, to aid Pluto in managing them (especially in the opportunistic case). Should be no user-visible effects, except for slightly different output from ipsec_look. Pluto has been fixed so that all preparations necessary for whack to talk to it are done before it spins off into the background, eliminating an old race condition. The IPSECDIR variable supplied by the ipsec prefix command is now IPSEC_DIR, and there is a new IPSEC_VERSION variable also supplied. Most scripts now use this in their --version reporting. The old manual-keying stuff in the sample ipsec.conf has been removed. As usual, there are assorted small bug fixes and improvements to docs and messages. New and notable in 1.9: The big change is that it works with the 2.4.x kernels (specifically, 2.4.2 at the moment). KLIPS Makefiles have been converted to the new 2.4.x style, with backwards compatibility for use under 2.2.x and 2.0.x. Various small KLIPS fixes have been done for 2.4.x kernels. Inability to start KLIPS now causes a quicker and cleaner abort of the whole startup operation. Routing failure in _updown is now diagnosed in more detail, at Claudia's suggestion; mysterious difficulties there are a frequent user problem. Incorporated Olivier Kurzweg's fixes so that auto= parameters can now be picked up from %default sections or sections appended by also=. Pluto (and rsasigkey) have been fixed to do the "lcm" optimization for RSA private keys... which means that Pluto should no longer reject most keys generated by modern versions of PGP. There is a new --noopt option for rsasigkey, which suppresses the optimization, to generate private keys compatible with the old Pluto. (Note that public keys are unaffected; for the normal way RSA keys are used, all that matters is that a host's own Pluto is compatible with the rsasigkey used to generate that host's key.) showhostkey now has options to produce ipsec.conf (left/right)rsasigkey lines. It retains information on when and how the key was generated, as comments. The default hostname, for DNS format, now comes from the hostname supplied by rsasigkey (NOTE INCOMPATIBLE CHANGE) rather than from "hostname --fqdn". Inability to communicate with Pluto (e.g. because Pluto has died or was never started) is diagnosed better. An obscure bug that caused Pluto to die midway through negotiating a connection has been fixed. Pluto now notices whether the kernel supports compression, and will refuse to negotiate it if there is no kernel support. Better diagnosis of the %any-plus-no-id-plus-RSA-key case in ipsec.conf, not a sensible usage but some people ran into it accidentally. The ipsec command now has a --directory option, reporting where the IPsec commands are kept, and a report of this is included in barf output. There is now a global overridemtu parameter in ipsec.conf, which can be used to force a smaller value for the MTU of the ipsecN devices. A bunch of utilities used for building the docs have moved out of utils and into a subdirectory of doc. Should be no user-visible effects. As usual, there are assorted small bug fixes and improvements to docs and messages. New and notable in 1.8: FreeS/WAN now uses the system's GMP library (WHICH MUST EXIST) rather than carrying its own private copy. This requires not only the GMP library itself, but also any "GMP development" package too -- these ship with all normal Linuxes, but might not be installed by default. (Note, "GMP" and "GPM" are completely different libraries, despite the similarity of name.) The problem with ping and tcpdump (and possibly some other software) being unable to see large packets emerging from a compressed connection has been fixed. KLIPS locking has been extensively revised, curing a number of mysterious performance problems. (We hope it hasn't introduced any new bugs...) The default updown script's comments have been extensively revised, in hopes of making its workings clearer and facilitating customization. IPComp has been smartened up (thanks again to Svenning Soerensen) and is now somewhat more intelligent about when it should try to compress. The internal configuration-file reader is progressively getting fussier about what it will accept, which may cause problems for illegal ipsec.conf files whose sins previously passed unnoticed. IN PARTICULAR, the "auto" parameter's values are now checked for legality everywhere. Pluto has some experimental code in it to give better reports of who's to blame when our packets are being refused. This depends on some new (non-FreeS/WAN) kernel stuff (IP_RECVERR) that isn't well documented yet... The ipsec_setup code implementing the forwardcontrol parameter is now smart enough to turn forwarding on only if it was previously off, and turn it back off only if it was originally off. Ipsec_manual has been updated: it copes with inbound policy checking properly, and invokes updown scripts rather than having its own default commands wired in. Several scripts which depend on being able to standardize output from certain commands now unset even more environment variables, in an attempt to keep up with the latest vagaries of the internationalization botches. The distribution no longer contains any binary files (a couple of them sneaked in deep in the mysterious innards of libdes, but they appear to have been spurious) or symbolic links. The top-level Makefile now supports "make backup" (makes a tarball in the current directory, name of the form backup-2000-Nov-29.tar.gz, containing everything FreeS/WAN install touches except the kernel and its sources) and "make unpatch" (takes all of our patches out of the kernel sources; note that a couple of kernel-source files get altered by other means, but they are included in "make backup"). The verb Pluto supplies to the updown script was wrong when the local subnet contained only a single host (should have ended in -client, was ending in -host); this has been fixed. The output of "ipsec auto --status" has changed in several small ways, for the better we hope. As usual, there are assorted small bug fixes and improvements to docs and messages. New and notable in 1.7: Fix for nasty Pluto bug: When starting