[svn-upgrade] Integrating new upstream version, strongswan (2.8.2)

107 files changed, 251 insertions, 65249 deletions

diff --git a/CHANGES b/CHANGES
index 5398c0959..2e2d657c8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,14 @@
+strongswan-2.8.2
+----------------
+
+- strongSwan now interoperates with the NCP Secure Entry Client,
+  the Shrew Soft VPN Client, and the Cisco VPN client, doing both
+  XAUTH and Mode Config.
+
+- UNITY attributes are now recognized and UNITY_BANNER is set
+  to a default string.
+
+
 strongswan-2.8.1
 ----------------
 
diff --git a/Makefile.inc b/Makefile.inc
index 8abbbf55c..f09ec409b 100644
--- a/Makefile.inc
+++ b/Makefile.inc
@@ -11,7 +11,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: Makefile.inc,v 1.13 2007/01/11 21:42:11 as Exp $
+# RCSID $Id: Makefile.inc,v 1.14 2007/01/29 08:19:56 as Exp $
 
 
 # Variables in this file with names starting with INC_ are not for use
@@ -244,10 +244,6 @@ USE_IPROUTE2?=true
 #  2.4  - iptables
 IPSEC_FIREWALLTYPE=iptables
 
-# whether or not to include ipsec policy code into pluto.
-# false for now, since it is still experimental.
-USE_IPSECPOLICY?=false
-
 # include IKEPING in the distribution
 USE_IKEPING?=false
 
@@ -286,9 +282,9 @@ USE_SMARTCARD?=false
 
 # Default PKCS11 library
 # Uncomment this line if using OpenSC <= 0.9.6
-PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
+#PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
 # Uncomment this line if using OpenSC >= 0.10.0
-#PKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\"
+PKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\"
 # Uncomment and complete this line if using another default library
 #PKCS11_DEFAULT_LIB=\"/usr/lib/...\"
 
