| Field | Value | Date |
|---|---|---|
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2006-06-26 11:32:54 +0000 |
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2006-06-26 11:32:54 +0000 |
| commit | 6782d06a206e8aa8304d4ec9518361aecd1b9472 (patch) | |
| tree | 8ea2727105be2e0191d89f7a101f43ba8b59c810 | |
| parent | aa0f5b38aec14428b4b80e06f90ff781f8bca5f1 (diff) | |
| download | vyos-strongswan-6782d06a206e8aa8304d4ec9518361aecd1b9472.tar.gz, vyos-strongswan-6782d06a206e8aa8304d4ec9518361aecd1b9472.zip | |
Load /tmp/tmp.dFxzTv5957/strongswan-2.7.2 into
branches/source-dist/debian/strongswan.
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | CHANGES | 32 |
| -rw-r--r-- | INSTALL | 39 |
| -rw-r--r-- | Makefile.ver | 2 |
| -rw-r--r-- | README | 4 |
| -rwxr-xr-x | programs/ipsec/ipsec.in | 17 |
| -rw-r--r-- | programs/pluto/connections.c | 11 |
| -rw-r--r-- | programs/pluto/demux.c | 5 |
| -rw-r--r-- | programs/pluto/fetch.c | 6 |
| -rw-r--r-- | programs/pluto/kernel.c | 4 |
| -rw-r--r-- | programs/pluto/log.c | 6 |
| -rw-r--r-- | programs/pluto/rcv_whack.c | 72 |
| -rw-r--r-- | programs/pluto/state.c | 4 |
| -rw-r--r-- | programs/pluto/vendor.c | 9 |
| -rw-r--r-- | programs/pluto/vendor.h | 7 |
| -rw-r--r-- | programs/starter/confread.c | 26 |
| -rw-r--r-- | programs/starter/interfaces.c | 19 |
| -rw-r--r-- | programs/starter/starterwhack.c | 10 |
| -rw-r--r-- | testing/INSTALL | 8 |
| -rwxr-xr-x | testing/testing.conf | 8 |

19 files changed, 193 insertions, 96 deletions
@@ -1,3 +1,35 @@ +strongswan-2.7.2 +---------------- + +- The mixed PSK/RSA roadwarrior detection capability introduced by the + strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal + payloads by the responder right before any defined IKE Main Mode state had + been established. Although any form of bad proposal syntax was being correctly + detected by the payload parser, the subsequent error handler didn't check + the state pointer before logging current state information, causing an + immediate crash of the pluto keying daemon due to a NULL pointer. + + We strongly recommend to update to the 2.7.2 released which fixes this + vulnerability to malformed proposal payload that could otherwise be + exploited by Denial-of-Service attacks. + + +strongswan-2.7.1 +---------------- + +- Calling ipsec up|down|route|unroute with a non-empty connection name + caused pluto to crash. As a fix argument checks have been added both + to the ipsec command on the sender end and pluto/rcv_whack.c on the + receiver end. + +- reactivated the PPP pointopoint code in starter/interfaces.c which + creates an ipsecN interface when used with Linux 2.4 KLIPS. + +- replaced free() by curl_free() in pluto/fetch.c thus fixing pluto + crashes occuring on some 64 bit hardware platforms when curl couldn't + successfully resolve a DNS request prior to fetching a CRL. + + strongswan-2.7.0 ---------------- @@ -125,9 +125,9 @@ Contents in "Makefile.inc" # Uncomment this line if using OpenSC <= 0.9.6 - PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\" + #PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\" # Uncomment tis line if using OpenSC >= 0.10.0 - #PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\" + PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\" This default path to the easily-obtainable OpenSC library module can be simply overridden during run-time by specifying an alternative path in 
@@ -156,10 +156,8 @@ Contents * Now change into the strongswan-2.x.x source directory. - First uncomment any desired compile options in "programs/pluto/Makefile" - (see section 2. Optional packages). - - Then in the top source directory type + First select any desired compile options in "Makefile.inc" (see section 2. + Optional packages). Then in the top source directory type make menumod @@ -186,9 +184,10 @@ Contents and then install and boot the modified kernel. - * Next add your connections to "/etc/ipsec.conf" and start strongSwan with + * Next add your connections to "/etc/ipsec.conf" and your secrets to + "/etc/ipsec.secrets" and start strongSwan with - ipsec setup start + ipsec start 4. Updating strongSwan with a Linux 2.4 kernel @@ -197,10 +196,8 @@ Contents * If you have already successfully installed strongSwan and want to update to a newer version then the following shortcut can be taken: - First uncomment any desired compile options in "programs/pluto/Makefile" - (see section 2. Optional packages). - - Then in the strongwan-2.x.x top directory type + First select any desired compile options in "Makefile.inc" (see section 2. + Optional packages). Then in the strongwan-2.x.x top directory type make programs; make install @@ -210,7 +207,7 @@ Contents * You can then start the updated strongSwan version with - ipsec setup restart + ipsec restart 5. Building strongSwan with a Linux 2.6 kernel @@ -225,14 +222,13 @@ Contents o esp4 o ipcomp o xfrm_user - + o xfrm4_tunnel + Also the built-in kernel Cryptoapi modules with selected encryption and hash algorithms should be available. - * First uncomment any desired compile options in "programs/pluto/Makefile" - (see section 2. Optional packages). - - Then in the strongwan-2.x.x top directory type + * First select any desired compile options in "Makefile.inc" (see section 2. + Optional packages). Then in the strongwan-2.x.x top directory type make programs 
@@ -240,10 +236,11 @@ Contents make install - * Next add your connections to "etc/ipsec.conf" and start strongSwan with + * Next add your connections to "/etc/ipsec.conf" and your secrets to + "/etc/ipsec.secrets" and start strongSwan with - ipsec setup start + ipsec start ----------------------------------------------------------------------------- -This file is RCSID $Id: INSTALL,v 1.8 2006/01/22 16:22:23 as Exp $ +This file is RCSID $Id: INSTALL,v 1.11 2006/05/19 06:44:17 as Exp $ diff --git a/Makefile.ver b/Makefile.ver index 435dd7311..252fc3bf4 100644 --- a/Makefile.ver +++ b/Makefile.ver @@ -1 +1 @@ -IPSECVERSION=2.7.0 +IPSECVERSION=2.7.2 @@ -2650,7 +2650,7 @@ and can be used when the following prerequisites are fulfilled: - Linux 2.4.x kernel, KLIPS IPsec stack, and arbitrary iptables version. Filtering of tunneled traffic is based on ipsecN interfaces. - - Linux 2.4.16 kernel or newer, native NETKEY IPsec stack, and + - Linux 2.6.16 kernel or newer, native NETKEY IPsec stack, and iptables-1.3.5 or newer. Filtering of tunneled traffic is based on IPsec policy matching rules. @@ -3087,5 +3087,5 @@ an LDAP-based lookup mechanism will be supported. for more details. ----------------------------------------------------------------------------- -This file is RCSID $Id: README,v 1.33 2006/04/24 21:27:49 as Exp $ +This file is RCSID $Id: README,v 1.34 2006/04/26 18:19:34 as Exp $ diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in index 0616561d8..1c657b9e7 100755 --- a/programs/ipsec/ipsec.in +++ b/programs/ipsec/ipsec.in @@ -12,7 +12,7 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # -# RCSID $Id: ipsec.in,v 1.13 2006/03/09 20:09:33 as Exp $ +# RCSID $Id: ipsec.in,v 1.14 2006/05/25 11:52:03 as Exp $ IPSEC_NAME=strongSwan 
@@ -122,6 +122,11 @@ case "$1" in ;; down) shift + if [ "$#" -ne 1 ] + then + echo "Usage: ipsec down <connection name>" + exit 1 + fi $IPSEC_EXECDIR/whack --name "$1" --terminate exit 0 ;; @@ -161,6 +166,11 @@ restart) route|unroute) op="$1" shift + if [ "$#" -ne 1 ] + then + echo "Usage: ipsec $op <connection name>" + exit 1 + fi $IPSEC_EXECDIR/whack --name "$1" "--$op" exit 0 ;; @@ -197,6 +207,11 @@ stop) ;; up) shift + if [ "$#" -ne 1 ] + then + echo "Usage: ipsec up <connection name>" + exit 1 + fi $IPSEC_EXECDIR/whack --name "$1" --initiate exit 0 ;; diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c index 263bdbd1e..6cf6a6a8b 100644 --- a/programs/pluto/connections.c +++ b/programs/pluto/connections.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: connections.c,v 1.42 2006/04/22 21:59:20 as Exp $ + * RCSID $Id: connections.c,v 1.43 2006/04/29 18:16:02 as Exp $ */ #include <string.h> @@ -4022,7 +4022,7 @@ show_connections_status(bool all, const char *name) /* sort it! */ qsort(array, count, sizeof(struct connection *), connection_compare_qsort); - for (i=0; i<count; i++) + for (i = 0; i < count; i++) { const char *ifn; char instance[1 + 10 + 1]; @@ -4076,7 +4076,7 @@ show_connections_status(bool all, const char *name) if (c->spd.that.groups != NULL) { char buf[BUF_LEN]; - + format_groups(c->spd.that.groups, buf, BUF_LEN); whack_log(RC_COMMENT , "\"%s\"%s: groups: %s" @@ -4097,7 +4097,7 @@ show_connections_status(bool all, const char *name) , (unsigned long) c->sa_keying_tries); /* show DPD parameters if defined */ - + if (c->dpd_action != DPD_ACTION_NONE) whack_log(RC_COMMENT , "\"%s\"%s: dpd_action: %s;" @@ -4141,6 +4141,9 @@ show_connections_status(bool all, const char *name) kernel_alg_show_connection(c, instance); } } + if (count > 0) + whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */ + pfree(array); } 
diff --git a/programs/pluto/demux.c b/programs/pluto/demux.c index 2f8fb9a8f..db7f1c4a6 100644 --- a/programs/pluto/demux.c +++ b/programs/pluto/demux.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: demux.c,v 1.13 2005/02/18 21:08:59 as Exp $ + * RCSID $Id: demux.c,v 1.14 2006/06/22 11:58:25 as Exp $ */ /* Ordering Constraints on Payloads @@ -2397,7 +2397,8 @@ complete_state_transition(struct msg_digest **mdp, stf_status result) * whatever retrying was in place, remains in place. */ whack_log(RC_NOTIFICATION + md->note - , "%s: %s", enum_name(&state_names, st->st_state) + , "%s: %s" + , enum_name(&state_names, (st == NULL)? STATE_MAIN_R0:st->st_state) , enum_name(¬ification_names, md->note)); SEND_NOTIFICATION(md->note); diff --git a/programs/pluto/fetch.c b/programs/pluto/fetch.c index 075b88fd2..4bfb6031b 100644 --- a/programs/pluto/fetch.c +++ b/programs/pluto/fetch.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: fetch.c,v 1.11 2005/11/25 10:08:00 as Exp $ + * RCSID $Id: fetch.c,v 1.12 2006/05/16 14:19:27 as Exp $ */ #include <stdlib.h> @@ -339,7 +339,7 @@ fetch_curl(char *url, chunk_t *blob) } curl_easy_cleanup(curl); /* not using freeanychunk because of realloc (no leak detective) */ - free(response.ptr); + curl_free(response.ptr); } return strlen(errorbuffer) > 0 ? "libcurl error" : NULL; #else /* !LIBCURL */ @@ -728,7 +728,7 @@ fetch_ocsp_status(ocsp_location_t* location) curl_easy_cleanup(curl); pfree(uri); /* not using freeanychunk because of realloc (no leak detective) */ - free(response.ptr); + curl_free(response.ptr); } freeanychunk(location->nonce); freeanychunk(request); diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c index 5d7c5f78a..d2070c0d4 100644 --- a/programs/pluto/kernel.c +++ b/programs/pluto/kernel.c 
@@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: kernel.c,v 1.25 2006/04/17 14:58:09 as Exp $ + * RCSID $Id: kernel.c,v 1.26 2006/04/29 18:16:02 as Exp $ */ #include <stddef.h> @@ -934,6 +934,8 @@ show_shunt_status(void) , ourst, ourport, hist, hisport, sat, bs->transport_proto , prio, bs->why); } + if (bare_shunts != NULL) + whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */ } /* Setup an IPsec route entry. diff --git a/programs/pluto/log.c b/programs/pluto/log.c index 137e92980..73ffceccd 100644 --- a/programs/pluto/log.c +++ b/programs/pluto/log.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: log.c,v 1.7 2005/07/11 18:33:45 as Exp $ + * RCSID $Id: log.c,v 1.8 2006/04/29 18:16:02 as Exp $ */ #include <stdio.h> @@ -770,13 +770,11 @@ show_status(bool all, const char *name) show_ifaces_status(); show_myid_status(); show_debug_status(); + whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */ } - whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */ show_connections_status(all, name); - whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */ show_states_status(name); #ifdef KLIPS - whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */ show_shunt_status(); #endif } diff --git a/programs/pluto/rcv_whack.c b/programs/pluto/rcv_whack.c index 164a4f249..99c377765 100644 --- a/programs/pluto/rcv_whack.c +++ b/programs/pluto/rcv_whack.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: rcv_whack.c,v 1.17 2005/12/25 12:41:23 as Exp $ + * RCSID $Id: rcv_whack.c,v 1.18 2006/05/25 11:33:57 as Exp $ */ #include <stdio.h> 
@@ -557,7 +557,14 @@ whack_handle(int whackctlfd) if (msg.whack_route) { if (!listening) + { whack_log(RC_DEAF, "need --listen before --route"); + } + if (msg.name == NULL) + { + whack_log(RC_UNKNOWN_NAME + , "whack --route requires a connection name"); + } else { struct connection *c = con_by_name(msg.name, TRUE); @@ -579,37 +586,54 @@ whack_handle(int whackctlfd) if (msg.whack_unroute) { - struct connection *c = con_by_name(msg.name, TRUE); - - if (c != NULL) + if (msg.name == NULL) { - struct spd_route *sr; - int fail = 0; - - set_cur_connection(c); + whack_log(RC_UNKNOWN_NAME + , "whack --unroute requires a connection name"); + } + else + { + struct connection *c = con_by_name(msg.name, TRUE); - for (sr = &c->spd; sr != NULL; sr = sr->next) + if (c != NULL) { - if (sr->routing >= RT_ROUTED_TUNNEL) - fail++; + struct spd_route *sr; + int fail = 0; + + set_cur_connection(c); + + for (sr = &c->spd; sr != NULL; sr = sr->next) + { + if (sr->routing >= RT_ROUTED_TUNNEL) + fail++; + } + if (fail > 0) + whack_log(RC_RTBUSY, "cannot unroute: route busy"); + else if (c->policy & POLICY_GROUP) + unroute_group(c); + else + unroute_connection(c); + reset_cur_connection(); } - if (fail > 0) - whack_log(RC_RTBUSY, "cannot unroute: route busy"); - else if (c->policy & POLICY_GROUP) - unroute_group(c); - else - unroute_connection(c); - reset_cur_connection(); } } if (msg.whack_initiate) { if (!listening) + { whack_log(RC_DEAF, "need --listen before --initiate"); + } + else if (msg.name == NULL) + { + whack_log(RC_UNKNOWN_NAME + , "whack --initiate requires a connection name"); + } else + { initiate_connection(msg.name , msg.whack_async? NULL_FD : dup_any(whackfd)); + } } if (msg.whack_oppo_initiate) 
@@ -623,7 +647,17 @@ whack_handle(int whackctlfd) } if (msg.whack_terminate) - terminate_connection(msg.name); + { + if (msg.name == NULL) + { + whack_log(RC_UNKNOWN_NAME + , "whack --terminate requires a connection name"); + } + else + { + terminate_connection(msg.name); + } + } if (msg.whack_status) show_status(msg.whack_statusall, msg.name); diff --git a/programs/pluto/state.c b/programs/pluto/state.c index 5957654e3..0781d2eb3 100644 --- a/programs/pluto/state.c +++ b/programs/pluto/state.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: state.c,v 1.12 2006/04/03 15:49:36 as Exp $ + * RCSID $Id: state.c,v 1.13 2006/04/29 18:16:02 as Exp $ */ #include <stdio.h> @@ -902,6 +902,8 @@ show_states_status(const char *name) if (IS_PHASE1(st->st_state)) show_pending_phase2(st->st_connection->host_pair, st); } + if (count > 0) + whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */ /* free the array */ pfree(array); diff --git a/programs/pluto/vendor.c b/programs/pluto/vendor.c index 51931c239..3a8ac15a9 100644 --- a/programs/pluto/vendor.c +++ b/programs/pluto/vendor.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: vendor.c,v 1.35 2006/04/12 16:44:28 as Exp $ + * RCSID $Id: vendor.c,v 1.38 2006/06/04 09:42:35 as Exp $ */ #include <stdlib.h> @@ -198,7 +198,12 @@ static struct vid_struct _vid_tab[] = { /* * strongSwan */ - DEC_MD5_VID(STRONGSWAN, "strongSwan 2.7.0") + DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0") + DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1") + + DEC_MD5_VID(STRONGSWAN, "strongSwan 2.7.2") + DEC_MD5_VID(STRONGSWAN_2_7_1, "strongSwan 2.7.1") + DEC_MD5_VID(STRONGSWAN_2_7_0, "strongSwan 2.7.0") DEC_MD5_VID(STRONGSWAN_2_6_4, "strongSwan 2.6.4") DEC_MD5_VID(STRONGSWAN_2_6_3, "strongSwan 2.6.3") DEC_MD5_VID(STRONGSWAN_2_6_2, "strongSwan 2.6.2") 
diff --git a/programs/pluto/vendor.h b/programs/pluto/vendor.h index d6b414be2..e0c3a5f30 100644 --- a/programs/pluto/vendor.h +++ b/programs/pluto/vendor.h @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: vendor.h,v 1.30 2006/04/12 16:44:28 as Exp $ + * RCSID $Id: vendor.h,v 1.33 2006/06/04 09:42:35 as Exp $ */ #ifndef _VENDOR_H_ @@ -76,6 +76,11 @@ enum known_vendorid { VID_STRONGSWAN_2_6_2 = 55, VID_STRONGSWAN_2_6_3 = 56, VID_STRONGSWAN_2_6_4 = 57, + VID_STRONGSWAN_2_7_0 = 58, + VID_STRONGSWAN_2_7_1 = 59, + + VID_STRONGSWAN_4_0_0 = 70, + VID_STRONGSWAN_4_0_1 = 71, /* 101 - 200 : NAT-Traversal */ VID_NATT_STENBERG_01 =101, diff --git a/programs/starter/confread.c b/programs/starter/confread.c index cf12d05ca..af0f00877 100644 --- a/programs/starter/confread.c +++ b/programs/starter/confread.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: confread.c,v 1.37 2006/04/17 19:35:07 as Exp $ + * RCSID $Id: confread.c,v 1.38 2006/06/20 21:52:53 as Exp $ */ #include <stddef.h> @@ -31,6 +31,9 @@ #include "args.h" #include "interfaces.h" +/* strings containing a colon are interpreted as an IPv6 address */ +#define ip_version(string) (strchr(string, ':') != NULL)? AF_INET6 : AF_INET; + static const char ike_defaults[] = "3des-sha, 3des-md5"; static const char esp_defaults[] = "3des-sha1, 3des-md5"; @@ -166,8 +169,13 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token goto err; } } - else if (streq(value,"%any")) - { + else if (streq(value, "%any")) + { + anyaddr(conn->addr_family, &end->addr); + } + else if (streq(value, "%any6")) + { + conn->addr_family = AF_INET6; anyaddr(conn->addr_family, &end->addr); } else if (value[0] == '%') 
@@ -183,6 +191,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token } else { + conn->addr_family = ip_version(value); ugh = ttoaddr(value, 0, conn->addr_family, &end->addr); if (ugh != NULL) { @@ -203,10 +212,14 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token } } else if (streq(value, "%direct")) + { ugh = anyaddr(conn->addr_family, &end->nexthop); + } else + { + conn->addr_family = ip_version(value); ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop); - + } if (ugh != NULL) { plog("# bad addr: %s=%s [%s]", name, value, ugh); @@ -222,6 +235,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token else { end->has_client = TRUE; + conn->tunnel_addr_family = ip_version(value); ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet); if (ugh != NULL) { @@ -233,6 +247,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token case KW_SUBNETWITHIN: end->has_client = TRUE; end->has_client_wildcard = TRUE; + conn->tunnel_addr_family = ip_version(value); ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet); break; case KW_PROTOPORT: @@ -246,7 +261,8 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token } else { - ugh = ttoaddr(value, 0, conn->addr_family, &end->srcip); + conn->tunnel_addr_family = ip_version(value); + ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip); if (ugh != NULL) { plog("# bad addr: %s=%s [%s]", name, value, ugh); diff --git a/programs/starter/interfaces.c b/programs/starter/interfaces.c index 9926ea059..3b24e2faf 100644 --- a/programs/starter/interfaces.c +++ b/programs/starter/interfaces.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: interfaces.c,v 1.15 2006/02/05 10:51:55 as Exp $ + * RCSID $Id: interfaces.c,v 1.16 2006/05/25 12:10:15 as Exp $ */ #include <sys/socket.h> 
@@ -192,9 +192,6 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys struct ipsectunnelconf *shc=(struct ipsectunnelconf *)&req.ifr_data; short phys_flags; int ret = 0; - /* sscholz@astaro.com: for network mask 32 bit - struct sockaddr_in *inp; - */ strncpy(req.ifr_name, phys, IFNAMSIZ); if (ioctl(sock, SIOCGIFFLAGS, &req) !=0 ) @@ -239,13 +236,6 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys if (ioctl(sock, SIOCGIFNETMASK, &req) == 0) { strncpy(req.ifr_name, iface->name, IFNAMSIZ); - /* sscholz@astaro.com: changed netmask to 32 bit - * in order to prevent network routes from being created - - inp = (struct sockaddr_in *)&req.ifr_addr; - inp->sin_addr.s_addr = 0xFFFFFFFFL; - - */ ioctl(sock, SIOCSIFNETMASK, &req); } @@ -253,8 +243,7 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys strncpy(req.ifr_name, iface->name, IFNAMSIZ); if (ioctl(sock, SIOCGIFFLAGS, &req)==0) { -/* removed by sscholz@astaro.com (caused trouble with DSL/ppp0) */ -/* if (phys_flags & IFF_POINTOPOINT) + if (phys_flags & IFF_POINTOPOINT) { req.ifr_flags |= IFF_POINTOPOINT; req.ifr_flags &= ~IFF_BROADCAST; @@ -266,9 +255,7 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys ioctl(sock, SIOCSIFDSTADDR, &req); } } - else - */ - if (phys_flags & IFF_BROADCAST) + else if (phys_flags & IFF_BROADCAST) { req.ifr_flags &= ~IFF_POINTOPOINT; req.ifr_flags |= IFF_BROADCAST; diff --git a/programs/starter/starterwhack.c b/programs/starter/starterwhack.c index a671c560c..0d7a3715e 100644 --- a/programs/starter/starterwhack.c +++ b/programs/starter/starterwhack.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: starterwhack.c,v 1.17 2006/04/17 10:32:36 as Exp $ + * RCSID $Id: starterwhack.c,v 1.18 2006/06/20 21:52:53 as Exp $ */ #include <sys/types.h> 
@@ -161,13 +161,13 @@ set_whack_end(whack_end_t *w, starter_end_t *end) w->host_addr = end->addr; w->host_nexthop = end->nexthop; w->host_srcip = end->srcip; + w->has_client = end->has_client; - if (end->has_client) - w->client = end->subnet; + if (w->has_client) + w->client = end->subnet; else - w->client.addr.u.v4.sin_family = AF_INET; + w->client.addr.u.v4.sin_family = addrtypeof(&w->host_addr); - w->has_client = end->has_client; w->has_client_wildcard = end->has_client_wildcard; w->has_port_wildcard = end->has_port_wildcard; w->has_srcip = end->has_srcip; diff --git a/testing/INSTALL b/testing/INSTALL index dfe21cc04..5fc87a6c7 100644 --- a/testing/INSTALL +++ b/testing/INSTALL @@ -53,7 +53,7 @@ are required for the strongSwan testing environment: * A vanilla Linux kernel on which the UML kernel will be based on. We recommend the use of - http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.16.9.tar.bz2 + http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.1.tar.bz2 * Starting with Linux kernel 2.6.9 no patch must be applied any more in order to make the vanilla kernel UML-capable. For older kernels you'll find @@ -63,7 +63,7 @@ are required for the strongSwan testing environment: * The matching .config file required to compile the UML kernel: - http://download.strongswan.org/uml/.config-2.6.16 + http://download.strongswan.org/uml/.config-2.6.17 * A gentoo-based UML file system (compressed size 130 MBytes) found at @@ -71,7 +71,7 @@ are required for the strongSwan testing environment: * The latest strongSwan distribution - http://download.strongswan.org/strongswan-2.7.0.tar.gz + http://download.strongswan.org/strongswan-2.7.2.tar.gz 3. Creating the environment @@ -146,5 +146,5 @@ README document. ----------------------------------------------------------------------------- -This file is RCSID $Id: INSTALL,v 1.39 2006/04/24 16:58:03 as Exp $ +This file is RCSID $Id: INSTALL,v 1.41 2006/06/22 13:07:24 as Exp $ 
diff --git a/testing/testing.conf b/testing/testing.conf index 92a138288..dc5c74fbf 100755 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -14,27 +14,27 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # -# RCSID $Id: testing.conf,v 1.52 2006/04/24 16:58:03 as Exp $ +# RCSID $Id: testing.conf,v 1.54 2006/06/22 13:07:24 as Exp $ # Root directory of testing UMLTESTDIR=~/strongswan-testing # Bzipped kernel sources # (file extension .tar.bz2 required) -KERNEL=$UMLTESTDIR/linux-2.6.16.9.tar.bz2 +KERNEL=$UMLTESTDIR/linux-2.6.17.1.tar.bz2 # Extract kernel version KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'` # Kernel configuration file -KERNELCONFIG=$UMLTESTDIR/.config-2.6.16 +KERNELCONFIG=$UMLTESTDIR/.config-2.6.17 # Bzipped uml patch for kernel # (not needed anymore for 2.6.9 kernel or higher) UMLPATCH= # Bzipped source of strongSwan -STRONGSWAN=$UMLTESTDIR/strongswan-2.7.0.tar.bz2 +STRONGSWAN=$UMLTESTDIR/strongswan-2.7.2.tar.bz2 # strongSwan compile options (use "yes" or "no") USE_LIBCURL="yes" |
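Review bot: the strongswan-2.7.1 entry in the CHANGES hunk says `Calling ipsec up|down|route|unroute with a non-empty connection name caused pluto to crash`, which contradicts the fix it describes: the checks added in ipsec.in (`[ "$#" -ne 1 ]`) and rcv_whack.c (`msg.name == NULL`) guard against a missing name, so this should read "without a connection name". In the same hunk, "update to the 2.7.2 released" should be "release", "We strongly recommend to update" should be "recommend updating", and "occuring" in the fetch.c item should be "occurring".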
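Review bot: the default enabled by the INSTALL hunk at `@@ -125,9 +125,9 @@`, `+ PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\"`, is missing the leading slash, so it is a relative path resolved against the daemon's working directory instead of `/usr/lib/opensc-pkcs11.so`. A PKCS#11 module path that depends on the cwd is a functional defect and also a place where an unintended library could be loaded; add the slash (the OpenSC <= 0.9.6 line directly above it has one). The context line `Uncomment tis line` should also read `this`.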
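Review bot: the three new argument checks in ipsec.in (`down`, `route|unroute`, `up`) only count arguments, so `ipsec up ""` still hands `--name ""` to whack; test `-z "$1"` as well. The usage message is written with a bare `echo` to stdout; send it to stderr (`echo "Usage: ..." >&2`) so callers that parse the command's output do not mistake it for a result. The block is repeated three times verbatim; a small shell function taking the operation name would keep the three copies in step.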
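Review bot: the demux.c hunk guards the dereference with `(st == NULL)? STATE_MAIN_R0:st->st_state`, which removes the NULL pointer crash described in the CHANGES entry, but the reason `st` can be NULL at this point (the responder pre-parses the proposal payload before any state exists, per the 2.7.2 CHANGES text) is not recorded at the call site; add a comment so a later cleanup does not fold the guard away. Also confirm that `SEND_NOTIFICATION(md->note)` on the next line and the remainder of this error path do not touch `st`, since only this single use is visible in the hunk.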
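Review bot: in both fetch.c hunks the change from `free(response.ptr)` to `curl_free(response.ptr)` is a real fix only if libcurl and pluto use different allocators; otherwise `curl_free()` ends up calling the same `free()`, and the 64-bit crash described in CHANGES (DNS resolution failing before any data was fetched) points at `response.ptr` never having been set because the write callback never ran. Check that `response.ptr` is initialised to NULL before `curl_easy_perform()` (not visible in the hunk): freeing NULL is safe with either function, freeing an indeterminate pointer is not with either.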
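Review bot: in the `msg.whack_route` hunk of rcv_whack.c (`@@ -557,7 +557,14 @@`) the new `if (msg.name == NULL)` is a separate statement following `if (!listening) { ... }`, so the `else` branch that calls `con_by_name()` and routes now belongs to the name check alone: when pluto is not listening and a name is supplied, it logs `need --listen before --route` and then routes anyway, a behaviour change from the original `if/else`. The `whack_initiate` hunk further down does this correctly with `else if (msg.name == NULL)`; make the route block match.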
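Review bot: the macro added in confread.c, `#define ip_version(string) (strchr(string, ':') != NULL)? AF_INET6 : AF_INET;`, ends in a semicolon and its body is not parenthesised. It happens to work in the `conn->addr_family = ip_version(value);` statements in this patch (the extra `;` becomes an empty statement), but it breaks as soon as it is used inside a condition or a larger expression. Write it as `#define ip_version(string) ((strchr((string), ':') != NULL) ? AF_INET6 : AF_INET)` and make sure `<string.h>` is included for `strchr()` (not visible in the hunk).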
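Review bot: the later `kw_end()` hunks in confread.c now overwrite the connection-wide `conn->addr_family` or `conn->tunnel_addr_family` from each value as it is parsed (the address, nexthop, subnet, subnetwithin and srcip cases), so a connection that mixes an IPv4 address on one end with an IPv6 address on the other is accepted and is left with whichever family was parsed last, while the earlier end was parsed under the other family. Detect the mismatch (compare against the family already recorded for the connection when one is set) and report it with `plog()` like the surrounding `bad addr` errors rather than letting it through.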
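Review bot: the interfaces.c hunks delete the comments that recorded why the point-to-point branch was disabled (`removed by sscholz@astaro.com (caused trouble with DSL/ppp0)`) without leaving a replacement. Since the CHANGES entry says the code is back for creating ipsecN interfaces with Linux 2.4 KLIPS, put a one-line comment at the re-enabled `if (phys_flags & IFF_POINTOPOINT)` stating that and what addresses the earlier ppp0 problem; otherwise the next reader has only version history to go on.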
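Review bot: `w->client.addr.u.v4.sin_family = addrtypeof(&w->host_addr);` in the starterwhack.c hunk stores the family of a possibly IPv6 host address through the `v4` member of the union. It works because the family field sits at the same offset in both socket address structures, but the intent is not obvious from the line; a short comment saying that the family is deliberately copied from the host address for a client-less end would save the next reader from treating it as an IPv4-only path.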
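Review bot: vendor.c moves the unnumbered `STRONGSWAN` vendor ID to `"strongSwan 2.7.2"` and adds explicit entries for 2.7.0, 2.7.1, 4.0.0 and 4.0.1, and vendor.h numbers them 58, 59, 70 and 71, but no `VID_STRONGSWAN_2_7_2` constant is added. If the convention is that the unnumbered entry always denotes the current release and gets its own numbered constant on the next bump, a comment in the `known_vendorid` enum saying so, and saying what the gap from 60 to 69 is held for, would keep a future addition from colliding with either range.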