to negotiate a connection, Pluto has to guess which connection is the appropriate one. Shortly thereafter, it finds out for sure, and may have to switch; this switch did not work if the guessed connection had a subnet and the right one didn't, or vice versa. The symptom was mysterious and inappropriate complaints about being unable to negotiate because "no connection is known for..." Another, not quite as bad but serious in the context of our slightly unstable IPComp: with compress=no or no compress parameter, Pluto wouldn't propose compression but would accept a proposal with compression, if the other end made it. Now it refuses. (Finer control is really needed, but this will do for now.) A null-pointer KLIPS bug which caused a hard crash on the first incoming packet in a number of situations (manual keying, IPComp negotiated but not supported in kernel, etc.) has been worked around. New and notable in 1.6: The documentation has been re-organised and parts of it re-written. There is a better table of contents (doc/toc.html), or you can have the docs as one big file (doc/Howto.html). Installation is now in a separate section (doc/install.html) and the configuration section now assumes auto keying and RSA authentication as defaults. We now implement IPComp, the protocol for pre-encryption data compression. (Because encrypted data doesn't compress much, hardware compression is useless for encrypted connections, and compression *before* encryption is necessary.) We do only the Deflate algorithm, the control code is not too smart yet, and the whole thing is STILL A LITTLE BIT EXPERIMENTAL... so it defaults to "off" in the kernel configuration. (NOTE NEW KERNEL OPTION, which you won't see if you drop 1.6 in on top of an existing FreeS/WAN -- this is a bug in the installation machinery.) Beware: if you ask Pluto to negotiate a compressed connection, it *assumes* that the kernel is configured to do IPComp, and chaos will ensue if it's not. Also beware: neither ping nor tcpdump cope well with compressed connections, although more mundane programs like ftp don't have any trouble. (Credits: Svenning Soerensen contributed preliminary versions of most of this code.) The internal library has been extensively overhauled for IPv6 support, as have Pluto and the KLIPS utilities. KLIPS itself can't do IPv6 yet, though, so this isn't too useful so far. Some IPv6 loose ends like user interface haven't been tidied up yet either. Diffie-Hellman modp 768 Group, aka "Group 1", which is cryptographically unacceptably weak, is NO LONGER SUPPORTED. Automatic keying will now work only with systems supporting the stronger Group 2 or the still-stronger Group 5; almost everybody does at least Group 2 anyway. As part of the IPv6 support, changes were made to the Pluto/updown interface. See pluto(8) for the details. One oft-requested feature is some new environment variables in net/mask format. The changes are "upward compatible", so the version environment variable was changed from 1.0 to 1.1. Unfortunately, the version-variable change WILL BREAK many customized updown scripts. The standard _updown now rejects attempts to run it from older versions of Pluto, but accepts attempts to run it from newer ones. Older _updown versions, which many people have used as the basis for their own custom ones, were fussier and will *not* run with newer Plutos -- e.g., this one -- so they will need to be updated. Various changes have been made to prefer RSA authentication, the patent having expired. IN PARTICULAR, authby=rsasig is now in the "conn %default" section in the sample ipsec.conf. There are new configuration parameters to control several kernel options, which can now be changed at startup time instead of having to be fixed at kernel-configuration time. The defaults are the same as the old behavior. There is now a configuration parameter controlling whether the TOS field of a tunnel packet is cleared or copied from the enclosed packet. The default IS DIFFERENT from the old (copy) behavior, which we believe represented a security flaw: default is now to clear TOS. There is a new configuration parameter, uniqueids, to control a new Pluto option: when a new connection is negotiated with the same ID as an old one, the old one is deleted immediately. This should help eliminate dangling Road Warrior connections when the same Road Warrior reconnects. It thus requires that IDs not be shared by hosts (a previously legal but probably useless capability). NOTE WELL: the sample ipsec.conf now has uniqueids=yes in its config-setup section. Pluto has prototype experimental support for initiating and responding to opportunistic negotiation. A connection is considered for instantiation for opportunism if it has a peer of %opportunistic (the connection description must not specify a client for the peer). Currently, the only way to provoke an opportunistic initiation is to use whack to simulate the interception of an outbound flow (do a "whack --help" and look at opportunistic initiation). These features are lightly documented because they are experimental. Limitations: no actual interception of packets, DNS query synchronous. Auto (and hence whack and Pluto) now recognize some magic keywords for special addresses, instead of overloading 0.0.0.0 and such: + --host %any signifying any IP address, for Road Warrior, replacing 0.0.0.0 or 0::0 + --nexthop %direct signifying "same IP as peer", replacing 0.0.0.0 or 0::0 + %any and %any6 as indices in ipsec.secrets to match IP addresses of Road Warriors (replacing 0.0.0.0 or 0::0) + --host %opportunistic signifying that the peer is actually to be discovered from the reverse DNS entry for the peer's client. This replaces --host 0.0.0.0 --client 0.0.0.0/32 (and IPv6 variants). The old 0.0.0.0 forms continue to work... for now. In ipsec.secrets, if multiple entries are the best match for the connection, they must all have the same secret. In the past there was no code to compare RSA keys, so separate RSA entries were assumed to be different. Now they are compared. The Pluto compile tries to figure out whether it's on a system that has a modern resolver