diff --git a/Makefile.ver b/Makefile.ver
index 07b052019..f42026a56 100644
--- a/Makefile.ver
+++ b/Makefile.ver
@@ -1 +1 @@
-IPSECVERSION=2.8.1
+IPSECVERSION=2.8.2
diff --git a/doc/.cvsignore b/doc/.cvsignore
deleted file mode 100644
index a523b809d..000000000
--- a/doc/.cvsignore
+++ /dev/null
@@ -1,66 +0,0 @@
-HowTo.html
-HowTo.html
-adv_config.html
-adv_config.html
-background.html
-background.html
-biblio.html
-biblio.html
-compat.html
-compat.html
-config.html
-config.html
-draft-richardson-ipsec-opportunistic.nr
-draft-richardson-ipsec-rr.nr
-draft-richardson-ipsec-rr.txt
-faq.html
-faq.html
-firewall.html
-firewall.html
-glossary.html
-glossary.html
-index.html
-index.html
-install.html
-install.html
-interop.html
-interop.html
-intro.html
-intro.html
-ipsec.html
-ipsec.html
-kernel.html
-kernel.html
-mail.html
-mail.html
-makecheck.html
-manpage.d
-manpage.d
-manpages.html
-manpages.html
-multi_netjig.png
-nightly.html
-performance.html
-performance.html
-policygroups.html
-politics.html
-politics.html
-quickstart.html
-rfc.html
-rfc.html
-rfc_pg
-roadmap.html
-roadmap.html
-single_netjig.png
-testing.html
-testing.html
-toc.html
-toc.html
-trouble.html
-trouble.html
-umltesting.html
-upgrading.html
-user_examples.html
-user_examples.html
-web.html
-web.html
diff --git a/doc/HowTo.html b/doc/HowTo.html
deleted file mode 100644
index a6f92dda9..000000000
--- a/doc/HowTo.html
+++ /dev/null
@@ -1,18733 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<CENTER><A HREF="#CONTENTS"><H1>Introduction to FreeS/WAN</H1></A><BR>
-</CENTER>
-<HR>
-<H1 ALIGN="CENTER"><A NAME="CONTENTS">Table of Contents</A></H1>
-<BR>
-<BR><B><A HREF="#intro">Introduction</A></B>
-<UL>
-<LI><A HREF="#ipsec.intro">IPsec, Security for the Internet Protocol</A></LI>
-<UL>
-<LI><A HREF="#intro.interop">Interoperating with other IPsec
- implementations</A></LI>
-<LI><A HREF="#advantages">Advantages of IPsec</A></LI>
-<LI><A HREF="#applications">Applications of IPsec</A></LI>
-<UL>
-<LI><A HREF="#makeVPN">Using secure tunnels to create a VPN</A></LI>
-<LI><A HREF="#road.intro">Road Warriors</A></LI>
-<LI><A HREF="#opp.intro">Opportunistic encryption</A></LI>
-</UL>
-<LI><A HREF="#types">The need to authenticate gateways</A></LI>
-</UL>
-<LI><A HREF="#project">The FreeS/WAN project</A></LI>
-<UL>
-<LI><A HREF="#goals">Project goals</A></LI>
-<LI><A HREF="#staff">Project team</A></LI>
-</UL>
-<LI><A HREF="#products">Products containing FreeS/WAN</A></LI>
-<UL>
-<LI><A HREF="#distwith">Full Linux distributions</A></LI>
-<LI><A HREF="#kernel_dist">Linux kernel distributions</A></LI>
-<LI><A HREF="#office_dist">Office server distributions</A></LI>
-<LI><A HREF="#fw_dist">Firewall distributions</A></LI>
-<LI><A HREF="#turnkey">Firewall and VPN products</A></LI>
-</UL>
-<LI><A HREF="#docs">Information sources</A></LI>
-<UL>
-<LI><A HREF="#docformats">This HowTo, in multiple formats</A></LI>
-<LI><A HREF="#rtfm">RTFM (please Read The Fine Manuals)</A></LI>
-<LI><A HREF="#text">Other documents in the distribution</A></LI>
-<LI><A HREF="#assumptions">Background material</A></LI>
-<LI><A HREF="#archives">Archives of the project mailing list</A></LI>
-<LI><A HREF="#howto">User-written HowTo information</A></LI>
-<LI><A HREF="#applied">Papers on FreeS/WAN</A></LI>
-<LI><A HREF="#licensing">License and copyright information</A></LI>
-</UL>
-<LI><A HREF="#sites">Distribution sites</A></LI>
-<UL>
-<LI><A HREF="#1_5_1">Primary site</A></LI>
-<LI><A HREF="#mirrors">Mirrors</A></LI>
-<LI><A HREF="#munitions">The &quot;munitions&quot; archive of Linux crypto
- software</A></LI>
-</UL>
-<LI><A HREF="#1_6">Links to other sections</A></LI>
-</UL>
-<B><A HREF="#2">Upgrading to FreeS/WAN 2.x</A></B>
-<UL>
-<LI><A HREF="#2_1">New! Built in Opportunistic connections</A></LI>
-<UL>
-<LI><A HREF="#2_1_1">Upgrading Opportunistic Encryption to 2.01 (or
- later)</A></LI>
-</UL>
-<LI><A HREF="#2_2">New! Policy Groups</A></LI>
-<LI><A HREF="#2_3">New! Packetdefault Connection</A></LI>
-<LI><A HREF="#2_4">FreeS/WAN now disables Reverse Path Filtering</A></LI>
-<LI><A HREF="#2_5">Revised ipsec.conf</A></LI>
-<UL>
-<LI><A HREF="#2_5_1">No promise of compatibility</A></LI>
-<LI><A HREF="#2_5_2">Most ipsec.conf files will work fine</A></LI>
-<LI><A HREF="#2_5_3">Backward compatibility patch</A></LI>
-<LI><A HREF="#2_5_4">Details</A></LI>
-<LI><A HREF="#2_5_5">Upgrading from 1.x RPMs to 2.x RPMs</A></LI>
-</UL>
-</UL>
-<B><A HREF="#quickstart">Quickstart Guide to Opportunistic Encryption</A>
-</B>
-<UL>
-<LI><A HREF="#opp.setup">Purpose</A></LI>
-<UL>
-<LI><A HREF="#3_1_1">OE &quot;flag day&quot;</A></LI>
-</UL>
-<LI><A HREF="#opp.dns">Requirements</A></LI>
-<LI><A HREF="#easy.install">RPM install</A></LI>
-<UL>
-<LI><A HREF="#3_3_1">Download RPMs</A></LI>
-<LI><A HREF="#3_3_2">Check signatures</A></LI>
-<LI><A HREF="#3_3_3">Install the RPMs</A></LI>
-<LI><A HREF="#testinstall">Test</A></LI>
-</UL>
-<LI><A HREF="#opp.setups.list">Our Opportunistic Setups</A></LI>
-<UL>
-<LI><A HREF="#3_4_1">Full or partial opportunism?</A></LI>
-</UL>
-<LI><A HREF="#opp.client">Initiate-only setup</A></LI>
-<UL>
-<LI><A HREF="#3_5_1">Restrictions</A></LI>
-<LI><A HREF="#forward.dns">Create and publish a forward DNS record</A></LI>
-<UL>
-<LI><A HREF="#3_5_2_1">Find a domain you can use</A></LI>
-<LI><A HREF="#3_5_2_2">Choose your ID</A></LI>
-<LI><A HREF="#3_5_2_3">Create a forward TXT record</A></LI>
-<LI><A HREF="#3_5_2_4">Publish the forward TXT record</A></LI>
-</UL>
-<LI><A HREF="#3_5_3">Test that your key has been published</A></LI>
-<LI><A HREF="#3_5_4">Configure, if necessary</A></LI>
-<LI><A HREF="#3_5_5">Test</A></LI>
-</UL>
-<LI><A HREF="#3_6">Full Opportunism</A></LI>
-<UL>
-<LI><A HREF="#3_6_1">Put a TXT record in a Forward Domain</A></LI>
-<LI><A HREF="#3_6_2">Put a TXT record in Reverse DNS</A></LI>
-<UL>
-<LI><A HREF="#3_6_2_1">Create a Reverse DNS TXT record</A></LI>
-<LI><A HREF="#3_6_2_2">Publish your TXT record</A></LI>
-</UL>
-<LI><A HREF="#3_6_3">Test your DNS record</A></LI>
-<LI><A HREF="#3_6_4">No Configuration Needed</A></LI>
-<LI><A HREF="#3_6_5">Consider Firewalling</A></LI>
-<LI><A HREF="#3_6_6">Test</A></LI>
-<LI><A HREF="#3_6_7">Test</A></LI>
-</UL>
-<LI><A HREF="#opp.test">Testing opportunistic connections</A></LI>
-<LI><A HREF="#3_8">Now what?</A></LI>
-<LI><A HREF="#3_9">Notes</A></LI>
-<LI><A HREF="#3_10">Troubleshooting OE</A></LI>
-<LI><A HREF="#3_11">Known Issues</A></LI>
-</UL>
-<B><A HREF="#4">How to Configure Linux FreeS/WAN with Policy Groups</A></B>
-<UL>
-<LI><A HREF="#4_1">What are Policy Groups?</A></LI>
-<UL>
-<LI><A HREF="#4_1_1">Built-In Security Options</A></LI>
-</UL>
-<LI><A HREF="#4_2">Using Policy Groups</A></LI>
-<UL>
-<LI><A HREF="#4_2_1">Example 1: Using a Base Policy Group</A></LI>
-<LI><A HREF="#4_2_2">Example 2: Defining IPsec Security Policy with
- Groups</A></LI>
-<LI><A HREF="#4_2_3">Example 3: Creating a Simple IPsec VPN with the
- private Group</A></LI>
-<LI><A HREF="#4_2_4">Example 4: New Policy Groups to Protect a Subnet</A>
-</LI>
-<LI><A HREF="#4_2_5">Example 5: Adding a Subnet to the VPN</A></LI>
-</UL>
-<LI><A HREF="#4_3">Appendix</A></LI>
-<UL>
-<LI><A HREF="#4_3_1">Our Hidden Connections</A></LI>
-<LI><A HREF="#4_3_2">Custom Policy Groups</A></LI>
-<LI><A HREF="#4_3_3">Disabling Opportunistic Encryption</A></LI>
-</UL>
-</UL>
-<B><A HREF="#5">FreeS/WAN FAQ</A></B>
-<UL>
-<LI><A HREF="#questions">Index of FAQ questions</A></LI>
-<LI><A HREF="#whatzit">What is FreeS/WAN?</A></LI>
-<LI><A HREF="#problems">How do I report a problem or seek help?</A></LI>
-<LI><A HREF="#generic">Can I get ...</A></LI>
-<UL>
-<LI><A HREF="#lemme_out">Can I get an off-the-shelf system that includes
- FreeS/WAN?</A></LI>
-<LI><A HREF="#consultant">Can I hire consultants or staff who know
- FreeS/WAN?</A></LI>
-<LI><A HREF="#commercial">Can I get commercial support?</A></LI>
-</UL>
-<LI><A HREF="#release">Release questions</A></LI>
-<UL>
-<LI><A HREF="#rel.current">What is the current release?</A></LI>
-<LI><A HREF="#relwhen">When is the next release?</A></LI>
-<LI><A HREF="#rel.bugs">Are there known bugs in the current release?</A></LI>
-</UL>
-<LI><A HREF="#mod_cons">Modifications and contributions</A></LI>
-<UL>
-<LI><A HREF="#modify.faq">Can I modify FreeS/WAN to ...?</A></LI>
-<LI><A HREF="#contrib.faq">Can I contribute to the project?</A></LI>
-<LI><A HREF="#ddoc.faq">Is there detailed design documentation?</A></LI>
-</UL>
-<LI><A HREF="#interact">Will FreeS/WAN work in my environment?</A></LI>
-<UL>
-<LI><A HREF="#interop.faq">Can FreeS/WAN talk to ...?</A></LI>
-<LI><A HREF="#old_to_new">Can different FreeS/WAN versions talk to each
- other?</A></LI>
-<LI><A HREF="#faq.bandwidth">Is there a limit on throughput?</A></LI>
-<LI><A HREF="#faq.number">Is there a limit on number of tunnels?</A></LI>
-<LI><A HREF="#faq.speed">Is a ... fast enough to handle FreeS/WAN with
- my loads?</A></LI>
-</UL>
-<LI><A HREF="#work_on">Will FreeS/WAN work on ... ?</A></LI>
-<UL>
-<LI><A HREF="#versions">Will FreeS/WAN run on my version of Linux?</A></LI>
-<LI><A HREF="#nonIntel.faq">Will FreeS/WAN run on non-Intel CPUs?</A></LI>
-<LI><A HREF="#multi.faq">Will FreeS/WAN run on multiprocessors?</A></LI>
-<LI><A HREF="#k.old">Will FreeS/WAN work on an older kernel?</A></LI>
-<LI><A HREF="#k.versions">Will FreeS/WAN run on the latest kernel
- version?</A></LI>
-<LI><A HREF="#interface.faq">Will FreeS/WAN work on unusual network
- hardware?</A></LI>
-<LI><A HREF="#vlan">Will FreeS/WAN work on a VLAN (802.1q) network?</A></LI>
-</UL>
-<LI><A HREF="#features.faq">Does FreeS/WAN support ...</A></LI>
-<UL>
-<LI><A HREF="#VPN.faq">Does FreeS/WAN support site-to-site VPN (Virtual
- Private Network) applications?</A></LI>
-<LI><A HREF="#warrior.faq">Does FreeS/WAN support remote users
- connecting to a LAN?</A></LI>
-<LI><A HREF="#road.shared.possible">Does FreeS/WAN support remote users
- using shared secret authentication?</A></LI>
-<LI><A HREF="#wireless.faq">Does FreeS/WAN support wireless networks?</A>
-</LI>
-<LI><A HREF="#PKIcert">Does FreeS/WAN support X.509 or other PKI
- certificates?</A></LI>
-<LI><A HREF="#Radius">Does FreeS/WAN support user authentication
- (Radius, SecureID, Smart Card...)?</A></LI>
-<LI><A HREF="#NATtraversal">Does FreeS/WAN support NAT traversal?</A></LI>
-<LI><A HREF="#virtID">Does FreeS/WAN support assigning a &quot;virtual
- identity&quot; to a remote system?</A></LI>
-<LI><A HREF="#noDES.faq">Does FreeS/WAN support single DES encryption?</A>
-</LI>
-<LI><A HREF="#AES.faq">Does FreeS/WAN support AES encryption?</A></LI>
-<LI><A HREF="#other.cipher">Does FreeS/WAN support other encryption
- algorithms?</A></LI>
-</UL>
-<LI><A HREF="#canI">Can I ...</A></LI>
-<UL>
-<LI><A HREF="#policy.preconfig">Can I use policy groups along with
- explicitly configured connections?</A></LI>
-<LI><A HREF="#policy.off">Can I turn off policy groups?</A></LI>
-<LI><A HREF="#reload">Can I reload connection info without restarting?</A>
-</LI>
-<LI><A HREF="#masq.faq">Can I use several masqueraded subnets?</A></LI>
-<LI><A HREF="#dup_route">Can I use subnets masqueraded to the same
- addresses?</A></LI>
-<LI><A HREF="#road.masq">Can I assign a road warrior an address on my
- net (a virtual identity)?</A></LI>
-<LI><A HREF="#road.many">Can I support many road warriors with one
- gateway?</A></LI>
-<LI><A HREF="#road.PSK">Can I have many road warriors using shared
- secret authentication?</A></LI>
-<LI><A HREF="#QoS">Can I use Quality of Service routing with FreeS/WAN?</A>
-</LI>
-<LI><A HREF="#deadtunnel">Can I recognise dead tunnels and shut them
- down?</A></LI>
-<LI><A HREF="#demanddial">Can I build IPsec tunnels over a demand-dialed
- link?</A></LI>
-<LI><A HREF="#GRE">Can I build GRE, L2TP or PPTP tunnels over IPsec?</A></LI>
-<LI><A HREF="#NetBIOS">... use Network Neighborhood (Samba, NetBIOS)
- over IPsec?</A></LI>
-</UL>
-<LI><A HREF="#setup.faq">Life's little mysteries</A></LI>
-<UL>
-<LI><A HREF="#cantping">I cannot ping ....</A></LI>
-<LI><A HREF="#forever">It takes forever to ...</A></LI>
-<LI><A HREF="#route">I send packets to the tunnel with route(8) but they
- vanish</A></LI>
-<LI><A HREF="#down_route">When a tunnel goes down, packets vanish</A></LI>
-<LI><A HREF="#firewall_ate">The firewall ate my packets!</A></LI>
-<LI><A HREF="#dropconn">Dropped connections</A></LI>
-<LI><A HREF="#defaultroutegone">Disappearing %defaultroute</A></LI>
-<LI><A HREF="#tcpdump.faq">TCPdump on the gateway shows strange things</A>
-</LI>
-<LI><A HREF="#no_trace">Traceroute does not show anything between the
- gateways</A></LI>
-</UL>
-<LI><A HREF="#man4debug">Testing in stages</A></LI>
-<UL>
-<LI><A HREF="#nomanual">Manually keyed connections don't work</A></LI>
-<LI><A HREF="#spi_error">One manual connection works, but second one
- fails</A></LI>
-<LI><A HREF="#man_no_auto">Manual connections work, but automatic keying
- doesn't</A></LI>
-<LI><A HREF="#nocomp">IPsec works, but connections using compression
- fail</A></LI>
-<LI><A HREF="#pmtu.broken">Small packets work, but large transfers fail</A>
-</LI>
-<LI><A HREF="#subsub">Subnet-to-subnet works, but tests from the
- gateways don't</A></LI>
-</UL>
-<LI><A HREF="#compile.faq">Compilation problems</A></LI>
-<UL>
-<LI><A HREF="#gmp.h_missing">gmp.h: No such file or directory</A></LI>
-<LI><A HREF="#noVM">... virtual memory exhausted</A></LI>
-</UL>
-<LI><A HREF="#error">Interpreting error messages</A></LI>
-<UL>
-<LI><A HREF="#route-client">route-client (or host) exited with status 7</A>
-</LI>
-<LI><A HREF="#unreachable">SIOCADDRT:Network is unreachable</A></LI>
-<LI><A HREF="#modprobe">ipsec_setup: modprobe: Can't locate module ipsec</A>
-</LI>
-<LI><A HREF="#noKLIPS">ipsec_setup: Fatal error, kernel appears to lack
- KLIPS</A></LI>
-<LI><A HREF="#noDNS">ipsec_setup: ... failure to fetch key for ... from
- DNS</A></LI>
-<LI><A HREF="#dup_address">ipsec_setup: ... interfaces ... and ... share
- address ...</A></LI>
-<LI><A HREF="#kflags">ipsec_setup: Cannot adjust kernel flags</A></LI>
-<LI><A HREF="#message_num">Message numbers (MI3, QR1, et cetera) in
- Pluto messages</A></LI>
-<LI><A HREF="#conn_name">Connection names in Pluto error messages</A></LI>
-<LI><A HREF="#cantorient">Pluto: ... can't orient connection</A></LI>
-<LI><A HREF="#no.interface">... we have no ipsecN interface for either
- end of this connection</A></LI>
-<LI><A HREF="#noconn">Pluto: ... no connection is known</A></LI>
-<LI><A HREF="#nosuit">Pluto: ... no suitable connection ...</A></LI>
-<LI><A HREF="#noconn.auth">Pluto: ... no connection has been authorized</A>
-</LI>
-<LI><A HREF="#noDESsupport">Pluto: ... OAKLEY_DES_CBC is not supported.</A>
-</LI>
-<LI><A HREF="#notransform">Pluto: ... no acceptable transform</A></LI>
-<LI><A HREF="#rsasigkey">rsasigkey dumps core</A></LI>
-<LI><A HREF="#sig4">!Pluto failure!: ... exited with ... signal 4</A></LI>
-<LI><A HREF="#econnrefused">ECONNREFUSED error message</A></LI>
-<LI><A HREF="#no_eroute">klips_debug: ... no eroute!</A></LI>
-<LI><A HREF="#SAused">... trouble writing to /dev/ipsec ... SA already
- in use</A></LI>
-<LI><A HREF="#ignore">... ignoring ... payload</A></LI>
-<LI><A HREF="#unknown_rightcert">unknown parameter name &quot;rightcert&quot;</A></LI>
-</UL>
-<LI><A HREF="#spam">Why don't you restrict the mailing lists to reduce
- spam?</A></LI>
-</UL>
-<B><A HREF="#manpages">FreeS/WAN manual pages</A></B>
-<UL>
-<LI><A HREF="#man.file">Files</A></LI>
-<LI><A HREF="#man.command">Commands</A></LI>
-<LI><A HREF="#man.lib">Library routines</A></LI>
-</UL>
-<B><A HREF="#firewall">FreeS/WAN and firewalls</A></B>
-<UL>
-<LI><A HREF="#filters">Filtering rules for IPsec packets</A></LI>
-<LI><A HREF="#examplefw">Firewall configuration at boot</A></LI>
-<UL>
-<LI><A HREF="#simple.rules">A simple set of rules</A></LI>
-<LI><A HREF="#complex.rules">Other rules</A></LI>
-<UL>
-<LI><A HREF="#7_2_2_1">Adding additional rules</A></LI>
-<LI><A HREF="#7_2_2_2">Modifying existing rules</A></LI>
-</UL>
-<LI><A HREF="#rules.pub">Published rule sets</A></LI>
-<UL>
-<LI><A HREF="#Ranch.trinity">Scripts based on Ranch's work</A></LI>
-<LI><A HREF="#seawall">The Seattle firewall</A></LI>
-<LI><A HREF="#rcf">The RCF scripts</A></LI>
-<LI><A HREF="#asgard">Asgard scripts</A></LI>
-<LI><A HREF="#user.scripts">User scripts from the mailing list</A></LI>
-</UL>
-</UL>
-<LI><A HREF="#updown">Calling firewall scripts, named in ipsec.conf(5)</A>
-</LI>
-<UL>
-<LI><A HREF="#pre_post">Scripts called at IPsec start and stop</A></LI>
-<LI><A HREF="#up_down">Scripts called at connection up and down</A></LI>
-<UL>
-<LI><A HREF="#fw.default">The default script</A></LI>
-<LI><A HREF="#userscript">User-written scripts</A></LI>
-</UL>
-<LI><A HREF="#ipchains.script">Scripts for ipchains or iptables</A></LI>
-</UL>
-<LI><A HREF="#NAT">A complication: IPsec vs. NAT</A></LI>
-<UL>
-<LI><A HREF="#nat_ok">NAT on or behind the IPsec gateway works</A></LI>
-<LI><A HREF="#nat_bad">NAT between gateways is problematic</A></LI>
-<LI><A HREF="#NAT.ref">Other references on NAT and IPsec</A></LI>
-</UL>
-<LI><A HREF="#complications">Other complications</A></LI>
-<UL>
-<LI><A HREF="#through">IPsec through the gateway</A></LI>
-<LI><A HREF="#ipsec_only">Preventing non-IPsec traffic</A></LI>
-<LI><A HREF="#unknowngate">Filtering packets from unknown gateways</A></LI>
-</UL>
-<LI><A HREF="#otherfilter">Other packet filters</A></LI>
-<UL>
-<LI><A HREF="#ICMP">ICMP filtering</A></LI>
-<LI><A HREF="#traceroute">UDP packets for traceroute</A></LI>
-<LI><A HREF="#l2tp">UDP for L2TP</A></LI>
-</UL>
-<LI><A HREF="#packets">How it all works: IPsec packet details</A></LI>
-<UL>
-<LI><A HREF="#noport">ESP and AH do not have ports</A></LI>
-<LI><A HREF="#header">Header layout</A></LI>
-<LI><A HREF="#dhr">DHR on the updown script</A></LI>
-</UL>
-</UL>
-<B><A HREF="#trouble">Linux FreeS/WAN Troubleshooting Guide</A></B>
-<UL>
-<LI><A HREF="#overview">Overview</A></LI>
-<LI><A HREF="#install">1. During Install</A></LI>
-<UL>
-<LI><A HREF="#8_2_1">1.1 RPM install gotchas</A></LI>
-<LI><A HREF="#8_2_2">1.2 Problems installing from source</A></LI>
-<LI><A HREF="#install.check">1.3 Install checks</A></LI>
-<LI><A HREF="#oe.trouble">1.3 Troubleshooting OE</A></LI>
-</UL>
-<LI><A HREF="#negotiation">2. During Negotiation</A></LI>
-<UL>
-<LI><A HREF="#state">2.1 Determine Connection State</A></LI>
-<UL>
-<LI><A HREF="#8_3_1_1">Finding current state</A></LI>
-<LI><A HREF="#8_3_1_2">What's this supposed to look like?</A></LI>
-</UL>
-<LI><A HREF="#find.pluto.error">2.2 Finding error text</A></LI>
-<UL>
-<LI><A HREF="#8_3_2_1">Verbose start for more information</A></LI>
-<LI><A HREF="#8_3_2_2">Debug levels count</A></LI>
-<LI><A HREF="#8_3_2_3">ipsec barf for lots of debugging information</A></LI>
-<LI><A HREF="#8_3_2_4">Find the error</A></LI>
-<LI><A HREF="#8_3_2_5">Play both sides</A></LI>
-</UL>
-<LI><A HREF="#interpret.pluto.error">2.3 Interpreting a Negotiation
- Error</A></LI>
-<UL>
-<LI><A HREF="#ikepath">Connection stuck at STATE_MAIN_I1</A></LI>
-<LI><A HREF="#8_3_3_2">Other errors</A></LI>
-</UL>
-</UL>
-<LI><A HREF="#use">3. Using a Connection</A></LI>
-<UL>
-<LI><A HREF="#8_4_1">3.1 Orienting yourself</A></LI>
-<UL>
-<LI><A HREF="#8_4_1_1">How do I know if it works?</A></LI>
-<LI><A HREF="#8_4_1_2">ipsec barf is useful again</A></LI>
-</UL>
-<LI><A HREF="#8_4_2">3.2 Those pesky configuration errors</A></LI>
-<LI><A HREF="#route.firewall">3.3 Check Routing and Firewalling</A></LI>
-<UL>
-<LI><A HREF="#8_4_3_1">Background:</A></LI>
-<LI><A HREF="#ifconfig">View Interface and Firewall Statistics</A></LI>
-</UL>
-<LI><A HREF="#sniff">3.4 When in doubt, sniff it out</A></LI>
-<UL>
-<LI><A HREF="#8_4_4_1">Anticipate your packets' path</A></LI>
-</UL>
-<LI><A HREF="#find.use.error">3.5 Check your logs</A></LI>
-<UL>
-<LI><A HREF="#interpret.use.error">Interpreting log text</A></LI>
-</UL>
-<LI><A HREF="#bigpacket">3.6 More testing for the truly thorough</A></LI>
-<UL>
-<LI><A HREF="#8_4_6_1">Large Packets</A></LI>
-<LI><A HREF="#8_4_6_2">Stress Tests</A></LI>
-</UL>
-</UL>
-<LI><A HREF="#prob.report">4. Problem Reporting</A></LI>
-<UL>
-<LI><A HREF="#8_5_1">4.1 How to ask for help</A></LI>
-<LI><A HREF="#8_5_2">4.2 Where to ask</A></LI>
-</UL>
-<LI><A HREF="#notes">5. Additional Notes on Troubleshooting</A></LI>
-<UL>
-<LI><A HREF="#system.info">5.1 Information available on your system</A></LI>
-<UL>
-<LI><A HREF="#logusage">Logs used</A></LI>
-<LI><A HREF="#pages">man pages provided</A></LI>
-<LI><A HREF="#statusinfo">Status information</A></LI>
-</UL>
-<LI><A HREF="#testgates"> 5.2 Testing between security gateways</A></LI>
-<LI><A HREF="#ifconfig1">5.3 ifconfig reports for KLIPS debugging</A></LI>
-<LI><A HREF="#gdb"> 5.4 Using GDB on Pluto</A></LI>
-</UL>
-</UL>
-<B><A HREF="#compat">Linux FreeS/WAN Compatibility Guide</A></B>
-<UL>
-<LI><A HREF="#spec">Implemented parts of the IPsec Specification</A></LI>
-<UL>
-<LI><A HREF="#in">In Linux FreeS/WAN</A></LI>
-<LI><A HREF="#dropped">Deliberately omitted</A></LI>
-<LI><A HREF="#not">Not (yet) in Linux FreeS/WAN</A></LI>
-</UL>
-<LI><A HREF="#pfkey">Our PF-Key implementation</A></LI>
-<UL>
-<LI><A HREF="#pfk.port">PF-Key portability</A></LI>
-</UL>
-<LI><A HREF="#otherk">Kernels other than the latest 2.2.x and 2.4.y</A></LI>
-<UL>
-<LI><A HREF="#kernel.2.0">2.0.x kernels</A></LI>
-<LI><A HREF="#kernel.production">2.2 and 2.4 kernels</A></LI>
-</UL>
-<LI><A HREF="#otherdist">Intel Linux distributions other than Redhat</A></LI>
-<UL>
-<LI><A HREF="#rh7">Redhat 7.0</A></LI>
-<LI><A HREF="#suse">SuSE Linux</A></LI>
-<UL>
-<LI><A HREF="#9_4_2_1">SuSE Linux 5.3</A></LI>
-</UL>
-<LI><A HREF="#slack">Slackware</A></LI>
-<LI><A HREF="#deb">Debian</A></LI>
-<LI><A HREF="#caldera">Caldera</A></LI>
-</UL>
-<LI><A HREF="#CPUs">CPUs other than Intel</A></LI>
-<UL>
-<LI><A HREF="# strongarm">Corel Netwinder (StrongARM CPU)</A></LI>
-<LI><A HREF="#yellowdog">Yellow Dog Linux on Power PC</A></LI>
-<LI><A HREF="#mklinux">Mklinux</A></LI>
-<LI><A HREF="#alpha">Alpha 64-bit processors</A></LI>
-<LI><A HREF="#SPARC">Sun SPARC processors</A></LI>
-<LI><A HREF="#mips">MIPS processors</A></LI>
-<LI><A HREF="#crusoe">Transmeta Crusoe</A></LI>
-<LI><A HREF="#coldfire">Motorola Coldfire</A></LI>
-</UL>
-<LI><A HREF="#multiprocessor">Multiprocessor machines</A></LI>
-<LI><A HREF="#hardware">Support for crypto hardware</A></LI>
-<LI><A HREF="#ipv6">IP version 6 (IPng)</A></LI>
-<UL>
-<LI><A HREF="#v6.back">IPv6 background</A></LI>
-</UL>
-</UL>
-<B><A HREF="#10">Interoperating with FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="#10_1">Interop at a Glance</A></LI>
-<UL>
-<LI><A HREF="#10_1_1">Key</A></LI>
-</UL>
-<LI><A HREF="#10_2">Basic Interop Rules</A></LI>
-<LI><A HREF="#10_3">Longer Stories</A></LI>
-<UL>
-<LI><A HREF="#10_3_1">For More Compatible Implementations</A></LI>
-<UL>
-<LI><A HREF="#freeswan">FreeS/WAN</A></LI>
-<LI><A HREF="#isakmpd">isakmpd (OpenBSD)</A></LI>
-<LI><A HREF="#kame">Kame</A></LI>
-<LI><A HREF="#mcafee">PGPNet/McAfee</A></LI>
-<LI><A HREF="#microsoft">Microsoft Windows 2000/XP</A></LI>
-<LI><A HREF="#ssh">SSH Sentinel</A></LI>
-<LI><A HREF="#safenet">Safenet SoftPK/SoftRemote</A></LI>
-</UL>
-<LI><A HREF="#10_3_2">For Other Implementations</A></LI>
-<UL>
-<LI><A HREF="#6wind">6Wind</A></LI>
-<LI><A HREF="#alcatel">Alcatel Timestep</A></LI>
-<LI><A HREF="#apple">Apple Macintosh System 10+</A></LI>
-<LI><A HREF="#ashleylaurent">AshleyLaurent VPCom</A></LI>
-<LI><A HREF="#borderware">Borderware</A></LI>
-<LI><A HREF="#checkpoint">Check Point VPN-1 or FW-1</A></LI>
-<LI><A HREF="#cisco">Cisco</A></LI>
-<LI><A HREF="#equinux">Equinux VPN tracker (for Mac OS X)</A></LI>
-<LI><A HREF="#fsecure">F-Secure</A></LI>
-<LI><A HREF="#gauntlet">Gauntlet GVPN</A></LI>
-<LI><A HREF="#aix">IBM AIX</A></LI>
-<LI><A HREF="#as400">IBM AS/400</A></LI>
-<LI><A HREF="#intel">Intel Shiva LANRover / Net Structure</A></LI>
-<LI><A HREF="#lancom">LanCom (formerly ELSA)</A></LI>
-<LI><A HREF="#linksys">Linksys</A></LI>
-<LI><A HREF="#lucent">Lucent</A></LI>
-<LI><A HREF="#netasq">Netasq</A></LI>
-<LI><A HREF="#netcelo">Netcelo</A></LI>
-<LI><A HREF="#netgear">Netgear fvs318</A></LI>
-<LI><A HREF="#netscreen">Netscreen 100 or 5xp</A></LI>
-<LI><A HREF="#nortel">Nortel Contivity</A></LI>
-<LI><A HREF="#radguard">Radguard</A></LI>
-<LI><A HREF="#raptor">Raptor (NT or Solaris)</A></LI>
-<LI><A HREF="#redcreek">Redcreek Ravlin</A></LI>
-<LI><A HREF="#sonicwall">SonicWall</A></LI>
-<LI><A HREF="#sun">Sun Solaris</A></LI>
-<LI><A HREF="#symantec">Symantec</A></LI>
-<LI><A HREF="#watchguard">Watchguard Firebox</A></LI>
-<LI><A HREF="#xedia">Xedia Access Point/QVPN</A></LI>
-<LI><A HREF="#zyxel">Zyxel</A></LI>
-</UL>
-</UL>
-</UL>
-<B><A HREF="#performance">Performance of FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="#pub.bench">Published material</A></LI>
-<LI><A HREF="#perf.estimate">Estimating CPU overheads</A></LI>
-<UL>
-<LI><A HREF="#perf.more">Higher performance alternatives</A></LI>
-<LI><A HREF="#11_2_2">Other considerations</A></LI>
-</UL>
-<LI><A HREF="#biggate">Many tunnels from a single gateway</A></LI>
-<LI><A HREF="#low-end">Low-end systems</A></LI>
-<LI><A HREF="#klips.bench">Measuring KLIPS</A></LI>
-<LI><A HREF="#speed.compress">Speed with compression</A></LI>
-<LI><A HREF="#methods">Methods of measuring</A></LI>
-</UL>
-<B><A HREF="#test.freeswan">Testing FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="#test.oe">Testing opportunistic connections</A></LI>
-<UL>
-<LI><A HREF="#12_1_1">Basic OE Test</A></LI>
-<LI><A HREF="#12_1_2">OE Gateway Test</A></LI>
-<LI><A HREF="#12_1_3">Additional OE tests</A></LI>
-</UL>
-<LI><A HREF="#test.uml">Testing with User Mode Linux</A></LI>
-<LI><A HREF="#testnet">Configuration for a testbed network</A></LI>
-<UL>
-<LI><A HREF="#testbed">Testbed network</A></LI>
-<LI><A HREF="#tcpdump.test">Using packet sniffers in testing</A></LI>
-</UL>
-<LI><A HREF="#verify.crypt">Verifying encryption</A></LI>
-<LI><A HREF="#mail.test">Mailing list pointers</A></LI>
-</UL>
-<B><A HREF="#kernelconfig">Kernel configuration for FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="#notall">Not everyone needs to worry about kernel
- configuration</A></LI>
-<LI><A HREF="#assume">Assumptions and notation</A></LI>
-<UL>
-<LI><A HREF="#labels">Labels used</A></LI>
-</UL>
-<LI><A HREF="#kernelopt">Kernel options for FreeS/WAN</A></LI>
-</UL>
-<B><A HREF="#adv_config">Other configuration possibilities</A></B>
-<UL>
-<LI><A HREF="#thumb">Some rules of thumb about configuration</A></LI>
-<UL>
-<LI><A HREF="#cheap.tunnel">Tunnels are cheap</A></LI>
-<LI><A HREF="#subnet.size">Subnet sizes</A></LI>
-<LI><A HREF="#example.more">Other network layouts</A></LI>
-<UL>
-<LI><A HREF="#internet.subnet">The Internet as a big subnet</A></LI>
-<LI><A HREF="#wireless.config">Wireless</A></LI>
-</UL>
-</UL>
-<LI><A HREF="#choose">Choosing connection types</A></LI>
-<UL>
-<LI><A HREF="#man-auto">Manual vs. automatic keying</A></LI>
-<LI><A HREF="#auto-auth">Authentication methods for auto-keying</A></LI>
-<LI><A HREF="#adv-pk">Advantages of public key methods</A></LI>
-</UL>
-<LI><A HREF="#prodsecrets">Using shared secrets in production</A></LI>
-<UL>
-<LI><A HREF="#secrets">Putting secrets in ipsec.secrets(5)</A></LI>
-<LI><A HREF="#securing.secrets">File security</A></LI>
-<LI><A HREF="#notroadshared">Shared secrets for road warriors</A></LI>
-</UL>
-<LI><A HREF="#prodman">Using manual keying in production</A></LI>
-<UL>
-<LI><A HREF="#ranbits">Creating keys with ranbits</A></LI>
-</UL>
-<LI><A HREF="#boot">Setting up connections at boot time</A></LI>
-<LI><A HREF="#multitunnel">Multiple tunnels between the same two
- gateways</A></LI>
-<UL>
-<LI><A HREF="#advroute">One tunnel plus advanced routing</A></LI>
-</UL>
-<LI><A HREF="#opp.gate">An Opportunistic Gateway</A></LI>
-<UL>
-<LI><A HREF="#14_7_1">Start from full opportunism</A></LI>
-<LI><A HREF="#14_7_2">Reverse DNS TXT records for each protected machine</A>
-</LI>
-<LI><A HREF="#14_7_3">Publish your records</A></LI>
-<LI><A HREF="#14_7_4">...and test them</A></LI>
-<LI><A HREF="#14_7_5">No Configuration Needed</A></LI>
-</UL>
-<LI><A HREF="#extruded.config">Extruded Subnets</A></LI>
-<LI><A HREF="#roadvirt">Road Warrior with virtual IP address</A></LI>
-<LI><A HREF="#dynamic">Dynamic Network Interfaces</A></LI>
-<UL>
-<LI><A HREF="#basicdyn">Basics</A></LI>
-<LI><A HREF="#bootdyn">Boot Time</A></LI>
-<LI><A HREF="#changedyn">Change Time</A></LI>
-</UL>
-<LI><A HREF="#unencrypted">Unencrypted tunnels</A></LI>
-</UL>
-<B><A HREF="#install">Installing FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="#15_1">Requirements</A></LI>
-<LI><A HREF="#15_2">Choose your install method</A></LI>
-<LI><A HREF="#15_3">FreeS/WAN ships with some Linuxes</A></LI>
-<UL>
-<LI><A HREF="#15_3_1">FreeS/WAN may be altered...</A></LI>
-<LI><A HREF="#15_3_2">You might need to create an authentication keypair</A>
-</LI>
-<LI><A HREF="#15_3_3">Start and test FreeS/WAN</A></LI>
-</UL>
-<LI><A HREF="#15_4">RPM install</A></LI>
-<UL>
-<LI><A HREF="#15_4_1">Download RPMs</A></LI>
-<LI><A HREF="#15_4_2">For freeswan.org RPMs: check signatures</A></LI>
-<LI><A HREF="#15_4_3">Install the RPMs</A></LI>
-<LI><A HREF="#15_4_4">Start and Test FreeS/WAN</A></LI>
-</UL>
-<LI><A HREF="#15_5">Install from Source</A></LI>
-<UL>
-<LI><A HREF="#15_5_1">Decide what functionality you need</A></LI>
-<LI><A HREF="#15_5_2">Download FreeS/WAN</A></LI>
-<LI><A HREF="#15_5_3">For freeswan.org source: check its signature</A></LI>
-<LI><A HREF="#15_5_4">Untar, unzip</A></LI>
-<LI><A HREF="#15_5_5">Patch if desired</A></LI>
-<LI><A HREF="#15_5_6">... and Make</A></LI>
-<UL>
-<LI><A HREF="#15_5_6_1">Userland-only Install for 2.6 kernels</A></LI>
-<LI><A HREF="#15_5_6_2">KLIPS install for 2.2, 2.4, or 2.6 kernels</A></LI>
-</UL>
-</UL>
-<LI><A HREF="#15_6">Start FreeS/WAN and test your install</A></LI>
-<LI><A HREF="#15_7">Test your install</A></LI>
-<LI><A HREF="#15_8">Making FreeS/WAN play well with others</A></LI>
-<LI><A HREF="#15_9">Configure for your needs</A></LI>
-</UL>
-<B><A HREF="#config">How to configure FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="#16_1">Requirements</A></LI>
-<LI><A HREF="#config.netnet">Net-to-Net connection</A></LI>
-<UL>
-<LI><A HREF="#netnet.info.ex">Gather information</A></LI>
-<UL>
-<LI><A HREF="#16_2_1_1">Get your leftrsasigkey</A></LI>
-<LI><A HREF="#16_2_1_2">...and your rightrsasigkey</A></LI>
-</UL>
-<LI><A HREF="#16_2_2">Edit /etc/ipsec.conf</A></LI>
-<LI><A HREF="#16_2_3">Start your connection</A></LI>
-<LI><A HREF="#16_2_4">Do not MASQ or NAT packets to be tunneled</A></LI>
-<LI><A HREF="#16_2_5">Test your connection</A></LI>
-<LI><A HREF="#16_2_6">Finishing touches</A></LI>
-</UL>
-<LI><A HREF="#config.rw">Road Warrior Configuration</A></LI>
-<UL>
-<LI><A HREF="#rw.info.ex">Gather information</A></LI>
-<UL>
-<LI><A HREF="#16_3_1_1">Get your leftrsasigkey...</A></LI>
-<LI><A HREF="#16_3_1_2">...and your rightrsasigkey</A></LI>
-</UL>
-<LI><A HREF="#16_3_2">Customize /etc/ipsec.conf</A></LI>
-<LI><A HREF="#16_3_3">Start your connection</A></LI>
-<LI><A HREF="#16_3_4">Do not MASQ or NAT packets to be tunneled</A></LI>
-<LI><A HREF="#16_3_5">Test your connection</A></LI>
-<LI><A HREF="#16_3_6">Finishing touches</A></LI>
-<LI><A HREF="#16_3_7">Multiple Road Warriors</A></LI>
-</UL>
-<LI><A HREF="#16_4">What next?</A></LI>
-</UL>
-<B><A HREF="#background">Linux FreeS/WAN background</A></B>
-<UL>
-<LI><A HREF="#dns.background">Some DNS background</A></LI>
-<UL>
-<LI><A HREF="#forward.reverse">Forward and reverse maps</A></LI>
-<LI><A HREF="#17_1_2">Hierarchy and delegation</A></LI>
-<LI><A HREF="#17_1_3">Syntax of DNS records</A></LI>
-<LI><A HREF="#17_1_4">Cacheing, TTL and propagation delay</A></LI>
-</UL>
-<LI><A HREF="#MTU.trouble">Problems with packet fragmentation</A></LI>
-<LI><A HREF="#nat.background">Network address translation (NAT)</A></LI>
-<UL>
-<LI><A HREF="#17_3_1">NAT to non-routable addresses</A></LI>
-<LI><A HREF="#17_3_2">NAT to routable addresses</A></LI>
-</UL>
-</UL>
-<B><A HREF="#user.examples">FreeS/WAN script examples</A></B>
-<UL>
-<LI><A HREF="#poltorak">Poltorak's Firewall script</A></LI>
-</UL>
-<B><A HREF="#makecheck">How to configure to use &quot;make check&quot;</A></B>
-<UL>
-<LI><A HREF="#19_1">What is &quot;make check&quot;</A></LI>
-<LI><A HREF="#19_2">Running &quot;make check&quot;</A></LI>
-</UL>
-<B><A HREF="#20">How to write a &quot;make check&quot; test</A></B>
-<UL>
-<LI><A HREF="#20_1">Structure of a test</A></LI>
-<LI><A HREF="#20_2">The TESTLIST</A></LI>
-<LI><A HREF="#20_3">Test kinds</A></LI>
-<LI><A HREF="#20_4">Common parameters</A></LI>
-<LI><A HREF="#20_5">KLIPStest paramaters</A></LI>
-<LI><A HREF="#20_6">mkinsttest paramaters</A></LI>
-<LI><A HREF="#20_7">rpm_build_install_test paramaters</A></LI>
-<LI><A HREF="#20_8">libtest paramaters</A></LI>
-<LI><A HREF="#20_9">umlplutotest paramaters</A></LI>
-<LI><A HREF="#20_10">umlXhost parameters</A></LI>
-<LI><A HREF="#20_11">kernel_patch_test paramaters</A></LI>
-<LI><A HREF="#20_12">module_compile paramaters</A></LI>
-</UL>
-<B><A HREF="#21">Current pitfalls</A></B>
-<BR>
-<BR><B><A HREF="#umltesting">User-Mode-Linux Testing guide</A></B>
-<UL>
-<LI><A HREF="#22_1">Preliminary Notes on BIND</A></LI>
-<LI><A HREF="#22_2">Steps to Install UML for FreeS/WAN</A></LI>
-</UL>
-<B><A HREF="#23">Debugging the kernel with GDB</A></B>
-<UL>
-<LI><A HREF="#23_1">Other notes about debugging</A></LI>
-</UL>
-<B><A HREF="#24">User-Mode-Linux mysteries</A></B>
-<BR>
-<BR><B><A HREF="#25">Getting more info from uml_netjig</A></B>
-<BR>
-<BR><B><A HREF="#politics">History and politics of cryptography</A></B>
-<UL>
-<LI><A HREF="#intro.politics">Introduction</A></LI>
-<UL>
-<LI><A HREF="#26_1_1">History</A></LI>
-<UL>
-<LI><A HREF="#26_1_1_1">World War II</A></LI>
-<LI><A HREF="#postwar">Postwar and Cold War</A></LI>
-<LI><A HREF="#recent">Recent history -- the crypto wars</A></LI>
-</UL>
-<LI><A HREF="#intro.poli">Politics</A></LI>
-<LI><A HREF="#26_1_3">Links</A></LI>
-<LI><A HREF="#26_1_4">Outline of this section</A></LI>
-</UL>
-<LI><A HREF="#leader">From our project leader</A></LI>
-<UL>
-<LI><A HREF="#gilmore">Swan: Securing the Internet against Wiretapping</A>
-</LI>
-<UL>
-<LI><A HREF="#26_2_1_1">Deployment of IPSEC</A></LI>
-<LI><A HREF="#26_2_1_2">Current status</A></LI>
-<LI><A HREF="#26_2_1_3">Why?</A></LI>
-<LI><A HREF="#26_2_1_4">What You Can Do</A></LI>
-<LI><A HREF="#26_2_1_5">Related projects</A></LI>
-</UL>
-<LI><A HREF="#policestate">Stopping wholesale monitoring</A></LI>
-</UL>
-<LI><A HREF="#weak">Government promotion of weak crypto</A></LI>
-<UL>
-<LI><A HREF="#escrow">Escrowed encryption</A></LI>
-<LI><A HREF="#shortkeys">Limited key lengths</A></LI>
-<UL>
-<LI><A HREF="#26_3_2_1">Some real trade-offs</A></LI>
-</UL>
-</UL>
-<LI><A HREF="#exlaw">Cryptography Export Laws</A></LI>
-<UL>
-<LI><A HREF="#USlaw">US Law</A></LI>
-<UL>
-<LI><A HREF="#UScontrib">US contributions to FreeS/WAN</A></LI>
-</UL>
-<LI><A HREF="#wrong">What's wrong with restrictions on cryptography</A></LI>
-<LI><A HREF="#Wassenaar">The Wassenaar Arrangement</A></LI>
-<LI><A HREF="#status">Export status of Linux FreeS/WAN</A></LI>
-<LI><A HREF="#help">Help spread IPsec around</A></LI>
-</UL>
-<LI><A HREF="#desnotsecure">DES is Not Secure</A></LI>
-<UL>
-<LI><A HREF="#deshware">Dedicated hardware breaks DES in a few days</A></LI>
-<LI><A HREF="#spooks">Spooks may break DES faster yet</A></LI>
-<LI><A HREF="#desnet">Networks break DES in a few weeks</A></LI>
-<LI><A HREF="#no_des">We disable DES</A></LI>
-<LI><A HREF="#40joke">40-bits is laughably weak</A></LI>
-<LI><A HREF="#altdes">Triple DES is almost certainly secure</A></LI>
-<LI><A HREF="#aes.ipsec">AES in IPsec</A></LI>
-</UL>
-<LI><A HREF="#press">Press coverage of Linux FreeS/WAN:</A></LI>
-<UL>
-<LI><A HREF="#26_6_1">FreeS/WAN 1.0 press</A></LI>
-<LI><A HREF="#release">Press release for version 1.0</A></LI>
-</UL>
-</UL>
-<B><A HREF="#ipsec.detail">The IPsec protocols</A></B>
-<UL>
-<LI><A HREF="#27_1">Protocols and phases</A></LI>
-<LI><A HREF="#others">Applying IPsec</A></LI>
-<UL>
-<LI><A HREF="#advantages">Advantages of IPsec</A></LI>
-<LI><A HREF="#limitations">Limitations of IPsec</A></LI>
-<LI><A HREF="#uses">IPsec is a general mechanism for securing IP</A></LI>
-<LI><A HREF="#authonly">Using authentication without encryption</A></LI>
-<LI><A HREF="#encnoauth">Encryption without authentication is dangerous</A>
-</LI>
-<LI><A HREF="#multilayer">Multiple layers of IPsec processing are
- possible</A></LI>
-<LI><A HREF="#traffic.resist">Resisting traffic analysis</A></LI>
-<UL>
-<LI><A HREF="#extra">Using &quot;unnecessary&quot; encryption</A></LI>
-<LI><A HREF="#multi-encrypt">Using multiple encryption</A></LI>
-<LI><A HREF="#fewer">Using fewer tunnels</A></LI>
-</UL>
-</UL>
-<LI><A HREF="#primitives">Cryptographic components</A></LI>
-<UL>
-<LI><A HREF="#block.cipher">Block ciphers</A></LI>
-<LI><A HREF="#hash.ipsec">Hash functions</A></LI>
-<UL>
-<LI><A HREF="#hmac.ipsec">The HMAC construct</A></LI>
-<LI><A HREF="#27_3_2_2">Choice of hash algorithm</A></LI>
-</UL>
-<LI><A HREF="#DH.keying">Diffie-Hellman key agreement</A></LI>
-<LI><A HREF="#RSA.auth">RSA authentication</A></LI>
-</UL>
-<LI><A HREF="#structure">Structure of IPsec</A></LI>
-<UL>
-<LI><A HREF="#IKE.ipsec">IKE (Internet Key Exchange)</A></LI>
-<UL>
-<LI><A HREF="#phases">Phases of IKE</A></LI>
-<LI><A HREF="#sequence">Sequence of messages in IKE</A></LI>
-<LI><A HREF="#struct.exchange">Structure of IKE messages</A></LI>
-</UL>
-<LI><A HREF="#services">IPsec Services, AH and ESP</A></LI>
-<LI><A HREF="#AH.ipsec">The Authentication Header (AH)</A></LI>
-<UL>
-<LI><A HREF="#keyed">Keyed MD5 and Keyed SHA</A></LI>
-<LI><A HREF="#sequence">Sequence numbers</A></LI>
-</UL>
-<LI><A HREF="#ESP.ipsec">Encapsulated Security Payload (ESP)</A></LI>
-</UL>
-<LI><A HREF="#modes">IPsec modes</A></LI>
-<UL>
-<LI><A HREF="#tunnel.ipsec">Tunnel mode</A></LI>
-<LI><A HREF="#transport.ipsec">Transport mode</A></LI>
-</UL>
-<LI><A HREF="#parts">FreeS/WAN parts</A></LI>
-<UL>
-<LI><A HREF="#KLIPS.ipsec">KLIPS: Kernel IPsec Support</A></LI>
-<LI><A HREF="#Pluto.ipsec">The Pluto daemon</A></LI>
-<LI><A HREF="#command">The ipsec(8) command</A></LI>
-<LI><A HREF="#ipsec.conf">Linux FreeS/WAN configuration file</A></LI>
-</UL>
-<LI><A HREF="#key">Key management</A></LI>
-<UL>
-<LI><A HREF="#current">Currently Implemented Methods</A></LI>
-<UL>
-<LI><A HREF="#manual">Manual keying</A></LI>
-<LI><A HREF="#auto">Automatic keying</A></LI>
-</UL>
-<LI><A HREF="#notyet">Methods not yet implemented</A></LI>
-<UL>
-<LI><A HREF="#noauth">Unauthenticated key exchange</A></LI>
-<LI><A HREF="#DNS">Key exchange using DNS</A></LI>
-<LI><A HREF="#PKI">Key exchange using a PKI</A></LI>
-<LI><A HREF="#photuris">Photuris</A></LI>
-<LI><A HREF="#skip">SKIP</A></LI>
-</UL>
-</UL>
-</UL>
-<B><A HREF="#lists">Mailing lists and newsgroups</A></B>
-<UL>
-<LI><A HREF="#list.fs">Mailing lists about FreeS/WAN</A></LI>
-<UL>
-<LI><A HREF="#projlist">The project mailing lists</A></LI>
-<UL>
-<LI><A HREF="#which.list">Which list should I use?</A></LI>
-<LI><A HREF="#policy.list">List policies</A></LI>
-</UL>
-<LI><A HREF="#archive">Archives of the lists</A></LI>
-</UL>
-<LI><A HREF="#indexes">Indexes of mailing lists</A></LI>
-<LI><A HREF="#otherlists">Lists for related software and topics</A></LI>
-<UL>
-<LI><A HREF="#28_3_1">Products that include FreeS/WAN</A></LI>
-<LI><A HREF="#linux.lists">Linux mailing lists</A></LI>
-<LI><A HREF="#ietf">Lists for IETF working groups</A></LI>
-<LI><A HREF="#other">Other mailing lists</A></LI>
-</UL>
-<LI><A HREF="#newsgroups">Usenet newsgroups</A></LI>
-</UL>
-<B><A HREF="#weblink">Web links</A></B>
-<UL>
-<LI><A HREF="#freeswan">The Linux FreeS/WAN Project</A></LI>
-<UL>
-<LI><A HREF="#patch">Add-ons and patches for FreeS/WAN</A></LI>
-<UL>
-<LI><A HREF="#29_1_1_1">Current patches</A></LI>
-<LI><A HREF="#29_1_1_2">Older patches</A></LI>
-<LI><A HREF="#VPN.masq">VPN masquerade patches</A></LI>
-</UL>
-<LI><A HREF="#dist">Distributions including FreeS/WAN</A></LI>
-<LI><A HREF="#used">Things FreeS/WAN uses or could use</A></LI>
-<LI><A HREF="#alternatives">Other approaches to VPNs for Linux</A></LI>
-</UL>
-<LI><A HREF="#ipsec.link">The IPsec Protocols</A></LI>
-<UL>
-<LI><A HREF="#general">General IPsec or VPN information</A></LI>
-<LI><A HREF="#overview">IPsec overview documents or slide sets</A></LI>
-<LI><A HREF="#otherlang">IPsec information in languages other than
- English</A></LI>
-<LI><A HREF="#RFCs1">RFCs and other reference documents</A></LI>
-<LI><A HREF="#analysis">Analysis and critiques of IPsec protocols</A></LI>
-<LI><A HREF="#IP.background">Background information on IP</A></LI>
-</UL>
-<LI><A HREF="#implement">IPsec Implementations</A></LI>
-<UL>
-<LI><A HREF="#linuxprod">Linux products</A></LI>
-<LI><A HREF="#router">IPsec in router products</A></LI>
-<LI><A HREF="#fw.web">IPsec in firewall products</A></LI>
-<LI><A HREF="#ipsecos">Operating systems with IPsec support</A></LI>
-<LI><A HREF="#29_3_5">IPsec on network cards</A></LI>
-<LI><A HREF="#opensource">Open source IPsec implementations</A></LI>
-<UL>
-<LI><A HREF="#linuxipsec">Other Linux IPsec implementations</A></LI>
-<LI><A HREF="#BSD">IPsec for BSD Unix</A></LI>
-<LI><A HREF="#misc">IPsec for other systems</A></LI>
-</UL>
-<LI><A HREF="#interop.web">Interoperability</A></LI>
-<UL>
-<LI><A HREF="#result">Interoperability results</A></LI>
-<LI><A HREF="#test1">Interoperability test sites</A></LI>
-</UL>
-</UL>
-<LI><A HREF="#linux.link">Linux links</A></LI>
-<UL>
-<LI><A HREF="#linux.basic">Basic and tutorial Linux information</A></LI>
-<LI><A HREF="#general">General Linux sites</A></LI>
-<LI><A HREF="#docs.ldp">Documentation</A></LI>
-<LI><A HREF="#advroute.web">Advanced routing</A></LI>
-<LI><A HREF="#linsec">Security for Linux</A></LI>
-<LI><A HREF="#firewall.linux">Linux firewalls</A></LI>
-<LI><A HREF="#linux.misc">Miscellaneous Linux information</A></LI>
-</UL>
-<LI><A HREF="#crypto.link">Crypto and security links</A></LI>
-<UL>
-<LI><A HREF="#security">Crypto and security resources</A></LI>
-<UL>
-<LI><A HREF="#std.links">The standard link collections</A></LI>
-<LI><A HREF="#FAQ">Frequently Asked Question (FAQ) documents</A></LI>
-<LI><A HREF="#cryptover">Tutorials</A></LI>
-<LI><A HREF="#standards">Crypto and security standards</A></LI>
-<LI><A HREF="#quotes">Crypto quotes</A></LI>
-</UL>
-<LI><A HREF="#policy">Cryptography law and policy</A></LI>
-<UL>
-<LI><A HREF="#legal">Surveys of crypto law</A></LI>
-<LI><A HREF="#oppose">Organisations opposing crypto restrictions</A></LI>
-<LI><A HREF="#other.policy">Other information on crypto policy</A></LI>
-</UL>
-<LI><A HREF="#crypto.tech">Cryptography technical information</A></LI>
-<UL>
-<LI><A HREF="#cryptolinks">Collections of crypto links</A></LI>
-<LI><A HREF="#papers">Lists of online cryptography papers</A></LI>
-<LI><A HREF="#interesting">Particularly interesting papers</A></LI>
-</UL>
-<LI><A HREF="#compsec">Computer and network security</A></LI>
-<UL>
-<LI><A HREF="#seclink">Security links</A></LI>
-<LI><A HREF="#firewall.web">Firewall links</A></LI>
-<LI><A HREF="#vpn">VPN links</A></LI>
-<LI><A HREF="#tools">Security tools</A></LI>
-</UL>
-<LI><A HREF="#people">Links to home pages</A></LI>
-</UL>
-</UL>
-<B><A HREF="#ourgloss">Glossary for the Linux FreeS/WAN project</A></B>
-<UL>
-<LI><A HREF="#jump">Jump to a letter in the glossary</A></LI>
-<LI><A HREF="#gloss">Other glossaries</A></LI>
-<LI><A HREF="#definitions">Definitions</A></LI>
-</UL>
-<B><A HREF="#biblio">Bibliography for the Linux FreeS/WAN project</A></B>
-<BR>
-<BR><B><A HREF="#RFC">IPsec RFCs and related documents</A></B>
-<UL>
-<LI><A HREF="#RFCfile">The RFCs.tar.gz Distribution File</A></LI>
-<LI><A HREF="#sources">Other sources for RFCs &amp; Internet drafts</A></LI>
-<UL>
-<LI><A HREF="#RFCdown">RFCs</A></LI>
-<LI><A HREF="#drafts">Internet Drafts</A></LI>
-<LI><A HREF="#FIPS1">FIPS standards</A></LI>
-</UL>
-<LI><A HREF="#RFCs.tar.gz">What's in the RFCs.tar.gz bundle?</A></LI>
-<UL>
-<LI><A HREF="#rfc.ov">Overview RFCs</A></LI>
-<LI><A HREF="#basic.prot">Basic protocols</A></LI>
-<LI><A HREF="#key.ike">Key management</A></LI>
-<LI><A HREF="#rfc.detail">Details of various things used</A></LI>
-<LI><A HREF="#rfc.ref">Older RFCs which may be referenced</A></LI>
-<LI><A HREF="#rfc.dns">RFCs for secure DNS service, which IPsec may use</A>
-</LI>
-<LI><A HREF="#rfc.exp">RFCs labelled &quot;experimental&quot;</A></LI>
-<LI><A HREF="#rfc.rel">Related RFCs</A></LI>
-</UL>
-</UL>
-<B><A HREF="#roadmap">Distribution Roadmap: What's Where in Linux
- FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="#top">Top directory</A></LI>
-<LI><A HREF="#doc">Documentation</A></LI>
-<LI><A HREF="#klips.roadmap">KLIPS: kernel IP security</A></LI>
-<LI><A HREF="#pluto.roadmap">Pluto key and connection management daemon</A>
-</LI>
-<LI><A HREF="#utils">Utils</A></LI>
-<LI><A HREF="#lib">Libraries</A></LI>
-<UL>
-<LI><A HREF="#fswanlib">FreeS/WAN Library</A></LI>
-<LI><A HREF="#otherlib">Imported Libraries</A></LI>
-<UL>
-<LI><A HREF="#33_6_2_1">LibDES</A></LI>
-<LI><A HREF="#33_6_2_2">GMP</A></LI>
-</UL>
-</UL>
-</UL>
-<B><A HREF="#umltesting">User-Mode-Linux Testing guide</A></B>
-<UL>
-<LI><A HREF="#34_1">Preliminary Notes on BIND</A></LI>
-<LI><A HREF="#34_2">Steps to Install UML for FreeS/WAN</A></LI>
-</UL>
-<B><A HREF="#35">Debugging the kernel with GDB</A></B>
-<UL>
-<LI><A HREF="#35_1">Other notes about debugging</A></LI>
-</UL>
-<B><A HREF="#36">User-Mode-Linux mysteries</A></B>
-<BR>
-<BR><B><A HREF="#37">Getting more info from uml_netjig</A></B>
-<BR>
-<BR><B><A HREF="#makecheck">How to configure to use &quot;make check&quot;</A></B>
-<UL>
-<LI><A HREF="#38_1">What is &quot;make check&quot;</A></LI>
-<LI><A HREF="#38_2">Running &quot;make check&quot;</A></LI>
-</UL>
-<B><A HREF="#39">How to write a &quot;make check&quot; test</A></B>
-<UL>
-<LI><A HREF="#39_1">Structure of a test</A></LI>
-<LI><A HREF="#39_2">The TESTLIST</A></LI>
-<LI><A HREF="#39_3">Test kinds</A></LI>
-<LI><A HREF="#39_4">Common parameters</A></LI>
-<LI><A HREF="#39_5">KLIPStest paramaters</A></LI>
-<LI><A HREF="#39_6">mkinsttest paramaters</A></LI>
-<LI><A HREF="#39_7">rpm_build_install_test paramaters</A></LI>
-<LI><A HREF="#39_8">libtest paramaters</A></LI>
-<LI><A HREF="#39_9">umlplutotest paramaters</A></LI>
-<LI><A HREF="#39_10">umlXhost parameters</A></LI>
-<LI><A HREF="#39_11">kernel_patch_test paramaters</A></LI>
-<LI><A HREF="#39_12">module_compile paramaters</A></LI>
-</UL>
-<B><A HREF="#40">Current pitfalls</A></B>
-<BR>
-<BR><B><A HREF="#nightly">Nightly regression testing</A></B>
-<BR>
-<BR><B><A HREF="#nightlyhowto">How to setup the nightly build</A></B>
-<UL>
-<LI><A HREF="#42_1"> Files you need to know about</A></LI>
-<LI><A HREF="#42_2">Configuring freeswan-regress-env.sh</A></LI>
-</UL>
-<HR>
-<H1><A name="intro">Introduction</A></H1>
-<P>This section gives an overview of:</P>
-<UL>
-<LI>what IP Security (IPsec) does</LI>
-<LI>how IPsec works</LI>
-<LI>why we are implementing it for Linux</LI>
-<LI>how this implementation works</LI>
-</UL>
-<P>This section is intended to cover only the essentials,<EM> things you
- should know before trying to use FreeS/WAN.</EM></P>
-<P>For more detailed background information, see the<A href="#politics">
- history and politics</A> and<A href="#ipsec.detail"> IPsec protocols</A>
- sections.</P>
-<H2><A name="ipsec.intro">IPsec, Security for the Internet Protocol</A></H2>
-<P>FreeS/WAN is a Linux implementation of the IPsec (IP security)
- protocols. IPsec provides<A href="#encryption"> encryption</A> and<A href="#authentication">
- authentication</A> services at the IP (Internet Protocol) level of the
- network protocol stack.</P>
-<P>Working at this level, IPsec can protect any traffic carried over IP,
- unlike other encryption which generally protects only a particular
- higher-level protocol --<A href="#PGP"> PGP</A> for mail,<A href="#ssh">
- SSH</A> for remote login,<A href="#SSL"> SSL</A> for web work, and so
- on. This approach has both considerable advantages and some
- limitations. For discussion, see our<A href="#others"> IPsec section</A>
-</P>
-<P>IPsec can be used on any machine which does IP networking. Dedicated
- IPsec gateway machines can be installed wherever required to protect
- traffic. IPsec can also run on routers, on firewall machines, on
- various application servers, and on end-user desktop or laptop
- machines.</P>
-<P>Three protocols are used</P>
-<UL>
-<LI><A href="#AH">AH</A> (Authentication Header) provides a packet-level
- authentication service</LI>
-<LI><A href="#ESP">ESP</A> (Encapsulating Security Payload) provides
- encryption plus authentication</LI>
-<LI><A href="#IKE">IKE</A> (Internet Key Exchange) negotiates connection
- parameters, including keys, for the other two</LI>
-</UL>
-<P>Our implementation has three main parts:</P>
-<UL>
-<LI><A href="#KLIPS">KLIPS</A> (kernel IPsec) implements AH, ESP, and
- packet handling within the kernel</LI>
-<LI><A href="#Pluto">Pluto</A> (an IKE daemon) implements IKE,
- negotiating connections with other systems</LI>
-<LI>various scripts provide an adminstrator's interface to the machinery</LI>
-</UL>
-<P>IPsec is optional for the current (version 4) Internet Protocol.
- FreeS/WAN adds IPsec to the Linux IPv4 network stack. Implementations
- of<A href="#ipv6.gloss"> IP version 6</A> are required to include
- IPsec. Work toward integrating FreeS/WAN into the Linux IPv6 stack has<A
-href="#ipv6"> started</A>.</P>
-<P>For more information on IPsec, see our<A href="#ipsec.detail"> IPsec
- protocols</A> section, our collection of<A href="#ipsec.link"> IPsec
- links</A> or the<A href="#RFC"> RFCs</A> which are the official
- definitions of these protocols.</P>
-<H3><A name="intro.interop">Interoperating with other IPsec
- implementations</A></H3>
-<P>IPsec is designed to let different implementations work together. We
- provide:</P>
-<UL>
-<LI>a<A href="#implement"> list</A> of some other implementations</LI>
-<LI>information on<A href="#interop"> using FreeS/WAN with other
- implementations</A></LI>
-</UL>
-<P>The VPN Consortium fosters cooperation among implementers and
- interoperability among implementations. Their<A href="http://www.vpnc.org/">
- web site</A> has much more information.</P>
-<H3><A name="advantages">Advantages of IPsec</A></H3>
-<P>IPsec has a number of security advantages. Here are some
- independently written articles which discuss these:</P>
-<P><A HREF="http://www.sans.org/rr/"> SANS institute papers</A>. See the
- section on Encryption &amp;VPNs.
-<BR><A HREF="http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_papers_list.html">
- Cisco's white papers on &quot;Networking Solutions&quot;</A>.
-<BR><A HREF="http://iscs.sourceforge.net/HowWhyBrief/HowWhyBrief.html">
- Advantages of ISCS (Linux Integrated Secure Communications System;
- includes FreeS/WAN and other software)</A>.</P>
-<H3><A name="applications">Applications of IPsec</A></H3>
-<P>Because IPsec operates at the network layer, it is remarkably
- flexible and can be used to secure nearly any type of Internet traffic.
- Two applications, however, are extremely widespread:</P>
-<UL>
-<LI>a<A href="#VPN"> Virtual Private Network</A>, or VPN, allows
- multiple sites to communicate securely over an insecure Internet by
- encrypting all communication between the sites.</LI>
-<LI>&quot;Road Warriors&quot; connect to the office from home, or perhaps from a
- hotel somewhere</LI>
-</UL>
-<P>There is enough opportunity in these applications that vendors are
- flocking to them. IPsec is being built into routers, into firewall
- products, and into major operating systems, primarily to support these
- applications. See our<A href="#implement"> list</A> of implementations
- for details.</P>
-<P>We support both of those applications, and various less common IPsec
- applications as well, but we also add one of our own:</P>
-<UL>
-<LI>opportunistic encryption, the ability to set up FreeS/WAN gateways
- so that any two of them can encrypt to each other, and will do so
- whenever packets pass between them.</LI>
-</UL>
-<P>This is an extension we are adding to the protocols. FreeS/WAN is the
- first prototype implementation, though we hope other IPsec
- implementations will adopt the technique once we demonstrate it. See<A href="#goals">
- project goals</A> below for why we think this is important.</P>
-<P>A somewhat more detailed description of each of these applications is
- below. Our<A href="#quick_guide"> quickstart</A> section will show you
- how to build each of them.</P>
-<H4><A name="makeVPN">Using secure tunnels to create a VPN</A></H4>
-<P>A VPN, or<STRONG> V</STRONG>irtual<STRONG> P</STRONG>rivate<STRONG> N</STRONG>
-etwork lets two networks communicate securely when the only connection
- between them is over a third network which they do not trust.</P>
-<P>The method is to put a security gateway machine between each of the
- communicating networks and the untrusted network. The gateway machines
- encrypt packets entering the untrusted net and decrypt packets leaving
- it, creating a secure tunnel through it.</P>
-<P>If the cryptography is strong, the implementation is careful, and the
- administration of the gateways is competent, then one can reasonably
- trust the security of the tunnel. The two networks then behave like a
- single large private network, some of whose links are encrypted tunnels
- through untrusted nets.</P>
-<P>Actual VPNs are often more complex. One organisation may have fifty
- branch offices, plus some suppliers and clients, with whom it needs to
- communicate securely. Another might have 5,000 stores, or 50,000
- point-of-sale devices. The untrusted network need not be the Internet.
- All the same issues arise on a corporate or institutional network
- whenever two departments want to communicate privately with each other.</P>
-<P>Administratively, the nice thing about many VPN setups is that large
- parts of them are static. You know the IP addresses of most of the
- machines involved. More important, you know they will not change on
- you. This simplifies some of the admin work. For cases where the
- addresses do change, see the next section.</P>
-<H4><A name="road.intro">Road Warriors</A></H4>
-<P>The prototypical &quot;Road Warrior&quot; is a traveller connecting to home
- base from a laptop machine. Administratively, most of the same problems
- arise for a telecommuter connecting from home to the office, especially
- if the telecommuter does not have a static IP address.</P>
-<P>For purposes of this document:</P>
-<UL>
-<LI>anyone with a dynamic IP address is a &quot;Road Warrior&quot;.</LI>
-<LI>any machine doing IPsec processing is a &quot;gateway&quot;. Think of the
- single-user road warrior machine as a gateway with a degenerate subnet
- (one machine, itself) behind it.</LI>
-</UL>
-<P>These require somewhat different setup than VPN gateways with static
- addresses and with client systems behind them, but are basically not
- problematic.</P>
-<P>There are some difficulties which appear for some road warrior
- connections:</P>
-<UL>
-<LI>Road Wariors who get their addresses via DHCP may have a problem.
- FreeS/WAN can quite happily build and use a tunnel to such an address,
- but when the DHCP lease expires, FreeS/WAN does not know that. The
- tunnel fails, and the only recovery method is to tear it down and
- re-build it.</LI>
-<LI>If<A href="#NAT.gloss"> Network Address Translation</A> (NAT) is
- applied between the two IPsec Gateways, this breaks IPsec. IPsec
- authenticates packets on an end-to-end basis, to ensure they are not
- altered en route. NAT rewrites packets as they go by. See our<A href="#NAT">
- firewalls</A> document for details.</LI>
-</UL>
-<P>In most situations, however, FreeS/WAN supports road warrior
- connections just fine.</P>
-<H4><A name="opp.intro">Opportunistic encryption</A></H4>
-<P>One of the reasons we are working on FreeS/WAN is that it gives us
- the opportunity to add what we call opportuntistic encryption. This
- means that any two FreeS/WAN gateways will be able to encrypt their
- traffic, even if the two gateway administrators have had no prior
- contact and neither system has any preset information about the other.</P>
-<P>Both systems pick up the authentication information they need from
- the<A href="#DNS"> DNS</A> (domain name service), the service they
- already use to look up IP addresses. Of course the administrators must
- put that information in the DNS, and must set up their gateways with
- opportunistic encryption enabled. Once that is done, everything is
- automatic. The gateways look for opportunities to encrypt, and encrypt
- whatever they can. Whether they also accept unencrypted communication
- is a policy decision the administrator can make.</P>
-<P>This technique can give two large payoffs:</P>
-<UL>
-<LI>It reduces the administrative overhead for IPsec enormously. You
- configure your gateway and thereafter everything is automatic. The need
- to configure the system on a per-tunnel basis disappears. Of course,
- FreeS/WAN allows specifically configured tunnels to co-exist with
- opportunistic encryption, but we hope to make them unnecessary in most
- cases.</LI>
-<LI>It moves us toward a more secure Internet, allowing users to create
- an environment where message privacy is the default. All messages can
- be encrypted, provided the other end is willing to co-operate. See our<A
-href="#politics"> history and politics of cryptography</A> section for
- discussion of why we think this is needed.</LI>
-</UL>
-<P>Opportunistic encryption is not (yet?) a standard part of the IPsec
- protocols, but an extension we are proposing and demonstrating. For
- details of our design, see<A href="#applied"> links</A> below.</P>
-<P>Only one current product we know of implements a form of
- opportunistic encryption.<A href="#ssmail"> Secure sendmail</A> will
- automatically encrypt server-to-server mail transfers whenever
- possible.</P>
-<H3><A name="types">The need to authenticate gateways</A></H3>
-<P>A complication, which applies to any type of connection -- VPN, Road
- Warrior or opportunistic -- is that a secure connection cannot be
- created magically.<EM> There must be some mechanism which enables the
- gateways to reliably identify each other.</EM> Without this, they
- cannot sensibly trust each other and cannot create a genuinely secure
- link.</P>
-<P>Any link they do create without some form of<A href="#authentication">
- authentication</A> will be vulnerable to a<A href="#middle">
- man-in-the-middle attack</A>. If<A href="#alicebob"> Alice and Bob</A>
- are the people creating the connection, a villian who can re-route or
- intercept the packets can pose as Alice while talking to Bob and pose
- as Bob while talking to Alice. Alice and Bob then both talk to the man
- in the middle, thinking they are talking to each other, and the villain
- gets everything sent on the bogus &quot;secure&quot; connection.</P>
-<P>There are two ways to build links securely, both of which exclude the
- man-in-the middle:</P>
-<UL>
-<LI>with<STRONG> manual keying</STRONG>, Alice and Bob share a secret
- key (which must be transmitted securely, perhaps in a note or via PGP
- or SSH) to encrypt their messages. For FreeS/WAN, such keys are stored
- in the<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> file. Of
- course, if an enemy gets the key, all is lost.</LI>
-<LI>with<STRONG> automatic keying</STRONG>, the two systems authenticate
- each other and negotiate their own secret keys. The keys are
- automatically changed periodically.</LI>
-</UL>
-<P>Automatic keying is much more secure, since if an enemy gets one key
- only messages between the previous re-keying and the next are exposed.
- It is therefore the usual mode of operation for most IPsec deployment,
- and the mode we use in our setup examples. FreeS/WAN does support
- manual keying for special circumstanes. See this<A href="#prodman">
- section</A>.</P>
-<P>For automatic keying, the two systems must authenticate each other
- during the negotiations. There is a choice of methods for this:</P>
-<UL>
-<LI>a<STRONG> shared secret</STRONG> provides authentication. If Alice
- and Bob are the only ones who know a secret and Alice recives a message
- which could not have been created without that secret, then Alice can
- safely believe the message came from Bob.</LI>
-<LI>a<A href="#public"> public key</A> can also provide authentication.
- If Alice receives a message signed with Bob's private key (which of
- course only he should know) and she has a trustworthy copy of his
- public key (so that she can verify the signature), then she can safely
- believe the message came from Bob.</LI>
-</UL>
-<P>Public key techniques are much preferable, for reasons discussed<A href="#choose">
- later</A>, and will be used in all our setup examples. FreeS/WAN does
- also support auto-keying with shared secret authentication. See this<A href="#prodsecrets">
- section</A>.</P>
-<H2><A name="project">The FreeS/WAN project</A></H2>
-<P>For complete information on the project, see our web site,<A href="http://liberty.freeswan.org">
- freeswan.org</A>.</P>
-<P>In summary, we are implementing the<A href="#IPSEC"> IPsec</A>
- protocols for Linux and extending them to do<A href="#carpediem">
- opportunistic encryption</A>.</P>
-<H3><A name="goals">Project goals</A></H3>
-<P>Our overall goal in FreeS/WAN is to make the Internet more secure and
- more private.</P>
-<P>Our IPsec implementation supports VPNs and Road Warriors of course.
- Those are important applications. Many users will want FreeS/WAN to
- build corporate VPNs or to provide secure remote access.</P>
-<P>However, our goals in building it go beyond that. We are trying to
- help<STRONG> build security into the fabric of the Internet</STRONG> so
- that anyone who choses to communicate securely can do so, as easily as
- they can do anything else on the net.</P>
-<P>More detailed objectives are:</P>
-<UL>
-<LI>extend IPsec to do<A href="#carpediem"> opportunistic encryption</A>
- so that
-<UL>
-<LI>any two systems can secure their communications without a
- pre-arranged connection</LI>
-<LI><STRONG>secure connections can be the default</STRONG>, falling back
- to unencrypted connections only if:
-<UL>
-<LI><EM>both</EM> the partner is not set up to co-operate on securing
- the connection</LI>
-<LI><EM>and</EM> your policy allows insecure connections</LI>
-</UL>
-</LI>
-<LI>a significant fraction of all Internet traffic is encrypted</LI>
-<LI>wholesale monitoring of the net (<A href="#intro.poli">examples</A>)
- becomes difficult or impossible</LI>
-</UL>
-</LI>
-<LI>help make IPsec widespread by providing an implementation with no
- restrictions:
-<UL>
-<LI>freely available in source code under the<A href="#GPL"> GNU General
- Public License</A></LI>
-<LI>running on a range of readily available hardware</LI>
-<LI>not subject to US or other nations'<A href="#exlaw"> export
- restrictions</A>.
-<BR> Note that in order to avoid<EM> even the appearance</EM> of being
- subject to those laws, the project cannot accept software contributions
- --<EM> not even one-line bug fixes</EM> -- from US residents or
- citizens.</LI>
-</UL>
-</LI>
-<LI>provide a high-quality IPsec implementation for Linux
-<UL>
-<LI>portable to all CPUs Linux supports:<A href="#CPUs"> (current list)</A>
-</LI>
-<LI>interoperable with other IPsec implementations:<A href="#interop">
- (current list)</A></LI>
-</UL>
-</LI>
-</UL>
-<P>If we can get opportunistic encryption implemented and widely
- deployed, then it becomes impossible for even huge well-funded agencies
- to monitor the net.</P>
-<P>See also our section on<A href="#politics"> history and politics</A>
- of cryptography, which includes our project leader's<A href="#gilmore">
- rationale</A> for starting the project.</P>
-<H3><A name="staff">Project team</A></H3>
-<P>Two of the team are from the US and can therefore contribute no code:</P>
-<UL>
-<LI>John Gilmore: founder and policy-maker (<A href="http://www.toad.com/gnu/">
-home page</A>)</LI>
-<LI>Hugh Daniel: project manager, Most Demented Tester, and occasionally
- Pointy-Haired Boss</LI>
-</UL>
-<P>The rest of the team are Canadians, working in Canada. (<A href="#status">
-Why Canada?</A>)</P>
-<UL>
-<LI>Hugh Redelmeier:<A href="#Pluto"> Pluto daemon</A> programmer</LI>
-<LI>Richard Guy Briggs:<A href="#KLIPS"> KLIPS</A> programmer</LI>
-<LI>Michael Richardson: hacker without portfolio</LI>
-<LI>Claudia Schmeing: documentation</LI>
-<LI>Sam Sgro: technical support via the<A href="#lists"> mailing lists</A>
-</LI>
-</UL>
-<P>The project is funded by civil libertarians who consider our goals
- worthwhile. Most of the team are paid for this work.</P>
-<P>People outside this core team have made substantial contributions.
- See</P>
-<UL>
-<LI>our<A href="../CREDITS"> CREDITS</A> file</LI>
-<LI>the<A href="#patch"> patches and add-ons</A> section of our web
- references file</LI>
-<LI>lists below of user-written<A href="#howto"> HowTos</A> and<A href="#applied">
- other papers</A></LI>
-</UL>
-<P>Additional contributions are welcome. See the<A href="#contrib.faq">
- FAQ</A> for details.</P>
-<H2><A name="products">Products containing FreeS/WAN</A></H2>
-<P>Unfortunately the<A href="#exlaw"> export laws</A> of some countries
- restrict the distribution of strong cryptography. FreeS/WAN is
- therefore not in the standard Linux kernel and not in all CD or web
- distributions.</P>
-<P>FreeS/WAN is, however, quite widely used. Products we know of that
- use it are listed below. We would appreciate hearing, via the<A href="#lists">
- mailing lists</A>, of any we don't know of.</P>
-<H3><A name="distwith">Full Linux distributions</A></H3>
-<P>FreeS/WAN is included in various general-purpose Linux distributions,
- mostly from countries (shown in brackets) with more sensible laws:</P>
-<UL>
-<LI><A href="http://www.suse.com/">SuSE Linux</A> (Germany)</LI>
-<LI><A href="http://www.conectiva.com">Conectiva</A> (Brazil)</LI>
-<LI><A href="http://www.linux-mandrake.com/en/">Mandrake</A> (France)</LI>
-<LI><A href="http://www.debian.org">Debian</A></LI>
-<LI>the<A href="http://www.pld.org.pl/"> Polish(ed) Linux Distribution</A>
- (Poland)</LI>
-<LI><A>Best Linux</A> (Finland)</LI>
-</UL>
-<P>For distributions which do not include FreeS/WAN and are not Redhat
- (which we develop and test on), there is additional information in our<A
-href="#otherdist"> compatibility</A> section.</P>
-<P>The server edition of<A href="http://www.corel.com"> Corel</A> Linux
- (Canada) also had FreeS/WAN, but Corel have dropped that product line.</P>
-<H3><A name="kernel_dist">Linux kernel distributions</A></H3>
-<UL>
-<LI><A href="http://sourceforge.net/projects/wolk/">Working Overloaded
- Linux Kernel (WOLK)</A></LI>
-</UL>
-<H3><A name="office_dist">Office server distributions</A></H3>
-<P>FreeS/WAN is also included in several distributions aimed at the
- market for turnkey business servers:</P>
-<UL>
-<LI><A href="http://www.e-smith.com/">e-Smith</A> (Canada), which has
- recently been acquired and become the Network Server Solutions group of<A
-href="http://www.mitel.com/"> Mitel Networks</A> (Canada)</LI>
-<LI><A href="http://www.clarkconnect.org/">ClarkConnect</A> from Point
- Clark Networks (Canada)</LI>
-<LI><A href="http://www.trustix.net/">Trustix Secure Linux</A> (Norway)</LI>
-</UL>
-<H3><A name="fw_dist">Firewall distributions</A></H3>
-<P>Several distributions intended for firewall and router applications
- include FreeS/WAN:</P>
-<UL>
-<LI>The<A href="http://www.linuxrouter.org/"> Linux Router Project</A>
- produces a Linux distribution that will boot from a single floppy. The<A
-href="http://leaf.sourceforge.net"> LEAF</A> firewall project provides
- several different LRP-based firewall packages. At least one of them,
- Charles Steinkuehler's Dachstein, includes FreeS/WAN with X.509
- patches.</LI>
-<LI>there are several distributions bootable directly from CD-ROM,
- usable on a machine without hard disk.
-<UL>
-<LI>Dachstein (see above) can be used this way</LI>
-<LI><A href="http://www.gibraltar.at/">Gibraltar</A> is based on Debian
- GNU/Linux.</LI>
-<LI>at time of writing,<A href="www.xiloo.com"> Xiloo</A> is available
- only in Chinese. An English version is expected.</LI>
-</UL>
-</LI>
-<LI><A href="http://www.astaro.com/products/index.html">Astaro Security
- Linux</A> includes FreeS/WAN. It has some web-based tools for managing
- the firewall that include FreeS/WAN configuration management.</LI>
-<LI><A href="http://www.linuxwall.de">Linuxwall</A></LI>
-<LI><A href="http://www.smoothwall.org/">Smoothwall</A></LI>
-<LI><A href="http://www.devil-linux.org/">Devil Linux</A></LI>
-<LI>Coyote Linux has a<A href="http://embedded.coyotelinux.com/wolverine/index.php">
- Wolverine</A> firewall/VPN server</LI>
-</UL>
-<P>There are also several sets of scripts available for managing a
- firewall which is also acting as a FreeS/WAN IPsec gateway. See this<A href="#rules.pub">
- list</A>.</P>
-<H3><A name="turnkey">Firewall and VPN products</A></H3>
-<P>Several vendors use FreeS/WAN as the IPsec component of a turnkey
- firewall or VPN product.</P>
-<P>Software-only products:</P>
-<UL>
-<LI><A href="http://www.linuxmagic.com/vpn/index.html">Linux Magic</A>
- offer a VPN/Firewall product using FreeS/WAN</LI>
-<LI>The Software Group's<A href="http://www.wanware.com/sentinet/">
- Sentinet</A> product uses FreeS/WAN</LI>
-<LI><A href="http://www.merilus.com">Merilus</A> use FreeS/WAN in their
- Gateway Guardian firewall product</LI>
-</UL>
-<P>Products that include the hardware:</P>
-<UL>
-<LI>The<A href="http://www.lasat.com"> LASAT SafePipe[tm]</A> series. is
- an IPsec box based on an embedded MIPS running Linux with FreeS/WAN and
- a web-config front end. This company also host our freeswan.org web
- site.</LI>
-<LI>Merilus<A href="http://www.merilus.com/products/fc/index.shtml">
- Firecard</A> is a Linux firewall on a PCI card.</LI>
-<LI><A href="http://www.kyzo.com/">Kyzo</A> have a &quot;pizza box&quot; product
- line with various types of server, all running from flash. One of them
- is an IPsec/PPTP VPN server</LI>
-<LI><A href="http://www.pfn.com">PFN</A> use FreeS/WAN in some of their
- products</LI>
-</UL>
-<P><A href="www.rebel.com">Rebel.com</A>, makers of the Netwinder Linux
- machines (ARM or Crusoe based), had a product that used FreeS/WAN. The
- company is in receivership so the future of the Netwinder is at best
- unclear.<A href="#patch"> PKIX patches</A> for FreeS/WAN developed at
- Rebel are listed in our web links document.</P>
-<H2><A name="docs">Information sources</A></H2>
-<H3><A name="docformats">This HowTo, in multiple formats</A></H3>
-<P>FreeS/WAN documentation up to version 1.5 was available only in HTML.
- Now we ship two formats:</P>
-<UL>
-<LI>as HTML, one file for each doc section plus a global<A href="toc.html">
- Table of Contents</A></LI>
-<LI><A href="HowTo.html">one big HTML file</A> for easy searching</LI>
-</UL>
-<P>and provide a Makefile to generate other formats if required:</P>
-<UL>
-<LI><A href="HowTo.pdf">PDF</A></LI>
-<LI><A href="HowTo.ps">Postscript</A></LI>
-<LI><A href="HowTo.txt">ASCII text</A></LI>
-</UL>
-<P>The Makefile assumes the htmldoc tool is available. You can download
- it from<A href="http://www.easysw.com"> Easy Software</A>.</P>
-<P>All formats should be available at the following websites:</P>
-<UL>
-<LI><A href="http://www.freeswan.org/doc.html">FreeS/WAN project</A></LI>
-<LI><A href="http://www.linuxdoc.org">Linux Documentation Project</A></LI>
-</UL>
-<P>The distribution tarball has only the two HTML formats.</P>
-<P><STRONG>Note:</STRONG> If you need the latest doc version, for
- example to see if anyone has managed to set up interoperation between
- FreeS/WAN and whatever, then you should download the current snapshot.
- What is on the web is documentation as of the last release. Snapshots
- have all changes I've checked in to date.</P>
-<H3><A name="rtfm">RTFM (please Read The Fine Manuals)</A></H3>
-<P>As with most things on any Unix-like system, most parts of Linux
- FreeS/WAN are documented in online manual pages. We provide a list of<A href="/mnt/floppy/manpages.html">
- FreeS/WAN man pages</A>, with links to HTML versions of them.</P>
-<P>The man pages describing configuration files are:</P>
-<UL>
-<LI><A href="/mnt/floppy/manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></LI>
-<LI><A href="/mnt/floppy/manpage.d/ipsec.secrets.5.html">
-ipsec.secrets(5)</A></LI>
-</UL>
-<P>Man pages for common commands include:</P>
-<UL>
-<LI><A href="/mnt/floppy/manpage.d/ipsec.8.html">ipsec(8)</A></LI>
-<LI><A href="/mnt/floppy/manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A>
-</LI>
-<LI><A href="/mnt/floppy/manpage.d/ipsec_newhostkey.8.html">
-ipsec_newhostkey(8)</A></LI>
-<LI><A href="/mnt/floppy/manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A></LI>
-</UL>
-<P>You can read these either in HTML using the links above or with the<VAR>
- man(1)</VAR> command.</P>
-<P>In the event of disagreement between this HTML documentation and the
- man pages, the man pages are more likely correct since they are written
- by the implementers. Please report any such inconsistency on the<A href="#lists">
- mailing list</A>.</P>
-<H3><A name="text">Other documents in the distribution</A></H3>
-<P>Text files in the main distribution directory are README, INSTALL,
- CREDITS, CHANGES, BUGS and COPYING.</P>
-<P>The Libdes encryption library we use has its own documentation. You
- can find it in the library directory..</P>
-<H3><A name="assumptions">Background material</A></H3>
-<P>Throughout this documentation, I write as if the reader had at least
- a general familiarity with Linux, with Internet Protocol networking,
- and with the basic ideas of system and network security. Of course that
- will certainly not be true for all readers, and quite likely not even
- for a majority.</P>
-<P>However, I must limit amount of detail on these topics in the main
- text. For one thing, I don't understand all the details of those topics
- myself. Even if I did, trying to explain everything here would produce
- extremely long and almost completely unreadable documentation.</P>
-<P>If one or more of those areas is unknown territory for you, there are
- plenty of other resources you could look at:</P>
-<DL>
-<DT>Linux</DT>
-<DD>the<A href="http://www.linuxdoc.org"> Linux Documentation Project</A>
- or a local<A href="http://www.linux.org/groups/"> Linux User Group</A>
- and these<A href="#linux.link"> links</A></DD>
-<DT>IP networks</DT>
-<DD>Rusty Russell's<A href="http://netfilter.samba.org/unreliable-guides/networking-concepts-HOWTO/index.html">
- Networking Concepts HowTo</A> and these<A href="#IP.background"> links</A>
-</DD>
-<DT>Security</DT>
-<DD>Schneier's book<A href="#secrets"> Secrets and Lies</A> and these<A href="#crypto.link">
- links</A></DD>
-</DL>
-<P>Also, I do make an effort to provide some background material in
- these documents. All the basic ideas behind IPsec and FreeS/WAN are
- explained here. Explanations that do not fit in the main text, or that
- not everyone will need, are often in the<A href="#ourgloss"> glossary</A>
-, which is the largest single file in this document set. There is also a<A
-href="#background"> background</A> file containing various explanations
- too long to fit in glossary definitions. All files are heavily
- sprinkled with links to each other and to the glossary.<STRONG> If some
- passage makes no sense to you, try the links</STRONG>.</P>
-<P>For other reference material, see the<A href="#biblio"> bibliography</A>
- and our collection of<A href="web.html#weblinks"> web links</A>.</P>
-<P>Of course, no doubt I get this (and other things) wrong sometimes.
- Feedback via the<A href="#lists"> mailing lists</A> is welcome.</P>
-<H3><A name="archives">Archives of the project mailing list</A></H3>
-<P>Until quite recently, there was only one FreeS/WAN mailing list, and
- archives of it were:</P>
-<UL>
-<LI><A href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</A></LI>
-<LI><A href="http://www.nexial.com">Holland</A></LI>
-</UL>
- The two archives use completely different search engines. You might
- want to try both.
-<P>More recently we have expanded to five lists, each with its own
- archive.</P>
-<P><A href="#lists">More information</A> on mailing lists.</P>
-<H3><A name="howto">User-written HowTo information</A></H3>
-<P>Various user-written HowTo documents are available. The ones covering
- FreeS/WAN-to-FreeS/WAN connections are:</P>
-<UL>
-<LI>Jean-Francois Nadeau's<A href="http://jixen.tripod.com/"> practical
- configurations</A> document</LI>
-<LI>Jens Zerbst's HowTo on<A href="http://dynipsec.tripod.com/"> Using
- FreeS/WAN with dynamic IP addresses</A>.</LI>
-<LI>an entry in Kurt Seifried's<A href="http://www.securityportal.com/lskb/kben00000013.html">
- Linux Security Knowledge Base</A>.</LI>
-<LI>a section of David Ranch's<A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
- Trinity OS Guide</A></LI>
-<LI>a section in David Bander's book<A href="#bander"> Linux Security
- Toolkit</A></LI>
-</UL>
-<P>User-wriiten HowTo material may be<STRONG> especially helpful if you
- need to interoperate with another IPsec implementation</STRONG>. We
- have neither the equipment nor the manpower to test such
- configurations. Users seem to be doing an admirable job of filling the
- gaps.</P>
-<UL>
-<LI>list of user-written<A href="interop.html#otherpub"> interoperation
- HowTos</A> in our interop document</LI>
-</UL>
-<P>Check what version of FreeS/WAN user-written documents cover. The
- software is under active development and the current version may be
- significantly different from what an older document describes.</P>
-<H3><A name="applied">Papers on FreeS/WAN</A></H3>
-<P>Two design documents show team thinking on new developments:</P>
-<UL>
-<LI><A href="opportunism.spec">Opportunistic Encryption</A> by technical
- lead Henry Spencer and Pluto programmer Hugh Redelemeier</LI>
-<LI>discussion of<A href="http://www.sandelman.ottawa.on.ca/SSW/freeswan/klips2req/">
- KLIPS redesign</A></LI>
-</UL>
-<P>Both documents are works in progress and are frequently revised. For
- the latest version, see the<A href="#lists"> design mailing list</A>.
- Comments should go to that list.</P>
-<P>There is now an<A href="http://www.ietf.org/internet-drafts/draft-richardson-ipsec-opportunistic-06.txt">
- Internet Draft on Opportunistic Encryption</A> by Michael Richardson,
- Hugh Redelmeier and Henry Spencer. This is a first step toward getting
- the protocol standardised so there can be multiple implementations of
- it. Discussion of it takes place on the<A href="http://www.ietf.org/html.charters/ipsec-charter.html">
- IETF IPsec Working Group</A> mailing list.</P>
-<P>A number of papers giving further background on FreeS/WAN, or
- exploring its future or its applications, are also available:</P>
-<UL>
-<LI>Both Henry and Richard gave talks on FreeS/WAN at the 2000<A href="http://www.linuxsymposium.org">
- Ottawa Linux Symposium</A>.
-<UL>
-<LI>Richard's<A href="http://www.conscoop.ottawa.on.ca/rgb/freeswan/ols2k/">
- slides</A></LI>
-<LI>Henry's paper</LI>
-<LI>MP3 audio of their talks is available from the<A href="http://www.linuxsymposium.org/">
- conference page</A></LI>
-</UL>
-</LI>
-<LI><CITE>Moat: A Virtual Private Network Appliances and Services
- Platform</CITE> is a paper about large-scale (a few 100 links) use of
- FreeS/WAN in a production application at AT&amp;T Research. It is available
- in Postscript or PDF from co-author Steve Bellovin's<A href="http://www.research.att.com/~smb/papers/index.html">
- papers list page</A>.</LI>
-<LI>One of the Moat co-authors, John Denker, has also written
-<UL>
-<LI>a<A href="http://www.av8n.com/vpn/ipsec+routing.htm"> proposal</A>
- for how future versions of FreeS/WAN might interact with routing
- protocols</LI>
-<LI>a<A href="http://www.av8n.com/vpn/wishlist.htm"> wishlist</A> of
- possible new features</LI>
-</UL>
-</LI>
-<LI>Bart Trojanowski's web page has a draft design for<A href="http://www.jukie.net/~bart/linux-ipsec/">
- hardware acceleration</A> of FreeS/WAN</LI>
-</UL>
-<P>Several of these provoked interesting discussions on the mailing
- lists, worth searching for in the<A href="#archive"> archives</A>.</P>
-<P>There are also several papers in languages other than English, see
- our<A href="#otherlang"> web links</A>.</P>
-<H3><A name="licensing">License and copyright information</A></H3>
-<P>All code and documentation written for this project is distributed
- under either the GNU General Public License (<A href="#GPL">GPL</A>) or
- the GNU Library General Public License. For details see the COPYING
- file in the distribution.</P>
-<P>Not all code in the distribution is ours, however. See the CREDITS
- file for details. In particular, note that the<A href="#LIBDES"> Libdes</A>
- library and the version of<A href="#MD5"> MD5</A> that we use each have
- their own license.</P>
-<H2><A name="sites">Distribution sites</A></H2>
-<P>FreeS/WAN is available from a number of sites.</P>
-<H3><A NAME="1_5_1">Primary site</A></H3>
-<P>Our primary site, is at xs4all (Thanks, folks!) in Holland:</P>
-<UL>
-<LI><A href="http://www.xs4all.nl/~freeswan">HTTP</A></LI>
-<LI><A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">FTP</A></LI>
-</UL>
-<H3><A name="mirrors">Mirrors</A></H3>
-<P>There are also mirror sites all over the world:</P>
-<UL>
-<LI><A href="http://www.flora.org/freeswan">Eastern Canada</A> (limited
- resouces)</LI>
-<LI><A href="ftp://ludwig.doculink.com/pub/freeswan/">Eastern Canada</A>
- (has older versions too)</LI>
-<LI><A href="ftp://ntsc.notBSD.org/pub/crypto/freeswan/">Eastern Canada</A>
- (has older versions too)</LI>
-<LI><A href="ftp://ftp.kame.net/pub/freeswan/">Japan</A></LI>
-<LI><A href="ftp://ftp.futuredynamics.com/freecrypto/FreeSWAN/">Hong
- Kong</A></LI>
-<LI><A href="ftp://ipsec.dk/pub/freeswan/">Denmark</A></LI>
-<LI><A href="ftp://ftp.net.lut.ac.uk/freeswan">the UK</A></LI>
-<LI><A href="http://storm.alert.sk/comp/mirrors/freeswan/">Slovak
- Republic</A></LI>
-<LI><A href="http://the.wiretapped.net/security/vpn-tunnelling/freeswan/">
-Australia</A></LI>
-<LI><A href="http://freeswan.technolust.cx/">technolust</A></LI>
-<LI><A href="http://freeswan.devguide.de/">Germany</A></LI>
-<LI>Ivan Moore's<A href="http://snowcrash.tdyc.com/freeswan/"> site</A></LI>
-<LI>the<A href="http://www.cryptoarchive.net/"> Crypto Archive</A> on
- the<A href="http://www.securityportal.com/"> Security Portal</A> site</LI>
-<LI><A href="http://www.wiretapped.net/">Wiretapped.net</A> in Australia</LI>
-</UL>
-<P>Thanks to those folks as well.</P>
-<H3><A name="munitions">The &quot;munitions&quot; archive of Linux crypto software</A>
-</H3>
-<P>There is also an archive of Linux crypto software called &quot;munitions&quot;,
- with its own mirrors in a number of countries. It includes FreeS/WAN,
- though not always the latest version. Some of its sites are:</P>
-<UL>
-<LI><A href="http://munitions.vipul.net/">Germany</A></LI>
-<LI><A href="http://munitions.iglu.cjb.net/">Italy</A></LI>
-<LI><A href="http://munitions2.xs4all.nl/">Netherlands</A></LI>
-</UL>
-<P>Any of those will have a list of other &quot;munitions&quot; mirrors. There is
- also a CD available.</P>
-<H2><A NAME="1_6">Links to other sections</A></H2>
-<P>For more detailed background information, see:</P>
-<UL>
-<LI><A href="#politics">history and politics</A> of cryptography</LI>
-<LI><A href="#ipsec.detail">IPsec protocols</A></LI>
-</UL>
-<P>To begin working with FreeS/WAN, go to our<A href="quickstart.html#quick.guide">
- quickstart</A> guide.</P>
-<HR>
-<A NAME="upgrading"></A>
-<H1><A NAME="2">Upgrading to FreeS/WAN 2.x</A></H1>
-<H2><A NAME="2_1">New! Built in Opportunistic connections</A></H2>
-<P>Out of the box, FreeS/WAN 2.x will attempt to encrypt all your IP
- traffic. It will try to establish IPsec connections for:</P>
-<UL>
-<LI> IP traffic from the Linux box on which you have installed
- FreeS/WAN, and</LI>
-<LI> outbound IP traffic routed through that Linux box (eg. from a
- protected subnet).</LI>
-</UL>
-<P>FreeS/WAN 2.x uses<STRONG> hidden, automatically enabled<VAR>
- ipsec.conf</VAR> connections</STRONG> to do this.</P>
-<P>This behaviour is part of our campaign to get Opportunistic
- Encryption (OE) widespread in the Linux world, so that any two Linux
- boxes can encrypt to one another without prearrangement. There's one
- catch, however: you must<A HREF="#quickstart"> set up a few DNS records</A>
- to distribute RSA public keys and (if applicable) IPsec gateway
- information.</P>
-<P>If you start FreeS/WAN before you have set up these DNS records, your
- connectivity will be slow, and messages relating to the built in
- connections will clutter your logs. If you are unable to set up DNS for
- OE, you will wish to<A HREF="#disable_policygroups"> disable the hidden
- connections</A>.</P>
-<A NAME="upgrading.flagday"></A>
-<H3><A NAME="2_1_1">Upgrading Opportunistic Encryption to 2.01 (or
- later)</A></H3>
-<P>As of FreeS/WAN 2.01, Opportunistic Encryption (OE) uses DNS TXT
- resource records (RRs) only (rather than TXT with KEY). This change
- causes a &quot;flag day&quot;. Users of FreeS/WAN 2.00 (or earlier) OE who are
- upgrading may need to post additional resource records.</P>
-<P>If you are running<A HREF="#initiate-only"> initiate-only OE</A>, you<EM>
- must</EM> put up a TXT record in any forward domain as per our<A HREF="#opp.client">
- quickstart instructions</A>. This replaces your old forward KEY.</P>
-<P> If you are running full OE, you require no updates. You already have
- the needed TXT record in the reverse domain. However, to facilitate
- future features, you may also wish to publish that TXT record in a
- forward domain as instructed<A HREF="#opp.incoming"> here</A>.</P>
-<P>If you are running OE on a gateway (and encrypting on behalf of
- subnetted boxes) you require no updates. You already have the required
- TXT record in your gateway's reverse map, and the TXT records for any
- subnetted boxes require no updating. However, to facilitate future
- features, you may wish to publish your gateway's TXT record in a
- forward domain as shown<A HREF="#opp.incoming"> here</A>.</P>
-<P> During the transition, you may wish to leave any old KEY records up
- for some time. They will provide limited backward compatibility.
-<!--
-For more
-detail on that compatibility, see <A HREF="oe.known-issues">Known Issues with
-OE</A>.
--->
-</P>
-<H2><A NAME="2_2">New! Policy Groups</A></H2>
-<P>We want to make it easy for you to declare security policy as it
- applies to IPsec connections.</P>
-<P>Policy Groups make it simple to say:</P>
-<UL>
-<LI>These are the folks I want to talk to in the clear.</LI>
-<LI>These spammers' domains -- I don't want to talk to them at all.</LI>
-<LI>To talk to the finance department, I must use IPsec.</LI>
-<LI>For any other communication, try to encrypt, but it's okay if we
- can't.</LI>
-</UL>
-<P>FreeS/WAN then implements these policies, creating OE connections if
- and when needed. You can use Policy Groups along with connections you
- explicitly define in ipsec.conf.</P>
-<P>For more information, see our<A HREF="policygroups.html"> Policy
- Group HOWTO</A>.</P>
-<H2><A NAME="2_3">New! Packetdefault Connection</A></H2>
-<P>Free/SWAN 2.x ships with the<STRONG> automatically enabled, hidden
- connection</STRONG><VAR> packetdefault</VAR>. This configures a
- FreeS/WAN box as an OE gateway for any hosts located behind it. As
- mentioned above, you must configure some<A HREF="quickstart.html"> DNS
- records</A> for OE to work.</P>
-<P>As the name implies, this connection functions as a default. If you
- have more specific connections, such as policy groups which configure
- your FreeS/WAN box as an OE gateway for a local subnet, these will
- apply before<VAR> packetdefault</VAR>. You can view<VAR> packetdefault</VAR>
-'s specifics in<A HREF="manpage.d/ipsec.conf.5.html"> man ipsec.conf</A>
-.</P>
-<H2><A NAME="2_4">FreeS/WAN now disables Reverse Path Filtering</A></H2>
-<P>FreeS/WAN often doesn't work with reverse path filtering. At start
- time, FreeS/WAN now turns rp_filter off, and logs a warning.</P>
-<P>FreeS/WAN does not turn it back on again. You can do this yourself
- with a command like:</P>
-<PRE>   echo 1 &gt; /proc/sys/net/ipv4/conf/eth0/rp_filter</PRE>
-<P>For eth0, substitute the interface which FreeS/WAN was affecting.</P>
-<A NAME="ipsec.conf_v2"></A>
-<H2><A NAME="2_5">Revised<VAR> ipsec.conf</VAR></A></H2>
-<H3><A NAME="2_5_1">No promise of compatibility</A></H3>
-<P>The FreeS/WAN team promised config-file compatibility throughout the
- 1.x series. That means a 1.5 config file can be directly imported into
- a fresh 1.99 install with no problems.</P>
-<P>With FreeS/WAN 2.x, we've given ourselves permission to make the
- config file easier to use. The cost: some FreeS/WAN 1.x configurations
- will not work properly. Many of the new features are, however, backward
- compatible.</P>
-<H3><A NAME="2_5_2">Most<VAR> ipsec.conf</VAR> files will work fine</A></H3>
-<P>... so long as you paste this line,<STRONG> with no preceding
- whitespace</STRONG>, at the top of your config file:</P>
-<PRE>    version 2</PRE>
-<H3><A NAME="2_5_3">Backward compatibility patch</A></H3>
-<P>If the new defaults bite you, use<A HREF="ipsec.conf.2_to_1"> this<VAR>
- ipsec.conf</VAR> fragment</A> to simulate the old default values.</P>
-<H3><A NAME="2_5_4">Details</A></H3>
-<P> We've obsoleted various directives which almost no one was using:</P>
-<PRE>    dump
-    plutobackgroundload
-    no_eroute_pass
-    lifetime
-    rekeystart
-    rekeytries</PRE>
-<P>For most of these, there is some other way to elicit the desired
- behaviour. See<A HREF="http://lists.freeswan.org/pipermail/design/2002-August/003243.html">
- this post</A>.</P>
-<P> We've made some settings, which almost everyone was using, defaults.
- For example:</P>
-<PRE>    interfaces=%defaultroute
-    plutoload=%search
-    plutostart=%search
-    uniqueids=yes</PRE>
-<P>We've also changed some default values to help with OE and Policy
- Groups:</P>
-<PRE>    authby=rsasig   ## not secret!!!
-    leftrsasigkey=%dnsondemand ## looks up missing keys in DNS when needed.
-    rightrsasigkey=%dnsondemand</PRE>
-<P> Of course, you can still override any defaults by explictly
- declaring something else in your connection.</P>
-<P><A HREF="http://lists.freeswan.org/pipermail/design/2002-August/003243.html">
- A post with a list of many ipsec.conf changes.</A>
-<BR><A HREF="manpage.d/ipsec.conf.5.html"> Current ipsec.conf manual.</A>
-</P>
-<A NAME="upgrading.rpms"></A>
-<H3><A NAME="2_5_5">Upgrading from 1.x RPMs to 2.x RPMs</A></H3>
-<P>Note: When upgrading from 1-series to 2-series RPMs,<VAR> rpm -U</VAR>
- will not work.</P>
-<P>You must instead erase the 1.x RPMs, then install the 2.x set:</P>
-<PRE>    rpm -e freeswan</PRE>
-<PRE>    rpm -e freeswan-module</PRE>
-<P>On erasing, your old<VAR> ipsec.conf</VAR> should be moved to<VAR>
- ipsec.conf.rpmsave</VAR>. Keep this. You will probably want to copy
- your existing connections to the end of your new 2.x file.</P>
-<P>Install the RPMs suitable for your kernel version, such as:</P>
-<PRE>    rpm -ivh freeswan-module-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<PRE>    rpm -ivh freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<P>Or, to splice the files:</P>
-<PRE>    cat /etc/ipsec.conf /etc/ipsec.conf.rpmsave &gt; /etc/ipsec.conf.tmp
-    mv /etc/ipsec.conf.tmp /etc/ipsec.conf</PRE>
-<P>Then, remove the redundant<VAR> conn %default</VAR> and<VAR> config
- setup</VAR> sections. Unless you have done any special configuring
- here, you'll likely want to remove the 1.x versions. Remove<VAR> conn
- OEself</VAR>, if present.</P>
-<HR>
-<H1><A name="quickstart">Quickstart Guide to Opportunistic Encryption</A>
-</H1>
-<A name="quick_guide"></A>
-<H2><A name="opp.setup">Purpose</A></H2>
-<P>This page will get you started using Linux FreeS/WAN with
- opportunistic encryption (OE). OE enables you to set up IPsec tunnels
- without co-ordinating with another site administrator, and without hand
- configuring each tunnel. If enough sites support OE, a &quot;FAX effect&quot;
- occurs, and many of us can communicate without eavesdroppers.</P>
-<H3><A NAME="3_1_1">OE &quot;flag day&quot;</A></H3>
-<P>As of FreeS/WAN 2.01, OE uses DNS TXT resource records (RRs) only
- (rather than TXT with KEY). This change causes a<A href="http://jargon.watson-net.com/jargon.asp?w=flag+day">
- &quot;flag day&quot;</A>. Users of FreeS/WAN 2.00 (or earlier) OE who are
- upgrading may require additional resource records, as detailed in our<A href="#upgrading.flagday">
- upgrading document</A>. OE setup instructions here are for 2.02 or
- later.</P>
-<H2><A name="opp.dns">Requirements</A></H2>
-<P>To set up opportunistic encryption, you will need:</P>
-<UL>
-<LI>a Linux box. For OE to the public Internet, this box must NOT be
- behind<A HREF="#NAT.gloss"> Network Address Translation</A> (NAT).</LI>
-<LI>to install Linux FreeS/WAN 2.02 or later</LI>
-<LI>either control over your reverse DNS (for full opportunism) or the
- ability to write to some forward domain (for initiator-only).<A HREF="http://www.fdns.net">
- This free DNS service</A> explicitly supports forward TXT records for
- FreeS/WAN use.</LI>
-<LI>(for full opportunism) a static IP</LI>
-</UL>
-<P>Note: Currently, only Linux FreeS/WAN supports opportunistic
- encryption.</P>
-<H2><A name="easy.install">RPM install</A></H2>
-<P>Our instructions are for a recent Red Hat with a 2.4-series stock or
- Red Hat updated kernel. For other ways to install, see our<A href="#install">
- install document</A>.</P>
-<H3><A NAME="3_3_1">Download RPMs</A></H3>
-<P>If we have prebuilt RPMs for your Red Hat system, this command will
- get them:</P>
-<PRE>    ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r | tr -d 'a-wy-z'`/\*</PRE>
-<P>If that fails, you will need to try<A HREF="install.html"> another
- install method</A>. Our kernel modules<B> will only work on the Red Hat
- kernel they were built for</B>, since they are very sensitive to small
- changes in the kernel.</P>
-<P>If it succeeds, you will have userland tools, a kernel module, and an
- RPM signing key:</P>
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm
-    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm
-    freeswan-rpmsign.asc</PRE>
-<H3><A NAME="3_3_2">Check signatures</A></H3>
-<P>If you're running RedHat 8.x or later, import the RPM signing key
- into the RPM database:</P>
-<PRE>    rpm --import freeswan-rpmsign.asc</PRE>
-<P>For RedHat 7.x systems, you'll need to add it to your<A HREF="#PGP">
- PGP</A> keyring:</P>
-<PRE>    pgp -ka freeswan-rpmsign.asc</PRE>
-<P>Check the digital signatures on both RPMs using:</P>
-<PRE>    rpm --checksig freeswan*.rpm </PRE>
-<P>You should see that these signatures are good:</P>
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK
-    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK</PRE>
-<H3><A NAME="3_3_3">Install the RPMs</A></H3>
-<P>Become root:</P>
-<PRE>    su</PRE>
-<P>Install your RPMs with:</P>
-<P></P>
-<PRE>    rpm -ivh freeswan*.rpm</PRE>
-<P>If you're upgrading from FreeS/WAN 1.x RPMs, and have problems with
- that command, see<A HREF="#upgrading.rpms"> this note</A>.</P>
-<P>Then, start FreeS/WAN:</P>
-<PRE>    service ipsec start</PRE>
-<H3><A name="testinstall">Test</A></H3>
-<P>To check that you have a successful install, run:</P>
-<PRE>    ipsec verify</PRE>
-<P>You should see as part of the<VAR> verify</VAR> output:</P>
-<PRE>
-    Checking your system to see if IPsec got installed and started correctly
-    Version check and ipsec on-path                             [OK]
-    Checking for KLIPS support in kernel                        [OK]
-    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
-    Checking that pluto is running                              [OK]
-    ...</PRE>
-<P>If any of these first four checks fails, see our<A href="#install.check">
- troubleshooting guide</A>.</P>
-<H2><A name="opp.setups.list">Our Opportunistic Setups</A></H2>
-<H3><A NAME="3_4_1">Full or partial opportunism?</A></H3>
-<P>Determine the best form of opportunism your system can support.</P>
-<UL>
-<LI>For<A HREF="#opp.incoming"> full opportunism</A>, you'll need a
- static IP and and either control over your reverse DNS or an ISP that
- can add the required TXT record for you.</LI>
-<LI>If you have a dynamic IP, and/or write access to forward DNS only,
- you can do<A HREF="#opp.client"> initiate-only opportunism</A></LI>
-<LI>To protect traffic bound for real IPs behind your gateway, use<A HREF="#opp.gate">
- this form of full opportunism</A>.</LI>
-</UL>
-<H2><A name="opp.client">Initiate-only setup</A></H2>
-<H3><A NAME="3_5_1">Restrictions</A></H3>
-<P>When you set up initiate-only Opportunistic Encryption (iOE):</P>
-<UL>
-<LI>there will be<STRONG> no incoming connection requests</STRONG>; you
- can initiate all the IPsec connections you need.</LI>
-<LI><STRONG>only one machine is visible</STRONG> on your end of the
- connection.</LI>
-<LI>iOE also protects traffic on behalf of<A HREF="#NAT.gloss"> NATted</A>
- hosts behind the iOE box.</LI>
-</UL>
-<P>You cannot network a group of initiator-only machines if none of
- these is capable of responding to OE. If one is capable of responding,
- you may be able to create a hub topology using routing.</P>
-<H3><A name="forward.dns">Create and publish a forward DNS record</A></H3>
-<H4><A NAME="3_5_2_1">Find a domain you can use</A></H4>
-<P>Find a DNS forward domain (e.g. example.com) where you can publish
- your key. You'll need access to the DNS zone files for that domain.
- This is common for a domain you own. Some free DNS providers, such as<A HREF="http://www.fdns.net">
- this one</A>, also provide this service.</P>
-<P>Dynamic IP users take note: the domain where you place your key need
- not be associated with the IP address for your system, or even with
- your system's usual hostname.</P>
-<H4><A NAME="3_5_2_2">Choose your ID</A></H4>
-<P>Choose a name within that domain which you will use to identify your
- machine. It's convenient if this can be the same as your hostname:</P>
-<PRE>    [root@xy root]# hostname --fqdn
-    xy.example.com</PRE>
-<P>This name in FQDN (fully-qualified domain name) format will be your
- ID, for DNS key lookup and IPsec negotiation.</P>
-<H4><A NAME="3_5_2_3">Create a forward TXT record</A></H4>
-<P>Generate a forward TXT record containing your system's public key
- with a command like:</P>
-<PRE>    ipsec showhostkey --txt @xy.example.com</PRE>
-<P>using your chosen ID in place of xy.example.com. This command takes
- the contents of /etc/ipsec.secrets and reformats it into something
- usable by ISC's BIND. The result should look like this (with the key
- data trimmed down for clarity):</P>
-<PRE>
-    ; RSA 2192 bits   xy.example.com   Thu Jan  2 12:41:44 2003
-        IN      TXT     &quot;X-IPsec-Server(10)=@xy.example.com&quot; 
-    &quot;AQOF8tZ2... ...+buFuFn/&quot;
-</PRE>
-<H4><A NAME="3_5_2_4">Publish the forward TXT record</A></H4>
-<P>Insert the record into DNS, or have a system adminstrator do it for
- you. It may take up to 48 hours for the record to propagate, but it's
- usually much quicker.</P>
-<H3><A NAME="3_5_3">Test that your key has been published</A></H3>
-<P>Check your DNS work</P>
-<PRE>    ipsec verify --host xy.example.com</PRE>
-<P>As part of the<VAR> verify</VAR> output, you ought to see something
- like:</P>
-<PRE>    ...
-    Looking for TXT in forward map: xy.example.com          [OK]
-    ...</PRE>
-<P>For this type of opportunism, only the forward test is relevant; you
- can ignore the tests designed to find reverse records.</P>
-<H3><A NAME="3_5_4">Configure, if necessary</A></H3>
-<P> If your ID is the same as your hostname, you're ready to go.
- FreeS/WAN will use its<A HREF="policygroups.html"> built-in connections</A>
- to create your iOE functionality.</P>
-<P>If you have chosen a different ID, you must tell FreeS/WAN about it
- via<A HREF="manpage.d/ipsec.conf.5.html"><VAR> ipsec.conf</VAR></A>:</P>
-<PRE>    config setup
-        myid=@myname.freedns.example.com</PRE>
-<P>and restart FreeS/WAN:</P>
-<PRE>    service ipsec restart</PRE>
-<P>The new ID will be applied to the built-in connections.</P>
-<P>Note: you can create more complex iOE configurations as explained in
- our<A HREF="#policygroups"> policy groups document</A>, or disable OE
- using<A HREF="#disable_policygroups"> these instructions</A>.</P>
-<H3><A NAME="3_5_5">Test</A></H3>
-<P>That's it!<A HREF="#opp.test"> Test your connections</A>.</P>
-<A name="opp.incoming"></A>
-<H2><A NAME="3_6">Full Opportunism</A></H2>
-<P>Full opportunism allows you to initiate and receive opportunistic
- connections on your machine.</P>
-<A name="incoming.opp.dns"></A>
-<H3><A NAME="3_6_1">Put a TXT record in a Forward Domain</A></H3>
-<P>To set up full opportunism, first<A HREF="#forward.dns"> set up a
- forward TXT record</A> as for<A HREF="#opp.client"> initiator-only OE</A>
-, using an ID (for example, your hostname) that resolves to your IP. Do
- not configure<VAR> /etc/ipsec.conf</VAR>, but continue with the
- instructions for full opportunism, below.</P>
-<P>Note that this forward record is not currently necessary for full OE,
- but will facilitate future features.</P>
-<A name="incoming.opp.dns"></A>
-<H3><A NAME="3_6_2">Put a TXT record in Reverse DNS</A></H3>
-<P>You must be able to publish your DNS RR directly in the reverse
- domain. FreeS/WAN will not follow a PTR which appears in the reverse,
- since a second lookup at connection start time is too costly.</P>
-<H4><A NAME="3_6_2_1">Create a Reverse DNS TXT record</A></H4>
-<P>This record serves to publicize your FreeS/WAN public key. In
- addition, it lets others know that this machine can receive
- opportunistic connections, and asserts that the machine is authorized
- to encrypt on its own behalf.</P>
-<P>Use the command:</P>
-<PRE>    ipsec showhostkey --txt 192.0.2.11</PRE>
-<P>where you replace 192.0.2.11 with your public IP.</P>
-<P>The record (with key shortened) looks like:</P>
-<PRE>    ; RSA 2048 bits  xy.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-<H4><A NAME="3_6_2_2">Publish your TXT record</A></H4>
-<P>Send these records to your ISP, to be published in your IP's reverse
- map. It may take up to 48 hours for these to propagate, but usually
- takes much less time.</P>
-<H3><A NAME="3_6_3">Test your DNS record</A></H3>
-<P>Check your DNS work with</P>
-<PRE>    ipsec verify --host xy.example.com</PRE>
-<P>As part of the<VAR> verify</VAR> output, you ought to see something
- like:</P>
-<PRE>    ...
-    Looking for TXT in reverse map: 11.2.0.192.in-addr.arpa [OK]
-    ...</PRE>
-<P>which indicates that you've passed the reverse-map test.</P>
-<H3><A NAME="3_6_4">No Configuration Needed</A></H3>
-<P>FreeS/WAN 2.x ships with full OE enabled, so you don't need to
- configure anything. To enable OE out of the box, FreeS/WAN 2.x uses the
- policy group<VAR> private-or-clear</VAR>, which creates IPsec
- connections if possible (using OE if needed), and allows traffic in the
- clear otherwise. You can create more complex OE configurations as
- described in our<A HREF="#policygroups"> policy groups document</A>, or
- disable OE using<A HREF="#disable_policygroups"> these instructions</A>
-.</P>
-<P>If you've previously configured for initiator-only opportunism,
- remove<VAR> myid=</VAR> from<VAR> config setup</VAR>, so that peer
- FreeS/WANs will look up your key by IP. Restart FreeS/WAN so that your
- change will take effect, with</P>
-<PRE>    service ipsec restart</PRE>
-<H3><A NAME="3_6_5">Consider Firewalling</A></H3>
-<P>If you are running a default install of RedHat 8.x, take note: you
- will need to alter your iptables rule setup to allow IPSec traffic
- through your firewall. See<A HREF="#simple.rules"> our firewall
- document</A> for sample<VAR> iptables</VAR> rules.</P>
-<H3><A NAME="3_6_6">Test</A></H3>
-<P>That's it. Now,<A HREF="#opp.test"> test your connection</A>.</P>
-<H3><A NAME="3_6_7">Test</A></H3>
-<P>Instructions are in the next section.</P>
-<H2><A NAME="opp.test">Testing opportunistic connections</A></H2>
-<P>Be sure IPsec is running. You can see whether it is with:</P>
-<PRE>    ipsec setup status</PRE>
-<P>If need be, you can restart it with:</P>
-<PRE>    service ipsec restart</PRE>
-<P>Load a FreeS/WAN test website from the host on which you're running
- FreeS/WAN. Note: the feds may be watching these sites. Type one of:</P>
-<P></P>
-<PRE>   links oetest.freeswan.org</PRE>
-<PRE>   links oetest.freeswan.nl</PRE>
-
-<!--<PRE>   links oetest.freeswan.ca</PRE>-->
-<P>A positive result looks like this:</P>
-<PRE>
-   You  seem  to  be  connecting  from:  192.0.2.11 which DNS says is:
-   gateway.example.com
-     _________________________________________________________________
-
-   Status E-route
-   OE    enabled    16    192.139.46.73/32    -&gt;    192.0.2.11/32   =&gt;
-   tun0x2097@192.0.2.11
-   OE    enabled    176    192.139.46.77/32    -&gt;   192.0.2.11/32   =&gt;
-   tun0x208a@192.0.2.11
-</PRE>
-<P>If you see this, congratulations! Your OE host or gateway will now
- encrypt its own traffic whenever it can. For more OE tests, please see
- our<A HREF="#test.oe"> testing document</A>. If you have difficulty,
- see our<A HREF="#oe.trouble"> OE troubleshooting tips</A>.</P>
-<H2><A NAME="3_8">Now what?</A></H2>
-<P>Please see our<A HREF="policygroups.html"> policy groups document</A>
- for more ways to set up Opportunistic Encryption.</P>
-<P>You may also wish to make some<A HREF="config.html"> pre-configured
- connections</A>.</P>
-<H2><A NAME="3_9">Notes</A></H2>
-<UL>
-<LI>We assume some facts about your system in order to make
- Opportunistic Encryption easier to configure. For example, we assume
- that you wish to have FreeS/WAN secure your default interface.</LI>
-<LI>You may change this, and other settings, by altering the<VAR> config
- setup</VAR> section in<VAR> /etc/ipsec.conf</VAR>.</LI>
-<LI>Note that the built-in connections used to build policy groups do
- not inherit from<VAR> conn default</VAR>.</LI>
-
-<!--
-<LI>If you do not define your local identity
-(eg. <VAR>leftid</VAR>), this will be the IP address of your default
-FreeS/WAN interface.  
--->
-<LI> If you fail to define your local identity and do not fill in your
- reverse DNS entry, you will not be able to use OE.</LI>
-</UL>
-<A NAME="oe.trouble"></A>
-<H2><A NAME="3_10">Troubleshooting OE</A></H2>
-<P>See the OE troubleshooting hints in our<A HREF="#oe.trouble">
- troubleshooting guide</A>.</P>
-<A NAME="oe.known-issues"></A>
-<H2><A NAME="3_11">Known Issues</A></H2>
-<P>Please see<A HREF="opportunism.known-issues"> this list</A> of known
- issues with Opportunistic Encryption.</P>
-<HR>
-<H1><A NAME="4">How to Configure Linux FreeS/WAN with Policy Groups</A></H1>
-<A NAME="policygroups"></A>
-<H2><A NAME="4_1">What are Policy Groups?</A></H2>
-<P><STRONG>Policy Groups</STRONG> are an elegant general mechanism to
- configure FreeS/WAN. They are useful for many FreeS/WAN users.</P>
-<P>In previous FreeS/WAN versions, you needed to configure each IPsec
- connection explicitly, on both local and remote hosts. This could
- become complex.</P>
-<P>By contrast, Policy Groups allow you to set local IPsec policy for
- lists of remote hosts and networks, simply by listing the hosts and
- networks which you wish to have special treatment in one of several
- Policy Group files. FreeS/WAN then internally creates the connections
- needed to implement each policy.</P>
-<P>In the next section we describe our five Base Policy Groups, which
- you can use to configure IPsec in many useful ways. Later, we will show
- you how to create an IPsec VPN using one line of configuration for each
- remote host or network.</P>
-<A NAME="builtin_policygroups"></A>
-<H3><A NAME="4_1_1">Built-In Security Options</A></H3>
-<P>FreeS/WAN offers these Base Policy Groups:</P>
-<DL>
-<DT>private</DT>
-<DD> FreeS/WAN only communicates privately with the listed<A HREF="#CIDR">
- CIDR</A> blocks. If needed, FreeS/WAN attempts to create a connection
- opportunistically. If this fails, FreeS/WAN blocks communication.
- Inbound blocking is assumed to be done by the firewall. FreeS/WAN
- offers firewall hooks but no modern firewall rules to help with inbound
- blocking.</DD>
-<DT>private-or-clear</DT>
-<DD> FreeS/WAN prefers private communication with the listed CIDR
- blocks. If needed, FreeS/WAN attempts to create a connection
- opportunistically. If this fails, FreeS/WAN allows traffic in the
- clear.</DD>
-<DT>clear-or-private</DT>
-<DD> FreeS/WAN communicates cleartext with the listed CIDR blocks, but
- also accepts inbound OE connection requests from them. Also known as<A HREF="#passive.OE">
- passive OE (pOE)</A>, this policy may be used to create an<A HREF="#responder">
- opportunistic responder</A>.</DD>
-<DT>clear</DT>
-<DD> FreeS/WAN only communicates cleartext with the listed CIDR blocks.</DD>
-<DT>block</DT>
-<DD>FreeS/WAN blocks traffic to and from and the listed CIDR blocks.
- Inbound blocking is assumed to be done by the firewall. FreeS/WAN
- offers firewall hooks but no modern firewall rules to help with inbound
- blocking.
-<!-- also called "blockdrop".-->
-</DD>
-</DL>
-<A NAME="policy.group.notes"></A>
-<P>Notes:</P>
-<UL>
-<LI>Base Policy Groups apply to communication with this host only.</LI>
-<LI>The most specific rule (whether policy or pre-configured connection)
- applies. This has several practical applications:
-<UL>
-<LI>If CIDR blocks overlap, FreeS/WAN chooses the most specific
- applicable block.</LI>
-<LI>This decision also takes into account any pre-configured connections
- you may have.</LI>
-<LI>If the most specific connection is a pre-configured connection, the
- following procedure applies. If that connection is up, it will be used.
- If it is routed, it will be brought up. If it is added, no action will
- be taken.</LI>
-</UL>
-</LI>
-<LI>Base Policy Groups are created using built-in connections. Details
- in<A HREF="manpage.d/ipsec.conf.5.html"> man ipsec.conf</A>.</LI>
-<LI>All Policy Groups are bidirectional.<A HREF="src/policy-groups-table.html">
- This chart</A> shows some technical details. FreeS/WAN does not support
- one-way encryption, since it can give users a false sense of security.</LI>
-</UL>
-<H2><A NAME="4_2">Using Policy Groups</A></H2>
-<P>The Base Policy Groups which build IPsec connections rely on
- Opportunistic Encryption. To use the following examples, you must first
- become OE-capable, as described in our<A HREF="#quickstart"> quickstart
- guide</A>.<A NAME="example1"></A></P>
-<H3><A NAME="4_2_1">Example 1: Using a Base Policy Group</A></H3>
-<P>Simply place CIDR blocks (<A HREF="#dnswarning">names</A>, IPs or IP
- ranges) in /etc/ipsec.d/policies/<VAR>[groupname]</VAR>, and reread the
- policy group files.</P>
-<P>For example, the<VAR> private-or-clear</VAR> policy tells FreeS/WAN
- to prefer encrypted communication to the listed CIDR blocks. Failing
- that, it allows talk in the clear.</P>
-<P>To make this your default policy, place<A HREF="#fullnet"> fullnet</A>
- in the<VAR> private-or-clear</VAR> policy group file:</P>
-<PRE>    [root@xy root]# cat /etc/ipsec.d/policies/private-or-clear
-    # This file defines the set of CIDRs (network/mask-length) to which
-    # communication should be private, if possible, but in the clear otherwise.
-    ....
-    0.0.0.0/0</PRE>
-<P>and reload your policies with</P>
-<PRE>    ipsec auto --rereadgroups</PRE>
-<P>Use<A HREF="#opp.test"> this test</A> to verify opportunistic
- connections.</P>
-<A NAME="example2"></A>
-<H3><A NAME="4_2_2">Example 2: Defining IPsec Security Policy with
- Groups</A></H3>
-<P>Defining IPsec security policy with Base Policy Groups is like
- creating a shopping list: just put CIDR blocks in the appropriate group
- files. For example:</P>
-<PRE>    [root@xy root]# cd /etc/ipsec.d/policies
-    [root@xy policies]# cat private
-        192.0.2.96/27              # The finance department
-        192.0.2.192/29             # HR
-	192.0.2.12                 # HR gateway
-        irc.private.example.com    # Private IRC server
-  
-    [root@xy policies]# cat private-or-clear
-        0.0.0.0/0                  # My default policy: try to encrypt.
-
-    [root@xy policies]# cat clear
-        192.0.2.18/32              # My POP3 server
-        192.0.2.19/32              # My Web proxy
-
-    [root@xy policies]# cat block
-        spamsource.example.com</PRE>
-<P>To make these settings take effect, type:</P>
-<PRE>    ipsec auto --rereadgroups</PRE>
-<P>Notes:</P>
-<UL>
-<LI>For opportunistic connection attempts to succeed, all participating
- FreeS/WAN hosts and gateways must be configured for OE.</LI>
-<LI>Examples 3 through 5 show how to implement a detailed<VAR> private</VAR>
- policy.</LI>
-<LI><A NAME="dnswarning"></A><FONT COLOR="RED"> Warning:</FONT> Using
- DNS names in policy files and ipsec.conf can be tricky. If the name
- does not resolve, the policy will not be implemented for that name. It
- is therefore safer either to use IPs, or to put any critical names in
- /etc/hosts. We plan to implement periodic DNS retry to help with this.
-<BR> Names are resolved at FreeS/WAN startup, or when the policies are
- reloaded. Unfortunately, name lookup can hold up the startup process.
- If you have fast DNS servers, the problem may be less severe.</LI>
-</UL>
-<A HREF="example3"></A>
-<H3><A NAME="4_2_3">Example 3: Creating a Simple IPsec VPN with the<VAR>
- private</VAR> Group</A></H3>
-<P>You can create an IPsec VPN between several hosts, with only one line
- of configuration per host, using the<VAR> private</VAR> policy group.</P>
-<P>First, use our<A HREF="quickstart.html"> quickstart guide</A> to set
- up each participating host with a FreeS/WAN install and OE.</P>
-<P>In one host's<VAR> /etc/ipsec.d/policies/private</VAR>, list the
- peers to which you wish to protect traffic. For example:</P>
-<PRE>    [root@xy root]# cd /etc/ipsec.d/policies
-    [root@xy policies]# cat private
-        192.0.2.9              # several hosts at example.com
-        192.0.2.11             
-        192.0.2.12                 
-        irc.private.example.com 
-</PRE>
-<P>Copy the<VAR> private</VAR> file to each host. Remove the local host,
- and add the initial host.</P>
-<PRE>    scp2 /etc/ipsec.d/policies/private root@192.0.2.12:/etc/ipsec.d/policies/private</PRE>
-<P>On each host, reread the policy groups with</P>
-<PRE>    ipsec auto --rereadgroups</PRE>
-<P>That's it! You're configured.</P>
-<P>Test by pinging between two hosts. After a second or two, traffic
- should flow, and</P>
-<PRE>    ipsec eroute</PRE>
-<P>should yield something like</P>
-<PRE>    192.0.2.11/32   -&gt; 192.0.2.8/32  =&gt; tun0x149f@192.0.2.8</PRE>
-<P>where your host IPs are substituted for 192.0.2.11 and 192.0.2.8.</P>
-<P>If traffic does not flow, there may be an error in your OE setup.
- Revisit our<A HREF="quickstart.html"> quickstart guide</A>.</P>
-<P>Our next two examples show you how to add subnets to this IPsec VPN.</P>
-<A NAME="example4"></A>
-<H3><A NAME="4_2_4">Example 4: New Policy Groups to Protect a Subnet</A></H3>
-<P>To protect traffic to a subnet behind your FreeS/WAN gateway, you'll
- need additional DNS records, and new policy groups. To set up the DNS,
- see our<A HREF="#opp.gate"> quickstart guide</A>. To create five new
- policy groups for your subnet, copy these connections to<VAR>
- /etc/ipsec.conf</VAR>. Substitute your subnet's IPs for 192.0.2.128/29.</P>
-<PRE>
-conn private-net
-    also=private  # inherits settings (eg. auto=start) from built in conn
-    leftsubnet=192.0.2.128/29  # your subnet's IPs here
-
-conn private-or-clear-net
-    also=private-or-clear
-    leftsubnet=192.0.2.128/29
-
-conn clear-or-private-net
-    also=clear-or-private
-    leftsubnet=192.0.2.128/29
-
-conn clear-net
-    also=clear
-    leftsubnet=192.0.2.128/29
-
-conn block-net
-    also=block
-    leftsubnet=192.0.2.128/29
-</PRE>
-<P>Copy the gateway's files to serve as the initial policy group files
- for the new groups:</P>
-<PRE>
-    cp -p /etc/ipsec.d/policies/private /etc/ipsec.d/policies/private-net
-    cp -p /etc/ipsec.d/policies/private-or-clear /etc/ipsec.d/policies/private-or-clear-net
-    cp -p /etc/ipsec.d/policies/clear-or-private /etc/ipsec.d/policies/clear-or-private-net
-    cp -p /etc/ipsec.d/policies/clear /etc/ipsec.d/policies/clear-net
-    cp -p /etc/ipsec.d/policies/block /etc/ipsec.d/policies/block
-</PRE>
-<P><STRONG>Tip: Since a missing policy group file is equivalent to a
- file with no entries, you need only create files for the connections
- you'll use.</STRONG></P>
-<P>To test one of your new groups, place the fullnet 0.0.0.0/0 in<VAR>
- private-or-clear-net</VAR>. Perform the subnet test in<A HREF="#opp.test">
- our quickstart guide</A>. You should see a connection, and</P>
-<PRE>    ipsec eroute</PRE>
-<P>should include an entry which mentions the subnet node's IP and the
- OE test site IP, like this:</P>
-<PRE>    192.0.2.131/32   -&gt; 192.139.46.77/32  =&gt; tun0x149f@192.0.2.11</PRE>
-<A HREF="example5"></A>
-<H3><A NAME="4_2_5">Example 5: Adding a Subnet to the VPN</A></H3>
-<P>Suppose you wish to secure traffic to a subnet 192.0.2.192/29 behind
- a FreeS/WAN box 192.0.2.12.</P>
-<P>First, add DNS entries to configure 192.0.2.12 as an opportunistic
- gateway for that subnet. Instructions are in our<A HREF="#opp.gate">
- quickstart guide</A>. Next, create a<VAR> private-net</VAR> group on
- 192.0.2.12 as described in<A HREF="#example4"> Example 4</A>.</P>
-<P>On each other host, add the subnet 192.0.2.192/29 to<VAR> private</VAR>
-, yielding for example</P>
-<PRE>    [root@xy root]# cd /etc/ipsec.d/policies
-    [root@xy policies]# cat private
-        192.0.2.9              # several hosts at example.com
-        192.0.2.11
-        192.0.2.12             # HR department gateway
-        192.0.2.192/29         # HR subnet
-        irc.private.example.com
-</PRE>
-<P>and reread policy groups with</P>
-<PRE>    ipsec auto --rereadgroups</PRE>
-<P>That's all the configuration you need.</P>
-<P>Test your VPN by pinging from a machine on 192.0.2.192/29 to any
- other host:</P>
-<PRE>    [root@192.0.2.194]# ping 192.0.2.11</PRE>
-<P>After a second or two, traffic should flow, and</P>
-<PRE>    ipsec eroute</PRE>
-<P>should yield something like</P>
-<PRE>    192.0.2.11/32   -&gt; 192.0.2.194/32  =&gt; tun0x149f@192.0.2.12
-</PRE>
-<P>Key:</P>
-<TABLE>
-<TR><TD>1.</TD><TD>192.0.2.11/32</TD><TD>Local start point of the
- protected traffic.</TD></TR>
-<TR><TD>2.</TD><TD>192.0.2.194/32</TD><TD>Remote end point of the
- protected traffic.</TD></TR>
-<TR><TD>3.</TD><TD>192.0.2.12</TD><TD>Remote FreeS/WAN node (gateway or
- host). May be the same as (2).</TD></TR>
-<TR><TD>4.</TD><TD>[not shown]</TD><TD>Local FreeS/WAN node (gateway or
- host), where you've produced the output. May be the same as (1).</TD></TR>
-</TABLE>
-<P>For additional assurance, you can verify with a packet sniffer that
- the traffic is being encrypted.</P>
-<P>Note</P>
-<UL>
-<LI>Because strangers may also connect via OE, this type of VPN may
- require a stricter firewalling policy than a conventional VPN.</LI>
-</UL>
-<H2><A NAME="4_3">Appendix</A></H2>
-<A NAME="hiddenconn"></A>
-<H3><A NAME="4_3_1">Our Hidden Connections</A></H3>
-<P>Our Base Policy Groups are created using hidden connections. These
- are spelled out in<A HREF="manpage.d/ipsec.conf.5.html"> man ipsec.conf</A>
- and defined in<VAR> /usr/local/lib/ipsec/_confread</VAR>.</P>
-<A NAME="custom_policygroups"></A>
-<H3><A NAME="4_3_2">Custom Policy Groups</A></H3>
-<P>A policy group is built using a special connection description in<VAR>
- ipsec.conf</VAR>, which:</P>
-<UL>
-<LI>is<STRONG> generic</STRONG>. It uses<VAR>
- right=[%group|%opportunisticgroup]</VAR> rather than specific IPs. The
- connection is cloned for every name or IP range listed in its Policy
- Group file.</LI>
-<LI>often has a<STRONG> failure rule</STRONG>. This rule, written<VAR>
- failureshunt=[passthrough|drop|reject|none]</VAR>, tells FreeS/WAN what
- to do with packets for these CIDRs if it fails to establish the
- connection. Default is<VAR> none</VAR>.</LI>
-</UL>
-<P>To create a new group:</P>
-<OL>
-<LI>Create its connection definition in<VAR> ipsec.conf</VAR>.</LI>
-<LI>Create a Policy Group file in<VAR> /etc/ipsec.d/policies</VAR> with
- the same name as your connection.</LI>
-<LI>Put a CIDR block in that file.</LI>
-<LI>Reread groups with<VAR> ipsec auto --rereadgroups</VAR>.</LI>
-<LI>Test:<VAR> ping</VAR> to activate any OE connection, and view
- results with<VAR> ipsec eroute</VAR>.</LI>
-</OL>
-<A NAME="disable_oe"></A><A NAME="disable_policygroups"></A>
-<H3><A NAME="4_3_3">Disabling Opportunistic Encryption</A></H3>
-<P>To disable OE (eg. policy groups and packetdefault), cut and paste
- the following lines to<VAR> /etc/ipsec.conf</VAR>:</P>
-<PRE>conn block
-    auto=ignore
-
-conn private
-    auto=ignore
-
-conn private-or-clear
-    auto=ignore
-
-conn clear-or-private
-    auto=ignore
-
-conn clear
-    auto=ignore
-
-conn packetdefault
-    auto=ignore</PRE>
-<P>Restart FreeS/WAN so that the changes take effect:</P>
-<PRE>    ipsec setup restart</PRE>
-<HR>
-<H1><A NAME="5">FreeS/WAN FAQ</A></H1>
-<P>This is a collection of questions and answers, mostly taken from the
- FreeS/WAN<A href="mail.html"> mailing list</A>. See the project<A href="http://www.freeswan.org/">
- web site</A> for more information. All the FreeS/WAN documentation is
- online there.</P>
-<P>Contributions to the FAQ are welcome. Please send them to the project<A
-href="mail.html"> mailing list</A>.</P>
-<HR>
-<H2><A name="questions">Index of FAQ questions</A></H2>
-<UL>
-<LI><A href="#whatzit">What is FreeS/WAN?</A></LI>
-<LI><A href="#problems">How do I report a problem or seek help?</A></LI>
-<LI><A href="#generic">Can I get ...</A>
-<UL>
-<LI><A href="#lemme_out">... an off-the-shelf system that includes
- FreeS/WAN?</A></LI>
-<LI><A href="#contractor">... contractors or staff who know FreeS/WAN?</A>
-</LI>
-<LI><A href="#commercial">... commercial support?</A></LI>
-</UL>
-</LI>
-<LI><A href="#release">Release questions</A>
-<UL>
-<LI><A href="#rel.current">What is the current release?</A></LI>
-<LI><A href="#relwhen">When is the next release?</A></LI>
-<LI><A href="#rel.bugs">Are there known bugs in the current release?</A></LI>
-</UL>
-</LI>
-<LI><A href="mod_cons">Modifications and contributions</A>
-<UL>
-<LI><A href="#modify.faq">Can I modify FreeS/WAN to ...?</A></LI>
-<LI><A href="#contrib.faq">Can I contribute to the project?</A></LI>
-<LI><A href="#ddoc.faq">Is there detailed design documentation?</A></LI>
-</UL>
-</LI>
-<LI><A href="#interact">Will FreeS/WAN work in my environment?</A>
-<UL>
-<LI><A href="#interop.faq">Can FreeS/WAN talk to ... ?</A></LI>
-<LI><A href="#old_to_new">Can different FreeS/WAN versions talk to each
- other?</A></LI>
-<LI><A href="#faq.bandwidth">Is there a limit on throughput?</A></LI>
-<LI><A href="#faq.number">Is there a limit on number of connections?</A></LI>
-<LI><A href="#faq.speed">Is a ... fast enough to handle FreeS/WAN with
- my loads?</A></LI>
-</UL>
-</LI>
-<LI><A href="#work_on">Will FreeS/WAN work on ...</A>
-<UL>
-<LI><A href="#versions">... my version of Linux?</A></LI>
-<LI><A href="#nonIntel.faq">... non-Intel CPUs?</A></LI>
-<LI><A href="#multi.faq">... multiprocessors?</A></LI>
-<LI><A href="#k.old">... an older kernel?</A></LI>
-<LI><A href="#k.versions">... the latest kernel version?</A></LI>
-<LI><A href="#interface.faq">... unusual network hardware?</A></LI>
-<LI><A href="#vlan">... a VLAN (802.1q) network?</A></LI>
-</UL>
-</LI>
-<LI><A href="#features.faq">Does FreeS/WAN support ...</A>
-<UL>
-<LI><A href="#VPN.faq">... site-to-site VPN applications</A></LI>
-<LI><A href="#warrior.faq">... remote users connecting to a LAN</A></LI>
-<LI><A href="#road.shared.possible">... remote users using shared secret
- authentication?</A></LI>
-<LI><A href="#wireless.faq">... wireless networks</A></LI>
-<LI><A href="#PKIcert">... X.509 or other PKI certificates?</A></LI>
-<LI><A href="#Radius">... user authentication (Radius, SecureID, Smart
- Card ...)?</A></LI>
-<LI><A href="#NATtraversal">... NAT traversal</A></LI>
-<LI><A href="#virtID">... assigning a &quot;virtual identity&quot; to a remote
- system?</A></LI>
-<LI><A href="#noDES.faq">... single DES encryption?</A></LI>
-<LI><A href="#AES.faq">... AES encryption?</A></LI>
-<LI><A href="#other.cipher">... other encryption algorithms?</A></LI>
-</UL>
-</LI>
-<LI><A href="#canI">Can I ...</A>
-<UL>
-<LI><A href="#policy.preconfig">...use policy groups along with
- explicitly configured connections?</A></LI>
-<LI><A href="#policy.off">...turn off policy groups?</A></LI>
-
-<!--
-      <li><a href="#policy.otherinterface">...use policy groups
-      on an interface other than <VAR>%defaultroute</VAR>?</a></li>
--->
-<LI><A href="#reload">... reload connection info without restarting?</A></LI>
-<LI><A href="#masq.faq">... use several masqueraded subnets?</A></LI>
-<LI><A href="#dup_route">... use subnets masqueraded to the same
- addresses?</A></LI>
-<LI><A href="#road.masq">... assign a road warrior an address on my net
- (a virtual identity)?</A></LI>
-<LI><A href="#road.many">... support many road warriors with one
- gateway?</A></LI>
-<LI><A href="#road.PSK">... have many road warriors using shared secret
- authentication?</A></LI>
-<LI><A href="#QoS">... use Quality of Service routing with FreeS/WAN?</A>
-</LI>
-<LI><A href="#deadtunnel">... recognise dead tunnels and shut them down?</A>
-</LI>
-<LI><A href="#demanddial">... build IPsec tunnels over a demand-dialed
- link?</A></LI>
-<LI><A href="#GRE">... build GRE, L2TP or PPTP tunnels over IPsec?</A></LI>
-<LI><A href="#NetBIOS">... use Network Neighborhood (Samba, NetBIOS)
- over IPsec?</A></LI>
-</UL>
-</LI>
-<LI><A href="#setup.faq">Life's little mysteries</A>
-<UL>
-<LI><A href="#cantping">I cannot ping ....</A></LI>
-<LI><A href="#forever">It takes forever to ...</A></LI>
-<LI><A href="#route">I send packets to the tunnel with route(8) but they
- vanish</A></LI>
-<LI><A href="#down_route">When a tunnel goes down, packets vanish</A></LI>
-<LI><A href="#firewall_ate">The firewall ate my packets!</A></LI>
-<LI><A href="#dropconn">Dropped connections</A></LI>
-<LI><A href="#defaultroutegone">Disappearing %defaultroute</A></LI>
-<LI><A href="#tcpdump.faq">TCPdump on the gateway shows strange things</A>
-</LI>
-<LI><A href="#no_trace">Traceroute does not show anything between the
- gateways</A></LI>
-</UL>
-</LI>
-<LI><A href="#man4debug">Testing in stages (or .... works but ...
- doesn't)</A>
-<UL>
-<LI><A href="#nomanual">Manually keyed connections don't work</A></LI>
-<LI><A href="#spi_error">One manual connection works, but second one
- fails</A></LI>
-<LI><A href="#man_no_auto">Manual connections work, but automatic keying
- doesn't</A></LI>
-<LI><A href="#nocomp">IPsec works, but connections using compression
- fail</A></LI>
-<LI><A href="#pmtu.broken">Small packets work, but large transfers fail</A>
-</LI>
-<LI><A href="#subsub">Subnet-to-subnet works, but tests from the
- gateways don't</A></LI>
-</UL>
-</LI>
-<LI><A href="#compile.faq">Compilation problems</A>
-<UL>
-<LI><A href="#gmp.h_missing">gmp.h: No such file or directory</A></LI>
-<LI><A href="#noVM">... virtual memory exhausted</A></LI>
-</UL>
-</LI>
-<LI><A href="#error">Interpreting error messages</A>
-<UL>
-<LI><A href="#route-client">route-client (or host) exited with status 7</A>
-</LI>
-<LI><A href="#unreachable">SIOCADDRT:Network is unreachable</A></LI>
-<LI><A href="#modprobe">ipsec_setup: modprobe: Can't locate moduleipsec</A>
-</LI>
-<LI><A href="#noKLIPS">ipsec_setup: Fatal error, kernel appears to lack
- KLIPS</A></LI>
-<LI><A href="#noDNS">ipsec_setup: ... failure to fetch key for ... from
- DNS</A></LI>
-<LI><A href="#dup_address">ipsec_setup: ... interfaces ... and ... share
- address ...</A></LI>
-<LI><A href="#kflags">ipsec_setup: Cannot adjust kernel flags</A></LI>
-<LI><A href="#message_num">Message numbers (MI3, QR1, et cetera) in
- Pluto messages</A></LI>
-<LI><A href="#conn_name">Connection names in Pluto error messages</A></LI>
-<LI><A href="#cantorient">Pluto: ... can't orient connection</A></LI>
-<LI><A href="#no.interface">... we have no ipsecN interface for either
- end of this connection</A></LI>
-<LI><A href="#noconn">Pluto: ... no connection is known</A></LI>
-<LI><A href="#nosuit">Pluto: ... no suitable connection ...</A></LI>
-<LI><A href="#noconn.auth">Pluto: ... no connection has been authorized</A>
-</LI>
-<LI><A href="#noDESsupport">Pluto: ... OAKLEY_DES_CBC is not supported.</A>
-</LI>
-<LI><A href="#notransform">Pluto: ... no acceptable transform</A></LI>
-<LI><A href="#rsasigkey">rsasigkey dumps core</A></LI>
-<LI><A href="#sig4">!Pluto failure!: ... exited with ... signal 4</A></LI>
-<LI><A href="#econnrefused">ECONNREFUSED error message</A></LI>
-<LI><A href="#no_eroute">klips_debug: ... no eroute!</A></LI>
-<LI><A href="#SAused">... trouble writing to /dev/ipsec ... SA already
- in use</A></LI>
-<LI><A href="#ignore">... ignoring ... payload</A></LI>
-<LI><A href="#unknown_rightcert">unknown parameter name &quot;rightcert&quot;</A></LI>
-</UL>
-</LI>
-<LI><A href="#spam">Why don't you restrict the mailing lists to reduce
- spam?</A></LI>
-</UL>
-<HR>
-<H2><A name="whatzit">What is FreeS/WAN?</A></H2>
-<P>FreeS/WAN is a Linux implementation of the<A href="#IPSEC"> IPsec</A>
- protocols, providing security services at the IP (Internet Protocol)
- level of the network.</P>
-<P>For more detail, see our<A href="intro.html"> introduction</A>
- document or the FreeS/WAN project<A href="http://www.freeswan.org/">
- web site</A>.</P>
-<P>To start setting it up, go to our<A href="quickstart.html">
- quickstart guide</A>.</P>
-<P>Our<A href="web.html"> web links</A> document has information on<A href="#implement">
- IPsec for other systems</A>.</P>
-<H2><A name="problems">How do I report a problem or seek help?</A></H2>
-<DL>
-<DT>Read our<A href="trouble.html"> troubleshooting</A> document.</DT>
-<DD>
-<P>It may guide you to a solution. If not, see its<A href="#prob.report">
- problem reporting</A> section.</P>
-<P>Basically, what it says is<STRONG> give us the output from<VAR> ipsec
- barf</VAR> from both gateways</STRONG>. Without full information, we
- cannot diagnose a problem. However,<VAR> ipsec barf</VAR> produces a
- lot of output. If at all possible,<STRONG> please make barfs accessible
- via the web or FTP</STRONG> rather than sending enormous mail messages.</P>
-</DD>
-<DT><STRONG>Use the<A href="mail.html"> users mailing list</A> for
- problem reports</STRONG>, rather than mailing developers directly.</DT>
-<DD>
-<UL>
-<LI>This gives you access to more expertise, including users who may
- have encountered and solved the same problems.</LI>
-<LI>It is more likely to get a quick response. Developers may get behind
- on email, or even ignore it entirely for a while, but a list message
- (given a reasonable Subject: line) is certain to be read by a fair
- number of people within hours.</LI>
-<LI>It may also be important because of<A href="#exlaw"> cryptography
- export laws</A>. A US citizen who provides technical assistance to
- foreign cryptographic work might be charged under the arms export
- regulations. Such a charge would be easier to defend if the discussion
- took place on a public mailing list than if it were done in private
- mail.</LI>
-</UL>
-</DD>
-<DT>Try irc.freenode.net#freeswan.</DT>
-<DD>
-<P>FreeS/WAN developers, volunteers and users can often be found there.
- Be patient and be prepared to provide lots of information to support
- your question.</P>
-<P>If your question was really interesting, and you found an answer,
- please share that with the class by posting to the<A href="mail.html">
- users mailing list</A>. That way others with the same problem can find
- your answer in the archives.</P>
-</DD>
-<DT>Premium support is also available.</DT>
-<DD>
-<P>See the next several questions.</P>
-</DD>
-</DL>
-<H2><A name="generic">Can I get ...</A></H2>
-<H3><A name="lemme_out">Can I get an off-the-shelf system that includes
- FreeS/WAN?</A></H3>
-<P>There are a number of Linux distributions or firewall products which
- include FreeS/WAN. See this<A href="#products"> list</A>. Using one of
- these, chosen to match your requirements and budget, may save you
- considerable time and effort.</P>
-<P>If you don't know your requirements, start by reading Schneier's<A href="#secrets">
- Secrets and Lies</A>. That gives the best overview of security issues I
- have seen. Then consider hiring a consultant (see next question) to
- help define your requirements.</P>
-<H3><A name="consultant">Can I hire consultants or staff who know
- FreeS/WAN?</A></H3>
-<P>If you want the help of a contractor, or to hire staff with FreeS/WAN
- expertise, you could:</P>
-<UL>
-<LI>check availability in your area through your local Linux User Group
- (<A href="http://lugww.counter.li.org/">LUG Index</A>)</LI>
-<LI>try asking on our<A href="mail.html"> mailing list</A></LI>
-</UL>
-<P>For companies offerring support, see the next question.</P>
-<H3><A name="commercial">Can I get commercial support?</A></H3>
-<P>Many of the distributions or firewall products which include
- FreeS/WAN (see this<A href="#products"> list</A>) come with commercial
- support or have it available as an option.</P>
-<P>Various companies specialize in commercial support of open source
- software. Our project leader was a founder of the first such company,
- Cygnus Support. It has since been bought by<A href="http://www.redhat.com">
- Redhat</A>. Another such firm is<A href="http://www.linuxcare.com">
- Linuxcare</A>.</P>
-<H2><A name="release">Release questions</A></H2>
-<H3><A name="rel.current">What is the current release?</A></H3>
-<P>The current release is the highest-numbered tarball on our<A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">
- distribution site</A>. Almost always, any of<A href="#mirrors"> the
- mirrors</A> will have the same file, though perhaps not for a day or so
- after a release.</P>
-<P>Unfortunately, the web site is not always updated as quickly as it
- should be.</P>
-<H3><A name="relwhen">When is the next release?</A></H3>
-<P>We try to do a release approximately every six to eight weeks.</P>
-<P>If pre-release tests fail and the fix appears complex, or more
- generally if the code does not appear stable when a release is
- scheduled, we will just skip that release.</P>
-<P>For serious bugs, we may bring out an extra bug-fix release. These
- get numbers in the normal release series. For example, there was a bug
- found in FreeS/WAN 1.6, so we did another release less than two weeks
- later. The bug-fix release was called 1.7.</P>
-<H3><A name="rel.bugs">Are there known bugs in the current release?</A></H3>
-<P>Any problems we are aware of at the time of a release are documented
- in the<A href="../BUGS"> BUGS</A> file for that release. You should
- also look at the<A href="../CHANGES"> CHANGES</A> file.</P>
-<P>Bugs discovered after a release are discussed on the<A href="mail.html">
- mailing lists</A>. The easiest way to check for any problems in the
- current code would be to peruse the<A href="http://lists.freeswan.org/pipermail/briefs">
- List In Brief</A>.</P>
-<H2><A name="mod_cons">Modifications and contributions</A></H2>
-<H3><A name="modify.faq">Can I modify FreeS/WAN to ...?</A></H3>
-<P>You are free to modify FreeS/WAN in any way. See the discussion of<A href="#licensing">
- licensing</A> in our introduction document.</P>
-<P>Before investing much energy in any such project, we suggest that you</P>
-<UL>
-<LI>check the list of<A href="#patch"> existing patches</A></LI>
-<LI>post something about your project to the<A href="mail.html"> design
- mailing list</A></LI>
-</UL>
-<P>This may prevent duplicated effort, or lead to interesting
- collaborations.</P>
-<H3><A name="contrib.faq">Can I contribute to the project?</A></H3>
- In general, we welcome contributions from the community. Various
- contributed patches, either to fix bugs or to add features, have been
- incorporated into our distribution. Other patches, not yet included in
- the distribution, are listed in our<A href="#patch"> web links</A>
- section.
-<P>Users have also contributed heavily to documentation, both by
- creating their own<A href="#howto"> HowTos</A> and by posting things on
- the<A href="mail.html"> mailing lists</A> which I have quoted in these
- HTML docs.</P>
-<P>There are, however, some caveats.</P>
-<P>FreeS/WAN is being implemented in Canada, by Canadians, largely to
- ensure that is it is entirely free of export restrictions. See this<A href="#status">
- discussion</A>. We<STRONG> cannot accept code contributions from US
- residents or citizens</STRONG>, not even one-line bugs fixes. The
- reasons for this were recently discussed extensively on the mailing
- list, in a thread starting<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/01/msg00111.html">
- here</A>.</P>
-<P>Not all contributions are of interest to us. The project has a set of
- fairly ambitious and quite specific goals, described in our<A href="#goals">
- introduction</A>. Contributions that lead toward these goals are likely
- to be welcomed enthusiastically. Other contributions may be seen as
- lower priority, or even as a distraction.</P>
-<P>Discussion of possible contributions takes place on the<A href="mail.html">
- design mailing list</A>.</P>
-<H3><A name="ddoc.faq">Is there detailed design documentation?</A></H3>
- There are:
-<UL>
-<LI><A href="rfc.html">RFCs</A> specifying the protocols we implement</LI>
-<LI><A href="manpages.html">man pages</A> for our utilities, library
- functions and file formats</LI>
-<LI>comments in the source code</LI>
-<LI><A href="index.html">HTML documentation</A> written primarily for
- users</LI>
-<LI>archived discussions from the<A href="mail.html"> mailing lists</A></LI>
-<LI>other papers mentioned in our<A href="#applied"> introduction</A></LI>
-</UL>
-<P>The only formal design documents are a few papers in the last
- category above. All the other categories, however, have things to say
- about design as well.</P>
-<H2><A name="interact">Will FreeS/WAN work in my environment?</A></H2>
-<H3><A name="interop.faq">Can FreeS/WAN talk to ...?</A></H3>
-<P>The IPsec protocols are designed to support interoperation. In
- theory, any two IPsec implementations should be able to talk to each
- other. In practice, it is considerably more complex. We have a whole<A href="interop.html">
- interoperation document</A> devoted to this problem.</P>
-<P>An important part of that document is links to the many<A href="interop.html#otherpub">
- user-written HowTos</A> on interoperation between FreeS/WAN and various
- other implementations. Often the users know more than the developers
- about these issues (and almost always more than me :-), so these
- documents may be your best resource.</P>
-<H3><A name="old_to_new">Can different FreeS/WAN versions talk to each
- other?</A></H3>
-<P>Linux FreeS/WAN can interoperate with many IPsec implementations,
- including earlier versions of Linux FreeS/WAN itself.</P>
-<P>In a few cases, there are some complications. See our<A href="interop.html#oldswan">
- interoperation</A> document for details.</P>
-<H3><A name="faq.bandwidth">Is there a limit on throughput?</A></H3>
-<P>There is no hard limit, but see below.</P>
-<H3><A name="faq.number">Is there a limit on number of tunnels?</A></H3>
-<P>There is no hard limit, but see next question.</P>
-<H3><A name="faq.speed">Is a ... fast enough to handle FreeS/WAN with my
- loads?</A></H3>
-<P>A quick summary:</P>
-<DL>
-<DT>Even a limited machine can be useful</DT>
-<DD>A 486 can handle a T1, ADSL or cable link, though the machine may be
- breathing hard.</DD>
-<DT>A mid-range PC (say 800 MHz with good network cards) can do a lot of
- IPsec</DT>
-<DD>With up to roughly 50 tunnels and aggregate bandwidth of 20 Megabits
- per second, it willl have cycles left over for other tasks.</DD>
-<DT>There are limits</DT>
-<DD>Even a high end CPU will not come close to handling a fully loaded
- 100 Mbit/second Ethernet link.
-<P>Beyond about 50 tunnels it needs careful management.</P>
-</DD>
-</DL>
-<P>See our<A href="performance.html"> FreeS/WAN performance</A> document
- for details.</P>
-<H2><A name="work_on">Will FreeS/WAN work on ... ?</A></H2>
-<H3><A name="versions">Will FreeS/WAN run on my version of Linux?</A></H3>
-<P>We build and test on Redhat distributions, but FreeS/WAN runs just
- fine on several other distributions, sometimes with minor fiddles to
- adapt to the local environment. Details are in our<A href="#otherdist">
- compatibility</A> document. Also, some distributions or products come
- with<A href="#products"> FreeS/WAN included</A>.</P>
-<H3><A name="nonIntel.faq">Will FreeS/WAN run on non-Intel CPUs?</A></H3>
-<P>FreeS/WAN is<STRONG> intended to run on all CPUs Linux supports</STRONG>
-. We know of it being used in production on x86, ARM, Alpha and MIPS. It
- has also had successful tests on PPC and SPARC, though we don't know of
- actual use there. Details are in our<A href="#CPUs"> compatibility</A>
- document.</P>
-<H3><A name="multi.faq">Will FreeS/WAN run on multiprocessors?</A></H3>
-<P>FreeS/WAN is designed to work on any SMP architecture Linux supports,
- and has been tested successfully on at least dual processor Intel
- architecture machines. Details are in our<A href="#multiprocessor">
- compatibility</A> document.</P>
-<H3><A name="k.old">Will FreeS/WAN work on an older kernel?</A></H3>
-<P>It might, but we strongly recommend using a recent 2.2 or 2.4 series
- kernel. Sometimes the newer versions include security fixes which can
- be quite important on a gateway.</P>
-<P>Also, we use recent kernels for development and testing, so those are
- better tested and, if you do encounter a problem, more easily
- supported. If something breaks applying recent FreeS/WAN patches to an
- older kernel, then &quot;update your kernel&quot; is almost certain to be the
- first thing we suggest. It may be the only suggestion we have.</P>
-<P>The precise kernel versions supported by a particular FreeS/WAN
- release are given in the<A href="XX"> README</A> file of that release.</P>
-<P>See the following question for more on kernels.</P>
-<H3><A name="k.versions">Will FreeS/WAN run on the latest kernel
- version?</A></H3>
-<P>Sometimes yes, but quite often, no.</P>
-<P>Kernel versions supported are given in the<A href="../README"> README</A>
- file of each FreeS/WAN release. Typically, they are whatever production
- kernels were current at the time of our release (or shortly before; we
- might release for kernel<VAR> n</VAR> just as Linus releases<VAR> n+1</VAR>
-). Often FreeS/WAN will work on slightly later kernels as well, but of
- course this cannot be guaranteed.</P>
-<P>For example, FreeS/WAN 1.91 was released for kernels 2.2.19 or 2.4.5,
- the current kernels at the time. It also worked on 2.4.6, 2.4.7 and
- 2.4.8, but 2.4.9 had changes that caused compilation errors if it was
- patched with FreeS/WAN 1.91.</P>
-<P>When such changes appear, we put a fix in the FreeS/WAN snapshots,
- and distribute it with our next release. However, this is not a high
- priority for us, and it may take anything from a few days to several
- weeks for such a problem to find its way to the top of our kernel
- programmer's To-Do list. In the meanwhile, you have two choices:</P>
-<UL>
-<LI>either stick with a slightly older kernel, even if it is not the
- latest and greatest. This is recommended for production systems; new
- versions may have new bugs.</LI>
-<LI>or fix the problem yourself and send us a patch, via the<A href="mail.html">
- Users mailing list</A>.</LI>
-</UL>
-<P>We don't even try to keep up with kernel changes outside the main 2.2
- and 2.4 branches, such as the 2.4.x-ac patched versions from Alan Cox
- or the 2.5 series of development kernels. We'd rather work on
- developing the FreeS/WAN code than on chasing these moving targets. We
- are, however, happy to get patches for problems discovered there.</P>
-<P>See also the<A href="install.html#choosek"> Choosing a kernel</A>
- section of our installation document.</P>
-<H3><A name="interface.faq">Will FreeS/WAN work on unusual network
- hardware?</A></H3>
-<P>IPsec is designed to work over any network that IP works over, and
- FreeS/WAN is intended to work over any network interface hardware that
- Linux supports.</P>
-<P>If you have working IP on some unusual interface -- perhaps Arcnet,
- Token Ring, ATM or Gigabit Ethernet -- then IPsec should &quot;just work&quot;.</P>
-<P>That said, practice is sometimes less tractable than theory. Our
- testing is done almost entirely on:</P>
-<UL>
-<LI>10 or 100 Mbit Ethernet</LI>
-<LI>ADSL or cable connections, with and without PPPoE</LI>
-<LI>IEEE 802.11 wireless LANs (see<A href="#wireless.faq"> below</A>)</LI>
-</UL>
-<P>If you have some other interface, especially an uncommon one, it is
- entirely possible you will get bitten either by a FreeS/WAN bug which
- our testing did not turn up, or by a bug in the driver that shows up
- only with our loads.</P>
-<P>If IP works on your interface and FreeS/WAN doesn't, seek help on the<A
-href="mail.html"> mailing lists</A>.</P>
-<P>Another FAQ section describes<A href="#pmtu.broken"> MTU problems</A>
-. These are a possibility for some interfaces.</P>
-<H3><A name="vlan">Will FreeS/WAN work on a VLAN (802.1q) network?</A></H3>
-<P> Yes, FreeSwan works fine, though some network drivers have problems
- with jumbo sized ethernet frames. If you used interfaces=%defaultroute
- you do not need to change anything, but if you specified an interface
- (eg eth0) then remember you must change that to reflect the VLAN
- interface (eg eth0.2 for VLAN ID 2).</P>
-<P> The &quot;eepro100&quot; module is known to be broken, use the e100 driver for
- those cards instead (included in 2.4 as 'alternative driver' for the
- Intel EtherExpressPro/100.</P>
-<P> You do not need to change any MTU setting (those are workarounds
- that are only needed for buggy drivers)</P>
-<P><EM>This FAQ contributed by Paul Wouters.</EM></P>
-<H2><A name="features.faq">Does FreeS/WAN support ...</A></H2>
-<P>For a discussion of which parts of the IPsec specifications FreeS/WAN
- does and does not implement, see our<A href="#spec"> compatibility</A>
- document.</P>
-<P>For information on some often-requested features, see below.</P>
-<H3><A name="VPN.faq"></A>Does FreeS/WAN support site-to-site VPN (<A HREF="#VPN">
-Virtual Private Network</A>) applications?</H3>
-<P>Absolutely. See this FreeS/WAN-FreeS/WAN<A HREF="config.html">
- configuration example</A>. If only one site is using FreeS/WAN, there
- may be a relevant HOWTO on our<A HREF="interop.html"> interop page</A>.</P>
-<H3><A name="warrior.faq">Does FreeS/WAN support remote users connecting
- to a LAN?</A></H3>
-<P>Yes. We call the remote users &quot;Road Warriors&quot;. Check out our
- FreeS/WAN-FreeS/WAN<A HREF="#config.rw"> Road Warrior Configuration
- Example</A>.</P>
-<P>If your Road Warrior is a Windows or Mac PC, you may need to install
- an IPsec implementation on that machine. Our<A HREF="interop.html">
- interop</A> page lists many available brands, and features links to
- several HOWTOs.</P>
-<H3><A name="road.shared.possible">Does FreeS/WAN support remote users
- using shared secret authentication?</A></H3>
-<P><STRONG>Yes, but</STRONG> there are severe restrictions, so<STRONG>
- we strongly recommend using</STRONG><A href="#RSA"><STRONG> RSA</STRONG>
-</A><STRONG> keys for</STRONG><A href="#authentication"><STRONG>
- authentication</STRONG></A><STRONG> instead</STRONG>.</P>
-<P>See this<A href="#road.PSK"> FAQ question</A>.</P>
-<H3><A name="wireless.faq">Does FreeS/WAN support wireless networks?</A></H3>
-<P>Yes, it is a common practice to use IPsec over wireless networks
- because their built-in encryption,<A href="#WEP"> WEP</A>, is insecure.</P>
-<P>There is some<A href="#wireless.config"> discussion</A> in our
- advanced configuration document. See also the<A HREF="http://www.wavesec.org">
- WaveSEC site</A>.</P>
-<H3><A name="PKIcert">Does FreeS/WAN support X.509 or other PKI
- certificates?</A></H3>
-<P>Vanilla FreeS/WAN does not support X.509, but Andreas Steffen and
- others have provided a popular, well-supported X.509 patch.</P>
-<UL>
-<LI><A HREF="http://www.strongsec.com/freeswan">patch</A></LI>
-<LI><A HREF="http://www.freeswan.ca">Super FreeS/WAN</A> incorporates
- this and other user-contributed patches.</LI>
-<LI> Kai Martius'<A HREF="http://www.strongsec.com/freeswan/install.htm">
- X.509 Installation and Configuration Guide</A></LI>
-</UL>
-<P> Linux FreeS/WAN features<A HREF="quickstart.html"> Opportunistic
- Encryption</A>, an alternative Public Key Infrastructure based on
- Secure DNS.</P>
-<H3><A name="Radius">Does FreeS/WAN support user authentication (Radius,
- SecureID, Smart Card...)?</A></H3>
-<P>Andreas Steffen's<A HREF="http://www.strongsec.com/freeswan"> X.509
- patch</A> (v. 1.42+) supports Smart Cards. The patch does not ship with
- vanilla FreeS/WAN, but will be incorporated into<A HREF="http://www.freeswan.ca/">
- Super FreeS/WAN 2.01+</A>. The patch implements the PCKS#15
- Cryptographic Token Information Format Standard, using the OpenSC
- smartcard library functions.</P>
-<P>Older news:</P>
-<P>A user-supported patch to FreeS/WAN 1.3, for smart card style
- authentication, is available on<A HREF="http://alcatraz.webcriminals.com/~bastiaan/ipsec">
- Bastiaan's site</A>. It supports skeyid and ibutton. This patch is not
- part of Super FreeS/WAN.</P>
-<P>For a while progress on this front was impeded by a lack of standard.
- The IETF<A href="http://www.ietf.org/html.charters/ipsra-charter.html">
- working group</A> has now nearly completed its recommended solution to
- the problem; meanwhile several vendors have implemented various things.</P>
-
-<!--
-<p>The <a href="web.html#patch">patches</a> section of our web links document
-has links to some user work on this.</p>
--->
-<P>Of course, there are various ways to avoid any requirement for user
- authentication in IPsec. Consider the situation where road warriors
- build IPsec tunnels to your office net and you are considering
- requiring user authentication during tunnel negotiation. Alternatives
- include:</P>
-<UL>
-<LI>If you can trust the road warrior machines, then set them up so that
- only authorised users can create tunnels. If your road warriors use
- laptops, consider the possibility of theft.</LI>
-<LI>If the tunnel only provides access to particular servers and you can
- trust those servers, then set the servers up to require user
- authentication.</LI>
-</UL>
-<P>If either of those is trustworthy, it is not clear that you need user
- authentication in IPsec.</P>
-<H3><A name="NATtraversal">Does FreeS/WAN support NAT traversal?</A></H3>
-<P>Vanilla FreeS/WAN does not, but thanks to Mathieu Lafon and Arkoon
- Network Security, there's a patch to support this.</P>
-<UL>
-<LI><A HREF="http://open-source.arkoon.net">patch and documentation</A></LI>
-<LI><A HREF="http://www.freeswan.ca">Super FreeS/WAN</A> incorporates
- this and other user-contributed patches.</LI>
-</UL>
-<P>The NAT traversal patch has some issues with PSKs, so you may wish to
- authenticate with RSA keys, or X.509 (requires a patch which is also
- included in Super FreeS/WAN). Doing the latter also has advantages when
- dealing with large numbers of clients who may be behind NAT; instead of
- having to make an individual Roadwarrior connection for each virtual
- IP, you can use the &quot;rightsubnetwithin&quot; parameter to specify a range.
- See<A HREF="http://www.strongsec.com/freeswan/install.htm#section_4.4">
- these<VAR> rightsubnetwithin</VAR> instructions</A>.</P>
-<H3><A name="virtID">Does FreeS/WAN support assigning a &quot;virtual
- identity&quot; to a remote system?</A></H3>
-<P>Some IPsec implementations allow you to make the source address on
- packets sent by a Road Warrior machine be something other than the
- address of its interface to the Internet. This is sometimes described
- as assigning a virtual identity to that machine.</P>
-<P>FreeS/WAN does not directly support this, but it can be done. See
- this<A href="#road.masq"> FAQ question</A>.</P>
-<H3><A name="noDES.faq">Does FreeS/WAN support single DES encryption?</A>
-</H3>
-<P><STRONG>No</STRONG>, single DES is not used either at the<A href="#IKE">
- IKE</A> level for negotiating connections or at the<A href="#IPSEC">
- IPsec</A> level for actually building them.</P>
-<P>Single DES is<A href="#desnotsecure"> insecure</A>. As we see it, it
- is more important to deliver real security than to comply with a
- standard which has been subverted into allowing use of inadequate
- methods. See this<A href="#weak"> discussion</A>.</P>
-<P>If you want to interoperate with an IPsec implementation which offers
- only DES, see our<A href="interop.html#noDES"> interoperation</A>
- document.</P>
-<H3><A name="AES.faq">Does FreeS/WAN support AES encryption?</A></H3>
-<P><A href="#AES">AES</A> is a new US government<A href="#block"> block
- cipher</A> standard to replace the obsolete<A href="#DES"> DES</A>.</P>
-<P>At time of writing (March 2002), the FreeS/WAN distribution does not
- yet support AES but user-written<A href="#patch"> patches</A> are
- available to add it. Our kernel programmer is working on integrating
- those patches into the distribution, and there is active discussion of
- this on the design mailimg list.</P>
-<H3><A name="other.cipher">Does FreeS/WAN support other encryption
- algorithms?</A></H3>
-<P>Currently<A href="#3DES"> triple DES</A> is the only cipher
- supported. AES will almost certainly be added (see previous question),
- and it is likely that in the process we will also add the other two AES
- finalists with open licensing, Twofish and Serpent.</P>
-<P>We are extremely reluctant to add other ciphers. This would make both
- use and maintenance of FreeS/WAN more complex without providing any
- clear benefit. Complexity is emphatically not desirable in a security
- product.</P>
-<P>Various users have written patches to add other ciphers. We provide<A href="#patch">
- links</A> to these.</P>
-<H2><A name="canI">Can I ...</A></H2>
-<H3><A name="policy.preconfig">Can I use policy groups along with
- explicitly configured connections?</A></H3>
-<P>Yes, you can, so long as you pay attention to the selection rule,
- which can be summarized &quot;the most specific connection wins&quot;. We
- describe the rule in our<A HREF="#policy.group.notes"> policy groups</A>
- document, and provide a more technical explanation in<A HREF="manpage.d/ipsec.conf.5.html">
- man ipsec.conf</A>.</P>
-<P>A good guideline: If you have a regular connection defined in<VAR>
- ipsec.conf</VAR>, ensure that a subset of that connection is not listed
- in a less restrictive policy group. Otherwise, FreeS/WAN will use the
- subset, with its more specific source/destination pair.</P>
-<P>Here's an example. Suppose you are the system administrator at
- 192.0.2.2. You have this connection in ipsec.conf:<VAR> ipsec.conf</VAR>
-:</P>
-<PRE>conn net-to-net
-    left=192.0.2.2           # you are here
-    right=192.0.2.8
-    rightsubnet=192.0.2.96/27
-    ....
-</PRE>
-<P>If you then place a host or net within<VAR> rightsubnet</VAR>, (let's
- say 192.0.2.98) in<VAR> private-or-clear</VAR>, you may find that
- 192.0.2.2 at times communicates in the clear with 192.0.2.98. That's
- consistent with the rule, but may be contrary to your expectations.</P>
-<P>On the other hand, it's safe to put a larger subnet in a less
- restrictive policy group file. If<VAR> private-or-clear</VAR> contains
- 192.0.2.0/24, then the more specific<VAR> net-to-net</VAR> connection
- is used for any communication to 192.0.2.96/27. The more general policy
- applies only to communication with hosts or subnets in 192.0.2.0/24
- without a more specific policy or connection.</P>
-<H3><A name="policy.off">Can I turn off policy groups?</A></H3>
-<P>Yes. Use<A HREF="#disable_policygroups"> these instructions</A>.</P>
-
-<!--
-<h3><a name="policy.otherinterface">Can I use policy groups
- on an interface other than <VAR>%defaultroute</VAR>?</a></h3>
-
-<p>??<p>
--->
-<H3><A name="reload">Can I reload connection info without restarting?</A>
-</H3>
-<P>Yes, you can do this. Here are the details, in a mailing list message
- from Pluto programmer Hugh Redelmeier:</P>
-<PRE>| How can I reload config's without restarting all of pluto and klips?  I am using
-| FreeSWAN -&gt; PGPNet in a medium sized production environment, and would like to be
-| able to add new connections ( i am using include config/* ) without dropping current
-| SA's.
-| 
-| Can this be done?
-| 
-| If not, are there plans to add this kind of feature?
-
-        ipsec auto --add whatever
-This will look in the usual place (/etc/ipsec.conf) for a conn named
-whatever and add it.
-
-If you added new secrets, you need to do
-        ipsec auto --rereadsecrets
-before Pluto needs to know those secrets.
-
-| I have looked (perhaps not thoroughly enough tho) to see how to do this:
-
-There may be more bits to look for, depending on what you are trying
-to do.</PRE>
-<P>Another useful command here is<VAR> ipsec auto --replace &lt;conn_name&gt;</VAR>
- which re-reads data for a named connection.</P>
-<H3><A name="masq.faq">Can I use several masqueraded subnets?</A></H3>
-<P>Yes. This is done all the time. See the discussion in our<A href="config.html#route_or_not">
- setup</A> document. The only restriction is that the subnets on the two
- ends must not overlap. See the next question.</P>
-<P>Here is a mailing list message on the topic. The user incorrectly
- thinks you need a 2.4 kernel for this -- actually various people have
- been doing it on 2.0 and 2.2 for quite some time -- but he has it right
- for 2.4.</P>
-<PRE>Subject: Double NAT and freeswan working :)
-   Date: Sun, 11 Mar 2001
-   From: Paul Wouters &lt;paul@xtdnet.nl&gt;
-
-Just to share my pleasure, and make an entry for people who are searching
-the net on how to do this. Here's the very simple solution to have a double
-NAT'ed network working with freeswan. (Not sure if this is old news, but I'm
-not on the list (too much spam) and I didn't read this in any HOWTO/FAQ/doc
-on the freeswan site yet (Sandy, put it in! :)
-
-10.0.0.0/24 --- 10.0.0.1 a.b.c.d  ---- a.b.c.e {internet} ----+
-                                                              |
-10.0.1.0/24 --- 10.0.1.1 f.g.h.i  ---- f.g.h.j {internet} ----+
-
-the goal is to have the first network do a VPN to the second one, yet also
-have NAT in place for connections not destinated for the other side of the
-NAT. Here the two Linux security gateways have one real IP number (cable
-modem, dialup, whatever.
-
-The problem with NAT is you don't want packets from 10.*.*.* to 10.*.*.*
-to be NAT'ed. While with Linux 2.2, you can't, with Linux 2.4 you can.
-
-(This has been tested and works for 2.4.2 with Freeswan snapshot2001mar8b)
-
-relevant parts of /etc/ipsec.conf:
-
-        left=f.g.h.i
-        leftsubnet=10.0.1.0/24
-        leftnexthop=f.g.h.j
-        leftfirewall=yes
-        leftid=@firewall.netone.nl
-        leftrsasigkey=0x0........
-        right=a.b.c.d
-        rightsubnet=10.0.0.0/24
-        rightnexthop=a.b.c.e
-        rightfirewall=yes
-        rightid=@firewall.nettwo.nl
-        rightrsasigkey=0x0......
-        # To authorize this connection, but not actually start it, at startup,
-        # uncomment this.
-        auto=add
-
-and now the real trick. Setup the NAT correctly on both sites:
-
-iptables -t nat -F
-iptables -t nat -A POSTROUTING -o eth0 -d \! 10.0.0.0/8 -j MASQUERADE
-
-This tells the NAT code to only do NAT for packets with destination other then
-10.* networks. note the backslash to mask the exclamation mark to protect it
-against the shell.
-
-Happy painting :)
-
-Paul</PRE>
-<H3><A name="dup_route">Can I use subnets masqueraded to the same
- addresses?</A></H3>
-<P><STRONG>No.</STRONG> The notion that IP addresses are unique is one
- of the fundamental principles of the IP protocol. Messing with it is
- exceedingly perilous.</P>
-<P>Fairly often a situation comes up where a company has several
- branches, all using the same<A href="#non-routable"> non-routable
- addresses</A>, perhaps 192.168.0.0/24. This works fine as long as those
- nets are kept distinct. The<A href="#masq"> IP masquerading</A> on
- their firewalls ensures that packets reaching the Internet carry the
- firewall address, not the private address.</P>
-<P>This can break down when IPsec enters the picture. FreeS/WAN builds a
- tunnel that pokes through both masquerades and delivers packets from<VAR>
- leftsubnet</VAR> to<VAR> rightsubnet</VAR> and vice versa. For this to
- work, the two subnets<EM> must</EM> be distinct.</P>
-<P>There are several solutions to this problem.</P>
-<P>Usually, you<STRONG> re-number the subnets</STRONG>. Perhaps the
- Vancouver office becomes 192.168.101.0/24, Calgary 192.168.102.0/24 and
- so on. FreeS/WAN can happily handle this. With, for example<VAR>
- leftsubnet=192.168.101.0/24</VAR> and<VAR> rightsubnet=192.168.102.0/24</VAR>
- in a connection description, any machine in Calgary can talk to any
- machine in Vancouver. If you want to be more restrictive and use
- something like<VAR> leftsubnet=192.168.101.128/25</VAR> and<VAR>
- rightsubnet=192.168.102.240/28</VAR> so only certain machines on each
- end have access to the tunnel, that's fine too.</P>
-<P>You could also<STRONG> split the subnet</STRONG> into smaller ones,
- for example using<VAR> 192.168.1.0/25</VAR> in Vancouver and<VAR>
- rightsubnet=192.168.0.128/25</VAR> in Calgary.</P>
-<P>Alternately, you can just<STRONG> give up routing</STRONG> directly
- to machines on the subnets. Omit the<VAR> leftsubnet</VAR> and<VAR>
- rightsubnet</VAR> parameters from your connection descriptions. Your
- IPsec tunnels will then run between the public interfaces of the two
- firewalls. Packets will be masqueraded both before they are put into
- tunnels and after they emerge. Your Vancouver client machines will see
- only one Calgary machine, the firewall.</P>
-<H3><A name="road.masq">Can I assign a road warrior an address on my net
- (a virtual identity)?</A></H3>
-<P>Often it would be convenient to be able to give a Road Warrior an IP
- address which appears to be on the local network. Some IPsec
- implementations have support for this, sometimes calling the feature
- &quot;virtual identity&quot;.</P>
-<P>Currently (Sept 2002) FreeS/WAN does not support this, and we have no
- definite plans to add it. The difficulty is that is not yet a standard
- mechanism for it. There is an Internet Draft for a method of doing it
- using<A href="#DHCP"> DHCP</A> which looks promising. FreeS/WAN may
- support that in a future release.</P>
-<P>In the meanwhile, you can do it yourself using the Linux iproute2(8)
- facilities. Details are in<A href="http://www.av8n.com/vpn/iproute2.htm">
- this paper</A>.</P>
-<P>Another method has also been discussed on the mailing list.:</P>
-<UL>
-<LI>You can use a variant of the<A href="#extruded.config"> extruded
- subnet</A> procedure.</LI>
-<LI>You have to avoid having the road warrior's assigned address within
- the range you actually use at home base. See previous question.</LI>
-<LI>On the other hand, you want the roadwarrior's address to be within
- the range that<EM> seems</EM> to be on your network.</LI>
-</UL>
-<P>For example, you might have:</P>
-<DL>
-<DT>leftsubnet=a.b.c.0/25</DT>
-<DD>head office network</DD>
-<DT>rightsubnet=a.b.c.129/32</DT>
-<DD>extruded to a road warrior. Note that this is not in a.b.c.0/25</DD>
-<DT>a.b.c.0/24</DT>
-<DD>whole network, including both the above</DD>
-</DL>
-<P>You then set up routing so that the office machines use the IPsec
- gateway as their route to a.b.c.128/25. The leftsubnet parameter tells
- the road warriors to use tunnels to reach a.b.c.0/25, so you should
- have two-way communication. Depending or your network and applications,
- there may be some additional work to do on DNS or Windows configuration</P>
-<H3><A name="road.many">Can I support many road warriors with one
- gateway?</A></H3>
-<P>Yes. This is easily done, using</P>
-<DL>
-<DT>either RSA authentication</DT>
-<DD>standard in the FreeS/WAN distribution</DD>
-<DT>or X.509 certificates</DT>
-<DD>requires<A href="#PKIcert"> Super FreeS/WAN or a patch</A>.</DD>
-</DL>
-<P>In either case, each Road Warrior must have a different key or
- certificate.</P>
-<P>It is also possible using pre-shared key authentication, though we
- don't recommend this; see the<A href="#road.PSK"> next question</A> for
- details.</P>
-<P>If you expect to have more than a few dozen Road Warriors connecting
- simultaneously, you may need a fairly powerful gateway machine. See our
- document on<A href="performance.html"> FreeS/WAN performance</A>.</P>
-<H3><A name="road.PSK">Can I have many road warriors using shared secret
- authentication?</A></H3>
-<P><STRONG>Yes, but avoid it if possible</STRONG>.</P>
-<P>You can have multiple Road Warriors using shared secret
- authentication<STRONG> only if they all use the same secret</STRONG>.
- You must also set:</P>
-<P></P>
-<PRE>   uniqueids=no   </PRE>
-<P>in the connection definition.</P>
-<P>Why it's less secure:</P>
-<UL>
-<LI>If you have many users, it becomes almost certain the secret will
- leak</LI>
-<LI>The secret becomes quite valuable to an attacker</LI>
-<LI>All users authenticate the same way, so the gateway cannot tell them
- apart for logging or access control purposes</LI>
-<LI>Changing the secret is difficult. You have to securely notify all
- users.</LI>
-<LI>If you find out the secret has been compromised, you can change it,
- but then what? None of your users can connect without the new secret.
- How will you notify them all, quickly and securely, without using the
- VPN?</LI>
-</UL>
-<P>This is a designed-in limitation of the<A href="#IKE"> IKE</A> key
- negotiation protocol, not a problem with our implementation.</P>
-<P><STRONG>We very strongly recommend that you avoid using shared secret
- authentication for multiple Road Warriors.</STRONG> Use RSA
- authentication instead.</P>
-<P>The longer story: When using shared secrets, the protocol requires
- that the responding gateway be able to determine which secret to use at
- a time when all it knows about the initiator is an IP address. This
- works fine if you know the initiator's address in advance and can use
- it to look up the appropiriate secret. However, it fails for Road
- Warriors since the gateway cannot know their IP addresses in advance.</P>
-<P>With RSA signatures (or certificates) the protocol is slightly
- different. The initiator provides an identifier early in the exchange
- and the responder can use that identifier to look up the correct key or
- certificate. See<A href="#road.many"> above</A>.</P>
-<H3><A name="QoS">Can I use Quality of Service routing with FreeS/WAN?</A>
-</H3>
-<P>From project technical lead Henry Spencer:</P>
-<PRE>&gt; Do QoS add to FreeS/WAN?
-&gt; For example integrating DiffServ and FreeS/WAN?
-
-With a current version of FreeS/WAN, you will have to add hidetos=no to
-the config-setup section of your configuration file.  By default, the TOS
-field of tunnel packets is zeroed; with hidetos=no, it is copied from the
-packet inside.  (This is a modest security hole, which is why it is no
-longer the default.)
-
-DiffServ does not interact well with tunneling in general.  Ways of
-improving this are being studied.</PRE>
-<P>Copying the<A href="#TOS"> TOS</A> (type of service) information from
- the encapsulated packet to the outer header reveals the TOS information
- to an eavesdropper. This does not tell him much, but it might be of use
- in<A href="#traffic"> traffic analysis</A>. Since we do not have to
- give it to him, our default is not to.</P>
-<P>Even with the TOS hidden, you can still:</P>
-<UL>
-<LI>apply QOS rules to the tunneled (ESP) packets; for example, by
- giving ESP packets a certain priority.</LI>
-<LI>apply QOS rules to the packets as they enter or exit the tunnel via
- an IPsec virtual interface (eg.<VAR> ipsec0</VAR>).</LI>
-</UL>
-<P>See<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> for more
- on the<VAR> hidetos=</VAR> parameter.</P>
-<H3><A name="deadtunnel">Can I recognise dead tunnels and shut them
- down?</A></H3>
-<P>There is no general mechanism to do this is in the IPsec protocols.</P>
-<P>From time to time, there is discussion on the IETF Working Group<A href="#ietf">
- mailing list</A> of adding a &quot;keep-alive&quot; mechanism (which some say
- should be called &quot;make-dead&quot;), but it is a fairly complex problem and
- no consensus has been reached on whether or how it should be done.</P>
-<P>The protocol does have optional<A href="#ignore"> delete-SA</A>
- messages which one side can send when it closes a connection in hopes
- this will cause the other side to do the same. FreeS/WAN does not
- currently support these. In any case, they would not solve the problem
- since:</P>
-<UL>
-<LI>a gateway that crashes or hangs would not send the messages</LI>
-<LI>the sender is not required to send them</LI>
-<LI>they are not authenticated, so any receiver that trusts them leaves
- itself open to a<A href="#DOS"> denial of service</A> attack</LI>
-<LI>the receiver is not required to do anything about them</LI>
-<LI>the receiver cannot acknowledge them; the protocol provides no
- mechanism for that</LI>
-<LI>since they are not acknowledged, the sender cannot rely on them</LI>
-</UL>
-<P>However, connections do have limited lifetimes and you can control
- how many attempts your gateway makes to rekey before giving up. For
- example, you can set:</P>
-<PRE>conn default
-        keyingtries=3
-        keylife=30m</PRE>
-<P>With these settings old connections will be cleaned up. Within 30
- minutes of the other end dying, rekeying will be attempted. If it
- succeeds, the new connection replaces the old one. If it fails, no new
- connection is created. Either way, the old connection is taken down
- when its lifetime expires.</P>
-<P>Here is a mailing list message on the topic from FreeS/WAN tech
- support person Claudia Schmeing:</P>
-<PRE>You ask how to determine whether a tunnel is redundant:
-
-&gt; Can anybody explain the best way to determine this. Esp when a RW has
-&gt; disconnected? I thought 'ipsec auto --status' might be one way.
-
-If a tunnel goes down from one end, Linux FreeS/WAN on the
-other end has no way of knowing this until it attempts to rekey.
-Once it tries to rekey and fails, it will 'know' that the tunnel is 
-down.
-
-Because it doesn't have a way of knowing the state until this point, 
-it will also not be able to tell you the state via ipsec auto --status.
-
-&gt; However, comparing output from a working tunnel with that of one that
-&gt; was closed 
-&gt; did not show clearly show tunnel status.
-
-If your tunnel is down but not 'unrouted' (see man ipsec_auto), you
-should not be able to ping the opposite side of the tunnel. You can
-use this as an indicator of tunnel status.
-
-On a related note, you may be interested to know that as of 1.7, 
-redundant tunnels caused by RW disconnections are likely to be 
-less of a pain. From doc/CHANGES:
-
-    There is a new configuration parameter, uniqueids, to control a new Pluto
-    option:  when a new connection is negotiated with the same ID as an old
-    one, the old one is deleted immediately.  This should help eliminate
-    dangling Road Warrior connections when the same Road Warrior reconnects. 
-    It thus requires that IDs not be shared by hosts (a previously legal but
-    probably useless capability).  NOTE WELL:  the sample ipsec.conf now has
-    uniqueids=yes in its config-setup section.
-
-
-Cheers,
-
-Claudia</PRE>
-<H3><A name="demanddial">Can I build IPsec tunnels over a demand-dialed
- link?</A></H3>
-<P>This is possible, but not easy. FreeS/WAN technical lead Henry
- Spencer wrote:</P>
-<PRE>&gt; 5. If the ISDN link goes down in between and is reestablished, the SAs
-&gt; are still up but the eroute are deleted and the IPsec interface shows
-&gt; garbage (with ifconfig)
-&gt; 6. Only restarting IPsec will bring the VPN back online.
-
-This one is awkward to solve.  If the real interface that the IPsec
-interface is mounted on goes down, it takes most of the IPsec machinery
-down with it, and a restart is the only good way to recover. 
-
-The only really clean fix, right now, is to split the machines in two: 
-
-1. A minimal machine serves as the network router, and only it is aware
-that the link goes up and down. 
-
-2. The IPsec is done on a separate gateway machine, which thinks it has
-a permanent network connection, via the router.
-
-This is clumsy but it does work.  Trying to do both functions within a
-single machine is tricky.  There is a software package (diald) which will
-give the illusion of a permanent connection for demand-dialed modem
-connections; I don't know whether it's usable for ISDN, or whether it can
-be made to cooperate properly with FreeS/WAN. 
-
-Doing a restart each time the interface comes up *does* work, although it
-is a bit painful.  I did that with PPP when I was running on a modem link;
-it wasn't hard to arrange the PPP scripts to bring IPsec up and down at
-the right times.  (I'd meant to investigate diald but never found time.)
-
-In principle you don't need to do a complete restart on reconnect, but you
-do have to rebuild some things, and we have no nice clean way of doing
-only the necessary parts.</PRE>
-<P>In the same thread, one user commented:</P>
-<PRE>Subject: Re: linux-ipsec: IPsec and Dial Up Connections
-   Date: Wed, 22 Nov 2000
-   From: Andy Bradford &lt;andyb@calderasystems.com&gt;
-
-On Wed, 22 Nov 2000 19:47:11 +0100, Philip Reetz wrote:
-
-&gt; Are there any ideas what might be the cause of the problem and any way
-&gt; to work around it.
-&gt; Any help is highly appreciated.
-
-On my laptop, when using ppp there is a ip-up script in /etc/ppp that 
-will be executed each time that the ppp interface is brought up.  
-Likewise there is an ip-down script that is called when it is taken 
-down.  You might consider custimzing those to stop and start FreeS/WAN 
-with each connection.  I believe that ISDN uses the same files, though 
-I could be wrong---there should be something similar though.</PRE>
-<H3><A name="GRE">Can I build GRE, L2TP or PPTP tunnels over IPsec?</A></H3>
-<P>Yes. Normally this is not necessary, but it is useful in a few
- special cases. For example, if you must route non-IP packets such as
- IPX, you will need to use a tunneling protocol that can route these
- packets. IPsec can be layered around it for extra security. Another
- example: you can provide failover protection for high availability (HA)
- environments by combining IPsec with other tools. Ken Bantoft describes
- one such setup in<A HREF="http://www.freeswan.ca/docs/HA"> Using
- FreeS/WAN with Linux-HA, GRE, OSPF and BGP for enterprise grade VPN
- solutions</A>.</P>
-<P>GRE over IPsec is covered as part of<A HREF="http://www.freeswan.ca/docs/HA">
- that document</A>.<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00209.html">
- Here are links</A> to other GRE resources. Jacco de Leuw has created<A HREF="http://www.jacco2.dds.nl/networking/">
- this page on L2TP over IPsec</A> with instructions for FreeS/WAN and
- several other brands of IPsec software.</P>
-<P>Please let us know of other useful links via the<A HREF="mail.html">
- mailing lists</A>.</P>
-<H3><A name="NetBIOS">... use Network Neighborhood (Samba, NetBIOS) over
- IPsec?</A></H3>
-<P>Your local PC needs to know how to translate NetBIOS names to IP
- addresses. It may do this either via a local LMHOSTS file, or using a
- local or remote WINS server. The WINS server is preferable since it
- provides a centralized source of the information to the entire network.
- To use a WINS server over the<A HREF="#VPN"> VPN</A> (or any IP-based
- network), you must enable &quot;NetBIOS over TCP&quot;.</P>
-<P><A HREF="http://www.samba.org">Samba</A> can emulate a WINS server on
- Linux.</P>
-<P> See also several discussions in our<A HREF="http://lists.freeswan.org/pipermail/users/2002-September/thread.html">
- September 2002 Users archives</A></P>
-<H2><A name="setup.faq">Life's little mysteries</A></H2>
-<P>FreeS/WAN is a fairly complex product. (Neither the networks it runs
- on nor the protocols it uses are simple, so it could hardly be
- otherwise.) It therefore sometimes exhibits behaviour which can be
- somewhat confusing, or has problems which are not easy to diagnose.
- This section tries to explain those problems.</P>
-<P>Setup and configuration of FreeS/WAN are covered in other
- documentation sections:</P>
-<UL>
-<LI><A href="quickstart.html">basic setup and configuration</A></LI>
-<LI><A href="adv_config.html">advanced configuration</A></LI>
-<LI><A href="trouble.html">Troubleshooting</A></LI>
-</UL>
-<P>However, we also list some of the commonest problems here.</P>
-<H3><A name="cantping">I cannot ping ....</A></H3>
-<P>This question is dealt with in the advanced configuration section
- under the heading<A href="#multitunnel"> multiple tunnels</A>.</P>
-<P>The standard subnet-to-subnet tunnel protects traffic<STRONG> only
- between the subnets</STRONG>. To test it, you must use pings that go
- from one subnet to the other.</P>
-<P>For example, suppose you have:</P>
-<PRE>      subnet a.b.c.0/24
-             |
-      eth1 = a.b.c.1
-         gate1
-      eth0 = 192.0.2.8
-             |
-
-       ~ internet ~
-
-             |
-      eth0 = 192.0.2.11
-         gate2
-      eth1 = x.y.z.1
-              |
-       subnet x.y.z.0/24</PRE>
-<P>and the connection description:</P>
-<PRE>conn abc-xyz
-     left=192.0.2.8
-     leftsubnet=a.b.c.0/24
-     right=192.0.2.11
-     rightsubnet=x.y.z.0/24</PRE>
-<P>You can test this connection description only by sending a ping that
- will actually go through the tunnel. Assuming you have machines at
- addresses a.b.c.2 and x.y.z.2, pings you might consider trying are:</P>
-<DL>
-<DT>ping from x.y.z.2 to a.b.c.2 or vice versa</DT>
-<DD>Succeeds if tunnel is working. This is the<STRONG> only valid test
- of the tunnel</STRONG>.</DD>
-<DT>ping from gate2 to a.b.c.2 or vice versa</DT>
-<DD><STRONG>Does not use tunnel</STRONG>. gate2 is not on protected
- subnet.</DD>
-<DT>ping from gate1 to x.y.z.2 or vice versa</DT>
-<DD><STRONG>Does not use tunnel</STRONG>. gate1 is not on protected
- subnet.</DD>
-<DT>ping from gate1 to gate2 or vice versa</DT>
-<DD><STRONG>Does not use tunnel</STRONG>. Neither gate is on a protected
- subnet.</DD>
-</DL>
-<P>Only the first of these is a useful test of this tunnel. The others
- do not use the tunnel. Depending on other details of your setup and
- routing, they:</P>
-<UL>
-<LI>either fail, telling you nothing about the tunnel</LI>
-<LI>or succeed, telling you nothing about the tunnel since these packets
- use some other route</LI>
-</UL>
-<P>In some cases, you may be able to get around this. For the example
- network above, you could use:</P>
-<PRE>        ping -I a.b.c.1 x.y.z.1</PRE>
-<P>Both the adresses given are within protected subnets, so this should
- go through the tunnel.</P>
-<P>If required, you can build additional tunnels so that all the
- machines involved can talk to all the others. See<A href="#multitunnel">
- multiple tunnels</A> in the advanced configuration document for
- details.</P>
-<H3><A name="forever">It takes forever to ...</A></H3>
-<P>Users fairly often report various problems involving long delays,
- sometimes on tunnel setup and sometimes on operations done through the
- tunnel, occasionally on simple things like ping or more often on more
- complex operations like doing NFS or Samba through the tunnel.</P>
-<P>Almost always, these turn out to involve failure of a DNS lookup. The
- timeouts waiting for DNS are typically set long so that you won't time
- out when a query involves multiple lookups or long paths. Genuine
- failures therefore produce long delays before they are detected.</P>
-<P>A mailing list message from project technical lead Henry Spencer:</P>
-<PRE>&gt; ... when i run /etc/rc.d/init.d/ipsec start, i get:
-&gt; ipsec_setup: Starting FreeS/WAN IPsec 1.5...
-&gt; and it just sits there, doesn't give back my bash prompt.
-
-Almost certainly, the problem is that you're using DNS names in your
-ipsec.conf, but DNS lookups are not working for some reason.  You will
-get your prompt back... eventually.  But the DNS timeouts are long.
-Doing something about this is on our list, but it is not easy.</PRE>
-<P>In the meanwhile, we recommend that connection descriptions in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> use numeric IP addresses rather than names which will
- require a DNS lookup.</P>
-<P>Names that do not require a lookup are fine. For example:</P>
-<UL>
-<LI>a road warrior might use the identity<VAR>
- rightid=@lancelot.example.org</VAR></LI>
-<LI>the gateway might use<VAR> leftid=@camelot.example.org</VAR></LI>
-</UL>
-<P>These are fine. The @ sign prevents any DNS lookup. However, do not
- attempt to give the gateway address as<VAR> left=camelot.example.org</VAR>
-. That requires a lookup.</P>
-<P>A post from one user after solving a problem with long delays:</P>
-<PRE>Subject: Final Answer to Delay!!!
-   Date: Mon, 19 Feb 2001
-   From: &quot;Felippe Solutions&quot; &lt;felippe@solutionstecnologia.com.br&gt;
-
-Sorry people, but seems like the Delay problem had nothing to do with
-freeswan.
-
-The problem was DNS as some people sad from the beginning, but not the way
-they thought it was happening. Samba, ssh, telnet and other apps try to
-reverse lookup addresses when you use IP numbers (Stupid that ahh).
-
-I could ping very fast because I always ping with &quot;-n&quot; option, but I don't
-know the option on the other apps to stop reverse addressing so I don't use
-it.</PRE>
-<P>This post is fairly typical. These problems are often tricky and
- frustrating to diagnose, and most turn out to be DNS-related.</P>
-<P>One suggestion for diagnosis: test with both names and addresses if
- possible. For example, try all of:</P>
-<UL>
-<LI>ping<VAR> address</VAR></LI>
-<LI>ping -n<VAR> address</VAR></LI>
-<LI>ping<VAR> name</VAR></LI>
-</UL>
-<P>If these behave differently, the problem must be DNS-related since
- the three commands do exactly the same thing except for DNS lookups.</P>
-<H3><A name="route">I send packets to the tunnel with route(8) but they
- vanish</A></H3>
-<P>IPsec connections are designed to carry only packets travelling
- between pre-defined connection endpoints. As project technical lead
- Henry Spencer put it:</P>
-<BLOCKQUOTE> IPsec tunnels are not just virtual wires; they are virtual
- wires with built-in access controls. Negotiation of an IPsec tunnel
- includes negotiation of access rights for it, which don't include
- packets to/from other IP addresses. (The protocols themselves are quite
- inflexible about this, so there are limits to what we can do about it.)</BLOCKQUOTE>
-<P>For fairly obvious security reasons, and to comply with the IPsec
- RFCs,<A href="#KLIPS"> KLIPS</A> drops any packets it receives that are
- not allowed on the tunnels currently defined. So if you send it packets
- with<VAR> route(8)</VAR>, and suitable tunnels are not defined, the
- packets vanish. Whether this is reported in the logs depends on the
- setting of<VAR> klipsdebug</VAR> in your<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> file.</P>
-<P>To rescue vanishing packets, you must ensure that suitable tunnels
- for them exist, by editing the connection descriptions in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>. For example, supposing you have a simple setup:</P>
-<PRE>         leftsubnet -- leftgateway === internet === roadwarrior</PRE>
-<P>If you want to give the roadwarrior access to some resource that is
- located behind the left gateway but is not in the currently defined
- left subnet, then the usual procedure is to define an additional tunnel
- for those packets by creating a new connection description.</P>
-<P>In some cases, it may be easier to alter an existing connection
- description, enlarging the definition of<VAR> leftsubnet</VAR>. For
- example, instead of two connection descriptions with 192.168.8.0/24 and
- 192.168.9.0/24 as their<VAR> leftsubnet</VAR> parameters, you can use a
- single description with 192.168.8.0/23.</P>
-<P>If you have multiple endpoints on each side, you need to ensure that
- there is a route for each pair of endpoints. See this<A href="#multitunnel">
- example</A>.</P>
-<H3><A name="down_route">When a tunnel goes down, packets vanish</A></H3>
-<P>This is a special case of the vanishing packet problem described in
- the previous question. Whenever KLIPS sees packets for which it does
- not have a tunnel, it drops them.</P>
-<P>When a tunnel goes away, either because negotiations with the other
- gateway failed or because you gave an<VAR> ipsec auto --down</VAR>
- command, the route to its other end is left pointing into KLIPS, and
- KLIPS will drop packets it has no tunnel for.</P>
-<P>This is a documented design decision, not a bug. FreeS/WAN must not
- automatically adjust things to send packets via another route. The
- other route might be insecure.</P>
-<P>Of course, re-routing may be necessary in many cases. In those cases,
- you have to do it manually or via scripts. We provide the<VAR> ipsec
- auto --unroute</VAR> command for these cases.</P>
-<P>From<A href="manpage.d/ipsec_auto.8.html"> ipsec_auto(8)</A>:</P>
-<BLOCKQUOTE> Normally, pluto establishes a route to the destination
- specified for a connection as part of the --up operation. However, the
- route and only the route can be established with the --route operation.
- Until and unless an actual connection is established, this discards any
- packets sent there, which may be preferable to having them sent
- elsewhere based on a more general route (e.g., a default route).</BLOCKQUOTE><BLOCKQUOTE>
- Normally, pluto's route to a destination remains in place when a --down
- operation is used to take the connection down (or if connection setup,
- or later automatic rekeying, fails). This permits establishing a new
- connection (perhaps using a different specification; the route is
- altered as necessary) without having a ``window'' in which packets
- might go elsewhere based on a more general route. Such a route can be
- removed using the --unroute operation (and is implicitly removed by
- --delete).</BLOCKQUOTE>
-<P>See also this mailing list<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00523.html">
- message</A>.</P>
-<H3><A name="firewall_ate">The firewall ate my packets!</A></H3>
-<P>If firewalls filter out:</P>
-<UL>
-<LI>either the UDP port 500 packets used in IKE negotiations</LI>
-<LI>or the ESP and AH (protocols 50 and 51) packets used to implement
- the IPsec tunnel</LI>
-</UL>
-<P>then IPsec cannot work. The first thing to check if packets seem to
- be vanishing is the firewall rules on the two gateway machines and any
- other machines along the path that you have access to.</P>
-<P>For details, see our document on<A href="firewall.html"> firewalls</A>
-.</P>
-<P>Some advice from technical lead Henry Spencer on diagnosing such
- problems:</P>
-<PRE>&gt; &gt; Packets vanishing between the hardware interface and the ipsecN interface
-&gt; &gt; is usually the result of firewalls not being configured to let them in...
-&gt; 
-&gt; Thanks for the suggestion. If only it were that simple! My ipchains startup
-&gt; script does take care of that, but just in case I manually inserted rules 
-&gt; accepting everything from london on dublin. No difference.
-
-The other thing to check is whether the &quot;RX packets dropped&quot; count on the
-ipsecN interface (run &quot;ifconfig ipsecN&quot;, for N=1 or whatever, to see the
-counts) is rising.  If so, then there's some sort of configuration mismatch
-between the two ends, and IPsec itself is rejecting them.  If none of the
-ipsecN counts is rising, then the packets are never reaching the IPsec
-machinery, and the problem is almost certainly in firewalls etc.</PRE>
-<H3><A name="dropconn">Dropped connections</A></H3>
-<P>Networks being what they are, IPsec connections can be broken for any
- number of reasons, ranging from hardware failures to various software
- problems such as the path MTU problems discussed<A href="#pmtu.broken">
- elsewhere in the FAQ</A>. Fortunately, various diagnostic tools exist
- that help you sort out many of the possible problems.</P>
-<P>There is one situation, however, where FreeS/WAN (using default
- settings) may destroy a connection for no readily apparent reason. This
- occurs when things are<STRONG> misconfigured</STRONG> so that<STRONG>
- two tunnels</STRONG> from the same gateway expect<STRONG> the same
- subnet on the far end</STRONG>.</P>
-<P>In this situation, the first tunnel comes up fine and works until the
- second is established. At that point, because of the way we track
- connections internally, the first tunnel ceases to exist as far as this
- gateway is concerned. Of course the far end does not know that, and a
- storm of error messages appears on both systems as it tries to use the
- tunnel.</P>
-<P>If the far end gives up, goes back to square one and negotiates a new
- tunnel, then that wipes out the second tunnel and ...</P>
-<P>The solution is simple.<STRONG> Do not build multiple conn
- descriptions with the same remote subnet</STRONG>.</P>
-<P>This is actually intended to be a feature, rather than a bug.
- Consider the situation where a single remote system goes down, then
- comes back up and reconnects to the gateway. It is useful to have the
- gateway tear down the old tunnel and recover resources when the
- reconnection is made. It recognises that situation by checking the
- remote subnet for each tunnel it builds and discarding duplicates. This
- works fine as long as you don't configure multiple tunnels with the
- same remote subnet.</P>
-<P>If this behaviour is inconvenient for you, you can disable it by
- setting<VAR> uniqueids=no</VAR> in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>.</P>
-<H3><A name="defaultroutegone">Disappearing %defaultroute</A></H3>
-<P>When an underlying connection (eg. ppp) goes down, FreeS/WAN will not
- recover properly without a little help. Here are the symptoms that
- FreeS/WAN user Michael Carmody noticed:</P>
-<PRE>
-&gt; After about 24 hours the freeswan connection takes over the default route.
-&gt; 
-&gt; i.e instead of deafult gateway pointing to the router via eth0, it becomes a 
-&gt; pointer to the router via ipsec0.
- 
-&gt; All internet access is then lost as all replies (and not just the link I 
-&gt; wanted) are routed out ipsec0 and the router doesn't respond to the ipsec 
-&gt; traffic.
-</PRE>
-<P>If you're using a FreeS/WAN 2.x/KLIPS system, simply re-attach the
- IPsec virtual interface with<EM> ipsec tnconfig</EM> command such as:</P>
-<PRE>    ipsec tnconfig --attach --virtual ipsec0 --physical ppp0</PRE>
-<P>In your command, name the physical and virtual interfaces as they
- appear paired on your system during regular uptime. For a system with
- several physical/virtual interface pairs on flaky links, you'll need
- more than one such command. If you're using FreeS/WAN 1.x, you must
- restart FreeS/WAN, which is more time consuming.</P>
-<P><A href="http://lists.freeswan.org/pipermail/design/2002-July/003070.html">
- Here</A> is a script which can help to automate the process of
- FreeS/WAN restart at need. It could easily be adapted to use tnconfig
- instead.</P>
-<H3><A name="tcpdump.faq">TCPdump on the gateway shows strange things</A>
-</H3>
- As another user pointed out, keeping the connect
-<P>Attempting to look at IPsec packets by running monitoring tools on
- the IPsec gateway machine can produce silly results. That machine is
- mangling the packets for IPsec, and possibly for firewall or NAT
- purposes as well. If the internals of the machine's IP stack are not
- what the monitoring tool expects, then the tool can misinterpret them
- and produce nonsense output.</P>
-<P>See our<A href="#tcpdump.test"> testing</A> document for more detail.</P>
-<H3><A name="no_trace">Traceroute does not show anything between the
- gateways</A></H3>
-<P>As far as traceroute can see, the two gateways are one hop apart; the
- data packet goes directly from one to the other through the tunnel. Of
- course the outer packets that implement the tunnel pass through
- whatever lies between the gateways, but those packets are built and
- dismantled by the gateways. Traceroute does not see them and cannot
- report anything about their path.</P>
-<P>Here is a mailing list message with more detail.</P>
-<PRE>Date: Mon, 14 May 2001
-To: linux-ipsec@freeswan.org
-From: &quot;John S. Denker&quot; &lt;jsd@research.att.com&lt;
-Subject: Re: traceroute: one virtual hop
-
-At 02:20 PM 5/14/01 -0400, Claudia Schmeing wrote:
-&gt;
-&gt;&gt; &gt; A bonus question: traceroute in subnet to subnet enviroment looks like:
-&gt;&gt; &gt; 
-&gt;&gt; &gt; traceroute to andris.dmz (172.20.24.10), 30 hops max, 38 byte packets
-&gt;&gt; &gt; 1  drama (172.20.1.1)  0.716 ms  0.942 ms  0.434 ms
-&gt;&gt; &gt; 2  * * *
-&gt;&gt; &gt; 3  andris.dmz (172.20.24.10)  73.576 ms  78.858 ms  79.434 ms
-&gt;&gt; &gt; 
-&gt;&gt; &gt; Why aren't there the other hosts which take part in the delivery during 
-&gt;    * * * ?
-&gt;
-&gt;If there is an ipsec tunnel between GateA and Gate B, this tunnel forms a 
-&gt;'virtual wire'.  When it is tunneled, the original packet becomes an inner 
-&gt;packet, and new ESP and/or AH headers are added to create an outer packet 
-&gt;around it. You can see an example of how this is done for AH at 
-&gt;doc/ipsec.html#AH . For ESP it is similar.
-&gt;
-&gt;Think about the packet's path from the inner packet's perspective.
-&gt;It leaves the subnet, goes into the tunnel, and re-emerges in the second
-&gt;subnet. This perspective is also the only one available to the
-&gt;'traceroute' command when the IPSec tunnel is up.
-
-Claudia got this exactly right.  Let me just expand on a couple of points:
-
-*) GateB is exactly one (virtual) hop away from GateA.  This is how it
-would be if there were a physically private wire from A to B.  The
-virtually private connection should work the same, and it does.
-
-*) While the information is in transit from GateA to GateB, the hop count
-of the outer header (the &quot;envelope&quot;) is being decremented.  The hop count
-of the inner header (the &quot;contents&quot; of the envelope) is not decremented and
-should not be decremented.  The hop count of the outer header is not
-derived from and should not be derived from the hop count of the inner header.
-
-Indeed, even if the packets did time out in transit along the tunnel, there
-would be no way for traceroute to find out what happened.  Just as
-information cannot leak _out_ of the tunnel to the outside, information
-cannot leak _into_ the tunnel from outside, and this includes ICMP messages
-from routers along the path.
-
-There are some cases where one might wish for information about what is
-happening at the IP layer (below the tunnel layer) -- but the protocol
-makes no provision for this.  This raises all sorts of conceptual issues.
-AFAIK nobody has ever cared enough to really figure out what _should_
-happen, let alone implement it and standardize it.
-
-*) I consider the &quot;* * *&quot; to be a slight bug.  One might wish for it to be
-replaced by &quot;GateB GateB GateB&quot;.  It has to do with treating host-to-subnet
-traffic different from subnet-to-subnet traffic (and other gory details).
-I fervently hope KLIPS2 will make this problem go away.
-
-*) If you want to ask questions about the link from GateA to GateB at the
-IP level (below the tunnel level), you have to ssh to GateA and launch a
-traceroute from there.</PRE>
-<H2><A name="man4debug">Testing in stages</A></H2>
-<P>It is often useful in debugging to test things one at a time:</P>
-<UL>
-<LI>disable IPsec entirely, for example by turning it off with
- chkconfig(8), and make sure routing works</LI>
-<LI>Once that works, try a manually keyed connection. This does not
- require key negotiation between Pluto and the key daemon on the other
- end.</LI>
-<LI>Once that works, try automatically keyed connections</LI>
-<LI>Once IPsec works, add packet compression</LI>
-<LI>Once everything seems to work, try stress tests with large
- transfers, many connections, frequent re-keying, ...</LI>
-</UL>
-<P>FreeS/WAN releases are tested for all of these, so you can be
- reasonably certain they<EM> can</EM> do them all. Of course, that does
- not mean they<EM> will</EM> on the first try, especially if you have
- some unusual configuration.</P>
-<P>The rest of this section gives information on diagnosing the problem
- when each of the above steps fails.</P>
-<H3><A name="nomanual">Manually keyed connections don't work</A></H3>
-<P>Suspect one of:</P>
-<UL>
-<LI>mis-configuration of IPsec system in the /etc/ipsec.conf file
-<BR> common errors are incorrect interface or next hop information</LI>
-<LI>mis-configuration of manual connection in the /etc/ipsec.conf file</LI>
-<LI>routing problems causing IPsec packets to be lost</LI>
-<LI>bugs in KLIPS</LI>
-<LI>mismatch between the transforms we support and those another IPsec
- implementation offers.</LI>
-</UL>
-<H3><A name="spi_error">One manual connection works, but second one
- fails</A></H3>
-<P>This is a fairly common problem when attempting to configure multiple
- manually keyed connections from a single gateway.</P>
-<P>Each connection must be identified by a unique<A href="#SPI"> SPI</A>
- value. For automatic connections, these values are assigned
- automatically. For manual connections, you must set them with<VAR> spi=</VAR>
- statements in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A>.</P>
-<P>Each manual connection must have a unique SPI value in the range
- 0x100 to 0x999. Two or more with the same value will fail. For details,
- see our doc section<A href="#prodman"> Using manual keying in
- production</A> and the man page<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>.</P>
-<H3><A name="man_no_auto">Manual connections work, but automatic keying
- doesn't</A></H3>
-<P>The most common reason for this behaviour is a firewall dropping the
- UDP port 500 packets used in key negotiation.</P>
-<P>Other possibilities:</P>
-<UL>
-<LI>mis-configuration of auto connection in the /etc/ipsec.conf file.
-<P>One common configuration error is forgetting that you need<VAR>
- auto=add</VAR> to load the connection description on the receiving end
- so it recognises the connection when the other end asks for it.</P>
-</LI>
-<LI>error in shared secret in /etc/ipsec.secrets</LI>
-<LI>one gateway lacks a route to the other so Pluto's UDP packets are
- lost</LI>
-<LI>bugs in Pluto</LI>
-<LI>incompatibilities between Pluto's<A href="#IKE"> IKE</A>
- implementation and the IKE at the other end of the tunnel.
-<P>Some possibile problems are discussed in out<A href="interop.html#interop.problem">
- interoperation</A> document.</P>
-</LI>
-</UL>
-<H3><A name="nocomp">IPsec works, but connections using compression fail</A>
-</H3>
-<P>When we first added compression, we saw some problems:</P>
-<UL>
-<LI>compatibility issues with other implementations. We followed the
- RFCs and omitted some extra material that many compression libraries
- add by default. Some other implementations left the extras in</LI>
-<LI>bugs in assembler compression routines on non-Intel CPUs. The
- workaround is to use C code instead of possibly problematic assembler.</LI>
-</UL>
-<P>We have not seen either problem in some time (at least six months as
- I write in March 2002), but if you have some unusual configuration then
- you may see them.</P>
-<H3><A name="pmtu.broken">Small packets work, but large transfers fail</A>
-</H3>
-<P>If tests with ping(1) and a small packet size succeed, but tests or
- transfers with larger packet sizes fail, suspect problems with packet
- fragmentation and perhaps<A href="#pathMTU"> path MTU discovery</A>.</P>
-<P>Our<A href="#bigpacket"> troubleshooting document</A> covers these
- problems. Information on the underlying mechanism is in our<A href="#MTU.trouble">
- background</A> document.</P>
-<H3><A name="subsub">Subnet-to-subnet works, but tests from the gateways
- don't</A></H3>
-<P>This is described under<A href="#cantping"> I cannot ping...</A>
- above.</P>
-<H2><A name="compile.faq">Compilation problems</A></H2>
-<H3><A name="gmp.h_missing">gmp.h: No such file or directory</A></H3>
-<P>Pluto needs the GMP (<STRONG>G</STRONG>NU</P>
-<P><STRONG>M</STRONG>ulti-<STRONG>P</STRONG>recision) library for the
- large integer calculations it uses in<A href="#public"> public key</A>
- cryptography. This error message indicates a failure to find the
- library. You must install it before Pluto will compile.</P>
-<P>The GMP library is included in most Linux distributions. Typically,
- there are two RPMs, libgmp and libgmp-devel, You need to<EM> install
- both</EM>, either from your distribution CDs or from your vendor's web
- site.</P>
-<P>On Debian, a mailing list message reports that the command to give is<VAR>
- apt-get install gmp2</VAR>.</P>
-<P>For more information and the latest version, see the<A href="http://www.swox.com/gmp/">
- GMP home page</A>.</P>
-<H3><A name="noVM">... virtual memory exhausted</A></H3>
-<P>We have had several reports of this message appearing, all on SPARC
- Linux. Here is a mailing message on a solution:</P>
-<PRE>&gt; ipsec_sha1.c: In function `SHA1Transform':
-&gt; ipsec_sha1.c:95: virtual memory exhausted
-
-I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
-MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.
-
-I can get around this by using -O instead of -O2 for the optimization
-level.  So it is probably a bug in the optimizer on the sparc complier. 
-I'll try and chase this down on the sparc lists.</PRE>
-<H2><A name="error">Interpreting error messages</A></H2>
-<H3><A name="route-client">route-client (or host) exited with status 7</A>
-</H3>
-<P>Here is a discussion of this error from FreeS/WAN &quot;listress&quot; (mailing
- list tech support person) Claudia Schmeing. The &quot;FAQ on the network
- unreachable error&quot; which she refers to is the next question below.</P>
-<PRE>&gt; I reached the point where the two boxes (both on dial-up connections, but
-&gt; treated as static IPs by getting the IP and editing ipsec.conf after the
-&gt; connection is established) to the point where they exchange some info, but I
-&gt; get an error like &quot;route-client command exited with status 7 \n internal
-&gt; error&quot;.
-&gt; Where can I find a description of this error?
-
-In general, if the FAQ doesn't cover it, you can search the mailing list 
-archives - I like to use
-http://www.sandelman.ottawa.on.ca/linux-ipsec/
-but you can see doc/mail.html for different archive formats.
-
-
-Your error comes from the _updown script, which performs some
-routing and firewall functions to help Linux FreeS/WAN. More info
-is available at doc/firewall.html and man ipsec.conf. Its routing
-is integral to the health of Linux FreeS/WAN; it also provides facility
-to insert custom firewall rules to be executed when you create or destroy
-a connection.
-
-Yours is, of course, a routing error. You can be fairly sure the routing 
-machinery is saying &quot;network is unreachable&quot;. There's a FAQ on the 
-&quot;network is unreachable&quot; error, but more information is available now; read on.
-
-If your _updown script is recent (for example if it shipped with 
-Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
-that looks something like this:
-
-&gt; output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
-&gt; netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed
-
-This is, of course, the system route command that exited with status 7, 
-(ie. failed). Man route for details. Seeing the command typed out yields 
-more information. If your _updown script is older, you may wish to update 
-it to show the command explicitly.
-
-Three parameters fed to the route command: net, netmask and gw [gateway] 
-are derived from things you've put in ipsec.conf.
-
-Net and netmask are derived from the peer's IP and mask. In more detail:
-
-You may see a routing error when routing to a client (ie. subnet), or 
-to a host (IPSec gateway or freestanding host; a box that does IPSec for
-itself). In _updown, the &quot;route-client&quot; section  is responsible to set up 
-the route for IPSec'd (usually, read 'tunneled') packets headed to a 
-peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
-or IPSec gateway.
-
-When routing to a 'client', net and netmask are ipsec.conf's left- or 
-rightsubnet (whichever is not local). Similarly, when routing to a 
-'host' the net is left or right. Host netmask is always /32, indicating a 
-single machine.
-
-Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
-whichever is local. Where left/right or left-/rightnexthop has the special 
-value %defaultroute (described in man ipsec.conf), gw will automagically get
-the value of the next hop on the default route.
-
-Q: &quot;What's a nexthop and why do I need one?&quot;
-
-A: 'nexthop' is a routing kluge; its value is the next hop away
-   from the machine that's doing IPSec, and toward your IPSec peer. 
-   You need it to get the processed packets out of the local system and 
-   onto the wire. While we often route other packets through the machine 
-   that's now doing IPSec, and are done with it, this does not suffice here. 
-   After packets are processed with IPSec, this machine needs to know where 
-   they go next. Of course using the 'IPSec gateway' as their routing gateway 
-   would cause an infinite loop! [To visualize this, see the packet flow 
-   diagram at doc/firewall.html.] To avoid this, we route packets through 
-   the next hop down their projected path.
-
-Now that you know the background, consider:
-1. Did you test routing between the gateways in the absence of Linux
-   FreeS/WAN, as recommended? You need to ensure the two machines that
-   will be running Linux FreeS/WAN can route to one another before trying to 
-   make a secure connection.
-2. Is there anything obviously wrong with the sense of your route command?
-
-Normally, this problem is caused by an incorrect local nexthop parameter.
-Check out the use of %defaultroute, described in man ipsec.conf. This is
-a simple way to set nexthop for most people. To figure nexthop out by hand,
-traceroute in-the-clear to your IPSec peer. Nexthop is the traceroute's 
-first hop after your IPSec gateway.</PRE>
-<H3><A name="unreachable">SIOCADDRT:Network is unreachable</A></H3>
-<P>This message is not from FreeS/WAN, but from the Linux IP stack
- itself. That stack is seeing packets it has no route for, either
- because your routing was broken before FreeS/WAN started or because
- FreeS/WAN's changes broke it.</P>
-<P>Here is a message from Claudia suggesting ways to diagnose and fix
- such problems:</P>
-<PRE>You write,
-&gt; I have correctly installed freeswan-1.8 on RH7.0 kernel 2.2.17, but when 
-&gt; I setup a VPN connection with the other machine(RH5.2 Kernel 2.0.36 
-&gt; freeswan-1.0, it works well.) it told me that 
-&gt; &quot;SIOCADDRT:Network is unreachable&quot;!  But the network connection is no 
-&gt; problem.
-
-Often this error is the result of a misconfiguration. 
-
-Be sure that you can route successfully in the absence of Linux
-FreeS/WAN. (You say this is no problem, so proceed to the next step.)
-
-Use a custom copy of the default updownscript. Do not change the route 
-commands, but add a diagnostic message revealing the exact text of the 
-route command. Is there a problem with the sense of the route command
-that you can see? If so, then re-examine those ipsec.conf settings
-that are being sent to the route command. 
-
-You may wish to use the ipsec auto --route and --unroute commands to 
-troubleshoot the problem. See man ipsec_auto for details.</PRE>
-<P>Since the above message was written, we have modified the updown
- script to provide a better diagnostic for this problem. Check<VAR>
- /var/log/messages</VAR>.</P>
-<P>See also the FAQ question<A href="#route-client"> route-client (or
- host) exited with status 7</A>.</P>
-<H3><A name="modprobe">ipsec_setup: modprobe: Can't locate module ipsec</A>
-</H3>
-<H3><A name="noKLIPS">ipsec_setup: Fatal error, kernel appears to lack
- KLIPS</A></H3>
-<P>These messages indicate an installation failure. The kernel you are
- running does not contain the<A href="#KLIPS"> KLIPS (kernel IPsec)</A>
- code.</P>
-<P>Note that the &quot;modprobe: Can't locate module ipsec&quot; message appears
- even if you are not using modules. If there is no KLIPS in your kernel,
- FreeS/WAN tries to load it as a module. If that fails, you get this
- message.</P>
-<P>Commands you can quickly try are:</P>
-<DL>
-<DT><VAR>uname -a</VAR></DT>
-<DD>to get details, including compilation date and time, of the
- currently running kernel</DD>
-<DT><VAR>ls /</VAR></DT>
-<DT><VAR>ls /boot</VAR></DT>
-<DD>to ensure a new kernel is where it should be. If kernel compilation
- puts it in<VAR> /</VAR> but<VAR> lilo</VAR> wants it in<VAR> /boot</VAR>
-, then you should uncomment the<VAR> INSTALL_PATH=/boot</VAR> line in
- the kernel<VAR> Makefile</VAR>.</DD>
-<DT><VAR>more /etc/lilo.conf</VAR></DT>
-<DD>to see that<VAR> lilo</VAR> has correct information</DD>
-<DT><VAR>lilo</VAR></DT>
-<DD>to ensure that information in<VAR> /etc/lilo.conf</VAR> has been
- transferred to the boot sector</DD>
-</DL>
-<P>If those don't find the problem, you have to go back and check
- through the<A href="install.html"> install</A> procedure to see what
- was missed.</P>
-<P>Here is one of Claudia's messages on the topic:</P>
-<PRE>&gt; I tried to install freeswan 1.8 on my mandrake 7.2 test box. ...
-
-&gt; It does show version and some output for whack.
-
-Yes, because the Pluto (daemon) part of ipsec is installed correctly, but
-as we see below the kernel portion is not.
-
-&gt; However, I get the following from /var/log/messages:
-&gt; 
-&gt; Mar 11 22:11:55 pavillion ipsec_setup: Starting FreeS/WAN IPsec 1.8...
-&gt; Mar 11 22:12:02 pavillion ipsec_setup: modprobe: Can't locate module ipsec
-&gt; Mar 11 22:12:02 pavillion ipsec_setup: Fatal error, kernel appears to lack
-&gt; KLIPS.
-
-This is your problem. You have not successfully installed a kernel with
-IPSec machinery in it. 
-
-Did you build Linux FreeS/WAN as a module? If so, you need to ensure that 
-your new module has been installed in the directory where your kernel 
-loader normally finds your modules. If not, you need to ensure
-that the new IPSec-enabled kernel is being loaded correctly.
-
-See also doc/install.html, and INSTALL in the distro.</PRE>
-<H3><A name="noDNS">ipsec_setup: ... failure to fetch key for ... from
- DNS</A></H3>
-<P>Quoting Henry:</P>
-<PRE>Note that by default, FreeS/WAN is now set up to
-     (a) authenticate with RSA keys, and
-     (b) fetch the public key of the far end from DNS.
-Explicit attention to  ipsec.conf will be needed if you want
-to do something different.</PRE>
-<P>and Claudia, responding to the same user:</P>
-<PRE>You write,
-
-&gt;       My current setup in ipsec.conf is leftrsasigkey=%dns I have 
-&gt; commented this and authby=rsasig out. I am able to get ipsec running, 
-&gt; but what I find is that the documentation only specifies for %dns are 
-&gt; there any other values that can be placed in this variable other than 
-&gt; %dns and the key? I am also assuming that this is where I would place 
-&gt; my public key for the left and right side as well is this correct?
-
-Valid values for authby= are rsasig and secret, which entail authentication
-by RSA signature or by shared secret, respectively. Because you have 
-commented authby=rsasig out, you are using the default value of authby=secret. 
-
-When using RSA signatures, there are two ways to get the public key for the
-IPSec peer: either copy it directly into *rsasigkey= in ipsec.conf, or
-fetch it from dns. The magic value %dns for *rsasigkey parameters says to 
-try to fetch the peer's key from dns.
-
-For any parameters, you may find their significance and special values in
-man ipsec.conf. If you are setting up keys or secrets, be sure also to
-reference man ipsec.secrets.</PRE>
-<H3><A name="dup_address">ipsec_setup: ... interfaces ... and ... share
- address ...</A></H3>
-<P>This is a fatal error. FreeS/WAN cannot cope with two or more
- interfaces using the same IP address. You must re-configure to avoid
- this.</P>
-<P>A mailing list message on the topic from Pluto developer Hugh
- Redelmeier:</P>
-<PRE>| I'm trying to get freeswan working between two machine where one has a ppp
-| interface.
-| I've already suceeded with  two machines with ethernet ports but  the ppp
-| interface is causing me problems.
-|  basically when I run ipsec start  i get
-| ipsec_setup: Starting FreeS/WAN IPsec 1.7...
-| ipsec_setup: 003 IP interfaces ppp1 and ppp0 share address 192.168.0.10!
-| ipsec_setup: 003 IP interfaces ppp1 and ppp2 share address 192.168.0.10!
-| ipsec_setup: 003 IP interfaces ppp0 and ppp2 share address 192.168.0.10!
-| ipsec_setup: 003 no public interfaces found
-|
-| followed by lots of cannot work out interface for connection messages
-|
-| now I can specify the interface in ipsec.conf to be ppp0 , but this does
-| not affect the above behaviour. A quick look in server.c indicates that the
-| interfaces value  is not used but some sort of raw detect happens.
-|
-| I guess I could prevent the formation of the extra ppp interfaces or
-| allocate them different ip but I'd  rather not. if at all possible. Any
-| suggestions please.
-
-Pluto won't touch an interface that shares an IP address with another.
-This will eventually change, but it probably won't happen soon.
-
-For now, you will have to give the ppp1 and ppp2 different addresses.</PRE>
-<H3><A name="kflags">ipsec_setup: Cannot adjust kernel flags</A></H3>
-<P>A mailing list message form technical lead Henry Spencer:</P>
-<PRE>&gt; When FreeS/WAN IPsec 1.7 is starting on my 2.0.38 Linux kernel the following
-&gt; error message is generated:
-&gt; ipsec_setup: Cannot adjust kernel flags, no /proc/sys/net/ipsec directory!
-&gt; What is supposed to create this directory and how can I fix this problem?
-
-I think that directory is a 2.2ism, although I'm not certain (I don't have
-a 2.0.xx system handy any more for testing).  Without it, some of the
-ipsec.conf config-setup flags won't work, but otherwise things should
-function. </PRE>
-<P>You also need to enable the<VAR> /proc</VAR> filesystem in your
- kernel configuration for these operations to work.</P>
-<H3><A name="message_num">Message numbers (MI3, QR1, et cetera) in Pluto
- messages</A></H3>
-<P>Pluto messages often indicate where Pluto is in the IKE protocols.
- The letters indicate<STRONG> M</STRONG>ain mode or<STRONG> Q</STRONG>
-uick mode and<STRONG> I</STRONG>nitiator or<STRONG> R</STRONG>esponder.
- The numerals are message sequence numbers. For more detail, see our<A href="#sequence">
- IPsec section</A>.</P>
-<H3><A name="conn_name">Connection names in Pluto error messages</A></H3>
-<P>From Pluto programmer Hugh Redelmeier:</P>
-<PRE>| Jan 17 16:21:10 remus Pluto[13631]: &quot;jumble&quot; #1: responding to Main Mode from Road Warrior 130.205.82.46
-| Jan 17 16:21:11 remus Pluto[13631]: &quot;jumble&quot; #1: no suitable connection for peer @banshee.wittsend.com
-| 
-|     The connection &quot;jumble&quot; has nothing to do with the incoming
-| connection requests, which were meant for the connection &quot;banshee&quot;.
-
-You are right.  The message tells you which Connection Pluto is
-currently using, which need not be the right one.  It need not be the
-right one now for the negotiation to eventually succeed!  This is
-described in ipsec_pluto(8) in the section &quot;Road Warrior Support&quot;.
-
-There are two times when Pluto will consider switching Connections for
-a state object.  Both are in response to receiving ID payloads (one in
-Phase 1 / Main Mode and one in Phase 2 / Quick Mode).  The second is
-not unique to Road Warriors.  In fact, neither is the first any more
-(two connections for the same pair of hosts could differ in Phase 1 ID
-payload; probably nobody else has tried this).</PRE>
-<H3><A name="cantorient">Pluto: ... can't orient connection</A></H3>
-<P>Older versions of FreeS/WAN used this message. The same error now
- gives the &quot;we have no ipsecN ...&quot; error described just below.</P>
-<H3><A name="no.interface">... we have no ipsecN interface for either
- end of this connection</A></H3>
-<P>Your tunnel has no IP address which matches the IP address of any of
- the available IPsec interfaces. Either you've misconfigured the
- connection, or you need to define an appropriate IPsec interface
- connection.<VAR> interfaces=%defaultroute</VAR> works in many cases.</P>
-<P>A longer story: Pluto needs to know whether it is running on the
- machine which the connection description calls<VAR> left</VAR> or on<VAR>
- right</VAR>. It figures that out by:</P>
-<UL>
-<LI>looking at the interfaces given in<VAR> interfaces=</VAR> lines in
- the<VAR> config setup</VAR> section</LI>
-<LI>discovering the IP addresses for those interfaces</LI>
-<LI>searching for a match between those addresses and the ones given in<VAR>
- left=</VAR> or<VAR> right=</VAR> lines.</LI>
-</UL>
-<P>Normally a match is found. Then Pluto knows where it is and can set
- up other things (for example, if it is<VAR> left</VAR>) using
- parameters such as<VAR> leftsubnet</VAR> and<VAR> leftnexthop</VAR>,
- and sending its outgoing packets to<VAR> right</VAR>.</P>
-<P>If no match is found, it emits the above error message.</P>
-<H3><A name="noconn">Pluto: ... no connection is known</A></H3>
-<P>This error message occurs when a remote system attempts to negotiate
- a connection and Pluto does not have a connection description that
- matches what the remote system has requested. The most common cause is
- a configuration error on one end or the other.</P>
-<P>Parameters involved in this match are<VAR> left</VAR>,<VAR> right</VAR>
-,<VAR> leftsubnet</VAR> and<VAR> rightsubnet</VAR>.</P>
-<P><STRONG>The match must be exact</STRONG>. For example, if your left
- subnet is a.b.c.0/24 then neither a single machine in that net nor a
- smaller subnet such as a.b.c.64/26 will be considered a match.</P>
-<P>The message can also occur when an appropriate description exists but
- Pluto has not loaded it. Use an<VAR> auto=add</VAR> statement in the
- connection description, or an<VAR> ipsec auto --add &lt;conn_name&gt;</VAR>
- command, to correct this.</P>
-<P>An explanation from the Pluto developer:</P>
-<PRE>| Jul 12 15:00:22 sohar58 Pluto[574]: &quot;corp_road&quot; #2: cannot respond to IPsec
-| SA request because no connection is known for
-| 216.112.83.112/32===216.112.83.112...216.67.25.118
-
-This is the first message from the Pluto log showing a problem.  It
-means that PGPnet is trying to negotiate a set of SAs with this
-topology:
-
-216.112.83.112/32===216.112.83.112...216.67.25.118
-^^^^^^^^^^^^^^^^^   ^^^^^^^^^^^^^^   ^^^^^^^^^^^^^
-client on our side  our host         PGPnet host, no client
-
-None of the conns you showed look like this.
-
-Use
-        ipsec auto --status
-to see a snapshot of what connections are in pluto, what
-negotiations are going on, and what SAs are established.
-
-The leftsubnet= (client) in your conn is 216.112.83.64/26.  It must
-exactly match what pluto is looking for, and it does not.</PRE>
-<H3><A name="nosuit">Pluto: ... no suitable connection ...</A></H3>
-<P>This is similar to the<A href="#noconn"> no connection known</A>
- error, but occurs at a different point in Pluto processing.</P>
-<P>Here is one of Claudia's messages explaining the problem:</P>
-<PRE>You write,
-
-&gt; What could be the reason of the following error? 
-&gt; &quot;no suitable connection for peer '@xforce'&quot;
-
-When a connection is initiated by the peer, Pluto must choose which entry in 
-the conf file best matches the incoming connection. A preliminary choice is 
-made on the basis of source and destination IPs, since that information is 
-available at that time. 
-
-A payload containing an ID arrives later in the negotiation. Based on this
-id and the *id= parameters, Pluto refines its conn selection. ...
-
-The message &quot;no suitable connection&quot; indicates that in this refining step,
-Pluto does not find a connection that matches that ID.
-
-Please see &quot;Selecting a connection when responding&quot; in man ipsec_pluto for
-more details.</PRE>
-<P>See also<A href="#conn_name"> Connection names in Pluto error
- messages</A>.</P>
-<H3><A name="noconn.auth">Pluto: ... no connection has been authorized</A>
-</H3>
-<P>Here is one of Claudia's messages discussing this problem:</P>
-<PRE>You write,
-
-&gt;  May 22 10:46:31 debian Pluto[25834]: packet from x.y.z.p:10014: 
-&gt;  initial Main Mode message from x.y.z.p:10014 
-                            but no connection has been authorized
-
-This error occurs early in the connection negotiation process,
-at the first step of IKE negotiation (Main Mode), which is itself the 
-first of two negotiation phases involved in creating an IPSec connection.
-
-Here, Linux FreeS/WAN receives a packet from a potential peer, which 
-requests that they begin discussing a connection.
-
-The &quot;no connection has been authorized&quot; means that there is no connection 
-description in Linux FreeS/WAN's internal database that can be used to 
-link your ipsec interface with that peer.
-
-&quot;But of course I configured that connection!&quot; 
-
-It may be that the appropriate connection description exists in ipsec.conf 
-but has not been added to the database with ipsec auto --add myconn or the 
-auto=add method. Or, the connection description may be misconfigured.
-
-The only parameters that are relevant in this decision are left= and right= .
-Local and remote ports are also taken into account -- we see that the port 
-is printed in the message above -- but there is no way to control these
-in ipsec.conf.
-
-
-Failure at &quot;no connection has been authorized&quot; is similar to the
-&quot;no connection is known for...&quot; error in the FAQ, and the &quot;no suitable
-connection&quot; error described in the snapshot's FAQ. In all three cases,
-Linux FreeS/WAN is trying to match parameters received in the
-negotiation with the connection description in the local config file.
-
-As it receives more information, its matches take more parameters into 
-account, and become more precise:  first the pair of potential peers,
-then the peer IDs, then the endpoints (including any subnets).
-
-The &quot;no suitable connection for peer *&quot; occurs toward the end of IKE 
-(Main Mode) negotiation, when the IDs are matched.
-
-&quot;no connection is known for a/b===c...d&quot; is seen at the beginning of IPSec 
-(Quick Mode, phase 2) negotiation, when the connections are matched using
-left, right, and any information about the subnets.</PRE>
-<H3><A name="noDESsupport">Pluto: ... OAKLEY_DES_CBC is not supported.</A>
-</H3>
-<P>This message occurs when the other system attempts to negotiate a
- connection using<A href="#DES"> single DES</A>, which we do not support
- because it is<A href="#desnotsecure"> insecure</A>.</P>
-<P>Our interoperation document has suggestions for<A href="interop.html#noDES">
- how to deal with</A> systems that attempt to use single DES.</P>
-<H3><A name="notransform">Pluto: ... no acceptable transform</A></H3>
-<P>This message means that the other gateway has made a proposal for
- connection parameters, but nothing they proposed is acceptable to
- Pluto. Possible causes include:</P>
-<UL>
-<LI>misconfiguration on either end</LI>
-<LI>policy incompatibilities, for example we require encrypted
- connections but they are trying to create one with just authentication</LI>
-<LI>interoperation problems, for example they offer only single DES and
- FreeS/WAN does not support that. See<A href="interop.html#interop.problem">
- discussion</A> in our interoperation document.</LI>
-</UL>
-<P>A more detailed explanation, from Pluto programmer Hugh Redelmeier:</P>
-<PRE>Background:
-
-When one IKE system (for example, Pluto) is negotiating with another
-to create an SA, the Initiator proposes a bunch of choices and the
-Responder replies with one that it has selected.
-
-The structure of the choices is fairly complicated.  An SA payload
-contains a list of lists of &quot;Proposals&quot;.  The outer list is a set of
-choices: the selection must be from one element of this list.
-
-Each of these elements is a list of Proposals.  A selection must be
-made from each of the elements of the inner list.  In other words,
-*all* of them apply (that is how, for example, both AH and ESP can
-apply at once).
-
-Within each of these Proposals is a list of Transforms.  For each
-Proposal selected, one Transform must be selected (in other words,
-each Proposal provides a choice of Transforms).
-
-Each Transform is made up of a list of Attributes describing, well,
-attributes.  Such as lifetime of the SA.  Such as algorithm to be
-used.  All the Attributes apply to a Transform.
-
-You will have noticed a pattern here: layers alternate between being
-disjunctions (&quot;or&quot;) and conjunctions (&quot;and&quot;).
-
-For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
-cut back.  There must be exactly one Proposal.  So this degenerates to
-a list of Transforms, one of which must be chosen.
-
-In your case, no proposal was considered acceptable to Pluto (the
-Responder).  So negotiation ceased.  Pluto logs the reason it rejects
-each Transform.  So look back in the log to see what is going wrong.</PRE>
-<H3><A name="rsasigkey">rsasigkey dumps core</A></H3>
- A comment on this error from Henry:
-<PRE>On Fri, 29 Jun 2001, Rodrigo Gruppelli wrote:
-&gt; ...Well, it seem that there's
-&gt; another problem with it. When I try to generate a pair of RSA keys,
-&gt; rsasigkey cores dump...
-
-*That* is a neon sign flashing &quot;GMP LIBRARY IS BROKEN&quot;.  Rsasigkey calls
-GMP a lot, and our own library a little bit, and that's very nearly all it
-does.  Barring bugs in its code or our library -- which have happened, but
-not very often -- a problem in rsasigkey is a problem in GMP.</PRE>
-<P>See the next question for how to deal with GMP errors.</P>
-<H3><A name="sig4">!Pluto failure!: ... exited with ... signal 4</A></H3>
-<P>Pluto has died. Signal 4 is SIGILL, illegal instruction.</P>
-<P>The most likely cause is that your<A href="#GMP"> GMP</A> (GNU
- multi-precision) library is compiled for a different processor than
- what you are running on. Pluto uses that library for its public key
- calculations.</P>
-<P>Try getting the GMP sources and recompile for your processor type.
- Most Linux distributions will include this source, or you can download
- it from the<A href="http://www.swox.com/gmp/"> GMP home page</A>.</P>
-<H3><A name="econnrefused">ECONNREFUSED error message</A></H3>
-<P>From John Denker, on the mailing list:</P>
-<PRE>1)  The log message
-  some IKE message we sent has been rejected with 
-  ECONNREFUSED (kernel supplied no details)
-is much more suitable than the previous version.  Thanks.
-
-2) Minor suggestion for further improvement: it might be worth mentioning
-that the command
-  tcpdump -i eth1 icmp[0] != 8 and icmp[0] != 0
-is useful for tracking down the details in question.  We shouldn't expect
-all IPsec users to figure that out on their own.  The log message might
-even provide a hint as to where to look in the docs.</PRE>
-<P>Reply From Pluto developer Hugh Redelmeier</P>
-<PRE>Good idea.
-
-I've added a bit pluto(8)'s BUGS section along these lines.
-I didn't have the heart to lengthen this message.</PRE>
-<H3><A name="no_eroute">klips_debug: ... no eroute!</A></H3>
-<P>This message means<A href="#KLIPS"> KLIPS</A> has received a packet
- for which no IPsec tunnel has been defined.</P>
-<P>Here is a more detailed duscussion from the team's tech support
- person Claudia Schmeing, responding to a query on the mailing list:</P>
-<PRE>&gt; Why ipsec reports no eroute! ???? IP Masq... is disabled.
-
-In general, more information is required so that people on the list may
-give you informed input. See doc/prob.report.</PRE>
-<P>The document she refers to has since been replaced by a<A href="#prob.report">
- section</A> of the troubleshooting document.</P>
-<PRE>However, I can make some general comments on this type of error.
-
-This error usually looks something like this (clipped from an archived
-message):
-
-&gt; ttl:64 proto:1 chk:45459 saddr:192.168.1.2 daddr:192.168.100.1
-&gt; ... klips_debug:ipsec_findroute: 192.168.1.2-&gt;192.168.100.1
-&gt; ... klips_debug:rj_match: * See if we match exactly as a host destination
-&gt; ... klips_debug:rj_match: ** try to match a leaf, t=0xc1a260b0
-&gt; ... klips_debug:rj_match: *** start searching up the tree, t=0xc1a260b0
-&gt; ... klips_debug:rj_match: **** t=0xc1a260c8
-&gt; ... klips_debug:rj_match: **** t=0xc1fe5960
-&gt; ... klips_debug:rj_match: ***** not found.
-&gt; ... klips_debug:ipsec_tunnel_start_xmit: Original head/tailroom: 2, 28
-&gt; ... klips_debug:ipsec_tunnel_start_xmit: no eroute!: ts=47.3030, dropping.
-
-
-What does this mean?
-- --------------------
-
-&quot;eroute&quot; stands for &quot;extended route&quot;, and is a special type of route 
-internal to Linux FreeS/WAN. For more information about this type of route, 
-see the section of man ipsec_auto on ipsec auto --route.
-
-&quot;no eroute!&quot; here means, roughly, that Linux FreeS/WAN cannot find an 
-appropriate tunnel that should have delivered this packet. Linux 
-FreeS/WAN therefore drops the packet, with the message &quot;no eroute! ...
-dropping&quot;, on the assumption that this packet is not a legitimate 
-transmission through a properly constructed tunnel.
-
-
-How does this situation come about?
-- -----------------------------------
-
-Linux FreeS/WAN has a number of connection descriptions defined in 
-ipsec.conf. These must be successfully brought &quot;up&quot; to form actual tunnels.
-(see doc/setup.html's step 15, man ipsec.conf and man ipsec_auto 
-for details).
-
-Such connections are often specific to the endpoints' IPs. However, in 
-some cases they may be more general, for example in the case of 
-Road Warriors where left or right is the special value %any.
-
-When Linux FreeS/WAN receives a packet, it verifies that the packet has
-come through a legitimate channel, by checking that there is an
-appropriate tunnel through which this packet might legitimately have
-arrived. This is the process we see above.
-
-First, it checks for an eroute that exactly matches the packet. In the 
-example above, we see it checking for a route that begins at 192.168.1.2
-and ends at 192.168.100.1. This search favours the most specific match that
-would apply to the route between these IPs. So, if there is a connection 
-description exactly matching these IPs, the search will end there. If not, 
-the code will search for a more general description matching the IPs.
-If there is no match, either specific or general, the packet will be
-dropped, as we see, above.
-
-Unless you are working with Road Warriors, only the first, specific part 
-of the matching process is likely to be relevant to you.
-
-
-&quot;But I defined the tunnel, and it came up, why do I have this error?&quot;
-- ---------------------------------------------------------------------
-
-One of the most common causes of this error is failure to specify enough
-connection descriptions to cover all needed tunnels between any two 
-gateways and their respective subnets. As you have noticed, troubleshooting
-this error may be complicated by the use of IP Masq. However, this error is
-not limited to cases where IP Masq is used. 
-
-See doc/configuration.html#multitunnel for a detailed example of the 
-solution to this type of problem.</PRE>
-<P>The documentation section she refers to is now<A href="#multitunnel">
- here</A>.</P>
-<H3><A name="SAused">... trouble writing to /dev/ipsec ... SA already in
- use</A></H3>
-<P>This error message occurs when two manual connections are set up with
- the same SPI value.</P>
-<P>See the FAQ for<A href="#spi_error"> One manual connection works, but
- second one fails</A>.</P>
-<H3><A name="ignore">... ignoring ... payload</A></H3>
-<P>This message is harmless. The IKE protocol provides for a number of
- optional messages types:</P>
-<UL>
-<LI>delete SA</LI>
-<LI>initial contact</LI>
-<LI>vendor ID</LI>
-<LI>...</LI>
-</UL>
-<P>An implementation is never required to send these, but they are
- allowed to. The receiver is not required to do anything with them.
- FreeS/WAN ignores them, but notifies you via the logs.</P>
-<P>For the &quot;ignoring delete SA Payload&quot; message, see also our discussion
- of cleaning up<A href="#deadtunnel"> dead tunnels</A>.</P>
-<H3><A name="unknown_rightcert">unknown parameter name &quot;rightcert&quot;</A></H3>
-<P>This message can appear when you've upgraded an X.509-enabled Linux
- FreeS/WAN with a vanilla Linux FreeS/WAN. To use your X.509 configs you
- will need to overwrite the new install with<A HREF="http://www.freeswan.ca">
- Super FreeS/WAN</A>, or add the<A HREF="http://www.strongsec.ca/freeswan">
- X.509 patch</A> by hand.</P>
-<H2><A name="spam">Why don't you restrict the mailing lists to reduce
- spam?</A></H2>
-<P>As a matter of policy, some of our<A href="mail.html"> mailing lists</A>
- need to be open to non-subscribers. Project management feel strongly
- that maintaining this openness is more important than blocking spam.</P>
-<UL>
-<LI>Users should be able to get help or report bugs without subscribing.</LI>
-<LI>Even a user who is subscribed may not have access to his or her
- subscribed account when he or she needs help, miles from home base in
- the middle of setting up a client's gateway.</LI>
-<LI>There is arguably a legal requirement for this policy. A US resident
- or citizen could be charged under munitions export laws for providing
- technical assistance to a foreign cryptographic project. Such a charge
- would be more easily defended if the discussion takes place in public,
- on an open list.</LI>
-</UL>
-<P>This has been discussed several times at some length on the list. See
- the<A href="#archive"> list archives</A>. Bringing the topic up again
- is unlikely to be useful. Please don't. Or at the very least, please
- don't without reading the archives and being certain that whatever you
- are about to suggest has not yet been discussed.</P>
-<P>Project technical lead Henry Spencer summarised one discussion:</P>
-<BLOCKQUOTE> For the third and last time: this list *will* *not* do
- address-based filtering. This is a policy decision, not an
- implementation problem. The decision is final, and is not open to
- discussion. This needs to be communicated better to people, and steps
- are being taken to do that.</BLOCKQUOTE>
-<P>Adding this FAQ section is one of the steps he refers to.</P>
-<P>You have various options other than just putting up with the spam,
- filtering it yourself, or unsubscribing:</P>
-<UL>
-<LI>subscribe only to one or both of our lists with restricted posting
- rules:
-<UL>
-<LI><A href="mailto:briefs@lists.freeswan.org?body=subscribe">briefs</A>
-, weekly list summaries</LI>
-<LI><A href="mailto:announce@lists.freeswan.org?body=subscribe">announce</A>
-, project-related announcements</LI>
-</UL>
-</LI>
-<LI>read the other lists via the<A href="#archive"> archives</A></LI>
-</UL>
-<P>A number of tools are available to filter mail.</P>
-<UL>
-<LI>Many mail readers include some filtering capability.</LI>
-<LI>Many Linux distributions include<A href="http://www.procmail.org/">
- procmail(8)</A> for server-side filtering.</LI>
-<LI>The<A href="http://www.spambouncer.org/"> Spam Bouncer</A> is a set
- of procmail(8) filters designed to combat spam.</LI>
-<LI>Roaring Penguin have a<A href="http://www.roaringpenguin.com/mimedefang/">
- MIME defanger</A> that removes potentially dangerous attachments.</LI>
-</UL>
-<P>If you use your ISP's mail server rather than running your own,
- consider suggesting to the ISP that they tag suspected spam as<A href="http://www.msen.com/1997/spam.html#SUSPECTED">
- this ISP</A> does. They could just refuse mail from dubious sources,
- but that is tricky and runs some risk of losing valuable mail or
- senselessly annoying senders and their admins. However, they can safely
- tag and deliver dubious mail. The tags can greatly assist your
- filtering.</P>
-<P>For information on tracking down spammers, see these<A href="http://www.rahul.net/falk/#howtos">
- HowTos</A>, or the<A href="http://www.sputum.com/index2.html"> Sputum</A>
- site. Sputum have a Linux anti-spam screensaver available for download.</P>
-<P>Here is a more detailed message from Henry:</P>
-<PRE>On Mon, 15 Jan 2001, Jay Vaughan wrote:
-&gt; I know I'm flogging a dead horse here, but I'm curious as to the reasons for
-&gt; an aversion for a subscriber-only mailing list?
-
-Once again:  for legal reasons, it is important that discussions of these
-things be held in a public place -- the list -- and we do not want to
-force people to subscribe to the list just to ask one question, because
-that may be more than merely inconvenient for them.  There are also real
-difficulties with people who are temporarily forced to use alternate
-addresses; that is precisely the time when they may be most in need of
-help, yet a subscribers-only policy shuts them out.
-
-These issues do not apply to most mailing lists, but for a list that is
-(necessarily) the primary user support route for a crypto package, they
-are very important.  This is *not* an ordinary mailing list; it has to
-function under awkward constraints that make various simplistic solutions
-inapplicable or undesirable. 
-
-&gt; We're *ALL* sick of hearing about list management problems, not just you
-&gt; old-timers, so why don't you DO SOMETHING EFFECTIVE ABOUT IT...
-
-Because it's a lot harder than it looks, and many existing &quot;solutions&quot;
-have problems when examined closely.
-
-&gt; A suggestion for you, based on 10 years of experience with management of my
-&gt; own mailing lists would be to use mailman, which includes pretty much every
-&gt; feature under the sun that you guys need and want, plus some.  The URL for
-&gt; mailman...
-
-I assure you, we're aware of mailman.  Along with a whole bunch of others,
-including some you almost certainly have never heard of (I hadn't!).
-
-&gt; As for the argument that the list shouldn't be configured to enforce
-&gt; subscription - I contend that it *SHOULD* AT LEAST require manual address
-&gt; verification in order for posts to be redirected.
-
-You do realize, I hope, that interposing such a manual step might cause
-your government to decide that this is not truly a public forum, and thus
-you could go to jail if you don't get approval from them before mailing to
-it?  If you think this sounds irrational, your government is noted for
-making irrational decisions in this area; we can't assume that they will
-suddenly start being sensible.  See above about awkward constraints.  You
-may be willing to take the risk, but we can't, in good conscience, insist
-that all users with problems do so. 
-
-                                                          Henry Spencer
-                                                       henry@spsystems.net</PRE>
-<P>and a message on the topic from project leader John Gilmore:</P>
-<PRE>Subject: Re: The linux-ipsec list's topic
-   Date: Sat, 30 Dec 2000
-   From: John Gilmore &lt;gnu@toad.com&gt;
-
-I'll post this single message, once only, in this discussion, and then
-not burden the list with any further off-topic messages.  I encourage
-everyone on the list to restrain themself from posting ANY off-topic
-messages to the linux-ipsec list.
-
-The topic of the linux-ipsec mailing list is the FreeS/WAN software.
-
-I frequently see &quot;discussions about spam on a list&quot; overwhelm the
-volume of &quot;actual spam&quot; on a list. BOTH kinds of messages are
-off-topic messages.  Twenty anti-spam messages take just as long to
-detect and discard as twenty spam messages.
-
-The Linux-ipsec list encourages on-topic messages from people who have
-not joined the list itself.  We will not censor messages to the list
-based on where they originate, or what return address they contain.
-In other words, non-subscribers ARE allowed to post, and this will not
-change.  My own valid contributions have been rejected out-of-hand by
-too many other mailing lists for me to want to impose that censorship
-on anybody else's contributions.  And every day I see the damage that
-anti-spam zeal is causing in many other ways; that zeal is far more
-damaging to the culture of the Internet than the nuisance of spam.
-
-In general, it is the responsibility of recipients to filter,
-prioritize, or otherwise manage the handling of email that comes to
-them.  It is not the responsibility of the rest of the Internet
-community to refrain from sending messages to recipients that they
-might not want to see.  If your software infrastructure for managing
-your incoming email is insufficient, then improve it.  If you think
-the signal-to-noise ratio on linux-ipsec is too poor, then please
-unsubscribe.  But don't further increase the noise by posting to the
-linux-ipsec list about those topics.
-
-        John Gilmore
-        founder &amp; sponsor, FreeS/WAN project</PRE>
-<HR>
-<H1><A name="manpages">FreeS/WAN manual pages</A></H1>
-<P>The various components of Linux FreeS/WAN are of course documented in
- standard Unix manual pages, accessible via the man(1) command.</P>
-<P>Links here take you to an HTML version of the man pages.</P>
-<H2><A name="man.file">Files</A></H2>
-<DL>
-<DT><A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></DT>
-<DD>IPsec configuration and connections</DD>
-<DT><A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A></DT>
-<DD>secrets for IKE authentication, either pre-shared keys or RSA
- private keys</DD>
-</DL>
-<P>These files are also discussed in the<A href="config.html">
- configuration</A> section.</P>
-<H2><A name="man.command">Commands</A></H2>
-<P>Many users will never give most of the FreeS/WAN commands directly.
- Configure the files listed above correctly and everything should be
- automatic.</P>
-<P>The exceptions are commands for mainpulating the<A href="#RSA"> RSA</A>
- keys used in Pluto authentication:</P>
-<DL>
-<DT><A href="manpage.d/ipsec_rsasigkey.8.html">ipsec_rsasigkey(8)</A></DT>
-<DD>generate keys</DD>
-<DT><A href="manpage.d/ipsec_newhostkey.8.html">ipsec_newhostkey(8)</A></DT>
-<DD>generate keys in a convenient format</DD>
-<DT><A href="manpage.d/ipsec_showhostkey.8.html">ipsec_showhostkey(8)</A>
-</DT>
-<DD>extract<A href="#RSA"> RSA</A> keys from<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A> (or optionally, another file) and format them for
- insertion in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> or
- in DNS records</DD>
-</DL>
-<P>Note that:</P>
-<UL>
-<LI>These keys are for<STRONG> authentication only</STRONG>. They are<STRONG>
- not secure for encryption</STRONG>.</LI>
-<LI>The utility uses random(4) as a source of<A href="#random"> random
- numbers</A>. This may block for some time if there is not enough
- activity on the machine to provide the required entropy. You may want
- to give it some bogus activity such as random mouse movements or some
- command such as<NOBR> <TT>du /usr &gt; /dev/null &amp;</TT>.</LI>
-</UL>
-<P>The following commands are fairly likely to be used, if only for
- testing and status checks:</P>
-<DL>
-<DT><A href="manpage.d/ipsec.8.html">ipsec(8)</A></DT>
-<DD>invoke IPsec utilities</DD>
-<DT><A href="manpage.d/ipsec_setup.8.html">ipsec_setup(8)</A></DT>
-<DD>control IPsec subsystem</DD>
-<DT><A href="manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A></DT>
-<DD>control automatically-keyed IPsec connections</DD>
-<DT><A href="manpage.d/ipsec_manual.8.html">ipsec_manual(8)</A></DT>
-<DD>take manually-keyed IPsec connections up and down</DD>
-<DT><A href="manpage.d/ipsec_ranbits.8.html">ipsec_ranbits(8)</A></DT>
-<DD>generate random bits in ASCII form</DD>
-<DT><A href="manpage.d/ipsec_look.8.html">ipsec_look(8)</A></DT>
-<DD>show minimal debugging information</DD>
-<DT><A href="manpage.d/ipsec_barf.8.html">ipsec_barf(8)</A></DT>
-<DD>spew out collected IPsec debugging information</DD>
-</DL>
-<P>The lower-level utilities listed below are normally invoked via
- scripts listed above, but they can also be used directly when required.</P>
-<DL>
-<DT><A href="manpage.d/ipsec_eroute.8.html">ipsec_eroute(8)</A></DT>
-<DD>manipulate IPsec extended routing tables</DD>
-<DT><A href="manpage.d/ipsec_klipsdebug.8.html">ipsec_klipsdebug(8)</A></DT>
-<DD>set Klips (kernel IPsec support) debug features and level</DD>
-<DT><A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A></DT>
-<DD>IPsec IKE keying daemon</DD>
-<DT><A href="manpage.d/ipsec_spi.8.html">ipsec_spi(8)</A></DT>
-<DD>manage IPsec Security Associations</DD>
-<DT><A href="manpage.d/ipsec_spigrp.8.html">ipsec_spigrp(8)</A></DT>
-<DD>group/ungroup IPsec Security Associations</DD>
-<DT><A href="manpage.d/ipsec_tncfg.8.html">ipsec_tncfg(8)</A></DT>
-<DD>associate IPsec virtual interface with real interface</DD>
-<DT><A href="manpage.d/ipsec_whack.8.html">ipsec_whack(8)</A></DT>
-<DD>control interface for IPsec keying daemon</DD>
-</DL>
-<H2><A name="man.lib">Library routines</A></H2>
-<DL>
-<DT><A href="manpage.d/ipsec_atoaddr.3.html">ipsec_atoaddr(3)</A></DT>
-<DT><A href="manpage.d/ipsec_addrtoa.3.html">ipsec_addrtoa(3)</A></DT>
-<DD>convert Internet addresses to and from ASCII</DD>
-<DT><A href="manpage.d/ipsec_atosubnet.3.html">ipsec_atosubnet(3)</A></DT>
-<DT><A href="manpage.d/ipsec_subnettoa.3.html">ipsec_subnettoa(3)</A></DT>
-<DD>convert subnet/mask ASCII form to and from addresses</DD>
-<DT><A href="manpage.d/ipsec_atoasr.3.html">ipsec_atoasr(3)</A></DT>
-<DD>convert ASCII to Internet address, subnet, or range</DD>
-<DT><A href="manpage.d/ipsec_rangetoa.3.html">ipsec_rangetoa(3)</A></DT>
-<DD>convert Internet address range to ASCII</DD>
-<DT>ipsec_atodata(3)</DT>
-<DT><A href="manpage.d/ipsec_datatoa.3.html">ipsec_datatoa(3)</A></DT>
-<DD>convert binary data from and to ASCII formats</DD>
-<DT><A href="manpage.d/ipsec_atosa.3.html">ipsec_atosa(3)</A></DT>
-<DT><A href="manpage.d/ipsec_satoa.3.html">ipsec_satoa(3)</A></DT>
-<DD>convert IPsec Security Association IDs to and from ASCII</DD>
-<DT><A href="manpage.d/ipsec_atoul.3.html">ipsec_atoul(3)</A></DT>
-<DT><A href="manpage.d/ipsec_ultoa.3.html">ipsec_ultoa(3)</A></DT>
-<DD>convert unsigned-long numbers to and from ASCII</DD>
-<DT><A href="manpage.d/ipsec_goodmask.3.html">ipsec_goodmask(3)</A></DT>
-<DD>is this Internet subnet mask a valid one?</DD>
-<DT><A href="manpage.d/ipsec_masktobits.3.html">ipsec_masktobits(3)</A></DT>
-<DD>convert Internet subnet mask to bit count</DD>
-<DT><A href="manpage.d/ipsec_bitstomask.3.html">ipsec_bitstomask(3)</A></DT>
-<DD>convert bit count to Internet subnet mask</DD>
-<DT><A href="manpage.d/ipsec_optionsfrom.3.html">ipsec_optionsfrom(3)</A>
-</DT>
-<DD>read additional ``command-line'' options from file</DD>
-<DT><A href="manpage.d/ipsec_subnetof.3.html">ipsec_subnetof(3)</A></DT>
-<DD>given Internet address and subnet mask, return subnet number</DD>
-<DT><A href="manpage.d/ipsec_hostof.3.html">ipsec_hostof(3)</A></DT>
-<DD>given Internet address and subnet mask, return host part</DD>
-<DT><A href="manpage.d/ipsec_broadcastof.3.html">ipsec_broadcastof(3)</A>
-</DT>
-<DD>given Internet address and subnet mask, return broadcast address</DD>
-</DL>
-<HR>
-<H1><A name="firewall">FreeS/WAN and firewalls</A></H1>
-<P>FreeS/WAN, or other IPsec implementations, frequently run on gateway
- machines, the same machines running firewall or packet filtering code.
- This document discusses the relation between the two.</P>
-<P>The firewall code in 2.4 and later kernels is called Netfilter. The
- user-space utility to manage a firewall is iptables(8). See the<A href="http://netfilter.samba.org">
- netfilter/iptables web site</A> for details.</P>
-<H2><A name="filters">Filtering rules for IPsec packets</A></H2>
-<P>The basic constraint is that<STRONG> an IPsec gateway must have
- packet filters that allow IPsec packets</STRONG>, at least when talking
- to other IPsec gateways:</P>
-<UL>
-<LI>UDP port 500 for<A href="#IKE"> IKE</A> negotiations</LI>
-<LI>protocol 50 if you use<A href="#ESP"> ESP</A> encryption and/or
- authentication (the typical case)</LI>
-<LI>protocol 51 if you use<A href="#AH"> AH</A> packet-level
- authentication</LI>
-</UL>
-<P>Your gateway and the other IPsec gateways it communicates with must
- be able to exchange these packets for IPsec to work. Firewall rules
- must allow UDP 500 and at least one of<A href="#AH"> AH</A> or<A href="#ESP">
- ESP</A> on the interface that communicates with the other gateway.</P>
-<P>For nearly all FreeS/WAN applications, you must allow UDP port 500
- and the ESP protocol.</P>
-<P>There are two ways to set this up:</P>
-<DL>
-<DT>easier but less flexible</DT>
-<DD>Just set up your firewall scripts at boot time to allow IPsec
- packets to and from your gateway. Let FreeS/WAN reject any bogus
- packets.</DD>
-<DT>more work, giving you more precise control</DT>
-<DD>Have the<A href="manpage.d/ipsec_pluto.8.html"> ipsec_pluto(8)</A>
- daemon call scripts to adjust firewall rules dynamically as required.
- This is done by naming the scripts in the<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> variables<VAR> prepluto=</VAR>,<VAR> postpluto=</VAR>
-,<VAR> leftupdown=</VAR> and<VAR> rightupdown=</VAR>.</DD>
-</DL>
-<P>Both methods are described in more detail below.</P>
-<H2><A name="examplefw">Firewall configuration at boot</A></H2>
-<P>It is possible to set up both firewalling and IPsec with appropriate
- scripts at boot and then not use<VAR> leftupdown=</VAR> and<VAR>
- rightupdown=</VAR>, or use them only for simple up and down operations.</P>
-<P>Basically, the technique is</P>
-<UL>
-<LI>allow IPsec packets (typically, IKE on UDP port 500 plus ESP,
- protocol 50)
-<UL>
-<LI>incoming, if the destination address is your gateway (and
- optionally, only from known senders)</LI>
-<LI>outgoing, with the from address of your gateway (and optionally,
- only to known receivers)</LI>
-</UL>
-</LI>
-<LI>let<A href="#Pluto"> Pluto</A> deal with IKE</LI>
-<LI>let<A href="#KLIPS"> KLIPS</A> deal with ESP</LI>
-</UL>
-<P>Since Pluto authenticates its partners during the negotiation, and
- KLIPS drops packets for which no tunnel has been negotiated, this may
- be all you need.</P>
-<H3><A name="simple.rules">A simple set of rules</A></H3>
-<P>In simple cases, you need only a few rules, as in this example:</P>
-<PRE># allow IPsec
-#
-# IKE negotiations
-iptables -I INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
-iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
-# ESP encryption and authentication
-iptables -I INPUT  -p 50 -j ACCEPT
-iptables -I OUTPUT -p 50 -j ACCEPT
-</PRE>
-<P>This should be all you need to allow IPsec through<VAR> lokkit</VAR>,
- which ships with Red Hat 9, on its medium security setting. Once you've
- tweaked to your satisfaction, save your active rule set with:</P>
-<PRE>service iptables save</PRE>
-<H3><A name="complex.rules">Other rules</A></H3>
- You can add additional rules, or modify existing ones, to work with
- IPsec and with your network and policies. We give a some examples in
- this section.
-<P>However, while it is certainly possible to create an elaborate set of
- rules yourself (please let us know via the<A href="mail.html"> mailing
- list</A> if you do), it may be both easier and more secure to use a set
- which has already been published and tested.</P>
-<P>The published rule sets we know of are described in the<A href="#rules.pub">
- next section</A>.</P>
-<H4><A NAME="7_2_2_1">Adding additional rules</A></H4>
- If necessary, you can add additional rules to:
-<DL>
-<DT>reject IPsec packets that are not to or from known gateways</DT>
-<DD>This possibility is discussed in more detail<A href="#unknowngate">
- later</A></DD>
-<DT>allow systems behind your gateway to build IPsec tunnels that pass
- through the gateway</DT>
-<DD>This possibility is discussed in more detail<A href="#through">
- later</A></DD>
-<DT>filter incoming packets emerging from KLIPS.</DT>
-<DD>Firewall rules can recognise packets emerging from IPsec. They are
- marked as arriving on an interface such as<VAR> ipsec0</VAR>, rather
- than<VAR> eth0</VAR>,<VAR> ppp0</VAR> or whatever.</DD>
-</DL>
-<P>It is therefore reasonably straightforward to filter these packets in
- whatever way suits your situation.</P>
-<H4><A NAME="7_2_2_2">Modifying existing rules</A></H4>
-<P>In some cases rules that work fine before you add IPsec may require
- modification to work with IPsec.</P>
-<P>This is especially likely for rules that deal with interfaces on the
- Internet side of your system. IPsec adds a new interface; often the
- rules must change to take account of that.</P>
-<P>For example, consider the rules given in<A href="http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html">
- this section</A> of the Netfilter documentation:</P>
-<PRE>Most people just have a single PPP connection to the Internet, and don't
-want anyone coming back into their network, or the firewall:
-
-    ## Insert connection-tracking modules (not needed if built into kernel).
-    # insmod ip_conntrack
-    # insmod ip_conntrack_ftp
-
-    ## Create chain which blocks new connections, except if coming from inside.
-    # iptables -N block
-    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-    # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
-    # iptables -A block -j DROP
-
-    ## Jump to that chain from INPUT and FORWARD chains.
-    # iptables -A INPUT -j block
-    # iptables -A FORWARD -j block</PRE>
-<P>On an IPsec gateway, those rules may need to be modified. The above
- allows new connections from<EM> anywhere except ppp0</EM>. That means
- new connections from ipsec0 are allowed.</P>
-<P>Do you want to allow anyone who can establish an IPsec connection to
- your gateway to initiate TCP connections to any service on your
- network? Almost certainly not if you are using opportunistic
- encryption. Quite possibly not even if you have only explicitly
- configured connections.</P>
-<P>To disallow incoming connections from ipsec0, change the middle
- section above to:</P>
-<PRE>    ## Create chain which blocks new connections, except if coming from inside.
-    # iptables -N block
-    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-    # iptables -A block -m state --state NEW -i ppp+ -j DROP
-    # iptables -A block -m state --state NEW -i ipsec+ -j DROP
-    # iptables -A block -m state --state NEW -i -j ACCEPT
-    # iptables -A block -j DROP</PRE>
-<P>The original rules accepted NEW connections from anywhere except
- ppp0. This version drops NEW connections from any PPP interface (ppp+)
- and from any ipsec interface (ipsec+), then accepts the survivors.</P>
-<P>Of course, these are only examples. You will need to adapt them to
- your own situation.</P>
-<H3><A name="rules.pub">Published rule sets</A></H3>
-<P>Several sets of firewall rules that work with FreeS/WAN are
- available.</P>
-<H4><A name="Ranch.trinity">Scripts based on Ranch's work</A></H4>
-<P>One user, Rob Hutton, posted his boot time scripts to the mailing
- list, and we included them in previous versions of this documentation.
- They are still available from our<A href="http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/firewall.html#examplefw">
- web site</A>. However, they were for an earlier FreeS/WAN version so we
- no longer recommend them. Also, they had some bugs. See this<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/04/msg00316.html">
- message</A>.</P>
-<P>Those scripts were based on David Ranch's scripts for his &quot;Trinity
- OS&quot; for setting up a secure Linux. Check his<A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html">
- home page</A> for the latest version and for information on his<A href="#ranch">
- book</A> on securing Linux. If you are going to base your firewalling
- on Ranch's scripts, we recommend using his latest version, and sending
- him any IPsec modifications you make for incorporation into later
- versions.</P>
-<H4><A name="seawall">The Seattle firewall</A></H4>
-<P>We have had several mailing lists reports of good results using
- FreeS/WAN with Seawall (the Seattle Firewall). See that project's<A href="http://seawall.sourceforge.net/">
- home page</A> on Sourceforge.</P>
-<H4><A name="rcf">The RCF scripts</A></H4>
-<P>Another set of firewall scripts with IPsec support are the RCF or
- rc.firewall scripts. See their<A href="http://jsmoriss.mvlan.net/linux/rcf.html">
- home page</A>.</P>
-<H4><A name="asgard">Asgard scripts</A></H4>
-<P><A href="http://heimdall.asgardsrealm.net/linux/firewall/">Asgard's
- Realm</A> has set of firewall scripts with FreeS/WAN support, for 2.4
- kernels and iptables.</P>
-<H4><A name="user.scripts">User scripts from the mailing list</A></H4>
-<P>One user gave considerable detail on his scripts, including
- supporting<A href="#IPX"> IPX</A> through the tunnel. His message was
- too long to conveniently be quoted here, so I've put it in a<A href="user_examples.html">
- separate file</A>.</P>
-<H2><A name="updown">Calling firewall scripts, named in ipsec.conf(5)</A>
-</H2>
-<P>The<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A>
- configuration file has three pairs of parameters used to specify an
- interface between FreeS/WAN and firewalling code.</P>
-<P>Note that using these is not required if you have a static firewall
- setup. In that case, you just set your firewall up at boot time (in a
- way that permits the IPsec connections you want) and do not change it
- thereafter. Omit all the FreeS/WAN firewall parameters and FreeS/WAN
- will not attempt to adjust firewall rules at all. See<A href="#examplefw">
- above</A> for some information on appropriate scripts.</P>
-<P>However, if you want your firewall rules to change when IPsec
- connections change, then you need to use these parameters.</P>
-<H3><A name="pre_post">Scripts called at IPsec start and stop</A></H3>
-<P>One pair of parmeters are set in the<VAR> config setup</VAR> section
- of the<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> file and
- affect all connections:</P>
-<DL>
-<DT>prepluto=</DT>
-<DD>script to be called before<A href="manpage.d/ipsec_pluto.8.html">
- pluto(8)</A> IKE daemon is started.</DD>
-<DT>postpluto=</DT>
-<DD>script to be called after<A href="manpage.d/ipsec_pluto.8.html">
- pluto(8)</A> IKE daemon is stopped.</DD>
-</DL>
- These parameters allow you to change firewall parameters whenever IPsec
- is started or stopped.
-<P>They can also be used in other ways. For example, you might have<VAR>
- prepluto</VAR> add a module to your kernel for the secure network
- interface or make a dialup connection, and then have<VAR> postpluto</VAR>
- remove the module or take the connection down.</P>
-<H3><A name="up_down">Scripts called at connection up and down</A></H3>
-<P>The other parameters are set in connection descriptions. They can be
- set in individual connection descriptions, and could even call
- different scripts for each connection for maximum flexibility. In most
- applications, however, it makes sense to use only one script and to
- call it from<VAR> conn %default</VAR> section so that it applies to all
- connections.</P>
-<P>You can:</P>
-<DL>
-<DT><STRONG>either</STRONG></DT>
-<DD>set<VAR> leftfirewall=yes</VAR> or<VAR> rightfirewall=yes</VAR> to
- use our supplied default script</DD>
-<DT><STRONG>or</STRONG></DT>
-<DD>assign a name in a<VAR> leftupdown=</VAR> or<VAR> rightupdown=</VAR>
- line to use your own script</DD>
-</DL>
-<P>Note that<STRONG> only one of these should be used</STRONG>. You
- cannot sensibly use both. Since<STRONG> our default script is obsolete</STRONG>
- (designed for firewalls using<VAR> ipfwadm(8)</VAR> on 2.0 kernels),
- most users who need this service will<STRONG> need to write a custom
- script</STRONG>.</P>
-<H4><A name="fw.default">The default script</A></H4>
-<P>We supply a default script named<VAR> _updown</VAR>.</P>
-<DL>
-<DT>leftfirewall=</DT>
-<DD></DD>
-<DT>rightfirewall=</DT>
-<DD>indicates that the gateway is doing firewalling and that<A href="manpage.d/ipsec_pluto.8.html">
- pluto(8)</A> should poke holes in the firewall as required.</DD>
-</DL>
-<P>Set these to<VAR> yes</VAR> and Pluto will call our default script<VAR>
- _updown</VAR> with appropriate arguments whenever it:</P>
-<UL>
-<LI>starts or stops IPsec services</LI>
-<LI>brings a connection up or down</LI>
-</UL>
-<P>The supplied default<VAR> _updown</VAR> script is appropriate for
- simple cases using the<VAR> ipfwadm(8)</VAR> firewalling package.</P>
-<H4><A name="userscript">User-written scripts</A></H4>
-<P>You can also write your own script and have Pluto call it. Just put
- the script's name in one of these<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> lines:</P>
-<DL>
-<DT>leftupdown=</DT>
-<DD></DD>
-<DT>rightupdown=</DT>
-<DD>specifies a script to call instead of our default script<VAR>
- _updown</VAR>.</DD>
-</DL>
-<P>Your script should take the same arguments and use the same
- environment variables as<VAR> _updown</VAR>. See the &quot;updown command&quot;
- section of the<A href="manpage.d/ipsec_pluto.8.html"> ipsec_pluto(8)</A>
- man page for details.</P>
-<P>Note that<STRONG> you should not modify our _updown script in place</STRONG>
-. If you did that, then upgraded FreeS/WAN, the upgrade would install a
- new default script, overwriting your changes.</P>
-<H3><A name="ipchains.script">Scripts for ipchains or iptables</A></H3>
-<P>Our<VAR> _updown</VAR> is for firewalls using<VAR> ipfwadm(8)</VAR>,
- the firewall code for the 2.0 series of Linux kernels. If you are using
- the more recent packages<VAR> ipchains(8)</VAR> (for 2.2 kernels) or<VAR>
- iptables(8)</VAR> (2.4 kernels), then you must do one of:</P>
-<UL>
-<LI>use static firewall rules which are set up at boot time as described<A
-href="#examplefw"> above</A> and do not need to be changed by Pluto</LI>
-<LI>limit yourself to ipchains(8)'s ipfwadm(8) emulation mode in order
- to use our script</LI>
-<LI>write your own script and call it with<VAR> leftupdown</VAR> and<VAR>
- rightupdown</VAR>.</LI>
-</UL>
-<P>You can write a script to do whatever you need with firewalling.
- Specify its name in a<VAR> [left|right]updown=</VAR> parameter in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> and Pluto will automatically call it for you.</P>
-<P>The arguments Pluto passes such a script are the same ones it passes
- to our default _updown script, so the best way to build yours is to
- copy ours and modify the copy.</P>
-<P>Note, however, that<STRONG> you should not modify our _updown script
- in place</STRONG>. If you did that, then upgraded FreeS/WAN, the
- upgrade would install a new default script, overwriting your changes.</P>
-<H2><A name="NAT">A complication: IPsec vs. NAT</A></H2>
-<P><A href="#NAT.gloss">Network Address Translation</A>, also known as
- IP masquerading, is a method of allocating IP addresses dynamically,
- typically in circumstances where the total number of machines which
- need to access the Internet exceeds the supply of IP addresses.</P>
-<P>Any attempt to perform NAT operations on IPsec packets<EM> between
- the IPsec gateways</EM> creates a basic conflict:</P>
-<UL>
-<LI>IPsec wants to authenticate packets and ensure they are unaltered on
- a gateway-to-gateway basis</LI>
-<LI>NAT rewrites packet headers as they go by</LI>
-<LI>IPsec authentication fails if packets are rewritten anywhere between
- the IPsec gateways</LI>
-</UL>
-<P>For<A href="#AH"> AH</A>, which authenticates parts of the packet
- header including source and destination IP addresses, this is fatal. If
- NAT changes those fields, AH authentication fails.</P>
-<P>For<A href="#IKE"> IKE</A> and<A href="#ESP"> ESP</A> it is not
- necessarily fatal, but is certainly an unwelcome complication.</P>
-<H3><A name="nat_ok">NAT on or behind the IPsec gateway works</A></H3>
-<P>This problem can be avoided by having the masquerading take place<EM>
- on or behind</EM> the IPsec gateway.</P>
-<P>This can be done physically with two machines, one physically behind
- the other. A picture, using SG to indicate IPsec<STRONG> S</STRONG>
-ecurity<STRONG> G</STRONG>ateways, is:</P>
-<PRE>      clients --- NAT ----- SG ---------- SG
-                  two machines</PRE>
-<P>In this configuration, the actual client addresses need not be given
- in the<VAR> leftsubnet=</VAR> parameter of the FreeS/WAN connection
- description. The security gateway just delivers packets to the NAT box;
- it needs only that machine's address. What that machine does with them
- does not affect FreeS/WAN.</P>
-<P>A more common setup has one machine performing both functions:</P>
-<PRE>      clients ----- NAT/SG ---------------SG
-                  one machine</PRE>
-<P>Here you have a choice of techniques depending on whether you want to
- make your client subnet visible to clients on the other end:</P>
-<UL>
-<LI>If you want the single gateway to behave like the two shown above,
- with your clients hidden behind the NAT, then omit the<VAR> leftsubnet=</VAR>
- parameter. It then defaults to the gateway address. Clients on the
- other end then talk via the tunnel only to your gateway. The gateway
- takes packets emerging from the tunnel, applies normal masquerading,
- and forwards them to clients.</LI>
-<LI>If you want to make your client machines visible, then give the
- client subnet addresses as the<VAR> leftsubnet=</VAR> parameter in the
- connection description and
-<DL>
-<DT>either</DT>
-<DD>set<VAR> leftfirewall=yes</VAR> to use the default<VAR> updown</VAR>
- script</DD>
-<DT>or</DT>
-<DD>use your own script by giving its name in a<VAR> leftupdown=</VAR>
- parameter</DD>
-</DL>
- These scripts are described in their own<A href="#updown"> section</A>.
-<P>In this case, no masquerading is done. Packets to or from the client
- subnet are encrypted or decrypted without any change to their client
- subnet addresses, although of course the encapsulating packets use
- gateway addresses in their headers. Clients behind the right security
- gateway see a route via that gateway to the left subnet.</P>
-</LI>
-</UL>
-<H3><A name="nat_bad">NAT between gateways is problematic</A></H3>
-<P>We recommend not trying to build IPsec connections which pass through
- a NAT machine. This setup poses problems:</P>
-<PRE>      clients --- SG --- NAT ---------- SG</PRE>
-<P>If you must try it, some references are:</P>
-<UL>
-<LI>Jean_Francois Nadeau's document on doing<A href="http://jixen.tripod.com/#NATed gateways">
- IPsec behind NAT</A></LI>
-<LI><A href="#VPN.masq">VPN masquerade patches</A> to make a Linux NAT
- box handle IPsec packets correctly</LI>
-</UL>
-<H3><A name="NAT.ref">Other references on NAT and IPsec</A></H3>
-<P>Other documents which may be relevant include:</P>
-<UL>
-<LI>an Internet Draft on<A href="http://search.ietf.org/internet-drafts/draft-aboba-nat-ipsec-04.txt">
- IPsec and NAT</A> which may eventually evolve into a standard solution
- for this problem.</LI>
-<LI>an informational<A href="http://www.cis.ohio-state.edu/rfc/rfc2709.txt">
- RFC</A>,<CITE> Security Model with Tunnel-mode IPsec for NAT Domains</CITE>
-.</LI>
-<LI>an<A href="http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html">
- article</A> in Cisco's<CITE> Internet Protocol Journal</CITE></LI>
-</UL>
-<H2><A name="complications">Other complications</A></H2>
-<P>Of course simply allowing UDP 500 and ESP packets is not the whole
- story. Various other issues arise in making IPsec and packet filters
- co-exist and even co-operate. Some of them are summarised below.</P>
-<H3><A name="through">IPsec<EM> through</EM></A> the gateway</H3>
-<P>Basic IPsec packet filtering rules deal only with packets addressed
- to or sent from your IPsec gateway.</P>
-<P>It is a separate policy decision whether to permit such packets to
- pass through the gateway so that client machines can build end-to-end
- IPsec tunnels of their own. This may not be practical if you are using<A
-href="#NAT"> NAT (IP masquerade)</A> on your gateway, and may conflict
- with some corporate security policies.</P>
-<P>Where possible, allowing this is almost certainly a good idea. Using
- IPsec on an end-to-end basis is more secure than gateway-to-gateway.</P>
-<P>Doing it is quite simple. You just need firewall rules that allow UDP
- port 500 and protocols 50 and 51 to pass through your gateway. If you
- wish, you can of course restrict this to certain hosts.</P>
-<H3><A name="ipsec_only">Preventing non-IPsec traffic</A></H3>
- You can also filter<EM> everything but</EM> UDP port 500 and ESP or AH
- to restrict traffic to IPsec only, either for anyone communicating with
- your host or just for specific partners.
-<P>One application of this is for the telecommuter who might have:</P>
-<PRE>     Sunset==========West------------------East ================= firewall --- the Internet
-         home network      untrusted net        corporate network</PRE>
-<P>The subnet on the right is 0.0.0.0/0, the whole Internet. The West
- gateway is set up so that it allows only IPsec packets to East in or
- out.</P>
-<P>This configuration is used in AT&amp;T Research's network. For details,
- see the<A href="#applied"> papers</A> links in our introduction.</P>
-<P>Another application would be to set up firewall rules so that an
- internal machine, such as an employees-only web server, could not talk
- to the outside world except via specific IPsec tunnels.</P>
-<H3><A name="unknowngate">Filtering packets from unknown gateways</A></H3>
-<P>It is possible to use firewall rules to restrict UDP 500, ESP and AH
- packets so that these packets are accepted only from known gateways.
- This is not strictly necessary since FreeS/WAN will discard packets
- from unknown gateways. You might, however, want to do it for any of a
- number of reasons. For example:</P>
-<UL>
-<LI>Arguably, &quot;belt and suspenders&quot; is the sensible approach to
- security. If you can block a potential attack in two ways, use both.
- The only question is whether to look for a third way after implementing
- the first two.</LI>
-<LI>Some admins may prefer to use the firewall code this way because
- they prefer firewall logging to FreeS/WAN's logging.</LI>
-<LI>You may need it to implement your security policy. Consider an
- employee working at home, and a policy that says traffic from the home
- system to the Internet at large must go first via IPsec to the
- corporate LAN and then out to the Internet via the corporate firewall.
- One way to do that is to make<VAR> ipsec0</VAR> the default route on
- the home gateway and provide exceptions only for UDP 500 and ESP to the
- corporate gateway. Everything else is then routed via the tunnel to the
- corporate gateway.</LI>
-</UL>
-<P>It is not possible to use only static firewall rules for this
- filtering if you do not know the other gateways' IP addresses in
- advance, for example if you have &quot;road warriors&quot; who may connect from a
- different address each time or if want to do<A href="#carpediem">
- opportunistic encryption</A> to arbitrary gateways. In these cases, you
- can accept UDP 500 IKE packets from anywhere, then use the<A href="#updown">
- updown</A> script feature of<A href="manpage.d/ipsec_pluto.8.html">
- pluto(8)</A> to dynamically adjust firewalling for each negotiated
- tunnel.</P>
-<P>Firewall packet filtering does not much reduce the risk of a<A href="#DOS">
- denial of service attack</A> on FreeS/WAN. The firewall can drop
- packets from unknown gateways, but KLIPS does that quite efficiently
- anyway, so you gain little. The firewall cannot drop otherwise
- legitmate packets that fail KLIPS authentication, so it cannot protect
- against an attack designed to exhaust resources by making FreeS/WAN
- perform many expensive authentication operations.</P>
-<P>In summary, firewall filtering of IPsec packets from unknown gateways
- is possible but not strictly necessary.</P>
-<H2><A name="otherfilter">Other packet filters</A></H2>
-<P>When the IPsec gateway is also acting as your firewall, other packet
- filtering rules will be in play. In general, those are outside the
- scope of this document. See our<A href="#firewall.linux"> Linux
- firewall links</A> for information. There are a few types of packet,
- however, which can affect the operation of FreeS/WAN or of diagnostic
- tools commonly used with it. These are discussed below.</P>
-<H3><A name="ICMP">ICMP filtering</A></H3>
-<P><A href="#ICMP.gloss">ICMP</A> is the<STRONG> I</STRONG>nternet<STRONG>
- C</STRONG>ontrol<STRONG> M</STRONG>essage<STRONG> P</STRONG>rotocol. It
- is used for messages between IP implementations themselves, whereas IP
- used is used between the clients of those implementations. ICMP is,
- unsurprisingly, used for control messages. For example, it is used to
- notify a sender that a desination is not reachable, or to tell a router
- to reroute certain packets elsewhere.</P>
-<P>ICMP handling is tricky for firewalls.</P>
-<UL>
-<LI>You definitely want some ICMP messages to get through; things won't
- work without them. For example, your clients need to know if some
- destination they ask for is unreachable.</LI>
-<LI>On the other hand, you do equally definitely do not want untrusted
- folk sending arbitrary control messages to your machines. Imagine what
- someone moderately clever and moderately malicious could do to you,
- given control of your network's routing.</LI>
-</UL>
-<P>ICMP does not use ports. Messages are distinguished by a &quot;message
- type&quot; field and, for some types, by an additional &quot;code&quot; field. The
- definitive list of types and codes is on the<A href="http://www.iana.org">
- IANA</A> site.</P>
-<P>One expert uses this definition for ICMP message types to be dropped
- at the firewall.</P>
-<PRE># ICMP types which lack socially redeeming value.
-#  5     Redirect
-#  9     Router Advertisement
-# 10     Router Selection
-# 15     Information Request
-# 16     Information Reply
-# 17     Address Mask Request
-# 18     Address Mask Reply
-
-badicmp='5 9 10 15 16 17 18'</PRE>
-<P>A more conservative approach would be to make a list of allowed types
- and drop everything else.</P>
-<P>Whichever way you do it, your ICMP filtering rules on a FreeS/WAN
- gateway should allow at least the following ICMP packet types:</P>
-<DL>
-<DT>echo (type 8)</DT>
-<DD></DD>
-<DT>echo reply (type 0)</DT>
-<DD>These are used by ping(1). We recommend allowing both types through
- the tunnel and to or from your gateway's external interface, since
- ping(1) is an essential testing tool.
-<P>It is fairly common for firewalls to drop ICMP echo packets addressed
- to machines behind the firewall. If that is your policy, please create
- an exception for such packets arriving via an IPsec tunnel, at least
- during intial testing of those tunnels.</P>
-</DD>
-<DT>destination unreachable (type 3)</DT>
-<DD>This is used, with code 4 (Fragmentation Needed and Don't Fragment
- was Set) in the code field, to control<A href="#pathMTU"> path MTU
- discovery</A>. Since IPsec processing adds headers, enlarges packets
- and may cause fragmentation, an IPsec gateway should be able to send
- and receive these ICMP messages<STRONG> on both inside and outside
- interfaces</STRONG>.</DD>
-</DL>
-<H3><A name="traceroute">UDP packets for traceroute</A></H3>
-<P>The traceroute(1) utility uses UDP port numbers from 33434 to
- approximately 33633. Generally, these should be allowed through for
- troubleshooting.</P>
-<P>Some firewalls drop these packets to prevent outsiders exploring the
- protected network with traceroute(1). If that is your policy, consider
- creating an exception for such packets arriving via an IPsec tunnel, at
- least during intial testing of those tunnels.</P>
-<H3><A name="l2tp">UDP for L2TP</A></H3>
-<P> Windows 2000 does, and products designed for compatibility with it
- may, build<A href="#l2tp"> L2TP</A> tunnels over IPsec connections.</P>
-<P>For this to work, you must allow UDP protocol 1701 packets coming out
- of your tunnels to continue to their destination. You can, and probably
- should, block such packets to or from your external interfaces, but
- allow them from<VAR> ipsec0</VAR>.</P>
-<P>See also our Windows 2000<A href="interop.html#win2k"> interoperation
- discussion</A>.</P>
-<H2><A name="packets">How it all works: IPsec packet details</A></H2>
-<P>IPsec uses three main types of packet:</P>
-<DL>
-<DT><A href="#IKE">IKE</A> uses<STRONG> the UDP protocol and port 500</STRONG>
-.</DT>
-<DD>Unless you are using only (less secure, not recommended) manual
- keying, you need IKE to negotiate connection parameters, acceptable
- algorithms, key sizes and key setup. IKE handles everything required to
- set up, rekey, repair or tear down IPsec connections.</DD>
-<DT><A href="#ESP">ESP</A> is<STRONG> protocol number 50</STRONG></DT>
-<DD>This is required for encrypted connections.</DD>
-<DT><A href="#AH">AH</A> is<STRONG> protocol number 51</STRONG></DT>
-<DD>This can be used where only authentication, not encryption, is
- required.</DD>
-</DL>
-<P>All of those packets should have appropriate IPsec gateway addresses
- in both the to and from IP header fields. Firewall rules can check this
- if you wish, though it is not strictly necessary. This is discussed in
- more detail<A href="#unknowngate"> later</A>.</P>
-<P>IPsec processing of incoming packets authenticates them then removes
- the ESP or AH header and decrypts if necessary. Successful processing
- exposes an inner packet which is then delivered back to the firewall
- machinery, marked as having arrived on an<VAR> ipsec[0-3]</VAR>
- interface. Firewall rules can use that interface label to distinguish
- these packets from unencrypted packets which are labelled with the
- physical interface they arrived on (or perhaps with a non-IPsec virtual
- interface such as<VAR> ppp0</VAR>).</P>
-<P>One of our users sent a mailing list message with a<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00006.html">
- diagram</A> of the packet flow.</P>
-<H3><A name="noport">ESP and AH do not have ports</A></H3>
-<P>Some protocols, such as TCP and UDP, have the notion of ports. Others
- protocols, including ESP and AH, do not. Quite a few IPsec newcomers
- have become confused on this point. There are no ports<EM> in</EM> the
- ESP or AH protocols, and no ports used<EM> for</EM> them. For these
- protocols,<EM> the idea of ports is completely irrelevant</EM>.</P>
-<H3><A name="header">Header layout</A></H3>
-<P>The protocol numbers for ESP or AH are used in the 'next header'
- field of the IP header. On most non-IPsec packets, that field would
- have one of:</P>
-<UL>
-<LI>1 for ICMP</LI>
-<LI>4 for IP-in-IP encapsulation</LI>
-<LI>6 for TCP</LI>
-<LI>17 for UDP</LI>
-<LI>... or one of about 100 other possibilities listed by<A href="http://www.iana.org">
- IANA</A></LI>
-</UL>
-<P>Each header in the sequence tells what the next header will be. IPsec
- adds headers for ESP or AH near the beginning of the sequence. The
- original headers are kept and the 'next header' fields adjusted so that
- all headers can be correctly interpreted.</P>
-<P>For example, using<STRONG> [</STRONG><STRONG> ]</STRONG> to indicate
- data protected by ESP and unintelligible to an eavesdropper between the
- gateways:</P>
-<UL>
-<LI>a simple packet might have only IP and TCP headers with:
-<UL>
-<LI>IP header says next header --&gt; TCP</LI>
-<LI>TCP header port number --&gt; which process to send data to</LI>
-<LI>data</LI>
-</UL>
-</LI>
-<LI>with ESP<A href="#transport"> transport mode</A> encapsulation, that
- packet would have:
-<UL>
-<LI>IP header says next header --&gt; ESP</LI>
-<LI>ESP header<STRONG> [</STRONG> says next --&gt; TCP</LI>
-<LI>TCP header port number --&gt; which process to send data to</LI>
-<LI>data<STRONG> ]</STRONG></LI>
-</UL>
- Note that the IP header is outside ESP protection, visible to an
- attacker, and that the final destination must be the gateway.</LI>
-<LI>with ESP in<A href="#tunnel"> tunnel mode</A>, we might have:
-<UL>
-<LI>IP header says next header --&gt; ESP</LI>
-<LI>ESP header<STRONG> [</STRONG> says next --&gt; IP</LI>
-<LI>IP header says next header --&gt; TCP</LI>
-<LI>TCP header port number --&gt; which process to send data to</LI>
-<LI>data<STRONG> ]</STRONG></LI>
-</UL>
- Here the inner IP header is protected by ESP, unreadable by an
- attacker. Also, the inner header can have a different IP address than
- the outer IP header, so the decrypted packet can be routed from the
- IPsec gateway to a final destination which may be another machine.</LI>
-</UL>
-<P>Part of the ESP header itself is encrypted, which is why the<STRONG>
- [</STRONG> indicating protected data appears in the middle of some
- lines above. The next header field of the ESP header is protected. This
- makes<A href="#traffic"> traffic analysis</A> more difficult. The next
- header field would tell an eavesdropper whether your packet was UDP to
- the gateway, TCP to the gateway, or encapsulated IP. It is better not
- to give this information away. A clever attacker may deduce some of it
- from the pattern of packet sizes and timings, but we need not make it
- easy.</P>
-<P>IPsec allows various combinations of these to match local policies,
- including combinations that use both AH and ESP headers or that nest
- multiple copies of these headers.</P>
-<P>For example, suppose my employer has an IPsec VPN running between two
- offices so all packets travelling between the gateways for those
- offices are encrypted. If gateway policies allow it (The admins could
- block UDP 500 and protocols 50 and 51 to disallow it), I can build an
- IPsec tunnel from my desktop to a machine in some remote office. Those
- packets will have one ESP header throughout their life, for my
- end-to-end tunnel. For part of the route, however, they will also have
- another ESP layer for the corporate VPN's encapsulation. The whole
- header scheme for a packet on the Internet might be:</P>
-<UL>
-<LI>IP header (with gateway address) says next header --&gt; ESP</LI>
-<LI>ESP header<STRONG> [</STRONG> says next --&gt; IP</LI>
-<LI>IP header (with receiving machine address) says next header --&gt; ESP</LI>
-<LI>ESP header<STRONG> [</STRONG> says next --&gt; TCP</LI>
-<LI>TCP header port number --&gt; which process to send data to</LI>
-<LI>data<STRONG> ]]</STRONG></LI>
-</UL>
-<P>The first ESP (outermost) header is for the corporate VPN. The inner
- ESP header is for the secure machine-to-machine link.</P>
-<H3><A name="dhr">DHR on the updown script</A></H3>
-<P>Here are some mailing list comments from<A href="manpage.d/ipsec_pluto.8.html">
- pluto(8)</A> developer Hugh Redelmeier on an earlier draft of this
- document:</P>
-<PRE>There are many important things left out
-
-- firewalling is important but must reflect (implement) policy.  Since
-  policy isn't the same for all our customers, and we're not experts,
-  we should concentrate on FW and MASQ interactions with FreeS/WAN.
-
-- we need a diagram to show packet flow WITHIN ONE MACHINE, assuming
-  IKE, IPsec, FW, and MASQ are all done on that machine.  The flow is
-  obvious if the components are run on different machines (trace the
-  cables).
-
-  IKE input:
-        + packet appears on public IF, as UDP port 500
-        + input firewalling rules are applied (may discard)
-        + Pluto sees the packet.
-
-  IKE output:
-        + Pluto generates the packet &amp; writes to public IF, UDP port 500
-        + output firewalling rules are applied (may discard)
-        + packet sent out public IF
-
-  IPsec input, with encapsulated packet, outer destination of this host:
-        + packet appears on public IF, protocol 50 or 51.  If this
-          packet is the result of decapsulation, it will appear
-          instead on the paired ipsec IF.
-        + input firewalling rules are applied (but packet is opaque)
-        + KLIPS decapsulates it, writes result to paired ipsec IF
-        + input firewalling rules are applied to resulting packet
-          as input on ipsec IF
-        + if the destination of the packet is this machine, the
-          packet is passed on to the appropriate protocol handler.
-          If the original packet was encapsulated more than once
-          and the new outer destination is this machine, that
-          handler will be KLIPS.
-        + otherwise:
-          * routing is done for the resulting packet.  This may well
-            direct it into KLIPS for encoding or encrypting.  What
-            happens then is described elsewhere.
-          * forwarding firewalling rules are applied
-          * output firewalling rules are applied
-          * the packet is sent where routing specified
-
- IPsec input, with encapsulated packet, outer destination of another host:
-        + packet appears on some IF, protocol 50 or 51
-        + input firewalling rules are applied (but packet is opaque)
-        + routing selects where to send the packet
-        + forwarding firewalling rules are applied (but packet is opaque)
-        + packet forwarded, still encapsulated
-
-  IPsec output, from this host or from a client:
-        + if from a client, input firewalling rules are applied as the
-          packet arrives on the private IF
-        + routing directs the packet to an ipsec IF (this is how the
-          system decides KLIPS processing is required)
-        + if from a client, forwarding firewalling rules are applied
-        + KLIPS eroute mechanism matches the source and destination
-          to registered eroutes, yielding a SPI group.  This dictates
-          processing, and where the resulting packet is to be sent
-          (the destinations SG and the nexthop).
-        + output firewalling is not applied to the resulting
-          encapsulated packet
-
-- Until quite recently, KLIPS would double encapsulate packets that
-  didn't strictly need to be.  Firewalling should be prepared for
-  those packets showing up as ESP and AH protocol input packets on
-  an ipsec IF.
-
-- MASQ processing seems to be done as if it were part of the
-  forwarding firewall processing (this should be verified).
-
-- If a firewall is being used, it is likely the case that it needs to
-  be adjusted whenever IPsec SAs are added or removed.  Pluto invokes
-  a script to do this (and to adjust routing) at suitable times.  The
-  default script is only suitable for ipfwadm-managed firewalls.  Under
-  LINUX 2.2.x kernels, ipchains can be managed by ipfwadm (emulation),
-  but ipchains more powerful if manipulated using the ipchains command.
-  In this case, a custom updown script must be used.
-
-  We think that the flexibility of ipchains precludes us supplying an
-  updown script that would be widely appropriate.</PRE>
-<HR>
-<H1><A NAME="trouble"></A>Linux FreeS/WAN Troubleshooting Guide</H1>
-<H2><A NAME="overview"></A>Overview</H2>
-<P> This document covers several general places where you might have a
- problem:</P>
-<OL>
-<LI><A HREF="#install">During install</A>.</LI>
-<LI><A HREF="#negotiation">During the negotiation process</A>.</LI>
-<LI><A HREF="#use">Using an established connection</A>.</LI>
-</OL>
-<P>This document also contains<A HREF="#notes"> notes</A> which expand
- on points made in these sections, and tips for<A HREF="#prob.report">
- problem reporting</A>. If the other end of your connection is not
- FreeS/WAN, you'll also want to read our<A HREF="interop.html#interop.problem">
- interoperation</A> document.</P>
-<H2><A NAME="install"></A>1. During Install</H2>
-<H3><A NAME="8_2_1">1.1 RPM install gotchas</A></H3>
-<P>With the RPM method:</P>
-<UL>
-<LI>Be sure you have installed both the userland tools and the kernel
- components. One will not work without the other. For example, when
- using FreeS/WAN-produced RPMs for our 2.04 release, you need both:
-<PRE>    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm
-    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm
-</PRE>
-</LI>
-</UL>
-<H3><A NAME="8_2_2">1.2 Problems installing from source</A></H3>
-<P>When installing from source, you may find these problems:</P>
-<UL>
-<LI>Missing library. See<A HREF="#gmp.h_missing"> this</A> FAQ.</LI>
-<LI>Missing utilities required for compile. See this<A HREF="install.html#tool.lib">
- checklist</A>.</LI>
-<LI>Kernel version incompatibility. See<A HREF="#k.versions"> this</A>
- FAQ.</LI>
-<LI>Another compile problem. Find information in the out.* files, ie.
- out.kpatch, out.kbuild, created at compile time in the top-level Linux
- FreeS/WAN directory. Error messages generated by KLIPS during the boot
- sequence are accessible with the<VAR> dmesg</VAR> command.
-<BR> Check the list archives and the List in Brief to see if this is a
- known issue. If it is not, report it to the bugs list as described in
- our<A HREF="#prob.report"> problem reporting</A> section. In some
- cases, you may be asked to provide debugging information using gdb;
- details<A HREF="#gdb"> below</A>.</LI>
-<LI>If your kernel compiles but you fail to install your new
- FreeS/WAN-enabled kernel, review the sections on<A HREF="install.html#newk">
- installing the patched kernel</A>, and<A HREF="#testinstall"> testing</A>
- to see if install succeeded.</LI>
-</UL>
-<H3><A NAME="install.check"></A>1.3 Install checks</H3>
-<P><VAR>ipsec verify</VAR> checks a number of FreeS/WAN essentials. Here
- are some hints on what do to when your system doesn't check out:</P>
-<P></P>
-<TABLE border="1">
-<TR><TD><STRONG>Problem</STRONG></TD><TD><STRONG>Status</STRONG></TD><TD>
-<STRONG>Action</STRONG></TD></TR>
-<TR><TD><VAR>ipsec</VAR> not on-path</TD><TD>&nbsp;</TD><TD>
-<P>Add<VAR> /usr/local/sbin</VAR> to your PATH.</P>
-</TD></TR>
-<TR><TD>Missing KLIPS support</TD><TD><FONT COLOR="#FF0000">critical</FONT>
-</TD><TD>See<A HREF="#noKLIPS"> this FAQ.</A></TD></TR>
-<TR><TD>No RSA private key</TD><TD>&nbsp;</TD><TD>
-<P>Follow<A HREF="install.html#genrsakey"> these instructions</A> to
- create an RSA key pair for your host. RSA keys are:</P>
-<UL>
-<LI>required for opportunistic encryption, and</LI>
-<LI>our preferred method to authenticate pre-configured connections.</LI>
-</UL>
-</TD></TR>
-<TR><TD><VAR>pluto</VAR> not running</TD><TD><FONT COLOR="#FF0000">
-critical</FONT></TD><TD>
-<PRE>service ipsec start</PRE>
-</TD></TR>
-<TR><TD>No port 500 hole</TD><TD><FONT COLOR="#FF0000">critical</FONT></TD><TD>
-Open port 500 for IKE negotiation.</TD></TR>
-<TR><TD>Port 500 check N/A</TD><TD>&nbsp;</TD><TD>Check that port 500 is open
- for IKE negotiation.</TD></TR>
-<TR><TD>Failed DNS checks</TD><TD>&nbsp;</TD><TD>Opportunistic encryption
- requires information from DNS. To set this up, see<A HREF="#opp.setup">
- our instructions</A>.</TD></TR>
-<TR><TD>No public IP address</TD><TD>&nbsp;</TD><TD>Check that the interface
- which you want to protect with IPSec is up and running.</TD></TR>
-</TABLE>
-<H3><A NAME="oe.trouble"></A>1.3 Troubleshooting OE</H3>
-<P>OE should work with no local configuration, if you have posted DNS
- TXT records according to the instructions in our<A HREF="quickstart.html">
- quickstart guide</A>. If you encounter trouble, try these hints. We
- welcome additional hints via the<A HREF="mail.html"> users' mailing
- list</A>.</P>
-<TABLE border="1">
-<TR><TD><STRONG>Symptom</STRONG></TD><TD><STRONG>Problem</STRONG></TD><TD>
-<STRONG>Action</STRONG></TD></TR>
-<TR><TD> You're running FreeS/WAN 2.01 (or later), and initiating a
- connection to FreeS/WAN 2.00 (or earlier). In your logs, you see a
- message like:
-<PRE>no RSA public key known for '192.0.2.13';
-DNS search for KEY failed (no KEY record
-for 13.2.0.192.in-addr.arpa.)</PRE>
- The older FreeS/WAN logs no error.</TD><TD><A NAME="oe.trouble.flagday">
-</A> A protocol level incompatibility between 2.01 (or later) and 2.00
- (or earlier) causes this error. It occurs when a FreeS/WAN 2.01 (or
- later) box for which no KEY record is posted attempts to initiate an OE
- connection to older FreeS/WAN versions (2.00 and earlier). Note that
- older versions can initiate to newer versions without this error.</TD><TD>
-If you control the peer host, upgrade its FreeS/WAN to 2.01 (or later),
- and post new style TXT records for it. If not, but if you know its
- sysadmin, perhaps a quick note is in order. If neither option is
- possible, you can ease the transition by posting an old style KEY
- record (created with a command like &quot;ipsec&nbsp;showhostkey&nbsp;--key&quot;) to the
- reverse map for the FreeS/WAN 2.01 (or later) box.</TD></TR>
-<TR><TD>OE host is very slow to contact other hosts.</TD><TD>Slow DNS
- service while running OE.</TD><TD>It's a good idea to run a caching DNS
- server on your OE host, as outlined in<A HREF="http://lists.freeswan.org/pipermail/design/2003-January/004205.html">
- this mailing list message</A>. If your DNS servers are elsewhere, put
- their IPs in the<VAR> clear</VAR> policy group, and re-read groups with
-<PRE>ipsec auto --rereadgroups</PRE>
-</TD></TR>
-<TR><TD>
-<PRE>Can't Opportunistically initiate for
-192.0.2.2 to 192.0.2.3: no TXT record
-for 13.2.0.192.in-addr.arpa.</PRE>
-</TD><TD>Peer is not set up for OE.</TD><TD>
-<P>None. Plenty of hosts on the Internet do not run OE. If, however, you
- have set OE up on that peer, this may indicate that you need to wait up
- to 48 hours for its DNS records to propagate.</P>
-</TD></TR>
-<TR><TD><VAR>ipsec verify</VAR> does not find DNS records:
-<PRE>...
-Looking for TXT in forward map:
-                xy.example.com...[FAILED]
-Looking for TXT in reverse map...[FAILED]
-...</PRE>
- You also experience authentication failure:
-<BR>
-<PRE>Possible authentication failure:
-no acceptable response to our
-first encrypted message</PRE>
-</TD><TD>DNS records are not posted or have not propagated.</TD><TD>Did
- you post the DNS records necessary for OE? If not, do so using the
- instructions in our<A HREF="#quickstart"> quickstart guide</A>. If so,
- wait up to 48 hours for the DNS records to propagate.</TD></TR>
-<TR><TD><VAR>ipsec verify</VAR> does not find DNS records, and you
- experience authentication failure.</TD><TD>For iOE, your ID does not
- match location of forward DNS record.</TD><TD>In<VAR> config setup</VAR>
-, change<VAR> myid=</VAR> to match the forward DNS where you posted the
- record. Restart FreeS/WAN. For reference, see our<A HREF="#opp.client">
- iOE instructions</A>.</TD></TR>
-<TR><TD><VAR>ipsec verify</VAR> finds DNS records, yet there is still
- authentication failure. ( ? )</TD><TD>DNS records are malformed.</TD><TD>
-Re-create the records and send new copies to your DNS administrator.</TD>
-</TR>
-<TR><TD><VAR>ipsec verify</VAR> finds DNS records, yet there is still
- authentication failure. ( ? )</TD><TD>DNS records show different keys
- for a gateway vs. its subnet hosts.</TD><TD>All TXT records for boxes
- protected by an OE gateway must contain the gateway's public key.
- Re-create and re-post any incorrect records using<A HREF="#opp.incoming">
- these instructions</A>.</TD></TR>
-<TR><TD>OE gateway loses connectivity to its subnet. The gateway's
- routing table shows routes to the subnet through IPsec interfaces.</TD><TD>
-The subnet is part of the<VAR> private</VAR> or<VAR> block</VAR> policy
- group on the gateway.</TD><TD>Remove the subnet from the group, and
- reread groups with
-<PRE>ipsec auto --rereadgroups</PRE>
-</TD></TR>
-<TR><TD>OE does not work to hosts on the local LAN.</TD><TD>This is a
- known issue.</TD><TD>See<A HREF="opportunism.known-issues"> this list</A>
- of known issues with OE.</TD></TR>
-<TR><TD>FreeS/WAN does not seem to be executing your default policy. In
- your logs, you see a message like:
-<PRE>/etc/ipsec.d/policies/iprivate-or-clear&quot;
-line 14: subnet &quot;0.0.0.0/0&quot;,
-source 192.0.2.13/32,
-already &quot;private-or-clear&quot;</PRE>
-</TD><TD><A HREF="#fullnet">Fullnet</A> in a policy group file defines
- your default policy. Fullnet should normally be present in only one
- policy group file. The fine print: you can have two default policies
- defined so long as they protect different local endpoints (e.g. the
- FreeS/WAN gateway and a subnet).</TD><TD> Find all policies which
- contain fullnet with:
-<BR>
-<PRE>grep -F 0.0.0.0/0 /etc/ipsec.d/policies/*</PRE>
- then remove the unwanted occurrence(s).</TD></TR>
-</TABLE>
-<H2><A NAME="negotiation"></A>2. During Negotiation</H2>
-<P>When you fail to bring up a tunnel, you'll need to find out:</P>
-<UL>
-<LI><A HREF="#state">what your connection state is,</A> and often</LI>
-<LI><A HREF="#find.pluto.error">an error message</A>.</LI>
-</UL>
-<P>before you can<A HREF="#interpret.pluto.error"> diagnose your problem</A>
-.</P>
-<H3><A NAME="state"></A>2.1 Determine Connection State</H3>
-<H4><A NAME="8_3_1_1">Finding current state</A></H4>
-<P>You can see connection states (STATE_MAIN_I1 and so on) when you
- bring up a connection on the command line. If you have missed this, or
- brought up your connection automatically, use:</P>
-<PRE>ipsec auto --status</PRE>
-<P>The most relevant state is the last one reached.</P>
-<H4><A NAME="8_3_1_2"><VAR>What's this supposed to look like?</VAR></A></H4>
-<P>Negotiations should proceed though various states, in the processes
- of:</P>
-<OL>
-<LI>IKE negotiations (aka Phase 1, Main Mode, STATE_MAIN_*)</LI>
-<LI>IPSEC negotiations (aka Phase 2, Quick Mode, STATE_QUICK_*)</LI>
-</OL>
-<P>These are done and a connection is established when you see messages
- like:</P>
-<PRE>    000 #21: &quot;myconn&quot; STATE_MAIN_I4 (ISAKMP SA established)...
-    000 #2: &quot;myconn&quot; STATE_QUICK_I2 (sent QI2, IPsec SA established)...</PRE>
-<P> Look for the key phrases are &quot;ISAKMP SA established&quot; and &quot;IPSec SA
- established&quot;, with the relevant connection name. Often, this happens at
- STATE_MAIN_I4 and STATE_QUICK_I2, respectively.</P>
-<P><VAR>ipsec auto --status</VAR> will tell you what states<STRONG> have
- been achieved</STRONG>, rather than the current state. Since
- determining the current state is rather more difficult to do, current
- state information is not available from Linux FreeS/WAN. If you are
- actively bringing a connection up, the status report's last states for
- that connection likely reflect its current state. Beware, though, of
- the case where a connection was correctly brought up but is now downed:
- Linux FreeS/WAN will not notice this until it attempts to rekey.
- Meanwhile, the last known state indicates that the connection has been
- established.</P>
-<P>If your connection is stuck at STATE_MAIN_I1, skip straight to<A HREF="#ikepath">
- here</A>.</P>
-<H3><A NAME="find.pluto.error"></A>2.2 Finding error text</H3>
-<P>Solving most errors will require you to find verbose error text,
- either on the command line or in the logs.</P>
-<H4><A NAME="8_3_2_1">Verbose start for more information</A></H4>
-<P> Note that you can get more detail from<VAR> ipsec auto</VAR> using
- the --verbose flag:</P>
-<PRE STYLE="margin-bottom: 0.2in">    ipsec auto --verbose --up west-east</PRE>
-<P> More complete information can be gleaned from the<A HREF="#logusage">
- log files</A>.</P>
-<H4><A NAME="8_3_2_2">Debug levels count</A></H4>
-<P>The amount of description you'll get here depends on ipsec.conf debug
- settings,<VAR> klipsdebug</VAR>= and<VAR> plutodebug</VAR>=. When
- troubleshooting, set at least one of these to<VAR> all</VAR>, and when
- done, reset it to<VAR> none</VAR> so your logs don't fill up. Note that
- you must have enabled the<VAR> klipsdebug</VAR><A HREF="install.html#allbut">
- compile-time option</A> for the<VAR> klipsdebug</VAR> configuration
- switch to work.</P>
-<P>For negotiation problems<VAR> plutodebug</VAR> is most relevant.<VAR>
- klipsdebug</VAR> applies mainly to attempts to use an
- already-established connection. See also<A HREF="#parts"> this</A>
- description of the division of duties within Linux FreeS/WAN.</P>
-<P>After raising your debug levels, restart Linux FreeS/WAN to ensure
- that ipsec.conf is reread, then recreate the error to generate verbose
- logs.</P>
-<H4><A NAME="8_3_2_3"><VAR>ipsec barf</VAR> for lots of debugging
- information</A></H4>
-<P><A HREF="manpage.d/ipsec_barf.8.html"><VAR> ipsec barf (8)</VAR></A>
- collects a bunch of useful debugging information, including these logs
- Use the command</P>
-<PRE>
-    ipsec barf &gt; barf.west
-</PRE>
-<P>to generate one.</P>
-<H4><A NAME="8_3_2_4">Find the error</A></H4>
-<P>Search out the failure point in your logs. Are there a handful of
- lines which succinctly describe how things are going wrong or contrary
- to your expectation? Sometimes the failure point is not immediately
- obvious: Linux FreeS/WAN's errors are usually not marked &quot;Error&quot;. Have
- a look in the<A HREF="faq.html"> FAQ</A> for what some common failures
- look like.</P>
-<P>Tip: problems snowball. Focus your efforts on the first problem,
- which is likely to be the cause of later errors.</P>
-<H4><A NAME="8_3_2_5">Play both sides</A></H4>
-<P>Also find error text on the peer IPSec box. This gives you two
- perspectives on the same failure.</P>
-<P>At times you will require information which only one side has. The
- peer can merely indicate the presence of an error, and its approximate
- point in the negotiations. If one side keeps retrying, it may be
- because there is a show stopper on the other side. Have a look at the
- other side and figure out what it doesn't like.</P>
-<P>If the other end is not Linux FreeS/WAN, the principle is the same:
- replicate the error with its most verbose logging on, and capture the
- output to a file.</P>
-<H3><A NAME="interpret.pluto.error"></A>2.3 Interpreting a Negotiation
- Error</H3>
-<H4><A NAME="ikepath"></A>Connection stuck at STATE_MAIN_I1</H4>
-<P>This error commonly happens because IKE (port 500) packets, needed to
- negotiate an IPSec connection, cannot travel freely between your IPSec
- gateways. See<A HREF="#packets"> our firewall document</A> for details.</P>
-<H4><A NAME="8_3_3_2">Other errors</A></H4>
-<P>Other errors require a bit more digging. Use the following resources:</P>
-<UL>
-<LI><A HREF="faq.html">the FAQ</A> . Since this document is constantly
- updated, the snapshot's FAQ may have a new entry relevant to your
- problem.</LI>
-<LI>our<A HREF="background.html"> background document</A> . Special
- considerations which, while not central to Linux FreeS/WAN, are often
- tripped over. Includes problems with<A href="#MTU.trouble"> packet
- fragmentation</A>, and considerations for testing opportunism.</LI>
-<LI>the<A HREF="#lists"> list archives</A>. Each of the searchable
- archives works differently, so it's worth checking each. Use a search
- term which is generic, but identifies your error, for example &quot;No
- connection is known for&quot;.
-<BR> Often, you will find that your question has been answered in the
- past. Finding an archived answer is quicker than asking the list. You
- may, however, find similar questions without answers. If you do, send
- their URLs to the list with your trouble report. The additional
- examples may help the list tech support person find your answer.</LI>
-<LI>Look into the code where the error is being generated. The pluto
- code is nicely documented with comments and meaningful variable names.</LI>
-</UL>
-<P>If you have failed to solve your problem with the help of these
- resources, send a detailed problem report to the users list, following
- these<A HREF="#prob.report"> guidelines</A>.</P>
-<H2><A NAME="use"></A>3. Using a Connection</H2>
-<H3><A NAME="8_4_1">3.1 Orienting yourself</A></H3>
-<H4><A NAME="8_4_1_1"><VAR>How do I know if it works?</VAR></A></H4>
-<P>Test your connection by sending packets through it. The simplest way
- to do this is with ping, but the ping needs to<STRONG> test the correct
- tunnel.</STRONG> See<A HREF="#testgates"> this example scenario</A> if
- you don't understand this.</P>
-<P></P>
-<P>If your ping returns, test any other connections you've brought u all
- check out, great. You may wish to<A HREF="#bigpacket"> test with large
- packets</A> for MTU problems.</P>
-<H4><A NAME="8_4_1_2"><VAR>ipsec barf</VAR> is useful again</A></H4>
-<P>If your ping fails to return, generate an ipsec barf debugging report
- on each IPSec gateway. On a non-Linux FreeS/WAN implementation, gather
- equivalent information. Use this, and the tips in the next sections, to
- troubleshoot. Are you sure that both endpoints are capable of hearing
- and responding to ping?</P>
-<H3><A NAME="8_4_2">3.2 Those pesky configuration errors</A></H3>
-<P>IPSec may be dropping your ping packets since they do not belong in
- the tunnels you have constructed:</P>
-<UL>
-<LI>Your ping may not test the tunnel you intend to test. For details,
- see our<A HREF="#cantping"> &quot;I can't ping&quot;</A> FAQ.</LI>
-<LI> Alternately, you may have a configuration error. For example, you
- may have configured one of the four possible tunnels between two
- gateways, but not the one required to secure the important traffic
- you're now testing. In this case, add and start the tunnel, and try
- again.</LI>
-</UL>
-<P>In either case, you will often see a message like:</P>
-<PRE>klipsdebug... no eroute</PRE>
-<P>which we discuss in<A HREF="#no_eroute"> this FAQ</A>.</P>
-<P>Note:</P>
-<UL>
-<LI><A HREF="#NAT.gloss">Network Address Translation (NAT)</A> and<A HREF="#masq">
- IP masquerade</A> may have an effect on which tunnels you need to
- configure.</LI>
-<LI>When testing a tunnel that protects a multi-node subnet, try several
- subnet nodes as ping targets, in case one node is routing incorrectly.</LI>
-</UL>
-<H3><A NAME="route.firewall"></A>3.3 Check Routing and Firewalling</H3>
-<P>If you've confirmed your configuration assumptions, the problem is
- almost certainly with routing or firewalling. Isolate the problem using
- interface statistics, firewall statistics, or a packet sniffer.</P>
-<H4><A NAME="8_4_3_1">Background:</A></H4>
-<UL>
-<LI>Linux FreeS/WAN supplies all the special routing it needs; you need
- only route packets out through your IPSec gateway. Verify that on the<VAR>
- subnetted</VAR> machines you are using for your ping-test, your routing
- is as expected. I have seen a tunnel &quot;fail&quot; because the subnet machine
- sending packets out an alternate gateway (not our IPSec gateway) on
- their return path.</LI>
-<LI>Linux FreeS/WAN requires particular<A HREF="firewall.html">
- firewalling considerations</A>. Check the firewall rules on your IPSec
- gateways and ensure that they allow IPSec traffic through. Be sure that
- no other machine - for example a router between the gateways - is
- blocking your IPSec packets.</LI>
-</UL>
-<H4><A NAME="ifconfig"></A>View Interface and Firewall Statistics</H4>
-<P>Interface reports and firewall statistics can help you track down
- lost packets at a glance. Check any firewall statistics you may be
- keeping on your IPSec gateways, for dropped packets.</P>
-<P><STRONG>Tip</STRONG>: You can take a snapshot of the packets
- processed by your firewall with:</P>
-<PRE>    iptables -L -n -v</PRE>
-<P>You can get creative with &quot;diff&quot; to find out what happens to a
- particular packet during transmission.</P>
-<P>Both<VAR> cat /proc/net/dev</VAR> and<VAR> ifconfig</VAR> display
- interface statistics, and both are included in<VAR> ipsec barf</VAR>.
- Use either to check if any interface has dropped packets. If you find
- that one has, test whether this is related to your ping. While you ping
- continuously, print that interface's statistics several times. Does its
- drop count increase in proportion to the ping? If so, check why the
- packets are dropped there.</P>
-<P>To do this, look at the firewall rules that apply to that interface.
- If the interface is an IPSec interface, more information may be
- available in the log. Grep for the word &quot;drop&quot; in a log which was
- created with<VAR> klipsdebug=all</VAR> as the error happened.</P>
-<P>See also this<A HREF="#ifconfig1"> discussion</A> on interpreting<VAR>
- ifconfig</VAR> statistics.</P>
-<H3><A NAME="sniff"></A>3.4 When in doubt, sniff it out</H3>
-<P>If you have checked configuration assumptions, routing, and firewall
- rules, and your interface statistics yield no clue, it remains for you
- to investigate the mystery of the lost packet by the most thorough
- method: with a packet sniffer (providing, of course, that this is legal
- where you are working).</P>
-<P>In order to detect packets on the ipsec virtual interfaces, you will
- need an up-to-date sniffer (tcpdump, ethereal, ksnuffle) on your IPSec
- gateway machines. You may also find it useful to sniff the ping
- endpoints.</P>
-<H4><A NAME="8_4_4_1">Anticipate your packets' path</A></H4>
-<P>Ping, and examine each interface along the projected path, checking
- for your ping's arrival. If it doesn't get to the the next stop, you
- have narrowed down where to look for it. In this way, you can isolate a
- problem area, and narrow your troubleshooting focus.</P>
-<P>Within a machine running Linux FreeS/WAN, this<A HREF="#packets">
- packet flow diagram</A> will help you anticipate a packet's path.</P>
-<P>Note that:</P>
-<UL>
-<LI> from the perspective of the tunneled packet, the entire tunnel is
- one hop. That's explained in<A HREF="#no_trace"> this</A> FAQ.</LI>
-<LI> an encapsulated IPSec packet will look different, when sniffed,
- from the plaintext packet which generated it. You can see plaintext
- packets entering an IPSec interface and the resulting cyphertext
- packets as they emerge from the corresponding physical interface.</LI>
-</UL>
-<P>Once you isolate where the packet is lost, take a closer look at
- firewall rules, routing and configuration assumptions as they affect
- that specific area. If the packet is lost on an IPSec gateway, comb
- through<VAR> klipsdebug</VAR> output for anomalies.</P>
-<P>If the packet goes through both gateways successfully and reaches the
- ping target, but does not return, suspect routing. Check that the ping
- target routes packets back to the IPSec gateway.</P>
-<H3><A NAME="find.use.error"></A>3.5 Check your logs</H3>
-<P>Here, too, log information can be useful. Start with the<A HREF="#find.pluto.error">
- guidelines above</A>.</P>
-<P>For connection use problems, set<VAR> klipsdebug=all</VAR>. Note that
- you must have enabled the<VAR> klipsdebug</VAR><A HREF="install.html#allbut">
- compile-time option</A> to do this. Restart Linux FreeS/WAN so that it
- rereads<VAR> ipsec.conf</VAR>, then recreate the error condition. When
- searching through<VAR> klipsdebug</VAR> data, look especially for the
- keywords &quot;drop&quot; (as in dropped packets) and &quot;error&quot;.</P>
-<P>Often the problem with connection use is not software error, but
- rather that the software is behaving contrary to expectation.</P>
-<H4><A NAME="interpret.use.error"></A>Interpreting log text</H4>
-<P>To interpret the Linux FreeS/WAN log text you've found, use the same
- resources as indicated for troubleshooting connection negotiation:<A HREF="faq.html">
- the FAQ</A> , our<A HREF="background.html"> background document</A>,
- and the<A HREF="#lists"> list archives</A>. Looking in the KLIPS code
- is only for the very brave.</P>
-<P>If you are still stuck, send a<A HREF="#prob.report"> detailed
- problem report</A> to the users' list.</P>
-<H3><A NAME="bigpacket"></A>3.6 More testing for the truly thorough</H3>
-<H4><A NAME="8_4_6_1">Large Packets</A></H4>
-<P>If each of your connections passed the ping test, you may wish to
- test by pinging with large packets (2000 bytes or larger). If it does
- not return, suspect MTU issues, and see this<A HREF="#MTU.trouble">
- discussion</A>.</P>
-<H4><A NAME="8_4_6_2">Stress Tests</A></H4>
-<P>In most users' view, a simple ping test, and perhaps a large-packet
- ping test suffice to indicate a working IPSec connection.</P>
-<P>Some people might like to do additional stress tests prior to
- production use. They may be interested in this<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00224.html">
- testing protocol</A> we use at interoperation conferences, aka
- &quot;bakeoffs&quot;. We also have a<VAR> testing</VAR> directory that ships with
- the release.</P>
-<H2><A NAME="prob.report"></A>4. Problem Reporting</H2>
-<H3><A NAME="8_5_1">4.1 How to ask for help</A></H3>
-<P>Ask for troubleshooting help on the users' mailing list,<A HREF="mailto:users@lists.freeswan.org">
- users@lists.freeswan.org</A>. While sometimes an initial query with a
- quick description of your intent and error will twig someone's memory
- of a similar problem, it's often necessary to send a second mail with a
- complete problem report.</P>
-<P>When reporting problems to the mailing list(s), please include:</P>
-<UL>
-<LI>a brief description of the problem</LI>
-<LI>if it's a compile problem, the actual output from make, showing the
- problem. Try to edit it down to only the relevant part, but when in
- doubt, be as complete as you can. If it's a kernel compile problem, any
- relevant out.* files</LI>
-<LI>if it's a run-time problem, pointers to where we can find the
- complete output from &quot;ipsec barf&quot; from BOTH ENDS (not just one of
- them). Remember that it's common outside the US and Canada to pay for
- download volume, so if you can't post barfs on the web and send the URL
- to the mailing list, at least compress them with tar or gzip.
-<BR> If you can, try to simplify the case that is causing the problem.
- In particular, if you clear your logs, start FreeS/WAN with no other
- connections running, cause the problem to happen, and then do<VAR>
- ipsec barf</VAR> on both ends immediately, that gives the smallest and
- least cluttered output.</LI>
-<LI>any other error messages, complaints, etc. that you saw. Please send
- the complete text of the messages, not just a summary.</LI>
-<LI>what your network setup is. Include subnets, gateway addresses, etc.
- A schematic diagram is a good format for this information.</LI>
-<LI>exactly what you were trying to do with Linux FreeS/WAN, and exactly
- what went wrong</LI>
-<LI>a fix, if you have one. But remember, you are sending mail to people
- all over the world; US residents and US citizens in particular, please
- read doc/exportlaws.html before sending code -- even small bug fixes --
- to the list or to us.</LI>
-<LI>When in doubt about whether to include some seemingly-trivial item
- of information, include it. It is rare for problem reports to have too
- much information, and common for them to have too little.</LI>
-</UL>
-<P>Here are some good general guidelines on bug reporting:<A href="http://tuxedo.org/~esr/faqs/smart-questions.html">
- How To Ask Questions The Smart Way</A> and<A href="http://www.chiark.greenend.org.uk/~sgtatham/bugs.html">
- How to Report Bugs Effectively</A>.</P>
-<H3><A NAME="8_5_2">4.2 Where to ask</A></H3>
-<P>To report a problem, send mail about it to the users' list. If you
- are certain that you have found a bug, report it to the bugs list. If
- you encounter a problem while doing your own coding on the Linux
- FreeS/WAN codebase and think it is of interest to the design team,
- notify the design list. When in doubt, default to the users' list. More
- information about the mailing lists is found<A HREF="#lists"> here</A>.</P>
-<P>For a number of reasons -- including export-control regulations
- affecting almost any<STRONG> private</STRONG> discussion of encryption
- software -- we prefer that problem reports and discussions go to the
- lists, not directly to the team. Beware that the list goes worldwide;
- US citizens, read this important information about your<A HREF="#exlaw">
- export laws</A>. If you're using this software, you really should be on
- the lists. To get onto them, visit<A HREF="http://lists.freeswan.org/">
- lists.freeswan.org</A>.</P>
-<P>If you do send private mail to our coders or want a private reply
- from them, please make sure that the return address on your mail (From
- or Reply-To header) is a valid one. They have more important things to
- do than to unravel addresses that have been mangled in an attempt to
- confuse spammers.</P>
-<H2><A NAME="notes"></A>5. Additional Notes on Troubleshooting</H2>
-<P>The following sections supplement the Guide:<A HREF="#system.info">
- information available on your system</A>;<A HREF="#testgates"> testing
- between security gateways</A>;<A HREF="#ifconfig1"> ifconfig reports
- for KLIPS debugging</A>;<A HREF="#gdb"> using GDB on Pluto</A>.</P>
-<H3><A NAME="system.info"></A>5.1 Information available on your system</H3>
-<H4><A NAME="logusage"></A>Logs used</H4>
-<P>Linux FreeS/WAN logs to:</P>
-<UL>
-<LI>/var/log/secure (or, on Debian, /var/log/auth.log)</LI>
-<LI>/var/log/messages</LI>
-</UL>
-<P>Check both places to get full information. If you find nothing, check
- your<VAR> syslogd.conf(5)</VAR> to see where your /etc/syslog.conf or
- equivalent is directing<VAR> authpriv</VAR> messages.</P>
-<H4><A NAME="pages"></A>man pages provided</H4>
-<DL>
-<DT><A HREF="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></DT>
-<DD> Manual page for IPSEC configuration file.</DD>
-<DT><A HREF="manpage.d/ipsec.8.html"> ipsec(8)</A></DT>
-<DD STYLE="margin-bottom: 0.2in"> Primary man page for ipsec utilities.</DD>
-</DL>
-<P> Other man pages are on<A HREF="manpages.html"> this list</A> and in</P>
-<UL>
-<LI>/usr/local/man/man3</LI>
-<LI>/usr/local/man/man5</LI>
-<LI>/usr/local/man/man8/ipsec_*</LI>
-</UL>
-<H4><A NAME="statusinfo"></A>Status information</H4>
-<DL>
-<DT>ipsec auto --status</DT>
-<DD> Command to get status report from running system. Displays Pluto's
- state. Includes the list of connections which are currently &quot;added&quot; to
- Pluto's internal database; lists state objects reflecting ISAKMP and
- IPsec SAs being negotiated or installed.</DD>
-<DT> ipsec look</DT>
-<DD> Brief status info.</DD>
-<DT> ipsec barf</DT>
-<DD STYLE="margin-bottom: 0.2in"> Copious debugging info.</DD>
-</DL>
-<H3><A NAME="testgates"></A> 5.2 Testing between security gateways</H3>
-<P>Sometimes you need to test a subnet-subnet tunnel. This is a tunnel
- between two security gateways, which protects traffic on behalf of the
- subnets behind these gateways. On this network:</P>
-<PRE>     Sunset==========West------------------East=========Sunrise
-                     IPSec gateway         IPSec gateway
-           local net       untrusted net       local net</PRE>
-<P> you might name this tunnel sunset-sunrise. You can test this tunnel
- by having a machine behind one gateway ping a machine behind the other
- gateway, but this is not always convenient or even possible.</P>
-<P>Simply pinging one gateway from the other is not useful. Such a ping
- does not normally go through the tunnel.<STRONG> The tunnel handles
- traffic between the two protected subnets, not between the gateways</STRONG>
- . Depending on the routing in place, a ping might</P>
-<UL>
-<LI>either succeed by finding an unencrypted route</LI>
-<LI>or fail by finding no route. Packets without an IPSEC eroute are
- discarded.</LI>
-</UL>
-<P><STRONG>Neither event tells you anything about the tunnel</STRONG>.
- You can explicitly create an eroute to force such packets through the
- tunnel, or you can create additional tunnels as described in our<A HREF="#multitunnel">
- configuration document</A>, but those may be unnecessary complications
- in your situation.</P>
-<P>The trick is to explicitly test between<STRONG> both gateways'
- private-side IP addresses</STRONG>. Since the private-side interfaces
- are on the protected subnets, the resulting packets do go via the
- tunnel. Use either ping -I or traceroute -i, both of which allow you to
- specify a source interface. (Note: unsupported on older Linuxes). The
- same principles apply for a road warrior (or other) case where only one
- end of your tunnel is a subnet.</P>
-<H3><A NAME="ifconfig1"></A>5.3 ifconfig reports for KLIPS debugging</H3>
-<P>When diagnosing problems using ifconfig statistics, you may wonder
- what type of activity increments a particular counter for an ipsecN
- device. Here's an index, posted by KLIPS developer Richard Guy Briggs:</P>
-<PRE>Here is a catalogue of the types of errors that can occur for which
-statistics are kept when transmitting and receiving packets via klips.
-I notice that they are not necessarily logged in the right counter.
-. . .
-
-Sources of ifconfig statistics for ipsec devices
-
-rx-errors:
-- packet handed to ipsec_rcv that is not an ipsec packet.
-- ipsec packet with payload length not modulo 4.
-- ipsec packet with bad authenticator length.
-- incoming packet with no SA.
-- replayed packet.
-- incoming authentication failed.
-- got esp packet with length not modulo 8.
-
-tx_dropped:
-- cannot process ip_options.
-- packet ttl expired.
-- packet with no eroute.
-- eroute with no SA.
-- cannot allocate sk_buff.
-- cannot allocate kernel memory.
-- sk_buff internal error.
-
-
-The standard counters are:
-
-struct enet_statistics
-{
-        int        rx_packets;                /* total packets received */
-        int        tx_packets;                /* total packets transmitted */
-        int        rx_errors;                /* bad packets received */
-        int        tx_errors;                /* packet transmit problems */
-        int        rx_dropped;                /* no space in linux buffers */
-        int        tx_dropped;                /* no space available in linux */
-        int        multicast;                /* multicast packets received */
-        int        collisions;
-
-        /* detailed rx_errors: */
-        int        rx_length_errors;
-        int        rx_over_errors;                /* receiver ring buff overflow */
-        int        rx_crc_errors;                /* recved pkt with crc error */
-        int        rx_frame_errors;        /* recv'd frame alignment error */
-        int        rx_fifo_errors;                /* recv'r fifo overrun */
-        int        rx_missed_errors;        /* receiver missed packet */
-
-        /* detailed tx_errors */
-        int        tx_aborted_errors;
-        int        tx_carrier_errors;
-        int        tx_fifo_errors;
-        int        tx_heartbeat_errors;
-        int        tx_window_errors;
-};
-
-of which I think only the first 6 are useful.</PRE>
-<H3><A NAME="gdb"></A> 5.4 Using GDB on Pluto</H3>
-<P>You may need to use the GNU debugger, gdb(1), on Pluto. This should
- be necessary only in unusual cases, for example if you encounter a
- problem which the Pluto developer cannot readily reproduce or if you
- are modifying Pluto.</P>
-<P>Here are the Pluto developer's suggestions for doing this:</P>
-<PRE>Can you get a core dump and use gdb to find out what Pluto was doing
-when it died?
-
-To get a core dump, you will have to set dumpdir to point to a
-suitable directory (see <A HREF="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>).
-
-To get gdb to tell you interesting stuff:
-        $ script
-        $ cd dump-directory-you-chose
-        $ gdb /usr/local/lib/ipsec/pluto core
-        (gdb) where
-        (gdb) quit
-        $ exit
-
-The resulting output will have been captured by the script command in
-a file called &quot;typescript&quot;.  Send it to the list.
-
-Do not delete the core file.  I may need to ask you to print out some
-more relevant stuff.</PRE>
-<P> Note that the<VAR> dumpdir</VAR> parameter takes effect only when
- the IPsec subsystem is restarted -- reboot or ipsec setup restart.</P>
-<P>
-<BR>
-<BR></P>
-<HR>
-<H1><A name="compat">Linux FreeS/WAN Compatibility Guide</A></H1>
-<P>Much of this document is quoted directly from the Linux FreeS/WAN<A href="mail.html">
- mailing list</A>. Thanks very much to the community of testers,
- patchers and commenters there, especially the ones quoted below but
- also various contributors we haven't quoted.</P>
-<H2><A name="spec">Implemented parts of the IPsec Specification</A></H2>
-<P>In general, do not expect Linux FreeS/WAN to do everything yet. This
- is a work-in-progress and some parts of the IPsec specification are not
- yet implemented.</P>
-<H3><A name="in">In Linux FreeS/WAN</A></H3>
-<P>Things we do, as of version 1.96:</P>
-<UL>
-<LI>key management methods
-<DL>
-<DT>manually keyed</DT>
-<DD>using keys stored in /etc/ipsec.conf</DD>
-<DT>automatically keyed</DT>
-<DD>Automatically negotiating session keys as required. All connections
- are automatically re-keyed periodically. The<A href="#Pluto"> Pluto</A>
- daemon implements this using the<A href="#IKE"> IKE</A> protocol.</DD>
-</DL>
-</LI>
-<LI>Methods of authenticating gateways for IKE
-<DL>
-<DT>shared secrets</DT>
-<DD>stored in<A href="manpage.d/ipsec.secrets.5.html"> ipsec.secrets(5)</A>
-</DD>
-<DT><A href="#RSA">RSA</A> signatures</DT>
-<DD>For details, see<A href="manpage.d/ipsec_pluto.8.html"> pluto(8)</A>
-.</DD>
-<DT>looking up RSA authentication keys from<A href="#DNS"> DNS</A>.</DT>
-<DD>Note that this technique cannot be fully secure until<A href="#SDNS">
- secure DNS</A> is widely deployed.</DD>
-</DL>
-</LI>
-<LI>groups for<A href="#DH"> Diffie-Hellman</A> key negotiation
-<DL>
-<DT>group 2, modp 1024-bit</DT>
-<DT>group 5, modp 1536-bit</DT>
-<DD>We implement these two groups.
-<P>In negotiating a keying connection (ISAKMP SA, Phase 1) we propose
- both groups when we are the initiator, and accept either when a peer
- proposes them. Once the keying connection is made, we propose only the
- alternative agreed there for data connections (IPsec SA's, Phase 2)
- negotiated over that keying connection.</P>
-</DD>
-</DL>
-</LI>
-<LI>encryption transforms
-<DL>
-<DT><A href="#DES">DES</A></DT>
-<DD>DES is in the source code since it is needed to implement 3DES, but
- single DES is not made available to users because<A href="#desnotsecure">
- DES is insecure</A>.</DD>
-<DT><A href="#3DES">Triple DES</A></DT>
-<DD>implemented, and used as the default encryption in Linux FreeS/WAN.</DD>
-</DL>
-</LI>
-<LI>authentication transforms
-<DL>
-<DT><A href="#HMAC">HMAC</A> using<A href="#MD5"> MD5</A></DT>
-<DD>implemented, may be used in IKE or by by AH or ESP transforms.</DD>
-<DT><A href="#HMAC">HMAC</A> using<A href="#SHA"> SHA</A></DT>
-<DD>implemented, may be used in IKE or by AH or ESP transforms.</DD>
-</DL>
-<P>In negotiations, we propose both of these and accept either.</P>
-</LI>
-<LI>compression transforms
-<DL>
-<DT>IPComp</DT>
-<DD>IPComp as described in RFC 2393 was added for FreeS/WAN 1.6. Note
- that Pluto becomes confused if you ask it to do IPComp when the kernel
- cannot.</DD>
-</DL>
-</LI>
-</UL>
-<P>All combinations of implemented transforms are supported. Note that
- some form of packet-level<STRONG> authentication is required whenever
- encryption is used</STRONG>. Without it, the encryption will not be
- secure.</P>
-<H3><A name="dropped">Deliberately omitted</A></H3>
- We do not implement everything in the RFCs because some of those things
- are insecure. See our discussions of avoiding<A href="#weak"> bogus
- security</A>.
-<P>Things we deliberately omit which are required in the RFCs are:</P>
-<UL>
-<LI>null encryption (to use ESP as an authentication-only service)</LI>
-<LI>single DES</LI>
-<LI>DH group 1, a 768-bit modp group</LI>
-</UL>
-<P>Since these are the only encryption algorithms and DH group the RFCs
- require, it is possible in theory to have a standards-conforming
- implementation which will not interpoperate with FreeS/WAN. Such an
- implementation would be inherently insecure, so we do not consider this
- a problem.</P>
-<P>Anyway, most implementations sensibly include more secure options as
- well, so dropping null encryption, single DES and Group 1 does not
- greatly hinder interoperation in practice.</P>
-<P>We also do not implement some optional features allowed by the RFCs:</P>
-<UL>
-<LI>aggressive mode for negotiation of the keying channel or ISAKMP SA.
- This mode is a little faster than main mode, but exposes more
- information to an eavesdropper.</LI>
-</UL>
-<P>In theory, this should cause no interoperation problems since all
- implementations are required to support the more secure main mode,
- whether or not they also allow aggressive mode.</P>
-<P>In practice, it does sometimes produce problems with implementations
- such as Windows 2000 where aggressive mode is the default. Typically,
- these are easily solved with a configuration change that overrides that
- default.</P>
-<H3><A name="not">Not (yet) in Linux FreeS/WAN</A></H3>
-<P>Things we don't yet do, as of version 1.96:</P>
-<UL>
-<LI>key management methods
-<UL>
-<LI>authenticate key negotiations via local<A href="#PKI"> PKI</A>
- server, but see links to user<A href="#patch"> patches</A></LI>
-<LI>authenticate key negotiations via<A href="#SDNS"> secure DNS</A></LI>
-<LI>unauthenticated key management, using<A href="#DH"> Diffie-Hellman</A>
- key agreement protocol without authentication. Arguably, this would be
- worth doing since it is secure against all passive attacks. On the
- other hand, it is vulnerable to an active<A href="#middle">
- man-in-the-middle attack</A>.</LI>
-</UL>
-</LI>
-<LI>encryption transforms
-<P>Currently<A href="#3DES"> Triple DES</A> is the only encryption
- method Pluto will negotiate.</P>
-<P>No additional encryption transforms are implemented, though the RFCs
- allow them and some other IPsec implementations support various of
- them. We are not eager to add more. See this<A href="#other.cipher">
- FAQ question</A>.</P>
-<P><A href="#AES">AES</A>, the successor to the DES standard, is an
- excellent candidate for inclusion in FreeS/WAN, see links to user<A href="#patch">
- patches</A>.</P>
-</LI>
-<LI>authentication transforms
-<P>No optional additional authentication transforms are currently
- implemented. Likely<A href="#SHA-256"> SHA-256, SHA-384 and SHA-512</A>
- will be added when AES is.</P>
-</LI>
-<LI>Policy checking on decrypted packets
-<P>To fully comply with the RFCs, it is not enough just to accept only
- packets which survive any firewall rules in place to limit what IPsec
- packets get in, and then pass KLIPS authentication. That is what
- FreeS/WAN currently does.</P>
-<P>We should also apply additional tests, for example ensuring that all
- packets emerging from a particular tunnel have source and destination
- addresses that fall within the subnets defined for that tunnel, and
- that packets with those addresses that did not emerge from the
- appropriate tunnel are disallowed.</P>
-<P>This will be done as part of a KLIPS rewrite. See these<A href="#applied">
- links</A> and the<A href="mail.html"> design mailing list</A> for
- discussion.</P>
-</LI>
-</UL>
-<H2><A name="pfkey">Our PF-Key implementation</A></H2>
-<P>We use PF-key Version Two for communication between the KLIPS kernel
- code and the Pluto Daemon. PF-Key v2 is defined by<A href="http://www.normos.org/ietf/rfc/rfc2367.txt">
- RFC 2367</A>.</P>
-<P>The &quot;PF&quot; stands for Protocol Family. PF-Inet defines a
- kernel/userspace interface for the TCP/IP Internet protocols (TCP/IP),
- and other members of the PF series handle Netware, Appletalk, etc.
- PF-Key is just a PF for key-related matters.</P>
-<H3><A name="pfk.port">PF-Key portability</A></H3>
-<P>PF-Key came out of Berkeley Unix work and is used in the various BSD
- IPsec implementations, and in Solaris. This means there is some hope of
- porting our Pluto(8) to one of the BSD distributions, or of running
- their photurisd(8) on Linux if you prefer<A href="#photuris"> Photuris</A>
- key management over IKE.</P>
-<P>It is, however, more complex than that. The PK-Key RFC deliberately
- deals only with keying, not policy management. The three PF-Key
- implementations we have looked at -- ours, OpenBSD and KAME -- all have
- extensions to deal with security policy, and the extensions are
- different. There have been discussions aimed at sorting out the
- differences, perhaps for a version three PF-Key spec. All players are
- in favour of this, but everyone involved is busy and it is not clear
- whether or when these discussions might bear fruit.</P>
-<H2><A name="otherk">Kernels other than the latest 2.2.x and 2.4.y</A></H2>
-<P>We develop and test on Redhat Linux using the most recent kernel in
- the 2.2 and 2.4 series. In general, we recommend you use the latest
- kernel in one of those series. Complications and caveats are discussed
- below.</P>
-<H3><A name="kernel.2.0">2.0.x kernels</A></H3>
-<P>Consider upgrading to the 2.2 kernel series. If you want to stay with
- the 2.0 series, then we strongly recommend 2.0.39. Some useful security
- patches were added in 2.0.38.</P>
-<P>Various versions of the code have run at various times on most 2.0.xx
- kernels, but the current version is only lightly tested on 2.0.39, and
- not at all on older kernels.</P>
-<P>Some of our patches for older kernels are shipped in 2.0.37 and
- later, so they are no longer provided in FreeS/WAN. This means recent
- versions of FreeS/WAN will probably not compile on anything earlier
- than 2.0.37.</P>
-<H3><A name="kernel.production">2.2 and 2.4 kernels</A></H3>
-<DL>
-<DT>FreeS/WAN 1.0</DT>
-<DD>ran only on 2.0 kernels</DD>
-<DT>FreeS/WAN 1.1 to 1.8</DT>
-<DD>ran on 2.0 or 2.2 kernels
-<BR> ran on some development kernels, 2.3 or 2.4-test</DD>
-<DT>FreeS/WAN 1.9 to 1.96</DT>
-<DD>runs on 2.0, 2.2 or 2.4 kernels</DD>
-</DL>
-<P>In general,<STRONG> we suggest the latest 2.2 kernel or 2.4 for
- production use</STRONG>.</P>
-<P>Of course no release can be guaranteed to run on kernels more recent
- than it is, so quite often there will be no stable FreeS/WAN for the
- absolute latest kernel. See the<A href="#k.versions"> FAQ</A> for
- discussion.</P>
-<H2><A name="otherdist">Intel Linux distributions other than Redhat</A></H2>
-<P>We develop and test on Redhat 6.1 for 2.2 kernels, and on Redhat 7.1
- or 7.2 for 2.4, so minor changes may be required for other
- distributions.</P>
-<H3><A name="rh7">Redhat 7.0</A></H3>
-<P>There are some problems with FreeS/WAN on Redhat 7.0. They are
- soluble, but we recommend you upgrade to a later Redhat instead..</P>
-<P>Redhat 7 ships with two compilers.</P>
-<UL>
-<LI>Their<VAR> gcc</VAR> is version 2.96. Various people, including the
- GNU compiler developers and Linus, have said fairly emphatically that
- using this was a mistake. 2.96 is a development version, not intended
- for production use. In particular, it will not compile a Linux kernel.</LI>
-<LI>Redhat therefore also ship a separate compiler, which they call<VAR>
- kgcc</VAR>, for compiling kernels.</LI>
-</UL>
-<P>Kernel Makefiles have<VAR> gcc</VAR> as a default, and must be
- adjusted to use<VAR> kgcc</VAR> before a kernel will compile on 7.0.
- This mailing list message gives details:</P>
-<PRE>Subject: Re: AW: Installing IPsec on Redhat 7.0
-   Date: Thu, 1 Feb 2001 14:32:52 -0200 (BRST)
-  From: Mads Rasmussen &lt;mads@cit.com.br&gt;
- 
-&gt; From www.redhat.com/support/docs/gotchas/7.0/gotchas-7-6.html#ss6.1
-
-cd to /usr/src/linux and open the Makefile in your favorite editor. You
-will need to look for a line similar to this:
-
-CC = $(CROSS_COMPILE)gcc -D__KERNEL__ -I$(HPATH)
-
-This line specifies which C compiler to use to build the kernel. It should
-be changed to:
-
-CC = $(CROSS_COMPILE)kgcc -D__KERNEL__ -I$(HPATH)
-
-for Red Hat Linux 7. The kgcc compiler is egcs 2.91.66. From here you can
-proceed with the typical compiling steps.</PRE>
-<P>Check the<A href="mail.html"> mailing list</A> archive for more
- recent news.</P>
-<H3><A name="suse">SuSE Linux</A></H3>
-<P>SuSE 6.3 and later versions, at least in Europe, ship with FreeS/WAN
- included.</P>
-<P>FreeS/WAN packages distributed for SuSE 7.0-7.2 were somehow
- miscompiled. You can find fixed packages on<A HREF="http://www.suse.de/~garloff/linux/FreeSWAN">
- Kurt Garloff's page</A>.</P>
-<P>Here are some notes for an earlier SuSE version.</P>
-<H4><A NAME="9_4_2_1">SuSE Linux 5.3</A></H4>
-<PRE>Date: Mon, 30 Nov 1998
-From: Peter Onion &lt;ponion@srd.bt.co.uk&gt;
-
-... I got Saturdays snapshot working between my two SUSE5.3 machines at home.
-
-The mods to the install process are quite simple.  From memory and looking at
-the files on the SUSE53 machine here at work....
-
-And extra link in each of the /etc/init.d/rc?.d directories called K35ipsec
-which SUSE use to shut a service down.
-
-A few mods in /etc/init.d/ipsec  to cope with the different places that SUSE
-put config info, and remove the inculsion of /etc/rc.d/init.d/functions and .
-/etc/sysconfig/network as they don't exists and 1st one isn't needed anyway.
-
-insert &quot;. /etc/rc.config&quot; to pick up the SUSE config info and use 
-
-  if test -n &quot;$NETCONFIG&quot; -a &quot;$NETCONFIG&quot; != &quot;YAST_ASK&quot; ; then
-
-to replace 
-
-  [ ${NETWORKING} = &quot;no&quot; ] &amp;&amp; exit 0
-
-Create /etc/sysconfig  as SUSE doesn't have one.
-
-I think that was all (but I prob forgot something)....</PRE>
-<P>You may also need to fiddle initialisation scripts to ensure that<VAR>
- /var/run/pluto.pid</VAR> is removed when rebooting. If this file is
- present, Pluto does not come up correctly.</P>
-<H3><A name="slack">Slackware</A></H3>
-<PRE>Subject: Re: linux-IPsec: Slackware distribution
-  Date:  Thu, 15 Apr 1999 12:07:01 -0700
-  From:  Evan Brewer &lt;dmessiah@silcon.com&gt;
-
-&gt; Very shortly, I will be needing to install IPsec on at least gateways that
-&gt; are running Slackware. . . .
-
-The only trick to getting it up is that on the slackware dist there is no
-init.d directory in /etc/rc.d .. so create one.  Then, what I do is take the
-IPsec startup script which normally gets put into the init.d directory, and
-put it in /etc/rc.d and name ir rc.ipsec .. then I symlink it to the file
-in init.d.  The only file in the dist you need to really edit is the
-utils/Makefile, setup4:
-
-Everything else should be just fine.</PRE>
-<P>A year or so later:</P>
-<PRE>Subject: Re: HTML Docs- Need some cleanup?
-   Date: Mon, 8 Jan 2001
-   From: Jody McIntyre &lt;jodym@oeone.com&gt;
-
-I have successfully installed FreeS/WAN on several Slackware 7.1 machines.
-FreeS/WAN installed its rc.ipsec file in /etc/rc.d.  I had to manually call
-this script from rc.inet2.  This seems to be an easier method than Evan
-Brewer's.</PRE>
-<H3><A name="deb">Debian</A></H3>
-<P>A recent (Nov 2001) mailing list points to a<A href="http://www.thing.dyndns.org/debian/vpn.htm">
- web page</A> on setting up several types of tunnel, including IPsec, on
- Debian.</P>
-<P>Some older information:</P>
-<PRE>Subject: FreeS/WAN 1.0 on Debian 2.1
-   Date: Tue, 20 Apr 1999
-  From:  Tim Miller &lt;cerebus+counterpane@haybaler.sackheads.org&gt;
-
-        Compiled and installed without error on a Debian 2.1 system
-with kernel-source-2.0.36 after pointing RCDIR in utils/Makefile to
-/etc/init.d.
-
-        /var/lock/subsys/ doesn't exist on Debian boxen, needs to be
-created; not a fatal error.
-
-        Finally, IPsec scripts appear to be dependant on GNU awk
-(gawk); the default Debian awk (mawk-1.3.3-2) had fatal difficulties.
-With gawk installed and /etc/alternatives/awk linked to /usr/bin/gawk
-operation appears flawless.</PRE>
-<P>The scripts in question have been modified since this was posted. Awk
- versions should no longer be a problem.</P>
-<H3><A name="caldera">Caldera</A></H3>
-<PRE>Subject: Re: HTML Docs- Need some cleanup?
-   Date: Mon, 08 Jan 2001
-   From: Andy Bradford &lt;andyb@calderasystems.com&gt;
-
-On Sun, 07 Jan 2001 22:59:05 EST, Sandy Harris wrote:
-
-&gt;     Intel Linux distributions other than Redhat 5.x and 6.x 
-&gt;         Redhat 7.0 
-&gt;         SuSE Linux 
-&gt;             SuSE Linux 5.3 
-&gt;         Slackware 
-&gt;         Debian 
-
-Can you please include Caldera in this list?  I have tested it since 
-FreeS/Wan 1.1 and it works great with our systems---provided one 
-follows the FreeS/Wan documentation. :-)
-
-Thank you,
-Andy</PRE>
-<H2><A name="CPUs">CPUs other than Intel</A></H2>
-<P>FreeS/WAN has been run sucessfully on a number of different CPU
- architectures. If you have tried it on one not listed here, please post
- to the<A href="mail.html"> mailing list</A>.</P>
-<H3><A name=" strongarm">Corel Netwinder (StrongARM CPU)</A></H3>
-<PRE>Subject: linux-ipsec: Netwinder diffs
-Date: Wed, 06 Jan 1999
-From: rhatfield@plaintree.com
-
-I had a mistake in my IPsec-auto, so I got things working this morning.
-
-Following are the diffs for my changes.  Probably not the best and cleanest way 
-of doing it, but it works. . . . </PRE>
-<P>These diffs are in the 0.92 and later distributions, so these should
- work out-of-the-box on Netwinder.</P>
-<H3><A name="yellowdog">Yellow Dog Linux on Power PC</A></H3>
-<PRE>Subject:  Compiling FreeS/WAN 1.1 on YellowDog Linux (PPC)
-   Date:  11 Dec 1999
-   From:  Darron Froese &lt;darron@fudgehead.com&gt;
-
-I'm summarizing here for the record - because it's taken me many hours to do
-this (multiple times) and because I want to see IPsec on more linuxes than
-just x86.
-
-Also, I can't remember if I actually did summarize it before... ;-) I'm
-working too many late hours.
-
-That said - here goes.
-
-1. Get your linux kernel and unpack into /usr/src/linux/ - I used 2.2.13.
-&lt;http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.13.tar.bz2&gt;
-
-2. Get FreeS/WAN and unpack into /usr/src/freeswan-1.1
-&lt;ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.1.tar.gz&gt;
-
-3. Get the gmp src rpm from here:
-&lt;ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm&gt;
-
-4. Su to root and do this: rpm --rebuild gmp-2.0.2-9a.src.rpm
-
-You will see a lot of text fly by and when you start to see the rpm
-recompiling like this:
-
-Executing: %build
-+ umask 022
-+ cd /usr/src/redhat/BUILD
-+ cd gmp-2.0.2
-+ libtoolize --copy --force
-Remember to add `AM_PROG_LIBTOOL' to `configure.in'.
-You should add the contents of `/usr/share/aclocal/libtool.m4' to
-`aclocal.m4'.
-+ CFLAGS=-O2 -fsigned-char
-+ ./configure --prefix=/usr
-
-Hit Control-C to stop the rebuild. NOTE: We're doing this because for some
-reason the gmp source provided with FreeS/WAN 1.1 won't build properly on
-ydl.
-
-cd /usr/src/redhat/BUILD/
-cp -ar gmp-2.0.2 /usr/src/freeswan-1.1/
-cd /usr/src/freeswan-1.1/
-rm -rf gmp
-mv gmp-2.0.2 gmp
-
-5. Open the freeswan Makefile and change the line that says:
-KERNEL=$(b)zimage (or something like that) to
-KERNEL=vmlinux
-
-6. cd ../linux/
-
-7. make menuconfig
-Select an option or two and then exit - saving your changes.
-
-8. cd ../freeswan-1.1/ ; make menugo
-
-That will start the whole process going - once that's finished compiling,
-you have to install your new kernel and reboot.
-
-That should build FreeS/WAN on ydl (I tried it on 1.1).</PRE>
- And a later message on the same topic:
-<PRE>Subject: Re: FreeS/WAN, PGPnet and E-mail
-   Date: Sat, 22 Jan 2000
-   From: Darron Froese &lt;darron@fudgehead.com&gt;
-
-on 1/22/00 6:47 PM, Philip Trauring at philip@trauring.com wrote:
-
-&gt; I have a PowerMac G3 ...
-
-The PowerMac G3 can run YDL 1.1 just fine. It should also be able to run
-FreeS/WAN 1.2patch1 with a couple minor modifications:
-
-1. In the Makefile it specifies a bzimage for the kernel compile - you have
-to change that to vmlinux for the PPC.
-
-2. The gmp source that comes with FreeS/WAN (for whatever reason) fails to
-compile. I have gotten around this by getting the gmp src rpm from here:
-
-ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm
-
-If you rip the source out of there - and place it where the gmp source
-resides it will compile just fine.</PRE>
-<P>FreeS/WAN no longer includes GMP source.</P>
-<H3><A name="mklinux">Mklinux</A></H3>
-<P>One user reports success on the Mach-based<STRONG> m</STRONG>icro<STRONG>
-k</STRONG>ernel Linux.</P>
-<PRE>Subject: Smiles on sparc and ppc
-   Date: Fri, 10 Mar 2000
-   From: Jake Hill &lt;jah@alien.bt.co.uk&gt;
-
-You may or may not be interested to know that I have successfully built
-FreeS/WAN on a number of non intel alpha architectures; namely on ppc
-and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
-works, mostly, with few changes.</PRE>
-<H3><A name="alpha">Alpha 64-bit processors</A></H3>
-<PRE>Subject: IT WORKS (again) between intel &amp; alpha :-)))))
-   Date: Fri, 29 Jan 1999
-   From: Peter Onion &lt;ponion@srd.bt.co.uk&gt;
-
-Well I'm happy to report that I've got an IPsec connection between by intel &amp; alpha machines again :-))
-
-If you look back on this list to 7th of December I wrote...
-
--On 07-Dec-98 Peter Onion wrote:
--&gt; 
--&gt; I've about had enuf of wandering around inside the kernel trying to find out
--&gt; just what is corrupting outgoing packets...
--
--Its 7:30 in the evening .....
--
--I FIXED IT  :-))))))))))))))))))))))))))))))))
--
--It was my own fault :-((((((((((((((((((
--
--If you ask me very nicly I'll tell you where I was a little too over keen to
--change unsigned long int __u32 :-)  OPSE ...
--
--So tomorrow it will full steam ahead to produce a set of diffs/patches against
--0.91 
--
--Peter Onion.</PRE>
-<P>In general (there have been some glitches), FreeS/WAN has been
- running on Alphas since then.</P>
-<H3><A name="SPARC">Sun SPARC processors</A></H3>
-<P>Several users have reported success with FreeS/WAN on SPARC Linux.
- Here is one mailing list message:</P>
-<PRE>Subject: Smiles on sparc and ppc
-   Date: Fri, 10 Mar 2000
-   From: Jake Hill &lt;jah@alien.bt.co.uk&gt;
-
-You may or may not be interested to know that I have successfully built
-FreeS/WAN on a number of non intel alpha architectures; namely on ppc
-and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
-works, mostly, with few changes.
-
-I have a question, before I make up some patches. I need to hack
-gmp/mpn/powerpc32/*.s to build them. Is this ok? The changes are
-trivial, but could I also use a different version of gmp? Is it vanilla
-here?
-
-I guess my only real headache is from ipchains, which appears to stop
-running when IPsec has been started for a while. This is with 2.2.14 on
-sparc.</PRE>
-<P>This message, from a different mailing list, may be relevant for
- anyone working with FreeS/WAN on Suns:</P>
-<PRE>Subject: UltraSPARC DES assembler
-   Date: Thu, 13 Apr 2000
-   From: svolaf@inet.uni2.dk (Svend Olaf Mikkelsen)
-     To: coderpunks@toad.com
-
-An UltraSPARC assembler version of the LibDES/SSLeay/OpenSSL des_enc.c
-file is available at http://inet.uni2.dk/~svolaf/des.htm.
-
-This brings DES on UltraSPARC from slower than Pentium at the same
-clock speed to significantly faster.</PRE>
-<H3><A name="mips">MIPS processors</A></H3>
-<P>We know FreeS/WAN runs on at least some MIPS processors because<A href="http://www.lasat.com">
- Lasat</A> manufacture an IPsec box based on an embedded MIPS running
- Linux with FreeS/WAN. We have no details.</P>
-<H3><A name="crusoe">Transmeta Crusoe</A></H3>
-<P>The Merilus<A href="http://www.merilus.com/products/fc/index.shtml">
- Firecard</A>, a Linux firewall on a PCI card, is based on a Crusoe
- processor and supports FreeS/WAN.</P>
-<H3><A name="coldfire">Motorola Coldfire</A></H3>
-<PRE>Subject: Re: Crypto hardware support
-   Date: Mon, 03 Jul 2000
-   From: Dan DeVault &lt;devault@tampabay.rr.com&gt;
-
-.... I have been running
-uClinux with FreeS/WAN 1.4 on a system built by Moreton Bay  (
-http://www.moretonbay.com )  and it was using a Coldfire processor
-and was able to do the Triple DES encryption at just about
-1 mbit / sec rate.......  they put a Hi/Fn 7901 hardware encryption
-chip on their board and now their system does over 25 mbit of 3DES
-encryption........ pretty significant increase if you ask me.</PRE>
-<H2><A name="multiprocessor">Multiprocessor machines</A></H2>
-<P>FreeS/WAN is designed to work on SMP (symmetric multi-processing)
- Linux machines and is regularly tested on dual processor x86 machines.</P>
-<P>We do not know of any testing on multi-processor machines with other
- CPU architectures or with more than two CPUs. Anyone who does test
- this, please report results to the<A href="mail.html"> mailing list</A>
-.</P>
-<P>The current design does not make particularly efficient use of
- multiprocessor machines; some of the kernel work is single-threaded.</P>
-<H2><A name="hardware">Support for crypto hardware</A></H2>
-<P>Supporting hardware cryptography accelerators has not been a high
- priority for the development team because it raises a number of fairly
- complex issues:</P>
-<UL>
-<LI>Can you trust the hardware? If it is not Open Source, how do you
- audit its security? Even if it is, how do you check that the design has
- no concealed traps?</LI>
-<LI>If an interface is added for such hardware, can that interface be
- subverted or misused?</LI>
-<LI>Is hardware acceleration actually a performance win? It clearly is
- in many cases, but on a fast machine it might be better to use the CPU
- for the encryption than to pay the overheads of moving data to and from
- a crypto board.</LI>
-<LI>the current KLIPS code does not provide a clean interface for
- hardware accelerators</LI>
-</UL>
-<P>That said, we have a<A href="#coldfire"> report</A> of FreeS/WAN
- working with one crypto accelerator and some work is going on to modify
- KLIPS to create a clean generic interface to such products. See this<A href="http://www.jukie.net/~bart/linux-ipsec/">
- web page</A> for some of the design discussion.</P>
-<P>More recently, a patch to support some hardware accelerators has been
- posted:</P>
-<PRE>Subject: [Design] [PATCH] H/W acceleration patch
-   Date: Tue, 18 Sep 2001
-   From: &quot;Martin Gadbois&quot; &lt;martin.gadbois@colubris.com&gt;
- 
-Finally!!
-Here's a web site with H/W acceleration patch for FreeS/WAN 1.91, including
-S/W and Hifn 7901 crypto support.
-
-http://sources.colubris.com/
-
-Martin Gadbois</PRE>
-<P>Hardware accelerators could take performance well beyond what
- FreeS/WAN can do in software (discussed<A href="performance.html"> here</A>
-). Here is some discussion off the IETF IPsec list, October 2001:</P>
-<PRE> ... Currently shipping chips deliver, 600 mbps throughput on a single
- stream of 3DES IPsec traffic.  There are also chips that use multiple
- cores to do 2.4 gbps.  We (Cavium) and others have announced even faster
- chips. ... Mid 2002 versions will handle at line rate (OC48 and OC192)
- IPsec and SSL/TLS traffic not only 3DES CBC but also AES and arc4.</PRE>
-<P>The patches to date support chips that have been in production for
- some time, not the state-of-the-art latest-and-greatest devices
- described in that post. However, they may still outperform software and
- they almost certainly reduce CPU overhead.</P>
-<H2><A name="ipv6">IP version 6 (IPng)</A></H2>
-<P>The Internet currently runs on version four of the IP protocols. IPv4
- is what is in the standard Linux IP stack, and what FreeS/WAN was built
- for. In IPv4, IPsec is an optional feature.</P>
-<P>The next version of the IP protocol suite is version six, usually
- abbreviated either as &quot;IPv6&quot; or as &quot;IPng&quot; for &quot;IP: the next
- generation&quot;. For IPv6, IPsec is a required feature. Any machine doing
- IPv6 is required to support IPsec, much as any machine doing (any
- version of) IP is required to support ICMP.</P>
-<P>There is a Linux implementation of IPv6 in Linux kernels 2.2 and
- above. For details, see the<A href="http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/faq/">
- FAQ</A>. It does not yet support IPsec. The<A href="http://www.linux-ipv6.org/">
- USAGI</A> project are also working on IPv6 for Linux.</P>
-<P>FreeS/WAN was originally built for the current standard, IPv4, but we
- are interested in seeing it work with IPv6. Some progress has been
- made, and a patched version with IPv6 support is<A href="http://www.ipv6.iabg.de/downloadframe/index.html">
- available</A>. For more recent information, check the<A href="mail.html">
- mailing list</A>.</P>
-<H3><A name="v6.back">IPv6 background</A></H3>
-<P>IPv6 has been specified by an IETF<A href="http://www.ietf.org/html.charters/ipngwg-charter.html">
- working group</A>. The group's page lists over 30 RFCs to date, and
- many Internet Drafts as well. The overview is<A href="http://www.ietf.org/rfc/rfc2460.txt">
- RFC 2460</A>. Major features include:</P>
-<UL>
-<LI>expansion of the address space from 32 to 128 bits,</LI>
-<LI>changes to improve support for
-<UL>
-<LI>mobile IP</LI>
-<LI>automatic network configuration</LI>
-<LI>quality of service routing</LI>
-<LI>...</LI>
-</UL>
-</LI>
-<LI>improved security via IPsec</LI>
-</UL>
-<P>A number of projects are working on IPv6 implementation. A prominent
- Open Source effort is<A href="http://www.kame.net/"> KAME</A>, a
- collaboration among several large Japanese companies to implement IPv6
- for Berkeley Unix. Other major players are also working on IPv6. For
- example, see pages at:</P>
-<UL>
-<LI><A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">Sun</A>
-</LI>
-<LI><A href="http://www.cisco.com/warp/public/732/ipv6/index.html">Cisco</A>
-</LI>
-<LI><A href="http://www.microsoft.com/windows2000/techinfo/howitworks/communications/networkbasics/IPv6.asp">
-Microsoft</A></LI>
-</UL>
-<P>The<A href="http://www.6bone.net/"> 6bone</A> (IPv6 backbone) testbed
- network has been up for some time. There is an active<A href="http://www.ipv6.org/">
- IPv6 user group</A>.</P>
-<P>One of the design goals for IPv6 was that it must be possible to
- convert from v4 to v6 via a gradual transition process. Imagine the
- mess if there were a &quot;flag day&quot; after which the entire Internet used
- v6, and all software designed for v4 stopped working. Almost every
- computer on the planet would need major software changes! There would
- be huge costs to replace older equipment. Implementers would be worked
- to death before &quot;the day&quot;, systems administrators and technical support
- would be completely swamped after it. The bugs in every implementation
- would all bite simultaneously. Large chunks of the net would almost
- certainly be down for substantial time periods. ...</P>
-<P>Fortunately, the design avoids any &quot;flag day&quot;. It is therefore a
- little tricky to tell how quickly IPv6 will take over. The transition
- has certainly begun. For examples, see announcements from<A href="http://www.mailbase.ac.uk/lists/internet2/2000-03/0016.html">
- NTT</A> and<A href="http://www.vnunet.com/News/1102383"> Nokia</A>.
- However, it is not yet clear how quickly the process will gain
- momentum, or when it will be completed. Likely large parts of the
- Internet will remain with IPv4 for years to come.</P>
-<HR>
-<A NAME="interop"></A>
-<H1><A NAME="10">Interoperating with FreeS/WAN</A></H1>
-<P>The FreeS/WAN project needs you! We rely on the user community to
- keep up to date. Mail users@lists.freeswan.org with your interop
- success stories.</P>
-<P><STRONG>Please note</STRONG>: Most of our interop examples feature
- Linux FreeS/WAN 1.x config files. You can convert them to 2.x files
- fairly easily with the patch in our<A HREF="#ipsec.conf_v2"> Upgrading
- Guide</A>.</P>
-<H2><A NAME="10_1">Interop at a Glance</A></H2>
-<TABLE BORDER="1">
-<TR><TD>&nbsp;</TD><TD colspan="5">FreeS/WAN VPN</TD><TD>Road Warrior</TD><TD>
-OE</TD></TR>
-<TR><TD>&nbsp;</TD><TD>PSK</TD><TD>RSA Secret</TD><TD>X.509
-<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD>
-NAT-Traversal
-<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD>
-Manual
-<BR>Keying</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR>
-<TR><TD colspan="8">More Compatible</TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#freeswan">FreeS/WAN</A><A NAME="freeswan.top"> &nbsp;</A></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#isakmpd">isakmpd (OpenBSD)</A><A NAME="isakmpd.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>
-<FONT color="#cc0000">No&nbsp;&nbsp;&nbsp;&nbsp;</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#kame">Kame (FreeBSD,
-<BR> NetBSD, MacOSX)
-<BR> <SMALL>aka racoon</SMALL></A><A NAME="kame.top"> &nbsp;</A></TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#mcafee">McAfee VPN
-<BR><SMALL>was PGPNet</SMALL></A><A NAME="mcafee.top"> &nbsp;</A></TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#microsoft">Microsoft
-<BR> Windows 2000/XP</A><A NAME="microsoft.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cc0000">
-No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#ssh">SSH Sentinel</A><A NAME="ssh.top"> &nbsp;</A></TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT>
-</TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#safenet">Safenet SoftPK
-<BR>/SoftRemote</A><A NAME="safenet.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cc0000">
-No</FONT></TD></TR>
-<TR><TD colspan="8">Other</TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#6wind">6Wind</A><A NAME="6wind.top"> &nbsp;</A></TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-<FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#alcatel">Alcatel Timestep</A><A NAME="alcatel.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#apple">Apple Macintosh
-<BR>System 10+</A><A NAME="apple.top"> &nbsp;</A></TD><TD><FONT color="#cccc00">
-Maybe</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cccc00">
-Maybe</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#ashleylaurent">AshleyLaurent
-<BR> VPCom</A><A NAME="ashleylaurent.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT
-color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#borderware">Borderware</A><A NAME="borderware.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD><TD><FONT color="#cc0000">
-No</FONT></TD></TR>
-
-<!--
-http://www.cequrux.com/vpn-guides.php3
-"coming soon" guide to connect with FreeS/WAN.
--->
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#checkpoint">Check Point FW-1/VPN-1</A><A NAME="checkpoint.top">
- &nbsp;</A></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>
-<FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#cisco">Cisco with 3DES</A><A NAME="cisco.top"> &nbsp;</A></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cccc00">Maybe</FONT>
-</TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#equinux">Equinux VPN Tracker
-<BR> (for Mac OS X)</A><A NAME="equinux.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#fsecure">F-Secure</A><A NAME="fsecure.top"> &nbsp;</A></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">
-Maybe</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#gauntlet">Gauntlet GVPN</A><A NAME="gauntlet.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">
-No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#aix">IBM AIX</A><A NAME="aix.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#as400">IBM AS/400</A><A NAME="as400"> &nbsp;</A></TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#intel">Intel Shiva
-<BR>LANRover/Net Structure</A><A NAME="intel.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT
-color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#lancom">LanCom (formerly ELSA)</A><A NAME="lancom.top">
- &nbsp;</A></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#linksys">Linksys</A><A NAME="linksys.top"> &nbsp;</A></TD><TD>
-<FONT color="#cccc00">Maybe</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">
-No</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>
-<FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#lucent">Lucent</A><A NAME="lucent.top"> &nbsp;</A></TD><TD><FONT
-color="#cccc00">Partial</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#netasq">Netasq</A><A NAME="netasq.top"> &nbsp;</A></TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#netcelo">netcelo</A><A NAME="netcelo.top"> &nbsp;</A></TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#netgear">Netgear fvs318</A><A NAME="netgear.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#netscreen">Netscreen 100
-<BR>or 5xp</A><A NAME="netscreen.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">
-Maybe</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#nortel">Nortel Contivity</A><A NAME="nortel.top"> &nbsp;</A>
-</TD><TD><FONT color="#cccc00">Partial</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#radguard">RadGuard</A><A NAME="radguard.top"> &nbsp;</A></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#raptor">Raptor</A><A NAME="raptor"> &nbsp;</A></TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#redcreek">Redcreek Ravlin</A><A NAME="redcreek.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT><FONT color="#cccc00">/Partial</FONT>
-</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">
-No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#sonicwall">SonicWall</A><A NAME="sonicwall.top"> &nbsp;</A></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT
-color="#cccc00">Maybe</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD><TD>
-<FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#sun">Sun Solaris</A><A NAME="sun.top"> &nbsp;</A></TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT>
-</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT
-color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#symantec">Symantec</A><A NAME="symantec.top"> &nbsp;</A></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#watchguard">Watchguard
-<BR> Firebox</A><A NAME="watchguard.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#xedia">Xedia Access Point
-<BR>/QVPN</A><A NAME="xedia.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT
-color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#zyxel">Zyxel Zywall
-<BR>/Prestige</A><A NAME="zyxel.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT
-color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE
-
-
-<TR>
-<TD><A HREF="#sample">sample</A></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
--->
-<TR><TD>&nbsp;</TD><TD>PSK</TD><TD>RSA Secret</TD><TD>X.509
-<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD>
-NAT-Traversal
-<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD>
-Manual
-<BR>Keying</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR>
-<TR><TD>&nbsp;</TD><TD colspan="5">FreeS/WAN VPN</TD><TD>Road Warrior</TD><TD>
-OE</TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-</TABLE>
-<H3><A NAME="10_1_1">Key</A></H3>
-<TABLE BORDER="1">
-<TR><TD><FONT color="#00cc00">Yes</FONT></TD><TD>People report that this
- works for them.</TD></TR>
-<TR><TD>[Blank]</TD><TD>We don't know.</TD></TR>
-<TR><TD><FONT color="#cc0000">No</FONT></TD><TD>We have reason to
- believe it was, at some point, not possible to get this to work.</TD></TR>
-<TR><TD><FONT color="#cccc00">Partial</FONT></TD><TD>Partial success.
- For example, a connection can be created from one end only.</TD></TR>
-<TR><TD><FONT color="#00cc00">Yes</FONT><FONT color="#cccc00">/Partial</FONT>
-</TD><TD>Mixed reports.</TD></TR>
-<TR><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>We think the answer
- is &quot;yes&quot;, but need confirmation.</TD></TR>
-</TABLE>
-<A NAME="interoprules"></A>
-<H2><A NAME="10_2">Basic Interop Rules</A></H2>
-<P>Vanilla FreeS/WAN implements<A HREF="#compat"> these parts</A> of the
- IPSec specifications. You can add more with<A HREF="http://www.freeswan.ca">
- Super FreeS/WAN</A>, but what we offer may be enough for many users.</P>
-<UL>
-<LI> To use X.509 certificates with FreeS/WAN, you will need the<A HREF="http://www.strongsec.org/freeswan">
- X.509 patch</A> or<A HREF="http://www.freeswan.ca"> Super FreeS/WAN</A>
-, which includes that patch.</LI>
-<LI> To use<A HREF="#NAT.gloss"> Network Address Translation</A> (NAT)
- traversal with FreeS/WAN, you will need Arkoon Network Security's<A HREF="http://open-source.arkoon.net">
- NAT traversal patch</A> or<A HREF="http://www.freeswan.ca"> Super
- FreeS/WAN</A>, which includes it.</LI>
-</UL>
-<P>We offer a set of proposals which is not user-adjustable, but covers
- all combinations that we can offer. FreeS/WAN always proposes triple
- DES encryption and Perfect Forward Secrecy (PFS). In addition, we
- propose Diffie Hellman groups 5 and 2 (in that order), and MD5 and
- SHA-1 hashes. We accept the same proposals, in the same order of
- preference.</P>
-<P>Other interop notes:</P>
-<UL>
-<LI> A<A HREF="http://lists.freeswan.org/archives/users/2003-September/msg00462.html">
- SHA-1 bug in FreeS/WAN 2.00, 2.01 and 2.02</A> may affect some interop
- scenarios. It does not affect 1.x versions, and is fixed in 2.03 and
- later.</LI>
-<LI> Some other implementations will close a connection with FreeS/WAN
- after some time. This may be a problem with rekey lifetimes. Please see<A
-HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html">
- this tip</A> and<A HREF="http://lists.freeswan.org/pipermail/users/2001-December/005758.html">
- this workaround</A>.</LI>
-</UL>
-<H2><A NAME="10_3">Longer Stories</A></H2>
-<H3><A NAME="10_3_1">For<EM> More Compatible</EM> Implementations</A></H3>
-<H4><A NAME="freeswan">FreeS/WAN</A></H4>
-<P> See our documentation at<A HREF="http://www.freeswan.org">
- freeswan.org</A> and the Super FreeS/WAN docs at<A HREF="http://www.freeswan.ca">
- freeswan.ca</A>. Some user-written HOWTOs for FreeS/WAN-FreeS/WAN
- connections are listed in<A HREF="#howto"> our Introduction</A>.</P>
-<P>See also:</P>
-<UL>
-<LI><A HREF="http://lugbe.ch/action/reports/ipsec_htbe.phtml"> A German
- FreeS/WAN-FreeS/WAN page by Markus Wernig (X.509)</A></LI>
-</UL>
-<P><A HREF="#freeswan.top">Back to chart</A></P>
-<H4><A NAME="isakmpd">isakmpd (OpenBSD)</A></H4>
-<P><A HREF="http://www.openbsd.org/faq/faq13.html">OpenBSD FAQ: Using
- IPsec</A>
-<BR><A HREF="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html">
- Hans-Joerg Hoexer's interop Linux-OpenBSD (PSK)</A>
-<BR><A HREF="http://www.segfault.net/ipsec/"> Skyper's configuration
- (PSK)</A>
-<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs (X.509)</A></P>
-<P><A HREF="#isakmpd.top">Back to chart</A></P>
-<H4><A NAME="kame">Kame</A></H4>
-<UL>
-<LI>For FreeBSD and NetBSD. Ships with Mac OS X; see also our<A HREF="#apple">
- Mac</A> section.</LI>
-<LI>Also known as<EM> racoon</EM>, its keying daemon.</LI>
-</UL>
-<P><A HREF="http://www.kame.net">Kame homepage, with FAQ</A>
-<BR><A HREF="http://www.netbsd.org/Documentation/network/ipsec">
- NetBSD's IPSec FAQ</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00560.html">
- Ghislaine's post explaining some interop peculiarities</A></P>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/09/msg00511.html">
- Itojun's Kame-FreeS/WAN interop tips (PSK)</A>
-<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2000"> Ghislaine
- Labouret's French page with links to matching FreeS/WAN and Kame
- configs (RSA)</A>
-<BR><A HREF="http://lugbe.ch/lostfound/contrib/freebsd_router/"> Markus
- Wernig's HOWTO (X.509, BSD gateway)</A>
-<BR><A HREF="http://web.morgul.net/~frodo/docs/kame+freeswan_interop.html">
- Frodo's Kame-FreeS/WAN interop (X.509)</A>
-<BR><A HREF="http://www.wavesec.org/kame.phtml"> Kame as a WAVEsec
- client.</A></P>
-<P><A HREF="#kame.top">Back to chart</A></P>
-<H4><A NAME="mcafee">PGPNet/McAfee</A></H4>
-<P></P>
-<UL>
-<LI>Now called McAfee VPN Client.</LI>
-<LI>PGPNet also came in a freeware version which did not support subnets</LI>
-<LI>To support dhcp-over-ipsec, you need the X.509 patch, which is
- included in<A HREF="http://www.freeswan.ca"> Super FreeS/WAN</A>.</LI>
-</UL>
-<P><A HREF="http://www.freeswan.ca/docs/WindowsInterop"> Tim Carr's
- Windows Interop Guide (X.509)</A>
-<BR><A HREF="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html#Interop2">
- Hans-Joerg Hoexer's Guide for Linux-PGPNet (PSK)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/04/msg00339.html">
- Kai Martius' instructions using RSA Key-Extractor Tool (RSA)</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://www.zengl.net/freeswan/english.html">Christian
- Zeng's page (RSA)</A> based on Kai's work. English or German.
-<BR><A HREF="http://tirnanog.ls.fi.upm.es/CriptoLab/Biblioteca/InfTech/InfTech_CriptoLab.htm">
- Oscar Delgado's PDF (X.509, no configs)</A>
-<BR><A HREF="http://www-ec.njit.edu/~rxt1077/Howto.txt"> Ryan's HOWTO
- for FreeS/WAN-PGPNet (X.509)</A>. Through a Linksys Router with IPsec
- Passthru enabled.
-<BR><A HREF="http://jixen.tripod.com/#RW-PGP-to-Fwan"> Jean-Francois
- Nadeau's Practical Configuration (Road Warrior with PSK)</A>
-<BR><A HREF="http://www.evolvedatacom.nl/freeswan.html#toc"> Wouter
- Prins' HOWTO (Road Warrior with X.509)</A>
-<BR></P>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/01/msg00271.html">
- Rekeying problem with FreeS/WAN and older PGPNets</A>
-<BR></P>
-<P><A HREF="http://www.strongsec.com/freeswan/dhcprelay/index.htm"> DHCP
- over IPSEC HOWTO for FreeS/WAN (requires X.509 and dhcprelay patches)</A>
-</P>
-<P><A HREF="#mcafee.top">Back to chart</A></P>
-<H4><A NAME="microsoft">Microsoft Windows 2000/XP</A></H4>
-<UL>
-<LI>IPsec comes with Win2k, and with XP Support Tools. May require<A HREF="http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp">
- High Encryption Pack</A>. WinXP users have also reported better results
- with Service Pack 1.</LI>
-<LI>The Road Warrior setup works either way round. Windows (XP or 2K)
- IPsec can connect as a Road Warrior to FreeS/WAN. However, FreeS/WAN
- can also successfully connect as a Road Warrior to Windows IPsec (see
- Nate Carlson's configs below).</LI>
-<LI>FreeS/WAN version 1.92 or later is required to avoid an
- interoperation problem with Windows native IPsec. Earlier FreeS/WAN
- versions did not process the Commit Bit as Windows native IPsec
- expected.</LI>
-</UL>
-<P><A HREF="http://www.freeswan.ca/docs/WindowsInterop"> Tim Carr's
- Windows Interop Guide (X.509)</A>
-<BR><A HREF="http://ipsec.math.ucla.edu/services/ipsec.html"> James
- Carter's instructions (X.509, NAT-T)</A>
-<BR><A HREF="http://jixen.tripod.com/#Win2000-Fwan"> Jean-Francois
- Nadeau's Net-net Configuration (PSK)</A>
-<BR><A HREF="http://security.nta.no/freeswan-w2k.html"> Telenor's
- Node-node Config (Transport-mode PSK)</A>
-<BR><A HREF="http://vpn.ebootis.de"> Marcus Mueller's HOWTO using his
- VPN config tool (X.509).</A> Tool also works with PSK.
-<BR><A HREF="http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509">
- Nate Carlson's HOWTO using same tool (Road Warrior with X.509)</A>.
- Unusually, FreeS/WAN is the Road Warrior here.
-<BR><A HREF="http://tirnanog.ls.fi.upm.es/CriptoLab/Biblioteca/InfTech/InfTech_CriptoLab.htm">
- Oscar Delgado's PDF (X.509, no configs)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022425.html">
- Tim Scannell's Windows XP Additional Checklist (X.509)</A>
-<BR></P>
-
-<!-- Note to self: Include L2TP references? -->
-<P><A HREF="http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_TCPIP_ovr_secfeatures.htm">
- Microsoft's page on Win2k TCP/IP security features</A>
-<BR><A HREF="http://support.microsoft.com/support/kb/articles/Q257/2/25.ASP">
- Microsoft's Win2k IPsec debugging tips</A>
-<BR>
-<!-- Alt-URL http://support.microsoft.com/default.aspx?scid=kb;EN-US;q257225
-Perhaps newer? -->
-<A HREF="http://www.wired.com/news/technology/0,1282,36336,00.html">
- MS VPN may fall back to 1DES</A></P>
-<P><A HREF="#microsoft.top">Back to chart</A></P>
-<H4><A NAME="ssh">SSH Sentinel</A></H4>
-<UL>
-<LI>Popular and well tested.</LI>
-<LI>Also rebranded in<A HREF="http://www.zyxel.com"> Zyxel Zywall</A>.
- Our Zyxel interop notes are<A HREF="#zyxel"> here</A>.</LI>
-<LI> SSH supports IPsec-over-UDP NAT traversal.</LI>
-<LI>There is this<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/12/msg00370.html">
- potential problem</A> if you're not using the Legacy Proposal option.</LI>
-</UL>
-<P><A HREF="http://www.ssh.com/support/sentinel/documents.cfm"> SSH's
- Sentinel-FreeSWAN interop PDF (X.509)</A>
-<BR><A HREF="http://www.nadmm.com/show.php?story=articles/vpn.inc">
- Nadeem Hassan's SUSE-to-Sentinel article (Road warrior with X.509)</A>
-<BR><A HREF="http://www.zerozone.it/documents/Linux/HowTo/VPN-IPsec-Freeswan-HOWTO.html">
- O-Zone's Italian HOWTO (Road Warrior, X.509, DHCP)</A>
-<BR></P>
-<P><A HREF="#ssh.top">Back to chart</A></P>
-<H4><A NAME="safenet">Safenet SoftPK/SoftRemote</A></H4>
-<UL>
-<LI>People recommend SafeNet as a low cost Windows client.</LI>
-<LI>SoftRemote seems to be the newer name for SoftPK.</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005061.html">
- Whit Blauvelt's SoftRemote tips</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015591.html">
- Tim Wilson's tips (X.509)</A><A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00607.html">
- Workaround for a &quot;gotcha&quot;</A></P>
-<P><A HREF="http://jixen.tripod.com/#Rw-IRE-to-Fwan"> Jean-Francois
- Nadeau's Practical Configuration (Road Warrior with PSK)</A>
-<BR><A HREF="http://www.terradoncommunications.com/security/whitepapers/safe_net-to-free_swan.pdf">
- Terradon Communications' PDF (Road Warrior with PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/?????.html">
- Seaan.net's PDF (Road Warrior to Subnet, with PSK)</A>
-<BR><A HREF="http://www.redbaronconsulting.com/freeswan/fswansafenet.pdf">
- Red Baron Consulting's PDF (Road Warrior with X.509)</A></P>
-<P><A HREF="#safenet.top">Back to chart</A></P>
-<H3><A NAME="10_3_2">For<EM> Other Implementations</EM></A></H3>
-<H4><A NAME="6wind">6Wind</A></H4>
-<P><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs (X.509)</A></P>
-<P><A HREF="#6wind.top">Back to chart</A></P>
-<H4><A NAME="alcatel">Alcatel Timestep</A></H4>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011878.html">
- Alain Sabban's settings (PSK or PSK road warrior; through static NAT)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00100.html">
- Derick Cassidy's configs (PSK)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/08/msg00194.html">
- David Kerry's Timestep settings (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013711.html">
- Kevin Gerbracht's ipsec.conf (X.509)</A></P>
-<P><A HREF="#alcatel.top">Back to chart</A></P>
-<H4><A NAME="apple">Apple Macintosh System 10+</A></H4>
-<UL>
-<LI>Since the system is based on FreeBSD, this should interoperate<A HREF="#kame">
- just like FreeBSD</A>.</LI>
-<LI> To use Appletalk over IPsec tunnels,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005116.html">
- run it over TCP/IP</A>, or use Open Door Networks' Shareway IP tool,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005426.html">
- described here.</A></LI>
-<LI>See also the<A HREF="#equinux"> Equinux VPN Tracker</A> for Mac OS
- X.</LI>
-</UL>
-<P><A HREF="http://ipsec.math.ucla.edu/services/ipsec.html"> James
- Carter's instructions (X.509, NAT-T)</A></P>
-<P><A HREF="#apple.top">Back to chart</A></P>
-<H4><A NAME="ashleylaurent">AshleyLaurent VPCom</A></H4>
-<P><A HREF="http://www.ashleylaurent.com/newsletter/01-28-00.htm">
- Successful interop report, no details</A></P>
-<P><A HREF="#ashleylaurent.top">Back to chart</A></P>
-<H4><A NAME="borderware">Borderware</A></H4>
-<UL>
-<LI>I suspect the Borderware client is a rebranded Safenet. If that's
- true, our<A HREF="#safenet"> Safenet section</A> will help.</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-March/008288.html">
- Philip Reetz' configs (PSK)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/09/msg00217.html">
- Borderware server does not support FreeS/WAN road warriors</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007733.html">
- Older Borderware may not support Diffie Hellman groups 2, 5</A>
-<BR></P>
-<P><A HREF="#borderware.top">Back to chart</A></P>
-<H4><A NAME="checkpoint">Check Point VPN-1 or FW-1</A></H4>
-<UL>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00099.html">
- Caveat about IP-range inclusion on Check Point.</A></LI>
-<LI> Some versions of Check Point may require an aggressive mode patch
- to interoperate with FreeS/WAN.
-<BR><A HREF="http://www.freeswan.ca/code/super-freeswan"> Super
- FreeS/WAN</A> now features this patch.
-<!--
-<A HREF="http://www.freeswan.ca/patches/aggressivemode">Steve Harvey's 
-aggressive mode patch for FreeS/WAN 1.5</A>
--->
-</LI>
-<LI></LI>
-<LI>A Linux FreeS/WAN-Checkpoint connection may close after some time.
- Try<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html">
- this tip</A> toward a workaround.</LI>
-</UL>
-<P><A HREF="http://www.fw-1.de/aerasec/ng/vpn-freeswan/CPNG+Linux-FreeSWAN.html">
- AERAsec's Firewall-1 NG site (PSK, X.509, Road Warrior with X.509,
- other algorithms)</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://www.fw-1.de/aerasec/ng/vpn-freeswan/CPNG+Linux-FreeSWAN.html#support-matrix">
- AERAsec's detailed Check Point-FreeS/WAN support matrix</A>
-<BR><A HREF="http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/fw-linuxvpn.pdf">
- Checkpoint.com PDF: Linux as a VPN Client to FW-1 (PSK)</A>
-<BR><A HREF="http://www.phoneboy.com"> PhoneBoy's Check Point FAQ (on
- Check Point only, not FreeS/WAN)</A>
-<BR></P>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2001-August/002351.html">
- Chris Harwell's tips FreeS/WAN configs (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009362.html">
- Daniel Tombeil's configs (PSK)</A></P>
-<P><A HREF="#checkpoint.top">Back to chart</A></P>
-<H4><A NAME="cisco">Cisco</A></H4>
-<UL>
-<LI> Cisco supports IPsec-over-UDP NAT traversal.</LI>
-<LI>Cisco VPN Client appears to use nonstandard IPsec and does not work
- with FreeS/WAN.<A HREF="https://mj2.freeswan.org/archives/2003-August/maillist.html">
- This message</A> concerns Cisco VPN Client 4.01.
-<!-- fix link -->
-</LI>
-<LI>A Linux FreeS/WAN-Cisco connection may close after some time.<A HREF="http://lists.freeswan.org/pipermail/users/2001-December/005758.html">
- Here</A> is a workaround, and<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html">
- here</A> is another comment on the same subject.</LI>
-<LI><A HREF="http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t2/3desips.htm">
-Older Ciscos</A> purchased outside the United States may not have 3DES,
- which FreeS/WAN requires.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-June/000406.html">
-RSA keying may not be possible between Cisco and FreeS/WAN.</A></LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-October/004357.html">
-In ipsec.conf, VPN3000 DN (distinguished name) must be in binary (X.509
- only)</A></LI>
-</UL>
-<P><A HREF="http://rr.sans.org/encryption/cisco_router.php"> SANS
- Institute HOWTO (PSK).</A> Detailed, with extensive references.
-<BR><A HREF="http://www.worldbank.ro/IPSEC/cisco-linux.txt"> Short HOWTO
- (PSK)</A>
-<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs for Cisco IOS, PIX and VPN 3000 (X.509)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-August/002966.html">
- Dave McFerren's sample configs (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-September/003422.html">
- Wolfgang Tremmel's sample configs (PSK road warrior)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00578.html">
- Old doc from Pete Davis, with William Watson's updated Tips (PSK)</A>
-<BR></P>
-<P><STRONG>Some PIX specific information:</STRONG>
-<BR><A HREF="http://www.wlug.org.nz/FreeSwanToCiscoPix"> Waikato Linux
- Users' Group HOWTO. Nice detail (PSK)</A>
-<BR><A HREF="http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html">
- John Leach's configs (PSK)</A>
-<BR><A HREF="http://www.diverdown.cc/vpn/freeswanpix.html"> Greg
- Robinson's settings (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007901.html">
- Scott's ipsec.conf for PIX (PSK, FreeS/WAN side only)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-October/003949.html">
- Rick Trimble's PIX and FreeS/WAN settings (PSK)</A>
-<BR></P>
-<P><A href="http://www.cisco.com/public/support/tac"> Cisco VPN support
- page</A>
-<BR><A href="http://www.ieng.com/warp/public/707/index.shtml#ipsec">
- Cisco IPsec information page</A></P>
-<P><A HREF="#cisco.top">Back to chart</A></P>
-<H4><A NAME="equinux">Equinux VPN tracker (for Mac OS X)</A></H4>
-<UL>
-<LI>Graphical configurator for Mac OS X IPsec. May be an interface to
- the<A HREF="#apple"> native Mac OS X IPsec</A>, which is essentially<A HREF="#kame">
- KAME</A>.</LI>
-<LI>To use Appletalk over IPsec tunnels,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005116.html">
- run it over TCP/IP</A>, or use Open Door Networks' Shareway IP tool,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005426.html">
- described here.</A></LI>
-</UL>
-<P> Equinux provides<A HREF="http://www.equinux.com/download/HowTo_FreeSWAN.pdf">
- this excellent interop PDF</A> (PSK, RSA, X.509).</P>
-<P><A HREF="#equinux.top">Back to chart</A></P>
-<H4><A NAME="fsecure">F-Secure</A></H4>
-<UL>
-<LI>
-<!-- <A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007596.html"> -->
- F-Secure supports IPsec-over-UDP NAT traversal.</LI>
-</UL>
-<P><A HREF="http://www.pingworks.de/tech/vpn/vpn.txt">pingworks.de's
- &quot;Connecting F-Secure's VPN+ to Linux FreeS/WAN&quot; (PSK road warrior)</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://www.pingworks.de/tech/vpn/vpn.pdf">Same thing
- as PDF</A>
-<BR><A HREF="http://www.exim.org/pipermail/linux-ipsec/Week-of-Mon-20010122/000061.html">
- Success report, no detail (PSK)</A>
-<BR><A HREF="http://www.exim.org/pipermail/linux-ipsec/Week-of-Mon-20010122/000041.html">
- Success report, no detail (Manual)</A></P>
-
-<!-- Other NAT traversers:
-http://lists.freeswan.org/pipermail/users/2002-April/009136.html
-and ssh sentinel:
-http://lists.freeswan.org/pipermail/users/2001-September/003108.html
--->
-<P><A HREF="#fsecure.top">Back to chart</A></P>
-<H4><A NAME="gauntlet">Gauntlet GVPN</A></H4>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00535.html">
- Richard Reiner's ipsec.conf (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011434.html">
- Might work without that pesky firewall... (PSK)</A>
-<BR>
-<!-- insert archive link -->
- In late July, 2003 Alexandar Antik reported success interoperating
- with Gauntlet 6.0 for Solaris (X.509). Unfortunately the message is not
- properly archived at this time.</P>
-<P><A HREF="#gauntlet.top">Back to chart</A></P>
-<H4><A NAME="aix">IBM AIX</A></H4>
-<P><A HREF="http://www-1.ibm.com/servers/esdd/articles/security.html">
- IBM's &quot;Built-In Network Security with AIX&quot; (PSK, X.509)</A>
-<BR><A HREF="http://www-1.ibm.com/servers/aix/products/ibmsw/security/vpn/faqandtips/#ques20">
- IBM's tip: importing Linux FreeS/WAN settings into AIX's<VAR> ikedb</VAR>
- (PSK)</A></P>
-<P><A HREF="#aix.top">Back to chart</A></P>
-<H4><A NAME="as400">IBM AS/400</A></H4>
-<UL>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009106.html">
- Road Warriors may act flaky</A>.</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-September/014264.html">
- Richard Welty's tips and tricks</A>
-<BR></P>
-<P><A HREF="#as400.top">Back to chart</A></P>
-<H4><A NAME="intel">Intel Shiva LANRover / Net Structure</A></H4>
-<UL>
-<LI>Intel Shiva LANRover is now known as Intel Net Structure.</LI>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/01/msg00298.html">
- Shiva seems to have two modes: IPsec or the proprietary &quot;Shiva Tunnel&quot;.</A>
- Of course, FreeS/WAN will only create IPsec tunnels.</LI>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00293.html">
- AH may not work for Shiva-FreeS/WAN.</A> That's OK, since FreeS/WAN has
- phased out the use of AH.</LI>
-</UL>
-<P><A HREF="http://snowcrash.tdyc.com/freeswan/"> Snowcrash's configs
- (PSK)</A>
-<BR><A HREF="http://www.opus1.com/vpn/index.html"> Old configs from an
- interop (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-October/003831.html">
- The day Shiva tickled a Pluto bug (PSK)</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://lists.freeswan.org/pipermail/users/2001-October/004270.html">
- Follow up: success!</A></P>
-<P><A HREF="#intel.top">Back to chart</A></P>
-<H4><A NAME="lancom">LanCom (formerly ELSA)</A></H4>
-<UL>
-<LI>This router is popular in Germany.</LI>
-</UL>
-<P> Jakob Curdes successfully created a PSK connection with the LanCom
- 1612 in August 2003.
-<!-- add ML link when it appears -->
-</P>
-<P><A HREF="#lancom.top">Back to chart</A></P>
-<H4><A NAME="linksys">Linksys</A></H4>
-<UL>
-<LI>Linksys may be used as an IPsec tunnel endpoint,<STRONG> OR</STRONG>
- as a router in &quot;IPsec passthrough&quot; mode, so that the IPsec tunnel
- passes through the Linksys.</LI>
-</UL>
-<H5>As tunnel endpoint</H5>
-<P><A HREF="http://www.freeswan.ca/docs/BEFVP41/"> Ken Bantoft's
- instructions (Road Warrior with PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007814.html">
- Nate Carlson's caveats</A></P>
-<H5>In IPsec passthrough mode</H5>
-<P><A HREF="http://www-ec.njit.edu/~rxt1077/Howto.txt"> Sample HOWTO
- through a Linksys Router</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2002/02/msg00114.html">
- Nadeem Hasan's configs</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2002/02/msg00180.html">
- Brock Nanson's tips</A>
-<BR></P>
-<P><A HREF="#linksys.top">Back to chart</A></P>
-<H4><A NAME="lucent">Lucent</A></H4>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010976.html">
- Partial success report; see also the next message in thread</A></P>
-
-<!-- section done -->
-<P><A HREF="#lucent.top">Back to chart</A></P>
-<H4><A NAME="netasq">Netasq</A></H4>
-<P><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs (X.509)</A></P>
-
-<!-- section done -->
-<P><A HREF="#netasq.top">Back to chart</A></P>
-<H4><A NAME="netcelo">Netcelo</A></H4>
-<P><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs (X.509)</A>
-<!-- section done -->
-</P>
-<P><A HREF="#netcelo.top">Back to chart</A></P>
-<H4><A NAME="netgear">Netgear fvs318</A></H4>
-<UL>
-<LI>With a recent Linux FreeS/WAN, you will require the latest (12/2002)
- Netgear firmware, which supports Diffie-Hellman (DH) group 2. For
- security reasons, we phased out DH 1 after Linux FreeS/WAN 1.5.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011833.html">
- This message</A> reports the incompatibility between Linux FreeS/WAN
- 1.6+ and Netgear fvs318 without the firmware upgrade.</LI>
-<LI>We believe Linux FreeS/WAN 1.5 and earlier will interoperate with
- any NetGear firmware.</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2003-February/017891.html">
- John Morris' setup (PSK)</A></P>
-<P><A HREF="#netgear.top">Back to chart</A></P>
-<H4><A NAME="netscreen">Netscreen 100 or 5xp</A></H4>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013409.html">
- Errol Neal's settings (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015265.html">
- Corey Rogers' configs (PSK, no PFS)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013051.html">
- Jordan Share's configs (PSK, 2 subnets, through static NAT)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/08/msg00404.html">
- Set src proxy_id to your protected subnet/mask</A>
-<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with ipsec.conf, Netscreen screen shots (X.509, may need to
- revert to PSK...)</A></P>
-<P><A HREF="http://archives.neohapsis.com/archives/sf/linux/2001-q2/0123.html">
- A report of a company using Netscreen with FreeS/WAN on a large scale
- (FreeS/WAN road warriors?)</A></P>
-<P><A HREF="#netscreen.top">Back to chart</A></P>
-<H4><A NAME="nortel">Nortel Contivity</A></H4>
-<UL>
-<LI> Nortel supports IPsec-over-UDP NAT traversal.</LI>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00417.html">
- Some older versions of Contivity and FreeS/WAN will not communicate.</A>
-</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010924.html">
- FreeS/WAN cannot be used as a &quot;client&quot; to a Nortel Contivity server,
- but can be used as a branch-office tunnel.</A></LI>
-
-<!--  Probably obsoleted by Ken's post
-<LI>
-(Matthias siebler from old interop)
-At one point you could not configure Nortel-FreeS/WAN tunnels as 
-"Client Tunnels" since FreeS/WAN does not support Aggressive Mode.
-Current status of this problem: unknown.
-<LI>
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/004612.html">
-How do we map group and user passwords onto the data that FreeS/WAN wants?
-</A>
-</LI>
--->
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015455.html">
- Contivity does not send Distinguished Names in the order FS wants them
- (X.509).</A></LI>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00137.html">
- Connections may time out after 30-40 minutes idle.</A></LI>
-</UL>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00137.html">
- JJ Streicher-Bremer's mini HOWTO for old new software. (PSK with two
- subnets)</A>
-<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs (X.509)</A>. This succeeds using the above
- X.509 tip.</P>
-
-<!-- I could do more searching but this is a solid start. -->
-<P><A HREF="#nortel.top">Back to chart</A></P>
-<H4><A NAME="radguard">Radguard</A></H4>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00009.html">
- Marko Hausalo's configs (PSK).</A> Note: These do create a connection,
- as you can see by &quot;IPsec SA established&quot;.
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/???.html">
- Claudia Schmeing's comments</A></P>
-<P><A HREF="#radguard.top">Back to chart</A></P>
-<H4><A NAME="raptor">Raptor (NT or Solaris)</A></H4>
-<P></P>
-<UL>
-<LI>Now known as Symantec Enterprise Firewall.</LI>
-<LI>The Raptor does not normally come with X.509, but this may be
- available as an add-on.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010256.html">
- Raptor requires alphanumberic PSK values, whereas FreeS/WAN uses hex.</A>
-</LI>
-<LI>Raptor's tunnel endpoint may be a host, subnet or group of subnets
- (see<A HREF="http://lists.freeswan.org/pipermail/design/2001-November/001295.html">
- this message</A> ). FreeS/WAN cannot handle the group of subnets; you
- must create separate connections for each in order to interoperate.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010113.html">
- Some versions of Raptor accept only single DES.</A> According to this
- German message,<A HREF="http://radawana.cg.tuwien.ac.at/mail-archives/lll/200012/msg00065.html">
- the Raptor Mobile Client demo offers single DES only.</A></LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-January/006935.html">
- Peter Mazinger's settings (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005522.html">
- Peter Gerland's configs (PSK)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00597.html">
- Charles Griebel's configs (PSK).</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-July/012275.html">
- Lumir Srch's tips (PSK)</A></P>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00214.html">
- John Hardy's configs (Manual)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/01/msg00236.html">
- Older Raptors want 3DES keys in 3 parts (Manual).</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/06/msg00480.html">
- Different keys for each direction? (Manual)</A>
-<BR></P>
-<P><A HREF="#raptor.top">Back to chart</A></P>
-<H4><A NAME="redcreek">Redcreek Ravlin</A></H4>
-<UL>
-<LI>Known issue #1: The Ravlin expects a quick mode renegotiation right
- after every Main Mode negotiation.</LI>
-<LI> Known issue #2: The Ravlin tries to negotiate a zero connection
- lifetime, which it takes to mean &quot;infinite&quot;.<A HREF="http://www.bear-cave.org.uk/linux/ravlin/">
- Jim Hague's patch</A> addresses both issues.</LI>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/03/msg00191.html">
- Interop works with Ravlin Firmware &gt; 3.33. Includes tips (PSK).</A></LI>
-</UL>
-<P><A HREF="#redcreek.top">Back to chart</A></P>
-<H4><A NAME="sonicwall">SonicWall</A></H4>
-<UL>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-June/000998.html">
- Sonicwall cannot be used for Road Warrior setups</A></LI>
-<LI> At one point,<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00217.html">
- only Sonicwall PRO supported triple DES</A>.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-March/008600.html">
- Older Sonicwalls (before Nov 2001) feature Diffie Hellman group 1 only</A>
-.</LI>
-</UL>
-<P><A HREF="http://www.xinit.cx/docs/freeswan.html"> Paul Wouters'
- config (PSK)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00073.html">
- Dilan Arumainathan's configuration (PSK)</A>
-<BR><A HREF="http://www.gravitas.co.uk/vpndebug"> Dariush's setup...
- only opens one way (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022302.html">
- Andreas Steffen's tips (X.509)</A>
-<BR></P>
-<P><A HREF="#sonicwall.top">Back to chart</A></P>
-<H4><A NAME="sun">Sun Solaris</A></H4>
-<UL>
-<LI> Solaris 8+ has a native (in kernel) IPsec implementation.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010503.html">
- Solaris does not seem to support tunnel mode, but you can make IP-in-IP
- tunnels instead, like this.</A></LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2003-June/022216.html">
- Reports of some successful interops</A> from a fellow @sun.com. See
- also<A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022247.html">
- these follow up posts</A>.
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00332.html">
- Aleks Shenkman's configs (Manual in transport mode)</A>
-<BR>
-<!--sparc 64 stuff goes where?-->
-</P>
-<P><A HREF="#solaris.top">Back to chart</A></P>
-<H4><A NAME="symantec">Symantec</A></H4>
-<UL>
-<LI>The Raptor, covered<A HREF="#raptor"> above</A>, is now known as
- Symantec Enterprise Firewall.</LI>
-<LI>Symantec's &quot;distinguished name&quot; is a KEY_ID. See Andreas Steffen's
- post, below.</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009037.html">
- Andreas Steffen's configs for Symantec 200R (PSK)</A></P>
-<P><A HREF="#symantec.top">Back to chart</A></P>
-<H4><A NAME="watchguard">Watchguard Firebox</A></H4>
-<UL>
-<LI>Automatic keying works with WatchGuard 5.0+ only.</LI>
-<LI>Seen to interoperate with WatchGuard 1000, II, III; firmware v. 5,
- 6..</LI>
-<LI>For manual keying, Watchguard's Policy Manager expects SPI numbers
- and encryption and authentication keys in decimal (not hex).</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-July/012595.html">
- WatchGuard's HOWTO (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013342.html">
- Ronald C. Riviera's Settings (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00179.html">
- Walter Wickersham's Notes (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015587.html">
- Max Enders' Configs (Manual)</A></P>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009404.html">
- Old known issue with auto keying</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00124.html">
- Tips on key generation and format (Manual)</A>
-<BR></P>
-<P><A HREF="#watchguard.top">Back to chart</A></P>
-<H4><A NAME="xedia">Xedia Access Point/QVPN</A></H4>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/12/msg00520.html">
- Hybrid IPsec/L2TP connection settings (X.509)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/ipsec/1999/08/msg00140.html">
- Xedia's LAN-LAN links don't use multiple tunnels</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://www.sandelman.ottawa.on.ca/ipsec/1999/08/msg00140.html">
- That explanation, continued</A></P>
-<P><A HREF="#xedia.top">Back to chart</A></P>
-<H4><A NAME="zyxel">Zyxel</A></H4>
-<UL>
-<LI>The Zyxel Zywall is a rebranded SSH Sentinel box. See also our
- section on<A HREF="#ssh"> SSH</A>.</LI>
-<LI>There seems to be a problem with keeping this connection alive. This
- is caused at the Zyxel end. See this brief<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00141.html">
- discussion and solution.</A></LI>
-</UL>
-<P><A HREF="http://www.zyxel.com/support/supportnote/zywall/app/zw_freeswan.htm">
- Zyxel's Zywall to FreeS/WAN instructions (PSK)</A>
-<BR><A HREF="http://www.zyxel.com/support/supportnote/p652/app/zw_freeswan.htm">
- Zyxel's Prestige to FreeS/WAN instructions (PSK)</A>. Note: not all
- Prestige versions include VPN software.
-<BR><A HREF="http://www.lancry.net/techdocs/freeswan-zyxel.txt"> Fabrice
- Cahen's HOWTO (PSK)</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;</P>
-<P><A HREF="#zyxel.top">Back to chart</A></P>
-
-<!-- SAMPLE ENTRY
-
-<H4><A NAME="timestep">Timestep</A></H4>
-
-<P>Text goes here.
-</P>
-
--->
-<HR>
-<H1><A name="performance">Performance of FreeS/WAN</A></H1>
- The performance of FreeS/WAN is adequate for most applications.
-<P>In normal operation, the main concern is the overhead for encryption,
- decryption and authentication of the actual IPsec (<A href="#ESP">ESP</A>
- and/or<A href="#AH"> AH</A>) data packets. Tunnel setup and rekeying
- occur so much less frequently than packet processing that, in general,
- their overheads are not worth worrying about.</P>
-<P>At startup, however, tunnel setup overheads may be significant. If
- you reboot a gateway and it needs to establish many tunnels, expect
- some delay. This and other issues for large gateways are discussed<A href="#biggate">
- below</A>.</P>
-<H2><A name="pub.bench">Published material</A></H2>
-<P>The University of Wales at Aberystwyth has done quite detailed speed
- tests and put<A href="http://tsc.llwybr.org.uk/public/reports/SWANTIME/">
- their results</A> on the web.</P>
-<P>Davide Cerri's<A href="http://www.linux.it/~davide/doc/"> thesis (in
- Italian)</A> includes performance results for FreeS/WAN and for<A href="#TLS">
- TLS</A>. He posted an<A href="http://lists.freeswan.org/pipermail/users/2001-December/006303.html">
- English summary</A> on the mailing list.</P>
-<P>Steve Bellovin used one of AT&amp;T Research's FreeS/WAN gateways as his
- data source for an analysis of the cache sizes required for key
- swapping in IPsec. Available as<A href="http://www.research.att.com/~smb/talks/key-agility.email.txt">
- text</A> or<A href="http://www.research.att.com/~smb/talks/key-agility.pdf">
- PDF slides</A> for a talk on the topic.</P>
-<P>See also the NAI work mentioned in the next section.</P>
-<H2><A name="perf.estimate">Estimating CPU overheads</A></H2>
-<P>We can come up with a formula that roughly relates CPU speed to the
- rate of IPsec processing possible. It is far from exact, but should be
- usable as a first approximation.</P>
-<P>An analysis of authentication overheads for high-speed networks,
- including some tests using FreeS/WAN, is on the<A href="http://www.pgp.com/research/nailabs/cryptographic/adaptive-cryptographic.asp">
- NAI Labs site</A>. In particular, see figure 3 in this<A href="http://download.nai.com/products/media/pgp/pdf/acsa_final_report.pdf">
- PDF document</A>. Their estimates of overheads, measured in Pentium II
- cycles per byte processed are:</P>
-<TABLE align="center" border="1"><TBODY></TBODY>
-<TR><TH></TH><TH>IPsec</TH><TH>authentication</TH><TH>encryption</TH><TH>
-cycles/byte</TH></TR>
-<TR><TD>Linux IP stack alone</TD><TD>no</TD><TD>no</TD><TD>no</TD><TD align="right">
-5</TD></TR>
-<TR><TD>IPsec without crypto</TD><TD>yes</TD><TD>no</TD><TD>no</TD><TD align="right">
-11</TD></TR>
-<TR><TD>IPsec, authentication only</TD><TD>yes</TD><TD>SHA-1</TD><TD>no</TD><TD
-align="right">24</TD></TR>
-<TR><TD>IPsec with encryption</TD><TD>yes</TD><TD>yes</TD><TD>yes</TD><TD
-align="right">not tested</TD></TR>
-</TABLE>
-<P>Overheads for IPsec with encryption were not tested in the NAI work,
- but Antoon Bosselaers'<A href="http://www.esat.kuleuven.ac.be/~bosselae/fast.html">
- web page</A> gives cost for his optimised Triple DES implementation as
- 928 Pentium cycles per block, or 116 per byte. Adding that to the 24
- above, we get 140 cycles per byte for IPsec with encryption.</P>
-<P>At 140 cycles per byte, a 140 MHz machine can handle a megabyte -- 8
- megabits -- per second. Speeds for other machines will be proportional
- to this. To saturate a link with capacity C megabits per second, you
- need a machine running at<VAR> C * 140/8 = C * 17.5</VAR> MHz.</P>
-<P>However, that estimate is not precise. It ignores the differences
- between:</P>
-<UL>
-<LI>NAI's test packets and real traffic</LI>
-<LI>NAI's Pentium II cycles, Bosselaers' Pentium cycles, and your
- machine's cycles</LI>
-<LI>different 3DES implementations</LI>
-<LI>SHA-1 and MD5</LI>
-</UL>
-<P>and does not account for some overheads you will almost certainly
- have:</P>
-<UL>
-<LI>communication on the client-side interface</LI>
-<LI>switching between multiple tunnels -- re-keying, cache reloading and
- so on</LI>
-</UL>
-<P>so we suggest using<VAR> C * 25</VAR> to get an estimate with a bit
- of a built-in safety factor.</P>
-<P>This covers only IP and IPsec processing. If you have other loads on
- your gateway -- for example if it is also working as a firewall -- then
- you will need to add your own safety factor atop that.</P>
-<P>This estimate matches empirical data reasonably well. For example,
- Metheringham's tests, described<A href="#klips.bench"> below</A>, show
- a 733 topping out between 32 and 36 Mbit/second, pushing data as fast
- as it can down a 100 Mbit link. Our formula suggests you need at least
- an 800 to handle a fully loaded 32 Mbit link. The two results are
- consistent.</P>
-<P>Some examples using this estimation method:</P>
-<TABLE align="center" border="1"><TBODY></TBODY>
-<TR><TH colspan="2">Interface</TH><TH colspan="3">Machine speed in MHz</TH>
-</TR>
-<TR><TH>Type</TH><TH>Mbit per
-<BR> second</TH><TH>Estimate
-<BR> Mbit*25</TH><TH>Minimum IPSEC gateway</TH><TH>Minimum with other
- load
-<P>(e.g. firewall)</P>
-</TH></TR>
-<TR><TD>DSL</TD><TD align="right">1</TD><TD align="right">25 MHz</TD><TD rowspan="2">
-whatever you have</TD><TD rowspan="2">133, or better if you have it</TD></TR>
-<TR><TD>cable modem</TD><TD align="right">3</TD><TD align="right">75 MHz</TD>
-</TR>
-<TR><TD><STRONG>any link, light load</STRONG></TD><TD align="right"><STRONG>
-5</STRONG></TD><TD align="right">125 MHz</TD><TD>133</TD><TD>200+,<STRONG>
- almost any surplus machine</STRONG></TD></TR>
-<TR><TD>Ethernet</TD><TD align="right">10</TD><TD align="right">250 MHz</TD><TD>
-surplus 266 or 300</TD><TD>500+</TD></TR>
-<TR><TD><STRONG>fast link, moderate load</STRONG></TD><TD align="right"><STRONG>
-20</STRONG></TD><TD align="right">500 MHz</TD><TD>500</TD><TD>800+,<STRONG>
- any current off-the-shelf PC</STRONG></TD></TR>
-<TR><TD>T3 or E3</TD><TD align="right">45</TD><TD align="right">1125 MHz</TD><TD>
-1200</TD><TD>1500+</TD></TR>
-<TR><TD>fast Ethernet</TD><TD align="right">100</TD><TD align="right">
-2500 MHz</TD><TD align="center" colspan="2" rowspan="2">// not feasible
- with 3DES in software on current machines //</TD></TR>
-<TR><TD>OC3</TD><TD align="right">155</TD><TD align="right">3875 MHz</TD>
-</TR>
-</TABLE>
-<P>Such an estimate is far from exact, but should be usable as minimum
- requirement for planning. The key observations are:</P>
-<UL>
-<LI>older<STRONG> surplus machines</STRONG> are fine for IPsec gateways
- at loads up to<STRONG> 5 megabits per second</STRONG> or so</LI>
-<LI>a<STRONG> mid-range new machine</STRONG> can handle IPsec at rates
- up to<STRONG> 20 megabits per second</STRONG> or more</LI>
-</UL>
-<H3><A name="perf.more">Higher performance alternatives</A></H3>
-<P><A href="#AES">AES</A> is a new US government block cipher standard,
- designed to replace the obsolete<A href="#DES"> DES</A>. If FreeS/WAN
- using<A href="#3DES"> 3DES</A> is not fast enough for your application,
- the AES<A href="#patch"> patch</A> may help.</P>
-<P>To date (March 2002) we have had only one<A href="http://lists.freeswan.org/pipermail/users/2002-February/007771.html">
- mailing list report</A> of measurements with the patch applied. It
- indicates that, at least for the tested load on that user's network,<STRONG>
- AES roughly doubles IPsec throughput</STRONG>. If further testing
- confirms this, it may prove possible to saturate an OC3 link in
- software on a high-end box.</P>
-<P>Also, some work is being done toward support of<A href="#hardware">
- hardware IPsec acceleration</A> which might extend the range of
- requirements FreeS/WAN could meet.</P>
-<H3><A NAME="11_2_2">Other considerations</A></H3>
-<P>CPU speed may be the main issue for IPsec performance, but of course
- it isn't the only one.</P>
-<P>You need good ethernet cards or other network interface hardware to
- get the best performance. See this<A href="http://www.ethermanage.com/ethernet/ethernet.html">
- ethernet information</A> page and this<A href="http://www.scyld.com/diag">
- Linux network driver</A> page.</P>
-<P>The current FreeS/WAN kernel code is largely single-threaded. It is
- SMP safe, and will run just fine on a multiprocessor machine (<A href="#multiprocessor">
-discussion</A>), but the load within the kernel is not shared
- effectively. This means that, for example to saturate a T3 -- which
- needs about a 1200 MHz machine -- you cannot expect something like a
- dual 800 to do the job.</P>
-<P>On the other hand, SMP machines do tend to share loads well so --
- provided one CPU is fast enough for the IPsec work -- a multiprocessor
- machine may be ideal for a gateway with a mixed load.</P>
-<H2><A name="biggate">Many tunnels from a single gateway</A></H2>
-<P>FreeS/WAN allows a single gateway machine to build tunnels to many
- others. There may, however, be some problems for large numbers as
- indicated in this message from the mailing list:</P>
-<PRE>Subject: Re: Maximum number of ipsec tunnels?
-   Date: Tue, 18 Apr 2000
-   From: &quot;John S. Denker&quot; &lt;jsd@research.att.com&gt;
-
-Christopher Ferris wrote:
-
-&gt;&gt; What are the maximum number ipsec tunnels FreeS/WAN can handle??
-
-Henry Spencer wrote:
-
-&gt;There is no particular limit.  Some of the setup procedures currently
-&gt;scale poorly to large numbers of connections, but there are (clumsy)
