Contents Previous Next

Upgrading to FreeS/WAN 2.x

New in 2.01: Opportunistic Encryption "flag day"

As of Linux FreeS/WAN 2.01, Opportunistic Encryption (OE) relies on DNS TXT resource records (RRs) only (rather than a mixture of KEY and TXT records) to publicize IPsec keying and gateway information. We call the 2.01 release date a "flag day" because this constitutes a protocol incompatibility with older FreeS/WAN versions (2.00 and earlier).

In the past we used three records (two KEYs and a TXT) in two domain zones for a single fully capable OE host. Our new, simpler convention recommends two TXT records (a forward and reverse RR) for any OE host. You can, however, run limited forms of OE using a single TXT record in one of the two zones. For details, see initiator-only OE instructions or our full OE instructions.

The change is not backward compatible. In particular, a FreeS/WAN 2.01 (or later) box for which no KEY record is posted cannot initiate OE connections to older FreeS/WAN versions (2.00 and earlier). Meanwhile, older boxes can initiate to newer boxes, and users of the older software may not notice a problem. See our OE trouble chart for a description of the error and a suggested workaround.

For ease of transition, FreeS/WAN 2.01 continues to fetch information from KEY records, but the team expects to phase this out soon. Note that ipsec verify now complains about outdated KEY records.

For new OE users:

Set up OE using the instructions in our quickstart guide. Note that you will not be able to initiate OE to FreeS/WAN 2.00 or earlier. The symptoms and a workaround are described in our OE trouble chart .

For experienced OE users:

When you upgrade to 2.01, post a TXT record in a forward domain for each of your OE hosts. Choose a QNAME (DNS query name) for your record within that domain. For full OE on a single host or gateway, the name should, if possible, resolve to the IP of your IPsec interface. For initiator-only OE, choose any name within a domain you can post to. In many cases, your chosen name will also be your hostname. If so, you can create your TXT record by pasting this command into a root window:

    ipsec showhostkey --txt @`hostname --fqdn`

Otherwise, use a command like this one (again in a root window):

    ipsec showhostkey --txt

Substitute your chosen name for Detailed instructions for new style OE setup are in our quickstart guide.

Additionally, we offer these recommendations to ease your transition:

New! Built in Opportunistic connections

Out of the box, FreeS/WAN 2.x will attempt to encrypt all your IP traffic. It will try to establish IPsec connections for:

FreeS/WAN 2.x uses hidden, automatically enabled ipsec.conf connections to do this.

This behaviour is part of our campaign to get Opportunistic Encryption (OE) widespread in the Linux world, so that any two Linux boxes can encrypt to one another without prearrangement. There's one catch, however: you must set up a few DNS records to distribute RSA public keys and (if applicable) IPsec gateway information.

If you start FreeS/WAN before you have set up these DNS records, your connectivity will be slow, and messages relating to the built in connections will clutter your logs. If you are unable to set up DNS for OE, you will wish to disable the hidden connections.

New! Policy Groups

We want to make it easy for you to declare security policy as it applies to IPsec connections.

Policy Groups make it simple to say:

FreeS/WAN then implements these policies, creating OE connections if and when needed. You can use Policy Groups along with connections you explicitly define in ipsec.conf.

For more information, see our Policy Group HOWTO.

New! Packetdefault Connection

Free/SWAN 2.x ships with the automatically enabled, hidden connection packetdefault. This configures a FreeS/WAN box as an OE gateway for any hosts located behind it. As mentioned above, you must configure some DNS records for OE to work.

As the name implies, this connection functions as a default. If you have more specific connections, such as policy groups which configure your FreeS/WAN box as an OE gateway for a local subnet, these will apply before packetdefault. You can view packetdefault 's specifics in man ipsec.conf .

FreeS/WAN now disables Reverse Path Filtering

FreeS/WAN often doesn't work with reverse path filtering. At start time, FreeS/WAN now turns rp_filter off, and logs a warning.

FreeS/WAN does not turn it back on again. You can do this yourself with a command like:

   echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

For eth0, substitute the interface which FreeS/WAN was affecting.

Revised ipsec.conf

No promise of compatibility

The FreeS/WAN team promised config-file compatibility throughout the 1.x series. That means a 1.5 config file can be directly imported into a fresh 1.99 install with no problems.

With FreeS/WAN 2.x, we've given ourselves permission to make the config file easier to use. The cost: some FreeS/WAN 1.x configurations will not work properly. Many of the new features are, however, backward compatible.

Most ipsec.conf files will work fine

... so long as you paste this line, with no preceding whitespace, at the top of your config file:

    version 2

Backward compatibility patch

If the new defaults bite you, use this ipsec.conf fragment to simulate the old default values.


We've obsoleted various directives which almost no one was using:


For most of these, there is some other way to elicit the desired behaviour. See this post.

We've made some settings, which almost everyone was using, defaults. For example:


We've also changed some default values to help with OE and Policy Groups:

    authby=rsasig   ## not secret!!!
    leftrsasigkey=%dnsondemand ## looks up missing keys in DNS when needed.

Of course, you can still override any defaults by explictly declaring something else in your connection.

A post with a list of many ipsec.conf changes.
Current ipsec.conf manual.

Upgrading from 1.x RPMs to 2.x RPMs

Note: When upgrading from 1-series to 2-series RPMs, rpm -U will not work.

You must instead erase the 1.x RPMs, then install the 2.x set:

    rpm -e freeswan
    rpm -e freeswan-module

On erasing, your old ipsec.conf should be moved to ipsec.conf.rpmsave. Keep this. You will probably want to copy your existing connections to the end of your new 2.x file.

Install the RPMs suitable for your kernel version, such as:

    rpm -ivh freeswan-module-2.00_2.4.18_3-0.i386.rpm
    rpm -ivh freeswan-userland-2.00_2.4.18_3-0.i386.rpm

Or, to splice the files:

    cat /etc/ipsec.conf /etc/ipsec.conf.rpmsave > /etc/ipsec.conf.tmp
    mv /etc/ipsec.conf.tmp /etc/ipsec.conf

Then, remove the redundant conn %default and config setup sections. Unless you have done any special configuring here, you'll likely want to remove the 1.x versions. Remove conn OEself, if present.

Contents Previous Next