library, by looking at __RES in . Possibly it gets some borderline cases wrong; we would appreciate bug reports. Pluto now tries to defend itself against the clock being set backwards. The risk is that events might be delayed a lot. Still no protection against clock being moved forward. Interfaces that share IP addresses with others are ignored by Pluto, avoiding a case it cannot handle gracefully yet. The ipsec command has had its copyright goo split off into --copyright, to reduce clutter in --version output. Also, its --version option now checks to see if it can determine the KLIPS version; if so, it checks that against the userland version, and adjusts its output if the two are different. Ranbits and rsasigkey have had their key-size limits expanded. Rsasigkey hasn't gotten any faster, though; it will now blithely attempt to generate a 20000-bit key, but your machine will probably die of old age before it finishes. Pluto now rejects some forms of ID payloads that it doesn't support. Manual now recognizes %default to mean 0.0.0.0/0. The sample ipsec.secrets now uses the explicit "PSK" format for its sample shared-secret entry. Barf now shows the values of the /proc/net/ipsec/* flags. IPsec startup now checks for the presence of both /dev/random and /dev/urandom, since various things use both. The last vestiges of support for the old netlink user-kernel interface are vanishing fast. Progress is being made toward more sophisticated PFKEY2 Pluto-KLIPS communication; no spectacular new features to report yet. The KLIPS bypass for UDP/500 and type=passthrough used to misbehave on very large packets; fixed. In ipsec.conf, parameters with names starting with x_ and X_ are now reserved for user customization, like ones starting with x- and X-. /proc/net/ipsec_spinew is gone; it was never used and is no longer useful. Rsasigkey now puts the host name in its output (and accepts an option to override the automatically-determined one), which makes keys more self-identifying. Look bug fixed: the sorting of the route info was affected strangely by environment variables in some (now obsolete) Red Hat releases. Setup now unsets MODPATH and MODULECONF before calling modprobe, to ensure that only system modules get loaded. Auto gives --id to whack only if an id parameter was explicitly given, solving some subtle problems with doing Road Warrior with shared-secret authentication. As usual, there are assorted small bug fixes and improvements to docs and messages. New and notable in 1.5: Netlink support for user-kernel communication is gone. Pluto's logging has been revised, although it still needs more work. There are now manpages for the /proc files that KLIPS provides. Pluto now avoids generating SPIs in the range 0x100-0xfff, effectively reserving that range for manual keying. Rsasigkey is now capable of taking old-key input from standard input. Also, a buffer-size bug in it, which fouled up generation of keys larger than about 2048 bits, has been fixed. The update to the kernel configuration files is now done by copying and renaming, which breaks hard links; this solves some problems and with luck won't cause others... Some of Gerhard Gessler's mods for IPv6 support have been added. (This is only a very small first step; full IPv6 support is still far away.) Barf now tries harder to find the right files in /var/log, and also makes a first attempt at finding updown scripts. A bug in AH hash setup has been fixed. This breaks interoperability with previous PF_KEY FreeS/WAN, but fixes it with other implementations. Only people using AH -- not many -- should be affected. There are now prepluto and postpluto parameters in the "config setup" section of ipsec.conf, to permit running user-supplied commands just before and after Pluto startup (e.g., to briefly decrypt an encrypted version of ipsec.secrets). The startup output about version and devices has gotten much shorter (a somewhat more complete version is still found in the logs). Print a debug warning about bogus packets received by the outgoing processing machinery only when KLIPS debugging is on. Added configure option to shut off NO_EROUTE_PASSTHROUGH default (arcane special requirement, most users should not have to care). Some small changes have been made to minimize warning messages in compiles. A bug in Pluto Road Warrior support has been fixed: in responding to Phase 2 / Quick Mode, once the client subnets (if any) are known, Pluto must reselect which connection to use. If it didn't happen to be using the right one already, and no ID was explicitly specified for the peer, and the right one is a Road Warrior connection, the right one would not be found. Pluto now uses exponential backoff in retransmitting packets. It also has a special provision to attempt retransmission more times in the case of an initiating message when an unlimited number of retries is specified. The ipsec_look output has changed a bit, adding more information and revising the format slightly. Some bugs in barf's key/secret censoring have been fixed. As usual, there are assorted small bug fixes and improvements to docs and messages. New and notable in 1.4: A nasty bug in which a corrupted sequence number in a packet could paralyze a connection, causing all subsequent packets to be rejected as "duplicate", has been fixed. Setting DESTDIR in the top-level Makefile now puts everything under there (and suppresses the chkconfig run), for building systems to be installed elsewhere. Beware, the lower-level Makefiles don't explicitly know about this yet, the override works only from the top. Pluto has the beginnings of DNS key fetching. "leftrsasigkey=%dns" will arrange for that key to be fetched. It's a bit slow as yet. ipsec_rsasigkey now generates a DNS KEY record as part of its output, and has a --oldkey option that can be used to update old keys (previously generated by it) to the current format with the new information. There is now an "ipsec showhostkey" command, which (given suitable permissions, i.e. usually root) will build a DNS KEY record based on /etc/ipsec.secrets. In the absence of an existing /etc/ipsec.secrets, installation