-&gt;workarounds for that now, and proper fixes are coming.
-
-1) &quot;Large&quot; numbers means anything over 50 or so.  I routinely run boxes
-with about 200 tunnels.  Once you get more than 50 or so, you need to worry
-about several scalability issues:
-
-a) You need to put a &quot;-&quot; sign in syslogd.conf, and rotate the logs daily
-not weekly.
-
-b) Processor load per tunnel is small unless the tunnel is not up, in which
-case a new half-key gets generated every 90 seconds, which can add up if
-you've got a lot of down tunnels.
-
-c) There's other bits of lore you need when running a large number of
-tunnels.  For instance, systematically keeping the .conf file free of
-conflicts requires tools that aren't shipped with the standard freeswan
-package.
-
-d) The pluto startup behavior is quadratic.  With 200 tunnels, this eats up
-several minutes at every restart.   I'm told fixes are coming soon.
-
-2) Other than item (1b), the CPU load depends mainly on the size of the
-pipe attached, not on the number of tunnels.
-</PRE>
-<P>It is worth noting that item (1b) applies only to repeated attempts
- to re-key a data connection (IPsec SA, Phase 2) over an established
- keying connection (ISAKMP SA, Phase 1). There are two ways to reduce
- this overhead using settings in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>:</P>
-<UL>
-<LI>set<VAR> keyingtries</VAR> to some small value to limit repetitions</LI>
-<LI>set<VAR> keylife</VAR> to a short time so that a failing data
- connection will be cleaned up when the keying connection is reset.</LI>
-</UL>
-<P>The overheads for establishing keying connections (ISAKMP SAs, Phase
- 1) are lower because for these Pluto does not perform expensive
- operations before receiving a reply from the peer.</P>
-<P>A gateway that does a lot of rekeying -- many tunnels and/or low
- settings for tunnel lifetimes -- will also need a lot of<A href="#random">
- random numbers</A> from the random(4) driver.</P>
-<H2><A name="low-end">Low-end systems</A></H2>
-<P><EM>Even a 486 can handle a T1 line</EM>, according to this mailing
- list message:</P>
-<PRE>Subject: Re: linux-ipsec: IPSec Masquerade
-   Date: Fri, 15 Jan 1999 11:13:22 -0500
-   From: Michael Richardson 
-
-. . . A 486/66 has been clocked by Phil Karn to do
-10Mb/s encryption.. that uses all the CPU, so half that to get some CPU,
-and you have 5Mb/s. 1/3 that for 3DES and you get 1.6Mb/s....</PRE>
-<P>and a piece of mail from project technical lead Henry Spencer:</P>
-<PRE>Oh yes, and a new timing point for Sandy's docs...  A P60 -- yes, a 60MHz
-Pentium, talk about antiques -- running a host-to-host tunnel to another
-machine shows an FTP throughput (that is, end-to-end results with a real
-protocol) of slightly over 5Mbit/s either way.  (The other machine is much
-faster, the network is 100Mbps, and the ether cards are good ones... so
-the P60 is pretty definitely the bottleneck.)</PRE>
-<P>From the above, and from general user experience as reported on the
- list, it seems clear that a cheap surplus machine -- a reasonable 486,
- a minimal Pentium box, a Sparc 5, ... -- can easily handle a home
- office or a small company connection using any of:</P>
-<UL>
-<LI>ADSL service</LI>
-<LI>cable modem</LI>
-<LI>T1</LI>
-<LI>E1</LI>
-</UL>
-<P>If available, we suggest using a Pentium 133 or better. This should
- ensure that, even under maximum load, IPsec will use less than half the
- CPU cycles. You then have enough left for other things you may want on
- your gateway -- firewalling, web caching, DNS and such.</P>
-<H2><A name="klips.bench">Measuring KLIPS</A></H2>
-<P>Here is some additional data from the mailing list.</P>
-<PRE>Subject: FreeSWAN (specically KLIPS) performance measurements
-   Date: Thu, 01 Feb 2001
-   From: Nigel Metheringham &lt;Nigel.Metheringham@intechnology.co.uk&gt;
-
-I've spent a happy morning attempting performance tests against KLIPS 
-(this is due to me not being able to work out the CPU usage of KLIPS so 
-resorting to the crude measurements of maximum throughput to give a 
-baseline to work out loading of a box).
-
-Measurements were done using a set of 4 boxes arranged in a line, each 
-connected to the next by 100Mbit duplex ethernet.  The inner 2 had an 
-ipsec tunnel between them (shared secret, but I was doing measurements 
-when the tunnel was up and running - keying should not be an issue 
-here).  The outer pair of boxes were traffic generators or traffic sink.
-
-The crypt boxes are Compaq DL380s - Uniprocessor PIII/733 with 256K 
-cache.  They have 128M main memory.  Nothing significant was running on 
-the boxes other than freeswan.  The kernel was a 2.2.19pre7 patched 
-with freeswan and ext3.
-
-Without an ipsec tunnel in the chain (ie the 2 inner boxes just being 
-100BaseT routers), throughput (measured with ttcp) was between 10644 
-and 11320 KB/sec
-
-With an ipsec tunnel in place, throughput was between 3268 and 3402 
-KB/sec
-
-These measurements are for data pushed across a TCP link, so the 
-traffic on the wire between the 2 ipsec boxes would have been higher 
-than this....
-
-vmstat (run during some other tests, so not affecting those figures) on 
-the encrypting box shows approx 50% system &amp; 50% idle CPU - which I 
-don't believe at all.  Interactive feel of the box was significantly 
-sluggish.
-
-I also tried running the kernel profiler (see man readprofile) during 
-test runs.
-
-A box doing primarily decrypt work showed basically nothing happening - 
-I assume interrupts were off.
-A box doing encrypt work showed the following:-
- Ticks Function                                   Load
- ~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    ~~~~~~
-   956 total                                      0.0010
-   532 des_encrypt2                               0.1330
-   110 MD5Transform                               0.0443
-    97 kmalloc                                    0.1880
-    39 des_encrypt3                               0.1336
-    23 speedo_interrupt                           0.0298
-    14 skb_copy_expand                            0.0250
-    13 ipsec_tunnel_start_xmit                    0.0009
-    13 Decode                                     0.1625
-    11 handle_IRQ_event                           0.1019
-    11 .des_ncbc_encrypt_end                      0.0229
-    10 speedo_start_xmit                          0.0188
-     9 satoa                                      0.0225
-     8 kfree                                      0.0118
-     8 ip_fragment                                0.0121
-     7 ultoa                                      0.0365
-     5 speedo_rx                                  0.0071
-     5 .des_encrypt2_end                          5.0000
-     4 _stext                                     0.0140
-     4 ip_fw_check                                0.0035
-     2 rj_match                                   0.0034
-     2 ipfw_output_check                          0.0200
-     2 inet_addr_type                             0.0156
-     2 eth_copy_and_sum                           0.0139
-     2 dev_get                                    0.0294
-     2 addrtoa                                    0.0143
-     1 speedo_tx_buffer_gc                        0.0024
-     1 speedo_refill_rx_buf                       0.0022
-     1 restore_all                                0.0667
-     1 number                                     0.0020
-     1 net_bh                                     0.0021
-     1 neigh_connected_output                     0.0076
-     1 MD5Final                                   0.0083
-     1 kmem_cache_free                            0.0016
-     1 kmem_cache_alloc                           0.0022
-     1 __kfree_skb                                0.0060
-     1 ipsec_rcv                                  0.0001
-     1 ip_rcv                                     0.0014
-     1 ip_options_fragment                        0.0071
-     1 ip_local_deliver                           0.0023
-     1 ipfw_forward_check                         0.0139
-     1 ip_forward                                 0.0011
-     1 eth_header                                 0.0040
-     1 .des_encrypt3_end                          0.0833
-     1 des_decrypt3                               0.0034
-     1 csum_partial_copy_generic                  0.0045
-     1 call_out_firewall                          0.0125
-
-Hope this data is helpful to someone... however the lack of visibility 
-into the decrypt side makes things less clear</PRE>
-<H2><A name="speed.compress">Speed with compression</A></H2>
-<P>Another user reported some results for connections with and without
- IP compression:</P>
-<PRE>Subject: [Users] Speed with compression
-   Date: Fri, 29 Jun 2001
-   From: John McMonagle &lt;johnm@advocap.org&gt;
-
-Did a couple tests with compression using the new 1.91 freeswan.
-
-Running between 2 sites with cable modems.  Both  using approximately
-130 mhz pentium.
-
-Transferred files with ncftp.
-
-Compressed file was a 6mb compressed  installation file.
-Non compressed was 18mb /var/lib/rpm/packages.rpm
-
-                            Compressed vpn          regular vpn
-Compress file                42.59 kBs               42.08 kBs
-regular file                110.84 kBs               41.66 kBs
-
-Load  was about 0 either way.
-Ping times were very similar  a bit above 9 ms.
-
-Compression looks attractive to me.</PRE>
- Later in the same thread, project technical lead Henry Spencer added:
-<PRE>&gt; is there a reason not to switch compression on?  I have large gateway boxes
-&gt; connecting 3 connections, one of them with a measly DS1 link...
-
-Run some timing tests with and without, with data and loads representative
-of what you expect in production.  That's the definitive way to decide. 
-If compression is a net loss, then obviously, leave it turned off.  If it
-doesn't make much difference, leave it off for simplicity and hence
-robustness.  If there's a substantial gain, by all means turn it on. 
-
-If both ends support compression and can successfully negotiate a
-compressed connection (trivially true if both are FreeS/WAN 1.91), then
-the crucial question is CPU cycles. 
-
-Compression has some overhead, so one question is whether *your* data
-compresses well enough to save you more CPU cycles (by reducing the volume
-of data going through CPU-intensive encryption/decryption) than it costs
-you.  Last time I ran such tests on data that was reasonably compressible
-but not deliberately contrived to be so, this generally was not true --
-compression cost extra CPU cycles -- so compression was worthwhile only if
-the link, not the CPU, was the bottleneck.  However, that was before the
-slow-compression bug was fixed.  I haven't had a chance to re-run those
-tests yet, but it sounds like I'd probably see a different result. </PRE>
- The bug he refers to was a problem with the compression libraries that
- had us using C code, rather than assembler, for compression. It was
- fixed before 1.91.
-<H2><A name="methods">Methods of measuring</A></H2>
-<P>If you want to measure the loads FreeS/WAN puts on a system, note
- that tools such as top or measurements such as load average are
- more-or-less useless for this. They are not designed to measure
- something that does most of its work inside the kernel.</P>
-<P>Here is a message from FreeS/WAN kernel programmer Richard Guy Briggs
- on this:</P>
-<PRE>&gt; I have a batch of boxes doing Freeswan stuff.
-&gt; I want to measure the CPU loading of the Freeswan tunnels, but am 
-&gt; having trouble seeing how I get some figures out...
-&gt; 
-&gt;  - Keying etc is in userspace so will show up on the per-process
-&gt;    and load average etc (ie pluto's load)
-
-Correct.
-
-&gt;  - KLIPS is in the kernel space, and does not show up in load average
-&gt;    I think also that the KLIPS per-packet processing stuff is running
-&gt;    as part of an interrupt handler so it does not show up in the
-&gt;    /proc/stat system_cpu or even idle_cpu figures
-
-It is not running in interrupt handler.  It is in the bottom half.
-This is somewhere between user context (careful, this is not
-userspace!) and hardware interrupt context.
-
-&gt; Is this correct, and is there any means of instrumenting how much the 
-&gt; cpu is being loaded - I don't like the idea of a system running out of 
-&gt; steam whilst still showing 100% idle CPU :-)
-
-vmstat seems to do a fairly good job, but use a running tally to get a
-good idea.  A one-off call to vmstat gives different numbers than a
-running stat.  To do this, put an interval on your vmstat command
-line.</PRE>
- and another suggestion from the same thread:
-<PRE>Subject: Re: Measuring the CPU usage of Freeswan
-   Date: Mon, 29 Jan 2001
-   From: Patrick Michael Kane &lt;modus@pr.es.to&gt;
- 
-The only truly accurate way to accurately track FreeSWAN CPU usage is to use
-a CPU soaker. You run it on an unloaded system as a benchmark, then start up
-FreeSWAN and take the difference to determine how much FreeSWAN is eating.
-I believe someone has done this in the past, so you may find something in
-the FreeSWAN archives.  If not, someone recently posted a URL to a CPU
-soaker benchmark tool on linux-kernel.</PRE>
-<HR>
-<H1><A name="test.freeswan">Testing FreeS/WAN</A></H1>
- This document discusses testing FreeS/WAN.
-<P>Not all types of testing are described here. Other parts of the
- documentation describe some tests:</P>
-<DL>
-<DT><A href="#testinstall">installation</A> document</DT>
-<DD>testing for a successful install</DD>
-<DT><A href="config.html#testsetup">configuration</A> document</DT>
-<DD>basic tests for a working configuration</DD>
-<DT><A href="#interop.web">web links</A> document</DT>
-<DD>General information on tests for interoperability between various
- IPsec implementations. This includes links to several test sites.</DD>
-<DT><A href="interop.html">interoperation</A> document.</DT>
-<DD>More specific information on FreeS/WAN interoperation with other
- implementations.</DD>
-<DT><A href="performance.html">performance</A> document</DT>
-<DD>performance measurements</DD>
-</DL>
-<P>The test setups and procedures described here can also be used in
- other testing, but this document focuses on testing the IPsec
- functionality of FreeS/WAN.</P>
-<H2><A NAME="test.oe">Testing opportunistic connections</A></H2>
-<P>This section teaches you how to test your opportunistically encrypted
- (OE) connections. To set up OE, please see the easy instructions in our<A
-HREF="quickstart.html"> quickstart guide</A>.</P>
-<H3><A NAME="12_1_1">Basic OE Test</A></H3>
-<P>This test is for basic OE functionality.
-<!-- You may use it on an 
-<A HREF="quickstart.html#oppo.client">initiate-only OE</A> box or a 
-<A HREF="quickstart.html#opp.incoming">full OE</A> box. -->
- For additional tests, keep
- reading.</P>
-<P>Be sure IPsec is running. You can see whether it is with:</P>
-<PRE>    ipsec setup status</PRE>
-<P>If need be, you can restart it with:</P>
-<PRE>    service ipsec restart</PRE>
-<P>Load a FreeS/WAN test website from the host on which you're running
- FreeS/WAN. Note: the feds may be watching these sites. Type one of:</P>
-<P></P>
-<PRE>   links oetest.freeswan.org</PRE>
-<PRE>   links oetest.freeswan.nl</PRE>
-
-<!--<PRE>   links oetest.freeswan.ca</PRE>-->
-<P>A positive result looks like this:</P>
-<PRE>
-   You  seem  to  be  connecting  from:  192.0.2.11 which DNS says is:
-   gateway.example.com
-     _________________________________________________________________
-                                                                                
-   Status E-route
-   OE    enabled    16    192.139.46.73/32    -&gt;    192.0.2.11/32   =&gt;
-   tun0x2097@192.0.2.11
-   OE    enabled    176    192.139.46.77/32    -&gt;   192.0.2.11/32   =&gt;
-   tun0x208a@192.0.2.11
-</PRE>
-<P>If you see this, congratulations! Your OE box will now encrypt its
- own traffic whenever it can. If you have difficulty, see our<A HREF="#oe.trouble">
- OE troubleshooting tips</A>.</P>
-<H3><A NAME="12_1_2">OE Gateway Test</A></H3>
-<P>If you've set up FreeS/WAN to protect a subnet behind your gateway,
- you'll need to run another simple test, which can be done from a
- machine running any OS. That's right, your Windows box can be protected
- by opportunistic encryption without any FreeS/WAN install or
- configuration on that box. From<STRONG> each protected subnet node</STRONG>
-, load the FreeS/WAN website with:</P>
-<PRE>   links oetest.freeswan.org</PRE>
-<PRE>   links oetest.freeswan.nl</PRE>
-<P>A positive result looks like this:</P>
-<PRE>
-   You  seem  to  be  connecting  from:  192.0.2.98 which DNS says is:
-   box98.example.com
-     _________________________________________________________________
-                                                                                
-   Status E-route
-   OE    enabled    16    192.139.46.73/32    -&gt;    192.0.2.98/32   =&gt;
-   tun0x134ed@192.0.2.11
-   OE    enabled    176    192.139.46.77/32    -&gt;   192.0.2.11/32   =&gt;
-   tun0x134d2@192.0.2.11
-</PRE>
-<P>If you see this, congratulations! Your OE gateway will now encrypt
- traffic for this subnet node whenever it can. If you have difficulty,
- see our<A HREF="#oe.trouble"> OE troubleshooting tips</A>.</P>
-<H3><A NAME="12_1_3">Additional OE tests</A></H3>
-<P>When testing OE, you will often find it useful to execute this
- command on the FreeS/WAN host:</P>
-<PRE>   ipsec eroute</PRE>
-<P>If you have established a connection (either for or for a subnet
- node) you will see a result like:</P>
-<PRE>    192.0.2.11/32   -&gt; 192.139.46.73/32  =&gt; tun0x149f@192.139.46.38
-</PRE>
-<P>Key:</P>
-<TABLE>
-<TR><TD>1.</TD><TD>192.0.2.11/32</TD><TD>Local start point of the
- protected traffic.</TD></TR>
-<TR><TD>2.</TD><TD>192.0.2.194/32</TD><TD>Remote end point of the
- protected traffic.</TD></TR>
-<TR><TD>3.</TD><TD>192.0.48.38</TD><TD>Remote FreeS/WAN node (gateway or
- host). May be the same as (2).</TD></TR>
-<TR><TD>4.</TD><TD>[not shown]</TD><TD>Local FreeS/WAN node (gateway or
- host), where you've produced the output. May be the same as (1).</TD></TR>
-</TABLE>
-<P>For extra assurance, you may wish to use a packet sniffer such as<A HREF="http://www.tcpdump.org">
- tcpdump</A> to verify that packets are being encrypted. You should see
- output that indicates<STRONG> ESP</STRONG> encrypted data, for example:</P>
-<PRE>    02:17:47.353750 PPPoE  [ses 0x1e12] IP 154: xy.example.com &gt; oetest.freeswan.org: ESP(spi=0x87150d16,seq=0x55)</PRE>
-<H2><A name="test.uml">Testing with User Mode Linux</A></H2>
-<P><A href="http://user-mode-linux.sourceforge.net/">User Mode Linux</A>
- allows you to run Linux as a user process on another Linux machine.</P>
-<P>As of 1.92, the distribution has a new directory named testing. It
- contains a collection of test scripts and sample configurations. Using
- these, you can bring up several copies of Linux in user mode and have
- them build tunnels to each other. This lets you do some testing of a
- FreeS/WAN configuration on a single machine.</P>
-<P>You need a moderately well-endowed machine for this to work well.
- Each UML wants about 16 megs of memory by default, which is plenty for
- FreeS/WAN usage. Typical regression testing only occasionally uses as
- many as 4 UMLs. If one is doing nothing else with the machine (in
- particular, not running X on it), then 128 megs and a 500MHz CPU are
- fine.</P>
- Documentation on these scripts is<A href="umltesting.html"> here</A>.
- There is also documentation on automated testing<A href="makecheck.html">
- here</A>.
-<H2><A name="testnet">Configuration for a testbed network</A></H2>
-<P>A common test setup is to put a machine with dual Ethernet cards in
- between two gateways under test. You need at least five machines; two
- gateways, two clients and a testing machine in the middle.</P>
-<P>The central machine both routes packets and provides a place to run
- diagnostic software for checking IPsec packets. See next section for
- discussion of<A href="#tcpdump.faq"> using tcpdump(8)</A> for this.</P>
-<P>This makes things more complicated than if you just connected the two
- gateway machines directly to each other, but it also makes your test
- setup much more like the environment you actually use IPsec in. Those
- environments nearly always involve routing, and quite a few apparent
- IPsec failures turn out to be problems with routing or with firewalls
- dropping packets. This approach lets you deal with those problems on
- your test setup.</P>
-<P>What you end up with looks like:</P>
-<H3><A name="testbed">Testbed network</A></H3>
-<PRE>      subnet a.b.c.0/24
-             |
-      eth1 = a.b.c.1
-         gate1
-      eth0 = 192.168.p.1
-             |
-             |
-      eth0 = 192.168.p.2
-         route/monitor box
-      eth1 = 192.168.q.2
-             |
-             |
-      eth0 = 192.168.q.1
-         gate2
-      eth1 = x.y.z.1
-              |
-       subnet x.y.z.0/24</PRE>
-<PRE>Where p and q are any convenient values that do not interfere with other
-routes you may have. The ipsec.conf(5) file then has, among other things:</PRE>
-<PRE>conn abc-xyz
-      left=192.168.p.1
-      leftnexthop=192.168.p.2
-      right=192.168.q.1
-      rightnexthop=192.168.q.2</PRE>
-<P>Once that works, you can remove the &quot;route/monitor box&quot;, and connect
- the two gateways to the Internet. The only parameters in ipsec.conf(5)
- that need to change are the four shown above. You replace them with
- values appropriate for your Internet connection, and change the eth0 IP
- addresses and the default routes on both gateways.</P>
-<P>Note that nothing on either subnet needs to change. This lets you
- test most of your IPsec setup before connecting to the insecure
- Internet.</P>
-<H3><A name="tcpdump.test">Using packet sniffers in testing</A></H3>
-<P>A number of tools are available for looking at packets. We will
- discuss using<A href="http://www.tcpdump.org/"> tcpdump(8)</A>, a
- common Linux tool included in most distributions. Alternatives
- offerring more-or-less the same functionality include:</P>
-<DL>
-<DT><A href="http://www.ethereal.com">Ethereal</A></DT>
-<DD>Several people on our mailing list report a preference for this over
- tcpdump.</DD>
-<DT><A href="http://netgroup-serv.polito.it/windump/">windump</A></DT>
-<DD>a Windows version of tcpdump(8), possibly handy if you have Windows
- boxes in your network</DD>
-<DT><A href="http://reptile.rug.ac.be/~coder/sniffit/sniffit.html">
-Sniffit</A></DT>
-<DD>A linux sniffer that we don't know much about. If you use it, please
- comment on our mailing list.</DD>
-</DL>
-<P>See also this<A href="http://www.tlsecurity.net/unix/ids/sniffer/">
- index</A> of packet sniffers.</P>
-<P>tcpdump(8) may misbehave if run on the gateways themselves. It is
- designed to look into a normal IP stack and may become confused if you
- ask it to display data from a stack which has IPsec in play.</P>
-<P>At one point, the problem was quite severe. Recent versions of
- tcpdump, however, understand IPsec well enough to be usable on a
- gateway. You can get the latest version from<A href="http://www.tcpdump.org/">
- tcpdump.org</A>.</P>
-<P>Even with a recent tcpdump, some care is required. Here is part of a
- post from Henry on the topic:</P>
-<PRE>&gt; a) data from sunset to sunrise or the other way is not being
-&gt; encrypted (I am using tcpdump (ver. 3.4) -x/ping -p to check
-&gt; packages) 
-
-What *interface* is tcpdump being applied to?  Use the -i option to
-control this.  It matters!  If tcpdump is looking at the ipsecN
-interfaces, e.g. ipsec0, then it is seeing the packets before they are
-encrypted or after they are decrypted, so of course they don't look
-encrypted.  You want to have tcpdump looking at the actual hardware
-interfaces, e.g. eth0. 
-
-Actually, the only way to be *sure* what you are sending on the wire is to
-have a separate machine eavesdropping on the traffic.  Nothing you can do
-on the machines actually running IPsec is 100% guaranteed reliable in this
-area (although tcpdump is a lot better now than it used to be).</PRE>
-<P>The most certain way to examine IPsec packets is to look at them on
- the wire. For security, you need to be certain, so we recommend doing
- that. To do so, you need a<STRONG> separate sniffer machine located
- between the two gateways</STRONG>. This machine can be routing IPsec
- packets, but it must not be an IPsec gateway. Network configuration for
- such testing is discussed<A href="#testnet"> above</A>.</P>
-<P>Here's another mailing list message with advice on using tcpdump(8):</P>
-<PRE>Subject: RE: [Users] Encrypted???
-   Date: Thu, 29 Nov 2001
-   From: &quot;Joe Patterson&quot; &lt;jpatterson@asgardgroup.com&gt;
-
-tcpdump -nl -i $EXT-IF proto 50
-
--nl tells it not to buffer output or resolve names (if you don't do that it
-may confuse you by not outputing anything for a while), -i $EXT-IF (replace
-with your external interface) tells it what interface to listen on, and
-proto 50 is ESP.  Use &quot;proto 51&quot; if for some odd reason you're using AH, and
-&quot;udp port 500&quot; if you want to see the isakmp key exchange/tunnel setup
-packets.
-
-You can also run `tcpdump -nl -i ipsec0` to see what traffic is on that
-virtual interface.  Anything you see there *should* be either encrypted or
-dropped (unless you've turned on some strange options in your ipsec.conf
-file)
-
-Another very handy thing is ethereal (http://www.ethereal.com/) which runs
-on just about anything, has a nice gui interface (or a nice text-based
-interface), and does a great job of protocol  breakdown.  For ESP and AH
-it'll basically just tell you that there's a packet of that protocol, and
-what the spi is, but for isakmp it'll actually show you a lot of the tunnel
-setup information (until it gets to the point in the protocol where isakmp
-is encrypted....)</PRE>
-<H2><A name="verify.crypt">Verifying encryption</A></H2>
-<P>The question of how to verify that messages are actually encrypted
- has been extensively discussed on the mailing list. See this<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00262.html">
- thread</A>.</P>
-<P>If you just want to verify that packets are encrypted, look at them
- with a packet sniffer (see<A href="#tcpdump.test"> previous section</A>
-) located between the gateways. The packets should, except for some of
- the header information, be utterly unintelligible.<STRONG> The output
- of good encryption looks<EM> exactly</EM> like random noise</STRONG>.</P>
-<P>A packet sniffer can only tell you that the data you looked at was
- encrypted. If you have stronger requirements -- for example if your
- security policy requires verification that plaintext is not leaked
- during startup or under various anomolous conditions -- then you will
- need to devise much more thorough tests. If you do that, please post
- any results or methodological details which your security policy allows
- you to make public.</P>
-<P>You can put recognizable data into ping packets with something like:</P>
-<PRE>        ping -p feedfacedeadbeef 11.0.1.1</PRE>
-<P>&quot;feedfacedeadbeef&quot; is a legal hexadecimal pattern that is easy to
- pick out of hex dumps.</P>
-<P>For other protocols, you may need to check if you have encrypted data
- or ASCII text. Encrypted data has approximately equal frequencies for
- all 256 possible characters. ASCII text has most characters in the
- printable range 0x20-0x7f, a few control characters less than 0x20, and
- none at all in the range 0x80-0xff. 0x20, space, is a good character to
- look for. In normal English text space occurs about once in seven
- characters, versus about once in 256 for random or encrypted data.</P>
-<P>One thing to watch for: the output of good compression, like that of
- good encryption, looks just like random noise. You cannot tell just by
- looking at a data stream whether it has been compressed, encrypted, or
- both. You need a little care not to mistake compressed data for
- encrypted data in your testing.</P>
-<P>Note also that weak encryption also produces random-looking output.
- You cannot tell whether the encryption is strong by looking at the
- output. To be sure of that, you would need to have both the algorithms
- and the implementation examined by experts.</P>
-<P>For IPsec, you can get partial assurance from interoperability tests.
- See our<A href="interop.html"> interop</A> document. When twenty
- products all claim to implement<A href="#3DES"> 3DES</A>, and they all
- talk to each other, you can be fairly sure they have it right. Of
- course, you might wonder whether all the implementers are consipring to
- trick you or, more plausibly, whether some implementations might have
- &quot;back doors&quot; so they can get also it wrong when required.. If you're
- seriously worried about things like that, you need to get the code you
- use audited (good luck if it is not Open Source), or perhaps to talk to
- a psychiatrist about treatments for paranoia.</P>
-<H2><A name="mail.test">Mailing list pointers</A></H2>
-<P>Additional information on testing can be found in these<A href="mail.html">
- mailing list</A> messages:</P>
-<UL>
-<LI>a user's detailed<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00571.html">
- setup diary</A> for his testbed network</LI>
-<LI>a FreeS/WAN team member's<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00425.html">
- notes</A> from testing at an IPsec interop &quot;bakeoff&quot;</LI>
-</UL>
-<HR>
-<H1><A name="kernelconfig">Kernel configuration for FreeS/WAN</A></H1>
-<P> This section lists many of the options available when configuring a
- Linux kernel, and explains how they should be set on a FreeS/WAN IPsec
- gateway.</P>
-<H2><A name="notall">Not everyone needs to worry about kernel
- configuration</A></H2>
-<P>Note that in many cases you do not need to mess with these.</P>
-<P> You may have a Linux distribution which comes with FreeS/WAN
- installed (see this<A href="#products"> list</A>). In that case, you
- need not do a FreeS/WAN installation or a kernel configuration. Of
- course, you might still want to configure and rebuild your kernel to
- improve performance or security. This can be done with standard tools
- described in the<A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
- Kernel HowTo</A>.</P>
-<P>If you need to install FreeS/WAN, then you do need to configure a
- kernel. However, you may choose to do that using the simplest
- procedure:</P>
-<UL>
-<LI>Configure, build and test a kernel for your system before adding
- FreeS/WAN. See the<A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
- Kernel HowTo</A> for details.<STRONG> This step cannot be skipped</STRONG>
-. FreeS/WAN needs the results of your configuration.</LI>
-<LI>Then use FreeS/WAN's<VAR> make oldgo</VAR> command. This sets
- everything FreeS/WAN needs and retains your values everywhere else.</LI>
-</UL>
-<P> This document is for those who choose to configure their FreeS/WAN
- kernel themselves.</P>
-<H2><A name="assume">Assumptions and notation</A></H2>
-<P> Help text for most kernel options is included with the kernel files,
- and is accessible from within the configuration utilities. We assume
- you will refer to that, and to the<A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
- Kernel HowTo</A>, as necessary. This document covers only the
- FreeS/WAN-specific aspects of the problem.</P>
-<P> To avoid duplication, this document section does not cover settings
- for the additional IPsec-related kernel options which become available
- after you have patched your kernel with FreeS/WAN patches. There is
- help text for those available from within the configuration utility.</P>
-<P> We assume a common configuration in which the FreeS/WAN IPsec
- gateway is also doing ipchains(8) firewalling for a local network, and
- possibly masquerading as well.</P>
-<P> Some suggestions below are labelled as appropriate for &quot;a true
- paranoid&quot;. By this we mean they may cause inconvenience and it is not
- entirely clear they are necessary, but they appear to be the safest
- choice. Not using them might entail some risk. Of course one suggested
- mantra for security administrators is: &quot;I know I'm paranoid. I wonder
- if I'm paranoid enough.&quot;</P>
-<H3><A name="labels">Labels used</A></H3>
-<P> Six labels are used to indicate how options should be set. We mark
- the labels with [square brackets]. For two of these labels, you have no
- choice:</P>
-<DL>
-<DT>[required]</DT>
-<DD>essential for FreeS/WAN operation.</DD>
-<DT>[incompatible]</DT>
-<DD>incompatible with FreeS/WAN.</DD>
-</DL>
-<P>those must be set correctly or FreeS/WAN will not work</P>
-<P>FreeS/WAN should work with any settings of the others, though of
- course not all combinations have been tested. We do label these in
- various ways, but<EM> these labels are only suggestions</EM>.</P>
-<DL>
-<DT>[recommended]</DT>
-<DD>useful on most FreeS/WAN gateways</DD>
-<DT>[disable]</DT>
-<DD>an unwelcome complication on a FreeS/WAN gateway.</DD>
-<DT>[optional]</DT>
-<DD>Your choice. We outline issues you might consider.</DD>
-<DT>[anything]</DT>
-<DD>This option has no direct effect on FreeS/WAN and related tools, so
- you should be able to set it as you please.</DD>
-</DL>
-<P> Of course complexity is an enemy in any effort to build secure
- systems.<STRONG> For maximum security, any feature that can reasonably
- be turned off should be</STRONG>. &quot;If in doubt, leave it out.&quot;</P>
-<H2><A name="kernelopt">Kernel options for FreeS/WAN</A></H2>
-<P> Indentation is based on the nesting shown by 'make menuconfig' with
- a 2.2.16 kernel for the i386 architecture.</P>
-<DL>
-<DT><A name="maturity">Code maturity and level options</A></DT>
-<DD>
-<DL>
-<DT><A name="devel">Prompt for development ... code/drivers</A></DT>
-<DD>[optional] If this is<VAR> no</VAR>, experimental drivers are not
- shown in later menus.
-<P>For most FreeS/WAN work,<VAR> no</VAR> is the preferred setting.
- Using new or untested components is too risky for a security gateway.</P>
-<P>However, for some hardware (such as the author's network cards) the
- only drivers available are marked<VAR> new/experimental</VAR>. In such
- cases, you must enable this option or your cards will not appear under
- &quot;network device support&quot;. A true paranoid would leave this option off
- and replace the cards.</P>
-</DD>
-<DT>Processor type and features</DT>
-<DD>[anything]</DD>
-<DT>Loadable module support</DT>
-<DD>
-<DL>
-<DT>Enable loadable module support</DT>
-<DD>[optional] A true paranoid would disable this. An attacker who has
- root access to your machine can fairly easily install a bogus module
- that does awful things, provided modules are enabled. A common tool for
- attackers is a &quot;rootkit&quot;, a set of tools the attacker uses once he or
- she has become root on your system. The kit introduces assorted
- additional compromises so that the attacker will continue to &quot;own&quot; your
- system despite most things you might do to recovery the situation. For
- Linux, there is a tool called<A href="http://www.sans.org/newlook/resources/IDFAQ/knark.htm">
- knark</A> which is basically a rootkit packaged as a kernel module.
-<P>With modules disabled, an attacker cannot install a bogus module. The
- only way he can achieve the same effects is to install a new kernel and
- reboot. This is considerably more likely to be noticed.</P>
-<P>Many FreeS/WAN gateways run with modules enabled. This simplifies
- some administrative tasks and some ipchains features are available only
- as modules. Once an enemy has root on your machine your security is
- nil, so arguably defenses which come into play only in that situation
- are pointless.</P>
-<P></P>
-</DD>
-<DT>Set version information ....</DT>
-<DD>[optional] This provides a check to prevent loading modules compiled
- for a different kernel.</DD>
-<DT>Kernel module loader</DT>
-<DD>[disable] It gives little benefit on a typical FreeS/WAN gate and
- entails some risk.</DD>
-</DL>
-</DD>
-<DT>General setup</DT>
-<DD>We list here only the options that matter for FreeS/WAN.
-<DL>
-<DT>Networking support</DT>
-<DD>[required]</DD>
-<DT>Sysctl interface</DT>
-<DD>[optional] If this option is turned on and the<VAR> /proc</VAR>
- filesystem installed, then you can control various system behaviours by
- writing to files under<VAR> /proc/sys</VAR>. For example:
-<PRE>        echo 1 &gt; /proc/sys/net/ipv4/ipforward</PRE>
- turns IP forwarding on.
-<P>Disabling this option breaks many firewall scripts. A true paranoid
- would disable it anyway since it might conceivably be of use to an
- attacker.</P>
-</DD>
-</DL>
-</DD>
-<DT>Plug and Play support</DT>
-<DD>[anything]</DD>
-<DT>Block devices</DT>
-<DD>[anything]</DD>
-<DT>Networking options</DT>
-<DD>
-<DL>
-<DT>Packet socket</DT>
-<DD>[optional] This kernel feature supports tools such as tcpdump(8)
- which communicate directly with network hardware, bypassing kernel
- protocols. This is very much a two-edged sword:
-<UL>
-<LI>such tools can be very useful to the firewall admin, especially
- during initial testing</LI>
-<LI>should an evildoer breach your firewall, such tools could give him
- or her a great deal of information about the rest of your network</LI>
-</UL>
- We recommend disabling this option on production gateways.</DD>
-<DT><A name="netlink">Kernel/User netlink socket</A></DT>
-<DD>[optional] Required if you want to use<A href="#adv"> advanced
- router</A> features.</DD>
-<DT>Routing messages</DT>
-<DD>[optional]</DD>
-<DT>Netlink device emulation</DT>
-<DD>[optional]</DD>
-<DT>Network firewalls</DT>
-<DD>[recommended] You need this if the IPsec gateway also functions as a
- firewall.
-<P>Even if the IPsec gateway is not your primary firewall, we suggest
- setting this so that you can protect the gateway with at least basic
- local packet filters.</P>
-</DD>
-<DT>Socket filtering</DT>
-<DD>[disable] This enables an older filtering interface. We suggest
- using ipchains(8) instead. To do that, set the &quot;Network firewalls&quot;
- option just above, and not this one.</DD>
-<DT>Unix domain sockets</DT>
-<DD>[required] These sockets are used for communication between the<A href="manpage.d/ipsec.8.html">
- ipsec(8)</A> commands and the<A href="manpage.d/ipsec_pluto.8.html">
- ipsec_pluto(8)</A> daemon.</DD>
-<DT>TCP/IP networking</DT>
-<DD>[required]
-<DL>
-<DT>IP: multicasting</DT>
-<DD>[anything]</DD>
-<DT><A name="adv">IP: advanced router</A></DT>
-<DD>[optional] This gives you policy routing, which some people have
- used to good advantage in their scripts for FreeS/WAN gateway
- management. It is not used in our distributed scripts, so not required
- unless you want it for custom scripts. It requires the<A href="#netlink">
- netlink</A> interface between kernel code and the iproute2(8) command.</DD>
-<DT>IP: kernel level autoconfiguration</DT>
-<DD>[disable] It gives little benefit on a typical FreeS/WAN gate and
- entails some risk.</DD>
-<DT>IP: firewall packet netlink device</DT>
-<DD>[disable]</DD>
-<DT>IP: transparent proxy support</DT>
-<DD>[optional] This is required in some firewall configurations, but
- should be disabled unless you have a definite need for it.</DD>
-<DT>IP: masquerading</DT>
-<DD>[optional] Required if you want to use<A href="#non-routable">
- non-routable</A> private IP addresses for your local network.</DD>
-<DT>IP: Optimize as router not host</DT>
-<DD>[recommended]</DD>
-<DT>IP: tunneling</DT>
-<DD>[required]</DD>
-<DT>IP: GRE tunnels over IP</DT>
-<DD>[anything]</DD>
-<DT>IP: aliasing support</DT>
-<DD>[anything]</DD>
-<DT>IP: ARP daemon support (EXPERIMENTAL)</DT>
-<DD>Not required on most systems, but might prove useful on
- heavily-loaded gateways.</DD>
-<DT>IP: TCP syncookie support</DT>
-<DD>[recommended] It provides a defense against a<A href="#DOS"> denial
- of service attack</A> which uses bogus TCP connection requests to waste
- resources on the victim machine.</DD>
-<DT>IP: Reverse ARP</DT>
-<DD></DD>
-<DT>IP: large window support</DT>
-<DD>[recommended] unless you have less than 16 meg RAM</DD>
-</DL>
-</DD>
-<DT>IPv6</DT>
-<DD>[optional] FreeS/WAN does not currently support IPv6, though work on
- integrating FreeS/WAN with the Linux IPv6 stack has begun.<A href="#ipv6">
- Details</A>.
-<P> It should be possible to use IPv4 FreeS/WAN on a machine which also
- does IPv6. This combination is not yet well tested. We would be quite
- interested in hearing results from anyone expermenting with it, via the<A
-href="mail.html"> mailing list</A>.</P>
-<P> We do not recommend using IPv6 on production FreeS/WAN gateways
- until more testing has been done.</P>
-</DD>
-<DT>Novell IPX</DT>
-<DD>[disable]</DD>
-<DT>Appletalk</DT>
-<DD>[disable] Quite a few Linux installations use IP but also have some
- other protocol, such as Appletalk or IPX, for communication with local
- desktop machines. In theory it should be possible to configure IPsec
- for the IP side of things without interfering with the second protocol.
-<P>We do not recommend this. Keep the software on your gateway as simple
- as possible. If you need a Linux-based Appletalk or IPX server, use a
- separate machine.</P>
-</DD>
-</DL>
-</DD>
-<DT>Telephony support</DT>
-<DD>[anything]</DD>
-<DT>SCSI support</DT>
-<DD>[anything]</DD>
-<DT>I2O device support</DT>
-<DD>[anything]</DD>
-<DT>Network device support</DT>
-<DD>[anything] should work, but there are some points to note.
-<P>The development team test almost entirely on 10 or 100 megabit
- Ethernet and modems. In principle, any device that can do IP should be
- just fine for IPsec, but in the real world any device that has not been
- well-tested is somewhat risky. By all means try it, but don't bet your
- project on it until you have solid test results.</P>
-<P>If you disabled experimental drivers in the<A href="#maturity"> Code
- maturity</A> section above, then those drivers will not be shown here.
- Check that option before going off to hunt for missing drivers.</P>
-<P>If you want Linux to automatically find more than one ethernet
- interface at boot time, you need to:</P>
-<UL>
-<LI>compile the appropriate driver(s) into your kernel. Modules will not
- work for this</LI>
-<LI>add a line such as
-<PRE>
-   append=&quot;ether=0,0,eth0 ether=0,0,eth1&quot;
-</PRE>
- to your /etc/lilo.conf file. In some cases you may need to specify
- parameters such as IRQ or base address. The example uses &quot;0,0&quot; for
- these, which tells the system to search. If the search does not succeed
- on your hardware, then you should retry with explicit parameters. See
- the lilo.conf(5) man page for details.</LI>
-<LI>run lilo(8)</LI>
-</UL>
- Having Linux find the cards this way is not necessary, but is usually
- more convenient than loading modules in your boot scripts.</DD>
-<DT>Amateur radio support</DT>
-<DD>[anything]</DD>
-<DT>IrDA (infrared) support</DT>
-<DD>[anything]</DD>
-<DT>ISDN subsystem</DT>
-<DD>[anything]</DD>
-<DT>Old CDROM drivers</DT>
-<DD>[anything]</DD>
-<DT>Character devices</DT>
-<DD>The only required character device is:
-<DL>
-<DT>random(4)</DT>
-<DD>[required] This is a source of<A href="#random"> random</A> numbers
- which are required for many cryptographic protocols, including several
- used in IPsec.
-<P>If you are comfortable with C source code, it is likely a good idea
- to go in and adjust the<VAR> #define</VAR> lines in<VAR>
- /usr/src/linux/drivers/char/random.c</VAR> to ensure that all sources
- of randomness are enabled. Relying solely on keyboard and mouse
- randomness is dubious procedure for a gateway machine. You could also
- increase the randomness pool size from the default 512 bytes (128
- 32-bit words).</P>
-</DD>
-</DL>
-</DD>
-<DT>Filesystems</DT>
-<DD>[anything] should work, but we suggest limiting a gateway machine to
- the standard Linux ext2 filesystem in most cases.</DD>
-<DT>Network filesystems</DT>
-<DD>[disable] These systems are an unnecessary risk on an IPsec gateway.</DD>
-<DT>Console drivers</DT>
-<DD>[anything]</DD>
-<DT>Sound</DT>
-<DD>[anything] should work, but we suggest enabling sound only if you
- plan to use audible alarms for firewall problems.</DD>
-<DT>Kernel hacking</DT>
-<DD>[disable] This might be enabled on test machines, but should not be
- on production gateways.</DD>
-</DL>
-</DD>
-</DL>
-<HR>
-<H1><A name="adv_config">Other configuration possibilities</A></H1>
-<P>This document describes various options for FreeS/WAN configuration
- which are less used or more complex (often both) than the standard
- cases described in our<A href="#config"> config</A> and<A href="#quick_guide">
- quickstart</A> documents.</P>
-<H2><A name="thumb">Some rules of thumb about configuration</A></H2>
-<H3><A name="cheap.tunnel">Tunnels are cheap</A></H3>
-<P>Nearly all of the overhead in IPsec processing is in the encryption
- and authentication of packets. Our<A href="performance.html">
- performance</A> document discusses these overheads.</P>
-<P>Beside those overheads, the cost of managing additional tunnels is
- trivial. Whether your gateway supports one tunnel or ten just does not
- matter. A hundred might be a problem; there is a<A href="#biggate">
- section</A> on this in the performance document.</P>
-<P>So, in nearly all cases, if using multiple tunnels gives you a
- reasonable way to describe what you need to do, you should describe it
- that way in your configuration files.</P>
-<P>For example, one user recently asked on a mailing list about this
- network configuration:</P>
-<PRE>        netA---gwA---gwB---netB
-                            |----netC
-
-   netA and B are secured netC not.
-   netA and gwA can not access netC</PRE>
-<P>The user had constructed only one tunnel, netA to netB, and wanted to
- know how to use ip-route to get netC packets into it. This is entirely
- unnecessary. One of the replies was:</P>
-<PRE>  The simplest way and indeed the right way to
-  solve this problem is to set up two connections:
-
-        leftsubnet=NetA
-        left=gwA
-        right=gwB
-        rightsubnet=NetB
-  and
-        leftsubnet=NetA
-        left=gwA
-        right=gwB
-        rightsubnet=NetC</PRE>
-<P>This would still be correct even if we added nets D, E, F, ... to the
- above diagram and needed twenty tunnels.</P>
-<P>Of course another possibility would be to just use one tunnel, with a
- subnet mask that includes both netB and netC (or B, C, D, ...). See
- next section.</P>
-<P>In general, you can construct as many tunnels as you need. Networks
- like netC in this example that do not connect directly to the gateway
- are fine, as long as the gateway can route to them.</P>
-<P>The number of tunnels can become an issue if it reaches 50 or so.
- This is discussed in the<A href="#biggate"> performance</A> document.
- Look there for information on supporting hundreds of Road Warriors from
- one gateway.</P>
-<P>If you find yourself with too many tunnels for some reason like
- having eight subnets at one location and nine at another so you end up
- with 9*8=72 tunnels, read the next section here.</P>
-<H3><A name="subnet.size">Subnet sizes</A></H3>
-<P>The subnets used in<VAR> leftsubnet</VAR> and<VAR> rightsubnet</VAR>
- can be of any size that fits your needs, and they need not correspond
- to physical networks.</P>
-<P>You adjust the size by changing the<A href="#subnet"> subnet mask</A>
-, the number after the slash in the subnet description. For example</P>
-<UL>
-<LI>in 192.168.100.0/24 the /24 mask says 24 bits are used to designate
- the network. This leave 8 bits to label machines. This subnet has 256
- addresses. .0 and .255 are reserved, so it can have 254 machines.</LI>
-<LI>A subnet with a /23 mask would be twice as large, 512 addresses.</LI>
-<LI>A subnet with a /25 mask would be half the size, 128 addresses.</LI>
-<LI>/0 is the whole Internet</LI>
-<LI>/32 is a single machine</LI>
-</UL>
-<P>As an example of using these in connection descriptions, suppose your
- company's head office has four physical networks using the address
- ranges:</P>
-<DL>
-<DT>192.168.100.0/24</DT>
-<DD>development</DD>
-<DT>192.168.101.0/24</DT>
-<DD>production</DD>
-<DT>192.168.102.0/24</DT>
-<DD>marketing</DD>
-<DT>192.168.103.0/24</DT>
-<DD>administration</DD>
-</DL>
-<P>You can use exactly those subnets in your connection descriptions, or
- use larger subnets to grant broad access if required:</P>
-<DL>
-<DT>leftsubnet=192.168.100.0/24</DT>
-<DD>remote hosts can access only development</DD>
-<DT>leftsubnet=192.168.100.0/23</DT>
-<DD>remote hosts can access development or production</DD>
-<DT>leftsubnet=192.168.102.0/23</DT>
-<DD>remote hosts can access marketing or administration</DD>
-<DT>leftsubnet=192.168.100.0/22</DT>
-<DD>remote hosts can access any of the four departments</DD>
-</DL>
-<P>or use smaller subnets to restrict access:</P>
-<DL>
-<DT>leftsubnet=192.168.103.0/24</DT>
-<DD>remote hosts can access any machine in administration</DD>
-<DT>leftsubnet=192.168.103.64/28</DT>
-<DD>remote hosts can access only certain machines in administration.</DD>
-<DT>leftsubnet=192.168.103.42/32</DT>
-<DD>remote hosts can access only one particular machine in
- administration</DD>
-</DL>
-<P>To be exact, 192.68.103.64/28 means all addresses whose top 28 bits
- match 192.168.103.64. There are 16 of these because there are 16
- possibilities for the remainingg 4 bits. Their addresses are
- 192.168.103.64 to 192.168.103.79.</P>
-<P>Each connection description can use a different subnet if required.</P>
-<P>It is possible to use all the examples above on the same FreeS/WAN
- gateway, each in a different connection description, perhaps for
- different classes of user or for different remote offices.</P>
-<P>It is also possible to have multiple tunnels using different<VAR>
- leftsubnet</VAR> descriptions with the same<VAR> right</VAR>. For
- example, when the marketing manager is on the road he or she might have
- access to:</P>
-<DL>
-<DT>leftsubnet=192.168.102.0/24</DT>
-<DD>all machines in marketing</DD>
-<DT>192.168.101.32/29</DT>
-<DD>some machines in production</DD>
-<DT>leftsubnet=192.168.103.42/32</DT>
-<DD>one particular machine in administration</DD>
-</DL>
-<P>This takes three tunnels, but tunnels are cheap. If the laptop is set
- up to build all three tunnels automatically, then he or she can access
- all these machines concurrently, perhaps from different windows.</P>
-<H3><A name="example.more">Other network layouts</A></H3>
-<P>Here is the usual network picture for a site-to-site VPN::</P>
-<PRE>     Sunset==========West------------------East=========Sunrise
-           local net       untrusted net       local net</PRE>
-<P>and for the Road Warrior::</P>
-<PRE>                                           telecommuter's PC or
-                                           traveller's laptop
-     Sunset==========West------------------East
-         corporate LAN     untrusted net</PRE>
-<P>Other configurations are also possible.</P>
-<H4><A name="internet.subnet">The Internet as a big subnet</A></H4>
-<P>A telecommuter might have:</P>
-<PRE>     Sunset==========West------------------East ================= firewall --- the Internet
-         home network      untrusted net        corporate network</PRE>
-<P>This can be described as a special case of the general
- subnet-to-subnet connection. The subnet on the right is 0.0.0.0/0, the
- whole Internet.</P>
-<P>West (the home gateway) can have its firewall rules set up so that
- only IPsec packets to East are allowed out. It will then behave as if
- its only connection to the world was a wire to East.</P>
-<P>When machines on the home network need to reach the Internet, they do
- so via the tunnel, East and the corporate firewall. From the viewpoint
- of the Internet (perhaps of some EvilDoer trying to break in!), those
- home office machines are behind the firewall and protected by it.</P>
-<H4><A name="wireless.config">Wireless</A></H4>
-<P>Another possible configuration comes up when you do not trust the
- local network, either because you have very high security standards or
- because your are using easily-intercepted wireless signals.</P>
-<P>Some wireless networks have built-in encryption called<A href="#WEP">
- WEP</A>, but its security is dubious. It is a fairly common practice to
- use IPsec instead.</P>
-<P>In this case, part of your network may look like this:</P>
-<PRE>          West-----------------------------East == the rest of your network
-     workstation   untrusted wireless net</PRE>
-<P>Of course, there would likely be several wireless workstations, each
- with its own IPsec tunnel to the East gateway.</P>
-<P>The connection descriptions look much like Road Warrior descriptions:</P>
-<UL>
-<LI>each workstation should have its own unique
-<UL>
-<LI>identifier for IPsec</LI>
-<LI>RSA key</LI>
-<LI>connection description.</LI>
-</UL>
-</LI>
-<LI>on the gateway, use<VAR> left=%any</VAR>, or the workstation IP
- address</LI>
-<LI>on workstations,<VAR> left=%defaultroute</VAR>, or the workstation
- IP address</LI>
-<LI><VAR>leftsubnet=</VAR> is not used.</LI>
-</UL>
-<P>The<VAR> rightsubnet=</VAR> parameter might be set in any of several
- ways:</P>
-<DL>
-<DT>rightsubnet=0.0.0.0/0</DT>
-<DD>allowing workstations to access the entire Internet (see<A href="#internet.subnet">
- above</A>)</DD>
-<DT>rightsubnet=a.b.c.0/24</DT>
-<DD>allowing access to your entire local network</DD>
-<DT>rightsubnet=a.b.c.d/32</DT>
-<DD>restricting the workstation to connecting to a particular server</DD>
-</DL>
-<P>Of course you can mix and match these as required. For example, a
- university might allow faculty full Internet access while letting
- student laptops connect only to a group of lab machines.</P>
-<H2><A name="choose">Choosing connection types</A></H2>
-<P>One choice you need to make before configuring additional connections
- is what type or types of connections you will use. There are several
- options, and you can use more than one concurrently.</P>
-<H3><A name="man-auto">Manual vs. automatic keying</A></H3>
-<P>IPsec allows two types of connections, with manual or automatic
- keying. FreeS/WAN starts them with commands such as:</P>
-<PRE>        ipsec manual --up <VAR>name</VAR>
-        ipsec auto --up <VAR>name</VAR></PRE>
-<P>The difference is in how they are keyed.</P>
-<DL>
-<DT><A href="#manual">Manually keyed</A> connections</DT>
-<DD>use keys stored in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf</A>
-.</DD>
-<DT><A href="#auto">Automatically keyed</A> connections</DT>
-<DD>use keys automatically generated by the Pluto key negotiation
- daemon. The key negotiation protocol,<A href="#IKE"> IKE</A>, must
- authenticate the other system. (It is vulnerable to a<A href="#middle">
- man-in-the-middle attack</A> if used without authentication.) We
- currently support two authentication methods:
-<UL>
-<LI>using shared secrets stored in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets</A>.</LI>
-<LI>RSA<A href="#public"> public key</A> authentication, with our
- machine's private key in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets</A>. Public keys for other machines may either be placed
- in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf</A> or provided via
- DNS.</LI>
-</UL>
-<P>A third method, using RSA keys embedded in<A href="#X509"> X.509</A>
- certtificates, is provided by user<A href="#patch"> patches</A>.</P>
-</DD>
-</DL>
-<P><A href="#manual">Manually keyed</A> connections provide weaker
- security than<A href="#auto"> automatically keyed</A> connections. An
- opponent who reads ipsec.secrets(5) gets your encryption key and can
- read all data encrypted by it. If he or she has an archive of old
- messages, all of them back to your last key change are also readable.</P>
-<P>With automatically-(re)-keyed connections, an opponent who reads
- ipsec.secrets(5) gets the key used to authenticate your system in IKE
- -- the shared secret or your private key, depending what authentication
- mechanism is in use. However, he or she does not automatically gain
- access to any encryption keys or any data.</P>
-<P>An attacker who has your authentication key can mount a<A href="#middle">
- man-in-the-middle attack</A> and, if that succeeds, he or she will get
- encryption keys and data. This is a serious danger, but it is better
- than having the attacker read everyting as soon as he or she breaks
- into ipsec.secrets(5).. Moreover, the keys change often so an opponent
- who gets one key does not get a large amount of data. To read all your
- data, he or she would have to do a man-in-the-middle attack at every
- key change.</P>
-<P>We discuss using<A href="#prodman"> manual keying in production</A>
- below, but this is<STRONG> not recommended</STRONG> except in special
- circumstances, such as needing to communicate with some implementation
- that offers no auto-keyed mode compatible with FreeS/WAN.</P>
-<P>Manual keying may also be useful for testing. There is some
- discussion of this in our<A href="#man4debug"> FAQ</A>.</P>
-<H3><A name="auto-auth">Authentication methods for auto-keying</A></H3>
-<P>The IKE protocol which Pluto uses to negotiate connections between
- gateways must use some form of authentication of peers. A gateway must
- know who it is talking to before it can create a secure connection. We
- support two basic methods for this authentication:</P>
-<UL>
-<LI>shared secrets, stored in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A></LI>
-<LI>RSA authentication</LI>
-</UL>
-<P>There are, howver, several variations on the RSA theme, using
- different methods of managing the RSA keys:</P>
-<UL>
-<LI>our RSA private key in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A> with other gateways' public keys
-<DL>
-<DT>either</DT>
-<DD>stored in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A></DD>
-<DT>or</DT>
-<DD>looked up via<A href="#DNS"> DNS</A></DD>
-</DL>
-</LI>
-<LI>authentication with<A href="#X509"> x.509</A> certificates.; See our<A
-href="#patch"> links section</A> for information on user-contributed
- patches for this.:</LI>
-</UL>
-<P>Public keys in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5</A>
-) give a reasonably straightforward method of specifying keys for
- explicitly configured connections.</P>
-<P>Putting public keys in DNS allows us to support<A href="#carpediem">
- opportunistic encryption</A>. Any two FreeS/WAN gateways can provide
- secure communication, without either of them having any preset
- information about the other.</P>
-<P>X.509 certificates may be required to interface to various<A href="#PKI">
- PKI</A>s.</P>
-<H3><A name="adv-pk">Advantages of public key methods</A></H3>
-<P>Authentication with a<A href="#public"> public key</A> method such as<A
-href="#RSA"> RSA</A> has some important advantages over using shared
- secrets.</P>
-<UL>
-<LI>no problem of secure transmission of secrets
-<UL>
-<LI>A shared secret must be shared, so you have the problem of
- transmitting it securely to the other party. If you get this wrong, you
- have no security.</LI>
-<LI>With a public key technique, you transmit only your public key. The
- system is designed to ensure that it does not matter if an enemy
- obtains public keys. The private key never leaves your machine.</LI>
-</UL>
-</LI>
-<LI>easier management
-<UL>
-<LI>Suppose you have 20 branch offices all connecting to one gateway at
- head office, and all using shared secrets. Then the head office admin
- has 20 secrets to manage. Each of them must be kept secret not only
- from outsiders, but also from 19 of the branch office admins. The
- branch office admins have only one secret each to manage.
-<P>If the branch offices need to talk to each other, this becomes
- problematic. You need another 20*19/2 = 190 secrets for
- branch-to-branch communication, each known to exactly two branches. Now
- all the branch admins have the headache of handling 20 keys, each
- shared with exactly one other branch or with head office.</P>
-<P>For larger numbers of branches, the number of connections and secrets
- increases quadratically and managing them becomes a nightmare. A
- 1000-gateway fully connected network needs 499,500 secrets, each known
- to exactly two players. There are ways to reduce this problem, for
- example by introducing a central key server, but these involve
- additional communication overheads, more administrative work, and new
- threats that must be carefully guarded against.</P>
-</LI>
-<LI>With public key techniques, the<EM> only</EM> thing you have to keep
- secret is your private key, and<EM> you keep that secret from everyone</EM>
-.
-<P>As network size increaes, the number of public keys used increases
- linearly with the number of nodes. This still requires careful
- administration in large applications, but is nothing like the disaster
- of a quadratic increase. On a 1000-gateway network, you have 1000
- private keys, each of which must be kept secure on one machine, and
- 1000 public keys which must be distributed. This is not a trivial
- problem, but it is manageable.</P>
-</LI>
-</UL>
-</LI>
-<LI>does not require fixed IP addresses
-<UL>
-<LI>When shared secrets are used in IPsec, the responder must be able to
- tell which secret to use by looking at the IP address on the incoming
- packets. When the other parties do not have a fixed IP address to be
- identified by (for example, on nearly all dialup ISP connections and
- many cable or ADSL links), this does not work well -- all must share
- the same secret!</LI>
-<LI>When RSA authentication is in use, the initiator can identify itself
- by name before the key must be determined. The responder then checks
- that the message is signed with the public key corresponding to that
- name.</LI>
-</UL>
-</LI>
-</UL>
-<P>There is also a disadvantage:</P>
-<UL>
-<LI>your private key is a single point of attack, extremely valuable to
- an enemy
-<UL>
-<LI>with shared secrets, an attacker who steals your ipsec.secrets file
- can impersonate you or try<A href="#middle"> man-in-the-middle</A>
- attacks, but can only attack connections described in that file</LI>
-<LI>an attacker who steals your private key gains the chance to attack
- not only existing connections<EM> but also any future connections</EM>
- created using that key</LI>
-</UL>
-</LI>
-</UL>
-<P>This is partly counterbalanced by the fact that the key is never
- transmitted and remains under your control at all times. It is likely
- necessary, however, to take account of this in setting security policy.
- For example, you should change gateway keys when an administrator
- leaves the company, and should change them periodically in any case.</P>
-<P>Overall, public key methods are<STRONG> more secure, more easily
- managed and more flexible</STRONG>. We recommend that they be used for
- all connections, unless there is a compelling reason to do otherwise.</P>
-<H2><A name="prodsecrets">Using shared secrets in production</A></H2>
-<P>Generally, public key methods are preferred for reasons given above,
- but shared secrets can be used with no loss of security, just more work
- and perhaps more need to take precautions.</P>
-<P>What I call &quot;shared secrets&quot; are sometimes also called &quot;pre-shared
- keys&quot;. They are used only for for authentication, never for encryption.
- Calling them &quot;pre-shared keys&quot; has confused some users into thinking
- they were encryption keys, so I prefer to avoid the term..</P>
-<P>If you are interoperating with another IPsec implementation, you may
- find its documentation calling them &quot;passphrases&quot;.</P>
-<H3><A name="secrets">Putting secrets in ipsec.secrets(5)</A></H3>
-<P>If shared secrets are to be used to<A href="#authentication">
- authenticate</A> communication for the<A href="#DH"> Diffie-Hellman</A>
- key exchange in the<A href="#IKE"> IKE</A> protocol, then those secrets
- must be stored in<VAR> /etc/ipsec.secrets</VAR>. For details, see the<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A> man page.</P>
-<P>A few considerations are vital:</P>
-<UL>
-<LI>make the secrets long and unguessable. Since they need not be
- remembered by humans, very long ugly strings may be used. We suggest
- using our<A href="manpage.d/ipsec_ranbits.8.html"> ipsec_ranbits(8)</A>
- utility to generate long (128 bits or more) random strings.</LI>
-<LI>transmit secrets securely. You have to share them with other
- systems, but you lose if they are intercepted and used against you. Use<A
-href="#PGP"> PGP</A>,<A href="#ssh"> SSH</A>, hand delivery of a floppy
- disk which is then destroyed, or some other trustworthy method to
- deliver them.</LI>
-<LI>store secrets securely, in root-owned files with permissions
- rw------.</LI>
-<LI>limit sharing of secrets. Alice, Bob, Carol and Dave may all talk to
- each other, but only Alice and Bob should know the secret for an
- Alice-Bob link.</LI>
-<LI><STRONG>do not share private keys</STRONG>. The private key for RSA
- authentication of your system is stored in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A>, but it is a different class of secret from the
- pre-shared keys used for the &quot;shared secret&quot; authentication. No-one but
- you should have the RSA private key.</LI>
-</UL>
-<P>Each line has the IP addresses of the two gateways plus the secret.
- It should look something like this:</P>
-<PRE>        10.0.0.1 11.0.0.1 : PSK &quot;jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT&quot;</PRE>
-<P><VAR>PSK</VAR> indicates the use of a<STRONG> p</STRONG>re-<STRONG>s</STRONG>
-hared<STRONG> k</STRONG>ey. The quotes and the whitespace shown are
- required.</P>
-<P>You can use any character string as your secret. For security, it
- should be both long and extremely hard to guess. We provide a utility
- to generate such strings,<A href="manpage.d/ipsec_ranbits.8.html">
- ipsec_ranbits(8)</A>.</P>
-<P>You want the same secret on the two gateways used, so you create a
- line with that secret and the two gateway IP addresses. The
- installation process supplies an example secret, useful<EM> only</EM>
- for testing. You must change it for production use.</P>
-<H3><A name="securing.secrets">File security</A></H3>
-<P>You must deliver this file, or the relevant part of it, to the other
- gateway machine by some<STRONG> secure</STRONG> means.<EM> Don't just
- FTP or mail the file!</EM> It is vital that the secrets in it remain
- secret. An attacker who knew those could easily have<EM> all the data
- on your &quot;secure&quot; connection</EM>.</P>
-<P>This file must be owned by root and should have permissions<VAR>
- rw-------</VAR>.</P>
-<H3><A name="notroadshared">Shared secrets for road warriors</A></H3>
-<P>You can use a shared secret to support a single road warrior
- connecting to your gateway, and this is a reasonable thing to do in
- some circumstances. Public key methods have advantages, discussed<A href="#choose">
- above</A>, but they are not critical in this case.</P>
-<P>To do this, the line in ipsec.secrets(5) is something like:</P>
-<PRE>        10.0.0.1 0.0.0.0 : PSK &quot;jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT&quot;</PRE>
- where the<VAR> 0.0.0.0</VAR> means that any IP address is acceptable.
-<P><STRONG>For more than one road warrior, shared secrets are<EM> not</EM>
- recommended.</STRONG> If shared secrets are used, then when the
- responder needs to look up the secret, all it knows about the sender is
- an IP address. This is fine if the sender is at a fixed IP address
- specified in the config file. It is also fine if only one road warrior
- uses the wildcard<VAR> 0.0.0.0</VAR> address. However, if you have more
- than one road warrior using shared secret authentication, then they
- must all use that wildcard and therefore<STRONG> all road warriors
- using PSK autentication must use the same secret</STRONG>. Obviously,
- this is insecure.</P>
-<P><STRONG>For multiple road warriors, use public key authentication.</STRONG>
- Each roadwarrior can then have its own identity (our<VAR> leftid=</VAR>
- or<VAR> rightid=</VAR> parameters), its own public/private key pair,
- and its own secure connection.</P>
-<H2><A name="prodman">Using manual keying in production</A></H2>
-<P>Generally,<A href="#auto"> automatic keying</A> is preferred over<A href="#manual">
- manual keying</A> for production use because it is both easier to
- manage and more secure. Automatic keying frees the admin from much of
- the burden of managing keys securely, and can provide<A href="#PFS">
- perfect forward secrecy</A>. This is discussed in more detail<A href="#man-auto">
- above</A>.</P>
-<P>However, it is possible to use manual keying in production if that is
- what you want to do. This might be necessary, for example, in order to
- interoperate with some device that either does not provide automatic
- keying or provides it in some version we cannot talk to.</P>
-<P>Note that with manual keying<STRONG> all security rests with the keys</STRONG>
-. If an adversary acquires your keys, you've had it. He or she can read
- everything ever sent with those keys, including old messages he or she
- may have archived.</P>
-<P>You need to<STRONG> be really paranoid about keys</STRONG> if you're
- going to rely on manual keying for anything important.</P>
-<UL>
-<LI>keep keys in files with 600 permissions, owned by root</LI>
-<LI>be extremely careful about security of your gateway systems. Anyone
- who breaks into a gateway and gains root privileges can get all your
- keys and read everything ever encrypted with those keys, both old
- messages he has archived and any new ones you may send.</LI>
-<LI>change keys regularly. This can be a considerable bother, (and
- provides an excellent reason to consider automatic keying instead), but
- it is<EM> absolutely essential</EM> for security. Consider a manually
- keyed system in which you leave the same key in place for months:
-<UL>
-<LI>an attacker can have a very large sample of text sent with that key
- to work with. This makes various cryptographic attacks much more likely
- to succeed.</LI>
-<LI>The chances of the key being compromised in some non-cryptographic
- manner -- a spy finds it on a discarded notepad, someone breaks into
- your server or your building and steals it, a staff member is bribed,
- tricked, seduced or coerced into revealing it, etc. -- also increase
- over time.</LI>
-<LI>a successful attacker can read everything ever sent with that key.
- This makes any successful attack extremely damaging.</LI>
-</UL>
- It is clear that you must change keys often to have any useful
- security. The only question is how often.</LI>
-<LI>use<A href="#PGP"> PGP</A> or<A href="#ssh"> SSH</A> for all key
- transfers</LI>
-<LI>don't edit files with keys in them when someone can look over your
- shoulder</LI>
-<LI>worry about network security; could someone get keys by snooping
- packets on the LAN between your X desktop and the gateway?</LI>
-<LI>lock up your backup tapes for the gateway system</LI>
-<LI>... and so on</LI>
-</UL>
-<P>Linux FreeS/WAN provides some facilities to help with this. In
- particular, it is good policy to<STRONG> keep keys in separate files</STRONG>
- so you can edit configuration information in /etc/ipsec.conf without
- exposing keys to &quot;shoulder surfers&quot; or network snoops. We support this
- with the<VAR> also=</VAR> and<VAR> include</VAR> syntax in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>.</P>
-<P>See the last example in our<A href="examples"> examples</A> file. In
- the /etc/ipsec.conf<VAR> conn samplesep</VAR> section, it has the line:</P>
-<PRE>        also=samplesep-keys</PRE>
-<P>which tells the &quot;ipsec manual&quot; script to insert the configuration
- description labelled &quot;samplesep-keys&quot; if it can find it. The
- /etc/ipsec.conf file must also have a line such as:</P>
-<PRE>include ipsec.*.conf</PRE>
-<P>which tells it to read other files. One of those other files then
- might contain the additional data:</P>
-<PRE>conn samplesep-keys
-  spi=0x200
-  esp=3des-md5-96
-  espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
-  espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf</PRE>
-<P>The first line matches the label in the &quot;also=&quot; line, so the indented
- lines are inserted. The net effect is exactly as if the inserted lines
- had occurred in the original file in place of the &quot;also=&quot; line.</P>
-<P>Variables set here are:</P>
-<DL>
-<DT>spi</DT>
-<DD>A number needed by the manual keying code. Any 3-digit hex number
- will do, but if you have more than one manual connection then<STRONG>
- spi must be different</STRONG> for each connection.</DD>
-<DT>esp</DT>
-<DD>Options for<A href="#ESP"> ESP</A> (Encapsulated Security Payload),
- the usual IPsec encryption mode. Settings here are for<A href="#encryption">
- encryption</A> using<A href="#3DES"> triple DES</A> and<A href="#authentication">
- authentication</A> using<A href="#MD5"> MD5</A>. Note that encryption
- without authentication should not be used; it is insecure.</DD>
-<DT>espenkey</DT>
-<DD>Key for ESP encryption. Here, a 192-bit hex number for triple DES.</DD>
-<DT>espauthkey</DT>
-<DD>Key for ESP authentication. Here, a 128-bit hex number for MD5.</DD>
-</DL>
-<P><STRONG>Note</STRONG> that the<STRONG> example keys we supply</STRONG>
- are intended<STRONG> only for testing</STRONG>. For real use, you
- should go to automatic keying. If that is not possible, create your own
- keys for manual mode and keep them secret</P>
-<P>Of course, any files containing keys<STRONG> must</STRONG> have 600
- permissions and be owned by root.</P>
-<P>If you connect in this way to multiple sites, we recommend that you
- keep keys for each site in a separate file and adopt some naming
- convention that lets you pick them all up with a single &quot;include&quot; line.
- This minimizes the risk of losing several keys to one error or attack
- and of accidentally giving another site admin keys which he or she has
- no business knowing.</P>
-<P>Also note that if you have multiple manually keyed connections on a
- single machine, then the<VAR> spi</VAR> parameter must be different for
- each one. Any 3-digit hex number is OK, provided they are different for
- each connection. We reserve the range 0x100 to 0xfff for manual
- connections. Pluto assigns SPIs from 0x1000 up for automatically keyed
- connections.</P>
-<P>If<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> contains
- keys for manual mode connections, then it too must have permissions<VAR>
- rw-------</VAR>. We recommend instead that, if you must manual keying
- in production, you keep the keys in separate files.</P>
-<P>Note also that<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf</A>
- is installed with permissions<VAR> rw-r--r--</VAR>. If you plan to use
- manually keyed connections for anything more than initial testing, you<B>
- must</B>:</P>
-<UL>
-<LI>either change permissions to<VAR> rw-------</VAR></LI>
-<LI>or store keys separately in secure files and access them via include
- statements in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf</A>.</LI>
-</UL>
-<P>We recommend the latter method for all but the simplest
- configurations.</P>
-<H3><A name="ranbits">Creating keys with ranbits</A></H3>
-<P>You can create new<A href="#random"> random</A> keys with the<A href="manpage.d/ipsec_ranbits.8.html">
- ranbits(8)</A> utility. For example, the commands:</P>
-<PRE>      umask 177
-      ipsec ranbits 192  &gt; temp
-      ipsec ranbits 128 &gt;&gt; temp</PRE>
-<P>create keys in the sizes needed for our default algorithms:</P>
-<UL>
-<LI>192-bit key for<A href="#3DES"> 3DES</A> encryption
-<BR> (only 168 bits are used; parity bits are ignored)</LI>
-<LI>128-bit key for keyed<A href="#MD5"> MD5</A> authentication</LI>
-</UL>
-<P>If you want to use<A href="#SHA"> SHA</A> instead of<A href="#MD5">
- MD5</A>, that requires a 160-bit key</P>
-<P>Note that any<STRONG> temporary files</STRONG> used must be kept<STRONG>
- secure</STRONG> since they contain keys. That is the reason for the
- umask command above. The temporary file should be deleted as soon as
- you are done with it. You may also want to change the umask back to its
- default value after you are finished working on keys.</P>
-<P>The ranbits utility may pause for a few seconds if not enough entropy
- is available immediately. See ipsec_ranbits(8) and random(4) for
- details. You may wish to provide some activity to feed entropy into the
- system. For example, you might move the mouse around, type random
- characters, or do<VAR> du /usr &gt; /dev/null</VAR> in the background.</P>
-<H2><A name="boot">Setting up connections at boot time</A></H2>
-<P>You can tell the system to set up connections automatically at boot
- time by putting suitable stuff in /etc/ipsec.conf on both systems. The
- relevant section of the file is labelled by a line reading<VAR> config
- setup</VAR>.</P>
-<P>Details can be found in the<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> man page. We also provide a file of<A href="examples">
- example configurations</A>.</P>
-<P>The most likely options are something like:</P>
-<DL>
-<DT>interfaces=&quot;ipsec0=eth0 ipsec1=ppp0&quot;</DT>
-<DD>Tells KLIPS which interfaces to use. Up to four interfaces numbered
- ipsec[0-3] are supported. Each interface can support an arbitrary
- number of tunnels.
-<P>Note that for PPP, you give the ppp[0-9] device name here, not the
- underlying device such as modem (or eth1 if you are using PPPoE).</P>
-</DD>
-<DT>interfaces=%defaultroute</DT>
-<DD>Alternative setting, useful in simple cases. KLIPS will pick up both
- its interface and the next hop information from the settings of the
- Linux default route.</DD>
-<DT>forwardcontrol=no</DT>
-<DD>Normally &quot;no&quot;. Set to &quot;yes&quot; if the IP forwarding option is disabled
- in your network configuration. (This can be set as a kernel
- configuration option or later. e.g. on Redhat, it's in
- /etc/sysconfig/network and on SuSE you can adjust it with Yast.) Linux
- FreeS/WAN will then enable forwarding when starting up and turn it off
- when going down. This is used to ensure that no packets will be
- forwarded before IPsec comes up and takes control.</DD>
-<DT>syslog=daemon.error</DT>
-<DD>Used in messages to the system logging daemon (syslogd) to specify
- what type of software is sending the messages. If the settings are
- &quot;daemon.error&quot; as in our example, then syslogd treats the messages as
- error messages from a daemon.
-<P>Note that<A href="#Pluto"> Pluto</A> does not currently pay attention
- to this variable. The variable controls setup messages only.</P>
-</DD>
-<DT>klipsdebug=</DT>
-<DD>Debug settings for<A href="#KLIPS"> KLIPS</A>.</DD>
-<DT>plutodebug=</DT>
-<DD>Debug settings for<A href="#Pluto"> Pluto</A>.</DD>
-<DT>... for both the above DEBUG settings</DT>
-<DD>Normally, leave empty as shown above for no debugging output.
-<BR> Use &quot;all&quot; for maximum information.
-<BR> See ipsec_klipsdebug(8) and ipsec_pluto(8) man page for other
- options. Beware that if you set /etc/ipsec.conf to enable debug output,
- your system's log files may get large quickly.</DD>
-<DT>dumpdir=/safe/directory</DT>
-<DD>Normally, programs started by ipsec setup don't crash. If they do,
- by default, no core dump will be produced because such dumps would
- contain secrets. If you find you need to debug such crashes, you can
- set dumpdir to the name of a directory in which to collect the core
- file.</DD>
-<DT>manualstart=</DT>
-<DD>List of manually keyed connections to be automatically started at
- boot time. Useful for testing, but not for long term use. Connections
- which are automatically started should also be automatically re-keyed.</DD>
-<DT>pluto=yes</DT>
-<DD>Whether to start<A href="#Pluto"> Pluto</A> when ipsec startup is
- done.
-<BR> This parameter is optional and defaults to &quot;yes&quot; if not present.
-<P>&quot;yes&quot; is strongly recommended for production use so that the keying
- daemon (Pluto) will automatically re-key the connections regularly. The
- ipsec-auto parameters ikelifetime, ipseclifetime and reykeywindow give
- you control over frequency of rekeying.</P>
-</DD>
-<DT>plutoload=&quot;reno-van reno-adam reno-nyc&quot;</DT>
-<DD>List of tunnels (by name, e.g. fred-susan or reno-van in our
- examples) to be loaded into Pluto's internal database at startup. In
- this example, Pluto loads three tunnels into its database when it is
- started.
-<P>If plutoload is &quot;%search&quot;, Pluto will load any connections whose
- description includes &quot;auto=add&quot; or &quot;auto=start&quot;.</P>
-</DD>
-<DT>plutostart=&quot;reno-van reno-adam reno-nyc&quot;</DT>
-<DD>List of tunnels to attempt to negotiate when Pluto is started.
-<P>If plutostart is &quot;%search&quot;, Pluto will start any connections whose
- description includes &quot;auto=start&quot;.</P>
-<P>Note that, for a connection intended to be permanent,<STRONG> both
- gateways should be set try to start</STRONG> the tunnel. This allows
- quick recovery if either gateway is rebooted or has its IPsec
- restarted. If only one gateway is set to start the tunnel and the other
- gateway restarts, the tunnel may not be rebuilt.</P>
-</DD>
-<DT>plutowait=no</DT>
-<DD>Controls whether Pluto waits for one tunnel to be established before
- starting to negotiate the next. You might set this to &quot;yes&quot;
-<UL>
-<LI>if your gateway is a very limited machine and you need to conserve
- resources.</LI>
-<LI>for debugging; the logs are clearer if only one connection is
- brought up at a time</LI>
-</UL>
- For a busy and resource-laden production gateway, you likely want &quot;no&quot;
- so that connections are brought up in parallel and the whole process
- takes less time.</DD>
-</DL>
-<P>The example assumes you are at the Reno office and will use IPsec to
- Vancouver, New York City and Amsterdam.</P>
-<H2><A name="multitunnel">Multiple tunnels between the same two gateways</A>
-</H2>
-<P>Consider a pair of subnets, each with a security gateway, connected
- via the Internet:</P>
-<PRE>         192.168.100.0/24           left subnet
-              |
-         192.168.100.1
-         North Gateway
-         101.101.101.101            left
-              |
-         101.101.101.1              left next hop
-         [Internet]
-         202.202.202.1              right next hop
-              |
-         202.202.202.202            right
-         South gateway
-         192.168.200.1
-              |
-         192.168.200.0/24           right subnet</PRE>
-<P>A tunnel specification such as:</P>
-<PRE>conn northnet-southnet
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      leftsubnet=192.168.100.0/24
-      leftfirewall=yes
-      right=202.202.202.202
-      rightnexthop=202.202.202.1
-      rightsubnet=192.168.200.0/24
-      rightfirewall=yes</PRE>
- will allow machines on the two subnets to talk to each other. You might
- test this by pinging from polarbear (192.168.100.7) to penguin
- (192.168.200.5).
-<P>However,<STRONG> this does not cover other traffic you might want to
- secure</STRONG>. To handle all the possibilities, you might also want
- these connection descriptions:</P>
-<PRE>conn northgate-southnet
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      right=202.202.202.202
-      rightnexthop=202.202.202.1
-      rightsubnet=192.168.200.0/24
-      rightfirewall=yes
-
-conn northnet-southgate
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      leftsubnet=192.168.100.0/24
-      leftfirewall=yes
-      right=202.202.202.202
-      rightnexthop=202.202.202.1</PRE>
-<P>Without these, neither gateway can do IPsec to the remote subnet.
- There is no IPsec tunnel or eroute set up for the traffic.</P>
-<P>In our example, with the non-routable 192.168.* addresses used,
- packets would simply be discarded. In a different configuration, with
- routable addresses for the remote subnet,<STRONG> they would be sent
- unencrypted</STRONG> since there would be no IPsec eroute and there
- would be a normal IP route.</P>
-<P>You might also want:</P>
-<PRE>conn northgate-southgate
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      right=202.202.202.202
-      rightnexthop=202.202.202.1</PRE>
-<P>This is required if you want the two gateways to speak IPsec to each
- other.</P>
-<P>This requires a lot of duplication of details. Judicious use of<VAR>
- also=</VAR> and<VAR> include</VAR> can reduce this problem.</P>
-<P>Note that, while FreeS/WAN supports all four tunnel types, not all
- implementations do. In particular, some versions of Windows 2000 and
- the freely downloadable version of PGP provide only &quot;client&quot;
- functionality. You cannot use them as gateways with a subnet behind
- them. To get that functionality, you must upgrade to Windows 2000
- server or the commercially available PGP products.</P>
-<H3><A name="advroute">One tunnel plus advanced routing</A></H3>
- It is also possible to use the new routing features in 2.2 and later
- kernels to avoid most needs for multple tunnels. Here is one mailing
- list message on the topic:
-<PRE>Subject: Re: linux-ipsec: IPSec packets not entering tunnel?
-   Date: Mon, 20 Nov 2000
-   From: Justin Guyett &lt;jfg@sonicity.com&gt;
-
-On Mon, 20 Nov 2000, Claudia Schmeing wrote:
-
-&gt; Right                                                         Left
-&gt;                      &quot;home&quot;                &quot;office&quot;
-&gt; 10.92.10.0/24 ---- 24.93.85.110 ========= 216.175.164.91 ---- 10.91.10.24/24
-&gt;
-&gt; I've created all four tunnels, and can ping to test each of them,
-&gt; *except* homegate-officenet.
-
-I keep wondering why people create all four tunnels.  Why not route
-traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
-And 99% of the time you don't need to access &quot;office&quot; directly, which
-means you can eliminate all but the subnet&lt;-&gt;subnet connection.</PRE>
- and FreeS/WAN technical lead Henry Spencer's comment:
-<PRE>&gt; I keep wondering why people create all four tunnels.  Why not route
-&gt; traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
-
-This is feasible, given some iproute2 attention to source addresses, but
-it isn't something we've documented yet... (partly because we're still
-making some attempt to support 2.0.xx kernels, which can't do this, but
-mostly because we haven't caught up with it yet).
-
-&gt; And 99% of the time you don't need to access &quot;office&quot; directly, which
-&gt; means you can eliminate all but the subnet&lt;-&gt;subnet connection.
-
-Correct in principle, but people will keep trying to ping to or from the
-gateways during testing, and sometimes they want to run services on the
-gateway machines too.</PRE>
-
-<!-- Is this in the right spot in this document? -->
-<H2><A name="opp.gate">An Opportunistic Gateway</A></H2>
-<H3><A NAME="14_7_1">Start from full opportunism</A></H3>
-<P>Full opportunism allows you to initiate and receive opportunistic
- connections on your machine. The remaining instructions in this section
- assume you have first set up full opportunism on your gateway using<A HREF="#opp.incoming">
- these instructions</A>. Both sets of instructions require mailing DNS
- records to your ISP. Collect DNS records for both the gateway (above)
- and the subnet nodes (below) before contacting your ISP.</P>
-<H3><A NAME="14_7_2">Reverse DNS TXT records for each protected machine</A>
-</H3>
-<P>You need these so that your Opportunistic peers can:</P>
-<UL>
-<LI>discover the gateway's address, knowing only the IP address that
- packets are bound for</LI>
-<LI>verify that the gateway is authorised to encrypt for that endpoint</LI>
-</UL>
-<P>On the gateway, generate a TXT record with:</P>
-<PRE>    ipsec showhostkey --txt 192.0.2.11</PRE>
-<P>Use your gateway address in place of 192.0.2.11.</P>
-<P>You should see (keys are trimmed for clarity throughout our example):</P>
-<PRE>    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-<P><B>This MUST BE the same key as in your gateway's TXT record, or
- nothing will work.</B></P>
-<P>In a text file, make one copy of this TXT record for each subnet
- node:</P>
-<PRE>    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-<P>Above each entry, insert a line like this:</P>
-<PRE>    98.2.0.192.in-addr.arpa. IN PTR arthur.example.com.</PRE>
-<P>It must include:</P>
-<UL>
-<LI>The subnet node's address in reverse map format. For example,
- 192.0.2.120 becomes<VAR> 120.2.0.192.in-addr.arpa.</VAR>. Note the
- final period.</LI>
-<LI><VAR>IN PTR</VAR></LI>
-<LI>The node's name, ie.<VAR> arthur.example.com.</VAR>. Note the final
- period.</LI>
-</UL>
-<P>The result will be a file of TXT records, like this:</P>
-<PRE>    98.2.0.192.in-addr.arpa. IN PTR arthur.example.com.
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    99.2.0.192.in-addr.arpa. IN PTR ford.example.com.
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    100.2.0.192.in-addr.arpa. IN PTR trillian.example.com.
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-<H3><A NAME="14_7_3">Publish your records</A></H3>
-<P>Ask your ISP to publish all the reverse DNS records you have
- collected. There may be a delay of up to 48 hours as the records
- propagate.</P>
-<H3><A NAME="14_7_4">...and test them</A></H3>
-<P>Check a couple of records with commands like this one:</P>
-<PRE>    ipsec verify --host ford.example.com
-    ipsec verify --host trillian.example.com</PRE>
-<P>The<VAR> verify</VAR> command checks for TXT records for both the
- subnet host and its gateway. You should see output like:</P>
-<PRE>    ...
-    Looking for TXT in reverse map: 99.2.0.192.in-addr.arpa [OK]
-    ...
-    Looking for TXT in reverse map: 11.2.0.192.in-addr.arpa   [OK]
-    ...
-    Looking for TXT in reverse map: 100.2.0.192.in-addr.arpa [OK]
-    ...
-    Looking for TXT in reverse map: 11.2.0.192.in-addr.arpa   [OK]
-    ...</PRE>
-<H3><A NAME="14_7_5">No Configuration Needed</A></H3>
-<P>FreeS/WAN 2.x ships with a built-in, automatically enabled OE
- connection<VAR> conn packetdefault</VAR> which applies OE, if possible,
- to all outbound traffic routed through the FreeS/WAN box. The<A HREF="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5) manual</A> describes this connection in detail. While the
- effect is much the same as<VAR> private-or-clear</VAR>, the
- implementation is different: notably, it does not use policy groups.</P>
-<P>You can create more complex OE configurations for traffic forwarded
- through a FreeS/WAN box, as explained in our<A HREF="#policygroups">
- policy groups document</A>, or disable OE using<A HREF="#disable_policygroups">
- these instructions</A>.</P>
-<H2><A name="extruded.config">Extruded Subnets</A></H2>
-<P>What we call<A href="glossary.html#extruded"> extruded subnets</A>
- are a special case of<A href="glossary.html#VPN.gloss"> VPNs</A>.</P>
-<P>If your buddy has some unused IP addresses, in his subnet far off at
- the other side of the Internet, he can loan them to you... provided
- that the connection between you and him is fast enough to carry all the
- traffic between your machines and the rest of the Internet. In effect,
- he &quot;extrudes&quot; a part of his address space over the network to you, with
- your Internet traffic appearing to originate from behind his Internet
- gateway.</P>
-<P>As far as the Internet is concerned, your new extruded net is behind
- your buddy's gateway. You route all your packets for the Internet at
- large out his gateway, and receive return packets the same way. You
- route your local packets locally.</P>
-<P>Suppose your friend has a.b.c.0/24 and wants to give you
- a.b.c.240/28. The initial situation is:</P>
-<PRE>    subnet           gateway          Internet
-  a.b.c.0/24    a.b.c.1    p.q.r.s</PRE>
- where anything from the Internet destined for any machine in a.b.c.0/24
- is routed via p.q.r.s and that gateway knows what to do from there.
-<P>Of course it is quite normal for various smaller subnets to exist
- behind your friend's gateway. For example, your friend's company might
- have a.b.c.16/28=development, a.b.c.32/28=marketing and so on. The
- Internet neither knows not cares about this; it just delivers packets
- to the p.q.r.s and lets the gateway do whatever needs to be done from
- there.</P>
-<P>What we want to do is take a subnet, perhaps a.b.c.240/28, out of
- your friend's physical location<EM> while still having your friend's
- gateway route to it</EM>. As far as the Internet is concerned, you
- remain behind that gateway.</P>
-<PRE>    subnet           gateway          Internet       your gate  extruded
-
-  a.b.c.0/24   a.b.c.1     p.q.r.s              d.e.f.g         a.b.c.240/28                
-
-                           ========== tunnel ==========</PRE>
-<P>The extruded addresses have to be a complete subnet.</P>
-<P>In our example, the friend's security gateway is also his Internet
- gateway, but this is not necessary. As long as all traffic from the
- Internet to his addresses passes through the Internet gate, the
- security gate could be a machine behind that. The IG would need to
- route all traffic for the extruded subnet to the SG, and the SG could
- handle the rest.</P>
-<P>First, configure your subnet using the extruded addresses. Your
- security gateway's interface to your subnet needs to have an extruded
- address (possibly using a Linux<A href="#virtual"> virtual interface</A>
-, if it also has to have a different address). Your gateway needs to
- have a route to the extruded subnet, pointing to that interface. The
- other machines at your site need to have addresses in that subnet, and
- default routes pointing to your gateway.</P>
-<P>If any of your friend's machines need to talk to the extruded subnet,<EM>
- they</EM> need to have a route for the extruded subnet, pointing at his
- gateway.</P>
-<P>Then set up an IPsec subnet-to-subnet tunnel between your gateway and
- his, with your subnet specified as the extruded subnet, and his subnet
- specified as &quot;0.0.0.0/0&quot;.</P>
-<P>The tunnel description should be:</P>
-<PRE>conn extruded
-        left=p.q.r.s
-        leftsubnet=0.0.0.0/0
-        right=d.e.f.g
-        rightsubnet=a.b.c.0/28</PRE>
-<P>If either side was doing firewalling for the extruded subnet before
- the IPsec connection is set up, you'll need to poke holes in your<A HREF="#firewall">
- firewall</A> to allow packets through.</P>
-<P>And it all just works. Your SG routes traffic for 0.0.0.0/0 -- that
- is, the whole Internet -- through the tunnel to his SG, which then
- sends it onward as if it came from his subnet. When traffic for the
- extruded subnet arrives at his SG, it gets sent through the tunnel to
- your SG, which passes it to the right machine.</P>
-<P>Remember that when ipsec_manual or ipsec_auto takes a connection
- down, it<EM> does not undo the route</EM> it made for that connection.
- This lets you take a connection down and bring up a new one, or a
- modified version of the old one, without having to rebuild the route it
- uses and without any risk of packets which should use IPsec
- accidentally going out in the clear. Because the route always points
- into KLIPS, the packets will always go there. Because KLIPS temporarily
- has no idea what to do with them (no eroute for them), they will be
- discarded.</P>
-<P>If you<EM> do</EM> want to take the route down, this is what the
- &quot;unroute&quot; operation in manual and auto is for. Just do an unroute after
- doing the down.</P>
-<P>Note that the route for a connection may have replaced an existing
- non-IPsec route. Nothing in Linux FreeS/WAN will put that pre-IPsec
- route back. If you need it back, you have to create it with the route
- command.</P>
-<H2><A name="roadvirt">Road Warrior with virtual IP address</A></H2>
-<P>Please note that<A HREF="http://www.freeswan.ca/download.php"> Super
- FreeS/WAN</A> now features DHCP-over-IPsec, which is an alternate
- procedure for Virtual IP address assignment.</P>
-<P></P>
-<P>Here is a mailing list message about another way to configure for
- road warrior support:</P>
-<PRE>Subject: Re: linux-ipsec: understanding the vpn
-   Date: Thu, 28 Oct 1999 10:43:22 -0400
-   From: Irving Reid &lt;irving@nevex.com&gt;
-
-&gt;  local-------linux------internet------mobile
-&gt;  LAN        box                         user
-&gt;  ...
-
-&gt;  now when the mobile user connects to the linux box
-&gt;  it is given a virtual IP address, i have configured it to
-&gt;  be in the 10.x.x.x range. mobile user and linux box 
-&gt;  have a tunnel between them with these IP addresses.
-
-&gt;   Uptil this all is fine.
-
-If it is possible to configure your mobile client software *not* to
-use a virtual IP address, that will make your life easier. It is easier
-to configure FreeS/WAN to use the actual address the mobile user gets
-from its ISP.
-
-Unfortunately, some Windows clients don't let you choose.
-
-&gt;  what i would like to know is that how does the mobile
-&gt;  user communicate with other computers on the local
-&gt;  LAN , of course with the vpn ?
-
-&gt;   what IP address should the local LAN 
-&gt;  computers have ? I guess their default gateway 
-&gt;  should be the linux box ? and does the linux box need
-&gt;  to be a 2 NIC card box or one is fine.
-
-As someone else stated, yes, the Linux box would usually be the default
-IP gateway for the local lan.
-
-However...
-
-If you mobile user has software that *must* use a virtual IP address,
-the whole picture changes. Nobody has put much effort into getting
-FreeS/WAN to play well in this environment, but here's a sketch of one
-approach:
-
-Local Lan 1.0.0.0/24
-    |
-    +- Linux FreeS/WAN 1.0.0.2
-    |
-    | 1.0.0.1
- Router
-    | 2.0.0.1
-    |
-Internet
-    |
-    | 3.0.0.1
-Mobile User
-      Virtual Address: 1.0.0.3
-
-Note that the Local Lan network (1.0.0.x) can be registered, routable
-addresses.
-
-Now, the Mobile User sets up an IPSec security association with the
-Linux box (1.0.0.2); it should ESP encapsulate all traffic to the
-network 1.0.0.x **EXCEPT** UDP port 500. 500/udp is required for the key
-negotiation, which needs to work outside of the IPSec tunnel.
-
-On the Linux side, there's a bunch of stuff you need to do by hand (for
-now). FreeS/WAN should correctly handle setting up the IPSec SA and
-routes, but I haven't tested it so this may not work...
-
-The FreeS/WAN conn should look like:
-
-conn mobile
-        right=1.0.0.2
-        rightsubnet=1.0.0.0/24
-        rightnexthop=1.0.0.1
-        left=0.0.0.0  # The infamous &quot;road warrior&quot;
-        leftsubnet=1.0.0.3/32
-
-Note that the left subnet contains *only* the remote host's virtual
-address.
-
-Hopefully the routing table on the FreeS/WAN box ends up looking like
-this:
-
-% netstat -rn
-Kernel IP routing table
-Destination     Gateway      Genmask         Flags   MSS Window  irtt Iface
-1.0.0.0         0.0.0.0      255.255.255.0   U      1500 0          0 eth0
-127.0.0.0       0.0.0.0      255.0.0.0       U      3584 0          0 lo
-0.0.0.0         1.0.0.1      0.0.0.0         UG     1500 0          0 eth0
-1.0.0.3         1.0.0.1      255.255.255.255 UG     1433 0          0 ipsec0
-
-So, if anybody sends a packet for 1.0.0.3 to the Linux box, it should
-get bundled up and sent through the tunnel. To get the packets for
-1.0.0.3 to the Linux box in the first place, you need to use &quot;proxy
-ARP&quot;.
-
-How this works is: when a host or router on the local Ethernet segment
-wants to send a packet to 1.0.0.3, it sends out an Ethernet level
-broadcast &quot;ARP request&quot;. If 1.0.0.3 was on the local LAN, it would
-reply, saying &quot;send IP packets for 1.0.0.3 to my Ethernet address&quot;.
-
-Instead, you need to set up the Linux box so that _it_ answers ARP
-requests for 1.0.0.3, even though that isn't its IP address. That
-convinces everyone else on the lan to send 1.0.0.3 packets to the Linux
-box, where the usual FreeS/WAN processing and routing take over.
-
-% arp -i eth0 -s 1.0.0.3 -D eth0 pub
-
-This says, if you see an ARP request on interface eth0 asking for
-1.0.0.3, respond with the Ethernet address of interface eth0.
-
-Now, as I said at the very beginning, if it is *at all* possible to
-configure your client *not* to use the virtual IP address, you can avoid
-this whole mess.</PRE>
-<H2><A name="dynamic">Dynamic Network Interfaces</A></H2>
-<P>Sometimes you have to cope with a situation where the network
- interface(s) aren't all there at boot. The common example is notebooks
- with PCMCIA.</P>
-<H3><A name="basicdyn">Basics</A></H3>
-<P>The key issue here is that the<VAR> config setup</VAR> section of the<VAR>
- /etc/ipsec.conf</VAR> configuration file lists the connection between
- ipsecN and hardware interfaces, in the<VAR> interfaces=</VAR> variable.
- At any time when<VAR> ipsec setup start</VAR> or<VAR> ipsec setup
- restart</VAR> is run this variable<STRONG> must</STRONG> correspond to
- the current real situation. More precisely, it<STRONG> must not</STRONG>
- mention any hardware interfaces which don't currently exist. The
- difficulty is that an<VAR> ipsec setup start</VAR> command is normally
- run at boot time so interfaces that are not up then are mis-handled.</P>
-<H3><A name="bootdyn">Boot Time</A></H3>
-<P>Normally, an<VAR> ipsec setup start</VAR> is run at boot time.
- However, if the hardware situation at boot time is uncertain, one of
- two things must be done.</P>
-<UL>
-<LI>One possibility is simply not to have IPsec brought up at boot time.
- To do this:
-<PRE>        chkconfig --level 2345 ipsec off</PRE>
- That's for modern Red Hats or other Linuxes with chkconfig. Systems
- which lack this will require fiddling with symlinks in /etc/rc.d/rc?.d
- or the equivalent.</LI>
-<LI>Another possibility is to bring IPsec up with no interfaces, which
- is less aesthetically satisfying but simpler. Just put
-<PRE>        interfaces=</PRE>
- in the configuration file. KLIPS and Pluto will be started, but won't
- do anything.</LI>
-</UL>
-<H3><A name="changedyn">Change Time</A></H3>
-<P>When the hardware *is* in place, IPsec has to be made aware of it.
- Someday there may be a nice way to do this.</P>
-<P>Right now, the way to do it is to fix the<VAR> /etc/ipsec.conf</VAR>
- file appropriately, so<VAR> interfaces</VAR> reflects the new
- situation, and then restart the IPsec subsystem. This does break any
- existing IPsec connections.</P>
-<P>If IPsec wasn't brought up at boot time, do</P>
-<PRE>        ipsec setup start</PRE>
- while if it was, do
-<PRE>        ipsec setup restart</PRE>
- which won't be as quick.
-<P>If some of the hardware is to be taken out, before doing that, amend
- the configuration file so interfaces no longer includes it, and do</P>
-<PRE>        ipsec setup restart</PRE>
-<P>Again, this breaks any existing connections.</P>
-<H2><A name="unencrypted">Unencrypted tunnels</A></H2>
-<P>Sometimes you might want to create a tunnel without encryption. Often
- this is a bad idea, even if you have some data which need not be
- private. See this<A href="#traffic.resist"> discussion</A>.</P>
-<P>The IPsec protocols provide two ways to do build such tunnels:</P>
-<DL>
-<DT>using ESP with null encryption</DT>
-<DD>not supported by FreeS/WAN</DD>
-<DT>using<A href="#AH"> AH</A> without<A href="#ESP"> ESP</A></DT>
-<DD>supported for manually keyed connections</DD>
-<DD>possible with explicit commands via<A href="manpage.d/ipsec_whack.8.html">
- ipsec_whack(8)</A> (see this<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00190.html">
- list message</A>)</DD>
-<DD>not supported in the<A href="manpage.d/ipsec_auto.8.html">
- ipsec_auto(8)</A> scripts.</DD>
-</DL>
- One situation in which this comes up is when otherwise some data would
- be encrypted twice. Alice wants a secure tunnel from her machine to
- Bob's. Since she's behind one security gateway and he's behind another,
- part of the tunnel that they build passes through the tunnel that their
- site admins have built between the gateways. All of Alice and Bob's
- messages are encrypted twice.
-<P>There are several ways to handle this.</P>
-<UL>
-<LI>Just accept the overhead of double encryption. The site admins might
- choose this if any of the following apply:
-<UL>
-<LI>policy says encrypt everything (usually, it should)</LI>
-<LI>they don't entirely trust Alice and Bob (usually, if they don't have
- to, they shouldn't)</LI>
-<LI>if they don't feel the saved cycles are worth the time they'd need
- to build a non-encrypted tunnel for Alice and Bob's packets (often,
- they aren't)</LI>
-</UL>
-</LI>
-<LI>Use a plain IP-in-IP tunnel. These are not well documented. A good
- starting point is in the Linux kernel source tree, in
- /usr/src/linux/drivers/net/README.tunnel.</LI>
-<LI>Use a manually-keyed AH-only tunnel.</LI>
-</UL>
-<P>Note that if Alice and Bob want end-to-end security, they must build
- a tunnel end-to-end between their machines or use some other end-to-end
- tool such as PGP or SSL that suits their data. The only question is
- whether the admins build some special unencrypted tunnel for those
- already-encrypted packets.</P>
-<HR>
-<H1><A name="install">Installing FreeS/WAN</A></H1>
-<P>This document will teach you how to install Linux FreeS/WAN. If your
- distribution comes with Linux FreeS/WAN, we offer tips to get you
- started.</P>
-<H2><A NAME="15_1">Requirements</A></H2>
-<P>To install FreeS/WAN you must:</P>
-<UL>
-<LI>be running Linux with the 2.4 or 2.2 kernel series. See this<A HREF="http://www.freeswan.ca/download.php#contact">
- kernel compatibility table</A>.
-<BR>We also have experimental support for 2.6 kernels. Here are two
- basic approaches:
-<UL>
-<LI> install FreeS/WAN, including its<A HREF="#parts"> KLIPS</A> kernel
- code. This will remove the native IPsec stack and replace it with
- KLIPS.</LI>
-<LI> install the FreeS/WAN<A HREF="#parts"> userland tools</A> (keying
- daemon and supporting scripts) for use with<A HREF="http://lartc.org/howto/lartc.ipsec.html">
- 2.6 kernel native IPsec</A>,</LI>
-</UL>
- See also these<A HREF="2.6.known-issues"> known issues with 2.6</A>.</LI>
-<LI>have root access to your Linux box</LI>
-<LI>choose the version of FreeS/WAN you wish to install based on<A HREF="http://www.freeswan.org/mail.html">
- mailing list reports</A>
-<!-- or 
-our updates page (coming soon)-->
-</LI>
-</UL>
-<H2><A NAME="15_2">Choose your install method</A></H2>
-<P>There are three basic ways to get FreeS/WAN onto your system:</P>
-<UL>
-<LI>activating and testing a FreeS/WAN that<A HREF="#distroinstall">
- shipped with your Linux distribution</A></LI>
-<LI><A HREF="#rpminstall">RPM install</A></LI>
-<LI><A HREF="#srcinstall">Install from source</A></LI>
-</UL>
-<A NAME="distroinstall"></A>
-<H2><A NAME="15_3">FreeS/WAN ships with some Linuxes</A></H2>
-<P>FreeS/WAN comes with<A HREF="#distwith"> these distributions</A>.</P>
-<P>If you're running one of these, include FreeS/WAN in the choices you
- make during installation, or add it later using the distribution's
- tools.</P>
-<H3><A NAME="15_3_1">FreeS/WAN may be altered...</A></H3>
-<P>Your distribution may have integrated extra features, such as Andreas
- Steffen's X.509 patch, into FreeS/WAN. It may also use custom startup
- script locations or directory names.</P>
-<H3><A NAME="15_3_2">You might need to create an authentication keypair</A>
-</H3>
-<P>If your FreeS/WAN came with your distribution, you may wish to
- generate a fresh RSA key pair. FreeS/WAN will use these keys for
- authentication.</P>
-<P> To do this, become root, and type:</P>
-<PRE>    ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com
-    chmod 600 /etc/ipsec.secrets</PRE>
-<P>where you replace xy.example.com with your machine's fully-qualified
- domain name. Generate some randomness, for example by wiggling your
- mouse, to speed the process.</P>
-<P>The resulting ipsec.secrets looks like:</P>
-<PRE>: RSA   {
-        # RSA 2192 bits   xy.example.com   Sun Jun 8 13:42:19 2003
-        # for signatures only, UNSAFE FOR ENCRYPTION
-        #pubkey=0sAQOFppfeE3cC7wqJi...
-        Modulus: 0x85a697de137702ef0...
-        # everything after this point is secret
-        PrivateExponent: 0x16466ea5033e807...
-        Prime1: 0xdfb5003c8947b7cc88759065...
-        Prime2: 0x98f199b9149fde11ec956c814...
-        Exponent1: 0x9523557db0da7a885af90aee...
-        Exponent2: 0x65f6667b63153eb69db8f300dbb...
-        Coefficient: 0x90ad00415d3ca17bebff123413fc518...
-        }
-# do not change the indenting of that &quot;}&quot;</PRE>
-<P>In the actual file, the strings are much longer.</P>
-<H3><A NAME="15_3_3">Start and test FreeS/WAN</A></H3>
-<P>You can now<A HREF="#starttest"> start FreeS/WAN and test whether
- it's been successfully installed.</A>.</P>
-<A NAME="rpminstall"></A>
-<H2><A NAME="15_4">RPM install</A></H2>
-<P>These instructions are for a recent Red Hat with a stock Red Hat
- kernel. We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If
- you're running either, install using your distribution's tools.</P>
-<H3><A NAME="15_4_1">Download RPMs</A></H3>
-<P>Decide which functionality you need:</P>
-<UL>
-<LI>standard FreeS/WAN RPMs. Use these shortcuts:
-<BR>
-<UL>
-<LI>(for 2.6 kernels: userland only)
-<BR> ncftpget
- ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/\*userland*
-</LI>
-<LI>(for 2.4 kernels)
-<BR> ncftpget
- ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r
- | tr -d 'a-wy-z'`/\*</LI>
-<LI> or view all the offerings at our<A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs">
- FTP site</A>.</LI>
-</UL>
-</LI>
-<LI>unofficial<A href="http://www.freeswan.ca/download.php"> Super
- FreeS/WAN</A> RPMs, which include Andreas Steffen's X.509 patch and
- more. Super FreeS/WAN RPMs do not currently include<A HREF="#NAT.gloss">
- Network Address Translation</A> (NAT) traversal, but Super FreeS/WAN
- source does.</LI>
-</UL>
-<A NAME="2.6.rpm"></A>
-<P>For 2.6 kernels, get the latest FreeS/WAN userland RPM, for example:</P>
-<PRE>    freeswan-userland-2.04.9-0.i386.rpm</PRE>
-<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please
- see<A HREf="2.6.known-issues"> 2.6.known-issues</A>, and the latest<A HREF="http://www.freeswan.org/mail.html">
- mailing list reports</A>.</P>
-<P>Change to your new FreeS/WAN directory, and make and install the</P>
-<P>For 2.4 kernels, get both kernel and userland RPMs. Check your kernel
- version with</P>
-<PRE>    uname -r</PRE>
-<P>Get a kernel module which matches that version. For example:</P>
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<P>Note: These modules<B> will only work on the Red Hat kernel they were
- built for</B>, since they are very sensitive to small changes in the
- kernel.</P>
-<P>Get FreeS/WAN utilities to match. For example:</P>
-<PRE>    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<H3><A NAME="15_4_2">For freeswan.org RPMs: check signatures</A></H3>
-<P>While you're at our ftp site, grab the RPM signing key</P>
-<PRE>    freeswan-rpmsign.asc</PRE>
-<P>If you're running RedHat 8.x or later, import this key into the RPM
- database:</P>
-<PRE>    rpm --import freeswan-rpmsign.asc</PRE>
-<P>For RedHat 7.x systems, you'll need to add it to your<A HREF="#PGP">
- PGP</A> keyring:</P>
-<PRE>    pgp -ka freeswan-rpmsign.asc</PRE>
-<P>Check the digital signatures on both RPMs using:</P>
-<PRE>    rpm --checksig freeswan*.rpm </PRE>
-<P>You should see that these signatures are good:</P>
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK
-    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK</PRE>
-<H3><A NAME="15_4_3">Install the RPMs</A></H3>
-<P>Become root:</P>
-<PRE>    su</PRE>
-<P>For a first time install, use:</P>
-<PRE>    rpm -ivh freeswan*.rpm</PRE>
-<P>To upgrade existing RPMs (and keep all .conf files in place), use:</P>
-<PRE>    rpm -Uvh freeswan*.rpm</PRE>
-<P>If you're upgrading from FreeS/WAN 1.x to 2.x RPMs, and encounter
- problems, see<A HREF="#upgrading.rpms"> this note</A>.</P>
-<H3><A NAME="15_4_4">Start and Test FreeS/WAN</A></H3>
-<P>Now,<A HREF="#starttest"> start FreeS/WAN and test your install</A>.</P>
-<A NAME="srcinstall"></A>
-<H2><A NAME="15_5">Install from Source</A></H2>
-
-<!-- Most of this section, along with "Start and Test", can replace 
-INSTALL. -->
-<H3><A NAME="15_5_1">Decide what functionality you need</A></H3>
-<P>Your choices are:</P>
-<UL>
-<LI><A HREF="ftp://ftp.xs4all.nl/pub/crypto/freeswan">standard FreeS/WAN</A>
-,</LI>
-<LI>standard FreeS/WAN plus any of these<A HREF="#patch"> user-supported
- patches</A>, or</LI>
-<LI><A HREF="http://www.freeswan.ca/download">Super FreeS/WAN</A>, an
- unofficial FreeS/WAN pre-patched with many of the above. Provides
- additional algorithms, X.509, SA deletion, dead peer detection, and<A HREF="#NAT.gloss">
- Network Address Translation</A> (NAT) traversal.</LI>
-</UL>
-<H3><A NAME="15_5_2">Download FreeS/WAN</A></H3>
-<P>Download the source tarball you've chosen, along with any patches.</P>
-<H3><A NAME="15_5_3">For freeswan.org source: check its signature</A></H3>
-<P>While you're at our ftp site, get our source signing key</P>
-<PRE>    freeswan-sigkey.asc</PRE>
-<P>Add it to your PGP keyring:</P>
-<PRE>    pgp -ka freeswan-sigkey.asc</PRE>
-<P>Check the signature using:</P>
-<PRE>    pgp freeswan-2.04.tar.gz.sig freeswan-2.04.tar.gz</PRE>
-<P>You should see something like:</P>
-<PRE>    Good signature from user &quot;Linux FreeS/WAN Software Team (build@freeswan.org)&quot;.
-    Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1</PRE>
-
-<!-- Note to self: build@freeswan.org has angled brackets in the original.
-     Changed because it conflicts with HTML tags. -->
-<H3><A NAME="15_5_4">Untar, unzip</A></H3>
-<P>As root, unpack your FreeS/WAN source into<VAR> /usr/src</VAR>.</P>
-<PRE>    su
-    mv freeswan-2.04.tar.gz /usr/src
-    cd /usr/src
-    tar -xzf freeswan-2.04.tar.gz
-</PRE>
-<H3><A NAME="15_5_5">Patch if desired</A></H3>
-<P>Now's the time to add any patches. The contributor may have special
- instructions, or you may simply use the patch command.</P>
-<H3><A NAME="15_5_6">... and Make</A></H3>
-<P>Choose one of the methods below.</P>
-<H4><A NAME="15_5_6_1">Userland-only Install for 2.6 kernels</A></H4>
-<A NAME="2.6.src"></A>
-<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please
- see<A HREf="2.6.known-issues"> 2.6.known-issues</A>, and the latest<A HREF="http://www.freeswan.org/mail.html">
- mailing list reports</A>.</P>
-<P>Change to your new FreeS/WAN directory, and make and install the
- FreeS/WAN userland tools.</P>
-<PRE>    cd /usr/src/freeswan-2.04
-    make programs
-    make install</PRE>
-<P>Now,<A HREF="#starttest"> start FreeS/WAN and test your install</A>.</P>
-<H4><A NAME="15_5_6_2">KLIPS install for 2.2, 2.4, or 2.6 kernels</A></H4>
-<A NAME="modinstall"></A>
-<P>To make a modular version of KLIPS, along with other FreeS/WAN
- programs you'll need, use the command sequence below. This will change
- to your new FreeS/WAN directory, make the FreeS/WAN module (and other
- stuff), and install it all.</P>
-<PRE>    cd /usr/src/freeswan-2.04
-    make oldmod
-    make minstall</PRE>
-<P><A HREF="#starttest">Start FreeS/WAN and test your install</A>.</P>
-<P>To link KLIPS statically into your kernel (using your old kernel
- settings), and install other FreeS/WAN components, do:</P>
-<PRE>    cd /usr/src/freeswan-2.04
-    make oldmod
-    make minstall</PRE>
-<P>Reboot your system and<A HREF="#testonly"> test your install</A>.</P>
-<P>For other ways to compile KLIPS, see our Makefile.</P>
-<A name="starttest"></A>
-<H2><A NAME="15_6">Start FreeS/WAN and test your install</A></H2>
-<P>Bring FreeS/WAN up with:</P>
-<PRE>    service ipsec start</PRE>
-<P>This is not necessary if you've rebooted.</P>
-<A name="testonly"></A>
-<H2><A NAME="15_7">Test your install</A></H2>
-<P>To check that you have a successful install, run:</P>
-<PRE>    ipsec verify</PRE>
-<P>You should see at least:</P>
-<PRE>
-    Checking your system to see if IPsec got installed and started correctly
-    Version check and ipsec on-path                             [OK]
-    Checking for KLIPS support in kernel                        [OK]
-    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
-    Checking that pluto is running                              [OK]
-</PRE>
-<P>If any of these first four checks fails, see our<A href="#install.check">
- troubleshooting guide</A>.</P>
-<H2><A NAME="15_8">Making FreeS/WAN play well with others</A></H2>
-<P>There are at least a couple of things on your system that might
- interfere with FreeS/WAN, and now's a good time to check these:</P>
-<UL>
-<LI>Firewalling. You need to allow UDP 500 through your firewall, plus
- ESP (protocol 50) and AH (protocol 51). For more information, see our
- updated firewalls document (coming soon).</LI>
-<LI>Network address translation. Do not NAT the packets you will be
- tunneling.</LI>
-</UL>
-<H2><A NAME="15_9">Configure for your needs</A></H2>
-<P>You'll need to configure FreeS/WAN for your local site. Have a look
- at our<A HREF="quickstart.html"> opportunism quickstart guide</A> to
- see if that easy method is right for your needs. Or, see how to<A HREF="config.html">
- configure a network-to-network or Road Warrior style VPN</A>.</P>
-<HR>
-<H1><A NAME="config">How to configure FreeS/WAN</A></H1>
-<P>This page will teach you how to configure a simple network-to-network
- link or a Road Warrior connection between two Linux FreeS/WAN boxes.</P>
-<P>See also these related documents:</P>
-<UL>
-<LI>our<A HREF="#quickstart"> quickstart</A> guide to<A HREF="#carpediem">
- opportunistic encryption</A></LI>
-<LI>our guide to configuration with<A HREF="#policygroups"> policy
- groups</A></LI>
-<LI>our<A HREF="#adv_config"> advanced configuration</A> document</LI>
-</UL>
-<P> The network-to-network setup allows you to connect two office
- networks into one Virtual Private Network, while the Road Warrior
- connection secures a laptop's telecommute to work. Our examples also
- show the basic procedure on the Linux FreeS/WAN side where another
- IPsec peer is in play.</P>
-<P> Shortcut to<A HREF="#config.netnet"> net-to-net</A>.
-<BR> Shortcut to<A HREF="#config.rw"> Road Warrior</A>.</P>
-<H2><A NAME="16_1">Requirements</A></H2>
-<P>To configure the network-to-network connection you must have:</P>
-<UL>
-<LI>two Linux gateways with static IPs</LI>
-<LI>a network behind each gate. Networks must have non-overlapping IP
- ranges.</LI>
-<LI>Linux FreeS/WAN<A HREF="#install"> installed</A> on both gateways</LI>
-<LI><A HREF="http://www.tcpdump.org"><VAR>tcpdump</VAR></A> on the local
- gate, to test the connection</LI>
-</UL>
-<P>For the Road Warrior you need:</P>
-<UL>
-<LI>one Linux box with a static IP</LI>
-<LI>a Linux laptop with a dynamic IP</LI>
-<LI>Linux FreeS/WAN installed on both</LI>
-<LI>for testing,<VAR> tcpdump</VAR> on your gateway or laptop</LI>
-</UL>
-<P>If both IPs are dynamic, your situation is a bit trickier. Your best
- bet is a variation on the<A HREF="#config.rw"> Road Warrior</A>, as
- described in<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00282.html">
- this mailing list message</A>.</P>
-<H2><A name="config.netnet"></A>Net-to-Net connection</H2>
-<H3><A name="netnet.info.ex">Gather information</A></H3>
-<P>For each gateway, compile the following information:</P>
-<UL>
-<LI>gateway IP</LI>
-<LI>IP range of the subnet you will be protecting. This doesn't have to
- be your whole physical subnet.</LI>
-<LI>a name by which that gateway can identify itself for IPsec
- negotiations. Its form is a Fully Qualified Domain Name preceded by an
- @ sign, ie. @xy.example.com.
-<BR> It does not need to be within a domain that you own. It can be a
- made-up name.</LI>
-</UL>
-<H4><A NAME="16_2_1_1">Get your leftrsasigkey</A></H4>
-<P>On your local Linux FreeS/WAN gateway, print your IPsec public key:</P>
-<PRE>    ipsec showhostkey --left</PRE>
-<P>The output should look like this (with the key shortened for easy
- reading):</P>
-<PRE>    # RSA 2048 bits   xy.example.com   Fri Apr 26 15:01:41 2002
-    leftrsasigkey=0sAQOnwiBPt...</PRE>
-<P>Don't have a key? Use<A HREF="manpage.d/ipsec_newhostkey.8.html"><VAR>
- ipsec newhostkey</VAR></A> to create one.</P>
-<H4><A NAME="16_2_1_2">...and your rightrsasigkey</A></H4>
-<P>Get a console on the remote side:</P>
-<PRE>    ssh2 ab.example.com</PRE>
-<P>In that window, type:</P>
-<PRE>    ipsec showhostkey --right</PRE>
-<P>You'll see something like:</P>
-<PRE>    # RSA 2192 bits   ab.example.com   Thu May 16 15:26:20 2002
-    rightrsasigkey=0sAQOqH55O...</PRE>
-<H3><A NAME="16_2_2">Edit<VAR> /etc/ipsec.conf</VAR></A></H3>
-<P>Back on the local gate, copy our template to<VAR> /etc/ipsec.conf</VAR>
-. (on Mandrake,<VAR> /etc/freeswan/ipsec.conf</VAR>). Substitute the
- information you've gathered for our example data.</P>
-<PRE>conn net-to-net
-    left=192.0.2.2                 # Local vitals
-    leftsubnet=192.0.2.128/29      # 
-    leftid=@xy.example.com         #   
-    leftrsasigkey=0s1LgR7/oUM...   #
-    leftnexthop=%defaultroute      # correct in many situations 
-    right=192.0.2.9                # Remote vitals
-    rightsubnet=10.0.0.0/24        #
-    rightid=@ab.example.com        # 
-    rightrsasigkey=0sAQOqH55O...   #
-    rightnexthop=%defaultroute     # correct in many situations
-    auto=add                       # authorizes but doesn't start this 
-                                   # connection at startup</PRE>
-<P> &quot;Left&quot; and &quot;right&quot; should represent the machines that have FreeS/WAN
- installed on them, and &quot;leftsubnet&quot; and &quot;rightsubnet&quot; machines that are
- being protected. /32 is assumed for left/right and left/rightsubnet
- parameters.</P>
-<P>Copy<VAR> conn net-to-net</VAR> to the remote-side /etc/ipsec.conf.
- If you've made no other modifications to either<VAR> ipsec.conf</VAR>,
- simply:</P>
-<PRE>    scp2 ipsec.conf root@ab.example.com:/etc/ipsec.conf</PRE>
-<H3><A NAME="16_2_3">Start your connection</A></H3>
-<P>Locally, type:</P>
-<PRE>    ipsec auto --up net-to-net</PRE>
-<P>You should see:</P>
-<PRE>    104 &quot;net-net&quot; #223: STATE_MAIN_I1: initiate
-    106 &quot;net-net&quot; #223: STATE_MAIN_I2: sent MI2, expecting MR2
-    108 &quot;net-net&quot; #223: STATE_MAIN_I3: sent MI3, expecting MR3
-    004 &quot;net-net&quot; #223: STATE_MAIN_I4: ISAKMP SA established
-    112 &quot;net-net&quot; #224: STATE_QUICK_I1: initiate
-    004 &quot;net-net&quot; #224: STATE_QUICK_I2: sent QI2, IPsec SA established</PRE>
-<P>The important thing is<VAR> IPsec SA established</VAR>. If you're
- unsuccessful, see our<A HREF="#trouble"> troubleshooting tips</A>.</P>
-<H3><A NAME="16_2_4">Do not MASQ or NAT packets to be tunneled</A></H3>
-<P>If you are using<A HREF="#masq"> IP masquerade</A> or<A HREF="#NAT.gloss">
- Network Address Translation (NAT)</A> on either gateway, you must now
- exempt the packets you wish to tunnel from this treatment. For example,
- if you have a rule like:</P>
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
-</PRE>
-<P>change it to something like:</P>
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d \! 192.0.2.128/29 -j MASQUERADE</PRE>
-<P>This may be necessary on both gateways.</P>
-<H3><A NAME="16_2_5">Test your connection</A></H3>
-<P>Sit at one of your local subnet nodes (not the gateway), and ping a
- subnet node on the other (again, not the gateway).</P>
-<PRE>    ping fileserver.toledo.example.com</PRE>
-<P>While still pinging, go to the local gateway and snoop your outgoing
- interface, for example:</P>
-<PRE>    tcpdump -i ppp0</PRE>
-<P>You want to see ESP (Encapsulating Security Payload) packets moving<B>
- back and forth</B> between the two gateways at the same frequency as
- your pings:</P>
-<PRE>    19:16:32.046220 192.0.2.2 &gt; 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x3)
-    19:16:32.085630 192.0.2.9 &gt; 192.0.2.2: ESP(spi=0x5fdd1cf8,seq=0x6)</PRE>
-<P>If you see this, congratulations are in order! You have a tunnel
- which will protect any IP data from one subnet to the other, as it
- passes between the two gates. If not, go and<A HREF="#trouble">
- troubleshoot</A>.</P>
-<P>Note: your new tunnel protects only net-net traffic, not
- gateway-gateway, or gateway-subnet. If you need this (for example, if
- machines on one net need to securely contact a fileserver on the IPsec
- gateway), you'll need to create<A HREF="#adv_config"> extra connections</A>
-.</P>
-<H3><A NAME="16_2_6">Finishing touches</A></H3>
-<P>Now that your connection works, name it something sensible, like:</P>
-<PRE>conn winstonnet-toledonet</PRE>
-<P>To have the tunnel come up on-boot, replace</P>
-<PRE>    auto=add</PRE>
-<P>with:</P>
-<PRE>    auto=start</PRE>
-<P>Copy these changes to the other side, for example:</P>
-<PRE>    scp2 ipsec.conf root@ab.example.com:/etc/ipsec.conf</PRE>
-<P>Enjoy!</P>
-<H2><A name="config.rw"></A>Road Warrior Configuration</H2>
-<H3><A name="rw.info.ex">Gather information</A></H3>
-<P>You'll need to know:</P>
-<UL>
-<LI>the gateway's static IP</LI>
-<LI>the IP range of the subnet behind that gateway</LI>
-<LI>a name by which each side can identify itself for IPsec
- negotiations. Its form is a Fully Qualified Domain Name preceded by an
- @ sign, ie. @road.example.com.
-<BR> It does not need to be within a domain that you own. It can be a
- made-up name.</LI>
-</UL>
-<H4><A NAME="16_3_1_1">Get your leftrsasigkey...</A></H4>
-<P>On your laptop, print your IPsec public key:</P>
-<PRE>    ipsec showhostkey --left</PRE>
-<P>The output should look like this (with the key shortened for easy
- reading):</P>
-<PRE>    # RSA 2192 bits   road.example.com   Sun Jun  9 02:45:02 2002
-    leftrsasigkey=0sAQPIPN9uI...</PRE>
-<P>Don't have a key? See<A HREF="old_config.html#genrsakey"> these
- instructions</A>.</P>
-<H4><A NAME="16_3_1_2">...and your rightrsasigkey</A></H4>
-<P>Get a console on the gateway:</P>
-<PRE>    ssh2 xy.example.com</PRE>
-<P>View the gateway's public key with:</P>
-<PRE>    ipsec showhostkey --right</PRE>
-<P>This will yield something like</P>
-<PRE>    # RSA 2048 bits   xy.example.com   Fri Apr 26 15:01:41 2002
-    rightrsasigkey=0sAQOnwiBPt...</PRE>
-<H3><A NAME="16_3_2">Customize<VAR> /etc/ipsec.conf</VAR></A></H3>
-<P>On your laptop, copy this template to<VAR> /etc/ipsec.conf</VAR>. (on
- Mandrake,<VAR> /etc/freeswan/ipsec.conf</VAR>). Substitute the
- information you've gathered for our example data.</P>
-<PRE>conn road
-    left=%defaultroute             # Picks up our dynamic IP 
-    leftnexthop=%defaultroute      # 
-    leftid=@road.example.com       # Local information
-    leftrsasigkey=0sAQPIPN9uI...   #
-    right=192.0.2.10               # Remote information
-    rightsubnet=10.0.0.0/24        #
-    rightid=@xy.example.com        # 
-    rightrsasigkey=0sAQOnwiBPt...  #
-    auto=add                       # authorizes but doesn't start this
-                                   # connection at startup</PRE>
-<P>The template for the gateway is different. Notice how it reverses<VAR>
- left</VAR> and<VAR> right</VAR>, in keeping with our convention that<STRONG>
- L</STRONG>eft is<STRONG> L</STRONG>ocal,<STRONG> R</STRONG>ight<STRONG>
- R</STRONG>emote. Be sure to switch your rsasigkeys in keeping with
- this.</P>
-<PRE>    ssh2 xy.example.com
-    vi /etc/ipsec.conf</PRE>
-<P>and add:</P>
-<PRE>conn road
-    left=192.0.2.2                 # Gateway's information
-    leftid=@xy.example.com         #
-    leftsubnet=192.0.2.128/29      #
-    leftrsasigkey=0sAQOnwiBPt...   #
-    rightnexthop=%defaultroute     # correct in many situations
-    right=%any                     # Wildcard: we don't know the laptop's IP
-    rightid=@road.example.com      #
-    rightrsasigkey=0sAQPIPN9uI...  #
-    auto=add                       # authorizes but doesn't start this
-                                   # connection at startup</PRE>
-<H3><A NAME="16_3_3">Start your connection</A></H3>
-<P>You must start the connection from the Road Warrior side. On your
- laptop, type:</P>
-<PRE>    ipsec auto --start net-to-net</PRE>
-<P>You should see:</P>
-<PRE>104 &quot;net-net&quot; #223: STATE_MAIN_I1: initiate
-106 &quot;road&quot; #301: STATE_MAIN_I2: sent MI2, expecting MR2
-108 &quot;road&quot; #301: STATE_MAIN_I3: sent MI3, expecting MR3
-004 &quot;road&quot; #301: STATE_MAIN_I4: ISAKMP SA established
-112 &quot;road&quot; #302: STATE_QUICK_I1: initiate
-004 &quot;road&quot; #302: STATE_QUICK_I2: sent QI2, IPsec SA established</PRE>
-<P>Look for<VAR> IPsec SA established</VAR>. If you're unsuccessful, see
- our<A HREF="#trouble"> troubleshooting tips</A>.</P>
-<H3><A NAME="16_3_4">Do not MASQ or NAT packets to be tunneled</A></H3>
-<P>If you are using<A HREF="#masq"> IP masquerade</A> or<A HREF="#NAT.gloss">
- Network Address Translation (NAT)</A> on either gateway, you must now
- exempt the packets you wish to tunnel from this treatment. For example,
- if you have a rule like:</P>
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
-</PRE>
-<P>change it to something like:</P>
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d \! 192.0.2.128/29 -j MASQUERADE</PRE>
-<H3><A NAME="16_3_5">Test your connection</A></H3>
-<P>From your laptop, ping a subnet node behind the remote gateway. Do
- not choose the gateway itself for this test.</P>
-<PRE>    ping ns.winston.example.com</PRE>
-<P>Snoop the packets exiting the laptop, with a command like:</P>
-<PRE>    tcpdump -i wlan0</PRE>
-<P>You have success if you see (Encapsulating Security Payload) packets
- travelling<B> in both directions</B>:</P>
-<PRE>    19:16:32.046220 192.0.2.2 &gt; 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x3)
-    19:16:32.085630 192.0.2.9 &gt; 192.0.2.2: ESP(spi=0x5fdd1cf8,seq=0x6)</PRE>
-<P>If you do, great! Traffic between your Road Warrior and the net
- behind your gateway is protected. If not, see our<A HREF="#trouble">
- troubleshooting hints</A>.</P>
-<P>Your new tunnel protects only traffic addressed to the net, not to
- the IPsec gateway itself. If you need the latter, you'll want to make
- an<A HREF="#adv_config"> extra tunnel.</A>.</P>
-<H3><A NAME="16_3_6">Finishing touches</A></H3>
-<P>On both ends, name your connection wisely, like:</P>
-<PRE>conn mike-to-office</PRE>
-<P><B>On the laptop only,</B> replace</P>
-<PRE>    auto=add</PRE>
-<P>with:</P>
-<PRE>    auto=start</PRE>
-<P>so that you'll be connected on-boot.</P>
-<P>Happy telecommuting!</P>
-<H3><A NAME="16_3_7">Multiple Road Warriors</A></H3>
-<P>If you're using RSA keys, as we did in this example, you can add as
- many Road Warriors as you like. The left/rightid parameter lets Linux
- FreeS/WAN distinguish between multiple Road Warrior peers, each with
- its own public key.</P>
-<P>The situation is different for shared secrets (PSK). During a PSK
- negotiation, ID information is not available at the time Pluto is
- trying to determine which secret to use, so, effectively, you can only
- define one Roadwarrior connection. All your PSK road warriors must
- therefore share one secret.</P>
-<H2><A NAME="16_4">What next?</A></H2>
-<P>Using the principles illustrated here, you can try variations such
- as:</P>
-<UL>
-<LI>a telecommuter with a static IP</LI>
-<LI>a road warrior with a subnet behind it</LI>
-</UL>
-<P>Or, look at some of our<A HREF="#adv_config"> more complex
- configuration examples.</A>.</P>
-<HR>
-<H1><A name="background">Linux FreeS/WAN background</A></H1>
-<P>This section discusses a number of issues which have three things in
- common:</P>
-<UL>
-<LI>They are not specifically FreeS/WAN problems</LI>
-<LI>You may have to understand them to get FreeS/WAN working right</LI>
-<LI>They are not simple questions</LI>
-</UL>
-<P>Grouping them here lets us provide the explanations some users will
- need without unduly complicating the main text.</P>
-<P>The explanations here are intended to be adequate for FreeS/WAN
- purposes (please comment to the<A href="mail.html"> users mailing list</A>
- if you don't find them so), but they are not trying to be complete or
- definitive. If you need more information, see the references provided
- in each section.</P>
-<H2><A name="dns.background">Some DNS background</A></H2>
-<P><A href="#carpediem">Opportunistic encryption</A> requires that the
- gateway systems be able to fetch public keys, and other IPsec-related
- information, from each other's DNS (Domain Name Service) records.</P>
-<P><A href="#DNS">DNS</A> is a distributed database that maps names to
- IP addresses and vice versa.</P>
-<P>Much good reference material is available for DNS, including:</P>
-<UL>
-<LI>the<A href="http://www.linuxdoc.org/HOWTO/DNS-HOWTO.html"> DNS HowTo</A>
-</LI>
-<LI>the standard<A href="#DNS.book"> DNS reference</A> book</LI>
-<LI><A href="http://www.linuxdoc.org/LDP/nag2/index.html">Linux Network
- Administrator's Guide</A></LI>
-<LI><A href="http://www.nominum.com/resources/whitepapers/bind-white-paper.html">
-BIND overview</A></LI>
-<LI><A href="http://www.nominum.com/resources/documentation/Bv9ARM.pdf">
-BIND 9 Administrator's Reference</A></LI>
-</UL>
-<P>We give only a brief overview here, intended to help you use DNS for
- FreeS/WAN purposes.</P>
-<H3><A name="forward.reverse">Forward and reverse maps</A></H3>
-<P>Although the implementation is distributed, it is often useful to
- speak of DNS as if it were just two enormous tables:</P>
-<UL>
-<LI>the forward map: look up a name, get an IP address</LI>
-<LI>the reverse map: look up an IP address, get a name</LI>
-</UL>
-<P>Both maps can optionally contain additional data. For opportunistic
- encryption, we insert the data need for IPsec authentication.</P>
-<P>A system named gateway.example.com with IP address 10.20.30.40 should
- have at least two DNS records, one in each map:</P>
-<DL>
-<DT>gateway.example.com. IN A 10.20.30.40</DT>
-<DD>used to look up the name and get an IP address</DD>
-<DT>40.30.20.10.in-addr.arpa. IN PTR gateway.example.com.</DT>
-<DD>used for reverse lookups, looking up an address to get the
- associated name. Notice that the digits here are in reverse order; the
- actual address is 10.20.30.40 but we use 40.30.20.10 here.</DD>
-</DL>
-<H3><A NAME="17_1_2">Hierarchy and delegation</A></H3>
-<P>For both maps there is a hierarchy of DNS servers and a system of
- delegating authority so that, for example:</P>
-<UL>
-<LI>the DNS administrator for example.com can create entries of the form<VAR>
- name</VAR>.example.com</LI>
-<LI>the example.com admin cannot create an entry for counterexample.com;
- only someone with authority for .com can do that</LI>
-<LI>an admin might have authority for 20.10.in-addr.arpa.</LI>
-<LI>in either map, authority can be delegated
-<UL>
-<LI>the example.com admin could give you authority for
- westcoast.example.com</LI>
-<LI>the 20.10.in-addr.arpa admin could give you authority for
- 30.20.10.in-addr.arpa</LI>
-</UL>
-</LI>
-</UL>
-<P>DNS zones are the units of delegation. There is a hierarchy of zones.</P>
-<H3><A NAME="17_1_3">Syntax of DNS records</A></H3>
-<P>Returning to the example records:</P>
-<PRE>        gateway.example.com. IN A 10.20.30.40
-        40.30.20.10.in-addr.arpa. IN PTR gateway.example.com.</PRE>
-<P>some syntactic details are:</P>
-<UL>
-<LI>the IN indicates that these records are for<STRONG> In</STRONG>
-ternet addresses</LI>
-<LI>The final periods in '.com.' and '.arpa.' are required. They
- indicate the root of the domain name system.</LI>
-</UL>
-<P>The capitalised strings after IN indicate the type of record.
- Possible types include:</P>
-<UL>
-<LI><STRONG>A</STRONG>ddress, for forward lookups</LI>
-<LI><STRONG>P</STRONG>oin<STRONG>T</STRONG>e<STRONG>R</STRONG>, for
- reverse lookups</LI>
-<LI><STRONG>C</STRONG>anonical<STRONG> NAME</STRONG>, records to support
- aliasing, multiple names for one address</LI>
-<LI><STRONG>M</STRONG>ail e<STRONG>X</STRONG>change, used in mail
- routing</LI>
-<LI><STRONG>SIG</STRONG>nature, used in<A href="#SDNS"> secure DNS</A></LI>
-<LI><STRONG>KEY</STRONG>, used in<A href="#SDNS"> secure DNS</A></LI>
-<LI><STRONG>T</STRONG>e<STRONG>XT</STRONG>, a multi-purpose record type</LI>
-</UL>
-<P>To set up for opportunistic encryption, you add some TXT records to
- your DNS data. Details are in our<A href="quickstart.html"> quickstart</A>
- document.</P>
-<H3><A NAME="17_1_4">Cacheing, TTL and propagation delay</A></H3>
-<P>DNS information is extensively cached. With no caching, a lookup by
- your system of &quot;www.freeswan.org&quot; might involve:</P>
-<UL>
-<LI>your system asks your nameserver for &quot;www.freeswan.org&quot;</LI>
-<LI>local nameserver asks root server about &quot;.org&quot;, gets reply</LI>
-<LI>local nameserver asks .org nameserver about &quot;freeswan.org&quot;, gets
- reply</LI>
-<LI>local nameserver asks freeswan.org nameserver about
- &quot;www.freeswan.org&quot;, gets reply</LI>
-</UL>
-<P>However, this can be a bit inefficient. For example, if you are in
- the Phillipines, the closest a root server is in Japan. That might send
- you to a .org server in the US, and then to freeswan.org in Holland. If
- everyone did all those lookups every time they clicked on a web link,
- the net would grind to a halt.</P>
-<P>Nameservers therefore cache information they look up. When you click
- on another link at www.freeswan.org, your local nameserver has the IP
- address for that server in its cache, and no further lookups are
- required.</P>
-<P>Intermediate results are also cached. If you next go to
- lists.freeswan.org, your nameserver can just ask the freeswan.org
- nameserver for that address; it does not need to query the root or .org
- nameservers because it has a cached address for the freeswan.org zone
- server.</P>
-<P>Of course, like any cacheing mechanism, this can create problems of
- consistency. What if the administrator for freeswan.org changes the IP
- address, or the authentication key, for www.freeswan.org? If you use
- old information from the cache, you may get it wrong. On the other
- hand, you cannot afford to look up fresh information every time. Nor
- can you expect the freeswan.org server to notify you; that isn't in the
- protocols.</P>
-<P>The solution that is in the protocols is fairly simple. Cacheable
- records are marked with Time To Live (TTL) information. When the time
- expires, the caching server discards the record. The next time someone
- asks for it, the server fetches a fresh copy. Of course, a server may
- also discard records before their TTL expires if it is running out of
- cache space.</P>
-<P>This implies that there will be some delay before the new version of
- a changed record propagates around the net. Until the TTLs on all
- copies of the old record expire, some users will see it because that is
- what is in their cache. Other users may see the new record immediately
- because they don't have an old one cached.</P>
-<H2><A name="MTU.trouble">Problems with packet fragmentation</A></H2>
-<P>It seems, from mailing list reports, to be moderately common for
- problems to crop up in which small packets pass through the IPsec
- tunnels just fine but larger packets fail.</P>
-<P>These problems are caused by various devices along the way
- mis-handling either packet fragments or<A href="#pathMTU"> path MTU
- discovery</A>.</P>
-<P>IPsec makes packets larger by adding an ESP or AH header. This can
- tickle assorted bugs in fragment handling in routers and firewalls, or
- in path MTU discovery mechanisms, and cause a variety of symptoms which
- are both annoying and, often, quite hard to diagnose.</P>
-<P>An explanation from project technical lead Henry Spencer:</P>
-<PRE>The problem is IP fragmentation; more precisely, the problem is that the
-second, third, etc. fragments of an IP packet are often difficult for
-filtering mechanisms to classify.
-
-Routers cannot rely on reassembling the packet, or remembering what was in
-earlier fragments, because the fragments may be out of order or may even
-follow different routes.  So any general, worst-case filtering decision
-pretty much has to be made on each fragment independently.  (If the router
-knows that it is the only route to the destination, so all fragments
-*must* pass through it, reassembly would be possible... but most routers
-don't want to bother with the complications of that.)
-
-All fragments carry roughly the original IP header, but any higher-level
-header is (for IP purposes) just the first part of the packet data... so
-only the first fragment carries that.  So, for example, on examining the
-second fragment of a TCP packet, you could tell that it's TCP, but not
-what port number it is destined for -- that information is in the TCP
-header, which appears in the first fragment only. 
-
-The result of this classification difficulty is that stupid routers and
-over-paranoid firewalls may just throw fragments away.  To get through
-them, you must reduce your MTU enough that fragmentation will not occur.
-(In some cases, they might be willing to attempt reassembly, but have very
-limited resources to devote to it, meaning that packets must be small and
-fragments few in number, leading to the same conclusion:  smaller MTU.)</PRE>
-<P>In addition to the problem Henry describes, you may also have trouble
- with<A href="#pathMTU"> path MTU discovery</A>.</P>
-<P>By default, FreeS/WAN uses a large<A href="#MTU"> MTU</A> for the
- ipsec device. This avoids some problems, but may complicate others.
- Here's an explanation from Claudia:</P>
-<PRE>Here are a couple of pieces of background information. Apologies if you
-have seen these already. An excerpt from one of my old posts:
-
-    An MTU of 16260 on ipsec0 is usual. The IPSec device defaults to this 
-    high MTU so that it does not fragment incoming packets before encryption 
-    and encapsulation. If after IPSec processing packets are larger than 1500,
-    [ie. the mtu of eth0] then eth0 will fragment them. 
-
-    Adding IPSec headers adds a certain number of bytes to each packet. 
-    The MTU of the IPSec interface refers to the maximum size of the packet
-    before the IPSec headers are added. In some cases, people find it helpful 
-    to set ipsec0's MTU to 1500-(IPSec header size), which IIRC is about 1430.
-
-    That way, the resulting encapsulated packets don't exceed 1500. On most 
-    networks, packets less than 1500 will not need to be fragmented.
-
-and... (from Henry Spencer)
-
-    The way it *ought* to work is that the MTU advertised by the ipsecN
-    interface should be that of the underlying hardware interface, less a
-    pinch for the extra headers needed. 
-
-    Unfortunately, in certain situations this breaks many applications.
-    There is a widespread implicit assumption that the smallest MTUs are 
-    at the ends of paths, not in the middle, and another that MTUs are 
-    never less than 1500.  A lot of code is unprepared to handle paths 
-    where there is an &quot;interior minimum&quot; in the MTU, especially when it's 
-    less than 1500. So we advertise a big MTU and just let the resulting 
-    big packets fragment.
-
-This usually works, but we do get bitten in cases where some intermediate
-point can't handle all that fragmentation.  We can't win on this one.</PRE>
-<P>The MTU can be changed with an<VAR> overridemtu=</VAR> statement in
- the<VAR> config setup</VAR> section of<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf.5</A>.</P>
-<P>For a discussion of MTU issues and some possible solutions using
- Linux advanced routing facilities, see the<A href="http://www.linuxguruz.org/iptables/howto/2.4routing-15.html#ss15.6">
- Linux 2.4 Advanced Routing HOWTO</A>. For a discussion of MTU and NAT
- (Network Address Translation), see<A HREF="http://harlech.math.ucla.edu/services/ipsec.html">
- James Carter's MTU notes</A>.</P>
-<H2><A name="nat.background">Network address translation (NAT)</A></H2>
-<P><STRONG>N</STRONG>etwork<STRONG> A</STRONG>ddress<STRONG> T</STRONG>
-ranslation is a service provided by some gateway machines. Calling it
- NAPT (adding the word<STRONG> P</STRONG>ort) would be more precise, but
- we will follow the widespread usage.</P>
-<P>A gateway doing NAT rewrites the headers of packets it is forwarding,
- changing one or more of:</P>
-<UL>
-<LI>source address</LI>
-<LI>source port</LI>
-<LI>destination address</LI>
-<LI>destination port</LI>
-</UL>
-<P>On Linux 2.4, NAT services are provided by the<A href="http://netfilter.samba.org">
- netfilter(8)</A> firewall code. There are several<A href="http://netfilter.samba.org/documentation/index.html#HOWTO">
- Netfilter HowTos</A> including one on NAT.</P>
-<P>For older versions of Linux, this was referred to as &quot;IP masquerade&quot;
- and different tools were used. See this<A href="http://www.e-infomax.com/ipmasq/">
- resource page</A>.</P>
-<P>Putting an IPsec gateway behind a NAT gateway is not recommended. See
- our<A href="#NAT"> firewalls document</A>.</P>
-<H3><A NAME="17_3_1">NAT to non-routable addresses</A></H3>
-<P>The most common application of NAT uses private<A href="#non-routable">
- non-routable</A> addresses.</P>
-<P>Often a home or small office network will have:</P>
-<UL>
-<LI>one connection to the Internet</LI>
-<LI>one assigned publicly visible IP address</LI>
-<LI>several machines that all need access to the net</LI>
-</UL>
-<P>Of course this poses a problem since several machines cannot use one
- address. The best solution might be to obtain more addresses, but often
- this is impractical or uneconomical.</P>
-<P>A common solution is to have:</P>
-<UL>
-<LI><A href="#non-routable">non-routable</A> addresses on the local
- network</LI>
-<LI>the gateway machine doing NAT</LI>
-<LI>all packets going outside the LAN rewritten to have the gateway as
- their source address</LI>
-</UL>
-<P>The client machines are set up with reserved<A href="#non-routable">
- non-routable</A> IP addresses defined in RFC 1918. The masquerading
- gateway, the machine with the actual link to the Internet, rewrites
- packet headers so that all packets going onto the Internet appear to
- come from one IP address, that of its Internet interface. It then gets
- all the replies, does some table lookups and more header rewriting, and
- delivers the replies to the appropriate client machines.</P>
-<P>As far as anyone else on the Internet is concerned, the systems
- behind the gateway are completely hidden. Only one machine with one IP
- address is visible.</P>
-<P>For IPsec on such a gateway, you can entirely ignore the NAT in:</P>
-<UL>
-<LI><A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></LI>
-<LI>firewall rules affecting your Internet-side interface</LI>
-</UL>
-<P>Those can be set up exactly as they would be if your gateway had no
- other systems behind it.</P>
-<P>You do, however, have to take account of the NAT in firewall rules
- which affect packet forwarding.</P>
-<H3><A NAME="17_3_2">NAT to routable addresses</A></H3>
-<P>NAT to routable addresses is also possible, but is less common and
- may make for rather tricky routing problems. We will not discuss it
- here. See the<A href="http://netfilter.samba.org/documentation/index.html#HOWTO">
- Netfilter HowTos</A>.</P>
-<HR>
-<H1><A name="user.examples">FreeS/WAN script examples</A></H1>
- This file is intended to hold a collection of user-written example
- scripts or configuration files for use with FreeS/WAN.
-<P> So far it has only one entry.</P>
-<H2><A name="poltorak">Poltorak's Firewall script</A></H2>
-<PRE>
-From: Poltorak Serguei &lt;poltorak@dataforce.net&gt;
-Subject: [Users] Using FreeS/WAN
-Date: Tue, 16 Oct 2001
-
-Hello.
-
-I'm using FreeS/WAN IPsec for half a year. I learned a lot of things about
-it and I think it would be interesting for someone to see the result of my
-experiments and usage of FreeS/WAN. If you find a mistake in this
-file, please e-mail me. And excuse me for my english... I'm learning.. :)
-
-I'll talk about vary simple configuration:
-
-addresses prefix = 192.168
-
-    lan1          sgw1     .0.0/24 (Internet)       sgw2            lan2
-  .1.0/24---[ .1.1 ; .0.1 ]===================[ .0.10 ; . 2.10 ]---.2.0/24
-
-
-We need to let lan1 see lan2 across Internet like it is behind sgw1. The
-same for lan2. And we need to do IPX bridge for Novel Clients and NDS
-synchronization.
-
-my config:
-------------------- ipsec.conf -------------------
-conn lan1-lan2
-        type=tunnel
-        compress=yes
-        #-------------------
-        left=192.168.0.1
-        leftsubnet=192.168.1.0/24
-        #-------------------
-        right=192.168.0.10
-        rightsubnet=192.168.2.0/24
-        #-------------------
-        auth=esp
-        authby=secret
---------------- end of ipsec.conf ----------------
-
-ping .2.x from .1.y   (y != 1)
-It works?? Fine. Let's continue...
-
-Why y != 1 ?? Because kernel of sgw1 have 2 IP addresses and it will choose
-the first IP (which is used to go to Internet) .0.1 and the packet won't go
-through IPsec tunnel :(  But if do ping on .1.1 kernel will respond from
-that address (.1.1) and the packet will be tunneled. The same problem occurred then
-.2.x sends a packet to .1.2 which is down at the moment. What happens? .1.1
-sends ARP requesting .1.2... after 3 tries it send to .2.x an destunreach,
-but from his &quot;natural&quot; IP or .0.1 . So the error message won't be delivered!
-It's a big problem...
-
-Resolution... One can manipulate with ipsec0 or ipsec0:0 to solve the
-problem (if ipsec0 has .1.1 kernel will send packets correctly), but there
-are powerful and elegant iproute2 :) We simply need to change source address
-of packet that goes to other secure lan. This is done with
-
-ip route replace 192.168.2.0/24 via 192.168.0.10 dev ipsec0 src 192.168.1.1
-
-Cool!! Now it works!!
-
-The second step. We want install firewall on sgw1 and sgw2. Encryption of 
-traffic without security isn't a good idea. I don't use {left|right}firewall, 
-because I'm running firewall from init scripts.
-
-We want IPsec data between lan1-lan2, some ICMP errors (destination
-unreachable, TTL exceeded, parameter problem and source quench), replying on 
-pings from both lans and Internet, ipxtunnel data for IPX and of course SSH
-between sgw1 and sgw2 and from/to one specified host.
-
-I'm using ipchains. With iptables there are some changes.
-
----------------- rc.firewall ---------------------
-#!/bin/sh
-#
-# Firewall for IPsec lan1-lan2
-#
-
-IPC=/sbin/ipchains
-ANY=0.0.0.0/0
-
-# left
-SGW1_EXT=192.168.0.1
-SGW1_INT=192.168.1.1
-LAN1=192.168.1.0/24
-
-# right
-SGW2_EXT=192.168.0.10
-SGW2_INT=192.168.2.10
-LAN2=192.168.2.0/24
-
-# SSH from and to this host
-SSH_PEER_HOST=_SOME_HOST_
-
-# this is for left. exchange these values for right.
-MY_EXT=$SGW1_EXT
-MY_INT=$SGW1_INT
-PEER_EXT=$SGW2_EXT
-PEER_INT=$SGW2_INT
-INT_IF=eth1
-EXT_IF=eth0
-IPSEC_IF=ipsec0
-MY_LAN=$LAN1
-PEER_LAN=$LAN2
-
-$IPC -F
-$IPC -P input DENY
-$IPC -P forward DENY
-$IPC -P output DENY
-
-# Loopback traffic
-$IPC -A input -i lo -j ACCEPT
-$IPC -A output -i lo -j ACCEPT
-
-# for IPsec SGW1-SGW2
-## IKE
-$IPC -A input -p udp -s $PEER_EXT 500 -d $MY_EXT 500 -i $EXT_IF -j ACCEPT
-$IPC -A output -p udp -s $MY_EXT 500 -d $PEER_EXT 500 -i $EXT_IF -j ACCEPT
-## ESP
-$IPC -A input -p 50 -s $PEER_EXT -d $MY_EXT -i $EXT_IF -j ACCEPT
-### we don't need this line ### $IPC -A output -p 50 -s $MY_EXT -d $PEER_EXT -i $EXT_IF -j ACCEPT
-## forward LAN1-LAN2
-$IPC -A forward -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
-$IPC -A forward -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
-$IPC -A output -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
-$IPC -A input -s $PEER_LAN -d $MY_LAN -i $IPSEC_IF -j ACCEPT
-$IPC -A input -s $MY_LAN -d $PEER_LAN -i $INT_IF -j ACCEPT
-$IPC -A output -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
-
-# ICMP
-#
-## Dest unreachable
-### from/to Internet
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Source quench
-### from/to Internet
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Parameter problem
-### from/to Internet
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Time To Live exceeded
-### from/to Internet
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### to Lan
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### to Peer Lan
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-
-# ICMP PINGs
-## from Internet
-$IPC -A input -p icmp -s $ANY -d $MY_EXT --icmp-type echo-request  -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_EXT -d $ANY --icmp-type echo-reply  -i $EXT_IF -j ACCEPT
-## from LAN
-$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply  -i $INT_IF -j ACCEPT
-## from Peer LAN
-$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply  -i $IPSEC_IF -j ACCEPT
-
-# SSH
-## from SSH_PEER_HOST
-$IPC -A input -p tcp -s $SSH_PEER_HOST -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $SSH_PEER_HOST -i $EXT_IF -j ACCEPT
-## to SSH_PEER_HOST
-$IPC -A input -p tcp \! -y -s $SSH_PEER_HOST 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp -s $MY_EXT -d $SSH_PEER_HOST 22 -i $EXT_IF -j ACCEPT
-## from PEER
-$IPC -A input -p tcp -s $PEER_EXT -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $PEER_EXT -i $EXT_IF -j ACCEPT
-## to PEER
-$IPC -A input -p tcp \! -y -s $PEER_EXT 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp -s $MY_EXT -d $PEER_EXT 22 -i $EXT_IF -j ACCEPT
-
-# ipxtunnel
-$IPC -A input -p udp -s $PEER_INT 2005 -d $MY_INT 2005 -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p udp -s $MY_INT 2005 -d $PEER_INT 2005 -i $IPSEC_IF -j ACCEPT
-
----------------- end of rc.firewall ----------------------
-
-To understand this we need to look on this scheme:
-
-           ++-----------------------&lt;----------------------------+
-           || ipsec0                                             |
-           \/                                                    |
- eth0  +--------+    /---------/ yes  /---------/ yes +-----------------------+
-------&gt;| INPUT  |--&gt;/ ?local? /-----&gt;/ ?IPsec? /-----&gt;| decrypt decapsulate |
- eth1  +--------+  /---------/      /---------/       +-----------------------+
-                       || no            || no
-                       \/               \/
-                  +----------+      +---------+        +-------+
-                  | routing  |      |  local  |        | local |
-                  | decision |      | deliver |        | send  |
-                  +----------+      +---------+        +-------+
-                       ||                                 ||
-                       \/                                 \/
-                   +---------+                       +----------+
-                   | forward |                       | routing  |
-                   +---------+                       | decision |
-                       ||                            +----------+
-                       ||                                  ||
-                       ++----------------&lt;-----------------++
-                       ||
-                       \/
-                   +--------+ eth0
-                   | OUTPUT | eth1
-                   +--------+ ipsec0
-                       ||
-                       \/
-                   /---------/ yes +-----------------------+
-                  / ?IPsec? /-----&gt;| encrypt encapsulate |
-                 /---------/       +-----------------------+
-                      || no                    ||
-                      ||                       ||
-                      ||                       \/   eth0, eth1
-                      ++-----------------------++--------------&gt;
-
-This explain how a packet traverse TCP/IP stack in IPsec capable kernel.
-
-FIX ME, please, if there are any errors
-
-Test the new firewall now.
-
-
-Now about IPX. I tried 3 programs for tunneling IPX: tipxd, SIB and ipxtunnel
-
-tipxd didn't send packets.. :(
-SIB and ipxtunnel worked fine :)
-With ipxtunnel there was a little problem. In sources there are an error.
-
---------------------- in main.c ------------------------
-&lt;       bytes += p.len;
----
-&gt;       bytes += len;
---------------------------------------------------------
-
-After this FIX everything goes right...
-
-------------------- /etc/ipxtunnel.conf ----------------
-port    2005
-remote  192.168.101.97    2005
-interface eth1
---------------- end of /etc/ipxtunnel.conf -------------
-
-I use IPX tunnel between .1.1 and .2.10 so we don't need to encrypt nor
-authenticate encapsulated IPX packets, it is done with IPsec.
-
-If you don't wont to use iproute2 to change source IP you need to use SIB
-(it is able to bind local address) or establish tunnel between .0.1 and
-.0.10 (external IPs, you need to do encryption in the program, but it isn't
-strong).
-
-For now I'm using ipxtunnel.
-
-I think that's all for the moment. If there are any error, please e-mail me: 
-poltorak@df.ru . It would be cool if someone puts the scheme of TCP/IP in
-kernel and firewall example on FreeS/WAN's manual pages.
-
-PoltoS
-</PRE>
-<HR>
-<H1><A name="makecheck">How to configure to use &quot;make check&quot;</A></H1>
-<H2><A NAME="19_1">What is &quot;make check&quot;</A></H2>
-<P> &quot;make check&quot; is a target in the top level makefile. It takes care of
- running a number of unit and system tests to confirm that FreeSWAN has
- been compiled correctly, and that no new bugs have been introduced.</P>
-<P> As FreeSWAN contains both kernel and userspace components, doing
- testing of FreeSWAN requires that the kernel be simulated. This is
- typically difficult to do as a kernel requires that it be run on bare
- hardware. A technology has emerged that makes this simpler. This is<A HREF="http://user-mode-linux.sourceforge.net">
- User Mode Linux</A>.</P>
-<P> User-Mode Linux is a way to build a Linux kernel such that it can
- run as a process under another Linux (or in the future other) kernel.
- Presently, this can only be done for 2.4 guest kernels. The host kernel
- can be 2.2 or 2.4.</P>
-<P> &quot;make check&quot; expects to be able to build User-Mode Linux kernels
- with FreeSWAN included. To do this it needs to have some files
- downloaded and extracted prior to running &quot;make check&quot;. This is
- described in the<A HREF="umltesting.html"> UML testing</A> document.</P>
-<P> After having run the example in the UML testing document and
- successfully brought up the four machine combination, you are ready to
- use &quot;make check&quot;</P>
-<H2><A NAME="19_2">Running &quot;make check&quot;</A></H2>
-<P> &quot;make check&quot; works by walking the FreeSWAN source tree invoking the
- &quot;check&quot; target at each node. At present there are tests defined only
- for the <CODE>klips</CODE> directory. These tests will use the UML
- infrastructure to test out pieces of the <CODE>klips</CODE> code.</P>
-<P> The results of the tests can be recorded. If the environment
- variable <CODE>$REGRESSRESULTS</CODE> is non-null, then the results of
- each test will be recorded. This can be used as part of a nightly
- regression testing system, see<A HREF="nightly.html"> Nightly testing</A>
- for more details.</P>
-<P> &quot;make check&quot; otherwise prints a minimal amount of output for each
- test, and indicates pass/fail status of each test as they are run.
- Failed tests do not cause failure of the target in the form of exit
- codes.</P>
-<H1><A NAME="20">How to write a &quot;make check&quot; test</A></H1>
-<H2><A NAME="20_1">Structure of a test</A></H2>
-<P> Each test consists of a set of directories under <CODE>testing/</CODE>
-. There are directories for <CODE>klips</CODE>, <CODE>pluto</CODE>, <CODE>
-packaging</CODE> and <CODE>libraries</CODE>. Each directory has a list
- of tests to run is stored in a file called <CODE>TESTLIST</CODE> in
- that directory. e.g. <CODE>testing/klips/TESTLIST</CODE>.</P>
-<H2 NAME="TESTLIST"><A NAME="20_2">The TESTLIST</A></H2>
-<P> This isn't actually a shell script. It just looks like one. Some
- tools other than /bin/sh process it. Lines that start with # are
- comments.</P>
-<PRE>
-# test-kind     directory-containing-test       expectation     [PR#]
-</PRE>
-<P>The first word provides the test type, detailed below.</P>
-<P> The second word is the name of the test to run. This the directory
- in which the test case is to be found..</P>
-<P>The third word may be one of:</P>
-<DL>
-<DT> blank/good</DT>
-<DD>the test is believed to function, report failure</DD>
-<DT> bad</DT>
-<DD> the test is known to fail, report unexpected success</DD>
-<DT> suspended</DT>
-<DD> the test should not be run</DD>
-</DL>
-<P> The fourth word may be a number, which is a PR# if the test is
- failing.</P>
-<H2><A NAME="20_3">Test kinds</A></H2>
- The test types are:
-<DL>
-<DT>skiptest</DT>
-<DD>means run no test.</DD>
-<DT>ctltest</DT>
-<DD>means run a single system without input/output.</DD>
-<DT>klipstest</DT>
-<DD>means run a single system with input/output networks</DD>
-<DT><A HREF="#umlplutotest">umlplutotest</A></DT>
-<DD>means run a pair of systems</DD>
-<DT><A HREF="#umlXhost">umlXhost</A></DT>
-<DD>run an arbitrary number of systems</DD>
-<DT>suntest (TBD)</DT>
-<DD>means run a quad of east/west/sunrise/sunset</DD>
-<DT>roadtest (TBD)</DT>
-<DD>means run a trio of east-sunrise + warrior</DD>
-<DT>extrudedtest (TBD)</DT>
-<DD>means run a quad of east-sunrise + warriorsouth + park</DD>
-<DT>mkinsttest</DT>
-<DD>a test of the &quot;make install&quot; machinery.</DD>
-<DT>kernel_test_patch</DT>
-<DD>a test of the &quot;make kernelpatch&quot; machinery.</DD>
-</DL>
- Tests marked (TBD) have yet to be fully defined.
-<P> Each test directory has a file in it called <CODE>testparams.sh</CODE>
-. This file sets a number of environment variables to define the
- parameters of the test.</P>
-<H2><A NAME="20_4">Common parameters</A></H2>
-<DL>
-<DT>TESTNAME</DT>
-<DD>the name of the test (repeated for checking purposes)</DD>
-<DT>TEST_TYPE</DT>
-<DD>the type of the test (repeat of type type above)</DD>
-<DT>TESTHOST</DT>
-<DD>the name of the UML machine to run for the test, typically &quot;east&quot; or
- &quot;west&quot;</DD>
-<DT>TEST_PURPOSE</DT>
-<DD>The purpose of the test is one of:
-<DL>
-<DT>goal</DT>
-<DD>The goal purpose is where a test is defined for code that is not yet
- finished. The test indicates when the goals have in fact been reached.</DD>
-<DT>regress</DT>
-<DD>This is a test to determine that a previously existing bug has been
- repaired. This test will initially be created to reproduce the bug in
- isolation, and then the bug will be fixed.</DD>
-<DT>exploit</DT>
-<DD>This is a set of packets/programs that causes a vulnerability to be
- exposed. It is a specific variation of the regress option.</DD>
-</DL>
-</DD>
-<DT>TEST_GOAL_ITEM</DT>
-<DT></DT>
-<DD>in the case of a goal test, this is a reference to the requirements
- document</DD>
-<DT>TEST_PROB_REPORT</DT>
-<DD>in the case of regression test, this the problem report number from
- GNATS</DD>
-<DT>TEST_EXPLOIT_URL</DT>
-<DD>in the case of an exploit, this is a URL referencing the paper
- explaining the origin of the test and the origin of exploit software</DD>
-<DT>REF_CONSOLE_OUTPUT</DT>
-<DD>a file in the test directory that contains the sanitized console
- output against which to compare the output of the actual test.</DD>
-<DT>REF_CONSOLE_FIXUPS</DT>
-<DD>a list of scripts (found in <CODE>klips/test/fixups</CODE>) to apply
- to sanitize the console output of the machine under test. These are
- typically perl, awk or sed scripts that remove things in the kernel
- output that change each time the test is run and/or compiled.</DD>
-<DT>INIT_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode prior to starting the tests. This file will usually
- set up any eroute's and SADB entries that are required for the test.</P>
-<P>Lines beginning with # are skipped. Blank lines are skipped.
- Otherwise, a shell prompted is waited for each time (consisting of <CODE>
-\n#</CODE>) and then the command is sent. Note that the prompt is waited
- for before the command and not after, so completion of the last command
- in the script is not required. This is often used to invoke a program
- to monitor the system, e.g. <CODE>ipsec pf_key</CODE>.</P>
-</DD>
-<DT>RUN_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode, before the packets are sent. On single machine tests,
- this script doesn't provide any more power than INIT_SCRIPT, but is
- implemented for consistency's sake.</P>
-</DD>
-<DT>FINAL_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode after the final packet is sent. Similar to
- INIT_SCRIPT, above. If not specified, then the single command &quot;halt&quot; is
- sent. If specified, then the script should end with a halt command to
- nicely shutdown the UML.</P>
-</DD>
-<DT>CONSOLEDIFFDEBUG</DT>
-<DD>If set to &quot;true&quot; then the series of console fixups (see
- REF_CONSOLE_FIXUPS) will be output after it is constructed. (It should
- be set to &quot;false&quot;, or unset otherwise)</DD>
-<DT>NETJIGDEBUG</DT>
-<DD>If set to &quot;true&quot; then the series of console fixups (see
- REF_CONSOLE_FIXUPS) will be output after it is constructed. (It should
- be set to &quot;false&quot;, or unset otherwise)</DD>
-<DT>NETJIGTESTDEBUG</DT>
-<DD> If set to &quot;netjig&quot;, then the results of talking to the <CODE>
-uml_netjig</CODE> will be printed to stderr during the test. In
- addition, the jig will be invoked with --debug, which causes it to log
- its process ID, and wait 60 seconds before continuing. This can be used
- if you are trying to debug the <CODE>uml_netjig</CODE> program itself.</DD>
-<DT>HOSTTESTDEBUG</DT>
-<DD> If set to &quot;hosttest&quot;, then the results of taling to the consoles of
- the UMLs will be printed to stderr during the test.</DD>
-<DT>NETJIGWAITUSER</DT>
-<DD> If set to &quot;waituser&quot;, then the scripts will wait forever for user
- input before they shut the tests down. Use this is if you are debugging
- through the kernel.</DD>
-<DT>PACKETRATE</DT>
-<DD> A number, in miliseconds (default is 500ms) at which packets will
- be replayed by the netjig.</DD>
-</DL>
-<H2><A NAME="20_5">KLIPStest paramaters</A></H2>
-<P> The klipstest function starts a program (<CODE>
-testing/utils/uml_netjig/uml_netjig</CODE>) to setup a bunch of I/O
- sockets (that simulate network interfaces). It then exports the
- references to these sockets to the environment and invokes (using
- system()) a given script. It waits for the script to finish.</P>
-
-<!-- <IMG SRC="single_netjig.png" ALT="block diagram of uml_netjig"> -->
-<P> The script invoked (<CODE>testing/utils/host-test.tcl</CODE>) is a
- TCL<A HREF="http://expect.nist.gov/"> expect</A> script that arranges
- to start the UML and configure it appropriately for the test. The
- configuration is done with the script given above for<VAR> INIT_SCRIPT</VAR>
-. The TCL script then forks, leaves the UML in the background and exits.
- uml_netjig continues. It then starts listening to the simulated network
- answering ARPs and inserting packets as appropriate.</P>
-<P> The klipstest function invokes <CODE>uml_netjig</CODE> with
- arguments to capture output from network interface(s) and insert
- packets as appropriate:</P>
-<DL>
-<DT>PUB_INPUT</DT>
-<DD>a<A HREF="http://www.tcpdump.org/"> pcap</A> file to feed in on the
- public (encrypted) interface. (typically, eth1)</DD>
-<DT>PRIV_INPUT</DT>
-<DD>a pcap file to feed in on the private (plain-text) interface
- (typically, eth0).</DD>
-<DT>REF_PUB_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the public (eth1)
- interface are captured to a<A HREF="http://www.tcpdump.org/"> pcap</A>
- file by <CODE>uml_netjig</CODE>. The klipstest function then uses
- tcpdump on the file to produce text output, which is compared to the
- file given.</DD>
-<DT>REF_PUB_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-<DT>REF_PRIV_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the private (eth0)
- interface are captured and compared after conversion by tcpdump, as
- with<VAR> REFPUBOUTPUT</VAR>.</DD>
-<DT>REF_PRIV_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-<DT>EXITONEMPTY</DT>
-<DD>a flag for <CODE>uml_netjig</CODE>. It should contain
- &quot;--exitonempty&quot; of uml_netjig should exit when all of the input (<VAR>
-PUBINPUT</VAR>,<VAR>PRIVINPUT</VAR>) packets have been injected.</DD>
-<DT>ARPREPLY</DT>
-<DD>a flag for <CODE>uml_netjig</CODE>. It should contain &quot;--arpreply&quot;
- if <CODE>uml_netjig</CODE> should reply to ARP requests. One will
- typically set this to avoid having to fudge the ARP cache manually.</DD>
-<DT>TCPDUMPFLAGS</DT>
-<DD>a set of flags for the tcpdump used when converting captured output.
- Typical values will include &quot;-n&quot; to turn off DNS, and often &quot;-E&quot; to set
- the decryption key (tcpdump 3.7.1 and higher only) for ESP packets. The
- &quot;-t&quot; flag (turn off timestamps) is provided automatically</DD>
-<DT>NETJIG_EXTRA</DT>
-<DD>additional comments to be sent to the netjig. This may arrange to
- record or create additional networks, or may toggle options.</DD>
-</DL>
-<H2><A NAME="20_6">mkinsttest paramaters</A></H2>
-<P> The basic concept of the <CODE>mkinsttest</CODE> test type is that
- it performs a &quot;make install&quot; to a temporary $DESTDIR. The resulting
- tree can then be examined to determine if it was done properly. The
- files can be uninstalled to determine if the file list was correct, or
- the contents of files can be examined more precisely.</P>
-<DL>
-<DT>INSTALL_FLAGS</DT>
-<DD>If set, then an install will be done. This provides the set of flags
- to provide for the install. The target to be used (usually &quot;install&quot;)
- must be among the flags.</DD>
-<DT>POSTINSTALL_SCRIPT</DT>
-<DD>If set, a script to run after initial &quot;make install&quot;. Two arguments
- are provided: an absolute path to the root of the FreeSWAN src tree,
- and an absolute path to the temporary installation area.</DD>
-<DT>INSTALL2_FLAGS</DT>
-<DD>If set, a second install will be done using these flags. Similarly
- to INSTALL_FLAGS, the target must be among the flags.</DD>
-<DT>UNINSTALL_FLAGS</DT>
-<DD>If set, an uninstall will be done using these flags. Similarly to
- INSTALL_FLAGS, the target (usually &quot;uninstall&quot;) must be among the
- flags.</DD>
-<DT>REF_FIND_f_l_OUTPUT</DT>
-<DD>If set, a <CODE>find $ROOT ( -type f -or -type -l )</CODE> will be
- done to get a list of a real files and symlinks. The resulting file
- will be compared to the file listed by this option.</DD>
-<DT>REF_FILE_CONTENTS</DT>
-<DD>If set, it should point to a file containing records for the form:
-<PRE>
-  
-<!--VARIABLE-->
-reffile</(null)>   
-<!--VARIABLE-->
-samplefile</(null)>
-</PRE>
- one record per line. A diff between the provided reference file, and
- the sample file (located in the temporary installation root) will be
- done for each record.</DD>
-</DL>
-<H2><A NAME="20_7">rpm_build_install_test paramaters</A></H2>
-<P> The <CODE>rpm_build_install_test</CODE> type is to verify that the
- proper packing list is produced by &quot;make rpm&quot;, and that the mechanisms
- for building the kernel modules produce consistent results.</P>
-<DL>
-<DT>RPM_KERNEL_SOURCE</DT>
-<DD>Point to an extracted copy of the RedHat kernel source code.
- Variables from the environment may be used.</DD>
-<DT>REF_RPM_CONTENTS</DT>
-<DD>This is a file containing one record per line. Each record consists
- of a RPM name (may contain wildcards) and a filename to compare the
- contents to. The RPM will be located and a file list will be produced
- with rpm2cpio.</DD>
-</DL>
-<H2><A NAME="20_8">libtest paramaters</A></H2>
-<P> The libtest test is for testing library routines. The library file
- is expected to provided an <CODE>#ifdef</CODE> by the name of<VAR>
- library</VAR>
-<!--CODE_MAIN</CODE-->
-. The libtest type invokes the C compiler to compile this
- file, links it against <CODE>libfreeswan.a</CODE> (to resolve any other
- dependancies) and runs the test with the <CODE>-r</CODE> argument to
- invoke a regression test.</(null)></P>
-<P>The library test case is expected to do a self-test, exiting with
- status code 0 if everything is okay, and with non-zero otherwise. A
- core dump (exit code greater than 128) is noted specifically.</P>
-<P> Unlike other tests, there are no subdirectories required, or other
- parameters to set.</P>
-<H2 NAME="umlplutotest"><A NAME="20_9">umlplutotest paramaters</A></H2>
-<P> The umlplutotest function starts a pair of user mode line processes.
- This is a 2-host version of umlXhost. The &quot;EAST&quot; and &quot;WEST&quot; slots are
- defined.</P>
-<H2 NAME="umlXhost"><A NAME="20_10">umlXhost parameters</A></H2>
-<P> The umlXtest function starts an arbitrary number of user mode line
- processes.</P>
-
-<!-- <IMG SRC="single_netjig.png" ALT="block diagram of uml_netjig"> -->
-<P> The script invoked (<CODE>testing/utils/Xhost-test.tcl</CODE>) is a
- TCL<A HREF="http://expect.nist.gov/"> expect</A> script that arranges
- to start each UML and configure it appropriately for the test. It then
- starts listening (using uml_netjig) to the simulated network answering
- ARPs and inserting packets as appropriate.</P>
-<P> umlXtest has a series of slots, each of which should be filled by a
- host. The list of slots is controlled by the variable, XHOST_LIST. This
- variable should be set to a space seperated list of slots. The former
- umlplutotest is now implemented as a variation of the umlXhost test,
- with XHOST_LIST=&quot;EAST WEST&quot;.</P>
-<P> For each host slot that is defined, a series of variables should be
- filled in, defining what configuration scripts to use for that host.</P>
-<P> The following are used to control the console input and output to
- the system. Where the string ${host} is present, the host slot should
- be filled in. I.e. for the two host system with XHOST_LIST=&quot;EAST WEST&quot;,
- then the variables: EAST_INIT_SCRIPT and WEST_INIT_SCRIPT will exist.</P>
-<DL>
-<DT>${host}HOST</DT>
-<DD>The name of the UML host which will fill this slot</DD>
-<DT>${host}_INIT_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode prior to starting the tests. This file will usually
- set up any eroute's and SADB entries that are required for the test.
- Similar to INIT_SCRIPT, above.</P>
-</DD>
-<DT>${host}_RUN_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode, before the packets are sent. This set of commands is
- run after all of the virtual machines are initialized. I.e. after
- EAST_INIT_SCRIPT<B> AND</B> WEST_INIT_SCRIPT. This script can therefore
- do things that require that all machines are properly configured.</P>
-</DD>
-<DT>${host}_RUN2_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode, after the packets are sent. This set of commands is
- run before any of the virtual machines have been shut down. (I.e.
- before EAST_FINAL_SCRIPT<B> AND</B> WEST_FINAL_SCRIPT.) This script can
- therefore catch post-activity status reports.</P>
-</DD>
-<DT>${host}_FINAL_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode after the final packet is sent. Similar to
- INIT_SCRIPT, above. If not specified, then the single command &quot;halt&quot; is
- sent. Note that when this script is run, the other virtual machines may
- already have been killed. If specified, then the script should end with
- a halt command to nicely shutdown the UML.</P>
-</DD>
-<DT>REF_${host}_CONSOLE_OUTPUT</DT>
-<DD>Similar to REF_CONSOLE_OUTPUT, above.</DD>
-</DL>
-<P>Some additional flags apply to all hosts:</P>
-<DL>
-<DT>REF_CONSOLE_FIXUPS</DT>
-<DD>a list of scripts (found in <CODE>klips/test/fixups</CODE>) to apply
- to sanitize the console output of the machine under test. These are
- typically perl, awk or sed scripts that remove things in the kernel
- output that change each time the test is run and/or compiled.</DD>
-</DL>
-<P> In addition to input to the console, the networks may have input fed
- to them:</P>
-<DL>
-<DT>EAST_INPUT/WEST_INPUT</DT>
-<DD>a<A HREF="http://www.tcpdump.org/"> pcap</A> file to feed in on the
- private network side of each network. The &quot;EAST&quot; and &quot;WEST&quot; here refer
- to the networks, not the hosts.</DD>
-<DT>REF_PUB_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-<DT>REF_EAST_FILTER/REF_WEST_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-&lt;
-<DT>TCPDUMPFLAGS</DT>
-<DD>a set of flags for the tcpdump used when converting captured output.
- Typical values will include &quot;-n&quot; to turn off DNS, and often &quot;-E&quot; to set
- the decryption key (tcpdump 3.7.1 and higher only) for ESP packets. The
- &quot;-t&quot; flag (turn off timestamps) is provided automatically</DD>
-<DT>REF_EAST_OUTPUT/REF_WEST_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the private (eth0)
- interface are captured and compared after conversion by tcpdump, as
- with<VAR> REF_PUB_OUTPUT</VAR>.</DD>
-<P> There are two additional environment variables that may be set on
- the command line:</P>
-<DL>
-<DT> NETJIGVERBOSE=verbose export NETJIGVERBOSE</DT>
-<DD> If set, then the test output will be &quot;chatty&quot;, and let you know
- what commands it is running, and as packets are sent. Without it set,
- the output is limited to success/failure messages.</DD>
-<DT> NETJIGTESTDEBUG=netjig export NETJIGTESTDEBUG</DT>
-<DD> This will enable debugging of the communication with uml_netjig,
- and turn on debugging in this utility. This does not imply
- NETJIGVERBOSE.</DD>
-</DL>
-<DT> HOSTTESTDEBUG=hosttest export HOSTTESTDEBUG</DT>
-<DD> This will show all interactions with the user-mode-linux consoles</DD>
-</DL>
-<H2 NAME="kernelpatch"><A NAME="20_11">kernel_patch_test paramaters</A></H2>
-<P> The kernel_patch_test function takes some kernel source, copies it
- with lndir, and then applies the patch as produced by &quot;make
- kernelpatch&quot;.</P>
-<P> The following are used to control the input and output to the
- system:</P>
-<DL>
-<DT>KERNEL_NAME</DT>
-<DD>the kernel name, typically something like &quot;linus&quot; or &quot;rh&quot;</DD>
-<DT>KERNEL_VERSION</DT>
-<DD>the kernel version number, as in &quot;2.2&quot; or &quot;2.4&quot;.</DD>
-<DT>KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC</DT>
-<DD>This variable should set in the environment, probably in
- ~/freeswan-regress-env.sh. Examples of this variables would be
- KERNEL_LINUS2_0_SRC or KERNEL_RH7_3_SRC. This variable should point to
- an extracted copy of the kernel source in question.</DD>
-<DT>REF_PATCH_OUTPUT</DT>
-<DD>a copy of the patch output to compare against</DD>
-<DT>KERNEL_PATCH_LEAVE_SOURCE</DT>
-<DD>If set to a non-empty string, then the patched kernel source is not
- removed at the end of the test. This will typically be set in the
- environment while debugging.</DD>
-</DL>
-<H2 NAME="modtest"><A NAME="20_12">module_compile paramaters</A></H2>
-<P> The module_compile test attempts to build the KLIPS module against a
- given set of kernel source. This is also done by the RPM tests, but in
- a very specific manner.</P>
-<P> There are two variations of this test - one where the kernel either
- doesn't need to be configured, or is already done, and tests were there
- is a local configuration file.</P>
-<P> Where the kernel doesn't need to be configured, the kernel source
- that is found is simply used. It may be a RedHat-style kernel, where
- one can cause it to configure itself via rhconfig.h-style definitions.
- Or, it may just be a kernel tree that has been configured.</P>
-<P> If the variable KERNEL_CONFIG_FILE is set, then a new directory is
- created for the kernel source. It is populated with lndir(1). The
- referenced file is then copied in as .config, and &quot;make oldconfig&quot; is
- used to configure the kernel. This resulting kernel is then used as the
- reference source.</P>
-<P> In all cases, the kernel source is found the same was for the
- kernelpatch test, i.e. via KERNEL_VERSION/KERNEL_NAME and
- KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC.</P>
-<P> Once there is kernel source, the module is compiled using the
- top-level &quot;make module&quot; target.</P>
-<P> The test is considered successful if an executable is found in
- OUTPUT/module/ipsec.o at the end of the test.</P>
-<DL>
-<DT>KERNEL_NAME</DT>
-<DD>the kernel name, typically something like &quot;linus&quot; or &quot;rh&quot;</DD>
-<DT>KERNEL_VERSION</DT>
-<DD>the kernel version number, as in &quot;2.2&quot; or &quot;2.4&quot;.</DD>
-<DT>KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC</DT>
-<DD>This variable should set in the environment, probably in
- ~/freeswan-regress-env.sh. Examples of this variables would be
- KERNEL_LINUS2_0_SRC or KERNEL_RH7_3_SRC. This variable should point to
- an extracted copy of the kernel source in question.</DD>
-<DT>KERNEL_CONFIG_FILE</DT>
-<DD>The configuration file for the kernel.</DD>
-<DT>KERNEL_PATCH_LEAVE_SOURCE</DT>
-<DD>If set to a non-empty string, then the configured kernel source is
- not removed at the end of the test. This will typically be set in the
- environment while debugging.</DD>
-<DT>MODULE_DEF_INCLUDE</DT>
-<DD>The include file that will be used to configure the KLIPS module,
- and possibly the kernel source.</DD>
-</DL>
-<H1><A NAME="21">Current pitfalls</A></H1>
-<DL>
-<DT> &quot;tcpdump dissector&quot; not available.</DT>
-<DD> This is a non-fatal warning. If uml_netjig is invoked with the -t
- option, then it will attempt to use tcpdump's dissector to decode each
- packet that it processes. The dissector is presently not available, so
- this option it normally turned off at compile time. The dissector
- library will be released with tcpdump version 4.0.</DD>
-</DL>
-<HR>
-<H1><A name="umltesting">User-Mode-Linux Testing guide</A></H1>
-<P> User mode linux is a way to compile a linux kernel such that it can
- run as a process in another linux system (potentially as a *BSD or
- Windows process later). See<A HREF="http://user-mode-linux.sourceforge.net/">
- http://user-mode-linux.sourceforge.net/</A></P>
-<P> UML is a good platform for testing and experimenting with FreeS/WAN.
- It allows several network nodes to be simulated on a single machine.
- Creating, configuring, installing, monitoring, and controling these
- nodes is generally easier and easier to script with UML than real
- hardware.</P>
-<P> You'll need about 500Mb of disk space for a full
- sunrise-east-west-sunset setup. You can possibly get this down by 130Mb
- if you remove the sunrise/sunset kernel build. If you just want to run,
- then you can even remove the east/west kernel build.</P>
-<P> Nothing need be done as super user. In a couple of steps, we note
- where super user is required to install commands in system-wide
- directories, but ~/bin could be used instead. UML seems to use a
- system-wide /tmp/uml directory so different users may interfere with
- one another. Later UMLs use ~/.uml instead, so multiple users running
- UML tests should not be a problem, but note that a single user running
- the UML tests will only be able run one set. Further, UMLs sometimes
- get stuck and hang around. These &quot;zombies&quot; (most will actually be in
- the &quot;T&quot; state in the process table) will interfere with subsequent
- tests.</P>
-<H2><A NAME="22_1">Preliminary Notes on BIND</A></H2>
-<P> As of 2003/3/1, the Light-Weight Resolver is used by pluto. This
- requires that BIND9 be running. It also requires that BIND9 development
- libraries be present in the build environment. The DNSSEC code is only
- truly functional in BIND9 snapshots. The library code could be 9.2.2,
- we believe. We are using BIND9 20021115 snapshot code from<A HREF="ftp://ftp.isc.org/isc/bind9/snapshots">
- ftp://ftp.isc.org/isc/bind9/snapshots</A>.</P>
-<P> FreeS/WAN may well require a newer BIND than is on your system. Many
- distributions have moved to BIND9.2.2 recently due to a security
- advisory. BIND is five components.</P>
-<OL>
-<LI> named</LI>
-<LI> dnssec-*</LI>
-<LI> client side resolver libraries</LI>
-<LI> client side utility libraries I thought there were lib and named
- parts to dnsssec...</LI>
-<LI> dynamic DNS update utilities</LI>
-</OL>
-<P> The only piece that we need for *building* is #4. That's the only
- part that has to be on the build host. What is the difference between
- resolver and util libs? If you want to edit
- testing/baseconfigs/all/etc/bind, you'll need a snapshot version. The
- resolver library contains the resolver. FreeS/WAN has its own copy of
- that in lib/liblwres.</P>
-<H2><A NAME="22_2">Steps to Install UML for FreeS/WAN</A></H2>
-<OL>
-<LI> Get the following files:
-<OL type="a">
-<LI> from<A HREF="http://www.sandelman.ottawa.on.ca/freeswan/uml/">
- http://www.sandelman.ottawa.on.ca/freeswan/uml/</A>
- umlfreeroot-15.1.tar.gz (or highest numbered one). This is a debian
- potato root file system. You can use this even on a Redhat host, as it
- has the newer GLIBC2.2 libraries as well.
-<!-- If you are using
-  Redhat 7.2 or newer as your development machine, you can create the
-  image from your installation media. See <A HREF="uml-rhroot.html">Building a RedHat root"></A>.
-  A future document will explain how to build this from .DEB files as well.
--->
-
-<!--
-<LI> umlfreesharemini.tar.gz    (or umlfreeshareall.tar.gz). 
-  If you are a Debian potato user, you don't need it you can use your
-  native /usr/share.
-</UL>
--->
-</LI>
-<LI> From<A HREF="ftp://ftp.xs4all.nl/pub/crypto/freeswan/">
- ftp://ftp.xs4all.nl/pub/crypto/freeswan/</A> a snapshot or release
- (1.92 or better)</LI>
-<LI> From a<A HREF="http://www.kernel.org/mirrors/">
- http://www.kernel.org mirror</A>, the virgin 2.4.19 kernel. Please
- realize that we have defaults in our tree for kernel configuration. We
- try to track the latest UML kernels. If you use a newer kernel, you may
- have faults in the kernel build process. You can see what the latest
- that is being regularly tested by visiting<A HREF="http://bugs.freeswan.org:81/regress/HEAD/lastgood/freeswan-regress-env.sh">
- freeswan-regress-env.sh</A>.</LI>
-<LI>
-<!-- Note: this step is refered to as "step 1d" below. -->
- Get<A HREF="http://ftp.nl.linux.org/uml/">
- http://ftp.nl.linux.org/uml/</A> uml-patch-2.4.19-47.bz2 or the one
- associated with your kernel. As of 2003/03/05, uml-patch-2.4.19-47.bz2
- works for us.<STRONG> More recent versions of the patch have not been
- tested by us.</STRONG></LI>
-<LI> You'll probably want to visit<A HREF="http://user-mode-linux.sourceforge.net">
- http://user-mode-linux.sourceforge.net</A> and get the UML utilities.
- These are not needed for the build or interactive use (but
- recommended). They are necessary for the regression testing procedures
- used by &quot;make check&quot;. We currently use uml_utilities_20020212.tar.bz2.</LI>
-<LI> You need tcpdump version 3.7.1 or better. This is newer than the
- version included in most LINUX distributions. You can check the version
- of an installed tcpdump with the --version flag. If you need a newer
- tcpdump fetch both tcpdump and libpcap source tar files from<A HREF="http://www.tcpdump.org/">
- http://www.tcpdump.org/</A> or a mirror.</LI>
-</OL>
-</LI>
-<LI> Pick a suitable place, and extract the following files:
-<OL type="a">
-<LI>
-<!-- Note: this step is refered to as "step 2a" later. -->
- 2.4.19 kernel. For instance:
-<PRE>
- <CODE>           cd /c2/kernel
-           tar xzvf ../download/pub/linux/kernel/v2.4/linux-2.4.19.tar.gz
-</CODE>
-</PRE>
-</LI>
-<LI> extract the umlfreeroot file
-<!-- (unless you <A HREF="uml-rhroot.html">built your own from RPMs</A>) -->
-
-<PRE>
- <CODE>           mkdir -p /c2/user-mode-linux/basic-root
-           cd /c2/user-mode-linux/basic-root
-           tar xzvf ../download/umlfreeroot-15.1.tar.gz
-</CODE>
-</PRE>
-</LI>
-<LI> FreeSWAN itself (or checkout &quot;all&quot; from CVS)
-<PRE>
- <CODE>           mkdir -p /c2/freeswan/sandbox
-           cd /c2/freeswan/sandbox
-           tar xzvf ../download/snapshot.tar.gz
-</CODE>
-</PRE>
-</LI>
-</OL>
-</LI>
-<LI> If you need to build a newer tcpdump:
-<UL>
-<LI> Make sure you have OpenSSL installed -- it is needed for
- cryptographic routines.</LI>
-<LI> Unpack libpcap and tcpdump source in parallel directories (the
- tcpdump build procedures look for libpcap next door).</LI>
-<LI> Change directory into the libpcap source directory and then build
- the library:
-<PRE>
- <CODE>	./configure
-	make
-</CODE>
-</PRE>
-</LI>
-<LI> Change into the tcpdump source directory, build tcpdump, and
- install it.
-<PRE>
- <CODE>	./configure
-	make
-	# Need to be superuser to install in system directories.
-	# Installing in ~/bin would be an alternative.
-	su -c &quot;make install&quot;
-</CODE>
-</PRE>
-</LI>
-</UL>
-</LI>
-<LI> If you need the uml utilities, unpack them somewhere then build and
- install them:
-<PRE>
- <CODE>	cd tools
-	make all
-	# Need to be superuser to install in system directories.
-	# Installing in ~/bin would be an alternative.
-	su -c &quot;make install BIN_DIR=/usr/local/bin&quot;
-</CODE>
-</PRE>
-</LI>
-<LI> set up the configuration file
-<UL>
-<LI> <CODE>cd /c2/freeswan/sandbox/freeswan-1.97/testing/utils</CODE></LI>
-<LI> copy umlsetup-sample.sh to ../../umlsetup.sh: <CODE> cp
- umlsetup-sample.sh ../../umlsetup.sh</CODE></LI>
-<LI> open up ../../umlsetup.sh in your favorite editor.</LI>
-<LI> change POOLSPACE= to point to the place with at least 500Mb of
- disk. Best if it is on the same partition as the &quot;umlfreeroot&quot;
- extraction, as it will attempt to use hard links if possible to save
- disk space.</LI>
-<LI> Set TESTINGROOT if you intend to run the script outside of the
- sandbox/snapshot/release directory. Otherwise, it will configure
- itself.</LI>
-<LI> KERNPOOL should point to the directory with your 2.4.19 kernel
- tree. This tree should be unconfigured! This is the directory you used
- in step 2a.</LI>
-<LI> UMLPATCH should point at the bz2 file you downloaded at 1d. If
- using a kernel that already includes the patch, set this to /dev/null.</LI>
-<LI> FREESWANDIR should point at the directory where you unpacked the
- snapshot/release. Include the &quot;freeswan-snap2001sep16b&quot; or whatever in
- it. If you are running from CVS, then you point at the directory where
- top, klips, etc. are. The script will fix up the directory so that it
- can be used.</LI>
-<LI> BASICROOT should be set to the directory used in 2b, or to the
- directory that you created with RPMs.</LI>
-<LI> SHAREDIR should be set to the directory used in 2c, to /usr/share
- for Debian potato users, or to $BASICROOT/usr/share.</LI>
-</UL>
-</LI>
-<LI>
-<PRE> <CODE>cd $TESTINGROOT/utils
-sh make-uml.sh
-</CODE></PRE>
- It will grind for awhile. If there are errors it will bail. If so, run
- it under &quot;script&quot; and send the output to bugs@lists.freeswan.org.</LI>
-<LI> You will have a bunch of stuff under $POOLSPACE. Open four xterms:
-<PRE> <CODE>    for i in sunrise sunset east west
-    do
-        xterm -name $i -title $i -e $POOLSPACE/$i/start.sh     done
-</CODE></PRE>
-</LI>
-<LI> Login as root. Password is &quot;root&quot; (Note, these virtual machines are
- networked together, but are not configured to talk to the rest of the
- world.)</LI>
-<LI> verify that pluto started on east/west, run &quot;ipsec look&quot;</LI>
-<LI> login to sunrise. run &quot;ping sunset&quot;</LI>
-<LI> login to west. run &quot;tcpdump -p -i eth1 -n&quot; (tcpdump must be version
- 3.7.1 or newer)</LI>
-<LI> Closing a console xterm will shut down that UML.</LI>
-<LI> You can &quot;make check&quot;, if you want to. It is run from
- /c2/freeswan/sandbox/freeswan-1.97.</LI>
-</OL>
-<H1><A NAME="23">Debugging the kernel with GDB</A></H1>
-<P> With User-Mode-Linux, you can debug the kernel using GDB. See
-<!--HREF="http://user-mode-linux.sourceforge.net/debugging.html"-->
-
- http://user-mode-linux.sourceforge.net/debugging.html.</(null)></P>
-<P> Typically, one will want to address a test case for a failing
- situation. Running GDB from Emacs, or from other front ends is
- possible. First start GDB.</P>
-<P> Tell it to open the UMLPOOL/swan/linux program.</P>
-<P> Note the PID of GDB:</P>
-<PRE>
-marajade-[projects/freeswan/mgmt/planning] mcr 1029 %ps ax | grep gdb
- 1659 pts/9    SN     0:00 /usr/bin/gdb -fullname -cd /mara4/freeswan/kernpatch/UMLPOOL/swan/ linux
-</PRE>
-<P> Set the following in the environment:</P>
-<PRE>
-UML_east_OPT=&quot;debug gdb-pid=1659&quot;
-</PRE>
-<P> Then start the user-mode-linux in the test scheme you wish:</P>
-<PRE>
-marajade-[kernpatch/testing/klips/east-icmp-02] mcr 1220 %../../utils/runme.sh
-</PRE>
- The user-mode-linux will stop on boot, giving you a chance to attach to
- the process:
-<PRE>
-(gdb) file linux
-Reading symbols from linux...done.
-(gdb) attach 1
-Attaching to program: /mara4/freeswan/kernpatch/UMLPOOL/swan/linux, process 1
-0xa0118bc1 in kill () at hostfs_kern.c:770
-</PRE>
-<P> At this point, break points should be created as appropriate.</P>
-<H2><A NAME="23_1">Other notes about debugging</A></H2>
-<P> If you are running a standard test, after all the packets are sent,
- the UML will be shutdown. This can cause problems, because the UML may
- get terminated while you are debugging.</P>
-<P> The environment variable <CODE>NETJIGWAITUSER</CODE> can be set to
- &quot;waituser&quot;. If so, then the testing system will prompt before exiting
- the test.</P>
-<H1><A NAME="24">User-Mode-Linux mysteries</A></H1>
-<UL>
-<LI> running more than one UML of the same name (e.g. &quot;west&quot;) can cause
- problems.</LI>
-<LI> running more than one UML from the same root file system is not a
- good idea.</LI>
-<LI> all this means that running &quot;make check&quot; twice on the same machine
- is probably not a good idea.</LI>
-<LI> occationally, UMLs will get stuck. This can happen like:
-<!--BLOCK-->
- 15134 ? T
- 0:00 /spare/hugh/uml/uml2.4.18-sept5/umlbuild/east/linux (east)
- [/bin/sh] 15138 ? T 0:00
- /spare/hugh/uml/uml2.4.18-sept5/umlbuild/east/linux (east) [halt]</(null)>
- these will need to be killed. Note that they are in &quot;T&quot;racing mode.</LI>
-<LI> UMLs can also hang, and will report &quot;Tracing myself and I can't get
- out&quot;. This is a bug in UML. There are ways to find out what is going on
- and report this to the UML people, but we don't know the magic right
- now.</LI>
-</UL>
-<H1><A NAME="25">Getting more info from uml_netjig</A></H1>
-<P> uml_netjig can be compiled with a built-in tcpdump. This uses
- not-yet-released code from<A HREF="http://www.tcpdump.org/">
- www.tcpdump.org</A>. Please see the instructions in <CODE>
-testing/utils/uml_netjig/Makefile</CODE>.</P>
-<HR>
-<H1><A name="politics">History and politics of cryptography</A></H1>
-<P>Cryptography has a long and interesting history, and has been the
- subject of considerable political controversy.</P>
-<H2><A name="intro.politics">Introduction</A></H2>
-<H3><A NAME="26_1_1">History</A></H3>
-<P>The classic book on the history of cryptography is David Kahn's<A href="#Kahn">
- The Codebreakers</A>. It traces codes and codebreaking from ancient
- Egypt to the 20th century.</P>
-<P>Diffie and Landau<A href="#diffie"> Privacy on the Line: The Politics
- of Wiretapping and Encryption</A> covers the history from the First
- World War to the 1990s, with an emphasis on the US.</P>
-<H4><A NAME="26_1_1_1">World War II</A></H4>
-<P>During the Second World War, the British &quot;Ultra&quot; project achieved one
- of the greatest intelligence triumphs in the history of warfare,
- breaking many Axis codes. One major target was the Enigma cipher
- machine, a German device whose users were convinced it was unbreakable.
- The American &quot;Magic&quot; project had some similar triumphs against Japanese
- codes.</P>
-<P>There are many books on this period. See our bibliography for
- several. Two I particularly like are:</P>
-<UL>
-<LI>Andrew Hodges has done a superb<A href="http://www.turing.org.uk/book/">
- biography</A> of Alan Turing, a key player among the Ultra
- codebreakers. Turing was also an important computer pioneer. The terms<A
-href="http://www.abelard.org/turpap/turpap.htm"> Turing test</A> and<A href="http://plato.stanford.edu/entries/turing-machine/">
- Turing machine</A> are named for him, as is the<A href="http://www.acm.org">
- ACM</A>'s highest technical<A href="http://www.acm.org/awards/taward.html">
- award</A>.</LI>
-<LI>Neal Stephenson's<A href="#neal"> Cryptonomicon</A> is a novel with
- cryptography central to the plot. Parts of it take place during WW II,
- other parts today.</LI>
-</UL>
-<P>Bletchley Park, where much of the Ultra work was done, now has a
- museum and a<A href="http://www.bletchleypark.org.uk/"> web site</A>.</P>
-<P>The Ultra work introduced three major innovations.</P>
-<UL>
-<LI>The first break of Enigma was achieved by Polish Intelligence in
- 1931. Until then most code-breakers had been linguists, but a different
- approach was needed to break machine ciphers. Polish Intelligence
- recruited bright young mathematicians to crack the &quot;unbreakable&quot;
- Enigma. When war came in 1939, the Poles told their allies about this,
- putting Britain on the road to Ultra. The British also adopted a
- mathematical approach.</LI>
-<LI>Machines were extensively used in the attacks. First the Polish
- &quot;Bombe&quot; for attacking Enigma, then British versions of it, then
- machines such as Collosus for attacking other codes. By the end of the
- war, some of these machines were beginning to closely resemble digital
- computers. After the war, a team at Manchester University, several old
- Ultra hands included, built one of the world's first actual
- general-purpose digital computers.</LI>
-<LI>Ultra made codebreaking a large-scale enterprise, producing
- intelligence on an industrial scale. This was not a &quot;black chamber&quot;,
- not a hidden room in some obscure government building with a small crew
- of code-breakers. The whole operation -- from wholesale interception of
- enemy communications by stations around the world, through large-scale
- code-breaking and analysis of the decrypted material (with an enormous
- set of files for cross-referencing), to delivery of intelligence to
- field commanders -- was huge, and very carefully managed.</LI>
-</UL>
-<P>So by the end of the war, Allied code-breakers were expert at
- large-scale mechanised code-breaking. The payoffs were enormous.</P>
-<H4><A name="postwar">Postwar and Cold War</A></H4>
-<P>The wartime innovations were enthusiastically adopted by post-war and
- Cold War signals intelligence agencies. Presumably many nations now
- have some agency capable of sophisticated attacks on communications
- security, and quite a few engage in such activity on a large scale.</P>
-<P>America's<A href="#NSA"> NSA</A>, for example, is said to be both the
- world's largest employer of mathematicians and the world's largest
- purchaser of computer equipment. Such claims may be somewhat
- exaggerated, but beyond doubt the NSA -- and similar agencies in other
- countries -- have some excellent mathematicians, lots of powerful
- computers, sophisticated software, and the organisation and funding to
- apply them on a large scale. Details of the NSA budget are secret, but
- there are some published<A href="http://www.fas.org/irp/nsa/nsabudget.html">
- estimates</A>.</P>
-<P>Changes in the world's communications systems since WW II have
- provided these agencies with new targets. Cracking the codes used on an
- enemy's military or diplomatic communications has been common practice
- for centuries. Extensive use of radio in war made large-scale attacks
- such as Ultra possible. Modern communications make it possible to go
- far beyond that. Consider listening in on cell phones, or intercepting
- electronic mail, or tapping into the huge volumes of data on new media
- such as fiber optics or satellite links. None of these targets existed
- in 1950. All of them can be attacked today, and almost certainly are
- being attacked.</P>
-<P>The Ultra story was not made public until the 1970s. Much of the
- recent history of codes and code-breaking has not been made public, and
- some of it may never be. Two important books are:</P>
-<UL>
-<LI>Bamford's<A href="#puzzle"> The Puzzle Palace</A>, a history of the
- NSA</LI>
-<LI>Hager's<A href="http://www.fas.org/irp/eprint/sp/index.html"> Secret
- Power</A>, about the<A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
- Echelon</A> system -- the US, UK, Canada, Australia and New Zealand
- co-operating to monitor much of the world's communications.</LI>
-</UL>
-<P>Note that these books cover only part of what is actually going on,
- and then only the activities of nations open and democratic enough that
- (some of) what they are doing can be discovered. A full picture,
- including:</P>
-<UL>
-<LI>actions of the English-speaking democracies not covered in those
- books</LI>
-<LI>actions of other more-or-less sane governments</LI>
-<LI>the activities of various more-or-less insane governments</LI>
-<LI>possibilities for unauthorized action by government employees</LI>
-<LI>possible actions by large non-government organisations:
- corporations, criminals, or conspiracies</LI>
-</UL>
-<P>might be really frightening.</P>
-<H4><A name="recent">Recent history -- the crypto wars</A></H4>
-<P>Until quite recently, cryptography was primarily a concern of
- governments, especially of the military, of spies, and of diplomats.
- Much of it was extremely secret.</P>
-<P>In recent years, that has changed a great deal. With computers and
- networking becoming ubiquitous, cryptography is now important to almost
- everyone. Among the developments since the 1970s:</P>
-<UL>
-<LI>The US gov't established the Data Encryption Standard,<A href="#DES">
- DES</A>, a<A href="#block"> block cipher</A> for cryptographic
- protection of unclassfied documents.</LI>
-<LI>DES also became widely used in industry, especially regulated
- industries such as banking.</LI>
-<LI>Other nations produced their own standards, such as<A href="glossary.html#GOST">
- GOST</A> in the Soviet Union.</LI>
-<LI><A href="#public">Public key</A> cryptography was invented by Diffie
- and Hellman.</LI>
-<LI>Academic conferences such as<A href="http://www-cse.ucsd.edu/users/mihir/crypto2k.html">
- Crypto</A> and<A href="http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/">
- Eurocrypt</A> began.</LI>
-<LI>Several companies began offerring cryptographic products:<A href="#RSAco">
- RSA</A>,<A href="#PGPI"> PGP</A>, the many vendors with<A href="#PKI">
- PKI</A> products, ...</LI>
-<LI>Cryptography appeared in other products: operating systems, word
- processors, ...</LI>
-<LI>Network protocols based on crypto were developed:<A href="#ssh"> SSH</A>
-,<A href="#SSL"> SSL</A>,<A href="#IPSEC"> IPsec</A>, ...</LI>
-<LI>Crytography came into widespread use to secure bank cards,
- terminals, ...</LI>
-<LI>The US government replaced<A href="#DES"> DES</A> with the much
- stronger Advanced Encryption Standard,<A href="#AES"> AES</A></LI>
-</UL>
-<P>This has led to a complex ongoing battle between various mainly
- government groups wanting to control the spread of crypto and various
- others, notably the computer industry and the<A href="http://online.offshore.com.ai/security/">
- cypherpunk</A> crypto advocates, wanting to encourage widespread use.</P>
-<P>Steven Levy has written a fine history of much of this, called<A href="#crypto">
- Crypto: How the Code rebels Beat the Government -- Saving Privacy in
- the Digital Age</A>.</P>
-<P>The FreeS/WAN project is to a large extent an outgrowth of cypherpunk
- ideas. Our reasons for doing the project can be seen in these quotes
- from the<A href="http://www.eff.org/pub/Privacy/Crypto_misc/cypherpunk.manifesto">
- Cypherpunk Manifesto</A>:</P>
-<BLOCKQUOTE> Privacy is necessary for an open society in the electronic
- age. ...
-<P>We cannot expect governments, corporations, or other large, faceless
- organizations to grant us privacy out of their beneficence. It is to
- their advantage to speak of us, and we should expect that they will
- speak. ...</P>
-<P>We must defend our own privacy if we expect to have any. ...</P>
-<P>Cypherpunks write code. We know that someone has to write software to
- defend privacy, and since we can't get privacy unless we all do, we're
- going to write it. We publish our code so that our fellow Cypherpunks
- may practice and play with it. Our code is free for all to use,
- worldwide. We don't much care if you don't approve of the software we
- write. We know that software can't be destroyed and that a widely
- dispersed system can't be shut down.</P>
-<P>Cypherpunks deplore regulations on cryptography, for encryption is
- fundamentally a private act. ...</P>
-<P>For privacy to be widespread it must be part of a social contract.
- People must come and together deploy these systems for the common good.
- ...</P>
-</BLOCKQUOTE>
-<P>To quote project leader John Gilmore:</P>
-<BLOCKQUOTE> We are literally in a race between our ability to build and
- deploy technology, and their ability to build and deploy laws and
- treaties. Neither side is likely to back down or wise up until it has
- definitively lost the race.</BLOCKQUOTE>
-<P>If FreeS/WAN reaches its goal of making<A href="#opp.intro">
- opportunistic encryption</A> widespread so that secure communication
- can become the default for a large part of the net, we will have struck
- a major blow.</P>
-<H3><A name="intro.poli">Politics</A></H3>
-<P>The political problem is that nearly all governments want to monitor
- their enemies' communications, and some want to monitor their citizens.
- They may be very interested in protecting some of their own
- communications, and often some types of business communication, but not
- in having everyone able to communicate securely. They therefore attempt
- to restrict availability of strong cryptography as much as possible.</P>
-<P>Things various governments have tried or are trying include:</P>
-<UL>
-<LI>Echelon, a monitor-the-world project of the US, UK, NZ, Australian
- and Canadian<A href="#SIGINT"> signals intelligence</A> agencies. See
- this<A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
- collection</A> of links and this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640682,00.html">
- story</A> on the French Parliament's reaction.</LI>
-<LI>Others governments may well have their own Echelon-like projects. To
- quote the Dutch Minister of Defense, as reported in a German<A href="http://www.heise.de/tp/english/inhalt/te/4729/1.html">
- magazine</A>:<BLOCKQUOTE> The government believes not only the
- governments associated with Echelon are able to intercept communication
- systems, but that it is an activity of the investigative authorities
- and intelligence services of many countries with governments of
- different political signature.</BLOCKQUOTE> Even if they have nothing
- on the scale of Echelon, most intelligence agencies and police forces
- certainly have some interception capability.</LI>
-<LI><A href="#NSA">NSA</A> tapping of submarine communication cables,
- described in<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2764372,00.html">
- this article</A></LI>
-<LI>A proposal for international co-operation on<A href="http://www.heise.de/tp/english/special/enfo/4306/1.html">
- Internet surveillance</A>.</LI>
-<LI>Alleged<A href="http://cryptome.org/nsa-sabotage.htm"> sabotage</A>
- of security products by the<A href="#NSA"> NSA</A> (the US signals
- intelligence agency).</LI>
-<LI>The German armed forces and some government departments will stop
- using American software for fear of NSA &quot;back doors&quot;, according to this<A
-href="http://www.theregister.co.uk/content/4/17679.html"> news story</A>
-.</LI>
-<LI>The British Regulation of Investigatory Powers bill. See this<A href="http://www.fipr.org/rip/index.html">
- web page.</A> and perhaps this<A href="http://ars.userfriendly.org/cartoons/?id=20000806&amp;mode=classic">
- cartoon</A>.</LI>
-<LI>A Russian<A href="http://www.eff.org/pub/Privacy/Foreign_and_local/Russia/russian_crypto_ban_english.edict">
- ban</A> on cryptography</LI>
-<LI>Chinese<A href="http://www.eff.org/pub/Misc/Publications/Declan_McCullagh/www/global/china">
- controls</A> on net use.</LI>
-<LI>The FBI's carnivore system for covert searches of email. See this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2601502,00.html">
- news coverage</A> and this<A href="http://www.crypto.com/papers/carnivore-risks.html">
- risk assessment</A>. The government had an external review of some
- aspects of this system done. See this<A href="http://www.crypto.com/papers/carnivore_report_comments.html">
- analysis</A> of that review. Possible defenses against Carnivore
- include:
-<UL>
-<LI><A href="#PGP">PGP</A> for end-to-end mail encryption</LI>
-<LI><A href="http://www.home.aone.net.au/qualcomm/">secure sendmail</A>
- for server-to-server encryption</LI>
-<LI>IPsec encryption on the underlying IP network</LI>
-</UL>
-</LI>
-<LI>export laws restricting strong cryptography as a munition. See<A href="#exlaw">
- discussion</A> below.</LI>
-<LI>various attempts to convince people that fundamentally flawed
- cryptography, such as encryption with a<A href="#escrow"> back door</A>
- for government access to data or with<A href="#shortkeys"> inadequate
- key lengths</A>, was adequate for their needs.</LI>
-</UL>
-<P>Of course governments are by no means the only threat to privacy and
- security on the net. Other threats include:</P>
-<UL>
-<LI>industrial espionage, as for example in this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2626931,00.html">
- news story</A></LI>
-<LI>attacks by organised criminals, as in this<A href="http://www.sans.org/newlook/alerts/NTE-bank.htm">
- large-scale attack</A></LI>
-<LI>collection of personal data by various companies.
-<UL>
-<LI>for example, consider the various corporate winners of Privacy
- International's<A href="http://www.privacyinternational.org/bigbrother/">
- Big Brother Awards</A>.</LI>
-<LI><A href="http://www.zeroknowledge.com">Zero Knowledge</A> sell tools
- to defend against this</LI>
-</UL>
-</LI>
-<LI>individuals may also be a threat in a variety of ways and for a
- variety of reasons</LI>
-<LI>in particular, an individual with access to government or industry
- data collections could do considerable damage using that data in
- unauthorized ways.</LI>
-</UL>
-<P>One<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640674,00.html">
- study</A> enumerates threats and possible responses for small and
- medium businesses. VPNs are a key part of the suggested strategy.</P>
-<P>We consider privacy a human right. See the UN's<A href="http://www.un.org/Overview/rights.html">
- Universal Declaration of Human Rights</A>, article twelve:</P>
-<BLOCKQUOTE> No one shall be subjected to arbitrary interference with
- his privacy, family, home or correspondence, nor to attacks upon his
- honor and reputation. Everyone has the right to the protection of the
- law against such interference or attacks.</BLOCKQUOTE>
-<P>Our objective is to help make privacy possible on the Internet using
- cryptography strong enough not even those well-funded government
- agencies are likely to break it. If we can do that, the chances of
- anyone else breaking it are negliible.</P>
-<H3><A NAME="26_1_3">Links</A></H3>
-<P>Many groups are working in different ways to defend privacy on the
- net and elsewhere. Please consider contributing to one or more of these
- groups:</P>
-<UL>
-<LI>the EFF's<A href="http://www.eff.org/crypto/"> Privacy Now!</A>
- campaign</LI>
-<LI>the<A href="http://www.gilc.org"> Global Internet Liberty Campaign</A>
-</LI>
-<LI><A href="http://www.cpsr.org/program/privacy/privacy.html">Computer
- Professionals for Social Responsibility</A></LI>
-</UL>
-<P>For more on these issues see:</P>
-<UL>
-<LI>Steven Levy (Newsweek's chief technology writer and author of the
- classic &quot;Hackers&quot;) new book<A href="#crypto"> Crypto: How the Code
- Rebels Beat the Government--Saving Privacy in the Digital Age</A></LI>
-<LI>Simson Garfinkel (Boston Globe columnist and author of books on<A href="#PGP">
- PGP</A> and<A href="#practical"> Unix Security</A>) book<A href="#Garfinkel">
- Database Nation: the death of privacy in the 21st century</A></LI>
-</UL>
-<P>There are several collections of<A href="#quotes"> crypto quotes</A>
- on the net.</P>
-<P>See also the<A href="biblio.html"> bibliography</A> and our list of<A href="#policy">
- web references</A> on cryptography law and policy.</P>
-<H3><A NAME="26_1_4">Outline of this section</A></H3>
-<P>The remainder of this section includes two pieces of writing by our
- project leader</P>
-<UL>
-<LI>his<A href="#gilmore"> rationale</A> for starting this</LI>
-<LI>another<A href="#policestate"> discussion</A> of project goals</LI>
-</UL>
-<P>and discussions of:</P>
-<UL>
-<LI><A href="#desnotsecure">why we do not use DES</A></LI>
-<LI><A href="#exlaw">cryptography export laws</A></LI>
-<LI>why<A href="#escrow"> government access to keys</A> is not a good
- idea</LI>
-<LI>the myth that<A href="#shortkeys"> short keys</A> are adequate for
- some security requirements</LI>
-</UL>
-<P>and a section on<A href="#press"> press coverage of FreeS/WAN</A>.</P>
-<H2><A name="leader">From our project leader</A></H2>
-<P>FreeS/WAN project founder John Gilmore wrote a web page about why we
- are doing this. The version below is slightly edited, to fit this
- format and to update some links. For a version without these edits, see
- his<A href="http://www.toad.com/gnu/"> home page</A>.</P>
-<CENTER>
-<H3><A name="gilmore">Swan: Securing the Internet against Wiretapping</A>
-</H3>
-</CENTER>
-<P>My project for 1996 was to<B> secure 5% of the Internet traffic
- against passive wiretapping</B>. It didn't happen in 1996, so I'm still
- working on it in 1997, 1998, and 1999! If we get 5% in 1999 or 2000, we
- can secure 20% the next year, against both active and passive attacks;
- and 80% the following year. Soon the whole Internet will be private and
- secure. The project is called S/WAN or S/Wan or Swan for Secure Wide
- Area Network; since it's free software, we call it FreeSwan to
- distinguish it from various commercial implementations.<A href="http://www.rsa.com/rsa/SWAN/">
- RSA</A> came up with the term &quot;S/WAN&quot;. Our main web site is at<A href="http://www.freeswan.org/">
- http://www.freeswan.org/</A>. Want to help?</P>
-<P>The idea is to deploy PC-based boxes that will sit between your local
- area network and the Internet (near your firewall or router) which
- opportunistically encrypt your Internet packets. Whenever you talk to a
- machine (like a Web site) that doesn't support encryption, your traffic
- goes out &quot;in the clear&quot; as usual. Whenever you connect to a machine
- that does support this kind of encryption, this box automatically
- encrypts all your packets, and decrypts the ones that come in. In
- effect, each packet gets put into an &quot;envelope&quot; on one side of the net,
- and removed from the envelope when it reaches its destination. This
- works for all kinds of Internet traffic, including Web access, Telnet,
- FTP, email, IRC, Usenet, etc.</P>
-<P>The encryption boxes are standard PC's that use freely available
- Linux software that you can download over the Internet or install from
- a cheap CDROM.</P>
-<P>This wasn't just my idea; lots of people have been working on it for
- years. The encryption protocols for these boxes are called<A href="#IPSEC">
- IPSEC (IP Security)</A>. They have been developed by the<A href="http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html">
- IP Security Working Group</A> of the<A href="http://www.ietf.org/">
- Internet Engineering Task Force</A>, and will be a standard part of the
- next major version of the Internet protocols (<A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
-IPv6</A>). For today's (IP version 4) Internet, they are an option.</P>
-<P>The<A href="http://www.iab.org/iab"> Internet Architecture Board</A>
- and<A href="http://www.ietf.org/"> Internet Engineering Steering Group</A>
- have taken a<A href="iab-iesg.stmt"> strong stand</A> that the Internet
- should use powerful encryption to provide security and privacy. I think
- these protocols are the best chance to do that, because they can be
- deployed very easily, without changing your hardware or software or
- retraining your users. They offer the best security we know how to
- build, using the Triple-DES, RSA, and Diffie-Hellman algorithms.</P>
-<P>This &quot;opportunistic encryption box&quot; offers the &quot;fax effect&quot;. As each
- person installs one for their own use, it becomes more valuable for
- their neighbors to install one too, because there's one more person to
- use it with. The software automatically notices each newly installed
- box, and doesn't require a network administrator to reconfigure it.
- Instead of &quot;virtual private networks&quot; we have a &quot;REAL private network&quot;;
- we add privacy to the real network instead of layering a
- manually-maintained virtual network on top of an insecure Internet.</P>
-<H4><A NAME="26_2_1_1">Deployment of IPSEC</A></H4>
-<P>The US government would like to control the deployment of IP Security
- with its<A href="#exlaw"> crypto export laws</A>. This isn't a problem
- for my effort, because the cryptographic work is happening outside the
- United States. A foreign philanthropist, and others, have donated the
- resources required to add these protocols to the Linux operating
- system.<A href="http://www.linux.org/"> Linux</A> is a complete, freely
- available operating system for IBM PC's and several kinds of
- workstation, which is compatible with Unix. It was written by Linus
- Torvalds, and is still maintained by a talented team of expert
- programmers working all over the world and coordinating over the
- Internet. Linux is distributed under the<A href="#GPL"> GNU Public
- License</A>, which gives everyone the right to copy it, improve it,
- give it to their friends, sell it commercially, or do just about
- anything else with it, without paying anyone for the privilege.</P>
-<P>Organizations that want to secure their network will be able to put
- two Ethernet cards into an IBM PC, install Linux on it from a $30 CDROM
- or by downloading it over the net, and plug it in between their
- Ethernet and their Internet link or firewall. That's all they'll have
- to do to encrypt their Internet traffic everywhere outside their own
- local area network.</P>
-<P>Travelers will be able to run Linux on their laptops, to secure their
- connection back to their home network (and to everywhere else that they
- connect to, such as customer sites). Anyone who runs Linux on a
- standalone PC will also be able to secure their network connections,
- without changing their application software or how they operate their
- computer from day to day.</P>
-<P>There will also be numerous commercially available firewalls that use
- this technology.<A href="http://www.rsa.com/"> RSA Data Security</A> is
- coordinating the<A href="http://www.rsa.com/rsa/SWAN"> S/Wan (Secure
- Wide Area Network)</A> project among more than a dozen vendors who use
- these protocols. There's a<A href="http://www.rsa.com/rsa/SWAN/swan_test.htm">
- compatability chart</A> that shows which vendors have tested their
- boxes against which other vendors to guarantee interoperatility.</P>
-<P>Eventually it will also move into the operating systems and
- networking protocol stacks of major vendors. This will probably take
- longer, because those vendors will have to figure out what they want to
- do about the export controls.</P>
-<H4><A NAME="26_2_1_2">Current status</A></H4>
-<P>My initial goal of securing 5% of the net by Christmas '96 was not
- met. It was an ambitious goal, and inspired me and others to work hard,
- but was ultimately too ambitious. The protocols were in an early stage
- of development, and needed a lot more protocol design before they could
- be implemented. As of April 1999, we have released version 1.0 of the
- software (<A href="ftp://ftp.xs4all.nl/freeswan/freeswan-1.0.tar.gz">
-freeswan-1.0.tar.gz</A>), which is suitable for setting up Virtual
- Private Networks using shared secrets for authentication. It does not
- yet do opportunistic encryption, or use DNSSEC for authentication;
- those features are coming in a future release.</P>
-<DL>
-<DT>Protocols</DT>
-<DD>The low-level encrypted packet formats are defined. The system for
- publishing keys and providing secure domain name service is defined.
- The IP Security working group has settled on an NSA-sponsored protocol
- for key agreement (called ISAKMP/Oakley), but it is still being worked
- on, as the protocol and its documentation is too complex and
- incomplete. There are prototype implementations of ISAKMP. The protocol
- is not yet defined to enable opportunistic encryption or the use of
- DNSSEC keys.</DD>
-<DT>Linux Implementation</DT>
-<DD>The Linux implementation has reached its first major release and is
- ready for production use in manually-configured networks, using Linux
- kernel version 2.0.36.</DD>
-<DT>Domain Name System Security</DT>
-<DD>There is now a release of BIND 8.2 that includes most DNS Security
- features.
-<P>The first prototype implementation of Domain Name System Security was
- funded by<A href="#DARPA"> DARPA</A> as part of their<A href="http://www.darpa.mil/ito/research/is/index.html">
- Information Survivability program</A>.<A href="http://www.tis.com">
- Trusted Information Systems</A> wrote a modified version of<A href="http://www.isc.org/bind.html">
- BIND</A>, the widely-used Berkeley implementation of the Domain Name
- System.</P>
-<P>TIS, ISC, and I merged the prototype into the standard version of
- BIND. The first production version that supports KEY and SIG records is<B>
- bind-4.9.5</B>. This or any later version of BIND will do for
- publishing keys. It is available from the<A href="http://www.isc.org/bind.html">
- Internet Software Consortium</A>. This version of BIND is not
- export-controlled since it does not contain any cryptography. Later
- releases starting with BIND 8.2 include cryptography for authenticating
- DNS records, which is also exportable. Better documentation is needed.</P>
-</DD>
-</DL>
-<H4><A NAME="26_2_1_3">Why?</A></H4>
-<P>Because I can. I have made enough money from several successful
- startup companies, that for a while I don't have to work to support
- myself. I spend my energies and money creating the kind of world that
- I'd like to live in and that I'd like my (future) kids to live in.
- Keeping and improving on the civil rights we have in the United States,
- as we move more of our lives into cyberspace, is a particular goal of
- mine.</P>
-<H4><A NAME="26_2_1_4">What You Can Do</A></H4>
-<DL>
-<DT>Install the latest BIND at your site.</DT>
-<DD>You won't be able to publish any keys for your domain, until you
- have upgraded your copy of BIND. The thing you really need from it is
- the new version of<I> named</I>, the Name Daemon, which knows about the
- new KEY and SIG record types. So, download it from the<A href="http://www.isc.org/bind.html">
- Internet Software Consortium</A> and install it on your name server
- machine (or get your system administrator, or Internet Service
- Provider, to install it). Both your primary DNS site and all of your
- secondary DNS sites will need the new release before you will be able
- to publish your keys. You can tell which sites this is by running the
- Unix command &quot;dig MYDOMAIN ns&quot; and seeing which sites are mentioned in
- your NS (name server) records.</DD>
-<DT>Set up a Linux system and run a 2.0.x kernel on it</DT>
-<DD>Get a machine running Linux (say the 5.2 release from<A href="http://www.redhat.com">
- Red Hat</A>). Give the machine two Ethernet cards.</DD>
-<DT>Install the Linux IPSEC (Freeswan) software</DT>
-<DD>If you're an experienced sysadmin or Linux hacker, install the
- freeswan-1.0 release, or any later release or snapshot. These releases
- do NOT provide automated &quot;opportunistic&quot; operation; they must be
- manually configured for each site you wish to encrypt with.</DD>
-<DT>Get on the linux-ipsec mailing list</DT>
-<DD>The discussion forum for people working on the project, and testing
- the code and documentation, is: linux-ipsec@clinet.fi. To join this
- mailing list, send email to<A href="mailto:linux-ipsec-REQUEST@clinet.fi">
- linux-ipsec-REQUEST@clinet.fi</A> containing a line of text that says
- &quot;subscribe linux-ipsec&quot;. (You can later get off the mailing list the
- same way -- just send &quot;unsubscribe linux-ipsec&quot;).</DD>
-<P></P>
-<DT>Check back at this web page every once in a while</DT>
-<DD>I update this page periodically, and there may be new information in
- it that you haven't seen. My intent is to send email to the mailing
- list when I update the page in any significant way, so subscribing to
- the list is an alternative.</DD>
-</DL>
-<P>Would you like to help? I can use people who are willing to write
- documentation, install early releases for testing, write cryptographic
- code outside the United States, sell pre-packaged software or systems
- including this technology, and teach classes for network administrators
- who want to install this technology. To offer to help, send me email at
- gnu@toad.com. Tell me what country you live in and what your
- citizenship is (it matters due to the export control laws; personally I
- don't care). Include a copy of your resume and the URL of your home
- page. Describe what you'd like to do for the project, and what you're
- uniquely qualified for. Mention what other volunteer projects you've
- been involved in (and how they worked out). Helping out will require
- that you be able to commit to doing particular things, meet your
- commitments, and be responsive by email. Volunteer projects just don't
- work without those things.</P>
-<H4><A NAME="26_2_1_5">Related projects</A></H4>
-<DL>
-<DT>IPSEC for NetBSD</DT>
-<DD>This prototype implementation of the IP Security protocols is for
- another free operating system.<A href="ftp://ftp.funet.fi/pub/unix/security/net/ip/BSDipsec.tar.gz">
- Download BSDipsec.tar.gz</A>.</DD>
-<DT>IPSEC for<A href="http://www.openbsd.org"> OpenBSD</A></DT>
-<DD>This prototype implementation of the IP Security protocols is for
- yet another free operating system. It is directly integrated into the
- OS release, since the OS is maintained in Canada, which has freedom of
- speech in software.</DD>
-</DL>
-<H3><A name="policestate">Stopping wholesale monitoring</A></H3>
-<P>From a message project leader John Gilmore posted to the mailing
- list:</P>
-<PRE>John Denker wrote:
-
-&gt; Indeed there are several ways in which the documentation overstates the 
-&gt; scope of what this project does -- starting with the name 
-&gt; FreeS/WAN.  There's a big difference between having an encrypted IP tunnel 
-&gt; versus having a Secure Wide-Area Network.  This software does a fine job of 
-&gt; the former, which is necessary but not sufficient for the latter.
-
-The goal of the project is to make it very hard to tap your wide area
-communications.  The current system provides very good protection
-against passive attacks (wiretapping and those big antenna farms).
-Active attacks, which involve the intruder sending packets to your
-system (like packets that break into sendmail and give them a root
-shell :-) are much harder to guard against.  Active attacks that
-involve sending people (breaking into your house and replacing parts
-of your computer with ones that transmit what you're doing) are also
-much harder to guard against.  Though we are putting effort into
-protecting against active attacks, it's a much bigger job than merely
-providing strong encryption.  It involves general computer security,
-and general physical security, which are two very expensive problems
-for even a site to solve, let alone to build into a whole society.
-
-The societal benefit of building an infrastructure that protects
-well against passive attacks is that it makes it much harder to do
-undetected bulk monitoring of the population.  It's a defense against
-police-states, not against policemen.
-
-Policemen can put in the effort required to actively attack sites that
-they have strong suspicions about.  But police states won't be able to
-build systems that automatically monitor everyone's communications.
-Either they will be able to monitor only a small subset of the
-populace (by targeting those who screwed up their passive security),
-or their monitoring activities will be detectable by those monitored
-(active attacks leave packet traces or footprints), which can then be
-addressed through the press and through political means if they become
-too widespread.
-
-FreeS/WAN does not protect very well against traffic analysis, which
-is a kind of widespread police-state style monitoring that still
-reveals significant information (who's talking to who) without
-revealing the contents of what was said.  Defenses against traffic
-analysis are an open research problem.  Zero Knowledge Systems is
-actively deploying a system designed to thwart it, designed by Ian
-Goldberg.  The jury is out on whether it actually works; a lot more
-experience with it will be needed.</PRE>
-<P>Notes on things mentioned in that message:</P>
-<UL>
-<LI>Denker is a co-author of a<A href="#applied"> paper</A> on a large
- FreeS/WAN application.</LI>
-<LI>Information on Zero Knowledge is on their<A href="http://www.zks.net/">
- web site</A>. Their Freedom product, designed to provide untracable
- pseudonyms for use on the net, is no longer marketed.</LI>
-<LI>Another section of our documentation discusses ways to<A href="#traffic.resist">
- resist traffic analysis</A>.</LI>
-</UL>
-<H2><A name="weak">Government promotion of weak crypto</A></H2>
-<P>Various groups, especially governments and especially the US
- government, have a long history of advocating various forms of bogus
- security.</P>
-<P>We regard bogus security as extremely dangerous. If users are
- deceived into relying on bogus security, then they may be exposed to
- large risks. They would be better off having no security and knowing
- it. At least then they would be careful about what they said.</P>
-<P><STRONG>Avoiding bogus security is a key design criterion for
- everything we do in FreeS/WAN</STRONG>. The most conspicuous example is
- our refusal to support<A href="#desnotsecure"> single DES</A>. Other
- IPsec &quot;features&quot; which we do not implement are discussed in our<A href="#dropped">
- compatibility</A> document.</P>
-<H3><A name="escrow">Escrowed encryption</A></H3>
-<P>Various governments have made persistent attempts to encourage or
- mandate &quot;escrowed encrytion&quot;, also called &quot;key recovery&quot;, or GAK for
- &quot;government access to keys&quot;. The idea is that cryptographic keys be
- held by some third party and turned over to law enforcement or security
- agencies under some conditions.</P>
-<PRE>  Mary had a little key - she kept it in escrow,
-  and every thing that Mary said,
-  the feds were sure to know.</PRE>
-<P>A<A href="#quotes"> crypto quotes</A> page attributes this to<A href="http://www.scramdisk.clara.net/">
- Sam Simpson</A>.</P>
-<P>There is an excellent paper available on<A href="http://www.cdt.org/crypto/risks98/">
- Risks of Escrowed Encryption</A>, from a group of cryptographic
- luminaries which included our project leader.</P>
-<P>Like any unnecessary complication, GAK tends to weaken security of
- any design it infects. For example:</P>
-<UL>
-<LI>Matt Blaze found a fatal flaw in the US government's Clipper chip
- shortly after design information became public. See his paper &quot;Protocol
- Failure in the Escrowed Encryption Standard&quot; on his<A href="http://www.crypto.com/papers/">
- papers</A> page.</LI>
-<LI>a rather<A href="http://www.pgp.com/other/advisories/adk.asp"> nasty
- bug</A> was found in the &quot;additional decryption keys&quot; &quot;feature&quot; of some
- releases of<A href="#PGP"> PGP</A></LI>
-</UL>
-<P>FreeS/WAN does not support escrowed encryption, and never will.</P>
-<H3><A name="shortkeys">Limited key lengths</A></H3>
-<P>Various governments, and some vendors, have also made persistent
- attempts to convince people that:</P>
-<UL>
-<LI>weak systems are sufficient for some data</LI>
-<LI>strong cryptography should be reserved for cases where the extra
- overheads are justified</LI>
-</UL>
-<P><STRONG>This is utter nonsense</STRONG>.</P>
-<P>Weak systems touted include:</P>
-<UL>
-<LI>the ludicrously weak (deliberately crippled) 40-bit ciphers that
- until recently were all various<A href="#exlaw"> export laws</A>
- allowed</LI>
-<LI>56-bit single DES, discussed<A href="#desnotsecure"> below</A></LI>
-<LI>64-bit symmetric ciphers and 512-bit RSA, the maximums for
- unrestricted export under various current laws</LI>
-</UL>
-<P>The notion that choice of ciphers or keysize should be determined by
- a trade-off between security requirements and overheads is pure
- bafflegab.</P>
-<UL>
-<LI>For most<A href="#symmetric"> symmetric ciphers</A>, it is simply a
- lie. Any block cipher has some natural maximum keysize inherent in the
- design -- 128 bits for<A href="#IDEA"> IDEA</A> or<A href="#CAST128">
- CAST-128</A>, 256 for Serpent or Twofish, 448 for<A href="#Blowfish">
- Blowfish</A> and 2048 for<A href="#RC4"> RC4</A>. Using a key size
- smaller than that limit gives<EM> exactly zero</EM> savings in
- overhead. The crippled 40-bit or 64-bit version of the cipher provides<EM>
- no advantage whatsoever</EM>.</LI>
-<LI><A href="#AES">AES</A> uses 10 rounds with 128-bit keys, 12 rounds
- for 192-bit and 14 rounds for 256-bit, so there actually is a small
- difference in overhead, but not enough to matter in most applications.</LI>
-<LI>For<A href="#3DES"> triple DES</A> there is a grain of truth in the
- argument. 3DES is indeed three times slower than single DES. However,
- the solution is not to use the insecure single DES, but to pick a
- faster secure cipher.<A href="#CAST128"> CAST-128</A>,<A href="#Blowfish">
- Blowfish</A> and the<A href="#AES"> AES candidate</A> ciphers are are
- all considerably faster in software than DES (let alone 3DES!), and
- apparently secure.</LI>
-<LI>For<A href="#public"> public key</A> techniques, there are extra
- overheads for larger keys, but they generally do not affect overall
- performance significantly. Practical public key applications are
- usually<A href="#hybrid"> hybrid</A> systems in which the bulk of the
- work is done by a symmetric cipher. The effect of increasing the cost
- of the public key operations is typically negligible because the public
- key operations use only a tiny fraction of total resources.
-<P>For example, suppose public key operations use use 1% of the time in
- a hybrid system and you triple the cost of public key operations. The
- cost of symmetric cipher operations is unchanged at 99% of the original
- total cost, so the overall effect is a jump from 99 + 1 = 100 to 99 + 3
- = 102, a 2% rise in system cost.</P>
-</LI>
-</UL>
-<P>In short,<STRONG> there has never been any technical reason to use
- inadequate ciphers</STRONG>. The only reason there has ever been for
- anyone to use such ciphers is that government agencies want weak
- ciphers used so that they can crack them. The alleged savings are
- simply propaganda.</P>
-<PRE>   Mary had a little key (It's all she could export),
-   and all the email that she sent was opened at the Fort.</PRE>
-<P>A<A href="#quotes"> crypto quotes</A> page attributes this to<A href="http://theory.lcs.mit.edu:80/~rivest/">
- Ron Rivest</A>. NSA headquarters is at Fort Meade, Maryland.</P>
-<P>Our policy in FreeS/WAN is to use only cryptographic components with
- adequate keylength and no known weaknesses.</P>
-<UL>
-<LI>We do not implement single DES because it is clearly<A href="#desnotsecure">
- insecure</A>, so implemeting it would violate our policy of avoiding
- bogus security. Our default cipher is<A href="#3DES"> 3DES</A></LI>
-<LI>Similarly, we do not implement the 768-bit Group 1 for<A href="#DH">
- Diffie-Hellman</A> key negotiation. We provide only the 1024-bit Group
- 2 and 1536-bit Group 5.</LI>
-</UL>
-<P>Detailed discussion of which IPsec features we implement or omit is
- in out<A href="compat.html"> compatibility document</A>.</P>
-<P>These decisions imply that we cannot fully conform to the IPsec RFCs,
- since those have DES as the only required cipher and Group 1 as the
- only required DH group. (In our view, the standards were subverted into
- offerring bogus security.) Fortunately, we can still interoperate with
- most other IPsec implementations since nearly all implementers provide
- at least 3DES and Group 2 as well.</P>
-<P>We hope that eventually the RFCs will catch up with our (and others')
- current practice and reject dubious components. Some of our team and a
- number of others are working on this in<A href="#ietf"> IETF</A>
- working groups.</P>
-<H4><A NAME="26_3_2_1">Some real trade-offs</A></H4>
-<P>Of course, making systems secure does involve costs, and trade-offs
- can be made between cost and security. However, the real trade-offs
- have nothing to do with using weaker ciphers.</P>
-<P>There can be substantial hardware and software costs. There are often
- substantial training costs, both to train administrators and to
- increase user awareness of security issues and procedures. There are
- almost always substantial staff or contracting costs.</P>
-<P>Security takes staff time for planning, implementation, testing and
- auditing. Some of the issues are subtle; you need good (hence often
- expensive) people for this. You also need people to monitor your
- systems and respond to problems. The best safe ever built is insecure
- if an attacker can work on it for days without anyone noticing. Any
- computer is insecure if the administrator is &quot;too busy&quot; to check the
- logs.</P>
-<P>Moreover, someone in your organisation (or on contract to it) needs
- to spend considerable time keeping up with new developments. EvilDoers<EM>
- will</EM> know about new attacks shortly after they are found. You need
- to know about them before your systems are attacked. If your vendor
- provides a patch, you need to apply it. If the vendor does nothing, you
- need to complain or start looking for another vendor.</P>
-<P>For a fairly awful example, see this<A href="http://www.sans.org/newlook/alerts/NTE-bank.htm">
- report</A>. In that case over a million credit card numbers were taken
- from e-commerce sites, using security flaws in Windows NT servers.
- Microsoft had long since released patches for most or all of the flaws,
- but the site administrators had not applied them.</P>
-<P>At an absolute minimum, you must do something about such issues<EM>
- before</EM> an exploitation tool is posted to the net for downloading
- by dozens of &quot;script kiddies&quot;. Such a tool might appear at any time
- from the announcement of the security hole to several months later.
- Once it appears, anyone with a browser and an attitude can break any
- system whose administrators have done nothing about the flaw.</P>
-<P>Compared to those costs, cipher overheads are an insignificant factor
- in the cost of security.</P>
-<P>The only thing using a weak cipher can do for you is to cause all
- your other investment to be wasted.</P>
-<H2><A name="exlaw">Cryptography Export Laws</A></H2>
-<P>Many nations restrict the export of cryptography and some restrict
- its use by their citizens or others within their borders.</P>
-<H3><A name="USlaw">US Law</A></H3>
-<P>US laws, as currently interpreted by the US government, forbid export
- of most cryptographic software from the US in machine-readable form
- without government permission. In general, the restrictions apply even
- if the software is widely-disseminated or public-domain and even if it
- came from outside the US originally. Cryptography is legally a munition
- and export is tightly controlled under the<A href="#EAR"> EAR</A>
- Export Administration Regulations.</P>
-<P>If you are a US citizen, your brain is considered US territory no
- matter where it is physically located at the moment. The US believes
- that its laws apply to its citizens everywhere, not just within the US.
- Providing technical assistance or advice to foreign &quot;munitions&quot;
- projects is illegal. The US government has very little sense of humor
- about this issue and does not consider good intentions to be sufficient
- excuse. Beware.</P>
-<P>The<A href="http://www.bxa.doc.gov/Encryption/"> official website</A>
- for these regulations is run by the Commerce Department's Bureau of
- Export Administration (BXA).</P>
-<P>The<A href="http://www.eff.org/bernstein/"> Bernstein case</A>
- challenges the export restrictions on Constitutional grounds. Code is
- speech so restrictions on export of code violate the First Amendment's
- free speech provisions. This argument has succeeded in two levels of
- court so far. It is quite likely to go on to the Supreme Court.</P>
-<P>The regulations were changed substantially in January 2000,
- apparently as a government attempt to get off the hook in the Bernstein
- case. It is now legal to export public domain source code for
- encryption, provided you notify the<A href="#BXA"> BXA</A>.</P>
-<P>There are, however, still restrictions in force. Moreover, the
- regulations can still be changed again whenever the government chooses
- to do so. Short of a Supreme Court ruling (in the Berstein case or
- another) that overturns the regulations completely, the problem of
- export regulation is not likely to go away in the forseeable future.</P>
-<H4><A name="UScontrib">US contributions to FreeS/WAN</A></H4>
-<P>The FreeS/WAN project<STRONG> cannot accept software contributions,<EM>
- not even small bug fixes</EM>, from US citizens or residents</STRONG>.
- We want it to be absolutely clear that our distribution is not subject
- to US export law. Any contribution from an American might open that
- question to a debate we'd prefer to avoid. It might also put the
- contributor at serious legal risk.</P>
-<P>Of course Americans can still make valuable contributions (many
- already have) by reporting bugs, or otherwise contributing to
- discussions, on the project<A href="mail.html"> mailing list</A>. Since
- the list is public, this is clearly constitutionally protected free
- speech.</P>
-<P>Note, however, that the export laws restrict Americans from providing
- technical assistance to foreign &quot;munitions&quot; projects. The government
- might claim that private discussions or correspondence with FreeS/WAN
- developers were covered by this. It is not clear what the courts would
- do with such a claim, so we strongly encourage Americans to use the
- list rather than risk the complications.</P>
-<H3><A name="wrong">What's wrong with restrictions on cryptography</A></H3>
-<P>Some quotes from prominent cryptography experts:</P>
-<BLOCKQUOTE> The real aim of current policy is to ensure the continued
- effectiveness of US information warfare assets against individuals,
- businesses and governments in Europe and elsewhere.
-<BR><A href="http://www.cl.cam.ac.uk/users/rja14"> Ross Anderson,
- Cambridge University</A></BLOCKQUOTE><BLOCKQUOTE> If the government
- were honest about its motives, then the debate about crypto export
- policy would have ended years ago.
-<BR><A href="http://www.counterpane.com"> Bruce Schneier, Counterpane
- Systems</A></BLOCKQUOTE><BLOCKQUOTE> The NSA regularly lies to people
- who ask it for advice on export control. They have no reason not to;
- accomplishing their goal by any legal means is fine by them. Lying by
- government employees is legal.
-<BR> John Gilmore.</BLOCKQUOTE>
-<P>The Internet Architecture Board (IAB) and the Internet Engineering
- Steering Group (IESG) made a<A href="iab-iesg.stmt"> strong statement</A>
- in favour of worldwide access to strong cryptography. Essentially the
- same statement is in the appropriately numbered<A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">
- RFC 1984</A>. Two critical paragraphs are:</P>
-<BLOCKQUOTE> ... various governments have actual or proposed policies on
- access to cryptographic technology ...
-<P>(a) ... export controls ...
-<BR> (b) ... short cryptographic keys ...
-<BR> (c) ... keys should be in the hands of the government or ...
-<BR> (d) prohibit the use of cryptology ...</P>
-<P>We believe that such policies are against the interests of consumers
- and the business community, are largely irrelevant to issues of
- military security, and provide only a marginal or illusory benefit to
- law enforcement agencies, ...</P>
-<P>The IAB and IESG would like to encourage policies that allow ready
- access to uniform strong cryptographic technology for all Internet
- users in all countries.</P>
-</BLOCKQUOTE>
-<P>Our goal in the FreeS/WAN project is to build just such &quot;strong
- cryptographic technology&quot; and to distribute it &quot;for all Internet users
- in all countries&quot;.</P>
-<P>More recently, the same two bodies (IESG and IAB) have issued<A href="ftp://ftp.isi.edu/in-notes/rfc2804.txt">
- RFC 2804</A> on why the IETF should not build wiretapping capabilities
- into protocols for the convenience of security or law enforcement
- agenicies. The abstract from that document is:</P>
-<BLOCKQUOTE> The Internet Engineering Task Force (IETF) has been asked
- to take a position on the inclusion into IETF standards-track documents
- of functionality designed to facilitate wiretapping.
-<P>This memo explains what the IETF thinks the question means, why its
- answer is &quot;no&quot;, and what that answer means.</P>
-</BLOCKQUOTE> A quote from the debate leading up to that RFC:<BLOCKQUOTE>
- We should not be building surveillance technology into standards. Law
- enforcement was not supposed to be easy. Where it is easy, it's called
- a police state.
-<BR> Jeff Schiller of MIT, in a discussion of FBI demands for wiretap
- capability on the net, as quoted by<A href="http://www.wired.com/news/politics/0,1283,31895,00.html">
- Wired</A>.</BLOCKQUOTE>
-<P>The<A href="http://www.ietf.org/mailman/listinfo/raven"> Raven</A>
- mailing list was set up for this IETF discussion.</P>
-<P>Our goal is to go beyond that RFC and prevent Internet wiretapping
- entirely.</P>
-<H3><A name="Wassenaar">The Wassenaar Arrangement</A></H3>
-<P>Restrictions on the export of cryptography are not just US policy,
- though some consider the US at least partly to blame for the policies
- of other nations in this area.</P>
-<P>A number of countries:</P>
-<P>Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech
- Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland,
- Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland,
- Portugal, Republic of Korea, Romania, Russian Federation, Slovak
- Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom
- and United States</P>
-<P>have signed the Wassenaar Arrangement which restricts export of
- munitions and other tools of war. Cryptographic sofware is covered
- there.</P>
-<P>Wassenaar details are available from the<A href="http://www.wassenaar.org/">
- Wassenaar Secretariat</A>, and elsewhere in a more readable<A href="http://www.fitug.de/news/wa/index.html">
- HTML version</A>.</P>
-<P>For a critique see the<A href="http://www.gilc.org/crypto/wassenaar">
- GILC site</A>:</P>
-<BLOCKQUOTE> The Global Internet Liberty Campaign (GILC) has begun a
- campaign calling for the removal of cryptography controls from the
- Wassenaar Arrangement.
-<P>The aim of the Wassenaar Arrangement is to prevent the build up of
- military capabilities that threaten regional and international security
- and stability . . .</P>
-<P>There is no sound basis within the Wassenaar Arrangement for the
- continuation of any export controls on cryptographic products.</P>
-</BLOCKQUOTE>
-<P>We agree entirely.</P>
-<P>An interesting analysis of Wassenaar can be found on the<A href="http://www.cyber-rights.org/crypto/wassenaar.htm">
- cyber-rights.org</A> site.</P>
-<H3><A name="status">Export status of Linux FreeS/WAN</A></H3>
-<P>We believe our software is entirely exempt from these controls since
- the Wassenaar<A href="http://www.wassenaar.org/list/GTN%20and%20GSN%20-%2099.pdf">
- General Software Note</A> says:</P>
-<BLOCKQUOTE> The Lists do not control &quot;software&quot; which is either:
-<OL>
-<LI>Generally available to the public by . . . retail . . . or</LI>
-<LI>&quot;In the public domain&quot;.</LI>
-</OL>
-</BLOCKQUOTE>
-<P>There is a note restricting some of this, but it is a sub-heading
- under point 1, so it appears not to apply to public domain software.</P>
-<P>Their glossary defines &quot;In the public domain&quot; as:</P>
-<BLOCKQUOTE> . . . &quot;technology&quot; or &quot;software&quot; which has been made
- available without restrictions upon its further dissemination.
-<P>N.B. Copyright restrictions do not remove &quot;technology&quot; or &quot;software&quot;
- from being &quot;in the public domain&quot;.</P>
-</BLOCKQUOTE>
-<P>We therefore believe that software freely distributed under the<A href="#GPL">
- GNU Public License</A>, such as Linux FreeS/WAN, is exempt from
- Wassenaar restrictions.</P>
-<P>Most of the development work is being done in Canada. Our
- understanding is that the Canadian government accepts this
- interpretation.</P>
-<UL>
-<LI>A web statement of<A href="http://www.dfait-maeci.gc.ca/~eicb/notices/ser113-e.htm">
- Canadian policy</A> is available from the Department of Foreign Affairs
- and International Trade.</LI>
-<LI>Another document from that department states that<A href="http://www.dfait-maeci.gc.ca/~eicb/export/gr1_e.htm">
- public domain software</A> is exempt from the export controls.</LI>
-<LI>A researcher's<A href="http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html">
- analysis</A> of Canadian policy is also available.</LI>
-</UL>
-<P>Recent copies of the freely modifiable and distributable source code
- exist in many countries. Citizens all over the world participate in its
- use and evolution, and guard its ongoing distribution. Even if Canadian
- policy were to change, the software would continue to evolve in
- countries which do not restrict exports, and would continue to be
- imported from there into unfree countries. &quot;The Net culture treats
- censorship as damage, and routes around it.&quot;</P>
-<H3><A name="help">Help spread IPsec around</A></H3>
-<P>You can help. If you don't know of a Linux FreeS/WAN archive in your
- own country, please download it now to your personal machine, and
- consider making it publicly accessible if that doesn't violate your own
- laws. If you have the resources, consider going one step further and
- setting up a mirror site for the whole<A href="#munitions"> munitions</A>
- Linux crypto software archive.</P>
-<P>If you make Linux CD-ROMs, please consider including this code, in a
- way that violates no laws (in a free country, or in a domestic-only CD
- product).</P>
-<P>Please send a note about any new archive mirror sites or CD
- distributions to linux-ipsec@clinet.fi so we can update the
- documentation.</P>
-<P>Lists of current<A href="#sites"> mirror sites</A> and of<A href="#distwith">
- distributions</A> which include FreeS/WAN are in our introduction
- section.</P>
-<H2><A name="desnotsecure">DES is Not Secure</A></H2>
-<P>DES, the<STRONG> D</STRONG>ata<STRONG> E</STRONG>ncryption<STRONG> S</STRONG>
-tandard, can no longer be considered secure. While no major flaws in its
- innards are known, it is fundamentally inadequate because its<STRONG>
- 56-bit key is too short</STRONG>. It is vulnerable to<A href="#brute">
- brute-force search</A> of the whole key space, either by large
- collections of general-purpose machines or even more quickly by
- specialized hardware. Of course this also applies to<STRONG> any other
- cipher with only a 56-bit key</STRONG>. The only reason anyone could
- have for using a 56 or 64-bit key is to comply with various<A href="exportlaw.html">
- export laws</A> intended to ensure the use of breakable ciphers.</P>
-<P>Non-government cryptologists have been saying DES's 56-bit key was
- too short for some time -- some of them were saying it in the 70's when
- DES became a standard -- but the US government has consistently
- ridiculed such suggestions.</P>
-<P>A group of well-known cryptographers looked at key lengths in a<A href="http://www.counterpane.com/keylength.html">
- 1996 paper</A>. They suggested a<EM> minimum</EM> of 75 bits to
- consider an existing cipher secure and a<EM> minimum of 90 bits for new
- ciphers</EM>. More recent papers, covering both<A href="#symmetric">
- symmetric</A> and<A href="#public"> public key</A> systems are at<A href="http://www.cryptosavvy.com/">
- cryptosavvy.com</A> and<A href="http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html">
- rsa.com</A>. For all algorithms, the minimum keylengths recommended in
- such papers are significantly longer than the maximums allowed by
- various export laws.</P>
-<P>In a<A href="http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-09/0095.html">
- 1998 ruling</A>, a German court described DES as &quot;out-of-date and not
- safe enough&quot; and held a bank liable for using it.</P>
-<H3><A name="deshware">Dedicated hardware breaks DES in a few days</A></H3>
-<P>The question of DES security has now been settled once and for all.
- In early 1998, the<A href="http://www.eff.org/"> Electronic Frontier
- Foundation</A> built a<A href="http://www.eff.org/descracker.html">
- DES-cracking machine</A>. It can find a DES key in an average of a few
- days' search. The details of all this, including complete code listings
- and complete plans for the machine, have been published in<A href="#EFF">
-<CITE> Cracking DES</CITE></A>, by the Electronic Frontier Foundation.</P>
-<P>That machine cost just over $200,000 to design and build. &quot;Moore's
- Law&quot; is that machines get faster (or cheaper, for the same speed) by
- roughly a factor of two every 18 months. At that rate, their $200,000
- in 1998 becomes $50,000 in 2001.</P>
-<P>However, Moore's Law is not exact and the $50,000 estimate does not
- allow for the fact that a copy based on the published EFF design would
- cost far less than the original. We cannot say exactly what such a
- cracker would cost today, but it would likely be somewhere between
- $10,000 and $100,000.</P>
-<P>A large corporation could build one of these out of petty cash. The
- cost is low enough for a senior manager to hide it in a departmental
- budget and avoid having to announce or justify the project. Any
- government agency, from a major municipal police force up, could afford
- one. Or any other group with a respectable budget -- criminal
- organisations, political groups, labour unions, religious groups, ...
- Or any millionaire with an obsession or a grudge, or just strange taste
- in toys.</P>
-<P>One might wonder if a private security or detective agency would have
- one for rent. They wouldn't need many clients to pay off that
- investment.</P>
-<H3><A name="spooks">Spooks may break DES faster yet</A></H3>
-<P>As for the security and intelligence agencies of various nations,
- they may have had DES crackers for years, and theirs may be much
- faster. It is difficult to make most computer applications work well on
- parallel machines, or to design specialised hardware to accelerate
- them. Cipher-cracking is one of the very few exceptions. It is entirely
- straightforward to speed up cracking by just adding hardware. Within
- very broad limits, you can make it as fast as you like if you have the
- budget. The EFF's $200,000 machine breaks DES in a few days. An<A href="http://www.planepage.com/">
- aviation website</A> gives the cost of a B1 bomber as $200,000,000.
- Spending that much, an intelligence agency could break DES in an
- average time of<EM> six and a half minutes</EM>.</P>
-<P>That estimate assumes they use the EFF's 1998 technology and just
- spend more money. They may have an attack that is superior to brute
- force, they quite likely have better chip technology (Moore's law, a
- bigger budget, and whatever secret advances they may have made) and of
- course they may have spent the price of an aircraft carrier, not just
- one aircraft.</P>
-<P>In short, we have<EM> no idea</EM> how quickly these organisations
- can break DES. Unless they're spectacularly incompetent or horribly
- underfunded, they can certainly break it, but we cannot guess how
- quickly. Pick any time unit between days and milliseconds; none is
- entirely unbelievable. More to the point, none of them is of any
- comfort if you don't want such organisations reading your
- communications.</P>
-<P>Note that this may be a concern even if nothing you do is a threat to
- anyone's national security. An intelligence agency might well consider
- it to be in their national interest for certain companies to do well.
- If you're competing against such companies in a world market and that
- agency can read your secrets, you have a serious problem.</P>
-<P>One might wonder about technology the former Soviet Union and its
- allies developed for cracking DES during the Cold War. They must have
- tried; the cipher was an American standard and widely used. Certainly
- those countries have some fine mathematicians, and those agencies had
- budget. How well did they succeed? Is their technology now for sale or
- rent?</P>
-<H3><A name="desnet">Networks break DES in a few weeks</A></H3>
-<P>Before the definitive EFF effort, DES had been cracked several times
- by people using many machines. See this<A href="http://www.distributed.net/pressroom/DESII-1-PR.html">
- press release</A> for example.</P>
-<P>A major corporation, university, or government department could break
- DES by using spare cycles on their existing collection of computers, by
- dedicating a group of otherwise surplus machines to the problem, or by
- combining the two approaches. It might take them weeks or months,
- rather than the days required for the EFF machine, but they could do
- it.</P>
-<P>What about someone working alone, without the resources of a large
- organisation? For them, cracking DES will not be easy, but it may be
- possible. A few thousand dollars buys a lot of surplus workstations. A
- pile of such machines will certainly heat your garage nicely and might
- break DES in a few months or years. Or enroll at a university and use
- their machines. Or use an employer's machines. Or crack security
- somewhere and steal the resources to crack a DES key. Or write a virus
- that steals small amounts of resources on many machines. Or . . .</P>
-<P>None of these approaches are easy or break DES really quickly, but an
- attacker only needs to find one that is feasible and breaks DES quickly
- enough to be dangerous. How much would you care to bet that this will
- be impossible if the attacker is clever and determined? How valuable is
- your data? Are you authorised to risk it on a dubious bet?</P>
-<H3><A name="no_des">We disable DES</A></H3>
-<P>In short, it is now absolutely clear that<STRONG> DES is not secure</STRONG>
- against</P>
-<UL>
-<LI>any<STRONG> well-funded opponent</STRONG></LI>
-<LI>any opponent (even a penniless one) with access (even stolen access)
- to<STRONG> enough general purpose computers</STRONG></LI>
-</UL>
-<P>That is why<STRONG> Linux FreeS/WAN disables all transforms which use
- plain DES</STRONG> for encryption.</P>
-<P>DES is in the source code, because we need DES to implement our
- default encryption transform,<A href="#3DES"> Triple DES</A>.<STRONG>
- We urge you not to use single DES</STRONG>. We do not provide any easy
- way to enable it in FreeS/WAN, and our policy is to provide no
- assistance to anyone wanting to do so.</P>
-<H3><A name="40joke">40-bits is laughably weak</A></H3>
-<P>The same is true, in spades, of ciphers -- DES or others -- crippled
- by 40-bit keys, as many ciphers were required to be until recently
- under various<A href="#exlaw"> export laws</A>. A brute force search of
- such a cipher's keyspace is 2<SUP>16</SUP> times faster than a similar
- search against DES. The EFF's machine can do a brute-force search of a
- 40-bit key space in<EM> seconds</EM>. One contest to crack a 40-bit
- cipher was won by a student<A href="http://catless.ncl.ac.uk/Risks/18.80.html#subj1">
- using a few hundred idle machines at his university</A>. It took only
- three and half hours.</P>
-<P>We do not, and will not, implement any 40-bit cipher.</P>
-<H3><A name="altdes">Triple DES is almost certainly secure</A></H3>
-<P><A href="#3DES">Triple DES</A>, usually abbreviated 3DES, applies DES
- three times, with three different keys. DES seems to be basically an
- excellent cipher design; it has withstood several decades of intensive
- analysis without any disastrous flaws being found. It's only major flaw
- is that the small keyspace allows brute force attacks to succeeed.
- Triple DES enlarges the key space to 168 bits, making brute-force
- search a ridiculous impossibility.</P>
-<P>3DES is currently the only block cipher implemented in FreeS/WAN.
- 3DES is, unfortunately, about 1/3 the speed of DES, but modern CPUs
- still do it at quite respectable speeds. Some<A href="#benchmarks">
- speed measurements</A> for our code are available.</P>
-<H3><A name="aes.ipsec">AES in IPsec</A></H3>
-<P>The<A href="#AES"> AES</A> project has chosen a replacement for DES,
- a new standard cipher for use in non-classified US government work and
- in regulated industries such as banking. This cipher will almost
- certainly become widely used for many applications, including IPsec.</P>
-<P>The winner, announced in October 2000 after several years of analysis
- and discussion, was the<A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">
- Rijndael</A> cipher from two Belgian designers.</P>
-<P>It is almost certain that FreeS/WAN will add AES support.<A href="#patch">
- AES patches</A> are already available.</P>
-<H2><A name="press">Press coverage of Linux FreeS/WAN:</A></H2>
-<H3><A NAME="26_6_1">FreeS/WAN 1.0 press</A></H3>
-<UL>
-<LI><A href="http://www.wired.com/news/news/technology/story/19136.html">
-Wired</A> &quot;Linux-Based Crypto Stops Snoops&quot;, James Glave April 15 1999</LI>
-<LI><A href="http://slashdot.org/articles/99/04/15/1851212.shtml">
-Slashdot</A></LI>
-<LI><A href="http://dgl.com/itinfo/1999/it990415.html">DGL</A>, Damar
- Group Limited; looking at FreeS/WAN from a perspective of business
- computing</LI>
-<LI><A href="http://linuxtoday.com/stories/5010.html">Linux Today</A></LI>
-<LI><A href="http://www.tbtf.com/archive/1999-04-21.html#Tcep">TBTF</A>,
- Tasty Bits from the Technology Front</LI>
-<LI><A href="http://www.salonmagazine.com/tech/log/1999/04/16/encryption/index.html">
-Salon Magazine</A> &quot;Free Encryption Takes a Big Step&quot;</LI>
-</UL>
-<H3><A name="release">Press release for version 1.0</A></H3>
-<PRE>        Strong Internet Privacy Software Free for Linux Users Worldwide
-
-Toronto, ON, April 14, 1999 - 
-
-The Linux FreeS/WAN project today released free software to protect
-the privacy of Internet communications using strong encryption codes.
-FreeS/WAN automatically encrypts data as it crosses the Internet, to
-prevent unauthorized people from receiving or modifying it.  One
-ordinary PC per site runs this free software under Linux to become a
-secure gateway in a Virtual Private Network, without having to modify
-users' operating systems or application software.  The project built
-and released the software outside the United States, avoiding US
-government regulations which prohibit good privacy protection.
-FreeS/WAN version 1.0 is available immediately for downloading at
-http://www.xs4all.nl/~freeswan/.
-
-&quot;Today's FreeS/WAN release allows network administrators to build
-excellent secure gateways out of old PCs at no cost, or using a cheap
-new PC,&quot; said John Gilmore, the entrepreneur who instigated the
-project in 1996.  &quot;They can build operational experience with strong
-network encryption and protect their users' most important
-communications worldwide.&quot;
-
-&quot;The software was written outside the United States, and we do not
-accept contributions from US citizens or residents, so that it can be
-freely published for use in every country,&quot; said Henry Spencer, who
-built the release in Toronto, Canada.  &quot;Similar products based in the
-US require hard-to-get government export licenses before they can be
-provided to non-US users, and can never be simply published on a Web
-site.  Our product is freely available worldwide for immediate
-downloading, at no cost.&quot;
-
-FreeS/WAN provides privacy against both quiet eavesdropping (such as
-&quot;packet sniffing&quot;) and active attempts to compromise communications
-(such as impersonating participating computers).  Secure &quot;tunnels&quot; carry
-information safely across the Internet between locations such as a
-company's main office, distant sales offices, and roaming laptops.  This
-protects the privacy and integrity of all information sent among those
-locations, including sensitive intra-company email, financial transactions
-such as mergers and acquisitions, business negotiations, personal medical
-records, privileged correspondence with lawyers, and information about
-crimes or civil rights violations.  The software will be particularly
-useful to frequent wiretapping targets such as private companies competing
-with government-owned companies, civil rights groups and lawyers,
-opposition political parties, and dissidents. 
-
-FreeS/WAN provides privacy for Internet packets using the proposed
-standard Internet Protocol Security (IPSEC) protocols.  FreeS/WAN
-negotiates strong keys using Diffie-Hellman key agreement with 1024-bit
-keys, and encrypts each packet with 168-bit Triple-DES (3DES).  A modern
-$500 PC can set up a tunnel in less than a second, and can encrypt
-6 megabits of packets per second, easily handling the whole available
-bandwidth at the vast majority of Internet sites.  In preliminary testing,
-FreeS/WAN interoperated with 3DES IPSEC products from OpenBSD, PGP, SSH,
-Cisco, Raptor, and Xedia.  Since FreeS/WAN is distributed as source code,
-its innards are open to review by outside experts and sophisticated users,
-reducing the chance of undetected bugs or hidden security compromises.
-
-The software has been in development for several years.  It has been
-funded by several philanthropists interested in increased privacy on
-the Internet, including John Gilmore, co-founder of the Electronic
-Frontier Foundation, a leading online civil rights group.
-
-Press contacts:
-Hugh Daniel,   +1 408 353 8124, hugh@toad.com
-Henry Spencer, +1 416 690 6561, henry@spsystems.net
-
-* FreeS/WAN derives its name from S/WAN, which is a trademark of RSA Data
-  Security, Inc; used by permission.</PRE>
-<HR>
-<H1><A name="ipsec.detail">The IPsec protocols</A></H1>
-<P>This section provides information on the IPsec protocols which
- FreeS/WAN implements. For more detail, see the<A href="rfc.html"> RFCs</A>
-.</P>
-<P>The basic idea of IPsec is to provide security functions,<A href="#authentication">
- authentication</A> and<A href="#encryption"> encryption</A>, at the IP
- (Internet Protocol) level. This requires a higher-level protocol (IKE)
- to set things up for the IP-level services (ESP and AH).</P>
-<H2><A NAME="27_1">Protocols and phases</A></H2>
-<P>Three protocols are used in an IPsec implementation:</P>
-<DL>
-<DT>ESP, Encapsulating Security Payload</DT>
-<DD>Encrypts and/or authenticates data</DD>
-<DT>AH, Authentication Header</DT>
-<DD>Provides a packet authentication service</DD>
-<DT>IKE, Internet Key Exchange</DT>
-<DD>Negotiates connection parameters, including keys, for the other two</DD>
-</DL>
-<P>The term &quot;IPsec&quot; (also written as IPSEC) is slightly ambiguous. In
- some contexts, it includes all three of the above but in other contexts
- it refers only to AH and ESP.</P>
-<P>There is more detail below, but a quick summary of how the whole
- thing works is:</P>
-<DL>
-<DT>Phase one IKE (main mode exchange)</DT>
-<DD>sets up a keying channel (ISAKMP SA) between the two gateways</DD>
-<DT>Phase two IKE (quick mode exchange)</DT>
-<DD>sets up data channels (IPsec SAs)</DD>
-<DT>IPsec proper</DT>
-<DD>exchanges data using AH or ESP</DD>
-</DL>
-<P>Both phases of IKE are repeated periodically to automate re-keying.</P>
-<H2><A name="others">Applying IPsec</A></H2>
-<P>Authentication and encryption functions for network data can, of
- course, be provided at other levels. Many security protocols work at
- levels above IP.</P>
-<UL>
-<LI><A href="#PGP">PGP</A> encrypts and authenticates mail messages</LI>
-<LI><A href="#ssh">SSH</A> authenticates remote logins and then encrypts
- the session</LI>
-<LI><A href="#SSL">SSL</A> or<A href="#TLS"> TLS</A> provides security
- at the sockets layer, e.g. for secure web browsing</LI>
-</UL>
-<P>and so on. Other techniques work at levels below IP. For example,
- data on a communications circuit or an entire network can be encrypted
- by specialised hardware. This is common practice in high-security
- applications.</P>
-<H3><A name="advantages">Advantages of IPsec</A></H3>
-<P>There are, however, advantages to doing it at the IP level instead
- of, or as well as, at other levels.</P>
-<P>IPsec is the<STRONG> most general way to provide these services for
- the Internet</STRONG>.</P>
-<UL>
-<LI>Higher-level services protect a<EM> single protocol</EM>; for
- example PGP protects mail.</LI>
-<LI>Lower level services protect a<EM> single medium</EM>; for example a
- pair of encryption boxes on the ends of a line make wiretaps on that
- line useless unless the attacker is capable of breaking the encryption.</LI>
-</UL>
-<P>IPsec, however, can protect<EM> any protocol</EM> running above IP
- and<EM> any medium</EM> which IP runs over. More to the point, it can
- protect a mixture of application protocols running over a complex
- combination of media. This is the normal situation for Internet
- communication; IPsec is the only general solution.</P>
-<P>IPsec can also provide some security services &quot;in the background&quot;,
- with<STRONG> no visible impact on users</STRONG>. To use<A href="#PGP">
- PGP</A> encryption and signatures on mail, for example, the user must
- at least:</P>
-<UL>
-<LI>remember his or her passphrase,</LI>
-<LI>keep it secure</LI>
-<LI>follow procedures to validate correspondents' keys</LI>
-</UL>
-<P>These systems can be designed so that the burden on users is not
- onerous, but any system will place some requirements on users. No such
- system can hope to be secure if users are sloppy about meeting those
- requirements. The author has seen username and password stuck on
- terminals with post-it notes in an allegedly secure environment, for
- example.</P>
-<H3><A name="limitations">Limitations of IPsec</A></H3>
-<P>IPsec is designed to secure IP links between machines. It does that
- well, but it is important to remember that there are many things it
- does not do. Some of the important limitations are:</P>
-<DL>
-<DT><A name="depends">IPsec cannot be secure if your system isn't</A></DT>
-<DD>System security on IPsec gateway machines is an essential
- requirement if IPsec is to function as designed. No system can be
- trusted if the underlying machine has been subverted. See books on Unix
- security such as<A href="#practical"> Garfinkel and Spafford</A> or our
- web references for<A href="#linsec"> Linux security</A> or more general<A
-href="#compsec"> computer security</A>.
-<P>Of course, there is another side to this. IPsec can be a powerful
- tool for improving system and network security. For example, requiring
- packet authentication makes various spoofing attacks harder and IPsec
- tunnels can be extremely useful for secure remote administration of
- various things.</P>
-</DD>
-<DT><A name="not-end-to-end">IPsec is not end-to-end</A></DT>
-<DD>IPsec cannot provide the same end-to-end security as systems working
- at higher levels. IPsec encrypts an IP connection between two machines,
- which is quite a different thing than encrypting messages between users
- or between applications.
-<P>For example, if you need mail encrypted from the sender's desktop to
- the recipient's desktop and decryptable only by the recipient, use<A href="#PGP">
- PGP</A> or another such system. IPsec can encrypt any or all of the
- links involved -- between the two mail servers, or between either
- server and its clients. It could even be used to secure a direct IP
- link from the sender's desktop machine to the recipient's, cutting out
- any sort of network snoop. What it cannot ensure is end-to-end
- user-to-user security. If only IPsec is used to secure mail, then
- anyone with appropriate privileges on any machine where that mail is
- stored (at either end or on any store-and-forward servers in the path)
- can read it.</P>
-<P>In another common setup, IPsec encrypts packets at a security gateway
- machine as they leave the sender's site and decrypts them on arrival at
- the gateway to the recipient's site. This does provide a useful
- security service -- only encrypted data is passed over the Internet --
- but it does not even come close to providing an end-to-end service. In
- particular, anyone with appropriate privileges on either site's LAN can
- intercept the message in unencrypted form.</P>
-</DD>
-<DT><A name="notpanacea">IPsec cannot do everything</A></DT>
-<DD>IPsec also cannot provide all the functions of systems working at
- higher levels of the protocol stack. If you need a document
- electronically signed by a particular person, then you need his or her<A
-href="#signature"> digital signature</A> and a<A href="#public"> public
- key cryptosystem</A> to verify it with.
-<P>Note, however, that IPsec authentication of the underlying
- communication can make various attacks on higher-level protocols more
- difficult. In particular, authentication prevents<A href="#middle">
- man-in-the-middle attacks</A>.</P>
-</DD>
-<DT><A name="no_user">IPsec authenticates machines, not users</A></DT>
-<DD>IPsec uses strong authentication mechanisms to control which
- messages go to which machines, but it does not have the concept of user
- ID, which is vital to many other security mechansims and policies. This
- means some care must be taken in fitting the various security
- mechansims on a network together. For example, if you need to control
- which users access your database server, you need some non-IPsec
- mechansim for that. IPsec can control which machines connect to the
- server, and can ensure that data transfer to those machines is done
- securely, but that is all. Either the machines themselves must control
- user access or there must be some form of user authentication to the
- database, independent of IPsec.</DD>
-<DT><A name="DoS">IPsec does not stop denial of service attacks</A></DT>
-<DD><A href="#DOS">Denial of service</A> attacks aim at causing a system
- to crash, overload, or become confused so that legitimate users cannot
- get whatever services the system is supposed to provide. These are
- quite different from attacks in which the attacker seeks either to use
- the service himself or to subvert the service into delivering incorrect
- results.
-<P>IPsec shifts the ground for DoS attacks; the attacks possible against
- systems using IPsec are different than those that might be used against
- other systems. It does not, however, eliminate the possibility of such
- attacks.</P>
-</DD>
-<DT><A name="traffic">IPsec does not stop traffic analysis</A></DT>
-<DD><A href="#traffic">Traffic analysis</A> is the attempt to derive
- intelligence from messages without regard for their contents. In the
- case of IPsec, it would mean analysis based on things visible in the
- unencrypted headers of encrypted packets -- source and destination
- gateway addresses, packet size, et cetera. Given the resources to
- acquire such data and some skill in analysing it (both of which any
- national intelligence agency should have), this can be a very powerful
- technique.
-<P>IPsec is not designed to defend against this. Partial defenses are
- certainly possible, and some are<A href="#traffic.resist"> described
- below</A>, but it is not clear that any complete defense can be
- provided.</P>
-</DD>
-</DL>
-<H3><A name="uses">IPsec is a general mechanism for securing IP</A></H3>
-<P>While IPsec does not provide all functions of a mail encryption
- package, it can encrypt your mail. In particular, it can ensure that
- all mail passing between a pair or a group of sites is encrypted. An
- attacker looking only at external traffic, without access to anything
- on or behind the IPsec gateway, cannot read your mail. He or she is
- stymied by IPsec just as he or she would be by<A href="#PGP"> PGP</A>.</P>
-<P>The advantage is that IPsec can provide the same protection for<STRONG>
- anything transmitted over IP</STRONG>. In a corporate network example,
- PGP lets the branch offices exchange secure mail with head office. SSL
- and SSH allow them to securely view web pages, connect as terminals to
- machines, and so on. IPsec can support all those applications, plus
- database queries, file sharing (NFS or Windows), other protocols
- encapsulated in IP (Netware, Appletalk, ...), phone-over-IP,
- video-over-IP, ... anything-over-IP. The only limitation is that IP
- Multicast is not yet supported, though there are Internet Draft
- documents for that.</P>
-<P>IPsec creates<STRONG> secure tunnels through untrusted networks</STRONG>
-. Sites connected by these tunnels form VPNs,<A href="#VPN"> Virtual
- Private Networks</A>.</P>
-<P>IPsec gateways can be installed wherever they are required.</P>
-<UL>
-<LI>One organisation might choose to install IPsec only on firewalls
- between their LANs and the Internet. This would allow them to create a
- VPN linking several offices. It would provide protection against anyone
- outside their sites.</LI>
-<LI>Another might install IPsec on departmental servers so everything on
- the corporate backbone net was encrypted. This would protect messages
- on that net from everyone except the sending and receiving department.</LI>
-<LI>Another might be less concerned with information secrecy and more
- with controlling access to certain resources. They might use IPsec
- packet authentication as part of an access control mechanism, with or
- without also using the IPsec encryption service.</LI>
-<LI>It is even possible (assuming adequate processing power and an IPsec
- implementation in each node) to make every machine its own IPsec
- gateway so that everything on a LAN is encrypted. This protects
- information from everyone outside the sending and receiving machine.</LI>
-<LI>These techniques can be combined in various ways. One might, for
- example, require authentication everywhere on a network while using
- encryption only for a few links.</LI>
-</UL>
-<P>Which of these, or of the many other possible variants, to use is up
- to you.<STRONG> IPsec provides mechanisms; you provide the policy</STRONG>
-.</P>
-<P><STRONG>No end user action is required</STRONG> for IPsec security to
- be used; they don't even have to know about it. The site
- administrators, of course, do have to know about it and to put some
- effort into making it work. Poor administration can compromise IPsec as
- badly as the post-it notes mentioned above. It seems reasonable,
- though, for organisations to hope their system administrators are
- generally both more security-conscious than end users and more able to
- follow computer security procedures. If not, at least there are fewer
- of them to educate or replace.</P>
-<P>IPsec can be, and often should be, used with along with security
- protocols at other levels. If two sites communicate with each other via
- the Internet, then IPsec is the obvious way to protect that
- communication. If two others have a direct link between them, either
- link encryption or IPsec would make sense. Choose one or use both.
- Whatever you use at and below the IP level, use other things as
- required above that level. Whatever you use above the IP level,
- consider what can be done with IPsec to make attacks on the higher
- levels harder. For example,<A href="#middle"> man-in-the-middle attacks</A>
- on various protocols become difficult if authentication at packet level
- is in use on the potential victims' communication channel.</P>
-<H3><A name="authonly">Using authentication without encryption</A></H3>
-<P>Where appropriate, IPsec can provide authentication without
- encryption. One might do this, for example:</P>
-<UL>
-<LI>where the data is public but one wants to be sure of getting the
- right data, for example on some web sites</LI>
-<LI>where encryption is judged unnecessary, for example on some company
- or department LANs</LI>
-<LI>where strong encryption is provided at link level, below IP</LI>
-<LI>where strong encryption is provided in other protocols, above IP
-<BR> Note that IPsec authentication may make some attacks on those
- protocols harder.</LI>
-</UL>
-<P>Authentication has lower overheads than encryption.</P>
-<P>The protocols provide four ways to build such connections, using
- either an AH-only connection or ESP using null encryption, and in
- either manually or automatically keyed mode. FreeS/WAN supports only
- one of these, manually keyed AH-only connections, and<STRONG> we do not
- recommend using that</STRONG>. Our reasons are discussed under<A href="#traffic.resist">
- Resisting traffic analysis</A> a few sections further along.</P>
-<H3><A name="encnoauth">Encryption without authentication is dangerous</A>
-</H3>
-<P>Originally, the IPsec encryption protocol<A href="#ESP"> ESP</A>
- didn't do integrity checking. It only did encryption. Steve Bellovin
- found many ways to attack ESP used without authentication. See his
- paper<A href="http://www.research.att.com/~smb/papers/badesp.ps">
- Problem areas for the IP Security Protocols</A>. To make a secure
- connection, you had to add an<A href="#AH"> AH</A> Authentication
- Header as well as ESP. Rather than incur the overhead of several layers
- (and rather than provide an ESP layer that didn't actually protect the
- traffic), the IPsec working group built integrity and replay checking
- directly into ESP.</P>
-<P>Today, typical usage is one of:</P>
-<UL>
-<LI>ESP for encryption and authentication</LI>
-<LI>AH for authentication alone</LI>
-</UL>
-<P>Other variants are allowed by the standard, but not much used:</P>
-<DL>
-<DT>ESP encryption without authentication</DT>
-<DD><STRONG>Bellovin has demonstrated fatal flaws in this. Do not use.</STRONG>
-</DD>
-<DT>ESP encryption with AH authentication</DT>
-<DD>This has higher overheads than using the authentication in ESP, and
- no obvious benefit in most cases. The exception might be a network
- where AH authentication was widely or universally used. If you're going
- to do AH to conform with network policy, why authenticate again in the
- ESP layer?</DD>
-<DT>Authenticate twice, with AH and with ESP</DT>
-<DD>Why? Of course, some folk consider &quot;belt and suspenders&quot; the
- sensible approach to security. If you're among them, you might use both
- protocols here. You might also use both to satisfy different parts of a
- security policy. For example, an organisation might require AH
- authentication everywhere but two users within the organisation might
- use ESP as well.</DD>
-<DT>ESP authentication without encryption</DT>
-<DD>The standard allows this, calling it &quot;null encryption&quot;. FreeS/WAN
- does not support it. We recommend that you use AH instead if
- authentication is all you require. AH authenticates parts of the IP
- header, which ESP-null does not do.</DD>
-</DL>
-<P>Some of these variants cannot be used with FreeS/WAN because we do
- not support ESP-null and do not support automatic keying of AH-only
- connections.</P>
-<P>There are fairly frequent suggestions that AH be dropped entirely
- from the IPsec specifications since ESP and null encryption can handle
- that situation. It is not clear whether this will occur. My guess is
- that it is unlikely.</P>
-<H3><A name="multilayer">Multiple layers of IPsec processing are
- possible</A></H3>
-<P>The above describes combinations possible on a single IPsec
- connection. In a complex network you may have several layers of IPsec
- in play, with any of the above combinations at each layer.</P>
-<P>For example, a connection from a desktop machine to a database server
- might require AH authentication. Working with other host, network and
- database security measures, AH might be just the thing for access
- control. You might decide not to use ESP encryption on such packets,
- since it uses resources and might complicate network debugging. Within
- the site where the server is, then, only AH would be used on those
- packets.</P>
-<P>Users at another office, however, might have their whole connection
- (AH headers and all) passing over an IPsec tunnel connecting their
- office to the one with the database server. Such a tunnel should use
- ESP encryption and authentication. You need authentication in this
- layer because without authentication the encryption is vulnerable and
- the gateway cannot verify the AH authentication. The AH is between
- client and database server; the gateways aren't party to it.</P>
-<P>In this situation, some packets would get multiple layers of IPsec
- applied to them, AH on an end-to-end client-to-server basis and ESP
- from one office's security gateway to the other.</P>
-<H3><A name="traffic.resist">Resisting traffic analysis</A></H3>
-<P><A href="#traffic">Traffic analysis</A> is the attempt to derive
- useful intelligence from encrypted traffic without breaking the
- encryption.</P>
-<P>Is your CEO exchanging email with a venture capital firm? With
- bankruptcy trustees? With an executive recruiting agency? With the
- holder of some important patents? If an eavesdropper learns about any
- of those, then he has interesting intelligence on your company, whether
- or not he can read the messages themselves.</P>
-<P>Even just knowing that there is network traffic between two sites may
- tell an analyst something useful, especially when combined with
- whatever other information he or she may have. For example, if you know
- Company A is having cashflow problems and Company B is looking for
- aquisitions, then knowing that packets are passing between the two is
- interesting. It is more interesting if you can tell it is email, and
- perhaps yet more if you know the sender and recipient.</P>
-<P>Except in the simplest cases, traffic analysis is hard to do well. It
- requires both considerable resources and considerable analytic skill.
- However, intelligence agencies of various nations have been doing it
- for centuries and many of them are likely quite good at it by now.
- Various commercial organisations, especially those working on &quot;targeted
- marketing&quot; may also be quite good at analysing certain types of
- traffic.</P>
-<P>In general, defending against traffic analysis is also difficult.
- Inventing a really good defense could get you a PhD and some
- interesting job offers.</P>
-<P>IPsec is not designed to stop traffic analysis and we know of no
- plausible method of extending it to do so. That said, there are ways to
- make traffic analysis harder. This section describes them.</P>
-<H4><A name="extra">Using &quot;unnecessary&quot; encryption</A></H4>
-<P>One might choose to use encryption even where it appears unnecessary
- in order to make analysis more difficult. Consider two offices which
- pass a small volume of business data between them using IPsec and also
- transfer large volumes of Usenet news. At first glance, it would seem
- silly to encrypt the newsfeed, except possibly for any newsgroups that
- are internal to the company. Why encrypt data that is all publicly
- available from many sites?</P>
-<P>However, if we encrypt a lot of news and send it down the same
- connection as our business data, we make<A href="#traffic"> traffic
- analysis</A> much harder. A snoop cannot now make inferences based on
- patterns in the volume, direction, sizes, sender, destination, or
- timing of our business messages. Those messages are hidden in a mass of
- news messages encapsulated in the same way.</P>
-<P>If we're going to do this we need to ensure that keys change often
- enough to remain secure even with high volumes and with the adversary
- able to get plaintext of much of the data. We also need to look at
- other attacks this might open up. For example, can the adversary use a
- chosen plaintext attack, deliberately posting news articles which, when
- we receive and encrypt them, will help break our encryption? Or can he
- block our business data transmission by flooding us with silly news
- articles? Or ...</P>
-<P>Also, note that this does not provide complete protection against
- traffic analysis. A clever adversary might still deduce useful
- intelligence from statistical analysis (perhaps comparing the input
- newsfeed to encrypted output, or comparing the streams we send to
- different branch offices), or by looking for small packets which might
- indicate establishment of TCP connections, or ...</P>
-<P>As a general rule, though, to improve resistance to traffic analysis,
- you should<STRONG> encrypt as much traffic as possible, not just as
- much as seems necessary.</STRONG></P>
-<H4><A name="multi-encrypt">Using multiple encryption</A></H4>
-<P>This also applies to using multiple layers of encryption. If you have
- an IPsec tunnel between two branch offices, it might appear silly to
- send<A href="#PGP"> PGP</A>-encrypted email through that tunnel.
- However, if you suspect someone is snooping your traffic, then it does
- make sense:</P>
-<UL>
-<LI>it protects the mail headers; they cannot even see who is mailing
- who</LI>
-<LI>it protects against user bungles or software malfunctions that
- accidentally send messages in the clear</LI>
-<LI>it makes any attack on the mail encryption much harder; they have to
- break IPsec or break into your network before they can start on the
- mail encryption</LI>
-</UL>
-<P>Similar arguments apply for<A href="#SSL"> SSL</A>-encrypted web
- traffic or<A href="#ssh"> SSH</A>-encrypted remote login sessions, even
- for end-to-end IPsec tunnels between systems in the two offices.</P>
-<H4><A name="fewer">Using fewer tunnels</A></H4>
-<P>It may also help to use fewer tunnels. For example, if all you
- actually need encrypted is connections between:</P>
-<UL>
-<LI>mail servers at branch and head offices</LI>
-<LI>a few branch office users and the head office database server</LI>
-</UL>
-<P>You might build one tunnel per mail server and one per remote
- database user, restricting traffic to those applications. This gives
- the traffic analyst some information, however. He or she can
- distinguish the tunnels by looking at information in the ESP header
- and, given that distinction and the patterns of tunnel usage, might be
- able to figure out something useful. Perhaps not, but why take the
- risk?</P>
-<P>We suggest instead that you build one tunnel per branch office,
- encrypting everything passing from head office to branches. This has a
- number of advantages:</P>
-<UL>
-<LI>it is easier to build and administer</LI>
-<LI>it resists traffic analysis somewhat better</LI>
-<LI>it provides security for whatever you forgot. For example, if some
- user at a remote office browses proprietary company data on some head
- office web page (that the security people may not even know about!),
- then that data is encrypted before it reaches the Internet.</LI>
-</UL>
-<P>Of course you might also want to add additional tunnels. For example,
- if some of the database data is confidential and should not be exposed
- even within the company, then you need protection from the user's
- desktop to the database server. We suggest you do that in whatever way
- seems appropriate -- IPsec, SSH or SSL might fit -- but, whatever you
- choose, pass it between locations via a gateway-to-gateway IPsec tunnel
- to provide some resistance to traffic analysis.</P>
-<H2><A name="primitives">Cryptographic components</A></H2>
-<P>IPsec combines a number of cryptographic techniques, all of them
- well-known and well-analyzed. The overall design approach was
- conservative; no new or poorly-understood components were included.</P>
-<P>This section gives a brief overview of each technique. It is intended
- only as an introduction. There is more information, and links to
- related topics, in our<A href="glossary.html"> glossary</A>. See also
- our<A href="biblio.html"> bibliography</A> and cryptography<A href="#crypto.link">
- web links</A>.</P>
-<H3><A name="block.cipher">Block ciphers</A></H3>
-<P>The<A href="#encryption"> encryption</A> in the<A href="#ESP"> ESP</A>
- encapsulation protocol is done with a<A href="#block"> block cipher</A>
-.</P>
-<P>We do not implement<A href="#DES"> single DES</A>. It is<A href="#desnotsecure">
- insecure</A>. Our default, and currently only, block cipher is<A href="#3DES">
- triple DES</A>.</P>
-<P>The<A href="#rijndael"> Rijndael</A> block cipher has won the<A href="#AES">
- AES</A> competition to choose a relacement for DES. It will almost
- certainly be added to FreeS/WAN and to other IPsec implementations.<A href="#patch">
- Patches</A> are already available.</P>
-<H3><A name="hash.ipsec">Hash functions</A></H3>
-<H4><A name="hmac.ipsec">The HMAC construct</A></H4>
-<P>IPsec packet authentication is done with the<A href="#HMAC"> HMAC</A>
- construct. This is not just a hash of the packet data, but a more
- complex operation which uses both a hashing algorithm and a key. It
- therefore does more than a simple hash would. A simple hash would only
- tell you that the packet data was not changed in transit, or that
- whoever changed it also regenerated the hash. An HMAC also tells you
- that the sender knew the HMAC key.</P>
-<P>For IPsec HMAC, the output of the hash algorithm is truncated to 96
- bits. This saves some space in the packets. More important, it prevents
- an attacker from seeing all the hash output bits and perhaps creating
- some sort of attack based on that knowledge.</P>
-<H4><A NAME="27_3_2_2">Choice of hash algorithm</A></H4>
-<P>The IPsec RFCs require two hash algorithms --<A href="#MD5"> MD5</A>
- and<A href="#SHA"> SHA-1</A> -- both of which FreeS/WAN implements.</P>
-<P>Various other algorithms -- such as RIPEMD and Tiger -- are listed in
- the RFCs as optional. None of these are in the FreeS/WAN distribution,
- or are likely to be added, although user<A href="#patch"> patches</A>
- exist for several of them.</P>
-<P>Additional hash algorithms --<A href="#SHA-256"> SHA-256, SHA-384 and
- SHA-512</A> -- may be required to give hash strength matching the
- strength of<A href="#AES"> AES</A>. These are likely to be added to
- FreeS/WAN along with AES.</P>
-<H3><A name="DH.keying">Diffie-Hellman key agreement</A></H3>
-<P>The<A href="#DH"> Diffie-Hellman</A> key agreement protocol allows
- two parties (A and B or<A href="#alicebob"> Alice and Bob</A>) to agree
- on a key in such a way that an eavesdropper who intercepts the entire
- conversation cannot learn the key.</P>
-<P>The protocol is based on the<A href="#dlog"> discrete logarithm</A>
- problem and is therefore thought to be secure. Mathematicians have been
- working on that problem for years and seem no closer to a solution,
- though there is no proof that an efficient solution is impossible.</P>
-<H3><A name="RSA.auth">RSA authentication</A></H3>
-<P>The<A href="#RSA"> RSA</A> algorithm (named for its inventors --
- Rivest, Shamir and Adleman) is a very widely used<A href="glossary.html#">
- public key</A> cryptographic technique. It is used in IPsec as one
- method of authenticating gateways for Diffie-Hellman key negotiation.</P>
-<H2><A name="structure">Structure of IPsec</A></H2>
-<P>There are three protocols used in an IPsec implementation:</P>
-<DL>
-<DT>ESP, Encapsulating Security Payload</DT>
-<DD>Encrypts and/or authenticates data</DD>
-<DT>AH, Authentication Header</DT>
-<DD>Provides a packet authentication service</DD>
-<DT>IKE, Internet Key Exchange</DT>
-<DD>Negotiates connection parameters, including keys, for the other two</DD>
-</DL>
-<P>The term &quot;IPsec&quot; is slightly ambiguous. In some contexts, it includes
- all three of the above but in other contexts it refers only to AH and
- ESP.</P>
-<H3><A name="IKE.ipsec">IKE (Internet Key Exchange)</A></H3>
-<P>The IKE protocol sets up IPsec (ESP or AH) connections after
- negotiating appropriate parameters (algorithms to be used, keys,
- connection lifetimes) for them. This is done by exchanging packets on
- UDP port 500 between the two gateways.</P>
-<P>IKE (RFC 2409) was the outcome of a long, complex process in which
- quite a number of protocols were proposed and debated. Oversimplifying
- mildly, IKE combines:</P>
-<DL>
-<DT>ISAKMP (RFC 2408)</DT>
-<DD>The<STRONG> I</STRONG>nternet<STRONG> S</STRONG>ecurity<STRONG> A</STRONG>
-ssociation and<STRONG> K</STRONG>ey<STRONG> M</STRONG>anagement<STRONG>
- P</STRONG>rotocol manages negotiation of connections and defines<A href="#SA">
- SA</A>s (Security Associations) as a means of describing connection
- properties.</DD>
-<DT>IPsec DOI for ISAKMP (RFC 2407)</DT>
-<DD>A<STRONG> D</STRONG>omain<STRONG> O</STRONG>f<STRONG> I</STRONG>
-nterpretation fills in the details necessary to turn the rather abstract
- ISAKMP protocol into a more tightly specified protocol, so it becomes
- applicable in a particular domain.</DD>
-<DT>Oakley key determination protocol (RFC 2412)</DT>
-<DD>Oakley creates keys using the<A href="#DH"> Diffie-Hellman</A> key
- agreement protocol.</DD>
-</DL>
-<P>For all the details, you would need to read the four<A href="rfc.html">
- RFCs</A> just mentioned (over 200 pages) and a number of others. We
- give a summary below, but it is far from complete.</P>
-<H4><A name="phases">Phases of IKE</A></H4>
-<P>IKE negotiations have two phases.</P>
-<DL>
-<DT>Phase one</DT>
-<DD>The two gateways negotiate and set up a two-way ISAKMP SA which they
- can then use to handle phase two negotiations. One such SA between a
- pair of gateways can handle negotiations for multiple tunnels.</DD>
-<DT>Phase two</DT>
-<DD>Using the ISAKMP SA, the gateways negotiate IPsec (ESP and/or AH)
- SAs as required. IPsec SAs are unidirectional (a different key is used
- in each direction) and are always negotiated in pairs to handle two-way
- traffic. There may be more than one pair defined between two gateways.</DD>
-</DL>
-<P>Both of these phases use the UDP protocol and port 500 for their
- negotiations.</P>
-<P>After both IKE phases are complete, you have IPsec SAs to carry your
- encrypted data. These use the ESP or AH protocols. These protocols do
- not have ports. Ports apply only to UDP or TCP.</P>
-<P>The IKE protocol is designed to be extremely flexible. Among the
- things that can be negotiated (separately for each SA) are:</P>
-<UL>
-<LI>SA lifetime before rekeying</LI>
-<LI>encryption algorithm used. We currently support only<A href="#3DES">
- triple DES</A>. Single DES is<A href="#desnotsecure"> insecure</A>. The
- RFCs say you MUST do DES, SHOULD do 3DES and MAY do various others. We
- do not do any of the others.</LI>
-<LI>authentication algorithms. We support<A href="#MD5"> MD5</A> and<A href="#SHA">
- SHA</A>. These are the two the RFCs require.</LI>
-<LI>choice of group for<A href="#DH"> Diffie-Hellman</A> key agreement.
- We currently support Groups 2 and 5 (which are defined modulo primes of
- various lengths) and do not support Group 1 (defined modulo a shorter
- prime, and therefore cryptographically weak) or groups 3 and 4 (defined
- using elliptic curves). The RFCs require only Group 1.</LI>
-</UL>
-<P>The protocol also allows implementations to add their own encryption
- algorithms, authentication algorithms or Diffie-Hellman groups. We do
- not support any such extensions, but there are some<A href="#patch">
- patches</A> that do.</P>
-<P>There are a number of complications:</P>
-<UL>
-<LI>The gateways must be able to authenticate each other's identities
- before they can create a secure connection. This host authentication is
- part of phase one negotiations, and is a required prerequisite for
- packet authentication used later. Host authentication can be done in a
- variety of ways. Those supported by FreeS/WAN are discussed in our<A href="#auto-auth">
- advanced configuration</A> document.</LI>
-<LI>Phase one can be done in two ways.
-<UL>
-<LI>Main Mode is required by the RFCs and supported in FreeS/WAN. It
- uses a 6-packet exzchange.</LI>
-<LI>Aggressive Mode is somewhat faster (only 3 packets) but reveals more
- to an eavesdropper. This is optional in the RFCs, not currently
- supported by FreeS/WAN, and not likely to be.</LI>
-</UL>
-</LI>
-<LI>A new group exchange may take place after phase one but before phase
- two, defining an additional group for use in the<A href="#DH">
- Diffie-Hellman</A> key agreement part of phase two. FreeS/WAN does not
- currently support this.</LI>
-<LI>Phase two always uses Quick Mode, but there are two variants of
- that:
-<UL>
-<LI>One variant provides<A href="#PFS"> Perfect Forward Secrecy (PFS)</A>
-. An attacker that obtains your long-term host authentication key does
- not immediately get any of your short-term packet encryption of packet
- authentication keys. He must conduct another successful attack each
- time you rekey to get the short-term keys. Having some short-term keys
- does not help him learn others. In particular, breaking your system
- today does not let him read messages he archived yestarday, assuming
- you've changed short-term keys in the meanwhile. We enable PFS as the
- default.</LI>
-<LI>The other variant disables PFS and is therefore slightly faster. We
- do not recommend this since it is less secure, but FreeS/WAN does
- support it. You can enable it with a<VAR> pfs=no</VAR> statement in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>.</LI>
-<LI>The protocol provides no way to negotiate which variant will be
- used. If one gateway is set for PFS and the other is not, the
- negotiation fails. This has proved a fairly common source of
- interoperation problems.</LI>
-</UL>
-</LI>
-<LI>Several types of notification message may be sent by either side
- during either phase, or later. FreeS/WAN does not currently support
- these, but they are a likely addition in future releases.</LI>
-<LI>There is a commit flag which may optionally be set on some messages.
- The<A href="http://www.lounge.org/ike_doi_errata.html"> errata</A> page
- for the RFCs includes two changes related to this, one to clarify the
- description of its use and one to block a<A href="#DOS"> denial of
- service</A> attack which uses it. We currently do not implement this
- feature.</LI>
-</UL>
-<P>These complications can of course lead to problems, particularly when
- two different implementations attempt to interoperate. For example, we
- have seen problems such as:</P>
-<UL>
-<LI>Some implementations (often products crippled by<A href="#exlaw">
- export laws</A>) have the insecure DES algorithm as their only
- supported encryption method. Other parts of our documentation discuss
- the<A href="#desnotsecure"> reasons we do not implement single DES</A>,
- and<A href="interop.html#noDES"> how to cope with crippled products</A>
-.</LI>
-<LI>Windows 2000 IPsec tries to negotiate using Aggressive Mode, which
- we don't support. Later on, it uses the commit bit, which we also don't
- support.</LI>
-<LI>Various implementations disable PFS by default, and therefore will
- not talk to FreeS/WAN until you either turn on PFS on their end or turn
- it off in FreeS/WAN with a<VAR> pfs=no</VAR> entry in the connection
- description.</LI>
-<LI>FreeS/WAN's interaction with PGPnet is complicated by their use of
- notification messages we do not yet support.</LI>
-</UL>
-<P>Despite this, we do interoperate successfully with many
- implementations, including both Windows 2000 and PGPnet. Details are in
- our<A href="interop.html"> interoperability</A> document.</P>
-<H4><A name="sequence">Sequence of messages in IKE</A></H4>
-<P>Each phase (see<A href="#phases"> previous section</A>)of IKE
- involves a series of messages. In Pluto error messages, these are
- abbreviated using:</P>
-<DL>
-<DT>M</DT>
-<DD><STRONG>M</STRONG>ain mode, settting up the keying channel (ISAKMP
- SA)</DD>
-<DT>Q</DT>
-<DD><STRONG>Q</STRONG>uick mode, setting up the data channel (IPsec SA)</DD>
-<DT>I</DT>
-<DD><STRONG>I</STRONG>nitiator, the machine that starts the negotiation</DD>
-<DT>R</DT>
-<DD><STRONG>R</STRONG>esponder</DD>
-</DL>
-<P>For example, the six messages of a main mode negotiation, in
- sequence, are labelled:</P>
-<PRE>       MI1 ----------&gt;
-           &lt;---------- MR1
-       MI2 ----------&gt; 
-           &lt;---------- MR2
-       MI3 ----------&gt;
-           &lt;---------- MR3</PRE>
-<H4><A name="struct.exchange">Structure of IKE messages</A></H4>
-<P>Here is our Pluto developer explaining some of this on the mailing
- list:</P>
-<PRE>When one IKE system (for example, Pluto) is negotiating with another
-to create an SA, the Initiator proposes a bunch of choices and the
-Responder replies with one that it has selected.
-
-The structure of the choices is fairly complicated.  An SA payload
-contains a list of lists of &quot;Proposals&quot;.  The outer list is a set of
-choices: the selection must be from one element of this list.
-
-Each of these elements is a list of Proposals.  A selection must be
-made from each of the elements of the inner list.  In other words,
-*all* of them apply (that is how, for example, both AH and ESP can
-apply at once).
-
-Within each of these Proposals is a list of Transforms.  For each
-Proposal selected, one Transform must be selected (in other words,
-each Proposal provides a choice of Transforms).
-
-Each Transform is made up of a list of Attributes describing, well,
-attributes.  Such as lifetime of the SA.  Such as algorithm to be
-used.  All the Attributes apply to a Transform.
-
-You will have noticed a pattern here: layers alternate between being
-disjunctions (&quot;or&quot;) and conjunctions (&quot;and&quot;).
-
-For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
-cut back.  There must be exactly one Proposal.  So this degenerates to
-a list of Transforms, one of which must be chosen.</PRE>
-<H3><A name="services">IPsec Services, AH and ESP</A></H3>
-<P>IPsec offers two services,<A href="#authentication"> authentication</A>
- and<A href="#encryption"> encryption</A>. These can be used separately
- but are often used together.</P>
-<DL>
-<DT>Authentication</DT>
-<DD>Packet-level authentication allows you to be confident that a packet
- came from a particular machine and that its contents were not altered
- en route to you. No attempt is made to conceal or protect the contents,
- only to assure their integrity. Packet authentication can be provided
- separately using an<A href="#AH"> Authentication Header</A>, described
- just below, or it can be included as part of the<A href="#ESP"> ESP</A>
- (Encapsulated Security Payload) service, described in the following
- section. That service offers encryption as well as authentication. In
- either case, the<A href="#HMAC"> HMAC</A> construct is used as the
- authentication mechanism.
-<P>There is a separate authentication operation at the IKE level, in
- which each gateway authenticates the other. This can be done in a
- variety of ways.</P>
-</DD>
-<DT>Encryption</DT>
-<DD>Encryption allows you to conceal the contents of a message from
- eavesdroppers.
-<P>In IPsec this is done using a<A href="#block"> block cipher</A>
- (normally<A href="#3DES"> Triple DES</A> for Linux). In the most used
- setup, keys are automatically negotiated, and periodically
- re-negotiated, using the<A href="#IKE"> IKE</A> (Internet Key Exchange)
- protocol. In Linux FreeS/WAN this is handled by the Pluto Daemon.</P>
-<P>The IPsec protocol offering encryption is<A href="#ESP"> ESP</A>,
- Encapsulated Security Payload. It can also include a packet
- authentication service.</P>
-</DD>
-</DL>
-<P>Note that<STRONG> encryption should always be used with some packet
- authentication service</STRONG>. Unauthenticated encryption is
- vulnerable to<A href="#middle"> man-in-the-middle attacks</A>. Also
- note that encryption does not prevent<A href="#traffic"> traffic
- analysis</A>.</P>
-<H3><A name="AH.ipsec">The Authentication Header (AH)</A></H3>
-<P>Packet authentication can be provided separately from encryption by
- adding an authentication header (AH) after the IP header but before the
- other headers on the packet. This is the subject of this section.
- Details are in RFC 2402.</P>
-<P>Each of the several headers on a packet header contains a &quot;next
- protocol&quot; field telling the system what header to look for next. IP
- headers generally have either TCP or UDP in this field. When IPsec
- authentication is used, the packet IP header has AH in this field,
- saying that an Authentication Header comes next. The AH header then has
- the next header type -- usually TCP, UDP or encapsulated IP.</P>
-<P>IPsec packet authentication can be added in transport mode, as a
- modification of standard IP transport. This is shown in this diagram
- from the RFC:</P>
-<PRE>                  BEFORE APPLYING AH
-            ----------------------------
-      IPv4  |orig IP hdr  |     |      |
-            |(any options)| TCP | Data |
-            ----------------------------
-
-                  AFTER APPLYING AH
-            ---------------------------------
-      IPv4  |orig IP hdr  |    |     |      |
-            |(any options)| AH | TCP | Data |
-            ---------------------------------
-            ||
-                 except for mutable fields</PRE>
-<P>Athentication can also be used in tunnel mode, encapsulating the
- underlying IP packet beneath AH and an additional IP header.</P>
-<PRE>                         ||
-IPv4  | new IP hdr* |    | orig IP hdr*  |    |      |
-      |(any options)| AH | (any options) |TCP | Data |
-      ------------------------------------------------
-      ||
-      |           in the new IP hdr                  |</PRE>
-<P>This would normally be used in a gateway-to-gateway tunnel. The
- receiving gateway then strips the outer IP header and the AH header and
- forwards the inner IP packet.</P>
-<P>The mutable fields referred to are things like the time-to-live field
- in the IP header. These cannot be included in authentication
- calculations because they change as the packet travels.</P>
-<H4><A name="keyed">Keyed MD5 and Keyed SHA</A></H4>
-<P>The actual authentication data in the header is typically 96 bits and
- depends both on a secret shared between sender and receiver and on
- every byte of the data being authenticated. The technique used is<A href="#HMAC">
- HMAC</A>, defined in RFC 2104.</P>
-<P>The algorithms involved are the<A href="#MD5"> MD5</A> Message Digest
- Algorithm or<A href="#SHA"> SHA</A>, the Secure Hash Algorithm. For
- details on their use in this application, see RFCs 2403 and 2404
- respectively.</P>
-<P>For descriptions of the algorithms themselves, see RFC 1321 for MD5
- and<A href="#FIPS"> FIPS</A> (Federal Information Processing Standard)
- number 186 from<A href="#NIST"> NIST</A>, the US National Institute of
- Standards and Technology for SHA.<A href="#schneier"><CITE> Applied
- Cryptography</CITE></A> covers both in some detail, MD5 starting on
- page 436 and SHA on 442.</P>
-<P>These algorithms are intended to make it nearly impossible for anyone
- to alter the authenticated data in transit. The sender calculates a
- digest or hash value from that data and includes the result in the
- authentication header. The recipient does the same calculation and
- compares results. For unchanged data, the results will be identical.
- The hash algorithms are designed to make it extremely difficult to
- change the data in any way and still get the correct hash.</P>
-<P>Since the shared secret key is also used in both calculations, an
- interceptor cannot simply alter the authenticated data and change the
- hash value to match. Without the key, he or she (or even the dreaded
- They) cannot produce a usable hash.</P>
-<H4><A name="sequence">Sequence numbers</A></H4>
-<P>The authentication header includes a sequence number field which the
- sender is required to increment for each packet. The receiver can
- ignore it or use it to check that packets are indeed arriving in the
- expected sequence.</P>
-<P>This provides partial protection against<A href="#replay"> replay
- attacks</A> in which an attacker resends intercepted packets in an
- effort to confuse or subvert the receiver. Complete protection is not
- possible since it is necessary to handle legitmate packets which are
- lost, duplicated, or delivered out of order, but use of sequence
- numbers makes the attack much more difficult.</P>
-<P>The RFCs require that sequence numbers never cycle, that a new key
- always be negotiated before the sequence number reaches 2^32-1. This
- protects both against replays attacks using packets from a previous
- cyclce and against<A href="#birthday"> birthday attacks</A> on the the
- packet authentication algorithm.</P>
-<P>In Linux FreeS/WAN, the sequence number is ignored for manually keyed
- connections and checked for automatically keyed ones. In manual mode,
- there is no way to negotiate a new key, or to recover from a sequence
- number problem, so we don't use sequence numbers.</P>
-<H3><A name="ESP.ipsec">Encapsulated Security Payload (ESP)</A></H3>
-<P>The ESP protocol is defined in RFC 2406. It provides one or both of
- encryption and packet authentication. It may be used with or without AH
- packet authentication.</P>
-<P>Note that<STRONG> some form of packet authentication should<EM>
- always</EM> be used whenever data is encrypted</STRONG>. Without
- authentication, the encryption is vulnerable to active attacks which
- may allow an enemy to break the encryption. ESP should<STRONG> always</STRONG>
- either include its own authentication or be used with AH
- authentication.</P>
-<P>The RFCs require support for only two mandatory encryption algorithms
- --<A href="#DES"> DES</A>, and null encryption -- and for two
- authentication methods -- keyed MD5 and keyed SHA. Implementers may
- choose to support additional algorithms in either category.</P>
-<P>The authentication algorithms are the same ones used in the IPsec<A href="#AH">
- authentication header</A>.</P>
-<P>We do not implement single DES since<A href="#desnotsecure"> DES is
- insecure</A>. Instead we provide<A href="#3DES"> triple DES or 3DES</A>
-. This is currently the only encryption algorithm supported.</P>
-<P>We do not implement null encryption since it is obviously insecure.</P>
-<H2><A name="modes">IPsec modes</A></H2>
-<P>IPsec can connect in two modes. Transport mode is a host-to-host
- connection involving only two machines. In tunnel mode, the IPsec
- machines act as gateways and trafiic for any number of client machines
- may be carried.</P>
-<H3><A name="tunnel.ipsec">Tunnel mode</A></H3>
-<P>Security gateways are required to support tunnel mode connections. In
- this mode the gateways provide tunnels for use by client machines
- behind the gateways. The client machines need not do any IPsec
- processing; all they have to do is route things to gateways.</P>
-<H3><A name="transport.ipsec">Transport mode</A></H3>
-<P>Host machines (as opposed to security gateways) with IPsec
- implementations must also support transport mode. In this mode, the
- host does its own IPsec processing and routes some packets via IPsec.</P>
-<H2><A name="parts">FreeS/WAN parts</A></H2>
-<H3><A name="KLIPS.ipsec">KLIPS: Kernel IPsec Support</A></H3>
-<P>KLIPS is<STRONG> K</STRONG>erne<STRONG>L</STRONG><STRONG> IP</STRONG>
-SEC<STRONG> S</STRONG>upport, the modifications necessary to support
- IPsec within the Linux kernel. KILPS does all the actual IPsec
- packet-handling, including</P>
-<UL>
-<LI>encryption</LI>
-<LI>packet authentication calculations</LI>
-<LI>creation of ESP and AH headers for outgoing packets</LI>
-<LI>interpretation of those headers on incoming packets</LI>
-</UL>
-<P>KLIPS also checks all non-IPsec packets to ensure they are not
- bypassing IPsec security policies.</P>
-<H3><A name="Pluto.ipsec">The Pluto daemon</A></H3>
-<P><A href="manpage.d/ipsec_pluto.8.html">Pluto(8)</A> is a daemon which
- implements the IKE protocol. It</P>
-<UL>
-<LI>handles all the Phase one ISAKMP SAs</LI>
-<LI>performs host authentication and negotiates with other gateways</LI>
-<LI>creates IPsec SAs and passes the data required to run them to KLIPS</LI>
-<LI>adjust routing and firewall setup to meet IPsec requirements. See
- our<A href="firewall.html"> IPsec and firewalling</A> document for
- details.</LI>
-</UL>
-<P>Pluto is controlled mainly by the<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> configuration file.</P>
-<H3><A name="command">The ipsec(8) command</A></H3>
-<P>The<A href="manpage.d/ipsec.8.html"> ipsec(8)</A> command is a front
- end shellscript that allows control over IPsec activity.</P>
-<H3><A name="ipsec.conf">Linux FreeS/WAN configuration file</A></H3>
-<P>The configuration file for Linux FreeS/WAN is</P>
-<PRE>        /etc/ipsec.conf</PRE>
-<P>For details see the<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> manual page .</P>
-<H2><A name="key">Key management</A></H2>
-<P>There are several ways IPsec can manage keys. Not all are implemented
- in Linux FreeS/WAN.</P>
-<H3><A name="current">Currently Implemented Methods</A></H3>
-<H4><A name="manual">Manual keying</A></H4>
-<P>IPsec allows keys to be manually set. In Linux FreeS/WAN, such keys
- are stored with the connection definitions in /etc/ipsec.conf.</P>
-<P><A href="#manual">Manual keying</A> is useful for debugging since it
- allows you to test the<A href="#KLIPS"> KLIPS</A> kernel IPsec code
- without the<A href="#Pluto"> Pluto</A> daemon doing key negotiation.</P>
-<P>In general, however, automatic keying is preferred because it is more
- secure.</P>
-<H4><A name="auto">Automatic keying</A></H4>
-<P>In automatic keying, the<A href="#Pluto"> Pluto</A> daemon negotiates
- keys using the<A href="#IKE"> IKE</A> Internet Key Exchange protocol.
- Connections are automatically re-keyed periodically.</P>
-<P>This is considerably more secure than manual keying. In either case
- an attacker who acquires a key can read every message encrypted with
- that key, but automatic keys can be changed every few hours or even
- every few minutes without breaking the connection or requiring
- intervention by the system administrators. Manual keys can only be
- changed manually; you need to shut down the connection and have the two
- admins make changes. Moreover, they have to communicate the new keys
- securely, perhaps with<A href="#PGP"> PGP</A> or<A href="#ssh"> SSH</A>
-. This may be possible in some cases, but as a general solution it is
- expensive, bothersome and unreliable. Far better to let<A href="#Pluto">
- Pluto</A> handle these chores; no doubt the administrators have enough
- to do.</P>
-<P>Also, automatic keying is inherently more secure against an attacker
- who manages to subvert your gateway system. If manual keying is in use
- and an adversary acquires root privilege on your gateway, he reads your
- keys from /etc/ipsec.conf and then reads all messages encrypted with
- those keys.</P>
-<P>If automatic keying is used, an adversary with the same privileges
- can read /etc/ipsec.secrets, but this does not contain any keys, only
- the secrets used to authenticate key exchanges. Having an adversary
- able to authenticate your key exchanges need not worry you overmuch.
- Just having the secrets does not give him any keys. You are still
- secure against<A href="#passive"> passive</A> attacks. This property of
- automatic keying is called<A href="#PFS"> perfect forward secrecy</A>,
- abbreviated PFS.</P>
-<P>Unfortunately, having the secrets does allow an<A href="#active">
- active attack</A>, specifically a<A href="#middle"> man-in-the-middle</A>
- attack. Losing these secrets to an attacker may not be quite as
- disastrous as losing the actual keys, but it is<EM> still a serious
- security breach</EM>. These secrets should be guarded as carefully as
- keys.</P>
-<H3><A name="notyet">Methods not yet implemented</A></H3>
-<H4><A name="noauth">Unauthenticated key exchange</A></H4>
-<P>It would be possible to exchange keys without authenticating the
- players. This would support<A href="#carpediem"> opportunistic
- encryption</A> -- allowing any two systems to encrypt their
- communications without requiring a shared PKI or a previously
- negotiated secret -- and would be secure against<A href="#passive">
- passive attacks</A>. It would, however, be highly vulnerable to active<A
-href="#middle"> man-in-the-middle</A> attacks. RFC 2408 therefore
- specifies that all<A href="#ISAKMP"> ISAKMP</A> key management
- interactions<EM> must</EM> be authenticated.</P>
-<P>There is room for debate here. Should we provide immediate security
- against<A href="#passive"> passive attacks</A> and encourage widespread
- use of encryption, at the expense of risking the more difficult<A href="#active">
- active attacks</A>? Or should we wait until we can implement a solution
- that can both be widespread and offer security against active attacks?</P>
-<P>So far, we have chosen the second course, complying with the RFCs and
- waiting for secure DNS (see<A href="#DNS"> below</A>) so that we can do<A
-href="#carpediem"> opportunistic encryption</A> right.</P>
-<H4><A name="DNS">Key exchange using DNS</A></H4>
-<P>The IPsec RFCs allow key exchange based on authentication services
- provided by<A href="#SDNS"> Secure DNS</A>. Once Secure DNS service
- becomes widely available, we expect to make this the<EM> primary key
- management method for Linux FreeS/WAN</EM>. It is the best way we know
- of to support<A href="#carpediem"> opportunistic encryption</A>,
- allowing two systems without a common PKI or previous negotiation to
- secure their communication.</P>
-<P>We currently have code to acquire RSA keys from DNS but do not yet
- have code to validate Secure DNS signatures.</P>
-<H4><A name="PKI">Key exchange using a PKI</A></H4>
-<P>The IPsec RFCs allow key exchange based on authentication services
- provided by a<A href="#PKI"> PKI</A> or Public Key Infrastructure. With
- many vendors selling such products and many large organisations
- building these infrastructures, this will clearly be an important
- application of IPsec and one Linux FreeS/WAN will eventually support.</P>
-<P>On the other hand, this is not as high a priority for Linux FreeS/WAN
- as solutions based on<A href="#SDNS"> secure DNS</A>. We do not expect
- any PKI to become as universal as DNS.</P>
-<P>Some<A href="#patch"> patches</A> to handle authentication with X.509
- certificates, which most PKIs use, are available.</P>
-<H4><A name="photuris">Photuris</A></H4>
-<P><A href="#photuris">Photuris</A> is another key management protocol,
- an alternative to IKE and ISAKMP, described in RFCs 2522 and 2523 which
- are labelled &quot;experimental&quot;. Adding Photuris support to Linux FreeS/WAN
- might be a good project for a volunteer. The likely starting point
- would be the OpenBSD photurisd code.</P>
-<H4><A name="skip">SKIP</A></H4>
-<P><A href="#SKIP">SKIP</A> is yet another key management protocol,
- developed by Sun. At one point it was fairly widely used, but it now
- seems moribund, displaced by IKE. Sun now (as of Solaris 8.0) ship an
- IPsec implementation using IKE. We have no plans to implement SKIP. If
- a user were to implement it, we would almost certainly not want to add
- the code to our distribution.</P>
-<HR>
-<H1><A name="lists">Mailing lists and newsgroups</A></H1>
-<H2><A name="list.fs">Mailing lists about FreeS/WAN</A></H2>
-<H3><A name="projlist">The project mailing lists</A></H3>
-<P>The Linux FreeS/WAN project has several email lists for user support,
- bug reports and software development discussions.</P>
-<P>We had a single list on clinet.fi for several years (Thanks, folks!),
- then one list on freeswan.org, but now we've split into several lists:</P>
-<DL>
-<DT><A href="mailto:users-request@lists.freeswan.org?body=subscribe">
-users</A></DT>
-<DD>
-<UL>
-<LI>The general list for discussing use of the software</LI>
-<LI>The place for seeking<STRONG> help with problems</STRONG> (but
- please check the<A href="faq.html"> FAQ</A> first).</LI>
-<LI>Anyone can post.</LI>
-</UL>
-</DD>
-<DT><A href="mailto:bugs-request@lists.freeswan.org?body=subscribe">bugs</A>
-</DT>
-<DD>
-<UL>
-<LI>For<STRONG> bug reports</STRONG>.</LI>
-<LI>If you are not certain what is going on -- could be a bug, a
- configuration error, a network problem, ... -- please post to the users
- list instead.</LI>
-<LI>Anyone can post.</LI>
-</UL>
-</DD>
-<DT><A href="mailto:design-request@lists.freeswan.org?body=subscribe">
-design</A></DT>
-<DD>
-<UL>
-<LI><STRONG>Design discussions</STRONG>, for people working on FreeS/WAN
- development or others with an interest in design and security issues.</LI>
-<LI>It would be a good idea to read the existing design papers (see this<A
-href="#applied"> list</A>) before posting.</LI>
-<LI>Anyone can post.</LI>
-</UL>
-</DD>
-<DT><A href="mailto:announce-request@lists.freeswan.org?body=subscribe">
-announce</A></DT>
-<DD>
-<UL>
-<LI>A<STRONG> low-traffic</STRONG> list.</LI>
-<LI><STRONG>Announcements</STRONG> about FreeS/WAN and related software.</LI>
-<LI>All posts here are also sent to the users list. You need not
- subscribe to both.</LI>
-<LI>Only the FreeS/WAN team can post.</LI>
-<LI>If you have something you feel should go on this list, send it to<VAR>
- announce-admin@lists.freeswan.org</VAR>. Unless it is obvious, please
- include a short note explaining why we should post it.</LI>
-</UL>
-</DD>
-<DT><A href="mailto:briefs-request@lists.freeswan.org?body=subscribe">
-briefs</A></DT>
-<DD>
-<UL>
-<LI>A<STRONG> low-traffic</STRONG> list.</LI>
-<LI><STRONG>Weekly summaries</STRONG> of activity on the users list.</LI>
-<LI>All posts here are also sent to the users list. You need not
- subscribe to both.</LI>
-<LI>Only the FreeS/WAN team can post.</LI>
-</UL>
-</DD>
-</DL>
-<P>To subscribe to any of these, you can:</P>
-<UL>
-<LI>just follow the links above</LI>
-<LI>use our<A href="http://www.freeswan.org/mail.html"> web interface</A>
-</LI>
-<LI>send mail to<VAR> listname</VAR>-request@lists.freeswan.org with a
- one-line message body &quot;subscribe&quot;</LI>
-</UL>
-<P>Archives of these lists are available via the<A href="http://www.freeswan.org/mail.html">
- web interface</A>.</P>
-<H4><A name="which.list">Which list should I use?</A></H4>
-<P>For most questions, please check the<A href="faq.html"> FAQ</A>
- first, and if that does not have an answer, ask on the users list. &quot;My
- configuration doesn't work.&quot; does not belong on the bugs list, and &quot;Can
- FreeS/WAN do such-and-such&quot; or &quot;How do I configure it to...&quot; do not
- belong in design discussions.</P>
-<P>Cross-posting the same message to two or more of these lists is
- discouraged. Quite a few people read more than one list and getting
- multiple copies is annoying.</P>
-<H4><A name="policy.list">List policies</A></H4>
-<P><STRONG>US citizens or residents are asked not to post code to the
- lists, not even one-line bug fixes</STRONG>. The project cannot accept
- code which might entangle it in US<A href="#exlaw"> export restrictions</A>
-.</P>
-<P>Non-subscribers can post to some of these lists. This is necessary;
- someone working on a gateway install who encounters a problem may not
- have access to a subscribed account.</P>
-<P>Some spam turns up on these lists from time to time. For discussion
- of why we do not attempt to filter it, see the<A href="#spam"> FAQ</A>.
- Please do not clutter the lists with complaints about this.</P>
-<H3><A name="archive">Archives of the lists</A></H3>
-<P>Searchable archives of the old single list have existed for some
- time. At time of writing, it is not yet clear how they will change for
- the new multi-list structure.</P>
-<UL>
-<LI><A href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</A></LI>
-<LI><A href="http://www.nexial.com">Holland</A></LI>
-</UL>
-<P>Note that these use different search engines. Try both.</P>
-<P>Archives of the new lists are available via the<A href="http://www.freeswan.org/mail.html">
- web interface</A>.</P>
-<H2><A name="indexes">Indexes of mailing lists</A></H2>
-<P><A href="http://paml.net/">PAML</A> is the standard reference for<STRONG>
- P</STRONG>ublicly<STRONG> A</STRONG>ccessible<STRONG> M</STRONG>ailing<STRONG>
- L</STRONG>ists. When we last checked, it had over 7500 lists on an
- amazing variety of topics. It also has FAQ information and a search
- engine.</P>
-<P>There is an index of<A href="http://oslab.snu.ac.kr/~djshin/linux/mail-list/index.shtml">
- Linux mailing lists</A> available.</P>
-<P>A list of<A href="http://xforce.iss.net/maillists/otherlists.php">
- computer security mailing lists</A>, with descriptions.</P>
-<H2><A name="otherlists">Lists for related software and topics</A></H2>
-<P>Most links in this section point to subscription addresses for the
- various lists. Send the one-line message &quot;subscribe<VAR> list_name</VAR>
-&quot; to subscribe to any of them.</P>
-<H3><A NAME="28_3_1">Products that include FreeS/WAN</A></H3>
-<P>Our introduction document gives a<A href="#products"> list of
- products that include FreeS/WAN</A>. If you have, or are considering,
- one of those, check the supplier's web site for information on mailing
- lists for their users.</P>
-<H3><A name="linux.lists">Linux mailing lists</A></H3>
-<UL>
-<LI><A href="mailto:majordomo@vger.kernel.org">
-linux-admin@vger.kernel.org</A>, for Linux system administrators</LI>
-<LI><A href="mailto:netfilter-request@lists.samba.org">
-netfilter@lists.samba.org</A>, about Netfilter, which replaces IPchains
- in kernels 2.3.15 and later</LI>
-<LI><A href="mailto:security-audit-request@ferret.lmh.ox.ac.uk">
-security-audit@ferret.lmh.ox.ac.uk</A>, for people working on security
- audits of various Linux programs</LI>
-<LI><A href="mailto:securedistros-request@humbolt.geo.uu.nl">
-securedistros@humbolt.geo.uu.nl</A>, for discussion of issues common to
- all the half dozen projects working on secure Linux distributions.</LI>
-</UL>
-<P>Each of the scure distribution projects also has its own web site and
- mailing list. Some of the sites are:</P>
-<UL>
-<LI><A href="http://bastille-linux.org/">Bastille Linux</A> scripts to
- harden Redhat, e.g. by changing permissions and modifying inialisation
- scripts</LI>
-<LI><A href="http://immunix.org/">Immunix</A> take a different approach,
- using a modified compiler to build kernel and utilities with better
- resistance to various types of overflow and exploit</LI>
-<LI>the<A href="#NSA"> NSA</A> have contractors working on a<A href="#SElinux">
- Security Enhanced Linux</A>, primarily adding stronger access control
- mechanisms. You can download the current version (which interestingly
- is under GPL and not export resrtricted) or subscribe to the mailing
- list from the<A href="http://www.nsa.gov/selinux"> project web page</A>
-.</LI>
-</UL>
-<H3><A name="ietf">Lists for IETF working groups</A></H3>
-<P>Each<A href="#ietf"> IETF</A> working group has an associated mailing
- list where much of the work takes place.</P>
-<UL>
-<LI><A href="mailto:majordomo@lists.tislabs.com">ipsec@lists.tislabs.com</A>
-, the IPsec<A href="http://www.ietf.org/html.charters/ipsec-charter.html">
- working group</A>. This is where the protocols are discussed, new
- drafts announced, and so on. By now, the IPsec working group is winding
- down since the work is essentially complete. A<A href="http://www.sandelman.ottawa.on.ca/ipsec/">
- list archive</A> is available.</LI>
-<LI><A href="mailto:ipsec-policy-request@vpnc.org">IPsec policy</A>
- list, and its<A href="http://www.vpnc.org/ipsec-policy/"> archive</A></LI>
-<LI><A href="mailto:ietf-ipsra-request@vpnc.org">IP secure remote access</A>
- list, and its<A href="http://www.vpnc.org/ietf-ipsra/mail-archive/">
- archive</A></LI>
-</UL>
-<H3><A name="other">Other mailing lists</A></H3>
-<UL>
-<LI><A href="mailto:ipc-announce-request@privacy.org">
-ipc-announce@privacy.org</A> a low-traffic list with announcements of
- developments in privacy, encryption and online civil rights</LI>
-<LI>a VPN mailing list's<A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
- home page</A></LI>
-</UL>
-<H2><A name="newsgroups">Usenet newsgroups</A></H2>
-<UL>
-<LI>sci.crypt</LI>
-<LI>sci.crypt.research</LI>
-<LI>comp.dcom.vpn</LI>
-<LI>talk.politics.crypto</LI>
-</UL>
-<HR>
-<H1><A name="weblink">Web links</A></H1>
-<H2><A name="freeswan">The Linux FreeS/WAN Project</A></H2>
-<P>The main project web site is<A href="http://www.freeswan.org/">
- www.freeswan.org</A>.</P>
-<P>Links to other project-related<A href="#sites"> sites</A> are
- provided in our introduction section.</P>
-<H3><A name="patch">Add-ons and patches for FreeS/WAN</A></H3>
-<P>Some user-contributed patches have been integrated into the FreeS/WAN
- distribution. For a variety of reasons, those listed below have not.</P>
-<P>Note that not all patches are a good idea.</P>
-<UL>
-<LI>There are a number of &quot;features&quot; of IPsec which we do not implement
- because they reduce security. See this<A href="#dropped"> discussion</A>
-. We do not recommend using patches that implement these. One example is
- aggressive mode.</LI>
-<LI>We do not recommend adding &quot;features&quot; of any sort unless they are
- clearly necessary, or at least have clear benefits. For example,
- FreeS/WAN would not become more secure if it offerred a choice of 14
- ciphers. If even one was flawed, it would certainly become less secure
- for anyone using that cipher. Even with 14 wonderful ciphers, it would
- be harder to maintain and administer, hence more vulnerable to various
- human errors.</LI>
-</UL>
-<P>This is not to say that patches are necessarily bad, only that using
- them requires some deliberation. For example, there might be perfectly
- good reasons to add a specific cipher in your application: perhaps GOST
- to comply with government standards in Eastern Europe, or AES for
- performance benefits.</P>
-<H4><A NAME="29_1_1_1">Current patches</A></H4>
-<P>Patches believed current::</P>
-<UL>
-<LI>patches for<A href="http://www.strongsec.com/freeswan/"> X.509
- certificate support</A>, also available from a<A href="http://www.twi.ch/~sna/strongsec/freeswan/">
- mirror site</A></LI>
-<LI>patches to add<A href="http://www.irrigacion.gov.ar/juanjo/ipsec">
- AES and other ciphers</A>. There is preliminary data indicating AES
- gives a substantial<A href="#perf.more"> performance gain</A>.</LI>
-</UL>
-<P>There is also one add-on that takes the form of a modified FreeS/WAN
- distribution, rather than just patches to the standard distribution:</P>
-<UL>
-<LI><A href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6
- support</A></LI>
-</UL>
-<P>Before using any of the above,, check the<A href="mail.html"> mailing
- lists</A> for news of newer versions and to see whether they have been
- incorporated into more recent versions of FreeS/WAN.</P>
-<H4><A NAME="29_1_1_2">Older patches</A></H4>
-<UL>
-<LI><A href="http://sources.colubris.com/en/projects/FreeSWAN/">hardware
- acceleration</A></LI>
-<LI>a<A href="http://tzukanov.narod.ru/"> series</A> of patches that
-<UL>
-<LI>provide GOST, a Russian gov't. standard cipher, in MMX assembler</LI>
-<LI>add GOST to OpenSSL</LI>
-<LI>add GOST to the International kernel patch</LI>
-<LI>let FreeS/WAN use International kernel patch ciphers</LI>
-</UL>
-</LI>
-<LI>Neil Dunbar's patches for<A href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">
- certificate support</A>, using code from<A href="http://www.openssl.org">
- Open SSL</A>.</LI>
-<LI>Luc Lanthier's<A href="ftp://ftp.netwinder.org/users/f/firesoul/">
- patches</A> for<A href="#PKIX"> PKIX</A> support.</LI>
-<LI><A href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</A>
- to add<A href="#Blowfish"> Blowfish</A>,<A href="#IDEA"> IDEA</A> and<A href="#CAST128">
- CAST-128</A> to FreeS/WAN</LI>
-<LI>patches for FreeS/WAN 1.3, Pluto support for<A href="http://alcatraz.webcriminals.com/~bastiaan/ipsec/">
- external authentication</A>, for example with a smartcard or SKEYID.</LI>
-<LI><A href="http://www.zengl.net/freeswan/download/">patches and
- utilities</A> for using FreeS/WAN with PGPnet</LI>
-<LI><A href="http://www.freelith.com/lithworks/crypto/freeswan_patch.htm">
-Blowfish encryption and Tiger hash</A></LI>
-<LI><A href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">
-patches</A> for aggressive mode support</LI>
-</UL>
-<P>These patches are for older versions of FreeS/WAN and will likely not
- work with the current version. Older versions of FreeS/WAN may be
- available on some of the<A href="#sites"> distribution sites</A>, but
- we recommend using the current release.</P>
-<H4><A name="VPN.masq">VPN masquerade patches</A></H4>
-<P>Finally, there are some patches to other code that may be useful with
- FreeS/WAN:</P>
-<UL>
-<LI>a<A href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
- patch</A> to make IPsec, PPTP and SSH VPNs work through a Linux
- firewall with<A href="#masq"> IP masquerade</A>.</LI>
-<LI><A href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">
-Linux VPN Masquerade HOWTO</A></LI>
-</UL>
-<P>Note that this is not required if the same machine does IPsec and
- masquerading, only if you want a to locate your IPsec gateway on a
- masqueraded network. See our<A href="#NAT"> firewalls</A> document for
- discussion of why this is problematic.</P>
-<P>At last report, this patch could not co-exist with FreeS/WAN on the
- same machine.</P>
-<H3><A name="dist">Distributions including FreeS/WAN</A></H3>
-<P>The introductory section of our document set lists several<A href="#distwith">
- Linux distributions</A> which include FreeS/WAN.</P>
-<H3><A name="used">Things FreeS/WAN uses or could use</A></H3>
-<UL>
-<LI><A href="http://openpgp.net/random">/dev/random</A> support page,
- discussion of and code for the Linux<A href="#random"> random number
- driver</A>. Out-of-date when we last checked (January 2000), but still
- useful.</LI>
-<LI>other programs related to random numbers:
-<UL>
-<LI><A href="http://www.mindrot.org/audio-entropyd.html">audio entropy
- daemon</A> to gather noise from a sound card and feed it into
- /dev/random</LI>
-<LI>an<A href="http://www.lothar.com/tech/crypto/"> entropy-gathering
- daemon</A></LI>
-<LI>a driver for the random number generator in recent<A href="http://sourceforge.net/projects/gkernel/">
- Intel chipsets</A>. This driver is included as standard in 2.4 kernels.</LI>
-</UL>
-</LI>
-<LI>a Linux<A href="http://www.marko.net/l2tp/"> L2TP Daemon</A> which
- might be useful for communicating with Windows 2000 which builds L2TP
- tunnels over its IPsec connections</LI>
-<LI>to use opportunistic encryption, you need a recent version of<A href="#BIND">
- BIND</A>. You can get one from the<A href="http://www.isc.org">
- Internet Software Consortium</A> who maintain BIND.</LI>
-</UL>
-<H3><A name="alternatives">Other approaches to VPNs for Linux</A></H3>
-<UL>
-<LI>other Linux<A href="#linuxipsec"> IPsec implementations</A></LI>
-<LI><A href="http://www.tik.ee.ethz.ch/~skip/">ENskip</A>, a free
- implementation of Sun's<A href="#SKIP"> SKIP</A> protocol</LI>
-<LI><A href="http://sunsite.auc.dk/vpnd/">vpnd</A>, a non-IPsec VPN
- daemon for Linux which creates tunnels using<A href="#Blowfish">
- Blowfish</A> encryption</LI>
-<LI><A href="http://www.winton.org.uk/zebedee/">Zebedee</A>, a simple
- GPLd tunnel-building program with Linux and Win32 versions. The name is
- from<STRONG> Z</STRONG>lib compression,<STRONG> B</STRONG>lowfish
- encryption and<STRONG> D</STRONG>iffie-Hellman key exchange.</LI>
-<LI>There are at least two PPTP implementations for Linux
-<UL>
-<LI>Moreton Bay's<A href="http://www.moretonbay.com/vpn/pptp.html">
- PoPToP</A></LI>
-<LI><A href="http://cag.lcs.mit.edu/~cananian/Projects/PPTP/">PPTP-Linux</A>
-</LI>
-</UL>
-</LI>
-<LI><A href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</A>
- (crypto IP encapsulation) project, using their own lightweight protocol
- to encrypt between routers</LI>
-<LI><A href="http://tinc.nl.linux.org/">tinc</A>, a VPN Daemon</LI>
-</UL>
-<P>There is a list of<A href="http://www.securityportal.com/lskb/10000000/kben10000005.html">
- Linux VPN</A> software in the<A href="http://www.securityportal.com/lskb/kben00000001.html">
- Linux Security Knowledge Base</A>.</P>
-<H2><A name="ipsec.link">The IPsec Protocols</A></H2>
-<H3><A name="general">General IPsec or VPN information</A></H3>
-<UL>
-<LI>The<A href="http://www.vpnc.org"> VPN Consortium</A> is a group for
- vendors of IPsec products. Among other things, they have a good
- collection of<A href="http://www.vpnc.org/white-papers.html"> IPsec
- white papers</A>.</LI>
-<LI>A VPN mailing list with a<A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
- home page</A>, a FAQ, some product comparisons, and many links.</LI>
-<LI><A href="http://www.opus1.com/vpn/index.html">VPN pointer page</A></LI>
-<LI>a<A href="http://www.epm.ornl.gov/~dunigan/vpn.html"> collection</A>
- of VPN links, and some explanation</LI>
-</UL>
-<H3><A name="overview">IPsec overview documents or slide sets</A></H3>
-<UL>
-<LI>the FreeS/WAN<A href="ipsec.html"> document section</A> on these
- protocols</LI>
-</UL>
-<H3><A name="otherlang">IPsec information in languages other than
- English</A></H3>
-<UL>
-<LI><A href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">
-German</A></LI>
-<LI><A href="http://www.kame.net/index-j.html">Japanese</A></LI>
-<LI>Feczak Szabolcs' thesis in<A href="http://feczo.koli.kando.hu/vpn/">
- Hungarian</A></LI>
-<LI>Davide Cerri's thesis and some presentation slides<A href="http://www.linux.it/~davide/doc/">
- Italian</A></LI>
-</UL>
-<H3><A name="RFCs1">RFCs and other reference documents</A></H3>
-<UL>
-<LI><A href="rfc.html">Our document</A> listing the RFCs relevant to
- Linux FreeS/WAN and giving various ways of obtaining both RFCs and
- Internet Drafts.</LI>
-<LI><A href="http://www.vpnc.org/vpn-standards.html">VPN Standards</A>
- page maintained by<A href="#VPNC"> VPNC</A>. This covers both RFCs and
- Drafts, and classifies them in a fairly helpful way.</LI>
-<LI><A href="http://www.rfc-editor.org">RFC archive</A></LI>
-<LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</A>
- related to IPsec</LI>
-<LI>US government<A href="http://www.itl.nist.gov/div897/pubs"> site</A>
- with their<A href="#FIPS"> FIPS</A> standards</LI>
-<LI>Archives of the ipsec@tis.com mailing list where discussion of
- drafts takes place.
-<UL>
-<LI><A href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern Canada</A></LI>
-<LI><A href="http://www.vpnc.org/ietf-ipsec">California</A>.</LI>
-</UL>
-</LI>
-</UL>
-<H3><A name="analysis">Analysis and critiques of IPsec protocols</A></H3>
-<UL>
-<LI>Counterpane's<A href="http://www.counterpane.com/ipsec.pdf">
- evaluation</A> of the protocols</LI>
-<LI>Simpson's<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">
- IKE Considered Dangerous</A> paper. Note that this is a link to an
- archive of our mailing list. There are several replies in addition to
- the paper itself.</LI>
-<LI>Fate Labs<A href="http://www.fatelabs.com/loki-vpn.pdf"> Virual
- Private Problems: the Broken Dream</A></LI>
-<LI>Catherine Meadows' paper<CITE> Analysis of the Internet Key Exchange
- Protocol Using the NRL Protocol Analyzer</CITE>, in<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">
- PDF</A> or<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">
- Postscript</A>.</LI>
-<LI>Perlman and Kaufmnan
-<UL>
-<LI><A href="http://snoopy.seas.smu.edu/ee8392_summer01/week7/perlman2.pdf">
-Key Exchange in IPsec</A></LI>
-<LI>a newer<A href="http://sec.femto.org/wetice-2001/papers/radia-paper.pdf">
- PDF paper</A>,<CITE> Analysis of the IPsec Key Exchange Standard</CITE>
-.</LI>
-</UL>
-</LI>
-<LI>Bellovin's<A href="http://www.research.att.com/~smb/papers/index.html">
- papers</A> page including his:
-<UL>
-<LI><CITE>Security Problems in the TCP/IP Protocol Suite</CITE> (1989)</LI>
-<LI><CITE>Problem Areas for the IP Security Protocols</CITE> (1996)</LI>
-<LI><CITE>Probable Plaintext Cryptanalysis of the IP Security Protocols</CITE>
- (1997)</LI>
-</UL>
-</LI>
-<LI>An<A href="http://www.lounge.org/ike_doi_errata.html"> errata list</A>
- for the IPsec RFCs.</LI>
-</UL>
-<H3><A name="IP.background">Background information on IP</A></H3>
-<UL>
-<LI>An<A href="http://ipprimer.windsorcs.com/"> IP tutorial</A> that
- seems to be written mainly for Netware or Microsoft LAN admins entering
- a new world</LI>
-<LI><A href="http://www.iana.org">IANA</A>, Internet Assigned Numbers
- Authority</LI>
-<LI><A href="http://public.pacbell.net/dedicated/cidr.html">CIDR</A>,
- Classless Inter-Domain Routing</LI>
-<LI>Also see our<A href="biblio.html"> bibliography</A></LI>
-</UL>
-<H2><A name="implement">IPsec Implementations</A></H2>
-<H3><A name="linuxprod">Linux products</A></H3>
-<P>Vendors using FreeS/WAN in turnkey firewall or VPN products are
- listed in our<A href="#turnkey"> introduction</A>.</P>
-<P>Other vendors have Linux IPsec products which, as far as we know, do
- not use FreeS/WAN</P>
-<UL>
-<LI><A href="http://www.redcreek.com/products/shareware.html">Redcreek</A>
- provide an open source Linux driver for their PCI hardware VPN card.
- This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more
- specialised crypto chips, and claimed encryption performance of 45
- Mbit/sec. The PC sees it as an Ethernet board.</LI>
-<LI><A href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</A>
- offer a Linux-based VPN with hardware encryption</LI>
-<LI><A href="http://www.watchguard.com/">Watchguard</A> use Linux in
- their Firebox product.</LI>
-<LI><A href="http://www.entrust.com">Entrust</A> offer a developers'
- toolkit for using their<A href="#PKI"> PKI</A> for IPsec authentication</LI>
-<LI>According to a report on our mailing list,<A href="http://www.axent.com">
- Axent</A> have a Linux version of their product.</LI>
-</UL>
-<H3><A name="router">IPsec in router products</A></H3>
-<P>All the major router vendors support IPsec, at least in some models.</P>
-<UL>
-<LI><A href="http://www.cisco.com/warp/public/707/16.html">Cisco</A>
- IPsec information</LI>
-<LI>Ascend, now part of<A href="http://www.lucent.com/"> Lucent</A>,
- have some IPsec-based products</LI>
-<LI><A href="http://www.nortelnetworks.com/">Bay Networks</A>, now part
- of Nortel, use IPsec in their Contivity switch product line</LI>
-<LI><A href="http://www.3com.com/products/enterprise.html">3Com</A> have
- a number of VPN products, some using IPsec</LI>
-</UL>
-<H3><A name="fw.web">IPsec in firewall products</A></H3>
-<P>Many firewall vendors offer IPsec, either as a standard part of their
- product, or an optional extra. A few we know about are:</P>
-<UL>
-<LI><A href="http://www.borderware.com/">Borderware</A></LI>
-<LI><A href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley
- Laurent</A></LI>
-<LI><A href="http://www.watchguard.com">Watchguard</A></LI>
-<LI><A href="http://www.fx.dk/firewall/ipsec.html">Injoy</A> for OS/2</LI>
-</UL>
-<P>Vendors using FreeS/WAN in turnkey firewall products are listed in
- our<A href="#turnkey"> introduction</A>.</P>
-<H3><A name="ipsecos">Operating systems with IPsec support</A></H3>
-<P>All the major open source operating systems support IPsec. See below
- for details on<A href="#BSD"> BSD-derived</A> Unix variants.</P>
-<P>Among commercial OS vendors, IPsec players include:</P>
-<UL>
-<LI><A href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">
-Microsoft</A> have put IPsec in their Windows 2000 and XP products</LI>
-<LI><A href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</A>
- announce a release of OS390 with IPsec support via a crypto
- co-processor</LI>
-<LI><A href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">
-Sun</A> include IPsec in Solaris 8</LI>
-<LI><A href="http://www.hp.com/security/products/extranet-security.html">
-Hewlett Packard</A> offer IPsec for their Unix machines</LI>
-<LI>Certicom have IPsec available for the<A href="http://www.certicom.com/products/movian/movianvpn_tech.html">
- Palm</A>.</LI>
-<LI>There were reports before the release that Apple's Mac OS X would
- have IPsec support built in, but it did not seem to be there when we
- last checked. If you find, it please let us know via the<A href="mail.html">
- mailing list</A>.</LI>
-</UL>
-<H3><A NAME="29_3_5">IPsec on network cards</A></H3>
-<P>Network cards with built-in IPsec acceleration are available from at
- least Intel, 3Com and Redcreek.</P>
-<H3><A name="opensource">Open source IPsec implementations</A></H3>
-<H4><A name="linuxipsec">Other Linux IPsec implementations</A></H4>
-<P>We like to think of FreeS/WAN as<EM> the</EM> Linux IPsec
- implementation, but it is not the only one. Others we know of are:</P>
-<UL>
-<LI><A href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</A>, a
- lightweight implementation of IPsec for Linux. Does not require kernel
- recompilation.</LI>
-<LI>Petr Novak's<A href="ftp://ftp.eunet.cz/icz/ipnsec/"> ipnsec</A>,
- based on the OpenBSD IPsec code and using<A href="#photuris"> Photuris</A>
- for key management</LI>
-<LI>A now defunct project at<A href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">
- U of Arizona</A> (export controlled)</LI>
-<LI><A href="http://snad.ncsl.nist.gov/cerberus">NIST Cerebus</A>
- (export controlled)</LI>
-</UL>
-<H4><A name="BSD">IPsec for BSD Unix</A></H4>
-<UL>
-<LI><A href="http://www.kame.net/project-overview.html">KAME</A>,
- several large Japanese companies co-operating on IPv6 and IPsec</LI>
-<LI><A href="http://web.mit.edu/network/isakmp">US Naval Research Lab</A>
- implementation of IPv6 and of IPsec for IPv4 (export controlled)</LI>
-<LI><A href="http://www.openbsd.org">OpenBSD</A> includes IPsec as a
- standard part of the distribution</LI>
-<LI><A href="http://www.r4k.net/ipsec">IPsec for FreeBSD</A></LI>
-<LI>a<A href="http://www.netbsd.org/Documentation/network/ipsec/"> FAQ</A>
- on NetBSD's IPsec implementation</LI>
-</UL>
-<H4><A name="misc">IPsec for other systems</A></H4>
-<UL>
-<LI><A href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of
- Technolgy</A> have implemented IPsec for Solaris, Java and Macintosh</LI>
-</UL>
-<H3><A name="interop.web">Interoperability</A></H3>
-<P>The IPsec protocols are designed so that different implementations
- should be able to work together. As they say &quot;the devil is in the
- details&quot;. IPsec has a lot of details, but considerable success has been
- achieved.</P>
-<H4><A name="result">Interoperability results</A></H4>
-<P>Linux FreeS/WAN has been tested for interoperability with many other
- IPsec implementations. Results to date are in our<A href="interop.html">
- interoperability</A> section.</P>
-<P>Various other sites have information on interoperability between
- various IPsec implementations:</P>
-<UL>
-<LI><A href="http://www.opus1.com/vpn/atl99display.html">interop results</A>
- from a bakeoff in Atlanta, September 1999.</LI>
-<LI>a French company, HSC's,<A href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">
- interoperability</A> test data covers FreeS/WAN, Open BSD, KAME, Linux
- pipsecd, Checkpoint, Red Creek Ravlin, and Cisco IOS</LI>
-<LI><A href="http://www.icsa.net/">ICSA</A> offer certification programs
- for various security-related products. See their list of<A href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
- certified IPsec</A> products. Linux FreeS/WAN is not currently on that
- list, but several products with which we interoperate are.</LI>
-<LI>VPNC have a page on why they are not yet doing<A href="http://www.vpnc.org/interop.html">
- interoperability</A> testing and a page on the<A href="http://www.vpnc.org/conformance.html">
- spec conformance</A> testing that they are doing</LI>
-<LI>a<A href="http://www.commweb.com/article/COM20000912S0009"> review</A>
- comparing a dozen commercial IPsec implemetations. Unfortunately, the
- reviewers did not look at Open Source implementations such as FreeS/WAN
- or OpenBSD.</LI>
-<LI><A href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">
-results</A> from interoperability tests at a conference. FreeS/WAN was
- not tested there.</LI>
-<LI>test results from the<A href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">
- IPSEC 2000</A> conference</LI>
-</UL>
-<H4><A name="test1">Interoperability test sites</A></H4>
-<UL>
-<LI><A href="http://www.tahi.org/">TAHI</A>, a Japanese IPv6 testing
- project with free IPsec validation software</LI>
-<LI><A href="http://ipsec-wit.antd.nist.gov">National Institute of
- Standards and Technology</A></LI>
-<LI><A href="http://isakmp-test.ssh.fi/">SSH Communications Security</A></LI>
-</UL>
-<H2><A name="linux.link">Linux links</A></H2>
-<H3><A name="linux.basic">Basic and tutorial Linux information</A></H3>
-<UL>
-<LI>Linux<A href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">
- Getting Started</A> HOWTO document</LI>
-<LI>A getting started guide from the<A href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">
- U of Oregon</A></LI>
-<LI>A large<A href="http://www.herring.org/techie.html"> link collection</A>
- which includes a lot of introductory and tutorial material on Unix,
- Linux, the net, . . .</LI>
-</UL>
-<H3><A name="general">General Linux sites</A></H3>
-<UL>
-<LI><A href="http://www.freshmeat.net">Freshmeat</A> Linux news</LI>
-<LI><A href="http://slashdot.org">Slashdot</A> &quot;News for Nerds&quot;</LI>
-<LI><A href="http://www.linux.org">Linux Online</A></LI>
-<LI><A href="http://www.linuxhq.com">Linux HQ</A></LI>
-<LI><A href="http://www.tux.org">tux.org</A></LI>
-</UL>
-<H3><A name="docs.ldp">Documentation</A></H3>
-<P>Nearly any Linux documentation you are likely to want can be found at
- the<A href="http://metalab.unc.edu/LDP"> Linux Documentation Project</A>
- or LDP.</P>
-<UL>
-<LI><A href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</A>
- guide to Linux information sources</LI>
-<LI>The LDP's HowTo documents are a standard Linux reference. See this<A href="http://www.linuxdoc.org/docs.html#howto">
- list</A>. Documents there most relevant to a FreeS/WAN gateway are:
-<UL>
-<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel
- HOWTO</A></LI>
-<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">
-Networking Overview HOWTO</A></LI>
-<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
-Security HOWTO</A></LI>
-</UL>
-</LI>
-<LI>The LDP do a series of Guides, book-sized publications with more
- detail (and often more &quot;why do it this way?&quot;) than the HowTos. See this<A
-href="http://www.linuxdoc.org/guides.html"> list</A>. Documents there
- most relevant to a FreeS/WAN gateway are:
-<UL>
-<LI><A href="http://www.tml.hut.fi/~viu/linux/sag/">System
- Administrator's Guide</A></LI>
-<LI><A href="http://www.linuxdoc.org/LDP/nag2/index.html">Network
- Adminstrator's Guide</A></LI>
-<LI><A href="http://www.seifried.org/lasg/">Linux Administrator's
- Security Guide</A></LI>
-</UL>
-</LI>
-</UL>
-<P>You may not need to go to the LDP to get this material. Most Linux
- distributions include the HowTos on their CDs and several include the
- Guides as well. Also, most of the Guides and some collections of HowTos
- are available in book form from various publishers.</P>
-<P>Much of the LDP material is also available in languages other than
- English. See this<A href="http://www.linuxdoc.org/links/nenglish.html">
- LDP page</A>.</P>
-<H3><A name="advroute.web">Advanced routing</A></H3>
-<P>The Linux IP stack has some new features in 2.4 kernels. Some HowTos
- have been written:</P>
-<UL>
-<LI>several HowTos for the<A href="http://netfilter.samba.org/unreliable-guides/">
- netfilter</A> firewall code in newer kernels</LI>
-<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">
-2.4 networking</A> HowTo</LI>
-<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">
-2.4 routing</A> HowTo</LI>
-</UL>
-<H3><A name="linsec">Security for Linux</A></H3>
-<P>See also the<A href="#docs.ldp"> LDP material</A> above.</P>
-<UL>
-<LI><A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
-Trinity OS guide to setting up Linux</A></LI>
-<LI><A href="http://www.deter.com/unix">Unix security</A> page</LI>
-<LI><A href="http://linux01.gwdg.de/~alatham/">PPDD</A> encrypting
- filesystem</LI>
-<LI><A href="http://EncryptionHOWTO.sourceforge.net/">Linux Encryption
- HowTo</A> (outdated when last checked, had an Oct 2000 revision date in
- March 2002)</LI>
-</UL>
-<H3><A name="firewall.linux">Linux firewalls</A></H3>
-<P>Our<A href="firewall.html"> FreeS/WAN and firewalls</A> document
- includes links to several sets of<A href="#examplefw"> scripts</A>
- known to work with FreeS/WAN.</P>
-<P>Other information sources:</P>
-<UL>
-<LI><A href="http://ipmasq.cjb.net/">IP Masquerade resource page</A></LI>
-<LI><A href="http://netfilter.samba.org/unreliable-guides/">netfilter</A>
- firewall code in 2.4 kernels</LI>
-<LI>Our list of general<A href="#firewall.web"> firewall references</A>
- on the web</LI>
-<LI><A href="http://users.dhp.com/~whisper/mason/">Mason</A>, a tool for
- automatically configuring Linux firewalls</LI>
-<LI>the web cache software<A href="http://www.squid-cache.org/"> squid</A>
- and<A href="http://www.squidguard.org/"> squidguard</A> which turns
- Squid into a filtering web proxy</LI>
-</UL>
-<H3><A name="linux.misc">Miscellaneous Linux information</A></H3>
-<UL>
-<LI><A href="http://lwn.net/current/dists.php3">Linux distribution
- vendors</A></LI>
-<LI><A href="http://www.linux.org/groups/">Linux User Groups</A></LI>
-</UL>
-<H2><A name="crypto.link">Crypto and security links</A></H2>
-<H3><A name="security">Crypto and security resources</A></H3>
-<H4><A name="std.links">The standard link collections</A></H4>
-<P>Two enormous collections of links, each the standard reference in its
- area:</P>
-<DL>
-<DT>Gene Spafford's<A href="http://www.cerias.purdue.edu/coast/hotlist/">
- COAST hotlist</A></DT>
-<DD>Computer and network security.</DD>
-<DT>Peter Gutmann's<A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">
- Encryption and Security-related Resources</A></DT>
-<DD>Cryptography.</DD>
-</DL>
-<H4><A name="FAQ">Frequently Asked Question (FAQ) documents</A></H4>
-<UL>
-<LI><A href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography
- FAQ</A></LI>
-<LI><A href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</A></LI>
-<LI><A href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix
- Programming FAQ</A></LI>
-<LI>FAQs for specific programs are listed in the<A href="#tools"> tools</A>
- section below.</LI>
-</UL>
-<H4><A name="cryptover">Tutorials</A></H4>
-<UL>
-<LI>Gary Kessler's<A href="http://www.garykessler.net/library/crypto.html">
- Overview of Cryptography</A></LI>
-<LI>Terry Ritter's<A href="http://www.ciphersbyritter.com/LEARNING.HTM">
- introduction</A></LI>
-<LI>Peter Gutman's<A href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">
- cryptography</A> tutorial (500 slides in PDF format)</LI>
-<LI>Amir Herzberg of IBM's sildes for his course<A href="http://www.hrl.il.ibm.com/mpay/course.html">
- Introduction to Cryptography and Electronic Commerce</A></LI>
-<LI>the<A href="http://www.gnupg.org/gph/en/manual/c173.html"> concepts
- section</A> of the<A href="#GPG"> GNU Privacy Guard</A> documentation</LI>
-<LI>Bruce Schneier's self-study<A href="http://www.counterpane.com/self-study.html">
- cryptanalysis</A> course</LI>
-</UL>
-<P>See also the<A href="#interesting"> interesting papers</A> section
- below.</P>
-<H4><A name="standards">Crypto and security standards</A></H4>
-<UL>
-<LI><A href="http://csrc.nist.gov/cc">Common Criteria</A>, new
- international computer and network security standards to replace the
- &quot;Rainbow&quot; series</LI>
-<LI>AES<A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
- Advanced Encryption Standard</A> which will replace DES</LI>
-<LI><A href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public key
- standard</A></LI>
-<LI>our collection of links for the<A href="#ipsec.link"> IPsec</A>
- standards</LI>
-<LI>history of<A href="http://www.visi.com/crypto/evalhist/index.html">
- formal evaluation</A> of security policies and implementation</LI>
-</UL>
-<H4><A name="quotes">Crypto quotes</A></H4>
-<P>There are several collections of cryptographic quotes on the net:</P>
-<UL>
-<LI><A href="http://www.eff.org/pub/EFF/quotes.eff">the EFF</A></LI>
-<LI><A href="http://www.samsimpson.com/cquotes.php">Sam Simpson</A></LI>
-<LI><A href="http://www.amk.ca/quotations/cryptography/page-1.html">AM
- Kutchling</A></LI>
-</UL>
-<H3><A name="policy">Cryptography law and policy</A></H3>
-<H4><A name="legal">Surveys of crypto law</A></H4>
-<UL>
-<LI>International survey of<A href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm">
- crypto law</A>.</LI>
-<LI>International survey of<A href="http://rechten.kub.nl/simone/ds-lawsu.htm">
- digital signature law</A></LI>
-</UL>
-<H4><A name="oppose">Organisations opposing crypto restrictions</A></H4>
-<UL>
-<LI>The<A href="#EFF"> EFF</A>'s archives on<A href="http://www.eff.org/pub/Privacy/">
- privacy</A> and<A href="http://www.eff.org/pub/Privacy/ITAR_export/">
- export control</A>.</LI>
-<LI><A href="http://www.gilc.org">Global Internet Liberty Campaign</A></LI>
-<LI><A href="http://www.cdt.org/crypto">Center for Democracy and
- Technology</A></LI>
-<LI><A href="http://www.privacyinternational.org/">Privacy International</A>
-, who give out<A href="http://www.bigbrotherawards.org/"> Big Brother
- Awards</A> to snoopy organisations</LI>
-</UL>
-<H4><A name="other.policy">Other information on crypto policy</A></H4>
-<UL>
-<LI><A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">RFC 1984</A>, the<A href="#IAB">
- IAB</A> and<A href="#IESG"> IESG</A> Statement on Cryptographic
- Technology and the Internet.</LI>
-<LI>John Young's collection of<A href="http://cryptome.org/"> documents</A>
- of interest to the cryptography, open government and privacy movements,
- organized chronologically</LI>
-<LI>AT&amp;T researcher Matt Blaze's Encryption, Privacy and Security<A href="http://www.crypto.com">
- Resource Page</A></LI>
-<LI>A good<A href="http://cryptome.org/crypto97-ne.htm"> overview</A> of
- the issues from Australia.</LI>
-</UL>
-<P>See also our documentation section on the<A href="politics.html">
- history and politics</A> of cryptography.</P>
-<H3><A name="crypto.tech">Cryptography technical information</A></H3>
-<H4><A name="cryptolinks">Collections of crypto links</A></H4>
-<UL>
-<LI><A href="http://www.counterpane.com/hotlist.html">Counterpane</A></LI>
-<LI><A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter
- Gutman's links</A></LI>
-<LI><A href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI links</A>
-</LI>
-<LI><A href="http://crypto.yashy.com/www/">Robert Guerra's links</A></LI>
-</UL>
-<H4><A name="papers">Lists of online cryptography papers</A></H4>
-<UL>
-<LI><A href="http://www.counterpane.com/biblio">Counterpane</A></LI>
-<LI><A href="http://www.cryptography.com/resources/papers">
-cryptography.com</A></LI>
-<LI><A href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</A></LI>
-</UL>
-<H4><A name="interesting">Particularly interesting papers</A></H4>
-<P>These papers emphasize important issues around the use of
- cryptography, and the design and management of secure systems.</P>
-<UL>
-<LI><A href="http://www.counterpane.com/keylength.html">Key length
- requirements for security</A></LI>
-<LI><A href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why
- Cryptosystems Fail</A></LI>
-<LI><A href="http://www.cdt.org/crypto/risks98/">Risks of escrowed
- encryption</A></LI>
-<LI><A href="http://www.counterpane.com/pitfalls.html">Security pitfalls
- in cryptography</A></LI>
-<LI><A href="http://www.acm.org/classics/sep95">Reflections on Trusting
- Trust</A>, Ken Thompson on Trojan horse design</LI>
-<LI><A href="http://www.apache-ssl.org/disclosure.pdf">Security against
- Compelled Disclosure</A>, how to maintain privacy in the face of legal
- or other coersion</LI>
-</UL>
-<H3><A name="compsec">Computer and network security</A></H3>
-<H4><A name="seclink">Security links</A></H4>
-<UL>
-<LI><A href="http://www.cs.purdue.edu/coast/hotlist">COAST Hotlist</A></LI>
-<LI>DMOZ open directory project<A href="http://dmoz.org/Computers/Security/">
- computer security</A> links</LI>
-<LI><A href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet Yee</A></LI>
-<LI>Mike Fuhr's<A href="http://www.fuhr.org/~mfuhr/computers/security.html">
- link collection</A></LI>
-<LI><A href="http://www.networkintrusion.co.uk/">links</A> with an
- emphasis on intrusion detection</LI>
-</UL>
-<H4><A name="firewall.web">Firewall links</A></H4>
-<UL>
-<LI><A href="http://www.cs.purdue.edu/coast/firewalls">COAST firewalls</A>
-</LI>
-<LI><A href="http://www.zeuros.co.uk">Firewalls Resource page</A></LI>
-</UL>
-<H4><A name="vpn">VPN links</A></H4>
-<UL>
-<LI><A href="http://www.vpnc.org">VPN Consortium</A></LI>
-<LI>First VPN's<A href="http://www.firstvpn.com/research/rhome.html">
- white paper</A> collection</LI>
-</UL>
-<H4><A name="tools">Security tools</A></H4>
-<UL>
-<LI>PGP -- mail encryption
-<UL>
-<LI><A href="http://www.pgp.com/">PGP Inc.</A> (part of NAI) for
- commercial versions</LI>
-<LI><A href="http://web.mit.edu/network/pgp.html">MIT</A> distributes
- the NAI product for non-commercial use</LI>
-<LI><A href="http://www.pgpi.org/">international</A> distribution site</LI>
-<LI><A href="http://gnupg.org">GNU Privacy Guard (GPG)</A></LI>
-<LI><A href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</A></LI>
-</UL>
- A message in our mailing list archive has considerable detail on<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">
- available versions</A> of PGP and on IPsec support in them.
-<P><STRONG>Note:</STRONG> A fairly nasty bug exists in all commercial
- PGP versions from 5.5 through 6.5.3. If you have one of those,<STRONG>
- upgrade now</STRONG>.</P>
-</LI>
-<LI>SSH -- secure remote login
-<UL>
-<LI><A href="http://www.ssh.fi">SSH Communications Security</A>, for the
- original software. It is free for trial, academic and non-commercial
- use.</LI>
-<LI><A href="http://www.openssh.com/">Open SSH</A>, the Open BSD team's
- free replacement</LI>
-<LI><A href="http://www.freessh.org/">freessh.org</A>, links to free
- implementations for many systems</LI>
-<LI><A href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH FAQ</A></LI>
-<LI><A href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">Putty</A>
-, an SSH client for Windows</LI>
-</UL>
-</LI>
-<LI>Tripwire saves message digests of your system files. Re-calculate
- the digests and compare to saved values to detect any file changes.
- There are several versions available:
-<UL>
-<LI><A href="http://www.tripwiresecurity.com/">commercial version</A></LI>
-<LI><A href="http://www.tripwire.org/">Open Source</A></LI>
-</UL>
-</LI>
-<LI><A href="http://www.snort.org">Snort</A> and<A href="http://www.lids.org">
- LIDS</A> are intrusion detection system for Linux</LI>
-<LI><A href="http://www.fish.com/~zen/satan/satan.html">SATAN</A> System
- Administrators Tool for Analysing Networks</LI>
-<LI><A href="http://www.insecure.org/nmap/">NMAP</A> Network Mapper</LI>
-<LI><A href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse
- Venema's page</A> with various tools</LI>
-<LI><A href="http://ita.ee.lbl.gov/index.html">Internet Traffic Archive</A>
-, various tools to analyze network traffic, mostly scripts to organise
- and format tcpdump(8) output for specific purposes</LI>
-<LI><A name="ssmail">ssmail -- sendmail patched to do</A><A href="#carpediem">
- opportunistic encryption</A>
-<UL>
-<LI><A href="http://www.home.aone.net.au/qualcomm/">web page</A> with
- links to code and to a Usenix paper describing it, in PDF</LI>
-</UL>
-</LI>
-<LI><A href="http://www.openca.org/">Open CA</A> project to develop a
- freely distributed<A href="#CA"> Certification Authority</A> for
- building a open<A href="#PKI"> Public Key Infrastructure</A>.</LI>
-</UL>
-<H3><A name="people">Links to home pages</A></H3>
-<P>David Wagner at Berkeley provides a set of links to<A href="http://www.cs.berkeley.edu/~daw/people/crypto.html">
- home pages</A> of cryptographers, cypherpunks and computer security
- people.</P>
-<HR>
-<H1><A name="ourgloss">Glossary for the Linux FreeS/WAN project</A></H1>
-<P>Entries are in alphabetical order. Some entries are only one line or
- one paragraph long. Others run to several paragraphs. I have tried to
- put the essential information in the first paragraph so you can skip
- the other paragraphs if that seems appropriate.</P>
-<HR>
-<H2><A name="jump">Jump to a letter in the glossary</A></H2>
-<CENTER> <BIG><B><A href="#0">numeric</A><A href="#A"> A</A><A href="#B">
- B</A><A href="#C"> C</A><A href="#D"> D</A><A href="#E"> E</A><A href="#F">
- F</A><A href="#G"> G</A><A href="#H"> H</A><A href="#I"> I</A><A href="#J">
- J</A><A href="#K"> K</A><A href="#L"> L</A><A href="#M"> M</A><A href="#N">
- N</A><A href="#O"> O</A><A href="#P"> P</A><A href="#Q"> Q</A><A href="#R">
- R</A><A href="#S"> S</A><A href="#T"> T</A><A href="#U"> U</A><A href="#V">
- V</A><A href="#W"> W</A><A href="#X"> X</A><A href="#Y"> Y</A><A href="#Z">
- Z</A></B></BIG></CENTER>
-<HR>
-<H2><A name="gloss">Other glossaries</A></H2>
-<P>Other glossaries which overlap this one include:</P>
-<UL>
-<LI>The VPN Consortium's glossary of<A href="http://www.vpnc.org/terms.html">
- VPN terms</A>.</LI>
-<LI>glossary portion of the<A href="http://www.rsa.com/rsalabs/faq/B.html">
- Cryptography FAQ</A></LI>
-<LI>an extensive crytographic glossary on<A href="http://www.ciphersbyritter.com/GLOSSARY.HTM">
- Terry Ritter's</A> page.</LI>
-<LI>The<A href="#NSA"> NSA</A>'s<A href="http://www.sans.org/newlook/resources/glossary.htm">
- glossary of computer security</A> on the<A href="http://www.sans.org">
- SANS Institute</A> site.</LI>
-<LI>a small glossary for Internet Security at<A href="http://www5.zdnet.com/pcmag/pctech/content/special/glossaries/internetsecurity.html">
- PC magazine</A></LI>
-<LI>The<A href="http://www.visi.com/crypto/inet-crypto/glossary.html">
- glossary</A> from Richard Smith's book<A href="#Smith"> Internet
- Cryptography</A></LI>
-</UL>
-<P>Several Internet glossaries are available as RFCs:</P>
-<UL>
-<LI><A href="http://www.rfc-editor.org/rfc/rfc1208.txt">Glossary of
- Networking Terms</A></LI>
-<LI><A href="http://www.rfc-editor.org/rfc/rfc1983.txt">Internet User's
- Glossary</A></LI>
-<LI><A href="http://www.rfc-editor.org/rfc/rfc2828.txt">Internet
- Security Glossary</A></LI>
-</UL>
-<P>More general glossary or dictionary information:</P>
-<UL>
-<LI>Free Online Dictionary of Computing (FOLDOC)
-<UL>
-<LI><A href="http://www.nightflight.com/foldoc">North America</A></LI>
-<LI><A href="http://wombat.doc.ic.ac.uk/foldoc/index.html">Europe</A></LI>
-<LI><A href="http://www.nue.org/foldoc/index.html">Japan</A></LI>
-</UL>
-<P>There are many more mirrors of this dictionary.</P>
-</LI>
-<LI>The Jargon File, the definitive resource for hacker slang and
- folklore
-<UL>
-<LI><A href="http://www.netmeg.net/jargon">North America</A></LI>
-<LI><A href="http://info.wins.uva.nl/~mes/jargon/">Holland</A></LI>
-<LI><A href="http://www.tuxedo.org/~esr/jargon">home page</A></LI>
-</UL>
-<P>There are also many mirrors of this. See the home page for a list.</P>
-</LI>
-<LI>A general<A href="http://www.trinity.edu/~rjensen/245glosf.htm#Navigate">
- technology glossary</A></LI>
-<LI>An<A href="http://www.yourdictionary.com/"> online dictionary
- resource page</A> with pointers to many dictionaries for many languages</LI>
-<LI>A<A href="http://www.onelook.com/"> search engine</A> that accesses
- several hundred online dictionaries</LI>
-<LI>O'Reilly<A href="http://www.ora.com/reference/dictionary/">
- Dictionary of PC Hardware and Data Communications Terms</A></LI>
-<LI><A href="http://www.FreeSoft.org/CIE/index.htm">Connected</A>
- Internet encyclopedia</LI>
-<LI><A href="http://www.whatis.com/">whatis.com</A></LI>
-</UL>
-<HR>
-<H2><A name="definitions">Definitions</A></H2>
-<DL>
-<DT><A name="0">0</A></DT>
-<DT><A name="3DES">3DES (Triple DES)</A></DT>
-<DD>Using three<A href="#DES"> DES</A> encryptions on a single data
- block, with at least two different keys, to get higher security than is
- available from a single DES pass. The three-key version of 3DES is the
- default encryption algorithm for<A href="#FreeSWAN"> Linux FreeS/WAN</A>
-.
-<P><A href="#IPSEC">IPsec</A> always does 3DES with three different
- keys, as required by RFC 2451. For an explanation of the two-key
- variant, see<A href="#2key"> two key triple DES</A>. Both use an<A href="#EDE">
- EDE</A> encrypt-decrypt-encrpyt sequence of operations.</P>
-<P>Single<A href="#DES"> DES</A> is<A href="#desnotsecure"> insecure</A>
-.</P>
-<P>Double DES is ineffective. Using two 56-bit keys, one might expect an
- attacker to have to do 2<SUP>112</SUP> work to break it. In fact, only
- 2<SUP>57</SUP> work is required with a<A href="#meet">
- meet-in-the-middle attack</A>, though a large amount of memory is also
- required. Triple DES is vulnerable to a similar attack, but that just
- reduces the work factor from the 2<SUP>168</SUP> one might expect to 2<SUP>
-112</SUP>. That provides adequate protection against<A href="#brute">
- brute force</A> attacks, and no better attack is known.</P>
-<P>3DES can be somewhat slow compared to other ciphers. It requires
- three DES encryptions per block. DES was designed for hardware
- implementation and includes some operations which are difficult in
- software. However, the speed we get is quite acceptable for many uses.
- See our<A href="performance.html"> performance</A> document for
- details.</P>
-</DD>
-<DT><A name="A">A</A></DT>
-<DT><A name="active">Active attack</A></DT>
-<DD>An attack in which the attacker does not merely eavesdrop (see<A href="#passive">
- passive attack</A>) but takes action to change, delete, reroute, add,
- forge or divert data. Perhaps the best-known active attack is<A href="#middle">
- man-in-the-middle</A>. In general,<A href="#authentication">
- authentication</A> is a useful defense against active attacks.</DD>
-<DT><A name="AES">AES</A></DT>
-<DD>The<B> A</B>dvanced<B> E</B>ncryption<B> S</B>tandard -- a new<A href="#block">
- block cipher</A> standard to replace<A href="#desnotsecure"> DES</A> --
- developed by<A href="#NIST"> NIST</A>, the US National Institute of
- Standards and Technology. DES used 64-bit blocks and a 56-bit key. AES
- ciphers use a 128-bit block and 128, 192 or 256-bit keys. The larger
- block size helps resist<A href="#birthday"> birthday attacks</A> while
- the large key size prevents<A href="#brute"> brute force attacks</A>.
-<P>Fifteen proposals meeting NIST's basic criteria were submitted in
- 1998 and subjected to intense discussion and analysis, &quot;round one&quot;
- evaluation. In August 1999, NIST narrowed the field to five &quot;round two&quot;
- candidates:</P>
-<UL>
-<LI><A href="http://www.research.ibm.com/security/mars.html">Mars</A>
- from IBM</LI>
-<LI><A href="http://www.rsa.com/rsalabs/aes/">RC6</A> from RSA</LI>
-<LI><A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">Rijndael</A>
- from two Belgian researchers</LI>
-<LI><A href="http://www.cl.cam.ac.uk/~rja14/serpent.html">Serpent</A>, a
- British-Norwegian-Israeli collaboration</LI>
-<LI><A href="http://www.counterpane.com/twofish.html">Twofish</A> from
- the consulting firm<A href="http://www.counterpane.com"> Counterpane</A>
-</LI>
-</UL>
-<P>Three of the five finalists -- Rijndael, Serpent and Twofish -- have
- completely open licenses.</P>
-<P>In October 2000, NIST announced the winner -- Rijndael.</P>
-<P>For more information, see:</P>
-<UL>
-<LI>NIST's<A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
- AES home page</A></LI>
-<LI>the Block Cipher Lounge<A href="http://www.ii.uib.no/~larsr/aes.html">
- AES page</A></LI>
-<LI>Brian Gladman's<A href="http://fp.gladman.plus.com/cryptography_technology/index.htm">
- code and benchmarks</A></LI>
-<LI>Helger Lipmaa's<A href="http://www.tcs.hut.fi/~helger/aes/"> survey
- of implementations</A></LI>
-</UL>
-<P>AES will be added to a future release of<A href="#FreeSWAN"> Linux
- FreeS/WAN</A>. Likely we will add all three of the finalists with good
- licenses. User-written<A href="#patch"> AES patches</A> are already
- available.</P>
-<P>Adding AES may also require adding stronger hashes,<A href="#SHA-256">
- SHA-256, SHA-384 and SHA-512</A>.</P>
-</DD>
-<DT><A name="AH">AH</A></DT>
-<DD>The<A href="#IPSEC"> IPsec</A><B> A</B>uthentication<B> H</B>eader,
- added after the IP header. For details, see our<A href="#AH.ipsec">
- IPsec</A> document and/or RFC 2402.</DD>
-<DT><A name="alicebob">Alice and Bob</A></DT>
-<DD>A and B, the standard example users in writing on cryptography and
- coding theory. Carol and Dave join them for protocols which require
- more players.
-<P>Bruce Schneier extends these with many others such as Eve the
- Eavesdropper and Victor the Verifier. His extensions seem to be in the
- process of becoming standard as well. See page 23 of<A href="#schneier">
- Applied Cryptography</A></P>
-<P>Alice and Bob have an amusing<A href="http://www.conceptlabs.co.uk/alicebob.html">
- biography</A> on the web.</P>
-</DD>
-<DT>ARPA</DT>
-<DD>see<A href="#DARPA"> DARPA</A></DD>
-<DT><A name="ASIO">ASIO</A></DT>
-<DD>Australian Security Intelligence Organisation.</DD>
-<DT>Asymmetric cryptography</DT>
-<DD>See<A href="#public"> public key cryptography</A>.</DD>
-<DT><A name="authentication">Authentication</A></DT>
-<DD>Ensuring that a message originated from the expected sender and has
- not been altered on route.<A href="#IPSEC"> IPsec</A> uses
- authentication in two places:
-<UL>
-<LI>peer authentication, authenticating the players in<A href="#IKE">
- IKE</A>'s<A href="#DH"> Diffie-Hellman</A> key exchanges to prevent<A href="#middle">
- man-in-the-middle attacks</A>. This can be done in a number of ways.
- The methods supported by FreeS/WAN are discussed in our<A href="#choose">
- advanced configuration</A> document.</LI>
-<LI>packet authentication, authenticating packets on an established<A href="#SA">
- SA</A>, either with a separate<A href="#AH"> authentication header</A>
- or with the optional authentication in the<A href="#ESP"> ESP</A>
- protocol. In either case, packet authentication uses a<A href="#HMAC">
- hashed message athentication code</A> technique.</LI>
-</UL>
-<P>Outside IPsec, passwords are perhaps the most common authentication
- mechanism. Their function is essentially to authenticate the person's
- identity to the system. Passwords are generally only as secure as the
- network they travel over. If you send a cleartext password over a
- tapped phone line or over a network with a packet sniffer on it, the
- security provided by that password becomes zero. Sending an encrypted
- password is no better; the attacker merely records it and reuses it at
- his convenience. This is called a<A href="#replay"> replay</A> attack.</P>
-<P>A common solution to this problem is a<A href="#challenge">
- challenge-response</A> system. This defeats simple eavesdropping and
- replay attacks. Of course an attacker might still try to break the
- cryptographic algorithm used, or the<A href="#random"> random number</A>
- generator.</P>
-</DD>
-<DT><A name="auto">Automatic keying</A></DT>
-<DD>A mode in which keys are automatically generated at connection
- establisment and new keys automaically created periodically thereafter.
- Contrast with<A href="#manual"> manual keying</A> in which a single
- stored key is used.
-<P>IPsec uses the<A href="#DH"> Diffie-Hellman key exchange protocol</A>
- to create keys. An<A href="#authentication"> authentication</A>
- mechansim is required for this. FreeS/WAN normally uses<A href="#RSA">
- RSA</A> for this. Other methods supported are discussed in our<A href="#choose">
- advanced configuration</A> document.</P>
-<P>Having an attacker break the authentication is emphatically not a
- good idea. An attacker that breaks authentication, and manages to
- subvert some other network entities (DNS, routers or gateways), can use
- a<A href="#middle"> man-in-the middle attack</A> to break the security
- of your IPsec connections.</P>
-<P>However, having an attacker break the authentication in automatic
- keying is not quite as bad as losing the key in manual keying.</P>
-<UL>
-<LI>An attacker who reads /etc/ipsec.conf and gets the keys for a
- manually keyed connection can, without further effort, read all
- messages encrypted with those keys, including any old messages he may
- have archived.</LI>
-<LI>Automatic keying has a property called<A href="#PFS"> perfect
- forward secrecy</A>. An attacker who breaks the authentication gets
- none of the automatically generated keys and cannot immediately read
- any messages. He has to mount a successful<A href="#middle">
- man-in-the-middle attack</A> in real time before he can read anything.
- He cannot read old archived messages at all and will not be able to
- read any future messages not caught by man-in-the-middle tricks.</LI>
-</UL>
-<P>That said, the secrets used for authentication, stored in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A>, should still be protected as tightly as
- cryptographic keys.</P>
-</DD>
-<DT><A name="B">B</A></DT>
-<DT><A href="http://www.nortelnetworks.com">Bay Networks</A></DT>
-<DD>A vendor of routers, hubs and related products, now a subsidiary of
- Nortel. Interoperation between their IPsec products and Linux FreeS/WAN
- was problematic at last report; see our<A href="interop.html#bay">
- interoperation</A> section.</DD>
-<DT><A name="benchmarks">benchmarks</A></DT>
-<DD>Our default block cipher,<A href="#3DES"> triple DES</A>, is slower
- than many alternate ciphers that might be used. Speeds achieved,
- however, seem adequate for many purposes. For example, the assembler
- code from the<A href="#LIBDES"> LIBDES</A> library we use encrypts 1.6
- megabytes per second on a Pentium 200, according to the test program
- supplied with the library.
-<P>For more detail, see our document on<A href="performance.html">
- FreeS/WAN performance</A>.</P>
-</DD>
-<DT><A name="BIND">BIND</A></DT>
-<DD><B>B</B>erkeley<B> I</B>nternet<B> N</B>ame<B> D</B>aemon, a widely
- used implementation of<A href="#DNS"> DNS</A> (Domain Name Service).
- See our bibliography for a<A href="#DNS"> useful reference</A>. See the<A
-href="http://www.isc.org/bind.html"> BIND home page</A> for more
- information and the latest version.</DD>
-<DT><A name="birthday">Birthday attack</A></DT>
-<DD>A cryptographic attack based on the mathematics exemplified by the<A href="#paradox">
- birthday paradox</A>. This math turns up whenever the question of two
- cryptographic operations producing the same result becomes an issue:
-<UL>
-<LI><A href="#collision">collisions</A> in<A href="#digest"> message
- digest</A> functions.</LI>
-<LI>identical output blocks from a<A href="#block"> block cipher</A></LI>
-<LI>repetition of a challenge in a<A href="#challenge">
- challenge-response</A> system</LI>
-</UL>
-<P>Resisting such attacks is part of the motivation for:</P>
-<UL>
-<LI>hash algorithms such as<A href="#SHA"> SHA</A> and<A href="#RIPEMD">
- RIPEMD-160</A> giving a 160-bit result rather than the 128 bits of<A href="#MD4">
- MD4</A>,<A href="#MD5"> MD5</A> and<A href="#RIPEMD"> RIPEMD-128</A>.</LI>
-<LI><A href="#AES">AES</A> block ciphers using a 128-bit block instead
- of the 64-bit block of most current ciphers</LI>
-<LI><A href="#IPSEC">IPsec</A> using a 32-bit counter for packets sent
- on an<A href="#auto"> automatically keyed</A><A href="#SA"> SA</A> and
- requiring that the connection always be rekeyed before the counter
- overflows.</LI>
-</UL>
-</DD>
-<DT><A name="paradox">Birthday paradox</A></DT>
-<DD>Not really a paradox, just a rather counter-intuitive mathematical
- fact. In a group of 23 people, the chance of a least one pair having
- the same birthday is over 50%.
-<P>The second person has 1 chance in 365 (ignoring leap years) of
- matching the first. If they don't match, the third person's chances of
- matching one of them are 2/365. The 4th, 3/365, and so on. The total of
- these chances grows more quickly than one might guess.</P>
-</DD>
-<DT><A name="block">Block cipher</A></DT>
-<DD>A<A href="#symmetric"> symmetric cipher</A> which operates on
- fixed-size blocks of plaintext, giving a block of ciphertext for each.
- Contrast with<A href="#stream"> stream cipher</A>. Block ciphers can be
- used in various<A href="#mode"> modes</A> when multiple block are to be
- encrypted.
-<P><A href="#DES">DES</A> is among the the best known and widely used
- block ciphers, but is now obsolete. Its 56-bit key size makes it<A href="#desnotsecure">
- highly insecure</A> today.<A href="#3DES"> Triple DES</A> is the
- default block cipher for<A href="#FreeSWAN"> Linux FreeS/WAN</A>.</P>
-<P>The current generation of block ciphers -- such as<A href="#Blowfish">
- Blowfish</A>,<A href="#CAST128"> CAST-128</A> and<A href="#IDEA"> IDEA</A>
- -- all use 64-bit blocks and 128-bit keys. The next generation,<A href="#AES">
- AES</A>, uses 128-bit blocks and supports key sizes up to 256 bits.</P>
-<P>The<A href="http://www.ii.uib.no/~larsr/bc.html"> Block Cipher Lounge</A>
- web site has more information.</P>
-</DD>
-<DT><A name="Blowfish">Blowfish</A></DT>
-<DD>A<A href="#block"> block cipher</A> using 64-bit blocks and keys of
- up to 448 bits, designed by<A href="#schneier"> Bruce Schneier</A> and
- used in several products.
-<P>This is not required by the<A href="#IPSEC"> IPsec</A> RFCs and not
- currently used in<A href="#FreeSWAN"> Linux FreeS/WAN</A>.</P>
-</DD>
-<DT><A name="brute">Brute force attack (exhaustive search)</A></DT>
-<DD>Breaking a cipher by trying all possible keys. This is always
- possible in theory (except against a<A href="#OTP"> one-time pad</A>),
- but it becomes practical only if the key size is inadequate. For an
- important example, see our document on the<A href="#desnotsecure">
- insecurity of DES</A> with its 56-bit key. For an analysis of key sizes
- required to resist plausible brute force attacks, see<A href="http://www.counterpane.com/keylength.html">
- this paper</A>.
-<P>Longer keys protect against brute force attacks. Each extra bit in
- the key doubles the number of possible keys and therefore doubles the
- work a brute force attack must do. A large enough key defeats<STRONG>
- any</STRONG> brute force attack.</P>
-<P>For example, the EFF's<A href="#EFF"> DES Cracker</A> searches a
- 56-bit key space in an average of a few days. Let us assume an attacker
- that can find a 64-bit key (256 times harder) by brute force search in
- a second (a few hundred thousand times faster). For a 96-bit key, that
- attacker needs 2<SUP>32</SUP> seconds, about 135 years. Against a
- 128-bit key, he needs 2<SUP>32</SUP> times that, over 500,000,000,000
- years. Your data is then obviously secure against brute force attacks.
- Even if our estimate of the attacker's speed is off by a factor of a
- million, it still takes him over 500,000 years to crack a message.</P>
-<P>This is why</P>
-<UL>
-<LI>single<A href="#DES"> DES</A> is now considered<A href="#desnotsecure">
- dangerously insecure</A></LI>
-<LI>all of the current generation of<A href="#block"> block ciphers</A>
- use a 128-bit or longer key</LI>
-<LI><A href="#AES">AES</A> ciphers support keysizes 128, 192 and 256
- bits</LI>
-<LI>any cipher we add to Linux FreeS/WAN will have<EM> at least</EM> a
- 128-bit key</LI>
-</UL>
-<P><STRONG>Cautions:</STRONG>
-<BR><EM> Inadequate keylength always indicates a weak cipher</EM> but it
- is important to note that<EM> adequate keylength does not necessarily
- indicate a strong cipher</EM>. There are many attacks other than brute
- force, and adequate keylength<EM> only</EM> guarantees resistance to
- brute force. Any cipher, whatever its key size, will be weak if design
- or implementation flaws allow other attacks.</P>
-<P>Also,<EM> once you have adequate keylength</EM> (somewhere around 90
- or 100 bits),<EM> adding more key bits make no practical difference</EM>
-, even against brute force. Consider our 128-bit example above that
- takes 500,000,000,000 years to break by brute force. We really don't
- care how many zeroes there are on the end of that, as long as the
- number remains ridiculously large. That is, we don't care exactly how
- large the key is as long as it is large enough.</P>
-<P>There may be reasons of convenience in the design of the cipher to
- support larger keys. For example<A href="#Blowfish"> Blowfish</A>
- allows up to 448 bits and<A href="#RC4"> RC4</A> up to 2048, but beyond
- 100-odd bits it makes no difference to practical security.</P>
-</DD>
-<DT>Bureau of Export Administration</DT>
-<DD>see<A href="#BXA"> BXA</A></DD>
-<DT><A name="BXA">BXA</A></DT>
-<DD>The US Commerce Department's<B> B</B>ureau of E<B>x</B>port<B> A</B>
-dministration which administers the<A href="#EAR"> EAR</A> Export
- Administration Regulations controling the export of, among other
- things, cryptography.</DD>
-<DT><A name="C">C</A></DT>
-<DT><A name="CA">CA</A></DT>
-<DD><B>C</B>ertification<B> A</B>uthority, an entity in a<A href="#PKI">
- public key infrastructure</A> that can certify keys by signing them.
- Usually CAs form a hierarchy. The top of this hierarchy is called the<A href="#rootCA">
- root CA</A>.
-<P>See<A href="#web"> Web of Trust</A> for an alternate model.</P>
-</DD>
-<DT><A name="CAST128">CAST-128</A></DT>
-<DD>A<A href="#block"> block cipher</A> using 64-bit blocks and 128-bit
- keys, described in RFC 2144 and used in products such as<A href="#Entrust">
- Entrust</A> and recent versions of<A href="#PGP"> PGP</A>.
-<P>This is not required by the<A href="#IPSEC"> IPsec</A> RFCs and not
- currently used in<A href="#FreeSWAN"> Linux FreeS/WAN</A>.</P>
-</DD>
-<DT>CAST-256</DT>
-<DD><A href="#Entrust">Entrust</A>'s candidate cipher for the<A href="#AES">
- AES standard</A>, largely based on the<A href="#CAST128"> CAST-128</A>
- design.</DD>
-<DT><A name="CBC">CBC mode</A></DT>
-<DD><B>C</B>ipher<B> B</B>lock<B> C</B>haining<A href="#mode"> mode</A>,
- a method of using a<A href="#block"> block cipher</A> in which for each
- block except the first, the result of the previous encryption is XORed
- into the new block before it is encrypted. CBC is the mode used in<A href="#IPSEC">
- IPsec</A>.
-<P>An<A href="#IV"> initialisation vector</A> (IV) must be provided. It
- is XORed into the first block before encryption. The IV need not be
- secret but should be different for each message and unpredictable.</P>
-</DD>
-<DT><A name="CIDR">CIDR</A></DT>
-<DD><B>C</B>lassless<B> I</B>nter-<B>D</B>omain<B> R</B>outing, an
- addressing scheme used to describe networks not restricted to the old
- Class A, B, and C sizes. A CIDR block is written<VAR> address</VAR>/<VAR>
-mask</VAR>, where<VAR> address</VAR> is a 32-bit Internet address. The
- first<VAR> mask</VAR> bits of<VAR> address</VAR> are part of the
- gateway address, while the remaining bits designate other host
- addresses. For example, the CIDR block 192.0.2.96/27 describes a
- network with gateway 192.0.2.96, hosts 192.0.2.96 through 192.0.2.126
- and broadcast 192.0.2.127.
-<P>FreeS/WAN policy group files accept CIDR blocks of the format<VAR>
- address</VAR>/[<VAR>mask</VAR>], where<VAR> address</VAR> may take the
- form<VAR> name.domain.tld</VAR>. An absent<VAR> mask</VAR> is assumed
- to be /32.</P>
-</DD>
-<DT>Certification Authority</DT>
-<DD>see<A href="#CA"> CA</A></DD>
-<DT><A name="challenge">Challenge-response authentication</A></DT>
-<DD>An<A href="#authentication"> authentication</A> system in which one
- player generates a<A href="#random"> random number</A>, encrypts it and
- sends the result as a challenge. The other player decrypts and sends
- back the result. If the result is correct, that proves to the first
- player that the second player knew the appropriate secret, required for
- the decryption. Variations on this technique exist using<A href="#public">
- public key</A> or<A href="#symmetric"> symmetric</A> cryptography. Some
- provide two-way authentication, assuring each player of the other's
- identity.
-<P>This is more secure than passwords against two simple attacks:</P>
-<UL>
-<LI>If cleartext passwords are sent across the wire (e.g. for telnet),
- an eavesdropper can grab them. The attacker may even be able to break
- into other systems if the user has chosen the same password for them.</LI>
-<LI>If an encrypted password is sent, an attacker can record the
- encrypted form and use it later. This is called a replay attack.</LI>
-</UL>
-<P>A challenge-response system never sends a password, either cleartext
- or encrypted. An attacker cannot record the response to one challenge
- and use it as a response to a later challenge. The random number is
- different each time.</P>
-<P>Of course an attacker might still try to break the cryptographic
- algorithm used, or the<A href="#random"> random number</A> generator.</P>
-</DD>
-<DT><A name="mode">Cipher Modes</A></DT>
-<DD>Different ways of using a block cipher when encrypting multiple
- blocks.
-<P>Four standard modes were defined for<A href="#DES"> DES</A> in<A href="#FIPS">
- FIPS</A> 81. They can actually be applied with any block cipher.</P>
-<TABLE><TBODY></TBODY>
-<TR><TD></TD><TD><A href="#ECB">ECB</A></TD><TD>Electronic CodeBook</TD><TD>
-encrypt each block independently</TD></TR>
-<TR><TD></TD><TD><A href="#CBC">CBC</A></TD><TD>Cipher Block Chaining
-<BR></TD><TD>XOR previous block ciphertext into new block plaintext
- before encrypting new block</TD></TR>
-<TR><TD></TD><TD>CFB</TD><TD>Cipher FeedBack</TD><TD></TD></TR>
-<TR><TD></TD><TD>OFB</TD><TD>Output FeedBack</TD><TD></TD></TR>
-</TABLE>
-<P><A href="#IPSEC">IPsec</A> uses<A href="#CBC"> CBC</A> mode since
- this is only marginally slower than<A href="#ECB"> ECB</A> and is more
- secure. In ECB mode the same plaintext always encrypts to the same
- ciphertext, unless the key is changed. In CBC mode, this does not
- occur.</P>
-<P>Various other modes are also possible, but none of them are used in
- IPsec.</P>
-</DD>
-<DT><A name="ciphertext">Ciphertext</A></DT>
-<DD>The encrypted output of a cipher, as opposed to the unencrypted<A href="#plaintext">
- plaintext</A> input.</DD>
-<DT><A href="http://www.cisco.com">Cisco</A></DT>
-<DD>A vendor of routers, hubs and related products. Their IPsec products
- interoperate with Linux FreeS/WAN; see our<A href="#cisco"> interop</A>
- section.</DD>
-<DT><A name="client">Client</A></DT>
-<DD>This term has at least two distinct uses in discussing IPsec:
-<UL>
-<LI>The<STRONG> clients of an IPsec gateway</STRONG> are the machines it
- protects, typically on one or more subnets behind the gateway. In this
- usage, all the machines on an office network are clients of that
- office's IPsec gateway. Laptop or home machines connecting to the
- office, however, are<EM> not</EM> clients of that gateway. They are
- remote gateways, running the other end of an IPsec connection. Each of
- them is also its own client.</LI>
-<LI><STRONG>IPsec client software</STRONG> is used to describe software
- which runs on various standalone machines to let them connect to IPsec
- networks. In this usage, a laptop or home machine connecting to the
- office is a client, and the office gateway is the server.</LI>
-</UL>
-<P>We generally use the term in the first sense. Vendors of Windows
- IPsec solutions often use it in the second. See this<A href="interop.html#client.server">
- discussion</A>.</P>
-</DD>
-<DT><A name="cc">Common Criteria</A></DT>
-<DD>A set of international security classifications which are replacing
- the old US<A href="#rainbow"> Rainbow Book</A> standards and similar
- standards in other countries.
-<P>Web references include this<A href="http://csrc.nist.gov/cc"> US
- government site</A> and this<A href="http://www.commoncriteria.org">
- global home page</A>.</P>
-</DD>
-<DT>Conventional cryptography</DT>
-<DD>See<A href="#symmetric"> symmetric cryptography</A></DD>
-<DT><A name="collision">Collision resistance</A></DT>
-<DD>The property of a<A href="#digest"> message digest</A> algorithm
- which makes it hard for an attacker to find or construct two inputs
- which hash to the same output.</DD>
-<DT>Copyleft</DT>
-<DD>see GNU<A href="#GPL"> General Public License</A></DD>
-<DT><A name="CSE">CSE</A></DT>
-<DD><A href="http://www.cse-cst.gc.ca/">Communications Security
- Establishment</A>, the Canadian organisation for<A href="#SIGINT">
- signals intelligence</A>.</DD>
-<DT><A name="D">D</A></DT>
-<DT><A name="DARPA">DARPA (sometimes just ARPA)</A></DT>
-<DD>The US government's<B> D</B>efense<B> A</B>dvanced<B> R</B>esearch<B>
- P</B>rojects<B> A</B>gency. Projects they have funded over the years
- have included the Arpanet which evolved into the Internet, the TCP/IP
- protocol suite (as a replacement for the original Arpanet suite), the
- Berkeley 4.x BSD Unix projects, and<A href="#SDNS"> Secure DNS</A>.
-<P>For current information, see their<A href="http://www.darpa.mil/ito">
- web site</A>.</P>
-</DD>
-<DT><A name="DOS">Denial of service (DoS) attack</A></DT>
-<DD>An attack that aims at denying some service to legitimate users of a
- system, rather than providing a service to the attacker.
-<UL>
-<LI>One variant is a flooding attack, overwhelming the system with too
- many packets, to much email, or whatever.</LI>
-<LI>A closely related variant is a resource exhaustion attack. For
- example, consider a &quot;TCP SYN flood&quot; attack. Setting up a TCP connection
- involves a three-packet exchange:
-<UL>
-<LI>Initiator: Connection please (SYN)</LI>
-<LI>Responder: OK (ACK)</LI>
-<LI>Initiator: OK here too</LI>
-</UL>
-<P>If the attacker puts bogus source information in the first packet,
- such that the second is never delivered, the responder may wait a long
- time for the third to come back. If responder has already allocated
- memory for the connection data structures, and if many of these bogus
- packets arrive, the responder may run out of memory.</P>
-</LI>
-<LI>Another variant is to feed the system undigestible data, hoping to
- make it sick. For example, IP packets are limited in size to 64K bytes
- and a fragment carries information on where it starts within that 64K
- and how long it is. The &quot;ping of death&quot; delivers fragments that say,
- for example, that they start at 60K and are 20K long. Attempting to
- re-assemble these without checking for overflow can be fatal.</LI>
-</UL>
-<P>The two example attacks discussed were both quite effective when
- first discovered, capable of crashing or disabling many operating
- systems. They were also well-publicised, and today far fewer systems
- are vulnerable to them.</P>
-</DD>
-<DT><A name="DES">DES</A></DT>
-<DD>The<B> D</B>ata<B> E</B>ncryption<B> S</B>tandard, a<A href="#block">
- block cipher</A> with 64-bit blocks and a 56-bit key. Probably the most
- widely used<A href="#symmetric"> symmetric cipher</A> ever devised. DES
- has been a US government standard for their own use (only for
- unclassified data), and for some regulated industries such as banking,
- since the late 70's. It is now being replaced by<A href="#AES"> AES</A>
-.
-<P><A href="#desnotsecure">DES is seriously insecure against current
- attacks.</A></P>
-<P><A href="#FreeSWAN">Linux FreeS/WAN</A> does not include DES, even
- though the RFCs specify it.<B> We strongly recommend that single DES
- not be used.</B></P>
-<P>See also<A href="#3DES"> 3DES</A> and<A href="#DESX"> DESX</A>,
- stronger ciphers based on DES.</P>
-</DD>
-<DT><A name="DESX">DESX</A></DT>
-<DD>An improved<A href="#DES"> DES</A> suggested by Ron Rivest of RSA
- Data Security. It XORs extra key material into the text before and
- after applying the DES cipher.
-<P>This is not required by the<A href="#IPSEC"> IPsec</A> RFCs and not
- currently used in<A href="#FreeSWAN"> Linux FreeS/WAN</A>. DESX would
- be the easiest additional transform to add; there would be very little
- code to write. It would be much faster than 3DES and almost certainly
- more secure than DES. However, since it is not in the RFCs other IPsec
- implementations cannot be expected to have it.</P>
-</DD>
-<DT>DH</DT>
-<DD>see<A href="#DH"> Diffie-Hellman</A></DD>
-<DT><A name="DHCP">DHCP</A></DT>
-<DD><STRONG>D</STRONG>ynamic<STRONG> H</STRONG>ost<STRONG> C</STRONG>
-onfiguration<STRONG> P</STRONG>rotocol, a method of assigning<A href="#dynamic">
- dynamic IP addresses</A>, and providing additional information such as
- addresses of DNS servers and of gateways. See this<A href="http://www.dhcp.org">
- DHCP resource page.</A></DD>
-<DT><A name="DH">Diffie-Hellman (DH) key exchange protocol</A></DT>
-<DD>A protocol that allows two parties without any initial shared secret
- to create one in a manner immune to eavesdropping. Once they have done
- this, they can communicate privately by using that shared secret as a
- key for a block cipher or as the basis for key exchange.
-<P>The protocol is secure against all<A href="#passive"> passive attacks</A>
-, but it is not at all resistant to active<A href="#middle">
- man-in-the-middle attacks</A>. If a third party can impersonate Bob to
- Alice and vice versa, then no useful secret can be created.
- Authentication of the participants is a prerequisite for safe
- Diffie-Hellman key exchange. IPsec can use any of several<A href="#authentication">
- authentication</A> mechanisims. Those supported by FreeS/WAN are
- discussed in our<A href="#choose"> configuration</A> section.</P>
-<P>The Diffie-Hellman key exchange is based on the<A href="#dlog">
- discrete logarithm</A> problem and is secure unless someone finds an
- efficient solution to that problem.</P>
-<P>Given a prime<VAR> p</VAR> and generator<VAR> g</VAR> (explained
- under<A href="#dlog"> discrete log</A> below), Alice:</P>
-<UL>
-<LI>generates a random number<VAR> a</VAR></LI>
-<LI>calculates<VAR> A = g^a modulo p</VAR></LI>
-<LI>sends<VAR> A</VAR> to Bob</LI>
-</UL>
-<P>Meanwhile Bob:</P>
-<UL>
-<LI>generates a random number<VAR> b</VAR></LI>
-<LI>calculates<VAR> B = g^b modulo p</VAR></LI>
-<LI>sends<VAR> B</VAR> to Alice</LI>
-</UL>
-<P>Now Alice and Bob can both calculate the shared secret<VAR> s =
- g^(ab)</VAR>. Alice knows<VAR> a</VAR> and<VAR> B</VAR>, so she
- calculates<VAR> s = B^a</VAR>. Bob knows<VAR> A</VAR> and<VAR> b</VAR>
- so he calculates<VAR> s = A^b</VAR>.</P>
-<P>An eavesdropper will know<VAR> p</VAR> and<VAR> g</VAR> since these
- are made public, and can intercept<VAR> A</VAR> and<VAR> B</VAR> but,
- short of solving the<A href="#dlog"> discrete log</A> problem, these do
- not let him or her discover the secret<VAR> s</VAR>.</P>
-</DD>
-<DT><A name="signature">Digital signature</A></DT>
-<DD>Sender:
-<UL>
-<LI>calculates a<A href="#digest"> message digest</A> of a document</LI>
-<LI>encrypts the digest with his or her private key, using some<A href="#public">
- public key cryptosystem</A>.</LI>
-<LI>attaches the encrypted digest to the document as a signature</LI>
-</UL>
-<P>Receiver:</P>
-<UL>
-<LI>calculates a digest of the document (not including the signature)</LI>
-<LI>decrypts the signature with the signer's public key</LI>
-<LI>verifies that the two results are identical</LI>
-</UL>
-<P>If the public-key system is secure and the verification succeeds,
- then the receiver knows</P>
-<UL>
-<LI>that the document was not altered between signing and verification</LI>
-<LI>that the signer had access to the private key</LI>
-</UL>
-<P>Such an encrypted message digest can be treated as a signature since
- it cannot be created without<EM> both</EM> the document<EM> and</EM>
- the private key which only the sender should possess. The<A href="#legal">
- legal issues</A> are complex, but several countries are moving in the
- direction of legal recognition for digital signatures.</P>
-</DD>
-<DT><A name="dlog">discrete logarithm problem</A></DT>
-<DD>The problem of finding logarithms in a finite field. Given a field
- defintion (such definitions always include some operation analogous to
- multiplication) and two numbers, a base and a target, find the power
- which the base must be raised to in order to yield the target.
-<P>The discrete log problem is the basis of several cryptographic
- systems, including the<A href="#DH"> Diffie-Hellman</A> key exchange
- used in the<A href="#IKE"> IKE</A> protocol. The useful property is
- that exponentiation is relatively easy but the inverse operation,
- finding the logarithm, is hard. The cryptosystems are designed so that
- the user does only easy operations (exponentiation in the field) but an
- attacker must solve the hard problem (discrete log) to crack the
- system.</P>
-<P>There are several variants of the problem for different types of
- field. The IKE/Oakley key determination protocol uses two variants,
- either over a field modulo a prime or over a field defined by an
- elliptic curve. We give an example modulo a prime below. For the
- elliptic curve version, consult an advanced text such as<A href="#handbook">
- Handbook of Applied Cryptography</A>.</P>
-<P>Given a prime<VAR> p</VAR>, a generator<VAR> g</VAR> for the field
- modulo that prime, and a number<VAR> x</VAR> in the field, the problem
- is to find<VAR> y</VAR> such that<VAR> g^y = x</VAR>.</P>
-<P>For example, let p = 13. The field is then the integers from 0 to 12.
- Any integer equals one of these modulo 13. That is, the remainder when
- any integer is divided by 13 must be one of these.</P>
-<P>2 is a generator for this field. That is, the powers of two modulo 13
- run through all the non-zero numbers in the field. Modulo 13 we have:</P>
-<PRE>          y      x
-        2^0  ==  1
-        2^1  ==  2
-        2^2  ==  4
-        2^3  ==  8
