
Upgrading to FreeS/WAN 2.x

New! Built in Opportunistic connection

ipsec.conf now has a built in connection to facilitate Opportunistic Encryption (OE). OE allows you to encrypt to virtual strangers, and, if widely adopted, would reduce eavesdropping on the 'net.

You do need to set up a few DNS records to use this feature. See our OE quickstart guide for details.

You can disable the feature by commenting out the oeself section in ipsec.conf.

New! Policy Groups

We want to make it easy for you to declare security policy.

Policy Groups make it simple to say:

FreeS/WAN then implements these policies using OE connections. You can use Policy Groups right alongside the VPN connections you've explicitly defined in ipsec.conf.

For more information, see our Policy Group HOWTO.

FreeS/WAN now punches a hole in rp_filter

FreeS/WAN often does not work with reverse path filtering (rp_filter). At start time, FreeS/WAN now turns rp_filter off and logs a warning.

FreeS/WAN does not turn it back on again. You can do this yourself, per interface, with a command like:

   echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
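Turning rp_filter back on by hand is easy to get wrong: the kernel keeps one value per interface plus the special "all" and "default" entries, and re-enabling it on an interface FreeS/WAN is using puts you back where you started. The following is an added example, not FreeS/WAN's own code: it lists the entries that are currently 0 and re-enables all of them except the names you pass (here, "ipsec0" is an assumed name for the interface to leave alone). The sysctl directory is a parameter so the functions can be exercised against a copy of the tree; it defaults to the live /proc path.

```shell
#!/bin/sh
# Added example (not FreeS/WAN code): audit and selectively restore rp_filter.

rpf_disabled() {
    # Print, one per line, the entries under $1 whose rp_filter is 0.
    # "all" and "default" show up alongside real interfaces; how the kernel
    # combines "all" with a per-interface value has changed across kernel
    # versions, so look at both rather than assuming one wins.
    dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "0" ] && basename "$(dirname "$f")"
    done
    return 0
}

rpf_enable() {
    # Turn rp_filter back on for every entry under $1 that is currently 0,
    # except the names given as further arguments (the interfaces FreeS/WAN
    # is using). Prints the number of entries changed.
    dir=${1:-/proc/sys/net/ipv4/conf}
    [ $# -gt 0 ] && shift
    keep=" $* "
    n=0
    for name in $(rpf_disabled "$dir"); do
        case "$keep" in *" $name "*) continue ;; esac
        echo 1 > "$dir/$name/rp_filter" && n=$((n + 1))
    done
    echo "$n"
}

# Typical use on a live box, after "ipsec setup start" has run:
#   rpf_disabled                  # see what FreeS/WAN switched off
#   rpf_enable "" ipsec0 eth0     # restore the rest, keep these two off
```

Keep the interface that carries IPsec traffic in the exclusion list, or the next packet through the tunnel fails the reverse-path check and FreeS/WAN stops working again until its next start, when it will turn rp_filter off once more.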

Revised ipsec.conf

No promise of compatibility

The FreeS/WAN team promised config-file compatibility throughout the 1.x series. That means a 1.5 config file can be directly imported into a fresh 1.99 install with no problems.

With FreeS/WAN 2.x, we've given ourselves permission to make the config file easier to use. The cost: some FreeS/WAN 1.x configurations will not work properly. Many of the new features are, however, backward compatible.

Most ipsec.confs will work fine

... so long as you paste this line, with no preceding whitespace, at the top of your config file:

    version 2

Backward compatibility patch

If the new defaults bite you, use this ipsec.conf fragment to simulate the old default values.

Details

We've obsoleted various directives which almost no one was using:

    dump
    plutobackgroundload
    no_eroute_pass
    lifetime
    rekeystart
    rekeytries

For most of these, there is some other way to elicit the desired behaviour. See this post.

We've made defaults of some settings that almost everyone was setting explicitly. For example:

    interfaces=%defaultroute
    plutoload=%search
    plutostart=%search
    uniqueids=yes

We've also changed some default values to help with OE and Policy Groups:

    authby=rsasig   ## not secret!!!
    leftrsasigkey=%dnsondemand ## looks up missing keys in DNS when needed.
    rightrsasigkey=%dnsondemand

Of course, you can still override any of these defaults by explicitly declaring something else in your connection.
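The "version 2" requirement above and the default overrides just listed, as an added example that is not FreeS/WAN's own code and is not the compatibility fragment this page refers to (the 1.x default values are not stated here). The constructed ipsec.conf pins the interface instead of relying on %defaultroute and uses a shared secret for one named connection rather than the new authby=rsasig default; the addresses, subnets and connection name are made up. Putting authby=secret in conn %default instead would also apply to the built-in OE connections, which need RSA signatures, so the override goes in the specific conn. The two check functions verify that a file's first statement is an unindented "version 2" line and add or fix one if it is not; the assumed rekeying parameter keyingtries is the one ipsec.conf(5) documents, and the exact replacement for each obsoleted directive should be confirmed against the post linked above.

```shell
#!/bin/sh
# Added example (not FreeS/WAN code): a version-2 ipsec.conf with explicit
# overrides of the 2.x defaults, plus a check for the "version 2" header.

write_sample_conf() {
    # Write a constructed ipsec.conf to $1. Addresses and names are made up.
    cat > "$1" <<'EOF'
# /etc/ipsec.conf for FreeS/WAN 2.x (constructed example)
version 2

config setup
        # Override the new interfaces=%defaultroute default.
        interfaces="ipsec0=eth0"

conn office-vpn
        # Override authby=rsasig and the %dnsondemand key lookups for this
        # connection only, so the built-in OE connections keep working.
        authby=secret
        # Assumed current spelling of a rekey setting (see ipsec.conf(5)).
        keyingtries=3
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        right=198.51.100.1
        rightsubnet=10.2.0.0/16
        auto=add
EOF
}

check_version2() {
    # Return 0 if the first non-blank, non-comment line of $1 is an
    # unindented "version 2" (or "version 2.x") line, 1 otherwise. Indented
    # lines are section parameters in ipsec.conf, so an indented version
    # line would not be read as the version declaration.
    first=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1)
    case "$first" in
        "version 2"|"version 2"[.0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

add_version2() {
    # Make $1 start with a proper "version 2" line: un-indent an existing
    # one, otherwise prepend one. Leaves files that already pass untouched.
    check_version2 "$1" && return 0
    tmp="$1.tmp.$$"
    if grep -q '^[[:space:]]\{1,\}version 2' "$1"; then
        sed 's/^[[:space:]]*\(version 2.*\)$/\1/' "$1" > "$tmp" && mv "$tmp" "$1"
    else
        { printf 'version 2\n\n'; cat "$1"; } > "$tmp" && mv "$tmp" "$1"
    fi
}

# Typical use before restarting with 2.x:
#   add_version2 /etc/ipsec.conf && check_version2 /etc/ipsec.conf && echo ok
```

Run the check against a 1.x file before starting FreeS/WAN 2.x; a file that fails it is parsed with the 1.x rules and the new defaults described above are not what you get.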

A post with a list of many ipsec.conf changes.
Current ipsec.conf manual.