includes automatic generation of an RSA host key. Comments have been added to the default updown script, warning people that installing a new release overwrites it. (They should use a different name for a locally-customized version.) There is a new "config setup" parameter, "plutobackgroundload", which moves initial connection loading and startup into the background. This is experimental, but may be of use to people who need fast system boots. Startup and shutdown are now quieter, with less blow-by-blow narrative from ipsec_setup. ipsec.conf include processing has been made much more efficient, as the first step in faster FreeS/WAN startup in large configurations. The PFKEY2 kernel interface is now the only one supported. Accordingly, /dev/ipsec is no longer needed or created. KLIPS's PMTU messages are now disabled by default, because they caused problems for some people. The hole that exempts IKE packets from IPSEC processing was a little too wide -- it could let IKE packets from other machines through in clear -- and so it has been narrowed. As usual, there are assorted small bug fixes and improvements to docs and messages. New and notable in 1.3: Pluto now uses a separate "updown" script (changeable via ipsec.conf, the default is "ipsec _updown") to manipulate routing and firewalls. This should make it much easier to customize this stuff for local needs. Pluto now supports per-connection debugging flags. The conversion of userland-kernel communications from netlink to PFKEY2 is nearly complete; netlink is increasingly unsupported. PFKEY2 support is now defaulted to y in kernel configuration. New command, ipsec showdefaults, to show %defaultroute defaults (if any). left/rightnexthop=%defaultroute can be used even if left/right is specified explicitly. (Limitation: some cases with %defaultroute used on one side but not the other will be rejected as errors, incorrectly.) Left=leftnexthop, or right=rightnexthop, is now diagnosed as an error. Fixed a bug in ipsec_look: it didn't deal with %defaultroute properly. Various small improvements to rsasigkey, including ensuring that the key is exactly the specified number of bits. Barf's secret-censoring has been fixed to censor private parts of RSA keys. The patcher now tries to ensure that a weird user umask doesn't mess up file permissions during patch application. (It's hard to get this really right, but this is a first attempt.) The internal ipsec.conf-reader utility, and the text-to-address conversion routine, now object to unprintable characters. The INSTALL file has been trimmed back severely, and is now aimed at experts only; the HTML docs provide full install instructions for novices, as they can do it better. /proc/net/ipsec_spi contents have changed, to show individual stats only if non-zero, and shorten and clarify a number of details. Added inbound policy-checking code, currently experimental and temporarily disabled, to reduce the number of packet leak paths. Shortened KLIPS debug output per packet. Spigrp now has an (undocumented) --said option to use more modern syntax. Support for 2.3.xx kernels has improved (our thanks to Marc Boucher), and some bugs introduced by 2.3.xx kernel evolution have been fixed. A bug in virtual interfaces (IP aliasing) has been fixed. In general, a bunch of bugs in the hurriedly-prepared 1.2 release have been fixed. As usual, there are assorted small bug fixes and improvements to docs and messages. New and notable in 1.2: [Later addition: somewhere around this release, the ESP transforms using null encryption -- providing authentication only -- stopped being supported, as a policy decision.] The patcher has been improved to handle the case where a patch has gone away (give it no key+patchfile arguments) and the old version must be undone. A number of the kernel patches have, in fact, gone away; for example, all device, proc_fs and protocol registrations are now done dynamically even for static-linked configurations. A %defaultroute feature has been added for automatic configuration in the simplest case (IPSEC on only one interface, the one the default route points to); it can supply both the interfaces parameter and the address and nexthop of one host. The sample ipsec.conf has been simplified to exploit %defaultroute, and has generally been cleaned up. User-kernel communication is being converted to use PFKEY2 (RFC 2367), although not quite everything has yet been taken care of. The old netlink-based code still works, for now. There are new facilities in the library for doing PFKEY2 communication. All of this should produce no user-visible changes except in log messages (which have changed a lot). NB, Peter Onion helped out greatly in this. Experimental facilities for RSA digital-signature authentication have been added to Pluto and ipsec_auto, and there is an rsasigkey utility for key generation. This stuff is not yet well shaken down, or well documented. There is a new configuration parameter, spi, for ipsec_manual, simplifying SPI assignment for FreeS/WAN-to-FreeS/WAN cases. Standard manual-setup keys are supplied in the sample ipsec.conf to aid testing. The kernel now builds its own copy of the internal library, avoiding some perennial problems with compile-option mismatches etc. (Marc Boucher did a lot of this.) The KLIPS code now gets symlinked into the kernel tree file by file, instead of with one symlink to the directory. This has pros and cons, but in particular it does work much better with the standard Makefiles, and various little things have been done for better kernel integration. The ipsec command now supplies PATH and IPSECDIR to commands under it, and IPSECDIR is filled in at build time rather than being hardwired; also, it can be different from where things are being installed. Various undocumented aspects of the /proc output have changed; be warned. Of note are rather more per-SA statistics. KLIPS now has IPSEC SA expiry based on reaching hard limits of allocations, bytes, addtime, usetime, and replay counter rolling. A double locking bug which hit 2.0.36 (but not 2.0.38) has been fixed. As usual, there are assorted small bug fixes and