-        2^4  ==  3 that is, the remainder from 16/13 is 3
-        2^5  ==  6          the remainder from 32/13 is 6
-        2^6  == 12 and so on
-        2^7  == 11
-        2^8  ==  9
-        2^9  ==  5
-        2^10 == 10
-        2^11 ==  7
-        2^12 ==  1</PRE>
-<P>Exponentiation in such a field is not difficult. Given, say,<NOBR><VAR>
- y = 11</VAR>,calculating<NOBR><VAR> x = 7</VAR>is straightforward. One
- method is just to calculate<NOBR><VAR> 2^11 = 2048</VAR>,then<NOBR><VAR>
- 2048 mod 13 == 7</VAR>.When the field is modulo a large prime (say a
- few 100 digits) you need a silghtly cleverer method and even that is
- moderately expensive in computer time, but the calculation is still not
- problematic in any basic way.</P>
-<P>The discrete log problem is the reverse. In our example, given<NOBR><VAR>
- x = 7</VAR>,find the logarithm<NOBR><VAR> y = 11</VAR>.When the field
- is modulo a large prime (or is based on a suitable elliptic curve),
- this is indeed problematic. No solution method that is not
- catastrophically expensive is known. Quite a few mathematicians have
- tackled this problem. No efficient method has been found and
- mathematicians do not expect that one will be. It seems likely no
- efficient solution to either of the main variants the discrete log
- problem exists.</P>
-<P>Note, however, that no-one has proven such methods do not exist. If a
- solution to either variant were found, the security of any crypto
- system using that variant would be destroyed. This is one reason<A href="#IKE">
- IKE</A> supports two variants. If one is broken, we can switch to the
- other.</P>
-</DD>
-<DT><A name="discretionary">discretionary access control</A></DT>
-<DD>access control mechanisms controlled by the user, for example Unix
- rwx file permissions. These contrast with<A href="#mandatory">
- mandatory access controls</A>.</DD>
-<DT><A name="DNS">DNS</A></DT>
-<DD><B>D</B>omain<B> N</B>ame<B> S</B>ervice, a distributed database
- through which names are associated with numeric addresses and other
- information in the Internet Protocol Suite. See also the<A href="#dns.background">
- DNS background</A> section of our documentation.</DD>
-<DT>DOS attack</DT>
-<DD>see<A href="#DOS"> Denial Of Service</A> attack</DD>
-<DT><A name="dynamic">dynamic IP address</A></DT>
-<DD>an IP address which is automatically assigned, either by<A href="#DHCP">
- DHCP</A> or by some protocol such as<A href="#PPP"> PPP</A> or<A href="#PPPoE">
- PPPoE</A> which the machine uses to connect to the Internet. This is
- the opposite of a<A href="#static"> static IP address</A>, pre-set on
- the machine itself.</DD>
-<DT><A name="E">E</A></DT>
-<DT><A name="EAR">EAR</A></DT>
-<DD>The US government's<B> E</B>xport<B> A</B>dministration<B> R</B>
-egulations, administered by the<A href="#BXA"> Bureau of Export
- Administration</A>. These have replaced the earlier<A href="#ITAR">
- ITAR</A> regulations as the controls on export of cryptography.</DD>
-<DT><A name="ECB">ECB mode</A></DT>
-<DD><B>E</B>lectronic<B> C</B>ode<B>B</B>ook mode, the simplest way to
- use a block cipher. See<A href="#mode"> Cipher Modes</A>.</DD>
-<DT><A name="EDE">EDE</A></DT>
-<DD>The sequence of operations normally used in either the three-key
- variant of<A href="#3DES"> triple DES</A> used in<A href="#IPSEC">
- IPsec</A> or the<A href="#2key"> two-key</A> variant used in some other
- systems.
-<P>The sequence is:</P>
-<UL>
-<LI><B>E</B>ncrypt with key1</LI>
-<LI><B>D</B>ecrypt with key2</LI>
-<LI><B>E</B>ncrypt with key3</LI>
-</UL>
-<P>For the two-key version, key1=key3.</P>
-<P>The &quot;advantage&quot; of this EDE order of operations is that it makes it
- simple to interoperate with older devices offering only single DES. Set
- key1=key2=key3 and you have the worst of both worlds, the overhead of
- triple DES with the &quot;security&quot; of single DES. Since both the<A href="#desnotsecure">
- security of single DES</A> and the overheads of triple DES are
- seriously inferior to many other ciphers, this is a spectacularly
- dubious &quot;advantage&quot;.</P>
-</DD>
-<DT><A name="Entrust">Entrust</A></DT>
-<DD>A Canadian company offerring enterprise<A href="#PKI"> PKI</A>
- products using<A href="#CAST128"> CAST-128</A> symmetric crypto,<A href="#RSA">
- RSA</A> public key and<A href="#X509"> X.509</A> directories.<A href="http://www.entrust.com">
- Web site</A></DD>
-<DT><A name="EFF">EFF</A></DT>
-<DD><A href="http://www.eff.org">Electronic Frontier Foundation</A>, an
- advocacy group for civil rights in cyberspace.</DD>
-<DT><A name="encryption">Encryption</A></DT>
-<DD>Techniques for converting a readable message (<A href="#plaintext">
-plaintext</A>) into apparently random material (<A href="#ciphertext">
-ciphertext</A>) which cannot be read if intercepted. A key is required
- to read the message.
-<P>Major variants include<A href="#symmetric"> symmetric</A> encryption
- in which sender and receiver use the same secret key and<A href="#public">
- public key</A> methods in which the sender uses one of a matched pair
- of keys and the receiver uses the other. Many current systems,
- including<A href="#IPSEC"> IPsec</A>, are<A href="#hybrid"> hybrids</A>
- combining the two techniques.</P>
-</DD>
-<DT><A name="ESP">ESP</A></DT>
-<DD><B>E</B>ncapsulated<B> S</B>ecurity<B> P</B>ayload, the<A href="#IPSEC">
- IPsec</A> protocol which provides<A href="#encryption"> encryption</A>.
- It can also provide<A href="#authentication"> authentication</A>
- service and may be used with null encryption (which we do not
- recommend). For details see our<A href="#ESP.ipsec"> IPsec</A> document
- and/or RFC 2406.</DD>
-<DT><A name="#extruded">Extruded subnet</A></DT>
-<DD>A situation in which something IP sees as one network is actually in
- two or more places.
-<P>For example, the Internet may route all traffic for a particular
- company to that firm's corporate gateway. It then becomes the company's
- problem to get packets to various machines on their<A href="#subnet">
- subnets</A> in various departments. They may decide to treat a branch
- office like a subnet, giving it IP addresses &quot;on&quot; their corporate net.
- This becomes an extruded subnet.</P>
-<P>Packets bound for it are delivered to the corporate gateway, since as
- far as the outside world is concerned, that subnet is part of the
- corporate network. However, instead of going onto the corporate LAN (as
- they would for, say, the accounting department) they are then
- encapsulated and sent back onto the Internet for delivery to the branch
- office.</P>
-<P>For information on doing this with Linux FreeS/WAN, look in our<A href="#extruded.config">
- advanced configuration</A> section.</P>
-</DD>
-<DT>Exhaustive search</DT>
-<DD>See<A href="#brute"> brute force attack</A>.</DD>
-<DT><A name="F">F</A></DT>
-<DT><A name="FIPS">FIPS</A></DT>
-<DD><B>F</B>ederal<B> I</B>nformation<B> P</B>rocessing<B> S</B>tandard,
- the US government's standards for products it buys. These are issued by<A
-href="#NIST"> NIST</A>. Among other things,<A href="#DES"> DES</A> and<A href="#SHA">
- SHA</A> are defined in FIPS documents. NIST have a<A href="http://www.itl.nist.gov/div897/pubs">
- FIPS home page</A>.</DD>
-<DT><A name="FSF">Free Software Foundation (FSF)</A></DT>
-<DD>An organisation to promote free software, free in the sense of these
- quotes from their web pages</DD>
-<DD><BLOCKQUOTE> &quot;Free software&quot; is a matter of liberty, not price. To
- understand the concept, you should think of &quot;free speech&quot;, not &quot;free
- beer.&quot;
-<P>&quot;Free software&quot; refers to the users' freedom to run, copy,
- distribute, study, change and improve the software.</P>
-</BLOCKQUOTE>
-<P>See also<A href="#GNU"> GNU</A>,<A href="#GPL"> GNU General Public
- License</A>, and<A href="http://www.fsf.org"> the FSF site</A>.</P>
-</DD>
-<DT>FreeS/WAN</DT>
-<DD>see<A href="#FreeSWAN"> Linux FreeS/WAN</A></DD>
-<DT><A name="fullnet">Fullnet</A></DT>
-<DD>The CIDR block containing all IPs of its IP version. The<A HREF="#IPv4">
- IPv4</A> fullnet is written 0.0.0.0/0. Also known as &quot;all&quot; and
- &quot;default&quot;, fullnet may be used in a routing table to specify a default
- route, and in a FreeS/WAN<A HREF="#policygroups"> policy group</A> file
- to specify a default IPsec policy.</DD>
-<DT>FSF</DT>
-<DD>see<A href="#FSF"> Free software Foundation</A></DD>
-<DT><A name="G">G</A></DT>
-<DT><A name="GCHQ">GCHQ</A></DT>
-<DD><A href="http://www.gchq.gov.uk">Government Communications
- Headquarters</A>, the British organisation for<A href="#SIGINT">
- signals intelligence</A>.</DD>
-<DT>generator of a prime field</DT>
-<DD>see<A href="#dlog"> discrete logarithm problem</A></DD>
-<DT><A name="GILC">GILC</A></DT>
-<DD><A href="http://www.gilc.org">Global Internet Liberty Campaign</A>,
- an international organisation advocating, among other things, free
- availability of cryptography. They have a<A href="http://www.gilc.org/crypto/wassenaar">
- campaign</A> to remove cryptographic software from the<A href="#Wassenaar.gloss">
- Wassenaar Arrangement</A>.</DD>
-<DT>Global Internet Liberty Campaign</DT>
-<DD>see<A href="#GILC"> GILC</A>.</DD>
-<DT><A name="GTR">Global Trust Register</A></DT>
-<DD>An attempt to create something like a<A href="#rootCA"> root CA</A>
- for<A href="#PGP"> PGP</A> by publishing both<A href="#GTR"> as a book</A>
- and<A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
- on the web</A> the fingerprints of a set of verified keys for
- well-known users and organisations.</DD>
-<DT><A name="GMP">GMP</A></DT>
-<DD>The<B> G</B>NU<B> M</B>ulti-<B>P</B>recision library code, used in<A href="#FreeSWAN">
- Linux FreeS/WAN</A> by<A href="#Pluto"> Pluto</A> for<A href="#public">
- public key</A> calculations. See the<A href="http://www.swox.com/gmp">
- GMP home page</A>.</DD>
-<DT><A name="GNU">GNU</A></DT>
-<DD><B>G</B>NU's<B> N</B>ot<B> U</B>nix, the<A href="#FSF"> Free
- Software Foundation's</A> project aimed at creating a free system with
- at least the capabilities of Unix.<A href="#Linux"> Linux</A> uses GNU
- utilities extensively.</DD>
-<DT><A name="#GOST">GOST</A></DT>
-<DD>a Soviet government standard<A href="#block"> block cipher</A>.<A href="#schneier">
- Applied Cryptography</A> has details.</DD>
-<DT>GPG</DT>
-<DD>see<A href="#GPG"> GNU Privacy Guard</A></DD>
-<DT><A name="GPL">GNU General Public License</A>(GPL, copyleft)</DT>
-<DD>The license developed by the<A href="#FSF"> Free Software Foundation</A>
- under which<A href="#Linux"> Linux</A>,<A href="#FreeSWAN"> Linux
- FreeS/WAN</A> and many other pieces of software are distributed. The
- license allows anyone to redistribute and modify the code, but forbids
- anyone from distributing executables without providing access to source
- code. For more details see the file<A href="../COPYING"> COPYING</A>
- included with GPLed source distributions, including ours, or<A href="http://www.fsf.org/copyleft/gpl.html">
- the GNU site's GPL page</A>.</DD>
-<DT><A name="GPG">GNU Privacy Guard</A></DT>
-<DD>An open source implementation of Open<A href="#PGP"> PGP</A> as
- defined in RFC 2440. See their<A href="http://www.gnupg.org"> web site</A>
-</DD>
-<DT>GPL</DT>
-<DD>see<A href="#GPL"> GNU General Public License</A>.</DD>
-<DT><A name="H">H</A></DT>
-<DT><A name="hash">Hash</A></DT>
-<DD>see<A href="#digest"> message digest</A></DD>
-<DT><A name="HMAC">Hashed Message Authentication Code (HMAC)</A></DT>
-<DD>using keyed<A href="#digest"> message digest</A> functions to
- authenticate a message. This differs from other uses of these
- functions:
-<UL>
-<LI>In normal usage, the hash function's internal variable are
- initialised in some standard way. Anyone can reproduce the hash to
- check that the message has not been altered.</LI>
-<LI>For HMAC usage, you initialise the internal variables from the key.
- Only someone with the key can reproduce the hash. A successful check of
- the hash indicates not only that the message is unchanged but also that
- the creator knew the key.</LI>
-</UL>
-<P>The exact techniques used in<A href="#IPSEC"> IPsec</A> are defined
- in RFC 2104. They are referred to as HMAC-MD5-96 and HMAC-SHA-96
- because they output only 96 bits of the hash. This makes some attacks
- on the hash functions harder.</P>
-</DD>
-<DT>HMAC</DT>
-<DD>see<A href="#HMAC"> Hashed Message Authentication Code</A></DD>
-<DT>HMAC-MD5-96</DT>
-<DD>see<A href="#HMAC"> Hashed Message Authentication Code</A></DD>
-<DT>HMAC-SHA-96</DT>
-<DD>see<A href="#HMAC"> Hashed Message Authentication Code</A></DD>
-<DT><A name="hybrid">Hybrid cryptosystem</A></DT>
-<DD>A system using both<A href="#public"> public key</A> and<A href="#symmetric">
- symmetric cipher</A> techniques. This works well. Public key methods
- provide key management and<A href="#signature"> digital signature</A>
- facilities which are not readily available using symmetric ciphers. The
- symmetric cipher, however, can do the bulk of the encryption work much
- more efficiently than public key methods.</DD>
-<DT><A name="I">I</A></DT>
-<DT><A name="IAB">IAB</A></DT>
-<DD><A href="http://www.iab.org/iab">Internet Architecture Board</A>.</DD>
-<DT><A name="ICMP.gloss">ICMP</A></DT>
-<DD><STRONG>I</STRONG>nternet<STRONG> C</STRONG>ontrol<STRONG> M</STRONG>
-essage<STRONG> P</STRONG>rotocol. This is used for various IP-connected
- devices to manage the network.</DD>
-<DT><A name="IDEA">IDEA</A></DT>
-<DD><B>I</B>nternational<B> D</B>ata<B> E</B>ncrypion<B> A</B>lgorithm,
- developed in Europe as an alternative to exportable American ciphers
- such as<A href="#DES"> DES</A> which were<A href="#desnotsecure"> too
- weak for serious use</A>. IDEA is a<A href="#block"> block cipher</A>
- using 64-bit blocks and 128-bit keys, and is used in products such as<A href="#PGP">
- PGP</A>.
-<P>IDEA is not required by the<A href="#IPSEC"> IPsec</A> RFCs and not
- currently used in<A href="#FreeSWAN"> Linux FreeS/WAN</A>.</P>
-<P>IDEA is patented and, with strictly limited exceptions for personal
- use, using it requires a license from<A href="http://www.ascom.com">
- Ascom</A>.</P>
-</DD>
-<DT><A name="IEEE">IEEE</A></DT>
-<DD><A href="http://www.ieee.org">Institute of Electrical and Electronic
- Engineers</A>, a professional association which, among other things,
- sets some technical standards</DD>
-<DT><A name="IESG">IESG</A></DT>
-<DD><A href="http://www.iesg.org">Internet Engineering Steering Group</A>
-.</DD>
-<DT><A name="IETF">IETF</A></DT>
-<DD><A href="http://www.ietf.org">Internet Engineering Task Force</A>,
- the umbrella organisation whose various working groups make most of the
- technical decisions for the Internet. The IETF<A href="http://www.ietf.org/html.charters/ipsec-charter.html">
- IPsec working group</A> wrote the<A href="#RFC"> RFCs</A> we are
- implementing.</DD>
-<DT><A name="IKE">IKE</A></DT>
-<DD><B>I</B>nternet<B> K</B>ey<B> E</B>xchange, based on the<A href="#DH">
- Diffie-Hellman</A> key exchange protocol. For details, see RFC 2409 and
- our<A href="ipsec.html"> IPsec</A> document. IKE is implemented in<A href="#FreeSWAN">
- Linux FreeS/WAN</A> by the<A href="#Pluto"> Pluto daemon</A>.</DD>
-<DT>IKE v2</DT>
-<DD>A proposed replacement for<A href="#IKE"> IKE</A>. There are other
- candidates, such as<A href="#JFK"> JFK</A>, and at time of writing
- (March 2002) the choice between them has not yet been made and does not
- appear imminent.</DD>
-<DT><A name="iOE">iOE</A></DT>
-<DD>See<A HREF="#initiate-only"> Initiate-only opportunistic encryption</A>
-.</DD>
-<DT><A name="IP">IP</A></DT>
-<DD><B>I</B>nternet<B> P</B>rotocol.</DD>
-<DT><A name="masq">IP masquerade</A></DT>
-<DD>A mostly obsolete term for a method of allowing multiple machines to
- communicate over the Internet when only one IP address is available for
- their use. The more current term is Network Address Translation or<A href="#NAT.gloss">
- NAT</A>.</DD>
-<DT><A name="IPng">IPng</A></DT>
-<DD>&quot;IP the Next Generation&quot;, see<A href="#ipv6.gloss"> IPv6</A>.</DD>
-<DT><A name="IPv4">IPv4</A></DT>
-<DD>The current version of the<A href="#IP"> Internet protocol suite</A>
-.</DD>
-<DT><A name="ipv6.gloss">IPv6 (IPng)</A></DT>
-<DD>Version six of the<A href="#IP"> Internet protocol suite</A>,
- currently being developed. It will replace the current<A href="#IPv4">
- version four</A>. IPv6 has<A href="#IPSEC"> IPsec</A> as a mandatory
- component.
-<P>See this<A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
- web site</A> for more details, and our<A href="#ipv6"> compatibility</A>
- document for information on FreeS/WAN and the Linux implementation of
- IPv6.</P>
-</DD>
-<DT><A name="IPSEC">IPsec</A> or IPSEC</DT>
-<DD><B>I</B>nternet<B> P</B>rotocol<B> SEC</B>urity, security functions
- (<A href="#authentication">authentication</A> and<A href="#encryption">
- encryption</A>) implemented at the IP level of the protocol stack. It
- is optional for<A href="#IPv4"> IPv4</A> and mandatory for<A href="#ipv6.gloss">
- IPv6</A>.
-<P>This is the standard<A href="#FreeSWAN"> Linux FreeS/WAN</A> is
- implementing. For more details, see our<A href="ipsec.html"> IPsec
- Overview</A>. For the standards, see RFCs listed in our<A href="#RFC">
- RFCs document</A>.</P>
-</DD>
-<DT><A name="IPX">IPX</A></DT>
-<DD>Novell's Netware protocol tunnelled over an IP link. Our<A href="#user.scripts">
- firewalls</A> document includes an example of using this through an
- IPsec tunnel.</DD>
-<DT><A name="ISAKMP">ISAKMP</A></DT>
-<DD><B>I</B>nternet<B> S</B>ecurity<B> A</B>ssociation and<B> K</B>ey<B>
- M</B>anagement<B> P</B>rotocol, defined in RFC 2408.</DD>
-<DT><A name="ITAR">ITAR</A></DT>
-<DD><B>I</B>nternational<B> T</B>raffic in<B> A</B>rms<B> R</B>
-egulations, US regulations administered by the State Department which
- until recently limited export of, among other things, cryptographic
- technology and software. ITAR still exists, but the limits on
- cryptography have now been transferred to the<A href="#EAR"> Export
- Administration Regulations</A> under the Commerce Department's<A href="#BXA">
- Bureau of Export Administration</A>.</DD>
-<DT>IV</DT>
-<DD>see<A href="#IV"> Initialisation vector</A></DD>
-<DT><A name="IV">Initialisation Vector (IV)</A></DT>
-<DD>Some cipher<A href="#mode"> modes</A>, including the<A href="#CBC">
- CBC</A> mode which IPsec uses, require some extra data at the
- beginning. This data is called the initialisation vector. It need not
- be secret, but should be different for each message. Its function is to
- prevent messages which begin with the same text from encrypting to the
- same ciphertext. That might give an analyst an opening, so it is best
- prevented.</DD>
-<DT><A name="initiate-only">Initiate-only opportunistic encryption (iOE)</A>
-</DT>
-<DD>A form of<A HREF="#carpediem"> opportunistic encryption</A> (OE) in
- which a host proposes opportunistic connections, but lacks the reverse
- DNS records necessary to support incoming opportunistic connection
- requests. Common among hosts on cable or pppoe connections where the
- system administrator does not have write access to the DNS reverse map
- for the host's external IP.
-<P>Configuring for initiate-only opportunistic encryption is described
- in our<A href="#opp.client"> quickstart</A> document.</P>
-</DD>
-<DT><A name="J">J</A></DT>
-<DT><A name="JFK">JFK</A></DT>
-<DD><STRONG>J</STRONG>ust<STRONG> F</STRONG>ast<STRONG> K</STRONG>eying,
- a proposed simpler replacement for<A href="#IKE"> IKE.</A></DD>
-<DT><A name="K">K</A></DT>
-<DT><A name="kernel">Kernel</A></DT>
-<DD>The basic part of an operating system (e.g. Linux) which controls
- the hardware and provides services to all other programs.
-<P>In the Linux release numbering system, an even second digit as in 2.<STRONG>
-2</STRONG>.x indicates a stable or production kernel while an odd number
- as in 2.<STRONG>3</STRONG>.x indicates an experimental or development
- kernel. Most users should run a recent kernel version from the
- production series. The development kernels are primarily for people
- doing kernel development. Others should consider using development
- kernels only if they have an urgent need for some feature not yet
- available in production kernels.</P>
-</DD>
-<DT>Keyed message digest</DT>
-<DD>See<A href="#HMAC"> HMAC</A>.</DD>
-<DT>Key length</DT>
-<DD>see<A href="#brute"> brute force attack</A></DD>
-<DT><A name="KLIPS">KLIPS</A></DT>
-<DD><B>K</B>erne<B>l</B><B> IP</B><B> S</B>ecurity, the<A href="#FreeSWAN">
- Linux FreeS/WAN</A> project's changes to the<A href="#Linux"> Linux</A>
- kernel to support the<A href="#IPSEC"> IPsec</A> protocols.</DD>
-<DT><A name="L">L</A></DT>
-<DT><A name="LDAP">LDAP</A></DT>
-<DD><B>L</B>ightweight<B> D</B>irectory<B> A</B>ccess<B> P</B>rotocol,
- defined in RFCs 1777 and 1778, a method of accessing information stored
- in directories. LDAP is used by several<A href="#PKI"> PKI</A>
- implementations, often with X.501 directories and<A href="#X509"> X.509</A>
- certificates. It may also be used by<A href="#IPSEC"> IPsec</A> to
- obtain key certifications from those PKIs. This is not yet implemented
- in<A href="#FreeSWAN"> Linux FreeS/WAN</A>.</DD>
-<DT><A name="LIBDES">LIBDES</A></DT>
-<DD>A publicly available library of<A href="#DES"> DES</A> code, written
- by Eric Young, which<A href="#FreeSWAN"> Linux FreeS/WAN</A> uses in
- both<A href="#KLIPS"> KLIPS</A> and<A href="#Pluto"> Pluto</A>.</DD>
-<DT><A name="Linux">Linux</A></DT>
-<DD>A freely available Unix-like operating system based on a kernel
- originally written for the Intel 386 architecture by (then) student
- Linus Torvalds. Once his 32-bit kernel was available, the<A href="#GNU">
- GNU</A> utilities made it a usable system and contributions from many
- others led to explosive growth.
-<P>Today Linux is a complete Unix replacement available for several CPU
- architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit SPARC
- and the 64-bit UltraSPARC, SrongARM, . . . -- with support for multiple
- CPUs on some architectures.</P>
-<P><A href="#FreeSWAN">Linux FreeS/WAN</A> is intended to run on all
- CPUs supported by Linux and is known to work on several. See our<A href="#CPUs">
- compatibility</A> section for a list.</P>
-</DD>
-<DT><A name="FreeSWAN">Linux FreeS/WAN</A></DT>
-<DD>Our implementation of the<A href="#IPSEC"> IPsec</A> protocols,
- intended to be freely redistributable source code with<A href="#GPL"> a
- GNU GPL license</A> and no constraints under US or other<A href="#exlaw">
- export laws</A>. Linux FreeS/WAN is intended to interoperate with other<A
-href="#IPSEC"> IPsec</A> implementations. The name is partly taken, with
- permission, from the<A href="#SWAN"> S/WAN</A> multi-vendor IPsec
- compatability effort. Linux FreeS/WAN has two major components,<A href="#KLIPS">
- KLIPS</A> (KerneL IPsec Support) and the<A href="#Pluto"> Pluto</A>
- daemon which manages the whole thing.
-<P>See our<A href="ipsec.html"> IPsec section</A> for more detail. For
- the code see our<A href="http://freeswan.org"> primary site</A> or one
- of the mirror sites on<A href="#mirrors"> this list</A>.</P>
-</DD>
-<DT><A name="LSM">Linux Security Modules (LSM)</A></DT>
-<DD>a project to create an interface in the Linux kernel that supports
- plug-in modules for various security policies.
-<P>This allows multiple security projects to take different approaches
- to security enhancement without tying the kernel down to one particular
- approach. As I understand the history, several projects were pressing
- Linus to incorporate their changes, the various sets of changes were
- incompatible, and his answer was more-or-less &quot;a plague on all your
- houses; I'll give you an interface, but I won't incorporate anything&quot;.</P>
-<P>It seems to be working. There is a fairly active<A href="http://mail.wirex.com/mailman/listinfo/linux-security-module">
- LSM mailing list</A>, and several projects are already using the
- interface.</P>
-</DD>
-<DT>LSM</DT>
-<DD>see<A href="#LSM"> Linux Security Modules</A></DD>
-<DT><A name="M">M</A></DT>
-<DT><A name="list">Mailing list</A></DT>
-<DD>The<A href="#FreeSWAN"> Linux FreeS/WAN</A> project has several
- public email lists for bug reports and software development
- discussions. See our document on<A href="mail.html"> mailing lists</A>.</DD>
-<DT><A name="middle">Man-in-the-middle attack</A></DT>
-<DD>An<A href="#active"> active attack</A> in which the attacker
- impersonates each of the legitimate players in a protocol to the other.
-<P>For example, if<A href="#alicebob"> Alice and Bob</A> are negotiating
- a key via the<A href="#DH"> Diffie-Hellman</A> key agreement, and are
- not using<A href="#authentication"> authentication</A> to be certain
- they are talking to each other, then an attacker able to insert himself
- in the communication path can deceive both players.</P>
-<P>Call the attacker Mallory. For Bob, he pretends to be Alice. For
- Alice, he pretends to be Bob. Two keys are then negotiated,
- Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key
- they have is Alice-to-Bob.</P>
-<P>A message from Alice to Bob then goes to Mallory who decrypts it,
- reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key
- and sends it along to Bob. Bob decrypts successfully and sends a reply
- which Mallory decrypts, reads, re-encrypts and forwards to Alice.</P>
-<P>To make this attack effective, Mallory must</P>
-<UL>
-<LI>subvert some part of the network in some way that lets him carry out
- the deception
-<BR> possible targets: DNS, router, Alice or Bob's machine, mail server,
- ...</LI>
-<LI>beat any authentication mechanism Alice and Bob use
-<BR> strong authentication defeats the attack entirely; this is why<A href="#IKE">
- IKE</A> requires authentication</LI>
-<LI>work in real time, delivering messages without introducing a delay
- large enough to alert the victims
-<BR> not hard if Alice and Bob are using email; quite difficult in some
- situations.</LI>
-</UL>
-<P>If he manages it, however, it is devastating. He not only gets to
- read all the messages; he can alter messages, inject his own, forge
- anything he likes, . . . In fact, he controls the communication
- completely.</P>
-</DD>
-<DT><A name="mandatory">mandatory access control</A></DT>
-<DD>access control mechanisims which are not settable by the user (see<A href="#discretionary">
- discretionary access control</A>), but are enforced by the system.
-<P>For example, a document labelled &quot;secret, zebra&quot; might be readable
- only by someone with secret clearance working on Project Zebra.
- Ideally, the system will prevent any transfer outside those boundaries.
- For example, even if you can read it, you should not be able to e-mail
- it (unless the recipient is appropriately cleared) or print it (unless
- certain printers are authorised for that classification).</P>
-<P>Mandatory access control is a required feature for some levels of<A href="#rainbow">
- Rainbow Book</A> or<A href="#cc"> Common Criteria</A> classification,
- but has not been widely used outside the military and government. There
- is a good discussion of the issues in Anderson's<A href="#anderson">
- Security Engineering</A>.</P>
-<P>The<A href="#SElinux"> Security Enhanced Linux</A> project is adding
- mandatory access control to Linux.</P>
-</DD>
-<DT><A name="manual">Manual keying</A></DT>
-<DD>An IPsec mode in which the keys are provided by the administrator.
- In FreeS/WAN, they are stored in /etc/ipsec.conf. The alternative,<A href="#auto">
- automatic keying</A>, is preferred in most cases. See this<A href="#man-auto">
- discussion</A>.</DD>
-<DT><A name="MD4">MD4</A></DT>
-<DD><A href="#digest">Message Digest Algorithm</A> Four from Ron Rivest
- of<A href="#RSAco"> RSA</A>. MD4 was widely used a few years ago, but
- is now considered obsolete. It has been replaced by its descendants<A href="#MD5">
- MD5</A> and<A href="#SHA"> SHA</A>.</DD>
-<DT><A name="MD5">MD5</A></DT>
-<DD><A href="#digest">Message Digest Algorithm</A> Five from Ron Rivest
- of<A href="#RSAco"> RSA</A>, an improved variant of his<A href="#MD4">
- MD4</A>. Like MD4, it produces a 128-bit hash. For details see RFC
- 1321.
-<P>MD5 is one of two message digest algorithms available in IPsec. The
- other is<A href="#SHA"> SHA</A>. SHA produces a longer hash and is
- therefore more resistant to<A href="#birthday"> birthday attacks</A>,
- but this is not a concern for IPsec. The<A href="#HMAC"> HMAC</A>
- method used in IPsec is secure even if the underlying hash is not
- particularly strong against this attack.</P>
-<P>Hans Dobbertin found a weakness in MD5, and people often ask whether
- this means MD5 is unsafe for IPsec. It doesn't. The IPsec RFCs discuss
- Dobbertin's attack and conclude that it does not affect MD5 as used for
- HMAC in IPsec.</P>
-</DD>
-<DT><A name="meet">Meet-in-the-middle attack</A></DT>
-<DD>A divide-and-conquer attack which breaks a cipher into two parts,
- works against each separately, and compares results. Probably the best
- known example is an attack on double DES. This applies in principle to
- any pair of block ciphers, e.g. to an encryption system using, say,
- CAST-128 and Blowfish, but we will describe it for double DES.
-<P>Double DES encryption and decryption can be written:</P>
-<PRE>        C = E(k2,E(k1,P))
-        P = D(k1,D(k2,C))</PRE>
-<P>Where C is ciphertext, P is plaintext, E is encryption, D is
- decryption, k1 is one key, and k2 is the other key. If we know a P, C
- pair, we can try and find the keys with a brute force attack, trying
- all possible k1, k2 pairs. Since each key is 56 bits, there are 2<SUP>
-112</SUP> such pairs and this attack is painfully inefficient.</P>
-<P>The meet-in-the middle attack re-writes the equations to calculate a
- middle value M:</P>
-<PRE>        M = E(k1,P)
-        M = D(k2,C)</PRE>
-<P>Now we can try some large number of D(k2,C) decryptions with various
- values of k2 and store the results in a table. Then start doing E(k1,P)
- encryptions, checking each result to see if it is in the table.</P>
-<P>With enough table space, this breaks double DES with<NOBR> 2<SUP>56</SUP>
- + 2<SUP>56</SUP> = 2<SUP>57</SUP>work. Against triple DES, you need<NOBR>
- 2<SUP>56</SUP> + 2<SUP>112</SUP> ~= 2<SUP>112</SUP>.</P>
-<P>The memory requirements for such attacks can be prohibitive, but
- there is a whole body of research literature on methods of reducing
- them.</P>
-</DD>
-<DT><A name="digest">Message Digest Algorithm</A></DT>
-<DD>An algorithm which takes a message as input and produces a hash or
- digest of it, a fixed-length set of bits which depend on the message
- contents in some highly complex manner. Design criteria include making
- it extremely difficult for anyone to counterfeit a digest or to change
- a message without altering its digest. One essential property is<A href="#collision">
- collision resistance</A>. The main applications are in message<A href="#authentication">
- authentication</A> and<A href="#signature"> digital signature</A>
- schemes. Widely used algorithms include<A href="#MD5"> MD5</A> and<A href="#SHA">
- SHA</A>. In IPsec, message digests are used for<A href="#HMAC"> HMAC</A>
- authentication of packets.</DD>
-<DT><A name="MTU">MTU</A></DT>
-<DD><STRONG>M</STRONG>aximum<STRONG> T</STRONG>ransmission<STRONG> U</STRONG>
-nit, the largest size of packet that can be sent over a link. This is
- determined by the underlying network, but must be taken account of at
- the IP level.
-<P>IP packets, which can be up to 64K bytes each, must be packaged into
- lower-level packets of the appropriate size for the underlying
- network(s) and re-assembled on the other end. When a packet must pass
- over multiple networks, each with its own MTU, and many of the MTUs are
- unknown to the sender, this becomes a fairly complex problem. See<A href="#pathMTU">
- path MTU discovery</A> for details.</P>
-<P>Often the MTU is a few hundred bytes on serial links and 1500 on
- Ethernet. There are, however, serial link protocols which use a larger
- MTU to avoid fragmentation at the ethernet/serial boundary, and newer
- (especially gigabit) Ethernet networks sometimes support much larger
- packets because these are more efficient in some applications.</P>
-</DD>
-<DT><A name="N">N</A></DT>
-<DT><A name="NAI">NAI</A></DT>
-<DD><A href="http://www.nai.com">Network Associates</A>, a conglomerate
- formed from<A href="#PGPI"> PGP Inc.</A>, TIS (Trusted Information
- Systems, a firewall vendor) and McAfee anti-virus products. Among other
- things, they offer an IPsec-based VPN product.</DD>
-<DT><A name="NAT.gloss">NAT</A></DT>
-<DD><B>N</B>etwork<B> A</B>ddress<B> T</B>ranslation, a process by which
- firewall machines may change the addresses on packets as they go
- through. For discussion, see our<A href="#nat.background"> background</A>
- section.</DD>
-<DT><A name="NIST">NIST</A></DT>
-<DD>The US<A href="http://www.nist.gov"> National Institute of Standards
- and Technology</A>, responsible for<A href="#FIPS"> FIPS standards</A>
- including<A href="#DES"> DES</A> and its replacement,<A href="#AES">
- AES</A>.</DD>
-<DT><A name="nonce">Nonce</A></DT>
-<DD>A<A href="#random"> random</A> value used in an<A href="#authentication">
- authentication</A> protocol.</DD>
-<DT></DT>
-<DT><A name="non-routable">Non-routable IP address</A></DT>
-<DD>An IP address not normally allowed in the &quot;to&quot; or &quot;from&quot; IP address
- field header of IP packets.
-<P>Almost invariably, the phrase &quot;non-routable address&quot; means one of the
- addresses reserved by RFC 1918 for private networks:</P>
-<UL>
-<LI>10.anything</LI>
-<LI>172.x.anything with 16 &lt;= x &lt;= 31</LI>
-<LI>192.168.anything</LI>
-</UL>
-<P>These addresses are commonly used on private networks, e.g. behind a
- Linux machines doing<A href="#masq"> IP masquerade</A>. Machines within
- the private network can address each other with these addresses. All
- packets going outside that network, however, have these addresses
- replaced before they reach the Internet.</P>
-<P>If any packets using these addresses do leak out, they do not go far.
- Most routers automatically discard all such packets.</P>
-<P>Various other addresses -- the 127.0.0.0/8 block reserved for local
- use, 0.0.0.0, various broadcast and network addresses -- cannot be
- routed over the Internet, but are not normally included in the meaning
- when the phrase &quot;non-routable address&quot; is used.</P>
-</DD>
-<DT><A name="NSA">NSA</A></DT>
-<DD>The US<A href="http://www.nsa.gov"> National Security Agency</A>,
- the American organisation for<A href="#SIGINT"> signals intelligence</A>
-, the protection of US government messages and the interception and
- analysis of other messages. For details, see Bamford's<A href="#puzzle">
- &quot;The Puzzle Palace&quot;</A>.
-<P>Some<A href="http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/index.html">
- history of NSA</A> documents were declassified in response to a FOIA
- (Freedom of Information Act) request.</P>
-</DD>
-<DT><A name="O">O</A></DT>
-<DT><A name="oakley">Oakley</A></DT>
-<DD>A key determination protocol, defined in RFC 2412.</DD>
-<DT>Oakley groups</DT>
-<DD>The groups used as the basis of<A href="#DH"> Diffie-Hellman</A> key
- exchange in the Oakley protocol, and in<A href="#IKE"> IKE</A>. Four
- were defined in the original RFC, and a fifth has been<A href="http://www.lounge.org/ike_doi_errata.html">
- added since</A>.
-<P>Linux FreeS/WAN currently supports the three groups based on finite
- fields modulo a prime (Groups 1, 2 and 5) and does not support the
- elliptic curve groups (3 and 4). For a description of the difference of
- the types, see<A href="#dlog"> discrete logarithms</A>.</P>
-</DD>
-<DT><A name="OTP">One time pad</A></DT>
-<DD>A cipher in which the key is:
-<UL>
-<LI>as long as the total set of messages to be enciphered</LI>
-<LI>absolutely<A href="#random"> random</A></LI>
-<LI>never re-used</LI>
-</UL>
-<P>Given those three conditions, it can easily be proved that the cipher
- is perfectly secure, in the sense that an attacker with intercepted
- message in hand has no better chance of guessing the message than an
- attacker who has not intercepted the message and only knows the message
- length. No such proof exists for any other cipher.</P>
-<P>There are, however, several problems with this &quot;perfect&quot; cipher.</P>
-<P>First, it is<STRONG> wildly impractical</STRONG> for most
- applications. Key management is at best difficult, often completely
- impossible.</P>
-<P>Second, it is<STRONG> extremely fragile</STRONG>. Small changes which
- violate the conditions listed above do not just weaken the cipher
- liitle. Quite often they destroy its security completely.</P>
-<UL>
-<LI>Re-using the pad weakens the cipher to the point where it can be
- broken with pencil and paper. With a computer, the attack is trivially
- easy.</LI>
-<LI>Using<EM> anything</EM> less than truly<A href="#random"> random</A>
- numbers<EM> completely</EM> invalidates the security proof.</LI>
-<LI>In particular, using computer-generated pseudo-random numbers may
- give an extremely weak cipher. It might also produce a good stream
- cipher, if the pseudo-random generator is both well-designed and
- properely seeded.</LI>
-</UL>
-<P>Marketing claims about the &quot;unbreakable&quot; security of various products
- which somewhat resemble one-time pads are common. Such claims are one
- of the surest signs of cryptographic<A href="#snake"> snake oil</A>;
- most systems marketed with such claims are worthless.</P>
-<P>Finally, even if the system is implemented and used correctly, it is<STRONG>
- highly vulnerable to a substitution attack</STRONG>. If an attacker
- knows some plaintext and has an intercepted message, he can discover
- the pad.</P>
-<UL>
-<LI>This does not matter if the attacker is just a<A href="#passive">
- passive</A> eavesdropper. It gives him no plaintext he didn't already
- know and we don't care that he learns a pad which we will never re-use.</LI>
-<LI>However, an<A href="#active"> active</A> attacker who knows the
- plaintext can recover the pad, then use it to encode with whatever he
- chooses. If he can get his version delivered instead of yours, this may
- be a disaster. If you send &quot;attack at dawn&quot;, the delivered message can
- be anything the same length -- perhaps &quot;retreat to east&quot; or &quot;shoot
- generals&quot;.</LI>
-<LI>An active attacker with only a reasonable guess at the plaintext can
- try the same attack. If the guess is correct, this works and the
- attacker's bogus message is delivered. If the guess is wrong, a garbled
- message is delivered.</LI>
-</UL>
-<P>In general then, despite its theoretical perfection, the one-time-pad
- has very limited practical application.</P>
-<P>See also the<A href="http://pubweb.nfr.net/~mjr/pubs/otpfaq/"> one
- time pad FAQ</A>.</P>
-</DD>
-<DT><A name="carpediem">Opportunistic encryption (OE)</A></DT>
-<DD>A situation in which any two IPsec-aware machines can secure their
- communications, without a pre-shared secret and without a common<A href="#PKI">
- PKI</A> or previous exchange of public keys. This is one of the goals
- of the Linux FreeS/WAN project, discussed in our<A href="#goals">
- introduction</A> section.
-<P>Setting up for opportunistic encryption is described in our<A href="#quickstart">
- quickstart</A> document.</P>
-</DD>
-<DT><A name="responder">Opportunistic responder</A></DT>
-<DD>A host which accepts, but does not initiate, requests for<A HREF="#carpediem">
- opportunistic encryption</A> (OE). An opportunistic responder has
- enabled OE in its<A HREF="#passive.OE"> passive</A> form (pOE) only. A
- web server or file server may be usefully set up as an opportunistic
- responder.
-<P>Configuring passive OE is described in our<A href="#policygroups">
- policy groups</A> document.</P>
-</DD>
-<DT><A name="orange">Orange book</A></DT>
-<DD>the most basic and best known of the US government's<A href="#rainbow">
- Rainbow Book</A> series of computer security standards.</DD>
-<DT><A name="P">P</A></DT>
-<DT><A name="P1363">P1363 standard</A></DT>
-<DD>An<A href="#IEEE"> IEEE</A> standard for public key cryptography.<A href="http://grouper.ieee.org/groups/1363">
- Web page</A>.</DD>
-<DT><A name="pOE">pOE</A></DT>
-<DD>See<A href="#passive.OE"> Passive opportunistic encryption</A>.</DD>
-<DT><A name="passive">Passive attack</A></DT>
-<DD>An attack in which the attacker only eavesdrops and attempts to
- analyse intercepted messages, as opposed to an<A href="#active"> active
- attack</A> in which he diverts messages or generates his own.</DD>
-<DT><A name="passive.OE">Passive opportunistic encryption (pOE)</A></DT>
-<DD>A form of<A HREF="#carpediem"> opportunistic encryption</A> (OE) in
- which the host will accept opportunistic connection requests, but will
- not initiate such requests. A host which runs OE in its passive form
- only is known as an<A HREF="#responder"> opportunistic responder</A>.
-<P>Configuring passive OE is described in our<A href="#policygroups">
- policy groups</A> document.</P>
-</DD>
-<DT><A name="pathMTU">Path MTU discovery</A></DT>
-<DD>The process of discovering the largest packet size which all links
- on a path can handle without fragmentation -- that is, without any
- router having to break the packet up into smaller pieces to match the<A href="#MTU">
- MTU</A> of its outgoing link.
-<P>This is done as follows:</P>
-<UL>
-<LI>originator sends the largest packets allowed by<A href="#MTU"> MTU</A>
- of the first link, setting the DF (<STRONG>d</STRONG>on't<STRONG> f</STRONG>
-ragment) bit in the packet header</LI>
-<LI>any router which cannot send the packet on (outgoing MTU is too
- small for it, and DF prevents fragmenting it to match) sends back an<A href="#ICMP.gloss">
- ICMP</A> packet reporting the problem</LI>
-<LI>originator looks at ICMP message and tries a smaller size</LI>
-<LI>eventually, you settle on a size that can pass all routers</LI>
-<LI>thereafter, originator just sends that size and no-one has to
- fragment</LI>
-</UL>
-<P>Since this requires co-operation of many systems, and since the next
- packet may travel a different path, this is one of the trickier areas
- of IP programming. Bugs that have shown up over the years have
- included:</P>
-<UL>
-<LI>malformed ICMP messages</LI>
-<LI>hosts that ignore or mishandle these ICMP messages</LI>
-<LI>firewalls blocking the ICMP messages so host does not see them</LI>
-</UL>
-<P>Since IPsec adds a header, it increases packet size and may require
- fragmentation even where incoming and outgoing MTU are equal.</P>
-</DD>
-<DT><A name="PFS">Perfect forward secrecy (PFS)</A></DT>
-<DD>A property of systems such as<A href="#DH"> Diffie-Hellman</A> key
- exchange which use a long-term key (such as the shared secret in IKE)
- and generate short-term keys as required. If an attacker who acquires
- the long-term key<EM> provably</EM> can
-<UL>
-<LI><EM>neither</EM> read previous messages which he may have archived</LI>
-<LI><EM>nor</EM> read future messages without performing additional
- successful attacks</LI>
-</UL>
-<P>then the system has PFS. The attacker needs the short-term keys in
- order to read the trafiic and merely having the long-term key does not
- allow him to infer those. Of course, it may allow him to conduct
- another attack (such as<A href="#middle"> man-in-the-middle</A>) which
- gives him some short-term keys, but he does not automatically get them
- just by acquiring the long-term key.</P>
-<P>See also<A href="http://sandelman.ottawa.on.ca/ipsec/1996/08/msg00123.html">
- Phil Karn's definition</A>.</P>
-</DD>
-<DT>PFS</DT>
-<DD>see Perfect Forward Secrecy</DD>
-<DT><A name="PGP">PGP</A></DT>
-<DD><B>P</B>retty<B> G</B>ood<B> P</B>rivacy, a personal encryption
- system for email based on public key technology, written by Phil
- Zimmerman.
-<P>The 2.xx versions of PGP used the<A href="#RSA"> RSA</A> public key
- algorithm and used<A href="#IDEA"> IDEA</A> as the symmetric cipher.
- These versions are described in RFC 1991 and in<A href="#PGP">
- Garfinkel's book</A>. Since version 5, the products from<A href="#PGPI">
- PGP Inc</A>. have used<A href="#DH"> Diffie-Hellman</A> public key
- methods and<A href="#CAST128"> CAST-128</A> symmetric encryption. These
- can verify signatures from the 2.xx versions, but cannot exchange
- encryted messages with them.</P>
-<P>An<A href="#IETF"> IETF</A> working group has issued RFC 2440 for an
- &quot;Open PGP&quot; standard, similar to the 5.x versions. PGP Inc. staff were
- among the authors. A free<A href="#GPG"> Gnu Privacy Guard</A> based on
- that standard is now available.</P>
-<P>For more information on PGP, including how to obtain it, see our
- cryptography<A href="#tools"> links</A>.</P>
-</DD>
-<DT><A name="PGPI">PGP Inc.</A></DT>
-<DD>A company founded by Zimmerman, the author of<A href="#PGP"> PGP</A>
-, now a division of<A href="#NAI"> NAI</A>. See the<A href="http://www.pgp.com">
- corporate website</A>. Zimmerman left in 2001, and early in 2002 NAI
- announced that they would no longer sell PGP..
-<P>Versions 6.5 and later of the PGP product include PGPnet, an IPsec
- client for Macintosh or for Windows 95/98/NT. See our<A href="interop.html#pgpnet">
- interoperation documen</A>t.</P>
-</DD>
-<DT><A name="photuris">Photuris</A></DT>
-<DD>Another key negotiation protocol, an alternative to<A href="#IKE">
- IKE</A>, described in RFCs 2522 and 2523.</DD>
-<DT><A name="PPP">PPP</A></DT>
-<DD><B>P</B>oint-to-<B>P</B>oint<B> P</B>rotocol, originally a method of
- connecting over modems or serial lines, but see also PPPoE.</DD>
-<DT><A name="PPPoE">PPPoE</A></DT>
-<DD><B>PPP</B><B> o</B>ver<B> E</B>thernet, a somewhat odd protocol that
- makes Ethernet look like a point-to-point serial link. It is widely
- used for cable or ADSL Internet services, apparently mainly because it
- lets the providers use access control and address assignmment
- mechanisms developed for dialup networks.<A href="http://www.roaringpenguin.com">
- Roaring Penguin</A> provide a widely used Linux implementation.</DD>
-<DT><A name="PPTP">PPTP</A></DT>
-<DD><B>P</B>oint-to-<B>P</B>oint<B> T</B>unneling<B> P</B>rotocol, used
- in some Microsoft VPN implementations. Papers discussing weaknesses in
- it are on<A href="http://www.counterpane.com/publish.html">
- counterpane.com</A>. It is now largely obsolete, replaced by L2TP.</DD>
-<DT><A name="PKI">PKI</A></DT>
-<DD><B>P</B>ublic<B> K</B>ey<B> I</B>nfrastructure, the things an
- organisation or community needs to set up in order to make<A href="#public">
- public key</A> cryptographic technology a standard part of their
- operating procedures.
-<P>There are several PKI products on the market. Typically they use a
- hierarchy of<A href="#CA"> Certification Authorities (CAs)</A>. Often
- they use<A href="#LDAP"> LDAP</A> access to<A href="#X509"> X.509</A>
- directories to implement this.</P>
-<P>See<A href="#web"> Web of Trust</A> for a different sort of
- infrastructure.</P>
-</DD>
-<DT><A name="PKIX">PKIX</A></DT>
-<DD><B>PKI</B> e<B>X</B>change, an<A href="#IETF"> IETF</A> standard
- that allows<A href="#PKI"> PKI</A>s to talk to each other.
-<P>This is required, for example, when users of a corporate PKI need to
- communicate with people at client, supplier or government
- organisations, any of which may have a different PKI in place. I should
- be able to talk to you securely whenever:</P>
-<UL>
-<LI>your organisation and mine each have a PKI in place</LI>
-<LI>you and I are each set up to use those PKIs</LI>
-<LI>the two PKIs speak PKIX</LI>
-<LI>the configuration allows the conversation</LI>
-</UL>
-<P>At time of writing (March 1999), this is not yet widely implemented
- but is under quite active development by several groups.</P>
-</DD>
-<DT><A name="plaintext">Plaintext</A></DT>
-<DD>The unencrypted input to a cipher, as opposed to the encrypted<A href="#ciphertext">
- ciphertext</A> output.</DD>
-<DT><A name="Pluto">Pluto</A></DT>
-<DD>The<A href="#FreeSWAN"> Linux FreeS/WAN</A> daemon which handles key
- exchange via the<A href="#IKE"> IKE</A> protocol, connection
- negotiation, and other higher-level tasks. Pluto calls the<A href="#KLIPS">
- KLIPS</A> kernel code as required. For details, see the manual page
- ipsec_pluto(8).</DD>
-<DT><A name="public">Public Key Cryptography</A></DT>
-<DD>In public key cryptography, keys are created in matched pairs.
- Encrypt with one half of a pair and only the matching other half can
- decrypt it. This contrasts with<A href="#symmetric"> symmetric or
- secret key cryptography</A> in which a single key known to both parties
- is used for both encryption and decryption.
-<P>One half of each pair, called the public key, is made public. The
- other half, called the private key, is kept secret. Messages can then
- be sent by anyone who knows the public key to the holder of the private
- key. Encrypt with the public key and you know that only someone with
- the matching private key can decrypt.</P>
-<P>Public key techniques can be used to create<A href="#signature">
- digital signatures</A> and to deal with key management issues, perhaps
- the hardest part of effective deployment of<A href="#symmetric">
- symmetric ciphers</A>. The resulting<A href="#hybrid"> hybrid
- cryptosystems</A> use public key methods to manage keys for symmetric
- ciphers.</P>
-<P>Many organisations are currently creating<A href="#PKI"> PKIs, public
- key infrastructures</A> to make these benefits widely available.</P>
-</DD>
-<DT>Public Key Infrastructure</DT>
-<DD>see<A href="#PKI"> PKI</A></DD>
-<DT><A name="Q">Q</A></DT>
-<DT><A name="R">R</A></DT>
-<DT><A name="rainbow">Rainbow books</A></DT>
-<DD>A set of US government standards for evaluation of &quot;trusted computer
- systems&quot;, of which the best known was the<A href="#orange"> Orange Book</A>
-. One fairly often hears references to &quot;C2 security&quot; or a product
- &quot;evaluated at B1&quot;. The Rainbow books define the standards referred to
- in those comments.
-<P>See this<A href="http://www.fas.org/irp/nsa/rainbow.htm"> reference
- page</A>.</P>
-<P>The Rainbow books are now mainly obsolete, replaced by the
- international<A href="#cc"> Common Criteria</A> standards.</P>
-</DD>
-<DT><A name="random">Random</A></DT>
-<DD>A remarkably tricky term, far too much so for me to attempt a
- definition here. Quite a few cryptosystems have been broken via attacks
- on weak random number generators, even when the rest of the system was
- sound.
-<P>See<A href="http://nis.nsf.net/internet/documents/rfc/rfc1750.txt">
- RFC 1750</A> for the theory.</P>
-<P>See the manual pages for<A href="manpage.d/ipsec_ranbits.8.html">
- ipsec_ranbits(8)</A> and ipsec_prng(3) for more on FreeS/WAN's use of
- randomness. Both depend on the random(4) device driver..</P>
-<P>A couple of years ago, there was extensive mailing list discussion
- (archived<A href="http://www.openpgp.net/random/index.html"> here</A>
-)of Linux /dev/random and FreeS/WAN. Since then, the design of the
- random(4) driver has changed considerably. Linux 2.4 kernels have the
- new driver..</P>
-</DD>
-<DT>Raptor</DT>
-<DD>A firewall product for Windows NT offerring IPsec-based VPN
- services. Linux FreeS/WAN interoperates with Raptor; see our<A href="#raptor">
- interop</A> document for details. Raptor have recently merged with
- Axent.</DD>
-<DT><A name="RC4">RC4</A></DT>
-<DD><B>R</B>ivest<B> C</B>ipher four, designed by Ron Rivest of<A href="#RSAco">
- RSA</A> and widely used. Believed highly secure with adequate key
- length, but often implemented with inadequate key length to comply with
- export restrictions.</DD>
-<DT><A name="RC6">RC6</A></DT>
-<DD><B>R</B>ivest<B> C</B>ipher six,<A href="#RSAco"> RSA</A>'s<A href="#AES">
- AES</A> candidate cipher.</DD>
-<DT><A name="replay">Replay attack</A></DT>
-<DD>An attack in which the attacker records data and later replays it in
- an attempt to deceive the recipient.</DD>
-<DT><A name="reverse">Reverse map</A></DT>
-<DD>In<A href="#DNS"> DNS</A>, a table where IP addresses can be used as
- the key for lookups which return a system name and/or other
- information.</DD>
-<DT>RFC</DT>
-<DD><B>R</B>equest<B> F</B>or<B> C</B>omments, an Internet document.
- Some RFCs are just informative. Others are standards.
-<P>Our list of<A href="#IPSEC"> IPsec</A> and other security-related
- RFCs is<A href="#RFC"> here</A>, along with information on methods of
- obtaining them.</P>
-</DD>
-<DT><A name="rijndael">Rijndael</A></DT>
-<DD>a<A href="#block"> block cipher</A> designed by two Belgian
- cryptographers, winner of the US government's<A href="#AES"> AES</A>
- contest to pick a replacement for<A href="#DES"> DES</A>. See the<A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael">
- Rijndael home page</A>.</DD>
-<DT><A name="RIPEMD">RIPEMD</A></DT>
-<DD>A<A href="#digest"> message digest</A> algorithm. The current
- version is RIPEMD-160 which gives a 160-bit hash.</DD>
-<DT><A name="rootCA">Root CA</A></DT>
-<DD>The top level<A href="#CA"> Certification Authority</A> in a
- hierachy of such authorities.</DD>
-<DT><A name="routable">Routable IP address</A></DT>
-<DD>Most IP addresses can be used as &quot;to&quot; and &quot;from&quot; addresses in packet
- headers. These are the routable addresses; we expect routing to be
- possible for them. If we send a packet to one of them, we expect (in
- most cases; there are various complications) that it will be delivered
- if the address is in use and will cause an<A href="#ICMP.gloss"> ICMP</A>
- error packet to come back to us if not.
-<P>There are also several classes of<A href="#non-routable">
- non-routable</A> IP addresses.</P>
-</DD>
-<DT><A name="RSA">RSA algorithm</A></DT>
-<DD><B>R</B>ivest<B> S</B>hamir<B> A</B>dleman<A href="#public"> public
- key</A> algorithm, named for its three inventors. It is widely used and
- likely to become moreso since it became free of patent encumbrances in
- September 2000.
-<P>RSA can be used to provide either<A href="#encryption"> encryption</A>
- or<A href="#signature"> digital signatures</A>. In IPsec, it is used
- only for signatures. These provide gateway-to-gateway<A href="#authentication">
- authentication</A> for<A href="#IKE"> IKE</A> negotiations.</P>
-<P>For a full explanation of the algorithm, consult one of the standard
- references such as<A href="#schneier"> Applied Cryptography</A>. A
- simple explanation is:</P>
-<P>The great 17th century French mathematician<A href="http://www-groups.dcs.st-andrews.ac.uk/~history/Mathematicians/Fermat.html">
- Fermat</A> proved that,</P>
-<P>for any prime p and number x, 0 &lt;= x &lt; p:</P>
-<PRE>        x^p == x         modulo p
-        x^(p-1) == 1     modulo p, non-zero x
-      </PRE>
-<P>From this it follows that if we have a pair of primes p, q and two
- numbers e, d such that:</P>
-<PRE>        ed == 1          modulo lcm( p-1, q-1)
-      </PRE>
- where lcm() is least common multiple, then
-<BR> for all x, 0 &lt;= x &lt; pq:
-<PRE>      x^ed == x           modulo pq
-      </PRE>
-<P>So we construct such as set of numbers p, q, e, d and publish the
- product N=pq and e as the public key. Using c for<A href="#ciphertext">
- ciphertext</A> and i for the input<A href="#plaintext"> plaintext</A>,
- encryption is then:</P>
-<PRE>        c = i^e           modulo N
-      </PRE>
-<P>An attacker cannot deduce i from the cyphertext c, short of either
- factoring N or solving the<A href="#dlog"> discrete logarithm</A>
- problem for this field. If p, q are large primes (hundreds or thousands
- of bits) no efficient solution to either problem is known.</P>
-<P>The receiver, knowing the private key (N and d), can readily recover
- the plaintext p since:</P>
-<PRE>        c^d == (i^e)^d    modulo N
-            == i^ed       modulo N
-            == i          modulo N
-      </PRE>
-<P>This gives an effective public key technique, with only a couple of
- problems. It uses a good deal of computer time, since calculations with
- large integers are not cheap, and there is no proof it is necessarily
- secure since no-one has proven either factoring or discrete log cannot
- be done efficiently. Quite a few good mathematicians have tried both
- problems, and no-one has announced success, but there is no proof they
- are insoluble.</P>
-</DD>
-<DT><A name="RSAco">RSA Data Security</A></DT>
-<DD>A company founded by the inventors of the<A href="#RSA"> RSA</A>
- public key algorithm.</DD>
-<DT><A name="S">S</A></DT>
-<DT><A name="SA">SA</A></DT>
-<DD><B>S</B>ecurity<B> A</B>ssociation, the channel negotiated by the
- higher levels of an<A href="#IPSEC"> IPsec</A> implementation (<A href="#IKE">
-IKE</A>) and used by the lower (<A href="#ESP">ESP</A> and<A href="#AH">
- AH</A>). SAs are unidirectional; you need a pair of them for two-way
- communication.
-<P>An SA is defined by three things -- the destination, the protocol (<A href="#AH">
-AH</A> or<A href="#ESP">ESP</A>) and the<A href="SPI"> SPI</A>, security
- parameters index. It is used as an index to look up other things such
- as session keys and intialisation vectors.</P>
-<P>For more detail, see our section on<A href="ipsec.html"> IPsec</A>
- and/or RFC 2401.</P>
-</DD>
-<DT><A name="SElinux">SE Linux</A></DT>
-<DD><STRONG>S</STRONG>ecurity<STRONG> E</STRONG>nhanced Linux, an<A href="#NSA">
- NSA</A>-funded project to add<A href="#mandatory"> mandatory access
- control</A> to Linux. See the<A href="http://www.nsa.gov/selinux">
- project home page</A>.
-<P>According to their web pages, this work will include extending
- mandatory access controls to IPsec tunnels.</P>
-<P>Recent versions of SE Linux code use the<A href="#LSM"> Linux
- Security Module</A> interface.</P>
-</DD>
-<DT><A name="SDNS">Secure DNS</A></DT>
-<DD>A version of the<A href="#DNS"> DNS or Domain Name Service</A>
- enhanced with authentication services. This is being designed by the<A href="#IETF">
- IETF</A> DNS security<A href="http://www.ietf.org/ids.by.wg/dnssec.html">
- working group</A>. Check the<A href="http://www.isc.org/bind.html">
- Internet Software Consortium</A> for information on implementation
- progress and for the latest version of<A href="#BIND"> BIND</A>.
- Another site has<A href="http://www.toad.com/~dnssec"> more information</A>
-.
-<P><A href="#IPSEC">IPsec</A> can use this plus<A href="#DH">
- Diffie-Hellman key exchange</A> to bootstrap itself. This allows<A href="#carpediem">
- opportunistic encryption</A>. Any pair of machines which can
- authenticate each other via DNS can communicate securely, without
- either a pre-existing shared secret or a shared<A href="#PKI"> PKI</A>.</P>
-</DD>
-<DT>Secret key cryptography</DT>
-<DD>See<A href="#symmetric"> symmetric cryptography</A></DD>
-<DT>Security Association</DT>
-<DD>see<A href="#SA"> SA</A></DD>
-<DT>Security Enhanced Linux</DT>
-<DD>see<A href="#SElinux"> SE Linux</A></DD>
-<DT><A name="sequence">Sequence number</A></DT>
-<DD>A number added to a packet or message which indicates its position
- in a sequence of packets or messages. This provides some security
- against<A href="#replay"> replay attacks</A>.
-<P>For<A href="#auto"> automatic keying</A> mode, the<A href="#IPSEC">
- IPsec</A> RFCs require that the sender generate sequence numbers for
- each packet, but leave it optional whether the receiver does anything
- with them.</P>
-</DD>
-<DT><A name="SHA">SHA</A></DT>
-<DT>SHA-1</DT>
-<DD><B>S</B>ecure<B> H</B>ash<B> A</B>lgorithm, a<A href="#digest">
- message digest algorithm</A> developed by the<A href="#NSA"> NSA</A>
- for use in the Digital Signature standard,<A href="#FIPS"> FIPS</A>
- number 186 from<A href="#NIST"> NIST</A>. SHA is an improved variant of<A
-href="#MD4"> MD4</A> producing a 160-bit hash.
-<P>SHA is one of two message digest algorithms available in IPsec. The
- other is<A href="#MD5"> MD5</A>. Some people do not trust SHA because
- it was developed by the<A href="#NSA"> NSA</A>. There is, as far as we
- know, no cryptographic evidence that SHA is untrustworthy, but this
- does not prevent that view from being strongly held.</P>
-<P>The NSA made one small change after the release of the original SHA.
- They did not give reasons. Iit may be a defense against some attack
- they found and do not wish to disclose. Technically the modified
- algorithm should be called SHA-1, but since it has replaced the
- original algorithm in nearly all applications, it is generally just
- referred to as SHA..</P>
-</DD>
-<DT><A name="SHA-256">SHA-256</A></DT>
-<DT>SHA-384</DT>
-<DT>SHA-512</DT>
-<DD>Newer variants of SHA designed to match the strength of the 128, 192
- and 256-bit keys of<A href="#AES"> AES</A>. The work to break an
- encryption algorithm's strength by<A href="#brute"> brute force</A> is
- 2
-<!--math xmlns="http://www.w3.org/1998/Math/MathML"-->
-
-<!--msup-->
-
-<!--mi-->
- keylength</(null)></(null)></(null)> operations but a<A href="birthday">
- birthday attack</A> on a hash needs only 2
-<!--math xmlns="http://www.w3.org/1998/Math/MathML"-->
-
-<!--msup-->
-
-<!--mrow-->
-
-<!--mi-->
- hashlength</(null)>
-<!--mo-->
- /</(null)>
-<!--mn-->
-
- 2</(null)></(null)></(null)></(null)> , so as a general rule you need a
- hash twice the size of the key to get similar strength. SHA-256,
- SHA-384 and SHA-512 are designed to match the 128, 192 and 256-bit key
- sizes of AES, respectively.</DD>
-<DT><A name="SIGINT">Signals intelligence (SIGINT)</A></DT>
-<DD>Activities of government agencies from various nations aimed at
- protecting their own communications and reading those of others.
- Cryptography, cryptanalysis, wiretapping, interception and monitoring
- of various sorts of signals. The players include the American<A href="#NSA">
- NSA</A>, British<A href="#GCHQ"> GCHQ</A> and Canadian<A href="#CSE">
- CSE</A>.</DD>
-<DT><A name="SKIP">SKIP</A></DT>
-<DD><B>S</B>imple<B> K</B>ey management for<B> I</B>nternet<B> P</B>
-rotocols, an alternative to<A href="#IKE"> IKE</A> developed by Sun and
- being marketed by their<A href="http://skip.incog.com"> Internet
- Commerce Group</A>.</DD>
-<DT><A name="snake">Snake oil</A></DT>
-<DD>Bogus cryptography. See the<A href="http://www.interhack.net/people/cmcurtin/snake-oil-faq.html">
- Snake Oil FAQ</A> or<A href="http://www.counterpane.com/crypto-gram-9902.html#snakeoil">
- this paper</A> by Schneier.</DD>
-<DT><A name="SPI">SPI</A></DT>
-<DD><B>S</B>ecurity<B> P</B>arameter<B> I</B>ndex, an index used within<A
-href="#IPSEC"> IPsec</A> to keep connections distinct. A<A href="#SA">
- Security Association (SA)</A> is defined by destination, protocol and
- SPI. Without the SPI, two connections to the same gateway using the
- same protocol could not be distinguished.
-<P>For more detail, see our<A href="ipsec.html"> IPsec</A> section
- and/or RFC 2401.</P>
-</DD>
-<DT><A name="SSH">SSH</A></DT>
-<DD><B>S</B>ecure<B> SH</B>ell, an encrypting replacement for the
- insecure Berkeley commands whose names begin with &quot;r&quot; for &quot;remote&quot;:
- rsh, rlogin, etc.
-<P>For more information on SSH, including how to obtain it, see our
- cryptography<A href="#tools"> links</A>.</P>
-</DD>
-<DT><A name="SSHco">SSH Communications Security</A></DT>
-<DD>A company founded by the authors of<A href="#SSH"> SSH</A>. Offices
- are in<A href="http://www.ssh.fi"> Finland</A> and<A href="http://www.ipsec.com">
- California</A>. They have a toolkit for developers of IPsec
- applications.</DD>
-<DT><A name="SSL">SSL</A></DT>
-<DD><A href="http://home.netscape.com/eng/ssl3">Secure Sockets Layer</A>
-, a set of encryption and authentication services for web browsers,
- developed by Netscape. Widely used in Internet commerce. Also known as<A
-href="#TLS"> TLS</A>.</DD>
-<DT>SSLeay</DT>
-<DD>A free implementation of<A href="#SSL"> SSL</A> by Eric Young (eay)
- and others. Developed in Australia; not subject to US export controls.</DD>
-<DT><A name="static">static IP address</A></DT>
-<DD>an IP adddress which is pre-set on the machine itself, as opposed to
- a<A href="#dynamic"> dynamic address</A> which is assigned by a<A href="#DHCP">
- DHCP</A> server or obtained as part of the process of establishing a<A href="#PPP">
- PPP</A> or<A href="#PPPoE"> PPPoE</A> connection</DD>
-<DT><A name="stream">Stream cipher</A></DT>
-<DD>A<A href="#symmetric"> symmetric cipher</A> which produces a stream
- of output which can be combined (often using XOR or bytewise addition)
- with the plaintext to produce ciphertext. Contrasts with<A href="#block">
- block cipher</A>.
-<P><A href="#IPSEC">IPsec</A> does not use stream ciphers. Their main
- application is link-level encryption, for example of voice, video or
- data streams on a wire or a radio signal.</P>
-</DD>
-<DT><A name="subnet">subnet</A></DT>
-<DD>A group of IP addresses which are logically one network, typically
- (but not always) assigned to a group of physically connected machines.
- The range of addresses in a subnet is described using a subnet mask.
- See next entry.</DD>
-<DT>subnet mask</DT>
-<DD>A method of indicating the addresses included in a subnet. Here are
- two equivalent examples:
-<UL>
-<LI>101.101.101.0/24</LI>
-<LI>101.101.101.0 with mask 255.255.255.0</LI>
-</UL>
-<P>The '24' is shorthand for a mask with the top 24 bits one and the
- rest zero. This is exactly the same as 255.255.255.0 which has three
- all-ones bytes and one all-zeros byte.</P>
-<P>These indicate that, for this range of addresses, the top 24 bits are
- to be treated as naming a network (often referred to as &quot;the
- 101.101.101.0/24 subnet&quot;) while most combinations of the low 8 bits can
- be used to designate machines on that network. Two addresses are
- reserved; 101.101.101.0 refers to the subnet rather than a specific
- machine while 101.101.101.255 is a broadcast address. 1 to 254 are
- available for machines.</P>
-<P>It is common to find subnets arranged in a hierarchy. For example, a
- large company might have a /16 subnet and allocate /24 subnets within
- that to departments. An ISP might have a large subnet and allocate /26
- subnets (64 addresses, 62 usable) to business customers and /29 subnets
- (8 addresses, 6 usable) to residential clients.</P>
-</DD>
-<DT><A name="SWAN">S/WAN</A></DT>
-<DD>Secure Wide Area Network, a project involving<A href="#RSAco"> RSA
- Data Security</A> and a number of other companies. The goal was to
- ensure that all their<A href="#IPSEC"> IPsec</A> implementations would
- interoperate so that their customers can communicate with each other
- securely.</DD>
-<DT><A name="symmetric">Symmetric cryptography</A></DT>
-<DD>Symmetric cryptography, also referred to as conventional or secret
- key cryptography, relies on a<EM> shared secret key</EM>, identical for
- sender and receiver. Sender encrypts with that key, receiver decrypts
- with it. The idea is that an eavesdropper without the key be unable to
- read the messages. There are two main types of symmetric cipher,<A href="#block">
- block ciphers</A> and<A href="#stream"> stream ciphers</A>.
-<P>Symmetric cryptography contrasts with<A href="#public"> public key</A>
- or asymmetric systems where the two players use different keys.</P>
-<P>The great difficulty in symmetric cryptography is, of course, key
- management. Sender and receiver<EM> must</EM> have identical keys and
- those keys<EM> must</EM> be kept secret from everyone else. Not too
- much of a problem if only two people are involved and they can
- conveniently meet privately or employ a trusted courier. Quite a
- problem, though, in other circumstances.</P>
-<P>It gets much worse if there are many people. An application might be
- written to use only one key for communication among 100 people, for
- example, but there would be serious problems. Do you actually trust all
- of them that much? Do they trust each other that much? Should they?
- What is at risk if that key is compromised? How are you going to
- distribute that key to everyone without risking its secrecy? What do
- you do when one of them leaves the company? Will you even know?</P>
-<P>On the other hand, if you need unique keys for every possible
- connection between a group of 100, then each user must have 99 keys.
- You need either 99*100/2 = 4950<EM> secure</EM> key exchanges between
- users or a central authority that<EM> securely</EM> distributes 100 key
- packets, each with a different set of 99 keys.</P>
-<P>Either of these is possible, though tricky, for 100 users. Either
- becomes an administrative nightmare for larger numbers. Moreover, keys<EM>
- must</EM> be changed regularly, so the problem of key distribution
- comes up again and again. If you use the same key for many messages
- then an attacker has more text to work with in an attempt to crack that
- key. Moreover, one successful crack will give him or her the text of
- all those messages.</P>
-<P>In short, the<EM> hardest part of conventional cryptography is key
- management</EM>. Today the standard solution is to build a<A href="#hybrid">
- hybrid system</A> using<A href="#public"> public key</A> techniques to
- manage keys.</P>
-</DD>
-<DT><A name="T">T</A></DT>
-<DT><A name="TIS">TIS</A></DT>
-<DD>Trusted Information Systems, a firewall vendor now part of<A href="#NAI">
- NAI</A>. Their Gauntlet product offers IPsec VPN services. TIS
- implemented the first version of<A href="#SDNS"> Secure DNS</A> on a<A href="#DARPA">
- DARPA</A> contract.</DD>
-<DT><A name="TLS">TLS</A></DT>
-<DD><B>T</B>ransport<B> L</B>ayer<B> S</B>ecurity, a newer name for<A href="#SSL">
- SSL</A>.</DD>
-<DT><A name="TOS">TOS field</A></DT>
-<DD>The<STRONG> T</STRONG>ype<STRONG> O</STRONG>f<STRONG> S</STRONG>
-ervice field in an IP header, used to control qualkity of service
- routing.</DD>
-<DT><A name="traffic">Traffic analysis</A></DT>
-<DD>Deducing useful intelligence from patterns of message traffic,
- without breaking codes or reading the messages. In one case during
- World War II, the British guessed an attack was coming because all
- German radio traffic stopped. The &quot;radio silence&quot; order, intended to
- preserve security, actually gave the game away.
-<P>In an industrial espionage situation, one might deduce something
- interesting just by knowing that company A and company B were talking,
- especially if one were able to tell which departments were involved, or
- if one already knew that A was looking for acquisitions and B was
- seeking funds for expansion.</P>
-<P>In general, traffic analysis by itself is not very useful. However,
- in the context of a larger intelligence effort where quite a bit is
- already known, it can be very useful. When you are solving a complex
- puzzle, every little bit helps.</P>
-<P><A href="#IPSEC">IPsec</A> itself does not defend against traffic
- analysis, but carefully thought out systems using IPsec can provide at
- least partial protection. In particular, one might want to encrypt more
- traffic than was strictly necessary, route things in odd ways, or even
- encrypt dummy packets, to confuse the analyst. We discuss this<A href="#traffic.resist">
- here</A>.</P>
-</DD>
-<DT><A name="transport">Transport mode</A></DT>
-<DD>An IPsec application in which the IPsec gateway is the destination
- of the protected packets, a machine acts as its own gateway. Contrast
- with<A href="#tunnel"> tunnel mode</A>.</DD>
-<DT>Triple DES</DT>
-<DD>see<A href="#3DES"> 3DES</A></DD>
-<DT><A name="TTL">TTL</A></DT>
-<DD><STRONG>T</STRONG>ime<STRONG> T</STRONG>o<STRONG> L</STRONG>ive,
- used to control<A href="#DNS"> DNS</A> caching. Servers discard cached
- records whose TTL expires</DD>
-<DT><A name="tunnel">Tunnel mode</A></DT>
-<DD>An IPsec application in which an IPsec gateway provides protection
- for packets to and from other systems. Contrast with<A href="#transport">
- transport mode</A>.</DD>
-<DT><A name="2key">Two-key Triple DES</A></DT>
-<DD>A variant of<A href="#3DES"> triple DES or 3DES</A> in which only
- two keys are used. As in the three-key version, the order of operations
- is<A href="#EDE"> EDE</A> or encrypt-decrypt-encrypt, but in the
- two-key variant the first and third keys are the same.
-<P>3DES with three keys has 3*56 = 168 bits of key but has only 112-bit
- strength against a<A href="#meet"> meet-in-the-middle</A> attack, so it
- is possible that the two key version is just as strong. Last I looked,
- this was an open question in the research literature.</P>
-<P>RFC 2451 defines triple DES for<A href="#IPSEC"> IPsec</A> as the
- three-key variant. The two-key variant should not be used and is not
- implemented directly in<A href="#FreeSWAN"> Linux FreeS/WAN</A>. It
- cannot be used in automatically keyed mode without major fiddles in the
- source code. For manually keyed connections, you could make Linux
- FreeS/WAN talk to a two-key implementation by setting two keys the same
- in /etc/ipsec.conf.</P>
-</DD>
-<DT><A name="U">U</A></DT>
-<DT><A name="V">V</A></DT>
-<DT><A name="virtual">Virtual Interface</A></DT>
-<DD>A<A href="#Linux"> Linux</A> feature which allows one physical
- network interface to have two or more IP addresses. See the<CITE> Linux
- Network Administrator's Guide</CITE> in<A href="#kirch"> book form</A>
- or<A href="http://metalab.unc.edu/LDP/LDP/nag/node1.html"> on the web</A>
- for details.</DD>
-<DT>Virtual Private Network</DT>
-<DD>see<A href="#VPN"> VPN</A></DD>
-<DT><A name="VPN">VPN</A></DT>
-<DD><B>V</B>irtual<B> P</B>rivate<B> N</B>etwork, a network which can
- safely be used as if it were private, even though some of its
- communication uses insecure connections. All traffic on those
- connections is encrypted.
-<P><A href="#IPSEC">IPsec</A> is not the only technique available for
- building VPNs, but it is the only method defined by<A href="#RFC"> RFCs</A>
- and supported by many vendors. VPNs are by no means the only thing you
- can do with IPsec, but they may be the most important application for
- many users.</P>
-</DD>
-<DT><A name="VPNC">VPNC</A></DT>
-<DD><A href="http://www.vpnc.org">Virtual Private Network Consortium</A>
-, an association of vendors of VPN products.</DD>
-<DT><A name="W">W</A></DT>
-<DT><A name="Wassenaar.gloss">Wassenaar Arrangement</A></DT>
-<DD>An international agreement restricting export of munitions and other
- tools of war. Unfortunately, cryptographic software is also restricted
- under the current version of the agreement.<A href="#Wassenaar">
- Discussion</A>.</DD>
-<DT><A name="web">Web of Trust</A></DT>
-<DD><A href="#PGP">PGP</A>'s method of certifying keys. Any user can
- sign a key; you decide which signatures or combinations of signatures
- to accept as certification. This contrasts with the hierarchy of<A href="#CA">
- CAs (Certification Authorities)</A> used in many<A href="#PKI"> PKIs
- (Public Key Infrastructures)</A>.
-<P>See<A href="#GTR"> Global Trust Register</A> for an interesting
- addition to the web of trust.</P>
-</DD>
-<DT><A name="WEP">WEP (Wired Equivalent Privacy)</A></DT>
-<DD>The cryptographic part of the<A href="#IEEE"> IEEE</A> standard for
- wireless LANs. As the name suggests, this is designed to be only as
- secure as a normal wired ethernet. Anyone with a network conection can
- tap it. Its advocates would claim this is good design, refusing to
- build in complex features beyond the actual requirements.
-<P>Critics refer to WEP as &quot;Wire<EM>tap</EM> Equivalent Privacy&quot;, and
- consider it a horribly flawed design based on bogus &quot;requirements&quot;. You
- do not control radio waves as you might control your wires, so the
- metaphor in the rationale is utterly inapplicable. A security policy
- that chooses not to invest resources in protecting against certain
- attacks which can only be conducted by people physically plugged into
- your LAN may or may not be reasonable. The same policy is completely
- unreasonable when someone can &quot;plug in&quot; from a laptop half a block
- away..</P>
-<P>There has been considerable analysis indicating that WEP is seriously
- flawed. A FAQ on attacks against WEP is available. Part of it reads:</P>
-<BLOCKQUOTE> ... attacks are practical to mount using only inexpensive
- off-the-shelf equipment. We recommend that anyone using an 802.11
- wireless network not rely on WEP for security, and employ other
- security measures to protect their wireless network. Note that our
- attacks apply to both 40-bit and the so-called 128-bit versions of WEP
- equally well.</BLOCKQUOTE>
-<P>WEP appears to be yet another instance of governments, and
- unfortunately some vendors and standards bodies, deliberately promoting
- hopelessly flawed &quot;security&quot; products, apparently mainly for the
- benefit of eavesdropping agencies. See this<A href="#weak"> discussion</A>
-.</P>
-</DD>
-<DT><A name="X">X</A></DT>
-<DT><A name="X509">X.509</A></DT>
-<DD>A standard from the<A href="http://www.itu.int"> ITU (International
- Telecommunication Union)</A>, for hierarchical directories with
- authentication services, used in many<A href="#PKI"> PKI</A>
- implementations.
-<P>Use of X.509 services, via the<A href="#LDAP"> LDAP protocol</A>, for
- certification of keys is allowed but not required by the<A href="#IPSEC">
- IPsec</A> RFCs. It is not yet implemented in<A href="#FreeSWAN"> Linux
- FreeS/WAN</A>.</P>
-</DD>
-<DT>Xedia</DT>
-<DD>A vendor of router and Internet access products, now part of Lucent.
- Their QVPN products interoperate with Linux FreeS/WAN; see our<A href="#xedia">
- interop document</A>.</DD>
-<DT><A name="Y">Y</A></DT>
-<DT><A name="Z">Z</A></DT>
-</DL>
-<HR>
-<H1><A name="biblio">Bibliography for the Linux FreeS/WAN project</A></H1>
-<P>For extensive bibliographic links, see the<A href="http://liinwww.ira.uka.de/bibliography/index.html">
- Collection of Computer Science Bibliographies</A></P>
-<P>See our<A href="web.html"> web links</A> for material available
- online.</P>
-<HR><A name="adams"> Carlisle Adams and Steve Lloyd<CITE> Understanding
- Public Key Infrastructure</CITE>
-<BR></A> Macmillan 1999 ISBN 1-57870-166-x
-<P>An overview, mainly concentrating on policy and strategic issues
- rather than the technical details. Both authors work for<A href="#PKI">
- PKI</A> vendor<A href="http://www.entrust.com/"> Entrust</A>.</P>
-<HR><A name="DNS.book"> Albitz, Liu &amp; Loukides<CITE> DNS &amp; BIND</CITE>
- 3rd edition
-<BR></A> O'Reilly 1998 ISBN 1-56592-512-2
-<P>The standard reference on the<A href="#DNS"> Domain Name Service</A>
- and<A href="#BIND"> Berkeley Internet Name Daemon</A>.</P>
-<HR><A name="anderson"> Ross Anderson</A>,<CITE> Security Engineering -
- a Guide to Building Dependable Distributed Systems</CITE>
-<BR> Wiley, 2001, ISBN 0471389226
-<P>Easily the best book for the security professional I have seen.<STRONG>
- Highly recommended</STRONG>. See the<A href="http://www.cl.cam.ac.uk/~rja14/book.html">
- book web page</A>.</P>
-<P>This is quite readable, but Schneier's<A href="#secrets"> Secrets and
- Lies</A> might be an easier introduction.</P>
-<HR><A name="puzzle"> Bamford<CITE> The Puzzle Palace, A report on NSA,
- Americas's most Secret Agency</CITE>
-<BR> Houghton Mifflin 1982 ISBN 0-395-31286-8</A>
-<HR> Bamford<CITE> Body of Secrets</CITE>
-<P>The sequel.</P>
-<HR><A name="bander"> David Bander</A>,<CITE> Linux Security Toolkit</CITE>
-<BR> IDG Books, 2000, ISBN: 0764546902
-<P>This book has a short section on FreeS/WAN and includes Caldera Linux
- on CD.</P>
-<HR><A name="CZR"> Chapman, Zwicky &amp; Russell</A>,<CITE> Building
- Internet Firewalls</CITE>
-<BR> O'Reilly 1995 ISBN 1-56592-124-0
-<HR><A name="firewall.book"> Cheswick and Bellovin</A><CITE> Firewalls
- and Internet Security: Repelling the Wily Hacker</CITE>
-<BR> Addison-Wesley 1994 ISBN 0201633574
-<P>A fine book on firewalls in particular and security in general from
- two of AT&amp;T's system adminstrators.</P>
-<P>Bellovin has also done a number of<A href="#papers"> papers</A> on
- IPsec and co-authored a<A href="#applied"> paper</A> on a large
- FreeS/WAN application.</P>
-<HR><A name="comer"> Comer<CITE> Internetworking with TCP/IP</CITE>
-<BR> Prentice Hall</A>
-<UL>
-<LI>Vol. I: Principles, Protocols, &amp; Architecture, 3rd Ed. 1995
- ISBN:0-13-216987-8</LI>
-<LI>Vol. II: Design, Implementation, &amp; Internals, 2nd Ed. 1994
- ISBN:0-13-125527-4</LI>
-<LI>Vol. III: Client/Server Programming &amp; Applications
-<UL>
-<LI>AT&amp;T TLI Version 1994 ISBN:0-13-474230-3</LI>
-<LI>BSD Socket Version 1996 ISBN:0-13-260969-X</LI>
-<LI>Windows Sockets Version 1997 ISBN:0-13-848714-6</LI>
-</UL>
-</LI>
-</UL>
-<P>If you need to deal with the details of the network protocols, read
- either this series or the<A href="#stevens"> Stevens and Wright</A>
- series before you start reading the RFCs.</P>
-<HR><A name="diffie"> Diffie and Landau</A><CITE> Privacy on the Line:
- The Politics of Wiretapping and Encryption</CITE>
-<BR> MIT press 1998 ISBN 0-262-04167-7 (hardcover) or 0-262-54100-9
-<BR>
-<HR><A name="d_and_hark"> Doraswamy and Harkins<CITE> IP Sec: The New
- Security Standard for the Internet, Intranets and Virtual Private
- Networks</CITE>
-<BR> Prentice Hall 1999 ISBN: 0130118982</A>
-<HR><A name="EFF"> Electronic Frontier Foundation<CITE> Cracking DES:
- Secrets of Encryption Research, Wiretap Politics and Chip Design</CITE>
-<BR></A> O'Reilly 1998 ISBN 1-56592-520-3
-<P>To conclusively demonstrate that DES is inadequate for continued use,
- the<A href="#EFF"> EFF</A> built a machine for just over $200,000 that
- breaks DES encryption in under five days on average, under nine in the
- worst case.</P>
-<P>The book provides details of their design and, perhaps even more
- important, discusses why they felt the project was necessary.
- Recommended for anyone interested in any of the three topics mentioned
- in the subtitle.</P>
-<P>See also the<A href="http://www.eff.org/descracker.html"> EFF page on
- this project</A> and our discussion of<A href="#desnotsecure"> DES
- insecurity</A>.</P>
-<HR> Martin Freiss<CITE> Protecting Networks with SATAN</CITE>
-<BR> O'Reilly 1998 ISBN 1-56592-425-8
-<BR> translated from a 1996 work in German
-<P>SATAN is a Security Administrator's Tool for Analysing Networks. This
- book is a tutorial in its use.</P>
-<HR> Gaidosch and Kunzinger<CITE> A Guide to Virtual Private Networks</CITE>
-<BR> Prentice Hall 1999 ISBN: 0130839647
-<HR><A name="Garfinkel"> Simson Garfinkel</A><CITE> Database Nation: the
- death of privacy in the 21st century</CITE>
-<BR> O'Reilly 2000 ISBN 1-56592-653-6
-<P>A thoughtful and rather scary book.</P>
-<HR><A name="PGP"> Simson Garfinkel</A><CITE> PGP: Pretty Good Privacy</CITE>
-<BR> O'Reilly 1995 ISBN 1-56592-098-8
-<P>An excellent introduction and user manual for the<A href="#PGP"> PGP</A>
- email-encryption package. PGP is a good package with a complex and
- poorly-designed user interface. This book or one like it is a must for
- anyone who has to use it at length.</P>
-<P>The book covers using PGP in Unix, PC and Macintosh environments,
- plus considerable background material on both the technical and
- political issues around cryptography.</P>
-<P>The book is now seriously out of date. It does not cover recent
- developments such as commercial versions since PGP 5, the Open PGP
- standard or GNU PG..</P>
-<HR><A name="practical"> Garfinkel and Spafford</A><CITE> Practical Unix
- Security</CITE>
-<BR> O'Reilly 1996 ISBN 1-56592-148-8
-<P>A standard reference.</P>
-<P>Spafford's web page has an excellent collection of<A href="http://www.cs.purdue.edu/coast/hotlist">
- crypto and security links</A>.</P>
-<HR><A name="Kahn"> David Kahn</A><CITE> The Codebreakers: the
- Comprehensive History of Secret Communications from Ancient Times to
- the Internet</CITE>
-<BR> second edition Scribner 1996 ISBN 0684831309
-<P>A history of codes and code-breaking from ancient Egypt to the 20th
- century. Well-written and exhaustively researched.<STRONG> Highly
- recommended</STRONG>, even though it does not have much on computer
- cryptography.</P>
-<HR> David Kahn<CITE> Seizing the Enigma, The Race to Break the German
- U-Boat codes, 1939-1943</CITE>
-<BR> Houghton Mifflin 1991 ISBN 0-395-42739-8
-<HR><A name="kirch"> Olaf Kirch</A><CITE> Linux Network Administrator's
- Guide</CITE>
-<BR> O'Reilly 1995 ISBN 1-56592-087-2
-<P>Now becoming somewhat dated in places, but still a good introductory
- book and general reference.</P>
-<HR><A name="LinVPN"> Kolesnikov and Hatch</A>,<CITE> Building Linux
- Virtual Private Networks (VPNs)</CITE>
-<BR> New Riders 2002
-<P>This has had a number of favorable reviews, including<A href="http://www.slashdot.org/article.pl?sid=02/02/27/0115214&amp;mode=thread&amp;tid=172">
- this one</A> on Slashdot. The book has a<A href="http://www.buildinglinuxvpns.net/">
- web site</A>.</P>
-<HR><A name="RFCs"> Pete Loshin<CITE> Big Book of IPsec RFCs</CITE>
-<BR> Morgan Kaufmann 2000 ISBN: 0-12-455839-9</A>
-<HR><A name="crypto"> Steven Levy<CITE> Crypto: How the Code Rebels Beat
- the Government -- Saving Privacy in the Digital Age</CITE></A>
-<BR> Penguin 2001, ISBN 0-670--85950-8
-<P><STRONG>Highly recommended</STRONG>. A fine history of recent (about
- 1970-2000) developments in the field, and the related political
- controversies. FreeS/WAN project founder and leader John Gilmore
- appears several times.</P>
-<P>The book does not cover IPsec or FreeS/WAN, but this project is very
- much another battle in the same war. See our discussion of the<A href="politics.html">
- politics</A>.</P>
-<HR><A name="GTR"> Matyas, Anderson et al.</A><CITE> The Global Trust
- Register</CITE>
-<BR> Northgate Consultants Ltd 1998 ISBN: 0953239705
-<BR> hard cover edition MIT Press 1999 ISBN 0262511053
-<P>From<A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
- their web page:</A></P>
-<BLOCKQUOTE> This book is a register of the fingerprints of the world's
- most important public keys; it implements a top-level certification
- authority (CA) using paper and ink rather than in an electronic system.</BLOCKQUOTE>
-<HR><A name="handbook"> Menezies, van Oorschot and Vanstone<CITE>
- Handbook of Applied Cryptography</CITE></A>
-<BR> CRC Press 1997
-<BR> ISBN 0-8493-8523-7
-<P>An excellent reference. Read<A href="#schneier"> Schneier</A> before
- tackling this.</P>
-<HR> Michael Padlipsky<CITE> Elements of Networking Style</CITE>
-<BR> Prentice-Hall 1985 ISBN 0-13-268111-0 or 0-13-268129-3
-<P>Probably<STRONG> the funniest technical book ever written</STRONG>,
- this is a vicious but well-reasoned attack on the OSI &quot;seven layer
- model&quot; and all that went with it. Several chapters of it are also
- available as RFCs 871 to 875.</P>
-<HR><A name="matrix"> John S. Quarterman</A><CITE> The Matrix: Computer
- Networks and Conferencing Systems Worldwide</CITE>
-<BR> Digital Press 1990 ISBN 155558-033-5
-<BR> Prentice-Hall ISBN 0-13-565607-9
-<P>The best general treatment of computer-mediated communication we have
- seen. It naturally has much to say about the Internet, but also covers
- UUCP, Fidonet and so on.</P>
-<HR><A name="ranch"> David Ranch</A><CITE> Securing Linux Step by Step</CITE>
-<BR> SANS Institute, 1999
-<P><A href="http://www.sans.org/">SANS</A> is a respected organisation,
- this guide is part of a well-known series, and Ranch has previously
- written the useful<A href=" http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
- Trinity OS</A> guide to securing Linux, so my guess would be this is a
- pretty good book. I haven't read it yet, so I'm not certain. It can be
- ordered online from<A href="http://www.sans.org/"> SANS</A>.</P>
-<P>Note (Mar 1, 2002): a new edition with different editors in the
- works. Expect it this year.</P>
-<HR><A name="schneier"> Bruce Schneier</A><CITE> Applied Cryptography,
- Second Edition</CITE>
-<BR> John Wiley &amp; Sons, 1996
-<BR> ISBN 0-471-12845-7 hardcover
-<BR> ISBN 0-471-11709-9 paperback
-<P>A standard reference on computer cryptography. For more recent
- essays, see the<A href="http://www.counterpane.com/"> author's
- company's web site</A>.</P>
-<HR><A name="secrets"> Bruce Schneier</A><CITE> Secrets and Lies</CITE>
-<BR> Wiley 2000, ISBN 0-471-25311-1
-<P>An interesting discussion of security and privacy issues, written
- with more of an &quot;executive overview&quot; approach rather than a narrow
- focus on the technical issues.<STRONG> Highly recommended</STRONG>.</P>
-<P>This is worth reading even if you already understand security issues,
- or think you do. To go deeper, follow it with Anderson's<A href="#anderson">
- Security Engineering</A>.</P>
-<HR><A name="VPNbook"> Scott, Wolfe and Irwin<CITE> Virtual Private
- Networks</CITE></A>
-<BR> 2nd edition, O'Reilly 1999 ISBN: 1-56592-529-7
-<P>This is the only O'Reilly book, out of a dozen I own, that I'm
- disappointed with. It deals mainly with building VPNs with various
- proprietary tools --<A href="#PPTP"> PPTP</A>,<A href="#ssh"> SSH</A>,
- Cisco PIX, ... -- and touches only lightly on IPsec-based approaches.</P>
-<P>That said, it appears to deal competently with what it does cover and
- it has readable explanations of many basic VPN and security concepts.
- It may be exactly what some readers require, even if I find the
- emphasis unfortunate.</P>
-<HR><A name="LASG"> Kurt Seifried<CITE> Linux Administrator's Security
- Guide</CITE></A>
-<P>Available online from<A href="http://www.securityportal.com/lasg/">
- Security Portal</A>. It has fairly extensive coverage of IPsec.</P>
-<HR><A name="Smith"> Richard E Smith<CITE> Internet Cryptography</CITE>
-<BR></A> ISBN 0-201-92480-3, Addison Wesley, 1997
-<P>See the book's<A href="http://www.visi.com/crypto/inet-crypto/index.html">
- home page</A></P>
-<HR><A name="neal"> Neal Stephenson<CITE> Cryptonomicon</CITE></A>
-<BR> Hardcover ISBN -380-97346-4, Avon, 1999.
-<P>A novel in which cryptography and the net figure prominently.<STRONG>
- Highly recommended</STRONG>: I liked it enough I immediately went out
- and bought all the author's other books.</P>
-<P>There is also a paperback edition. Sequels are expected.</P>
-<HR><A name="stevens"> Stevens and Wright</A><CITE> TCP/IP Illustrated</CITE>
-<BR> Addison-Wesley
-<UL>
-<LI>Vol. I: The Protocols 1994 ISBN:0-201-63346-9</LI>
-<LI>Vol. II: The Implementation 1995 ISBN:0-201-63354-X</LI>
-<LI>Vol. III: TCP for Transactions, HTTP, NNTP, and the UNIX Domain
- Protocols 1996 ISBN: 0-201-63495-3</LI>
-</UL>
-<P>If you need to deal with the details of the network protocols, read
- either this series or the<A href="#comer"> Comer</A> series before you
- start reading the RFCs.</P>
-<HR><A name="Rubini"> Rubini</A><CITE> Linux Device Drivers</CITE>
-<BR> O'Reilly &amp; Associates, Inc. 1998 ISBN 1-56592-292-1
-<HR><A name="Zeigler"> Robert Zeigler</A><CITE> Linux Firewalls</CITE>
-<BR> Newriders Publishing, 2000 ISBN 0-7537-0900-9
-<P>A good book, with detailed coverage of ipchains(8) firewalls and of
- many related issues.</P>
-<HR>
-<H1><A name="RFC">IPsec RFCs and related documents</A></H1>
-<H2><A name="RFCfile">The RFCs.tar.gz Distribution File</A></H2>
-<P>The Linux FreeS/WAN distribution is available from<A href="http://www.xs4all.nl/~freeswan">
- our primary distribution site</A> and various mirror sites. To give
- people more control over their downloads, the RFCs that define IP
- security are bundled separately in the file RFCs.tar.gz.</P>
-<P>The file you are reading is included in the main distribution and is
- available on the web site. It describes the RFCs included in the<A href="#RFCs.tar.gz">
- RFCs.tar.gz</A> bundle and gives some pointers to<A href="#sources">
- other ways to get them</A>.</P>
-<H2><A name="sources">Other sources for RFCs &amp; Internet drafts</A></H2>
-<H3><A name="RFCdown">RFCs</A></H3>
-<P>RFCs are downloadble at many places around the net such as:</P>
-<UL>
-<LI><A href="http://www.rfc-editor.org">http://www.rfc-editor.org</A></LI>
-<LI><A href="http://nis.nsf.net/internet/documents/rfc">NSF.net</A></LI>
-<LI><A href="http://sunsite.doc.ic.ac.uk/computing/internet/rfc">Sunsite
- in the UK</A></LI>
-</UL>
-<P>browsable in HTML form at others such as:</P>
-<UL>
-<LI><A href="http://www.landfield.com/rfcs/index.html">landfield.com</A></LI>
-<LI><A href="http://www.library.ucg.ie/Connected/RFC">Connected Internet
- Encyclopedia</A></LI>
-</UL>
-<P>and some of them are available in translation:</P>
-<UL>
-<LI><A href="http://www.eisti.fr/eistiweb/docs/normes/">French</A></LI>
-</UL>
-<P>There is also a published<A href="#RFCs"> Big Book of IPSEC RFCs</A>.</P>
-<H3><A name="drafts">Internet Drafts</A></H3>
-<P>Internet Drafts, working documents which sometimes evolve into RFCs,
- are also available.</P>
-<UL>
-<LI><A href="http://www.ietf.org/ID.html">Overall reference page</A></LI>
-<LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">IPsec</A> working
- group</LI>
-<LI><A href="http://www.ietf.org/ids.by.wg/ipsra.html">IPSRA (IPsec
- Remote Access)</A> working group</LI>
-<LI><A href="http://www.ietf.org/ids.by.wg/ipsp.html">IPsec Policy</A>
- working group</LI>
-<LI><A href="http://www.ietf.org/ids.by.wg/kink.html">KINK (Kerberized
- Internet Negotiation of Keys)</A> working group</LI>
-</UL>
-<P>Note: some of these may be obsolete, replaced by later drafts or by
- RFCs.</P>
-<H3><A name="FIPS1">FIPS standards</A></H3>
-<P>Some things used by<A href="#IPSEC"> IPsec</A>, such as<A href="#DES">
- DES</A> and<A href="#SHA"> SHA</A>, are defined by US government
- standards called<A href="#FIPS"> FIPS</A>. The issuing organisation,<A href="#NIST">
- NIST</A>, have a<A href="http://www.itl.nist.gov/div897/pubs"> FIPS
- home page</A>.</P>
-<H2><A name="RFCs.tar.gz">What's in the RFCs.tar.gz bundle?</A></H2>
-<P>All filenames are of the form rfc*.txt, with the * replaced with the
- RFC number.</P>
-<PRE>RFC#        Title</PRE>
-<H3><A name="rfc.ov">Overview RFCs</A></H3>
-<PRE>2401        Security Architecture for the Internet Protocol
-2411        IP Security Document Roadmap</PRE>
-<H3><A name="basic.prot">Basic protocols</A></H3>
-<PRE>2402        IP Authentication Header
-2406        IP Encapsulating Security Payload (ESP)</PRE>
-<H3><A name="key.ike">Key management</A></H3>
-<PRE>2367        PF_KEY Key Management API, Version 2
-2407        The Internet IP Security Domain of Interpretation for ISAKMP
-2408        Internet Security Association and Key Management Protocol (ISAKMP)
-2409        The Internet Key Exchange (IKE)
-2412        The OAKLEY Key Determination Protocol
-2528        Internet X.509 Public Key Infrastructure</PRE>
-<H3><A name="rfc.detail">Details of various things used</A></H3>
-<PRE>2085        HMAC-MD5 IP Authentication with Replay Prevention
-2104        HMAC: Keyed-Hashing for Message Authentication
-2202        Test Cases for HMAC-MD5 and HMAC-SHA-1
-2207        RSVP Extensions for IPSEC Data Flows
-2403        The Use of HMAC-MD5-96 within ESP and AH
-2404        The Use of HMAC-SHA-1-96 within ESP and AH
-2405        The ESP DES-CBC Cipher Algorithm With Explicit IV
-2410        The NULL Encryption Algorithm and Its Use With IPsec
-2451        The ESP CBC-Mode Cipher Algorithms
-2521        ICMP Security Failures Messages</PRE>
-<H3><A name="rfc.ref">Older RFCs which may be referenced</A></H3>
-<PRE>1321        The MD5 Message-Digest Algorithm
-1828        IP Authentication using Keyed MD5
-1829        The ESP DES-CBC Transform
-1851        The ESP Triple DES Transform
-1852        IP Authentication using Keyed SHA</PRE>
-<H3><A name="rfc.dns">RFCs for secure DNS service, which IPsec may use</A>
-</H3>
-<PRE>2137        Secure Domain Name System Dynamic Update
-2230        Key Exchange Delegation Record for the DNS
-2535        Domain Name System Security Extensions
-2536        DSA KEYs and SIGs in the Domain Name System (DNS)
-2537        RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
-2538        Storing Certificates in the Domain Name System (DNS)
-2539        Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</PRE>
-<H3><A name="rfc.exp">RFCs labelled &quot;experimental&quot;</A></H3>
-<PRE>2521        ICMP Security Failures Messages
-2522        Photuris: Session-Key Management Protocol
-2523        Photuris: Extended Schemes and Attributes</PRE>
-<H3><A name="rfc.rel">Related RFCs</A></H3>
-<PRE>1750        Randomness Recommendations for Security
-1918        Address Allocation for Private Internets
-1984        IAB and IESG Statement on Cryptographic Technology and the Internet
-2144        The CAST-128 Encryption Algorithm</PRE>
-<HR>
-<H1><A name="roadmap">Distribution Roadmap: What's Where in Linux
- FreeS/WAN</A></H1>
-<P> This file is a guide to the locations of files within the FreeS/WAN
- distribution. Everything described here should be on your system once
- you download, gunzip, and untar the distribution.</P>
-<P>This distribution contains two major subsystems</P>
-<DL>
-<DT><A href="#klips.roadmap">KLIPS</A></DT>
-<DD>the kernel code</DD>
-<DT><A href="#pluto.roadmap">Pluto</A></DT>
-<DD>the user-level key-management daemon</DD>
-</DL>
-<P>plus assorted odds and ends.</P>
-<H2><A name="top">Top directory</A></H2>
-<P>The top directory has essential information in text files:</P>
-<DL>
-<DT>README</DT>
-<DD>introduction to the software</DD>
-<DT>INSTALL</DT>
-<DD>short experts-only installation procedures. More detalied procedures
- are in<A href="install.html"> installation</A> and<A href="config.html">
- configuration</A> HTML documents.</DD>
-<DT>BUGS</DT>
-<DD>major known bugs in the current release.</DD>
-<DT>CHANGES</DT>
-<DD>changes from previous releases</DD>
-<DT>CREDITS</DT>
-<DD>acknowledgement of contributors</DD>
-<DT>COPYING</DT>
-<DD>licensing and distribution information</DD>
-</DL>
-<H2><A name="doc">Documentation</A></H2>
-<P> The doc directory contains the bulk of the documentation, most of it
- in HTML format. See the<A href="index.html"> index file</A> for
- details.</P>
-<H2><A name="klips.roadmap">KLIPS: kernel IP security</A></H2>
-<P><A href="#KLIPS"> KLIPS</A> is<STRONG> K</STRONG>erne<STRONG>L</STRONG><STRONG>
- IP</STRONG><STRONG> S</STRONG>ecurity. It lives in the klips directory,
- of course.</P>
-<DL>
-<DT>klips/doc</DT>
-<DD>documentation</DD>
-<DT>klips/patches</DT>
-<DD>patches for existing kernel files</DD>
-<DT>klips/test</DT>
-<DD>test stuff</DD>
-<DT>klips/utils</DT>
-<DD>low-level user utilities</DD>
-<DT>klips/net/ipsec</DT>
-<DD>actual klips kernel files</DD>
-<DT>klips/src</DT>
-<DD>symbolic link to klips/net/ipsec
-<P>The &quot;make insert&quot; step of installation installs the patches and makes
- a symbolic link from the kernel tree to klips/net/ipsec. The odd name
- of klips/net/ipsec is dictated by some annoying limitations of the
- scripts which build the Linux kernel. The symbolic-link business is a
- bit messy, but all the alternatives are worse.</P>
-<P></P>
-</DD>
-<DT>klips/utils</DT>
-<DD>Utility programs:
-<P></P>
-<DL>
-<DT>eroute</DT>
-<DD>manipulate IPsec extended routing tables</DD>
-<DT>klipsdebug</DT>
-<DD>set Klips (kernel IPsec support) debug features and level</DD>
-<DT>spi</DT>
-<DD>manage IPsec Security Associations</DD>
-<DT>spigrp</DT>
-<DD>group/ungroup IPsec Security Associations</DD>
-<DT>tncfg</DT>
-<DD>associate IPsec virtual interface with real interface</DD>
-</DL>
-<P>These are all normally invoked by ipsec(8) with commands such as</P>
-<PRE>        ipsec tncfg <VAR>arguments</VAR></PRE>
- There are section 8 man pages for all of these; the names have &quot;ipsec_&quot;
- as a prefix, so your man command should be something like:
-<PRE>        man 8 ipsec_tncfg</PRE>
-</DD>
-</DL>
-<H2><A name="pluto.roadmap">Pluto key and connection management daemon</A>
-</H2>
-<P><A href="#Pluto"> Pluto</A> is our key management and negotiation
- daemon. It lives in the pluto directory, along with its low-level user
- utility, whack.</P>
-<P> There are no subdirectories. Documentation is a man page,<A href="manpage.d/ipsec_pluto.8.html">
- pluto.8</A>. This covers whack as well.</P>
-<H2><A name="utils">Utils</A></H2>
-<P> The utils directory contains a growing collection of higher-level
- user utilities, the commands that administer and control the software.
- Most of the things that you will actually have to run yourself are in
- there.</P>
-<DL>
-<DT>ipsec</DT>
-<DD>invoke IPsec utilities
-<P>ipsec(8) is normally the only program installed in a standard
- directory, /usr/local/sbin. It is used to invoke the others, both those
- listed below and the ones in klips/utils mentioned above.</P>
-<P></P>
-</DD>
-<DT>auto</DT>
-<DD>control automatically-keyed IPsec connections</DD>
-<DT>manual</DT>
-<DD>take manually-keyed IPsec connections up and down</DD>
-<DT>barf</DT>
-<DD>generate copious debugging output</DD>
-<DT>look</DT>
-<DD>generate moderate amounts of debugging output</DD>
-</DL>
-<P> There are .8 manual pages for these. look is covered in barf.8. The
- man pages have an &quot;ipsec_&quot; prefix so your man command should be
- something like:</P>
-<PRE>
-        man 8 ipsec_auto
-</PRE>
-<P> Examples are in various files with names utils/*.eg</P>
-<H2><A name="lib">Libraries</A></H2>
-<H3><A name="fswanlib">FreeS/WAN Library</A></H3>
-<P> The lib directory is the FreeS/WAN library, also steadily growing,
- used by both user-level and kernel code.
-<BR /> It includes section 3<A href="manpages.html"> man pages</A> for
- the library routines.</P>
-<H3><A name="otherlib">Imported Libraries</A></H3>
-<H4><A NAME="33_6_2_1">LibDES</A></H4>
- The libdes library, originally from SSLeay, is used by both Klips and
- Pluto for<A href="#3DES"> Triple DES</A> encryption. Single DES is not
- used because<A href="#desnotsecure"> it is insecure</A>.
-<P> Note that this library has its own license, different from the<A href="#GPL">
- GPL</A> used for other code in FreeS/WAN.</P>
-<P> The library includes its own documentation.</P>
-<H4><A NAME="33_6_2_2">GMP</A></H4>
- The GMP (GNU multi-precision) library is used for multi-precision
- arithmetic in Pluto's key-exchange code and public key code.
-<P> Older versions (up to 1.7) of FreeS/WAN included a copy of this
- library in the FreeS/WAN distribution.</P>
-<P> Since 1.8, we have begun to rely on the system copy of GMP.</P>
-<HR>
-<H1><A name="umltesting">User-Mode-Linux Testing guide</A></H1>
-<P> User mode linux is a way to compile a linux kernel such that it can
- run as a process in another linux system (potentially as a *BSD or
- Windows process later). See<A HREF="http://user-mode-linux.sourceforge.net/">
- http://user-mode-linux.sourceforge.net/</A></P>
-<P> UML is a good platform for testing and experimenting with FreeS/WAN.
- It allows several network nodes to be simulated on a single machine.
- Creating, configuring, installing, monitoring, and controling these
- nodes is generally easier and easier to script with UML than real
- hardware.</P>
-<P> You'll need about 500Mb of disk space for a full
- sunrise-east-west-sunset setup. You can possibly get this down by 130Mb
- if you remove the sunrise/sunset kernel build. If you just want to run,
- then you can even remove the east/west kernel build.</P>
-<P> Nothing need be done as super user. In a couple of steps, we note
- where super user is required to install commands in system-wide
- directories, but ~/bin could be used instead. UML seems to use a
- system-wide /tmp/uml directory so different users may interfere with
- one another. Later UMLs use ~/.uml instead, so multiple users running
- UML tests should not be a problem, but note that a single user running
- the UML tests will only be able run one set. Further, UMLs sometimes
- get stuck and hang around. These &quot;zombies&quot; (most will actually be in
- the &quot;T&quot; state in the process table) will interfere with subsequent
- tests.</P>
-<H2><A NAME="34_1">Preliminary Notes on BIND</A></H2>
-<P> As of 2003/3/1, the Light-Weight Resolver is used by pluto. This
- requires that BIND9 be running. It also requires that BIND9 development
- libraries be present in the build environment. The DNSSEC code is only
- truly functional in BIND9 snapshots. The library code could be 9.2.2,
- we believe. We are using BIND9 20021115 snapshot code from<A HREF="ftp://ftp.isc.org/isc/bind9/snapshots">
- ftp://ftp.isc.org/isc/bind9/snapshots</A>.</P>
-<P> FreeS/WAN may well require a newer BIND than is on your system. Many
- distributions have moved to BIND9.2.2 recently due to a security
- advisory. BIND is five components.</P>
-<OL>
-<LI> named</LI>
-<LI> dnssec-*</LI>
-<LI> client side resolver libraries</LI>
-<LI> client side utility libraries I thought there were lib and named
- parts to dnsssec...</LI>
-<LI> dynamic DNS update utilities</LI>
-</OL>
-<P> The only piece that we need for *building* is #4. That's the only
- part that has to be on the build host. What is the difference between
- resolver and util libs? If you want to edit
- testing/baseconfigs/all/etc/bind, you'll need a snapshot version. The
- resolver library contains the resolver. FreeS/WAN has its own copy of
- that in lib/liblwres.</P>
-<H2><A NAME="34_2">Steps to Install UML for FreeS/WAN</A></H2>
-<OL>
-<LI> Get the following files:
-<OL type="a">
-<LI> from<A HREF="http://www.sandelman.ottawa.on.ca/freeswan/uml/">
- http://www.sandelman.ottawa.on.ca/freeswan/uml/</A>
- umlfreeroot-15.1.tar.gz (or highest numbered one). This is a debian
- potato root file system. You can use this even on a Redhat host, as it
- has the newer GLIBC2.2 libraries as well.
-<!-- If you are using
-  Redhat 7.2 or newer as your development machine, you can create the
-  image from your installation media. See <A HREF="uml-rhroot.html">Building a RedHat root"></A>.
-  A future document will explain how to build this from .DEB files as well.
--->
-
-<!--
-<LI> umlfreesharemini.tar.gz    (or umlfreeshareall.tar.gz). 
-  If you are a Debian potato user, you don't need it you can use your
-  native /usr/share.
-</UL>
--->
-</LI>
-<LI> From<A HREF="ftp://ftp.xs4all.nl/pub/crypto/freeswan/">
- ftp://ftp.xs4all.nl/pub/crypto/freeswan/</A> a snapshot or release
- (1.92 or better)</LI>
-<LI> From a<A HREF="http://www.kernel.org/mirrors/">
- http://www.kernel.org mirror</A>, the virgin 2.4.19 kernel. Please
- realize that we have defaults in our tree for kernel configuration. We
- try to track the latest UML kernels. If you use a newer kernel, you may
- have faults in the kernel build process. You can see what the latest
- that is being regularly tested by visiting<A HREF="http://bugs.freeswan.org:81/regress/HEAD/lastgood/freeswan-regress-env.sh">
- freeswan-regress-env.sh</A>.</LI>
-<LI>
-<!-- Note: this step is refered to as "step 1d" below. -->
- Get<A HREF="http://ftp.nl.linux.org/uml/">
- http://ftp.nl.linux.org/uml/</A> uml-patch-2.4.19-47.bz2 or the one
- associated with your kernel. As of 2003/03/05, uml-patch-2.4.19-47.bz2
- works for us.<STRONG> More recent versions of the patch have not been
- tested by us.</STRONG></LI>
-<LI> You'll probably want to visit<A HREF="http://user-mode-linux.sourceforge.net">
- http://user-mode-linux.sourceforge.net</A> and get the UML utilities.
- These are not needed for the build or interactive use (but
- recommended). They are necessary for the regression testing procedures
- used by &quot;make check&quot;. We currently use uml_utilities_20020212.tar.bz2.</LI>
-<LI> You need tcpdump version 3.7.1 or better. This is newer than the
- version included in most LINUX distributions. You can check the version
- of an installed tcpdump with the --version flag. If you need a newer
- tcpdump fetch both tcpdump and libpcap source tar files from<A HREF="http://www.tcpdump.org/">
- http://www.tcpdump.org/</A> or a mirror.</LI>
-</OL>
-</LI>
-<LI> Pick a suitable place, and extract the following files:
-<OL type="a">
-<LI>
-<!-- Note: this step is refered to as "step 2a" later. -->
- 2.4.19 kernel. For instance:
-<PRE>
- <CODE>           cd /c2/kernel
-           tar xzvf ../download/pub/linux/kernel/v2.4/linux-2.4.19.tar.gz
-</CODE>
-</PRE>
-</LI>
-<LI> extract the umlfreeroot file
-<!-- (unless you <A HREF="uml-rhroot.html">built your own from RPMs</A>) -->
-
-<PRE>
- <CODE>           mkdir -p /c2/user-mode-linux/basic-root
-           cd /c2/user-mode-linux/basic-root
-           tar xzvf ../download/umlfreeroot-15.1.tar.gz
-</CODE>
-</PRE>
-</LI>
-<LI> FreeSWAN itself (or checkout &quot;all&quot; from CVS)
-<PRE>
- <CODE>           mkdir -p /c2/freeswan/sandbox
-           cd /c2/freeswan/sandbox
-           tar xzvf ../download/snapshot.tar.gz
-</CODE>
-</PRE>
-</LI>
-</OL>
-</LI>
-<LI> If you need to build a newer tcpdump:
-<UL>
-<LI> Make sure you have OpenSSL installed -- it is needed for
- cryptographic routines.</LI>
-<LI> Unpack libpcap and tcpdump source in parallel directories (the
- tcpdump build procedures look for libpcap next door).</LI>
-<LI> Change directory into the libpcap source directory and then build
- the library:
-<PRE>
- <CODE>	./configure
-	make
-</CODE>
-</PRE>
-</LI>
-<LI> Change into the tcpdump source directory, build tcpdump, and
- install it.
-<PRE>
- <CODE>	./configure
-	make
-	# Need to be superuser to install in system directories.
-	# Installing in ~/bin would be an alternative.
-	su -c &quot;make install&quot;
-</CODE>
-</PRE>
-</LI>
-</UL>
-</LI>
-<LI> If you need the uml utilities, unpack them somewhere then build and
- install them:
-<PRE>
- <CODE>	cd tools
-	make all
-	# Need to be superuser to install in system directories.
-	# Installing in ~/bin would be an alternative.
-	su -c &quot;make install BIN_DIR=/usr/local/bin&quot;
-</CODE>
-</PRE>
-</LI>
-<LI> set up the configuration file
-<UL>
-<LI> <CODE>cd /c2/freeswan/sandbox/freeswan-1.97/testing/utils</CODE></LI>
-<LI> copy umlsetup-sample.sh to ../../umlsetup.sh: <CODE> cp
- umlsetup-sample.sh ../../umlsetup.sh</CODE></LI>
-<LI> open up ../../umlsetup.sh in your favorite editor.</LI>
-<LI> change POOLSPACE= to point to the place with at least 500Mb of
- disk. Best if it is on the same partition as the &quot;umlfreeroot&quot;
- extraction, as it will attempt to use hard links if possible to save
- disk space.</LI>
-<LI> Set TESTINGROOT if you intend to run the script outside of the
- sandbox/snapshot/release directory. Otherwise, it will configure
- itself.</LI>
-<LI> KERNPOOL should point to the directory with your 2.4.19 kernel
- tree. This tree should be unconfigured! This is the directory you used
- in step 2a.</LI>
-<LI> UMLPATCH should point at the bz2 file you downloaded at 1d. If
- using a kernel that already includes the patch, set this to /dev/null.</LI>
-<LI> FREESWANDIR should point at the directory where you unpacked the
- snapshot/release. Include the &quot;freeswan-snap2001sep16b&quot; or whatever in
- it. If you are running from CVS, then you point at the directory where
- top, klips, etc. are. The script will fix up the directory so that it
- can be used.</LI>
-<LI> BASICROOT should be set to the directory used in 2b, or to the
- directory that you created with RPMs.</LI>
-<LI> SHAREDIR should be set to the directory used in 2c, to /usr/share
- for Debian potato users, or to $BASICROOT/usr/share.</LI>
-</UL>
-</LI>
-<LI>
-<PRE> <CODE>cd $TESTINGROOT/utils
-sh make-uml.sh
-</CODE></PRE>
- It will grind for awhile. If there are errors it will bail. If so, run
- it under &quot;script&quot; and send the output to bugs@lists.freeswan.org.</LI>
-<LI> You will have a bunch of stuff under $POOLSPACE. Open four xterms:
-<PRE> <CODE>    for i in sunrise sunset east west
-    do
-        xterm -name $i -title $i -e $POOLSPACE/$i/start.sh     done
-</CODE></PRE>
-</LI>
-<LI> Login as root. Password is &quot;root&quot; (Note, these virtual machines are
- networked together, but are not configured to talk to the rest of the
- world.)</LI>
-<LI> verify that pluto started on east/west, run &quot;ipsec look&quot;</LI>
-<LI> login to sunrise. run &quot;ping sunset&quot;</LI>
-<LI> login to west. run &quot;tcpdump -p -i eth1 -n&quot; (tcpdump must be version
- 3.7.1 or newer)</LI>
-<LI> Closing a console xterm will shut down that UML.</LI>
-<LI> You can &quot;make check&quot;, if you want to. It is run from
- /c2/freeswan/sandbox/freeswan-1.97.</LI>
-</OL>
-<H1><A NAME="35">Debugging the kernel with GDB</A></H1>
-<P> With User-Mode-Linux, you can debug the kernel using GDB. See
-<!--HREF="http://user-mode-linux.sourceforge.net/debugging.html"-->
-
- http://user-mode-linux.sourceforge.net/debugging.html.</(null)></P>
-<P> Typically, one will want to address a test case for a failing
- situation. Running GDB from Emacs, or from other front ends is
- possible. First start GDB.</P>
-<P> Tell it to open the UMLPOOL/swan/linux program.</P>
-<P> Note the PID of GDB:</P>
-<PRE>
-marajade-[projects/freeswan/mgmt/planning] mcr 1029 %ps ax | grep gdb
- 1659 pts/9    SN     0:00 /usr/bin/gdb -fullname -cd /mara4/freeswan/kernpatch/UMLPOOL/swan/ linux
-</PRE>
-<P> Set the following in the environment:</P>
-<PRE>
-UML_east_OPT=&quot;debug gdb-pid=1659&quot;
-</PRE>
-<P> Then start the user-mode-linux in the test scheme you wish:</P>
-<PRE>
-marajade-[kernpatch/testing/klips/east-icmp-02] mcr 1220 %../../utils/runme.sh
-</PRE>
- The user-mode-linux will stop on boot, giving you a chance to attach to
- the process:
-<PRE>
-(gdb) file linux
-Reading symbols from linux...done.
-(gdb) attach 1
-Attaching to program: /mara4/freeswan/kernpatch/UMLPOOL/swan/linux, process 1
-0xa0118bc1 in kill () at hostfs_kern.c:770
-</PRE>
-<P> At this point, break points should be created as appropriate.</P>
-<H2><A NAME="35_1">Other notes about debugging</A></H2>
-<P> If you are running a standard test, after all the packets are sent,
- the UML will be shutdown. This can cause problems, because the UML may
- get terminated while you are debugging.</P>
-<P> The environment variable <CODE>NETJIGWAITUSER</CODE> can be set to
- &quot;waituser&quot;. If so, then the testing system will prompt before exiting
- the test.</P>
-<H1><A NAME="36">User-Mode-Linux mysteries</A></H1>
-<UL>
-<LI> running more than one UML of the same name (e.g. &quot;west&quot;) can cause
- problems.</LI>
-<LI> running more than one UML from the same root file system is not a
- good idea.</LI>
-<LI> all this means that running &quot;make check&quot; twice on the same machine
- is probably not a good idea.</LI>
-<LI> occationally, UMLs will get stuck. This can happen like:
-<!--BLOCK-->
- 15134 ? T
- 0:00 /spare/hugh/uml/uml2.4.18-sept5/umlbuild/east/linux (east)
- [/bin/sh] 15138 ? T 0:00
- /spare/hugh/uml/uml2.4.18-sept5/umlbuild/east/linux (east) [halt]</(null)>
- these will need to be killed. Note that they are in &quot;T&quot;racing mode.</LI>
-<LI> UMLs can also hang, and will report &quot;Tracing myself and I can't get
- out&quot;. This is a bug in UML. There are ways to find out what is going on
- and report this to the UML people, but we don't know the magic right
- now.</LI>
-</UL>
-<H1><A NAME="37">Getting more info from uml_netjig</A></H1>
-<P> uml_netjig can be compiled with a built-in tcpdump. This uses
- not-yet-released code from<A HREF="http://www.tcpdump.org/">
- www.tcpdump.org</A>. Please see the instructions in <CODE>
-testing/utils/uml_netjig/Makefile</CODE>.</P>
-<HR>
-<H1><A name="makecheck">How to configure to use &quot;make check&quot;</A></H1>
-<H2><A NAME="38_1">What is &quot;make check&quot;</A></H2>
-<P> &quot;make check&quot; is a target in the top level makefile. It takes care of
- running a number of unit and system tests to confirm that FreeSWAN has
- been compiled correctly, and that no new bugs have been introduced.</P>
-<P> As FreeSWAN contains both kernel and userspace components, doing
- testing of FreeSWAN requires that the kernel be simulated. This is
- typically difficult to do as a kernel requires that it be run on bare
- hardware. A technology has emerged that makes this simpler. This is<A HREF="http://user-mode-linux.sourceforge.net">
- User Mode Linux</A>.</P>
-<P> User-Mode Linux is a way to build a Linux kernel such that it can
- run as a process under another Linux (or in the future other) kernel.
- Presently, this can only be done for 2.4 guest kernels. The host kernel
- can be 2.2 or 2.4.</P>
-<P> &quot;make check&quot; expects to be able to build User-Mode Linux kernels
- with FreeSWAN included. To do this it needs to have some files
- downloaded and extracted prior to running &quot;make check&quot;. This is
- described in the<A HREF="umltesting.html"> UML testing</A> document.</P>
-<P> After having run the example in the UML testing document and
- successfully brought up the four machine combination, you are ready to
- use &quot;make check&quot;</P>
-<H2><A NAME="38_2">Running &quot;make check&quot;</A></H2>
-<P> &quot;make check&quot; works by walking the FreeSWAN source tree invoking the
- &quot;check&quot; target at each node. At present there are tests defined only
- for the <CODE>klips</CODE> directory. These tests will use the UML
- infrastructure to test out pieces of the <CODE>klips</CODE> code.</P>
-<P> The results of the tests can be recorded. If the environment
- variable <CODE>$REGRESSRESULTS</CODE> is non-null, then the results of
- each test will be recorded. This can be used as part of a nightly
- regression testing system, see<A HREF="nightly.html"> Nightly testing</A>
- for more details.</P>
-<P> &quot;make check&quot; otherwise prints a minimal amount of output for each
- test, and indicates pass/fail status of each test as they are run.
- Failed tests do not cause failure of the target in the form of exit
- codes.</P>
-<H1><A NAME="39">How to write a &quot;make check&quot; test</A></H1>
-<H2><A NAME="39_1">Structure of a test</A></H2>
-<P> Each test consists of a set of directories under <CODE>testing/</CODE>
-. There are directories for <CODE>klips</CODE>, <CODE>pluto</CODE>, <CODE>
-packaging</CODE> and <CODE>libraries</CODE>. Each directory has a list
- of tests to run is stored in a file called <CODE>TESTLIST</CODE> in
- that directory. e.g. <CODE>testing/klips/TESTLIST</CODE>.</P>
-<H2 NAME="TESTLIST"><A NAME="39_2">The TESTLIST</A></H2>
-<P> This isn't actually a shell script. It just looks like one. Some
- tools other than /bin/sh process it. Lines that start with # are
- comments.</P>
-<PRE>
-# test-kind     directory-containing-test       expectation     [PR#]
-</PRE>
-<P>The first word provides the test type, detailed below.</P>
-<P> The second word is the name of the test to run. This the directory
- in which the test case is to be found..</P>
-<P>The third word may be one of:</P>
-<DL>
-<DT> blank/good</DT>
-<DD>the test is believed to function, report failure</DD>
-<DT> bad</DT>
-<DD> the test is known to fail, report unexpected success</DD>
-<DT> suspended</DT>
-<DD> the test should not be run</DD>
-</DL>
-<P> The fourth word may be a number, which is a PR# if the test is
- failing.</P>
-<H2><A NAME="39_3">Test kinds</A></H2>
- The test types are:
-<DL>
-<DT>skiptest</DT>
-<DD>means run no test.</DD>
-<DT>ctltest</DT>
-<DD>means run a single system without input/output.</DD>
-<DT>klipstest</DT>
-<DD>means run a single system with input/output networks</DD>
-<DT><A HREF="#umlplutotest">umlplutotest</A></DT>
-<DD>means run a pair of systems</DD>
-<DT><A HREF="#umlXhost">umlXhost</A></DT>
-<DD>run an arbitrary number of systems</DD>
-<DT>suntest (TBD)</DT>
-<DD>means run a quad of east/west/sunrise/sunset</DD>
-<DT>roadtest (TBD)</DT>
-<DD>means run a trio of east-sunrise + warrior</DD>
-<DT>extrudedtest (TBD)</DT>
-<DD>means run a quad of east-sunrise + warriorsouth + park</DD>
-<DT>mkinsttest</DT>
-<DD>a test of the &quot;make install&quot; machinery.</DD>
-<DT>kernel_test_patch</DT>
-<DD>a test of the &quot;make kernelpatch&quot; machinery.</DD>
-</DL>
- Tests marked (TBD) have yet to be fully defined.
-<P> Each test directory has a file in it called <CODE>testparams.sh</CODE>
-. This file sets a number of environment variables to define the
- parameters of the test.</P>
-<H2><A NAME="39_4">Common parameters</A></H2>
-<DL>
-<DT>TESTNAME</DT>
-<DD>the name of the test (repeated for checking purposes)</DD>
-<DT>TEST_TYPE</DT>
-<DD>the type of the test (repeat of type type above)</DD>
-<DT>TESTHOST</DT>
-<DD>the name of the UML machine to run for the test, typically &quot;east&quot; or
- &quot;west&quot;</DD>
-<DT>TEST_PURPOSE</DT>
-<DD>The purpose of the test is one of:
-<DL>
-<DT>goal</DT>
-<DD>The goal purpose is where a test is defined for code that is not yet
- finished. The test indicates when the goals have in fact been reached.</DD>
-<DT>regress</DT>
-<DD>This is a test to determine that a previously existing bug has been
- repaired. This test will initially be created to reproduce the bug in
- isolation, and then the bug will be fixed.</DD>
-<DT>exploit</DT>
-<DD>This is a set of packets/programs that causes a vulnerability to be
- exposed. It is a specific variation of the regress option.</DD>
-</DL>
-</DD>
-<DT>TEST_GOAL_ITEM</DT>
-<DT></DT>
-<DD>in the case of a goal test, this is a reference to the requirements
- document</DD>
-<DT>TEST_PROB_REPORT</DT>
-<DD>in the case of regression test, this the problem report number from
- GNATS</DD>
-<DT>TEST_EXPLOIT_URL</DT>
-<DD>in the case of an exploit, this is a URL referencing the paper
- explaining the origin of the test and the origin of exploit software</DD>
-<DT>REF_CONSOLE_OUTPUT</DT>
-<DD>a file in the test directory that contains the sanitized console
- output against which to compare the output of the actual test.</DD>
-<DT>REF_CONSOLE_FIXUPS</DT>
-<DD>a list of scripts (found in <CODE>klips/test/fixups</CODE>) to apply
- to sanitize the console output of the machine under test. These are
- typically perl, awk or sed scripts that remove things in the kernel
- output that change each time the test is run and/or compiled.</DD>
-<DT>INIT_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode prior to starting the tests. This file will usually
- set up any eroute's and SADB entries that are required for the test.</P>
-<P>Lines beginning with # are skipped. Blank lines are skipped.
- Otherwise, a shell prompted is waited for each time (consisting of <CODE>
-\n#</CODE>) and then the command is sent. Note that the prompt is waited
- for before the command and not after, so completion of the last command
- in the script is not required. This is often used to invoke a program
- to monitor the system, e.g. <CODE>ipsec pf_key</CODE>.</P>
-</DD>
-<DT>RUN_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode, before the packets are sent. On single machine tests,
- this script doesn't provide any more power than INIT_SCRIPT, but is
- implemented for consistency's sake.</P>
-</DD>
-<DT>FINAL_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode after the final packet is sent. Similar to
- INIT_SCRIPT, above. If not specified, then the single command &quot;halt&quot; is
- sent. If specified, then the script should end with a halt command to
- nicely shutdown the UML.</P>
-</DD>
-<DT>CONSOLEDIFFDEBUG</DT>
-<DD>If set to &quot;true&quot; then the series of console fixups (see
- REF_CONSOLE_FIXUPS) will be output after it is constructed. (It should
- be set to &quot;false&quot;, or unset otherwise)</DD>
-<DT>NETJIGDEBUG</DT>
-<DD>If set to &quot;true&quot; then the series of console fixups (see
- REF_CONSOLE_FIXUPS) will be output after it is constructed. (It should
- be set to &quot;false&quot;, or unset otherwise)</DD>
-<DT>NETJIGTESTDEBUG</DT>
-<DD> If set to &quot;netjig&quot;, then the results of talking to the <CODE>
-uml_netjig</CODE> will be printed to stderr during the test. In
- addition, the jig will be invoked with --debug, which causes it to log
- its process ID, and wait 60 seconds before continuing. This can be used
- if you are trying to debug the <CODE>uml_netjig</CODE> program itself.</DD>
-<DT>HOSTTESTDEBUG</DT>
-<DD> If set to &quot;hosttest&quot;, then the results of taling to the consoles of
- the UMLs will be printed to stderr during the test.</DD>
-<DT>NETJIGWAITUSER</DT>
-<DD> If set to &quot;waituser&quot;, then the scripts will wait forever for user
- input before they shut the tests down. Use this is if you are debugging
- through the kernel.</DD>
-<DT>PACKETRATE</DT>
-<DD> A number, in miliseconds (default is 500ms) at which packets will
- be replayed by the netjig.</DD>
-</DL>
-<H2><A NAME="39_5">KLIPStest paramaters</A></H2>
-<P> The klipstest function starts a program (<CODE>
-testing/utils/uml_netjig/uml_netjig</CODE>) to setup a bunch of I/O
- sockets (that simulate network interfaces). It then exports the
- references to these sockets to the environment and invokes (using
- system()) a given script. It waits for the script to finish.</P>
-
-<!-- <IMG SRC="single_netjig.png" ALT="block diagram of uml_netjig"> -->
-<P> The script invoked (<CODE>testing/utils/host-test.tcl</CODE>) is a
- TCL<A HREF="http://expect.nist.gov/"> expect</A> script that arranges
- to start the UML and configure it appropriately for the test. The
- configuration is done with the script given above for<VAR> INIT_SCRIPT</VAR>
-. The TCL script then forks, leaves the UML in the background and exits.
- uml_netjig continues. It then starts listening to the simulated network
- answering ARPs and inserting packets as appropriate.</P>
-<P> The klipstest function invokes <CODE>uml_netjig</CODE> with
- arguments to capture output from network interface(s) and insert
- packets as appropriate:</P>
-<DL>
-<DT>PUB_INPUT</DT>
-<DD>a<A HREF="http://www.tcpdump.org/"> pcap</A> file to feed in on the
- public (encrypted) interface. (typically, eth1)</DD>
-<DT>PRIV_INPUT</DT>
-<DD>a pcap file to feed in on the private (plain-text) interface
- (typically, eth0).</DD>
-<DT>REF_PUB_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the public (eth1)
- interface are captured to a<A HREF="http://www.tcpdump.org/"> pcap</A>
- file by <CODE>uml_netjig</CODE>. The klipstest function then uses
- tcpdump on the file to produce text output, which is compared to the
- file given.</DD>
-<DT>REF_PUB_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-<DT>REF_PRIV_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the private (eth0)
- interface are captured and compared after conversion by tcpdump, as
- with<VAR> REFPUBOUTPUT</VAR>.</DD>
-<DT>REF_PRIV_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-<DT>EXITONEMPTY</DT>
-<DD>a flag for <CODE>uml_netjig</CODE>. It should contain
- &quot;--exitonempty&quot; of uml_netjig should exit when all of the input (<VAR>
-PUBINPUT</VAR>,<VAR>PRIVINPUT</VAR>) packets have been injected.</DD>
-<DT>ARPREPLY</DT>
-<DD>a flag for <CODE>uml_netjig</CODE>. It should contain &quot;--arpreply&quot;
- if <CODE>uml_netjig</CODE> should reply to ARP requests. One will
- typically set this to avoid having to fudge the ARP cache manually.</DD>
-<DT>TCPDUMPFLAGS</DT>
-<DD>a set of flags for the tcpdump used when converting captured output.
- Typical values will include &quot;-n&quot; to turn off DNS, and often &quot;-E&quot; to set
- the decryption key (tcpdump 3.7.1 and higher only) for ESP packets. The
- &quot;-t&quot; flag (turn off timestamps) is provided automatically</DD>
-<DT>NETJIG_EXTRA</DT>
-<DD>additional comments to be sent to the netjig. This may arrange to
- record or create additional networks, or may toggle options.</DD>
-</DL>
-<H2><A NAME="39_6">mkinsttest paramaters</A></H2>
-<P> The basic concept of the <CODE>mkinsttest</CODE> test type is that
- it performs a &quot;make install&quot; to a temporary $DESTDIR. The resulting
- tree can then be examined to determine if it was done properly. The
- files can be uninstalled to determine if the file list was correct, or
- the contents of files can be examined more precisely.</P>
-<DL>
-<DT>INSTALL_FLAGS</DT>
-<DD>If set, then an install will be done. This provides the set of flags
- to provide for the install. The target to be used (usually &quot;install&quot;)
- must be among the flags.</DD>
-<DT>POSTINSTALL_SCRIPT</DT>
-<DD>If set, a script to run after initial &quot;make install&quot;. Two arguments
- are provided: an absolute path to the root of the FreeSWAN src tree,
- and an absolute path to the temporary installation area.</DD>
-<DT>INSTALL2_FLAGS</DT>
-<DD>If set, a second install will be done using these flags. Similarly
- to INSTALL_FLAGS, the target must be among the flags.</DD>
-<DT>UNINSTALL_FLAGS</DT>
-<DD>If set, an uninstall will be done using these flags. Similarly to
- INSTALL_FLAGS, the target (usually &quot;uninstall&quot;) must be among the
- flags.</DD>
-<DT>REF_FIND_f_l_OUTPUT</DT>
-<DD>If set, a <CODE>find $ROOT ( -type f -or -type -l )</CODE> will be
- done to get a list of a real files and symlinks. The resulting file
- will be compared to the file listed by this option.</DD>
-<DT>REF_FILE_CONTENTS</DT>
-<DD>If set, it should point to a file containing records for the form:
-<PRE>
-  
-<!--VARIABLE-->
-reffile</(null)>   
-<!--VARIABLE-->
-samplefile</(null)>
-</PRE>
- one record per line. A diff between the provided reference file, and
- the sample file (located in the temporary installation root) will be
- done for each record.</DD>
-</DL>
-<H2><A NAME="39_7">rpm_build_install_test paramaters</A></H2>
-<P> The <CODE>rpm_build_install_test</CODE> type is to verify that the
- proper packing list is produced by &quot;make rpm&quot;, and that the mechanisms
- for building the kernel modules produce consistent results.</P>
-<DL>
-<DT>RPM_KERNEL_SOURCE</DT>
-<DD>Point to an extracted copy of the RedHat kernel source code.
- Variables from the environment may be used.</DD>
-<DT>REF_RPM_CONTENTS</DT>
-<DD>This is a file containing one record per line. Each record consists
- of a RPM name (may contain wildcards) and a filename to compare the
- contents to. The RPM will be located and a file list will be produced
- with rpm2cpio.</DD>
-</DL>
-<H2><A NAME="39_8">libtest paramaters</A></H2>
-<P> The libtest test is for testing library routines. The library file
- is expected to provided an <CODE>#ifdef</CODE> by the name of<VAR>
- library</VAR>
-<!--CODE_MAIN</CODE-->
-. The libtest type invokes the C compiler to compile this
- file, links it against <CODE>libfreeswan.a</CODE> (to resolve any other
- dependancies) and runs the test with the <CODE>-r</CODE> argument to
- invoke a regression test.</(null)></P>
-<P>The library test case is expected to do a self-test, exiting with
- status code 0 if everything is okay, and with non-zero otherwise. A
- core dump (exit code greater than 128) is noted specifically.</P>
-<P> Unlike other tests, there are no subdirectories required, or other
- parameters to set.</P>
-<H2 NAME="umlplutotest"><A NAME="39_9">umlplutotest paramaters</A></H2>
-<P> The umlplutotest function starts a pair of user mode line processes.
- This is a 2-host version of umlXhost. The &quot;EAST&quot; and &quot;WEST&quot; slots are
- defined.</P>
-<H2 NAME="umlXhost"><A NAME="39_10">umlXhost parameters</A></H2>
-<P> The umlXtest function starts an arbitrary number of user mode line
- processes.</P>
-
-<!-- <IMG SRC="single_netjig.png" ALT="block diagram of uml_netjig"> -->
-<P> The script invoked (<CODE>testing/utils/Xhost-test.tcl</CODE>) is a
- TCL<A HREF="http://expect.nist.gov/"> expect</A> script that arranges
- to start each UML and configure it appropriately for the test. It then
- starts listening (using uml_netjig) to the simulated network answering
- ARPs and inserting packets as appropriate.</P>
-<P> umlXtest has a series of slots, each of which should be filled by a
- host. The list of slots is controlled by the variable, XHOST_LIST. This
- variable should be set to a space seperated list of slots. The former
- umlplutotest is now implemented as a variation of the umlXhost test,
- with XHOST_LIST=&quot;EAST WEST&quot;.</P>
-<P> For each host slot that is defined, a series of variables should be
- filled in, defining what configuration scripts to use for that host.</P>
-<P> The following are used to control the console input and output to
- the system. Where the string ${host} is present, the host slot should
- be filled in. I.e. for the two host system with XHOST_LIST=&quot;EAST WEST&quot;,
- then the variables: EAST_INIT_SCRIPT and WEST_INIT_SCRIPT will exist.</P>
-<DL>
-<DT>${host}HOST</DT>
-<DD>The name of the UML host which will fill this slot</DD>
-<DT>${host}_INIT_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode prior to starting the tests. This file will usually
- set up any eroute's and SADB entries that are required for the test.
- Similar to INIT_SCRIPT, above.</P>
-</DD>
-<DT>${host}_RUN_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode, before the packets are sent. This set of commands is
- run after all of the virtual machines are initialized. I.e. after
- EAST_INIT_SCRIPT<B> AND</B> WEST_INIT_SCRIPT. This script can therefore
- do things that require that all machines are properly configured.</P>
-</DD>
-<DT>${host}_RUN2_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode, after the packets are sent. This set of commands is
- run before any of the virtual machines have been shut down. (I.e.
- before EAST_FINAL_SCRIPT<B> AND</B> WEST_FINAL_SCRIPT.) This script can
- therefore catch post-activity status reports.</P>
-</DD>
-<DT>${host}_FINAL_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode after the final packet is sent. Similar to
- INIT_SCRIPT, above. If not specified, then the single command &quot;halt&quot; is
- sent. Note that when this script is run, the other virtual machines may
- already have been killed. If specified, then the script should end with
- a halt command to nicely shutdown the UML.</P>
-</DD>
-<DT>REF_${host}_CONSOLE_OUTPUT</DT>
-<DD>Similar to REF_CONSOLE_OUTPUT, above.</DD>
-</DL>
-<P>Some additional flags apply to all hosts:</P>
-<DL>
-<DT>REF_CONSOLE_FIXUPS</DT>
-<DD>a list of scripts (found in <CODE>klips/test/fixups</CODE>) to apply
- to sanitize the console output of the machine under test. These are
- typically perl, awk or sed scripts that remove things in the kernel
- output that change each time the test is run and/or compiled.</DD>
-</DL>
-<P> In addition to input to the console, the networks may have input fed
- to them:</P>
-<DL>
-<DT>EAST_INPUT/WEST_INPUT</DT>
-<DD>a<A HREF="http://www.tcpdump.org/"> pcap</A> file to feed in on the
- private network side of each network. The &quot;EAST&quot; and &quot;WEST&quot; here refer
- to the networks, not the hosts.</DD>
-<DT>REF_PUB_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-<DT>REF_EAST_FILTER/REF_WEST_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-&lt;
-<DT>TCPDUMPFLAGS</DT>
-<DD>a set of flags for the tcpdump used when converting captured output.
- Typical values will include &quot;-n&quot; to turn off DNS, and often &quot;-E&quot; to set
- the decryption key (tcpdump 3.7.1 and higher only) for ESP packets. The
- &quot;-t&quot; flag (turn off timestamps) is provided automatically</DD>
-<DT>REF_EAST_OUTPUT/REF_WEST_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the private (eth0)
- interface are captured and compared after conversion by tcpdump, as
- with<VAR> REF_PUB_OUTPUT</VAR>.</DD>
-<P> There are two additional environment variables that may be set on
- the command line:</P>
-<DL>
-<DT> NETJIGVERBOSE=verbose export NETJIGVERBOSE</DT>
-<DD> If set, then the test output will be &quot;chatty&quot;, and let you know
- what commands it is running, and as packets are sent. Without it set,
- the output is limited to success/failure messages.</DD>
-<DT> NETJIGTESTDEBUG=netjig export NETJIGTESTDEBUG</DT>
-<DD> This will enable debugging of the communication with uml_netjig,
- and turn on debugging in this utility. This does not imply
- NETJIGVERBOSE.</DD>
-</DL>
-<DT> HOSTTESTDEBUG=hosttest export HOSTTESTDEBUG</DT>
-<DD> This will show all interactions with the user-mode-linux consoles</DD>
-</DL>
-<H2 NAME="kernelpatch"><A NAME="39_11">kernel_patch_test paramaters</A></H2>
-<P> The kernel_patch_test function takes some kernel source, copies it
- with lndir, and then applies the patch as produced by &quot;make
- kernelpatch&quot;.</P>
-<P> The following are used to control the input and output to the
- system:</P>
-<DL>
-<DT>KERNEL_NAME</DT>
-<DD>the kernel name, typically something like &quot;linus&quot; or &quot;rh&quot;</DD>
-<DT>KERNEL_VERSION</DT>
-<DD>the kernel version number, as in &quot;2.2&quot; or &quot;2.4&quot;.</DD>
-<DT>KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC</DT>
-<DD>This variable should set in the environment, probably in
- ~/freeswan-regress-env.sh. Examples of this variables would be
- KERNEL_LINUS2_0_SRC or KERNEL_RH7_3_SRC. This variable should point to
- an extracted copy of the kernel source in question.</DD>
-<DT>REF_PATCH_OUTPUT</DT>
-<DD>a copy of the patch output to compare against</DD>
-<DT>KERNEL_PATCH_LEAVE_SOURCE</DT>
-<DD>If set to a non-empty string, then the patched kernel source is not
- removed at the end of the test. This will typically be set in the
- environment while debugging.</DD>
-</DL>
-<H2 NAME="modtest"><A NAME="39_12">module_compile paramaters</A></H2>
-<P> The module_compile test attempts to build the KLIPS module against a
- given set of kernel source. This is also done by the RPM tests, but in
- a very specific manner.</P>
-<P> There are two variations of this test - one where the kernel either
- doesn't need to be configured, or is already done, and tests were there
- is a local configuration file.</P>
-<P> Where the kernel doesn't need to be configured, the kernel source
- that is found is simply used. It may be a RedHat-style kernel, where
- one can cause it to configure itself via rhconfig.h-style definitions.
- Or, it may just be a kernel tree that has been configured.</P>
-<P> If the variable KERNEL_CONFIG_FILE is set, then a new directory is
- created for the kernel source. It is populated with lndir(1). The
- referenced file is then copied in as .config, and &quot;make oldconfig&quot; is
- used to configure the kernel. This resulting kernel is then used as the
- reference source.</P>
-<P> In all cases, the kernel source is found the same was for the
- kernelpatch test, i.e. via KERNEL_VERSION/KERNEL_NAME and
- KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC.</P>
-<P> Once there is kernel source, the module is compiled using the
- top-level &quot;make module&quot; target.</P>
-<P> The test is considered successful if an executable is found in
- OUTPUT/module/ipsec.o at the end of the test.</P>
-<DL>
-<DT>KERNEL_NAME</DT>
-<DD>the kernel name, typically something like &quot;linus&quot; or &quot;rh&quot;</DD>
-<DT>KERNEL_VERSION</DT>
-<DD>the kernel version number, as in &quot;2.2&quot; or &quot;2.4&quot;.</DD>
-<DT>KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC</DT>
-<DD>This variable should set in the environment, probably in
- ~/freeswan-regress-env.sh. Examples of this variables would be
- KERNEL_LINUS2_0_SRC or KERNEL_RH7_3_SRC. This variable should point to
- an extracted copy of the kernel source in question.</DD>
-<DT>KERNEL_CONFIG_FILE</DT>
-<DD>The configuration file for the kernel.</DD>
-<DT>KERNEL_PATCH_LEAVE_SOURCE</DT>
-<DD>If set to a non-empty string, then the configured kernel source is
- not removed at the end of the test. This will typically be set in the
- environment while debugging.</DD>
-<DT>MODULE_DEF_INCLUDE</DT>
-<DD>The include file that will be used to configure the KLIPS module,
- and possibly the kernel source.</DD>
-</DL>
-<H1><A NAME="40">Current pitfalls</A></H1>
-<DL>
-<DT> &quot;tcpdump dissector&quot; not available.</DT>
-<DD> This is a non-fatal warning. If uml_netjig is invoked with the -t
- option, then it will attempt to use tcpdump's dissector to decode each
- packet that it processes. The dissector is presently not available, so
- this option it normally turned off at compile time. The dissector
- library will be released with tcpdump version 4.0.</DD>
-</DL>
-<HR>
-<H1><A name="nightly">Nightly regression testing</A></H1>
-<P> The nightly regression testing system consists of several shell
- scripts and some perl scripts. The goal is to check out a fresh tree,
- run &quot;make check&quot; on it, record the results and summarize the results to
- the team and to the web site.</P>
-<P> Output can be found on<A HREF="http://bugs.freeswan.org:81/"> adams</A>
-, although the tests are actually run on another project machine.</P>
-<H1><A name="nightlyhowto">How to setup the nightly build</A></H1>
-<P> The best way to do nightly testing is to setup a new account. We
- call the account &quot;build&quot; - you could call it something else, but there
- may still be some references to ~build in the scripts.</P>
-<H2><A NAME="42_1"> Files you need to know about</A></H2>
-<P> As few files as possible need to be extracted from the source tree -
- files are run from the source tree whenever possible. However, there
- are some bootstrap and configuration files that are necessary.</P>
-<P> There are 7 files in testing/utils that are involved:</P>
-<DL>
-<DT> nightly-sample.sh</DT>
-<DD> This is the root of the build process. This file should be copied
- out of the CVS tree, to $HOME/bin/nightly.sh of the build account. This
- file should be invoked from cron.</DD>
-<DT> freeswan-regress-env-sample.sh</DT>
-<DD> This file should be copied to $HOME/freeswan-regress-env.sh. It
- should be edited to localize the values. See below.</DD>
-<DT> regress-cleanup.pl</DT>
-<DD> This file needs to be copied to $HOME/bin/regress-cleanup.pl. It is
- invoked by the nightly file before doing anything else. It removes
- previous nights builds in order to free up disk space for the build
- about to be done.</DD>
-<DT> teammail-sample.sh</DT>
-<DD> A script used to send results email to the &quot;team&quot;. This sample
- script could be copied to $HOME/bin/teammail.sh. This version will PGP
- encrypt all the output to the team members. If this script is used,
- then PGP will have to be properly setup to have the right keys.</DD>
-<DT> regress-nightly.sh</DT>
-<DD> This is the first stage of the nightly build. This stage will call
- other scripts as appropriate, and will extract the source code from
- CVS. This script should be copied to $HOME/bin/regress-nightly.sh</DD>
-<DT> regress-stage2.sh</DT>
-<DD> This is the second stage of the nightly build. It is called in
- place. It essentially sets up the UML setup in umlsetup.sh, and calls
- &quot;make check&quot;.</DD>
-<DT> regress-summarize-results.pl</DT>
-<DD> This script will summarize the results from the tests to a
- permanent directory set by $REGRESSRESULTS. It is invoked from the
- stage2 nightly script.</DD>
-<DT> regress-chart.sh</DT>
-<DD> This script is called at the end of the build process, and will
- summarize each night's results (as saved into $REGRESSRESULTS by
- regress-summarize-results.pl) as a chart using gnuplot. Note that this
- requires at least gnuplot 3.7.2.</DD>
-</DL>
-<H2><A NAME="42_2">Configuring freeswan-regress-env.sh</A></H2>
-<P>For more info on KERNPOOL, UMLPATCH, BASICROOT and SHAREDIR, see<A HREF="umltesting.html">
- User-Mode-Linux testing guide</A>.</P>
-<DL>
-<DT> KERNPOOL</DT>
-<DD> Extract copy of some kernel source to be used for UML builds</DD>
-<DT> UMLPATCH</DT>
-<DD> matching User-Mode-Linux patch.</DD>
-<DT> BASICROOT</DT>
-<DD> the root file system image (see<A HREF="umltesting.html">
- User-Mode-Linux testing guide</A>).</DD>
-<DT> SHAREDIR=${BASICROOT}/usr/share</DT>
-<DD> The /usr/share to use.</DD>
-<DT> REGRESSTREE</DT>
-<DD> A directory in which to store the nightly regression results.
- Directories will be created by date in this tree.</DD>
-<DT> TCPDUMP=tcpdump-3.7.1</DT>
-<DD> The path to the<A HREF="http://www.tcpdump.org/"> tcpdump</A> to
- use. This must have crypto compiled in, and must be at least 3.7.1</DD>
-<DT> KERNEL_RH7_2_SRC=/a3/kernel_sources/linux-2.4.9-13/</DT>
-<DD> An extracted copy of the RedHat 7.2. kernel source. If set, then
- the packaging/rpm-rh72-install-01 test will be run, and an RPM will be
- built as a test.</DD>
-<DT> KERNEL_RH7_3_SRC=/a3/kernel_sources/rh/linux-2.4.18-5</DT>
-<DD> An extracted copy of the RedHat 7.3. kernel source. If set, then
- the packaging/rpm-rh73-install-01 test will be run, and an RPM will be
- built as a test.</DD>
-<DT> NIGHTLY_WATCHERS=&quot;userid,userid,userid&quot;</DT>
-<DD> The list of people who should receive nightly output. This is used
- by teammail.sh</DD>
-<DT> FAILLINES=128</DT>
-<DD> How many lines of failed test output to include in the nightly
- output</DD>
-<DT> PATH=$PATH:/sandel/bin export PATH</DT>
-<DD> You can also override the path if necessary here.</DD>
-<DT> CVSROOT=:pserver:anoncvs@ip212.xs4net.freeswan.org:/freeswan/MASTER</DT>
-<DD> The CVSROOT to use. This example may work for anonymous CVS, but
- will be 12 hours behind the primary, and is still experimental</DD>
-<DT> SNAPSHOTSIGDIR=$HOME/snapshot-sig</DT>
-<DD> For the release tools, where to put the generated per-snapshot
- signature keys</DD>
-<DT> LASTREL=1.97</DT>
-<DD> the name of the last release branch (to find the right per-snapshot
- signature</DD>
-<DD></DD>
-</DL>
-</BODY>
-</HTML>
diff --git a/doc/Makefile b/doc/Makefile
deleted file mode 100644
index f8209b3a8..000000000
--- a/doc/Makefile
+++ /dev/null
@@ -1,167 +0,0 @@
-# Makefile to generate various formats from HTML source
-#
-# Assumes the htmldoc utility is available.
-# This can be downloaded from www.easysw.com
-#
-# Also needs lynx(1) for HTML-to-text conversion
-
-.SUFFIXES: .png .fig
-
-FREESWANSRCDIR=..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-# Format arguments for htmldoc
-F="--toclevels 4 --header 1cd"
-
-# source files in subdirectory
-# basic stuff
-a=src/intro.html src/upgrading.html src/quickstart.html \
-  src/policygroups.html src/faq.html
-
-# related
-b=src/manpages.html src/firewall.html src/trouble.html
-
-# more advanced
-c=src/compat.html src/interop.html src/performance.html \
-	src/testing.html src/kernel.html src/adv_config.html \
-	src/install.html src/config.html \
-	src/background.html src/user_examples.html \
-	src/makecheck.html src/umltesting.html \
-
-# background and reference material
-d=src/politics.html src/ipsec.html \
-	src/mail.html src/web.html src/glossary.html src/biblio.html \
-	src/rfc.html src/roadmap.html
-
-# build and release related
-e=src/umltesting.html src/makecheck.html src/nightly.html
-
-sections=$a $b $c $d $e
-
-# separate HTML files built in current directory
-separate=intro.html install.html config.html manpages.html \
-	firewall.html trouble.html kernel.html roadmap.html \
-	compat.html interop.html politics.html ipsec.html \
-	mail.html performance.html testing.html web.html \
-	glossary.html biblio.html rfc.html faq.html \
-	adv_config.html user_examples.html background.html \
-	quickstart.html umltesting.html makecheck.html nightly.html \
-        upgrading.html policygroups.html
-
-# various one-big-file formats
-howto=HowTo.html HowTo.ps HowTo.pdf HowTo.txt
-
-alldocs=${seperate} ${howto} index.html toc.html
-
-srcdir=..
-# where are scripts
-SCRIPTDIR=utils
-
-# where
-TESTINGDIR=${srcdir}/testing
-
-# where do we put HTML manpages?
-HMANDIR=manpage.d
-
-# default, build HTML only
-# dependencies build most of it
-# then we add index
-index.html: toc.html HowTo.html manpages src/index.html
-	cp src/index.html index.html
-
-# separate files plus table of contents
-# and then remove HTML formatting added by htmldoc
-toc.html : $(sections)
-	@htmldoc -t html --path ".;${TESTINGDIR}/doc" -d .  $(sections)
-	@$(SCRIPTDIR)/cleanhtml.sh $(SCRIPTDIR)/cleanhtml.sed $(separate)
-
-# one big HTML file
-HowTo.html : $(sections)
-	@htmldoc -t html --toclevels 4 --header ' cf' -f $@ $(sections)
-
-# other HowTo formats
-HowTo.txt: HowTo.html
-	lynx -dump $< > $@
-
-HowTo.ps : $(sections)
-	htmldoc -f $@ $(sections)
-
-HowTo.pdf : $(sections)
-	@htmldoc -f $@ $(sections)
-
-manpages:	manp
-
-manp:	$(SCRIPTDIR)/mkhtmlman
-	@$(SCRIPTDIR)/mkhtmlman $(HMANDIR) `find ../programs ../lib ../linux -type f -name '*.[1-8]' -print | grep -v lwres | grep -v CVS`
-
-programs: 
-
-all: #$(howto) $(manpages) index.html
-
-clean:
-	@rm -f $(howto) $(separate) toc.html index.html
-	@rm -rf $(HMANDIR)
-
-install:
-#install: ${alldocs} manpages
-#	@mkdir -p ${DOCDIR}
-#	@$(foreach f, $(alldocs), \
-#		$(INSTALL) $f ${DOCDIR} || exit 1;\
-#	)
-#	@find ${HMANDIR} -type f -name "*.html" -print | while read file; \
-#	do \
-#		$(INSTALL) $$file ${DOCDIR} || exit 1;\
-#	done;
-
-install_file_list:
-	@$(foreach f, $(alldocs), \
-		echo ${DOCDIR}/$f; \
-	)
-	@if [ -d ${HMANDIR} ]; then find ${HMANDIR} -type f -name "*.html" -print | while read file; \
-	do \
-		echo ${DOCDIR}/$$file; \
-	done; fi;
-
-checkprograms: ;
-
-check: ;
-
-# not enabled by default, because xml2rfc must be installed first.
-drafts: draft-richardson-ipsec-opportunistic.txt src/draft-richardson-ipsec-opportunistic.html \
-	draft-richardson-ipsec-rr.txt src/draft-richardson-ipsec-rr.html
-
-draft-richardson-ipsec-opportunistic.txt: src/draft-richardson-ipsec-opportunistic.xml
-	XML_LIBRARY=$(XML_LIBRARY):./src xml2rfc xml2rfc $? $@
-
-draft-richardson-ipsec-rr.txt: src/draft-richardson-ipsec-rr.xml
-	XML_LIBRARY=$(XML_LIBRARY):./src xml2rfc xml2rfc $? $@
-
-draft-%.nr: src/draft-%.xml
-	XML_LIBRARY=$(XML_LIBRARY):./src xml2rfc xml2nroff $? $@
-
-draft-%.html: draft-%.xml
-	XML_LIBRARY=$(XML_LIBRARY):./src xml2rfc xml2html $? $@
-
-
-.fig.eps: 
-	fig2dev -L ps $< $@
-
-.fig.png: 
-	fig2dev -L png $< $@
-
-single_netjig.png: testing/single_netjig.fig
-multi_netjig.png: testing/multi_netjig.fig
-
-makecheck.html: single_netjig.png multi_netjig.png
-
-#
-# DocBook based documentation
-#
-xmldocs: mast.html klips/mast.4
-	
-mast.html: klips/mast.xml
-	xmlto html klips/mast.xml
-
-klips/mast.4: klips/mast.xml
-	xmlto -o klips man klips/mast.xml
-
diff --git a/doc/adv_config.html b/doc/adv_config.html
deleted file mode 100644
index 4b779c753..000000000
--- a/doc/adv_config.html
+++ /dev/null
@@ -1,1232 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="kernel.html">Previous</A>
-<A HREF="install.html">Next</A>
-<HR>
-<H1><A name="adv_config">Other configuration possibilities</A></H1>
-<P>This document describes various options for FreeS/WAN configuration
- which are less used or more complex (often both) than the standard
- cases described in our<A href="config.html#config"> config</A> and<A href="quickstart.html#quick_guide">
- quickstart</A> documents.</P>
-<H2><A name="thumb">Some rules of thumb about configuration</A></H2>
-<H3><A name="cheap.tunnel">Tunnels are cheap</A></H3>
-<P>Nearly all of the overhead in IPsec processing is in the encryption
- and authentication of packets. Our<A href="performance.html">
- performance</A> document discusses these overheads.</P>
-<P>Beside those overheads, the cost of managing additional tunnels is
- trivial. Whether your gateway supports one tunnel or ten just does not
- matter. A hundred might be a problem; there is a<A href="performance.html#biggate">
- section</A> on this in the performance document.</P>
-<P>So, in nearly all cases, if using multiple tunnels gives you a
- reasonable way to describe what you need to do, you should describe it
- that way in your configuration files.</P>
-<P>For example, one user recently asked on a mailing list about this
- network configuration:</P>
-<PRE>        netA---gwA---gwB---netB
-                            |----netC
-
-   netA and B are secured netC not.
-   netA and gwA can not access netC</PRE>
-<P>The user had constructed only one tunnel, netA to netB, and wanted to
- know how to use ip-route to get netC packets into it. This is entirely
- unnecessary. One of the replies was:</P>
-<PRE>  The simplest way and indeed the right way to
-  solve this problem is to set up two connections:
-
-        leftsubnet=NetA
-        left=gwA
-        right=gwB
-        rightsubnet=NetB
-  and
-        leftsubnet=NetA
-        left=gwA
-        right=gwB
-        rightsubnet=NetC</PRE>
-<P>This would still be correct even if we added nets D, E, F, ... to the
- above diagram and needed twenty tunnels.</P>
-<P>Of course another possibility would be to just use one tunnel, with a
- subnet mask that includes both netB and netC (or B, C, D, ...). See
- next section.</P>
-<P>In general, you can construct as many tunnels as you need. Networks
- like netC in this example that do not connect directly to the gateway
- are fine, as long as the gateway can route to them.</P>
-<P>The number of tunnels can become an issue if it reaches 50 or so.
- This is discussed in the<A href="performance.html#biggate"> performance</A>
- document. Look there for information on supporting hundreds of Road
- Warriors from one gateway.</P>
-<P>If you find yourself with too many tunnels for some reason like
- having eight subnets at one location and nine at another so you end up
- with 9*8=72 tunnels, read the next section here.</P>
-<H3><A name="subnet.size">Subnet sizes</A></H3>
-<P>The subnets used in<VAR> leftsubnet</VAR> and<VAR> rightsubnet</VAR>
- can be of any size that fits your needs, and they need not correspond
- to physical networks.</P>
-<P>You adjust the size by changing the<A href="glossary.html#subnet">
- subnet mask</A>, the number after the slash in the subnet description.
- For example</P>
-<UL>
-<LI>in 192.168.100.0/24 the /24 mask says 24 bits are used to designate
- the network. This leave 8 bits to label machines. This subnet has 256
- addresses. .0 and .255 are reserved, so it can have 254 machines.</LI>
-<LI>A subnet with a /23 mask would be twice as large, 512 addresses.</LI>
-<LI>A subnet with a /25 mask would be half the size, 128 addresses.</LI>
-<LI>/0 is the whole Internet</LI>
-<LI>/32 is a single machine</LI>
-</UL>
-<P>As an example of using these in connection descriptions, suppose your
- company's head office has four physical networks using the address
- ranges:</P>
-<DL>
-<DT>192.168.100.0/24</DT>
-<DD>development</DD>
-<DT>192.168.101.0/24</DT>
-<DD>production</DD>
-<DT>192.168.102.0/24</DT>
-<DD>marketing</DD>
-<DT>192.168.103.0/24</DT>
-<DD>administration</DD>
-</DL>
-<P>You can use exactly those subnets in your connection descriptions, or
- use larger subnets to grant broad access if required:</P>
-<DL>
-<DT>leftsubnet=192.168.100.0/24</DT>
-<DD>remote hosts can access only development</DD>
-<DT>leftsubnet=192.168.100.0/23</DT>
-<DD>remote hosts can access development or production</DD>
-<DT>leftsubnet=192.168.102.0/23</DT>
-<DD>remote hosts can access marketing or administration</DD>
-<DT>leftsubnet=192.168.100.0/22</DT>
-<DD>remote hosts can access any of the four departments</DD>
-</DL>
-<P>or use smaller subnets to restrict access:</P>
-<DL>
-<DT>leftsubnet=192.168.103.0/24</DT>
-<DD>remote hosts can access any machine in administration</DD>
-<DT>leftsubnet=192.168.103.64/28</DT>
-<DD>remote hosts can access only certain machines in administration.</DD>
-<DT>leftsubnet=192.168.103.42/32</DT>
-<DD>remote hosts can access only one particular machine in
- administration</DD>
-</DL>
-<P>To be exact, 192.68.103.64/28 means all addresses whose top 28 bits
- match 192.168.103.64. There are 16 of these because there are 16
- possibilities for the remainingg 4 bits. Their addresses are
- 192.168.103.64 to 192.168.103.79.</P>
-<P>Each connection description can use a different subnet if required.</P>
-<P>It is possible to use all the examples above on the same FreeS/WAN
- gateway, each in a different connection description, perhaps for
- different classes of user or for different remote offices.</P>
-<P>It is also possible to have multiple tunnels using different<VAR>
- leftsubnet</VAR> descriptions with the same<VAR> right</VAR>. For
- example, when the marketing manager is on the road he or she might have
- access to:</P>
-<DL>
-<DT>leftsubnet=192.168.102.0/24</DT>
-<DD>all machines in marketing</DD>
-<DT>192.168.101.32/29</DT>
-<DD>some machines in production</DD>
-<DT>leftsubnet=192.168.103.42/32</DT>
-<DD>one particular machine in administration</DD>
-</DL>
-<P>This takes three tunnels, but tunnels are cheap. If the laptop is set
- up to build all three tunnels automatically, then he or she can access
- all these machines concurrently, perhaps from different windows.</P>
-<H3><A name="example.more">Other network layouts</A></H3>
-<P>Here is the usual network picture for a site-to-site VPN::</P>
-<PRE>     Sunset==========West------------------East=========Sunrise
-           local net       untrusted net       local net</PRE>
-<P>and for the Road Warrior::</P>
-<PRE>                                           telecommuter's PC or
-                                           traveller's laptop
-     Sunset==========West------------------East
-         corporate LAN     untrusted net</PRE>
-<P>Other configurations are also possible.</P>
-<H4><A name="internet.subnet">The Internet as a big subnet</A></H4>
-<P>A telecommuter might have:</P>
-<PRE>     Sunset==========West------------------East ================= firewall --- the Internet
-         home network      untrusted net        corporate network</PRE>
-<P>This can be described as a special case of the general
- subnet-to-subnet connection. The subnet on the right is 0.0.0.0/0, the
- whole Internet.</P>
-<P>West (the home gateway) can have its firewall rules set up so that
- only IPsec packets to East are allowed out. It will then behave as if
- its only connection to the world was a wire to East.</P>
-<P>When machines on the home network need to reach the Internet, they do
- so via the tunnel, East and the corporate firewall. From the viewpoint
- of the Internet (perhaps of some EvilDoer trying to break in!), those
- home office machines are behind the firewall and protected by it.</P>
-<H4><A name="wireless.config">Wireless</A></H4>
-<P>Another possible configuration comes up when you do not trust the
- local network, either because you have very high security standards or
- because your are using easily-intercepted wireless signals.</P>
-<P>Some wireless networks have built-in encryption called<A href="glossary.html#WEP">
- WEP</A>, but its security is dubious. It is a fairly common practice to
- use IPsec instead.</P>
-<P>In this case, part of your network may look like this:</P>
-<PRE>          West-----------------------------East == the rest of your network
-     workstation   untrusted wireless net</PRE>
-<P>Of course, there would likely be several wireless workstations, each
- with its own IPsec tunnel to the East gateway.</P>
-<P>The connection descriptions look much like Road Warrior descriptions:</P>
-<UL>
-<LI>each workstation should have its own unique
-<UL>
-<LI>identifier for IPsec</LI>
-<LI>RSA key</LI>
-<LI>connection description.</LI>
-</UL>
-</LI>
-<LI>on the gateway, use<VAR> left=%any</VAR>, or the workstation IP
- address</LI>
-<LI>on workstations,<VAR> left=%defaultroute</VAR>, or the workstation
- IP address</LI>
-<LI><VAR>leftsubnet=</VAR> is not used.</LI>
-</UL>
-<P>The<VAR> rightsubnet=</VAR> parameter might be set in any of several
- ways:</P>
-<DL>
-<DT>rightsubnet=0.0.0.0/0</DT>
-<DD>allowing workstations to access the entire Internet (see<A href="#internet.subnet">
- above</A>)</DD>
-<DT>rightsubnet=a.b.c.0/24</DT>
-<DD>allowing access to your entire local network</DD>
-<DT>rightsubnet=a.b.c.d/32</DT>
-<DD>restricting the workstation to connecting to a particular server</DD>
-</DL>
-<P>Of course you can mix and match these as required. For example, a
- university might allow faculty full Internet access while letting
- student laptops connect only to a group of lab machines.</P>
-<H2><A name="choose">Choosing connection types</A></H2>
-<P>One choice you need to make before configuring additional connections
- is what type or types of connections you will use. There are several
- options, and you can use more than one concurrently.</P>
-<H3><A name="man-auto">Manual vs. automatic keying</A></H3>
-<P>IPsec allows two types of connections, with manual or automatic
- keying. FreeS/WAN starts them with commands such as:</P>
-<PRE>        ipsec manual --up <VAR>name</VAR>
-        ipsec auto --up <VAR>name</VAR></PRE>
-<P>The difference is in how they are keyed.</P>
-<DL>
-<DT><A href="glossary.html#manual">Manually keyed</A> connections</DT>
-<DD>use keys stored in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf</A>
-.</DD>
-<DT><A href="glossary.html#auto">Automatically keyed</A> connections</DT>
-<DD>use keys automatically generated by the Pluto key negotiation
- daemon. The key negotiation protocol,<A href="glossary.html#IKE"> IKE</A>
-, must authenticate the other system. (It is vulnerable to a<A href="glossary.html#middle">
- man-in-the-middle attack</A> if used without authentication.) We
- currently support two authentication methods:
-<UL>
-<LI>using shared secrets stored in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets</A>.</LI>
-<LI>RSA<A href="glossary.html#public"> public key</A> authentication,
- with our machine's private key in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets</A>. Public keys for other machines may either be placed
- in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf</A> or provided via
- DNS.</LI>
-</UL>
-<P>A third method, using RSA keys embedded in<A href="glossary.html#X509">
- X.509</A> certtificates, is provided by user<A href="web.html#patch">
- patches</A>.</P>
-</DD>
-</DL>
-<P><A href="glossary.html#manual">Manually keyed</A> connections provide
- weaker security than<A href="glossary.html#auto"> automatically keyed</A>
- connections. An opponent who reads ipsec.secrets(5) gets your
- encryption key and can read all data encrypted by it. If he or she has
- an archive of old messages, all of them back to your last key change
- are also readable.</P>
-<P>With automatically-(re)-keyed connections, an opponent who reads
- ipsec.secrets(5) gets the key used to authenticate your system in IKE
- -- the shared secret or your private key, depending what authentication
- mechanism is in use. However, he or she does not automatically gain
- access to any encryption keys or any data.</P>
-<P>An attacker who has your authentication key can mount a<A href="glossary.html#middle">
- man-in-the-middle attack</A> and, if that succeeds, he or she will get
- encryption keys and data. This is a serious danger, but it is better
- than having the attacker read everyting as soon as he or she breaks
- into ipsec.secrets(5).. Moreover, the keys change often so an opponent
- who gets one key does not get a large amount of data. To read all your
- data, he or she would have to do a man-in-the-middle attack at every
- key change.</P>
-<P>We discuss using<A href="#prodman"> manual keying in production</A>
- below, but this is<STRONG> not recommended</STRONG> except in special
- circumstances, such as needing to communicate with some implementation
- that offers no auto-keyed mode compatible with FreeS/WAN.</P>
-<P>Manual keying may also be useful for testing. There is some
- discussion of this in our<A href="faq.html#man4debug"> FAQ</A>.</P>
-<H3><A name="auto-auth">Authentication methods for auto-keying</A></H3>
-<P>The IKE protocol which Pluto uses to negotiate connections between
- gateways must use some form of authentication of peers. A gateway must
- know who it is talking to before it can create a secure connection. We
- support two basic methods for this authentication:</P>
-<UL>
-<LI>shared secrets, stored in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A></LI>
-<LI>RSA authentication</LI>
-</UL>
-<P>There are, howver, several variations on the RSA theme, using
- different methods of managing the RSA keys:</P>
-<UL>
-<LI>our RSA private key in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A> with other gateways' public keys
-<DL>
-<DT>either</DT>
-<DD>stored in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A></DD>
-<DT>or</DT>
-<DD>looked up via<A href="glossary.html#DNS"> DNS</A></DD>
-</DL>
-</LI>
-<LI>authentication with<A href="glossary.html#x509"> x.509</A>
- certificates.; See our<A href="web.html#patch"> links section</A> for
- information on user-contributed patches for this.:</LI>
-</UL>
-<P>Public keys in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5</A>
-) give a reasonably straightforward method of specifying keys for
- explicitly configured connections.</P>
-<P>Putting public keys in DNS allows us to support<A href="glossary.html#carpediem">
- opportunistic encryption</A>. Any two FreeS/WAN gateways can provide
- secure communication, without either of them having any preset
- information about the other.</P>
-<P>X.509 certificates may be required to interface to various<A href="glossary.html#PKI">
- PKI</A>s.</P>
-<H3><A name="adv-pk">Advantages of public key methods</A></H3>
-<P>Authentication with a<A href="glossary.html#public"> public key</A>
- method such as<A href="glossary.html#RSA"> RSA</A> has some important
- advantages over using shared secrets.</P>
-<UL>
-<LI>no problem of secure transmission of secrets
-<UL>
-<LI>A shared secret must be shared, so you have the problem of
- transmitting it securely to the other party. If you get this wrong, you
- have no security.</LI>
-<LI>With a public key technique, you transmit only your public key. The
- system is designed to ensure that it does not matter if an enemy
- obtains public keys. The private key never leaves your machine.</LI>
-</UL>
-</LI>
-<LI>easier management
-<UL>
-<LI>Suppose you have 20 branch offices all connecting to one gateway at
- head office, and all using shared secrets. Then the head office admin
- has 20 secrets to manage. Each of them must be kept secret not only
- from outsiders, but also from 19 of the branch office admins. The
- branch office admins have only one secret each to manage.
-<P>If the branch offices need to talk to each other, this becomes
- problematic. You need another 20*19/2 = 190 secrets for
- branch-to-branch communication, each known to exactly two branches. Now
- all the branch admins have the headache of handling 20 keys, each
- shared with exactly one other branch or with head office.</P>
-<P>For larger numbers of branches, the number of connections and secrets
- increases quadratically and managing them becomes a nightmare. A
- 1000-gateway fully connected network needs 499,500 secrets, each known
- to exactly two players. There are ways to reduce this problem, for
- example by introducing a central key server, but these involve
- additional communication overheads, more administrative work, and new
- threats that must be carefully guarded against.</P>
-</LI>
-<LI>With public key techniques, the<EM> only</EM> thing you have to keep
- secret is your private key, and<EM> you keep that secret from everyone</EM>
-.
-<P>As network size increaes, the number of public keys used increases
- linearly with the number of nodes. This still requires careful
- administration in large applications, but is nothing like the disaster
- of a quadratic increase. On a 1000-gateway network, you have 1000
- private keys, each of which must be kept secure on one machine, and
- 1000 public keys which must be distributed. This is not a trivial
- problem, but it is manageable.</P>
-</LI>
-</UL>
-</LI>
-<LI>does not require fixed IP addresses
-<UL>
-<LI>When shared secrets are used in IPsec, the responder must be able to
- tell which secret to use by looking at the IP address on the incoming
- packets. When the other parties do not have a fixed IP address to be
- identified by (for example, on nearly all dialup ISP connections and
- many cable or ADSL links), this does not work well -- all must share
- the same secret!</LI>
-<LI>When RSA authentication is in use, the initiator can identify itself
- by name before the key must be determined. The responder then checks
- that the message is signed with the public key corresponding to that
- name.</LI>
-</UL>
-</LI>
-</UL>
-<P>There is also a disadvantage:</P>
-<UL>
-<LI>your private key is a single point of attack, extremely valuable to
- an enemy
-<UL>
-<LI>with shared secrets, an attacker who steals your ipsec.secrets file
- can impersonate you or try<A href="glossary.html#middle">
- man-in-the-middle</A> attacks, but can only attack connections
- described in that file</LI>
-<LI>an attacker who steals your private key gains the chance to attack
- not only existing connections<EM> but also any future connections</EM>
- created using that key</LI>
-</UL>
-</LI>
-</UL>
-<P>This is partly counterbalanced by the fact that the key is never
- transmitted and remains under your control at all times. It is likely
- necessary, however, to take account of this in setting security policy.
- For example, you should change gateway keys when an administrator
- leaves the company, and should change them periodically in any case.</P>
-<P>Overall, public key methods are<STRONG> more secure, more easily
- managed and more flexible</STRONG>. We recommend that they be used for
- all connections, unless there is a compelling reason to do otherwise.</P>
-<H2><A name="prodsecrets">Using shared secrets in production</A></H2>
-<P>Generally, public key methods are preferred for reasons given above,
- but shared secrets can be used with no loss of security, just more work
- and perhaps more need to take precautions.</P>
-<P>What I call &quot;shared secrets&quot; are sometimes also called &quot;pre-shared
- keys&quot;. They are used only for for authentication, never for encryption.
- Calling them &quot;pre-shared keys&quot; has confused some users into thinking
- they were encryption keys, so I prefer to avoid the term..</P>
-<P>If you are interoperating with another IPsec implementation, you may
- find its documentation calling them &quot;passphrases&quot;.</P>
-<H3><A name="secrets">Putting secrets in ipsec.secrets(5)</A></H3>
-<P>If shared secrets are to be used to<A href="glossary.html#authentication">
- authenticate</A> communication for the<A href="glossary.html#DH">
- Diffie-Hellman</A> key exchange in the<A href="glossary.html#IKE"> IKE</A>
- protocol, then those secrets must be stored in<VAR> /etc/ipsec.secrets</VAR>
-. For details, see the<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A> man page.</P>
-<P>A few considerations are vital:</P>
-<UL>
-<LI>make the secrets long and unguessable. Since they need not be
- remembered by humans, very long ugly strings may be used. We suggest
- using our<A href="manpage.d/ipsec_ranbits.8.html"> ipsec_ranbits(8)</A>
- utility to generate long (128 bits or more) random strings.</LI>
-<LI>transmit secrets securely. You have to share them with other
- systems, but you lose if they are intercepted and used against you. Use<A
-href="glossary.html#PGP"> PGP</A>,<A href="glossary.html#SSH"> SSH</A>,
- hand delivery of a floppy disk which is then destroyed, or some other
- trustworthy method to deliver them.</LI>
-<LI>store secrets securely, in root-owned files with permissions
- rw------.</LI>
-<LI>limit sharing of secrets. Alice, Bob, Carol and Dave may all talk to
- each other, but only Alice and Bob should know the secret for an
- Alice-Bob link.</LI>
-<LI><STRONG>do not share private keys</STRONG>. The private key for RSA
- authentication of your system is stored in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A>, but it is a different class of secret from the
- pre-shared keys used for the &quot;shared secret&quot; authentication. No-one but
- you should have the RSA private key.</LI>
-</UL>
-<P>Each line has the IP addresses of the two gateways plus the secret.
- It should look something like this:</P>
-<PRE>        10.0.0.1 11.0.0.1 : PSK &quot;jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT&quot;</PRE>
-<P><VAR>PSK</VAR> indicates the use of a<STRONG> p</STRONG>re-<STRONG>s</STRONG>
-hared<STRONG> k</STRONG>ey. The quotes and the whitespace shown are
- required.</P>
-<P>You can use any character string as your secret. For security, it
- should be both long and extremely hard to guess. We provide a utility
- to generate such strings,<A href="manpage.d/ipsec_ranbits.8.html">
- ipsec_ranbits(8)</A>.</P>
-<P>You want the same secret on the two gateways used, so you create a
- line with that secret and the two gateway IP addresses. The
- installation process supplies an example secret, useful<EM> only</EM>
- for testing. You must change it for production use.</P>
-<H3><A name="securing.secrets">File security</A></H3>
-<P>You must deliver this file, or the relevant part of it, to the other
- gateway machine by some<STRONG> secure</STRONG> means.<EM> Don't just
- FTP or mail the file!</EM> It is vital that the secrets in it remain
- secret. An attacker who knew those could easily have<EM> all the data
- on your &quot;secure&quot; connection</EM>.</P>
-<P>This file must be owned by root and should have permissions<VAR>
- rw-------</VAR>.</P>
-<H3><A name="notroadshared">Shared secrets for road warriors</A></H3>
-<P>You can use a shared secret to support a single road warrior
- connecting to your gateway, and this is a reasonable thing to do in
- some circumstances. Public key methods have advantages, discussed<A href="#choose">
- above</A>, but they are not critical in this case.</P>
-<P>To do this, the line in ipsec.secrets(5) is something like:</P>
-<PRE>        10.0.0.1 0.0.0.0 : PSK &quot;jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT&quot;</PRE>
- where the<VAR> 0.0.0.0</VAR> means that any IP address is acceptable.
-<P><STRONG>For more than one road warrior, shared secrets are<EM> not</EM>
- recommended.</STRONG> If shared secrets are used, then when the
- responder needs to look up the secret, all it knows about the sender is
- an IP address. This is fine if the sender is at a fixed IP address
- specified in the config file. It is also fine if only one road warrior
- uses the wildcard<VAR> 0.0.0.0</VAR> address. However, if you have more
- than one road warrior using shared secret authentication, then they
- must all use that wildcard and therefore<STRONG> all road warriors
- using PSK autentication must use the same secret</STRONG>. Obviously,
- this is insecure.</P>
-<P><STRONG>For multiple road warriors, use public key authentication.</STRONG>
- Each roadwarrior can then have its own identity (our<VAR> leftid=</VAR>
- or<VAR> rightid=</VAR> parameters), its own public/private key pair,
- and its own secure connection.</P>
-<H2><A name="prodman">Using manual keying in production</A></H2>
-<P>Generally,<A href="glossary.html#auto"> automatic keying</A> is
- preferred over<A href="glossary.html#manual"> manual keying</A> for
- production use because it is both easier to manage and more secure.
- Automatic keying frees the admin from much of the burden of managing
- keys securely, and can provide<A href="glossary.html#PFS"> perfect
- forward secrecy</A>. This is discussed in more detail<A href="#man-auto">
- above</A>.</P>
-<P>However, it is possible to use manual keying in production if that is
- what you want to do. This might be necessary, for example, in order to
- interoperate with some device that either does not provide automatic
- keying or provides it in some version we cannot talk to.</P>
-<P>Note that with manual keying<STRONG> all security rests with the keys</STRONG>
-. If an adversary acquires your keys, you've had it. He or she can read
- everything ever sent with those keys, including old messages he or she
- may have archived.</P>
-<P>You need to<STRONG> be really paranoid about keys</STRONG> if you're
- going to rely on manual keying for anything important.</P>
-<UL>
-<LI>keep keys in files with 600 permissions, owned by root</LI>
-<LI>be extremely careful about security of your gateway systems. Anyone
- who breaks into a gateway and gains root privileges can get all your
- keys and read everything ever encrypted with those keys, both old
- messages he has archived and any new ones you may send.</LI>
-<LI>change keys regularly. This can be a considerable bother, (and
- provides an excellent reason to consider automatic keying instead), but
- it is<EM> absolutely essential</EM> for security. Consider a manually
- keyed system in which you leave the same key in place for months:
-<UL>
-<LI>an attacker can have a very large sample of text sent with that key
- to work with. This makes various cryptographic attacks much more likely
- to succeed.</LI>
-<LI>The chances of the key being compromised in some non-cryptographic
- manner -- a spy finds it on a discarded notepad, someone breaks into
- your server or your building and steals it, a staff member is bribed,
- tricked, seduced or coerced into revealing it, etc. -- also increase
- over time.</LI>
-<LI>a successful attacker can read everything ever sent with that key.
- This makes any successful attack extremely damaging.</LI>
-</UL>
- It is clear that you must change keys often to have any useful
- security. The only question is how often.</LI>
-<LI>use<A href="glossary.html#PGP"> PGP</A> or<A href="glossary.html#SSH">
- SSH</A> for all key transfers</LI>
-<LI>don't edit files with keys in them when someone can look over your
- shoulder</LI>
-<LI>worry about network security; could someone get keys by snooping
- packets on the LAN between your X desktop and the gateway?</LI>
-<LI>lock up your backup tapes for the gateway system</LI>
-<LI>... and so on</LI>
-</UL>
-<P>Linux FreeS/WAN provides some facilities to help with this. In
- particular, it is good policy to<STRONG> keep keys in separate files</STRONG>
- so you can edit configuration information in /etc/ipsec.conf without
- exposing keys to &quot;shoulder surfers&quot; or network snoops. We support this
- with the<VAR> also=</VAR> and<VAR> include</VAR> syntax in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>.</P>
-<P>See the last example in our<A href="examples"> examples</A> file. In
- the /etc/ipsec.conf<VAR> conn samplesep</VAR> section, it has the line:</P>
-<PRE>        also=samplesep-keys</PRE>
-<P>which tells the &quot;ipsec manual&quot; script to insert the configuration
- description labelled &quot;samplesep-keys&quot; if it can find it. The
- /etc/ipsec.conf file must also have a line such as:</P>
-<PRE>include ipsec.*.conf</PRE>
-<P>which tells it to read other files. One of those other files then
- might contain the additional data:</P>
-<PRE>conn samplesep-keys
-  spi=0x200
-  esp=3des-md5-96
-  espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
-  espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf</PRE>
-<P>The first line matches the label in the &quot;also=&quot; line, so the indented
- lines are inserted. The net effect is exactly as if the inserted lines
- had occurred in the original file in place of the &quot;also=&quot; line.</P>
-<P>Variables set here are:</P>
-<DL>
-<DT>spi</DT>
-<DD>A number needed by the manual keying code. Any 3-digit hex number
- will do, but if you have more than one manual connection then<STRONG>
- spi must be different</STRONG> for each connection.</DD>
-<DT>esp</DT>
-<DD>Options for<A href="glossary.html#ESP"> ESP</A> (Encapsulated
- Security Payload), the usual IPsec encryption mode. Settings here are
- for<A href="glossary.html#encryption"> encryption</A> using<A href="glossary.html#3DES">
- triple DES</A> and<A href="glossary.html#authentication">
- authentication</A> using<A href="glossary.html#MD5"> MD5</A>. Note that
- encryption without authentication should not be used; it is insecure.</DD>
-<DT>espenkey</DT>
-<DD>Key for ESP encryption. Here, a 192-bit hex number for triple DES.</DD>
-<DT>espauthkey</DT>
-<DD>Key for ESP authentication. Here, a 128-bit hex number for MD5.</DD>
-</DL>
-<P><STRONG>Note</STRONG> that the<STRONG> example keys we supply</STRONG>
- are intended<STRONG> only for testing</STRONG>. For real use, you
- should go to automatic keying. If that is not possible, create your own
- keys for manual mode and keep them secret</P>
-<P>Of course, any files containing keys<STRONG> must</STRONG> have 600
- permissions and be owned by root.</P>
-<P>If you connect in this way to multiple sites, we recommend that you
- keep keys for each site in a separate file and adopt some naming
- convention that lets you pick them all up with a single &quot;include&quot; line.
- This minimizes the risk of losing several keys to one error or attack
- and of accidentally giving another site admin keys which he or she has
- no business knowing.</P>
-<P>Also note that if you have multiple manually keyed connections on a
- single machine, then the<VAR> spi</VAR> parameter must be different for
- each one. Any 3-digit hex number is OK, provided they are different for
- each connection. We reserve the range 0x100 to 0xfff for manual
- connections. Pluto assigns SPIs from 0x1000 up for automatically keyed
- connections.</P>
-<P>If<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> contains
- keys for manual mode connections, then it too must have permissions<VAR>
- rw-------</VAR>. We recommend instead that, if you must manual keying
- in production, you keep the keys in separate files.</P>
-<P>Note also that<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf</A>
- is installed with permissions<VAR> rw-r--r--</VAR>. If you plan to use
- manually keyed connections for anything more than initial testing, you<B>
- must</B>:</P>
-<UL>
-<LI>either change permissions to<VAR> rw-------</VAR></LI>
-<LI>or store keys separately in secure files and access them via include
- statements in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf</A>.</LI>
-</UL>
-<P>We recommend the latter method for all but the simplest
- configurations.</P>
-<H3><A name="ranbits">Creating keys with ranbits</A></H3>
-<P>You can create new<A href="glossary.html#random"> random</A> keys
- with the<A href="manpage.d/ipsec_ranbits.8.html"> ranbits(8)</A>
- utility. For example, the commands:</P>
-<PRE>      umask 177
-      ipsec ranbits 192  &gt; temp
-      ipsec ranbits 128 &gt;&gt; temp</PRE>
-<P>create keys in the sizes needed for our default algorithms:</P>
-<UL>
-<LI>192-bit key for<A href="glossary.html#3DES"> 3DES</A> encryption
-<BR> (only 168 bits are used; parity bits are ignored)</LI>
-<LI>128-bit key for keyed<A href="glossary.html#MD5"> MD5</A>
- authentication</LI>
-</UL>
-<P>If you want to use<A href="glossary.html#SHA"> SHA</A> instead of<A href="glossary.html#MD5">
- MD5</A>, that requires a 160-bit key</P>
-<P>Note that any<STRONG> temporary files</STRONG> used must be kept<STRONG>
- secure</STRONG> since they contain keys. That is the reason for the
- umask command above. The temporary file should be deleted as soon as
- you are done with it. You may also want to change the umask back to its
- default value after you are finished working on keys.</P>
-<P>The ranbits utility may pause for a few seconds if not enough entropy
- is available immediately. See ipsec_ranbits(8) and random(4) for
- details. You may wish to provide some activity to feed entropy into the
- system. For example, you might move the mouse around, type random
- characters, or do<VAR> du /usr &gt; /dev/null</VAR> in the background.</P>
-<H2><A name="boot">Setting up connections at boot time</A></H2>
-<P>You can tell the system to set up connections automatically at boot
- time by putting suitable stuff in /etc/ipsec.conf on both systems. The
- relevant section of the file is labelled by a line reading<VAR> config
- setup</VAR>.</P>
-<P>Details can be found in the<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> man page. We also provide a file of<A href="examples">
- example configurations</A>.</P>
-<P>The most likely options are something like:</P>
-<DL>
-<DT>interfaces=&quot;ipsec0=eth0 ipsec1=ppp0&quot;</DT>
-<DD>Tells KLIPS which interfaces to use. Up to four interfaces numbered
- ipsec[0-3] are supported. Each interface can support an arbitrary
- number of tunnels.
-<P>Note that for PPP, you give the ppp[0-9] device name here, not the
- underlying device such as modem (or eth1 if you are using PPPoE).</P>
-</DD>
-<DT>interfaces=%defaultroute</DT>
-<DD>Alternative setting, useful in simple cases. KLIPS will pick up both
- its interface and the next hop information from the settings of the
- Linux default route.</DD>
-<DT>forwardcontrol=no</DT>
-<DD>Normally &quot;no&quot;. Set to &quot;yes&quot; if the IP forwarding option is disabled
- in your network configuration. (This can be set as a kernel
- configuration option or later. e.g. on Redhat, it's in
- /etc/sysconfig/network and on SuSE you can adjust it with Yast.) Linux
- FreeS/WAN will then enable forwarding when starting up and turn it off
- when going down. This is used to ensure that no packets will be
- forwarded before IPsec comes up and takes control.</DD>
-<DT>syslog=daemon.error</DT>
-<DD>Used in messages to the system logging daemon (syslogd) to specify
- what type of software is sending the messages. If the settings are
- &quot;daemon.error&quot; as in our example, then syslogd treats the messages as
- error messages from a daemon.
-<P>Note that<A href="glossary.html#Pluto"> Pluto</A> does not currently
- pay attention to this variable. The variable controls setup messages
- only.</P>
-</DD>
-<DT>klipsdebug=</DT>
-<DD>Debug settings for<A href="glossary.html#KLIPS"> KLIPS</A>.</DD>
-<DT>plutodebug=</DT>
-<DD>Debug settings for<A href="glossary.html#Pluto"> Pluto</A>.</DD>
-<DT>... for both the above DEBUG settings</DT>
-<DD>Normally, leave empty as shown above for no debugging output.
-<BR> Use &quot;all&quot; for maximum information.
-<BR> See ipsec_klipsdebug(8) and ipsec_pluto(8) man page for other
- options. Beware that if you set /etc/ipsec.conf to enable debug output,
- your system's log files may get large quickly.</DD>
-<DT>dumpdir=/safe/directory</DT>
-<DD>Normally, programs started by ipsec setup don't crash. If they do,
- by default, no core dump will be produced because such dumps would
- contain secrets. If you find you need to debug such crashes, you can
- set dumpdir to the name of a directory in which to collect the core
- file.</DD>
-<DT>manualstart=</DT>
-<DD>List of manually keyed connections to be automatically started at
- boot time. Useful for testing, but not for long term use. Connections
- which are automatically started should also be automatically re-keyed.</DD>
-<DT>pluto=yes</DT>
-<DD>Whether to start<A href="glossary.html#Pluto"> Pluto</A> when ipsec
- startup is done.
-<BR> This parameter is optional and defaults to &quot;yes&quot; if not present.
-<P>&quot;yes&quot; is strongly recommended for production use so that the keying
- daemon (Pluto) will automatically re-key the connections regularly. The
- ipsec-auto parameters ikelifetime, ipseclifetime and reykeywindow give
- you control over frequency of rekeying.</P>
-</DD>
-<DT>plutoload=&quot;reno-van reno-adam reno-nyc&quot;</DT>
-<DD>List of tunnels (by name, e.g. fred-susan or reno-van in our
- examples) to be loaded into Pluto's internal database at startup. In
- this example, Pluto loads three tunnels into its database when it is
- started.
-<P>If plutoload is &quot;%search&quot;, Pluto will load any connections whose
- description includes &quot;auto=add&quot; or &quot;auto=start&quot;.</P>
-</DD>
-<DT>plutostart=&quot;reno-van reno-adam reno-nyc&quot;</DT>
-<DD>List of tunnels to attempt to negotiate when Pluto is started.
-<P>If plutostart is &quot;%search&quot;, Pluto will start any connections whose
- description includes &quot;auto=start&quot;.</P>
-<P>Note that, for a connection intended to be permanent,<STRONG> both
- gateways should be set try to start</STRONG> the tunnel. This allows
- quick recovery if either gateway is rebooted or has its IPsec
- restarted. If only one gateway is set to start the tunnel and the other
- gateway restarts, the tunnel may not be rebuilt.</P>
-</DD>
-<DT>plutowait=no</DT>
-<DD>Controls whether Pluto waits for one tunnel to be established before
- starting to negotiate the next. You might set this to &quot;yes&quot;
-<UL>
-<LI>if your gateway is a very limited machine and you need to conserve
- resources.</LI>
-<LI>for debugging; the logs are clearer if only one connection is
- brought up at a time</LI>
-</UL>
- For a busy and resource-laden production gateway, you likely want &quot;no&quot;
- so that connections are brought up in parallel and the whole process
- takes less time.</DD>
-</DL>
-<P>The example assumes you are at the Reno office and will use IPsec to
- Vancouver, New York City and Amsterdam.</P>
-<H2><A name="multitunnel">Multiple tunnels between the same two gateways</A>
-</H2>
-<P>Consider a pair of subnets, each with a security gateway, connected
- via the Internet:</P>
-<PRE>         192.168.100.0/24           left subnet
-              |
-         192.168.100.1
-         North Gateway
-         101.101.101.101            left
-              |
-         101.101.101.1              left next hop
-         [Internet]
-         202.202.202.1              right next hop
-              |
-         202.202.202.202            right
-         South gateway
-         192.168.200.1
-              |
-         192.168.200.0/24           right subnet</PRE>
-<P>A tunnel specification such as:</P>
-<PRE>conn northnet-southnet
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      leftsubnet=192.168.100.0/24
-      leftfirewall=yes
-      right=202.202.202.202
-      rightnexthop=202.202.202.1
-      rightsubnet=192.168.200.0/24
-      rightfirewall=yes</PRE>
- will allow machines on the two subnets to talk to each other. You might
- test this by pinging from polarbear (192.168.100.7) to penguin
- (192.168.200.5).
-<P>However,<STRONG> this does not cover other traffic you might want to
- secure</STRONG>. To handle all the possibilities, you might also want
- these connection descriptions:</P>
-<PRE>conn northgate-southnet
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      right=202.202.202.202
-      rightnexthop=202.202.202.1
-      rightsubnet=192.168.200.0/24
-      rightfirewall=yes
-
-conn northnet-southgate
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      leftsubnet=192.168.100.0/24
-      leftfirewall=yes
-      right=202.202.202.202
-      rightnexthop=202.202.202.1</PRE>
-<P>Without these, neither gateway can do IPsec to the remote subnet.
- There is no IPsec tunnel or eroute set up for the traffic.</P>
-<P>In our example, with the non-routable 192.168.* addresses used,
- packets would simply be discarded. In a different configuration, with
- routable addresses for the remote subnet,<STRONG> they would be sent
- unencrypted</STRONG> since there would be no IPsec eroute and there
- would be a normal IP route.</P>
-<P>You might also want:</P>
-<PRE>conn northgate-southgate
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      right=202.202.202.202
-      rightnexthop=202.202.202.1</PRE>
-<P>This is required if you want the two gateways to speak IPsec to each
- other.</P>
-<P>This requires a lot of duplication of details. Judicious use of<VAR>
- also=</VAR> and<VAR> include</VAR> can reduce this problem.</P>
-<P>Note that, while FreeS/WAN supports all four tunnel types, not all
- implementations do. In particular, some versions of Windows 2000 and
- the freely downloadable version of PGP provide only &quot;client&quot;
- functionality. You cannot use them as gateways with a subnet behind
- them. To get that functionality, you must upgrade to Windows 2000
- server or the commercially available PGP products.</P>
-<H3><A name="advroute">One tunnel plus advanced routing</A></H3>
- It is also possible to use the new routing features in 2.2 and later
- kernels to avoid most needs for multple tunnels. Here is one mailing
- list message on the topic:
-<PRE>Subject: Re: linux-ipsec: IPSec packets not entering tunnel?
-   Date: Mon, 20 Nov 2000
-   From: Justin Guyett &lt;jfg@sonicity.com&gt;
-
-On Mon, 20 Nov 2000, Claudia Schmeing wrote:
-
-&gt; Right                                                         Left
-&gt;                      &quot;home&quot;                &quot;office&quot;
-&gt; 10.92.10.0/24 ---- 24.93.85.110 ========= 216.175.164.91 ---- 10.91.10.24/24
-&gt;
-&gt; I've created all four tunnels, and can ping to test each of them,
-&gt; *except* homegate-officenet.
-
-I keep wondering why people create all four tunnels.  Why not route
-traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
-And 99% of the time you don't need to access &quot;office&quot; directly, which
-means you can eliminate all but the subnet&lt;-&gt;subnet connection.</PRE>
- and FreeS/WAN technical lead Henry Spencer's comment:
-<PRE>&gt; I keep wondering why people create all four tunnels.  Why not route
-&gt; traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
-
-This is feasible, given some iproute2 attention to source addresses, but
-it isn't something we've documented yet... (partly because we're still
-making some attempt to support 2.0.xx kernels, which can't do this, but
-mostly because we haven't caught up with it yet).
-
-&gt; And 99% of the time you don't need to access &quot;office&quot; directly, which
-&gt; means you can eliminate all but the subnet&lt;-&gt;subnet connection.
-
-Correct in principle, but people will keep trying to ping to or from the
-gateways during testing, and sometimes they want to run services on the
-gateway machines too.</PRE>
-
-<!-- Is this in the right spot in this document? -->
-<H2><A name="opp.gate">An Opportunistic Gateway</A></H2>
-<H3><A NAME="14_7_1">Start from full opportunism</A></H3>
-<P>Full opportunism allows you to initiate and receive opportunistic
- connections on your machine. The remaining instructions in this section
- assume you have first set up full opportunism on your gateway using<A HREF="quickstart.html#opp.incoming">
- these instructions</A>. Both sets of instructions require mailing DNS
- records to your ISP. Collect DNS records for both the gateway (above)
- and the subnet nodes (below) before contacting your ISP.</P>
-<H3><A NAME="14_7_2">Reverse DNS TXT records for each protected machine</A>
-</H3>
-<P>You need these so that your Opportunistic peers can:</P>
-<UL>
-<LI>discover the gateway's address, knowing only the IP address that
- packets are bound for</LI>
-<LI>verify that the gateway is authorised to encrypt for that endpoint</LI>
-</UL>
-<P>On the gateway, generate a TXT record with:</P>
-<PRE>    ipsec showhostkey --txt 192.0.2.11</PRE>
-<P>Use your gateway address in place of 192.0.2.11.</P>
-<P>You should see (keys are trimmed for clarity throughout our example):</P>
-<PRE>    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-<P><B>This MUST BE the same key as in your gateway's TXT record, or
- nothing will work.</B></P>
-<P>In a text file, make one copy of this TXT record for each subnet
- node:</P>
-<PRE>    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-<P>Above each entry, insert a line like this:</P>
-<PRE>    98.2.0.192.in-addr.arpa. IN PTR arthur.example.com.</PRE>
-<P>It must include:</P>
-<UL>
-<LI>The subnet node's address in reverse map format. For example,
- 192.0.2.120 becomes<VAR> 120.2.0.192.in-addr.arpa.</VAR>. Note the
- final period.</LI>
-<LI><VAR>IN PTR</VAR></LI>
-<LI>The node's name, ie.<VAR> arthur.example.com.</VAR>. Note the final
- period.</LI>
-</UL>
-<P>The result will be a file of TXT records, like this:</P>
-<PRE>    98.2.0.192.in-addr.arpa. IN PTR arthur.example.com.
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    99.2.0.192.in-addr.arpa. IN PTR ford.example.com.
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    100.2.0.192.in-addr.arpa. IN PTR trillian.example.com.
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-<H3><A NAME="14_7_3">Publish your records</A></H3>
-<P>Ask your ISP to publish all the reverse DNS records you have
- collected. There may be a delay of up to 48 hours as the records
- propagate.</P>
-<H3><A NAME="14_7_4">...and test them</A></H3>
-<P>Check a couple of records with commands like this one:</P>
-<PRE>    ipsec verify --host ford.example.com
-    ipsec verify --host trillian.example.com</PRE>
-<P>The<VAR> verify</VAR> command checks for TXT records for both the
- subnet host and its gateway. You should see output like:</P>
-<PRE>    ...
-    Looking for TXT in reverse map: 99.2.0.192.in-addr.arpa [OK]
-    ...
-    Looking for TXT in reverse map: 11.2.0.192.in-addr.arpa   [OK]
-    ...
-    Looking for TXT in reverse map: 100.2.0.192.in-addr.arpa [OK]
-    ...
-    Looking for TXT in reverse map: 11.2.0.192.in-addr.arpa   [OK]
-    ...</PRE>
-<H3><A NAME="14_7_5">No Configuration Needed</A></H3>
-<P>FreeS/WAN 2.x ships with a built-in, automatically enabled OE
- connection<VAR> conn packetdefault</VAR> which applies OE, if possible,
- to all outbound traffic routed through the FreeS/WAN box. The<A HREF="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5) manual</A> describes this connection in detail. While the
- effect is much the same as<VAR> private-or-clear</VAR>, the
- implementation is different: notably, it does not use policy groups.</P>
-<P>You can create more complex OE configurations for traffic forwarded
- through a FreeS/WAN box, as explained in our<A HREF="policygroups.html#policygroups">
- policy groups document</A>, or disable OE using<A HREF="policygroups.html#disable_policygroups">
- these instructions</A>.</P>
-<H2><A name="extruded.config">Extruded Subnets</A></H2>
-<P>What we call<A href="glossary.html#extruded"> extruded subnets</A>
- are a special case of<A href="glossary.html#VPN.gloss"> VPNs</A>.</P>
-<P>If your buddy has some unused IP addresses, in his subnet far off at
- the other side of the Internet, he can loan them to you... provided
- that the connection between you and him is fast enough to carry all the
- traffic between your machines and the rest of the Internet. In effect,
- he &quot;extrudes&quot; a part of his address space over the network to you, with
- your Internet traffic appearing to originate from behind his Internet
- gateway.</P>
-<P>As far as the Internet is concerned, your new extruded net is behind
- your buddy's gateway. You route all your packets for the Internet at
- large out his gateway, and receive return packets the same way. You
- route your local packets locally.</P>
-<P>Suppose your friend has a.b.c.0/24 and wants to give you
- a.b.c.240/28. The initial situation is:</P>
-<PRE>    subnet           gateway          Internet
-  a.b.c.0/24    a.b.c.1    p.q.r.s</PRE>
- where anything from the Internet destined for any machine in a.b.c.0/24
- is routed via p.q.r.s and that gateway knows what to do from there.
-<P>Of course it is quite normal for various smaller subnets to exist
- behind your friend's gateway. For example, your friend's company might
- have a.b.c.16/28=development, a.b.c.32/28=marketing and so on. The
- Internet neither knows not cares about this; it just delivers packets
- to the p.q.r.s and lets the gateway do whatever needs to be done from
- there.</P>
-<P>What we want to do is take a subnet, perhaps a.b.c.240/28, out of
- your friend's physical location<EM> while still having your friend's
- gateway route to it</EM>. As far as the Internet is concerned, you
- remain behind that gateway.</P>
-<PRE>    subnet           gateway          Internet       your gate  extruded
-
-  a.b.c.0/24   a.b.c.1     p.q.r.s              d.e.f.g         a.b.c.240/28                
-
-                           ========== tunnel ==========</PRE>
-<P>The extruded addresses have to be a complete subnet.</P>
-<P>In our example, the friend's security gateway is also his Internet
- gateway, but this is not necessary. As long as all traffic from the
- Internet to his addresses passes through the Internet gate, the
- security gate could be a machine behind that. The IG would need to
- route all traffic for the extruded subnet to the SG, and the SG could
- handle the rest.</P>
-<P>First, configure your subnet using the extruded addresses. Your
- security gateway's interface to your subnet needs to have an extruded
- address (possibly using a Linux<A href="glossary.html#virtual"> virtual
- interface</A>, if it also has to have a different address). Your
- gateway needs to have a route to the extruded subnet, pointing to that
- interface. The other machines at your site need to have addresses in
- that subnet, and default routes pointing to your gateway.</P>
-<P>If any of your friend's machines need to talk to the extruded subnet,<EM>
- they</EM> need to have a route for the extruded subnet, pointing at his
- gateway.</P>
-<P>Then set up an IPsec subnet-to-subnet tunnel between your gateway and
- his, with your subnet specified as the extruded subnet, and his subnet
- specified as &quot;0.0.0.0/0&quot;.</P>
-<P>The tunnel description should be:</P>
-<PRE>conn extruded
-        left=p.q.r.s
-        leftsubnet=0.0.0.0/0
-        right=d.e.f.g
-        rightsubnet=a.b.c.0/28</PRE>
-<P>If either side was doing firewalling for the extruded subnet before
- the IPsec connection is set up, you'll need to poke holes in your<A HREF="firewall.html#firewall">
- firewall</A> to allow packets through.</P>
-<P>And it all just works. Your SG routes traffic for 0.0.0.0/0 -- that
- is, the whole Internet -- through the tunnel to his SG, which then
- sends it onward as if it came from his subnet. When traffic for the
- extruded subnet arrives at his SG, it gets sent through the tunnel to
- your SG, which passes it to the right machine.</P>
-<P>Remember that when ipsec_manual or ipsec_auto takes a connection
- down, it<EM> does not undo the route</EM> it made for that connection.
- This lets you take a connection down and bring up a new one, or a
- modified version of the old one, without having to rebuild the route it
- uses and without any risk of packets which should use IPsec
- accidentally going out in the clear. Because the route always points
- into KLIPS, the packets will always go there. Because KLIPS temporarily
- has no idea what to do with them (no eroute for them), they will be
- discarded.</P>
-<P>If you<EM> do</EM> want to take the route down, this is what the
- &quot;unroute&quot; operation in manual and auto is for. Just do an unroute after
- doing the down.</P>
-<P>Note that the route for a connection may have replaced an existing
- non-IPsec route. Nothing in Linux FreeS/WAN will put that pre-IPsec
- route back. If you need it back, you have to create it with the route
- command.</P>
-<H2><A name="roadvirt">Road Warrior with virtual IP address</A></H2>
-<P>Please note that<A HREF="http://www.freeswan.ca/download.php"> Super
- FreeS/WAN</A> now features DHCP-over-IPsec, which is an alternate
- procedure for Virtual IP address assignment.</P>
-<P></P>
-<P>Here is a mailing list message about another way to configure for
- road warrior support:</P>
-<PRE>Subject: Re: linux-ipsec: understanding the vpn
-   Date: Thu, 28 Oct 1999 10:43:22 -0400
-   From: Irving Reid &lt;irving@nevex.com&gt;
-
-&gt;  local-------linux------internet------mobile
-&gt;  LAN        box                         user
-&gt;  ...
-
-&gt;  now when the mobile user connects to the linux box
-&gt;  it is given a virtual IP address, i have configured it to
-&gt;  be in the 10.x.x.x range. mobile user and linux box 
-&gt;  have a tunnel between them with these IP addresses.
-
-&gt;   Uptil this all is fine.
-
-If it is possible to configure your mobile client software *not* to
-use a virtual IP address, that will make your life easier. It is easier
-to configure FreeS/WAN to use the actual address the mobile user gets
-from its ISP.
-
-Unfortunately, some Windows clients don't let you choose.
-
-&gt;  what i would like to know is that how does the mobile
-&gt;  user communicate with other computers on the local
-&gt;  LAN , of course with the vpn ?
-
-&gt;   what IP address should the local LAN 
-&gt;  computers have ? I guess their default gateway 
-&gt;  should be the linux box ? and does the linux box need
-&gt;  to be a 2 NIC card box or one is fine.
-
-As someone else stated, yes, the Linux box would usually be the default
-IP gateway for the local lan.
-
-However...
-
-If you mobile user has software that *must* use a virtual IP address,
-the whole picture changes. Nobody has put much effort into getting
-FreeS/WAN to play well in this environment, but here's a sketch of one
-approach:
-
-Local Lan 1.0.0.0/24
-    |
-    +- Linux FreeS/WAN 1.0.0.2
-    |
-    | 1.0.0.1
- Router
-    | 2.0.0.1
-    |
-Internet
-    |
-    | 3.0.0.1
-Mobile User
-      Virtual Address: 1.0.0.3
-
-Note that the Local Lan network (1.0.0.x) can be registered, routable
-addresses.
-
-Now, the Mobile User sets up an IPSec security association with the
-Linux box (1.0.0.2); it should ESP encapsulate all traffic to the
-network 1.0.0.x **EXCEPT** UDP port 500. 500/udp is required for the key
-negotiation, which needs to work outside of the IPSec tunnel.
-
-On the Linux side, there's a bunch of stuff you need to do by hand (for
-now). FreeS/WAN should correctly handle setting up the IPSec SA and
-routes, but I haven't tested it so this may not work...
-
-The FreeS/WAN conn should look like:
-
-conn mobile
-        right=1.0.0.2
-        rightsubnet=1.0.0.0/24
-        rightnexthop=1.0.0.1
-        left=0.0.0.0  # The infamous &quot;road warrior&quot;
-        leftsubnet=1.0.0.3/32
-
-Note that the left subnet contains *only* the remote host's virtual
-address.
-
-Hopefully the routing table on the FreeS/WAN box ends up looking like
-this:
-
-% netstat -rn
-Kernel IP routing table
-Destination     Gateway      Genmask         Flags   MSS Window  irtt Iface
-1.0.0.0         0.0.0.0      255.255.255.0   U      1500 0          0 eth0
-127.0.0.0       0.0.0.0      255.0.0.0       U      3584 0          0 lo
-0.0.0.0         1.0.0.1      0.0.0.0         UG     1500 0          0 eth0
-1.0.0.3         1.0.0.1      255.255.255.255 UG     1433 0          0 ipsec0
-
-So, if anybody sends a packet for 1.0.0.3 to the Linux box, it should
-get bundled up and sent through the tunnel. To get the packets for
-1.0.0.3 to the Linux box in the first place, you need to use &quot;proxy
-ARP&quot;.
-
-How this works is: when a host or router on the local Ethernet segment
-wants to send a packet to 1.0.0.3, it sends out an Ethernet level
-broadcast &quot;ARP request&quot;. If 1.0.0.3 was on the local LAN, it would
-reply, saying &quot;send IP packets for 1.0.0.3 to my Ethernet address&quot;.
-
-Instead, you need to set up the Linux box so that _it_ answers ARP
-requests for 1.0.0.3, even though that isn't its IP address. That
-convinces everyone else on the lan to send 1.0.0.3 packets to the Linux
-box, where the usual FreeS/WAN processing and routing take over.
-
-% arp -i eth0 -s 1.0.0.3 -D eth0 pub
-
-This says, if you see an ARP request on interface eth0 asking for
-1.0.0.3, respond with the Ethernet address of interface eth0.
-
-Now, as I said at the very beginning, if it is *at all* possible to
-configure your client *not* to use the virtual IP address, you can avoid
-this whole mess.</PRE>
-<H2><A name="dynamic">Dynamic Network Interfaces</A></H2>
-<P>Sometimes you have to cope with a situation where the network
- interface(s) aren't all there at boot. The common example is notebooks
- with PCMCIA.</P>
-<H3><A name="basicdyn">Basics</A></H3>
-<P>The key issue here is that the<VAR> config setup</VAR> section of the<VAR>
- /etc/ipsec.conf</VAR> configuration file lists the connection between
- ipsecN and hardware interfaces, in the<VAR> interfaces=</VAR> variable.
- At any time when<VAR> ipsec setup start</VAR> or<VAR> ipsec setup
- restart</VAR> is run this variable<STRONG> must</STRONG> correspond to
- the current real situation. More precisely, it<STRONG> must not</STRONG>
- mention any hardware interfaces which don't currently exist. The
- difficulty is that an<VAR> ipsec setup start</VAR> command is normally
- run at boot time so interfaces that are not up then are mis-handled.</P>
-<H3><A name="bootdyn">Boot Time</A></H3>
-<P>Normally, an<VAR> ipsec setup start</VAR> is run at boot time.
- However, if the hardware situation at boot time is uncertain, one of
- two things must be done.</P>
-<UL>
-<LI>One possibility is simply not to have IPsec brought up at boot time.
- To do this:
-<PRE>        chkconfig --level 2345 ipsec off</PRE>
- That's for modern Red Hats or other Linuxes with chkconfig. Systems
- which lack this will require fiddling with symlinks in /etc/rc.d/rc?.d
- or the equivalent.</LI>
-<LI>Another possibility is to bring IPsec up with no interfaces, which
- is less aesthetically satisfying but simpler. Just put
-<PRE>        interfaces=</PRE>
- in the configuration file. KLIPS and Pluto will be started, but won't
- do anything.</LI>
-</UL>
-<H3><A name="changedyn">Change Time</A></H3>
-<P>When the hardware *is* in place, IPsec has to be made aware of it.
- Someday there may be a nice way to do this.</P>
-<P>Right now, the way to do it is to fix the<VAR> /etc/ipsec.conf</VAR>
- file appropriately, so<VAR> interfaces</VAR> reflects the new
- situation, and then restart the IPsec subsystem. This does break any
- existing IPsec connections.</P>
-<P>If IPsec wasn't brought up at boot time, do</P>
-<PRE>        ipsec setup start</PRE>
- while if it was, do
-<PRE>        ipsec setup restart</PRE>
- which won't be as quick.
-<P>If some of the hardware is to be taken out, before doing that, amend
- the configuration file so interfaces no longer includes it, and do</P>
-<PRE>        ipsec setup restart</PRE>
-<P>Again, this breaks any existing connections.</P>
-<H2><A name="unencrypted">Unencrypted tunnels</A></H2>
-<P>Sometimes you might want to create a tunnel without encryption. Often
- this is a bad idea, even if you have some data which need not be
- private. See this<A href="ipsec.html#traffic.resist"> discussion</A>.</P>
-<P>The IPsec protocols provide two ways to do build such tunnels:</P>
-<DL>
-<DT>using ESP with null encryption</DT>
-<DD>not supported by FreeS/WAN</DD>
-<DT>using<A href="glossary.html#AH"> AH</A> without<A href="glossary.html#ESP">
- ESP</A></DT>
-<DD>supported for manually keyed connections</DD>
-<DD>possible with explicit commands via<A href="manpage.d/ipsec_whack.8.html">
- ipsec_whack(8)</A> (see this<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00190.html">
- list message</A>)</DD>
-<DD>not supported in the<A href="manpage.d/ipsec_auto.8.html">
- ipsec_auto(8)</A> scripts.</DD>
-</DL>
- One situation in which this comes up is when otherwise some data would
- be encrypted twice. Alice wants a secure tunnel from her machine to
- Bob's. Since she's behind one security gateway and he's behind another,
- part of the tunnel that they build passes through the tunnel that their
- site admins have built between the gateways. All of Alice and Bob's
- messages are encrypted twice.
-<P>There are several ways to handle this.</P>
-<UL>
-<LI>Just accept the overhead of double encryption. The site admins might
- choose this if any of the following apply:
-<UL>
-<LI>policy says encrypt everything (usually, it should)</LI>
-<LI>they don't entirely trust Alice and Bob (usually, if they don't have
- to, they shouldn't)</LI>
-<LI>if they don't feel the saved cycles are worth the time they'd need
- to build a non-encrypted tunnel for Alice and Bob's packets (often,
- they aren't)</LI>
-</UL>
-</LI>
-<LI>Use a plain IP-in-IP tunnel. These are not well documented. A good
- starting point is in the Linux kernel source tree, in
- /usr/src/linux/drivers/net/README.tunnel.</LI>
-<LI>Use a manually-keyed AH-only tunnel.</LI>
-</UL>
-<P>Note that if Alice and Bob want end-to-end security, they must build
- a tunnel end-to-end between their machines or use some other end-to-end
- tool such as PGP or SSL that suits their data. The only question is
- whether the admins build some special unencrypted tunnel for those
- already-encrypted packets.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="kernel.html">Previous</A>
-<A HREF="install.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/background.html b/doc/background.html
deleted file mode 100644
index 8f24cad4a..000000000
--- a/doc/background.html
+++ /dev/null
@@ -1,323 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="config.html">Previous</A>
-<A HREF="user_examples.html">Next</A>
-<HR>
-<H1><A name="background">Linux FreeS/WAN background</A></H1>
-<P>This section discusses a number of issues which have three things in
- common:</P>
-<UL>
-<LI>They are not specifically FreeS/WAN problems</LI>
-<LI>You may have to understand them to get FreeS/WAN working right</LI>
-<LI>They are not simple questions</LI>
-</UL>
-<P>Grouping them here lets us provide the explanations some users will
- need without unduly complicating the main text.</P>
-<P>The explanations here are intended to be adequate for FreeS/WAN
- purposes (please comment to the<A href="mail.html"> users mailing list</A>
- if you don't find them so), but they are not trying to be complete or
- definitive. If you need more information, see the references provided
- in each section.</P>
-<H2><A name="dns.background">Some DNS background</A></H2>
-<P><A href="glossary.html#carpediem">Opportunistic encryption</A>
- requires that the gateway systems be able to fetch public keys, and
- other IPsec-related information, from each other's DNS (Domain Name
- Service) records.</P>
-<P><A href="glossary.html#DNS">DNS</A> is a distributed database that
- maps names to IP addresses and vice versa.</P>
-<P>Much good reference material is available for DNS, including:</P>
-<UL>
-<LI>the<A href="http://www.linuxdoc.org/HOWTO/DNS-HOWTO.html"> DNS HowTo</A>
-</LI>
-<LI>the standard<A href="biblio.html#DNS.book"> DNS reference</A> book</LI>
-<LI><A href="http://www.linuxdoc.org/LDP/nag2/index.html">Linux Network
- Administrator's Guide</A></LI>
-<LI><A href="http://www.nominum.com/resources/whitepapers/bind-white-paper.html">
-BIND overview</A></LI>
-<LI><A href="http://www.nominum.com/resources/documentation/Bv9ARM.pdf">
-BIND 9 Administrator's Reference</A></LI>
-</UL>
-<P>We give only a brief overview here, intended to help you use DNS for
- FreeS/WAN purposes.</P>
-<H3><A name="forward.reverse">Forward and reverse maps</A></H3>
-<P>Although the implementation is distributed, it is often useful to
- speak of DNS as if it were just two enormous tables:</P>
-<UL>
-<LI>the forward map: look up a name, get an IP address</LI>
-<LI>the reverse map: look up an IP address, get a name</LI>
-</UL>
-<P>Both maps can optionally contain additional data. For opportunistic
- encryption, we insert the data need for IPsec authentication.</P>
-<P>A system named gateway.example.com with IP address 10.20.30.40 should
- have at least two DNS records, one in each map:</P>
-<DL>
-<DT>gateway.example.com. IN A 10.20.30.40</DT>
-<DD>used to look up the name and get an IP address</DD>
-<DT>40.30.20.10.in-addr.arpa. IN PTR gateway.example.com.</DT>
-<DD>used for reverse lookups, looking up an address to get the
- associated name. Notice that the digits here are in reverse order; the
- actual address is 10.20.30.40 but we use 40.30.20.10 here.</DD>
-</DL>
-<H3><A NAME="17_1_2">Hierarchy and delegation</A></H3>
-<P>For both maps there is a hierarchy of DNS servers and a system of
- delegating authority so that, for example:</P>
-<UL>
-<LI>the DNS administrator for example.com can create entries of the form<VAR>
- name</VAR>.example.com</LI>
-<LI>the example.com admin cannot create an entry for counterexample.com;
- only someone with authority for .com can do that</LI>
-<LI>an admin might have authority for 20.10.in-addr.arpa.</LI>
-<LI>in either map, authority can be delegated
-<UL>
-<LI>the example.com admin could give you authority for
- westcoast.example.com</LI>
-<LI>the 20.10.in-addr.arpa admin could give you authority for
- 30.20.10.in-addr.arpa</LI>
-</UL>
-</LI>
-</UL>
-<P>DNS zones are the units of delegation. There is a hierarchy of zones.</P>
-<H3><A NAME="17_1_3">Syntax of DNS records</A></H3>
-<P>Returning to the example records:</P>
-<PRE>        gateway.example.com. IN A 10.20.30.40
-        40.30.20.10.in-addr.arpa. IN PTR gateway.example.com.</PRE>
-<P>some syntactic details are:</P>
-<UL>
-<LI>the IN indicates that these records are for<STRONG> In</STRONG>
-ternet addresses</LI>
-<LI>The final periods in '.com.' and '.arpa.' are required. They
- indicate the root of the domain name system.</LI>
-</UL>
-<P>The capitalised strings after IN indicate the type of record.
- Possible types include:</P>
-<UL>
-<LI><STRONG>A</STRONG>ddress, for forward lookups</LI>
-<LI><STRONG>P</STRONG>oin<STRONG>T</STRONG>e<STRONG>R</STRONG>, for
- reverse lookups</LI>
-<LI><STRONG>C</STRONG>anonical<STRONG> NAME</STRONG>, records to support
- aliasing, multiple names for one address</LI>
-<LI><STRONG>M</STRONG>ail e<STRONG>X</STRONG>change, used in mail
- routing</LI>
-<LI><STRONG>SIG</STRONG>nature, used in<A href="glossary.html#SDNS">
- secure DNS</A></LI>
-<LI><STRONG>KEY</STRONG>, used in<A href="glossary.html#SDNS"> secure
- DNS</A></LI>
-<LI><STRONG>T</STRONG>e<STRONG>XT</STRONG>, a multi-purpose record type</LI>
-</UL>
-<P>To set up for opportunistic encryption, you add some TXT records to
- your DNS data. Details are in our<A href="quickstart.html"> quickstart</A>
- document.</P>
-<H3><A NAME="17_1_4">Cacheing, TTL and propagation delay</A></H3>
-<P>DNS information is extensively cached. With no caching, a lookup by
- your system of &quot;www.freeswan.org&quot; might involve:</P>
-<UL>
-<LI>your system asks your nameserver for &quot;www.freeswan.org&quot;</LI>
-<LI>local nameserver asks root server about &quot;.org&quot;, gets reply</LI>
-<LI>local nameserver asks .org nameserver about &quot;freeswan.org&quot;, gets
- reply</LI>
-<LI>local nameserver asks freeswan.org nameserver about
- &quot;www.freeswan.org&quot;, gets reply</LI>
-</UL>
-<P>However, this can be a bit inefficient. For example, if you are in
- the Phillipines, the closest a root server is in Japan. That might send
- you to a .org server in the US, and then to freeswan.org in Holland. If
- everyone did all those lookups every time they clicked on a web link,
- the net would grind to a halt.</P>
-<P>Nameservers therefore cache information they look up. When you click
- on another link at www.freeswan.org, your local nameserver has the IP
- address for that server in its cache, and no further lookups are
- required.</P>
-<P>Intermediate results are also cached. If you next go to
- lists.freeswan.org, your nameserver can just ask the freeswan.org
- nameserver for that address; it does not need to query the root or .org
- nameservers because it has a cached address for the freeswan.org zone
- server.</P>
-<P>Of course, like any cacheing mechanism, this can create problems of
- consistency. What if the administrator for freeswan.org changes the IP
- address, or the authentication key, for www.freeswan.org? If you use
- old information from the cache, you may get it wrong. On the other
- hand, you cannot afford to look up fresh information every time. Nor
- can you expect the freeswan.org server to notify you; that isn't in the
- protocols.</P>
-<P>The solution that is in the protocols is fairly simple. Cacheable
- records are marked with Time To Live (TTL) information. When the time
- expires, the caching server discards the record. The next time someone
- asks for it, the server fetches a fresh copy. Of course, a server may
- also discard records before their TTL expires if it is running out of
- cache space.</P>
-<P>This implies that there will be some delay before the new version of
- a changed record propagates around the net. Until the TTLs on all
- copies of the old record expire, some users will see it because that is
- what is in their cache. Other users may see the new record immediately
- because they don't have an old one cached.</P>
-<H2><A name="MTU.trouble">Problems with packet fragmentation</A></H2>
-<P>It seems, from mailing list reports, to be moderately common for
- problems to crop up in which small packets pass through the IPsec
- tunnels just fine but larger packets fail.</P>
-<P>These problems are caused by various devices along the way
- mis-handling either packet fragments or<A href="glossary.html#pathMTU">
- path MTU discovery</A>.</P>
-<P>IPsec makes packets larger by adding an ESP or AH header. This can
- tickle assorted bugs in fragment handling in routers and firewalls, or
- in path MTU discovery mechanisms, and cause a variety of symptoms which
- are both annoying and, often, quite hard to diagnose.</P>
-<P>An explanation from project technical lead Henry Spencer:</P>
-<PRE>The problem is IP fragmentation; more precisely, the problem is that the
-second, third, etc. fragments of an IP packet are often difficult for
-filtering mechanisms to classify.
-
-Routers cannot rely on reassembling the packet, or remembering what was in
-earlier fragments, because the fragments may be out of order or may even
-follow different routes.  So any general, worst-case filtering decision
-pretty much has to be made on each fragment independently.  (If the router
-knows that it is the only route to the destination, so all fragments
-*must* pass through it, reassembly would be possible... but most routers
-don't want to bother with the complications of that.)
-
-All fragments carry roughly the original IP header, but any higher-level
-header is (for IP purposes) just the first part of the packet data... so
-only the first fragment carries that.  So, for example, on examining the
-second fragment of a TCP packet, you could tell that it's TCP, but not
-what port number it is destined for -- that information is in the TCP
-header, which appears in the first fragment only. 
-
-The result of this classification difficulty is that stupid routers and
-over-paranoid firewalls may just throw fragments away.  To get through
-them, you must reduce your MTU enough that fragmentation will not occur.
-(In some cases, they might be willing to attempt reassembly, but have very
-limited resources to devote to it, meaning that packets must be small and
-fragments few in number, leading to the same conclusion:  smaller MTU.)</PRE>
-<P>In addition to the problem Henry describes, you may also have trouble
- with<A href="glossary.html#pathMTU"> path MTU discovery</A>.</P>
-<P>By default, FreeS/WAN uses a large<A href="glossary.html#MTU"> MTU</A>
- for the ipsec device. This avoids some problems, but may complicate
- others. Here's an explanation from Claudia:</P>
-<PRE>Here are a couple of pieces of background information. Apologies if you
-have seen these already. An excerpt from one of my old posts:
-
-    An MTU of 16260 on ipsec0 is usual. The IPSec device defaults to this 
-    high MTU so that it does not fragment incoming packets before encryption 
-    and encapsulation. If after IPSec processing packets are larger than 1500,
-    [ie. the mtu of eth0] then eth0 will fragment them. 
-
-    Adding IPSec headers adds a certain number of bytes to each packet. 
-    The MTU of the IPSec interface refers to the maximum size of the packet
-    before the IPSec headers are added. In some cases, people find it helpful 
-    to set ipsec0's MTU to 1500-(IPSec header size), which IIRC is about 1430.
-
-    That way, the resulting encapsulated packets don't exceed 1500. On most 
-    networks, packets less than 1500 will not need to be fragmented.
-
-and... (from Henry Spencer)
-
-    The way it *ought* to work is that the MTU advertised by the ipsecN
-    interface should be that of the underlying hardware interface, less a
-    pinch for the extra headers needed. 
-
-    Unfortunately, in certain situations this breaks many applications.
-    There is a widespread implicit assumption that the smallest MTUs are 
-    at the ends of paths, not in the middle, and another that MTUs are 
-    never less than 1500.  A lot of code is unprepared to handle paths 
-    where there is an &quot;interior minimum&quot; in the MTU, especially when it's 
-    less than 1500. So we advertise a big MTU and just let the resulting 
-    big packets fragment.
-
-This usually works, but we do get bitten in cases where some intermediate
-point can't handle all that fragmentation.  We can't win on this one.</PRE>
-<P>The MTU can be changed with an<VAR> overridemtu=</VAR> statement in
- the<VAR> config setup</VAR> section of<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf.5</A>.</P>
-<P>For a discussion of MTU issues and some possible solutions using
- Linux advanced routing facilities, see the<A href="http://www.linuxguruz.org/iptables/howto/2.4routing-15.html#ss15.6">
- Linux 2.4 Advanced Routing HOWTO</A>. For a discussion of MTU and NAT
- (Network Address Translation), see<A HREF="http://harlech.math.ucla.edu/services/ipsec.html">
- James Carter's MTU notes</A>.</P>
-<H2><A name="nat.background">Network address translation (NAT)</A></H2>
-<P><STRONG>N</STRONG>etwork<STRONG> A</STRONG>ddress<STRONG> T</STRONG>
-ranslation is a service provided by some gateway machines. Calling it
- NAPT (adding the word<STRONG> P</STRONG>ort) would be more precise, but
- we will follow the widespread usage.</P>
-<P>A gateway doing NAT rewrites the headers of packets it is forwarding,
- changing one or more of:</P>
-<UL>
-<LI>source address</LI>
-<LI>source port</LI>
-<LI>destination address</LI>
-<LI>destination port</LI>
-</UL>
-<P>On Linux 2.4, NAT services are provided by the<A href="http://netfilter.samba.org">
- netfilter(8)</A> firewall code. There are several<A href="http://netfilter.samba.org/documentation/index.html#HOWTO">
- Netfilter HowTos</A> including one on NAT.</P>
-<P>For older versions of Linux, this was referred to as &quot;IP masquerade&quot;
- and different tools were used. See this<A href="http://www.e-infomax.com/ipmasq/">
- resource page</A>.</P>
-<P>Putting an IPsec gateway behind a NAT gateway is not recommended. See
- our<A href="firewall.html#NAT"> firewalls document</A>.</P>
-<H3><A NAME="17_3_1">NAT to non-routable addresses</A></H3>
-<P>The most common application of NAT uses private<A href="glossary.html#non-routable">
- non-routable</A> addresses.</P>
-<P>Often a home or small office network will have:</P>
-<UL>
-<LI>one connection to the Internet</LI>
-<LI>one assigned publicly visible IP address</LI>
-<LI>several machines that all need access to the net</LI>
-</UL>
-<P>Of course this poses a problem since several machines cannot use one
- address. The best solution might be to obtain more addresses, but often
- this is impractical or uneconomical.</P>
-<P>A common solution is to have:</P>
-<UL>
-<LI><A href="glossary.html#non-routable">non-routable</A> addresses on
- the local network</LI>
-<LI>the gateway machine doing NAT</LI>
-<LI>all packets going outside the LAN rewritten to have the gateway as
- their source address</LI>
-</UL>
-<P>The client machines are set up with reserved<A href="glossary.html#non-routable">
- non-routable</A> IP addresses defined in RFC 1918. The masquerading
- gateway, the machine with the actual link to the Internet, rewrites
- packet headers so that all packets going onto the Internet appear to
- come from one IP address, that of its Internet interface. It then gets
- all the replies, does some table lookups and more header rewriting, and
- delivers the replies to the appropriate client machines.</P>
-<P>As far as anyone else on the Internet is concerned, the systems
- behind the gateway are completely hidden. Only one machine with one IP
- address is visible.</P>
-<P>For IPsec on such a gateway, you can entirely ignore the NAT in:</P>
-<UL>
-<LI><A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></LI>
-<LI>firewall rules affecting your Internet-side interface</LI>
-</UL>
-<P>Those can be set up exactly as they would be if your gateway had no
- other systems behind it.</P>
-<P>You do, however, have to take account of the NAT in firewall rules
- which affect packet forwarding.</P>
-<H3><A NAME="17_3_2">NAT to routable addresses</A></H3>
-<P>NAT to routable addresses is also possible, but is less common and
- may make for rather tricky routing problems. We will not discuss it
- here. See the<A href="http://netfilter.samba.org/documentation/index.html#HOWTO">
- Netfilter HowTos</A>.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="config.html">Previous</A>
-<A HREF="user_examples.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/biblio.html b/doc/biblio.html
deleted file mode 100644
index d54af5cbf..000000000
--- a/doc/biblio.html
+++ /dev/null
@@ -1,274 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="glossary.html">Previous</A>
-<A HREF="rfc.html">Next</A>
-<HR>
-<H1><A name="biblio">Bibliography for the Linux FreeS/WAN project</A></H1>
-<P>For extensive bibliographic links, see the<A href="http://liinwww.ira.uka.de/bibliography/index.html">
- Collection of Computer Science Bibliographies</A></P>
-<P>See our<A href="web.html"> web links</A> for material available
- online.</P>
-<HR><A name="adams"> Carlisle Adams and Steve Lloyd<CITE> Understanding
- Public Key Infrastructure</CITE>
-<BR></A> Macmillan 1999 ISBN 1-57870-166-x
-<P>An overview, mainly concentrating on policy and strategic issues
- rather than the technical details. Both authors work for<A href="glossary.html#PKI">
- PKI</A> vendor<A href="http://www.entrust.com/"> Entrust</A>.</P>
-<HR><A name="DNS.book"> Albitz, Liu &amp; Loukides<CITE> DNS &amp; BIND</CITE>
- 3rd edition
-<BR></A> O'Reilly 1998 ISBN 1-56592-512-2
-<P>The standard reference on the<A href="glossary.html#DNS"> Domain Name
- Service</A> and<A href="glossary.html#BIND"> Berkeley Internet Name
- Daemon</A>.</P>
-<HR><A name="anderson"> Ross Anderson</A>,<CITE> Security Engineering -
- a Guide to Building Dependable Distributed Systems</CITE>
-<BR> Wiley, 2001, ISBN 0471389226
-<P>Easily the best book for the security professional I have seen.<STRONG>
- Highly recommended</STRONG>. See the<A href="http://www.cl.cam.ac.uk/~rja14/book.html">
- book web page</A>.</P>
-<P>This is quite readable, but Schneier's<A href="#secrets"> Secrets and
- Lies</A> might be an easier introduction.</P>
-<HR><A name="puzzle"> Bamford<CITE> The Puzzle Palace, A report on NSA,
- Americas's most Secret Agency</CITE>
-<BR> Houghton Mifflin 1982 ISBN 0-395-31286-8</A>
-<HR> Bamford<CITE> Body of Secrets</CITE>
-<P>The sequel.</P>
-<HR><A name="bander"> David Bander</A>,<CITE> Linux Security Toolkit</CITE>
-<BR> IDG Books, 2000, ISBN: 0764546902
-<P>This book has a short section on FreeS/WAN and includes Caldera Linux
- on CD.</P>
-<HR><A name="CZR"> Chapman, Zwicky &amp; Russell</A>,<CITE> Building
- Internet Firewalls</CITE>
-<BR> O'Reilly 1995 ISBN 1-56592-124-0
-<HR><A name="firewall.book"> Cheswick and Bellovin</A><CITE> Firewalls
- and Internet Security: Repelling the Wily Hacker</CITE>
-<BR> Addison-Wesley 1994 ISBN 0201633574
-<P>A fine book on firewalls in particular and security in general from
- two of AT&amp;T's system adminstrators.</P>
-<P>Bellovin has also done a number of<A href="web.html#papers"> papers</A>
- on IPsec and co-authored a<A href="intro.html#applied"> paper</A> on a
- large FreeS/WAN application.</P>
-<HR><A name="comer"> Comer<CITE> Internetworking with TCP/IP</CITE>
-<BR> Prentice Hall</A>
-<UL>
-<LI>Vol. I: Principles, Protocols, &amp; Architecture, 3rd Ed. 1995
- ISBN:0-13-216987-8</LI>
-<LI>Vol. II: Design, Implementation, &amp; Internals, 2nd Ed. 1994
- ISBN:0-13-125527-4</LI>
-<LI>Vol. III: Client/Server Programming &amp; Applications
-<UL>
-<LI>AT&amp;T TLI Version 1994 ISBN:0-13-474230-3</LI>
-<LI>BSD Socket Version 1996 ISBN:0-13-260969-X</LI>
-<LI>Windows Sockets Version 1997 ISBN:0-13-848714-6</LI>
-</UL>
-</LI>
-</UL>
-<P>If you need to deal with the details of the network protocols, read
- either this series or the<A href="#stevens"> Stevens and Wright</A>
- series before you start reading the RFCs.</P>
-<HR><A name="diffie"> Diffie and Landau</A><CITE> Privacy on the Line:
- The Politics of Wiretapping and Encryption</CITE>
-<BR> MIT press 1998 ISBN 0-262-04167-7 (hardcover) or 0-262-54100-9
-<BR>
-<HR><A name="d_and_hark"> Doraswamy and Harkins<CITE> IP Sec: The New
- Security Standard for the Internet, Intranets and Virtual Private
- Networks</CITE>
-<BR> Prentice Hall 1999 ISBN: 0130118982</A>
-<HR><A name="EFF"> Electronic Frontier Foundation<CITE> Cracking DES:
- Secrets of Encryption Research, Wiretap Politics and Chip Design</CITE>
-<BR></A> O'Reilly 1998 ISBN 1-56592-520-3
-<P>To conclusively demonstrate that DES is inadequate for continued use,
- the<A href="glossary.html#EFF"> EFF</A> built a machine for just over
- $200,000 that breaks DES encryption in under five days on average,
- under nine in the worst case.</P>
-<P>The book provides details of their design and, perhaps even more
- important, discusses why they felt the project was necessary.
- Recommended for anyone interested in any of the three topics mentioned
- in the subtitle.</P>
-<P>See also the<A href="http://www.eff.org/descracker.html"> EFF page on
- this project</A> and our discussion of<A href="politics.html#desnotsecure">
- DES insecurity</A>.</P>
-<HR> Martin Freiss<CITE> Protecting Networks with SATAN</CITE>
-<BR> O'Reilly 1998 ISBN 1-56592-425-8
-<BR> translated from a 1996 work in German
-<P>SATAN is a Security Administrator's Tool for Analysing Networks. This
- book is a tutorial in its use.</P>
-<HR> Gaidosch and Kunzinger<CITE> A Guide to Virtual Private Networks</CITE>
-<BR> Prentice Hall 1999 ISBN: 0130839647
-<HR><A name="Garfinkel"> Simson Garfinkel</A><CITE> Database Nation: the
- death of privacy in the 21st century</CITE>
-<BR> O'Reilly 2000 ISBN 1-56592-653-6
-<P>A thoughtful and rather scary book.</P>
-<HR><A name="PGP"> Simson Garfinkel</A><CITE> PGP: Pretty Good Privacy</CITE>
-<BR> O'Reilly 1995 ISBN 1-56592-098-8
-<P>An excellent introduction and user manual for the<A href="glossary.html#PGP">
- PGP</A> email-encryption package. PGP is a good package with a complex
- and poorly-designed user interface. This book or one like it is a must
- for anyone who has to use it at length.</P>
-<P>The book covers using PGP in Unix, PC and Macintosh environments,
- plus considerable background material on both the technical and
- political issues around cryptography.</P>
-<P>The book is now seriously out of date. It does not cover recent
- developments such as commercial versions since PGP 5, the Open PGP
- standard or GNU PG..</P>
-<HR><A name="practical"> Garfinkel and Spafford</A><CITE> Practical Unix
- Security</CITE>
-<BR> O'Reilly 1996 ISBN 1-56592-148-8
-<P>A standard reference.</P>
-<P>Spafford's web page has an excellent collection of<A href="http://www.cs.purdue.edu/coast/hotlist">
- crypto and security links</A>.</P>
-<HR><A name="Kahn"> David Kahn</A><CITE> The Codebreakers: the
- Comprehensive History of Secret Communications from Ancient Times to
- the Internet</CITE>
-<BR> second edition Scribner 1996 ISBN 0684831309
-<P>A history of codes and code-breaking from ancient Egypt to the 20th
- century. Well-written and exhaustively researched.<STRONG> Highly
- recommended</STRONG>, even though it does not have much on computer
- cryptography.</P>
-<HR> David Kahn<CITE> Seizing the Enigma, The Race to Break the German
- U-Boat codes, 1939-1943</CITE>
-<BR> Houghton Mifflin 1991 ISBN 0-395-42739-8
-<HR><A name="kirch"> Olaf Kirch</A><CITE> Linux Network Administrator's
- Guide</CITE>
-<BR> O'Reilly 1995 ISBN 1-56592-087-2
-<P>Now becoming somewhat dated in places, but still a good introductory
- book and general reference.</P>
-<HR><A name="LinVPN"> Kolesnikov and Hatch</A>,<CITE> Building Linux
- Virtual Private Networks (VPNs)</CITE>
-<BR> New Riders 2002
-<P>This has had a number of favorable reviews, including<A href="http://www.slashdot.org/article.pl?sid=02/02/27/0115214&amp;mode=thread&amp;tid=172">
- this one</A> on Slashdot. The book has a<A href="http://www.buildinglinuxvpns.net/">
- web site</A>.</P>
-<HR><A name="RFCs"> Pete Loshin<CITE> Big Book of IPsec RFCs</CITE>
-<BR> Morgan Kaufmann 2000 ISBN: 0-12-455839-9</A>
-<HR><A name="crypto"> Steven Levy<CITE> Crypto: How the Code Rebels Beat
- the Government -- Saving Privacy in the Digital Age</CITE></A>
-<BR> Penguin 2001, ISBN 0-670--85950-8
-<P><STRONG>Highly recommended</STRONG>. A fine history of recent (about
- 1970-2000) developments in the field, and the related political
- controversies. FreeS/WAN project founder and leader John Gilmore
- appears several times.</P>
-<P>The book does not cover IPsec or FreeS/WAN, but this project is very
- much another battle in the same war. See our discussion of the<A href="politics.html">
- politics</A>.</P>
-<HR><A name="GTR"> Matyas, Anderson et al.</A><CITE> The Global Trust
- Register</CITE>
-<BR> Northgate Consultants Ltd 1998 ISBN: 0953239705
-<BR> hard cover edition MIT Press 1999 ISBN 0262511053
-<P>From<A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
- their web page:</A></P>
-<BLOCKQUOTE> This book is a register of the fingerprints of the world's
- most important public keys; it implements a top-level certification
- authority (CA) using paper and ink rather than in an electronic system.</BLOCKQUOTE>
-<HR><A name="handbook"> Menezies, van Oorschot and Vanstone<CITE>
- Handbook of Applied Cryptography</CITE></A>
-<BR> CRC Press 1997
-<BR> ISBN 0-8493-8523-7
-<P>An excellent reference. Read<A href="#schneier"> Schneier</A> before
- tackling this.</P>
-<HR> Michael Padlipsky<CITE> Elements of Networking Style</CITE>
-<BR> Prentice-Hall 1985 ISBN 0-13-268111-0 or 0-13-268129-3
-<P>Probably<STRONG> the funniest technical book ever written</STRONG>,
- this is a vicious but well-reasoned attack on the OSI &quot;seven layer
- model&quot; and all that went with it. Several chapters of it are also
- available as RFCs 871 to 875.</P>
-<HR><A name="matrix"> John S. Quarterman</A><CITE> The Matrix: Computer
- Networks and Conferencing Systems Worldwide</CITE>
-<BR> Digital Press 1990 ISBN 155558-033-5
-<BR> Prentice-Hall ISBN 0-13-565607-9
-<P>The best general treatment of computer-mediated communication we have
- seen. It naturally has much to say about the Internet, but also covers
- UUCP, Fidonet and so on.</P>
-<HR><A name="ranch"> David Ranch</A><CITE> Securing Linux Step by Step</CITE>
-<BR> SANS Institute, 1999
-<P><A href="http://www.sans.org/">SANS</A> is a respected organisation,
- this guide is part of a well-known series, and Ranch has previously
- written the useful<A href=" http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
- Trinity OS</A> guide to securing Linux, so my guess would be this is a
- pretty good book. I haven't read it yet, so I'm not certain. It can be
- ordered online from<A href="http://www.sans.org/"> SANS</A>.</P>
-<P>Note (Mar 1, 2002): a new edition with different editors in the
- works. Expect it this year.</P>
-<HR><A name="schneier"> Bruce Schneier</A><CITE> Applied Cryptography,
- Second Edition</CITE>
-<BR> John Wiley &amp; Sons, 1996
-<BR> ISBN 0-471-12845-7 hardcover
-<BR> ISBN 0-471-11709-9 paperback
-<P>A standard reference on computer cryptography. For more recent
- essays, see the<A href="http://www.counterpane.com/"> author's
- company's web site</A>.</P>
-<HR><A name="secrets"> Bruce Schneier</A><CITE> Secrets and Lies</CITE>
-<BR> Wiley 2000, ISBN 0-471-25311-1
-<P>An interesting discussion of security and privacy issues, written
- with more of an &quot;executive overview&quot; approach rather than a narrow
- focus on the technical issues.<STRONG> Highly recommended</STRONG>.</P>
-<P>This is worth reading even if you already understand security issues,
- or think you do. To go deeper, follow it with Anderson's<A href="#anderson">
- Security Engineering</A>.</P>
-<HR><A name="VPNbook"> Scott, Wolfe and Irwin<CITE> Virtual Private
- Networks</CITE></A>
-<BR> 2nd edition, O'Reilly 1999 ISBN: 1-56592-529-7
-<P>This is the only O'Reilly book, out of a dozen I own, that I'm
- disappointed with. It deals mainly with building VPNs with various
- proprietary tools --<A href="glossary.html#PPTP"> PPTP</A>,<A href="glossary.html#SSH">
- SSH</A>, Cisco PIX, ... -- and touches only lightly on IPsec-based
- approaches.</P>
-<P>That said, it appears to deal competently with what it does cover and
- it has readable explanations of many basic VPN and security concepts.
- It may be exactly what some readers require, even if I find the
- emphasis unfortunate.</P>
-<HR><A name="LASG"> Kurt Seifried<CITE> Linux Administrator's Security
- Guide</CITE></A>
-<P>Available online from<A href="http://www.securityportal.com/lasg/">
- Security Portal</A>. It has fairly extensive coverage of IPsec.</P>
-<HR><A name="Smith"> Richard E Smith<CITE> Internet Cryptography</CITE>
-<BR></A> ISBN 0-201-92480-3, Addison Wesley, 1997
-<P>See the book's<A href="http://www.visi.com/crypto/inet-crypto/index.html">
- home page</A></P>
-<HR><A name="neal"> Neal Stephenson<CITE> Cryptonomicon</CITE></A>
-<BR> Hardcover ISBN -380-97346-4, Avon, 1999.
-<P>A novel in which cryptography and the net figure prominently.<STRONG>
- Highly recommended</STRONG>: I liked it enough I immediately went out
- and bought all the author's other books.</P>
-<P>There is also a paperback edition. Sequels are expected.</P>
-<HR><A name="stevens"> Stevens and Wright</A><CITE> TCP/IP Illustrated</CITE>
-<BR> Addison-Wesley
-<UL>
-<LI>Vol. I: The Protocols 1994 ISBN:0-201-63346-9</LI>
-<LI>Vol. II: The Implementation 1995 ISBN:0-201-63354-X</LI>
-<LI>Vol. III: TCP for Transactions, HTTP, NNTP, and the UNIX Domain
- Protocols 1996 ISBN: 0-201-63495-3</LI>
-</UL>
-<P>If you need to deal with the details of the network protocols, read
- either this series or the<A href="#comer"> Comer</A> series before you
- start reading the RFCs.</P>
-<HR><A name="Rubini"> Rubini</A><CITE> Linux Device Drivers</CITE>
-<BR> O'Reilly &amp; Associates, Inc. 1998 ISBN 1-56592-292-1
-<HR><A name="Zeigler"> Robert Zeigler</A><CITE> Linux Firewalls</CITE>
-<BR> Newriders Publishing, 2000 ISBN 0-7537-0900-9
-<P>A good book, with detailed coverage of ipchains(8) firewalls and of
- many related issues.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="glossary.html">Previous</A>
-<A HREF="rfc.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/compat.html b/doc/compat.html
deleted file mode 100644
index f01efa64c..000000000
--- a/doc/compat.html
+++ /dev/null
@@ -1,707 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="trouble.html">Previous</A>
-<A HREF="interop.html">Next</A>
-<HR>
-<H1><A name="compat">Linux FreeS/WAN Compatibility Guide</A></H1>
-<P>Much of this document is quoted directly from the Linux FreeS/WAN<A href="mail.html">
- mailing list</A>. Thanks very much to the community of testers,
- patchers and commenters there, especially the ones quoted below but
- also various contributors we haven't quoted.</P>
-<H2><A name="spec">Implemented parts of the IPsec Specification</A></H2>
-<P>In general, do not expect Linux FreeS/WAN to do everything yet. This
- is a work-in-progress and some parts of the IPsec specification are not
- yet implemented.</P>
-<H3><A name="in">In Linux FreeS/WAN</A></H3>
-<P>Things we do, as of version 1.96:</P>
-<UL>
-<LI>key management methods
-<DL>
-<DT>manually keyed</DT>
-<DD>using keys stored in /etc/ipsec.conf</DD>
-<DT>automatically keyed</DT>
-<DD>Automatically negotiating session keys as required. All connections
- are automatically re-keyed periodically. The<A href="glossary.html#Pluto">
- Pluto</A> daemon implements this using the<A href="glossary.html#IKE">
- IKE</A> protocol.</DD>
-</DL>
-</LI>
-<LI>Methods of authenticating gateways for IKE
-<DL>
-<DT>shared secrets</DT>
-<DD>stored in<A href="manpage.d/ipsec.secrets.5.html"> ipsec.secrets(5)</A>
-</DD>
-<DT><A href="glossary.html#RSA">RSA</A> signatures</DT>
-<DD>For details, see<A href="manpage.d/ipsec_pluto.8.html"> pluto(8)</A>
-.</DD>
-<DT>looking up RSA authentication keys from<A href="glossary.html#DNS">
- DNS</A>.</DT>
-<DD>Note that this technique cannot be fully secure until<A href="glossary.html#SDNS">
- secure DNS</A> is widely deployed.</DD>
-</DL>
-</LI>
-<LI>groups for<A href="glossary.html#DH"> Diffie-Hellman</A> key
- negotiation
-<DL>
-<DT>group 2, modp 1024-bit</DT>
-<DT>group 5, modp 1536-bit</DT>
-<DD>We implement these two groups.
-<P>In negotiating a keying connection (ISAKMP SA, Phase 1) we propose
- both groups when we are the initiator, and accept either when a peer
- proposes them. Once the keying connection is made, we propose only the
- alternative agreed there for data connections (IPsec SA's, Phase 2)
- negotiated over that keying connection.</P>
-</DD>
-</DL>
-</LI>
-<LI>encryption transforms
-<DL>
-<DT><A href="glossary.html#DES">DES</A></DT>
-<DD>DES is in the source code since it is needed to implement 3DES, but
- single DES is not made available to users because<A href="politics.html#desnotsecure">
- DES is insecure</A>.</DD>
-<DT><A href="glossary.html#3DES">Triple DES</A></DT>
-<DD>implemented, and used as the default encryption in Linux FreeS/WAN.</DD>
-</DL>
-</LI>
-<LI>authentication transforms
-<DL>
-<DT><A href="glossary.html#HMAC">HMAC</A> using<A href="glossary.html#MD5">
- MD5</A></DT>
-<DD>implemented, may be used in IKE or by by AH or ESP transforms.</DD>
-<DT><A href="glossary.html#HMAC">HMAC</A> using<A href="glossary.html#SHA">
- SHA</A></DT>
-<DD>implemented, may be used in IKE or by AH or ESP transforms.</DD>
-</DL>
-<P>In negotiations, we propose both of these and accept either.</P>
-</LI>
-<LI>compression transforms
-<DL>
-<DT>IPComp</DT>
-<DD>IPComp as described in RFC 2393 was added for FreeS/WAN 1.6. Note
- that Pluto becomes confused if you ask it to do IPComp when the kernel
- cannot.</DD>
-</DL>
-</LI>
-</UL>
-<P>All combinations of implemented transforms are supported. Note that
- some form of packet-level<STRONG> authentication is required whenever
- encryption is used</STRONG>. Without it, the encryption will not be
- secure.</P>
-<H3><A name="dropped">Deliberately omitted</A></H3>
- We do not implement everything in the RFCs because some of those things
- are insecure. See our discussions of avoiding<A href="politics.html#weak">
- bogus security</A>.
-<P>Things we deliberately omit which are required in the RFCs are:</P>
-<UL>
-<LI>null encryption (to use ESP as an authentication-only service)</LI>
-<LI>single DES</LI>
-<LI>DH group 1, a 768-bit modp group</LI>
-</UL>
-<P>Since these are the only encryption algorithms and DH group the RFCs
- require, it is possible in theory to have a standards-conforming
- implementation which will not interpoperate with FreeS/WAN. Such an
- implementation would be inherently insecure, so we do not consider this
- a problem.</P>
-<P>Anyway, most implementations sensibly include more secure options as
- well, so dropping null encryption, single DES and Group 1 does not
- greatly hinder interoperation in practice.</P>
-<P>We also do not implement some optional features allowed by the RFCs:</P>
-<UL>
-<LI>aggressive mode for negotiation of the keying channel or ISAKMP SA.
- This mode is a little faster than main mode, but exposes more
- information to an eavesdropper.</LI>
-</UL>
-<P>In theory, this should cause no interoperation problems since all
- implementations are required to support the more secure main mode,
- whether or not they also allow aggressive mode.</P>
-<P>In practice, it does sometimes produce problems with implementations
- such as Windows 2000 where aggressive mode is the default. Typically,
- these are easily solved with a configuration change that overrides that
- default.</P>
-<H3><A name="not">Not (yet) in Linux FreeS/WAN</A></H3>
-<P>Things we don't yet do, as of version 1.96:</P>
-<UL>
-<LI>key management methods
-<UL>
-<LI>authenticate key negotiations via local<A href="glossary.html#PKI">
- PKI</A> server, but see links to user<A href="web.html#patch"> patches</A>
-</LI>
-<LI>authenticate key negotiations via<A href="glossary.html#SDNS">
- secure DNS</A></LI>
-<LI>unauthenticated key management, using<A href="glossary.html#DH">
- Diffie-Hellman</A> key agreement protocol without authentication.
- Arguably, this would be worth doing since it is secure against all
- passive attacks. On the other hand, it is vulnerable to an active<A href="glossary.html#middle">
- man-in-the-middle attack</A>.</LI>
-</UL>
-</LI>
-<LI>encryption transforms
-<P>Currently<A href="glossary.html#3DES"> Triple DES</A> is the only
- encryption method Pluto will negotiate.</P>
-<P>No additional encryption transforms are implemented, though the RFCs
- allow them and some other IPsec implementations support various of
- them. We are not eager to add more. See this<A href="faq.html#other.cipher">
- FAQ question</A>.</P>
-<P><A href="glossary.html#AES">AES</A>, the successor to the DES
- standard, is an excellent candidate for inclusion in FreeS/WAN, see
- links to user<A href="web.html#patch"> patches</A>.</P>
-</LI>
-<LI>authentication transforms
-<P>No optional additional authentication transforms are currently
- implemented. Likely<A href="glossary.html#SHA-256"> SHA-256, SHA-384
- and SHA-512</A> will be added when AES is.</P>
-</LI>
-<LI>Policy checking on decrypted packets
-<P>To fully comply with the RFCs, it is not enough just to accept only
- packets which survive any firewall rules in place to limit what IPsec
- packets get in, and then pass KLIPS authentication. That is what
- FreeS/WAN currently does.</P>
-<P>We should also apply additional tests, for example ensuring that all
- packets emerging from a particular tunnel have source and destination
- addresses that fall within the subnets defined for that tunnel, and
- that packets with those addresses that did not emerge from the
- appropriate tunnel are disallowed.</P>
-<P>This will be done as part of a KLIPS rewrite. See these<A href="intro.html#applied">
- links</A> and the<A href="mail.html"> design mailing list</A> for
- discussion.</P>
-</LI>
-</UL>
-<H2><A name="pfkey">Our PF-Key implementation</A></H2>
-<P>We use PF-key Version Two for communication between the KLIPS kernel
- code and the Pluto Daemon. PF-Key v2 is defined by<A href="http://www.normos.org/ietf/rfc/rfc2367.txt">
- RFC 2367</A>.</P>
-<P>The &quot;PF&quot; stands for Protocol Family. PF-Inet defines a
- kernel/userspace interface for the TCP/IP Internet protocols (TCP/IP),
- and other members of the PF series handle Netware, Appletalk, etc.
- PF-Key is just a PF for key-related matters.</P>
-<H3><A name="pfk.port">PF-Key portability</A></H3>
-<P>PF-Key came out of Berkeley Unix work and is used in the various BSD
- IPsec implementations, and in Solaris. This means there is some hope of
- porting our Pluto(8) to one of the BSD distributions, or of running
- their photurisd(8) on Linux if you prefer<A href="glossary.html#photuris">
- Photuris</A> key management over IKE.</P>
-<P>It is, however, more complex than that. The PK-Key RFC deliberately
- deals only with keying, not policy management. The three PF-Key
- implementations we have looked at -- ours, OpenBSD and KAME -- all have
- extensions to deal with security policy, and the extensions are
- different. There have been discussions aimed at sorting out the
- differences, perhaps for a version three PF-Key spec. All players are
- in favour of this, but everyone involved is busy and it is not clear
- whether or when these discussions might bear fruit.</P>
-<H2><A name="otherk">Kernels other than the latest 2.2.x and 2.4.y</A></H2>
-<P>We develop and test on Redhat Linux using the most recent kernel in
- the 2.2 and 2.4 series. In general, we recommend you use the latest
- kernel in one of those series. Complications and caveats are discussed
- below.</P>
-<H3><A name="kernel.2.0">2.0.x kernels</A></H3>
-<P>Consider upgrading to the 2.2 kernel series. If you want to stay with
- the 2.0 series, then we strongly recommend 2.0.39. Some useful security
- patches were added in 2.0.38.</P>
-<P>Various versions of the code have run at various times on most 2.0.xx
- kernels, but the current version is only lightly tested on 2.0.39, and
- not at all on older kernels.</P>
-<P>Some of our patches for older kernels are shipped in 2.0.37 and
- later, so they are no longer provided in FreeS/WAN. This means recent
- versions of FreeS/WAN will probably not compile on anything earlier
- than 2.0.37.</P>
-<H3><A name="kernel.production">2.2 and 2.4 kernels</A></H3>
-<DL>
-<DT>FreeS/WAN 1.0</DT>
-<DD>ran only on 2.0 kernels</DD>
-<DT>FreeS/WAN 1.1 to 1.8</DT>
-<DD>ran on 2.0 or 2.2 kernels
-<BR> ran on some development kernels, 2.3 or 2.4-test</DD>
-<DT>FreeS/WAN 1.9 to 1.96</DT>
-<DD>runs on 2.0, 2.2 or 2.4 kernels</DD>
-</DL>
-<P>In general,<STRONG> we suggest the latest 2.2 kernel or 2.4 for
- production use</STRONG>.</P>
-<P>Of course no release can be guaranteed to run on kernels more recent
- than it is, so quite often there will be no stable FreeS/WAN for the
- absolute latest kernel. See the<A href="faq.html#k.versions"> FAQ</A>
- for discussion.</P>
-<H2><A name="otherdist">Intel Linux distributions other than Redhat</A></H2>
-<P>We develop and test on Redhat 6.1 for 2.2 kernels, and on Redhat 7.1
- or 7.2 for 2.4, so minor changes may be required for other
- distributions.</P>
-<H3><A name="rh7">Redhat 7.0</A></H3>
-<P>There are some problems with FreeS/WAN on Redhat 7.0. They are
- soluble, but we recommend you upgrade to a later Redhat instead..</P>
-<P>Redhat 7 ships with two compilers.</P>
-<UL>
-<LI>Their<VAR> gcc</VAR> is version 2.96. Various people, including the
- GNU compiler developers and Linus, have said fairly emphatically that
- using this was a mistake. 2.96 is a development version, not intended
- for production use. In particular, it will not compile a Linux kernel.</LI>
-<LI>Redhat therefore also ship a separate compiler, which they call<VAR>
- kgcc</VAR>, for compiling kernels.</LI>
-</UL>
-<P>Kernel Makefiles have<VAR> gcc</VAR> as a default, and must be
- adjusted to use<VAR> kgcc</VAR> before a kernel will compile on 7.0.
- This mailing list message gives details:</P>
-<PRE>Subject: Re: AW: Installing IPsec on Redhat 7.0
-   Date: Thu, 1 Feb 2001 14:32:52 -0200 (BRST)
-  From: Mads Rasmussen &lt;mads@cit.com.br&gt;
- 
-&gt; From www.redhat.com/support/docs/gotchas/7.0/gotchas-7-6.html#ss6.1
-
-cd to /usr/src/linux and open the Makefile in your favorite editor. You
-will need to look for a line similar to this:
-
-CC = $(CROSS_COMPILE)gcc -D__KERNEL__ -I$(HPATH)
-
-This line specifies which C compiler to use to build the kernel. It should
-be changed to:
-
-CC = $(CROSS_COMPILE)kgcc -D__KERNEL__ -I$(HPATH)
-
-for Red Hat Linux 7. The kgcc compiler is egcs 2.91.66. From here you can
-proceed with the typical compiling steps.</PRE>
-<P>Check the<A href="mail.html"> mailing list</A> archive for more
- recent news.</P>
-<H3><A name="suse">SuSE Linux</A></H3>
-<P>SuSE 6.3 and later versions, at least in Europe, ship with FreeS/WAN
- included.</P>
-<P>FreeS/WAN packages distributed for SuSE 7.0-7.2 were somehow
- miscompiled. You can find fixed packages on<A HREF="http://www.suse.de/~garloff/linux/FreeSWAN">
- Kurt Garloff's page</A>.</P>
-<P>Here are some notes for an earlier SuSE version.</P>
-<H4>SuSE Linux 5.3</H4>
-<PRE>Date: Mon, 30 Nov 1998
-From: Peter Onion &lt;ponion@srd.bt.co.uk&gt;
-
-... I got Saturdays snapshot working between my two SUSE5.3 machines at home.
-
-The mods to the install process are quite simple.  From memory and looking at
-the files on the SUSE53 machine here at work....
-
-And extra link in each of the /etc/init.d/rc?.d directories called K35ipsec
-which SUSE use to shut a service down.
-
-A few mods in /etc/init.d/ipsec  to cope with the different places that SUSE
-put config info, and remove the inculsion of /etc/rc.d/init.d/functions and .
-/etc/sysconfig/network as they don't exists and 1st one isn't needed anyway.
-
-insert &quot;. /etc/rc.config&quot; to pick up the SUSE config info and use 
-
-  if test -n &quot;$NETCONFIG&quot; -a &quot;$NETCONFIG&quot; != &quot;YAST_ASK&quot; ; then
-
-to replace 
-
-  [ ${NETWORKING} = &quot;no&quot; ] &amp;&amp; exit 0
-
-Create /etc/sysconfig  as SUSE doesn't have one.
-
-I think that was all (but I prob forgot something)....</PRE>
-<P>You may also need to fiddle initialisation scripts to ensure that<VAR>
- /var/run/pluto.pid</VAR> is removed when rebooting. If this file is
- present, Pluto does not come up correctly.</P>
-<H3><A name="slack">Slackware</A></H3>
-<PRE>Subject: Re: linux-IPsec: Slackware distribution
-  Date:  Thu, 15 Apr 1999 12:07:01 -0700
-  From:  Evan Brewer &lt;dmessiah@silcon.com&gt;
-
-&gt; Very shortly, I will be needing to install IPsec on at least gateways that
-&gt; are running Slackware. . . .
-
-The only trick to getting it up is that on the slackware dist there is no
-init.d directory in /etc/rc.d .. so create one.  Then, what I do is take the
-IPsec startup script which normally gets put into the init.d directory, and
-put it in /etc/rc.d and name ir rc.ipsec .. then I symlink it to the file
-in init.d.  The only file in the dist you need to really edit is the
-utils/Makefile, setup4:
-
-Everything else should be just fine.</PRE>
-<P>A year or so later:</P>
-<PRE>Subject: Re: HTML Docs- Need some cleanup?
-   Date: Mon, 8 Jan 2001
-   From: Jody McIntyre &lt;jodym@oeone.com&gt;
-
-I have successfully installed FreeS/WAN on several Slackware 7.1 machines.
-FreeS/WAN installed its rc.ipsec file in /etc/rc.d.  I had to manually call
-this script from rc.inet2.  This seems to be an easier method than Evan
-Brewer's.</PRE>
-<H3><A name="deb">Debian</A></H3>
-<P>A recent (Nov 2001) mailing list points to a<A href="http://www.thing.dyndns.org/debian/vpn.htm">
- web page</A> on setting up several types of tunnel, including IPsec, on
- Debian.</P>
-<P>Some older information:</P>
-<PRE>Subject: FreeS/WAN 1.0 on Debian 2.1
-   Date: Tue, 20 Apr 1999
-  From:  Tim Miller &lt;cerebus+counterpane@haybaler.sackheads.org&gt;
-
-        Compiled and installed without error on a Debian 2.1 system
-with kernel-source-2.0.36 after pointing RCDIR in utils/Makefile to
-/etc/init.d.
-
-        /var/lock/subsys/ doesn't exist on Debian boxen, needs to be
-created; not a fatal error.
-
-        Finally, IPsec scripts appear to be dependant on GNU awk
-(gawk); the default Debian awk (mawk-1.3.3-2) had fatal difficulties.
-With gawk installed and /etc/alternatives/awk linked to /usr/bin/gawk
-operation appears flawless.</PRE>
-<P>The scripts in question have been modified since this was posted. Awk
- versions should no longer be a problem.</P>
-<H3><A name="caldera">Caldera</A></H3>
-<PRE>Subject: Re: HTML Docs- Need some cleanup?
-   Date: Mon, 08 Jan 2001
-   From: Andy Bradford &lt;andyb@calderasystems.com&gt;
-
-On Sun, 07 Jan 2001 22:59:05 EST, Sandy Harris wrote:
-
-&gt;     Intel Linux distributions other than Redhat 5.x and 6.x 
-&gt;         Redhat 7.0 
-&gt;         SuSE Linux 
-&gt;             SuSE Linux 5.3 
-&gt;         Slackware 
-&gt;         Debian 
-
-Can you please include Caldera in this list?  I have tested it since 
-FreeS/Wan 1.1 and it works great with our systems---provided one 
-follows the FreeS/Wan documentation. :-)
-
-Thank you,
-Andy</PRE>
-<H2><A name="CPUs">CPUs other than Intel</A></H2>
-<P>FreeS/WAN has been run sucessfully on a number of different CPU
- architectures. If you have tried it on one not listed here, please post
- to the<A href="mail.html"> mailing list</A>.</P>
-<H3><A name=" strongarm">Corel Netwinder (StrongARM CPU)</A></H3>
-<PRE>Subject: linux-ipsec: Netwinder diffs
-Date: Wed, 06 Jan 1999
-From: rhatfield@plaintree.com
-
-I had a mistake in my IPsec-auto, so I got things working this morning.
-
-Following are the diffs for my changes.  Probably not the best and cleanest way 
-of doing it, but it works. . . . </PRE>
-<P>These diffs are in the 0.92 and later distributions, so these should
- work out-of-the-box on Netwinder.</P>
-<H3><A name="yellowdog">Yellow Dog Linux on Power PC</A></H3>
-<PRE>Subject:  Compiling FreeS/WAN 1.1 on YellowDog Linux (PPC)
-   Date:  11 Dec 1999
-   From:  Darron Froese &lt;darron@fudgehead.com&gt;
-
-I'm summarizing here for the record - because it's taken me many hours to do
-this (multiple times) and because I want to see IPsec on more linuxes than
-just x86.
-
-Also, I can't remember if I actually did summarize it before... ;-) I'm
-working too many late hours.
-
-That said - here goes.
-
-1. Get your linux kernel and unpack into /usr/src/linux/ - I used 2.2.13.
-&lt;http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.13.tar.bz2&gt;
-
-2. Get FreeS/WAN and unpack into /usr/src/freeswan-1.1
-&lt;ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.1.tar.gz&gt;
-
-3. Get the gmp src rpm from here:
-&lt;ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm&gt;
-
-4. Su to root and do this: rpm --rebuild gmp-2.0.2-9a.src.rpm
-
-You will see a lot of text fly by and when you start to see the rpm
-recompiling like this:
-
-Executing: %build
-+ umask 022
-+ cd /usr/src/redhat/BUILD
-+ cd gmp-2.0.2
-+ libtoolize --copy --force
-Remember to add `AM_PROG_LIBTOOL' to `configure.in'.
-You should add the contents of `/usr/share/aclocal/libtool.m4' to
-`aclocal.m4'.
-+ CFLAGS=-O2 -fsigned-char
-+ ./configure --prefix=/usr
-
-Hit Control-C to stop the rebuild. NOTE: We're doing this because for some
-reason the gmp source provided with FreeS/WAN 1.1 won't build properly on
-ydl.
-
-cd /usr/src/redhat/BUILD/
-cp -ar gmp-2.0.2 /usr/src/freeswan-1.1/
-cd /usr/src/freeswan-1.1/
-rm -rf gmp
-mv gmp-2.0.2 gmp
-
-5. Open the freeswan Makefile and change the line that says:
-KERNEL=$(b)zimage (or something like that) to
-KERNEL=vmlinux
-
-6. cd ../linux/
-
-7. make menuconfig
-Select an option or two and then exit - saving your changes.
-
-8. cd ../freeswan-1.1/ ; make menugo
-
-That will start the whole process going - once that's finished compiling,
-you have to install your new kernel and reboot.
-
-That should build FreeS/WAN on ydl (I tried it on 1.1).</PRE>
- And a later message on the same topic:
-<PRE>Subject: Re: FreeS/WAN, PGPnet and E-mail
-   Date: Sat, 22 Jan 2000
-   From: Darron Froese &lt;darron@fudgehead.com&gt;
-
-on 1/22/00 6:47 PM, Philip Trauring at philip@trauring.com wrote:
-
-&gt; I have a PowerMac G3 ...
-
-The PowerMac G3 can run YDL 1.1 just fine. It should also be able to run
-FreeS/WAN 1.2patch1 with a couple minor modifications:
-
-1. In the Makefile it specifies a bzimage for the kernel compile - you have
-to change that to vmlinux for the PPC.
-
-2. The gmp source that comes with FreeS/WAN (for whatever reason) fails to
-compile. I have gotten around this by getting the gmp src rpm from here:
-
-ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm
-
-If you rip the source out of there - and place it where the gmp source
-resides it will compile just fine.</PRE>
-<P>FreeS/WAN no longer includes GMP source.</P>
-<H3><A name="mklinux">Mklinux</A></H3>
-<P>One user reports success on the Mach-based<STRONG> m</STRONG>icro<STRONG>
-k</STRONG>ernel Linux.</P>
-<PRE>Subject: Smiles on sparc and ppc
-   Date: Fri, 10 Mar 2000
-   From: Jake Hill &lt;jah@alien.bt.co.uk&gt;
-
-You may or may not be interested to know that I have successfully built
-FreeS/WAN on a number of non intel alpha architectures; namely on ppc
-and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
-works, mostly, with few changes.</PRE>
-<H3><A name="alpha">Alpha 64-bit processors</A></H3>
-<PRE>Subject: IT WORKS (again) between intel &amp; alpha :-)))))
-   Date: Fri, 29 Jan 1999
-   From: Peter Onion &lt;ponion@srd.bt.co.uk&gt;
-
-Well I'm happy to report that I've got an IPsec connection between by intel &amp; alpha machines again :-))
-
-If you look back on this list to 7th of December I wrote...
-
--On 07-Dec-98 Peter Onion wrote:
--&gt; 
--&gt; I've about had enuf of wandering around inside the kernel trying to find out
--&gt; just what is corrupting outgoing packets...
--
--Its 7:30 in the evening .....
--
--I FIXED IT  :-))))))))))))))))))))))))))))))))
--
--It was my own fault :-((((((((((((((((((
--
--If you ask me very nicly I'll tell you where I was a little too over keen to
--change unsigned long int __u32 :-)  OPSE ...
--
--So tomorrow it will full steam ahead to produce a set of diffs/patches against
--0.91 
--
--Peter Onion.</PRE>
-<P>In general (there have been some glitches), FreeS/WAN has been
- running on Alphas since then.</P>
-<H3><A name="SPARC">Sun SPARC processors</A></H3>
-<P>Several users have reported success with FreeS/WAN on SPARC Linux.
- Here is one mailing list message:</P>
-<PRE>Subject: Smiles on sparc and ppc
-   Date: Fri, 10 Mar 2000
-   From: Jake Hill &lt;jah@alien.bt.co.uk&gt;
-
-You may or may not be interested to know that I have successfully built
-FreeS/WAN on a number of non intel alpha architectures; namely on ppc
-and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
-works, mostly, with few changes.
-
-I have a question, before I make up some patches. I need to hack
-gmp/mpn/powerpc32/*.s to build them. Is this ok? The changes are
-trivial, but could I also use a different version of gmp? Is it vanilla
-here?
-
-I guess my only real headache is from ipchains, which appears to stop
-running when IPsec has been started for a while. This is with 2.2.14 on
-sparc.</PRE>
-<P>This message, from a different mailing list, may be relevant for
- anyone working with FreeS/WAN on Suns:</P>
-<PRE>Subject: UltraSPARC DES assembler
-   Date: Thu, 13 Apr 2000
-   From: svolaf@inet.uni2.dk (Svend Olaf Mikkelsen)
-     To: coderpunks@toad.com
-
-An UltraSPARC assembler version of the LibDES/SSLeay/OpenSSL des_enc.c
-file is available at http://inet.uni2.dk/~svolaf/des.htm.
-
-This brings DES on UltraSPARC from slower than Pentium at the same
-clock speed to significantly faster.</PRE>
-<H3><A name="mips">MIPS processors</A></H3>
-<P>We know FreeS/WAN runs on at least some MIPS processors because<A href="http://www.lasat.com">
- Lasat</A> manufacture an IPsec box based on an embedded MIPS running
- Linux with FreeS/WAN. We have no details.</P>
-<H3><A name="crusoe">Transmeta Crusoe</A></H3>
-<P>The Merilus<A href="http://www.merilus.com/products/fc/index.shtml">
- Firecard</A>, a Linux firewall on a PCI card, is based on a Crusoe
- processor and supports FreeS/WAN.</P>
-<H3><A name="coldfire">Motorola Coldfire</A></H3>
-<PRE>Subject: Re: Crypto hardware support
-   Date: Mon, 03 Jul 2000
-   From: Dan DeVault &lt;devault@tampabay.rr.com&gt;
-
-.... I have been running
-uClinux with FreeS/WAN 1.4 on a system built by Moreton Bay  (
-http://www.moretonbay.com )  and it was using a Coldfire processor
-and was able to do the Triple DES encryption at just about
-1 mbit / sec rate.......  they put a Hi/Fn 7901 hardware encryption
-chip on their board and now their system does over 25 mbit of 3DES
-encryption........ pretty significant increase if you ask me.</PRE>
-<H2><A name="multiprocessor">Multiprocessor machines</A></H2>
-<P>FreeS/WAN is designed to work on SMP (symmetric multi-processing)
- Linux machines and is regularly tested on dual processor x86 machines.</P>
-<P>We do not know of any testing on multi-processor machines with other
- CPU architectures or with more than two CPUs. Anyone who does test
- this, please report results to the<A href="mail.html"> mailing list</A>
-.</P>
-<P>The current design does not make particularly efficient use of
- multiprocessor machines; some of the kernel work is single-threaded.</P>
-<H2><A name="hardware">Support for crypto hardware</A></H2>
-<P>Supporting hardware cryptography accelerators has not been a high
- priority for the development team because it raises a number of fairly
- complex issues:</P>
-<UL>
-<LI>Can you trust the hardware? If it is not Open Source, how do you
- audit its security? Even if it is, how do you check that the design has
- no concealed traps?</LI>
-<LI>If an interface is added for such hardware, can that interface be
- subverted or misused?</LI>
-<LI>Is hardware acceleration actually a performance win? It clearly is
- in many cases, but on a fast machine it might be better to use the CPU
- for the encryption than to pay the overheads of moving data to and from
- a crypto board.</LI>
-<LI>the current KLIPS code does not provide a clean interface for
- hardware accelerators</LI>
-</UL>
-<P>That said, we have a<A href="#coldfire"> report</A> of FreeS/WAN
- working with one crypto accelerator and some work is going on to modify
- KLIPS to create a clean generic interface to such products. See this<A href="http://www.jukie.net/~bart/linux-ipsec/">
- web page</A> for some of the design discussion.</P>
-<P>More recently, a patch to support some hardware accelerators has been
- posted:</P>
-<PRE>Subject: [Design] [PATCH] H/W acceleration patch
-   Date: Tue, 18 Sep 2001
-   From: &quot;Martin Gadbois&quot; &lt;martin.gadbois@colubris.com&gt;
- 
-Finally!!
-Here's a web site with H/W acceleration patch for FreeS/WAN 1.91, including
-S/W and Hifn 7901 crypto support.
-
-http://sources.colubris.com/
-
-Martin Gadbois</PRE>
-<P>Hardware accelerators could take performance well beyond what
- FreeS/WAN can do in software (discussed<A href="performance.html"> here</A>
-). Here is some discussion off the IETF IPsec list, October 2001:</P>
-<PRE> ... Currently shipping chips deliver, 600 mbps throughput on a single
- stream of 3DES IPsec traffic.  There are also chips that use multiple
- cores to do 2.4 gbps.  We (Cavium) and others have announced even faster
- chips. ... Mid 2002 versions will handle at line rate (OC48 and OC192)
- IPsec and SSL/TLS traffic not only 3DES CBC but also AES and arc4.</PRE>
-<P>The patches to date support chips that have been in production for
- some time, not the state-of-the-art latest-and-greatest devices
- described in that post. However, they may still outperform software and
- they almost certainly reduce CPU overhead.</P>
-<H2><A name="ipv6">IP version 6 (IPng)</A></H2>
-<P>The Internet currently runs on version four of the IP protocols. IPv4
- is what is in the standard Linux IP stack, and what FreeS/WAN was built
- for. In IPv4, IPsec is an optional feature.</P>
-<P>The next version of the IP protocol suite is version six, usually
- abbreviated either as &quot;IPv6&quot; or as &quot;IPng&quot; for &quot;IP: the next
- generation&quot;. For IPv6, IPsec is a required feature. Any machine doing
- IPv6 is required to support IPsec, much as any machine doing (any
- version of) IP is required to support ICMP.</P>
-<P>There is a Linux implementation of IPv6 in Linux kernels 2.2 and
- above. For details, see the<A href="http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/faq/">
- FAQ</A>. It does not yet support IPsec. The<A href="http://www.linux-ipv6.org/">
- USAGI</A> project are also working on IPv6 for Linux.</P>
-<P>FreeS/WAN was originally built for the current standard, IPv4, but we
- are interested in seeing it work with IPv6. Some progress has been
- made, and a patched version with IPv6 support is<A href="http://www.ipv6.iabg.de/downloadframe/index.html">
- available</A>. For more recent information, check the<A href="mail.html">
- mailing list</A>.</P>
-<H3><A name="v6.back">IPv6 background</A></H3>
-<P>IPv6 has been specified by an IETF<A href="http://www.ietf.org/html.charters/ipngwg-charter.html">
- working group</A>. The group's page lists over 30 RFCs to date, and
- many Internet Drafts as well. The overview is<A href="http://www.ietf.org/rfc/rfc2460.txt">
- RFC 2460</A>. Major features include:</P>
-<UL>
-<LI>expansion of the address space from 32 to 128 bits,</LI>
-<LI>changes to improve support for
-<UL>
-<LI>mobile IP</LI>
-<LI>automatic network configuration</LI>
-<LI>quality of service routing</LI>
-<LI>...</LI>
-</UL>
-</LI>
-<LI>improved security via IPsec</LI>
-</UL>
-<P>A number of projects are working on IPv6 implementation. A prominent
- Open Source effort is<A href="http://www.kame.net/"> KAME</A>, a
- collaboration among several large Japanese companies to implement IPv6
- for Berkeley Unix. Other major players are also working on IPv6. For
- example, see pages at:</P>
-<UL>
-<LI><A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">Sun</A>
-</LI>
-<LI><A href="http://www.cisco.com/warp/public/732/ipv6/index.html">Cisco</A>
-</LI>
-<LI><A href="http://www.microsoft.com/windows2000/techinfo/howitworks/communications/networkbasics/IPv6.asp">
-Microsoft</A></LI>
-</UL>
-<P>The<A href="http://www.6bone.net/"> 6bone</A> (IPv6 backbone) testbed
- network has been up for some time. There is an active<A href="http://www.ipv6.org/">
- IPv6 user group</A>.</P>
-<P>One of the design goals for IPv6 was that it must be possible to
- convert from v4 to v6 via a gradual transition process. Imagine the
- mess if there were a &quot;flag day&quot; after which the entire Internet used
- v6, and all software designed for v4 stopped working. Almost every
- computer on the planet would need major software changes! There would
- be huge costs to replace older equipment. Implementers would be worked
- to death before &quot;the day&quot;, systems administrators and technical support
- would be completely swamped after it. The bugs in every implementation
- would all bite simultaneously. Large chunks of the net would almost
- certainly be down for substantial time periods. ...</P>
-<P>Fortunately, the design avoids any &quot;flag day&quot;. It is therefore a
- little tricky to tell how quickly IPv6 will take over. The transition
- has certainly begun. For examples, see announcements from<A href="http://www.mailbase.ac.uk/lists/internet2/2000-03/0016.html">
- NTT</A> and<A href="http://www.vnunet.com/News/1102383"> Nokia</A>.
- However, it is not yet clear how quickly the process will gain
- momentum, or when it will be completed. Likely large parts of the
- Internet will remain with IPv4 for years to come.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="trouble.html">Previous</A>
-<A HREF="interop.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/config.html b/doc/config.html
deleted file mode 100644
index 4e9f0a513..000000000
--- a/doc/config.html
+++ /dev/null
@@ -1,308 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="install.html">Previous</A>
-<A HREF="background.html">Next</A>
-<HR>
-<H1><A NAME="config">How to configure FreeS/WAN</A></H1>
-<P>This page will teach you how to configure a simple network-to-network
- link or a Road Warrior connection between two Linux FreeS/WAN boxes.</P>
-<P>See also these related documents:</P>
-<UL>
-<LI>our<A HREF="quickstart.html#quickstart"> quickstart</A> guide to<A HREF="glossary.html#carpediem">
- opportunistic encryption</A></LI>
-<LI>our guide to configuration with<A HREF="policygroups.html#policygroups">
- policy groups</A></LI>
-<LI>our<A HREF="adv_config.html#adv_config"> advanced configuration</A>
- document</LI>
-</UL>
-<P> The network-to-network setup allows you to connect two office
- networks into one Virtual Private Network, while the Road Warrior
- connection secures a laptop's telecommute to work. Our examples also
- show the basic procedure on the Linux FreeS/WAN side where another
- IPsec peer is in play.</P>
-<P> Shortcut to<A HREF="#config.netnet"> net-to-net</A>.
-<BR> Shortcut to<A HREF="#config.rw"> Road Warrior</A>.</P>
-<H2><A NAME="16_1">Requirements</A></H2>
-<P>To configure the network-to-network connection you must have:</P>
-<UL>
-<LI>two Linux gateways with static IPs</LI>
-<LI>a network behind each gate. Networks must have non-overlapping IP
- ranges.</LI>
-<LI>Linux FreeS/WAN<A HREF="install.html#install"> installed</A> on both
- gateways</LI>
-<LI><A HREF="http://www.tcpdump.org"><VAR>tcpdump</VAR></A> on the local
- gate, to test the connection</LI>
-</UL>
-<P>For the Road Warrior you need:</P>
-<UL>
-<LI>one Linux box with a static IP</LI>
-<LI>a Linux laptop with a dynamic IP</LI>
-<LI>Linux FreeS/WAN installed on both</LI>
-<LI>for testing,<VAR> tcpdump</VAR> on your gateway or laptop</LI>
-</UL>
-<P>If both IPs are dynamic, your situation is a bit trickier. Your best
- bet is a variation on the<A HREF="#config.rw"> Road Warrior</A>, as
- described in<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00282.html">
- this mailing list message</A>.</P>
-<H2><A name="config.netnet"></A>Net-to-Net connection</H2>
-<H3><A name="netnet.info.ex">Gather information</A></H3>
-<P>For each gateway, compile the following information:</P>
-<UL>
-<LI>gateway IP</LI>
-<LI>IP range of the subnet you will be protecting. This doesn't have to
- be your whole physical subnet.</LI>
-<LI>a name by which that gateway can identify itself for IPsec
- negotiations. Its form is a Fully Qualified Domain Name preceded by an
- @ sign, ie. @xy.example.com.
-<BR> It does not need to be within a domain that you own. It can be a
- made-up name.</LI>
-</UL>
-<H4>Get your leftrsasigkey</H4>
-<P>On your local Linux FreeS/WAN gateway, print your IPsec public key:</P>
-<PRE>    ipsec showhostkey --left</PRE>
-<P>The output should look like this (with the key shortened for easy
- reading):</P>
-<PRE>    # RSA 2048 bits   xy.example.com   Fri Apr 26 15:01:41 2002
-    leftrsasigkey=0sAQOnwiBPt...</PRE>
-<P>Don't have a key? Use<A HREF="manpage.d/ipsec_newhostkey.8.html"><VAR>
- ipsec newhostkey</VAR></A> to create one.</P>
-<H4>...and your rightrsasigkey</H4>
-<P>Get a console on the remote side:</P>
-<PRE>    ssh2 ab.example.com</PRE>
-<P>In that window, type:</P>
-<PRE>    ipsec showhostkey --right</PRE>
-<P>You'll see something like:</P>
-<PRE>    # RSA 2192 bits   ab.example.com   Thu May 16 15:26:20 2002
-    rightrsasigkey=0sAQOqH55O...</PRE>
-<H3><A NAME="16_2_2">Edit<VAR> /etc/ipsec.conf</VAR></A></H3>
-<P>Back on the local gate, copy our template to<VAR> /etc/ipsec.conf</VAR>
-. (on Mandrake,<VAR> /etc/freeswan/ipsec.conf</VAR>). Substitute the
- information you've gathered for our example data.</P>
-<PRE>conn net-to-net
-    left=192.0.2.2                 # Local vitals
-    leftsubnet=192.0.2.128/29      # 
-    leftid=@xy.example.com         #   
-    leftrsasigkey=0s1LgR7/oUM...   #
-    leftnexthop=%defaultroute      # correct in many situations 
-    right=192.0.2.9                # Remote vitals
-    rightsubnet=10.0.0.0/24        #
-    rightid=@ab.example.com        # 
-    rightrsasigkey=0sAQOqH55O...   #
-    rightnexthop=%defaultroute     # correct in many situations
-    auto=add                       # authorizes but doesn't start this 
-                                   # connection at startup</PRE>
-<P> &quot;Left&quot; and &quot;right&quot; should represent the machines that have FreeS/WAN
- installed on them, and &quot;leftsubnet&quot; and &quot;rightsubnet&quot; machines that are
- being protected. /32 is assumed for left/right and left/rightsubnet
- parameters.</P>
-<P>Copy<VAR> conn net-to-net</VAR> to the remote-side /etc/ipsec.conf.
- If you've made no other modifications to either<VAR> ipsec.conf</VAR>,
- simply:</P>
-<PRE>    scp2 ipsec.conf root@ab.example.com:/etc/ipsec.conf</PRE>
-<H3><A NAME="16_2_3">Start your connection</A></H3>
-<P>Locally, type:</P>
-<PRE>    ipsec auto --up net-to-net</PRE>
-<P>You should see:</P>
-<PRE>    104 &quot;net-net&quot; #223: STATE_MAIN_I1: initiate
-    106 &quot;net-net&quot; #223: STATE_MAIN_I2: sent MI2, expecting MR2
-    108 &quot;net-net&quot; #223: STATE_MAIN_I3: sent MI3, expecting MR3
-    004 &quot;net-net&quot; #223: STATE_MAIN_I4: ISAKMP SA established
-    112 &quot;net-net&quot; #224: STATE_QUICK_I1: initiate
-    004 &quot;net-net&quot; #224: STATE_QUICK_I2: sent QI2, IPsec SA established</PRE>
-<P>The important thing is<VAR> IPsec SA established</VAR>. If you're
- unsuccessful, see our<A HREF="trouble.html#trouble"> troubleshooting
- tips</A>.</P>
-<H3><A NAME="16_2_4">Do not MASQ or NAT packets to be tunneled</A></H3>
-<P>If you are using<A HREF="glossary.html#masq"> IP masquerade</A> or<A HREF="glossary.html#NAT.gloss">
- Network Address Translation (NAT)</A> on either gateway, you must now
- exempt the packets you wish to tunnel from this treatment. For example,
- if you have a rule like:</P>
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
-</PRE>
-<P>change it to something like:</P>
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d \! 192.0.2.128/29 -j MASQUERADE</PRE>
-<P>This may be necessary on both gateways.</P>
-<H3><A NAME="16_2_5">Test your connection</A></H3>
-<P>Sit at one of your local subnet nodes (not the gateway), and ping a
- subnet node on the other (again, not the gateway).</P>
-<PRE>    ping fileserver.toledo.example.com</PRE>
-<P>While still pinging, go to the local gateway and snoop your outgoing
- interface, for example:</P>
-<PRE>    tcpdump -i ppp0</PRE>
-<P>You want to see ESP (Encapsulating Security Payload) packets moving<B>
- back and forth</B> between the two gateways at the same frequency as
- your pings:</P>
-<PRE>    19:16:32.046220 192.0.2.2 &gt; 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x3)
-    19:16:32.085630 192.0.2.9 &gt; 192.0.2.2: ESP(spi=0x5fdd1cf8,seq=0x6)</PRE>
-<P>If you see this, congratulations are in order! You have a tunnel
- which will protect any IP data from one subnet to the other, as it
- passes between the two gates. If not, go and<A HREF="trouble.html#trouble">
- troubleshoot</A>.</P>
-<P>Note: your new tunnel protects only net-net traffic, not
- gateway-gateway, or gateway-subnet. If you need this (for example, if
- machines on one net need to securely contact a fileserver on the IPsec
- gateway), you'll need to create<A HREF="adv_config.html#adv_config">
- extra connections</A>.</P>
-<H3><A NAME="16_2_6">Finishing touches</A></H3>
-<P>Now that your connection works, name it something sensible, like:</P>
-<PRE>conn winstonnet-toledonet</PRE>
-<P>To have the tunnel come up on-boot, replace</P>
-<PRE>    auto=add</PRE>
-<P>with:</P>
-<PRE>    auto=start</PRE>
-<P>Copy these changes to the other side, for example:</P>
-<PRE>    scp2 ipsec.conf root@ab.example.com:/etc/ipsec.conf</PRE>
-<P>Enjoy!</P>
-<H2><A name="config.rw"></A>Road Warrior Configuration</H2>
-<H3><A name="rw.info.ex">Gather information</A></H3>
-<P>You'll need to know:</P>
-<UL>
-<LI>the gateway's static IP</LI>
-<LI>the IP range of the subnet behind that gateway</LI>
-<LI>a name by which each side can identify itself for IPsec
- negotiations. Its form is a Fully Qualified Domain Name preceded by an
- @ sign, ie. @road.example.com.
-<BR> It does not need to be within a domain that you own. It can be a
- made-up name.</LI>
-</UL>
-<H4>Get your leftrsasigkey...</H4>
-<P>On your laptop, print your IPsec public key:</P>
-<PRE>    ipsec showhostkey --left</PRE>
-<P>The output should look like this (with the key shortened for easy
- reading):</P>
-<PRE>    # RSA 2192 bits   road.example.com   Sun Jun  9 02:45:02 2002
-    leftrsasigkey=0sAQPIPN9uI...</PRE>
-<P>Don't have a key? See<A HREF="old_config.html#genrsakey"> these
- instructions</A>.</P>
-<H4>...and your rightrsasigkey</H4>
-<P>Get a console on the gateway:</P>
-<PRE>    ssh2 xy.example.com</PRE>
-<P>View the gateway's public key with:</P>
-<PRE>    ipsec showhostkey --right</PRE>
-<P>This will yield something like</P>
-<PRE>    # RSA 2048 bits   xy.example.com   Fri Apr 26 15:01:41 2002
-    rightrsasigkey=0sAQOnwiBPt...</PRE>
-<H3><A NAME="16_3_2">Customize<VAR> /etc/ipsec.conf</VAR></A></H3>
-<P>On your laptop, copy this template to<VAR> /etc/ipsec.conf</VAR>. (on
- Mandrake,<VAR> /etc/freeswan/ipsec.conf</VAR>). Substitute the
- information you've gathered for our example data.</P>
-<PRE>conn road
-    left=%defaultroute             # Picks up our dynamic IP 
-    leftnexthop=%defaultroute      # 
-    leftid=@road.example.com       # Local information
-    leftrsasigkey=0sAQPIPN9uI...   #
-    right=192.0.2.10               # Remote information
-    rightsubnet=10.0.0.0/24        #
-    rightid=@xy.example.com        # 
-    rightrsasigkey=0sAQOnwiBPt...  #
-    auto=add                       # authorizes but doesn't start this
-                                   # connection at startup</PRE>
-<P>The template for the gateway is different. Notice how it reverses<VAR>
- left</VAR> and<VAR> right</VAR>, in keeping with our convention that<STRONG>
- L</STRONG>eft is<STRONG> L</STRONG>ocal,<STRONG> R</STRONG>ight<STRONG>
- R</STRONG>emote. Be sure to switch your rsasigkeys in keeping with
- this.</P>
-<PRE>    ssh2 xy.example.com
-    vi /etc/ipsec.conf</PRE>
-<P>and add:</P>
-<PRE>conn road
-    left=192.0.2.2                 # Gateway's information
-    leftid=@xy.example.com         #
-    leftsubnet=192.0.2.128/29      #
-    leftrsasigkey=0sAQOnwiBPt...   #
-    rightnexthop=%defaultroute     # correct in many situations
-    right=%any                     # Wildcard: we don't know the laptop's IP
-    rightid=@road.example.com      #
-    rightrsasigkey=0sAQPIPN9uI...  #
-    auto=add                       # authorizes but doesn't start this
-                                   # connection at startup</PRE>
-<H3><A NAME="16_3_3">Start your connection</A></H3>
-<P>You must start the connection from the Road Warrior side. On your
- laptop, type:</P>
-<PRE>    ipsec auto --start net-to-net</PRE>
-<P>You should see:</P>
-<PRE>104 &quot;net-net&quot; #223: STATE_MAIN_I1: initiate
-106 &quot;road&quot; #301: STATE_MAIN_I2: sent MI2, expecting MR2
-108 &quot;road&quot; #301: STATE_MAIN_I3: sent MI3, expecting MR3
-004 &quot;road&quot; #301: STATE_MAIN_I4: ISAKMP SA established
-112 &quot;road&quot; #302: STATE_QUICK_I1: initiate
-004 &quot;road&quot; #302: STATE_QUICK_I2: sent QI2, IPsec SA established</PRE>
-<P>Look for<VAR> IPsec SA established</VAR>. If you're unsuccessful, see
- our<A HREF="trouble.html#trouble"> troubleshooting tips</A>.</P>
-<H3><A NAME="16_3_4">Do not MASQ or NAT packets to be tunneled</A></H3>
-<P>If you are using<A HREF="glossary.html#masq"> IP masquerade</A> or<A HREF="glossary.html#NAT.gloss">
- Network Address Translation (NAT)</A> on either gateway, you must now
- exempt the packets you wish to tunnel from this treatment. For example,
- if you have a rule like:</P>
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
-</PRE>
-<P>change it to something like:</P>
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d \! 192.0.2.128/29 -j MASQUERADE</PRE>
-<H3><A NAME="16_3_5">Test your connection</A></H3>
-<P>From your laptop, ping a subnet node behind the remote gateway. Do
- not choose the gateway itself for this test.</P>
-<PRE>    ping ns.winston.example.com</PRE>
-<P>Snoop the packets exiting the laptop, with a command like:</P>
-<PRE>    tcpdump -i wlan0</PRE>
-<P>You have success if you see (Encapsulating Security Payload) packets
- travelling<B> in both directions</B>:</P>
-<PRE>    19:16:32.046220 192.0.2.2 &gt; 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x3)
-    19:16:32.085630 192.0.2.9 &gt; 192.0.2.2: ESP(spi=0x5fdd1cf8,seq=0x6)</PRE>
-<P>If you do, great! Traffic between your Road Warrior and the net
- behind your gateway is protected. If not, see our<A HREF="trouble.html#trouble">
- troubleshooting hints</A>.</P>
-<P>Your new tunnel protects only traffic addressed to the net, not to
- the IPsec gateway itself. If you need the latter, you'll want to make
- an<A HREF="adv_config.html#adv_config"> extra tunnel.</A>.</P>
-<H3><A NAME="16_3_6">Finishing touches</A></H3>
-<P>On both ends, name your connection wisely, like:</P>
-<PRE>conn mike-to-office</PRE>
-<P><B>On the laptop only,</B> replace</P>
-<PRE>    auto=add</PRE>
-<P>with:</P>
-<PRE>    auto=start</PRE>
-<P>so that you'll be connected on-boot.</P>
-<P>Happy telecommuting!</P>
-<H3><A NAME="16_3_7">Multiple Road Warriors</A></H3>
-<P>If you're using RSA keys, as we did in this example, you can add as
- many Road Warriors as you like. The left/rightid parameter lets Linux
- FreeS/WAN distinguish between multiple Road Warrior peers, each with
- its own public key.</P>
-<P>The situation is different for shared secrets (PSK). During a PSK
- negotiation, ID information is not available at the time Pluto is
- trying to determine which secret to use, so, effectively, you can only
- define one Roadwarrior connection. All your PSK road warriors must
- therefore share one secret.</P>
-<H2><A NAME="16_4">What next?</A></H2>
-<P>Using the principles illustrated here, you can try variations such
- as:</P>
-<UL>
-<LI>a telecommuter with a static IP</LI>
-<LI>a road warrior with a subnet behind it</LI>
-</UL>
-<P>Or, look at some of our<A HREF="adv_config.html#adv_config"> more
- complex configuration examples.</A>.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="install.html">Previous</A>
-<A HREF="background.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/faq.html b/doc/faq.html
deleted file mode 100644
index b0fed502e..000000000
--- a/doc/faq.html
+++ /dev/null
@@ -1,2339 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="policygroups.html">Previous</A>
-<A HREF="manpages.html">Next</A>
-<HR>
-<H1><A NAME="5">FreeS/WAN FAQ</A></H1>
-<P>This is a collection of questions and answers, mostly taken from the
- FreeS/WAN<A href="mail.html"> mailing list</A>. See the project<A href="http://www.freeswan.org/">
- web site</A> for more information. All the FreeS/WAN documentation is
- online there.</P>
-<P>Contributions to the FAQ are welcome. Please send them to the project<A
-href="mail.html"> mailing list</A>.</P>
-<HR>
-<H2><A name="questions">Index of FAQ questions</A></H2>
-<UL>
-<LI><A href="#whatzit">What is FreeS/WAN?</A></LI>
-<LI><A href="#problems">How do I report a problem or seek help?</A></LI>
-<LI><A href="#generic">Can I get ...</A>
-<UL>
-<LI><A href="#lemme_out">... an off-the-shelf system that includes
- FreeS/WAN?</A></LI>
-<LI><A href="#contractor">... contractors or staff who know FreeS/WAN?</A>
-</LI>
-<LI><A href="#commercial">... commercial support?</A></LI>
-</UL>
-</LI>
-<LI><A href="#release">Release questions</A>
-<UL>
-<LI><A href="#rel.current">What is the current release?</A></LI>
-<LI><A href="#relwhen">When is the next release?</A></LI>
-<LI><A href="#rel.bugs">Are there known bugs in the current release?</A></LI>
-</UL>
-</LI>
-<LI><A href="mod_cons">Modifications and contributions</A>
-<UL>
-<LI><A href="#modify.faq">Can I modify FreeS/WAN to ...?</A></LI>
-<LI><A href="#contrib.faq">Can I contribute to the project?</A></LI>
-<LI><A href="#ddoc.faq">Is there detailed design documentation?</A></LI>
-</UL>
-</LI>
-<LI><A href="#interact">Will FreeS/WAN work in my environment?</A>
-<UL>
-<LI><A href="#interop.faq">Can FreeS/WAN talk to ... ?</A></LI>
-<LI><A href="#old_to_new">Can different FreeS/WAN versions talk to each
- other?</A></LI>
-<LI><A href="#faq.bandwidth">Is there a limit on throughput?</A></LI>
-<LI><A href="#faq.number">Is there a limit on number of connections?</A></LI>
-<LI><A href="#faq.speed">Is a ... fast enough to handle FreeS/WAN with
- my loads?</A></LI>
-</UL>
-</LI>
-<LI><A href="#work_on">Will FreeS/WAN work on ...</A>
-<UL>
-<LI><A href="#versions">... my version of Linux?</A></LI>
-<LI><A href="#nonIntel.faq">... non-Intel CPUs?</A></LI>
-<LI><A href="#multi.faq">... multiprocessors?</A></LI>
-<LI><A href="#k.old">... an older kernel?</A></LI>
-<LI><A href="#k.versions">... the latest kernel version?</A></LI>
-<LI><A href="#interface.faq">... unusual network hardware?</A></LI>
-<LI><A href="#vlan">... a VLAN (802.1q) network?</A></LI>
-</UL>
-</LI>
-<LI><A href="#features.faq">Does FreeS/WAN support ...</A>
-<UL>
-<LI><A href="#VPN.faq">... site-to-site VPN applications</A></LI>
-<LI><A href="#warrior.faq">... remote users connecting to a LAN</A></LI>
-<LI><A href="#road.shared.possible">... remote users using shared secret
- authentication?</A></LI>
-<LI><A href="#wireless.faq">... wireless networks</A></LI>
-<LI><A href="#PKIcert">... X.509 or other PKI certificates?</A></LI>
-<LI><A href="#Radius">... user authentication (Radius, SecureID, Smart
- Card ...)?</A></LI>
-<LI><A href="#NATtraversal">... NAT traversal</A></LI>
-<LI><A href="#virtID">... assigning a &quot;virtual identity&quot; to a remote
- system?</A></LI>
-<LI><A href="#noDES.faq">... single DES encryption?</A></LI>
-<LI><A href="#AES.faq">... AES encryption?</A></LI>
-<LI><A href="#other.cipher">... other encryption algorithms?</A></LI>
-</UL>
-</LI>
-<LI><A href="#canI">Can I ...</A>
-<UL>
-<LI><A href="#policy.preconfig">...use policy groups along with
- explicitly configured connections?</A></LI>
-<LI><A href="#policy.off">...turn off policy groups?</A></LI>
-
-<!--
-      <li><a href="#policy.otherinterface">...use policy groups
-      on an interface other than <VAR>%defaultroute</VAR>?</a></li>
--->
-<LI><A href="#reload">... reload connection info without restarting?</A></LI>
-<LI><A href="#masq.faq">... use several masqueraded subnets?</A></LI>
-<LI><A href="#dup_route">... use subnets masqueraded to the same
- addresses?</A></LI>
-<LI><A href="#road.masq">... assign a road warrior an address on my net
- (a virtual identity)?</A></LI>
-<LI><A href="#road.many">... support many road warriors with one
- gateway?</A></LI>
-<LI><A href="#road.PSK">... have many road warriors using shared secret
- authentication?</A></LI>
-<LI><A href="#QoS">... use Quality of Service routing with FreeS/WAN?</A>
-</LI>
-<LI><A href="#deadtunnel">... recognise dead tunnels and shut them down?</A>
-</LI>
-<LI><A href="#demanddial">... build IPsec tunnels over a demand-dialed
- link?</A></LI>
-<LI><A href="#GRE">... build GRE, L2TP or PPTP tunnels over IPsec?</A></LI>
-<LI><A href="#NetBIOS">... use Network Neighborhood (Samba, NetBIOS)
- over IPsec?</A></LI>
-</UL>
-</LI>
-<LI><A href="#setup.faq">Life's little mysteries</A>
-<UL>
-<LI><A href="#cantping">I cannot ping ....</A></LI>
-<LI><A href="#forever">It takes forever to ...</A></LI>
-<LI><A href="#route">I send packets to the tunnel with route(8) but they
- vanish</A></LI>
-<LI><A href="#down_route">When a tunnel goes down, packets vanish</A></LI>
-<LI><A href="#firewall_ate">The firewall ate my packets!</A></LI>
-<LI><A href="#dropconn">Dropped connections</A></LI>
-<LI><A href="#defaultroutegone">Disappearing %defaultroute</A></LI>
-<LI><A href="#tcpdump.faq">TCPdump on the gateway shows strange things</A>
-</LI>
-<LI><A href="#no_trace">Traceroute does not show anything between the
- gateways</A></LI>
-</UL>
-</LI>
-<LI><A href="#man4debug">Testing in stages (or .... works but ...
- doesn't)</A>
-<UL>
-<LI><A href="#nomanual">Manually keyed connections don't work</A></LI>
-<LI><A href="#spi_error">One manual connection works, but second one
- fails</A></LI>
-<LI><A href="#man_no_auto">Manual connections work, but automatic keying
- doesn't</A></LI>
-<LI><A href="#nocomp">IPsec works, but connections using compression
- fail</A></LI>
-<LI><A href="#pmtu.broken">Small packets work, but large transfers fail</A>
-</LI>
-<LI><A href="#subsub">Subnet-to-subnet works, but tests from the
- gateways don't</A></LI>
-</UL>
-</LI>
-<LI><A href="#compile.faq">Compilation problems</A>
-<UL>
-<LI><A href="#gmp.h_missing">gmp.h: No such file or directory</A></LI>
-<LI><A href="#noVM">... virtual memory exhausted</A></LI>
-</UL>
-</LI>
-<LI><A href="#error">Interpreting error messages</A>
-<UL>
-<LI><A href="#route-client">route-client (or host) exited with status 7</A>
-</LI>
-<LI><A href="#unreachable">SIOCADDRT:Network is unreachable</A></LI>
-<LI><A href="#modprobe">ipsec_setup: modprobe: Can't locate moduleipsec</A>
-</LI>
-<LI><A href="#noKLIPS">ipsec_setup: Fatal error, kernel appears to lack
- KLIPS</A></LI>
-<LI><A href="#noDNS">ipsec_setup: ... failure to fetch key for ... from
- DNS</A></LI>
-<LI><A href="#dup_address">ipsec_setup: ... interfaces ... and ... share
- address ...</A></LI>
-<LI><A href="#kflags">ipsec_setup: Cannot adjust kernel flags</A></LI>
-<LI><A href="#message_num">Message numbers (MI3, QR1, et cetera) in
- Pluto messages</A></LI>
-<LI><A href="#conn_name">Connection names in Pluto error messages</A></LI>
-<LI><A href="#cantorient">Pluto: ... can't orient connection</A></LI>
-<LI><A href="#no.interface">... we have no ipsecN interface for either
- end of this connection</A></LI>
-<LI><A href="#noconn">Pluto: ... no connection is known</A></LI>
-<LI><A href="#nosuit">Pluto: ... no suitable connection ...</A></LI>
-<LI><A href="#noconn.auth">Pluto: ... no connection has been authorized</A>
-</LI>
-<LI><A href="#noDESsupport">Pluto: ... OAKLEY_DES_CBC is not supported.</A>
-</LI>
-<LI><A href="#notransform">Pluto: ... no acceptable transform</A></LI>
-<LI><A href="#rsasigkey">rsasigkey dumps core</A></LI>
-<LI><A href="#sig4">!Pluto failure!: ... exited with ... signal 4</A></LI>
-<LI><A href="#econnrefused">ECONNREFUSED error message</A></LI>
-<LI><A href="#no_eroute">klips_debug: ... no eroute!</A></LI>
-<LI><A href="#SAused">... trouble writing to /dev/ipsec ... SA already
- in use</A></LI>
-<LI><A href="#ignore">... ignoring ... payload</A></LI>
-<LI><A href="#unknown_rightcert">unknown parameter name &quot;rightcert&quot;</A></LI>
-</UL>
-</LI>
-<LI><A href="#spam">Why don't you restrict the mailing lists to reduce
- spam?</A></LI>
-</UL>
-<HR>
-<H2><A name="whatzit">What is FreeS/WAN?</A></H2>
-<P>FreeS/WAN is a Linux implementation of the<A href="glossary.html#IPSEC">
- IPsec</A> protocols, providing security services at the IP (Internet
- Protocol) level of the network.</P>
-<P>For more detail, see our<A href="intro.html"> introduction</A>
- document or the FreeS/WAN project<A href="http://www.freeswan.org/">
- web site</A>.</P>
-<P>To start setting it up, go to our<A href="quickstart.html">
- quickstart guide</A>.</P>
-<P>Our<A href="web.html"> web links</A> document has information on<A href="web.html#implement">
- IPsec for other systems</A>.</P>
-<H2><A name="problems">How do I report a problem or seek help?</A></H2>
-<DL>
-<DT>Read our<A href="trouble.html"> troubleshooting</A> document.</DT>
-<DD>
-<P>It may guide you to a solution. If not, see its<A href="trouble.html#prob.report">
- problem reporting</A> section.</P>
-<P>Basically, what it says is<STRONG> give us the output from<VAR> ipsec
- barf</VAR> from both gateways</STRONG>. Without full information, we
- cannot diagnose a problem. However,<VAR> ipsec barf</VAR> produces a
- lot of output. If at all possible,<STRONG> please make barfs accessible
- via the web or FTP</STRONG> rather than sending enormous mail messages.</P>
-</DD>
-<DT><STRONG>Use the<A href="mail.html"> users mailing list</A> for
- problem reports</STRONG>, rather than mailing developers directly.</DT>
-<DD>
-<UL>
-<LI>This gives you access to more expertise, including users who may
- have encountered and solved the same problems.</LI>
-<LI>It is more likely to get a quick response. Developers may get behind
- on email, or even ignore it entirely for a while, but a list message
- (given a reasonable Subject: line) is certain to be read by a fair
- number of people within hours.</LI>
-<LI>It may also be important because of<A href="politics.html#exlaw">
- cryptography export laws</A>. A US citizen who provides technical
- assistance to foreign cryptographic work might be charged under the
- arms export regulations. Such a charge would be easier to defend if the
- discussion took place on a public mailing list than if it were done in
- private mail.</LI>
-</UL>
-</DD>
-<DT>Try irc.freenode.net#freeswan.</DT>
-<DD>
-<P>FreeS/WAN developers, volunteers and users can often be found there.
- Be patient and be prepared to provide lots of information to support
- your question.</P>
-<P>If your question was really interesting, and you found an answer,
- please share that with the class by posting to the<A href="mail.html">
- users mailing list</A>. That way others with the same problem can find
- your answer in the archives.</P>
-</DD>
-<DT>Premium support is also available.</DT>
-<DD>
-<P>See the next several questions.</P>
-</DD>
-</DL>
-<H2><A name="generic">Can I get ...</A></H2>
-<H3><A name="lemme_out">Can I get an off-the-shelf system that includes
- FreeS/WAN?</A></H3>
-<P>There are a number of Linux distributions or firewall products which
- include FreeS/WAN. See this<A href="intro.html#products"> list</A>.
- Using one of these, chosen to match your requirements and budget, may
- save you considerable time and effort.</P>
-<P>If you don't know your requirements, start by reading Schneier's<A href="biblio.html#secrets">
- Secrets and Lies</A>. That gives the best overview of security issues I
- have seen. Then consider hiring a consultant (see next question) to
- help define your requirements.</P>
-<H3><A name="consultant">Can I hire consultants or staff who know
- FreeS/WAN?</A></H3>
-<P>If you want the help of a contractor, or to hire staff with FreeS/WAN
- expertise, you could:</P>
-<UL>
-<LI>check availability in your area through your local Linux User Group
- (<A href="http://lugww.counter.li.org/">LUG Index</A>)</LI>
-<LI>try asking on our<A href="mail.html"> mailing list</A></LI>
-</UL>
-<P>For companies offerring support, see the next question.</P>
-<H3><A name="commercial">Can I get commercial support?</A></H3>
-<P>Many of the distributions or firewall products which include
- FreeS/WAN (see this<A href="intro.html#products"> list</A>) come with
- commercial support or have it available as an option.</P>
-<P>Various companies specialize in commercial support of open source
- software. Our project leader was a founder of the first such company,
- Cygnus Support. It has since been bought by<A href="http://www.redhat.com">
- Redhat</A>. Another such firm is<A href="http://www.linuxcare.com">
- Linuxcare</A>.</P>
-<H2><A name="release">Release questions</A></H2>
-<H3><A name="rel.current">What is the current release?</A></H3>
-<P>The current release is the highest-numbered tarball on our<A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">
- distribution site</A>. Almost always, any of<A href="intro.html#mirrors">
- the mirrors</A> will have the same file, though perhaps not for a day
- or so after a release.</P>
-<P>Unfortunately, the web site is not always updated as quickly as it
- should be.</P>
-<H3><A name="relwhen">When is the next release?</A></H3>
-<P>We try to do a release approximately every six to eight weeks.</P>
-<P>If pre-release tests fail and the fix appears complex, or more
- generally if the code does not appear stable when a release is
- scheduled, we will just skip that release.</P>
-<P>For serious bugs, we may bring out an extra bug-fix release. These
- get numbers in the normal release series. For example, there was a bug
- found in FreeS/WAN 1.6, so we did another release less than two weeks
- later. The bug-fix release was called 1.7.</P>
-<H3><A name="rel.bugs">Are there known bugs in the current release?</A></H3>
-<P>Any problems we are aware of at the time of a release are documented
- in the<A href="../BUGS"> BUGS</A> file for that release. You should
- also look at the<A href="../CHANGES"> CHANGES</A> file.</P>
-<P>Bugs discovered after a release are discussed on the<A href="mail.html">
- mailing lists</A>. The easiest way to check for any problems in the
- current code would be to peruse the<A href="http://lists.freeswan.org/pipermail/briefs">
- List In Brief</A>.</P>
-<H2><A name="mod_cons">Modifications and contributions</A></H2>
-<H3><A name="modify.faq">Can I modify FreeS/WAN to ...?</A></H3>
-<P>You are free to modify FreeS/WAN in any way. See the discussion of<A href="intro.html#licensing">
- licensing</A> in our introduction document.</P>
-<P>Before investing much energy in any such project, we suggest that you</P>
-<UL>
-<LI>check the list of<A href="web.html#patch"> existing patches</A></LI>
-<LI>post something about your project to the<A href="mail.html"> design
- mailing list</A></LI>
-</UL>
-<P>This may prevent duplicated effort, or lead to interesting
- collaborations.</P>
-<H3><A name="contrib.faq">Can I contribute to the project?</A></H3>
- In general, we welcome contributions from the community. Various
- contributed patches, either to fix bugs or to add features, have been
- incorporated into our distribution. Other patches, not yet included in
- the distribution, are listed in our<A href="web.html#patch"> web links</A>
- section.
-<P>Users have also contributed heavily to documentation, both by
- creating their own<A href="intro.html#howto"> HowTos</A> and by posting
- things on the<A href="mail.html"> mailing lists</A> which I have quoted
- in these HTML docs.</P>
-<P>There are, however, some caveats.</P>
-<P>FreeS/WAN is being implemented in Canada, by Canadians, largely to
- ensure that is it is entirely free of export restrictions. See this<A href="politics.html#status">
- discussion</A>. We<STRONG> cannot accept code contributions from US
- residents or citizens</STRONG>, not even one-line bugs fixes. The
- reasons for this were recently discussed extensively on the mailing
- list, in a thread starting<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/01/msg00111.html">
- here</A>.</P>
-<P>Not all contributions are of interest to us. The project has a set of
- fairly ambitious and quite specific goals, described in our<A href="intro.html#goals">
- introduction</A>. Contributions that lead toward these goals are likely
- to be welcomed enthusiastically. Other contributions may be seen as
- lower priority, or even as a distraction.</P>
-<P>Discussion of possible contributions takes place on the<A href="mail.html">
- design mailing list</A>.</P>
-<H3><A name="ddoc.faq">Is there detailed design documentation?</A></H3>
- There are:
-<UL>
-<LI><A href="rfc.html">RFCs</A> specifying the protocols we implement</LI>
-<LI><A href="manpages.html">man pages</A> for our utilities, library
- functions and file formats</LI>
-<LI>comments in the source code</LI>
-<LI><A href="index.html">HTML documentation</A> written primarily for
- users</LI>
-<LI>archived discussions from the<A href="mail.html"> mailing lists</A></LI>
-<LI>other papers mentioned in our<A href="intro.html#applied">
- introduction</A></LI>
-</UL>
-<P>The only formal design documents are a few papers in the last
- category above. All the other categories, however, have things to say
- about design as well.</P>
-<H2><A name="interact">Will FreeS/WAN work in my environment?</A></H2>
-<H3><A name="interop.faq">Can FreeS/WAN talk to ...?</A></H3>
-<P>The IPsec protocols are designed to support interoperation. In
- theory, any two IPsec implementations should be able to talk to each
- other. In practice, it is considerably more complex. We have a whole<A href="interop.html">
- interoperation document</A> devoted to this problem.</P>
-<P>An important part of that document is links to the many<A href="interop.html#otherpub">
- user-written HowTos</A> on interoperation between FreeS/WAN and various
- other implementations. Often the users know more than the developers
- about these issues (and almost always more than me :-), so these
- documents may be your best resource.</P>
-<H3><A name="old_to_new">Can different FreeS/WAN versions talk to each
- other?</A></H3>
-<P>Linux FreeS/WAN can interoperate with many IPsec implementations,
- including earlier versions of Linux FreeS/WAN itself.</P>
-<P>In a few cases, there are some complications. See our<A href="interop.html#oldswan">
- interoperation</A> document for details.</P>
-<H3><A name="faq.bandwidth">Is there a limit on throughput?</A></H3>
-<P>There is no hard limit, but see below.</P>
-<H3><A name="faq.number">Is there a limit on number of tunnels?</A></H3>
-<P>There is no hard limit, but see next question.</P>
-<H3><A name="faq.speed">Is a ... fast enough to handle FreeS/WAN with my
- loads?</A></H3>
-<P>A quick summary:</P>
-<DL>
-<DT>Even a limited machine can be useful</DT>
-<DD>A 486 can handle a T1, ADSL or cable link, though the machine may be
- breathing hard.</DD>
-<DT>A mid-range PC (say 800 MHz with good network cards) can do a lot of
- IPsec</DT>
-<DD>With up to roughly 50 tunnels and aggregate bandwidth of 20 Megabits
- per second, it willl have cycles left over for other tasks.</DD>
-<DT>There are limits</DT>
-<DD>Even a high end CPU will not come close to handling a fully loaded
- 100 Mbit/second Ethernet link.
-<P>Beyond about 50 tunnels it needs careful management.</P>
-</DD>
-</DL>
-<P>See our<A href="performance.html"> FreeS/WAN performance</A> document
- for details.</P>
-<H2><A name="work_on">Will FreeS/WAN work on ... ?</A></H2>
-<H3><A name="versions">Will FreeS/WAN run on my version of Linux?</A></H3>
-<P>We build and test on Redhat distributions, but FreeS/WAN runs just
- fine on several other distributions, sometimes with minor fiddles to
- adapt to the local environment. Details are in our<A href="compat.html#otherdist">
- compatibility</A> document. Also, some distributions or products come
- with<A href="intro.html#products"> FreeS/WAN included</A>.</P>
-<H3><A name="nonIntel.faq">Will FreeS/WAN run on non-Intel CPUs?</A></H3>
-<P>FreeS/WAN is<STRONG> intended to run on all CPUs Linux supports</STRONG>
-. We know of it being used in production on x86, ARM, Alpha and MIPS. It
- has also had successful tests on PPC and SPARC, though we don't know of
- actual use there. Details are in our<A href="compat.html#CPUs">
- compatibility</A> document.</P>
-<H3><A name="multi.faq">Will FreeS/WAN run on multiprocessors?</A></H3>
-<P>FreeS/WAN is designed to work on any SMP architecture Linux supports,
- and has been tested successfully on at least dual processor Intel
- architecture machines. Details are in our<A href="compat.html#multiprocessor">
- compatibility</A> document.</P>
-<H3><A name="k.old">Will FreeS/WAN work on an older kernel?</A></H3>
-<P>It might, but we strongly recommend using a recent 2.2 or 2.4 series
- kernel. Sometimes the newer versions include security fixes which can
- be quite important on a gateway.</P>
-<P>Also, we use recent kernels for development and testing, so those are
- better tested and, if you do encounter a problem, more easily
- supported. If something breaks applying recent FreeS/WAN patches to an
- older kernel, then &quot;update your kernel&quot; is almost certain to be the
- first thing we suggest. It may be the only suggestion we have.</P>
-<P>The precise kernel versions supported by a particular FreeS/WAN
- release are given in the<A href="XX"> README</A> file of that release.</P>
-<P>See the following question for more on kernels.</P>
-<H3><A name="k.versions">Will FreeS/WAN run on the latest kernel
- version?</A></H3>
-<P>Sometimes yes, but quite often, no.</P>
-<P>Kernel versions supported are given in the<A href="../README"> README</A>
- file of each FreeS/WAN release. Typically, they are whatever production
- kernels were current at the time of our release (or shortly before; we
- might release for kernel<VAR> n</VAR> just as Linus releases<VAR> n+1</VAR>
-). Often FreeS/WAN will work on slightly later kernels as well, but of
- course this cannot be guaranteed.</P>
-<P>For example, FreeS/WAN 1.91 was released for kernels 2.2.19 or 2.4.5,
- the current kernels at the time. It also worked on 2.4.6, 2.4.7 and
- 2.4.8, but 2.4.9 had changes that caused compilation errors if it was
- patched with FreeS/WAN 1.91.</P>
-<P>When such changes appear, we put a fix in the FreeS/WAN snapshots,
- and distribute it with our next release. However, this is not a high
- priority for us, and it may take anything from a few days to several
- weeks for such a problem to find its way to the top of our kernel
- programmer's To-Do list. In the meanwhile, you have two choices:</P>
-<UL>
-<LI>either stick with a slightly older kernel, even if it is not the
- latest and greatest. This is recommended for production systems; new
- versions may have new bugs.</LI>
-<LI>or fix the problem yourself and send us a patch, via the<A href="mail.html">
- Users mailing list</A>.</LI>
-</UL>
-<P>We don't even try to keep up with kernel changes outside the main 2.2
- and 2.4 branches, such as the 2.4.x-ac patched versions from Alan Cox
- or the 2.5 series of development kernels. We'd rather work on
- developing the FreeS/WAN code than on chasing these moving targets. We
- are, however, happy to get patches for problems discovered there.</P>
-<P>See also the<A href="install.html#choosek"> Choosing a kernel</A>
- section of our installation document.</P>
-<H3><A name="interface.faq">Will FreeS/WAN work on unusual network
- hardware?</A></H3>
-<P>IPsec is designed to work over any network that IP works over, and
- FreeS/WAN is intended to work over any network interface hardware that
- Linux supports.</P>
-<P>If you have working IP on some unusual interface -- perhaps Arcnet,
- Token Ring, ATM or Gigabit Ethernet -- then IPsec should &quot;just work&quot;.</P>
-<P>That said, practice is sometimes less tractable than theory. Our
- testing is done almost entirely on:</P>
-<UL>
-<LI>10 or 100 Mbit Ethernet</LI>
-<LI>ADSL or cable connections, with and without PPPoE</LI>
-<LI>IEEE 802.11 wireless LANs (see<A href="#wireless.faq"> below</A>)</LI>
-</UL>
-<P>If you have some other interface, especially an uncommon one, it is
- entirely possible you will get bitten either by a FreeS/WAN bug which
- our testing did not turn up, or by a bug in the driver that shows up
- only with our loads.</P>
-<P>If IP works on your interface and FreeS/WAN doesn't, seek help on the<A
-href="mail.html"> mailing lists</A>.</P>
-<P>Another FAQ section describes<A href="#pmtu.broken"> MTU problems</A>
-. These are a possibility for some interfaces.</P>
-<H3><A name="vlan">Will FreeS/WAN work on a VLAN (802.1q) network?</A></H3>
-<P> Yes, FreeSwan works fine, though some network drivers have problems
- with jumbo sized ethernet frames. If you used interfaces=%defaultroute
- you do not need to change anything, but if you specified an interface
- (eg eth0) then remember you must change that to reflect the VLAN
- interface (eg eth0.2 for VLAN ID 2).</P>
-<P> The &quot;eepro100&quot; module is known to be broken, use the e100 driver for
- those cards instead (included in 2.4 as 'alternative driver' for the
- Intel EtherExpressPro/100.</P>
-<P> You do not need to change any MTU setting (those are workarounds
- that are only needed for buggy drivers)</P>
-<P><EM>This FAQ contributed by Paul Wouters.</EM></P>
-<H2><A name="features.faq">Does FreeS/WAN support ...</A></H2>
-<P>For a discussion of which parts of the IPsec specifications FreeS/WAN
- does and does not implement, see our<A href="compat.html#spec">
- compatibility</A> document.</P>
-<P>For information on some often-requested features, see below.</P>
-<H3><A name="VPN.faq"></A>Does FreeS/WAN support site-to-site VPN (<A HREF="glossary.html#VPN">
-Virtual Private Network</A>) applications?</H3>
-<P>Absolutely. See this FreeS/WAN-FreeS/WAN<A HREF="config.html">
- configuration example</A>. If only one site is using FreeS/WAN, there
- may be a relevant HOWTO on our<A HREF="interop.html"> interop page</A>.</P>
-<H3><A name="warrior.faq">Does FreeS/WAN support remote users connecting
- to a LAN?</A></H3>
-<P>Yes. We call the remote users &quot;Road Warriors&quot;. Check out our
- FreeS/WAN-FreeS/WAN<A HREF="config.html#config.rw"> Road Warrior
- Configuration Example</A>.</P>
-<P>If your Road Warrior is a Windows or Mac PC, you may need to install
- an IPsec implementation on that machine. Our<A HREF="interop.html">
- interop</A> page lists many available brands, and features links to
- several HOWTOs.</P>
-<H3><A name="road.shared.possible">Does FreeS/WAN support remote users
- using shared secret authentication?</A></H3>
-<P><STRONG>Yes, but</STRONG> there are severe restrictions, so<STRONG>
- we strongly recommend using</STRONG><A href="glossary.html#RSA"><STRONG>
- RSA</STRONG></A><STRONG> keys for</STRONG><A href="glossary.html#authentication">
-<STRONG> authentication</STRONG></A><STRONG> instead</STRONG>.</P>
-<P>See this<A href="#road.PSK"> FAQ question</A>.</P>
-<H3><A name="wireless.faq">Does FreeS/WAN support wireless networks?</A></H3>
-<P>Yes, it is a common practice to use IPsec over wireless networks
- because their built-in encryption,<A href="glossary.html#WEP"> WEP</A>,
- is insecure.</P>
-<P>There is some<A href="adv_config.html#wireless.config"> discussion</A>
- in our advanced configuration document. See also the<A HREF="http://www.wavesec.org">
- WaveSEC site</A>.</P>
-<H3><A name="PKIcert">Does FreeS/WAN support X.509 or other PKI
- certificates?</A></H3>
-<P>Vanilla FreeS/WAN does not support X.509, but Andreas Steffen and
- others have provided a popular, well-supported X.509 patch.</P>
-<UL>
-<LI><A HREF="http://www.strongsec.com/freeswan">patch</A></LI>
-<LI><A HREF="http://www.freeswan.ca">Super FreeS/WAN</A> incorporates
- this and other user-contributed patches.</LI>
-<LI> Kai Martius'<A HREF="http://www.strongsec.com/freeswan/install.htm">
- X.509 Installation and Configuration Guide</A></LI>
-</UL>
-<P> Linux FreeS/WAN features<A HREF="quickstart.html"> Opportunistic
- Encryption</A>, an alternative Public Key Infrastructure based on
- Secure DNS.</P>
-<H3><A name="Radius">Does FreeS/WAN support user authentication (Radius,
- SecureID, Smart Card...)?</A></H3>
-<P>Andreas Steffen's<A HREF="http://www.strongsec.com/freeswan"> X.509
- patch</A> (v. 1.42+) supports Smart Cards. The patch does not ship with
- vanilla FreeS/WAN, but will be incorporated into<A HREF="http://www.freeswan.ca/">
- Super FreeS/WAN 2.01+</A>. The patch implements the PCKS#15
- Cryptographic Token Information Format Standard, using the OpenSC
- smartcard library functions.</P>
-<P>Older news:</P>
-<P>A user-supported patch to FreeS/WAN 1.3, for smart card style
- authentication, is available on<A HREF="http://alcatraz.webcriminals.com/~bastiaan/ipsec">
- Bastiaan's site</A>. It supports skeyid and ibutton. This patch is not
- part of Super FreeS/WAN.</P>
-<P>For a while progress on this front was impeded by a lack of standard.
- The IETF<A href="http://www.ietf.org/html.charters/ipsra-charter.html">
- working group</A> has now nearly completed its recommended solution to
- the problem; meanwhile several vendors have implemented various things.</P>
-
-<!--
-<p>The <a href="web.html#patch">patches</a> section of our web links document
-has links to some user work on this.</p>
--->
-<P>Of course, there are various ways to avoid any requirement for user
- authentication in IPsec. Consider the situation where road warriors
- build IPsec tunnels to your office net and you are considering
- requiring user authentication during tunnel negotiation. Alternatives
- include:</P>
-<UL>
-<LI>If you can trust the road warrior machines, then set them up so that
- only authorised users can create tunnels. If your road warriors use
- laptops, consider the possibility of theft.</LI>
-<LI>If the tunnel only provides access to particular servers and you can
- trust those servers, then set the servers up to require user
- authentication.</LI>
-</UL>
-<P>If either of those is trustworthy, it is not clear that you need user
- authentication in IPsec.</P>
-<H3><A name="NATtraversal">Does FreeS/WAN support NAT traversal?</A></H3>
-<P>Vanilla FreeS/WAN does not, but thanks to Mathieu Lafon and Arkoon
- Network Security, there's a patch to support this.</P>
-<UL>
-<LI><A HREF="http://open-source.arkoon.net">patch and documentation</A></LI>
-<LI><A HREF="http://www.freeswan.ca">Super FreeS/WAN</A> incorporates
- this and other user-contributed patches.</LI>
-</UL>
-<P>The NAT traversal patch has some issues with PSKs, so you may wish to
- authenticate with RSA keys, or X.509 (requires a patch which is also
- included in Super FreeS/WAN). Doing the latter also has advantages when
- dealing with large numbers of clients who may be behind NAT; instead of
- having to make an individual Roadwarrior connection for each virtual
- IP, you can use the &quot;rightsubnetwithin&quot; parameter to specify a range.
- See<A HREF="http://www.strongsec.com/freeswan/install.htm#section_4.4">
- these<VAR> rightsubnetwithin</VAR> instructions</A>.</P>
-<H3><A name="virtID">Does FreeS/WAN support assigning a &quot;virtual
- identity&quot; to a remote system?</A></H3>
-<P>Some IPsec implementations allow you to make the source address on
- packets sent by a Road Warrior machine be something other than the
- address of its interface to the Internet. This is sometimes described
- as assigning a virtual identity to that machine.</P>
-<P>FreeS/WAN does not directly support this, but it can be done. See
- this<A href="#road.masq"> FAQ question</A>.</P>
-<H3><A name="noDES.faq">Does FreeS/WAN support single DES encryption?</A>
-</H3>
-<P><STRONG>No</STRONG>, single DES is not used either at the<A href="glossary.html#IKE">
- IKE</A> level for negotiating connections or at the<A href="glossary.html#IPsec">
- IPsec</A> level for actually building them.</P>
-<P>Single DES is<A href="politics.html#desnotsecure"> insecure</A>. As
- we see it, it is more important to deliver real security than to comply
- with a standard which has been subverted into allowing use of
- inadequate methods. See this<A href="politics.html#weak"> discussion</A>
-.</P>
-<P>If you want to interoperate with an IPsec implementation which offers
- only DES, see our<A href="interop.html#noDES"> interoperation</A>
- document.</P>
-<H3><A name="AES.faq">Does FreeS/WAN support AES encryption?</A></H3>
-<P><A href="glossary.html#AES">AES</A> is a new US government<A href="glossary.html#block">
- block cipher</A> standard to replace the obsolete<A href="glossary.html#DES">
- DES</A>.</P>
-<P>At time of writing (March 2002), the FreeS/WAN distribution does not
- yet support AES but user-written<A href="web.html#patch"> patches</A>
- are available to add it. Our kernel programmer is working on
- integrating those patches into the distribution, and there is active
- discussion of this on the design mailimg list.</P>
-<H3><A name="other.cipher">Does FreeS/WAN support other encryption
- algorithms?</A></H3>
-<P>Currently<A href="glossary.html#3DES"> triple DES</A> is the only
- cipher supported. AES will almost certainly be added (see previous
- question), and it is likely that in the process we will also add the
- other two AES finalists with open licensing, Twofish and Serpent.</P>
-<P>We are extremely reluctant to add other ciphers. This would make both
- use and maintenance of FreeS/WAN more complex without providing any
- clear benefit. Complexity is emphatically not desirable in a security
- product.</P>
-<P>Various users have written patches to add other ciphers. We provide<A href="web.html#patch">
- links</A> to these.</P>
-<H2><A name="canI">Can I ...</A></H2>
-<H3><A name="policy.preconfig">Can I use policy groups along with
- explicitly configured connections?</A></H3>
-<P>Yes, you can, so long as you pay attention to the selection rule,
- which can be summarized &quot;the most specific connection wins&quot;. We
- describe the rule in our<A HREF="policygroups.html#policy.group.notes">
- policy groups</A> document, and provide a more technical explanation in<A
-HREF="manpage.d/ipsec.conf.5.html"> man ipsec.conf</A>.</P>
-<P>A good guideline: If you have a regular connection defined in<VAR>
- ipsec.conf</VAR>, ensure that a subset of that connection is not listed
- in a less restrictive policy group. Otherwise, FreeS/WAN will use the
- subset, with its more specific source/destination pair.</P>
-<P>Here's an example. Suppose you are the system administrator at
- 192.0.2.2. You have this connection in ipsec.conf:<VAR> ipsec.conf</VAR>
-:</P>
-<PRE>conn net-to-net
-    left=192.0.2.2           # you are here
-    right=192.0.2.8
-    rightsubnet=192.0.2.96/27
-    ....
-</PRE>
-<P>If you then place a host or net within<VAR> rightsubnet</VAR>, (let's
- say 192.0.2.98) in<VAR> private-or-clear</VAR>, you may find that
- 192.0.2.2 at times communicates in the clear with 192.0.2.98. That's
- consistent with the rule, but may be contrary to your expectations.</P>
-<P>On the other hand, it's safe to put a larger subnet in a less
- restrictive policy group file. If<VAR> private-or-clear</VAR> contains
- 192.0.2.0/24, then the more specific<VAR> net-to-net</VAR> connection
- is used for any communication to 192.0.2.96/27. The more general policy
- applies only to communication with hosts or subnets in 192.0.2.0/24
- without a more specific policy or connection.</P>
-<H3><A name="policy.off">Can I turn off policy groups?</A></H3>
-<P>Yes. Use<A HREF="policygroups.html#disable_policygroups"> these
- instructions</A>.</P>
-
-<!--
-<h3><a name="policy.otherinterface">Can I use policy groups
- on an interface other than <VAR>%defaultroute</VAR>?</a></h3>
-
-<p>??<p>
--->
-<H3><A name="reload">Can I reload connection info without restarting?</A>
-</H3>
-<P>Yes, you can do this. Here are the details, in a mailing list message
- from Pluto programmer Hugh Redelmeier:</P>
-<PRE>| How can I reload config's without restarting all of pluto and klips?  I am using
-| FreeSWAN -&gt; PGPNet in a medium sized production environment, and would like to be
-| able to add new connections ( i am using include config/* ) without dropping current
-| SA's.
-| 
-| Can this be done?
-| 
-| If not, are there plans to add this kind of feature?
-
-        ipsec auto --add whatever
-This will look in the usual place (/etc/ipsec.conf) for a conn named
-whatever and add it.
-
-If you added new secrets, you need to do
-        ipsec auto --rereadsecrets
-before Pluto needs to know those secrets.
-
-| I have looked (perhaps not thoroughly enough tho) to see how to do this:
-
-There may be more bits to look for, depending on what you are trying
-to do.</PRE>
-<P>Another useful command here is<VAR> ipsec auto --replace &lt;conn_name&gt;</VAR>
- which re-reads data for a named connection.</P>
-<H3><A name="masq.faq">Can I use several masqueraded subnets?</A></H3>
-<P>Yes. This is done all the time. See the discussion in our<A href="config.html#route_or_not">
- setup</A> document. The only restriction is that the subnets on the two
- ends must not overlap. See the next question.</P>
-<P>Here is a mailing list message on the topic. The user incorrectly
- thinks you need a 2.4 kernel for this -- actually various people have
- been doing it on 2.0 and 2.2 for quite some time -- but he has it right
- for 2.4.</P>
-<PRE>Subject: Double NAT and freeswan working :)
-   Date: Sun, 11 Mar 2001
-   From: Paul Wouters &lt;paul@xtdnet.nl&gt;
-
-Just to share my pleasure, and make an entry for people who are searching
-the net on how to do this. Here's the very simple solution to have a double
-NAT'ed network working with freeswan. (Not sure if this is old news, but I'm
-not on the list (too much spam) and I didn't read this in any HOWTO/FAQ/doc
-on the freeswan site yet (Sandy, put it in! :)
-
-10.0.0.0/24 --- 10.0.0.1 a.b.c.d  ---- a.b.c.e {internet} ----+
-                                                              |
-10.0.1.0/24 --- 10.0.1.1 f.g.h.i  ---- f.g.h.j {internet} ----+
-
-the goal is to have the first network do a VPN to the second one, yet also
-have NAT in place for connections not destinated for the other side of the
-NAT. Here the two Linux security gateways have one real IP number (cable
-modem, dialup, whatever.
-
-The problem with NAT is you don't want packets from 10.*.*.* to 10.*.*.*
-to be NAT'ed. While with Linux 2.2, you can't, with Linux 2.4 you can.
-
-(This has been tested and works for 2.4.2 with Freeswan snapshot2001mar8b)
-
-relevant parts of /etc/ipsec.conf:
-
-        left=f.g.h.i
-        leftsubnet=10.0.1.0/24
-        leftnexthop=f.g.h.j
-        leftfirewall=yes
-        leftid=@firewall.netone.nl
-        leftrsasigkey=0x0........
-        right=a.b.c.d
-        rightsubnet=10.0.0.0/24
-        rightnexthop=a.b.c.e
-        rightfirewall=yes
-        rightid=@firewall.nettwo.nl
-        rightrsasigkey=0x0......
-        # To authorize this connection, but not actually start it, at startup,
-        # uncomment this.
-        auto=add
-
-and now the real trick. Setup the NAT correctly on both sites:
-
-iptables -t nat -F
-iptables -t nat -A POSTROUTING -o eth0 -d \! 10.0.0.0/8 -j MASQUERADE
-
-This tells the NAT code to only do NAT for packets with destination other then
-10.* networks. note the backslash to mask the exclamation mark to protect it
-against the shell.
-
-Happy painting :)
-
-Paul</PRE>
-<H3><A name="dup_route">Can I use subnets masqueraded to the same
- addresses?</A></H3>
-<P><STRONG>No.</STRONG> The notion that IP addresses are unique is one
- of the fundamental principles of the IP protocol. Messing with it is
- exceedingly perilous.</P>
-<P>Fairly often a situation comes up where a company has several
- branches, all using the same<A href="glossary.html#non-routable">
- non-routable addresses</A>, perhaps 192.168.0.0/24. This works fine as
- long as those nets are kept distinct. The<A href="glossary.html#masq">
- IP masquerading</A> on their firewalls ensures that packets reaching
- the Internet carry the firewall address, not the private address.</P>
-<P>This can break down when IPsec enters the picture. FreeS/WAN builds a
- tunnel that pokes through both masquerades and delivers packets from<VAR>
- leftsubnet</VAR> to<VAR> rightsubnet</VAR> and vice versa. For this to
- work, the two subnets<EM> must</EM> be distinct.</P>
-<P>There are several solutions to this problem.</P>
-<P>Usually, you<STRONG> re-number the subnets</STRONG>. Perhaps the
- Vancouver office becomes 192.168.101.0/24, Calgary 192.168.102.0/24 and
- so on. FreeS/WAN can happily handle this. With, for example<VAR>
- leftsubnet=192.168.101.0/24</VAR> and<VAR> rightsubnet=192.168.102.0/24</VAR>
- in a connection description, any machine in Calgary can talk to any
- machine in Vancouver. If you want to be more restrictive and use
- something like<VAR> leftsubnet=192.168.101.128/25</VAR> and<VAR>
- rightsubnet=192.168.102.240/28</VAR> so only certain machines on each
- end have access to the tunnel, that's fine too.</P>
-<P>You could also<STRONG> split the subnet</STRONG> into smaller ones,
- for example using<VAR> 192.168.1.0/25</VAR> in Vancouver and<VAR>
- rightsubnet=192.168.0.128/25</VAR> in Calgary.</P>
-<P>Alternately, you can just<STRONG> give up routing</STRONG> directly
- to machines on the subnets. Omit the<VAR> leftsubnet</VAR> and<VAR>
- rightsubnet</VAR> parameters from your connection descriptions. Your
- IPsec tunnels will then run between the public interfaces of the two
- firewalls. Packets will be masqueraded both before they are put into
- tunnels and after they emerge. Your Vancouver client machines will see
- only one Calgary machine, the firewall.</P>
-<H3><A name="road.masq">Can I assign a road warrior an address on my net
- (a virtual identity)?</A></H3>
-<P>Often it would be convenient to be able to give a Road Warrior an IP
- address which appears to be on the local network. Some IPsec
- implementations have support for this, sometimes calling the feature
- &quot;virtual identity&quot;.</P>
-<P>Currently (Sept 2002) FreeS/WAN does not support this, and we have no
- definite plans to add it. The difficulty is that is not yet a standard
- mechanism for it. There is an Internet Draft for a method of doing it
- using<A href="glossary.html#DHCP"> DHCP</A> which looks promising.
- FreeS/WAN may support that in a future release.</P>
-<P>In the meanwhile, you can do it yourself using the Linux iproute2(8)
- facilities. Details are in<A href="http://www.av8n.com/vpn/iproute2.htm">
- this paper</A>.</P>
-<P>Another method has also been discussed on the mailing list.:</P>
-<UL>
-<LI>You can use a variant of the<A href="adv_config.html#extruded.config">
- extruded subnet</A> procedure.</LI>
-<LI>You have to avoid having the road warrior's assigned address within
- the range you actually use at home base. See previous question.</LI>
-<LI>On the other hand, you want the roadwarrior's address to be within
- the range that<EM> seems</EM> to be on your network.</LI>
-</UL>
-<P>For example, you might have:</P>
-<DL>
-<DT>leftsubnet=a.b.c.0/25</DT>
-<DD>head office network</DD>
-<DT>rightsubnet=a.b.c.129/32</DT>
-<DD>extruded to a road warrior. Note that this is not in a.b.c.0/25</DD>
-<DT>a.b.c.0/24</DT>
-<DD>whole network, including both the above</DD>
-</DL>
-<P>You then set up routing so that the office machines use the IPsec
- gateway as their route to a.b.c.128/25. The leftsubnet parameter tells
- the road warriors to use tunnels to reach a.b.c.0/25, so you should
- have two-way communication. Depending or your network and applications,
- there may be some additional work to do on DNS or Windows configuration</P>
-<H3><A name="road.many">Can I support many road warriors with one
- gateway?</A></H3>
-<P>Yes. This is easily done, using</P>
-<DL>
-<DT>either RSA authentication</DT>
-<DD>standard in the FreeS/WAN distribution</DD>
-<DT>or X.509 certificates</DT>
-<DD>requires<A href="#PKIcert"> Super FreeS/WAN or a patch</A>.</DD>
-</DL>
-<P>In either case, each Road Warrior must have a different key or
- certificate.</P>
-<P>It is also possible using pre-shared key authentication, though we
- don't recommend this; see the<A href="#road.PSK"> next question</A> for
- details.</P>
-<P>If you expect to have more than a few dozen Road Warriors connecting
- simultaneously, you may need a fairly powerful gateway machine. See our
- document on<A href="performance.html"> FreeS/WAN performance</A>.</P>
-<H3><A name="road.PSK">Can I have many road warriors using shared secret
- authentication?</A></H3>
-<P><STRONG>Yes, but avoid it if possible</STRONG>.</P>
-<P>You can have multiple Road Warriors using shared secret
- authentication<STRONG> only if they all use the same secret</STRONG>.
- You must also set:</P>
-<P></P>
-<PRE>   uniqueids=no   </PRE>
-<P>in the connection definition.</P>
-<P>Why it's less secure:</P>
-<UL>
-<LI>If you have many users, it becomes almost certain the secret will
- leak</LI>
-<LI>The secret becomes quite valuable to an attacker</LI>
-<LI>All users authenticate the same way, so the gateway cannot tell them
- apart for logging or access control purposes</LI>
-<LI>Changing the secret is difficult. You have to securely notify all
- users.</LI>
-<LI>If you find out the secret has been compromised, you can change it,
- but then what? None of your users can connect without the new secret.
- How will you notify them all, quickly and securely, without using the
- VPN?</LI>
-</UL>
-<P>This is a designed-in limitation of the<A href="glossary.html#IKE">
- IKE</A> key negotiation protocol, not a problem with our
- implementation.</P>
-<P><STRONG>We very strongly recommend that you avoid using shared secret
- authentication for multiple Road Warriors.</STRONG> Use RSA
- authentication instead.</P>
-<P>The longer story: When using shared secrets, the protocol requires
- that the responding gateway be able to determine which secret to use at
- a time when all it knows about the initiator is an IP address. This
- works fine if you know the initiator's address in advance and can use
- it to look up the appropiriate secret. However, it fails for Road
- Warriors since the gateway cannot know their IP addresses in advance.</P>
-<P>With RSA signatures (or certificates) the protocol is slightly
- different. The initiator provides an identifier early in the exchange
- and the responder can use that identifier to look up the correct key or
- certificate. See<A href="#road.many"> above</A>.</P>
-<H3><A name="QoS">Can I use Quality of Service routing with FreeS/WAN?</A>
-</H3>
-<P>From project technical lead Henry Spencer:</P>
-<PRE>&gt; Do QoS add to FreeS/WAN?
-&gt; For example integrating DiffServ and FreeS/WAN?
-
-With a current version of FreeS/WAN, you will have to add hidetos=no to
-the config-setup section of your configuration file.  By default, the TOS
-field of tunnel packets is zeroed; with hidetos=no, it is copied from the
-packet inside.  (This is a modest security hole, which is why it is no
-longer the default.)
-
-DiffServ does not interact well with tunneling in general.  Ways of
-improving this are being studied.</PRE>
-<P>Copying the<A href="glossary.html#TOS"> TOS</A> (type of service)
- information from the encapsulated packet to the outer header reveals
- the TOS information to an eavesdropper. This does not tell him much,
- but it might be of use in<A href="glossary.html#traffic"> traffic
- analysis</A>. Since we do not have to give it to him, our default is
- not to.</P>
-<P>Even with the TOS hidden, you can still:</P>
-<UL>
-<LI>apply QOS rules to the tunneled (ESP) packets; for example, by
- giving ESP packets a certain priority.</LI>
-<LI>apply QOS rules to the packets as they enter or exit the tunnel via
- an IPsec virtual interface (eg.<VAR> ipsec0</VAR>).</LI>
-</UL>
-<P>See<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> for more
- on the<VAR> hidetos=</VAR> parameter.</P>
-<H3><A name="deadtunnel">Can I recognise dead tunnels and shut them
- down?</A></H3>
-<P>There is no general mechanism to do this is in the IPsec protocols.</P>
-<P>From time to time, there is discussion on the IETF Working Group<A href="mail.html#ietf">
- mailing list</A> of adding a &quot;keep-alive&quot; mechanism (which some say
- should be called &quot;make-dead&quot;), but it is a fairly complex problem and
- no consensus has been reached on whether or how it should be done.</P>
-<P>The protocol does have optional<A href="#ignore"> delete-SA</A>
- messages which one side can send when it closes a connection in hopes
- this will cause the other side to do the same. FreeS/WAN does not
- currently support these. In any case, they would not solve the problem
- since:</P>
-<UL>
-<LI>a gateway that crashes or hangs would not send the messages</LI>
-<LI>the sender is not required to send them</LI>
-<LI>they are not authenticated, so any receiver that trusts them leaves
- itself open to a<A href="glossary.html#DOS"> denial of service</A>
- attack</LI>
-<LI>the receiver is not required to do anything about them</LI>
-<LI>the receiver cannot acknowledge them; the protocol provides no
- mechanism for that</LI>
-<LI>since they are not acknowledged, the sender cannot rely on them</LI>
-</UL>
-<P>However, connections do have limited lifetimes and you can control
- how many attempts your gateway makes to rekey before giving up. For
- example, you can set:</P>
-<PRE>conn default
-        keyingtries=3
-        keylife=30m</PRE>
-<P>With these settings old connections will be cleaned up. Within 30
- minutes of the other end dying, rekeying will be attempted. If it
- succeeds, the new connection replaces the old one. If it fails, no new
- connection is created. Either way, the old connection is taken down
- when its lifetime expires.</P>
-<P>Here is a mailing list message on the topic from FreeS/WAN tech
- support person Claudia Schmeing:</P>
-<PRE>You ask how to determine whether a tunnel is redundant:
-
-&gt; Can anybody explain the best way to determine this. Esp when a RW has
-&gt; disconnected? I thought 'ipsec auto --status' might be one way.
-
-If a tunnel goes down from one end, Linux FreeS/WAN on the
-other end has no way of knowing this until it attempts to rekey.
-Once it tries to rekey and fails, it will 'know' that the tunnel is 
-down.
-
-Because it doesn't have a way of knowing the state until this point, 
-it will also not be able to tell you the state via ipsec auto --status.
-
-&gt; However, comparing output from a working tunnel with that of one that
-&gt; was closed 
-&gt; did not show clearly show tunnel status.
-
-If your tunnel is down but not 'unrouted' (see man ipsec_auto), you
-should not be able to ping the opposite side of the tunnel. You can
-use this as an indicator of tunnel status.
-
-On a related note, you may be interested to know that as of 1.7, 
-redundant tunnels caused by RW disconnections are likely to be 
-less of a pain. From doc/CHANGES:
-
-    There is a new configuration parameter, uniqueids, to control a new Pluto
-    option:  when a new connection is negotiated with the same ID as an old
-    one, the old one is deleted immediately.  This should help eliminate
-    dangling Road Warrior connections when the same Road Warrior reconnects. 
-    It thus requires that IDs not be shared by hosts (a previously legal but
-    probably useless capability).  NOTE WELL:  the sample ipsec.conf now has
-    uniqueids=yes in its config-setup section.
-
-
-Cheers,
-
-Claudia</PRE>
-<H3><A name="demanddial">Can I build IPsec tunnels over a demand-dialed
- link?</A></H3>
-<P>This is possible, but not easy. FreeS/WAN technical lead Henry
- Spencer wrote:</P>
-<PRE>&gt; 5. If the ISDN link goes down in between and is reestablished, the SAs
-&gt; are still up but the eroute are deleted and the IPsec interface shows
-&gt; garbage (with ifconfig)
-&gt; 6. Only restarting IPsec will bring the VPN back online.
-
-This one is awkward to solve.  If the real interface that the IPsec
-interface is mounted on goes down, it takes most of the IPsec machinery
-down with it, and a restart is the only good way to recover. 
-
-The only really clean fix, right now, is to split the machines in two: 
-
-1. A minimal machine serves as the network router, and only it is aware
-that the link goes up and down. 
-
-2. The IPsec is done on a separate gateway machine, which thinks it has
-a permanent network connection, via the router.
-
-This is clumsy but it does work.  Trying to do both functions within a
-single machine is tricky.  There is a software package (diald) which will
-give the illusion of a permanent connection for demand-dialed modem
-connections; I don't know whether it's usable for ISDN, or whether it can
-be made to cooperate properly with FreeS/WAN. 
-
-Doing a restart each time the interface comes up *does* work, although it
-is a bit painful.  I did that with PPP when I was running on a modem link;
-it wasn't hard to arrange the PPP scripts to bring IPsec up and down at
-the right times.  (I'd meant to investigate diald but never found time.)
-
-In principle you don't need to do a complete restart on reconnect, but you
-do have to rebuild some things, and we have no nice clean way of doing
-only the necessary parts.</PRE>
-<P>In the same thread, one user commented:</P>
-<PRE>Subject: Re: linux-ipsec: IPsec and Dial Up Connections
-   Date: Wed, 22 Nov 2000
-   From: Andy Bradford &lt;andyb@calderasystems.com&gt;
-
-On Wed, 22 Nov 2000 19:47:11 +0100, Philip Reetz wrote:
-
-&gt; Are there any ideas what might be the cause of the problem and any way
-&gt; to work around it.
-&gt; Any help is highly appreciated.
-
-On my laptop, when using ppp there is a ip-up script in /etc/ppp that 
-will be executed each time that the ppp interface is brought up.  
-Likewise there is an ip-down script that is called when it is taken 
-down.  You might consider custimzing those to stop and start FreeS/WAN 
-with each connection.  I believe that ISDN uses the same files, though 
-I could be wrong---there should be something similar though.</PRE>
-<H3><A name="GRE">Can I build GRE, L2TP or PPTP tunnels over IPsec?</A></H3>
-<P>Yes. Normally this is not necessary, but it is useful in a few
- special cases. For example, if you must route non-IP packets such as
- IPX, you will need to use a tunneling protocol that can route these
- packets. IPsec can be layered around it for extra security. Another
- example: you can provide failover protection for high availability (HA)
- environments by combining IPsec with other tools. Ken Bantoft describes
- one such setup in<A HREF="http://www.freeswan.ca/docs/HA"> Using
- FreeS/WAN with Linux-HA, GRE, OSPF and BGP for enterprise grade VPN
- solutions</A>.</P>
-<P>GRE over IPsec is covered as part of<A HREF="http://www.freeswan.ca/docs/HA">
- that document</A>.<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00209.html">
- Here are links</A> to other GRE resources. Jacco de Leuw has created<A HREF="http://www.jacco2.dds.nl/networking/">
- this page on L2TP over IPsec</A> with instructions for FreeS/WAN and
- several other brands of IPsec software.</P>
-<P>Please let us know of other useful links via the<A HREF="mail.html">
- mailing lists</A>.</P>
-<H3><A name="NetBIOS">... use Network Neighborhood (Samba, NetBIOS) over
- IPsec?</A></H3>
-<P>Your local PC needs to know how to translate NetBIOS names to IP
- addresses. It may do this either via a local LMHOSTS file, or using a
- local or remote WINS server. The WINS server is preferable since it
- provides a centralized source of the information to the entire network.
- To use a WINS server over the<A HREF="glossary.html#VPN"> VPN</A> (or
- any IP-based network), you must enable &quot;NetBIOS over TCP&quot;.</P>
-<P><A HREF="http://www.samba.org">Samba</A> can emulate a WINS server on
- Linux.</P>
-<P> See also several discussions in our<A HREF="http://lists.freeswan.org/pipermail/users/2002-September/thread.html">
- September 2002 Users archives</A></P>
-<H2><A name="setup.faq">Life's little mysteries</A></H2>
-<P>FreeS/WAN is a fairly complex product. (Neither the networks it runs
- on nor the protocols it uses are simple, so it could hardly be
- otherwise.) It therefore sometimes exhibits behaviour which can be
- somewhat confusing, or has problems which are not easy to diagnose.
- This section tries to explain those problems.</P>
-<P>Setup and configuration of FreeS/WAN are covered in other
- documentation sections:</P>
-<UL>
-<LI><A href="quickstart.html">basic setup and configuration</A></LI>
-<LI><A href="adv_config.html">advanced configuration</A></LI>
-<LI><A href="trouble.html">Troubleshooting</A></LI>
-</UL>
-<P>However, we also list some of the commonest problems here.</P>
-<H3><A name="cantping">I cannot ping ....</A></H3>
-<P>This question is dealt with in the advanced configuration section
- under the heading<A href="adv_config.html#multitunnel"> multiple
- tunnels</A>.</P>
-<P>The standard subnet-to-subnet tunnel protects traffic<STRONG> only
- between the subnets</STRONG>. To test it, you must use pings that go
- from one subnet to the other.</P>
-<P>For example, suppose you have:</P>
-<PRE>      subnet a.b.c.0/24
-             |
-      eth1 = a.b.c.1
-         gate1
-      eth0 = 192.0.2.8
-             |
-
-       ~ internet ~
-
-             |
-      eth0 = 192.0.2.11
-         gate2
-      eth1 = x.y.z.1
-              |
-       subnet x.y.z.0/24</PRE>
-<P>and the connection description:</P>
-<PRE>conn abc-xyz
-     left=192.0.2.8
-     leftsubnet=a.b.c.0/24
-     right=192.0.2.11
-     rightsubnet=x.y.z.0/24</PRE>
-<P>You can test this connection description only by sending a ping that
- will actually go through the tunnel. Assuming you have machines at
- addresses a.b.c.2 and x.y.z.2, pings you might consider trying are:</P>
-<DL>
-<DT>ping from x.y.z.2 to a.b.c.2 or vice versa</DT>
-<DD>Succeeds if tunnel is working. This is the<STRONG> only valid test
- of the tunnel</STRONG>.</DD>
-<DT>ping from gate2 to a.b.c.2 or vice versa</DT>
-<DD><STRONG>Does not use tunnel</STRONG>. gate2 is not on protected
- subnet.</DD>
-<DT>ping from gate1 to x.y.z.2 or vice versa</DT>
-<DD><STRONG>Does not use tunnel</STRONG>. gate1 is not on protected
- subnet.</DD>
-<DT>ping from gate1 to gate2 or vice versa</DT>
-<DD><STRONG>Does not use tunnel</STRONG>. Neither gate is on a protected
- subnet.</DD>
-</DL>
-<P>Only the first of these is a useful test of this tunnel. The others
- do not use the tunnel. Depending on other details of your setup and
- routing, they:</P>
-<UL>
-<LI>either fail, telling you nothing about the tunnel</LI>
-<LI>or succeed, telling you nothing about the tunnel since these packets
- use some other route</LI>
-</UL>
-<P>In some cases, you may be able to get around this. For the example
- network above, you could use:</P>
-<PRE>        ping -I a.b.c.1 x.y.z.1</PRE>
-<P>Both the adresses given are within protected subnets, so this should
- go through the tunnel.</P>
-<P>If required, you can build additional tunnels so that all the
- machines involved can talk to all the others. See<A href="adv_config.html#multitunnel">
- multiple tunnels</A> in the advanced configuration document for
- details.</P>
-<H3><A name="forever">It takes forever to ...</A></H3>
-<P>Users fairly often report various problems involving long delays,
- sometimes on tunnel setup and sometimes on operations done through the
- tunnel, occasionally on simple things like ping or more often on more
- complex operations like doing NFS or Samba through the tunnel.</P>
-<P>Almost always, these turn out to involve failure of a DNS lookup. The
- timeouts waiting for DNS are typically set long so that you won't time
- out when a query involves multiple lookups or long paths. Genuine
- failures therefore produce long delays before they are detected.</P>
-<P>A mailing list message from project technical lead Henry Spencer:</P>
-<PRE>&gt; ... when i run /etc/rc.d/init.d/ipsec start, i get:
-&gt; ipsec_setup: Starting FreeS/WAN IPsec 1.5...
-&gt; and it just sits there, doesn't give back my bash prompt.
-
-Almost certainly, the problem is that you're using DNS names in your
-ipsec.conf, but DNS lookups are not working for some reason.  You will
-get your prompt back... eventually.  But the DNS timeouts are long.
-Doing something about this is on our list, but it is not easy.</PRE>
-<P>In the meanwhile, we recommend that connection descriptions in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> use numeric IP addresses rather than names which will
- require a DNS lookup.</P>
-<P>Names that do not require a lookup are fine. For example:</P>
-<UL>
-<LI>a road warrior might use the identity<VAR>
- rightid=@lancelot.example.org</VAR></LI>
-<LI>the gateway might use<VAR> leftid=@camelot.example.org</VAR></LI>
-</UL>
-<P>These are fine. The @ sign prevents any DNS lookup. However, do not
- attempt to give the gateway address as<VAR> left=camelot.example.org</VAR>
-. That requires a lookup.</P>
-<P>A post from one user after solving a problem with long delays:</P>
-<PRE>Subject: Final Answer to Delay!!!
-   Date: Mon, 19 Feb 2001
-   From: &quot;Felippe Solutions&quot; &lt;felippe@solutionstecnologia.com.br&gt;
-
-Sorry people, but seems like the Delay problem had nothing to do with
-freeswan.
-
-The problem was DNS as some people sad from the beginning, but not the way
-they thought it was happening. Samba, ssh, telnet and other apps try to
-reverse lookup addresses when you use IP numbers (Stupid that ahh).
-
-I could ping very fast because I always ping with &quot;-n&quot; option, but I don't
-know the option on the other apps to stop reverse addressing so I don't use
-it.</PRE>
-<P>This post is fairly typical. These problems are often tricky and
- frustrating to diagnose, and most turn out to be DNS-related.</P>
-<P>One suggestion for diagnosis: test with both names and addresses if
- possible. For example, try all of:</P>
-<UL>
-<LI>ping<VAR> address</VAR></LI>
-<LI>ping -n<VAR> address</VAR></LI>
-<LI>ping<VAR> name</VAR></LI>
-</UL>
-<P>If these behave differently, the problem must be DNS-related since
- the three commands do exactly the same thing except for DNS lookups.</P>
-<H3><A name="route">I send packets to the tunnel with route(8) but they
- vanish</A></H3>
-<P>IPsec connections are designed to carry only packets travelling
- between pre-defined connection endpoints. As project technical lead
- Henry Spencer put it:</P>
-<BLOCKQUOTE> IPsec tunnels are not just virtual wires; they are virtual
- wires with built-in access controls. Negotiation of an IPsec tunnel
- includes negotiation of access rights for it, which don't include
- packets to/from other IP addresses. (The protocols themselves are quite
- inflexible about this, so there are limits to what we can do about it.)</BLOCKQUOTE>
-<P>For fairly obvious security reasons, and to comply with the IPsec
- RFCs,<A href="glossary.html#KLIPS"> KLIPS</A> drops any packets it
- receives that are not allowed on the tunnels currently defined. So if
- you send it packets with<VAR> route(8)</VAR>, and suitable tunnels are
- not defined, the packets vanish. Whether this is reported in the logs
- depends on the setting of<VAR> klipsdebug</VAR> in your<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> file.</P>
-<P>To rescue vanishing packets, you must ensure that suitable tunnels
- for them exist, by editing the connection descriptions in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>. For example, supposing you have a simple setup:</P>
-<PRE>         leftsubnet -- leftgateway === internet === roadwarrior</PRE>
-<P>If you want to give the roadwarrior access to some resource that is
- located behind the left gateway but is not in the currently defined
- left subnet, then the usual procedure is to define an additional tunnel
- for those packets by creating a new connection description.</P>
-<P>In some cases, it may be easier to alter an existing connection
- description, enlarging the definition of<VAR> leftsubnet</VAR>. For
- example, instead of two connection descriptions with 192.168.8.0/24 and
- 192.168.9.0/24 as their<VAR> leftsubnet</VAR> parameters, you can use a
- single description with 192.168.8.0/23.</P>
-<P>If you have multiple endpoints on each side, you need to ensure that
- there is a route for each pair of endpoints. See this<A href="adv_config.html#multitunnel">
- example</A>.</P>
-<H3><A name="down_route">When a tunnel goes down, packets vanish</A></H3>
-<P>This is a special case of the vanishing packet problem described in
- the previous question. Whenever KLIPS sees packets for which it does
- not have a tunnel, it drops them.</P>
-<P>When a tunnel goes away, either because negotiations with the other
- gateway failed or because you gave an<VAR> ipsec auto --down</VAR>
- command, the route to its other end is left pointing into KLIPS, and
- KLIPS will drop packets it has no tunnel for.</P>
-<P>This is a documented design decision, not a bug. FreeS/WAN must not
- automatically adjust things to send packets via another route. The
- other route might be insecure.</P>
-<P>Of course, re-routing may be necessary in many cases. In those cases,
- you have to do it manually or via scripts. We provide the<VAR> ipsec
- auto --unroute</VAR> command for these cases.</P>
-<P>From<A href="manpage.d/ipsec_auto.8.html"> ipsec_auto(8)</A>:</P>
-<BLOCKQUOTE> Normally, pluto establishes a route to the destination
- specified for a connection as part of the --up operation. However, the
- route and only the route can be established with the --route operation.
- Until and unless an actual connection is established, this discards any
- packets sent there, which may be preferable to having them sent
- elsewhere based on a more general route (e.g., a default route).</BLOCKQUOTE><BLOCKQUOTE>
- Normally, pluto's route to a destination remains in place when a --down
- operation is used to take the connection down (or if connection setup,
- or later automatic rekeying, fails). This permits establishing a new
- connection (perhaps using a different specification; the route is
- altered as necessary) without having a ``window'' in which packets
- might go elsewhere based on a more general route. Such a route can be
- removed using the --unroute operation (and is implicitly removed by
- --delete).</BLOCKQUOTE>
-<P>See also this mailing list<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00523.html">
- message</A>.</P>
-<H3><A name="firewall_ate">The firewall ate my packets!</A></H3>
-<P>If firewalls filter out:</P>
-<UL>
-<LI>either the UDP port 500 packets used in IKE negotiations</LI>
-<LI>or the ESP and AH (protocols 50 and 51) packets used to implement
- the IPsec tunnel</LI>
-</UL>
-<P>then IPsec cannot work. The first thing to check if packets seem to
- be vanishing is the firewall rules on the two gateway machines and any
- other machines along the path that you have access to.</P>
-<P>For details, see our document on<A href="firewall.html"> firewalls</A>
-.</P>
-<P>Some advice from technical lead Henry Spencer on diagnosing such
- problems:</P>
-<PRE>&gt; &gt; Packets vanishing between the hardware interface and the ipsecN interface
-&gt; &gt; is usually the result of firewalls not being configured to let them in...
-&gt; 
-&gt; Thanks for the suggestion. If only it were that simple! My ipchains startup
-&gt; script does take care of that, but just in case I manually inserted rules 
-&gt; accepting everything from london on dublin. No difference.
-
-The other thing to check is whether the &quot;RX packets dropped&quot; count on the
-ipsecN interface (run &quot;ifconfig ipsecN&quot;, for N=1 or whatever, to see the
-counts) is rising.  If so, then there's some sort of configuration mismatch
-between the two ends, and IPsec itself is rejecting them.  If none of the
-ipsecN counts is rising, then the packets are never reaching the IPsec
-machinery, and the problem is almost certainly in firewalls etc.</PRE>
-<H3><A name="dropconn">Dropped connections</A></H3>
-<P>Networks being what they are, IPsec connections can be broken for any
- number of reasons, ranging from hardware failures to various software
- problems such as the path MTU problems discussed<A href="#pmtu.broken">
- elsewhere in the FAQ</A>. Fortunately, various diagnostic tools exist
- that help you sort out many of the possible problems.</P>
-<P>There is one situation, however, where FreeS/WAN (using default
- settings) may destroy a connection for no readily apparent reason. This
- occurs when things are<STRONG> misconfigured</STRONG> so that<STRONG>
- two tunnels</STRONG> from the same gateway expect<STRONG> the same
- subnet on the far end</STRONG>.</P>
-<P>In this situation, the first tunnel comes up fine and works until the
- second is established. At that point, because of the way we track
- connections internally, the first tunnel ceases to exist as far as this
- gateway is concerned. Of course the far end does not know that, and a
- storm of error messages appears on both systems as it tries to use the
- tunnel.</P>
-<P>If the far end gives up, goes back to square one and negotiates a new
- tunnel, then that wipes out the second tunnel and ...</P>
-<P>The solution is simple.<STRONG> Do not build multiple conn
- descriptions with the same remote subnet</STRONG>.</P>
-<P>This is actually intended to be a feature, rather than a bug.
- Consider the situation where a single remote system goes down, then
- comes back up and reconnects to the gateway. It is useful to have the
- gateway tear down the old tunnel and recover resources when the
- reconnection is made. It recognises that situation by checking the
- remote subnet for each tunnel it builds and discarding duplicates. This
- works fine as long as you don't configure multiple tunnels with the
- same remote subnet.</P>
-<P>If this behaviour is inconvenient for you, you can disable it by
- setting<VAR> uniqueids=no</VAR> in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>.</P>
-<H3><A name="defaultroutegone">Disappearing %defaultroute</A></H3>
-<P>When an underlying connection (eg. ppp) goes down, FreeS/WAN will not
- recover properly without a little help. Here are the symptoms that
- FreeS/WAN user Michael Carmody noticed:</P>
-<PRE>
-&gt; After about 24 hours the freeswan connection takes over the default route.
-&gt; 
-&gt; i.e instead of deafult gateway pointing to the router via eth0, it becomes a 
-&gt; pointer to the router via ipsec0.
- 
-&gt; All internet access is then lost as all replies (and not just the link I 
-&gt; wanted) are routed out ipsec0 and the router doesn't respond to the ipsec 
-&gt; traffic.
-</PRE>
-<P>If you're using a FreeS/WAN 2.x/KLIPS system, simply re-attach the
- IPsec virtual interface with<EM> ipsec tnconfig</EM> command such as:</P>
-<PRE>    ipsec tnconfig --attach --virtual ipsec0 --physical ppp0</PRE>
-<P>In your command, name the physical and virtual interfaces as they
- appear paired on your system during regular uptime. For a system with
- several physical/virtual interface pairs on flaky links, you'll need
- more than one such command. If you're using FreeS/WAN 1.x, you must
- restart FreeS/WAN, which is more time consuming.</P>
-<P><A href="http://lists.freeswan.org/pipermail/design/2002-July/003070.html">
- Here</A> is a script which can help to automate the process of
- FreeS/WAN restart at need. It could easily be adapted to use tnconfig
- instead.</P>
-<H3><A name="tcpdump.faq">TCPdump on the gateway shows strange things</A>
-</H3>
- As another user pointed out, keeping the connect
-<P>Attempting to look at IPsec packets by running monitoring tools on
- the IPsec gateway machine can produce silly results. That machine is
- mangling the packets for IPsec, and possibly for firewall or NAT
- purposes as well. If the internals of the machine's IP stack are not
- what the monitoring tool expects, then the tool can misinterpret them
- and produce nonsense output.</P>
-<P>See our<A href="testing.html#tcpdump.test"> testing</A> document for
- more detail.</P>
-<H3><A name="no_trace">Traceroute does not show anything between the
- gateways</A></H3>
-<P>As far as traceroute can see, the two gateways are one hop apart; the
- data packet goes directly from one to the other through the tunnel. Of
- course the outer packets that implement the tunnel pass through
- whatever lies between the gateways, but those packets are built and
- dismantled by the gateways. Traceroute does not see them and cannot
- report anything about their path.</P>
-<P>Here is a mailing list message with more detail.</P>
-<PRE>Date: Mon, 14 May 2001
-To: linux-ipsec@freeswan.org
-From: &quot;John S. Denker&quot; &lt;jsd@research.att.com&lt;
-Subject: Re: traceroute: one virtual hop
-
-At 02:20 PM 5/14/01 -0400, Claudia Schmeing wrote:
-&gt;
-&gt;&gt; &gt; A bonus question: traceroute in subnet to subnet enviroment looks like:
-&gt;&gt; &gt; 
-&gt;&gt; &gt; traceroute to andris.dmz (172.20.24.10), 30 hops max, 38 byte packets
-&gt;&gt; &gt; 1  drama (172.20.1.1)  0.716 ms  0.942 ms  0.434 ms
-&gt;&gt; &gt; 2  * * *
-&gt;&gt; &gt; 3  andris.dmz (172.20.24.10)  73.576 ms  78.858 ms  79.434 ms
-&gt;&gt; &gt; 
-&gt;&gt; &gt; Why aren't there the other hosts which take part in the delivery during 
-&gt;    * * * ?
-&gt;
-&gt;If there is an ipsec tunnel between GateA and Gate B, this tunnel forms a 
-&gt;'virtual wire'.  When it is tunneled, the original packet becomes an inner 
-&gt;packet, and new ESP and/or AH headers are added to create an outer packet 
-&gt;around it. You can see an example of how this is done for AH at 
-&gt;doc/ipsec.html#AH . For ESP it is similar.
-&gt;
-&gt;Think about the packet's path from the inner packet's perspective.
-&gt;It leaves the subnet, goes into the tunnel, and re-emerges in the second
-&gt;subnet. This perspective is also the only one available to the
-&gt;'traceroute' command when the IPSec tunnel is up.
-
-Claudia got this exactly right.  Let me just expand on a couple of points:
-
-*) GateB is exactly one (virtual) hop away from GateA.  This is how it
-would be if there were a physically private wire from A to B.  The
-virtually private connection should work the same, and it does.
-
-*) While the information is in transit from GateA to GateB, the hop count
-of the outer header (the &quot;envelope&quot;) is being decremented.  The hop count
-of the inner header (the &quot;contents&quot; of the envelope) is not decremented and
-should not be decremented.  The hop count of the outer header is not
-derived from and should not be derived from the hop count of the inner header.
-
-Indeed, even if the packets did time out in transit along the tunnel, there
-would be no way for traceroute to find out what happened.  Just as
-information cannot leak _out_ of the tunnel to the outside, information
-cannot leak _into_ the tunnel from outside, and this includes ICMP messages
-from routers along the path.
-
-There are some cases where one might wish for information about what is
-happening at the IP layer (below the tunnel layer) -- but the protocol
-makes no provision for this.  This raises all sorts of conceptual issues.
-AFAIK nobody has ever cared enough to really figure out what _should_
-happen, let alone implement it and standardize it.
-
-*) I consider the &quot;* * *&quot; to be a slight bug.  One might wish for it to be
-replaced by &quot;GateB GateB GateB&quot;.  It has to do with treating host-to-subnet
-traffic different from subnet-to-subnet traffic (and other gory details).
-I fervently hope KLIPS2 will make this problem go away.
-
-*) If you want to ask questions about the link from GateA to GateB at the
-IP level (below the tunnel level), you have to ssh to GateA and launch a
-traceroute from there.</PRE>
-<H2><A name="man4debug">Testing in stages</A></H2>
-<P>It is often useful in debugging to test things one at a time:</P>
-<UL>
-<LI>disable IPsec entirely, for example by turning it off with
- chkconfig(8), and make sure routing works</LI>
-<LI>Once that works, try a manually keyed connection. This does not
- require key negotiation between Pluto and the key daemon on the other
- end.</LI>
-<LI>Once that works, try automatically keyed connections</LI>
-<LI>Once IPsec works, add packet compression</LI>
-<LI>Once everything seems to work, try stress tests with large
- transfers, many connections, frequent re-keying, ...</LI>
-</UL>
-<P>FreeS/WAN releases are tested for all of these, so you can be
- reasonably certain they<EM> can</EM> do them all. Of course, that does
- not mean they<EM> will</EM> on the first try, especially if you have
- some unusual configuration.</P>
-<P>The rest of this section gives information on diagnosing the problem
- when each of the above steps fails.</P>
-<H3><A name="nomanual">Manually keyed connections don't work</A></H3>
-<P>Suspect one of:</P>
-<UL>
-<LI>mis-configuration of IPsec system in the /etc/ipsec.conf file
-<BR> common errors are incorrect interface or next hop information</LI>
-<LI>mis-configuration of manual connection in the /etc/ipsec.conf file</LI>
-<LI>routing problems causing IPsec packets to be lost</LI>
-<LI>bugs in KLIPS</LI>
-<LI>mismatch between the transforms we support and those another IPsec
- implementation offers.</LI>
-</UL>
-<H3><A name="spi_error">One manual connection works, but second one
- fails</A></H3>
-<P>This is a fairly common problem when attempting to configure multiple
- manually keyed connections from a single gateway.</P>
-<P>Each connection must be identified by a unique<A href="glossary.html#SPI">
- SPI</A> value. For automatic connections, these values are assigned
- automatically. For manual connections, you must set them with<VAR> spi=</VAR>
- statements in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A>.</P>
-<P>Each manual connection must have a unique SPI value in the range
- 0x100 to 0x999. Two or more with the same value will fail. For details,
- see our doc section<A href="adv_config.html#prodman"> Using manual
- keying in production</A> and the man page<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>.</P>
-<H3><A name="man_no_auto">Manual connections work, but automatic keying
- doesn't</A></H3>
-<P>The most common reason for this behaviour is a firewall dropping the
- UDP port 500 packets used in key negotiation.</P>
-<P>Other possibilities:</P>
-<UL>
-<LI>mis-configuration of auto connection in the /etc/ipsec.conf file.
-<P>One common configuration error is forgetting that you need<VAR>
- auto=add</VAR> to load the connection description on the receiving end
- so it recognises the connection when the other end asks for it.</P>
-</LI>
-<LI>error in shared secret in /etc/ipsec.secrets</LI>
-<LI>one gateway lacks a route to the other so Pluto's UDP packets are
- lost</LI>
-<LI>bugs in Pluto</LI>
-<LI>incompatibilities between Pluto's<A href="glossary.html#IKE"> IKE</A>
- implementation and the IKE at the other end of the tunnel.
-<P>Some possibile problems are discussed in out<A href="interop.html#interop.problem">
- interoperation</A> document.</P>
-</LI>
-</UL>
-<H3><A name="nocomp">IPsec works, but connections using compression fail</A>
-</H3>
-<P>When we first added compression, we saw some problems:</P>
-<UL>
-<LI>compatibility issues with other implementations. We followed the
- RFCs and omitted some extra material that many compression libraries
- add by default. Some other implementations left the extras in</LI>
-<LI>bugs in assembler compression routines on non-Intel CPUs. The
- workaround is to use C code instead of possibly problematic assembler.</LI>
-</UL>
-<P>We have not seen either problem in some time (at least six months as
- I write in March 2002), but if you have some unusual configuration then
- you may see them.</P>
-<H3><A name="pmtu.broken">Small packets work, but large transfers fail</A>
-</H3>
-<P>If tests with ping(1) and a small packet size succeed, but tests or
- transfers with larger packet sizes fail, suspect problems with packet
- fragmentation and perhaps<A href="glossary.html#pathMTU"> path MTU
- discovery</A>.</P>
-<P>Our<A href="trouble.html#bigpacket"> troubleshooting document</A>
- covers these problems. Information on the underlying mechanism is in
- our<A href="background.html#MTU.trouble"> background</A> document.</P>
-<H3><A name="subsub">Subnet-to-subnet works, but tests from the gateways
- don't</A></H3>
-<P>This is described under<A href="#cantping"> I cannot ping...</A>
- above.</P>
-<H2><A name="compile.faq">Compilation problems</A></H2>
-<H3><A name="gmp.h_missing">gmp.h: No such file or directory</A></H3>
-<P>Pluto needs the GMP (<STRONG>G</STRONG>NU</P>
-<P><STRONG>M</STRONG>ulti-<STRONG>P</STRONG>recision) library for the
- large integer calculations it uses in<A href="glossary.html#public">
- public key</A> cryptography. This error message indicates a failure to
- find the library. You must install it before Pluto will compile.</P>
-<P>The GMP library is included in most Linux distributions. Typically,
- there are two RPMs, libgmp and libgmp-devel, You need to<EM> install
- both</EM>, either from your distribution CDs or from your vendor's web
- site.</P>
-<P>On Debian, a mailing list message reports that the command to give is<VAR>
- apt-get install gmp2</VAR>.</P>
-<P>For more information and the latest version, see the<A href="http://www.swox.com/gmp/">
- GMP home page</A>.</P>
-<H3><A name="noVM">... virtual memory exhausted</A></H3>
-<P>We have had several reports of this message appearing, all on SPARC
- Linux. Here is a mailing message on a solution:</P>
-<PRE>&gt; ipsec_sha1.c: In function `SHA1Transform':
-&gt; ipsec_sha1.c:95: virtual memory exhausted
-
-I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
-MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.
-
-I can get around this by using -O instead of -O2 for the optimization
-level.  So it is probably a bug in the optimizer on the sparc complier. 
-I'll try and chase this down on the sparc lists.</PRE>
-<H2><A name="error">Interpreting error messages</A></H2>
-<H3><A name="route-client">route-client (or host) exited with status 7</A>
-</H3>
-<P>Here is a discussion of this error from FreeS/WAN &quot;listress&quot; (mailing
- list tech support person) Claudia Schmeing. The &quot;FAQ on the network
- unreachable error&quot; which she refers to is the next question below.</P>
-<PRE>&gt; I reached the point where the two boxes (both on dial-up connections, but
-&gt; treated as static IPs by getting the IP and editing ipsec.conf after the
-&gt; connection is established) to the point where they exchange some info, but I
-&gt; get an error like &quot;route-client command exited with status 7 \n internal
-&gt; error&quot;.
-&gt; Where can I find a description of this error?
-
-In general, if the FAQ doesn't cover it, you can search the mailing list 
-archives - I like to use
-http://www.sandelman.ottawa.on.ca/linux-ipsec/
-but you can see doc/mail.html for different archive formats.
-
-
-Your error comes from the _updown script, which performs some
-routing and firewall functions to help Linux FreeS/WAN. More info
-is available at doc/firewall.html and man ipsec.conf. Its routing
-is integral to the health of Linux FreeS/WAN; it also provides facility
-to insert custom firewall rules to be executed when you create or destroy
-a connection.
-
-Yours is, of course, a routing error. You can be fairly sure the routing 
-machinery is saying &quot;network is unreachable&quot;. There's a FAQ on the 
-&quot;network is unreachable&quot; error, but more information is available now; read on.
-
-If your _updown script is recent (for example if it shipped with 
-Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
-that looks something like this:
-
-&gt; output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
-&gt; netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed
-
-This is, of course, the system route command that exited with status 7, 
-(ie. failed). Man route for details. Seeing the command typed out yields 
-more information. If your _updown script is older, you may wish to update 
-it to show the command explicitly.
-
-Three parameters fed to the route command: net, netmask and gw [gateway] 
-are derived from things you've put in ipsec.conf.
-
-Net and netmask are derived from the peer's IP and mask. In more detail:
-
-You may see a routing error when routing to a client (ie. subnet), or 
-to a host (IPSec gateway or freestanding host; a box that does IPSec for
-itself). In _updown, the &quot;route-client&quot; section  is responsible to set up 
-the route for IPSec'd (usually, read 'tunneled') packets headed to a 
-peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
-or IPSec gateway.
-
-When routing to a 'client', net and netmask are ipsec.conf's left- or 
-rightsubnet (whichever is not local). Similarly, when routing to a 
-'host' the net is left or right. Host netmask is always /32, indicating a 
-single machine.
-
-Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
-whichever is local. Where left/right or left-/rightnexthop has the special 
-value %defaultroute (described in man ipsec.conf), gw will automagically get
-the value of the next hop on the default route.
-
-Q: &quot;What's a nexthop and why do I need one?&quot;
-
-A: 'nexthop' is a routing kluge; its value is the next hop away
-   from the machine that's doing IPSec, and toward your IPSec peer. 
-   You need it to get the processed packets out of the local system and 
-   onto the wire. While we often route other packets through the machine 
-   that's now doing IPSec, and are done with it, this does not suffice here. 
-   After packets are processed with IPSec, this machine needs to know where 
-   they go next. Of course using the 'IPSec gateway' as their routing gateway 
-   would cause an infinite loop! [To visualize this, see the packet flow 
-   diagram at doc/firewall.html.] To avoid this, we route packets through 
-   the next hop down their projected path.
-
-Now that you know the background, consider:
-1. Did you test routing between the gateways in the absence of Linux
-   FreeS/WAN, as recommended? You need to ensure the two machines that
-   will be running Linux FreeS/WAN can route to one another before trying to 
-   make a secure connection.
-2. Is there anything obviously wrong with the sense of your route command?
-
-Normally, this problem is caused by an incorrect local nexthop parameter.
-Check out the use of %defaultroute, described in man ipsec.conf. This is
-a simple way to set nexthop for most people. To figure nexthop out by hand,
-traceroute in-the-clear to your IPSec peer. Nexthop is the traceroute's 
-first hop after your IPSec gateway.</PRE>
-<H3><A name="unreachable">SIOCADDRT:Network is unreachable</A></H3>
-<P>This message is not from FreeS/WAN, but from the Linux IP stack
- itself. That stack is seeing packets it has no route for, either
- because your routing was broken before FreeS/WAN started or because
- FreeS/WAN's changes broke it.</P>
-<P>Here is a message from Claudia suggesting ways to diagnose and fix
- such problems:</P>
-<PRE>You write,
-&gt; I have correctly installed freeswan-1.8 on RH7.0 kernel 2.2.17, but when 
-&gt; I setup a VPN connection with the other machine(RH5.2 Kernel 2.0.36 
-&gt; freeswan-1.0, it works well.) it told me that 
-&gt; &quot;SIOCADDRT:Network is unreachable&quot;!  But the network connection is no 
-&gt; problem.
-
-Often this error is the result of a misconfiguration. 
-
-Be sure that you can route successfully in the absence of Linux
-FreeS/WAN. (You say this is no problem, so proceed to the next step.)
-
-Use a custom copy of the default updownscript. Do not change the route 
-commands, but add a diagnostic message revealing the exact text of the 
-route command. Is there a problem with the sense of the route command
-that you can see? If so, then re-examine those ipsec.conf settings
-that are being sent to the route command. 
-
-You may wish to use the ipsec auto --route and --unroute commands to 
-troubleshoot the problem. See man ipsec_auto for details.</PRE>
-<P>Since the above message was written, we have modified the updown
- script to provide a better diagnostic for this problem. Check<VAR>
- /var/log/messages</VAR>.</P>
-<P>See also the FAQ question<A href="#route-client"> route-client (or
- host) exited with status 7</A>.</P>
-<H3><A name="modprobe">ipsec_setup: modprobe: Can't locate module ipsec</A>
-</H3>
-<H3><A name="noKLIPS">ipsec_setup: Fatal error, kernel appears to lack
- KLIPS</A></H3>
-<P>These messages indicate an installation failure. The kernel you are
- running does not contain the<A href="glossary.html#KLIPS"> KLIPS
- (kernel IPsec)</A> code.</P>
-<P>Note that the &quot;modprobe: Can't locate module ipsec&quot; message appears
- even if you are not using modules. If there is no KLIPS in your kernel,
- FreeS/WAN tries to load it as a module. If that fails, you get this
- message.</P>
-<P>Commands you can quickly try are:</P>
-<DL>
-<DT><VAR>uname -a</VAR></DT>
-<DD>to get details, including compilation date and time, of the
- currently running kernel</DD>
-<DT><VAR>ls /</VAR></DT>
-<DT><VAR>ls /boot</VAR></DT>
-<DD>to ensure a new kernel is where it should be. If kernel compilation
- puts it in<VAR> /</VAR> but<VAR> lilo</VAR> wants it in<VAR> /boot</VAR>
-, then you should uncomment the<VAR> INSTALL_PATH=/boot</VAR> line in
- the kernel<VAR> Makefile</VAR>.</DD>
-<DT><VAR>more /etc/lilo.conf</VAR></DT>
-<DD>to see that<VAR> lilo</VAR> has correct information</DD>
-<DT><VAR>lilo</VAR></DT>
-<DD>to ensure that information in<VAR> /etc/lilo.conf</VAR> has been
- transferred to the boot sector</DD>
-</DL>
-<P>If those don't find the problem, you have to go back and check
- through the<A href="install.html"> install</A> procedure to see what
- was missed.</P>
-<P>Here is one of Claudia's messages on the topic:</P>
-<PRE>&gt; I tried to install freeswan 1.8 on my mandrake 7.2 test box. ...
-
-&gt; It does show version and some output for whack.
-
-Yes, because the Pluto (daemon) part of ipsec is installed correctly, but
-as we see below the kernel portion is not.
-
-&gt; However, I get the following from /var/log/messages:
-&gt; 
-&gt; Mar 11 22:11:55 pavillion ipsec_setup: Starting FreeS/WAN IPsec 1.8...
-&gt; Mar 11 22:12:02 pavillion ipsec_setup: modprobe: Can't locate module ipsec
-&gt; Mar 11 22:12:02 pavillion ipsec_setup: Fatal error, kernel appears to lack
-&gt; KLIPS.
-
-This is your problem. You have not successfully installed a kernel with
-IPSec machinery in it. 
-
-Did you build Linux FreeS/WAN as a module? If so, you need to ensure that 
-your new module has been installed in the directory where your kernel 
-loader normally finds your modules. If not, you need to ensure
-that the new IPSec-enabled kernel is being loaded correctly.
-
-See also doc/install.html, and INSTALL in the distro.</PRE>
-<H3><A name="noDNS">ipsec_setup: ... failure to fetch key for ... from
- DNS</A></H3>
-<P>Quoting Henry:</P>
-<PRE>Note that by default, FreeS/WAN is now set up to
-     (a) authenticate with RSA keys, and
-     (b) fetch the public key of the far end from DNS.
-Explicit attention to  ipsec.conf will be needed if you want
-to do something different.</PRE>
-<P>and Claudia, responding to the same user:</P>
-<PRE>You write,
-
-&gt;       My current setup in ipsec.conf is leftrsasigkey=%dns I have 
-&gt; commented this and authby=rsasig out. I am able to get ipsec running, 
-&gt; but what I find is that the documentation only specifies for %dns are 
-&gt; there any other values that can be placed in this variable other than 
-&gt; %dns and the key? I am also assuming that this is where I would place 
-&gt; my public key for the left and right side as well is this correct?
-
-Valid values for authby= are rsasig and secret, which entail authentication
-by RSA signature or by shared secret, respectively. Because you have 
-commented authby=rsasig out, you are using the default value of authby=secret. 
-
-When using RSA signatures, there are two ways to get the public key for the
-IPSec peer: either copy it directly into *rsasigkey= in ipsec.conf, or
-fetch it from dns. The magic value %dns for *rsasigkey parameters says to 
-try to fetch the peer's key from dns.
-
-For any parameters, you may find their significance and special values in
-man ipsec.conf. If you are setting up keys or secrets, be sure also to
-reference man ipsec.secrets.</PRE>
-<H3><A name="dup_address">ipsec_setup: ... interfaces ... and ... share
- address ...</A></H3>
-<P>This is a fatal error. FreeS/WAN cannot cope with two or more
- interfaces using the same IP address. You must re-configure to avoid
- this.</P>
-<P>A mailing list message on the topic from Pluto developer Hugh
- Redelmeier:</P>
-<PRE>| I'm trying to get freeswan working between two machine where one has a ppp
-| interface.
-| I've already suceeded with  two machines with ethernet ports but  the ppp
-| interface is causing me problems.
-|  basically when I run ipsec start  i get
-| ipsec_setup: Starting FreeS/WAN IPsec 1.7...
-| ipsec_setup: 003 IP interfaces ppp1 and ppp0 share address 192.168.0.10!
-| ipsec_setup: 003 IP interfaces ppp1 and ppp2 share address 192.168.0.10!
-| ipsec_setup: 003 IP interfaces ppp0 and ppp2 share address 192.168.0.10!
-| ipsec_setup: 003 no public interfaces found
-|
-| followed by lots of cannot work out interface for connection messages
-|
-| now I can specify the interface in ipsec.conf to be ppp0 , but this does
-| not affect the above behaviour. A quick look in server.c indicates that the
-| interfaces value  is not used but some sort of raw detect happens.
-|
-| I guess I could prevent the formation of the extra ppp interfaces or
-| allocate them different ip but I'd  rather not. if at all possible. Any
-| suggestions please.
-
-Pluto won't touch an interface that shares an IP address with another.
-This will eventually change, but it probably won't happen soon.
-
-For now, you will have to give the ppp1 and ppp2 different addresses.</PRE>
-<H3><A name="kflags">ipsec_setup: Cannot adjust kernel flags</A></H3>
-<P>A mailing list message form technical lead Henry Spencer:</P>
-<PRE>&gt; When FreeS/WAN IPsec 1.7 is starting on my 2.0.38 Linux kernel the following
-&gt; error message is generated:
-&gt; ipsec_setup: Cannot adjust kernel flags, no /proc/sys/net/ipsec directory!
-&gt; What is supposed to create this directory and how can I fix this problem?
-
-I think that directory is a 2.2ism, although I'm not certain (I don't have
-a 2.0.xx system handy any more for testing).  Without it, some of the
-ipsec.conf config-setup flags won't work, but otherwise things should
-function. </PRE>
-<P>You also need to enable the<VAR> /proc</VAR> filesystem in your
- kernel configuration for these operations to work.</P>
-<H3><A name="message_num">Message numbers (MI3, QR1, et cetera) in Pluto
- messages</A></H3>
-<P>Pluto messages often indicate where Pluto is in the IKE protocols.
- The letters indicate<STRONG> M</STRONG>ain mode or<STRONG> Q</STRONG>
-uick mode and<STRONG> I</STRONG>nitiator or<STRONG> R</STRONG>esponder.
- The numerals are message sequence numbers. For more detail, see our<A href="ipsec.html#sequence">
- IPsec section</A>.</P>
-<H3><A name="conn_name">Connection names in Pluto error messages</A></H3>
-<P>From Pluto programmer Hugh Redelmeier:</P>
-<PRE>| Jan 17 16:21:10 remus Pluto[13631]: &quot;jumble&quot; #1: responding to Main Mode from Road Warrior 130.205.82.46
-| Jan 17 16:21:11 remus Pluto[13631]: &quot;jumble&quot; #1: no suitable connection for peer @banshee.wittsend.com
-| 
-|     The connection &quot;jumble&quot; has nothing to do with the incoming
-| connection requests, which were meant for the connection &quot;banshee&quot;.
-
-You are right.  The message tells you which Connection Pluto is
-currently using, which need not be the right one.  It need not be the
-right one now for the negotiation to eventually succeed!  This is
-described in ipsec_pluto(8) in the section &quot;Road Warrior Support&quot;.
-
-There are two times when Pluto will consider switching Connections for
-a state object.  Both are in response to receiving ID payloads (one in
-Phase 1 / Main Mode and one in Phase 2 / Quick Mode).  The second is
-not unique to Road Warriors.  In fact, neither is the first any more
-(two connections for the same pair of hosts could differ in Phase 1 ID
-payload; probably nobody else has tried this).</PRE>
-<H3><A name="cantorient">Pluto: ... can't orient connection</A></H3>
-<P>Older versions of FreeS/WAN used this message. The same error now
- gives the &quot;we have no ipsecN ...&quot; error described just below.</P>
-<H3><A name="no.interface">... we have no ipsecN interface for either
- end of this connection</A></H3>
-<P>Your tunnel has no IP address which matches the IP address of any of
- the available IPsec interfaces. Either you've misconfigured the
- connection, or you need to define an appropriate IPsec interface
- connection.<VAR> interfaces=%defaultroute</VAR> works in many cases.</P>
-<P>A longer story: Pluto needs to know whether it is running on the
- machine which the connection description calls<VAR> left</VAR> or on<VAR>
- right</VAR>. It figures that out by:</P>
-<UL>
-<LI>looking at the interfaces given in<VAR> interfaces=</VAR> lines in
- the<VAR> config setup</VAR> section</LI>
-<LI>discovering the IP addresses for those interfaces</LI>
-<LI>searching for a match between those addresses and the ones given in<VAR>
- left=</VAR> or<VAR> right=</VAR> lines.</LI>
-</UL>
-<P>Normally a match is found. Then Pluto knows where it is and can set
- up other things (for example, if it is<VAR> left</VAR>) using
- parameters such as<VAR> leftsubnet</VAR> and<VAR> leftnexthop</VAR>,
- and sending its outgoing packets to<VAR> right</VAR>.</P>
-<P>If no match is found, it emits the above error message.</P>
-<H3><A name="noconn">Pluto: ... no connection is known</A></H3>
-<P>This error message occurs when a remote system attempts to negotiate
- a connection and Pluto does not have a connection description that
- matches what the remote system has requested. The most common cause is
- a configuration error on one end or the other.</P>
-<P>Parameters involved in this match are<VAR> left</VAR>,<VAR> right</VAR>
-,<VAR> leftsubnet</VAR> and<VAR> rightsubnet</VAR>.</P>
-<P><STRONG>The match must be exact</STRONG>. For example, if your left
- subnet is a.b.c.0/24 then neither a single machine in that net nor a
- smaller subnet such as a.b.c.64/26 will be considered a match.</P>
-<P>The message can also occur when an appropriate description exists but
- Pluto has not loaded it. Use an<VAR> auto=add</VAR> statement in the
- connection description, or an<VAR> ipsec auto --add &lt;conn_name&gt;</VAR>
- command, to correct this.</P>
-<P>An explanation from the Pluto developer:</P>
-<PRE>| Jul 12 15:00:22 sohar58 Pluto[574]: &quot;corp_road&quot; #2: cannot respond to IPsec
-| SA request because no connection is known for
-| 216.112.83.112/32===216.112.83.112...216.67.25.118
-
-This is the first message from the Pluto log showing a problem.  It
-means that PGPnet is trying to negotiate a set of SAs with this
-topology:
-
-216.112.83.112/32===216.112.83.112...216.67.25.118
-^^^^^^^^^^^^^^^^^   ^^^^^^^^^^^^^^   ^^^^^^^^^^^^^
-client on our side  our host         PGPnet host, no client
-
-None of the conns you showed look like this.
-
-Use
-        ipsec auto --status
-to see a snapshot of what connections are in pluto, what
-negotiations are going on, and what SAs are established.
-
-The leftsubnet= (client) in your conn is 216.112.83.64/26.  It must
-exactly match what pluto is looking for, and it does not.</PRE>
-<H3><A name="nosuit">Pluto: ... no suitable connection ...</A></H3>
-<P>This is similar to the<A href="#noconn"> no connection known</A>
- error, but occurs at a different point in Pluto processing.</P>
-<P>Here is one of Claudia's messages explaining the problem:</P>
-<PRE>You write,
-
-&gt; What could be the reason of the following error? 
-&gt; &quot;no suitable connection for peer '@xforce'&quot;
-
-When a connection is initiated by the peer, Pluto must choose which entry in 
-the conf file best matches the incoming connection. A preliminary choice is 
-made on the basis of source and destination IPs, since that information is 
-available at that time. 
-
-A payload containing an ID arrives later in the negotiation. Based on this
-id and the *id= parameters, Pluto refines its conn selection. ...
-
-The message &quot;no suitable connection&quot; indicates that in this refining step,
-Pluto does not find a connection that matches that ID.
-
-Please see &quot;Selecting a connection when responding&quot; in man ipsec_pluto for
-more details.</PRE>
-<P>See also<A href="#conn_name"> Connection names in Pluto error
- messages</A>.</P>
-<H3><A name="noconn.auth">Pluto: ... no connection has been authorized</A>
-</H3>
-<P>Here is one of Claudia's messages discussing this problem:</P>
-<PRE>You write,
-
-&gt;  May 22 10:46:31 debian Pluto[25834]: packet from x.y.z.p:10014: 
-&gt;  initial Main Mode message from x.y.z.p:10014 
-                            but no connection has been authorized
-
-This error occurs early in the connection negotiation process,
-at the first step of IKE negotiation (Main Mode), which is itself the 
-first of two negotiation phases involved in creating an IPSec connection.
-
-Here, Linux FreeS/WAN receives a packet from a potential peer, which 
-requests that they begin discussing a connection.
-
-The &quot;no connection has been authorized&quot; means that there is no connection 
-description in Linux FreeS/WAN's internal database that can be used to 
-link your ipsec interface with that peer.
-
-&quot;But of course I configured that connection!&quot; 
-
-It may be that the appropriate connection description exists in ipsec.conf 
-but has not been added to the database with ipsec auto --add myconn or the 
-auto=add method. Or, the connection description may be misconfigured.
-
-The only parameters that are relevant in this decision are left= and right= .
-Local and remote ports are also taken into account -- we see that the port 
-is printed in the message above -- but there is no way to control these
-in ipsec.conf.
-
-
-Failure at &quot;no connection has been authorized&quot; is similar to the
-&quot;no connection is known for...&quot; error in the FAQ, and the &quot;no suitable
-connection&quot; error described in the snapshot's FAQ. In all three cases,
-Linux FreeS/WAN is trying to match parameters received in the
-negotiation with the connection description in the local config file.
-
-As it receives more information, its matches take more parameters into 
-account, and become more precise:  first the pair of potential peers,
-then the peer IDs, then the endpoints (including any subnets).
-
-The &quot;no suitable connection for peer *&quot; occurs toward the end of IKE 
-(Main Mode) negotiation, when the IDs are matched.
-
-&quot;no connection is known for a/b===c...d&quot; is seen at the beginning of IPSec 
-(Quick Mode, phase 2) negotiation, when the connections are matched using
-left, right, and any information about the subnets.</PRE>
-<H3><A name="noDESsupport">Pluto: ... OAKLEY_DES_CBC is not supported.</A>
-</H3>
-<P>This message occurs when the other system attempts to negotiate a
- connection using<A href="glossary.html#DES"> single DES</A>, which we
- do not support because it is<A href="politics.html#desnotsecure">
- insecure</A>.</P>
-<P>Our interoperation document has suggestions for<A href="interop.html#noDES">
- how to deal with</A> systems that attempt to use single DES.</P>
-<H3><A name="notransform">Pluto: ... no acceptable transform</A></H3>
-<P>This message means that the other gateway has made a proposal for
- connection parameters, but nothing they proposed is acceptable to
- Pluto. Possible causes include:</P>
-<UL>
-<LI>misconfiguration on either end</LI>
-<LI>policy incompatibilities, for example we require encrypted
- connections but they are trying to create one with just authentication</LI>
-<LI>interoperation problems, for example they offer only single DES and
- FreeS/WAN does not support that. See<A href="interop.html#interop.problem">
- discussion</A> in our interoperation document.</LI>
-</UL>
-<P>A more detailed explanation, from Pluto programmer Hugh Redelmeier:</P>
-<PRE>Background:
-
-When one IKE system (for example, Pluto) is negotiating with another
-to create an SA, the Initiator proposes a bunch of choices and the
-Responder replies with one that it has selected.
-
-The structure of the choices is fairly complicated.  An SA payload
-contains a list of lists of &quot;Proposals&quot;.  The outer list is a set of
-choices: the selection must be from one element of this list.
-
-Each of these elements is a list of Proposals.  A selection must be
-made from each of the elements of the inner list.  In other words,
-*all* of them apply (that is how, for example, both AH and ESP can
-apply at once).
-
-Within each of these Proposals is a list of Transforms.  For each
-Proposal selected, one Transform must be selected (in other words,
-each Proposal provides a choice of Transforms).
-
-Each Transform is made up of a list of Attributes describing, well,
-attributes.  Such as lifetime of the SA.  Such as algorithm to be
-used.  All the Attributes apply to a Transform.
-
-You will have noticed a pattern here: layers alternate between being
-disjunctions (&quot;or&quot;) and conjunctions (&quot;and&quot;).
-
-For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
-cut back.  There must be exactly one Proposal.  So this degenerates to
-a list of Transforms, one of which must be chosen.
-
-In your case, no proposal was considered acceptable to Pluto (the
-Responder).  So negotiation ceased.  Pluto logs the reason it rejects
-each Transform.  So look back in the log to see what is going wrong.</PRE>
-<H3><A name="rsasigkey">rsasigkey dumps core</A></H3>
- A comment on this error from Henry:
-<PRE>On Fri, 29 Jun 2001, Rodrigo Gruppelli wrote:
-&gt; ...Well, it seem that there's
-&gt; another problem with it. When I try to generate a pair of RSA keys,
-&gt; rsasigkey cores dump...
-
-*That* is a neon sign flashing &quot;GMP LIBRARY IS BROKEN&quot;.  Rsasigkey calls
-GMP a lot, and our own library a little bit, and that's very nearly all it
-does.  Barring bugs in its code or our library -- which have happened, but
-not very often -- a problem in rsasigkey is a problem in GMP.</PRE>
-<P>See the next question for how to deal with GMP errors.</P>
-<H3><A name="sig4">!Pluto failure!: ... exited with ... signal 4</A></H3>
-<P>Pluto has died. Signal 4 is SIGILL, illegal instruction.</P>
-<P>The most likely cause is that your<A href="glossary.html#GMP"> GMP</A>
- (GNU multi-precision) library is compiled for a different processor
- than what you are running on. Pluto uses that library for its public
- key calculations.</P>
-<P>Try getting the GMP sources and recompile for your processor type.
- Most Linux distributions will include this source, or you can download
- it from the<A href="http://www.swox.com/gmp/"> GMP home page</A>.</P>
-<H3><A name="econnrefused">ECONNREFUSED error message</A></H3>
-<P>From John Denker, on the mailing list:</P>
-<PRE>1)  The log message
-  some IKE message we sent has been rejected with 
-  ECONNREFUSED (kernel supplied no details)
-is much more suitable than the previous version.  Thanks.
-
-2) Minor suggestion for further improvement: it might be worth mentioning
-that the command
-  tcpdump -i eth1 icmp[0] != 8 and icmp[0] != 0
-is useful for tracking down the details in question.  We shouldn't expect
-all IPsec users to figure that out on their own.  The log message might
-even provide a hint as to where to look in the docs.</PRE>
-<P>Reply From Pluto developer Hugh Redelmeier</P>
-<PRE>Good idea.
-
-I've added a bit pluto(8)'s BUGS section along these lines.
-I didn't have the heart to lengthen this message.</PRE>
-<H3><A name="no_eroute">klips_debug: ... no eroute!</A></H3>
-<P>This message means<A href="glossary.html#KLIPS"> KLIPS</A> has
- received a packet for which no IPsec tunnel has been defined.</P>
-<P>Here is a more detailed duscussion from the team's tech support
- person Claudia Schmeing, responding to a query on the mailing list:</P>
-<PRE>&gt; Why ipsec reports no eroute! ???? IP Masq... is disabled.
-
-In general, more information is required so that people on the list may
-give you informed input. See doc/prob.report.</PRE>
-<P>The document she refers to has since been replaced by a<A href="trouble.html#prob.report">
- section</A> of the troubleshooting document.</P>
-<PRE>However, I can make some general comments on this type of error.
-
-This error usually looks something like this (clipped from an archived
-message):
-
-&gt; ttl:64 proto:1 chk:45459 saddr:192.168.1.2 daddr:192.168.100.1
-&gt; ... klips_debug:ipsec_findroute: 192.168.1.2-&gt;192.168.100.1
-&gt; ... klips_debug:rj_match: * See if we match exactly as a host destination
-&gt; ... klips_debug:rj_match: ** try to match a leaf, t=0xc1a260b0
-&gt; ... klips_debug:rj_match: *** start searching up the tree, t=0xc1a260b0
-&gt; ... klips_debug:rj_match: **** t=0xc1a260c8
-&gt; ... klips_debug:rj_match: **** t=0xc1fe5960
-&gt; ... klips_debug:rj_match: ***** not found.
-&gt; ... klips_debug:ipsec_tunnel_start_xmit: Original head/tailroom: 2, 28
-&gt; ... klips_debug:ipsec_tunnel_start_xmit: no eroute!: ts=47.3030, dropping.
-
-
-What does this mean?
-- --------------------
-
-&quot;eroute&quot; stands for &quot;extended route&quot;, and is a special type of route 
-internal to Linux FreeS/WAN. For more information about this type of route, 
-see the section of man ipsec_auto on ipsec auto --route.
-
-&quot;no eroute!&quot; here means, roughly, that Linux FreeS/WAN cannot find an 
-appropriate tunnel that should have delivered this packet. Linux 
-FreeS/WAN therefore drops the packet, with the message &quot;no eroute! ...
-dropping&quot;, on the assumption that this packet is not a legitimate 
-transmission through a properly constructed tunnel.
-
-
-How does this situation come about?
-- -----------------------------------
-
-Linux FreeS/WAN has a number of connection descriptions defined in 
-ipsec.conf. These must be successfully brought &quot;up&quot; to form actual tunnels.
-(see doc/setup.html's step 15, man ipsec.conf and man ipsec_auto 
-for details).
-
-Such connections are often specific to the endpoints' IPs. However, in 
-some cases they may be more general, for example in the case of 
-Road Warriors where left or right is the special value %any.
-
-When Linux FreeS/WAN receives a packet, it verifies that the packet has
-come through a legitimate channel, by checking that there is an
-appropriate tunnel through which this packet might legitimately have
-arrived. This is the process we see above.
-
-First, it checks for an eroute that exactly matches the packet. In the 
-example above, we see it checking for a route that begins at 192.168.1.2
-and ends at 192.168.100.1. This search favours the most specific match that
-would apply to the route between these IPs. So, if there is a connection 
-description exactly matching these IPs, the search will end there. If not, 
-the code will search for a more general description matching the IPs.
-If there is no match, either specific or general, the packet will be
-dropped, as we see, above.
-
-Unless you are working with Road Warriors, only the first, specific part 
-of the matching process is likely to be relevant to you.
-
-
-&quot;But I defined the tunnel, and it came up, why do I have this error?&quot;
-- ---------------------------------------------------------------------
-
-One of the most common causes of this error is failure to specify enough
-connection descriptions to cover all needed tunnels between any two 
-gateways and their respective subnets. As you have noticed, troubleshooting
-this error may be complicated by the use of IP Masq. However, this error is
-not limited to cases where IP Masq is used. 
-
-See doc/configuration.html#multitunnel for a detailed example of the 
-solution to this type of problem.</PRE>
-<P>The documentation section she refers to is now<A href="adv_config.html#multitunnel">
- here</A>.</P>
-<H3><A name="SAused">... trouble writing to /dev/ipsec ... SA already in
- use</A></H3>
-<P>This error message occurs when two manual connections are set up with
- the same SPI value.</P>
-<P>See the FAQ for<A href="#spi_error"> One manual connection works, but
- second one fails</A>.</P>
-<H3><A name="ignore">... ignoring ... payload</A></H3>
-<P>This message is harmless. The IKE protocol provides for a number of
- optional messages types:</P>
-<UL>
-<LI>delete SA</LI>
-<LI>initial contact</LI>
-<LI>vendor ID</LI>
-<LI>...</LI>
-</UL>
-<P>An implementation is never required to send these, but they are
- allowed to. The receiver is not required to do anything with them.
- FreeS/WAN ignores them, but notifies you via the logs.</P>
-<P>For the &quot;ignoring delete SA Payload&quot; message, see also our discussion
- of cleaning up<A href="#deadtunnel"> dead tunnels</A>.</P>
-<H3><A name="unknown_rightcert">unknown parameter name &quot;rightcert&quot;</A></H3>
-<P>This message can appear when you've upgraded an X.509-enabled Linux
- FreeS/WAN with a vanilla Linux FreeS/WAN. To use your X.509 configs you
- will need to overwrite the new install with<A HREF="http://www.freeswan.ca">
- Super FreeS/WAN</A>, or add the<A HREF="http://www.strongsec.ca/freeswan">
- X.509 patch</A> by hand.</P>
-<H2><A name="spam">Why don't you restrict the mailing lists to reduce
- spam?</A></H2>
-<P>As a matter of policy, some of our<A href="mail.html"> mailing lists</A>
- need to be open to non-subscribers. Project management feel strongly
- that maintaining this openness is more important than blocking spam.</P>
-<UL>
-<LI>Users should be able to get help or report bugs without subscribing.</LI>
-<LI>Even a user who is subscribed may not have access to his or her
- subscribed account when he or she needs help, miles from home base in
- the middle of setting up a client's gateway.</LI>
-<LI>There is arguably a legal requirement for this policy. A US resident
- or citizen could be charged under munitions export laws for providing
- technical assistance to a foreign cryptographic project. Such a charge
- would be more easily defended if the discussion takes place in public,
- on an open list.</LI>
-</UL>
-<P>This has been discussed several times at some length on the list. See
- the<A href="mail.html#archive"> list archives</A>. Bringing the topic
- up again is unlikely to be useful. Please don't. Or at the very least,
- please don't without reading the archives and being certain that
- whatever you are about to suggest has not yet been discussed.</P>
-<P>Project technical lead Henry Spencer summarised one discussion:</P>
-<BLOCKQUOTE> For the third and last time: this list *will* *not* do
- address-based filtering. This is a policy decision, not an
- implementation problem. The decision is final, and is not open to
- discussion. This needs to be communicated better to people, and steps
- are being taken to do that.</BLOCKQUOTE>
-<P>Adding this FAQ section is one of the steps he refers to.</P>
-<P>You have various options other than just putting up with the spam,
- filtering it yourself, or unsubscribing:</P>
-<UL>
-<LI>subscribe only to one or both of our lists with restricted posting
- rules:
-<UL>
-<LI><A href="mailto:briefs@lists.freeswan.org?body=subscribe">briefs</A>
-, weekly list summaries</LI>
-<LI><A href="mailto:announce@lists.freeswan.org?body=subscribe">announce</A>
-, project-related announcements</LI>
-</UL>
-</LI>
-<LI>read the other lists via the<A href="mail.html#archive"> archives</A>
-</LI>
-</UL>
-<P>A number of tools are available to filter mail.</P>
-<UL>
-<LI>Many mail readers include some filtering capability.</LI>
-<LI>Many Linux distributions include<A href="http://www.procmail.org/">
- procmail(8)</A> for server-side filtering.</LI>
-<LI>The<A href="http://www.spambouncer.org/"> Spam Bouncer</A> is a set
- of procmail(8) filters designed to combat spam.</LI>
-<LI>Roaring Penguin have a<A href="http://www.roaringpenguin.com/mimedefang/">
- MIME defanger</A> that removes potentially dangerous attachments.</LI>
-</UL>
-<P>If you use your ISP's mail server rather than running your own,
- consider suggesting to the ISP that they tag suspected spam as<A href="http://www.msen.com/1997/spam.html#SUSPECTED">
- this ISP</A> does. They could just refuse mail from dubious sources,
- but that is tricky and runs some risk of losing valuable mail or
- senselessly annoying senders and their admins. However, they can safely
- tag and deliver dubious mail. The tags can greatly assist your
- filtering.</P>
-<P>For information on tracking down spammers, see these<A href="http://www.rahul.net/falk/#howtos">
- HowTos</A>, or the<A href="http://www.sputum.com/index2.html"> Sputum</A>
- site. Sputum have a Linux anti-spam screensaver available for download.</P>
-<P>Here is a more detailed message from Henry:</P>
-<PRE>On Mon, 15 Jan 2001, Jay Vaughan wrote:
-&gt; I know I'm flogging a dead horse here, but I'm curious as to the reasons for
-&gt; an aversion for a subscriber-only mailing list?
-
-Once again:  for legal reasons, it is important that discussions of these
-things be held in a public place -- the list -- and we do not want to
-force people to subscribe to the list just to ask one question, because
-that may be more than merely inconvenient for them.  There are also real
-difficulties with people who are temporarily forced to use alternate
-addresses; that is precisely the time when they may be most in need of
-help, yet a subscribers-only policy shuts them out.
-
-These issues do not apply to most mailing lists, but for a list that is
-(necessarily) the primary user support route for a crypto package, they
-are very important.  This is *not* an ordinary mailing list; it has to
-function under awkward constraints that make various simplistic solutions
-inapplicable or undesirable. 
-
-&gt; We're *ALL* sick of hearing about list management problems, not just you
-&gt; old-timers, so why don't you DO SOMETHING EFFECTIVE ABOUT IT...
-
-Because it's a lot harder than it looks, and many existing &quot;solutions&quot;
-have problems when examined closely.
-
-&gt; A suggestion for you, based on 10 years of experience with management of my