improvements to docs and messages. New and notable in 1.1: It now runs on the 2.2.xx kernels (we strongly recommend 2.2.12, not earlier ones, for non-FreeS/WAN reasons), although there may still be some bugs in transport mode. Preliminary 2.3.xx support is in too. Automatic rekeying has been heavily revised to fix some subtle bugs (notably the "shoelacing" problem), and to vary its timing (see the new "rekeyfuzz" parameter in ipsec.conf) so that sites with many connections don't try to rekey all of them simultaneously. The bugs which made our interim Road Warrior support not work have been (we hope) fully fixed. type=tunnel and keyexchange=ike are now defaults in the ipsec.conf file, cutting down the bulk of a simple connection entry. Also, an empty value for a parameter is now exactly equivalent to the default value (whereas previously the meaning of this was parameter-specific and ill-defined). The documentation now includes a permuted index. Pluto has been fixed to use the correct length for DH values, which does create a problem: about one time in 256, it won't interoperate properly with older Plutos (because the older ones got this wrong when the DH value had a leading zero byte). As a transition measure, there is a kludge in place which *should* cause Pluto to retry immediately in that case; cautious people who don't have to deal with old Plutos might want to switch that off (look for the DODGE_DH_MISSING_ZERO_BUG macro in the Pluto Makefile). The kernel-patch applier has been changed so that if the patch seems to have been applied already but there is no record of that, it assumes that everything is okay. THIS MEANS IT WILL NOT TRY TO BACK OUT AN OBSOLETE PATCH FROM A PRE-1.00 RELEASE. Anyone upgrading from a pre-1.00 release to this release will have to start with a virgin kernel. (The reason for this change is that some of our kernel fixes are now showing up in the official Linux kernel releases.) Also, patch-applier output is now saved in out.kpatch for later inspection, and a failed patch results in the target file being restored to its original state (with the evidence saved in foo.c.mangled). The ipsec[0123] device is configured down if the attached physical device disappears. This is useful to prevent laptops from crashing when a PCMCIA card is removed. KLIPS now does data-structure locking to prevent some race conditions. The kernel "make oldconfig" is now supported, via "make oldgo". Variable length PPP headers are now supported (Thanks MB). Some attempts have been made to smarten up the logic which tries to figure out where boot scripts go. It's still not perfect. "ipsec look" now sorts each section of its output, and generally has had some small format changes to make it more helpful. ipsec --version reports the version of FreeS/WAN (even if KLIPS etc. is not running at the moment). There is now a default mechanism in ipsec.conf, so it's possible to set defaults which apply for the rest of the file, to simplify repetitive connection descriptions. (Look for %default in the manpage.) The machinery which reads ipsec.conf now detects unknown parameter names and considers them an error. (Names beginning with x- or X- are exempt, they are permanently reserved for user customization.) A bug in script handling of virtual interfaces (for IP aliasing) has been fixed. The manual pages are now installed more intelligently, under all the appropriate names rather than just some. Several scripts which depend on the output of ifconfig now set environment variables to try to ensure that the output is in English even if the user is set up for another language. We've begun using an ip_address type internally, to hide the details of addresses with an eye on long-term IPv6 compatibility. There is now a dumpdir parameter in ipsec.conf, to specify where Pluto core dumps should occur if they are allowed at all (of relevance to advanced developers only). Pluto's innards have generally been revised and cleaned up. Devices ipsec2 and ipsec3 have been added, to increase the number of interfaces which can have IPSEC on them. /proc/net/ipsec_klipsdebug has been added to provide feedback about the current KLIPS_DEBUG settings. It is read-only. There is much new code in the innards for PF_KEY2 support, although it is not active by default yet, because it is still highly experimental. As usual, there are assorted small bug fixes and improvements to docs and messages. New and notable in 1.00: INSTALL procedures have changed, to require less typing by having the Makefile do most of the dirty work. The old procedures are still available; see doc/impl.notes if required. More attention is paid to the fact that many people do not use the kernel "make install" to install their kernels... although there are limits to how much help we can offer, considering the complexity of the problem. doc/kernel.notes offers some observations on our experiences. The default permissions on ipsec.conf are now rw-r--r--, not rw-------. Command syntax for manual and auto has changed; for example, to bring an auto connection up, say "ipsec auto --up name", not "ipsec auto name up". The old syntax is still accepted, temporarily, but will draw warning messages. Communication to Pluto (auto+whack) now uses Unix-domain sockets, so that permissions can be used to control access. Configuration parameters for automatically-keyed connections have changed, with the "encrypt" parameter gone and "auth" replacing "authenticate" (with different values). A new config-file parameter, "also", permits putting a connection description together piece by piece (with some pieces possibly in other files, for greater security). A new config-file parameter, "auto", cooperates with a new "%search" value for the plutoload and plutostart setup parameters to allow connections to be loaded and started automatically at IPSEC startup time, without having to list all the names in plutoload or plutostart. A new connection type, "passthrough", supports having some types of traffic bypass IPSEC processing altogether. (Manual "keying" only.) Auto's --replace operation now also does --rereadsecrets. The kernel patches are now