-&gt; own mailing lists would be to use mailman, which includes pretty much every
-&gt; feature under the sun that you guys need and want, plus some.  The URL for
-&gt; mailman...
-
-I assure you, we're aware of mailman.  Along with a whole bunch of others,
-including some you almost certainly have never heard of (I hadn't!).
-
-&gt; As for the argument that the list shouldn't be configured to enforce
-&gt; subscription - I contend that it *SHOULD* AT LEAST require manual address
-&gt; verification in order for posts to be redirected.
-
-You do realize, I hope, that interposing such a manual step might cause
-your government to decide that this is not truly a public forum, and thus
-you could go to jail if you don't get approval from them before mailing to
-it?  If you think this sounds irrational, your government is noted for
-making irrational decisions in this area; we can't assume that they will
-suddenly start being sensible.  See above about awkward constraints.  You
-may be willing to take the risk, but we can't, in good conscience, insist
-that all users with problems do so. 
-
-                                                          Henry Spencer
-                                                       henry@spsystems.net</PRE>
-<P>and a message on the topic from project leader John Gilmore:</P>
-<PRE>Subject: Re: The linux-ipsec list's topic
-   Date: Sat, 30 Dec 2000
-   From: John Gilmore &lt;gnu@toad.com&gt;
-
-I'll post this single message, once only, in this discussion, and then
-not burden the list with any further off-topic messages.  I encourage
-everyone on the list to restrain themself from posting ANY off-topic
-messages to the linux-ipsec list.
-
-The topic of the linux-ipsec mailing list is the FreeS/WAN software.
-
-I frequently see &quot;discussions about spam on a list&quot; overwhelm the
-volume of &quot;actual spam&quot; on a list. BOTH kinds of messages are
-off-topic messages.  Twenty anti-spam messages take just as long to
-detect and discard as twenty spam messages.
-
-The Linux-ipsec list encourages on-topic messages from people who have
-not joined the list itself.  We will not censor messages to the list
-based on where they originate, or what return address they contain.
-In other words, non-subscribers ARE allowed to post, and this will not
-change.  My own valid contributions have been rejected out-of-hand by
-too many other mailing lists for me to want to impose that censorship
-on anybody else's contributions.  And every day I see the damage that
-anti-spam zeal is causing in many other ways; that zeal is far more
-damaging to the culture of the Internet than the nuisance of spam.
-
-In general, it is the responsibility of recipients to filter,
-prioritize, or otherwise manage the handling of email that comes to
-them.  It is not the responsibility of the rest of the Internet
-community to refrain from sending messages to recipients that they
-might not want to see.  If your software infrastructure for managing
-your incoming email is insufficient, then improve it.  If you think
-the signal-to-noise ratio on linux-ipsec is too poor, then please
-unsubscribe.  But don't further increase the noise by posting to the
-linux-ipsec list about those topics.
-
-        John Gilmore
-        founder &amp; sponsor, FreeS/WAN project</PRE>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="policygroups.html">Previous</A>
-<A HREF="manpages.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/firewall.html b/doc/firewall.html
deleted file mode 100644
index 0747ab83d..000000000
--- a/doc/firewall.html
+++ /dev/null
@@ -1,767 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="manpages.html">Previous</A>
-<A HREF="trouble.html">Next</A>
-<HR>
-<H1><A name="firewall">FreeS/WAN and firewalls</A></H1>
-<P>FreeS/WAN, or other IPsec implementations, frequently run on gateway
- machines, the same machines running firewall or packet filtering code.
- This document discusses the relation between the two.</P>
-<P>The firewall code in 2.4 and later kernels is called Netfilter. The
- user-space utility to manage a firewall is iptables(8). See the<A href="http://netfilter.samba.org">
- netfilter/iptables web site</A> for details.</P>
-<H2><A name="filters">Filtering rules for IPsec packets</A></H2>
-<P>The basic constraint is that<STRONG> an IPsec gateway must have
- packet filters that allow IPsec packets</STRONG>, at least when talking
- to other IPsec gateways:</P>
-<UL>
-<LI>UDP port 500 for<A href="glossary.html#IKE"> IKE</A> negotiations</LI>
-<LI>protocol 50 if you use<A href="glossary.html#ESP"> ESP</A>
- encryption and/or authentication (the typical case)</LI>
-<LI>protocol 51 if you use<A href="glossary.html#AH"> AH</A>
- packet-level authentication</LI>
-</UL>
-<P>Your gateway and the other IPsec gateways it communicates with must
- be able to exchange these packets for IPsec to work. Firewall rules
- must allow UDP 500 and at least one of<A href="glossary.html#AH"> AH</A>
- or<A href="glossary.html#ESP"> ESP</A> on the interface that
- communicates with the other gateway.</P>
-<P>For nearly all FreeS/WAN applications, you must allow UDP port 500
- and the ESP protocol.</P>
-<P>There are two ways to set this up:</P>
-<DL>
-<DT>easier but less flexible</DT>
-<DD>Just set up your firewall scripts at boot time to allow IPsec
- packets to and from your gateway. Let FreeS/WAN reject any bogus
- packets.</DD>
-<DT>more work, giving you more precise control</DT>
-<DD>Have the<A href="manpage.d/ipsec_pluto.8.html"> ipsec_pluto(8)</A>
- daemon call scripts to adjust firewall rules dynamically as required.
- This is done by naming the scripts in the<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> variables<VAR> prepluto=</VAR>,<VAR> postpluto=</VAR>
-,<VAR> leftupdown=</VAR> and<VAR> rightupdown=</VAR>.</DD>
-</DL>
-<P>Both methods are described in more detail below.</P>
-<H2><A name="examplefw">Firewall configuration at boot</A></H2>
-<P>It is possible to set up both firewalling and IPsec with appropriate
- scripts at boot and then not use<VAR> leftupdown=</VAR> and<VAR>
- rightupdown=</VAR>, or use them only for simple up and down operations.</P>
-<P>Basically, the technique is</P>
-<UL>
-<LI>allow IPsec packets (typically, IKE on UDP port 500 plus ESP,
- protocol 50)
-<UL>
-<LI>incoming, if the destination address is your gateway (and
- optionally, only from known senders)</LI>
-<LI>outgoing, with the from address of your gateway (and optionally,
- only to known receivers)</LI>
-</UL>
-</LI>
-<LI>let<A href="glossary.html#Pluto"> Pluto</A> deal with IKE</LI>
-<LI>let<A href="glossary.html#KLIPS"> KLIPS</A> deal with ESP</LI>
-</UL>
-<P>Since Pluto authenticates its partners during the negotiation, and
- KLIPS drops packets for which no tunnel has been negotiated, this may
- be all you need.</P>
-<H3><A name="simple.rules">A simple set of rules</A></H3>
-<P>In simple cases, you need only a few rules, as in this example:</P>
-<PRE># allow IPsec
-#
-# IKE negotiations
-iptables -I INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
-iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
-# ESP encryption and authentication
-iptables -I INPUT  -p 50 -j ACCEPT
-iptables -I OUTPUT -p 50 -j ACCEPT
-</PRE>
-<P>This should be all you need to allow IPsec through<VAR> lokkit</VAR>,
- which ships with Red Hat 9, on its medium security setting. Once you've
- tweaked to your satisfaction, save your active rule set with:</P>
-<PRE>service iptables save</PRE>
-<H3><A name="complex.rules">Other rules</A></H3>
- You can add additional rules, or modify existing ones, to work with
- IPsec and with your network and policies. We give a some examples in
- this section.
-<P>However, while it is certainly possible to create an elaborate set of
- rules yourself (please let us know via the<A href="mail.html"> mailing
- list</A> if you do), it may be both easier and more secure to use a set
- which has already been published and tested.</P>
-<P>The published rule sets we know of are described in the<A href="#rules.pub">
- next section</A>.</P>
-<H4>Adding additional rules</H4>
- If necessary, you can add additional rules to:
-<DL>
-<DT>reject IPsec packets that are not to or from known gateways</DT>
-<DD>This possibility is discussed in more detail<A href="#unknowngate">
- later</A></DD>
-<DT>allow systems behind your gateway to build IPsec tunnels that pass
- through the gateway</DT>
-<DD>This possibility is discussed in more detail<A href="#through">
- later</A></DD>
-<DT>filter incoming packets emerging from KLIPS.</DT>
-<DD>Firewall rules can recognise packets emerging from IPsec. They are
- marked as arriving on an interface such as<VAR> ipsec0</VAR>, rather
- than<VAR> eth0</VAR>,<VAR> ppp0</VAR> or whatever.</DD>
-</DL>
-<P>It is therefore reasonably straightforward to filter these packets in
- whatever way suits your situation.</P>
-<H4>Modifying existing rules</H4>
-<P>In some cases rules that work fine before you add IPsec may require
- modification to work with IPsec.</P>
-<P>This is especially likely for rules that deal with interfaces on the
- Internet side of your system. IPsec adds a new interface; often the
- rules must change to take account of that.</P>
-<P>For example, consider the rules given in<A href="http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html">
- this section</A> of the Netfilter documentation:</P>
-<PRE>Most people just have a single PPP connection to the Internet, and don't
-want anyone coming back into their network, or the firewall:
-
-    ## Insert connection-tracking modules (not needed if built into kernel).
-    # insmod ip_conntrack
-    # insmod ip_conntrack_ftp
-
-    ## Create chain which blocks new connections, except if coming from inside.
-    # iptables -N block
-    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-    # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
-    # iptables -A block -j DROP
-
-    ## Jump to that chain from INPUT and FORWARD chains.
-    # iptables -A INPUT -j block
-    # iptables -A FORWARD -j block</PRE>
-<P>On an IPsec gateway, those rules may need to be modified. The above
- allows new connections from<EM> anywhere except ppp0</EM>. That means
- new connections from ipsec0 are allowed.</P>
-<P>Do you want to allow anyone who can establish an IPsec connection to
- your gateway to initiate TCP connections to any service on your
- network? Almost certainly not if you are using opportunistic
- encryption. Quite possibly not even if you have only explicitly
- configured connections.</P>
-<P>To disallow incoming connections from ipsec0, change the middle
- section above to:</P>
-<PRE>    ## Create chain which blocks new connections, except if coming from inside.
-    # iptables -N block
-    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-    # iptables -A block -m state --state NEW -i ppp+ -j DROP
-    # iptables -A block -m state --state NEW -i ipsec+ -j DROP
-    # iptables -A block -m state --state NEW -i -j ACCEPT
-    # iptables -A block -j DROP</PRE>
-<P>The original rules accepted NEW connections from anywhere except
- ppp0. This version drops NEW connections from any PPP interface (ppp+)
- and from any ipsec interface (ipsec+), then accepts the survivors.</P>
-<P>Of course, these are only examples. You will need to adapt them to
- your own situation.</P>
-<H3><A name="rules.pub">Published rule sets</A></H3>
-<P>Several sets of firewall rules that work with FreeS/WAN are
- available.</P>
-<H4><A name="Ranch.trinity">Scripts based on Ranch's work</A></H4>
-<P>One user, Rob Hutton, posted his boot time scripts to the mailing
- list, and we included them in previous versions of this documentation.
- They are still available from our<A href="http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/firewall.html#examplefw">
- web site</A>. However, they were for an earlier FreeS/WAN version so we
- no longer recommend them. Also, they had some bugs. See this<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/04/msg00316.html">
- message</A>.</P>
-<P>Those scripts were based on David Ranch's scripts for his &quot;Trinity
- OS&quot; for setting up a secure Linux. Check his<A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html">
- home page</A> for the latest version and for information on his<A href="biblio.html#ranch">
- book</A> on securing Linux. If you are going to base your firewalling
- on Ranch's scripts, we recommend using his latest version, and sending
- him any IPsec modifications you make for incorporation into later
- versions.</P>
-<H4><A name="seawall">The Seattle firewall</A></H4>
-<P>We have had several mailing lists reports of good results using
- FreeS/WAN with Seawall (the Seattle Firewall). See that project's<A href="http://seawall.sourceforge.net/">
- home page</A> on Sourceforge.</P>
-<H4><A name="rcf">The RCF scripts</A></H4>
-<P>Another set of firewall scripts with IPsec support are the RCF or
- rc.firewall scripts. See their<A href="http://jsmoriss.mvlan.net/linux/rcf.html">
- home page</A>.</P>
-<H4><A name="asgard">Asgard scripts</A></H4>
-<P><A href="http://heimdall.asgardsrealm.net/linux/firewall/">Asgard's
- Realm</A> has set of firewall scripts with FreeS/WAN support, for 2.4
- kernels and iptables.</P>
-<H4><A name="user.scripts">User scripts from the mailing list</A></H4>
-<P>One user gave considerable detail on his scripts, including
- supporting<A href="glossary.html#IPX"> IPX</A> through the tunnel. His
- message was too long to conveniently be quoted here, so I've put it in
- a<A href="user_examples.html"> separate file</A>.</P>
-<H2><A name="updown">Calling firewall scripts, named in ipsec.conf(5)</A>
-</H2>
-<P>The<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A>
- configuration file has three pairs of parameters used to specify an
- interface between FreeS/WAN and firewalling code.</P>
-<P>Note that using these is not required if you have a static firewall
- setup. In that case, you just set your firewall up at boot time (in a
- way that permits the IPsec connections you want) and do not change it
- thereafter. Omit all the FreeS/WAN firewall parameters and FreeS/WAN
- will not attempt to adjust firewall rules at all. See<A href="#examplefw">
- above</A> for some information on appropriate scripts.</P>
-<P>However, if you want your firewall rules to change when IPsec
- connections change, then you need to use these parameters.</P>
-<H3><A name="pre_post">Scripts called at IPsec start and stop</A></H3>
-<P>One pair of parmeters are set in the<VAR> config setup</VAR> section
- of the<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> file and
- affect all connections:</P>
-<DL>
-<DT>prepluto=</DT>
-<DD>script to be called before<A href="manpage.d/ipsec_pluto.8.html">
- pluto(8)</A> IKE daemon is started.</DD>
-<DT>postpluto=</DT>
-<DD>script to be called after<A href="manpage.d/ipsec_pluto.8.html">
- pluto(8)</A> IKE daemon is stopped.</DD>
-</DL>
- These parameters allow you to change firewall parameters whenever IPsec
- is started or stopped.
-<P>They can also be used in other ways. For example, you might have<VAR>
- prepluto</VAR> add a module to your kernel for the secure network
- interface or make a dialup connection, and then have<VAR> postpluto</VAR>
- remove the module or take the connection down.</P>
-<H3><A name="up_down">Scripts called at connection up and down</A></H3>
-<P>The other parameters are set in connection descriptions. They can be
- set in individual connection descriptions, and could even call
- different scripts for each connection for maximum flexibility. In most
- applications, however, it makes sense to use only one script and to
- call it from<VAR> conn %default</VAR> section so that it applies to all
- connections.</P>
-<P>You can:</P>
-<DL>
-<DT><STRONG>either</STRONG></DT>
-<DD>set<VAR> leftfirewall=yes</VAR> or<VAR> rightfirewall=yes</VAR> to
- use our supplied default script</DD>
-<DT><STRONG>or</STRONG></DT>
-<DD>assign a name in a<VAR> leftupdown=</VAR> or<VAR> rightupdown=</VAR>
- line to use your own script</DD>
-</DL>
-<P>Note that<STRONG> only one of these should be used</STRONG>. You
- cannot sensibly use both. Since<STRONG> our default script is obsolete</STRONG>
- (designed for firewalls using<VAR> ipfwadm(8)</VAR> on 2.0 kernels),
- most users who need this service will<STRONG> need to write a custom
- script</STRONG>.</P>
-<H4><A name="fw.default">The default script</A></H4>
-<P>We supply a default script named<VAR> _updown</VAR>.</P>
-<DL>
-<DT>leftfirewall=</DT>
-<DD></DD>
-<DT>rightfirewall=</DT>
-<DD>indicates that the gateway is doing firewalling and that<A href="manpage.d/ipsec_pluto.8.html">
- pluto(8)</A> should poke holes in the firewall as required.</DD>
-</DL>
-<P>Set these to<VAR> yes</VAR> and Pluto will call our default script<VAR>
- _updown</VAR> with appropriate arguments whenever it:</P>
-<UL>
-<LI>starts or stops IPsec services</LI>
-<LI>brings a connection up or down</LI>
-</UL>
-<P>The supplied default<VAR> _updown</VAR> script is appropriate for
- simple cases using the<VAR> ipfwadm(8)</VAR> firewalling package.</P>
-<H4><A name="userscript">User-written scripts</A></H4>
-<P>You can also write your own script and have Pluto call it. Just put
- the script's name in one of these<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> lines:</P>
-<DL>
-<DT>leftupdown=</DT>
-<DD></DD>
-<DT>rightupdown=</DT>
-<DD>specifies a script to call instead of our default script<VAR>
- _updown</VAR>.</DD>
-</DL>
-<P>Your script should take the same arguments and use the same
- environment variables as<VAR> _updown</VAR>. See the &quot;updown command&quot;
- section of the<A href="manpage.d/ipsec_pluto.8.html"> ipsec_pluto(8)</A>
- man page for details.</P>
-<P>Note that<STRONG> you should not modify our _updown script in place</STRONG>
-. If you did that, then upgraded FreeS/WAN, the upgrade would install a
- new default script, overwriting your changes.</P>
-<H3><A name="ipchains.script">Scripts for ipchains or iptables</A></H3>
-<P>Our<VAR> _updown</VAR> is for firewalls using<VAR> ipfwadm(8)</VAR>,
- the firewall code for the 2.0 series of Linux kernels. If you are using
- the more recent packages<VAR> ipchains(8)</VAR> (for 2.2 kernels) or<VAR>
- iptables(8)</VAR> (2.4 kernels), then you must do one of:</P>
-<UL>
-<LI>use static firewall rules which are set up at boot time as described<A
-href="#examplefw"> above</A> and do not need to be changed by Pluto</LI>
-<LI>limit yourself to ipchains(8)'s ipfwadm(8) emulation mode in order
- to use our script</LI>
-<LI>write your own script and call it with<VAR> leftupdown</VAR> and<VAR>
- rightupdown</VAR>.</LI>
-</UL>
-<P>You can write a script to do whatever you need with firewalling.
- Specify its name in a<VAR> [left|right]updown=</VAR> parameter in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> and Pluto will automatically call it for you.</P>
-<P>The arguments Pluto passes such a script are the same ones it passes
- to our default _updown script, so the best way to build yours is to
- copy ours and modify the copy.</P>
-<P>Note, however, that<STRONG> you should not modify our _updown script
- in place</STRONG>. If you did that, then upgraded FreeS/WAN, the
- upgrade would install a new default script, overwriting your changes.</P>
-<H2><A name="NAT">A complication: IPsec vs. NAT</A></H2>
-<P><A href="glossary.html#NAT.gloss">Network Address Translation</A>,
- also known as IP masquerading, is a method of allocating IP addresses
- dynamically, typically in circumstances where the total number of
- machines which need to access the Internet exceeds the supply of IP
- addresses.</P>
-<P>Any attempt to perform NAT operations on IPsec packets<EM> between
- the IPsec gateways</EM> creates a basic conflict:</P>
-<UL>
-<LI>IPsec wants to authenticate packets and ensure they are unaltered on
- a gateway-to-gateway basis</LI>
-<LI>NAT rewrites packet headers as they go by</LI>
-<LI>IPsec authentication fails if packets are rewritten anywhere between
- the IPsec gateways</LI>
-</UL>
-<P>For<A href="glossary.html#AH"> AH</A>, which authenticates parts of
- the packet header including source and destination IP addresses, this
- is fatal. If NAT changes those fields, AH authentication fails.</P>
-<P>For<A href="glossary.html#IKE"> IKE</A> and<A href="glossary.html#ESP">
- ESP</A> it is not necessarily fatal, but is certainly an unwelcome
- complication.</P>
-<H3><A name="nat_ok">NAT on or behind the IPsec gateway works</A></H3>
-<P>This problem can be avoided by having the masquerading take place<EM>
- on or behind</EM> the IPsec gateway.</P>
-<P>This can be done physically with two machines, one physically behind
- the other. A picture, using SG to indicate IPsec<STRONG> S</STRONG>
-ecurity<STRONG> G</STRONG>ateways, is:</P>
-<PRE>      clients --- NAT ----- SG ---------- SG
-                  two machines</PRE>
-<P>In this configuration, the actual client addresses need not be given
- in the<VAR> leftsubnet=</VAR> parameter of the FreeS/WAN connection
- description. The security gateway just delivers packets to the NAT box;
- it needs only that machine's address. What that machine does with them
- does not affect FreeS/WAN.</P>
-<P>A more common setup has one machine performing both functions:</P>
-<PRE>      clients ----- NAT/SG ---------------SG
-                  one machine</PRE>
-<P>Here you have a choice of techniques depending on whether you want to
- make your client subnet visible to clients on the other end:</P>
-<UL>
-<LI>If you want the single gateway to behave like the two shown above,
- with your clients hidden behind the NAT, then omit the<VAR> leftsubnet=</VAR>
- parameter. It then defaults to the gateway address. Clients on the
- other end then talk via the tunnel only to your gateway. The gateway
- takes packets emerging from the tunnel, applies normal masquerading,
- and forwards them to clients.</LI>
-<LI>If you want to make your client machines visible, then give the
- client subnet addresses as the<VAR> leftsubnet=</VAR> parameter in the
- connection description and
-<DL>
-<DT>either</DT>
-<DD>set<VAR> leftfirewall=yes</VAR> to use the default<VAR> updown</VAR>
- script</DD>
-<DT>or</DT>
-<DD>use your own script by giving its name in a<VAR> leftupdown=</VAR>
- parameter</DD>
-</DL>
- These scripts are described in their own<A href="#updown"> section</A>.
-<P>In this case, no masquerading is done. Packets to or from the client
- subnet are encrypted or decrypted without any change to their client
- subnet addresses, although of course the encapsulating packets use
- gateway addresses in their headers. Clients behind the right security
- gateway see a route via that gateway to the left subnet.</P>
-</LI>
-</UL>
-<H3><A name="nat_bad">NAT between gateways is problematic</A></H3>
-<P>We recommend not trying to build IPsec connections which pass through
- a NAT machine. This setup poses problems:</P>
-<PRE>      clients --- SG --- NAT ---------- SG</PRE>
-<P>If you must try it, some references are:</P>
-<UL>
-<LI>Jean_Francois Nadeau's document on doing<A href="http://jixen.tripod.com/#NATed gateways">
- IPsec behind NAT</A></LI>
-<LI><A href="web.html#VPN.masq">VPN masquerade patches</A> to make a
- Linux NAT box handle IPsec packets correctly</LI>
-</UL>
-<H3><A name="NAT.ref">Other references on NAT and IPsec</A></H3>
-<P>Other documents which may be relevant include:</P>
-<UL>
-<LI>an Internet Draft on<A href="http://search.ietf.org/internet-drafts/draft-aboba-nat-ipsec-04.txt">
- IPsec and NAT</A> which may eventually evolve into a standard solution
- for this problem.</LI>
-<LI>an informational<A href="http://www.cis.ohio-state.edu/rfc/rfc2709.txt">
- RFC</A>,<CITE> Security Model with Tunnel-mode IPsec for NAT Domains</CITE>
-.</LI>
-<LI>an<A href="http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html">
- article</A> in Cisco's<CITE> Internet Protocol Journal</CITE></LI>
-</UL>
-<H2><A name="complications">Other complications</A></H2>
-<P>Of course simply allowing UDP 500 and ESP packets is not the whole
- story. Various other issues arise in making IPsec and packet filters
- co-exist and even co-operate. Some of them are summarised below.</P>
-<H3><A name="through">IPsec<EM> through</EM></A> the gateway</H3>
-<P>Basic IPsec packet filtering rules deal only with packets addressed
- to or sent from your IPsec gateway.</P>
-<P>It is a separate policy decision whether to permit such packets to
- pass through the gateway so that client machines can build end-to-end
- IPsec tunnels of their own. This may not be practical if you are using<A
-href="#NAT"> NAT (IP masquerade)</A> on your gateway, and may conflict
- with some corporate security policies.</P>
-<P>Where possible, allowing this is almost certainly a good idea. Using
- IPsec on an end-to-end basis is more secure than gateway-to-gateway.</P>
-<P>Doing it is quite simple. You just need firewall rules that allow UDP
- port 500 and protocols 50 and 51 to pass through your gateway. If you
- wish, you can of course restrict this to certain hosts.</P>
-<H3><A name="ipsec_only">Preventing non-IPsec traffic</A></H3>
- You can also filter<EM> everything but</EM> UDP port 500 and ESP or AH
- to restrict traffic to IPsec only, either for anyone communicating with
- your host or just for specific partners.
-<P>One application of this is for the telecommuter who might have:</P>
-<PRE>     Sunset==========West------------------East ================= firewall --- the Internet
-         home network      untrusted net        corporate network</PRE>
-<P>The subnet on the right is 0.0.0.0/0, the whole Internet. The West
- gateway is set up so that it allows only IPsec packets to East in or
- out.</P>
-<P>This configuration is used in AT&amp;T Research's network. For details,
- see the<A href="intro.html#applied"> papers</A> links in our
- introduction.</P>
-<P>Another application would be to set up firewall rules so that an
- internal machine, such as an employees-only web server, could not talk
- to the outside world except via specific IPsec tunnels.</P>
-<H3><A name="unknowngate">Filtering packets from unknown gateways</A></H3>
-<P>It is possible to use firewall rules to restrict UDP 500, ESP and AH
- packets so that these packets are accepted only from known gateways.
- This is not strictly necessary since FreeS/WAN will discard packets
- from unknown gateways. You might, however, want to do it for any of a
- number of reasons. For example:</P>
-<UL>
-<LI>Arguably, &quot;belt and suspenders&quot; is the sensible approach to
- security. If you can block a potential attack in two ways, use both.
- The only question is whether to look for a third way after implementing
- the first two.</LI>
-<LI>Some admins may prefer to use the firewall code this way because
- they prefer firewall logging to FreeS/WAN's logging.</LI>
-<LI>You may need it to implement your security policy. Consider an
- employee working at home, and a policy that says traffic from the home
- system to the Internet at large must go first via IPsec to the
- corporate LAN and then out to the Internet via the corporate firewall.
- One way to do that is to make<VAR> ipsec0</VAR> the default route on
- the home gateway and provide exceptions only for UDP 500 and ESP to the
- corporate gateway. Everything else is then routed via the tunnel to the
- corporate gateway.</LI>
-</UL>
-<P>It is not possible to use only static firewall rules for this
- filtering if you do not know the other gateways' IP addresses in
- advance, for example if you have &quot;road warriors&quot; who may connect from a
- different address each time or if want to do<A href="glossary.html#carpediem">
- opportunistic encryption</A> to arbitrary gateways. In these cases, you
- can accept UDP 500 IKE packets from anywhere, then use the<A href="#updown">
- updown</A> script feature of<A href="manpage.d/ipsec_pluto.8.html">
- pluto(8)</A> to dynamically adjust firewalling for each negotiated
- tunnel.</P>
-<P>Firewall packet filtering does not much reduce the risk of a<A href="glossary.html#DOS">
- denial of service attack</A> on FreeS/WAN. The firewall can drop
- packets from unknown gateways, but KLIPS does that quite efficiently
- anyway, so you gain little. The firewall cannot drop otherwise
- legitmate packets that fail KLIPS authentication, so it cannot protect
- against an attack designed to exhaust resources by making FreeS/WAN
- perform many expensive authentication operations.</P>
-<P>In summary, firewall filtering of IPsec packets from unknown gateways
- is possible but not strictly necessary.</P>
-<H2><A name="otherfilter">Other packet filters</A></H2>
-<P>When the IPsec gateway is also acting as your firewall, other packet
- filtering rules will be in play. In general, those are outside the
- scope of this document. See our<A href="web.html#firewall.linux"> Linux
- firewall links</A> for information. There are a few types of packet,
- however, which can affect the operation of FreeS/WAN or of diagnostic
- tools commonly used with it. These are discussed below.</P>
-<H3><A name="ICMP">ICMP filtering</A></H3>
-<P><A href="glossary.html#ICMP.gloss">ICMP</A> is the<STRONG> I</STRONG>
-nternet<STRONG> C</STRONG>ontrol<STRONG> M</STRONG>essage<STRONG> P</STRONG>
-rotocol. It is used for messages between IP implementations themselves,
- whereas IP used is used between the clients of those implementations.
- ICMP is, unsurprisingly, used for control messages. For example, it is
- used to notify a sender that a desination is not reachable, or to tell
- a router to reroute certain packets elsewhere.</P>
-<P>ICMP handling is tricky for firewalls.</P>
-<UL>
-<LI>You definitely want some ICMP messages to get through; things won't
- work without them. For example, your clients need to know if some
- destination they ask for is unreachable.</LI>
-<LI>On the other hand, you do equally definitely do not want untrusted
- folk sending arbitrary control messages to your machines. Imagine what
- someone moderately clever and moderately malicious could do to you,
- given control of your network's routing.</LI>
-</UL>
-<P>ICMP does not use ports. Messages are distinguished by a &quot;message
- type&quot; field and, for some types, by an additional &quot;code&quot; field. The
- definitive list of types and codes is on the<A href="http://www.iana.org">
- IANA</A> site.</P>
-<P>One expert uses this definition for ICMP message types to be dropped
- at the firewall.</P>
-<PRE># ICMP types which lack socially redeeming value.
-#  5     Redirect
-#  9     Router Advertisement
-# 10     Router Selection
-# 15     Information Request
-# 16     Information Reply
-# 17     Address Mask Request
-# 18     Address Mask Reply
-
-badicmp='5 9 10 15 16 17 18'</PRE>
-<P>A more conservative approach would be to make a list of allowed types
- and drop everything else.</P>
-<P>Whichever way you do it, your ICMP filtering rules on a FreeS/WAN
- gateway should allow at least the following ICMP packet types:</P>
-<DL>
-<DT>echo (type 8)</DT>
-<DD></DD>
-<DT>echo reply (type 0)</DT>
-<DD>These are used by ping(1). We recommend allowing both types through
- the tunnel and to or from your gateway's external interface, since
- ping(1) is an essential testing tool.
-<P>It is fairly common for firewalls to drop ICMP echo packets addressed
- to machines behind the firewall. If that is your policy, please create
- an exception for such packets arriving via an IPsec tunnel, at least
- during intial testing of those tunnels.</P>
-</DD>
-<DT>destination unreachable (type 3)</DT>
-<DD>This is used, with code 4 (Fragmentation Needed and Don't Fragment
- was Set) in the code field, to control<A href="glossary.html#pathMTU">
- path MTU discovery</A>. Since IPsec processing adds headers, enlarges
- packets and may cause fragmentation, an IPsec gateway should be able to
- send and receive these ICMP messages<STRONG> on both inside and outside
- interfaces</STRONG>.</DD>
-</DL>
-<H3><A name="traceroute">UDP packets for traceroute</A></H3>
-<P>The traceroute(1) utility uses UDP port numbers from 33434 to
- approximately 33633. Generally, these should be allowed through for
- troubleshooting.</P>
-<P>Some firewalls drop these packets to prevent outsiders exploring the
- protected network with traceroute(1). If that is your policy, consider
- creating an exception for such packets arriving via an IPsec tunnel, at
- least during intial testing of those tunnels.</P>
-<H3><A name="l2tp">UDP for L2TP</A></H3>
-<P> Windows 2000 does, and products designed for compatibility with it
- may, build<A href="glossary.html#L2TP"> L2TP</A> tunnels over IPsec
- connections.</P>
-<P>For this to work, you must allow UDP protocol 1701 packets coming out
- of your tunnels to continue to their destination. You can, and probably
- should, block such packets to or from your external interfaces, but
- allow them from<VAR> ipsec0</VAR>.</P>
-<P>See also our Windows 2000<A href="interop.html#win2k"> interoperation
- discussion</A>.</P>
-<H2><A name="packets">How it all works: IPsec packet details</A></H2>
-<P>IPsec uses three main types of packet:</P>
-<DL>
-<DT><A href="glossary.html#IKE">IKE</A> uses<STRONG> the UDP protocol
- and port 500</STRONG>.</DT>
-<DD>Unless you are using only (less secure, not recommended) manual
- keying, you need IKE to negotiate connection parameters, acceptable
- algorithms, key sizes and key setup. IKE handles everything required to
- set up, rekey, repair or tear down IPsec connections.</DD>
-<DT><A href="glossary.html#ESP">ESP</A> is<STRONG> protocol number 50</STRONG>
-</DT>
-<DD>This is required for encrypted connections.</DD>
-<DT><A href="glossary.html#AH">AH</A> is<STRONG> protocol number 51</STRONG>
-</DT>
-<DD>This can be used where only authentication, not encryption, is
- required.</DD>
-</DL>
-<P>All of those packets should have appropriate IPsec gateway addresses
- in both the to and from IP header fields. Firewall rules can check this
- if you wish, though it is not strictly necessary. This is discussed in
- more detail<A href="#unknowngate"> later</A>.</P>
-<P>IPsec processing of incoming packets authenticates them then removes
- the ESP or AH header and decrypts if necessary. Successful processing
- exposes an inner packet which is then delivered back to the firewall
- machinery, marked as having arrived on an<VAR> ipsec[0-3]</VAR>
- interface. Firewall rules can use that interface label to distinguish
- these packets from unencrypted packets which are labelled with the
- physical interface they arrived on (or perhaps with a non-IPsec virtual
- interface such as<VAR> ppp0</VAR>).</P>
-<P>One of our users sent a mailing list message with a<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00006.html">
- diagram</A> of the packet flow.</P>
-<H3><A name="noport">ESP and AH do not have ports</A></H3>
-<P>Some protocols, such as TCP and UDP, have the notion of ports. Others
- protocols, including ESP and AH, do not. Quite a few IPsec newcomers
- have become confused on this point. There are no ports<EM> in</EM> the
- ESP or AH protocols, and no ports used<EM> for</EM> them. For these
- protocols,<EM> the idea of ports is completely irrelevant</EM>.</P>
-<H3><A name="header">Header layout</A></H3>
-<P>The protocol numbers for ESP or AH are used in the 'next header'
- field of the IP header. On most non-IPsec packets, that field would
- have one of:</P>
-<UL>
-<LI>1 for ICMP</LI>
-<LI>4 for IP-in-IP encapsulation</LI>
-<LI>6 for TCP</LI>
-<LI>17 for UDP</LI>
-<LI>... or one of about 100 other possibilities listed by<A href="http://www.iana.org">
- IANA</A></LI>
-</UL>
-<P>Each header in the sequence tells what the next header will be. IPsec
- adds headers for ESP or AH near the beginning of the sequence. The
- original headers are kept and the 'next header' fields adjusted so that
- all headers can be correctly interpreted.</P>
-<P>For example, using<STRONG> [</STRONG><STRONG> ]</STRONG> to indicate
- data protected by ESP and unintelligible to an eavesdropper between the
- gateways:</P>
-<UL>
-<LI>a simple packet might have only IP and TCP headers with:
-<UL>
-<LI>IP header says next header --&gt; TCP</LI>
-<LI>TCP header port number --&gt; which process to send data to</LI>
-<LI>data</LI>
-</UL>
-</LI>
-<LI>with ESP<A href="glossary.html#transport"> transport mode</A>
- encapsulation, that packet would have:
-<UL>
-<LI>IP header says next header --&gt; ESP</LI>
-<LI>ESP header<STRONG> [</STRONG> says next --&gt; TCP</LI>
-<LI>TCP header port number --&gt; which process to send data to</LI>
-<LI>data<STRONG> ]</STRONG></LI>
-</UL>
- Note that the IP header is outside ESP protection, visible to an
- attacker, and that the final destination must be the gateway.</LI>
-<LI>with ESP in<A href="glossary.html#tunnel"> tunnel mode</A>, we might
- have:
-<UL>
-<LI>IP header says next header --&gt; ESP</LI>
-<LI>ESP header<STRONG> [</STRONG> says next --&gt; IP</LI>
-<LI>IP header says next header --&gt; TCP</LI>
-<LI>TCP header port number --&gt; which process to send data to</LI>
-<LI>data<STRONG> ]</STRONG></LI>
-</UL>
- Here the inner IP header is protected by ESP, unreadable by an
- attacker. Also, the inner header can have a different IP address than
- the outer IP header, so the decrypted packet can be routed from the
- IPsec gateway to a final destination which may be another machine.</LI>
-</UL>
-<P>Part of the ESP header itself is encrypted, which is why the<STRONG>
- [</STRONG> indicating protected data appears in the middle of some
- lines above. The next header field of the ESP header is protected. This
- makes<A href="glossary.html#traffic"> traffic analysis</A> more
- difficult. The next header field would tell an eavesdropper whether
- your packet was UDP to the gateway, TCP to the gateway, or encapsulated
- IP. It is better not to give this information away. A clever attacker
- may deduce some of it from the pattern of packet sizes and timings, but
- we need not make it easy.</P>
-<P>IPsec allows various combinations of these to match local policies,
- including combinations that use both AH and ESP headers or that nest
- multiple copies of these headers.</P>
-<P>For example, suppose my employer has an IPsec VPN running between two
- offices so all packets travelling between the gateways for those
- offices are encrypted. If gateway policies allow it (The admins could
- block UDP 500 and protocols 50 and 51 to disallow it), I can build an
- IPsec tunnel from my desktop to a machine in some remote office. Those
- packets will have one ESP header throughout their life, for my
- end-to-end tunnel. For part of the route, however, they will also have
- another ESP layer for the corporate VPN's encapsulation. The whole
- header scheme for a packet on the Internet might be:</P>
-<UL>
-<LI>IP header (with gateway address) says next header --&gt; ESP</LI>
-<LI>ESP header<STRONG> [</STRONG> says next --&gt; IP</LI>
-<LI>IP header (with receiving machine address) says next header --&gt; ESP</LI>
-<LI>ESP header<STRONG> [</STRONG> says next --&gt; TCP</LI>
-<LI>TCP header port number --&gt; which process to send data to</LI>
-<LI>data<STRONG> ]]</STRONG></LI>
-</UL>
-<P>The first ESP (outermost) header is for the corporate VPN. The inner
- ESP header is for the secure machine-to-machine link.</P>
-<H3><A name="dhr">DHR on the updown script</A></H3>
-<P>Here are some mailing list comments from<A href="manpage.d/ipsec_pluto.8.html">
- pluto(8)</A> developer Hugh Redelmeier on an earlier draft of this
- document:</P>
-<PRE>There are many important things left out
-
-- firewalling is important but must reflect (implement) policy.  Since
-  policy isn't the same for all our customers, and we're not experts,
-  we should concentrate on FW and MASQ interactions with FreeS/WAN.
-
-- we need a diagram to show packet flow WITHIN ONE MACHINE, assuming
-  IKE, IPsec, FW, and MASQ are all done on that machine.  The flow is
-  obvious if the components are run on different machines (trace the
-  cables).
-
-  IKE input:
-        + packet appears on public IF, as UDP port 500
-        + input firewalling rules are applied (may discard)
-        + Pluto sees the packet.
-
-  IKE output:
-        + Pluto generates the packet &amp; writes to public IF, UDP port 500
-        + output firewalling rules are applied (may discard)
-        + packet sent out public IF
-
-  IPsec input, with encapsulated packet, outer destination of this host:
-        + packet appears on public IF, protocol 50 or 51.  If this
-          packet is the result of decapsulation, it will appear
-          instead on the paired ipsec IF.
-        + input firewalling rules are applied (but packet is opaque)
-        + KLIPS decapsulates it, writes result to paired ipsec IF
-        + input firewalling rules are applied to resulting packet
-          as input on ipsec IF
-        + if the destination of the packet is this machine, the
-          packet is passed on to the appropriate protocol handler.
-          If the original packet was encapsulated more than once
-          and the new outer destination is this machine, that
-          handler will be KLIPS.
-        + otherwise:
-          * routing is done for the resulting packet.  This may well
-            direct it into KLIPS for encoding or encrypting.  What
-            happens then is described elsewhere.
-          * forwarding firewalling rules are applied
-          * output firewalling rules are applied
-          * the packet is sent where routing specified
-
- IPsec input, with encapsulated packet, outer destination of another host:
-        + packet appears on some IF, protocol 50 or 51
-        + input firewalling rules are applied (but packet is opaque)
-        + routing selects where to send the packet
-        + forwarding firewalling rules are applied (but packet is opaque)
-        + packet forwarded, still encapsulated
-
-  IPsec output, from this host or from a client:
-        + if from a client, input firewalling rules are applied as the
-          packet arrives on the private IF
-        + routing directs the packet to an ipsec IF (this is how the
-          system decides KLIPS processing is required)
-        + if from a client, forwarding firewalling rules are applied
-        + KLIPS eroute mechanism matches the source and destination
-          to registered eroutes, yielding a SPI group.  This dictates
-          processing, and where the resulting packet is to be sent
-          (the destinations SG and the nexthop).
-        + output firewalling is not applied to the resulting
-          encapsulated packet
-
-- Until quite recently, KLIPS would double encapsulate packets that
-  didn't strictly need to be.  Firewalling should be prepared for
-  those packets showing up as ESP and AH protocol input packets on
-  an ipsec IF.
-
-- MASQ processing seems to be done as if it were part of the
-  forwarding firewall processing (this should be verified).
-
-- If a firewall is being used, it is likely the case that it needs to
-  be adjusted whenever IPsec SAs are added or removed.  Pluto invokes
-  a script to do this (and to adjust routing) at suitable times.  The
-  default script is only suitable for ipfwadm-managed firewalls.  Under
-  LINUX 2.2.x kernels, ipchains can be managed by ipfwadm (emulation),
-  but ipchains more powerful if manipulated using the ipchains command.
-  In this case, a custom updown script must be used.
-
-  We think that the flexibility of ipchains precludes us supplying an
-  updown script that would be widely appropriate.</PRE>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="manpages.html">Previous</A>
-<A HREF="trouble.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/glossary.html b/doc/glossary.html
deleted file mode 100644
index 3ca33810f..000000000
--- a/doc/glossary.html
+++ /dev/null
@@ -1,2132 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="web.html">Previous</A>
-<A HREF="biblio.html">Next</A>
-<HR>
-<H1><A name="ourgloss">Glossary for the Linux FreeS/WAN project</A></H1>
-<P>Entries are in alphabetical order. Some entries are only one line or
- one paragraph long. Others run to several paragraphs. I have tried to
- put the essential information in the first paragraph so you can skip
- the other paragraphs if that seems appropriate.</P>
-<HR>
-<H2><A name="jump">Jump to a letter in the glossary</A></H2>
-<CENTER> <BIG><B><A href="#0">numeric</A><A href="#A"> A</A><A href="#B">
- B</A><A href="#C"> C</A><A href="#D"> D</A><A href="#E"> E</A><A href="#F">
- F</A><A href="#G"> G</A><A href="#H"> H</A><A href="#I"> I</A><A href="#J">
- J</A><A href="#K"> K</A><A href="#L"> L</A><A href="#M"> M</A><A href="#N">
- N</A><A href="#O"> O</A><A href="#P"> P</A><A href="#Q"> Q</A><A href="#R">
- R</A><A href="#S"> S</A><A href="#T"> T</A><A href="#U"> U</A><A href="#V">
- V</A><A href="#W"> W</A><A href="#X"> X</A><A href="#Y"> Y</A><A href="#Z">
- Z</A></B></BIG></CENTER>
-<HR>
-<H2><A name="gloss">Other glossaries</A></H2>
-<P>Other glossaries which overlap this one include:</P>
-<UL>
-<LI>The VPN Consortium's glossary of<A href="http://www.vpnc.org/terms.html">
- VPN terms</A>.</LI>
-<LI>glossary portion of the<A href="http://www.rsa.com/rsalabs/faq/B.html">
- Cryptography FAQ</A></LI>
-<LI>an extensive crytographic glossary on<A href="http://www.ciphersbyritter.com/GLOSSARY.HTM">
- Terry Ritter's</A> page.</LI>
-<LI>The<A href="#NSA"> NSA</A>'s<A href="http://www.sans.org/newlook/resources/glossary.htm">
- glossary of computer security</A> on the<A href="http://www.sans.org">
- SANS Institute</A> site.</LI>
-<LI>a small glossary for Internet Security at<A href="http://www5.zdnet.com/pcmag/pctech/content/special/glossaries/internetsecurity.html">
- PC magazine</A></LI>
-<LI>The<A href="http://www.visi.com/crypto/inet-crypto/glossary.html">
- glossary</A> from Richard Smith's book<A href="biblio.html#Smith">
- Internet Cryptography</A></LI>
-</UL>
-<P>Several Internet glossaries are available as RFCs:</P>
-<UL>
-<LI><A href="http://www.rfc-editor.org/rfc/rfc1208.txt">Glossary of
- Networking Terms</A></LI>
-<LI><A href="http://www.rfc-editor.org/rfc/rfc1983.txt">Internet User's
- Glossary</A></LI>
-<LI><A href="http://www.rfc-editor.org/rfc/rfc2828.txt">Internet
- Security Glossary</A></LI>
-</UL>
-<P>More general glossary or dictionary information:</P>
-<UL>
-<LI>Free Online Dictionary of Computing (FOLDOC)
-<UL>
-<LI><A href="http://www.nightflight.com/foldoc">North America</A></LI>
-<LI><A href="http://wombat.doc.ic.ac.uk/foldoc/index.html">Europe</A></LI>
-<LI><A href="http://www.nue.org/foldoc/index.html">Japan</A></LI>
-</UL>
-<P>There are many more mirrors of this dictionary.</P>
-</LI>
-<LI>The Jargon File, the definitive resource for hacker slang and
- folklore
-<UL>
-<LI><A href="http://www.netmeg.net/jargon">North America</A></LI>
-<LI><A href="http://info.wins.uva.nl/~mes/jargon/">Holland</A></LI>
-<LI><A href="http://www.tuxedo.org/~esr/jargon">home page</A></LI>
-</UL>
-<P>There are also many mirrors of this. See the home page for a list.</P>
-</LI>
-<LI>A general<A href="http://www.trinity.edu/~rjensen/245glosf.htm#Navigate">
- technology glossary</A></LI>
-<LI>An<A href="http://www.yourdictionary.com/"> online dictionary
- resource page</A> with pointers to many dictionaries for many languages</LI>
-<LI>A<A href="http://www.onelook.com/"> search engine</A> that accesses
- several hundred online dictionaries</LI>
-<LI>O'Reilly<A href="http://www.ora.com/reference/dictionary/">
- Dictionary of PC Hardware and Data Communications Terms</A></LI>
-<LI><A href="http://www.FreeSoft.org/CIE/index.htm">Connected</A>
- Internet encyclopedia</LI>
-<LI><A href="http://www.whatis.com/">whatis.com</A></LI>
-</UL>
-<HR>
-<H2><A name="definitions">Definitions</A></H2>
-<DL>
-<DT><A name="0">0</A></DT>
-<DT><A name="3DES">3DES (Triple DES)</A></DT>
-<DD>Using three<A href="#DES"> DES</A> encryptions on a single data
- block, with at least two different keys, to get higher security than is
- available from a single DES pass. The three-key version of 3DES is the
- default encryption algorithm for<A href="web.html#FreeSWAN"> Linux
- FreeS/WAN</A>.
-<P><A href="#IPSEC">IPsec</A> always does 3DES with three different
- keys, as required by RFC 2451. For an explanation of the two-key
- variant, see<A href="#2key"> two key triple DES</A>. Both use an<A href="#EDE">
- EDE</A> encrypt-decrypt-encrpyt sequence of operations.</P>
-<P>Single<A href="#DES"> DES</A> is<A href="politics.html#desnotsecure">
- insecure</A>.</P>
-<P>Double DES is ineffective. Using two 56-bit keys, one might expect an
- attacker to have to do 2<SUP>112</SUP> work to break it. In fact, only
- 2<SUP>57</SUP> work is required with a<A href="#meet">
- meet-in-the-middle attack</A>, though a large amount of memory is also
- required. Triple DES is vulnerable to a similar attack, but that just
- reduces the work factor from the 2<SUP>168</SUP> one might expect to 2<SUP>
-112</SUP>. That provides adequate protection against<A href="#brute">
- brute force</A> attacks, and no better attack is known.</P>
-<P>3DES can be somewhat slow compared to other ciphers. It requires
- three DES encryptions per block. DES was designed for hardware
- implementation and includes some operations which are difficult in
- software. However, the speed we get is quite acceptable for many uses.
- See our<A href="performance.html"> performance</A> document for
- details.</P>
-</DD>
-<DT><A name="A">A</A></DT>
-<DT><A name="active">Active attack</A></DT>
-<DD>An attack in which the attacker does not merely eavesdrop (see<A href="#passive">
- passive attack</A>) but takes action to change, delete, reroute, add,
- forge or divert data. Perhaps the best-known active attack is<A href="#middle">
- man-in-the-middle</A>. In general,<A href="#authentication">
- authentication</A> is a useful defense against active attacks.</DD>
-<DT><A name="AES">AES</A></DT>
-<DD>The<B> A</B>dvanced<B> E</B>ncryption<B> S</B>tandard -- a new<A href="#block">
- block cipher</A> standard to replace<A href="politics.html#desnotsecure">
- DES</A> -- developed by<A href="#NIST"> NIST</A>, the US National
- Institute of Standards and Technology. DES used 64-bit blocks and a
- 56-bit key. AES ciphers use a 128-bit block and 128, 192 or 256-bit
- keys. The larger block size helps resist<A href="#birthday"> birthday
- attacks</A> while the large key size prevents<A href="#brute"> brute
- force attacks</A>.
-<P>Fifteen proposals meeting NIST's basic criteria were submitted in
- 1998 and subjected to intense discussion and analysis, &quot;round one&quot;
- evaluation. In August 1999, NIST narrowed the field to five &quot;round two&quot;
- candidates:</P>
-<UL>
-<LI><A href="http://www.research.ibm.com/security/mars.html">Mars</A>
- from IBM</LI>
-<LI><A href="http://www.rsa.com/rsalabs/aes/">RC6</A> from RSA</LI>
-<LI><A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">Rijndael</A>
- from two Belgian researchers</LI>
-<LI><A href="http://www.cl.cam.ac.uk/~rja14/serpent.html">Serpent</A>, a
- British-Norwegian-Israeli collaboration</LI>
-<LI><A href="http://www.counterpane.com/twofish.html">Twofish</A> from
- the consulting firm<A href="http://www.counterpane.com"> Counterpane</A>
-</LI>
-</UL>
-<P>Three of the five finalists -- Rijndael, Serpent and Twofish -- have
- completely open licenses.</P>
-<P>In October 2000, NIST announced the winner -- Rijndael.</P>
-<P>For more information, see:</P>
-<UL>
-<LI>NIST's<A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
- AES home page</A></LI>
-<LI>the Block Cipher Lounge<A href="http://www.ii.uib.no/~larsr/aes.html">
- AES page</A></LI>
-<LI>Brian Gladman's<A href="http://fp.gladman.plus.com/cryptography_technology/index.htm">
- code and benchmarks</A></LI>
-<LI>Helger Lipmaa's<A href="http://www.tcs.hut.fi/~helger/aes/"> survey
- of implementations</A></LI>
-</UL>
-<P>AES will be added to a future release of<A href="web.html#FreeSWAN">
- Linux FreeS/WAN</A>. Likely we will add all three of the finalists with
- good licenses. User-written<A href="web.html#patch"> AES patches</A>
- are already available.</P>
-<P>Adding AES may also require adding stronger hashes,<A href="#SHA-256">
- SHA-256, SHA-384 and SHA-512</A>.</P>
-</DD>
-<DT><A name="AH">AH</A></DT>
-<DD>The<A href="#IPSEC"> IPsec</A><B> A</B>uthentication<B> H</B>eader,
- added after the IP header. For details, see our<A href="ipsec.html#AH.ipsec">
- IPsec</A> document and/or RFC 2402.</DD>
-<DT><A name="alicebob">Alice and Bob</A></DT>
-<DD>A and B, the standard example users in writing on cryptography and
- coding theory. Carol and Dave join them for protocols which require
- more players.
-<P>Bruce Schneier extends these with many others such as Eve the
- Eavesdropper and Victor the Verifier. His extensions seem to be in the
- process of becoming standard as well. See page 23 of<A href="biblio.html#schneier">
- Applied Cryptography</A></P>
-<P>Alice and Bob have an amusing<A href="http://www.conceptlabs.co.uk/alicebob.html">
- biography</A> on the web.</P>
-</DD>
-<DT>ARPA</DT>
-<DD>see<A href="#DARPA"> DARPA</A></DD>
-<DT><A name="ASIO">ASIO</A></DT>
-<DD>Australian Security Intelligence Organisation.</DD>
-<DT>Asymmetric cryptography</DT>
-<DD>See<A href="#public"> public key cryptography</A>.</DD>
-<DT><A name="authentication">Authentication</A></DT>
-<DD>Ensuring that a message originated from the expected sender and has
- not been altered on route.<A href="#IPSEC"> IPsec</A> uses
- authentication in two places:
-<UL>
-<LI>peer authentication, authenticating the players in<A href="#IKE">
- IKE</A>'s<A href="#DH"> Diffie-Hellman</A> key exchanges to prevent<A href="#middle">
- man-in-the-middle attacks</A>. This can be done in a number of ways.
- The methods supported by FreeS/WAN are discussed in our<A href="adv_config.html#choose">
- advanced configuration</A> document.</LI>
-<LI>packet authentication, authenticating packets on an established<A href="#SA">
- SA</A>, either with a separate<A href="#AH"> authentication header</A>
- or with the optional authentication in the<A href="#ESP"> ESP</A>
- protocol. In either case, packet authentication uses a<A href="#HMAC">
- hashed message athentication code</A> technique.</LI>
-</UL>
-<P>Outside IPsec, passwords are perhaps the most common authentication
- mechanism. Their function is essentially to authenticate the person's
- identity to the system. Passwords are generally only as secure as the
- network they travel over. If you send a cleartext password over a
- tapped phone line or over a network with a packet sniffer on it, the
- security provided by that password becomes zero. Sending an encrypted
- password is no better; the attacker merely records it and reuses it at
- his convenience. This is called a<A href="#replay"> replay</A> attack.</P>
-<P>A common solution to this problem is a<A href="#challenge">
- challenge-response</A> system. This defeats simple eavesdropping and
- replay attacks. Of course an attacker might still try to break the
- cryptographic algorithm used, or the<A href="#random"> random number</A>
- generator.</P>
-</DD>
-<DT><A name="auto">Automatic keying</A></DT>
-<DD>A mode in which keys are automatically generated at connection
- establisment and new keys automaically created periodically thereafter.
- Contrast with<A href="ipsec.html#manual"> manual keying</A> in which a
- single stored key is used.
-<P>IPsec uses the<A href="#DH"> Diffie-Hellman key exchange protocol</A>
- to create keys. An<A href="#authentication"> authentication</A>
- mechansim is required for this. FreeS/WAN normally uses<A href="#RSA">
- RSA</A> for this. Other methods supported are discussed in our<A href="adv_config.html#choose">
- advanced configuration</A> document.</P>
-<P>Having an attacker break the authentication is emphatically not a
- good idea. An attacker that breaks authentication, and manages to
- subvert some other network entities (DNS, routers or gateways), can use
- a<A href="#middle"> man-in-the middle attack</A> to break the security
- of your IPsec connections.</P>
-<P>However, having an attacker break the authentication in automatic
- keying is not quite as bad as losing the key in manual keying.</P>
-<UL>
-<LI>An attacker who reads /etc/ipsec.conf and gets the keys for a
- manually keyed connection can, without further effort, read all
- messages encrypted with those keys, including any old messages he may
- have archived.</LI>
-<LI>Automatic keying has a property called<A href="#PFS"> perfect
- forward secrecy</A>. An attacker who breaks the authentication gets
- none of the automatically generated keys and cannot immediately read
- any messages. He has to mount a successful<A href="#middle">
- man-in-the-middle attack</A> in real time before he can read anything.
- He cannot read old archived messages at all and will not be able to
- read any future messages not caught by man-in-the-middle tricks.</LI>
-</UL>
-<P>That said, the secrets used for authentication, stored in<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A>, should still be protected as tightly as
- cryptographic keys.</P>
-</DD>
-<DT><A name="B">B</A></DT>
-<DT><A href="http://www.nortelnetworks.com">Bay Networks</A></DT>
-<DD>A vendor of routers, hubs and related products, now a subsidiary of
- Nortel. Interoperation between their IPsec products and Linux FreeS/WAN
- was problematic at last report; see our<A href="interop.html#bay">
- interoperation</A> section.</DD>
-<DT><A name="benchmarks">benchmarks</A></DT>
-<DD>Our default block cipher,<A href="#3DES"> triple DES</A>, is slower
- than many alternate ciphers that might be used. Speeds achieved,
- however, seem adequate for many purposes. For example, the assembler
- code from the<A href="#LIBDES"> LIBDES</A> library we use encrypts 1.6
- megabytes per second on a Pentium 200, according to the test program
- supplied with the library.
-<P>For more detail, see our document on<A href="performance.html">
- FreeS/WAN performance</A>.</P>
-</DD>
-<DT><A name="BIND">BIND</A></DT>
-<DD><B>B</B>erkeley<B> I</B>nternet<B> N</B>ame<B> D</B>aemon, a widely
- used implementation of<A href="ipsec.html#DNS"> DNS</A> (Domain Name
- Service). See our bibliography for a<A href="ipsec.html#DNS"> useful
- reference</A>. See the<A href="http://www.isc.org/bind.html"> BIND home
- page</A> for more information and the latest version.</DD>
-<DT><A name="birthday">Birthday attack</A></DT>
-<DD>A cryptographic attack based on the mathematics exemplified by the<A href="#paradox">
- birthday paradox</A>. This math turns up whenever the question of two
- cryptographic operations producing the same result becomes an issue:
-<UL>
-<LI><A href="#collision">collisions</A> in<A href="#digest"> message
- digest</A> functions.</LI>
-<LI>identical output blocks from a<A href="#block"> block cipher</A></LI>
-<LI>repetition of a challenge in a<A href="#challenge">
- challenge-response</A> system</LI>
-</UL>
-<P>Resisting such attacks is part of the motivation for:</P>
-<UL>
-<LI>hash algorithms such as<A href="#SHA"> SHA</A> and<A href="#RIPEMD">
- RIPEMD-160</A> giving a 160-bit result rather than the 128 bits of<A href="#MD4">
- MD4</A>,<A href="#MD5"> MD5</A> and<A href="#RIPEMD"> RIPEMD-128</A>.</LI>
-<LI><A href="#AES">AES</A> block ciphers using a 128-bit block instead
- of the 64-bit block of most current ciphers</LI>
-<LI><A href="#IPSEC">IPsec</A> using a 32-bit counter for packets sent
- on an<A href="ipsec.html#auto"> automatically keyed</A><A href="#SA">
- SA</A> and requiring that the connection always be rekeyed before the
- counter overflows.</LI>
-</UL>
-</DD>
-<DT><A name="paradox">Birthday paradox</A></DT>
-<DD>Not really a paradox, just a rather counter-intuitive mathematical
- fact. In a group of 23 people, the chance of a least one pair having
- the same birthday is over 50%.
-<P>The second person has 1 chance in 365 (ignoring leap years) of
- matching the first. If they don't match, the third person's chances of
- matching one of them are 2/365. The 4th, 3/365, and so on. The total of
- these chances grows more quickly than one might guess.</P>
-</DD>
-<DT><A name="block">Block cipher</A></DT>
-<DD>A<A href="#symmetric"> symmetric cipher</A> which operates on
- fixed-size blocks of plaintext, giving a block of ciphertext for each.
- Contrast with<A href="#stream"> stream cipher</A>. Block ciphers can be
- used in various<A href="#mode"> modes</A> when multiple block are to be
- encrypted.
-<P><A href="#DES">DES</A> is among the the best known and widely used
- block ciphers, but is now obsolete. Its 56-bit key size makes it<A href="politics.html#desnotsecure">
- highly insecure</A> today.<A href="#3DES"> Triple DES</A> is the
- default block cipher for<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A>
-.</P>
-<P>The current generation of block ciphers -- such as<A href="#Blowfish">
- Blowfish</A>,<A href="#CAST128"> CAST-128</A> and<A href="#IDEA"> IDEA</A>
- -- all use 64-bit blocks and 128-bit keys. The next generation,<A href="#AES">
- AES</A>, uses 128-bit blocks and supports key sizes up to 256 bits.</P>
-<P>The<A href="http://www.ii.uib.no/~larsr/bc.html"> Block Cipher Lounge</A>
- web site has more information.</P>
-</DD>
-<DT><A name="Blowfish">Blowfish</A></DT>
-<DD>A<A href="#block"> block cipher</A> using 64-bit blocks and keys of
- up to 448 bits, designed by<A href="biblio.html#schneier"> Bruce
- Schneier</A> and used in several products.
-<P>This is not required by the<A href="#IPSEC"> IPsec</A> RFCs and not
- currently used in<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A>.</P>
-</DD>
-<DT><A name="brute">Brute force attack (exhaustive search)</A></DT>
-<DD>Breaking a cipher by trying all possible keys. This is always
- possible in theory (except against a<A href="#OTP"> one-time pad</A>),
- but it becomes practical only if the key size is inadequate. For an
- important example, see our document on the<A href="politics.html#desnotsecure">
- insecurity of DES</A> with its 56-bit key. For an analysis of key sizes
- required to resist plausible brute force attacks, see<A href="http://www.counterpane.com/keylength.html">
- this paper</A>.
-<P>Longer keys protect against brute force attacks. Each extra bit in
- the key doubles the number of possible keys and therefore doubles the
- work a brute force attack must do. A large enough key defeats<STRONG>
- any</STRONG> brute force attack.</P>
-<P>For example, the EFF's<A href="#EFF"> DES Cracker</A> searches a
- 56-bit key space in an average of a few days. Let us assume an attacker
- that can find a 64-bit key (256 times harder) by brute force search in
- a second (a few hundred thousand times faster). For a 96-bit key, that
- attacker needs 2<SUP>32</SUP> seconds, about 135 years. Against a
- 128-bit key, he needs 2<SUP>32</SUP> times that, over 500,000,000,000
- years. Your data is then obviously secure against brute force attacks.
- Even if our estimate of the attacker's speed is off by a factor of a
- million, it still takes him over 500,000 years to crack a message.</P>
-<P>This is why</P>
-<UL>
-<LI>single<A href="#DES"> DES</A> is now considered<A href="politics.html#desnotsecure">
- dangerously insecure</A></LI>
-<LI>all of the current generation of<A href="#block"> block ciphers</A>
- use a 128-bit or longer key</LI>
-<LI><A href="#AES">AES</A> ciphers support keysizes 128, 192 and 256
- bits</LI>
-<LI>any cipher we add to Linux FreeS/WAN will have<EM> at least</EM> a
- 128-bit key</LI>
-</UL>
-<P><STRONG>Cautions:</STRONG>
-<BR><EM> Inadequate keylength always indicates a weak cipher</EM> but it
- is important to note that<EM> adequate keylength does not necessarily
- indicate a strong cipher</EM>. There are many attacks other than brute
- force, and adequate keylength<EM> only</EM> guarantees resistance to
- brute force. Any cipher, whatever its key size, will be weak if design
- or implementation flaws allow other attacks.</P>
-<P>Also,<EM> once you have adequate keylength</EM> (somewhere around 90
- or 100 bits),<EM> adding more key bits make no practical difference</EM>
-, even against brute force. Consider our 128-bit example above that
- takes 500,000,000,000 years to break by brute force. We really don't
- care how many zeroes there are on the end of that, as long as the
- number remains ridiculously large. That is, we don't care exactly how
- large the key is as long as it is large enough.</P>
-<P>There may be reasons of convenience in the design of the cipher to
- support larger keys. For example<A href="#Blowfish"> Blowfish</A>
- allows up to 448 bits and<A href="#RC4"> RC4</A> up to 2048, but beyond
- 100-odd bits it makes no difference to practical security.</P>
-</DD>
-<DT>Bureau of Export Administration</DT>
-<DD>see<A href="#BXA"> BXA</A></DD>
-<DT><A name="BXA">BXA</A></DT>
-<DD>The US Commerce Department's<B> B</B>ureau of E<B>x</B>port<B> A</B>
-dministration which administers the<A href="#EAR"> EAR</A> Export
- Administration Regulations controling the export of, among other
- things, cryptography.</DD>
-<DT><A name="C">C</A></DT>
-<DT><A name="CA">CA</A></DT>
-<DD><B>C</B>ertification<B> A</B>uthority, an entity in a<A href="#PKI">
- public key infrastructure</A> that can certify keys by signing them.
- Usually CAs form a hierarchy. The top of this hierarchy is called the<A href="#rootCA">
- root CA</A>.
-<P>See<A href="#web"> Web of Trust</A> for an alternate model.</P>
-</DD>
-<DT><A name="CAST128">CAST-128</A></DT>
-<DD>A<A href="#block"> block cipher</A> using 64-bit blocks and 128-bit
- keys, described in RFC 2144 and used in products such as<A href="#Entrust">
- Entrust</A> and recent versions of<A href="#PGP"> PGP</A>.
-<P>This is not required by the<A href="#IPSEC"> IPsec</A> RFCs and not
- currently used in<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A>.</P>
-</DD>
-<DT>CAST-256</DT>
-<DD><A href="#Entrust">Entrust</A>'s candidate cipher for the<A href="#AES">
- AES standard</A>, largely based on the<A href="#CAST128"> CAST-128</A>
- design.</DD>
-<DT><A name="CBC">CBC mode</A></DT>
-<DD><B>C</B>ipher<B> B</B>lock<B> C</B>haining<A href="#mode"> mode</A>,
- a method of using a<A href="#block"> block cipher</A> in which for each
- block except the first, the result of the previous encryption is XORed
- into the new block before it is encrypted. CBC is the mode used in<A href="#IPSEC">
- IPsec</A>.
-<P>An<A href="#IV"> initialisation vector</A> (IV) must be provided. It
- is XORed into the first block before encryption. The IV need not be
- secret but should be different for each message and unpredictable.</P>
-</DD>
-<DT><A name="CIDR">CIDR</A></DT>
-<DD><B>C</B>lassless<B> I</B>nter-<B>D</B>omain<B> R</B>outing, an
- addressing scheme used to describe networks not restricted to the old
- Class A, B, and C sizes. A CIDR block is written<VAR> address</VAR>/<VAR>
-mask</VAR>, where<VAR> address</VAR> is a 32-bit Internet address. The
- first<VAR> mask</VAR> bits of<VAR> address</VAR> are part of the
- gateway address, while the remaining bits designate other host
- addresses. For example, the CIDR block 192.0.2.96/27 describes a
- network with gateway 192.0.2.96, hosts 192.0.2.96 through 192.0.2.126
- and broadcast 192.0.2.127.
-<P>FreeS/WAN policy group files accept CIDR blocks of the format<VAR>
- address</VAR>/[<VAR>mask</VAR>], where<VAR> address</VAR> may take the
- form<VAR> name.domain.tld</VAR>. An absent<VAR> mask</VAR> is assumed
- to be /32.</P>
-</DD>
-<DT>Certification Authority</DT>
-<DD>see<A href="#CA"> CA</A></DD>
-<DT><A name="challenge">Challenge-response authentication</A></DT>
-<DD>An<A href="#authentication"> authentication</A> system in which one
- player generates a<A href="#random"> random number</A>, encrypts it and
- sends the result as a challenge. The other player decrypts and sends
- back the result. If the result is correct, that proves to the first
- player that the second player knew the appropriate secret, required for
- the decryption. Variations on this technique exist using<A href="#public">
- public key</A> or<A href="#symmetric"> symmetric</A> cryptography. Some
- provide two-way authentication, assuring each player of the other's
- identity.
-<P>This is more secure than passwords against two simple attacks:</P>
-<UL>
-<LI>If cleartext passwords are sent across the wire (e.g. for telnet),
- an eavesdropper can grab them. The attacker may even be able to break
- into other systems if the user has chosen the same password for them.</LI>
-<LI>If an encrypted password is sent, an attacker can record the
- encrypted form and use it later. This is called a replay attack.</LI>
-</UL>
-<P>A challenge-response system never sends a password, either cleartext
- or encrypted. An attacker cannot record the response to one challenge
- and use it as a response to a later challenge. The random number is
- different each time.</P>
-<P>Of course an attacker might still try to break the cryptographic
- algorithm used, or the<A href="#random"> random number</A> generator.</P>
-</DD>
-<DT><A name="mode">Cipher Modes</A></DT>
-<DD>Different ways of using a block cipher when encrypting multiple
- blocks.
-<P>Four standard modes were defined for<A href="#DES"> DES</A> in<A href="#FIPS">
- FIPS</A> 81. They can actually be applied with any block cipher.</P>
-<TABLE><TBODY></TBODY>
-<TR><TD></TD><TD><A href="#ECB">ECB</A></TD><TD>Electronic CodeBook</TD><TD>
-encrypt each block independently</TD></TR>
-<TR><TD></TD><TD><A href="#CBC">CBC</A></TD><TD>Cipher Block Chaining
-<BR></TD><TD>XOR previous block ciphertext into new block plaintext
- before encrypting new block</TD></TR>
-<TR><TD></TD><TD>CFB</TD><TD>Cipher FeedBack</TD><TD></TD></TR>
-<TR><TD></TD><TD>OFB</TD><TD>Output FeedBack</TD><TD></TD></TR>
-</TABLE>
-<P><A href="#IPSEC">IPsec</A> uses<A href="#CBC"> CBC</A> mode since
- this is only marginally slower than<A href="#ECB"> ECB</A> and is more
- secure. In ECB mode the same plaintext always encrypts to the same
- ciphertext, unless the key is changed. In CBC mode, this does not
- occur.</P>
-<P>Various other modes are also possible, but none of them are used in
- IPsec.</P>
-</DD>
-<DT><A name="ciphertext">Ciphertext</A></DT>
-<DD>The encrypted output of a cipher, as opposed to the unencrypted<A href="#plaintext">
- plaintext</A> input.</DD>
-<DT><A href="http://www.cisco.com">Cisco</A></DT>
-<DD>A vendor of routers, hubs and related products. Their IPsec products
- interoperate with Linux FreeS/WAN; see our<A href="interop.html#Cisco">
- interop</A> section.</DD>
-<DT><A name="client">Client</A></DT>
-<DD>This term has at least two distinct uses in discussing IPsec:
-<UL>
-<LI>The<STRONG> clients of an IPsec gateway</STRONG> are the machines it
- protects, typically on one or more subnets behind the gateway. In this
- usage, all the machines on an office network are clients of that
- office's IPsec gateway. Laptop or home machines connecting to the
- office, however, are<EM> not</EM> clients of that gateway. They are
- remote gateways, running the other end of an IPsec connection. Each of
- them is also its own client.</LI>
-<LI><STRONG>IPsec client software</STRONG> is used to describe software
- which runs on various standalone machines to let them connect to IPsec
- networks. In this usage, a laptop or home machine connecting to the
- office is a client, and the office gateway is the server.</LI>
-</UL>
-<P>We generally use the term in the first sense. Vendors of Windows
- IPsec solutions often use it in the second. See this<A href="interop.html#client.server">
- discussion</A>.</P>
-</DD>
-<DT><A name="cc">Common Criteria</A></DT>
-<DD>A set of international security classifications which are replacing
- the old US<A href="#rainbow"> Rainbow Book</A> standards and similar
- standards in other countries.
-<P>Web references include this<A href="http://csrc.nist.gov/cc"> US
- government site</A> and this<A href="http://www.commoncriteria.org">
- global home page</A>.</P>
-</DD>
-<DT>Conventional cryptography</DT>
-<DD>See<A href="#symmetric"> symmetric cryptography</A></DD>
-<DT><A name="collision">Collision resistance</A></DT>
-<DD>The property of a<A href="#digest"> message digest</A> algorithm
- which makes it hard for an attacker to find or construct two inputs
- which hash to the same output.</DD>
-<DT>Copyleft</DT>
-<DD>see GNU<A href="#GPL"> General Public License</A></DD>
-<DT><A name="CSE">CSE</A></DT>
-<DD><A href="http://www.cse-cst.gc.ca/">Communications Security
- Establishment</A>, the Canadian organisation for<A href="#SIGINT">
- signals intelligence</A>.</DD>
-<DT><A name="D">D</A></DT>
-<DT><A name="DARPA">DARPA (sometimes just ARPA)</A></DT>
-<DD>The US government's<B> D</B>efense<B> A</B>dvanced<B> R</B>esearch<B>
- P</B>rojects<B> A</B>gency. Projects they have funded over the years
- have included the Arpanet which evolved into the Internet, the TCP/IP
- protocol suite (as a replacement for the original Arpanet suite), the
- Berkeley 4.x BSD Unix projects, and<A href="#SDNS"> Secure DNS</A>.
-<P>For current information, see their<A href="http://www.darpa.mil/ito">
- web site</A>.</P>
-</DD>
-<DT><A name="DOS">Denial of service (DoS) attack</A></DT>
-<DD>An attack that aims at denying some service to legitimate users of a
- system, rather than providing a service to the attacker.
-<UL>
-<LI>One variant is a flooding attack, overwhelming the system with too
- many packets, to much email, or whatever.</LI>
-<LI>A closely related variant is a resource exhaustion attack. For
- example, consider a &quot;TCP SYN flood&quot; attack. Setting up a TCP connection
- involves a three-packet exchange:
-<UL>
-<LI>Initiator: Connection please (SYN)</LI>
-<LI>Responder: OK (ACK)</LI>
-<LI>Initiator: OK here too</LI>
-</UL>
-<P>If the attacker puts bogus source information in the first packet,
- such that the second is never delivered, the responder may wait a long
- time for the third to come back. If responder has already allocated
- memory for the connection data structures, and if many of these bogus
- packets arrive, the responder may run out of memory.</P>
-</LI>
-<LI>Another variant is to feed the system undigestible data, hoping to
- make it sick. For example, IP packets are limited in size to 64K bytes
- and a fragment carries information on where it starts within that 64K
- and how long it is. The &quot;ping of death&quot; delivers fragments that say,
- for example, that they start at 60K and are 20K long. Attempting to
- re-assemble these without checking for overflow can be fatal.</LI>
-</UL>
-<P>The two example attacks discussed were both quite effective when
- first discovered, capable of crashing or disabling many operating
- systems. They were also well-publicised, and today far fewer systems
- are vulnerable to them.</P>
-</DD>
-<DT><A name="DES">DES</A></DT>
-<DD>The<B> D</B>ata<B> E</B>ncryption<B> S</B>tandard, a<A href="#block">
- block cipher</A> with 64-bit blocks and a 56-bit key. Probably the most
- widely used<A href="#symmetric"> symmetric cipher</A> ever devised. DES
- has been a US government standard for their own use (only for
- unclassified data), and for some regulated industries such as banking,
- since the late 70's. It is now being replaced by<A href="#AES"> AES</A>
-.
-<P><A href="politics.html#desnotsecure">DES is seriously insecure
- against current attacks.</A></P>
-<P><A href="web.html#FreeSWAN">Linux FreeS/WAN</A> does not include DES,
- even though the RFCs specify it.<B> We strongly recommend that single
- DES not be used.</B></P>
-<P>See also<A href="#3DES"> 3DES</A> and<A href="#DESX"> DESX</A>,
- stronger ciphers based on DES.</P>
-</DD>
-<DT><A name="DESX">DESX</A></DT>
-<DD>An improved<A href="#DES"> DES</A> suggested by Ron Rivest of RSA
- Data Security. It XORs extra key material into the text before and
- after applying the DES cipher.
-<P>This is not required by the<A href="#IPSEC"> IPsec</A> RFCs and not
- currently used in<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A>. DESX
- would be the easiest additional transform to add; there would be very
- little code to write. It would be much faster than 3DES and almost
- certainly more secure than DES. However, since it is not in the RFCs
- other IPsec implementations cannot be expected to have it.</P>
-</DD>
-<DT>DH</DT>
-<DD>see<A href="#DH"> Diffie-Hellman</A></DD>
-<DT><A name="DHCP">DHCP</A></DT>
-<DD><STRONG>D</STRONG>ynamic<STRONG> H</STRONG>ost<STRONG> C</STRONG>
-onfiguration<STRONG> P</STRONG>rotocol, a method of assigning<A href="#dynamic">
- dynamic IP addresses</A>, and providing additional information such as
- addresses of DNS servers and of gateways. See this<A href="http://www.dhcp.org">
- DHCP resource page.</A></DD>
-<DT><A name="DH">Diffie-Hellman (DH) key exchange protocol</A></DT>
-<DD>A protocol that allows two parties without any initial shared secret
- to create one in a manner immune to eavesdropping. Once they have done
- this, they can communicate privately by using that shared secret as a
- key for a block cipher or as the basis for key exchange.
-<P>The protocol is secure against all<A href="#passive"> passive attacks</A>
-, but it is not at all resistant to active<A href="#middle">
- man-in-the-middle attacks</A>. If a third party can impersonate Bob to
- Alice and vice versa, then no useful secret can be created.
- Authentication of the participants is a prerequisite for safe
- Diffie-Hellman key exchange. IPsec can use any of several<A href="#authentication">
- authentication</A> mechanisims. Those supported by FreeS/WAN are
- discussed in our<A href="config.html#choose"> configuration</A>
- section.</P>
-<P>The Diffie-Hellman key exchange is based on the<A href="#dlog">
- discrete logarithm</A> problem and is secure unless someone finds an
- efficient solution to that problem.</P>
-<P>Given a prime<VAR> p</VAR> and generator<VAR> g</VAR> (explained
- under<A href="#dlog"> discrete log</A> below), Alice:</P>
-<UL>
-<LI>generates a random number<VAR> a</VAR></LI>
-<LI>calculates<VAR> A = g^a modulo p</VAR></LI>
-<LI>sends<VAR> A</VAR> to Bob</LI>
-</UL>
-<P>Meanwhile Bob:</P>
-<UL>
-<LI>generates a random number<VAR> b</VAR></LI>
-<LI>calculates<VAR> B = g^b modulo p</VAR></LI>
-<LI>sends<VAR> B</VAR> to Alice</LI>
-</UL>
-<P>Now Alice and Bob can both calculate the shared secret<VAR> s =
- g^(ab)</VAR>. Alice knows<VAR> a</VAR> and<VAR> B</VAR>, so she
- calculates<VAR> s = B^a</VAR>. Bob knows<VAR> A</VAR> and<VAR> b</VAR>
- so he calculates<VAR> s = A^b</VAR>.</P>
-<P>An eavesdropper will know<VAR> p</VAR> and<VAR> g</VAR> since these
- are made public, and can intercept<VAR> A</VAR> and<VAR> B</VAR> but,
- short of solving the<A href="#dlog"> discrete log</A> problem, these do
- not let him or her discover the secret<VAR> s</VAR>.</P>
-</DD>
-<DT><A name="signature">Digital signature</A></DT>
-<DD>Sender:
-<UL>
-<LI>calculates a<A href="#digest"> message digest</A> of a document</LI>
-<LI>encrypts the digest with his or her private key, using some<A href="#public">
- public key cryptosystem</A>.</LI>
-<LI>attaches the encrypted digest to the document as a signature</LI>
-</UL>
-<P>Receiver:</P>
-<UL>
-<LI>calculates a digest of the document (not including the signature)</LI>
-<LI>decrypts the signature with the signer's public key</LI>
-<LI>verifies that the two results are identical</LI>
-</UL>
-<P>If the public-key system is secure and the verification succeeds,
- then the receiver knows</P>
-<UL>
-<LI>that the document was not altered between signing and verification</LI>
-<LI>that the signer had access to the private key</LI>
-</UL>
-<P>Such an encrypted message digest can be treated as a signature since
- it cannot be created without<EM> both</EM> the document<EM> and</EM>
- the private key which only the sender should possess. The<A href="web.html#legal">
- legal issues</A> are complex, but several countries are moving in the
- direction of legal recognition for digital signatures.</P>
-</DD>
-<DT><A name="dlog">discrete logarithm problem</A></DT>
-<DD>The problem of finding logarithms in a finite field. Given a field
- defintion (such definitions always include some operation analogous to
- multiplication) and two numbers, a base and a target, find the power
- which the base must be raised to in order to yield the target.
-<P>The discrete log problem is the basis of several cryptographic
- systems, including the<A href="#DH"> Diffie-Hellman</A> key exchange
- used in the<A href="#IKE"> IKE</A> protocol. The useful property is
- that exponentiation is relatively easy but the inverse operation,
- finding the logarithm, is hard. The cryptosystems are designed so that
- the user does only easy operations (exponentiation in the field) but an
- attacker must solve the hard problem (discrete log) to crack the
- system.</P>
-<P>There are several variants of the problem for different types of
- field. The IKE/Oakley key determination protocol uses two variants,
- either over a field modulo a prime or over a field defined by an
- elliptic curve. We give an example modulo a prime below. For the
- elliptic curve version, consult an advanced text such as<A href="biblio.html#handbook">
- Handbook of Applied Cryptography</A>.</P>
-<P>Given a prime<VAR> p</VAR>, a generator<VAR> g</VAR> for the field
- modulo that prime, and a number<VAR> x</VAR> in the field, the problem
- is to find<VAR> y</VAR> such that<VAR> g^y = x</VAR>.</P>
-<P>For example, let p = 13. The field is then the integers from 0 to 12.
- Any integer equals one of these modulo 13. That is, the remainder when
- any integer is divided by 13 must be one of these.</P>
-<P>2 is a generator for this field. That is, the powers of two modulo 13
- run through all the non-zero numbers in the field. Modulo 13 we have:</P>
-<PRE>          y      x
-        2^0  ==  1
-        2^1  ==  2
-        2^2  ==  4
-        2^3  ==  8
-        2^4  ==  3 that is, the remainder from 16/13 is 3
-        2^5  ==  6          the remainder from 32/13 is 6
-        2^6  == 12 and so on
-        2^7  == 11
-        2^8  ==  9
-        2^9  ==  5
-        2^10 == 10
-        2^11 ==  7
-        2^12 ==  1</PRE>
-<P>Exponentiation in such a field is not difficult. Given, say,<NOBR><VAR>
- y = 11</VAR>,calculating<NOBR><VAR> x = 7</VAR>is straightforward. One
- method is just to calculate<NOBR><VAR> 2^11 = 2048</VAR>,then<NOBR><VAR>
- 2048 mod 13 == 7</VAR>.When the field is modulo a large prime (say a
- few 100 digits) you need a silghtly cleverer method and even that is
- moderately expensive in computer time, but the calculation is still not
- problematic in any basic way.</P>
-<P>The discrete log problem is the reverse. In our example, given<NOBR><VAR>
- x = 7</VAR>,find the logarithm<NOBR><VAR> y = 11</VAR>.When the field
- is modulo a large prime (or is based on a suitable elliptic curve),
- this is indeed problematic. No solution method that is not
- catastrophically expensive is known. Quite a few mathematicians have
- tackled this problem. No efficient method has been found and
- mathematicians do not expect that one will be. It seems likely no
- efficient solution to either of the main variants the discrete log
- problem exists.</P>
-<P>Note, however, that no-one has proven such methods do not exist. If a
- solution to either variant were found, the security of any crypto
- system using that variant would be destroyed. This is one reason<A href="#IKE">
- IKE</A> supports two variants. If one is broken, we can switch to the
- other.</P>
-</DD>
-<DT><A name="discretionary">discretionary access control</A></DT>
-<DD>access control mechanisms controlled by the user, for example Unix
- rwx file permissions. These contrast with<A href="#mandatory">
- mandatory access controls</A>.</DD>
-<DT><A name="DNS">DNS</A></DT>
-<DD><B>D</B>omain<B> N</B>ame<B> S</B>ervice, a distributed database
- through which names are associated with numeric addresses and other
- information in the Internet Protocol Suite. See also the<A href="background.html#dns.background">
- DNS background</A> section of our documentation.</DD>
-<DT>DOS attack</DT>
-<DD>see<A href="#DOS"> Denial Of Service</A> attack</DD>
-<DT><A name="dynamic">dynamic IP address</A></DT>
-<DD>an IP address which is automatically assigned, either by<A href="#DHCP">
- DHCP</A> or by some protocol such as<A href="#PPP"> PPP</A> or<A href="#PPPoE">
- PPPoE</A> which the machine uses to connect to the Internet. This is
- the opposite of a<A href="#static"> static IP address</A>, pre-set on
- the machine itself.</DD>
-<DT><A name="E">E</A></DT>
-<DT><A name="EAR">EAR</A></DT>
-<DD>The US government's<B> E</B>xport<B> A</B>dministration<B> R</B>
-egulations, administered by the<A href="#BXA"> Bureau of Export
- Administration</A>. These have replaced the earlier<A href="#ITAR">
- ITAR</A> regulations as the controls on export of cryptography.</DD>
-<DT><A name="ECB">ECB mode</A></DT>
-<DD><B>E</B>lectronic<B> C</B>ode<B>B</B>ook mode, the simplest way to
- use a block cipher. See<A href="#mode"> Cipher Modes</A>.</DD>
-<DT><A name="EDE">EDE</A></DT>
-<DD>The sequence of operations normally used in either the three-key
- variant of<A href="#3DES"> triple DES</A> used in<A href="#IPSEC">
- IPsec</A> or the<A href="#2key"> two-key</A> variant used in some other
- systems.
-<P>The sequence is:</P>
-<UL>
-<LI><B>E</B>ncrypt with key1</LI>
-<LI><B>D</B>ecrypt with key2</LI>
-<LI><B>E</B>ncrypt with key3</LI>
-</UL>
-<P>For the two-key version, key1=key3.</P>
-<P>The &quot;advantage&quot; of this EDE order of operations is that it makes it
- simple to interoperate with older devices offering only single DES. Set
- key1=key2=key3 and you have the worst of both worlds, the overhead of
- triple DES with the &quot;security&quot; of single DES. Since both the<A href="politics.html#desnotsecure">
- security of single DES</A> and the overheads of triple DES are
- seriously inferior to many other ciphers, this is a spectacularly
- dubious &quot;advantage&quot;.</P>
-</DD>
-<DT><A name="Entrust">Entrust</A></DT>
-<DD>A Canadian company offerring enterprise<A href="#PKI"> PKI</A>
- products using<A href="#CAST128"> CAST-128</A> symmetric crypto,<A href="#RSA">
- RSA</A> public key and<A href="#X509"> X.509</A> directories.<A href="http://www.entrust.com">
- Web site</A></DD>
-<DT><A name="EFF">EFF</A></DT>
-<DD><A href="http://www.eff.org">Electronic Frontier Foundation</A>, an
- advocacy group for civil rights in cyberspace.</DD>
-<DT><A name="encryption">Encryption</A></DT>
-<DD>Techniques for converting a readable message (<A href="#plaintext">
-plaintext</A>) into apparently random material (<A href="#ciphertext">
-ciphertext</A>) which cannot be read if intercepted. A key is required
- to read the message.
-<P>Major variants include<A href="#symmetric"> symmetric</A> encryption
- in which sender and receiver use the same secret key and<A href="#public">
- public key</A> methods in which the sender uses one of a matched pair
- of keys and the receiver uses the other. Many current systems,
- including<A href="#IPSEC"> IPsec</A>, are<A href="#hybrid"> hybrids</A>
- combining the two techniques.</P>
-</DD>
-<DT><A name="ESP">ESP</A></DT>
-<DD><B>E</B>ncapsulated<B> S</B>ecurity<B> P</B>ayload, the<A href="#IPSEC">
- IPsec</A> protocol which provides<A href="#encryption"> encryption</A>.
- It can also provide<A href="#authentication"> authentication</A>
- service and may be used with null encryption (which we do not
- recommend). For details see our<A href="ipsec.html#ESP.ipsec"> IPsec</A>
- document and/or RFC 2406.</DD>
-<DT><A name="#extruded">Extruded subnet</A></DT>
-<DD>A situation in which something IP sees as one network is actually in
- two or more places.
-<P>For example, the Internet may route all traffic for a particular
- company to that firm's corporate gateway. It then becomes the company's
- problem to get packets to various machines on their<A href="#subnet">
- subnets</A> in various departments. They may decide to treat a branch
- office like a subnet, giving it IP addresses &quot;on&quot; their corporate net.
- This becomes an extruded subnet.</P>
-<P>Packets bound for it are delivered to the corporate gateway, since as
- far as the outside world is concerned, that subnet is part of the
- corporate network. However, instead of going onto the corporate LAN (as
- they would for, say, the accounting department) they are then
- encapsulated and sent back onto the Internet for delivery to the branch
- office.</P>
-<P>For information on doing this with Linux FreeS/WAN, look in our<A href="adv_config.html#extruded.config">
- advanced configuration</A> section.</P>
-</DD>
-<DT>Exhaustive search</DT>
-<DD>See<A href="#brute"> brute force attack</A>.</DD>
-<DT><A name="F">F</A></DT>
-<DT><A name="FIPS">FIPS</A></DT>
-<DD><B>F</B>ederal<B> I</B>nformation<B> P</B>rocessing<B> S</B>tandard,
- the US government's standards for products it buys. These are issued by<A
-href="#NIST"> NIST</A>. Among other things,<A href="#DES"> DES</A> and<A href="#SHA">
- SHA</A> are defined in FIPS documents. NIST have a<A href="http://www.itl.nist.gov/div897/pubs">
- FIPS home page</A>.</DD>
-<DT><A name="FSF">Free Software Foundation (FSF)</A></DT>
-<DD>An organisation to promote free software, free in the sense of these
- quotes from their web pages</DD>
-<DD><BLOCKQUOTE> &quot;Free software&quot; is a matter of liberty, not price. To
- understand the concept, you should think of &quot;free speech&quot;, not &quot;free
- beer.&quot;
-<P>&quot;Free software&quot; refers to the users' freedom to run, copy,
- distribute, study, change and improve the software.</P>
-</BLOCKQUOTE>
-<P>See also<A href="#GNU"> GNU</A>,<A href="#GPL"> GNU General Public
- License</A>, and<A href="http://www.fsf.org"> the FSF site</A>.</P>
-</DD>
-<DT>FreeS/WAN</DT>
-<DD>see<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A></DD>
-<DT><A name="fullnet">Fullnet</A></DT>
-<DD>The CIDR block containing all IPs of its IP version. The<A HREF="#IPv4">
- IPv4</A> fullnet is written 0.0.0.0/0. Also known as &quot;all&quot; and
- &quot;default&quot;, fullnet may be used in a routing table to specify a default
- route, and in a FreeS/WAN<A HREF="policygroups.html#policygroups">
- policy group</A> file to specify a default IPsec policy.</DD>
-<DT>FSF</DT>
-<DD>see<A href="#FSF"> Free software Foundation</A></DD>
-<DT><A name="G">G</A></DT>
-<DT><A name="GCHQ">GCHQ</A></DT>
-<DD><A href="http://www.gchq.gov.uk">Government Communications
- Headquarters</A>, the British organisation for<A href="#SIGINT">
- signals intelligence</A>.</DD>
-<DT>generator of a prime field</DT>
-<DD>see<A href="#dlog"> discrete logarithm problem</A></DD>
-<DT><A name="GILC">GILC</A></DT>
-<DD><A href="http://www.gilc.org">Global Internet Liberty Campaign</A>,
- an international organisation advocating, among other things, free
- availability of cryptography. They have a<A href="http://www.gilc.org/crypto/wassenaar">
- campaign</A> to remove cryptographic software from the<A href="#Wassenaar.gloss">
- Wassenaar Arrangement</A>.</DD>
-<DT>Global Internet Liberty Campaign</DT>
-<DD>see<A href="#GILC"> GILC</A>.</DD>
-<DT><A name="GTR">Global Trust Register</A></DT>
-<DD>An attempt to create something like a<A href="#rootCA"> root CA</A>
- for<A href="#PGP"> PGP</A> by publishing both<A href="biblio.html#GTR">
- as a book</A> and<A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
- on the web</A> the fingerprints of a set of verified keys for
- well-known users and organisations.</DD>
-<DT><A name="GMP">GMP</A></DT>
-<DD>The<B> G</B>NU<B> M</B>ulti-<B>P</B>recision library code, used in<A href="web.html#FreeSWAN">
- Linux FreeS/WAN</A> by<A href="#Pluto"> Pluto</A> for<A href="#public">
- public key</A> calculations. See the<A href="http://www.swox.com/gmp">
- GMP home page</A>.</DD>
-<DT><A name="GNU">GNU</A></DT>
-<DD><B>G</B>NU's<B> N</B>ot<B> U</B>nix, the<A href="#FSF"> Free
- Software Foundation's</A> project aimed at creating a free system with
- at least the capabilities of Unix.<A href="#Linux"> Linux</A> uses GNU
- utilities extensively.</DD>
-<DT><A name="#GOST">GOST</A></DT>
-<DD>a Soviet government standard<A href="#block"> block cipher</A>.<A href="biblio.html#schneier">
- Applied Cryptography</A> has details.</DD>
-<DT>GPG</DT>
-<DD>see<A href="#GPG"> GNU Privacy Guard</A></DD>
-<DT><A name="GPL">GNU General Public License</A>(GPL, copyleft)</DT>
-<DD>The license developed by the<A href="#FSF"> Free Software Foundation</A>
- under which<A href="#Linux"> Linux</A>,<A href="web.html#FreeSWAN">
- Linux FreeS/WAN</A> and many other pieces of software are distributed.
- The license allows anyone to redistribute and modify the code, but
- forbids anyone from distributing executables without providing access
- to source code. For more details see the file<A href="../COPYING">
- COPYING</A> included with GPLed source distributions, including ours,
- or<A href="http://www.fsf.org/copyleft/gpl.html"> the GNU site's GPL
- page</A>.</DD>
-<DT><A name="GPG">GNU Privacy Guard</A></DT>
-<DD>An open source implementation of Open<A href="#PGP"> PGP</A> as
- defined in RFC 2440. See their<A href="http://www.gnupg.org"> web site</A>
-</DD>
-<DT>GPL</DT>
-<DD>see<A href="#GPL"> GNU General Public License</A>.</DD>
-<DT><A name="H">H</A></DT>
-<DT><A name="hash">Hash</A></DT>
-<DD>see<A href="#digest"> message digest</A></DD>
-<DT><A name="HMAC">Hashed Message Authentication Code (HMAC)</A></DT>
-<DD>using keyed<A href="#digest"> message digest</A> functions to
- authenticate a message. This differs from other uses of these
- functions:
-<UL>
-<LI>In normal usage, the hash function's internal variable are
- initialised in some standard way. Anyone can reproduce the hash to
- check that the message has not been altered.</LI>
-<LI>For HMAC usage, you initialise the internal variables from the key.
- Only someone with the key can reproduce the hash. A successful check of
- the hash indicates not only that the message is unchanged but also that
- the creator knew the key.</LI>
-</UL>
-<P>The exact techniques used in<A href="#IPSEC"> IPsec</A> are defined
- in RFC 2104. They are referred to as HMAC-MD5-96 and HMAC-SHA-96
- because they output only 96 bits of the hash. This makes some attacks
- on the hash functions harder.</P>
-</DD>
-<DT>HMAC</DT>
-<DD>see<A href="#HMAC"> Hashed Message Authentication Code</A></DD>
-<DT>HMAC-MD5-96</DT>
-<DD>see<A href="#HMAC"> Hashed Message Authentication Code</A></DD>
-<DT>HMAC-SHA-96</DT>
-<DD>see<A href="#HMAC"> Hashed Message Authentication Code</A></DD>
-<DT><A name="hybrid">Hybrid cryptosystem</A></DT>
-<DD>A system using both<A href="#public"> public key</A> and<A href="#symmetric">
- symmetric cipher</A> techniques. This works well. Public key methods
- provide key management and<A href="#signature"> digital signature</A>
- facilities which are not readily available using symmetric ciphers. The
- symmetric cipher, however, can do the bulk of the encryption work much
- more efficiently than public key methods.</DD>
-<DT><A name="I">I</A></DT>
-<DT><A name="IAB">IAB</A></DT>
-<DD><A href="http://www.iab.org/iab">Internet Architecture Board</A>.</DD>
-<DT><A name="ICMP.gloss">ICMP</A></DT>
-<DD><STRONG>I</STRONG>nternet<STRONG> C</STRONG>ontrol<STRONG> M</STRONG>
-essage<STRONG> P</STRONG>rotocol. This is used for various IP-connected
- devices to manage the network.</DD>
-<DT><A name="IDEA">IDEA</A></DT>
-<DD><B>I</B>nternational<B> D</B>ata<B> E</B>ncrypion<B> A</B>lgorithm,
- developed in Europe as an alternative to exportable American ciphers
- such as<A href="#DES"> DES</A> which were<A href="politics.html#desnotsecure">
- too weak for serious use</A>. IDEA is a<A href="#block"> block cipher</A>
- using 64-bit blocks and 128-bit keys, and is used in products such as<A href="#PGP">
- PGP</A>.
-<P>IDEA is not required by the<A href="#IPSEC"> IPsec</A> RFCs and not
- currently used in<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A>.</P>
-<P>IDEA is patented and, with strictly limited exceptions for personal
- use, using it requires a license from<A href="http://www.ascom.com">
- Ascom</A>.</P>
-</DD>
-<DT><A name="IEEE">IEEE</A></DT>
-<DD><A href="http://www.ieee.org">Institute of Electrical and Electronic
- Engineers</A>, a professional association which, among other things,
- sets some technical standards</DD>
-<DT><A name="IESG">IESG</A></DT>
-<DD><A href="http://www.iesg.org">Internet Engineering Steering Group</A>
-.</DD>
-<DT><A name="IETF">IETF</A></DT>
-<DD><A href="http://www.ietf.org">Internet Engineering Task Force</A>,
- the umbrella organisation whose various working groups make most of the
- technical decisions for the Internet. The IETF<A href="http://www.ietf.org/html.charters/ipsec-charter.html">
- IPsec working group</A> wrote the<A href="rfc.html#RFC"> RFCs</A> we
- are implementing.</DD>
-<DT><A name="IKE">IKE</A></DT>
-<DD><B>I</B>nternet<B> K</B>ey<B> E</B>xchange, based on the<A href="#DH">
- Diffie-Hellman</A> key exchange protocol. For details, see RFC 2409 and
- our<A href="ipsec.html"> IPsec</A> document. IKE is implemented in<A href="web.html#FreeSWAN">
- Linux FreeS/WAN</A> by the<A href="#Pluto"> Pluto daemon</A>.</DD>
-<DT>IKE v2</DT>
-<DD>A proposed replacement for<A href="#IKE"> IKE</A>. There are other
- candidates, such as<A href="#JFK"> JFK</A>, and at time of writing
- (March 2002) the choice between them has not yet been made and does not
- appear imminent.</DD>
-<DT><A name="iOE">iOE</A></DT>
-<DD>See<A HREF="#initiate-only"> Initiate-only opportunistic encryption</A>
-.</DD>
-<DT><A name="IP">IP</A></DT>
-<DD><B>I</B>nternet<B> P</B>rotocol.</DD>
-<DT><A name="masq">IP masquerade</A></DT>
-<DD>A mostly obsolete term for a method of allowing multiple machines to
- communicate over the Internet when only one IP address is available for
- their use. The more current term is Network Address Translation or<A href="#NAT.gloss">
- NAT</A>.</DD>
-<DT><A name="IPng">IPng</A></DT>
-<DD>&quot;IP the Next Generation&quot;, see<A href="#ipv6.gloss"> IPv6</A>.</DD>
-<DT><A name="IPv4">IPv4</A></DT>
-<DD>The current version of the<A href="#IP"> Internet protocol suite</A>
-.</DD>
-<DT><A name="ipv6.gloss">IPv6 (IPng)</A></DT>
-<DD>Version six of the<A href="#IP"> Internet protocol suite</A>,
- currently being developed. It will replace the current<A href="#IPv4">
- version four</A>. IPv6 has<A href="#IPSEC"> IPsec</A> as a mandatory
- component.
-<P>See this<A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
- web site</A> for more details, and our<A href="compat.html#ipv6">
- compatibility</A> document for information on FreeS/WAN and the Linux
- implementation of IPv6.</P>
-</DD>
-<DT><A name="IPSEC">IPsec</A> or IPSEC</DT>
-<DD><B>I</B>nternet<B> P</B>rotocol<B> SEC</B>urity, security functions
- (<A href="#authentication">authentication</A> and<A href="#encryption">
- encryption</A>) implemented at the IP level of the protocol stack. It
- is optional for<A href="#IPv4"> IPv4</A> and mandatory for<A href="#ipv6.gloss">
- IPv6</A>.
-<P>This is the standard<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A>
- is implementing. For more details, see our<A href="ipsec.html"> IPsec
- Overview</A>. For the standards, see RFCs listed in our<A href="rfc.html#RFC">
- RFCs document</A>.</P>
-</DD>
-<DT><A name="IPX">IPX</A></DT>
-<DD>Novell's Netware protocol tunnelled over an IP link. Our<A href="firewall.html#user.scripts">
- firewalls</A> document includes an example of using this through an
- IPsec tunnel.</DD>
-<DT><A name="ISAKMP">ISAKMP</A></DT>
-<DD><B>I</B>nternet<B> S</B>ecurity<B> A</B>ssociation and<B> K</B>ey<B>
- M</B>anagement<B> P</B>rotocol, defined in RFC 2408.</DD>
-<DT><A name="ITAR">ITAR</A></DT>
-<DD><B>I</B>nternational<B> T</B>raffic in<B> A</B>rms<B> R</B>
-egulations, US regulations administered by the State Department which
- until recently limited export of, among other things, cryptographic
- technology and software. ITAR still exists, but the limits on
- cryptography have now been transferred to the<A href="#EAR"> Export
- Administration Regulations</A> under the Commerce Department's<A href="#BXA">
- Bureau of Export Administration</A>.</DD>
-<DT>IV</DT>
-<DD>see<A href="#IV"> Initialisation vector</A></DD>
-<DT><A name="IV">Initialisation Vector (IV)</A></DT>
-<DD>Some cipher<A href="#mode"> modes</A>, including the<A href="#CBC">
- CBC</A> mode which IPsec uses, require some extra data at the
- beginning. This data is called the initialisation vector. It need not
- be secret, but should be different for each message. Its function is to
- prevent messages which begin with the same text from encrypting to the
- same ciphertext. That might give an analyst an opening, so it is best
- prevented.</DD>
-<DT><A name="initiate-only">Initiate-only opportunistic encryption (iOE)</A>
-</DT>
-<DD>A form of<A HREF="#carpediem"> opportunistic encryption</A> (OE) in
- which a host proposes opportunistic connections, but lacks the reverse
- DNS records necessary to support incoming opportunistic connection
- requests. Common among hosts on cable or pppoe connections where the
- system administrator does not have write access to the DNS reverse map
- for the host's external IP.
-<P>Configuring for initiate-only opportunistic encryption is described
- in our<A href="quickstart.html#opp.client"> quickstart</A> document.</P>
-</DD>
-<DT><A name="J">J</A></DT>
-<DT><A name="JFK">JFK</A></DT>
-<DD><STRONG>J</STRONG>ust<STRONG> F</STRONG>ast<STRONG> K</STRONG>eying,
- a proposed simpler replacement for<A href="#IKE"> IKE.</A></DD>
-<DT><A name="K">K</A></DT>
-<DT><A name="kernel">Kernel</A></DT>
-<DD>The basic part of an operating system (e.g. Linux) which controls
- the hardware and provides services to all other programs.
-<P>In the Linux release numbering system, an even second digit as in 2.<STRONG>
-2</STRONG>.x indicates a stable or production kernel while an odd number
- as in 2.<STRONG>3</STRONG>.x indicates an experimental or development
- kernel. Most users should run a recent kernel version from the
- production series. The development kernels are primarily for people
- doing kernel development. Others should consider using development
- kernels only if they have an urgent need for some feature not yet
- available in production kernels.</P>
-</DD>
-<DT>Keyed message digest</DT>
-<DD>See<A href="#HMAC"> HMAC</A>.</DD>
-<DT>Key length</DT>
-<DD>see<A href="#brute"> brute force attack</A></DD>
-<DT><A name="KLIPS">KLIPS</A></DT>
-<DD><B>K</B>erne<B>l</B><B> IP</B><B> S</B>ecurity, the<A href="web.html#FreeSWAN">
- Linux FreeS/WAN</A> project's changes to the<A href="#Linux"> Linux</A>
- kernel to support the<A href="#IPSEC"> IPsec</A> protocols.</DD>
-<DT><A name="L">L</A></DT>
-<DT><A name="LDAP">LDAP</A></DT>
-<DD><B>L</B>ightweight<B> D</B>irectory<B> A</B>ccess<B> P</B>rotocol,
- defined in RFCs 1777 and 1778, a method of accessing information stored
- in directories. LDAP is used by several<A href="#PKI"> PKI</A>
- implementations, often with X.501 directories and<A href="#X509"> X.509</A>
- certificates. It may also be used by<A href="#IPSEC"> IPsec</A> to
- obtain key certifications from those PKIs. This is not yet implemented
- in<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A>.</DD>
-<DT><A name="LIBDES">LIBDES</A></DT>
-<DD>A publicly available library of<A href="#DES"> DES</A> code, written
- by Eric Young, which<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A>
- uses in both<A href="#KLIPS"> KLIPS</A> and<A href="#Pluto"> Pluto</A>.</DD>
-<DT><A name="Linux">Linux</A></DT>
-<DD>A freely available Unix-like operating system based on a kernel
- originally written for the Intel 386 architecture by (then) student
- Linus Torvalds. Once his 32-bit kernel was available, the<A href="#GNU">
- GNU</A> utilities made it a usable system and contributions from many
- others led to explosive growth.
-<P>Today Linux is a complete Unix replacement available for several CPU
- architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit SPARC
- and the 64-bit UltraSPARC, SrongARM, . . . -- with support for multiple
- CPUs on some architectures.</P>
-<P><A href="web.html#FreeSWAN">Linux FreeS/WAN</A> is intended to run on
- all CPUs supported by Linux and is known to work on several. See our<A href="compat.html#CPUs">
- compatibility</A> section for a list.</P>
-</DD>
-<DT><A name="FreeSWAN">Linux FreeS/WAN</A></DT>
-<DD>Our implementation of the<A href="#IPSEC"> IPsec</A> protocols,
- intended to be freely redistributable source code with<A href="#GPL"> a
- GNU GPL license</A> and no constraints under US or other<A href="politics.html#exlaw">
- export laws</A>. Linux FreeS/WAN is intended to interoperate with other<A
-href="#IPSEC"> IPsec</A> implementations. The name is partly taken, with
- permission, from the<A href="#SWAN"> S/WAN</A> multi-vendor IPsec
- compatability effort. Linux FreeS/WAN has two major components,<A href="#KLIPS">
- KLIPS</A> (KerneL IPsec Support) and the<A href="#Pluto"> Pluto</A>
- daemon which manages the whole thing.
-<P>See our<A href="ipsec.html"> IPsec section</A> for more detail. For
- the code see our<A href="http://freeswan.org"> primary site</A> or one
- of the mirror sites on<A href="intro.html#mirrors"> this list</A>.</P>
-</DD>
-<DT><A name="LSM">Linux Security Modules (LSM)</A></DT>
-<DD>a project to create an interface in the Linux kernel that supports
- plug-in modules for various security policies.
-<P>This allows multiple security projects to take different approaches
- to security enhancement without tying the kernel down to one particular
- approach. As I understand the history, several projects were pressing
- Linus to incorporate their changes, the various sets of changes were
- incompatible, and his answer was more-or-less &quot;a plague on all your
- houses; I'll give you an interface, but I won't incorporate anything&quot;.</P>
-<P>It seems to be working. There is a fairly active<A href="http://mail.wirex.com/mailman/listinfo/linux-security-module">
- LSM mailing list</A>, and several projects are already using the
- interface.</P>
-</DD>
-<DT>LSM</DT>
-<DD>see<A href="#LSM"> Linux Security Modules</A></DD>
-<DT><A name="M">M</A></DT>
-<DT><A name="list">Mailing list</A></DT>
-<DD>The<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A> project has
- several public email lists for bug reports and software development
- discussions. See our document on<A href="mail.html"> mailing lists</A>.</DD>
-<DT><A name="middle">Man-in-the-middle attack</A></DT>
-<DD>An<A href="#active"> active attack</A> in which the attacker
- impersonates each of the legitimate players in a protocol to the other.
-<P>For example, if<A href="#alicebob"> Alice and Bob</A> are negotiating
- a key via the<A href="#DH"> Diffie-Hellman</A> key agreement, and are
- not using<A href="#authentication"> authentication</A> to be certain
- they are talking to each other, then an attacker able to insert himself
- in the communication path can deceive both players.</P>
-<P>Call the attacker Mallory. For Bob, he pretends to be Alice. For
- Alice, he pretends to be Bob. Two keys are then negotiated,
- Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key
- they have is Alice-to-Bob.</P>
-<P>A message from Alice to Bob then goes to Mallory who decrypts it,
- reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key
- and sends it along to Bob. Bob decrypts successfully and sends a reply
- which Mallory decrypts, reads, re-encrypts and forwards to Alice.</P>
-<P>To make this attack effective, Mallory must</P>
-<UL>
-<LI>subvert some part of the network in some way that lets him carry out
- the deception
-<BR> possible targets: DNS, router, Alice or Bob's machine, mail server,
- ...</LI>
-<LI>beat any authentication mechanism Alice and Bob use
-<BR> strong authentication defeats the attack entirely; this is why<A href="#IKE">
- IKE</A> requires authentication</LI>
-<LI>work in real time, delivering messages without introducing a delay
- large enough to alert the victims
-<BR> not hard if Alice and Bob are using email; quite difficult in some
- situations.</LI>
-</UL>
-<P>If he manages it, however, it is devastating. He not only gets to
- read all the messages; he can alter messages, inject his own, forge
- anything he likes, . . . In fact, he controls the communication
- completely.</P>
-</DD>
-<DT><A name="mandatory">mandatory access control</A></DT>
-<DD>access control mechanisims which are not settable by the user (see<A href="#discretionary">
- discretionary access control</A>), but are enforced by the system.
-<P>For example, a document labelled &quot;secret, zebra&quot; might be readable
- only by someone with secret clearance working on Project Zebra.
- Ideally, the system will prevent any transfer outside those boundaries.
- For example, even if you can read it, you should not be able to e-mail
- it (unless the recipient is appropriately cleared) or print it (unless
- certain printers are authorised for that classification).</P>
-<P>Mandatory access control is a required feature for some levels of<A href="#rainbow">
- Rainbow Book</A> or<A href="#cc"> Common Criteria</A> classification,
- but has not been widely used outside the military and government. There
- is a good discussion of the issues in Anderson's<A href="biblio.html#anderson">
- Security Engineering</A>.</P>
-<P>The<A href="#SElinux"> Security Enhanced Linux</A> project is adding
- mandatory access control to Linux.</P>
-</DD>
-<DT><A name="manual">Manual keying</A></DT>
-<DD>An IPsec mode in which the keys are provided by the administrator.
- In FreeS/WAN, they are stored in /etc/ipsec.conf. The alternative,<A href="ipsec.html#auto">
- automatic keying</A>, is preferred in most cases. See this<A href="adv_config.html#man-auto">
- discussion</A>.</DD>
-<DT><A name="MD4">MD4</A></DT>
-<DD><A href="#digest">Message Digest Algorithm</A> Four from Ron Rivest
- of<A href="#RSAco"> RSA</A>. MD4 was widely used a few years ago, but
- is now considered obsolete. It has been replaced by its descendants<A href="#MD5">
- MD5</A> and<A href="#SHA"> SHA</A>.</DD>
-<DT><A name="MD5">MD5</A></DT>
-<DD><A href="#digest">Message Digest Algorithm</A> Five from Ron Rivest
- of<A href="#RSAco"> RSA</A>, an improved variant of his<A href="#MD4">
- MD4</A>. Like MD4, it produces a 128-bit hash. For details see RFC
- 1321.
-<P>MD5 is one of two message digest algorithms available in IPsec. The
- other is<A href="#SHA"> SHA</A>. SHA produces a longer hash and is
- therefore more resistant to<A href="#birthday"> birthday attacks</A>,
- but this is not a concern for IPsec. The<A href="#HMAC"> HMAC</A>
- method used in IPsec is secure even if the underlying hash is not
- particularly strong against this attack.</P>
-<P>Hans Dobbertin found a weakness in MD5, and people often ask whether
- this means MD5 is unsafe for IPsec. It doesn't. The IPsec RFCs discuss
- Dobbertin's attack and conclude that it does not affect MD5 as used for
- HMAC in IPsec.</P>
-</DD>
-<DT><A name="meet">Meet-in-the-middle attack</A></DT>
-<DD>A divide-and-conquer attack which breaks a cipher into two parts,
- works against each separately, and compares results. Probably the best
- known example is an attack on double DES. This applies in principle to
- any pair of block ciphers, e.g. to an encryption system using, say,
- CAST-128 and Blowfish, but we will describe it for double DES.
-<P>Double DES encryption and decryption can be written:</P>
-<PRE>        C = E(k2,E(k1,P))
-        P = D(k1,D(k2,C))</PRE>
-<P>Where C is ciphertext, P is plaintext, E is encryption, D is
- decryption, k1 is one key, and k2 is the other key. If we know a P, C
- pair, we can try and find the keys with a brute force attack, trying
- all possible k1, k2 pairs. Since each key is 56 bits, there are 2<SUP>
-112</SUP> such pairs and this attack is painfully inefficient.</P>
-<P>The meet-in-the middle attack re-writes the equations to calculate a
- middle value M:</P>
-<PRE>        M = E(k1,P)
-        M = D(k2,C)</PRE>
-<P>Now we can try some large number of D(k2,C) decryptions with various
- values of k2 and store the results in a table. Then start doing E(k1,P)
- encryptions, checking each result to see if it is in the table.</P>
-<P>With enough table space, this breaks double DES with<NOBR> 2<SUP>56</SUP>
- + 2<SUP>56</SUP> = 2<SUP>57</SUP>work. Against triple DES, you need<NOBR>
- 2<SUP>56</SUP> + 2<SUP>112</SUP> ~= 2<SUP>112</SUP>.</P>
-<P>The memory requirements for such attacks can be prohibitive, but
- there is a whole body of research literature on methods of reducing
- them.</P>
-</DD>
-<DT><A name="digest">Message Digest Algorithm</A></DT>
-<DD>An algorithm which takes a message as input and produces a hash or
- digest of it, a fixed-length set of bits which depend on the message
- contents in some highly complex manner. Design criteria include making
- it extremely difficult for anyone to counterfeit a digest or to change
- a message without altering its digest. One essential property is<A href="#collision">
- collision resistance</A>. The main applications are in message<A href="#authentication">
- authentication</A> and<A href="#signature"> digital signature</A>
- schemes. Widely used algorithms include<A href="#MD5"> MD5</A> and<A href="#SHA">
- SHA</A>. In IPsec, message digests are used for<A href="#HMAC"> HMAC</A>
- authentication of packets.</DD>
-<DT><A name="MTU">MTU</A></DT>
-<DD><STRONG>M</STRONG>aximum<STRONG> T</STRONG>ransmission<STRONG> U</STRONG>
-nit, the largest size of packet that can be sent over a link. This is
- determined by the underlying network, but must be taken account of at
- the IP level.
-<P>IP packets, which can be up to 64K bytes each, must be packaged into
- lower-level packets of the appropriate size for the underlying
- network(s) and re-assembled on the other end. When a packet must pass
- over multiple networks, each with its own MTU, and many of the MTUs are
- unknown to the sender, this becomes a fairly complex problem. See<A href="#pathMTU">
- path MTU discovery</A> for details.</P>
-<P>Often the MTU is a few hundred bytes on serial links and 1500 on
- Ethernet. There are, however, serial link protocols which use a larger
- MTU to avoid fragmentation at the ethernet/serial boundary, and newer
- (especially gigabit) Ethernet networks sometimes support much larger
- packets because these are more efficient in some applications.</P>
-</DD>
-<DT><A name="N">N</A></DT>
-<DT><A name="NAI">NAI</A></DT>
-<DD><A href="http://www.nai.com">Network Associates</A>, a conglomerate
- formed from<A href="#PGPI"> PGP Inc.</A>, TIS (Trusted Information
- Systems, a firewall vendor) and McAfee anti-virus products. Among other
- things, they offer an IPsec-based VPN product.</DD>
-<DT><A name="NAT.gloss">NAT</A></DT>
-<DD><B>N</B>etwork<B> A</B>ddress<B> T</B>ranslation, a process by which
- firewall machines may change the addresses on packets as they go
- through. For discussion, see our<A href="background.html#nat.background">
- background</A> section.</DD>
-<DT><A name="NIST">NIST</A></DT>
-<DD>The US<A href="http://www.nist.gov"> National Institute of Standards
- and Technology</A>, responsible for<A href="#FIPS"> FIPS standards</A>
- including<A href="#DES"> DES</A> and its replacement,<A href="#AES">
- AES</A>.</DD>
-<DT><A name="nonce">Nonce</A></DT>
-<DD>A<A href="#random"> random</A> value used in an<A href="#authentication">
- authentication</A> protocol.</DD>
-<DT></DT>
-<DT><A name="non-routable">Non-routable IP address</A></DT>
-<DD>An IP address not normally allowed in the &quot;to&quot; or &quot;from&quot; IP address
- field header of IP packets.
-<P>Almost invariably, the phrase &quot;non-routable address&quot; means one of the
- addresses reserved by RFC 1918 for private networks:</P>
-<UL>
-<LI>10.anything</LI>
-<LI>172.x.anything with 16 &lt;= x &lt;= 31</LI>
-<LI>192.168.anything</LI>
-</UL>
-<P>These addresses are commonly used on private networks, e.g. behind a
- Linux machines doing<A href="#masq"> IP masquerade</A>. Machines within
- the private network can address each other with these addresses. All
- packets going outside that network, however, have these addresses
- replaced before they reach the Internet.</P>
-<P>If any packets using these addresses do leak out, they do not go far.
- Most routers automatically discard all such packets.</P>
-<P>Various other addresses -- the 127.0.0.0/8 block reserved for local
- use, 0.0.0.0, various broadcast and network addresses -- cannot be
- routed over the Internet, but are not normally included in the meaning
- when the phrase &quot;non-routable address&quot; is used.</P>
-</DD>
-<DT><A name="NSA">NSA</A></DT>
-<DD>The US<A href="http://www.nsa.gov"> National Security Agency</A>,
- the American organisation for<A href="#SIGINT"> signals intelligence</A>
-, the protection of US government messages and the interception and
- analysis of other messages. For details, see Bamford's<A href="biblio.html#puzzle">
- &quot;The Puzzle Palace&quot;</A>.
-<P>Some<A href="http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/index.html">
- history of NSA</A> documents were declassified in response to a FOIA
- (Freedom of Information Act) request.</P>
-</DD>
-<DT><A name="O">O</A></DT>
-<DT><A name="oakley">Oakley</A></DT>
-<DD>A key determination protocol, defined in RFC 2412.</DD>
-<DT>Oakley groups</DT>
-<DD>The groups used as the basis of<A href="#DH"> Diffie-Hellman</A> key
- exchange in the Oakley protocol, and in<A href="#IKE"> IKE</A>. Four
- were defined in the original RFC, and a fifth has been<A href="http://www.lounge.org/ike_doi_errata.html">
- added since</A>.
-<P>Linux FreeS/WAN currently supports the three groups based on finite
- fields modulo a prime (Groups 1, 2 and 5) and does not support the
- elliptic curve groups (3 and 4). For a description of the difference of
- the types, see<A href="#dlog"> discrete logarithms</A>.</P>
-</DD>
-<DT><A name="OTP">One time pad</A></DT>
-<DD>A cipher in which the key is:
-<UL>
-<LI>as long as the total set of messages to be enciphered</LI>
-<LI>absolutely<A href="#random"> random</A></LI>
-<LI>never re-used</LI>
-</UL>
-<P>Given those three conditions, it can easily be proved that the cipher
- is perfectly secure, in the sense that an attacker with intercepted
- message in hand has no better chance of guessing the message than an
- attacker who has not intercepted the message and only knows the message
- length. No such proof exists for any other cipher.</P>
-<P>There are, however, several problems with this &quot;perfect&quot; cipher.</P>
-<P>First, it is<STRONG> wildly impractical</STRONG> for most
- applications. Key management is at best difficult, often completely
- impossible.</P>
-<P>Second, it is<STRONG> extremely fragile</STRONG>. Small changes which
- violate the conditions listed above do not just weaken the cipher
- liitle. Quite often they destroy its security completely.</P>
-<UL>
-<LI>Re-using the pad weakens the cipher to the point where it can be
- broken with pencil and paper. With a computer, the attack is trivially
- easy.</LI>
-<LI>Using<EM> anything</EM> less than truly<A href="#random"> random</A>
- numbers<EM> completely</EM> invalidates the security proof.</LI>
-<LI>In particular, using computer-generated pseudo-random numbers may
- give an extremely weak cipher. It might also produce a good stream
- cipher, if the pseudo-random generator is both well-designed and
- properely seeded.</LI>
-</UL>
-<P>Marketing claims about the &quot;unbreakable&quot; security of various products
- which somewhat resemble one-time pads are common. Such claims are one
- of the surest signs of cryptographic<A href="#snake"> snake oil</A>;
- most systems marketed with such claims are worthless.</P>
-<P>Finally, even if the system is implemented and used correctly, it is<STRONG>
- highly vulnerable to a substitution attack</STRONG>. If an attacker
- knows some plaintext and has an intercepted message, he can discover
- the pad.</P>
-<UL>
-<LI>This does not matter if the attacker is just a<A href="#passive">
- passive</A> eavesdropper. It gives him no plaintext he didn't already
- know and we don't care that he learns a pad which we will never re-use.</LI>
-<LI>However, an<A href="#active"> active</A> attacker who knows the
- plaintext can recover the pad, then use it to encode with whatever he
- chooses. If he can get his version delivered instead of yours, this may
- be a disaster. If you send &quot;attack at dawn&quot;, the delivered message can
- be anything the same length -- perhaps &quot;retreat to east&quot; or &quot;shoot
- generals&quot;.</LI>
-<LI>An active attacker with only a reasonable guess at the plaintext can
- try the same attack. If the guess is correct, this works and the
- attacker's bogus message is delivered. If the guess is wrong, a garbled
- message is delivered.</LI>
-</UL>
-<P>In general then, despite its theoretical perfection, the one-time-pad
- has very limited practical application.</P>
-<P>See also the<A href="http://pubweb.nfr.net/~mjr/pubs/otpfaq/"> one
- time pad FAQ</A>.</P>
-</DD>
-<DT><A name="carpediem">Opportunistic encryption (OE)</A></DT>
-<DD>A situation in which any two IPsec-aware machines can secure their
- communications, without a pre-shared secret and without a common<A href="#PKI">
- PKI</A> or previous exchange of public keys. This is one of the goals
- of the Linux FreeS/WAN project, discussed in our<A href="intro.html#goals">
- introduction</A> section.
-<P>Setting up for opportunistic encryption is described in our<A href="quickstart.html#quickstart">
- quickstart</A> document.</P>
-</DD>
-<DT><A name="responder">Opportunistic responder</A></DT>
-<DD>A host which accepts, but does not initiate, requests for<A HREF="#carpediem">
- opportunistic encryption</A> (OE). An opportunistic responder has
- enabled OE in its<A HREF="#passive.OE"> passive</A> form (pOE) only. A
- web server or file server may be usefully set up as an opportunistic
- responder.
-<P>Configuring passive OE is described in our<A href="policygroups.html#policygroups">
- policy groups</A> document.</P>
-</DD>
-<DT><A name="orange">Orange book</A></DT>
-<DD>the most basic and best known of the US government's<A href="#rainbow">
- Rainbow Book</A> series of computer security standards.</DD>
-<DT><A name="P">P</A></DT>
-<DT><A name="P1363">P1363 standard</A></DT>
-<DD>An<A href="#IEEE"> IEEE</A> standard for public key cryptography.<A href="http://grouper.ieee.org/groups/1363">
- Web page</A>.</DD>
-<DT><A name="pOE">pOE</A></DT>
-<DD>See<A href="#passive.OE"> Passive opportunistic encryption</A>.</DD>
-<DT><A name="passive">Passive attack</A></DT>
-<DD>An attack in which the attacker only eavesdrops and attempts to
- analyse intercepted messages, as opposed to an<A href="#active"> active
- attack</A> in which he diverts messages or generates his own.</DD>
-<DT><A name="passive.OE">Passive opportunistic encryption (pOE)</A></DT>
-<DD>A form of<A HREF="#carpediem"> opportunistic encryption</A> (OE) in
- which the host will accept opportunistic connection requests, but will
- not initiate such requests. A host which runs OE in its passive form
- only is known as an<A HREF="#responder"> opportunistic responder</A>.
-<P>Configuring passive OE is described in our<A href="policygroups.html#policygroups">
- policy groups</A> document.</P>
-</DD>
-<DT><A name="pathMTU">Path MTU discovery</A></DT>
-<DD>The process of discovering the largest packet size which all links
- on a path can handle without fragmentation -- that is, without any
- router having to break the packet up into smaller pieces to match the<A href="#MTU">
- MTU</A> of its outgoing link.
-<P>This is done as follows:</P>
-<UL>
-<LI>originator sends the largest packets allowed by<A href="#MTU"> MTU</A>
- of the first link, setting the DF (<STRONG>d</STRONG>on't<STRONG> f</STRONG>
-ragment) bit in the packet header</LI>
-<LI>any router which cannot send the packet on (outgoing MTU is too
- small for it, and DF prevents fragmenting it to match) sends back an<A href="#ICMP.gloss">
- ICMP</A> packet reporting the problem</LI>
-<LI>originator looks at ICMP message and tries a smaller size</LI>
-<LI>eventually, you settle on a size that can pass all routers</LI>
-<LI>thereafter, originator just sends that size and no-one has to
- fragment</LI>
-</UL>
-<P>Since this requires co-operation of many systems, and since the next
- packet may travel a different path, this is one of the trickier areas
- of IP programming. Bugs that have shown up over the years have
- included:</P>
-<UL>
-<LI>malformed ICMP messages</LI>
-<LI>hosts that ignore or mishandle these ICMP messages</LI>
-<LI>firewalls blocking the ICMP messages so host does not see them</LI>
-</UL>
-<P>Since IPsec adds a header, it increases packet size and may require
- fragmentation even where incoming and outgoing MTU are equal.</P>
-</DD>
-<DT><A name="PFS">Perfect forward secrecy (PFS)</A></DT>
-<DD>A property of systems such as<A href="#DH"> Diffie-Hellman</A> key
- exchange which use a long-term key (such as the shared secret in IKE)
- and generate short-term keys as required. If an attacker who acquires
- the long-term key<EM> provably</EM> can
-<UL>
-<LI><EM>neither</EM> read previous messages which he may have archived</LI>
-<LI><EM>nor</EM> read future messages without performing additional
- successful attacks</LI>
-</UL>
-<P>then the system has PFS. The attacker needs the short-term keys in
- order to read the trafiic and merely having the long-term key does not
- allow him to infer those. Of course, it may allow him to conduct
- another attack (such as<A href="#middle"> man-in-the-middle</A>) which
- gives him some short-term keys, but he does not automatically get them
- just by acquiring the long-term key.</P>
-<P>See also<A href="http://sandelman.ottawa.on.ca/ipsec/1996/08/msg00123.html">
- Phil Karn's definition</A>.</P>
-</DD>
-<DT>PFS</DT>
-<DD>see Perfect Forward Secrecy</DD>
-<DT><A name="PGP">PGP</A></DT>
-<DD><B>P</B>retty<B> G</B>ood<B> P</B>rivacy, a personal encryption
- system for email based on public key technology, written by Phil
- Zimmerman.
-<P>The 2.xx versions of PGP used the<A href="#RSA"> RSA</A> public key
- algorithm and used<A href="#IDEA"> IDEA</A> as the symmetric cipher.
- These versions are described in RFC 1991 and in<A href="#PGP">
- Garfinkel's book</A>. Since version 5, the products from<A href="#PGPI">
- PGP Inc</A>. have used<A href="#DH"> Diffie-Hellman</A> public key
- methods and<A href="#CAST128"> CAST-128</A> symmetric encryption. These
- can verify signatures from the 2.xx versions, but cannot exchange
- encryted messages with them.</P>
-<P>An<A href="mail.html#IETF"> IETF</A> working group has issued RFC
- 2440 for an &quot;Open PGP&quot; standard, similar to the 5.x versions. PGP Inc.
- staff were among the authors. A free<A href="#GPG"> Gnu Privacy Guard</A>
- based on that standard is now available.</P>
-<P>For more information on PGP, including how to obtain it, see our
- cryptography<A href="web.html#tools"> links</A>.</P>
-</DD>
-<DT><A name="PGPI">PGP Inc.</A></DT>
-<DD>A company founded by Zimmerman, the author of<A href="#PGP"> PGP</A>
-, now a division of<A href="#NAI"> NAI</A>. See the<A href="http://www.pgp.com">
- corporate website</A>. Zimmerman left in 2001, and early in 2002 NAI
- announced that they would no longer sell PGP..
-<P>Versions 6.5 and later of the PGP product include PGPnet, an IPsec
- client for Macintosh or for Windows 95/98/NT. See our<A href="interop.html#pgpnet">
- interoperation documen</A>t.</P>
-</DD>
-<DT><A name="photuris">Photuris</A></DT>
-<DD>Another key negotiation protocol, an alternative to<A href="#IKE">
- IKE</A>, described in RFCs 2522 and 2523.</DD>
-<DT><A name="PPP">PPP</A></DT>
-<DD><B>P</B>oint-to-<B>P</B>oint<B> P</B>rotocol, originally a method of
- connecting over modems or serial lines, but see also PPPoE.</DD>
-<DT><A name="PPPoE">PPPoE</A></DT>
-<DD><B>PPP</B><B> o</B>ver<B> E</B>thernet, a somewhat odd protocol that
- makes Ethernet look like a point-to-point serial link. It is widely
- used for cable or ADSL Internet services, apparently mainly because it
- lets the providers use access control and address assignmment
- mechanisms developed for dialup networks.<A href="http://www.roaringpenguin.com">
- Roaring Penguin</A> provide a widely used Linux implementation.</DD>
-<DT><A name="PPTP">PPTP</A></DT>
-<DD><B>P</B>oint-to-<B>P</B>oint<B> T</B>unneling<B> P</B>rotocol, used
- in some Microsoft VPN implementations. Papers discussing weaknesses in
- it are on<A href="http://www.counterpane.com/publish.html">
- counterpane.com</A>. It is now largely obsolete, replaced by L2TP.</DD>
-<DT><A name="PKI">PKI</A></DT>
-<DD><B>P</B>ublic<B> K</B>ey<B> I</B>nfrastructure, the things an
- organisation or community needs to set up in order to make<A href="#public">
- public key</A> cryptographic technology a standard part of their
- operating procedures.
-<P>There are several PKI products on the market. Typically they use a
- hierarchy of<A href="#CA"> Certification Authorities (CAs)</A>. Often
- they use<A href="#LDAP"> LDAP</A> access to<A href="#X509"> X.509</A>
- directories to implement this.</P>
-<P>See<A href="#web"> Web of Trust</A> for a different sort of
- infrastructure.</P>
-</DD>
-<DT><A name="PKIX">PKIX</A></DT>
-<DD><B>PKI</B> e<B>X</B>change, an<A href="mail.html#IETF"> IETF</A>
- standard that allows<A href="#PKI"> PKI</A>s to talk to each other.
-<P>This is required, for example, when users of a corporate PKI need to
- communicate with people at client, supplier or government
- organisations, any of which may have a different PKI in place. I should
- be able to talk to you securely whenever:</P>
-<UL>
-<LI>your organisation and mine each have a PKI in place</LI>
-<LI>you and I are each set up to use those PKIs</LI>
-<LI>the two PKIs speak PKIX</LI>
-<LI>the configuration allows the conversation</LI>
-</UL>
-<P>At time of writing (March 1999), this is not yet widely implemented
- but is under quite active development by several groups.</P>
-</DD>
-<DT><A name="plaintext">Plaintext</A></DT>
-<DD>The unencrypted input to a cipher, as opposed to the encrypted<A href="#ciphertext">
- ciphertext</A> output.</DD>
-<DT><A name="Pluto">Pluto</A></DT>
-<DD>The<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A> daemon which
- handles key exchange via the<A href="#IKE"> IKE</A> protocol,
- connection negotiation, and other higher-level tasks. Pluto calls the<A href="#KLIPS">
- KLIPS</A> kernel code as required. For details, see the manual page
- ipsec_pluto(8).</DD>
-<DT><A name="public">Public Key Cryptography</A></DT>
-<DD>In public key cryptography, keys are created in matched pairs.
- Encrypt with one half of a pair and only the matching other half can
- decrypt it. This contrasts with<A href="#symmetric"> symmetric or
- secret key cryptography</A> in which a single key known to both parties
- is used for both encryption and decryption.
-<P>One half of each pair, called the public key, is made public. The
- other half, called the private key, is kept secret. Messages can then
- be sent by anyone who knows the public key to the holder of the private
- key. Encrypt with the public key and you know that only someone with
- the matching private key can decrypt.</P>
-<P>Public key techniques can be used to create<A href="#signature">
- digital signatures</A> and to deal with key management issues, perhaps
- the hardest part of effective deployment of<A href="#symmetric">
- symmetric ciphers</A>. The resulting<A href="#hybrid"> hybrid
- cryptosystems</A> use public key methods to manage keys for symmetric
- ciphers.</P>
-<P>Many organisations are currently creating<A href="#PKI"> PKIs, public
- key infrastructures</A> to make these benefits widely available.</P>
-</DD>
-<DT>Public Key Infrastructure</DT>
-<DD>see<A href="#PKI"> PKI</A></DD>
-<DT><A name="Q">Q</A></DT>
-<DT><A name="R">R</A></DT>
-<DT><A name="rainbow">Rainbow books</A></DT>
-<DD>A set of US government standards for evaluation of &quot;trusted computer
- systems&quot;, of which the best known was the<A href="#orange"> Orange Book</A>
-. One fairly often hears references to &quot;C2 security&quot; or a product
- &quot;evaluated at B1&quot;. The Rainbow books define the standards referred to
- in those comments.
-<P>See this<A href="http://www.fas.org/irp/nsa/rainbow.htm"> reference
- page</A>.</P>
-<P>The Rainbow books are now mainly obsolete, replaced by the
- international<A href="#cc"> Common Criteria</A> standards.</P>
-</DD>
-<DT><A name="random">Random</A></DT>
-<DD>A remarkably tricky term, far too much so for me to attempt a
- definition here. Quite a few cryptosystems have been broken via attacks
- on weak random number generators, even when the rest of the system was
- sound.
-<P>See<A href="http://nis.nsf.net/internet/documents/rfc/rfc1750.txt">
- RFC 1750</A> for the theory.</P>
-<P>See the manual pages for<A href="manpage.d/ipsec_ranbits.8.html">
- ipsec_ranbits(8)</A> and ipsec_prng(3) for more on FreeS/WAN's use of
- randomness. Both depend on the random(4) device driver..</P>
-<P>A couple of years ago, there was extensive mailing list discussion
- (archived<A href="http://www.openpgp.net/random/index.html"> here</A>
-)of Linux /dev/random and FreeS/WAN. Since then, the design of the
- random(4) driver has changed considerably. Linux 2.4 kernels have the
- new driver..</P>
-</DD>
-<DT>Raptor</DT>
-<DD>A firewall product for Windows NT offerring IPsec-based VPN
- services. Linux FreeS/WAN interoperates with Raptor; see our<A href="interop.html#Raptor">
- interop</A> document for details. Raptor have recently merged with
- Axent.</DD>
-<DT><A name="RC4">RC4</A></DT>
-<DD><B>R</B>ivest<B> C</B>ipher four, designed by Ron Rivest of<A href="#RSAco">
- RSA</A> and widely used. Believed highly secure with adequate key
- length, but often implemented with inadequate key length to comply with
- export restrictions.</DD>
-<DT><A name="RC6">RC6</A></DT>
-<DD><B>R</B>ivest<B> C</B>ipher six,<A href="#RSAco"> RSA</A>'s<A href="#AES">
- AES</A> candidate cipher.</DD>
-<DT><A name="replay">Replay attack</A></DT>
-<DD>An attack in which the attacker records data and later replays it in
- an attempt to deceive the recipient.</DD>
-<DT><A name="reverse">Reverse map</A></DT>
-<DD>In<A href="ipsec.html#DNS"> DNS</A>, a table where IP addresses can
- be used as the key for lookups which return a system name and/or other
- information.</DD>
-<DT>RFC</DT>
-<DD><B>R</B>equest<B> F</B>or<B> C</B>omments, an Internet document.
- Some RFCs are just informative. Others are standards.
-<P>Our list of<A href="#IPSEC"> IPsec</A> and other security-related
- RFCs is<A href="rfc.html#RFC"> here</A>, along with information on
- methods of obtaining them.</P>
-</DD>
-<DT><A name="rijndael">Rijndael</A></DT>
-<DD>a<A href="#block"> block cipher</A> designed by two Belgian
- cryptographers, winner of the US government's<A href="#AES"> AES</A>
- contest to pick a replacement for<A href="#DES"> DES</A>. See the<A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael">
- Rijndael home page</A>.</DD>
-<DT><A name="RIPEMD">RIPEMD</A></DT>
-<DD>A<A href="#digest"> message digest</A> algorithm. The current
- version is RIPEMD-160 which gives a 160-bit hash.</DD>
-<DT><A name="rootCA">Root CA</A></DT>
-<DD>The top level<A href="#CA"> Certification Authority</A> in a
- hierachy of such authorities.</DD>
-<DT><A name="routable">Routable IP address</A></DT>
-<DD>Most IP addresses can be used as &quot;to&quot; and &quot;from&quot; addresses in packet
- headers. These are the routable addresses; we expect routing to be
- possible for them. If we send a packet to one of them, we expect (in
- most cases; there are various complications) that it will be delivered
- if the address is in use and will cause an<A href="#ICMP.gloss"> ICMP</A>
- error packet to come back to us if not.
-<P>There are also several classes of<A href="#non-routable">
- non-routable</A> IP addresses.</P>
-</DD>
-<DT><A name="RSA">RSA algorithm</A></DT>
-<DD><B>R</B>ivest<B> S</B>hamir<B> A</B>dleman<A href="#public"> public
- key</A> algorithm, named for its three inventors. It is widely used and
- likely to become moreso since it became free of patent encumbrances in
- September 2000.
-<P>RSA can be used to provide either<A href="#encryption"> encryption</A>
- or<A href="#signature"> digital signatures</A>. In IPsec, it is used
- only for signatures. These provide gateway-to-gateway<A href="#authentication">
- authentication</A> for<A href="#IKE"> IKE</A> negotiations.</P>
-<P>For a full explanation of the algorithm, consult one of the standard
- references such as<A href="biblio.html#schneier"> Applied Cryptography</A>
-. A simple explanation is:</P>
-<P>The great 17th century French mathematician<A href="http://www-groups.dcs.st-andrews.ac.uk/~history/Mathematicians/Fermat.html">
- Fermat</A> proved that,</P>
-<P>for any prime p and number x, 0 &lt;= x &lt; p:</P>
-<PRE>        x^p == x         modulo p
-        x^(p-1) == 1     modulo p, non-zero x
-      </PRE>
-<P>From this it follows that if we have a pair of primes p, q and two
- numbers e, d such that:</P>
-<PRE>        ed == 1          modulo lcm( p-1, q-1)
-      </PRE>
- where lcm() is least common multiple, then
-<BR> for all x, 0 &lt;= x &lt; pq:
-<PRE>      x^ed == x           modulo pq
-      </PRE>
-<P>So we construct such as set of numbers p, q, e, d and publish the
- product N=pq and e as the public key. Using c for<A href="#ciphertext">
- ciphertext</A> and i for the input<A href="#plaintext"> plaintext</A>,
- encryption is then:</P>
-<PRE>        c = i^e           modulo N
-      </PRE>
-<P>An attacker cannot deduce i from the cyphertext c, short of either
- factoring N or solving the<A href="#dlog"> discrete logarithm</A>
- problem for this field. If p, q are large primes (hundreds or thousands
- of bits) no efficient solution to either problem is known.</P>
-<P>The receiver, knowing the private key (N and d), can readily recover
- the plaintext p since:</P>
-<PRE>        c^d == (i^e)^d    modulo N
-            == i^ed       modulo N
-            == i          modulo N
-      </PRE>
-<P>This gives an effective public key technique, with only a couple of
- problems. It uses a good deal of computer time, since calculations with
- large integers are not cheap, and there is no proof it is necessarily
- secure since no-one has proven either factoring or discrete log cannot
- be done efficiently. Quite a few good mathematicians have tried both
- problems, and no-one has announced success, but there is no proof they
- are insoluble.</P>
-</DD>
-<DT><A name="RSAco">RSA Data Security</A></DT>
-<DD>A company founded by the inventors of the<A href="#RSA"> RSA</A>
- public key algorithm.</DD>
-<DT><A name="S">S</A></DT>
-<DT><A name="SA">SA</A></DT>
-<DD><B>S</B>ecurity<B> A</B>ssociation, the channel negotiated by the
- higher levels of an<A href="#IPSEC"> IPsec</A> implementation (<A href="#IKE">
-IKE</A>) and used by the lower (<A href="#ESP">ESP</A> and<A href="#AH">
- AH</A>). SAs are unidirectional; you need a pair of them for two-way
- communication.
-<P>An SA is defined by three things -- the destination, the protocol (<A href="#AH">
-AH</A> or<A href="#ESP">ESP</A>) and the<A href="SPI"> SPI</A>, security
- parameters index. It is used as an index to look up other things such
- as session keys and intialisation vectors.</P>
-<P>For more detail, see our section on<A href="ipsec.html"> IPsec</A>
- and/or RFC 2401.</P>
-</DD>
-<DT><A name="SElinux">SE Linux</A></DT>
-<DD><STRONG>S</STRONG>ecurity<STRONG> E</STRONG>nhanced Linux, an<A href="#NSA">
- NSA</A>-funded project to add<A href="#mandatory"> mandatory access
- control</A> to Linux. See the<A href="http://www.nsa.gov/selinux">
- project home page</A>.
-<P>According to their web pages, this work will include extending
- mandatory access controls to IPsec tunnels.</P>
-<P>Recent versions of SE Linux code use the<A href="#LSM"> Linux
- Security Module</A> interface.</P>
-</DD>
-<DT><A name="SDNS">Secure DNS</A></DT>
-<DD>A version of the<A href="ipsec.html#DNS"> DNS or Domain Name Service</A>
- enhanced with authentication services. This is being designed by the<A href="mail.html#IETF">
- IETF</A> DNS security<A href="http://www.ietf.org/ids.by.wg/dnssec.html">
- working group</A>. Check the<A href="http://www.isc.org/bind.html">
- Internet Software Consortium</A> for information on implementation
- progress and for the latest version of<A href="#BIND"> BIND</A>.
- Another site has<A href="http://www.toad.com/~dnssec"> more information</A>
-.
-<P><A href="#IPSEC">IPsec</A> can use this plus<A href="#DH">
- Diffie-Hellman key exchange</A> to bootstrap itself. This allows<A href="#carpediem">
- opportunistic encryption</A>. Any pair of machines which can
- authenticate each other via DNS can communicate securely, without
- either a pre-existing shared secret or a shared<A href="#PKI"> PKI</A>.</P>
-</DD>
-<DT>Secret key cryptography</DT>
-<DD>See<A href="#symmetric"> symmetric cryptography</A></DD>
-<DT>Security Association</DT>
-<DD>see<A href="#SA"> SA</A></DD>
-<DT>Security Enhanced Linux</DT>
-<DD>see<A href="#SElinux"> SE Linux</A></DD>
-<DT><A name="sequence">Sequence number</A></DT>
-<DD>A number added to a packet or message which indicates its position
- in a sequence of packets or messages. This provides some security
- against<A href="#replay"> replay attacks</A>.
-<P>For<A href="ipsec.html#auto"> automatic keying</A> mode, the<A href="#IPSEC">
- IPsec</A> RFCs require that the sender generate sequence numbers for
- each packet, but leave it optional whether the receiver does anything
- with them.</P>
-</DD>
-<DT><A name="SHA">SHA</A></DT>
-<DT>SHA-1</DT>
-<DD><B>S</B>ecure<B> H</B>ash<B> A</B>lgorithm, a<A href="#digest">
- message digest algorithm</A> developed by the<A href="#NSA"> NSA</A>
- for use in the Digital Signature standard,<A href="#FIPS"> FIPS</A>
- number 186 from<A href="#NIST"> NIST</A>. SHA is an improved variant of<A
-href="#MD4"> MD4</A> producing a 160-bit hash.
-<P>SHA is one of two message digest algorithms available in IPsec. The
- other is<A href="#MD5"> MD5</A>. Some people do not trust SHA because
- it was developed by the<A href="#NSA"> NSA</A>. There is, as far as we
- know, no cryptographic evidence that SHA is untrustworthy, but this
- does not prevent that view from being strongly held.</P>
-<P>The NSA made one small change after the release of the original SHA.
- They did not give reasons. Iit may be a defense against some attack
- they found and do not wish to disclose. Technically the modified
- algorithm should be called SHA-1, but since it has replaced the
- original algorithm in nearly all applications, it is generally just
- referred to as SHA..</P>
-</DD>
-<DT><A name="SHA-256">SHA-256</A></DT>
-<DT>SHA-384</DT>
-<DT>SHA-512</DT>
-<DD>Newer variants of SHA designed to match the strength of the 128, 192
- and 256-bit keys of<A href="#AES"> AES</A>. The work to break an
- encryption algorithm's strength by<A href="#brute"> brute force</A> is
- 2
-<!--math xmlns="http://www.w3.org/1998/Math/MathML"-->
-
-<!--msup-->
-
-<!--mi-->
- keylength</(null)></(null)></(null)> operations but a<A href="birthday">
- birthday attack</A> on a hash needs only 2
-<!--math xmlns="http://www.w3.org/1998/Math/MathML"-->
-
-<!--msup-->
-
-<!--mrow-->
-
-<!--mi-->
- hashlength</(null)>
-<!--mo-->
- /</(null)>
-<!--mn-->
-
- 2</(null)></(null)></(null)></(null)> , so as a general rule you need a
- hash twice the size of the key to get similar strength. SHA-256,
- SHA-384 and SHA-512 are designed to match the 128, 192 and 256-bit key
- sizes of AES, respectively.</DD>
-<DT><A name="SIGINT">Signals intelligence (SIGINT)</A></DT>
-<DD>Activities of government agencies from various nations aimed at
- protecting their own communications and reading those of others.
- Cryptography, cryptanalysis, wiretapping, interception and monitoring
- of various sorts of signals. The players include the American<A href="#NSA">
- NSA</A>, British<A href="#GCHQ"> GCHQ</A> and Canadian<A href="#CSE">
- CSE</A>.</DD>
-<DT><A name="SKIP">SKIP</A></DT>
-<DD><B>S</B>imple<B> K</B>ey management for<B> I</B>nternet<B> P</B>
-rotocols, an alternative to<A href="#IKE"> IKE</A> developed by Sun and
- being marketed by their<A href="http://skip.incog.com"> Internet
- Commerce Group</A>.</DD>
-<DT><A name="snake">Snake oil</A></DT>
-<DD>Bogus cryptography. See the<A href="http://www.interhack.net/people/cmcurtin/snake-oil-faq.html">
- Snake Oil FAQ</A> or<A href="http://www.counterpane.com/crypto-gram-9902.html#snakeoil">
- this paper</A> by Schneier.</DD>
-<DT><A name="SPI">SPI</A></DT>
-<DD><B>S</B>ecurity<B> P</B>arameter<B> I</B>ndex, an index used within<A
-href="#IPSEC"> IPsec</A> to keep connections distinct. A<A href="#SA">
- Security Association (SA)</A> is defined by destination, protocol and
- SPI. Without the SPI, two connections to the same gateway using the
- same protocol could not be distinguished.
-<P>For more detail, see our<A href="ipsec.html"> IPsec</A> section
- and/or RFC 2401.</P>
-</DD>
-<DT><A name="SSH">SSH</A></DT>
-<DD><B>S</B>ecure<B> SH</B>ell, an encrypting replacement for the
- insecure Berkeley commands whose names begin with &quot;r&quot; for &quot;remote&quot;:
- rsh, rlogin, etc.
-<P>For more information on SSH, including how to obtain it, see our
- cryptography<A href="web.html#tools"> links</A>.</P>
-</DD>
-<DT><A name="SSHco">SSH Communications Security</A></DT>
-<DD>A company founded by the authors of<A href="#SSH"> SSH</A>. Offices
- are in<A href="http://www.ssh.fi"> Finland</A> and<A href="http://www.ipsec.com">
- California</A>. They have a toolkit for developers of IPsec
- applications.</DD>
-<DT><A name="SSL">SSL</A></DT>
-<DD><A href="http://home.netscape.com/eng/ssl3">Secure Sockets Layer</A>
-, a set of encryption and authentication services for web browsers,
- developed by Netscape. Widely used in Internet commerce. Also known as<A
-href="#TLS"> TLS</A>.</DD>
-<DT>SSLeay</DT>
-<DD>A free implementation of<A href="#SSL"> SSL</A> by Eric Young (eay)
- and others. Developed in Australia; not subject to US export controls.</DD>
-<DT><A name="static">static IP address</A></DT>
-<DD>an IP adddress which is pre-set on the machine itself, as opposed to
- a<A href="#dynamic"> dynamic address</A> which is assigned by a<A href="#DHCP">
- DHCP</A> server or obtained as part of the process of establishing a<A href="#PPP">
- PPP</A> or<A href="#PPPoE"> PPPoE</A> connection</DD>
-<DT><A name="stream">Stream cipher</A></DT>
-<DD>A<A href="#symmetric"> symmetric cipher</A> which produces a stream
- of output which can be combined (often using XOR or bytewise addition)
- with the plaintext to produce ciphertext. Contrasts with<A href="#block">
- block cipher</A>.
-<P><A href="#IPSEC">IPsec</A> does not use stream ciphers. Their main
- application is link-level encryption, for example of voice, video or
- data streams on a wire or a radio signal.</P>
-</DD>
-<DT><A name="subnet">subnet</A></DT>
-<DD>A group of IP addresses which are logically one network, typically
- (but not always) assigned to a group of physically connected machines.
- The range of addresses in a subnet is described using a subnet mask.
- See next entry.</DD>
-<DT>subnet mask</DT>
-<DD>A method of indicating the addresses included in a subnet. Here are
- two equivalent examples:
-<UL>
-<LI>101.101.101.0/24</LI>
-<LI>101.101.101.0 with mask 255.255.255.0</LI>
-</UL>
-<P>The '24' is shorthand for a mask with the top 24 bits one and the
- rest zero. This is exactly the same as 255.255.255.0 which has three
- all-ones bytes and one all-zeros byte.</P>
-<P>These indicate that, for this range of addresses, the top 24 bits are
- to be treated as naming a network (often referred to as &quot;the
- 101.101.101.0/24 subnet&quot;) while most combinations of the low 8 bits can
- be used to designate machines on that network. Two addresses are
- reserved; 101.101.101.0 refers to the subnet rather than a specific
- machine while 101.101.101.255 is a broadcast address. 1 to 254 are
- available for machines.</P>
-<P>It is common to find subnets arranged in a hierarchy. For example, a
- large company might have a /16 subnet and allocate /24 subnets within
- that to departments. An ISP might have a large subnet and allocate /26
- subnets (64 addresses, 62 usable) to business customers and /29 subnets
- (8 addresses, 6 usable) to residential clients.</P>
-</DD>
-<DT><A name="SWAN">S/WAN</A></DT>
-<DD>Secure Wide Area Network, a project involving<A href="#RSAco"> RSA
- Data Security</A> and a number of other companies. The goal was to
- ensure that all their<A href="#IPSEC"> IPsec</A> implementations would
- interoperate so that their customers can communicate with each other
- securely.</DD>
-<DT><A name="symmetric">Symmetric cryptography</A></DT>
-<DD>Symmetric cryptography, also referred to as conventional or secret
- key cryptography, relies on a<EM> shared secret key</EM>, identical for
- sender and receiver. Sender encrypts with that key, receiver decrypts
- with it. The idea is that an eavesdropper without the key be unable to
- read the messages. There are two main types of symmetric cipher,<A href="#block">
- block ciphers</A> and<A href="#stream"> stream ciphers</A>.
-<P>Symmetric cryptography contrasts with<A href="#public"> public key</A>
- or asymmetric systems where the two players use different keys.</P>
-<P>The great difficulty in symmetric cryptography is, of course, key
- management. Sender and receiver<EM> must</EM> have identical keys and
- those keys<EM> must</EM> be kept secret from everyone else. Not too
- much of a problem if only two people are involved and they can
- conveniently meet privately or employ a trusted courier. Quite a
- problem, though, in other circumstances.</P>
-<P>It gets much worse if there are many people. An application might be
- written to use only one key for communication among 100 people, for
- example, but there would be serious problems. Do you actually trust all
- of them that much? Do they trust each other that much? Should they?
- What is at risk if that key is compromised? How are you going to
- distribute that key to everyone without risking its secrecy? What do
- you do when one of them leaves the company? Will you even know?</P>
-<P>On the other hand, if you need unique keys for every possible
- connection between a group of 100, then each user must have 99 keys.
- You need either 99*100/2 = 4950<EM> secure</EM> key exchanges between
- users or a central authority that<EM> securely</EM> distributes 100 key
- packets, each with a different set of 99 keys.</P>
-<P>Either of these is possible, though tricky, for 100 users. Either
- becomes an administrative nightmare for larger numbers. Moreover, keys<EM>
- must</EM> be changed regularly, so the problem of key distribution
- comes up again and again. If you use the same key for many messages
- then an attacker has more text to work with in an attempt to crack that
- key. Moreover, one successful crack will give him or her the text of
- all those messages.</P>
-<P>In short, the<EM> hardest part of conventional cryptography is key
- management</EM>. Today the standard solution is to build a<A href="#hybrid">
- hybrid system</A> using<A href="#public"> public key</A> techniques to
- manage keys.</P>
-</DD>
-<DT><A name="T">T</A></DT>
-<DT><A name="TIS">TIS</A></DT>
-<DD>Trusted Information Systems, a firewall vendor now part of<A href="#NAI">
- NAI</A>. Their Gauntlet product offers IPsec VPN services. TIS
- implemented the first version of<A href="#SDNS"> Secure DNS</A> on a<A href="#DARPA">
- DARPA</A> contract.</DD>
-<DT><A name="TLS">TLS</A></DT>
-<DD><B>T</B>ransport<B> L</B>ayer<B> S</B>ecurity, a newer name for<A href="#SSL">
- SSL</A>.</DD>
-<DT><A name="TOS">TOS field</A></DT>
-<DD>The<STRONG> T</STRONG>ype<STRONG> O</STRONG>f<STRONG> S</STRONG>
-ervice field in an IP header, used to control qualkity of service
- routing.</DD>
-<DT><A name="traffic">Traffic analysis</A></DT>
-<DD>Deducing useful intelligence from patterns of message traffic,
- without breaking codes or reading the messages. In one case during
- World War II, the British guessed an attack was coming because all
- German radio traffic stopped. The &quot;radio silence&quot; order, intended to
- preserve security, actually gave the game away.
-<P>In an industrial espionage situation, one might deduce something
- interesting just by knowing that company A and company B were talking,
- especially if one were able to tell which departments were involved, or
- if one already knew that A was looking for acquisitions and B was
- seeking funds for expansion.</P>
-<P>In general, traffic analysis by itself is not very useful. However,
- in the context of a larger intelligence effort where quite a bit is
- already known, it can be very useful. When you are solving a complex
- puzzle, every little bit helps.</P>
-<P><A href="#IPSEC">IPsec</A> itself does not defend against traffic
- analysis, but carefully thought out systems using IPsec can provide at
- least partial protection. In particular, one might want to encrypt more
- traffic than was strictly necessary, route things in odd ways, or even
- encrypt dummy packets, to confuse the analyst. We discuss this<A href="ipsec.html#traffic.resist">
- here</A>.</P>
-</DD>
-<DT><A name="transport">Transport mode</A></DT>
-<DD>An IPsec application in which the IPsec gateway is the destination
- of the protected packets, a machine acts as its own gateway. Contrast
- with<A href="#tunnel"> tunnel mode</A>.</DD>
-<DT>Triple DES</DT>
-<DD>see<A href="#3DES"> 3DES</A></DD>
-<DT><A name="TTL">TTL</A></DT>
-<DD><STRONG>T</STRONG>ime<STRONG> T</STRONG>o<STRONG> L</STRONG>ive,
- used to control<A href="ipsec.html#DNS"> DNS</A> caching. Servers
- discard cached records whose TTL expires</DD>
-<DT><A name="tunnel">Tunnel mode</A></DT>
-<DD>An IPsec application in which an IPsec gateway provides protection
- for packets to and from other systems. Contrast with<A href="#transport">
- transport mode</A>.</DD>
-<DT><A name="2key">Two-key Triple DES</A></DT>
-<DD>A variant of<A href="#3DES"> triple DES or 3DES</A> in which only
- two keys are used. As in the three-key version, the order of operations
- is<A href="#EDE"> EDE</A> or encrypt-decrypt-encrypt, but in the
- two-key variant the first and third keys are the same.
-<P>3DES with three keys has 3*56 = 168 bits of key but has only 112-bit
- strength against a<A href="#meet"> meet-in-the-middle</A> attack, so it
- is possible that the two key version is just as strong. Last I looked,
- this was an open question in the research literature.</P>
-<P>RFC 2451 defines triple DES for<A href="#IPSEC"> IPsec</A> as the
- three-key variant. The two-key variant should not be used and is not
- implemented directly in<A href="web.html#FreeSWAN"> Linux FreeS/WAN</A>
-. It cannot be used in automatically keyed mode without major fiddles in
- the source code. For manually keyed connections, you could make Linux
- FreeS/WAN talk to a two-key implementation by setting two keys the same
- in /etc/ipsec.conf.</P>
-</DD>
-<DT><A name="U">U</A></DT>
-<DT><A name="V">V</A></DT>
-<DT><A name="virtual">Virtual Interface</A></DT>
-<DD>A<A href="#Linux"> Linux</A> feature which allows one physical
- network interface to have two or more IP addresses. See the<CITE> Linux
- Network Administrator's Guide</CITE> in<A href="biblio.html#kirch">
- book form</A> or<A href="http://metalab.unc.edu/LDP/LDP/nag/node1.html">
- on the web</A> for details.</DD>
-<DT>Virtual Private Network</DT>
-<DD>see<A href="#VPN"> VPN</A></DD>
-<DT><A name="VPN">VPN</A></DT>
-<DD><B>V</B>irtual<B> P</B>rivate<B> N</B>etwork, a network which can
- safely be used as if it were private, even though some of its
- communication uses insecure connections. All traffic on those
- connections is encrypted.
-<P><A href="#IPSEC">IPsec</A> is not the only technique available for
- building VPNs, but it is the only method defined by<A href="rfc.html#RFC">
- RFCs</A> and supported by many vendors. VPNs are by no means the only
- thing you can do with IPsec, but they may be the most important
- application for many users.</P>
-</DD>
-<DT><A name="VPNC">VPNC</A></DT>
-<DD><A href="http://www.vpnc.org">Virtual Private Network Consortium</A>
-, an association of vendors of VPN products.</DD>
-<DT><A name="W">W</A></DT>
-<DT><A name="Wassenaar.gloss">Wassenaar Arrangement</A></DT>
-<DD>An international agreement restricting export of munitions and other
- tools of war. Unfortunately, cryptographic software is also restricted
- under the current version of the agreement.<A href="politics.html#Wassenaar">
- Discussion</A>.</DD>
-<DT><A name="web">Web of Trust</A></DT>
-<DD><A href="#PGP">PGP</A>'s method of certifying keys. Any user can
- sign a key; you decide which signatures or combinations of signatures
- to accept as certification. This contrasts with the hierarchy of<A href="#CA">
- CAs (Certification Authorities)</A> used in many<A href="#PKI"> PKIs
- (Public Key Infrastructures)</A>.
-<P>See<A href="#GTR"> Global Trust Register</A> for an interesting
- addition to the web of trust.</P>
-</DD>
-<DT><A name="WEP">WEP (Wired Equivalent Privacy)</A></DT>
-<DD>The cryptographic part of the<A href="#IEEE"> IEEE</A> standard for
- wireless LANs. As the name suggests, this is designed to be only as
- secure as a normal wired ethernet. Anyone with a network conection can
- tap it. Its advocates would claim this is good design, refusing to
- build in complex features beyond the actual requirements.
-<P>Critics refer to WEP as &quot;Wire<EM>tap</EM> Equivalent Privacy&quot;, and
- consider it a horribly flawed design based on bogus &quot;requirements&quot;. You
- do not control radio waves as you might control your wires, so the
- metaphor in the rationale is utterly inapplicable. A security policy
- that chooses not to invest resources in protecting against certain
- attacks which can only be conducted by people physically plugged into
- your LAN may or may not be reasonable. The same policy is completely
- unreasonable when someone can &quot;plug in&quot; from a laptop half a block
- away..</P>
-<P>There has been considerable analysis indicating that WEP is seriously
- flawed. A FAQ on attacks against WEP is available. Part of it reads:</P>
-<BLOCKQUOTE> ... attacks are practical to mount using only inexpensive
- off-the-shelf equipment. We recommend that anyone using an 802.11
- wireless network not rely on WEP for security, and employ other
- security measures to protect their wireless network. Note that our
- attacks apply to both 40-bit and the so-called 128-bit versions of WEP
- equally well.</BLOCKQUOTE>
-<P>WEP appears to be yet another instance of governments, and
- unfortunately some vendors and standards bodies, deliberately promoting
- hopelessly flawed &quot;security&quot; products, apparently mainly for the
- benefit of eavesdropping agencies. See this<A href="politics.html#weak">
- discussion</A>.</P>
-</DD>
-<DT><A name="X">X</A></DT>
-<DT><A name="X509">X.509</A></DT>
-<DD>A standard from the<A href="http://www.itu.int"> ITU (International
- Telecommunication Union)</A>, for hierarchical directories with
- authentication services, used in many<A href="#PKI"> PKI</A>
- implementations.
-<P>Use of X.509 services, via the<A href="#LDAP"> LDAP protocol</A>, for
- certification of keys is allowed but not required by the<A href="#IPSEC">
- IPsec</A> RFCs. It is not yet implemented in<A href="web.html#FreeSWAN">
- Linux FreeS/WAN</A>.</P>
-</DD>
-<DT>Xedia</DT>
-<DD>A vendor of router and Internet access products, now part of Lucent.
- Their QVPN products interoperate with Linux FreeS/WAN; see our<A href="interop.html#Xedia">
- interop document</A>.</DD>
-<DT><A name="Y">Y</A></DT>
-<DT><A name="Z">Z</A></DT>
-</DL>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="web.html">Previous</A>
-<A HREF="biblio.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/index.html b/doc/index.html
deleted file mode 100644
index 427ed7ea7..000000000
--- a/doc/index.html
+++ /dev/null
@@ -1,55 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN index</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, encryption, cryptography, FreeS/WAN, FreeSWAN">
-  <!--
-
-  Written by Claudia Schmeing for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: index.html,v 1.1 2004/03/15 20:35:21 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:21 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1>FreeS/WAN documentation</h1>
-
-<ul>
-  <li><a href="intro.html">Introduction</a></li>
-  <li><a href="upgrading.html">Upgrading to 2.x</a></li>
-</ul>
-
-<ul> 
-  <li><a href="quickstart.html">Quickstart guide to Opportunistic Encryption</a></li>
-  <li><a href="install.html">Installing</a></li>
-  <li><a href="config.html">Configuring</a></li>
-  <li><a href="policygroups.html">Policy Groups</a> 
-                   </li>
-  <li><a href="interop.html">Interoperating</a> 
-<FONT COLOR="#FF0000">New and improved!</FONT></li>
-  <li><a href="faq.html">FAQ</a></li>
-  <li><a href="trouble.html">Troubleshooting and problem reporting</a></li>
-</ul>
-
-<ul>
-  <li><a href="toc.html">Full table of contents, with much more</a></li>
-  <li><a href="HowTo.html">All our docs as one big file</a></li>
-</ul>  
-
-<p>For technical support and other questions, use our <a
-href="mail.html">mailing lists</a>.</p>
-
-<pre>        This index last changed:    $Date: 2004/03/15 20:35:21 $</pre>
-
-</body>
-</html>
diff --git a/doc/install.html b/doc/install.html
deleted file mode 100644
index 6cd55535e..000000000
--- a/doc/install.html
+++ /dev/null
@@ -1,286 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="adv_config.html">Previous</A>
-<A HREF="config.html">Next</A>
-<HR>
-<H1><A name="install">Installing FreeS/WAN</A></H1>
-<P>This document will teach you how to install Linux FreeS/WAN. If your
- distribution comes with Linux FreeS/WAN, we offer tips to get you
- started.</P>
-<H2><A NAME="15_1">Requirements</A></H2>
-<P>To install FreeS/WAN you must:</P>
-<UL>
-<LI>be running Linux with the 2.4 or 2.2 kernel series. See this<A HREF="http://www.freeswan.ca/download.php#contact">
- kernel compatibility table</A>.
-<BR>We also have experimental support for 2.6 kernels. Here are two
- basic approaches:
-<UL>
-<LI> install FreeS/WAN, including its<A HREF="ipsec.html#parts"> KLIPS</A>
- kernel code. This will remove the native IPsec stack and replace it
- with KLIPS.</LI>
-<LI> install the FreeS/WAN<A HREF="ipsec.html#parts"> userland tools</A>
- (keying daemon and supporting scripts) for use with<A HREF="http://lartc.org/howto/lartc.ipsec.html">
- 2.6 kernel native IPsec</A>,</LI>
-</UL>
- See also these<A HREF="2.6.known-issues"> known issues with 2.6</A>.</LI>
-<LI>have root access to your Linux box</LI>
-<LI>choose the version of FreeS/WAN you wish to install based on<A HREF="http://www.freeswan.org/mail.html">
- mailing list reports</A>
-<!-- or 
-our updates page (coming soon)-->
-</LI>
-</UL>
-<H2><A NAME="15_2">Choose your install method</A></H2>
-<P>There are three basic ways to get FreeS/WAN onto your system:</P>
-<UL>
-<LI>activating and testing a FreeS/WAN that<A HREF="#distroinstall">
- shipped with your Linux distribution</A></LI>
-<LI><A HREF="#rpminstall">RPM install</A></LI>
-<LI><A HREF="#srcinstall">Install from source</A></LI>
-</UL>
-<A NAME="distroinstall"></A>
-<H2><A NAME="15_3">FreeS/WAN ships with some Linuxes</A></H2>
-<P>FreeS/WAN comes with<A HREF="intro.html#distwith"> these
- distributions</A>.</P>
-<P>If you're running one of these, include FreeS/WAN in the choices you
- make during installation, or add it later using the distribution's
- tools.</P>
-<H3><A NAME="15_3_1">FreeS/WAN may be altered...</A></H3>
-<P>Your distribution may have integrated extra features, such as Andreas
- Steffen's X.509 patch, into FreeS/WAN. It may also use custom startup
- script locations or directory names.</P>
-<H3><A NAME="15_3_2">You might need to create an authentication keypair</A>
-</H3>
-<P>If your FreeS/WAN came with your distribution, you may wish to
- generate a fresh RSA key pair. FreeS/WAN will use these keys for
- authentication.</P>
-<P> To do this, become root, and type:</P>
-<PRE>    ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com
-    chmod 600 /etc/ipsec.secrets</PRE>
-<P>where you replace xy.example.com with your machine's fully-qualified
- domain name. Generate some randomness, for example by wiggling your
- mouse, to speed the process.</P>
-<P>The resulting ipsec.secrets looks like:</P>
-<PRE>: RSA   {
-        # RSA 2192 bits   xy.example.com   Sun Jun 8 13:42:19 2003
-        # for signatures only, UNSAFE FOR ENCRYPTION
-        #pubkey=0sAQOFppfeE3cC7wqJi...
-        Modulus: 0x85a697de137702ef0...
-        # everything after this point is secret
-        PrivateExponent: 0x16466ea5033e807...
-        Prime1: 0xdfb5003c8947b7cc88759065...
-        Prime2: 0x98f199b9149fde11ec956c814...
-        Exponent1: 0x9523557db0da7a885af90aee...
-        Exponent2: 0x65f6667b63153eb69db8f300dbb...
-        Coefficient: 0x90ad00415d3ca17bebff123413fc518...
-        }
-# do not change the indenting of that &quot;}&quot;</PRE>
-<P>In the actual file, the strings are much longer.</P>
-<H3><A NAME="15_3_3">Start and test FreeS/WAN</A></H3>
-<P>You can now<A HREF="install.html#starttest"> start FreeS/WAN and test
- whether it's been successfully installed.</A>.</P>
-<A NAME="rpminstall"></A>
-<H2><A NAME="15_4">RPM install</A></H2>
-<P>These instructions are for a recent Red Hat with a stock Red Hat
- kernel. We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If
- you're running either, install using your distribution's tools.</P>
-<H3><A NAME="15_4_1">Download RPMs</A></H3>
-<P>Decide which functionality you need:</P>
-<UL>
-<LI>standard FreeS/WAN RPMs. Use these shortcuts:
-<BR>
-<UL>
-<LI>(for 2.6 kernels: userland only)
-<BR> ncftpget
- ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/\*userland*
-</LI>
-<LI>(for 2.4 kernels)
-<BR> ncftpget
- ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r
- | tr -d 'a-wy-z'`/\*</LI>
-<LI> or view all the offerings at our<A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs">
- FTP site</A>.</LI>
-</UL>
-</LI>
-<LI>unofficial<A href="http://www.freeswan.ca/download.php"> Super
- FreeS/WAN</A> RPMs, which include Andreas Steffen's X.509 patch and
- more. Super FreeS/WAN RPMs do not currently include<A HREF="glossary.html#NAT.gloss">
- Network Address Translation</A> (NAT) traversal, but Super FreeS/WAN
- source does.</LI>
-</UL>
-<A NAME="2.6.rpm"></A>
-<P>For 2.6 kernels, get the latest FreeS/WAN userland RPM, for example:</P>
-<PRE>    freeswan-userland-2.04.9-0.i386.rpm</PRE>
-<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please
- see<A HREf="2.6.known-issues"> 2.6.known-issues</A>, and the latest<A HREF="http://www.freeswan.org/mail.html">
- mailing list reports</A>.</P>
-<P>Change to your new FreeS/WAN directory, and make and install the</P>
-<P>For 2.4 kernels, get both kernel and userland RPMs. Check your kernel
- version with</P>
-<PRE>    uname -r</PRE>
-<P>Get a kernel module which matches that version. For example:</P>
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<P>Note: These modules<B> will only work on the Red Hat kernel they were
- built for</B>, since they are very sensitive to small changes in the
- kernel.</P>
-<P>Get FreeS/WAN utilities to match. For example:</P>
-<PRE>    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<H3><A NAME="15_4_2">For freeswan.org RPMs: check signatures</A></H3>
-<P>While you're at our ftp site, grab the RPM signing key</P>
-<PRE>    freeswan-rpmsign.asc</PRE>
-<P>If you're running RedHat 8.x or later, import this key into the RPM
- database:</P>
-<PRE>    rpm --import freeswan-rpmsign.asc</PRE>
-<P>For RedHat 7.x systems, you'll need to add it to your<A HREF="glossary.html#PGP">
- PGP</A> keyring:</P>
-<PRE>    pgp -ka freeswan-rpmsign.asc</PRE>
-<P>Check the digital signatures on both RPMs using:</P>
-<PRE>    rpm --checksig freeswan*.rpm </PRE>
-<P>You should see that these signatures are good:</P>
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK
-    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK</PRE>
-<H3><A NAME="15_4_3">Install the RPMs</A></H3>
-<P>Become root:</P>
-<PRE>    su</PRE>
-<P>For a first time install, use:</P>
-<PRE>    rpm -ivh freeswan*.rpm</PRE>
-<P>To upgrade existing RPMs (and keep all .conf files in place), use:</P>
-<PRE>    rpm -Uvh freeswan*.rpm</PRE>
-<P>If you're upgrading from FreeS/WAN 1.x to 2.x RPMs, and encounter
- problems, see<A HREF="upgrading.html#upgrading.rpms"> this note</A>.</P>
-<H3><A NAME="15_4_4">Start and Test FreeS/WAN</A></H3>
-<P>Now,<A HREF="install.html#starttest"> start FreeS/WAN and test your
- install</A>.</P>
-<A NAME="srcinstall"></A>
-<H2><A NAME="15_5">Install from Source</A></H2>
-
-<!-- Most of this section, along with "Start and Test", can replace 
-INSTALL. -->
-<H3><A NAME="15_5_1">Decide what functionality you need</A></H3>
-<P>Your choices are:</P>
-<UL>
-<LI><A HREF="ftp://ftp.xs4all.nl/pub/crypto/freeswan">standard FreeS/WAN</A>
-,</LI>
-<LI>standard FreeS/WAN plus any of these<A HREF="web.html#patch">
- user-supported patches</A>, or</LI>
-<LI><A HREF="http://www.freeswan.ca/download">Super FreeS/WAN</A>, an
- unofficial FreeS/WAN pre-patched with many of the above. Provides
- additional algorithms, X.509, SA deletion, dead peer detection, and<A HREF="glossary.html#NAT.gloss">
- Network Address Translation</A> (NAT) traversal.</LI>
-</UL>
-<H3><A NAME="15_5_2">Download FreeS/WAN</A></H3>
-<P>Download the source tarball you've chosen, along with any patches.</P>
-<H3><A NAME="15_5_3">For freeswan.org source: check its signature</A></H3>
-<P>While you're at our ftp site, get our source signing key</P>
-<PRE>    freeswan-sigkey.asc</PRE>
-<P>Add it to your PGP keyring:</P>
-<PRE>    pgp -ka freeswan-sigkey.asc</PRE>
-<P>Check the signature using:</P>
-<PRE>    pgp freeswan-2.04.tar.gz.sig freeswan-2.04.tar.gz</PRE>
-<P>You should see something like:</P>
-<PRE>    Good signature from user &quot;Linux FreeS/WAN Software Team (build@freeswan.org)&quot;.
-    Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1</PRE>
-
-<!-- Note to self: build@freeswan.org has angled brackets in the original.
-     Changed because it conflicts with HTML tags. -->
-<H3><A NAME="15_5_4">Untar, unzip</A></H3>
-<P>As root, unpack your FreeS/WAN source into<VAR> /usr/src</VAR>.</P>
-<PRE>    su
-    mv freeswan-2.04.tar.gz /usr/src
-    cd /usr/src
-    tar -xzf freeswan-2.04.tar.gz
-</PRE>
-<H3><A NAME="15_5_5">Patch if desired</A></H3>
-<P>Now's the time to add any patches. The contributor may have special
- instructions, or you may simply use the patch command.</P>
-<H3><A NAME="15_5_6">... and Make</A></H3>
-<P>Choose one of the methods below.</P>
-<H4>Userland-only Install for 2.6 kernels</H4>
-<A NAME="2.6.src"></A>
-<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please
- see<A HREf="2.6.known-issues"> 2.6.known-issues</A>, and the latest<A HREF="http://www.freeswan.org/mail.html">
- mailing list reports</A>.</P>
-<P>Change to your new FreeS/WAN directory, and make and install the
- FreeS/WAN userland tools.</P>
-<PRE>    cd /usr/src/freeswan-2.04
-    make programs
-    make install</PRE>
-<P>Now,<A HREF="install.html#starttest"> start FreeS/WAN and test your
- install</A>.</P>
-<H4>KLIPS install for 2.2, 2.4, or 2.6 kernels</H4>
-<A NAME="modinstall"></A>
-<P>To make a modular version of KLIPS, along with other FreeS/WAN
- programs you'll need, use the command sequence below. This will change
- to your new FreeS/WAN directory, make the FreeS/WAN module (and other
- stuff), and install it all.</P>
-<PRE>    cd /usr/src/freeswan-2.04
-    make oldmod
-    make minstall</PRE>
-<P><A HREF="install.html#starttest">Start FreeS/WAN and test your
- install</A>.</P>
-<P>To link KLIPS statically into your kernel (using your old kernel
- settings), and install other FreeS/WAN components, do:</P>
-<PRE>    cd /usr/src/freeswan-2.04
-    make oldmod
-    make minstall</PRE>
-<P>Reboot your system and<A HREF="install.html#testonly"> test your
- install</A>.</P>
-<P>For other ways to compile KLIPS, see our Makefile.</P>
-<A name="starttest"></A>
-<H2><A NAME="15_6">Start FreeS/WAN and test your install</A></H2>
-<P>Bring FreeS/WAN up with:</P>
-<PRE>    service ipsec start</PRE>
-<P>This is not necessary if you've rebooted.</P>
-<A name="testonly"></A>
-<H2><A NAME="15_7">Test your install</A></H2>
-<P>To check that you have a successful install, run:</P>
-<PRE>    ipsec verify</PRE>
-<P>You should see at least:</P>
-<PRE>
-    Checking your system to see if IPsec got installed and started correctly
-    Version check and ipsec on-path                             [OK]
-    Checking for KLIPS support in kernel                        [OK]
-    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
-    Checking that pluto is running                              [OK]
-</PRE>
-<P>If any of these first four checks fails, see our<A href="trouble.html#install.check">
- troubleshooting guide</A>.</P>
-<H2><A NAME="15_8">Making FreeS/WAN play well with others</A></H2>
-<P>There are at least a couple of things on your system that might
- interfere with FreeS/WAN, and now's a good time to check these:</P>
-<UL>
-<LI>Firewalling. You need to allow UDP 500 through your firewall, plus
- ESP (protocol 50) and AH (protocol 51). For more information, see our
- updated firewalls document (coming soon).</LI>
-<LI>Network address translation. Do not NAT the packets you will be
- tunneling.</LI>
-</UL>
-<H2><A NAME="15_9">Configure for your needs</A></H2>
-<P>You'll need to configure FreeS/WAN for your local site. Have a look
- at our<A HREF="quickstart.html"> opportunism quickstart guide</A> to
- see if that easy method is right for your needs. Or, see how to<A HREF="config.html">
- configure a network-to-network or Road Warrior style VPN</A>.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="adv_config.html">Previous</A>
-<A HREF="config.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/interop.html b/doc/interop.html
deleted file mode 100644
index 1cd7b9e78..000000000
--- a/doc/interop.html
+++ /dev/null
@@ -1,983 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="compat.html">Previous</A>
-<A HREF="performance.html">Next</A>
-<HR>
-<A NAME="interop"></A>
-<H1><A NAME="10">Interoperating with FreeS/WAN</A></H1>
-<P>The FreeS/WAN project needs you! We rely on the user community to
- keep up to date. Mail users@lists.freeswan.org with your interop
- success stories.</P>
-<P><STRONG>Please note</STRONG>: Most of our interop examples feature
- Linux FreeS/WAN 1.x config files. You can convert them to 2.x files
- fairly easily with the patch in our<A HREF="upgrading.html#ipsec.conf_v2">
- Upgrading Guide</A>.</P>
-<H2><A NAME="10_1">Interop at a Glance</A></H2>
-<TABLE BORDER="1">
-<TR><TD>&nbsp;</TD><TD colspan="5">FreeS/WAN VPN</TD><TD>Road Warrior</TD><TD>
-OE</TD></TR>
-<TR><TD>&nbsp;</TD><TD>PSK</TD><TD>RSA Secret</TD><TD>X.509
-<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD>
-NAT-Traversal
-<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD>
-Manual
-<BR>Keying</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR>
-<TR><TD colspan="8">More Compatible</TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="web.html#freeswan">FreeS/WAN</A><A NAME="freeswan.top">
- &nbsp;</A></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#isakmpd">isakmpd (OpenBSD)</A><A NAME="isakmpd.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>
-<FONT color="#cc0000">No&nbsp;&nbsp;&nbsp;&nbsp;</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#kame">Kame (FreeBSD,
-<BR> NetBSD, MacOSX)
-<BR> <SMALL>aka racoon</SMALL></A><A NAME="kame.top"> &nbsp;</A></TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#mcafee">McAfee VPN
-<BR><SMALL>was PGPNet</SMALL></A><A NAME="mcafee.top"> &nbsp;</A></TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#microsoft">Microsoft
-<BR> Windows 2000/XP</A><A NAME="microsoft.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cc0000">
-No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="glossary.html#ssh">SSH Sentinel</A><A NAME="ssh.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>&nbsp;</TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#safenet">Safenet SoftPK
-<BR>/SoftRemote</A><A NAME="safenet.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cc0000">
-No</FONT></TD></TR>
-<TR><TD colspan="8">Other</TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#6wind">6Wind</A><A NAME="6wind.top"> &nbsp;</A></TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-<FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#alcatel">Alcatel Timestep</A><A NAME="alcatel.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#apple">Apple Macintosh
-<BR>System 10+</A><A NAME="apple.top"> &nbsp;</A></TD><TD><FONT color="#cccc00">
-Maybe</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cccc00">
-Maybe</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#ashleylaurent">AshleyLaurent
-<BR> VPCom</A><A NAME="ashleylaurent.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT
-color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#borderware">Borderware</A><A NAME="borderware.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD><TD><FONT color="#cc0000">
-No</FONT></TD></TR>
-
-<!--
-http://www.cequrux.com/vpn-guides.php3
-"coming soon" guide to connect with FreeS/WAN.
--->
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#checkpoint">Check Point FW-1/VPN-1</A><A NAME="checkpoint.top">
- &nbsp;</A></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>
-<FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#cisco">Cisco with 3DES</A><A NAME="cisco.top"> &nbsp;</A></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cccc00">Maybe</FONT>
-</TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#equinux">Equinux VPN Tracker
-<BR> (for Mac OS X)</A><A NAME="equinux.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#fsecure">F-Secure</A><A NAME="fsecure.top"> &nbsp;</A></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">
-Maybe</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#gauntlet">Gauntlet GVPN</A><A NAME="gauntlet.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">
-No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#aix">IBM AIX</A><A NAME="aix.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#as400">IBM AS/400</A><A NAME="as400"> &nbsp;</A></TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#intel">Intel Shiva
-<BR>LANRover/Net Structure</A><A NAME="intel.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT
-color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#lancom">LanCom (formerly ELSA)</A><A NAME="lancom.top">
- &nbsp;</A></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#linksys">Linksys</A><A NAME="linksys.top"> &nbsp;</A></TD><TD>
-<FONT color="#cccc00">Maybe</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">
-No</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>
-<FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#lucent">Lucent</A><A NAME="lucent.top"> &nbsp;</A></TD><TD><FONT
-color="#cccc00">Partial</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#netasq">Netasq</A><A NAME="netasq.top"> &nbsp;</A></TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#netcelo">netcelo</A><A NAME="netcelo.top"> &nbsp;</A></TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#netgear">Netgear fvs318</A><A NAME="netgear.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#netscreen">Netscreen 100
-<BR>or 5xp</A><A NAME="netscreen.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cccc00">
-Maybe</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#nortel">Nortel Contivity</A><A NAME="nortel.top"> &nbsp;</A>
-</TD><TD><FONT color="#cccc00">Partial</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#radguard">RadGuard</A><A NAME="radguard.top"> &nbsp;</A></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#raptor">Raptor</A><A NAME="raptor"> &nbsp;</A></TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#redcreek">Redcreek Ravlin</A><A NAME="redcreek.top"> &nbsp;</A>
-</TD><TD><FONT color="#00cc00">Yes</FONT><FONT color="#cccc00">/Partial</FONT>
-</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">
-No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#sonicwall">SonicWall</A><A NAME="sonicwall.top"> &nbsp;</A></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT
-color="#cccc00">Maybe</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD><TD>
-<FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#sun">Sun Solaris</A><A NAME="sun.top"> &nbsp;</A></TD><TD><FONT
-color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT>
-</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT
-color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#symantec">Symantec</A><A NAME="symantec.top"> &nbsp;</A></TD><TD>
-<FONT color="#00cc00">Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>
-&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#watchguard">Watchguard
-<BR> Firebox</A><A NAME="watchguard.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD><FONT color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#xedia">Xedia Access Point
-<BR>/QVPN</A><A NAME="xedia.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT
-color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR><TD><A HREF="#zyxel">Zyxel Zywall
-<BR>/Prestige</A><A NAME="zyxel.top"> &nbsp;</A></TD><TD><FONT color="#00cc00">
-Yes</FONT></TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD><FONT
-color="#cc0000">No</FONT></TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE
-
-
-<TR>
-<TD><A HREF="#sample">sample</A></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
--->
-<TR><TD>&nbsp;</TD><TD>PSK</TD><TD>RSA Secret</TD><TD>X.509
-<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD>
-NAT-Traversal
-<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD>
-Manual
-<BR>Keying</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR>
-<TR><TD>&nbsp;</TD><TD colspan="5">FreeS/WAN VPN</TD><TD>Road Warrior</TD><TD>
-OE</TD></TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-</TABLE>
-<H3><A NAME="10_1_1">Key</A></H3>
-<TABLE BORDER="1">
-<TR><TD><FONT color="#00cc00">Yes</FONT></TD><TD>People report that this
- works for them.</TD></TR>
-<TR><TD>[Blank]</TD><TD>We don't know.</TD></TR>
-<TR><TD><FONT color="#cc0000">No</FONT></TD><TD>We have reason to
- believe it was, at some point, not possible to get this to work.</TD></TR>
-<TR><TD><FONT color="#cccc00">Partial</FONT></TD><TD>Partial success.
- For example, a connection can be created from one end only.</TD></TR>
-<TR><TD><FONT color="#00cc00">Yes</FONT><FONT color="#cccc00">/Partial</FONT>
-</TD><TD>Mixed reports.</TD></TR>
-<TR><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>We think the answer
- is &quot;yes&quot;, but need confirmation.</TD></TR>
-</TABLE>
-<A NAME="interoprules"></A>
-<H2><A NAME="10_2">Basic Interop Rules</A></H2>
-<P>Vanilla FreeS/WAN implements<A HREF="compat.html#compat"> these parts</A>
- of the IPSec specifications. You can add more with<A HREF="http://www.freeswan.ca">
- Super FreeS/WAN</A>, but what we offer may be enough for many users.</P>
-<UL>
-<LI> To use X.509 certificates with FreeS/WAN, you will need the<A HREF="http://www.strongsec.org/freeswan">
- X.509 patch</A> or<A HREF="http://www.freeswan.ca"> Super FreeS/WAN</A>
-, which includes that patch.</LI>
-<LI> To use<A HREF="glossary.html#NAT.gloss"> Network Address
- Translation</A> (NAT) traversal with FreeS/WAN, you will need Arkoon
- Network Security's<A HREF="http://open-source.arkoon.net"> NAT
- traversal patch</A> or<A HREF="http://www.freeswan.ca"> Super FreeS/WAN</A>
-, which includes it.</LI>
-</UL>
-<P>We offer a set of proposals which is not user-adjustable, but covers
- all combinations that we can offer. FreeS/WAN always proposes triple
- DES encryption and Perfect Forward Secrecy (PFS). In addition, we
- propose Diffie Hellman groups 5 and 2 (in that order), and MD5 and
- SHA-1 hashes. We accept the same proposals, in the same order of
- preference.</P>
-<P>Other interop notes:</P>
-<UL>
-<LI> A<A HREF="http://lists.freeswan.org/archives/users/2003-September/msg00462.html">
- SHA-1 bug in FreeS/WAN 2.00, 2.01 and 2.02</A> may affect some interop
- scenarios. It does not affect 1.x versions, and is fixed in 2.03 and
- later.</LI>
-<LI> Some other implementations will close a connection with FreeS/WAN
- after some time. This may be a problem with rekey lifetimes. Please see<A
-HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html">
- this tip</A> and<A HREF="http://lists.freeswan.org/pipermail/users/2001-December/005758.html">
- this workaround</A>.</LI>
-</UL>
-<H2><A NAME="10_3">Longer Stories</A></H2>
-<H3><A NAME="10_3_1">For<EM> More Compatible</EM> Implementations</A></H3>
-<H4><A NAME="freeswan">FreeS/WAN</A></H4>
-<P> See our documentation at<A HREF="http://www.freeswan.org">
- freeswan.org</A> and the Super FreeS/WAN docs at<A HREF="http://www.freeswan.ca">
- freeswan.ca</A>. Some user-written HOWTOs for FreeS/WAN-FreeS/WAN
- connections are listed in<A HREF="intro.html#howto"> our Introduction</A>
-.</P>
-<P>See also:</P>
-<UL>
-<LI><A HREF="http://lugbe.ch/action/reports/ipsec_htbe.phtml"> A German
- FreeS/WAN-FreeS/WAN page by Markus Wernig (X.509)</A></LI>
-</UL>
-<P><A HREF="#freeswan.top">Back to chart</A></P>
-<H4><A NAME="isakmpd">isakmpd (OpenBSD)</A></H4>
-<P><A HREF="http://www.openbsd.org/faq/faq13.html">OpenBSD FAQ: Using
- IPsec</A>
-<BR><A HREF="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html">
- Hans-Joerg Hoexer's interop Linux-OpenBSD (PSK)</A>
-<BR><A HREF="http://www.segfault.net/ipsec/"> Skyper's configuration
- (PSK)</A>
-<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs (X.509)</A></P>
-<P><A HREF="#isakmpd.top">Back to chart</A></P>
-<H4><A NAME="kame">Kame</A></H4>
-<UL>
-<LI>For FreeBSD and NetBSD. Ships with Mac OS X; see also our<A HREF="#apple">
- Mac</A> section.</LI>
-<LI>Also known as<EM> racoon</EM>, its keying daemon.</LI>
-</UL>
-<P><A HREF="http://www.kame.net">Kame homepage, with FAQ</A>
-<BR><A HREF="http://www.netbsd.org/Documentation/network/ipsec">
- NetBSD's IPSec FAQ</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00560.html">
- Ghislaine's post explaining some interop peculiarities</A></P>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/09/msg00511.html">
- Itojun's Kame-FreeS/WAN interop tips (PSK)</A>
-<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2000"> Ghislaine
- Labouret's French page with links to matching FreeS/WAN and Kame
- configs (RSA)</A>
-<BR><A HREF="http://lugbe.ch/lostfound/contrib/freebsd_router/"> Markus
- Wernig's HOWTO (X.509, BSD gateway)</A>
-<BR><A HREF="http://web.morgul.net/~frodo/docs/kame+freeswan_interop.html">
- Frodo's Kame-FreeS/WAN interop (X.509)</A>
-<BR><A HREF="http://www.wavesec.org/kame.phtml"> Kame as a WAVEsec
- client.</A></P>
-<P><A HREF="#kame.top">Back to chart</A></P>
-<H4><A NAME="mcafee">PGPNet/McAfee</A></H4>
-<P></P>
-<UL>
-<LI>Now called McAfee VPN Client.</LI>
-<LI>PGPNet also came in a freeware version which did not support subnets</LI>
-<LI>To support dhcp-over-ipsec, you need the X.509 patch, which is
- included in<A HREF="http://www.freeswan.ca"> Super FreeS/WAN</A>.</LI>
-</UL>
-<P><A HREF="http://www.freeswan.ca/docs/WindowsInterop"> Tim Carr's
- Windows Interop Guide (X.509)</A>
-<BR><A HREF="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html#Interop2">
- Hans-Joerg Hoexer's Guide for Linux-PGPNet (PSK)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/04/msg00339.html">
- Kai Martius' instructions using RSA Key-Extractor Tool (RSA)</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://www.zengl.net/freeswan/english.html">Christian
- Zeng's page (RSA)</A> based on Kai's work. English or German.
-<BR><A HREF="http://tirnanog.ls.fi.upm.es/CriptoLab/Biblioteca/InfTech/InfTech_CriptoLab.htm">
- Oscar Delgado's PDF (X.509, no configs)</A>
-<BR><A HREF="http://www-ec.njit.edu/~rxt1077/Howto.txt"> Ryan's HOWTO
- for FreeS/WAN-PGPNet (X.509)</A>. Through a Linksys Router with IPsec
- Passthru enabled.
-<BR><A HREF="http://jixen.tripod.com/#RW-PGP-to-Fwan"> Jean-Francois
- Nadeau's Practical Configuration (Road Warrior with PSK)</A>
-<BR><A HREF="http://www.evolvedatacom.nl/freeswan.html#toc"> Wouter
- Prins' HOWTO (Road Warrior with X.509)</A>
-<BR></P>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/01/msg00271.html">
- Rekeying problem with FreeS/WAN and older PGPNets</A>
-<BR></P>
-<P><A HREF="http://www.strongsec.com/freeswan/dhcprelay/index.htm"> DHCP
- over IPSEC HOWTO for FreeS/WAN (requires X.509 and dhcprelay patches)</A>
-</P>
-<P><A HREF="#mcafee.top">Back to chart</A></P>
-<H4><A NAME="microsoft">Microsoft Windows 2000/XP</A></H4>
-<UL>
-<LI>IPsec comes with Win2k, and with XP Support Tools. May require<A HREF="http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp">
- High Encryption Pack</A>. WinXP users have also reported better results
- with Service Pack 1.</LI>
-<LI>The Road Warrior setup works either way round. Windows (XP or 2K)
- IPsec can connect as a Road Warrior to FreeS/WAN. However, FreeS/WAN
- can also successfully connect as a Road Warrior to Windows IPsec (see
- Nate Carlson's configs below).</LI>
-<LI>FreeS/WAN version 1.92 or later is required to avoid an
- interoperation problem with Windows native IPsec. Earlier FreeS/WAN
- versions did not process the Commit Bit as Windows native IPsec
- expected.</LI>
-</UL>
-<P><A HREF="http://www.freeswan.ca/docs/WindowsInterop"> Tim Carr's
- Windows Interop Guide (X.509)</A>
-<BR><A HREF="http://ipsec.math.ucla.edu/services/ipsec.html"> James
- Carter's instructions (X.509, NAT-T)</A>
-<BR><A HREF="http://jixen.tripod.com/#Win2000-Fwan"> Jean-Francois
- Nadeau's Net-net Configuration (PSK)</A>
-<BR><A HREF="http://security.nta.no/freeswan-w2k.html"> Telenor's
- Node-node Config (Transport-mode PSK)</A>
-<BR><A HREF="http://vpn.ebootis.de"> Marcus Mueller's HOWTO using his
- VPN config tool (X.509).</A> Tool also works with PSK.
-<BR><A HREF="http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509">
- Nate Carlson's HOWTO using same tool (Road Warrior with X.509)</A>.
- Unusually, FreeS/WAN is the Road Warrior here.
-<BR><A HREF="http://tirnanog.ls.fi.upm.es/CriptoLab/Biblioteca/InfTech/InfTech_CriptoLab.htm">
- Oscar Delgado's PDF (X.509, no configs)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022425.html">
- Tim Scannell's Windows XP Additional Checklist (X.509)</A>
-<BR></P>
-
-<!-- Note to self: Include L2TP references? -->
-<P><A HREF="http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_TCPIP_ovr_secfeatures.htm">
- Microsoft's page on Win2k TCP/IP security features</A>
-<BR><A HREF="http://support.microsoft.com/support/kb/articles/Q257/2/25.ASP">
- Microsoft's Win2k IPsec debugging tips</A>
-<BR>
-<!-- Alt-URL http://support.microsoft.com/default.aspx?scid=kb;EN-US;q257225
-Perhaps newer? -->
-<A HREF="http://www.wired.com/news/technology/0,1282,36336,00.html">
- MS VPN may fall back to 1DES</A></P>
-<P><A HREF="#microsoft.top">Back to chart</A></P>
-<H4><A NAME="ssh">SSH Sentinel</A></H4>
-<UL>
-<LI>Popular and well tested.</LI>
-<LI>Also rebranded in<A HREF="http://www.zyxel.com"> Zyxel Zywall</A>.
- Our Zyxel interop notes are<A HREF="#zyxel"> here</A>.</LI>
-<LI> SSH supports IPsec-over-UDP NAT traversal.</LI>
-<LI>There is this<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/12/msg00370.html">
- potential problem</A> if you're not using the Legacy Proposal option.</LI>
-</UL>
-<P><A HREF="http://www.ssh.com/support/sentinel/documents.cfm"> SSH's
- Sentinel-FreeSWAN interop PDF (X.509)</A>
-<BR><A HREF="http://www.nadmm.com/show.php?story=articles/vpn.inc">
- Nadeem Hassan's SUSE-to-Sentinel article (Road warrior with X.509)</A>
-<BR><A HREF="http://www.zerozone.it/documents/Linux/HowTo/VPN-IPsec-Freeswan-HOWTO.html">
- O-Zone's Italian HOWTO (Road Warrior, X.509, DHCP)</A>
-<BR></P>
-<P><A HREF="#ssh.top">Back to chart</A></P>
-<H4><A NAME="safenet">Safenet SoftPK/SoftRemote</A></H4>
-<UL>
-<LI>People recommend SafeNet as a low cost Windows client.</LI>
-<LI>SoftRemote seems to be the newer name for SoftPK.</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005061.html">
- Whit Blauvelt's SoftRemote tips</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015591.html">
- Tim Wilson's tips (X.509)</A><A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00607.html">
- Workaround for a &quot;gotcha&quot;</A></P>
-<P><A HREF="http://jixen.tripod.com/#Rw-IRE-to-Fwan"> Jean-Francois
- Nadeau's Practical Configuration (Road Warrior with PSK)</A>
-<BR><A HREF="http://www.terradoncommunications.com/security/whitepapers/safe_net-to-free_swan.pdf">
- Terradon Communications' PDF (Road Warrior with PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/?????.html">
- Seaan.net's PDF (Road Warrior to Subnet, with PSK)</A>
-<BR><A HREF="http://www.redbaronconsulting.com/freeswan/fswansafenet.pdf">
- Red Baron Consulting's PDF (Road Warrior with X.509)</A></P>
-<P><A HREF="#safenet.top">Back to chart</A></P>
-<H3><A NAME="10_3_2">For<EM> Other Implementations</EM></A></H3>
-<H4><A NAME="6wind">6Wind</A></H4>
-<P><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs (X.509)</A></P>
-<P><A HREF="#6wind.top">Back to chart</A></P>
-<H4><A NAME="alcatel">Alcatel Timestep</A></H4>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011878.html">
- Alain Sabban's settings (PSK or PSK road warrior; through static NAT)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00100.html">
- Derick Cassidy's configs (PSK)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/08/msg00194.html">
- David Kerry's Timestep settings (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013711.html">
- Kevin Gerbracht's ipsec.conf (X.509)</A></P>
-<P><A HREF="#alcatel.top">Back to chart</A></P>
-<H4><A NAME="apple">Apple Macintosh System 10+</A></H4>
-<UL>
-<LI>Since the system is based on FreeBSD, this should interoperate<A HREF="#kame">
- just like FreeBSD</A>.</LI>
-<LI> To use Appletalk over IPsec tunnels,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005116.html">
- run it over TCP/IP</A>, or use Open Door Networks' Shareway IP tool,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005426.html">
- described here.</A></LI>
-<LI>See also the<A HREF="#equinux"> Equinux VPN Tracker</A> for Mac OS
- X.</LI>
-</UL>
-<P><A HREF="http://ipsec.math.ucla.edu/services/ipsec.html"> James
- Carter's instructions (X.509, NAT-T)</A></P>
-<P><A HREF="#apple.top">Back to chart</A></P>
-<H4><A NAME="ashleylaurent">AshleyLaurent VPCom</A></H4>
-<P><A HREF="http://www.ashleylaurent.com/newsletter/01-28-00.htm">
- Successful interop report, no details</A></P>
-<P><A HREF="#ashleylaurent.top">Back to chart</A></P>
-<H4><A NAME="borderware">Borderware</A></H4>
-<UL>
-<LI>I suspect the Borderware client is a rebranded Safenet. If that's
- true, our<A HREF="#safenet"> Safenet section</A> will help.</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-March/008288.html">
- Philip Reetz' configs (PSK)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/09/msg00217.html">
- Borderware server does not support FreeS/WAN road warriors</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007733.html">
- Older Borderware may not support Diffie Hellman groups 2, 5</A>
-<BR></P>
-<P><A HREF="#borderware.top">Back to chart</A></P>
-<H4><A NAME="checkpoint">Check Point VPN-1 or FW-1</A></H4>
-<UL>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00099.html">
- Caveat about IP-range inclusion on Check Point.</A></LI>
-<LI> Some versions of Check Point may require an aggressive mode patch
- to interoperate with FreeS/WAN.
-<BR><A HREF="http://www.freeswan.ca/code/super-freeswan"> Super
- FreeS/WAN</A> now features this patch.
-<!--
-<A HREF="http://www.freeswan.ca/patches/aggressivemode">Steve Harvey's 
-aggressive mode patch for FreeS/WAN 1.5</A>
--->
-</LI>
-<LI></LI>
-<LI>A Linux FreeS/WAN-Checkpoint connection may close after some time.
- Try<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html">
- this tip</A> toward a workaround.</LI>
-</UL>
-<P><A HREF="http://www.fw-1.de/aerasec/ng/vpn-freeswan/CPNG+Linux-FreeSWAN.html">
- AERAsec's Firewall-1 NG site (PSK, X.509, Road Warrior with X.509,
- other algorithms)</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://www.fw-1.de/aerasec/ng/vpn-freeswan/CPNG+Linux-FreeSWAN.html#support-matrix">
- AERAsec's detailed Check Point-FreeS/WAN support matrix</A>
-<BR><A HREF="http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/fw-linuxvpn.pdf">
- Checkpoint.com PDF: Linux as a VPN Client to FW-1 (PSK)</A>
-<BR><A HREF="http://www.phoneboy.com"> PhoneBoy's Check Point FAQ (on
- Check Point only, not FreeS/WAN)</A>
-<BR></P>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2001-August/002351.html">
- Chris Harwell's tips FreeS/WAN configs (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009362.html">
- Daniel Tombeil's configs (PSK)</A></P>
-<P><A HREF="#checkpoint.top">Back to chart</A></P>
-<H4><A NAME="cisco">Cisco</A></H4>
-<UL>
-<LI> Cisco supports IPsec-over-UDP NAT traversal.</LI>
-<LI>Cisco VPN Client appears to use nonstandard IPsec and does not work
- with FreeS/WAN.<A HREF="https://mj2.freeswan.org/archives/2003-August/maillist.html">
- This message</A> concerns Cisco VPN Client 4.01.
-<!-- fix link -->
-</LI>
-<LI>A Linux FreeS/WAN-Cisco connection may close after some time.<A HREF="http://lists.freeswan.org/pipermail/users/2001-December/005758.html">
- Here</A> is a workaround, and<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html">
- here</A> is another comment on the same subject.</LI>
-<LI><A HREF="http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t2/3desips.htm">
-Older Ciscos</A> purchased outside the United States may not have 3DES,
- which FreeS/WAN requires.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-June/000406.html">
-RSA keying may not be possible between Cisco and FreeS/WAN.</A></LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-October/004357.html">
-In ipsec.conf, VPN3000 DN (distinguished name) must be in binary (X.509
- only)</A></LI>
-</UL>
-<P><A HREF="http://rr.sans.org/encryption/cisco_router.php"> SANS
- Institute HOWTO (PSK).</A> Detailed, with extensive references.
-<BR><A HREF="http://www.worldbank.ro/IPSEC/cisco-linux.txt"> Short HOWTO
- (PSK)</A>
-<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs for Cisco IOS, PIX and VPN 3000 (X.509)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-August/002966.html">
- Dave McFerren's sample configs (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-September/003422.html">
- Wolfgang Tremmel's sample configs (PSK road warrior)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00578.html">
- Old doc from Pete Davis, with William Watson's updated Tips (PSK)</A>
-<BR></P>
-<P><STRONG>Some PIX specific information:</STRONG>
-<BR><A HREF="http://www.wlug.org.nz/FreeSwanToCiscoPix"> Waikato Linux
- Users' Group HOWTO. Nice detail (PSK)</A>
-<BR><A HREF="http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html">
- John Leach's configs (PSK)</A>
-<BR><A HREF="http://www.diverdown.cc/vpn/freeswanpix.html"> Greg
- Robinson's settings (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007901.html">
- Scott's ipsec.conf for PIX (PSK, FreeS/WAN side only)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-October/003949.html">
- Rick Trimble's PIX and FreeS/WAN settings (PSK)</A>
-<BR></P>
-<P><A href="http://www.cisco.com/public/support/tac"> Cisco VPN support
- page</A>
-<BR><A href="http://www.ieng.com/warp/public/707/index.shtml#ipsec">
- Cisco IPsec information page</A></P>
-<P><A HREF="#cisco.top">Back to chart</A></P>
-<H4><A NAME="equinux">Equinux VPN tracker (for Mac OS X)</A></H4>
-<UL>
-<LI>Graphical configurator for Mac OS X IPsec. May be an interface to
- the<A HREF="#apple"> native Mac OS X IPsec</A>, which is essentially<A HREF="#kame">
- KAME</A>.</LI>
-<LI>To use Appletalk over IPsec tunnels,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005116.html">
- run it over TCP/IP</A>, or use Open Door Networks' Shareway IP tool,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005426.html">
- described here.</A></LI>
-</UL>
-<P> Equinux provides<A HREF="http://www.equinux.com/download/HowTo_FreeSWAN.pdf">
- this excellent interop PDF</A> (PSK, RSA, X.509).</P>
-<P><A HREF="#equinux.top">Back to chart</A></P>
-<H4><A NAME="fsecure">F-Secure</A></H4>
-<UL>
-<LI>
-<!-- <A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007596.html"> -->
- F-Secure supports IPsec-over-UDP NAT traversal.</LI>
-</UL>
-<P><A HREF="http://www.pingworks.de/tech/vpn/vpn.txt">pingworks.de's
- &quot;Connecting F-Secure's VPN+ to Linux FreeS/WAN&quot; (PSK road warrior)</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://www.pingworks.de/tech/vpn/vpn.pdf">Same thing
- as PDF</A>
-<BR><A HREF="http://www.exim.org/pipermail/linux-ipsec/Week-of-Mon-20010122/000061.html">
- Success report, no detail (PSK)</A>
-<BR><A HREF="http://www.exim.org/pipermail/linux-ipsec/Week-of-Mon-20010122/000041.html">
- Success report, no detail (Manual)</A></P>
-
-<!-- Other NAT traversers:
-http://lists.freeswan.org/pipermail/users/2002-April/009136.html
-and ssh sentinel:
-http://lists.freeswan.org/pipermail/users/2001-September/003108.html
--->
-<P><A HREF="#fsecure.top">Back to chart</A></P>
-<H4><A NAME="gauntlet">Gauntlet GVPN</A></H4>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00535.html">
- Richard Reiner's ipsec.conf (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011434.html">
- Might work without that pesky firewall... (PSK)</A>
-<BR>
-<!-- insert archive link -->
- In late July, 2003 Alexandar Antik reported success interoperating
- with Gauntlet 6.0 for Solaris (X.509). Unfortunately the message is not
- properly archived at this time.</P>
-<P><A HREF="#gauntlet.top">Back to chart</A></P>
-<H4><A NAME="aix">IBM AIX</A></H4>
-<P><A HREF="http://www-1.ibm.com/servers/esdd/articles/security.html">
- IBM's &quot;Built-In Network Security with AIX&quot; (PSK, X.509)</A>
-<BR><A HREF="http://www-1.ibm.com/servers/aix/products/ibmsw/security/vpn/faqandtips/#ques20">
- IBM's tip: importing Linux FreeS/WAN settings into AIX's<VAR> ikedb</VAR>
- (PSK)</A></P>
-<P><A HREF="#aix.top">Back to chart</A></P>
-<H4><A NAME="as400">IBM AS/400</A></H4>
-<UL>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009106.html">
- Road Warriors may act flaky</A>.</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-September/014264.html">
- Richard Welty's tips and tricks</A>
-<BR></P>
-<P><A HREF="#as400.top">Back to chart</A></P>
-<H4><A NAME="intel">Intel Shiva LANRover / Net Structure</A></H4>
-<UL>
-<LI>Intel Shiva LANRover is now known as Intel Net Structure.</LI>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/01/msg00298.html">
- Shiva seems to have two modes: IPsec or the proprietary &quot;Shiva Tunnel&quot;.</A>
- Of course, FreeS/WAN will only create IPsec tunnels.</LI>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00293.html">
- AH may not work for Shiva-FreeS/WAN.</A> That's OK, since FreeS/WAN has
- phased out the use of AH.</LI>
-</UL>
-<P><A HREF="http://snowcrash.tdyc.com/freeswan/"> Snowcrash's configs
- (PSK)</A>
-<BR><A HREF="http://www.opus1.com/vpn/index.html"> Old configs from an
- interop (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-October/003831.html">
- The day Shiva tickled a Pluto bug (PSK)</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://lists.freeswan.org/pipermail/users/2001-October/004270.html">
- Follow up: success!</A></P>
-<P><A HREF="#intel.top">Back to chart</A></P>
-<H4><A NAME="lancom">LanCom (formerly ELSA)</A></H4>
-<UL>
-<LI>This router is popular in Germany.</LI>
-</UL>
-<P> Jakob Curdes successfully created a PSK connection with the LanCom
- 1612 in August 2003.
-<!-- add ML link when it appears -->
-</P>
-<P><A HREF="#lancom.top">Back to chart</A></P>
-<H4><A NAME="linksys">Linksys</A></H4>
-<UL>
-<LI>Linksys may be used as an IPsec tunnel endpoint,<STRONG> OR</STRONG>
- as a router in &quot;IPsec passthrough&quot; mode, so that the IPsec tunnel
- passes through the Linksys.</LI>
-</UL>
-<H5>As tunnel endpoint</H5>
-<P><A HREF="http://www.freeswan.ca/docs/BEFVP41/"> Ken Bantoft's
- instructions (Road Warrior with PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007814.html">
- Nate Carlson's caveats</A></P>
-<H5>In IPsec passthrough mode</H5>
-<P><A HREF="http://www-ec.njit.edu/~rxt1077/Howto.txt"> Sample HOWTO
- through a Linksys Router</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2002/02/msg00114.html">
- Nadeem Hasan's configs</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2002/02/msg00180.html">
- Brock Nanson's tips</A>
-<BR></P>
-<P><A HREF="#linksys.top">Back to chart</A></P>
-<H4><A NAME="lucent">Lucent</A></H4>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010976.html">
- Partial success report; see also the next message in thread</A></P>
-
-<!-- section done -->
-<P><A HREF="#lucent.top">Back to chart</A></P>
-<H4><A NAME="netasq">Netasq</A></H4>
-<P><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs (X.509)</A></P>
-
-<!-- section done -->
-<P><A HREF="#netasq.top">Back to chart</A></P>
-<H4><A NAME="netcelo">Netcelo</A></H4>
-<P><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs (X.509)</A>
-<!-- section done -->
-</P>
-<P><A HREF="#netcelo.top">Back to chart</A></P>
-<H4><A NAME="netgear">Netgear fvs318</A></H4>
-<UL>
-<LI>With a recent Linux FreeS/WAN, you will require the latest (12/2002)
- Netgear firmware, which supports Diffie-Hellman (DH) group 2. For
- security reasons, we phased out DH 1 after Linux FreeS/WAN 1.5.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011833.html">
- This message</A> reports the incompatibility between Linux FreeS/WAN
- 1.6+ and Netgear fvs318 without the firmware upgrade.</LI>
-<LI>We believe Linux FreeS/WAN 1.5 and earlier will interoperate with
- any NetGear firmware.</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2003-February/017891.html">
- John Morris' setup (PSK)</A></P>
-<P><A HREF="#netgear.top">Back to chart</A></P>
-<H4><A NAME="netscreen">Netscreen 100 or 5xp</A></H4>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013409.html">
- Errol Neal's settings (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015265.html">
- Corey Rogers' configs (PSK, no PFS)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013051.html">
- Jordan Share's configs (PSK, 2 subnets, through static NAT)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/08/msg00404.html">
- Set src proxy_id to your protected subnet/mask</A>
-<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with ipsec.conf, Netscreen screen shots (X.509, may need to
- revert to PSK...)</A></P>
-<P><A HREF="http://archives.neohapsis.com/archives/sf/linux/2001-q2/0123.html">
- A report of a company using Netscreen with FreeS/WAN on a large scale
- (FreeS/WAN road warriors?)</A></P>
-<P><A HREF="#netscreen.top">Back to chart</A></P>
-<H4><A NAME="nortel">Nortel Contivity</A></H4>
-<UL>
-<LI> Nortel supports IPsec-over-UDP NAT traversal.</LI>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00417.html">
- Some older versions of Contivity and FreeS/WAN will not communicate.</A>
-</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010924.html">
- FreeS/WAN cannot be used as a &quot;client&quot; to a Nortel Contivity server,
- but can be used as a branch-office tunnel.</A></LI>
-
-<!--  Probably obsoleted by Ken's post
-<LI>
-(Matthias siebler from old interop)
-At one point you could not configure Nortel-FreeS/WAN tunnels as 
-"Client Tunnels" since FreeS/WAN does not support Aggressive Mode.
-Current status of this problem: unknown.
-<LI>
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/004612.html">
-How do we map group and user passwords onto the data that FreeS/WAN wants?
-</A>
-</LI>
--->
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015455.html">
- Contivity does not send Distinguished Names in the order FS wants them
- (X.509).</A></LI>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00137.html">
- Connections may time out after 30-40 minutes idle.</A></LI>
-</UL>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00137.html">
- JJ Streicher-Bremer's mini HOWTO for old new software. (PSK with two
- subnets)</A>
-<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
- French page with configs (X.509)</A>. This succeeds using the above
- X.509 tip.</P>
-
-<!-- I could do more searching but this is a solid start. -->
-<P><A HREF="#nortel.top">Back to chart</A></P>
-<H4><A NAME="radguard">Radguard</A></H4>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00009.html">
- Marko Hausalo's configs (PSK).</A> Note: These do create a connection,
- as you can see by &quot;IPsec SA established&quot;.
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/???.html">
- Claudia Schmeing's comments</A></P>
-<P><A HREF="#radguard.top">Back to chart</A></P>
-<H4><A NAME="raptor">Raptor (NT or Solaris)</A></H4>
-<P></P>
-<UL>
-<LI>Now known as Symantec Enterprise Firewall.</LI>
-<LI>The Raptor does not normally come with X.509, but this may be
- available as an add-on.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010256.html">
- Raptor requires alphanumberic PSK values, whereas FreeS/WAN uses hex.</A>
-</LI>
-<LI>Raptor's tunnel endpoint may be a host, subnet or group of subnets
- (see<A HREF="http://lists.freeswan.org/pipermail/design/2001-November/001295.html">
- this message</A> ). FreeS/WAN cannot handle the group of subnets; you
- must create separate connections for each in order to interoperate.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010113.html">
- Some versions of Raptor accept only single DES.</A> According to this
- German message,<A HREF="http://radawana.cg.tuwien.ac.at/mail-archives/lll/200012/msg00065.html">
- the Raptor Mobile Client demo offers single DES only.</A></LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-January/006935.html">
- Peter Mazinger's settings (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005522.html">
- Peter Gerland's configs (PSK)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00597.html">
- Charles Griebel's configs (PSK).</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-July/012275.html">
- Lumir Srch's tips (PSK)</A></P>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00214.html">
- John Hardy's configs (Manual)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/01/msg00236.html">
- Older Raptors want 3DES keys in 3 parts (Manual).</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/06/msg00480.html">
- Different keys for each direction? (Manual)</A>
-<BR></P>
-<P><A HREF="#raptor.top">Back to chart</A></P>
-<H4><A NAME="redcreek">Redcreek Ravlin</A></H4>
-<UL>
-<LI>Known issue #1: The Ravlin expects a quick mode renegotiation right
- after every Main Mode negotiation.</LI>
-<LI> Known issue #2: The Ravlin tries to negotiate a zero connection
- lifetime, which it takes to mean &quot;infinite&quot;.<A HREF="http://www.bear-cave.org.uk/linux/ravlin/">
- Jim Hague's patch</A> addresses both issues.</LI>
-<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/03/msg00191.html">
- Interop works with Ravlin Firmware &gt; 3.33. Includes tips (PSK).</A></LI>
-</UL>
-<P><A HREF="#redcreek.top">Back to chart</A></P>
-<H4><A NAME="sonicwall">SonicWall</A></H4>
-<UL>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-June/000998.html">
- Sonicwall cannot be used for Road Warrior setups</A></LI>
-<LI> At one point,<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00217.html">
- only Sonicwall PRO supported triple DES</A>.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-March/008600.html">
- Older Sonicwalls (before Nov 2001) feature Diffie Hellman group 1 only</A>
-.</LI>
-</UL>
-<P><A HREF="http://www.xinit.cx/docs/freeswan.html"> Paul Wouters'
- config (PSK)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00073.html">
- Dilan Arumainathan's configuration (PSK)</A>
-<BR><A HREF="http://www.gravitas.co.uk/vpndebug"> Dariush's setup...
- only opens one way (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022302.html">
- Andreas Steffen's tips (X.509)</A>
-<BR></P>
-<P><A HREF="#sonicwall.top">Back to chart</A></P>
-<H4><A NAME="sun">Sun Solaris</A></H4>
-<UL>
-<LI> Solaris 8+ has a native (in kernel) IPsec implementation.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010503.html">
- Solaris does not seem to support tunnel mode, but you can make IP-in-IP
- tunnels instead, like this.</A></LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2003-June/022216.html">
- Reports of some successful interops</A> from a fellow @sun.com. See
- also<A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022247.html">
- these follow up posts</A>.
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00332.html">
- Aleks Shenkman's configs (Manual in transport mode)</A>
-<BR>
-<!--sparc 64 stuff goes where?-->
-</P>
-<P><A HREF="#solaris.top">Back to chart</A></P>
-<H4><A NAME="symantec">Symantec</A></H4>
-<UL>
-<LI>The Raptor, covered<A HREF="#raptor"> above</A>, is now known as
- Symantec Enterprise Firewall.</LI>
-<LI>Symantec's &quot;distinguished name&quot; is a KEY_ID. See Andreas Steffen's
- post, below.</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009037.html">
- Andreas Steffen's configs for Symantec 200R (PSK)</A></P>
-<P><A HREF="#symantec.top">Back to chart</A></P>
-<H4><A NAME="watchguard">Watchguard Firebox</A></H4>
-<UL>
-<LI>Automatic keying works with WatchGuard 5.0+ only.</LI>
-<LI>Seen to interoperate with WatchGuard 1000, II, III; firmware v. 5,
- 6..</LI>
-<LI>For manual keying, Watchguard's Policy Manager expects SPI numbers
- and encryption and authentication keys in decimal (not hex).</LI>
-</UL>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-July/012595.html">
- WatchGuard's HOWTO (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013342.html">
- Ronald C. Riviera's Settings (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00179.html">
- Walter Wickersham's Notes (PSK)</A>
-<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015587.html">
- Max Enders' Configs (Manual)</A></P>
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009404.html">
- Old known issue with auto keying</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00124.html">
- Tips on key generation and format (Manual)</A>
-<BR></P>
-<P><A HREF="#watchguard.top">Back to chart</A></P>
-<H4><A NAME="xedia">Xedia Access Point/QVPN</A></H4>
-<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/12/msg00520.html">
- Hybrid IPsec/L2TP connection settings (X.509)</A>
-<BR><A HREF="http://www.sandelman.ottawa.on.ca/ipsec/1999/08/msg00140.html">
- Xedia's LAN-LAN links don't use multiple tunnels</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://www.sandelman.ottawa.on.ca/ipsec/1999/08/msg00140.html">
- That explanation, continued</A></P>
-<P><A HREF="#xedia.top">Back to chart</A></P>
-<H4><A NAME="zyxel">Zyxel</A></H4>
-<UL>
-<LI>The Zyxel Zywall is a rebranded SSH Sentinel box. See also our
- section on<A HREF="glossary.html#ssh"> SSH</A>.</LI>
-<LI>There seems to be a problem with keeping this connection alive. This
- is caused at the Zyxel end. See this brief<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00141.html">
- discussion and solution.</A></LI>
-</UL>
-<P><A HREF="http://www.zyxel.com/support/supportnote/zywall/app/zw_freeswan.htm">
- Zyxel's Zywall to FreeS/WAN instructions (PSK)</A>
-<BR><A HREF="http://www.zyxel.com/support/supportnote/p652/app/zw_freeswan.htm">
- Zyxel's Prestige to FreeS/WAN instructions (PSK)</A>. Note: not all
- Prestige versions include VPN software.
-<BR><A HREF="http://www.lancry.net/techdocs/freeswan-zyxel.txt"> Fabrice
- Cahen's HOWTO (PSK)</A>
-<BR> &nbsp;&nbsp;&nbsp;&nbsp;</P>
-<P><A HREF="#zyxel.top">Back to chart</A></P>
-
-<!-- SAMPLE ENTRY
-
-<H4><A NAME="timestep">Timestep</A></H4>
-
-<P>Text goes here.
-</P>
-
--->
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="compat.html">Previous</A>
-<A HREF="performance.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/intro.html b/doc/intro.html
deleted file mode 100644
index 3afc3e324..000000000
--- a/doc/intro.html
+++ /dev/null
@@ -1,733 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="upgrading.html">Next</A>
-<HR>
-<H1><A name="intro">Introduction</A></H1>
-<P>This section gives an overview of:</P>
-<UL>
-<LI>what IP Security (IPsec) does</LI>
-<LI>how IPsec works</LI>
-<LI>why we are implementing it for Linux</LI>
-<LI>how this implementation works</LI>
-</UL>
-<P>This section is intended to cover only the essentials,<EM> things you
- should know before trying to use FreeS/WAN.</EM></P>
-<P>For more detailed background information, see the<A href="politics.html#politics">
- history and politics</A> and<A href="ipsec.html#ipsec.detail"> IPsec
- protocols</A> sections.</P>
-<H2><A name="ipsec.intro">IPsec, Security for the Internet Protocol</A></H2>
-<P>FreeS/WAN is a Linux implementation of the IPsec (IP security)
- protocols. IPsec provides<A href="glossary.html#encryption"> encryption</A>
- and<A href="glossary.html#authentication"> authentication</A> services
- at the IP (Internet Protocol) level of the network protocol stack.</P>
-<P>Working at this level, IPsec can protect any traffic carried over IP,
- unlike other encryption which generally protects only a particular
- higher-level protocol --<A href="glossary.html#PGP"> PGP</A> for mail,<A
-href="glossary.html#SSH"> SSH</A> for remote login,<A href="glossary.html#SSL">
- SSL</A> for web work, and so on. This approach has both considerable
- advantages and some limitations. For discussion, see our<A href="ipsec.html#others">
- IPsec section</A></P>
-<P>IPsec can be used on any machine which does IP networking. Dedicated
- IPsec gateway machines can be installed wherever required to protect
- traffic. IPsec can also run on routers, on firewall machines, on
- various application servers, and on end-user desktop or laptop
- machines.</P>
-<P>Three protocols are used</P>
-<UL>
-<LI><A href="glossary.html#AH">AH</A> (Authentication Header) provides a
- packet-level authentication service</LI>
-<LI><A href="glossary.html#ESP">ESP</A> (Encapsulating Security Payload)
- provides encryption plus authentication</LI>
-<LI><A href="glossary.html#IKE">IKE</A> (Internet Key Exchange)
- negotiates connection parameters, including keys, for the other two</LI>
-</UL>
-<P>Our implementation has three main parts:</P>
-<UL>
-<LI><A href="glossary.html#KLIPS">KLIPS</A> (kernel IPsec) implements
- AH, ESP, and packet handling within the kernel</LI>
-<LI><A href="glossary.html#Pluto">Pluto</A> (an IKE daemon) implements
- IKE, negotiating connections with other systems</LI>
-<LI>various scripts provide an adminstrator's interface to the machinery</LI>
-</UL>
-<P>IPsec is optional for the current (version 4) Internet Protocol.
- FreeS/WAN adds IPsec to the Linux IPv4 network stack. Implementations
- of<A href="glossary.html#ipv6.gloss"> IP version 6</A> are required to
- include IPsec. Work toward integrating FreeS/WAN into the Linux IPv6
- stack has<A href="compat.html#ipv6"> started</A>.</P>
-<P>For more information on IPsec, see our<A href="ipsec.html#ipsec.detail">
- IPsec protocols</A> section, our collection of<A href="web.html#ipsec.link">
- IPsec links</A> or the<A href="rfc.html#RFC"> RFCs</A> which are the
- official definitions of these protocols.</P>
-<H3><A name="intro.interop">Interoperating with other IPsec
- implementations</A></H3>
-<P>IPsec is designed to let different implementations work together. We
- provide:</P>
-<UL>
-<LI>a<A href="web.html#implement"> list</A> of some other
- implementations</LI>
-<LI>information on<A href="interop.html#interop"> using FreeS/WAN with
- other implementations</A></LI>
-</UL>
-<P>The VPN Consortium fosters cooperation among implementers and
- interoperability among implementations. Their<A href="http://www.vpnc.org/">
- web site</A> has much more information.</P>
-<H3><A name="advantages">Advantages of IPsec</A></H3>
-<P>IPsec has a number of security advantages. Here are some
- independently written articles which discuss these:</P>
-<P><A HREF="http://www.sans.org/rr/"> SANS institute papers</A>. See the
- section on Encryption &amp;VPNs.
-<BR><A HREF="http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_papers_list.html">
- Cisco's white papers on &quot;Networking Solutions&quot;</A>.
-<BR><A HREF="http://iscs.sourceforge.net/HowWhyBrief/HowWhyBrief.html">
- Advantages of ISCS (Linux Integrated Secure Communications System;
- includes FreeS/WAN and other software)</A>.</P>
-<H3><A name="applications">Applications of IPsec</A></H3>
-<P>Because IPsec operates at the network layer, it is remarkably
- flexible and can be used to secure nearly any type of Internet traffic.
- Two applications, however, are extremely widespread:</P>
-<UL>
-<LI>a<A href="glossary.html#VPN"> Virtual Private Network</A>, or VPN,
- allows multiple sites to communicate securely over an insecure Internet
- by encrypting all communication between the sites.</LI>
-<LI>&quot;Road Warriors&quot; connect to the office from home, or perhaps from a
- hotel somewhere</LI>
-</UL>
-<P>There is enough opportunity in these applications that vendors are
- flocking to them. IPsec is being built into routers, into firewall
- products, and into major operating systems, primarily to support these
- applications. See our<A href="web.html#implement"> list</A> of
- implementations for details.</P>
-<P>We support both of those applications, and various less common IPsec
- applications as well, but we also add one of our own:</P>
-<UL>
-<LI>opportunistic encryption, the ability to set up FreeS/WAN gateways
- so that any two of them can encrypt to each other, and will do so
- whenever packets pass between them.</LI>
-</UL>
-<P>This is an extension we are adding to the protocols. FreeS/WAN is the
- first prototype implementation, though we hope other IPsec
- implementations will adopt the technique once we demonstrate it. See<A href="#goals">
- project goals</A> below for why we think this is important.</P>
-<P>A somewhat more detailed description of each of these applications is
- below. Our<A href="quickstart.html#quick_guide"> quickstart</A> section
- will show you how to build each of them.</P>
-<H4><A name="makeVPN">Using secure tunnels to create a VPN</A></H4>
-<P>A VPN, or<STRONG> V</STRONG>irtual<STRONG> P</STRONG>rivate<STRONG> N</STRONG>
-etwork lets two networks communicate securely when the only connection
- between them is over a third network which they do not trust.</P>
-<P>The method is to put a security gateway machine between each of the
- communicating networks and the untrusted network. The gateway machines
- encrypt packets entering the untrusted net and decrypt packets leaving
- it, creating a secure tunnel through it.</P>
-<P>If the cryptography is strong, the implementation is careful, and the
- administration of the gateways is competent, then one can reasonably
- trust the security of the tunnel. The two networks then behave like a
- single large private network, some of whose links are encrypted tunnels
- through untrusted nets.</P>
-<P>Actual VPNs are often more complex. One organisation may have fifty
- branch offices, plus some suppliers and clients, with whom it needs to
- communicate securely. Another might have 5,000 stores, or 50,000
- point-of-sale devices. The untrusted network need not be the Internet.
- All the same issues arise on a corporate or institutional network
- whenever two departments want to communicate privately with each other.</P>
-<P>Administratively, the nice thing about many VPN setups is that large
- parts of them are static. You know the IP addresses of most of the
- machines involved. More important, you know they will not change on
- you. This simplifies some of the admin work. For cases where the
- addresses do change, see the next section.</P>
-<H4><A name="road.intro">Road Warriors</A></H4>
-<P>The prototypical &quot;Road Warrior&quot; is a traveller connecting to home
- base from a laptop machine. Administratively, most of the same problems
- arise for a telecommuter connecting from home to the office, especially
- if the telecommuter does not have a static IP address.</P>
-<P>For purposes of this document:</P>
-<UL>
-<LI>anyone with a dynamic IP address is a &quot;Road Warrior&quot;.</LI>
-<LI>any machine doing IPsec processing is a &quot;gateway&quot;. Think of the
- single-user road warrior machine as a gateway with a degenerate subnet
- (one machine, itself) behind it.</LI>
-</UL>
-<P>These require somewhat different setup than VPN gateways with static
- addresses and with client systems behind them, but are basically not
- problematic.</P>
-<P>There are some difficulties which appear for some road warrior
- connections:</P>
-<UL>
-<LI>Road Wariors who get their addresses via DHCP may have a problem.
- FreeS/WAN can quite happily build and use a tunnel to such an address,
- but when the DHCP lease expires, FreeS/WAN does not know that. The
- tunnel fails, and the only recovery method is to tear it down and
- re-build it.</LI>
-<LI>If<A href="glossary.html#NAT.gloss"> Network Address Translation</A>
- (NAT) is applied between the two IPsec Gateways, this breaks IPsec.
- IPsec authenticates packets on an end-to-end basis, to ensure they are
- not altered en route. NAT rewrites packets as they go by. See our<A href="firewall.html#NAT">
- firewalls</A> document for details.</LI>
-</UL>
-<P>In most situations, however, FreeS/WAN supports road warrior
- connections just fine.</P>
-<H4><A name="opp.intro">Opportunistic encryption</A></H4>
-<P>One of the reasons we are working on FreeS/WAN is that it gives us
- the opportunity to add what we call opportuntistic encryption. This
- means that any two FreeS/WAN gateways will be able to encrypt their
- traffic, even if the two gateway administrators have had no prior
- contact and neither system has any preset information about the other.</P>
-<P>Both systems pick up the authentication information they need from
- the<A href="glossary.html#DNS"> DNS</A> (domain name service), the
- service they already use to look up IP addresses. Of course the
- administrators must put that information in the DNS, and must set up
- their gateways with opportunistic encryption enabled. Once that is
- done, everything is automatic. The gateways look for opportunities to
- encrypt, and encrypt whatever they can. Whether they also accept
- unencrypted communication is a policy decision the administrator can
- make.</P>
-<P>This technique can give two large payoffs:</P>
-<UL>
-<LI>It reduces the administrative overhead for IPsec enormously. You
- configure your gateway and thereafter everything is automatic. The need
- to configure the system on a per-tunnel basis disappears. Of course,
- FreeS/WAN allows specifically configured tunnels to co-exist with
- opportunistic encryption, but we hope to make them unnecessary in most
- cases.</LI>
-<LI>It moves us toward a more secure Internet, allowing users to create
- an environment where message privacy is the default. All messages can
- be encrypted, provided the other end is willing to co-operate. See our<A
-href="politics.html#politics"> history and politics of cryptography</A>
- section for discussion of why we think this is needed.</LI>
-</UL>
-<P>Opportunistic encryption is not (yet?) a standard part of the IPsec
- protocols, but an extension we are proposing and demonstrating. For
- details of our design, see<A href="#applied"> links</A> below.</P>
-<P>Only one current product we know of implements a form of
- opportunistic encryption.<A href="web.html#ssmail"> Secure sendmail</A>
- will automatically encrypt server-to-server mail transfers whenever
- possible.</P>
-<H3><A name="types">The need to authenticate gateways</A></H3>
-<P>A complication, which applies to any type of connection -- VPN, Road
- Warrior or opportunistic -- is that a secure connection cannot be
- created magically.<EM> There must be some mechanism which enables the
- gateways to reliably identify each other.</EM> Without this, they
- cannot sensibly trust each other and cannot create a genuinely secure
- link.</P>
-<P>Any link they do create without some form of<A href="glossary.html#authentication">
- authentication</A> will be vulnerable to a<A href="glossary.html#middle">
- man-in-the-middle attack</A>. If<A href="glossary.html#alicebob"> Alice
- and Bob</A> are the people creating the connection, a villian who can
- re-route or intercept the packets can pose as Alice while talking to
- Bob and pose as Bob while talking to Alice. Alice and Bob then both
- talk to the man in the middle, thinking they are talking to each other,
- and the villain gets everything sent on the bogus &quot;secure&quot; connection.</P>
-<P>There are two ways to build links securely, both of which exclude the
- man-in-the middle:</P>
-<UL>
-<LI>with<STRONG> manual keying</STRONG>, Alice and Bob share a secret
- key (which must be transmitted securely, perhaps in a note or via PGP
- or SSH) to encrypt their messages. For FreeS/WAN, such keys are stored
- in the<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> file. Of
- course, if an enemy gets the key, all is lost.</LI>
-<LI>with<STRONG> automatic keying</STRONG>, the two systems authenticate
- each other and negotiate their own secret keys. The keys are
- automatically changed periodically.</LI>
-</UL>
-<P>Automatic keying is much more secure, since if an enemy gets one key
- only messages between the previous re-keying and the next are exposed.
- It is therefore the usual mode of operation for most IPsec deployment,
- and the mode we use in our setup examples. FreeS/WAN does support
- manual keying for special circumstanes. See this<A href="adv_config.html#prodman">
- section</A>.</P>
-<P>For automatic keying, the two systems must authenticate each other
- during the negotiations. There is a choice of methods for this:</P>
-<UL>
-<LI>a<STRONG> shared secret</STRONG> provides authentication. If Alice
- and Bob are the only ones who know a secret and Alice recives a message
- which could not have been created without that secret, then Alice can
- safely believe the message came from Bob.</LI>
-<LI>a<A href="glossary.html#public"> public key</A> can also provide
- authentication. If Alice receives a message signed with Bob's private
- key (which of course only he should know) and she has a trustworthy
- copy of his public key (so that she can verify the signature), then she
- can safely believe the message came from Bob.</LI>
-</UL>
-<P>Public key techniques are much preferable, for reasons discussed<A href="config.html#choose">
- later</A>, and will be used in all our setup examples. FreeS/WAN does
- also support auto-keying with shared secret authentication. See this<A href="adv_config.html#prodsecrets">
- section</A>.</P>
-<H2><A name="project">The FreeS/WAN project</A></H2>
-<P>For complete information on the project, see our web site,<A href="http://liberty.freeswan.org">
- freeswan.org</A>.</P>
-<P>In summary, we are implementing the<A href="glossary.html#IPsec">
- IPsec</A> protocols for Linux and extending them to do<A href="glossary.html#carpediem">
- opportunistic encryption</A>.</P>
-<H3><A name="goals">Project goals</A></H3>
-<P>Our overall goal in FreeS/WAN is to make the Internet more secure and
- more private.</P>
-<P>Our IPsec implementation supports VPNs and Road Warriors of course.
- Those are important applications. Many users will want FreeS/WAN to
- build corporate VPNs or to provide secure remote access.</P>
-<P>However, our goals in building it go beyond that. We are trying to
- help<STRONG> build security into the fabric of the Internet</STRONG> so
- that anyone who choses to communicate securely can do so, as easily as
- they can do anything else on the net.</P>
-<P>More detailed objectives are:</P>
-<UL>
-<LI>extend IPsec to do<A href="glossary.html#carpediem"> opportunistic
- encryption</A> so that
-<UL>
-<LI>any two systems can secure their communications without a
- pre-arranged connection</LI>
-<LI><STRONG>secure connections can be the default</STRONG>, falling back
- to unencrypted connections only if:
-<UL>
-<LI><EM>both</EM> the partner is not set up to co-operate on securing
- the connection</LI>
-<LI><EM>and</EM> your policy allows insecure connections</LI>
-</UL>
-</LI>
-<LI>a significant fraction of all Internet traffic is encrypted</LI>
-<LI>wholesale monitoring of the net (<A href="politics.html#intro.poli">
-examples</A>) becomes difficult or impossible</LI>
-</UL>
-</LI>
-<LI>help make IPsec widespread by providing an implementation with no
- restrictions:
-<UL>
-<LI>freely available in source code under the<A href="glossary.html#GPL">
- GNU General Public License</A></LI>
-<LI>running on a range of readily available hardware</LI>
-<LI>not subject to US or other nations'<A href="politics.html#exlaw">
- export restrictions</A>.
-<BR> Note that in order to avoid<EM> even the appearance</EM> of being
- subject to those laws, the project cannot accept software contributions
- --<EM> not even one-line bug fixes</EM> -- from US residents or
- citizens.</LI>
-</UL>
-</LI>
-<LI>provide a high-quality IPsec implementation for Linux
-<UL>
-<LI>portable to all CPUs Linux supports:<A href="compat.html#CPUs">
- (current list)</A></LI>
-<LI>interoperable with other IPsec implementations:<A href="interop.html#interop">
- (current list)</A></LI>
-</UL>
-</LI>
-</UL>
-<P>If we can get opportunistic encryption implemented and widely
- deployed, then it becomes impossible for even huge well-funded agencies
- to monitor the net.</P>
-<P>See also our section on<A href="politics.html#politics"> history and
- politics</A> of cryptography, which includes our project leader's<A href="politics.html#gilmore">
- rationale</A> for starting the project.</P>
-<H3><A name="staff">Project team</A></H3>
-<P>Two of the team are from the US and can therefore contribute no code:</P>
-<UL>
-<LI>John Gilmore: founder and policy-maker (<A href="http://www.toad.com/gnu/">
-home page</A>)</LI>
-<LI>Hugh Daniel: project manager, Most Demented Tester, and occasionally
- Pointy-Haired Boss</LI>
-</UL>
-<P>The rest of the team are Canadians, working in Canada. (<A href="politics.html#status">
-Why Canada?</A>)</P>
-<UL>
-<LI>Hugh Redelmeier:<A href="glossary.html#Pluto"> Pluto daemon</A>
- programmer</LI>
-<LI>Richard Guy Briggs:<A href="glossary.html#KLIPS"> KLIPS</A>
- programmer</LI>
-<LI>Michael Richardson: hacker without portfolio</LI>
-<LI>Claudia Schmeing: documentation</LI>
-<LI>Sam Sgro: technical support via the<A href="mail.html#lists">
- mailing lists</A></LI>
-</UL>
-<P>The project is funded by civil libertarians who consider our goals
- worthwhile. Most of the team are paid for this work.</P>
-<P>People outside this core team have made substantial contributions.
- See</P>
-<UL>
-<LI>our<A href="../CREDITS"> CREDITS</A> file</LI>
-<LI>the<A href="web.html#patch"> patches and add-ons</A> section of our
- web references file</LI>
-<LI>lists below of user-written<A href="#howto"> HowTos</A> and<A href="#applied">
- other papers</A></LI>
-</UL>
-<P>Additional contributions are welcome. See the<A href="faq.html#contrib.faq">
- FAQ</A> for details.</P>
-<H2><A name="products">Products containing FreeS/WAN</A></H2>
-<P>Unfortunately the<A href="politics.html#exlaw"> export laws</A> of
- some countries restrict the distribution of strong cryptography.
- FreeS/WAN is therefore not in the standard Linux kernel and not in all
- CD or web distributions.</P>
-<P>FreeS/WAN is, however, quite widely used. Products we know of that
- use it are listed below. We would appreciate hearing, via the<A href="mail.html#lists">
- mailing lists</A>, of any we don't know of.</P>
-<H3><A name="distwith">Full Linux distributions</A></H3>
-<P>FreeS/WAN is included in various general-purpose Linux distributions,
- mostly from countries (shown in brackets) with more sensible laws:</P>
-<UL>
-<LI><A href="http://www.suse.com/">SuSE Linux</A> (Germany)</LI>
-<LI><A href="http://www.conectiva.com">Conectiva</A> (Brazil)</LI>
-<LI><A href="http://www.linux-mandrake.com/en/">Mandrake</A> (France)</LI>
-<LI><A href="http://www.debian.org">Debian</A></LI>
-<LI>the<A href="http://www.pld.org.pl/"> Polish(ed) Linux Distribution</A>
- (Poland)</LI>
-<LI><A>Best Linux</A> (Finland)</LI>
-</UL>
-<P>For distributions which do not include FreeS/WAN and are not Redhat
- (which we develop and test on), there is additional information in our<A
-href="compat.html#otherdist"> compatibility</A> section.</P>
-<P>The server edition of<A href="http://www.corel.com"> Corel</A> Linux
- (Canada) also had FreeS/WAN, but Corel have dropped that product line.</P>
-<H3><A name="kernel_dist">Linux kernel distributions</A></H3>
-<UL>
-<LI><A href="http://sourceforge.net/projects/wolk/">Working Overloaded
- Linux Kernel (WOLK)</A></LI>
-</UL>
-<H3><A name="office_dist">Office server distributions</A></H3>
-<P>FreeS/WAN is also included in several distributions aimed at the
- market for turnkey business servers:</P>
-<UL>
-<LI><A href="http://www.e-smith.com/">e-Smith</A> (Canada), which has
- recently been acquired and become the Network Server Solutions group of<A
-href="http://www.mitel.com/"> Mitel Networks</A> (Canada)</LI>
-<LI><A href="http://www.clarkconnect.org/">ClarkConnect</A> from Point
- Clark Networks (Canada)</LI>
-<LI><A href="http://www.trustix.net/">Trustix Secure Linux</A> (Norway)</LI>
-</UL>
-<H3><A name="fw_dist">Firewall distributions</A></H3>
-<P>Several distributions intended for firewall and router applications
- include FreeS/WAN:</P>
-<UL>
-<LI>The<A href="http://www.linuxrouter.org/"> Linux Router Project</A>
- produces a Linux distribution that will boot from a single floppy. The<A
-href="http://leaf.sourceforge.net"> LEAF</A> firewall project provides
- several different LRP-based firewall packages. At least one of them,
- Charles Steinkuehler's Dachstein, includes FreeS/WAN with X.509
- patches.</LI>
-<LI>there are several distributions bootable directly from CD-ROM,
- usable on a machine without hard disk.
-<UL>
-<LI>Dachstein (see above) can be used this way</LI>
-<LI><A href="http://www.gibraltar.at/">Gibraltar</A> is based on Debian
- GNU/Linux.</LI>
-<LI>at time of writing,<A href="www.xiloo.com"> Xiloo</A> is available
- only in Chinese. An English version is expected.</LI>
-</UL>
-</LI>
-<LI><A href="http://www.astaro.com/products/index.html">Astaro Security
- Linux</A> includes FreeS/WAN. It has some web-based tools for managing
- the firewall that include FreeS/WAN configuration management.</LI>
-<LI><A href="http://www.linuxwall.de">Linuxwall</A></LI>
-<LI><A href="http://www.smoothwall.org/">Smoothwall</A></LI>
-<LI><A href="http://www.devil-linux.org/">Devil Linux</A></LI>
-<LI>Coyote Linux has a<A href="http://embedded.coyotelinux.com/wolverine/index.php">
- Wolverine</A> firewall/VPN server</LI>
-</UL>
-<P>There are also several sets of scripts available for managing a
- firewall which is also acting as a FreeS/WAN IPsec gateway. See this<A href="firewall.html#rules.pub">
- list</A>.</P>
-<H3><A name="turnkey">Firewall and VPN products</A></H3>
-<P>Several vendors use FreeS/WAN as the IPsec component of a turnkey
- firewall or VPN product.</P>
-<P>Software-only products:</P>
-<UL>
-<LI><A href="http://www.linuxmagic.com/vpn/index.html">Linux Magic</A>
- offer a VPN/Firewall product using FreeS/WAN</LI>
-<LI>The Software Group's<A href="http://www.wanware.com/sentinet/">
- Sentinet</A> product uses FreeS/WAN</LI>
-<LI><A href="http://www.merilus.com">Merilus</A> use FreeS/WAN in their
- Gateway Guardian firewall product</LI>
-</UL>
-<P>Products that include the hardware:</P>
-<UL>
-<LI>The<A href="http://www.lasat.com"> LASAT SafePipe[tm]</A> series. is
- an IPsec box based on an embedded MIPS running Linux with FreeS/WAN and
- a web-config front end. This company also host our freeswan.org web
- site.</LI>
-<LI>Merilus<A href="http://www.merilus.com/products/fc/index.shtml">
- Firecard</A> is a Linux firewall on a PCI card.</LI>
-<LI><A href="http://www.kyzo.com/">Kyzo</A> have a &quot;pizza box&quot; product
- line with various types of server, all running from flash. One of them
- is an IPsec/PPTP VPN server</LI>
-<LI><A href="http://www.pfn.com">PFN</A> use FreeS/WAN in some of their
- products</LI>
-</UL>
-<P><A href="www.rebel.com">Rebel.com</A>, makers of the Netwinder Linux
- machines (ARM or Crusoe based), had a product that used FreeS/WAN. The
- company is in receivership so the future of the Netwinder is at best
- unclear.<A href="web.html#patch"> PKIX patches</A> for FreeS/WAN
- developed at Rebel are listed in our web links document.</P>
-<H2><A name="docs">Information sources</A></H2>
-<H3><A name="docformats">This HowTo, in multiple formats</A></H3>
-<P>FreeS/WAN documentation up to version 1.5 was available only in HTML.
- Now we ship two formats:</P>
-<UL>
-<LI>as HTML, one file for each doc section plus a global<A href="toc.html">
- Table of Contents</A></LI>
-<LI><A href="HowTo.html">one big HTML file</A> for easy searching</LI>
-</UL>
-<P>and provide a Makefile to generate other formats if required:</P>
-<UL>
-<LI><A href="HowTo.pdf">PDF</A></LI>
-<LI><A href="HowTo.ps">Postscript</A></LI>
-<LI><A href="HowTo.txt">ASCII text</A></LI>
-</UL>
-<P>The Makefile assumes the htmldoc tool is available. You can download
- it from<A href="http://www.easysw.com"> Easy Software</A>.</P>
-<P>All formats should be available at the following websites:</P>
-<UL>
-<LI><A href="http://www.freeswan.org/doc.html">FreeS/WAN project</A></LI>
-<LI><A href="http://www.linuxdoc.org">Linux Documentation Project</A></LI>
-</UL>
-<P>The distribution tarball has only the two HTML formats.</P>
-<P><STRONG>Note:</STRONG> If you need the latest doc version, for
- example to see if anyone has managed to set up interoperation between
- FreeS/WAN and whatever, then you should download the current snapshot.
- What is on the web is documentation as of the last release. Snapshots
- have all changes I've checked in to date.</P>
-<H3><A name="rtfm">RTFM (please Read The Fine Manuals)</A></H3>
-<P>As with most things on any Unix-like system, most parts of Linux
- FreeS/WAN are documented in online manual pages. We provide a list of<A href="/mnt/floppy/manpages.html">
- FreeS/WAN man pages</A>, with links to HTML versions of them.</P>
-<P>The man pages describing configuration files are:</P>
-<UL>
-<LI><A href="/mnt/floppy/manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></LI>
-<LI><A href="/mnt/floppy/manpage.d/ipsec.secrets.5.html">
-ipsec.secrets(5)</A></LI>
-</UL>
-<P>Man pages for common commands include:</P>
-<UL>
-<LI><A href="/mnt/floppy/manpage.d/ipsec.8.html">ipsec(8)</A></LI>
-<LI><A href="/mnt/floppy/manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A>
-</LI>
-<LI><A href="/mnt/floppy/manpage.d/ipsec_newhostkey.8.html">
-ipsec_newhostkey(8)</A></LI>
-<LI><A href="/mnt/floppy/manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A></LI>
-</UL>
-<P>You can read these either in HTML using the links above or with the<VAR>
- man(1)</VAR> command.</P>
-<P>In the event of disagreement between this HTML documentation and the
- man pages, the man pages are more likely correct since they are written
- by the implementers. Please report any such inconsistency on the<A href="mail.html#lists">
- mailing list</A>.</P>
-<H3><A name="text">Other documents in the distribution</A></H3>
-<P>Text files in the main distribution directory are README, INSTALL,
- CREDITS, CHANGES, BUGS and COPYING.</P>
-<P>The Libdes encryption library we use has its own documentation. You
- can find it in the library directory..</P>
-<H3><A name="assumptions">Background material</A></H3>
-<P>Throughout this documentation, I write as if the reader had at least
- a general familiarity with Linux, with Internet Protocol networking,
- and with the basic ideas of system and network security. Of course that
- will certainly not be true for all readers, and quite likely not even
- for a majority.</P>
-<P>However, I must limit amount of detail on these topics in the main
- text. For one thing, I don't understand all the details of those topics
- myself. Even if I did, trying to explain everything here would produce
- extremely long and almost completely unreadable documentation.</P>
-<P>If one or more of those areas is unknown territory for you, there are
- plenty of other resources you could look at:</P>
-<DL>
-<DT>Linux</DT>
-<DD>the<A href="http://www.linuxdoc.org"> Linux Documentation Project</A>
- or a local<A href="http://www.linux.org/groups/"> Linux User Group</A>
- and these<A href="web.html#linux.link"> links</A></DD>
-<DT>IP networks</DT>
-<DD>Rusty Russell's<A href="http://netfilter.samba.org/unreliable-guides/networking-concepts-HOWTO/index.html">
- Networking Concepts HowTo</A> and these<A href="web.html#IP.background">
- links</A></DD>
-<DT>Security</DT>
-<DD>Schneier's book<A href="biblio.html#secrets"> Secrets and Lies</A>
- and these<A href="web.html#crypto.link"> links</A></DD>
-</DL>
-<P>Also, I do make an effort to provide some background material in
- these documents. All the basic ideas behind IPsec and FreeS/WAN are
- explained here. Explanations that do not fit in the main text, or that
- not everyone will need, are often in the<A href="glossary.html#ourgloss">
- glossary</A>, which is the largest single file in this document set.
- There is also a<A href="background.html#background"> background</A>
- file containing various explanations too long to fit in glossary
- definitions. All files are heavily sprinkled with links to each other
- and to the glossary.<STRONG> If some passage makes no sense to you, try
- the links</STRONG>.</P>
-<P>For other reference material, see the<A href="biblio.html#biblio">
- bibliography</A> and our collection of<A href="web.html#weblinks"> web
- links</A>.</P>
-<P>Of course, no doubt I get this (and other things) wrong sometimes.
- Feedback via the<A href="mail.html#lists"> mailing lists</A> is
- welcome.</P>
-<H3><A name="archives">Archives of the project mailing list</A></H3>
-<P>Until quite recently, there was only one FreeS/WAN mailing list, and
- archives of it were:</P>
-<UL>
-<LI><A href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</A></LI>
-<LI><A href="http://www.nexial.com">Holland</A></LI>
-</UL>
- The two archives use completely different search engines. You might
- want to try both.
-<P>More recently we have expanded to five lists, each with its own
- archive.</P>
-<P><A href="mail.html#lists">More information</A> on mailing lists.</P>
-<H3><A name="howto">User-written HowTo information</A></H3>
-<P>Various user-written HowTo documents are available. The ones covering
- FreeS/WAN-to-FreeS/WAN connections are:</P>
-<UL>
-<LI>Jean-Francois Nadeau's<A href="http://jixen.tripod.com/"> practical
- configurations</A> document</LI>
-<LI>Jens Zerbst's HowTo on<A href="http://dynipsec.tripod.com/"> Using
- FreeS/WAN with dynamic IP addresses</A>.</LI>
-<LI>an entry in Kurt Seifried's<A href="http://www.securityportal.com/lskb/kben00000013.html">
- Linux Security Knowledge Base</A>.</LI>
-<LI>a section of David Ranch's<A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
- Trinity OS Guide</A></LI>
-<LI>a section in David Bander's book<A href="biblio.html#bander"> Linux
- Security Toolkit</A></LI>
-</UL>
-<P>User-wriiten HowTo material may be<STRONG> especially helpful if you
- need to interoperate with another IPsec implementation</STRONG>. We
- have neither the equipment nor the manpower to test such
- configurations. Users seem to be doing an admirable job of filling the
- gaps.</P>
-<UL>
-<LI>list of user-written<A href="interop.html#otherpub"> interoperation
- HowTos</A> in our interop document</LI>
-</UL>
-<P>Check what version of FreeS/WAN user-written documents cover. The
- software is under active development and the current version may be
- significantly different from what an older document describes.</P>
-<H3><A name="applied">Papers on FreeS/WAN</A></H3>
-<P>Two design documents show team thinking on new developments:</P>
-<UL>
-<LI><A href="opportunism.spec">Opportunistic Encryption</A> by technical
- lead Henry Spencer and Pluto programmer Hugh Redelemeier</LI>
-<LI>discussion of<A href="http://www.sandelman.ottawa.on.ca/SSW/freeswan/klips2req/">
- KLIPS redesign</A></LI>
-</UL>
-<P>Both documents are works in progress and are frequently revised. For
- the latest version, see the<A href="mail.html#lists"> design mailing
- list</A>. Comments should go to that list.</P>
-<P>There is now an<A href="http://www.ietf.org/internet-drafts/draft-richardson-ipsec-opportunistic-06.txt">
- Internet Draft on Opportunistic Encryption</A> by Michael Richardson,
- Hugh Redelmeier and Henry Spencer. This is a first step toward getting
- the protocol standardised so there can be multiple implementations of
- it. Discussion of it takes place on the<A href="http://www.ietf.org/html.charters/ipsec-charter.html">
- IETF IPsec Working Group</A> mailing list.</P>
-<P>A number of papers giving further background on FreeS/WAN, or
- exploring its future or its applications, are also available:</P>
-<UL>
-<LI>Both Henry and Richard gave talks on FreeS/WAN at the 2000<A href="http://www.linuxsymposium.org">
- Ottawa Linux Symposium</A>.
-<UL>
-<LI>Richard's<A href="http://www.conscoop.ottawa.on.ca/rgb/freeswan/ols2k/">
- slides</A></LI>
-<LI>Henry's paper</LI>
-<LI>MP3 audio of their talks is available from the<A href="http://www.linuxsymposium.org/">
- conference page</A></LI>
-</UL>
-</LI>
-<LI><CITE>Moat: A Virtual Private Network Appliances and Services
- Platform</CITE> is a paper about large-scale (a few 100 links) use of
- FreeS/WAN in a production application at AT&amp;T Research. It is available
- in Postscript or PDF from co-author Steve Bellovin's<A href="http://www.research.att.com/~smb/papers/index.html">
- papers list page</A>.</LI>
-<LI>One of the Moat co-authors, John Denker, has also written
-<UL>
-<LI>a<A href="http://www.av8n.com/vpn/ipsec+routing.htm"> proposal</A>
- for how future versions of FreeS/WAN might interact with routing
- protocols</LI>
-<LI>a<A href="http://www.av8n.com/vpn/wishlist.htm"> wishlist</A> of
- possible new features</LI>
-</UL>
-</LI>
-<LI>Bart Trojanowski's web page has a draft design for<A href="http://www.jukie.net/~bart/linux-ipsec/">
- hardware acceleration</A> of FreeS/WAN</LI>
-</UL>
-<P>Several of these provoked interesting discussions on the mailing
- lists, worth searching for in the<A href="mail.html#archive"> archives</A>
-.</P>
-<P>There are also several papers in languages other than English, see
- our<A href="web.html#otherlang"> web links</A>.</P>
-<H3><A name="licensing">License and copyright information</A></H3>
-<P>All code and documentation written for this project is distributed
- under either the GNU General Public License (<A href="glossary.html#GPL">
-GPL</A>) or the GNU Library General Public License. For details see the
- COPYING file in the distribution.</P>
-<P>Not all code in the distribution is ours, however. See the CREDITS
- file for details. In particular, note that the<A href="glossary.html#LIBDES">
- Libdes</A> library and the version of<A href="glossary.html#MD5"> MD5</A>
- that we use each have their own license.</P>
-<H2><A name="sites">Distribution sites</A></H2>
-<P>FreeS/WAN is available from a number of sites.</P>
-<H3><A NAME="1_5_1">Primary site</A></H3>
-<P>Our primary site, is at xs4all (Thanks, folks!) in Holland:</P>
-<UL>
-<LI><A href="http://www.xs4all.nl/~freeswan">HTTP</A></LI>
-<LI><A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">FTP</A></LI>
-</UL>
-<H3><A name="mirrors">Mirrors</A></H3>
-<P>There are also mirror sites all over the world:</P>
-<UL>
-<LI><A href="http://www.flora.org/freeswan">Eastern Canada</A> (limited
- resouces)</LI>
-<LI><A href="ftp://ludwig.doculink.com/pub/freeswan/">Eastern Canada</A>
- (has older versions too)</LI>
-<LI><A href="ftp://ntsc.notBSD.org/pub/crypto/freeswan/">Eastern Canada</A>
- (has older versions too)</LI>
-<LI><A href="ftp://ftp.kame.net/pub/freeswan/">Japan</A></LI>
-<LI><A href="ftp://ftp.futuredynamics.com/freecrypto/FreeSWAN/">Hong
- Kong</A></LI>
-<LI><A href="ftp://ipsec.dk/pub/freeswan/">Denmark</A></LI>
-<LI><A href="ftp://ftp.net.lut.ac.uk/freeswan">the UK</A></LI>
-<LI><A href="http://storm.alert.sk/comp/mirrors/freeswan/">Slovak
- Republic</A></LI>
-<LI><A href="http://the.wiretapped.net/security/vpn-tunnelling/freeswan/">
-Australia</A></LI>
-<LI><A href="http://freeswan.technolust.cx/">technolust</A></LI>
-<LI><A href="http://freeswan.devguide.de/">Germany</A></LI>
-<LI>Ivan Moore's<A href="http://snowcrash.tdyc.com/freeswan/"> site</A></LI>
-<LI>the<A href="http://www.cryptoarchive.net/"> Crypto Archive</A> on
- the<A href="http://www.securityportal.com/"> Security Portal</A> site</LI>
-<LI><A href="http://www.wiretapped.net/">Wiretapped.net</A> in Australia</LI>
-</UL>
-<P>Thanks to those folks as well.</P>
-<H3><A name="munitions">The &quot;munitions&quot; archive of Linux crypto software</A>
-</H3>
-<P>There is also an archive of Linux crypto software called &quot;munitions&quot;,
- with its own mirrors in a number of countries. It includes FreeS/WAN,
- though not always the latest version. Some of its sites are:</P>
-<UL>
-<LI><A href="http://munitions.vipul.net/">Germany</A></LI>
-<LI><A href="http://munitions.iglu.cjb.net/">Italy</A></LI>
-<LI><A href="http://munitions2.xs4all.nl/">Netherlands</A></LI>
-</UL>
-<P>Any of those will have a list of other &quot;munitions&quot; mirrors. There is
- also a CD available.</P>
-<H2><A NAME="1_6">Links to other sections</A></H2>
-<P>For more detailed background information, see:</P>
-<UL>
-<LI><A href="politics.html#politics">history and politics</A> of
- cryptography</LI>
-<LI><A href="ipsec.html#ipsec.detail">IPsec protocols</A></LI>
-</UL>
-<P>To begin working with FreeS/WAN, go to our<A href="quickstart.html#quick.guide">
- quickstart</A> guide.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="upgrading.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/ipsec.html b/doc/ipsec.html
deleted file mode 100644
index 4fb27b92b..000000000
--- a/doc/ipsec.html
+++ /dev/null
@@ -1,1040 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="politics.html">Previous</A>
-<A HREF="mail.html">Next</A>
-<HR>
-<H1><A name="ipsec.detail">The IPsec protocols</A></H1>
-<P>This section provides information on the IPsec protocols which
- FreeS/WAN implements. For more detail, see the<A href="rfc.html"> RFCs</A>
-.</P>
-<P>The basic idea of IPsec is to provide security functions,<A href="glossary.html#authentication">
- authentication</A> and<A href="glossary.html#encryption"> encryption</A>
-, at the IP (Internet Protocol) level. This requires a higher-level
- protocol (IKE) to set things up for the IP-level services (ESP and AH).</P>
-<H2><A NAME="27_1">Protocols and phases</A></H2>
-<P>Three protocols are used in an IPsec implementation:</P>
-<DL>
-<DT>ESP, Encapsulating Security Payload</DT>
-<DD>Encrypts and/or authenticates data</DD>
-<DT>AH, Authentication Header</DT>
-<DD>Provides a packet authentication service</DD>
-<DT>IKE, Internet Key Exchange</DT>
-<DD>Negotiates connection parameters, including keys, for the other two</DD>
-</DL>
-<P>The term &quot;IPsec&quot; (also written as IPSEC) is slightly ambiguous. In
- some contexts, it includes all three of the above but in other contexts
- it refers only to AH and ESP.</P>
-<P>There is more detail below, but a quick summary of how the whole
- thing works is:</P>
-<DL>
-<DT>Phase one IKE (main mode exchange)</DT>
-<DD>sets up a keying channel (ISAKMP SA) between the two gateways</DD>
-<DT>Phase two IKE (quick mode exchange)</DT>
-<DD>sets up data channels (IPsec SAs)</DD>
-<DT>IPsec proper</DT>
-<DD>exchanges data using AH or ESP</DD>
-</DL>
-<P>Both phases of IKE are repeated periodically to automate re-keying.</P>
-<H2><A name="others">Applying IPsec</A></H2>
-<P>Authentication and encryption functions for network data can, of
- course, be provided at other levels. Many security protocols work at
- levels above IP.</P>
-<UL>
-<LI><A href="glossary.html#PGP">PGP</A> encrypts and authenticates mail
- messages</LI>
-<LI><A href="glossary.html#SSH">SSH</A> authenticates remote logins and
- then encrypts the session</LI>
-<LI><A href="glossary.html#SSL">SSL</A> or<A href="glossary.html#TLS">
- TLS</A> provides security at the sockets layer, e.g. for secure web
- browsing</LI>
-</UL>
-<P>and so on. Other techniques work at levels below IP. For example,
- data on a communications circuit or an entire network can be encrypted
- by specialised hardware. This is common practice in high-security
- applications.</P>
-<H3><A name="advantages">Advantages of IPsec</A></H3>
-<P>There are, however, advantages to doing it at the IP level instead
- of, or as well as, at other levels.</P>
-<P>IPsec is the<STRONG> most general way to provide these services for
- the Internet</STRONG>.</P>
-<UL>
-<LI>Higher-level services protect a<EM> single protocol</EM>; for
- example PGP protects mail.</LI>
-<LI>Lower level services protect a<EM> single medium</EM>; for example a
- pair of encryption boxes on the ends of a line make wiretaps on that
- line useless unless the attacker is capable of breaking the encryption.</LI>
-</UL>
-<P>IPsec, however, can protect<EM> any protocol</EM> running above IP
- and<EM> any medium</EM> which IP runs over. More to the point, it can
- protect a mixture of application protocols running over a complex
- combination of media. This is the normal situation for Internet
- communication; IPsec is the only general solution.</P>
-<P>IPsec can also provide some security services &quot;in the background&quot;,
- with<STRONG> no visible impact on users</STRONG>. To use<A href="glossary.html#PGP">
- PGP</A> encryption and signatures on mail, for example, the user must
- at least:</P>
-<UL>
-<LI>remember his or her passphrase,</LI>
-<LI>keep it secure</LI>
-<LI>follow procedures to validate correspondents' keys</LI>
-</UL>
-<P>These systems can be designed so that the burden on users is not
- onerous, but any system will place some requirements on users. No such
- system can hope to be secure if users are sloppy about meeting those
- requirements. The author has seen username and password stuck on
- terminals with post-it notes in an allegedly secure environment, for
- example.</P>
-<H3><A name="limitations">Limitations of IPsec</A></H3>
-<P>IPsec is designed to secure IP links between machines. It does that
- well, but it is important to remember that there are many things it
- does not do. Some of the important limitations are:</P>
-<DL>
-<DT><A name="depends">IPsec cannot be secure if your system isn't</A></DT>
-<DD>System security on IPsec gateway machines is an essential
- requirement if IPsec is to function as designed. No system can be
- trusted if the underlying machine has been subverted. See books on Unix
- security such as<A href="biblio.html#practical"> Garfinkel and Spafford</A>
- or our web references for<A href="web.html#linsec"> Linux security</A>
- or more general<A href="web.html#compsec"> computer security</A>.
-<P>Of course, there is another side to this. IPsec can be a powerful
- tool for improving system and network security. For example, requiring
- packet authentication makes various spoofing attacks harder and IPsec
- tunnels can be extremely useful for secure remote administration of
- various things.</P>
-</DD>
-<DT><A name="not-end-to-end">IPsec is not end-to-end</A></DT>
-<DD>IPsec cannot provide the same end-to-end security as systems working
- at higher levels. IPsec encrypts an IP connection between two machines,
- which is quite a different thing than encrypting messages between users
- or between applications.
-<P>For example, if you need mail encrypted from the sender's desktop to
- the recipient's desktop and decryptable only by the recipient, use<A href="glossary.html#PGP">
- PGP</A> or another such system. IPsec can encrypt any or all of the
- links involved -- between the two mail servers, or between either
- server and its clients. It could even be used to secure a direct IP
- link from the sender's desktop machine to the recipient's, cutting out
- any sort of network snoop. What it cannot ensure is end-to-end
- user-to-user security. If only IPsec is used to secure mail, then
- anyone with appropriate privileges on any machine where that mail is
- stored (at either end or on any store-and-forward servers in the path)
- can read it.</P>
-<P>In another common setup, IPsec encrypts packets at a security gateway
- machine as they leave the sender's site and decrypts them on arrival at
- the gateway to the recipient's site. This does provide a useful
- security service -- only encrypted data is passed over the Internet --
- but it does not even come close to providing an end-to-end service. In
- particular, anyone with appropriate privileges on either site's LAN can
- intercept the message in unencrypted form.</P>
-</DD>
-<DT><A name="notpanacea">IPsec cannot do everything</A></DT>
-<DD>IPsec also cannot provide all the functions of systems working at
- higher levels of the protocol stack. If you need a document
- electronically signed by a particular person, then you need his or her<A
-href="glossary.html#signature"> digital signature</A> and a<A href="glossary.html#public">
- public key cryptosystem</A> to verify it with.
-<P>Note, however, that IPsec authentication of the underlying
- communication can make various attacks on higher-level protocols more
- difficult. In particular, authentication prevents<A href="glossary.html#middle">
- man-in-the-middle attacks</A>.</P>
-</DD>
-<DT><A name="no_user">IPsec authenticates machines, not users</A></DT>
-<DD>IPsec uses strong authentication mechanisms to control which
- messages go to which machines, but it does not have the concept of user
- ID, which is vital to many other security mechansims and policies. This
- means some care must be taken in fitting the various security
- mechansims on a network together. For example, if you need to control
- which users access your database server, you need some non-IPsec
- mechansim for that. IPsec can control which machines connect to the
- server, and can ensure that data transfer to those machines is done
- securely, but that is all. Either the machines themselves must control
- user access or there must be some form of user authentication to the
- database, independent of IPsec.</DD>
-<DT><A name="DoS">IPsec does not stop denial of service attacks</A></DT>
-<DD><A href="glossary.html#DOS">Denial of service</A> attacks aim at
- causing a system to crash, overload, or become confused so that
- legitimate users cannot get whatever services the system is supposed to
- provide. These are quite different from attacks in which the attacker
- seeks either to use the service himself or to subvert the service into
- delivering incorrect results.
-<P>IPsec shifts the ground for DoS attacks; the attacks possible against
- systems using IPsec are different than those that might be used against
- other systems. It does not, however, eliminate the possibility of such
- attacks.</P>
-</DD>
-<DT><A name="traffic">IPsec does not stop traffic analysis</A></DT>
-<DD><A href="glossary.html#traffic">Traffic analysis</A> is the attempt
- to derive intelligence from messages without regard for their contents.
- In the case of IPsec, it would mean analysis based on things visible in
- the unencrypted headers of encrypted packets -- source and destination
- gateway addresses, packet size, et cetera. Given the resources to
- acquire such data and some skill in analysing it (both of which any
- national intelligence agency should have), this can be a very powerful
- technique.
-<P>IPsec is not designed to defend against this. Partial defenses are
- certainly possible, and some are<A href="#traffic.resist"> described
- below</A>, but it is not clear that any complete defense can be
- provided.</P>
-</DD>
-</DL>
-<H3><A name="uses">IPsec is a general mechanism for securing IP</A></H3>
-<P>While IPsec does not provide all functions of a mail encryption
- package, it can encrypt your mail. In particular, it can ensure that
- all mail passing between a pair or a group of sites is encrypted. An
- attacker looking only at external traffic, without access to anything
- on or behind the IPsec gateway, cannot read your mail. He or she is
- stymied by IPsec just as he or she would be by<A href="glossary.html#PGP">
- PGP</A>.</P>
-<P>The advantage is that IPsec can provide the same protection for<STRONG>
- anything transmitted over IP</STRONG>. In a corporate network example,
- PGP lets the branch offices exchange secure mail with head office. SSL
- and SSH allow them to securely view web pages, connect as terminals to
- machines, and so on. IPsec can support all those applications, plus
- database queries, file sharing (NFS or Windows), other protocols
- encapsulated in IP (Netware, Appletalk, ...), phone-over-IP,
- video-over-IP, ... anything-over-IP. The only limitation is that IP
- Multicast is not yet supported, though there are Internet Draft
- documents for that.</P>
-<P>IPsec creates<STRONG> secure tunnels through untrusted networks</STRONG>
-. Sites connected by these tunnels form VPNs,<A href="glossary.html#VPN">
- Virtual Private Networks</A>.</P>
-<P>IPsec gateways can be installed wherever they are required.</P>
-<UL>
-<LI>One organisation might choose to install IPsec only on firewalls
- between their LANs and the Internet. This would allow them to create a
- VPN linking several offices. It would provide protection against anyone
- outside their sites.</LI>
-<LI>Another might install IPsec on departmental servers so everything on
- the corporate backbone net was encrypted. This would protect messages
- on that net from everyone except the sending and receiving department.</LI>
-<LI>Another might be less concerned with information secrecy and more
- with controlling access to certain resources. They might use IPsec
- packet authentication as part of an access control mechanism, with or
- without also using the IPsec encryption service.</LI>
-<LI>It is even possible (assuming adequate processing power and an IPsec
- implementation in each node) to make every machine its own IPsec
- gateway so that everything on a LAN is encrypted. This protects
- information from everyone outside the sending and receiving machine.</LI>
-<LI>These techniques can be combined in various ways. One might, for
- example, require authentication everywhere on a network while using
- encryption only for a few links.</LI>
-</UL>
-<P>Which of these, or of the many other possible variants, to use is up
- to you.<STRONG> IPsec provides mechanisms; you provide the policy</STRONG>
-.</P>
-<P><STRONG>No end user action is required</STRONG> for IPsec security to
- be used; they don't even have to know about it. The site
- administrators, of course, do have to know about it and to put some
- effort into making it work. Poor administration can compromise IPsec as
- badly as the post-it notes mentioned above. It seems reasonable,
- though, for organisations to hope their system administrators are
- generally both more security-conscious than end users and more able to
- follow computer security procedures. If not, at least there are fewer
- of them to educate or replace.</P>
-<P>IPsec can be, and often should be, used with along with security
- protocols at other levels. If two sites communicate with each other via
- the Internet, then IPsec is the obvious way to protect that
- communication. If two others have a direct link between them, either
- link encryption or IPsec would make sense. Choose one or use both.
- Whatever you use at and below the IP level, use other things as
- required above that level. Whatever you use above the IP level,
- consider what can be done with IPsec to make attacks on the higher
- levels harder. For example,<A href="glossary.html#middle">
- man-in-the-middle attacks</A> on various protocols become difficult if
- authentication at packet level is in use on the potential victims'
- communication channel.</P>
-<H3><A name="authonly">Using authentication without encryption</A></H3>
-<P>Where appropriate, IPsec can provide authentication without
- encryption. One might do this, for example:</P>
-<UL>
-<LI>where the data is public but one wants to be sure of getting the
- right data, for example on some web sites</LI>
-<LI>where encryption is judged unnecessary, for example on some company
- or department LANs</LI>
-<LI>where strong encryption is provided at link level, below IP</LI>
-<LI>where strong encryption is provided in other protocols, above IP
-<BR> Note that IPsec authentication may make some attacks on those
- protocols harder.</LI>
-</UL>
-<P>Authentication has lower overheads than encryption.</P>
-<P>The protocols provide four ways to build such connections, using
- either an AH-only connection or ESP using null encryption, and in
- either manually or automatically keyed mode. FreeS/WAN supports only
- one of these, manually keyed AH-only connections, and<STRONG> we do not
- recommend using that</STRONG>. Our reasons are discussed under<A href="#traffic.resist">
- Resisting traffic analysis</A> a few sections further along.</P>
-<H3><A name="encnoauth">Encryption without authentication is dangerous</A>
-</H3>
-<P>Originally, the IPsec encryption protocol<A href="glossary.html#ESP">
- ESP</A> didn't do integrity checking. It only did encryption. Steve
- Bellovin found many ways to attack ESP used without authentication. See
- his paper<A href="http://www.research.att.com/~smb/papers/badesp.ps">
- Problem areas for the IP Security Protocols</A>. To make a secure
- connection, you had to add an<A href="glossary.html#AH"> AH</A>
- Authentication Header as well as ESP. Rather than incur the overhead of
- several layers (and rather than provide an ESP layer that didn't
- actually protect the traffic), the IPsec working group built integrity
- and replay checking directly into ESP.</P>
-<P>Today, typical usage is one of:</P>
-<UL>
-<LI>ESP for encryption and authentication</LI>
-<LI>AH for authentication alone</LI>
-</UL>
-<P>Other variants are allowed by the standard, but not much used:</P>
-<DL>
-<DT>ESP encryption without authentication</DT>
-<DD><STRONG>Bellovin has demonstrated fatal flaws in this. Do not use.</STRONG>
-</DD>
-<DT>ESP encryption with AH authentication</DT>
-<DD>This has higher overheads than using the authentication in ESP, and
- no obvious benefit in most cases. The exception might be a network
- where AH authentication was widely or universally used. If you're going
- to do AH to conform with network policy, why authenticate again in the
- ESP layer?</DD>
-<DT>Authenticate twice, with AH and with ESP</DT>
-<DD>Why? Of course, some folk consider &quot;belt and suspenders&quot; the
- sensible approach to security. If you're among them, you might use both
- protocols here. You might also use both to satisfy different parts of a
- security policy. For example, an organisation might require AH
- authentication everywhere but two users within the organisation might
- use ESP as well.</DD>
-<DT>ESP authentication without encryption</DT>
-<DD>The standard allows this, calling it &quot;null encryption&quot;. FreeS/WAN
- does not support it. We recommend that you use AH instead if
- authentication is all you require. AH authenticates parts of the IP
- header, which ESP-null does not do.</DD>
-</DL>
-<P>Some of these variants cannot be used with FreeS/WAN because we do
- not support ESP-null and do not support automatic keying of AH-only
- connections.</P>
-<P>There are fairly frequent suggestions that AH be dropped entirely
- from the IPsec specifications since ESP and null encryption can handle
- that situation. It is not clear whether this will occur. My guess is
- that it is unlikely.</P>
-<H3><A name="multilayer">Multiple layers of IPsec processing are
- possible</A></H3>
-<P>The above describes combinations possible on a single IPsec
- connection. In a complex network you may have several layers of IPsec
- in play, with any of the above combinations at each layer.</P>
-<P>For example, a connection from a desktop machine to a database server
- might require AH authentication. Working with other host, network and
- database security measures, AH might be just the thing for access
- control. You might decide not to use ESP encryption on such packets,
- since it uses resources and might complicate network debugging. Within
- the site where the server is, then, only AH would be used on those
- packets.</P>
-<P>Users at another office, however, might have their whole connection
- (AH headers and all) passing over an IPsec tunnel connecting their
- office to the one with the database server. Such a tunnel should use
- ESP encryption and authentication. You need authentication in this
- layer because without authentication the encryption is vulnerable and
- the gateway cannot verify the AH authentication. The AH is between
- client and database server; the gateways aren't party to it.</P>
-<P>In this situation, some packets would get multiple layers of IPsec
- applied to them, AH on an end-to-end client-to-server basis and ESP
- from one office's security gateway to the other.</P>
-<H3><A name="traffic.resist">Resisting traffic analysis</A></H3>
-<P><A href="glossary.html#traffic">Traffic analysis</A> is the attempt
- to derive useful intelligence from encrypted traffic without breaking
- the encryption.</P>
-<P>Is your CEO exchanging email with a venture capital firm? With
- bankruptcy trustees? With an executive recruiting agency? With the
- holder of some important patents? If an eavesdropper learns about any
- of those, then he has interesting intelligence on your company, whether
- or not he can read the messages themselves.</P>
-<P>Even just knowing that there is network traffic between two sites may
- tell an analyst something useful, especially when combined with
- whatever other information he or she may have. For example, if you know
- Company A is having cashflow problems and Company B is looking for
- aquisitions, then knowing that packets are passing between the two is
- interesting. It is more interesting if you can tell it is email, and
- perhaps yet more if you know the sender and recipient.</P>
-<P>Except in the simplest cases, traffic analysis is hard to do well. It
- requires both considerable resources and considerable analytic skill.
- However, intelligence agencies of various nations have been doing it
- for centuries and many of them are likely quite good at it by now.
- Various commercial organisations, especially those working on &quot;targeted
- marketing&quot; may also be quite good at analysing certain types of
- traffic.</P>
-<P>In general, defending against traffic analysis is also difficult.
- Inventing a really good defense could get you a PhD and some
- interesting job offers.</P>
-<P>IPsec is not designed to stop traffic analysis and we know of no
- plausible method of extending it to do so. That said, there are ways to
- make traffic analysis harder. This section describes them.</P>
-<H4><A name="extra">Using &quot;unnecessary&quot; encryption</A></H4>
-<P>One might choose to use encryption even where it appears unnecessary
- in order to make analysis more difficult. Consider two offices which
- pass a small volume of business data between them using IPsec and also
- transfer large volumes of Usenet news. At first glance, it would seem
- silly to encrypt the newsfeed, except possibly for any newsgroups that
- are internal to the company. Why encrypt data that is all publicly
- available from many sites?</P>
-<P>However, if we encrypt a lot of news and send it down the same
- connection as our business data, we make<A href="glossary.html#traffic">
- traffic analysis</A> much harder. A snoop cannot now make inferences
- based on patterns in the volume, direction, sizes, sender, destination,
- or timing of our business messages. Those messages are hidden in a mass
- of news messages encapsulated in the same way.</P>
-<P>If we're going to do this we need to ensure that keys change often
- enough to remain secure even with high volumes and with the adversary
- able to get plaintext of much of the data. We also need to look at
- other attacks this might open up. For example, can the adversary use a
- chosen plaintext attack, deliberately posting news articles which, when
- we receive and encrypt them, will help break our encryption? Or can he
- block our business data transmission by flooding us with silly news
- articles? Or ...</P>
-<P>Also, note that this does not provide complete protection against
- traffic analysis. A clever adversary might still deduce useful
- intelligence from statistical analysis (perhaps comparing the input
- newsfeed to encrypted output, or comparing the streams we send to
- different branch offices), or by looking for small packets which might
- indicate establishment of TCP connections, or ...</P>
-<P>As a general rule, though, to improve resistance to traffic analysis,
- you should<STRONG> encrypt as much traffic as possible, not just as
- much as seems necessary.</STRONG></P>
-<H4><A name="multi-encrypt">Using multiple encryption</A></H4>
-<P>This also applies to using multiple layers of encryption. If you have
- an IPsec tunnel between two branch offices, it might appear silly to
- send<A href="glossary.html#PGP"> PGP</A>-encrypted email through that
- tunnel. However, if you suspect someone is snooping your traffic, then
- it does make sense:</P>
-<UL>
-<LI>it protects the mail headers; they cannot even see who is mailing
- who</LI>
-<LI>it protects against user bungles or software malfunctions that
- accidentally send messages in the clear</LI>
-<LI>it makes any attack on the mail encryption much harder; they have to
- break IPsec or break into your network before they can start on the
- mail encryption</LI>
-</UL>
-<P>Similar arguments apply for<A href="glossary.html#SSL"> SSL</A>
--encrypted web traffic or<A href="glossary.html#SSH"> SSH</A>-encrypted
- remote login sessions, even for end-to-end IPsec tunnels between
- systems in the two offices.</P>
-<H4><A name="fewer">Using fewer tunnels</A></H4>
-<P>It may also help to use fewer tunnels. For example, if all you
- actually need encrypted is connections between:</P>
-<UL>
-<LI>mail servers at branch and head offices</LI>
-<LI>a few branch office users and the head office database server</LI>
-</UL>
-<P>You might build one tunnel per mail server and one per remote
- database user, restricting traffic to those applications. This gives
- the traffic analyst some information, however. He or she can
- distinguish the tunnels by looking at information in the ESP header
- and, given that distinction and the patterns of tunnel usage, might be
- able to figure out something useful. Perhaps not, but why take the
- risk?</P>
-<P>We suggest instead that you build one tunnel per branch office,
- encrypting everything passing from head office to branches. This has a
- number of advantages:</P>
-<UL>
-<LI>it is easier to build and administer</LI>
-<LI>it resists traffic analysis somewhat better</LI>
-<LI>it provides security for whatever you forgot. For example, if some
- user at a remote office browses proprietary company data on some head
- office web page (that the security people may not even know about!),
- then that data is encrypted before it reaches the Internet.</LI>
-</UL>
-<P>Of course you might also want to add additional tunnels. For example,
- if some of the database data is confidential and should not be exposed
- even within the company, then you need protection from the user's
- desktop to the database server. We suggest you do that in whatever way
- seems appropriate -- IPsec, SSH or SSL might fit -- but, whatever you
- choose, pass it between locations via a gateway-to-gateway IPsec tunnel
- to provide some resistance to traffic analysis.</P>
-<H2><A name="primitives">Cryptographic components</A></H2>
-<P>IPsec combines a number of cryptographic techniques, all of them
- well-known and well-analyzed. The overall design approach was
- conservative; no new or poorly-understood components were included.</P>
-<P>This section gives a brief overview of each technique. It is intended
- only as an introduction. There is more information, and links to
- related topics, in our<A href="glossary.html"> glossary</A>. See also
- our<A href="biblio.html"> bibliography</A> and cryptography<A href="web.html#crypto.link">
- web links</A>.</P>
-<H3><A name="block.cipher">Block ciphers</A></H3>
-<P>The<A href="glossary.html#encryption"> encryption</A> in the<A href="glossary.html#ESP">
- ESP</A> encapsulation protocol is done with a<A href="glossary.html#block">
- block cipher</A>.</P>
-<P>We do not implement<A href="glossary.html#DES"> single DES</A>. It is<A
-href="politics.html#desnotsecure"> insecure</A>. Our default, and
- currently only, block cipher is<A href="glossary.html#3DES"> triple DES</A>
-.</P>
-<P>The<A href="glossary.html#rijndael"> Rijndael</A> block cipher has
- won the<A href="glossary.html#AES"> AES</A> competition to choose a
- relacement for DES. It will almost certainly be added to FreeS/WAN and
- to other IPsec implementations.<A href="web.html#patch"> Patches</A>
- are already available.</P>
-<H3><A name="hash.ipsec">Hash functions</A></H3>
-<H4><A name="hmac.ipsec">The HMAC construct</A></H4>
-<P>IPsec packet authentication is done with the<A href="glossary.html#HMAC">
- HMAC</A> construct. This is not just a hash of the packet data, but a
- more complex operation which uses both a hashing algorithm and a key.
- It therefore does more than a simple hash would. A simple hash would
- only tell you that the packet data was not changed in transit, or that
- whoever changed it also regenerated the hash. An HMAC also tells you
- that the sender knew the HMAC key.</P>
-<P>For IPsec HMAC, the output of the hash algorithm is truncated to 96
- bits. This saves some space in the packets. More important, it prevents
- an attacker from seeing all the hash output bits and perhaps creating
- some sort of attack based on that knowledge.</P>
-<H4>Choice of hash algorithm</H4>
-<P>The IPsec RFCs require two hash algorithms --<A href="glossary.html#MD5">
- MD5</A> and<A href="glossary.html#SHA"> SHA-1</A> -- both of which
- FreeS/WAN implements.</P>
-<P>Various other algorithms -- such as RIPEMD and Tiger -- are listed in
- the RFCs as optional. None of these are in the FreeS/WAN distribution,
- or are likely to be added, although user<A href="web.html#patch">
- patches</A> exist for several of them.</P>
-<P>Additional hash algorithms --<A href="glossary.html#SHA-256">
- SHA-256, SHA-384 and SHA-512</A> -- may be required to give hash
- strength matching the strength of<A href="glossary.html#AES"> AES</A>.
- These are likely to be added to FreeS/WAN along with AES.</P>
-<H3><A name="DH.keying">Diffie-Hellman key agreement</A></H3>
-<P>The<A href="glossary.html#DH"> Diffie-Hellman</A> key agreement
- protocol allows two parties (A and B or<A href="glossary.html#alicebob">
- Alice and Bob</A>) to agree on a key in such a way that an eavesdropper
- who intercepts the entire conversation cannot learn the key.</P>
-<P>The protocol is based on the<A href="glossary.html#dlog"> discrete
- logarithm</A> problem and is therefore thought to be secure.
- Mathematicians have been working on that problem for years and seem no
- closer to a solution, though there is no proof that an efficient
- solution is impossible.</P>
-<H3><A name="RSA.auth">RSA authentication</A></H3>
-<P>The<A href="glossary.html#RSA"> RSA</A> algorithm (named for its
- inventors -- Rivest, Shamir and Adleman) is a very widely used<A href="glossary.html#">
- public key</A> cryptographic technique. It is used in IPsec as one
- method of authenticating gateways for Diffie-Hellman key negotiation.</P>
-<H2><A name="structure">Structure of IPsec</A></H2>
-<P>There are three protocols used in an IPsec implementation:</P>
-<DL>
-<DT>ESP, Encapsulating Security Payload</DT>
-<DD>Encrypts and/or authenticates data</DD>
-<DT>AH, Authentication Header</DT>
-<DD>Provides a packet authentication service</DD>
-<DT>IKE, Internet Key Exchange</DT>
-<DD>Negotiates connection parameters, including keys, for the other two</DD>
-</DL>
-<P>The term &quot;IPsec&quot; is slightly ambiguous. In some contexts, it includes
- all three of the above but in other contexts it refers only to AH and
- ESP.</P>
-<H3><A name="IKE.ipsec">IKE (Internet Key Exchange)</A></H3>
-<P>The IKE protocol sets up IPsec (ESP or AH) connections after
- negotiating appropriate parameters (algorithms to be used, keys,
- connection lifetimes) for them. This is done by exchanging packets on
- UDP port 500 between the two gateways.</P>
-<P>IKE (RFC 2409) was the outcome of a long, complex process in which
- quite a number of protocols were proposed and debated. Oversimplifying
- mildly, IKE combines:</P>
-<DL>
-<DT>ISAKMP (RFC 2408)</DT>
-<DD>The<STRONG> I</STRONG>nternet<STRONG> S</STRONG>ecurity<STRONG> A</STRONG>
-ssociation and<STRONG> K</STRONG>ey<STRONG> M</STRONG>anagement<STRONG>
- P</STRONG>rotocol manages negotiation of connections and defines<A href="glossary.html#SA">
- SA</A>s (Security Associations) as a means of describing connection
- properties.</DD>
-<DT>IPsec DOI for ISAKMP (RFC 2407)</DT>
-<DD>A<STRONG> D</STRONG>omain<STRONG> O</STRONG>f<STRONG> I</STRONG>
-nterpretation fills in the details necessary to turn the rather abstract
- ISAKMP protocol into a more tightly specified protocol, so it becomes
- applicable in a particular domain.</DD>
-<DT>Oakley key determination protocol (RFC 2412)</DT>
-<DD>Oakley creates keys using the<A href="glossary.html#DH">
- Diffie-Hellman</A> key agreement protocol.</DD>
-</DL>
-<P>For all the details, you would need to read the four<A href="rfc.html">
- RFCs</A> just mentioned (over 200 pages) and a number of others. We
- give a summary below, but it is far from complete.</P>
-<H4><A name="phases">Phases of IKE</A></H4>
-<P>IKE negotiations have two phases.</P>
-<DL>
-<DT>Phase one</DT>
-<DD>The two gateways negotiate and set up a two-way ISAKMP SA which they
- can then use to handle phase two negotiations. One such SA between a
- pair of gateways can handle negotiations for multiple tunnels.</DD>
-<DT>Phase two</DT>
-<DD>Using the ISAKMP SA, the gateways negotiate IPsec (ESP and/or AH)
- SAs as required. IPsec SAs are unidirectional (a different key is used
- in each direction) and are always negotiated in pairs to handle two-way
- traffic. There may be more than one pair defined between two gateways.</DD>
-</DL>
-<P>Both of these phases use the UDP protocol and port 500 for their
- negotiations.</P>
-<P>After both IKE phases are complete, you have IPsec SAs to carry your
- encrypted data. These use the ESP or AH protocols. These protocols do
- not have ports. Ports apply only to UDP or TCP.</P>
-<P>The IKE protocol is designed to be extremely flexible. Among the
- things that can be negotiated (separately for each SA) are:</P>
-<UL>
-<LI>SA lifetime before rekeying</LI>
-<LI>encryption algorithm used. We currently support only<A href="glossary.html#3DES">
- triple DES</A>. Single DES is<A href="politics.html#desnotsecure">
- insecure</A>. The RFCs say you MUST do DES, SHOULD do 3DES and MAY do
- various others. We do not do any of the others.</LI>
-<LI>authentication algorithms. We support<A href="glossary.html#MD5">
- MD5</A> and<A href="glossary.html#SHA"> SHA</A>. These are the two the
- RFCs require.</LI>
-<LI>choice of group for<A href="glossary.html#DH"> Diffie-Hellman</A>
- key agreement. We currently support Groups 2 and 5 (which are defined
- modulo primes of various lengths) and do not support Group 1 (defined
- modulo a shorter prime, and therefore cryptographically weak) or groups
- 3 and 4 (defined using elliptic curves). The RFCs require only Group 1.</LI>
-</UL>
-<P>The protocol also allows implementations to add their own encryption
- algorithms, authentication algorithms or Diffie-Hellman groups. We do
- not support any such extensions, but there are some<A href="web.html#patch">
- patches</A> that do.</P>
-<P>There are a number of complications:</P>
-<UL>
-<LI>The gateways must be able to authenticate each other's identities
- before they can create a secure connection. This host authentication is
- part of phase one negotiations, and is a required prerequisite for
- packet authentication used later. Host authentication can be done in a
- variety of ways. Those supported by FreeS/WAN are discussed in our<A href="adv_config.html#auto-auth">
- advanced configuration</A> document.</LI>
-<LI>Phase one can be done in two ways.
-<UL>
-<LI>Main Mode is required by the RFCs and supported in FreeS/WAN. It
- uses a 6-packet exzchange.</LI>
-<LI>Aggressive Mode is somewhat faster (only 3 packets) but reveals more
- to an eavesdropper. This is optional in the RFCs, not currently
- supported by FreeS/WAN, and not likely to be.</LI>
-</UL>
-</LI>
-<LI>A new group exchange may take place after phase one but before phase
- two, defining an additional group for use in the<A href="glossary.html#DH">
- Diffie-Hellman</A> key agreement part of phase two. FreeS/WAN does not
- currently support this.</LI>
-<LI>Phase two always uses Quick Mode, but there are two variants of
- that:
-<UL>
-<LI>One variant provides<A href="glossary.html#PFS"> Perfect Forward
- Secrecy (PFS)</A>. An attacker that obtains your long-term host
- authentication key does not immediately get any of your short-term
- packet encryption of packet authentication keys. He must conduct
- another successful attack each time you rekey to get the short-term
- keys. Having some short-term keys does not help him learn others. In
- particular, breaking your system today does not let him read messages
- he archived yestarday, assuming you've changed short-term keys in the
- meanwhile. We enable PFS as the default.</LI>
-<LI>The other variant disables PFS and is therefore slightly faster. We
- do not recommend this since it is less secure, but FreeS/WAN does
- support it. You can enable it with a<VAR> pfs=no</VAR> statement in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>.</LI>
-<LI>The protocol provides no way to negotiate which variant will be
- used. If one gateway is set for PFS and the other is not, the
- negotiation fails. This has proved a fairly common source of
- interoperation problems.</LI>
-</UL>
-</LI>
-<LI>Several types of notification message may be sent by either side
- during either phase, or later. FreeS/WAN does not currently support
- these, but they are a likely addition in future releases.</LI>
-<LI>There is a commit flag which may optionally be set on some messages.
- The<A href="http://www.lounge.org/ike_doi_errata.html"> errata</A> page
- for the RFCs includes two changes related to this, one to clarify the
- description of its use and one to block a<A href="glossary.html#DOS">
- denial of service</A> attack which uses it. We currently do not
- implement this feature.</LI>
-</UL>
-<P>These complications can of course lead to problems, particularly when
- two different implementations attempt to interoperate. For example, we
- have seen problems such as:</P>
-<UL>
-<LI>Some implementations (often products crippled by<A href="politics.html#exlaw">
- export laws</A>) have the insecure DES algorithm as their only
- supported encryption method. Other parts of our documentation discuss
- the<A href="politics.html#desnotsecure"> reasons we do not implement
- single DES</A>, and<A href="interop.html#noDES"> how to cope with
- crippled products</A>.</LI>
-<LI>Windows 2000 IPsec tries to negotiate using Aggressive Mode, which
- we don't support. Later on, it uses the commit bit, which we also don't
- support.</LI>
-<LI>Various implementations disable PFS by default, and therefore will
- not talk to FreeS/WAN until you either turn on PFS on their end or turn
- it off in FreeS/WAN with a<VAR> pfs=no</VAR> entry in the connection
- description.</LI>
-<LI>FreeS/WAN's interaction with PGPnet is complicated by their use of
- notification messages we do not yet support.</LI>
-</UL>
-<P>Despite this, we do interoperate successfully with many
- implementations, including both Windows 2000 and PGPnet. Details are in
- our<A href="interop.html"> interoperability</A> document.</P>
-<H4><A name="sequence">Sequence of messages in IKE</A></H4>
-<P>Each phase (see<A href="#phases"> previous section</A>)of IKE
- involves a series of messages. In Pluto error messages, these are
- abbreviated using:</P>
-<DL>
-<DT>M</DT>
-<DD><STRONG>M</STRONG>ain mode, settting up the keying channel (ISAKMP
- SA)</DD>
-<DT>Q</DT>
-<DD><STRONG>Q</STRONG>uick mode, setting up the data channel (IPsec SA)</DD>
-<DT>I</DT>
-<DD><STRONG>I</STRONG>nitiator, the machine that starts the negotiation</DD>
-<DT>R</DT>
-<DD><STRONG>R</STRONG>esponder</DD>
-</DL>
-<P>For example, the six messages of a main mode negotiation, in
- sequence, are labelled:</P>
-<PRE>       MI1 ----------&gt;
-           &lt;---------- MR1
-       MI2 ----------&gt; 
-           &lt;---------- MR2
-       MI3 ----------&gt;
-           &lt;---------- MR3</PRE>
-<H4><A name="struct.exchange">Structure of IKE messages</A></H4>
-<P>Here is our Pluto developer explaining some of this on the mailing
- list:</P>
-<PRE>When one IKE system (for example, Pluto) is negotiating with another
-to create an SA, the Initiator proposes a bunch of choices and the
-Responder replies with one that it has selected.
-
-The structure of the choices is fairly complicated.  An SA payload
-contains a list of lists of &quot;Proposals&quot;.  The outer list is a set of
-choices: the selection must be from one element of this list.
-
-Each of these elements is a list of Proposals.  A selection must be
-made from each of the elements of the inner list.  In other words,
-*all* of them apply (that is how, for example, both AH and ESP can
-apply at once).
-
-Within each of these Proposals is a list of Transforms.  For each
-Proposal selected, one Transform must be selected (in other words,
-each Proposal provides a choice of Transforms).
-
-Each Transform is made up of a list of Attributes describing, well,
-attributes.  Such as lifetime of the SA.  Such as algorithm to be
-used.  All the Attributes apply to a Transform.
-
-You will have noticed a pattern here: layers alternate between being
-disjunctions (&quot;or&quot;) and conjunctions (&quot;and&quot;).
-
-For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
-cut back.  There must be exactly one Proposal.  So this degenerates to
-a list of Transforms, one of which must be chosen.</PRE>
-<H3><A name="services">IPsec Services, AH and ESP</A></H3>
-<P>IPsec offers two services,<A href="glossary.html#authentication">
- authentication</A> and<A href="glossary.html#encryption"> encryption</A>
-. These can be used separately but are often used together.</P>
-<DL>
-<DT>Authentication</DT>
-<DD>Packet-level authentication allows you to be confident that a packet
- came from a particular machine and that its contents were not altered
- en route to you. No attempt is made to conceal or protect the contents,
- only to assure their integrity. Packet authentication can be provided
- separately using an<A href="glossary.html#AH"> Authentication Header</A>
-, described just below, or it can be included as part of the<A href="glossary.html#ESP">
- ESP</A> (Encapsulated Security Payload) service, described in the
- following section. That service offers encryption as well as
- authentication. In either case, the<A href="glossary.html#HMAC"> HMAC</A>
- construct is used as the authentication mechanism.
-<P>There is a separate authentication operation at the IKE level, in
- which each gateway authenticates the other. This can be done in a
- variety of ways.</P>
-</DD>
-<DT>Encryption</DT>
-<DD>Encryption allows you to conceal the contents of a message from
- eavesdroppers.
-<P>In IPsec this is done using a<A href="glossary.html#block"> block
- cipher</A> (normally<A href="glossary.html#3DES"> Triple DES</A> for
- Linux). In the most used setup, keys are automatically negotiated, and
- periodically re-negotiated, using the<A href="glossary.html#IKE"> IKE</A>
- (Internet Key Exchange) protocol. In Linux FreeS/WAN this is handled by
- the Pluto Daemon.</P>
-<P>The IPsec protocol offering encryption is<A href="glossary.html#ESP">
- ESP</A>, Encapsulated Security Payload. It can also include a packet
- authentication service.</P>
-</DD>
-</DL>
-<P>Note that<STRONG> encryption should always be used with some packet
- authentication service</STRONG>. Unauthenticated encryption is
- vulnerable to<A href="glossary.html#middle"> man-in-the-middle attacks</A>
-. Also note that encryption does not prevent<A href="glossary.html#traffic">
- traffic analysis</A>.</P>
-<H3><A name="AH.ipsec">The Authentication Header (AH)</A></H3>
-<P>Packet authentication can be provided separately from encryption by
- adding an authentication header (AH) after the IP header but before the
- other headers on the packet. This is the subject of this section.
- Details are in RFC 2402.</P>
-<P>Each of the several headers on a packet header contains a &quot;next
- protocol&quot; field telling the system what header to look for next. IP
- headers generally have either TCP or UDP in this field. When IPsec
- authentication is used, the packet IP header has AH in this field,
- saying that an Authentication Header comes next. The AH header then has
- the next header type -- usually TCP, UDP or encapsulated IP.</P>
-<P>IPsec packet authentication can be added in transport mode, as a
- modification of standard IP transport. This is shown in this diagram
- from the RFC:</P>
-<PRE>                  BEFORE APPLYING AH
-            ----------------------------
-      IPv4  |orig IP hdr  |     |      |
-            |(any options)| TCP | Data |
-            ----------------------------
-
-                  AFTER APPLYING AH
-            ---------------------------------
-      IPv4  |orig IP hdr  |    |     |      |
-            |(any options)| AH | TCP | Data |
-            ---------------------------------
-            ||
-                 except for mutable fields</PRE>
-<P>Athentication can also be used in tunnel mode, encapsulating the
- underlying IP packet beneath AH and an additional IP header.</P>
-<PRE>                         ||
-IPv4  | new IP hdr* |    | orig IP hdr*  |    |      |
-      |(any options)| AH | (any options) |TCP | Data |
-      ------------------------------------------------
-      ||
-      |           in the new IP hdr                  |</PRE>
-<P>This would normally be used in a gateway-to-gateway tunnel. The
- receiving gateway then strips the outer IP header and the AH header and
- forwards the inner IP packet.</P>
-<P>The mutable fields referred to are things like the time-to-live field
- in the IP header. These cannot be included in authentication
- calculations because they change as the packet travels.</P>
-<H4><A name="keyed">Keyed MD5 and Keyed SHA</A></H4>
-<P>The actual authentication data in the header is typically 96 bits and
- depends both on a secret shared between sender and receiver and on
- every byte of the data being authenticated. The technique used is<A href="glossary.html#HMAC">
- HMAC</A>, defined in RFC 2104.</P>
-<P>The algorithms involved are the<A href="glossary.html#MD5"> MD5</A>
- Message Digest Algorithm or<A href="glossary.html#SHA"> SHA</A>, the
- Secure Hash Algorithm. For details on their use in this application,
- see RFCs 2403 and 2404 respectively.</P>
-<P>For descriptions of the algorithms themselves, see RFC 1321 for MD5
- and<A href="glossary.html#FIPS"> FIPS</A> (Federal Information
- Processing Standard) number 186 from<A href="glossary.html#NIST"> NIST</A>
-, the US National Institute of Standards and Technology for SHA.<A href="biblio.html#schneier">
-<CITE> Applied Cryptography</CITE></A> covers both in some detail, MD5
- starting on page 436 and SHA on 442.</P>
-<P>These algorithms are intended to make it nearly impossible for anyone
- to alter the authenticated data in transit. The sender calculates a
- digest or hash value from that data and includes the result in the
- authentication header. The recipient does the same calculation and
- compares results. For unchanged data, the results will be identical.
- The hash algorithms are designed to make it extremely difficult to
- change the data in any way and still get the correct hash.</P>
-<P>Since the shared secret key is also used in both calculations, an
- interceptor cannot simply alter the authenticated data and change the
- hash value to match. Without the key, he or she (or even the dreaded
- They) cannot produce a usable hash.</P>
-<H4><A name="sequence">Sequence numbers</A></H4>
-<P>The authentication header includes a sequence number field which the
- sender is required to increment for each packet. The receiver can
- ignore it or use it to check that packets are indeed arriving in the
- expected sequence.</P>
-<P>This provides partial protection against<A href="glossary.html#replay">
- replay attacks</A> in which an attacker resends intercepted packets in
- an effort to confuse or subvert the receiver. Complete protection is
- not possible since it is necessary to handle legitmate packets which
- are lost, duplicated, or delivered out of order, but use of sequence
- numbers makes the attack much more difficult.</P>
-<P>The RFCs require that sequence numbers never cycle, that a new key
- always be negotiated before the sequence number reaches 2^32-1. This
- protects both against replays attacks using packets from a previous
- cyclce and against<A href="glossary.html#birthday"> birthday attacks</A>
- on the the packet authentication algorithm.</P>
-<P>In Linux FreeS/WAN, the sequence number is ignored for manually keyed
- connections and checked for automatically keyed ones. In manual mode,
- there is no way to negotiate a new key, or to recover from a sequence
- number problem, so we don't use sequence numbers.</P>
-<H3><A name="ESP.ipsec">Encapsulated Security Payload (ESP)</A></H3>
-<P>The ESP protocol is defined in RFC 2406. It provides one or both of
- encryption and packet authentication. It may be used with or without AH
- packet authentication.</P>
-<P>Note that<STRONG> some form of packet authentication should<EM>
- always</EM> be used whenever data is encrypted</STRONG>. Without
- authentication, the encryption is vulnerable to active attacks which
- may allow an enemy to break the encryption. ESP should<STRONG> always</STRONG>
- either include its own authentication or be used with AH
- authentication.</P>
-<P>The RFCs require support for only two mandatory encryption algorithms
- --<A href="glossary.html#DES"> DES</A>, and null encryption -- and for
- two authentication methods -- keyed MD5 and keyed SHA. Implementers may
- choose to support additional algorithms in either category.</P>
-<P>The authentication algorithms are the same ones used in the IPsec<A href="glossary.html#AH">
- authentication header</A>.</P>
-<P>We do not implement single DES since<A href="politics.html#desnotsecure">
- DES is insecure</A>. Instead we provide<A href="glossary.html#3DES">
- triple DES or 3DES</A>. This is currently the only encryption algorithm
- supported.</P>
-<P>We do not implement null encryption since it is obviously insecure.</P>
-<H2><A name="modes">IPsec modes</A></H2>
-<P>IPsec can connect in two modes. Transport mode is a host-to-host
- connection involving only two machines. In tunnel mode, the IPsec
- machines act as gateways and trafiic for any number of client machines
- may be carried.</P>
-<H3><A name="tunnel.ipsec">Tunnel mode</A></H3>
-<P>Security gateways are required to support tunnel mode connections. In
- this mode the gateways provide tunnels for use by client machines
- behind the gateways. The client machines need not do any IPsec
- processing; all they have to do is route things to gateways.</P>
-<H3><A name="transport.ipsec">Transport mode</A></H3>
-<P>Host machines (as opposed to security gateways) with IPsec
- implementations must also support transport mode. In this mode, the
- host does its own IPsec processing and routes some packets via IPsec.</P>
-<H2><A name="parts">FreeS/WAN parts</A></H2>
-<H3><A name="KLIPS.ipsec">KLIPS: Kernel IPsec Support</A></H3>
-<P>KLIPS is<STRONG> K</STRONG>erne<STRONG>L</STRONG><STRONG> IP</STRONG>
-SEC<STRONG> S</STRONG>upport, the modifications necessary to support
- IPsec within the Linux kernel. KILPS does all the actual IPsec
- packet-handling, including</P>
-<UL>
-<LI>encryption</LI>
-<LI>packet authentication calculations</LI>
-<LI>creation of ESP and AH headers for outgoing packets</LI>
-<LI>interpretation of those headers on incoming packets</LI>
-</UL>
-<P>KLIPS also checks all non-IPsec packets to ensure they are not
- bypassing IPsec security policies.</P>
-<H3><A name="Pluto.ipsec">The Pluto daemon</A></H3>
-<P><A href="manpage.d/ipsec_pluto.8.html">Pluto(8)</A> is a daemon which
- implements the IKE protocol. It</P>
-<UL>
-<LI>handles all the Phase one ISAKMP SAs</LI>
-<LI>performs host authentication and negotiates with other gateways</LI>
-<LI>creates IPsec SAs and passes the data required to run them to KLIPS</LI>
-<LI>adjust routing and firewall setup to meet IPsec requirements. See
- our<A href="firewall.html"> IPsec and firewalling</A> document for
- details.</LI>
-</UL>
-<P>Pluto is controlled mainly by the<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> configuration file.</P>
-<H3><A name="command">The ipsec(8) command</A></H3>
-<P>The<A href="manpage.d/ipsec.8.html"> ipsec(8)</A> command is a front
- end shellscript that allows control over IPsec activity.</P>
-<H3><A name="ipsec.conf">Linux FreeS/WAN configuration file</A></H3>
-<P>The configuration file for Linux FreeS/WAN is</P>
-<PRE>        /etc/ipsec.conf</PRE>
-<P>For details see the<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A> manual page .</P>
-<H2><A name="key">Key management</A></H2>
-<P>There are several ways IPsec can manage keys. Not all are implemented
- in Linux FreeS/WAN.</P>
-<H3><A name="current">Currently Implemented Methods</A></H3>
-<H4><A name="manual">Manual keying</A></H4>
-<P>IPsec allows keys to be manually set. In Linux FreeS/WAN, such keys
- are stored with the connection definitions in /etc/ipsec.conf.</P>
-<P><A href="glossary.html#manual">Manual keying</A> is useful for
- debugging since it allows you to test the<A href="glossary.html#KLIPS">
- KLIPS</A> kernel IPsec code without the<A href="glossary.html#Pluto">
- Pluto</A> daemon doing key negotiation.</P>
-<P>In general, however, automatic keying is preferred because it is more
- secure.</P>
-<H4><A name="auto">Automatic keying</A></H4>
-<P>In automatic keying, the<A href="glossary.html#Pluto"> Pluto</A>
- daemon negotiates keys using the<A href="glossary.html#IKE"> IKE</A>
- Internet Key Exchange protocol. Connections are automatically re-keyed
- periodically.</P>
-<P>This is considerably more secure than manual keying. In either case
- an attacker who acquires a key can read every message encrypted with
- that key, but automatic keys can be changed every few hours or even
- every few minutes without breaking the connection or requiring
- intervention by the system administrators. Manual keys can only be
- changed manually; you need to shut down the connection and have the two
- admins make changes. Moreover, they have to communicate the new keys
- securely, perhaps with<A href="glossary.html#PGP"> PGP</A> or<A href="glossary.html#SSH">
- SSH</A>. This may be possible in some cases, but as a general solution
- it is expensive, bothersome and unreliable. Far better to let<A href="glossary.html#Pluto">
- Pluto</A> handle these chores; no doubt the administrators have enough
- to do.</P>
-<P>Also, automatic keying is inherently more secure against an attacker
- who manages to subvert your gateway system. If manual keying is in use
- and an adversary acquires root privilege on your gateway, he reads your
- keys from /etc/ipsec.conf and then reads all messages encrypted with
- those keys.</P>
-<P>If automatic keying is used, an adversary with the same privileges
- can read /etc/ipsec.secrets, but this does not contain any keys, only
- the secrets used to authenticate key exchanges. Having an adversary
- able to authenticate your key exchanges need not worry you overmuch.
- Just having the secrets does not give him any keys. You are still
- secure against<A href="glossary.html#passive"> passive</A> attacks.
- This property of automatic keying is called<A href="glossary.html#PFS">
- perfect forward secrecy</A>, abbreviated PFS.</P>
-<P>Unfortunately, having the secrets does allow an<A href="glossary.html#active">
- active attack</A>, specifically a<A href="glossary.html#middle">
- man-in-the-middle</A> attack. Losing these secrets to an attacker may
- not be quite as disastrous as losing the actual keys, but it is<EM>
- still a serious security breach</EM>. These secrets should be guarded
- as carefully as keys.</P>
-<H3><A name="notyet">Methods not yet implemented</A></H3>
-<H4><A name="noauth">Unauthenticated key exchange</A></H4>
-<P>It would be possible to exchange keys without authenticating the
- players. This would support<A href="glossary.html#carpediem">
- opportunistic encryption</A> -- allowing any two systems to encrypt
- their communications without requiring a shared PKI or a previously
- negotiated secret -- and would be secure against<A href="glossary.html#passive">
- passive attacks</A>. It would, however, be highly vulnerable to active<A
-href="glossary.html#middle"> man-in-the-middle</A> attacks. RFC 2408
- therefore specifies that all<A href="glossary.html#ISAKMP"> ISAKMP</A>
- key management interactions<EM> must</EM> be authenticated.</P>
-<P>There is room for debate here. Should we provide immediate security
- against<A href="glossary.html#passive"> passive attacks</A> and
- encourage widespread use of encryption, at the expense of risking the
- more difficult<A href="glossary.html#active"> active attacks</A>? Or
- should we wait until we can implement a solution that can both be
- widespread and offer security against active attacks?</P>
-<P>So far, we have chosen the second course, complying with the RFCs and
- waiting for secure DNS (see<A href="glossary.html#DNS"> below</A>) so
- that we can do<A href="glossary.html#carpediem"> opportunistic
- encryption</A> right.</P>
-<H4><A name="DNS">Key exchange using DNS</A></H4>
-<P>The IPsec RFCs allow key exchange based on authentication services
- provided by<A href="glossary.html#SDNS"> Secure DNS</A>. Once Secure
- DNS service becomes widely available, we expect to make this the<EM>
- primary key management method for Linux FreeS/WAN</EM>. It is the best
- way we know of to support<A href="glossary.html#carpediem">
- opportunistic encryption</A>, allowing two systems without a common PKI
- or previous negotiation to secure their communication.</P>
-<P>We currently have code to acquire RSA keys from DNS but do not yet
- have code to validate Secure DNS signatures.</P>
-<H4><A name="PKI">Key exchange using a PKI</A></H4>
-<P>The IPsec RFCs allow key exchange based on authentication services
- provided by a<A href="glossary.html#PKI"> PKI</A> or Public Key
- Infrastructure. With many vendors selling such products and many large
- organisations building these infrastructures, this will clearly be an
- important application of IPsec and one Linux FreeS/WAN will eventually
- support.</P>
-<P>On the other hand, this is not as high a priority for Linux FreeS/WAN
- as solutions based on<A href="glossary.html#SDNS"> secure DNS</A>. We
- do not expect any PKI to become as universal as DNS.</P>
-<P>Some<A href="web.html#patch"> patches</A> to handle authentication
- with X.509 certificates, which most PKIs use, are available.</P>
-<H4><A name="photuris">Photuris</A></H4>
-<P><A href="glossary.html#photuris">Photuris</A> is another key
- management protocol, an alternative to IKE and ISAKMP, described in
- RFCs 2522 and 2523 which are labelled &quot;experimental&quot;. Adding Photuris
- support to Linux FreeS/WAN might be a good project for a volunteer. The
- likely starting point would be the OpenBSD photurisd code.</P>
-<H4><A name="skip">SKIP</A></H4>
-<P><A href="glossary.html#SKIP">SKIP</A> is yet another key management
- protocol, developed by Sun. At one point it was fairly widely used, but
- it now seems moribund, displaced by IKE. Sun now (as of Solaris 8.0)
- ship an IPsec implementation using IKE. We have no plans to implement
- SKIP. If a user were to implement it, we would almost certainly not
- want to add the code to our distribution.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="politics.html">Previous</A>
-<A HREF="mail.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/kernel.html b/doc/kernel.html
deleted file mode 100644
index de305683a..000000000
--- a/doc/kernel.html
+++ /dev/null
@@ -1,353 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="testing.html">Previous</A>
-<A HREF="adv_config.html">Next</A>
-<HR>
-<H1><A name="kernelconfig">Kernel configuration for FreeS/WAN</A></H1>
-<P> This section lists many of the options available when configuring a
- Linux kernel, and explains how they should be set on a FreeS/WAN IPsec
- gateway.</P>
-<H2><A name="notall">Not everyone needs to worry about kernel
- configuration</A></H2>
-<P>Note that in many cases you do not need to mess with these.</P>
-<P> You may have a Linux distribution which comes with FreeS/WAN
- installed (see this<A href="intro.html#products"> list</A>). In that
- case, you need not do a FreeS/WAN installation or a kernel
- configuration. Of course, you might still want to configure and rebuild
- your kernel to improve performance or security. This can be done with
- standard tools described in the<A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
- Kernel HowTo</A>.</P>
-<P>If you need to install FreeS/WAN, then you do need to configure a
- kernel. However, you may choose to do that using the simplest
- procedure:</P>
-<UL>
-<LI>Configure, build and test a kernel for your system before adding
- FreeS/WAN. See the<A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
- Kernel HowTo</A> for details.<STRONG> This step cannot be skipped</STRONG>
-. FreeS/WAN needs the results of your configuration.</LI>
-<LI>Then use FreeS/WAN's<VAR> make oldgo</VAR> command. This sets
- everything FreeS/WAN needs and retains your values everywhere else.</LI>
-</UL>
-<P> This document is for those who choose to configure their FreeS/WAN
- kernel themselves.</P>
-<H2><A name="assume">Assumptions and notation</A></H2>
-<P> Help text for most kernel options is included with the kernel files,
- and is accessible from within the configuration utilities. We assume
- you will refer to that, and to the<A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
- Kernel HowTo</A>, as necessary. This document covers only the
- FreeS/WAN-specific aspects of the problem.</P>
-<P> To avoid duplication, this document section does not cover settings
- for the additional IPsec-related kernel options which become available
- after you have patched your kernel with FreeS/WAN patches. There is
- help text for those available from within the configuration utility.</P>
-<P> We assume a common configuration in which the FreeS/WAN IPsec
- gateway is also doing ipchains(8) firewalling for a local network, and
- possibly masquerading as well.</P>
-<P> Some suggestions below are labelled as appropriate for &quot;a true
- paranoid&quot;. By this we mean they may cause inconvenience and it is not
- entirely clear they are necessary, but they appear to be the safest
- choice. Not using them might entail some risk. Of course one suggested
- mantra for security administrators is: &quot;I know I'm paranoid. I wonder
- if I'm paranoid enough.&quot;</P>
-<H3><A name="labels">Labels used</A></H3>
-<P> Six labels are used to indicate how options should be set. We mark
- the labels with [square brackets]. For two of these labels, you have no
- choice:</P>
-<DL>
-<DT>[required]</DT>
-<DD>essential for FreeS/WAN operation.</DD>
-<DT>[incompatible]</DT>
-<DD>incompatible with FreeS/WAN.</DD>
-</DL>
-<P>those must be set correctly or FreeS/WAN will not work</P>
-<P>FreeS/WAN should work with any settings of the others, though of
- course not all combinations have been tested. We do label these in
- various ways, but<EM> these labels are only suggestions</EM>.</P>
-<DL>
-<DT>[recommended]</DT>
-<DD>useful on most FreeS/WAN gateways</DD>
-<DT>[disable]</DT>
-<DD>an unwelcome complication on a FreeS/WAN gateway.</DD>
-<DT>[optional]</DT>
-<DD>Your choice. We outline issues you might consider.</DD>
-<DT>[anything]</DT>
-<DD>This option has no direct effect on FreeS/WAN and related tools, so
- you should be able to set it as you please.</DD>
-</DL>
-<P> Of course complexity is an enemy in any effort to build secure
- systems.<STRONG> For maximum security, any feature that can reasonably
- be turned off should be</STRONG>. &quot;If in doubt, leave it out.&quot;</P>
-<H2><A name="kernelopt">Kernel options for FreeS/WAN</A></H2>
-<P> Indentation is based on the nesting shown by 'make menuconfig' with
- a 2.2.16 kernel for the i386 architecture.</P>
-<DL>
-<DT><A name="maturity">Code maturity and level options</A></DT>
-<DD>
-<DL>
-<DT><A name="devel">Prompt for development ... code/drivers</A></DT>
-<DD>[optional] If this is<VAR> no</VAR>, experimental drivers are not
- shown in later menus.
-<P>For most FreeS/WAN work,<VAR> no</VAR> is the preferred setting.
- Using new or untested components is too risky for a security gateway.</P>
-<P>However, for some hardware (such as the author's network cards) the
- only drivers available are marked<VAR> new/experimental</VAR>. In such
- cases, you must enable this option or your cards will not appear under
- &quot;network device support&quot;. A true paranoid would leave this option off
- and replace the cards.</P>
-</DD>
-<DT>Processor type and features</DT>
-<DD>[anything]</DD>
-<DT>Loadable module support</DT>
-<DD>
-<DL>
-<DT>Enable loadable module support</DT>
-<DD>[optional] A true paranoid would disable this. An attacker who has
- root access to your machine can fairly easily install a bogus module
- that does awful things, provided modules are enabled. A common tool for
- attackers is a &quot;rootkit&quot;, a set of tools the attacker uses once he or
- she has become root on your system. The kit introduces assorted
- additional compromises so that the attacker will continue to &quot;own&quot; your
- system despite most things you might do to recovery the situation. For
- Linux, there is a tool called<A href="http://www.sans.org/newlook/resources/IDFAQ/knark.htm">
- knark</A> which is basically a rootkit packaged as a kernel module.
-<P>With modules disabled, an attacker cannot install a bogus module. The
- only way he can achieve the same effects is to install a new kernel and
- reboot. This is considerably more likely to be noticed.</P>
-<P>Many FreeS/WAN gateways run with modules enabled. This simplifies
- some administrative tasks and some ipchains features are available only
- as modules. Once an enemy has root on your machine your security is
- nil, so arguably defenses which come into play only in that situation
- are pointless.</P>
-<P></P>
-</DD>
-<DT>Set version information ....</DT>
-<DD>[optional] This provides a check to prevent loading modules compiled
- for a different kernel.</DD>
-<DT>Kernel module loader</DT>
-<DD>[disable] It gives little benefit on a typical FreeS/WAN gate and
- entails some risk.</DD>
-</DL>
-</DD>
-<DT>General setup</DT>
-<DD>We list here only the options that matter for FreeS/WAN.
-<DL>
-<DT>Networking support</DT>
-<DD>[required]</DD>
-<DT>Sysctl interface</DT>
-<DD>[optional] If this option is turned on and the<VAR> /proc</VAR>
- filesystem installed, then you can control various system behaviours by
- writing to files under<VAR> /proc/sys</VAR>. For example:
-<PRE>        echo 1 &gt; /proc/sys/net/ipv4/ipforward</PRE>
- turns IP forwarding on.
-<P>Disabling this option breaks many firewall scripts. A true paranoid
- would disable it anyway since it might conceivably be of use to an
- attacker.</P>
-</DD>
-</DL>
-</DD>
-<DT>Plug and Play support</DT>
-<DD>[anything]</DD>
-<DT>Block devices</DT>
-<DD>[anything]</DD>
-<DT>Networking options</DT>
-<DD>
-<DL>
-<DT>Packet socket</DT>
-<DD>[optional] This kernel feature supports tools such as tcpdump(8)
- which communicate directly with network hardware, bypassing kernel
- protocols. This is very much a two-edged sword:
-<UL>
-<LI>such tools can be very useful to the firewall admin, especially
- during initial testing</LI>
-<LI>should an evildoer breach your firewall, such tools could give him
- or her a great deal of information about the rest of your network</LI>
-</UL>
- We recommend disabling this option on production gateways.</DD>
-<DT><A name="netlink">Kernel/User netlink socket</A></DT>
-<DD>[optional] Required if you want to use<A href="#adv"> advanced
- router</A> features.</DD>
-<DT>Routing messages</DT>
-<DD>[optional]</DD>
-<DT>Netlink device emulation</DT>
-<DD>[optional]</DD>
-<DT>Network firewalls</DT>
-<DD>[recommended] You need this if the IPsec gateway also functions as a
- firewall.
-<P>Even if the IPsec gateway is not your primary firewall, we suggest
- setting this so that you can protect the gateway with at least basic
- local packet filters.</P>
-</DD>
-<DT>Socket filtering</DT>
-<DD>[disable] This enables an older filtering interface. We suggest
- using ipchains(8) instead. To do that, set the &quot;Network firewalls&quot;
- option just above, and not this one.</DD>
-<DT>Unix domain sockets</DT>
-<DD>[required] These sockets are used for communication between the<A href="manpage.d/ipsec.8.html">
- ipsec(8)</A> commands and the<A href="manpage.d/ipsec_pluto.8.html">
- ipsec_pluto(8)</A> daemon.</DD>
-<DT>TCP/IP networking</DT>
-<DD>[required]
-<DL>
-<DT>IP: multicasting</DT>
-<DD>[anything]</DD>
-<DT><A name="adv">IP: advanced router</A></DT>
-<DD>[optional] This gives you policy routing, which some people have
- used to good advantage in their scripts for FreeS/WAN gateway
- management. It is not used in our distributed scripts, so not required
- unless you want it for custom scripts. It requires the<A href="#netlink">
- netlink</A> interface between kernel code and the iproute2(8) command.</DD>
-<DT>IP: kernel level autoconfiguration</DT>
-<DD>[disable] It gives little benefit on a typical FreeS/WAN gate and
- entails some risk.</DD>
-<DT>IP: firewall packet netlink device</DT>
-<DD>[disable]</DD>
-<DT>IP: transparent proxy support</DT>
-<DD>[optional] This is required in some firewall configurations, but
- should be disabled unless you have a definite need for it.</DD>
-<DT>IP: masquerading</DT>
-<DD>[optional] Required if you want to use<A href="glossary.html#non-routable">
- non-routable</A> private IP addresses for your local network.</DD>
-<DT>IP: Optimize as router not host</DT>
-<DD>[recommended]</DD>
-<DT>IP: tunneling</DT>
-<DD>[required]</DD>
-<DT>IP: GRE tunnels over IP</DT>
-<DD>[anything]</DD>
-<DT>IP: aliasing support</DT>
-<DD>[anything]</DD>
-<DT>IP: ARP daemon support (EXPERIMENTAL)</DT>
-<DD>Not required on most systems, but might prove useful on
- heavily-loaded gateways.</DD>
-<DT>IP: TCP syncookie support</DT>
-<DD>[recommended] It provides a defense against a<A href="glossary.html#DOS">
- denial of service attack</A> which uses bogus TCP connection requests
- to waste resources on the victim machine.</DD>
-<DT>IP: Reverse ARP</DT>
-<DD></DD>
-<DT>IP: large window support</DT>
-<DD>[recommended] unless you have less than 16 meg RAM</DD>
-</DL>
-</DD>
-<DT>IPv6</DT>
-<DD>[optional] FreeS/WAN does not currently support IPv6, though work on
- integrating FreeS/WAN with the Linux IPv6 stack has begun.<A href="compat.html#ipv6">
- Details</A>.
-<P> It should be possible to use IPv4 FreeS/WAN on a machine which also
- does IPv6. This combination is not yet well tested. We would be quite
- interested in hearing results from anyone expermenting with it, via the<A
-href="mail.html"> mailing list</A>.</P>
-<P> We do not recommend using IPv6 on production FreeS/WAN gateways
- until more testing has been done.</P>
-</DD>
-<DT>Novell IPX</DT>
-<DD>[disable]</DD>
-<DT>Appletalk</DT>
-<DD>[disable] Quite a few Linux installations use IP but also have some
- other protocol, such as Appletalk or IPX, for communication with local
- desktop machines. In theory it should be possible to configure IPsec
- for the IP side of things without interfering with the second protocol.
-<P>We do not recommend this. Keep the software on your gateway as simple
- as possible. If you need a Linux-based Appletalk or IPX server, use a
- separate machine.</P>
-</DD>
-</DL>
-</DD>
-<DT>Telephony support</DT>
-<DD>[anything]</DD>
-<DT>SCSI support</DT>
-<DD>[anything]</DD>
-<DT>I2O device support</DT>
-<DD>[anything]</DD>
-<DT>Network device support</DT>
-<DD>[anything] should work, but there are some points to note.
-<P>The development team test almost entirely on 10 or 100 megabit
- Ethernet and modems. In principle, any device that can do IP should be
- just fine for IPsec, but in the real world any device that has not been
- well-tested is somewhat risky. By all means try it, but don't bet your
- project on it until you have solid test results.</P>
-<P>If you disabled experimental drivers in the<A href="#maturity"> Code
- maturity</A> section above, then those drivers will not be shown here.
- Check that option before going off to hunt for missing drivers.</P>
-<P>If you want Linux to automatically find more than one ethernet
- interface at boot time, you need to:</P>
-<UL>
-<LI>compile the appropriate driver(s) into your kernel. Modules will not
- work for this</LI>
-<LI>add a line such as
-<PRE>
-   append=&quot;ether=0,0,eth0 ether=0,0,eth1&quot;
-</PRE>
- to your /etc/lilo.conf file. In some cases you may need to specify
- parameters such as IRQ or base address. The example uses &quot;0,0&quot; for
- these, which tells the system to search. If the search does not succeed
- on your hardware, then you should retry with explicit parameters. See
- the lilo.conf(5) man page for details.</LI>
-<LI>run lilo(8)</LI>
-</UL>
- Having Linux find the cards this way is not necessary, but is usually
- more convenient than loading modules in your boot scripts.</DD>
-<DT>Amateur radio support</DT>
-<DD>[anything]</DD>
-<DT>IrDA (infrared) support</DT>
-<DD>[anything]</DD>
-<DT>ISDN subsystem</DT>
-<DD>[anything]</DD>
-<DT>Old CDROM drivers</DT>
-<DD>[anything]</DD>
-<DT>Character devices</DT>
-<DD>The only required character device is:
-<DL>
-<DT>random(4)</DT>
-<DD>[required] This is a source of<A href="glossary.html#random"> random</A>
- numbers which are required for many cryptographic protocols, including
- several used in IPsec.
-<P>If you are comfortable with C source code, it is likely a good idea
- to go in and adjust the<VAR> #define</VAR> lines in<VAR>
- /usr/src/linux/drivers/char/random.c</VAR> to ensure that all sources
- of randomness are enabled. Relying solely on keyboard and mouse
- randomness is dubious procedure for a gateway machine. You could also
- increase the randomness pool size from the default 512 bytes (128
- 32-bit words).</P>
-</DD>
-</DL>
-</DD>
-<DT>Filesystems</DT>
-<DD>[anything] should work, but we suggest limiting a gateway machine to
- the standard Linux ext2 filesystem in most cases.</DD>
-<DT>Network filesystems</DT>
-<DD>[disable] These systems are an unnecessary risk on an IPsec gateway.</DD>
-<DT>Console drivers</DT>
-<DD>[anything]</DD>
-<DT>Sound</DT>
-<DD>[anything] should work, but we suggest enabling sound only if you
- plan to use audible alarms for firewall problems.</DD>
-<DT>Kernel hacking</DT>
-<DD>[disable] This might be enabled on test machines, but should not be
- on production gateways.</DD>
-</DL>
-</DD>
-</DL>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="testing.html">Previous</A>
-<A HREF="adv_config.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/mail.html b/doc/mail.html
deleted file mode 100644
index 68b5d8cd8..000000000
--- a/doc/mail.html
+++ /dev/null
@@ -1,216 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="ipsec.html">Previous</A>
-<A HREF="web.html">Next</A>
-<HR>
-<H1><A name="lists">Mailing lists and newsgroups</A></H1>
-<H2><A name="list.fs">Mailing lists about FreeS/WAN</A></H2>
-<H3><A name="projlist">The project mailing lists</A></H3>
-<P>The Linux FreeS/WAN project has several email lists for user support,
- bug reports and software development discussions.</P>
-<P>We had a single list on clinet.fi for several years (Thanks, folks!),
- then one list on freeswan.org, but now we've split into several lists:</P>
-<DL>
-<DT><A href="mailto:users-request@lists.freeswan.org?body=subscribe">
-users</A></DT>
-<DD>
-<UL>
-<LI>The general list for discussing use of the software</LI>
-<LI>The place for seeking<STRONG> help with problems</STRONG> (but
- please check the<A href="faq.html"> FAQ</A> first).</LI>
-<LI>Anyone can post.</LI>
-</UL>
-</DD>
-<DT><A href="mailto:bugs-request@lists.freeswan.org?body=subscribe">bugs</A>
-</DT>
-<DD>
-<UL>
-<LI>For<STRONG> bug reports</STRONG>.</LI>
-<LI>If you are not certain what is going on -- could be a bug, a
- configuration error, a network problem, ... -- please post to the users
- list instead.</LI>
-<LI>Anyone can post.</LI>
-</UL>
-</DD>
-<DT><A href="mailto:design-request@lists.freeswan.org?body=subscribe">
-design</A></DT>
-<DD>
-<UL>
-<LI><STRONG>Design discussions</STRONG>, for people working on FreeS/WAN
- development or others with an interest in design and security issues.</LI>
-<LI>It would be a good idea to read the existing design papers (see this<A
-href="intro.html#applied"> list</A>) before posting.</LI>
-<LI>Anyone can post.</LI>
-</UL>
-</DD>
-<DT><A href="mailto:announce-request@lists.freeswan.org?body=subscribe">
-announce</A></DT>
-<DD>
-<UL>
-<LI>A<STRONG> low-traffic</STRONG> list.</LI>
-<LI><STRONG>Announcements</STRONG> about FreeS/WAN and related software.</LI>
-<LI>All posts here are also sent to the users list. You need not
- subscribe to both.</LI>
-<LI>Only the FreeS/WAN team can post.</LI>
-<LI>If you have something you feel should go on this list, send it to<VAR>
- announce-admin@lists.freeswan.org</VAR>. Unless it is obvious, please
- include a short note explaining why we should post it.</LI>
-</UL>
-</DD>
-<DT><A href="mailto:briefs-request@lists.freeswan.org?body=subscribe">
-briefs</A></DT>
-<DD>
-<UL>
-<LI>A<STRONG> low-traffic</STRONG> list.</LI>
-<LI><STRONG>Weekly summaries</STRONG> of activity on the users list.</LI>
-<LI>All posts here are also sent to the users list. You need not
- subscribe to both.</LI>
-<LI>Only the FreeS/WAN team can post.</LI>
-</UL>
-</DD>
-</DL>
-<P>To subscribe to any of these, you can:</P>
-<UL>
-<LI>just follow the links above</LI>
-<LI>use our<A href="http://www.freeswan.org/mail.html"> web interface</A>
-</LI>
-<LI>send mail to<VAR> listname</VAR>-request@lists.freeswan.org with a
- one-line message body &quot;subscribe&quot;</LI>
-</UL>
-<P>Archives of these lists are available via the<A href="http://www.freeswan.org/mail.html">
- web interface</A>.</P>
-<H4><A name="which.list">Which list should I use?</A></H4>
-<P>For most questions, please check the<A href="faq.html"> FAQ</A>
- first, and if that does not have an answer, ask on the users list. &quot;My
- configuration doesn't work.&quot; does not belong on the bugs list, and &quot;Can
- FreeS/WAN do such-and-such&quot; or &quot;How do I configure it to...&quot; do not
- belong in design discussions.</P>
-<P>Cross-posting the same message to two or more of these lists is
- discouraged. Quite a few people read more than one list and getting
- multiple copies is annoying.</P>
-<H4><A name="policy.list">List policies</A></H4>
-<P><STRONG>US citizens or residents are asked not to post code to the
- lists, not even one-line bug fixes</STRONG>. The project cannot accept
- code which might entangle it in US<A href="politics.html#exlaw"> export
- restrictions</A>.</P>
-<P>Non-subscribers can post to some of these lists. This is necessary;
- someone working on a gateway install who encounters a problem may not
- have access to a subscribed account.</P>
-<P>Some spam turns up on these lists from time to time. For discussion
- of why we do not attempt to filter it, see the<A href="faq.html#spam">
- FAQ</A>. Please do not clutter the lists with complaints about this.</P>
-<H3><A name="archive">Archives of the lists</A></H3>
-<P>Searchable archives of the old single list have existed for some
- time. At time of writing, it is not yet clear how they will change for
- the new multi-list structure.</P>
-<UL>
-<LI><A href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</A></LI>
-<LI><A href="http://www.nexial.com">Holland</A></LI>
-</UL>
-<P>Note that these use different search engines. Try both.</P>
-<P>Archives of the new lists are available via the<A href="http://www.freeswan.org/mail.html">
- web interface</A>.</P>
-<H2><A name="indexes">Indexes of mailing lists</A></H2>
-<P><A href="http://paml.net/">PAML</A> is the standard reference for<STRONG>
- P</STRONG>ublicly<STRONG> A</STRONG>ccessible<STRONG> M</STRONG>ailing<STRONG>
- L</STRONG>ists. When we last checked, it had over 7500 lists on an
- amazing variety of topics. It also has FAQ information and a search
- engine.</P>
-<P>There is an index of<A href="http://oslab.snu.ac.kr/~djshin/linux/mail-list/index.shtml">
- Linux mailing lists</A> available.</P>
-<P>A list of<A href="http://xforce.iss.net/maillists/otherlists.php">
- computer security mailing lists</A>, with descriptions.</P>
-<H2><A name="otherlists">Lists for related software and topics</A></H2>
-<P>Most links in this section point to subscription addresses for the
- various lists. Send the one-line message &quot;subscribe<VAR> list_name</VAR>
-&quot; to subscribe to any of them.</P>
-<H3><A NAME="28_3_1">Products that include FreeS/WAN</A></H3>
-<P>Our introduction document gives a<A href="intro.html#products"> list
- of products that include FreeS/WAN</A>. If you have, or are
- considering, one of those, check the supplier's web site for
- information on mailing lists for their users.</P>
-<H3><A name="linux.lists">Linux mailing lists</A></H3>
-<UL>
-<LI><A href="mailto:majordomo@vger.kernel.org">
-linux-admin@vger.kernel.org</A>, for Linux system administrators</LI>
-<LI><A href="mailto:netfilter-request@lists.samba.org">
-netfilter@lists.samba.org</A>, about Netfilter, which replaces IPchains
- in kernels 2.3.15 and later</LI>
-<LI><A href="mailto:security-audit-request@ferret.lmh.ox.ac.uk">
-security-audit@ferret.lmh.ox.ac.uk</A>, for people working on security
- audits of various Linux programs</LI>
-<LI><A href="mailto:securedistros-request@humbolt.geo.uu.nl">
-securedistros@humbolt.geo.uu.nl</A>, for discussion of issues common to
- all the half dozen projects working on secure Linux distributions.</LI>
-</UL>
-<P>Each of the scure distribution projects also has its own web site and
- mailing list. Some of the sites are:</P>
-<UL>
-<LI><A href="http://bastille-linux.org/">Bastille Linux</A> scripts to
- harden Redhat, e.g. by changing permissions and modifying inialisation
- scripts</LI>
-<LI><A href="http://immunix.org/">Immunix</A> take a different approach,
- using a modified compiler to build kernel and utilities with better
- resistance to various types of overflow and exploit</LI>
-<LI>the<A href="glossary.html#NSA"> NSA</A> have contractors working on
- a<A href="glossary.html#SElinux"> Security Enhanced Linux</A>,
- primarily adding stronger access control mechanisms. You can download
- the current version (which interestingly is under GPL and not export
- resrtricted) or subscribe to the mailing list from the<A href="http://www.nsa.gov/selinux">
- project web page</A>.</LI>
-</UL>
-<H3><A name="ietf">Lists for IETF working groups</A></H3>
-<P>Each<A href="glossary.html#IETF"> IETF</A> working group has an
- associated mailing list where much of the work takes place.</P>
-<UL>
-<LI><A href="mailto:majordomo@lists.tislabs.com">ipsec@lists.tislabs.com</A>
-, the IPsec<A href="http://www.ietf.org/html.charters/ipsec-charter.html">
- working group</A>. This is where the protocols are discussed, new
- drafts announced, and so on. By now, the IPsec working group is winding
- down since the work is essentially complete. A<A href="http://www.sandelman.ottawa.on.ca/ipsec/">
- list archive</A> is available.</LI>
-<LI><A href="mailto:ipsec-policy-request@vpnc.org">IPsec policy</A>
- list, and its<A href="http://www.vpnc.org/ipsec-policy/"> archive</A></LI>
-<LI><A href="mailto:ietf-ipsra-request@vpnc.org">IP secure remote access</A>
- list, and its<A href="http://www.vpnc.org/ietf-ipsra/mail-archive/">
- archive</A></LI>
-</UL>
-<H3><A name="other">Other mailing lists</A></H3>
-<UL>
-<LI><A href="mailto:ipc-announce-request@privacy.org">
-ipc-announce@privacy.org</A> a low-traffic list with announcements of
- developments in privacy, encryption and online civil rights</LI>
-<LI>a VPN mailing list's<A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
- home page</A></LI>
-</UL>
-<H2><A name="newsgroups">Usenet newsgroups</A></H2>
-<UL>
-<LI>sci.crypt</LI>
-<LI>sci.crypt.research</LI>
-<LI>comp.dcom.vpn</LI>
-<LI>talk.politics.crypto</LI>
-</UL>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="ipsec.html">Previous</A>
-<A HREF="web.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/makecheck.html b/doc/makecheck.html
deleted file mode 100644
index e77631782..000000000
--- a/doc/makecheck.html
+++ /dev/null
@@ -1,523 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="umltesting.html">Previous</A>
-<A HREF="nightly.html">Next</A>
-<HR>
-<H1><A name="makecheck">How to configure to use &quot;make check&quot;</A></H1>
-<H2><A NAME="38_1">What is &quot;make check&quot;</A></H2>
-<P> &quot;make check&quot; is a target in the top level makefile. It takes care of
- running a number of unit and system tests to confirm that FreeSWAN has
- been compiled correctly, and that no new bugs have been introduced.</P>
-<P> As FreeSWAN contains both kernel and userspace components, doing
- testing of FreeSWAN requires that the kernel be simulated. This is
- typically difficult to do as a kernel requires that it be run on bare
- hardware. A technology has emerged that makes this simpler. This is<A HREF="http://user-mode-linux.sourceforge.net">
- User Mode Linux</A>.</P>
-<P> User-Mode Linux is a way to build a Linux kernel such that it can
- run as a process under another Linux (or in the future other) kernel.
- Presently, this can only be done for 2.4 guest kernels. The host kernel
- can be 2.2 or 2.4.</P>
-<P> &quot;make check&quot; expects to be able to build User-Mode Linux kernels
- with FreeSWAN included. To do this it needs to have some files
- downloaded and extracted prior to running &quot;make check&quot;. This is
- described in the<A HREF="umltesting.html"> UML testing</A> document.</P>
-<P> After having run the example in the UML testing document and
- successfully brought up the four machine combination, you are ready to
- use &quot;make check&quot;</P>
-<H2><A NAME="38_2">Running &quot;make check&quot;</A></H2>
-<P> &quot;make check&quot; works by walking the FreeSWAN source tree invoking the
- &quot;check&quot; target at each node. At present there are tests defined only
- for the <CODE>klips</CODE> directory. These tests will use the UML
- infrastructure to test out pieces of the <CODE>klips</CODE> code.</P>
-<P> The results of the tests can be recorded. If the environment
- variable <CODE>$REGRESSRESULTS</CODE> is non-null, then the results of
- each test will be recorded. This can be used as part of a nightly
- regression testing system, see<A HREF="nightly.html"> Nightly testing</A>
- for more details.</P>
-<P> &quot;make check&quot; otherwise prints a minimal amount of output for each
- test, and indicates pass/fail status of each test as they are run.
- Failed tests do not cause failure of the target in the form of exit
- codes.</P>
-<H1><A NAME="39">How to write a &quot;make check&quot; test</A></H1>
-<H2><A NAME="39_1">Structure of a test</A></H2>
-<P> Each test consists of a set of directories under <CODE>testing/</CODE>
-. There are directories for <CODE>klips</CODE>, <CODE>pluto</CODE>, <CODE>
-packaging</CODE> and <CODE>libraries</CODE>. Each directory has a list
- of tests to run is stored in a file called <CODE>TESTLIST</CODE> in
- that directory. e.g. <CODE>testing/klips/TESTLIST</CODE>.</P>
-<H2 NAME="TESTLIST"><A NAME="39_2">The TESTLIST</A></H2>
-<P> This isn't actually a shell script. It just looks like one. Some
- tools other than /bin/sh process it. Lines that start with # are
- comments.</P>
-<PRE>
-# test-kind     directory-containing-test       expectation     [PR#]
-</PRE>
-<P>The first word provides the test type, detailed below.</P>
-<P> The second word is the name of the test to run. This the directory
- in which the test case is to be found..</P>
-<P>The third word may be one of:</P>
-<DL>
-<DT> blank/good</DT>
-<DD>the test is believed to function, report failure</DD>
-<DT> bad</DT>
-<DD> the test is known to fail, report unexpected success</DD>
-<DT> suspended</DT>
-<DD> the test should not be run</DD>
-</DL>
-<P> The fourth word may be a number, which is a PR# if the test is
- failing.</P>
-<H2><A NAME="39_3">Test kinds</A></H2>
- The test types are:
-<DL>
-<DT>skiptest</DT>
-<DD>means run no test.</DD>
-<DT>ctltest</DT>
-<DD>means run a single system without input/output.</DD>
-<DT>klipstest</DT>
-<DD>means run a single system with input/output networks</DD>
-<DT><A HREF="#umlplutotest">umlplutotest</A></DT>
-<DD>means run a pair of systems</DD>
-<DT><A HREF="#umlXhost">umlXhost</A></DT>
-<DD>run an arbitrary number of systems</DD>
-<DT>suntest (TBD)</DT>
-<DD>means run a quad of east/west/sunrise/sunset</DD>
-<DT>roadtest (TBD)</DT>
-<DD>means run a trio of east-sunrise + warrior</DD>
-<DT>extrudedtest (TBD)</DT>
-<DD>means run a quad of east-sunrise + warriorsouth + park</DD>
-<DT>mkinsttest</DT>
-<DD>a test of the &quot;make install&quot; machinery.</DD>
-<DT>kernel_test_patch</DT>
-<DD>a test of the &quot;make kernelpatch&quot; machinery.</DD>
-</DL>
- Tests marked (TBD) have yet to be fully defined.
-<P> Each test directory has a file in it called <CODE>testparams.sh</CODE>
-. This file sets a number of environment variables to define the
- parameters of the test.</P>
-<H2><A NAME="39_4">Common parameters</A></H2>
-<DL>
-<DT>TESTNAME</DT>
-<DD>the name of the test (repeated for checking purposes)</DD>
-<DT>TEST_TYPE</DT>
-<DD>the type of the test (repeat of type type above)</DD>
-<DT>TESTHOST</DT>
-<DD>the name of the UML machine to run for the test, typically &quot;east&quot; or
- &quot;west&quot;</DD>
-<DT>TEST_PURPOSE</DT>
-<DD>The purpose of the test is one of:
-<DL>
-<DT>goal</DT>
-<DD>The goal purpose is where a test is defined for code that is not yet
- finished. The test indicates when the goals have in fact been reached.</DD>
-<DT>regress</DT>
-<DD>This is a test to determine that a previously existing bug has been
- repaired. This test will initially be created to reproduce the bug in
- isolation, and then the bug will be fixed.</DD>
-<DT>exploit</DT>
-<DD>This is a set of packets/programs that causes a vulnerability to be
- exposed. It is a specific variation of the regress option.</DD>
-</DL>
-</DD>
-<DT>TEST_GOAL_ITEM</DT>
-<DT></DT>
-<DD>in the case of a goal test, this is a reference to the requirements
- document</DD>
-<DT>TEST_PROB_REPORT</DT>
-<DD>in the case of regression test, this the problem report number from
- GNATS</DD>
-<DT>TEST_EXPLOIT_URL</DT>
-<DD>in the case of an exploit, this is a URL referencing the paper
- explaining the origin of the test and the origin of exploit software</DD>
-<DT>REF_CONSOLE_OUTPUT</DT>
-<DD>a file in the test directory that contains the sanitized console
- output against which to compare the output of the actual test.</DD>
-<DT>REF_CONSOLE_FIXUPS</DT>
-<DD>a list of scripts (found in <CODE>klips/test/fixups</CODE>) to apply
- to sanitize the console output of the machine under test. These are
- typically perl, awk or sed scripts that remove things in the kernel
- output that change each time the test is run and/or compiled.</DD>
-<DT>INIT_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode prior to starting the tests. This file will usually
- set up any eroute's and SADB entries that are required for the test.</P>
-<P>Lines beginning with # are skipped. Blank lines are skipped.
- Otherwise, a shell prompted is waited for each time (consisting of <CODE>
-\n#</CODE>) and then the command is sent. Note that the prompt is waited
- for before the command and not after, so completion of the last command
- in the script is not required. This is often used to invoke a program
- to monitor the system, e.g. <CODE>ipsec pf_key</CODE>.</P>
-</DD>
-<DT>RUN_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode, before the packets are sent. On single machine tests,
- this script doesn't provide any more power than INIT_SCRIPT, but is
- implemented for consistency's sake.</P>
-</DD>
-<DT>FINAL_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode after the final packet is sent. Similar to
- INIT_SCRIPT, above. If not specified, then the single command &quot;halt&quot; is
- sent. If specified, then the script should end with a halt command to
- nicely shutdown the UML.</P>
-</DD>
-<DT>CONSOLEDIFFDEBUG</DT>
-<DD>If set to &quot;true&quot; then the series of console fixups (see
- REF_CONSOLE_FIXUPS) will be output after it is constructed. (It should
- be set to &quot;false&quot;, or unset otherwise)</DD>
-<DT>NETJIGDEBUG</DT>
-<DD>If set to &quot;true&quot; then the series of console fixups (see
- REF_CONSOLE_FIXUPS) will be output after it is constructed. (It should
- be set to &quot;false&quot;, or unset otherwise)</DD>
-<DT>NETJIGTESTDEBUG</DT>
-<DD> If set to &quot;netjig&quot;, then the results of talking to the <CODE>
-uml_netjig</CODE> will be printed to stderr during the test. In
- addition, the jig will be invoked with --debug, which causes it to log
- its process ID, and wait 60 seconds before continuing. This can be used
- if you are trying to debug the <CODE>uml_netjig</CODE> program itself.</DD>
-<DT>HOSTTESTDEBUG</DT>
-<DD> If set to &quot;hosttest&quot;, then the results of taling to the consoles of
- the UMLs will be printed to stderr during the test.</DD>
-<DT>NETJIGWAITUSER</DT>
-<DD> If set to &quot;waituser&quot;, then the scripts will wait forever for user
- input before they shut the tests down. Use this is if you are debugging
- through the kernel.</DD>
-<DT>PACKETRATE</DT>
-<DD> A number, in miliseconds (default is 500ms) at which packets will
- be replayed by the netjig.</DD>
-</DL>
-<H2><A NAME="39_5">KLIPStest paramaters</A></H2>
-<P> The klipstest function starts a program (<CODE>
-testing/utils/uml_netjig/uml_netjig</CODE>) to setup a bunch of I/O
- sockets (that simulate network interfaces). It then exports the
- references to these sockets to the environment and invokes (using
- system()) a given script. It waits for the script to finish.</P>
-
-<!-- <IMG SRC="single_netjig.png" ALT="block diagram of uml_netjig"> -->
-<P> The script invoked (<CODE>testing/utils/host-test.tcl</CODE>) is a
- TCL<A HREF="http://expect.nist.gov/"> expect</A> script that arranges
- to start the UML and configure it appropriately for the test. The
- configuration is done with the script given above for<VAR> INIT_SCRIPT</VAR>
-. The TCL script then forks, leaves the UML in the background and exits.
- uml_netjig continues. It then starts listening to the simulated network
- answering ARPs and inserting packets as appropriate.</P>
-<P> The klipstest function invokes <CODE>uml_netjig</CODE> with
- arguments to capture output from network interface(s) and insert
- packets as appropriate:</P>
-<DL>
-<DT>PUB_INPUT</DT>
-<DD>a<A HREF="http://www.tcpdump.org/"> pcap</A> file to feed in on the
- public (encrypted) interface. (typically, eth1)</DD>
-<DT>PRIV_INPUT</DT>
-<DD>a pcap file to feed in on the private (plain-text) interface
- (typically, eth0).</DD>
-<DT>REF_PUB_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the public (eth1)
- interface are captured to a<A HREF="http://www.tcpdump.org/"> pcap</A>
- file by <CODE>uml_netjig</CODE>. The klipstest function then uses
- tcpdump on the file to produce text output, which is compared to the
- file given.</DD>
-<DT>REF_PUB_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-<DT>REF_PRIV_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the private (eth0)
- interface are captured and compared after conversion by tcpdump, as
- with<VAR> REFPUBOUTPUT</VAR>.</DD>
-<DT>REF_PRIV_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-<DT>EXITONEMPTY</DT>
-<DD>a flag for <CODE>uml_netjig</CODE>. It should contain
- &quot;--exitonempty&quot; of uml_netjig should exit when all of the input (<VAR>
-PUBINPUT</VAR>,<VAR>PRIVINPUT</VAR>) packets have been injected.</DD>
-<DT>ARPREPLY</DT>
-<DD>a flag for <CODE>uml_netjig</CODE>. It should contain &quot;--arpreply&quot;
- if <CODE>uml_netjig</CODE> should reply to ARP requests. One will
- typically set this to avoid having to fudge the ARP cache manually.</DD>
-<DT>TCPDUMPFLAGS</DT>
-<DD>a set of flags for the tcpdump used when converting captured output.
- Typical values will include &quot;-n&quot; to turn off DNS, and often &quot;-E&quot; to set
- the decryption key (tcpdump 3.7.1 and higher only) for ESP packets. The
- &quot;-t&quot; flag (turn off timestamps) is provided automatically</DD>
-<DT>NETJIG_EXTRA</DT>
-<DD>additional comments to be sent to the netjig. This may arrange to
- record or create additional networks, or may toggle options.</DD>
-</DL>
-<H2><A NAME="39_6">mkinsttest paramaters</A></H2>
-<P> The basic concept of the <CODE>mkinsttest</CODE> test type is that
- it performs a &quot;make install&quot; to a temporary $DESTDIR. The resulting
- tree can then be examined to determine if it was done properly. The
- files can be uninstalled to determine if the file list was correct, or
- the contents of files can be examined more precisely.</P>
-<DL>
-<DT>INSTALL_FLAGS</DT>
-<DD>If set, then an install will be done. This provides the set of flags
- to provide for the install. The target to be used (usually &quot;install&quot;)
- must be among the flags.</DD>
-<DT>POSTINSTALL_SCRIPT</DT>
-<DD>If set, a script to run after initial &quot;make install&quot;. Two arguments
- are provided: an absolute path to the root of the FreeSWAN src tree,
- and an absolute path to the temporary installation area.</DD>
-<DT>INSTALL2_FLAGS</DT>
-<DD>If set, a second install will be done using these flags. Similarly
- to INSTALL_FLAGS, the target must be among the flags.</DD>
-<DT>UNINSTALL_FLAGS</DT>
-<DD>If set, an uninstall will be done using these flags. Similarly to
- INSTALL_FLAGS, the target (usually &quot;uninstall&quot;) must be among the
- flags.</DD>
-<DT>REF_FIND_f_l_OUTPUT</DT>
-<DD>If set, a <CODE>find $ROOT ( -type f -or -type -l )</CODE> will be
- done to get a list of a real files and symlinks. The resulting file
- will be compared to the file listed by this option.</DD>
-<DT>REF_FILE_CONTENTS</DT>
-<DD>If set, it should point to a file containing records for the form:
-<PRE>
-  
-<!--VARIABLE-->
-reffile</(null)>   
-<!--VARIABLE-->
-samplefile</(null)>
-</PRE>
- one record per line. A diff between the provided reference file, and
- the sample file (located in the temporary installation root) will be
- done for each record.</DD>
-</DL>
-<H2><A NAME="39_7">rpm_build_install_test paramaters</A></H2>
-<P> The <CODE>rpm_build_install_test</CODE> type is to verify that the
- proper packing list is produced by &quot;make rpm&quot;, and that the mechanisms
- for building the kernel modules produce consistent results.</P>
-<DL>
-<DT>RPM_KERNEL_SOURCE</DT>
-<DD>Point to an extracted copy of the RedHat kernel source code.
- Variables from the environment may be used.</DD>
-<DT>REF_RPM_CONTENTS</DT>
-<DD>This is a file containing one record per line. Each record consists
- of a RPM name (may contain wildcards) and a filename to compare the
- contents to. The RPM will be located and a file list will be produced
- with rpm2cpio.</DD>
-</DL>
-<H2><A NAME="39_8">libtest paramaters</A></H2>
-<P> The libtest test is for testing library routines. The library file
- is expected to provided an <CODE>#ifdef</CODE> by the name of<VAR>
- library</VAR>
-<!--CODE_MAIN</CODE-->
-. The libtest type invokes the C compiler to compile this
- file, links it against <CODE>libfreeswan.a</CODE> (to resolve any other
- dependancies) and runs the test with the <CODE>-r</CODE> argument to
- invoke a regression test.</(null)></P>
-<P>The library test case is expected to do a self-test, exiting with
- status code 0 if everything is okay, and with non-zero otherwise. A
- core dump (exit code greater than 128) is noted specifically.</P>
-<P> Unlike other tests, there are no subdirectories required, or other
- parameters to set.</P>
-<H2 NAME="umlplutotest"><A NAME="39_9">umlplutotest paramaters</A></H2>
-<P> The umlplutotest function starts a pair of user mode line processes.
- This is a 2-host version of umlXhost. The &quot;EAST&quot; and &quot;WEST&quot; slots are
- defined.</P>
-<H2 NAME="umlXhost"><A NAME="39_10">umlXhost parameters</A></H2>
-<P> The umlXtest function starts an arbitrary number of user mode line
- processes.</P>
-
-<!-- <IMG SRC="single_netjig.png" ALT="block diagram of uml_netjig"> -->
-<P> The script invoked (<CODE>testing/utils/Xhost-test.tcl</CODE>) is a
- TCL<A HREF="http://expect.nist.gov/"> expect</A> script that arranges
- to start each UML and configure it appropriately for the test. It then
- starts listening (using uml_netjig) to the simulated network answering
- ARPs and inserting packets as appropriate.</P>
-<P> umlXtest has a series of slots, each of which should be filled by a
- host. The list of slots is controlled by the variable, XHOST_LIST. This
- variable should be set to a space seperated list of slots. The former
- umlplutotest is now implemented as a variation of the umlXhost test,
- with XHOST_LIST=&quot;EAST WEST&quot;.</P>
-<P> For each host slot that is defined, a series of variables should be
- filled in, defining what configuration scripts to use for that host.</P>
-<P> The following are used to control the console input and output to
- the system. Where the string ${host} is present, the host slot should
- be filled in. I.e. for the two host system with XHOST_LIST=&quot;EAST WEST&quot;,
- then the variables: EAST_INIT_SCRIPT and WEST_INIT_SCRIPT will exist.</P>
-<DL>
-<DT>${host}HOST</DT>
-<DD>The name of the UML host which will fill this slot</DD>
-<DT>${host}_INIT_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode prior to starting the tests. This file will usually
- set up any eroute's and SADB entries that are required for the test.
- Similar to INIT_SCRIPT, above.</P>
-</DD>
-<DT>${host}_RUN_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode, before the packets are sent. This set of commands is
- run after all of the virtual machines are initialized. I.e. after
- EAST_INIT_SCRIPT<B> AND</B> WEST_INIT_SCRIPT. This script can therefore
- do things that require that all machines are properly configured.</P>
-</DD>
-<DT>${host}_RUN2_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode, after the packets are sent. This set of commands is
- run before any of the virtual machines have been shut down. (I.e.
- before EAST_FINAL_SCRIPT<B> AND</B> WEST_FINAL_SCRIPT.) This script can
- therefore catch post-activity status reports.</P>
-</DD>
-<DT>${host}_FINAL_SCRIPT</DT>
-<DD>
-<P>a file of commands that is fed into the virtual machine's console in
- single user mode after the final packet is sent. Similar to
- INIT_SCRIPT, above. If not specified, then the single command &quot;halt&quot; is
- sent. Note that when this script is run, the other virtual machines may
- already have been killed. If specified, then the script should end with
- a halt command to nicely shutdown the UML.</P>
-</DD>
-<DT>REF_${host}_CONSOLE_OUTPUT</DT>
-<DD>Similar to REF_CONSOLE_OUTPUT, above.</DD>
-</DL>
-<P>Some additional flags apply to all hosts:</P>
-<DL>
-<DT>REF_CONSOLE_FIXUPS</DT>
-<DD>a list of scripts (found in <CODE>klips/test/fixups</CODE>) to apply
- to sanitize the console output of the machine under test. These are
- typically perl, awk or sed scripts that remove things in the kernel
- output that change each time the test is run and/or compiled.</DD>
-</DL>
-<P> In addition to input to the console, the networks may have input fed
- to them:</P>
-<DL>
-<DT>EAST_INPUT/WEST_INPUT</DT>
-<DD>a<A HREF="http://www.tcpdump.org/"> pcap</A> file to feed in on the
- private network side of each network. The &quot;EAST&quot; and &quot;WEST&quot; here refer
- to the networks, not the hosts.</DD>
-<DT>REF_PUB_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-<DT>REF_EAST_FILTER/REF_WEST_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further
- processing. Defaults to &quot;cat&quot;.</DD>
-&lt;
-<DT>TCPDUMPFLAGS</DT>
-<DD>a set of flags for the tcpdump used when converting captured output.
- Typical values will include &quot;-n&quot; to turn off DNS, and often &quot;-E&quot; to set
- the decryption key (tcpdump 3.7.1 and higher only) for ESP packets. The
- &quot;-t&quot; flag (turn off timestamps) is provided automatically</DD>
-<DT>REF_EAST_OUTPUT/REF_WEST_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the private (eth0)
- interface are captured and compared after conversion by tcpdump, as
- with<VAR> REF_PUB_OUTPUT</VAR>.</DD>
-<P> There are two additional environment variables that may be set on
- the command line:</P>
-<DL>
-<DT> NETJIGVERBOSE=verbose export NETJIGVERBOSE</DT>
-<DD> If set, then the test output will be &quot;chatty&quot;, and let you know
- what commands it is running, and as packets are sent. Without it set,
- the output is limited to success/failure messages.</DD>
-<DT> NETJIGTESTDEBUG=netjig export NETJIGTESTDEBUG</DT>
-<DD> This will enable debugging of the communication with uml_netjig,
- and turn on debugging in this utility. This does not imply
- NETJIGVERBOSE.</DD>
-</DL>
-<DT> HOSTTESTDEBUG=hosttest export HOSTTESTDEBUG</DT>
-<DD> This will show all interactions with the user-mode-linux consoles</DD>
-</DL>
-<H2 NAME="kernelpatch"><A NAME="39_11">kernel_patch_test paramaters</A></H2>
-<P> The kernel_patch_test function takes some kernel source, copies it
- with lndir, and then applies the patch as produced by &quot;make
- kernelpatch&quot;.</P>
-<P> The following are used to control the input and output to the
- system:</P>
-<DL>
-<DT>KERNEL_NAME</DT>
-<DD>the kernel name, typically something like &quot;linus&quot; or &quot;rh&quot;</DD>
-<DT>KERNEL_VERSION</DT>
-<DD>the kernel version number, as in &quot;2.2&quot; or &quot;2.4&quot;.</DD>
-<DT>KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC</DT>
-<DD>This variable should set in the environment, probably in
- ~/freeswan-regress-env.sh. Examples of this variables would be
- KERNEL_LINUS2_0_SRC or KERNEL_RH7_3_SRC. This variable should point to
- an extracted copy of the kernel source in question.</DD>
-<DT>REF_PATCH_OUTPUT</DT>
-<DD>a copy of the patch output to compare against</DD>
-<DT>KERNEL_PATCH_LEAVE_SOURCE</DT>
-<DD>If set to a non-empty string, then the patched kernel source is not
- removed at the end of the test. This will typically be set in the
- environment while debugging.</DD>
-</DL>
-<H2 NAME="modtest"><A NAME="39_12">module_compile paramaters</A></H2>
-<P> The module_compile test attempts to build the KLIPS module against a
- given set of kernel source. This is also done by the RPM tests, but in
- a very specific manner.</P>
-<P> There are two variations of this test - one where the kernel either
- doesn't need to be configured, or is already done, and tests were there
- is a local configuration file.</P>
-<P> Where the kernel doesn't need to be configured, the kernel source
- that is found is simply used. It may be a RedHat-style kernel, where
- one can cause it to configure itself via rhconfig.h-style definitions.
- Or, it may just be a kernel tree that has been configured.</P>
-<P> If the variable KERNEL_CONFIG_FILE is set, then a new directory is
- created for the kernel source. It is populated with lndir(1). The
- referenced file is then copied in as .config, and &quot;make oldconfig&quot; is
- used to configure the kernel. This resulting kernel is then used as the
- reference source.</P>
-<P> In all cases, the kernel source is found the same was for the
- kernelpatch test, i.e. via KERNEL_VERSION/KERNEL_NAME and
- KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC.</P>
-<P> Once there is kernel source, the module is compiled using the
- top-level &quot;make module&quot; target.</P>
-<P> The test is considered successful if an executable is found in
- OUTPUT/module/ipsec.o at the end of the test.</P>
-<DL>
-<DT>KERNEL_NAME</DT>
-<DD>the kernel name, typically something like &quot;linus&quot; or &quot;rh&quot;</DD>
-<DT>KERNEL_VERSION</DT>
-<DD>the kernel version number, as in &quot;2.2&quot; or &quot;2.4&quot;.</DD>
-<DT>KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC</DT>
-<DD>This variable should set in the environment, probably in
- ~/freeswan-regress-env.sh. Examples of this variables would be
- KERNEL_LINUS2_0_SRC or KERNEL_RH7_3_SRC. This variable should point to
- an extracted copy of the kernel source in question.</DD>
-<DT>KERNEL_CONFIG_FILE</DT>
-<DD>The configuration file for the kernel.</DD>
-<DT>KERNEL_PATCH_LEAVE_SOURCE</DT>
-<DD>If set to a non-empty string, then the configured kernel source is
- not removed at the end of the test. This will typically be set in the
- environment while debugging.</DD>
-<DT>MODULE_DEF_INCLUDE</DT>
-<DD>The include file that will be used to configure the KLIPS module,
- and possibly the kernel source.</DD>
-</DL>
-<H1><A NAME="40">Current pitfalls</A></H1>
-<DL>
-<DT> &quot;tcpdump dissector&quot; not available.</DT>
-<DD> This is a non-fatal warning. If uml_netjig is invoked with the -t
- option, then it will attempt to use tcpdump's dissector to decode each
- packet that it processes. The dissector is presently not available, so
- this option it normally turned off at compile time. The dissector
- library will be released with tcpdump version 4.0.</DD>
-</DL>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="umltesting.html">Previous</A>
-<A HREF="nightly.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/manpages.html b/doc/manpages.html
deleted file mode 100644
index 81ca11ae0..000000000
--- a/doc/manpages.html
+++ /dev/null
@@ -1,145 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="faq.html">Previous</A>
-<A HREF="firewall.html">Next</A>
-<HR>
-<H1><A name="manpages">FreeS/WAN manual pages</A></H1>
-<P>The various components of Linux FreeS/WAN are of course documented in
- standard Unix manual pages, accessible via the man(1) command.</P>
-<P>Links here take you to an HTML version of the man pages.</P>
-<H2><A name="man.file">Files</A></H2>
-<DL>
-<DT><A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></DT>
-<DD>IPsec configuration and connections</DD>
-<DT><A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A></DT>
-<DD>secrets for IKE authentication, either pre-shared keys or RSA
- private keys</DD>
-</DL>
-<P>These files are also discussed in the<A href="config.html">
- configuration</A> section.</P>
-<H2><A name="man.command">Commands</A></H2>
-<P>Many users will never give most of the FreeS/WAN commands directly.
- Configure the files listed above correctly and everything should be
- automatic.</P>
-<P>The exceptions are commands for mainpulating the<A href="glossary.html#RSA">
- RSA</A> keys used in Pluto authentication:</P>
-<DL>
-<DT><A href="manpage.d/ipsec_rsasigkey.8.html">ipsec_rsasigkey(8)</A></DT>
-<DD>generate keys</DD>
-<DT><A href="manpage.d/ipsec_newhostkey.8.html">ipsec_newhostkey(8)</A></DT>
-<DD>generate keys in a convenient format</DD>
-<DT><A href="manpage.d/ipsec_showhostkey.8.html">ipsec_showhostkey(8)</A>
-</DT>
-<DD>extract<A href="glossary.html#RSA"> RSA</A> keys from<A href="manpage.d/ipsec.secrets.5.html">
- ipsec.secrets(5)</A> (or optionally, another file) and format them for
- insertion in<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> or
- in DNS records</DD>
-</DL>
-<P>Note that:</P>
-<UL>
-<LI>These keys are for<STRONG> authentication only</STRONG>. They are<STRONG>
- not secure for encryption</STRONG>.</LI>
-<LI>The utility uses random(4) as a source of<A href="glossary.html#random">
- random numbers</A>. This may block for some time if there is not enough
- activity on the machine to provide the required entropy. You may want
- to give it some bogus activity such as random mouse movements or some
- command such as<NOBR> <TT>du /usr &gt; /dev/null &amp;</TT>.</LI>
-</UL>
-<P>The following commands are fairly likely to be used, if only for
- testing and status checks:</P>
-<DL>
-<DT><A href="manpage.d/ipsec.8.html">ipsec(8)</A></DT>
-<DD>invoke IPsec utilities</DD>
-<DT><A href="manpage.d/ipsec_setup.8.html">ipsec_setup(8)</A></DT>
-<DD>control IPsec subsystem</DD>
-<DT><A href="manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A></DT>
-<DD>control automatically-keyed IPsec connections</DD>
-<DT><A href="manpage.d/ipsec_manual.8.html">ipsec_manual(8)</A></DT>
-<DD>take manually-keyed IPsec connections up and down</DD>
-<DT><A href="manpage.d/ipsec_ranbits.8.html">ipsec_ranbits(8)</A></DT>
-<DD>generate random bits in ASCII form</DD>
-<DT><A href="manpage.d/ipsec_look.8.html">ipsec_look(8)</A></DT>
-<DD>show minimal debugging information</DD>
-<DT><A href="manpage.d/ipsec_barf.8.html">ipsec_barf(8)</A></DT>
-<DD>spew out collected IPsec debugging information</DD>
-</DL>
-<P>The lower-level utilities listed below are normally invoked via
- scripts listed above, but they can also be used directly when required.</P>
-<DL>
-<DT><A href="manpage.d/ipsec_eroute.8.html">ipsec_eroute(8)</A></DT>
-<DD>manipulate IPsec extended routing tables</DD>
-<DT><A href="manpage.d/ipsec_klipsdebug.8.html">ipsec_klipsdebug(8)</A></DT>
-<DD>set Klips (kernel IPsec support) debug features and level</DD>
-<DT><A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A></DT>
-<DD>IPsec IKE keying daemon</DD>
-<DT><A href="manpage.d/ipsec_spi.8.html">ipsec_spi(8)</A></DT>
-<DD>manage IPsec Security Associations</DD>
-<DT><A href="manpage.d/ipsec_spigrp.8.html">ipsec_spigrp(8)</A></DT>
-<DD>group/ungroup IPsec Security Associations</DD>
-<DT><A href="manpage.d/ipsec_tncfg.8.html">ipsec_tncfg(8)</A></DT>
-<DD>associate IPsec virtual interface with real interface</DD>
-<DT><A href="manpage.d/ipsec_whack.8.html">ipsec_whack(8)</A></DT>
-<DD>control interface for IPsec keying daemon</DD>
-</DL>
-<H2><A name="man.lib">Library routines</A></H2>
-<DL>
-<DT><A href="manpage.d/ipsec_atoaddr.3.html">ipsec_atoaddr(3)</A></DT>
-<DT><A href="manpage.d/ipsec_addrtoa.3.html">ipsec_addrtoa(3)</A></DT>
-<DD>convert Internet addresses to and from ASCII</DD>
-<DT><A href="manpage.d/ipsec_atosubnet.3.html">ipsec_atosubnet(3)</A></DT>
-<DT><A href="manpage.d/ipsec_subnettoa.3.html">ipsec_subnettoa(3)</A></DT>
-<DD>convert subnet/mask ASCII form to and from addresses</DD>
-<DT><A href="manpage.d/ipsec_atoasr.3.html">ipsec_atoasr(3)</A></DT>
-<DD>convert ASCII to Internet address, subnet, or range</DD>
-<DT><A href="manpage.d/ipsec_rangetoa.3.html">ipsec_rangetoa(3)</A></DT>
-<DD>convert Internet address range to ASCII</DD>
-<DT>ipsec_atodata(3)</DT>
-<DT><A href="manpage.d/ipsec_datatoa.3.html">ipsec_datatoa(3)</A></DT>
-<DD>convert binary data from and to ASCII formats</DD>
-<DT><A href="manpage.d/ipsec_atosa.3.html">ipsec_atosa(3)</A></DT>
-<DT><A href="manpage.d/ipsec_satoa.3.html">ipsec_satoa(3)</A></DT>
-<DD>convert IPsec Security Association IDs to and from ASCII</DD>
-<DT><A href="manpage.d/ipsec_atoul.3.html">ipsec_atoul(3)</A></DT>
-<DT><A href="manpage.d/ipsec_ultoa.3.html">ipsec_ultoa(3)</A></DT>
-<DD>convert unsigned-long numbers to and from ASCII</DD>
-<DT><A href="manpage.d/ipsec_goodmask.3.html">ipsec_goodmask(3)</A></DT>
-<DD>is this Internet subnet mask a valid one?</DD>
-<DT><A href="manpage.d/ipsec_masktobits.3.html">ipsec_masktobits(3)</A></DT>
-<DD>convert Internet subnet mask to bit count</DD>
-<DT><A href="manpage.d/ipsec_bitstomask.3.html">ipsec_bitstomask(3)</A></DT>
-<DD>convert bit count to Internet subnet mask</DD>
-<DT><A href="manpage.d/ipsec_optionsfrom.3.html">ipsec_optionsfrom(3)</A>
-</DT>
-<DD>read additional ``command-line'' options from file</DD>
-<DT><A href="manpage.d/ipsec_subnetof.3.html">ipsec_subnetof(3)</A></DT>
-<DD>given Internet address and subnet mask, return subnet number</DD>
-<DT><A href="manpage.d/ipsec_hostof.3.html">ipsec_hostof(3)</A></DT>
-<DD>given Internet address and subnet mask, return host part</DD>
-<DT><A href="manpage.d/ipsec_broadcastof.3.html">ipsec_broadcastof(3)</A>
-</DT>
-<DD>given Internet address and subnet mask, return broadcast address</DD>
-</DL>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="faq.html">Previous</A>
-<A HREF="firewall.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/nightly.html b/doc/nightly.html
deleted file mode 100644
index 580fc0fc5..000000000
--- a/doc/nightly.html
+++ /dev/null
@@ -1,125 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="makecheck.html">Previous</A>
-<HR>
-<H1><A name="nightly">Nightly regression testing</A></H1>
-<P> The nightly regression testing system consists of several shell
- scripts and some perl scripts. The goal is to check out a fresh tree,
- run &quot;make check&quot; on it, record the results and summarize the results to
- the team and to the web site.</P>
-<P> Output can be found on<A HREF="http://bugs.freeswan.org:81/"> adams</A>
-, although the tests are actually run on another project machine.</P>
-<H1><A name="nightlyhowto">How to setup the nightly build</A></H1>
-<P> The best way to do nightly testing is to setup a new account. We
- call the account &quot;build&quot; - you could call it something else, but there
- may still be some references to ~build in the scripts.</P>
-<H2><A NAME="42_1"> Files you need to know about</A></H2>
-<P> As few files as possible need to be extracted from the source tree -
- files are run from the source tree whenever possible. However, there
- are some bootstrap and configuration files that are necessary.</P>
-<P> There are 7 files in testing/utils that are involved:</P>
-<DL>
-<DT> nightly-sample.sh</DT>
-<DD> This is the root of the build process. This file should be copied
- out of the CVS tree, to $HOME/bin/nightly.sh of the build account. This
- file should be invoked from cron.</DD>
-<DT> freeswan-regress-env-sample.sh</DT>
-<DD> This file should be copied to $HOME/freeswan-regress-env.sh. It
- should be edited to localize the values. See below.</DD>
-<DT> regress-cleanup.pl</DT>
-<DD> This file needs to be copied to $HOME/bin/regress-cleanup.pl. It is
- invoked by the nightly file before doing anything else. It removes
- previous nights builds in order to free up disk space for the build
- about to be done.</DD>
-<DT> teammail-sample.sh</DT>
-<DD> A script used to send results email to the &quot;team&quot;. This sample
- script could be copied to $HOME/bin/teammail.sh. This version will PGP
- encrypt all the output to the team members. If this script is used,
- then PGP will have to be properly setup to have the right keys.</DD>
-<DT> regress-nightly.sh</DT>
-<DD> This is the first stage of the nightly build. This stage will call
- other scripts as appropriate, and will extract the source code from
- CVS. This script should be copied to $HOME/bin/regress-nightly.sh</DD>
-<DT> regress-stage2.sh</DT>
-<DD> This is the second stage of the nightly build. It is called in
- place. It essentially sets up the UML setup in umlsetup.sh, and calls
- &quot;make check&quot;.</DD>
-<DT> regress-summarize-results.pl</DT>
-<DD> This script will summarize the results from the tests to a
- permanent directory set by $REGRESSRESULTS. It is invoked from the
- stage2 nightly script.</DD>
-<DT> regress-chart.sh</DT>
-<DD> This script is called at the end of the build process, and will
- summarize each night's results (as saved into $REGRESSRESULTS by
- regress-summarize-results.pl) as a chart using gnuplot. Note that this
- requires at least gnuplot 3.7.2.</DD>
-</DL>
-<H2><A NAME="42_2">Configuring freeswan-regress-env.sh</A></H2>
-<P>For more info on KERNPOOL, UMLPATCH, BASICROOT and SHAREDIR, see<A HREF="umltesting.html">
- User-Mode-Linux testing guide</A>.</P>
-<DL>
-<DT> KERNPOOL</DT>
-<DD> Extract copy of some kernel source to be used for UML builds</DD>
-<DT> UMLPATCH</DT>
-<DD> matching User-Mode-Linux patch.</DD>
-<DT> BASICROOT</DT>
-<DD> the root file system image (see<A HREF="umltesting.html">
- User-Mode-Linux testing guide</A>).</DD>
-<DT> SHAREDIR=${BASICROOT}/usr/share</DT>
-<DD> The /usr/share to use.</DD>
-<DT> REGRESSTREE</DT>
-<DD> A directory in which to store the nightly regression results.
- Directories will be created by date in this tree.</DD>
-<DT> TCPDUMP=tcpdump-3.7.1</DT>
-<DD> The path to the<A HREF="http://www.tcpdump.org/"> tcpdump</A> to
- use. This must have crypto compiled in, and must be at least 3.7.1</DD>
-<DT> KERNEL_RH7_2_SRC=/a3/kernel_sources/linux-2.4.9-13/</DT>
-<DD> An extracted copy of the RedHat 7.2. kernel source. If set, then
- the packaging/rpm-rh72-install-01 test will be run, and an RPM will be
- built as a test.</DD>
-<DT> KERNEL_RH7_3_SRC=/a3/kernel_sources/rh/linux-2.4.18-5</DT>
-<DD> An extracted copy of the RedHat 7.3. kernel source. If set, then
- the packaging/rpm-rh73-install-01 test will be run, and an RPM will be
- built as a test.</DD>
-<DT> NIGHTLY_WATCHERS=&quot;userid,userid,userid&quot;</DT>
-<DD> The list of people who should receive nightly output. This is used
- by teammail.sh</DD>
-<DT> FAILLINES=128</DT>
-<DD> How many lines of failed test output to include in the nightly
- output</DD>
-<DT> PATH=$PATH:/sandel/bin export PATH</DT>
-<DD> You can also override the path if necessary here.</DD>
-<DT> CVSROOT=:pserver:anoncvs@ip212.xs4net.freeswan.org:/freeswan/MASTER</DT>
-<DD> The CVSROOT to use. This example may work for anonymous CVS, but
- will be 12 hours behind the primary, and is still experimental</DD>
-<DT> SNAPSHOTSIGDIR=$HOME/snapshot-sig</DT>
-<DD> For the release tools, where to put the generated per-snapshot
- signature keys</DD>
-<DT> LASTREL=1.97</DT>
-<DD> the name of the last release branch (to find the right per-snapshot
- signature</DD>
-<DD></DD>
-</DL>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="makecheck.html">Previous</A>
-</BODY>
-</HTML>
diff --git a/doc/oppimpl.txt b/doc/oppimpl.txt
deleted file mode 100644
index fe4527d4e..000000000
--- a/doc/oppimpl.txt
+++ /dev/null
@@ -1,514 +0,0 @@
-Implementing Opportunistic Encryption
-
-Henry Spencer & D. Hugh Redelmeier
-
-Version 4+, 15 Dec 2000
-
-
-
-Updates
-
-Major changes since last version:  "Negotiation Issues" section discussing
-some interoperability matters, plus some wording cleanup.  Some issues
-arising from discussions at OLS are not yet resolved, so there will almost
-certainly be another version soon.
-
-xxx incoming could be opportunistic or RW.  xxx any way of saving unaware
-implementations???  xxx compression needs mention.
-
-
-
-Introduction
-
-A major long-term goal of the FreeS/WAN project is opportunistic
-encryption:  a security gateway intercepts an outgoing packet aimed at a
-new remote host, and quickly attempts to negotiate an IPsec tunnel to that
-host's security gateway, so that traffic can be encrypted and
-authenticated without changes to the host software.  (This generalizes
-trivially to the end-to-end case where host and security gateway are one
-and the same.)  If the attempt fails, the packet (or a retry thereof)
-passes through in clear or is dropped, depending on local policy. 
-Prearranged tunnels bypass all this, so static VPNs can coexist with
-opportunistic encryption. 
-
-xxx here Although significant intelligence about all this is necessary at the
-initiator end, it's highly desirable for little or no special machinery
-to be needed at the responder end.  In particular, if none were needed,
-then a security gateway which knows nothing about opportunistic encryption
-could nevertheless participate in some opportunistic connections.
-
-IPSEC gives us the low-level mechanisms, and the key-exchange machinery,
-but there are some vague spots (to put it mildly) at higher levels.
-
-One constraint which deserves comment is that the process of tunnel setup
-should be quick.  Moreover, the decision that no tunnel can be created
-should also be quick, since that will be a common case, at least in the
-beginning.  People will be reluctant to use opportunistic encryption if it
-causes gross startup delays on every connection, even connections which see
-no benefit from it.  Win or lose, the process must be rapid.
-
-There's nothing much we can do to speed up the key exchange itself.  (The
-one thing which conceivably might be done is to use Aggressive Mode, which
-involves fewer round trips, but it has limitations and possible security
-problems, and we're reluctant to touch it.)  What we can do, is to make the
-other parts of the setup process as quick as possible.  This desire will
-come back to haunt us below. :-)
-
-A further note is that we must consider the processing at the responder
-end as well as the initiator end.
-
-Several pieces of new machinery are needed to make this work.  Here's a
-brief list, with details considered below.
-
-+ Outgoing Packet Interception.  KLIPS needs to intercept packets which
-likely would benefit from tunnel setup, and bring them to Pluto's
-attention.  There needs to be enough memory in the process that the same
-tunnel doesn't get proposed too often (win or lose). 
-
-+ Smart Connection Management.  Not only do we need to establish tunnels
-on request, once a tunnel is set up, it needs to be torn down eventually
-if it's not in use.  It's also highly desirable to detect the fact that it
-has stopped working, and do something useful.  Status changes should be
-coordinated between the two security gateways unless one has crashed,
-and even then, they should get back into sync eventually.
-
-+ Security Gateway Discovery.  Given a packet destination, we must decide
-who to attempt to negotiate a tunnel with.  This must be done quickly, win
-or lose, and reliably even in the presence of diverse network setups.
-
-+ Authentication Without Prearrangement.  We need to be sure we're really
-talking to the intended security gateway, without being able to prearrange
-any shared information.  He needs the same assurance about us.
-
-+ More Flexible Policy.  In particular, the responding Pluto needs a way
-to figure out whether the connection it is being asked to make is okay.
-This isn't as simple as just searching our existing conn database -- we
-probably have to specify *classes* of legitimate connections.
-
-Conveniently, we have a three-letter acronym for each of these. :-)
-
-Note on philosophy:  we have deliberately avoided providing six different
-ways to do each step, in favor of specifying one good one.  Choices are
-provided only when they appear to be necessary.  (Or when we are not yet
-quite sure yet how best to do something...)
-
-
-
-OPI, SCM
-
-Smart Connection Management would be quite useful even by itself,
-requiring manual triggering.  (Right now, we do the manual triggering, but
-not the other parts of SCM.)  Outgoing Packet Interception fits together
-with SCM quite well, and improves its usefulness further.  Going through a
-connection's life cycle from the start... 
-
-OPI itself is relatively straightforward, aside from the nagging question
-of whether the intercepted packet is put on hold and then released, or
-dropped.  Putting it on hold is preferable; the alternative is to rely on
-the application or the transport layer re-trying.  The downside of packet
-hold is extra resources; the downside of packet dropping is that IPSEC
-knows *when* the packet can finally go out, and the higher layers don't. 
-Either way, life gets a little tricky because a quickly-retrying
-application may try more than once before we know for sure whether a
-tunnel can be set up, and something has to detect and filter out the
-duplications.  Some ARP implementations use the approach of keeping one
-packet for an as-yet-unresolved address, and throwing away any more that
-appear; that seems a reasonable choice.
-
-(Is it worth intercepting *incoming* packets, from the outside world, and
-attempting tunnel setup based on them?  Perhaps... if, and only if, we
-organize AWP so that non-opportunistic SGs can do it somehow.  Otherwise,
-if the other end has not initiated tunnel setup itself, it will not be
-prepared to do so at our request.)
-
-Once a tunnel is up, packets going into it naturally are not intercepted
-by OPI.  However, we need to do something about the flip side of this too: 
-after deciding that we *cannot* set up a tunnel, either because we don't
-have enough information or because the other security gateway is
-uncooperative, we have to remember that for a while, so we don't keep
-knocking on the same locked door.  One plausible way of doing that is to
-set up a bypass "tunnel" -- the equivalent of our current %passthrough
-connection -- and have it managed like a real SCM tunnel (finite lifespan
-etc.).  This sounds a bit heavyweight, but in practice, the alternatives
-all end up doing something very similar when examined closely.  Note that
-we need an extra variant of this, a block rather than a bypass, to cover
-the case where local policy dictates that packets *not* be passed through;
-we still have to remember the fact that we can't set up a real tunnel.
-
-When to tear tunnels down is a bit problematic, but if we're setting up a
-potentially unbounded number of them, we have to tear them down *somehow*
-*sometime*.  It seems fairly obvious that we set a tentative lifespan,
-probably fairly short (say 1min), and when it expires, we look to see if
-the tunnel is still in use (say, has had traffic in the last half of the
-lifespan).  If so, we assign it a somewhat longer lifespan (say 10min),
-after which we look again.  If not, we close it down.  (This lifespan is
-independent of key lifetime; it is just the time when the tunnel's future
-is next considered.  This should happen reasonably frequently, unlike
-rekeying, which is costly and shouldn't be too frequent.)  Multi-step
-backoff algorithms probably are not worth the trouble; looking every
-10min doesn't seem onerous.
-
-For the tunnel-expiry decision, we need to know how long it has been since
-the last traffic went through.  A more detailed history of the traffic
-does not seem very useful; a simple idle timer (or last-traffic timestamp)
-is both necessary and sufficient.  And KLIPS already has this.
-
-As noted, default initial lifespan should be short.  However, Pluto should
-keep a history of recently-closed tunnels, to detect cases where a tunnel
-is being repeatedly re-established and should be given a longer lifespan. 
-(Not only is tunnel setup costly, but it adds user-visible delay, so
-keeping a tunnel alive is preferable if we have reason to suspect more
-traffic soon.)  Any tunnel re-established within 10min of dying should have
-10min added to its initial lifespan.  (Just leaving all tunnels open longer
-is unappealing -- adaptive lifetimes which are sensitive to the behavior
-of a particular tunnel are wanted.  Tunnels are relatively cheap entities
-for us, but that is not necessarily true of all implementations, and there
-may also be administrative problems in sorting through large accumulations
-of idle tunnels.)
-
-It might be desirable to have detailed information about the initial
-packet when determining lifespans.  HTTP connections in particular are
-notoriously bursty and repetitive. 
-
-Arguably it would be nice to monitor TCP connection status.  A still-open
-TCP connection is almost a guarantee that more traffic is coming, while
-the closing of the only TCP connection through a tunnel is a good hint
-that none is.  But the monitoring is complex, and it doesn't seem worth
-the trouble. 
-
-IKE connections likewise should be torn down when it appears the need has
-passed.  They should linger longer than the last tunnel they administer,
-just in case they are needed again; the cost of retaining them is low.  An
-SG with only a modest number of them open might want to simply retain each
-until rekeying time, with more aggressive management cutting in only when
-the number gets large.  (They should be torn down eventually, if only to
-minimize the length of a status report, but rekeying is the only expensive
-event for them.)
-
-It's worth remembering that tunnels sometimes go down because the other
-end crashes, or disconnects, or has a network link break, and we don't get
-any notice of this in the general case.  (Even in the event of a crash and
-successful reboot, we won't hear about it unless the other end has
-specific reason to talk IKE to us immediately.)  Of course, we have to
-guard against being too quick to respond to temporary network outages,
-but it's not quite the same issue for us as for TCP, because we can tear
-down and then re-establish a tunnel without any user-visible effect except
-a pause in traffic.  And if the other end does go down and come back up,
-we and it can't communicate *at all* (except via IKE) until we tear down
-our tunnel.
-
-So... we need some kind of heartbeat mechanism.  Currently there is none
-in IKE, but there is discussion of changing that, and this seems like the
-best approach.  Doing a heartbeat at the IP level will not tell us about a
-crash/reboot event, and sending heartbeat packets through tunnels has
-various complications (they should stop at the far mouth of the tunnel
-instead of going on to a subnet; they should not count against idle
-timers; etc.).  Heartbeat exchanges obviously should be done only when
-there are tunnels established *and* there has been no recent incoming
-traffic through them.  It seems reasonable to do them at lifespan ends,
-subject to appropriate rate limiting when more than one tunnel goes to the
-same other SG.  When all traffic between the two ends is supposed to go
-via the tunnel, it might be reasonable to do a heartbeat -- subject to a
-rate limiter to avoid DOS attacks -- if the kernel sees a non-tunnel
-non-IKE packet from the other end. 
-
-If a heartbeat gets no response, try a few (say 3) pings to check IP
-connectivity; if one comes back, try another heartbeat; if it gets no
-response, the other end has rebooted, or otherwise been re-initialized,
-and its tunnels should be torn down.  If there's no response to the pings,
-note the fact and try the sequence again at the next lifespan end; if
-there's nothing then either, declare the tunnels dead. 
-
-Finally... except in cases where we've decided that the other end is dead
-or has rebooted, tunnel teardown should always be coordinated with the
-other end.  This means interpreting and sending Delete notifications, and
-also Initial-Contacts.  Receiving a Delete for the other party's tunnel
-SAs should lead us to tear down our end too -- SAs (SA bundles, really)
-need to be considered as paired bidirectional entities, even though the
-low-level protocols don't think of them that way. 
-
-
-
-SGD, AWP
-
-Given a packet destination, how do we decide who to (attempt to) negotiate
-a tunnel with?  And as a related issue, how do the negotiating parties
-authenticate each other?  DNSSEC obviously provides the tools for the
-latter, but how exactly do we use them?
-
-Having intercepted a packet, what we know is basically the IP addresses of
-source and destination (plus, in principle, some information about the
-desired communication, like protocol and port).  We might be able to map
-the source address to more information about the source, depending on how
-well we control our local networks, but we know nothing further about the
-destination. 
-
-The obvious first thing to do is a DNS reverse lookup on the destination
-address; that's about all we can do with available data.  Ideally, we'd
-like to get all necessary information with this one DNS lookup, because
-DNS lookups are time-consuming -- all the more so if they involve a DNSSEC
-signature-checking treewalk by the name server -- and we've got to hurry.
-While it is unusual for a reverse lookup to yield records other than PTR
-records (or possibly CNAME records, for RFC 2317 classless delegation),
-there's no reason why it can't.
-
-(For purposes like logging, a reverse lookup is usually followed by a
-forward lookup, to verify that the reverse lookup wasn't lying about the
-host name.  For our purposes, this is not vital, since we use stronger
-authentication methods anyway.)
-
-While we want to get as much data as possible (ideally all of it) from one
-lookup, it is useful to first consider how the necessary information would
-be obtained if DNS lookups were instantaneous.  Two pieces of information
-are absolutely vital at this point:  the IP address of the other end's
-security gateway, and the SG's public key*. 
-
-(* Actually, knowledge of the key can be postponed slightly -- it's not
-needed until the second exchange of the negotiations, while we can't even
-start negotiations without knowing the IP address.  The SG is not
-necessarily on the plain-IP route to the destination, especially when
-multiple SGs are present.)
-
-Given instantaneous DNS lookups, we would:
-
-+ Start with a reverse lookup to turn the address into a name.
-
-+ Look for something like RFC-2782 SRV records using the name, to find out
-who provides this particular service.  If none comes back, we can abandon
-the whole process. 
-
-+ Select one SRV record, which gives us the name of a target host (plus
-possibly one or more addresses, if the name server has supplied address
-records as Additional Data for the SRV records -- this is recommended
-behavior but is not required). 
-
-+ Use the target name to look up a suitable KEY record, and also address
-record(s) if they are still needed. 
-
-This gives us the desired address(es) and key.  However, it requires three
-lookups, and we don't even find out whether there's any point in trying
-until after the second.
-
-With real DNS lookups, which are far from instantaneous, some optimization
-is needed.  At the very least, typical cases should need fewer lookups.
-
-So when we do the reverse lookup on the IP address, instead of asking for
-PTR, we ask for TXT.  If we get none, we abandon opportunistic
-negotiation, and set up a bypass/block with a relatively long life (say
-6hr) because it's not worth trying again soon.  (Note, there needs to be a
-way to manually force an early retry -- say, by just clearing out all
-memory of a particular address -- to cover cases where a configuration
-error is discovered and fixed.)
-
-xxx need to discuss multi-string TXTs
-
-In the results, we look for at least one TXT record with content
-"X-IPsec-Server(nnn)=a.b.c.d kkk", following RFC 1464 attribute/value
-notation.  (The "X-" indicates that this is tentative and experimental;
-this design will probably need modification after initial experiments.)
-Again, if there is no such record, we abandon opportunistic negotiation. 
-
-"nnn" and the parentheses surrounding it are optional.  If present, it
-specifies a priority (low number high priority), as for MX records, to
-control the order in which multiple servers are tried.  If there are no
-priorities, or there are ties, pick one randomly.
-
-"a.b.c.d" is the dotted-decimal IP address of the SG.  (Suitable extensions
-for IPv6, when the time comes, are straightforward.)
-
-"kkk" is either an RSA-MD5 public key in base-64 notation, as in the text
-form of an RFC 2535 KEY record, or "@hhh".  In the latter case, hhh is a
-DNS name, under which one Host/Authentication/IPSEC/RSA-MD5 KEY record is
-present, giving the server's authentication key.  (The delay of the extra
-lookup is undesirable, but practical issues of key management may make it
-advisable not to duplicate the key itself in DNS entries for many
-clients.)
-
-It unfortunately does appear that the authentication key has to be
-associated with the server, not the client behind it.  At the time when
-the responder has to authenticate our SG, it does not know which of its
-clients we are interested in (i.e., which key to use), and there is no
-good way to tell it.  (There are some bad ways; this decision may merit
-re-examination after experimental use.)
-
-The responder authenticates our SG by doing a reverse lookup on its IP
-address to get a Host/Authentication/IPSEC/RSA-MD5 KEY record.  He can
-attempt this in parallel with the early parts of the negotiation (since he
-knows our SG IP address from the first negotiation packet), at the risk of
-having to abandon the attempt and do a different lookup if we use
-something different as our ID (see below).  Unfortunately, he doesn't yet
-know what client we will claim to represent, so he'll need to do another
-lookup as part of phase 2 negotiation (unless the client *is* our SG), to
-confirm that the client has a TXT X-IPsec-Server record pointing to our
-SG.  (Checking that the record specifies the same key is not important,
-since the responder already has a trustworthy key for our SG.)
-
-Also unfortunately, opportunistic tunnels can only have degenerate subnets
-(/32 subnets, containing one host) at their ends.  It's superficially
-attractive to negotiate broader connections... but without prearrangement,
-you don't know whether you can trust the other end's claim to have a
-specific subnet behind it.  Fixing this would require a way to do a
-reverse lookup on the *subnet* (you cannot trust information in DNS
-records for a name or a single address, which may be controlled by people
-who do not control the whole subnet) with both the address and the mask
-included in the name.  Except in the special case of a subnet masked on a
-byte boundary (in which case RFC 1035's convention of an incomplete
-in-addr.arpa name could be used), this would need extensions to the
-reverse-map name space, which is awkward, especially in the presence of
-RFC 2317 delegation.  (IPv6 delegation is more flexible and it might be
-easier there.)
-
-There is a question of what ID should be used in later steps of
-negotiation.  However, the desire not to put more DNS lookups in the
-critical path suggests avoiding the extra complication of varied IDs,
-except in the Road Warrior case (where an extra lookup is inevitable).
-Also, figuring out what such IDs *mean* gets messy.  To keep things simple,
-except in the RW case, all IDs should be IP addresses identical to those
-used in the packet headers.
-
-For Road Warrior, the RW must be the initiator, since the home-base SG has
-no idea what address the RW will appear at.  Moreover, in general the RW
-does not control the DNS entries for his address.  This inherently denies
-the home base any authentication of the RW's IP address; the most it can
-do is to verify an identity he provides, and perhaps decide whether it
-wishes to talk to someone with that identity, but this does not verify his
-right to use that IP address -- nothing can, really. 
-
-(That may sound like it would permit some man-in-the-middle attacks, but
-the RW can still do full authentication of the home base, so a man in the
-middle cannot successfully impersonate home base.  Furthermore, a man in
-the middle must impersonate both sides for the DH exchange to work.  So
-either way, the IKE negotiation falls apart.)
-
-A Road Warrior provides an FQDN ID, used for a forward lookup to obtain a
-Host/Authentication/IPSEC/RSA-MD5 KEY record.  (Note, an FQDN need not
-actually correspond to a host -- e.g., the DNS data for it need not
-include an A record.)  This suffices, since the RW is the initiator and
-the responder knows his address from his first packet.
-
-Certain situations where a host has a more-or-less permanent IP address,
-but does not control its DNS entries, must be treated essentially like
-Road Warrior.  It is unfortunate that DNS's old inverse-query feature
-cannot be used (nonrecursively) to ask the initiator's local DNS server
-whether it has a name for the address, because the address will almost
-always have been obtained from a DNS name lookup, and it might be a lookup
-of a name whose DNS entries the host *does* control.  (Real examples of
-this exist:  the host has a preferred name whose host-controlled entry
-includes an A record, but a reverse lookup on the address sends you to an
-ISP-controlled name whose entry has an A record but not much else.)  Alas,
-inverse query is long obsolete and is not widely implemented now. 
-
-There are some questions in failure cases.  If we cannot acquire the info
-needed to set up a tunnel, this is the no-tunnel-possible case.  If we
-reach an SG but negotiation fails, this too is the no-tunnel-possible
-case, with a relatively long bypass/block lifespan (say 1hr) since
-fruitless negotiations are expensive.  (In the multiple-SG case, it seems
-unlikely to be worthwhile to try other SGs just in case one of them might
-have a configuration permitting successful negotiation.)
-
-Finally, there is a sticky problem with timeouts.  If the other SG is down
-or otherwise inaccessible, in the worst case we won't hear about this
-except by not getting responses.  Some other, more pathological or even
-evil, failure cases can have the same result.  The problem is that in the
-case where a bypass is permitted, we want to decide whether a tunnel is
-possible quickly.  It gets even worse if there are multiple SGs, in which
-case conceivably we might want to try them all (since some SGs being up
-when others are down is much more likely than SGs differing in policy). 
-
-The patience setting needs to be configurable policy, with a reasonable
-default (to be determined by experiment).  If it expires, we simply have
-to declare the attempt a failure, and set up a bypass/block.  (Setting up
-a tentative bypass/block, and replacing it with a real tunnel if remaining
-attempts do produce one, looks attractive at first glance... but exposing
-the first few seconds of a connection is often almost as bad as exposing
-the whole thing!)  Such a bypass/block should have a short lifespan, say
-10min, because the SG(s) might be only temporarily unavailable.
-
-The flip side of IKE waiting for a timeout is that all other forms of
-feedback, e.g. "host not reachable", should be *ignored*, because you
-cannot trust them!  This may need kernel changes. 
-
-Can AWP be done by non-opportunistic SGs?  Probably not; existing SG
-implementations generally aren't prepared to do anything suitable, except
-perhaps via the messy business of certificates.  There is one borderline
-exception:  some implementations rely on LDAP for at least some of their
-information fetching, and it might be possible to substitute a custom LDAP
-server which does the right things for them.  Feasibility of this depends
-on details, which we don't know well enough. 
-
-[This could do with a full example, a complete packet by packet walkthrough
-including all DNS and IKE traffic.]
-
-
-
-MFP
-
-Our current conn database simply isn't flexible enough to cover all this
-properly.  In particular, the responding Pluto needs a way to figure out
-whether the connection it is being asked to make is legitimate.
-
-This is more subtle than it sounds, given the problem noted earlier, that
-there's no clear way to authenticate claims to represent a non-degenerate
-subnet.  Our database has to be able to say "a connection to any host in
-this subnet is okay" or "a connection to any subnet within this subnet is
-okay", rather than "a connection to exactly this subnet is okay".  (There
-is some analogy to the Road Warrior case here, which may be relevant.)
-This will require at least a re-interpretation of ipsec.conf.
-
-Interim stages of implementation of this will require a bit of thought.
-Notably, we need some way of dealing with the lack of fully signed DNSSEC
-records.  Without user interaction, probably the best we can do is to
-remember the results of old fetches, compare them to the results of new
-fetches, and complain and disbelieve all of it if there's a mismatch. 
-This does mean that somebody who gets fake data into our very first fetch
-will fool us, at least for a while, but that seems an acceptable tradeoff.
-
-
-
-Negotiation Issues
-
-There are various options which are nominally open to negotiation as part
-of setup, but which have to be nailed down at least well enough that
-opportunistic SGs can reliably interoperate.  Somewhat arbitrarily and
-tentatively, opportunistic SGs must support Main Mode, Oakley group 5 for
-D-H, 3DES encryption and MD5 authentication for both ISAKMP and IPsec SAs,
-RSA digital-signature authentication with keys between 2048 and 8192 bits,
-and ESP doing both encryption and authentication.  They must do key PFS
-in Quick Mode, but not identity PFS.
-
-
-
-What we need from DNS
-
-Fortunately, we don't need any new record types or suchlike to make this
-all work.  We do, however, need attention to a couple of areas in DNS
-implementation.
-
-First, size limits.  Although the information we directly need from a
-lookup is not enormous -- the only potentially-big item is the KEY record,
-and there should be only one of those -- there is still a problem with
-DNSSEC authentication signatures.  With a 2048-bit key and assorted
-supporting information, we will fill most of a 512-byte DNS UDP packet...
-and if the data is to have DNSSEC authentication, at least one quite large
-SIG record will come too.  Plus maybe a TSIG signature on the whole
-response, to authenticate it to our resolver.  So:  DNSSEC-capable name
-servers must fix the 512-byte UDP limit.  We're told there are provisions
-for this; implementation of them is mandatory. 
-
-Second, interface.  It is unclear how the resolver interface will let us
-ask for DNSSEC authentication.  We would prefer to ask for "authentication
-where possible", and get back the data with each item flagged by whether
-authentication was available (and successful!) or not available.  Having
-to ask separately for authenticated and non-authenticated data would
-probably be acceptable, *provided* both will be cached on the first
-request, so the two requests incur only one set of (non-local) network
-traffic.  Either way, we want to see the name server and resolver do this
-for us; that makes sense in any case, since it's important that
-verification be done somewhere where it can be cached, the more centrally
-the better. 
-
-Finally, a wistful note:  the ability to do a limited form of inverse
-queries (an almost forgotten feature), to ask the local name server which
-hostname it recently mapped to a particular address, would be quite
-helpful.  Note, this is *NOT* the same as a reverse lookup, and crude
-fakes like putting a dotted-decimal address in brackets do not suffice. 
diff --git a/doc/opportunism-spec.txt b/doc/opportunism-spec.txt
deleted file mode 100644
index fbe319a57..000000000
--- a/doc/opportunism-spec.txt
+++ /dev/null
@@ -1,1254 +0,0 @@
-
-
-
-
-
-
-
-
-
-                  Opportunistic Encryption
-
-                       Henry Spencer
-                     D. Hugh Redelmeier
-                    henry@spsystems.net
-                      hugh@mimosa.com
-                  Linux FreeS/WAN Project
-
-
-
-          Opportunistic   encryption   permits   secure
-     (encrypted, authenticated) communication via IPsec
-     without  connection-by-connection  prearrangement,
-     either explicitly between hosts  (when  the  hosts
-     are  capable  of  it) or transparently via packet-
-     intercepting  security  gateways.   It  uses   DNS
-     records (authenticated with DNSSEC) to provide the
-     necessary information for  gateway  discovery  and
-     gateway authentication, and constrains negotiation
-     enough to guarantee success.
-
-     Substantive  changes  since  draft  3:  write  off
-     inverse  queries  as a lost cause; use Invalid-SPI
-     rather than Delete as notification of unknown  SA;
-     minor  wording  improvements  and  clarifications.
-     This document takes over from the  older  ``Imple-
-     menting Opportunistic Encryption'' document.
-
-
-1.  Introduction
-
-A  major  goal  of  the  FreeS/WAN  project is opportunistic
-encryption: a  (security)  gateway  intercepts  an  outgoing
-packet aimed at a remote host, and quickly attempts to nego-
-tiate an IPsec tunnel to that host's security  gateway.   If
-the  attempt succeeds, traffic can then be secure, transpar-
-ently (without  changes  to  the  host  software).   If  the
-attempt  fails,  the  packet  (or  a  retry  thereof) passes
-through in clear or is dropped, depending on  local  policy.
-Prearranged  tunnels bypass the packet interception etc., so
-static VPNs can coexist with opportunistic encryption.
-
-This generalizes trivially to the end-to-end case: host  and
-security  gateway  simply  are one and the same.  Some opti-
-mizations are possible in that case, but  the  basic  scheme
-need not change.
-
-The  objectives  for  security systems need to be explicitly
-stated.  Opportunistic encryption is meant to achieve secure
-communication, without prearrangement of the individual con-
-nection (although some prearrangement on a per-host basis is
-
-
-
-Draft 4                  3 May 2001                        1
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-required),  between any two hosts which implement the proto-