applied by a more sophisticated script, which in particular can undo old patches when the patches change (and can tell when this has happened). The downside is that everybody gets to install from virgin kernel sources *once*, because the patcher can't undo patches made by previous versions (they didn't leave enough information around). Many of the more obscure examples formerly found in ipsec.conf are now in doc/examples instead. PMTU and fragmentation issues have been cleaned up w.r.t. RFCs. The kernel configuration includes a switch to shut off ICMP PMTUD messages if hosts get confused by receiving ICMP PMTUD messages *and* ACKs. Several of the configuration parameters for automatically-keyed connections have changed name; notably, "lifetime" is now "keylife", and "rekeystart" is now "rekeymargin". Wildcard file includes are supported within ipsec.conf and ipsec.secrets. The ipsec.conf processing has been cleaned up, made fussier about errors, and centralized for easy changes. ipsec_barf output is more complete. The censoring of keys and shared secrets in barf output is smarter: now it prints checksums instead of just deleting the sensitive information, so there is some hope of being able to tell whether (for example) two keys are identical. The "ipsec" wrapper command is no longer willing to run commands from anywhere except its own directory. The rekeytries parameter has become keyingtries, and applies to initial setup as well as rekeying. (Whack and ipsec_auto return after the first try, but tries continue if keyingtries>1.) A value of 0 means "a really big number". Pluto now respects the policy options of a connection (e.g., "--pfs") even if the other end is initiating the connection. Various rough edges in Pluto associated with disagreements between the two ends have been cleared up. Error messages and logging have generally been improved, and there have been the usual assorted bug fixes. Installation now uses "install" instead of "cp". New in 0.92: The biggest change is that the configuration/control files are completely different. /etc/sysconfig/ipsec, /etc/ipsec-manual, and /etc/ipsec-auto have merged to become /etc/ipsec.conf, there is now a unified connection- description format within it that either manual or auto can use, and various other touchups have been done. /etc/isakmp-secrets also has changed format, and is now /etc/ipsec.secrets. It implements the same "include" mechanism as the configuration file, and the new format permits easier sharing of identical files between machines. ipsec_manual's {left|right}masquerade parameters have been renamed to {left|right}firewall, and ipsec_auto understands them too. There are several new configuration parameters, including provisions for asynchronous connection negotiation (in which Pluto starts negotiation of all desired connections simultaneously, and IPSEC startup does not wait for it to finish). Pluto's innards have been reorganized; interoperability is much improved. Also, Pluto now supports multiple interfaces. The documentation has been massively improved, although there is still much to be done. The DES library has (finally) been updated to the latest. The speed improvement on x86 CPUs is especially large. Support for single-DES (as opposed to 3DES) has been largely discontinued. (The timing of this was a management decision which not all members of the technical team agree with.) KLIPS now sends all packets with different inner and outer destinations directly to the attached physical device, rather than back through ip_forward, preventing the "route stealing" problem (in which a route being set up to a subnet could clobber the route to its gateway, causing total packet loss). The downside of this is that it is now important to get the {left|right}nexthop parameters in the configuration file *right*. ipsec_auto now supports transport mode. Fragment handling has been shaken up and improved, generally for the better, but the new stuff has not been tested well yet. IPIP tunnels are now processed internally, not requiring the IPIP module to be loaded or configured. We now decrement TTL in outgoing packet and set TTL on new IPIP_TUNNEL to default value, not from existing packet TTL value. That is, a tunnel looks like one hop, as it should. The SA ID %passthrough now signifies a magic SA which means that packets should be passed through untouched. (There is no ipsec_manual/auto support for this yet.) The '--said' command-line parameter is now accepted by the 'spi' and 'eroute' commands to enable cut-and-paste of /proc/net/ipsec_* and debug output. Initialization vectors (IVs) are now generated in the kernel; user-level support for specifying particular IV values has been discontinued. KLIPS has changed from transform switching to algorithm switching to reduce redundancy (and accomodate PFKEYv2 switchover). A major code cleanup has also been done, reducing both source and binary size by 40%. There have been many minor improvements, cleanups, and bug fixes. New in 0.91: Various new items of documentation, most notably doc/vpn.how, an intro to setting up virtual private networks with FreeS/WAN. Plus assorted updates and improvements to old docs too. Most of the contents of the ietf-drafts directory have been superseded by RFCs 2401-2412 and 2451. All the manual pages now are installed under names beginning with ipsec_, to avoid name clashes. Caution: there is nothing that automatically *removes* the older versions, if you've installed an earlier release. The configuration file (/etc/sysconfig/ipsec) has been extensively reworked, repeatedly. The latest version supports multiple interfaces and does not need to know addresses etc. There is an "ipsec manual" command for taking manually-keyed connections up and down, with a corresponding control file containing some examples (which are realistic enough to use as the basis for real ones). There is a corresponding "ipsec auto" command for Pluto-run connections. The boot-time startup/shutdown script is now accessible as "ipsec setup", and includes a "restart" facility. It now allows for the possibility that Klips may be a module, and clears out eroutes and spis at startup and shutdown. Setup errors and messages go to syslog as well as stderr. There are provisions for boot-time setup of multiple connections, both manually and automatically keyed. There is now an optional facility for having the boot-time startup script enable IP forwarding *after* basic IPSEC setup is done, to avoid timing windows in which cleartext packets might leak out. Rationalised all the klips kernel file headers. They are much shorter now and won't conflict under RH5.2. "make insert" now sets up various IPSEC-related issues in the kernel configuration right, so the sysadmin shouldn't need to make many changes by hand. Discard packets for which there is no eroute if outbound on ipsec0. Added temporary udp/500 IPSEC bypass for IKE daemons, so that they can continue to talk "in clear" even when all other traffic gets encrypted. /proc/net/ipsec_* formats have been cleaned up for easy parsing by scripts. There is a new concise format for identifying SAs, e.g. "ah0x507@1.2.3.4", and many things now use it (and the utility functions that convert it to and from internal forms). Klips now has separate SPI number spaces for AH, ESP, and tunneling internally. The default of no replay checking can be overridden in manually-keyed ESP xforms. Pluto has been substantially reworked internally, has an internal database of potential connections (against which incoming requests are checked), and does timed rekeying. Whack talks to Pluto with TCP rather than UDP, which permits Pluto to actually provide feedback on how things are going (although the details of the feedback still need work). Standardise on '-96' notation for AH transforms and '-128' notation for ESP transforms in the 'spi' command. The old notation without any authenticator bit length still works and still refers to the '-96' transform for AH transforms and '-128' transform for ESP transforms. The output of "ipsec barf" has been reordered to put the more interesting items first. "ipsec look" has been added as a terse way to look at the most important things. New command, "ipsec ranbits", for generating good random bits for keys and such. (/dev/random does the work, but this provides a convenient scripting interface to it.) The sample isakmp-secrets and ipsec-manual files are now built using this, so they no longer contain keys that everyone will know. There is a new character (0t) key format, for weird people who like to write keys as one ASCII character per byte. Pluto now does PFS (Perfect Forward Secrecy), based on code contributed by Kai Martius. Various output formats have been cleaned up and improved, and assorted minor and major bugs fixed. New in 0.90: klips/doc/modes.html documents the setup of various possible types of connection in a half-readable form. Everything now runs under Red Hat 5.1 and the 2.0.35 kernel. There is now an rc.d startup/shutdown script for Klips and Pluto, set up during a normal installation, driven by a configuration file located in /etc/sysconfig/ipsec. There is a manual page for Pluto (and whack). Pluto is now smart enough to tear down what it sets up. The following xforms have been added and interop tested against OpenBSD with the exception of the NULL xforms: ESP_DES ESP_3DES ESP_DES_SHA1_96 ESP_3DES_SHA1_96 ESP_NULL_MD5_96 ESP_NULL_SHA1_96 All keys and IV's to the spi command must be in hexadecimal with a '0x' prefix or in base64 with a '0s' prefix. SPI's to the spi, spigrp and eroute commands are hexadecimal (preferred) if preceded by '0x' or decimal if preceded by a digit in the range 1-9. Beware of leading '0's being interpreted as octal. A --clear option has been added to the eroute and spi commands to clear the entire eroute and SA tables respectively and to the tncfg command to clear all virtual I/Fs. The eroute, tncfg, klipsdebug and spi commands have been converted to long option names. All command line parameters have been converted from positional to long option args. All script calls to these utils will have to be updated. The usage text and manpages have been updated accordingly. The spi and spigrp commands now accept name lookups for hosts. The eroute command now condenses the src, srcmask and dst, dstmask arguments in a 'add' or 'del' call with a delimiting '/'. It will now accept symbolic names for hosts, nets or masks and will accept the mask as a number of significant bits. Any scripts that call eroute will need to be changed. All the klips utils now have --version and --help directives. Klips utils cleaned up to check more thoroughly about improper arguments and report more specific error information. Kernel error codes made more specific to help in debugging and identifying automatically, bad command syntax. Cleaned up some useless references to unused resources that prevent compilation under RH 5.x. Packets with more than one IPSEC wrapper will only be counted once in the stats, before they were counted as many times as there were wrappers. The skb's pointer to dev is now set to the corresponding ipsecx I/F. Make clean now does something useful in the klips/net/ipsec directory. Dependancies have also been added to force recompile of the klips kernel objects when the kernel config changes. Klips is now statically linkable. The config procedure has been changed to allow options to a 'y' answer for CONFIG_IPSEC. There are now more patches to the kernel and several have changed. It is advisable to repatch a fresh kernel or back out the previous patches made for an earlier version of klips. Don't forget to remove any references to 'insmod ipsec' or 'modprobe ipsec' in any automatic or manual scripts if you use static linking. Depending on the size of your existing kernel, you may have to use 'make bzImage' and install this kernel manually. The INSTALL instructions now specify static linking, for simplicity. The Klips sources are no longer copied into the kernel, hurrah. Some reshuffling of directories has made it possible to use a symlink. Most of the utilities now go in /usr/local/lib/ipsec, with the "ipsec" wrapper command used to access them. Added a warning on module load if IPIP protocol is not available to decode tunnel mode packets. Additionally, kernel message advising of receipt of IPIP packets if the protocol is not loaded has been added. New in 0.85: There is now a general-utilities directory, notably including a new command ("barf") that dumps a bunch of debugging info on stdout. INSTALL, and the top-level Makefile, have been simplified to do all the user-level code in one fell swoop ("make" and "make install"). Provisions are also in for putting the user-level programs off in their own directory and using the "ipsec" prefix command to invoke them, but this has not been activated yet. The manual keying utils' manpages are now installed in the default location (/usr/local/man/man8) when the utils are installed. 