-col (and, if they act as security  gateways,  between  hosts
-behind  them).   Here ``secure'' means strong encryption and
-authentication of packets, with authentication  of  partici-
-pants--to   prevent   man-in-the-middle   and  impersonation
-attacks--dependent on several factors.  The  biggest  factor
-is  the authentication of DNS records, via DNSSEC or equiva-
-lent means.  A lesser factor is which exact variant  of  the
-setup  procedure (see section 2.2) is used, because there is
-a tradeoff between strong authentication of  the  other  end
-and ability to negotiate opportunistic encryption with hosts
-which have limited or no control of  their  reverse-map  DNS
-records: without reverse-map information, we can verify that
-the host has the right to use a particular FQDN (Fully Qual-
-ified  Domain Name), but not whether that FQDN is authorized
-to use that IP address.  Local policy  must  decide  whether
-authentication or connectivity has higher priority.
-
-Apart  from  careful  attention  to detail in various areas,
-there are three crucial design  problems  for  opportunistic
-encryption.   It  needs a way to quickly identify the remote
-host's security gateway.  It needs a way to  quickly  obtain
-an  authentication  key  for  the security gateway.  And the
-numerous options which can be specified  with  IKE  must  be
-constrained  sufficiently  that  two independent implementa-
-tions  are  guaranteed  to  reach  agreement,  without   any
-explicit  prearrangement  or  preliminary  negotiation.  The
-first two problems are solved using DNS, with DNSSEC  ensur-
-ing  that the data obtained is reliable; the third is solved
-by specifying a minimum standard which must be supported.
-
-A note on philosophy: we have deliberately avoided providing
-six  different  ways  to do each job, in favor of specifying
-one good one.  Choices are provided only when they appear to
-be necessary, or at least important.
-
-A note on terminology: to avoid constant circumlocutions, an
-ISAKMP/IKE SA, possibly recreated occasionally by  rekeying,
-will  be  referred  to as a ``keying channel'', and a set of
-IPsec SAs providing bidirectional communication between  two
-IPsec  hosts,  possibly  recreated occasionally by rekeying,
-will be referred to as a ``tunnel''  (it  could  conceivably
-use transport mode in the host-to-host case, but we advocate
-using tunnel mode even there).  The word  ``connection''  is
-here  used  in  a more generic sense.  The word ``lifetime''
-will be avoided in favor  of  ``rekeying  interval'',  since
-many  of  the connections will have useful lives far shorter
-than any reasonable rekeying interval,  and  hence  the  two
-concepts must be separated.
-
-A note on document structure: Discussions of why things were
-done a particular way, or not done  a  particular  way,  are
-broken  out in paragraphs headed ``Rationale:'' (to preserve
-the flow of the text, many such paragraphs are  deferred  to
-
-
-
-Draft 4                  3 May 2001                        2
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-the ends of sections).  Paragraphs headed ``Ahem:'' are dis-
-cussions of where the problem is  being  made  significantly
-harder  by  problems  elsewhere,  and how that might be cor-
-rected.  Some meta-comments are enclosed in [].
-
-Rationale: The motive is  to  get  the  Internet  encrypted.
-That  requires  encryption  without connection-by-connection
-prearrangement: a system must be able to reliably  negotiate
-an   encrypted,   authenticated   connection  with  a  total
-stranger.  While end-to-end encryption is preferable,  doing
-opportunistic encryption in security gateways gives enormous
-leverage for quick deployment of this technology, in a world
-where  end-host software is often primitive, rigid, and out-
-dated.
-
-Rationale: Speed is of the essence in tunnel setup:  a  con-
-nection-establishment  delay  longer  than  about 10 seconds
-begins to cause problems for users and  applications.   Thus
-the emphasis on rapidity in gateway discovery and key fetch-
-ing.
-
-Ahem: Host-to-host opportunistic encryption would be utterly
-trivial  if a fast public-key encryption/signature algorithm
-was available.  You would do a reverse lookup on the  desti-
-nation  address to obtain a public key for that address, and
-simply encrypt all packets going to it with that key,  sign-
-ing them with your own private key.  Alas, this is impracti-
-cal with current CPU speeds and current algorithms (although
-as  noted  later,  it  might be of some use for limited pur-
-poses).  Nevertheless, it is a useful model.
-
-2.  Connection Setup
-
-For purposes of discussion, the network  is  taken  to  look
-like this:
-
-     Source----Initiator----...----Responder----Destination
-
-The  intercepted packet comes from the Source, bound for the
-Destination, and is intercepted at the Initiator.  The  Ini-
-tiator  communicates  over  the  insecure  Internet  to  the
-Responder.  The Source and the Initiator might be  the  same
-host,  or  the Source might be an end-user host and the Ini-
-tiator a security gateway (SG).  Likewise for the  Responder
-and the Destination.
-
-Given  an  intercepted packet, whose useful information (for
-our purposes)  is  essentially  only  the  Destination's  IP
-address,  the Initiator must quickly determine the Responder
-(the  Destination's  SG)  and  fetch  everything  needed  to
-authenticate  it.   The  Responder  must do likewise for the
-Initiator.  Both must eventually also confirm that the other
-is  authorized to act on behalf of the client host behind it
-(if any).
-
-
-
-Draft 4                  3 May 2001                        3
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-An important subtlety here is that if the alternative to  an
-IPsec  tunnel  is  plaintext  transmission, negative results
-must be obtained quickly.  That is,  the  decision  that  no
-tunnel can be established must also be made rapidly.
-
-2.1.  Packet Interception
-
-Interception  of outgoing packets is relatively straightfor-
-ward in principle.  It is preferable to put the  intercepted
-packet  on  hold rather than dropping it, since higher-level
-retries are not necessarily well-timed.  There is a  problem
-of hosts and applications retrying during negotiations.  ARP
-implementations,  which  face  the  same  problem,  use  the
-approach  of  keeping  the most recent packet for an as-yet-
-unresolved address, and throwing away older  ones.   (Incre-
-menting  of request numbers etc. means that replies to older
-ones may no longer be accepted.)
-
-Is it worth intercepting incoming packets, from the  outside
-world,  and  attempting  tunnel  setup  based  on them?  No,
-unless and until a way can be  devised  to  initiate  oppor-
-tunistic   encryption   to  a  non-opportunistic  responder,
-because if the other end  has  not  initiated  tunnel  setup
-itself, it will not be prepared to do so at our request.
-
-Rationale:  Note,  however,  that most incoming packets will
-promptly be followed by  an  outgoing  packet  in  response!
-Conceivably  it  might  be  useful  to start early stages of
-negotiation, at least as far as looking up  information,  in
-response to an incoming packet.
-
-Rationale: If a plaintext incoming packet indicates that the
-other end is not prepared to do opportunistic encryption, it
-might  seem that this fact should be noted, to avoid consum-
-ing resources and delaying traffic in an attempt  at  oppor-
-tunistic setup which is doomed to fail.  However, this would
-be a major security hole, since the plaintext packet is  not
-authenticated; see section 2.5.
-
-2.2.  Algorithm
-
-For  clarity,  the following defers most discussion of error
-handling to the end.
-
-Step 1.  Initiator does a DNS reverse lookup on the Destina-
-         tion address, asking not for the usual PTR records,
-         but for TXT  records.   Meanwhile,  Initiator  also
-         sends a ping to the Destination, to cause any other
-         dynamic setup actions to  start  happening.   (Ping
-         replies  are  disregarded;  the  host  might not be
-         reachable with plaintext pings.)
-
-Step 2A. If at least one suitable TXT  record  (see  section
-         2.3)   comes   back,   each  contains  a  potential
-
-
-
-Draft 4                  3 May 2001                        4
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-         Responder's IP address and that Responder's  public
-         key (or where to find it).  Initiator picks one TXT
-         record, based on priority (see 2.3), thus picking a
-         Responder.   If  there was no public key in the TXT
-         record, the Initiator also starts a DNS lookup  (as
-         specified by the TXT record) to get KEY records.
-
-Step 2B. If  no suitable TXT record is available, and policy
-         permits,  Initiator  designates   the   Destination
-         itself as the Responder (see section 2.4).  If pol-
-         icy does not permit, or the  Destination  is  unre-
-         sponsive  to  the  negotiation,  then opportunistic
-         encryption is not possible, and Initiator gives  up
-         (see section 2.5).
-
-Step 3.  If there already is a keying channel to the Respon-
-         der's IP address, the Initiator uses  the  existing
-         keying  channel;  skip  to step 10.  Otherwise, the
-         Initiator starts an IKE Phase  1  negotiation  (see
-         section  2.7  for details) with the Responder.  The
-         address family of the Responder's IP  address  dic-
-         tates whether the keying channel and the outside of
-         the tunnel should be IPv4 or IPv6.
-
-Step 4.  Responder gets the first IKE message, and responds.
-         It  also starts a DNS reverse lookup on the Initia-
-         tor's IP address, for KEY records, on  speculation.
-
-Step 5.  Initiator  gets  Responder's reply, and sends first
-         message of IKE's D-H exchange (see 2.4).
-
-Step 6.  Responder  gets  Initiator's   D-H   message,   and
-         responds with a matching one.
-
-Step 7.  Initiator  gets Responder's D-H message; encryption
-         is now established, authentication  remains  to  be
-         done.   Initiator sends IKE authentication message,
-         with an FQDN identity if a reverse  lookup  on  its
-         address  will  not  yield  a  suitable  KEY record.
-         (Note, an FQDN need not actually  correspond  to  a
-         host--e.g., the DNS data for it need not include an
-         A record.)
-
-Step 8.  Responder gets Initiator's authentication  message.
-         If  there  is no identity included, Responder waits
-         for step 4's speculative DNS lookup to  finish;  it
-         should  yield  a suitable KEY record (see 2.3).  If
-         there is an FQDN identity, responder  discards  any
-         data obtained from step 4's DNS lookup; does a for-
-         ward lookup on the FQDN, for a  KEY  record;  waits
-         for  that lookup to return; it should yield a suit-
-         able KEY record.  Either way,  Responder  uses  the
-         KEY  data  to verify the message's hash.  Responder
-         replies with an  authentication  message,  with  an
-
-
-
-Draft 4                  3 May 2001                        5
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-         FQDN  identity  if  a reverse lookup on its address
-         will not yield a suitable KEY record.
-
-Step 9A. (If step 2A was  used.)   The  Initiator  gets  the
-         Responder's  authentication  message.   Step 2A has
-         provided a key (from the  TXT  record  or  via  DNS
-         lookup).   Verify  message's  hash.   Encrypted and
-         authenticated keying channel  established,  man-in-
-         middle attack precluded.
-
-Step 9B. (If  step  2B  was  used.)   The Initiator gets the
-         Responder's authentication message, which must con-
-         tain an FQDN identity (if the Responder can't put a
-         TXT in his reverse map he presumably can't do a KEY
-         either).   Do forward lookup on the FQDN, get suit-
-         able KEY record,  verify  hash.   Encrypted  keying
-         channel   established,  man-in-middle  attack  pre-
-         cluded, but authentication weak (see 2.4).
-
-Step 10. Initiator initiates IKE Phase  2  negotiation  (see
-         2.7)  to  establish  tunnel,  specifying Source and
-         Destination identities as IP addresses  (see  2.6).
-         The  address  family of those addresses also deter-
-         mines whether the inside of the  tunnel  should  be
-         IPv4 or IPv6.
-
-Step 11. Responder  gets  first  Phase  2  message.  Now the
-         Responder finally knows what's  going  on!   Unless
-         the specified Source is identical to the Initiator,
-         Responder initiates DNS reverse lookup on Source IP
-         address,  for  TXT  records; waits for result; gets
-         suitable TXT record(s) (see 2.3), which should con-
-         tain  either  the Initiator's IP address or an FQDN
-         identity identical to that supplied by the  Initia-
-         tor in step 7.  This verifies that the Initiator is
-         authorized to act as SG for the Source.   Responder
-         replies  with  second  Phase  2  message, selecting
-         acceptable details (see 2.7), and establishes  tun-
-         nel.
-
-Step 12. Initiator  gets second Phase 2 message, establishes
-         tunnel (if he didn't  already),  and  releases  the
-         intercepted packet into it, finally.
-
-Step 13. Communication  proceeds.   See  section  3 for what
-         happens later.
-
-As additional  information  becomes  available,  notably  in
-steps 1, 2, 4, 8, 9, 11, and 12, there is always a possibil-
-ity that local policy (e.g., access limitations) might  pre-
-vent  further progress.  Whenever possible, at least attempt
-to inform the other end of this.
-
-
-
-
-
-Draft 4                  3 May 2001                        6
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-At any time, there is a possibility of the negotiation fail-
-ing  due  to  unexpected  responses,  e.g. the Responder not
-responding at all or rejecting  all  Initiator's  proposals.
-If  multiple SGs were found as possible Responders, the Ini-
-tiator should try at least one more before giving  up.   The
-number  tried  should  be influenced by what the alternative
-is: if the traffic will otherwise be discarded,  trying  the
-full  list is probably appropriate, while if the alternative
-is plaintext transmission, it might be based on how long the
-tries  are  taking.   The Initiator should try as many as it
-reasonably can, ideally all of them.
-
-There is a sticky problem with timeouts.  If  the  Responder
-is  down  or  otherwise  inaccessible,  in the worst case we
-won't hear about this except by not getting responses.  Some
-other,  more  pathological  or  even evil, failure cases can
-have the same result.  The problem is that in the case where
-plaintext  is  permitted, we want to decide whether a tunnel
-is possible quickly.  There is no  good  solution  to  this,
-alas; we just have to take the time and do it right.  (Pass-
-ing plaintext meanwhile looks attractive at first  glance...
-but  exposing the first few seconds of a connection is often
-almost as bad as exposing the whole thing.   Worse,  if  the
-user  checks  the status of the connection, after that brief
-window it looks secure!)
-
-The flip side of waiting for a timeout  is  that  all  other
-forms  of  feedback,  e.g.  ``host not reachable'', arguably
-should be ignored, because in the absence  of  authenticated
-ICMP, you cannot trust them!
-
-Rationale:  An  alternative, sometimes suggested, to the use
-of explicit DNS records for  SG  discovery  is  to  directly
-attempt  IKE  negotiation  with  the  destination  host, and
-assume that any relevant SG will be on the packet path, will
-intercept the IKE packets, and will impersonate the destina-
-tion host for the IKE negotiation.   This  is  superficially
-attractive  but is a very bad idea.  It assumes that routing
-is stable throughout negotiation, that  the  SG  is  on  the
-plaintext-packets  path,  and  that  the destination host is
-routable (yes, it is possible to have (private) DNS data for
-an  unroutable host).  Playing extra games in the plaintext-
-packet path hurts performance and  can  be  expected  to  be
-unpopular.  Various difficulties ensue when there are multi-
-ple SGs along the path (there is already bad experience with
-this,  in  RSVP),  and  the presence of even one can make it
-impossible to do IKE direct to the host when that is  what's
-wanted.  Worst of all, such impersonation breaks the IP net-
-work model badly, making problems difficult to diagnose  and
-impossible  to work around (and there is already bad experi-
-ence with this, in areas like web caching).
-
-Rationale: (Step 1.)  Dynamic setup  actions  might  include
-establishment   of  demand-dialed  links.   These  might  be
-
-
-
-Draft 4                  3 May 2001                        7
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-present anywhere along the path, so one cannot rely on  out-
-of-band  communication  at  the  Initiator  to trigger them.
-Hence the ping.
-
-Rationale: (Step 2.)  In many cases, the IP address  on  the
-intercepted  packet will be the result of a name lookup just
-done.  Inverse queries, an obscure DNS feature from the dis-
-tant  past,  in  theory  can  be used to ask a DNS server to
-reverse that lookup,  giving  the  name  that  produced  the
-address.   This is not the same as a reverse lookup, and the
-difference can matter a great deal in  cases  where  a  host
-does  not  control its reverse map (e.g., when the host's IP
-address is dynamically  assigned).   Unfortunately,  inverse
-queries were never widely implemented and are now considered
-obsolete.  Phooey.
-
-Ahem: Support for a small subset of this  admittedly-obscure
-feature  would be useful.  Unfortunately, it seems unlikely.
-
-Rationale: (Step 3.)  Using  only  IP  addresses  to  decide
-whether  there  is  already a relevant keying channel avoids
-some difficult problems.  In particular, it might seem  that
-this  should be based on identities, but those are not known
-until very late in IKE Phase 1 negotiations.
-
-Rationale: (Step 4.)  The DNS lookup is done on  speculation
-because  the data will probably be useful and the lookup can
-be done in parallel with IKE activity, potentially  speeding
-things up.
-
-Rationale:  (Steps  7 and 8.)  If an SG does not control its
-reverse map, there is no way it can prove its right  to  use
-an  IP address, but it can nevertheless supply both an iden-
-tity (as an FQDN) and proof of its right to use  that  iden-
-tity.   This  is  somewhat  better  than nothing, and may be
-quite useful if the SG is representing a client  host  which
-can  prove  its  right  to  its IP address.  (For example, a
-fixed-address subnet might live behind an SG with a  dynami-
-cally-assigned  address; such an SG has to be the Initiator,
-not the Responder, so the subnet's TXT records  can  contain
-FQDN identities, but with that restriction, this works.)  It
-might sound like this would  permit  some  man-in-the-middle
-attacks in important cases like Road Warrior, but the RW can
-still do full authentication of the home base, so a  man  in
-the  middle  cannot  successfully impersonate home base, and
-the D-H exchange doesn't work unless the man in  the  middle
-impersonates both ends.
-
-Rationale:  (Steps  7 and 8.)  Another situation where proof
-of the right to use an identity can be very useful  is  when
-access is deliberately limited.  While opportunistic encryp-
-tion is intended as a general-purpose  connection  mechanism
-between strangers, it may well be convenient for prearranged
-connections to use the same mechanism.
-
-
-
-Draft 4                  3 May 2001                        8
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-Rationale: (Steps 7 and 8.)  FQDNs as identities are avoided
-where  possible,  since  they  can  involve  synchronous DNS
-lookups.
-
-Rationale: (Step 11.)  Note that only here, in Phase 2, does
-the  Responder actually learn who the Source and Destination
-hosts are.  This unfortunately  demands  a  synchronous  DNS
-lookup  to verify that the Initiator is authorized to repre-
-sent the Source, unless they are one and the same.  This and
-the  initial TXT lookup are the only synchronous DNS lookups
-absolutely required by the algorithm, and they appear to  be
-unavoidable.
-
-Rationale:  While  it  might seem unlikely that a refusal to
-cooperate from one SG could be remedied by trying  another--
-presumably  they all use the same policies--it's conceivable
-that one might be misconfigured.  Preferably they should all
-be tried, but it may be necessary to set some limits on this
-if alternatives exist.
-
-2.3.  DNS Records
-
-Gateway discovery and key lookup are based on  TXT  and  KEY
-DNS  records.   The TXT record specifies IP address or other
-identity of a host's SG, and possibly  supplies  its  public
-key  as  well, while the KEY record supplies public keys not
-found in TXT records.
-
-2.3.1.  TXT
-
-Opportunistic-encryption SG discovery uses TXT records  with
-the content:
-
-     X-IPsec-Gateway(nnn)=iii kkk
-
-following  RFC 1464 attribute/value notation.  Records which
-do not contain an ``='', or which do not  have  exactly  the
-specified form to the left of it, are ignored.  (Near misses
-perhaps should be reported.)
-
-The nnn is an unsigned integer which will fit  in  16  bits,
-specifying  an  MX-style preference (lower number = stronger
-preference) to control the order in which multiple  SGs  are
-tried.   If  there  are ties, pick one, randomly enough that
-the choice will probably be different each time.  The  pref-
-erence field is not optional; use ``0'' if there is no mean-
-ingful preference ordering.
-
-The iii part identifies the SG.  Normally this is a  dotted-
-decimal  IPv4 address or a colon-hex IPv6 address.  The sole
-exception is if the SG has no fixed address  (see  2.4)  but
-the  host(s)  behind it do, in which case iii is of the form
-``@fqdn'', where fqdn is the FQDN that the SG  will  use  to
-identify  itself  (in  step 7 of section 2.2); such a record
-
-
-
-Draft 4                  3 May 2001                        9
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-cannot be used for SG discovery by an Initiator, but can  be
-used for SG verification (step 11 of 2.2) by a Responder.
-
-The  kkk  part is optional.  If it is present, it is an RSA-
-MD5 public key in base-64 notation, as in the text  form  of
-an  RFC  2535 KEY record.  If it is not present, this speci-
-fies that the public key  can  be  found  in  a  KEY  record
-located  based  on  the SG's identification: if iii is an IP
-address, do a reverse lookup on that address, else do a for-
-ward lookup on the FQDN.
-
-Rationale:  While  it  is unusual for a reverse lookup to go
-for records  other  than  PTR  records  (or  possibly  CNAME
-records, for RFC 2317 classless delegation), there's no rea-
-son why it can't.  The TXT record is  a  temporary  stand-in
-for  (we  hope, someday) a new DNS record for SG identifica-
-tion and keying.  Keeping the setup  process  fast  requires
-minimizing  the  number  of DNS lookups, hence the desire to
-put all the information in one place.
-
-Rationale: The use of RFC 1464  notation  avoids  collisions
-with other uses of TXT records.  The ``X-'' in the attribute
-name indicates that this format is tentative and  experimen-
-tal;  this design will probably need modification after ini-
-tial experiments.  The format is chosen with an eye on even-
-tual  binary  encoding.   Note,  in particular, that the TXT
-record normally contains the address of the SG, not (repeat,
-not)  its  name.   Name-to-address  conversion is the job of
-whatever generates the TXT record, which is expected to be a
-program,  not a human--this is conceptually a binary record,
-temporarily using a text encoding.  The  ``@fqdn''  form  of
-the  SG identity is for specialized uses and is never mapped
-to an address.
-
-Ahem: A DNS  TXT  record  contains  one  or  more  character
-strings, but RFC 1035 does not describe exactly how a multi-
-string TXT record is interpreted.  This is relevant  because
-a  string can be at most 255 characters, and public keys can
-exceed this.  Empirically, the standard pattern is that each
-string  which  is  both less than 255 characters and not the
-final string of the record should have a blank  appended  to
-it,  and  the  strings of the record should then be concate-
-nated.  (This observation is based on how BIND 8  transforms
-a TXT record from text to DNS binary.)
-
-2.3.2.  KEY
-
-An opportunistic-encryption KEY record is an Authentication-
-permitted,  Entity  (host),  non-Signatory,  IPsec,  RSA/MD5
-record  (that  is,  its first four bytes are 0x42000401), as
-per RFCs 2535 and 2537.  KEY records with other flags,  pro-
-tocol, or algorithm values are ignored.
-
-
-
-
-
-Draft 4                  3 May 2001                       10
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-Rationale:  Unfortunately,  the public key has to be associ-
-ated with the SG,  not  the  client  host  behind  it.   The
-Responder  does  not  know which client it is supposed to be
-representing, or which client the Initiator is representing,
-until far too late.
-
-Ahem: Per-client keys would reduce vulnerability to key com-
-promise, and simplify key changes, but  they  would  require
-changes  to  IKE  Phase 1, to separately identify the SG and
-its initial client(s).  (At present, the  client  identities
-are  not  known  to the Responder until IKE Phase 2.)  While
-the current IKE standard does not actually specify  (!)  who
-is  being  identified by identity payloads, the overwhelming
-consensus is that they identify the SG, and as seen earlier,
-this has important uses.
-
-2.3.3.  Summary
-
-For reference, the minimum set of DNS records needed to make
-this all work is either:
-
-1.  TXT in Destination reverse  map,  identifying  Responder
-    and providing public key.
-
-2.  KEY in Initiator reverse map, providing public key.
-
-3.  TXT  in  Source  reverse  map, verifying relationship to
-    Initiator.
-
-or:
-
-1.  TXT in Destination reverse map, identifying Responder.
-
-2.  KEY in Responder reverse map, providing public key.
-
-3.  KEY in Initiator reverse map, providing public key.
-
-4.  TXT in Source reverse  map,  verifying  relationship  to
-    Initiator.
-
-Slight  complications  ensue  for dynamic addresses, lack of
-control over reverse maps, etc.
-
-2.3.4.  Implementation
-
-In the long run, we need either a tree of trust or a web  of
-trust,  so  we can trust our DNS data.  The obvious approach
-for DNS is a tree of trust, but there are various  practical
-problems  with running all of this through the root servers,
-and a web of trust is arguably more robust anyway.  This  is
-logically  independent  of  opportunistic  encryption, and a
-separate design proposal will be prepared.
-
-
-
-
-
-Draft 4                  3 May 2001                       11
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-Interim stages of implementation of this will require a  bit
-of  thought.   Notably, we need some way of dealing with the
-lack of fully signed DNSSEC  records  right  away.   Without
-user interaction, probably the best we can do is to remember
-the results of old fetches, compare them to the  results  of
-new  fetches,  and  complain  and  disbelieve  all  of it if
-there's a mismatch.  This does mean that somebody  who  gets
-fake  data  into our very first fetch will fool us, at least
-for a while, but that seems an acceptable tradeoff.   (Obvi-
-ously  there  needs to be a way to manually flush the remem-
-bered results for a  specific  host,  to  permit  deliberate
-changes.)
-
-2.4.  Responders Without Credentials
-
-In  cases  where the Destination simply does not control its
-DNS reverse-map entries,  there  is  no  verifiable  way  to
-determine  a  suitable SG.  This does not make communication
-utterly impossible, though.
-
-Simply attempting negotiation directly with the  host  is  a
-last  resort.   (An  aggressive implementation might wish to
-attempt it in parallel,  rather  than  waiting  until  other
-options  are  known  to  be unavailable.)  In particular, in
-many cases involving dynamic addresses, it  will  work.   It
-has  the  disadvantage of delaying the discovery that oppor-
-tunistic encryption is entirely  impossible,  but  the  case
-seems common enough to justify the overhead.
-
-However, there are policy issues here either way, because it
-is possible to impersonate such a host.  The host can supply
-an  FQDN identity and verify its right to use that identity,
-but except by prearrangement, there is no way to verify that
-the  FQDN  is  the right one for that IP address.  (The data
-from forward lookups may be controlled by people who do  not
-own  the  address, so it cannot be trusted.)  The encryption
-is still solid, though, so in many cases this may be useful.
-
-2.5.  Failure of Opportunism
-
-When  there is no way to do opportunistic encryption, a pol-
-icy issue arises: whether to put in a bypass  (which  allows
-plaintext  traffic  through)  or a block (which discards it,
-perhaps with notification back to the sender).   The  choice
-is  very  much  a  matter of local policy, and may depend on
-details such as the higher-level protocol being  used.   For
-example,  an  SG might well permit plaintext HTTP but forbid
-plaintext Telnet, in which case both a block  and  a  bypass
-would be set up if opportunistic encryption failed.
-
-A  bypass/block  must,  in practice, be treated much like an
-IPsec tunnel.  It should persist for a while, so that  high-
-overhead  processing  doesn't  have  to  be  done  for every
-packet, but should go away eventually to  return  resources.
-
-
-
-Draft 4                  3 May 2001                       12
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-It  may  be simplest to treat it as a degenerate tunnel.  It
-should have a relatively long lifetime (say 6h) to keep  the
-frequency  of  negotiation attempts down, except in the case
-where the other SG simply did not respond  to  IKE  packets,
-where  the  lifetime should be short (say 10min) because the
-other SG is presumably down and might come  back  up  again.
-(Cases  where the other SG responded to IKE with unauthenti-
-cated error reports like ``port  unreachable''  are  border-
-line,  and  might  deserve  to be treated as an intermediate
-case: while such reports cannot be trusted unreservedly,  in
-the  absence of any other response, they do give some reason
-to suspect that the other SG is unable or unwilling to  par-
-ticipate in opportunistic encryption.)
-
-As  noted  in section 2.1, one might think that arrival of a
-plaintext incoming packet should cause a bypass/block to  be
-set  up  for its source host: such a packet is almost always
-followed by an outgoing reply packet; the incoming packet is
-clear  evidence  that opportunistic encryption is not avail-
-able at the other end; attempting it  will  waste  resources
-and  delay  traffic to no good purpose.  Unfortunately, this
-means that anyone out on the Internet who can forge a source
-address  can  prevent  encrypted communication!  Since their
-source addresses are not  authenticated,  plaintext  packets
-cannot be taken as evidence of anything, except perhaps that
-communication from that host is likely to occur soon.
-
-There needs to be a way for local administrators to remove a
-bypass/block  ahead  of  its  normal expiry time, to force a
-retry after a problem at the other end is known to have been
-fixed.
-
-2.6.  Subnet Opportunism
-
-In principle, when the Source or Destination host belongs to
-a subnet and the corresponding SG is willing to provide tun-
-nels  to the whole subnet, this should be done.  There is no
-extra overhead,  and  considerable  potential  for  avoiding
-later  overhead  if  similar communication occurs with other
-members of the subnet.  Unfortunately, at the moment, oppor-
-tunistic  tunnels  can  only have degenerate subnets (single
-hosts) at their ends.  (This does, at least, set up the key-
-ing channel, so that negotiations for tunnels to other hosts
-in the same subnets will be considerably faster.)
-
-The crucial problem is step 11 of section 2.2: the Responder
-must  verify  that  the Initiator is authorized to represent
-the Source, and this is  impossible  for  a  subnet  because
-there  is  no way to do a reverse lookup on it.  Information
-in DNS records for a name or  a  single  address  cannot  be
-trusted, because they may be controlled by people who do not
-control the whole subnet.
-
-
-
-
-
-Draft 4                  3 May 2001                       13
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-Ahem: Except in the special case of a  subnet  masked  on  a
-byte  boundary  (in  which  case RFC 1035's convention of an
-incomplete in-addr.arpa name could be used),  subnet  lookup
-would need extensions to the reverse-map name space, perhaps
-along the lines of that commonly done for RFC  2317  delega-
-tion.   IPv6  already  has  suitable  name syntax, as in RFC
-2874, but has no specific provisions for subnet  entries  in
-its  reverse  maps.   Fixing all this is is not conceptually
-difficult, but is  logically  independent  of  opportunistic
-encryption, and will be proposed separately.
-
-A less-troublesome problem is that the Initiator, in step 10
-of 2.2, must know exactly what  subnet  is  present  on  the
-Responder's  end  so  he  can  propose a tunnel to it.  This
-information could be included in the TXT record of the  Des-
-tination (it would have to be verified with a subnet lookup,
-but that could be done in parallel with  other  operations).
-The Initiator presumably can be configured to know what sub-
-net(s) are present on its end.
-
-2.7.  Option Settings
-
-IPsec and IKE have far too many useless options, and  a  few
-useful  ones.  IKE negotiation is quite simplistic, and can-
-not handle even simple discrepancies between  the  two  SGs.
-So it is necessary to be quite specific about what should be
-done and what should be proposed,  to  guarantee  interoper-
-ability  without  prearrangement or other negotiation proto-
-cols.
-
-Rationale: The prohibition of other negotiations  is  simply
-because there is no time.  The setup algorithm (section 2.2)
-is lengthy already.
-
-[Open question: should opportunistic  IKE  use  a  different
-port than normal IKE?]
-
-Somewhat arbitrarily and tentatively, opportunistic SGs must
-support Main Mode, Oakley group 5 for D-H,  3DES  encryption
-and  MD5  authentication  for  both  ISAKMP  and  IPsec SAs,
-RSA/MD5 digital-signature authentication with  keys  between
-2048  and  8192  bits,  and  ESP  doing  both encryption and
-authentication.  They must do key PFS in Quick Mode, but not
-identity  PFS.   They  may  support IPComp, preferably using
-Deflate, but must not insist on it.  They may support AES as
-an alternative to 3DES, but must not insist on it.
-
-Rationale:  Identity PFS essentially requires establishing a
-complete new keying channel for each new tunnel, but key PFS
-just  does  a new Diffie-Hellman exchange for each rekeying,
-which is relatively cheap.
-
-Keying channels must remain in existence at least as long as
-any  tunnel  created with them remains (they are not costly,
-
-
-
-Draft 4                  3 May 2001                       14
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-and keeping the management path up and available  simplifies
-various issues).  See section 3.1 for related issues.  Given
-the use of key PFS, frequent rekeying does not seem critical
-here.   In the absence of strong reason to do otherwise, the
-Initiator  should  propose  rekeying  at  8hr-or-1MB.    The
-Responder  must accept any proposal which specifies a rekey-
-ing time between 1hr and 24hr inclusive and a rekeying  vol-
-ume between 100KB and 10MB inclusive.
-
-Given  the  short  expected useful life of most tunnels (see
-section 3.1), very few of them will survive long  enough  to
-be  rekeyed.   In  the absence of strong reason to do other-
-wise, the Initiator should propose rekeying at 1hr-or-100MB.
-The  Responder  must  accept  any proposal which specifies a
-rekeying time between 10min and 8hr inclusive and a rekeying
-volume between 1MB and 1000MB inclusive.
-
-It  is  highly  desirable  to  add some random jitter to the
-times of actual rekeying attempts, to break  up  ``convoys''
-of rekeying events; this and certain other aspects of robust
-rekeying practice will be the subject of a  separate  design
-proposal.
-
-Rationale:  The numbers used here for rekeying intervals are
-chosen quite arbitrarily and  should  be  re-assessed  after
-some implementation experience is gathered.
-
-3.  Renewal and Teardown
-
-3.1.  Aging
-
-When to tear tunnels down is a bit problematic, but if we're
-setting up a potentially unbounded number of them,  we  have
-to tear them down somehow sometime.
-
-Set a short initial tentative lifespan, say 1min, since most
-net flows in fact  last  only  a  few  seconds.   When  that
-expires,  look to see if the tunnel is still in use (defini-
-tion: has had traffic, in either direction, in the last half
-of  the  tentative  lifespan).   If so, assign it a somewhat
-longer tentative lifespan,  say  20min,  after  which,  look
-again.   If not, close it down.  (This tentative lifespan is
-independent of rekeying; it is just the time when  the  tun-
-nel's future is next considered.  This should happen reason-
-ably  frequently,  unlike  rekeying,  which  is  costly  and
-shouldn't  be  too frequent.)  Multi-step backoff algorithms
-are not worth the trouble; looking every 20min doesn't  seem
-onerous.
-
-If  the security gateway and the client host are one and the
-same, tunnel teardown decisions might wish to pay  attention
-to  TCP  connection  status,  as  reported  by the local TCP
-layer.  A still-open TCP connection is  almost  a  guarantee
-that  more  traffic  is coming, while the demise of the only
-
-
-
-Draft 4                  3 May 2001                       15
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-TCP connection through a tunnel is a strong hint  that  none
-is.   If  the  SG and the client host are separate machines,
-though,  tracking  TCP  connection  status  requires  packet
-snooping,  which is complicated and probably not worthwhile.
-
-IKE keying channels likewise are torn down when  it  appears
-the  need  has  passed.   They always linger longer than the
-last tunnel they administer, in case they are needed  again;
-the  cost of retaining them is low.  Other than that, unless
-the number of keying channels on the SG gets large,  the  SG
-should  simply retain all of them until rekeying time, since
-rekeying is the only costly event.  When about  to  rekey  a
-keying  channel  which has no current tunnels, note when the
-last actual keying-channel traffic occurred, and  close  the
-keying  channel  down  if it wasn't in the last, say, 30min.
-When rekeying a keying channel (or  perhaps  shortly  before
-rekeying  is  expected),  Initiator and Responder should re-
-fetch the public keys used for  SG  authentication,  against
-the possibility that they have changed or disappeared.
-
-See section 2.7 for discussion of rekeying intervals.
-
-Given  the  low user impact of tearing down and rebuilding a
-connection (a tunnel or a keying channel), rekeying attempts
-should  not  be  too persistent: one can always just rebuild
-when needed, so heroic efforts to preserve an existing  con-
-nection  are  unnecessary.   Say, try every 10s for a minute
-and every minute for 5min, and then give up and declare  the
-connection  (and  all  other  connections  to that IKE peer)
-dead.
-
-Rationale: In future, more sophisticated, versions  of  this
-protocol,  examining  the initial packet might permit a more
-intelligent guess at the tunnel's useful life.  HTTP connec-
-tions in particular are notoriously bursty and repetitive.
-
-Rationale:  Note that rekeying a keying connection basically
-consists of building a new keying connection  from  scratch,
-using IKE Phase 1, and abandoning the old one.
-
-3.2.  Teardown and Cleanup
-
-Teardown  should  always  be coordinated with the other end.
-This means interpreting and sending Delete notifications.
-
-On receiving a Delete for the outbound SAs of a  tunnel  (or
-some  subset  of  them), tear down the inbound ones too, and
-notify the other end with a Delete.  Tunnels need to be con-
-sidered as bidirectional entities, even though the low-level
-protocols don't think of them that way.
-
-When the deletion is initiated locally,  rather  than  as  a
-response  to  a received Delete, send a Delete for (all) the
-inbound SAs  of  a  tunnel.   If  no  responding  Delete  is
-
-
-
-Draft 4                  3 May 2001                       16
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-received  for  the outbound SAs, try re-sending the original
-Delete.  Three tries spaced 10s  apart  seems  a  reasonable
-level  of effort.  (Indefinite persistence is not necessary;
-whether the other end isn't cooperating because  it  doesn't
-feel  like  it, or because it is down/disconnected/etc., the
-problem will eventually be cleared up by other means.)
-
-After rekeying, transmission should switch to using the  new
-SAs  (ISAKMP or IPsec) immediately, and the old leftover SAs
-should be cleared out promptly  (and  Deletes  sent)  rather
-than  waiting  for them to expire.  This reduces clutter and
-minimizes confusion.
-
-Since there  is  only  one  keying  channel  per  remote  IP
-address,  the  question of whether a Delete notification has
-appeared on a ``suitable'' keying channel does not arise.
-
-Rationale: The pairing of Delete  notifications  effectively
-constitutes  an  acknowledged Delete, which is highly desir-
-able.
-
-3.3.  Outages and Reboots
-
-Tunnels sometimes go down because the other end crashes,  or
-disconnects,  or  has  a network link break, and there is no
-notice of this in the general case.  (Even in the event of a
-crash  and  successful reboot, other SGs don't hear about it
-unless the rebooted SG has specific reason to talk  to  them
-immediately.)  Over-quick response to temporary network out-
-ages is undesirable...  but note that a tunnel can  be  torn
-down and then re-established without any user-visible effect
-except a pause in traffic, whereas if one end  does  reboot,
-the  other  end  can't  get packets to it at all (except via
-IKE) until the situation is noticed.  So a bias toward quick
-response  is  appropriate,  even  at  the cost of occasional
-false alarms.
-
-Heartbeat mechanisms are somewhat unsatisfactory  for  this.
-Unless  they are very frequent, which causes other problems,
-they do not detect the problem promptly.
-
-Ahem: What is really wanted  is  authenticated  ICMP.   This
-might  be  a case where public-key encryption/authentication
-of network packets is the right thing  to  do,  despite  the
-expense.
-
-In the absence of that, a two-part approach seems warranted.
-
-First, when an SG receives an IPsec packet that is addressed
-to  it,  and  otherwise  appears  healthy,  but specifies an
-unknown SA and is from a host that  the  receiver  currently
-has  no  keying  channel  to,  the  receiver must attempt to
-inform the sender via an  IKE  Initial-Contact  notification
-(necessarily  sent  in plaintext, since there is no suitable
-
-
-
-Draft 4                  3 May 2001                       17
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-keying channel).  This must be severely rate-limited on both
-ends; one notification per SG pair per minute seems ample.
-
-Second,  there  is an obvious difficulty with this: the Ini-
-tial-Contact notification is unauthenticated and  cannot  be
-trusted.   So it must be taken as a hint only: there must be
-a way to confirm it.
-
-What is needed here is something that's desirable for debug-
-ging and testing anyway: an IKE-level ping mechanism.  Ping-
-ing direct at the IP level instead will not tell us about  a
-crash/reboot event.  Sending pings through tunnels has vari-
-ous complications (they should stop at the far mouth of  the
-tunnel  instead  of  going  on  to a subnet; they should not
-count against idle timers; etc.).  What is needed is a  con-
-tinuity check on a keying channel.  (This could also be used
-as a heartbeat, should that seem useful.)
-
-IKE Ping delivery need not  be  reliable,  since  the  whole
-point  of  a  ping  is simply to provoke an acknowledgement.
-They should preferably be authenticated, but it is not clear
-that  this is absolutely necessary, although if they are not
-they need encryption plus a timestamp or a  nonce,  to  foil
-replay  mischief.   How  they are implemented is a secondary
-issue, and a separate design proposal will be prepared.
-
-Ahem: Some existing implementations are already using  (pri-
-vate)  notify value 30000 (``LIKE_HELLO'') as ping and (pri-
-vate) notify value 30002 (``SHUT_UP'') as ping reply.
-
-If an IKE Ping gets no response, try some (say 8) IP  pings,
-spaced a few seconds apart, to check IP connectivity; if one
-comes back, try another IKE Ping; if that gets no  response,
-the  other  end probably has rebooted, or otherwise been re-
-initialized, and its tunnels and keying channel(s) should be
-torn down.
-
-In  a  similar  vein, giving limited rekeying persistence, a
-short network outage could take some  tunnels  down  without
-disrupting  others.  On receiving a packet for an unknown SA
-from a host that a keying channel is currently open to, send
-that host a Invalid-SPI notification for that SA.  The other
-host can then tear down the half-torn-down tunnel, and nego-
-tiate a new tunnel for the traffic it presumably still wants
-to send.
-
-Finally, it would be helpful if SGs  made  some  attempt  to
-deal  intelligently  with crashes and reboots.  A deliberate
-shutdown should include an attempt to notify all  other  SGs
-currently  connected by keying channels, using Deletes, that
-communication is about to fail.  (Again, these will be taken
-as  teardowns;  attempts  by  the other SGs to negotiate new
-tunnels as replacements should be ignored  at  this  point.)
-And   when   possible,   SGs   should  attempt  to  preserve
-
-
-
-Draft 4                  3 May 2001                       18
-
-
-
-
-
-                  Opportunistic Encryption
-
-
-information about currently-connected  SGs  in  non-volatile
-storage,  so  that  after a crash, an Initial-Contact can be
-sent to previous partners to indicate  loss  of  all  previ-
-ously-established connections.
-
-4.  Conclusions
-
-This  design  appears to achieve the objective of setting up
-encryption with strangers.  The authentication aspects  also
-seem  adequately  addressed  if the destination controls its
-reverse-map DNS entries and the DNS data itself can be reli-
-ably  authenticated as having originated from the legitimate
-administrators of that subnet/FQDN.  The authentication sit-
-uation is less satisfactory when DNS is less helpful, but it
-is difficult to see what else could be done about it.
-
-5.  References
-
-[TBW]
-
-6.  Appendix:  Separate Design Proposals TBW
-
-o  How can we build a web of trust with DNSSEC?   (See  sec-
-   tion 2.3.4.)
-
-o  How  can  we extend DNS reverse lookups to permit reverse
-   lookup on a subnet?  (Both address and mask  must  appear
-   in the name to be looked up.)  (See section 2.6.)
-
-o  How  can  rekeying  be done as robustly as possible?  (At
-   least partly, this is just documenting current  FreeS/WAN
-   practice.)  (See section 2.7.)
-
-o  How  should IKE Pings be implemented?  (See section 3.3.)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Draft 4                  3 May 2001                       19
-
-
diff --git a/doc/opportunism.howto b/doc/opportunism.howto
deleted file mode 100644
index 14b5ed5a2..000000000
--- a/doc/opportunism.howto
+++ /dev/null
@@ -1,415 +0,0 @@
-FreeS/WAN Opportunism HowTo
-===========================
-
-RCSID $Id: opportunism.howto,v 1.1 2004/03/15 20:35:21 as Exp $
-
-D. Hugh Redelmeier
-
-
-FreeS/WAN, the LINUX IPSEC implementation, is intended to allow
-systems to connect through secure tunnels with or without prearrangement.
-We use the term "Opportunism" to describe tunnels set up without
-prearrangement.  This HowTo will show you how to set your system up
-for Opportunism.
-
-You are expected to already have built and used FreeS/WAN.  Much more
-information about FreeS/WAN is provided at http://www.freeswan.org.
-This document is only intended to describe the support for
-opportunism.  The features described here are available in FreeS/WAN
-version 1.91 or later (there were important bugs up until 1.95).
-
-For a more complete description of the design of Opportunism, see our
-paper "Opportunistic Encryption" (available as opportunism.spec in
-the same directory as this document).
-
-
-Steps
-=====
-
-- Understand what you are attempting.  Security requires care.
-  Problems are hard to untangle.  Be sure to read the last section
-  "Important Limitations".
-
-- Install FreeS/WAN (version 1.91 or later).
-
-- Add appropriate DNS records to your reverse-map domains.
-
-- Add suitable conns to /etc/ipsec.conf.
-
-- Try it out: start it, monitor it, fix it.
-
-- Now you understand the system better, reread "Important Limitations"
-
-These steps are also an outline of this document.
-
-
-Theory
-======
-
-FreeS/WAN runs on a machine that we will call a "Security Gateway".
-Usually this machine is a gateway to the internet.  It may be that the
-only machine for which it provides gateway services is itself, but
-that is just a special case -- we will still call it a Security
-Gateway.
-
-A FreeS/WAN Security Gateway implements secure tunnels to other
-Security Gateways.  One problem is to arrange for these tunnels to be
-created and used.  If opportunism is enabled, a Security Gateway
-running FreeS/WAN will intercept the first outbound packet to a
-particular destination (IP address), and try to negotiate a security
-tunnel suitable for traffic to that destination.
-
-To make this work going the other way, the Security Gateway must be
-willing to negotiate with peers trying to protect traffic initiated
-from their side.
-
-The first novel problem is that our Security Gateway needs to discover
-the IP address of the other Security Gateway for the packet that
-prompted the negotiation.  Oh, and quickly discover if there is none
--- that negotiation will be impossible.
-
-The second novel problem is that our Security Gateway needs to
-authenticate the other Security Gateway.  This authentication needs to
-ensure that the other Security Gateway is who it claims to be AND that
-it is authorized to represent the client for which it claims to be the
-gateway.
-
-The roles in a particular negotiation are:
-     Source----Initiator----...----Responder----Destination
-
-The Source and Destination are endpoints of the traffic that is to be
-protected.  The Source is the one that happened to send the first
-packet of traffic.  Neither needs to be aware of IPSEC or FreeS/WAN.
-That is the job of their respective Security Gateways, Initiator and
-Responder.  The names "Initiator" and "Responder" match those used in
-the IPSEC standards for IKE negotiation.  Remember that Source and
-Initiator could be the same machine; similarly, Destination and
-Responder could be the same.  All traffic from Source or Destination
-must flow through their Security Gateways if it is to be considered
-for protection.  These roles are fluid -- they can be different for
-each negotiation.
-
-We use the DNS (the Domain Name System) as a distributed database to
-publish the required information.
-
-
-DNS Records Required
-====================
-
-See section 2.3 of "Opportunistic Encryption" for a fuller
-explanation.
-
-Generally, we need to add records to the reverse-map DNS entries for
-the client machine and its Security Gateway machine.  There are
-special cases that are exceptions.
-
-A Security Gateway that is going to initiate an Opportunistic
-negotiation needs to provide a way for the Responding SG to find a
-public key for the Initiator to allow authentication.  This is
-accomplished by putting the public key in a KEY record in the
-reverse-map of the Initiator.  Conveniently, the KEY record can
-be generated by the ipsec_showhostkey(8) command.
-
-	ipsec showhostkey
-
-Here is an example of the output, with many characters of the key
-itself left out:
-
-	; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
-	xy.example.com.   IN   KEY   0x4200 4 1 AQOF8tZ2...+buFuFn/
-
-=> Copy the output of the command into the zone information for the
-   reverse-map of the Security Gateway's public interface.
-
-Each client that is to be protected by Opportunistic Encryption must
-include a special TXT record in its reverse-map.  The
-ipsec_showhostkey(8) command can create this too.  Remember:  this
-command must be run on the Security Gateway where the ipsec.secrets
-file resides.  You must tell the command what IP address to put in the
-TXT record.  The IP address is that of the Security Gateway.
-
-	ipsec showhostkey --txt 10.11.12.13
-
-This command might produce the output:
-
-	; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
-	IN TXT  "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"
-
-- The quotes matter: this is a single string, as far as DNS is
-  concerned.
-
-- The X-IPsec-Server is a prefix that signifies that the TXT record
-  contains Opportunism configuration information.
-
-- The (10) specifies a precedence for this record.  This is similar
-  to MX record preferences.  Lower numbers have stronger preference.
-
-- 10.11.12.13 specifies the IP address of the Security Gateway for
-  this machine.
-
-- AQOF8tZ2...+buFuFn/ is the (shortened) encoding of the RSA Public
-  key of the Security Gateway.
-
-=> Added this output to the zone information for the reverse-map for
-   each client machine.  This gets a bit dull and repetitive.
-
-Unfortunately, not every administrator has control over the contents
-of the reverse-map.  The only case where we can work around this is
-where the Initiator has no suitable reverse map.  In this case, the
-Source's TXT record gives @FQDN ("Fully Qualified Domain Name") in
-place of its Security Gateway's IP address.  This FQDN must match the
-ID-payload used by the Initiator.  Furthermore, a forward lookup for a
-KEY record on the FQDN must yield the Initiator's public key.
-
-If the Source's IP address is the same as the Initiator's IP address,
-the Responder will assume that the Initiator is authorized to talk for
-the Source (itself!).  In this case, the Responder won't try to fetch
-the Source's TXT record from the reverse map for the Source's IP
-address.
-
-These two features can be combined.  If the Source and the Initiator
-are the same (i.e. the Security Gateway is protecting itself), and the
-Initiator uses a @FQDN ID (leftid=@example.com), then the
-administrator of that machine need only have installed a KEY record in
-the FQDN domain -- he need not control any reverse map.
-
-Obscure fact: the forward lookup is only done by a Responder, and then
-only when the Initiator's ID payload specifies the FQDN.  There is no
-provision for a Responder with no control over its reverse-map.
-
-Beware: DNS changes sometimes take a long time to propagate.
-
-
-Configuring FreeS/WAN
-=====================
-
-To enable opportunism, you must include a suitable conn in
-/etc/ipsec.conf and you must enable it.
-
-A suitable conn looks roughly like an ordinary conn.  It more closely
-resembles a Road Warrior conn (a Road Warrior conn is one that has a
-wildcard %any specified as the other Security Gateway).  But in the
-Opportunistic case, both the other Security Gateway AND its client are
-unknown ahead of time.
-
-conn client-to-anyone	# for our client subnet
-	leftsubnet=10.3.2.1.0/24	# any single client in our subnet
-	also=sg-to-anyone	# rest is same as for SG
-
-conn sg-to-anyone	# for our Security Gateway
-	left=%defaultroute	# our SG (defaults leftnexthop too)
-	right=%opportunistic
-	authby=rsasig	# almost always the right choice
-	keyingtries=2	# don't be persistent -- peer might disappear
-	auto=route	# enable at ipsec startup
-
-(%defaultroute only works if you have specified
-interfaces=%defaultroute.  Since this isn't the topic of the howto,
-you will have to look at the other documentation to find out how to
-handle other cases.)
-
-You can have any number of opportunistic conns, but generally it only
-makes sense to have one for each client subnet and one for the
-Security Gateway itself.
-
-Currently only one interface may be used for opportunism: Pluto knows
-nothing about routing, so would be unable to choose amongst several.
-Almost certainly our side's nexthop must be predetermined
-(%defaultroute will do that).
-
-Note: the routing done for outbound Opportunism will catch any packets
-not covered by a more specific route.  This is what you want for
-packets that are also covered by an eroute.  But packets caught by the
-route and not an eroute will be subject to the no-eroute policy of
-KLIPS, which defaults to %drop.  Remember that routing ignores the
-packet's source address, but erouting pays attention to it.  So if
-Opportunism is enabled, it is best to provide for it covering all IP
-addresses behind or on the Security Gateway.
-
-To enable these conns for inbound opportunistic negotiation, they must be
---added.  auto=add would accomplish this at ipsec startup, but if you cannot
-wait:
-	ipsec auto --add sg-to-anyone
-	ipsec auto --add client-to-anyone
-
-To enable these conns for outbound opportunistic negotiation, they must
-be both --added and --routed.  Outbound packets will then be trapped
-and will trigger negotiation.  auto=route would cause this to happen
-at startup, but if you wish to do this at another time:
-	ipsec auto --add sg-to-anyone
-	ipsec auto --add client-to-anyone
-	ipsec auto --route sg-to-anyone
-	ipsec auto --route client-to-anyone
-
-
-Getting DNS Through
-===================
-
-There is a serious chicken-and-egg problem.  Outbound Opportunism blocks
-communication with an IP address until Pluto discovers whether that IP
-address can have an IPSEC connection negotiated.  This discovery takes
-DNS queries.  These DNS queries might involve communicating with
-arbitrary IP addresses.  Thus we require DNS queries to succeed before
-any communication succeeds, including those same DNS queries!  The way
-out of this conundrum is to exempt at least some DNS query IP traffic
-from Opportunism.
-
-There are several possible solutions, all of which have advantages and
-disadvantages.
-
-1. If you use a single machine, outside your Security Gateway, as DNS
-server, you can build a clear path (or even an IPSEC tunnel, but not
-opportunistically) directly to that machine.
-
-- you could use a type=passthrough conn to provide a clear path
-  between your machine and the DNS machine.
-
-- better still, you could explicitly create an IPSEC connection to
-  your DNS server.  Just be sure that Pluto does not need to access
-  DNS to find the IP addresses or RSA public keys for that connection!
-
-- you could install an explicit route to the DNS machine through
-  your public interface (not ipsecN).  This will bypass KLIPS
-  processing.  You might have to adjust your firewall.  For example:
-
-  	route add host -net ns.example.com gw gw.example.com dev eth1
-
-2. Generally, it is better to run DNS on your Security Gateway.  This
-leads to a need for non-opportunistic paths to an arbitrary number of
-DNS servers in the internet.  One way to accomplish this is to NOT
-have outbound opportunism cover the SG itself, but only the subnet
-behind it.  In other words, leave out the
-	ipsec auto --route sg-to-anyone
-You must also add a type=passthrough eroute specifically for
-sg-to-anyone (without this, the traffic will be handled by the KLIPS
-no-eroute policy).
-
-3. It is actually possible to use a single machine inside your client
-subnet as a DNS server.  The techniques listed in 1 could be used to
-let it communicate with other DNS servers without interference.  This
-might have advantages over 1 if the DNS machine *only* did DNS.
-Another technique (not often possible or reasonable) is to give this
-machine another route to the internet, one that avoids the SG.
-
-4. DNS queries will eventually time out and then Pluto will give up
-and establish %pass eroutes.  So communications should start flowing.
-
-We would like to have better solutions.  Perhaps we will in the
-future.  Suggestions are welcome.
-
-
-Figuring out what is going on
-=============================
-
-Since Opportunism lets your SG operate with less supervision, you may
-be puzzled by what it is up to.  The usual tools exist, but their use
-is more important.  To look at what Pluto is doing, use:
-	ipsec auto --status
-To look at what KLIPS is doing, use
-	ipsec look
-
-To just see the kernel's eroute table, look at the "file"
-/proc/net/ipsec_eroute.  It contains a description of all the eroutes
-in the kernel.  Here is an example:
-
-10         10.2.1.0/24      -> 0.0.0.0/0          => %trap
-259        10.2.1.115/32    -> 10.19.75.161/32    => tun0x1002@10.19.75.145
-71         10.44.73.97/32   -> 0.0.0.0/0          => %trap
-4119       10.44.73.97/32   -> 10.114.121.41/32   => %pass
-
-You read each line as: a packet from within the first subnet, destined
-for the second subnet, will be processed by the Security Association
-Identity (SAID) specified last.  The first column is the number of
-(outbound) packets processed by this eroute.
-
-For shunt eroutes, the SAID is printed as just the type of shunt:
-%pass	pass the packet through with no processing
-%drop	discard the packet
-%reject	discard the packet and notify sender
-%hold	keep the last packet; discard others
-%trap	cause any trapped packet to generate a PF_KEY ACQUIRE
-	to request negotiation; install a corresponding %hold
-	shunt and attach this packet to the %hold
-
-For other eroutes, the SAID is printed as a triple: protocol (three
-letters), SPI (32-bit number in hex), and destination IP address.
-Protocols include:
-
-tun	IP in IP encapsulation (used for most tunnels)
-esp	ESP encapsulation -- part of an IPSEC SA group
-ah	AH packet authentication -- part of an IPSEC SA group
-
-So, looking at our sample eroutes:
-
-10         10.2.1.0/24      -> 0.0.0.0/0          => %trap
-
-	This is a TRAP (int0x104) shunt eroute.  It was installed by
-	Pluto so that it can catch all traffic from its client subnet
-	to the world at large.  Ten outbound packets have been trapped.
-
-259        10.2.1.115/32    -> 10.19.75.161/32    => tun0x1002@10.19.75.145
-
-	This is a tunnel eroute: packets from 10.2.1.115 (within
-	our client subnet) going to 10.19.75.161 will be encrypted
-	and sent to the peer SG 10.19.75.145.  This was the product
-	of an Opportunistic negotiation (a hint is that each client
-	subnet has only one member).  259 packets have been sent
-	through this tunnel.
-
-71         10.44.73.97/32   -> 0.0.0.0/0          => %trap
-
-	This is another TRAP shunt eroute.  It is to catch traffic
-	from the Security Gateway to the world.  It has caught
-	71 outbound packets.
-
-4119       10.44.73.97/32   -> 10.114.121.41/32   => %pass
-
-	This is a %pass (0x100) shunt eroute.  It was installed when an
-	attempted Opportunistic negotiation failed because the reverse
-	domain of 10.114.121.41 had no suitable TXT record.  4119
-	outbound packets have been passed.
-
-
-Important Limitations
-=====================
-
-Pluto's DNS lookup is synchronous (single-threaded).  Not only does
-this slow things down, but it turns out that in extreme cases where
-there are a lot of ACQUIRE messages from KLIPS at once, some of those
-messages can be lost and communications will be blocked by the %hold
-eroute that Pluto doesn't know about.  Pluto now looks every 2 minutes
-for any %holds that it missed.
-
-DNS lookup is not verified -- we don't use Secure DNS.  A spoofed DNS
-could compromise Opportunism.
-
-There are several new opportunities for Denial of Service attacks.
-For example, a Bad Guy could spray our system with pings with forged
-source addresses.  For each unique source address, our system would do
-a (synchronous!) DNS lookup.
-
-Once a %pass eroute is added for a failed negotiation, it will stay
-until it has been inactive for about 15 minutes.  The only activity
-that counts is outbound -- not surprising since a %pass only affects
-outbound traffic.
-
-If a destination's DNS entry specifies the information we need for
-negotiation, Pluto will not let communications proceed without
-negotiating a Security Tunnel.
-
-There is currently no way to tear down a tunnel that is no longer in
-use.  To add insult to injury, when the lifetime is about to be
-exceeded, the initiating Pluto will rekey!  Restarting will clear
-these out.  rekey=no doesn't solve this since SA expiry would be
-uncoordinated and hence cause packets to be lost.
-
-If one side of a Security Tunnel restarts, but doesn't initiate
-negotiation with its peer, the peer will not be able to communicate
-with it until the peer thinks the tunnel needs rekeying due to
-lifetime, or the restarted Security Gateway decides to negotiate for
-its own reasons.
-
-It isn't clear what firewall policies make sense with Opportunism.
-
-If VPN and Opportunism connections coexist, security policies
-implemented via a firewall can only distinguish traffic by IP address.
diff --git a/doc/opportunism.known-issues b/doc/opportunism.known-issues
deleted file mode 100644
index 90752dee3..000000000
--- a/doc/opportunism.known-issues
+++ /dev/null
@@ -1,287 +0,0 @@
-Known issues with Opportunistic Encryption                     Claudia Schmeing
-------------------------------------------
-
-
-This is an overview of known issues with OE.
-
-
-This document supplements:
-
-
-FreeS/WAN Quickstart Guide        doc/quickstart.html
-
-Opportunism HOWTO                 doc/opportunism.howto
-
-Opportunism spec                  doc/opportunism.spec
-
-Internet Draft                    doc/draft-richardson-ipsec-opportunistic.txt
-
-
-
-* Use the most recent Linux FreeS/WAN 2.x release from ftp.xs4all.nl 
-  to try OE.
-
-
-DESIGN LIMITATIONS
-
-
-* Because Opportunistic Encryption relies on DNS:
-  - to authenticate one FreeS/WAN to another, and
-  - to prove that we have the right to protect traffic for a given IP,
-  this authentication/authorization is only as strong as your DNS is 
-  secure.
-
-  Without secure DNS, OE protects against passive snooping only.
-  Because the public key and gateway information that FreeS/WAN gets from 
-  DNS is not authenticated, a man-in-the-middle attack is still possible.  
-  We hope that as DNSsec is widely adopted, OE with strong authentication
-  will become more widespread.
-
-  However, our software does not yet distinguish between strongly and weakly 
-  authenticated OE. This information might be useful for defining local 
-  security policy.
-
-
-* Denial of service attacks are possible against OE. If you rely on OE rather 
-  than VPN to connect several offices, a determined attacker could prevent you 
-  from communicating securely.
-
-
-* OE challenges the notion that all IPsec peers are "friends". With OE, 
-  strangers can potentially tunnel IPsec packets _through_ your defenses 
-  against cleartext packets. This may call for a re-visit to firewall policy.
-
-
-* FreeS/WAN only creates OE connections when it traps an outgoing packet.
-  Since most traffic is two-way, for most traffic, FreeS/WAN 2.x may soon 
-  trap an outgoing packet and create an IPsec connection to
-  protect both incoming and outgoing traffic. However, if a local 
-  FreeS/WAN box accepts inbound traffic from a remote peer but 
-  generates no outbound traffic in response, the local FreeS/WAN will not 
-  attempt to initiate OE. Of course, the peer may also initiate OE upon
-  trapping its own outbound traffic.
-  
-
-* OE is only as reliable as your DNS is.
-  
-  If your DNS service is flaky, you will not be able to reliably establish 
-  OE connections to known OE-capable peers.
-  
-  If you ping a peer, but your FreeS/WAN does not find a TXT record signifying 
-  the peer's ability to respond to OE negotiation), FreeS/WAN will not try to 
-  opportunistically initiate, and communication will fallback to clear.
-
-  For more secure and reliable DNS, we recommend that you run DNS
-  within your security perimeter, either on your security gateway, or
-  on a machine to which you have a VPN connection. It is also possible
-  to have your DNS server located elsewhere on your LAN, though this may
-  cause lag on startup.
-  
-  This mailing list message explains how to run a local caching name server:
-  http://lists.freeswan.org/pipermail/design/2003-January/004205.html
- 
-  See also "Getting DNS through" in opportunism.howto
-  http://lists.freeswan.org/pipermail/design/2002-April/002285.html .
-
-
-
-CURRENT ISSUES
-
-* There are several special issues re: using OE when running FreeS/WAN with
-  kernel native IPsec, introduced in the 2.6 kernel. Please see 
-  doc/2.6.known-issues.
-
-* If A and B have an OE connection, but A is rebooted, normally A will try to 
-  re-connect to B and (if it has no DNS-related failures) it will succeed. 
-  But, if A is set up for responder-only OE, you will have a one-way 
-  connection until B notices that its original tunnel has expired. For details 
-  see:
-
-      http://lists.freeswan.org/pipermail/design/2002-May/002582.html
-      http://lists.freeswan.org/pipermail/design/2002-June/002610.html
-
-  TIP:  If an OE connection isn't behaving, you can recreate it with
-
-      ipsec whack --oppohere sourceIPaddress --oppothere targetIPaddress
-
-
-* There is no good clean facility to delete OE connections.
-  Available are:
-
-      ipsec auto --status to list connections
-      ipsec whack --deletestate to delete by state#.
-   
-
-* You may experience seeming gaps at rekey time. Once you generate traffic,
-  you will find that the OE connection returns.
-
-  By default, OE connections are not rekeyed; if they were we'd have a 
-  mountain of useless connections. As a consequence, if your OE connection is
-  idle at rekey time, it will go down until you generate further traffic.
-  To ensure prompt rekeying, you can run a ping thorough the OE tunnel.
-
-
-* At the moment, you can only run active OE on one physical interface.
-
-  Active means --routed, to trap outbound packets.  It is this route
-  that is a problem.
-
-  Untested theory: you can have multiple active OE conns, for different 
-  source addresses, but they all have to point their traffic out the single 
-  interface.
-
-  When responding: you can only define one OE connection (per host or subnet) 
-  in ipsec.conf, and that conn will apply to one interface. Normally this 
-  will be the public interface which your default route uses; it is, however, 
-  configurable.
-
-  Theoretically, it might make sense to select between multiple OE conns 
-  based on some criterion, such as address ranges. This might be useful for 
-  local OE, or in a complex routing scenario.
-
-  Currently, Pluto expects only one OE connection. If you add another,
-  Pluto may choose randomly between them, producing unpredictable results.
-
-
-* Building OE conns between nodes on a LAN is not possible.
-
-  This is a side effect of conflicts about ARP entries 
-  in the rt_cache and our "stupid routing tricks".
-  There is no known workaround at this time.
-
-  "Stupid routing tricks" are an ongoing issue, and should
-  go away in a future software revision.
-
-  See these explanations:
-      http://lists.freeswan.org/pipermail/design/2002-April/002285.html
-      http://lists.freeswan.org/pipermail/design/2002-August/003249.html
-
-
-* FreeS/WAN may not correctly follow a CNAME (Canonical Name) trail resulting
-  from reverse DNS delegation.
-
-  Solution: Use a recent Bind 9 (we tested with Bind snap-pre9.3) for the 
-  DNS services which the FreeS/WAN box relies on. 
-
-  Reason: This Bind correctly implements "implied helper support" for 
-  traditional DNS records, and so can follow a properly constructed CNAME 
-  record trail which ends in a TXT record. Thus, in cases where a reverse 
-  domain has been delegated, FreeS/WAN + Bind 9 can find a TXT record and 
-  create an OE connection.
-
-  For more on the problem, see "OLD ISSUES", below.
-
-
-* To make OE operation smoother, we may need a script that runs and warns 
-  if we have the reverse DNS records, but not the software running.
-  The reverse records advertise that we can do OE, but when the software is
-  not running this is false advertising.
-
-
-
-OLD ISSUES
-
-* Coterminal OE doesn't work in practise. This includes OE-in-WAVEsec.
-  Solved in 2.02.
-
-  Old diagnosis:
-
-  If you have coterminal OE connections (two OE connections which share
-  one endpoint), you should have use of one of the encrypted links, but it 
-  is not clear which one KLIPS will prefer. In particular, the behaviour 
-  may not be symmetrical.
-
-  Worse yet, it just seems to trip over itself and be generally
-  unworkable.
-
-  Weird but predictable:
-
-  If you have both a gateway and a host who advertise (via DNS) an 
-  ability to do OE you need to be serious about doing host-based
-  OE, or you will be stuck in initiator-only mode. If your host 
-  advertises but does not run OE, then when a peer tries to connect to 
-  your host, it will fail to clear. The peer will then not try to encrypt 
-  traffic bound for that host as it travels to the gateway. To remedy 
-  the situation, restart ipsec on the peer (or otherwise flush out 
-  the %pass eroute), and ping the peer from your host to initiate 
-  OE.
-
-
-* One-way connection was created on rekey. Solved in 2.0.
-
-  If one side (A) has a shorter _keylife_ than the other,
-  and that side also has _rekey=no_, then when the keylife has 
-  expired, it will expect that its peer (B) will make a new conn to replace 
-  the existing one. Unfortunately, B has no idea. 
-
-  B continues to send out encrypted packets on the original connection,
-  while A passes the return packets along in the clear.
-
-  There is a proposed patch for (A) here:
-      http://lists.freeswan.org/pipermail/design/2002-July/003114.html
-
-
-* Failure to look up own host name is a show stopper.
-  Solved in 1.98 and 1.98b.
-
-  Solution: new setting %dnsondemand. Usage:
-
-      leftrsasigkey=%dnsondemand   # now in sample ipsec.conf
-      rightrsasigkey=%dnsondemand.
-
-  From man ipsec.conf:
-
-      The value  %dnsondemand  means  the key is to fetched from DNS 
-      at the time it is needed.
-
-  If Linux FreeS/WAN can't get the key for your public interface from 
-  DNS, it will not keep trying, and you will not be able to do OE.
-
-  The error message is:
-
-  May 14 09:40:24 road Pluto[21210]: failure to fetch key for 193.110.157.18 
-  from DNS: failure querying DNS for KEY of 18.157.110.193.in-addr.arpa.: 
-  Host name lookup failure
-
-  Workaround: 1 or 2
-  1. Supply a key in the conn. leftrsasigkey=0s...
-  2. Fix the KEY lookup failure and try again.
-
-
-* Assertion failure at OE rekey time. Fixed in 2.0pre0. Patch for 1.98b posted 
-  at http://lists.freeswan.org/pipermail/design/2002-August/003347.html
-
-
-* 1.91 to 1.94 have serious problems with %trap and %hold bugs. These bugs, 
-  introduced while coding the support structure for OE, affect both OE and VPN 
-  connections.
-
-
-* OE may not work with reverse delegation (CNAMEs). This problem was once 
-  capable of being a show stopper.
-
-  When relying on Bind versions before 9 for local DNS services, FreeS/WAN 
-  could not follow a well constructed CNAME trail that ended in a TXT or KEY 
-  record. Although OE required both record types, in practise we noticed the 
-  problem with the more common TXT lookups, rather than the rarer KEY lookups. 
-  Bind 9 largely solves the problem, by correctly seeking TXT records in 
-  delegated reverse domains. In addition, OE between two FreeS/WAN 2.02 or 
-  later boxes no longer relies on KEY records.
-    
-  Old symptoms:
-
-  When a DNS server queried by Linux FreeS/WAN follows a CNAME, 
-  it seems to forget what record type it is looking for, and it 
-  returns a PTR, despite the fact that another record type was requested.
-
-  Workaround:
-
-  Send your provider KEY and TXT records for direct insertion into the 
-  reverse ZONE files, rather than asking your provider to delegate authority 
-  using CNAME.
-
-  People who own IP blocks, rather than leasing them, may not 
-  experience this problem. If you were assigned IPs more than 
-  five years ago, you may own your IPs.
-
-
diff --git a/doc/opportunism.nr b/doc/opportunism.nr
deleted file mode 100644
index c5cae757a..000000000
--- a/doc/opportunism.nr
+++ /dev/null
@@ -1,1115 +0,0 @@
-.DA "3 May 2001"
-.ds LH "
-.ds CH "Opportunistic Encryption
-.ds RH "
-.ds LF "Draft 4+
-.ds CF "\\*(DY
-.ds RF %
-.de P
-.LP
-..
-.de R
-.LP
-\fBRationale:\fR
-..
-.de A
-.LP
-\fBAhem:\fR
-..
-.TL
-Opportunistic Encryption
-.AU
-Henry Spencer
-D. Hugh Redelmeier
-.AI
-henry@spsystems.net
-hugh@mimosa.com
-Linux FreeS/WAN Project
-.AB no
-xxx cases where reverses not controlled, all possibilities.
-xxx DHR suggests okay if gateway doesn't control reverse but destination does.
-xxx level of patience where Responder just doesn't answer the phone.
-xxx IKE finger to get basic keying info, to be confirmed via DNSSEC?
-xxx packets from some OE connections might get special status,
-if the other end is definitely someone we trust.
-Opportunistic encryption permits secure (encrypted, authenticated)
-communication via IPsec without connection-by-connection prearrangement,
-either explicitly between hosts (when the hosts are capable of it) or
-transparently via packet-intercepting security gateways.
-It uses DNS records (authenticated with DNSSEC) to provide
-the necessary information for gateway discovery and gateway authentication,
-and constrains negotiation enough to guarantee success.
-.sp
-Substantive changes since draft 3:
-write off inverse queries as a lost cause;
-use Invalid-SPI rather than Delete as notification of unknown SA;
-minor wording improvements and clarifications.
-This document takes over from the older ``Implementing Opportunistic
-Encryption'' document.
-.AE
-.NH 1
-Introduction
-.P
-A major goal of the FreeS/WAN project is opportunistic encryption:
-a (security) gateway intercepts an outgoing packet aimed at a
-remote host, and quickly attempts to negotiate an IPsec tunnel to that
-host's security gateway.
-If the attempt succeeds, traffic can then be secure,
-transparently (without changes to the host software).
-If the attempt fails,
-the packet (or a retry thereof) passes through in clear or is dropped,
-depending on local policy.
-Prearranged tunnels bypass the packet interception etc., so static VPNs
-can coexist with opportunistic encryption.
-.P
-This generalizes trivially to the end-to-end case:
-host and security gateway simply are one and the same.
-Some optimizations are possible in that case,
-but the basic scheme need not change.
-.P
-The objectives for security systems need to be explicitly stated.
-Opportunistic encryption is meant to achieve secure communication,
-without prearrangement of the individual connection
-(although some prearrangement on a per-host basis is required),
-between any two hosts which implement the protocol
-(and, if they act as security gateways,
-between hosts behind them).
-Here ``secure'' means strong encryption and authentication of packets,
-with authentication of participants\(emto prevent man-in-the-middle
-and impersonation attacks\(emdependent on several factors.
-The biggest factor is the authentication of DNS records,
-via DNSSEC or equivalent means.
-A lesser factor is which exact variant
-of the setup procedure (see section 2.2) is used,
-because there is a tradeoff between strong authentication of the other end
-and ability
-to negotiate opportunistic encryption with hosts which have limited
-or no control of their reverse-map DNS records:
-without reverse-map information,
-we can verify that the host has the right to use a particular FQDN
-(Fully Qualified Domain Name),
-but not whether that FQDN is authorized to use that IP address.
-Local policy must decide whether authentication
-or connectivity has higher priority.
-.P
-Apart from careful attention to detail in various areas,
-there are three crucial design problems for opportunistic encryption.
-It needs a way to quickly identify the remote host's security gateway.
-It needs a way to quickly obtain an authentication key for the
-security gateway.
-And the numerous options which can be specified with IKE
-must be constrained sufficiently that two independent implementations are
-guaranteed to reach agreement,
-without any explicit prearrangement or preliminary negotiation.
-The first two problems are solved using DNS,
-with DNSSEC ensuring that the data obtained is reliable;
-the third is solved by specifying a minimum standard which must be supported.
-.P
-A note on philosophy:
-we have deliberately avoided providing six different
-ways to do each job, in favor of specifying one good one.
-Choices are
-provided only when they appear to be necessary,
-or at least important.
-.P
-A note on terminology:
-to avoid constant circumlocutions,
-an ISAKMP/IKE SA, possibly recreated occasionally by rekeying,
-will be referred to as a ``keying channel'',
-and a set of IPsec SAs providing bidirectional communication between
-two IPsec hosts,
-possibly recreated occasionally by rekeying,
-will be referred to as a ``tunnel''
-(it could conceivably use transport mode in the host-to-host case,
-but we advocate using tunnel mode even there).
-The word ``connection'' is here used in a more generic sense.
-The word ``lifetime'' will be avoided in favor of ``rekeying interval'',
-since many of the connections will have useful lives far shorter
-than any reasonable rekeying interval,
-and hence the two concepts must be separated.
-.P
-A note on document structure:
-Discussions of \fIwhy\fR things were done a particular way,
-or not done a particular way,
-are broken out in paragraphs headed ``Rationale:''
-(to preserve the flow of the text, many such paragraphs are deferred
-to the ends of sections).
-Paragraphs headed ``Ahem:'' are discussions of where the problem is being
-made significantly harder by problems elsewhere,
-and how that might be corrected.
-Some meta-comments are enclosed in [].
-.R
-The motive is to get the Internet encrypted.
-That requires encryption without connection-by-connection prearrangement:
-a system must be able to
-reliably negotiate an encrypted, authenticated
-connection with a total stranger.
-While end-to-end encryption is preferable,
-doing opportunistic encryption in security gateways
-gives enormous leverage for quick deployment of this technology,
-in a world where end-host software is often primitive, rigid, and outdated.
-.R
-Speed is of the essence in tunnel setup:
-a connection-establishment delay longer than about 10 seconds
-begins to cause problems for users and applications.
-Thus the emphasis on rapidity in gateway discovery and key fetching.
-.A
-Host-to-host opportunistic encryption
-would be utterly trivial if a fast public-key
-encryption/signature
-algorithm was available.
-You would do a reverse lookup on the destination address to obtain a
-public key for that address,
-and simply encrypt all packets going to it with that key,
-signing them with your own private key.
-Alas, this is impractical with current CPU speeds and current algorithms
-(although as noted later, it might be of some use for limited purposes).
-Nevertheless, it is a useful model.
-.NH 1
-Connection Setup
-.P
-For purposes of discussion, the network is taken to look like this:
-.DS
-Source----Initiator----...----Responder----Destination
-.DE
-The intercepted packet comes from the Source,
-bound for the Destination,
-and is intercepted at the Initiator.
-The Initiator communicates over the insecure Internet to the Responder.
-The Source and the Initiator might be the same host,
-or the Source might be an end-user host and the Initiator a
-security gateway (SG).
-Likewise for the Responder and the Destination.
-.P
-Given an intercepted packet,
-whose useful information (for our purposes)
-is essentially only the Destination's IP address,
-the Initiator
-must quickly determine the Responder (the Destination's SG) and
-fetch everything needed to authenticate it.
-The Responder must do likewise for the Initiator.
-Both must eventually also confirm that the other is authorized to act
-on behalf of the client host behind it (if any).
-.P
-An important subtlety here is that if the alternative to an IPsec tunnel
-is plaintext transmission, negative results must be obtained quickly.
-That is,
-the decision that \fIno\fR tunnel can be established must also be made rapidly.
-.NH 2
-Packet Interception
-.P
-Interception of outgoing packets is relatively straightforward
-in principle.
-It is preferable to put the intercepted packet on hold rather than
-dropping it, since higher-level retries are not necessarily well-timed.
-There is a problem of hosts and applications retrying during negotiations.
-ARP implementations, which face the same problem,
-use the approach of keeping the \fImost recent\fR
-packet for an as-yet-unresolved address,
-and throwing away older ones.
-(Incrementing of request numbers etc. means that replies to older ones may no
-longer be accepted.)
-.P
-Is it worth intercepting \fIincoming\fR packets, from the outside world, and
-attempting tunnel setup based on them?
-No, unless and until a way can be devised to initiate opportunistic encryption
-to a non-opportunistic responder,
-because
-if the other end has not initiated tunnel setup itself, it will not be
-prepared to do so at our request.
-.R
-Note, however, that most incoming packets will promptly be followed by
-an outgoing packet in response!
-Conceivably it might be useful to start early stages of negotiation,
-at least as far as looking up information,
-in response to an incoming packet.
-.R
-If a plaintext incoming packet indicates that the other
-end is not prepared to do opportunistic encryption,
-it might seem that this fact should be noted, to
-avoid consuming resources and delaying
-traffic in an attempt at opportunistic setup which is doomed to fail.
-However, this would be a major security hole,
-since the plaintext packet is not authenticated;
-see section 2.5.
-.NH 2
-Algorithm
-.P
-For clarity,
-the following defers most discussion of error handling to the end.
-.nr x \w'Step 3A.'u+1n
-.de S
-.IP "Step \\$1." \nxu
-..
-.S 1
-Initiator does a DNS reverse lookup on the Destination address,
-asking not for the usual PTR records,
-but for TXT records.
-Meanwhile, Initiator also sends a ping to the Destination,
-to cause any other dynamic setup actions to start happening.
-(Ping replies are disregarded;
-the host might not be reachable with plaintext pings.)
-.S 2A
-If at least one suitable TXT record (see section 2.3) comes back,
-each contains a potential Responder's IP address
-and that Responder's public key (or where to find it).
-Initiator picks one TXT record, based on priority (see 2.3),
-thus picking a Responder.
-If there was no public key in the TXT record,
-the Initiator also starts a DNS lookup (as specified by the TXT record)
-to get KEY records.
-.S 2B
-If no suitable TXT record is available,
-and policy permits,
-Initiator designates the Destination itself as the Responder
-(see section 2.4).
-If policy does not permit,
-or the Destination is unresponsive to the negotiation,
-then opportunistic encryption is not possible,
-and Initiator gives up (see section 2.5).
-.S 3
-If there already is a keying channel to the Responder's IP address,
-the Initiator uses the existing keying channel;
-skip to step 10.
-Otherwise, the Initiator starts an IKE Phase 1 negotiation
-(see section 2.7 for details)
-with the Responder.
-The address family of the Responder's IP address dictates whether
-the keying channel and the outside of the tunnel should be IPv4 or IPv6.
-.S 4
-Responder gets the first IKE message,
-and responds.
-It also starts a DNS reverse lookup on the Initiator's IP address,
-for KEY records, on speculation.
-.S 5
-Initiator gets Responder's reply,
-and sends first message of IKE's D-H exchange (see 2.4).
-.S 6
-Responder gets Initiator's D-H message,
-and responds with a matching one.
-.S 7
-Initiator gets Responder's D-H message;
-encryption is now established, authentication remains to be done.
-Initiator sends IKE authentication message,
-with an FQDN identity if a reverse lookup on its address will not yield a
-suitable KEY record.
-(Note, an FQDN need not
-actually correspond to a host\(eme.g., the DNS data for it need not
-include an A record.)
-.S 8
-Responder gets Initiator's authentication message.
-If there is no identity included,
-Responder waits for step 4's speculative DNS lookup to finish;
-it should yield a suitable KEY record (see 2.3).
-If there is an FQDN identity,
-responder discards any data obtained from step 4's DNS lookup;
-does a forward lookup on the FQDN, for a KEY record;
-waits for that lookup to return;
-it should yield a suitable KEY record.
-Either way, Responder uses the KEY data to verify the message's hash.
-Responder replies with an authentication message,
-with an FQDN identity if a reverse lookup on its address will not yield a
-suitable KEY record.
-.S 9A
-(If step 2A was used.)
-The Initiator gets the Responder's authentication message.
-Step 2A has provided a key (from the TXT record or via DNS lookup).
-Verify message's hash.
-Encrypted and authenticated keying channel established,
-man-in-middle attack precluded.
-.S 9B
-(If step 2B was used.)
-The Initiator gets the Responder's authentication message,
-which must contain an FQDN identity (if the Responder can't put a TXT in his
-reverse map he presumably can't do a KEY either).
-Do forward lookup on the FQDN,
-get suitable KEY record, verify hash.
-Encrypted keying channel established,
-man-in-middle attack precluded,
-but authentication weak (see 2.4).
-.S 10
-Initiator initiates IKE Phase 2 negotiation (see 2.7) to establish tunnel,
-specifying Source and Destination identities as IP addresses (see 2.6).
-The address family of those addresses also determines whether the inside
-of the tunnel should be IPv4 or IPv6.
-.S 11
-Responder gets first Phase 2 message.
-Now the Responder finally knows what's going on!
-Unless the specified Source is identical to the Initiator,
-Responder initiates DNS reverse lookup on Source IP address,
-for TXT records;
-waits for result;
-gets suitable TXT record(s) (see 2.3),
-which should contain either the Initiator's IP address
-or an FQDN identity identical to that supplied by the Initiator in step 7.
-This verifies that the Initiator is authorized
-to act as SG for the Source.
-Responder replies with second Phase 2 message,
-selecting acceptable details (see 2.7),
-and establishes tunnel.
-.S 12
-Initiator gets second Phase 2 message,
-establishes tunnel (if he didn't already),
-and releases the intercepted packet into it, finally.
-.S 13
-Communication proceeds.
-See section 3 for what happens later.
-.P
-As additional information becomes available,
-notably in steps 1, 2, 4, 8, 9, 11, and 12,
-there is always a possibility that local policy
-(e.g., access limitations) might prevent further progress.
-Whenever possible,
-at least attempt to inform the other end of this.
-.P
-At any time, there is a possibility of the negotiation failing due to
-unexpected responses, e.g. the Responder not responding at all
-or rejecting all Initiator's proposals.
-If multiple SGs were found as possible Responders,
-the Initiator should try at least one more before giving up.
-The number tried should be influenced by what the alternative is:
-if the traffic will otherwise be discarded, trying the full list is
-probably appropriate,
-while if the alternative is plaintext transmission,
-it might be based on how long the tries are taking.
-The Initiator should try as many as it reasonably can,
-ideally all of them.
-.P
-There is a sticky problem with timeouts.
-If the Responder is down
-or otherwise inaccessible, in the worst case we won't hear about this
-except by not getting responses.
-Some other, more pathological or even
-evil, failure cases can have the same result.
-The problem is that in the
-case where plaintext is permitted, we want to decide whether a tunnel is
-possible quickly.
-There is no good solution to this, alas;
-we just have to take the time and do it right.
-(Passing plaintext meanwhile
-looks attractive at first glance... but exposing
-the first few seconds of a connection is often almost as bad as exposing
-the whole thing.
-Worse, if the user checks the status of the connection,
-after that brief window it looks secure!)
-.P
-The flip side of waiting for a timeout is that all other forms of
-feedback, e.g. ``host not reachable'',
-arguably should be \fIignored\fR,
-because in the absence of authenticated ICMP,
-you cannot trust them!
-.R
-An alternative, sometimes suggested, to the use of explicit DNS records
-for SG discovery is to directly attempt IKE negotiation with the
-destination host,
-and assume that any relevant SG will be on the packet path,
-will intercept the IKE packets,
-and will impersonate the destination host for the IKE negotiation.
-This is superficially attractive but is a very bad idea.
-It assumes that routing is stable throughout negotiation,
-that the SG is on the plaintext-packets path,
-and that the destination host is routable
-(yes, it is possible to have (private) DNS data for an unroutable host).
-Playing extra games in the plaintext-packet path hurts performance and
-can be expected to be unpopular.
-Various difficulties ensue when there are multiple SGs along the path
-(there is already bad experience with this, in RSVP),
-and the presence of even one can make it impossible
-to do IKE direct to the host when that is what's wanted.
-Worst of all, such impersonation breaks the IP network model badly,
-making problems difficult to diagnose and impossible to work around
-(and there is already bad experience with this, in areas like web caching).
-.R
-(Step 1.)
-Dynamic setup actions might include establishment of demand-dialed links.
-These might be present anywhere along the path,
-so one cannot rely on out-of-band communication at the Initiator to
-trigger them.
-Hence the ping.
-.R
-(Step 2.)
-In many cases, the IP address on the intercepted packet will be the
-result of a name lookup just done.
-Inverse queries, an obscure DNS feature from the distant past,
-in theory can be used to ask a DNS server to reverse that lookup,
-giving the name that produced the address.
-This is not the same as a reverse lookup,
-and the difference can matter a great deal in cases where a host
-does not control its reverse map
-(e.g., when the host's IP address is dynamically assigned).
-Unfortunately, inverse queries were never widely implemented and
-are now considered obsolete.
-Phooey.
-.A
-Support for a small subset of this admittedly-obscure feature
-would be useful.
-Unfortunately, it seems unlikely.
-.R
-(Step 3.)
-Using only IP addresses to decide whether there is already a relevant
-keying channel avoids some
-difficult problems.
-In particular, it might seem that this should be based on identities,
-but those are not known until very late in IKE Phase 1 negotiations.
-.R
-(Step 4.)
-The DNS lookup is done on speculation
-because the data will probably be useful and the lookup can be done
-in parallel with IKE activity,
-potentially speeding things up.
-.R
-(Steps 7 and 8.)
-If an SG does not control its reverse map,
-there is no way it can prove its right to use an IP address,
-but it can nevertheless supply both an identity (as an FQDN) and
-proof of its right to use that identity.
-This is somewhat better than nothing,
-and may be quite useful if the SG is representing a client host
-which \fIcan\fR prove its right to \fIits\fR IP address.
-(For example, a fixed-address subnet might live behind an SG with
-a dynamically-assigned address;
-such an SG has to be the Initiator, not the Responder,
-so the subnet's TXT records can contain FQDN identities,
-but with that restriction, this works.)
-It might sound like this would permit some man-in-the-middle attacks
-in important cases like Road Warrior,
-but the RW can still do full authentication of the home base,
-so a man in the middle cannot successfully impersonate home base,
-and the D-H exchange doesn't work unless the man in the middle
-impersonates \fIboth\fR ends.
-.R
-(Steps 7 and 8.)
-Another situation where proof of the right to use an identity can be
-very useful is when access is deliberately limited.
-While opportunistic encryption is intended as a general-purpose
-connection mechanism between strangers,
-it may well be convenient for prearranged connections to use
-the same mechanism.
-.R
-(Steps 7 and 8.)
-FQDNs as identities are avoided where possible,
-since they can involve synchronous DNS lookups.
-.R
-(Step 11.)
-Note that only here, in Phase 2,
-does the Responder actually learn who the
-Source and Destination hosts are.
-This unfortunately demands a synchronous DNS lookup to verify that the
-Initiator is authorized to represent the Source,
-unless they are one and the same.
-This and the initial TXT lookup are the only synchronous DNS lookups
-absolutely required by the algorithm,
-and they appear to be unavoidable.
-.R
-While it might seem unlikely that a refusal to cooperate from one SG
-could be remedied by trying another\(empresumably they all use the
-same policies\(emit's conceivable that one might be misconfigured.
-Preferably they should all be tried,
-but it may be necessary to set some limits on this
-if alternatives exist.
-.NH 2
-DNS Records
-.P
-Gateway discovery and key lookup are based on TXT and KEY DNS records.
-The TXT record specifies IP address or other identity of a host's SG,
-and possibly supplies its public key as well,
-while the KEY record supplies public keys not found in TXT records.
-.NH 3
-TXT
-.P
-Opportunistic-encryption SG discovery uses TXT records with the content:
-.DS
-X-IPsec-Gateway(\fInnn\fR)=\fIiii\fR\ \fIkkk\fR
-.DE
-following RFC 1464 attribute/value
-notation.
-Records which
-do not contain an ``='',
-or which do not have exactly the specified form to the left of it,
-are ignored.
-(Near misses perhaps should be reported.)
-.P
-The \fInnn\fR is an unsigned integer which will fit in 16 bits,
-specifying an MX-style preference
-(lower number = stronger preference) to
-control the order in which multiple SGs are tried.
-If there are ties, pick one,
-randomly enough that the choice will probably be different each time.
-xxx rollover.
-The preference field is not optional;
-use ``0'' if there is no meaningful preference ordering.
-.P
-The \fIiii\fR part identifies the SG.
-Normally this is a dotted-decimal IPv4 address or
-a colon-hex IPv6 address.
-The sole exception is if the SG has no fixed address (see 2.4) but
-the host(s) behind it do,
-in which case \fIiii\fR is of the form ``@fqdn'',
-where \fIfqdn\fR is the FQDN that the SG will use to
-identify itself (in step 7 of section 2.2);
-such a record cannot be used for SG discovery by an Initiator,
-but can be used for
-SG verification (step 11 of 2.2) by a Responder.
-.P
-The \fIkkk\fR part is optional.
-If it is present,
-it is an RSA-MD5 public key in base-64 notation, as in the text
-form of an RFC 2535 KEY record.
-If it is not present,
-this specifies that the public key can be found in a KEY
-record located based on the SG's identification:
-if \fIiii\fR is an IP address,
-do a reverse lookup on that address,
-else do a forward lookup on the FQDN.
-.R
-While it is unusual for a reverse lookup to go for records other than PTR
-records (or possibly CNAME records, for RFC 2317 classless delegation),
-there's no reason why it can't.
-The TXT record is a temporary stand-in
-for (we hope, someday) a new DNS record for SG identification and keying.
-Keeping the setup process fast requires minimizing the number of DNS
-lookups, hence the desire to put all the information in one place.
-.R
-The use of RFC 1464 notation avoids collisions with other uses of TXT
-records.
-The ``X-'' in the attribute name
-indicates that this format is tentative and experimental;
-this design will probably need modification after initial experiments.
-The format is chosen with an eye on eventual binary encoding.
-Note, in particular,
-that the TXT record normally contains the \fIaddress\fR of the SG,
-not (repeat, not) its name.
-Name-to-address conversion is the job of
-whatever generates the TXT record,
-which is expected to be a program, not a human\(emthis is conceptually
-a \fIbinary\fR record, temporarily using a text encoding.
-The ``@fqdn'' form of the SG identity is
-for specialized uses and is never mapped to an address.
-.A
-A DNS TXT record contains one or more character strings,
-but RFC 1035 does not describe exactly how
-a multi-string TXT record is interpreted.
-This is relevant because a string can be at most 255 characters,
-and public keys can exceed this.
-Empirically, the standard pattern is that
-each string which is
-both less than 255 characters \fIand\fR not the final string of the
-record should have a blank appended to it,
-and the strings of the record
-should then be concatenated.
-(This observation is based on how BIND 8 transforms a TXT record
-from text to DNS binary.)
-.NH 3
-KEY
-.P
-An opportunistic-encryption KEY record
-is an Authentication-permitted,
-Entity (host),
-non-Signatory,
-IPsec,
-RSA/MD5 record
-(that is, its first four bytes are 0x42000401),
-as per RFCs 2535 and 2537.
-KEY records with other \fIflags\fR, \fIprotocol\fR, or \fIalgorithm\fR
-values are ignored.
-.R
-Unfortunately, the public key has to be
-associated with the SG, not the client host behind it.
-The Responder does not know which client it is supposed to be representing,
-or which client the Initiator is representing,
-until far too late.
-.A
-Per-client keys would reduce vulnerability to key compromise,
-and simplify key changes,
-but they would require changes to IKE Phase 1, to separately identify
-the SG and its initial client(s).
-(At present, the client identities are not known to the Responder
-until IKE Phase 2.)
-While the current IKE standard does not actually specify (!) who is
-being identified by identity payloads,
-the overwhelming consensus is that they identify the SG,
-and as seen earlier,
-this has important uses.
-.NH 3
-Summary
-.P
-For reference, the minimum set of DNS records needed to make this
-all work is either:
-.IP 1. \w'1.'u+2n
-TXT in Destination reverse map, identifying Responder and providing public key.
-.IP 2.
-KEY in Initiator reverse map, providing public key.
-.IP 3.
-TXT in Source reverse map, verifying relationship to Initiator.
-.P
-or:
-.IP 1. \w'1.'u+2n
-TXT in Destination reverse map, identifying Responder.
-.IP 2.
-KEY in Responder reverse map, providing public key.
-.IP 3.
-KEY in Initiator reverse map, providing public key.
-.IP 4.
-TXT in Source reverse map, verifying relationship to Initiator.
-.P
-Slight complications ensue for dynamic addresses,
-lack of control over reverse maps, etc.
-.NH 3
-Implementation
-.P
-In the long run, we need either a tree of trust or a web of trust,
-so we can trust our DNS data.
-The obvious approach for DNS is a tree of trust,
-but there are various practical problems with running all of this
-through the root servers,
-and a web of trust is arguably more robust anyway.
-This is logically independent of opportunistic encryption,
-and a separate design proposal will be prepared.
-.P
-Interim stages of implementation of this will require a bit of thought.
-Notably, we need some way of dealing with the lack of fully signed DNSSEC
-records right away.
-Without user interaction, probably the best we can do is to
-remember the results of old fetches, compare them to the results of new
-fetches, and complain and disbelieve all of it if there's a mismatch. 
-This does mean that somebody who gets fake data into our very first fetch
-will fool us, at least for a while, but that seems an acceptable tradeoff.
-(Obviously there needs to be a way to manually flush the remembered results
-for a specific host, to permit deliberate changes.)
-.NH 2
-Responders Without Credentials
-.P
-In cases where the Destination simply does not control its
-DNS reverse-map entries,
-there is no verifiable way to determine a suitable SG.
-This does not make communication utterly impossible, though.
-.P
-Simply attempting negotiation directly with the host is a last resort.
-(An aggressive implementation might wish to attempt it in parallel,
-rather than waiting until other options are known to be unavailable.)
-In particular, in many cases involving dynamic addresses, it will work.
-It has the disadvantage of delaying the discovery that opportunistic
-encryption is entirely impossible,
-but the case seems common enough to justify the overhead.
-.P
-However, there are policy issues here either way, because
-it is possible to impersonate such a host.
-The host can supply an FQDN identity and verify its right to use that
-identity,
-but except by prearrangement,
-there is no way to verify that the FQDN is the right one for that
-IP address.
-(The data from forward lookups may be controlled by people
-who do not own the address, so it cannot be trusted.)
-The encryption is still solid, though,
-so in many cases this may be useful.
-.NH 2
-Failure of Opportunism
-.P
-When there is no way to do opportunistic encryption, a policy issue arises:
-whether to put in a bypass (which allows plaintext traffic through)
-or a block (which discards it, perhaps with notification back to the sender).
-The choice is very much a matter of local policy,
-and may depend on details such as the higher-level protocol being used.
-For example,
-an SG might well permit plaintext HTTP but forbid plaintext Telnet,
-in which case \fIboth\fR a block and a bypass would be set up if
-opportunistic encryption failed.
-.P
-A bypass/block must, in practice,
-be treated much like an IPsec tunnel.
-It should persist for a while,
-so that high-overhead processing doesn't have to be done for every packet,
-but should go away eventually to return resources.
-It may be simplest to treat it as a degenerate tunnel.
-It should have a relatively long lifetime (say 6h) to keep the frequency
-of negotiation attempts down,
-except in the case where the other SG simply did not respond to IKE packets,
-where the lifetime should be short (say 10min) because
-the other SG is presumably down and might come back up again.
-(Cases where the other SG responded to IKE with unauthenticated error
-reports like ``port unreachable'' are borderline,
-and might deserve to be treated as an intermediate case:
-while such reports cannot be trusted unreservedly,
-in the absence of any other response,
-they do give some reason to suspect that the other SG is unable or
-unwilling to participate in opportunistic encryption.)
-.P
-As noted in section 2.1, one might think that
-arrival of a plaintext incoming packet should cause a
-bypass/block to be set up for its source host:
-such a packet is almost always followed by an outgoing reply packet;
-the incoming packet is clear evidence that opportunistic encryption is
-not available at the other end;
-attempting it will waste resources and delay traffic to no good purpose.
-Unfortunately, this means that anyone out on the Internet
-who can forge a source address can prevent encrypted communication!
-Since their source addresses are not authenticated,
-plaintext packets cannot be taken as evidence of anything,
-except perhaps that communication from that host is likely to occur soon.
-.P
-There needs to be a way for local administrators to remove a bypass/block
-ahead of its normal expiry time,
-to force a retry after a problem at the other end is known to have been fixed.
-.NH 2
-Subnet Opportunism
-.P
-In principle, when the Source or Destination host belongs to a subnet
-and the corresponding SG is willing to provide tunnels to the whole subnet,
-this should be done.
-There is no extra overhead,
-and considerable potential for avoiding later overhead if
-similar communication occurs with other members of the subnet.
-Unfortunately,
-at the moment,
-opportunistic tunnels can only have degenerate subnets (single hosts)
-at their ends.
-(This does, at least, set up the keying channel,
-so that negotiations for tunnels to other hosts in the same subnets
-will be considerably faster.)
-.P
-The crucial problem is step 11 of section 2.2:
-the Responder must verify that the Initiator is authorized to represent
-the Source,
-and this is impossible for a subnet because
-there is no way to do a reverse lookup on it.
-Information in DNS
-records for a name or a single address cannot be trusted,
-because they may be controlled by people who do not control the whole subnet.
-.A
-Except in the special case of a subnet masked on a
-byte boundary (in which case RFC 1035's convention of an incomplete
-in-addr.arpa name could be used), subnet lookup would need extensions to the
-reverse-map name space, perhaps along the lines of that commonly done for
-RFC 2317 delegation.
-IPv6 already has suitable name syntax, as in RFC 2874,
-but has no specific provisions for subnet entries in its reverse maps.
-Fixing all this is is not conceptually difficult,
-but is logically independent of opportunistic encryption,
-and will be proposed separately.
-.P
-A less-troublesome problem is that the Initiator,
-in step 10 of 2.2,
-must know exactly what subnet is present on the Responder's end
-so he can propose a tunnel to it.
-This information could be included in the TXT record
-of the Destination
-(it would have to be verified with a subnet lookup,
-but that could be done in parallel with other operations).
-The Initiator presumably
-can be configured to know what subnet(s) are present on its end.
-.NH 2
-Option Settings
-.P
-IPsec and IKE have far too many useless options, and a few useful ones.
-IKE negotiation is quite simplistic, and cannot handle even simple
-discrepancies between the two SGs.
-So it is necessary to be quite specific about what should be done and
-what should be proposed,
-to guarantee interoperability without prearrangement or
-other negotiation protocols.
-.R
-The prohibition of other negotiations is simply because there is no time.
-The setup algorithm (section 2.2) is lengthy already.
-.P
-[Open question:
-should opportunistic IKE use a different port than normal IKE?]
-.P
-Somewhat arbitrarily and
-tentatively, opportunistic SGs must support Main Mode, Oakley group 5 for
-D-H, 3DES encryption and MD5 authentication for both ISAKMP and IPsec SAs,
-RSA/MD5 digital-signature authentication with keys between 2048 and 8192 bits,
-and ESP doing both encryption and authentication.
-They must do key PFS
-in Quick Mode, but not identity PFS.
-They may support IPComp, preferably using Deflate,
-but must not insist on it.
-They may support AES as an alternative to 3DES,
-but must not insist on it.
-.R
-Identity PFS essentially requires establishing
-a complete new keying channel for each new tunnel,
-but key PFS just does a new Diffie-Hellman exchange for each rekeying,
-which is relatively cheap.
-.P
-Keying channels must remain in existence at least as long as any
-tunnel created with them remains (they are not costly, and keeping
-the management path up and available simplifies various issues).
-See section 3.1 for related issues.
-Given the use of key PFS,
-frequent rekeying does not seem critical here.
-In the absence of strong reason to do otherwise,
-the Initiator should propose rekeying at 8hr-or-1MB.
-The Responder must accept any proposal which specifies
-a rekeying time between 1hr and 24hr inclusive
-and a rekeying volume between 100KB and 10MB inclusive.
-.P
-Given the short expected useful life of most tunnels (see section 3.1),
-very few of them will survive long enough to be rekeyed.
-In the absence of strong reason to do otherwise,
-the Initiator should propose rekeying at 1hr-or-100MB.
-The Responder must accept any proposal which specifies
-a rekeying time between 10min and 8hr inclusive
-and a rekeying volume between 1MB and 1000MB inclusive.
-.P
-It is highly desirable to add some random jitter
-to the times of actual rekeying attempts,
-to break up ``convoys'' of rekeying events;
-this and certain other aspects of robust rekeying practice will be the subject
-of a separate design proposal.
-.R
-The numbers used here for rekeying intervals are chosen quite arbitrarily
-and should be re-assessed after some implementation experience is gathered.
-.NH 1
-Renewal and Teardown
-.NH 2
-Aging
-.P
-When to tear tunnels down is a bit problematic, but if we're setting up a
-potentially unbounded number of them,
-we have to tear them down \fIsomehow sometime\fR.
-.P
-Set a short initial tentative lifespan, say 1min,
-since most net flows in fact last only a few seconds.
-When that expires, look to see if
-the tunnel is still in use (definition:
-has had traffic, in either direction,
-in the last half of the tentative lifespan).
-If so, assign it a somewhat longer tentative lifespan, say 20min,
-after which, look again.
-If not, close it down.
-(This tentative lifespan is
-independent of rekeying; it is just the time when the tunnel's future
-is next considered.
-This should happen reasonably frequently, unlike
-rekeying, which is costly and shouldn't be too frequent.)
-Multi-step backoff algorithms are not worth the trouble; looking every
-20min doesn't seem onerous.
-.P
-If the security gateway and the client host are one and the same,
-tunnel teardown decisions might wish to pay attention to TCP connection status,
-as reported by the local TCP layer.
-A still-open
-TCP connection is almost a guarantee that more traffic is coming, while
-the demise of the only TCP connection through a tunnel is a strong hint
-that none is.
-If the SG and the client host are separate machines,
-though, tracking TCP connection status requires packet snooping,
-which is complicated and probably not worthwhile.
-.P
-IKE keying channels likewise are torn down when it appears the need has
-passed.
-They always linger longer than the last tunnel they administer,
-in case they are needed again; the cost of retaining them is low.
-Other than that,
-unless the number of keying channels on the SG gets large,
-the SG should simply retain all of them until rekeying time,
-since rekeying is the only costly event.
-When about to rekey a keying channel which has no current tunnels,
-note when the last actual keying-channel traffic occurred,
-and close the keying channel down if it wasn't in the last, say, 30min.
-When rekeying a keying channel (or perhaps shortly before rekeying is expected),
-Initiator and Responder should re-fetch the public keys used for
-SG authentication,
-against the possibility that they have changed or disappeared.
-.P
-See section 2.7 for discussion of rekeying intervals.
-.P
-Given the low user impact of tearing down and rebuilding a connection
-(a tunnel or a keying channel),
-rekeying attempts should not be too persistent:
-one can always just rebuild when needed,
-so heroic efforts to preserve an existing connection are unnecessary.
-Say, try every 10s for a minute and every minute for 5min,
-and then give up and declare the connection
-(and all other connections to that IKE peer) dead.
-.R
-In future, more sophisticated, versions of this protocol,
-examining the initial packet might permit a more intelligent guess at
-the tunnel's useful life.
-HTTP connections in particular are
-notoriously bursty and repetitive.
-.R
-Note that rekeying a keying connection basically consists of building a
-new keying connection from scratch,
-using IKE Phase 1,
-and abandoning the old one.
-.NH 2
-Teardown and Cleanup
-.P
-Teardown should always be coordinated with the other end.
-This means interpreting and sending Delete notifications.
-.P
-On receiving a Delete for the outbound SAs of a tunnel
-(or some subset of them),
-tear down the inbound ones too, and notify the other end
-with a Delete.
-Tunnels need to be considered as bidirectional entities,
-even though the low-level protocols don't think of them that way.
-.P
-When the deletion is initiated locally,
-rather than as a response to a received Delete,
-send a Delete for (all) the inbound SAs of a tunnel.
-If no responding Delete is received for the outbound SAs,
-try re-sending the original Delete.
-Three tries spaced 10s apart seems a reasonable level of effort.
-(Indefinite persistence is not necessary;
-whether the other end isn't cooperating because it doesn't feel like
-it, or because it is down/disconnected/etc.,
-the problem will eventually be cleared up by other means.)
-.P
-After rekeying,
-transmission should switch to using the new SAs (ISAKMP or IPsec)
-immediately,
-and the old leftover SAs should be cleared out promptly
-(and Deletes sent) rather than waiting for them to expire.
-This reduces clutter and minimizes confusion.
-.P
-Since there is only one keying channel per remote IP address,
-the question of whether a Delete notification has appeared on a
-``suitable'' keying channel does not arise.
-.R
-The pairing of Delete notifications effectively constitutes an
-acknowledged Delete, which is highly desirable.
-.NH 2
-Outages and Reboots
-.P
-Tunnels sometimes go down because the other
-end crashes, or disconnects, or has a network link break,
-and there is no notice of this in the general case.
-(Even in the event of a crash and
-successful reboot, other SGs don't hear about it unless the
-rebooted SG has specific reason to talk to them immediately.)
-Over-quick response to temporary network outages is undesirable...
-but note that a tunnel can be torn
-down and then re-established without any user-visible effect except
-a pause in traffic,
-whereas if one end does reboot,
-the other end can't get packets to it \fIat all\fR (except via IKE)
-until the situation is noticed.
-So a bias toward quick response is appropriate,
-even at the cost of occasional false alarms.
-.P
-Heartbeat mechanisms are somewhat unsatisfactory for this.
-Unless they are very frequent, which causes other problems,
-they do not detect the problem promptly.
-.A
-What is really wanted is authenticated ICMP.
-This might be a case where public-key encryption/authentication
-of network packets is the right thing to do,
-despite the expense.
-.P
-In the absence of that, a two-part approach seems warranted.
-.P
-First,
-when an SG receives an IPsec packet that is addressed to it,
-and otherwise appears healthy,
-but specifies an unknown SA and is from a host that the receiver currently
-has no keying channel to,
-the receiver must attempt to inform the sender
-via an IKE Initial-Contact notification
-(necessarily sent in plaintext,
-since there is no suitable keying channel).
-This must be severely rate-limited on \fIboth\fR ends;
-one notification per SG pair per minute seems ample.
-.P
-Second, there is an obvious difficulty with this:
-the Initial-Contact notification is unauthenticated
-and cannot be trusted.
-So it must be taken as a hint only:
-there must be a way to confirm it.
-.P
-What is needed here is something that's desirable for
-debugging and testing anyway:
-an IKE-level ping mechanism.
-Pinging direct at the IP level instead will not tell us about a
-crash/reboot event.
-Sending pings through tunnels has
-various complications (they should stop at the far mouth of the tunnel
-instead of going on to a subnet; they should not count against idle
-timers; etc.).
-What is needed is a continuity check on a keying channel.
-(This could also be used as a heartbeat,
-should that seem useful.)
-.P
-IKE Ping delivery need not be reliable, since the whole point of a ping is
-simply to provoke an acknowledgement.
-They should preferably be authenticated,
-but it is not clear that this is absolutely necessary,
-although if they are not they need
-encryption plus a timestamp or a nonce,
-to foil replay mischief.
-How they are implemented is a secondary issue,
-and a separate design proposal will be prepared.
-.A
-Some existing implementations are already using
-(private) notify value 30000 (``LIKE_HELLO'') as ping
-and (private) notify value 30002 (``SHUT_UP'') as ping reply.
-.P
-If an IKE Ping gets no response, try some (say 8) IP pings,
-spaced a few seconds apart, to check IP connectivity;
-if one comes back, try another IKE Ping;
-if that gets no response,
-the other end probably has rebooted, or otherwise been re-initialized,
-and its tunnels and keying channel(s) should be torn down.
-.P
-In a similar vein,
-giving limited rekeying persistence,
-a short network outage could take some tunnels down without
-disrupting others.
-On receiving a packet for an unknown SA from a host that a keying
-channel is currently open to,
-send that host a Invalid-SPI notification for that SA.
-xxx that's not what Invalid-SPI is for.
-The other host can then tear down the half-torn-down tunnel,
-and negotiate a new tunnel for the traffic
-it presumably still wants to send.
-.P
-Finally,
-it would be helpful if SGs made some attempt to deal intelligently
-with crashes and reboots.
-A deliberate shutdown should include an attempt to notify all other SGs
-currently connected by keying channels,
-using Deletes,
-that communication is about to fail.
-(Again, these will be taken as teardowns;
-attempts by the other SGs to negotiate new tunnels as replacements
-should be ignored at this point.)
-And when possible, SGs should attempt to preserve information
-about currently-connected SGs in non-volatile storage, 
-so that after a crash,
-an Initial-Contact can be sent to previous partners to
-indicate loss of all previously-established connections.
-.NH 1
-Conclusions
-.P
-This design appears to achieve the objective of setting up encryption
-with strangers.
-The authentication aspects also seem adequately addressed if the
-destination controls its reverse-map DNS entries
-and the DNS data itself can be reliably authenticated
-as having originated from the legitimate administrators of that
-subnet/FQDN.
-The authentication situation is less satisfactory when DNS is less helpful,
-but it is difficult to see what else could be done about it.
-.NH 1
-References
-.P
-[TBW]
-.NH 1
-Appendix:  Separate Design Proposals TBW
-.IP \(bu \w'\(bu'u+2n
-How can we build a web of trust with DNSSEC?
-(See section 2.3.4.)
-.IP \(bu
-How can we extend DNS reverse lookups to permit reverse lookup
-on a subnet?
-(Both address and mask must appear in the name to be looked up.)
-(See section 2.6.)
-.IP \(bu
-How can rekeying be done as robustly as possible?
-(At least partly, this is just documenting current FreeS/WAN practice.)
-(See section 2.7.)
-.IP \(bu
-How should IKE Pings be implemented?
-(See section 3.3.)
diff --git a/doc/performance.html b/doc/performance.html
deleted file mode 100644
index 2258eeeda..000000000
--- a/doc/performance.html
+++ /dev/null
@@ -1,458 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="interop.html">Previous</A>
-<A HREF="testing.html">Next</A>
-<HR>
-<H1><A name="performance">Performance of FreeS/WAN</A></H1>
- The performance of FreeS/WAN is adequate for most applications.
-<P>In normal operation, the main concern is the overhead for encryption,
- decryption and authentication of the actual IPsec (<A href="glossary.html#ESP">
-ESP</A> and/or<A href="glossary.html#AH"> AH</A>) data packets. Tunnel
- setup and rekeying occur so much less frequently than packet processing
- that, in general, their overheads are not worth worrying about.</P>
-<P>At startup, however, tunnel setup overheads may be significant. If
- you reboot a gateway and it needs to establish many tunnels, expect
- some delay. This and other issues for large gateways are discussed<A href="#biggate">
- below</A>.</P>
-<H2><A name="pub.bench">Published material</A></H2>
-<P>The University of Wales at Aberystwyth has done quite detailed speed
- tests and put<A href="http://tsc.llwybr.org.uk/public/reports/SWANTIME/">
- their results</A> on the web.</P>
-<P>Davide Cerri's<A href="http://www.linux.it/~davide/doc/"> thesis (in
- Italian)</A> includes performance results for FreeS/WAN and for<A href="glossary.html#TLS">
- TLS</A>. He posted an<A href="http://lists.freeswan.org/pipermail/users/2001-December/006303.html">
- English summary</A> on the mailing list.</P>
-<P>Steve Bellovin used one of AT&amp;T Research's FreeS/WAN gateways as his
- data source for an analysis of the cache sizes required for key
- swapping in IPsec. Available as<A href="http://www.research.att.com/~smb/talks/key-agility.email.txt">
- text</A> or<A href="http://www.research.att.com/~smb/talks/key-agility.pdf">
- PDF slides</A> for a talk on the topic.</P>
-<P>See also the NAI work mentioned in the next section.</P>
-<H2><A name="perf.estimate">Estimating CPU overheads</A></H2>
-<P>We can come up with a formula that roughly relates CPU speed to the
- rate of IPsec processing possible. It is far from exact, but should be
- usable as a first approximation.</P>
-<P>An analysis of authentication overheads for high-speed networks,
- including some tests using FreeS/WAN, is on the<A href="http://www.pgp.com/research/nailabs/cryptographic/adaptive-cryptographic.asp">
- NAI Labs site</A>. In particular, see figure 3 in this<A href="http://download.nai.com/products/media/pgp/pdf/acsa_final_report.pdf">
- PDF document</A>. Their estimates of overheads, measured in Pentium II
- cycles per byte processed are:</P>
-<TABLE align="center" border="1"><TBODY></TBODY>
-<TR><TH></TH><TH>IPsec</TH><TH>authentication</TH><TH>encryption</TH><TH>
-cycles/byte</TH></TR>
-<TR><TD>Linux IP stack alone</TD><TD>no</TD><TD>no</TD><TD>no</TD><TD align="right">
-5</TD></TR>
-<TR><TD>IPsec without crypto</TD><TD>yes</TD><TD>no</TD><TD>no</TD><TD align="right">
-11</TD></TR>
-<TR><TD>IPsec, authentication only</TD><TD>yes</TD><TD>SHA-1</TD><TD>no</TD><TD
-align="right">24</TD></TR>
-<TR><TD>IPsec with encryption</TD><TD>yes</TD><TD>yes</TD><TD>yes</TD><TD
-align="right">not tested</TD></TR>
-</TABLE>
-<P>Overheads for IPsec with encryption were not tested in the NAI work,
- but Antoon Bosselaers'<A href="http://www.esat.kuleuven.ac.be/~bosselae/fast.html">
- web page</A> gives cost for his optimised Triple DES implementation as
- 928 Pentium cycles per block, or 116 per byte. Adding that to the 24
- above, we get 140 cycles per byte for IPsec with encryption.</P>
-<P>At 140 cycles per byte, a 140 MHz machine can handle a megabyte -- 8
- megabits -- per second. Speeds for other machines will be proportional
- to this. To saturate a link with capacity C megabits per second, you
- need a machine running at<VAR> C * 140/8 = C * 17.5</VAR> MHz.</P>
-<P>However, that estimate is not precise. It ignores the differences
- between:</P>
-<UL>
-<LI>NAI's test packets and real traffic</LI>
-<LI>NAI's Pentium II cycles, Bosselaers' Pentium cycles, and your
- machine's cycles</LI>
-<LI>different 3DES implementations</LI>
-<LI>SHA-1 and MD5</LI>
-</UL>
-<P>and does not account for some overheads you will almost certainly
- have:</P>
-<UL>
-<LI>communication on the client-side interface</LI>
-<LI>switching between multiple tunnels -- re-keying, cache reloading and
- so on</LI>
-</UL>
-<P>so we suggest using<VAR> C * 25</VAR> to get an estimate with a bit
- of a built-in safety factor.</P>
-<P>This covers only IP and IPsec processing. If you have other loads on
- your gateway -- for example if it is also working as a firewall -- then
- you will need to add your own safety factor atop that.</P>
-<P>This estimate matches empirical data reasonably well. For example,
- Metheringham's tests, described<A href="#klips.bench"> below</A>, show
- a 733 topping out between 32 and 36 Mbit/second, pushing data as fast
- as it can down a 100 Mbit link. Our formula suggests you need at least
- an 800 to handle a fully loaded 32 Mbit link. The two results are
- consistent.</P>
-<P>Some examples using this estimation method:</P>
-<TABLE align="center" border="1"><TBODY></TBODY>
-<TR><TH colspan="2">Interface</TH><TH colspan="3">Machine speed in MHz</TH>
-</TR>
-<TR><TH>Type</TH><TH>Mbit per
-<BR> second</TH><TH>Estimate
-<BR> Mbit*25</TH><TH>Minimum IPSEC gateway</TH><TH>Minimum with other
- load
-<P>(e.g. firewall)</P>
-</TH></TR>
-<TR><TD>DSL</TD><TD align="right">1</TD><TD align="right">25 MHz</TD><TD rowspan="2">
-whatever you have</TD><TD rowspan="2">133, or better if you have it</TD></TR>
-<TR><TD>cable modem</TD><TD align="right">3</TD><TD align="right">75 MHz</TD>
-</TR>
-<TR><TD><STRONG>any link, light load</STRONG></TD><TD align="right"><STRONG>
-5</STRONG></TD><TD align="right">125 MHz</TD><TD>133</TD><TD>200+,<STRONG>
- almost any surplus machine</STRONG></TD></TR>
-<TR><TD>Ethernet</TD><TD align="right">10</TD><TD align="right">250 MHz</TD><TD>
-surplus 266 or 300</TD><TD>500+</TD></TR>
-<TR><TD><STRONG>fast link, moderate load</STRONG></TD><TD align="right"><STRONG>
-20</STRONG></TD><TD align="right">500 MHz</TD><TD>500</TD><TD>800+,<STRONG>
- any current off-the-shelf PC</STRONG></TD></TR>
-<TR><TD>T3 or E3</TD><TD align="right">45</TD><TD align="right">1125 MHz</TD><TD>
-1200</TD><TD>1500+</TD></TR>
-<TR><TD>fast Ethernet</TD><TD align="right">100</TD><TD align="right">
-2500 MHz</TD><TD align="center" colspan="2" rowspan="2">// not feasible
- with 3DES in software on current machines //</TD></TR>
-<TR><TD>OC3</TD><TD align="right">155</TD><TD align="right">3875 MHz</TD>
-</TR>
-</TABLE>
-<P>Such an estimate is far from exact, but should be usable as minimum
- requirement for planning. The key observations are:</P>
-<UL>
-<LI>older<STRONG> surplus machines</STRONG> are fine for IPsec gateways
- at loads up to<STRONG> 5 megabits per second</STRONG> or so</LI>
-<LI>a<STRONG> mid-range new machine</STRONG> can handle IPsec at rates
- up to<STRONG> 20 megabits per second</STRONG> or more</LI>
-</UL>
-<H3><A name="perf.more">Higher performance alternatives</A></H3>
-<P><A href="glossary.html#AES">AES</A> is a new US government block
- cipher standard, designed to replace the obsolete<A href="glossary.html#DES">
- DES</A>. If FreeS/WAN using<A href="glossary.html#3DES"> 3DES</A> is
- not fast enough for your application, the AES<A href="web.html#patch">
- patch</A> may help.</P>
-<P>To date (March 2002) we have had only one<A href="http://lists.freeswan.org/pipermail/users/2002-February/007771.html">
- mailing list report</A> of measurements with the patch applied. It
- indicates that, at least for the tested load on that user's network,<STRONG>
- AES roughly doubles IPsec throughput</STRONG>. If further testing
- confirms this, it may prove possible to saturate an OC3 link in
- software on a high-end box.</P>
-<P>Also, some work is being done toward support of<A href="compat.html#hardware">
- hardware IPsec acceleration</A> which might extend the range of
- requirements FreeS/WAN could meet.</P>
-<H3><A NAME="11_2_2">Other considerations</A></H3>
-<P>CPU speed may be the main issue for IPsec performance, but of course
- it isn't the only one.</P>
-<P>You need good ethernet cards or other network interface hardware to
- get the best performance. See this<A href="http://www.ethermanage.com/ethernet/ethernet.html">
- ethernet information</A> page and this<A href="http://www.scyld.com/diag">
- Linux network driver</A> page.</P>
-<P>The current FreeS/WAN kernel code is largely single-threaded. It is
- SMP safe, and will run just fine on a multiprocessor machine (<A href="compat.html#multiprocessor">
-discussion</A>), but the load within the kernel is not shared
- effectively. This means that, for example to saturate a T3 -- which
- needs about a 1200 MHz machine -- you cannot expect something like a
- dual 800 to do the job.</P>
-<P>On the other hand, SMP machines do tend to share loads well so --
- provided one CPU is fast enough for the IPsec work -- a multiprocessor
- machine may be ideal for a gateway with a mixed load.</P>
-<H2><A name="biggate">Many tunnels from a single gateway</A></H2>
-<P>FreeS/WAN allows a single gateway machine to build tunnels to many
- others. There may, however, be some problems for large numbers as
- indicated in this message from the mailing list:</P>
-<PRE>Subject: Re: Maximum number of ipsec tunnels?
-   Date: Tue, 18 Apr 2000
-   From: &quot;John S. Denker&quot; &lt;jsd@research.att.com&gt;
-
-Christopher Ferris wrote:
-
-&gt;&gt; What are the maximum number ipsec tunnels FreeS/WAN can handle??
-
-Henry Spencer wrote:
-
-&gt;There is no particular limit.  Some of the setup procedures currently
-&gt;scale poorly to large numbers of connections, but there are (clumsy)
-&gt;workarounds for that now, and proper fixes are coming.
-
-1) &quot;Large&quot; numbers means anything over 50 or so.  I routinely run boxes
-with about 200 tunnels.  Once you get more than 50 or so, you need to worry
-about several scalability issues:
-
-a) You need to put a &quot;-&quot; sign in syslogd.conf, and rotate the logs daily
-not weekly.
-
-b) Processor load per tunnel is small unless the tunnel is not up, in which
-case a new half-key gets generated every 90 seconds, which can add up if
-you've got a lot of down tunnels.
-
-c) There's other bits of lore you need when running a large number of
-tunnels.  For instance, systematically keeping the .conf file free of
-conflicts requires tools that aren't shipped with the standard freeswan
-package.
-
-d) The pluto startup behavior is quadratic.  With 200 tunnels, this eats up
-several minutes at every restart.   I'm told fixes are coming soon.
-
-2) Other than item (1b), the CPU load depends mainly on the size of the
-pipe attached, not on the number of tunnels.
-</PRE>
-<P>It is worth noting that item (1b) applies only to repeated attempts
- to re-key a data connection (IPsec SA, Phase 2) over an established
- keying connection (ISAKMP SA, Phase 1). There are two ways to reduce
- this overhead using settings in<A href="manpage.d/ipsec.conf.5.html">
- ipsec.conf(5)</A>:</P>
-<UL>
-<LI>set<VAR> keyingtries</VAR> to some small value to limit repetitions</LI>
-<LI>set<VAR> keylife</VAR> to a short time so that a failing data
- connection will be cleaned up when the keying connection is reset.</LI>
-</UL>
-<P>The overheads for establishing keying connections (ISAKMP SAs, Phase
- 1) are lower because for these Pluto does not perform expensive
- operations before receiving a reply from the peer.</P>
-<P>A gateway that does a lot of rekeying -- many tunnels and/or low
- settings for tunnel lifetimes -- will also need a lot of<A href="glossary.html#random">
- random numbers</A> from the random(4) driver.</P>
-<H2><A name="low-end">Low-end systems</A></H2>
-<P><EM>Even a 486 can handle a T1 line</EM>, according to this mailing
- list message:</P>
-<PRE>Subject: Re: linux-ipsec: IPSec Masquerade
-   Date: Fri, 15 Jan 1999 11:13:22 -0500
-   From: Michael Richardson 
-
-. . . A 486/66 has been clocked by Phil Karn to do
-10Mb/s encryption.. that uses all the CPU, so half that to get some CPU,
-and you have 5Mb/s. 1/3 that for 3DES and you get 1.6Mb/s....</PRE>
-<P>and a piece of mail from project technical lead Henry Spencer:</P>
-<PRE>Oh yes, and a new timing point for Sandy's docs...  A P60 -- yes, a 60MHz
-Pentium, talk about antiques -- running a host-to-host tunnel to another
-machine shows an FTP throughput (that is, end-to-end results with a real
-protocol) of slightly over 5Mbit/s either way.  (The other machine is much
-faster, the network is 100Mbps, and the ether cards are good ones... so
-the P60 is pretty definitely the bottleneck.)</PRE>
-<P>From the above, and from general user experience as reported on the
- list, it seems clear that a cheap surplus machine -- a reasonable 486,
- a minimal Pentium box, a Sparc 5, ... -- can easily handle a home
- office or a small company connection using any of:</P>
-<UL>
-<LI>ADSL service</LI>
-<LI>cable modem</LI>
-<LI>T1</LI>
-<LI>E1</LI>
-</UL>
-<P>If available, we suggest using a Pentium 133 or better. This should
- ensure that, even under maximum load, IPsec will use less than half the
- CPU cycles. You then have enough left for other things you may want on
- your gateway -- firewalling, web caching, DNS and such.</P>
-<H2><A name="klips.bench">Measuring KLIPS</A></H2>
-<P>Here is some additional data from the mailing list.</P>
-<PRE>Subject: FreeSWAN (specically KLIPS) performance measurements
-   Date: Thu, 01 Feb 2001
-   From: Nigel Metheringham &lt;Nigel.Metheringham@intechnology.co.uk&gt;
-
-I've spent a happy morning attempting performance tests against KLIPS 
-(this is due to me not being able to work out the CPU usage of KLIPS so 
-resorting to the crude measurements of maximum throughput to give a 
-baseline to work out loading of a box).
-
-Measurements were done using a set of 4 boxes arranged in a line, each 
-connected to the next by 100Mbit duplex ethernet.  The inner 2 had an 
-ipsec tunnel between them (shared secret, but I was doing measurements 
-when the tunnel was up and running - keying should not be an issue 
-here).  The outer pair of boxes were traffic generators or traffic sink.
-
-The crypt boxes are Compaq DL380s - Uniprocessor PIII/733 with 256K 
-cache.  They have 128M main memory.  Nothing significant was running on 
-the boxes other than freeswan.  The kernel was a 2.2.19pre7 patched 
-with freeswan and ext3.
-
-Without an ipsec tunnel in the chain (ie the 2 inner boxes just being 
-100BaseT routers), throughput (measured with ttcp) was between 10644 
-and 11320 KB/sec
-
-With an ipsec tunnel in place, throughput was between 3268 and 3402 
-KB/sec
-
-These measurements are for data pushed across a TCP link, so the 
-traffic on the wire between the 2 ipsec boxes would have been higher 
-than this....
-
-vmstat (run during some other tests, so not affecting those figures) on 
-the encrypting box shows approx 50% system &amp; 50% idle CPU - which I 
-don't believe at all.  Interactive feel of the box was significantly 
-sluggish.
-
-I also tried running the kernel profiler (see man readprofile) during 
-test runs.
-
-A box doing primarily decrypt work showed basically nothing happening - 
-I assume interrupts were off.
-A box doing encrypt work showed the following:-
- Ticks Function                                   Load
- ~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    ~~~~~~
-   956 total                                      0.0010
-   532 des_encrypt2                               0.1330
-   110 MD5Transform                               0.0443
-    97 kmalloc                                    0.1880
-    39 des_encrypt3                               0.1336
-    23 speedo_interrupt                           0.0298
-    14 skb_copy_expand                            0.0250
-    13 ipsec_tunnel_start_xmit                    0.0009
-    13 Decode                                     0.1625
-    11 handle_IRQ_event                           0.1019
-    11 .des_ncbc_encrypt_end                      0.0229
-    10 speedo_start_xmit                          0.0188
-     9 satoa                                      0.0225
-     8 kfree                                      0.0118
-     8 ip_fragment                                0.0121
-     7 ultoa                                      0.0365
-     5 speedo_rx                                  0.0071
-     5 .des_encrypt2_end                          5.0000
-     4 _stext                                     0.0140
-     4 ip_fw_check                                0.0035
-     2 rj_match                                   0.0034
-     2 ipfw_output_check                          0.0200
-     2 inet_addr_type                             0.0156
-     2 eth_copy_and_sum                           0.0139
-     2 dev_get                                    0.0294
-     2 addrtoa                                    0.0143
-     1 speedo_tx_buffer_gc                        0.0024
-     1 speedo_refill_rx_buf                       0.0022
-     1 restore_all                                0.0667
-     1 number                                     0.0020
-     1 net_bh                                     0.0021
-     1 neigh_connected_output                     0.0076
-     1 MD5Final                                   0.0083
-     1 kmem_cache_free                            0.0016
-     1 kmem_cache_alloc                           0.0022
-     1 __kfree_skb                                0.0060
-     1 ipsec_rcv                                  0.0001
-     1 ip_rcv                                     0.0014
-     1 ip_options_fragment                        0.0071
-     1 ip_local_deliver                           0.0023
-     1 ipfw_forward_check                         0.0139
-     1 ip_forward                                 0.0011
-     1 eth_header                                 0.0040
-     1 .des_encrypt3_end                          0.0833
-     1 des_decrypt3                               0.0034
-     1 csum_partial_copy_generic                  0.0045
-     1 call_out_firewall                          0.0125
-
-Hope this data is helpful to someone... however the lack of visibility 
-into the decrypt side makes things less clear</PRE>
-<H2><A name="speed.compress">Speed with compression</A></H2>
-<P>Another user reported some results for connections with and without
- IP compression:</P>
-<PRE>Subject: [Users] Speed with compression
-   Date: Fri, 29 Jun 2001
-   From: John McMonagle &lt;johnm@advocap.org&gt;
-
-Did a couple tests with compression using the new 1.91 freeswan.
-
-Running between 2 sites with cable modems.  Both  using approximately
-130 mhz pentium.
-
-Transferred files with ncftp.
-
-Compressed file was a 6mb compressed  installation file.
-Non compressed was 18mb /var/lib/rpm/packages.rpm
-
-                            Compressed vpn          regular vpn
-Compress file                42.59 kBs               42.08 kBs
-regular file                110.84 kBs               41.66 kBs
-
-Load  was about 0 either way.
-Ping times were very similar  a bit above 9 ms.
-
-Compression looks attractive to me.</PRE>
- Later in the same thread, project technical lead Henry Spencer added:
-<PRE>&gt; is there a reason not to switch compression on?  I have large gateway boxes
-&gt; connecting 3 connections, one of them with a measly DS1 link...
-
-Run some timing tests with and without, with data and loads representative
-of what you expect in production.  That's the definitive way to decide. 
-If compression is a net loss, then obviously, leave it turned off.  If it
-doesn't make much difference, leave it off for simplicity and hence
-robustness.  If there's a substantial gain, by all means turn it on. 
-
-If both ends support compression and can successfully negotiate a
-compressed connection (trivially true if both are FreeS/WAN 1.91), then
-the crucial question is CPU cycles. 
-
-Compression has some overhead, so one question is whether *your* data
-compresses well enough to save you more CPU cycles (by reducing the volume
-of data going through CPU-intensive encryption/decryption) than it costs
-you.  Last time I ran such tests on data that was reasonably compressible
-but not deliberately contrived to be so, this generally was not true --
-compression cost extra CPU cycles -- so compression was worthwhile only if
-the link, not the CPU, was the bottleneck.  However, that was before the
-slow-compression bug was fixed.  I haven't had a chance to re-run those
-tests yet, but it sounds like I'd probably see a different result. </PRE>
- The bug he refers to was a problem with the compression libraries that
- had us using C code, rather than assembler, for compression. It was
- fixed before 1.91.
-<H2><A name="methods">Methods of measuring</A></H2>
-<P>If you want to measure the loads FreeS/WAN puts on a system, note
- that tools such as top or measurements such as load average are
- more-or-less useless for this. They are not designed to measure
- something that does most of its work inside the kernel.</P>
-<P>Here is a message from FreeS/WAN kernel programmer Richard Guy Briggs
- on this:</P>
-<PRE>&gt; I have a batch of boxes doing Freeswan stuff.
-&gt; I want to measure the CPU loading of the Freeswan tunnels, but am 
-&gt; having trouble seeing how I get some figures out...
-&gt; 
-&gt;  - Keying etc is in userspace so will show up on the per-process
-&gt;    and load average etc (ie pluto's load)
-
-Correct.
-
-&gt;  - KLIPS is in the kernel space, and does not show up in load average
-&gt;    I think also that the KLIPS per-packet processing stuff is running
-&gt;    as part of an interrupt handler so it does not show up in the
-&gt;    /proc/stat system_cpu or even idle_cpu figures
-
-It is not running in interrupt handler.  It is in the bottom half.
-This is somewhere between user context (careful, this is not
-userspace!) and hardware interrupt context.
-
-&gt; Is this correct, and is there any means of instrumenting how much the 
-&gt; cpu is being loaded - I don't like the idea of a system running out of 
-&gt; steam whilst still showing 100% idle CPU :-)
-
-vmstat seems to do a fairly good job, but use a running tally to get a
-good idea.  A one-off call to vmstat gives different numbers than a
-running stat.  To do this, put an interval on your vmstat command
-line.</PRE>
- and another suggestion from the same thread:
-<PRE>Subject: Re: Measuring the CPU usage of Freeswan
-   Date: Mon, 29 Jan 2001
-   From: Patrick Michael Kane &lt;modus@pr.es.to&gt;
- 
-The only truly accurate way to accurately track FreeSWAN CPU usage is to use
-a CPU soaker. You run it on an unloaded system as a benchmark, then start up
-FreeSWAN and take the difference to determine how much FreeSWAN is eating.
-I believe someone has done this in the past, so you may find something in
-the FreeSWAN archives.  If not, someone recently posted a URL to a CPU
-soaker benchmark tool on linux-kernel.</PRE>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="interop.html">Previous</A>
-<A HREF="testing.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/policygroups.html b/doc/policygroups.html
deleted file mode 100644
index 6a507b1f6..000000000
--- a/doc/policygroups.html
+++ /dev/null
@@ -1,341 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="quickstart.html">Previous</A>
-<A HREF="faq.html">Next</A>
-<HR>
-<H1><A NAME="4">How to Configure Linux FreeS/WAN with Policy Groups</A></H1>
-<A NAME="policygroups"></A>
-<H2><A NAME="4_1">What are Policy Groups?</A></H2>
-<P><STRONG>Policy Groups</STRONG> are an elegant general mechanism to
- configure FreeS/WAN. They are useful for many FreeS/WAN users.</P>
-<P>In previous FreeS/WAN versions, you needed to configure each IPsec
- connection explicitly, on both local and remote hosts. This could
- become complex.</P>
-<P>By contrast, Policy Groups allow you to set local IPsec policy for
- lists of remote hosts and networks, simply by listing the hosts and
- networks which you wish to have special treatment in one of several
- Policy Group files. FreeS/WAN then internally creates the connections
- needed to implement each policy.</P>
-<P>In the next section we describe our five Base Policy Groups, which
- you can use to configure IPsec in many useful ways. Later, we will show
- you how to create an IPsec VPN using one line of configuration for each
- remote host or network.</P>
-<A NAME="builtin_policygroups"></A>
-<H3><A NAME="4_1_1">Built-In Security Options</A></H3>
-<P>FreeS/WAN offers these Base Policy Groups:</P>
-<DL>
-<DT>private</DT>
-<DD> FreeS/WAN only communicates privately with the listed<A HREF="glossary.html#CIDR">
- CIDR</A> blocks. If needed, FreeS/WAN attempts to create a connection
- opportunistically. If this fails, FreeS/WAN blocks communication.
- Inbound blocking is assumed to be done by the firewall. FreeS/WAN
- offers firewall hooks but no modern firewall rules to help with inbound
- blocking.</DD>
-<DT>private-or-clear</DT>
-<DD> FreeS/WAN prefers private communication with the listed CIDR
- blocks. If needed, FreeS/WAN attempts to create a connection
- opportunistically. If this fails, FreeS/WAN allows traffic in the
- clear.</DD>
-<DT>clear-or-private</DT>
-<DD> FreeS/WAN communicates cleartext with the listed CIDR blocks, but
- also accepts inbound OE connection requests from them. Also known as<A HREF="glossary.html#passive.OE">
- passive OE (pOE)</A>, this policy may be used to create an<A HREF="glossary.html#responder">
- opportunistic responder</A>.</DD>
-<DT>clear</DT>
-<DD> FreeS/WAN only communicates cleartext with the listed CIDR blocks.</DD>
-<DT>block</DT>
-<DD>FreeS/WAN blocks traffic to and from and the listed CIDR blocks.
- Inbound blocking is assumed to be done by the firewall. FreeS/WAN
- offers firewall hooks but no modern firewall rules to help with inbound
- blocking.
-<!-- also called "blockdrop".-->
-</DD>
-</DL>
-<A NAME="policy.group.notes"></A>
-<P>Notes:</P>
-<UL>
-<LI>Base Policy Groups apply to communication with this host only.</LI>
-<LI>The most specific rule (whether policy or pre-configured connection)
- applies. This has several practical applications:
-<UL>
-<LI>If CIDR blocks overlap, FreeS/WAN chooses the most specific
- applicable block.</LI>
-<LI>This decision also takes into account any pre-configured connections
- you may have.</LI>
-<LI>If the most specific connection is a pre-configured connection, the
- following procedure applies. If that connection is up, it will be used.
- If it is routed, it will be brought up. If it is added, no action will
- be taken.</LI>
-</UL>
-</LI>
-<LI>Base Policy Groups are created using built-in connections. Details
- in<A HREF="manpage.d/ipsec.conf.5.html"> man ipsec.conf</A>.</LI>
-<LI>All Policy Groups are bidirectional.<A HREF="src/policy-groups-table.html">
- This chart</A> shows some technical details. FreeS/WAN does not support
- one-way encryption, since it can give users a false sense of security.</LI>
-</UL>
-<H2><A NAME="4_2">Using Policy Groups</A></H2>
-<P>The Base Policy Groups which build IPsec connections rely on
- Opportunistic Encryption. To use the following examples, you must first
- become OE-capable, as described in our<A HREF="quickstart.html#quickstart">
- quickstart guide</A>.<A NAME="example1"></A></P>
-<H3><A NAME="4_2_1">Example 1: Using a Base Policy Group</A></H3>
-<P>Simply place CIDR blocks (<A HREF="#dnswarning">names</A>, IPs or IP
- ranges) in /etc/ipsec.d/policies/<VAR>[groupname]</VAR>, and reread the
- policy group files.</P>
-<P>For example, the<VAR> private-or-clear</VAR> policy tells FreeS/WAN
- to prefer encrypted communication to the listed CIDR blocks. Failing
- that, it allows talk in the clear.</P>
-<P>To make this your default policy, place<A HREF="glossary.html#fullnet">
- fullnet</A> in the<VAR> private-or-clear</VAR> policy group file:</P>
-<PRE>    [root@xy root]# cat /etc/ipsec.d/policies/private-or-clear
-    # This file defines the set of CIDRs (network/mask-length) to which
-    # communication should be private, if possible, but in the clear otherwise.
-    ....
-    0.0.0.0/0</PRE>
-<P>and reload your policies with</P>
-<PRE>    ipsec auto --rereadgroups</PRE>
-<P>Use<A HREF="quickstart.html#opp.test"> this test</A> to verify
- opportunistic connections.</P>
-<A NAME="example2"></A>
-<H3><A NAME="4_2_2">Example 2: Defining IPsec Security Policy with
- Groups</A></H3>
-<P>Defining IPsec security policy with Base Policy Groups is like
- creating a shopping list: just put CIDR blocks in the appropriate group
- files. For example:</P>
-<PRE>    [root@xy root]# cd /etc/ipsec.d/policies
-    [root@xy policies]# cat private
-        192.0.2.96/27              # The finance department
-        192.0.2.192/29             # HR
-	192.0.2.12                 # HR gateway
-        irc.private.example.com    # Private IRC server
-  
-    [root@xy policies]# cat private-or-clear
-        0.0.0.0/0                  # My default policy: try to encrypt.
-
-    [root@xy policies]# cat clear
-        192.0.2.18/32              # My POP3 server
-        192.0.2.19/32              # My Web proxy
-
-    [root@xy policies]# cat block
-        spamsource.example.com</PRE>
-<P>To make these settings take effect, type:</P>
-<PRE>    ipsec auto --rereadgroups</PRE>
-<P>Notes:</P>
-<UL>
-<LI>For opportunistic connection attempts to succeed, all participating
- FreeS/WAN hosts and gateways must be configured for OE.</LI>
-<LI>Examples 3 through 5 show how to implement a detailed<VAR> private</VAR>
- policy.</LI>
-<LI><A NAME="dnswarning"></A><FONT COLOR="RED"> Warning:</FONT> Using
- DNS names in policy files and ipsec.conf can be tricky. If the name
- does not resolve, the policy will not be implemented for that name. It
- is therefore safer either to use IPs, or to put any critical names in
- /etc/hosts. We plan to implement periodic DNS retry to help with this.
-<BR> Names are resolved at FreeS/WAN startup, or when the policies are
- reloaded. Unfortunately, name lookup can hold up the startup process.
- If you have fast DNS servers, the problem may be less severe.</LI>
-</UL>
-<A HREF="example3"></A>
-<H3><A NAME="4_2_3">Example 3: Creating a Simple IPsec VPN with the<VAR>
- private</VAR> Group</A></H3>
-<P>You can create an IPsec VPN between several hosts, with only one line
- of configuration per host, using the<VAR> private</VAR> policy group.</P>
-<P>First, use our<A HREF="quickstart.html"> quickstart guide</A> to set
- up each participating host with a FreeS/WAN install and OE.</P>
-<P>In one host's<VAR> /etc/ipsec.d/policies/private</VAR>, list the
- peers to which you wish to protect traffic. For example:</P>
-<PRE>    [root@xy root]# cd /etc/ipsec.d/policies
-    [root@xy policies]# cat private
-        192.0.2.9              # several hosts at example.com
-        192.0.2.11             
-        192.0.2.12                 
-        irc.private.example.com 
-</PRE>
-<P>Copy the<VAR> private</VAR> file to each host. Remove the local host,
- and add the initial host.</P>
-<PRE>    scp2 /etc/ipsec.d/policies/private root@192.0.2.12:/etc/ipsec.d/policies/private</PRE>
-<P>On each host, reread the policy groups with</P>
-<PRE>    ipsec auto --rereadgroups</PRE>
-<P>That's it! You're configured.</P>
-<P>Test by pinging between two hosts. After a second or two, traffic
- should flow, and</P>
-<PRE>    ipsec eroute</PRE>
-<P>should yield something like</P>
-<PRE>    192.0.2.11/32   -&gt; 192.0.2.8/32  =&gt; tun0x149f@192.0.2.8</PRE>
-<P>where your host IPs are substituted for 192.0.2.11 and 192.0.2.8.</P>
-<P>If traffic does not flow, there may be an error in your OE setup.
- Revisit our<A HREF="quickstart.html"> quickstart guide</A>.</P>
-<P>Our next two examples show you how to add subnets to this IPsec VPN.</P>
-<A NAME="example4"></A>
-<H3><A NAME="4_2_4">Example 4: New Policy Groups to Protect a Subnet</A></H3>
-<P>To protect traffic to a subnet behind your FreeS/WAN gateway, you'll
- need additional DNS records, and new policy groups. To set up the DNS,
- see our<A HREF="quickstart.html#opp.gate"> quickstart guide</A>. To
- create five new policy groups for your subnet, copy these connections
- to<VAR> /etc/ipsec.conf</VAR>. Substitute your subnet's IPs for
- 192.0.2.128/29.</P>
-<PRE>
-conn private-net
-    also=private  # inherits settings (eg. auto=start) from built in conn
-    leftsubnet=192.0.2.128/29  # your subnet's IPs here
-
-conn private-or-clear-net
-    also=private-or-clear
-    leftsubnet=192.0.2.128/29
-
-conn clear-or-private-net
-    also=clear-or-private
-    leftsubnet=192.0.2.128/29
-
-conn clear-net
-    also=clear
-    leftsubnet=192.0.2.128/29
-
-conn block-net
-    also=block
-    leftsubnet=192.0.2.128/29
-</PRE>
-<P>Copy the gateway's files to serve as the initial policy group files
- for the new groups:</P>
-<PRE>
-    cp -p /etc/ipsec.d/policies/private /etc/ipsec.d/policies/private-net
-    cp -p /etc/ipsec.d/policies/private-or-clear /etc/ipsec.d/policies/private-or-clear-net
-    cp -p /etc/ipsec.d/policies/clear-or-private /etc/ipsec.d/policies/clear-or-private-net
-    cp -p /etc/ipsec.d/policies/clear /etc/ipsec.d/policies/clear-net
-    cp -p /etc/ipsec.d/policies/block /etc/ipsec.d/policies/block
-</PRE>
-<P><STRONG>Tip: Since a missing policy group file is equivalent to a
- file with no entries, you need only create files for the connections
- you'll use.</STRONG></P>
-<P>To test one of your new groups, place the fullnet 0.0.0.0/0 in<VAR>
- private-or-clear-net</VAR>. Perform the subnet test in<A HREF="quickstart.html#opp.test">
- our quickstart guide</A>. You should see a connection, and</P>
-<PRE>    ipsec eroute</PRE>
-<P>should include an entry which mentions the subnet node's IP and the
- OE test site IP, like this:</P>
-<PRE>    192.0.2.131/32   -&gt; 192.139.46.77/32  =&gt; tun0x149f@192.0.2.11</PRE>
-<A HREF="example5"></A>
-<H3><A NAME="4_2_5">Example 5: Adding a Subnet to the VPN</A></H3>
-<P>Suppose you wish to secure traffic to a subnet 192.0.2.192/29 behind
- a FreeS/WAN box 192.0.2.12.</P>
-<P>First, add DNS entries to configure 192.0.2.12 as an opportunistic
- gateway for that subnet. Instructions are in our<A HREF="quickstart.html#opp.gate">
- quickstart guide</A>. Next, create a<VAR> private-net</VAR> group on
- 192.0.2.12 as described in<A HREF="#example4"> Example 4</A>.</P>
-<P>On each other host, add the subnet 192.0.2.192/29 to<VAR> private</VAR>
-, yielding for example</P>
-<PRE>    [root@xy root]# cd /etc/ipsec.d/policies
-    [root@xy policies]# cat private
-        192.0.2.9              # several hosts at example.com
-        192.0.2.11
-        192.0.2.12             # HR department gateway
-        192.0.2.192/29         # HR subnet
-        irc.private.example.com
-</PRE>
-<P>and reread policy groups with</P>
-<PRE>    ipsec auto --rereadgroups</PRE>
-<P>That's all the configuration you need.</P>
-<P>Test your VPN by pinging from a machine on 192.0.2.192/29 to any
- other host:</P>
-<PRE>    [root@192.0.2.194]# ping 192.0.2.11</PRE>
-<P>After a second or two, traffic should flow, and</P>
-<PRE>    ipsec eroute</PRE>
-<P>should yield something like</P>
-<PRE>    192.0.2.11/32   -&gt; 192.0.2.194/32  =&gt; tun0x149f@192.0.2.12
-</PRE>
-<P>Key:</P>
-<TABLE>
-<TR><TD>1.</TD><TD>192.0.2.11/32</TD><TD>Local start point of the
- protected traffic.</TD></TR>
-<TR><TD>2.</TD><TD>192.0.2.194/32</TD><TD>Remote end point of the
- protected traffic.</TD></TR>
-<TR><TD>3.</TD><TD>192.0.2.12</TD><TD>Remote FreeS/WAN node (gateway or
- host). May be the same as (2).</TD></TR>
-<TR><TD>4.</TD><TD>[not shown]</TD><TD>Local FreeS/WAN node (gateway or
- host), where you've produced the output. May be the same as (1).</TD></TR>
-</TABLE>
-<P>For additional assurance, you can verify with a packet sniffer that
- the traffic is being encrypted.</P>
-<P>Note</P>
-<UL>
-<LI>Because strangers may also connect via OE, this type of VPN may
- require a stricter firewalling policy than a conventional VPN.</LI>
-</UL>
-<H2><A NAME="4_3">Appendix</A></H2>
-<A NAME="hiddenconn"></A>
-<H3><A NAME="4_3_1">Our Hidden Connections</A></H3>
-<P>Our Base Policy Groups are created using hidden connections. These
- are spelled out in<A HREF="manpage.d/ipsec.conf.5.html"> man ipsec.conf</A>
- and defined in<VAR> /usr/local/lib/ipsec/_confread</VAR>.</P>
-<A NAME="custom_policygroups"></A>
-<H3><A NAME="4_3_2">Custom Policy Groups</A></H3>
-<P>A policy group is built using a special connection description in<VAR>
- ipsec.conf</VAR>, which:</P>
-<UL>
-<LI>is<STRONG> generic</STRONG>. It uses<VAR>
- right=[%group|%opportunisticgroup]</VAR> rather than specific IPs. The
- connection is cloned for every name or IP range listed in its Policy
- Group file.</LI>
-<LI>often has a<STRONG> failure rule</STRONG>. This rule, written<VAR>
- failureshunt=[passthrough|drop|reject|none]</VAR>, tells FreeS/WAN what
- to do with packets for these CIDRs if it fails to establish the
- connection. Default is<VAR> none</VAR>.</LI>
-</UL>
-<P>To create a new group:</P>
-<OL>
-<LI>Create its connection definition in<VAR> ipsec.conf</VAR>.</LI>
-<LI>Create a Policy Group file in<VAR> /etc/ipsec.d/policies</VAR> with
- the same name as your connection.</LI>
-<LI>Put a CIDR block in that file.</LI>
-<LI>Reread groups with<VAR> ipsec auto --rereadgroups</VAR>.</LI>
-<LI>Test:<VAR> ping</VAR> to activate any OE connection, and view
- results with<VAR> ipsec eroute</VAR>.</LI>
-</OL>
-<A NAME="disable_oe"></A><A NAME="disable_policygroups"></A>
-<H3><A NAME="4_3_3">Disabling Opportunistic Encryption</A></H3>
-<P>To disable OE (eg. policy groups and packetdefault), cut and paste
- the following lines to<VAR> /etc/ipsec.conf</VAR>:</P>
-<PRE>conn block
-    auto=ignore
-
-conn private
-    auto=ignore
-
-conn private-or-clear
-    auto=ignore
-
-conn clear-or-private
-    auto=ignore
-
-conn clear
-    auto=ignore
-
-conn packetdefault
-    auto=ignore</PRE>
-<P>Restart FreeS/WAN so that the changes take effect:</P>
-<PRE>    ipsec setup restart</PRE>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="quickstart.html">Previous</A>
-<A HREF="faq.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/politics.html b/doc/politics.html
deleted file mode 100644
index 5dd1e9f96..000000000
--- a/doc/politics.html
+++ /dev/null
@@ -1,1231 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="umltesting.html">Previous</A>
-<A HREF="ipsec.html">Next</A>
-<HR>
-<H1><A name="politics">History and politics of cryptography</A></H1>
-<P>Cryptography has a long and interesting history, and has been the
- subject of considerable political controversy.</P>
-<H2><A name="intro.politics">Introduction</A></H2>
-<H3><A NAME="26_1_1">History</A></H3>
-<P>The classic book on the history of cryptography is David Kahn's<A href="biblio.html#Kahn">
- The Codebreakers</A>. It traces codes and codebreaking from ancient
- Egypt to the 20th century.</P>
-<P>Diffie and Landau<A href="biblio.html#diffie"> Privacy on the Line:
- The Politics of Wiretapping and Encryption</A> covers the history from
- the First World War to the 1990s, with an emphasis on the US.</P>
-<H4>World War II</H4>
-<P>During the Second World War, the British &quot;Ultra&quot; project achieved one
- of the greatest intelligence triumphs in the history of warfare,
- breaking many Axis codes. One major target was the Enigma cipher
- machine, a German device whose users were convinced it was unbreakable.
- The American &quot;Magic&quot; project had some similar triumphs against Japanese
- codes.</P>
-<P>There are many books on this period. See our bibliography for
- several. Two I particularly like are:</P>
-<UL>
-<LI>Andrew Hodges has done a superb<A href="http://www.turing.org.uk/book/">
- biography</A> of Alan Turing, a key player among the Ultra
- codebreakers. Turing was also an important computer pioneer. The terms<A
-href="http://www.abelard.org/turpap/turpap.htm"> Turing test</A> and<A href="http://plato.stanford.edu/entries/turing-machine/">
- Turing machine</A> are named for him, as is the<A href="http://www.acm.org">
- ACM</A>'s highest technical<A href="http://www.acm.org/awards/taward.html">
- award</A>.</LI>
-<LI>Neal Stephenson's<A href="biblio.html#neal"> Cryptonomicon</A> is a
- novel with cryptography central to the plot. Parts of it take place
- during WW II, other parts today.</LI>
-</UL>
-<P>Bletchley Park, where much of the Ultra work was done, now has a
- museum and a<A href="http://www.bletchleypark.org.uk/"> web site</A>.</P>
-<P>The Ultra work introduced three major innovations.</P>
-<UL>
-<LI>The first break of Enigma was achieved by Polish Intelligence in
- 1931. Until then most code-breakers had been linguists, but a different
- approach was needed to break machine ciphers. Polish Intelligence
- recruited bright young mathematicians to crack the &quot;unbreakable&quot;
- Enigma. When war came in 1939, the Poles told their allies about this,
- putting Britain on the road to Ultra. The British also adopted a
- mathematical approach.</LI>
-<LI>Machines were extensively used in the attacks. First the Polish
- &quot;Bombe&quot; for attacking Enigma, then British versions of it, then
- machines such as Collosus for attacking other codes. By the end of the
- war, some of these machines were beginning to closely resemble digital
- computers. After the war, a team at Manchester University, several old
- Ultra hands included, built one of the world's first actual
- general-purpose digital computers.</LI>
-<LI>Ultra made codebreaking a large-scale enterprise, producing
- intelligence on an industrial scale. This was not a &quot;black chamber&quot;,
- not a hidden room in some obscure government building with a small crew
- of code-breakers. The whole operation -- from wholesale interception of
- enemy communications by stations around the world, through large-scale
- code-breaking and analysis of the decrypted material (with an enormous
- set of files for cross-referencing), to delivery of intelligence to
- field commanders -- was huge, and very carefully managed.</LI>
-</UL>
-<P>So by the end of the war, Allied code-breakers were expert at
- large-scale mechanised code-breaking. The payoffs were enormous.</P>
-<H4><A name="postwar">Postwar and Cold War</A></H4>
-<P>The wartime innovations were enthusiastically adopted by post-war and
- Cold War signals intelligence agencies. Presumably many nations now
- have some agency capable of sophisticated attacks on communications
- security, and quite a few engage in such activity on a large scale.</P>
-<P>America's<A href="glossary.html#NSA"> NSA</A>, for example, is said
- to be both the world's largest employer of mathematicians and the
- world's largest purchaser of computer equipment. Such claims may be
- somewhat exaggerated, but beyond doubt the NSA -- and similar agencies
- in other countries -- have some excellent mathematicians, lots of
- powerful computers, sophisticated software, and the organisation and
- funding to apply them on a large scale. Details of the NSA budget are
- secret, but there are some published<A href="http://www.fas.org/irp/nsa/nsabudget.html">
- estimates</A>.</P>
-<P>Changes in the world's communications systems since WW II have
- provided these agencies with new targets. Cracking the codes used on an
- enemy's military or diplomatic communications has been common practice
- for centuries. Extensive use of radio in war made large-scale attacks
- such as Ultra possible. Modern communications make it possible to go
- far beyond that. Consider listening in on cell phones, or intercepting
- electronic mail, or tapping into the huge volumes of data on new media
- such as fiber optics or satellite links. None of these targets existed
- in 1950. All of them can be attacked today, and almost certainly are
- being attacked.</P>
-<P>The Ultra story was not made public until the 1970s. Much of the
- recent history of codes and code-breaking has not been made public, and
- some of it may never be. Two important books are:</P>
-<UL>
-<LI>Bamford's<A href="biblio.html#puzzle"> The Puzzle Palace</A>, a
- history of the NSA</LI>
-<LI>Hager's<A href="http://www.fas.org/irp/eprint/sp/index.html"> Secret
- Power</A>, about the<A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
- Echelon</A> system -- the US, UK, Canada, Australia and New Zealand
- co-operating to monitor much of the world's communications.</LI>
-</UL>
-<P>Note that these books cover only part of what is actually going on,
- and then only the activities of nations open and democratic enough that
- (some of) what they are doing can be discovered. A full picture,
- including:</P>
-<UL>
-<LI>actions of the English-speaking democracies not covered in those
- books</LI>
-<LI>actions of other more-or-less sane governments</LI>
-<LI>the activities of various more-or-less insane governments</LI>
-<LI>possibilities for unauthorized action by government employees</LI>
-<LI>possible actions by large non-government organisations:
- corporations, criminals, or conspiracies</LI>
-</UL>
-<P>might be really frightening.</P>
-<H4><A name="recent">Recent history -- the crypto wars</A></H4>
-<P>Until quite recently, cryptography was primarily a concern of
- governments, especially of the military, of spies, and of diplomats.
- Much of it was extremely secret.</P>
-<P>In recent years, that has changed a great deal. With computers and
- networking becoming ubiquitous, cryptography is now important to almost
- everyone. Among the developments since the 1970s:</P>
-<UL>
-<LI>The US gov't established the Data Encryption Standard,<A href="glossary.html#DES">
- DES</A>, a<A href="glossary.html#block"> block cipher</A> for
- cryptographic protection of unclassfied documents.</LI>
-<LI>DES also became widely used in industry, especially regulated
- industries such as banking.</LI>
-<LI>Other nations produced their own standards, such as<A href="glossary.html#GOST">
- GOST</A> in the Soviet Union.</LI>
-<LI><A href="glossary.html#public">Public key</A> cryptography was
- invented by Diffie and Hellman.</LI>
-<LI>Academic conferences such as<A href="http://www-cse.ucsd.edu/users/mihir/crypto2k.html">
- Crypto</A> and<A href="http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/">
- Eurocrypt</A> began.</LI>
-<LI>Several companies began offerring cryptographic products:<A href="glossary.html#RSAco">
- RSA</A>,<A href="glossary.html#PGPI"> PGP</A>, the many vendors with<A href="glossary.html#PKI">
- PKI</A> products, ...</LI>
-<LI>Cryptography appeared in other products: operating systems, word
- processors, ...</LI>
-<LI>Network protocols based on crypto were developed:<A href="glossary.html#SSH">
- SSH</A>,<A href="glossary.html#SSL"> SSL</A>,<A href="glossary.html#IPsec">
- IPsec</A>, ...</LI>
-<LI>Crytography came into widespread use to secure bank cards,
- terminals, ...</LI>
-<LI>The US government replaced<A href="glossary.html#DES"> DES</A> with
- the much stronger Advanced Encryption Standard,<A href="glossary.html#AES">
- AES</A></LI>
-</UL>
-<P>This has led to a complex ongoing battle between various mainly
- government groups wanting to control the spread of crypto and various
- others, notably the computer industry and the<A href="http://online.offshore.com.ai/security/">
- cypherpunk</A> crypto advocates, wanting to encourage widespread use.</P>
-<P>Steven Levy has written a fine history of much of this, called<A href="biblio.html#crypto">
- Crypto: How the Code rebels Beat the Government -- Saving Privacy in
- the Digital Age</A>.</P>
-<P>The FreeS/WAN project is to a large extent an outgrowth of cypherpunk
- ideas. Our reasons for doing the project can be seen in these quotes
- from the<A href="http://www.eff.org/pub/Privacy/Crypto_misc/cypherpunk.manifesto">
- Cypherpunk Manifesto</A>:</P>
-<BLOCKQUOTE> Privacy is necessary for an open society in the electronic
- age. ...
-<P>We cannot expect governments, corporations, or other large, faceless
- organizations to grant us privacy out of their beneficence. It is to
- their advantage to speak of us, and we should expect that they will
- speak. ...</P>
-<P>We must defend our own privacy if we expect to have any. ...</P>
-<P>Cypherpunks write code. We know that someone has to write software to
- defend privacy, and since we can't get privacy unless we all do, we're
- going to write it. We publish our code so that our fellow Cypherpunks
- may practice and play with it. Our code is free for all to use,
- worldwide. We don't much care if you don't approve of the software we
- write. We know that software can't be destroyed and that a widely
- dispersed system can't be shut down.</P>
-<P>Cypherpunks deplore regulations on cryptography, for encryption is
- fundamentally a private act. ...</P>
-<P>For privacy to be widespread it must be part of a social contract.
- People must come and together deploy these systems for the common good.
- ...</P>
-</BLOCKQUOTE>
-<P>To quote project leader John Gilmore:</P>
-<BLOCKQUOTE> We are literally in a race between our ability to build and
- deploy technology, and their ability to build and deploy laws and
- treaties. Neither side is likely to back down or wise up until it has
- definitively lost the race.</BLOCKQUOTE>
-<P>If FreeS/WAN reaches its goal of making<A href="intro.html#opp.intro">
- opportunistic encryption</A> widespread so that secure communication
- can become the default for a large part of the net, we will have struck
- a major blow.</P>
-<H3><A name="intro.poli">Politics</A></H3>
-<P>The political problem is that nearly all governments want to monitor
- their enemies' communications, and some want to monitor their citizens.
- They may be very interested in protecting some of their own
- communications, and often some types of business communication, but not
- in having everyone able to communicate securely. They therefore attempt
- to restrict availability of strong cryptography as much as possible.</P>
-<P>Things various governments have tried or are trying include:</P>
-<UL>
-<LI>Echelon, a monitor-the-world project of the US, UK, NZ, Australian
- and Canadian<A href="glossary.html#SIGINT"> signals intelligence</A>
- agencies. See this<A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
- collection</A> of links and this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640682,00.html">
- story</A> on the French Parliament's reaction.</LI>
-<LI>Others governments may well have their own Echelon-like projects. To
- quote the Dutch Minister of Defense, as reported in a German<A href="http://www.heise.de/tp/english/inhalt/te/4729/1.html">
- magazine</A>:<BLOCKQUOTE> The government believes not only the
- governments associated with Echelon are able to intercept communication
- systems, but that it is an activity of the investigative authorities
- and intelligence services of many countries with governments of
- different political signature.</BLOCKQUOTE> Even if they have nothing
- on the scale of Echelon, most intelligence agencies and police forces
- certainly have some interception capability.</LI>
-<LI><A href="glossary.html#NSA">NSA</A> tapping of submarine
- communication cables, described in<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2764372,00.html">
- this article</A></LI>
-<LI>A proposal for international co-operation on<A href="http://www.heise.de/tp/english/special/enfo/4306/1.html">
- Internet surveillance</A>.</LI>
-<LI>Alleged<A href="http://cryptome.org/nsa-sabotage.htm"> sabotage</A>
- of security products by the<A href="glossary.html#NSA"> NSA</A> (the US
- signals intelligence agency).</LI>
-<LI>The German armed forces and some government departments will stop
- using American software for fear of NSA &quot;back doors&quot;, according to this<A
-href="http://www.theregister.co.uk/content/4/17679.html"> news story</A>
-.</LI>
-<LI>The British Regulation of Investigatory Powers bill. See this<A href="http://www.fipr.org/rip/index.html">
- web page.</A> and perhaps this<A href="http://ars.userfriendly.org/cartoons/?id=20000806&amp;mode=classic">
- cartoon</A>.</LI>
-<LI>A Russian<A href="http://www.eff.org/pub/Privacy/Foreign_and_local/Russia/russian_crypto_ban_english.edict">
- ban</A> on cryptography</LI>
-<LI>Chinese<A href="http://www.eff.org/pub/Misc/Publications/Declan_McCullagh/www/global/china">
- controls</A> on net use.</LI>
-<LI>The FBI's carnivore system for covert searches of email. See this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2601502,00.html">
- news coverage</A> and this<A href="http://www.crypto.com/papers/carnivore-risks.html">
- risk assessment</A>. The government had an external review of some
- aspects of this system done. See this<A href="http://www.crypto.com/papers/carnivore_report_comments.html">
- analysis</A> of that review. Possible defenses against Carnivore
- include:
-<UL>
-<LI><A href="glossary.html#PGP">PGP</A> for end-to-end mail encryption</LI>
-<LI><A href="http://www.home.aone.net.au/qualcomm/">secure sendmail</A>
- for server-to-server encryption</LI>
-<LI>IPsec encryption on the underlying IP network</LI>
-</UL>
-</LI>
-<LI>export laws restricting strong cryptography as a munition. See<A href="#exlaw">
- discussion</A> below.</LI>
-<LI>various attempts to convince people that fundamentally flawed
- cryptography, such as encryption with a<A href="#escrow"> back door</A>
- for government access to data or with<A href="#shortkeys"> inadequate
- key lengths</A>, was adequate for their needs.</LI>
-</UL>
-<P>Of course governments are by no means the only threat to privacy and
- security on the net. Other threats include:</P>
-<UL>
-<LI>industrial espionage, as for example in this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2626931,00.html">
- news story</A></LI>
-<LI>attacks by organised criminals, as in this<A href="http://www.sans.org/newlook/alerts/NTE-bank.htm">
- large-scale attack</A></LI>
-<LI>collection of personal data by various companies.
-<UL>
-<LI>for example, consider the various corporate winners of Privacy
- International's<A href="http://www.privacyinternational.org/bigbrother/">
- Big Brother Awards</A>.</LI>
-<LI><A href="http://www.zeroknowledge.com">Zero Knowledge</A> sell tools
- to defend against this</LI>
-</UL>
-</LI>
-<LI>individuals may also be a threat in a variety of ways and for a
- variety of reasons</LI>
-<LI>in particular, an individual with access to government or industry
- data collections could do considerable damage using that data in
- unauthorized ways.</LI>
-</UL>
-<P>One<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640674,00.html">
- study</A> enumerates threats and possible responses for small and
- medium businesses. VPNs are a key part of the suggested strategy.</P>
-<P>We consider privacy a human right. See the UN's<A href="http://www.un.org/Overview/rights.html">
- Universal Declaration of Human Rights</A>, article twelve:</P>
-<BLOCKQUOTE> No one shall be subjected to arbitrary interference with
- his privacy, family, home or correspondence, nor to attacks upon his
- honor and reputation. Everyone has the right to the protection of the
- law against such interference or attacks.</BLOCKQUOTE>
-<P>Our objective is to help make privacy possible on the Internet using
- cryptography strong enough not even those well-funded government
- agencies are likely to break it. If we can do that, the chances of
- anyone else breaking it are negliible.</P>
-<H3><A NAME="26_1_3">Links</A></H3>
-<P>Many groups are working in different ways to defend privacy on the
- net and elsewhere. Please consider contributing to one or more of these
- groups:</P>
-<UL>
-<LI>the EFF's<A href="http://www.eff.org/crypto/"> Privacy Now!</A>
- campaign</LI>
-<LI>the<A href="http://www.gilc.org"> Global Internet Liberty Campaign</A>
-</LI>
-<LI><A href="http://www.cpsr.org/program/privacy/privacy.html">Computer
- Professionals for Social Responsibility</A></LI>
-</UL>
-<P>For more on these issues see:</P>
-<UL>
-<LI>Steven Levy (Newsweek's chief technology writer and author of the
- classic &quot;Hackers&quot;) new book<A href="biblio.html#crypto"> Crypto: How
- the Code Rebels Beat the Government--Saving Privacy in the Digital Age</A>
-</LI>
-<LI>Simson Garfinkel (Boston Globe columnist and author of books on<A href="biblio.html#PGP">
- PGP</A> and<A href="biblio.html#practical"> Unix Security</A>) book<A href="biblio.html#Garfinkel">
- Database Nation: the death of privacy in the 21st century</A></LI>
-</UL>
-<P>There are several collections of<A href="web.html#quotes"> crypto
- quotes</A> on the net.</P>
-<P>See also the<A href="biblio.html"> bibliography</A> and our list of<A href="web.html#policy">
- web references</A> on cryptography law and policy.</P>
-<H3><A NAME="26_1_4">Outline of this section</A></H3>
-<P>The remainder of this section includes two pieces of writing by our
- project leader</P>
-<UL>
-<LI>his<A href="#gilmore"> rationale</A> for starting this</LI>
-<LI>another<A href="#policestate"> discussion</A> of project goals</LI>
-</UL>
-<P>and discussions of:</P>
-<UL>
-<LI><A href="#desnotsecure">why we do not use DES</A></LI>
-<LI><A href="#exlaw">cryptography export laws</A></LI>
-<LI>why<A href="#escrow"> government access to keys</A> is not a good
- idea</LI>
-<LI>the myth that<A href="#shortkeys"> short keys</A> are adequate for
- some security requirements</LI>
-</UL>
-<P>and a section on<A href="#press"> press coverage of FreeS/WAN</A>.</P>
-<H2><A name="leader">From our project leader</A></H2>
-<P>FreeS/WAN project founder John Gilmore wrote a web page about why we
- are doing this. The version below is slightly edited, to fit this
- format and to update some links. For a version without these edits, see
- his<A href="http://www.toad.com/gnu/"> home page</A>.</P>
-<CENTER>
-<H3><A name="gilmore">Swan: Securing the Internet against Wiretapping</A>
-</H3>
-</CENTER>
-<P>My project for 1996 was to<B> secure 5% of the Internet traffic
- against passive wiretapping</B>. It didn't happen in 1996, so I'm still
- working on it in 1997, 1998, and 1999! If we get 5% in 1999 or 2000, we
- can secure 20% the next year, against both active and passive attacks;
- and 80% the following year. Soon the whole Internet will be private and
- secure. The project is called S/WAN or S/Wan or Swan for Secure Wide
- Area Network; since it's free software, we call it FreeSwan to
- distinguish it from various commercial implementations.<A href="http://www.rsa.com/rsa/SWAN/">
- RSA</A> came up with the term &quot;S/WAN&quot;. Our main web site is at<A href="http://www.freeswan.org/">
- http://www.freeswan.org/</A>. Want to help?</P>
-<P>The idea is to deploy PC-based boxes that will sit between your local
- area network and the Internet (near your firewall or router) which
- opportunistically encrypt your Internet packets. Whenever you talk to a
- machine (like a Web site) that doesn't support encryption, your traffic
- goes out &quot;in the clear&quot; as usual. Whenever you connect to a machine
- that does support this kind of encryption, this box automatically
- encrypts all your packets, and decrypts the ones that come in. In
- effect, each packet gets put into an &quot;envelope&quot; on one side of the net,
- and removed from the envelope when it reaches its destination. This
- works for all kinds of Internet traffic, including Web access, Telnet,
- FTP, email, IRC, Usenet, etc.</P>
-<P>The encryption boxes are standard PC's that use freely available
- Linux software that you can download over the Internet or install from
- a cheap CDROM.</P>
-<P>This wasn't just my idea; lots of people have been working on it for
- years. The encryption protocols for these boxes are called<A href="glossary.html#IPsec">
- IPSEC (IP Security)</A>. They have been developed by the<A href="http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html">
- IP Security Working Group</A> of the<A href="http://www.ietf.org/">
- Internet Engineering Task Force</A>, and will be a standard part of the
- next major version of the Internet protocols (<A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
-IPv6</A>). For today's (IP version 4) Internet, they are an option.</P>
-<P>The<A href="http://www.iab.org/iab"> Internet Architecture Board</A>
- and<A href="http://www.ietf.org/"> Internet Engineering Steering Group</A>
- have taken a<A href="iab-iesg.stmt"> strong stand</A> that the Internet
- should use powerful encryption to provide security and privacy. I think
- these protocols are the best chance to do that, because they can be
- deployed very easily, without changing your hardware or software or
- retraining your users. They offer the best security we know how to
- build, using the Triple-DES, RSA, and Diffie-Hellman algorithms.</P>
-<P>This &quot;opportunistic encryption box&quot; offers the &quot;fax effect&quot;. As each
- person installs one for their own use, it becomes more valuable for
- their neighbors to install one too, because there's one more person to
- use it with. The software automatically notices each newly installed
- box, and doesn't require a network administrator to reconfigure it.
- Instead of &quot;virtual private networks&quot; we have a &quot;REAL private network&quot;;
- we add privacy to the real network instead of layering a
- manually-maintained virtual network on top of an insecure Internet.</P>
-<H4>Deployment of IPSEC</H4>
-<P>The US government would like to control the deployment of IP Security
- with its<A href="#exlaw"> crypto export laws</A>. This isn't a problem
- for my effort, because the cryptographic work is happening outside the
- United States. A foreign philanthropist, and others, have donated the
- resources required to add these protocols to the Linux operating
- system.<A href="http://www.linux.org/"> Linux</A> is a complete, freely
- available operating system for IBM PC's and several kinds of
- workstation, which is compatible with Unix. It was written by Linus
- Torvalds, and is still maintained by a talented team of expert
- programmers working all over the world and coordinating over the
- Internet. Linux is distributed under the<A href="glossary.html#GPL">
- GNU Public License</A>, which gives everyone the right to copy it,
- improve it, give it to their friends, sell it commercially, or do just
- about anything else with it, without paying anyone for the privilege.</P>
-<P>Organizations that want to secure their network will be able to put
- two Ethernet cards into an IBM PC, install Linux on it from a $30 CDROM
- or by downloading it over the net, and plug it in between their
- Ethernet and their Internet link or firewall. That's all they'll have
- to do to encrypt their Internet traffic everywhere outside their own
- local area network.</P>
-<P>Travelers will be able to run Linux on their laptops, to secure their
- connection back to their home network (and to everywhere else that they
- connect to, such as customer sites). Anyone who runs Linux on a
- standalone PC will also be able to secure their network connections,
- without changing their application software or how they operate their
- computer from day to day.</P>
-<P>There will also be numerous commercially available firewalls that use
- this technology.<A href="http://www.rsa.com/"> RSA Data Security</A> is
- coordinating the<A href="http://www.rsa.com/rsa/SWAN"> S/Wan (Secure
- Wide Area Network)</A> project among more than a dozen vendors who use
- these protocols. There's a<A href="http://www.rsa.com/rsa/SWAN/swan_test.htm">
- compatability chart</A> that shows which vendors have tested their
- boxes against which other vendors to guarantee interoperatility.</P>
-<P>Eventually it will also move into the operating systems and
- networking protocol stacks of major vendors. This will probably take
- longer, because those vendors will have to figure out what they want to
- do about the export controls.</P>
-<H4>Current status</H4>
-<P>My initial goal of securing 5% of the net by Christmas '96 was not
- met. It was an ambitious goal, and inspired me and others to work hard,
- but was ultimately too ambitious. The protocols were in an early stage
- of development, and needed a lot more protocol design before they could
- be implemented. As of April 1999, we have released version 1.0 of the
- software (<A href="ftp://ftp.xs4all.nl/freeswan/freeswan-1.0.tar.gz">
-freeswan-1.0.tar.gz</A>), which is suitable for setting up Virtual
- Private Networks using shared secrets for authentication. It does not
- yet do opportunistic encryption, or use DNSSEC for authentication;
- those features are coming in a future release.</P>
-<DL>
-<DT>Protocols</DT>
-<DD>The low-level encrypted packet formats are defined. The system for
- publishing keys and providing secure domain name service is defined.
- The IP Security working group has settled on an NSA-sponsored protocol
- for key agreement (called ISAKMP/Oakley), but it is still being worked
- on, as the protocol and its documentation is too complex and
- incomplete. There are prototype implementations of ISAKMP. The protocol
- is not yet defined to enable opportunistic encryption or the use of
- DNSSEC keys.</DD>
-<DT>Linux Implementation</DT>
-<DD>The Linux implementation has reached its first major release and is
- ready for production use in manually-configured networks, using Linux
- kernel version 2.0.36.</DD>
-<DT>Domain Name System Security</DT>
-<DD>There is now a release of BIND 8.2 that includes most DNS Security
- features.
-<P>The first prototype implementation of Domain Name System Security was
- funded by<A href="glossary.html#DARPA"> DARPA</A> as part of their<A href="http://www.darpa.mil/ito/research/is/index.html">
- Information Survivability program</A>.<A href="http://www.tis.com">
- Trusted Information Systems</A> wrote a modified version of<A href="http://www.isc.org/bind.html">
- BIND</A>, the widely-used Berkeley implementation of the Domain Name
- System.</P>
-<P>TIS, ISC, and I merged the prototype into the standard version of
- BIND. The first production version that supports KEY and SIG records is<B>
- bind-4.9.5</B>. This or any later version of BIND will do for
- publishing keys. It is available from the<A href="http://www.isc.org/bind.html">
- Internet Software Consortium</A>. This version of BIND is not
- export-controlled since it does not contain any cryptography. Later
- releases starting with BIND 8.2 include cryptography for authenticating
- DNS records, which is also exportable. Better documentation is needed.</P>
-</DD>
-</DL>
-<H4>Why?</H4>
-<P>Because I can. I have made enough money from several successful
- startup companies, that for a while I don't have to work to support
- myself. I spend my energies and money creating the kind of world that
- I'd like to live in and that I'd like my (future) kids to live in.
- Keeping and improving on the civil rights we have in the United States,
- as we move more of our lives into cyberspace, is a particular goal of
- mine.</P>
-<H4>What You Can Do</H4>
-<DL>
-<DT>Install the latest BIND at your site.</DT>
-<DD>You won't be able to publish any keys for your domain, until you
- have upgraded your copy of BIND. The thing you really need from it is
- the new version of<I> named</I>, the Name Daemon, which knows about the
- new KEY and SIG record types. So, download it from the<A href="http://www.isc.org/bind.html">
- Internet Software Consortium</A> and install it on your name server
- machine (or get your system administrator, or Internet Service
- Provider, to install it). Both your primary DNS site and all of your
- secondary DNS sites will need the new release before you will be able
- to publish your keys. You can tell which sites this is by running the
- Unix command &quot;dig MYDOMAIN ns&quot; and seeing which sites are mentioned in
- your NS (name server) records.</DD>
-<DT>Set up a Linux system and run a 2.0.x kernel on it</DT>
-<DD>Get a machine running Linux (say the 5.2 release from<A href="http://www.redhat.com">
- Red Hat</A>). Give the machine two Ethernet cards.</DD>
-<DT>Install the Linux IPSEC (Freeswan) software</DT>
-<DD>If you're an experienced sysadmin or Linux hacker, install the
- freeswan-1.0 release, or any later release or snapshot. These releases
- do NOT provide automated &quot;opportunistic&quot; operation; they must be
- manually configured for each site you wish to encrypt with.</DD>
-<DT>Get on the linux-ipsec mailing list</DT>
-<DD>The discussion forum for people working on the project, and testing
- the code and documentation, is: linux-ipsec@clinet.fi. To join this
- mailing list, send email to<A href="mailto:linux-ipsec-REQUEST@clinet.fi">
- linux-ipsec-REQUEST@clinet.fi</A> containing a line of text that says
- &quot;subscribe linux-ipsec&quot;. (You can later get off the mailing list the
- same way -- just send &quot;unsubscribe linux-ipsec&quot;).</DD>
-<P></P>
-<DT>Check back at this web page every once in a while</DT>
-<DD>I update this page periodically, and there may be new information in
- it that you haven't seen. My intent is to send email to the mailing
- list when I update the page in any significant way, so subscribing to
- the list is an alternative.</DD>
-</DL>
-<P>Would you like to help? I can use people who are willing to write
- documentation, install early releases for testing, write cryptographic
- code outside the United States, sell pre-packaged software or systems
- including this technology, and teach classes for network administrators
- who want to install this technology. To offer to help, send me email at
- gnu@toad.com. Tell me what country you live in and what your
- citizenship is (it matters due to the export control laws; personally I
- don't care). Include a copy of your resume and the URL of your home
- page. Describe what you'd like to do for the project, and what you're
- uniquely qualified for. Mention what other volunteer projects you've
- been involved in (and how they worked out). Helping out will require
- that you be able to commit to doing particular things, meet your
- commitments, and be responsive by email. Volunteer projects just don't
- work without those things.</P>
-<H4>Related projects</H4>
-<DL>
-<DT>IPSEC for NetBSD</DT>
-<DD>This prototype implementation of the IP Security protocols is for
- another free operating system.<A href="ftp://ftp.funet.fi/pub/unix/security/net/ip/BSDipsec.tar.gz">
- Download BSDipsec.tar.gz</A>.</DD>
-<DT>IPSEC for<A href="http://www.openbsd.org"> OpenBSD</A></DT>
-<DD>This prototype implementation of the IP Security protocols is for
- yet another free operating system. It is directly integrated into the
- OS release, since the OS is maintained in Canada, which has freedom of
- speech in software.</DD>
-</DL>
-<H3><A name="policestate">Stopping wholesale monitoring</A></H3>
-<P>From a message project leader John Gilmore posted to the mailing
- list:</P>
-<PRE>John Denker wrote:
-
-&gt; Indeed there are several ways in which the documentation overstates the 
-&gt; scope of what this project does -- starting with the name 
-&gt; FreeS/WAN.  There's a big difference between having an encrypted IP tunnel 
-&gt; versus having a Secure Wide-Area Network.  This software does a fine job of 
-&gt; the former, which is necessary but not sufficient for the latter.
-
-The goal of the project is to make it very hard to tap your wide area
-communications.  The current system provides very good protection
-against passive attacks (wiretapping and those big antenna farms).
-Active attacks, which involve the intruder sending packets to your
-system (like packets that break into sendmail and give them a root
-shell :-) are much harder to guard against.  Active attacks that
-involve sending people (breaking into your house and replacing parts
-of your computer with ones that transmit what you're doing) are also
-much harder to guard against.  Though we are putting effort into
-protecting against active attacks, it's a much bigger job than merely
-providing strong encryption.  It involves general computer security,
-and general physical security, which are two very expensive problems
-for even a site to solve, let alone to build into a whole society.
-
-The societal benefit of building an infrastructure that protects
-well against passive attacks is that it makes it much harder to do
-undetected bulk monitoring of the population.  It's a defense against
-police-states, not against policemen.
-
-Policemen can put in the effort required to actively attack sites that
-they have strong suspicions about.  But police states won't be able to
-build systems that automatically monitor everyone's communications.
-Either they will be able to monitor only a small subset of the
-populace (by targeting those who screwed up their passive security),
-or their monitoring activities will be detectable by those monitored
-(active attacks leave packet traces or footprints), which can then be
-addressed through the press and through political means if they become
-too widespread.
-
-FreeS/WAN does not protect very well against traffic analysis, which
-is a kind of widespread police-state style monitoring that still
-reveals significant information (who's talking to who) without
-revealing the contents of what was said.  Defenses against traffic
-analysis are an open research problem.  Zero Knowledge Systems is
-actively deploying a system designed to thwart it, designed by Ian
-Goldberg.  The jury is out on whether it actually works; a lot more
-experience with it will be needed.</PRE>
-<P>Notes on things mentioned in that message:</P>
-<UL>
-<LI>Denker is a co-author of a<A href="intro.html#applied"> paper</A> on
- a large FreeS/WAN application.</LI>
-<LI>Information on Zero Knowledge is on their<A href="http://www.zks.net/">
- web site</A>. Their Freedom product, designed to provide untracable
- pseudonyms for use on the net, is no longer marketed.</LI>
-<LI>Another section of our documentation discusses ways to<A href="ipsec.html#traffic.resist">
- resist traffic analysis</A>.</LI>
-</UL>
-<H2><A name="weak">Government promotion of weak crypto</A></H2>
-<P>Various groups, especially governments and especially the US
- government, have a long history of advocating various forms of bogus
- security.</P>
-<P>We regard bogus security as extremely dangerous. If users are
- deceived into relying on bogus security, then they may be exposed to
- large risks. They would be better off having no security and knowing
- it. At least then they would be careful about what they said.</P>
-<P><STRONG>Avoiding bogus security is a key design criterion for
- everything we do in FreeS/WAN</STRONG>. The most conspicuous example is
- our refusal to support<A href="#desnotsecure"> single DES</A>. Other
- IPsec &quot;features&quot; which we do not implement are discussed in our<A href="compat.html#dropped">
- compatibility</A> document.</P>
-<H3><A name="escrow">Escrowed encryption</A></H3>
-<P>Various governments have made persistent attempts to encourage or
- mandate &quot;escrowed encrytion&quot;, also called &quot;key recovery&quot;, or GAK for
- &quot;government access to keys&quot;. The idea is that cryptographic keys be
- held by some third party and turned over to law enforcement or security
- agencies under some conditions.</P>
-<PRE>  Mary had a little key - she kept it in escrow,
-  and every thing that Mary said,
-  the feds were sure to know.</PRE>
-<P>A<A href="web.html#quotes"> crypto quotes</A> page attributes this to<A
-href="http://www.scramdisk.clara.net/"> Sam Simpson</A>.</P>
-<P>There is an excellent paper available on<A href="http://www.cdt.org/crypto/risks98/">
- Risks of Escrowed Encryption</A>, from a group of cryptographic
- luminaries which included our project leader.</P>
-<P>Like any unnecessary complication, GAK tends to weaken security of
- any design it infects. For example:</P>
-<UL>
-<LI>Matt Blaze found a fatal flaw in the US government's Clipper chip
- shortly after design information became public. See his paper &quot;Protocol
- Failure in the Escrowed Encryption Standard&quot; on his<A href="http://www.crypto.com/papers/">
- papers</A> page.</LI>
-<LI>a rather<A href="http://www.pgp.com/other/advisories/adk.asp"> nasty
- bug</A> was found in the &quot;additional decryption keys&quot; &quot;feature&quot; of some
- releases of<A href="glossary.html#PGP"> PGP</A></LI>
-</UL>
-<P>FreeS/WAN does not support escrowed encryption, and never will.</P>
-<H3><A name="shortkeys">Limited key lengths</A></H3>
-<P>Various governments, and some vendors, have also made persistent
- attempts to convince people that:</P>
-<UL>
-<LI>weak systems are sufficient for some data</LI>
-<LI>strong cryptography should be reserved for cases where the extra
- overheads are justified</LI>
-</UL>
-<P><STRONG>This is utter nonsense</STRONG>.</P>
-<P>Weak systems touted include:</P>
-<UL>
-<LI>the ludicrously weak (deliberately crippled) 40-bit ciphers that
- until recently were all various<A href="#exlaw"> export laws</A>
- allowed</LI>
-<LI>56-bit single DES, discussed<A href="#desnotsecure"> below</A></LI>
-<LI>64-bit symmetric ciphers and 512-bit RSA, the maximums for
- unrestricted export under various current laws</LI>
-</UL>
-<P>The notion that choice of ciphers or keysize should be determined by
- a trade-off between security requirements and overheads is pure
- bafflegab.</P>
-<UL>
-<LI>For most<A href="glossary.html#symmetric"> symmetric ciphers</A>, it
- is simply a lie. Any block cipher has some natural maximum keysize
- inherent in the design -- 128 bits for<A href="glossary.html#IDEA">
- IDEA</A> or<A href="glossary.html#CAST128"> CAST-128</A>, 256 for
- Serpent or Twofish, 448 for<A href="glossary.html#Blowfish"> Blowfish</A>
- and 2048 for<A href="glossary.html#RC4"> RC4</A>. Using a key size
- smaller than that limit gives<EM> exactly zero</EM> savings in
- overhead. The crippled 40-bit or 64-bit version of the cipher provides<EM>
- no advantage whatsoever</EM>.</LI>
-<LI><A href="glossary.html#AES">AES</A> uses 10 rounds with 128-bit
- keys, 12 rounds for 192-bit and 14 rounds for 256-bit, so there
- actually is a small difference in overhead, but not enough to matter in
- most applications.</LI>
-<LI>For<A href="glossary.html#3DES"> triple DES</A> there is a grain of
- truth in the argument. 3DES is indeed three times slower than single
- DES. However, the solution is not to use the insecure single DES, but
- to pick a faster secure cipher.<A href="glossary.html#CAST128">
- CAST-128</A>,<A href="glossary.html#Blowfish"> Blowfish</A> and the<A href="glossary.html#AES">
- AES candidate</A> ciphers are are all considerably faster in software
- than DES (let alone 3DES!), and apparently secure.</LI>
-<LI>For<A href="glossary.html#public"> public key</A> techniques, there
- are extra overheads for larger keys, but they generally do not affect
- overall performance significantly. Practical public key applications
- are usually<A href="glossary.html#hybrid"> hybrid</A> systems in which
- the bulk of the work is done by a symmetric cipher. The effect of
- increasing the cost of the public key operations is typically
- negligible because the public key operations use only a tiny fraction
- of total resources.
-<P>For example, suppose public key operations use use 1% of the time in
- a hybrid system and you triple the cost of public key operations. The
- cost of symmetric cipher operations is unchanged at 99% of the original
- total cost, so the overall effect is a jump from 99 + 1 = 100 to 99 + 3
- = 102, a 2% rise in system cost.</P>
-</LI>
-</UL>
-<P>In short,<STRONG> there has never been any technical reason to use
- inadequate ciphers</STRONG>. The only reason there has ever been for
- anyone to use such ciphers is that government agencies want weak
- ciphers used so that they can crack them. The alleged savings are
- simply propaganda.</P>
-<PRE>   Mary had a little key (It's all she could export),
-   and all the email that she sent was opened at the Fort.</PRE>
-<P>A<A href="web.html#quotes"> crypto quotes</A> page attributes this to<A
-href="http://theory.lcs.mit.edu:80/~rivest/"> Ron Rivest</A>. NSA
- headquarters is at Fort Meade, Maryland.</P>
-<P>Our policy in FreeS/WAN is to use only cryptographic components with
- adequate keylength and no known weaknesses.</P>
-<UL>
-<LI>We do not implement single DES because it is clearly<A href="#desnotsecure">
- insecure</A>, so implemeting it would violate our policy of avoiding
- bogus security. Our default cipher is<A href="glossary.html#3DES"> 3DES</A>
-</LI>
-<LI>Similarly, we do not implement the 768-bit Group 1 for<A href="glossary.html#DH">
- Diffie-Hellman</A> key negotiation. We provide only the 1024-bit Group
- 2 and 1536-bit Group 5.</LI>
-</UL>
-<P>Detailed discussion of which IPsec features we implement or omit is
- in out<A href="compat.html"> compatibility document</A>.</P>
-<P>These decisions imply that we cannot fully conform to the IPsec RFCs,
- since those have DES as the only required cipher and Group 1 as the
- only required DH group. (In our view, the standards were subverted into
- offerring bogus security.) Fortunately, we can still interoperate with
- most other IPsec implementations since nearly all implementers provide
- at least 3DES and Group 2 as well.</P>
-<P>We hope that eventually the RFCs will catch up with our (and others')
- current practice and reject dubious components. Some of our team and a
- number of others are working on this in<A href="glossary.html#IETF">
- IETF</A> working groups.</P>
-<H4>Some real trade-offs</H4>
-<P>Of course, making systems secure does involve costs, and trade-offs
- can be made between cost and security. However, the real trade-offs
- have nothing to do with using weaker ciphers.</P>
-<P>There can be substantial hardware and software costs. There are often
- substantial training costs, both to train administrators and to
- increase user awareness of security issues and procedures. There are
- almost always substantial staff or contracting costs.</P>
-<P>Security takes staff time for planning, implementation, testing and
- auditing. Some of the issues are subtle; you need good (hence often
- expensive) people for this. You also need people to monitor your
- systems and respond to problems. The best safe ever built is insecure
- if an attacker can work on it for days without anyone noticing. Any
- computer is insecure if the administrator is &quot;too busy&quot; to check the
- logs.</P>
-<P>Moreover, someone in your organisation (or on contract to it) needs
- to spend considerable time keeping up with new developments. EvilDoers<EM>
- will</EM> know about new attacks shortly after they are found. You need
- to know about them before your systems are attacked. If your vendor
- provides a patch, you need to apply it. If the vendor does nothing, you
- need to complain or start looking for another vendor.</P>
-<P>For a fairly awful example, see this<A href="http://www.sans.org/newlook/alerts/NTE-bank.htm">
- report</A>. In that case over a million credit card numbers were taken
- from e-commerce sites, using security flaws in Windows NT servers.
- Microsoft had long since released patches for most or all of the flaws,
- but the site administrators had not applied them.</P>
-<P>At an absolute minimum, you must do something about such issues<EM>
- before</EM> an exploitation tool is posted to the net for downloading
- by dozens of &quot;script kiddies&quot;. Such a tool might appear at any time
- from the announcement of the security hole to several months later.
- Once it appears, anyone with a browser and an attitude can break any
- system whose administrators have done nothing about the flaw.</P>
-<P>Compared to those costs, cipher overheads are an insignificant factor
- in the cost of security.</P>
-<P>The only thing using a weak cipher can do for you is to cause all
- your other investment to be wasted.</P>
-<H2><A name="exlaw">Cryptography Export Laws</A></H2>
-<P>Many nations restrict the export of cryptography and some restrict
- its use by their citizens or others within their borders.</P>
-<H3><A name="USlaw">US Law</A></H3>
-<P>US laws, as currently interpreted by the US government, forbid export
- of most cryptographic software from the US in machine-readable form
- without government permission. In general, the restrictions apply even
- if the software is widely-disseminated or public-domain and even if it
- came from outside the US originally. Cryptography is legally a munition
- and export is tightly controlled under the<A href="glossary.html#EAR">
- EAR</A> Export Administration Regulations.</P>
-<P>If you are a US citizen, your brain is considered US territory no
- matter where it is physically located at the moment. The US believes
- that its laws apply to its citizens everywhere, not just within the US.
- Providing technical assistance or advice to foreign &quot;munitions&quot;
- projects is illegal. The US government has very little sense of humor
- about this issue and does not consider good intentions to be sufficient
- excuse. Beware.</P>
-<P>The<A href="http://www.bxa.doc.gov/Encryption/"> official website</A>
- for these regulations is run by the Commerce Department's Bureau of
- Export Administration (BXA).</P>
-<P>The<A href="http://www.eff.org/bernstein/"> Bernstein case</A>
- challenges the export restrictions on Constitutional grounds. Code is
- speech so restrictions on export of code violate the First Amendment's
- free speech provisions. This argument has succeeded in two levels of
- court so far. It is quite likely to go on to the Supreme Court.</P>
-<P>The regulations were changed substantially in January 2000,
- apparently as a government attempt to get off the hook in the Bernstein
- case. It is now legal to export public domain source code for
- encryption, provided you notify the<A href="glossary.html#BXA"> BXA</A>
-.</P>
-<P>There are, however, still restrictions in force. Moreover, the
- regulations can still be changed again whenever the government chooses
- to do so. Short of a Supreme Court ruling (in the Berstein case or
- another) that overturns the regulations completely, the problem of
- export regulation is not likely to go away in the forseeable future.</P>
-<H4><A name="UScontrib">US contributions to FreeS/WAN</A></H4>
-<P>The FreeS/WAN project<STRONG> cannot accept software contributions,<EM>
- not even small bug fixes</EM>, from US citizens or residents</STRONG>.
- We want it to be absolutely clear that our distribution is not subject
- to US export law. Any contribution from an American might open that
- question to a debate we'd prefer to avoid. It might also put the
- contributor at serious legal risk.</P>
-<P>Of course Americans can still make valuable contributions (many
- already have) by reporting bugs, or otherwise contributing to
- discussions, on the project<A href="mail.html"> mailing list</A>. Since
- the list is public, this is clearly constitutionally protected free
- speech.</P>
-<P>Note, however, that the export laws restrict Americans from providing
- technical assistance to foreign &quot;munitions&quot; projects. The government
- might claim that private discussions or correspondence with FreeS/WAN
- developers were covered by this. It is not clear what the courts would
- do with such a claim, so we strongly encourage Americans to use the
- list rather than risk the complications.</P>
-<H3><A name="wrong">What's wrong with restrictions on cryptography</A></H3>
-<P>Some quotes from prominent cryptography experts:</P>
-<BLOCKQUOTE> The real aim of current policy is to ensure the continued
- effectiveness of US information warfare assets against individuals,
- businesses and governments in Europe and elsewhere.
-<BR><A href="http://www.cl.cam.ac.uk/users/rja14"> Ross Anderson,
- Cambridge University</A></BLOCKQUOTE><BLOCKQUOTE> If the government
- were honest about its motives, then the debate about crypto export
- policy would have ended years ago.
-<BR><A href="http://www.counterpane.com"> Bruce Schneier, Counterpane
- Systems</A></BLOCKQUOTE><BLOCKQUOTE> The NSA regularly lies to people
- who ask it for advice on export control. They have no reason not to;
- accomplishing their goal by any legal means is fine by them. Lying by
- government employees is legal.
-<BR> John Gilmore.</BLOCKQUOTE>
-<P>The Internet Architecture Board (IAB) and the Internet Engineering
- Steering Group (IESG) made a<A href="iab-iesg.stmt"> strong statement</A>
- in favour of worldwide access to strong cryptography. Essentially the
- same statement is in the appropriately numbered<A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">
- RFC 1984</A>. Two critical paragraphs are:</P>
-<BLOCKQUOTE> ... various governments have actual or proposed policies on
- access to cryptographic technology ...
-<P>(a) ... export controls ...
-<BR> (b) ... short cryptographic keys ...
-<BR> (c) ... keys should be in the hands of the government or ...
-<BR> (d) prohibit the use of cryptology ...</P>
-<P>We believe that such policies are against the interests of consumers
- and the business community, are largely irrelevant to issues of
- military security, and provide only a marginal or illusory benefit to
- law enforcement agencies, ...</P>
-<P>The IAB and IESG would like to encourage policies that allow ready
- access to uniform strong cryptographic technology for all Internet
- users in all countries.</P>
-</BLOCKQUOTE>
-<P>Our goal in the FreeS/WAN project is to build just such &quot;strong
- cryptographic technology&quot; and to distribute it &quot;for all Internet users
- in all countries&quot;.</P>
-<P>More recently, the same two bodies (IESG and IAB) have issued<A href="ftp://ftp.isi.edu/in-notes/rfc2804.txt">
- RFC 2804</A> on why the IETF should not build wiretapping capabilities
- into protocols for the convenience of security or law enforcement
- agenicies. The abstract from that document is:</P>
-<BLOCKQUOTE> The Internet Engineering Task Force (IETF) has been asked
- to take a position on the inclusion into IETF standards-track documents
- of functionality designed to facilitate wiretapping.
-<P>This memo explains what the IETF thinks the question means, why its
- answer is &quot;no&quot;, and what that answer means.</P>
-</BLOCKQUOTE> A quote from the debate leading up to that RFC:<BLOCKQUOTE>
- We should not be building surveillance technology into standards. Law
- enforcement was not supposed to be easy. Where it is easy, it's called
- a police state.
-<BR> Jeff Schiller of MIT, in a discussion of FBI demands for wiretap
- capability on the net, as quoted by<A href="http://www.wired.com/news/politics/0,1283,31895,00.html">
- Wired</A>.</BLOCKQUOTE>
-<P>The<A href="http://www.ietf.org/mailman/listinfo/raven"> Raven</A>
- mailing list was set up for this IETF discussion.</P>
-<P>Our goal is to go beyond that RFC and prevent Internet wiretapping
- entirely.</P>
-<H3><A name="Wassenaar">The Wassenaar Arrangement</A></H3>
-<P>Restrictions on the export of cryptography are not just US policy,
- though some consider the US at least partly to blame for the policies
- of other nations in this area.</P>
-<P>A number of countries:</P>
-<P>Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech
- Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland,
- Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland,
- Portugal, Republic of Korea, Romania, Russian Federation, Slovak
- Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom
- and United States</P>
-<P>have signed the Wassenaar Arrangement which restricts export of
- munitions and other tools of war. Cryptographic sofware is covered
- there.</P>
-<P>Wassenaar details are available from the<A href="http://www.wassenaar.org/">
- Wassenaar Secretariat</A>, and elsewhere in a more readable<A href="http://www.fitug.de/news/wa/index.html">
- HTML version</A>.</P>
-<P>For a critique see the<A href="http://www.gilc.org/crypto/wassenaar">
- GILC site</A>:</P>
-<BLOCKQUOTE> The Global Internet Liberty Campaign (GILC) has begun a
- campaign calling for the removal of cryptography controls from the
- Wassenaar Arrangement.
-<P>The aim of the Wassenaar Arrangement is to prevent the build up of
- military capabilities that threaten regional and international security
- and stability . . .</P>
-<P>There is no sound basis within the Wassenaar Arrangement for the
- continuation of any export controls on cryptographic products.</P>
-</BLOCKQUOTE>
-<P>We agree entirely.</P>
-<P>An interesting analysis of Wassenaar can be found on the<A href="http://www.cyber-rights.org/crypto/wassenaar.htm">
- cyber-rights.org</A> site.</P>
-<H3><A name="status">Export status of Linux FreeS/WAN</A></H3>
-<P>We believe our software is entirely exempt from these controls since
- the Wassenaar<A href="http://www.wassenaar.org/list/GTN%20and%20GSN%20-%2099.pdf">
- General Software Note</A> says:</P>
-<BLOCKQUOTE> The Lists do not control &quot;software&quot; which is either:
-<OL>
-<LI>Generally available to the public by . . . retail . . . or</LI>
-<LI>&quot;In the public domain&quot;.</LI>
-</OL>
-</BLOCKQUOTE>
-<P>There is a note restricting some of this, but it is a sub-heading
- under point 1, so it appears not to apply to public domain software.</P>
-<P>Their glossary defines &quot;In the public domain&quot; as:</P>
-<BLOCKQUOTE> . . . &quot;technology&quot; or &quot;software&quot; which has been made
- available without restrictions upon its further dissemination.
-<P>N.B. Copyright restrictions do not remove &quot;technology&quot; or &quot;software&quot;
- from being &quot;in the public domain&quot;.</P>
-</BLOCKQUOTE>
-<P>We therefore believe that software freely distributed under the<A href="glossary.html#GPL">
- GNU Public License</A>, such as Linux FreeS/WAN, is exempt from
- Wassenaar restrictions.</P>
-<P>Most of the development work is being done in Canada. Our
- understanding is that the Canadian government accepts this
- interpretation.</P>
-<UL>
-<LI>A web statement of<A href="http://www.dfait-maeci.gc.ca/~eicb/notices/ser113-e.htm">
- Canadian policy</A> is available from the Department of Foreign Affairs
- and International Trade.</LI>
-<LI>Another document from that department states that<A href="http://www.dfait-maeci.gc.ca/~eicb/export/gr1_e.htm">
- public domain software</A> is exempt from the export controls.</LI>
-<LI>A researcher's<A href="http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html">
- analysis</A> of Canadian policy is also available.</LI>
-</UL>
-<P>Recent copies of the freely modifiable and distributable source code
- exist in many countries. Citizens all over the world participate in its
- use and evolution, and guard its ongoing distribution. Even if Canadian
- policy were to change, the software would continue to evolve in
- countries which do not restrict exports, and would continue to be
- imported from there into unfree countries. &quot;The Net culture treats
- censorship as damage, and routes around it.&quot;</P>
-<H3><A name="help">Help spread IPsec around</A></H3>
-<P>You can help. If you don't know of a Linux FreeS/WAN archive in your
- own country, please download it now to your personal machine, and
- consider making it publicly accessible if that doesn't violate your own
- laws. If you have the resources, consider going one step further and
- setting up a mirror site for the whole<A href="intro.html#munitions">
- munitions</A> Linux crypto software archive.</P>
-<P>If you make Linux CD-ROMs, please consider including this code, in a
- way that violates no laws (in a free country, or in a domestic-only CD
- product).</P>
-<P>Please send a note about any new archive mirror sites or CD
- distributions to linux-ipsec@clinet.fi so we can update the
- documentation.</P>
-<P>Lists of current<A href="intro.html#sites"> mirror sites</A> and of<A href="intro.html#distwith">
- distributions</A> which include FreeS/WAN are in our introduction
- section.</P>
-<H2><A name="desnotsecure">DES is Not Secure</A></H2>
-<P>DES, the<STRONG> D</STRONG>ata<STRONG> E</STRONG>ncryption<STRONG> S</STRONG>
-tandard, can no longer be considered secure. While no major flaws in its
- innards are known, it is fundamentally inadequate because its<STRONG>
- 56-bit key is too short</STRONG>. It is vulnerable to<A href="glossary.html#brute">
- brute-force search</A> of the whole key space, either by large
- collections of general-purpose machines or even more quickly by
- specialized hardware. Of course this also applies to<STRONG> any other
- cipher with only a 56-bit key</STRONG>. The only reason anyone could
- have for using a 56 or 64-bit key is to comply with various<A href="exportlaw.html">
- export laws</A> intended to ensure the use of breakable ciphers.</P>
-<P>Non-government cryptologists have been saying DES's 56-bit key was
- too short for some time -- some of them were saying it in the 70's when
- DES became a standard -- but the US government has consistently
- ridiculed such suggestions.</P>
-<P>A group of well-known cryptographers looked at key lengths in a<A href="http://www.counterpane.com/keylength.html">
- 1996 paper</A>. They suggested a<EM> minimum</EM> of 75 bits to
- consider an existing cipher secure and a<EM> minimum of 90 bits for new
- ciphers</EM>. More recent papers, covering both<A href="glossary.html#symmetric">
- symmetric</A> and<A href="glossary.html#public"> public key</A> systems
- are at<A href="http://www.cryptosavvy.com/"> cryptosavvy.com</A> and<A href="http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html">
- rsa.com</A>. For all algorithms, the minimum keylengths recommended in
- such papers are significantly longer than the maximums allowed by
- various export laws.</P>
-<P>In a<A href="http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-09/0095.html">
- 1998 ruling</A>, a German court described DES as &quot;out-of-date and not
- safe enough&quot; and held a bank liable for using it.</P>
-<H3><A name="deshware">Dedicated hardware breaks DES in a few days</A></H3>
-<P>The question of DES security has now been settled once and for all.
- In early 1998, the<A href="http://www.eff.org/"> Electronic Frontier
- Foundation</A> built a<A href="http://www.eff.org/descracker.html">
- DES-cracking machine</A>. It can find a DES key in an average of a few
- days' search. The details of all this, including complete code listings
- and complete plans for the machine, have been published in<A href="biblio.html#EFF">
-<CITE> Cracking DES</CITE></A>, by the Electronic Frontier Foundation.</P>
-<P>That machine cost just over $200,000 to design and build. &quot;Moore's
- Law&quot; is that machines get faster (or cheaper, for the same speed) by
- roughly a factor of two every 18 months. At that rate, their $200,000
- in 1998 becomes $50,000 in 2001.</P>
-<P>However, Moore's Law is not exact and the $50,000 estimate does not
- allow for the fact that a copy based on the published EFF design would
- cost far less than the original. We cannot say exactly what such a
- cracker would cost today, but it would likely be somewhere between
- $10,000 and $100,000.</P>
-<P>A large corporation could build one of these out of petty cash. The
- cost is low enough for a senior manager to hide it in a departmental
- budget and avoid having to announce or justify the project. Any
- government agency, from a major municipal police force up, could afford
- one. Or any other group with a respectable budget -- criminal
- organisations, political groups, labour unions, religious groups, ...
- Or any millionaire with an obsession or a grudge, or just strange taste
- in toys.</P>
-<P>One might wonder if a private security or detective agency would have
- one for rent. They wouldn't need many clients to pay off that
- investment.</P>
-<H3><A name="spooks">Spooks may break DES faster yet</A></H3>
-<P>As for the security and intelligence agencies of various nations,
- they may have had DES crackers for years, and theirs may be much
- faster. It is difficult to make most computer applications work well on
- parallel machines, or to design specialised hardware to accelerate
- them. Cipher-cracking is one of the very few exceptions. It is entirely
- straightforward to speed up cracking by just adding hardware. Within
- very broad limits, you can make it as fast as you like if you have the
- budget. The EFF's $200,000 machine breaks DES in a few days. An<A href="http://www.planepage.com/">
- aviation website</A> gives the cost of a B1 bomber as $200,000,000.
- Spending that much, an intelligence agency could break DES in an
- average time of<EM> six and a half minutes</EM>.</P>
-<P>That estimate assumes they use the EFF's 1998 technology and just
- spend more money. They may have an attack that is superior to brute
- force, they quite likely have better chip technology (Moore's law, a
- bigger budget, and whatever secret advances they may have made) and of
- course they may have spent the price of an aircraft carrier, not just
- one aircraft.</P>
-<P>In short, we have<EM> no idea</EM> how quickly these organisations
- can break DES. Unless they're spectacularly incompetent or horribly
- underfunded, they can certainly break it, but we cannot guess how
- quickly. Pick any time unit between days and milliseconds; none is
- entirely unbelievable. More to the point, none of them is of any
- comfort if you don't want such organisations reading your
- communications.</P>
-<P>Note that this may be a concern even if nothing you do is a threat to
- anyone's national security. An intelligence agency might well consider
- it to be in their national interest for certain companies to do well.
- If you're competing against such companies in a world market and that
- agency can read your secrets, you have a serious problem.</P>
-<P>One might wonder about technology the former Soviet Union and its
- allies developed for cracking DES during the Cold War. They must have
- tried; the cipher was an American standard and widely used. Certainly
- those countries have some fine mathematicians, and those agencies had
- budget. How well did they succeed? Is their technology now for sale or
- rent?</P>
-<H3><A name="desnet">Networks break DES in a few weeks</A></H3>
-<P>Before the definitive EFF effort, DES had been cracked several times
- by people using many machines. See this<A href="http://www.distributed.net/pressroom/DESII-1-PR.html">
- press release</A> for example.</P>
-<P>A major corporation, university, or government department could break
- DES by using spare cycles on their existing collection of computers, by
- dedicating a group of otherwise surplus machines to the problem, or by
- combining the two approaches. It might take them weeks or months,
- rather than the days required for the EFF machine, but they could do
- it.</P>
-<P>What about someone working alone, without the resources of a large
- organisation? For them, cracking DES will not be easy, but it may be
- possible. A few thousand dollars buys a lot of surplus workstations. A
- pile of such machines will certainly heat your garage nicely and might
- break DES in a few months or years. Or enroll at a university and use
- their machines. Or use an employer's machines. Or crack security
- somewhere and steal the resources to crack a DES key. Or write a virus
- that steals small amounts of resources on many machines. Or . . .</P>
-<P>None of these approaches are easy or break DES really quickly, but an
- attacker only needs to find one that is feasible and breaks DES quickly
- enough to be dangerous. How much would you care to bet that this will
- be impossible if the attacker is clever and determined? How valuable is
- your data? Are you authorised to risk it on a dubious bet?</P>
-<H3><A name="no_des">We disable DES</A></H3>
-<P>In short, it is now absolutely clear that<STRONG> DES is not secure</STRONG>
- against</P>
-<UL>
-<LI>any<STRONG> well-funded opponent</STRONG></LI>
-<LI>any opponent (even a penniless one) with access (even stolen access)
- to<STRONG> enough general purpose computers</STRONG></LI>
-</UL>
-<P>That is why<STRONG> Linux FreeS/WAN disables all transforms which use
- plain DES</STRONG> for encryption.</P>
-<P>DES is in the source code, because we need DES to implement our
- default encryption transform,<A href="glossary.html#3DES"> Triple DES</A>
-.<STRONG> We urge you not to use single DES</STRONG>. We do not provide
- any easy way to enable it in FreeS/WAN, and our policy is to provide no
- assistance to anyone wanting to do so.</P>
-<H3><A name="40joke">40-bits is laughably weak</A></H3>
-<P>The same is true, in spades, of ciphers -- DES or others -- crippled
- by 40-bit keys, as many ciphers were required to be until recently
- under various<A href="#exlaw"> export laws</A>. A brute force search of
- such a cipher's keyspace is 2<SUP>16</SUP> times faster than a similar
- search against DES. The EFF's machine can do a brute-force search of a
- 40-bit key space in<EM> seconds</EM>. One contest to crack a 40-bit
- cipher was won by a student<A href="http://catless.ncl.ac.uk/Risks/18.80.html#subj1">
- using a few hundred idle machines at his university</A>. It took only
- three and half hours.</P>
-<P>We do not, and will not, implement any 40-bit cipher.</P>
-<H3><A name="altdes">Triple DES is almost certainly secure</A></H3>
-<P><A href="glossary.html#3DES">Triple DES</A>, usually abbreviated
- 3DES, applies DES three times, with three different keys. DES seems to
- be basically an excellent cipher design; it has withstood several
- decades of intensive analysis without any disastrous flaws being found.
- It's only major flaw is that the small keyspace allows brute force
- attacks to succeeed. Triple DES enlarges the key space to 168 bits,
- making brute-force search a ridiculous impossibility.</P>
-<P>3DES is currently the only block cipher implemented in FreeS/WAN.
- 3DES is, unfortunately, about 1/3 the speed of DES, but modern CPUs
- still do it at quite respectable speeds. Some<A href="glossary.html#benchmarks">
- speed measurements</A> for our code are available.</P>
-<H3><A name="aes.ipsec">AES in IPsec</A></H3>
-<P>The<A href="glossary.html#AES"> AES</A> project has chosen a
- replacement for DES, a new standard cipher for use in non-classified US
- government work and in regulated industries such as banking. This
- cipher will almost certainly become widely used for many applications,
- including IPsec.</P>
-<P>The winner, announced in October 2000 after several years of analysis
- and discussion, was the<A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">
- Rijndael</A> cipher from two Belgian designers.</P>
-<P>It is almost certain that FreeS/WAN will add AES support.<A href="web.html#patch">
- AES patches</A> are already available.</P>
-<H2><A name="press">Press coverage of Linux FreeS/WAN:</A></H2>
-<H3><A NAME="26_6_1">FreeS/WAN 1.0 press</A></H3>
-<UL>
-<LI><A href="http://www.wired.com/news/news/technology/story/19136.html">
-Wired</A> &quot;Linux-Based Crypto Stops Snoops&quot;, James Glave April 15 1999</LI>
-<LI><A href="http://slashdot.org/articles/99/04/15/1851212.shtml">
-Slashdot</A></LI>
-<LI><A href="http://dgl.com/itinfo/1999/it990415.html">DGL</A>, Damar
- Group Limited; looking at FreeS/WAN from a perspective of business
- computing</LI>
-<LI><A href="http://linuxtoday.com/stories/5010.html">Linux Today</A></LI>
-<LI><A href="http://www.tbtf.com/archive/1999-04-21.html#Tcep">TBTF</A>,
- Tasty Bits from the Technology Front</LI>
-<LI><A href="http://www.salonmagazine.com/tech/log/1999/04/16/encryption/index.html">
-Salon Magazine</A> &quot;Free Encryption Takes a Big Step&quot;</LI>
-</UL>
-<H3><A name="release">Press release for version 1.0</A></H3>
-<PRE>        Strong Internet Privacy Software Free for Linux Users Worldwide
-
-Toronto, ON, April 14, 1999 - 
-
-The Linux FreeS/WAN project today released free software to protect
-the privacy of Internet communications using strong encryption codes.
-FreeS/WAN automatically encrypts data as it crosses the Internet, to
-prevent unauthorized people from receiving or modifying it.  One
-ordinary PC per site runs this free software under Linux to become a
-secure gateway in a Virtual Private Network, without having to modify
-users' operating systems or application software.  The project built
-and released the software outside the United States, avoiding US
-government regulations which prohibit good privacy protection.
-FreeS/WAN version 1.0 is available immediately for downloading at
-http://www.xs4all.nl/~freeswan/.
-
-&quot;Today's FreeS/WAN release allows network administrators to build
-excellent secure gateways out of old PCs at no cost, or using a cheap
-new PC,&quot; said John Gilmore, the entrepreneur who instigated the
-project in 1996.  &quot;They can build operational experience with strong
-network encryption and protect their users' most important
-communications worldwide.&quot;
-
-&quot;The software was written outside the United States, and we do not
-accept contributions from US citizens or residents, so that it can be
-freely published for use in every country,&quot; said Henry Spencer, who
-built the release in Toronto, Canada.  &quot;Similar products based in the
-US require hard-to-get government export licenses before they can be
-provided to non-US users, and can never be simply published on a Web
-site.  Our product is freely available worldwide for immediate
-downloading, at no cost.&quot;
-
-FreeS/WAN provides privacy against both quiet eavesdropping (such as
-&quot;packet sniffing&quot;) and active attempts to compromise communications
-(such as impersonating participating computers).  Secure &quot;tunnels&quot; carry
-information safely across the Internet between locations such as a
-company's main office, distant sales offices, and roaming laptops.  This
-protects the privacy and integrity of all information sent among those
-locations, including sensitive intra-company email, financial transactions
-such as mergers and acquisitions, business negotiations, personal medical
-records, privileged correspondence with lawyers, and information about
-crimes or civil rights violations.  The software will be particularly
-useful to frequent wiretapping targets such as private companies competing
-with government-owned companies, civil rights groups and lawyers,
-opposition political parties, and dissidents. 
-
-FreeS/WAN provides privacy for Internet packets using the proposed
-standard Internet Protocol Security (IPSEC) protocols.  FreeS/WAN
-negotiates strong keys using Diffie-Hellman key agreement with 1024-bit
-keys, and encrypts each packet with 168-bit Triple-DES (3DES).  A modern
-$500 PC can set up a tunnel in less than a second, and can encrypt
-6 megabits of packets per second, easily handling the whole available
-bandwidth at the vast majority of Internet sites.  In preliminary testing,
-FreeS/WAN interoperated with 3DES IPSEC products from OpenBSD, PGP, SSH,
-Cisco, Raptor, and Xedia.  Since FreeS/WAN is distributed as source code,
-its innards are open to review by outside experts and sophisticated users,
-reducing the chance of undetected bugs or hidden security compromises.
-
-The software has been in development for several years.  It has been
-funded by several philanthropists interested in increased privacy on
-the Internet, including John Gilmore, co-founder of the Electronic
-Frontier Foundation, a leading online civil rights group.
-
-Press contacts:
-Hugh Daniel,   +1 408 353 8124, hugh@toad.com
-Henry Spencer, +1 416 690 6561, henry@spsystems.net
-
-* FreeS/WAN derives its name from S/WAN, which is a trademark of RSA Data
-  Security, Inc; used by permission.</PRE>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="umltesting.html">Previous</A>
-<A HREF="ipsec.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/quickstart.html b/doc/quickstart.html
deleted file mode 100644
index 44d73abc5..000000000
--- a/doc/quickstart.html
+++ /dev/null
@@ -1,323 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="upgrading.html">Previous</A>
-<A HREF="policygroups.html">Next</A>
-<HR>
-<H1><A name="quickstart">Quickstart Guide to Opportunistic Encryption</A>
-</H1>
-<A name="quick_guide"></A>
-<H2><A name="opp.setup">Purpose</A></H2>
-<P>This page will get you started using Linux FreeS/WAN with
- opportunistic encryption (OE). OE enables you to set up IPsec tunnels
- without co-ordinating with another site administrator, and without hand
- configuring each tunnel. If enough sites support OE, a &quot;FAX effect&quot;
- occurs, and many of us can communicate without eavesdroppers.</P>
-<H3><A NAME="3_1_1">OE &quot;flag day&quot;</A></H3>
-<P>As of FreeS/WAN 2.01, OE uses DNS TXT resource records (RRs) only
- (rather than TXT with KEY). This change causes a<A href="http://jargon.watson-net.com/jargon.asp?w=flag+day">
- &quot;flag day&quot;</A>. Users of FreeS/WAN 2.00 (or earlier) OE who are
- upgrading may require additional resource records, as detailed in our<A href="upgrading.html#upgrading.flagday">
- upgrading document</A>. OE setup instructions here are for 2.02 or
- later.</P>
-<H2><A name="opp.dns">Requirements</A></H2>
-<P>To set up opportunistic encryption, you will need:</P>
-<UL>
-<LI>a Linux box. For OE to the public Internet, this box must NOT be
- behind<A HREF="glossary.html#NAT.gloss"> Network Address Translation</A>
- (NAT).</LI>
-<LI>to install Linux FreeS/WAN 2.02 or later</LI>
-<LI>either control over your reverse DNS (for full opportunism) or the
- ability to write to some forward domain (for initiator-only).<A HREF="http://www.fdns.net">
- This free DNS service</A> explicitly supports forward TXT records for
- FreeS/WAN use.</LI>
-<LI>(for full opportunism) a static IP</LI>
-</UL>
-<P>Note: Currently, only Linux FreeS/WAN supports opportunistic
- encryption.</P>
-<H2><A name="easy.install">RPM install</A></H2>
-<P>Our instructions are for a recent Red Hat with a 2.4-series stock or
- Red Hat updated kernel. For other ways to install, see our<A href="install.html#install">
- install document</A>.</P>
-<H3><A NAME="3_3_1">Download RPMs</A></H3>
-<P>If we have prebuilt RPMs for your Red Hat system, this command will
- get them:</P>
-<PRE>    ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r | tr -d 'a-wy-z'`/\*</PRE>
-<P>If that fails, you will need to try<A HREF="install.html"> another
- install method</A>. Our kernel modules<B> will only work on the Red Hat
- kernel they were built for</B>, since they are very sensitive to small
- changes in the kernel.</P>
-<P>If it succeeds, you will have userland tools, a kernel module, and an
- RPM signing key:</P>
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm
-    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm
-    freeswan-rpmsign.asc</PRE>
-<H3><A NAME="3_3_2">Check signatures</A></H3>
-<P>If you're running RedHat 8.x or later, import the RPM signing key
- into the RPM database:</P>
-<PRE>    rpm --import freeswan-rpmsign.asc</PRE>
-<P>For RedHat 7.x systems, you'll need to add it to your<A HREF="glossary.html#PGP">
- PGP</A> keyring:</P>
-<PRE>    pgp -ka freeswan-rpmsign.asc</PRE>
-<P>Check the digital signatures on both RPMs using:</P>
-<PRE>    rpm --checksig freeswan*.rpm </PRE>
-<P>You should see that these signatures are good:</P>
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK
-    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK</PRE>
-<H3><A NAME="3_3_3">Install the RPMs</A></H3>
-<P>Become root:</P>
-<PRE>    su</PRE>
-<P>Install your RPMs with:</P>
-<P></P>
-<PRE>    rpm -ivh freeswan*.rpm</PRE>
-<P>If you're upgrading from FreeS/WAN 1.x RPMs, and have problems with
- that command, see<A HREF="upgrading.html#upgrading.rpms"> this note</A>
-.</P>
-<P>Then, start FreeS/WAN:</P>
-<PRE>    service ipsec start</PRE>
-<H3><A name="testinstall">Test</A></H3>
-<P>To check that you have a successful install, run:</P>
-<PRE>    ipsec verify</PRE>
-<P>You should see as part of the<VAR> verify</VAR> output:</P>
-<PRE>
-    Checking your system to see if IPsec got installed and started correctly
-    Version check and ipsec on-path                             [OK]
-    Checking for KLIPS support in kernel                        [OK]
-    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
-    Checking that pluto is running                              [OK]
-    ...</PRE>
-<P>If any of these first four checks fails, see our<A href="trouble.html#install.check">
- troubleshooting guide</A>.</P>
-<H2><A name="opp.setups.list">Our Opportunistic Setups</A></H2>
-<H3><A NAME="3_4_1">Full or partial opportunism?</A></H3>
-<P>Determine the best form of opportunism your system can support.</P>
-<UL>
-<LI>For<A HREF="#opp.incoming"> full opportunism</A>, you'll need a
- static IP and and either control over your reverse DNS or an ISP that
- can add the required TXT record for you.</LI>
-<LI>If you have a dynamic IP, and/or write access to forward DNS only,
- you can do<A HREF="#opp.client"> initiate-only opportunism</A></LI>
-<LI>To protect traffic bound for real IPs behind your gateway, use<A HREF="adv_config.html#opp.gate">
- this form of full opportunism</A>.</LI>
-</UL>
-<H2><A name="opp.client">Initiate-only setup</A></H2>
-<H3><A NAME="3_5_1">Restrictions</A></H3>
-<P>When you set up initiate-only Opportunistic Encryption (iOE):</P>
-<UL>
-<LI>there will be<STRONG> no incoming connection requests</STRONG>; you
- can initiate all the IPsec connections you need.</LI>
-<LI><STRONG>only one machine is visible</STRONG> on your end of the
- connection.</LI>
-<LI>iOE also protects traffic on behalf of<A HREF="glossary.html#NAT.gloss">
- NATted</A> hosts behind the iOE box.</LI>
-</UL>
-<P>You cannot network a group of initiator-only machines if none of
- these is capable of responding to OE. If one is capable of responding,
- you may be able to create a hub topology using routing.</P>
-<H3><A name="forward.dns">Create and publish a forward DNS record</A></H3>
-<H4>Find a domain you can use</H4>
-<P>Find a DNS forward domain (e.g. example.com) where you can publish
- your key. You'll need access to the DNS zone files for that domain.
- This is common for a domain you own. Some free DNS providers, such as<A HREF="http://www.fdns.net">
- this one</A>, also provide this service.</P>
-<P>Dynamic IP users take note: the domain where you place your key need
- not be associated with the IP address for your system, or even with
- your system's usual hostname.</P>
-<H4>Choose your ID</H4>
-<P>Choose a name within that domain which you will use to identify your
- machine. It's convenient if this can be the same as your hostname:</P>
-<PRE>    [root@xy root]# hostname --fqdn
-    xy.example.com</PRE>
-<P>This name in FQDN (fully-qualified domain name) format will be your
- ID, for DNS key lookup and IPsec negotiation.</P>
-<H4>Create a forward TXT record</H4>
-<P>Generate a forward TXT record containing your system's public key
- with a command like:</P>
-<PRE>    ipsec showhostkey --txt @xy.example.com</PRE>
-<P>using your chosen ID in place of xy.example.com. This command takes
- the contents of /etc/ipsec.secrets and reformats it into something
- usable by ISC's BIND. The result should look like this (with the key
- data trimmed down for clarity):</P>
-<PRE>
-    ; RSA 2192 bits   xy.example.com   Thu Jan  2 12:41:44 2003
-        IN      TXT     &quot;X-IPsec-Server(10)=@xy.example.com&quot; 
-    &quot;AQOF8tZ2... ...+buFuFn/&quot;
-</PRE>
-<H4>Publish the forward TXT record</H4>
-<P>Insert the record into DNS, or have a system adminstrator do it for
- you. It may take up to 48 hours for the record to propagate, but it's
- usually much quicker.</P>
-<H3><A NAME="3_5_3">Test that your key has been published</A></H3>
-<P>Check your DNS work</P>
-<PRE>    ipsec verify --host xy.example.com</PRE>
-<P>As part of the<VAR> verify</VAR> output, you ought to see something
- like:</P>
-<PRE>    ...
-    Looking for TXT in forward map: xy.example.com          [OK]
-    ...</PRE>
-<P>For this type of opportunism, only the forward test is relevant; you
- can ignore the tests designed to find reverse records.</P>
-<H3><A NAME="3_5_4">Configure, if necessary</A></H3>
-<P> If your ID is the same as your hostname, you're ready to go.
- FreeS/WAN will use its<A HREF="policygroups.html"> built-in connections</A>
- to create your iOE functionality.</P>
-<P>If you have chosen a different ID, you must tell FreeS/WAN about it
- via<A HREF="manpage.d/ipsec.conf.5.html"><VAR> ipsec.conf</VAR></A>:</P>
-<PRE>    config setup
-        myid=@myname.freedns.example.com</PRE>
-<P>and restart FreeS/WAN:</P>
-<PRE>    service ipsec restart</PRE>
-<P>The new ID will be applied to the built-in connections.</P>
-<P>Note: you can create more complex iOE configurations as explained in
- our<A HREF="policygroups.html#policygroups"> policy groups document</A>
-, or disable OE using<A HREF="policygroups.html#disable_policygroups">
- these instructions</A>.</P>
-<H3><A NAME="3_5_5">Test</A></H3>
-<P>That's it!<A HREF="#opp.test"> Test your connections</A>.</P>
-<A name="opp.incoming"></A>
-<H2><A NAME="3_6">Full Opportunism</A></H2>
-<P>Full opportunism allows you to initiate and receive opportunistic
- connections on your machine.</P>
-<A name="incoming.opp.dns"></A>
-<H3><A NAME="3_6_1">Put a TXT record in a Forward Domain</A></H3>
-<P>To set up full opportunism, first<A HREF="#forward.dns"> set up a
- forward TXT record</A> as for<A HREF="#opp.client"> initiator-only OE</A>
-, using an ID (for example, your hostname) that resolves to your IP. Do
- not configure<VAR> /etc/ipsec.conf</VAR>, but continue with the
- instructions for full opportunism, below.</P>
-<P>Note that this forward record is not currently necessary for full OE,
- but will facilitate future features.</P>
-<A name="incoming.opp.dns"></A>
-<H3><A NAME="3_6_2">Put a TXT record in Reverse DNS</A></H3>
-<P>You must be able to publish your DNS RR directly in the reverse
- domain. FreeS/WAN will not follow a PTR which appears in the reverse,
- since a second lookup at connection start time is too costly.</P>
-<H4>Create a Reverse DNS TXT record</H4>
-<P>This record serves to publicize your FreeS/WAN public key. In
- addition, it lets others know that this machine can receive
- opportunistic connections, and asserts that the machine is authorized
- to encrypt on its own behalf.</P>
-<P>Use the command:</P>
-<PRE>    ipsec showhostkey --txt 192.0.2.11</PRE>
-<P>where you replace 192.0.2.11 with your public IP.</P>
-<P>The record (with key shortened) looks like:</P>
-<PRE>    ; RSA 2048 bits  xy.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-<H4>Publish your TXT record</H4>
-<P>Send these records to your ISP, to be published in your IP's reverse
- map. It may take up to 48 hours for these to propagate, but usually
- takes much less time.</P>
-<H3><A NAME="3_6_3">Test your DNS record</A></H3>
-<P>Check your DNS work with</P>
-<PRE>    ipsec verify --host xy.example.com</PRE>
-<P>As part of the<VAR> verify</VAR> output, you ought to see something
- like:</P>
-<PRE>    ...
-    Looking for TXT in reverse map: 11.2.0.192.in-addr.arpa [OK]
-    ...</PRE>
-<P>which indicates that you've passed the reverse-map test.</P>
-<H3><A NAME="3_6_4">No Configuration Needed</A></H3>
-<P>FreeS/WAN 2.x ships with full OE enabled, so you don't need to
- configure anything. To enable OE out of the box, FreeS/WAN 2.x uses the
- policy group<VAR> private-or-clear</VAR>, which creates IPsec
- connections if possible (using OE if needed), and allows traffic in the
- clear otherwise. You can create more complex OE configurations as
- described in our<A HREF="policygroups.html#policygroups"> policy groups
- document</A>, or disable OE using<A HREF="policygroups.html#disable_policygroups">
- these instructions</A>.</P>
-<P>If you've previously configured for initiator-only opportunism,
- remove<VAR> myid=</VAR> from<VAR> config setup</VAR>, so that peer
- FreeS/WANs will look up your key by IP. Restart FreeS/WAN so that your
- change will take effect, with</P>
-<PRE>    service ipsec restart</PRE>
-<H3><A NAME="3_6_5">Consider Firewalling</A></H3>
-<P>If you are running a default install of RedHat 8.x, take note: you
- will need to alter your iptables rule setup to allow IPSec traffic
- through your firewall. See<A HREF="firewall.html#simple.rules"> our
- firewall document</A> for sample<VAR> iptables</VAR> rules.</P>
-<H3><A NAME="3_6_6">Test</A></H3>
-<P>That's it. Now,<A HREF="#opp.test"> test your connection</A>.</P>
-<H3><A NAME="3_6_7">Test</A></H3>
-<P>Instructions are in the next section.</P>
-<H2><A NAME="opp.test">Testing opportunistic connections</A></H2>
-<P>Be sure IPsec is running. You can see whether it is with:</P>
-<PRE>    ipsec setup status</PRE>
-<P>If need be, you can restart it with:</P>
-<PRE>    service ipsec restart</PRE>
-<P>Load a FreeS/WAN test website from the host on which you're running
- FreeS/WAN. Note: the feds may be watching these sites. Type one of:</P>
-<P></P>
-<PRE>   links oetest.freeswan.org</PRE>
-<PRE>   links oetest.freeswan.nl</PRE>
-
-<!--<PRE>   links oetest.freeswan.ca</PRE>-->
-<P>A positive result looks like this:</P>
-<PRE>
-   You  seem  to  be  connecting  from:  192.0.2.11 which DNS says is:
-   gateway.example.com
-     _________________________________________________________________
-
-   Status E-route
-   OE    enabled    16    192.139.46.73/32    -&gt;    192.0.2.11/32   =&gt;
-   tun0x2097@192.0.2.11
-   OE    enabled    176    192.139.46.77/32    -&gt;   192.0.2.11/32   =&gt;
-   tun0x208a@192.0.2.11
-</PRE>
-<P>If you see this, congratulations! Your OE host or gateway will now
- encrypt its own traffic whenever it can. For more OE tests, please see
- our<A HREF="testing.html#test.oe"> testing document</A>. If you have
- difficulty, see our<A HREF="#oe.trouble"> OE troubleshooting tips</A>.</P>
-<H2><A NAME="3_8">Now what?</A></H2>
-<P>Please see our<A HREF="policygroups.html"> policy groups document</A>
- for more ways to set up Opportunistic Encryption.</P>
-<P>You may also wish to make some<A HREF="config.html"> pre-configured
- connections</A>.</P>
-<H2><A NAME="3_9">Notes</A></H2>
-<UL>
-<LI>We assume some facts about your system in order to make
- Opportunistic Encryption easier to configure. For example, we assume
- that you wish to have FreeS/WAN secure your default interface.</LI>
-<LI>You may change this, and other settings, by altering the<VAR> config
- setup</VAR> section in<VAR> /etc/ipsec.conf</VAR>.</LI>
-<LI>Note that the built-in connections used to build policy groups do
- not inherit from<VAR> conn default</VAR>.</LI>
-
-<!--
-<LI>If you do not define your local identity
-(eg. <VAR>leftid</VAR>), this will be the IP address of your default
-FreeS/WAN interface.  
--->
-<LI> If you fail to define your local identity and do not fill in your
- reverse DNS entry, you will not be able to use OE.</LI>
-</UL>
-<A NAME="oe.trouble"></A>
-<H2><A NAME="3_10">Troubleshooting OE</A></H2>
-<P>See the OE troubleshooting hints in our<A HREF="trouble.html#oe.trouble">
- troubleshooting guide</A>.</P>
-<A NAME="oe.known-issues"></A>
-<H2><A NAME="3_11">Known Issues</A></H2>
-<P>Please see<A HREF="opportunism.known-issues"> this list</A> of known
- issues with Opportunistic Encryption.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="upgrading.html">Previous</A>
-<A HREF="policygroups.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/rfc.html b/doc/rfc.html
deleted file mode 100644
index 29785d8de..000000000
--- a/doc/rfc.html
+++ /dev/null
@@ -1,135 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="biblio.html">Previous</A>
-<A HREF="roadmap.html">Next</A>
-<HR>
-<H1><A name="RFC">IPsec RFCs and related documents</A></H1>
-<H2><A name="RFCfile">The RFCs.tar.gz Distribution File</A></H2>
-<P>The Linux FreeS/WAN distribution is available from<A href="http://www.xs4all.nl/~freeswan">
- our primary distribution site</A> and various mirror sites. To give
- people more control over their downloads, the RFCs that define IP
- security are bundled separately in the file RFCs.tar.gz.</P>
-<P>The file you are reading is included in the main distribution and is
- available on the web site. It describes the RFCs included in the<A href="#RFCs.tar.gz">
- RFCs.tar.gz</A> bundle and gives some pointers to<A href="#sources">
- other ways to get them</A>.</P>
-<H2><A name="sources">Other sources for RFCs &amp; Internet drafts</A></H2>
-<H3><A name="RFCdown">RFCs</A></H3>
-<P>RFCs are downloadble at many places around the net such as:</P>
-<UL>
-<LI><A href="http://www.rfc-editor.org">http://www.rfc-editor.org</A></LI>
-<LI><A href="http://nis.nsf.net/internet/documents/rfc">NSF.net</A></LI>
-<LI><A href="http://sunsite.doc.ic.ac.uk/computing/internet/rfc">Sunsite
- in the UK</A></LI>
-</UL>
-<P>browsable in HTML form at others such as:</P>
-<UL>
-<LI><A href="http://www.landfield.com/rfcs/index.html">landfield.com</A></LI>
-<LI><A href="http://www.library.ucg.ie/Connected/RFC">Connected Internet
- Encyclopedia</A></LI>
-</UL>
-<P>and some of them are available in translation:</P>
-<UL>
-<LI><A href="http://www.eisti.fr/eistiweb/docs/normes/">French</A></LI>
-</UL>
-<P>There is also a published<A href="biblio.html#RFCs"> Big Book of
- IPSEC RFCs</A>.</P>
-<H3><A name="drafts">Internet Drafts</A></H3>
-<P>Internet Drafts, working documents which sometimes evolve into RFCs,
- are also available.</P>
-<UL>
-<LI><A href="http://www.ietf.org/ID.html">Overall reference page</A></LI>
-<LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">IPsec</A> working
- group</LI>
-<LI><A href="http://www.ietf.org/ids.by.wg/ipsra.html">IPSRA (IPsec
- Remote Access)</A> working group</LI>
-<LI><A href="http://www.ietf.org/ids.by.wg/ipsp.html">IPsec Policy</A>
- working group</LI>
-<LI><A href="http://www.ietf.org/ids.by.wg/kink.html">KINK (Kerberized
- Internet Negotiation of Keys)</A> working group</LI>
-</UL>
-<P>Note: some of these may be obsolete, replaced by later drafts or by
- RFCs.</P>
-<H3><A name="FIPS1">FIPS standards</A></H3>
-<P>Some things used by<A href="glossary.html#IPSEC"> IPsec</A>, such as<A
-href="glossary.html#DES"> DES</A> and<A href="glossary.html#SHA"> SHA</A>
-, are defined by US government standards called<A href="glossary.html#FIPS">
- FIPS</A>. The issuing organisation,<A href="glossary.html#NIST"> NIST</A>
-, have a<A href="http://www.itl.nist.gov/div897/pubs"> FIPS home page</A>
-.</P>
-<H2><A name="RFCs.tar.gz">What's in the RFCs.tar.gz bundle?</A></H2>
-<P>All filenames are of the form rfc*.txt, with the * replaced with the
- RFC number.</P>
-<PRE>RFC#        Title</PRE>
-<H3><A name="rfc.ov">Overview RFCs</A></H3>
-<PRE>2401        Security Architecture for the Internet Protocol
-2411        IP Security Document Roadmap</PRE>
-<H3><A name="basic.prot">Basic protocols</A></H3>
-<PRE>2402        IP Authentication Header
-2406        IP Encapsulating Security Payload (ESP)</PRE>
-<H3><A name="key.ike">Key management</A></H3>
-<PRE>2367        PF_KEY Key Management API, Version 2
-2407        The Internet IP Security Domain of Interpretation for ISAKMP
-2408        Internet Security Association and Key Management Protocol (ISAKMP)
-2409        The Internet Key Exchange (IKE)
-2412        The OAKLEY Key Determination Protocol
-2528        Internet X.509 Public Key Infrastructure</PRE>
-<H3><A name="rfc.detail">Details of various things used</A></H3>
-<PRE>2085        HMAC-MD5 IP Authentication with Replay Prevention
-2104        HMAC: Keyed-Hashing for Message Authentication
-2202        Test Cases for HMAC-MD5 and HMAC-SHA-1
-2207        RSVP Extensions for IPSEC Data Flows
-2403        The Use of HMAC-MD5-96 within ESP and AH
-2404        The Use of HMAC-SHA-1-96 within ESP and AH
-2405        The ESP DES-CBC Cipher Algorithm With Explicit IV
-2410        The NULL Encryption Algorithm and Its Use With IPsec
-2451        The ESP CBC-Mode Cipher Algorithms
-2521        ICMP Security Failures Messages</PRE>
-<H3><A name="rfc.ref">Older RFCs which may be referenced</A></H3>
-<PRE>1321        The MD5 Message-Digest Algorithm
-1828        IP Authentication using Keyed MD5
-1829        The ESP DES-CBC Transform
-1851        The ESP Triple DES Transform
-1852        IP Authentication using Keyed SHA</PRE>
-<H3><A name="rfc.dns">RFCs for secure DNS service, which IPsec may use</A>
-</H3>
-<PRE>2137        Secure Domain Name System Dynamic Update
-2230        Key Exchange Delegation Record for the DNS
-2535        Domain Name System Security Extensions
-2536        DSA KEYs and SIGs in the Domain Name System (DNS)
-2537        RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
-2538        Storing Certificates in the Domain Name System (DNS)
-2539        Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</PRE>
-<H3><A name="rfc.exp">RFCs labelled &quot;experimental&quot;</A></H3>
-<PRE>2521        ICMP Security Failures Messages
-2522        Photuris: Session-Key Management Protocol
-2523        Photuris: Extended Schemes and Attributes</PRE>
-<H3><A name="rfc.rel">Related RFCs</A></H3>
-<PRE>1750        Randomness Recommendations for Security
-1918        Address Allocation for Private Internets
-1984        IAB and IESG Statement on Cryptographic Technology and the Internet
-2144        The CAST-128 Encryption Algorithm</PRE>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="biblio.html">Previous</A>
-<A HREF="roadmap.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/roadmap.html b/doc/roadmap.html
deleted file mode 100644
index ce547582c..000000000
--- a/doc/roadmap.html
+++ /dev/null
@@ -1,167 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="rfc.html">Previous</A>
-<A HREF="umltesting.html">Next</A>
-<HR>
-<H1><A name="roadmap">Distribution Roadmap: What's Where in Linux
- FreeS/WAN</A></H1>
-<P> This file is a guide to the locations of files within the FreeS/WAN
- distribution. Everything described here should be on your system once
- you download, gunzip, and untar the distribution.</P>
-<P>This distribution contains two major subsystems</P>
-<DL>
-<DT><A href="#klips.roadmap">KLIPS</A></DT>
-<DD>the kernel code</DD>
-<DT><A href="#pluto.roadmap">Pluto</A></DT>
-<DD>the user-level key-management daemon</DD>
-</DL>
-<P>plus assorted odds and ends.</P>
-<H2><A name="top">Top directory</A></H2>
-<P>The top directory has essential information in text files:</P>
-<DL>
-<DT>README</DT>
-<DD>introduction to the software</DD>
-<DT>INSTALL</DT>
-<DD>short experts-only installation procedures. More detalied procedures
- are in<A href="install.html"> installation</A> and<A href="config.html">
- configuration</A> HTML documents.</DD>
-<DT>BUGS</DT>
-<DD>major known bugs in the current release.</DD>
-<DT>CHANGES</DT>
-<DD>changes from previous releases</DD>
-<DT>CREDITS</DT>
-<DD>acknowledgement of contributors</DD>
-<DT>COPYING</DT>
-<DD>licensing and distribution information</DD>
-</DL>
-<H2><A name="doc">Documentation</A></H2>
-<P> The doc directory contains the bulk of the documentation, most of it
- in HTML format. See the<A href="index.html"> index file</A> for
- details.</P>
-<H2><A name="klips.roadmap">KLIPS: kernel IP security</A></H2>
-<P><A href="glossary.html#KLIPS"> KLIPS</A> is<STRONG> K</STRONG>erne<STRONG>
-L</STRONG><STRONG> IP</STRONG><STRONG> S</STRONG>ecurity. It lives in
- the klips directory, of course.</P>
-<DL>
-<DT>klips/doc</DT>
-<DD>documentation</DD>
-<DT>klips/patches</DT>
-<DD>patches for existing kernel files</DD>
-<DT>klips/test</DT>
-<DD>test stuff</DD>
-<DT>klips/utils</DT>
-<DD>low-level user utilities</DD>
-<DT>klips/net/ipsec</DT>
-<DD>actual klips kernel files</DD>
-<DT>klips/src</DT>
-<DD>symbolic link to klips/net/ipsec
-<P>The &quot;make insert&quot; step of installation installs the patches and makes
- a symbolic link from the kernel tree to klips/net/ipsec. The odd name
- of klips/net/ipsec is dictated by some annoying limitations of the
- scripts which build the Linux kernel. The symbolic-link business is a
- bit messy, but all the alternatives are worse.</P>
-<P></P>
-</DD>
-<DT>klips/utils</DT>
-<DD>Utility programs:
-<P></P>
-<DL>
-<DT>eroute</DT>
-<DD>manipulate IPsec extended routing tables</DD>
-<DT>klipsdebug</DT>
-<DD>set Klips (kernel IPsec support) debug features and level</DD>
-<DT>spi</DT>
-<DD>manage IPsec Security Associations</DD>
-<DT>spigrp</DT>
-<DD>group/ungroup IPsec Security Associations</DD>
-<DT>tncfg</DT>
-<DD>associate IPsec virtual interface with real interface</DD>
-</DL>
-<P>These are all normally invoked by ipsec(8) with commands such as</P>
-<PRE>        ipsec tncfg <VAR>arguments</VAR></PRE>
- There are section 8 man pages for all of these; the names have &quot;ipsec_&quot;
- as a prefix, so your man command should be something like:
-<PRE>        man 8 ipsec_tncfg</PRE>
-</DD>
-</DL>
-<H2><A name="pluto.roadmap">Pluto key and connection management daemon</A>
-</H2>
-<P><A href="glossary.html#Pluto"> Pluto</A> is our key management and
- negotiation daemon. It lives in the pluto directory, along with its
- low-level user utility, whack.</P>
-<P> There are no subdirectories. Documentation is a man page,<A href="manpage.d/ipsec_pluto.8.html">
- pluto.8</A>. This covers whack as well.</P>
-<H2><A name="utils">Utils</A></H2>
-<P> The utils directory contains a growing collection of higher-level
- user utilities, the commands that administer and control the software.
- Most of the things that you will actually have to run yourself are in
- there.</P>
-<DL>
-<DT>ipsec</DT>
-<DD>invoke IPsec utilities
-<P>ipsec(8) is normally the only program installed in a standard
- directory, /usr/local/sbin. It is used to invoke the others, both those
- listed below and the ones in klips/utils mentioned above.</P>
-<P></P>
-</DD>
-<DT>auto</DT>
-<DD>control automatically-keyed IPsec connections</DD>
-<DT>manual</DT>
-<DD>take manually-keyed IPsec connections up and down</DD>
-<DT>barf</DT>
-<DD>generate copious debugging output</DD>
-<DT>look</DT>
-<DD>generate moderate amounts of debugging output</DD>
-</DL>
-<P> There are .8 manual pages for these. look is covered in barf.8. The
- man pages have an &quot;ipsec_&quot; prefix so your man command should be
- something like:</P>
-<PRE>
-        man 8 ipsec_auto
-</PRE>
-<P> Examples are in various files with names utils/*.eg</P>
-<H2><A name="lib">Libraries</A></H2>
-<H3><A name="fswanlib">FreeS/WAN Library</A></H3>
-<P> The lib directory is the FreeS/WAN library, also steadily growing,
- used by both user-level and kernel code.
-<BR /> It includes section 3<A href="manpages.html"> man pages</A> for
- the library routines.</P>
-<H3><A name="otherlib">Imported Libraries</A></H3>
-<H4>LibDES</H4>
- The libdes library, originally from SSLeay, is used by both Klips and
- Pluto for<A href="glossary.html#3DES"> Triple DES</A> encryption.
- Single DES is not used because<A href="politics.html#desnotsecure"> it
- is insecure</A>.
-<P> Note that this library has its own license, different from the<A href="glossary.html#GPL">
- GPL</A> used for other code in FreeS/WAN.</P>
-<P> The library includes its own documentation.</P>
-<H4>GMP</H4>
- The GMP (GNU multi-precision) library is used for multi-precision
- arithmetic in Pluto's key-exchange code and public key code.
-<P> Older versions (up to 1.7) of FreeS/WAN included a copy of this
- library in the FreeS/WAN distribution.</P>
-<P> Since 1.8, we have begun to rely on the system copy of GMP.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="rfc.html">Previous</A>
-<A HREF="umltesting.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/src/.cvsignore b/doc/src/.cvsignore
deleted file mode 100644
index 3ed29bc59..000000000
--- a/doc/src/.cvsignore
+++ /dev/null
@@ -1,3 +0,0 @@
-foo.xml
-foobar.html
-makecheck-2.html
diff --git a/doc/src/adv_config.html b/doc/src/adv_config.html
deleted file mode 100644
index ab6901b5e..000000000
--- a/doc/src/adv_config.html
+++ /dev/null
@@ -1,1412 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>Advanced FreeS/WAN configuration</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, configuration">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Maintained by Claudia Schmeing for same.
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: adv_config.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="adv_config">Other configuration possibilities</a></h1>
-
-<p>This document describes various options for FreeS/WAN configuration which
-are less used or more complex (often both) than the standard cases described
-in our <a href="config.html#config">config</a> and 
-<a href="quickstart.html#quick_guide">quickstart</a> documents.</p>
-
-<h2><a name="thumb">Some rules of thumb about configuration</a></h2>
-
-<h3><a name="cheap.tunnel">Tunnels are cheap</a></h3>
-
-<p>Nearly all of the overhead in IPsec processing is in the encryption and
-authentication of packets. Our <a href="performance.html">performance</a>
-document discusses these overheads.</p>
-
-<p>Beside those overheads, the cost of managing additional tunnels is
-trivial. Whether your gateway supports one tunnel or ten just does not
-matter. A hundred might be a problem; there is a <a
-href="performance.html#biggate">section</a> on this in the performance
-document.</p>
-
-<p>So, in nearly all cases, if using multiple tunnels gives you a reasonable
-way to describe what you need to do, you should describe it that way in your
-configuration files.</p>
-
-<p>For example, one user recently asked on a mailing list about this network
-configuration:</p>
-<pre>        netA---gwA---gwB---netB
-                            |----netC
-
-   netA and B are secured netC not.
-   netA and gwA can not access netC</pre>
-
-<p>The user had constructed only one tunnel, netA to netB, and wanted to know
-how to use ip-route to get netC packets into it. This is entirely
-unnecessary. One of the replies was:</p>
-<pre>  The simplest way and indeed the right way to
-  solve this problem is to set up two connections:
-
-        leftsubnet=NetA
-        left=gwA
-        right=gwB
-        rightsubnet=NetB
-  and
-        leftsubnet=NetA
-        left=gwA
-        right=gwB
-        rightsubnet=NetC</pre>
-
-<p>This would still be correct even if we added nets D, E, F,
-... to the above diagram and needed twenty tunnels.</p>
-
-<p>Of course another possibility would be to just use one tunnel, with a
-subnet mask that includes both netB and netC (or B, C, D, ...). See next
-section.</p>
-
-<p>In general, you can construct as many tunnels as you need. Networks like
-netC in this example that do not connect directly to the gateway are fine, as
-long as the gateway can route to them.</p>
-
-<p>The number of tunnels can become an issue if it reaches 50 or so. This is
-discussed in the <a href="performance.html#biggate">performance</a> document.
-Look there for information on supporting hundreds of Road Warriors from one
-gateway.</p>
-
-<p>If you find yourself with too many tunnels for some reason like having
-eight subnets at one location and nine at another so you end up with
-9*8=72 tunnels, read the next section here.</p>
-
-<h3><a name="subnet.size">Subnet sizes</a></h3>
-
-<p>The subnets used in <var>leftsubnet</var> and <var>rightsubnet</var> can
-be of any size that fits your needs, and they need not correspond to physical
-networks.</p>
-
-<p>You adjust the size by changing the <a href="glossary.html#subnet">subnet
-mask</a>, the number after the slash in the subnet description. For
-example</p>
-<ul>
-  <li>in 192.168.100.0/24 the /24 mask says 24 bits are used to designate the
-    network. This leave 8 bits to label machines. This subnet has 256
-    addresses. .0 and .255 are reserved, so it can have 254 machines.</li>
-  <li>A subnet with a /23 mask would be twice as large, 512 addresses.</li>
-  <li>A subnet with a /25 mask would be half the size, 128 addresses.</li>
-  <li>/0 is the whole Internet</li>
-  <li>/32 is a single machine</li>
-</ul>
-
-<p>As an example of using these in connection descriptions, suppose your
-company's head office has four physical networks using the address ranges:</p>
-<dl>
-  <dt>192.168.100.0/24</dt>
-    <dd>development</dd>
-  <dt>192.168.101.0/24</dt>
-    <dd>production</dd>
-  <dt>192.168.102.0/24</dt>
-    <dd>marketing</dd>
-  <dt>192.168.103.0/24</dt>
-    <dd>administration</dd>
-</dl>
-
-<p>You can use exactly those subnets in your connection descriptions, or use
-larger subnets to grant broad access if required:</p>
-<dl>
-  <dt>leftsubnet=192.168.100.0/24</dt>
-    <dd>remote hosts can access only development</dd>
-  <dt>leftsubnet=192.168.100.0/23</dt>
-    <dd>remote hosts can access development or production</dd>
-  <dt>leftsubnet=192.168.102.0/23</dt>
-    <dd>remote hosts can access marketing or administration</dd>
-  <dt>leftsubnet=192.168.100.0/22</dt>
-    <dd>remote hosts can access any of the four departments</dd>
-</dl>
-
-<p>or use smaller subnets to restrict access:</p>
-<dl>
-  <dt>leftsubnet=192.168.103.0/24</dt>
-    <dd>remote hosts can access any machine in administration</dd>
-  <dt>leftsubnet=192.168.103.64/28</dt>
-    <dd>remote hosts can access only certain machines in administration.</dd>
-  <dt>leftsubnet=192.168.103.42/32</dt>
-    <dd>remote hosts can access only one particular machine in
-    administration</dd>
-</dl>
-
-<p>To be exact, 192.68.103.64/28 means all addresses whose top 28 bits match
-192.168.103.64. There are 16 of these because there are  16 possibilities for
-the remainingg 4 bits. Their addresses are 192.168.103.64 to
-192.168.103.79.</p>
-
-<p>Each connection description can use a different subnet if required.</p>
-
-<p>It is possible to use all the examples above on the same FreeS/WAN
-gateway, each in a different connection description, perhaps for different
-classes of user or for different remote offices.</p>
-
-<p>It is also possible to have multiple tunnels using different
-<var>leftsubnet</var> descriptions with the same <var>right</var>. For
-example, when the marketing manager is on the road he or she might have
-access to:</p>
-<dl>
-  <dt>leftsubnet=192.168.102.0/24</dt>
-    <dd>all machines in marketing</dd>
-  <dt>192.168.101.32/29</dt>
-    <dd>some machines in production</dd>
-  <dt>leftsubnet=192.168.103.42/32</dt>
-    <dd>one particular machine in administration</dd>
-</dl>
-
-<p>This takes three tunnels, but tunnels are cheap. If the laptop is set up
-to build all three tunnels automatically, then he or she can access all these
-machines concurrently, perhaps from different windows.</p>
-
-<h3><a name="example.more">Other network layouts</a></h3>
-
-<p>Here is the usual network picture for a site-to-site VPN::</p>
-<pre>     Sunset==========West------------------East=========Sunrise
-           local net       untrusted net       local net</pre>
-
-<p>and for the Road Warrior::</p>
-<pre>                                           telecommuter's PC or
-                                           traveller's laptop
-     Sunset==========West------------------East
-         corporate LAN     untrusted net</pre>
-
-<p>Other configurations are also possible.</p>
-
-<h4><a name="internet.subnet">The Internet as a big subnet</a></h4>
-
-<p>A telecommuter might have:</p>
-<pre>     Sunset==========West------------------East ================= firewall --- the Internet
-         home network      untrusted net        corporate network</pre>
-
-<p>This can be described as a special case of the general subnet-to-subnet
-connection. The subnet on the right is 0.0.0.0/0, the whole Internet.</p>
-
-<p>West (the home gateway) can have its firewall rules set up so that only
-IPsec packets to East are allowed out. It will then behave as if its only
-connection to the world was a wire to East.</p>
-
-<p>When machines on the home network need to reach the Internet, they do so
-via the tunnel, East and the corporate firewall. From the viewpoint of the
-Internet (perhaps of some EvilDoer trying to break in!), those home office
-machines are behind the firewall and protected by it.</p>
-
-<h4><a name="wireless.config">Wireless</a></h4>
-
-<p>Another possible configuration comes up when you do not trust the local
-network, either because you have very high security standards or because your
-are using easily-intercepted wireless signals.</p>
-
-<p>Some wireless networks have built-in encryption called <a
-href="glossary.html#WEP">WEP</a>, but its security is dubious. It is a fairly
-common practice to use IPsec instead.</p>
-
-<p>In this case, part of your network may look like this:</p>
-<pre>          West-----------------------------East == the rest of your network
-     workstation   untrusted wireless net</pre>
-
-<p>Of course, there would likely be several wireless workstations, each with
-its own IPsec tunnel to the East gateway.</p>
-
-<p>The connection descriptions look much like Road Warrior descriptions:</p>
-<ul>
-  <li>each workstation should have its own unique
-    <ul>
-      <li>identifier for IPsec</li>
-      <li>RSA key</li>
-      <li>connection description.</li>
-    </ul>
-  </li>
-  <li>on the gateway, use <var>left=%any</var>, or the workstation IP
-  address</li>
-  <li>on workstations, <var>left=%defaultroute</var>, or the workstation IP
-    address</li>
-  <li><var>leftsubnet=</var> is not used.</li>
-</ul>
-
-<p>The <var>rightsubnet=</var> parameter might be set in any of several
-ways:</p>
-<dl>
-  <dt>rightsubnet=0.0.0.0/0</dt>
-    <dd>allowing workstations to access the entire Internet (see <a
-      href="#internet.subnet">above</a>)</dd>
-  <dt>rightsubnet=a.b.c.0/24</dt>
-    <dd>allowing access to your entire local network</dd>
-  <dt>rightsubnet=a.b.c.d/32</dt>
-    <dd>restricting the workstation to connecting to a particular server</dd>
-</dl>
-
-<p>Of course you can mix and match these as required. For example, a
-university might allow faculty full Internet access while letting student
-laptops connect only to a group of lab machines.</p>
-
-<h2><a name="choose">Choosing connection types</a></h2>
-
-<p>One choice you need to make before configuring additional connections is
-what type or types of connections you will use. There are several options,
-and you can use more than one concurrently.</p>
-
-<h3><a name="man-auto">Manual vs. automatic keying</a></h3>
-
-<p>IPsec allows two types of connections, with manual or automatic keying.
-FreeS/WAN starts them with commands such as:</p>
-<pre>        ipsec manual --up <var>name</var>
-        ipsec auto --up <var>name</var></pre>
-
-<p>The difference is in how they are keyed.</p>
-<dl>
-  <dt><a href="glossary.html#manual">Manually keyed</a> connections</dt>
-    <dd>use keys stored in <a
-      href="manpage.d/ipsec.conf.5.html">ipsec.conf</a>.</dd>
-  <dt><a href="glossary.html#auto">Automatically keyed</a> connections</dt>
-    <dd>use keys automatically generated by the Pluto key negotiation daemon.
-      The key negotiation protocol, <a href="glossary.html#IKE">IKE</a>, must
-      authenticate the other system. (It is vulnerable to a <a
-      href="glossary.html#middle">man-in-the-middle attack</a> if used
-      without authentication.) We currently support two authentication
-      methods:
-      <ul>
-        <li>using shared secrets stored in <a
-          href="manpage.d/ipsec.secrets.5.html">ipsec.secrets</a>.</li>
-        <li>RSA <a href="glossary.html#public">public key</a> authentication,
-          with our machine's private key in <a
-          href="manpage.d/ipsec.secrets.5.html">ipsec.secrets</a>. Public
-          keys for other machines may either be placed in <a
-          href="manpage.d/ipsec.conf.5.html">ipsec.conf</a> or provided via
-          DNS.</li>
-      </ul>
-        <p>A third method, using RSA keys embedded in <a
-        href="glossary.html#X509">X.509</a> certtificates, is provided by
-        user <a href="web.html#patch">patches</a>.</p>
-    </dd>
-</dl>
-
-<p><a href="glossary.html#manual">Manually keyed</a> connections provide
-weaker security than <a href="glossary.html#auto">automatically keyed</a>
-connections. An opponent who reads ipsec.secrets(5) gets your encryption key
-and can read all data encrypted by it. If he or she has an archive of old
-messages, all of them back to your last key change are also readable.</p>
-
-<p>With automatically-(re)-keyed connections, an opponent who reads
-ipsec.secrets(5) gets the key used to authenticate your system in IKE -- the
-shared secret or your private key, depending what authentication mechanism is
-in use. However, he or she does not automatically gain access to any
-encryption keys or any data.</p>
-
-<p>An attacker who has your authentication key can mount  a <a
-href="glossary.html#middle">man-in-the-middle attack</a> and, if that
-succeeds, he or she will get encryption keys and data. This is a serious
-danger, but it is better than having the attacker read everyting as soon as
-he or she breaks into ipsec.secrets(5).. Moreover, the keys change often so
-an opponent who gets one key does not get a large amount of data. To read all
-your data, he or she would have to do a man-in-the-middle attack at every key
-change.</p>
-
-<p>We discuss using <a href="#prodman">manual keying in production</a> below,
-but this is <strong>not recommended</strong> except in special circumstances,
-such as needing to communicate with some implementation that offers no
-auto-keyed mode compatible with FreeS/WAN.</p>
-
-<p>Manual keying may also be useful for testing. There is some discussion of
-this in our <a href="faq.html#man4debug">FAQ</a>.</p>
-
-<h3><a name="auto-auth">Authentication methods for auto-keying</a></h3>
-
-<p>The IKE protocol which Pluto uses to negotiate connections between
-gateways must use some form of authentication of peers. A gateway must know
-who it is talking to before it can create a secure connection. We support two
-basic methods for this authentication:</p>
-<ul>
-  <li>shared secrets, stored in <a
-    href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a></li>
-  <li>RSA authentication</li>
-</ul>
-
-<p>There are, howver, several variations on the RSA theme, using different
-methods of managing the RSA keys:</p>
-<ul>
-  <li>our RSA private key in  <a
-    href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a> with other
-    gateways' public keys
-    <dl>
-      <dt>either</dt>
-        <dd>stored in <a
-        href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a></dd>
-      <dt>or</dt>
-        <dd>looked up via <a href="glossary.html#DNS">DNS</a></dd>
-    </dl>
-  </li>
-  <li>authentication with <a href="glossary.html#x509">x.509</a>
-    certificates.; See our <a href="web.html#patch">links section</a> for
-    information on user-contributed patches for this.:</li>
-</ul>
-
-<p>Public keys in <a href="manpage.d/ipsec.conf.5.html">ipsec.conf(5</a>)
-give a reasonably straightforward method of specifying keys for explicitly
-configured connections.</p>
-
-<p>Putting public keys in DNS allows us to support <a
-href="glossary.html#carpediem">opportunistic encryption</a>. Any two
-FreeS/WAN gateways can provide secure communication, without either of them
-having any preset information about the other.</p>
-
-<p>X.509 certificates may be required to interface to various <a
-href="glossary.html#PKI">PKI</a>s.</p>
-
-<h3><a name="adv-pk">Advantages of public key methods</a></h3>
-
-<p>Authentication with a <a href="glossary.html#public">public key</a> method
-such as <a href="glossary.html#RSA">RSA</a> has some important advantages
-over using shared secrets.</p>
-<ul>
-  <li>no problem of secure transmission of secrets
-    <ul>
-      <li>A shared secret must be shared, so you have the problem of
-        transmitting it securely to the other party. If you get this wrong,
-        you have no security.</li>
-      <li>With a public key technique, you transmit only your public key. The
-        system is designed to ensure that it does not matter if an enemy
-        obtains public keys. The private key never leaves your machine.</li>
-    </ul>
-  </li>
-  <li>easier management
-    <ul>
-      <li>Suppose you have 20 branch offices all connecting to one gateway at
-        head office, and all using shared secrets. Then the head office admin
-        has 20 secrets to manage. Each of them must be kept secret not only
-        from outsiders, but also from 19 of the branch office admins. The
-        branch office admins have only one secret each to manage.
-        <p>If the branch offices need to talk to each other, this becomes
-        problematic. You need another 20*19/2 = 190 secrets for
-        branch-to-branch communication, each known to exactly two branches.
-        Now all the branch admins have the headache of handling 20 keys, each
-        shared with exactly one other branch or with head office.</p>
-        <p>For larger numbers of branches, the number of connections and
-        secrets increases quadratically  and managing them becomes a
-        nightmare. A 1000-gateway fully connected network needs 499,500
-        secrets, each known to exactly two players. There are ways to reduce
-        this problem, for example by introducing a central key server, but
-        these involve additional communication overheads, more administrative
-        work, and new threats that must be carefully guarded against.</p>
-      </li>
-      <li>With public key techniques, the <em>only</em> thing you have to
-        keep secret is your private key, and <em>you keep that secret from
-        everyone</em>.
-        <p>As network size increaes, the number of public keys used increases
-        linearly with the number of nodes. This still requires careful
-        administration in large applications, but is nothing like the
-        disaster of a quadratic increase. On a 1000-gateway network, you have
-        1000 private keys, each of which must be kept secure on one machine,
-        and 1000 public keys which must be distributed. This is not a trivial
-        problem, but it is manageable.</p>
-      </li>
-    </ul>
-  </li>
-  <li>does not require fixed IP addresses
-    <ul>
-      <li>When shared secrets are used in IPsec, the responder must be able
-        to tell which secret to use by looking at the IP address on the
-        incoming packets.  When the other parties do not have a fixed IP
-        address to be identified by (for example, on nearly all dialup ISP
-        connections and many cable or ADSL links), this does not work well --
-        all must share the same secret!</li>
-      <li>When RSA authentication is in use, the initiator can identify
-        itself by name before the key must be determined.  The responder then
-        checks that the message is signed with the public key corresponding
-        to that name.</li>
-    </ul>
-  </li>
-</ul>
-
-<p>There is also a disadvantage:</p>
-<ul>
-  <li>your private key is a single point of attack, extremely valuable to an
-    enemy
-    <ul>
-      <li>with shared secrets, an attacker who steals your ipsec.secrets file
-        can impersonate you or try <a
-        href="glossary.html#middle">man-in-the-middle</a> attacks, but can
-        only attack connections described in that file</li>
-      <li>an attacker who steals your private key gains the chance to attack
-        not only existing connections <em>but also any future
-        connections</em> created using that key</li>
-    </ul>
-  </li>
-</ul>
-
-<p>This is partly counterbalanced by the fact that the key is never
-transmitted and remains under your control at all times. It is likely
-necessary, however, to take account of this in setting security policy. For
-example, you should change gateway keys when an administrator leaves the
-company, and should change them periodically in any case.</p>
-
-<p>Overall, public key methods are <strong>more secure, more easily managed
-and more flexible</strong>. We recommend that they be used for all
-connections, unless there is a compelling reason to do otherwise.</p>
-
-<h2><a name="prodsecrets">Using shared secrets in production</a></h2>
-
-<p>Generally, public key methods are preferred for reasons given above, but
-shared secrets can be used with no loss of security, just more work and
-perhaps more need to take precautions.</p>
-
-<p>What I call "shared secrets" are sometimes also called "pre-shared keys".
-They are used only for for authentication, never for encryption. Calling them
-"pre-shared keys" has confused some users into thinking they were encryption
-keys, so I prefer to avoid the term..</p>
-
-<p>If you are interoperating with another IPsec implementation, you may find
-its documentation calling them "passphrases".</p>
-
-<h3><a name="secrets">Putting secrets in ipsec.secrets(5)</a></h3>
-
-<p>If shared secrets are to be used to <a
-href="glossary.html#authentication">authenticate</a> communication for the <a
-href="glossary.html#DH">Diffie-Hellman</a> key exchange in the <a
-href="glossary.html#IKE">IKE</a> protocol, then those secrets must be stored
-in <var>/etc/ipsec.secrets</var>. For details, see the <a
-href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a> man page.</p>
-
-<p>A few considerations are vital:</p>
-<ul>
-  <li>make the secrets long and unguessable. Since they need not be
-    remembered by humans, very long ugly strings may be used. We suggest
-    using our <a href="manpage.d/ipsec_ranbits.8.html">ipsec_ranbits(8)</a>
-    utility to generate long (128 bits or more) random strings.</li>
-  <li>transmit secrets securely. You have to share them with other systems,
-    but you lose if they are intercepted and used against you. Use <a
-    href="glossary.html#PGP">PGP</a>, <a href="glossary.html#SSH">SSH</a>,
-    hand delivery of a floppy disk which is then destroyed, or some other
-    trustworthy method to deliver them.</li>
-  <li>store secrets securely, in root-owned files with permissions
-  rw------.</li>
-  <li>limit sharing of secrets. Alice, Bob, Carol and Dave may all talk to
-    each other, but only Alice and Bob should know the secret for an
-    Alice-Bob link.</li>
-  <li><strong>do not share private keys</strong>. The private key for RSA
-    authentication of your system is stored in <a
-    href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a>, but it is a
-    different class of secret from the pre-shared keys used for the "shared
-    secret" authentication. No-one but you should have the RSA private
-  key.</li>
-</ul>
-
-<p>Each line has the IP addresses of the two gateways plus the secret. It
-should look something like this:</p>
-<pre>        10.0.0.1 11.0.0.1 : PSK "jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT"</pre>
-
-<p><var>PSK</var> indicates the use of a
-<strong>p</strong>re-<strong>s</strong>hared <strong>k</strong>ey. The quotes
-and the whitespace shown are required.</p>
-
-<p>You can use any character string as your secret. For security, it should
-be both long and extremely hard to guess. We provide a utility to generate
-such strings, <a
-href="manpage.d/ipsec_ranbits.8.html">ipsec_ranbits(8)</a>.</p>
-
-<p>You want the same secret on the two gateways used, so you create a line
-with that secret and the two gateway IP addresses. The installation process
-supplies an example secret, useful <em>only</em> for testing. You must change
-it for production use.</p>
-
-<h3><a name="securing.secrets">File security</a></h3>
-
-<p>You must deliver this file, or the relevant part of it, to the other
-gateway machine by some <strong>secure</strong> means. <em>Don't just FTP or
-mail the file!</em> It is vital that the secrets in it remain secret. An
-attacker who knew those could easily have <em>all the data on your "secure"
-connection</em>.</p>
-
-<p>This file must be owned by root and should have permissions
-<var>rw-------</var>.</p>
-
-<h3><a name="notroadshared">Shared secrets for road warriors</a></h3>
-
-<p>You can use a shared secret to support a single road warrior connecting to
-your gateway, and this is a reasonable thing to do in some circumstances.
-Public key methods have advantages, discussed <a href="#choose">above</a>,
-but they are not critical in this case.</p>
-
-<p>To do this, the line in ipsec.secrets(5) is something like:</p>
-<pre>        10.0.0.1 0.0.0.0 : PSK "jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT"</pre>
-where the <var>0.0.0.0</var> means that any IP address is acceptable.
-
-<p><strong>For more than one road warrior, shared secrets are <em>not</em> 
-recommended.</strong> If shared secrets are used, then when the responder
-needs to look up the secret, all it knows about the sender is an IP address.
-This is fine if the sender is at a fixed IP address specified in the config
-file. It is also fine if only one road warrior uses the wildcard
-<var>0.0.0.0</var> address. However, if you have more than one road warrior
-using shared secret authentication, then they must all use that wildcard and
-therefore <strong>all road warriors using PSK autentication must use the same
-secret</strong>. Obviously, this is insecure.</p>
-
-<p><strong>For multiple road warriors, use public key
-authentication.</strong> Each roadwarrior can then have its own identity (our
-<var>leftid=</var> or <var>rightid=</var> parameters), its own public/private
-key pair, and its own secure connection.</p>
-
-<h2><a name="prodman">Using manual keying in production</a></h2>
-
-<p>Generally, <a href="glossary.html#auto">automatic keying</a> is preferred
-over <a href="glossary.html#manual">manual keying</a> for production use
-because it is both easier to manage and more secure. Automatic keying frees
-the admin from much of the burden of managing keys securely, and can provide
-<a href="glossary.html#PFS">perfect forward secrecy</a>. This is discussed in
-more detail <a href="#man-auto">above</a>.</p>
-
-<p>However, it is possible to use manual keying in production if that is what
-you want to do. This might be necessary, for example, in order to
-interoperate with some device that either does not provide automatic keying
-or provides it in some version we cannot talk to.</p>
-
-<p>Note that with manual keying <strong>all security rests with the
-keys</strong>. If an adversary acquires your keys, you've had it. He or she
-can read everything ever sent with those keys, including old messages he or
-she may have archived.</p>
-
-<p>You need to <strong>be really paranoid about keys</strong> if you're going
-to rely on manual keying for anything important.</p>
-<ul>
-  <li>keep keys in files with 600 permissions, owned by root</li>
-  <li>be extremely careful about security of your gateway systems. Anyone who
-    breaks into a gateway and gains root privileges can get all your keys and
-    read everything ever encrypted with those keys, both old messages he has
-    archived and any new ones you may send.</li>
-  <li>change keys regularly. This can be a considerable bother, (and provides
-    an excellent reason to consider automatic keying instead), but it is
-    <em>absolutely essential</em> for security. Consider a manually keyed
-    system in which you leave the same key in place for months:
-    <ul>
-      <li>an attacker can have a very large sample of text sent with that key
-        to work with. This makes various cryptographic attacks much more
-        likely to succeed.</li>
-      <li>The chances of the key being compromised in some non-cryptographic
-        manner -- a spy finds it on a discarded notepad, someone breaks into
-        your server or your building and steals it, a staff member is bribed,
-        tricked, seduced or coerced into revealing it, etc. -- also increase
-        over time.</li>
-      <li>a successful attacker can read everything ever sent with that key.
-        This makes any successful attack extremely damaging.</li>
-    </ul>
-    It is clear that you must change keys often to have any useful security.
-    The only question is how often.</li>
-  <li>use <a href="glossary.html#PGP">PGP</a> or <a
-    href="glossary.html#SSH">SSH</a> for all key transfers</li>
-  <li>don't edit files with keys in them when someone can look over your
-    shoulder</li>
-  <li>worry about network security; could someone get keys by snooping
-    packets on the LAN between your X desktop and the gateway?</li>
-  <li>lock up your backup tapes for the gateway system</li>
-  <li>... and so on</li>
-</ul>
-
-<p>Linux FreeS/WAN provides some facilities to help with this. In particular,
-it is good policy to <strong>keep keys in separate files</strong> so you can
-edit configuration information in /etc/ipsec.conf without exposing keys to
-"shoulder surfers" or network snoops. We support this with the
-<var>also=</var> and <var>include</var> syntax in <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a>.</p>
-
-<p>See the last example in our <a href="examples">examples</a> file. In the
-/etc/ipsec.conf <var>conn samplesep</var> section, it has the line:</p>
-<pre>        also=samplesep-keys</pre>
-
-<p>which tells the "ipsec manual" script to insert the configuration
-description labelled "samplesep-keys" if it can find it. The /etc/ipsec.conf
-file must also have a line such as:</p>
-<pre>include ipsec.*.conf</pre>
-
-<p>which tells it to read other files. One of those other files then might
-contain the additional data:</p>
-<pre>conn samplesep-keys
-  spi=0x200
-  esp=3des-md5-96
-  espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
-  espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf</pre>
-
-<p>The first line matches the label in the "also=" line, so the indented
-lines are inserted. The net effect is exactly as if the inserted lines had
-occurred in the original file in place of the "also=" line.</p>
-
-<p>Variables set here are:</p>
-<dl>
-  <dt>spi</dt>
-    <dd>A number needed by the manual keying code. Any 3-digit hex number
-      will do, but if you have more than one manual connection then
-      <strong>spi must be different</strong> for each connection.</dd>
-  <dt>esp</dt>
-    <dd>Options for <a href="glossary.html#ESP">ESP</a> (Encapsulated
-      Security Payload), the usual IPsec encryption mode. Settings here are
-      for <a href="glossary.html#encryption">encryption</a> using <a
-      href="glossary.html#3DES">triple DES</a> and <a
-      href="glossary.html#authentication">authentication</a> using <a
-      href="glossary.html#MD5">MD5</a>. Note that encryption without
-      authentication should not be used; it is insecure.</dd>
-  <dt>espenkey</dt>
-    <dd>Key for ESP encryption. Here, a 192-bit hex number for triple
-    DES.</dd>
-  <dt>espauthkey</dt>
-    <dd>Key for ESP authentication. Here, a 128-bit hex number for MD5.</dd>
-</dl>
-
-<p><strong>Note</strong> that the <strong>example keys we supply</strong> are
-intended <strong>only for testing</strong>. For real use, you should go to
-automatic keying. If that is not possible, create your own keys for manual
-mode and keep them secret</p>
-
-<p>Of course, any files containing keys <strong>must</strong> have 600
-permissions and be owned by root.</p>
-
-<p>If you connect in this way to multiple sites, we recommend that you keep
-keys for each site in a separate file and adopt some naming convention that
-lets you pick them all up with a single "include" line. This minimizes the
-risk of losing several keys to one error or attack and of accidentally giving
-another site admin keys which he or she has no business knowing.</p>
-
-<p>Also note that if you have multiple manually keyed connections on a single
-machine, then the <var>spi</var> parameter must be different for each one.
-Any 3-digit hex number is OK, provided they are different for each
-connection. We reserve the range 0x100 to 0xfff for manual connections. Pluto
-assigns SPIs from 0x1000 up for automatically keyed connections.</p>
-
-<p>If <a href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> contains keys
-for manual mode connections, then it too must have permissions
-<var>rw-------</var>. We recommend instead that, if you must manual keying in
-production, you keep the keys in separate files.</p>
-
-<p>Note also that <a href="manpage.d/ipsec.conf.5.html">ipsec.conf</a> is
-installed with permissions <var>rw-r--r--</var>. If you plan to use manually
-keyed connections for anything more than initial testing, you <b>must</b>:</p>
-<ul>
-  <li>either change permissions to <var>rw-------</var></li>
-  <li>or store keys separately in secure files and access them via include
-    statements in <a href="manpage.d/ipsec.conf.5.html">ipsec.conf</a>.</li>
-</ul>
-
-<p>We recommend the latter method for all but the simplest configurations.</p>
-
-<h3><a name="ranbits">Creating keys with ranbits</a></h3>
-
-<p>You can create new <a href="glossary.html#random">random</a> keys with the
-<a href="manpage.d/ipsec_ranbits.8.html">ranbits(8)</a> utility. For example,
-the commands:</p>
-<pre>      umask 177
-      ipsec ranbits 192  &gt; temp
-      ipsec ranbits 128 &gt;&gt; temp</pre>
-
-<p>create keys in the sizes needed for our default algorithms:</p>
-<ul>
-  <li>192-bit key for <a href="glossary.html#3DES">3DES</a> encryption <br>
-    (only 168 bits are used; parity bits are ignored)</li>
-  <li>128-bit key for keyed <a href="glossary.html#MD5">MD5</a>
-  authentication</li>
-</ul>
-
-<p>If you want to use <a href="glossary.html#SHA">SHA</a> instead of <a
-href="glossary.html#MD5">MD5</a>, that requires a 160-bit key</p>
-
-<p>Note that any <strong>temporary files</strong> used must be kept
-<strong>secure</strong> since they contain keys. That is the reason for the
-umask command above. The temporary file should be deleted as soon as you are
-done with it. You may also want to change the umask back to its default value
-after you are finished working on keys.</p>
-
-<p>The ranbits utility may pause for a few seconds if not enough entropy is
-available immediately. See ipsec_ranbits(8) and random(4) for details. You
-may wish to provide some activity to feed entropy into the system. For
-example, you might move the mouse around, type random characters, or do
-<var>du /usr &gt; /dev/null</var> in the background.</p>
-
-<h2><a name="boot">Setting up connections at boot time</a></h2>
-
-<p>You can tell the system to set up connections automatically at boot time
-by putting suitable stuff in /etc/ipsec.conf on both systems. The relevant
-section of the file is labelled by a line reading <var>config setup</var>.</p>
-
-<p>Details can be found in the <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> man page. We also
-provide a file of <a href="examples">example configurations</a>.</p>
-
-<p>The most likely options are something like:</p>
-<dl>
-  <dt>interfaces="ipsec0=eth0 ipsec1=ppp0"</dt>
-    <dd>Tells KLIPS which interfaces to use. Up to four interfaces numbered
-      ipsec[0-3] are supported. Each interface can support an arbitrary
-      number of tunnels.
-      <p>Note that for PPP, you give the ppp[0-9] device name here, not the
-      underlying device such as modem (or eth1 if you are using PPPoE).</p>
-    </dd>
-  <dt>interfaces=%defaultroute</dt>
-    <dd>Alternative setting, useful in simple cases. KLIPS will pick up both
-      its interface and the next hop information from the settings of the
-      Linux default route.</dd>
-  <dt>forwardcontrol=no</dt>
-    <dd>Normally "no". Set to "yes" if the IP forwarding option is disabled
-      in your network configuration. (This can be set as a kernel
-      configuration option or later. e.g. on Redhat, it's in
-      /etc/sysconfig/network and on SuSE you can adjust it with Yast.) Linux
-      FreeS/WAN will then enable forwarding when starting up and turn it off
-      when going down. This is used to ensure that no packets will be
-      forwarded before IPsec comes up and takes control.</dd>
-  <dt>syslog=daemon.error</dt>
-    <dd>Used in messages to the system logging daemon (syslogd) to specify
-      what type of software is sending the messages. If the settings are
-      "daemon.error" as in our example, then syslogd treats the messages as
-      error messages from a daemon.
-      <p>Note that <a href="glossary.html#Pluto">Pluto</a> does not currently
-      pay attention to this variable. The variable controls setup messages
-      only.</p>
-    </dd>
-  <dt>klipsdebug=</dt>
-    <dd>Debug settings for <a href="glossary.html#KLIPS">KLIPS</a>.</dd>
-  <dt>plutodebug=</dt>
-    <dd>Debug settings for <a href="glossary.html#Pluto">Pluto</a>.</dd>
-  <dt>... for both the above DEBUG settings</dt>
-    <dd>Normally, leave empty as shown above for no debugging output.<br>
-      Use "all" for maximum information.<br>
-      See ipsec_klipsdebug(8) and ipsec_pluto(8) man page for other options.
-      Beware that if you set /etc/ipsec.conf to enable debug output, your
-      system's log files may get large quickly.</dd>
-  <dt>dumpdir=/safe/directory</dt>
-    <dd>Normally, programs started by ipsec setup don't crash. If they do, by
-      default, no core dump will be produced because such dumps would contain
-      secrets. If you find you need to debug such crashes, you can set
-      dumpdir to the name of a directory in which to collect the core
-    file.</dd>
-  <dt>manualstart=</dt>
-    <dd>List of manually keyed connections to be automatically started at
-      boot time. Useful for testing, but not for long term use. Connections
-      which are automatically started should also be automatically
-    re-keyed.</dd>
-  <dt>pluto=yes</dt>
-    <dd>Whether to start <a href="glossary.html#Pluto">Pluto</a> when ipsec
-      startup is done.<br>
-      This parameter is optional and defaults to "yes" if not present.
-      <p>"yes" is strongly recommended for production use so that the keying
-      daemon (Pluto) will automatically re-key the connections regularly. The
-      ipsec-auto parameters ikelifetime, ipseclifetime and reykeywindow give
-      you control over frequency of rekeying.</p>
-    </dd>
-  <dt>plutoload="reno-van reno-adam reno-nyc"</dt>
-    <dd>List of tunnels (by name, e.g. fred-susan or reno-van in our
-      examples) to be loaded into Pluto's internal database at startup. In
-      this example, Pluto loads three tunnels into its database when it is
-      started.
-      <p>If plutoload is "%search", Pluto will load any connections whose
-      description includes "auto=add" or "auto=start".</p>
-    </dd>
-  <dt>plutostart="reno-van reno-adam reno-nyc"</dt>
-    <dd>List of tunnels to attempt to negotiate when Pluto is started.
-      <p>If plutostart is "%search", Pluto will start any connections whose
-      description includes "auto=start".</p>
-      <p>Note that, for a connection intended to be permanent, <strong>both
-      gateways should be set try to start</strong> the tunnel. This allows
-      quick recovery if either gateway is rebooted or has its IPsec
-      restarted. If only one gateway is set to start the tunnel and the other
-      gateway restarts, the tunnel may not be rebuilt.</p>
-    </dd>
-  <dt>plutowait=no</dt>
-    <dd>Controls whether Pluto waits for one tunnel to be established before
-      starting to negotiate the next. You might set this to "yes"
-      <ul>
-        <li>if your gateway is a very limited machine and you need to
-          conserve resources.</li>
-        <li>for debugging; the logs are clearer if only one connection is
-          brought up at a time</li>
-      </ul>
-      For a busy and resource-laden production gateway, you likely want "no"
-      so that connections are brought up in parallel and the whole process
-      takes less time.</dd>
-</dl>
-
-<p>The example assumes you are at the Reno office and will use IPsec to
-Vancouver, New York City and Amsterdam.</p>
-
-<h2><a name="multitunnel">Multiple tunnels between the same two
-gateways</a></h2>
-
-<p>Consider a pair of subnets, each with a security gateway, connected via
-the Internet:</p>
-<pre>         192.168.100.0/24           left subnet
-              |
-         192.168.100.1
-         North Gateway
-         101.101.101.101            left
-              |
-         101.101.101.1              left next hop
-         [Internet]
-         202.202.202.1              right next hop
-              |
-         202.202.202.202            right
-         South gateway
-         192.168.200.1
-              |
-         192.168.200.0/24           right subnet</pre>
-
-<p>A tunnel specification such as:</p>
-<pre>conn northnet-southnet
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      leftsubnet=192.168.100.0/24
-      leftfirewall=yes
-      right=202.202.202.202
-      rightnexthop=202.202.202.1
-      rightsubnet=192.168.200.0/24
-      rightfirewall=yes</pre>
-will allow machines on the two subnets to talk to each other. You might test
-this by pinging from polarbear (192.168.100.7) to penguin (192.168.200.5).
-
-<p>However, <strong>this does not cover other traffic you might want to
-secure</strong>. To handle all the possibilities, you might also want these
-connection descriptions:</p>
-<pre>conn northgate-southnet
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      right=202.202.202.202
-      rightnexthop=202.202.202.1
-      rightsubnet=192.168.200.0/24
-      rightfirewall=yes
-
-conn northnet-southgate
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      leftsubnet=192.168.100.0/24
-      leftfirewall=yes
-      right=202.202.202.202
-      rightnexthop=202.202.202.1</pre>
-
-<p>Without these, neither gateway can do IPsec to the remote subnet. There is
-no IPsec tunnel or eroute set up for the traffic.</p>
-
-<p>In our example, with the non-routable 192.168.* addresses used, packets
-would simply be discarded. In a different configuration, with routable
-addresses for the remote subnet, <strong>they would be sent
-unencrypted</strong> since there would be no IPsec eroute and there would be
-a normal IP route.</p>
-
-<p>You might also want:</p>
-<pre>conn northgate-southgate
-      left=101.101.101.101
-      leftnexthop=101.101.101.1
-      right=202.202.202.202
-      rightnexthop=202.202.202.1</pre>
-
-<p>This is required if you want the two gateways to speak IPsec to each
-other.</p>
-
-<p>This requires a lot of duplication of details.  Judicious use of
-<var>also=</var> and <var>include</var> can reduce this problem.</p>
-
-<p>Note that, while FreeS/WAN supports all four tunnel types, not all
-implementations do. In particular, some versions of Windows 2000 and the
-freely downloadable version of PGP provide only "client" functionality. You
-cannot use them as gateways with a subnet behind them. To get that
-functionality, you must upgrade to Windows 2000 server or the commercially
-available PGP products.</p>
-
-<h3><a name="advroute">One tunnel plus advanced routing</a></h3>
-It is also possible to use the new routing features in 2.2 and later kernels
-to avoid most needs for multple tunnels. Here is one mailing list message on
-the topic:
-<pre>Subject: Re: linux-ipsec: IPSec packets not entering tunnel?
-   Date: Mon, 20 Nov 2000
-   From: Justin Guyett &lt;jfg@sonicity.com&gt;
-
-On Mon, 20 Nov 2000, Claudia Schmeing wrote:
-
-&gt; Right                                                         Left
-&gt;                      "home"                "office"
-&gt; 10.92.10.0/24 ---- 24.93.85.110 ========= 216.175.164.91 ---- 10.91.10.24/24
-&gt;
-&gt; I've created all four tunnels, and can ping to test each of them,
-&gt; *except* homegate-officenet.
-
-I keep wondering why people create all four tunnels.  Why not route
-traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
-And 99% of the time you don't need to access "office" directly, which
-means you can eliminate all but the subnet&lt;-&gt;subnet connection.</pre>
-and FreeS/WAN technical lead Henry Spencer's comment:
-<pre>&gt; I keep wondering why people create all four tunnels.  Why not route
-&gt; traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
-
-This is feasible, given some iproute2 attention to source addresses, but
-it isn't something we've documented yet... (partly because we're still
-making some attempt to support 2.0.xx kernels, which can't do this, but
-mostly because we haven't caught up with it yet).
-
-&gt; And 99% of the time you don't need to access "office" directly, which
-&gt; means you can eliminate all but the subnet&lt;-&gt;subnet connection.
-
-Correct in principle, but people will keep trying to ping to or from the
-gateways during testing, and sometimes they want to run services on the
-gateway machines too.</pre>
-
-
-<!-- Is this in the right spot in this document? -->
-<H2><A name="opp.gate">An Opportunistic Gateway</A></H2>
-                                                                                
-<H3>Start from full opportunism</H3>
-                                                                                
-<P>Full opportunism
-allows you to initiate and receive opportunistic connections on your
-machine. The remaining instructions in this section assume
-you have first set up full opportunism on your gateway using
-<A HREF="quickstart.html#opp.incoming">these instructions</A>.
-Both sets of instructions require mailing DNS records to your ISP. Collect
-DNS records for both the gateway (above) and the
-subnet nodes (below) before contacting your ISP.</P>
-                                                                                
-                                                                                
-<H3>Reverse DNS TXT records for each protected machine</H3>
-                                                                                
-<P>You need these so that your Opportunistic peers can:
-<UL>
-<LI>discover the gateway's address, knowing only the IP address
- that packets are bound for</LI>
-<LI>verify that the gateway is authorised to encrypt for that endpoint</LI>
-</UL>
-                                                                                
-<P>On the gateway, generate a TXT record with:
-<PRE>    ipsec showhostkey --txt 192.0.2.11</PRE>
-<P>Use your gateway address in place of 192.0.2.11.</P>
-                                                                                
-<P>You should see (keys are trimmed for clarity throughout our example):</P>
-<PRE>    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-                                                                                
-<P><B>This MUST BE the same key as in your gateway's TXT record, or nothing
-will work.</B></P>
-                                                                                
-<P>In a text file, make one copy of this TXT record for each subnet
-  node:</P>
-<PRE>    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-                                                                                
-<P>Above each entry, insert a line like this:</P>
-<PRE>    98.2.0.192.in-addr.arpa. IN PTR arthur.example.com.</PRE>
-                                                                                
-<P>It must include:</P>
-<UL>
-<LI>The subnet node's address in reverse map format. For example, 192.0.2.120
-becomes <VAR>120.2.0.192.in-addr.arpa.</VAR>.  Note the final period.</LI>
-<LI><VAR>IN PTR</VAR></LI>
-<LI>The node's name, ie. <VAR>arthur.example.com.</VAR>. Note
-the final period.</LI>
-</UL>
-                                                                                
-<P>The result will be a file of TXT records, like this:</P>
-<PRE>    98.2.0.192.in-addr.arpa. IN PTR arthur.example.com.
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    99.2.0.192.in-addr.arpa. IN PTR ford.example.com.
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;
-                                                                                
-    100.2.0.192.in-addr.arpa. IN PTR trillian.example.com.
-    ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-                                                                                
-                                                                                
-<H3>Publish your records</H3>
-                                                                                
-<P>Ask your ISP to publish all the reverse DNS records you have collected.
-There may be a delay of up to 48 hours as the records propagate.</P>
-                                                                                
-                                                                                
-<H3>...and test them</H3>
-                                                                                
-<P>Check a couple of records with commands like this one:</P>
-                                                                                
-<PRE>    ipsec verify --host ford.example.com
-    ipsec verify --host trillian.example.com</PRE>
-                                                                                
-<P>The <var>verify</var> command checks for TXT records for both the
-subnet host and its gateway. You should see output like:</P>
-<PRE>    ...
-    Looking for TXT in reverse map: 99.2.0.192.in-addr.arpa [OK]
-    ...
-    Looking for TXT in reverse map: 11.2.0.192.in-addr.arpa   [OK]
-    ...
-    Looking for TXT in reverse map: 100.2.0.192.in-addr.arpa [OK]
-    ...
-    Looking for TXT in reverse map: 11.2.0.192.in-addr.arpa   [OK]
-    ...</PRE>
-<H3>No Configuration Needed</H3>
-                                                                                
-<P>FreeS/WAN 2.x ships with a built-in, automatically
-enabled OE connection <VAR>conn packetdefault</VAR>
-which applies OE, if possible, to all outbound traffic routed
-through the FreeS/WAN box.
-                                                                                
-The
-<A HREF="manpage.d/ipsec.conf.5.html">ipsec.conf(5) manual</A>
-describes this connection in detail.
-While the effect is much the same as <VAR>private-or-clear</VAR>,
-the implementation is different: notably, it does not use policy
-groups.</P>
-                                                                                
-<P>You can create more complex OE configurations
-for traffic forwarded through a FreeS/WAN box, as explained in our
-<A HREF="policygroups.html#policygroups">policy groups document</A>,
-or disable OE using
-<A HREF="policygroups.html#disable_policygroups">these instructions</A>.</P>
-
-
-
-<h2><a name="extruded.config">Extruded Subnets</a></h2>
-
-<p>What we call <a href="glossary.html#extruded">extruded subnets</a> are a
-special case of <a href="glossary.html#VPN.gloss">VPNs</a>.</p>
-
-<p>If your buddy has some unused IP addresses, in his subnet far off at the
-other side of the Internet, he can loan them to you... provided that the
-connection between you and him is fast enough to carry all the traffic
-between your machines and the rest of the Internet.  In effect, he "extrudes"
-a part of his address space over the network to you, with your Internet
-traffic appearing to originate from behind his Internet gateway.</p>
-
-<p>As far as the Internet is concerned, your new extruded net is behind your
-buddy's gateway. You route all your packets for the Internet at large
-out his gateway, and receive return packets the same way. You route your
-local packets locally.</p>
-
-<p>Suppose your friend has a.b.c.0/24 and wants to give you a.b.c.240/28. The
-initial situation is:</p>
-<pre>    subnet           gateway          Internet
-  a.b.c.0/24    a.b.c.1    p.q.r.s</pre>
-where anything from the Internet destined for any machine in a.b.c.0/24 is
-routed via p.q.r.s and that gateway knows what to do from there.
-
-<p>Of course it is quite normal for various smaller subnets to exist behind
-your friend's gateway. For example, your friend's company might have
-a.b.c.16/28=development, a.b.c.32/28=marketing and so on. The Internet
-neither knows not cares about this; it just delivers packets to the p.q.r.s
-and lets the gateway do whatever needs to be done from there.</p>
-
-<p>What we want to do is take a subnet, perhaps a.b.c.240/28, out of your
-friend's physical location <em>while still having your friend's gateway route
-to it</em>. As far as the Internet is concerned, you remain behind that
-gateway.</p>
-<pre>    subnet           gateway          Internet       your gate  extruded
-
-  a.b.c.0/24   a.b.c.1     p.q.r.s              d.e.f.g         a.b.c.240/28                
-
-                           ========== tunnel ==========</pre>
-
-<p>The extruded addresses have to be a complete subnet.</p>
-
-<p>In our example, the friend's security gateway is also his Internet
-gateway, but this is not necessary. As long as all traffic from the Internet
-to his addresses passes through the Internet gate, the security gate could be
-a machine behind that. The IG would need to route all traffic for the
-extruded subnet to the SG, and the SG could handle the rest.</p>
-
-<p>First, configure your subnet using the extruded addresses.  Your security
-gateway's interface to your subnet needs to have an extruded address
-(possibly using a Linux <a href="glossary.html#virtual">virtual
-interface</a>, if it also has to have a different address). Your gateway
-needs to have a route to the extruded subnet, pointing to that interface. The
-other machines at your site need to have addresses in that subnet, and
-default routes pointing to your gateway.</p>
-
-<p>If any of your friend's machines need to talk to the extruded subnet,
-<em>they</em> need to have a route for the extruded subnet, pointing at his
-gateway.</p>
-
-<p>Then set up an IPsec subnet-to-subnet tunnel between your gateway and his,
-with your subnet specified as the extruded subnet, and his subnet specified
-as "0.0.0.0/0".</p>
-
-<p>The tunnel description should be:</p>
-<pre>conn extruded
-        left=p.q.r.s
-        leftsubnet=0.0.0.0/0
-        right=d.e.f.g
-        rightsubnet=a.b.c.0/28</pre>
-
-<p>If either side was doing firewalling for the extruded subnet before the
-IPsec connection is set up, you'll need to poke holes in your
-<A HREF="firewall.html#firewall">firewall</A> to allow packets through.
-</p>
-
-<p>And it all just works.  Your SG routes traffic for 0.0.0.0/0 -- that is,
-the whole Internet -- through the tunnel to his SG, which then sends it
-onward as if it came from his subnet.  When traffic for the extruded subnet
-arrives at his SG, it gets sent through the tunnel to your SG, which passes
-it to the right machine.</p>
-
-<p>Remember that when ipsec_manual or ipsec_auto takes a connection down, it
-<em>does not undo the route</em> it made for that connection. This lets you
-take a connection down and bring up a new one, or a modified version of the
-old one, without having to rebuild the route it uses and without any risk of
-packets which should use IPsec accidentally going out in the clear. Because
-the route always points into KLIPS, the packets will always go there. Because
-KLIPS temporarily has no idea what to do with them (no eroute for them), they
-will be discarded.</p>
-
-<p>If you <em>do</em> want to take the route down, this is what the "unroute"
-operation in manual and auto is for.  Just do an unroute after doing the
-down.</p>
-
-<p>Note that the route for a connection may have replaced an existing
-non-IPsec route. Nothing in Linux FreeS/WAN will put that pre-IPsec route
-back. If you need it back, you have to create it with the route command.</p>
-
-<h2><a name="roadvirt">Road Warrior with virtual IP address</a></h2>
-
-<p>Please note that <A HREF="http://www.freeswan.ca/download.php">Super
-FreeS/WAN</A> now features DHCP-over-IPsec, which is an alternate procedure 
-for Virtual IP address assignment.
-<p>
-
-<p>Here is a mailing list message about another way to configure for road
-warrior support:</p>
-<pre>Subject: Re: linux-ipsec: understanding the vpn
-   Date: Thu, 28 Oct 1999 10:43:22 -0400
-   From: Irving Reid &lt;irving@nevex.com&gt;
-
-&gt;  local-------linux------internet------mobile
-&gt;  LAN        box                         user
-&gt;  ...
-
-&gt;  now when the mobile user connects to the linux box
-&gt;  it is given a virtual IP address, i have configured it to
-&gt;  be in the 10.x.x.x range. mobile user and linux box 
-&gt;  have a tunnel between them with these IP addresses.
-
-&gt;   Uptil this all is fine.
-
-If it is possible to configure your mobile client software *not* to
-use a virtual IP address, that will make your life easier. It is easier
-to configure FreeS/WAN to use the actual address the mobile user gets
-from its ISP.
-
-Unfortunately, some Windows clients don't let you choose.
-
-&gt;  what i would like to know is that how does the mobile
-&gt;  user communicate with other computers on the local
-&gt;  LAN , of course with the vpn ?
-
-&gt;   what IP address should the local LAN 
-&gt;  computers have ? I guess their default gateway 
-&gt;  should be the linux box ? and does the linux box need
-&gt;  to be a 2 NIC card box or one is fine.
-
-As someone else stated, yes, the Linux box would usually be the default
-IP gateway for the local lan.
-
-However...
-
-If you mobile user has software that *must* use a virtual IP address,
-the whole picture changes. Nobody has put much effort into getting
-FreeS/WAN to play well in this environment, but here's a sketch of one
-approach:
-
-Local Lan 1.0.0.0/24
-    |
-    +- Linux FreeS/WAN 1.0.0.2
-    |
-    | 1.0.0.1
- Router
-    | 2.0.0.1
-    |
-Internet
-    |
-    | 3.0.0.1
-Mobile User
-      Virtual Address: 1.0.0.3
-
-Note that the Local Lan network (1.0.0.x) can be registered, routable
-addresses.
-
-Now, the Mobile User sets up an IPSec security association with the
-Linux box (1.0.0.2); it should ESP encapsulate all traffic to the
-network 1.0.0.x **EXCEPT** UDP port 500. 500/udp is required for the key
-negotiation, which needs to work outside of the IPSec tunnel.
-
-On the Linux side, there's a bunch of stuff you need to do by hand (for
-now). FreeS/WAN should correctly handle setting up the IPSec SA and
-routes, but I haven't tested it so this may not work...
-
-The FreeS/WAN conn should look like:
-
-conn mobile
-        right=1.0.0.2
-        rightsubnet=1.0.0.0/24
-        rightnexthop=1.0.0.1
-        left=0.0.0.0  # The infamous "road warrior"
-        leftsubnet=1.0.0.3/32
-
-Note that the left subnet contains *only* the remote host's virtual
-address.
-
-Hopefully the routing table on the FreeS/WAN box ends up looking like
-this:
-
-% netstat -rn
-Kernel IP routing table
-Destination     Gateway      Genmask         Flags   MSS Window  irtt Iface
-1.0.0.0         0.0.0.0      255.255.255.0   U      1500 0          0 eth0
-127.0.0.0       0.0.0.0      255.0.0.0       U      3584 0          0 lo
-0.0.0.0         1.0.0.1      0.0.0.0         UG     1500 0          0 eth0
-1.0.0.3         1.0.0.1      255.255.255.255 UG     1433 0          0 ipsec0
-
-So, if anybody sends a packet for 1.0.0.3 to the Linux box, it should
-get bundled up and sent through the tunnel. To get the packets for
-1.0.0.3 to the Linux box in the first place, you need to use "proxy
-ARP".
-
-How this works is: when a host or router on the local Ethernet segment
-wants to send a packet to 1.0.0.3, it sends out an Ethernet level
-broadcast "ARP request". If 1.0.0.3 was on the local LAN, it would
-reply, saying "send IP packets for 1.0.0.3 to my Ethernet address".
-
-Instead, you need to set up the Linux box so that _it_ answers ARP
-requests for 1.0.0.3, even though that isn't its IP address. That
-convinces everyone else on the lan to send 1.0.0.3 packets to the Linux
-box, where the usual FreeS/WAN processing and routing take over.
-
-% arp -i eth0 -s 1.0.0.3 -D eth0 pub
-
-This says, if you see an ARP request on interface eth0 asking for
-1.0.0.3, respond with the Ethernet address of interface eth0.
-
-Now, as I said at the very beginning, if it is *at all* possible to
-configure your client *not* to use the virtual IP address, you can avoid
-this whole mess.</pre>
-
-<h2><a name="dynamic">Dynamic Network Interfaces</a></h2>
-
-<p>Sometimes you have to cope with a situation where the network interface(s)
-aren't all there at boot. The common example is notebooks with PCMCIA.</p>
-
-<h3><a name="basicdyn">Basics</a></h3>
-
-<p>The key issue here is that the <var>config setup</var> section of the
-<var>/etc/ipsec.conf</var> configuration file lists the connection between
-ipsecN and hardware interfaces, in the <var>interfaces=</var> variable. At
-any time when <var>ipsec setup start</var> or <var>ipsec setup restart</var>
-is run this variable <strong>must</strong> correspond to the current real
-situation. More precisely, it <strong>must not</strong> mention any hardware
-interfaces which don't currently exist. The difficulty is that an <var>ipsec
-setup start</var> command is normally run at boot time so interfaces that are
-not up then are mis-handled.</p>
-
-<h3><a name="bootdyn">Boot Time</a></h3>
-
-<p>Normally, an <var>ipsec setup start</var> is run at boot time. However, if
-the hardware situation at boot time is uncertain, one of two things must be
-done.</p>
-<ul>
-  <li>One possibility is simply not to have IPsec brought up at boot time. To
-    do this:
-    <pre>        chkconfig --level 2345 ipsec off</pre>
-    That's for modern Red Hats or other Linuxes with chkconfig. Systems which
-    lack this will require fiddling with symlinks in /etc/rc.d/rc?.d or the
-    equivalent.</li>
-  <li>Another possibility is to bring IPsec up with no interfaces, which is
-    less aesthetically satisfying but simpler.  Just put
-    <pre>        interfaces=</pre>
-    in the configuration file.  KLIPS and Pluto will be started, but won't do
-    anything.</li>
-</ul>
-
-<h3><a name="changedyn">Change Time</a></h3>
-
-<p>When the hardware *is* in place, IPsec has to be made aware of it. Someday
-there may be a nice way to do this.</p>
-
-<p>Right now, the way to do it is to fix the <var>/etc/ipsec.conf</var> file
-appropriately, so <var>interfaces</var> reflects the new situation, and then
-restart the IPsec subsystem. This does break any existing IPsec
-connections.</p>
-
-<p>If IPsec wasn't brought up at boot time, do</p>
-<pre>        ipsec setup start</pre>
-while if it was, do
-<pre>        ipsec setup restart</pre>
-which won't be as quick.
-
-<p>If some of the hardware is to be taken out, before doing that, amend the
-configuration file so interfaces no longer includes it, and do</p>
-<pre>        ipsec setup restart</pre>
-
-<p>Again, this breaks any existing connections.</p>
-
-<h2><a name="unencrypted">Unencrypted tunnels</a></h2>
-
-<p>Sometimes you might want to create a tunnel without encryption. Often this
-is a bad idea, even if you have some data which need not be private. See this
-<a href="ipsec.html#traffic.resist">discussion</a>.</p>
-
-<p>The IPsec protocols provide two ways to do build such tunnels:</p>
-<dl>
-  <dt>using ESP with null encryption</dt>
-    <dd>not supported by FreeS/WAN</dd>
-  <dt>using <a href="glossary.html#AH">AH</a> without <a
-  href="glossary.html#ESP">ESP</a></dt>
-    <dd>supported for manually keyed connections</dd>
-    <dd>possible with explicit commands via <a
-      href="manpage.d/ipsec_whack.8.html">ipsec_whack(8)</a> (see this <a
-      href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00190.html">list
-      message</a>)</dd>
-    <dd>not supported in the <a
-      href="manpage.d/ipsec_auto.8.html">ipsec_auto(8)</a> scripts.</dd>
-</dl>
-One situation in which this comes up is when otherwise some data would be
-encrypted twice. Alice wants a secure tunnel from her machine to Bob's. Since
-she's behind one security gateway and he's behind another, part of the tunnel
-that they build passes through the tunnel that their site admins have built
-between the gateways. All of Alice and Bob's messages are encrypted twice.
-
-<p>There are several ways to handle this.</p>
-<ul>
-  <li>Just accept the overhead of double encryption. The site admins might
-    choose this if any of the following apply:
-    <ul>
-      <li>policy says encrypt everything (usually, it should)</li>
-      <li>they don't entirely trust Alice and Bob (usually, if they don't
-        have to, they shouldn't)</li>
-      <li>if they don't feel the saved cycles are worth the time they'd need
-        to build a non-encrypted tunnel for Alice and Bob's packets (often,
-        they aren't)</li>
-    </ul>
-  </li>
-  <li>Use a plain IP-in-IP tunnel. These are not well documented. A good
-    starting point is in the Linux kernel source tree, in
-    /usr/src/linux/drivers/net/README.tunnel.</li>
-  <li>Use a manually-keyed AH-only tunnel.</li>
-</ul>
-
-<p>Note that if Alice and Bob want end-to-end security, they must build a
-tunnel end-to-end between their machines or use some other end-to-end tool
-such as PGP or SSL that suits their data. The only question is whether the
-admins build some special unencrypted tunnel for those already-encrypted
-packets.</p>
-</body>
-</html>
diff --git a/doc/src/background.html b/doc/src/background.html
deleted file mode 100644
index e25b9da03..000000000
--- a/doc/src/background.html
+++ /dev/null
@@ -1,376 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN background</title>
-  <meta name="keywords" content="Linux, IPSEC, VPN, security, FreeSWAN">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: background.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="background">Linux FreeS/WAN background</a></h1>
-
-<p>This section discusses a number of issues which have three things in
-common:</p>
-<ul>
-  <li>They are not specifically FreeS/WAN problems</li>
-  <li>You may have to understand them to get FreeS/WAN working right</li>
-  <li>They are not simple questions</li>
-</ul>
-
-<p>Grouping them here lets us provide the explanations some users will need
-without unduly complicating the main text.</p>
-
-<p>The explanations here are intended to be adequate for FreeS/WAN purposes
-(please comment to the <a href="mail.html">users mailing list</a> if you
-don't find them so), but they are not trying to be complete or definitive. If
-you need more information, see the references provided in each section.</p>
-
-<h2><a name="dns.background">Some DNS background</a></h2>
-
-<p><a href="glossary.html#carpediem">Opportunistic encryption</a> requires
-that the gateway systems be able to fetch public keys, and other
-IPsec-related information, from each other's DNS (Domain Name Service)
-records.</p>
-
-<p><a href="glossary.html#DNS">DNS</a> is a distributed database that maps
-names to IP addresses and vice versa.</p>
-
-<p>Much good reference material is available for DNS, including:</p>
-<ul>
-  <li>the <a href="http://www.linuxdoc.org/HOWTO/DNS-HOWTO.html">DNS
-  HowTo</a></li>
-  <li>the standard <a href="biblio.html#DNS.book">DNS reference</a> book</li>
-  <li><a href="http://www.linuxdoc.org/LDP/nag2/index.html">Linux Network
-    Administrator's Guide</a></li>
-  <li><a
-    href="http://www.nominum.com/resources/whitepapers/bind-white-paper.html">BIND
-    overview</a></li>
-  <li><a
-    href="http://www.nominum.com/resources/documentation/Bv9ARM.pdf">BIND 9
-    Administrator's Reference</a></li>
-</ul>
-
-<p>We give only a brief overview here, intended to help you use DNS for
-FreeS/WAN purposes.</p>
-
-<h3><a name="forward.reverse">Forward and reverse maps</a></h3>
-
-<p>Although the implementation is distributed, it is often useful to speak of
-DNS as if it were just two enormous tables:</p>
-<ul>
-  <li>the forward map: look up a name, get an IP address</li>
-  <li>the reverse map: look up an IP address, get a name</li>
-</ul>
-
-<p>Both maps can optionally contain additional data. For opportunistic
-encryption, we insert the data need for IPsec authentication.</p>
-
-<p>A system named gateway.example.com with IP address 10.20.30.40 should have
-at least two DNS records, one in each map:</p>
-<dl>
-  <dt>gateway.example.com. IN A 10.20.30.40</dt>
-    <dd>used to look up the name and get an IP address</dd>
-  <dt>40.30.20.10.in-addr.arpa. IN PTR gateway.example.com.</dt>
-    <dd>used for reverse lookups, looking up an address to get the associated
-      name. Notice that the digits here are in reverse order; the actual
-      address is 10.20.30.40 but we use 40.30.20.10 here.</dd>
-</dl>
-
-<h3>Hierarchy and delegation</h3>
-
-<p>For both maps there is a hierarchy of DNS servers and a system of
-delegating authority so that, for example:</p>
-<ul>
-  <li>the DNS administrator for example.com can create entries of the form
-    <var>name</var>.example.com</li>
-  <li>the example.com admin cannot create an entry for counterexample.com;
-    only someone with authority for .com can do that</li>
-  <li>an admin might have authority for 20.10.in-addr.arpa.</li>
-  <li>in either map, authority can be delegated
-    <ul>
-      <li>the example.com admin could give you authority for
-        westcoast.example.com</li>
-      <li>the 20.10.in-addr.arpa admin could give you authority for
-        30.20.10.in-addr.arpa</li>
-    </ul>
-  </li>
-</ul>
-
-<p>DNS zones are the units of delegation. There is a hierarchy of zones.</p>
-
-<h3>Syntax of DNS records</h3>
-
-<p>Returning to the example records:</p>
-<pre>        gateway.example.com. IN A 10.20.30.40
-        40.30.20.10.in-addr.arpa. IN PTR gateway.example.com.</pre>
-
-<p>some syntactic details are:</p>
-<ul>
-  <li>the IN indicates that these records are for <strong>In</strong>ternet
-    addresses</li>
-  <li>The final periods in '.com.' and '.arpa.' are required. They indicate
-    the root of the domain name system.</li>
-</ul>
-
-<p>The capitalised strings after IN indicate the type of record. Possible
-types include:</p>
-<ul>
-  <li><strong>A</strong>ddress, for forward lookups</li>
-  <li><strong>P</strong>oin<strong>T</strong>e<strong>R</strong>, for reverse
-    lookups</li>
-  <li><strong>C</strong>anonical <strong>NAME</strong>, records to support
-    aliasing, multiple names for one address</li>
-  <li><strong>M</strong>ail e<strong>X</strong>change, used in mail
-  routing</li>
-  <li><strong>SIG</strong>nature, used in <a href="glossary.html#SDNS">secure
-    DNS</a></li>
-  <li><strong>KEY</strong>, used in <a href="glossary.html#SDNS">secure
-    DNS</a></li>
-  <li><strong>T</strong>e<strong>XT</strong>, a multi-purpose record type</li>
-</ul>
-
-<p>To set up for opportunistic encryption, you add some TXT records
-to your DNS data. Details are in our <a href="quickstart.html">quickstart</a>
-document.</p>
-
-<h3>Cacheing, TTL and propagation delay</h3>
-
-<p>DNS information is extensively cached. With no caching, a lookup by your
-system of "www.freeswan.org" might involve:</p>
-<ul>
-  <li>your system asks your nameserver for "www.freeswan.org"</li>
-  <li>local nameserver asks root server about ".org", gets reply</li>
-  <li>local nameserver asks .org nameserver about "freeswan.org", gets
-  reply</li>
-  <li>local nameserver asks freeswan.org nameserver about "www.freeswan.org",
-    gets reply</li>
-</ul>
-
-<p>However, this can be a bit inefficient. For example, if you are in the
-Phillipines, the closest a root server is in Japan. That might send you to a
-.org server in the US, and then to freeswan.org in Holland. If everyone did
-all those lookups every time they clicked on a web link, the net would grind
-to a halt.</p>
-
-<p>Nameservers therefore cache information they look up. When you click on
-another link at www.freeswan.org, your local nameserver has the IP address
-for that server in its cache, and no further lookups are required. </p>
-
-<p>Intermediate results are also cached. If you next go to
-lists.freeswan.org, your nameserver can just ask the freeswan.org nameserver
-for that address; it does not need to query the root or .org nameservers
-because it has a cached address for the freeswan.org zone server.</p>
-
-<p>Of course, like any cacheing mechanism, this can create problems of
-consistency. What if the administrator for freeswan.org changes the IP
-address, or the authentication key, for www.freeswan.org? If you use old
-information from the cache, you may get it wrong. On the other hand, you
-cannot afford to look up fresh information every time. Nor can you expect the
-freeswan.org server to notify you; that isn't in the protocols.</p>
-
-<p>The solution that is in the protocols is fairly simple. Cacheable records
-are marked with Time To Live (TTL) information. When the time expires, the
-caching server discards the record. The next time someone asks for it, the
-server fetches a fresh copy. Of course, a server may also discard records
-before their TTL expires if it is running out of cache space.</p>
-
-<p>This implies that there will be some delay before the new version of a
-changed record propagates around the net. Until the TTLs on all copies of the
-old record expire, some users will see it because that is what is in their
-cache. Other users may see the new record immediately because they don't have
-an old one cached.</p>
-
-<h2><a name="MTU.trouble">Problems with packet fragmentation</a></h2>
-
-<p>It seems, from mailing list reports, to be moderately common for problems
-to crop up in which small packets pass through the IPsec tunnels just fine
-but larger packets fail.</p>
-
-<p>These problems are caused by various devices along the way mis-handling
-either packet fragments or <a href="glossary.html#pathMTU">path MTU
-discovery</a>.</p>
-
-<p>IPsec makes packets larger by adding an ESP or AH header. This can tickle
-assorted bugs in fragment handling in routers and firewalls, or in path MTU
-discovery mechanisms, and cause a variety of symptoms which are both annoying
-and, often, quite hard to diagnose.</p>
-
-<p>An explanation from project technical lead Henry Spencer:</p>
-<pre>The problem is IP fragmentation; more precisely, the problem is that the
-second, third, etc. fragments of an IP packet are often difficult for
-filtering mechanisms to classify.
-
-Routers cannot rely on reassembling the packet, or remembering what was in
-earlier fragments, because the fragments may be out of order or may even
-follow different routes.  So any general, worst-case filtering decision
-pretty much has to be made on each fragment independently.  (If the router
-knows that it is the only route to the destination, so all fragments
-*must* pass through it, reassembly would be possible... but most routers
-don't want to bother with the complications of that.)
-
-All fragments carry roughly the original IP header, but any higher-level
-header is (for IP purposes) just the first part of the packet data... so
-only the first fragment carries that.  So, for example, on examining the
-second fragment of a TCP packet, you could tell that it's TCP, but not
-what port number it is destined for -- that information is in the TCP
-header, which appears in the first fragment only. 
-
-The result of this classification difficulty is that stupid routers and
-over-paranoid firewalls may just throw fragments away.  To get through
-them, you must reduce your MTU enough that fragmentation will not occur.
-(In some cases, they might be willing to attempt reassembly, but have very
-limited resources to devote to it, meaning that packets must be small and
-fragments few in number, leading to the same conclusion:  smaller MTU.)</pre>
-
-<p>In addition to the problem Henry describes, you may also have trouble with
-<a href="glossary.html#pathMTU">path MTU discovery</a>.</p>
-
-<p>By default, FreeS/WAN uses a large <a href="glossary.html#MTU">MTU</a> for
-the ipsec device. This avoids some problems, but may complicate others.
-Here's an explanation from Claudia:</p>
-<pre>Here are a couple of pieces of background information. Apologies if you
-have seen these already. An excerpt from one of my old posts:
-
-    An MTU of 16260 on ipsec0 is usual. The IPSec device defaults to this 
-    high MTU so that it does not fragment incoming packets before encryption 
-    and encapsulation. If after IPSec processing packets are larger than 1500,
-    [ie. the mtu of eth0] then eth0 will fragment them. 
-
-    Adding IPSec headers adds a certain number of bytes to each packet. 
-    The MTU of the IPSec interface refers to the maximum size of the packet
-    before the IPSec headers are added. In some cases, people find it helpful 
-    to set ipsec0's MTU to 1500-(IPSec header size), which IIRC is about 1430.
-
-    That way, the resulting encapsulated packets don't exceed 1500. On most 
-    networks, packets less than 1500 will not need to be fragmented.
-
-and... (from Henry Spencer)
-
-    The way it *ought* to work is that the MTU advertised by the ipsecN
-    interface should be that of the underlying hardware interface, less a
-    pinch for the extra headers needed. 
-
-    Unfortunately, in certain situations this breaks many applications.
-    There is a widespread implicit assumption that the smallest MTUs are 
-    at the ends of paths, not in the middle, and another that MTUs are 
-    never less than 1500.  A lot of code is unprepared to handle paths 
-    where there is an "interior minimum" in the MTU, especially when it's 
-    less than 1500. So we advertise a big MTU and just let the resulting 
-    big packets fragment.
-
-This usually works, but we do get bitten in cases where some intermediate
-point can't handle all that fragmentation.  We can't win on this one.</pre>
-
-<p>The MTU can be changed with an <var>overridemtu=</var> statement in the
-<var>config setup</var> section of <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf.5</a>.</p>
-
-<p>For a discussion of MTU issues and some possible solutions using Linux
-advanced routing facilities, see the <a
-href="http://www.linuxguruz.org/iptables/howto/2.4routing-15.html#ss15.6">Linux
-2.4 Advanced Routing HOWTO</a>.
-
-For a discussion of MTU and NAT (Network Address Translation), see
-<A HREF="http://harlech.math.ucla.edu/services/ipsec.html">James Carter's MTU
-notes</A>.</p>
-
-<h2><a name="nat.background">Network address translation (NAT)</a></h2>
-
-<p><strong>N</strong>etwork <strong>A</strong>ddress
-<strong>T</strong>ranslation is a service provided by some gateway machines.
-Calling it NAPT (adding the word  <strong>P</strong>ort) would be more
-precise, but we will follow the widespread usage.</p>
-
-<p>A gateway doing NAT rewrites the headers of packets it is forwarding,
-changing one or more of:</p>
-<ul>
-  <li>source address</li>
-  <li>source port</li>
-  <li>destination address</li>
-  <li>destination port</li>
-</ul>
-
-<p>On Linux 2.4, NAT services are provided by the <a
-href="http://netfilter.samba.org">netfilter(8)</a> firewall code. There are
-several <a
-href="http://netfilter.samba.org/documentation/index.html#HOWTO">Netfilter
-HowTos</a> including one on NAT.</p>
-
-<p>For older versions of Linux, this was referred to as "IP masquerade" and
-different tools were used. See this <a
-href="http://www.e-infomax.com/ipmasq/">resource page</a>.</p>
-
-<p>Putting an IPsec gateway behind a NAT gateway is not recommended. See our
-<a href="firewall.html#NAT">firewalls document</a>.</p>
-
-<h3>NAT to non-routable addresses</h3>
-
-<p>The most common application of NAT uses private <a
-href="glossary.html#non-routable">non-routable</a> addresses.</p>
-
-<p>Often a home or small office network will have:</p>
-<ul>
-  <li>one connection to the Internet</li>
-  <li>one assigned publicly visible IP address</li>
-  <li>several machines that all need access to the net</li>
-</ul>
-
-<p>Of course this poses a problem since several machines cannot use one
-address. The best solution might be to obtain more addresses, but often this
-is impractical or uneconomical.</p>
-
-<p>A common solution is to have:</p>
-<ul>
-  <li><a href="glossary.html#non-routable">non-routable</a> addresses on the
-    local network</li>
-  <li>the gateway machine doing NAT</li>
-  <li>all packets going outside the LAN rewritten to have the gateway as
-    their source address</li>
-</ul>
-
-<p>The client machines are set up with reserved <a
-href="#non-routable">non-routable</a> IP addresses defined in RFC 1918. The
-masquerading gateway, the machine with the actual link to the Internet,
-rewrites packet headers so that all packets going onto the Internet appear to
-come from one IP address, that of its Internet interface. It then gets all
-the replies, does some table lookups and more header rewriting, and delivers
-the replies to the appropriate client machines.</p>
-
-<p>As far as anyone else on the Internet is concerned, the systems behind the
-gateway are completely hidden. Only one machine with one IP address is
-visible.</p>
-
-<p>For IPsec on such a gateway, you can entirely ignore the NAT in:</p>
-<ul>
-  <li><a href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a></li>
-  <li>firewall rules affecting your Internet-side interface</li>
-</ul>
-
-<p>Those can be set up exactly as they would be if your gateway had no other
-systems behind it.</p>
-
-<p>You do, however, have to take account of the NAT in firewall rules which
-affect packet forwarding.</p>
-
-<h3>NAT to routable addresses</h3>
-
-<p>NAT to routable addresses is also possible, but is less common and may
-make for rather tricky routing problems. We will not discuss it here. See the
-<a href="http://netfilter.samba.org/documentation/index.html#HOWTO">Netfilter
-HowTos</a>.</p>
-</body>
-</html>
diff --git a/doc/src/biblio.html b/doc/src/biblio.html
deleted file mode 100644
index d84e4c2cb..000000000
--- a/doc/src/biblio.html
+++ /dev/null
@@ -1,354 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN bibliography</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, bibliography">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: biblio.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="biblio">Bibliography for the Linux FreeS/WAN project</a></h1>
-
-<p>For extensive bibliographic links, see the <a
-href="http://liinwww.ira.uka.de/bibliography/index.html">Collection of
-Computer Science Bibliographies</a></p>
-
-<p>See our <a href="web.html">web links</a> for material available online.</p>
-<hr>
-<a name="adams">Carlisle Adams and Steve Lloyd <cite>Understanding Public Key
-Infrastructure</cite><br>
-</a>Macmillan 1999 ISBN 1-57870-166-x
-
-<p>An overview, mainly concentrating on policy and strategic issues rather
-than the technical details. Both authors work for <a
-href="glossary.html#PKI">PKI</a> vendor <a
-href="http://www.entrust.com/">Entrust</a>.</p>
-<hr>
-<a name="DNS.book">Albitz, Liu &amp; Loukides <cite>DNS &amp; BIND</cite> 3rd
-edition<br>
-</a> O'Reilly 1998 ISBN 1-56592-512-2
-
-<p>The standard reference on the <a href="glossary.html#DNS">Domain Name
-Service</a> and <a href="glossary.html#BIND">Berkeley Internet Name
-Daemon</a>.</p>
-<hr>
-<a name="anderson">Ross Anderson</a>, <cite>Security Engineering - a Guide to
-Building Dependable Distributed Systems</cite><br>
-Wiley, 2001, ISBN 0471389226
-
-<p>Easily the best book for the security professional I have seen.
-<strong>Highly recommended</strong>. See the <a
-href="http://www.cl.cam.ac.uk/~rja14/book.html">book web page</a>.</p>
-
-<p>This is quite readable, but Schneier's <a href="#secrets">Secrets and
-Lies</a> might be an easier introduction.</p>
-<hr>
-<a name="puzzle">Bamford <cite>The Puzzle Palace, A report on NSA, Americas's
-most Secret Agency</cite><br>
-Houghton Mifflin 1982 ISBN 0-395-31286-8</a>
-<hr>
-Bamford <cite>Body of Secrets</cite>
-
-<p>The sequel.</p>
-<hr>
-<a name="bander">David Bander</a>, <cite>Linux Security Toolkit</cite><br>
-IDG Books, 2000, ISBN: 0764546902
-
-<p>This book has a short section on FreeS/WAN and includes Caldera Linux on
-CD.</p>
-<hr>
-<a name="CZR">Chapman, Zwicky &amp; Russell</a>, <cite>Building Internet
-Firewalls</cite><br>
-O'Reilly 1995 ISBN 1-56592-124-0
-<hr>
-<a name="firewall.book">Cheswick and Bellovin</a> <cite>Firewalls and
-Internet Security: Repelling the Wily Hacker</cite><br>
-Addison-Wesley 1994 ISBN 0201633574
-
-<p>A fine book on firewalls in particular and security in general from two of
-AT&amp;T's system adminstrators.</p>
-
-<p>Bellovin has also done a number of <a href="web.html#papers">papers</a> on
-IPsec and co-authored a <a href="intro.html#applied">paper</a> on a large
-FreeS/WAN application.</p>
-<hr>
-<a name="comer">Comer <cite>Internetworking with TCP/IP</cite><br>
-Prentice Hall</a>
-<ul>
-  <li>Vol. I: Principles, Protocols, &amp; Architecture, 3rd Ed. 1995
-    ISBN:0-13-216987-8</li>
-  <li>Vol. II: Design, Implementation, &amp; Internals, 2nd Ed. 1994
-    ISBN:0-13-125527-4</li>
-  <li>Vol. III: Client/Server Programming &amp; Applications
-    <ul>
-      <li>AT&amp;T TLI Version  1994 ISBN:0-13-474230-3</li>
-      <li>BSD Socket Version 1996 ISBN:0-13-260969-X</li>
-      <li>Windows Sockets Version 1997 ISBN:0-13-848714-6</li>
-    </ul>
-  </li>
-</ul>
-
-<p>If you need to deal with the details of the network protocols, read either
-this series or the <a href="#stevens">Stevens and Wright</a> series before
-you start reading the RFCs.</p>
-<hr>
-<a name="diffie">Diffie and Landau</a> <cite>Privacy on the Line: The
-Politics of Wiretapping and Encryption</cite><br>
-MIT press 1998 ISBN 0-262-04167-7 (hardcover) or 0-262-54100-9<br>
-
-<hr>
-<a name="d_and_hark">Doraswamy and Harkins <cite>IP Sec: The New Security
-Standard for the Internet, Intranets and Virtual Private Networks</cite><br>
-Prentice Hall 1999 ISBN: 0130118982</a>
-<hr>
-<a name="EFF"> Electronic Frontier Foundation <cite>Cracking DES: Secrets of
-Encryption Research, Wiretap Politics and Chip Design</cite><br>
-</a> O'Reilly 1998 ISBN 1-56592-520-3
-
-<p>To conclusively demonstrate that DES is inadequate for continued use, the
-<a href="glossary.html#EFF">EFF</a> built a machine for just over $200,000
-that breaks DES encryption in under five days on average, under nine in the
-worst case.</p>
-
-<p>The book provides details of their design and, perhaps even more
-important, discusses why they felt the project was necessary. Recommended for
-anyone interested in any of the three topics mentioned in the subtitle.</p>
-
-<p>See also the <a href="http://www.eff.org/descracker.html"> EFF page on
-this project </a> and our discussion of <a
-href="politics.html#desnotsecure">DES insecurity</a>.</p>
-<hr>
-Martin Freiss <cite>Protecting Networks with SATAN</cite><br>
-O'Reilly 1998 ISBN 1-56592-425-8<br>
-translated from a 1996 work in German
-
-<p>SATAN is a Security Administrator's Tool for Analysing Networks. This book
-is a tutorial in its use.</p>
-<hr>
-Gaidosch and Kunzinger<cite> A Guide to Virtual Private Networks</cite><br>
-Prentice Hall 1999 ISBN: 0130839647
-<hr>
-<a name="Garfinkel">Simson Garfinkel</a> <cite>Database Nation: the death of
-privacy in the 21st century</cite><br>
-O'Reilly 2000 ISBN 1-56592-653-6
-
-<p>A thoughtful and rather scary book.</p>
-<hr>
-<a name="PGP">Simson Garfinkel</a> <cite>PGP: Pretty Good Privacy</cite><br>
-O'Reilly 1995 ISBN 1-56592-098-8
-
-<p>An excellent introduction and user manual for the <a
-href="glossary.html#PGP">PGP</a> email-encryption package.  PGP is a good
-package with a complex and poorly-designed user interface. This book or one
-like it is a must for anyone who has to use it at length.</p>
-
-<p>The book covers using PGP in Unix, PC and Macintosh environments, plus
-considerable background material on both the technical and political issues
-around cryptography.</p>
-
-<p>The book is now seriously out of date. It does not cover recent
-developments such as commercial versions since PGP 5, the Open PGP standard
-or GNU PG..</p>
-<hr>
-<a name="practical">Garfinkel and Spafford</a> <cite>Practical Unix
-Security</cite><br>
-O'Reilly 1996 ISBN 1-56592-148-8
-
-<p>A standard reference.</p>
-
-<p>Spafford's web page has an excellent collection of<a
-href="http://www.cs.purdue.edu/coast/hotlist"> crypto and security
-links</a>.</p>
-<hr>
-<a name="Kahn">David Kahn</a> <cite>The Codebreakers: the Comprehensive
-History of Secret Communications from Ancient Times to the Internet</cite><br>
-second edition Scribner 1996 ISBN 0684831309
-
-<p>A history of codes and code-breaking from ancient Egypt to the 20th
-century. Well-written and exhaustively researched. <strong>Highly
-recommended</strong>, even though it does not have much on computer
-cryptography.</p>
-<hr>
-David Kahn <cite>Seizing the Enigma, The Race to Break the German U-Boat
-codes, 1939-1943</cite><br>
-Houghton Mifflin 1991 ISBN 0-395-42739-8
-<hr>
-<a name="kirch">Olaf Kirch</a> <cite>Linux Network Administrator's
-Guide</cite><br>
-O'Reilly 1995 ISBN 1-56592-087-2
-
-<p>Now becoming somewhat dated in places, but still a good introductory book
-and general reference.</p>
-<hr>
-<a name="LinVPN">Kolesnikov and Hatch</a>, <cite>Building Linux Virtual
-Private Networks (VPNs)</cite><br>
-New Riders 2002
-
-<p>This has had a number of favorable reviews, including <a
-href="http://www.slashdot.org/article.pl?sid=02/02/27/0115214&amp;mode=thread&amp;tid=172">this
-one</a> on Slashdot. The book has a <a
-href="http://www.buildinglinuxvpns.net/">web site</a>.</p>
-<hr>
-<a name="RFCs">Pete Loshin <cite>Big Book of IPsec RFCs</cite><br>
-Morgan Kaufmann 2000 ISBN: 0-12-455839-9</a>
-<hr>
-<a name="crypto">Steven Levy <cite>Crypto: How the Code Rebels Beat the
-Government -- Saving Privacy in the Digital Age</cite></a><br>
-Penguin 2001, ISBN 0-670--85950-8
-
-<p><strong>Highly recommended</strong>. A fine history of recent (about
-1970-2000) developments in the field, and the related political
-controversies. FreeS/WAN project founder and leader John Gilmore appears
-several times.</p>
-
-<p>The book does not cover IPsec or FreeS/WAN, but this project is very much
-another battle in the same war.  See our discussion of the <a
-href="politics.html">politics</a>.</p>
-<hr>
-<a name="GTR">Matyas, Anderson et al.</a> <cite>The Global Trust
-Register</cite><br>
-Northgate Consultants Ltd 1998 ISBN: 0953239705<br>
-hard cover edition MIT Press 1999 ISBN 0262511053
-
-<p>From<a href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
-their web page:</a></p>
-
-<blockquote>
-  This book is a register of the fingerprints of the world's most important
-  public keys; it implements a top-level certification authority (CA) using
-  paper and ink rather than in an electronic system.</blockquote>
-<hr>
-<a name="handbook">Menezies, van Oorschot and Vanstone <cite>Handbook of
-Applied Cryptography</cite></a><br>
-CRC Press 1997<br>
-ISBN 0-8493-8523-7
-
-<p>An excellent reference. Read <a href="#schneier">Schneier</a> before
-tackling this.</p>
-<hr>
-Michael Padlipsky <cite>Elements of Networking Style</cite><br>
-Prentice-Hall 1985 ISBN 0-13-268111-0 or 0-13-268129-3
-
-<p>Probably <strong>the funniest technical book ever written</strong>, this
-is a vicious but well-reasoned attack on the OSI "seven layer model" and all
-that went with it. Several chapters of it are also available as RFCs 871 to
-875.</p>
-<hr>
-<a name="matrix">John S. Quarterman</a> <cite>The Matrix: Computer Networks
-and Conferencing Systems Worldwide</cite><br>
-Digital Press 1990  ISBN 155558-033-5<br>
-Prentice-Hall ISBN 0-13-565607-9
-
-<p>The best general treatment of computer-mediated communication we have
-seen. It naturally has much to say about the Internet, but also covers UUCP,
-Fidonet and so on.</p>
-<hr>
-<a name="ranch">David Ranch</a> <cite>Securing Linux Step by Step</cite><br>
-SANS Institute, 1999
-
-<p><a href="http://www.sans.org/">SANS</a> is a respected organisation, this
-guide is part of a well-known series, and Ranch has previously written the
-useful <a
-href=" http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">Trinity
-OS</a> guide to securing Linux, so my guess would be this is a pretty good
-book. I haven't read it yet, so I'm not certain. It can be ordered online
-from <a href="http://www.sans.org/">SANS</a>.</p>
-
-<p>Note (Mar 1, 2002): a new edition with different editors in the works.
-Expect it this year.</p>
-<hr>
-<a name="schneier">Bruce Schneier</a> <cite>Applied Cryptography, Second
-Edition</cite><br>
-John Wiley &amp; Sons, 1996<br>
-ISBN 0-471-12845-7 hardcover<br>
-ISBN 0-471-11709-9 paperback
-
-<p>A standard reference on computer cryptography. For more recent essays, see
-the <a href="http://www.counterpane.com/">author's company's web site</a>.</p>
-<hr>
-<a name="secrets">Bruce Schneier</a><cite> Secrets and Lies</cite><br>
-Wiley 2000, ISBN 0-471-25311-1
-
-<p>An interesting discussion of security and privacy issues, written with
-more of an "executive overview" approach rather than a narrow focus on the
-technical issues. <strong>Highly recommended</strong>.</p>
-
-<p>This is worth reading even if you already understand security issues, or
-think you do. To go deeper, follow it with Anderson's <a
-href="#anderson">Security Engineering</a>.</p>
-<hr>
-<a name="VPNbook">Scott, Wolfe and Irwin <cite>Virtual Private
-Networks</cite></a><br>
-2nd edition, O'Reilly 1999 ISBN: 1-56592-529-7
-
-<p>This is the only O'Reilly book, out of a dozen I own, that I'm
-disappointed with. It deals mainly with building VPNs with various
-proprietary tools -- <a href="glossary.html#PPTP">PPTP</a>, <a
-href="glossary.html#SSH">SSH</a>, Cisco PIX, ... -- and touches only lightly
-on IPsec-based approaches.</p>
-
-<p>That said, it appears to deal competently with what it does cover and it
-has readable explanations of many basic VPN and security concepts. It may be
-exactly what some readers require, even if I find the emphasis
-unfortunate.</p>
-<hr>
-<a name="LASG">Kurt Seifried <cite>Linux Administrator's Security
-Guide</cite></a>
-
-<p>Available online from <a
-href="http://www.securityportal.com/lasg/">Security Portal</a>. It has fairly
-extensive coverage of IPsec.</p>
-<hr>
-<a name="Smith">Richard E Smith <cite>Internet Cryptography</cite><br>
-</a>ISBN 0-201-92480-3, Addison Wesley, 1997
-
-<p>See the book's <a
-href="http://www.visi.com/crypto/inet-crypto/index.html">home page</a></p>
-<hr>
-<a name="neal">Neal Stephenson <cite>Cryptonomicon</cite></a><br>
-Hardcover ISBN -380-97346-4, Avon, 1999.
-
-<p>A novel in which cryptography and the net figure prominently.
-<strong>Highly recommended</strong>: I liked it enough I immediately went out
-and bought all the author's other books.</p>
-
-<p>There is also a paperback edition. Sequels are expected.</p>
-<hr>
-<a name="stevens">Stevens and Wright</a> <cite>TCP/IP Illustrated</cite><br>
-Addison-Wesley
-<ul>
-  <li>Vol. I: The Protocols 1994 ISBN:0-201-63346-9</li>
-  <li>Vol. II: The Implementation 1995 ISBN:0-201-63354-X</li>
-  <li>Vol. III: TCP for Transactions, HTTP, NNTP, and the UNIX Domain
-    Protocols 1996 ISBN: 0-201-63495-3</li>
-</ul>
-
-<p>If you need to deal with the details of the network protocols, read either
-this series or the <a href="#comer">Comer</a> series before you start reading
-the RFCs.</p>
-<hr>
-<a name="Rubini">Rubini</a> <cite>Linux Device Drivers</cite><br>
-O'Reilly &amp; Associates, Inc. 1998 ISBN 1-56592-292-1
-<hr>
-<a name="Zeigler">Robert Zeigler</a> <cite>Linux Firewalls</cite><br>
-Newriders Publishing, 2000 ISBN 0-7537-0900-9
-
-<p>A good book, with detailed coverage of ipchains(8) firewalls and of many
-related issues.</p>
-</body>
-</html>
diff --git a/doc/src/buildtools.html b/doc/src/buildtools.html
deleted file mode 100644
index c8cfa1fc8..000000000
--- a/doc/src/buildtools.html
+++ /dev/null
@@ -1,27 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
-<HTML>
-  <HEAD>
-    <TITLE>Tools used to build FreeSWAN releases (08-Mar-2002)</TITLE>
-    <!-- Created by: Michael Richardson, 08-Mar-2002 -->
-
-
-  </HEAD>
-  <BODY>
-    <H1>Tools used to build FreeSWAN releases</H1>
-
-<H2>man2html</H2>
-
-<P>
-If you are not running RedHat, you will need man2html. This is part of the
-"man" RPM on RedHat, whose sources can be found at <A HREF="ftp://ftp.win.tue.nl/pub/linux-local/utils/man/">ftp://ftp.win.tue.nl/pub/linux-local/utils/man/</A>.
-</P>
-
-<P>
-Note that the Debian package <A HREF="http://packages.debian.org/man2html">man2html</A>
-and the one listed on Freshmeat at
-<A HREF="http://freshmeat.net/projects/man2html/">man2html</A> will
-not work.
-</P>
-
-  </BODY>
-</HTML>
\ No newline at end of file
diff --git a/doc/src/compat.html b/doc/src/compat.html
deleted file mode 100644
index a8e1455bf..000000000
--- a/doc/src/compat.html
+++ /dev/null
@@ -1,795 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN compatibility guide</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, compatibility">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: compat.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="compat">Linux FreeS/WAN Compatibility Guide</a></h1>
-
-<p>Much of this document is quoted directly from the Linux FreeS/WAN <a
-href="mail.html">mailing list</a>. Thanks very much to the community of
-testers, patchers and commenters there, especially the ones quoted below but
-also various contributors we haven't quoted.</p>
-
-<h2><a name="spec">Implemented parts of the IPsec Specification</a></h2>
-
-<p>In general, do not expect Linux FreeS/WAN to do everything yet. This is a
-work-in-progress and some parts of the IPsec specification are not yet
-implemented.</p>
-
-<h3><a name="in">In Linux FreeS/WAN</a></h3>
-
-<p>Things we do, as of version 1.96:</p>
-<ul>
-  <li>key management methods
-    <dl>
-      <dt>manually keyed</dt>
-        <dd>using keys stored in /etc/ipsec.conf</dd>
-      <dt>automatically keyed</dt>
-        <dd>Automatically negotiating session keys as required. All
-          connections are automatically re-keyed periodically. The <a
-          href="glossary.html#Pluto">Pluto</a> daemon implements this using
-          the <a href="glossary.html#IKE">IKE</a> protocol.</dd>
-    </dl>
-  </li>
-  <li>Methods of authenticating gateways for IKE
-    <dl>
-      <dt>shared secrets</dt>
-        <dd>stored in <a
-          href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a></dd>
-      <dt><a href="glossary.html#RSA">RSA</a> signatures</dt>
-        <dd>For details, see <a
-          href="manpage.d/ipsec_pluto.8.html">pluto(8)</a>.</dd>
-      <dt>looking up RSA authentication keys from <a
-      href="glossary.html#DNS">DNS</a>.</dt>
-        <dd>Note that this technique cannot be fully secure until <a
-          href="glossary.html#SDNS">secure DNS</a> is widely deployed.</dd>
-    </dl>
-  </li>
-  <li>groups for <a href="glossary.html#DH">Diffie-Hellman</a> key negotiation
-    <dl>
-      <dt>group 2, modp 1024-bit</dt>
-      <dt>group 5, modp 1536-bit</dt>
-        <dd>We implement these two groups.
-          <p>In negotiating a keying connection (ISAKMP SA, Phase 1) we
-          propose both groups when we are the initiator, and accept either
-          when a peer proposes them. Once the keying connection is made, we
-          propose only the alternative agreed there for data connections
-          (IPsec SA's, Phase 2) negotiated over that keying connection.</p>
-        </dd>
-    </dl>
-  </li>
-  <li>encryption transforms
-    <dl>
-      <dt><a href="glossary.html#DES">DES</a></dt>
-        <dd>DES is in the source code since it is needed to implement 3DES,
-          but single DES is not made available to users because <a
-          href="politics.html#desnotsecure">DES is insecure</a>.</dd>
-      <dt><a href="glossary.html#3DES">Triple DES</a></dt>
-        <dd>implemented, and used as the default encryption in Linux
-          FreeS/WAN.</dd>
-    </dl>
-  </li>
-  <li>authentication transforms
-    <dl>
-      <dt><a href="glossary.html#HMAC">HMAC</a> using <a
-      href="glossary.html#MD5">MD5</a></dt>
-        <dd>implemented, may be used in IKE or by by AH or ESP
-        transforms.</dd>
-      <dt><a href="glossary.html#HMAC">HMAC</a> using <a
-      href="glossary.html#SHA">SHA</a></dt>
-        <dd>implemented, may be used in IKE or by AH or ESP transforms.</dd>
-    </dl>
-    <p>In negotiations, we propose both of these and accept either.</p>
-  </li>
-  <li>compression transforms
-    <dl>
-      <dt>IPComp</dt>
-        <dd>IPComp as described in RFC 2393 was added for FreeS/WAN 1.6. Note
-          that Pluto becomes confused if you ask it to do IPComp when the
-          kernel cannot.</dd>
-    </dl>
-  </li>
-</ul>
-
-<p>All combinations of implemented transforms are supported. Note that some
-form of packet-level <strong>authentication is required whenever encryption
-is used</strong>. Without it, the encryption will not be secure.</p>
-
-<h3><a name="dropped">Deliberately omitted</a></h3>
-We do not implement everything in the RFCs because some of those things are
-insecure. See our discussions of avoiding <a href="politics.html#weak">bogus
-security</a>.
-
-<p>Things we deliberately omit which are required in the RFCs are:</p>
-<ul>
-  <li>null encryption (to use ESP as an authentication-only service)</li>
-  <li>single DES</li>
-  <li>DH group 1, a 768-bit modp group</li>
-</ul>
-
-<p>Since these are the only encryption algorithms and DH group the RFCs
-require, it is possible in theory to have a standards-conforming
-implementation which will not interpoperate with FreeS/WAN. Such an
-implementation would be inherently insecure, so we do not consider this a
-problem.</p>
-
-<p>Anyway, most implementations sensibly include more secure options as well,
-so dropping null encryption, single DES and Group 1 does not greatly hinder
-interoperation in practice.</p>
-
-<p>We also do not implement some optional features allowed by the RFCs:</p>
-<ul>
-  <li>aggressive mode for negotiation of the keying channel or ISAKMP SA.
-    This mode is a little faster than main mode, but exposes more information
-    to an eavesdropper.</li>
-</ul>
-
-<p>In theory, this should cause no interoperation problems since all
-implementations are required to support the more secure main mode, whether or
-not they also allow aggressive mode.</p>
-
-<p>In practice, it does sometimes produce problems with implementations such
-as Windows 2000 where aggressive mode is the default. Typically, these are
-easily solved with a configuration change that overrides that default.</p>
-
-<h3><a name="not">Not (yet) in Linux FreeS/WAN</a></h3>
-
-<p>Things we don't yet do, as of version 1.96:</p>
-<ul>
-  <li>key management methods
-    <ul>
-      <li>authenticate key negotiations via local <a
-        href="glossary.html#PKI">PKI</a> server, but see links to user <a
-        href="web.html#patch">patches</a></li>
-      <li>authenticate key negotiations via <a
-        href="glossary.html#SDNS">secure DNS</a></li>
-      <li>unauthenticated key management, using <a
-        href="glossary.html#DH">Diffie-Hellman</a> key agreement protocol
-        without authentication. Arguably, this would be worth doing since it
-        is secure against all passive attacks. On the other hand, it is
-        vulnerable to an active <a
-        href="glossary.html#middle">man-in-the-middle attack</a>.</li>
-    </ul>
-  </li>
-  <li>encryption transforms
-    <p>Currently <a href="glossary.html#3DES">Triple DES</a> is the only
-    encryption method Pluto will negotiate.</p>
-    <p>No additional encryption transforms are implemented, though the RFCs
-    allow them and some other IPsec implementations support various of them.
-    We are not eager to add more. See this <a
-    href="faq.html#other.cipher">FAQ question</a>.</p>
-    <p><a href="glossary.html#AES">AES</a>, the successor to the DES
-    standard, is an excellent candidate for inclusion in FreeS/WAN, see links
-    to user <a href="web.html#patch">patches</a>.</p>
-  </li>
-  <li>authentication transforms
-    <p>No optional additional authentication transforms are currently
-    implemented. Likely <a href="glossary.html#SHA-256">SHA-256, SHA-384 and
-    SHA-512</a> will be added when AES is.</p>
-  </li>
-  <li>Policy checking on decrypted packets
-    <p>To fully comply with the RFCs, it is not enough just to accept only
-    packets which survive any firewall rules in place to limit what IPsec
-    packets get in, and then pass KLIPS authentication. That is what
-    FreeS/WAN currently does.</p>
-    <p>We should also apply additional tests, for example ensuring that all
-    packets emerging from a particular tunnel have source and destination
-    addresses that fall within the subnets defined for that tunnel, and that
-    packets with those addresses that did not emerge from the appropriate
-    tunnel are disallowed.</p>
-    <p>This will be done as part of a KLIPS rewrite. See these <a
-    href="intro.html#applied">links</a> and the <a href="mail.html">design
-    mailing list</a> for discussion.</p>
-  </li>
-</ul>
-
-<h2><a name="pfkey">Our PF-Key implementation</a></h2>
-
-<p>We use PF-key Version Two for communication between the KLIPS kernel code
-and the Pluto Daemon. PF-Key v2 is defined by <a
-href="http://www.normos.org/ietf/rfc/rfc2367.txt">RFC 2367</a>.</p>
-
-<p>The "PF" stands for Protocol Family. PF-Inet defines a kernel/userspace
-interface for the TCP/IP Internet protocols (TCP/IP), and other members of
-the PF series handle Netware, Appletalk, etc. PF-Key is just a PF for
-key-related matters.</p>
-
-<h3><a name="pfk.port">PF-Key portability</a></h3>
-
-<p>PF-Key came out of Berkeley Unix work and is used in the various BSD IPsec
-implementations, and in Solaris. This means there is some hope of porting our
-Pluto(8) to one of the BSD distributions, or of running their photurisd(8) on
-Linux if you prefer <a href="glossary.html#photuris">Photuris</a> key
-management over IKE.</p>
-
-<p>It is, however, more complex than that. The PK-Key RFC deliberately deals
-only with keying, not policy management. The three PF-Key implementations we
-have looked at -- ours, OpenBSD and KAME -- all have extensions to deal with
-security policy, and the extensions are different. There have been
-discussions aimed at sorting out the differences, perhaps for a version three
-PF-Key spec. All players are in favour of this, but everyone involved is busy
-and it is not clear whether or when these discussions might bear fruit.</p>
-
-<h2><a name="otherk">Kernels other than the latest 2.2.x and 2.4.y</a></h2>
-
-<p>We develop and test on Redhat Linux using the most recent kernel in the
-2.2 and 2.4 series. In general, we recommend you use the latest kernel in one
-of those series. Complications and caveats are discussed below.</p>
-
-<h3><a name="kernel.2.0">2.0.x kernels</a></h3>
-
-<p>Consider upgrading to the 2.2 kernel series. If you want to stay with the
-2.0 series, then we strongly recommend 2.0.39. Some useful security patches
-were added in 2.0.38.</p>
-
-<p>Various versions of the code have run at various times on most 2.0.xx
-kernels, but the current version is only lightly tested on 2.0.39, and not at
-all on older kernels.</p>
-
-<p>Some of our patches for older kernels are shipped in 2.0.37 and later, so
-they are no longer provided in FreeS/WAN. This means recent versions of
-FreeS/WAN will probably not compile on anything earlier than 2.0.37.</p>
-
-<h3><a name="kernel.production">2.2 and 2.4 kernels</a></h3>
-<dl>
-  <dt>FreeS/WAN 1.0</dt>
-    <dd>ran only on 2.0 kernels</dd>
-  <dt>FreeS/WAN 1.1 to 1.8</dt>
-    <dd>ran on 2.0 or 2.2 kernels<br>
-      ran on some development kernels, 2.3 or 2.4-test</dd>
-  <dt>FreeS/WAN 1.9 to 1.96</dt>
-    <dd>runs on 2.0, 2.2 or 2.4 kernels</dd>
-</dl>
-
-<p>In general, <strong>we suggest the latest 2.2 kernel or 2.4 for production
-use</strong>.</p>
-
-<p>Of course no release can be guaranteed to run on kernels more recent than
-it is, so quite often there will be no stable FreeS/WAN for the absolute
-latest kernel. See the <a href="faq.html#k.versions">FAQ</a> for
-discussion.</p>
-
-<h2><a name="otherdist">Intel Linux distributions other than Redhat</a></h2>
-
-<p>We develop and test on Redhat 6.1 for 2.2 kernels, and on Redhat 7.1 or
-7.2 for 2.4, so minor changes may be required for other distributions.</p>
-
-<h3><a name="rh7">Redhat 7.0</a></h3>
-
-<p>There are some problems with FreeS/WAN on Redhat 7.0. They are soluble,
-but we recommend you upgrade to a later Redhat instead..</p>
-
-<p>Redhat 7 ships with two compilers.</p>
-<ul>
-  <li>Their <var>gcc</var> is version 2.96. Various people, including the GNU
-    compiler developers and Linus, have said fairly emphatically that using
-    this was a mistake. 2.96 is a development version, not intended for
-    production use. In particular, it will not compile a Linux kernel.</li>
-  <li>Redhat therefore also ship a separate compiler, which they call
-    <var>kgcc</var>, for compiling kernels.</li>
-</ul>
-
-<p>Kernel Makefiles have <var>gcc</var> as a default, and must be adjusted to
-use <var>kgcc</var> before a kernel will compile on 7.0. This mailing list
-message gives details:</p>
-<pre>Subject: Re: AW: Installing IPsec on Redhat 7.0
-   Date: Thu, 1 Feb 2001 14:32:52 -0200 (BRST)
-  From: Mads Rasmussen &lt;mads@cit.com.br&gt;
- 
-&gt; From www.redhat.com/support/docs/gotchas/7.0/gotchas-7-6.html#ss6.1
-
-cd to /usr/src/linux and open the Makefile in your favorite editor. You
-will need to look for a line similar to this:
-
-CC = $(CROSS_COMPILE)gcc -D__KERNEL__ -I$(HPATH)
-
-This line specifies which C compiler to use to build the kernel. It should
-be changed to:
-
-CC = $(CROSS_COMPILE)kgcc -D__KERNEL__ -I$(HPATH)
-
-for Red Hat Linux 7. The kgcc compiler is egcs 2.91.66. From here you can
-proceed with the typical compiling steps.</pre>
-
-<p>Check the <a href="mail.html">mailing list</a> archive for more recent
-news.</p>
-
-<h3><a name="suse">SuSE Linux</a></h3>
-
-<p>SuSE 6.3 and later versions, at least in Europe, ship with FreeS/WAN
-included.</p>
-
-<P>FreeS/WAN packages distributed for SuSE 7.0-7.2 were somehow
-miscompiled.  You can find fixed packages on 
-<A HREF="http://www.suse.de/~garloff/linux/FreeSWAN">
-Kurt Garloff's page</A>.</P>
-
-<p>Here are some notes for an earlier SuSE version.</p>
-
-<h4>SuSE Linux 5.3</h4>
-<pre>Date: Mon, 30 Nov 1998
-From: Peter Onion &lt;ponion@srd.bt.co.uk&gt;
-
-... I got Saturdays snapshot working between my two SUSE5.3 machines at home.
-
-The mods to the install process are quite simple.  From memory and looking at
-the files on the SUSE53 machine here at work....
-
-And extra link in each of the /etc/init.d/rc?.d directories called K35ipsec
-which SUSE use to shut a service down.
-
-A few mods in /etc/init.d/ipsec  to cope with the different places that SUSE
-put config info, and remove the inculsion of /etc/rc.d/init.d/functions and .
-/etc/sysconfig/network as they don't exists and 1st one isn't needed anyway.
-
-insert ". /etc/rc.config" to pick up the SUSE config info and use 
-
-  if test -n "$NETCONFIG" -a "$NETCONFIG" != "YAST_ASK" ; then
-
-to replace 
-
-  [ ${NETWORKING} = "no" ] &amp;&amp; exit 0
-
-Create /etc/sysconfig  as SUSE doesn't have one.
-
-I think that was all (but I prob forgot something)....</pre>
-
-<p>You may also need to fiddle initialisation scripts to ensure that
-<var>/var/run/pluto.pid</var> is removed when rebooting. If this file is
-present, Pluto does not come up correctly.</p>
-
-<h3><a name="slack">Slackware</a></h3>
-<pre>Subject: Re: linux-IPsec: Slackware distribution
-  Date:  Thu, 15 Apr 1999 12:07:01 -0700
-  From:  Evan Brewer &lt;dmessiah@silcon.com&gt;
-
-&gt; Very shortly, I will be needing to install IPsec on at least gateways that
-&gt; are running Slackware. . . .
-
-The only trick to getting it up is that on the slackware dist there is no
-init.d directory in /etc/rc.d .. so create one.  Then, what I do is take the
-IPsec startup script which normally gets put into the init.d directory, and
-put it in /etc/rc.d and name ir rc.ipsec .. then I symlink it to the file
-in init.d.  The only file in the dist you need to really edit is the
-utils/Makefile, setup4:
-
-Everything else should be just fine.</pre>
-
-<p>A year or so later:</p>
-<pre>Subject: Re: HTML Docs- Need some cleanup?
-   Date: Mon, 8 Jan 2001
-   From: Jody McIntyre &lt;jodym@oeone.com&gt;
-
-I have successfully installed FreeS/WAN on several Slackware 7.1 machines.
-FreeS/WAN installed its rc.ipsec file in /etc/rc.d.  I had to manually call
-this script from rc.inet2.  This seems to be an easier method than Evan
-Brewer's.</pre>
-
-<h3><a name="deb">Debian</a></h3>
-
-<p>A recent (Nov 2001) mailing list points to a <a
-href="http://www.thing.dyndns.org/debian/vpn.htm">web page</a> on setting up
-several types of tunnel, including IPsec, on Debian.</p>
-
-<p>Some older information:</p>
-<pre>Subject: FreeS/WAN 1.0 on Debian 2.1
-   Date: Tue, 20 Apr 1999
-  From:  Tim Miller &lt;cerebus+counterpane@haybaler.sackheads.org&gt;
-
-        Compiled and installed without error on a Debian 2.1 system
-with kernel-source-2.0.36 after pointing RCDIR in utils/Makefile to
-/etc/init.d.
-
-        /var/lock/subsys/ doesn't exist on Debian boxen, needs to be
-created; not a fatal error.
-
-        Finally, IPsec scripts appear to be dependant on GNU awk
-(gawk); the default Debian awk (mawk-1.3.3-2) had fatal difficulties.
-With gawk installed and /etc/alternatives/awk linked to /usr/bin/gawk
-operation appears flawless.</pre>
-
-<p>The scripts in question have been modified since this was posted. Awk
-versions should no longer be a problem.</p>
-
-<h3><a name="caldera">Caldera</a></h3>
-<pre>Subject: Re: HTML Docs- Need some cleanup?
-   Date: Mon, 08 Jan 2001
-   From: Andy Bradford &lt;andyb@calderasystems.com&gt;
-
-On Sun, 07 Jan 2001 22:59:05 EST, Sandy Harris wrote:
-
-&gt;     Intel Linux distributions other than Redhat 5.x and 6.x 
-&gt;         Redhat 7.0 
-&gt;         SuSE Linux 
-&gt;             SuSE Linux 5.3 
-&gt;         Slackware 
-&gt;         Debian 
-
-Can you please include Caldera in this list?  I have tested it since 
-FreeS/Wan 1.1 and it works great with our systems---provided one 
-follows the FreeS/Wan documentation. :-)
-
-Thank you,
-Andy</pre>
-
-<h2><a name="CPUs">CPUs other than Intel</a></h2>
-
-<p>FreeS/WAN has been run sucessfully on a number of different CPU
-architectures. If you have tried it on one not listed here, please post to
-the <a href="mail.html">mailing list</a>.</p>
-
-<h3><a name=" strongarm">Corel Netwinder (StrongARM CPU)</a></h3>
-<pre>Subject: linux-ipsec: Netwinder diffs
-Date: Wed, 06 Jan 1999
-From: rhatfield@plaintree.com
-
-I had a mistake in my IPsec-auto, so I got things working this morning.
-
-Following are the diffs for my changes.  Probably not the best and cleanest way 
-of doing it, but it works. . . . </pre>
-
-<p>These diffs are in the 0.92 and later distributions, so these should work
-out-of-the-box on Netwinder.</p>
-
-<h3><a name="yellowdog">Yellow Dog Linux on Power PC</a></h3>
-<pre>Subject:  Compiling FreeS/WAN 1.1 on YellowDog Linux (PPC)
-   Date:  11 Dec 1999
-   From:  Darron Froese &lt;darron@fudgehead.com&gt;
-
-I'm summarizing here for the record - because it's taken me many hours to do
-this (multiple times) and because I want to see IPsec on more linuxes than
-just x86.
-
-Also, I can't remember if I actually did summarize it before... ;-) I'm
-working too many late hours.
-
-That said - here goes.
-
-1. Get your linux kernel and unpack into /usr/src/linux/ - I used 2.2.13.
-&lt;http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.13.tar.bz2&gt;
-
-2. Get FreeS/WAN and unpack into /usr/src/freeswan-1.1
-&lt;ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.1.tar.gz&gt;
-
-3. Get the gmp src rpm from here:
-&lt;ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm&gt;
-
-4. Su to root and do this: rpm --rebuild gmp-2.0.2-9a.src.rpm
-
-You will see a lot of text fly by and when you start to see the rpm
-recompiling like this:
-
-Executing: %build
-+ umask 022
-+ cd /usr/src/redhat/BUILD
-+ cd gmp-2.0.2
-+ libtoolize --copy --force
-Remember to add `AM_PROG_LIBTOOL' to `configure.in'.
-You should add the contents of `/usr/share/aclocal/libtool.m4' to
-`aclocal.m4'.
-+ CFLAGS=-O2 -fsigned-char
-+ ./configure --prefix=/usr
-
-Hit Control-C to stop the rebuild. NOTE: We're doing this because for some
-reason the gmp source provided with FreeS/WAN 1.1 won't build properly on
-ydl.
-
-cd /usr/src/redhat/BUILD/
-cp -ar gmp-2.0.2 /usr/src/freeswan-1.1/
-cd /usr/src/freeswan-1.1/
-rm -rf gmp
-mv gmp-2.0.2 gmp
-
-5. Open the freeswan Makefile and change the line that says:
-KERNEL=$(b)zimage (or something like that) to
-KERNEL=vmlinux
-
-6. cd ../linux/
-
-7. make menuconfig
-Select an option or two and then exit - saving your changes.
-
-8. cd ../freeswan-1.1/ ; make menugo
-
-That will start the whole process going - once that's finished compiling,
-you have to install your new kernel and reboot.
-
-That should build FreeS/WAN on ydl (I tried it on 1.1).</pre>
-And a later message on the same topic:
-<pre>Subject: Re: FreeS/WAN, PGPnet and E-mail
-   Date: Sat, 22 Jan 2000
-   From: Darron Froese &lt;darron@fudgehead.com&gt;
-
-on 1/22/00 6:47 PM, Philip Trauring at philip@trauring.com wrote:
-
-&gt; I have a PowerMac G3 ...
-
-The PowerMac G3 can run YDL 1.1 just fine. It should also be able to run
-FreeS/WAN 1.2patch1 with a couple minor modifications:
-
-1. In the Makefile it specifies a bzimage for the kernel compile - you have
-to change that to vmlinux for the PPC.
-
-2. The gmp source that comes with FreeS/WAN (for whatever reason) fails to
-compile. I have gotten around this by getting the gmp src rpm from here:
-
-ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm
-
-If you rip the source out of there - and place it where the gmp source
-resides it will compile just fine.</pre>
-
-<p>FreeS/WAN no longer includes GMP source.</p>
-
-<h3><a name="mklinux">Mklinux</a></h3>
-
-<p>One user reports success on the Mach-based
-<strong>m</strong>icro<strong>k</strong>ernel Linux.</p>
-<pre>Subject: Smiles on sparc and ppc
-   Date: Fri, 10 Mar 2000
-   From: Jake Hill &lt;jah@alien.bt.co.uk&gt;
-
-You may or may not be interested to know that I have successfully built
-FreeS/WAN on a number of non intel alpha architectures; namely on ppc
-and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
-works, mostly, with few changes.</pre>
-
-<h3><a name="alpha">Alpha 64-bit processors</a></h3>
-<pre>Subject: IT WORKS (again) between intel &amp; alpha :-)))))
-   Date: Fri, 29 Jan 1999
-   From: Peter Onion &lt;ponion@srd.bt.co.uk&gt;
-
-Well I'm happy to report that I've got an IPsec connection between by intel &amp; alpha machines again :-))
-
-If you look back on this list to 7th of December I wrote...
-
--On 07-Dec-98 Peter Onion wrote:
--&gt; 
--&gt; I've about had enuf of wandering around inside the kernel trying to find out
--&gt; just what is corrupting outgoing packets...
--
--Its 7:30 in the evening .....
--
--I FIXED IT  :-))))))))))))))))))))))))))))))))
--
--It was my own fault :-((((((((((((((((((
--
--If you ask me very nicly I'll tell you where I was a little too over keen to
--change unsigned long int __u32 :-)  OPSE ...
--
--So tomorrow it will full steam ahead to produce a set of diffs/patches against
--0.91 
--
--Peter Onion.</pre>
-
-<p>In general (there have been some glitches), FreeS/WAN has been running on
-Alphas since then.</p>
-
-<h3><a name="SPARC">Sun SPARC processors</a></h3>
-
-<p>Several users have reported success with FreeS/WAN on SPARC Linux. Here is
-one mailing list message:</p>
-<pre>Subject: Smiles on sparc and ppc
-   Date: Fri, 10 Mar 2000
-   From: Jake Hill &lt;jah@alien.bt.co.uk&gt;
-
-You may or may not be interested to know that I have successfully built
-FreeS/WAN on a number of non intel alpha architectures; namely on ppc
-and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
-works, mostly, with few changes.
-
-I have a question, before I make up some patches. I need to hack
-gmp/mpn/powerpc32/*.s to build them. Is this ok? The changes are
-trivial, but could I also use a different version of gmp? Is it vanilla
-here?
-
-I guess my only real headache is from ipchains, which appears to stop
-running when IPsec has been started for a while. This is with 2.2.14 on
-sparc.</pre>
-
-<p>This message, from a different mailing list, may be relevant for anyone
-working with FreeS/WAN on Suns:</p>
-<pre>Subject: UltraSPARC DES assembler
-   Date: Thu, 13 Apr 2000
-   From: svolaf@inet.uni2.dk (Svend Olaf Mikkelsen)
-     To: coderpunks@toad.com
-
-An UltraSPARC assembler version of the LibDES/SSLeay/OpenSSL des_enc.c
-file is available at http://inet.uni2.dk/~svolaf/des.htm.
-
-This brings DES on UltraSPARC from slower than Pentium at the same
-clock speed to significantly faster.</pre>
-
-<h3><a name="mips">MIPS processors</a></h3>
-
-<p>We know FreeS/WAN runs on at least some MIPS processors because <a
-href="http://www.lasat.com">Lasat</a> manufacture an IPsec box based on an
-embedded MIPS running Linux with FreeS/WAN. We have no details.</p>
-
-<h3><a name="crusoe">Transmeta Crusoe</a></h3>
-
-<p>The Merilus <a
-href="http://www.merilus.com/products/fc/index.shtml">Firecard</a>, a Linux
-firewall on a PCI card, is based on a Crusoe processor and supports
-FreeS/WAN.</p>
-
-<h3><a name="coldfire">Motorola Coldfire</a></h3>
-<pre>Subject: Re: Crypto hardware support
-   Date: Mon, 03 Jul 2000
-   From: Dan DeVault &lt;devault@tampabay.rr.com&gt;
-
-.... I have been running
-uClinux with FreeS/WAN 1.4 on a system built by Moreton Bay  (
-http://www.moretonbay.com )  and it was using a Coldfire processor
-and was able to do the Triple DES encryption at just about
-1 mbit / sec rate.......  they put a Hi/Fn 7901 hardware encryption
-chip on their board and now their system does over 25 mbit of 3DES
-encryption........ pretty significant increase if you ask me.</pre>
-
-<h2><a name="multiprocessor">Multiprocessor machines</a></h2>
-
-<p>FreeS/WAN is designed to work on SMP (symmetric multi-processing) Linux
-machines and is regularly tested on dual processor x86 machines.</p>
-
-<p>We do not know of any testing on multi-processor machines with other CPU
-architectures or with more than two CPUs. Anyone who does test this, please
-report results to the <a href="mail.html">mailing list</a>.</p>
-
-<p>The current design does not make particularly efficient use of
-multiprocessor machines; some of the kernel work is single-threaded.</p>
-
-<h2><a name="hardware">Support for crypto hardware</a></h2>
-
-<p>Supporting hardware cryptography accelerators has not been a high priority
-for the development team because it raises a number of fairly complex
-issues:</p>
-<ul>
-  <li>Can you trust the hardware? If it is not Open Source, how do you audit
-    its security? Even if it is, how do you check that the design has no
-    concealed traps?</li>
-  <li>If an interface is added for such hardware, can that interface be
-    subverted or misused?</li>
-  <li>Is hardware acceleration actually a performance win? It clearly is in
-    many cases, but on a fast machine it might be better to use the CPU for
-    the encryption than to pay the overheads of moving data to and from a
-    crypto board.</li>
-  <li>the current KLIPS code does not provide a clean interface for hardware
-    accelerators</li>
-</ul>
-
-<p>That said, we have a <a href="#coldfire">report</a> of FreeS/WAN working
-with one crypto accelerator and some work is going on to modify KLIPS to
-create a clean generic interface to such products. See this <a
-href="http://www.jukie.net/~bart/linux-ipsec/">web page</a> for some of the
-design discussion.</p>
-
-<p>More recently, a patch to support some hardware accelerators has been
-posted:</p>
-<pre>Subject: [Design] [PATCH] H/W acceleration patch
-   Date: Tue, 18 Sep 2001
-   From: "Martin Gadbois" &lt;martin.gadbois@colubris.com&gt;
- 
-Finally!!
-Here's a web site with H/W acceleration patch for FreeS/WAN 1.91, including
-S/W and Hifn 7901 crypto support.
-
-http://sources.colubris.com/
-
-Martin Gadbois</pre>
-
-<p>Hardware accelerators could take performance well beyond what FreeS/WAN
-can do in software (discussed <a href="performance.html">here</a>). Here is
-some discussion off the IETF IPsec list, October 2001:</p>
-<pre> ... Currently shipping chips deliver, 600 mbps throughput on a single
- stream of 3DES IPsec traffic.  There are also chips that use multiple
- cores to do 2.4 gbps.  We (Cavium) and others have announced even faster
- chips. ... Mid 2002 versions will handle at line rate (OC48 and OC192)
- IPsec and SSL/TLS traffic not only 3DES CBC but also AES and arc4.</pre>
-
-<p>The patches to date support chips that have been in production for some
-time, not the state-of-the-art latest-and-greatest devices described in that
-post. However, they may still outperform software and they almost certainly
-reduce CPU overhead.</p>
-
-<h2><a name="ipv6">IP version 6 (IPng)</a></h2>
-
-<p>The Internet currently runs on version four of the IP protocols. IPv4 is
-what is in the standard Linux IP stack, and what FreeS/WAN was built for. In
-IPv4, IPsec is an optional feature.</p>
-
-<p>The next version of the IP protocol suite is version six, usually
-abbreviated either as "IPv6" or as "IPng" for "IP: the next generation". For
-IPv6, IPsec is a required feature. Any machine doing IPv6 is required to
-support IPsec, much as any machine doing (any version of) IP is required to
-support ICMP.</p>
-
-<p>There is a Linux implementation of IPv6 in Linux kernels 2.2 and above.
-For details, see the <a
-href="http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/faq/">FAQ</a>. It
-does not yet support IPsec. The <a
-href="http://www.linux-ipv6.org/">USAGI</a> project are also working on IPv6
-for Linux.</p>
-
-<p>FreeS/WAN was originally built for the current standard, IPv4, but we are
-interested in seeing it work with IPv6. Some progress has been made, and a
-patched version with IPv6 support is <a
-href="http://www.ipv6.iabg.de/downloadframe/index.html">available</a>. For
-more recent information, check the <a href="mail.html">mailing list</a>.</p>
-
-<h3><a name="v6.back">IPv6 background</a></h3>
-
-<p>IPv6 has been specified by an IETF <a
-href="http://www.ietf.org/html.charters/ipngwg-charter.html">working
-group</a>. The group's page lists over 30 RFCs to date, and many Internet
-Drafts as well. The overview is <a
-href="http://www.ietf.org/rfc/rfc2460.txt">RFC 2460</a>. Major features
-include:</p>
-<ul>
-  <li>expansion of the address space from 32 to 128 bits,</li>
-  <li>changes to improve support for
-    <ul>
-      <li>mobile IP</li>
-      <li>automatic network configuration</li>
-      <li>quality of service routing</li>
-      <li>...</li>
-    </ul>
-  </li>
-  <li>improved security via IPsec</li>
-</ul>
-
-<p>A number of projects are working on IPv6 implementation. A prominent Open
-Source effort is <a href="http://www.kame.net/">KAME</a>, a collaboration
-among several large Japanese companies to implement IPv6 for Berkeley Unix.
-Other major players are also working on IPv6. For example, see pages at:</p>
-<ul>
-  <li><a
-  href="http://playground.sun.com/pub/ipng/html/ipng-main.html">Sun</a></li>
-  <li><a
-  href="http://www.cisco.com/warp/public/732/ipv6/index.html">Cisco</a></li>
-  <li><a
-    href="http://www.microsoft.com/windows2000/techinfo/howitworks/communications/networkbasics/IPv6.asp">Microsoft</a></li>
-</ul>
-
-<p>The <a href="http://www.6bone.net/">6bone</a> (IPv6 backbone) testbed
-network has been up for some time. There is an active <a
-href="http://www.ipv6.org/">IPv6 user group</a>.</p>
-
-<p>One of the design goals for IPv6 was that it must be possible to convert
-from v4 to v6 via a gradual transition process. Imagine the mess if there
-were a "flag day" after which the entire Internet used v6, and all software
-designed for v4 stopped working. Almost every computer on the planet would
-need major software changes! There would be huge costs to replace older
-equipment. Implementers would be worked to death before "the day", systems
-administrators and technical support would be completely swamped after it.
-The bugs in every implementation would all bite simultaneously. Large chunks
-of the net would almost certainly be down for substantial time periods.
-...</p>
-
-<p>Fortunately, the design avoids any "flag day". It is therefore a little
-tricky to tell how quickly IPv6 will take over. The transition has certainly
-begun. For examples, see announcements from <a
-href="http://www.mailbase.ac.uk/lists/internet2/2000-03/0016.html">NTT</a>
-and <a href="http://www.vnunet.com/News/1102383">Nokia</a>. However, it is
-not yet clear how quickly the process will gain momentum, or when it will be
-completed. Likely large parts of the Internet will remain with IPv4 for years
-to come.</p>
-</body>
-</html>
diff --git a/doc/src/config.html b/doc/src/config.html
deleted file mode 100644
index b98e452db..000000000
--- a/doc/src/config.html
+++ /dev/null
@@ -1,394 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN configuration</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, installation, quickstart">
-  <!--
-
-  Written by Claudia Schmeing for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: config.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-<BODY>
-<H1><A NAME="config">How to configure FreeS/WAN</A></H1>
-
-<P>This page will teach you how to configure a simple network-to-network
-link or a Road Warrior connection between two Linux FreeS/WAN boxes.
-</P>
-
-<P>See also these related documents:</P>
-<UL>
-<LI>our <A HREF="quickstart.html#quickstart">quickstart</A> guide
-to <A HREF="glossary.html#carpediem">opportunistic encryption</A></LI>
-<LI>our guide to configuration with 
-<A HREF="policygroups.html#policygroups">policy groups</A></LI>
-<LI>our  
-<A HREF="adv_config.html#adv_config">advanced configuration</A>
-document</LI>
-</UL>
-<P>
-The network-to-network setup allows you to connect two office 
-networks into one Virtual Private Network, while the Road Warrior 
-connection secures a laptop's telecommute to work.
-Our examples also show the basic procedure on the Linux FreeS/WAN side where 
-another IPsec peer is in play.</P>
-
-<P>
-Shortcut to <A HREF="#config.netnet">net-to-net</A>.<BR>
-Shortcut to <A HREF="#config.rw">Road Warrior</A>.
-</P>
-
-<H2>Requirements</H2>
-
-<P>To configure the network-to-network connection you must have:</P>
-<UL>
-<LI>two Linux gateways with static IPs</LI>
-<LI>a network behind each gate. Networks must have non-overlapping IP ranges.</LI>
-<LI>Linux FreeS/WAN <A HREF="install.html#install">installed</A>
-  on both gateways</LI>
-<LI><A HREF="http://www.tcpdump.org"><VAR>tcpdump</VAR></A> on the local gate, 
-  to test the connection</LI>
-</UL>
-<P>For the Road Warrior you need:</P>
-<UL>
-<LI>one Linux box with a static IP</LI>
-<LI>a Linux laptop with a dynamic IP</LI>
-<LI>Linux FreeS/WAN installed on both</LI>
-<LI>for testing, <VAR>tcpdump</VAR> on your gateway or laptop</LI>
-</UL>
-
-<P>If both IPs are dynamic, your situation is a bit trickier. Your best bet
-is a variation on the <A HREF="#config.rw">Road Warrior</A>, as described
-in <A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00282.html">this mailing list message</A>.
-
-<H2><A name="config.netnet"></A>Net-to-Net connection</H2>
-
-
-<H3><A name="netnet.info.ex">Gather information</A></H3>
-
-<P>For each gateway, compile the following information:</P>
-<UL>
-<LI>gateway IP</LI>
-<LI>IP range of the subnet you will be protecting. This doesn't have to 
-  be your whole physical subnet.</LI>
-<LI>a name by which that gateway can identify itself for IPsec
-negotiations. Its form is a Fully Qualified Domain Name preceded by
-an @ sign, ie. @xy.example.com.
-<BR>It does not need to be within a domain that you own. It can be a made-up
-name.</LI>
-</UL>
-
-
-<H4>Get your leftrsasigkey</H4>
-<P>On your local Linux FreeS/WAN gateway, print your IPsec public key:</P>
-<PRE>    ipsec showhostkey --left</PRE>
-<P>The output should look like this (with the key shortened for easy
- reading):</P>
-<PRE>    # RSA 2048 bits   xy.example.com   Fri Apr 26 15:01:41 2002
-    leftrsasigkey=0sAQOnwiBPt...</PRE>
-
-<P>Don't have a key? Use
-<A HREF="manpage.d/ipsec_newhostkey.8.html"><VAR>ipsec newhostkey</VAR></A>
-to create one.
-
-<H4>...and your rightrsasigkey</H4>
-<P>Get a console on the remote side:</P>
-<PRE>    ssh2 ab.example.com</PRE>
-<P>In that window, type:</P>
-<PRE>    ipsec showhostkey --right</PRE>
-<P>You'll see something like:</P>
-<PRE>    # RSA 2192 bits   ab.example.com   Thu May 16 15:26:20 2002
-    rightrsasigkey=0sAQOqH55O...</PRE>
-
-<H3>Edit <VAR>/etc/ipsec.conf</VAR></H3>
-
-<P>Back on the local gate, copy our template to <VAR>/etc/ipsec.conf</VAR>. 
-(on Mandrake, <VAR>/etc/freeswan/ipsec.conf</VAR>).
-Substitute the information you've gathered for our example data.</P>
-<PRE>conn net-to-net
-    left=192.0.2.2                 # Local vitals
-    leftsubnet=192.0.2.128/29      # 
-    leftid=@xy.example.com         #   
-    leftrsasigkey=0s1LgR7/oUM...   #
-    leftnexthop=%defaultroute      # correct in many situations 
-    right=192.0.2.9                # Remote vitals
-    rightsubnet=10.0.0.0/24        #
-    rightid=@ab.example.com        # 
-    rightrsasigkey=0sAQOqH55O...   #
-    rightnexthop=%defaultroute     # correct in many situations
-    auto=add                       # authorizes but doesn't start this 
-                                   # connection at startup</PRE>
-
-<P>
-"Left" and "right" should represent the machines that have FreeS/WAN installed
-on them, and "leftsubnet" and "rightsubnet" machines that are being protected.
-/32 is assumed for left/right and left/rightsubnet parameters.
-</P>
-
-<P>Copy <VAR>conn net-to-net</VAR> to the remote-side /etc/ipsec.conf.
-If you've made no other modifications to either <VAR>ipsec.conf</VAR>, 
-simply:</P>
-<PRE>    scp2 ipsec.conf root@ab.example.com:/etc/ipsec.conf</PRE>
-
-<H3>Start your connection</H3>
-
-<P>Locally, type:</P>
-<PRE>    ipsec auto --up net-to-net</PRE>
-
-<P>You should see:</P>
-<PRE>    104 "net-net" #223: STATE_MAIN_I1: initiate
-    106 "net-net" #223: STATE_MAIN_I2: sent MI2, expecting MR2
-    108 "net-net" #223: STATE_MAIN_I3: sent MI3, expecting MR3
-    004 "net-net" #223: STATE_MAIN_I4: ISAKMP SA established
-    112 "net-net" #224: STATE_QUICK_I1: initiate
-    004 "net-net" #224: STATE_QUICK_I2: sent QI2, IPsec SA established</PRE>
-
-<P>The important thing is <VAR>IPsec SA established</VAR>. If you're 
-unsuccessful, see our 
-<A HREF="trouble.html#trouble">troubleshooting tips</A>.</P>
-
-
-<H3>Do not MASQ or NAT packets to be tunneled</H3>
-
-<P>If you are using <A HREF="glossary.html#masq">IP masquerade</A> or 
-<A HREF="glossary.html#NAT.gloss">Network Address Translation (NAT)</A> 
-on either gateway, 
-you must now exempt the packets you wish to tunnel from this treatment.
-For example, if you have a rule like:</P>
-
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
-</PRE>
-
-<P>change it to something like:</P>
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d \! 192.0.2.128/29 -j MASQUERADE</PRE>
-
-<P>This may be necessary on both gateways.</P>
-
-
-<H3>Test your connection</H3>
-
-<P>Sit at one of your local subnet nodes (not the gateway), and ping a subnet 
-node on the other (again, not the gateway).</P>
-
-<PRE>    ping fileserver.toledo.example.com</PRE>
-
-<P>While still pinging, go to the local gateway and snoop your outgoing 
-interface, for example:</P>
-<PRE>    tcpdump -i ppp0</PRE>
-<P>You want to see ESP (Encapsulating Security Payload) packets moving
-<B>back and forth</B> between the two gateways at the same frequency as 
-your pings:</P>
-<PRE>    19:16:32.046220 192.0.2.2 > 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x3)
-    19:16:32.085630 192.0.2.9 > 192.0.2.2: ESP(spi=0x5fdd1cf8,seq=0x6)</PRE>
-
-<P>If you see this, congratulations are in order! You have a tunnel which 
-will protect any IP data from one subnet
-to the other, as it passes between the two gates.
-If not, go and <A HREF="trouble.html#trouble">troubleshoot</A>.</P>
-
-<P>Note: your new tunnel protects only net-net traffic, not 
-gateway-gateway, or gateway-subnet. If you need this (for example, if
-machines on one net need to securely contact a fileserver on the 
-IPsec gateway), you'll need to create
-<A HREF="adv_config.html#adv_config">extra connections</A>.</P>
-
-
-<H3>Finishing touches</H3>
-
-<P>Now that your connection works, name it something sensible, like:</P>
-<PRE>conn winstonnet-toledonet</PRE>
-<P>To have the tunnel come up on-boot, replace</P>
-<PRE>    auto=add</PRE>
-<P>with:</P>
-<PRE>    auto=start</PRE>
-<P>Copy these changes to the other side, for example:</P>
-<PRE>    scp2 ipsec.conf root@ab.example.com:/etc/ipsec.conf</PRE>
-<P>Enjoy!</P>
-
-
-
-<H2><A name="config.rw"></A>Road Warrior Configuration</H2>
-
-<H3><A name="rw.info.ex">Gather information</A></H3>
-
-<P>You'll need to know:</P>
-<UL>
-<LI>the gateway's static IP</LI>
-<LI>the IP range of the subnet behind that gateway</LI>
-<LI>a name by which each side can identify itself for IPsec
-negotiations. Its form is a Fully Qualified Domain Name preceded by
-an @ sign, ie. @road.example.com.
-<BR>It does not need to be within a domain that you own. It can be a made-up
-name.</LI>
-</UL>
-
-<H4>Get your leftrsasigkey...</H4>
-<P>On your laptop, print your IPsec public key:</P>
-<PRE>    ipsec showhostkey --left</PRE>
-<P>The output should look like this (with the key shortened for easy
- reading):</P>
-<PRE>    # RSA 2192 bits   road.example.com   Sun Jun  9 02:45:02 2002
-    leftrsasigkey=0sAQPIPN9uI...</PRE>
-
-<P>Don't have a key? See 
-<A HREF="old_config.html#genrsakey">these instructions</A>.
-
-
-<H4>...and your rightrsasigkey</H4>
-<P>Get a console on the gateway:</P>
-<PRE>    ssh2 xy.example.com</PRE>
-<P>View the gateway's public key with:</P>
-<PRE>    ipsec showhostkey --right</PRE>
-<P>This will yield something like</P>
-<PRE>    # RSA 2048 bits   xy.example.com   Fri Apr 26 15:01:41 2002
-    rightrsasigkey=0sAQOnwiBPt...</PRE>
- 
-
-<H3>Customize <VAR>/etc/ipsec.conf</VAR></H3>
-
-<P>On your laptop, copy this template to <VAR>/etc/ipsec.conf</VAR>. 
-(on Mandrake, <VAR>/etc/freeswan/ipsec.conf</VAR>).
-Substitute the information you've gathered for our example data.</P>
-<PRE>conn road
-    left=%defaultroute             # Picks up our dynamic IP 
-    leftnexthop=%defaultroute      # 
-    leftid=@road.example.com       # Local information
-    leftrsasigkey=0sAQPIPN9uI...   #
-    right=192.0.2.10               # Remote information
-    rightsubnet=10.0.0.0/24        #
-    rightid=@xy.example.com        # 
-    rightrsasigkey=0sAQOnwiBPt...  #
-    auto=add                       # authorizes but doesn't start this
-                                   # connection at startup</PRE>
-
-<P>The template for the gateway is different. Notice how it
-reverses <VAR>left</VAR> and <VAR>right</VAR>, in keeping with our
-convention that <STRONG>L</STRONG>eft is <STRONG>L</STRONG>ocal, 
-<STRONG>R</STRONG>ight <STRONG>R</STRONG>emote. Be sure to switch your
-rsasigkeys in keeping with this.</P>
-
-<PRE>    ssh2 xy.example.com
-    vi /etc/ipsec.conf</PRE>
-
-<P>and add:</P>
-
-<PRE>conn road
-    left=192.0.2.2                 # Gateway's information
-    leftid=@xy.example.com         #
-    leftsubnet=192.0.2.128/29      #
-    leftrsasigkey=0sAQOnwiBPt...   #
-    rightnexthop=%defaultroute     # correct in many situations
-    right=%any                     # Wildcard: we don't know the laptop's IP
-    rightid=@road.example.com      #
-    rightrsasigkey=0sAQPIPN9uI...  #
-    auto=add                       # authorizes but doesn't start this
-                                   # connection at startup</PRE>
-
-
-
-<H3>Start your connection</H3>
-
-<P>You must start the connection from the Road Warrior side. On your laptop,
-type:</P>
-<PRE>    ipsec auto --start net-to-net</PRE>
-
-<P>You should see:</P>
-<PRE>104 "net-net" #223: STATE_MAIN_I1: initiate
-106 "road" #301: STATE_MAIN_I2: sent MI2, expecting MR2
-108 "road" #301: STATE_MAIN_I3: sent MI3, expecting MR3
-004 "road" #301: STATE_MAIN_I4: ISAKMP SA established
-112 "road" #302: STATE_QUICK_I1: initiate
-004 "road" #302: STATE_QUICK_I2: sent QI2, IPsec SA established</PRE>
-
-<P>Look for <VAR>IPsec SA established</VAR>. If you're 
-unsuccessful, see our 
-<A HREF="trouble.html#trouble">troubleshooting tips</A>.</P>
-
-
-
-<H3>Do not MASQ or NAT packets to be tunneled</H3>
-
-<P>If you are using <A HREF="glossary.html#masq">IP masquerade</A> or
-<A HREF="glossary.html#NAT.gloss">Network Address Translation (NAT)</A>
-on either gateway,
-you must now exempt the packets you wish to tunnel from this treatment.
-For example, if you have a rule like:</P>
-
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
-</PRE>
-
-<P>change it to something like:</P>
-<PRE>iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d \! 192.0.2.128/29 -j MASQUERADE</PRE>
-
-
-<H3>Test your connection</H3>
-
-<P>From your laptop, ping a subnet node behind the remote gateway. Do not
-choose the gateway itself for this test.</P>
-
-<PRE>    ping ns.winston.example.com</PRE>
-
-<P>Snoop the packets exiting the laptop, with a command like:</P>
-<PRE>    tcpdump -i wlan0</PRE>
-<P>You have success if you see (Encapsulating Security Payload) packets 
-travelling <B>in both directions</B>:</P>
-
-<PRE>    19:16:32.046220 192.0.2.2 > 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x3)
-    19:16:32.085630 192.0.2.9 > 192.0.2.2: ESP(spi=0x5fdd1cf8,seq=0x6)</PRE>
-
-
-<P>If you do, great! Traffic between your Road Warrior and the net
-behind your gateway is protected.
-If not, see our 
-<A HREF="trouble.html#trouble">troubleshooting hints</A>.</P>
-
-<P>Your new tunnel protects only traffic addressed to the net, not to 
-the IPsec gateway itself. If you need the latter, you'll want to make an 
-<A HREF="adv_config.html#adv_config">extra tunnel.</A>.</P>
-
-<H3>Finishing touches</H3>
-
-<P>On both ends, name your connection wisely, like:</P>
-<PRE>conn mike-to-office</PRE>
-<P><B>On the laptop only,</B> replace</P>
-<PRE>    auto=add</PRE>
-<P>with:</P>
-<PRE>    auto=start</PRE>
-<P>so that you'll be connected on-boot.</P>
-<P>Happy telecommuting!</P>
-
-<H3>Multiple Road Warriors</H3>
-
-<P>If you're using RSA keys, as we did in this example, you can add
-as many Road Warriors as you like.  The left/rightid
-parameter lets Linux FreeS/WAN distinguish between multiple Road Warrior 
-peers, each with its own public key.</P>
-
-<P>The situation is different for shared secrets (PSK). During a 
-PSK negotiation, ID information is not available at the time Pluto 
-is trying to determine which secret to use, so, effectively, you can 
-only define one Roadwarrior connection. All your PSK road warriors
-must therefore share one secret.</P>
-
-
-<H2>What next?</H2>
-
-<P>Using the principles illustrated here, you can try variations such as:
-<UL>
-<LI>a telecommuter with a static IP</LI>
-<LI>a road warrior with a subnet behind it</LI>
-</UL>
-<P>Or, look at some of our <A HREF="adv_config.html#adv_config">more complex configuration examples.</A>.</P>
-</BODY>
-</HTML>
diff --git a/doc/src/crosscompile.html b/doc/src/crosscompile.html
deleted file mode 100644
index c488957c8..000000000
--- a/doc/src/crosscompile.html
+++ /dev/null
@@ -1,105 +0,0 @@
-<HTML>

-<HEAD>

-	<TITLE>Cross Compiling FreeS/WAN</TITLE>

-      <meta name="keywords" content="Linux, IPSEC, VPN, Security, FreeSWAN, cross, compile">

-<!--

-     Written by Ken Bantoft <ken@freeswan.ca> for the Linux FreeS/WAN project

-     Freely distributable under the GNU General Public License

-

-     More information at www.freeswan.org

-     Feedback to users@lists.freeswan.org

-

-CVS information:

-RCS ID:          $Id: crosscompile.html,v 1.1 2004/03/15 20:35:24 as Exp $

-Last changed:    $Date: 2004/03/15 20:35:24 $

-Revision number: $Revision: 1.1 $

-

-CVS revision numbers do not correspond to FreeS/WAN release numbers.

--->

- 

-</HEAD>

-<BODY>

-

-<H1><A NAME="guide"></A>Linux FreeS/WAN Cross Compiling Guide</H1>

-

-<H2><A NAME="overview"></A>Overview</H2>

-

-<P>

-This document provides general instructions on how to cross compile 

-FreeS/WAN, 

-that is - compile it for another architecture (eg: StrongARM)</P>

-<OL>

-	<LI><A HREF="#setup">Setting up your environment</A>.</LI>

-	<LI><A HREF="#building">Building</A>.</LI>

-	<LI><A HREF="#common">Common Problems</A>.</LI>

-</OL>

-<H2><A NAME="setup"></A>Setting up your Environment</H2>

-<H3>Enviroment Variables</H3>

-<P>There are a number of environment variables you can set to help facilitate

-cross compiling FreeS/WAN.  All examples will are using the bash shell. 

-</P>

-<P>The following is an example of the how to set the environment variables if

-you were cross compiling using the Embedix ARM toolchain, to build for an embedded

-device like the Sharp Zaurus.  Set these while you are in the FreeS/WAN directory.

-It is often simpler to put the entire list into a script (eg: cross-setup.sh), and 

-then "source cross-setup.sh" or similar.

-<pre>

-export ARCH=arm

-export CC=/opt/Embedix/tools/bin/arm-linux-gcc

-export LD=/opt/Embedix/tools/bin/arm-linux-ld

-export RANLIB=/opt/Embedix/tools/bin/arm-linux-ranlib 

-export AR=/opt/Embedix/tools/bin/arm-linux-ar 

-export AS=/opt/Embedix/tools/bin/arm-linux-as 

-export STRIP=/opt/Embedix/tools/bin/arm-linux-strip 

-export KERNELSRC=/zaurus/kernel-2.4.6

-export LD_LIBRARY_PATH=/opt/Embedix/tools/lib/gcc-lib/arm-linux/2.95.2/

-export PATH=$PATH:/opt/Embedix/tools/bin

-export DESTDIR=/zaurus/binaries

-</pre>

-In the example above, we setup all of the usual gcc + bin-utils programs, 

-as well as setting the LD_LIBRARY_PATH to our cross-compiled system libraries, 

-and DESTDIR to our output directory.

-</P>

-

-<H3>Kernel Source</H3>

-<P>Place a copy of the kernel source, setup for your target device somewhere on

-your filesystem and set KERNELSRC= to this directory.  You will need to prepare 

-your kernel source treefirst, by running "make menuconfig && make dep && make 

-modules".  Once this is done, you can move on to building FreeS/WAN</P>

-

-<H2><A NAME="building"></A>Building</H2>

-<H3>The Make Process</H3>

-<P>There are two parts to building FreeS/WAN - the userland programs and utilities, 

-and the ipsec.o kernel module.  Each can be built seperatly, making debugging the

-build process simpler.

-</P>

-<P>Step 1 is to run "make programs".  This will build the required libs 

-(libfreeswan.a) as well as all of the userland tools (pluto, whack, etc...).  

-Provided your environment variables are set correctly, you should see the output

-using your specified gcc (arm-linux-gcc for our example), ld, as, ar and 

-ranlib.</P>

-<P>If this completes successfully, you can run "make install" to install a copy of

-all of the binaries, man pages and other documentation to DESTDIR.</P>

-<P>Step 2 is to build the ipsec.o module.  This is done with "make oldmod", which

-should change into the KERNELSRC directory and then compile and link the required

-files to generate an ipsec.o file.  If this is successful, you will end up with an

-ipsec.o file in your FreeS/WAN directory, under linux/net/ipsec/.</P>

-<P>Remember to install this to /lib/modules/$kernelversion/kernel/net/ipsec/ on 

-your target machine.</P>

-

-

-

-<H2><A NAME="common"></A>Common Problems Building</H2>

-<P>Here is a list of common problems/errors you may run into when cross compiling

-FreeS/WAN.</P>

-<UL>

-<LI>gmp.h, libgmp not found, error with -lgmp.  All of these refer to the GNU Math 

-Precision Library.  You will need to have already built this for your target 

-system.  Place libgmp.so in LD_LIBRARY_PATH, and ensure the headers are in your

-include path as well.