'spi' utils now complains unless the exact key and iv sizes are supplied. RX packets received and bogus are both now reported. Note that packets will be reported as many times as there are esp or ah headers per packet. This will be fixed with the 2.1.x series kernel work. Added check for self-describing padding. It only reports possible bad packets. It does not discard them. Reporting can be shut off with debug options. Experimental/Obsolete transforms are obvious in the kernel config and can be disabled. /proc/net/ipsec_version has been added which prints out the freeswan version as well as the cvs id of each transform. /proc/net/ipsec_spinew has been added which gives a fresh spi each time it is read. It increments by two each time due to proc subsystem operation. This counter will eventually roll over, so this needs to be kept in mind for the long term (ie. todo: garbage collection, etc.). There is now an organized internal mechanism for providing release version numbers to Klips and Pluto, so they can display them. (Note, this is done by symlinks made by the top-level Makefile at compile time.) i/r specifier in 'spi' util has been removed. It was obsolete. Automated commands that use spi will need to be updated. The encr. and auth. keys have been split in the spi utility. Version information added to all xform attach routines and klips utils. Module releases all structures allocated at init to prevent memory leaks from multiple insmod/rmmod operations. All the /proc/net/ipsec_* pseudo-files now have no limit of output data. Previously, *very bad* things happenned if you had more than 3k text output from ipsec_eroute and ipsec_spi. All the /proc/net/ipsec_* interfaces have a banner to announce what it is and blank lines to make it easier to read. The names of the proc files have been changed to be consistent with the rest of the files in the directory, in particular, note the change from '-' to '_': /proc/net/ipsec-* have become /proc/net/ipsec_*. /proc/net/ipsec_spi lists what algorithm is in use and does NOT list keys. /proc/net/ipsec_spigrp lists all existing groups of spi's set by spigrp. /proc/net/ipsec_tncfg lists all existing virtual IPSEC to physical network connections. Further debug output modifications so that klips will be much quieter with debugging off. Finer control of kernel debug messages from user space with subsystem switches in klipsdebug. All keys are zeroed after use in the manual keying utilities and in klips. All kernel messages referring to IP's are in decimal dotted quad notation now (they were in hex, or even in network order hex before). Spigrp with one parameter set will ungroup an existing SA chain. Deleting one SA will also remove all the rest in the chain. New in 0.8: The Klips (nee "IPSEC") and Pluto distributions have been integrated for the first time, and some duplications cleared out. We're also now including the GMP library which Pluto needs. Both Klips and Pluto have finally been updated to support separate ESP encryption and authentication keys. The Pluto code for this hasn't been tested extensively yet. Klips is now capable of operation with devices other than Ethernet interfaces. Internal cleanup of Pluto is underway. This release of Pluto supports and uses more than one Transformation Payload within the Phase 1 SA Payload. One result of this is that it will not interoperate with older versions of Pluto. Work is underway on compatibility with later versions of Linux. Klips's virtual ipsec devices can now be detached from the physical device, and eroutes and sa's can now be deleted, so the last two commands have been changed to "eroute" and "spi" from "addrt" and "setsa" respectively. "addrt" and "setsa" are obsolete. Tunnel mode inside transport mode now works with no delay (How useful this is, is debatable). Transmit statistics now work. The klips transforms: AH-HMAC-MD5-96, AH-HMAC-SHA1-96, ESP-3DES-MD5-96 and ESP-DES-HMAC-MD5-96 have been updated from the old specs (RFC192[5-9]) to the new proposed draft standards (as of March 1998). A second ipsec device has been hard-wired into the kernel module for use with a second interface. This is temporary and will change when the kernel routing is overhauled and updated to 2.1.xx series kernels. Kernel instrumentation was corrected, extended and added. /proc/net/ipsec-route (originally /proc/net/ipsec-rt) is now /proc/net/ipsec-eroute for consistency with the command name. A user-space utility has been added (klipsdebug) to dynamically change klips debug output switches. This change has removed all but one config debug comile switch (ie. rerun kernel make {menu,x,}config). ipsec_md5 and ipsec_sha1 files no longer have nested header files so they can be used by userspace utilities. tncfg no longer dumps core when invoked for usage message. Manpages have been added for the (5) userspace klips utilities. The klips README has been split and overhauled. Added a tunnel mode and transport mode example based on current setup. Added a patch for the Linux netlink code to clean up after a badly behaved module (not likely to be significant in normal use, but having to reboot after each test during debugging is impossibly painful). Added a patch for the Linux kernel config utility help menus to explain what the IPSEC option is, where to find the standards and where to find the latest development. RCSID $Id: CHANGES,v 1.207 2001/06/17 16:02:52 henry Exp $