-</UL>

-

-<P><BR><BR>

-</P>

-</BODY>

-</HTML>

diff --git a/doc/src/faq.html b/doc/src/faq.html
deleted file mode 100644
index f62fc1c88..000000000
--- a/doc/src/faq.html
+++ /dev/null
@@ -1,2770 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN FAQ</title>
-  <meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN, FAQ">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: faq.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1>FreeS/WAN FAQ</h1>
-
-<p>This is a collection of questions and answers, mostly taken from the
-FreeS/WAN <a href="mail.html">mailing list</a>. See the project <a
-href="http://www.freeswan.org/">web site</a> for more information. All the
-FreeS/WAN documentation is online there.</p>
-
-<p>Contributions to the FAQ are welcome. Please send them to the project <a
-href="mail.html">mailing list</a>.</p>
-<hr>
-
-<h2><a name="questions">Index of FAQ questions</a></h2>
-<ul>
-  <li><a href="#whatzit">What is FreeS/WAN?</a></li>
-  <li><a href="#problems">How do I report a problem or seek help?</a></li>
-  <li><a href="#generic">Can I get ...</a>
-    <ul>
-      <li><a href="#lemme_out">... an off-the-shelf system that includes
-        FreeS/WAN?</a></li>
-      <li><a href="#contractor">... contractors or staff who know
-        FreeS/WAN?</a></li>
-      <li><a href="#commercial">... commercial support?</a></li>
-    </ul>
-  </li>
-  <li><a href="#release">Release questions</a>
-    <ul>
-      <li><a href="#rel.current">What is the current release?</a></li>
-      <li><a href="#relwhen">When is the next release?</a></li>
-      <li><a href="#rel.bugs">Are there known bugs in the current
-      release?</a></li>
-    </ul>
-  </li>
-  <li><a href="mod_cons">Modifications and contributions</a>
-    <ul>
-      <li><a href="#modify.faq">Can I modify FreeS/WAN to ...?</a></li>
-      <li><a href="#contrib.faq">Can I contribute to the project?</a></li>
-      <li><a href="#ddoc.faq">Is there detailed design documentation?</a></li>
-    </ul>
-  </li>
-  <li><a href="#interact">Will FreeS/WAN work in my environment?</a>
-    <ul>
-      <li><a href="#interop.faq">Can FreeS/WAN talk to ... ?</a></li>
-      <li><a href="#old_to_new">Can different FreeS/WAN versions talk to each
-        other?</a></li>
-      <li><a href="#faq.bandwidth">Is there a limit on throughput?</a></li>
-      <li><a href="#faq.number">Is there a limit on number of
-      connections?</a></li>
-      <li><a href="#faq.speed">Is a ... fast enough to handle FreeS/WAN with
-        my loads?</a></li>
-    </ul>
-  </li>
-  <li><a href="#work_on">Will FreeS/WAN work on ...</a>
-    <ul>
-      <li><a href="#versions">... my version of Linux?</a></li>
-      <li><a href="#nonIntel.faq">... non-Intel CPUs?</a></li>
-      <li><a href="#multi.faq">... multiprocessors?</a></li>
-      <li><a href="#k.old">... an older kernel?</a></li>
-      <li><a href="#k.versions">... the latest kernel version?</a></li>
-      <li><a href="#interface.faq">... unusual network hardware?</a></li>
-      <li><a href="#vlan">... a VLAN (802.1q) network?</a></li>
-    </ul>
-  </li>
-  <li><a href="#features.faq">Does FreeS/WAN support ...</a>
-    <ul>
-      <li><a href="#VPN.faq">... site-to-site VPN applications</a></li>
-      <li><a href="#warrior.faq">... remote users connecting to a LAN</a></li>
-      <li><a href="#road.shared.possible">... remote users using shared
-        secret authentication?</a></li>
-      <li><a href="#wireless.faq">... wireless networks</a></li>
-      <li><a href="#PKIcert">... X.509 or other PKI certificates?</a></li>
-      <li><a href="#Radius">... user authentication (Radius, SecureID,
-        Smart Card ...)?</a></li>
-      <li><a href="#NATtraversal">... NAT traversal</a></li>
-      <li><a href="#virtID">... assigning a "virtual identity" to a remote
-        system?</a></li>
-      <li><a href="#noDES.faq">... single DES encryption?</a></li>
-      <li><a href="#AES.faq">... AES encryption?</a></li>
-      <li><a href="#other.cipher">... other encryption algorithms?</a></li>
-    </ul>
-  </li>
-  <li><a href="#canI">Can I ...</a>
-    <ul>
-      <li><a href="#policy.preconfig">...use policy groups along with 
-         explicitly configured connections?</a></li>
-      <li><a href="#policy.off">...turn off policy groups?</a></li>
-<!--
-      <li><a href="#policy.otherinterface">...use policy groups
-      on an interface other than <VAR>%defaultroute</VAR>?</a></li>
--->
-      <li><a href="#reload">... reload connection info without
-      restarting?</a></li>
-      <li><a href="#masq.faq">... use several masqueraded subnets?</a></li>
-      <li><a href="#dup_route">... use subnets masqueraded to the same
-        addresses?</a></li>
-      <li><a href="#road.masq">... assign a road warrior an address on my net
-        (a virtual identity)?</a></li>
-      <li><a href="#road.many">... support many road warriors with one
-        gateway?</a></li>
-      <li><a href="#road.PSK">... have many road warriors using shared secret
-        authentication?</a></li>
-      <li><a href="#QoS">... use Quality of Service routing with
-        FreeS/WAN?</a></li>
-      <li><a href="#deadtunnel">... recognise dead tunnels and shut them
-        down?</a></li>
-      <li><a href="#demanddial">... build IPsec tunnels over a demand-dialed
-        link?</a></li>
-      <li><a href="#GRE">... build GRE, L2TP or PPTP tunnels over IPsec?</a></li>
-      <li><a href="#NetBIOS">... use Network Neighborhood (Samba, NetBIOS) over IPsec?</a></li>
-    </ul>
-  </li>
-  <li><a href="#setup.faq">Life's little mysteries</a>
-    <ul>
-      <li><a href="#cantping">I cannot ping ....</a></li>
-      <li><a href="#forever">It takes forever to ...</a></li>
-      <li><a href="#route">I send packets to the tunnel with route(8) but
-        they vanish</a></li>
-      <li><a href="#down_route">When a tunnel goes down, packets
-      vanish</a></li>
-      <li><a href="#firewall_ate">The firewall ate my packets!</a></li>
-      <li><a href="#dropconn">Dropped connections</a></li>
-      <li><a href="#defaultroutegone">Disappearing %defaultroute</a></li>
-      <li><a href="#tcpdump.faq">TCPdump on the gateway shows strange
-        things</a></li>
-      <li><a href="#no_trace">Traceroute does not show anything between the
-        gateways</a></li>
-    </ul>
-  </li>
-  <li><a href="#man4debug">Testing in stages (or .... works but ...
-    doesn't)</a>
-    <ul>
-      <li><a href="#nomanual">Manually keyed connections don't work</a></li>
-      <li><a href="#spi_error">One manual connection works, but second one
-        fails</a></li>
-      <li><a href="#man_no_auto">Manual connections work, but automatic
-        keying doesn't</a></li>
-      <li><a href="#nocomp">IPsec works, but connections using compression
-        fail</a></li>
-      <li><a href="#pmtu.broken">Small packets work, but large transfers
-        fail</a></li>
-      <li><a href="#subsub">Subnet-to-subnet works, but tests from the
-        gateways don't</a></li>
-    </ul>
-  </li>
-  <li><a href="#compile.faq">Compilation problems</a>
-    <ul>
-      <li><a href="#gmp.h_missing">gmp.h: No such file or directory</a></li>
-      <li><a href="#noVM">... virtual memory exhausted</a></li>
-    </ul>
-  </li>
-  <li><a href="#error">Interpreting error messages</a>
-    <ul>
-      <li><a href="#route-client">route-client (or host) exited with status
-        7</a></li>
-      <li><a href="#unreachable">SIOCADDRT:Network is unreachable</a></li>
-      <li><a href="#modprobe">ipsec_setup: modprobe: Can't locate
-        moduleipsec</a></li>
-      <li><a href="#noKLIPS">ipsec_setup: Fatal error, kernel appears to lack
-        KLIPS</a></li>
-      <li><a href="#noDNS">ipsec_setup: ... failure to fetch key for ... from
-        DNS</a></li>
-      <li><a href="#dup_address">ipsec_setup: ... interfaces ... and ...
-        share address ...</a></li>
-      <li><a href="#kflags">ipsec_setup: Cannot adjust kernel flags</a></li>
-      <li><a href="#message_num">Message numbers (MI3, QR1, et cetera) in
-        Pluto messages</a></li>
-      <li><a href="#conn_name">Connection names in Pluto error
-      messages</a></li>
-      <li><a href="#cantorient">Pluto: ... can't orient connection</a></li>
-      <li><a href="#no.interface">... we have no ipsecN interface for either
-        end of this connection</a></li>
-      <li><a href="#noconn">Pluto: ... no connection is known</a></li>
-      <li><a href="#nosuit">Pluto: ... no suitable connection ...</a></li>
-      <li><a href="#noconn.auth">Pluto: ... no connection has been
-        authorized</a></li>
-      <li><a href="#noDESsupport">Pluto: ... OAKLEY_DES_CBC is not
-        supported.</a></li>
-      <li><a href="#notransform">Pluto: ... no acceptable transform</a></li>
-      <li><a href="#rsasigkey">rsasigkey dumps core</a></li>
-      <li><a href="#sig4">!Pluto failure!: ... exited with ... signal
-      4</a></li>
-      <li><a href="#econnrefused">ECONNREFUSED error message</a></li>
-      <li><a href="#no_eroute">klips_debug: ... no eroute!</a></li>
-      <li><a href="#SAused">... trouble writing to /dev/ipsec ... SA already
-        in use</a></li>
-      <li><a href="#ignore">... ignoring ... payload</a></li>
-      <li><a href="#unknown_rightcert">unknown parameter name "rightcert"</a></li> 
-    </ul>
-  <li><a href="#spam">Why don't you restrict the mailing lists to reduce
-    spam?</a></li>
-</ul>
-<hr>
-
-<h2><a name="whatzit">What is FreeS/WAN?</a></h2>
-
-<p>FreeS/WAN is a Linux implementation of the <a
-href="glossary.html#IPSEC">IPsec</a> protocols, providing security services
-at the IP (Internet Protocol) level of the network.</p>
-
-<p>For more detail, see our <a href="intro.html">introduction</a> document or
-the FreeS/WAN project <a href="http://www.freeswan.org/">web site</a>.</p>
-
-<p>To start setting it up, go to our <a href="quickstart.html">quickstart
-guide</a>.</p>
-
-<p>Our <a href="web.html">web links</a> document has information on <a
-href="web.html#implement">IPsec for other systems</a>.</p>
-
-<h2><a name="problems">How do I report a problem or seek help?</a></h2>
-
-<DL>
-<DT>Read our <a href="trouble.html">troubleshooting</a> document.</DT>
-<DD><p>It may guide you to a solution. If not, see its 
-<a href="trouble.html#prob.report">problem reporting</a> section.</p>
-
-<p>Basically, what it says is <strong>give us the output from <var>ipsec
-barf</var> from both gateways</strong>. Without full information, we cannot
-diagnose a problem. However, <var>ipsec barf</var> produces a lot of output.
-If at all possible, <strong>please make barfs accessible via the web or
-FTP</strong> rather than sending enormous mail messages.</p>
-</DD>
-
-<DT><strong>Use the <a href="mail.html">users mailing list</a> for problem
-reports</strong>, rather than mailing developers directly.
-</DT>
-
-<DD>
-<ul>
-  <li>This gives you access to more expertise, including users who may have
-    encountered and solved the same problems.</li>
-  <li>It is more likely to get a quick response. Developers may get behind on
-    email, or even ignore it entirely for a while, but a list message (given
-    a reasonable Subject: line) is certain to be read by a fair number of
-    people within hours.</li>
-  <li>It may also be important because of <a
-    href="politics.html#exlaw">cryptography export laws</a>. A US citizen who
-    provides technical assistance to foreign cryptographic work might be
-    charged under the arms export regulations. Such a charge would be easier
-    to defend if the discussion took place on a public mailing list than if
-    it were done in private mail.</li>
-</ul>
-</DD>
-
-<DT>Try irc.freenode.net#freeswan.</DT>
-
-<DD>
-<p>FreeS/WAN developers, volunteers and users can often be found there. 
-Be patient and be 
-prepared to provide lots of information to support your question.</p>
-
-<p>If your question was really interesting, and you found an answer,
-please share that with the class by posting to the 
-<a href="mail.html">users mailing list</a>. That way others with the
-same problem can find your answer in the archives.</p>
-</DD>
-
-<DT>Premium support is also available.</DT>
-<DD>
-<p>See the next several questions.</p>
-</DD>
-</DL>
-
-<h2><a name="generic">Can I get ...</a></h2>
-
-<h3><a name="lemme_out">Can I get an off-the-shelf system that includes
-FreeS/WAN?</a></h3>
-
-<p>There are a number of Linux distributions or firewall products which
-include FreeS/WAN. See this <a href="intro.html#products">list</a>. Using one
-of these, chosen to match your requirements and budget, may save you
-considerable time and effort.</p>
-
-<p>If you don't know your requirements, start by reading Schneier's <a
-href="biblio.html#secrets">Secrets and Lies</a>. That gives the best overview
-of security issues I have seen. Then consider hiring a consultant (see next
-question) to help define your requirements.</p>
-
-<h3><a name="consultant">Can I hire consultants or staff who know
-FreeS/WAN?</a></h3>
-
-<p>If you want the help of a contractor, or to hire staff with FreeS/WAN
-expertise, you could:</p>
-<ul>
-  <li>check availability in your area through your local Linux User Group (<a
-    href="http://lugww.counter.li.org/">LUG Index</a>)</li>
-  <li>try asking on our <a href="mail.html">mailing list</a></li>
-</ul>
-
-<p>For companies offerring support, see the next question.</p>
-
-<h3><a name="commercial">Can I get commercial support?</a></h3>
-
-<p>Many of the distributions or firewall products which include FreeS/WAN
-(see this <a href="intro.html#products">list</a>) come with commercial
-support or have it available as an option.</p>
-
-<p>Various companies specialize in commercial support of open source
-software. Our project leader was a founder of the first such company, Cygnus
-Support. It has since been bought by <a
-href="http://www.redhat.com">Redhat</a>. Another such firm is <a
-href="http://www.linuxcare.com">Linuxcare</a>.</p>
-
-<h2><a name="release">Release questions</a></h2>
-
-<h3><a name="rel.current">What is the current release?</a></h3>
-
-<p>The current release is the highest-numbered tarball on our <a
-href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">distribution site</a>. Almost
-always, any of <a href="intro.html#mirrors">the mirrors</a> will have the
-same file, though perhaps not for a day or so after a release.</p>
-
-<p>Unfortunately, the web site is not always updated as quickly as it should
-be.</p>
-
-<h3><a name="relwhen">When is the next release?</a></h3>
-
-<p>We try to do a release approximately every six to eight weeks.
-</p>
-
-<p>If pre-release tests fail and the fix appears complex, or more generally
-if the code does not appear stable when a release is scheduled, we will just
-skip that release.</p>
-
-<p>For serious bugs, we may bring out an extra bug-fix release. These get
-numbers in the normal release series.  For example, there was a bug found in
-FreeS/WAN 1.6, so we did another release less than two weeks later. The
-bug-fix release was called 1.7.</p>
-
-<h3><a name="rel.bugs">Are there known bugs in the current release?</a></h3>
-
-<p>Any problems we are aware of at the time of a release are documented in
-the <a href="../BUGS">BUGS</a> file for that release. You should also look at
-the <a href="../CHANGES">CHANGES</a> file.</p>
-
-<p>Bugs discovered after a release are discussed on the <a
-href="mail.html">mailing lists</a>. The easiest way to check for any problems
-in the current code would be to peruse the 
-<a href="http://lists.freeswan.org/pipermail/briefs">List In Brief</a>.</p>
-
-<h2><a name="mod_cons">Modifications and contributions</a></h2>
-
-<h3><a name="modify.faq">Can I modify FreeS/WAN to ...?</a></h3>
-
-<p>You are free to modify FreeS/WAN in any way. See the discussion of <a
-href="intro.html#licensing">licensing</a> in our introduction document.</p>
-
-<p>Before investing much energy in any such project, we suggest that you</p>
-<ul>
-  <li>check the list of <a href="web.html#patch">existing patches</a></li>
-  <li>post something about your project to the <a href="mail.html">design
-    mailing list</a></li>
-</ul>
-
-<p>This may prevent duplicated effort, or lead to interesting
-collaborations.</p>
-
-<h3><a name="contrib.faq">Can I contribute to the project?</a></h3>
-In general, we welcome contributions from the community. Various contributed
-patches, either to fix bugs or to add features, have been incorporated into
-our distribution. Other patches, not yet included in the distribution, are
-listed in our <a href="web.html#patch">web links</a> section.
-
-<p>Users have also contributed heavily to documentation, both by creating
-their own <a href="intro.html#howto">HowTos</a> and by posting things on the
-<a href="mail.html">mailing lists</a> which I have quoted in these HTML
-docs.</p>
-
-<p>There are, however, some caveats.</p>
-
-<p>FreeS/WAN is being implemented in Canada, by Canadians, largely to ensure
-that is it is entirely free of export restrictions. See this <a
-href="politics.html#status">discussion</a>. We <strong>cannot accept code
-contributions from US residents or citizens</strong>, not even one-line bugs
-fixes. The reasons for this were recently discussed extensively on the
-mailing list, in a thread starting <a
-href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/01/msg00111.html">here</a>.</p>
-
-<p>Not all contributions are of interest to us. The project has a set of
-fairly ambitious and quite specific goals, described in our <a
-href="intro.html#goals">introduction</a>. Contributions that lead toward
-these goals are likely to be welcomed enthusiastically. Other contributions
-may be seen as lower priority, or even as a distraction.</p>
-
-<p>Discussion of possible contributions takes place on the <a
-href="mail.html">design mailing list</a>.</p>
-
-<h3><a name="ddoc.faq">Is there detailed design documentation?</a></h3>
-There are:
-<ul>
-  <li><a href="rfc.html">RFCs</a> specifying the protocols we implement</li>
-  <li><a href="manpages.html">man pages</a> for our utilities, library
-    functions and file formats</li>
-  <li>comments in the source code</li>
-  <li><a href="index.html">HTML documentation</a> written primarily for
-  users</li>
-  <li>archived discussions from the <a href="mail.html">mailing lists</a></li>
-  <li>other papers mentioned in our <a
-    href="intro.html#applied">introduction</a></li>
-</ul>
-
-<p>The only formal design documents are a few papers in the last category
-above. All the other categories, however, have things to say about design as
-well.</p>
-
-<h2><a name="interact">Will FreeS/WAN work in my environment?</a></h2>
-
-<h3><a name="interop.faq">Can FreeS/WAN talk to ...?</a></h3>
-
-<p>The IPsec protocols are designed to support interoperation. In theory, any
-two IPsec implementations should be able to talk to each other. In practice,
-it is considerably more complex. We have a whole <a
-href="interop.html">interoperation document</a> devoted to this problem.</p>
-
-<p>An important part of that document is links to the many <a
-href="interop.html#otherpub">user-written HowTos</a> on interoperation
-between FreeS/WAN and various other implementations. Often the users know
-more than the developers about these issues (and almost always more than me
-:-), so these documents may be your best resource.</p>
-
-<h3><a name="old_to_new">Can different FreeS/WAN versions talk to each
-other?</a></h3>
-
-<p>Linux FreeS/WAN can interoperate with many IPsec implementations,
-including earlier versions of Linux FreeS/WAN itself.</p>
-
-<p>In a few cases, there are some complications. See our <a
-href="interop.html#oldswan">interoperation</a> document for details.</p>
-
-<h3><a name="faq.bandwidth">Is there a limit on throughput?</a></h3>
-
-<p>There is no hard limit, but see below.</p>
-
-<h3><a name="faq.number">Is there a limit on number of tunnels?</a></h3>
-
-<p>There is no hard limit, but see next question.</p>
-
-<h3><a name="faq.speed">Is a ... fast enough to handle FreeS/WAN with my
-loads?</a></h3>
-
-<p>A quick summary:</p>
-<dl>
-  <dt>Even a limited machine can be useful</dt>
-    <dd>A 486 can handle a T1, ADSL or cable link, though the machine may be
-      breathing hard.</dd>
-  <dt>A mid-range PC (say 800 MHz with good network cards) can do a lot of
-  IPsec</dt>
-    <dd>With up to roughly 50 tunnels and aggregate bandwidth of 20 Megabits
-      per second, it willl have cycles left over for other tasks.</dd>
-  <dt>There are limits</dt>
-    <dd>Even a high end CPU will not come close to handling a fully loaded
-      100 Mbit/second Ethernet link.
-      <p>Beyond about 50 tunnels it needs careful management.</p>
-    </dd>
-</dl>
-
-<p>See our <a href="performance.html">FreeS/WAN performance</a> document for
-details.</p>
-
-<h2><a name="work_on">Will FreeS/WAN work on ... ?</a></h2>
-
-<h3><a name="versions">Will FreeS/WAN run on my version of Linux?</a></h3>
-
-<p>We build and test on Redhat distributions, but FreeS/WAN runs just fine on
-several other distributions, sometimes with minor fiddles to adapt to the
-local environment. Details are in our <a
-href="compat.html#otherdist">compatibility</a> document. Also, some
-distributions or products come with <a href="intro.html#products">FreeS/WAN
-included</a>.</p>
-
-<h3><a name="nonIntel.faq">Will FreeS/WAN run on non-Intel CPUs?</a></h3>
-
-<p>FreeS/WAN is <strong>intended to run on all CPUs Linux supports</strong>.
-We know of it being used in production on x86, ARM, Alpha and MIPS. It has
-also had successful tests on PPC and SPARC, though we don't know of actual
-use there. Details are in our <a href="compat.html#CPUs">compatibility</a>
-document.</p>
-
-<h3><a name="multi.faq">Will FreeS/WAN run on multiprocessors?</a></h3>
-
-<p>FreeS/WAN is designed to work on any SMP architecture Linux supports, and
-has been tested successfully on at least dual processor Intel architecture
-machines. Details are in our <a
-href="compat.html#multiprocessor">compatibility</a> document.</p>
-
-<h3><a name="k.old">Will FreeS/WAN work on an older kernel?</a></h3>
-
-<p>It might, but we strongly recommend using a recent 2.2 or 2.4 series
-kernel. Sometimes the newer versions include security fixes which can be
-quite important on a gateway.</p>
-
-<p>Also, we use recent kernels for development and testing, so those are
-better tested and, if you do encounter a problem, more easily supported. If
-something breaks applying recent FreeS/WAN patches to an older kernel, then
-"update your kernel" is almost certain to be the first thing we suggest. It
-may be the only suggestion we have.</p>
-
-<p>The precise kernel versions supported by a particular FreeS/WAN release
-are given in the <a href="XX">README</a> file of that release.</p>
-
-<p>See the following question for more on kernels.</p>
-
-<h3><a name="k.versions">Will FreeS/WAN run on the latest kernel
-version?</a></h3>
-
-<p>Sometimes yes, but quite often, no.</p>
-
-<p>Kernel versions supported are given in the <a href="../README">README</a>
-file of each FreeS/WAN release. Typically, they are whatever production
-kernels were current at the time of our release (or shortly before; we might
-release for kernel <var>n</var> just as Linus releases <var>n+1</var>). Often
-FreeS/WAN will work on slightly later kernels as well, but of course this
-cannot be guaranteed.</p>
-
-<p>For example, FreeS/WAN 1.91 was released for kernels 2.2.19 or 2.4.5, the
-current kernels at the time. It also worked on 2.4.6, 2.4.7 and 2.4.8, but
-2.4.9 had changes that caused compilation errors if it was patched with
-FreeS/WAN 1.91.</p>
-
-<p>When such changes appear, we put a fix in the FreeS/WAN snapshots, and
-distribute it with our next release. However, this is not a high priority for
-us, and it may take anything from a few days to several weeks for such a
-problem to find its way to the top of our kernel programmer's To-Do list. In
-the meanwhile, you have two choices:</p>
-<ul>
-  <li>either stick with a slightly older kernel, even if it is not the latest
-    and greatest. This is recommended for production systems; new versions
-    may have new bugs.</li>
-  <li>or fix the problem yourself and send us a patch, via the <a
-    href="mail.html">Users mailing list</a>.</li>
-</ul>
-
-<p>We don't even try to keep up with kernel changes outside the main 2.2 and
-2.4 branches, such as the 2.4.x-ac patched versions from Alan Cox or the 2.5
-series of development kernels. We'd rather work on developing the FreeS/WAN
-code than on chasing these moving targets. We are, however, happy to get
-patches for problems discovered there.</p>
-
-<p>See also the <a href="install.html#choosek">Choosing a kernel</a> section
-of our installation document.</p>
-
-<h3><a name="interface.faq">Will FreeS/WAN work on unusual network
-hardware?</a></h3>
-
-<p>IPsec is designed to work over any network that IP works over, and
-FreeS/WAN is intended to work over any network interface hardware that Linux
-supports.</p>
-
-<p>If you have working IP on some unusual interface -- perhaps Arcnet, Token
-Ring, ATM or Gigabit Ethernet -- then IPsec should "just work".</p>
-
-<p>That said, practice is sometimes less tractable than theory. Our testing
-is done almost entirely on:</p>
-<ul>
-  <li>10 or 100 Mbit Ethernet</li>
-  <li>ADSL or cable connections, with and without PPPoE</li>
-  <li>IEEE 802.11 wireless LANs (see <a href="#wireless.faq">below</a>)</li>
-</ul>
-
-<p>If you have some other interface, especially an uncommon one, it is
-entirely possible you will get bitten either by a FreeS/WAN bug which our
-testing did not turn up, or by a bug in the driver that shows up only with
-our loads.</p>
-
-<p>If IP works on your interface and FreeS/WAN doesn't, seek help on the <a
-href="mail.html">mailing lists</a>.</p>
-
-<p>Another FAQ section describes <a href="#pmtu.broken">MTU problems</a>.
-These are a possibility for some interfaces.</p>
-
-<h3><a name="vlan">Will FreeS/WAN work on a VLAN (802.1q) network?</a></h3>
-
-<p>
-   Yes, FreeSwan works fine, though some network drivers have problems
-   with jumbo sized ethernet frames. If you used interfaces=%defaultroute
-   you do not need to change anything, but if you specified an interface
-   (eg eth0) then remember you must change that to reflect the VLAN
-   interface (eg eth0.2 for VLAN ID 2).
-</p>
-<p>
-   The "eepro100" module is known to be broken, use the e100 driver
-   for those cards instead (included in 2.4 as 'alternative driver' for
-   the Intel EtherExpressPro/100.
-</p>
-<p>
-   You do not need to change any MTU setting (those are workarounds
-   that are only needed for buggy drivers)
-</p>
-
-<p><em>This FAQ contributed by Paul Wouters.</em></p>
-
-<h2><a name="features.faq">Does FreeS/WAN support ...</a></h2>
-
-<p>For a discussion of which parts of the IPsec specifications FreeS/WAN does
-and does not implement, see our <a href="compat.html#spec">compatibility</a>
-document.</p>
-
-<p>For information on some often-requested features, see below.</p>
-
-<h3><a name="VPN.faq"></a>Does FreeS/WAN support site-to-site VPN
-(<A HREF="glossary.html#VPN">Virtual Private Network</A>)
-applications?</h3>
-
-<p>Absolutely. See this FreeS/WAN-FreeS/WAN 
-<A HREF="config.html">configuration example</A>. 
-If only one site is using FreeS/WAN, there may be a relevant HOWTO on our 
-<A HREF="interop.html">interop page</A>.
-</p>
-
-<h3><a name="warrior.faq">Does FreeS/WAN support remote users connecting to a
-LAN?</a></h3>
-
-<p>Yes. We call the remote users "Road Warriors". Check out our 
-FreeS/WAN-FreeS/WAN
-<A HREF="config.html#config.rw">Road Warrior Configuration Example</A>.</P>
-
-<p>If your Road Warrior is a Windows or Mac PC, you may need to 
-install an IPsec implementation on that machine. 
-Our <A HREF="interop.html">interop</A> page lists many available brands, 
-and features links to several HOWTOs.
-
-
-<h3><a name="road.shared.possible">Does FreeS/WAN support remote users using
-shared secret authentication?</a></h3>
-
-<p><strong>Yes, but</strong> there are severe restrictions, so <strong>we
-strongly recommend using </strong><a
-href="glossary.html#RSA"><strong>RSA</strong></a><strong> keys for
-</strong> <a
-href="glossary.html#authentication"><strong>authentication</strong></a>
-<strong>
-instead</strong>.</p>
-
-<p>See this <a href="#road.PSK">FAQ question</a>.</p>
-
-<h3><a name="wireless.faq">Does FreeS/WAN support wireless networks?</a></h3>
-
-<p>Yes, it is a common practice to use IPsec over wireless networks because
-their built-in encryption, <a href="glossary.html#WEP">WEP</a>, is
-insecure.</p>
-
-<p>There is some <a href="adv_config.html#wireless.config">discussion</a> in
-our advanced configuration document. See also the 
-<A HREF="http://www.wavesec.org">WaveSEC site</A>.</p>
-
-<h3><a name="PKIcert">Does FreeS/WAN support X.509 or other PKI
-certificates?</a></h3>
-
-<P>Vanilla FreeS/WAN does not support X.509, but Andreas Steffen 
-and others have provided a popular, well-supported X.509 patch.</P>
-
-<UL>
-<LI><A HREF="http://www.strongsec.com/freeswan">patch</A>
-</LI>
-<LI><A HREF="http://www.freeswan.ca">Super FreeS/WAN</A> incorporates
-this and other user-contributed patches.
-</LI>
-<LI>
-Kai Martius' <A HREF="http://www.strongsec.com/freeswan/install.htm">X.509 
-Installation and Configuration Guide</A>
-</LI>
-</UL>
-
-<P>
-Linux FreeS/WAN features
-<A HREF="quickstart.html">Opportunistic Encryption</A>, an alternative
-Public Key Infrastructure based on Secure DNS.
-</P>
-
-<h3><a name="Radius">Does FreeS/WAN support user authentication (Radius,
-SecureID, Smart Card...)?</a></h3>
-
-<P>Andreas Steffen's <A HREF="http://www.strongsec.com/freeswan">X.509 patch</A> (v. 1.42+) supports Smart Cards. The patch
-does not ship with vanilla FreeS/WAN, but will be incorporated into 
-<A HREF="http://www.freeswan.ca/">Super FreeS/WAN 
-2.01+</A>. The patch implements the PCKS#15 
-Cryptographic Token Information Format Standard, using the OpenSC smartcard 
-library functions.</P>
-
-<P>Older news:</P>
- 
-<P>A user-supported patch to FreeS/WAN 1.3, for smart card style 
-authentication, is available on
-<A HREF="http://alcatraz.webcriminals.com/~bastiaan/ipsec">Bastiaan's site</A>.
-It supports skeyid and ibutton.
-This patch is not part of Super FreeS/WAN.</p>
-
-<p>For a while progress on this front was impeded by a lack of standard.
-The IETF <a
-href="http://www.ietf.org/html.charters/ipsra-charter.html">working group</a>
-has now nearly completed its recommended solution to the problem; meanwhile 
-several vendors have implemented various things.</p>
-
-<!--
-<p>The <a href="web.html#patch">patches</a> section of our web links document
-has links to some user work on this.</p>
--->
-
-<p>Of course, there are various ways to avoid any requirement for user
-authentication in IPsec. Consider the situation where road warriors build
-IPsec tunnels to your office net and you are considering requiring user
-authentication during tunnel negotiation. Alternatives include:</p>
-<ul>
-  <li>If you can trust the road warrior machines, then set them up so that
-    only authorised users can create tunnels. If your road warriors use
-    laptops, consider the possibility of theft.</li>
-  <li>If the tunnel only provides access to particular servers and you can
-    trust those servers, then set the servers up to require user
-    authentication.</li>
-</ul>
-
-<p>If either of those is trustworthy, it is not clear that you need user
-authentication in IPsec.</p>
-
-
-<h3><a name="NATtraversal">Does FreeS/WAN support NAT traversal?</a></h3>
-
-<p>Vanilla FreeS/WAN does not, but thanks to Mathieu Lafon and
-Arkoon Network Security, there's a patch to support this.</P>
-
-<UL>
-<LI><A HREF="http://open-source.arkoon.net">patch and documentation</A>
-</LI>
-<LI><A HREF="http://www.freeswan.ca">Super FreeS/WAN</A> incorporates
-this and other user-contributed patches.
-</LI>
-</UL>
-
-<P>The NAT traversal patch has some issues with PSKs, so you may wish to 
-authenticate with RSA keys, or X.509 (requires a patch which is also 
-included in Super FreeS/WAN). Doing the latter also has
-advantages when dealing with large numbers of clients who may be behind NAT;
-instead of having to make an individual Roadwarrior connection for each
-virtual IP, you can use the "rightsubnetwithin" parameter to specify a range.
-See
-<A HREF="http://www.strongsec.com/freeswan/install.htm#section_4.4">these
-<VAR>rightsubnetwithin</VAR> instructions</A>.
-</P>
-
-
-<h3><a name="virtID">Does FreeS/WAN support assigning a "virtual identity" to
-a remote system?</a></h3>
-
-<p>Some IPsec implementations allow you to make the source address on packets
-sent by a Road Warrior machine be something other than the address of its
-interface to the Internet. This is sometimes described as assigning a virtual
-identity to that machine.</p>
-
-<p>FreeS/WAN does not directly support this, but it can be done. See this <a
-href="#road.masq">FAQ question</a>.</p>
-
-<h3><a name="noDES.faq">Does FreeS/WAN support single DES encryption?</a></h3>
-
-<p><strong>No</strong>, single DES is not used either at the <a
-href="glossary.html#IKE">IKE</a> level for negotiating connections or at the
-<a href="glossary.html#IPsec">IPsec</a> level for actually building them.</p>
-
-<p>Single DES is <a href="politics.html#desnotsecure">insecure</a>. As we see
-it, it is more important to deliver real security than to comply with a
-standard which has been subverted into allowing use of inadequate methods.
-See this <a href="politics.html#weak">discussion</a>.</p>
-
-<p>If you want to interoperate with an IPsec implementation which offers only
-DES, see our <a href="interop.html#noDES">interoperation</a> document.</p>
-
-<h3><a name="AES.faq">Does FreeS/WAN support AES encryption?</a></h3>
-
-<p><a href="glossary.html#AES">AES</a> is a new US government <a
-href="glossary.html#block">block cipher</a> standard to replace the obsolete
-<a href="glossary.html#DES">DES</a>.</p>
-
-<p>At time of writing (March 2002), the FreeS/WAN distribution does not yet
-support AES but user-written <a href="web.html#patch">patches</a> are
-available to add it. Our kernel programmer is working on integrating those
-patches into the distribution, and there is active discussion of this on the
-design mailimg list.</p>
-
-<h3><a name="other.cipher">Does FreeS/WAN support other encryption
-algorithms?</a></h3>
-
-<p>Currently <a href="glossary.html#3DES">triple DES</a> is the only cipher
-supported. AES will almost certainly be added (see previous question), and it
-is likely that in the process we will also add the other two AES finalists
-with open licensing, Twofish and Serpent.</p>
-
-<p>We are extremely reluctant to add other ciphers. This would make both use
-and maintenance of FreeS/WAN more complex without providing any clear
-benefit. Complexity is emphatically not desirable in a security product.</p>
-
-<p>Various users have written patches to add other ciphers. We provide <a
-href="web.html#patch">links</a> to these.</p>
-
-<h2><a name="canI">Can I ...</a></h2>
-
-
-<h3><a name="policy.preconfig">Can I use policy groups along with
-explicitly configured connections?</a></h3>
-
-<p>Yes, you can, so long as you pay attention to the selection rule, 
-which can be summarized "the most specific 
-connection wins". We describe the rule in our
-<A HREF="policygroups.html#policy.group.notes">policy groups</A> document,
-and provide a more technical explanation in 
-<A HREF="manpage.d/ipsec.conf.5.html">man ipsec.conf</A>.
-</p>
-
-<p>A good guideline: If you have a regular connection defined in 
-<VAR>ipsec.conf</VAR>, ensure that a subset of that connection
-is not listed in a less restrictive policy group. Otherwise, 
-FreeS/WAN will use the subset, with its more specific source/destination 
-pair.</p>
-
-<p>Here's an example. Suppose you are the system administrator at 192.0.2.2.
-You have this connection in ipsec.conf:
-<VAR>ipsec.conf</VAR>:
-
-<PRE>conn net-to-net
-    left=192.0.2.2           # you are here
-    right=192.0.2.8
-    rightsubnet=192.0.2.96/27
-    ....
-</PRE>
-
-<p>If you then place a host or net within <VAR>rightsubnet</VAR>, 
-(let's say 192.0.2.98) in <VAR>private-or-clear</VAR>, you may find 
-that 192.0.2.2 at times communicates in the
-clear with 192.0.2.98. That's consistent with the rule, but may be 
-contrary to your expectations.</p>
-
-<p>On the other hand, it's safe to put a larger subnet in a less
-restrictive policy group file. If <VAR>private-or-clear</VAR>
-contains 192.0.2.0/24, then the more specific <VAR>net-to-net</VAR>
-connection is used for any communication to 192.0.2.96/27. The
-more general policy applies only to communication with hosts or subnets in 
-192.0.2.0/24 without a more specific policy or connection.</p>
-
-
-<h3><a name="policy.off">Can I turn off policy groups?</a></h3>
-
-<p>Yes. Use <A HREF="policygroups.html#disable_policygroups">these
-instructions</A>.</p>
-
-<!--
-<h3><a name="policy.otherinterface">Can I use policy groups
- on an interface other than <VAR>%defaultroute</VAR>?</a></h3>
-
-<p>??<p>
--->
-
-<h3><a name="reload">Can I reload connection info without restarting?</a></h3>
-
-<p>Yes, you can do this. Here are the details, in a mailing list message from
-Pluto programmer Hugh Redelmeier:</p>
-<pre>| How can I reload config's without restarting all of pluto and klips?  I am using
-| FreeSWAN -&gt; PGPNet in a medium sized production environment, and would like to be
-| able to add new connections ( i am using include config/* ) without dropping current
-| SA's.
-| 
-| Can this be done?
-| 
-| If not, are there plans to add this kind of feature?
-
-        ipsec auto --add whatever
-This will look in the usual place (/etc/ipsec.conf) for a conn named
-whatever and add it.
-
-If you added new secrets, you need to do
-        ipsec auto --rereadsecrets
-before Pluto needs to know those secrets.
-
-| I have looked (perhaps not thoroughly enough tho) to see how to do this:
-
-There may be more bits to look for, depending on what you are trying
-to do.</pre>
-
-<p>Another useful command here is <var>ipsec auto --replace
-&lt;conn_name&gt;</var> which re-reads data for a named connection.</p>
-
-<h3><a name="masq.faq">Can I use several masqueraded subnets?</a></h3>
-
-<p>Yes. This is done all the time. See the discussion in our <a
-href="config.html#route_or_not">setup</a> document. The only restriction is
-that the subnets on the two ends must not overlap. See the next question.</p>
-
-<p>Here is a mailing list message on the topic. The user incorrectly thinks
-you need a 2.4 kernel for this -- actually various people have been doing it
-on 2.0 and 2.2 for quite some time -- but he has it right for 2.4.</p>
-<pre>Subject: Double NAT and freeswan working :)
-   Date: Sun, 11 Mar 2001
-   From: Paul Wouters &lt;paul@xtdnet.nl&gt;
-
-Just to share my pleasure, and make an entry for people who are searching
-the net on how to do this. Here's the very simple solution to have a double
-NAT'ed network working with freeswan. (Not sure if this is old news, but I'm
-not on the list (too much spam) and I didn't read this in any HOWTO/FAQ/doc
-on the freeswan site yet (Sandy, put it in! :)
-
-10.0.0.0/24 --- 10.0.0.1 a.b.c.d  ---- a.b.c.e {internet} ----+
-                                                              |
-10.0.1.0/24 --- 10.0.1.1 f.g.h.i  ---- f.g.h.j {internet} ----+
-
-the goal is to have the first network do a VPN to the second one, yet also
-have NAT in place for connections not destinated for the other side of the
-NAT. Here the two Linux security gateways have one real IP number (cable
-modem, dialup, whatever.
-
-The problem with NAT is you don't want packets from 10.*.*.* to 10.*.*.*
-to be NAT'ed. While with Linux 2.2, you can't, with Linux 2.4 you can.
-
-(This has been tested and works for 2.4.2 with Freeswan snapshot2001mar8b)
-
-relevant parts of /etc/ipsec.conf:
-
-        left=f.g.h.i
-        leftsubnet=10.0.1.0/24
-        leftnexthop=f.g.h.j
-        leftfirewall=yes
-        leftid=@firewall.netone.nl
-        leftrsasigkey=0x0........
-        right=a.b.c.d
-        rightsubnet=10.0.0.0/24
-        rightnexthop=a.b.c.e
-        rightfirewall=yes
-        rightid=@firewall.nettwo.nl
-        rightrsasigkey=0x0......
-        # To authorize this connection, but not actually start it, at startup,
-        # uncomment this.
-        auto=add
-
-and now the real trick. Setup the NAT correctly on both sites:
-
-iptables -t nat -F
-iptables -t nat -A POSTROUTING -o eth0 -d \! 10.0.0.0/8 -j MASQUERADE
-
-This tells the NAT code to only do NAT for packets with destination other then
-10.* networks. note the backslash to mask the exclamation mark to protect it
-against the shell.
-
-Happy painting :)
-
-Paul</pre>
-
-<h3><a name="dup_route">Can I use subnets masqueraded to the same
-addresses?</a></h3>
-
-<p><strong>No.</strong> The notion that IP addresses are unique is one of the
-fundamental principles of the IP protocol. Messing with it is exceedingly
-perilous.</p>
-
-<p>Fairly often a situation comes up where a company has several branches,
-all using the same <a href="glossary.html#non-routable">non-routable
-addresses</a>, perhaps 192.168.0.0/24. This works fine as long as those nets
-are kept distinct. The <a href="glossary.html#masq">IP masquerading</a> on
-their firewalls ensures that packets reaching the Internet carry the firewall
-address, not the private address.</p>
-
-<p>This can break down when IPsec enters the picture. FreeS/WAN builds a
-tunnel that pokes through both masquerades and delivers packets from
-<var>leftsubnet</var> to <var>rightsubnet</var> and vice versa. For this to
-work, the two subnets <em>must</em> be distinct.</p>
-
-<p>There are several solutions to this problem.</p>
-
-<p>Usually, you <strong>re-number the subnets</strong>. Perhaps the Vancouver
-office becomes 192.168.101.0/24, Calgary 192.168.102.0/24 and so on.
-FreeS/WAN can happily handle this. With, for example
-<var>leftsubnet=192.168.101.0/24</var> and
-<var>rightsubnet=192.168.102.0/24</var> in a connection description, any
-machine in Calgary can talk to any machine in Vancouver. If you want to be
-more restrictive and use something like
-<var>leftsubnet=192.168.101.128/25</var> and
-<var>rightsubnet=192.168.102.240/28</var> so only certain machines on each
-end have access to the tunnel, that's fine too.</p>
-
-<p>You could also <strong>split the subnet</strong> into smaller ones, for
-example using <var>192.168.1.0/25</var> in Vancouver and
-<var>rightsubnet=192.168.0.128/25</var> in Calgary.</p>
-
-<p>Alternately, you can just <strong>give up routing</strong> directly to
-machines on the subnets. Omit the <var>leftsubnet</var> and
-<var>rightsubnet</var> parameters from your connection descriptions. Your
-IPsec tunnels will then run between the public interfaces of the two
-firewalls. Packets will be masqueraded both before they are put into tunnels
-and after they emerge. Your Vancouver client machines will see only one
-Calgary machine, the firewall.</p>
-
-<h3><a name="road.masq">Can I assign a road warrior an address on my net (a
-virtual identity)?</a></h3>
-
-<p>Often it would be convenient to be able to give a Road Warrior an IP
-address which appears to be on the local network. Some IPsec implementations
-have support for this, sometimes calling the feature "virtual identity".</p>
-
-<p>Currently (Sept 2002) FreeS/WAN does not support this, and we have
-no definite plans to add it. The difficulty is that is not yet a standard
-mechanism for it. There is an Internet Draft for a method of doing it using
-<a href="#DHCP">DHCP</a> which looks promising. FreeS/WAN may support that in
-a future release.</p>
-
-<p>In the meanwhile, you can do it yourself using the Linux iproute2(8)
-facilities. Details are in <a
-href="http://www.av8n.com/vpn/iproute2.htm">this
-paper</a>.</p>
-
-<p>Another method has also been discussed on the mailing list.:</p>
-<ul>
-  <li>You can use a variant of the <a
-    href="adv_config.html#extruded.config">extruded subnet</a> procedure.</li>
-  <li>You have to avoid having the road warrior's assigned address within the
-    range you actually use at home base. See previous question.</li>
-  <li>On the other hand, you want the roadwarrior's address to be within the
-    range that <em>seems</em> to be on your network.</li>
-</ul>
-
-<p>For example, you might have:</p>
-<dl>
-  <dt>leftsubnet=a.b.c.0/25</dt>
-    <dd>head office network</dd>
-  <dt>rightsubnet=a.b.c.129/32</dt>
-    <dd>extruded to a road warrior. Note that this is not in a.b.c.0/25</dd>
-  <dt>a.b.c.0/24</dt>
-    <dd>whole network, including both the above</dd>
-</dl>
-
-<p>You then set up routing so that the office machines use the IPsec gateway
-as their route to a.b.c.128/25. The leftsubnet parameter tells the road
-warriors to use tunnels to reach a.b.c.0/25, so you should have two-way
-communication. Depending or your network and applications, there may be some
-additional work to do on DNS or Windows configuration</p>
-
-<h3><a name="road.many">Can I support many road warriors with one
-gateway?</a></h3>
-
-<p>Yes. This is easily done, using</p>
-<dl>
-  <dt>either RSA authentication</dt>
-    <dd>standard in the FreeS/WAN distribution</dd>
-  <dt>or X.509 certificates</dt>
-    <dd>requires <a href="#PKIcert">Super FreeS/WAN or a patch</a>.</dd>
-</dl>
-
-<p>In either case, each Road Warrior must have a different key or
-certificate.</p>
-
-<p>It is also possible using pre-shared key authentication,
-though we don't recommend this; see the
-<a href="#road.PSK">next question</a> for details.</p>
-
-<p>If you expect to have more than a few dozen Road Warriors connecting
-simultaneously, you may need a fairly powerful gateway machine. See our
-document on <a href="performance.html">FreeS/WAN performance</a>.</p>
-
-<h3><a name="road.PSK">Can I have many road warriors using shared secret
-authentication?</a></h3>
-
-<p><STRONG>Yes, but avoid it if possible</STRONG>.</p>
-
-<p>You can have multiple Road Warriors using shared secret authentication
-<strong>only if they all use the same secret</strong>. You must also 
-set:<p>
-
-<PRE>   uniqueids=no   </PRE>
-
-<p>in the connection definition.</p>
-
-
-<p>Why it's less secure:</p>
-<ul>
-  <li>If you have many users, it becomes almost certain the secret will
-  leak</li>
-  <li>The secret becomes quite valuable to an attacker</li>
-  <li>All users authenticate the same way, so the gateway cannot tell them
-    apart for logging or access control purposes</li>
-  <li>Changing the secret is difficult. You have to securely notify all
-  users.</li>
-  <li>If you find out the secret has been compromised, you can change it, but
-    then what? None of your users can connect without the new secret. How
-    will you notify them all, quickly and securely, without using the
-  VPN?</li>
-</ul>
-
-<p>This is a designed-in limitation of the <a
-href="glossary.html#IKE">IKE</a> key negotiation protocol, not a problem with
-our implementation.</p>
-
-<p><strong>We very strongly recommend that you avoid using shared secret
-authentication for multiple Road Warriors.</strong> Use RSA authentication
-instead.</p>
-
-<p>The longer story: When using shared secrets, the protocol requires 
-that the responding
-gateway be able to determine which secret to use at a time when all it knows
-about the initiator is an IP address. This works fine if you know the
-initiator's address in advance and can use it to look up the appropiriate
-secret. However, it fails for Road Warriors since the gateway cannot know
-their IP addresses in advance.</p>
-
-<p>With RSA signatures (or certificates) the protocol is slightly different.
-The initiator provides an identifier early in the exchange and the responder
-can use that identifier to look up the correct key or certificate. See <a
-href="#road.many">above</a>.</p>
-
-<h3><a name="QoS">Can I use Quality of Service routing with
-FreeS/WAN?</a></h3>
-
-<p>From project technical lead Henry Spencer:</p>
-<pre>&gt; Do QoS add to FreeS/WAN?
-&gt; For example integrating DiffServ and FreeS/WAN?
-
-With a current version of FreeS/WAN, you will have to add hidetos=no to
-the config-setup section of your configuration file.  By default, the TOS
-field of tunnel packets is zeroed; with hidetos=no, it is copied from the
-packet inside.  (This is a modest security hole, which is why it is no
-longer the default.)
-
-DiffServ does not interact well with tunneling in general.  Ways of
-improving this are being studied.</pre>
-
-<p>Copying the <a href="glossary.html#TOS">TOS</a> (type of service)
-information from the encapsulated packet to the outer header reveals the TOS
-information to an eavesdropper. This does not tell him much, but it might be
-of use in <a href="glossary.html#traffic">traffic analysis</a>. Since we do
-not have to give it to him, our default is not to.</p>
-
-<P>Even with the TOS hidden, you can still:</P>
-<UL>
-<LI>apply QOS rules to the tunneled (ESP) packets; for example, by
-giving ESP packets a certain priority.</LI>
-<LI>apply QOS rules to the packets as they enter or exit the tunnel
-via an IPsec virtual interface (eg. <VAR>ipsec0</VAR>).</LI>
-</UL>
-
-<p>See <a href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> for more on
-the <var>hidetos=</var> parameter.</p>
-
-
-<h3><a name="deadtunnel">Can I recognise dead tunnels and shut them
-down?</a></h3>
-
-<p>There is no general mechanism to do this is in the IPsec protocols.</p>
-
-<p>From time to time, there is discussion on the IETF Working Group <a
-href="mail.html#ietf">mailing list</a> of adding a "keep-alive" mechanism
-(which some say should be called "make-dead"), but it is a fairly complex
-problem and no consensus has been reached on whether or how it should be
-done.</p>
-
-<p>The protocol does have optional <a href="#ignore">delete-SA</a> messages
-which one side can send when it closes a connection in hopes this will cause
-the other side to do the same. FreeS/WAN does not currently support these. In
-any case, they would not solve the problem since:</p>
-<ul>
-  <li>a gateway that crashes or hangs would not send the messages</li>
-  <li>the sender is not required to send them</li>
-  <li>they are not authenticated, so any receiver that trusts them leaves
-    itself open to a <a href="glossary.html#DOS">denial of service</a>
-  attack</li>
-  <li>the receiver is not required to do anything about them</li>
-  <li>the receiver cannot acknowledge them; the protocol provides no
-    mechanism for that</li>
-  <li>since they are not acknowledged, the sender cannot rely on them</li>
-</ul>
-
-<p>However, connections do have limited lifetimes and you can control how
-many attempts your gateway makes to rekey before giving up. For example, you
-can set:</p>
-<pre>conn default
-        keyingtries=3
-        keylife=30m</pre>
-
-<p>With these settings old connections will be cleaned up. Within 30 minutes
-of the other end dying, rekeying will be attempted. If it succeeds, the new
-connection replaces the old one. If it fails, no new connection is created.
-Either way, the old connection is taken down when its lifetime expires.</p>
-
-<p>Here is a mailing list message on the topic from FreeS/WAN tech support
-person Claudia Schmeing:</p>
-<pre>You ask how to determine whether a tunnel is redundant:
-
-&gt; Can anybody explain the best way to determine this. Esp when a RW has
-&gt; disconnected? I thought 'ipsec auto --status' might be one way.
-
-If a tunnel goes down from one end, Linux FreeS/WAN on the
-other end has no way of knowing this until it attempts to rekey.
-Once it tries to rekey and fails, it will 'know' that the tunnel is 
-down.
-
-Because it doesn't have a way of knowing the state until this point, 
-it will also not be able to tell you the state via ipsec auto --status.
-
-&gt; However, comparing output from a working tunnel with that of one that
-&gt; was closed 
-&gt; did not show clearly show tunnel status.
-
-If your tunnel is down but not 'unrouted' (see man ipsec_auto), you
-should not be able to ping the opposite side of the tunnel. You can
-use this as an indicator of tunnel status.
-
-On a related note, you may be interested to know that as of 1.7, 
-redundant tunnels caused by RW disconnections are likely to be 
-less of a pain. From doc/CHANGES:
-
-    There is a new configuration parameter, uniqueids, to control a new Pluto
-    option:  when a new connection is negotiated with the same ID as an old
-    one, the old one is deleted immediately.  This should help eliminate
-    dangling Road Warrior connections when the same Road Warrior reconnects. 
-    It thus requires that IDs not be shared by hosts (a previously legal but
-    probably useless capability).  NOTE WELL:  the sample ipsec.conf now has
-    uniqueids=yes in its config-setup section.
-
-
-Cheers,
-
-Claudia</pre>
-
-<h3><a name="demanddial">Can I build IPsec tunnels over a demand-dialed
-link?</a></h3>
-
-<p>This is possible, but not easy. FreeS/WAN technical lead Henry Spencer
-wrote:</p>
-<pre>&gt; 5. If the ISDN link goes down in between and is reestablished, the SAs
-&gt; are still up but the eroute are deleted and the IPsec interface shows
-&gt; garbage (with ifconfig)
-&gt; 6. Only restarting IPsec will bring the VPN back online.
-
-This one is awkward to solve.  If the real interface that the IPsec
-interface is mounted on goes down, it takes most of the IPsec machinery
-down with it, and a restart is the only good way to recover. 
-
-The only really clean fix, right now, is to split the machines in two: 
-
-1. A minimal machine serves as the network router, and only it is aware
-that the link goes up and down. 
-
-2. The IPsec is done on a separate gateway machine, which thinks it has
-a permanent network connection, via the router.
-
-This is clumsy but it does work.  Trying to do both functions within a
-single machine is tricky.  There is a software package (diald) which will
-give the illusion of a permanent connection for demand-dialed modem
-connections; I don't know whether it's usable for ISDN, or whether it can
-be made to cooperate properly with FreeS/WAN. 
-
-Doing a restart each time the interface comes up *does* work, although it
-is a bit painful.  I did that with PPP when I was running on a modem link;
-it wasn't hard to arrange the PPP scripts to bring IPsec up and down at
-the right times.  (I'd meant to investigate diald but never found time.)
-
-In principle you don't need to do a complete restart on reconnect, but you
-do have to rebuild some things, and we have no nice clean way of doing
-only the necessary parts.</pre>
-
-<p>In the same thread, one user commented:</p>
-<pre>Subject: Re: linux-ipsec: IPsec and Dial Up Connections
-   Date: Wed, 22 Nov 2000
-   From: Andy Bradford &lt;andyb@calderasystems.com&gt;
-
-On Wed, 22 Nov 2000 19:47:11 +0100, Philip Reetz wrote:
-
-&gt; Are there any ideas what might be the cause of the problem and any way
-&gt; to work around it.
-&gt; Any help is highly appreciated.
-
-On my laptop, when using ppp there is a ip-up script in /etc/ppp that 
-will be executed each time that the ppp interface is brought up.  
-Likewise there is an ip-down script that is called when it is taken 
-down.  You might consider custimzing those to stop and start FreeS/WAN 
-with each connection.  I believe that ISDN uses the same files, though 
-I could be wrong---there should be something similar though.</pre>
-
-<h3><a name="GRE">Can I build GRE, L2TP or PPTP tunnels over IPsec?</a></h3>
-
-<p>Yes. Normally this is not necessary, but it is useful in a few special
-cases. For example, if you must route non-IP packets such as IPX, you
-will need to use a tunneling protocol that can route these packets. IPsec
-can be layered around it for extra security. Another example: you 
-can provide failover protection for high availability (HA) environments by
-combining IPsec with other tools. Ken Bantoft describes one such setup in 
-<A HREF="http://www.freeswan.ca/docs/HA">Using FreeS/WAN with Linux-HA, GRE, 
-OSPF and BGP for enterprise grade VPN solutions</A>.</P>
-
-<p>GRE over IPsec is covered as part of 
-<A HREF="http://www.freeswan.ca/docs/HA">that document</A>. 
-<a href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00209.html">
-Here are links</a> to other GRE resources.
-
-Jacco de Leuw has created
-<A HREF="http://www.jacco2.dds.nl/networking/">this page on L2TP over IPsec</A> 
-with instructions for FreeS/WAN and several other brands of IPsec software.
-</P>
-
-<P>Please let us know of other useful links via the
-<A HREF="mail.html">mailing lists</A>.
-
-
-<h3><a name="NetBIOS">... use Network Neighborhood (Samba, NetBIOS) over IPsec?</a></h3>
-
-<p>Your local PC needs to know how to translate NetBIOS names to IP addresses.
-It may do this either via a local LMHOSTS file, or using a local or remote
-WINS server. The WINS server is preferable since it provides a centralized
-source of the information to the entire network. To use a WINS server over 
-the <A HREF="glossary.html#VPN">VPN</A>
-(or any IP-based network), you must enable "NetBIOS over TCP".</p>
-
-<p><A HREF="http://www.samba.org">Samba</A> can emulate a WINS server
-on Linux.</p>
-
-<p>
-See also several discussions in our 
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-September/thread.html">September 
-2002 Users archives</A></p>
-
-
-<h2><a name="setup.faq">Life's little mysteries</a></h2>
-
-<p>FreeS/WAN is a fairly complex product. (Neither the networks it runs on
-nor the protocols it uses are simple, so it could hardly be otherwise.) It
-therefore sometimes exhibits behaviour which can be somewhat confusing, or
-has problems which are not easy to diagnose. This section tries to explain
-those problems.</p>
-
-<p>Setup and configuration of FreeS/WAN are covered in other documentation
-sections:</p>
-<ul>
-  <li><a href="quickstart.html">basic setup and configuration</a></li>
-  <li><a href="adv_config.html">advanced configuration</a></li>
-  <li><a href="trouble.html">Troubleshooting</a></li>
-</ul>
-
-<p>However, we also list some of the commonest problems here.</p>
-
-<h3><a name="cantping">I cannot ping ....</a></h3>
-
-<p>This question is dealt with in the advanced configuration section under
-the heading <a href="adv_config.html#multitunnel">multiple tunnels</a>.</p>
-
-<p>The standard subnet-to-subnet tunnel protects traffic <strong>only between
-the subnets</strong>. To test it, you must use pings that go from one subnet
-to the other.</p>
-
-<p>For example, suppose you have:</p>
-<pre>      subnet a.b.c.0/24
-             |
-      eth1 = a.b.c.1
-         gate1
-      eth0 = 192.0.2.8
-             |
-
-       ~ internet ~
-
-             |
-      eth0 = 192.0.2.11
-         gate2
-      eth1 = x.y.z.1
-              |
-       subnet x.y.z.0/24</pre>
-
-<p>and the connection description:</p>
-<pre>conn abc-xyz
-     left=192.0.2.8
-     leftsubnet=a.b.c.0/24
-     right=192.0.2.11
-     rightsubnet=x.y.z.0/24</pre>
-
-<p>You can test this connection description only by sending a ping that will
-actually go through the tunnel. Assuming you have machines at addresses
-a.b.c.2 and x.y.z.2, pings you might consider trying are:</p>
-<dl>
-  <dt>ping from x.y.z.2 to a.b.c.2 or vice versa</dt>
-    <dd>Succeeds if tunnel is working. This is the <strong>only valid test of
-      the tunnel</strong>.</dd>
-  <dt>ping from gate2 to a.b.c.2 or vice versa</dt>
-    <dd><strong>Does not use tunnel</strong>. gate2 is not on protected
-      subnet.</dd>
-  <dt>ping from gate1 to x.y.z.2 or vice versa</dt>
-    <dd><strong>Does not use tunnel</strong>. gate1 is not on protected
-      subnet.</dd>
-  <dt>ping from gate1 to gate2 or vice versa</dt>
-    <dd><strong>Does not use tunnel</strong>. Neither gate is on a protected
-      subnet.</dd>
-</dl>
-
-<p>Only the first of these is a useful test of this tunnel. The others do not
-use the tunnel. Depending on other details of your setup and routing,
-they:</p>
-<ul>
-  <li>either fail, telling you nothing about the tunnel</li>
-  <li>or succeed, telling you nothing about the tunnel since these packets
-    use some other route</li>
-</ul>
-
-<p>In some cases, you may be able to get around this. For the example network
-above, you could use:</p>
-<pre>        ping -I a.b.c.1 x.y.z.1</pre>
-
-<p>Both the adresses given are within protected subnets, so this should go
-through the tunnel.</p>
-
-<p>If required, you can build additional tunnels so that all the machines
-involved can talk to all the others. See <a
-href="adv_config.html#multitunnel">multiple tunnels</a> in the advanced
-configuration document for details.</p>
-
-<h3><a name="forever">It takes forever to ...</a></h3>
-
-<p>Users fairly often report various problems involving long delays,
-sometimes on tunnel setup and sometimes on operations done through the
-tunnel, occasionally on simple things like ping or more often on more complex
-operations like doing NFS or Samba through the tunnel.</p>
-
-<p>Almost always, these turn out to involve failure of a DNS lookup. The
-timeouts waiting for DNS are typically set long so that you won't time out
-when a query involves multiple lookups or long paths. Genuine failures
-therefore produce long delays before they are detected.</p>
-
-<p>A mailing list message from project technical lead Henry Spencer:</p>
-<pre>&gt; ... when i run /etc/rc.d/init.d/ipsec start, i get:
-&gt; ipsec_setup: Starting FreeS/WAN IPsec 1.5...
-&gt; and it just sits there, doesn't give back my bash prompt.
-
-Almost certainly, the problem is that you're using DNS names in your
-ipsec.conf, but DNS lookups are not working for some reason.  You will
-get your prompt back... eventually.  But the DNS timeouts are long.
-Doing something about this is on our list, but it is not easy.</pre>
-
-<p>In the meanwhile, we recommend that connection descriptions in <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> use numeric IP addresses
-rather than names which will require a DNS lookup.</p>
-
-<p>Names that do not require a lookup are fine. For example:</p>
-<ul>
-  <li>a road warrior might use the identity
-    <var>rightid=@lancelot.example.org</var></li>
-  <li>the gateway might use <var>leftid=@camelot.example.org</var></li>
-</ul>
-
-<p>These are fine. The @ sign prevents any DNS lookup. However, do not
-attempt to give the gateway address as <var>left=camelot.example.org</var>.
-That requires a lookup.</p>
-
-<p>A post from one user after solving a problem with long delays:</p>
-<pre>Subject: Final Answer to Delay!!!
-   Date: Mon, 19 Feb 2001
-   From: "Felippe Solutions" &lt;felippe@solutionstecnologia.com.br&gt;
-
-Sorry people, but seems like the Delay problem had nothing to do with
-freeswan.
-
-The problem was DNS as some people sad from the beginning, but not the way
-they thought it was happening. Samba, ssh, telnet and other apps try to
-reverse lookup addresses when you use IP numbers (Stupid that ahh).
-
-I could ping very fast because I always ping with "-n" option, but I don't
-know the option on the other apps to stop reverse addressing so I don't use
-it.</pre>
-
-<p>This post is fairly typical. These problems are often tricky and
-frustrating to diagnose, and most turn out to be DNS-related.</p>
-
-<p>One suggestion for diagnosis: test with both names and addresses if
-possible. For example, try all of:</p>
-<ul>
-  <li>ping <var>address</var></li>
-  <li>ping -n <var>address</var></li>
-  <li>ping <var>name</var></li>
-</ul>
-
-<p>If these behave differently, the problem must be DNS-related since the
-three commands do exactly the same thing except for DNS lookups.</p>
-
-<h3><a name="route">I send packets to the tunnel with route(8) but they
-vanish</a></h3>
-
-<p>IPsec connections are designed to carry only packets travelling between
-pre-defined connection endpoints. As project technical lead Henry Spencer put
-it:</p>
-
-<blockquote>
-  IPsec tunnels are not just virtual wires; they are virtual wires with
-  built-in access controls.  Negotiation of an IPsec tunnel includes
-  negotiation of access rights for it, which don't include packets to/from
-  other IP addresses.  (The protocols themselves are quite inflexible about
-  this, so there are limits to what we can do about it.)</blockquote>
-
-<p>For fairly obvious security reasons, and to comply with the IPsec RFCs, <a
-href="glossary.html#KLIPS">KLIPS</a> drops any packets it receives that are
-not allowed on the tunnels currently defined. So if you send it packets with
-<var>route(8)</var>, and suitable tunnels are not defined, the packets
-vanish. Whether this is reported in the logs depends on the setting of
-<var>klipsdebug</var> in your <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> file.</p>
-
-<p>To rescue vanishing packets, you must ensure that suitable tunnels for
-them exist, by editing the connection descriptions in <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a>. For example, supposing
-you have a simple setup:</p>
-<pre>         leftsubnet -- leftgateway === internet === roadwarrior</pre>
-
-<p>If you want to give the roadwarrior access to some resource that is
-located behind the left gateway but is not in the currently defined left
-subnet, then the usual procedure is to define an additional tunnel for those
-packets by creating a new connection description.</p>
-
-<p>In some cases, it may be easier to alter an existing connection
-description, enlarging the definition of <var>leftsubnet</var>. For example,
-instead of two connection descriptions with 192.168.8.0/24 and 192.168.9.0/24
-as their <var>leftsubnet</var> parameters, you can use a single description
-with 192.168.8.0/23.</p>
-
-<p>If you have multiple endpoints on each side, you need to ensure that there
-is a route for each pair of endpoints. See this <a
-href="adv_config.html#multitunnel">example</a>.</p>
-
-<h3><a name="down_route">When a tunnel goes down, packets vanish</a></h3>
-
-<p>This is a special case of the vanishing packet problem described in the
-previous question. Whenever KLIPS sees packets for which it does not have a
-tunnel, it drops them.</p>
-
-<p>When a tunnel goes away, either because negotiations with the other
-gateway failed or because you gave an <var>ipsec auto --down</var> command,
-the route to its other end is left pointing into KLIPS, and KLIPS will drop
-packets it has no tunnel for.</p>
-
-<p>This is a documented design decision, not a bug. FreeS/WAN must not
-automatically adjust things to send packets via another route. The other
-route might be insecure.</p>
-
-<p>Of course, re-routing may be necessary in many cases. In those cases, you
-have to do it manually or via scripts. We provide the <var>ipsec auto
---unroute</var> command for these cases.</p>
-
-<p>From <a href="manpage.d/ipsec_auto.8.html">ipsec_auto(8)</a>:</p>
-
-<blockquote>
-  Normally,  pluto  establishes  a  route to the destination specified for a
-  connection as part of the --up  operation. However,  the  route and only
-  the route can be established with the --route operation.  Until and  unless
-  an  actual connection  is established, this discards any packets sent
-  there, which may be preferable to having them  sent elsewhere based  on  a
-  more  general  route (e.g., a default route).</blockquote>
-
-<blockquote>
-  Normally, pluto's route to a destination remains in  place when  a  --down
-  operation  is used to take the connection down (or if connection setup, or
-  later automatic rekeying, fails).   This permits establishing a new
-  connection (perhaps using a different specification; the route is altered
-  as necessary) without having a ``window'' in which packets might go
-  elsewhere based on a more general route.  Such  a route can be removed
-  using the --unroute operation (and is implicitly removed by
---delete).</blockquote>
-
-<p>See also this mailing list <a
-href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00523.html">message</a>.</p>
-
-<h3><a name="firewall_ate">The firewall ate my packets!</a></h3>
-
-<p>If firewalls filter out:</p>
-<ul>
-  <li>either the UDP port 500 packets used in IKE negotiations</li>
-  <li>or the ESP and AH (protocols 50 and 51) packets used to implement the
-    IPsec tunnel</li>
-</ul>
-
-<p>then IPsec cannot work. The first thing to check if packets seem to be
-vanishing is the firewall rules on the two gateway machines and any other
-machines along the path that you have access to.</p>
-
-<p>For details, see our document on <a href="firewall.html">firewalls</a>.</p>
-
-<p>Some advice from technical lead Henry Spencer on diagnosing such
-problems:</p>
-<pre>&gt; &gt; Packets vanishing between the hardware interface and the ipsecN interface
-&gt; &gt; is usually the result of firewalls not being configured to let them in...
-&gt; 
-&gt; Thanks for the suggestion. If only it were that simple! My ipchains startup
-&gt; script does take care of that, but just in case I manually inserted rules 
-&gt; accepting everything from london on dublin. No difference.
-
-The other thing to check is whether the "RX packets dropped" count on the
-ipsecN interface (run "ifconfig ipsecN", for N=1 or whatever, to see the
-counts) is rising.  If so, then there's some sort of configuration mismatch
-between the two ends, and IPsec itself is rejecting them.  If none of the
-ipsecN counts is rising, then the packets are never reaching the IPsec
-machinery, and the problem is almost certainly in firewalls etc.</pre>
-
-<h3><a name="dropconn">Dropped connections</a></h3>
-
-<p>Networks being what they are, IPsec connections can be broken for any
-number of reasons, ranging from hardware failures to various software
-problems such as the path MTU problems discussed <a
-href="#pmtu.broken">elsewhere in the FAQ</a>. Fortunately, various diagnostic
-tools exist that help you sort out many of the possible problems.</p>
-
-<p>There is one situation, however, where FreeS/WAN (using default settings)
-may destroy a connection for no readily apparent reason. This occurs when
-things are <strong>misconfigured</strong> so that <strong>two
-tunnels</strong> from the same gateway expect <strong>the same subnet on the
-far end</strong>.</p>
-
-<p>In this situation, the first tunnel comes up fine and works until the
-second is established. At that point, because of the way we track connections
-internally, the first tunnel ceases to exist as far as this gateway is
-concerned. Of course the far end does not know that, and a storm of error
-messages appears on both systems as it tries to use the tunnel.</p>
-
-<p>If the far end gives up, goes back to square one and negotiates a new
-tunnel, then that wipes out the second tunnel and ...</p>
-
-<p>The solution is simple. <strong>Do not build multiple conn descriptions
-with the same remote subnet</strong>.</p>
-
-<p>This is actually intended to be a feature, rather than a bug. Consider the
-situation where a single remote system goes down, then comes back up and
-reconnects to the gateway. It is useful to have the gateway tear down the old
-tunnel and recover resources when the reconnection is made. It recognises
-that situation by checking the remote subnet for each tunnel it builds and
-discarding duplicates. This works fine as long as you don't configure
-multiple tunnels with the same remote subnet.</p>
-
-<p>If this behaviour is inconvenient for you, you can disable it by setting
-<var>uniqueids=no</var> in <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a>.</p>
-
-
-<h3><a name="defaultroutegone">Disappearing %defaultroute</a></h3>
-
-<p>When an underlying connection (eg. ppp) goes down, FreeS/WAN will not 
-recover properly without a little help. Here are the symptoms that FreeS/WAN 
-user Michael Carmody noticed:
-<pre>
-&gt; After about 24 hours the freeswan connection takes over the default route.
-&gt; 
-&gt; i.e instead of deafult gateway pointing to the router via eth0, it becomes a 
-&gt; pointer to the router via ipsec0.
- 
-&gt; All internet access is then lost as all replies (and not just the link I 
-&gt; wanted) are routed out ipsec0 and the router doesn't respond to the ipsec 
-&gt; traffic.
-</pre>
-
-<p>If you're using a  
-FreeS/WAN 2.x/KLIPS system, simply re-attach the IPsec virtual 
-interface with <em>ipsec tnconfig</em> command such as:</p>
-<pre>    ipsec tnconfig --attach --virtual ipsec0 --physical ppp0</pre>
-<p>In your command, name the physical and virtual interfaces as they 
-appear paired on your system during regular uptime. For a system with several
-physical/virtual interface pairs on flaky links, you'll need more than
-one such command.
-If you're using FreeS/WAN 1.x, you must restart FreeS/WAN, which is more time 
-consuming.</p>
-
-<p>
-<A href="http://lists.freeswan.org/pipermail/design/2002-July/003070.html">Here</A> 
-is a script which can help to automate the process of FreeS/WAN restart at 
-need. 
-It could easily be adapted to use tnconfig instead.</p>
-
-<h3><a name="tcpdump.faq">TCPdump on the gateway shows strange things</a></h3>
-
-As another user pointed out, keeping the connect
-<p>Attempting to look at IPsec packets by running monitoring tools on the
-IPsec gateway machine can produce silly results. That machine is mangling the
-packets for IPsec, and possibly for firewall or NAT purposes as well. If the
-internals of the machine's IP stack are not what the monitoring tool expects,
-then the tool can misinterpret them and produce nonsense output.</p>
-
-<p>See our <a href="testing.html#tcpdump.test">testing</a> document for more
-detail.</p>
-
-<h3><a name="no_trace">Traceroute does not show anything between the
-gateways</a></h3>
-
-<p>As far as traceroute can see, the two gateways are one hop apart; the data
-packet goes directly from one to the other through the tunnel. Of course the
-outer packets that implement the tunnel pass through whatever lies between
-the gateways, but those packets are built and dismantled by the gateways.
-Traceroute does not see them and cannot report anything about their path.</p>
-
-<p>Here is a mailing list message with more detail.</p>
-<pre>Date: Mon, 14 May 2001
-To: linux-ipsec@freeswan.org
-From: "John S. Denker" &lt;jsd@research.att.com&lt;
-Subject: Re: traceroute: one virtual hop
-
-At 02:20 PM 5/14/01 -0400, Claudia Schmeing wrote:
-&gt;
-&gt;&gt; &gt; A bonus question: traceroute in subnet to subnet enviroment looks like:
-&gt;&gt; &gt; 
-&gt;&gt; &gt; traceroute to andris.dmz (172.20.24.10), 30 hops max, 38 byte packets
-&gt;&gt; &gt; 1  drama (172.20.1.1)  0.716 ms  0.942 ms  0.434 ms
-&gt;&gt; &gt; 2  * * *
-&gt;&gt; &gt; 3  andris.dmz (172.20.24.10)  73.576 ms  78.858 ms  79.434 ms
-&gt;&gt; &gt; 
-&gt;&gt; &gt; Why aren't there the other hosts which take part in the delivery during 
-&gt;    * * * ?
-&gt;
-&gt;If there is an ipsec tunnel between GateA and Gate B, this tunnel forms a 
-&gt;'virtual wire'.  When it is tunneled, the original packet becomes an inner 
-&gt;packet, and new ESP and/or AH headers are added to create an outer packet 
-&gt;around it. You can see an example of how this is done for AH at 
-&gt;doc/ipsec.html#AH . For ESP it is similar.
-&gt;
-&gt;Think about the packet's path from the inner packet's perspective.
-&gt;It leaves the subnet, goes into the tunnel, and re-emerges in the second
-&gt;subnet. This perspective is also the only one available to the
-&gt;'traceroute' command when the IPSec tunnel is up.
-
-Claudia got this exactly right.  Let me just expand on a couple of points:
-
-*) GateB is exactly one (virtual) hop away from GateA.  This is how it
-would be if there were a physically private wire from A to B.  The
-virtually private connection should work the same, and it does.
-
-*) While the information is in transit from GateA to GateB, the hop count
-of the outer header (the "envelope") is being decremented.  The hop count
-of the inner header (the "contents" of the envelope) is not decremented and
-should not be decremented.  The hop count of the outer header is not
-derived from and should not be derived from the hop count of the inner header.
-
-Indeed, even if the packets did time out in transit along the tunnel, there
-would be no way for traceroute to find out what happened.  Just as
-information cannot leak _out_ of the tunnel to the outside, information
-cannot leak _into_ the tunnel from outside, and this includes ICMP messages
-from routers along the path.
-
-There are some cases where one might wish for information about what is
-happening at the IP layer (below the tunnel layer) -- but the protocol
-makes no provision for this.  This raises all sorts of conceptual issues.
-AFAIK nobody has ever cared enough to really figure out what _should_
-happen, let alone implement it and standardize it.
-
-*) I consider the "* * *" to be a slight bug.  One might wish for it to be
-replaced by "GateB GateB GateB".  It has to do with treating host-to-subnet
-traffic different from subnet-to-subnet traffic (and other gory details).
-I fervently hope KLIPS2 will make this problem go away.
-
-*) If you want to ask questions about the link from GateA to GateB at the
-IP level (below the tunnel level), you have to ssh to GateA and launch a
-traceroute from there.</pre>
-
-<h2><a name="man4debug">Testing in stages</a></h2>
-
-<p>It is often useful in debugging to test things one at a time:</p>
-<ul>
-  <li>disable IPsec entirely, for example by turning it off with
-    chkconfig(8), and make sure routing works</li>
-  <li>Once that works, try a manually keyed connection. This does not require
-    key negotiation between Pluto and the key daemon on the other end.</li>
-  <li>Once that works, try automatically keyed connections</li>
-  <li>Once IPsec works, add packet compression</li>
-  <li>Once everything seems to work, try stress tests with large transfers,
-    many connections, frequent re-keying, ...</li>
-</ul>
-
-<p>FreeS/WAN releases are tested for all of these, so you can be reasonably
-certain they <em>can</em> do them all. Of course, that does not mean they
-<em>will</em> on the first try, especially if you have some unusual
-configuration.</p>
-
-<p>The rest of this section gives information on diagnosing the problem when
-each of the above steps fails.</p>
-
-<h3><a name="nomanual">Manually keyed connections don't work</a></h3>
-
-<p>Suspect one of:</p>
-<ul>
-  <li>mis-configuration of IPsec system in the /etc/ipsec.conf file<br>
-    common errors are incorrect interface or next hop information</li>
-  <li>mis-configuration of manual connection in the /etc/ipsec.conf file</li>
-  <li>routing problems causing IPsec packets to be lost</li>
-  <li>bugs in KLIPS</li>
-  <li>mismatch between the transforms we support and those another IPsec
-    implementation offers.</li>
-</ul>
-
-<h3><a name="spi_error">One manual connection works, but second one
-fails</a></h3>
-
-<p>This is a fairly common problem when attempting to configure multiple
-manually keyed connections from a single gateway.</p>
-
-<p>Each connection must be identified by a unique <a
-href="glossary.html#SPI">SPI</a> value. For automatic connections, these
-values are assigned automatically. For manual connections, you must set them
-with <var>spi=</var> statements in <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a>.</p>
-
-<p>Each manual connection must have a unique SPI value in the range 0x100 to
-0x999. Two or more with the same value will fail. For details, see our doc
-section <a href="adv_config.html#prodman">Using manual keying in
-production</a> and the man page <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a>.</p>
-
-<h3><a name="man_no_auto">Manual connections work, but automatic keying
-doesn't</a></h3>
-
-<p>The most common reason for this behaviour is a firewall dropping the UDP
-port 500 packets used in key negotiation.</p>
-
-<p>Other possibilities:</p>
-<ul>
-  <li>mis-configuration of auto connection in the /etc/ipsec.conf file.
-    <p>One common configuration error is forgetting that you need
-    <var>auto=add</var> to load the connection description on the receiving
-    end so it recognises the connection when the other end asks for it.</p>
-  </li>
-  <li>error in shared secret in /etc/ipsec.secrets</li>
-  <li>one gateway lacks a route to the other so Pluto's UDP packets are
-  lost</li>
-  <li>bugs in Pluto</li>
-  <li>incompatibilities between Pluto's <a href="glossary.html#IKE">IKE</a>
-    implementation and the IKE at the other end of the tunnel.
-    <p>Some possibile problems are discussed in out <a
-    href="interop.html#interop.problem">interoperation</a> document.</p>
-  </li>
-</ul>
-
-<h3><a name="nocomp">IPsec works, but connections using compression
-fail</a></h3>
-
-<p>When we first added compression, we saw some problems:</p>
-<ul>
-  <li>compatibility issues with other implementations. We followed the RFCs
-    and omitted some extra material that many compression libraries add by
-    default. Some other implementations left the extras in</li>
-  <li>bugs in assembler compression routines on non-Intel CPUs. The
-    workaround is to use C code instead of possibly problematic
-  assembler.</li>
-</ul>
-
-<p>We have not seen either problem in some time (at least six months as I
-write in March 2002), but if you have some unusual configuration then you may
-see them.</p>
-
-<h3><a name="pmtu.broken">Small packets work, but large transfers
-fail</a></h3>
-
-<p>If tests with ping(1) and a small packet size succeed, but tests or
-transfers with larger packet sizes fail, suspect problems with packet
-fragmentation and perhaps <a href="glossary.html#pathMTU">path MTU
-discovery</a>.</p>
-
-<p>Our <a href="trouble.html#bigpacket">troubleshooting document</a> covers
-these problems. Information on the underlying mechanism is in our <a
-href="background.html#MTU.trouble">background</a> document.</p>
-
-<h3><a name="subsub">Subnet-to-subnet works, but tests from the gateways
-don't</a></h3>
-
-<p>This is described under <a href="#cantping">I cannot ping...</a> above.</p>
-
-<h2><a name="compile.faq">Compilation problems</a></h2>
-
-<h3><a name="gmp.h_missing">gmp.h: No such file or directory</a></h3>
-
-<p>Pluto needs the GMP (<strong>G</strong>NU</p>
-
-<p><strong>M</strong>ulti-<strong>P</strong>recision) library for the large
-integer calculations it uses in <a href="glossary.html#public">public key</a>
-cryptography. This error message indicates a failure to find the library. You
-must install it before Pluto will compile.</p>
-
-<p>The GMP library is included in most Linux distributions. Typically, there
-are two RPMs, libgmp and libgmp-devel, You need to <em>install both</em>,
-either from your distribution CDs or from your vendor's web site.</p>
-
-<p>On Debian, a mailing list message reports that the command to give is
-<var>apt-get install gmp2</var>.</p>
-
-<p>For more information and the latest version, see the <a
-href="http://www.swox.com/gmp/">GMP home page</a>.</p>
-
-<h3><a name="noVM">... virtual memory exhausted</a></h3>
-
-<p>We have had several reports of this message appearing, all on SPARC Linux.
-Here is a mailing message on a solution:</p>
-<pre>&gt; ipsec_sha1.c: In function `SHA1Transform':
-&gt; ipsec_sha1.c:95: virtual memory exhausted
-
-I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
-MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.
-
-I can get around this by using -O instead of -O2 for the optimization
-level.  So it is probably a bug in the optimizer on the sparc complier. 
-I'll try and chase this down on the sparc lists.</pre>
-
-<h2><a name="error">Interpreting error messages</a></h2>
-
-<h3><a name="route-client">route-client (or host) exited with status
-7</a></h3>
-
-<p>Here is a discussion of this error from FreeS/WAN "listress" (mailing list
-tech support person) Claudia Schmeing. The "FAQ on the network unreachable
-error" which she refers to is the next question below.</p>
-<pre>&gt; I reached the point where the two boxes (both on dial-up connections, but
-&gt; treated as static IPs by getting the IP and editing ipsec.conf after the
-&gt; connection is established) to the point where they exchange some info, but I
-&gt; get an error like "route-client command exited with status 7 \n internal
-&gt; error".
-&gt; Where can I find a description of this error?
-
-In general, if the FAQ doesn't cover it, you can search the mailing list 
-archives - I like to use
-http://www.sandelman.ottawa.on.ca/linux-ipsec/
-but you can see doc/mail.html for different archive formats.
-
-
-Your error comes from the _updown script, which performs some
-routing and firewall functions to help Linux FreeS/WAN. More info
-is available at doc/firewall.html and man ipsec.conf. Its routing
-is integral to the health of Linux FreeS/WAN; it also provides facility
-to insert custom firewall rules to be executed when you create or destroy
-a connection.
-
-Yours is, of course, a routing error. You can be fairly sure the routing 
-machinery is saying "network is unreachable". There's a FAQ on the 
-"network is unreachable" error, but more information is available now; read on.
-
-If your _updown script is recent (for example if it shipped with 
-Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
-that looks something like this:
-
-&gt; output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
-&gt; netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed
-
-This is, of course, the system route command that exited with status 7, 
-(ie. failed). Man route for details. Seeing the command typed out yields 
-more information. If your _updown script is older, you may wish to update 
-it to show the command explicitly.
-
-Three parameters fed to the route command: net, netmask and gw [gateway] 
-are derived from things you've put in ipsec.conf.
-
-Net and netmask are derived from the peer's IP and mask. In more detail:
-
-You may see a routing error when routing to a client (ie. subnet), or 
-to a host (IPSec gateway or freestanding host; a box that does IPSec for
-itself). In _updown, the "route-client" section  is responsible to set up 
-the route for IPSec'd (usually, read 'tunneled') packets headed to a 
-peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
-or IPSec gateway.
-
-When routing to a 'client', net and netmask are ipsec.conf's left- or 
-rightsubnet (whichever is not local). Similarly, when routing to a 
-'host' the net is left or right. Host netmask is always /32, indicating a 
-single machine.
-
-Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
-whichever is local. Where left/right or left-/rightnexthop has the special 
-value %defaultroute (described in man ipsec.conf), gw will automagically get
-the value of the next hop on the default route.
-
-Q: "What's a nexthop and why do I need one?"
-
-A: 'nexthop' is a routing kluge; its value is the next hop away
-   from the machine that's doing IPSec, and toward your IPSec peer. 
-   You need it to get the processed packets out of the local system and 
-   onto the wire. While we often route other packets through the machine 
-   that's now doing IPSec, and are done with it, this does not suffice here. 
-   After packets are processed with IPSec, this machine needs to know where 
-   they go next. Of course using the 'IPSec gateway' as their routing gateway 
-   would cause an infinite loop! [To visualize this, see the packet flow 
-   diagram at doc/firewall.html.] To avoid this, we route packets through 
-   the next hop down their projected path.
-
-Now that you know the background, consider:
-1. Did you test routing between the gateways in the absence of Linux
-   FreeS/WAN, as recommended? You need to ensure the two machines that
-   will be running Linux FreeS/WAN can route to one another before trying to 
-   make a secure connection.
-2. Is there anything obviously wrong with the sense of your route command?
-
-Normally, this problem is caused by an incorrect local nexthop parameter.
-Check out the use of %defaultroute, described in man ipsec.conf. This is
-a simple way to set nexthop for most people. To figure nexthop out by hand,
-traceroute in-the-clear to your IPSec peer. Nexthop is the traceroute's 
-first hop after your IPSec gateway.</pre>
-
-<h3><a name="unreachable">SIOCADDRT:Network is unreachable</a></h3>
-
-<p>This message is not from FreeS/WAN, but from the Linux IP stack itself.
-That stack is seeing packets it has no route for, either because your routing
-was broken before FreeS/WAN started or because FreeS/WAN's changes broke
-it.</p>
-
-<p>Here is a message from Claudia suggesting ways to diagnose and fix such
-problems:</p>
-<pre>You write,
-&gt; I have correctly installed freeswan-1.8 on RH7.0 kernel 2.2.17, but when 
-&gt; I setup a VPN connection with the other machine(RH5.2 Kernel 2.0.36 
-&gt; freeswan-1.0, it works well.) it told me that 
-&gt; "SIOCADDRT:Network is unreachable"!  But the network connection is no 
-&gt; problem.
-
-Often this error is the result of a misconfiguration. 
-
-Be sure that you can route successfully in the absence of Linux
-FreeS/WAN. (You say this is no problem, so proceed to the next step.)
-
-Use a custom copy of the default updownscript. Do not change the route 
-commands, but add a diagnostic message revealing the exact text of the 
-route command. Is there a problem with the sense of the route command
-that you can see? If so, then re-examine those ipsec.conf settings
-that are being sent to the route command. 
-
-You may wish to use the ipsec auto --route and --unroute commands to 
-troubleshoot the problem. See man ipsec_auto for details.</pre>
-
-<p>Since the above message was written, we have modified the updown script to
-provide a better diagnostic for this problem. Check
-<var>/var/log/messages</var>.</p>
-
-<p>See also the FAQ question <a href="#route-client">route-client (or host)
-exited with status 7</a>.</p>
-
-<h3><a name="modprobe">ipsec_setup: modprobe: Can't locate module
-ipsec</a></h3>
-
-<h3><a name="noKLIPS">ipsec_setup: Fatal error, kernel appears to lack
-KLIPS</a></h3>
-
-<p>These messages indicate an installation failure. The kernel you are
-running does not contain the <a href="glossary.html#KLIPS">KLIPS (kernel
-IPsec)</a> code.</p>
-
-<p>Note that the "modprobe: Can't locate module ipsec" message appears even
-if you are not using modules. If there is no KLIPS in your kernel, FreeS/WAN
-tries to load it as a module. If that fails, you get this message.</p>
-
-<p>Commands you can quickly try are:</p>
-<dl>
-  <dt><var>uname -a</var></dt>
-    <dd>to get details, including compilation date and time, of the currently
-      running kernel</dd>
-  <dt><var>ls /</var></dt>
-  <dt><var>ls /boot</var></dt>
-    <dd>to ensure a new kernel is where it should be. If kernel compilation
-      puts it in <var>/</var> but <var>lilo</var> wants it in
-      <var>/boot</var>, then you should uncomment the
-      <var>INSTALL_PATH=/boot</var> line in the kernel
-    <var>Makefile</var>.</dd>
-  <dt><var>more /etc/lilo.conf</var></dt>
-    <dd>to see that <var>lilo</var> has correct information</dd>
-  <dt><var>lilo</var></dt>
-    <dd>to ensure that information in <var>/etc/lilo.conf</var> has been
-      transferred to the boot sector</dd>
-</dl>
-
-<p>If those don't find the problem, you have to go back and check through the
-<a href="install.html">install</a> procedure to see what was missed.</p>
-
-<p>Here is one of Claudia's messages on the topic:</p>
-<pre>&gt; I tried to install freeswan 1.8 on my mandrake 7.2 test box. ...
-
-&gt; It does show version and some output for whack.
-
-Yes, because the Pluto (daemon) part of ipsec is installed correctly, but
-as we see below the kernel portion is not.
-
-&gt; However, I get the following from /var/log/messages:
-&gt; 
-&gt; Mar 11 22:11:55 pavillion ipsec_setup: Starting FreeS/WAN IPsec 1.8...
-&gt; Mar 11 22:12:02 pavillion ipsec_setup: modprobe: Can't locate module ipsec
-&gt; Mar 11 22:12:02 pavillion ipsec_setup: Fatal error, kernel appears to lack
-&gt; KLIPS.
-
-This is your problem. You have not successfully installed a kernel with
-IPSec machinery in it. 
-
-Did you build Linux FreeS/WAN as a module? If so, you need to ensure that 
-your new module has been installed in the directory where your kernel 
-loader normally finds your modules. If not, you need to ensure
-that the new IPSec-enabled kernel is being loaded correctly.
-
-See also doc/install.html, and INSTALL in the distro.</pre>
-
-<h3><a name="noDNS">ipsec_setup: ... failure to fetch key for ... from
-DNS</a></h3>
-
-<p>Quoting Henry:</p>
-<pre>Note that by default, FreeS/WAN is now set up to
-     (a) authenticate with RSA keys, and
-     (b) fetch the public key of the far end from DNS.
-Explicit attention to  ipsec.conf will be needed if you want
-to do something different.</pre>
-
-<p>and Claudia, responding to the same user:</p>
-<pre>You write,
-
-&gt;       My current setup in ipsec.conf is leftrsasigkey=%dns I have 
-&gt; commented this and authby=rsasig out. I am able to get ipsec running, 
-&gt; but what I find is that the documentation only specifies for %dns are 
-&gt; there any other values that can be placed in this variable other than 
-&gt; %dns and the key? I am also assuming that this is where I would place 
-&gt; my public key for the left and right side as well is this correct?
-
-Valid values for authby= are rsasig and secret, which entail authentication
-by RSA signature or by shared secret, respectively. Because you have 
-commented authby=rsasig out, you are using the default value of authby=secret. 
-
-When using RSA signatures, there are two ways to get the public key for the
-IPSec peer: either copy it directly into *rsasigkey= in ipsec.conf, or
-fetch it from dns. The magic value %dns for *rsasigkey parameters says to 
-try to fetch the peer's key from dns.
-
-For any parameters, you may find their significance and special values in
-man ipsec.conf. If you are setting up keys or secrets, be sure also to
-reference man ipsec.secrets.</pre>
-
-<h3><a name="dup_address">ipsec_setup: ... interfaces ... and ... share
-address ...</a></h3>
-
-<p>This is a fatal error. FreeS/WAN cannot cope with two or more interfaces
-using the same IP address. You must re-configure to avoid this.</p>
-
-<p>A mailing list message on the topic from Pluto developer Hugh
-Redelmeier:</p>
-<pre>| I'm trying to get freeswan working between two machine where one has a ppp
-| interface.
-| I've already suceeded with  two machines with ethernet ports but  the ppp
-| interface is causing me problems.
-|  basically when I run ipsec start  i get
-| ipsec_setup: Starting FreeS/WAN IPsec 1.7...
-| ipsec_setup: 003 IP interfaces ppp1 and ppp0 share address 192.168.0.10!
-| ipsec_setup: 003 IP interfaces ppp1 and ppp2 share address 192.168.0.10!
-| ipsec_setup: 003 IP interfaces ppp0 and ppp2 share address 192.168.0.10!
-| ipsec_setup: 003 no public interfaces found
-|
-| followed by lots of cannot work out interface for connection messages
-|
-| now I can specify the interface in ipsec.conf to be ppp0 , but this does
-| not affect the above behaviour. A quick look in server.c indicates that the
-| interfaces value  is not used but some sort of raw detect happens.
-|
-| I guess I could prevent the formation of the extra ppp interfaces or
-| allocate them different ip but I'd  rather not. if at all possible. Any
-| suggestions please.
-
-Pluto won't touch an interface that shares an IP address with another.
-This will eventually change, but it probably won't happen soon.
-
-For now, you will have to give the ppp1 and ppp2 different addresses.</pre>
-
-<h3><a name="kflags">ipsec_setup: Cannot adjust kernel flags</a></h3>
-
-<p>A mailing list message form technical lead Henry Spencer:</p>
-<pre>&gt; When FreeS/WAN IPsec 1.7 is starting on my 2.0.38 Linux kernel the following
-&gt; error message is generated:
-&gt; ipsec_setup: Cannot adjust kernel flags, no /proc/sys/net/ipsec directory!
-&gt; What is supposed to create this directory and how can I fix this problem?
-
-I think that directory is a 2.2ism, although I'm not certain (I don't have
-a 2.0.xx system handy any more for testing).  Without it, some of the
-ipsec.conf config-setup flags won't work, but otherwise things should
-function. </pre>
-
-<p>You also need to enable the <var>/proc</var> filesystem in your kernel
-configuration for these operations to work.</p>
-
-<h3><a name="message_num">Message numbers (MI3, QR1, et cetera) in Pluto
-messages</a></h3>
-
-<p>Pluto messages often indicate  where Pluto is in the IKE protocols. The
-letters indicate <strong>M</strong>ain mode or <strong>Q</strong>uick mode
-and <strong>I</strong>nitiator or <strong>R</strong>esponder. The numerals
-are message sequence numbers. For more detail, see our <a
-href="ipsec.html#sequence">IPsec section</a>.</p>
-
-<h3><a name="conn_name">Connection names in Pluto error messages</a></h3>
-
-<p>From Pluto programmer Hugh Redelmeier:</p>
-<pre>| Jan 17 16:21:10 remus Pluto[13631]: "jumble" #1: responding to Main Mode from Road Warrior 130.205.82.46
-| Jan 17 16:21:11 remus Pluto[13631]: "jumble" #1: no suitable connection for peer @banshee.wittsend.com
-| 
-|     The connection "jumble" has nothing to do with the incoming
-| connection requests, which were meant for the connection "banshee".
-
-You are right.  The message tells you which Connection Pluto is
-currently using, which need not be the right one.  It need not be the
-right one now for the negotiation to eventually succeed!  This is
-described in ipsec_pluto(8) in the section "Road Warrior Support".
-
-There are two times when Pluto will consider switching Connections for
-a state object.  Both are in response to receiving ID payloads (one in
-Phase 1 / Main Mode and one in Phase 2 / Quick Mode).  The second is
-not unique to Road Warriors.  In fact, neither is the first any more
-(two connections for the same pair of hosts could differ in Phase 1 ID
-payload; probably nobody else has tried this).</pre>
-
-<h3><a name="cantorient">Pluto: ... can't orient connection</a></h3>
-
-<p>Older versions of FreeS/WAN used this message. The same error now gives
-the "we have no ipsecN ..." error described just below.</p>
-
-<h3><a name="no.interface">... we have no ipsecN interface for either end of
-this connection</a></h3>
-
-<p>Your tunnel has no IP address which matches the IP
-address of any of the available IPsec interfaces. Either you've 
-misconfigured the connection, or you need to define an appropriate 
-IPsec interface connection. <VAR>interfaces=%defaultroute</VAR> works
-in many cases.</p>
-
-<p>A longer story: Pluto needs to know whether it is running on 
-the machine which the
-connection description calls <var>left</var> or on <var>right</var>. It
-figures that out by:</p>
-<ul>
-  <li>looking at the interfaces given in <var>interfaces=</var> lines in the
-    <var>config setup</var> section</li>
-  <li>discovering the IP addresses for those interfaces</li>
-  <li>searching for a match between those addresses and the ones given in
-    <var>left=</var> or <var>right=</var> lines.</li>
-</ul>
-
-<p>Normally a match is found. Then Pluto knows where it is and can set up
-other things (for example, if it is <var>left</var>) using parameters such as
-<var>leftsubnet</var> and <var>leftnexthop</var>, and sending its outgoing
-packets to <var>right</var>.</p>
-
-<p>If no match is found, it emits the above error message.</p>
-
-<h3><a name="noconn">Pluto: ... no connection is known</a></h3>
-
-<p>This error message occurs when a remote system attempts to negotiate a
-connection and Pluto does not have a connection description that matches what
-the remote system has requested. The most common cause is a configuration
-error on one end or the other.</p>
-
-<p>Parameters involved in this match are <var>left</var>, <var>right</var>,
-<var>leftsubnet</var> and <var>rightsubnet</var>.</p>
-
-<p><strong>The match must be exact</strong>. For example, if your left subnet
-is a.b.c.0/24 then neither a single machine in that net nor a smaller subnet
-such as a.b.c.64/26 will be considered a match.</p>
-
-<p>The message can also occur when an appropriate description exists but
-Pluto has not loaded it. Use an <var>auto=add</var> statement in the
-connection description, or an <var>ipsec auto --add &lt;conn_name&gt;</var>
-command, to correct this.</p>
-
-<p>An explanation from the Pluto developer:</p>
-<pre>| Jul 12 15:00:22 sohar58 Pluto[574]: "corp_road" #2: cannot respond to IPsec
-| SA request because no connection is known for
-| 216.112.83.112/32===216.112.83.112...216.67.25.118
-
-This is the first message from the Pluto log showing a problem.  It
-means that PGPnet is trying to negotiate a set of SAs with this
-topology:
-
-216.112.83.112/32===216.112.83.112...216.67.25.118
-^^^^^^^^^^^^^^^^^   ^^^^^^^^^^^^^^   ^^^^^^^^^^^^^
-client on our side  our host         PGPnet host, no client
-
-None of the conns you showed look like this.
-
-Use
-        ipsec auto --status
-to see a snapshot of what connections are in pluto, what
-negotiations are going on, and what SAs are established.
-
-The leftsubnet= (client) in your conn is 216.112.83.64/26.  It must
-exactly match what pluto is looking for, and it does not.</pre>
-
-<h3><a name="nosuit">Pluto: ... no suitable connection ...</a></h3>
-
-<p>This is similar to the <a href="#noconn">no connection known</a> error,
-but occurs at a different point in Pluto processing.</p>
-
-<p>Here is one of Claudia's messages explaining the problem:</p>
-<pre>You write,
-
-&gt; What could be the reason of the following error? 
-&gt; "no suitable connection for peer '@xforce'"
-
-When a connection is initiated by the peer, Pluto must choose which entry in 
-the conf file best matches the incoming connection. A preliminary choice is 
-made on the basis of source and destination IPs, since that information is 
-available at that time. 
-
-A payload containing an ID arrives later in the negotiation. Based on this
-id and the *id= parameters, Pluto refines its conn selection. ...
-
-The message "no suitable connection" indicates that in this refining step,
-Pluto does not find a connection that matches that ID.
-
-Please see "Selecting a connection when responding" in man ipsec_pluto for
-more details.</pre>
-
-<p>See also <a href="#conn_name">Connection names in Pluto error
-messages</a>.</p>
-
-<h3><a name="noconn.auth">Pluto: ... no connection has been
-authorized</a></h3>
-
-<p>Here is one of Claudia's messages discussing this problem:</p>
-<pre>You write,
-
-&gt;  May 22 10:46:31 debian Pluto[25834]: packet from x.y.z.p:10014: 
-&gt;  initial Main Mode message from x.y.z.p:10014 
-                            but no connection has been authorized
-
-This error occurs early in the connection negotiation process,
-at the first step of IKE negotiation (Main Mode), which is itself the 
-first of two negotiation phases involved in creating an IPSec connection.
-
-Here, Linux FreeS/WAN receives a packet from a potential peer, which 
-requests that they begin discussing a connection.
-
-The "no connection has been authorized" means that there is no connection 
-description in Linux FreeS/WAN's internal database that can be used to 
-link your ipsec interface with that peer.
-
-"But of course I configured that connection!" 
-
-It may be that the appropriate connection description exists in ipsec.conf 
-but has not been added to the database with ipsec auto --add myconn or the 
-auto=add method. Or, the connection description may be misconfigured.
-
-The only parameters that are relevant in this decision are left= and right= .
-Local and remote ports are also taken into account -- we see that the port 
-is printed in the message above -- but there is no way to control these
-in ipsec.conf.
-
-
-Failure at "no connection has been authorized" is similar to the
-"no connection is known for..." error in the FAQ, and the "no suitable
-connection" error described in the snapshot's FAQ. In all three cases,
-Linux FreeS/WAN is trying to match parameters received in the
-negotiation with the connection description in the local config file.
-
-As it receives more information, its matches take more parameters into 
-account, and become more precise:  first the pair of potential peers,
-then the peer IDs, then the endpoints (including any subnets).
-
-The "no suitable connection for peer *" occurs toward the end of IKE 
-(Main Mode) negotiation, when the IDs are matched.
-
-"no connection is known for a/b===c...d" is seen at the beginning of IPSec 
-(Quick Mode, phase 2) negotiation, when the connections are matched using
-left, right, and any information about the subnets.</pre>
-
-<h3><a name="noDESsupport">Pluto: ... OAKLEY_DES_CBC is not
-supported.</a></h3>
-
-<p>This message occurs when the other system attempts to negotiate a
-connection using <a href="glossary.html#DES">single DES</a>, which we do not
-support because it is <a href="politics.html#desnotsecure">insecure</a>.</p>
-
-<p>Our interoperation document has suggestions for <a
-href="interop.html#noDES">how to deal with</a> systems that attempt to use
-single DES.</p>
-
-<h3><a name="notransform">Pluto: ... no acceptable transform</a></h3>
-
-<p>This message means that the other gateway has made a proposal for
-connection parameters, but nothing they proposed is acceptable to Pluto.
-Possible causes include:</p>
-<ul>
-  <li>misconfiguration on either end</li>
-  <li>policy incompatibilities, for example we require encrypted connections
-    but they are trying to create one with just authentication</li>
-  <li>interoperation problems, for example they offer only single DES and
-    FreeS/WAN does not support that. See <a
-    href="interop.html#interop.problem">discussion</a> in our interoperation
-    document.</li>
-</ul>
-
-<p>A more detailed explanation, from Pluto programmer Hugh Redelmeier:</p>
-<pre>Background:
-
-When one IKE system (for example, Pluto) is negotiating with another
-to create an SA, the Initiator proposes a bunch of choices and the
-Responder replies with one that it has selected.
-
-The structure of the choices is fairly complicated.  An SA payload
-contains a list of lists of "Proposals".  The outer list is a set of
-choices: the selection must be from one element of this list.
-
-Each of these elements is a list of Proposals.  A selection must be
-made from each of the elements of the inner list.  In other words,
-*all* of them apply (that is how, for example, both AH and ESP can
-apply at once).
-
-Within each of these Proposals is a list of Transforms.  For each
-Proposal selected, one Transform must be selected (in other words,
-each Proposal provides a choice of Transforms).
-
-Each Transform is made up of a list of Attributes describing, well,
-attributes.  Such as lifetime of the SA.  Such as algorithm to be
-used.  All the Attributes apply to a Transform.
-
-You will have noticed a pattern here: layers alternate between being
-disjunctions ("or") and conjunctions ("and").
-
-For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
-cut back.  There must be exactly one Proposal.  So this degenerates to
-a list of Transforms, one of which must be chosen.
-
-In your case, no proposal was considered acceptable to Pluto (the
-Responder).  So negotiation ceased.  Pluto logs the reason it rejects
-each Transform.  So look back in the log to see what is going wrong.</pre>
-
-<h3><a name="rsasigkey">rsasigkey dumps core</a></h3>
-A comment on this error from Henry:
-<pre>On Fri, 29 Jun 2001, Rodrigo Gruppelli wrote:
-&gt; ...Well, it seem that there's
-&gt; another problem with it. When I try to generate a pair of RSA keys,
-&gt; rsasigkey cores dump...
-
-*That* is a neon sign flashing "GMP LIBRARY IS BROKEN".  Rsasigkey calls
-GMP a lot, and our own library a little bit, and that's very nearly all it
-does.  Barring bugs in its code or our library -- which have happened, but
-not very often -- a problem in rsasigkey is a problem in GMP.</pre>
-
-<p>See the next question for how to deal with GMP errors.</p>
-
-<h3><a name="sig4">!Pluto failure!: ... exited with ... signal 4</a></h3>
-
-<p>Pluto has died. Signal 4 is SIGILL, illegal instruction.</p>
-
-<p>The most likely cause is that your <a href="glossary.html#GMP">GMP</a>
-(GNU multi-precision) library is compiled for a different processor than what
-you are running on. Pluto uses that library for its public key
-calculations.</p>
-
-<p>Try getting the GMP sources and recompile for your processor type. Most
-Linux distributions will include this source, or you can download it from the
-<a href="http://www.swox.com/gmp/">GMP home page</a>.</p>
-
-<h3><a name="econnrefused">ECONNREFUSED error message</a></h3>
-
-<p>From John Denker, on the mailing list:</p>
-<pre>1)  The log message
-  some IKE message we sent has been rejected with 
-  ECONNREFUSED (kernel supplied no details)
-is much more suitable than the previous version.  Thanks.
-
-2) Minor suggestion for further improvement: it might be worth mentioning
-that the command
-  tcpdump -i eth1 icmp[0] != 8 and icmp[0] != 0
-is useful for tracking down the details in question.  We shouldn't expect
-all IPsec users to figure that out on their own.  The log message might
-even provide a hint as to where to look in the docs.</pre>
-
-<p>Reply From Pluto developer Hugh Redelmeier</p>
-<pre>Good idea.
-
-I've added a bit pluto(8)'s BUGS section along these lines.
-I didn't have the heart to lengthen this message.</pre>
-
-<h3><a name="no_eroute">klips_debug: ... no eroute!</a></h3>
-
-<p>This message means <a href="glossary.html#KLIPS">KLIPS</a> has received a
-packet for which no IPsec tunnel has been defined.</p>
-
-<p>Here is a more detailed duscussion from the team's tech support person
-Claudia Schmeing, responding to a query on the mailing list:</p>
-<pre>&gt; Why ipsec reports no eroute! ???? IP Masq... is disabled.
-
-In general, more information is required so that people on the list may
-give you informed input. See doc/prob.report.</pre>
-
-<p>The document she refers to has since been replaced by a <a
-href="trouble.html#prob.report">section</a> of the troubleshooting
-document.</p>
-<pre>However, I can make some general comments on this type of error.
-
-This error usually looks something like this (clipped from an archived
-message):
-
-&gt; ttl:64 proto:1 chk:45459 saddr:192.168.1.2 daddr:192.168.100.1
-&gt; ... klips_debug:ipsec_findroute: 192.168.1.2-&gt;192.168.100.1
-&gt; ... klips_debug:rj_match: * See if we match exactly as a host destination
-&gt; ... klips_debug:rj_match: ** try to match a leaf, t=0xc1a260b0
-&gt; ... klips_debug:rj_match: *** start searching up the tree, t=0xc1a260b0
-&gt; ... klips_debug:rj_match: **** t=0xc1a260c8
-&gt; ... klips_debug:rj_match: **** t=0xc1fe5960
-&gt; ... klips_debug:rj_match: ***** not found.
-&gt; ... klips_debug:ipsec_tunnel_start_xmit: Original head/tailroom: 2, 28
-&gt; ... klips_debug:ipsec_tunnel_start_xmit: no eroute!: ts=47.3030, dropping.
-
-
-What does this mean?
-- --------------------
-
-"eroute" stands for "extended route", and is a special type of route 
-internal to Linux FreeS/WAN. For more information about this type of route, 
-see the section of man ipsec_auto on ipsec auto --route.
-
-"no eroute!" here means, roughly, that Linux FreeS/WAN cannot find an 
-appropriate tunnel that should have delivered this packet. Linux 
-FreeS/WAN therefore drops the packet, with the message "no eroute! ...
-dropping", on the assumption that this packet is not a legitimate 
-transmission through a properly constructed tunnel.
-
-
-How does this situation come about?
-- -----------------------------------
-
-Linux FreeS/WAN has a number of connection descriptions defined in 
-ipsec.conf. These must be successfully brought "up" to form actual tunnels.
-(see doc/setup.html's step 15, man ipsec.conf and man ipsec_auto 
-for details).
-
-Such connections are often specific to the endpoints' IPs. However, in 
-some cases they may be more general, for example in the case of 
-Road Warriors where left or right is the special value %any.
-
-When Linux FreeS/WAN receives a packet, it verifies that the packet has
-come through a legitimate channel, by checking that there is an
-appropriate tunnel through which this packet might legitimately have
-arrived. This is the process we see above.
-
-First, it checks for an eroute that exactly matches the packet. In the 
-example above, we see it checking for a route that begins at 192.168.1.2
-and ends at 192.168.100.1. This search favours the most specific match that
-would apply to the route between these IPs. So, if there is a connection 
-description exactly matching these IPs, the search will end there. If not, 
-the code will search for a more general description matching the IPs.
-If there is no match, either specific or general, the packet will be
-dropped, as we see, above.
-
-Unless you are working with Road Warriors, only the first, specific part 
-of the matching process is likely to be relevant to you.
-
-
-"But I defined the tunnel, and it came up, why do I have this error?"
-- ---------------------------------------------------------------------
-
-One of the most common causes of this error is failure to specify enough
-connection descriptions to cover all needed tunnels between any two 
-gateways and their respective subnets. As you have noticed, troubleshooting
-this error may be complicated by the use of IP Masq. However, this error is
-not limited to cases where IP Masq is used. 
-
-See doc/configuration.html#multitunnel for a detailed example of the 
-solution to this type of problem.</pre>
-
-<p>The documentation section she refers to is now <a
-href="adv_config.html#multitunnel">here</a>.</p>
-
-<h3><a name="SAused">... trouble writing to /dev/ipsec ... SA already in
-use</a></h3>
-
-<p>This error message occurs when two manual connections are set up with the
-same SPI value. </p>
-
-<p>See the FAQ for <a href="#spi_error">One manual connection works, but
-second one fails</a>.</p>
-
-<h3><a name="ignore">... ignoring ... payload</a></h3>
-
-<p>This message is harmless. The IKE protocol provides for a number of
-optional messages types:</p>
-<ul>
-  <li>delete SA</li>
-  <li>initial contact</li>
-  <li>vendor ID</li>
-  <li>...</li>
-</ul>
-
-<p>An implementation is never required to send these, but they are allowed
-to. The receiver is not required to do anything with them. FreeS/WAN ignores
-them, but notifies you via the logs.</p>
-
-<p>For the "ignoring delete SA Payload" message, see also our discussion of
-cleaning up <a href="#deadtunnel">dead tunnels</a>.</p>
-
-<h3><a name="unknown_rightcert">unknown parameter name "rightcert"</a></h3>
-
-<P>This message can appear when you've upgraded an X.509-enabled 
-Linux FreeS/WAN with a vanilla Linux FreeS/WAN. To use your X.509 configs
-you will need to overwrite the new install with 
-<A HREF="http://www.freeswan.ca">Super FreeS/WAN</A>, or add the
-<A HREF="http://www.strongsec.ca/freeswan">X.509 patch</A> by hand.
-</P>
-
-<h2><a name="spam">Why don't you restrict the mailing lists to reduce
-spam?</a></h2>
-
-<p>As a matter of policy, some of our <a href="mail.html">mailing lists</a>
-need to be open to non-subscribers. Project management feel strongly that
-maintaining this openness is more important than blocking spam.</p>
-<ul>
-  <li>Users should be able to get help or report bugs without
-  subscribing.</li>
-  <li>Even a user who is subscribed may not have access to his or her
-    subscribed account when he or she needs help, miles from home base in the
-    middle of setting up a client's gateway.</li>
-  <li>There is arguably a legal requirement for this policy. A US resident or
-    citizen could be charged under munitions export laws for providing
-    technical assistance to a foreign cryptographic project. Such a charge
-    would be more easily defended if the discussion takes place in public, on
-    an open list.</li>
-</ul>
-
-<p>This has been discussed several times at some length on the list. See the
-<a href="mail.html#archive">list archives</a>. Bringing the topic up again is
-unlikely to be useful. Please don't. Or at the very least, please don't
-without reading the archives and being certain that whatever you are about to
-suggest has not yet been discussed.</p>
-
-<p>Project technical lead Henry Spencer summarised one discussion:</p>
-
-<blockquote>
-  For the third and last time:  this list *will* *not* do address-based
-  filtering.  This is a policy decision, not an implementation problem. The
-  decision is final, and is not open to discussion.  This needs to be
-  communicated better to people, and steps are being taken to do
-that.</blockquote>
-
-<p>Adding this FAQ section is one of the steps he refers to.</p>
-
-<p>You have various options other than just putting up with the spam,
-filtering it yourself, or unsubscribing:</p>
-<ul>
-  <li>subscribe only to one or both of our lists with restricted posting
-    rules:
-    <ul>
-      <li><a
-        href="mailto:briefs@lists.freeswan.org?body=subscribe">briefs</a>,
-        weekly list summaries</li>
-      <li><a
-        href="mailto:announce@lists.freeswan.org?body=subscribe">announce</a>,
-        project-related announcements</li>
-    </ul>
-  </li>
-  <li>read the other lists via the <a
-  href="mail.html#archive">archives</a></li>
-</ul>
-
-<p>A number of tools are available to filter mail.</p>
-<ul>
-  <li>Many mail readers include some filtering capability.</li>
-  <li>Many Linux distributions include <a
-    href="http://www.procmail.org/">procmail(8)</a> for server-side
-  filtering.</li>
-  <li>The <a href="http://www.spambouncer.org/">Spam Bouncer</a> is a set of
-    procmail(8) filters designed to combat spam.</li>
-  <li>Roaring Penguin have a <a
-    href="http://www.roaringpenguin.com/mimedefang/">MIME defanger</a> that
-    removes potentially dangerous attachments.</li>
-</ul>
-
-<p>If you use your ISP's mail server rather than running your own, consider
-suggesting to the ISP that they tag suspected spam as <a
-href="http://www.msen.com/1997/spam.html#SUSPECTED">this ISP</a> does. They
-could just refuse mail from dubious sources, but that is tricky and runs some
-risk of losing valuable mail or senselessly annoying senders and their
-admins. However, they can safely tag and deliver dubious mail. The tags can
-greatly assist your filtering.</p>
-
-<p>For information on tracking down spammers, see these <a
-href="http://www.rahul.net/falk/#howtos">HowTos</a>, or the <a
-href="http://www.sputum.com/index2.html">Sputum</a> site. Sputum have a Linux
-anti-spam screensaver available for download.</p>
-
-<p>Here is a more detailed message from Henry:</p>
-<pre>On Mon, 15 Jan 2001, Jay Vaughan wrote:
-&gt; I know I'm flogging a dead horse here, but I'm curious as to the reasons for
-&gt; an aversion for a subscriber-only mailing list?
-
-Once again:  for legal reasons, it is important that discussions of these
-things be held in a public place -- the list -- and we do not want to
-force people to subscribe to the list just to ask one question, because
-that may be more than merely inconvenient for them.  There are also real
-difficulties with people who are temporarily forced to use alternate
-addresses; that is precisely the time when they may be most in need of
-help, yet a subscribers-only policy shuts them out.
-
-These issues do not apply to most mailing lists, but for a list that is
-(necessarily) the primary user support route for a crypto package, they
-are very important.  This is *not* an ordinary mailing list; it has to
-function under awkward constraints that make various simplistic solutions
-inapplicable or undesirable. 
-
-&gt; We're *ALL* sick of hearing about list management problems, not just you
-&gt; old-timers, so why don't you DO SOMETHING EFFECTIVE ABOUT IT...
-
-Because it's a lot harder than it looks, and many existing "solutions"
-have problems when examined closely.
-
-&gt; A suggestion for you, based on 10 years of experience with management of my
-&gt; own mailing lists would be to use mailman, which includes pretty much every
-&gt; feature under the sun that you guys need and want, plus some.  The URL for
-&gt; mailman...
-
-I assure you, we're aware of mailman.  Along with a whole bunch of others,
-including some you almost certainly have never heard of (I hadn't!).
-
-&gt; As for the argument that the list shouldn't be configured to enforce
-&gt; subscription - I contend that it *SHOULD* AT LEAST require manual address
-&gt; verification in order for posts to be redirected.
-
-You do realize, I hope, that interposing such a manual step might cause
-your government to decide that this is not truly a public forum, and thus
-you could go to jail if you don't get approval from them before mailing to
-it?  If you think this sounds irrational, your government is noted for
-making irrational decisions in this area; we can't assume that they will
-suddenly start being sensible.  See above about awkward constraints.  You
-may be willing to take the risk, but we can't, in good conscience, insist
-that all users with problems do so. 
-
-                                                          Henry Spencer
-                                                       henry@spsystems.net</pre>
-
-<p>and a message on the topic from project leader John Gilmore:</p>
-<pre>Subject: Re: The linux-ipsec list's topic
-   Date: Sat, 30 Dec 2000
-   From: John Gilmore &lt;gnu@toad.com&gt;
-
-I'll post this single message, once only, in this discussion, and then
-not burden the list with any further off-topic messages.  I encourage
-everyone on the list to restrain themself from posting ANY off-topic
-messages to the linux-ipsec list.
-
-The topic of the linux-ipsec mailing list is the FreeS/WAN software.
-
-I frequently see "discussions about spam on a list" overwhelm the
-volume of "actual spam" on a list. BOTH kinds of messages are
-off-topic messages.  Twenty anti-spam messages take just as long to
-detect and discard as twenty spam messages.
-
-The Linux-ipsec list encourages on-topic messages from people who have
-not joined the list itself.  We will not censor messages to the list
-based on where they originate, or what return address they contain.
-In other words, non-subscribers ARE allowed to post, and this will not
-change.  My own valid contributions have been rejected out-of-hand by
-too many other mailing lists for me to want to impose that censorship
-on anybody else's contributions.  And every day I see the damage that
-anti-spam zeal is causing in many other ways; that zeal is far more
-damaging to the culture of the Internet than the nuisance of spam.
-
-In general, it is the responsibility of recipients to filter,
-prioritize, or otherwise manage the handling of email that comes to
-them.  It is not the responsibility of the rest of the Internet
-community to refrain from sending messages to recipients that they
-might not want to see.  If your software infrastructure for managing
-your incoming email is insufficient, then improve it.  If you think
-the signal-to-noise ratio on linux-ipsec is too poor, then please
-unsubscribe.  But don't further increase the noise by posting to the
-linux-ipsec list about those topics.
-
-        John Gilmore
-        founder &amp; sponsor, FreeS/WAN project</pre>
-</body>
-</html>
diff --git a/doc/src/firewall.html b/doc/src/firewall.html
deleted file mode 100644
index 5051b458d..000000000
--- a/doc/src/firewall.html
+++ /dev/null
@@ -1,895 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN and firewalls</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, firewall, ipchains, iptables">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: firewall.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="firewall">FreeS/WAN and firewalls</a></h1>
-
-<p>FreeS/WAN, or other IPsec implementations, frequently run on gateway
-machines, the same machines running firewall or packet filtering code. This
-document discusses the relation between the two.</p>
-
-<p>The firewall code in 2.4 and later kernels is called Netfilter. The
-user-space utility to manage a firewall is iptables(8). See the <a
-href="http://netfilter.samba.org">netfilter/iptables web site</a> for
-details.</p>
-
-<h2><a name="filters">Filtering rules for IPsec packets</a></h2>
-
-<p>The basic constraint is that <strong>an IPsec gateway must have packet
-filters that allow IPsec packets</strong>, at least when talking to other
-IPsec gateways:</p>
-<ul>
-  <li>UDP port 500 for <a href="glossary.html#IKE">IKE</a> negotiations</li>
-  <li>protocol 50 if you use <a href="glossary.html#ESP">ESP</a> encryption
-    and/or authentication (the typical case)</li>
-  <li>protocol 51 if you use <a href="glossary.html#AH">AH</a> packet-level
-    authentication</li>
-</ul>
-
-<p>Your gateway and the other IPsec gateways it communicates with must be
-able to exchange these packets for IPsec to work. Firewall rules must allow
-UDP 500 and at least one of <a href="glossary.html#AH">AH</a> or 
-<a href="glossary.html#ESP">ESP</a> on
-the interface that communicates with the other gateway.</p>
-
-<p>For nearly all FreeS/WAN applications, you must allow UDP port 500 and the
-ESP protocol.</p>
-
-<p>There are two ways to set this up:</p>
-<dl>
-  <dt>easier but less flexible</dt>
-    <dd>Just set up your firewall scripts at boot time to allow IPsec packets
-      to and from your gateway. Let FreeS/WAN reject any bogus packets.</dd>
-  <dt>more work, giving you more precise control</dt>
-    <dd>Have the <a href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</a>
-      daemon call scripts to adjust firewall rules dynamically as required.
-      This is done by naming the scripts in the <a
-      href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> variables
-      <var>prepluto=</var>, <var>postpluto=</var>, <var>leftupdown=</var> and
-      <var>rightupdown=</var>.</dd>
-</dl>
-
-<p>Both methods are described in more detail below.</p>
-
-<h2><a name="examplefw">Firewall configuration at boot</a></h2>
-
-<p>It is possible to set up both firewalling and IPsec with appropriate
-scripts at boot and then not use <var>leftupdown=</var> and
-<var>rightupdown=</var>, or use them only for simple up and down
-operations.</p>
-
-<p>Basically, the technique is</p>
-<ul>
-  <li>allow IPsec packets (typically, IKE on UDP port 500 plus ESP, protocol
-    50)
-    <ul>
-      <li>incoming, if the destination address is your gateway (and
-        optionally, only from known senders)</li>
-      <li>outgoing, with the from address of your gateway (and optionally,
-        only to known receivers)</li>
-    </ul>
-  </li>
-  <li>let <a href="glossary.html#Pluto">Pluto</a> deal with IKE</li>
-  <li>let <a href="glossary.html#KLIPS">KLIPS</a> deal with ESP</li>
-</ul>
-
-<p>Since Pluto authenticates its partners during the negotiation, and KLIPS
-drops packets for which no tunnel has been negotiated, this may be all you
-need.</p>
-
-<h3><a name="simple.rules">A simple set of rules</a></h3>
-
-<p>In simple cases, you need only a few rules, as in this example:</p>
-<pre># allow IPsec
-#
-# IKE negotiations
-iptables -I INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
-iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
-# ESP encryption and authentication
-iptables -I INPUT  -p 50 -j ACCEPT
-iptables -I OUTPUT -p 50 -j ACCEPT
-</pre>
-
-<P>This should be all you need to allow IPsec through <var>lokkit</var>,
-which ships with Red Hat 9, on its medium security setting.
-Once you've tweaked to your satisfaction, save your active rule set with:</P>
-<PRE>service iptables save</PRE>
-
-<h3><a name="complex.rules">Other rules</a></h3>
-You can add additional rules, or modify existing ones, to work with IPsec and
-with your network and policies. We give a some examples in this section.
-
-<p>However, while it is certainly possible to create an elaborate set of
-rules yourself (please let us know via the <a href="mail.html">mailing
-list</a> if you do), it may be both easier and more secure to use a set which
-has already been published and tested.</p>
-
-<p>The published rule sets we know of are described in the <a
-href="#rules.pub">next section</a>.</p>
-
-<h4>Adding additional rules</h4>
-If necessary, you can add additional rules to:
-<dl>
-  <dt>reject IPsec packets that are not to or from known gateways</dt>
-    <dd>This possibility is discussed in more detail <a
-      href="#unknowngate">later</a></dd>
-  <dt>allow systems behind your gateway to build IPsec tunnels that pass
-  through the gateway</dt>
-    <dd>This possibility is discussed in more detail <a
-      href="#through">later</a></dd>
-  <dt>filter incoming packets emerging from KLIPS.</dt>
-    <dd>Firewall rules can recognise packets emerging from IPsec. They are
-      marked as arriving on an interface such as <var>ipsec0</var>, rather
-      than <var>eth0</var>, <var>ppp0</var> or whatever.</dd>
-</dl>
-
-<p>It is therefore reasonably straightforward to filter these packets in
-whatever way suits your situation.</p>
-
-<h4>Modifying existing rules</h4>
-
-<p>In some cases rules that work fine before you add IPsec may require
-modification to work with IPsec.</p>
-
-<p>This is especially likely for rules that deal with interfaces on the
-Internet side of your system. IPsec adds a new interface; often the rules
-must change to take account of that.</p>
-
-<p>For example, consider the rules given in <a
-href="http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html">this
-section</a> of the Netfilter documentation:</p>
-<pre>Most people just have a single PPP connection to the Internet, and don't
-want anyone coming back into their network, or the firewall:
-
-    ## Insert connection-tracking modules (not needed if built into kernel).
-    # insmod ip_conntrack
-    # insmod ip_conntrack_ftp
-
-    ## Create chain which blocks new connections, except if coming from inside.
-    # iptables -N block
-    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-    # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
-    # iptables -A block -j DROP
-
-    ## Jump to that chain from INPUT and FORWARD chains.
-    # iptables -A INPUT -j block
-    # iptables -A FORWARD -j block</pre>
-
-<p>On an IPsec gateway, those rules may need to be modified. The above allows
-new connections from <em>anywhere except ppp0</em>. That means new
-connections from ipsec0 are allowed.</p>
-
-<p>Do you want to allow anyone who can establish an IPsec connection to your
-gateway to initiate TCP connections to any service on your network? Almost
-certainly not if you are using opportunistic encryption. Quite possibly not
-even if you have only explicitly configured connections.</p>
-
-<p>To disallow incoming connections from ipsec0, change the middle section
-above to:</p>
-<pre>    ## Create chain which blocks new connections, except if coming from inside.
-    # iptables -N block
-    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-    # iptables -A block -m state --state NEW -i ppp+ -j DROP
-    # iptables -A block -m state --state NEW -i ipsec+ -j DROP
-    # iptables -A block -m state --state NEW -i -j ACCEPT
-    # iptables -A block -j DROP</pre>
-
-<p>The original rules accepted NEW connections from anywhere except ppp0.
-This version drops NEW connections from any PPP interface (ppp+) and from any
-ipsec interface (ipsec+), then accepts the survivors.</p>
-
-<p>Of course, these are only examples. You will need to adapt them to your
-own situation.</p>
-
-<h3><a name="rules.pub">Published rule sets</a></h3>
-
-<p>Several sets of firewall rules that work with FreeS/WAN are available.</p>
-
-<h4><a name="Ranch.trinity">Scripts based on Ranch's work</a></h4>
-
-<p>One user, Rob Hutton, posted his boot time scripts to the mailing list,
-and we included them in previous versions of this documentation. They are
-still available from our <a
-href="http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/firewall.html#examplefw">web
-site</a>. However, they were for an earlier FreeS/WAN version so we no longer
-recommend them. Also, they had some bugs. See this <a
-href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/04/msg00316.html">message</a>.</p>
-
-<p>Those scripts were based on David Ranch's scripts for his "Trinity OS" for
-setting up a secure Linux. Check his <a
-href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html">home
-page</a> for the latest version and for information on his <a
-href="biblio.html#ranch">book</a> on securing Linux. If you are going to base
-your firewalling on Ranch's scripts, we recommend using his latest version,
-and sending him any IPsec modifications you make for incorporation into later
-versions.</p>
-
-<h4><a name="seawall">The Seattle firewall</a></h4>
-
-<p>We have had several mailing lists reports of good results using FreeS/WAN
-with Seawall (the Seattle Firewall). See that project's <a
-href="http://seawall.sourceforge.net/">home page</a> on Sourceforge.</p>
-
-<h4><a name="rcf">The RCF scripts</a></h4>
-
-<p>Another set of firewall scripts with IPsec support are the RCF or
-rc.firewall scripts. See their <a
-href="http://jsmoriss.mvlan.net/linux/rcf.html">home page</a>.</p>
-
-<h4><a name="asgard">Asgard scripts</a></h4>
-
-<p><a href="http://heimdall.asgardsrealm.net/linux/firewall/">Asgard's
-Realm</a> has set of firewall scripts with FreeS/WAN support, for 2.4 kernels
-and iptables.</p>
-
-<h4><a name="user.scripts">User scripts from the mailing list</a></h4>
-
-<p>One user gave considerable detail on his scripts, including supporting <a
-href="glossary.html#IPX">IPX</a> through the tunnel. His message was too long
-to conveniently be quoted here, so I've put it in a <a
-href="user_examples.html">separate file</a>.</p>
-
-<h2><a name="updown">Calling firewall scripts, named in ipsec.conf(5)</a></h2>
-
-<p>The <a href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> configuration
-file has three pairs of parameters used to specify an interface between
-FreeS/WAN and firewalling code.</p>
-
-<p>Note that using these is not required if you have a static firewall setup.
-In that case, you just set your firewall up at boot time (in a way that
-permits the IPsec connections you want) and do not change it thereafter. Omit
-all the FreeS/WAN firewall parameters and FreeS/WAN will not attempt to
-adjust firewall rules at all. See <a href="#examplefw">above</a> for some
-information on appropriate scripts.</p>
-
-<p>However, if you want your firewall rules to change when IPsec connections
-change, then you need to use these parameters.</p>
-
-<h3><a name="pre_post">Scripts called at IPsec start and stop</a></h3>
-
-<p>One pair of parmeters are set in the <var>config setup</var> section of
-the <a href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> file and affect
-all connections:</p>
-<dl>
-  <dt>prepluto=</dt>
-    <dd>script to be called before <a
-      href="manpage.d/ipsec_pluto.8.html">pluto(8)</a> IKE daemon is
-    started.</dd>
-  <dt>postpluto=</dt>
-    <dd>script to be called after <a
-      href="manpage.d/ipsec_pluto.8.html">pluto(8)</a> IKE daemon is
-    stopped.</dd>
-</dl>
-These parameters allow you to change firewall parameters whenever IPsec is
-started or stopped.
-
-<p>They can also be used in other ways. For example, you might have
-<var>prepluto</var> add a module to your kernel for the secure network
-interface or make a dialup connection, and then have <var>postpluto</var>
-remove the module or take the connection down.</p>
-
-<h3><a name="up_down">Scripts called at connection up and down</a></h3>
-
-<p>The other parameters are set in connection descriptions. They can be set
-in individual connection descriptions, and could even call different scripts
-for each connection for maximum flexibility. In most applications, however,
-it makes sense to use only one script and to call it from <var>conn
-%default</var> section so that it applies to all connections.</p>
-
-<p>You can:</p>
-<dl>
-  <dt><strong>either</strong></dt>
-    <dd>set <var>leftfirewall=yes</var> or <var>rightfirewall=yes</var> to
-      use our supplied default script</dd>
-  <dt><strong>or</strong></dt>
-    <dd>assign a name in a <var>leftupdown=</var> or <var>rightupdown=</var>
-      line to use your own script</dd>
-</dl>
-
-<p>Note that <strong>only one of these should be used</strong>. You cannot
-sensibly use both. Since <strong>our default script is obsolete</strong>
-(designed for firewalls using <var>ipfwadm(8)</var> on 2.0 kernels), most
-users who need this service will <strong>need to write a custom
-script</strong>.</p>
-
-<h4><a name="fw.default">The default script</a></h4>
-
-<p>We supply a default script named <var>_updown</var>.</p>
-<dl>
-  <dt>leftfirewall=</dt>
-    <dd></dd>
-  <dt>rightfirewall=</dt>
-    <dd>indicates that the gateway is doing firewalling and that <a
-      href="manpage.d/ipsec_pluto.8.html">pluto(8)</a> should poke holes in
-      the firewall as required.</dd>
-</dl>
-
-<p>Set these to <var>yes</var> and Pluto will call our default script
-<var>_updown</var> with appropriate arguments whenever it:</p>
-<ul>
-  <li>starts or stops IPsec services</li>
-  <li>brings a connection up or down</li>
-</ul>
-
-<p>The supplied default <var>_updown</var> script is appropriate for simple
-cases using the <var>ipfwadm(8)</var> firewalling package.</p>
-
-<h4><a name="userscript">User-written scripts</a></h4>
-
-<p>You can also write your own script and have Pluto call it. Just put the
-script's name in one of these <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> lines:</p>
-<dl>
-  <dt>leftupdown=</dt>
-    <dd></dd>
-  <dt>rightupdown=</dt>
-    <dd>specifies a script to call instead of our default script
-      <var>_updown</var>.</dd>
-</dl>
-
-<p>Your script should take the same arguments and use the same environment
-variables as <var>_updown</var>. See the "updown command" section of the <a
-href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</a> man page for
-details.</p>
-
-<p>Note that <strong>you should not modify our _updown script in
-place</strong>. If you did that, then upgraded FreeS/WAN, the upgrade would
-install a new default script, overwriting your changes.</p>
-
-<h3><a name="ipchains.script">Scripts for ipchains or iptables</a></h3>
-
-<p>Our <var>_updown</var> is for firewalls using <var>ipfwadm(8)</var>, the
-firewall code for the 2.0 series of Linux kernels. If you are using the more
-recent packages <var>ipchains(8)</var> (for 2.2 kernels) or
-<var>iptables(8)</var> (2.4 kernels), then you must do one of:</p>
-<ul>
-  <li>use static firewall rules which are set up at boot time as described <a
-    href="#examplefw">above</a> and do not need to be changed by Pluto</li>
-  <li>limit yourself to ipchains(8)'s ipfwadm(8) emulation mode in order to
-    use our script</li>
-  <li>write your own script and call it with <var>leftupdown</var> and
-    <var>rightupdown</var>.</li>
-</ul>
-
-<p>You can write a script to do whatever you need with firewalling. Specify
-its name in a <var>[left|right]updown=</var> parameter in <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> and Pluto will
-automatically call it for you.</p>
-
-<p>The arguments Pluto passes such a script are the same ones it passes to
-our default _updown script, so the best way to build yours is to copy ours
-and modify the copy.</p>
-
-<p>Note, however, that <strong>you should not modify our _updown script in
-place</strong>. If you did that, then upgraded FreeS/WAN, the upgrade would
-install a new default script, overwriting your changes.</p>
-
-<h2><a name="NAT">A complication: IPsec vs. NAT</a></h2>
-
-<p><a href="glossary.html#NAT.gloss">Network Address Translation</a>, also
-known as IP masquerading, is a method of allocating IP addresses dynamically,
-typically in circumstances where the total number of machines which need to
-access the Internet exceeds the supply of IP addresses.</p>
-
-<p>Any attempt to perform NAT operations on IPsec packets <em>between the
-IPsec gateways</em> creates a basic conflict:</p>
-<ul>
-  <li>IPsec wants to authenticate packets and ensure they are unaltered on a
-    gateway-to-gateway basis</li>
-  <li>NAT rewrites packet headers as they go by</li>
-  <li>IPsec authentication fails if packets are rewritten anywhere between
-    the IPsec gateways</li>
-</ul>
-
-<p>For <a href="glossary.html#AH">AH</a>, which authenticates parts of the
-packet header including source and destination IP addresses, this is fatal.
-If NAT changes those fields, AH authentication fails.</p>
-
-<p>For <a href="glossary.html#IKE">IKE</a> and <a
-href="glossary.html#ESP">ESP</a> it is not necessarily fatal, but is
-certainly an unwelcome complication.</p>
-
-<h3><a name="nat_ok">NAT on or behind the IPsec gateway works</a></h3>
-
-<p>This problem can be avoided by having the masquerading take place <em>on
-or behind</em> the IPsec gateway.</p>
-
-<p>This can be done physically with two machines, one physically behind the
-other. A picture, using SG to indicate IPsec <strong>S</strong>ecurity
-<strong>G</strong>ateways, is:</p>
-<pre>      clients --- NAT ----- SG ---------- SG
-                  two machines</pre>
-
-<p>In this configuration, the actual client addresses need not be given in
-the <var>leftsubnet=</var> parameter of the FreeS/WAN connection description.
-The security gateway just delivers packets to the NAT box; it needs only that
-machine's address. What that machine does with them does not affect
-FreeS/WAN.</p>
-
-<p>A more common setup has one machine performing both functions:</p>
-<pre>      clients ----- NAT/SG ---------------SG
-                  one machine</pre>
-
-<p>Here you have a choice of techniques depending on whether you want to make
-your client subnet visible to clients on the other end:</p>
-<ul>
-  <li>If you want the single gateway to behave like the two shown above, with
-    your clients hidden behind the NAT, then omit the <var>leftsubnet=</var>
-    parameter. It then defaults to the gateway address. Clients on the other
-    end then talk via the tunnel only to your gateway. The gateway takes
-    packets emerging from the tunnel, applies normal masquerading, and
-    forwards them to clients.</li>
-  <li>If you want to make your client machines visible, then give the client
-    subnet addresses as the <var>leftsubnet=</var> parameter in the
-    connection description and
-    <dl>
-      <dt>either</dt>
-        <dd>set <var>leftfirewall=yes</var> to use the default
-          <var>updown</var> script</dd>
-      <dt>or</dt>
-        <dd>use your own script by giving its name in a
-          <var>leftupdown=</var> parameter</dd>
-    </dl>
-    These scripts are described in their own <a href="#updown">section</a>.
-    <p>In this case, no masquerading is done. Packets to or from the client
-    subnet are encrypted or decrypted without any change to their client
-    subnet addresses, although of course the encapsulating packets use
-    gateway addresses in their headers. Clients behind the right security
-    gateway see a route via that gateway to the left subnet.</p>
-  </li>
-</ul>
-
-<h3><a name="nat_bad">NAT between gateways is problematic</a></h3>
-
-<p>We recommend not trying to build IPsec connections which pass through a
-NAT machine. This setup poses problems:</p>
-<pre>      clients --- SG --- NAT ---------- SG</pre>
-
-<p>If you must try it, some references are:</p>
-<ul>
-  <li>Jean_Francois Nadeau's document on doing <a
-    href="http://jixen.tripod.com/#NATed gateways">IPsec behind NAT</a></li>
-  <li><a href="web.html#VPN.masq">VPN masquerade patches</a> to make a Linux
-    NAT box handle IPsec packets correctly</li>
-</ul>
-
-<h3><a name="NAT.ref">Other references on NAT and IPsec</a></h3>
-
-<p>Other documents which may be relevant include:</p>
-<ul>
-  <li>an Internet Draft on <a
-    href="http://search.ietf.org/internet-drafts/draft-aboba-nat-ipsec-04.txt">IPsec
-    and NAT</a> which may eventually evolve into a standard solution for this
-    problem.</li>
-  <li>an informational <a
-    href="http://www.cis.ohio-state.edu/rfc/rfc2709.txt">RFC</a>,
-    <cite>Security Model with Tunnel-mode IPsec for NAT Domains</cite>.</li>
-  <li>an <a
-    href="http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html">article</a>
-    in Cisco's <cite>Internet Protocol Journal</cite></li>
-</ul>
-
-<h2><a name="complications">Other complications</a></h2>
-
-<p>Of course simply allowing UDP 500 and ESP packets is not the whole story.
-Various other issues arise in making IPsec and packet filters co-exist and
-even co-operate. Some of them are summarised below.</p>
-
-<h3><a name="through">IPsec <em>through</em></a> the gateway</h3>
-
-<p>Basic IPsec packet filtering rules deal only with packets addressed to or
-sent from your IPsec gateway.</p>
-
-<p>It is a separate policy decision whether to permit such packets to pass
-through the gateway so that client machines can build end-to-end IPsec
-tunnels of their own. This may not be practical if you are using <a
-href="#NAT">NAT (IP masquerade)</a> on your gateway, and may conflict with
-some corporate security policies.</p>
-
-<p>Where possible, allowing this is almost certainly a good idea. Using IPsec
-on an end-to-end basis is more secure than gateway-to-gateway.</p>
-
-<p>Doing it is quite simple. You just need firewall rules that allow UDP port
-500 and protocols 50 and 51 to pass through your gateway. If you wish, you
-can of course restrict this to certain hosts.</p>
-
-<h3><a name="ipsec_only">Preventing non-IPsec traffic</a></h3>
-You can also filter <em>everything but</em> UDP port 500 and ESP or AH to
-restrict traffic to IPsec only, either for anyone communicating with your
-host or just for specific partners.
-
-<p>One application of this is for the telecommuter who might have:</p>
-<pre>     Sunset==========West------------------East ================= firewall --- the Internet
-         home network      untrusted net        corporate network</pre>
-
-<p>The subnet on the right is 0.0.0.0/0, the whole Internet. The West gateway
-is set up so that it allows only IPsec packets to East in or out.</p>
-
-<p>This configuration is used in AT&amp;T Research's network. For details,
-see the <a href="intro.html#applied">papers</a> links in our introduction.</p>
-
-<p>Another application would be to set up firewall rules so that an internal
-machine, such as an employees-only web server, could not talk to the outside
-world except via specific IPsec tunnels.</p>
-
-<h3><a name="unknowngate">Filtering packets from unknown gateways</a></h3>
-
-<p>It is possible to use firewall rules to restrict UDP 500, ESP and AH
-packets so that these packets are accepted only from known gateways. This is
-not strictly necessary since FreeS/WAN will discard packets from unknown
-gateways. You might, however, want to do it for any of a number of reasons.
-For example:</p>
-<ul>
-  <li>Arguably, "belt and suspenders" is the sensible approach to security.
-    If you can block a potential attack in two ways, use both. The only
-    question is whether to look for a third way after implementing the first
-    two.</li>
-  <li>Some admins may prefer to use the firewall code this way because they
-    prefer firewall logging to FreeS/WAN's logging.</li>
-  <li>You may need it to implement your security policy. Consider an employee
-    working at home, and a policy that says traffic from the home system to
-    the Internet at large must go first via IPsec to the corporate LAN and
-    then out to the Internet via the corporate firewall. One way to do that
-    is to make <var>ipsec0</var> the default route on the home gateway and
-    provide exceptions only for UDP 500 and ESP to the corporate gateway.
-    Everything else is then routed via the tunnel to the corporate
-  gateway.</li>
-</ul>
-
-<p>It is not possible to use only static firewall rules for this filtering if
-you do not know the other gateways' IP addresses in advance, for example if
-you have "road warriors" who may connect from a different address each time
-or if want to do <a href="glossary.html#carpediem">opportunistic
-encryption</a> to arbitrary gateways. In these cases, you can accept UDP 500
-IKE packets from anywhere, then use the <a href="#updown">updown</a> script
-feature of <a href="manpage.d/ipsec_pluto.8.html">pluto(8)</a> to dynamically
-adjust firewalling for each negotiated tunnel.</p>
-
-<p>Firewall packet filtering does not much reduce the risk of a <a
-href="glossary.html#DOS">denial of service attack</a> on FreeS/WAN. The
-firewall can drop packets from unknown gateways, but KLIPS does that quite
-efficiently anyway, so you gain little. The firewall cannot drop otherwise
-legitmate packets that fail KLIPS authentication, so it cannot protect
-against an attack designed to exhaust resources by making FreeS/WAN perform
-many expensive authentication operations.</p>
-
-<p>In summary, firewall filtering of IPsec packets from unknown gateways is
-possible but not strictly necessary.</p>
-
-<h2><a name="otherfilter">Other packet filters</a></h2>
-
-<p>When the IPsec gateway is also acting as your firewall, other packet
-filtering rules will be in play. In general, those are outside the scope of
-this document. See our <a href="web.html#firewall.linux">Linux firewall
-links</a> for information. There are a few types of packet, however, which
-can affect the operation of FreeS/WAN or of diagnostic tools commonly used
-with it. These are discussed below.</p>
-
-<h3><a name="ICMP">ICMP filtering</a></h3>
-
-<p><a href="glossary.html#ICMP.gloss">ICMP</a> is the
-<strong>I</strong>nternet <strong>C</strong>ontrol <strong>M</strong>essage
-<strong>P</strong>rotocol. It is used for messages between IP implementations
-themselves, whereas IP used is used between the clients of those
-implementations. ICMP is, unsurprisingly, used for control messages. For
-example, it is used to notify a sender that a desination is not reachable, or
-to tell a router to reroute certain packets elsewhere.</p>
-
-<p>ICMP handling is tricky for firewalls.</p>
-<ul>
-  <li>You definitely want some ICMP messages to get through; things won't
-    work without them. For example, your clients need to know if some
-    destination they ask for is unreachable.</li>
-  <li>On the other hand, you do equally definitely do not want untrusted folk
-    sending arbitrary control messages to your machines. Imagine what someone
-    moderately clever and moderately malicious could do to you, given control
-    of your network's routing.</li>
-</ul>
-
-<p>ICMP does not use ports. Messages are distinguished by a "message type"
-field and, for some types, by an additional "code" field. The definitive list
-of types and codes is on the <a href="http://www.iana.org">IANA</a> site.</p>
-
-<p>One expert uses this definition for ICMP message types to be dropped at
-the firewall.</p>
-<pre># ICMP types which lack socially redeeming value.
-#  5     Redirect
-#  9     Router Advertisement
-# 10     Router Selection
-# 15     Information Request
-# 16     Information Reply
-# 17     Address Mask Request
-# 18     Address Mask Reply
-
-badicmp='5 9 10 15 16 17 18'</pre>
-
-<p>A more conservative approach would be to make a list of allowed types and
-drop everything else.</p>
-
-<p>Whichever way you do it, your ICMP filtering rules on a FreeS/WAN gateway
-should allow at least the following ICMP packet types:</p>
-<dl>
-  <dt>echo (type 8)</dt>
-    <dd></dd>
-  <dt>echo reply (type 0)</dt>
-    <dd>These are used by ping(1). We recommend allowing both types through
-      the tunnel and to or from your gateway's external interface, since
-      ping(1) is an essential testing tool.
-      <p>It is fairly common for firewalls to drop ICMP echo packets
-      addressed to machines behind the firewall. If that is your policy,
-      please create an exception for such packets arriving via an IPsec
-      tunnel, at least during intial testing of those tunnels.</p>
-    </dd>
-  <dt>destination unreachable (type 3)</dt>
-    <dd>This is used, with code 4 (Fragmentation Needed and Don't Fragment
-      was Set) in the code field, to control <a
-      href="glossary.html#pathMTU">path MTU discovery</a>. Since IPsec
-      processing adds headers, enlarges packets and may cause fragmentation,
-      an IPsec gateway should be able to send and receive these ICMP messages
-      <strong>on both inside and outside interfaces</strong>.</dd>
-</dl>
-
-<h3><a name="traceroute">UDP packets for traceroute</a></h3>
-
-<p>The traceroute(1) utility uses UDP port numbers from 33434 to
-approximately 33633. Generally, these should be allowed through for
-troubleshooting.</p>
-
-<p>Some firewalls drop these packets to prevent outsiders exploring the
-protected network with traceroute(1). If that is your policy, consider
-creating an exception for such packets arriving via an IPsec tunnel, at least
-during intial testing of those tunnels.</p>
-
-<h3><a name="l2tp">UDP for L2TP</a></h3>
-<p>
-Windows 2000 does, and products designed for compatibility with it may, build
-<a href="glossary.html#L2TP">L2TP</a> tunnels over IPsec connections.
-
-<p>For this to work, you must allow UDP protocol 1701 packets coming out of
-your tunnels to continue to their destination. You can, and probably should,
-block such packets to or from your external interfaces, but allow them from
-<var>ipsec0</var>.</p>
-
-<p>See also our Windows 2000 <a href="interop.html#win2k">interoperation
-discussion</a>.</p>
-
-<h2><a name="packets">How it all works: IPsec packet details</a></h2>
-
-<p>IPsec uses three main types of packet:</p>
-<dl>
-  <dt><a href="glossary.html#IKE">IKE</a> uses <strong>the UDP protocol and
-  port 500</strong>.</dt>
-    <dd>Unless you are using only (less secure, not recommended) manual
-      keying, you need IKE to negotiate connection parameters, acceptable
-      algorithms, key sizes and key setup. IKE handles everything required to
-      set up, rekey, repair or tear down IPsec connections.</dd>
-  <dt><a href="glossary.html#ESP">ESP</a> is <strong>protocol number
-  50</strong></dt>
-    <dd>This is required for encrypted connections.</dd>
-  <dt><a href="glossary.html#AH">AH</a> is <strong>protocol number
-  51</strong></dt>
-    <dd>This can be used where only authentication, not encryption, is
-      required.</dd>
-</dl>
-
-<p>All of those packets should have appropriate IPsec gateway addresses in
-both the to and from IP header fields. Firewall rules can check this if you
-wish, though it is not strictly necessary. This is discussed in more detail
-<a href="#unknowngate">later</a>.</p>
-
-<p>IPsec processing of incoming packets authenticates them then removes the
-ESP or AH header and decrypts if necessary. Successful processing exposes an
-inner packet which is then delivered back to the firewall machinery, marked
-as having arrived on an <var>ipsec[0-3]</var> interface. Firewall rules can
-use that interface label to distinguish these packets from unencrypted
-packets which are labelled with the physical interface they arrived on (or
-perhaps with a non-IPsec virtual interface such as <var>ppp0</var>).</p>
-
-<p>One of our users sent a mailing list message with a <a
-href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00006.html">diagram</a>
-of the packet flow.</p>
-
-<h3><a name="noport">ESP and AH do not have ports</a></h3>
-
-<p>Some protocols, such as TCP and UDP, have the notion of ports. Others
-protocols, including ESP and AH, do not. Quite a few IPsec newcomers have
-become confused on this point. There are no ports <em>in</em> the ESP or AH
-protocols, and no ports used <em>for</em> them. For these protocols, <em>the
-idea of ports is completely irrelevant</em>.</p>
-
-<h3><a name="header">Header layout</a></h3>
-
-<p>The protocol numbers for ESP or AH are used in the 'next header' field of
-the IP header. On most non-IPsec packets, that field would have one of:</p>
-<ul>
-  <li>1 for ICMP</li>
-  <li>4 for IP-in-IP encapsulation</li>
-  <li>6 for TCP</li>
-  <li>17 for UDP</li>
-  <li>... or one of about 100 other possibilities listed by <a
-    href="http://www.iana.org">IANA</a></li>
-</ul>
-
-<p>Each header in the sequence tells what the next header will be. IPsec adds
-headers for ESP or AH near the beginning of the sequence. The original
-headers are kept and the 'next header' fields adjusted so that all headers
-can be correctly interpreted.</p>
-
-<p>For example, using <strong>[</strong> <strong>]</strong> to indicate data
-protected by ESP and unintelligible to an eavesdropper between the
-gateways:</p>
-<ul>
-  <li>a simple packet might have only IP and TCP headers with:
-    <ul>
-      <li>IP header says next header --&gt; TCP</li>
-      <li>TCP header port number --&gt; which process to send data to</li>
-      <li>data</li>
-    </ul>
-  </li>
-  <li>with ESP <a href="glossary.html#transport">transport mode</a>
-    encapsulation, that packet would have:
-    <ul>
-      <li>IP header says next header --&gt; ESP</li>
-      <li>ESP header <strong>[</strong> says next --&gt; TCP</li>
-      <li>TCP header port number --&gt; which process to send data to</li>
-      <li>data <strong>]</strong></li>
-    </ul>
-    Note that the IP header is outside ESP protection, visible to an
-    attacker, and that the final destination must be the gateway.</li>
-  <li>with ESP in <a href="glossary.html#tunnel">tunnel mode</a>, we might
-    have:
-    <ul>
-      <li>IP header says next header --&gt; ESP</li>
-      <li>ESP header <strong>[</strong> says next --&gt; IP</li>
-      <li>IP header says next header --&gt; TCP</li>
-      <li>TCP header port number --&gt; which process to send data to</li>
-      <li>data <strong>]</strong></li>
-    </ul>
-    Here the inner IP header is protected by ESP, unreadable by an attacker.
-    Also, the inner header can have a different IP address than the outer IP
-    header, so the decrypted packet can be routed from the IPsec gateway to a
-    final destination which may be another machine.</li>
-</ul>
-
-<p>Part of the ESP header itself is encrypted, which is why the
-<strong>[</strong> indicating protected data appears in the middle of some
-lines above. The next header field of the ESP header is protected. This makes
-<a href="glossary.html#traffic">traffic analysis</a> more difficult. The next
-header field would tell an eavesdropper whether your packet was UDP to the
-gateway, TCP to the gateway, or encapsulated IP. It is better not to give
-this information away. A clever attacker may deduce some of it from the
-pattern of packet sizes and timings, but we need not make it easy.</p>
-
-<p>IPsec allows various combinations of these to match local policies,
-including combinations that use both AH and ESP headers or that nest multiple
-copies of these headers.</p>
-
-<p>For example, suppose my employer has an IPsec VPN running between two
-offices so all packets travelling between the gateways for those offices are
-encrypted. If gateway policies allow it (The admins could block UDP 500 and
-protocols 50 and 51 to disallow it), I can build an IPsec tunnel from my
-desktop to a machine in some remote office. Those packets will have one ESP
-header throughout their life, for my end-to-end tunnel. For part of the
-route, however, they will also have another ESP layer for the corporate VPN's
-encapsulation. The whole header scheme for a packet on the Internet might
-be:</p>
-<ul>
-  <li>IP header (with gateway address) says next header --&gt; ESP</li>
-  <li>ESP header <strong>[</strong> says next --&gt; IP</li>
-  <li>IP header (with receiving machine address) says next header --&gt;
-  ESP</li>
-  <li>ESP header <strong>[</strong> says next --&gt; TCP</li>
-  <li>TCP header port number --&gt; which process to send data to</li>
-  <li>data <strong>]]</strong></li>
-</ul>
-
-<p>The first ESP (outermost) header is for the corporate VPN. The inner ESP
-header is for the secure machine-to-machine link.</p>
-
-<h3><a name="dhr">DHR on the updown script</a></h3>
-
-<p>Here are some mailing list comments from <a
-href="manpage.d/ipsec_pluto.8.html">pluto(8)</a> developer Hugh Redelmeier on
-an earlier draft of this document:</p>
-<pre>There are many important things left out
-
-- firewalling is important but must reflect (implement) policy.  Since
-  policy isn't the same for all our customers, and we're not experts,
-  we should concentrate on FW and MASQ interactions with FreeS/WAN.
-
-- we need a diagram to show packet flow WITHIN ONE MACHINE, assuming
-  IKE, IPsec, FW, and MASQ are all done on that machine.  The flow is
-  obvious if the components are run on different machines (trace the
-  cables).
-
-  IKE input:
-        + packet appears on public IF, as UDP port 500
-        + input firewalling rules are applied (may discard)
-        + Pluto sees the packet.
-
-  IKE output:
-        + Pluto generates the packet &amp; writes to public IF, UDP port 500
-        + output firewalling rules are applied (may discard)
-        + packet sent out public IF
-
-  IPsec input, with encapsulated packet, outer destination of this host:
-        + packet appears on public IF, protocol 50 or 51.  If this
-          packet is the result of decapsulation, it will appear
-          instead on the paired ipsec IF.
-        + input firewalling rules are applied (but packet is opaque)
-        + KLIPS decapsulates it, writes result to paired ipsec IF
-        + input firewalling rules are applied to resulting packet
-          as input on ipsec IF
-        + if the destination of the packet is this machine, the
-          packet is passed on to the appropriate protocol handler.
-          If the original packet was encapsulated more than once
-          and the new outer destination is this machine, that
-          handler will be KLIPS.
-        + otherwise:
-          * routing is done for the resulting packet.  This may well
-            direct it into KLIPS for encoding or encrypting.  What
-            happens then is described elsewhere.
-          * forwarding firewalling rules are applied
-          * output firewalling rules are applied
-          * the packet is sent where routing specified
-
- IPsec input, with encapsulated packet, outer destination of another host:
-        + packet appears on some IF, protocol 50 or 51
-        + input firewalling rules are applied (but packet is opaque)
-        + routing selects where to send the packet
-        + forwarding firewalling rules are applied (but packet is opaque)
-        + packet forwarded, still encapsulated
-
-  IPsec output, from this host or from a client:
-        + if from a client, input firewalling rules are applied as the
-          packet arrives on the private IF
-        + routing directs the packet to an ipsec IF (this is how the
-          system decides KLIPS processing is required)
-        + if from a client, forwarding firewalling rules are applied
-        + KLIPS eroute mechanism matches the source and destination
-          to registered eroutes, yielding a SPI group.  This dictates
-          processing, and where the resulting packet is to be sent
-          (the destinations SG and the nexthop).
-        + output firewalling is not applied to the resulting
-          encapsulated packet
-
-- Until quite recently, KLIPS would double encapsulate packets that
-  didn't strictly need to be.  Firewalling should be prepared for
-  those packets showing up as ESP and AH protocol input packets on
-  an ipsec IF.
-
-- MASQ processing seems to be done as if it were part of the
-  forwarding firewall processing (this should be verified).
-
-- If a firewall is being used, it is likely the case that it needs to
-  be adjusted whenever IPsec SAs are added or removed.  Pluto invokes
-  a script to do this (and to adjust routing) at suitable times.  The
-  default script is only suitable for ipfwadm-managed firewalls.  Under
-  LINUX 2.2.x kernels, ipchains can be managed by ipfwadm (emulation),
-  but ipchains more powerful if manipulated using the ipchains command.
-  In this case, a custom updown script must be used.
-
-  We think that the flexibility of ipchains precludes us supplying an
-  updown script that would be widely appropriate.</pre>
-</body>
-</html>
diff --git a/doc/src/forwardingstate.txt b/doc/src/forwardingstate.txt
deleted file mode 100644
index 8853ac84e..000000000
--- a/doc/src/forwardingstate.txt
+++ /dev/null
@@ -1,35 +0,0 @@
-
- 
-      .--------------. 	 
-      | non-existant |
-      |    policy    |
-      `--------------'
-             |        
-             | PF_ACQUIRE
-             |           
-             |<---------.
-             V          | new packet
-      .--------------.  | (maybe resend PF_ACQUIRE)
-      |  hold policy |--'                          
-      |              |--.                          
-      `--------------'   \  pass                   
-         |        |       \ msg    .---------.     
-         |        |        \       V         | forward
-         |        |         .-------------.  | packet 
-  create |        |         | pass policy |--'       
-  IPsec  |        |         `-------------'          
-  SA     |        |                                  
-         |         \                                 
-         |          \                                
-         V           \ 	deny                         
-   .---------.        \ msg                          
-   | encrypt |         \                             
-   | policy  |          \         ,---------.        
-   `---------'           \        |         | discard
-                          \       V         | packet 
-                           .-------------.  |        
-                           | deny policy |--'        
-                           '-------------'          
-                                                   
-    
-$Id: forwardingstate.txt,v 1.1 2004/03/15 20:35:24 as Exp $
diff --git a/doc/src/glossary.html b/doc/src/glossary.html
deleted file mode 100644
index 38d0db7bb..000000000
--- a/doc/src/glossary.html
+++ /dev/null
@@ -1,2257 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN glossary</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, glossary, cryptography">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: glossary.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="ourgloss">Glossary for the Linux FreeS/WAN project</a></h1>
-
-<p>Entries are in alphabetical order. Some entries are only one line or one
-paragraph long. Others run to several paragraphs. I have tried to put the
-essential information in the first paragraph so you can skip the other
-paragraphs if that seems appropriate.</p>
-<hr>
-
-<h2><a name="jump">Jump to a letter in the glossary</a></h2>
-
-<center>
-<big><b><a href="#0">numeric</a> <a href="#A">A</a> <a href="#B">B</a> <a
-href="#C">C</a> <a href="#D">D</a> <a href="#E">E</a> <a href="#F">F</a> <a
-href="#G">G</a> <a href="#H">H</a> <a href="#I">I</a> <a href="#J">J</a> <a
-href="#K">K</a> <a href="#L">L</a> <a href="#M">M</a> <a href="#N">N</a> <a
-href="#O">O</a> <a href="#P">P</a> <a href="#Q">Q</a> <a href="#R">R</a> <a
-href="#S">S</a> <a href="#T">T</a> <a href="#U">U</a> <a href="#V">V</a> <a
-href="#W">W</a> <a href="#X">X</a> <a href="#Y">Y</a> <a
-href="#Z">Z</a></b></big></center>
-<hr>
-
-<h2><a name="gloss">Other glossaries</a></h2>
-
-<p>Other glossaries which overlap this one include:</p>
-<ul>
-  <li>The VPN Consortium's glossary of <a
-    href="http://www.vpnc.org/terms.html">VPN terms</a>.</li>
-  <li>glossary portion of the <a
-    href="http://www.rsa.com/rsalabs/faq/B.html">Cryptography FAQ</a></li>
-  <li>an extensive crytographic glossary on <a
-    href="http://www.ciphersbyritter.com/GLOSSARY.HTM">Terry Ritter's</a>
-    page.</li>
-  <li>The <a href="#NSA">NSA</a>'s <a
-    href="http://www.sans.org/newlook/resources/glossary.htm">glossary of
-    computer security</a> on the <a href="http://www.sans.org">SANS
-    Institute</a> site.</li>
-  <li>a small glossary for Internet Security at <a
-    href="http://www5.zdnet.com/pcmag/pctech/content/special/glossaries/internetsecurity.html">
-    PC magazine</a></li>
-  <li>The <a
-    href="http://www.visi.com/crypto/inet-crypto/glossary.html">glossary</a>
-    from Richard Smith's book <a href="#Smith">Internet Cryptography</a></li>
-</ul>
-
-<p>Several Internet glossaries are available as RFCs:</p>
-<ul>
-  <li><a href="http://www.rfc-editor.org/rfc/rfc1208.txt">Glossary of
-    Networking Terms</a></li>
-  <li><a href="http://www.rfc-editor.org/rfc/rfc1983.txt">Internet User's
-    Glossary</a></li>
-  <li><a href="http://www.rfc-editor.org/rfc/rfc2828.txt">Internet Security
-    Glossary</a></li>
-</ul>
-
-<p>More general glossary or dictionary information:</p>
-<ul>
-  <li>Free Online Dictionary of Computing (FOLDOC)
-    <ul>
-      <li><a href="http://www.nightflight.com/foldoc">North America</a></li>
-      <li><a
-      href="http://wombat.doc.ic.ac.uk/foldoc/index.html">Europe</a></li>
-      <li><a href="http://www.nue.org/foldoc/index.html">Japan</a></li>
-    </ul>
-    <p>There are many more mirrors of this dictionary.</p>
-  </li>
-  <li>The Jargon File, the definitive resource for hacker slang and folklore
-    <ul>
-      <li><a href="http://www.netmeg.net/jargon">North America</a></li>
-      <li><a href="http://info.wins.uva.nl/~mes/jargon/">Holland</a></li>
-      <li><a href="http://www.tuxedo.org/~esr/jargon">home page</a></li>
-    </ul>
-    <p>There are also many mirrors of this. See the home page for a list.</p>
-  </li>
-  <li>A general <a
-    href="http://www.trinity.edu/~rjensen/245glosf.htm#Navigate"> technology
-    glossary</a></li>
-  <li>An <a href="http://www.yourdictionary.com/">online dictionary resource
-    page</a> with pointers to many dictionaries for many languages</li>
-  <li>A <a href="http://www.onelook.com/">search engine</a> that accesses
-    several hundred online dictionaries</li>
-  <li>O'Reilly <a href="http://www.ora.com/reference/dictionary/">Dictionary
-    of PC Hardware and Data Communications Terms</a></li>
-  <li><a href="http://www.FreeSoft.org/CIE/index.htm">Connected</a> Internet
-    encyclopedia</li>
-  <li><a href="http://www.whatis.com/">whatis.com</a></li>
-</ul>
-<hr>
-
-<h2><a name="definitions">Definitions</a></h2>
-<dl>
-  <dt><a name="0">0</a></dt>
-  <dt><a name="3DES">3DES (Triple DES)</a></dt>
-    <dd>Using three <a href="#DES">DES</a> encryptions on a single data
-      block, with at least two different keys, to get higher security than is
-      available from a single DES pass. The three-key version of 3DES is the
-      default encryption algorithm for <a href="#FreeSWAN">Linux
-      FreeS/WAN</a>.
-      <p><a href="#IPSEC">IPsec</a> always does 3DES with three different
-      keys, as required by RFC 2451. For an explanation of the two-key
-      variant, see <a href="#2key">two key triple DES</a>. Both use an <a
-      href="#EDE">EDE</a> encrypt-decrypt-encrpyt sequence of operations.</p>
-      <p>Single <a href="#DES">DES</a> is <a
-      href="politics.html#desnotsecure">insecure</a>.</p>
-      <p>Double DES is ineffective. Using two 56-bit keys, one might expect
-      an attacker to have to do 2<sup>112</sup> work to break it. In fact,
-      only 2<sup>57</sup> work is required with a <a
-      href="#meet">meet-in-the-middle attack</a>, though a large amount of
-      memory is also required. Triple DES is vulnerable to a similar attack,
-      but that just reduces the work factor from the 2<sup>168</sup> one
-      might expect to 2<sup>112</sup>. That provides adequate protection
-      against <a href="#brute">brute force</a> attacks, and no better attack
-      is known.</p>
-      <p>3DES can be somewhat slow compared to other ciphers. It requires
-      three DES encryptions per block. DES was designed for hardware
-      implementation and includes some operations which are difficult in
-      software. However, the speed we get is quite acceptable for many uses.
-      See our <a href="performance.html">performance</a> document for
-      details.</p>
-    </dd>
-  <dt><a name="A">A</a></dt>
-  <dt><a name="active">Active attack</a></dt>
-    <dd>An attack in which the attacker does not merely eavesdrop (see <a
-      href="#passive">passive attack</a>) but takes action to change, delete,
-      reroute, add, forge or divert data. Perhaps the best-known active
-      attack is <a href="#middle">man-in-the-middle</a>. In general, <a
-      href="#authentication">authentication</a> is a useful defense against
-      active attacks.</dd>
-  <dt><a name="AES">AES</a></dt>
-    <dd>The <b>A</b>dvanced <b>E</b>ncryption <b>S</b>tandard -- a new <a
-      href="#block">block cipher</a> standard to replace <a
-      href="politics.html#desnotsecure">DES</a> -- developed by <a
-      href="#NIST">NIST</a>, the US National Institute of Standards and
-      Technology. DES used 64-bit blocks and a 56-bit key. AES ciphers use a
-      128-bit block and 128, 192 or 256-bit keys. The larger block size helps
-      resist <a href="#birthday">birthday attacks</a> while the large key
-      size prevents <a href="#brute">brute force attacks</a>.
-      <p>Fifteen proposals meeting NIST's basic criteria were submitted in
-      1998 and subjected to intense discussion and analysis, "round one"
-      evaluation. In August 1999, NIST narrowed the field to five "round two"
-      candidates:</p>
-      <ul>
-        <li><a href="http://www.research.ibm.com/security/mars.html">Mars</a>
-          from IBM</li>
-        <li><a href="http://www.rsa.com/rsalabs/aes/">RC6</a> from RSA</li>
-        <li><a
-          href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">Rijndael</a>
-          from two Belgian researchers</li>
-        <li><a
-          href="http://www.cl.cam.ac.uk/~rja14/serpent.html">Serpent</a>, a
-          British-Norwegian-Israeli collaboration</li>
-        <li><a href="http://www.counterpane.com/twofish.html">Twofish</a>
-          from the consulting firm <a
-          href="http://www.counterpane.com">Counterpane</a></li>
-      </ul>
-      <p>Three of the five finalists -- Rijndael, Serpent and Twofish -- have
-      completely open licenses.</p>
-      <p>In October 2000, NIST announced the winner -- Rijndael.</p>
-      <p>For more information, see:</p>
-      <ul>
-        <li>NIST's <a
-          href="http://csrc.nist.gov/encryption/aes/aes_home.htm">AES home
-          page</a></li>
-        <li>the Block Cipher Lounge <a
-          href="http://www.ii.uib.no/~larsr/aes.html">AES page</a></li>
-        <li>Brian Gladman's <a
-          href="http://fp.gladman.plus.com/cryptography_technology/index.htm">code
-          and benchmarks</a></li>
-        <li>Helger Lipmaa's <a
-          href="http://www.tcs.hut.fi/~helger/aes/">survey of
-          implementations</a></li>
-      </ul>
-      <p>AES will be added to a future release of <a href="#FreeSWAN">Linux
-      FreeS/WAN</a>.  Likely we will add all three of the finalists with good
-      licenses. User-written <a href="web.html#patch">AES patches</a> are
-      already available.</p>
-      <p>Adding AES may also require adding stronger hashes, <a
-      href="#SHA-256">SHA-256, SHA-384 and SHA-512</a>.</p>
-    </dd>
-  <dt><a name="AH">AH</a></dt>
-    <dd>The <a href="#IPSEC">IPsec</a> <b>A</b>uthentication <b>H</b>eader,
-      added after the IP header. For details, see our <a
-      href="ipsec.html#AH.ipsec">IPsec</a> document and/or RFC 2402.</dd>
-  <dt><a name="alicebob">Alice and Bob</a></dt>
-    <dd>A and B, the standard example users in writing on cryptography and
-      coding theory. Carol and Dave join them for protocols which require
-      more players.
-      <p>Bruce Schneier extends these with many others such as Eve the
-      Eavesdropper and Victor the Verifier. His extensions seem to be in the
-      process of becoming standard as well. See page 23 of <a
-      href="biblio.html#schneier">Applied Cryptography</a></p>
-      <p>Alice and Bob have an amusing <a
-      href="http://www.conceptlabs.co.uk/alicebob.html"> biography</a> on the
-      web.</p>
-    </dd>
-  <dt>ARPA</dt>
-    <dd>see <a href="#DARPA">DARPA</a></dd>
-  <dt><a name="ASIO">ASIO</a></dt>
-    <dd>Australian Security Intelligence Organisation.</dd>
-  <dt>Asymmetric cryptography</dt>
-    <dd>See <a href="#public">public key cryptography</a>.</dd>
-  <dt><a name="authentication">Authentication</a></dt>
-    <dd>Ensuring that a message originated from the expected sender and has
-      not been altered on route. <a href="#IPSEC">IPsec</a> uses
-      authentication in two places:
-      <ul>
-        <li>peer authentication, authenticating the players in <a
-          href="#IKE">IKE</a>'s <a href="#DH">Diffie-Hellman</a> key
-          exchanges to prevent <a href="#middle">man-in-the-middle
-          attacks</a>. This can be done in a number of ways. The methods
-          supported by FreeS/WAN are discussed in our <a
-          href="adv_config.html#choose">advanced configuration</a>
-        document.</li>
-        <li>packet authentication, authenticating packets on an established
-          <a href="#SA">SA</a>, either with a separate <a
-          href="#AH">authentication header</a> or with the optional
-          authentication in the <a href="#ESP">ESP</a> protocol. In either
-          case, packet authentication uses a <a href="#HMAC">hashed message
-          athentication code</a> technique.</li>
-      </ul>
-      <p>Outside IPsec, passwords are perhaps the most common authentication
-      mechanism. Their function is essentially to authenticate the person's
-      identity to the system. Passwords are generally only as secure as the
-      network they travel over. If you send a cleartext password over a
-      tapped phone line or over a network with a packet sniffer on it, the
-      security provided by that password becomes zero. Sending an encrypted
-      password is no better; the attacker merely records it and reuses it at
-      his convenience. This is called a <a href="#replay">replay</a>
-      attack.</p>
-      <p>A common solution to this problem is a <a
-      href="#challenge">challenge-response</a> system. This defeats simple
-      eavesdropping and replay attacks. Of course an attacker might still try
-      to break the cryptographic algorithm used, or the <a
-      href="#random">random number</a> generator.</p>
-    </dd>
-  <dt><a name="auto">Automatic keying</a></dt>
-    <dd>A mode in which keys are automatically generated at connection
-      establisment and new keys automaically created periodically thereafter.
-      Contrast with <a href="#manual">manual keying</a> in which a single
-      stored key is used.
-      <p>IPsec uses the <a href="#DH">Diffie-Hellman key exchange
-      protocol</a> to create keys. An <a
-      href="#authentication">authentication</a> mechansim is required for
-      this. FreeS/WAN normally uses <a href="#RSA">RSA</a> for this. Other
-      methods supported are discussed in our <a
-      href="adv_config.html#choose">advanced configuration</a> document.</p>
-      <p>Having an attacker break the authentication is emphatically not a
-      good idea. An attacker that breaks authentication, and manages to
-      subvert some other network entities (DNS, routers or gateways), can use
-      a <a href="#middle">man-in-the middle attack</a> to break the security
-      of your IPsec connections.</p>
-      <p>However, having an attacker break the authentication in automatic
-      keying is not quite as bad as losing the key in manual keying.</p>
-      <ul>
-        <li>An attacker who reads /etc/ipsec.conf and gets the keys for a
-          manually keyed connection can, without further effort, read all
-          messages encrypted with those keys, including any old messages he
-          may have archived.</li>
-        <li>Automatic keying has a property called <a href="#PFS">perfect
-          forward secrecy</a>. An attacker who breaks the authentication gets
-          none of the automatically generated keys and cannot immediately
-          read any messages. He has to mount a successful <a
-          href="#middle">man-in-the-middle attack</a> in real time before he
-          can read anything. He cannot read old archived messages at all and
-          will not be able to read any future messages not caught by
-          man-in-the-middle tricks.</li>
-      </ul>
-      <p>That said, the secrets used for authentication, stored in <a
-      href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a>, should
-      still be protected as tightly as cryptographic keys.</p>
-    </dd>
-  <dt><a name="B">B</a></dt>
-  <dt><a href="http://www.nortelnetworks.com">Bay Networks</a></dt>
-    <dd>A vendor of routers, hubs and related products, now a subsidiary of
-      Nortel. Interoperation between their IPsec products and Linux FreeS/WAN
-      was problematic at last report; see our <a
-      href="interop.html#bay">interoperation</a> section.</dd>
-  <dt><a name="benchmarks">benchmarks</a></dt>
-    <dd>Our default block cipher, <a href="#3DES">triple DES</a>, is slower
-      than many alternate ciphers that might be used. Speeds achieved,
-      however, seem adequate for many purposes. For example, the assembler
-      code from the <a href="#LIBDES">LIBDES</a> library we use encrypts 1.6
-      megabytes per second on a Pentium 200, according to the test program
-      supplied with the library.
-      <p>For more detail, see our document on <a
-      href="performance.html">FreeS/WAN performance</a>.</p>
-    </dd>
-  <dt><a name="BIND">BIND</a></dt>
-    <dd><b>B</b>erkeley <b>I</b>nternet <b>N</b>ame <b>D</b>aemon, a widely
-      used implementation of <a href="#DNS">DNS</a> (Domain Name Service).
-      See our bibliography for a <a href="#DNS">useful reference</a>. See the
-      <a href="http://www.isc.org/bind.html">BIND home page</a> for more
-      information and the latest version.</dd>
-  <dt><a name="birthday">Birthday attack</a></dt>
-    <dd>A cryptographic attack based on the mathematics exemplified by the <a
-      href="#paradox">birthday paradox</a>. This math turns up whenever the
-      question of two cryptographic operations producing the same result
-      becomes an issue:
-      <ul>
-        <li><a href="#collision">collisions</a> in <a href="#digest">message
-          digest</a> functions.</li>
-        <li>identical output blocks from a <a href="#block">block
-        cipher</a></li>
-        <li>repetition of a challenge in a <a
-          href="#challenge">challenge-response</a> system</li>
-      </ul>
-      <p>Resisting such attacks is part of the motivation for:</p>
-      <ul>
-        <li>hash algorithms such as <a href="#SHA">SHA</a> and <a
-          href="#RIPEMD">RIPEMD-160</a> giving a 160-bit result rather than
-          the 128 bits of <a href="#MD4">MD4</a>, <a href="#MD5">MD5</a> and
-          <a href="#RIPEMD">RIPEMD-128</a>.</li>
-        <li><a href="#AES">AES</a> block ciphers using a 128-bit block
-          instead of the 64-bit block of most current ciphers</li>
-        <li><a href="#IPSEC">IPsec</a> using a 32-bit counter for packets
-          sent on an <a href="#auto">automatically keyed</a> <a
-          href="#SA">SA</a> and requiring that the connection always be
-          rekeyed before the counter overflows.</li>
-      </ul>
-    </dd>
-  <dt><a name="paradox">Birthday paradox</a></dt>
-    <dd>Not really a paradox, just a rather counter-intuitive mathematical
-      fact. In a group of 23 people, the chance of a least one pair having
-      the same birthday is over 50%.
-      <p>The second person has 1 chance in 365 (ignoring leap years) of
-      matching the first. If they don't match, the third person's chances of
-      matching one of them are 2/365. The 4th, 3/365, and so on. The total of
-      these chances grows more quickly than one might guess.</p>
-    </dd>
-  <dt><a name="block">Block cipher</a></dt>
-    <dd>A <a href="#symmetric">symmetric cipher</a> which operates on
-      fixed-size blocks of plaintext, giving a block of ciphertext for each.
-      Contrast with <a href="#stream"> stream cipher</a>. Block ciphers can
-      be used in various <a href="#mode">modes</a> when multiple block are to
-      be encrypted.
-      <p><a href="#DES">DES</a> is among the the best known and widely used
-      block ciphers, but is now obsolete. Its 56-bit key size makes it <a
-      href="#desnotsecure">highly insecure</a> today. <a href="#3DES">Triple
-      DES</a> is the default block cipher for <a href="#FreeSWAN">Linux
-      FreeS/WAN</a>.</p>
-      <p>The current generation of block ciphers -- such as <a
-      href="#Blowfish">Blowfish</a>, <a href="#CAST128">CAST-128</a> and <a
-      href="#IDEA">IDEA</a> -- all use 64-bit blocks and 128-bit keys. The
-      next generation, <a href="#AES">AES</a>, uses 128-bit blocks and
-      supports key sizes up to 256 bits.</p>
-      <p>The <a href="http://www.ii.uib.no/~larsr/bc.html"> Block Cipher
-      Lounge</a> web site has more information.</p>
-    </dd>
-  <dt><a name="Blowfish">Blowfish</a></dt>
-    <dd>A <a href="#block">block cipher</a> using 64-bit blocks and keys of
-      up to 448 bits, designed by <a href="#schneier">Bruce Schneier</a> and
-      used in several products.
-      <p>This is not required by the <a href="#IPSEC">IPsec</a> RFCs and not
-      currently used in <a href="#FreeSWAN">Linux FreeS/WAN</a>.</p>
-    </dd>
-  <dt><a name="brute">Brute force attack (exhaustive search)</a></dt>
-    <dd>Breaking a cipher by trying all possible keys. This is always
-      possible in theory (except against a <a href="#OTP">one-time pad</a>),
-      but it becomes practical only if the key size is inadequate. For an
-      important example, see our document on the <a
-      href="#desnotsecure">insecurity of DES</a> with its 56-bit key. For an
-      analysis of key sizes required to resist plausible brute force attacks,
-      see <a href="http://www.counterpane.com/keylength.html">this paper</a>.
-      <p>Longer keys protect against brute force attacks. Each extra bit in
-      the key doubles the number of possible keys and therefore doubles the
-      work a brute force attack must do. A large enough key defeats
-      <strong>any</strong> brute force attack.</p>
-      <p>For example, the EFF's <a href="#EFF">DES Cracker</a> searches a
-      56-bit key space in an average of a few days. Let us assume an attacker
-      that can find a 64-bit key (256 times harder) by brute force search in
-      a second (a few hundred thousand times faster). For a 96-bit key, that
-      attacker needs 2<sup>32</sup> seconds, about 135 years. Against a
-      128-bit key, he needs 2<sup>32</sup> times that, over 500,000,000,000
-      years. Your data is then obviously secure against brute force attacks.
-      Even if our estimate of the attacker's speed is off by a factor of a
-      million, it still takes him over 500,000 years to crack a message.</p>
-      <p>This is why</p>
-      <ul>
-        <li>single <a href="#DES">DES</a> is now considered <a
-          href="#desnotsecure">dangerously insecure</a></li>
-        <li>all of the current generation of <a href="#block">block
-          ciphers</a> use a 128-bit or longer key</li>
-        <li><a href="#AES">AES</a> ciphers support keysizes 128, 192 and 256
-          bits</li>
-        <li>any cipher we add to Linux FreeS/WAN will have <em>at least</em>
-          a 128-bit key</li>
-      </ul>
-      <p><strong>Cautions:</strong><br>
-      <em>Inadequate keylength always indicates a weak cipher</em> but it is
-      important to note that <em>adequate keylength does not necessarily
-      indicate a strong cipher</em>. There are many attacks other than brute
-      force, and adequate keylength <em>only</em> guarantees resistance to
-      brute force. Any cipher, whatever its key size, will be weak if design
-      or implementation flaws allow other attacks.</p>
-      <p>Also, <em>once you have adequate keylength</em> (somewhere around 90
-      or 100 bits), <em>adding more key bits make no practical
-      difference</em>, even against brute force. Consider our 128-bit example
-      above that takes 500,000,000,000 years to break by brute force. We
-      really don't care how many zeroes there are on the end of that, as long
-      as the number remains ridiculously large. That is, we don't care
-      exactly how large the key is as long as it is large enough.</p>
-      <p>There may be reasons of convenience in the design of the cipher to
-      support larger keys. For example <a href="#Blowfish">Blowfish</a>
-      allows up to 448 bits and <a href="#RC4">RC4</a> up to 2048, but beyond
-      100-odd bits it makes no difference to practical security.</p>
-    </dd>
-  <dt>Bureau of Export Administration</dt>
-    <dd>see <a href="#BXA">BXA</a></dd>
-  <dt><a name="BXA">BXA</a></dt>
-    <dd>The US Commerce Department's <b>B</b>ureau of E<b>x</b>port
-      <b>A</b>dministration which administers the <a href="#EAR">EAR</a>
-      Export Administration Regulations controling the export of, among other
-      things, cryptography.</dd>
-  <dt><a name="C">C</a></dt>
-  <dt><a name="CA">CA</a></dt>
-    <dd><b>C</b>ertification <b>A</b>uthority, an entity in a <a
-      href="#PKI">public key infrastructure</a> that can certify keys by
-      signing them. Usually CAs form a hierarchy. The top of this hierarchy
-      is called the <a href="#rootCA">root CA</a>.
-      <p>See <a href="#web">Web of Trust</a> for an alternate model.</p>
-    </dd>
-  <dt><a name="CAST128">CAST-128</a></dt>
-    <dd>A <a href="#block">block cipher</a> using 64-bit blocks and 128-bit
-      keys, described in RFC 2144 and used in products such as <a
-      href="#Entrust">Entrust</a> and recent versions of <a
-      href="#PGP">PGP</a>.
-      <p>This is not required by the <a href="#IPSEC">IPsec</a> RFCs and not
-      currently used in <a href="#FreeSWAN">Linux FreeS/WAN</a>.</p>
-    </dd>
-  <dt>CAST-256</dt>
-    <dd><a href="#Entrust">Entrust</a>'s candidate cipher for the <a
-      href="#AES">AES standard</a>, largely based on the <a
-      href="#CAST128">CAST-128</a> design.</dd>
-  <dt><a name="CBC">CBC mode</a></dt>
-    <dd><b>C</b>ipher <b>B</b>lock <b>C</b>haining <a href="#mode">mode</a>,
-      a method of using a <a href="#block">block cipher</a> in which for each
-      block except the first, the result of the previous encryption is XORed
-      into the new block before it is encrypted. CBC is the mode used in <a
-      href="#IPSEC">IPsec</a>.
-      <p>An <a href="#IV">initialisation vector</a> (IV) must be provided. It
-      is XORed into the first block before encryption. The IV need not be
-      secret but should be different for each message and unpredictable.</p>
-    </dd>
-  <dt><a name="CIDR">CIDR</a></dt>
-    <dd><b>C</b>lassless <b>I</b>nter-<b>D</b>omain <b>R</b>outing,
-      an addressing scheme used to describe networks not
-      restricted to the old Class A, B, and C sizes.
-      A CIDR block is written
-      <VAR>address</VAR>/<VAR>mask</VAR>, where <VAR>address</VAR> is 
-      a 32-bit Internet address. 
-      The first <VAR>mask</VAR> bits of <VAR>address</VAR>
-      are part of the gateway address, while the remaining bits designate
-      other host addresses.
-      For example, the CIDR block 192.0.2.96/27 describes a network with 
-      gateway 
-      192.0.2.96, hosts 192.0.2.96 through 192.0.2.126 and broadcast 
-      192.0.2.127.
-      <p>FreeS/WAN policy group files accept CIDR blocks of the format
-      <VAR>address</VAR>/[<VAR>mask</VAR>], where <VAR>address</VAR> may
-      take the form <VAR>name.domain.tld</VAR>. An absent <VAR>mask</VAR>
-      is assumed to be /32.
-      </p> 
-    </dd>
-
-  <dt>Certification Authority</dt>
-    <dd>see <a href="#CA">CA</a></dd>
-  <dt><a name="challenge">Challenge-response authentication</a></dt>
-    <dd>An <a href="#authentication">authentication</a> system in which one
-      player generates a <a href="#random">random number</a>, encrypts it and
-      sends the result as a challenge. The other player decrypts and sends
-      back the result. If the result is correct, that proves to the first
-      player that the second player knew the appropriate secret, required for
-      the decryption. Variations on this technique exist using <a
-      href="#public">public key</a> or <a href="#symmetric">symmetric</a>
-      cryptography. Some provide two-way authentication, assuring each player
-      of the other's identity.
-      <p>This is more secure than passwords against two simple attacks:</p>
-      <ul>
-        <li>If cleartext passwords are sent across the wire (e.g. for
-          telnet), an eavesdropper can grab them. The attacker may even be
-          able to break into other systems if the user has chosen the same
-          password for them.</li>
-        <li>If an encrypted password is sent, an attacker can record the
-          encrypted form and use it later. This is called a replay
-        attack.</li>
-      </ul>
-      <p>A challenge-response system never sends a password, either cleartext
-      or encrypted.  An attacker cannot record the response to one challenge
-      and use it as a response to a later challenge. The random number is
-      different each time.</p>
-      <p>Of course an attacker might still try to break the cryptographic
-      algorithm used, or the <a href="#random">random number</a>
-      generator.</p>
-    </dd>
-  <dt><a name="mode">Cipher Modes</a></dt>
-    <dd>Different ways of using a block cipher when encrypting multiple
-      blocks.
-      <p>Four standard modes were defined for <a href="#DES">DES</a> in <a
-      href="#FIPS">FIPS</a> 81. They can actually be applied with any block
-      cipher.</p>
-
-      <table>
-        <tbody>
-          <tr>
-            <td></td>
-            <td><a href="#ECB">ECB</a></td>
-            <td>Electronic CodeBook</td>
-            <td>encrypt each block independently</td>
-          </tr>
-          <tr>
-            <td></td>
-            <td><a href="#CBC">CBC</a></td>
-            <td>Cipher Block Chaining<br>
-            </td>
-            <td>XOR previous block ciphertext into new block plaintext before
-              encrypting new block</td>
-          </tr>
-          <tr>
-            <td></td>
-            <td>CFB</td>
-            <td>Cipher FeedBack</td>
-            <td></td>
-          </tr>
-          <tr>
-            <td></td>
-            <td>OFB</td>
-            <td>Output FeedBack</td>
-            <td></td>
-          </tr>
-        </tbody>
-      </table>
-      <p><a href="#IPSEC">IPsec</a> uses <a href="#CBC">CBC</a> mode since
-      this is only marginally slower than <a href="#ECB">ECB</a> and is more
-      secure. In ECB mode the same plaintext always encrypts to the same
-      ciphertext, unless the key is changed. In CBC mode, this does not
-      occur.</p>
-      <p>Various other modes are also possible, but none of them are used in
-      IPsec.</p>
-    </dd>
-  <dt><a name="ciphertext">Ciphertext</a></dt>
-    <dd>The encrypted output of a cipher, as opposed to the unencrypted <a
-      href="#plaintext">plaintext</a> input.</dd>
-  <dt><a href="http://www.cisco.com">Cisco</a></dt>
-    <dd>A vendor of routers, hubs and related products. Their IPsec products
-      interoperate with Linux FreeS/WAN; see our <a
-      href="interop.html#Cisco">interop</a> section.</dd>
-  <dt><a name="client">Client</a></dt>
-    <dd>This term has at least two distinct uses in discussing IPsec:
-      <ul>
-        <li>The <strong>clients of an IPsec gateway</strong> are the machines
-          it protects, typically on one or more subnets behind the gateway.
-          In this usage, all the machines on an office network are clients of
-          that office's IPsec gateway. Laptop or home machines connecting to
-          the office, however, are <em>not</em> clients of that gateway. They
-          are remote gateways, running the other end of an IPsec connection.
-          Each of them is also its own client.</li>
-        <li><strong>IPsec client software</strong> is used to describe
-          software which runs on various standalone machines to let them
-          connect to IPsec networks. In this usage, a laptop or home machine
-          connecting to the office is a client, and the office gateway is the
-          server.</li>
-      </ul>
-      <p>We generally use the term in the first sense. Vendors of Windows
-      IPsec solutions often use it in the second. See this <a
-      href="interop.html#client.server">discussion</a>.</p>
-    </dd>
-  <dt><a name="cc">Common Criteria</a></dt>
-    <dd>A set of international security classifications which are replacing
-      the old US <a href="#rainbow">Rainbow Book</a> standards and similar
-      standards in other countries.
-      <p>Web references include this <a href="http://csrc.nist.gov/cc">US
-      government site</a> and this <a
-      href="http://www.commoncriteria.org">global home page</a>.</p>
-    </dd>
-  <dt>Conventional cryptography</dt>
-    <dd>See <a href="#symmetric">symmetric cryptography</a></dd>
-  <dt><a name="collision">Collision resistance</a></dt>
-    <dd>The property of a <a href="#digest">message digest</a> algorithm
-      which makes it hard for an attacker to find or construct two inputs
-      which hash to the same output.</dd>
-  <dt>Copyleft</dt>
-    <dd>see GNU <a href="#GPL">General Public License</a></dd>
-  <dt><a name="CSE">CSE</a></dt>
-    <dd><a href="http://www.cse-cst.gc.ca/">Communications Security
-      Establishment</a>, the Canadian organisation for <a
-      href="#SIGINT">signals intelligence</a>.</dd>
-  <dt><a name="D">D</a></dt>
-  <dt><a name="DARPA">DARPA (sometimes just ARPA)</a></dt>
-    <dd>The US government's <b>D</b>efense <b>A</b>dvanced <b>R</b>esearch
-      <b>P</b>rojects <b>A</b>gency. Projects they have funded over the years
-      have included the Arpanet which evolved into the Internet, the TCP/IP
-      protocol suite (as a replacement for the original Arpanet suite), the
-      Berkeley 4.x BSD Unix projects, and <a href="#SDNS">Secure DNS</a>.
-      <p>For current information, see their <a
-      href="http://www.darpa.mil/ito">web site</a>.</p>
-    </dd>
-  <dt><a name="DOS">Denial of service (DoS) attack</a></dt>
-    <dd>An attack that aims at denying some service to legitimate users of a
-      system, rather than providing a service to the attacker.
-      <ul>
-        <li>One variant is a flooding attack, overwhelming the system with
-          too many packets, to much email, or whatever.</li>
-        <li>A closely related variant is a resource exhaustion attack. For
-          example, consider a "TCP SYN flood" attack. Setting up a TCP
-          connection involves a three-packet exchange:
-          <ul>
-            <li>Initiator: Connection please (SYN)</li>
-            <li>Responder: OK (ACK)</li>
-            <li>Initiator: OK here too</li>
-          </ul>
-          <p>If the attacker puts bogus source information in the first
-          packet, such that the second is never delivered, the responder may
-          wait a long time for the third to come back. If responder has
-          already allocated memory for the connection data structures, and if
-          many of these bogus packets arrive, the responder may run out of
-          memory.</p>
-        </li>
-        <li>Another variant is to feed the system undigestible data, hoping
-          to make it sick. For example, IP packets are limited in size to 64K
-          bytes and a fragment carries information on where it starts within
-          that 64K and how long it is. The "ping of death" delivers fragments
-          that say, for example, that they start at 60K and are 20K long.
-          Attempting to re-assemble these without checking for overflow can
-          be fatal.</li>
-      </ul>
-      <p>The two example attacks discussed were both quite effective when
-      first discovered, capable of crashing or disabling many operating
-      systems. They were also well-publicised, and today far fewer systems
-      are vulnerable to them.</p>
-    </dd>
-  <dt><a name="DES">DES</a></dt>
-    <dd>The <b>D</b>ata <b>E</b>ncryption <b>S</b>tandard, a <a
-      href="#block">block cipher</a> with 64-bit blocks and a 56-bit key.
-      Probably the most widely used <a href="#symmetric">symmetric cipher</a>
-      ever devised. DES has been a US government standard for their own use
-      (only for unclassified data), and for some regulated industries such as
-      banking, since the late 70's. It is now being replaced by <a
-      href="#AES">AES</a>.
-      <p><a href="politics.html#desnotsecure">DES is seriously insecure
-      against current attacks.</a></p>
-      <p><a href="#FreeSWAN">Linux FreeS/WAN</a> does not include DES, even
-      though the RFCs specify it. <b>We strongly recommend that single DES
-      not be used.</b></p>
-      <p>See also <a href="#3DES">3DES</a> and <a href="#DESX">DESX</a>,
-      stronger ciphers based on DES.</p>
-    </dd>
-  <dt><a name="DESX">DESX</a></dt>
-    <dd>An improved <a href="#DES">DES</a> suggested by Ron Rivest of RSA
-      Data Security. It XORs extra key material into the text before and
-      after applying the DES cipher.
-      <p>This is not required by the <a href="#IPSEC">IPsec</a> RFCs and not
-      currently used in <a href="#FreeSWAN">Linux FreeS/WAN</a>. DESX would
-      be the easiest additional transform to add; there would be very little
-      code to write. It would be much faster than 3DES and almost certainly
-      more secure than DES. However, since it is not in the RFCs other IPsec
-      implementations cannot be expected to have it.</p>
-    </dd>
-  <dt>DH</dt>
-    <dd>see <a href="#DH">Diffie-Hellman</a></dd>
-  <dt><a name="DHCP">DHCP</a></dt>
-    <dd><strong>D</strong>ynamic <strong>H</strong>ost
-      <strong>C</strong>onfiguration <strong>P</strong>rotocol, a method of
-      assigning <a href="#dynamic">dynamic IP addresses</a>, and providing
-      additional information such as addresses of DNS servers and of
-      gateways. See this <a href="http://www.dhcp.org">DHCP resource
-    page.</a></dd>
-  <dt><a name="DH">Diffie-Hellman (DH) key exchange protocol</a></dt>
-    <dd>A protocol that allows two parties without any initial shared secret
-      to create one in a manner immune to eavesdropping. Once they have done
-      this, they can communicate privately by using that shared secret as a
-      key for a block cipher or as the basis for key exchange.
-      <p>The protocol is secure against all <a href="#passive">passive
-      attacks</a>, but it is not at all resistant to active <a
-      href="#middle">man-in-the-middle attacks</a>. If a third party can
-      impersonate Bob to Alice and vice versa, then no useful secret can be
-      created. Authentication of the participants is a prerequisite for safe
-      Diffie-Hellman key exchange. IPsec can use any of several <a
-      href="#authentication">authentication</a> mechanisims. Those supported
-      by FreeS/WAN are discussed in our <a
-      href="config.html#choose">configuration</a> section.</p>
-      <p>The Diffie-Hellman key exchange is based on the <a
-      href="#dlog">discrete logarithm</a> problem and is secure unless
-      someone finds an efficient solution to that problem.</p>
-      <p>Given a prime <var>p</var> and generator <var>g</var> (explained
-      under <a href="#dlog">discrete log</a> below), Alice:</p>
-      <ul>
-        <li>generates a random number <var>a</var></li>
-        <li>calculates <var>A = g^a modulo p</var></li>
-        <li>sends <var>A</var> to Bob</li>
-      </ul>
-      <p>Meanwhile Bob:</p>
-      <ul>
-        <li>generates a random number <var>b</var></li>
-        <li>calculates <var>B = g^b modulo p</var></li>
-        <li>sends <var>B</var> to Alice</li>
-      </ul>
-      <p>Now Alice and Bob can both calculate the shared secret <var>s =
-      g^(ab)</var>. Alice knows <var>a</var> and <var>B</var>, so she
-      calculates <var>s = B^a</var>. Bob knows <var>A</var> and <var>b</var>
-      so he calculates <var>s = A^b</var>.</p>
-      <p>An eavesdropper will know <var>p</var> and <var>g</var> since these
-      are made public, and can intercept <var>A</var> and <var>B</var> but,
-      short of solving the <a href="#dlog">discrete log</a> problem, these do
-      not let him or her discover the secret <var>s</var>.</p>
-    </dd>
-  <dt><a name="signature">Digital signature</a></dt>
-    <dd>Sender:
-      <ul>
-        <li>calculates a <a href="#digest">message digest</a> of a
-        document</li>
-        <li>encrypts the digest with his or her private key, using some <a
-          href="#public">public key cryptosystem</a>.</li>
-        <li>attaches the encrypted digest to the document as a signature</li>
-      </ul>
-      <p>Receiver:</p>
-      <ul>
-        <li>calculates a digest of the document (not including the
-        signature)</li>
-        <li>decrypts the signature with the signer's public key</li>
-        <li>verifies that the two results are identical</li>
-      </ul>
-      <p>If the public-key system is secure and the verification succeeds,
-      then the receiver knows</p>
-      <ul>
-        <li>that the document was not altered between signing and
-        verification</li>
-        <li>that the signer had access to the private key</li>
-      </ul>
-      <p>Such an encrypted message digest can be treated as a signature since
-      it cannot be created without <em>both</em> the document <em>and</em>
-      the private key which only the sender should possess. The <a
-      href="web.html#legal">legal issues</a> are complex, but several
-      countries are moving in the direction of legal recognition for digital
-      signatures.</p>
-    </dd>
-  <dt><a name="dlog">discrete logarithm problem</a></dt>
-    <dd>The problem of finding logarithms in a finite field. Given a field
-      defintion (such definitions always include some operation analogous to
-      multiplication) and two numbers, a base and a target, find the power
-      which the base must be raised to in order to yield the target.
-      <p>The discrete log problem is the basis of several cryptographic
-      systems, including the <a href="#DH">Diffie-Hellman</a> key exchange
-      used in the <a href="#IKE">IKE</a> protocol. The useful property is
-      that exponentiation is relatively easy but the inverse operation,
-      finding the logarithm, is hard. The cryptosystems are designed so that
-      the user does only easy operations (exponentiation in the field) but an
-      attacker must solve the hard problem (discrete log) to crack the
-      system.</p>
-      <p>There are several variants of the problem for different types of
-      field. The IKE/Oakley key determination protocol uses two variants,
-      either over a field modulo a prime or over a field defined by an
-      elliptic curve. We give an example modulo a prime below. For the
-      elliptic curve version, consult an advanced text such as <a
-      href="biblio.html#handbook">Handbook of Applied Cryptography</a>.</p>
-      <p>Given a prime <var>p</var>, a generator <var>g</var> for the field
-      modulo that prime, and a number <var>x</var> in the field, the problem
-      is to find <var>y</var> such that <var>g^y = x</var>.</p>
-      <p>For example, let p = 13. The field is then the integers from 0 to
-      12. Any integer equals one of these modulo 13. That is, the remainder
-      when any integer is divided by 13 must be one of these.</p>
-      <p>2 is a generator for this field.  That is, the powers of two modulo
-      13 run through all the non-zero numbers in the field. Modulo 13 we
-      have:</p>
-      <pre>          y      x
-        2^0  ==  1
-        2^1  ==  2
-        2^2  ==  4
-        2^3  ==  8
-        2^4  ==  3 that is, the remainder from 16/13 is 3
-        2^5  ==  6          the remainder from 32/13 is 6
-        2^6  == 12 and so on
-        2^7  == 11
-        2^8  ==  9
-        2^9  ==  5
-        2^10 == 10
-        2^11 ==  7
-        2^12 ==  1</pre>
-      <p>Exponentiation in such a field is not difficult. Given, say,
-      <nobr><var>y = 11</var>,</nobr>calculating <nobr><var>x =
-      7</var></nobr>is straightforward. One method is just to calculate
-      <nobr><var>2^11 = 2048</var>,</nobr>then <nobr><var>2048 mod 13 ==
-      7</var>.</nobr>When the field is modulo a large prime (say a few 100
-      digits) you need a silghtly cleverer method and even that is moderately
-      expensive in computer time, but the calculation is still not
-      problematic in any basic way.</p>
-      <p>The discrete log problem is the reverse. In our example, given
-      <nobr><var>x = 7</var>,</nobr>find the logarithm <nobr><var>y =
-      11</var>.</nobr>When the field is modulo a large prime (or is based on
-      a suitable elliptic curve), this is indeed problematic. No solution
-      method that is not catastrophically expensive is known. Quite a few
-      mathematicians have tackled this problem. No efficient method has been
-      found and mathematicians do not expect that one will be. It seems
-      likely no efficient solution to either of the main variants the
-      discrete log problem exists.</p>
-      <p>Note, however, that no-one has proven such methods do not exist. If
-      a solution to either variant were found, the security of any crypto
-      system using that variant would be destroyed.  This is one reason <a
-      href="#IKE">IKE</a> supports two variants. If one is broken, we can
-      switch to the other.</p>
-    </dd>
-  <dt><a name="discretionary">discretionary access control</a></dt>
-    <dd>access control mechanisms controlled by the user, for example Unix
-      rwx file permissions. These contrast with <a
-      href="#mandatory">mandatory access controls</a>.</dd>
-  <dt><a name="DNS">DNS</a></dt>
-    <dd><b>D</b>omain <b>N</b>ame <b>S</b>ervice, a distributed database
-      through which names are associated with numeric addresses and other
-      information in the Internet Protocol Suite. See also the <a
-      href="background.html#dns.background">DNS background</a> section of our
-      documentation.</dd>
-  <dt>DOS attack</dt>
-    <dd>see <a href="#DOS">Denial Of Service</a> attack</dd>
-  <dt><a name="dynamic">dynamic IP address</a></dt>
-    <dd>an IP address which is automatically assigned, either by <a
-      href="#DHCP">DHCP</a> or by some protocol such as <a
-      href="#PPP">PPP</a> or <a href="#PPPoE">PPPoE</a> which the machine
-      uses to connect to the Internet. This is the opposite of a <a
-      href="#static">static IP address</a>, pre-set on the machine
-    itself.</dd>
-  <dt><a name="E">E</a></dt>
-  <dt><a name="EAR">EAR</a></dt>
-    <dd>The US government's <b>E</b>xport <b>A</b>dministration
-      <b>R</b>egulations, administered by the <a href="#BXA">Bureau of Export
-      Administration</a>. These have replaced the earlier <a
-      href="#ITAR">ITAR</a> regulations as the controls on export of
-      cryptography.</dd>
-  <dt><a name="ECB">ECB mode</a></dt>
-    <dd><b>E</b>lectronic <b>C</b>ode<b>B</b>ook mode, the simplest way to
-      use a block cipher. See <a href="#mode">Cipher Modes</a>.</dd>
-  <dt><a name="EDE">EDE</a></dt>
-    <dd>The sequence of operations normally used in either the three-key
-      variant of <a href="#3DES">triple DES</a> used in <a
-      href="#IPSEC">IPsec</a> or the <a href="#2key">two-key</a> variant used
-      in some other systems.
-      <p>The sequence is:</p>
-      <ul>
-        <li><b>E</b>ncrypt with key1</li>
-        <li><b>D</b>ecrypt with key2</li>
-        <li><b>E</b>ncrypt with key3</li>
-      </ul>
-      <p>For the two-key version, key1=key3.</p>
-      <p>The "advantage" of this EDE order of operations is that it makes it
-      simple to interoperate with older devices offering only single DES. Set
-      key1=key2=key3 and you have the worst of both worlds, the overhead of
-      triple DES with the "security" of single DES. Since both the <a
-      href="politics.html#desnotsecure">security of single DES</a> and the
-      overheads of triple DES are seriously inferior to many other ciphers,
-      this is a spectacularly dubious "advantage".</p>
-    </dd>
-  <dt><a name="Entrust">Entrust</a></dt>
-    <dd>A Canadian company offerring enterprise <a href="#PKI">PKI</a>
-      products using <a href="#CAST128">CAST-128</a> symmetric crypto, <a
-      href="#RSA">RSA</a> public key and <a href="#X509">X.509</a>
-      directories. <a href="http://www.entrust.com">Web site</a></dd>
-  <dt><a name="EFF">EFF</a></dt>
-    <dd><a href="http://www.eff.org">Electronic Frontier Foundation</a>, an
-      advocacy group for civil rights in cyberspace.</dd>
-  <dt><a name="encryption">Encryption</a></dt>
-    <dd>Techniques for converting a readable message (<a
-      href="#plaintext">plaintext</a>) into apparently random material (<a
-      href="#ciphertext">ciphertext</a>) which cannot be read if intercepted.
-      A key is required to read the message.
-      <p>Major variants include <a href="#symmetric">symmetric</a> encryption
-      in which sender and receiver use the same secret key and <a
-      href="#public">public key</a> methods in which the sender uses one of a
-      matched pair of keys and the receiver uses the other. Many current
-      systems, including <a href="#IPSEC">IPsec</a>, are <a
-      href="#hybrid">hybrids</a> combining the two techniques.</p>
-    </dd>
-  <dt><a name="ESP">ESP</a></dt>
-    <dd><b>E</b>ncapsulated <b>S</b>ecurity <b>P</b>ayload, the <a
-      href="#IPSEC">IPsec</a> protocol which provides <a
-      href="#encryption">encryption</a>. It can also provide <a
-      href="#authentication">authentication</a> service and may be used with
-      null encryption (which we do not recommend). For details see our <a
-      href="ipsec.html#ESP.ipsec">IPsec</a> document and/or RFC 2406.</dd>
-  <dt><a name="#extruded">Extruded subnet</a></dt>
-    <dd>A situation in which something IP sees as one network is actually in
-      two or more places.
-      <p>For example, the Internet may route all traffic for a particular
-      company to that firm's corporate gateway. It then becomes the company's
-      problem to get packets to various machines on their <a
-      href="#subnet">subnets</a> in various departments. They may decide to
-      treat a branch office like a subnet, giving it IP addresses "on" their
-      corporate net. This becomes an extruded subnet.</p>
-      <p>Packets bound for it are delivered to the corporate gateway, since
-      as far as the outside world is concerned, that subnet is part of the
-      corporate network. However, instead of going onto the corporate LAN (as
-      they would for, say, the accounting department) they are then
-      encapsulated and sent back onto the Internet for delivery to the branch
-      office.</p>
-      <p>For information on doing this with Linux FreeS/WAN, look in our <a
-      href="adv_config.html#extruded.config">advanced configuration</a>
-      section.</p>
-    </dd>
-  <dt>Exhaustive search</dt>
-    <dd>See <a href="#brute">brute force attack</a>.</dd>
-  <dt><a name="F">F</a></dt>
-  <dt><a name="FIPS">FIPS</a></dt>
-    <dd><b>F</b>ederal <b>I</b>nformation <b>P</b>rocessing <b>S</b>tandard,
-      the US government's standards for products it buys. These are issued by
-      <a href="#NIST">NIST</a>. Among other things, <a href="#DES">DES</a>
-      and <a href="#SHA">SHA</a> are defined in FIPS documents. NIST have a
-      <a href="http://www.itl.nist.gov/div897/pubs">FIPS home page</a>.</dd>
-  <dt><a name="FSF">Free Software Foundation (FSF)</a></dt>
-    <dd>An organisation to promote free software, free in the sense of these
-      quotes from their web pages</dd>
-    <dd>
-      <blockquote>
-        "Free software" is a matter of liberty, not price. To understand the
-        concept, you should think of "free speech", not "free beer."
-        <p>"Free software" refers to the users' freedom to run, copy,
-        distribute, study, change and improve the software.</p>
-      </blockquote>
-      <p>See also <a href="#GNU">GNU</a>, <a href="#GPL">GNU General Public
-      License</a>, and <a href="http://www.fsf.org">the FSF site</a>.</p>
-    </dd>
-  <dt>FreeS/WAN</dt>
-    <dd>see <a href="#FreeSWAN">Linux FreeS/WAN</a></dd>
-  <dt><a name="fullnet">Fullnet</A></dt>
-    <dd>The CIDR block containing all IPs of its IP version. 
-    The <A HREF="#IPv4">IPv4</A> fullnet is written 0.0.0.0/0. 
-    Also known as "all" and "default",
-    fullnet may be used in a routing table 
-    to specify a default route, 
-    and in a FreeS/WAN 
-    <A HREF="policygroups.html#policygroups">policy group</A> file to 
-    specify a default IPsec policy.</dd>
-  <dt>FSF</dt>
-    <dd>see <a href="#FSF">Free software Foundation</a></dd>
-  <dt><a name="G">G</a></dt>
-  <dt><a name="GCHQ">GCHQ</a></dt>
-    <dd><a href="http://www.gchq.gov.uk">Government Communications
-      Headquarters</a>, the British organisation for <a
-      href="#SIGINT">signals intelligence</a>.</dd>
-  <dt>generator of a prime field</dt>
-    <dd>see <a href="#dlog">discrete logarithm problem</a></dd>
-  <dt><a name="GILC">GILC</a></dt>
-    <dd><a href="http://www.gilc.org">Global Internet Liberty Campaign</a>,
-      an international organisation advocating, among other things, free
-      availability of cryptography. They have a <a
-      href="http://www.gilc.org/crypto/wassenaar">campaign</a> to remove
-      cryptographic software from the <a href="#Wassenaar.gloss">Wassenaar
-      Arrangement</a>.</dd>
-  <dt>Global Internet Liberty Campaign</dt>
-    <dd>see <a href="#GILC">GILC</a>.</dd>
-  <dt><a name="GTR">Global Trust Register</a></dt>
-    <dd>An attempt to create something like a <a href="#rootCA">root CA</a>
-      for <a href="#PGP">PGP</a> by publishing both <a
-      href="biblio.html#GTR">as a book</a> and <a
-      href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register"> on the
-      web</a> the fingerprints of a set of verified keys for well-known users
-      and organisations.</dd>
-  <dt><a name="GMP">GMP</a></dt>
-    <dd>The <b>G</b>NU <b>M</b>ulti-<b>P</b>recision library code, used in <a
-      href="#FreeSWAN">Linux FreeS/WAN</a> by <a href="#Pluto">Pluto</a> for
-      <a href="#public">public key</a> calculations. See the <a
-      href="http://www.swox.com/gmp">GMP  home page</a>.</dd>
-  <dt><a name="GNU">GNU</a></dt>
-    <dd><b>G</b>NU's <b>N</b>ot <b>U</b>nix, the <a href="#FSF">Free Software
-      Foundation's</a> project aimed at creating a free system with at least
-      the capabilities of Unix. <a href="#Linux">Linux</a> uses GNU utilities
-      extensively.</dd>
-  <dt><a name="#GOST">GOST</a></dt>
-    <dd>a Soviet government standard <a href="#block">block cipher</a>. <a
-      href="biblio.html#schneier">Applied Cryptography</a> has details.</dd>
-  <dt>GPG</dt>
-    <dd>see <a href="#GPG">GNU Privacy Guard</a></dd>
-  <dt><a name="GPL">GNU General Public License</a>(GPL, copyleft)</dt>
-    <dd>The license developed by the <a href="#FSF">Free Software
-      Foundation</a> under which <a href="#Linux">Linux</a>, <a
-      href="#FreeSWAN">Linux FreeS/WAN</a> and many other pieces of software
-      are distributed. The license allows anyone to redistribute and modify
-      the code, but forbids anyone from distributing executables without
-      providing access to source code. For more details see the file <a
-      href="../COPYING">COPYING</a> included with GPLed source distributions,
-      including ours, or <a href="http://www.fsf.org/copyleft/gpl.html"> the
-      GNU site's GPL page</a>.</dd>
-  <dt><a name="GPG">GNU Privacy Guard</a></dt>
-    <dd>An open source implementation of Open <a href="#PGP">PGP</a> as
-      defined in RFC 2440. See their <a href="http://www.gnupg.org">web
-      site</a></dd>
-  <dt>GPL</dt>
-    <dd>see <a href="#GPL">GNU General Public License</a>.</dd>
-  <dt><a name="H">H</a></dt>
-  <dt><a name="hash">Hash</a></dt>
-    <dd>see <a href="#digest">message digest</a></dd>
-  <dt><a name="HMAC">Hashed Message Authentication Code (HMAC)</a></dt>
-    <dd>using keyed <a href="#digest">message digest</a> functions to
-      authenticate a message. This differs from other uses of these functions:
-      <ul>
-        <li>In normal usage, the hash function's internal variable are
-          initialised in some standard way. Anyone can reproduce the hash to
-          check that the message has not been altered.</li>
-        <li>For HMAC usage, you initialise the internal variables from the
-          key. Only someone with the key can reproduce the hash. A successful
-          check of the hash indicates not only that the message is unchanged
-          but also that the creator knew the key.</li>
-      </ul>
-      <p>The exact techniques used in <a href="#IPSEC">IPsec</a> are defined
-      in RFC 2104. They are referred to as HMAC-MD5-96 and HMAC-SHA-96
-      because they output only 96 bits of the hash. This makes some attacks
-      on the hash functions harder.</p>
-    </dd>
-  <dt>HMAC</dt>
-    <dd>see <a href="#HMAC">Hashed Message Authentication Code</a></dd>
-  <dt>HMAC-MD5-96</dt>
-    <dd>see <a href="#HMAC">Hashed Message Authentication Code</a></dd>
-  <dt>HMAC-SHA-96</dt>
-    <dd>see <a href="#HMAC">Hashed Message Authentication Code</a></dd>
-  <dt><a name="hybrid">Hybrid cryptosystem</a></dt>
-    <dd>A system using both <a href="#public">public key</a> and <a
-      href="#symmetric">symmetric cipher</a> techniques. This works well.
-      Public key methods provide key management and <a
-      href="#signature">digital signature</a> facilities which are not
-      readily available using symmetric ciphers. The symmetric cipher,
-      however, can do the bulk of the encryption work much more efficiently
-      than public key methods.</dd>
-  <dt><a name="I">I</a></dt>
-  <dt><a name="IAB">IAB</a></dt>
-    <dd><a href="http://www.iab.org/iab">Internet Architecture Board</a>.</dd>
-  <dt><a name="ICMP.gloss">ICMP</a></dt>
-    <dd><strong>I</strong>nternet <strong>C</strong>ontrol
-      <strong>M</strong>essage <strong>P</strong>rotocol. This is used for
-      various IP-connected devices to manage the network.</dd>
-  <dt><a name="IDEA">IDEA</a></dt>
-    <dd><b>I</b>nternational <b>D</b>ata <b>E</b>ncrypion <b>A</b>lgorithm,
-      developed in Europe as an alternative to exportable American ciphers
-      such as <a href="#DES">DES</a> which were <a href="#desnotsecure">too
-      weak for serious use</a>. IDEA is a <a href="#block">block cipher</a>
-      using 64-bit blocks and 128-bit keys, and is used in products such as
-      <a href="#PGP">PGP</a>.
-      <p>IDEA is not required by the <a href="#IPSEC">IPsec</a> RFCs and not
-      currently used in <a href="#FreeSWAN">Linux FreeS/WAN</a>.</p>
-      <p>IDEA is patented and, with strictly limited exceptions for personal
-      use, using it requires a license from <a
-      href="http://www.ascom.com">Ascom</a>.</p>
-    </dd>
-  <dt><a name="IEEE">IEEE</a></dt>
-    <dd><a href="http://www.ieee.org">Institute of Electrical and Electronic
-      Engineers</a>, a professional association which, among other things,
-      sets some technical standards</dd>
-  <dt><a name="IESG">IESG</a></dt>
-    <dd><a href="http://www.iesg.org">Internet Engineering Steering
-    Group</a>.</dd>
-  <dt><a name="IETF">IETF</a></dt>
-    <dd><a href="http://www.ietf.org">Internet Engineering Task Force</a>,
-      the umbrella organisation whose various working groups make most of the
-      technical decisions for the Internet. The IETF <a
-      href="http://www.ietf.org/html.charters/ipsec-charter.html"> IPsec
-      working group</a> wrote the <a href="#RFC">RFCs</a> we are
-    implementing.</dd>
-  <dt><a name="IKE">IKE</a></dt>
-    <dd><b>I</b>nternet <b>K</b>ey <b>E</b>xchange, based on the <a
-      href="#DH">Diffie-Hellman</a> key exchange protocol. For details, see
-      RFC 2409 and our <a href="ipsec.html">IPsec</a> document. IKE is
-      implemented in <a href="#FreeSWAN">Linux FreeS/WAN</a> by the <a
-      href="#Pluto">Pluto daemon</a>.</dd>
-  <dt>IKE v2</dt>
-    <dd>A proposed replacement for <a href="#IKE">IKE</a>. There are other
-      candidates, such as <a href="#JFK">JFK</a>, and at time of writing
-      (March 2002) the choice between them has not yet been made and does not
-      appear imminent.</dd>
-  <dt><a name="iOE">iOE</a></dt>
-    <dd>See <A HREF="#initiate-only">Initiate-only opportunistic 
-     encryption</A>.</dd>
-  <dt><a name="IP">IP</a></dt>
-    <dd><b>I</b>nternet <b>P</b>rotocol.</dd>
-  <dt><a name="masq">IP masquerade</a></dt>
-    <dd>A mostly obsolete term for a method of allowing multiple machines to
-      communicate over the Internet when only one IP address is available for
-      their use. The more current term is Network Address Translation or <a
-      href="#NAT.gloss">NAT</a>.</dd>
-  <dt><a name="IPng">IPng</a></dt>
-    <dd>"IP the Next Generation", see <a href="#ipv6.gloss">IPv6</a>.</dd>
-  <dt><a name="IPv4">IPv4</a></dt>
-    <dd>The current version of the <a href="#IP">Internet protocol
-    suite</a>.</dd>
-  <dt><a name="ipv6.gloss">IPv6 (IPng)</a></dt>
-    <dd>Version six of the <a href="#IP">Internet protocol suite</a>,
-      currently being developed. It will replace the current <a
-      href="#IPv4">version four</a>. IPv6 has <a href="#IPSEC">IPsec</a> as a
-      mandatory component.
-      <p>See this <a
-      href="http://playground.sun.com/pub/ipng/html/ipng-main.html">web
-      site</a> for more details, and our <a
-      href="compat.html#ipv6">compatibility</a> document for information on
-      FreeS/WAN and the Linux implementation of IPv6.</p>
-    </dd>
-  <dt><a name="IPSEC">IPsec</a> or IPSEC</dt>
-    <dd><b>I</b>nternet <b>P</b>rotocol <b>SEC</b>urity, security functions
-      (<a href="#authentication">authentication</a> and <a
-      href="#encryption">encryption</a>) implemented at the IP level of the
-      protocol stack. It is optional for <a href="#IPv4">IPv4</a> and
-      mandatory for <a href="#ipv6.gloss">IPv6</a>.
-      <p>This is the standard <a href="#FreeSWAN">Linux FreeS/WAN</a> is
-      implementing. For more details, see our <a href="ipsec.html">IPsec
-      Overview</a>. For the standards, see RFCs listed in our <a
-      href="rfc.html#RFC">RFCs document</a>.</p>
-    </dd>
-  <dt><a name="IPX">IPX</a></dt>
-    <dd>Novell's Netware protocol tunnelled over an IP link. Our <a
-      href="firewall.html#user.scripts">firewalls</a> document includes an
-      example of using this through an IPsec tunnel.</dd>
-  <dt><a name="ISAKMP">ISAKMP</a></dt>
-    <dd><b>I</b>nternet <b>S</b>ecurity <b>A</b>ssociation and <b>K</b>ey
-      <b>M</b>anagement <b>P</b>rotocol, defined in RFC 2408.</dd>
-  <dt><a name="ITAR">ITAR</a></dt>
-    <dd><b>I</b>nternational <b>T</b>raffic in <b>A</b>rms
-      <b>R</b>egulations, US regulations administered by the State Department
-      which until recently limited export of, among other things,
-      cryptographic technology and software. ITAR still exists, but the
-      limits on cryptography have now been transferred to the <a
-      href="#EAR">Export Administration Regulations</a> under the Commerce
-      Department's <a href="#BXA">Bureau of Export Administration</a>.</dd>
-  <dt>IV</dt>
-    <dd>see <a href="#IV">Initialisation vector</a></dd>
-  <dt><a name="IV">Initialisation Vector (IV)</a></dt>
-    <dd>Some cipher <a href="#mode">modes</a>, including the <a
-      href="#CBC">CBC</a> mode which IPsec uses, require some extra data at
-      the beginning. This data is called the initialisation vector. It need
-      not be secret, but should be different for each message. Its function
-      is to prevent messages which begin with the same text from encrypting
-      to the same ciphertext. That might give an analyst an opening, so it is
-      best prevented.</dd>
-  <dt><a name="initiate-only">Initiate-only opportunistic 
-  encryption (iOE)</a></dt>
-    <dd>A form of 
-     <A HREF="#carpediem">opportunistic encryption</A> (OE) in which 
-     a host proposes opportunistic connections, but lacks the reverse DNS
-     records necessary to support incoming opportunistic connection requests.
-     Common among hosts on cable or pppoe connections where the system 
-     administrator does not have write access to the DNS reverse map
-     for the host's external IP.
-      <p>Configuring for initiate-only opportunistic encryption 
-       is described in our
-      <a href="quickstart.html#opp.client">quickstart</a> document.</p>
-    </dd>
-  <dt><a name="J">J</a></dt>
-  <dt><a name="JFK">JFK</a></dt>
-    <dd><strong>J</strong>ust <strong>F</strong>ast <strong>K</strong>eying,
-      a proposed simpler replacement for <a href="#IKE">IKE.</a></dd>
-  <dt><a name="K">K</a></dt>
-  <dt><a name="kernel">Kernel</a></dt>
-    <dd>The basic part of an operating system (e.g. Linux) which controls the
-      hardware and provides services to all other programs.
-      <p>In the Linux release numbering system, an even second digit as in
-      2.<strong>2</strong>.x indicates a stable or production kernel while an
-      odd number as in 2.<strong>3</strong>.x indicates an experimental or
-      development kernel. Most users should run a recent kernel version from
-      the production series. The development kernels are primarily for people
-      doing kernel development. Others should consider using development
-      kernels only if they have an urgent need for some feature not yet
-      available in production kernels.</p>
-    </dd>
-  <dt>Keyed message digest</dt>
-    <dd>See <a href="#HMAC">HMAC</a>.</dd>
-  <dt>Key length</dt>
-    <dd>see <a href="#brute">brute force attack</a></dd>
-  <dt><a name="KLIPS">KLIPS</a></dt>
-    <dd><b>K</b>erne<b>l</b> <b>IP</b> <b>S</b>ecurity, the <a
-      href="#FreeSWAN">Linux FreeS/WAN</a> project's changes to the <a
-      href="#Linux">Linux</a> kernel to support the <a
-      href="#IPSEC">IPsec</a> protocols.</dd>
-  <dt><a name="L">L</a></dt>
-  <dt><a name="LDAP">LDAP</a></dt>
-    <dd><b>L</b>ightweight <b>D</b>irectory <b>A</b>ccess <b>P</b>rotocol,
-      defined in RFCs 1777 and 1778,  a method of accessing information
-      stored in directories. LDAP is used by several <a href="#PKI">PKI</a>
-      implementations, often with X.501 directories and <a
-      href="#X509">X.509</a> certificates. It may also be used by <a
-      href="#IPSEC">IPsec</a> to obtain key certifications from those PKIs.
-      This is not yet implemented in <a href="#FreeSWAN">Linux
-    FreeS/WAN</a>.</dd>
-  <dt><a name="LIBDES">LIBDES</a></dt>
-    <dd>A publicly available library of <a href="#DES">DES</a> code, written
-      by Eric Young, which <a href="#FreeSWAN">Linux FreeS/WAN</a> uses in
-      both <a href="#KLIPS">KLIPS</a> and <a href="#Pluto">Pluto</a>.</dd>
-  <dt><a name="Linux">Linux</a></dt>
-    <dd>A freely available Unix-like operating system based on a kernel
-      originally written for the Intel 386 architecture by (then) student
-      Linus Torvalds. Once his 32-bit kernel was available, the <a
-      href="#GNU">GNU</a> utilities made it a usable system and contributions
-      from many others led to explosive growth.
-      <p>Today Linux is a complete Unix replacement available for several CPU
-      architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit SPARC
-      and the 64-bit UltraSPARC, SrongARM, . . . -- with support for multiple
-      CPUs on some architectures.</p>
-      <p><a href="#FreeSWAN">Linux FreeS/WAN</a> is intended to run on all
-      CPUs supported by Linux and is known to work on several. See our <a
-      href="compat.html#CPUs">compatibility</a> section for a list.</p>
-    </dd>
-  <dt><a name="FreeSWAN">Linux FreeS/WAN</a></dt>
-    <dd>Our implementation of the <a href="#IPSEC">IPsec</a> protocols,
-      intended to be freely redistributable source code with <a href="#GPL">a
-      GNU GPL license</a> and no constraints under US or other <a
-      href="politics.html#exlaw">export laws</a>. Linux FreeS/WAN is intended
-      to interoperate with other <a href="#IPSEC">IPsec</a> implementations.
-      The name is partly taken, with permission, from the <a
-      href="#SWAN">S/WAN</a> multi-vendor IPsec compatability effort. Linux
-      FreeS/WAN has two major components, <a href="#KLIPS">KLIPS</a> (KerneL
-      IPsec Support) and the <a href="#Pluto">Pluto</a> daemon which manages
-      the whole thing.
-      <p>See our <a href="ipsec.html">IPsec section</a> for more detail. For
-      the code see our <a href="http://freeswan.org"> primary site</a> or one
-      of the mirror sites on <a href="intro.html#mirrors">this list</a>.</p>
-    </dd>
-  <dt><a name="LSM">Linux Security Modules (LSM)</a></dt>
-    <dd>a project to create an interface in the Linux kernel that supports
-      plug-in modules for various security policies.
-      <p>This allows multiple security projects to take different approaches
-      to security enhancement without tying the kernel down to one particular
-      approach. As I understand the history, several projects were pressing
-      Linus to incorporate their changes, the various sets of changes were
-      incompatible, and his answer was more-or-less "a plague on all your
-      houses; I'll give you an interface, but I won't incorporate
-      anything".</p>
-      <p>It seems to be working. There is a fairly active <a
-      href="http://mail.wirex.com/mailman/listinfo/linux-security-module">LSM
-      mailing list</a>, and several projects are already using the
-      interface.</p>
-    </dd>
-  <dt>LSM</dt>
-    <dd>see <a href="#LSM">Linux Security Modules</a></dd>
-  <dt><a name="M">M</a></dt>
-  <dt><a name="list">Mailing list</a></dt>
-    <dd>The <a href="#FreeSWAN">Linux FreeS/WAN</a> project has several
-      public email lists for bug reports and software development
-      discussions. See our document on <a href="mail.html">mailing
-    lists</a>.</dd>
-  <dt><a name="middle">Man-in-the-middle attack</a></dt>
-    <dd>An <a href="#active">active attack</a> in which the attacker
-      impersonates each of the legitimate players in a protocol to the other.
-      <p>For example, if <a href="#alicebob">Alice and Bob</a> are
-      negotiating a key via the <a href="#DH">Diffie-Hellman</a> key
-      agreement, and are not using <a
-      href="#authentication">authentication</a> to be certain they are
-      talking to each other, then an attacker able to insert himself in the
-      communication path can deceive both players.</p>
-      <p>Call the attacker Mallory. For Bob, he pretends to be Alice. For
-      Alice, he pretends to be Bob. Two keys are then negotiated,
-      Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key
-      they have is Alice-to-Bob.</p>
-      <p>A message from Alice to Bob then goes to Mallory who decrypts it,
-      reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key
-      and sends it along to Bob. Bob decrypts successfully and sends a reply
-      which Mallory decrypts, reads, re-encrypts and forwards to Alice.</p>
-      <p>To make this attack effective, Mallory must</p>
-      <ul>
-        <li>subvert some part of the network in some way that lets him carry
-          out the deception<br>
-          possible targets: DNS, router, Alice or Bob's machine, mail server,
-          ...</li>
-        <li>beat any authentication mechanism Alice and Bob use<br>
-          strong authentication defeats the attack entirely; this is why <a
-          href="#IKE">IKE</a> requires authentication</li>
-        <li>work in real time, delivering messages without introducing a
-          delay large enough to alert the victims<br>
-          not hard if Alice and Bob are using email; quite difficult in some
-          situations.</li>
-      </ul>
-      <p>If he manages it, however, it is devastating. He not only gets to
-      read all the messages; he can alter messages, inject his own, forge
-      anything he likes, . . . In fact, he controls the communication
-      completely.</p>
-    </dd>
-  <dt><a name="mandatory">mandatory access control</a></dt>
-    <dd>access control mechanisims which are not settable by the user (see <a
-      href="#discretionary">discretionary access control</a>), but are
-      enforced by the system.
-      <p>For example, a document labelled "secret, zebra" might be readable
-      only by someone with secret clearance working on Project Zebra.
-      Ideally, the system will prevent any transfer outside those boundaries.
-      For example, even if you can read it, you should not be able to e-mail
-      it (unless the recipient is appropriately cleared) or print it (unless
-      certain printers are authorised for that classification).</p>
-      <p>Mandatory access control is a required feature for some levels of <a
-      href="#rainbow">Rainbow Book</a> or <a href="#cc">Common Criteria</a>
-      classification, but has not been widely used outside the military and
-      government. There is a good discussion of the issues in Anderson's <a
-      href="biblio.html#anderson">Security Engineering</a>.</p>
-      <p>The <a href="#SElinux">Security Enhanced Linux</a> project is adding
-      mandatory access control to Linux.</p>
-    </dd>
-  <dt><a name="manual">Manual keying</a></dt>
-    <dd>An IPsec mode in which the keys are provided by the administrator. In
-      FreeS/WAN, they are stored in /etc/ipsec.conf. The alternative, <a
-      href="#auto">automatic keying</a>, is preferred in most cases. See this
-      <a href="adv_config.html#man-auto">discussion</a>.</dd>
-  <dt><a name="MD4">MD4</a></dt>
-    <dd><a href="#digest">Message Digest Algorithm</a> Four from Ron Rivest
-      of <a href="#RSAco">RSA</a>. MD4 was widely used a few years ago, but
-      is now considered obsolete. It has been replaced by its descendants <a
-      href="#MD5">MD5</a> and <a href="#SHA">SHA</a>.</dd>
-  <dt><a name="MD5">MD5</a></dt>
-    <dd><a href="#digest">Message Digest Algorithm</a> Five from Ron Rivest
-      of <a href="#RSAco">RSA</a>, an improved variant of his <a
-      href="#MD4">MD4</a>. Like MD4, it produces a 128-bit hash. For details
-      see RFC 1321.
-      <p>MD5 is one of two message digest algorithms available in IPsec. The
-      other is <a href="#SHA">SHA</a>. SHA produces a longer hash and is
-      therefore more resistant to <a href="#birthday">birthday attacks</a>,
-      but this is not a concern for IPsec. The <a href="#HMAC">HMAC</a>
-      method used in IPsec is secure even if the underlying hash is not
-      particularly strong against this attack.</p>
-      <p>Hans Dobbertin found a weakness in MD5, and people often ask whether
-      this means MD5 is unsafe for IPsec. It doesn't. The IPsec RFCs discuss
-      Dobbertin's attack and conclude that it does not affect MD5 as used for
-      HMAC in IPsec.</p>
-    </dd>
-  <dt><a name="meet">Meet-in-the-middle attack</a></dt>
-    <dd>A divide-and-conquer attack which breaks a cipher into two parts,
-      works against each separately, and compares results. Probably the best
-      known example is an attack on double DES. This applies in principle to
-      any pair of block ciphers, e.g. to an encryption system using, say,
-      CAST-128 and Blowfish, but we will describe it for double DES.
-      <p>Double DES encryption and decryption can be written:</p>
-      <pre>        C = E(k2,E(k1,P))
-        P = D(k1,D(k2,C))</pre>
-      <p>Where C is ciphertext, P is plaintext, E is encryption, D is
-      decryption, k1 is one key, and k2 is the other key. If we know a P, C
-      pair, we can try and find the keys with a brute force attack, trying
-      all possible k1, k2 pairs. Since each key is 56 bits, there are
-      2<sup>112</sup> such pairs and this attack is painfully inefficient.</p>
-      <p>The meet-in-the middle attack re-writes the equations to calculate a
-      middle value M:</p>
-      <pre>        M = E(k1,P)
-        M = D(k2,C)</pre>
-      <p>Now we can try some large number of D(k2,C) decryptions with various
-      values of k2 and store the results in a table. Then start doing E(k1,P)
-      encryptions, checking each result to see if it is in the table.</p>
-      <p>With enough table space, this breaks double DES with
-      <nobr>2<sup>56</sup> + 2<sup>56</sup> = 2<sup>57</sup></nobr>work.
-      Against triple DES, you need <nobr>2<sup>56</sup> + 2<sup>112</sup> ~=
-      2<sup>112</sup></nobr>.</p>
-      <p>The memory requirements for such attacks can be prohibitive, but
-      there is a whole body of research literature on methods of reducing
-      them.</p>
-    </dd>
-  <dt><a name="digest">Message Digest Algorithm</a></dt>
-    <dd>An algorithm which takes a message as input and produces a hash or
-      digest of it, a fixed-length set of bits which depend on the message
-      contents in some highly complex manner. Design criteria include making
-      it extremely difficult for anyone to counterfeit a digest or to change
-      a message without altering its digest. One essential property is <a
-      href="#collision">collision resistance</a>. The main applications are
-      in message <a href="#authentication">authentication</a> and <a
-      href="#signature">digital signature</a> schemes. Widely used algorithms
-      include <a href="#MD5">MD5</a> and <a href="#SHA">SHA</a>. In IPsec,
-      message digests are used for <a href="#HMAC">HMAC</a> authentication of
-      packets.</dd>
-  <dt><a name="MTU">MTU</a></dt>
-    <dd><strong>M</strong>aximum <strong>T</strong>ransmission
-      <strong>U</strong>nit, the largest size of packet that can be sent over
-      a link. This is determined by the underlying network, but must be taken
-      account of at the IP level.
-      <p>IP packets, which can be up to 64K bytes each, must be packaged into
-      lower-level packets of the appropriate size for the underlying
-      network(s) and re-assembled on the other end. When a packet must pass
-      over multiple networks, each with its own MTU, and many of the MTUs are
-      unknown to the sender, this becomes a fairly complex problem. See <a
-      href="#pathMTU">path MTU discovery</a> for details.</p>
-      <p>Often the MTU is a few hundred bytes on serial links and 1500 on
-      Ethernet. There are, however, serial link protocols which use a larger
-      MTU to avoid fragmentation at the ethernet/serial boundary, and newer
-      (especially gigabit) Ethernet networks sometimes support much larger
-      packets because these are more efficient in some applications.</p>
-    </dd>
-  <dt><a name="N">N</a></dt>
-  <dt><a name="NAI">NAI</a></dt>
-    <dd><a href="http://www.nai.com">Network Associates</a>, a conglomerate
-      formed from <a href="#PGPI">PGP Inc.</a>, TIS (Trusted Information
-      Systems, a firewall vendor) and McAfee anti-virus products. Among other
-      things, they offer an IPsec-based VPN product.</dd>
-  <dt><a name="NAT.gloss">NAT</a></dt>
-    <dd><b>N</b>etwork <b>A</b>ddress <b>T</b>ranslation, a process by which
-      firewall machines may change the addresses on packets as they go
-      through. For discussion, see our <a
-      href="background.html#nat.background">background</a> section.</dd>
-  <dt><a name="NIST">NIST</a></dt>
-    <dd>The US <a href="http://www.nist.gov"> National Institute of Standards
-      and Technology</a>, responsible for <a href="#FIPS">FIPS standards</a>
-      including <a href="#DES">DES</a> and its replacement, <a
-      href="#AES">AES</a>.</dd>
-  <dt><a name="nonce">Nonce</a></dt>
-    <dd>A <a href="#random">random</a> value used in an <a
-      href="#authentication">authentication</a> protocol.</dd>
-  <dt></dt>
-  <dt><a name="non-routable">Non-routable IP address</a></dt>
-    <dd>An IP address not normally allowed in the "to" or "from" IP address
-      field header of IP packets.
-      <p>Almost invariably, the phrase "non-routable address" means one of
-      the addresses reserved by RFC 1918 for private networks:</p>
-      <ul>
-        <li>10.anything</li>
-        <li>172.x.anything with 16 &lt;= x &lt;= 31</li>
-        <li>192.168.anything</li>
-      </ul>
-      <p>These addresses are commonly used on private networks, e.g. behind a
-      Linux machines doing <a href="#masq">IP masquerade</a>. Machines within
-      the private network can address each other with these addresses. All
-      packets going outside that network, however, have these addresses
-      replaced before they reach the Internet.</p>
-      <p>If any packets using these addresses do leak out, they do not go
-      far. Most routers automatically discard all such packets.</p>
-      <p>Various other addresses -- the 127.0.0.0/8 block reserved for local
-      use, 0.0.0.0, various broadcast and network addresses -- cannot be
-      routed over the Internet, but are not normally included in the meaning
-      when the phrase "non-routable address" is used.</p>
-    </dd>
-  <dt><a name="NSA">NSA</a></dt>
-    <dd>The US <a href="http://www.nsa.gov"> National Security Agency</a>,
-      the American organisation for <a href="#SIGINT">signals
-      intelligence</a>, the protection of US government messages and the
-      interception and analysis of other messages. For details, see Bamford's
-      <a href="biblio.html#puzzle">"The Puzzle Palace"</a>.
-      <p>Some <a
-      href="http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/index.html">history
-      of NSA</a> documents were declassified in response to a FOIA (Freedom
-      of Information Act) request.</p>
-    </dd>
-  <dt><a name="O">O</a></dt>
-  <dt><a name="oakley">Oakley</a></dt>
-    <dd>A key determination protocol, defined in RFC 2412.</dd>
-  <dt>Oakley groups</dt>
-    <dd>The groups used as the basis of <a href="#DH">Diffie-Hellman</a> key
-      exchange in the Oakley protocol, and in <a href="#IKE">IKE</a>. Four
-      were defined in the original RFC, and a fifth has been <a
-      href="http://www.lounge.org/ike_doi_errata.html">added since</a>.
-      <p>Linux FreeS/WAN currently supports the three groups based on finite
-      fields modulo a prime (Groups 1, 2 and 5) and does not support the
-      elliptic curve groups (3 and 4). For a description of the difference of
-      the types, see <a href="#dlog">discrete logarithms</a>.</p>
-    </dd>
-  <dt><a name="OTP">One time pad</a></dt>
-    <dd>A cipher in which the key is:
-      <ul>
-        <li>as long as the total set of messages to be enciphered</li>
-        <li>absolutely <a href="#random">random</a></li>
-        <li>never re-used</li>
-      </ul>
-      <p>Given those three conditions, it can easily be proved that the
-      cipher is perfectly secure, in the sense that an attacker with
-      intercepted message in hand has no better chance of guessing the
-      message than an attacker who has not intercepted the message and only
-      knows the message length. No such proof exists for any other cipher.</p>
-      <p>There are, however, several problems with this "perfect" cipher.</p>
-      <p>First, it is <strong>wildly impractical</strong> for most
-      applications. Key management is at best difficult, often completely
-      impossible.</p>
-      <p>Second, it is <strong>extremely fragile</strong>. Small changes
-      which violate the conditions listed above do not just weaken the cipher
-      liitle. Quite often they destroy its security completely.</p>
-      <ul>
-        <li>Re-using the pad weakens the cipher to the point where it can be
-          broken with pencil and paper. With a computer, the attack is
-          trivially easy.</li>
-        <li>Using <em>anything</em> less than truly <a
-          href="#random">random</a> numbers <em>completely</em> invalidates
-          the security proof.</li>
-        <li>In particular, using computer-generated pseudo-random numbers may
-          give an extremely weak cipher. It might also produce a good stream
-          cipher, if the pseudo-random generator is both well-designed and
-          properely seeded.</li>
-      </ul>
-      <p>Marketing claims about the "unbreakable" security of various
-      products which somewhat resemble one-time pads are common. Such claims
-      are one of the surest signs of cryptographic <a href="#snake">snake
-      oil</a>; most systems marketed with such claims are worthless.</p>
-      <p>Finally, even if the system is implemented and used correctly, it is
-      <strong>highly vulnerable to a substitution attack</strong>. If an
-      attacker knows some plaintext and has an intercepted message, he can
-      discover the pad.</p>
-      <ul>
-        <li>This does not matter if the attacker is just a <a
-          href="#passive">passive</a> eavesdropper. It gives him no plaintext
-          he didn't already know and we don't care that he learns a pad which
-          we will never re-use.</li>
-        <li>However, an <a href="#active">active</a> attacker who knows the
-          plaintext can recover the pad, then use it to encode with whatever
-          he chooses. If he can get his version delivered instead of yours,
-          this may be a disaster. If you send "attack at dawn", the delivered
-          message can be anything the same length -- perhaps "retreat to
-          east" or "shoot generals".</li>
-        <li>An active attacker with only a reasonable guess at the plaintext
-          can try the same attack. If the guess is correct, this works and
-          the attacker's bogus message is delivered. If the guess is wrong, a
-          garbled message is delivered.</li>
-      </ul>
-      <p>In general then, despite its theoretical perfection, the
-      one-time-pad has very limited practical application.</p>
-      <p>See also the <a href="http://pubweb.nfr.net/~mjr/pubs/otpfaq/">one
-      time pad FAQ</a>.</p>
-    </dd>
-  <dt><a name="carpediem">Opportunistic encryption (OE)</a></dt>
-    <dd>A situation in which any two IPsec-aware machines can secure their
-      communications, without a pre-shared secret and without a common <a
-      href="#PKI">PKI</a> or previous exchange of public keys. This is one of
-      the goals of the Linux FreeS/WAN project, discussed in our <a
-      href="intro.html#goals">introduction</a> section.
-      <p>Setting up for opportunistic encryption is described in our <a
-      href="quickstart.html#quickstart">quickstart</a> document.</p>
-    </dd>
-  <dt><a name="responder">Opportunistic responder</a></dt>
-    <dd>A host which accepts, but does not initiate, requests for 
-     <A HREF="#carpediem">opportunistic encryption</A> (OE). 
-     An opportunistic responder has enabled OE in its
-     <A HREF="#passive.OE">passive</A> form (pOE) only.
-     A web server or file server may be usefully set up as an opportunistic 
-      responder. 
-      <p>Configuring passive OE is described in our
-      <a href="policygroups.html#policygroups">policy groups</a> document.</p>
-    </dd>
-  <dt><a name="orange">Orange book</a></dt>
-    <dd>the most basic and best known of the US government's <a
-      href="#rainbow">Rainbow Book</a> series of computer security
-    standards.</dd>
-  <dt><a name="P">P</a></dt>
-  <dt><a name="P1363">P1363 standard</a></dt>
-    <dd>An <a href="#IEEE">IEEE</a> standard for public key cryptography. <a
-      href="http://grouper.ieee.org/groups/1363">Web page</a>.</dd>
-  <dt><a name="pOE">pOE</a></dt>
-    <dd>See <a href="#passive.OE">Passive opportunistic encryption</a>.</dd>
-  <dt><a name="passive">Passive attack</a></dt>
-    <dd>An attack in which the attacker only eavesdrops and attempts to
-      analyse intercepted messages, as opposed to an <a href="#active">active
-      attack</a> in which he diverts messages or generates his own.</dd>
-  <dt><a name="passive.OE">Passive opportunistic encryption (pOE)</a></dt>
-    <dd>A form of
-     <A HREF="#carpediem">opportunistic encryption</A> (OE) in which the
-     host will accept opportunistic connection requests, but will not 
-     initiate such requests. A host which runs OE in its passive form only 
-     is known as an <A HREF="#responder">opportunistic responder</A>.
-      <p>Configuring passive OE is described in our
-      <a href="policygroups.html#policygroups">policy groups</a> document.</p>
-    </dd>
-  <dt><a name="pathMTU">Path MTU discovery</a></dt>
-    <dd>The process of discovering the largest packet size which all links on
-      a path can handle without fragmentation -- that is, without any router
-      having to break the packet up into smaller pieces to match the <a
-      href="#MTU">MTU</a> of its outgoing link.
-      <p>This is done as follows:</p>
-      <ul>
-        <li>originator sends the largest packets allowed by <a
-          href="#MTU">MTU</a> of the first link, setting the DF
-          (<strong>d</strong>on't <strong>f</strong>ragment) bit in the
-          packet header</li>
-        <li>any router which cannot send the packet on (outgoing MTU is too
-          small for it, and DF prevents fragmenting it to match) sends back
-          an <a href="#ICMP.gloss">ICMP</a> packet reporting the problem</li>
-        <li>originator looks at ICMP message and tries a smaller size</li>
-        <li>eventually, you settle on a size that can pass all routers</li>
-        <li>thereafter, originator just sends that size and no-one has to
-          fragment</li>
-      </ul>
-      <p>Since this requires co-operation of many systems, and since the next
-      packet may travel a different path, this is one of the trickier areas
-      of IP programming. Bugs that have shown up over the years have
-      included:</p>
-      <ul>
-        <li>malformed ICMP messages</li>
-        <li>hosts that ignore or mishandle these ICMP messages</li>
-        <li>firewalls blocking the ICMP messages so host does not see
-        them</li>
-      </ul>
-      <p>Since IPsec adds a header, it increases packet size and may require
-      fragmentation even where incoming and outgoing MTU are equal.</p>
-    </dd>
-  <dt><a name="PFS">Perfect forward secrecy (PFS)</a></dt>
-    <dd>A property of systems such as <a href="#DH">Diffie-Hellman</a> key
-      exchange which use a long-term key (such as the shared secret in IKE)
-      and generate short-term keys as required. If an attacker who acquires
-      the long-term key <em>provably</em> can
-      <ul>
-        <li><em>neither</em> read previous messages which he may have
-        archived</li>
-        <li><em>nor</em> read future messages without performing additional
-          successful attacks</li>
-      </ul>
-      <p>then the system has PFS. The attacker needs the short-term keys in
-      order to read the trafiic and merely having the long-term key does not
-      allow him to infer those. Of course, it may allow him to conduct
-      another attack (such as <a href="#middle">man-in-the-middle</a>) which
-      gives him some short-term keys, but he does not automatically get them
-      just by acquiring the long-term key.</p>
-      <p>See also
-<a href="http://sandelman.ottawa.on.ca/ipsec/1996/08/msg00123.html">Phil 
-Karn's definition</a>.
-    </dd>
-  <dt>PFS</dt>
-    <dd>see Perfect Forward Secrecy</dd>
-  <dt><a name="PGP">PGP</a></dt>
-    <dd><b>P</b>retty <b>G</b>ood <b>P</b>rivacy, a personal encryption
-      system for email based on public key technology, written by Phil
-      Zimmerman.
-      <p>The 2.xx versions of PGP used the <a href="#RSA">RSA</a> public key
-      algorithm and used <a href="#IDEA">IDEA</a> as the symmetric cipher.
-      These versions are described in RFC 1991 and in <a
-      href="#PGP">Garfinkel's book</a>. Since version 5, the products from <a
-      href="#PGPI">PGP Inc</a>. have used <a href="#DH">Diffie-Hellman</a>
-      public key methods and <a href="#CAST128">CAST-128</a> symmetric
-      encryption. These can verify signatures from the 2.xx versions, but
-      cannot exchange encryted messages with them.</p>
-      <p>An <a href="#IETF">IETF</a> working group has issued RFC 2440 for an
-      "Open PGP" standard, similar to the 5.x versions. PGP Inc. staff were
-      among the authors. A free <a href="#GPG">Gnu Privacy Guard</a> based on
-      that standard is now available.</p>
-      <p>For more information on PGP, including how to obtain it, see our
-      cryptography <a href="web.html#tools">links</a>.</p>
-    </dd>
-  <dt><a name="PGPI">PGP Inc.</a></dt>
-    <dd>A company founded by Zimmerman, the author of <a href="#PGP">PGP</a>,
-      now a division of <a href="#NAI">NAI</a>. See the <a
-      href="http://www.pgp.com">corporate website</a>. Zimmerman left in
-      2001, and early in 2002 NAI announced that they would no longer sell
-      PGP..
-      <p>Versions 6.5 and later of the PGP product include PGPnet, an IPsec
-      client for Macintosh or for Windows 95/98/NT. See our <a
-      href="interop.html#pgpnet">interoperation documen</a>t.</p>
-    </dd>
-  <dt><a name="photuris">Photuris</a></dt>
-    <dd>Another key negotiation protocol, an alternative to <a
-      href="#IKE">IKE</a>, described in RFCs 2522 and 2523.</dd>
-  <dt><a name="PPP">PPP</a></dt>
-    <dd><b>P</b>oint-to-<b>P</b>oint <b>P</b>rotocol, originally a method of
-      connecting over modems or serial lines, but see also PPPoE.</dd>
-  <dt><a name="PPPoE">PPPoE</a></dt>
-    <dd><b>PPP</b> <b>o</b>ver <b>E</b>thernet, a somewhat odd protocol that
-      makes Ethernet look like a point-to-point serial link. It is widely
-      used for cable or ADSL Internet services, apparently mainly because it
-      lets the providers use access control and address assignmment
-      mechanisms developed for dialup networks. <a
-      href="http://www.roaringpenguin.com">Roaring Penguin</a> provide a
-      widely used Linux implementation.</dd>
-  <dt><a name="PPTP">PPTP</a></dt>
-    <dd><b>P</b>oint-to-<b>P</b>oint <b>T</b>unneling <b>P</b>rotocol, used
-      in some Microsoft VPN implementations. Papers discussing weaknesses in
-      it are on <a
-      href="http://www.counterpane.com/publish.html">counterpane.com</a>. It
-      is now largely obsolete, replaced by L2TP.</dd>
-  <dt><a name="PKI">PKI</a></dt>
-    <dd><b>P</b>ublic <b>K</b>ey <b>I</b>nfrastructure, the things an
-      organisation or community needs to set up in order to make <a
-      href="#public">public key</a> cryptographic technology a standard part
-      of their operating procedures.
-      <p>There are several PKI products on the market. Typically they use a
-      hierarchy of <a href="#CA">Certification Authorities (CAs)</a>. Often
-      they use <a href="#LDAP">LDAP</a> access to <a href="#X509">X.509</a>
-      directories to implement this.</p>
-      <p>See <a href="#web">Web of Trust</a> for a different sort of
-      infrastructure.</p>
-    </dd>
-  <dt><a name="PKIX">PKIX</a></dt>
-    <dd><b>PKI</b> e<b>X</b>change, an <a href="#IETF">IETF</a> standard that
-      allows <a href="#PKI">PKI</a>s to talk to each other.
-      <p>This is required, for example, when users of a corporate PKI need to
-      communicate with people at client, supplier or government
-      organisations, any of which may have a different PKI in place. I should
-      be able to talk to you securely whenever:</p>
-      <ul>
-        <li>your organisation and mine each have a PKI in place</li>
-        <li>you and I are each set up to use those PKIs</li>
-        <li>the two PKIs speak PKIX</li>
-        <li>the configuration allows the conversation</li>
-      </ul>
-      <p>At time of writing (March 1999), this is not yet widely implemented
-      but is under quite active development by several groups.</p>
-    </dd>
-  <dt><a name="plaintext">Plaintext</a></dt>
-    <dd>The unencrypted input to a cipher, as opposed to the encrypted <a
-      href="#ciphertext">ciphertext</a> output.</dd>
-  <dt><a name="Pluto">Pluto</a></dt>
-    <dd>The <a href="#FreeSWAN">Linux FreeS/WAN</a> daemon which handles key
-      exchange via the <a href="#IKE">IKE</a> protocol, connection
-      negotiation, and other higher-level tasks. Pluto calls the <a
-      href="#KLIPS">KLIPS</a> kernel code as required. For details, see the
-      manual page ipsec_pluto(8).</dd>
-  <dt><a name="public">Public Key Cryptography</a></dt>
-    <dd>In public key cryptography, keys are created in matched pairs.
-      Encrypt with one half of a pair and only the matching other half can
-      decrypt it. This contrasts with <a href="#symmetric">symmetric or
-      secret key cryptography</a> in which a single key known to both parties
-      is used for both encryption and decryption.
-      <p>One half of each pair, called the public key, is made public. The
-      other half, called the private key, is kept secret. Messages can then
-      be sent by anyone who knows the public key to the holder of the private
-      key. Encrypt with the public key and you know that only someone with
-      the matching private key can decrypt.</p>
-      <p>Public key techniques can be used to create <a
-      href="#signature">digital signatures</a> and to deal with key
-      management issues, perhaps the hardest part of effective deployment of
-      <a href="#symmetric"> symmetric ciphers</a>. The resulting <a
-      href="#hybrid">hybrid cryptosystems</a> use public key methods to
-      manage keys for symmetric ciphers.</p>
-      <p>Many organisations are currently creating <a href="#PKI">PKIs,
-      public key infrastructures</a> to make these benefits widely
-      available.</p>
-    </dd>
-  <dt>Public Key Infrastructure</dt>
-    <dd>see <a href="#PKI">PKI</a></dd>
-  <dt><a name="Q">Q</a></dt>
-  <dt><a name="R">R</a></dt>
-  <dt><a name="rainbow">Rainbow books</a></dt>
-    <dd>A set of US government standards for evaluation of "trusted computer
-      systems", of which the best known was the <a href="#orange">Orange
-      Book</a>. One fairly often hears references to "C2 security" or a
-      product "evaluated at B1". The Rainbow books define the standards
-      referred to in those comments.
-      <p>See this <a href="http://www.fas.org/irp/nsa/rainbow.htm">reference
-      page</a>.</p>
-      <p>The Rainbow books are now mainly obsolete, replaced by the
-      international <a href="#cc">Common Criteria</a> standards.</p>
-    </dd>
-  <dt><a name="random">Random</a></dt>
-    <dd>A remarkably tricky term, far too much so for me to attempt a
-      definition here. Quite a few cryptosystems have been broken via attacks
-      on weak random number generators, even when the rest of the system was
-      sound.
-      <p>See <a
-      href="http://nis.nsf.net/internet/documents/rfc/rfc1750.txt">RFC
-      1750</a> for the theory.</p>
-      <p>See the manual pages for <a
-      href="manpage.d/ipsec_ranbits.8.html">ipsec_ranbits(8)</a> and
-      ipsec_prng(3) for more on FreeS/WAN's use of randomness. Both depend on
-      the random(4) device driver..</p>
-      <p>A couple of years ago, there was extensive mailing list discussion
-      (archived <a
-      href="http://www.openpgp.net/random/index.html">here</a>)of Linux
-      /dev/random and FreeS/WAN.  Since then, the design of the random(4)
-      driver has changed considerably. Linux 2.4 kernels have the new
-      driver..</p>
-    </dd>
-  <dt>Raptor</dt>
-    <dd>A firewall product for Windows NT offerring IPsec-based VPN services.
-      Linux FreeS/WAN interoperates with Raptor; see our <a
-      href="interop.html#Raptor">interop</a> document for details. Raptor
-      have recently merged with Axent.</dd>
-  <dt><a name="RC4">RC4</a></dt>
-    <dd><b>R</b>ivest <b>C</b>ipher four, designed by Ron Rivest of <a
-      href="#RSAco">RSA</a> and widely used. Believed highly secure with
-      adequate key length, but often implemented with inadequate key length
-      to comply with export restrictions.</dd>
-  <dt><a name="RC6">RC6</a></dt>
-    <dd><b>R</b>ivest <b>C</b>ipher six, <a href="#RSAco">RSA</a>'s <a
-      href="#AES">AES</a> candidate cipher.</dd>
-  <dt><a name="replay">Replay attack</a></dt>
-    <dd>An attack in which the attacker records data and later replays it in
-      an attempt to deceive the recipient.</dd>
-  <dt><a name="reverse">Reverse map</a></dt>
-    <dd>In <a href="#DNS">DNS</a>, a table where IP addresses can be used as
-      the key for lookups which return a system name and/or other
-    information.</dd>
-  <dt>RFC</dt>
-    <dd><b>R</b>equest <b>F</b>or <b>C</b>omments, an Internet document. Some
-      RFCs are just informative. Others are standards.
-      <p>Our list of <a href="#IPSEC">IPsec</a> and other security-related
-      RFCs is <a href="rfc.html#RFC">here</a>, along with information on
-      methods of obtaining them.</p>
-    </dd>
-  <dt><a name="rijndael">Rijndael</a></dt>
-    <dd>a <a href="#block">block cipher</a> designed by two Belgian
-      cryptographers, winner of the US government's <a href="#AES">AES</a>
-      contest to pick a replacement for <a href="#DES">DES</a>. See the <a
-      href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael">Rijndael home
-      page</a>.</dd>
-  <dt><a name="RIPEMD">RIPEMD</a></dt>
-    <dd>A <a href="#digest">message digest</a> algorithm. The current version
-      is RIPEMD-160 which gives a 160-bit hash.</dd>
-  <dt><a name="rootCA">Root CA</a></dt>
-    <dd>The top level <a href="#CA">Certification Authority</a> in a hierachy
-      of such authorities.</dd>
-  <dt><a name="routable">Routable IP address</a></dt>
-    <dd>Most IP addresses can be used as "to" and "from" addresses in packet
-      headers. These are the routable addresses; we expect routing to be
-      possible for them. If we send a packet to one of them, we expect (in
-      most cases; there are various complications) that it will be delivered
-      if the address is in use and will cause an <a
-      href="#ICMP.gloss">ICMP</a> error packet to come back to us if not.
-      <p>There are also several classes of <a
-      href="#non-routable">non-routable</a> IP addresses.</p>
-    </dd>
-  <dt><a name="RSA">RSA algorithm</a></dt>
-    <dd><b>R</b>ivest <b>S</b>hamir <b>A</b>dleman <a href="#public">public
-      key</a> algorithm, named for its three inventors. It is widely used and
-      likely to become moreso since it became free of patent encumbrances in
-      September 2000.
-      <p>RSA can be used to provide either <a
-      href="#encryption">encryption</a> or <a href="#signature">digital
-      signatures</a>. In IPsec, it is used only for signatures. These provide
-      gateway-to-gateway <a href="#authentication">authentication</a> for <a
-      href="#IKE">IKE </a>negotiations.</p>
-      <p>For a full explanation of the algorithm, consult one of the standard
-      references such as <a href="biblio.html#schneier">Applied
-      Cryptography</a>. A simple explanation is:</p>
-      <p>The great 17th century French mathematician <a
-      href="http://www-groups.dcs.st-andrews.ac.uk/~history/Mathematicians/Fermat.html">Fermat</a>
-      proved that,</p>
-      <p>for any prime p and number x, 0 &lt;= x &lt; p:</p>
-      <pre>        x^p == x         modulo p
-        x^(p-1) == 1     modulo p, non-zero x
-      </pre>
-      <p>From this it follows that if we have a pair of primes p, q and two
-      numbers e, d such that:</p>
-      <pre>        ed == 1          modulo lcm( p-1, q-1)
-      </pre>
-      where lcm() is least common multiple, then<br>
-      for all x, 0 &lt;= x &lt; pq:
-      <pre>      x^ed == x           modulo pq
-      </pre>
-      <p>So we construct such as set of numbers p, q, e, d and publish the
-      product N=pq and e as the public key. Using c for <a
-      href="#ciphertext">ciphertext</a> and i for the input <a
-      href="#plaintext">plaintext</a>, encryption is then:</p>
-      <pre>        c = i^e           modulo N
-      </pre>
-      <p>An attacker cannot deduce i from the cyphertext c, short of either
-      factoring N or solving the <a href="#dlog">discrete logarithm</a>
-      problem for this field. If p, q are large primes (hundreds or thousands
-      of bits) no efficient solution to either problem is known.</p>
-      <p>The receiver, knowing the private key (N and d), can readily recover
-      the plaintext p since:</p>
-      <pre>        c^d == (i^e)^d    modulo N
-            == i^ed       modulo N
-            == i          modulo N
-      </pre>
-      <p>This gives an effective public key technique, with only a couple of
-      problems. It uses a good deal of computer time, since calculations with
-      large integers are not cheap, and there is no proof it is necessarily
-      secure since no-one has proven either factoring or discrete log cannot
-      be done efficiently. Quite a few good mathematicians have tried both
-      problems, and no-one has announced success, but there is no proof they
-      are insoluble.</p>
-    </dd>
-  <dt><a name="RSAco">RSA Data Security</a></dt>
-    <dd>A company founded by the inventors of the <a href="#RSA">RSA</a>
-      public key algorithm.</dd>
-  <dt><a name="S">S</a></dt>
-  <dt><a name="SA">SA</a></dt>
-    <dd><b>S</b>ecurity <b>A</b>ssociation, the channel negotiated by the
-      higher levels of an <a href="#IPSEC">IPsec</a> implementation (<a
-      href="#IKE">IKE</a>) and used by the lower (<a href="#ESP">ESP</a> and
-      <a href="#AH">AH</a>). SAs are unidirectional; you need a pair of them
-      for two-way communication.
-      <p>An SA is defined by three things -- the destination, the protocol
-      (<a href="#AH">AH</a> or<a href="#ESP">ESP</a>) and the <a
-      href="SPI">SPI</a>, security parameters index. It is used as an index
-      to look up other things such as session keys and intialisation
-      vectors.</p>
-      <p>For more detail, see our section on <a href="ipsec.html">IPsec</a>
-      and/or RFC 2401.</p>
-    </dd>
-  <dt><a name="SElinux">SE Linux</a></dt>
-    <dd><strong>S</strong>ecurity <strong>E</strong>nhanced Linux, an <a
-      href="#NSA">NSA</a>-funded project to add <a
-      href="#mandatory">mandatory access control</a> to Linux. See the <a
-      href="http://www.nsa.gov/selinux">project home page</a>.
-      <p>According to their web pages, this work will include extending
-      mandatory access controls to IPsec tunnels.</p>
-      <p>Recent versions of SE Linux code use the <a href="#LSM">Linux
-      Security Module</a> interface.</p>
-    </dd>
-  <dt><a name="SDNS">Secure DNS</a></dt>
-    <dd>A version of the <a href="#DNS">DNS or Domain Name Service</a>
-      enhanced with authentication services. This is being designed by the <a
-      href="#IETF">IETF</a> DNS security <a
-      href="http://www.ietf.org/ids.by.wg/dnssec.html">working group</a>.
-      Check the <a href="http://www.isc.org/bind.html">Internet Software
-      Consortium</a> for information on implementation progress and for the
-      latest version of <a href="#BIND">BIND</a>. Another site has <a
-      href="http://www.toad.com/~dnssec">more information</a>.
-      <p><a href="#IPSEC">IPsec</a> can use this plus <a
-      href="#DH">Diffie-Hellman key exchange</a> to bootstrap itself. This
-      allows <a href="#carpediem">opportunistic encryption</a>. Any pair of
-      machines which can authenticate each other via DNS can communicate
-      securely, without either a pre-existing shared secret or a shared <a
-      href="#PKI">PKI</a>.</p>
-    </dd>
-  <dt>Secret key cryptography</dt>
-    <dd>See <a href="#symmetric">symmetric cryptography</a></dd>
-  <dt>Security Association</dt>
-    <dd>see <a href="#SA">SA</a></dd>
-  <dt>Security Enhanced Linux</dt>
-    <dd>see <a href="#SElinux">SE Linux</a></dd>
-  <dt><a name="sequence">Sequence number</a></dt>
-    <dd>A number added to a packet or message which indicates its position in
-      a sequence of packets or messages. This provides some security against
-      <a href="#replay">replay attacks</a>.
-      <p>For <a href="#auto">automatic keying</a> mode, the <a
-      href="#IPSEC">IPsec</a> RFCs require that the sender generate sequence
-      numbers for each packet, but leave it optional whether the receiver
-      does anything with them.</p>
-    </dd>
-  <dt><a name="SHA">SHA</a></dt>
-  <dt>SHA-1</dt>
-    <dd><b>S</b>ecure <b>H</b>ash <b>A</b>lgorithm, a <a
-      href="#digest">message digest algorithm</a> developed by the <a
-      href="#NSA">NSA</a> for use in the Digital Signature standard, <a
-      href="#FIPS">FIPS</a> number 186 from <a href="#NIST">NIST</a>. SHA is
-      an improved variant of <a href="#MD4">MD4</a> producing a 160-bit hash.
-      <p>SHA is one of two message digest algorithms available in IPsec. The
-      other is <a href="#MD5">MD5</a>. Some people do not trust SHA because
-      it was developed by the <a href="#NSA">NSA</a>. There is, as far as we
-      know, no cryptographic evidence that SHA is untrustworthy, but this
-      does not prevent that view from being strongly held.</p>
-      <p>The NSA made one small change after the release of the original SHA.
-      They did not give reasons. Iit may be a defense against some attack
-      they found and do not wish to disclose.  Technically the modified
-      algorithm should be called SHA-1, but since it has replaced the
-      original algorithm in nearly all applications, it is generally just
-      referred to as SHA..</p>
-    </dd>
-  <dt><a name="SHA-256">SHA-256</a></dt>
-  <dt>SHA-384</dt>
-  <dt>SHA-512</dt>
-    <dd>Newer variants of SHA designed to match the strength of the 128, 192
-      and 256-bit keys of <a href="#AES">AES</a>. The work to break an
-      encryption algorithm's strength by <a href="#brute">brute force</a> is
-      2 
-      <math xmlns="http://www.w3.org/1998/Math/MathML">
-        <msup>
-          <mi>keylength</mi>
-        </msup>
-      </math>
-       operations but a <a href="birthday">birthday attack </a>on a hash
-      needs only 2 
-      <math xmlns="http://www.w3.org/1998/Math/MathML">
-        <msup>
-          <mrow>
-            <mi>hashlength</mi>
-            <mo>/</mo>
-            <mn>2</mn>
-          </mrow>
-        </msup>
-      </math>
-       , so as a general rule you need a hash twice the size of the key to
-      get similar strength. SHA-256, SHA-384 and SHA-512 are designed to
-      match the 128, 192 and 256-bit key sizes of AES, respectively.</dd>
-  <dt><a name="SIGINT">Signals intelligence (SIGINT)</a></dt>
-    <dd>Activities of government agencies from various nations aimed at
-      protecting their own communications and reading those of others.
-      Cryptography, cryptanalysis, wiretapping, interception and monitoring
-      of various sorts of signals. The players include the American <a
-      href="#NSA">NSA</a>, British <a href="#GCHQ">GCHQ</a> and Canadian <a
-      href="#CSE">CSE</a>.</dd>
-  <dt><a name="SKIP">SKIP</a></dt>
-    <dd><b>S</b>imple <b>K</b>ey management for <b>I</b>nternet
-      <b>P</b>rotocols, an alternative to <a href="#IKE">IKE</a> developed by
-      Sun and being marketed by their <a
-      href="http://skip.incog.com">Internet Commerce Group</a>.</dd>
-  <dt><a name="snake">Snake oil</a></dt>
-    <dd>Bogus cryptography. See the <a
-      href="http://www.interhack.net/people/cmcurtin/snake-oil-faq.html">
-      Snake Oil FAQ</a> or <a
-      href="http://www.counterpane.com/crypto-gram-9902.html#snakeoil">this
-      paper</a> by Schneier.</dd>
-  <dt><a name="SPI">SPI</a></dt>
-    <dd><b>S</b>ecurity <b>P</b>arameter <b>I</b>ndex, an index used within
-      <a href="#IPSEC">IPsec</a> to keep connections distinct. A <a
-      href="#SA">Security Association (SA)</a> is defined by destination,
-      protocol and SPI. Without the SPI, two connections to the same gateway
-      using the same protocol could not be distinguished.
-      <p>For more detail, see our <a href="ipsec.html">IPsec</a> section
-      and/or RFC 2401.</p>
-    </dd>
-  <dt><a name="SSH">SSH</a></dt>
-    <dd><b>S</b>ecure <b>SH</b>ell, an encrypting replacement for the
-      insecure Berkeley commands whose names begin with "r" for "remote":
-      rsh, rlogin, etc.
-      <p>For more information on SSH, including how to obtain it, see our
-      cryptography <a href="web.html#tools">links</a>.</p>
-    </dd>
-  <dt><a name="SSHco">SSH Communications Security</a></dt>
-    <dd>A company founded by the authors of <a href="#SSH">SSH</a>. Offices
-      are in <a href="http://www.ssh.fi">Finland</a> and <a
-      href="http://www.ipsec.com">California</a>. They have a toolkit for
-      developers of IPsec applications.</dd>
-  <dt><a name="SSL">SSL</a></dt>
-    <dd><a href="http://home.netscape.com/eng/ssl3">Secure Sockets Layer</a>,
-      a set of encryption and authentication services for web browsers,
-      developed by Netscape. Widely used in Internet commerce. Also known as
-      <a href="#TLS">TLS</a>.</dd>
-  <dt>SSLeay</dt>
-    <dd>A free implementation of <a href="#SSL">SSL</a> by Eric Young (eay)
-      and others. Developed in Australia; not subject to US export
-    controls.</dd>
-  <dt><a name="static">static IP address</a></dt>
-    <dd>an IP adddress which is pre-set on the machine itself, as opposed to
-      a <a href="#dynamic">dynamic address</a> which is assigned by a <a
-      href="#DHCP">DHCP</a> server or obtained as part of the process of
-      establishing a <a href="#PPP">PPP</a> or <a href="#PPPoE">PPPoE</a>
-      connection</dd>
-  <dt><a name="stream">Stream cipher</a></dt>
-    <dd>A <a href="#symmetric">symmetric cipher</a> which produces a stream
-      of output which can be combined (often using XOR or bytewise addition)
-      with the plaintext to produce ciphertext. Contrasts with <a
-      href="#block">block cipher</a>.
-      <p><a href="#IPSEC">IPsec</a> does not use stream ciphers. Their main
-      application is link-level encryption, for example of voice, video or
-      data streams on a wire or a radio signal.</p>
-    </dd>
-  <dt><a name="subnet">subnet</a></dt>
-    <dd>A group of IP addresses which are logically one network, typically
-      (but not always) assigned to a group of physically connected machines.
-      The range of addresses in a subnet is described using a subnet mask.
-      See next entry.</dd>
-  <dt>subnet mask</dt>
-    <dd>A method of indicating the addresses included in a subnet. Here are
-      two equivalent examples:
-      <ul>
-        <li>101.101.101.0/24</li>
-        <li>101.101.101.0 with mask 255.255.255.0</li>
-      </ul>
-      <p>The '24' is shorthand for a mask with the top 24 bits one and the
-      rest zero. This is exactly the same as 255.255.255.0 which has three
-      all-ones bytes and one all-zeros byte.</p>
-      <p>These indicate that, for this range of addresses, the top 24 bits
-      are to be treated as naming a network (often referred to as "the
-      101.101.101.0/24 subnet") while most combinations of the low 8 bits can
-      be used to designate machines on that network. Two addresses are
-      reserved; 101.101.101.0 refers to the subnet rather than a specific
-      machine while 101.101.101.255 is a broadcast address. 1 to 254 are
-      available for machines.</p>
-      <p>It is common to find subnets arranged in a hierarchy. For example, a
-      large company might have a /16 subnet and allocate /24 subnets within
-      that to departments. An ISP might have a large subnet and allocate /26
-      subnets (64 addresses, 62 usable) to business customers and /29 subnets
-      (8 addresses, 6 usable) to residential clients.</p>
-    </dd>
-  <dt><a name="SWAN">S/WAN</a></dt>
-    <dd>Secure Wide Area Network, a project involving <a href="#RSAco">RSA
-      Data Security</a> and a number of other companies. The goal was to
-      ensure that all their <a href="#IPSEC">IPsec</a> implementations would
-      interoperate so that their customers can communicate with each other
-      securely.</dd>
-  <dt><a name="symmetric">Symmetric cryptography</a></dt>
-    <dd>Symmetric cryptography, also referred to as conventional or secret
-      key cryptography, relies on a <em>shared secret key</em>, identical for
-      sender and receiver. Sender encrypts with that key, receiver decrypts
-      with it. The idea is that an eavesdropper without the key be unable to
-      read the messages. There are two main types of symmetric cipher, <a
-      href="#block">block ciphers</a> and <a href="#stream">stream
-      ciphers</a>.
-      <p>Symmetric cryptography contrasts with <a href="#public">public
-      key</a> or asymmetric systems where the two players use different
-      keys.</p>
-      <p>The great difficulty in symmetric cryptography is, of course, key
-      management. Sender and receiver <em>must</em> have identical keys and
-      those keys <em>must</em> be kept secret from everyone else. Not too
-      much of a problem if only two people are involved and they can
-      conveniently meet privately or employ a trusted courier. Quite a
-      problem, though, in other circumstances.</p>
-      <p>It gets much worse if there are many people. An application might be
-      written to use only one key for communication among 100 people, for
-      example, but there would be serious problems. Do you actually trust all
-      of them that much? Do they trust each other that much? Should they?
-      What is at risk if that key is compromised? How are you  going to
-      distribute that key to everyone without risking its secrecy? What do
-      you do when one of them leaves the company? Will you even know?</p>
-      <p>On the other hand, if you need unique keys for every possible
-      connection between a group of 100, then each user must have 99 keys.
-      You need either 99*100/2 = 4950 <em>secure</em> key exchanges between
-      users or a central authority that <em>securely</em> distributes 100 key
-      packets, each with a different set of 99 keys.</p>
-      <p>Either of these is possible, though tricky, for 100 users. Either
-      becomes an administrative nightmare for larger numbers. Moreover, keys
-      <em>must</em> be changed regularly, so the problem of key distribution
-      comes up again and again. If you use the same key for many messages
-      then an attacker has more text to work with in an attempt to crack that
-      key. Moreover, one successful crack will give him or her the text of
-      all those messages.</p>
-      <p>In short, the <em>hardest part of conventional cryptography is key
-      management</em>. Today the standard solution is to build a <a
-      href="#hybrid">hybrid system</a> using <a href="#public">public key</a>
-      techniques to manage keys.</p>
-    </dd>
-  <dt><a name="T">T</a></dt>
-  <dt><a name="TIS">TIS</a></dt>
-    <dd>Trusted Information Systems, a firewall vendor now part of <a
-      href="#NAI">NAI</a>. Their Gauntlet product offers IPsec VPN services.
-      TIS implemented the first version of <a href="#SDNS">Secure DNS</a> on
-      a <a href="#DARPA">DARPA</a> contract.</dd>
-  <dt><a name="TLS">TLS</a></dt>
-    <dd><b>T</b>ransport <b>L</b>ayer <b>S</b>ecurity, a newer name for <a
-      href="#SSL">SSL</a>.</dd>
-  <dt><a name="TOS">TOS field</a></dt>
-    <dd>The <strong>T</strong>ype <strong>O</strong>f
-      <strong>S</strong>ervice field in an IP header, used to control
-      qualkity of service routing.</dd>
-  <dt><a name="traffic">Traffic analysis</a></dt>
-    <dd>Deducing useful intelligence from patterns of message traffic,
-      without breaking codes or reading the messages. In one case during
-      World War II, the British guessed an attack was coming because all
-      German radio traffic stopped. The "radio silence" order, intended to
-      preserve security, actually gave the game away.
-      <p>In an industrial espionage situation, one might deduce something
-      interesting just by knowing that company A and company B were talking,
-      especially if one were able to tell which departments were involved, or
-      if one already knew that A was looking for acquisitions and B was
-      seeking funds for expansion.</p>
-      <p>In general, traffic analysis by itself is not very useful. However,
-      in the context of a larger intelligence effort where quite a bit is
-      already known, it can be very useful. When you are solving a complex
-      puzzle, every little bit helps.</p>
-      <p><a href="#IPSEC">IPsec</a> itself does not defend against traffic
-      analysis, but carefully thought out systems using IPsec can provide at
-      least partial protection. In particular, one might want to encrypt more
-      traffic than was strictly necessary, route things in odd ways, or even
-      encrypt dummy packets, to confuse the analyst. We discuss this <a
-      href="ipsec.html#traffic.resist">here</a>.</p>
-    </dd>
-  <dt><a name="transport">Transport mode</a></dt>
-    <dd>An IPsec application in which the IPsec gateway is the destination of
-      the protected packets, a machine acts as its own gateway. Contrast with
-      <a href="#tunnel">tunnel mode</a>.</dd>
-  <dt>Triple DES</dt>
-    <dd>see <a href="#3DES">3DES</a></dd>
-  <dt><a name="TTL">TTL</a></dt>
-    <dd><strong>T</strong>ime <strong>T</strong>o <strong>L</strong>ive, used
-      to control <a href="#DNS">DNS</a> caching. Servers discard cached
-      records whose TTL expires</dd>
-  <dt><a name="tunnel">Tunnel mode</a></dt>
-    <dd>An IPsec application in which an IPsec gateway provides protection
-      for packets to and from other systems. Contrast with <a
-      href="#transport">transport mode</a>.</dd>
-  <dt><a name="2key">Two-key Triple DES</a></dt>
-    <dd>A variant of <a href="#3DES">triple DES or 3DES</a> in which only two
-      keys are used. As in the three-key version, the order of operations is
-      <a href="#EDE">EDE</a> or encrypt-decrypt-encrypt, but in the two-key
-      variant the first and third keys are the same.
-      <p>3DES with three keys has 3*56 = 168 bits of key but has only 112-bit
-      strength against a <a href="#meet">meet-in-the-middle</a> attack, so it
-      is possible that the two key version is just as strong. Last I looked,
-      this was an open question in the research literature.</p>
-      <p>RFC 2451 defines triple DES for <a href="#IPSEC">IPsec</a> as the
-      three-key variant. The two-key variant should not be used and is not
-      implemented directly in <a href="#FreeSWAN">Linux FreeS/WAN</a>. It
-      cannot be used in automatically keyed mode without major fiddles in the
-      source code. For manually keyed connections, you could make Linux
-      FreeS/WAN talk to a two-key implementation by setting two keys the same
-      in /etc/ipsec.conf.</p>
-    </dd>
-  <dt><a name="U">U</a></dt>
-  <dt><a name="V">V</a></dt>
-  <dt><a name="virtual">Virtual Interface</a></dt>
-    <dd>A <a href="#Linux">Linux</a> feature which allows one physical
-      network interface to have two or more IP addresses. See the <cite>Linux
-      Network Administrator's Guide</cite> in <a
-      href="biblio.html#kirch">book form</a> or <a
-      href="http://metalab.unc.edu/LDP/LDP/nag/node1.html">on the web</a> for
-      details.</dd>
-  <dt>Virtual Private Network</dt>
-    <dd>see <a href="#VPN">VPN</a></dd>
-  <dt><a name="VPN">VPN</a></dt>
-    <dd><b>V</b>irtual <b>P</b>rivate <b>N</b>etwork, a network which can
-      safely be used as if it were private, even though some of its
-      communication uses insecure connections. All traffic on those
-      connections is encrypted.
-      <p><a href="#IPSEC">IPsec</a> is not the only technique available for
-      building VPNs, but it is the only method defined by <a
-      href="#RFC">RFCs</a> and supported by many vendors. VPNs are by no
-      means the only thing you can do with IPsec, but they may be the most
-      important application for many users.</p>
-    </dd>
-  <dt><a name="VPNC">VPNC</a></dt>
-    <dd><a href="http://www.vpnc.org">Virtual Private Network Consortium</a>,
-      an association of vendors of VPN products.</dd>
-  <dt><a name="W">W</a></dt>
-  <dt><a name="Wassenaar.gloss">Wassenaar Arrangement</a></dt>
-    <dd>An international agreement restricting export of munitions and other
-      tools of war. Unfortunately, cryptographic software is also restricted
-      under the current version of the agreement. <a
-      href="politics.html#Wassenaar">Discussion</a>.</dd>
-  <dt><a name="web">Web of Trust</a></dt>
-    <dd><a href="#PGP">PGP</a>'s method of certifying keys. Any user can sign
-      a key; you decide which signatures or combinations of signatures to
-      accept as certification. This contrasts with the hierarchy of <a
-      href="#CA">CAs (Certification Authorities)</a> used in many <a
-      href="#PKI">PKIs (Public Key Infrastructures)</a>.
-      <p>See <a href="#GTR">Global Trust Register</a> for an interesting
-      addition to the web of trust.</p>
-    </dd>
-  <dt><a name="WEP">WEP (Wired Equivalent Privacy)</a></dt>
-    <dd>The cryptographic part of the <a href="#IEEE">IEEE</a> standard for
-      wireless LANs. As the name suggests, this is designed to be only as
-      secure as a normal wired ethernet. Anyone with a network conection can
-      tap it. Its advocates would claim this is good design, refusing to
-      build in complex features beyond the actual requirements.
-      <p>Critics refer to WEP as "Wire<em>tap</em> Equivalent Privacy", and
-      consider it a horribly flawed design based on bogus "requirements". You
-      do not control radio waves as you might control your wires, so the
-      metaphor in the rationale is utterly inapplicable. A security policy
-      that chooses not to invest resources in protecting against certain
-      attacks which can only be conducted by people physically plugged into
-      your LAN may or may not be reasonable. The same policy is completely
-      unreasonable when someone can "plug in" from a laptop half a block
-      away..</p>
-      <p>There has been considerable analysis indicating that WEP is
-      seriously flawed. A FAQ on attacks against WEP is available. Part of it
-      reads:</p>
-
-      <blockquote>
-        ... attacks are practical to mount using only inexpensive
-        off-the-shelf equipment. We recommend that anyone using an 802.11
-        wireless network not rely on WEP for security, and employ other
-        security measures to protect their wireless network. Note that our
-        attacks apply to both 40-bit and the so-called 128-bit versions of
-        WEP equally well.</blockquote>
-      <p>WEP appears to be yet another instance of governments, and
-      unfortunately some vendors and standards bodies, deliberately promoting
-      hopelessly flawed "security" products, apparently mainly for the
-      benefit of eavesdropping agencies. See this <a
-      href="politics.html#weak">discussion</a>.</p>
-    </dd>
-  <dt><a name="X">X</a></dt>
-  <dt><a name="X509">X.509</a></dt>
-    <dd>A standard from the <a href="http://www.itu.int">ITU (International
-      Telecommunication Union)</a>, for hierarchical directories with
-      authentication services, used in many <a href="#PKI">PKI</a>
-      implementations.
-      <p>Use of X.509 services, via the <a href="#LDAP">LDAP protocol</a>,
-      for certification of keys is allowed but not required by the <a
-      href="#IPSEC">IPsec</a> RFCs. It is not yet implemented in <a
-      href="#FreeSWAN">Linux FreeS/WAN</a>.</p>
-    </dd>
-  <dt>Xedia</dt>
-    <dd>A vendor of router and Internet access products, now part of Lucent.
-      Their QVPN products interoperate with Linux FreeS/WAN; see our <a
-      href="interop.html#Xedia">interop document</a>.</dd>
-  <dt><a name="Y">Y</a></dt>
-  <dt><a name="Z">Z</a></dt>
-</dl>
-</body>
-</html>
diff --git a/doc/src/index.html b/doc/src/index.html
deleted file mode 100644
index e2530d711..000000000
--- a/doc/src/index.html
+++ /dev/null
@@ -1,55 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN index</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, encryption, cryptography, FreeS/WAN, FreeSWAN">
-  <!--
-
-  Written by Claudia Schmeing for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: index.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1>FreeS/WAN documentation</h1>
-
-<ul>
-  <li><a href="intro.html">Introduction</a></li>
-  <li><a href="upgrading.html">Upgrading to 2.x</a></li>
-</ul>
-
-<ul> 
-  <li><a href="quickstart.html">Quickstart guide to Opportunistic Encryption</a></li>
-  <li><a href="install.html">Installing</a></li>
-  <li><a href="config.html">Configuring</a></li>
-  <li><a href="policygroups.html">Policy Groups</a> 
-                   </li>
-  <li><a href="interop.html">Interoperating</a> 
-<FONT COLOR="#FF0000">New and improved!</FONT></li>
-  <li><a href="faq.html">FAQ</a></li>
-  <li><a href="trouble.html">Troubleshooting and problem reporting</a></li>
-</ul>
-
-<ul>
-  <li><a href="toc.html">Full table of contents, with much more</a></li>
-  <li><a href="HowTo.html">All our docs as one big file</a></li>
-</ul>  
-
-<p>For technical support and other questions, use our <a
-href="mail.html">mailing lists</a>.</p>
-
-<pre>        This index last changed:    $Date: 2004/03/15 20:35:24 $</pre>
-
-</body>
-</html>
diff --git a/doc/src/initiatorstate.txt b/doc/src/initiatorstate.txt
deleted file mode 100644
index 315f6da4c..000000000
--- a/doc/src/initiatorstate.txt
+++ /dev/null
@@ -1,66 +0,0 @@
-
-                       |
-	               | PF_ACQUIRE
-		       |     
-                       V
-                .---------------.       
-                |  non-existant |
-                |  connection   |
-                `---------------'
-                 |      |      |
-          send   ,      |      \
-expired   pass  /       |       \ send
-conn.     msg  /        |        \ deny
-  ^           /         |         \ msg
-  |          V          | do       \ 		 
-.---------------.       | DNS       \   .---------------.  
-|  clear-text   |	| lookup     `->|     deny      |---> expired
-|  connection   |	| for 	        |  connection   |     connection
-`---------------'	| destination   `---------------'
-   ^ ^                  |                   ^
-   | | no record        |                   |
-   | | OE-permissive    V                   | no record
-   | |            .---------------.         | OE-paranoid
-   | `------------|  potential OE |---------'
-   |              |  connection   |         ^
-   |              `---------------'         |
-   |                    |                   |
-   |                    | got TXT record    | DNSSEC failure
-   |                    | reply             |
-   |                    V                   | wrong 
-   |              .---------------.         | failure
-   |              |  authenticate |---------'
-   |              | & parse TXT RR|         ^
-   | repeated     `---------------'         |
-   | ICMP               |                   |
-   | failures           | initiate IKE to   |                         
-   | (short-timeout)    | responder         |                         
-   |                    V                   |                          
-   | phase-2      .---------------.         | failure                       
-   | failure      |   pending     |---------'                          
-   | (normal      |     OE        |         ^                          
-   |  timeout)    |               |invalid  | phase-2 failure (short-timeout)
-   |              |               |<--.SPI  | ICMP failures (normal timeout)
-   |              |               |   |     |                          
-   |              | +=======+     |---'     |                          
-   |              | |  IKE  |     |   ^     |                          
-   `--------------| | states|---------------'                          
-                  | +=======+     |   |                                
-                  `---------------'   |                                
-                        |             | invalid SPI                    
-                        |             |                                
-	                V             | rekey time                     
-                  .--------------.    |                                
-                  |   keyed      |<---|-------------------------------.
-                  |  connection  |----'                               |
-                  `--------------'                                    |
-                        |                                             |
-                        |                                             |
-                        V                                             |
-                  .--------------.     connection still active        |
-  clear-text----->|   expired    |------------------------------------'
-        deny----->|  connection  |
-                  `--------------'
-
-
-$Id: initiatorstate.txt,v 1.1 2004/03/15 20:35:24 as Exp $
diff --git a/doc/src/install.html b/doc/src/install.html
deleted file mode 100644
index 09d7c5a67..000000000
--- a/doc/src/install.html
+++ /dev/null
@@ -1,378 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>Installing FreeS/WAN</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, installation, quickstart">
-  <!--
-
-  Written by Claudia Schmeing for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: install.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-<BODY>
-<H1><A name="install">Installing FreeS/WAN</A></H1>
-
-<P>This document will teach you how to install Linux FreeS/WAN. 
-If your distribution comes with Linux FreeS/WAN, we offer
- tips to get you started.</P>
-
-<H2>Requirements</H2>
-
-<P>To install FreeS/WAN you must:</P>
-<UL>
-<LI>be running Linux with the 2.4 or 2.2 kernel series. See 
-this <A HREF="http://www.freeswan.ca/download.php#contact">kernel 
-compatibility table</A>.<BR>We also have experimental support for 
-2.6 kernels. Here are two basic approaches:
-<UL><LI>
-install FreeS/WAN, including its <A HREF="ipsec.html#parts">KLIPS</A>
-kernel code. This will remove the native IPsec stack and replace it
-with KLIPS.</LI>
-<LI>
-install the FreeS/WAN <A HREF="ipsec.html#parts">userland tools</A> 
-(keying daemon and supporting 
-scripts) for use with 
-<A HREF="http://lartc.org/howto/lartc.ipsec.html">2.6 kernel native IPsec</A>,
-</LI>
-</UL>
-See also these <A HREF="2.6.known-issues">known issues with 2.6</A>.
-<LI>have root access to your Linux box</LI>
-<LI>choose the version of FreeS/WAN you wish to install based on
-<A HREF="http://www.freeswan.org/mail.html">mailing list reports</A> <!-- or 
-our updates page (coming soon)--></LI>
-</UL>
-
-<H2>Choose your install method</H2>
-
-<P>There are three basic ways to get FreeS/WAN onto your system:</P>
-<UL>
-<LI>activating and testing a FreeS/WAN that <A HREF="#distroinstall">shipped 
-with your Linux distribution</A></LI>
-<LI><A HREF="#rpminstall">RPM install</A></LI>
-<LI><A HREF="#srcinstall">Install from source</A></LI>
-</UL>
-
-<A NAME="distroinstall"></A><H2>FreeS/WAN ships with some Linuxes</H2>
-
-<P>FreeS/WAN comes with <A HREF="intro.html#distwith">these distributions</A>.
-
-<P>If you're running one of these, include FreeS/WAN in the choices you 
-make during installation, or add it later using the distribution's tools.
-</P>
-
-<H3>FreeS/WAN may be altered...</H3>
-<P>Your distribution may have integrated extra features, such as Andreas
-Steffen's X.509 patch, into FreeS/WAN. It may also use custom
-startup script locations or directory names.</P>
-
-<H3>You might need to create an authentication keypair</H3>
-
-<P>If your FreeS/WAN came with your distribution, you may wish to
- generate a fresh RSA key pair. FreeS/WAN will use these keys
- for authentication.
-
-<P>
-To do this, become root, and type:
-</P>
-
-<PRE>    ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com
-    chmod 600 /etc/ipsec.secrets</PRE>
-
-<P>where you replace xy.example.com with your machine's fully-qualified 
-domain name. Generate some randomness, for example by wiggling your mouse, 
-to speed the process.
-</P>
-
-<P>The resulting ipsec.secrets looks like:</P>
-<PRE>: RSA   {
-        # RSA 2192 bits   xy.example.com   Sun Jun 8 13:42:19 2003
-        # for signatures only, UNSAFE FOR ENCRYPTION
-        #pubkey=0sAQOFppfeE3cC7wqJi...
-        Modulus: 0x85a697de137702ef0...
-        # everything after this point is secret
-        PrivateExponent: 0x16466ea5033e807...
-        Prime1: 0xdfb5003c8947b7cc88759065...
-        Prime2: 0x98f199b9149fde11ec956c814...
-        Exponent1: 0x9523557db0da7a885af90aee...
-        Exponent2: 0x65f6667b63153eb69db8f300dbb...
-        Coefficient: 0x90ad00415d3ca17bebff123413fc518...
-        }
-# do not change the indenting of that "}"</PRE>
-
-<P>In the actual file, the strings are much longer.</P>
-
-
-<H3>Start and test FreeS/WAN</H3>
-
-<P>You can now <A HREF="install.html#starttest">start FreeS/WAN and 
-test whether it's been successfully installed.</A>.</P>
-
-
-<A NAME="rpminstall"></A><H2>RPM install</H2>
-
-<P>These instructions are for a recent Red Hat with a stock Red Hat kernel.
-We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If you're 
-running either, install using your distribution's tools.</P>
- 
-<H3>Download RPMs</H3>
-
-<P>Decide which functionality you need:</P>
-<UL>
-<LI>standard FreeS/WAN RPMs. Use these shortcuts:<BR>
-<UL>
-<LI>(for 2.6 kernels: userland only)<BR>
-ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/\*userland*</LI>
-
-<LI>(for 2.4 kernels)<BR>
-ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r | tr -d 'a-wy-z'`/\*</LI>
-<LI>
-or view all the offerings at our
-<A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs">FTP site</A>.
-</LI></UL>
-</LI>
-<LI>unofficial
-<A href="http://www.freeswan.ca/download.php">Super FreeS/WAN</A> 
-RPMs, which include Andreas Steffen's X.509 patch and more. 
-Super FreeS/WAN RPMs do not currently include 
-<A HREF="glossary.html#NAT.gloss">Network Address Translation</A>
-(NAT) traversal, but Super FreeS/WAN source does.</LI>
-</UL>
-
-<A NAME="2.6.rpm"></A>
-<P>For 2.6 kernels, get the latest FreeS/WAN userland RPM, for example:</P>
-<PRE>    freeswan-userland-2.04.9-0.i386.rpm</PRE>
-
-<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see 
-<A HREf="2.6.known-issues">2.6.known-issues</A>, and the latest
-<A HREF="http://www.freeswan.org/mail.html">mailing list reports</A>.</P>                                                                                
-<P>Change to your new FreeS/WAN directory, and make and install the 
-
-<P>For 2.4 kernels, get both kernel and userland RPMs.
-Check your kernel version with</P>
-<PRE>    uname -r</PRE>
-
-<P>Get a kernel module which matches that version. For example:</P>
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<P>Note: These modules 
-<B>will only work on the Red Hat kernel they were built for</B>,
-since they are very sensitive to small changes in the kernel.</P>
-
-
-<P>Get FreeS/WAN utilities to match. For example:</P>
-<PRE>    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-
-
-<H3>For freeswan.org RPMs: check signatures</H3>
-
-<P>While you're at our ftp site, grab the RPM signing key</P>
-<PRE>    freeswan-rpmsign.asc</PRE>
-
-<P>If you're running RedHat 8.x or later, import this key into the RPM 
-database:</P>
-<PRE>    rpm --import freeswan-rpmsign.asc</PRE>
- 
-<P>For RedHat 7.x systems, you'll need to add it to your 
-<A HREF="glossary.html#PGP">PGP</A> keyring:</P>
-<PRE>    pgp -ka freeswan-rpmsign.asc</PRE>
-
-
-<P>Check the digital signatures on both RPMs using:</P>
-<PRE>    rpm --checksig freeswan*.rpm </PRE>
-
-<P>You should see that these signatures are good:</P>
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK
-    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK</PRE>
-
-
-<H3>Install the RPMs</H3>
-
-<P>Become root:</P>
-<PRE>    su</PRE>
-
-<P>For a first time install, use:</P>
-<PRE>    rpm -ivh freeswan*.rpm</PRE>
-
-<P>To upgrade existing RPMs (and keep all .conf files in place), use:</P>
-<PRE>    rpm -Uvh freeswan*.rpm</PRE>
-
-<P>If you're upgrading from FreeS/WAN 1.x to 2.x RPMs, and encounter problems,
-see <A HREF="upgrading.html#upgrading.rpms">this note</A>.</P>
-
-
-<H3>Start and Test FreeS/WAN</H3>
-
-<P>Now, <A HREF="install.html#starttest">start FreeS/WAN and test your 
-install</A>.</P>
-
-
-<A NAME="srcinstall"></A><H2>Install from Source</H2>
-<!-- Most of this section, along with "Start and Test", can replace 
-INSTALL. -->
-
-<H3>Decide what functionality you need</H3>
-
-<P>Your choices are:</P>
-<UL>
-<LI><A HREF="ftp://ftp.xs4all.nl/pub/crypto/freeswan">standard 
-FreeS/WAN</A>,</LI>
-<LI>standard FreeS/WAN plus any of these
- <A HREF="web.html#patch">user-supported patches</A>, or</LI>
-<LI><A HREF="http://www.freeswan.ca/download">Super FreeS/WAN</A>,
-an unofficial FreeS/WAN pre-patched with many of the above. Provides 
-additional algorithms, X.509, SA deletion, dead peer detection, and 
-<A HREF="glossary.html#NAT.gloss">Network Address Translation</A>
-(NAT) traversal.</LI>
-</UL>
-
-<H3>Download FreeS/WAN</H3>
-
-<P>Download the source tarball you've chosen, along with any patches.</P>
-
-<H3>For freeswan.org source: check its signature</H3>
-
-<P>While you're at our ftp site, get our source signing key</P>
-<PRE>    freeswan-sigkey.asc</PRE>
-
-<P>Add it to your PGP keyring:</P>
-<PRE>    pgp -ka freeswan-sigkey.asc</PRE>
-
-
-<P>Check the signature using:</P>
-<PRE>    pgp freeswan-2.04.tar.gz.sig freeswan-2.04.tar.gz</PRE>
-<P>You should see something like:</P>
-<PRE>    Good signature from user "Linux FreeS/WAN Software Team (build@freeswan.org)".
-    Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1</PRE>
-<!-- Note to self: build@freeswan.org has angled brackets in the original.
-     Changed because it conflicts with HTML tags. -->
-
-<H3>Untar, unzip</H3>
-
-<P>As root, unpack your FreeS/WAN source into <VAR>/usr/src</VAR>.</P>
-<PRE>    su
-    mv freeswan-2.04.tar.gz /usr/src
-    cd /usr/src
-    tar -xzf freeswan-2.04.tar.gz
-</PRE>
-
-<H3>Patch if desired</H3>
-
-<P>Now's the time to add any patches. The contributor may have special 
-instructions, or you may simply use the patch command.</P>
-
-<H3>... and Make</H3>
-
-<P>Choose one of the methods below.</P>
-
-<H4>Userland-only Install for 2.6 kernels</H4>
-<A NAME="2.6.src"></A>
-
-<P>Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see 
-<A HREf="2.6.known-issues">2.6.known-issues</A>, and the latest
-<A HREF="http://www.freeswan.org/mail.html">mailing list reports</A>.</P>                                                                                
-<P>Change to your new FreeS/WAN directory, and make and install the 
-FreeS/WAN userland tools.</P>
-<PRE>    cd /usr/src/freeswan-2.04
-    make programs
-    make install</PRE>
-                                                                                
-<P>Now, <A HREF="install.html#starttest">start FreeS/WAN and
-test your install</A>.</P>
-
-
-
-<H4>KLIPS install for 2.2, 2.4, or 2.6 kernels</H4>
-
-<A NAME="modinstall"></A>
-
-<P>To make a modular version of KLIPS, along with other FreeS/WAN programs 
-you'll need, use the command sequence below. This will
-change to your new FreeS/WAN directory, make the FreeS/WAN module (and other
-stuff), and install it all.</P>
-<PRE>    cd /usr/src/freeswan-2.04
-    make oldmod
-    make minstall</PRE>
- 
-<P><A HREF="install.html#starttest">Start FreeS/WAN and 
-test your install</A>.</P>
-
-
-
-<P>To link KLIPS statically into your kernel (using your old kernel settings), 
-and install other FreeS/WAN components, do:
-</P>
-<PRE>    cd /usr/src/freeswan-2.04
-    make oldmod
-    make minstall</PRE>
-
-
-<P>Reboot your system and <A HREF="install.html#testonly">test your 
-install</A>.</P>
-
-<P>For other ways to compile KLIPS, see our Makefile.</P>
-
-
-
-<A name="starttest"></A><H2>Start FreeS/WAN and test your install</H2>
-
-<P>Bring FreeS/WAN up with:</P>
-<PRE>    service ipsec start</PRE>
-
-<P>This is not necessary if you've rebooted.</P>
-
-<A name="testonly"></A><H2>Test your install</H2>
-
-<P>To check that you have a successful install, run:</P>
-<PRE>    ipsec verify</PRE>
-
-<P>You should see at least:</P>
-<PRE>
-    Checking your system to see if IPsec got installed and started correctly
-    Version check and ipsec on-path                             [OK]
-    Checking for KLIPS support in kernel                        [OK]
-    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
-    Checking that pluto is running                              [OK]
-</PRE>
-
-<P>If any of these first four checks fails, see our 
-<A href="trouble.html#install.check">troubleshooting guide</A>.
-</P>
-
-
-<H2>Making FreeS/WAN play well with others</H2>
-
-<P>There are at least a couple of things on your system that might 
-interfere with FreeS/WAN, and now's a good time to check these:</P>
-<UL>
-  <LI>Firewalling. You need to allow UDP 500 through your firewall, plus 
- ESP (protocol 50) and AH (protocol 51). For more information, see our
-  updated firewalls document (coming soon).
- </LI>
-  <LI>Network address translation. 
-Do not NAT the packets you will be tunneling.</LI>
-</UL>
-
-
-<H2>Configure for your needs</H2>
-
-<P>You'll need to configure FreeS/WAN for your local site. Have a look at our 
-<A HREF="quickstart.html">opportunism quickstart guide</A> to see if that
-easy method is right for your needs. Or, see how to <A HREF="config.html">
-configure a network-to-network or Road Warrior style VPN</A>.
-</P>
-
-
-
-
-</BODY>
-</HTML>
diff --git a/doc/src/interop.html b/doc/src/interop.html
deleted file mode 100644
index dd4f8c577..000000000
--- a/doc/src/interop.html
+++ /dev/null
@@ -1,1802 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN interoperation Grid</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, interoperation">
-  <!--
-
-  Written by Claudia Schmeing for the Linux FreeS/WAN project
-  With notes from Sandy Harris.
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: interop.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<A NAME="interop"></A><H1>Interoperating with FreeS/WAN</H1>
-
-
-<P>The FreeS/WAN project needs you! We rely on the user community to keep
-up to date. Mail users@lists.freeswan.org with your
-interop success stories.</P>
-
-<P><STRONG>Please note</STRONG>: Most of our interop examples feature 
-Linux FreeS/WAN 1.x config files. You can convert them to 2.x files fairly 
-easily with the patch in our 
-<A HREF="upgrading.html#ipsec.conf_v2">Upgrading Guide</A>.
-</P>
-
-<H2>Interop at a Glance</H2>
-
-
-
-<TABLE BORDER="1">
-
-<TR>
-<TD>&nbsp;</TD>
-<TD colspan="5">FreeS/WAN VPN</TD>
-<TD>Road Warrior</TD>
-<TD>OE</TD>
-</TR>
-
-<TR>
-<TD>&nbsp;</TD>
-<TD>PSK</TD>
-<TD>RSA Secret</TD>
-<TD>X.509<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD>
-<TD>NAT-Traversal<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD>
-<TD>Manual<BR>Keying</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-</TR>
-
-
-<TR><TD colspan="8">More Compatible</TD></TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#freeswan">FreeS/WAN</A>
-<A NAME="freeswan.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#isakmpd">isakmpd (OpenBSD)</A>
-<A NAME="isakmpd.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No&nbsp;&nbsp;&nbsp;&nbsp;</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#kame">Kame (FreeBSD,
-<BR>NetBSD, MacOSX)
-<BR> <SMALL>aka racoon</SMALL></A>
-<A NAME="kame.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#mcafee">McAfee VPN<BR><SMALL>was PGPNet</SMALL></A>
-<A NAME="mcafee.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#microsoft">Microsoft <BR>Windows 2000/XP</A>
-<A NAME="microsoft.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-<TR>
-<TD><A HREF="#ssh">SSH Sentinel</A>
-<A NAME="ssh.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#safenet">Safenet SoftPK<BR>/SoftRemote</A>
-<A NAME="safenet.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-<TR><TD colspan="8">Other</TD></TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#6wind">6Wind</A>
-<A NAME="6wind.top">&nbsp;</A></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#alcatel">Alcatel Timestep</A>
-<A NAME="alcatel.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#apple">Apple Macintosh<br>System 10+</A>
-<A NAME="apple.top">&nbsp;</A></TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#ashleylaurent">AshleyLaurent <BR>VPCom</A>
-<A NAME="ashleylaurent.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#borderware">Borderware</A>
-<A NAME="borderware.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-<!--
-http://www.cequrux.com/vpn-guides.php3
-"coming soon" guide to connect with FreeS/WAN.
--->
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#checkpoint">Check Point FW-1/VPN-1</A>
-<A NAME="checkpoint.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#cisco">Cisco with 3DES</A>
-<A NAME="cisco.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#equinux">Equinux VPN Tracker <BR>
-(for Mac OS X)
-</A>
-<A NAME="equinux.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#fsecure">F-Secure</A>
-<A NAME="fsecure.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#gauntlet">Gauntlet GVPN</A>
-<A NAME="gauntlet.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#aix">IBM AIX</A>
-<A NAME="aix.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#as400">IBM AS/400</A>
-<A NAME="as400">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#intel">Intel Shiva<BR>LANRover/Net Structure</A>
-<A NAME="intel.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#lancom">LanCom (formerly ELSA)</A>
-<A NAME="lancom.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#linksys">Linksys</A>
-<A NAME="linksys.top">&nbsp;</A></TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#lucent">Lucent</A>
-<A NAME="lucent.top">&nbsp;</A></TD>
-<TD><FONT color="#cccc00">Partial</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#netasq">Netasq</A>
-<A NAME="netasq.top">&nbsp;</A></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#netcelo">netcelo</A>
-<A NAME="netcelo.top">&nbsp;</A></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#netgear">Netgear fvs318</A>
-<A NAME="netgear.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#netscreen">Netscreen 100<BR>or 5xp</A>
-<A NAME="netscreen.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#nortel">Nortel Contivity</A>
-<A NAME="nortel.top">&nbsp;</A></TD>
-<TD><FONT color="#cccc00">Partial</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#radguard">RadGuard</A>
-<A NAME="radguard.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#raptor">Raptor</A>
-<A NAME="raptor">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#redcreek">Redcreek Ravlin</A>
-<A NAME="redcreek.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT><FONT color="#cccc00">/Partial</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#sonicwall">SonicWall</A>
-<A NAME="sonicwall.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#sun">Sun Solaris</A>
-<A NAME="sun.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#symantec">Symantec</A>
-<A NAME="symantec.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#watchguard">Watchguard <BR>Firebox</A>
-<A NAME="watchguard.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#xedia">Xedia Access Point<BR>/QVPN</A>
-<A NAME="xedia.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-<TR>
-<TD><A HREF="#zyxel">Zyxel Zywall<BR>/Prestige</A>
-<A NAME="zyxel.top">&nbsp;</A></TD>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE
-
-
-<TR>
-<TD><A HREF="#sample">sample</A></TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-<TD><FONT color="#cc0000">No</FONT></TD>
-</TR>
-
--->
-
-<TR>
-<TD>&nbsp;</TD>
-<TD>PSK</TD>
-<TD>RSA Secret</TD>
-<TD>X.509<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD>
-<TD>NAT-Traversal<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD>
-<TD>Manual<BR>Keying</TD>
-<TD>&nbsp;</TD>
-<TD>&nbsp;</TD>
-</TR>
-
-<TR>
-<TD>&nbsp;</TD>
-<TD colspan="5">FreeS/WAN VPN</TD>
-<TD>Road Warrior</TD>
-<TD>OE</TD>
-</TR>
-
-
-
-<!-- PSK  RSA  X.509  NAT-T  Manual  RW  OE -->
-
-</TABLE>
-
-
-
-
-<H3>Key</H3>
-<TABLE BORDER="1">
-
-<TR>
-<TD><FONT color="#00cc00">Yes</FONT></TD>
-<TD>People report that this works for them.</TD>
-</TR>
-
-<TR>
-<TD>[Blank]</TD>
-<TD>We don't know.</TD>
-</TR>
-
-<TR>
-<TD><FONT color="#cc0000">No</FONT></TD>
-<TD>We have reason to believe
-it was, at some point, not possible to get this to work.</TD>
-</TR>
-
-<TR>
-<TD><FONT color="#cccc00">Partial</FONT></TD>
-<TD>Partial success. For example, a connection can be 
-created from one end only.</TD>
-</TR>
-
-<TR>
-<TD><FONT color="#00cc00">Yes</FONT><FONT color="#cccc00">/Partial</FONT></TD>
-<TD>Mixed reports.</TD>
-</TR>
-
-
-<TR>
-<TD><FONT color="#cccc00">Maybe</FONT></TD>
-<TD>We think the answer is "yes", but need confirmation.</TD>
-</TR>
-
-
-</TABLE>
-
-<A NAME="interoprules"></A><h2>Basic Interop Rules</h2>
-
-<P>Vanilla
-FreeS/WAN implements <A HREF="compat.html#compat">these parts</A> of the
-IPSec specifications. You can add more with 
-<A HREF="http://www.freeswan.ca">Super FreeS/WAN</A>, 
-but what we offer may be enough for many users.</P>
-<UL>
-<LI>
-To use X.509 certificates with FreeS/WAN, you will need 
-the <A HREF="http://www.strongsec.org/freeswan">X.509 patch</a> 
-or <A HREF="http://www.freeswan.ca">Super FreeS/WAN</A>,
-which includes that patch.</LI>
-<LI>
-To use 
-<A HREF="glossary.html#NAT.gloss">Network Address Translation</A> 
-(NAT) traversal
-with FreeS/WAN, you will need Arkoon Network Security's
-<A HREF="http://open-source.arkoon.net">NAT traversal patch</A>
-or <A HREF="http://www.freeswan.ca">Super FreeS/WAN</A>, which includes it.
-</LI>
-</UL>
-
-
-<P>We offer a set of proposals which is not user-adjustable, but covers
-all combinations that we can offer.
-FreeS/WAN always proposes triple DES encryption and
-Perfect Forward Secrecy (PFS).
-In addition, we propose Diffie Hellman groups 5 and 2 
-(in that order), and MD5 and SHA-1 hashes.
-We accept the same proposals, in the same order of preference. 
-</P>
-
-<P>Other interop notes:</P>
-<UL>
-<LI>
-A <A HREF="http://lists.freeswan.org/archives/users/2003-September/msg00462.html">SHA-1 
-bug in FreeS/WAN 2.00, 2.01 and 2.02</A> may affect some
-interop scenarios. It does not affect 1.x versions, and is fixed in 2.03 and
-later.
-</LI>
-<LI>
-Some other implementations will close a connection with FreeS/WAN
-after some time. This may be a problem with rekey lifetimes. Please see
-<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html">
-this tip</A> and 
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-December/005758.html">
-this workaround</A>.
-</LI>
-</UL>
-
-<H2>Longer Stories</H2>
-
-
-<H3>For <EM>More Compatible</EM> Implementations</H3>
-
-
-<H4><A NAME="freeswan">FreeS/WAN</A></H4>
-
-<P>
-See our documentation at <A HREF="http://www.freeswan.org">freeswan.org</A>
-and the Super FreeS/WAN docs at 
-<A HREF="http://www.freeswan.ca">freeswan.ca</A>.
-Some user-written HOWTOs for FreeS/WAN-FreeS/WAN connections
-are listed in <A HREF="intro.html#howto">our Introduction</A>.
-</P>
-
-<P>See also:</P>
-
-<UL>
-<LI>
-<A HREF="http://lugbe.ch/action/reports/ipsec_htbe.phtml">A German FreeS/WAN-FreeS/WAN page by Markus Wernig (X.509)</A>
-</LI>
-</UL>
-
-
-<P><A HREF="#freeswan.top">Back to chart</A></P>
-
-
-<H4><A NAME="isakmpd">isakmpd (OpenBSD)</A></H4>
-
-<P><A HREF="http://www.openbsd.org/faq/faq13.html">OpenBSD FAQ: Using IPsec</A><BR>
-<A HREF="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html">Hans-Joerg Hoexer's interop Linux-OpenBSD (PSK)</A><BR>
-<A HREF="http://www.segfault.net/ipsec/">Skyper's configuration (PSK)</A>
-<BR>
-<A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
-French page with configs (X.509)</A>
-
-
-</P>
-
-<P><A HREF="#isakmpd.top">Back to chart</A></P>
-
-
-<H4><A NAME="kame">Kame</A></H4>
-
-<UL>
-<LI>For FreeBSD and NetBSD. Ships with Mac OS X; see also our
-<A HREF="#apple">Mac</A> section.</LI>
-<LI>Also known as <EM>racoon</EM>, its keying daemon.</LI>
-</UL>
-
-<P><A HREF="http://www.kame.net">Kame homepage, with FAQ</A><BR>
-<A HREF="http://www.netbsd.org/Documentation/network/ipsec">NetBSD's IPSec FAQ</A><BR>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00560.html">Ghislaine's post explaining some interop peculiarities</A>
-</P>
-<P>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/09/msg00511.html">Itojun's Kame-FreeS/WAN interop tips (PSK)</A><BR>
-<A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2000">Ghislaine Labouret's French page with links to matching FreeS/WAN and Kame configs (RSA)</A><BR>
-<A HREF="http://lugbe.ch/lostfound/contrib/freebsd_router/">Markus Wernig's
-HOWTO (X.509, BSD gateway)</A><BR>
-<A HREF="http://web.morgul.net/~frodo/docs/kame+freeswan_interop.html">Frodo's Kame-FreeS/WAN interop (X.509)</A><BR>
-<A HREF="http://www.wavesec.org/kame.phtml">Kame as a WAVEsec client.</A>
-</P>
-
-<P><A HREF="#kame.top">Back to chart</A></P>
-
-
-<H4><A NAME="mcafee">PGPNet/McAfee</A></H4>
-
-<P>
-<UL>
-<LI>Now called McAfee VPN Client.</LI>
-<LI>PGPNet also came in a freeware version which did not support subnets</LI>
-<LI>To support dhcp-over-ipsec, you need the X.509 patch, which is included in
-<A HREF="http://www.freeswan.ca">Super FreeS/WAN</A>.
-</LI>
-</UL>
-<P>
-<A HREF="http://www.freeswan.ca/docs/WindowsInterop">Tim Carr's Windows Interop Guide (X.509)</A><BR>
-<A HREF="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html#Interop2"
->Hans-Joerg Hoexer's Guide for Linux-PGPNet (PSK)</A><BR>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/04/msg00339.html">Kai Martius' instructions using RSA Key-Extractor Tool (RSA)</A><BR>
-&nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://www.zengl.net/freeswan/english.html">Christian Zeng's page (RSA)</A> based on Kai's work. English or German.<BR>
-<A HREF="http://tirnanog.ls.fi.upm.es/CriptoLab/Biblioteca/InfTech/InfTech_CriptoLab.htm">
-Oscar Delgado's PDF (X.509, no configs)</A><BR>
-<A HREF="http://www-ec.njit.edu/~rxt1077/Howto.txt">Ryan's HOWTO for FreeS/WAN-PGPNet (X.509)</A>. Through a Linksys Router with IPsec Passthru enabled.<BR>
-<A HREF="http://jixen.tripod.com/#RW-PGP-to-Fwan">Jean-Francois Nadeau's Practical Configuration (Road Warrior with PSK)</A><BR>
-<A HREF="http://www.evolvedatacom.nl/freeswan.html#toc">Wouter Prins' HOWTO (Road Warrior with X.509)</A><BR>
-</P>
-<P>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/01/msg00271.html">Rekeying problem with FreeS/WAN and older PGPNets</A><BR>
-</P>
-
-<P><A HREF="http://www.strongsec.com/freeswan/dhcprelay/index.htm">
-DHCP over IPSEC HOWTO for FreeS/WAN (requires X.509 and dhcprelay patches)
-</A>
-</P>
-
-<P><A HREF="#mcafee.top">Back to chart</A></P>
-
-
-<H4><A NAME="microsoft">Microsoft Windows 2000/XP</A></H4>
-
-<UL>
-<LI>IPsec comes with Win2k, and with XP Support Tools. May require
-<A HREF="http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp"> High Encryption Pack</A>. WinXP users have also reported better
-results with Service Pack 1.</LI>
-<LI>The Road Warrior setup works either way round. Windows (XP or 2K) IPsec
-can connect as a Road Warrior to FreeS/WAN. 
-However, FreeS/WAN can also successfully connect as a Road 
-Warrior to Windows IPsec (see Nate Carlson's configs below).</LI>
-<LI>FreeS/WAN version 1.92 or later is required to avoid an interoperation
-problem with Windows native IPsec. Earlier FreeS/WAN versions 
-did not process the Commit Bit as Windows native IPsec expected.</LI>
-</UL>
-
-<P>
-<A HREF="http://www.freeswan.ca/docs/WindowsInterop">Tim Carr's Windows Interop Guide (X.509)</A><BR>
-
-<A HREF="http://ipsec.math.ucla.edu/services/ipsec.html">James Carter's
-instructions (X.509, NAT-T)</A><BR>
-
-<A HREF="http://jixen.tripod.com/#Win2000-Fwan">
-Jean-Francois Nadeau's Net-net Configuration (PSK)</A><BR>
-
-<A HREF="http://security.nta.no/freeswan-w2k.html">
-Telenor's Node-node Config (Transport-mode PSK)</A><BR>
-
-<A HREF="http://vpn.ebootis.de">Marcus Mueller's HOWTO using his VPN config tool (X.509).</A> Tool also works with PSK.<BR>
-
-<A HREF="http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509">
-Nate Carlson's HOWTO using same tool (Road Warrior with X.509)</A>. Unusually,
-FreeS/WAN is the Road Warrior here.<BR>
-
-<A HREF="http://tirnanog.ls.fi.upm.es/CriptoLab/Biblioteca/InfTech/InfTech_CriptoLab.htm">
-Oscar Delgado's PDF (X.509, no configs)</A><BR>
-
-<A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022425.html">Tim Scannell's Windows XP Additional Checklist (X.509)</A><BR>
-</P>
-
-<!-- Note to self: Include L2TP references? -->
-
-<P>
-<A HREF="http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_TCPIP_ovr_secfeatures.htm">
-Microsoft's page on Win2k TCP/IP security features</A><BR>
-
-<A HREF="http://support.microsoft.com/support/kb/articles/Q257/2/25.ASP">
-Microsoft's Win2k IPsec debugging tips</A><BR>
-
-<!-- Alt-URL http://support.microsoft.com/default.aspx?scid=kb;EN-US;q257225
-Perhaps newer? -->
-
-<A HREF="http://www.wired.com/news/technology/0,1282,36336,00.html">MS VPN may fall back to 1DES</A>
-</P>
-
-<P><A HREF="#microsoft.top">Back to chart</A></P>
-
-
-<H4><A NAME="ssh">SSH Sentinel</A></H4>
-
-<UL>
-<LI>Popular and well tested.</LI>
-<LI>Also rebranded in <A HREF="http://www.zyxel.com">Zyxel Zywall</A>.
-Our Zyxel interop notes are <A HREF="#zyxel">here</A>.</LI>
-<LI>
-SSH supports IPsec-over-UDP NAT traversal.
-</LI>
-<LI>There is this 
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/12/msg00370.html">
-potential problem</A> if you're not using the Legacy Proposal option.
-</UL>
-
-<P>
-<A HREF="http://www.ssh.com/support/sentinel/documents.cfm">SSH's Sentinel-FreeSWAN interop PDF (X.509)</A><BR>
-<A HREF="http://www.nadmm.com/show.php?story=articles/vpn.inc">Nadeem Hassan's 
-SUSE-to-Sentinel article (Road warrior with X.509)</A><BR>
-<A HREF="http://www.zerozone.it/documents/Linux/HowTo/VPN-IPsec-Freeswan-HOWTO.html">O-Zone's Italian HOWTO (Road Warrior, X.509, DHCP)</A><BR>
-</P>
-
-
-<P><A HREF="#ssh.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="safenet">Safenet SoftPK/SoftRemote</A></H4>
-
-<UL>
-<LI>People recommend SafeNet as a low cost Windows client.</LI>
-<LI>SoftRemote seems to be the newer name for SoftPK.</LI>
-</UL>
-
-<P>
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005061.html">
-Whit Blauvelt's SoftRemote tips</A><BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015591.html">
-Tim Wilson's tips (X.509)</A>
-<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00607.html">Workaround for a "gotcha"</A>
-</P>
-
-<P>
-<A HREF="http://jixen.tripod.com/#Rw-IRE-to-Fwan">Jean-Francois Nadeau's 
-Practical Configuration (Road Warrior with PSK)</A><BR>
-<A HREF="http://www.terradoncommunications.com/security/whitepapers/safe_net-to-free_swan.pdf">
-Terradon Communications' PDF (Road Warrior with PSK)</A><BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-October/?????.html">
-Seaan.net's PDF (Road Warrior to Subnet, with PSK)
-</A><BR>
-<A HREF="http://www.redbaronconsulting.com/freeswan/fswansafenet.pdf">
-Red Baron Consulting's PDF (Road Warrior with X.509)</A>
-</P>
-
-<P><A HREF="#safenet.top">Back to chart</A></P>
-
-
-
-
-
-
-
-
-<H3>For <EM>Other Implementations</EM></H3>
-
-
-
-<H4><A NAME="6wind">6Wind</A></H4>
-
-<P>
-
-<A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
-French page with configs (X.509)</A>
-
-</P>
-
-<P><A HREF="#6wind.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="alcatel">Alcatel Timestep</A></H4>
-
-<P>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011878.html">
-Alain Sabban's settings (PSK or PSK road warrior; through static NAT)</A><BR>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00100.html">
-Derick Cassidy's configs (PSK)</A><BR>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/08/msg00194.html">
-David Kerry's Timestep settings (PSK)</A>
-<BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013711.html">
-Kevin Gerbracht's ipsec.conf (X.509)</A>
-</P>
-
-<P><A HREF="#alcatel.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="apple">Apple Macintosh System 10+</A></H4>
-
-<UL>
-<LI>Since the system is based on FreeBSD, this should
-interoperate <A HREF="#kame">just like FreeBSD</A>.
-</LI>
-
-<LI>
-To use Appletalk over IPsec tunnels,
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005116.html">run 
-it over TCP/IP</A>, or use 
-Open Door Networks' Shareway IP tool, 
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005426.html">described 
-here.</A>
-</LI>
-
-<LI>See also the <A HREF="#equinux">Equinux VPN Tracker</A> 
-for Mac OS X.</LI> 
-</UL>
-
-
-<P>
-<A HREF="http://ipsec.math.ucla.edu/services/ipsec.html">James Carter's
-instructions (X.509, NAT-T)</A>
-</P>
-
-
-<P><A HREF="#apple.top">Back to chart</A></P>
-
-
-
-
-
-
-<H4><A NAME="ashleylaurent">AshleyLaurent VPCom</A></H4>
-
-<P>
-<A HREF="http://www.ashleylaurent.com/newsletter/01-28-00.htm">
-Successful interop report, no details</A>
-</P>
-
-<P><A HREF="#ashleylaurent.top">Back to chart</A></P>
-
-
-<H4><A NAME="borderware">Borderware</A></H4>
-
-<UL>
-<LI>I suspect the Borderware client is a rebranded Safenet.
-If that's true, our <A HREF="#safenet">Safenet section</A> will help.</LI>
-</UL>
-
-<P>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-March/008288.html">
-Philip Reetz' configs (PSK)</A><BR>
-
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/09/msg00217.html">
-Borderware server does not support FreeS/WAN road warriors</A><BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007733.html">
-Older Borderware may not support Diffie Hellman groups 2, 5</A><BR>
-</P>
-
-
-<P><A HREF="#borderware.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="checkpoint">Check Point VPN-1 or FW-1</A></H4>
-
-<UL>
-<LI>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00099.html">
-Caveat about IP-range inclusion on Check Point.</A>
-</LI>
-<LI>
-Some versions of Check Point may require an aggressive mode patch to 
-interoperate with FreeS/WAN.<BR>
-<A HREF="http://www.freeswan.ca/code/super-freeswan">Super FreeS/WAN</A> 
-now features this patch.
-<!--
-<A HREF="http://www.freeswan.ca/patches/aggressivemode">Steve Harvey's 
-aggressive mode patch for FreeS/WAN 1.5</A>
--->
-</LI>
-<LI>
-<LI>A Linux FreeS/WAN-Checkpoint connection may close after some time. Try
-<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html">this tip</A> toward a workaround.
-</LI>
-</UL>
-
-<P>
-<A HREF="http://www.fw-1.de/aerasec/ng/vpn-freeswan/CPNG+Linux-FreeSWAN.html">
-AERAsec's Firewall-1 NG site (PSK, X.509, Road Warrior with X.509, 
-other algorithms)</A><BR>
-&nbsp;&nbsp;&nbsp;&nbsp;
-<A HREF="http://www.fw-1.de/aerasec/ng/vpn-freeswan/CPNG+Linux-FreeSWAN.html#support-matrix">
-AERAsec's detailed Check Point-FreeS/WAN support matrix</A><BR>
-<A HREF="http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/fw-linuxvpn.pdf">Checkpoint.com PDF: Linux as a VPN Client to FW-1 (PSK)</A><BR>
-
-<A HREF="http://www.phoneboy.com">PhoneBoy's Check Point FAQ (on Check Point 
-only, not FreeS/WAN)</A><BR>
-
-</P>
-
-<P>
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-August/002351.html">Chris 
-Harwell's tips & FreeS/WAN configs (PSK)</A><BR>
-
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009362.html">Daniel 
-Tombeil's configs (PSK)</A>
-
-</P>
-
-<P><A HREF="#checkpoint.top">Back to chart</A></P>
-
-
-<H4><A NAME="cisco">Cisco</A></H4>
-
-<UL>
-<LI>
-Cisco supports IPsec-over-UDP NAT traversal.
-</LI>
-<LI>Cisco VPN Client appears to use nonstandard IPsec and 
-does not work with FreeS/WAN. <A HREF="https://mj2.freeswan.org/archives/2003-August/maillist.html">This message</A> concerns Cisco VPN Client 4.01.
-<!-- fix link -->
-</LI>
-<LI>A Linux FreeS/WAN-Cisco connection may close after some time.
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-December/005758.html">
-Here</A>
-is a workaround, and 
-<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html">here</A>
- is another comment on the same subject.</LI>
-<LI><A HREF="http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t2/3desips.htm">Older Ciscos</A> 
-purchased outside the United States may not have 3DES, which FreeS/WAN requires.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-June/000406.html">RSA keying may not be possible between Cisco and FreeS/WAN.</A>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-October/004357.html">In 
-ipsec.conf, VPN3000 DN (distinguished name) must be in binary (X.509 only)</A></LI>
-
-
-</UL>
-
-
-<P>
-<A HREF="http://rr.sans.org/encryption/cisco_router.php">SANS Institute HOWTO (PSK).</A> Detailed, with extensive references.<BR>
-<A HREF="http://www.worldbank.ro/IPSEC/cisco-linux.txt">Short HOWTO (PSK)</A><BR>
-<A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
-French page with configs for Cisco IOS, PIX and VPN 3000 (X.509)</A>
-<BR>
-
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-August/002966.html">Dave
-McFerren's sample configs (PSK)</A><BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-September/003422.html">Wolfgang 
-Tremmel's sample configs (PSK road warrior)</A><BR>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00578.html">
-Old doc from Pete Davis, with William Watson's updated Tips (PSK)</A><BR>
-</P>
-
-<P><STRONG>Some PIX specific information:</STRONG><BR>
-
-<A HREF="http://www.wlug.org.nz/FreeSwanToCiscoPix">
-Waikato Linux Users' Group HOWTO. Nice detail (PSK)
-</A><BR>
-<A HREF="http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html">
-John Leach's configs (PSK)
-</A><BR>
-<A HREF="http://www.diverdown.cc/vpn/freeswanpix.html">
-Greg Robinson's settings (PSK)
-</A><BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007901.html">
-Scott's ipsec.conf for PIX (PSK, FreeS/WAN side only)</A><BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-October/003949.html">Rick 
-Trimble's PIX and FreeS/WAN settings (PSK)</A><BR>
-</P>
-
-
-
-<P><A href="http://www.cisco.com/public/support/tac">
-Cisco VPN support page</A><BR>
-<A href="http://www.ieng.com/warp/public/707/index.shtml#ipsec">
-Cisco IPsec information page</A>
-</P>
-
-<P><A HREF="#cisco.top">Back to chart</A></P>
-
-
-
-
-<H4><A NAME="equinux">Equinux VPN tracker (for Mac OS X)</A></H4>
-                                                                                
-<UL>
-<LI>Graphical configurator for Mac OS X IPsec. May be an interface
-to the <A HREF="#apple">native Mac OS X IPsec</A>, which is essentially
-<A HREF="#kame">KAME</A>.</LI>
-<LI>To use Appletalk over IPsec tunnels,
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005116.html">run
-it over TCP/IP</A>, or use
-Open Door Networks' Shareway IP tool,
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005426.html">described
-here.</A> </LI>
-</UL>
-
-                                                                                
-<P>
-Equinux provides <A HREF="http://www.equinux.com/download/HowTo_FreeSWAN.pdf">this 
-excellent interop PDF</A> (PSK, RSA, X.509).
-</P>
-                                                                                
-<P><A HREF="#equinux.top">Back to chart</A></P>
-
-
-<H4><A NAME="fsecure">F-Secure</A></H4>
-
-<UL>
-<LI>
-<!-- <A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007596.html"> -->
-F-Secure supports IPsec-over-UDP NAT traversal.
-</LI>
-</UL>
-
-<P><A HREF="http://www.pingworks.de/tech/vpn/vpn.txt">pingworks.de's
- "Connecting F-Secure's VPN+ to Linux FreeS/WAN" (PSK road warrior)</A><BR>
-&nbsp;&nbsp;&nbsp;&nbsp;<A HREF="http://www.pingworks.de/tech/vpn/vpn.pdf">Same thing as PDF</A><BR>
-<A HREF="http://www.exim.org/pipermail/linux-ipsec/Week-of-Mon-20010122/000061.html">Success report, no detail (PSK)</A><BR>
-<A HREF="http://www.exim.org/pipermail/linux-ipsec/Week-of-Mon-20010122/000041.html">Success report, no detail (Manual)</A>
-</P>
-
-<!-- Other NAT traversers:
-http://lists.freeswan.org/pipermail/users/2002-April/009136.html
-and ssh sentinel:
-http://lists.freeswan.org/pipermail/users/2001-September/003108.html
--->
-
-<P><A HREF="#fsecure.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="gauntlet">Gauntlet GVPN</A></H4>
-
-<P>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00535.html">Richard Reiner's ipsec.conf (PSK)</A>
-<BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011434.html">
-Might work without that pesky firewall... (PSK)</A><BR>
-<!-- insert archive link -->
-In late July, 2003 Alexandar Antik reported success interoperating 
-with Gauntlet 6.0 for Solaris (X.509). Unfortunately the message is not 
-properly archived at this time.
-</P>
-
-<P><A HREF="#gauntlet.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="aix">IBM AIX</A></H4>
-
-<P><A HREF="http://www-1.ibm.com/servers/esdd/articles/security.html">
-IBM's "Built-In Network Security with AIX" (PSK, X.509)</A><BR>
-<A HREF="http://www-1.ibm.com/servers/aix/products/ibmsw/security/vpn/faqandtips/#ques20">
-IBM's tip: importing Linux FreeS/WAN settings into AIX's <VAR>ikedb</VAR> 
-(PSK)</A>
-</P>
-
-<P><A HREF="#aix.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="as400">IBM AS/400</A></H4>
-
-<UL>
-<LI>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009106.html">Road
- Warriors may act flaky</A>.
-</LI>
-</UL>
-
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-September/014264.html">
-Richard Welty's tips and tricks</A><BR>
-</P>
-
-<P><A HREF="#as400.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="intel">Intel Shiva LANRover / Net Structure</A></H4>
-
-<UL>
-<LI>Intel Shiva LANRover is now known as Intel Net Structure.</LI>
-<LI>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/01/msg00298.html">
-Shiva seems to have two modes: IPsec or the proprietary
-"Shiva Tunnel".</A>
-Of course, FreeS/WAN will only create IPsec tunnels.
-</LI>
-
-<LI>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00293.html">
-AH may not work for Shiva-FreeS/WAN.</A>
-That's OK, since FreeS/WAN has phased out the use of AH.
-</LI>
-</UL>
-
-<P>
-<A HREF="http://snowcrash.tdyc.com/freeswan/">
-Snowcrash's configs (PSK)</A><BR>
-
-<A HREF="http://www.opus1.com/vpn/index.html">
-Old configs from an interop (PSK)</A><BR>
-
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-October/003831.html">
-The day Shiva tickled a Pluto bug (PSK)</A><BR>
-
-&nbsp;&nbsp;&nbsp;&nbsp;
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-October/004270.html">
-Follow up: success!</A>
-</P>
-
-<P><A HREF="#intel.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="lancom">LanCom (formerly ELSA)</A></H4>
-
-<UL>
-<LI>This router is popular in Germany.
-</UL>
-
-<P>
-Jakob Curdes successfully created a PSK connection with the LanCom 1612 in 
-August 2003.
-<!-- add ML link when it appears -->
-</P>
-
-<P><A HREF="#lancom.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="linksys">Linksys</A></H4>
-
-<UL>
-<LI>Linksys may be used as an IPsec tunnel endpoint, <STRONG>OR</STRONG>
-as a router in "IPsec passthrough" mode, so that the IPsec tunnel 
-passes through the Linksys.
-</LI>
-</UL>
-
-<H5>As tunnel endpoint</H5>
-<P>
-<A HREF="http://www.freeswan.ca/docs/BEFVP41/">
-Ken Bantoft's instructions (Road Warrior with PSK)</A><BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007814.html">
-Nate Carlson's caveats</A>
-</P>
-
-<H5>In IPsec passthrough mode</H5>
-<P>
-<A HREF="http://www-ec.njit.edu/~rxt1077/Howto.txt">
-Sample HOWTO through a Linksys Router</A><BR>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2002/02/msg00114.html">
-Nadeem Hasan's configs</A><BR>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2002/02/msg00180.html">
-Brock Nanson's tips</A><BR>
-</P>
-
-<P><A HREF="#linksys.top">Back to chart</A></P>
-
-
-<H4><A NAME="lucent">Lucent</A></H4>
-
-<P>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010976.html">
-Partial success report; see also the next message in thread</A>
-</P>
-<!-- section done -->
-
-<P><A HREF="#lucent.top">Back to chart</A></P>
-
-
-<H4><A NAME="netasq">Netasq</A></H4>
-
-<P>
-<A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
-French page with configs (X.509)</A>
-
-</P>
-<!-- section done -->
-
-<P><A HREF="#netasq.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="netcelo">Netcelo</A></H4>
-
-<P>
-<A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
-French page with configs (X.509)</A>
-
-<!-- section done -->
-
-</P>
-
-<P><A HREF="#netcelo.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="netgear">Netgear fvs318</A></H4>
-
-<UL>
-<LI>With a recent Linux FreeS/WAN, you will require the latest 
-(12/2002) Netgear firmware, which supports Diffie-Hellman (DH) group 2.
-For security reasons, we phased out DH 1 after Linux FreeS/WAN 1.5.
-</LI>
-<LI>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011833.html">
-This message</A> reports the incompatibility between Linux FreeS/WAN 1.6+
-and Netgear fvs318 without the firmware upgrade.
-</LI>
-<LI>We believe Linux FreeS/WAN 1.5 and earlier will interoperate with 
-any NetGear firmware.
-</LI>
-</UL>
-
-<P>
-<A HREF="http://lists.freeswan.org/pipermail/users/2003-February/017891.html">
-John Morris' setup (PSK)</A>
-</P>
-
-<P><A HREF="#netgear.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="netscreen">Netscreen 100 or 5xp</A></H4>
-
-<P>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013409.html">
-Errol Neal's settings (PSK)</A><BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015265.html">
-Corey Rogers' configs (PSK, no PFS)</A><BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013051.html">
-Jordan Share's configs (PSK, 2 subnets, through static NAT)</A><BR>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/08/msg00404.html">
-Set src proxy_id to your protected subnet/mask</A><BR>
-
-<A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
-French page with ipsec.conf, Netscreen screen shots (X.509, may
-need to revert to PSK...)</A>
-
-</P>
-<P>
-<A HREF="http://archives.neohapsis.com/archives/sf/linux/2001-q2/0123.html">
-A report of a company using Netscreen with FreeS/WAN on a large scale
-(FreeS/WAN road warriors?)</A>
-</P>
-
-<P><A HREF="#netscreen.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="nortel">Nortel Contivity</A></H4>
-
-<UL>
-<LI>
-Nortel supports IPsec-over-UDP NAT traversal.
-</LI>
-
-<LI>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00417.html">
-Some older versions of Contivity and FreeS/WAN will not communicate.</A>
-</LI>
-
-<LI>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010924.html">
-FreeS/WAN cannot be used as a "client" to a Nortel Contivity server,
-but can be used as a branch-office tunnel.</A>
-</LI>
-
-<!--  Probably obsoleted by Ken's post
-<LI>
-(Matthias siebler from old interop)
-At one point you could not configure Nortel-FreeS/WAN tunnels as 
-"Client Tunnels" since FreeS/WAN does not support Aggressive Mode.
-Current status of this problem: unknown.
-<LI>
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/004612.html">
-How do we map group and user passwords onto the data that FreeS/WAN wants?
-</A>
-</LI>
--->
-
-<LI>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015455.html">
-Contivity does not send Distinguished Names in the order FS wants them (X.509).
-</A>
-</LI>
-
-<LI>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00137.html">
-Connections may time out after 30-40 minutes idle.</A>
-</LI>
-
-</UL>
-
-<P>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00137.html">
-JJ Streicher-Bremer's mini HOWTO for old & new software. (PSK with two subnets)
-</A><BR>
-<A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config">
-French page with configs (X.509)</A>. This succeeds using the above X.509 tip.
-</P>
-
-<!-- I could do more searching but this is a solid start. -->
-
-<P><A HREF="#nortel.top">Back to chart</A></P>
-
-
-<H4><A NAME="radguard">Radguard</A></H4>
-
-<P>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00009.html">
-Marko Hausalo's configs (PSK).</A> Note: These do create a connection,
-as you can see by "IPsec SA established".<BR>
-
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-October/???.html">
-Claudia Schmeing's comments</A>
-</P>
-
-<P><A HREF="#radguard.top">Back to chart</A></P>
-
-
-<H4><A NAME="raptor">Raptor (NT or Solaris)</A></H4>
-
-<P>
-
-<UL>
-<LI>Now known as Symantec Enterprise Firewall.</LI>
-<LI>The Raptor does not normally come with X.509, but this may be available as
-an add-on.</LI>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010256.html">
-Raptor requires alphanumberic PSK values, whereas FreeS/WAN uses hex.</A>
-</LI>
-<LI>Raptor's tunnel endpoint may be a host, subnet or group of subnets
-(see 
-<A HREF="http://lists.freeswan.org/pipermail/design/2001-November/001295.html">
-this message</A>
-). FreeS/WAN cannot handle the group of subnets; you
-must create separate connections for each in order to interoperate.</LI>
-<LI>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010113.html">
-Some versions of Raptor accept only single DES.
-</A>
-According to this German message,
-<A HREF="http://radawana.cg.tuwien.ac.at/mail-archives/lll/200012/msg00065.html">
-the Raptor Mobile Client demo offers single DES only.</A>
-</LI>
-</UL>
-
-<P>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-January/006935.html">
-Peter Mazinger's settings (PSK)</A><BR>
-
-<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005522.html">
-Peter Gerland's configs (PSK)</A><BR>
-
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00597.html">
-Charles Griebel's configs (PSK).</A><BR>
-
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-July/012275.html">
-Lumir Srch's tips (PSK)
-</A>
-</P>
-
-<P>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00214.html">
-John Hardy's configs (Manual)</A><BR>
-
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/01/msg00236.html">
-Older Raptors want 3DES keys in 3 parts (Manual).</A><BR>
-
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/06/msg00480.html">
-Different keys for each direction? (Manual)</A><BR>
-
-</P>
-
-<P><A HREF="#raptor.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="redcreek">Redcreek Ravlin</A></H4>
-
-<UL>
-<LI>Known issue #1: The Ravlin expects a quick mode renegotiation right
-after every Main Mode negotiation.
-</LI>
-<LI>
-Known issue #2: The Ravlin tries to negotiate a zero
-connection lifetime, which it takes to mean "infinite". 
-<A HREF="http://www.bear-cave.org.uk/linux/ravlin/">Jim Hague's patch</A> 
-addresses both issues.
-</LI>
-<LI>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/03/msg00191.html">
-Interop works with Ravlin Firmware > 3.33. Includes tips (PSK).</A>
-</LI>
-</UL>
-
-<P><A HREF="#redcreek.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="sonicwall">SonicWall</A></H4>
-
-<UL>
-<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-June/000998.html">
-Sonicwall cannot be used for Road Warrior setups</A></LI>
-<LI>
-At one point, <A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00217.html">
-only Sonicwall PRO supported triple DES</A>.</LI>
-<LI>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-March/008600.html">
-Older Sonicwalls (before Nov 2001) feature Diffie Hellman group 1
-only</A>.</LI>
-</UL>
-
-<P>
-<A HREF="http://www.xinit.cx/docs/freeswan.html">Paul Wouters' config (PSK)</A><BR>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00073.html">
-Dilan Arumainathan's configuration (PSK)</A><BR>
-<A HREF="http://www.gravitas.co.uk/vpndebug">Dariush's setup... only opens
-one way (PSK)</A><BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022302.html">
-Andreas Steffen's tips (X.509)</A><BR>
-
-</P>
-
-<P><A HREF="#sonicwall.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="sun">Sun Solaris</A></H4>
-
-<UL>
-<LI>
-Solaris 8+ has a native (in kernel) IPsec implementation.
-</LI>
-<LI>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010503.html">
-Solaris does not seem to support tunnel mode, but you can make
-IP-in-IP tunnels instead, like this.</A>
-</LI>
-</UL>
-<P>
-
-<A HREF="http://lists.freeswan.org/pipermail/users/2003-June/022216.html">Reports of some successful interops</A> from a fellow @sun.com.
-See also <A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022247.html">these follow up posts</A>.<BR>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00332.html">
-Aleks Shenkman's configs (Manual in transport mode)
-</A><BR>
-<!--sparc 64 stuff goes where?-->
-</P>
-
-<P><A HREF="#solaris.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="symantec">Symantec</A></H4>
-
-<UL>
-<LI>The Raptor, covered <A HREF="#raptor">above</A>, is now known as
-Symantec Enterprise Firewall.</LI>
-<LI>Symantec's "distinguished name" is a KEY_ID. See Andreas Steffen's post,
-below.</LI>
-</UL>
-
-<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009037.html">
-Andreas Steffen's configs for Symantec 200R (PSK)</A>
-</P>
-
-<P><A HREF="#symantec.top">Back to chart</A></P>
-
-
-
-
-<H4><A NAME="watchguard">Watchguard Firebox</A></H4>
-
-<UL>
-<LI>Automatic keying works with WatchGuard 5.0+ only.</LI>
-<LI>Seen to interoperate with WatchGuard 1000, II, III; firmware v. 5, 6..</LI>
-<LI>For manual keying, Watchguard's Policy Manager expects SPI numbers and
-encryption and authentication keys in decimal (not hex).</LI>
-</UL>
-
-<P>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-July/012595.html">
-WatchGuard's HOWTO (PSK)</A><BR>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013342.html">
-Ronald C. Riviera's Settings (PSK)</A><BR>
-<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00179.html">
-Walter Wickersham's Notes (PSK)</A><BR>
-
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015587.html">
-Max Enders' Configs (Manual)</A>
-</P>
-
-<P>
-<A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009404.html">
-Old known issue with auto keying</A><BR>
-
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00124.html">
-Tips on key generation and format (Manual)</A><BR>
-</P>
-
-<P><A HREF="#watchguard.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="xedia">Xedia Access Point/QVPN</A></H4>
-
-<P>
-<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/12/msg00520.html">
-Hybrid IPsec/L2TP connection settings (X.509)
-</A><BR>
-<A HREF="http://www.sandelman.ottawa.on.ca/ipsec/1999/08/msg00140.html">
-  Xedia's LAN-LAN links don't use multiple tunnels
-</A><BR>
-&nbsp;&nbsp;&nbsp;&nbsp;
-<A HREF="http://www.sandelman.ottawa.on.ca/ipsec/1999/08/msg00140.html">
-  That explanation, continued
-</A>
-</P>
-
-<P><A HREF="#xedia.top">Back to chart</A></P>
-
-
-
-<H4><A NAME="zyxel">Zyxel</A></H4>
-
-<UL>
-<LI>The Zyxel Zywall is a rebranded SSH Sentinel box. See also our section
-on <A HREF="#ssh">SSH</A>.</LI>
-<LI>There seems to be a problem with keeping this connection alive. This is 
-caused at the Zyxel end. See this brief
-<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00141.html">
-discussion and solution.
-</A>
-</LI>
-</UL>                                                                                
-<P>
-<A HREF="http://www.zyxel.com/support/supportnote/zywall/app/zw_freeswan.htm">
-Zyxel's Zywall to FreeS/WAN instructions (PSK)</A><BR>
-<A HREF="http://www.zyxel.com/support/supportnote/p652/app/zw_freeswan.htm">
-Zyxel's Prestige to FreeS/WAN instructions (PSK)</A>. Note: not all Prestige 
-versions include VPN software.<BR>
-
-<A HREF="http://www.lancry.net/techdocs/freeswan-zyxel.txt">Fabrice Cahen's 
- HOWTO (PSK)</A><BR>
-&nbsp;&nbsp;&nbsp;&nbsp;
-</P>
-                                                                                
-<P><A HREF="#zyxel.top">Back to chart</A></P>
-
-
-
-<!-- SAMPLE ENTRY
-
-<H4><A NAME="timestep">Timestep</A></H4>
-
-<P>Text goes here.
-</P>
-
--->
-</BODY></HTML>
-
diff --git a/doc/src/intro.html b/doc/src/intro.html
deleted file mode 100644
index 09c352c00..000000000
--- a/doc/src/intro.html
+++ /dev/null
@@ -1,887 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>Introduction to FreeS/WAN</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, introduction">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: intro.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="intro">Introduction</a></h1>
-
-<p>This section gives an overview of:</p>
-<ul>
-  <li>what IP Security (IPsec) does</li>
-  <li>how IPsec works</li>
-  <li>why we are implementing it for Linux</li>
-  <li>how this implementation works</li>
-</ul>
-
-<p>This section is intended to cover only the essentials, <em>things you
-should know before trying to use FreeS/WAN.</em></p>
-
-<p>For more detailed background information, see the <a
-href="politics.html#politics">history and politics</a> and 
-<a href="ipsec.html#ipsec.detail">IPsec protocols</a> sections.</p>
-
-<h2><a name="ipsec.intro">IPsec, Security for the Internet Protocol</a></h2>
-
-<p>FreeS/WAN is a Linux implementation of the IPsec (IP security) protocols.
-IPsec provides <a href="glossary.html#encryption">encryption</a> and <a
-href="glossary.html#authentication">authentication</a> services at the IP
-(Internet Protocol) level of the network protocol stack.</p>
-
-<p>Working at this level, IPsec can protect any traffic carried over IP,
-unlike other encryption which generally protects only a particular
-higher-level protocol -- <a href="glossary.html#PGP">PGP</a> for mail, <a
-href="glossary.html#SSH">SSH</a> for remote login, <a
-href="glossary.html#SSL">SSL</a> for web work, and so on. This approach has
-both considerable advantages and some limitations. For discussion, see our <a
-href="ipsec.html#others">IPsec section</a></p>
-
-<p>IPsec can be used on any machine which does IP networking. Dedicated IPsec
-gateway machines can be installed wherever required to protect traffic. IPsec
-can also run on routers, on firewall machines, on various application
-servers, and on end-user desktop or laptop machines.</p>
-
-<p>Three protocols are used</p>
-<ul>
-  <li><a href="glossary.html#AH">AH</a> (Authentication Header) provides a
-    packet-level authentication service</li>
-  <li><a href="glossary.html#ESP">ESP</a> (Encapsulating Security Payload)
-    provides encryption plus authentication</li>
-  <li><a href="glossary.html#IKE">IKE</a> (Internet Key Exchange) negotiates
-    connection parameters, including keys, for the other two</li>
-</ul>
-
-<p>Our implementation has three main parts:</p>
-<ul>
-  <li><a href="glossary.html#KLIPS">KLIPS</a> (kernel IPsec) implements AH,
-    ESP, and packet handling within the kernel</li>
-  <li><a href="glossary.html#Pluto">Pluto</a> (an IKE daemon) implements IKE,
-    negotiating connections with other systems</li>
-  <li>various scripts provide an adminstrator's interface to the
-  machinery</li>
-</ul>
-
-<p>IPsec is optional for the current (version 4) Internet Protocol. FreeS/WAN
-adds IPsec to the Linux IPv4 network stack. Implementations of <a
-href="glossary.html#ipv6.gloss">IP version 6</a> are required to include
-IPsec. Work toward integrating FreeS/WAN into the Linux IPv6 stack has <a
-href="compat.html#ipv6">started</a>.</p>
-
-<p>For more information on IPsec, see our 
-<a href="ipsec.html#ipsec.detail">IPsec protocols</a> section, 
-our collection of <a href="web.html#ipsec.link">IPsec
-links</a> or the <a href="rfc.html#RFC">RFCs</a> which are the official
-definitions of these protocols.</p>
-
-<h3><a name="intro.interop">Interoperating with other IPsec
-implementations</a></h3>
-
-<p>IPsec is designed to let different implementations work together. We
-provide:</p>
-<ul>
-  <li>a <a href="web.html#implement">list</a> of some other
-  implementations</li>
-  <li>information on <a href="interop.html#interop">using FreeS/WAN 
-  with other implementations</a></li>
-</ul>
-
-<p>The VPN Consortium fosters cooperation among implementers and
-interoperability among implementations. Their <a
-href="http://www.vpnc.org/">web site</a> has much more information.</p>
-
-<h3><a name="advantages">Advantages of IPsec</a></h3>
-
-<p>IPsec has a number of security advantages. Here are some independently 
-written articles which discuss these:</p>
-
-<P>
-<A HREF="http://www.sans.org/rr/">SANS institute papers</A>. See the section
-on Encryption &amp;VPNs.
-<BR>
-<A HREF="http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_papers_list.html">Cisco's 
-white papers on "Networking Solutions"</A>.
-<BR>
-<A HREF="http://iscs.sourceforge.net/HowWhyBrief/HowWhyBrief.html">
-Advantages of ISCS (Linux Integrated Secure Communications System; 
-includes FreeS/WAN and other software)</A>.
-
-</P>
-
-
-<h3><a name="applications">Applications of IPsec</a></h3>
-
-<p>Because IPsec operates at the network layer, it is remarkably flexible and
-can be used to secure nearly any type of Internet traffic. Two applications,
-however, are extremely widespread:</p>
-<ul>
-  <li>a <a href="glossary.html#VPN">Virtual Private Network</a>, or VPN,
-    allows multiple sites to communicate securely over an insecure Internet
-    by encrypting all communication between the sites.</li>
-  <li>"Road Warriors" connect to the office from home, or perhaps from a
-    hotel somewhere</li>
-</ul>
-
-<p>There is enough opportunity in these applications that vendors are
-flocking to them. IPsec is being built into routers, into firewall products,
-and into major operating systems, primarily to support these applications.
-See our <a href="web.html#implement">list</a> of implementations for
-details.</p>
-
-<p>We support both of those applications, and various less common IPsec
-applications as well, but we also add one of our own:</p>
-<ul>
-  <li>opportunistic encryption, the ability to set up FreeS/WAN gateways so
-    that any two of them can encrypt to each other, and will do so whenever
-    packets pass between them.</li>
-</ul>
-
-<p>This is an extension we are adding to the protocols. FreeS/WAN is the
-first prototype implementation, though we hope other IPsec implementations
-will adopt the technique once we demonstrate it. See <a href="#goals">project
-goals</a> below for why we think this is important.</p>
-
-<p>A somewhat more detailed description of each of these applications is
-below. Our <a href="quickstart.html#quick_guide">quickstart</a> section will 
-show you how to build each of them.</p>
-
-<h4><a name="makeVPN">Using secure tunnels to create a VPN</a></h4>
-
-<p>A VPN, or <strong>V</strong>irtual <strong>P</strong>rivate
-<strong>N</strong>etwork lets two networks communicate securely when the only
-connection between them is over a third network which they do not trust.</p>
-
-<p>The method is to put a security gateway machine between each of the
-communicating networks and the untrusted network. The gateway machines
-encrypt packets entering the untrusted net and decrypt packets leaving it,
-creating a secure tunnel through it.</p>
-
-<p>If the cryptography is strong, the implementation is careful, and the
-administration of the gateways is competent, then one can reasonably trust
-the security of the tunnel. The two networks then behave like a single large
-private network, some of whose links are encrypted tunnels through untrusted
-nets.</p>
-
-<p>Actual VPNs are often more complex. One organisation may have fifty branch
-offices, plus some suppliers and clients, with whom it needs to communicate
-securely. Another might have 5,000 stores, or 50,000 point-of-sale devices.
-The untrusted network need not be the Internet. All the same issues arise on
-a corporate or institutional network whenever two departments want to
-communicate privately with each other.</p>
-
-<p>Administratively, the nice thing about many VPN setups is that large parts
-of them are static. You know the IP addresses of most of the machines
-involved. More important, you know they will not change on you. This
-simplifies some of the admin work. For cases where the addresses do change,
-see the next section.</p>
-
-<h4><a name="road.intro">Road Warriors</a></h4>
-
-<p>The prototypical "Road Warrior" is a traveller connecting to home base
-from a laptop machine. Administratively, most of the same problems arise for
-a telecommuter connecting from home to the office, especially if the
-telecommuter does not have a static IP address.</p>
-
-<p>For purposes of this document:</p>
-<ul>
-  <li>anyone with a dynamic IP address is a "Road Warrior".</li>
-  <li>any machine doing IPsec processing is a "gateway". Think of the
-    single-user road warrior machine as a gateway with a degenerate subnet
-    (one machine, itself) behind it.</li>
-</ul>
-
-<p>These require somewhat different setup than VPN gateways with static
-addresses and with client systems behind them, but are basically not
-problematic.</p>
-
-<p>There are some difficulties which appear for some road warrior
-connections:</p>
-<ul>
-  <li>Road Wariors who get their addresses via DHCP may have a problem.
-    FreeS/WAN can quite happily build and use a tunnel to such an address,
-    but when the DHCP lease expires, FreeS/WAN does not know that. The tunnel
-    fails, and the only recovery method is to tear it down and re-build
-  it.</li>
-  <li>If <a href="glossary.html#NAT.gloss">Network Address Translation</a>
-    (NAT) is applied between the two IPsec Gateways, this breaks IPsec. IPsec
-    authenticates packets on an end-to-end basis, to ensure they are not
-    altered en route. NAT rewrites packets as they go by. See our <a
-    href="firewall.html#NAT">firewalls</a> document for details.</li>
-</ul>
-
-<p>In most situations, however, FreeS/WAN supports road warrior connections
-just fine.</p>
-
-<h4><a name="opp.intro">Opportunistic encryption</a></h4>
-
-<p>One of the reasons we are working on FreeS/WAN is that it gives us the
-opportunity to add what we call opportuntistic encryption. This means that
-any two FreeS/WAN gateways will be able to encrypt their traffic, even if the
-two gateway administrators have had no prior contact and neither system has
-any preset information about the other.</p>
-
-<p>Both systems pick up the authentication information they need from the <a
-href="glossary.html#DNS">DNS</a> (domain name service), the service they
-already use to look up IP addresses. Of course the administrators must put
-that information in the DNS, and must set up their gateways with
-opportunistic encryption enabled. Once that is done, everything is automatic.
-The gateways look for opportunities to encrypt, and encrypt whatever they
-can. Whether they also accept unencrypted communication is a policy decision
-the administrator can make.</p>
-
-<p>This technique can give two large payoffs:</p>
-<ul>
-  <li>It reduces the administrative overhead for IPsec enormously. You
-    configure your gateway and thereafter everything is automatic. The need
-    to configure the system on a per-tunnel basis disappears. Of course,
-    FreeS/WAN allows specifically configured tunnels to co-exist with
-    opportunistic encryption, but we hope to make them unnecessary in most
-    cases.</li>
-  <li>It moves us toward a more secure Internet, allowing users to create an
-    environment where message privacy is the default. All messages can be
-    encrypted, provided the other end is willing to co-operate. See our <a
-    href="politics.html#politics">history and politics of cryptography</a> 
-    section for discussion of why we think this is needed.</li>
-</ul>
-
-<p>Opportunistic encryption is not (yet?) a standard part of the IPsec
-protocols, but an extension we are proposing and demonstrating. For details
-of our design, see <a href="#applied">links</a> below.</p>
-
-<p>Only one current product we know of implements a form of opportunistic
-encryption. <a href="web.html#ssmail">Secure sendmail</a> will automatically
-encrypt server-to-server mail transfers whenever possible.</p>
-
-<h3><a name="types">The need to authenticate gateways</a></h3>
-
-<p>A complication, which applies to any type of connection -- VPN, Road
-Warrior or opportunistic -- is that a secure connection cannot be created
-magically. <em>There must be some mechanism which enables the gateways to
-reliably identify each other.</em> Without this, they cannot sensibly trust
-each other and cannot create a genuinely secure link.</p>
-
-<p>Any link they do create without some form of <a
-href="glossary.html#authentication">authentication</a> will be vulnerable to
-a <a href="glossary.html#middle">man-in-the-middle attack</a>. If <a
-href="glossary.html#alicebob">Alice and Bob</a> are the people creating the
-connection, a villian who can re-route or intercept the packets can pose as
-Alice while talking to Bob and pose as Bob while talking to Alice. Alice and
-Bob then both talk to the man in the middle, thinking they are talking to
-each other, and the villain gets everything sent on the bogus "secure"
-connection.</p>
-
-<p>There are two ways to build links securely, both of which exclude the
-man-in-the middle:</p>
-<ul>
-  <li>with <strong>manual keying</strong>, Alice and Bob share a secret key
-    (which must be transmitted securely, perhaps in a note or via PGP or SSH)
-    to encrypt their messages. For FreeS/WAN, such keys are stored in the <a
-    href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> file. Of course, if
-    an enemy gets the key, all is lost.</li>
-  <li>with <strong>automatic keying</strong>, the two systems authenticate
-    each other and negotiate their own secret keys. The keys are
-    automatically changed periodically.</li>
-</ul>
-
-<p>Automatic keying is much more secure, since if an enemy gets one key only
-messages between the previous re-keying and the next are exposed. It is
-therefore the usual mode of operation for most IPsec deployment, and the mode
-we use in our setup examples. FreeS/WAN does support manual keying for
-special circumstanes. See this <a
-href="adv_config.html#prodman">section</a>.</p>
-
-<p>For automatic keying, the two systems must authenticate each other during
-the negotiations. There is a choice of methods for this:</p>
-<ul>
-  <li>a <strong>shared secret</strong> provides authentication. If Alice and
-    Bob are the only ones who know a secret and Alice recives a message which
-    could not have been created without that secret, then Alice can safely
-    believe the message came from Bob.</li>
-  <li>a <a href="glossary.html#public">public key</a> can also provide
-    authentication. If Alice receives a message signed with Bob's private key
-    (which of course only he should know) and she has a trustworthy copy of
-    his public key (so that she can verify the signature), then she can
-    safely believe the message came from Bob.</li>
-</ul>
-
-<p>Public key techniques are much preferable, for reasons discussed <a
-href="config.html#choose">later</a>, and will be used in all our setup
-examples. FreeS/WAN does also support auto-keying with shared secret
-authentication. See this <a
-href="adv_config.html#prodsecrets">section</a>.</p>
-
-<h2><a name="project">The FreeS/WAN project</a></h2>
-
-<p>For complete information on the project, see our web site, <a
-href="http://liberty.freeswan.org">freeswan.org</a>.</p>
-
-<p>In summary, we are implementing the <a
-href="glossary.html#IPsec">IPsec</a> protocols for Linux and extending them
-to do <a href="glossary.html#carpediem">opportunistic encryption</a>.</p>
-
-<h3><a name="goals">Project goals</a></h3>
-
-<p>Our overall goal in FreeS/WAN is to make the Internet more secure and more
-private.</p>
-
-<p>Our IPsec implementation supports VPNs and Road Warriors of course. Those
-are important applications. Many users will want FreeS/WAN to build corporate
-VPNs or to provide secure remote access.</p>
-
-<p>However, our goals in building it go beyond that. We are trying to help
-<strong>build security into the fabric of the Internet</strong> so that
-anyone who choses to communicate securely can do so, as easily as they can do
-anything else on the net.</p>
-
-<p>More detailed objectives are:</p>
-<ul>
-  <li>extend IPsec to do <a href="glossary.html#carpediem">opportunistic
-    encryption</a> so that
-    <ul>
-      <li>any two systems can secure their communications without a
-        pre-arranged connection</li>
-      <li><strong>secure connections can be the default</strong>, falling
-        back to unencrypted connections only if:
-        <ul>
-          <li><em>both</em> the partner is not set up to co-operate on
-            securing the connection</li>
-          <li><em>and</em> your policy allows insecure connections</li>
-        </ul>
-      </li>
-      <li>a significant fraction of all Internet traffic is encrypted</li>
-      <li>wholesale monitoring of the net (<a
-        href="politics.html#intro.poli">examples</a>) becomes difficult or
-        impossible</li>
-    </ul>
-  </li>
-  <li>help make IPsec widespread by providing an implementation with no
-    restrictions:
-    <ul>
-      <li>freely available in source code under the <a
-        href="glossary.html#GPL">GNU General Public License</a></li>
-      <li>running on a range of readily available hardware</li>
-      <li>not subject to US or other nations' <a
-        href="politics.html#exlaw">export restrictions</a>.<br>
-        Note that in order to avoid <em>even the appearance</em> of being
-        subject to those laws, the project cannot accept software
-        contributions -- <em>not even one-line bug fixes</em> -- from US
-        residents or citizens.</li>
-    </ul>
-  </li>
-  <li>provide a high-quality IPsec implementation for Linux
-    <ul>
-      <li>portable to all CPUs Linux supports: <a
-        href="compat.html#CPUs">(current list)</a></li>
-      <li>interoperable with other IPsec implementations: <a
-        href="interop.html#interop">(current list)</a></li>
-    </ul>
-  </li>
-</ul>
-
-<p>If we can get opportunistic encryption implemented and widely deployed,
-then it becomes impossible for even huge well-funded agencies to monitor the
-net.</p>
-
-<p>See also our section on <a href="politics.html#politics">history and 
-politics</a> of cryptography, which includes our project leader's <a
-href="politics.html#gilmore">rationale</a> for starting the project.</p>
-
-<h3><a name="staff">Project team</a></h3>
-
-<p>Two of the team are from the US and can therefore contribute no code:</p>
-<ul>
-  <li>John Gilmore: founder and policy-maker (<a
-    href="http://www.toad.com/gnu/">home page</a>)</li>
-  <li>Hugh Daniel: project manager, Most Demented Tester, and occasionally
-    Pointy-Haired Boss</li>
-</ul>
-
-<p>The rest of the team are Canadians, working in Canada. (<a
-href="politics.html#status">Why Canada?</a>)</p>
-<ul>
-  <li>Hugh Redelmeier: <a href="glossary.html#Pluto">Pluto daemon</a>
-    programmer</li>
-  <li>Richard Guy Briggs: <a href="glossary.html#KLIPS">KLIPS</a>
-  programmer</li>
-  <li>Michael Richardson: hacker without portfolio</li>
-  <li>Claudia Schmeing: documentation</li>
-  <li>Sam Sgro: technical support via the <a href="mail.html#lists">mailing
-    lists</a></li>
-</ul>
-
-<p>The project is funded by civil libertarians who consider our goals
-worthwhile. Most of the team are paid for this work.</p>
-
-<p>People outside this core team have made substantial contributions. See</p>
-<ul>
-  <li>our <a href="../CREDITS">CREDITS</a> file</li>
-  <li>the <a href="web.html#patch">patches and add-ons</a> section of our web
-    references file</li>
-  <li>lists below of user-written <a href="#howto">HowTos</a> and <a
-    href="#applied">other papers</a></li>
-</ul>
-
-<p>Additional contributions are welcome. See the <a
-href="faq.html#contrib.faq">FAQ</a> for details.</p>
-
-<h2><a name="products">Products containing FreeS/WAN</a></h2>
-
-<p>Unfortunately the <a href="politics.html#exlaw">export laws</a> of some
-countries restrict the distribution of strong cryptography. FreeS/WAN is
-therefore not in the standard Linux kernel and not in all CD or web
-distributions.</p>
-
-<p>FreeS/WAN is, however, quite widely used. Products we know of that use it
-are listed below. We would appreciate hearing, via the <a
-href="mail.html#lists">mailing lists</a>, of any we don't know of.</p>
-
-<h3><a name="distwith">Full Linux distributions</a></h3>
-
-<p>FreeS/WAN is included in various general-purpose Linux distributions,
-mostly from countries (shown in brackets) with more sensible laws:</p>
-<ul>
-  <li><a href="http://www.suse.com/">SuSE Linux</a> (Germany)</li>
-  <li><a href="http://www.conectiva.com">Conectiva</a> (Brazil)</li>
-  <li><a href="http://www.linux-mandrake.com/en/">Mandrake</a> (France)</li>
-  <li><a href="http://www.debian.org">Debian</a></li>
-  <li>the <a href="http://www.pld.org.pl/">Polish(ed) Linux Distribution</a>
-    (Poland)</li>
-  <li><a>Best Linux</a> (Finland)</li>
-</ul>
-
-<p>For distributions which do not include FreeS/WAN and are not Redhat (which
-we develop and test on), there is additional information in our <a
-href="compat.html#otherdist">compatibility</a> section.</p>
-
-<p>The server edition of <a href="http://www.corel.com">Corel</a> Linux
-(Canada) also had FreeS/WAN, but Corel have dropped that product line.</p>
-
-<h3><a name="kernel_dist">Linux kernel distributions</a></h3>
-
-<ul>
-<li><a href="http://sourceforge.net/projects/wolk/">Working Overloaded Linux Kernel (WOLK)</a></li>
-</ul>
-
-
-<h3><a name="office_dist">Office server distributions</a></h3>
-
-<p>FreeS/WAN is also included in several distributions aimed at the market
-for turnkey business servers:</p>
-<ul>
-  <li><a href="http://www.e-smith.com/">e-Smith</a> (Canada), which has
-    recently been acquired and become the Network Server Solutions group of
-    <a href="http://www.mitel.com/">Mitel Networks</a> (Canada)</li>
-  <li><a href="http://www.clarkconnect.org/">ClarkConnect</a> from Point Clark Networks (Canada)</li>
-  <li><a href="http://www.trustix.net/">Trustix Secure Linux</a> (Norway)</li>
-   
-</ul>
-
-<h3><a name="fw_dist">Firewall distributions</a></h3>
-
-<p>Several distributions intended for firewall and router applications
-include FreeS/WAN:</p>
-<ul>
-  <li>The <a href="http://www.linuxrouter.org/">Linux Router Project</a>
-    produces a Linux distribution that will boot from a single floppy. The <a
-    href="http://leaf.sourceforge.net">LEAF</a> firewall project provides
-    several different LRP-based firewall packages. At least one of them,
-    Charles Steinkuehler's Dachstein, includes FreeS/WAN with X.509
-  patches.</li>
-  <li>there are several distributions bootable directly from CD-ROM, usable
-    on a machine without hard disk.
-    <ul>
-      <li>Dachstein (see above) can be used this way</li>
-      <li><a href="http://www.gibraltar.at/">Gibraltar</a> is based on Debian
-        GNU/Linux.</li>
-      <li>at time of writing, <a href="www.xiloo.com">Xiloo</a> is available
-        only in Chinese. An English version is expected.</li>
-    </ul>
-  </li>
-  <li><a href="http://www.astaro.com/products/index.html">Astaro Security
-    Linux</a> includes FreeS/WAN. It has some web-based tools for managing
-    the firewall that include FreeS/WAN configuration management.</li>
-  <li><a href="http://www.linuxwall.de">Linuxwall</a></li>
-  <li><a href="http://www.smoothwall.org/">Smoothwall</a></li>
-  <li><a href="http://www.devil-linux.org/">Devil Linux</a></li>
-  <li>Coyote Linux has a <a
-    href="http://embedded.coyotelinux.com/wolverine/index.php">Wolverine</a>
-    firewall/VPN server</li>
-</ul>
-
-<p>There are also several sets of scripts available for managing a firewall
-which is also acting as a FreeS/WAN IPsec gateway. See this <a
-href="firewall.html#rules.pub">list</a>.</p>
-
-<h3><a name="turnkey">Firewall and VPN products</a></h3>
-
-<p>Several vendors use FreeS/WAN as the IPsec component of a turnkey firewall
-or VPN product.</p>
-
-<p>Software-only products:</p>
-<ul>
-  <li><a href="http://www.linuxmagic.com/vpn/index.html">Linux Magic</a>
-    offer a VPN/Firewall product using FreeS/WAN</li>
-  <li>The Software Group's <a
-    href="http://www.wanware.com/sentinet/">Sentinet</a> product uses
-    FreeS/WAN</li>
-  <li><a href="http://www.merilus.com">Merilus</a> use FreeS/WAN in their
-    Gateway Guardian firewall product</li>
-</ul>
-
-<p>Products that include the hardware:</p>
-<ul>
-  <li>The <a href="http://www.lasat.com">LASAT SafePipe[tm]</a> series. is an
-    IPsec box based on an embedded MIPS running Linux with FreeS/WAN and a
-    web-config front end. This company also host our freeswan.org web
-  site.</li>
-  <li>Merilus <a
-    href="http://www.merilus.com/products/fc/index.shtml">Firecard</a> is a
-    Linux firewall on a PCI card.</li>
-  <li><a href="http://www.kyzo.com/">Kyzo</a> have a "pizza box" product line
-    with various types of server, all running from flash. One of them is an
-    IPsec/PPTP VPN server</li>
-  <li><a href="http://www.pfn.com">PFN</a> use FreeS/WAN in some of their
-    products</li>
-</ul>
-
-<p><a href="www.rebel.com">Rebel.com</a>, makers of the Netwinder Linux
-machines (ARM or Crusoe based), had a product that used FreeS/WAN. The
-company is in receivership so the future of the Netwinder is at best unclear.
-<a href="web.html#patch">PKIX patches</a> for FreeS/WAN developed at Rebel
-are listed in our web links document.</p>
-
-
-<h2><a name="docs">Information sources</a></h2>
-
-<h3><a name="docformats">This HowTo, in multiple formats</a></h3>
-
-<p>FreeS/WAN documentation up to version 1.5 was available only in HTML. Now
-we ship two formats:</p>
-<ul>
-  <li>as HTML, one file for each doc section plus a global <a
-    href="toc.html">Table of Contents</a></li>
-  <li><a href="HowTo.html">one big HTML file</a> for easy searching</li>
-</ul>
-
-<p>and provide a Makefile to generate other formats if required:</p>
-<ul>
-  <li><a href="HowTo.pdf">PDF</a></li>
-  <li><a href="HowTo.ps">Postscript</a></li>
-  <li><a href="HowTo.txt">ASCII text</a></li>
-</ul>
-
-<p>The Makefile assumes the htmldoc tool is available. You can download it
-from <a href="http://www.easysw.com">Easy Software</a>.</p>
-
-<p>All formats should be available at the following websites:</p>
-<ul>
-  <li><a href="http://www.freeswan.org/doc.html">FreeS/WAN project</a></li>
-  <li><a href="http://www.linuxdoc.org">Linux Documentation Project</a></li>
-</ul>
-
-<p>The distribution tarball has only the two HTML formats.</p>
-
-<p><strong>Note:</strong> If you need the latest doc version, for example to
-see if anyone has managed to set up interoperation between FreeS/WAN and
-whatever, then you should download the current snapshot. What is on the web
-is documentation as of the last release. Snapshots have all changes I've
-checked in to date.</p>
-
-<h3><a name="rtfm">RTFM (please Read The Fine Manuals)</a></h3>
-
-<p>As with most things on any Unix-like system, most parts of Linux FreeS/WAN
-are documented in online manual pages. We provide a list of <a
-href="/mnt/floppy/manpages.html">FreeS/WAN man pages</a>, with links to HTML
-versions of them.</p>
-
-<p>The man pages describing configuration files are:</p>
-<ul>
-  <li><a href="/mnt/floppy/manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a></li>
-  <li><a
-    href="/mnt/floppy/manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a></li>
-</ul>
-
-<p>Man pages for common commands include:</p>
-<ul>
-  <li><a href="/mnt/floppy/manpage.d/ipsec.8.html">ipsec(8)</a></li>
-  <li><a
-  href="/mnt/floppy/manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</a></li>
-  <li><a
-    href="/mnt/floppy/manpage.d/ipsec_newhostkey.8.html">ipsec_newhostkey(8)</a></li>
-  <li><a href="/mnt/floppy/manpage.d/ipsec_auto.8.html">ipsec_auto(8)</a></li>
-</ul>
-
-<p>You can read these either in HTML using the links above or with the
-<var>man(1)</var> command.</p>
-
-<p>In the event of disagreement between this HTML documentation and the man
-pages, the man pages are more likely correct since they are written by the
-implementers. Please report any such inconsistency on the <a
-href="mail.html#lists">mailing list</a>.</p>
-
-<h3><a name="text">Other documents in the distribution</a></h3>
-
-<p>Text files in the main distribution directory are README, INSTALL,
-CREDITS, CHANGES, BUGS and COPYING.</p>
-
-<p>The Libdes encryption library we use has its own documentation. You can
-find it in the library directory..</p>
-
-<h3><a name="assumptions">Background material</a></h3>
-
-<p>Throughout this documentation, I write as if the reader had at least a
-general familiarity with Linux, with Internet Protocol networking, and with
-the basic ideas of system and network security. Of course that will certainly
-not be true for all readers, and quite likely not even for a majority.</p>
-
-<p>However, I must limit amount of detail on these topics in the main text.
-For one thing, I don't understand all the details of those topics myself.
-Even if I did, trying to explain everything here would produce extremely long
-and almost completely unreadable documentation.</p>
-
-<p>If one or more of those areas is unknown territory for you, there are
-plenty of other resources you could look at:</p>
-<dl>
-  <dt>Linux</dt>
-    <dd>the <a href="http://www.linuxdoc.org">Linux Documentation Project</a>
-      or a local <a href="http://www.linux.org/groups/">Linux User Group</a>
-      and these <a href="web.html#linux.link">links</a></dd>
-  <dt>IP networks</dt>
-    <dd>Rusty Russell's <a
-      href="http://netfilter.samba.org/unreliable-guides/networking-concepts-HOWTO/index.html">Networking
-      Concepts HowTo</a> and these <a
-    href="web.html#IP.background">links</a></dd>
-  <dt>Security</dt>
-    <dd>Schneier's book <a href="biblio.html#secrets">Secrets and Lies</a>
-      and these <a href="web.html#crypto.link">links</a></dd>
-</dl>
-
-<p>Also, I do make an effort to provide some background material in these
-documents. All the basic ideas behind IPsec and FreeS/WAN are explained here.
-Explanations that do not fit in the main text, or that not everyone will
-need, are often in the <a href="glossary.html#ourgloss">glossary</a>, which is 
-the largest single file in this document set. There is also a <a
-href="background.html#background">background</a> file containing various 
-explanations too long to fit in glossary definitions. All files are heavily 
-sprinkled with links to each other and to the glossary. <strong>If some passage 
-makes no sense to you, try the links</strong>.</p>
-
-<p>For other reference material, see the <a
-href="biblio.html#biblio">bibliography</a> and our collection of <a
-href="web.html#weblinks">web links</a>.</p>
-
-<p>Of course, no doubt I get this (and other things) wrong sometimes.
-Feedback via the <a href="mail.html#lists">mailing lists</a> is welcome.</p>
-
-<h3><a name="archives">Archives of the project mailing list</a></h3>
-
-<p>Until quite recently, there was only one FreeS/WAN mailing list, and
-archives of it were:</p>
-<ul>
-  <li><a href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</a></li>
-  <li><a href="http://www.nexial.com">Holland</a></li>
-</ul>
-The two archives use completely different search engines. You might want to
-try both.
-
-<p>More recently we have expanded to five lists, each with its own
-archive.</p>
-
-<p><a href="mail.html#lists">More information</a> on mailing lists.</p>
-
-<h3><a name="howto">User-written HowTo information</a></h3>
-
-<p>Various user-written HowTo documents are available. The ones covering
-FreeS/WAN-to-FreeS/WAN connections are:</p>
-<ul>
-  <li>Jean-Francois Nadeau's <a href="http://jixen.tripod.com/">practical
-    configurations</a> document</li>
-  <li>Jens Zerbst's HowTo on <a href="http://dynipsec.tripod.com/">Using
-    FreeS/WAN with dynamic IP addresses</a>.</li>
-  <li>an entry in Kurt Seifried's <a
-    href="http://www.securityportal.com/lskb/kben00000013.html">Linux
-    Security Knowledge Base</a>.</li>
-  <li>a section of David Ranch's <a
-    href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">Trinity
-    OS Guide</a></li>
-  <li>a section in David Bander's book <a href="biblio.html#bander">Linux
-    Security Toolkit</a></li>
-</ul>
-
-<p>User-wriiten HowTo material may be <strong>especially helpful if you need
-to interoperate with another IPsec implementation</strong>. We have neither
-the equipment nor the manpower to test such configurations. Users seem to be
-doing an admirable job of filling the gaps.</p>
-<ul>
-  <li>list of user-written <a href="interop.html#otherpub">interoperation
-    HowTos</a> in our interop document</li>
-</ul>
-
-<p>Check what version of FreeS/WAN user-written documents cover. The software
-is under active development and the current version may be significantly
-different from what an older document describes.</p>
-
-<h3><a name="applied">Papers on FreeS/WAN</a></h3>
-
-<p>Two design documents show team thinking on new developments:</p>
-<ul>
-  <li><a href="opportunism.spec">Opportunistic Encryption</a> by technical
-    lead Henry Spencer and Pluto programmer Hugh Redelemeier</li>
-  <li>discussion of <a
-    href="http://www.sandelman.ottawa.on.ca/SSW/freeswan/klips2req/">KLIPS
-    redesign</a></li>
-</ul>
-
-<p>Both documents are works in progress and are frequently revised. For the
-latest version, see the <a href="mail.html#lists">design mailing list</a>. Comments
-should go to that list.</p>
-
-<p>There is now an <a
-href="http://www.ietf.org/internet-drafts/draft-richardson-ipsec-opportunistic-06.txt">Internet
-Draft on Opportunistic Encryption</a> by Michael Richardson, Hugh Redelmeier
-and Henry Spencer. This is a first step toward getting the protocol
-standardised so there can be multiple implementations of it. Discussion of it
-takes place on the <a
-href="http://www.ietf.org/html.charters/ipsec-charter.html">IETF IPsec
-Working Group</a> mailing list.</p>
-
-<p>A number of papers giving further background on FreeS/WAN, or exploring
-its future or its applications, are also available:</p>
-<ul>
-  <li>Both Henry and Richard gave talks on FreeS/WAN at the 2000 <a
-    href="http://www.linuxsymposium.org">Ottawa Linux Symposium</a>.
-    <ul>
-      <li>Richard's <a
-        href="http://www.conscoop.ottawa.on.ca/rgb/freeswan/ols2k/">slides</a></li>
-      <li>Henry's paper</li>
-      <li>MP3 audio of their talks is available from the <a
-        href="http://www.linuxsymposium.org/">conference page</a></li>
-    </ul>
-  </li>
-  <li><cite>Moat: A Virtual Private Network Appliances and Services
-    Platform</cite> is a paper about large-scale (a few 100 links) use of
-    FreeS/WAN in a production application at AT&amp;T Research. It is
-    available in Postscript or PDF from co-author Steve Bellovin's <a
-    href="http://www.research.att.com/~smb/papers/index.html">papers list
-    page</a>.</li>
-  <li>One of the Moat co-authors, John Denker, has also written
-    <ul>
-      <li>a <a
-        href="http://www.av8n.com/vpn/ipsec+routing.htm">proposal</a>
-        for how future versions of FreeS/WAN might interact with routing
-        protocols</li>
-      <li>a <a
-        href="http://www.av8n.com/vpn/wishlist.htm">wishlist</a>
-        of possible new features</li>
-    </ul>
-  </li>
-  <li>Bart Trojanowski's web page has a draft design for <a
-    href="http://www.jukie.net/~bart/linux-ipsec/">hardware acceleration</a>
-    of FreeS/WAN</li>
-</ul>
-
-<p>Several of these provoked interesting discussions on the mailing lists,
-worth searching for in the <a href="mail.html#archive">archives</a>.</p>
-
-<p>There are also several papers in languages other than English, see our <a
-href="web.html#otherlang">web links</a>.</p>
-
-<h3><a name="licensing">License and copyright information</a></h3>
-
-<p>All code and documentation written for this project is distributed under
-either the GNU General Public License (<a href="glossary.html#GPL">GPL</a>)
-or the GNU Library General Public License. For details see the COPYING file
-in the distribution.</p>
-
-<p>Not all code in the distribution is ours, however. See the CREDITS file
-for details. In particular, note that the <a
-href="glossary.html#LIBDES">Libdes</a> library and the version of <a
-href="glossary.html#MD5">MD5</a> that we use each have their own license.</p>
-
-<h2><a name="sites">Distribution sites</a></h2>
-
-<p>FreeS/WAN is available from a number of sites.</p>
-
-<h3>Primary site</h3>
-
-<p>Our primary site, is at xs4all (Thanks, folks!) in Holland:</p>
-<ul>
-  <li><a href="http://www.xs4all.nl/~freeswan">HTTP</a></li>
-  <li><a href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">FTP</a></li>
-</ul>
-
-<h3><a name="mirrors">Mirrors</a></h3>
-
-<p>There are also mirror sites all over the world:</p>
-<ul>
-  <li><a href="http://www.flora.org/freeswan">Eastern Canada</a> (limited
-    resouces)</li>
-  <li><a href="ftp://ludwig.doculink.com/pub/freeswan/">Eastern Canada</a>
-    (has older versions too)</li>
-  <li><a href="ftp://ntsc.notBSD.org/pub/crypto/freeswan/">Eastern Canada</a>
-    (has older versions too)</li>
-  <li><a href="ftp://ftp.kame.net/pub/freeswan/">Japan</a></li>
-  <li><a href="ftp://ftp.futuredynamics.com/freecrypto/FreeSWAN/">Hong
-    Kong</a></li>
-  <li><a href="ftp://ipsec.dk/pub/freeswan/">Denmark</a></li>
-  <li><a href="ftp://ftp.net.lut.ac.uk/freeswan">the UK</a></li>
-  <li><a href="http://storm.alert.sk/comp/mirrors/freeswan/">Slovak
-    Republic</a></li>
-  <li><a
-    href="http://the.wiretapped.net/security/vpn-tunnelling/freeswan/">Australia</a></li>
-  <li><a href="http://freeswan.technolust.cx/">technolust</a></li>
-  <li><a href="http://freeswan.devguide.de/">Germany</a></li>
-  <li>Ivan Moore's <a href="http://snowcrash.tdyc.com/freeswan/">site</a></li>
-  <li>the <a href="http://www.cryptoarchive.net/">Crypto Archive</a> on the
-    <a href="http://www.securityportal.com/">Security Portal</a> site</li>
-  <li><a href="http://www.wiretapped.net/">Wiretapped.net</a> in
-  Australia</li>
-</ul>
-
-<p>Thanks to those folks as well.</p>
-
-<h3><a name="munitions">The "munitions" archive of Linux crypto
-software</a></h3>
-
-<p>There is also an archive of Linux crypto software called "munitions", with
-its own mirrors in a number of countries. It includes FreeS/WAN, though not
-always the latest version. Some of its sites are:</p>
-<ul>
-  <li><a href="http://munitions.vipul.net/">Germany</a></li>
-  <li><a href="http://munitions.iglu.cjb.net/">Italy</a></li>
-  <li><a href="http://munitions2.xs4all.nl/">Netherlands</a></li>
-</ul>
-
-<p>Any of those will have a list of other "munitions" mirrors. There is also
-a CD available.</p>
-
-<h2>Links to other sections</h2>
-
-<p>For more detailed background information, see:</p>
-<ul>
-  <li><a href="politics.html#politics">history and politics</a> of 
-   cryptography</li>
-  <li><a href="ipsec.html#ipsec.detail">IPsec protocols</a></li>
-</ul>
-
-<p>To begin working with FreeS/WAN, go to our <a
-href="quickstart.html#quick.guide">quickstart</a> guide.</p>
-</body>
-</html>
diff --git a/doc/src/ipsec.html b/doc/src/ipsec.html
deleted file mode 100644
index 4647eaf66..000000000
--- a/doc/src/ipsec.html
+++ /dev/null
@@ -1,1206 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>IPsec protocols</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, protocol, ESP, AH, IKE">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: ipsec.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="ipsec.detail">The IPsec protocols</a></h1>
-
-<p>This section provides information on the IPsec protocols which FreeS/WAN
-implements. For more detail, see the <a href="rfc.html">RFCs</a>.</p>
-
-<p>The basic idea of IPsec is to provide security functions, <a
-href="glossary.html#authentication">authentication</a> and <a
-href="glossary.html#encryption">encryption</a>, at the IP (Internet Protocol)
-level. This requires a higher-level protocol (IKE) to set things up for the
-IP-level services (ESP and AH).</p>
-
-<h2>Protocols and phases</h2>
-
-<p>Three protocols are used in an IPsec implementation:</p>
-<dl>
-  <dt>ESP, Encapsulating Security Payload</dt>
-    <dd>Encrypts and/or authenticates data</dd>
-  <dt>AH, Authentication Header</dt>
-    <dd>Provides a packet authentication service</dd>
-  <dt>IKE, Internet Key Exchange</dt>
-    <dd>Negotiates connection parameters, including keys, for the other
-    two</dd>
-</dl>
-
-<p>The term "IPsec" (also written as IPSEC) is slightly ambiguous. In some
-contexts, it includes all three of the above but in other contexts it refers
-only to AH and ESP.</p>
-
-<p>There is more detail below, but a quick summary of how the whole thing
-works is:</p>
-<dl>
-  <dt>Phase one IKE (main mode exchange)</dt>
-    <dd>sets up a keying channel (ISAKMP SA) between the two gateways</dd>
-  <dt>Phase two IKE (quick mode exchange)</dt>
-    <dd>sets up data channels (IPsec SAs)</dd>
-  <dt>IPsec proper</dt>
-    <dd>exchanges data using AH or ESP</dd>
-</dl>
-
-<p>Both phases of IKE are repeated periodically to automate re-keying.</p>
-
-<h2><a name="others">Applying IPsec</a></h2>
-
-<p>Authentication and encryption functions for network data can, of course,
-be provided at other levels. Many security protocols work at levels above
-IP.</p>
-<ul>
-  <li><a href="glossary.html#PGP">PGP</a> encrypts and authenticates mail
-    messages</li>
-  <li><a href="glossary.html#SSH">SSH</a> authenticates remote logins and
-    then encrypts the session</li>
-  <li><a href="glossary.html#SSL">SSL</a> or <a
-    href="glossary.html#TLS">TLS</a> provides security at the sockets layer,
-    e.g. for secure web browsing</li>
-</ul>
-
-<p>and so on. Other techniques work at levels below IP. For example, data on
-a communications circuit or an entire network can be encrypted by specialised
-hardware. This is common practice in high-security applications.</p>
-
-<h3><a name="advantages">Advantages of IPsec</a></h3>
-
-<p>There are, however, advantages to doing it at the IP level instead of, or
-as well as, at other levels.</p>
-
-<p>IPsec is the <strong>most general way to provide these services for the
-Internet</strong>.</p>
-<ul>
-  <li>Higher-level services protect a <em>single protocol</em>; for example
-    PGP protects mail.</li>
-  <li>Lower level services protect a <em>single medium</em>; for example a
-    pair of encryption boxes on the ends of a line make wiretaps on that line
-    useless unless the attacker is capable of breaking the encryption.</li>
-</ul>
-
-<p>IPsec, however, can protect <em>any protocol</em> running above IP and
-<em>any medium</em> which IP runs over. More to the point, it can protect a
-mixture of application protocols running over a complex combination of media.
-This is the normal situation for Internet communication; IPsec is the only
-general solution.</p>
-
-<p>IPsec can also provide some security services "in the background", with
-<strong>no visible impact on users</strong>. To use <a
-href="glossary.html#PGP">PGP</a> encryption and signatures on mail, for
-example, the user must at least:</p>
-<ul>
-  <li>remember his or her passphrase,</li>
-  <li>keep it secure</li>
-  <li>follow procedures to validate correspondents' keys</li>
-</ul>
-
-<p>These systems can be designed so that the burden on users is not onerous,
-but any system will place some requirements on users. No such system can hope
-to be secure if users are sloppy about meeting those requirements. The author
-has seen username and password stuck on terminals with post-it notes in an
-allegedly secure environment, for example.</p>
-
-<h3><a name="limitations">Limitations of IPsec</a></h3>
-
-<p>IPsec is designed to secure IP links between machines. It does that well,
-but it is important to remember that there are many things it does not do.
-Some of the important limitations are:</p>
-<dl>
-  <dt><a name="depends">IPsec cannot be secure if your system isn't</a></dt>
-    <dd>System security on IPsec gateway machines is an essential requirement
-      if IPsec is to function as designed. No system can be trusted if the
-      underlying machine has been subverted. See books on Unix security such
-      as <a href="biblio.html#practical">Garfinkel and Spafford</a> or our
-      web references for <a href="web.html#linsec">Linux security</a> or more
-      general <a href="web.html#compsec">computer security</a>.
-      <p>Of course, there is another side to this. IPsec can be a powerful
-      tool for improving system and network security. For example, requiring
-      packet authentication makes various spoofing attacks harder and IPsec
-      tunnels can be extremely useful for secure remote administration of
-      various things.</p>
-    </dd>
-  <dt><a name="not-end-to-end">IPsec is not end-to-end</a></dt>
-    <dd>IPsec cannot provide the same end-to-end security as systems working
-      at higher levels. IPsec encrypts an IP connection between two machines,
-      which is quite a different thing than encrypting messages between users
-      or between applications.
-      <p>For example, if you need mail encrypted from the sender's desktop to
-      the recipient's desktop and decryptable only by the recipient, use <a
-      href="glossary.html#PGP">PGP</a> or another such system. IPsec can
-      encrypt any or all of the links involved -- between the two mail
-      servers, or between either server and its clients. It could even be
-      used to secure a direct IP link from the sender's desktop machine to
-      the recipient's, cutting out any sort of network snoop. What it cannot
-      ensure is end-to-end user-to-user security. If only IPsec is used to
-      secure mail, then anyone with appropriate privileges on any machine
-      where that mail is stored (at either end or on any store-and-forward
-      servers in the path) can read it.</p>
-      <p>In another common setup, IPsec encrypts packets at a security
-      gateway machine as they leave the sender's site and decrypts them on
-      arrival at the gateway to the recipient's site. This does provide a
-      useful security service -- only encrypted data is passed over the
-      Internet -- but it does not even come close to providing an end-to-end
-      service. In particular, anyone with appropriate privileges on either
-      site's LAN can intercept the message in unencrypted form.</p>
-    </dd>
-  <dt><a name="notpanacea">IPsec cannot do everything</a></dt>
-    <dd>IPsec also cannot provide all the functions of systems working at
-      higher levels of the protocol stack. If you need a document
-      electronically signed by a particular person, then you need his or her
-      <a href="glossary.html#signature">digital signature</a> and a <a
-      href="glossary.html#public">public key cryptosystem</a> to verify it
-      with.
-      <p>Note, however, that IPsec authentication of the underlying
-      communication can make various attacks on higher-level protocols more
-      difficult. In particular, authentication prevents <a
-      href="glossary.html#middle">man-in-the-middle attacks</a>.</p>
-    </dd>
-  <dt><a name="no_user">IPsec authenticates machines, not users</a></dt>
-    <dd>IPsec uses strong authentication mechanisms to control which messages
-      go to which machines, but it does not have the concept of user ID,
-      which is vital to many other security mechansims and policies. This
-      means some care must be taken in fitting the various security
-      mechansims on a network together. For example, if you need to control
-      which users access your database server, you need some non-IPsec
-      mechansim for that. IPsec can control which machines connect to the
-      server, and can ensure that data transfer to those machines is done
-      securely, but that is all. Either the machines themselves must control
-      user access or there must be some form of user authentication to the
-      database, independent of IPsec.</dd>
-  <dt><a name="DoS">IPsec does not stop denial of service attacks</a></dt>
-    <dd><a href="glossary.html#DOS">Denial of service</a> attacks aim at
-      causing a system to crash, overload, or become confused so that
-      legitimate users cannot get whatever services the system is supposed to
-      provide. These are quite different from attacks in which the attacker
-      seeks either to use the service himself or to subvert the service into
-      delivering incorrect results.
-      <p>IPsec shifts the ground for DoS attacks; the attacks possible
-      against systems using IPsec are different than those that might be used
-      against other systems. It does not, however, eliminate the possibility
-      of such attacks.</p>
-    </dd>
-  <dt><a name="traffic">IPsec does not stop traffic analysis</a></dt>
-    <dd><a href="glossary.html#traffic">Traffic analysis</a> is the attempt
-      to derive intelligence from messages without regard for their contents.
-      In the case of IPsec, it would mean analysis based on things visible in
-      the unencrypted headers of encrypted packets -- source and destination
-      gateway addresses, packet size, et cetera. Given the resources to
-      acquire such data and some skill in analysing it (both of which any
-      national intelligence agency should have), this can be a very powerful
-      technique.
-      <p>IPsec is not designed to defend against this. Partial defenses are
-      certainly possible, and some are <a href="#traffic.resist">described
-      below</a>, but it is not clear that any complete defense can be
-      provided.</p>
-    </dd>
-</dl>
-
-<h3><a name="uses">IPsec is a general mechanism for securing IP</a></h3>
-
-<p>While IPsec does not provide all functions of a mail encryption package,
-it can encrypt your mail. In particular, it can ensure that all mail passing
-between a pair or a group of sites is encrypted. An attacker looking only at
-external traffic, without access to anything on or behind the IPsec gateway,
-cannot read your mail. He or she is stymied by IPsec just as he or she would
-be by <a href="glossary.html#PGP">PGP</a>.</p>
-
-<p>The advantage is that IPsec can provide the same protection for <strong>
-anything transmitted over IP</strong>. In a corporate network example, PGP
-lets the branch offices exchange secure mail with head office. SSL and SSH
-allow them to securely view web pages, connect as terminals to machines, and
-so on. IPsec can support all those applications, plus database queries, file
-sharing (NFS or Windows), other protocols encapsulated in IP (Netware,
-Appletalk, ...), phone-over-IP, video-over-IP, ... anything-over-IP. The only
-limitation is that IP Multicast is not yet supported, though there are
-Internet Draft documents for that.</p>
-
-<p>IPsec creates <strong>secure tunnels through untrusted networks</strong>.
-Sites connected by these tunnels form VPNs, <a
-href="glossary.html#VPN">Virtual Private Networks</a>.</p>
-
-<p>IPsec gateways can be installed wherever they are required.</p>
-<ul>
-  <li>One organisation might choose to install IPsec only on firewalls
-    between their LANs and the Internet. This would allow them to create a
-    VPN linking several offices. It would provide protection against anyone
-    outside their sites.</li>
-  <li>Another might install IPsec on departmental servers so everything on
-    the corporate backbone net was encrypted. This would protect messages on
-    that net from everyone except the sending and receiving department.</li>
-  <li>Another might be less concerned with information secrecy and more with
-    controlling access to certain resources. They might use IPsec packet
-    authentication as part of an access control mechanism, with or without
-    also using the IPsec encryption service.</li>
-  <li>It is even possible (assuming adequate processing power and an IPsec
-    implementation in each node) to make every machine its own IPsec gateway
-    so that everything on a LAN is encrypted. This protects information from
-    everyone outside the sending and receiving machine.</li>
-  <li>These techniques can be combined in various ways. One might, for
-    example, require authentication everywhere on a network while using
-    encryption only for a few links.</li>
-</ul>
-
-<p>Which of these, or of the many other possible variants, to use is up to
-you. <strong>IPsec provides mechanisms; you provide the policy</strong>.</p>
-
-<p><strong>No end user action is required</strong> for IPsec security to be
-used; they don't even have to know about it. The site administrators, of
-course, do have to know about it and to put some effort into making it work.
-Poor administration can compromise IPsec as badly as the post-it notes
-mentioned above. It seems reasonable, though, for organisations to hope their
-system administrators are generally both more security-conscious than end
-users and more able to follow computer security procedures. If not, at least
-there are fewer of them to educate or replace.</p>
-
-<p>IPsec can be, and often should be, used with along with security protocols
-at other levels. If two sites communicate with each other via the Internet,
-then IPsec is the obvious way to protect that communication. If two others
-have a direct link between them, either link encryption or IPsec would make
-sense. Choose one or use both. Whatever you use at and below the IP level,
-use other things as required above that level. Whatever you use above the IP
-level, consider what can be done with IPsec to make attacks on the higher
-levels harder. For example, <a href="glossary.html#middle">man-in-the-middle
-attacks</a> on various protocols become difficult if authentication at packet
-level is in use on the potential victims' communication channel.</p>
-
-<h3><a name="authonly">Using authentication without encryption</a></h3>
-
-<p>Where appropriate, IPsec can provide authentication without encryption.
-One might do this, for example:</p>
-<ul>
-  <li>where the data is public but one wants to be sure of getting the right
-    data, for example on some web sites</li>
-  <li>where encryption is judged unnecessary, for example on some company or
-    department LANs</li>
-  <li>where strong encryption is provided at link level, below IP</li>
-  <li>where strong encryption is provided in other protocols, above IP<br>
-    Note that IPsec authentication may make some attacks on those protocols
-    harder.</li>
-</ul>
-
-<p>Authentication has lower overheads than encryption.</p>
-
-<p>The protocols provide four ways to build such connections, using either an
-AH-only connection or ESP using null encryption, and in either manually or
-automatically keyed mode. FreeS/WAN supports only one of these, manually
-keyed AH-only connections, and <strong>we do not recommend using
-that</strong>. Our reasons are discussed under <a
-href="#traffic.resist">Resisting traffic analysis</a> a few sections further
-along.</p>
-
-<h3><a name="encnoauth">Encryption without authentication is
-dangerous</a></h3>
-
-<p>Originally, the IPsec encryption protocol <a
-href="glossary.html#ESP">ESP</a> didn't do integrity checking. It only did
-encryption. Steve Bellovin found many ways to attack ESP used without
-authentication. See his paper <a
-href="http://www.research.att.com/~smb/papers/badesp.ps">Problem areas for
-the IP Security Protocols</a>. To make a secure connection, you had to add an
-<a href="glossary.html#AH">AH</a> Authentication Header as well as ESP.
-Rather than incur the overhead of several layers (and rather than provide an
-ESP layer that didn't actually protect the traffic), the IPsec working group
-built integrity and replay checking directly into ESP.</p>
-
-<p>Today, typical usage is one of:</p>
-<ul>
-  <li>ESP for encryption and authentication</li>
-  <li>AH for authentication alone</li>
-</ul>
-
-<p>Other variants are allowed by the standard, but not much used:</p>
-<dl>
-  <dt>ESP encryption without authentication</dt>
-    <dd><strong>Bellovin has demonstrated fatal flaws in this. Do not
-      use.</strong></dd>
-  <dt>ESP encryption with AH authentication</dt>
-    <dd>This has higher overheads than using the authentication in ESP, and
-      no obvious benefit in most cases. The exception might be a network
-      where AH authentication was widely or universally used. If you're going
-      to do AH to conform with network policy, why authenticate again in the
-      ESP layer?</dd>
-  <dt>Authenticate twice, with AH and with ESP</dt>
-    <dd>Why? Of course, some folk consider "belt and suspenders" the sensible
-      approach to security. If you're among them, you might use both
-      protocols here. You might also use both to satisfy different parts of a
-      security policy. For example, an organisation might require AH
-      authentication everywhere but two users within the organisation might
-      use ESP as well.</dd>
-  <dt>ESP authentication without encryption</dt>
-    <dd>The standard allows this, calling it "null encryption". FreeS/WAN
-      does not support it. We recommend that you use AH instead if
-      authentication is all you require. AH authenticates parts of the IP
-      header, which ESP-null does not do.</dd>
-</dl>
-
-<p>Some of these variants cannot be used with FreeS/WAN because we do not
-support ESP-null and do not support automatic keying of AH-only
-connections.</p>
-
-<p>There are fairly frequent suggestions that AH be dropped entirely from the
-IPsec specifications since ESP and null encryption can handle that situation.
-It is not clear whether this will occur. My guess is that it is unlikely.</p>
-
-<h3><a name="multilayer">Multiple layers of IPsec processing are
-possible</a></h3>
-
-<p>The above describes combinations possible on a single IPsec connection. In
-a complex network you may have several layers of IPsec in play, with any of
-the above combinations at each layer.</p>
-
-<p>For example, a connection from a desktop machine to a database server
-might require AH authentication. Working with other host, network and
-database security measures, AH might be just the thing for access control.
-You might decide not to use ESP encryption on such packets, since it uses
-resources and might complicate network debugging. Within the site where the
-server is, then, only AH would be used on those packets.</p>
-
-<p>Users at another office, however, might have their whole connection (AH
-headers and all) passing over an IPsec tunnel connecting their office to the
-one with the database server. Such a tunnel should use ESP encryption and
-authentication. You need authentication in this layer because without
-authentication the encryption is vulnerable and the gateway cannot verify the
-AH authentication. The AH is between client and database server; the gateways
-aren't party to it.</p>
-
-<p>In this situation, some packets would get multiple layers of IPsec applied
-to them, AH on an end-to-end client-to-server basis and ESP from one office's
-security gateway to the other.</p>
-
-<h3><a name="traffic.resist">Resisting traffic analysis</a></h3>
-
-<p><a href="glossary.html#traffic">Traffic analysis</a> is the attempt to
-derive useful intelligence from encrypted traffic without breaking the
-encryption.</p>
-
-<p>Is your CEO exchanging email with a venture capital firm? With bankruptcy
-trustees? With an executive recruiting agency? With the holder of some
-important patents? If an eavesdropper learns about any of those, then he has
-interesting intelligence on your company, whether or not he can read the
-messages themselves.</p>
-
-<p>Even just knowing that there is network traffic between two sites may tell
-an analyst something useful, especially when combined with whatever other
-information he or she may have. For example, if you know Company A is having
-cashflow problems and Company B is looking for aquisitions, then knowing that
-packets are passing between the two is interesting. It is more interesting if
-you can tell it is email, and perhaps yet more if you know the sender and
-recipient.</p>
-
-<p>Except in the simplest cases, traffic analysis is hard to do well. It
-requires both considerable resources and considerable analytic skill.
-However, intelligence agencies of various nations have been doing it for
-centuries and many of them are likely quite good at it by now. Various
-commercial organisations, especially those working on "targeted marketing"
-may also be quite good at analysing certain types of traffic.</p>
-
-<p>In general, defending against traffic analysis is also difficult.
-Inventing a really good defense could get you a PhD and some interesting job
-offers.</p>
-
-<p>IPsec is not designed to stop traffic analysis and we know of no plausible
-method of extending it to do so. That said, there are ways to make traffic
-analysis harder. This section describes them.</p>
-
-<h4><a name="extra">Using "unnecessary" encryption</a></h4>
-
-<p>One might choose to use encryption even where it appears unnecessary in
-order to make analysis more difficult. Consider two offices which pass a
-small volume of business data between them using IPsec and also transfer
-large volumes of Usenet news. At first glance, it would seem silly to encrypt
-the newsfeed, except possibly for any newsgroups that are internal to the
-company. Why encrypt data that is all publicly available from many sites?</p>
-
-<p>However, if we encrypt a lot of news and send it down the same connection
-as our business data, we make <a href="glossary.html#traffic">traffic
-analysis</a> much harder. A snoop cannot now make inferences based on
-patterns in the volume, direction, sizes, sender, destination, or timing of
-our business messages. Those messages are hidden in a mass of news messages
-encapsulated in the same way.</p>
-
-<p>If we're going to do this we need to ensure that keys change often enough
-to remain secure even with high volumes and with the adversary able to get
-plaintext of much of the data. We also need to look at other attacks this
-might open up. For example, can the adversary use a chosen plaintext attack,
-deliberately posting news articles which, when we receive and encrypt them,
-will help break our encryption? Or can he block our business data
-transmission by flooding us with silly news articles? Or ...</p>
-
-<p>Also, note that this does not provide complete protection against traffic
-analysis. A clever adversary might still deduce useful intelligence from
-statistical analysis (perhaps comparing the input newsfeed to encrypted
-output, or comparing the streams we send to different branch offices), or by
-looking for small packets which might indicate establishment of TCP
-connections, or ...</p>
-
-<p>As a general rule, though, to improve resistance to traffic analysis, you
-should <strong>encrypt as much traffic as possible, not just as much as seems
-necessary.</strong></p>
-
-<h4><a name="multi-encrypt">Using multiple encryption</a></h4>
-
-<p>This also applies to using multiple layers of encryption. If you have an
-IPsec tunnel between two branch offices, it might appear silly to send <a
-href="glossary.html#PGP">PGP</a>-encrypted email through that tunnel.
-However, if you suspect someone is snooping your traffic, then it does make
-sense:</p>
-<ul>
-  <li>it protects the mail headers; they cannot even see who is mailing
-  who</li>
-  <li>it protects against user bungles or software malfunctions that
-    accidentally send messages in the clear</li>
-  <li>it makes any attack on the mail encryption much harder; they have to
-    break IPsec or break into your network before they can start on the mail
-    encryption</li>
-</ul>
-
-<p>Similar arguments apply for <a href="glossary.html#SSL">SSL</a>-encrypted
-web traffic or <a href="glossary.html#SSH">SSH</a>-encrypted remote login
-sessions, even for end-to-end IPsec tunnels between systems in the two
-offices.</p>
-
-<h4><a name="fewer">Using fewer tunnels</a></h4>
-
-<p>It may also help to use fewer tunnels. For example, if all you actually
-need encrypted is connections between:</p>
-<ul>
-  <li>mail servers at branch and head offices</li>
-  <li>a few branch office users and the head office database server</li>
-</ul>
-
-<p>You might build one tunnel per mail server and one per remote database
-user, restricting traffic to those applications. This gives the traffic
-analyst some information, however. He or she can distinguish the tunnels by
-looking at information in the ESP header and, given that distinction and the
-patterns of tunnel usage, might be able to figure out something useful.
-Perhaps not, but why take the risk?</p>
-
-<p>We suggest instead that you build one tunnel per branch office, encrypting
-everything passing from head office to branches. This has a number of
-advantages:</p>
-<ul>
-  <li>it is easier to build and administer</li>
-  <li>it resists traffic analysis somewhat better</li>
-  <li>it provides security for whatever you forgot. For example, if some user
-    at a remote office browses proprietary company data on some head office
-    web page (that the security people may not even know about!), then that
-    data is encrypted before it reaches the Internet.</li>
-</ul>
-
-<p>Of course you might also want to add additional tunnels. For example, if
-some of the database data is confidential and should not be exposed even
-within the company, then you need protection from the user's desktop to the
-database server. We suggest you do that in whatever way seems appropriate --
-IPsec, SSH or SSL might fit -- but, whatever you choose, pass it between
-locations via a gateway-to-gateway IPsec tunnel to provide some resistance to
-traffic analysis.</p>
-
-<h2><a name="primitives">Cryptographic components</a></h2>
-
-<p>IPsec combines a number of cryptographic techniques, all of them
-well-known and well-analyzed. The overall design approach was conservative;
-no new or poorly-understood components were included.</p>
-
-<p>This section gives a brief overview of each technique. It is intended only
-as an introduction. There is more information, and links to related topics,
-in our <a href="glossary.html">glossary</a>. See also our <a
-href="biblio.html">bibliography</a> and cryptography <a
-href="web.html#crypto.link">web links</a>.</p>
-
-<h3><a name="block.cipher">Block ciphers</a></h3>
-
-<p>The <a href="glossary.html#encryption">encryption</a> in the <a
-href="glossary.html#ESP">ESP</a> encapsulation protocol is done with a <a
-href="glossary.html#block">block cipher</a>.</p>
-
-<p>We do not implement <a href="glossary.html#DES">single DES</a>. It is <a
-href="politics.html#desnotsecure">insecure</a>. Our default, and currently
-only, block cipher is <a href="glossary.html#3DES">triple DES</a>.</p>
-
-<p>The <a href="glossary.html#rijndael">Rijndael</a> block cipher has won the
-<a href="glossary.html#AES">AES</a> competition to choose a relacement for
-DES. It will almost certainly be added to FreeS/WAN and to other IPsec
-implementations. <a href="web.html#patch">Patches</a> are already
-available.</p>
-
-<h3><a name="hash.ipsec">Hash functions</a></h3>
-
-<h4><a name="hmac.ipsec">The HMAC construct</a></h4>
-
-<p>IPsec packet authentication is done with the <a
-href="glossary.html#HMAC">HMAC</a> construct. This is not just a hash of the
-packet data, but a more complex operation which uses both a hashing algorithm
-and a key. It therefore does more than a simple hash would. A simple hash
-would only tell you that the packet data was not changed in transit, or that
-whoever changed it also regenerated the hash. An HMAC also tells you that the
-sender knew the HMAC key.</p>
-
-<p>For IPsec HMAC, the output of the hash algorithm is truncated to 96 bits.
-This saves some space in the packets. More important, it prevents an attacker
-from seeing all the hash output bits and perhaps creating some sort of attack
-based on that knowledge.</p>
-
-<h4>Choice of hash algorithm</h4>
-
-<p>The IPsec RFCs require two hash algorithms -- <a
-href="glossary.html#MD5">MD5</a> and <a href="glossary.html#SHA">SHA-1</a> --
-both of which FreeS/WAN implements.</p>
-
-<p>Various other algorithms -- such as RIPEMD and Tiger -- are listed in the
-RFCs as optional. None of these are in the FreeS/WAN distribution, or are
-likely to be added, although user <a href="web.html#patch">patches</a> exist
-for several of them.</p>
-
-<p>Additional hash algorithms -- <a href="glossary.html#SHA-256">SHA-256,
-SHA-384 and SHA-512</a> -- may be required to give hash strength matching the
-strength of <a href="glossary.html#AES">AES</a>. These are likely to be added
-to FreeS/WAN along with AES.</p>
-
-<h3><a name="DH.keying">Diffie-Hellman key agreement</a></h3>
-
-<p>The <a href="glossary.html#DH">Diffie-Hellman</a> key agreement protocol
-allows two parties (A and B or <a href="glossary.html#alicebob">Alice and
-Bob</a>) to agree on a key in such a way that an eavesdropper who intercepts
-the entire conversation cannot learn the key.</p>
-
-<p>The protocol is based on the <a href="glossary.html#dlog">discrete
-logarithm</a> problem and is therefore thought to be secure. Mathematicians
-have been working on that problem for years and seem no closer to a solution,
-though there is no proof that an efficient solution is impossible.</p>
-
-<h3><a name="RSA.auth">RSA authentication</a></h3>
-
-<p>The <a href="glossary.html#RSA">RSA</a> algorithm (named for its inventors
--- Rivest, Shamir and Adleman) is a very widely used <a
-href="glossary.html#">public key</a> cryptographic technique. It is used in
-IPsec as one method of authenticating gateways for Diffie-Hellman key
-negotiation.</p>
-
-<h2><a name="structure">Structure of IPsec</a></h2>
-
-<p>There are three protocols used in an IPsec implementation:</p>
-<dl>
-  <dt>ESP, Encapsulating Security Payload</dt>
-    <dd>Encrypts and/or authenticates data</dd>
-  <dt>AH, Authentication Header</dt>
-    <dd>Provides a packet authentication service</dd>
-  <dt>IKE, Internet Key Exchange</dt>
-    <dd>Negotiates connection parameters, including keys, for the other
-    two</dd>
-</dl>
-
-<p>The term "IPsec" is slightly ambiguous. In some contexts, it includes all
-three of the above but in other contexts it refers only to AH and ESP.</p>
-
-<h3><a name="IKE.ipsec">IKE (Internet Key Exchange)</a></h3>
-
-<p>The IKE protocol sets up IPsec (ESP or AH) connections after negotiating
-appropriate parameters (algorithms to be used, keys, connection lifetimes)
-for them. This is done by exchanging packets on UDP port 500 between the two
-gateways.</p>
-
-<p>IKE (RFC 2409) was the outcome of a long, complex process in which quite a
-number of protocols were proposed and debated. Oversimplifying mildly, IKE
-combines:</p>
-<dl>
-  <dt>ISAKMP (RFC 2408)</dt>
-    <dd>The <strong>I</strong>nternet <strong>S</strong>ecurity
-      <strong>A</strong>ssociation and <strong>K</strong>ey
-      <strong>M</strong>anagement <strong>P</strong>rotocol manages
-      negotiation of connections and defines <a
-      href="glossary.html#SA">SA</a>s (Security Associations) as a means of
-      describing connection properties.</dd>
-  <dt>IPsec DOI for ISAKMP (RFC 2407)</dt>
-    <dd>A <strong>D</strong>omain <strong>O</strong>f
-      <strong>I</strong>nterpretation fills in the details necessary to turn
-      the rather abstract ISAKMP protocol into a more tightly specified
-      protocol, so it becomes applicable in a particular domain.</dd>
-  <dt>Oakley key determination protocol (RFC 2412)</dt>
-    <dd>Oakley creates keys using the <a
-      href="glossary.html#DH">Diffie-Hellman</a> key agreement protocol.</dd>
-</dl>
-
-<p>For all the details, you would need to read the four <a
-href="rfc.html">RFCs</a> just mentioned (over 200 pages) and a number of
-others. We give a summary below, but it is far from complete.</p>
-
-<h4><a name="phases">Phases of IKE</a></h4>
-
-<p>IKE negotiations have two phases.</p>
-<dl>
-  <dt>Phase one</dt>
-    <dd>The two gateways negotiate and set up a two-way ISAKMP SA which they
-      can then use to handle phase two negotiations. One such SA between a
-      pair of gateways can handle negotiations for multiple tunnels.</dd>
-  <dt>Phase two</dt>
-    <dd>Using the ISAKMP SA, the gateways negotiate IPsec (ESP and/or AH) SAs
-      as required. IPsec SAs are unidirectional (a different key is used in
-      each direction) and are always negotiated in pairs to handle two-way
-      traffic. There may be more than one pair defined between two
-    gateways.</dd>
-</dl>
-
-<p>Both of these phases use the UDP protocol and port 500 for their
-negotiations.</p>
-
-<p>After both IKE phases are complete, you have IPsec SAs to carry your
-encrypted data. These use the ESP or AH protocols. These protocols do not
-have ports. Ports apply only to UDP or TCP.</p>
-
-<p>The IKE protocol is designed to be extremely flexible. Among the things
-that can be negotiated (separately for each SA) are:</p>
-<ul>
-  <li>SA lifetime before rekeying</li>
-  <li>encryption algorithm used. We currently support only <a
-    href="glossary.html#3DES">triple DES</a>. Single DES is <a
-    href="politics.html#desnotsecure">insecure</a>. The RFCs say you MUST do
-    DES, SHOULD do 3DES and MAY do various others. We do not do any of the
-    others.</li>
-  <li>authentication algorithms. We support <a
-    href="glossary.html#MD5">MD5</a> and <a href="glossary.html#SHA">SHA</a>.
-    These are the two the RFCs require.</li>
-  <li>choice of group for <a href="glossary.html#DH">Diffie-Hellman</a> key
-    agreement. We currently support Groups 2 and 5 (which are defined modulo
-    primes of various lengths) and do not support Group 1 (defined modulo a
-    shorter prime, and therefore cryptographically weak) or groups 3 and 4
-    (defined using elliptic curves). The RFCs require only Group 1.</li>
-</ul>
-
-<p>The protocol also allows implementations to add their own encryption
-algorithms, authentication algorithms or Diffie-Hellman groups. We do not
-support any such extensions, but there are some <a
-href="web.html#patch">patches</a> that do.</p>
-
-<p>There are a number of complications:</p>
-<ul>
-  <li>The gateways must be able to authenticate each other's identities
-    before they can create a secure connection. This host authentication is
-    part of phase one negotiations, and is a required prerequisite for packet
-    authentication used later. Host authentication can be done in a variety
-    of ways. Those supported by FreeS/WAN are discussed in our <a
-    href="adv_config.html#auto-auth">advanced configuration</a> document.</li>
-  <li>Phase one can be done in two ways.
-    <ul>
-      <li>Main Mode is required by the RFCs and supported in FreeS/WAN. It
-        uses a 6-packet exzchange.</li>
-      <li>Aggressive Mode is somewhat faster (only 3 packets) but reveals
-        more to an eavesdropper. This is optional in the RFCs, not currently
-        supported by FreeS/WAN, and not likely to be.</li>
-    </ul>
-  </li>
-  <li>A new group exchange may take place after phase one but before phase
-    two, defining an additional group for use in the <a
-    href="glossary.html#DH">Diffie-Hellman</a> key agreement part of phase
-    two. FreeS/WAN does not currently support this.</li>
-  <li>Phase two always uses Quick Mode, but there are two variants of that:
-    <ul>
-      <li>One variant provides <a href="glossary.html#PFS">Perfect Forward
-        Secrecy (PFS)</a>. An attacker that obtains your long-term host
-        authentication key does not immediately get any of your short-term
-        packet encryption of packet authentication keys. He must conduct
-        another successful attack each time you rekey to get the short-term
-        keys. Having some short-term keys does not help him learn others. In
-        particular, breaking your system today does not let him read messages
-        he archived yestarday, assuming you've changed short-term keys in the
-        meanwhile. We enable PFS as the default.</li>
-      <li>The other variant disables PFS and is therefore slightly faster. We
-        do not recommend this since it is less secure, but FreeS/WAN does
-        support it. You can enable it with a <var>pfs=no</var> statement in
-        <a href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a>.</li>
-      <li>The protocol provides no way to negotiate which variant will be
-        used. If one gateway is set for PFS and the other is not, the
-        negotiation fails. This has proved a fairly common source of
-        interoperation problems.</li>
-    </ul>
-  </li>
-  <li>Several types of notification message may be sent by either side during
-    either phase, or later. FreeS/WAN does not currently support these, but
-    they are a likely addition in future releases.</li>
-  <li>There is a commit flag which may optionally be set on some messages.
-    The <a href="http://www.lounge.org/ike_doi_errata.html">errata</a> page
-    for the RFCs includes two changes related to this, one to clarify the
-    description of its use and one to block a <a
-    href="glossary.html#DOS">denial of service</a> attack which uses it. We
-    currently do not implement this feature.</li>
-</ul>
-
-<p>These complications can of course lead to problems, particularly when two
-different implementations attempt to interoperate. For example, we have seen
-problems such as:</p>
-<ul>
-  <li>Some implementations (often products crippled by <a
-    href="politics.html#exlaw">export laws</a>) have the insecure DES
-    algorithm as their only supported encryption method. Other parts of our
-    documentation discuss the <a
-    href="politics.html#desnotsecure">reasons we do not implement single
-    DES</a>, and <a href="interop.html#noDES">how to cope with crippled
-    products</a>.</li>
-  <li>Windows 2000 IPsec tries to negotiate using Aggressive Mode, which we
-    don't support. Later on, it uses the commit bit, which we also don't
-    support.</li>
-  <li>Various implementations disable PFS by default, and therefore will not
-    talk to FreeS/WAN until you either turn on PFS on their end or turn it
-    off in FreeS/WAN with a <var>pfs=no</var> entry in the connection
-    description.</li>
-  <li>FreeS/WAN's interaction with PGPnet is complicated by their use of
-    notification messages we do not yet support.</li>
-</ul>
-
-<p>Despite this, we do interoperate successfully with many implementations,
-including both Windows 2000 and PGPnet. Details are in our <a
-href="interop.html">interoperability</a> document.</p>
-
-<h4><a name="sequence">Sequence of messages in IKE</a></h4>
-
-<p>Each phase (see <a href="#phases">previous section</a>)of IKE involves a
-series of messages. In Pluto error messages, these are abbreviated using:</p>
-<dl>
-  <dt>M</dt>
-    <dd><strong>M</strong>ain mode, settting up the keying channel (ISAKMP
-    SA)</dd>
-  <dt>Q</dt>
-    <dd><strong>Q</strong>uick mode, setting up the data channel (IPsec
-    SA)</dd>
-  <dt>I</dt>
-    <dd><strong>I</strong>nitiator, the machine that starts the
-    negotiation</dd>
-  <dt>R</dt>
-    <dd><strong>R</strong>esponder</dd>
-</dl>
-
-<p>For example, the six messages of a main mode negotiation, in sequence, are
-labelled:</p>
-<pre>       MI1 ----------&gt;
-           &lt;---------- MR1
-       MI2 ----------&gt; 
-           &lt;---------- MR2
-       MI3 ----------&gt;
-           &lt;---------- MR3</pre>
-
-<h4><a name="struct.exchange">Structure of IKE messages</a></h4>
-
-<p>Here is our Pluto developer explaining some of this on the mailing
-list:</p>
-<pre>When one IKE system (for example, Pluto) is negotiating with another
-to create an SA, the Initiator proposes a bunch of choices and the
-Responder replies with one that it has selected.
-
-The structure of the choices is fairly complicated.  An SA payload
-contains a list of lists of "Proposals".  The outer list is a set of
-choices: the selection must be from one element of this list.
-
-Each of these elements is a list of Proposals.  A selection must be
-made from each of the elements of the inner list.  In other words,
-*all* of them apply (that is how, for example, both AH and ESP can
-apply at once).
-
-Within each of these Proposals is a list of Transforms.  For each
-Proposal selected, one Transform must be selected (in other words,
-each Proposal provides a choice of Transforms).
-
-Each Transform is made up of a list of Attributes describing, well,
-attributes.  Such as lifetime of the SA.  Such as algorithm to be
-used.  All the Attributes apply to a Transform.
-
-You will have noticed a pattern here: layers alternate between being
-disjunctions ("or") and conjunctions ("and").
-
-For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
-cut back.  There must be exactly one Proposal.  So this degenerates to
-a list of Transforms, one of which must be chosen.</pre>
-
-<h3><a name="services">IPsec Services, AH and ESP</a></h3>
-
-<p>IPsec offers two services, <a
-href="glossary.html#authentication">authentication</a> and <a
-href="glossary.html#encryption">encryption</a>. These can be used separately
-but are often used together.</p>
-<dl>
-  <dt>Authentication</dt>
-    <dd>Packet-level authentication allows you to be confident that a packet
-      came from a particular machine and that its contents were not altered
-      en route to you. No attempt is made to conceal or protect the contents,
-      only to assure their integrity. Packet authentication can be provided
-      separately using an <a href="glossary.html#AH">Authentication
-      Header</a>, described just below, or it can be included as part of the
-      <a href="glossary.html#ESP">ESP</a> (Encapsulated Security Payload)
-      service, described in the following section. That service offers
-      encryption as well as authentication. In either case, the <a
-      href="glossary.html#HMAC">HMAC</a> construct is used as the
-      authentication mechanism.
-      <p>There is a separate authentication operation at the IKE level, in
-      which each gateway authenticates the other. This can be done in a
-      variety of ways.</p>
-    </dd>
-  <dt>Encryption</dt>
-    <dd>Encryption allows you to conceal the contents of a message from
-      eavesdroppers.
-      <p>In IPsec this is done using a <a href="glossary.html#block">block
-      cipher</a> (normally <a href="glossary.html#3DES">Triple DES</a> for
-      Linux). In the most used setup, keys are automatically negotiated, and
-      periodically re-negotiated, using the <a
-      href="glossary.html#IKE">IKE</a> (Internet Key Exchange) protocol. In
-      Linux FreeS/WAN this is handled by the Pluto Daemon.</p>
-      <p>The IPsec protocol offering encryption is <a
-      href="glossary.html#ESP">ESP</a>, Encapsulated Security Payload. It can
-      also include a packet authentication service.</p>
-    </dd>
-</dl>
-
-<p>Note that <strong>encryption should always be used with some packet
-authentication service</strong>. Unauthenticated encryption is vulnerable to
-<a href="glossary.html#middle">man-in-the-middle attacks</a>. Also note that
-encryption does not prevent <a href="glossary.html#traffic">traffic
-analysis</a>.</p>
-
-<h3><a name="AH.ipsec">The Authentication Header (AH)</a></h3>
-
-<p>Packet authentication can be provided separately from encryption by adding
-an authentication header (AH) after the IP header but before the other
-headers on the packet. This is the subject of this section. Details are in
-RFC 2402.</p>
-
-<p>Each of the several headers on a packet header contains a "next protocol"
-field telling the system what header to look for next. IP headers generally
-have either TCP or UDP in this field. When IPsec authentication is used, the
-packet IP header has AH in this field, saying that an Authentication Header
-comes next. The AH header then has the next header type -- usually TCP, UDP
-or encapsulated IP.</p>
-
-<p>IPsec packet authentication can be added in transport mode, as a
-modification of standard IP transport. This is shown in this diagram from the
-RFC:</p>
-<pre>                  BEFORE APPLYING AH
-            ----------------------------
-      IPv4  |orig IP hdr  |     |      |
-            |(any options)| TCP | Data |
-            ----------------------------
-
-                  AFTER APPLYING AH
-            ---------------------------------
-      IPv4  |orig IP hdr  |    |     |      |
-            |(any options)| AH | TCP | Data |
-            ---------------------------------
-            ||
-                 except for mutable fields</pre>
-
-<p>Athentication can also be used in tunnel mode, encapsulating the
-underlying IP packet beneath AH and an additional IP header.</p>
-<pre>                         ||
-IPv4  | new IP hdr* |    | orig IP hdr*  |    |      |
-      |(any options)| AH | (any options) |TCP | Data |
-      ------------------------------------------------
-      ||
-      |           in the new IP hdr                  |</pre>
-
-<p>This would normally be used in a gateway-to-gateway tunnel. The receiving
-gateway then strips the outer IP header and the AH header and forwards the
-inner IP packet.</p>
-
-<p>The mutable fields referred to are things like the time-to-live field in
-the IP header. These cannot be included in authentication calculations
-because they change as the packet travels.</p>
-
-<h4><a name="keyed">Keyed MD5 and Keyed SHA</a></h4>
-
-<p>The actual authentication data in the header is typically 96 bits and
-depends both on a secret shared between sender and receiver and on every byte
-of the data being authenticated. The technique used is <a
-href="glossary.html#HMAC">HMAC</a>, defined in RFC 2104.</p>
-
-<p>The algorithms involved are the <a href="glossary.html#MD5">MD5</a>
-Message Digest Algorithm or <a href="glossary.html#SHA">SHA</a>, the Secure
-Hash Algorithm. For details on their use in this application, see RFCs 2403
-and 2404 respectively.</p>
-
-<p>For descriptions of the algorithms themselves, see RFC 1321 for MD5 and <a
-href="glossary.html#FIPS">FIPS</a> (Federal Information Processing Standard)
-number 186 from <a href="glossary.html#NIST">NIST</a>, the US National
-Institute of Standards and Technology for SHA. <a
-href="biblio.html#schneier"><cite>Applied Cryptography</cite></a> covers both
-in some detail, MD5 starting on page 436 and SHA on 442.</p>
-
-<p>These algorithms are intended to make it nearly impossible for anyone to
-alter the authenticated data in transit. The sender calculates a digest or
-hash value from that data and includes the result in the authentication
-header. The recipient does the same calculation and compares results. For
-unchanged data, the results will be identical. The hash algorithms are
-designed to make it extremely difficult to change the data in any way and
-still get the correct hash.</p>
-
-<p>Since the shared secret key is also used in both calculations, an
-interceptor cannot simply alter the authenticated data and change the hash
-value to match. Without the key, he or she (or even the dreaded They) cannot
-produce a usable hash.</p>
-
-<h4><a name="sequence">Sequence numbers</a></h4>
-
-<p>The authentication header includes a sequence number field which the
-sender is required to increment for each packet. The receiver can ignore it
-or use it to check that packets are indeed arriving in the expected
-sequence.</p>
-
-<p>This provides partial protection against <a
-href="glossary.html#replay">replay attacks</a> in which an attacker resends
-intercepted packets in an effort to confuse or subvert the receiver. Complete
-protection is not possible since it is necessary to handle legitmate packets
-which are lost, duplicated, or delivered out of order, but use of sequence
-numbers makes the attack much more difficult.</p>
-
-<p>The RFCs require that sequence numbers never cycle, that a new key always
-be negotiated before the sequence number reaches 2^32-1. This protects both
-against replays attacks using packets from a previous cyclce and against <a
-href="glossary.html#birthday">birthday attacks</a> on the the packet
-authentication algorithm.</p>
-
-<p>In Linux FreeS/WAN, the sequence number is ignored for manually keyed
-connections and checked for automatically keyed ones. In manual mode, there
-is no way to negotiate a new key, or to recover from a sequence number
-problem, so we don't use sequence numbers.</p>
-
-<h3><a name="ESP.ipsec">Encapsulated Security Payload (ESP)</a></h3>
-
-<p>The ESP protocol is defined in RFC 2406. It provides one or both of
-encryption and packet authentication. It may be used with or without AH
-packet authentication.</p>
-
-<p>Note that <strong>some form of packet authentication should
-<em>always</em> be used whenever data is encrypted</strong>. Without
-authentication, the encryption is vulnerable to active attacks which may
-allow an enemy to break the encryption. ESP should <strong>always</strong>
-either include its own authentication or be used with AH authentication.</p>
-
-<p>The RFCs require support for only two mandatory encryption algorithms --
-<a href="glossary.html#DES">DES</a>, and null encryption -- and for two
-authentication methods -- keyed MD5 and keyed SHA. Implementers may choose to
-support additional algorithms in either category.</p>
-
-<p>The authentication algorithms are the same ones used in the IPsec <a
-href="#AH">authentication header</a>.</p>
-
-<p>We do not implement single DES since <a
-href="politics.html#desnotsecure">DES is insecure</a>. Instead we provide <a
-href="glossary.html#3DES">triple DES or 3DES</a>. This is currently the only
-encryption algorithm supported.</p>
-
-<p>We do not implement null encryption since it is obviously insecure.</p>
-
-<h2><a name="modes">IPsec modes</a></h2>
-
-<p>IPsec can connect in two modes. Transport mode is a host-to-host
-connection involving only two machines. In tunnel mode, the IPsec machines
-act as gateways and trafiic for any number of client machines may be
-carried.</p>
-
-<h3><a name="tunnel.ipsec">Tunnel mode</a></h3>
-
-<p>Security gateways are required to support tunnel mode connections. In this
-mode the gateways provide tunnels for use by client machines behind the
-gateways. The client machines need not do any IPsec processing; all they have
-to do is route things to gateways.</p>
-
-<h3><a name="transport.ipsec">Transport mode</a></h3>
-
-<p>Host machines (as opposed to security gateways) with IPsec implementations
-must also support transport mode. In this mode, the host does its own IPsec
-processing and routes some packets via IPsec.</p>
-
-<h2><a name="parts">FreeS/WAN parts</a></h2>
-
-<h3><a name="KLIPS.ipsec">KLIPS: Kernel IPsec Support</a></h3>
-
-<p>KLIPS is <strong>K</strong>erne<strong>L</strong> <strong>IP</strong>SEC
-<strong>S</strong>upport, the modifications necessary to support IPsec within
-the Linux kernel. KILPS does all the actual IPsec packet-handling,
-including</p>
-<ul>
-  <li>encryption</li>
-  <li>packet authentication calculations</li>
-  <li>creation of ESP and AH headers for outgoing packets</li>
-  <li>interpretation of those headers on incoming packets</li>
-</ul>
-
-<p>KLIPS also checks all non-IPsec packets to ensure they are not bypassing
-IPsec security policies.</p>
-
-<h3><a name="Pluto.ipsec">The Pluto daemon</a></h3>
-
-<p><a href="manpage.d/ipsec_pluto.8.html">Pluto(8)</a> is a daemon which
-implements the IKE protocol. It</p>
-<ul>
-  <li>handles all the Phase one ISAKMP SAs</li>
-  <li>performs host authentication and negotiates with other gateways</li>
-  <li>creates IPsec SAs and passes the data required to run them to KLIPS</li>
-  <li>adjust routing and firewall setup to meet IPsec requirements. See our
-    <a href="firewall.html">IPsec and firewalling</a> document for
-  details.</li>
-</ul>
-
-<p>Pluto is controlled mainly by the <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> configuration file.</p>
-
-<h3><a name="command">The ipsec(8) command</a></h3>
-
-<p>The <a href="manpage.d/ipsec.8.html">ipsec(8)</a> command is a front end
-shellscript that allows control over IPsec activity.</p>
-
-<h3><a name="ipsec.conf">Linux FreeS/WAN configuration file</a></h3>
-
-<p>The configuration file for Linux FreeS/WAN is</p>
-<pre>        /etc/ipsec.conf</pre>
-
-<p>For details see the <a
-href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> manual page .</p>
-
-<h2><a name="key">Key management</a></h2>
-
-<p>There are several ways IPsec can manage keys. Not all are implemented in
-Linux FreeS/WAN.</p>
-
-<h3><a name="current">Currently Implemented Methods</a></h3>
-
-<h4><a name="manual">Manual keying</a></h4>
-
-<p>IPsec allows keys to be manually set. In Linux FreeS/WAN, such keys are
-stored with the connection definitions in /etc/ipsec.conf.</p>
-
-<p><a href="glossary.html#manual">Manual keying</a> is useful for debugging
-since it allows you to test the <a href="glossary.html#KLIPS">KLIPS</a>
-kernel IPsec code without the <a href="glossary.html#Pluto">Pluto</a> daemon
-doing key negotiation.</p>
-
-<p>In general, however, automatic keying is preferred because it is more
-secure.</p>
-
-<h4><a name="auto">Automatic keying</a></h4>
-
-<p>In automatic keying, the <a href="glossary.html#Pluto">Pluto</a> daemon
-negotiates keys using the <a href="glossary.html#IKE">IKE</a> Internet Key
-Exchange protocol. Connections are automatically re-keyed periodically.</p>
-
-<p>This is considerably more secure than manual keying. In either case an
-attacker who acquires a key can read every message encrypted with that key,
-but automatic keys can be changed every few hours or even every few minutes
-without breaking the connection or requiring intervention by the system
-administrators. Manual keys can only be changed manually; you need to shut
-down the connection and have the two admins make changes. Moreover, they have
-to communicate the new keys securely, perhaps with <a
-href="glossary.html#PGP">PGP</a> or <a href="glossary.html#SSH">SSH</a>. This
-may be possible in some cases, but as a general solution it is expensive,
-bothersome and unreliable. Far better to let <a
-href="glossary.html#Pluto">Pluto</a> handle these chores; no doubt the
-administrators have enough to do.</p>
-
-<p>Also, automatic keying is inherently more secure against an attacker who
-manages to subvert your gateway system. If manual keying is in use and an
-adversary acquires root privilege on your gateway, he reads your keys from
-/etc/ipsec.conf and then reads all messages encrypted with those keys.</p>
-
-<p>If automatic keying is used, an adversary with the same privileges can
-read /etc/ipsec.secrets, but this does not contain any keys, only the secrets
-used to authenticate key exchanges. Having an adversary able to authenticate
-your key exchanges need not worry you overmuch. Just having the secrets does
-not give him any keys. You are still secure against <a
-href="glossary.html#passive">passive</a> attacks. This property of automatic
-keying is called <a href="glossary.html#PFS">perfect forward secrecy</a>,
-abbreviated PFS.</p>
-
-<p>Unfortunately, having the secrets does allow an <a
-href="glossary.html#active">active attack</a>, specifically a <a
-href="glossary.html#middle">man-in-the-middle</a> attack. Losing these
-secrets to an attacker may not be quite as disastrous as losing the actual
-keys, but it is <em>still a serious security breach</em>. These secrets
-should be guarded as carefully as keys.</p>
-
-<h3><a name="notyet">Methods not yet implemented</a></h3>
-
-<h4><a name="noauth">Unauthenticated key exchange</a></h4>
-
-<p>It would be possible to exchange keys without authenticating the players.
-This would support <a href="glossary.html#carpediem">opportunistic
-encryption</a> -- allowing any two systems to encrypt their communications
-without requiring a shared PKI or a previously negotiated secret -- and would
-be secure against <a href="glossary.html#passive">passive attacks</a>. It
-would, however, be highly vulnerable to active <a
-href="glossary.html#middle">man-in-the-middle</a> attacks. RFC 2408 therefore
-specifies that all <a href="glossary.html#ISAKMP">ISAKMP</a> key management
-interactions <em>must</em> be authenticated.</p>
-
-<p>There is room for debate here. Should we provide immediate security
-against <a href="glossary.html#passive">passive attacks</a> and encourage
-widespread use of encryption, at the expense of risking the more difficult <a
-href="glossary.html#active">active attacks</a>? Or should we wait until we
-can implement a solution that can both be widespread and offer security
-against active attacks?</p>
-
-<p>So far, we have chosen the second course, complying with the RFCs and
-waiting for secure DNS (see <a href="glossary.html#DNS">below</a>) so that we
-can do <a href="glossary.html#carpediem">opportunistic encryption</a>
-right.</p>
-
-<h4><a name="DNS">Key exchange using DNS</a></h4>
-
-<p>The IPsec RFCs allow key exchange based on authentication services
-provided by <a href="glossary.html#SDNS">Secure DNS</a>. Once Secure DNS
-service becomes widely available, we expect to make this the <em>primary key
-management method for Linux FreeS/WAN</em>. It is the best way we know of to
-support <a href="glossary.html#carpediem">opportunistic encryption</a>,
-allowing two systems without a common PKI or previous negotiation to secure
-their communication.</p>
-
-<p>We currently have code to acquire RSA keys from DNS but do not yet have
-code to validate Secure DNS signatures.</p>
-
-<h4><a name="PKI">Key exchange using a PKI</a></h4>
-
-<p>The IPsec RFCs allow key exchange based on authentication services
-provided by a <a href="glossary.html#PKI">PKI</a> or Public Key
-Infrastructure. With many vendors selling such products and many large
-organisations building these infrastructures, this will clearly be an
-important application of IPsec and one Linux FreeS/WAN will eventually
-support.</p>
-
-<p>On the other hand, this is not as high a priority for Linux FreeS/WAN as
-solutions based on <a href="glossary.html#SDNS">secure DNS</a>. We do not
-expect any PKI to become as universal as DNS.</p>
-
-<p>Some <a href="web.html#patch">patches</a> to handle authentication with
-X.509 certificates, which most PKIs use, are available.</p>
-
-<h4><a name="photuris">Photuris</a></h4>
-
-<p><a href="glossary.html#photuris">Photuris</a> is another key management
-protocol, an alternative to IKE and ISAKMP, described in RFCs 2522 and 2523
-which are labelled "experimental". Adding Photuris support to Linux FreeS/WAN
-might be a good project for a volunteer. The likely starting point would be
-the OpenBSD photurisd code.</p>
-
-<h4><a name="skip">SKIP</a></h4>
-
-<p><a href="glossary.html#SKIP">SKIP</a> is yet another key management
-protocol, developed by Sun. At one point it was fairly widely used, but it
-now seems moribund, displaced by IKE. Sun now (as of Solaris 8.0) ship an
-IPsec implementation using IKE. We have no plans to implement SKIP. If a user
-were to implement it, we would almost certainly not want to add the code to
-our distribution.</p>
-</body>
-</html>
diff --git a/doc/src/kernel.html b/doc/src/kernel.html
deleted file mode 100644
index a4beab417..000000000
--- a/doc/src/kernel.html
+++ /dev/null
@@ -1,392 +0,0 @@
-<html>
-<head>
-<title>Kernel configuration for FreeS/WAN</title>
-<meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN, kernel">
-
-<!--
-
-Written by Sandy Harris for the Linux FreeS/WAN project
-Freely distributable under the GNU General Public License
-
-More information at www.freeswan.org
-Feedback to users@lists.freeswan.org
-
-CVS information:
-RCS ID:          $Id: kernel.html,v 1.1 2004/03/15 20:35:24 as Exp $
-Last changed:    $Date: 2004/03/15 20:35:24 $
-Revision number: $Revision: 1.1 $
-
-CVS revision numbers do not correspond to FreeS/WAN release numbers.
--->
-</head>
-
-<body>
-
-<h1><a name="kernelconfig">Kernel configuration for FreeS/WAN</a></h1>
-
-<p>
-This section lists many of the options available when configuring a Linux
-  kernel, and explains how they should be set on a FreeS/WAN IPsec
-  gateway.</p>
-
-  <h2><a name="notall">Not everyone needs to worry about kernel configuration</a></h2>
-
-  <p>Note that in many cases you do not need to mess with these.</p>
-
-<p>
-You may have a Linux distribution which comes with FreeS/WAN installed
-(see this <a href="intro.html#products">list</a>).
-  In that case, you need not do a FreeS/WAN installation or a kernel
-  configuration. Of course, you might still want to configure and rebuild your
-  kernel to improve performance or security. This can be done with standard
-  tools described in the <a href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">Kernel HowTo</a>.</p>
-
-  <p>If you need to install FreeS/WAN, then you do need to configure a kernel.
-  However, you may choose to do that using the simplest procedure:</p>
-  <ul>
-    <li>Configure, build and test a kernel for your system before adding FreeS/WAN. See the <a
-      href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">Kernel HowTo</a> for details. <strong>This step cannot be
-      skipped</strong>. FreeS/WAN needs the results of your configuration.</li>
-    <li>Then use FreeS/WAN's <var>make oldgo</var> command. This sets
-      everything FreeS/WAN needs and retains your values everywhere else.</li>
-  </ul>
-
-<p>
-This document is for those who choose to configure their FreeS/WAN kernel
-themselves.</p>
-
-<h2><a name="assume">Assumptions and notation</a></h2>
-
-<p>
-Help text for most kernel options is included with the kernel files, and
-is accessible from within the configuration utilities. We assume
-you will refer to that, and to the <a href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">Kernel HowTo</a>, as
-necessary. This document covers only the FreeS/WAN-specific aspects of the
-problem.</p>
-
-<p>
-To avoid duplication, this document section does not cover settings for
-the additional IPsec-related kernel options which become available after you
-have patched your kernel with FreeS/WAN patches. There is help text for
-those available from within the configuration utility.</p>
-
-  <p>
-We assume a common configuration in which the FreeS/WAN IPsec gateway is
-also doing ipchains(8) firewalling for a local network, and possibly
-masquerading as well.</p>
-
-<p>
-Some suggestions below are labelled as appropriate for "a true paranoid".
-By this we mean they may cause inconvenience and it is not entirely clear
-  they are necessary, but they appear to be the safest choice. Not using them
-  might entail some risk. Of course one suggested mantra for security
-  administrators is: "I know I'm paranoid. I wonder if I'm paranoid
-  enough."</p>
-
-  <h3><a name="labels">Labels used</a></h3>
-
-<p>
-Six labels are used to indicate how options should be set. We mark the
-labels with [square brackets]. For two of these labels, you have no
-choice:</p>
-  <dl>
-    <dt>[required]</dt>
-      <dd>essential for FreeS/WAN operation.</dd>
-    <dt>[incompatible]</dt>
-      <dd>incompatible with FreeS/WAN.</dd>
-  </dl>
-
-  <p>those must be set correctly or FreeS/WAN will not work</p>
-
-  <p>FreeS/WAN should work with any settings of the others, though of course
-  not all combinations have been tested. We do label these in various ways,
-  but <em>these labels are only suggestions</em>.</p>
-  <dl>
-    <dt>[recommended]</dt>
-      <dd>useful on most FreeS/WAN gateways</dd>
-    <dt>[disable]</dt>
-      <dd>an unwelcome complication on a FreeS/WAN gateway.</dd>
-    <dt>[optional]</dt>
-      <dd>Your choice. We outline issues you might consider.</dd>
-    <dt>[anything]</dt>
-      <dd>This option has no direct effect on FreeS/WAN and related tools, so
-        you should be able to set it as you please.</dd>
-  </dl>
-
-<p>
-Of course complexity is an enemy in any effort to build secure systems.
-<strong>For maximum security, any feature that can reasonably be turned off
-should be</strong>. "If in doubt, leave it out."</p>
-  
-  <h2><a name="kernelopt">Kernel options for FreeS/WAN</a></h2>
-
-<p>
-Indentation is based on the nesting shown by 'make menuconfig' with a
-2.2.16 kernel for the i386 architecture.</p>
-<dl>
-    <dt><a name="maturity">Code maturity and level options</a></dt>
-      <dd>
-      <dl>
-          <dt><a name="devel">Prompt for development ...
-          code/drivers</a></dt>
-            <dd>[optional] If this is <var>no</var>, experimental drivers are
-              not shown in later menus.
-              <p>For most FreeS/WAN work, <var>no</var> is the preferred
-              setting. Using new or untested components is too risky for a
-              security gateway.</p>
-              <p>However, for some hardware (such as the author's network
-              cards) the only drivers available are marked
-              <var>new/experimental</var>. In such cases, you must enable this
-              option or your cards will not appear under &quot;network device
-              support&quot;. A true paranoid would leave this option off and
-              replace the cards.</p>
-            </dd>
-        <dt>Processor type and features</dt>
-            <dd>[anything]</dd>
-          <dt>Loadable module support</dt>
-      <dd>
-      <dl>
-          <dt>Enable loadable module support</dt>
-            <dd>[optional] A true paranoid would disable this. An attacker who
-              has root access to your machine can fairly easily install a
-              bogus module that does awful things, provided modules are
-              enabled. A common tool for attackers is a &quot;rootkit&quot;, a set
-              of tools the attacker uses once he or she has become root on your system.
-              The kit introduces assorted additional compromises so that the attacker
-              will continue to &quot;own&quot; your system despite most things you might
-              do to recovery the situation. For Linux, there is a tool called
-              <a href="http://www.sans.org/newlook/resources/IDFAQ/knark.htm">knark</a>
-              which is basically a rootkit packaged as a kernel module.
-              <p>With modules disabled, an attacker cannot install a bogus module.
-              The only way
-              he can achieve the same effects is to install a new kernel and
-              reboot. This is considerably more likely to be noticed.
-              <p>Many FreeS/WAN gateways run with modules enabled. This
-              simplifies some administrative tasks and some ipchains features
-              are available only as modules. Once an enemy has root on your
-              machine your security is nil, so arguably defenses which come
-              into play only in that situation are pointless.</p>
-              <p>
-             
-            </dd>
-          <dt>Set version information ....</dt>
-            <dd>[optional] This provides a check to prevent loading modules
-              compiled for a different kernel.</dd>
-          <dt>Kernel module loader</dt>
-            <dd>[disable] It gives little benefit on a typical FreeS/WAN gate
-              and entails some risk.</dd>
-        </dl>
-      </dd>
-    <dt>General setup</dt>
-      <dd>We list here only the options that matter for FreeS/WAN.
-        <dl>
-          <dt>Networking support</dt>
-            <dd>[required]</dd>
-          <dt>Sysctl interface</dt>
-            <dd>[optional] If this option is turned on and the
-              <var>/proc</var> filesystem installed, then you can control
-              various system behaviours by writing to files under
-              <var>/proc/sys</var>. For example:
-              <pre>        echo 1 &gt; /proc/sys/net/ipv4/ipforward</pre>
-              turns IP forwarding on.
-              <p>Disabling this option breaks many firewall scripts. A true
-              paranoid would disable it anyway since it might conceivably be
-              of use to an attacker.</p>
-            </dd>
-        </dl>
-      </dd>
-    <dt>Plug and Play support</dt>
-      <dd>[anything]</dd>
-    <dt>Block devices</dt>
-      <dd>[anything]</dd>
-    <dt>Networking options</dt>
-      <dd>
-      <dl>
-          <dt>Packet socket</dt>
-            <dd>[optional] This kernel feature supports tools such as
-              tcpdump(8) which communicate directly with network hardware,
-              bypassing kernel protocols. This is very much a two-edged sword:
-              <ul>
-                <li>such tools can be very useful to the firewall admin,
-                  especially during initial testing</li>
-                <li>should an evildoer breach your firewall, such tools could
-                  give him or her a great deal of information about the rest
-                  of your network</li>
-              </ul>
-              We recommend disabling this option on production gateways.</dd>
-          <dt><a name="netlink">Kernel/User netlink socket</a></dt>
-            <dd>[optional] Required if you want to use <a href="#adv">advanced
-              router</a> features.</dd>
-          <dt>Routing messages</dt>
-            <dd>[optional]</dd>
-          <dt>Netlink device emulation</dt>
-            <dd>[optional]</dd>
-          <dt>Network firewalls</dt>
-            <dd>[recommended] You need this if the IPsec gateway also
-              functions as a firewall.
-              <p>Even if the IPsec gateway is not your primary firewall, we
-              suggest setting this so that you can protect the gateway with at
-              least basic local packet filters.</p>
-            </dd>
-          <dt>Socket filtering</dt>
-            <dd>[disable] This enables an older filtering interface. We suggest
-                using ipchains(8) instead. To do that, set the &quot;Network
-                firewalls&quot; option just above, and not this one.</dd>
-          <dt>Unix domain sockets</dt>
-            <dd>[required] These sockets are used for communication between the
-              <a href="manpage.d/ipsec.8.html">ipsec(8)</a>
-              commands and the <a href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</a>
-              daemon.</dd>
-          <dt>TCP/IP networking</dt>
-            <dd>[required]
-              <dl>
-                <dt>IP: multicasting</dt>
-                  <dd>[anything]</dd>
-                <dt><a name="adv">IP: advanced router</a></dt>
-                  <dd>[optional] This gives you policy routing, which some
-                    people have used to good advantage in their scripts for
-                    FreeS/WAN gateway management. It is not used in our
-                    distributed scripts, so not required unless you want it
-                    for custom scripts. It requires the <a
-                    href="#netlink">netlink</a> interface between kernel code
-                    and the iproute2(8) command.</dd>
-                <dt>IP: kernel level autoconfiguration</dt>
-                  <dd>[disable] It gives little benefit on a typical FreeS/WAN
-                    gate and entails some risk.</dd>
-                <dt>IP: firewall packet netlink device</dt>
-                  <dd>[disable]</dd>
-                <dt>IP: transparent proxy support</dt>
-                  <dd>[optional] This is required in some firewall configurations,
-                    but should be disabled unless you have a definite need for it.
-                    </dd>
-                <dt>IP: masquerading</dt>
-                  <dd>[optional] Required if you want to use
-                    <a href="glossary.html#non-routable">non-routable</a> private
-                     IP addresses for your local network.</dd>
-                <dt>IP: Optimize as router not host</dt>
-                  <dd>[recommended]</dd>
-                <dt>IP: tunneling</dt>
-                  <dd>[required]</dd>
-                <dt>IP: GRE tunnels over IP</dt>
-                  <dd>[anything]</dd>
-                <dt>IP: aliasing support</dt>
-                  <dd>[anything]</dd>
-                <dt>IP: ARP daemon support (EXPERIMENTAL)</dt>
-                  <dd>Not required on most systems, but might prove useful on
-                    heavily-loaded gateways.</dd>
-                <dt>IP: TCP syncookie support</dt>
-                  <dd>[recommended] It provides a defense against a <a
-                    href="glossary.html#DOS">denial of
-                    service attack</a> which uses bogus TCP connection
-                    requests to waste resources on the victim machine.</dd>
-                <dt>IP: Reverse ARP</dt>
-                  <dd></dd>
-                <dt>IP: large window support</dt>
-                  <dd>[recommended] unless you have less than 16 meg RAM</dd>
-              </dl>
-            </dd>
-          <dt>IPv6</dt>
-            <dd>[optional] FreeS/WAN does not currently support IPv6, though work on
-              integrating FreeS/WAN with the Linux IPv6 stack has begun.
-              <a href="compat.html#ipv6">Details</a>.
-              <p>
-              It should be possible to use IPv4 FreeS/WAN on a machine which also
-              does IPv6. This combination is not yet well tested. We would be quite
-              interested in hearing results from anyone expermenting with it, via the
-              <a href="mail.html">mailing list</a>.
-              <p>
-              We do not recommend using IPv6 on production FreeS/WAN gateways until
-              more testing has been done.
-              </dd>
-          <dt>Novell IPX</dt>
-            <dd>[disable]</dd>
-          <dt>Appletalk</dt>
-            <dd>[disable] Quite a few Linux installations use IP but also have
-              some other protocol, such as Appletalk or IPX, for communication
-              with local desktop machines. In theory it should be possible to
-              configure IPsec for the IP side of things without interfering
-              with the second protocol.
-              <p>We do not recommend this. Keep the software on your gateway
-              as simple as possible. If you need a Linux-based Appletalk or
-              IPX server, use a separate machine.</p>
-            </dd>
-        </dl>
-      </dd>
-    <dt>Telephony support</dt>
-      <dd>[anything]</dd>
-    <dt>SCSI support</dt>
-      <dd>[anything]</dd>
-    <dt>I2O device support</dt>
-      <dd>[anything]</dd>
-    <dt>Network device support</dt>
-      <dd>[anything] should work, but there are some points to note.
-        <p>The development team test almost entirely on 10 or 100 megabit
-        Ethernet and modems. In principle, any device that can do IP should be
-        just fine for IPsec, but in the real world any device that has not
-        been well-tested is somewhat risky. By all means try it, but don't bet
-        your project on it until you have solid test results.</p>
-        <p>If you disabled experimental drivers in the <a
-        href="#maturity">Code maturity</a> section above, then those drivers
-        will not be shown here. Check that option before going off to hunt for
-        missing drivers.</p>
-        <p>If you want Linux to automatically find more than one ethernet
-        interface at boot time, you need to:</p>
-        <ul>
-          <li>compile the appropriate driver(s) into your kernel. Modules will
-            not work for this</li>
-          <li>add a line such as
-<pre>
-   append="ether=0,0,eth0 ether=0,0,eth1"
-</pre>
-            to your /etc/lilo.conf file. In some cases you may need to specify
-            parameters such as IRQ or base address. The example uses &quot;0,0&quot;
-            for these, which tells the system to search. If the search does not
-            succeed on your hardware, then you should retry with explicit parameters.
-            See the lilo.conf(5) man page for details.</li>
-          <li>run lilo(8)</li>
-        </ul>
-        Having Linux find the cards this way is not necessary, but is usually more
-        convenient than loading modules in your boot scripts.</dd>
-    <dt>Amateur radio support</dt>
-      <dd>[anything]</dd>
-    <dt>IrDA (infrared) support</dt>
-      <dd>[anything]</dd>
-    <dt>ISDN subsystem</dt>
-      <dd>[anything]</dd>
-    <dt>Old CDROM drivers</dt>
-      <dd>[anything]</dd>
-    <dt>Character devices</dt>
-      <dd>The only required character device is:
-        <dl>
-          <dt>random(4)</dt>
-            <dd>[required] This is a source of <a href="glossary.html#random">random</a>
-              numbers which are required for many cryptographic protocols,
-              including several used in IPsec.
-              <p>If you are comfortable with C source code, it is likely a
-              good idea to go in and adjust the <var>#define</var> lines in
-              <var>/usr/src/linux/drivers/char/random.c</var> to ensure that
-              all sources of randomness are enabled. Relying solely on
-              keyboard and mouse randomness is dubious procedure for a gateway
-              machine. You could also increase the randomness pool size from
-              the default 512 bytes (128 32-bit words).</p>
-            </dd>
-        </dl>
-     <dt>Filesystems</dt>
-       <dd>[anything] should work, but we suggest limiting a gateway
-         machine to the standard Linux ext2 filesystem in most
-         cases.</dd>
-     <dt>Network filesystems</dt>
-       <dd>[disable] These systems are an unnecessary risk on an IPsec
-         gateway.</dd>
-     <dt>Console drivers</dt>
-            <dd>[anything]</dd>
-     <dt>Sound</dt>
-       <dd>[anything] should work, but we suggest enabling sound only if
-              you plan to use audible alarms for firewall problems.</dd>
-     <dt>Kernel hacking</dt>
-       <dd>[disable] This might be enabled on test machines, but should
-         not be on production gateways.</dd>
-   </dl>
-  </dl>
-</body>
-</html>
diff --git a/doc/src/mail.html b/doc/src/mail.html
deleted file mode 100644
index e26f025a0..000000000
--- a/doc/src/mail.html
+++ /dev/null
@@ -1,250 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN mailing lists</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, mailing, list">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: mail.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="lists">Mailing lists and newsgroups</a></h1>
-
-<h2><a name="list.fs">Mailing lists about FreeS/WAN</a></h2>
-
-<h3><a name="projlist">The project mailing lists</a></h3>
-
-<p>The Linux FreeS/WAN project has several email lists for user support, bug
-reports and software development discussions.</p>
-
-<p>We had a single list on clinet.fi for several years (Thanks, folks!), then
-one list on freeswan.org, but now we've split into several lists:</p>
-<dl>
-  <dt><a
-  href="mailto:users-request@lists.freeswan.org?body=subscribe">users</a></dt>
-    <dd><ul>
-        <li>The general list for discussing use of the software</li>
-        <li>The place for seeking <strong>help with problems</strong> (but
-          please check the <a href="faq.html">FAQ</a> first).</li>
-        <li>Anyone can post.</li>
-      </ul>
-    </dd>
-  <dt><a
-  href="mailto:bugs-request@lists.freeswan.org?body=subscribe">bugs</a></dt>
-    <dd><ul>
-        <li>For <strong>bug reports</strong>.</li>
-        <li>If you are not certain what is going on -- could be a bug, a
-          configuration error, a network problem, ... -- please post to the
-          users list instead.</li>
-        <li>Anyone can post.</li>
-      </ul>
-    </dd>
-  <dt><a
-  href="mailto:design-request@lists.freeswan.org?body=subscribe">design</a></dt>
-    <dd><ul>
-        <li><strong>Design discussions</strong>, for people working on
-          FreeS/WAN development or others with an interest in design and
-          security issues.</li>
-        <li>It would be a good idea to read the existing design papers (see
-          this <a href="intro.html#applied">list</a>) before posting.</li>
-        <li>Anyone can post.</li>
-      </ul>
-    </dd>
-  <dt><a
-  href="mailto:announce-request@lists.freeswan.org?body=subscribe">announce</a></dt>
-    <dd><ul>
-        <li>A <strong>low-traffic</strong> list.</li>
-        <li><strong>Announcements</strong> about FreeS/WAN and related
-          software.</li>
-        <li>All posts here are also sent to the users list. You need not
-          subscribe to both.</li>
-        <li>Only the FreeS/WAN team can post.</li>
-        <li>If you have something you feel should go on this list, send it to
-          <var>announce-admin@lists.freeswan.org</var>. Unless it is obvious,
-          please include a short note explaining why we should post it.</li>
-      </ul>
-    </dd>
-  <dt><a
-  href="mailto:briefs-request@lists.freeswan.org?body=subscribe">briefs</a></dt>
-    <dd><ul>
-        <li>A <strong>low-traffic</strong> list.</li>
-        <li><strong>Weekly summaries</strong> of activity on the users
-        list.</li>
-        <li>All posts here are also sent to the users list. You need not
-          subscribe to both.</li>
-        <li>Only the FreeS/WAN team can post.</li>
-      </ul>
-    </dd>
-</dl>
-
-<p>To subscribe to any of these, you can:</p>
-<ul>
-  <li>just follow the links above</li>
-  <li>use our <a href="http://www.freeswan.org/mail.html">web
-  interface</a></li>
-  <li>send mail to <var>listname</var>-request@lists.freeswan.org with a
-    one-line message body "subscribe"</li>
-</ul>
-
-<p>Archives of these lists are available via the <a
-href="http://www.freeswan.org/mail.html">web interface</a>.</p>
-
-<h4><a name="which.list">Which list should I use?</a></h4>
-
-<p>For most questions, please check the <a href="faq.html">FAQ</a> first, and
-if that does not have an answer, ask on the users list. "My configuration
-doesn't work." does not belong on the bugs list, and "Can FreeS/WAN do
-such-and-such" or "How do I configure it to..." do not belong in design
-discussions.</p>
-
-<p>Cross-posting the same message to two or more of these lists is
-discouraged. Quite a few people read more than one list and getting multiple
-copies is annoying.</p>
-
-<h4><a name="policy.list">List policies</a></h4>
-
-<p><strong>US citizens or residents are asked not to post code to the lists,
-not even one-line bug fixes</strong>. The project cannot accept code which
-might entangle it in US <a href="politics.html#exlaw">export
-restrictions</a>.</p>
-
-<p>Non-subscribers can post to some of these lists. This is necessary;
-someone working on a gateway install who encounters a problem may not have
-access to a subscribed account.</p>
-
-<p>Some spam turns up on these lists from time to time. For discussion of why
-we do not attempt to filter it, see the <a href="faq.html#spam">FAQ</a>.
-Please do not clutter the lists with complaints about this.</p>
-
-<h3><a name="archive">Archives of the lists</a></h3>
-
-<p>Searchable archives of the old single list have existed for some time. At
-time of writing, it is not yet clear how they will change for the new
-multi-list structure.</p>
-<ul>
-  <li><a href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</a></li>
-  <li><a href="http://www.nexial.com">Holland</a></li>
-</ul>
-
-<p>Note that these use different search engines. Try both.</p>
-
-<p>Archives of the new lists are available via the <a
-href="http://www.freeswan.org/mail.html">web interface</a>.</p>
-
-<h2><a name="indexes">Indexes of mailing lists</a></h2>
-
-<p><a href="http://paml.net/">PAML</a> is the standard reference for
-<strong>P</strong>ublicly <strong>A</strong>ccessible
-<strong>M</strong>ailing <strong>L</strong>ists. When we last checked, it had
-over 7500 lists on an amazing variety of topics. It also has FAQ information
-and a search engine.</p>
-
-<p>There is an index of <a
-href="http://oslab.snu.ac.kr/~djshin/linux/mail-list/index.shtml">Linux
-mailing lists</a> available.</p>
-
-<p>A list of <a
-href="http://xforce.iss.net/maillists/otherlists.php">computer security
-mailing lists</a>, with descriptions.</p>
-
-<h2><a name="otherlists">Lists for related software and topics</a></h2>
-
-<p>Most links in this section point to subscription addresses for the various
-lists. Send the one-line message "subscribe <var>list_name</var>" to
-subscribe to any of them.</p>
-
-<h3>Products that include FreeS/WAN</h3>
-
-<p>Our introduction document gives a <a href="intro.html#products">list of
-products that include FreeS/WAN</a>. If you have, or are considering, one of
-those, check the supplier's web site for information on mailing lists for
-their users.</p>
-
-<h3><a name="linux.lists">Linux mailing lists</a></h3>
-<ul>
-  <li><a
-    href="mailto:majordomo@vger.kernel.org">linux-admin@vger.kernel.org</a>,
-    for Linux system administrators</li>
-  <li><a
-    href="mailto:netfilter-request@lists.samba.org">netfilter@lists.samba.org</a>,
-    about Netfilter, which replaces IPchains in kernels 2.3.15 and later</li>
-  <li><a
-    href="mailto:security-audit-request@ferret.lmh.ox.ac.uk">security-audit@ferret.lmh.ox.ac.uk</a>,
-    for people working on security audits of various Linux programs</li>
-  <li><a
-    href="mailto:securedistros-request@humbolt.geo.uu.nl">securedistros@humbolt.geo.uu.nl</a>,
-    for discussion of issues common to all the half dozen projects working on
-    secure Linux distributions.</li>
-</ul>
-
-<p>Each of the scure distribution projects also has its own web site and
-mailing list. Some of the sites are:</p>
-<ul>
-  <li><a href="http://bastille-linux.org/">Bastille Linux</a> scripts to
-    harden Redhat, e.g. by changing permissions and modifying inialisation
-    scripts</li>
-  <li><a href="http://immunix.org/">Immunix</a> take a different approach,
-    using a modified compiler to build kernel and utilities with better
-    resistance to various types of overflow and exploit</li>
-  <li>the <a href="glossary.html#NSA">NSA</a> have contractors working on a
-    <a href="glossary.html#SElinux">Security Enhanced Linux</a>, primarily
-    adding stronger access control mechanisms. You can download the current
-    version (which interestingly is under GPL and not export resrtricted) or
-    subscribe to the mailing list from the <a
-    href="http://www.nsa.gov/selinux">project web page</a>.</li>
-</ul>
-
-<h3><a name="ietf">Lists for IETF working groups</a></h3>
-
-<p>Each <a href="glossary.html#IETF">IETF</a> working group has an associated
-mailing list where much of the work takes place.</p>
-<ul>
-  <li><a
-    href="mailto:majordomo@lists.tislabs.com">ipsec@lists.tislabs.com</a>,
-    the IPsec <a
-    href="http://www.ietf.org/html.charters/ipsec-charter.html">working
-    group</a>. This is where the protocols are discussed, new drafts
-    announced, and so on. By now, the IPsec working group is winding down
-    since the work is essentially complete. A <a
-    href="http://www.sandelman.ottawa.on.ca/ipsec/">list archive</a> is
-    available.</li>
-  <li><a href="mailto:ipsec-policy-request@vpnc.org">IPsec policy</a> list,
-    and its <a href="http://www.vpnc.org/ipsec-policy/">archive</a></li>
-  <li><a href="mailto:ietf-ipsra-request@vpnc.org">IP secure remote
-    access</a> list, and its <a
-    href="http://www.vpnc.org/ietf-ipsra/mail-archive/">archive</a></li>
-</ul>
-
-<h3><a name="other">Other mailing lists</a></h3>
-<ul>
-  <li><a
-    href="mailto:ipc-announce-request@privacy.org">ipc-announce@privacy.org</a>
-    a low-traffic list with announcements of developments in privacy,
-    encryption and online civil rights</li>
-  <li>a VPN mailing list's <a
-    href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">home page</a></li>
-</ul>
-
-<h2><a name="newsgroups">Usenet newsgroups</a></h2>
-<ul>
-  <li>sci.crypt</li>
-  <li>sci.crypt.research</li>
-  <li>comp.dcom.vpn</li>
-  <li>talk.politics.crypto</li>
-</ul>
-</body>
-</html>
diff --git a/doc/src/makecheck.html b/doc/src/makecheck.html
deleted file mode 100644
index 7fa3a3bcb..000000000
--- a/doc/src/makecheck.html
+++ /dev/null
@@ -1,684 +0,0 @@
-<html>
-<head>
-<title>FreeS/WAN "make check" guide</title>
-<!-- Changed by: Michael Richardson, 02-Apr-2003 -->
-<meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN, testing, User-Mode-Linux, UML">
-
-<!--
-
-Written by Michael Richardson for the Linux FreeS/WAN project
-Freely distributable under the GNU General Public License
-
-More information at www.freeswan.org
-Feedback to users@lists.freeswan.org
-
-$Id: makecheck.html,v 1.1 2004/03/15 20:35:24 as Exp $
-
-$Log: makecheck.html,v $
-Revision 1.1  2004/03/15 20:35:24  as
-added files from freeswan-2.04-x509-1.5.3
-
-Revision 1.25  2003/04/02 20:28:33  mcr
-	document for NETJIGVERBOSE environment variable.
-
-Revision 1.24  2003/04/02 02:17:52  mcr
-	added documentation on "PACKETRATE"
-
-Revision 1.23  2003/02/27 09:28:24  mcr
-	added documentation for *_RUN2_SCRIPT.
-
-Revision 1.22  2003/02/20 20:00:44  mcr
-	added documentation for ${host}HOST.
-
-Revision 1.21  2003/02/20 19:56:11  mcr
-	documented new umlXhost test case.
-
-Revision 1.20  2002/12/06 02:11:42  mcr
-	added new test type, module_compile.
-
-Revision 1.19  2002/12/04 03:47:06  mcr
-	added documentation of various *TESTDEBUG options in
-	the testing environment.
-
-Revision 1.18  2002/10/31 19:01:31  mcr
-	documentation for RUN_*_SCRIPT.
-
-Revision 1.17  2002/09/11 19:43:36  mcr
-	added documentation on format of TESTLIST.
-
-Revision 1.16  2002/09/11 19:26:48  mcr
-	renamed umlpluto -> umlplutotest.
-
-Revision 1.15  2002/07/29 22:27:12  mcr
-	added kernel_patch_test test type.
-
-Revision 1.14  2002/06/19 18:24:44  mcr
-	renamed SCRIPT to INIT_SCRIPT.
-
-Revision 1.13  2002/06/19 10:06:07  mcr
-	added nightly.html to the documentation tree.
-
-Revision 1.12  2002/06/19 09:19:26  mcr
-	wrote documentation for umlpluto parts of makecheck,
-	and adjusted scripts for consistency.
-
-Revision 1.11  2002/06/19 07:26:31  mcr
-	added FINAL_SCRIPT to be run after sending packets through.
-	renamed "SCRIPT" to "INIT_SCRIPT" (left compat variable)
-
-Revision 1.10  2002/06/17 05:40:57  mcr
-	Added test cases for the "make rpm" machinery.
-
-Revision 1.9  2002/06/08 17:12:49  mcr
-	added new libtest test type for use in testing libfreeswan
-
-Revision 1.8  2002/05/27 00:19:38  mcr
-	removed reference to single_netjig.png because mkhtml does not
-	grok it.
-
-Revision 1.7  2002/05/07 01:31:52  mcr
-	documented the new "mkinsttest" target type.
-
-Revision 1.6  2002/05/05 23:10:50  mcr
-	added documentation of $TEST_TYPE variable.
-
-Revision 1.5  2002/04/19 22:48:41  mcr
-	added documentation on NETJIGDEBUG and CONSOLEDIFFDEBUG.
-
-Revision 1.4  2002/04/01 23:59:46  mcr
-	added documentation on REF_{PUB,PRIV}_FILTER.
-
-Revision 1.3  2002/04/01 23:38:46  mcr
-	redo of updates to makecheck
-
-Revision 1.2  2002/03/12 21:12:07  mcr
-	initial stab at documentation on klips testing infrastructure.
-
-
--->
-</head>
-
-<body>
-
-<h1><a name="makecheck">How to configure to use "make check"</a></h1>
-
-<H2>What is "make check"</H2>
-<p>
-"make check" is a target in the top level makefile. It takes care of
-running a number of unit and system tests to confirm that FreeSWAN has 
-been compiled correctly, and that no new bugs have been introduced.
-</p>
-<p>
-As FreeSWAN contains both kernel and userspace components, doing testing
-of FreeSWAN requires that the kernel be simulated. This is typically difficult
-to do as a kernel requires that it be run on bare hardware. A technology
-has emerged that makes this simpler. This is
-<A HREF="http://user-mode-linux.sourceforge.net">User Mode Linux</A>. 
-</p>
-
-<p>
-User-Mode Linux is a way to build a Linux kernel such that it can run as a process
-under another Linux (or in the future other) kernel. Presently, this can only be
-done for 2.4 guest kernels. The host kernel can be 2.2 or 2.4. 
-</p>
-
-<p>
-"make check" expects to be able to build User-Mode Linux kernels with FreeSWAN included. 
-To do this it needs to have some files downloaded and extracted prior
-to running "make check". This is described in the
-<A HREF="umltesting.html">UML testing</A> document.  
-</p>
-
-<p>
-After having run the example in the UML testing document and
-successfully brought up the four machine combination, you are ready to 
-use "make check"
-</p>
-
-<h2>Running "make check"</h2>
-<p>
-"make check" works by walking the FreeSWAN source tree invoking the
-"check" target at each node. At present there are tests defined only
-for the <CODE>klips</CODE> directory. These tests will use the UML
-infrastructure to test out pieces of the <CODE>klips</CODE> code.
-</p>
-<p>
-The results of the tests can be recorded. If the environment variable
-<CODE>$REGRESSRESULTS</CODE> is non-null, then the results of each
-test will be recorded. This can be used as part of a nightly
-regression testing system, see
-<A HREF="nightly.html">Nightly testing</A> for more details.
-</p>
-<p>
-"make check" otherwise prints a minimal amount of output for each
-test, and indicates pass/fail status of each test as they are run.
-Failed tests do not cause failure of the target in the form of exit
-codes. 
-</p>
-
-<H1>How to write a "make check" test</H1>
-
-<h2>Structure of a test</h2>
-
-<p>
-Each test consists of a set of directories under <CODE>testing/</CODE>.
-There are directories for <CODE>klips</CODE>, <CODE>pluto</CODE>, <CODE>packaging</CODE>
-and <CODE>libraries</CODE>.
-Each directory has a list of tests to run is stored in a file called <CODE>TESTLIST</CODE> in that directory. e.g. <CODE>testing/klips/TESTLIST</CODE>.
-</P>
-
-<H2 NAME="TESTLIST">The TESTLIST</H2>
-<P>
-This isn't actually a shell script. It just looks like one. Some tools other than
-/bin/sh process it. Lines that start with # are comments. </P>
-
-<PRE>
-# test-kind     directory-containing-test       expectation     [PR#]
-</PRE>
-
-<P>The first word provides the test type, detailed below. </P>
-<P> The second word is the name of the test to run. This the directory
-in which the test case is to be found..</P>
-<P>The third word may be one of: 
-<DL>
-<DT> blank/good</DT>
-<DD>the test is believed to function, report failure</DD>
-<DT> bad</DT>
-<DD> the test is known to fail, report unexpected success</DD>
-<DT> suspended</DT>
-<DD> the test should not be run</DD>
-</DL>
-
-<P>
-The fourth word may be a number, which is a PR# if the test is
-failing.
-</P>
-
-<H2>Test kinds</H2>
-The test types are:
-
-<DL>
-<DT>skiptest</DT>
-<DD>means run no test.</DD>
-<DT>ctltest</DT>
-<DD>means run a single system without input/output.</DD>
-<DT>klipstest</DT>
-<DD>means run a single system with input/output networks</DD>
-<DT><A HREF="#umlplutotest">umlplutotest</A></DT>
-<DD>means run a pair of systems</DD>
-<DT><A HREF="#umlXhost">umlXhost</A></DT>
-<DD>run an arbitrary number of systems</DT>
-<DT>suntest (TBD)</DT>
-<DD>means run a quad of east/west/sunrise/sunset</DD>
-<DT>roadtest (TBD)</DT>
-<DD>means run a trio of east-sunrise + warrior</DD>
-<DT>extrudedtest (TBD)</DT>
-<DD>means run a quad of east-sunrise + warriorsouth + park</DD>
-<DT>mkinsttest</TD>
-<DD>a test of the "make install" machinery.</DD>
-<DT>kernel_test_patch</TD>
-<DD>a test of the "make kernelpatch" machinery.</DD>
-</DL>
-
-Tests marked (TBD) have yet to be fully defined.
-</p>
-
-<p>
-Each test directory has a file in it called <CODE>testparams.sh</CODE>.
-This file sets a number of environment variables to define the
-parameters of the test.
-</p>
-
-<H2>Common parameters</H2>
-<DL>
-<DT>TESTNAME</DT>
-<DD>the name of the test (repeated for checking purposes)</DD>
-
-<DT>TEST_TYPE</DT>
-<DD>the type of the test (repeat of type type above)</DD>
-
-<DT>TESTHOST</DT>
-<DD>the name of the UML machine to run for the test, typically "east"
-  or "west"</DD>
-
-<DT>TEST_PURPOSE</DT>
-<DD>The purpose of the test is one of: 
-
-<DL>
-<DT>goal</DT>
-<DD>The goal purpose is where a test is defined for code that is not yet
-finished. The test indicates when the goals have in fact been reached.</DD>
-<DT>regress</DT>
-<DD>This is a test to determine that a previously existing bug has been repaired. This 
-test will initially be created to reproduce the bug in isolation, and then the bug will 
-be fixed.</DD> 
-<DT>exploit</DT>
-<DD>This is a set of packets/programs that causes a vulnerability to be
-exposed. It is a specific variation of the regress option.</DD>
-</DL>
-</DD>
-
-<DT>TEST_GOAL_ITEM<DT>
-<DD>in the case of a goal test, this is a reference to the requirements document</DD>
-
-<DT>TEST_PROB_REPORT</DT>
-<DD>in the case of regression test, this the problem report number from GNATS</DD>
-
-<DT>TEST_EXPLOIT_URL</DT>
-<DD>in the case of an exploit, this is a URL referencing the paper explaining 
-the origin of the test and the origin of exploit software</DD>
-
-<DT>REF_CONSOLE_OUTPUT</DT>
-<DD>a file in the test directory that contains the sanitized console
-  output against which to compare the output of the actual test.</DD>
-<DT>REF_CONSOLE_FIXUPS</DT>
-<DD>a list of scripts (found in <CODE>klips/test/fixups</CODE>) to
-  apply to sanitize the console output of the machine under test.
-  These are typically perl, awk or sed scripts that remove things in
-  the kernel output that change each time the test is run and/or
-  compiled.
-</DD>
-<DT>INIT_SCRIPT</DT>
-<DD><p>a file of commands that is fed into the virtual machine's console
-  in single user mode prior to starting the tests. This file will
-  usually set up any eroute's and SADB entries that are required for
-  the test. </p>
-<p>Lines beginning with # are skipped. Blank lines are
-  skipped. Otherwise, a shell prompted is waited for each time
-  (consisting of <CODE>\n#</CODE>) and then the command is sent.
-  Note that the prompt is waited for before the command and not after, 
-  so completion of the last command in the script is not
-  required. This is often used to invoke a program to monitor the
-  system, e.g. <CODE>ipsec pf_key</CODE>.
-</P>
-<DT>RUN_SCRIPT</DT>
-<DD><P>a file of commands that is fed into the virtual machine's console
-      in single user mode, before the packets are sent. On single machine
-      tests, this script doesn't provide any more power than INIT_SCRIPT,
-      but is implemented for consistency's sake.</P>
-<DT>FINAL_SCRIPT</DT>
-<DD><p>a file of commands that is fed into the virtual machine's console
-  in single user mode after the final packet is sent. Similar to INIT_SCRIPT,
-  above. If not specified, then the single command "halt" is sent.
-  If specified, then the script should end with a halt command to
-  nicely shutdown the UML.
-</P>
-<DT>CONSOLEDIFFDEBUG</DT>
-<DD>If set to "true" then the series of console fixups (see REF_CONSOLE_FIXUPS) will be output after it is constructed. (It should be set to "false", or unset otherwise)</DD>
-<DT>NETJIGDEBUG</DT>
-<DD>If set to "true" then the series of console fixups (see REF_CONSOLE_FIXUPS) will be output after it is constructed. (It should be set to "false", or unset otherwise)</DD>
-<DT>NETJIGTESTDEBUG</DT>
-<DD> If set to "netjig", then the results of talking to the <CODE>uml_netjig</CODE>
-will be printed to stderr during the test. In addition, the jig will
-be invoked with --debug, which causes it to log its process ID, and
-wait 60 seconds before continuing. This can be used if you are trying
-to debug the <CODE>uml_netjig</CODE> program itself.</DT>
-<DT>HOSTTESTDEBUG</DT>
-<DD> If set to "hosttest", then the results of taling to the consoles of the UMLs will
-be printed to stderr during the test.</DT>
-<DT>NETJIGWAITUSER</DT>
-<DD> If set to "waituser", then the scripts will wait forever for user
-  input before they shut the tests down. Use this is if you are
-  debugging through the kernel.</DD>
-
-<DT>PACKETRATE</DT>
-<DD> A number, in miliseconds (default is 500ms) at which packets will
-  be replayed by the netjig.</DD>
-</DL>
-
-
-<H2>KLIPStest paramaters</H2>
-<P>
-The klipstest function starts a program
-(<CODE>testing/utils/uml_netjig/uml_netjig</CODE>) to
-setup a bunch of I/O sockets (that simulate network interfaces). It
-then exports the references to these sockets to the environment and
-invokes (using system()) a given script. It waits for the script to
-finish.
-</P>
-
-<!-- <IMG SRC="single_netjig.png" ALT="block diagram of uml_netjig"> -->
-
-<P>
-The script invoked (<CODE>testing/utils/host-test.tcl</CODE>) is a TCL
-<A HREF="http://expect.nist.gov/">expect</A> script that arranges to start the UML 
-and configure it appropriately for the test. The configuration is done 
-with the script given above for <VAR>INIT_SCRIPT</VAR>. The TCL script then forks,
-leaves the UML in the background and exits. uml_netjig continues. It then
-starts listening to the simulated network answering ARPs and inserting
-packets as appropriate.
-</P>
-
-<P>
-The klipstest function invokes <CODE>uml_netjig</CODE> with arguments
-to capture output from network interface(s) and insert packets as
-appropriate:
-<DL>
-<DT>PUB_INPUT</DT>
-<DD>a <A HREF="http://www.tcpdump.org/">pcap</A> file to feed in on
-  the public (encrypted) interface. (typically, eth1)</DD>
-<DT>PRIV_INPUT</DT>
-<DD>a pcap file to feed in on the private (plain-text) interface
-  (typically, eth0).</DD>
-<DT>REF_PUB_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the public
-  (eth1) interface are captured to a
-  <A HREF="http://www.tcpdump.org/">pcap</A> file by
-  <CODE>uml_netjig</CODE>. The klipstest function then uses tcpdump on 
-  the file to produce text output, which is compared to the file given.</DD>
-<DT>REF_PUB_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further processing. Defaults to "cat".</DD>
-<DT>REF_PRIV_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the private
-  (eth0) interface are captured and compared after conversion by
-  tcpdump, as with <VAR>REFPUBOUTPUT</VAR>.</DD>
-<DT>REF_PRIV_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further processing. Defaults to "cat".</DD>
-<DT>EXITONEMPTY</DT>
-<DD>a flag for <CODE>uml_netjig</CODE>. It should contain
-  "--exitonempty" of uml_netjig should exit when all of the input
-  (<VAR>PUBINPUT</VAR>,<VAR>PRIVINPUT</VAR>) packets have been injected.</DD>
-<DT>ARPREPLY</DT>
-<DD>a flag for <CODE>uml_netjig</CODE>. It should contain "--arpreply" 
-  if <CODE>uml_netjig</CODE> should reply to ARP requests. One will
-  typically set this to avoid having to fudge the ARP cache manually.</DD>
-<DT>TCPDUMPFLAGS</DT>
-<DD>a set of flags for the tcpdump used when converting captured
-  output. Typical values will include "-n" to turn off DNS, and often
-  "-E" to set the decryption key (tcpdump 3.7.1 and higher only) for
-  ESP packets. The "-t" flag (turn off timestamps) is provided automatically</DD>
-
-<DT>NETJIG_EXTRA</DT>
-<DD>additional comments to be sent to the netjig. This may arrange to
-  record or create additional networks, or may toggle options.
-</DL>
-
-<H2>mkinsttest paramaters</H2>
-<P>
-The basic concept of the <CODE>mkinsttest</CODE> test type is that it 
-performs a "make install" to a temporary $DESTDIR. The resulting tree can then
-be examined to determine if it was done properly. The files can be uninstalled
-to determine if the file list was correct, or the contents of files can be
-examined more precisely.
-</P>
-
-<DL>
-<DT>INSTALL_FLAGS</DT>
-<DD>If set, then an install will be done. This provides the set of flags to 
-provide for the install. The target to be used (usually "install") must be 
-among the flags. </DD>  
-<DT>POSTINSTALL_SCRIPT</DT>
-<DD>If set, a script to run after initial "make install". Two arguments are provided: an absolute path to the root of the FreeSWAN src tree, and an absolute path to the temporary installation area.</DD>
-<DT>INSTALL2_FLAGS</DT>
-<DD>If set, a second install will be done using these flags. Similarly to
-INSTALL_FLAGS, the target must be among the flags. </DD>
-<DT>UNINSTALL_FLAGS</DT>
-<DD>If set, an uninstall will be done using these flags. Similarly to
-INSTALL_FLAGS, the target (usually "uninstall") must be among the flags.</DD> 
-<DT>REF_FIND_f_l_OUTPUT</DT>
-<DD>If set, a <CODE>find $ROOT ( -type f -or -type -l )</CODE> will be done to get a list of a real files and symlinks. The resulting file will be compared
-to the file listed by this option.</DD>
-<DT>REF_FILE_CONTENTS</DT>
-<DD>If set, it should point to a file containing records for the form:
-<PRE>
-  <VARIABLE>reffile</VARIABLE>   <VARIABLE>samplefile</VARIABLE>
-</PRE>
-one record per line. A diff between the provided reference file, and the
-sample file (located in the temporary installation root) will be done for
-each record.
-</DD>
-</DL>
-
-<H2>rpm_build_install_test paramaters</H2>
-<P>
-The <CODE>rpm_build_install_test</CODE> type is to verify that the proper
-packing list is produced by "make rpm", and that the mechanisms for
-building the kernel modules produce consistent results.
-</P>
-
-<DL>
-<DT>RPM_KERNEL_SOURCE</DT>
-<DD>Point to an extracted copy of the RedHat kernel source code. Variables
-from the environment may be used.</DD>  
-<DT>REF_RPM_CONTENTS</DT>
-<DD>This is a file containing one record per line. Each record consists
-of a RPM name (may contain wildcards) and a filename to compare the
-contents to. The RPM will be located and a file list will be produced with
-rpm2cpio.</DD>
-</DL>
-
-<H2>libtest paramaters</H2>
-<P>
-The libtest test is for testing library routines. The library file is
-expected to provided an <CODE>#ifdef</CODE> by the name of
-<VAR>library</VAR><CODE_MAIN</CODE>. 
-The libtest type invokes the C compiler to compile this file, links it against
-<CODE>libfreeswan.a</CODE> (to resolve any other dependancies) and runs the
-test with the <CODE>-r</CODE> argument to invoke a regression test.</P>
-<P>The library test case is expected to do a self-test, exiting with status code 0 if everything is okay, and with non-zero otherwise. A core dump (exit code greater than 128) is noted specifically.
-</P>
-<P>
-Unlike other tests, there are no subdirectories required, or other
-parameters to set.  
-</P>
-
-<H2 NAME="umlplutotest">umlplutotest paramaters</H2>
-<P>
-The umlplutotest function starts a pair of user mode line processes.
-This is a 2-host version of umlXhost. The "EAST" and "WEST" slots are defined.
-</P>
-
-<H2 NAME="umlXhost">umlXhost parameters</H2>
-<P>
-The umlXtest function starts an arbitrary number of user mode line processes.
-</P>
-
-<!-- <IMG SRC="single_netjig.png" ALT="block diagram of uml_netjig"> -->
-
-<P>
-The script invoked (<CODE>testing/utils/Xhost-test.tcl</CODE>) is a TCL
-<A HREF="http://expect.nist.gov/">expect</A> script that arranges to start each
-UML   
-and configure it appropriately for the test. It then starts listening
-(using uml_netjig) to the simulated network answering ARPs and
-inserting packets as appropriate.  
-</P>
-
-<P>
-umlXtest has a series of slots, each of which should be filled by a host.
-The list of slots is controlled by the variable, XHOST_LIST. This variable
-should be set to a space seperated list of slots. The former umlplutotest
-is now implemented as a variation of the umlXhost test,
-with XHOST_LIST="EAST WEST".
-</P>
-
-<P>
-For each host slot that is defined, a series of variables should be
-filled in, defining what configuration scripts to use for that host.
-</P>
-
-<P>
-The following are used to control the console input and output to the system.
-Where the string ${host} is present, the host slot should be filled in.
-I.e. for the two host system with XHOST_LIST="EAST WEST", then the
-variables: EAST_INIT_SCRIPT and WEST_INIT_SCRIPT will exist.
-<DL>
-<DT>${host}HOST</DT>
-<DD>The name of the UML host which will fill this slot</DD>
-<DT>${host}_INIT_SCRIPT</DT>
-<DD><p>a file of commands that is fed into the virtual machine's console
-  in single user mode prior to starting the tests. This file will
-  usually set up any eroute's and SADB entries that are required for
-  the test. Similar to INIT_SCRIPT, above.</p>
-<DT>${host}_RUN_SCRIPT</DT>
-<DD><P>a file of commands that is fed into the virtual machine's console
-      in single user mode, before the packets are sent. This set of 
-      commands is run after all of the virtual machines are initialized.
-      I.e. after EAST_INIT_SCRIPT <B>AND</B> WEST_INIT_SCRIPT. This script
-      can therefore do things that require that all machines are properly
-      configured.</P>
-<DT>${host}_RUN2_SCRIPT</DT>
-<DD><P>a file of commands that is fed into the virtual machine's console
-      in single user mode, after the packets are sent. This set of 
-      commands is run before any of the virtual machines have been shut
-      down. (I.e. before EAST_FINAL_SCRIPT <B>AND</B> WEST_FINAL_SCRIPT.)
-      This script can therefore catch post-activity status reports.</P>
-<DT>${host}_FINAL_SCRIPT</DT>
-<DD><p>a file of commands that is fed into the virtual machine's console
-  in single user mode after the final packet is sent. Similar to INIT_SCRIPT,
-  above. If not specified, then the single command "halt" is sent. Note that
-  when this script is run, the other virtual machines may already have been killed.
-  If specified, then the script should end with a halt command to nicely
-  shutdown the UML. 
-</P>
-<DT>REF_${host}_CONSOLE_OUTPUT</DT>
-<DD>Similar to REF_CONSOLE_OUTPUT, above.</DT>
-</DL>
-</P>
-
-<P>Some additional flags apply to all hosts:
-<DL>
-<DT>REF_CONSOLE_FIXUPS</DT>
-<DD>a list of scripts (found in <CODE>klips/test/fixups</CODE>) to
-  apply to sanitize the console output of the machine under test.
-  These are typically perl, awk or sed scripts that remove things in
-  the kernel output that change each time the test is run and/or
-  compiled.
-</DD>
-</DL>
-</P>
-
-<P> In addition to input to the console, the networks may have input
-fed to them:
-<DL>
-<DT>EAST_INPUT/WEST_INPUT</DT>
-<DD>a <A HREF="http://www.tcpdump.org/">pcap</A> file to feed in on
-  the private network side of each network. The "EAST" and "WEST" here 
-refer to the networks, not the hosts.</DD>
-<DT>REF_PUB_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further processing. Defaults to "cat".</DD>
-<DT>REF_EAST_FILTER/REF_WEST_FILTER</DT>
-<DD>a program that will filter the TCPDUMP output to do further processing. Defaults to "cat".</DD><
-<DT>TCPDUMPFLAGS</DT>
-<DD>a set of flags for the tcpdump used when converting captured
-  output. Typical values will include "-n" to turn off DNS, and often
-  "-E" to set the decryption key (tcpdump 3.7.1 and higher only) for
-  ESP packets. The "-t" flag (turn off timestamps) is provided automatically</DD>
-<DT>REF_EAST_OUTPUT/REF_WEST_OUTPUT</DT>
-<DD>a text file containing tcpdump output. Packets on the private
-  (eth0) interface are captured and compared after conversion by
-  tcpdump, as with <VAR>REF_PUB_OUTPUT</VAR>.</DD>
-</P>
-
-<P>
-There are two additional environment variables that may be set on the
-command line:
-<DL>
-<DT> NETJIGVERBOSE=verbose export NETJIGVERBOSE</DT>
-<DD> If set, then the test output will be "chatty", and let you know what
-  commands it is running, and as packets are sent. Without it set, the
-  output is limited to success/failure messages.</DD>
-<DT> NETJIGTESTDEBUG=netjig export NETJIGTESTDEBUG</DT>
-<DD> This will enable debugging of the communication with uml_netjig,
-  and turn on debugging in this utility.
-  This does not imply NETJIGVERBOSE.</DL>
-<DT> HOSTTESTDEBUG=hosttest export HOSTTESTDEBUG</DT>
-<DD> This will show all interactions with the user-mode-linux
-  consoles</DD>
-</DL>
-</P>
-
-<H2 NAME="kernelpatch">kernel_patch_test paramaters</H2>
-<P>
-The kernel_patch_test function takes some kernel source, copies it with
-lndir, and then applies the patch as produced by "make kernelpatch".
-</P>
-<P>
-The following are used to control the input and output to the system:
-<DL>
-<DT>KERNEL_NAME</DT>
-<DD>the kernel name, typically something like "linus" or "rh"</DD>
-<DT>KERNEL_VERSION</DT>
-<DD>the kernel version number, as in "2.2" or "2.4".</DD>
-<DT>KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC</DT>
-<DD>This variable should set in the environment, probably in
-  ~/freeswan-regress-env.sh. Examples of this variables would be
-  KERNEL_LINUS2_0_SRC or KERNEL_RH7_3_SRC. This variable should point
-  to an extracted copy of the kernel source in question.</DD>
-<DT>REF_PATCH_OUTPUT</DT>
-<DD>a copy of the patch output to compare against</DD>
-<DT>KERNEL_PATCH_LEAVE_SOURCE</DT>
-<DD>If set to a non-empty string, then the patched kernel source is not
-  removed at the end of the test. This will typically be set in the
-  environment while debugging.</DD>
-</DL>
-</P>
-
-<H2 NAME="modtest">module_compile paramaters</H2>
-<P>
-The module_compile test attempts to build the KLIPS module against a
-given set of kernel source. This is also done by the RPM tests, but
-in a very specific manner.
-</P>
-<P>
-There are two variations of this test - one where the kernel either
-doesn't need to be configured, or is already done, and tests were there
-is a local configuration file.
-</P>
-<P>
-Where the kernel doesn't need to be configured, the kernel source that
-is found is simply used. It may be a RedHat-style kernel, where one
-can cause it to configure itself via rhconfig.h-style definitions. Or,
-it may just be a kernel tree that has been configured. 
-</P>
-<P>
-If the variable KERNEL_CONFIG_FILE is set, then a new directory is
-created for the kernel source. It is populated with lndir(1). The referenced
-file is then copied in as .config, and "make oldconfig" is used to configure
-the kernel. This resulting kernel is then used as the reference source.
-</P>
-<p>
-In all cases, the kernel source is found the same was for the kernelpatch
-test, i.e. via KERNEL_VERSION/KERNEL_NAME and KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC.</P>
-<P>
-Once there is kernel source, the module is compiled using the top-level
-"make module" target. 
-</P>
-<P>
-The test is considered successful if an executable is found in OUTPUT/module/ipsec.o at the end of the test.
-</P>
-<DL>
-<DT>KERNEL_NAME</DT>
-<DD>the kernel name, typically something like "linus" or "rh"</DD>
-<DT>KERNEL_VERSION</DT>
-<DD>the kernel version number, as in "2.2" or "2.4".</DD>
-<DT>KERNEL_${KERNEL_NAME}${KERNEL_VERSION}_SRC</DT>
-<DD>This variable should set in the environment, probably in
-  ~/freeswan-regress-env.sh. Examples of this variables would be
-  KERNEL_LINUS2_0_SRC or KERNEL_RH7_3_SRC. This variable should point
-  to an extracted copy of the kernel source in question.</DD>
-<DT>KERNEL_CONFIG_FILE</DT>
-<DD>The configuration file for the kernel.</DD>
-<DT>KERNEL_PATCH_LEAVE_SOURCE</DT>
-<DD>If set to a non-empty string, then the configured kernel source is not
-  removed at the end of the test. This will typically be set in the
-  environment while debugging.</DD>
-<DT>MODULE_DEF_INCLUDE</DT>
-<DD>The include file that will be used to configure the KLIPS module, and
-  possibly the kernel source. </DD>
-</DL>
-
-<H1>Current pitfalls</H1>
-
-<DL>
-<DT> "tcpdump dissector" not available. </DT>
-<DD> This is a non-fatal warning. If uml_netjig is invoked with the -t 
-  option, then it will attempt to use tcpdump's dissector to decode
-  each packet that it processes. The dissector is presently not
-  available, so this option it normally turned off at compile time.
-  The dissector library will be released with tcpdump version
-  4.0.</DD>
-</DL>
-
-</body>
-</html>
\ No newline at end of file
diff --git a/doc/src/manpages.html b/doc/src/manpages.html
deleted file mode 100644
index 27a9aa7b3..000000000
--- a/doc/src/manpages.html
+++ /dev/null
@@ -1,155 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN man pages</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, manpage, manual, page">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: manpages.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="manpages">FreeS/WAN manual pages</a></h1>
-
-<p>The various components of Linux FreeS/WAN are of course documented in
-standard Unix manual pages, accessible via the man(1) command.</p>
-
-<p>Links here take you to an HTML version of the man pages.</p>
-
-<h2><a name="man.file">Files</a></h2>
-<dl>
-  <dt><a href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a></dt>
-    <dd>IPsec configuration and connections</dd>
-  <dt><a href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a></dt>
-    <dd>secrets for IKE authentication, either pre-shared keys or RSA private
-      keys</dd>
-</dl>
-
-<p>These files are also discussed in the <a
-href="config.html">configuration</a> section.</p>
-
-<h2><a name="man.command">Commands</a></h2>
-
-<p>Many users will never give most of the FreeS/WAN commands directly.
-Configure the files listed above correctly and everything should be
-automatic.</p>
-
-<p>The exceptions are commands for mainpulating the <a
-href="glossary.html#RSA">RSA</a> keys used in Pluto authentication:</p>
-<dl>
-  <dt><a href="manpage.d/ipsec_rsasigkey.8.html">ipsec_rsasigkey(8)</a></dt>
-    <dd>generate keys</dd>
-  <dt><a href="manpage.d/ipsec_newhostkey.8.html">ipsec_newhostkey(8)</a></dt>
-    <dd>generate keys in a convenient format</dd>
-  <dt><a
-  href="manpage.d/ipsec_showhostkey.8.html">ipsec_showhostkey(8)</a></dt>
-    <dd>extract <a href="glossary.html#RSA">RSA</a> keys from <a
-      href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a> (or
-      optionally, another file) and format them for insertion in <a
-      href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> or in DNS
-    records</dd>
-</dl>
-
-<p>Note that:</p>
-<ul>
-  <li>These keys are for <strong>authentication only</strong>. They are
-    <strong>not secure for encryption</strong>.</li>
-  <li>The utility uses random(4) as a source of <a
-    href="glossary.html#random">random numbers</a>. This may block for some
-    time if there is not enough activity on the machine to provide the
-    required entropy. You may want to give it some bogus activity such as
-    random mouse movements or some command such as <nobr><tt>du /usr &gt; /dev/null
-    &amp;</tt></nobr>.</li>
-</ul>
-
-<p>The following commands are fairly likely to be used, if only for testing
-and status checks:</p>
-<dl>
-  <dt><a href="manpage.d/ipsec.8.html">ipsec(8)</a></dt>
-    <dd>invoke IPsec utilities</dd>
-  <dt><a href="manpage.d/ipsec_setup.8.html">ipsec_setup(8)</a></dt>
-    <dd>control IPsec subsystem</dd>
-  <dt><a href="manpage.d/ipsec_auto.8.html">ipsec_auto(8)</a></dt>
-    <dd>control automatically-keyed IPsec connections</dd>
-  <dt><a href="manpage.d/ipsec_manual.8.html">ipsec_manual(8)</a></dt>
-    <dd>take manually-keyed IPsec connections up and down</dd>
-  <dt><a href="manpage.d/ipsec_ranbits.8.html">ipsec_ranbits(8)</a></dt>
-    <dd>generate random bits in ASCII form</dd>
-  <dt><a href="manpage.d/ipsec_look.8.html">ipsec_look(8)</a></dt>
-    <dd>show minimal debugging information</dd>
-  <dt><a href="manpage.d/ipsec_barf.8.html">ipsec_barf(8)</a></dt>
-    <dd>spew out collected IPsec debugging information</dd>
-</dl>
-
-<p>The lower-level utilities listed below are normally invoked via scripts
-listed above, but they can also be used directly when required.</p>
-<dl>
-  <dt><a href="manpage.d/ipsec_eroute.8.html">ipsec_eroute(8)</a></dt>
-    <dd>manipulate IPsec extended routing tables</dd>
-  <dt><a href="manpage.d/ipsec_klipsdebug.8.html">ipsec_klipsdebug(8)</a></dt>
-    <dd>set Klips (kernel IPsec support) debug features and level</dd>
-  <dt><a href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</a></dt>
-    <dd>IPsec IKE keying daemon</dd>
-  <dt><a href="manpage.d/ipsec_spi.8.html">ipsec_spi(8)</a></dt>
-    <dd>manage IPsec Security Associations</dd>
-  <dt><a href="manpage.d/ipsec_spigrp.8.html">ipsec_spigrp(8)</a></dt>
-    <dd>group/ungroup IPsec Security Associations</dd>
-  <dt><a href="manpage.d/ipsec_tncfg.8.html">ipsec_tncfg(8)</a></dt>
-    <dd>associate IPsec virtual interface with real interface</dd>
-  <dt><a href="manpage.d/ipsec_whack.8.html">ipsec_whack(8)</a></dt>
-    <dd>control interface for IPsec keying daemon</dd>
-</dl>
-
-<h2><a name="man.lib">Library routines</a></h2>
-<dl>
-  <dt><a href="manpage.d/ipsec_atoaddr.3.html">ipsec_atoaddr(3)</a></dt>
-  <dt><a href="manpage.d/ipsec_addrtoa.3.html">ipsec_addrtoa(3)</a></dt>
-    <dd>convert Internet addresses to and from ASCII</dd>
-  <dt><a href="manpage.d/ipsec_atosubnet.3.html">ipsec_atosubnet(3)</a></dt>
-  <dt><a href="manpage.d/ipsec_subnettoa.3.html">ipsec_subnettoa(3)</a></dt>
-    <dd>convert subnet/mask ASCII form to and from addresses</dd>
-  <dt><a href="manpage.d/ipsec_atoasr.3.html">ipsec_atoasr(3)</a></dt>
-    <dd>convert ASCII to Internet address, subnet, or range</dd>
-  <dt><a href="manpage.d/ipsec_rangetoa.3.html">ipsec_rangetoa(3)</a></dt>
-    <dd>convert Internet address range to ASCII</dd>
-  <dt>ipsec_atodata(3)</dt>
-  <dt><a href="manpage.d/ipsec_datatoa.3.html">ipsec_datatoa(3)</a></dt>
-    <dd>convert binary data from and to ASCII formats</dd>
-  <dt><a href="manpage.d/ipsec_atosa.3.html">ipsec_atosa(3)</a></dt>
-  <dt><a href="manpage.d/ipsec_satoa.3.html">ipsec_satoa(3)</a></dt>
-    <dd>convert IPsec Security Association IDs to and from ASCII</dd>
-  <dt><a href="manpage.d/ipsec_atoul.3.html">ipsec_atoul(3)</a></dt>
-  <dt><a href="manpage.d/ipsec_ultoa.3.html">ipsec_ultoa(3)</a></dt>
-    <dd>convert unsigned-long numbers to and from ASCII</dd>
-  <dt><a href="manpage.d/ipsec_goodmask.3.html">ipsec_goodmask(3)</a></dt>
-    <dd>is this Internet subnet mask a valid one?</dd>
-  <dt><a href="manpage.d/ipsec_masktobits.3.html">ipsec_masktobits(3)</a></dt>
-    <dd>convert Internet subnet mask to bit count</dd>
-  <dt><a href="manpage.d/ipsec_bitstomask.3.html">ipsec_bitstomask(3)</a></dt>
-    <dd>convert bit count to Internet subnet mask</dd>
-  <dt><a
-  href="manpage.d/ipsec_optionsfrom.3.html">ipsec_optionsfrom(3)</a></dt>
-    <dd>read additional ``command-line'' options from file</dd>
-  <dt><a href="manpage.d/ipsec_subnetof.3.html">ipsec_subnetof(3)</a></dt>
-    <dd>given Internet address and subnet mask, return subnet number</dd>
-  <dt><a href="manpage.d/ipsec_hostof.3.html">ipsec_hostof(3)</a></dt>
-    <dd>given Internet address and subnet mask, return host part</dd>
-  <dt><a
-  href="manpage.d/ipsec_broadcastof.3.html">ipsec_broadcastof(3)</a></dt>
-    <dd>given Internet address and subnet mask, return broadcast address</dd>
-</dl>
-</body>
-</html>
diff --git a/doc/src/nightly.html b/doc/src/nightly.html
deleted file mode 100644
index d86037884..000000000
--- a/doc/src/nightly.html
+++ /dev/null
@@ -1,164 +0,0 @@
-<html>
-<head>
-<title>FreeS/WAN nightly testing guide</title>
-<!-- Changed by: Michael Richardson, 23-Jul-2002 -->
-<meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN, testing, User-Mode-Linux, UML">
-
-<!--
-
-Written by Michael Richardson for the Linux FreeS/WAN project
-Freely distributable under the GNU General Public License
-
-More information at www.freeswan.org
-Feedback to users@lists.freeswan.org
-
-$Id: nightly.html,v 1.1 2004/03/15 20:35:24 as Exp $
-
-$Log: nightly.html,v $
-Revision 1.1  2004/03/15 20:35:24  as
-added files from freeswan-2.04-x509-1.5.3
-
-Revision 1.3  2002/07/23 18:42:16  mcr
-	added instructions on setup of nightly build.
-
-Revision 1.2  2002/06/19 10:06:07  mcr
-	added nightly.html to the documentation tree.
-
-Revision 1.1  2002/05/24 03:33:30  mcr
-	start at document on nightly regression testing.
-
-
--->
-</head>
-
-<body>
-
-<h1><a name="nightly">Nightly regression testing</a></h1>
-
-<p>
-The nightly regression testing system consists of several shell scripts
-and some perl scripts. The goal is to check out a fresh tree, run "make check" on it,
-record the results and summarize the results to the team and to the web site.
-</p>
-
-<P>
-Output can be found on <A HREF="http://bugs.freeswan.org:81/">adams</A>,
-although the tests are actually run on another project machine.</P>
-
-<H1><A name="nightlyhowto">How to setup the nightly build</A></h1>
-
-<P>
-The best way to do nightly testing is to setup a new account. We call the
-account "build" - you could call it something else, but there may
-still be some references to ~build in the scripts.
-</P>
-
-<H2> Files you need to know about </H2>
-<P>
-As few files as possible need to be extracted from the source tree -
-files are run from the source tree whenever possible. However, there
-are some bootstrap and configuration files that are necessary.
-</P>
-
-<P>
-There are 7 files in testing/utils that are involved:
-<DL>
-<DT> nightly-sample.sh </DT>
-<DD> This is the root of the build process. This file should be copied out
-of the CVS tree, to $HOME/bin/nightly.sh of the build account. This
-file should be invoked from cron. </DD>
-<DT> freeswan-regress-env-sample.sh </DT>
-<DD> This file should be copied to $HOME/freeswan-regress-env.sh. It
-  should be edited to localize the values. See below.</DD>
-<DT> regress-cleanup.pl </DT>
-<DD> This file needs to be copied to $HOME/bin/regress-cleanup.pl. It
-  is invoked by the nightly file before doing anything else. It
-  removes previous nights builds in order to free up disk space for
-  the build about to be done.</DD>
-<DT> teammail-sample.sh </DT>
-<DD> A script used to send results email to the "team". This sample
-  script could be copied to $HOME/bin/teammail.sh. This version will
-  PGP encrypt all the output to the team members. If this script is used,
-  then PGP will have to be properly setup to have the right keys.</DD>
-<DT> regress-nightly.sh </DT>
-<DD> This is the first stage of the nightly build. This stage will
-  call other scripts as appropriate, and will extract the source code
-  from CVS. This script should be copied to $HOME/bin/regress-nightly.sh</DD>
-<DT> regress-stage2.sh </DT>
-<DD> This is the second stage of the nightly build. It is called in
-  place. It essentially sets up the UML setup in umlsetup.sh, and
-  calls "make check".</DD>
-<DT> regress-summarize-results.pl
-<DD> This script will summarize the results from the tests to a
-  permanent directory set by $REGRESSRESULTS. It is invoked from the
-  stage2 nightly script.
-<DT> regress-chart.sh </DT>
-<DD> This script is called at the end of the build process, and will
-  summarize each night's results (as saved into $REGRESSRESULTS by
-  regress-summarize-results.pl) as a chart using gnuplot. Note that
-  this requires at least gnuplot 3.7.2.</DD>
-</DL>
-
-<H2>Configuring freeswan-regress-env.sh</H2>
-
-<P>For more info on KERNPOOL, UMLPATCH, BASICROOT and SHAREDIR, see
-  <A HREF="umltesting.html">User-Mode-Linux testing guide</A>.
-</P>
-
-<DL>
-<DT> KERNPOOL </DT>
-<DD> Extract copy of some kernel source to be used for UML builds</DD>
-<DT> UMLPATCH </DT>
-<DD> matching User-Mode-Linux patch.</DD>
-<DT> BASICROOT</DT>
-<DD> the root file system image (see
-  <A HREF="umltesting.html">User-Mode-Linux testing guide</A>).</DD>
-<DT> SHAREDIR=${BASICROOT}/usr/share</DT>
-<DD> The /usr/share to use.</DD>
-<DT> REGRESSTREE</DT>
-<DD> A directory in which to store the nightly regression
-  results. Directories will be created by date in this tree.</DD>
-
-<DT> TCPDUMP=tcpdump-3.7.1</DT>
-<DD> The path to the <A HREF="http://www.tcpdump.org/">tcpdump</A>
-  to use. This must have crypto compiled in, and must be at least 3.7.1</DT>
-
-<DT> KERNEL_RH7_2_SRC=/a3/kernel_sources/linux-2.4.9-13/</DT>
-<DD> An extracted copy of the RedHat 7.2. kernel source. If set, then
-  the packaging/rpm-rh72-install-01 test will be run, and an RPM will
-  be built as a test.</DD>
-  
-<DT> KERNEL_RH7_3_SRC=/a3/kernel_sources/rh/linux-2.4.18-5</DT>
-<DD> An extracted copy of the RedHat 7.3. kernel source. If set, then
-  the packaging/rpm-rh73-install-01 test will be run, and an RPM will
-  be built as a test.</DD>
-  
-<DT> NIGHTLY_WATCHERS="userid,userid,userid"</DT>
-<DD> The list of people who should receive nightly output. This is
-  used by teammail.sh</DD>
-
-<DT> FAILLINES=128</DT>
-<DD> How many lines of failed test output to include in the nightly
-  output</DD>
-
-<DT> PATH=$PATH:/sandel/bin export PATH</DT>
-<DD> You can also override the path if necessary here.</DD>
-
-<DT> CVSROOT=:pserver:anoncvs@ip212.xs4net.freeswan.org:/freeswan/MASTER</DT>
-<DD> The CVSROOT to use. This example may work for anonymous CVS, but
-  will be 12 hours behind the primary, and is still experimental</DD>
-
-<DT> SNAPSHOTSIGDIR=$HOME/snapshot-sig</DT>
-<DD> For the release tools, where to put the generated per-snapshot
-  signature keys</DD>
-
-<DT> LASTREL=1.97</DT>
-<DD> the name of the last release branch (to find the right
-  per-snapshot signature</DT>
-
-<DD>
-
-</DL>
-
-</body>
-</html>
\ No newline at end of file
diff --git a/doc/src/performance.html b/doc/src/performance.html
deleted file mode 100755
index 9d90acc62..000000000
--- a/doc/src/performance.html
+++ /dev/null
@@ -1,576 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN performance</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, performance, benchmark">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: performance.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="performance">Performance of FreeS/WAN</a></h1>
-The performance of FreeS/WAN is adequate for most applications.
-
-<p>In normal operation, the main concern is the overhead for encryption,
-decryption and authentication of the actual IPsec (<a
-href="glossary.html#ESP">ESP</a> and/or <a href="glossary.html#AH">AH</a>)
-data packets. Tunnel setup and rekeying occur so much less frequently than
-packet processing that, in general, their overheads are not worth worrying
-about.</p>
-
-<p>At startup, however, tunnel setup overheads may be significant. If you
-reboot a gateway and it needs to establish many tunnels, expect some delay.
-This and other issues for large gateways are discussed <a
-href="#biggate">below</a>.</p>
-
-<h2><a name="pub.bench">Published material</a></h2>
-
-<p>The University of Wales at Aberystwyth has done quite detailed speed tests
-and put <a href="http://tsc.llwybr.org.uk/public/reports/SWANTIME/">their
-results</a> on the web.</p>
-
-<p>Davide Cerri's <a href="http://www.linux.it/~davide/doc/">thesis (in
-Italian)</a> includes performance results for FreeS/WAN and for <a
-href="glossary.html#TLS">TLS</a>. He posted an <a
-href="http://lists.freeswan.org/pipermail/users/2001-December/006303.html">English
-summary</a> on the mailing list.</p>
-
-<p>Steve Bellovin used one of AT&amp;T Research's FreeS/WAN gateways as his
-data source for an analysis of the cache sizes required for key swapping in
-IPsec. Available as <a
-href="http://www.research.att.com/~smb/talks/key-agility.email.txt">text</a>
-or <a href="http://www.research.att.com/~smb/talks/key-agility.pdf">PDF
-slides</a> for a talk on the topic.</p>
-
-<p>See also the NAI work mentioned in the next section.</p>
-
-<h2><a name="perf.estimate">Estimating CPU overheads</a></h2>
-
-<p>We can come up with a formula that roughly relates CPU speed to the rate
-of IPsec processing possible. It is far from exact, but should be usable as a
-first approximation.</p>
-
-<p>An analysis of authentication overheads for high-speed networks, including
-some tests using FreeS/WAN, is on the <a
-href="http://www.pgp.com/research/nailabs/cryptographic/adaptive-cryptographic.asp">NAI
-Labs site</a>. In particular, see figure 3 in this <a
-href="http://download.nai.com/products/media/pgp/pdf/acsa_final_report.pdf">PDF
-document</a>. Their estimates of overheads, measured in Pentium II cycles per
-byte processed are:</p>
-
-<table border="1" align="center">
-  <tbody>
-    <tr>
-      <th></th>
-      <th>IPsec</th>
-      <th>authentication</th>
-      <th>encryption</th>
-      <th>cycles/byte</th>
-    </tr>
-    <tr>
-      <td>Linux IP stack alone</td>
-      <td>no</td>
-      <td>no</td>
-      <td>no</td>
-      <td align="right">5</td>
-    </tr>
-    <tr>
-      <td>IPsec without crypto</td>
-      <td>yes</td>
-      <td>no</td>
-      <td>no</td>
-      <td align="right">11</td>
-    </tr>
-    <tr>
-      <td>IPsec, authentication only</td>
-      <td>yes</td>
-      <td>SHA-1</td>
-      <td>no</td>
-      <td align="right">24</td>
-    </tr>
-    <tr>
-      <td>IPsec with encryption</td>
-      <td>yes</td>
-      <td>yes</td>
-      <td>yes</td>
-      <td align="right">not tested</td>
-    </tr>
-  </tbody>
-</table>
-
-<p>Overheads for IPsec with encryption were not tested in the NAI work, but
-Antoon Bosselaers' <a
-href="http://www.esat.kuleuven.ac.be/~bosselae/fast.html">web page</a> gives
-cost for his optimised Triple DES implementation as 928 Pentium cycles per
-block, or 116 per byte. Adding that to the 24 above, we get 140 cycles per
-byte for IPsec with encryption.</p>
-
-<p>At 140 cycles per byte, a 140 MHz machine can handle a megabyte -- 8
-megabits -- per second. Speeds for other machines will be proportional to
-this. To saturate a link  with capacity C megabits per second, you need a
-machine running at <var>C * 140/8 = C * 17.5</var> MHz.</p>
-
-<p>However, that estimate is not precise. It ignores the differences
-between:</p>
-<ul>
-  <li>NAI's test packets and real traffic</li>
-  <li>NAI's Pentium II cycles, Bosselaers' Pentium cycles, and your machine's
-    cycles</li>
-  <li>different 3DES implementations</li>
-  <li>SHA-1 and MD5</li>
-</ul>
-
-<p>and does not account for some overheads you will almost certainly have:</p>
-<ul>
-  <li>communication on the client-side interface</li>
-  <li>switching between multiple tunnels -- re-keying, cache reloading and so
-    on</li>
-</ul>
-
-<p>so we suggest using <var>C * 25</var> to get an estimate with a bit of a
-built-in safety factor.</p>
-
-<p>This covers only IP and IPsec processing. If you have other loads on your
-gateway -- for example if it is also working as a firewall -- then you will
-need to add your own safety factor atop that.</p>
-
-<p>This estimate matches empirical data reasonably well. For example,
-Metheringham's tests, described <a href="#klips.bench">below</a>, show a 733
-topping out between 32 and 36 Mbit/second, pushing data as fast as it can
-down a 100 Mbit link. Our formula suggests you need at least an 800 to handle
-a fully loaded 32 Mbit link. The two results are consistent.</p>
-
-<p>Some examples using this estimation method:</p>
-
-<table border="1" align="center">
-  <tbody>
-    <tr>
-      <th colspan="2">Interface</th>
-      <th colspan="3">Machine speed in MHz</th>
-    </tr>
-    <tr>
-      <th>Type</th>
-      <th>Mbit per<br>
-        second</th>
-      <th>Estimate<br>
-        Mbit*25</th>
-      <th>Minimum IPSEC gateway</th>
-      <th>Minimum with other load
-
-        <p>(e.g. firewall)</p>
-      </th>
-    </tr>
-    <tr>
-      <td>DSL</td>
-      <td align="right">1</td>
-      <td align="right">25 MHz</td>
-      <td rowspan="2">whatever you have</td>
-      <td rowspan="2">133, or better if you have it</td>
-    </tr>
-    <tr>
-      <td>cable modem</td>
-      <td align="right">3</td>
-      <td align="right">75 MHz</td>
-    </tr>
-    <tr>
-      <td><strong>any link, light load</strong></td>
-      <td align="right"><strong>5</strong></td>
-      <td align="right">125 MHz</td>
-      <td>133</td>
-      <td>200+, <strong>almost any surplus machine</strong></td>
-    </tr>
-    <tr>
-      <td>Ethernet</td>
-      <td align="right">10</td>
-      <td align="right">250 MHz</td>
-      <td>surplus 266 or 300</td>
-      <td>500+</td>
-    </tr>
-    <tr>
-      <td><strong>fast link, moderate load</strong></td>
-      <td align="right"><strong>20</strong></td>
-      <td align="right">500 MHz</td>
-      <td>500</td>
-      <td>800+, <strong>any current off-the-shelf PC</strong></td>
-    </tr>
-    <tr>
-      <td>T3 or E3</td>
-      <td align="right">45</td>
-      <td align="right">1125 MHz</td>
-      <td>1200</td>
-      <td>1500+</td>
-    </tr>
-    <tr>
-      <td>fast Ethernet</td>
-      <td align="right">100</td>
-      <td align="right">2500 MHz</td>
-      <td rowspan="2" colspan="2" align="center">// not feasible with 3DES in
-        software on current machines //</td>
-    </tr>
-    <tr>
-      <td>OC3</td>
-      <td align="right">155</td>
-      <td align="right">3875 MHz</td>
-    </tr>
-  </tbody>
-</table>
-
-<p>Such an estimate is far from exact, but should be usable as minimum
-requirement for planning. The key observations are:</p>
-<ul>
-  <li>older <strong>surplus machines</strong> are fine for IPsec gateways at
-    loads up to <strong>5 megabits per second</strong> or so</li>
-  <li>a <strong>mid-range new machine</strong> can handle IPsec at rates up
-    to <strong>20 megabits per second</strong> or more</li>
-</ul>
-  <h3><a name="perf.more">Higher performance alternatives</a></h3>
-
-  <p><a href="glossary.html#AES">AES</a> is a new US government block cipher
-  standard, designed to replace the obsolete <a
-  href="glossary.html#DES">DES</a>. If FreeS/WAN using <a
-  href="glossary.html#3DES">3DES</a> is not fast enough for your application,
-  the AES <a href="web.html#patch">patch</a> may help.</p>
-
-  <p>To date (March 2002) we have had only one <a
-  href="http://lists.freeswan.org/pipermail/users/2002-February/007771.html">mailing
-  list report</a> of measurements with the patch applied. It indicates that,
-  at least for the tested load on that user's network,  <strong>AES roughly
-  doubles IPsec throughput</strong>. If further testing confirms this, it may
-  prove possible to saturate an OC3 link in software on a high-end box.</p>
-
-  <p>Also, some work is being done toward support of <a
-  href="compat.html#hardware">hardware IPsec acceleration</a> which might
-  extend the range of requirements FreeS/WAN could meet.</p>
-
-  <h3>Other considerations</h3>
-
-  <p>CPU speed may be the main issue for IPsec performance, but of course it
-  isn't the only one.</p>
-
-  <p>You need good ethernet cards or other network interface hardware to get
-  the best performance. See this <a
-  href="http://www.ethermanage.com/ethernet/ethernet.html">ethernet
-  information</a> page and this <a href="http://www.scyld.com/diag">Linux
-  network driver</a> page.</p>
-
-  <p>The current FreeS/WAN kernel code is largely single-threaded. It is SMP
-  safe, and will run just fine on a multiprocessor machine (<a
-  href="compat.html#multiprocessor">discussion</a>), but the load within the
-  kernel is not shared effectively. This means that, for example to saturate
-  a T3 -- which needs about a 1200 MHz machine -- you cannot expect something
-  like a dual 800 to do the job. </p>
-
-  <p>On the other hand, SMP machines do tend to share loads well so --
-  provided one CPU is fast enough for the IPsec work -- a multiprocessor
-  machine may be ideal for a gateway with a mixed load.</p>
-
-  <h2><a name="biggate">Many tunnels from a single gateway</a></h2>
-
-  <p>FreeS/WAN allows a single gateway machine to build tunnels to many
-  others. There may, however, be some problems for large numbers as indicated
-  in this message from the mailing list:</p>
-
-<pre>Subject: Re: Maximum number of ipsec tunnels?
-   Date: Tue, 18 Apr 2000
-   From: "John S. Denker" &lt;jsd@research.att.com&gt;
-
-Christopher Ferris wrote:
-
-&gt;&gt; What are the maximum number ipsec tunnels FreeS/WAN can handle??
-
-Henry Spencer wrote:
-
-&gt;There is no particular limit.  Some of the setup procedures currently
-&gt;scale poorly to large numbers of connections, but there are (clumsy)
-&gt;workarounds for that now, and proper fixes are coming.
-
-1) "Large" numbers means anything over 50 or so.  I routinely run boxes
-with about 200 tunnels.  Once you get more than 50 or so, you need to worry
-about several scalability issues:
-
-a) You need to put a "-" sign in syslogd.conf, and rotate the logs daily
-not weekly.
-
-b) Processor load per tunnel is small unless the tunnel is not up, in which
-case a new half-key gets generated every 90 seconds, which can add up if
-you've got a lot of down tunnels.
-
-c) There's other bits of lore you need when running a large number of
-tunnels.  For instance, systematically keeping the .conf file free of
-conflicts requires tools that aren't shipped with the standard freeswan
-package.
-
-d) The pluto startup behavior is quadratic.  With 200 tunnels, this eats up
-several minutes at every restart.   I'm told fixes are coming soon.
-
-2) Other than item (1b), the CPU load depends mainly on the size of the
-pipe attached, not on the number of tunnels.
-</pre>
-
-<p>It is worth noting that item (1b) applies only to repeated attempts to
-re-key a data connection (IPsec SA, Phase 2) over an established keying
-connection (ISAKMP SA, Phase 1). There are two ways to reduce this overhead
-using settings in <a href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a>:</p>
-<ul>
-  <li>set <var>keyingtries</var> to some small value to limit repetitions</li>
-  <li>set <var>keylife</var> to a short time so that a failing data
-    connection will be cleaned up when the keying connection is reset.</li>
-</ul>
-
-<p>The overheads for establishing keying connections (ISAKMP SAs, Phase 1)
-are lower because for these Pluto does not perform expensive operations
-before receiving a reply from the peer.</p>
-
-<p>A gateway that does a lot of rekeying -- many tunnels and/or low settings
-for tunnel lifetimes -- will also need a lot of <a
-href="glossary.html#random">random numbers</a> from the random(4) driver.</p>
-
-<h2><a name="low-end">Low-end systems</a></h2>
-
-<p><em>Even a 486 can handle a T1 line</em>, according to this mailing list
-message:</p>
-<pre>Subject: Re: linux-ipsec: IPSec Masquerade
-   Date: Fri, 15 Jan 1999 11:13:22 -0500
-   From: Michael Richardson 
-
-. . . A 486/66 has been clocked by Phil Karn to do
-10Mb/s encryption.. that uses all the CPU, so half that to get some CPU,
-and you have 5Mb/s. 1/3 that for 3DES and you get 1.6Mb/s....</pre>
-
-<p>and a piece of mail from project technical lead Henry Spencer:</p>
-<pre>Oh yes, and a new timing point for Sandy's docs...  A P60 -- yes, a 60MHz
-Pentium, talk about antiques -- running a host-to-host tunnel to another
-machine shows an FTP throughput (that is, end-to-end results with a real
-protocol) of slightly over 5Mbit/s either way.  (The other machine is much
-faster, the network is 100Mbps, and the ether cards are good ones... so
-the P60 is pretty definitely the bottleneck.)</pre>
-
-<p>From the above, and from general user experience as reported on the list,
-it seems clear that a cheap surplus machine -- a reasonable 486, a minimal
-Pentium box, a Sparc 5, ... -- can easily handle a home office or a small
-company connection using any of:</p>
-<ul>
-  <li>ADSL service</li>
-  <li>cable modem</li>
-  <li>T1</li>
-  <li>E1</li>
-</ul>
-
-<p>If available, we suggest using a Pentium 133 or better. This should ensure
-that, even under maximum load, IPsec will use less than half the CPU cycles.
-You then have enough left for other things you may want on your gateway --
-firewalling, web caching, DNS and such.</p>
-
-<h2><a name="klips.bench">Measuring KLIPS</a></h2>
-
-<p>Here is some additional data from the mailing list.</p>
-<pre>Subject: FreeSWAN (specically KLIPS) performance measurements
-   Date: Thu, 01 Feb 2001
-   From: Nigel Metheringham &lt;Nigel.Metheringham@intechnology.co.uk&gt;
-
-I've spent a happy morning attempting performance tests against KLIPS 
-(this is due to me not being able to work out the CPU usage of KLIPS so 
-resorting to the crude measurements of maximum throughput to give a 
-baseline to work out loading of a box).
-
-Measurements were done using a set of 4 boxes arranged in a line, each 
-connected to the next by 100Mbit duplex ethernet.  The inner 2 had an 
-ipsec tunnel between them (shared secret, but I was doing measurements 
-when the tunnel was up and running - keying should not be an issue 
-here).  The outer pair of boxes were traffic generators or traffic sink.
-
-The crypt boxes are Compaq DL380s - Uniprocessor PIII/733 with 256K 
-cache.  They have 128M main memory.  Nothing significant was running on 
-the boxes other than freeswan.  The kernel was a 2.2.19pre7 patched 
-with freeswan and ext3.
-
-Without an ipsec tunnel in the chain (ie the 2 inner boxes just being 
-100BaseT routers), throughput (measured with ttcp) was between 10644 
-and 11320 KB/sec
-
-With an ipsec tunnel in place, throughput was between 3268 and 3402 
-KB/sec
-
-These measurements are for data pushed across a TCP link, so the 
-traffic on the wire between the 2 ipsec boxes would have been higher 
-than this....
-
-vmstat (run during some other tests, so not affecting those figures) on 
-the encrypting box shows approx 50% system &amp; 50% idle CPU - which I 
-don't believe at all.  Interactive feel of the box was significantly 
-sluggish.
-
-I also tried running the kernel profiler (see man readprofile) during 
-test runs.
-
-A box doing primarily decrypt work showed basically nothing happening - 
-I assume interrupts were off.
-A box doing encrypt work showed the following:-
- Ticks Function                                   Load
- ~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    ~~~~~~
-   956 total                                      0.0010
-   532 des_encrypt2                               0.1330
-   110 MD5Transform                               0.0443
-    97 kmalloc                                    0.1880
-    39 des_encrypt3                               0.1336
-    23 speedo_interrupt                           0.0298
-    14 skb_copy_expand                            0.0250
-    13 ipsec_tunnel_start_xmit                    0.0009
-    13 Decode                                     0.1625
-    11 handle_IRQ_event                           0.1019
-    11 .des_ncbc_encrypt_end                      0.0229
-    10 speedo_start_xmit                          0.0188
-     9 satoa                                      0.0225
-     8 kfree                                      0.0118
-     8 ip_fragment                                0.0121
-     7 ultoa                                      0.0365
-     5 speedo_rx                                  0.0071
-     5 .des_encrypt2_end                          5.0000
-     4 _stext                                     0.0140
-     4 ip_fw_check                                0.0035
-     2 rj_match                                   0.0034
-     2 ipfw_output_check                          0.0200
-     2 inet_addr_type                             0.0156
-     2 eth_copy_and_sum                           0.0139
-     2 dev_get                                    0.0294
-     2 addrtoa                                    0.0143
-     1 speedo_tx_buffer_gc                        0.0024
-     1 speedo_refill_rx_buf                       0.0022
-     1 restore_all                                0.0667
-     1 number                                     0.0020
-     1 net_bh                                     0.0021
-     1 neigh_connected_output                     0.0076
-     1 MD5Final                                   0.0083
-     1 kmem_cache_free                            0.0016
-     1 kmem_cache_alloc                           0.0022
-     1 __kfree_skb                                0.0060
-     1 ipsec_rcv                                  0.0001
-     1 ip_rcv                                     0.0014
-     1 ip_options_fragment                        0.0071
-     1 ip_local_deliver                           0.0023
-     1 ipfw_forward_check                         0.0139
-     1 ip_forward                                 0.0011
-     1 eth_header                                 0.0040
-     1 .des_encrypt3_end                          0.0833
-     1 des_decrypt3                               0.0034
-     1 csum_partial_copy_generic                  0.0045
-     1 call_out_firewall                          0.0125
-
-Hope this data is helpful to someone... however the lack of visibility 
-into the decrypt side makes things less clear</pre>
-
-<h2><a name="speed.compress">Speed with compression</a></h2>
-
-<p>Another user reported some results for connections with and without IP
-compression:</p>
-<pre>Subject: [Users] Speed with compression
-   Date: Fri, 29 Jun 2001
-   From: John McMonagle &lt;johnm@advocap.org&gt;
-
-Did a couple tests with compression using the new 1.91 freeswan.
-
-Running between 2 sites with cable modems.  Both  using approximately
-130 mhz pentium.
-
-Transferred files with ncftp.
-
-Compressed file was a 6mb compressed  installation file.
-Non compressed was 18mb /var/lib/rpm/packages.rpm
-
-                            Compressed vpn          regular vpn
-Compress file                42.59 kBs               42.08 kBs
-regular file                110.84 kBs               41.66 kBs
-
-Load  was about 0 either way.
-Ping times were very similar  a bit above 9 ms.
-
-Compression looks attractive to me.</pre>
-Later in the same thread, project technical lead Henry Spencer added:
-<pre>&gt; is there a reason not to switch compression on?  I have large gateway boxes
-&gt; connecting 3 connections, one of them with a measly DS1 link...
-
-Run some timing tests with and without, with data and loads representative
-of what you expect in production.  That's the definitive way to decide. 
-If compression is a net loss, then obviously, leave it turned off.  If it
-doesn't make much difference, leave it off for simplicity and hence
-robustness.  If there's a substantial gain, by all means turn it on. 
-
-If both ends support compression and can successfully negotiate a
-compressed connection (trivially true if both are FreeS/WAN 1.91), then
-the crucial question is CPU cycles. 
-
-Compression has some overhead, so one question is whether *your* data
-compresses well enough to save you more CPU cycles (by reducing the volume
-of data going through CPU-intensive encryption/decryption) than it costs
-you.  Last time I ran such tests on data that was reasonably compressible
-but not deliberately contrived to be so, this generally was not true --
-compression cost extra CPU cycles -- so compression was worthwhile only if
-the link, not the CPU, was the bottleneck.  However, that was before the
-slow-compression bug was fixed.  I haven't had a chance to re-run those
-tests yet, but it sounds like I'd probably see a different result. </pre>
-The bug he refers to was a problem with the compression libraries that had us
-using C code, rather than assembler, for compression. It was fixed before
-1.91.
-
-<h2><a name="methods">Methods of measuring</a></h2>
-
-<p>If you want to measure the loads FreeS/WAN puts on a system, note that
-tools such as top or measurements such as load average are more-or-less
-useless for this. They are not designed to measure something that does most
-of its work inside the kernel.</p>
-
-<p>Here is a message from FreeS/WAN kernel programmer Richard Guy Briggs on
-this:</p>
-<pre>&gt; I have a batch of boxes doing Freeswan stuff.
-&gt; I want to measure the CPU loading of the Freeswan tunnels, but am 
-&gt; having trouble seeing how I get some figures out...
-&gt; 
-&gt;  - Keying etc is in userspace so will show up on the per-process
-&gt;    and load average etc (ie pluto's load)
-
-Correct.
-
-&gt;  - KLIPS is in the kernel space, and does not show up in load average
-&gt;    I think also that the KLIPS per-packet processing stuff is running
-&gt;    as part of an interrupt handler so it does not show up in the
-&gt;    /proc/stat system_cpu or even idle_cpu figures
-
-It is not running in interrupt handler.  It is in the bottom half.
-This is somewhere between user context (careful, this is not
-userspace!) and hardware interrupt context.
-
-&gt; Is this correct, and is there any means of instrumenting how much the 
-&gt; cpu is being loaded - I don't like the idea of a system running out of 
-&gt; steam whilst still showing 100% idle CPU :-)
-
-vmstat seems to do a fairly good job, but use a running tally to get a
-good idea.  A one-off call to vmstat gives different numbers than a
-running stat.  To do this, put an interval on your vmstat command
-line.</pre>
-and another suggestion from the same thread:
-<pre>Subject: Re: Measuring the CPU usage of Freeswan
-   Date: Mon, 29 Jan 2001
-   From: Patrick Michael Kane &lt;modus@pr.es.to&gt;
- 
-The only truly accurate way to accurately track FreeSWAN CPU usage is to use
-a CPU soaker. You run it on an unloaded system as a benchmark, then start up
-FreeSWAN and take the difference to determine how much FreeSWAN is eating.
-I believe someone has done this in the past, so you may find something in
-the FreeSWAN archives.  If not, someone recently posted a URL to a CPU
-soaker benchmark tool on linux-kernel.</pre>
-</body>
-</html>
diff --git a/doc/src/policy-groups-table.html b/doc/src/policy-groups-table.html
deleted file mode 100644
index 8e84809cf..000000000
--- a/doc/src/policy-groups-table.html
+++ /dev/null
@@ -1,297 +0,0 @@
-<!DOCTYPE html PUBLIC "-//w3c//dtd html 4.0 transitional//en">
-<html>
-<head>
-            
-  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
-            
-  <meta name="Author" content="Richard Guy Briggs">
-            
-  <meta name="GENERATOR" content="Mozilla/4.78 [en] (X11; U; Linux 2.4.18 i686) [Netscape]">
-  <title></title>
-</head>
-  <body>
-Policy Groups Table<br>
-<br>
-This table lists all the policy group combinations and expected packet flows.<br>
-<br>
-<br>
-   
-<table border="1" cols="14" width="100%" nosave="">
-   <tbody>
-      <tr>
-   <th bgcolor="#cccccc">policy</th>
-    <th bgcolor="#cccccc"><br>
-        </th>
-    <th bgcolor="#cccccc" colspan="2">none</th>
-      <th bgcolor="#cccccc" colspan="2">clear</th>
-      <th bgcolor="#cccccc" colspan="2">clear-or-private</th>
-      <th bgcolor="#cccccc" colspan="2">private-or-clear</th>
-      <th bgcolor="#cccccc" colspan="2">private</th>
-      <th bgcolor="#cccccc" colspan="2">block</th>
-     </tr>
-    <tr>
-   <th bgcolor="#cccccc"><br>
-        </th>
-    <th bgcolor="#cccccc">key?</th>
-    <th bgcolor="#cccccc">no</th>
-    <th bgcolor="#cccccc">yes</th>
-    <th bgcolor="#cccccc">no</th>
-    <th bgcolor="#cccccc">yes</th>
-    <th bgcolor="#cccccc">no</th>
-    <th bgcolor="#cccccc">yes</th>
-    <th bgcolor="#cccccc">no</th>
-    <th bgcolor="#cccccc">yes</th>
-    <th bgcolor="#cccccc">no</th>
-    <th bgcolor="#cccccc">yes</th>
-    <th bgcolor="#cccccc">no</th>
-    <th bgcolor="#cccccc">yes</th>
-   </tr>
-    <tr>
-   <th bgcolor="#cccccc" rowspan="2">none</th>
-    <th bgcolor="#cccccc">no</th>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c,f</td>
-    <td>c,f</td>
-    <td>c,f</td>
-    <td>c,f</td>
-   </tr>
-    <tr>
-    <th bgcolor="#cccccc">yes</th>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c,f?</td>
-    <td>c,f?</td>
-    <td>c,f</td>
-    <td>c,f</td>
-    <td>c,f</td>
-    <td>c,f</td>
-   </tr>
-    <tr>
-   <th bgcolor="#cccccc" rowspan="2">clear</th>
-    <th bgcolor="#cccccc">no</th>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c,c(f?)</td>
-    <td>c,f</td>
-    <td>c,f</td>
-    <td>c,f</td>
-    <td>c,f</td>
-   </tr>
-    <tr>
-    <th bgcolor="#cccccc">yes</th>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c,f?</td>
-    <td>c,f?</td>
-    <td>c,f</td>
-    <td>c,f</td>
-    <td>c,f</td>
-    <td>c,f</td>
-   </tr>
-    <tr>
-   <th bgcolor="#cccccc" rowspan="2">clear-or-private</th>
-    <th bgcolor="#cccccc">no</th>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c,f?</td>
-    <td>c,c(f?)</td>
-    <td>c,f</td>
-    <td>c,f</td>
-    <td>c,f</td>
-    <td>c,f</td>
-   </tr>
-    <tr>
-    <th bgcolor="#cccccc">yes</th>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c</td>
-    <td>c,f?</td>
-    <td>c,e</td>
-    <td>c,f</td>
-    <td>c,e</td>
-    <td>c,f</td>
-    <td>c,f</td>
-   </tr>
-    <tr>
-   <th bgcolor="#cccccc" rowspan="2">private-or-clear</th>
-    <th bgcolor="#cccccc">no</th>
-    <td>t,c</td>
-    <td>t,f?</td>
-    <td>t,c</td>
-    <td>t,f?</td>
-    <td>t,c</td>
-    <td>t,f?</td>
-    <td>t,f?</td>
-    <td>t,f?</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-   </tr>
-    <tr>
-    <th bgcolor="#cccccc">yes</th>
-    <td>t,c</td>
-    <td>t,f?</td>
-    <td>t,c</td>
-    <td>t,f?</td>
-    <td>t,c</td>
-    <td>t,e</td>
-    <td>t,c(f?)</td>
-    <td>t,e</td>
-    <td>t,f</td>
-    <td>t,e</td>
-    <td>t,f</td>
-    <td>t,f</td>
-   </tr>
-    <tr>
-   <th bgcolor="#cccccc" rowspan="2">private</th>
-    <th bgcolor="#cccccc">no</th>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-   </tr>
-    <tr>
-    <th bgcolor="#cccccc">yes</th>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,f</td>
-    <td>t,e</td>
-    <td>t,f</td>
-    <td>t,e</td>
-    <td>t,f</td>
-    <td>t,e</td>
-    <td>t,f</td>
-    <td>t,f</td>
-   </tr>
-    <tr>
-   <th bgcolor="#cccccc" rowspan="2">block</th>
-    <th bgcolor="#cccccc">no</th>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-   </tr>
-    <tr>
-    <th bgcolor="#cccccc">yes</th>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-    <td>f</td>
-   </tr>
-         
-  </tbody>  
-</table>
-    <br>
-  &nbsp;   
-<table border="1" cols="2" nosave="">
-   <tbody>
-      <tr nosave="">
-   <th nosave="">legend</th>
-    <th>packet fate</th>
-   </tr>
-    <tr>
-   <td>c</td>
-    <td>clear</td>
-   </tr>
-    <tr>
-   <td>f</td>
-    <td>fail</td>
-   </tr>
-    <tr>
-   <td>e</td>
-    <td>encrypt</td>
-   </tr>
-    <tr>
-   <td>t</td>
-    <td>trap</td>
-   </tr>
-    <tr>
-      <td valign="Top">c,f<br>
-      </td>
-      <td valign="Top">first packet clear, then fail<br>
-      </td>
-    </tr>
-    <tr>
-      <td valign="Top">c,e<br>
-      </td>
-      <td valign="Top">first packet clear, then encrypt<br>
-      </td>
-    </tr>
-    <tr>
-      <td valign="Top">t,f<br>
-      </td>
-      <td valign="Top">trap, then fail<br>
-      </td>
-    </tr>
-    <tr>
-      <td valign="Top">t,c<br>
-      </td>
-      <td valign="Top">trap, then clear<br>
-      </td>
-    </tr>
-    <tr>
-      <td valign="Top">t,e<br>
-      </td>
-      <td valign="Top">trap, then encrypt<br>
-      </td>
-    </tr>
-         
-  </tbody>  
-</table>
-      
-</body>
-</html>
diff --git a/doc/src/policygroups.html b/doc/src/policygroups.html
deleted file mode 100644
index 0425ade39..000000000
--- a/doc/src/policygroups.html
+++ /dev/null
@@ -1,489 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>Configuring FreeS/WAN with policy groups</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, encryption, cryptography, FreeS/WAN, FreeSWAN">
-  <!--
-
-  Written by Claudia Schmeing for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: policygroups.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1>How to Configure Linux FreeS/WAN with Policy Groups</h1>
-
-
-<A NAME="policygroups"></A>
-
-<H2>What are Policy Groups?</H2>
-
-
-<P><STRONG>Policy Groups</STRONG> are an elegant general mechanism 
-to configure FreeS/WAN. They are useful for
-many FreeS/WAN users.</P>
-
-<P>In previous FreeS/WAN versions, you needed to configure each IPsec 
-connection explicitly, on both local and remote hosts.
- This could become complex.</P>
-
-<P>By contrast, Policy Groups allow you to set local IPsec policy
-for lists of remote hosts and networks,
-simply by listing the hosts and networks which you wish to 
-have special treatment in one of several Policy Group files.
-FreeS/WAN then internally creates the connections 
-needed to implement each policy.</P>
-
-<P>In the next section we describe our five Base Policy Groups, which
-you can use to configure IPsec in many useful ways. Later, we will 
-show you how to create an IPsec VPN using one line of configuration for 
-each remote host or network.</P>
-
-
-<A NAME="builtin_policygroups"></A><H3>Built-In Security Options</H3>
-
-<P>FreeS/WAN offers these Base Policy Groups:</P>
-
-<DL>
-
-<DT>private</DT>
-
-<DD>
-FreeS/WAN only communicates privately with the listed 
-<A HREF="glossary.html#CIDR">CIDR</A> blocks.
-If needed, FreeS/WAN attempts to create a connection opportunistically.
-If this fails, FreeS/WAN blocks communication.
-Inbound blocking is assumed to be done by the firewall. FreeS/WAN offers 
-firewall hooks but no modern firewall rules to help with inbound blocking.
-
-</DD>
-
-<DT>private-or-clear</DT>
-<DD>
-
-FreeS/WAN prefers private communication with the listed CIDR blocks.
-If needed, FreeS/WAN attempts to create a connection opportunistically.
-If this fails, FreeS/WAN allows traffic in the clear.
-
-</DD>
-
-<DT>clear-or-private</DT>
-
-<DD>
-FreeS/WAN communicates cleartext with the listed CIDR blocks, but
-also accepts inbound OE connection requests from them.
-Also known as <A HREF="glossary.html#passive.OE">passive OE (pOE)</A>, 
-this policy may be used to create an 
-<A HREF="glossary.html#responder">opportunistic responder</A>.
-</DD>
-
-<DT>clear</DT>
-<DD>
-FreeS/WAN only communicates cleartext with the listed CIDR blocks.
-</DD>
-
-<DT>block</DT>
-<DD>FreeS/WAN blocks traffic to and from and the listed CIDR blocks.
-Inbound blocking is assumed to be done by the firewall. FreeS/WAN offers 
-firewall hooks but no modern firewall rules to help with inbound blocking.
-<!-- also called "blockdrop".-->
-
-</DD>
-
-</DL>
-
-<A NAME="policy.group.notes"></A><P>Notes:</P>
-
-<UL>
-<LI>Base Policy Groups apply to communication with this host only.</LI>
-<LI>The most specific rule (whether policy or pre-configured connection) 
-applies.
-This has several practical applications:
-<UL>
-<LI>If CIDR blocks overlap, FreeS/WAN chooses 
-the most specific applicable block.</LI>
-<LI>This decision also takes into account any pre-configured connections
-you may have.</LI>
-<LI>If the most specific connection is a pre-configured connection,
-the following procedure applies. If that connection is up, it will be
-used. If it is routed, it will be brought up. If it is added, 
-no action will be taken.</LI>
-</UL>
-<LI>Base Policy Groups are created using built-in connections.
-Details in 
-<A HREF="manpage.d/ipsec.conf.5.html">man ipsec.conf</A>.</LI>
-<LI>All Policy Groups are bidirectional. 
-<A HREF="src/policy-groups-table.html">This chart</A> shows some technical 
-details.
-FreeS/WAN does not support one-way encryption, since it can give users
-a false sense of security.</LI>
-</UL>
-
-
-<H2>Using Policy Groups</H2>
-
-<P>The Base Policy Groups which build IPsec connections rely on Opportunistic
-Encryption. To use the following examples, you 
-must first become OE-capable, as described 
-in our <A HREF="quickstart.html#quickstart">quickstart guide</A>.
-
-<A NAME="example1"></A><H3>Example 1: Using a Base Policy Group</H3>
-
-<P>Simply place CIDR blocks (<A HREF="#dnswarning">names</A>, 
-IPs or IP ranges) in /etc/ipsec.d/policies/<VAR>[groupname]</VAR>, 
-and reread the policy group files.</P> 
-
-<P>For example, the <VAR>private-or-clear</VAR> policy tells 
-FreeS/WAN to prefer encrypted communication to the listed CIDR blocks.
-Failing that, it allows talk in the clear.</P>
-
-<P>To make this your default policy, place
-<A HREF="glossary.html#fullnet">fullnet</A>
-in the <VAR>private-or-clear</VAR> policy group file:</P>
-
-<PRE>    [root@xy root]# cat /etc/ipsec.d/policies/private-or-clear
-    # This file defines the set of CIDRs (network/mask-length) to which
-    # communication should be private, if possible, but in the clear otherwise.
-    ....
-    0.0.0.0/0</PRE>
-
-<P>and reload your policies with</P>
-
-<PRE>    ipsec auto --rereadgroups</PRE>
-
-<P>Use <A HREF="quickstart.html#opp.test">this test</A> to verify 
-opportunistic connections.</P>
-
-
-
-<A NAME="example2"></A><H3>Example 2: Defining IPsec Security Policy 
-with Groups</H3>
-
-<P>Defining IPsec security policy with Base Policy Groups is like creating
-a shopping list: just put CIDR blocks in the appropriate group files. 
-For example:</P>
-
-
-<PRE>    [root@xy root]# cd /etc/ipsec.d/policies
-    [root@xy policies]# cat private
-        192.0.2.96/27              # The finance department
-        192.0.2.192/29             # HR
-	192.0.2.12                 # HR gateway
-        irc.private.example.com    # Private IRC server
-  
-    [root@xy policies]# cat private-or-clear
-        0.0.0.0/0                  # My default policy: try to encrypt.
-
-    [root@xy policies]# cat clear
-        192.0.2.18/32              # My POP3 server
-        192.0.2.19/32              # My Web proxy
-
-    [root@xy policies]# cat block
-        spamsource.example.com</PRE>
-
-<P>To make these settings take effect, type:</P>
-<PRE>    ipsec auto --rereadgroups</PRE>
-
-
-<P>Notes:</P>
-<UL>
-<LI>For opportunistic connection attempts to succeed, all participating
-FreeS/WAN hosts and gateways must be configured for OE.</LI>
-<LI>Examples 3 through 5 show how to implement a detailed <VAR>private</VAR>
-policy.</LI>
-<LI>
-<A NAME="dnswarning"></A>
-<FONT COLOR=RED>Warning:</FONT> Using DNS names in policy files and ipsec.conf 
-can be tricky. If the name does not resolve, the policy will not be 
-implemented for that name.
-It is therefore safer either to use IPs, or to put any critical names 
-in /etc/hosts.
-We plan to implement periodic DNS retry to help with this.
-<BR>
-Names are resolved at FreeS/WAN startup, or when the policies are reloaded.
-Unfortunately, name lookup can hold up the startup process. 
-If you have fast DNS servers, the problem may be less severe.
-</LI>
-</UL>
-
-
-<A HREF="example3"></A><H3>Example 3: Creating a Simple IPsec VPN with the 
-<VAR>private</VAR> Group</H3>
-
-
-<P>You can create an IPsec VPN between several hosts, with
-only one line of configuration per host, using the <VAR>private</VAR>
-policy group.</P>
-
-<P>First, use our <A HREF="quickstart.html">quickstart 
-guide</A> to set up each participating host
-with a FreeS/WAN install and OE.</P>
-
-<P>In one host's <VAR>/etc/ipsec.d/policies/private</VAR>, 
-list the peers to which you wish to protect traffic.
-For example:</P>
-
-<PRE>    [root@xy root]# cd /etc/ipsec.d/policies
-    [root@xy policies]# cat private
-        192.0.2.9              # several hosts at example.com
-        192.0.2.11             
-        192.0.2.12                 
-        irc.private.example.com 
-</PRE>
-
-<P>Copy the <VAR>private</VAR> file to each host. Remove the local host, and 
-add the initial host.</P>
-
-<PRE>    scp2 /etc/ipsec.d/policies/private root@192.0.2.12:/etc/ipsec.d/policies/private</PRE>
-
-<P>On each host, reread the policy groups with</P>
-
-<PRE>    ipsec auto --rereadgroups</PRE>
-
-
-<P>That's it! You're configured.</P>
-
-<P>Test by pinging between two hosts. After a second or two, 
-traffic should flow, and</P>
-
-<PRE>    ipsec eroute</PRE>
-
-<P>should yield something like</P>
-
-<PRE>    192.0.2.11/32   -> 192.0.2.8/32  => tun0x149f@192.0.2.8</PRE>
-
-<P>where your host IPs are substituted for 192.0.2.11 and 192.0.2.8.</P>
-
-<P>If traffic does not flow, there may be an error in your OE setup. 
-Revisit our <A HREF="quickstart.html">quickstart guide</A>.</P>
-
-
-<P>Our next two examples show you how to add subnets to this IPsec VPN.</P>
-
-
-<A NAME="example4"></A><H3>Example 4: New Policy Groups to Protect a
-Subnet</H3>
-
-<P>To protect traffic to a subnet behind your FreeS/WAN gateway, 
-you'll need additional DNS records, and new policy groups.
-To set up the DNS, see our <A HREF="quickstart.html#opp.gate">quickstart
-guide</A>. To create five new policy groups for your subnet, 
-copy these connections to <VAR>/etc/ipsec.conf</VAR>. 
-Substitute your subnet's IPs for 192.0.2.128/29.</P>
-
-<PRE>
-conn private-net
-    also=private  # inherits settings (eg. auto=start) from built in conn
-    leftsubnet=192.0.2.128/29  # your subnet's IPs here
-
-conn private-or-clear-net
-    also=private-or-clear
-    leftsubnet=192.0.2.128/29
-
-conn clear-or-private-net
-    also=clear-or-private
-    leftsubnet=192.0.2.128/29
-
-conn clear-net
-    also=clear
-    leftsubnet=192.0.2.128/29
-
-conn block-net
-    also=block
-    leftsubnet=192.0.2.128/29
-</PRE>
-
-<P>Copy the gateway's files to serve as the initial policy group files for the
-new groups:</P>
-
-<PRE>
-    cp -p /etc/ipsec.d/policies/private /etc/ipsec.d/policies/private-net
-    cp -p /etc/ipsec.d/policies/private-or-clear /etc/ipsec.d/policies/private-or-clear-net
-    cp -p /etc/ipsec.d/policies/clear-or-private /etc/ipsec.d/policies/clear-or-private-net
-    cp -p /etc/ipsec.d/policies/clear /etc/ipsec.d/policies/clear-net
-    cp -p /etc/ipsec.d/policies/block /etc/ipsec.d/policies/block
-</PRE>
-
-<P><STRONG>Tip: Since a missing policy group file is equivalent to a file with 
-no entries, you need only create files for the connections 
-you'll use.</STRONG></P>
-
-<P>To test one of your new groups, place the fullnet 0.0.0.0/0 in 
-<VAR>private-or-clear-net</VAR>. 
-Perform the subnet test in
-<A HREF="quickstart.html#opp.test">our quickstart guide</A>. You should
-see a connection, and</P>
-
-<PRE>    ipsec eroute</PRE>
-
-<P>should include an entry which mentions the subnet node's IP and the 
-OE test site IP, like this:</P>
-
-<PRE>    192.0.2.131/32   -> 192.139.46.77/32  => tun0x149f@192.0.2.11</PRE>
-
-
-<A HREF="example5"></A><H3>Example 5: Adding a Subnet to the VPN</H3>
-
-<P>Suppose you wish to secure traffic to a subnet 192.0.2.192/29
-behind a FreeS/WAN box 192.0.2.12.</P>
-
-<P>First, add DNS entries to configure 192.0.2.12 as an opportunistic 
-gateway for that subnet. Instructions are in
- our <A HREF="quickstart.html#opp.gate">quickstart guide</A>.
-Next, create a <VAR>private-net</VAR> group on 192.0.2.12 as described in 
-<A HREF="#example4">Example 4</A>.
-</P>
-
-<P>On each other host, add the subnet 192.0.2.192/29 to <VAR>private</VAR>,
-yielding for example</P>
-
-<PRE>    [root@xy root]# cd /etc/ipsec.d/policies
-    [root@xy policies]# cat private
-        192.0.2.9              # several hosts at example.com
-        192.0.2.11
-        192.0.2.12             # HR department gateway
-        192.0.2.192/29         # HR subnet
-        irc.private.example.com
-</PRE>
-
-
-<P>and reread policy groups with </P>
-
-<PRE>    ipsec auto --rereadgroups</PRE>
-
-<P>That's all the configuration you need.</P>
-
-<P>Test your VPN by pinging from a machine on 192.0.2.192/29 to any other host:
-</P>
-
-<PRE>    [root@192.0.2.194]# ping 192.0.2.11</PRE>
-
-
-<P>After a second or two, traffic should flow, and</P>
-
-<PRE>    ipsec eroute</PRE>
-
-<P>should yield something like</P>
-
-<PRE>    192.0.2.11/32   -> 192.0.2.194/32  => tun0x149f@192.0.2.12
-</PRE>
-
-<P>Key:</P>
-<TABLE>
-<TR><TD>1.</TD>
-    <TD>192.0.2.11/32</TD>
-    <TD>Local start point of the protected traffic.
-    </TD></TR>
-<TR><TD>2.</TD>
-    <TD>192.0.2.194/32</TD>
-    <TD>Remote end point of the protected traffic.
-    </TD></TR>
-<TR><TD>3.</TD>
-    <TD>192.0.2.12</TD>
-    <TD>Remote FreeS/WAN node (gateway or host).
-	May be the same as (2).
-   </TD></TR>
-<TR><TD>4.</TD>
-    <TD>[not shown]</TD>
-    <TD>Local FreeS/WAN node (gateway or host),
-	where you've produced the output.
-	May be the same as (1).
-   </TD></TR>
-</TABLE>
-
-<P>For additional assurance, you can verify with a packet sniffer 
-that the traffic is being encrypted.</P>
-
-
-<P>Note</P>
-<UL>
-<LI>Because strangers may also connect via OE, 
-this type of VPN may require a stricter firewalling policy than a 
-conventional VPN.</LI></UL>
-
-
-
-<H2>Appendix</H2>
-
-<A NAME="hiddenconn"></A><H3>Our Hidden Connections</H3>
-
-
-<P>Our Base Policy Groups are created using hidden connections.
-These are spelled out in 
-<A HREF="manpage.d/ipsec.conf.5.html">man ipsec.conf</A>
- and defined in <VAR>/usr/local/lib/ipsec/_confread</VAR>.
-</P>
-
-
-<A NAME="custom_policygroups"></A><H3>Custom Policy Groups</H3>
-
-<P>A policy group is built using a special connection description
-in <VAR>ipsec.conf</VAR>, which:</P>
-
-<UL>
-<LI>is <STRONG>generic</STRONG>. It uses 
-<VAR>right=[%group|%opportunisticgroup]</VAR> rather than specific IPs. 
-The connection is cloned for every name or IP range listed in its Policy Group
-file.</LI>
-<LI>often has a <STRONG>failure rule</STRONG>. This rule, written
-<VAR>failureshunt=[passthrough|drop|reject|none]</VAR>, tells FreeS/WAN 
-what to do with packets for these CIDRs if it fails to establish the connection.
-Default is <VAR>none</VAR>.
-</LI>
-</UL>
-
-<P>To create a new group:</P>
-<OL>
-<LI>Create its connection definition in <VAR>ipsec.conf</VAR>.</LI>
-<LI>Create a Policy Group file in <VAR>/etc/ipsec.d/policies</VAR> 
-with the same name as your connection.
-</LI>
-<LI>Put a CIDR block in that file.</LI>
-<LI>Reread groups with <VAR>ipsec auto --rereadgroups</VAR>.</LI>
-<LI>Test: <VAR>ping</VAR> to activate any OE connection, and view
-results with <VAR>ipsec eroute</VAR>.</LI>
-</OL>
-
-<A NAME="disable_oe"></A>
-<A NAME="disable_policygroups"></A><H3>Disabling Opportunistic Encryption</H3>
-
-<P>To disable OE (eg. policy groups and packetdefault), cut and paste the following lines 
-to <VAR>/etc/ipsec.conf</VAR>:</P>
-
-<PRE>conn block
-    auto=ignore
-
-conn private
-    auto=ignore
-
-conn private-or-clear
-    auto=ignore
-
-conn clear-or-private
-    auto=ignore
-
-conn clear
-    auto=ignore
-
-conn packetdefault
-    auto=ignore</PRE>
-
-<P>Restart FreeS/WAN so that the changes take effect:</P>
-
-<PRE>    ipsec setup restart</PRE>
-
-</body>
-</html>
-
-
diff --git a/doc/src/politics.html b/doc/src/politics.html
deleted file mode 100644
index 9e87d4f05..000000000
--- a/doc/src/politics.html
+++ /dev/null
@@ -1,1466 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>History and politics of cryptography</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, cryptography, history, politics">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: politics.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="politics">History and politics of cryptography</a></h1>
-
-<p>Cryptography has a long and interesting history, and has been the subject
-of considerable political controversy.</p>
-
-<h2><a name="intro.politics">Introduction</a></h2>
-
-<h3>History</h3>
-
-<p>The classic book on the history of cryptography is David Kahn's <a
-href="biblio.html#Kahn">The Codebreakers</a>. It traces codes and
-codebreaking from ancient Egypt to the 20th century.</p>
-
-<p>Diffie and Landau <a href="biblio.html#diffie">Privacy on the Line: The
-Politics of Wiretapping and Encryption</a> covers the history from the First
-World War to the 1990s, with an emphasis on the US.</p>
-
-<h4>World War II</h4>
-
-<p>During the Second World War, the British "Ultra" project achieved one of
-the greatest intelligence triumphs in the history of warfare, breaking many
-Axis codes. One major target was the Enigma cipher machine, a German device
-whose users were convinced it was unbreakable. The American "Magic" project
-had some similar triumphs against Japanese codes.</p>
-
-<p>There are many books on this period. See our bibliography for several. Two
-I particularly like are:</p>
-<ul>
-  <li>Andrew Hodges has done a superb <a
-    href="http://www.turing.org.uk/book/">biography</a> of Alan Turing, a key
-    player among the Ultra codebreakers. Turing was also an important
-    computer pioneer. The terms <a
-    href="http://www.abelard.org/turpap/turpap.htm">Turing test</a> and <a
-    href="http://plato.stanford.edu/entries/turing-machine/">Turing
-    machine</a> are named for him, as is the <a
-    href="http://www.acm.org">ACM</a>'s highest technical <a
-    href="http://www.acm.org/awards/taward.html">award</a>.</li>
-  <li>Neal Stephenson's <a href="biblio.html#neal">Cryptonomicon</a> is a
-    novel with cryptography central to the plot. Parts of it take place
-    during WW II, other parts today.</li>
-</ul>
-
-<p>Bletchley Park, where much of the Ultra work was done, now has a museum
-and a <a href="http://www.bletchleypark.org.uk/">web site</a>.</p>
-
-<p>The Ultra work introduced three major innovations.</p>
-<ul>
-  <li>The first break of Enigma was achieved by Polish Intelligence in 1931.
-    Until then most code-breakers had been linguists, but a different
-    approach was needed to break machine ciphers. Polish Intelligence
-    recruited bright young mathematicians to crack the "unbreakable" Enigma.
-    When war came in 1939, the Poles told their allies about this, putting
-    Britain on the road to Ultra. The British also adopted a mathematical
-    approach.</li>
-  <li>Machines were extensively used in the attacks. First the Polish "Bombe"
-    for attacking Enigma, then British versions of it, then machines such as
-    Collosus for attacking other codes. By the end of the war, some of these
-    machines were beginning to closely resemble digital computers. After the
-    war, a team at Manchester University, several old Ultra hands included,
-    built one of the world's first actual general-purpose digital
-  computers.</li>
-  <li>Ultra made codebreaking a large-scale enterprise, producing
-    intelligence on an industrial scale. This was not a "black chamber", not
-    a hidden room in some obscure government building with a small crew of
-    code-breakers. The whole operation -- from wholesale interception of
-    enemy communications by stations around the world, through large-scale
-    code-breaking and analysis of the decrypted material (with an enormous
-    set of files for cross-referencing), to delivery of intelligence to field
-    commanders -- was huge, and very carefully managed.</li>
-</ul>
-
-<p>So by the end of the war, Allied code-breakers were expert at large-scale
-mechanised code-breaking. The payoffs were enormous.</p>
-
-<h4><a name="postwar">Postwar and Cold War</a></h4>
-
-<p>The wartime innovations were enthusiastically adopted by post-war and Cold
-War signals intelligence agencies. Presumably many nations now have some
-agency capable of sophisticated attacks on communications security, and quite
-a few engage in such activity on a large scale.</p>
-
-<p>America's <a href="glossary.html#NSA">NSA</a>, for example, is said to be
-both the world's largest employer of mathematicians and the world's largest
-purchaser of computer equipment. Such claims may be somewhat exaggerated, but
-beyond doubt the NSA -- and similar agencies in other countries -- have some
-excellent mathematicians, lots of powerful computers, sophisticated software,
-and the organisation and funding to apply them on a large scale. Details of
-the NSA budget are secret, but there are some published <a
-href="http://www.fas.org/irp/nsa/nsabudget.html">estimates</a>.</p>
-
-<p>Changes in the world's communications systems since WW II have provided
-these agencies with new targets. Cracking the codes used on an enemy's
-military or diplomatic communications has been common practice for centuries.
-Extensive use of radio in war made large-scale attacks such as Ultra
-possible. Modern communications make it possible to go far beyond that.
-Consider listening in on cell phones, or intercepting electronic mail, or
-tapping into the huge volumes of data on new media such as fiber optics or
-satellite links. None of these targets existed in 1950. All of them can be
-attacked today, and almost certainly are being attacked.</p>
-
-<p>The Ultra story was not made public until the 1970s. Much of the recent
-history of codes and code-breaking has not been made public, and some of it
-may never be. Two important books are:</p>
-<ul>
-  <li>Bamford's <a href="biblio.html#puzzle">The Puzzle Palace</a>, a history
-    of the NSA</li>
-  <li>Hager's <a href="http://www.fas.org/irp/eprint/sp/index.html">Secret
-    Power</a>, about the <a
-    href="http://sg.yahoo.com/government/intelligence/echelon_network/">Echelon</a>
-    system -- the US, UK, Canada, Australia and New Zealand co-operating to
-    monitor much of the world's communications.</li>
-</ul>
-
-<p>Note that these books cover only part of what is actually going on, and
-then only the activities of nations open and democratic enough that (some of)
-what they are doing can be discovered. A full picture, including:</p>
-<ul>
-  <li>actions of the English-speaking democracies not covered in those
-  books</li>
-  <li>actions of other more-or-less sane governments</li>
-  <li>the activities of various more-or-less insane governments</li>
-  <li>possibilities for unauthorized action by government employees</li>
-  <li>possible actions by large non-government organisations: corporations,
-    criminals, or conspiracies</li>
-</ul>
-
-<p>might be really frightening.</p>
-
-<h4><a name="recent">Recent history -- the crypto wars</a></h4>
-
-<p>Until quite recently, cryptography was primarily a concern of governments,
-especially of the military, of spies, and of diplomats. Much of it was
-extremely secret.</p>
-
-<p>In recent years, that has changed a great deal. With computers and
-networking becoming ubiquitous, cryptography is now important to almost
-everyone. Among the developments since the 1970s:</p>
-<ul>
-  <li>The US gov't established the Data Encryption Standard, <a
-    href="glossary.html#DES">DES</a>, a <a href="glossary.html#block">block
-    cipher</a> for cryptographic protection of unclassfied documents.</li>
-  <li>DES also became widely used in industry, especially regulated
-    industries such as banking.</li>
-  <li>Other nations produced their own standards, such as <a
-    href="glossary.html#GOST">GOST</a> in the Soviet Union.</li>
-  <li><a href="glossary.html#public">Public key</a> cryptography was invented
-    by Diffie and Hellman.</li>
-  <li>Academic conferences such as <a
-    href="http://www-cse.ucsd.edu/users/mihir/crypto2k.html">Crypto</a> and
-    <a
-    href="http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/">Eurocrypt</a>
-    began.</li>
-  <li>Several companies began offerring cryptographic products: <a
-    href="glossary.html#RSAco">RSA</a>, <a href="glossary.html#PGPI">PGP</a>,
-    the many vendors with <a href="glossary.html#PKI">PKI</a> products,
-  ...</li>
-  <li>Cryptography appeared in other products: operating systems, word
-    processors, ...</li>
-  <li>Network protocols based on crypto were developed:  <a
-    href="glossary.html#SSH">SSH</a>, <a href="glossary.html#SSL">SSL</a>, <a
-    href="glossary.html#IPsec">IPsec</a>, ...</li>
-  <li>Crytography came into widespread use to secure bank cards, terminals,
-    ...</li>
-  <li>The US government replaced <a href="glossary.html#DES">DES</a> with the
-    much stronger Advanced Encryption Standard, <a
-    href="glossary.html#AES">AES</a></li>
-</ul>
-
-<p>This has led to a complex ongoing battle between various mainly government
-groups wanting to control the spread of crypto and various others, notably
-the computer industry and the <a
-href="http://online.offshore.com.ai/security/">cypherpunk</a> crypto
-advocates, wanting to encourage widespread use.</p>
-
-<p>Steven Levy has written a fine history of much of this, called <a
-href="biblio.html#crypto">Crypto: How the Code rebels Beat the Government --
-Saving Privacy in the Digital Age</a>.</p>
-
-<p>The FreeS/WAN project is to a large extent an outgrowth of cypherpunk
-ideas. Our reasons for doing the project can be seen in these quotes from the
-<a
-href="http://www.eff.org/pub/Privacy/Crypto_misc/cypherpunk.manifesto">Cypherpunk
-Manifesto</a>:</p>
-
-<blockquote>
-  Privacy is necessary for an open society in the electronic age. ...
-
-  <p>We cannot expect governments, corporations, or other large, faceless
-  organizations to grant us privacy out of their beneficence.  It is to their
-  advantage to speak of us, and  we should expect that they will speak.
-  ...</p>
-
-  <p>We must defend our own privacy if we expect to have any. ...</p>
-
-  <p>Cypherpunks write code.  We know that someone has to write software to
-  defend privacy, and since we can't get privacy unless we all do, we're
-  going to write it. We publish our code so that our fellow Cypherpunks may
-  practice and play with it. Our code is free for all to use, worldwide.  We
-  don't much care if you don't approve of the software we write.  We know
-  that software can't be destroyed and that a widely dispersed system can't
-  be shut down.</p>
-
-  <p>Cypherpunks deplore regulations on cryptography, for encryption is
-  fundamentally a private act. ...</p>
-
-  <p>For privacy to be widespread it must be part of a social contract.
-  People must come and together deploy these systems for the common good.
-  ...</p>
-</blockquote>
-
-<p>To quote project leader John Gilmore:</p>
-
-<blockquote>
-  We are literally in a race between our ability to build and deploy
-  technology, and their ability to build and deploy laws and treaties.
-  Neither side is likely to back down or wise up until it has definitively
-  lost the race.</blockquote>
-
-<p>If FreeS/WAN reaches its goal of making <a
-href="intro.html#opp.intro">opportunistic encryption</a> widespread so that
-secure communication can become the default for a large part of the net, we
-will have struck a major blow.</p>
-
-<h3><a name="intro.poli">Politics</a></h3>
-
-<p>The political problem is that nearly all governments want to monitor their
-enemies' communications, and some want to monitor their citizens. They may be
-very interested in protecting some of their own communications, and often
-some types of business communication, but not in having everyone able to
-communicate securely. They therefore attempt to restrict availability of
-strong cryptography as much as possible.</p>
-
-<p>Things various governments have tried or are trying include:</p>
-<ul>
-  <li>Echelon, a monitor-the-world project of the US, UK, NZ, Australian and
-    Canadian <a href="glossary.html#SIGINT">signals intelligence</a>
-    agencies. See this <a
-    href="http://sg.yahoo.com/government/intelligence/echelon_network/">collection</a>
-    of links and this <a
-    href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640682,00.html">story</a>
-    on the French Parliament's reaction.</li>
-  <li>Others governments may well have their own Echelon-like projects. To
-    quote the Dutch Minister of Defense, as reported in a German <a
-    href="http://www.heise.de/tp/english/inhalt/te/4729/1.html">magazine</a>:
-
-    <blockquote>
-      The government believes not only the governments associated with
-      Echelon are able to intercept communication systems, but that it is an
-      activity of the investigative authorities and intelligence services of
-      many countries with governments of different political
-    signature.</blockquote>
-    Even if they have nothing on the scale of Echelon, most intelligence
-    agencies and police forces certainly have some interception
-  capability.</li>
-  <li><a href="glossary.html#NSA">NSA</a> tapping of submarine communication
-    cables, described in <a
-    href="http://www.zdnet.com/zdnn/stories/news/0,4586,2764372,00.html">this
-    article</a></li>
-  <li>A proposal for international co-operation on <a
-    href="http://www.heise.de/tp/english/special/enfo/4306/1.html">Internet
-    surveillance</a>.</li>
-  <li>Alleged <a href="http://cryptome.org/nsa-sabotage.htm">sabotage</a> of
-    security products by the <a href="glossary.html#NSA">NSA</a> (the US
-    signals intelligence agency).</li>
-  <li>The German armed forces and some government departments will stop using
-    American software for fear of NSA "back doors", according to this <a
-    href="http://www.theregister.co.uk/content/4/17679.html">news
-  story</a>.</li>
-  <li>The British Regulation of Investigatory Powers bill. See this <a
-    href="http://www.fipr.org/rip/index.html">web page.</a> and perhaps this
-    <a
-    href="http://ars.userfriendly.org/cartoons/?id=20000806&amp;mode=classic">cartoon</a>.</li>
-  <li>A Russian <a
-    href="http://www.eff.org/pub/Privacy/Foreign_and_local/Russia/russian_crypto_ban_english.edict">ban</a>
-    on cryptography</li>
-  <li>Chinese <a
-    href="http://www.eff.org/pub/Misc/Publications/Declan_McCullagh/www/global/china">controls</a>
-    on net use.</li>
-  <li>The FBI's carnivore system for covert searches of email. See this <a
-    href="http://www.zdnet.com/zdnn/stories/news/0,4586,2601502,00.html">news
-    coverage</a> and this <a
-    href="http://www.crypto.com/papers/carnivore-risks.html">risk
-    assessment</a>. The government had an external review of some aspects of
-    this system done. See this <a
-    href="http://www.crypto.com/papers/carnivore_report_comments.html">analysis</a>
-    of that review. Possible defenses against Carnivore include:
-    <ul>
-      <li><a href="glossary.html#PGP">PGP</a> for end-to-end mail
-      encryption</li>
-      <li><a href="http://www.home.aone.net.au/qualcomm/">secure sendmail</a>
-        for server-to-server encryption</li>
-      <li>IPsec encryption on the underlying IP network</li>
-    </ul>
-  </li>
-  <li>export laws restricting strong cryptography as a munition. See <a
-    href="#exlaw">discussion</a> below.</li>
-  <li>various attempts to convince people that fundamentally flawed
-    cryptography, such as encryption with a <a href="#escrow">back door</a>
-    for government access to data or with <a href="#shortkeys">inadequate key
-    lengths</a>, was adequate for their needs.</li>
-</ul>
-
-<p>Of course governments are by no means the only threat to privacy and
-security on the net. Other threats include:</p>
-<ul>
-  <li>industrial espionage, as for example in this <a
-    href="http://www.zdnet.com/zdnn/stories/news/0,4586,2626931,00.html">news
-    story</a></li>
-  <li>attacks by organised criminals, as in this <a
-    href="http://www.sans.org/newlook/alerts/NTE-bank.htm">large-scale
-    attack</a></li>
-  <li>collection of personal data by various companies.
-    <ul>
-      <li>for example, consider the various corporate winners of Privacy
-        International's <a
-        href="http://www.privacyinternational.org/bigbrother/">Big Brother
-        Awards</a>.</li>
-      <li><a href="http://www.zeroknowledge.com">Zero Knowledge</a> sell
-        tools to defend against this</li>
-    </ul>
-  </li>
-  <li>individuals may also be a threat in a variety of ways and for a variety
-    of reasons</li>
-  <li>in particular, an individual with access to government or industry data
-    collections could do considerable damage using that data in unauthorized
-    ways.</li>
-</ul>
-
-<p>One <a
-href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640674,00.html">study</a>
-enumerates threats and possible responses for small and medium businesses.
-VPNs are a key part of the suggested strategy.</p>
-
-<p>We consider privacy a human right. See the UN's <a href="http://www.un.org/Overview/rights.html">Universal
-Declaration of Human Rights</a>, article twelve:</p>
-
-<blockquote>
-  No one shall be subjected to arbitrary interference with his privacy,
-  family, home or correspondence, nor to attacks upon his honor and
-  reputation. Everyone has the right to the protection of the law against
-  such interference or attacks.</blockquote>
-
-<p>Our objective is to help make privacy possible on the Internet using
-cryptography strong enough not even those well-funded government agencies are
-likely to break it. If we can do that, the chances of anyone else breaking it
-are negliible.</p>
-
-<h3>Links</h3>
-
-<p>Many groups are working in different ways to defend privacy on the net and
-elsewhere. Please consider contributing to one or more of these groups:</p>
-<ul>
-  <li>the EFF's <a href="http://www.eff.org/crypto/">Privacy Now!</a>
-  campaign</li>
-  <li>the <a href="http://www.gilc.org">Global Internet Liberty
-  Campaign</a></li>
-  <li><a href="http://www.cpsr.org/program/privacy/privacy.html">Computer
-    Professionals for Social Responsibility</a></li>
-</ul>
-
-<p>For more on these issues see:</p>
-<ul>
-  <li>Steven Levy (Newsweek's chief technology writer and author of the
-    classic "Hackers") new book <a href="biblio.html#crypto">Crypto: How the
-    Code Rebels Beat the Government--Saving Privacy in the Digital
-  Age</a></li>
-  <li>Simson Garfinkel (Boston Globe columnist and author of books on <a
-    href="biblio.html#PGP">PGP</a> and <a href="biblio.html#practical">Unix
-    Security</a>) book <a href="biblio.html#Garfinkel">Database Nation: the
-    death of privacy in the 21st century</a></li>
-</ul>
-
-<p>There are several collections of <a href="web.html#quotes">crypto
-quotes</a> on the net.</p>
-
-<p>See also the <a href="biblio.html">bibliography</a> and our list of <a
-href="web.html#policy">web references</a> on cryptography law and policy.</p>
-
-<h3>Outline of this section</h3>
-
-<p>The remainder of this section includes two pieces of writing by our
-project leader</p>
-<ul>
-  <li>his <a href="#gilmore">rationale</a> for starting this</li>
-  <li>another <a href="#policestate">discussion</a> of project goals</li>
-</ul>
-
-<p>and discussions of:</p>
-<ul>
-  <li><a href="#desnotsecure">why we do not use DES</a></li>
-  <li><a href="#exlaw">cryptography export laws</a></li>
-  <li>why <a href="#escrow">government access to keys</a> is not a good
-  idea</li>
-  <li>the myth that <a href="#shortkeys">short keys</a> are adequate for some
-    security requirements</li>
-</ul>
-
-<p>and a section on <a href="#press">press coverage of FreeS/WAN</a>.</p>
-
-<h2><a name="leader">From our project leader</a></h2>
-
-<p>FreeS/WAN project founder John Gilmore wrote a web page about why we are
-doing this. The version below is slightly edited, to fit this format and to
-update some links. For a version without these edits, see his <a
-href="http://www.toad.com/gnu/">home page</a>.</p>
-
-<center>
-<h3><a name="gilmore">Swan: Securing the Internet against Wiretapping</a></h3>
-</center>
-
-<p>My project for 1996 was to <b>secure 5% of the Internet traffic against
-passive wiretapping</b>. It didn't happen in 1996, so I'm still working on it
-in 1997, 1998, and 1999! If we get 5% in 1999 or 2000, we can secure 20% the
-next year, against both active and passive attacks; and 80% the following
-year.  Soon the whole Internet will be private and secure. The project is
-called S/WAN or S/Wan or Swan for Secure Wide Area Network; since it's free
-software, we call it FreeSwan to distinguish it from various commercial
-implementations. <a href="http://www.rsa.com/rsa/SWAN/">RSA</a> came up with
-the term "S/WAN". Our main web site is at <a
-href="http://www.freeswan.org/">http://www.freeswan.org/</a>. Want to
-help?</p>
-
-<p>The idea is to deploy PC-based boxes that will sit between your local area
-network and the Internet (near your firewall or router) which
-opportunistically encrypt your Internet packets.  Whenever you talk to a
-machine (like a Web site) that doesn't support encryption, your traffic goes
-out "in the clear" as usual.  Whenever you connect to a machine that does
-support this kind of encryption, this box automatically encrypts all your
-packets, and decrypts the ones that come in.  In effect, each packet gets put
-into an "envelope" on one side of the net, and removed from the envelope when
-it reaches its destination.  This works for all kinds of Internet traffic,
-including Web access, Telnet, FTP, email, IRC, Usenet, etc.</p>
-
-<p>The encryption boxes are standard PC's that use freely available Linux
-software that you can download over the Internet or install from a cheap
-CDROM.</p>
-
-<p>This wasn't just my idea; lots of people have been working on it for
-years. The encryption protocols for these boxes are called <a
-href="glossary.html#IPsec">IPSEC (IP Security)</a>. They have been developed
-by the <a
-href="http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html">IP
-Security Working Group</a> of the <a href="http://www.ietf.org/">Internet
-Engineering Task Force</a>, and will be a standard part of the next major
-version of the Internet protocols (<a
-href="http://playground.sun.com/pub/ipng/html/ipng-main.html">IPv6</a>). For
-today's (IP version 4) Internet, they are an option.</p>
-
-<p>The <a href="http://www.iab.org/iab">Internet Architecture Board</a> and
-<a href="http://www.ietf.org/">Internet Engineering Steering Group</a> have
-taken a <a href="iab-iesg.stmt">strong stand</a> that the Internet should use
-powerful encryption to provide security and privacy.  I think these protocols
-are the best chance to do that, because they can be deployed very easily,
-without changing your hardware or software or retraining your users. They
-offer the best security we know how to build, using the Triple-DES, RSA, and
-Diffie-Hellman algorithms.</p>
-
-<p>This "opportunistic encryption box" offers the "fax effect".  As each
-person installs one for their own use, it becomes more valuable for their
-neighbors to install one too, because there's one more person to use it with.
-The software automatically notices each newly installed box, and doesn't
-require a network administrator to reconfigure it.  Instead of "virtual
-private networks" we have a "REAL private network"; we add privacy to the
-real network instead of layering a manually-maintained virtual network on top
-of an insecure Internet.</p>
-
-<h4>Deployment of IPSEC</h4>
-
-<p>The US government would like to control the deployment of IP Security with
-its <a href="#exlaw">crypto export laws</a>. This isn't a problem for my
-effort, because the cryptographic work is happening outside the United
-States. A foreign philanthropist, and others, have donated the resources
-required to add these protocols to the Linux operating system. <a
-href="http://www.linux.org/">Linux</a> is a complete, freely available
-operating system for IBM PC's and several kinds of workstation, which is
-compatible with Unix.  It was written by Linus Torvalds, and is still
-maintained by a talented team of expert programmers working all over the
-world and coordinating over the Internet.  Linux is distributed under the <a
-href="glossary.html#GPL">GNU Public License</a>, which gives everyone the
-right to copy it, improve it, give it to their friends, sell it commercially,
-or do just about anything else with it, without paying anyone for the
-privilege.</p>
-
-<p>Organizations that want to secure their network will be able to put two
-Ethernet cards into an IBM PC, install Linux on it from a $30 CDROM or by
-downloading it over the net, and plug it in between their Ethernet and their
-Internet link or firewall. That's all they'll have to do to encrypt their
-Internet traffic everywhere outside their own local area network.</p>
-
-<p>Travelers will be able to run Linux on their laptops, to secure their
-connection back to their home network (and to everywhere else that they
-connect to, such as customer sites). Anyone who runs Linux on a standalone PC
-will also be able to secure their network connections, without changing their
-application software or how they operate their computer from day to day.</p>
-
-<p>There will also be numerous commercially available firewalls that use this
-technology. <a href="http://www.rsa.com/">RSA Data Security</a> is
-coordinating the <a href="http://www.rsa.com/rsa/SWAN">S/Wan (Secure Wide
-Area Network)</a> project among more than a dozen vendors who use these
-protocols. There's a <a
-href="http://www.rsa.com/rsa/SWAN/swan_test.htm">compatability chart</a> that
-shows which vendors have tested their boxes against which other vendors to
-guarantee interoperatility.</p>
-
-<p>Eventually it will also move into the operating systems and networking
-protocol stacks of major vendors.  This will probably take longer, because
-those vendors will have to figure out what they want to do about the export
-controls.</p>
-
-<h4>Current status</h4>
-
-<p>My initial goal of securing 5% of the net by Christmas '96 was not met. It
-was an ambitious goal, and inspired me and others to work hard, but was
-ultimately too ambitious.  The protocols were in an early stage of
-development, and needed a lot more protocol design before they could be
-implemented.  As of April 1999, we have released version 1.0 of the software
-(<a
-href="ftp://ftp.xs4all.nl/freeswan/freeswan-1.0.tar.gz">freeswan-1.0.tar.gz</a>),
-which is suitable for setting up Virtual Private Networks using shared
-secrets for authentication.  It does not yet do opportunistic encryption, or
-use DNSSEC for authentication; those features are coming in a future
-release.</p>
-<dl>
-  <dt>Protocols</dt>
-    <dd>The low-level encrypted packet formats are defined.  The system for
-      publishing keys and providing secure domain name service is defined.
-      The IP Security working group has settled on an NSA-sponsored protocol
-      for key agreement (called ISAKMP/Oakley), but it is still being worked
-      on, as the protocol and its documentation is too complex and
-      incomplete. There are prototype implementations of ISAKMP.  The
-      protocol is not yet defined to enable opportunistic encryption or the
-      use of DNSSEC keys.</dd>
-  <dt>Linux Implementation</dt>
-    <dd>The Linux implementation has reached its first major release and is
-      ready for production use in manually-configured networks, using Linux
-      kernel version 2.0.36.</dd>
-  <dt>Domain Name System Security</dt>
-    <dd>There is now a release of BIND 8.2 that includes most DNS Security
-      features.
-      <p>The first prototype implementation of Domain Name System Security
-      was funded by <a href="glossary.html#DARPA">DARPA</a> as part of their
-      <a href="http://www.darpa.mil/ito/research/is/index.html">Information
-      Survivability program</a>. <a href="http://www.tis.com">Trusted
-      Information Systems</a> wrote a modified version of <a
-      href="http://www.isc.org/bind.html">BIND</a>, the widely-used Berkeley
-      implementation of the Domain Name System.</p>
-      <p>TIS, ISC, and I merged the prototype into the standard version of
-      BIND. The first production version that supports KEY and SIG records is
-      <b>bind-4.9.5</b>. This or any later version of BIND will do for
-      publishing keys.  It is available from the <a
-      href="http://www.isc.org/bind.html">Internet Software Consortium</a>.
-      This version of BIND is not export-controlled since it does not contain
-      any cryptography.  Later releases starting with BIND 8.2 include
-      cryptography for authenticating DNS records, which is also exportable.
-      Better documentation is needed.</p>
-    </dd>
-</dl>
-
-<h4>Why?</h4>
-
-<p>Because I can.  I have made enough money from several successful startup
-companies, that for a while I don't have to work to support myself. I spend
-my energies and money creating the kind of world that I'd like to live in and
-that I'd like my (future) kids to live in. Keeping and improving on the civil
-rights we have in the United States, as we move more of our lives into
-cyberspace, is a particular goal of mine.</p>
-
-<h4>What You Can Do</h4>
-<dl>
-  <dt>Install the latest BIND at your site.</dt>
-    <dd>You won't be able to publish any keys for your domain, until you have
-      upgraded your copy of BIND.  The thing you really need from it is the
-      new version of <i>named</i>, the Name Daemon, which knows about the new
-      KEY and SIG record types.  So, download it from the <a
-      href="http://www.isc.org/bind.html">Internet Software Consortium </a>
-      and install it on your name server machine (or get your system
-      administrator, or Internet Service Provider, to install it).  Both your
-      primary DNS site and all of your secondary DNS sites will need the new
-      release before you will be able to publish your keys.  You can tell
-      which sites this is by running the Unix command "dig MYDOMAIN ns" and
-      seeing which sites are mentioned in your NS (name server) records.</dd>
-  <dt>Set up a Linux system and run a 2.0.x kernel on it</dt>
-    <dd>Get a machine running Linux (say the 5.2 release from <a
-      href="http://www.redhat.com">Red Hat</a>). Give the machine two
-      Ethernet cards.</dd>
-  <dt>Install the Linux IPSEC (Freeswan) software</dt>
-    <dd>If you're an experienced sysadmin or Linux hacker, install the
-      freeswan-1.0 release, or any later release or snapshot. These releases
-      do NOT provide automated "opportunistic" operation; they must be
-      manually configured for each site you wish to encrypt with.</dd>
-  <dt>Get on the linux-ipsec mailing list</dt>
-    <dd>The discussion forum for people working on the project, and testing
-      the code and documentation, is: linux-ipsec@clinet.fi. To join this
-      mailing list, send email to <a
-      href="mailto:linux-ipsec-REQUEST@clinet.fi">linux-ipsec-REQUEST@clinet.fi</a>
-      containing a line of text that says "subscribe linux-ipsec". (You can
-      later get off the mailing list the same way -- just send "unsubscribe
-      linux-ipsec").</dd>
-
-  <p></p>
-  <dt>Check back at this web page every once in a while</dt>
-    <dd>I update this page periodically, and there may be new information in
-      it that you haven't seen.  My intent is to send email to the mailing
-      list when I update the page in any significant way, so subscribing to
-      the list is an alternative.</dd>
-</dl>
-
-<p>Would you like to help?  I can use people who are willing to write
-documentation, install early releases for testing, write cryptographic code
-outside the United States, sell pre-packaged software or systems including
-this technology, and teach classes for network administrators who want to
-install this technology. To offer to help, send me email at gnu@toad.com.
-Tell me what country you live in and what your citizenship is (it matters due
-to the export control laws; personally I don't care).  Include a copy of your
-resume and the URL of your home page.  Describe what you'd like to do for the
-project, and what you're uniquely qualified for.  Mention what other
-volunteer projects you've been involved in (and how they worked out). Helping
-out will require that you be able to commit to doing particular things, meet
-your commitments, and be responsive by email.  Volunteer projects just don't
-work without those things.</p>
-
-<h4>Related projects</h4>
-<dl>
-  <dt>IPSEC for NetBSD</dt>
-    <dd>This prototype implementation of the IP Security protocols is for
-      another free operating system. <a
-      href="ftp://ftp.funet.fi/pub/unix/security/net/ip/BSDipsec.tar.gz">Download
-      BSDipsec.tar.gz</a>.</dd>
-  <dt>IPSEC for <a href="http://www.openbsd.org">OpenBSD</a></dt>
-    <dd>This prototype implementation of the IP Security protocols is for yet
-      another free operating system.  It is directly integrated into the OS
-      release, since the OS is maintained in Canada, which has freedom of
-      speech in software.</dd>
-</dl>
-
-<h3><a name="policestate">Stopping wholesale monitoring</a></h3>
-
-<p>From a message project leader John Gilmore posted to the mailing list:</p>
-<pre>John Denker wrote:
-
-&gt; Indeed there are several ways in which the documentation overstates the 
-&gt; scope of what this project does -- starting with the name 
-&gt; FreeS/WAN.  There's a big difference between having an encrypted IP tunnel 
-&gt; versus having a Secure Wide-Area Network.  This software does a fine job of 
-&gt; the former, which is necessary but not sufficient for the latter.
-
-The goal of the project is to make it very hard to tap your wide area
-communications.  The current system provides very good protection
-against passive attacks (wiretapping and those big antenna farms).
-Active attacks, which involve the intruder sending packets to your
-system (like packets that break into sendmail and give them a root
-shell :-) are much harder to guard against.  Active attacks that
-involve sending people (breaking into your house and replacing parts
-of your computer with ones that transmit what you're doing) are also
-much harder to guard against.  Though we are putting effort into
-protecting against active attacks, it's a much bigger job than merely
-providing strong encryption.  It involves general computer security,
-and general physical security, which are two very expensive problems
-for even a site to solve, let alone to build into a whole society.
-
-The societal benefit of building an infrastructure that protects
-well against passive attacks is that it makes it much harder to do
-undetected bulk monitoring of the population.  It's a defense against
-police-states, not against policemen.
-
-Policemen can put in the effort required to actively attack sites that
-they have strong suspicions about.  But police states won't be able to
-build systems that automatically monitor everyone's communications.
-Either they will be able to monitor only a small subset of the
-populace (by targeting those who screwed up their passive security),
-or their monitoring activities will be detectable by those monitored
-(active attacks leave packet traces or footprints), which can then be
-addressed through the press and through political means if they become
-too widespread.
-
-FreeS/WAN does not protect very well against traffic analysis, which
-is a kind of widespread police-state style monitoring that still
-reveals significant information (who's talking to who) without
-revealing the contents of what was said.  Defenses against traffic
-analysis are an open research problem.  Zero Knowledge Systems is
-actively deploying a system designed to thwart it, designed by Ian
-Goldberg.  The jury is out on whether it actually works; a lot more
-experience with it will be needed.</pre>
-
-<p>Notes on things mentioned in that message:</p>
-<ul>
-  <li>Denker is a co-author of a <a href="intro.html#applied">paper</a> on a
-    large FreeS/WAN application.</li>
-  <li>Information on Zero Knowledge is on their <a
-    href="http://www.zks.net/">web site</a>. Their Freedom product, designed
-    to provide untracable pseudonyms for use on the net, is no longer
-    marketed.</li>
-  <li>Another section of our documentation discusses ways to <a
-    href="ipsec.html#traffic.resist">resist traffic analysis</a>.</li>
-</ul>
-
-<h2><a name="weak">Government promotion of weak crypto</a></h2>
-
-<p>Various groups, especially governments and especially the US government,
-have a long history of advocating various forms of bogus security.</p>
-
-<p>We regard bogus security as extremely dangerous. If users are deceived
-into relying on bogus security, then they may be exposed to large risks. They
-would be better off having no security and knowing it. At least then they
-would be careful about what they said.</p>
-
-<p><strong>Avoiding bogus security is a key design criterion for everything
-we do in FreeS/WAN</strong>. The most conspicuous example is our refusal to
-support <a href="#desnotsecure">single DES</a>. Other IPsec "features" which
-we do not implement are discussed in our <a
-href="compat.html#dropped">compatibility</a> document.</p>
-
-<h3><a name="escrow">Escrowed encryption</a></h3>
-
-<p>Various governments have made persistent attempts to encourage or mandate
-"escrowed encrytion", also called "key recovery", or GAK for "government
-access to keys". The idea is that cryptographic keys be held by some third
-party and turned over to law enforcement or security agencies under some
-conditions.</p>
-<pre>  Mary had a little key - she kept it in escrow,
-  and every thing that Mary said,
-  the feds were sure to know.</pre>
-
-<p>A <a href="web.html#quotes">crypto quotes</a> page attributes this to <a
-href="http://www.scramdisk.clara.net/">Sam Simpson</a>.</p>
-
-<p>There is an excellent paper available on <a
-href="http://www.cdt.org/crypto/risks98/">Risks of Escrowed Encryption</a>,
-from a group of cryptographic luminaries which included our project
-leader.</p>
-
-<p>Like any unnecessary complication, GAK tends to weaken security of any
-design it infects. For example:</p>
-<ul>
-  <li>Matt Blaze found a fatal flaw in the US government's Clipper chip
-    shortly after design information became public. See his paper "Protocol
-    Failure in the Escrowed Encryption Standard" on his <a
-    href="http://www.crypto.com/papers/">papers</a> page.</li>
-  <li>a rather <a href="http://www.pgp.com/other/advisories/adk.asp">nasty
-    bug</a> was found in the "additional decryption keys" "feature" of some
-    releases of <a href="glossary.html#PGP">PGP</a></li>
-</ul>
-
-<p>FreeS/WAN does not support escrowed encryption, and never will.</p>
-
-<h3><a name="shortkeys">Limited key lengths</a></h3>
-
-<p>Various governments, and some vendors, have also made persistent attempts
-to convince people that:</p>
-<ul>
-  <li>weak systems are sufficient for some data</li>
-  <li>strong cryptography should be reserved for cases where the extra
-    overheads are justified</li>
-</ul>
-
-<p><strong>This is utter nonsense</strong>.</p>
-
-<p>Weak systems touted include:</p>
-<ul>
-  <li>the ludicrously weak (deliberately crippled) 40-bit ciphers that until
-    recently were all various <a href="#exlaw">export laws</a> allowed</li>
-  <li>56-bit single DES, discussed <a href="#desnotsecure">below</a></li>
-  <li>64-bit symmetric ciphers and 512-bit RSA, the maximums for unrestricted
-    export under various current laws</li>
-</ul>
-
-<p>The notion that choice of ciphers or keysize should be determined by a
-trade-off between security requirements and overheads is pure bafflegab.</p>
-<ul>
-  <li>For most <a href="glossary.html#symmetric">symmetric ciphers</a>, it is
-    simply a lie. Any block cipher has some natural maximum keysize inherent
-    in the design -- 128 bits for <a href="glossary.html#IDEA">IDEA</a> or <a
-    href="glossary.html#CAST128">CAST-128</a>, 256 for Serpent or Twofish,
-    448 for <a href="glossary.html#Blowfish">Blowfish</a> and 2048 for <a
-    href="glossary.html#RC4">RC4</a>. Using a key size smaller than that
-    limit gives <em>exactly zero </em>savings in overhead. The crippled
-    40-bit or 64-bit version of the cipher provides <em>no advantage
-    whatsoever</em>.</li>
-  <li><a href="glossary.html#AES">AES</a> uses 10 rounds with 128-bit keys,
-    12 rounds for 192-bit and 14 rounds for 256-bit, so there actually is a
-    small difference in overhead, but not enough to matter in most
-    applications.</li>
-  <li>For <a href="glossary.html#3DES">triple DES</a> there is a grain of
-    truth in the argument. 3DES is indeed three times slower than single DES.
-    However, the solution is not to use the insecure single DES, but to pick
-    a faster secure cipher. <a href="glossary.html#CAST128">CAST-128</a>, <a
-    href="glossary.html#Blowfish">Blowfish</a> and the <a
-    href="glossary.html#AES">AES candidate</a> ciphers are are all
-    considerably faster in software than DES (let alone 3DES!), and
-    apparently secure.</li>
-  <li>For <a href="glossary.html#public">public key</a> techniques, there are
-    extra overheads for larger keys, but they generally do not affect overall
-    performance significantly. Practical public key applications are usually
-    <a href="glossary.html#hybrid">hybrid</a> systems in which the bulk of
-    the work is done by a symmetric cipher. The effect of increasing the cost
-    of the public key operations is typically negligible because the public
-    key operations use only a tiny fraction of total resources.
-    <p>For example, suppose public key operations use use 1% of the time in a
-    hybrid system and you triple the cost of public key operations. The cost
-    of symmetric cipher operations is unchanged at 99% of the original total
-    cost, so the overall effect is a jump from 99 + 1 = 100 to 99 + 3 = 102,
-    a 2% rise in system cost.</p>
-  </li>
-</ul>
-
-<p>In short, <strong>there has never been any technical reason to use
-inadequate ciphers</strong>. The only reason there has ever been for anyone
-to use such ciphers is that government agencies want weak ciphers used so
-that they can crack them. The alleged savings are simply propaganda.</p>
-<pre>   Mary had a little key (It's all she could export),
-   and all the email that she sent was opened at the Fort.</pre>
-
-<p>A <a href="web.html#quotes">crypto quotes</a> page attributes this to <a
-href="http://theory.lcs.mit.edu:80/~rivest/">Ron Rivest</a>. NSA headquarters
-is at Fort Meade, Maryland.</p>
-
-<p>Our policy in FreeS/WAN is to use only cryptographic components with
-adequate keylength and no known weaknesses.</p>
-<ul>
-  <li>We do not implement single DES because it is clearly <a
-    href="#desnotsecure">insecure</a>, so implemeting it would violate our
-    policy of avoiding bogus security. Our default cipher is <a
-    href="glossary.html#3DES">3DES</a></li>
-  <li>Similarly, we do not implement the 768-bit Group 1 for <a
-    href="glossary.html#DH">Diffie-Hellman</a> key negotiation. We provide
-    only the 1024-bit Group 2 and 1536-bit Group 5.</li>
-</ul>
-
-<p>Detailed discussion of which IPsec features we implement or omit is in out
-<a href="compat.html">compatibility document</a>.</p>
-
-<p>These decisions imply that we cannot fully conform to the IPsec RFCs,
-since those have DES as the only required cipher and Group 1 as the only
-required DH group. (In our view, the standards were subverted into offerring
-bogus security.) Fortunately, we can still interoperate with most other IPsec
-implementations since nearly all implementers provide at least 3DES and Group
-2 as well.</p>
-
-<p>We hope that eventually the RFCs will catch up with our (and others')
-current practice and reject dubious components. Some of our team and a number
-of others are working on this in <a href="glossary.html#IETF">IETF</a>
-working groups.</p>
-
-<h4>Some real trade-offs</h4>
-
-<p>Of course, making systems secure does involve costs, and trade-offs can be
-made between cost and security. However, the real trade-offs have nothing to
-do with using weaker ciphers.</p>
-
-<p>There can be substantial hardware and software costs. There are often
-substantial training costs, both to train administrators and to increase user
-awareness of security issues and procedures. There are almost always
-substantial staff or contracting costs.</p>
-
-<p>Security takes staff time for planning, implementation, testing and
-auditing. Some of the issues are subtle; you need good (hence often
-expensive) people for this. You also need people to monitor your systems and
-respond to problems. The best safe ever built is insecure if an attacker can
-work on it for days without anyone noticing. Any computer is insecure if the
-administrator is "too busy" to check the logs.</p>
-
-<p>Moreover, someone in your organisation (or on contract to it) needs to
-spend considerable time keeping up with new developments. EvilDoers
-<em>will</em> know about new attacks shortly after they are found. You need
-to know about them before your systems are attacked. If your vendor provides
-a patch, you need to apply it. If the vendor does nothing, you need to
-complain or start looking for another vendor.</p>
-
-<p>For a fairly awful example, see this <a
-href="http://www.sans.org/newlook/alerts/NTE-bank.htm">report</a>. In that
-case over a million credit card numbers were taken from e-commerce sites,
-using security flaws in Windows NT servers. Microsoft had long since released
-patches for most or all of the flaws, but the site administrators had not
-applied them.</p>
-
-<p>At an absolute minimum, you must do something about such issues
-<em>before</em> an exploitation tool is posted to the net for downloading by
-dozens of "script kiddies". Such a tool might appear at any time from the
-announcement of the security hole to several months later. Once it appears,
-anyone with a browser and an attitude can break any system whose
-administrators have done nothing about the flaw.</p>
-
-<p>Compared to those costs, cipher overheads are an insignificant factor in
-the cost of security.</p>
-
-<p>The only thing using a weak cipher can do for you is to cause all your
-other investment to be wasted.</p>
-
-<h2><a name="exlaw">Cryptography Export Laws</a></h2>
-
-<p>Many nations restrict the export of cryptography and some restrict its use
-by their citizens or others within their borders.</p>
-
-<h3><a name="USlaw">US Law</a></h3>
-
-<p>US laws, as currently interpreted by the US government, forbid export of
-most cryptographic software from the US in machine-readable form without
-government permission. In general, the restrictions apply even if the
-software is widely-disseminated or public-domain and even if it came from
-outside the US originally. Cryptography is legally a munition and export is
-tightly controlled under the <a href="glossary.html#EAR">EAR</a> Export
-Administration Regulations.</p>
-
-<p>If you are a US citizen, your brain is considered US territory no matter
-where it is physically located at the moment. The US believes that its laws
-apply to its citizens everywhere, not just within the US. Providing technical
-assistance or advice to foreign "munitions" projects is illegal. The US
-government has very little sense of humor about this issue and does not
-consider good intentions to be sufficient excuse. Beware.</p>
-
-<p>The <a href="http://www.bxa.doc.gov/Encryption/">official website</a> for
-these regulations is run by the Commerce Department's Bureau of Export
-Administration (BXA).</p>
-
-<p>The <a href="http://www.eff.org/bernstein/">Bernstein case</a> challenges
-the export restrictions on Constitutional grounds. Code is speech so
-restrictions on export of code violate the First Amendment's free speech
-provisions. This argument has succeeded in two levels of court so far. It is
-quite likely to go on to the Supreme Court.</p>
-
-<p>The regulations were changed substantially in January 2000, apparently as
-a government attempt to get off the hook in the Bernstein case. It is now
-legal to export public domain source code for encryption, provided you notify
-the <a href="glossary.html#BXA">BXA</a>.</p>
-
-<p>There are, however, still restrictions in force.
- Moreover, the regulations can still be changed again whenever the government
-chooses to do so. Short of a Supreme Court ruling (in the Berstein case or
-another) that overturns the regulations completely, the problem of export
-regulation is not likely to go away in the forseeable future.</p>
-
-<h4><a name="UScontrib">US contributions to FreeS/WAN</a></h4>
-
-<p>The FreeS/WAN project <strong>cannot accept software contributions, <em>
-not even small bug fixes</em>, from US citizens or residents</strong>. We
-want it to be absolutely clear that our distribution is not subject to US
-export law. Any contribution from an American might open that question to a
-debate we'd prefer to avoid. It might also put the contributor at serious
-legal risk.</p>
-
-<p>Of course Americans can still make valuable contributions (many already
-have) by reporting bugs, or otherwise contributing to discussions, on the
-project <a href="mail.html">mailing list</a>. Since the list is public, this
-is clearly constitutionally protected free speech.</p>
-
-<p>Note, however, that the export laws restrict Americans from providing
-technical assistance to foreign "munitions" projects. The government might
-claim that private discussions or correspondence with FreeS/WAN developers
-were covered by this. It is not clear what the courts would do with such a
-claim, so we strongly encourage Americans to use the list rather than risk
-the complications.</p>
-
-<h3><a name="wrong">What's wrong with restrictions on cryptography</a></h3>
-
-<p>Some quotes from prominent cryptography experts:</p>
-
-<blockquote>
-  The real aim of current policy is to ensure the continued effectiveness of
-  US information warfare assets against individuals, businesses and
-  governments in Europe and elsewhere.<br>
-  <a href="http://www.cl.cam.ac.uk/users/rja14"> Ross Anderson, Cambridge
-  University</a></blockquote>
-
-<blockquote>
-  If the government were honest about its motives, then the debate about
-  crypto export policy would have ended years ago.<br>
-  <a href="http://www.counterpane.com"> Bruce Schneier, Counterpane
-  Systems</a></blockquote>
-
-<blockquote>
-  The NSA regularly lies to people who ask it for advice on export control.
-  They have no reason not to; accomplishing their goal by any legal means is
-  fine by them. Lying by government employees is legal.<br>
-  John Gilmore.</blockquote>
-
-<p>The Internet Architecture Board (IAB) and the Internet Engineering
-Steering Group (IESG) made a <a href="iab-iesg.stmt">strong statement</a> in
-favour of worldwide access to strong cryptography. Essentially the same
-statement is in the appropriately numbered <a
-href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">RFC 1984</a>. Two critical
-paragraphs are:</p>
-
-<blockquote>
-  ... various governments have actual or proposed policies on access to
-  cryptographic technology ...
-
-  <p>(a) ... export controls ...<br>
-  (b) ... short cryptographic keys ...<br>
-  (c) ... keys should be in the hands of the government or ...<br>
-  (d) prohibit the use of cryptology ...</p>
-
-  <p>We believe that such policies are against the interests of consumers and
-  the business community, are largely irrelevant to issues of military
-  security, and provide only a marginal or illusory benefit to law
-  enforcement agencies, ...</p>
-
-  <p>The IAB and IESG would like to encourage policies that allow ready
-  access to uniform strong cryptographic technology for all Internet users in
-  all countries.</p>
-</blockquote>
-
-<p>Our goal in the FreeS/WAN project is to build just such "strong
-cryptographic technology" and to distribute it "for all Internet users in all
-countries".</p>
-
-<p>More recently, the same two bodies (IESG and IAB) have issued <a
-href="ftp://ftp.isi.edu/in-notes/rfc2804.txt">RFC 2804</a> on why the IETF
-should not build wiretapping capabilities into protocols for the convenience
-of security or law enforcement agenicies. The abstract from that document
-is:</p>
-
-<blockquote>
-  The Internet Engineering Task Force (IETF) has been asked to take a
-  position on the inclusion into IETF standards-track documents of
-  functionality designed to facilitate wiretapping.
-
-  <p>This memo explains what the IETF thinks the question means, why its
-  answer is "no", and what that answer means.</p>
-</blockquote>
-A quote from the debate leading up to that RFC:
-
-<blockquote>
-  We should not be building surveillance technology into standards. Law
-  enforcement was not supposed to be easy. Where it is easy, it's called a
-  police state.<br>
-  Jeff Schiller of MIT, in a discussion of FBI demands for wiretap capability
-  on the net, as quoted by <a
-  href="http://www.wired.com/news/politics/0,1283,31895,00.html">Wired</a>.</blockquote>
-
-<p>The <a href="http://www.ietf.org/mailman/listinfo/raven">Raven</a> mailing
-list was set up for this IETF discussion.</p>
-
-<p>Our goal is to go beyond that RFC and prevent Internet wiretapping
-entirely.</p>
-
-<h3><a name="Wassenaar">The Wassenaar Arrangement</a></h3>
-
-<p>Restrictions on the export of cryptography are not just US policy, though
-some consider the US at least partly to blame for the policies of other
-nations in this area.</p>
-
-<p>A number of countries:</p>
-
-<p>Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic,
-Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan,
-Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of
-Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden,
-Switzerland, Turkey, Ukraine, United Kingdom and United States</p>
-
-<p>have signed the Wassenaar Arrangement which restricts export of munitions
-and other tools of war. Cryptographic sofware is covered there.</p>
-
-<p>Wassenaar details are available from the <a
-href="http://www.wassenaar.org/"> Wassenaar Secretariat</a>, and elsewhere in
-a more readable <a href="http://www.fitug.de/news/wa/index.html"> HTML
-version</a>.</p>
-
-<p>For a critique see the <a href="http://www.gilc.org/crypto/wassenaar">
-GILC site</a>:</p>
-
-<blockquote>
-  The Global Internet Liberty Campaign (GILC) has begun a campaign calling
-  for the removal of cryptography controls from the Wassenaar Arrangement.
-
-  <p>The aim of the Wassenaar Arrangement is to prevent the build up of
-  military capabilities that threaten regional and international security and
-  stability . . .</p>
-
-  <p>There is no sound basis within the Wassenaar Arrangement for the
-  continuation of any export controls on cryptographic products.</p>
-</blockquote>
-
-<p>We agree entirely.</p>
-
-<p>An interesting analysis of Wassenaar can be found on the <a
-href="http://www.cyber-rights.org/crypto/wassenaar.htm">cyber-rights.org</a>
-site.</p>
-
-<h3><a name="status">Export status of Linux FreeS/WAN</a></h3>
-
-<p>We believe our software is entirely exempt from these controls since the
-Wassenaar <a
-href="http://www.wassenaar.org/list/GTN%20and%20GSN%20-%2099.pdf">General
-Software Note</a> says:</p>
-
-<blockquote>
-  The Lists do not control "software" which is either:
-  <ol>
-    <li>Generally available to the public by . . . retail . . . or</li>
-    <li>"In the public domain".</li>
-  </ol>
-</blockquote>
-
-<p>There is a note restricting some of this, but it is a sub-heading under
-point 1, so it appears not to apply to public domain software.</p>
-
-<p>Their glossary defines "In the public domain" as:</p>
-
-<blockquote>
-  . . . "technology" or "software" which has been made available without
-  restrictions upon its further dissemination.
-
-  <p>N.B. Copyright restrictions do not remove "technology" or "software"
-  from being "in the public domain".</p>
-</blockquote>
-
-<p>We therefore believe that software freely distributed under the <a
-href="glossary.html#GPL">GNU Public License</a>, such as Linux FreeS/WAN, is
-exempt from Wassenaar restrictions.</p>
-
-<p>Most of the development work is being done in Canada. Our understanding is
-that the Canadian government accepts this interpretation.</p>
-<ul>
-  <li>A web statement of <a
-    href="http://www.dfait-maeci.gc.ca/~eicb/notices/ser113-e.htm"> Canadian
-    policy</a> is available from the Department of Foreign Affairs and
-    International Trade.</li>
-  <li>Another document from that department states that <a
-    href="http://www.dfait-maeci.gc.ca/~eicb/export/gr1_e.htm">public domain
-    software</a> is exempt from the export controls.</li>
-  <li>A researcher's <a
-    href="http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html">analysis</a>
-    of Canadian policy is also available.</li>
-</ul>
-
-<p>Recent copies of the freely modifiable and distributable source code exist
-in many countries. Citizens all over the world participate in its use and
-evolution, and guard its ongoing distribution. Even if Canadian policy were
-to change, the software would continue to evolve in countries which do not
-restrict exports, and would continue to be imported from there into unfree
-countries. "The Net culture treats censorship as damage, and routes around
-it."</p>
-
-<h3><a name="help">Help spread IPsec around</a></h3>
-
-<p>You can help. If you don't know of a Linux FreeS/WAN archive in your own
-country, please download it now to your personal machine, and consider making
-it publicly accessible if that doesn't violate your own laws. If you have the
-resources, consider going one step further and setting up a mirror site for
-the whole <a href="intro.html#munitions">munitions</a> Linux crypto software
-archive.</p>
-
-<p>If you make Linux CD-ROMs, please consider including this code, in a way
-that violates no laws (in a free country, or in a domestic-only CD
-product).</p>
-
-<p>Please send a note about any new archive mirror sites or CD distributions
-to linux-ipsec@clinet.fi so we can update the documentation.</p>
-
-<p>Lists of current <a href="intro.html#sites">mirror sites</a> and of <a
-href="intro.html#distwith">distributions</a> which include FreeS/WAN are in
-our introduction section.</p>
-
-<h2><a name="desnotsecure">DES is Not Secure</a></h2>
-
-<p>DES, the <strong>D</strong>ata <strong>E</strong>ncryption
-<strong>S</strong>tandard, can no longer be considered secure. While no major
-flaws in its innards are known, it is fundamentally inadequate because its
-<strong>56-bit key is too short</strong>. It is vulnerable to <a
-href="glossary.html#brute">brute-force search</a> of the whole key space,
-either by large collections of general-purpose machines or even more quickly
-by specialized hardware. Of course this also applies to <strong>any other
-cipher with only a 56-bit key</strong>. The only reason anyone could have for
-using a 56 or 64-bit key is to comply with various <a
-href="exportlaw.html">export laws</a> intended to ensure the use of breakable
-ciphers.</p>
-
-<p>Non-government cryptologists have been saying DES's 56-bit key was too
-short for some time -- some of them were saying it in the 70's when DES
-became a standard -- but the US government has consistently ridiculed such
-suggestions.</p>
-
-<p>A group of well-known cryptographers looked at key lengths in a <a
-href="http://www.counterpane.com/keylength.html"> 1996 paper</a>. They
-suggested a <em>minimum</em> of 75 bits to consider an existing cipher secure
-and a <em>minimum of 90 bits for new ciphers</em>. More recent papers,
-covering both <a href="glossary.html#symmetric">symmetric</a> and <a
-href="glossary.html#public">public key</a> systems are at <a
-href="http://www.cryptosavvy.com/">cryptosavvy.com</a> and <a
-href="http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html">rsa.com</a>.
-For all algorithms, the minimum keylengths recommended in such papers are
-significantly longer than the maximums allowed by various export laws.</p>
-
-<p>In a <a
-href="http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-09/0095.html">1998
-ruling</a>, a German court described DES as "out-of-date and not safe enough"
-and held a bank liable for using it.</p>
-
-<h3><a name="deshware">Dedicated hardware breaks DES in a few days</a></h3>
-
-<p>The question of DES security has now been settled once and for all. In
-early 1998, the <a href="http://www.eff.org/">Electronic Frontier
-Foundation</a> built a <a
-href="http://www.eff.org/descracker.html">DES-cracking machine</a>. It can
-find a DES key in an average of a few days' search. The details of all this,
-including complete code listings and complete plans for the machine, have
-been published in <a href="biblio.html#EFF"><cite>Cracking DES</cite></a>, by
-the Electronic Frontier Foundation.</p>
-
-<p>That machine cost just over $200,000 to design and build. "Moore's Law" is
-that machines get faster (or cheaper, for the same speed) by roughly a factor
-of two every 18 months. At that rate, their $200,000 in 1998 becomes $50,000
-in 2001.</p>
-
-<p>However, Moore's Law is not exact and the $50,000 estimate does not allow
-for the fact that a copy based on the published EFF design would cost far
-less than the original. We cannot say exactly what such a cracker would cost
-today, but it would likely be somewhere between $10,000 and $100,000.</p>
-
-<p>A large corporation could build one of these out of petty cash. The cost
-is low enough for a senior manager to hide it in a departmental budget and
-avoid having to announce or justify the project. Any government agency, from
-a major municipal police force up, could afford one. Or any other group with
-a respectable budget -- criminal organisations, political groups, labour
-unions, religious groups, ... Or any millionaire with an obsession or a
-grudge, or just strange taste in toys.</p>
-
-<p>One might wonder if a private security or detective agency would have one
-for rent. They wouldn't need many clients to pay off that investment.</p>
-
-<h3><a name="spooks">Spooks may break DES faster yet</a></h3>
-
-<p>As for the security and intelligence agencies of various nations, they may
-have had DES crackers for years, and theirs may be much faster. It is
-difficult to make most computer applications work well on parallel machines,
-or to design specialised hardware to accelerate them. Cipher-cracking is one
-of the very few exceptions. It is entirely straightforward to speed up
-cracking by just adding hardware. Within very broad limits, you can make it
-as fast as you like if you have the budget. The EFF's $200,000 machine breaks
-DES in a few days. An <a href="http://www.planepage.com/">aviation
-website</a> gives the cost of a B1 bomber as $200,000,000. Spending that
-much, an intelligence agency could break DES in an average time of <em>six
-and a half minutes</em>.</p>
-
-<p>That estimate assumes they use the EFF's 1998 technology and just spend
-more money. They may have an attack that is superior to brute force, they
-quite likely have better chip technology (Moore's law, a bigger budget, and
-whatever secret advances they may have made) and of course they may have
-spent the price of an aircraft carrier, not just one aircraft.</p>
-
-<p>In short, we have <em>no idea</em> how quickly these organisations can
-break DES. Unless they're spectacularly incompetent or horribly underfunded,
-they can certainly break it, but we cannot guess how quickly. Pick any time
-unit between days and milliseconds; none is entirely unbelievable. More to
-the point, none of them is  of any comfort if you don't want such
-organisations reading your communications.</p>
-
-<p>Note that this may be a concern even if nothing you do is a threat to
-anyone's national security. An intelligence agency might well consider it to
-be in their national interest for certain companies to do well. If you're
-competing against such companies in a world market and that agency can read
-your secrets, you have a serious problem.</p>
-
-<p>One might wonder about technology the former Soviet Union and its allies
-developed for cracking DES during the Cold War. They must have tried; the
-cipher was an American standard and widely used. Certainly those countries
-have some fine mathematicians, and those agencies had budget. How well did
-they succeed? Is their technology now for sale or rent?</p>
-
-<h3><a name="desnet">Networks break DES in a few weeks</a></h3>
-
-<p>Before the definitive EFF effort, DES had been cracked several times by
-people using many machines. See this <a
-href="http://www.distributed.net/pressroom/DESII-1-PR.html"> press
-release</a> for example.</p>
-
-<p>A major corporation, university, or government department could break DES
-by using spare cycles on their existing collection of computers, by
-dedicating a group of otherwise surplus machines to the problem, or by
-combining the two approaches. It might take them weeks or months, rather than
-the days required for the EFF machine, but they could do it.</p>
-
-<p>What about someone working alone, without the resources of a large
-organisation? For them, cracking DES will not be easy, but it may be
-possible. A few thousand dollars buys a lot of surplus workstations. A pile
-of such machines will certainly heat your garage nicely and might break DES
-in a few months or years. Or enroll at a university and use their machines.
-Or use an employer's machines. Or crack security somewhere and steal the
-resources to crack a DES key. Or write a virus that steals small amounts of
-resources on many machines. Or . . .</p>
-
-<p>None of these approaches are easy or break DES really quickly, but an
-attacker only needs to find one that is feasible and breaks DES quickly
-enough to be dangerous. How much would you care to bet that this will be
-impossible if the attacker is clever and determined? How valuable is your
-data? Are you authorised to risk it on a dubious bet?</p>
-
-<h3><a name="no_des">We disable DES</a></h3>
-
-<p>In short, it is now absolutely clear that <strong>DES is not
-secure</strong> against</p>
-<ul>
-  <li>any <strong>well-funded opponent</strong></li>
-  <li>any opponent (even a penniless one) with access (even stolen access) to
-    <strong>enough general purpose computers</strong></li>
-</ul>
-
-<p>That is why <strong>Linux FreeS/WAN disables all transforms which use
-plain DES</strong> for encryption.</p>
-
-<p>DES is in the source code, because we need DES to implement our default
-encryption transform, <a href="glossary.html#3DES">Triple DES</a>. <strong>We
-urge you not to use single DES</strong>. We do not provide any easy way to
-enable it in FreeS/WAN, and our policy is to provide no assistance to anyone
-wanting to do so.</p>
-
-<h3><a name="40joke">40-bits is laughably weak</a></h3>
-
-<p>The same is true, in spades, of ciphers -- DES or others -- crippled by
-40-bit keys, as many ciphers were required to be until recently under various
-<a href="#exlaw">export laws</a>. A brute force search of such a cipher's
-keyspace is 2<sup>16</sup> times faster than a similar search against DES.
-The EFF's machine can do a brute-force search of a 40-bit key space in
-<em>seconds</em>. One contest to crack a 40-bit cipher was won by a student
-<a href="http://catless.ncl.ac.uk/Risks/18.80.html#subj1"> using a few
-hundred idle machines at his university</a>. It took only three and half
-hours.</p>
-
-<p>We do not, and will not, implement any 40-bit cipher.</p>
-
-<h3><a name="altdes">Triple DES is almost certainly secure</a></h3>
-
-<p><a href="glossary.html#3DES">Triple DES</a>, usually abbreviated 3DES,
-applies DES three times, with three different keys. DES seems to be basically
-an excellent cipher design; it has withstood several decades of intensive
-analysis without any disastrous flaws being found. It's only major flaw is
-that the small keyspace allows brute force attacks to succeeed. Triple DES
-enlarges the key space to 168 bits, making brute-force search a ridiculous
-impossibility.</p>
-
-<p>3DES is currently the only block cipher implemented in FreeS/WAN. 3DES is,
-unfortunately, about 1/3 the speed of DES, but modern CPUs still do it at
-quite respectable speeds. Some <a href="glossary.html#benchmarks">speed
-measurements</a> for our code are available.</p>
-
-<h3><a name="aes.ipsec">AES in IPsec</a></h3>
-
-<p>The <a href="glossary.html#AES">AES</a> project has chosen a replacement
-for DES, a new standard cipher for use in non-classified US government work
-and in regulated industries such as banking. This cipher will almost
-certainly become widely used for many applications, including IPsec.</p>
-
-<p>The winner, announced in October 2000 after several years of analysis and
-discussion, was the <a
-href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">Rijndael</a> cipher
-from two Belgian designers.</p>
-
-<p>It is almost certain that FreeS/WAN will add AES support. <a
-href="web.html#patch">AES patches</a> are already available.</p>
-
-<h2><a name="press">Press coverage of Linux FreeS/WAN:</a></h2>
-
-<h3>FreeS/WAN 1.0 press</h3>
-<ul>
-  <li><a
-    href="http://www.wired.com/news/news/technology/story/19136.html">Wired</a>
-    "Linux-Based Crypto Stops Snoops", James Glave April 15 1999</li>
-  <li><a
-    href="http://slashdot.org/articles/99/04/15/1851212.shtml">Slashdot</a></li>
-  <li><a href="http://dgl.com/itinfo/1999/it990415.html">DGL</a>, Damar Group
-    Limited; looking at FreeS/WAN from a perspective of business
-  computing</li>
-  <li><a href="http://linuxtoday.com/stories/5010.html">Linux Today</a></li>
-  <li><a href="http://www.tbtf.com/archive/1999-04-21.html#Tcep">TBTF</a>,
-    Tasty Bits from the Technology Front</li>
-  <li><a
-    href="http://www.salonmagazine.com/tech/log/1999/04/16/encryption/index.html">Salon
-    Magazine</a> "Free Encryption Takes a Big Step"</li>
-</ul>
-
-<h3><a name="release">Press release for version 1.0</a></h3>
-<pre>        Strong Internet Privacy Software Free for Linux Users Worldwide
-
-Toronto, ON, April 14, 1999 - 
-
-The Linux FreeS/WAN project today released free software to protect
-the privacy of Internet communications using strong encryption codes.
-FreeS/WAN automatically encrypts data as it crosses the Internet, to
-prevent unauthorized people from receiving or modifying it.  One
-ordinary PC per site runs this free software under Linux to become a
-secure gateway in a Virtual Private Network, without having to modify
-users' operating systems or application software.  The project built
-and released the software outside the United States, avoiding US
-government regulations which prohibit good privacy protection.
-FreeS/WAN version 1.0 is available immediately for downloading at
-http://www.xs4all.nl/~freeswan/.
-
-"Today's FreeS/WAN release allows network administrators to build
-excellent secure gateways out of old PCs at no cost, or using a cheap
-new PC," said John Gilmore, the entrepreneur who instigated the
-project in 1996.  "They can build operational experience with strong
-network encryption and protect their users' most important
-communications worldwide."
-
-"The software was written outside the United States, and we do not
-accept contributions from US citizens or residents, so that it can be
-freely published for use in every country," said Henry Spencer, who
-built the release in Toronto, Canada.  "Similar products based in the
-US require hard-to-get government export licenses before they can be
-provided to non-US users, and can never be simply published on a Web
-site.  Our product is freely available worldwide for immediate
-downloading, at no cost."
-
-FreeS/WAN provides privacy against both quiet eavesdropping (such as
-"packet sniffing") and active attempts to compromise communications
-(such as impersonating participating computers).  Secure "tunnels" carry
-information safely across the Internet between locations such as a
-company's main office, distant sales offices, and roaming laptops.  This
-protects the privacy and integrity of all information sent among those
-locations, including sensitive intra-company email, financial transactions
-such as mergers and acquisitions, business negotiations, personal medical
-records, privileged correspondence with lawyers, and information about
-crimes or civil rights violations.  The software will be particularly
-useful to frequent wiretapping targets such as private companies competing
-with government-owned companies, civil rights groups and lawyers,
-opposition political parties, and dissidents. 
-
-FreeS/WAN provides privacy for Internet packets using the proposed
-standard Internet Protocol Security (IPSEC) protocols.  FreeS/WAN
-negotiates strong keys using Diffie-Hellman key agreement with 1024-bit
-keys, and encrypts each packet with 168-bit Triple-DES (3DES).  A modern
-$500 PC can set up a tunnel in less than a second, and can encrypt
-6 megabits of packets per second, easily handling the whole available
-bandwidth at the vast majority of Internet sites.  In preliminary testing,
-FreeS/WAN interoperated with 3DES IPSEC products from OpenBSD, PGP, SSH,
-Cisco, Raptor, and Xedia.  Since FreeS/WAN is distributed as source code,
-its innards are open to review by outside experts and sophisticated users,
-reducing the chance of undetected bugs or hidden security compromises.
-
-The software has been in development for several years.  It has been
-funded by several philanthropists interested in increased privacy on
-the Internet, including John Gilmore, co-founder of the Electronic
-Frontier Foundation, a leading online civil rights group.
-
-Press contacts:
-Hugh Daniel,   +1 408 353 8124, hugh@toad.com
-Henry Spencer, +1 416 690 6561, henry@spsystems.net
-
-* FreeS/WAN derives its name from S/WAN, which is a trademark of RSA Data
-  Security, Inc; used by permission.</pre>
-</body>
-</html>
diff --git a/doc/src/quickstart-configs.html b/doc/src/quickstart-configs.html
deleted file mode 100644
index b2ad21bcc..000000000
--- a/doc/src/quickstart-configs.html
+++ /dev/null
@@ -1,144 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>Quick FreeS/WAN installation and configuration</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, installation, quickstart">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Revised by Claudia Schmeing for same
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  This is a new file derived from:
-  RCS ID:          $Id: quickstart-configs.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-<BODY>
-<H1><A name="quick_configs">FreeS/WAN quick start examples</A></H1>
-<P>These are sample 
-<A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>
-configuration files for opportunistic encryption, with comments. Much of 
-this configuration will be unnecessary with the new defaults proposed
-for FreeS/WAN 2.x.</P>
-<P>Full instructions are in our
-<A href="quickstart.html#quickstart">quickstart guide</A>.
-
-<H2><A name="qc.opp.client">Configuration for Initiate-only Opportunistic Encryption</A></H2>
-<P>The ipsec.conf file for an initiate-only opportunistic setup is:</P>
-<PRE># general IPsec setup
-config setup
-        # Use the default interface
-        interfaces=%defaultroute
-        # Use auto= parameters in conn descriptions to control startup actions.
-        plutoload=%search
-        plutostart=%search
-        uniqueids=yes
-
-# defaults for subsequent connection descriptions
-conn %default
-        # How to authenticate gateways
-        authby=rsasig
-        # default is
-        # load connection description into Pluto's database
-        # so it can respond if another gatway initiates
-        # individual connection descriptions may override this
-        auto=add
-
-# description for opportunistic connections
-conn me-to-anyone
-        left=%defaultroute         # all connections should use default route
-        right=%opportunistic       # anyone we can authenticate
-        leftrsasigkey=%dnsondemand  # NEW: look up keys in DNS as-needed
-        rightrsasigkey=%dnsondemand # (not at connection load time)
-        rekey=no                   # let unused connections die
-        keylife=1h                 # short
-        auto=route                 # set up for opportunistic
-        leftid=@xy.example.com     # our identity for IPSec negotiations
-                                   # must match DNS and ipsec.secrets</PRE>
-
-<P>Normally, you need to do only two things:</P>
-<UL>
-  <LI>edit <VAR>leftid=</VAR></LI>
-  <LI>set <VAR>auto=route</VAR></LI>
-</UL>
-<P>
- However, some people may need to customize the <VAR>interfaces=</VAR> line
- in the "config setup" section. All other sections are identical for any
- standalone machine doing opportunistic encryption.</P>
-<P>The @ sign in the <VAR>leftid=</VAR> makes the ID go "over the wire"
- as a Fully Qualified Domain Name (FQDN).  Without it, an IP address would
- be used and this won't work.</P>
-<P>The conn is not used to supply either public key. Your private key
- is in <A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A>
- and, for opportunistic encryption, the public keys for remote gateways
- are all looked up in DNS.</P>
-<P>FreeS/WAN authenticates opportunistic encryption by <A href="#gen_rsa">RSA
- signature</A> only, so "public key" and "private key" refer to these keys.</P>
-<P>While the <VAR>left</VAR> and <VAR>right</VAR> designations
- here are arbitrary, we follow a convention of using <VAR>left</VAR> for
- local and <VAR>right</VAR> for remote.</P>
-
-<P><A href="quickstart.html#config.opp.client">Continue configuring
-initiate-only opportunism.</A>
-
-<H2><A name="qc.incoming.opp.conf">ipsec.conf for Incoming Opportunistic Encryption</A></H2>
-Use the ipsec.conf above, except that the section describing opportunistic
-connections is now:</P>
-<PRE>
-# description for opportunistic connections
-conn me-to-anyone
-        left=%defaultroute         # all connections should use default route
-        right=%opportunistic       # anyone we can authenticate
-        leftrsasigkey=%dnsondemand  # NEW: look up keys in DNS as-needed
-        rightrsasigkey=%dnsondemand # (not at connection load time)
-        rekey=no                   # let unused connections die
-        keylife=1h                 # short
-        auto=route                 # set up for opportunistic</PRE>
-
-<P>Note that <VAR>leftid=</VAR> has been removed. With no explicit setting,
-<VAR>leftid=</VAR> defaults to the IP of your public interface.</P>
-
-<P><A href="quickstart.html#incoming.opp.conf">Continue configuring
-full opportunism.</A>
-
-
-<H2><A name="qc.gate.opp.conf">ipsec.conf for Opportunistic Gateway</A></H2>
-Use the ipsec.conf above, plus these connections:
-
-<PRE>conn subnet-to-anyone            # must be above me-to-anyone
-       also=me-to-anyone
-       leftsubnet=42.42.42.0/24
-
-conn me-to-anyone                # just like for full opportunism
-        left=%defaultroute
-        right=%opportunistic
-        leftrsasigkey=%dnsondemand
-        rightrsasigkey=%dnsondemand
-        keylife=1h
-        rekey=no
-        auto=route               # be sure this is enabled
-                                 # Note there is NO leftid= </PRE>
-
-
-<P>Note that a subnet described in ipsec.conf(5) need not correspond to a
- physical network segment. This is discussed in more detail in our
-<A href="adv_config.html">advanced configuration</A> document.</P>
-
-<P>If required, a gateway can easily provide this service for more than one
- subnet. You just add a connection description for each.</P>
-
-<P><A href="quickstart.html#config.opp.gate">Continue configuring an
-opportunistic gateway.</A>
-
-
-</BODY>
-</HTML>
-
diff --git a/doc/src/quickstart-firewall.html b/doc/src/quickstart-firewall.html
deleted file mode 100644
index 53c27b5af..000000000
--- a/doc/src/quickstart-firewall.html
+++ /dev/null
@@ -1,187 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>Quick FreeS/WAN installation and configuration</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, installation, quickstart">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Revised by Claudia Schmeing for same
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  RCS ID:          $Id: quickstart-firewall.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-<BODY>
-<H1><A name="quick_firewall">FreeS/WAN quick start on firewalling</A></H1>
-<P>This firewalling information supplements our
-<A HREF="quickstart.html#quick_guide">quickstart guide.</A></P>
-<P>It includes tips for firewalling:</P>
-<UL>
-<LI><A HREF="#firewall.standalone">a standalone system with initiator-only 
-opportunism</A></LI>
-<LI><A HREF="#incoming.opp.firewall">incoming opportunistic connections</A></LI>
-<LI><A HREF="#opp.gate.firewall">an opportunistic gateway</A></LI>
-</UL>
-<P>and a list of helpful <A HREF="#resources">resources</A>.</P>
-<H2><A name="firewall.standalone">Firewalling a standalone system</A></H2>
-<P>Firewall rules on a standalone system doing IPsec can be very simple.</P>
-<P>The first step is to allow IPsec packets (IKE on UDP port 500 plus
- ESP, protocol 50) in and out of your gateway. A script to set up
- iptables(8) rules for this is:</P>
-<PRE># edit this line to match the interface you use as default route
-# ppp0 is correct for many modem, DSL or cable connections
-# but perhaps not for you
-world=ppp0
-#
-# allow IPsec
-#
-# IKE negotiations
-iptables -A INPUT  -p udp -i $world --sport 500 --dport 500 -j ACCEPT
-iptables -A OUTPUT -p udp -o $world --sport 500 --dport 500 -j ACCEPT
-# ESP encryption and authentication
-iptables -A INPUT  -p 50 -i $world -j ACCEPT
-iptables -A OUTPUT -p 50 -o $world -j ACCEPT</PRE>
-<P>Optionally, you could restrict this, allowing these packets only to
- and from a list of known gateways.</P>
-<P>A second firewalling step -- access controls built into the IPsec
- protocols -- is automatically applied:</P>
-<DL>
-<DT><A href="glossary.html#Pluto">Pluto</A> -- the FreeS/WAN keying
- daemon -- deals with the IKE packets.</DT>
-<DD>Pluto authenticates its partners during the IKE negotiation, and
- drops negotiation if authentication fails.</DD>
-<DT><A href="glossary.html#KLIPS">KLIPS</A> -- the FreeS/WAN kernel
- component -- handles the ESP packets.</DT>
-<DD>
-<DL>
-<DT>KLIPS drops outgoing packets</DT>
-<DD>if they are routed to IPsec, but no tunnel has been negotiated for
- them</DD>
-<DT>KLIPS drops incoming unencrypted packets</DT>
-<DD>if source and destination addresses match a tunnel; the packets
- should have been encrypted</DD>
-<DT>KLIPS drops incoming encrypted packets</DT>
-<DD>if source and destination address do not match the negotiated
- parameters of the tunnel that delivers them</DD>
-<DD>if packet-level authentication fails</DD>
-</DL>
-</DD>
-</DL>
-<P>These errors are logged. See our <A href="trouble.html">
- troubleshooting</A> document for details.</P>
-<P>As an optional third step, you may wish to filter packets emerging from 
- your opportunistic tunnels.
- These packets arrive on an interface such as <VAR>ipsec0</VAR>, rather than
- <VAR>eth0</VAR>, <VAR>ppp0</VAR> or whatever. For example, in an iptables(8)
- rule set, you would use:</P>
-<DL>
-<DT><VAR>-i ipsec+</VAR></DT>
-<DD>to specify packets arriving on any ipsec device</DD>
-<DT><VAR>-o ipsec+</VAR></DT>
-<DD>to specify packets leaving via any ipsec device</DD>
-</DL>
-<P>In this way, you can apply whatever additional filtering you like to these
-packets.</P>
-<P>The packets emerging on <VAR>ipsec0</VAR> are likely
- to be things that a client application on your machine requested: web 
- pages, e-mail, file transfers and so on. However, any time you initiate
- an opportunistic connection, you open a two-way connection to
- another machine (or network). It is conceivable that a Bad Guy there 
- could take advantage of your link.</P>
-<P>For more information, read the next section.</P>
-</P>
-<H2><A name="incoming.opp.firewall">Firewalling incoming opportunistic
- connections</A></H2>
-<P>The basic firewalling for IPsec does not change when you support
- incoming connections as well as connections you initiate. You must
- still allow IKE (UDP port 500) and ESP (protocol 50) packets to and
- from your machine, as in the rules given <A href="#firewall.standalone">
- above</A>.</P>
-<P>However, there is an additional security concern when you allow
- incoming opportunistic connections. Incoming opportunistic packets
- enter your machine via an IPSec tunnel. That is, they all appear as
- ESP (protocol 50) packets, concealing whatever port and protocol
- characteristics the packet within the tunnel has. Contained
- in the tunnel as they pass through <VAR>ppp0</VAR> or <VAR>eth0</VAR>,
- these packets can bypass your usual firewall rules on these interfaces.
-<P>Consequently, you will want to firewall your <VAR>ipsec</VAR> interfaces
- the way you would any publicly accessible interface.</P>
-<P>A simple way to do this is to create one iptables(8) table with
- all your filtering rules for incoming packets, and apply the entire table to
- all public interfaces, including <VAR>ipsec</VAR> interfaces.</P>
-
-<H2><A name="opp.gate.firewall">Firewalling for opportunistic gateways</A></H2>
-<P>On a gateway, the IPsec-related firewall rules applied for input and
- output on the Internet side are exactly as shown 
-<A HREF="#firewall.standalone">above</A>. A gateway
- exchanges exactly the same things -- UDP 500 packets and IPsec packets
- -- with other gateways that a standalone system does, so it can use
- exactly the same firewall rules as a standalone system would.</P>
-<P>However, on a gateway there are additional things to do:</P>
-<UL>
-<LI>you have other interfaces and need rules for them</LI>
-<LI>packets emerging from ipsec processing must be correctly forwarded</LI>
-</UL>
-<P>You need additional rules to handle these things. For example, adding
- some rules to the set shown above we get:</P>
-<PRE># edit this line to match the interface you use as default route
-# ppp0 is correct for many modem, DSL or cable connections
-# but perhaps not for you
-world=ppp0
-#
-# edit these lines to describe your internal subnet and interface
-localnet=42.42.42.0/24
-internal=eth1
-#
-# allow IPsec
-#
-# IKE negotiations
-iptables -A INPUT  -p udp -i $world --sport 500 --dport 500 -j ACCEPT
-iptables -A OUTPUT -p udp -o $world --sport 500 --dport 500 -j ACCEPT
-# ESP encryption and authentication
-iptables -A INPUT  -p 50 -i $world -j ACCEPT
-iptables -A OUTPUT -p 50 -o $world -j ACCEPT
-#
-# packet forwarding for an IPsec gateway
-# simplest possible rules
-$ forward everything, with no attempt to filter
-#
-# handle packets emerging from IPsec
-# ipsec+ means any of ipsec0, ipsec1, ...
-iptables -A FORWARD -d $localnet -i ipsec+ -j ACCEPT
-# simple rule for outbound packets
-# let local net send anything
-# IPsec will encrypt some of it
-iptables -A FORWARD -s $localnet -i $internal -j ACCEPT </PRE>
-<P>On a production gateway, you would no doubt need tighter rules than
- the above.</P>
-<H2><A NAME="resources">Firewall resources</A></H2>
-<P>For more information, see these handy resources:</P>
-<UL>
-<LI><A href="http://www.netfilter.org/documentation/">netfilter
- documentation</A></LI>
-<LI>books such as:
-<UL>
-<LI>Cheswick and Bellovin, <A href="biblio.html#firewall.book">Firewalls
- and Internet Security</A></LI>
-<LI>Zeigler, <A href="biblio.html#Zeigler">Linux Firewalls</A>,</LI>
-</UL>
-</LI>
-<LI><A href="firewall.html#firewall">our firewalls document</A></LI>
-<LI><A href="web.html#firewall.web">our firewall links</A></LI>
-</UL>
-<A HREF="quickstart.html#quick.firewall">Back to our quickstart guide.</A>
-</BODY>
-</HTML>
-
-
-
diff --git a/doc/src/quickstart.html b/doc/src/quickstart.html
deleted file mode 100644
index a74c11774..000000000
--- a/doc/src/quickstart.html
+++ /dev/null
@@ -1,458 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>Quick FreeS/WAN installation and configuration</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, installation, quickstart">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Revised by Claudia Schmeing for same
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: quickstart.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-<BODY>
-<H1><A name="quickstart">Quickstart Guide to Opportunistic Encryption</A></H1>
-<A name="quick_guide"></A>
-
-<H2><A name="opp.setup">Purpose</A></H2>
-
-<P>This page will get you started using Linux FreeS/WAN with opportunistic
- encryption (OE). OE enables you to set up IPsec tunnels
- without co-ordinating with another
- site administrator, and without hand configuring each tunnel.
- If enough sites support OE, a &quot;FAX effect&quot; occurs, and
- many of us can communicate without eavesdroppers.</P>
-
-<H3>OE "flag day"</H3>
-
-<P>As of FreeS/WAN 2.01, OE uses DNS TXT resource records (RRs)
-only (rather than TXT with KEY). 
-This change causes a 
-<a href="http://jargon.watson-net.com/jargon.asp?w=flag+day">"flag day"</a>.
-Users of FreeS/WAN 2.00 (or earlier) OE who are upgrading may require 
-additional resource records, as detailed in our 
-<a href="upgrading.html#upgrading.flagday">upgrading document</a>. 
-OE setup instructions here are for 2.02 or later.</P>
-
-
-<H2><A name="opp.dns">Requirements</A></H2>
-
-<P>To set up opportunistic encryption, you will need:</P>
-<UL>
-<LI>a Linux box. For OE to the public Internet, this box must NOT 
-be behind <A HREF="glossary.html#NAT.gloss">Network Address Translation</A>
-(NAT).</LI>
-<LI>to install Linux FreeS/WAN 2.02 or later</LI>
-<LI>either control over your reverse DNS (for full opportunism) or 
-the ability to write to some forward domain (for initiator-only). 
-<A HREF="http://www.fdns.net">This free DNS service</A> explicitly 
-supports forward TXT records for FreeS/WAN use.</LI>
-<LI>(for full opportunism) a static IP</LI>
-</UL>
-
-<P>Note: Currently, only Linux FreeS/WAN supports opportunistic 
-encryption.</P>
-
-<H2><A name="easy.install">RPM install</A></H2>
-
-<P>Our instructions are for a recent Red Hat with a 2.4-series stock or 
-Red Hat updated kernel. For other ways to install, see our 
-<A href="install.html#install">install document</A>.</P>
-
-
-<H3>Download RPMs</H3>
-
-<P>If we have prebuilt RPMs for your Red Hat system, 
-this command will get them:
-</P>
-
-<PRE>    ncftpget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r | tr -d 'a-wy-z'`/\*</PRE>
-
-<P>If that fails, you will need to try <A HREF="install.html">another install 
-method</A>. 
-Our kernel modules 
-<B>will only work on the Red Hat kernel they were built for</B>,
-since they are very sensitive to small changes in the kernel.</P>
-
-<P>If it succeeds, you will have userland tools, a kernel module, and an 
-RPM signing key:</P>
-
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm
-    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm
-    freeswan-rpmsign.asc</PRE>
-
-
-<H3>Check signatures</H3>
-
-<P>If you're running RedHat 8.x or later, import the RPM signing key into the 
-RPM database:</P>
-<PRE>    rpm --import freeswan-rpmsign.asc</PRE>
- 
-<P>For RedHat 7.x systems, you'll need to add it to your 
-<A HREF="glossary.html#PGP">PGP</A> keyring:</P>
-<PRE>    pgp -ka freeswan-rpmsign.asc</PRE>
-
-<P>Check the digital signatures on both RPMs using:</P>
-<PRE>    rpm --checksig freeswan*.rpm </PRE>
-
-<P>You should see that these signatures are good:</P>
-<PRE>    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK
-    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm: pgp md5 OK</PRE>
-
-
-<H3>Install the RPMs</H3>
-
-<P>Become root:</P>
-<PRE>    su</PRE>
-
-<P>Install your RPMs with:<P>
-<PRE>    rpm -ivh freeswan*.rpm</PRE>
-
-<P>If you're upgrading from FreeS/WAN 1.x RPMs, and have problems with that
-command, see 
-<A HREF="upgrading.html#upgrading.rpms">this note</A>.</P>
-
-<P>Then, start FreeS/WAN:</P>
-<PRE>    service ipsec start</PRE>
-
-
-<H3><A name="testinstall">Test</A></H3>
-<P>To check that you have a successful install, run:</P>
-<PRE>    ipsec verify</PRE>
-
-<P>You should see as part of the <var>verify</var> output:</P>
-<PRE>
-    Checking your system to see if IPsec got installed and started correctly
-    Version check and ipsec on-path                             [OK]
-    Checking for KLIPS support in kernel                        [OK]
-    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
-    Checking that pluto is running                              [OK]
-    ...</PRE>
-
-<P>If any of these first four checks fails, see our 
-<A href="trouble.html#install.check">troubleshooting guide</A>.
-</P>
-
-<H2><A name="opp.setups.list">Our Opportunistic Setups</A></H2>
-<H3>Full or partial opportunism?</H3>
-<P>Determine the best form of opportunism your system can support.</P>
-<UL>
-<LI>For <A HREF="#opp.incoming">full opportunism</A>, you'll need a static
-IP and and either control over your reverse DNS or an ISP
-that can add the required TXT record for you.</LI>
-<LI>If you have a dynamic IP, and/or write access to forward DNS only,
-you can do <A HREF="#opp.client">initiate-only opportunism</A></LI>
-<LI>To protect traffic bound for real IPs behind your gateway, use
-<A HREF="adv_config.html#opp.gate">this form of full opportunism</A>.</LI>
-</UL>
-
-<H2><A name="opp.client">Initiate-only setup</A></H2>
-
-<H3>Restrictions</H3>
-<P>When you set up initiate-only Opportunistic Encryption (iOE):</P>
-<UL>
-<LI>there will be <STRONG> no incoming connection requests</STRONG>; you
- can initiate all the IPsec connections you need.</LI>
-<LI><STRONG>only one machine is visible</STRONG> on your end of the
- connection.</LI>
-<LI>iOE also protects traffic on behalf of 
-<A HREF="glossary.html#NAT.gloss">NATted</A> hosts behind the iOE box.</LI>
-</UL>
-<P>You cannot network a group of initiator-only machines if none
-of these is capable of responding to OE. If one is capable of responding, 
-you may be able to create a hub topology using routing.</P>
-
-
-<H3><A name="forward.dns">Create and publish a forward DNS record</A></H3>
-
-<H4>Find a domain you can use</H4>
-
-<P>Find a DNS forward domain (e.g. example.com) where you can publish your key. 
-You'll need access to the DNS zone files for that domain.  
-This is common for a domain you own. Some free DNS providers, 
-such as <A HREF="http://www.fdns.net">this one</A>, also provide 
-this service.</P>
-
-<P>Dynamic IP users take note: the domain where you place your key
- need not be associated with the IP address for your system, 
- or even with your system's usual hostname.</P>
-
-<H4>Choose your ID</H4>
-
-<P>Choose a name within that domain which you will use to identify your 
- machine. It's convenient if this can be the same as your hostname:</P>
-<PRE>    [root@xy root]# hostname --fqdn
-    xy.example.com</PRE>
-<P>This name in FQDN (fully-qualified domain name)
-format will be your ID, for DNS key lookup and IPsec
-negotiation.</P>
-
-
-<H4>Create a forward TXT record</H4>
-
-<P>Generate a forward TXT record containing your system's public key
- with a command like:</P>
-<PRE>    ipsec showhostkey --txt @xy.example.com</PRE>
-<P>using your chosen ID in place of 
-xy.example.com.
-This command takes the contents of
-/etc/ipsec.secrets and reformats it into something usable by ISC's BIND.
- The result should look like this (with the key data trimmed down for
- clarity):</P>
-<PRE>
-    ; RSA 2192 bits   xy.example.com   Thu Jan  2 12:41:44 2003
-        IN      TXT     "X-IPsec-Server(10)=@xy.example.com" 
-    "AQOF8tZ2... ...+buFuFn/"
-</PRE>
-
-
-<H4>Publish the forward TXT record</H4>
-
-<P>Insert the record into DNS, or have a system adminstrator do it
-for you. It may take up to 48 hours for the record to propagate, but 
-it's usually much quicker.</P>
-
-<H3>Test that your key has been published</H3>
-
-<P>Check your DNS work</P>
-
-<PRE>    ipsec verify --host xy.example.com</PRE>
-
-<P>As part of the <var>verify</var> output, you ought to see something 
-like:</P>
-
-<PRE>    ...
-    Looking for TXT in forward map: xy.example.com          [OK]
-    ...</PRE>
-
-<P>For this type of opportunism, only the forward test is relevant;
-you can ignore the tests designed to find reverse records.</P>
-
-
-<H3>Configure, if necessary</H3>
-
-<P>
-If your ID is the same as your hostname,
-you're ready to go.
-FreeS/WAN will use its 
-<A HREF="policygroups.html">built-in connections</A> to create 
-your iOE functionality.
-</P>
-
-<P>If you have chosen a different ID, you must tell FreeS/WAN about it via
-<A HREF="manpage.d/ipsec.conf.5.html"><VAR>ipsec.conf</VAR></A>:
-
-<PRE>    config setup
-        myid=@myname.freedns.example.com</PRE>
-
-<P>and restart FreeS/WAN:
-</P>
-<PRE>    service ipsec restart</PRE>
-<P>The new ID will be applied to the built-in connections.</P>
-
-<P>Note: you can create more complex iOE configurations as explained in our
-<A HREF="policygroups.html#policygroups">policy groups document</A>, or
-disable OE using
-<A HREF="policygroups.html#disable_policygroups">these instructions</A>.</P>
-
-
-<H3>Test</H3>
-<P>That's it! <A HREF="#opp.test">Test your connections</A>.</P>
-
-<A name="opp.incoming"></A><H2>Full Opportunism</H2>
-
-<P>Full opportunism
-allows you to initiate and receive opportunistic connections on your
-machine.</P>
-
-<A name="incoming.opp.dns"></A><H3>Put a TXT record in a Forward Domain</H3>
-
-<P>To set up full opportunism, first
-<A HREF="#forward.dns">set up a forward TXT record</A> as for 
-<A HREF="#opp.client">initiator-only OE</A>, using
-an ID (for example, your hostname) that resolves to your IP. Do not
-configure <VAR>/etc/ipsec.conf</VAR>, but continue with the
-instructions for full opportunism, below.
-</P>
-
-<P>Note that this forward record is not currently necessary for full OE, 
-but will facilitate future features.</P>
-
-
-<A name="incoming.opp.dns"></A><H3>Put a TXT record in Reverse DNS</H3>
-
-<P>You must be able to publish your DNS RR directly in the reverse domain.
-FreeS/WAN will not follow a PTR which appears in the reverse, since 
-a second lookup at connection start time is too costly.</P>
-
-
-<H4>Create a Reverse DNS TXT record</H4>
-
-<P>This record serves to publicize your FreeS/WAN public key. In 
- addition, it lets others know that this machine can receive opportunistic 
-connections, and asserts that the machine is authorized to encrypt on 
-its own behalf.</P>
-
-<P>Use the command:</P>
-<PRE>    ipsec showhostkey --txt 192.0.2.11</PRE>
-<P>where you replace 192.0.2.11 with your public IP.</P>
-
-<P>The record (with key shortened) looks like:</P>
-<PRE>    ; RSA 2048 bits  xy.example.com   Sat Apr 15 13:53:22 2000
-    IN TXT  &quot;X-IPsec-Server(10)=192.0.2.11&quot; &quot; AQOF8tZ2...+buFuFn/&quot;</PRE>
-
-
-<H4>Publish your TXT record</H4>
-
-<P>Send these records to your ISP, to be published in your IP's reverse map.
-It may take up to 48 hours for these to propagate, but usually takes
-much less time.</P>
-
-
-<H3>Test your DNS record</H3>
-
-<P>Check your DNS work with</P>
-
-<PRE>    ipsec verify --host xy.example.com</PRE>
-
-<P>As part of the <var>verify</var> output, you ought to see something like:</P>
-
-<PRE>    ...
-    Looking for TXT in reverse map: 11.2.0.192.in-addr.arpa [OK]
-    ...</PRE>
-
-<P>which indicates that you've passed the reverse-map test.</P>
-
-<H3>No Configuration Needed</H3>
-
-<P>FreeS/WAN 2.x ships with full OE enabled, so you don't need to configure 
-anything.
-To enable OE out of the box, FreeS/WAN 2.x uses the policy group
-<VAR>private-or-clear</VAR>,
-which creates IPsec connections if possible (using OE if needed), 
-and allows traffic in the clear otherwise. You can create more complex 
-OE configurations as described in our
-<A HREF="policygroups.html#policygroups">policy groups document</A>, or 
-disable OE using 
-<A HREF="policygroups.html#disable_policygroups">these instructions</A>.</P>
-
-<P>If you've previously configured for initiator-only opportunism, remove 
- <VAR>myid=</VAR> from <VAR>config setup</VAR>, so that peer FreeS/WANs 
-will look up your key by IP. Restart FreeS/WAN so that your change will 
-take effect, with</P>
-
-<PRE>    service ipsec restart</PRE>
-
-
-<H3>Consider Firewalling</H3>
-
-<P>If you are running a default install of RedHat 8.x, take note: you will
-need to alter your iptables rule setup to allow IPSec traffic through your
-firewall. See <A HREF="firewall.html#simple.rules">our firewall document</A>
-for sample <VAR>iptables</VAR> rules.</P>
-
-
-<H3>Test</H3>
-
-<P>That's it. Now, <A HREF="#opp.test">test your connection</A>.
-
-
-
-
-<H3>Test</H3>
-
-<P>Instructions are in the next section.</P>
-
-
-<H2><A NAME="opp.test">Testing opportunistic connections</A></H2>
-
-<P>Be sure IPsec is running. You can see whether it is with:</P>
-<PRE>    ipsec setup status</PRE>
-<P>If need be, you can restart it with:</P>
-<PRE>    service ipsec restart</PRE>
-
-<P>Load a FreeS/WAN test website from the host on which you're running
-FreeS/WAN. Note: the feds may be watching these sites. Type one of:<P>
-<PRE>   links oetest.freeswan.org</PRE>
-<PRE>   links oetest.freeswan.nl</PRE>
-<!--<PRE>   links oetest.freeswan.ca</PRE>-->
-
-<P>A positive result looks like this:</P>
-
-<PRE>
-   You  seem  to  be  connecting  from:  192.0.2.11 which DNS says is:
-   gateway.example.com
-     _________________________________________________________________
-
-   Status E-route
-   OE    enabled    16    192.139.46.73/32    ->    192.0.2.11/32   =>
-   tun0x2097@192.0.2.11
-   OE    enabled    176    192.139.46.77/32    ->   192.0.2.11/32   =>
-   tun0x208a@192.0.2.11
-</PRE>
-
-<P>If you see this, congratulations! Your OE host or gateway will now encrypt 
-its own traffic whenever it can. For more OE tests, please see our
-<A HREF="testing.html#test.oe">testing document</A>. If you have difficulty, 
-see our <A HREF="#oe.trouble">OE troubleshooting tips</A>.
-</P>
-
-
-
-<H2>Now what?</H2>
-
-<P>Please see our <A HREF="policygroups.html">policy groups document</A>
-for more ways to set up Opportunistic Encryption.</P>
-
-<P>You may also wish to make some <A HREF="config.html">
-pre-configured connections</A>.
-</P>
-
-<H2>Notes</H2>
-
-<UL>
-<LI>We assume some facts about your system in order to make Opportunistic
-Encryption easier to configure. For example, we assume that you wish
-to have FreeS/WAN secure your default interface.</LI>
-<LI>You may change this, and other settings, by altering the
-<VAR>config setup</VAR> section in 
-<VAR>/etc/ipsec.conf</VAR>.
-</LI>
-<LI>Note that the built-in connections used to build policy groups do 
-not inherit from <VAR>conn default</VAR>.</LI>
-<!--
-<LI>If you do not define your local identity
-(eg. <VAR>leftid</VAR>), this will be the IP address of your default
-FreeS/WAN interface.  
--->
-<LI>
-If you fail to define your local identity and
-do not fill in your reverse DNS entry, you will not be able to use OE.</LI>
-</UL>
-
-<A NAME="oe.trouble"></A><H2>Troubleshooting OE</H2>
-
-<P>See the OE troubleshooting hints in our 
-<A HREF="trouble.html#oe.trouble">troubleshooting guide</A>.
-</P>
-
-<A NAME="oe.known-issues"></A><H2>Known Issues</H2>
-
-<P>Please see 
-<A HREF="opportunism.known-issues">this list</A> of known issues
-with Opportunistic Encryption.</P>
-
-
-</BODY>
-</HTML>
diff --git a/doc/src/reference.ESPUDP.xml b/doc/src/reference.ESPUDP.xml
deleted file mode 100644
index c9b96cef3..000000000
--- a/doc/src/reference.ESPUDP.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE reference SYSTEM 'rfc2629.dtd'>
-
-<reference anchor='ESPUDP'>
-
-<front>
-<title abbrev='UDPESP'>UDP Encapsulation of IPsec Packets</title>
-<author initials='A.' surname='Huttunen' fullname='Ari Huttunen'>
-<organization>F-Secure Corporation</organization>
-<address>
-<postal>
-<street>Tammasaarenkatu 7</street>
-<street>FIN-00181 HELSINKI</street>
-<country>Finland</country></postal>
-<email>Ari.Huttunen@F-Secure.com</email></address></author>
-
-<author initials='W.' surname='Dixon' fullname='William Dixon'>
-<organization>Microsoft</organization>
-<address>
-<postal>
-<street>One Microsoft Way</street>
-<street>Redmond</street>
-<street>WA 98052</street>
-<country>USA</country></postal>
-<email>wdixon@microsoft.com</email></address></author>
-
-<date month='June' year='2001'></date>
-<area>Security</area>
-<keyword>IP security protocol</keyword>
-<keyword>IPSEC</keyword>
-<keyword>security</keyword></front>
-
-<seriesInfo name='ID' value='internet-draft (draft-ietf-ipsec-udp-encaps-00) (informative)' />
-</reference>
diff --git a/doc/src/reference.KEYRESTRICT.xml b/doc/src/reference.KEYRESTRICT.xml
deleted file mode 100644
index 62aa1ef96..000000000
--- a/doc/src/reference.KEYRESTRICT.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE reference SYSTEM 'rfc2629.dtd'>
-
-<reference anchor='KEYRESTRICT'>
-
-<front>
-<title abbrev='KEYRESTRICT'>Limiting the Scope of the KEY Resource Record</title>
-<author initials='D.' surname='Massey' fullname='Dan Massey'>
-<organization>USC/ISI</organization>
-<address>
-<postal>
-<street>USC Informational Sciences Institute</street>
-<street>3811 North Fairfax Drive, Suite 200</street>
-<street>Arlington, VA 22203</street>
-<country>USA</country></postal>
-<email>masseyd@isi.edu</email></address></author>
-
-<author initials='S.' surname='Rose' fullname='Scott Rose'>
-<organization>National Institute for Standards and Technology</organization>
-<address>
-<postal>
-<street>Gaithersburg, MD</street>
-<country>USA</country></postal>
-<email>scott.rose@nist.gov</email></address></author>
-
-<date month='March' year='2002'></date>
-<area>Internet</area>
-</front>
-
-<seriesInfo name='ID' value='internet-draft (draft-ietf-dnsext-restrict-key-for-dnssec-02) (normative)' />
-</reference>
diff --git a/doc/src/reference.MODPGROUPS.xml b/doc/src/reference.MODPGROUPS.xml
deleted file mode 100644
index 5eaf83f89..000000000
--- a/doc/src/reference.MODPGROUPS.xml
+++ /dev/null
@@ -1,32 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE reference SYSTEM 'rfc2629.dtd'>
-
-<reference anchor='MODPGROUPS'>
-
-<front>
-<title abbrev='MODPGROUPS'>More MODP Diffie-Hellman groups for IKE</title>
-<author initials='T.' surname='Kivinen' fullname='Tero Kivinen'>
-<organization>SSH Communications Security</organization>
-<address>
-<postal>
-<street>Fredrikinkatu 42</street>
-<street>FIN-00100 HELSINKI</street>
-<country>Finland</country></postal>
-<email>kivinen@ssh.fi</email></address></author>
-
-<author initials='M.' surname='Kojo' fullname='Mika Kojo'>
-<organization>University of Helsinki</organization>
-<address>
-<postal>
-<street>HELSINKI</street>
-<country>Finland</country></postal>
-<email>mrskojo@cc.helsinki.fi</email></address></author>
-
-<date month='November' year='2001'></date>
-<area>Security</area>
-<keyword>IP security protocol</keyword>
-<keyword>IPSEC</keyword>
-<keyword>security</keyword></front>
-
-<seriesInfo name='ID' value='internet-draft (draft-ietf-ipsec-ike-modp-groups-03) (normative)' />
-</reference>
diff --git a/doc/src/reference.OEspec.xml b/doc/src/reference.OEspec.xml
deleted file mode 100644
index 29c6d6efd..000000000
--- a/doc/src/reference.OEspec.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE reference SYSTEM 'rfc2629.dtd'>
-
-<reference anchor='OEspec'>
-
-<front>
-<title abbrev='OEspec'>Opportunistic Encryption</title>
-
-  <author initials="D.H." surname="Redelmeier"
-          fullname="D. Hugh Redelmeier">
-    <organization abbrev="Mimosa">Mimosa</organization>
-    <address>
-      <postal>   
-      	<street>Somewhere</street>
-        <city>Toronto</city>
-        <region>ON</region>
-        <country>CA</country>
-      </postal>
-      <email>hugh@mimosa.com</email>
-    </address>
-  </author>
-
-  <author initials="H." surname="Spencer"
-          fullname="Henry Spencer">
-    <organization abbrev="SP Systems">SP Systems</organization>
-    <address>
-      <postal>
-      	<street>Box 280 Station A</street>
-	<city>Toronto</city>
-	<region>ON</region>
-	<code>M5W 1B2</code>
-	<country>Canada</country>
-      </postal>
-      <email>henry@spsystems.net</email>
-    </address>
-  </author>
-
-<date month='May' year='2001'></date>
-<keyword>IP security protocol</keyword>
-<keyword>IPSEC</keyword>
-<keyword>security</keyword></front>
-
-<seriesInfo name='paper' value='http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/opportunism.spec' />
-</reference>
-
diff --git a/doc/src/reference.RFC.3526.xml b/doc/src/reference.RFC.3526.xml
deleted file mode 100644
index 54fed705a..000000000
--- a/doc/src/reference.RFC.3526.xml
+++ /dev/null
@@ -1,32 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE reference SYSTEM 'rfc2629.dtd'>
-
-<reference anchor='RFC3526'>
-
-<front>
-<title abbrev='MODPGROUPS'>More MODP Diffie-Hellman groups for IKE</title>
-<author initials='T.' surname='Kivinen' fullname='Tero Kivinen'>
-<organization>SSH Communications Security</organization>
-<address>
-<postal>
-<street>Fredrikinkatu 42</street>
-<street>FIN-00100 HELSINKI</street>
-<country>Finland</country></postal>
-<email>kivinen@ssh.fi</email></address></author>
-
-<author initials='M.' surname='Kojo' fullname='Mika Kojo'>
-<organization>University of Helsinki</organization>
-<address>
-<postal>
-<street>HELSINKI</street>
-<country>Finland</country></postal>
-<email>mrskojo@cc.helsinki.fi</email></address></author>
-
-<date month='March' year='2003'></date>
-<area>Security</area>
-<keyword>IP security protocol</keyword>
-<keyword>IPSEC</keyword>
-<keyword>security</keyword></front>
-
-<seriesInfo name='RFC' value='3526' />
-</reference>
diff --git a/doc/src/responderstate.txt b/doc/src/responderstate.txt
deleted file mode 100644
index f64b82983..000000000
--- a/doc/src/responderstate.txt
+++ /dev/null
@@ -1,43 +0,0 @@
-                |
-                | IKE main mode 
-                |  phase 1
-                V
-        .-----------------.  
-        | unauthenticated | 
-        |     OE peer     |
-        `-----------------'
-                |
-                | lookup KEY RR in in-addr.arpa 
-                |             (if ID_IPV4_ADDR)
-                | lookup KEY RR in forward
-                |             (if ID_FQDN)
-                V
-        .-----------------.  RR not found
-        |   received DNS  |---------------> log failure
-        |     reply       | 
-        `----+--------+---'
-     phase 2 |        \      misformatted 
-    proposal |         `------------------> log failure
-             V
-    .----------------.
-    |  authenticated |  identical initiator 
-    |     OE peer    |--------------------> initiator 
-    `----------------'  connection found    state machine
-         |
-         | look for TXT record for initiator
-	 |
-         V  
-   .---------------.
-   |  authorized   |---------------------> log failure
-   |    OE peer    |
-   `---------------'
-         |
-         |
-         V
-    potential OE
-    connection in
-    initiator state
-	machine
-
-
-$Id: responderstate.txt,v 1.1 2004/03/15 20:35:24 as Exp $
diff --git a/doc/src/rfc.html b/doc/src/rfc.html
deleted file mode 100644
index 762c66c6e..000000000
--- a/doc/src/rfc.html
+++ /dev/null
@@ -1,158 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>IPsec RFCs</title>
-  <meta name="keywords"
-  content="IPsec, VPN, security, FreeSWAN, RFC, standard">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: rfc.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="RFC">IPsec RFCs and related documents</a></h1>
-
-<h2><a name="RFCfile">The RFCs.tar.gz Distribution File</a></h2>
-
-<p>The Linux FreeS/WAN distribution is available from <a
-href="http://www.xs4all.nl/~freeswan"> our primary distribution site</a> and
-various mirror sites. To give people more control over their downloads, the
-RFCs that define IP security are bundled separately in the file
-RFCs.tar.gz.</p>
-
-<p>The file you are reading is included in the main distribution and is
-available on the web site. It describes the RFCs included in the <a
-href="#RFCs.tar.gz">RFCs.tar.gz</a> bundle and gives some pointers to <a
-href="#sources">other ways to get them</a>.</p>
-
-<h2><a name="sources">Other sources for RFCs &amp; Internet drafts</a></h2>
-
-<h3><a name="RFCdown">RFCs</a></h3>
-
-<p>RFCs are downloadble at many places around the net such as:</p>
-<ul>
-  <li><a href="http://www.rfc-editor.org">http://www.rfc-editor.org</a></li>
-  <li><a href="http://nis.nsf.net/internet/documents/rfc">NSF.net</a></li>
-  <li><a href="http://sunsite.doc.ic.ac.uk/computing/internet/rfc">Sunsite in
-    the UK</a></li>
-</ul>
-
-<p>browsable in HTML form at others such as:</p>
-<ul>
-  <li><a
-  href="http://www.landfield.com/rfcs/index.html">landfield.com</a></li>
-  <li><a href="http://www.library.ucg.ie/Connected/RFC">Connected Internet
-    Encyclopedia</a></li>
-</ul>
-
-<p>and some of them are available in translation:</p>
-<ul>
-  <li><a href="http://www.eisti.fr/eistiweb/docs/normes/">French</a></li>
-</ul>
-
-<p>There is also a published <a href="biblio.html#RFCs">Big Book of IPSEC
-RFCs</a>.</p>
-
-<h3><a name="drafts">Internet Drafts</a></h3>
-
-<p>Internet Drafts, working documents which sometimes evolve into RFCs, are
-also available.</p>
-<ul>
-  <li><a href="http://www.ietf.org/ID.html">Overall reference page</a></li>
-  <li><a href="http://www.ietf.org/ids.by.wg/ipsec.html">IPsec</a> working
-    group</li>
-  <li><a href="http://www.ietf.org/ids.by.wg/ipsra.html">IPSRA (IPsec Remote
-    Access)</a> working group</li>
-  <li><a href="http://www.ietf.org/ids.by.wg/ipsp.html">IPsec Policy</a>
-    working group</li>
-  <li><a href="http://www.ietf.org/ids.by.wg/kink.html">KINK (Kerberized
-    Internet Negotiation of Keys)</a>  working group</li>
-</ul>
-
-<p>Note: some of these may be obsolete, replaced by later drafts or by
-RFCs.</p>
-
-<h3><a name="FIPS1">FIPS standards</a></h3>
-
-<p>Some things used by <a href="glossary.html#IPSEC">IPsec</a>, such as <a
-href="glossary.html#DES">DES</a> and <a href="glossary.html#SHA">SHA</a>, are
-defined by US government standards called <a
-href="glossary.html#FIPS">FIPS</a>. The issuing organisation, <a
-href="glossary.html#NIST">NIST</a>, have a <a
-href="http://www.itl.nist.gov/div897/pubs">FIPS home page</a>.</p>
-
-<h2><a name="RFCs.tar.gz">What's in the RFCs.tar.gz bundle?</a></h2>
-
-<p>All filenames are of the form rfc*.txt, with the * replaced with the RFC
-number.</p>
-<pre>RFC#        Title</pre>
-
-<h3><a name="rfc.ov">Overview RFCs</a></h3>
-<pre>2401        Security Architecture for the Internet Protocol
-2411        IP Security Document Roadmap</pre>
-
-<h3><a name="basic.prot">Basic protocols</a></h3>
-<pre>2402        IP Authentication Header
-2406        IP Encapsulating Security Payload (ESP)</pre>
-
-<h3><a name="key.ike">Key management</a></h3>
-<pre>2367        PF_KEY Key Management API, Version 2
-2407        The Internet IP Security Domain of Interpretation for ISAKMP
-2408        Internet Security Association and Key Management Protocol (ISAKMP)
-2409        The Internet Key Exchange (IKE)
-2412        The OAKLEY Key Determination Protocol
-2528        Internet X.509 Public Key Infrastructure</pre>
-
-<h3><a name="rfc.detail">Details of various things used</a></h3>
-<pre>2085        HMAC-MD5 IP Authentication with Replay Prevention
-2104        HMAC: Keyed-Hashing for Message Authentication
-2202        Test Cases for HMAC-MD5 and HMAC-SHA-1
-2207        RSVP Extensions for IPSEC Data Flows
-2403        The Use of HMAC-MD5-96 within ESP and AH
-2404        The Use of HMAC-SHA-1-96 within ESP and AH
-2405        The ESP DES-CBC Cipher Algorithm With Explicit IV
-2410        The NULL Encryption Algorithm and Its Use With IPsec
-2451        The ESP CBC-Mode Cipher Algorithms
-2521        ICMP Security Failures Messages</pre>
-
-<h3><a name="rfc.ref">Older RFCs which may be referenced</a></h3>
-<pre>1321        The MD5 Message-Digest Algorithm
-1828        IP Authentication using Keyed MD5
-1829        The ESP DES-CBC Transform
-1851        The ESP Triple DES Transform
-1852        IP Authentication using Keyed SHA</pre>
-
-<h3><a name="rfc.dns">RFCs for secure DNS service, which IPsec may
-use</a></h3>
-<pre>2137        Secure Domain Name System Dynamic Update
-2230        Key Exchange Delegation Record for the DNS
-2535        Domain Name System Security Extensions
-2536        DSA KEYs and SIGs in the Domain Name System (DNS)
-2537        RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
-2538        Storing Certificates in the Domain Name System (DNS)
-2539        Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</pre>
-
-<h3><a name="rfc.exp">RFCs labelled "experimental"</a></h3>
-<pre>2521        ICMP Security Failures Messages
-2522        Photuris: Session-Key Management Protocol
-2523        Photuris: Extended Schemes and Attributes</pre>
-
-<h3><a name="rfc.rel">Related RFCs</a></h3>
-<pre>1750        Randomness Recommendations for Security
-1918        Address Allocation for Private Internets
-1984        IAB and IESG Statement on Cryptographic Technology and the Internet
-2144        The CAST-128 Encryption Algorithm</pre>
-</body>
-</html>
diff --git a/doc/src/roadmap.html b/doc/src/roadmap.html
deleted file mode 100644
index c9d85047c..000000000
--- a/doc/src/roadmap.html
+++ /dev/null
@@ -1,203 +0,0 @@
-<html>
-<head>
-<title>FreeS/WAN roadmap</title>
-<meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN">
-
-<!--
-
-Written by Sandy Harris for the Linux FreeS/WAN project
-Freely distributable under the GNU General Public License
-
-More information at www.freeswan.org
-Feedback to users@lists.freeswan.org
-
-CVS information:
-RCS ID:          $Id: roadmap.html,v 1.1 2004/03/15 20:35:24 as Exp $
-Last changed:    $Date: 2004/03/15 20:35:24 $
-Revision number: $Revision: 1.1 $
-
-CVS revision numbers do not correspond to FreeS/WAN release numbers.
--->
-</head>
-
-<body>
-<h1><a name="roadmap">Distribution Roadmap: What's Where in Linux FreeS/WAN</a></h1>
-
-<p>
-This file is a guide to the locations of files within the FreeS/WAN
-distribution. Everything described here should be on your system once you
-download, gunzip, and untar the distribution.</p>
-
-<p>This distribution contains two major subsystems
-</p>
-<dl>
-  <dt><a href="#klips.roadmap">KLIPS</a></dt>
-    <dd>the kernel code</dd>
-  <dt><a href="#pluto.roadmap">Pluto</a></dt>
-    <dd>the user-level key-management daemon</dd>
-</dl>
-
-<p>plus assorted odds and ends.
-</p>
-<h2><a name="top">Top directory</a></h2>
-
-<p>The top directory has essential information in text files:</p>
-
-<dl>
-  <dt>README</dt>
-    <dd>introduction to the software</dd>
-  <dt>INSTALL</dt>
-    <dd>short experts-only installation procedures. More detalied procedures are in
-      <a href="install.html">installation</a> and
-	<a href="config.html">configuration</a> HTML documents.</dd>
-  <dt>BUGS</dt>
-    <dd>major known bugs in the current release.</dd>
-  <dt>CHANGES</dt>
-    <dd>changes from previous releases</dd>
-  <dt>CREDITS</dt>
-    <dd>acknowledgement of contributors</dd>
-  <dt>COPYING</dt>
-    <dd>licensing and distribution information</dd>
-</dl>
-
-<h2><a name="doc">Documentation</a></h2>
-
-<p>
-The doc directory contains the bulk of the documentation, most of it in
-HTML format. See the <a href="index.html">index file</a> for details.
-</p>
-
-<h2><a name="klips.roadmap">KLIPS: kernel IP security</a></h2>
-</a>
-<p>
-<a href="glossary.html#KLIPS">KLIPS</a> is <strong>K</strong>erne<strong>L</strong>
-<strong>IP</strong> <strong>S</strong>ecurity. It lives in the klips
-directory, of course.
-</p>
-<dl>
-  <dt>klips/doc</dt>
-    <dd>documentation</dd>
-  <dt>klips/patches</dt>
-    <dd>patches for existing kernel files</dd>
-  <dt>klips/test</dt>
-    <dd>test stuff</dd>
-  <dt>klips/utils</dt>
-    <dd>low-level user utilities</dd>
-  <dt>klips/net/ipsec</dt>
-    <dd>actual klips kernel files</dd>
-  <dt>klips/src</dt>
-    <dd>symbolic link to klips/net/ipsec
-      <p>The "make insert" step of installation installs the patches and makes
-      a symbolic link from the kernel tree to klips/net/ipsec. The odd name of
-      klips/net/ipsec is dictated by some annoying limitations of the scripts
-      which build the Linux kernel.  The symbolic-link business is a bit
-      messy, but all the alternatives are worse.</p>
-      <p></p>
-    </dd>
-  <dt>klips/utils</dt>
-    <dd>Utility programs:
-      <p></p>
-      <dl>
-        <dt>eroute</dt>
-          <dd>manipulate IPsec extended routing tables</dd>
-        <dt>klipsdebug</dt>
-          <dd>set Klips (kernel IPsec support) debug features and level</dd>
-        <dt>spi</dt>
-          <dd>manage IPsec Security Associations</dd>
-        <dt>spigrp</dt>
-          <dd>group/ungroup IPsec Security Associations</dd>
-        <dt>tncfg</dt>
-          <dd>associate IPsec virtual interface with real interface</dd>
-      </dl>
-      <p>These are all normally invoked by ipsec(8) with commands such as</p>
-      <pre>        ipsec tncfg <var>arguments</var></pre>
-      There are section 8 man pages for all of these; the names have "ipsec_"
-      as a prefix, so your man command should be something like:
-      <pre>        man 8 ipsec_tncfg</pre>
-    </dd>
-</dl>
-
-<h2><a name="pluto.roadmap">Pluto key and connection management daemon</a></h2>
-
-<p>
-<a href="glossary.html#Pluto">Pluto</a> is our key management and negotiation daemon. It
-lives in the pluto directory, along with its low-level user utility,
-whack.
-</p>
-<p>
-There are no subdirectories. Documentation is a man page,
-<a href="manpage.d/ipsec_pluto.8.html">pluto.8</a>. This covers whack as well.
-</p>
-
-<h2><a name="utils">Utils</a></h2>
-
-<p>
-The utils directory contains a growing collection of higher-level user
-utilities, the commands that administer and control the software.  Most of the
-things that you will actually have to run yourself are in there.
-</p>
-<dl>
-  <dt>ipsec</dt>
-    <dd>invoke IPsec utilities
-      <p>ipsec(8) is normally the only program installed in a standard
-      directory, /usr/local/sbin. It is used to invoke the others, both those
-      listed below and the ones in klips/utils mentioned above.</p>
-      <p></p>
-    </dd>
-  <dt>auto</dt>
-    <dd>control automatically-keyed IPsec connections</dd>
-  <dt>manual</dt>
-    <dd>take manually-keyed IPsec connections up and down</dd>
-  <dt>barf</dt>
-    <dd>generate copious debugging output</dd>
-  <dt>look</dt>
-    <dd>generate moderate amounts of debugging output</dd>
-</dl>
-<p>
-There are .8 manual pages for these. look is covered in barf.8. The man pages
-have an "ipsec_" prefix so your man command should be something like:
-<pre>
-        man 8 ipsec_auto
-</pre>
-<p>
-Examples are in various files with names utils/*.eg</p>
-
-<h2><a name="lib">Libraries</a></h2>
-
-<h3><a name="fswanlib">FreeS/WAN Library</a></h3>
-
-<p>
-The lib directory is the FreeS/WAN library, also steadily growing, used by
-both user-level and kernel code.<br />
-It includes section 3 <a href="manpages.html">man pages</a> for the library routines.
-</p>
-<h3><a name="otherlib">Imported Libraries</a></h3>
-
-<h4>LibDES</h4>
-
-The libdes library, originally from SSLeay, is used by both Klips and Pluto
-for <a href="glossary.html#3DES">Triple DES</a> encryption. Single DES is not
-used because <a href="politics.html#desnotsecure">it is
-insecure</a>.
-<p>
-Note that this library has its own license, different from the
-<a href="glossary.html#GPL">GPL</a> used for other code in FreeS/WAN.
- </p>
-<p>
-The library includes its own documentation.
-
-
-<h4>GMP</h4>
-
-The GMP (GNU multi-precision) library is used for multi-precision arithmetic
-in Pluto's key-exchange code and public key code.
-<p>
-Older versions (up to 1.7) of FreeS/WAN included a copy of this library in
-the FreeS/WAN distribution.
-<p>
-Since 1.8, we have begun to rely on the system copy of GMP.
-</p>
-
-</body>
-</html>
-
diff --git a/doc/src/testing.html b/doc/src/testing.html
deleted file mode 100644
index 8ffcca604..000000000
--- a/doc/src/testing.html
+++ /dev/null
@@ -1,395 +0,0 @@
-<html>
-<head>
-<title>Testing FreeS/WAN</title>
-
-<meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN, testing">
-
-<!--
-
-Written by Sandy Harris for the Linux FreeS/WAN project
-Freely distributable under the GNU General Public License
-
-More information at www.freeswan.org
-Feedback to users@lists.freeswan.org
-
-CVS information:
-RCS ID:          $Id: testing.html,v 1.1 2004/03/15 20:35:24 as Exp $
-Last changed:    $Date: 2004/03/15 20:35:24 $
-Revision number: $Revision: 1.1 $
-
-CVS revision numbers do not correspond to FreeS/WAN release numbers.
--->
-</head>
-
-<body>
-<h1><a name="test.freeswan">Testing FreeS/WAN</a></h1>
-This document discusses testing FreeS/WAN.
-
-<p>Not all types of testing are described here. Other parts of the
-documentation describe some tests:</p>
-<dl>
-  <dt><a href="install.html#testinstall">installation</a> document</dt>
-    <dd>testing for a successful install</dd>
-  <dt><a href="config.html#testsetup">configuration</a> document</dt>
-    <dd>basic tests for a working configuration</dd>
-  <dt><a href="web.html#interop.web">web links</a> document</dt>
-    <dd>General information on tests for interoperability between various
-      IPsec implementations. This includes links to several test sites.</dd>
-  <dt><a href="interop.html">interoperation</a> document.</dt>
-    <dd>More specific information on FreeS/WAN interoperation with other
-      implementations.</dd>
-  <dt><a href="performance.html">performance</a> document</dt>
-    <dd>performance measurements</dd>
-</dl>
-
-<p>The test setups and procedures described here can also be used in other
-testing, but this document focuses on testing the IPsec functionality of
-FreeS/WAN.</p>
-
-<H2><A NAME="test.oe">Testing opportunistic connections</A></H2>
-
-<P>This section teaches you how to test your opportunistically encrypted (OE)
-connections. To set up OE, please see the easy instructions in our
-<A HREF="quickstart.html">quickstart guide</A>.</P>
-
-<H3>Basic OE Test</H3>
-
-
-<P>This test is for basic OE functionality. 
-<!-- You may use it on an 
-<A HREF="quickstart.html#oppo.client">initiate-only OE</A> box or a 
-<A HREF="quickstart.html#opp.incoming">full OE</A> box. -->
-For additional tests, keep reading.</P>
-
-<P>Be sure IPsec is running. You can see whether it is with:</P>
-<PRE>    ipsec setup status</PRE>
-<P>If need be, you can restart it with:</P>
-<PRE>    service ipsec restart</PRE>
-                                                                                
-<P>Load a FreeS/WAN test website from the host on which you're running
-FreeS/WAN. Note: the feds may be watching these sites. Type one of:<P>
-<PRE>   links oetest.freeswan.org</PRE>
-<PRE>   links oetest.freeswan.nl</PRE>
-<!--<PRE>   links oetest.freeswan.ca</PRE>-->
-                                                                                
-<P>A positive result looks like this:</P>
-                                                                                
-<PRE>
-   You  seem  to  be  connecting  from:  192.0.2.11 which DNS says is:
-   gateway.example.com
-     _________________________________________________________________
-                                                                                
-   Status E-route
-   OE    enabled    16    192.139.46.73/32    ->    192.0.2.11/32   =>
-   tun0x2097@192.0.2.11
-   OE    enabled    176    192.139.46.77/32    ->   192.0.2.11/32   =>
-   tun0x208a@192.0.2.11
-</PRE>
-                                                                                
-<P>If you see this, congratulations! Your OE box will now encrypt
-its own traffic whenever it can. If you have difficulty,
-see our <A HREF="#oe.trouble">OE troubleshooting tips</A>.
-</P>
-
-<H3>OE Gateway Test</H3>                                                                                
-<P>If you've set up FreeS/WAN to protect a subnet behind your gateway,
-you'll need to run another simple test, which can be done from a machine
-running any OS. That's right, your Windows box can be protected by
-opportunistic encryption without any FreeS/WAN install or configuration
-on that box. From <STRONG>each protected subnet node</STRONG>,
-load the FreeS/WAN website with:</P>
-                                                                                
-<PRE>   links oetest.freeswan.org</PRE>
-<PRE>   links oetest.freeswan.nl</PRE>
-                                                                                
-<P>A positive result looks like this:</P>
-<PRE>
-   You  seem  to  be  connecting  from:  192.0.2.98 which DNS says is:
-   box98.example.com
-     _________________________________________________________________
-                                                                                
-   Status E-route
-   OE    enabled    16    192.139.46.73/32    ->    192.0.2.98/32   =>
-   tun0x134ed@192.0.2.11
-   OE    enabled    176    192.139.46.77/32    ->   192.0.2.11/32   =>
-   tun0x134d2@192.0.2.11
-</PRE>
-                                                                                
-<P>If you see this, congratulations! Your OE gateway will now encrypt
-traffic for this subnet node whenever it can. If you have difficulty, see our
-<A HREF="#oe.trouble">OE troubleshooting tips</A>.
-</P>
-                                                                                
-                                                                                
-<H3>Additional OE tests</H3>
-                                                                                
-<P>When testing OE, you will often find it useful to execute this command
-on the FreeS/WAN host:</P>
-<PRE>   ipsec eroute</PRE>
-                                                                                
-<P>If you have established a connection (either for or for a subnet node)
-you will see a result like:</P>
-                                                                                
-<PRE>    192.0.2.11/32   -> 192.139.46.73/32  => tun0x149f@192.139.46.38
-</PRE>
-                                                                                
-<P>Key:</P>
-<TABLE>
-<TR><TD>1.</TD>
-    <TD>192.0.2.11/32</TD>
-    <TD>Local start point of the protected traffic.
-    </TD></TR>
-<TR><TD>2.</TD>
-    <TD>192.0.2.194/32</TD>
-    <TD>Remote end point of the protected traffic.
-    </TD></TR>
-<TR><TD>3.</TD>
-    <TD>192.0.48.38</TD>
-    <TD>Remote FreeS/WAN node (gateway or host).
-        May be the same as (2).
-   </TD></TR>
-<TR><TD>4.</TD>
-    <TD>[not shown]</TD>
-    <TD>Local FreeS/WAN node (gateway or host), where you've produced the output.
-        May be the same as (1).
-   </TD></TR>
-</TABLE>
-                                                                                
-                                                                                
-<P>For extra assurance, you may wish to use a packet sniffer such as
-<A HREF="http://www.tcpdump.org">tcpdump</A> to verify that packets
-are being encrypted. You should see output that indicates
-<STRONG>ESP</STRONG> encrypted data,
- for example:</P>
-                                                                                
-<PRE>    02:17:47.353750 PPPoE  [ses 0x1e12] IP 154: xy.example.com > oetest.freeswan.org: ESP(spi=0x87150d16,seq=0x55)</PRE>
-                                                                                
-
-
-<h2><a name="test.uml">Testing with User Mode Linux</a></h2>
-
-<p><a href="http://user-mode-linux.sourceforge.net/">User Mode Linux</a>
-allows you to run Linux as a user process on another Linux machine.</p>
-
-<p>As of 1.92, the distribution has a new directory named  testing. It
-contains a collection of test scripts and sample configurations. Using these,
-you can bring up several copies of Linux in user mode and have them build
-tunnels to each other. This lets you do some testing of  a FreeS/WAN
-configuration on a single machine.</p>
-
-<p>You need a moderately well-endowed machine for this to work well. Each UML
-wants about 16 megs of memory by default, which is plenty for FreeS/WAN
-usage. Typical regression testing only occasionally uses as many as 4 UMLs.
-If one is doing nothing else with the machine (in particular, not running X
-on it), then 128 megs and a 500MHz CPU are fine.</p>
-
-Documentation on these
-scripts is <a href="umltesting.html">here</a>. There is also documentation 
-on automated testing <A href="makecheck.html">here</a>.
- 
-<h2><a name="testnet">Configuration for a testbed network</a></h2>
-
-<p>A common test setup is to put a machine with dual Ethernet cards in
-between two gateways under test. You need at least five machines; two
-gateways, two clients and a testing machine in the middle.</p>
-
-<p>The central machine both routes packets and provides a place to run
-diagnostic software for checking IPsec packets. See next section for
-discussion of <a href="#tcpdump.faq">using tcpdump(8)</a> for this.</p>
-
-<p>This makes things more complicated than if you just connected the two
-gateway machines directly to each other, but it also makes your test setup
-much more like the environment you actually use IPsec in. Those environments
-nearly always involve routing, and quite a few apparent IPsec failures turn
-out to be problems with routing or with firewalls dropping packets. This
-approach lets you deal with those problems on your test setup.</p>
-
-<p>What you end up with looks like:</p>
-
-<h3><a name="testbed">Testbed network</a></h3>
-<pre>      subnet a.b.c.0/24
-             |
-      eth1 = a.b.c.1
-         gate1
-      eth0 = 192.168.p.1
-             |
-             |
-      eth0 = 192.168.p.2
-         route/monitor box
-      eth1 = 192.168.q.2
-             |
-             |
-      eth0 = 192.168.q.1
-         gate2
-      eth1 = x.y.z.1
-              |
-       subnet x.y.z.0/24</pre>
-<pre>Where p and q are any convenient values that do not interfere with other
-routes you may have. The ipsec.conf(5) file then has, among other things:</pre>
-<pre>conn abc-xyz
-      left=192.168.p.1
-      leftnexthop=192.168.p.2
-      right=192.168.q.1
-      rightnexthop=192.168.q.2</pre>
-
-<p>Once that works, you can remove the "route/monitor box", and connect the
-two gateways to the Internet. The only parameters in ipsec.conf(5) that need
-to change are the four shown above. You replace them with values appropriate
-for your Internet connection, and change the eth0 IP addresses and the
-default routes on both gateways.</p>
-
-<p>Note that nothing on either subnet needs to change. This lets you test
-most of your IPsec setup before connecting to the insecure Internet.</p>
-
-<h3><a name="tcpdump.test">Using packet sniffers in testing</a></h3>
-
-<p>A number of tools are available for looking at packets. We will discuss
-using <a href="http://www.tcpdump.org/">tcpdump(8)</a>, a common Linux tool
-included in most distributions. Alternatives offerring more-or-less the same
-functionality include:</p>
-<dl>
-  <dt><a href="http://www.ethereal.com">Ethereal</a></dt>
-    <dd>Several people on our mailing list report a preference for this over
-      tcpdump.</dd>
-  <dt><a href="http://netgroup-serv.polito.it/windump/">windump</a></dt>
-    <dd>a Windows version of tcpdump(8), possibly handy if you have Windows
-      boxes in your network</dd>
-  <dt><a
-  href="http://reptile.rug.ac.be/~coder/sniffit/sniffit.html">Sniffit</a></dt>
-    <dd>A linux sniffer that we don't know much about. If you use it, please
-      comment on our mailing list.</dd>
-</dl>
-
-<p>See also this <a
-href="http://www.tlsecurity.net/unix/ids/sniffer/">index</a> of packet
-sniffers.</p>
-
-<p>tcpdump(8) may misbehave if run on the gateways themselves. It is designed
-to look into a normal IP stack and may become confused if you ask it to
-display data from a stack which has IPsec in play.</p>
-
-<p>At one point, the problem was quite severe. Recent versions of tcpdump,
-however, understand IPsec well enough to be usable on a gateway. You can get
-the latest version from <a href="http://www.tcpdump.org/">tcpdump.org</a>.</p>
-
-<p>Even with a recent tcpdump, some care is required. Here is part of a post
-from Henry on the topic:</p>
-<pre>&gt; a) data from sunset to sunrise or the other way is not being
-&gt; encrypted (I am using tcpdump (ver. 3.4) -x/ping -p to check
-&gt; packages) 
-
-What *interface* is tcpdump being applied to?  Use the -i option to
-control this.  It matters!  If tcpdump is looking at the ipsecN
-interfaces, e.g. ipsec0, then it is seeing the packets before they are
-encrypted or after they are decrypted, so of course they don't look
-encrypted.  You want to have tcpdump looking at the actual hardware
-interfaces, e.g. eth0. 
-
-Actually, the only way to be *sure* what you are sending on the wire is to
-have a separate machine eavesdropping on the traffic.  Nothing you can do
-on the machines actually running IPsec is 100% guaranteed reliable in this
-area (although tcpdump is a lot better now than it used to be).</pre>
-
-<p>The most certain way to examine IPsec packets is to look at them on the
-wire. For security, you need to be certain, so we recommend doing that. To do
-so, you need a <strong>separate sniffer machine located between the two
-gateways</strong>. This machine can be routing IPsec packets, but it must not
-be an IPsec gateway. Network configuration for such testing is discussed <a
-href="#testnet">above</a>.</p>
-
-<p>Here's another mailing list message with advice on using tcpdump(8):</p>
-<pre>Subject: RE: [Users] Encrypted???
-   Date: Thu, 29 Nov 2001
-   From: "Joe Patterson" &lt;jpatterson@asgardgroup.com&gt;
-
-tcpdump -nl -i $EXT-IF proto 50
-
--nl tells it not to buffer output or resolve names (if you don't do that it
-may confuse you by not outputing anything for a while), -i $EXT-IF (replace
-with your external interface) tells it what interface to listen on, and
-proto 50 is ESP.  Use "proto 51" if for some odd reason you're using AH, and
-"udp port 500" if you want to see the isakmp key exchange/tunnel setup
-packets.
-
-You can also run `tcpdump -nl -i ipsec0` to see what traffic is on that
-virtual interface.  Anything you see there *should* be either encrypted or
-dropped (unless you've turned on some strange options in your ipsec.conf
-file)
-
-Another very handy thing is ethereal (http://www.ethereal.com/) which runs
-on just about anything, has a nice gui interface (or a nice text-based
-interface), and does a great job of protocol  breakdown.  For ESP and AH
-it'll basically just tell you that there's a packet of that protocol, and
-what the spi is, but for isakmp it'll actually show you a lot of the tunnel
-setup information (until it gets to the point in the protocol where isakmp
-is encrypted....)</pre>
-
-<h2><a name="verify.crypt">Verifying encryption</a></h2>
-
-<p>The question of how to verify that messages are actually encrypted has
-been extensively discussed on the mailing list. See this <a
-href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00262.html">thread</a>.</p>
-
-<p>If you just want to verify that packets are encrypted, look at them with a
-packet sniffer (see <a href="#tcpdump.test">previous section</a>) located
-between the gateways. The packets should, except for some of the header
-information, be utterly unintelligible. <strong>The output of good encryption
-looks <em>exactly</em> like random noise</strong>. </p>
-
-<p>A packet sniffer can only tell you that the data you looked at was
-encrypted. If you have stronger requirements -- for example if your security
-policy requires verification that plaintext is not leaked during startup or
-under various anomolous conditions -- then you will need to devise much more
-thorough tests. If you do that, please post any results or methodological
-details which your security policy allows you to make public.</p>
-
-<p>You can put recognizable data into ping packets with something like:</p>
-<pre>        ping -p feedfacedeadbeef 11.0.1.1</pre>
-
-<p>"feedfacedeadbeef" is a legal hexadecimal pattern that is easy to pick out
-of hex dumps.</p>
-
-<p>For other protocols, you may need to check if you have encrypted data or
-ASCII text. Encrypted data has approximately equal frequencies for all 256
-possible characters. ASCII text has most characters in the printable range
-0x20-0x7f, a few control characters less than 0x20, and none at all in the
-range 0x80-0xff. 0x20, space, is a good character to look for. In normal
-English text space occurs about once in seven characters, versus about once
-in 256 for random or encrypted data.</p>
-
-<p>One thing to watch for: the output of good compression, like that of good
-encryption, looks just like random noise. You cannot tell just by looking at
-a data stream whether it has been compressed, encrypted, or both. You need a
-little care not to mistake compressed data for encrypted data in your
-testing.</p>
-
-<p>Note also that weak encryption also produces random-looking output. You
-cannot tell whether the encryption is strong by looking at the output. To be
-sure of that, you would need to have both the algorithms and the
-implementation examined by experts. </p>
-
-<p>For IPsec, you can get partial assurance from interoperability tests. See
-our <a href="interop.html">interop</a> document. When twenty products all
-claim to implement <a href="glossary.html#3DES">3DES</a>, and they all talk
-to each other, you can be fairly sure they have it right. Of course, you
-might wonder whether all the implementers are consipring to trick you or,
-more plausibly, whether some implementations might have "back doors" so they
-can get also it wrong when required.. If you're seriously worried about
-things like that, you need to get the code you use audited (good luck if it
-is not Open Source), or perhaps to talk to a psychiatrist about treatments
-for paranoia. </p>
-
-<h2><a name="mail.test">Mailing list pointers</a></h2>
-
-<p>Additional information on testing can be found in these <a
-href="mail.html">mailing list</a> messages:</p>
-<ul>
-  <li>a user's detailed <a
-    href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00571.html">setup
-    diary</a> for his testbed network</li>
-  <li>a FreeS/WAN team member's <a
-    href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00425.html">notes</a>
-    from testing at an IPsec interop "bakeoff"</li>
-</ul>
-</body>
-</html>
diff --git a/doc/src/testingtools.html b/doc/src/testingtools.html
deleted file mode 100644
index 491b1956c..000000000
--- a/doc/src/testingtools.html
+++ /dev/null
@@ -1,188 +0,0 @@
-<html>
-<head>
-<title>FreeS/WAN survey of testing tools</title>
-<!-- Changed by: Michael Richardson, 02-Jan-2002 -->
-<meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN, testing, nettools">
-
-<!--
-
-Written by Michael Richardson for the Linux FreeS/WAN project
-Freely distributable under the GNU General Public License
-
-More information at www.freeswan.org
-Feedback to users@lists.freeswan.org
-
-$Id: testingtools.html,v 1.1 2004/03/15 20:35:24 as Exp $
-
-$Log: testingtools.html,v $
-Revision 1.1  2004/03/15 20:35:24  as
-added files from freeswan-2.04-x509-1.5.3
-
-Revision 1.1  2002/03/12 20:57:25  mcr
-	review of tools used for testing FreeSWAN systems.
-
-
--->
-</head>
-
-<body>
-
-<h1>Survey of testing tools</h1>
-
-<h2><A HREF="http://freshmeat.net/projects/apsend">http://freshmeat.net/projects/apsend</A></h2>
-
-<P>
-About: <A HREF="">APSEND</A> is a TCP/IP packet sender to test firewalls and other
-network applications. It also includes a syn flood option, the land
-DoS attack, a DoS attack against tcpdump running on a UNIX-based
-system, a UDP-flood attack, and a ping flood option. It currently
-supports the following protocols: IP, TCP, UDP, ICMP, Ethernet frames
-and you can also build any other type of protocol using the generic
-option. The scripting language of apsend is already written, but not
-yet public.   
-</P>
-
-<P>
-STATUS: The public web site seems to have died
-</P>
-
-<h2><A HREF="http://freshmeat.net/projects/hping2">http://freshmeat.net/projects/hping2</A></h2>
-
-<P>
-About: <A HREF="http://www.hping.org/">hping2</A> is a network tool
-able to send custom ICMP/UDP/TCP packets and to display target replies
-like ping does with ICMP replies. It handles fragmentation and
-arbitrary packet body and size, and can be used to transfer files
-under supported protocols. Using hping2, you can: test firewall rules,
-perform [spoofed] port scanning, test net performance using different
-protocols, packet size, TOS (type of service), and fragmentation, do
-path MTU discovery, tranfer files (even between really Fascist
-firewall rules), perform traceroute-like actions under different
-protocols, fingerprint remote OSs, audit a TCP/IP stack, etc. hping2
-is a good tool for learning TCP/IP.  
-</P>
-
-<P>
-This utility has rather complicated usage and no man page at present. 
-The documentation is supposed to be in HPING2-HOWTO, but that file
-seems to be absent. 
-</P>
-
-<h2><A HREF="http://freshmeat.net/projects/icmpush">http://freshmeat.net/projects/icmpush</A></h2>
-
-<P>
-About: ICMPush is a tool that send ICMP packets fully customized from command
-line. This release supports the ICMP error types Unreach, Parameter
-Problem, Redirect and Source Quench and the ICMP information types
-Timestamp, Address Mask Request, Information Request, Router
-Solicitation, Router Advertisement and Echo Request. Also supports
-ip-spoofing, broadcasting and other useful features. It's really a
-powerful program for testing and debugging TCP/IP stacks and networks.
-</P>
-
-<P>
-</P>
-
-<h2><A HREF="http://freshmeat.net/projects/isic">http://freshmeat.net/projects/isic</A></h2>
-
-<P>
-ISIC sends randomly generated packets to a target computer. Its
-primary uses are to stress-test an IP stack, to find leaks in a
-firewall, and to test the implementation of IDSes and firewalls. The
-user can specify how often the packets will be frags, have IP options,
-TCP options, an urgent pointer, etc. Programs for TCP, UDP, ICMP,
-IP w/ random protocols, and random ethernet frames are included.  
-</P>
-
-<h2><A HREF="http://freshmeat.net/projects/sendpacket">http://freshmeat.net/projects/sendpacket</A></h2>
-
-<P>
-Send Packet is a small but powerful program to test how your network
-responds to specific packet content. Via a config file and/or command
-line parameters, you can forge (modify the headers of) your own
-TCP/UDP/ICMP/IP packets and send them through your network. Also,
-following the Easy Sniffer modular philosophy, you can specify wich
-modules you'd like to build.  
-</P>
-
-<h2><A HREF="http://freshmeat.net/projects/aicmpsend/">http://freshmeat.net/projects/aicmpsend/</A></h2>
-
-<P>
-AICMPSEND is an ICMP sender with many features including ICMP
-flooding and spoofing. All ICMP flags and codes are implemented. You
-can use this program for various DoS attacks, for ICMP flooding and
-to test firewalls.  
-</P>
-
-<h2><A HREF="http://freshmeat.net/projects/sendip/">http://freshmeat.net/projects/sendip/</A></h2>
-
-<P>
-SendIP is a command-line tool to send arbitrary IP packets. It has a
-large number of options to specify the content of every header of a
-RIP, TCP, UDP, ICMP, or raw IPv4/IPv6 packet. It also allows any data
-to be added to the packet. Checksums can be calculated automatically,
-but if you wish to send out wrong checksums, that is supported too.  
-</P>
-
-<h2><A HREF="http://laurent.riesterer.free.fr/gasp/index.html">http://laurent.riesterer.free.fr/gasp/index.html</A></h2>
-
-<P>
-GASP stands for 'Generator and Analyzer System for Protocols'. It
-allows you to decode and encode any protocols you specify.  
-</P>
-
-<P>
-The main use is probably to test networks applications : you can
-construct packets by hand and test the behavior of your program when
-facing some strange packets. But you can image a lot of other
-application : e.g. manipulating graphical file or executable
-headers. Just describe the specification of the structured data.  
-</P>
-
-<P>
-GASP is divided in two parts : a compiler which take the specification
-of the protocols and generate the code to handle it, this code is a
-new Tcl command as GASP in build upon Tcl/Tk and extends the scripting
-facilities provided by Tcl. 
-</P>
-
-<h2><A HREF="http://pdump.lucidx.com/">http://pdump.lucidx.com/</A></h2>
-<h2><A HREF="http://freshmeat.net/projects/aps/">http://freshmeat.net/projects/aps/</A></h2>
-<h2><A HREF="http://freshmeat.net/projects/netsed/">http://freshmeat.net/projects/netsed/</A></h2>
-<h2><A HREF="http://www.via.ecp.fr/~bbp/netsh/">http://www.via.ecp.fr/~bbp/netsh/</A></h2>
-<h2><A HREF="http://www.elxsi.de/">http://www.elxsi.de/</A></h2>
-<h2><A HREF="http://www.laurentconstantin.com/us/lcrzo/">http://www.laurentconstantin.com/us/lcrzo/</A></h2>
-<h2><A HREF="http://www.joedog.org/libping/index.html">http://www.joedog.org/libping/index.html</A></h2>
-<h2><A HREF="http://feynman.mme.wilkes.edu/projects/xNetTools/">http://feynman.mme.wilkes.edu/projects/xNetTools/</A></h2>
-<h2><A HREF="http://freshmeat.net/projects/pktsrc/">http://freshmeat.net/projects/pktsrc/</A></h2>
-<h2><A HREF="http://freshmeat.net/projects/lcrzoex/">http://freshmeat.net/projects/lcrzoex/</A></h2>
-<h2><A HREF="http://freshmeat.net/projects/rain/">http://freshmeat.net/projects/rain/</A></h2>
-<P>
-rain is a powerful packet builder for testing the stability of
-hardware and software. Its features include support for all IP
-protocols and the ability to fully customize the packets it sends.  
-</P>
-
-<P>(Note, this is not the same as /usr/games/rain)</P>
-
-<h2><A HREF="http://freshmeat.net/projects/libnet">http://freshmeat.net/projects/libnet</A></h2>
-<h2><A HREF="http://freshmeat.net/projects/pftp">http://freshmeat.net/projects/pftp</A></h2>
-<h2><A HREF="http://freshmeat.net/projects/pung">http://freshmeat.net/projects/pung</A></h2>
-
-<P>
-pung is a simple server tester. It tries to connect via TCP/IP to a
-server but does not transfer any data. It is meant to be used in
-scripts that check a list of servers, helping to detect certain common
-problems.  
-</P>
-
-<h2><A HREF="http://freshmeat.net/projects/thesunpacketshell">http://freshmeat.net/projects/thesunpacketshell</A></h2>
-<h2><A HREF="http://freshmeat.net/projects/webperformancetrainer">http://freshmeat.net/projects/webperformancetrainer</A></h2>
-<h2><A HREF="http://sourceforge.net/projects/va-ctcs">http://sourceforge.net/projects/va-ctcs</A></h2>
-<h2><A HREF="http://synscan.nss.nu/programs.php">http://synscan.nss.nu/programs.php</A></h2>
-<h2><A HREF="http://sourceforge.net/projects/va-ctcs">http://sourceforge.net/projects/va-ctcs</A></h2>
-<h2><A HREF="http://freshmeat.net/projects/ettercap/">http://freshmeat.net/projects/ettercap/</A></h2>
-<h2><A HREF="http://www.dtek.chalmers.se/~d3august/xt/index.html">http://www.dtek.chalmers.se/~d3august/xt/index.html</A></h2>
-<h2><A HREF="http://www.opersys.com/LTT/">http://www.opersys.com/LTT/</A></h2>
-<h2><A HREF="http://packetstorm.securify.com/DoS/indexdate.shtml">http://packetstorm.securify.com/DoS/indexdate.shtml</A></h2>
-<H2> <A HREF="http://comnet.technion.ac.il/~cn1w02/">TCP/IP noise simulator</A></H2>
diff --git a/doc/src/trouble.html b/doc/src/trouble.html
deleted file mode 100644
index 604264c01..000000000
--- a/doc/src/trouble.html
+++ /dev/null
@@ -1,840 +0,0 @@
-<HTML>
-<HEAD>
-	<TITLE>FreeS/WAN troubleshooting</TITLE>
-      <meta name="keywords" content="Linux, IPSEC, VPN, security, FreeSWAN, troubleshooting, debugging">
-<!--
-     Written by Claudia Schmeing for the Linux FreeS/WAN project
-     Freely distributable under the GNU General Public License
-
-     More information at www.freeswan.org
-     Feedback to users@lists.freeswan.org
-
-CVS information:
-RCS ID:          $Id: trouble.html,v 1.1 2004/03/15 20:35:24 as Exp $
-Last changed:    $Date: 2004/03/15 20:35:24 $
-Revision number: $Revision: 1.1 $
-
-CVS revision numbers do not correspond to FreeS/WAN release numbers.
--->
- 
-</HEAD>
-<BODY>
-
-<H1><A NAME="trouble"></A>Linux FreeS/WAN Troubleshooting Guide</H1>
-
-<H2><A NAME="overview"></A>Overview</H2>
-
-<P>
-This document covers several general places where you might have a problem:</P>
-<OL>
-	<LI><A HREF="#install">During install</A>.</LI>
-	<LI><A HREF="#negotiation">During the negotiation process</A>.</LI>
-	<LI><A HREF="#use">Using an established connection</A>.</LI>
-</OL>
-<P>This document also contains <A HREF="#notes">notes</A> which
-expand on points made in these sections, and tips for 
-<A HREF="#prob.report">problem
-reporting</A>. If the other end of your connection is not FreeS/WAN,
-you'll also want to read our 
-<A HREF="interop.html#interop.problem">interoperation</A> document.</P>
-<H2><A NAME="install"></A>1. During Install</H2>
-<H3>1.1 RPM install gotchas</H3>
-<P>With the RPM method:</P>
-<UL>
-<LI>Be sure you have installed both the userland tools and the kernel
-  components. One will not work without the other. For example, when using 
-  FreeS/WAN-produced RPMs for our 2.04 release, you need both:
-<PRE>    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm
-    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm
-</PRE>
-</LI>
-</UL>
-<H3>1.2 Problems installing from source</H3>
-<P>When installing from source, you may find these problems:</P>
-<UL>
-	<LI>Missing library. See <A HREF="faq.html#gmp.h_missing">this</A>
-	FAQ.</LI>
-	<LI>Missing utilities required for compile. See this 
-        <A HREF="install.html#tool.lib">checklist</A>.</LI>
-	<LI>Kernel version incompatibility. See <A HREF="faq.html#k.versions">this</A>
-	FAQ.</LI>
-	<LI>Another compile problem. Find information in the out.* files,
-	ie. out.kpatch, out.kbuild, created at compile time in the top-level
-	Linux FreeS/WAN directory. Error messages generated by KLIPS during
-	the boot sequence are accessible with the <VAR>dmesg</VAR> command. 
-	<BR>
-	Check the list archives and the List in Brief to see if this is a
-	known issue. If it is not, report it to the bugs list as described
-	in our <A HREF="#prob.report">problem reporting</A> section. In some
-	cases, you may be asked to provide debugging information using gdb;
-	details <A HREF="#gdb">below</A>.</LI>
-	<LI>If your kernel compiles but you fail to install your new
-	FreeS/WAN-enabled kernel, review the sections on <A HREF="install.html#newk">installing
-	the patched kernel</A>, and <A HREF="install.html#testinstall">testing</A>
-	to see if install succeeded.</LI>
-</UL>
-<H3><A NAME="install.check"></A>1.3 Install checks</H3>
-<P><VAR>ipsec verify</VAR> checks a number 
-of FreeS/WAN essentials. Here are some hints on what do to when your
-system doesn't check out:</P>
-<P>
-<TABLE border=1>
-<TR>
-<TD><STRONG>Problem</STRONG></TD>
-<TD><STRONG>Status</STRONG></TD>
-<TD><STRONG>Action</STRONG></TD>
-</TR>
-<TR>
-<TD><VAR>ipsec</VAR> not on-path</TD>
-<TD>&nbsp;</TD>
-<TD><P>Add <VAR>/usr/local/sbin</VAR> to your PATH.</P></TD>
-</TR>
-<TR>
-<TD>Missing KLIPS support</TD>
-<TD><FONT COLOR="#FF0000">critical</FONT></TD>
-<TD>See <A HREF="faq.html#noKLIPS">this FAQ.</A></TD>
-</TR>
-<TR>
-<TD>No RSA private key</TD>
-<TD>&nbsp;</TD>
-<TD>
-<P>Follow <A HREF="install.html#genrsakey">these 
-instructions</A> to create an RSA key pair for your host. RSA keys are:</P>
-<UL>
-<LI>required for opportunistic encryption, and</LI>
-<LI>our preferred method to authenticate pre-configured connections.</LI>
-</UL>
-</TD>
-</TR>
-<TR>
-<TD><VAR>pluto</VAR> not running</TD>
-<TD><FONT COLOR="#FF0000">critical</FONT></TD>
-<TD><PRE>service ipsec start</PRE></TD>
-</TR>
-<TR>
-<TD>No port 500 hole</TD>
-<TD><FONT COLOR="#FF0000">critical</FONT></TD>
-<TD>Open port 500 for IKE negotiation.</TD>
-</TR>
-<TR>
-<TD>Port 500 check N/A</TD>
-<TD>&nbsp;</TD>
-<TD>Check that port 500 is open for IKE negotiation.</TD>
-</TR>
-<TR>
-<TD>Failed DNS checks</TD>
-<TD>&nbsp;</TD>
-<TD>Opportunistic encryption requires information from DNS.
-To set this up, see <A HREF="quickstart.html#opp.setup">our instructions</A>.
-</TD>
-</TR>
-<TR>
-<TD>No public IP address</TD>
-<TD>&nbsp;</TD>
-<TD>Check that the interface which you want to protect with IPSec is up and 
-running.</TD>
-</TR>
-</TABLE>
-
-
-<H3><A NAME="oe.trouble"></A>1.3 Troubleshooting OE</H3>
-<P>OE should work with no local configuration, if you have posted
-DNS TXT records according to the instructions in our 
-<A HREF="quickstart.html">quickstart guide</A>.
-If you encounter trouble, try these hints. 
-We welcome additional hints via the
-<A HREF="mail.html">users' mailing list</A>.</P>
-                                                                                
-<TABLE border=1>
-<TR>
-<TD><STRONG>Symptom</STRONG></TD>
-<TD><STRONG>Problem</STRONG></TD>
-<TD><STRONG>Action</STRONG></TD>
-</TR>
-<TR>
-<TD>
-You're running FreeS/WAN 2.01 (or later),
-and initiating a connection to FreeS/WAN
-2.00 (or earlier).
-In your logs, you see a message like:
-<pre>no RSA public key known for '192.0.2.13';
-DNS search for KEY failed (no KEY record
-for 13.2.0.192.in-addr.arpa.)</pre>
-The older FreeS/WAN logs no error.
-</TD>
-<TD>
-<A NAME="oe.trouble.flagday"></A>
-A protocol level incompatibility between 2.01 (or later) and
-2.00 (or earlier) causes this error. It occurs when a FreeS/WAN 2.01
-(or later) box for which no KEY record is posted attempts to initiate an OE
-connection to older FreeS/WAN versions (2.00 and earlier).
-Note that older versions can initiate to newer versions without this error.
-</TD>
-<TD>If you control the peer host, upgrade its FreeS/WAN to 2.01 (or later), and
-post new style TXT records for it. If not, but if you know its sysadmin,
-perhaps a quick note is in order. If neither option is possible, you can
-ease the transition by posting an old style KEY record (created with a
-command like "ipsec&nbsp;showhostkey&nbsp;--key") to the reverse map for
-the FreeS/WAN 2.01 (or later) box.</TD>
-</TR>
-<TR>
-<TD>OE host is very slow to contact other hosts.</TD>
-<TD>Slow DNS service while running OE.</TD>
-<TD>It's a good idea to run a caching DNS server on your OE host,
-as outlined in <A HREF="http://lists.freeswan.org/pipermail/design/2003-January/004205.html">this
-mailing list message</A>. If your DNS servers are elsewhere,
-put their IPs
-in the <VAR>clear</VAR> policy group, and
-re-read groups with <PRE>ipsec auto --rereadgroups</PRE>
-</TD>
-</TR>
-<TR>
-<TD>
-<PRE>Can't Opportunistically initiate for
-192.0.2.2 to 192.0.2.3: no TXT record
-for 13.2.0.192.in-addr.arpa.</PRE>
-</TD>
-<TD>Peer is not set up for OE.</TD>
-<TD><P>None. Plenty of hosts on the Internet
-do not run OE. If, however, you have set OE up on that peer, this may
-indicate that you need to wait up to 48 hours
-for its DNS records to propagate.</P></TD>
-</TR>
-<TR>
-<TD><VAR>ipsec verify</VAR> does not find DNS records:
-<PRE>...
-Looking for TXT in forward map:
-                xy.example.com...[FAILED]
-Looking for TXT in reverse map...[FAILED]
-...</PRE>
-                                                                                
-You also experience authentication failure:<BR>
-<PRE>Possible authentication failure:
-no acceptable response to our
-first encrypted message</PRE>
-</TD>
-                                                                                
-<TD>DNS records are not posted or have not propagated.</TD>
-<TD>Did you post the DNS records necessary for OE? If not,
-do so using the instructions in our
-<A HREF="quickstart.html#quickstart">quickstart guide</A>.
-If so, wait up to 48 hours for the DNS records to propagate.</TD>
-</TR>
-<TR>
-<TD><VAR>ipsec verify</VAR> does not find DNS records, and you experience
-authentication failure.</TD>
-<TD>For iOE, your ID
-does not match location of
-forward DNS record.</TD>
-<TD>In <VAR>config setup</VAR>, change
-<VAR>myid=</VAR> to match the forward DNS where you posted the record.
-Restart FreeS/WAN.
- For reference, see our
-<A HREF="quickstart.html#opp.client">iOE instructions</A>.</TD>
-</TR>
-<TR>
-<TD><VAR>ipsec verify</VAR> finds DNS records, yet there is
-still authentication failure. ( ? )</TD>
-<TD>DNS records are malformed.</TD>
-<TD>Re-create the records and send new copies to your DNS administrator.</TD>
-</TR>
-<TR>
-<TD><VAR>ipsec verify</VAR> finds DNS records, yet there is
-still authentication failure. ( ? )</TD>
-<TD>DNS records show different keys for a gateway vs. its subnet hosts.</TD>
-<TD>All TXT records for boxes protected by an OE gateway must contain the
-gateway's public key. Re-create and re-post any incorrect records using
-<A HREF="quickstart.html#opp.incoming">these instructions</A>.</TD>
-</TR>
-<TR>
-<TD>OE gateway loses connectivity to its subnet. The gateway's
-routing table shows routes to the subnet through IPsec interfaces.</TD>
-<TD>The subnet is part of the <VAR>private</VAR> or <VAR>block</VAR>
-policy group on the gateway.</TD>
-<TD>Remove the subnet from the group, and reread
-groups with <PRE>ipsec auto --rereadgroups</PRE></TD>
-</TR>
-<TR>
-<TD>OE does not work to hosts on the local LAN.</TD>
-<TD>This is a known issue.</TD>
-<TD>See <A HREF="opportunism.known-issues">this list</A> of known issues
-with OE.
-</TD>
-</TR>
-                                                                                
-<TR>
-<TD>FreeS/WAN does not seem to be executing your default policy. In your
-logs, you see a message like:
-<PRE>/etc/ipsec.d/policies/iprivate-or-clear"
-line 14: subnet "0.0.0.0/0",
-source 192.0.2.13/32,
-already "private-or-clear"</PRE>
-</TD>
-<TD><A HREF="glossary.html#fullnet">Fullnet</A> in a policy group file defines
-your default policy. Fullnet should normally be present in only one policy
-group file. The fine print: you can have two default policies defined so long
-as they protect different local endpoints (e.g. the FreeS/WAN gateway and a
-subnet).</TD>
-<TD>
-Find all policies which contain fullnet with:<br>
-<PRE>grep -F 0.0.0.0/0 /etc/ipsec.d/policies/*</PRE>
-then remove the unwanted occurrence(s).
-</TD>
-</TR>
-                                                                                
-</TABLE>
-
-
-<H2><A NAME="negotiation"></A>2. During Negotiation</H2>
-<P>When you fail to bring up a tunnel, you'll need to find out:</P>
-<UL>
-<LI><A HREF="#state">what your connection state is,</A> and often</LI>
-<LI><A HREF="#find.pluto.error">an error message</A>.</LI>
-</UL>
-<P>before you can 
-<A HREF="#interpret.pluto.error">diagnose your problem</A>.</P>
-<H3><A NAME="state"></A>2.1 Determine Connection State</H3>
-<H4>Finding current state</H4>
-<P>You can see connection states (STATE_MAIN_I1 and so on) when you
-bring up a connection on the command line. If you have missed this,
-or brought up your connection automatically, use:
-</P>
-<PRE>ipsec auto --status</PRE>
-<P>The most relevant state is the last one reached.</P>
-<H4><VAR>What's this supposed to look like?</VAR></H4>
-<P>Negotiations should proceed though various states, in the processes of:</P>
-<OL>
-<LI>IKE negotiations (aka Phase 1, Main Mode, STATE_MAIN_*)</LI>
-<LI>IPSEC negotiations (aka Phase 2, Quick Mode, STATE_QUICK_*)</LI>
-</OL>
-<P>These are done and a connection is established when you see messages like:</P>
-<PRE>    000 #21: &quot;myconn&quot; STATE_MAIN_I4 (ISAKMP SA established)...
-    000 #2: &quot;myconn&quot; STATE_QUICK_I2 (sent QI2, IPsec SA established)...</PRE><P>
-Look for the key phrases are &quot;ISAKMP SA established&quot; and &quot;IPSec
-SA established&quot;, with the relevant connection name. Often, this happens 
-at STATE_MAIN_I4 and STATE_QUICK_I2, respectively.</P>
-<P><VAR>ipsec auto --status</VAR> will tell you what states <STRONG>have
-been achieved</STRONG>, rather than the current state. Since
-determining the current state is rather more difficult to do, current
-state information is not available from Linux FreeS/WAN. If you are
-actively bringing a connection up, the status report's last states
-for that connection likely reflect its current state. Beware, though,
-of the case where a connection was correctly brought up but is now
-downed: Linux FreeS/WAN will not notice this until it attempts to
-rekey. Meanwhile, the last known state indicates that the connection
-has been established.</P>
-<P>If your connection is stuck at STATE_MAIN_I1, skip straight to 
-<A HREF="#ikepath">here</A>.
-
-<H3><A NAME="find.pluto.error"></A>2.2 Finding error text</H3>
-<P>Solving most errors will require you to find verbose error text,
-either on the command line or in the logs.</P>
-<H4>Verbose start for more information</H4>
-<P>
-Note that you can get more detail from <VAR>ipsec auto</VAR> using
-the --verbose flag:</P>
-<PRE STYLE="margin-bottom: 0.2in">    ipsec auto --verbose --up west-east</PRE><P>
-More complete information can be gleaned from the <A HREF="#logusage">log
-files</A>.</P>
-
-<H4>Debug levels count</H4>
-<P>The amount of description you'll get here depends on ipsec.conf debug
-settings, <VAR>klipsdebug</VAR>= and <VAR>plutodebug</VAR>=. 
-When troubleshooting, set at least one of these to <VAR>all</VAR>, and 
-when done, reset it to <VAR>none</VAR> so your logs don't fill up.
-Note that you must have enabled the <VAR>klipsdebug</VAR> 
-<A HREF="install.html#allbut">compile-time option</A> for the 
-<VAR>klipsdebug</VAR> configuration switch to work.</P>
-<P>For negotiation problems <VAR>plutodebug</VAR> is most relevant.
-<VAR>klipsdebug</VAR> applies mainly to attempts to use an
-already-established connection. See also <A HREF="ipsec.html#parts">this</A>
-description of the division of duties within Linux FreeS/WAN.</P>
-<P>After raising your debug levels, restart Linux FreeS/WAN to ensure
-that ipsec.conf is reread, then recreate the error to generate
-verbose logs. 
-</P>
-<H4><VAR>ipsec barf</VAR> for lots of debugging information</H4>
-<P>
-<A HREF="manpage.d/ipsec_barf.8.html"><VAR>ipsec barf (8)</VAR></A>
-collects a bunch of useful debugging information, including these logs
-Use the command</P>
-<PRE>
-    ipsec barf &gt; barf.west
-</PRE>
-<P>to generate one.</P>
-<H4>Find the error</H4>
-<P>Search out the failure point in your logs.
- Are there a handful of lines which succinctly describe how
-things are going wrong or contrary to your expectation? Sometimes the
-failure point is not immediately obvious: Linux FreeS/WAN's errors
-are usually not marked &quot;Error&quot;. Have a look in the 
-<A HREF="faq.html">FAQ</A>
-for what some common failures look like.</P>
-<P>Tip: problems snowball.
-Focus your efforts on the first problem, which is likely to be the
-cause of later errors.</P>
-<H4>Play both sides</H4>
-<P>Also find error text on the peer IPSec box.
-This gives you two perspectives on the same failure.</P>
-<P>At times you will require information which only one side has.
-The peer can merely indicate the presence of an error, and its 
-approximate point in the negotiations. If one side keeps retrying, 
-it may be because there is a show stopper on the other side. 
-Have a look at the other side and figure out what it doesn't like.</P>
-<P>If the other end is not Linux FreeS/WAN, the principle is the
-same: replicate the error with its most verbose logging on, and
-capture the output to a file.</P>
-<H3><A NAME="interpret.pluto.error"></A>2.3 Interpreting a Negotiation Error</H3>
-<H4><A NAME="ikepath"></A>Connection stuck at STATE_MAIN_I1</H4>
-<P>This error commonly happens because IKE (port 500) packets, needed 
-to negotiate an IPSec connection, cannot travel freely between your IPSec 
-gateways. See <A HREF="firewall.html#packets">our firewall document</A> 
-for details.</P>
-<H4>Other errors</H4>
-<P>Other errors require a bit more digging. Use the following resources:</P>
-<UL>
-	<LI><A HREF="faq.html">the FAQ</A> . Since this document is
-	constantly updated, the snapshot's FAQ may have a new entry relevant
-	to your problem.</LI>
-	<LI>our <A HREF="background.html">background document</A> .
-	Special considerations which, while not central to Linux FreeS/WAN,
-	are often tripped over. Includes problems with 
-      <a href="background.html#MTU.trouble">packet fragmentation</a>,
-      and considerations for
-	testing opportunism.</LI>
-	<LI>the <A HREF="mail.html#lists">list archives</A>. Each of the
-	searchable archives works differently, so it's worth checking each.
-	Use a search term which is generic, but identifies your error, for
-	example &quot;No connection is known for&quot;.
-	<BR>
-        Often, you will find that your question has been answered in the
-	past. Finding an archived answer is quicker than asking the list.
-	You may, however, find similar questions without answers. If you do,
-	send their URLs to the list with your trouble report. The additional
-	examples may help the list tech support person find your answer.</LI>
-	<LI>Look into the code where the error is being generated. The
-	pluto code is nicely documented with comments and meaningful
-	variable names.</LI>
-</UL>
-<P>If you have failed to solve your problem with the help of these
-resources, send a detailed problem report to the users list,
-following these <A HREF="#prob.report">guidelines</A>.</P>
-<H2><A NAME="use"></A>3. Using a Connection</H2>
-<H3>3.1 Orienting yourself</H3>
-<H4><VAR>How do I know if it works?</VAR></H4>
-<P>Test your connection by sending packets through it. The simplest way
-to do this is with ping, but the ping needs to <STRONG>test the correct 
-tunnel.</STRONG> See <A HREF="#testgates">this example scenario</A> if
-you don't understand this.<P>
-<P>If your ping returns, test any other connections you've brought
-u all check out, great. You may wish to <A HREF="#bigpacket">test
-with large packets</A> for MTU problems.</P>
-<H4><VAR>ipsec barf</VAR> is useful again</H4>
-<P>If your ping fails to return, generate an ipsec barf debugging
-report on each IPSec gateway. On a non-Linux FreeS/WAN
-implementation, gather equivalent information. Use this, and the tips
-in the next sections, to troubleshoot. Are you sure that both
-endpoints are capable of hearing and responding to ping?</P>
-<H3>3.2 Those pesky configuration errors</H3>
-<P>IPSec may be dropping your ping packets since they do not belong in the
-tunnels you have constructed:</P>
-<UL>
-<LI>Your ping may not test the tunnel you intend to test. For details, see our  
-<A HREF="faq.html#cantping">&quot;I can't ping&quot;</A> FAQ.
-</LI>
-<LI>
-Alternately, you may have a configuration error.
-For example, you may have configured one of the four possible tunnels between 
-two gateways, but not the one required to secure the important
-traffic you're now testing. In this case, add and start the tunnel,
-and try again.
-</LI>
-</UL>
-<P>In either case, you will often see a message like:</P>
-<PRE>klipsdebug... no eroute</PRE>
-<P>which we discuss in <A HREF="faq.html#no_eroute">this
-FAQ</A>.</P>
-<P>Note:</P>
-<UL>
-<LI><A HREF="glossary.html#NAT.gloss">Network Address Translation (NAT)</A> 
-and <A HREF="glossary.html#masq">IP masquerade</A> may have an effect on 
-which tunnels you need to configure.</LI>
-<LI>When testing a tunnel that protects a multi-node subnet, try several 
-subnet nodes as ping targets, in case one node is routing incorrectly.</LI>
-</UL>
-<H3><A NAME="route.firewall"></A>3.3 Check Routing and Firewalling</H3>
-<P>If you've confirmed your configuration assumptions, the problem is
-almost certainly with routing or firewalling. Isolate the problem
-using interface statistics, firewall statistics, or a packet sniffer.</P>
-<H4>Background:</H4>
-<UL>
-	<LI>Linux FreeS/WAN supplies all the special routing it needs;
-	you need only route packets out through your IPSec gateway. Verify
-	that on the <VAR>subnetted</VAR> machines you are using for your 
-        ping-test, your routing is as expected. I have seen a tunnel 
-        &quot;fail&quot; because the subnet machine sending packets 
-        out an alternate gateway (not our IPSec gateway) on their return path.
-	<LI>Linux FreeS/WAN requires particular <A HREF="firewall.html"> 
-        firewalling considerations</A>.
-	Check the firewall rules on your IPSec gateways and ensure that they
-	allow IPSec traffic through. Be sure that no other machine - for
-	example a router between the gateways - is blocking your IPSec
-	packets.
-</UL>
-<H4><A NAME="ifconfig"></A>View Interface and Firewall
-Statistics</H4>
-<P>Interface reports and firewall statistics can help you track down
-lost packets at a glance. Check any firewall statistics you may be keeping 
-on your IPSec gateways, for dropped packets.</P>
-
-<P><STRONG>Tip</STRONG>: You can take a snapshot of the packets processed 
-by your firewall with:</P>
-
-<PRE>    iptables -L -n -v</PRE>
-
-<P>You can get creative with "diff" to find out what happens to a
-particular packet during transmission.</P>
-
-<P>Both <VAR>cat /proc/net/dev</VAR> and <VAR>ifconfig</VAR> display
-interface statistics, and both are included in <VAR>ipsec barf</VAR>. Use
-either to check if any interface has dropped packets. If you find
-that one has, test whether this is related to your ping. While you
-ping continuously, print that interface's statistics several times.
-Does its drop count increase in proportion to the ping? If so, check
-why the packets are dropped there.</P>
-
-<P>To do this, look at the firewall rules that apply to that interface. If the
-interface is an IPSec interface, more information may be available in
-the log. Grep for the word &quot;drop&quot; in a log which was
-created with <VAR>klipsdebug=all</VAR> as the error happened.</P>
-<P>See also this <A HREF="#ifconfig1">discussion</A> on interpreting 
-<VAR>ifconfig</VAR> statistics.</P>
-<H3><A NAME="sniff"></A>3.4 When in doubt, sniff it out</H3>
-<P>If you have checked configuration assumptions, routing, and
-firewall rules, and your interface statistics yield no clue, it
-remains for you to investigate the mystery of the lost packet by the
-most thorough method: with a packet sniffer (providing, of course, 
-that this is legal where you are working).
-<P>In order to detect packets on the ipsec virtual interfaces,
-you will need an up-to-date sniffer (tcpdump, ethereal, ksnuffle) on
-your IPSec gateway machines. You may also find it useful to sniff the ping
-endpoints.</P>
-<H4>Anticipate your packets' path</H4>
-<P>Ping, and examine each interface along the projected path, checking for your 
-ping's arrival. If it doesn't get to the the next stop, you have narrowed 
-down where to look for it. In this way, you can isolate a problem area, 
-and narrow your troubleshooting focus.</P>
-<P>Within a machine running Linux FreeS/WAN, this 
-<A HREF="firewall.html#packets">packet flow diagram</A> will help you 
-anticipate a packet's path.
-<P>Note that:</P>
-<UL>
-<LI>
-from the perspective of the tunneled packet, the entire tunnel is one hop. 
-That's explained in <A HREF="faq.html#no_trace">this</A> FAQ.
-</LI>
-<LI>
- an encapsulated IPSec packet will look different, when
-sniffed, from the plaintext packet which generated it. You
-can see plaintext packets entering an IPSec interface and the
-resulting cyphertext packets as they emerge from the corresponding
-physical interface. 
-</LI>
-</UL>
-<P>Once you isolate where the packet is lost, take a closer look at
-firewall rules, routing and configuration assumptions as they affect
-that specific area. If the packet is lost on an IPSec gateway, comb
-through <VAR>klipsdebug</VAR> output for anomalies. 
-</P>
-<P>If the packet goes through both gateways successfully and reaches
-the ping target, but does not return, suspect routing. Check that the
-ping target routes packets back to the IPSec gateway.</P>
-<H3><A NAME="find.use.error"></A>3.5 Check your logs</H3>
-<P>Here, too, log information can be useful. Start with the 
-<A HREF="#find.pluto.error">guidelines above</A>.</P>
-<P>For connection use problems, set <VAR>klipsdebug=all</VAR>. Note
-that you must have enabled the <VAR>klipsdebug</VAR> 
-<A HREF="install.html#allbut">compile-time option</A> to do this. 
-Restart Linux FreeS/WAN so that it rereads <VAR>ipsec.conf</VAR>, 
-then recreate the error condition. When searching through 
-<VAR>klipsdebug</VAR> data, look especially for the keywords
-&quot;drop&quot; (as in dropped packets) and &quot;error&quot;.</P>
-<P>Often the problem with connection use is not software error, but
-rather that the software is behaving contrary to expectation. 
-</P>
-<H4><A NAME="interpret.use.error"></A>Interpreting log text</H4>
-<P>To interpret the Linux FreeS/WAN log text you've found, use the
-same resources as indicated for troubleshooting 
-connection negotiation: 
-<A HREF="faq.html">the FAQ</A> , our
-<A HREF="background.html">background document</A>, and the 
-<A HREF="mail.html#lists">list archives</A>.
-Looking in the KLIPS code is only for the very brave.</P>
-<P>If you are still stuck, send a <A HREF="#prob.report">detailed
-problem report</A> to the users' list.</P>
-<H3><A NAME="bigpacket"></A>3.6 More testing for the truly thorough</H3>
-<H4>Large Packets</H4>
-<P>If each of your connections passed the ping test, you may wish to
-test by pinging with large packets (2000 bytes or larger). If it does
-not return, suspect MTU issues, and see this <A HREF="background.html#MTU.trouble">discussion</A>.</P>
-<H4>Stress Tests</H4>
-<P>In most users' view, a simple ping test, and perhaps a
-large-packet ping test suffice to indicate a working IPSec
-connection.</P>
-<P>Some people might like to do additional stress tests prior to
-production use. They may be interested in this <A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00224.html">testing
-protocol</A> we use at interoperation conferences, aka &quot;bakeoffs&quot;.
-We also have a <VAR>testing</VAR> directory that ships with the
-release.</P>
-<H2><A NAME="prob.report"></A>4. Problem Reporting</H2>
-<H3>4.1 How to ask for help</H3>
-<P>Ask for troubleshooting help on the users' mailing list,
-<A HREF="mailto:users@lists.freeswan.org">users@lists.freeswan.org</A>.
-While sometimes an initial query with a quick description of your
-intent and error will twig someone's memory of a similar problem,
-it's often necessary to send a second mail with a complete problem
-report. 
-</P>
-
-
-<P>When reporting problems to the mailing list(s), please include: 
-</P>
-<UL>
-	<LI>a brief description of the problem</LI>
-	<LI>if it's a compile problem, the actual output from make,
-	showing the problem. Try to edit it down to only the relevant part,
-	but when in doubt, be as complete as you can. If it's a kernel
-	compile problem, any relevant out.* files</LI>
-	<LI>if it's a run-time problem, pointers to where we can find the
-	complete output from &quot;ipsec barf&quot; from BOTH ENDS (not just
-	one of them). Remember that it's common outside the US and Canada to
-	pay for download volume, so if you can't post barfs on the web and
-	send the URL to the mailing list, at least compress them with tar or
-	gzip.<BR>
-	If you can, try to simplify the case that is causing the problem.
-	In particular, if you clear your logs, start FreeS/WAN with no other
-	connections running, cause the problem to happen, and then do <VAR>ipsec
-	barf</VAR> on both ends immediately, that gives the smallest and
-	least cluttered output.</LI>
-	<LI>any other error messages, complaints, etc. that you saw.
-	Please send the complete text of the messages, not just a summary.</LI>
-	<LI>what your network setup is. Include subnets, gateway
-	addresses, etc. A schematic diagram is a
-	good format for this information.</LI>
-	<LI>exactly what you were trying to do with Linux FreeS/WAN, and
-	exactly what went wrong</LI>
-	<LI>a fix, if you have one. But remember, you are sending mail to
-	people all over the world; US residents and US citizens in
-	particular, please read doc/exportlaws.html before sending code --
-	even small bug fixes -- to the list or to us.</LI>
-	<LI>When in doubt about whether to include some seemingly-trivial
-	item of information, include it. It is rare for problem reports to
-	have too much information, and common for them to have too little.</LI>
-</UL>
-
-<P>Here are some good general guidelines on bug reporting:
-<a href="http://tuxedo.org/~esr/faqs/smart-questions.html">How To Ask Questions
-The Smart Way</a> and <a
-href="http://www.chiark.greenend.org.uk/~sgtatham/bugs.html">How to Report
-Bugs Effectively</a>.</p>
-
-
-<H3>4.2 Where to ask</H3>
-<P>To report a problem, send mail about it to the users' list. If you
-are certain that you have found a bug, report it to the bugs list. If
-you encounter a problem while doing your own coding on the Linux
-FreeS/WAN codebase and think it is of interest to the design team,
-notify the design list. When in doubt, default to the users' list.
-More information about the mailing lists is found <A HREF="mail.html#lists">here</A>.</P>
-<P>For a number of reasons -- including export-control regulations
-affecting almost any <STRONG>private</STRONG> discussion of
-encryption software -- we prefer that problem reports and discussions
-go to the lists, not directly to the team. Beware that the list goes
-worldwide; US citizens, read this important information about your
-<A HREF="politics.html#exlaw">export laws</A>. If you're using this
-software, you really should be on the lists. To get onto them, visit
-<A HREF="http://lists.freeswan.org/">lists.freeswan.org</A>.</P>
-<P>If you do send private mail to our coders or want a private reply
-from them, please make sure that the return address on your mail
-(From or Reply-To header) is a valid one. They have more important
-things to do than to unravel addresses that have been mangled in an
-attempt to confuse spammers. 
-</P>
-<H2><A NAME="notes"></A>5. Additional Notes on Troubleshooting</H2>
-<P>The following sections supplement the Guide: <A HREF="#system.info">information
-available on your system</A>; <A HREF="#testgates">testing between
-security gateways</A>; <A HREF="#ifconfig1">ifconfig reports for
-KLIPS debugging</A>; <A HREF="#gdb">using GDB on Pluto</A>.</P>
-<H3><A NAME="system.info"></A>5.1 Information available on your
-system</H3>
-<H4><A NAME="logusage"></A>Logs used</H4>
-<P>Linux FreeS/WAN logs to:</P>
-<UL>
-	<LI>/var/log/secure (or, on Debian, /var/log/auth.log)</LI>
-	<LI>/var/log/messages</LI>
-</UL>
-<P>Check both places to get full information. If you find nothing,
-check your <VAR>syslogd.conf(5)</VAR> to see where your
-/etc/syslog.conf or equivalent is directing <VAR>authpriv</VAR>
-messages.</P>
-<H4><A NAME="pages"></A>man pages provided</H4>
-<DL>
-	<DT><A HREF="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> 
-	</DT><DD>
-	Manual page for IPSEC configuration file. 
-	</DD><DT>
-	<A HREF="manpage.d/ipsec.8.html">ipsec(8)</A> 
-	</DT><DD STYLE="margin-bottom: 0.2in">
-	Primary man page for ipsec utilities. 
-	</DD></DL>
-<P>
-Other man pages are on <A HREF="manpages.html">this list</A> and in</P>
-<UL>
-	<LI>/usr/local/man/man3</LI>
-	<LI>/usr/local/man/man5</LI>
-	<LI>/usr/local/man/man8/ipsec_*</LI>
-</UL>
-<H4><A NAME="statusinfo"></A>Status information</H4>
-<DL>
-	<DT>ipsec auto --status 
-	</DT><DD>
-	Command to get status report from running system. Displays Pluto's
-	state. Includes the list of connections which are currently &quot;added&quot;
-	to Pluto's internal database; lists state objects reflecting ISAKMP
-	and IPsec SAs being negotiated or installed. 
-	</DD><DT>
-	ipsec look 
-	</DT><DD>
-	Brief status info. 
-	</DD><DT>
-	ipsec barf 
-	</DT><DD STYLE="margin-bottom: 0.2in">
-	Copious debugging info. 
-	</DD></DL>
-<H3>
-<A NAME="testgates"></A>5.2 Testing between security gateways</H3>
-<P>Sometimes you need to test a subnet-subnet tunnel. This is a
-tunnel between two security gateways, which protects traffic on
-behalf of the subnets behind these gateways. On this network:</P>
-<PRE>     Sunset==========West------------------East=========Sunrise
-                     IPSec gateway         IPSec gateway
-           local net       untrusted net       local net</PRE><P>
-you might name this tunnel sunset-sunrise. You can test this tunnel
-by having a machine behind one gateway ping a machine behind the
-other gateway, but this is not always convenient or even possible.</P>
-<P>Simply pinging one gateway from the other is not useful. Such a
-ping does not normally go through the tunnel. <STRONG>The tunnel
-handles traffic between the two protected subnets, not between the
-gateways</STRONG> . Depending on the routing in place, a ping might</P>
-<UL>
-	<LI>either succeed by finding an
-	unencrypted route</LI>
-	<LI>or fail by finding no route. Packets without an IPSEC eroute
-	are discarded.</LI>
-</UL>
-<P><STRONG>Neither event tells you anything about the tunnel</STRONG>.
-You can explicitly create an eroute to force such packets through the
-tunnel, or you can create additional tunnels as described in our
-<A HREF="config.html#multitunnel">configuration document</A>, but
-those may be unnecessary complications in your situation.</P>
-<P>The trick is to explicitly test between <STRONG>both gateways'
-private-side IP addresses</STRONG>. Since the private-side interfaces
-are on the protected subnets, the resulting packets do go via the
-tunnel. Use either ping -I or traceroute -i, both of which allow you
-to specify a source interface. (Note: unsupported on older Linuxes).
-The same principles apply for a road warrior (or other) case where
-only one end of your tunnel is a subnet.</P>
-<H3><A NAME="ifconfig1"></A>5.3 ifconfig reports for KLIPS debugging</H3>
-<P>When diagnosing problems using ifconfig statistics, you may wonder
-what type of activity increments a particular counter for an ipsecN
-device. Here's an index, posted by KLIPS developer Richard Guy
-Briggs:</P>
-<PRE>Here is a catalogue of the types of errors that can occur for which
-statistics are kept when transmitting and receiving packets via klips.
-I notice that they are not necessarily logged in the right counter.
-. . .
-
-Sources of ifconfig statistics for ipsec devices
-
-rx-errors:
-- packet handed to ipsec_rcv that is not an ipsec packet.
-- ipsec packet with payload length not modulo 4.
-- ipsec packet with bad authenticator length.
-- incoming packet with no SA.
-- replayed packet.
-- incoming authentication failed.
-- got esp packet with length not modulo 8.
-
-tx_dropped:
-- cannot process ip_options.
-- packet ttl expired.
-- packet with no eroute.
-- eroute with no SA.
-- cannot allocate sk_buff.
-- cannot allocate kernel memory.
-- sk_buff internal error.
-
-
-The standard counters are:
-
-struct enet_statistics
-{
-        int        rx_packets;                /* total packets received */
-        int        tx_packets;                /* total packets transmitted */
-        int        rx_errors;                /* bad packets received */
-        int        tx_errors;                /* packet transmit problems */
-        int        rx_dropped;                /* no space in linux buffers */
-        int        tx_dropped;                /* no space available in linux */
-        int        multicast;                /* multicast packets received */
-        int        collisions;
-
-        /* detailed rx_errors: */
-        int        rx_length_errors;
-        int        rx_over_errors;                /* receiver ring buff overflow */
-        int        rx_crc_errors;                /* recved pkt with crc error */
-        int        rx_frame_errors;        /* recv'd frame alignment error */
-        int        rx_fifo_errors;                /* recv'r fifo overrun */
-        int        rx_missed_errors;        /* receiver missed packet */
-
-        /* detailed tx_errors */
-        int        tx_aborted_errors;
-        int        tx_carrier_errors;
-        int        tx_fifo_errors;
-        int        tx_heartbeat_errors;
-        int        tx_window_errors;
-};
-
-of which I think only the first 6 are useful.</PRE><H3>
-<A NAME="gdb"></A>5.4 Using GDB on Pluto</H3>
-<P>You may need to use the GNU debugger, gdb(1), on Pluto. This
-should be necessary only in unusual cases, for example if you
-encounter a problem which the Pluto developer cannot readily
-reproduce or if you are modifying Pluto. 
-</P>
-<P>Here are the Pluto developer's suggestions for doing this: 
-</P>
-<PRE>Can you get a core dump and use gdb to find out what Pluto was doing
-when it died?
-
-To get a core dump, you will have to set dumpdir to point to a
-suitable directory (see <A HREF="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>).
-
-To get gdb to tell you interesting stuff:
-        $ script
-        $ cd dump-directory-you-chose
-        $ gdb /usr/local/lib/ipsec/pluto core
-        (gdb) where
-        (gdb) quit
-        $ exit
-
-The resulting output will have been captured by the script command in
-a file called &quot;typescript&quot;.  Send it to the list.
-
-Do not delete the core file.  I may need to ask you to print out some
-more relevant stuff.</PRE><P>
-Note that the <VAR>dumpdir</VAR> parameter takes effect only when the
-IPsec subsystem is restarted -- reboot or ipsec setup restart.</P>
-<P><BR><BR>
-</P>
-</BODY>
-</HTML>
diff --git a/doc/src/uml-rhroot-list.txt b/doc/src/uml-rhroot-list.txt
deleted file mode 100644
index 198997032..000000000
--- a/doc/src/uml-rhroot-list.txt
+++ /dev/null
@@ -1,91 +0,0 @@
-filesystem-2.1.6-2
-glibc-common-2.2.4-13
-slang-1.4.4-4
-newt-0.50.33-1
-mktemp-1.5-11
-syslinux-1.52-2
-which-2.12-3
-zlib-devel-1.1.3-24
-ntsysv-1.2.24-1
-db1-devel-1.85-7
-e2fsprogs-1.23-2
-iputils-20001110-6
-mingetty-0.9.4-18
-pwdb-0.61.1-3
-bash-2.05-8
-bzip2-1.0.1-4
-libstdc++-2.96-98
-logrotate-3.5.9-1
-rootfiles-7.2-1
-bash-doc-2.05-8
-iproute-2.2.4-14
-ncurses-5.2-12
-diffutils-2.7.2-2
-findutils-4.1.7-1
-gzip-1.3-15
-readline-4.2-2
-tmpwatch-2.8-2
-cpio-2.4.2-23
-gawk-3.1.0-3
-less-358-21
-procps-X11-2.0.7-11
-sed-3.02-10
-vim-minimal-5.8-7
-fileutils-4.1-4
-sysklogd-1.4.1-4
-mount-2.11g-5
-rpm-4.0.3-1.03
-glib-devel-1.2.10-5
-bzip2-libs-1.0.1-4
-tar-1.13.19-6
-cracklib-dicts-2.7-12
-passwd-0.64.1-7
-pam-devel-0.75-14
-SysVinit-2.78-19
-krb5-libs-1.2.2-13
-pam_krb5-1.46-1
-krbafs-utils-1.0.9-2
-setup-2.5.7-1
-basesystem-7.0-2
-glibc-2.2.4-13
-popt-1.6.3-1.03
-setuptool-1.8-2
-shadow-utils-20000902-4
-zlib-1.1.3-24
-chkconfig-1.2.24-1
-db1-1.85-7
-db3-3.2.9-4
-file-3.35-2
-losetup-2.11g-5
-net-tools-1.60-3
-netconfig-0.8.11-7
-libtermcap-2.0.8-28
-libtermcap-devel-2.0.8-28
-bzip2-devel-1.0.1-4
-libstdc++-devel-2.96-98
-modutils-2.4.6-4
-crontabs-1.10-1
-MAKEDEV-3.2-5
-grep-2.4.2-7
-psmisc-20.1-2
-readline-devel-4.2-2
-e2fsprogs-devel-1.23-2
-ed-0.2-21
-vim-common-5.8-7
-procps-2.0.7-11
-redhat-release-7.2-1
-time-1.7-14
-cracklib-2.7-12
-console-tools-19990829-36
-textutils-2.0.14-2
-dev-3.2-5
-glib-1.2.10-5
-termcap-11.0.1-10
-info-4.0b-3
-words-2-17
-pam-0.75-14
-util-linux-2.11f-9
-sh-utils-2.0.11-5
-initscripts-6.40-1
-krbafs-1.0.9-2
-krbafs-devel-1.0.9-2
diff --git a/doc/src/uml-rhroot.html b/doc/src/uml-rhroot.html
deleted file mode 100644
index ca05a2073..000000000
--- a/doc/src/uml-rhroot.html
+++ /dev/null
@@ -1,116 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
-<HTML>
-  <HEAD>
-    <TITLE>Building a RedHat root image</TITLE>
-    <!-- Created by: Michael Richardson, 22-Nov-2001 -->
-    <!-- Changed by: Michael Richardson, 22-Nov-2001 -->
-
-
-  </HEAD>
-  <BODY>
-    <H1>Building a RedHat root image</H1>
-
-<P>
-The image required to use User-Mode-Linux is just a normal set of executables.
-These can be extracted from a RedHat distribution using the following proceedure.
-</P>
-
-<P>
-There is a script in testing/utils called <CODE>uml-rhroot.sh</CODE>. It takes
-two arguments:
-<UL>
-<LI> a directory in which to put resulting directory tree. 
-<LI> a directory tree containing the RedHat distribution RPMs. This may be
-  in one of three forms:
-<UL>
-<LI> a directory containing the directories "disc1" and "disc2". These 
-  could be ISO images that are mounted loopback via, for instance:
-<PRE>
-<CODE>
-mkdir -p /distros/redhat/7.2/disc1 /distros/redhat/7.2/disc1
-mount -t iso9660 -o loop,ro /distros/redhat/7.2/enigma-i386-disc1.iso /distros/redhat/7.2/disc1
-mount -t iso9660 -o loop,ro /distros/redhat/7.2/enigma-i386-disc2.iso /distros/redhat/7.2/disc2 
-</CODE>
-</PRE>
-or even two real CDroms mounted somewhere. In the example above, use "/distros/redhat/7.2" as the distribution directory.
-</LI>
-<LI> a directory containing a "merged" disc1 and disc2 as suggested by RedHat in <A HREF="http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/install-guide/s1-install-network.html#S2-INSTALL-SETUPSERVER">http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/install-guide/s1-install-network.html under "Setting up the Server"</A>.
-<LI> a directory containing all the required RPMs. (See <A HREF="uml-rhroot-list7.2.txt">list of RPMs</A>)</LI>
-</UL>
-</UL>
-</P>
-
-<P>The unpacked distribution will take approximately 133Mb. You will
-  want to locate this on the same partition as your intended root
-  trees for your User-Mode-Linux's as this will permit hard links to
-  be used, saving disk space.  
-</P>
-
-<P>
-  Because the RPM command used uses the chroot(2) system call and
-  needs to change ownership of the files that it creates, it must be
-  run as root. Afterward, you should chown the entire directory to the
-  userid that you will be using for testing (i.e. probably
-  yours). It should eventually suffices to make sure that you can read
-  every file.
-</P>
-
-<P>
-You should be able to chroot to this directory and run programs. If
-you can not at least run ls, then there is a problem.
-</P>
-<P>
-Expect a couple of errors about install-info.
-</P>
-
-<P>
-An example:
-<PRE>
-<CODE>
-Script started on Thu Nov 22 15:51:15 2001
-cassidy:/c2/user-mode-linux# df
-Filesystem           1k-blocks      Used Available Use% Mounted on
-/dev/hda1              3844408   1673528   1975584  46% /
-/dev/hda3             12495048   1823404  10036884  16% /home
-/dev/hdc1             10325748    805056   8996172   9% /c1
-/dev/hdc2             10325780   4815160   4986100  50% /c2
-/dev/hdc3             10325780   2972480   6828780  31% /c3
-/dev/hdc4              7495084   3059640   4054704  44% /c4
-/distros/redhat/7.2/enigma-i386-disc1.iso
-                        662072    662072         0 100% /distros/redhat/7.2/disc1
-/distros/redhat/7.2/enigma-i386-disc2.iso
-                        653740    653740         0 100% /distros/redhat/7.2/disc2
-cassidy:/c2/user-mode-linux# /c2/freeswan/sandbox-main/testing/utils/uml-rhroot.sh 
-Usage: /c2/freeswan/sandbox-main/testing/utils/uml-rhroot.sh rootdir cdimagedir
-cassidy:/c2/user-mode-linux# /c2/freeswan/sandbox-main/testing/utils/uml-rhroot.sh /c2/user-mode-linux/rpm-root/root /distros/redhat/7.2
-Assuming RH disc1 at /distros/redhat/7.2/disc1/RedHat/RPMS
-        and disc2 at /distros/redhat/7.2/disc2/RedHat/RPMS
-/var/tmp/rpm-tmp.99149: /sbin/install-info: No such file or directory
-error: execution of %post scriptlet from textutils-2.0.14-2 failed, exit status 127
-cat: /proc/mounts: No such file or directory
-warning: /var/lib/rpm/Basenames created as /var/lib/rpm/Basenames.rpmnew
-warning: /var/lib/rpm/Conflictname created as /var/lib/rpm/Conflictname.rpmnew
-warning: /var/lib/rpm/Group created as /var/lib/rpm/Group.rpmnew
-warning: /var/lib/rpm/Name created as /var/lib/rpm/Name.rpmnew
-warning: /var/lib/rpm/Packages created as /var/lib/rpm/Packages.rpmnew
-warning: /var/lib/rpm/Providename created as /var/lib/rpm/Providename.rpmnew
-warning: /var/lib/rpm/Requirename created as /var/lib/rpm/Requirename.rpmnew
-warning: /var/lib/rpm/Triggername created as /var/lib/rpm/Triggername.rpmnew
-You should now chown it to yourself.
-cassidy:/c2/user-mode-linux# chown -R mcr rpm-root/root
-cassidy:/c2/user-mode-linux# ls rpm-root/root
-bin   dev  home    lib	opt   root  tmp  var
-boot  etc  initrd  mnt	proc  sbin  usr
-cassidy:/c2/user-mode-linux# chroot rpm-root/root
-cassidy:/# ls
-bin   dev  home    lib  opt   root  tmp  var
-boot  etc  initrd  mnt  proc  sbin  usr
-cassidy:/# exit
-cassidy:/c2/user-mode-linux# exit
-Script done on Thu Nov 22 15:54:33 2001
-</CODE>
-</PRE>
-
-
-  </BODY>
-</HTML>
\ No newline at end of file
diff --git a/doc/src/uml-stack-trace.html b/doc/src/uml-stack-trace.html
deleted file mode 100644
index 1b08ed7d1..000000000
--- a/doc/src/uml-stack-trace.html
+++ /dev/null
@@ -1,129 +0,0 @@
-<PRE>
-To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
-Cc: user-mode-linux-devel@lists.sourceforge.net
-From: Jeff Dike <jdike@karaya.com>
-Subject: [uml-devel] Re: stack trace
-Date: Mon, 16 Sep 2002 22:36:06 -0500
-
-mcr@sandelman.ottawa.on.ca said:
-> Can you post (on list or web site) a "script" output of you trying to
-> get the right stack out of a stuck uml (tracing myself)...? 
-
-Yup.  Here we go...
-
-Here, I attach to the tracing thread and get the stack of the current thread,
-which happens to be the idle thread.
-
-um 1013: gdb linux 14936
-GNU gdb 5.0rh-5 Red Hat Linux 7.1
-Copyright 2001 Free Software Foundation, Inc.
-GDB is free software, covered by the GNU General Public License, and you are
-welcome to change it and/or distribute copies of it under certain conditions.
-Type "show copying" to see the conditions.
-There is absolutely no warranty for GDB.  Type "show warranty" for details.
-This GDB was configured as "i386-redhat-linux"...
-/home/jdike/linux/2.4/um/14936: No such file or directory.
-Attaching to program: /home/jdike/linux/2.4/um/linux, process 14936
-0xa014efe9 in __wait4 ()
-
-# This is how you get the current task in the tracing thread - get_current()
-# only works in a kernel thread.
-(gdb) p (struct task_struct *)cpu_tasks[0].task
-$2 = (struct task_struct *) 0xa01c0000
-
-# Get the host pid of that task.
-(gdb) p $2.thread.extern_pid
-$3 = 14939
-
-# Get the current ip and sp.
-(gdb) shell cat /proc/14939/stat
-14939 (linux) T 14936 14936 883 34816 14936 64 5 3 806 7 62 12 0 0 9 0 0 2 
-588043 142770176 5008 4294967295 2684358656 2686348640 3221223520 2686205764
-                                                               sp ^^^^^^^^^^ 
-   2685727185 73728 201392128 167776768 268444672 3222308129 0 0 17 0
-ip ^^^^^^^^^^
-
-# the sp and ip are items 4 and 5 after the 4294967295 (on 2.2 hosts, that's
-2^31 - 1 rather than 2^32 - 1).
-
-(gdb) p/x 2686205764
-$4 = 0xa01c3f44
-(gdb) p/x 2685727185
-$5 = 0xa014f1d1
-
-# Where's the ip?
-(gdb) i sym 0xa014f1d1
-nanosleep + 17 in section .text
-
-# look at the stack around the sp
-(gdb) x/32x 0xa01c3f30
-0xa01c3f30 :     0x00000000      0x00000000      0xa01c3f60      0xa00020a8
-0xa01c3f40 :     0x00000004      0xa012e891      0xa01c3f58      0xa01c3f58
-0xa01c3f50 :     0xa01c3f70      0xa0023667      0x00000009      0x3b023380
-0xa01c3f60 :     0xa01c3fa0      0xa012a21d      0x0000000a      0xa01c0000
-0xa01c3f70 :     0xa01c3fa0      0xa012a213      0x00000003      0x00000024
-0xa01c3f80 :     0xa01c3fa0      0xa0011bc4      0xa012b25c      0x00000000
-0xa01c3f90 :     0xa01c3fb0      0x00000000      0xa01c3ffc      0x0000000d
-0xa01c3fa0 :     0xa01c3fb0      0xa000c50e      0xa01812e0      0xa01c3ffc
-
-# The trick here is to locate a frame near the current sp.  You're looking
-# for a consecutive pair of longwords (fp, ip) having the properties that:
-#	fp is on the current kernel stack and points further up it
-#	ip is a text address (if you can't recognize a UML text address by
-# sight, print out &_stext and &_etext)
-#
-# Starting at 0xa01c3f44, the first pair of works satisfying these requirements
-# is at 0xa01c3f50.
-# So, print that pair out as hex.
-(gdb) p/x *((int (*)[2])0xa01c3f50)
-$9 = {0xa01c3f70, 0xa0023667}
-
-# Now, we start climbing the stack.
-(gdb) p/x *((int (*)[2])$[0])
-$10 = {0xa01c3fa0, 0xa012a213}
-(gdb) 
-$11 = {0xa01c3fb0, 0xa000c50e}
-(gdb) 
-$12 = {0xa01c3fc0, 0xa000356d}
-(gdb) 
-$13 = {0xa01c3fd0, 0xa013082f}
-(gdb) 
-$14 = {0xa01c3ff0, 0xa012fbdd}
-# Stop when you see a NULL frame pointer or gdb bitches at you.
-(gdb) 
-$15 = {0x0, 0xa01513aa}
-
-# Now we get the symbolic version of the stack with 'i sym' of the second item
-# in each pair. 
-(gdb) i sym 0xa0023667
-check_pgt_cache + 23 in section .text
-(gdb) i sym 0xa012a213
-cpu_idle + 123 in section .text
-(gdb) i sym 0xa000c50e
-rest_init + 46 in section .text
-(gdb) i sym 0xa000356d
-start_kernel + 361 in section .text.init
-(gdb) i sym 0xa013082f
-start_kernel_proc + 63 in section .text
-(gdb) i sym 0xa012fbdd
-signal_tramp + 209 in section .text
-(gdb) i sym 0xa01513aa
-thread_start + 4 in section .text
-
-# You can also get line number information with 'i line'.
-(gdb) i line *0xa012a213
-Line 488 of "process_kern.c" starts at address 0xa012a213 <cpu_idle+123>
-   and ends at 0xa012a21d <cpu_idle+133>.
-(gdb) 
-
-
--------------------------------------------------------
-Sponsored by: AMD - Your access to the experts on Hammer Technology! 
-Open Source & Linux Developers, register now for the AMD Developer 
-Symposium. Code: EX8664 http://www.developwithamd.com/developerlab
-_______________________________________________
-User-mode-linux-devel mailing list
-User-mode-linux-devel@lists.sourceforge.net
-https://lists.sourceforge.net/lists/listinfo/user-mode-linux-devel
-
-</PRE>
\ No newline at end of file
diff --git a/doc/src/umltesting.html b/doc/src/umltesting.html
deleted file mode 100644
index df62a9ae2..000000000
--- a/doc/src/umltesting.html
+++ /dev/null
@@ -1,478 +0,0 @@
-<html>
-<head>
-<title>FreeS/WAN User-Mode-Linux testing guide</title>
-<!-- Changed by: Michael Richardson, 05-Mar-2003 -->
-<meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN, testing, User-Mode-Linux, UML">
-
-<!--
-
-Written by Michael Richardson for the Linux FreeS/WAN project
-Freely distributable under the GNU General Public License
-
-More information at www.freeswan.org
-Feedback to users@lists.freeswan.org
-
-$Id: umltesting.html,v 1.1 2004/03/15 20:35:24 as Exp $
-
-$Log: umltesting.html,v $
-Revision 1.1  2004/03/15 20:35:24  as
-added files from freeswan-2.04-x509-1.5.3
-
-Revision 1.23  2003/09/18 15:12:11  dhr
-
-fix link to kernel.org mirrors page
-
-Revision 1.22  2003/03/07 03:49:25  dhr
-
-fix recommended version of uml-patch
-
-Revision 1.21  2003/03/06 08:37:03  dhr
-
-capture more of MCR's knowledge about BIND
-
-Revision 1.20  2003/03/06 02:15:44  mcr
-	added note about need for bind9.
-
-Revision 1.19  2003/03/05 23:20:39  mcr
-	updates from -47 to -53.
-
-Revision 1.18  2003/02/27 08:25:48  dhr
-
-update to reflect newer umlfreeroot
-
-Revision 1.17  2003/02/27 08:16:45  dhr
-
-make clear what is the latest version of the UML patch that we've used
-
-Revision 1.16  2003/02/21 01:35:31  mcr
-	updated latest umlfreeroot to 15.1.
-
-Revision 1.15  2003/01/21 03:26:34  mcr
-	updated documentation on UML state.
-
-Revision 1.14  2002/11/11 16:43:35  mcr
-	adjusted formatting of uml_netjig notes.
-
-Revision 1.13  2002/11/08 10:13:05  mcr
-	updated documentation for 2.4.19
-
-Revision 1.12  2002/11/03 23:44:23  mcr
-	fixed some formatting in umltesting.html
-	added some notes about NETJIGWAITUSER re: having tests
-	prompt before they exit. Helps with debugging.
-
-Revision 1.11  2002/10/31 19:01:31  mcr
-	documentation for RUN_*_SCRIPT.
-
-Revision 1.10  2002/09/15 23:57:59  dhr
-
-update suggested umlfreeroot
-
-Revision 1.9  2002/09/15 19:28:05  mcr
-	added some comments about problems with UMLs.
-
-Revision 1.8  2002/09/11 20:00:25  mcr
-	updated umlroot rev to 8.0.
-
-Revision 1.7  2002/09/09 21:37:43  mcr
-	updated document to reference currently working kernel+UML.
-
-Revision 1.6  2002/08/02 22:43:35  mcr
-	added section on debugging with UMLs.
-
-Revision 1.5  2002/05/30 18:47:57  dhr
-
-Update from experience:
-- fixed HTML bugs
-- restructure slightly
-- added another intro paragraph
-- mentioned lack of Super User requirements
-- added tcpdump build and install procedure
-- added uml utils build procedure
-- added invitation to try "make check"
-- fixed minor typos and mistakes
-
-Revision 1.4  2002/03/12 21:10:37  mcr
-	removed instruction on downloading umlminishare, as this is
-	now simply included in umlrootXXX. reformated some other text.
-
-Revision 1.3  2002/01/29 02:21:21  mcr
-	updated instructions for 2.4.17, and for newest UMLroot.
-
-Revision 1.2  2001/11/27 05:24:09  mcr
-	added reference to uml-rhroot, but commented out.
-	This proceedure is not yet ready for prime time.
-
-Revision 1.1  2001/11/05 04:35:57  mcr
-	adapted text from design list posting into HTML for Sandy.
-
-
--->
-</head>
-
-<body>
-
-<h1><a name="umltesting">User-Mode-Linux Testing guide</a></h1>
-
-<p>
-User mode linux is a way to compile a linux kernel such that it can run as a
-process in another linux system (potentially as a *BSD or Windows process
-later). See <A HREF="http://user-mode-linux.sourceforge.net/">http://user-mode-linux.sourceforge.net/</A>
-</P>
-
-<p>
-UML is a good platform for testing and experimenting with FreeS/WAN.
-It allows several network nodes to be simulated on a single machine.
-Creating, configuring, installing, monitoring, and controling these
-nodes is generally easier and easier to script with UML than real
-hardware.
-</p>
-
-<p>
-You'll need about 500Mb of disk space for a full sunrise-east-west-sunset
-setup. You can possibly get this down by 130Mb if you remove the
-sunrise/sunset kernel build. If you just want to run, then you can even
-remove the east/west kernel build.
-</p>
-<p>
-Nothing need be done as super user.  In a couple of steps, we note
-where super user is required to install commands in system-wide
-directories, but ~/bin could be used instead.  UML seems to use a
-system-wide /tmp/uml directory so different users may interfere with
-one another. Later UMLs use ~/.uml instead, so multiple users running UML 
-tests should not be a problem, but note that a single user running
-the UML tests will only be able run one set. Further, UMLs sometimes
-get stuck and hang around. These "zombies" (most will actually be in
-the "T" state in the process table) will interfere with subsequent tests.
-</P>
-<H2>Preliminary Notes on BIND</H2>
-
-<P>
-As of 2003/3/1, the Light-Weight Resolver is used by pluto. This requires
-that BIND9 be running. It also requires that BIND9 development libraries
-be present in the build environment. The DNSSEC code is only truly functional
-in BIND9 snapshots. The library code could be 9.2.2, we believe. We are
-using BIND9 20021115 snapshot code from
-<A HREF="ftp://ftp.isc.org/isc/bind9/snapshots">ftp://ftp.isc.org/isc/bind9/snapshots</A>.
-</P>
-<P>
-FreeS/WAN may well require a newer BIND than is on your system.
-Many distributions have moved to BIND9.2.2 recently due to a security advisory.
-BIND is five components.
-</P>
-<OL>
-<LI>
-named
-</LI>
-<LI>
-dnssec-*
-</LI>
-<LI>
-client side resolver libraries
-</LI>
-<LI>
-client side utility libraries
-I thought there were lib and named parts to dnsssec...
-</LI>
-<LI>
-dynamic DNS update utilities
-</LI>
-</OL>
-<P>
-The only piece that we need for *building* is #4. That's the only part that has to be on the build host.
-What is the difference between resolver and util libs?
-If you want to edit testing/baseconfigs/all/etc/bind, you'll need a snapshot version.
-The resolver library contains the resolver.
-FreeS/WAN has its own copy of that in lib/liblwres.
-</P>
-<H2>Steps to Install UML for FreeS/WAN</H2>
-<OL>
-<LI> Get the following files:
-<OL type="a">
-<LI> from <A HREF="http://www.sandelman.ottawa.on.ca/freeswan/uml/">http://www.sandelman.ottawa.on.ca/freeswan/uml/</A>
-umlfreeroot-15.1.tar.gz (or highest numbered one). This is a
-  debian potato root file system. You can use this even on a Redhat
-  host, as it has the newer GLIBC2.2 libraries as well. 
-
-
-<!-- If you are using
-  Redhat 7.2 or newer as your development machine, you can create the
-  image from your installation media. See <A HREF="uml-rhroot.html">Building a RedHat root"></A>.
-  A future document will explain how to build this from .DEB files as well.
--->
-
-<!--
-<LI> umlfreesharemini.tar.gz    (or umlfreeshareall.tar.gz). 
-  If you are a Debian potato user, you don't need it you can use your
-  native /usr/share.
-</UL>
--->
-
-<LI> From <A HREF="ftp://ftp.xs4all.nl/pub/crypto/freeswan/">ftp://ftp.xs4all.nl/pub/crypto/freeswan/</A>
-a snapshot or release (1.92 or better)
-
-<LI> From a
-  <A HREF="http://www.kernel.org/mirrors/">http://www.kernel.org mirror</A>,
-  the virgin 2.4.19 kernel. Please realize that we have defaults in our
-  tree for kernel configuration. We try to track the latest UML
-  kernels. If you   use a newer kernel, you may have faults in the
-  kernel build process. You can see what the latest that is being regularly tested by visiting <A HREF="http://bugs.freeswan.org:81/regress/HEAD/lastgood/freeswan-regress-env.sh">freeswan-regress-env.sh</A>.
-
-<LI>
-<!-- Note: this step is refered to as "step 1d" below. -->
-Get
-  <A HREF="http://ftp.nl.linux.org/uml/">http://ftp.nl.linux.org/uml/</A>
-  uml-patch-2.4.19-47.bz2 or the one associated with your kernel.
-  As of 2003/03/05, uml-patch-2.4.19-47.bz2 works for us.
-<STRONG>More recent versions of the patch have not been tested by us.</STRONG>
-<LI> You'll probably want to visit 
-<A
-  HREF="http://user-mode-linux.sourceforge.net">http://user-mode-linux.sourceforge.net</A> 
-and get the UML utilities. These are not needed for the build or interactive use (but recommended). They are necessary for the regression testing procedures used by "make check". 
-We currently use uml_utilities_20020212.tar.bz2.
-<LI>
-You need tcpdump version 3.7.1 or better.
-This is newer than the version included in most LINUX distributions.
-You can check the version of an installed tcpdump with the --version flag.
-If you need a newer tcpdump
-fetch both tcpdump and libpcap source tar files from 
-<A HREF="http://www.tcpdump.org/">http://www.tcpdump.org/</A> or a mirror.
-</OL>
-
-<LI> Pick a suitable place, and extract the following files:
-<OL type="a"> 
-<LI>
-<!-- Note: this step is refered to as "step 2a" later. -->
-2.4.19 kernel. For instance:
-<PRE>
-<CODE>
-           cd /c2/kernel
-           tar xzvf ../download/pub/linux/kernel/v2.4/linux-2.4.19.tar.gz
-</CODE>
-</PRE>
-
-<LI> extract the umlfreeroot file 
-<!-- (unless you <A HREF="uml-rhroot.html">built your own from RPMs</A>) -->
-<PRE>
-<CODE>
-           mkdir -p /c2/user-mode-linux/basic-root
-           cd /c2/user-mode-linux/basic-root
-           tar xzvf ../download/umlfreeroot-15.1.tar.gz
-</CODE>
-</PRE>
-
-<LI> FreeSWAN itself (or checkout "all" from CVS)
-<PRE>
-<CODE>
-           mkdir -p /c2/freeswan/sandbox
-           cd /c2/freeswan/sandbox
-           tar xzvf ../download/snapshot.tar.gz
-</CODE>
-</PRE>
-</OL>
-
-<LI> If you need to build a newer tcpdump:
-<UL>
-<LI>
-Make sure you have OpenSSL installed -- it is needed for cryptographic routines.
-<LI>
-Unpack libpcap and tcpdump source in parallel directories (the tcpdump
-build procedures look for libpcap next door).
-<LI>
-Change directory into the libpcap source directory and then build the library:
-<PRE>
-<CODE>
-	./configure
-	make
-</CODE>
-</PRE>
-<LI>
-Change into the tcpdump source directory, build tcpdump, and install it.
-<PRE>
-<CODE>
-	./configure
-	make
-	# Need to be superuser to install in system directories.
-	# Installing in ~/bin would be an alternative.
-	su -c "make install"
-</CODE>
-</PRE>
-</UL>
-<LI> If you need the uml utilities, unpack them somewhere then build and install
-them:
-<PRE>
-<CODE>
-	cd tools
-	make all
-	# Need to be superuser to install in system directories.
-	# Installing in ~/bin would be an alternative.
-	su -c "make install BIN_DIR=/usr/local/bin"
-</CODE>
-</PRE>
-<LI> set up the configuration file
-<UL>
-<LI>
-<CODE>
-cd /c2/freeswan/sandbox/freeswan-1.97/testing/utils
-</CODE>
-<LI> copy umlsetup-sample.sh to ../../umlsetup.sh:
-<CODE>
-  cp umlsetup-sample.sh ../../umlsetup.sh
-</CODE>
-
-<LI> open up ../../umlsetup.sh in your favorite editor.
-<LI> change POOLSPACE= to point to the place with at least 500Mb of
-disk. Best if it is on the same partition as the "umlfreeroot" extraction,
-as it will attempt to use hard links if possible to save  disk space.
-
-<LI> Set TESTINGROOT if you intend to run the script outside of the
-     sandbox/snapshot/release directory. Otherwise, it will configure itself.
-
-<LI> KERNPOOL should point to the directory with your 2.4.19 kernel
-   tree. This tree should be unconfigured! This is the directory
-   you used in step 2a.
-
-<LI> UMLPATCH should point at the bz2 file you downloaded at 1d.
-   If using a kernel that already includes the patch, set this to /dev/null.
- 
-<LI> FREESWANDIR should point at the directory where you unpacked
-               the snapshot/release. Include the "freeswan-snap2001sep16b"
-               or whatever in it. If you are running from CVS, then
-               you point at the directory where top, klips, etc. are.
-               The script will fix up the directory so that it can be
-               used.
-
-<LI> BASICROOT should be set to the directory used in 2b, or to the directory
-  that you created with RPMs.
-
-<LI> SHAREDIR should be set to the directory used in 2c, to /usr/share
-             for Debian potato users, or to $BASICROOT/usr/share.
-</UL>
-
-<LI> <PRE><CODE>
-cd $TESTINGROOT/utils
-sh make-uml.sh
-</CODE></PRE>
-    It will grind for awhile. If there are errors it will bail.
-    If so, run it under "script" and send the output to bugs@lists.freeswan.org.  
-
-<LI> You will have a bunch of stuff under $POOLSPACE.
-    Open four xterms:
-
-<PRE><CODE>
-    for i in sunrise sunset east west
-    do
-        xterm -name $i -title $i -e $POOLSPACE/$i/start.sh &
-    done
-</CODE></PRE>
-
-<LI> Login as root. Password is "root"
-    (Note, these virtual machines are networked together, but are not
-    configured to talk to the rest of the world.)
-
-<LI> verify that pluto started on east/west, run "ipsec look"
-
-<LI> login to sunrise. run "ping sunset"
-
-<LI> login to west. run "tcpdump -p -i eth1 -n"
-    (tcpdump must be version 3.7.1 or newer)
-
-<LI> Closing a console xterm will shut down that UML.
-
-<LI> You can "make check", if you want to.
-It is run from /c2/freeswan/sandbox/freeswan-1.97.</LI>
-
-</OL>
-
-<H1>Debugging the kernel with GDB</H1>
-
-<P>
-With User-Mode-Linux, you can debug the kernel using GDB.
-See <HREF="http://user-mode-linux.sourceforge.net/debugging.html">http://user-mode-linux.sourceforge.net/debugging.html</A>.
-</P>
-
-<P>
-Typically, one will want to address a test case for a failing situation.
-Running GDB from Emacs, or from other front ends is possible. First start GDB.
-</P>
-<P>
-Tell it to open the UMLPOOL/swan/linux program.
-</P>
-<P>
-Note the PID of GDB:
-<PRE>
-marajade-[projects/freeswan/mgmt/planning] mcr 1029 %ps ax | grep gdb
- 1659 pts/9    SN     0:00 /usr/bin/gdb -fullname -cd /mara4/freeswan/kernpatch/UMLPOOL/swan/ linux
-</PRE>
-</P>
-
-<P>
-Set the following in the environment:
-<PRE>
-UML_east_OPT="debug gdb-pid=1659"
-</PRE>
-</P>
-
-<P>
-Then start the user-mode-linux in the test scheme you wish:
-<PRE>
-marajade-[kernpatch/testing/klips/east-icmp-02] mcr 1220 %../../utils/runme.sh
-</PRE>
-
-The user-mode-linux will stop on boot, giving you a chance to attach to the process:
-
-<PRE>
-(gdb) file linux
-Reading symbols from linux...done.
-(gdb) attach 1
-Attaching to program: /mara4/freeswan/kernpatch/UMLPOOL/swan/linux, process 1
-0xa0118bc1 in kill () at hostfs_kern.c:770
-</PRE>
-
-<P>
-At this point, break points should be created as appropriate.
-</P>
-
-<H2>Other notes about debugging</H2>
-
-<P>
-If you are running a standard test, after all the packets are sent, the UML will
-be shutdown. This can cause problems, because the UML may get terminated while you
-are debugging.
-</P>
-<P>
-The environment variable <CODE>NETJIGWAITUSER</CODE> can be set to "waituser".
-If so, then the testing system will prompt before exiting the test.
-</P>
-
-<H1>User-Mode-Linux mysteries</H1>
-
-<UL>
-<LI> running more than one UML of the same name (e.g. "west") can cause
-  problems.
-<LI> running more than one UML from the same root file system is not
-  a good idea.
-<LI> all this means that running "make check" twice on the same machine
-  is probably not a good idea.
-<LI> occationally, UMLs will get stuck. This can happen like:
-<BLOCK>
-15134 ?        T      0:00 /spare/hugh/uml/uml2.4.18-sept5/umlbuild/east/linux (east) [/bin/sh]           
-15138 ?        T      0:00 /spare/hugh/uml/uml2.4.18-sept5/umlbuild/east/linux (east) [halt]              
- </BLOCK>
-
-these will need to be killed. Note that they are in "T"racing mode.
-<LI> UMLs can also hang, and will report "Tracing myself and I can't get out".
-This is a bug in UML. There are ways to find out what is going on and
-report this to the UML people, but we don't know the magic right now.
-</UL>
-
-<H1>Getting more info from uml_netjig</H1>
-
-<P>
-uml_netjig can be compiled with a built-in tcpdump. This uses not-yet-released
-code from <A HREF="http://www.tcpdump.org/">www.tcpdump.org</A>.
-Please see the instructions in <CODE>testing/utils/uml_netjig/Makefile</CODE>.
-</P>
-
-</body>
-</html>
diff --git a/doc/src/upgrading.html b/doc/src/upgrading.html
deleted file mode 100644
index 0d6401b96..000000000
--- a/doc/src/upgrading.html
+++ /dev/null
@@ -1,260 +0,0 @@
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>Introduction to FreeS/WAN</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, encryption, cryptography, FreeS/WAN, FreeSWAN">
-  <!--
-
-  Written by Claudia Schmeing for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: upgrading.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<A NAME="upgrading"></A><h1>Upgrading to FreeS/WAN 2.x</h1>
-
-
-<H2>New! Built in Opportunistic connections</H2>
-
-<P>Out of the box, FreeS/WAN 2.x will attempt to encrypt all your IP traffic.
-It will try to establish IPsec connections for:</P>
-<UL><LI>
-IP traffic from the Linux box on which you have installed FreeS/WAN, and</LI>
-<LI>
-outbound IP traffic routed through that Linux box (eg. from a protected subnet).</LI>
-</UL>
-<P>FreeS/WAN 2.x uses <STRONG>hidden, automatically enabled 
- <VAR>ipsec.conf</VAR> connections</STRONG> to do this.</P>
-
-<P>This behaviour is part of our campaign to get Opportunistic 
-Encryption (OE) widespread in the Linux world, so that any two Linux boxes can
-encrypt to one another without prearrangement.
-There's one catch, however: you must <A HREF="quickstart.html#quickstart">set 
-up a few DNS records</A> 
-to distribute RSA public keys and (if applicable) IPsec gateway
-information.</P>
-
-<P>If you start FreeS/WAN before you have set up these DNS 
-records, your connectivity will be slow, and 
-messages relating to the built in connections will clutter your logs.
-If you are unable to set up DNS for OE, you will wish to 
-<A HREF="policygroups.html#disable_policygroups">disable the 
-hidden connections</A>.</P>
-
-<A NAME="upgrading.flagday"></A>
-
-<H3>Upgrading Opportunistic Encryption
-to 2.01 (or later)</H3>
-
-<P>As of FreeS/WAN 2.01, Opportunistic Encryption (OE)
-uses DNS TXT resource records (RRs) only (rather than TXT with KEY). 
-This change causes a "flag day". 
-Users of FreeS/WAN 2.00 (or earlier) OE who are upgrading may
-need to post additional resource records.
-</P>
-
-<P>If you are running 
-<A HREF="glossary.html#initiate-only">initiate-only OE</A>, 
-you <em>must</em> put up a TXT record in any forward domain as per our 
-<A HREF="quickstart.html#opp.client">quickstart instructions</A>. This
-replaces your old forward KEY.
-</P>
-
-<P>
-If you are running full OE, you require no updates. You already have 
-the needed TXT record in the reverse domain. 
-However, to facilitate future features, you
-may also wish to publish that TXT record in a forward domain as 
-instructed <A HREF="quickstart.html#opp.incoming">here</A>.
-</P>
-
-<P>If you are running OE on a gateway (and encrypting on behalf of subnetted
-boxes) you require no updates. 
-You already have the required TXT record in your gateway's reverse map,
-and the TXT records for any subnetted boxes require no updating.
-However, to facilitate future features, you may wish to publish your gateway's
- TXT record in a forward domain as shown 
-<A HREF="quickstart.html#opp.incoming">here</A>.
-
-
-<P>
-During the transition, you may wish to leave any old KEY records up for
-some time. They will provide limited backward compatibility. 
-<!--
-For more
-detail on that compatibility, see <A HREF="oe.known-issues">Known Issues with
-OE</A>.
--->
-</P>
-
-<H2>New! Policy Groups</H2>
-
-<P>We want to make it easy for you to declare security policy as it
-applies to IPsec connections.</P>
-
-<P>Policy Groups make it simple to say:
-</P>
-
-<UL>
-<LI>These are the folks I want to talk to in the clear.</LI>
-<LI>These spammers' domains -- I don't want to talk to them at all.</LI>
-<LI>To talk to the finance department, I must use IPsec.</LI>
-<LI>For any other communication, try to encrypt, but it's okay if we can't.</LI></UL>
-
-<P>FreeS/WAN then implements these policies, creating OE connections
-if and when needed.
-You can use Policy Groups along with connections you explicitly 
-define in ipsec.conf.</P>
-
-<P>For more information, see our
-<A HREF="policygroups.html">Policy Group HOWTO</A>.</P>
-
-
-<H2>New! Packetdefault Connection</H2>
-
-<P>Free/SWAN 2.x ships with the <STRONG>automatically enabled, hidden
-connection</STRONG> <VAR>packetdefault</VAR>. This configures
-a FreeS/WAN box as an OE gateway for any hosts located
-behind it. As mentioned above, you must configure some 
-<A HREF="quickstart.html">DNS records</A> for 
-OE to work.</P>
-<P>As the name implies, this connection functions as a default. If you
-have more specific connections, such as policy groups which configure 
-your FreeS/WAN box as an OE gateway for a local subnet, these 
-will apply before <VAR>packetdefault</VAR>. You can view 
-<VAR>packetdefault</VAR>'s specifics in 
-<A HREF="manpage.d/ipsec.conf.5.html">man ipsec.conf</A>.
-</P>
-
-
-<H2>FreeS/WAN now disables Reverse Path Filtering</H2>
-
-<P>FreeS/WAN often doesn't work with reverse path filtering. At
-start time, FreeS/WAN now turns rp_filter off, and logs a warning.</P>
-
-<P>FreeS/WAN does not turn it back on again. 
-You can do this yourself with a command like:</P>
-
-<PRE>   echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter</PRE>
-
-<P>For eth0, substitute the interface which FreeS/WAN was affecting.</P>
-
-
-<A NAME="ipsec.conf_v2"></A><H2>Revised <VAR>ipsec.conf</VAR></H2>
-
-<H3>No promise of compatibility</H3>
-
-<P>The FreeS/WAN team promised config-file compatibility throughout
-the 1.x series. That means a 1.5 config file can be directly imported into
-a fresh 1.99 install with no problems.</P>
-
-<P>With FreeS/WAN 2.x, we've given ourselves permission to make the config
-file easier to use. The cost: some FreeS/WAN 1.x configurations will not
-work properly. Many of the new features are, however, backward compatible.</P>
-
-
-<H3>Most <VAR>ipsec.conf</VAR> files will work fine</H3>
-
-<P>... so long as you paste this line, <STRONG>with no preceding 
-whitespace</STRONG>,
- at the top of your config file:
-</P>
-
-<PRE>    version 2</PRE>
-
-<H3>Backward compatibility patch</H3>
-
-<P>If the new defaults bite you, use 
-<A HREF="ipsec.conf.2_to_1">
-this <VAR>ipsec.conf</VAR> fragment</A> to simulate the old default values.</P>
-
-
-<H3>Details</H3>
-
-<P>
-We've obsoleted various directives which almost no one was using:
-</P>
-<PRE>    dump
-    plutobackgroundload
-    no_eroute_pass
-    lifetime
-    rekeystart
-    rekeytries</PRE>
-
-<P>For most of these, there is some other way to elicit the desired behaviour.
-See <A HREF="http://lists.freeswan.org/pipermail/design/2002-August/003243.html">
-this post</A>.
-
-<P>
-We've made some settings, which almost everyone was using, defaults.
-For example:
-</P>
-
-<PRE>    interfaces=%defaultroute
-    plutoload=%search
-    plutostart=%search
-    uniqueids=yes</PRE>
-
-<P>We've also changed some default values to help with OE and Policy Groups:</P>
-
-<PRE>    authby=rsasig   ## not secret!!!
-    leftrsasigkey=%dnsondemand ## looks up missing keys in DNS when needed.
-    rightrsasigkey=%dnsondemand</PRE>
-
-<P>
-Of course, you can still override any defaults by explictly declaring something
-else in your connection.
-</P>
-
-<P>  
-<A HREF="http://lists.freeswan.org/pipermail/design/2002-August/003243.html">A post with a list of many ipsec.conf changes.</A><BR>
-<A HREF="manpage.d/ipsec.conf.5.html">Current ipsec.conf manual.</A>
-</P>
-
-
-<A NAME="upgrading.rpms"></A><H3>Upgrading from 1.x RPMs to 2.x RPMs</H3>
-
-<P>Note: When upgrading from 1-series to 2-series RPMs, 
-<VAR>rpm -U</VAR> will not work.</P>
-
-<P>You must instead erase the 1.x RPMs, then install the 2.x set:</P>
-<PRE>    rpm -e freeswan</PRE>
-<PRE>    rpm -e freeswan-module</PRE>
-
-<P>On erasing, your old <VAR>ipsec.conf</VAR> should be moved to 
-<VAR>ipsec.conf.rpmsave</VAR>.
-Keep this. You will probably want to copy your existing connections to the 
-end of your new 2.x file.</P>
-
-<P>Install the RPMs suitable for your kernel version, such as:</P>
-<PRE>    rpm -ivh freeswan-module-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<PRE>    rpm -ivh freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-
-
-
-<P>Or, to splice the files:</P>
-
-<PRE>    cat /etc/ipsec.conf /etc/ipsec.conf.rpmsave > /etc/ipsec.conf.tmp
-    mv /etc/ipsec.conf.tmp /etc/ipsec.conf</PRE>
-
-<P>Then, remove the redundant <VAR>conn %default</VAR> and 
-<VAR>config setup</VAR>
-sections. Unless you have done any special configuring here, you'll likely
-want to remove the 1.x versions. Remove <VAR>conn OEself</VAR>, if
-present.</P>
-
-
-
-</body>
-</html>
diff --git a/doc/src/user_examples.html b/doc/src/user_examples.html
deleted file mode 100755
index 5e3784858..000000000
--- a/doc/src/user_examples.html
+++ /dev/null
@@ -1,322 +0,0 @@
-<html>
-<head>
-<title>FreeS/WAN examples</title>
-<meta name="keywords" content="Linux, IPsec, VPN, security, FreeSWAN, examples">
-
-<!--
-
-Written by Sandy Harris for the Linux FreeS/WAN project
-Freely distributable under the GNU General Public License
-
-More information at www.freeswan.org
-Feedback to users@lists.freeswan.org
-
-CVS information:
-RCS ID:          $Id: user_examples.html,v 1.1 2004/03/15 20:35:24 as Exp $
-Last changed:    $Date: 2004/03/15 20:35:24 $
-Revision number: $Revision: 1.1 $
-
-CVS revision numbers do not correspond to FreeS/WAN release numbers.
--->
-</head>
-
-<body>
-
-<h1><a name="user.examples">FreeS/WAN script examples</a></h1>
-
-This file is intended to hold a collection of user-written example
-scripts or configuration files for use with FreeS/WAN.
-<p>
-So far it has only one entry.
-
-<h2><a name="poltorak">Poltorak's Firewall script</a></h2>
-
-<pre>
-From: Poltorak Serguei &lt;poltorak@dataforce.net&gt;
-Subject: [Users] Using FreeS/WAN
-Date: Tue, 16 Oct 2001
-
-Hello.
-
-I'm using FreeS/WAN IPsec for half a year. I learned a lot of things about
-it and I think it would be interesting for someone to see the result of my
-experiments and usage of FreeS/WAN. If you find a mistake in this
-file, please e-mail me. And excuse me for my english... I'm learning.. :)
-
-I'll talk about vary simple configuration:
-
-addresses prefix = 192.168
-
-    lan1          sgw1     .0.0/24 (Internet)       sgw2            lan2
-  .1.0/24---[ .1.1 ; .0.1 ]===================[ .0.10 ; . 2.10 ]---.2.0/24
-
-
-We need to let lan1 see lan2 across Internet like it is behind sgw1. The
-same for lan2. And we need to do IPX bridge for Novel Clients and NDS
-synchronization.
-
-my config:
-------------------- ipsec.conf -------------------
-conn lan1-lan2
-        type=tunnel
-        compress=yes
-        #-------------------
-        left=192.168.0.1
-        leftsubnet=192.168.1.0/24
-        #-------------------
-        right=192.168.0.10
-        rightsubnet=192.168.2.0/24
-        #-------------------
-        auth=esp
-        authby=secret
---------------- end of ipsec.conf ----------------
-
-ping .2.x from .1.y   (y != 1)
-It works?? Fine. Let's continue...
-
-Why y != 1 ?? Because kernel of sgw1 have 2 IP addresses and it will choose
-the first IP (which is used to go to Internet) .0.1 and the packet won't go
-through IPsec tunnel :(  But if do ping on .1.1 kernel will respond from
-that address (.1.1) and the packet will be tunneled. The same problem occurred then
-.2.x sends a packet to .1.2 which is down at the moment. What happens? .1.1
-sends ARP requesting .1.2... after 3 tries it send to .2.x an destunreach,
-but from his "natural" IP or .0.1 . So the error message won't be delivered!
-It's a big problem...
-
-Resolution... One can manipulate with ipsec0 or ipsec0:0 to solve the
-problem (if ipsec0 has .1.1 kernel will send packets correctly), but there
-are powerful and elegant iproute2 :) We simply need to change source address
-of packet that goes to other secure lan. This is done with
-
-ip route replace 192.168.2.0/24 via 192.168.0.10 dev ipsec0 src 192.168.1.1
-
-Cool!! Now it works!!
-
-The second step. We want install firewall on sgw1 and sgw2. Encryption of 
-traffic without security isn't a good idea. I don't use {left|right}firewall, 
-because I'm running firewall from init scripts.
-
-We want IPsec data between lan1-lan2, some ICMP errors (destination
-unreachable, TTL exceeded, parameter problem and source quench), replying on 
-pings from both lans and Internet, ipxtunnel data for IPX and of course SSH
-between sgw1 and sgw2 and from/to one specified host.
-
-I'm using ipchains. With iptables there are some changes.
-
----------------- rc.firewall ---------------------
-#!/bin/sh
-#
-# Firewall for IPsec lan1-lan2
-#
-
-IPC=/sbin/ipchains
-ANY=0.0.0.0/0
-
-# left
-SGW1_EXT=192.168.0.1
-SGW1_INT=192.168.1.1
-LAN1=192.168.1.0/24
-
-# right
-SGW2_EXT=192.168.0.10
-SGW2_INT=192.168.2.10
-LAN2=192.168.2.0/24
-
-# SSH from and to this host
-SSH_PEER_HOST=_SOME_HOST_
-
-# this is for left. exchange these values for right.
-MY_EXT=$SGW1_EXT
-MY_INT=$SGW1_INT
-PEER_EXT=$SGW2_EXT
-PEER_INT=$SGW2_INT
-INT_IF=eth1
-EXT_IF=eth0
-IPSEC_IF=ipsec0
-MY_LAN=$LAN1
-PEER_LAN=$LAN2
-
-$IPC -F
-$IPC -P input DENY
-$IPC -P forward DENY
-$IPC -P output DENY
-
-# Loopback traffic
-$IPC -A input -i lo -j ACCEPT
-$IPC -A output -i lo -j ACCEPT
-
-# for IPsec SGW1-SGW2
-## IKE
-$IPC -A input -p udp -s $PEER_EXT 500 -d $MY_EXT 500 -i $EXT_IF -j ACCEPT
-$IPC -A output -p udp -s $MY_EXT 500 -d $PEER_EXT 500 -i $EXT_IF -j ACCEPT
-## ESP
-$IPC -A input -p 50 -s $PEER_EXT -d $MY_EXT -i $EXT_IF -j ACCEPT
-### we don't need this line ### $IPC -A output -p 50 -s $MY_EXT -d $PEER_EXT -i $EXT_IF -j ACCEPT
-## forward LAN1-LAN2
-$IPC -A forward -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
-$IPC -A forward -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
-$IPC -A output -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
-$IPC -A input -s $PEER_LAN -d $MY_LAN -i $IPSEC_IF -j ACCEPT
-$IPC -A input -s $MY_LAN -d $PEER_LAN -i $INT_IF -j ACCEPT
-$IPC -A output -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
-
-# ICMP
-#
-## Dest unreachable
-### from/to Internet
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Source quench
-### from/to Internet
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Parameter problem
-### from/to Internet
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Time To Live exceeded
-### from/to Internet
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### to Lan
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### to Peer Lan
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-
-# ICMP PINGs
-## from Internet
-$IPC -A input -p icmp -s $ANY -d $MY_EXT --icmp-type echo-request  -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_EXT -d $ANY --icmp-type echo-reply  -i $EXT_IF -j ACCEPT
-## from LAN
-$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply  -i $INT_IF -j ACCEPT
-## from Peer LAN
-$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply  -i $IPSEC_IF -j ACCEPT
-
-# SSH
-## from SSH_PEER_HOST
-$IPC -A input -p tcp -s $SSH_PEER_HOST -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $SSH_PEER_HOST -i $EXT_IF -j ACCEPT
-## to SSH_PEER_HOST
-$IPC -A input -p tcp \! -y -s $SSH_PEER_HOST 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp -s $MY_EXT -d $SSH_PEER_HOST 22 -i $EXT_IF -j ACCEPT
-## from PEER
-$IPC -A input -p tcp -s $PEER_EXT -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $PEER_EXT -i $EXT_IF -j ACCEPT
-## to PEER
-$IPC -A input -p tcp \! -y -s $PEER_EXT 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp -s $MY_EXT -d $PEER_EXT 22 -i $EXT_IF -j ACCEPT
-
-# ipxtunnel
-$IPC -A input -p udp -s $PEER_INT 2005 -d $MY_INT 2005 -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p udp -s $MY_INT 2005 -d $PEER_INT 2005 -i $IPSEC_IF -j ACCEPT
-
----------------- end of rc.firewall ----------------------
-
-To understand this we need to look on this scheme:
-
-           ++-----------------------&lt;----------------------------+
-           || ipsec0                                             |
-           \/                                                    |
- eth0  +--------+    /---------/ yes  /---------/ yes +-----------------------+
-------&gt;| INPUT  |--&gt;/ ?local? /-----&gt;/ ?IPsec? /-----&gt;| decrypt & decapsulate |
- eth1  +--------+  /---------/      /---------/       +-----------------------+
-                       || no            || no
-                       \/               \/
-                  +----------+      +---------+        +-------+
-                  | routing  |      |  local  |        | local |
-                  | decision |      | deliver |        | send  |
-                  +----------+      +---------+        +-------+
-                       ||                                 ||
-                       \/                                 \/
-                   +---------+                       +----------+
-                   | forward |                       | routing  |
-                   +---------+                       | decision |
-                       ||                            +----------+
-                       ||                                  ||
-                       ++----------------&lt;-----------------++
-                       ||
-                       \/
-                   +--------+ eth0
-                   | OUTPUT | eth1
-                   +--------+ ipsec0
-                       ||
-                       \/
-                   /---------/ yes +-----------------------+
-                  / ?IPsec? /-----&gt;| encrypt & encapsulate |
-                 /---------/       +-----------------------+
-                      || no                    ||
-                      ||                       ||
-                      ||                       \/   eth0, eth1
-                      ++-----------------------++--------------&gt;
-
-This explain how a packet traverse TCP/IP stack in IPsec capable kernel.
-
-FIX ME, please, if there are any errors
-
-Test the new firewall now.
-
-
-Now about IPX. I tried 3 programs for tunneling IPX: tipxd, SIB and ipxtunnel
-
-tipxd didn't send packets.. :(
-SIB and ipxtunnel worked fine :)
-With ipxtunnel there was a little problem. In sources there are an error.
-
---------------------- in main.c ------------------------
-&lt;       bytes += p.len;
----
-&gt;       bytes += len;
---------------------------------------------------------
-
-After this FIX everything goes right...
-
-------------------- /etc/ipxtunnel.conf ----------------
-port    2005
-remote  192.168.101.97    2005
-interface eth1
---------------- end of /etc/ipxtunnel.conf -------------
-
-I use IPX tunnel between .1.1 and .2.10 so we don't need to encrypt nor
-authenticate encapsulated IPX packets, it is done with IPsec.
-
-If you don't wont to use iproute2 to change source IP you need to use SIB
-(it is able to bind local address) or establish tunnel between .0.1 and
-.0.10 (external IPs, you need to do encryption in the program, but it isn't
-strong).
-
-For now I'm using ipxtunnel.
-
-I think that's all for the moment. If there are any error, please e-mail me: 
-poltorak@df.ru . It would be cool if someone puts the scheme of TCP/IP in
-kernel and firewall example on FreeS/WAN's manual pages.
-
-PoltoS
-</pre>
-
-</body>
-</html>
\ No newline at end of file
diff --git a/doc/src/web.html b/doc/src/web.html
deleted file mode 100644
index 19df6ffa6..000000000
--- a/doc/src/web.html
+++ /dev/null
@@ -1,905 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
-    "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-  <meta http-equiv="Content-Type" content="text/html">
-  <title>FreeS/WAN web links</title>
-  <meta name="keywords"
-  content="Linux, IPsec, VPN, security, FreeSWAN, links, web">
-  <!--
-
-  Written by Sandy Harris for the Linux FreeS/WAN project
-  Freely distributable under the GNU General Public License
-
-  More information at www.freeswan.org
-  Feedback to users@lists.freeswan.org
-
-  CVS information:
-  RCS ID:          $Id: web.html,v 1.1 2004/03/15 20:35:24 as Exp $
-  Last changed:    $Date: 2004/03/15 20:35:24 $
-  Revision number: $Revision: 1.1 $
-
-  CVS revision numbers do not correspond to FreeS/WAN release numbers.
-  -->
-</head>
-
-<body>
-<h1><a name="weblink">Web links</a></h1>
-
-<h2><a name="freeswan">The Linux FreeS/WAN Project</a></h2>
-
-<p>The main project web site is <a
-href="http://www.freeswan.org/">www.freeswan.org</a>.</p>
-
-<p>Links to other project-related <a href="intro.html#sites">sites</a> are
-provided in our introduction section.</p>
-
-<h3><a name="patch">Add-ons and patches for FreeS/WAN</a></h3>
-
-<p>Some user-contributed patches have been integrated into the FreeS/WAN
-distribution. For a variety of reasons, those listed below have not.</p>
-
-<p>Note that not all patches are a good idea.</p>
-<ul>
-  <li>There are a number of "features" of IPsec which we do not implement
-    because they reduce security. See this <a
-    href="compat.html#dropped">discussion</a>. We do not recommend using
-    patches that implement these. One example is aggressive mode.</li>
-  <li>We do not recommend adding "features" of any sort unless they are
-    clearly necessary, or at least have clear benefits. For example,
-    FreeS/WAN would not become more secure if it offerred a choice of 14
-    ciphers. If even one was flawed, it would certainly become less secure
-    for anyone using that cipher. Even with 14 wonderful ciphers, it would be
-    harder to maintain and administer, hence more vulnerable to various human
-    errors.</li>
-</ul>
-
-<p>This is not to say that patches are necessarily  bad, only that using them
-requires some deliberation. For example, there might be perfectly good
-reasons to add a specific cipher in your application: perhaps GOST to comply
-with government standards in Eastern Europe, or AES for performance
-benefits.</p>
-
-<h4>Current patches</h4>
-
-<p>Patches believed current::</p>
-<ul>
-  <li>patches for <a href="http://www.strongsec.com/freeswan/">X.509
-    certificate support</a>, also available from a <a
-    href="http://www.twi.ch/~sna/strongsec/freeswan/">mirror site</a></li>
-  <li>patches to add <a href="http://www.irrigacion.gov.ar/juanjo/ipsec">AES
-    and other ciphers</a>. There is preliminary data indicating AES gives a
-    substantial <a href="performance.html#perf.more">performance
-  gain</a>.</li>
-</ul>
-
-<p>There is also one add-on that takes the form of a modified FreeS/WAN
-distribution, rather than just patches to the standard distribution:</p>
-<ul>
-  <li><a href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6
-    support</a></li>
-</ul>
-
-<p>Before using any of the above,, check the <a href="mail.html">mailing
-lists</a> for news of newer versions and to see whether they have been
-incorporated into more recent versions of FreeS/WAN.</p>
-
-<h4>Older patches</h4>
-<ul>
-  <li><a href="http://sources.colubris.com/en/projects/FreeSWAN/">hardware
-    acceleration</a></li>
-  <li>a <a href="http://tzukanov.narod.ru/">series</a> of patches that
-    <ul>
-      <li>provide GOST, a Russian gov't. standard cipher, in MMX
-      assembler</li>
-      <li>add GOST to OpenSSL</li>
-      <li>add GOST to the International kernel patch</li>
-      <li>let FreeS/WAN use International kernel patch ciphers</li>
-    </ul>
-  </li>
-  <li>Neil Dunbar's patches for <a
-    href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">certificate
-    support</a>, using code from <a href="http://www.openssl.org">Open
-    SSL</a>.</li>
-  <li>Luc Lanthier's <a
-    href="ftp://ftp.netwinder.org/users/f/firesoul/">patches</a> for <a
-    href="glossary.html#PKIX">PKIX</a> support.</li>
-  <li><a href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</a>
-    to add <a href="glossary.html#blowfish">Blowfish</a>, <a
-    href="glossary.html#IDEA">IDEA</a> and <a
-    href="glossary.html#CAST128">CAST-128</a> to FreeS/WAN</li>
-  <li>patches for FreeS/WAN 1.3, Pluto support for <a
-    href="http://alcatraz.webcriminals.com/~bastiaan/ipsec/">external
-    authentication</a>, for example with a smartcard or SKEYID.</li>
-  <li><a href="http://www.zengl.net/freeswan/download/">patches and
-    utilities</a> for using FreeS/WAN with PGPnet</li>
-  <li><a
-    href="http://www.freelith.com/lithworks/crypto/freeswan_patch.htm">Blowfish
-    encryption and Tiger hash</a></li>
-  <li><a
-    href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">patches</a>
-    for aggressive mode support</li>
-</ul>
-
-<p>These patches are for older versions of FreeS/WAN and will likely not work
-with the current version.  Older versions of FreeS/WAN may be available on
-some of the <a href="intro.html#sites">distribution sites</a>, but we
-recommend using the current release.</p>
-
-<h4><a name="VPN.masq">VPN masquerade patches</a></h4>
-
-<p>Finally, there are some patches to other code that may be useful with
-FreeS/WAN:</p>
-<ul>
-  <li>a <a
-    href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">patch</a>
-    to make IPsec, PPTP and SSH VPNs work through a Linux firewall with <a
-    href="glossary.html#masq">IP masquerade</a>.</li>
-  <li><a href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">Linux
-    VPN Masquerade HOWTO</a></li>
-</ul>
-
-<p>Note that this is not required if the same machine does IPsec and
-masquerading, only if you want a to locate your IPsec gateway on a
-masqueraded network. See our <a href="firewall.html#NAT">firewalls</a>
-document for discussion of why this is problematic.</p>
-
-<p>At last report, this patch could not co-exist with FreeS/WAN on the same
-machine.</p>
-
-<h3><a name="dist">Distributions including FreeS/WAN</a></h3>
-
-<p>The introductory section of our document set lists several <a
-href="intro.html#distwith">Linux distributions</a> which include
-FreeS/WAN.</p>
-
-<h3><a name="used">Things FreeS/WAN uses or could use</a></h3>
-<ul>
-  <li><a href="http://openpgp.net/random">/dev/random</a> support page,
-    discussion of and code for the Linux <a
-    href="glossary.html#random">random number driver</a>. Out-of-date when we
-    last checked (January 2000), but still useful.</li>
-  <li>other programs related to random numbers:
-    <ul>
-      <li><a href="http://www.mindrot.org/audio-entropyd.html">audio entropy
-        daemon</a> to gather noise from a sound card and feed it into
-        /dev/random</li>
-      <li>an <a href="http://www.lothar.com/tech/crypto/">entropy-gathering
-        daemon</a></li>
-      <li>a driver for the random number generator in recent <a
-        href="http://sourceforge.net/projects/gkernel/">Intel chipsets</a>.
-        This driver is included as standard in 2.4 kernels.</li>
-    </ul>
-  </li>
-  <li>a Linux <a href="http://www.marko.net/l2tp/">L2TP Daemon</a> which
-    might be useful for communicating with Windows 2000 which builds L2TP
-    tunnels over its IPsec connections</li>
-  <li>to use opportunistic encryption, you need a recent version of <a
-    href="glossary.html#BIND">BIND</a>. You can get one from the <a
-    href="http://www.isc.org">Internet Software Consortium</a> who maintain
-    BIND.</li>
-</ul>
-
-<h3><a name="alternatives">Other approaches to VPNs for Linux</a></h3>
-<ul>
-  <li>other Linux <a href="#linuxipsec">IPsec implementations</a></li>
-  <li><a href="http://www.tik.ee.ethz.ch/~skip/">ENskip</a>, a free
-    implementation of Sun's <a href="glossary.html#SKIP">SKIP</a>
-  protocol</li>
-  <li><a href="http://sunsite.auc.dk/vpnd/">vpnd</a>, a non-IPsec VPN daemon
-    for Linux which creates tunnels using <a
-    href="glossary.html#Blowfish">Blowfish</a> encryption</li>
-  <li><a href="http://www.winton.org.uk/zebedee/">Zebedee</a>, a simple GPLd
-    tunnel-building program with Linux and Win32 versions. The name is from
-    <strong>Z</strong>lib compression, <strong>B</strong>lowfish encryption
-    and <strong>D</strong>iffie-Hellman key exchange.</li>
-  <li>There are at least two  PPTP implementations for Linux
-    <ul>
-      <li>Moreton Bay's <a
-        href="http://www.moretonbay.com/vpn/pptp.html">PoPToP</a></li>
-      <li><a
-        href="http://cag.lcs.mit.edu/~cananian/Projects/PPTP/">PPTP-Linux</a></li>
-    </ul>
-  </li>
-  <li><a href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</a>
-    (crypto IP encapsulation) project, using their own lightweight protocol
-    to encrypt between routers</li>
-  <li><a href="http://tinc.nl.linux.org/">tinc</a>, a VPN Daemon</li>
-</ul>
-
-<p>There is a list of <a
-href="http://www.securityportal.com/lskb/10000000/kben10000005.html">Linux
-VPN</a> software in the <a
-href="http://www.securityportal.com/lskb/kben00000001.html">Linux Security
-Knowledge Base</a>.</p>
-
-<h2><a name="ipsec.link">The IPsec Protocols</a></h2>
-
-<h3><a name="general">General IPsec or VPN information</a></h3>
-<ul>
-  <li>The <a href="http://www.vpnc.org">VPN Consortium</a> is a group for
-    vendors of IPsec products. Among other things, they have a good
-    collection of <a href="http://www.vpnc.org/white-papers.html">IPsec white
-    papers</a>.</li>
-  <li>A VPN mailing list with a <a
-    href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">home page</a>, a FAQ,
-    some product comparisons, and many links.</li>
-  <li><a href="http://www.opus1.com/vpn/index.html">VPN pointer page</a></li>
-  <li>a <a href="http://www.epm.ornl.gov/~dunigan/vpn.html">collection</a> of
-    VPN links, and some explanation</li>
-</ul>
-
-<h3><a name="overview">IPsec overview documents or slide sets</a></h3>
-<ul>
-  <li>the FreeS/WAN <a href="ipsec.html">document section</a> on these
-    protocols</li>
-</ul>
-
-<h3><a name="otherlang">IPsec information in languages other than
-English</a></h3>
-<ul>
-  <li><a
-    href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">German</a></li>
-  <li><a href="http://www.kame.net/index-j.html">Japanese</a></li>
-  <li>Feczak Szabolcs' thesis in <a
-    href="http://feczo.koli.kando.hu/vpn/">Hungarian</a></li>
-  <li>Davide Cerri's thesis and some presentation slides <a
-    href="http://www.linux.it/~davide/doc/">Italian</a></li>
-</ul>
-
-<h3><a name="RFCs1">RFCs and other reference documents</a></h3>
-<ul>
-  <li><a href="rfc.html">Our document</a> listing the RFCs relevant to Linux
-    FreeS/WAN and giving various ways of obtaining both RFCs and Internet
-    Drafts.</li>
-  <li><a href="http://www.vpnc.org/vpn-standards.html">VPN Standards</a> page
-    maintained by <a href="glossary.html#VPNC">VPNC</a>. This covers both
-    RFCs and Drafts, and classifies them in a fairly helpful way.</li>
-  <li><a href="http://www.rfc-editor.org">RFC archive</a></li>
-  <li><a href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</a>
-    related to IPsec</li>
-  <li>US government <a href="http://www.itl.nist.gov/div897/pubs"> site</a>
-    with their <a href="glossary.html#FIPS">FIPS</a> standards</li>
-  <li>Archives of the ipsec@tis.com mailing list where discussion of drafts
-    takes place.
-    <ul>
-      <li><a href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern
-      Canada</a></li>
-      <li><a href="http://www.vpnc.org/ietf-ipsec">California</a>.</li>
-    </ul>
-  </li>
-</ul>
-
-<h3><a name="analysis">Analysis and critiques of IPsec protocols</a></h3>
-<ul>
-  <li>Counterpane's <a
-    href="http://www.counterpane.com/ipsec.pdf">evaluation</a> of the
-    protocols</li>
-  <li>Simpson's <a
-    href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">IKE
-    Considered Dangerous</a> paper. Note that this is a link to an archive of
-    our mailing list. There are several replies in addition to the paper
-    itself.</li>
-  <li>Fate Labs <a href="http://www.fatelabs.com/loki-vpn.pdf">Virual Private
-    Problems: the Broken Dream</a></li>
-  <li>Catherine Meadows' paper <cite>Analysis of the Internet Key Exchange
-    Protocol Using the NRL Protocol Analyzer</cite>, in <a
-    href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">PDF</a>
-    or <a
-    href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">Postscript</a>.</li>
-  <li>Perlman and Kaufmnan
-    <ul>
-      <li><a
-        href="http://snoopy.seas.smu.edu/ee8392_summer01/week7/perlman2.pdf">Key
-        Exchange in IPsec</a></li>
-      <li>a newer <a
-        href="http://sec.femto.org/wetice-2001/papers/radia-paper.pdf">PDF
-        paper</a>, <cite>Analysis of the IPsec Key Exchange
-      Standard</cite>.</li>
-    </ul>
-  </li>
-  <li>Bellovin's <a
-    href="http://www.research.att.com/~smb/papers/index.html">papers</a> page
-    including his:
-    <ul>
-      <li><cite>Security Problems in the TCP/IP Protocol Suite</cite>
-      (1989)</li>
-      <li><cite>Problem Areas for the IP Security Protocols</cite> (1996)</li>
-      <li><cite>Probable Plaintext Cryptanalysis of the IP Security
-        Protocols</cite> (1997)</li>
-    </ul>
-  </li>
-  <li>An <a href="http://www.lounge.org/ike_doi_errata.html">errata list</a>
-    for the IPsec RFCs.</li>
-</ul>
-
-<h3><a name="IP.background">Background information on IP</a></h3>
-<ul>
-  <li>An <a href="http://ipprimer.windsorcs.com/">IP tutorial</a> that seems
-    to be written mainly for Netware or Microsoft LAN admins entering a new
-    world</li>
-  <li><a href="http://www.iana.org">IANA</a>, Internet Assigned Numbers
-    Authority</li>
-  <li><a href="http://public.pacbell.net/dedicated/cidr.html">CIDR</a>,
-    Classless Inter-Domain Routing</li>
-  <li>Also see our <a href="biblio.html">bibliography</a></li>
-</ul>
-
-<h2><a name="implement">IPsec Implementations</a></h2>
-
-<h3><a name="linuxprod">Linux products</a></h3>
-
-<p>Vendors using FreeS/WAN in turnkey firewall or VPN products are listed in
-our <a href="intro.html#turnkey">introduction</a>.</p>
-
-<p>Other vendors have Linux IPsec products which, as far as we know, do not
-use FreeS/WAN</p>
-<ul>
-  <li><a href="http://www.redcreek.com/products/shareware.html">Redcreek</a>
-    provide an open source Linux driver for their PCI hardware VPN card. This
-    card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more specialised
-    crypto chips, and claimed encryption performance of 45 Mbit/sec. The PC
-    sees it as an Ethernet board.</li>
-  <li><a href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</a>
-    offer a Linux-based VPN with hardware encryption</li>
-  <li><a href="http://www.watchguard.com/">Watchguard</a> use Linux in their
-    Firebox product.</li>
-  <li><a href="http://www.entrust.com">Entrust</a> offer a developers'
-    toolkit for using their <a href="glossary.html#PKI">PKI</a> for IPsec
-    authentication</li>
-  <li>According to a report on our mailing list, <a
-    href="http://www.axent.com">Axent</a> have a Linux version of their
-    product.</li>
-</ul>
-
-<h3><a name="router">IPsec in router products</a></h3>
-
-<p>All the major router vendors support IPsec, at least in some models.</p>
-<ul>
-  <li><a href="http://www.cisco.com/warp/public/707/16.html">Cisco</a> IPsec
-    information</li>
-  <li>Ascend, now part of <a href="http://www.lucent.com/">Lucent</a>, have
-    some IPsec-based products</li>
-  <li><a href="http://www.nortelnetworks.com/">Bay Networks</a>, now part of
-    Nortel, use IPsec in their Contivity switch product line</li>
-  <li><a href="http://www.3com.com/products/enterprise.html">3Com</a> have a
-    number of VPN products, some using IPsec</li>
-</ul>
-
-<h3><a name="fw.web">IPsec in firewall products</a></h3>
-
-<p>Many firewall vendors offer IPsec, either as a standard part of their
-product, or an optional extra. A few we know about are:</p>
-<ul>
-  <li><a href="http://www.borderware.com/">Borderware</a></li>
-  <li><a href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley
-    Laurent</a></li>
-  <li><a href="http://www.watchguard.com">Watchguard</a></li>
-  <li><a href="http://www.fx.dk/firewall/ipsec.html">Injoy</a> for OS/2</li>
-</ul>
-
-<p>Vendors using FreeS/WAN in turnkey firewall products are listed in our <a
-href="intro.html#turnkey">introduction</a>.</p>
-
-<h3><a name="ipsecos">Operating systems with IPsec support</a></h3>
-
-<p>All the major open source operating systems support IPsec. See below for
-details on <a href="#BSD">BSD-derived</a> Unix variants.</p>
-
-<p>Among commercial OS vendors, IPsec players include:</p>
-<ul>
-  <li><a
-    href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">Microsoft</a>
-    have put IPsec in their Windows 2000 and XP products</li>
-  <li><a
-    href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</a>
-    announce a release of OS390 with IPsec support via a crypto
-  co-processor</li>
-  <li><a
-    href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">Sun</a>
-    include IPsec in Solaris 8</li>
-  <li><a
-    href="http://www.hp.com/security/products/extranet-security.html">Hewlett
-    Packard</a> offer IPsec for their Unix machines</li>
-  <li>Certicom have IPsec available for the <a
-    href="http://www.certicom.com/products/movian/movianvpn_tech.html">Palm</a>.</li>
-  <li>There were reports before the release that Apple's Mac OS X would have
-    IPsec support built in, but it did not seem to be there when we last
-    checked. If you find, it please let us know via the <a
-    href="mail.html">mailing list</a>.</li>
-</ul>
-
-<h3>IPsec on network cards</h3>
-
-<p>Network cards with built-in IPsec acceleration are available from at least
-Intel, 3Com and Redcreek.</p>
-
-<h3><a name="opensource">Open source IPsec implementations</a></h3>
-
-<h4><a name="linuxipsec">Other Linux IPsec implementations</a></h4>
-
-<p>We like to think of FreeS/WAN as <em>the</em> Linux IPsec implementation,
-but it is not the only one. Others we know of are:</p>
-<ul>
-  <li><a href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</a>, a
-    lightweight implementation of IPsec for Linux. Does not require kernel
-    recompilation.</li>
-  <li>Petr Novak's <a href="ftp://ftp.eunet.cz/icz/ipnsec/">ipnsec</a>, based
-    on the OpenBSD IPsec code and using <a
-    href="glossary.html#photuris">Photuris</a> for key management</li>
-  <li>A now defunct project at <a
-    href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">U of
-    Arizona</a> (export controlled)</li>
-  <li><a href="http://snad.ncsl.nist.gov/cerberus">NIST Cerebus</a> (export
-    controlled)</li>
-</ul>
-
-<h4><a name="BSD">IPsec for BSD Unix</a></h4>
-<ul>
-  <li><a href="http://www.kame.net/project-overview.html">KAME</a>, several
-    large Japanese companies co-operating on IPv6 and IPsec</li>
-  <li><a href="http://web.mit.edu/network/isakmp">US Naval Research Lab</a>
-    implementation of IPv6 and of IPsec for IPv4 (export controlled)</li>
-  <li><a href="http://www.openbsd.org">OpenBSD</a> includes IPsec as a
-    standard part of the distribution</li>
-  <li><a href="http://www.r4k.net/ipsec">IPsec for FreeBSD</a></li>
-  <li>a <a href="http://www.netbsd.org/Documentation/network/ipsec/">FAQ</a>
-    on NetBSD's IPsec implementation</li>
-</ul>
-
-<h4><a name="misc">IPsec for other systems</a></h4>
-<ul>
-  <li><a href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of
-    Technolgy</a> have implemented IPsec for Solaris, Java and Macintosh</li>
-</ul>
-
-<h3><a name="interop.web">Interoperability</a></h3>
-
-<p>The IPsec protocols are designed so that different implementations should
-be able to work together. As they say "the devil is in the details". IPsec
-has a lot of details, but considerable success has been achieved.</p>
-
-<h4><a name="result">Interoperability results</a></h4>
-
-<p>Linux FreeS/WAN has been tested for interoperability with many other IPsec
-implementations. Results to date are in our <a
-href="interop.html">interoperability</a> section.</p>
-
-<p>Various other sites have information on interoperability between various
-IPsec implementations:</p>
-<ul>
-  <li><a href="http://www.opus1.com/vpn/atl99display.html">interop
-    results</a> from a bakeoff in Atlanta, September 1999.</li>
-  <li>a French company, HSC's, <a
-    href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">interoperability</a>
-    test data covers FreeS/WAN, Open BSD, KAME, Linux pipsecd, Checkpoint,
-    Red Creek Ravlin, and Cisco IOS</li>
-  <li><a href="http://www.icsa.net/">ICSA</a> offer certification programs
-    for various security-related products. See their list of <a
-    href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
-    certified IPsec</a> products. Linux FreeS/WAN is not currently on that
-    list, but several products with which we interoperate are.</li>
-  <li>VPNC have a page on why they are not yet doing <a
-    href="http://www.vpnc.org/interop.html">interoperability</a> testing and
-    a page on the <a href="http://www.vpnc.org/conformance.html">spec
-    conformance</a> testing that they are doing</li>
-  <li>a <a href="http://www.commweb.com/article/COM20000912S0009">review</a>
-    comparing a dozen commercial IPsec implemetations. Unfortunately, the
-    reviewers did not look at Open Source implementations such as FreeS/WAN
-    or OpenBSD.</li>
-  <li><a
-    href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">results</a>
-    from interoperability tests at a conference. FreeS/WAN was not tested
-    there.</li>
-  <li>test results from the <a
-    href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">IPSEC
-    2000</a> conference</li>
-</ul>
-
-<h4><a name="test1">Interoperability test sites</a></h4>
-<ul>
-  <li><a href="http://www.tahi.org/">TAHI</a>, a Japanese IPv6 testing
-    project with free IPsec validation software</li>
-  <li><a href="http://ipsec-wit.antd.nist.gov">National Institute of
-    Standards and Technology</a></li>
-  <li><a href="http://isakmp-test.ssh.fi/">SSH Communications
-  Security</a></li>
-</ul>
-
-<h2><a name="linux.link">Linux links</a></h2>
-
-<h3><a name="linux.basic">Basic and tutorial Linux information</a></h3>
-<ul>
-  <li>Linux <a
-    href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">Getting
-    Started</a> HOWTO document</li>
-  <li>A getting started guide from the <a
-    href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">U of
-    Oregon</a></li>
-  <li>A large <a href="http://www.herring.org/techie.html">link
-    collection</a> which includes a lot of introductory and tutorial material
-    on Unix, Linux, the net, . . .</li>
-</ul>
-
-<h3><a name="general">General Linux sites</a></h3>
-<ul>
-  <li><a href="http://www.freshmeat.net">Freshmeat</a> Linux news</li>
-  <li><a href="http://slashdot.org">Slashdot</a> "News for Nerds"</li>
-  <li><a href="http://www.linux.org">Linux Online</a></li>
-  <li><a href="http://www.linuxhq.com">Linux HQ</a></li>
-  <li><a href="http://www.tux.org">tux.org</a></li>
-</ul>
-
-<h3><a name="docs.ldp">Documentation</a></h3>
-
-<p>Nearly any Linux documentation you are likely to want can be found at the
-<a href="http://metalab.unc.edu/LDP">Linux Documentation Project</a> or
-LDP.</p>
-<ul>
-  <li><a href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</a>
-    guide to Linux information sources</li>
-  <li>The LDP's HowTo documents are a standard Linux reference. See this <a
-    href="http://www.linuxdoc.org/docs.html#howto">list</a>. Documents there
-    most relevant to a FreeS/WAN gateway are:
-    <ul>
-      <li><a href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel
-        HOWTO</a></li>
-      <li><a
-        href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">Networking
-        Overview HOWTO</a></li>
-      <li><a
-        href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">Security
-        HOWTO</a></li>
-    </ul>
-  </li>
-  <li>The LDP do a series of Guides, book-sized publications with more detail
-    (and often more "why do it this way?") than the HowTos. See this <a
-    href="http://www.linuxdoc.org/guides.html">list</a>. Documents there most
-    relevant to a FreeS/WAN gateway are:
-    <ul>
-      <li><a href="http://www.tml.hut.fi/~viu/linux/sag/">System
-        Administrator's Guide</a></li>
-      <li><a href="http://www.linuxdoc.org/LDP/nag2/index.html">Network
-        Adminstrator's Guide</a></li>
-      <li><a href="http://www.seifried.org/lasg/">Linux Administrator's
-        Security Guide</a></li>
-    </ul>
-  </li>
-</ul>
-
-<p>You may not need to go to the LDP to get this material. Most Linux
-distributions include the HowTos on their CDs and several include the Guides
-as well. Also, most of the Guides and some collections of HowTos are
-available in book form from various publishers.</p>
-
-<p>Much of the LDP material is also available in languages other than
-English. See this <a href="http://www.linuxdoc.org/links/nenglish.html">LDP
-page</a>.</p>
-
-<h3><a name="advroute.web">Advanced routing</a></h3>
-
-<p>The Linux IP stack has some new features in 2.4 kernels. Some HowTos have
-been written:</p>
-<ul>
-  <li>several HowTos for the <a
-    href="http://netfilter.samba.org/unreliable-guides/">netfilter</a>
-    firewall code in newer kernels</li>
-  <li><a
-    href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">2.4
-    networking</a> HowTo</li>
-  <li><a
-    href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">2.4
-    routing</a> HowTo</li>
-</ul>
-
-<h3><a name="linsec">Security for Linux</a></h3>
-
-<p>See also the <a href="#docs.ldp">LDP material</a> above.</p>
-<ul>
-  <li><a
-    href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">Trinity
-    OS guide to setting up Linux</a></li>
-  <li><a href="http://www.deter.com/unix">Unix security</a> page</li>
-  <li><a href="http://linux01.gwdg.de/~alatham/">PPDD</a> encrypting
-    filesystem</li>
-  <li><a href="http://EncryptionHOWTO.sourceforge.net/">Linux Encryption
-    HowTo</a> (outdated when last checked, had an Oct 2000 revision date in
-    March 2002)</li>
-</ul>
-
-<h3><a name="firewall.linux">Linux firewalls</a></h3>
-
-<p>Our <a href="firewall.html">FreeS/WAN and firewalls</a> document includes
-links to several sets of <a href="firewall.html#examplefw">scripts</a> known
-to work with FreeS/WAN.</p>
-
-<p>Other information sources:</p>
-<ul>
-  <li><a href="http://ipmasq.cjb.net/">IP Masquerade resource page</a></li>
-  <li><a href="http://netfilter.samba.org/unreliable-guides/">netfilter</a>
-    firewall code in 2.4 kernels</li>
-  <li>Our list of general <a href="#firewall.web">firewall references</a> on
-    the web</li>
-  <li><a href="http://users.dhp.com/~whisper/mason/">Mason</a>, a tool for
-    automatically configuring Linux firewalls</li>
-  <li>the web cache software <a href="http://www.squid-cache.org/">squid</a>
-    and <a href="http://www.squidguard.org/">squidguard</a> which turns Squid
-    into a filtering web proxy</li>
-</ul>
-
-<h3><a name="linux.misc">Miscellaneous Linux information</a></h3>
-<ul>
-  <li><a href="http://lwn.net/current/dists.php3">Linux distribution
-    vendors</a></li>
-  <li><a href="http://www.linux.org/groups/">Linux User Groups</a></li>
-</ul>
-
-<h2><a name="crypto.link">Crypto and security links</a></h2>
-
-<h3><a name="security">Crypto and security resources</a></h3>
-
-<h4><a name="std.links">The standard link collections</a></h4>
-
-<p>Two enormous collections of links, each the standard reference in its
-area:</p>
-<dl>
-  <dt>Gene Spafford's <a
-  href="http://www.cerias.purdue.edu/coast/hotlist/">COAST hotlist</a></dt>
-    <dd>Computer and network security.</dd>
-  <dt>Peter Gutmann's <a
-  href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Encryption and
-  Security-related Resources</a></dt>
-    <dd>Cryptography.</dd>
-</dl>
-
-<h4><a name="FAQ">Frequently Asked Question (FAQ) documents</a></h4>
-<ul>
-  <li><a href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography
-    FAQ</a></li>
-  <li><a href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</a></li>
-  <li><a href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix
-    Programming FAQ</a></li>
-  <li>FAQs for specific programs are listed in the <a href="#tools">tools</a>
-    section below.</li>
-</ul>
-
-<h4><a name="cryptover">Tutorials</a></h4>
-<ul>
-  <li>Gary Kessler's <a
-    href="http://www.garykessler.net/library/crypto.html">Overview of
-    Cryptography</a></li>
-  <li>Terry Ritter's <a
-    href="http://www.ciphersbyritter.com/LEARNING.HTM">introduction</a></li>
-  <li>Peter Gutman's <a
-    href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">cryptography</a>
-    tutorial (500 slides in PDF format)</li>
-  <li>Amir Herzberg of IBM's sildes for his course <a
-    href="http://www.hrl.il.ibm.com/mpay/course.html">Introduction to
-    Cryptography and Electronic Commerce</a></li>
-  <li>the <a href="http://www.gnupg.org/gph/en/manual/c173.html">concepts
-    section</a> of the <a href="glossary.html#GPG">GNU Privacy Guard</a>
-    documentation</li>
-  <li>Bruce Schneier's self-study <a
-    href="http://www.counterpane.com/self-study.html">cryptanalysis</a>
-  course</li>
-</ul>
-
-<p>See also the <a href="#interesting">interesting papers</a> section
-below.</p>
-
-<h4><a name="standards">Crypto and security standards</a></h4>
-<ul>
-  <li><a href="http://csrc.nist.gov/cc">Common Criteria</a>, new
-    international computer and network security standards to replace the
-    "Rainbow" series</li>
-  <li>AES <a href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
-    Advanced Encryption Standard </a> which will replace DES</li>
-  <li><a href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public key
-    standard</a></li>
-  <li>our collection of links for the <a href="#ipsec.link">IPsec</a>
-    standards</li>
-  <li>history of <a
-    href="http://www.visi.com/crypto/evalhist/index.html">formal
-    evaluation</a> of security policies and implementation</li>
-</ul>
-
-<h4><a name="quotes">Crypto quotes</a></h4>
-
-<p>There are several collections of cryptographic quotes on the net:</p>
-<ul>
-  <li><a href="http://www.eff.org/pub/EFF/quotes.eff">the EFF</a></li>
-  <li><a href="http://www.samsimpson.com/cquotes.php">Sam Simpson</a></li>
-  <li><a href="http://www.amk.ca/quotations/cryptography/page-1.html">AM
-    Kutchling</a></li>
-</ul>
-
-<h3><a name="policy">Cryptography law and policy</a></h3>
-
-<h4><a name="legal">Surveys of crypto law</a></h4>
-<ul>
-  <li>International survey of <a
-    href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm"> crypto
-  law</a>.</li>
-  <li>International survey of <a
-    href="http://rechten.kub.nl/simone/ds-lawsu.htm"> digital signature
-    law</a></li>
-</ul>
-
-<h4><a name="oppose">Organisations opposing crypto restrictions</a></h4>
-<ul>
-  <li>The <a href="glossary.html#EFF">EFF</a>'s archives on <a
-    href="http://www.eff.org/pub/Privacy/">privacy</a> and <a
-    href="http://www.eff.org/pub/Privacy/ITAR_export/">export
-  control</a>.</li>
-  <li><a href="http://www.gilc.org">Global Internet Liberty Campaign</a></li>
-  <li><a href="http://www.cdt.org/crypto">Center for Democracy and
-    Technology</a></li>
-  <li><a href="http://www.privacyinternational.org/">Privacy
-    International</a>, who give out <a
-    href="http://www.bigbrotherawards.org/">Big Brother Awards</a> to snoopy
-    organisations</li>
-</ul>
-
-<h4><a name="other.policy">Other information on crypto policy</a></h4>
-<ul>
-  <li><a href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">RFC 1984</a>, the <a
-    href="glossary.html#IAB">IAB</a> and <a
-    href="glossary.html#IESG">IESG</a> Statement on Cryptographic Technology
-    and the Internet.</li>
-  <li>John Young's collection of <a href="http://cryptome.org/">documents</a>
-    of interest to the cryptography, open government and privacy movements,
-    organized chronologically</li>
-  <li>AT&amp;T researcher Matt Blaze's Encryption, Privacy and Security <a
-    href="http://www.crypto.com">Resource Page</a></li>
-  <li>A good <a href="http://cryptome.org/crypto97-ne.htm">overview</a> of
-    the issues from Australia.</li>
-</ul>
-
-<p>See also our documentation section on the <a href="politics.html">history
-and politics</a> of cryptography.</p>
-
-<h3><a name="crypto.tech">Cryptography technical information</a></h3>
-
-<h4><a name="cryptolinks">Collections of crypto links</a></h4>
-<ul>
-  <li><a href="http://www.counterpane.com/hotlist.html">Counterpane</a></li>
-  <li><a href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter
-    Gutman's links</a></li>
-  <li><a href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI
-  links</a></li>
-  <li><a href="http://crypto.yashy.com/www/">Robert Guerra's links</a></li>
-</ul>
-
-<h4><a name="papers">Lists of online cryptography papers</a></h4>
-<ul>
-  <li><a href="http://www.counterpane.com/biblio">Counterpane</a></li>
-  <li><a
-    href="http://www.cryptography.com/resources/papers">cryptography.com</a></li>
-  <li><a href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</a></li>
-</ul>
-
-<h4><a name="interesting">Particularly interesting papers</a></h4>
-
-<p>These papers emphasize important issues around the use of cryptography,
-and the design and management of secure systems.</p>
-<ul>
-  <li><a href="http://www.counterpane.com/keylength.html">Key length
-    requirements for security</a></li>
-  <li><a href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why
-    Cryptosystems Fail</a></li>
-  <li><a href="http://www.cdt.org/crypto/risks98/">Risks of escrowed
-    encryption</a></li>
-  <li><a href="http://www.counterpane.com/pitfalls.html">Security pitfalls in
-    cryptography</a></li>
-  <li><a href="http://www.acm.org/classics/sep95">Reflections on Trusting
-    Trust</a>, Ken Thompson on Trojan horse design</li>
-  <li><a href="http://www.apache-ssl.org/disclosure.pdf">Security against
-    Compelled Disclosure</a>, how to maintain privacy in the face of legal or
-    other coersion</li>
-</ul>
-
-<h3><a name="compsec">Computer and network security</a></h3>
-
-<h4><a name="seclink">Security links</a></h4>
-<ul>
-  <li><a href="http://www.cs.purdue.edu/coast/hotlist">COAST Hotlist</a></li>
-  <li>DMOZ open directory project <a
-    href="http://dmoz.org/Computers/Security/">computer security</a>
-  links</li>
-  <li><a href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet Yee</a></li>
-  <li>Mike Fuhr's <a
-    href="http://www.fuhr.org/~mfuhr/computers/security.html">link
-    collection</a></li>
-  <li><a href="http://www.networkintrusion.co.uk/">links</a> with an emphasis
-    on intrusion detection</li>
-</ul>
-
-<h4><a name="firewall.web">Firewall links</a></h4>
-<ul>
-  <li><a href="http://www.cs.purdue.edu/coast/firewalls">COAST
-  firewalls</a></li>
-  <li><a href="http://www.zeuros.co.uk">Firewalls Resource page</a></li>
-</ul>
-
-<h4><a name="vpn">VPN links</a></h4>
-<ul>
-  <li><a href="http://www.vpnc.org">VPN Consortium</a></li>
-  <li>First VPN's <a href="http://www.firstvpn.com/research/rhome.html">white
-    paper</a> collection</li>
-</ul>
-
-<h4><a name="tools">Security tools</a></h4>
-<ul>
-  <li>PGP -- mail encryption
-    <ul>
-      <li><a href="http://www.pgp.com/">PGP Inc.</a> (part of NAI) for
-        commercial versions</li>
-      <li><a href="http://web.mit.edu/network/pgp.html">MIT</a> distributes
-        the NAI product for non-commercial use</li>
-      <li><a href="http://www.pgpi.org/">international</a> distribution
-      site</li>
-      <li><a href="http://gnupg.org">GNU Privacy Guard (GPG)</a></li>
-      <li><a href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</a></li>
-    </ul>
-    A message in our mailing list archive has considerable detail on <a
-    href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">available
-    versions</a> of PGP and on IPsec support in them.
-    <p><strong>Note:</strong> A fairly nasty bug exists in all commercial PGP
-    versions from 5.5 through 6.5.3. If you have one of those,
-    <strong>upgrade now</strong>.</p>
-  </li>
-  <li>SSH -- secure remote login
-    <ul>
-      <li><a href="http://www.ssh.fi">SSH Communications Security</a>, for
-        the original software. It is free for trial, academic and
-        non-commercial use.</li>
-      <li><a href="http://www.openssh.com/">Open SSH</a>, the Open BSD team's
-        free replacement</li>
-      <li><a href="http://www.freessh.org/">freessh.org</a>, links to free
-        implementations for many systems</li>
-      <li><a href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH FAQ</a></li>
-      <li><a
-        href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">Putty</a>,
-        an SSH client for Windows</li>
-    </ul>
-  </li>
-  <li>Tripwire saves message digests of your system files. Re-calculate the
-    digests and compare to saved values to detect any file changes. There are
-    several versions available:
-    <ul>
-      <li><a href="http://www.tripwiresecurity.com/">commercial
-      version</a></li>
-      <li><a href="http://www.tripwire.org/">Open Source</a></li>
-    </ul>
-  </li>
-  <li><a href="http://www.snort.org">Snort</a> and <a
-    href="http://www.lids.org">LIDS</a> are intrusion detection system for
-    Linux</li>
-  <li><a href="http://www.fish.com/~zen/satan/satan.html">SATAN</a> System
-    Administrators Tool for Analysing Networks</li>
-  <li><a href="http://www.insecure.org/nmap/">NMAP</a> Network Mapper</li>
-  <li><a href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse
-    Venema's page</a> with various tools</li>
-  <li><a href="http://ita.ee.lbl.gov/index.html">Internet Traffic
-    Archive</a>, various tools to analyze network traffic, mostly scripts to
-    organise and format tcpdump(8) output for specific purposes</li>
-  <li><a name="ssmail">ssmail -- sendmail patched to do</a> <a
-    href="glossary.html#carpediem">opportunistic encryption</a>
-    <ul>
-      <li><a href="http://www.home.aone.net.au/qualcomm/">web page</a> with
-        links to code and to a Usenix paper describing it, in PDF</li>
-    </ul>
-  </li>
-  <li><a href="http://www.openca.org/">Open CA</a> project to develop a
-    freely distributed <a href="glossary.html#CA">Certification Authority</a>
-    for building a open <a href="glossary.html#PKI">Public Key
-    Infrastructure</a>.</li>
-</ul>
-
-<h3><a name="people">Links to home pages</a></h3>
-
-<p>David Wagner at Berkeley provides a set of links to <a
-href="http://www.cs.berkeley.edu/~daw/people/crypto.html">home pages</a> of
-cryptographers, cypherpunks and computer security people.</p>
-</body>
-</html>
diff --git a/doc/testing.html b/doc/testing.html
deleted file mode 100644
index 77626ba5d..000000000
--- a/doc/testing.html
+++ /dev/null
@@ -1,332 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="performance.html">Previous</A>
-<A HREF="kernel.html">Next</A>
-<HR>
-<H1><A name="test.freeswan">Testing FreeS/WAN</A></H1>
- This document discusses testing FreeS/WAN.
-<P>Not all types of testing are described here. Other parts of the
- documentation describe some tests:</P>
-<DL>
-<DT><A href="install.html#testinstall">installation</A> document</DT>
-<DD>testing for a successful install</DD>
-<DT><A href="config.html#testsetup">configuration</A> document</DT>
-<DD>basic tests for a working configuration</DD>
-<DT><A href="web.html#interop.web">web links</A> document</DT>
-<DD>General information on tests for interoperability between various
- IPsec implementations. This includes links to several test sites.</DD>
-<DT><A href="interop.html">interoperation</A> document.</DT>
-<DD>More specific information on FreeS/WAN interoperation with other
- implementations.</DD>
-<DT><A href="performance.html">performance</A> document</DT>
-<DD>performance measurements</DD>
-</DL>
-<P>The test setups and procedures described here can also be used in
- other testing, but this document focuses on testing the IPsec
- functionality of FreeS/WAN.</P>
-<H2><A NAME="test.oe">Testing opportunistic connections</A></H2>
-<P>This section teaches you how to test your opportunistically encrypted
- (OE) connections. To set up OE, please see the easy instructions in our<A
-HREF="quickstart.html"> quickstart guide</A>.</P>
-<H3><A NAME="12_1_1">Basic OE Test</A></H3>
-<P>This test is for basic OE functionality.
-<!-- You may use it on an 
-<A HREF="quickstart.html#oppo.client">initiate-only OE</A> box or a 
-<A HREF="quickstart.html#opp.incoming">full OE</A> box. -->
- For additional tests, keep
- reading.</P>
-<P>Be sure IPsec is running. You can see whether it is with:</P>
-<PRE>    ipsec setup status</PRE>
-<P>If need be, you can restart it with:</P>
-<PRE>    service ipsec restart</PRE>
-<P>Load a FreeS/WAN test website from the host on which you're running
- FreeS/WAN. Note: the feds may be watching these sites. Type one of:</P>
-<P></P>
-<PRE>   links oetest.freeswan.org</PRE>
-<PRE>   links oetest.freeswan.nl</PRE>
-
-<!--<PRE>   links oetest.freeswan.ca</PRE>-->
-<P>A positive result looks like this:</P>
-<PRE>
-   You  seem  to  be  connecting  from:  192.0.2.11 which DNS says is:
-   gateway.example.com
-     _________________________________________________________________
-                                                                                
-   Status E-route
-   OE    enabled    16    192.139.46.73/32    -&gt;    192.0.2.11/32   =&gt;
-   tun0x2097@192.0.2.11
-   OE    enabled    176    192.139.46.77/32    -&gt;   192.0.2.11/32   =&gt;
-   tun0x208a@192.0.2.11
-</PRE>
-<P>If you see this, congratulations! Your OE box will now encrypt its
- own traffic whenever it can. If you have difficulty, see our<A HREF="quickstart.html#oe.trouble">
- OE troubleshooting tips</A>.</P>
-<H3><A NAME="12_1_2">OE Gateway Test</A></H3>
-<P>If you've set up FreeS/WAN to protect a subnet behind your gateway,
- you'll need to run another simple test, which can be done from a
- machine running any OS. That's right, your Windows box can be protected
- by opportunistic encryption without any FreeS/WAN install or
- configuration on that box. From<STRONG> each protected subnet node</STRONG>
-, load the FreeS/WAN website with:</P>
-<PRE>   links oetest.freeswan.org</PRE>
-<PRE>   links oetest.freeswan.nl</PRE>
-<P>A positive result looks like this:</P>
-<PRE>
-   You  seem  to  be  connecting  from:  192.0.2.98 which DNS says is:
-   box98.example.com
-     _________________________________________________________________
-                                                                                
-   Status E-route
-   OE    enabled    16    192.139.46.73/32    -&gt;    192.0.2.98/32   =&gt;
-   tun0x134ed@192.0.2.11
-   OE    enabled    176    192.139.46.77/32    -&gt;   192.0.2.11/32   =&gt;
-   tun0x134d2@192.0.2.11
-</PRE>
-<P>If you see this, congratulations! Your OE gateway will now encrypt
- traffic for this subnet node whenever it can. If you have difficulty,
- see our<A HREF="quickstart.html#oe.trouble"> OE troubleshooting tips</A>
-.</P>
-<H3><A NAME="12_1_3">Additional OE tests</A></H3>
-<P>When testing OE, you will often find it useful to execute this
- command on the FreeS/WAN host:</P>
-<PRE>   ipsec eroute</PRE>
-<P>If you have established a connection (either for or for a subnet
- node) you will see a result like:</P>
-<PRE>    192.0.2.11/32   -&gt; 192.139.46.73/32  =&gt; tun0x149f@192.139.46.38
-</PRE>
-<P>Key:</P>
-<TABLE>
-<TR><TD>1.</TD><TD>192.0.2.11/32</TD><TD>Local start point of the
- protected traffic.</TD></TR>
-<TR><TD>2.</TD><TD>192.0.2.194/32</TD><TD>Remote end point of the
- protected traffic.</TD></TR>
-<TR><TD>3.</TD><TD>192.0.48.38</TD><TD>Remote FreeS/WAN node (gateway or
- host). May be the same as (2).</TD></TR>
-<TR><TD>4.</TD><TD>[not shown]</TD><TD>Local FreeS/WAN node (gateway or
- host), where you've produced the output. May be the same as (1).</TD></TR>
-</TABLE>
-<P>For extra assurance, you may wish to use a packet sniffer such as<A HREF="http://www.tcpdump.org">
- tcpdump</A> to verify that packets are being encrypted. You should see
- output that indicates<STRONG> ESP</STRONG> encrypted data, for example:</P>
-<PRE>    02:17:47.353750 PPPoE  [ses 0x1e12] IP 154: xy.example.com &gt; oetest.freeswan.org: ESP(spi=0x87150d16,seq=0x55)</PRE>
-<H2><A name="test.uml">Testing with User Mode Linux</A></H2>
-<P><A href="http://user-mode-linux.sourceforge.net/">User Mode Linux</A>
- allows you to run Linux as a user process on another Linux machine.</P>
-<P>As of 1.92, the distribution has a new directory named testing. It
- contains a collection of test scripts and sample configurations. Using
- these, you can bring up several copies of Linux in user mode and have
- them build tunnels to each other. This lets you do some testing of a
- FreeS/WAN configuration on a single machine.</P>
-<P>You need a moderately well-endowed machine for this to work well.
- Each UML wants about 16 megs of memory by default, which is plenty for
- FreeS/WAN usage. Typical regression testing only occasionally uses as
- many as 4 UMLs. If one is doing nothing else with the machine (in
- particular, not running X on it), then 128 megs and a 500MHz CPU are
- fine.</P>
- Documentation on these scripts is<A href="umltesting.html"> here</A>.
- There is also documentation on automated testing<A href="makecheck.html">
- here</A>.
-<H2><A name="testnet">Configuration for a testbed network</A></H2>
-<P>A common test setup is to put a machine with dual Ethernet cards in
- between two gateways under test. You need at least five machines; two
- gateways, two clients and a testing machine in the middle.</P>
-<P>The central machine both routes packets and provides a place to run
- diagnostic software for checking IPsec packets. See next section for
- discussion of<A href="faq.html#tcpdump.faq"> using tcpdump(8)</A> for
- this.</P>
-<P>This makes things more complicated than if you just connected the two
- gateway machines directly to each other, but it also makes your test
- setup much more like the environment you actually use IPsec in. Those
- environments nearly always involve routing, and quite a few apparent
- IPsec failures turn out to be problems with routing or with firewalls
- dropping packets. This approach lets you deal with those problems on
- your test setup.</P>
-<P>What you end up with looks like:</P>
-<H3><A name="testbed">Testbed network</A></H3>
-<PRE>      subnet a.b.c.0/24
-             |
-      eth1 = a.b.c.1
-         gate1
-      eth0 = 192.168.p.1
-             |
-             |
-      eth0 = 192.168.p.2
-         route/monitor box
-      eth1 = 192.168.q.2
-             |
-             |
-      eth0 = 192.168.q.1
-         gate2
-      eth1 = x.y.z.1
-              |
-       subnet x.y.z.0/24</PRE>
-<PRE>Where p and q are any convenient values that do not interfere with other
-routes you may have. The ipsec.conf(5) file then has, among other things:</PRE>
-<PRE>conn abc-xyz
-      left=192.168.p.1
-      leftnexthop=192.168.p.2
-      right=192.168.q.1
-      rightnexthop=192.168.q.2</PRE>
-<P>Once that works, you can remove the &quot;route/monitor box&quot;, and connect
- the two gateways to the Internet. The only parameters in ipsec.conf(5)
- that need to change are the four shown above. You replace them with
- values appropriate for your Internet connection, and change the eth0 IP
- addresses and the default routes on both gateways.</P>
-<P>Note that nothing on either subnet needs to change. This lets you
- test most of your IPsec setup before connecting to the insecure
- Internet.</P>
-<H3><A name="tcpdump.test">Using packet sniffers in testing</A></H3>
-<P>A number of tools are available for looking at packets. We will
- discuss using<A href="http://www.tcpdump.org/"> tcpdump(8)</A>, a
- common Linux tool included in most distributions. Alternatives
- offerring more-or-less the same functionality include:</P>
-<DL>
-<DT><A href="http://www.ethereal.com">Ethereal</A></DT>
-<DD>Several people on our mailing list report a preference for this over
- tcpdump.</DD>
-<DT><A href="http://netgroup-serv.polito.it/windump/">windump</A></DT>
-<DD>a Windows version of tcpdump(8), possibly handy if you have Windows
- boxes in your network</DD>
-<DT><A href="http://reptile.rug.ac.be/~coder/sniffit/sniffit.html">
-Sniffit</A></DT>
-<DD>A linux sniffer that we don't know much about. If you use it, please
- comment on our mailing list.</DD>
-</DL>
-<P>See also this<A href="http://www.tlsecurity.net/unix/ids/sniffer/">
- index</A> of packet sniffers.</P>
-<P>tcpdump(8) may misbehave if run on the gateways themselves. It is
- designed to look into a normal IP stack and may become confused if you
- ask it to display data from a stack which has IPsec in play.</P>
-<P>At one point, the problem was quite severe. Recent versions of
- tcpdump, however, understand IPsec well enough to be usable on a
- gateway. You can get the latest version from<A href="http://www.tcpdump.org/">
- tcpdump.org</A>.</P>
-<P>Even with a recent tcpdump, some care is required. Here is part of a
- post from Henry on the topic:</P>
-<PRE>&gt; a) data from sunset to sunrise or the other way is not being
-&gt; encrypted (I am using tcpdump (ver. 3.4) -x/ping -p to check
-&gt; packages) 
-
-What *interface* is tcpdump being applied to?  Use the -i option to
-control this.  It matters!  If tcpdump is looking at the ipsecN
-interfaces, e.g. ipsec0, then it is seeing the packets before they are
-encrypted or after they are decrypted, so of course they don't look
-encrypted.  You want to have tcpdump looking at the actual hardware
-interfaces, e.g. eth0. 
-
-Actually, the only way to be *sure* what you are sending on the wire is to
-have a separate machine eavesdropping on the traffic.  Nothing you can do
-on the machines actually running IPsec is 100% guaranteed reliable in this
-area (although tcpdump is a lot better now than it used to be).</PRE>
-<P>The most certain way to examine IPsec packets is to look at them on
- the wire. For security, you need to be certain, so we recommend doing
- that. To do so, you need a<STRONG> separate sniffer machine located
- between the two gateways</STRONG>. This machine can be routing IPsec
- packets, but it must not be an IPsec gateway. Network configuration for
- such testing is discussed<A href="#testnet"> above</A>.</P>
-<P>Here's another mailing list message with advice on using tcpdump(8):</P>
-<PRE>Subject: RE: [Users] Encrypted???
-   Date: Thu, 29 Nov 2001
-   From: &quot;Joe Patterson&quot; &lt;jpatterson@asgardgroup.com&gt;
-
-tcpdump -nl -i $EXT-IF proto 50
-
--nl tells it not to buffer output or resolve names (if you don't do that it
-may confuse you by not outputing anything for a while), -i $EXT-IF (replace
-with your external interface) tells it what interface to listen on, and
-proto 50 is ESP.  Use &quot;proto 51&quot; if for some odd reason you're using AH, and
-&quot;udp port 500&quot; if you want to see the isakmp key exchange/tunnel setup
-packets.
-
-You can also run `tcpdump -nl -i ipsec0` to see what traffic is on that
-virtual interface.  Anything you see there *should* be either encrypted or
-dropped (unless you've turned on some strange options in your ipsec.conf
-file)
-
-Another very handy thing is ethereal (http://www.ethereal.com/) which runs
-on just about anything, has a nice gui interface (or a nice text-based
-interface), and does a great job of protocol  breakdown.  For ESP and AH
-it'll basically just tell you that there's a packet of that protocol, and
-what the spi is, but for isakmp it'll actually show you a lot of the tunnel
-setup information (until it gets to the point in the protocol where isakmp
-is encrypted....)</PRE>
-<H2><A name="verify.crypt">Verifying encryption</A></H2>
-<P>The question of how to verify that messages are actually encrypted
- has been extensively discussed on the mailing list. See this<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00262.html">
- thread</A>.</P>
-<P>If you just want to verify that packets are encrypted, look at them
- with a packet sniffer (see<A href="#tcpdump.test"> previous section</A>
-) located between the gateways. The packets should, except for some of
- the header information, be utterly unintelligible.<STRONG> The output
- of good encryption looks<EM> exactly</EM> like random noise</STRONG>.</P>
-<P>A packet sniffer can only tell you that the data you looked at was
- encrypted. If you have stronger requirements -- for example if your
- security policy requires verification that plaintext is not leaked
- during startup or under various anomolous conditions -- then you will
- need to devise much more thorough tests. If you do that, please post
- any results or methodological details which your security policy allows
- you to make public.</P>
-<P>You can put recognizable data into ping packets with something like:</P>
-<PRE>        ping -p feedfacedeadbeef 11.0.1.1</PRE>
-<P>&quot;feedfacedeadbeef&quot; is a legal hexadecimal pattern that is easy to
- pick out of hex dumps.</P>
-<P>For other protocols, you may need to check if you have encrypted data
- or ASCII text. Encrypted data has approximately equal frequencies for
- all 256 possible characters. ASCII text has most characters in the
- printable range 0x20-0x7f, a few control characters less than 0x20, and
- none at all in the range 0x80-0xff. 0x20, space, is a good character to
- look for. In normal English text space occurs about once in seven
- characters, versus about once in 256 for random or encrypted data.</P>
-<P>One thing to watch for: the output of good compression, like that of
- good encryption, looks just like random noise. You cannot tell just by
- looking at a data stream whether it has been compressed, encrypted, or
- both. You need a little care not to mistake compressed data for
- encrypted data in your testing.</P>
-<P>Note also that weak encryption also produces random-looking output.
- You cannot tell whether the encryption is strong by looking at the
- output. To be sure of that, you would need to have both the algorithms
- and the implementation examined by experts.</P>
-<P>For IPsec, you can get partial assurance from interoperability tests.
- See our<A href="interop.html"> interop</A> document. When twenty
- products all claim to implement<A href="glossary.html#3DES"> 3DES</A>,
- and they all talk to each other, you can be fairly sure they have it
- right. Of course, you might wonder whether all the implementers are
- consipring to trick you or, more plausibly, whether some
- implementations might have &quot;back doors&quot; so they can get also it wrong
- when required.. If you're seriously worried about things like that, you
- need to get the code you use audited (good luck if it is not Open
- Source), or perhaps to talk to a psychiatrist about treatments for
- paranoia.</P>
-<H2><A name="mail.test">Mailing list pointers</A></H2>
-<P>Additional information on testing can be found in these<A href="mail.html">
- mailing list</A> messages:</P>
-<UL>
-<LI>a user's detailed<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00571.html">
- setup diary</A> for his testbed network</LI>
-<LI>a FreeS/WAN team member's<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00425.html">
- notes</A> from testing at an IPsec interop &quot;bakeoff&quot;</LI>
-</UL>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="performance.html">Previous</A>
-<A HREF="kernel.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/toc.html b/doc/toc.html
deleted file mode 100644
index 047833020..000000000
--- a/doc/toc.html
+++ /dev/null
@@ -1,1019 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<H1 ALIGN="CENTER"><A NAME="CONTENTS">Table of Contents</A></H1>
-<BR>
-<BR><B><A HREF="intro.html#intro">Introduction</A></B>
-<UL>
-<LI><A HREF="intro.html#ipsec.intro">IPsec, Security for the Internet
- Protocol</A></LI>
-<UL>
-<LI><A HREF="intro.html#intro.interop">Interoperating with other IPsec
- implementations</A></LI>
-<LI><A HREF="ipsec.html#advantages">Advantages of IPsec</A></LI>
-<LI><A HREF="intro.html#applications">Applications of IPsec</A></LI>
-<LI><A HREF="intro.html#types">The need to authenticate gateways</A></LI>
-</UL>
-<LI><A HREF="intro.html#project">The FreeS/WAN project</A></LI>
-<UL>
-<LI><A HREF="intro.html#goals">Project goals</A></LI>
-<LI><A HREF="intro.html#staff">Project team</A></LI>
-</UL>
-<LI><A HREF="intro.html#products">Products containing FreeS/WAN</A></LI>
-<UL>
-<LI><A HREF="intro.html#distwith">Full Linux distributions</A></LI>
-<LI><A HREF="intro.html#kernel_dist">Linux kernel distributions</A></LI>
-<LI><A HREF="intro.html#office_dist">Office server distributions</A></LI>
-<LI><A HREF="intro.html#fw_dist">Firewall distributions</A></LI>
-<LI><A HREF="intro.html#turnkey">Firewall and VPN products</A></LI>
-</UL>
-<LI><A HREF="intro.html#docs">Information sources</A></LI>
-<UL>
-<LI><A HREF="intro.html#docformats">This HowTo, in multiple formats</A></LI>
-<LI><A HREF="intro.html#rtfm">RTFM (please Read The Fine Manuals)</A></LI>
-<LI><A HREF="intro.html#text">Other documents in the distribution</A></LI>
-<LI><A HREF="intro.html#assumptions">Background material</A></LI>
-<LI><A HREF="intro.html#archives">Archives of the project mailing list</A>
-</LI>
-<LI><A HREF="intro.html#howto">User-written HowTo information</A></LI>
-<LI><A HREF="intro.html#applied">Papers on FreeS/WAN</A></LI>
-<LI><A HREF="intro.html#licensing">License and copyright information</A></LI>
-</UL>
-<LI><A HREF="intro.html#sites">Distribution sites</A></LI>
-<UL>
-<LI><A HREF="intro.html#1_5_1">Primary site</A></LI>
-<LI><A HREF="intro.html#mirrors">Mirrors</A></LI>
-<LI><A HREF="intro.html#munitions">The &quot;munitions&quot; archive of Linux
- crypto software</A></LI>
-</UL>
-<LI><A HREF="intro.html#1_6">Links to other sections</A></LI>
-</UL>
-<B><A HREF="upgrading.html#2">Upgrading to FreeS/WAN 2.x</A></B>
-<UL>
-<LI><A HREF="upgrading.html#2_1">New! Built in Opportunistic connections</A>
-</LI>
-<UL>
-<LI><A HREF="upgrading.html#2_1_1">Upgrading Opportunistic Encryption to
- 2.01 (or later)</A></LI>
-</UL>
-<LI><A HREF="upgrading.html#2_2">New! Policy Groups</A></LI>
-<LI><A HREF="upgrading.html#2_3">New! Packetdefault Connection</A></LI>
-<LI><A HREF="upgrading.html#2_4">FreeS/WAN now disables Reverse Path
- Filtering</A></LI>
-<LI><A HREF="upgrading.html#2_5">Revised ipsec.conf</A></LI>
-<UL>
-<LI><A HREF="upgrading.html#2_5_1">No promise of compatibility</A></LI>
-<LI><A HREF="upgrading.html#2_5_2">Most ipsec.conf files will work fine</A>
-</LI>
-<LI><A HREF="upgrading.html#2_5_3">Backward compatibility patch</A></LI>
-<LI><A HREF="upgrading.html#2_5_4">Details</A></LI>
-<LI><A HREF="upgrading.html#2_5_5">Upgrading from 1.x RPMs to 2.x RPMs</A>
-</LI>
-</UL>
-</UL>
-<B><A HREF="quickstart.html#quickstart">Quickstart Guide to
- Opportunistic Encryption</A></B>
-<UL>
-<LI><A HREF="quickstart.html#opp.setup">Purpose</A></LI>
-<UL>
-<LI><A HREF="quickstart.html#3_1_1">OE &quot;flag day&quot;</A></LI>
-</UL>
-<LI><A HREF="quickstart.html#opp.dns">Requirements</A></LI>
-<LI><A HREF="quickstart.html#easy.install">RPM install</A></LI>
-<UL>
-<LI><A HREF="quickstart.html#3_3_1">Download RPMs</A></LI>
-<LI><A HREF="quickstart.html#3_3_2">Check signatures</A></LI>
-<LI><A HREF="quickstart.html#3_3_3">Install the RPMs</A></LI>
-<LI><A HREF="quickstart.html#testinstall">Test</A></LI>
-</UL>
-<LI><A HREF="quickstart.html#opp.setups.list">Our Opportunistic Setups</A>
-</LI>
-<UL>
-<LI><A HREF="quickstart.html#3_4_1">Full or partial opportunism?</A></LI>
-</UL>
-<LI><A HREF="quickstart.html#opp.client">Initiate-only setup</A></LI>
-<UL>
-<LI><A HREF="quickstart.html#3_5_1">Restrictions</A></LI>
-<LI><A HREF="quickstart.html#forward.dns">Create and publish a forward
- DNS record</A></LI>
-<LI><A HREF="quickstart.html#3_5_3">Test that your key has been
- published</A></LI>
-<LI><A HREF="quickstart.html#3_5_4">Configure, if necessary</A></LI>
-<LI><A HREF="quickstart.html#3_5_5">Test</A></LI>
-</UL>
-<LI><A HREF="quickstart.html#3_6">Full Opportunism</A></LI>
-<UL>
-<LI><A HREF="quickstart.html#3_6_1">Put a TXT record in a Forward Domain</A>
-</LI>
-<LI><A HREF="quickstart.html#3_6_2">Put a TXT record in Reverse DNS</A></LI>
-<LI><A HREF="quickstart.html#3_6_3">Test your DNS record</A></LI>
-<LI><A HREF="quickstart.html#3_6_4">No Configuration Needed</A></LI>
-<LI><A HREF="quickstart.html#3_6_5">Consider Firewalling</A></LI>
-<LI><A HREF="quickstart.html#3_6_6">Test</A></LI>
-<LI><A HREF="quickstart.html#3_6_7">Test</A></LI>
-</UL>
-<LI><A HREF="quickstart.html#opp.test">Testing opportunistic connections</A>
-</LI>
-<LI><A HREF="quickstart.html#3_8">Now what?</A></LI>
-<LI><A HREF="quickstart.html#3_9">Notes</A></LI>
-<LI><A HREF="quickstart.html#3_10">Troubleshooting OE</A></LI>
-<LI><A HREF="quickstart.html#3_11">Known Issues</A></LI>
-</UL>
-<B><A HREF="policygroups.html#4">How to Configure Linux FreeS/WAN with
- Policy Groups</A></B>
-<UL>
-<LI><A HREF="policygroups.html#4_1">What are Policy Groups?</A></LI>
-<UL>
-<LI><A HREF="policygroups.html#4_1_1">Built-In Security Options</A></LI>
-</UL>
-<LI><A HREF="policygroups.html#4_2">Using Policy Groups</A></LI>
-<UL>
-<LI><A HREF="policygroups.html#4_2_1">Example 1: Using a Base Policy
- Group</A></LI>
-<LI><A HREF="policygroups.html#4_2_2">Example 2: Defining IPsec Security
- Policy with Groups</A></LI>
-<LI><A HREF="policygroups.html#4_2_3">Example 3: Creating a Simple IPsec
- VPN with the private Group</A></LI>
-<LI><A HREF="policygroups.html#4_2_4">Example 4: New Policy Groups to
- Protect a Subnet</A></LI>
-<LI><A HREF="policygroups.html#4_2_5">Example 5: Adding a Subnet to the
- VPN</A></LI>
-</UL>
-<LI><A HREF="policygroups.html#4_3">Appendix</A></LI>
-<UL>
-<LI><A HREF="policygroups.html#4_3_1">Our Hidden Connections</A></LI>
-<LI><A HREF="policygroups.html#4_3_2">Custom Policy Groups</A></LI>
-<LI><A HREF="policygroups.html#4_3_3">Disabling Opportunistic Encryption</A>
-</LI>
-</UL>
-</UL>
-<B><A HREF="faq.html#5">FreeS/WAN FAQ</A></B>
-<UL>
-<LI><A HREF="faq.html#questions">Index of FAQ questions</A></LI>
-<LI><A HREF="faq.html#whatzit">What is FreeS/WAN?</A></LI>
-<LI><A HREF="faq.html#problems">How do I report a problem or seek help?</A>
-</LI>
-<LI><A HREF="faq.html#generic">Can I get ...</A></LI>
-<UL>
-<LI><A HREF="faq.html#lemme_out">Can I get an off-the-shelf system that
- includes FreeS/WAN?</A></LI>
-<LI><A HREF="faq.html#consultant">Can I hire consultants or staff who
- know FreeS/WAN?</A></LI>
-<LI><A HREF="faq.html#commercial">Can I get commercial support?</A></LI>
-</UL>
-<LI><A HREF="faq.html#release">Release questions</A></LI>
-<UL>
-<LI><A HREF="faq.html#rel.current">What is the current release?</A></LI>
-<LI><A HREF="faq.html#relwhen">When is the next release?</A></LI>
-<LI><A HREF="faq.html#rel.bugs">Are there known bugs in the current
- release?</A></LI>
-</UL>
-<LI><A HREF="faq.html#mod_cons">Modifications and contributions</A></LI>
-<UL>
-<LI><A HREF="faq.html#modify.faq">Can I modify FreeS/WAN to ...?</A></LI>
-<LI><A HREF="faq.html#contrib.faq">Can I contribute to the project?</A></LI>
-<LI><A HREF="faq.html#ddoc.faq">Is there detailed design documentation?</A>
-</LI>
-</UL>
-<LI><A HREF="faq.html#interact">Will FreeS/WAN work in my environment?</A>
-</LI>
-<UL>
-<LI><A HREF="faq.html#interop.faq">Can FreeS/WAN talk to ...?</A></LI>
-<LI><A HREF="faq.html#old_to_new">Can different FreeS/WAN versions talk
- to each other?</A></LI>
-<LI><A HREF="faq.html#faq.bandwidth">Is there a limit on throughput?</A></LI>
-<LI><A HREF="faq.html#faq.number">Is there a limit on number of tunnels?</A>
-</LI>
-<LI><A HREF="faq.html#faq.speed">Is a ... fast enough to handle
- FreeS/WAN with my loads?</A></LI>
-</UL>
-<LI><A HREF="faq.html#work_on">Will FreeS/WAN work on ... ?</A></LI>
-<UL>
-<LI><A HREF="faq.html#versions">Will FreeS/WAN run on my version of
- Linux?</A></LI>
-<LI><A HREF="faq.html#nonIntel.faq">Will FreeS/WAN run on non-Intel
- CPUs?</A></LI>
-<LI><A HREF="faq.html#multi.faq">Will FreeS/WAN run on multiprocessors?</A>
-</LI>
-<LI><A HREF="faq.html#k.old">Will FreeS/WAN work on an older kernel?</A></LI>
-<LI><A HREF="faq.html#k.versions">Will FreeS/WAN run on the latest
- kernel version?</A></LI>
-<LI><A HREF="faq.html#interface.faq">Will FreeS/WAN work on unusual
- network hardware?</A></LI>
-<LI><A HREF="faq.html#vlan">Will FreeS/WAN work on a VLAN (802.1q)
- network?</A></LI>
-</UL>
-<LI><A HREF="faq.html#features.faq">Does FreeS/WAN support ...</A></LI>
-<UL>
-<LI><A HREF="faq.html#VPN.faq">Does FreeS/WAN support site-to-site VPN (
-Virtual Private Network) applications?</A></LI>
-<LI><A HREF="faq.html#warrior.faq">Does FreeS/WAN support remote users
- connecting to a LAN?</A></LI>
-<LI><A HREF="faq.html#road.shared.possible">Does FreeS/WAN support
- remote users using shared secret authentication?</A></LI>
-<LI><A HREF="faq.html#wireless.faq">Does FreeS/WAN support wireless
- networks?</A></LI>
-<LI><A HREF="faq.html#PKIcert">Does FreeS/WAN support X.509 or other PKI
- certificates?</A></LI>
-<LI><A HREF="faq.html#Radius">Does FreeS/WAN support user authentication
- (Radius, SecureID, Smart Card...)?</A></LI>
-<LI><A HREF="faq.html#NATtraversal">Does FreeS/WAN support NAT
- traversal?</A></LI>
-<LI><A HREF="faq.html#virtID">Does FreeS/WAN support assigning a
- &quot;virtual identity&quot; to a remote system?</A></LI>
-<LI><A HREF="faq.html#noDES.faq">Does FreeS/WAN support single DES
- encryption?</A></LI>
-<LI><A HREF="faq.html#AES.faq">Does FreeS/WAN support AES encryption?</A>
-</LI>
-<LI><A HREF="faq.html#other.cipher">Does FreeS/WAN support other
- encryption algorithms?</A></LI>
-</UL>
-<LI><A HREF="faq.html#canI">Can I ...</A></LI>
-<UL>
-<LI><A HREF="faq.html#policy.preconfig">Can I use policy groups along
- with explicitly configured connections?</A></LI>
-<LI><A HREF="faq.html#policy.off">Can I turn off policy groups?</A></LI>
-<LI><A HREF="faq.html#reload">Can I reload connection info without
- restarting?</A></LI>
-<LI><A HREF="faq.html#masq.faq">Can I use several masqueraded subnets?</A>
-</LI>
-<LI><A HREF="faq.html#dup_route">Can I use subnets masqueraded to the
- same addresses?</A></LI>
-<LI><A HREF="faq.html#road.masq">Can I assign a road warrior an address
- on my net (a virtual identity)?</A></LI>
-<LI><A HREF="faq.html#road.many">Can I support many road warriors with
- one gateway?</A></LI>
-<LI><A HREF="faq.html#road.PSK">Can I have many road warriors using
- shared secret authentication?</A></LI>
-<LI><A HREF="faq.html#QoS">Can I use Quality of Service routing with
- FreeS/WAN?</A></LI>
-<LI><A HREF="faq.html#deadtunnel">Can I recognise dead tunnels and shut
- them down?</A></LI>
-<LI><A HREF="faq.html#demanddial">Can I build IPsec tunnels over a
- demand-dialed link?</A></LI>
-<LI><A HREF="faq.html#GRE">Can I build GRE, L2TP or PPTP tunnels over
- IPsec?</A></LI>
-<LI><A HREF="faq.html#NetBIOS">... use Network Neighborhood (Samba,
- NetBIOS) over IPsec?</A></LI>
-</UL>
-<LI><A HREF="faq.html#setup.faq">Life's little mysteries</A></LI>
-<UL>
-<LI><A HREF="faq.html#cantping">I cannot ping ....</A></LI>
-<LI><A HREF="faq.html#forever">It takes forever to ...</A></LI>
-<LI><A HREF="faq.html#route">I send packets to the tunnel with route(8)
- but they vanish</A></LI>
-<LI><A HREF="faq.html#down_route">When a tunnel goes down, packets
- vanish</A></LI>
-<LI><A HREF="faq.html#firewall_ate">The firewall ate my packets!</A></LI>
-<LI><A HREF="faq.html#dropconn">Dropped connections</A></LI>
-<LI><A HREF="faq.html#defaultroutegone">Disappearing %defaultroute</A></LI>
-<LI><A HREF="faq.html#tcpdump.faq">TCPdump on the gateway shows strange
- things</A></LI>
-<LI><A HREF="faq.html#no_trace">Traceroute does not show anything
- between the gateways</A></LI>
-</UL>
-<LI><A HREF="faq.html#man4debug">Testing in stages</A></LI>
-<UL>
-<LI><A HREF="faq.html#nomanual">Manually keyed connections don't work</A>
-</LI>
-<LI><A HREF="faq.html#spi_error">One manual connection works, but second
- one fails</A></LI>
-<LI><A HREF="faq.html#man_no_auto">Manual connections work, but
- automatic keying doesn't</A></LI>
-<LI><A HREF="faq.html#nocomp">IPsec works, but connections using
- compression fail</A></LI>
-<LI><A HREF="faq.html#pmtu.broken">Small packets work, but large
- transfers fail</A></LI>
-<LI><A HREF="faq.html#subsub">Subnet-to-subnet works, but tests from the
- gateways don't</A></LI>
-</UL>
-<LI><A HREF="faq.html#compile.faq">Compilation problems</A></LI>
-<UL>
-<LI><A HREF="faq.html#gmp.h_missing">gmp.h: No such file or directory</A>
-</LI>
-<LI><A HREF="faq.html#noVM">... virtual memory exhausted</A></LI>
-</UL>
-<LI><A HREF="faq.html#error">Interpreting error messages</A></LI>
-<UL>
-<LI><A HREF="faq.html#route-client">route-client (or host) exited with
- status 7</A></LI>
-<LI><A HREF="faq.html#unreachable">SIOCADDRT:Network is unreachable</A></LI>
-<LI><A HREF="faq.html#modprobe">ipsec_setup: modprobe: Can't locate
- module ipsec</A></LI>
-<LI><A HREF="faq.html#noKLIPS">ipsec_setup: Fatal error, kernel appears
- to lack KLIPS</A></LI>
-<LI><A HREF="faq.html#noDNS">ipsec_setup: ... failure to fetch key for
- ... from DNS</A></LI>
-<LI><A HREF="faq.html#dup_address">ipsec_setup: ... interfaces ... and
- ... share address ...</A></LI>
-<LI><A HREF="faq.html#kflags">ipsec_setup: Cannot adjust kernel flags</A>
-</LI>
-<LI><A HREF="faq.html#message_num">Message numbers (MI3, QR1, et cetera)
- in Pluto messages</A></LI>
-<LI><A HREF="faq.html#conn_name">Connection names in Pluto error
- messages</A></LI>
-<LI><A HREF="faq.html#cantorient">Pluto: ... can't orient connection</A></LI>
-<LI><A HREF="faq.html#no.interface">... we have no ipsecN interface for
- either end of this connection</A></LI>
-<LI><A HREF="faq.html#noconn">Pluto: ... no connection is known</A></LI>
-<LI><A HREF="faq.html#nosuit">Pluto: ... no suitable connection ...</A></LI>
-<LI><A HREF="faq.html#noconn.auth">Pluto: ... no connection has been
- authorized</A></LI>
-<LI><A HREF="faq.html#noDESsupport">Pluto: ... OAKLEY_DES_CBC is not
- supported.</A></LI>
-<LI><A HREF="faq.html#notransform">Pluto: ... no acceptable transform</A>
-</LI>
-<LI><A HREF="faq.html#rsasigkey">rsasigkey dumps core</A></LI>
-<LI><A HREF="faq.html#sig4">!Pluto failure!: ... exited with ... signal
- 4</A></LI>
-<LI><A HREF="faq.html#econnrefused">ECONNREFUSED error message</A></LI>
-<LI><A HREF="faq.html#no_eroute">klips_debug: ... no eroute!</A></LI>
-<LI><A HREF="faq.html#SAused">... trouble writing to /dev/ipsec ... SA
- already in use</A></LI>
-<LI><A HREF="faq.html#ignore">... ignoring ... payload</A></LI>
-<LI><A HREF="faq.html#unknown_rightcert">unknown parameter name
- &quot;rightcert&quot;</A></LI>
-</UL>
-<LI><A HREF="faq.html#spam">Why don't you restrict the mailing lists to
- reduce spam?</A></LI>
-</UL>
-<B><A HREF="manpages.html#manpages">FreeS/WAN manual pages</A></B>
-<UL>
-<LI><A HREF="manpages.html#man.file">Files</A></LI>
-<LI><A HREF="manpages.html#man.command">Commands</A></LI>
-<LI><A HREF="manpages.html#man.lib">Library routines</A></LI>
-</UL>
-<B><A HREF="firewall.html#firewall">FreeS/WAN and firewalls</A></B>
-<UL>
-<LI><A HREF="firewall.html#filters">Filtering rules for IPsec packets</A>
-</LI>
-<LI><A HREF="firewall.html#examplefw">Firewall configuration at boot</A></LI>
-<UL>
-<LI><A HREF="firewall.html#simple.rules">A simple set of rules</A></LI>
-<LI><A HREF="firewall.html#complex.rules">Other rules</A></LI>
-<LI><A HREF="firewall.html#rules.pub">Published rule sets</A></LI>
-</UL>
-<LI><A HREF="firewall.html#updown">Calling firewall scripts, named in
- ipsec.conf(5)</A></LI>
-<UL>
-<LI><A HREF="firewall.html#pre_post">Scripts called at IPsec start and
- stop</A></LI>
-<LI><A HREF="firewall.html#up_down">Scripts called at connection up and
- down</A></LI>
-<LI><A HREF="firewall.html#ipchains.script">Scripts for ipchains or
- iptables</A></LI>
-</UL>
-<LI><A HREF="firewall.html#NAT">A complication: IPsec vs. NAT</A></LI>
-<UL>
-<LI><A HREF="firewall.html#nat_ok">NAT on or behind the IPsec gateway
- works</A></LI>
-<LI><A HREF="firewall.html#nat_bad">NAT between gateways is problematic</A>
-</LI>
-<LI><A HREF="firewall.html#NAT.ref">Other references on NAT and IPsec</A>
-</LI>
-</UL>
-<LI><A HREF="firewall.html#complications">Other complications</A></LI>
-<UL>
-<LI><A HREF="firewall.html#through">IPsec through the gateway</A></LI>
-<LI><A HREF="firewall.html#ipsec_only">Preventing non-IPsec traffic</A></LI>
-<LI><A HREF="firewall.html#unknowngate">Filtering packets from unknown
- gateways</A></LI>
-</UL>
-<LI><A HREF="firewall.html#otherfilter">Other packet filters</A></LI>
-<UL>
-<LI><A HREF="firewall.html#ICMP">ICMP filtering</A></LI>
-<LI><A HREF="firewall.html#traceroute">UDP packets for traceroute</A></LI>
-<LI><A HREF="firewall.html#l2tp">UDP for L2TP</A></LI>
-</UL>
-<LI><A HREF="firewall.html#packets">How it all works: IPsec packet
- details</A></LI>
-<UL>
-<LI><A HREF="firewall.html#noport">ESP and AH do not have ports</A></LI>
-<LI><A HREF="firewall.html#header">Header layout</A></LI>
-<LI><A HREF="firewall.html#dhr">DHR on the updown script</A></LI>
-</UL>
-</UL>
-<B><A HREF="trouble.html#trouble">Linux FreeS/WAN Troubleshooting Guide</A>
-</B>
-<UL>
-<LI><A HREF="trouble.html#overview">Overview</A></LI>
-<LI><A HREF="trouble.html#install">1. During Install</A></LI>
-<UL>
-<LI><A HREF="trouble.html#8_2_1">1.1 RPM install gotchas</A></LI>
-<LI><A HREF="trouble.html#8_2_2">1.2 Problems installing from source</A></LI>
-<LI><A HREF="trouble.html#install.check">1.3 Install checks</A></LI>
-<LI><A HREF="quickstart.html#oe.trouble">1.3 Troubleshooting OE</A></LI>
-</UL>
-<LI><A HREF="trouble.html#negotiation">2. During Negotiation</A></LI>
-<UL>
-<LI><A HREF="trouble.html#state">2.1 Determine Connection State</A></LI>
-<LI><A HREF="trouble.html#find.pluto.error">2.2 Finding error text</A></LI>
-<LI><A HREF="trouble.html#interpret.pluto.error">2.3 Interpreting a
- Negotiation Error</A></LI>
-</UL>
-<LI><A HREF="trouble.html#use">3. Using a Connection</A></LI>
-<UL>
-<LI><A HREF="trouble.html#8_4_1">3.1 Orienting yourself</A></LI>
-<LI><A HREF="trouble.html#8_4_2">3.2 Those pesky configuration errors</A>
-</LI>
-<LI><A HREF="trouble.html#route.firewall">3.3 Check Routing and
- Firewalling</A></LI>
-<LI><A HREF="trouble.html#sniff">3.4 When in doubt, sniff it out</A></LI>
-<LI><A HREF="trouble.html#find.use.error">3.5 Check your logs</A></LI>
-<LI><A HREF="trouble.html#bigpacket">3.6 More testing for the truly
- thorough</A></LI>
-</UL>
-<LI><A HREF="trouble.html#prob.report">4. Problem Reporting</A></LI>
-<UL>
-<LI><A HREF="trouble.html#8_5_1">4.1 How to ask for help</A></LI>
-<LI><A HREF="trouble.html#8_5_2">4.2 Where to ask</A></LI>
-</UL>
-<LI><A HREF="trouble.html#notes">5. Additional Notes on Troubleshooting</A>
-</LI>
-<UL>
-<LI><A HREF="trouble.html#system.info">5.1 Information available on your
- system</A></LI>
-<LI><A HREF="trouble.html#testgates"> 5.2 Testing between security
- gateways</A></LI>
-<LI><A HREF="trouble.html#ifconfig1">5.3 ifconfig reports for KLIPS
- debugging</A></LI>
-<LI><A HREF="trouble.html#gdb"> 5.4 Using GDB on Pluto</A></LI>
-</UL>
-</UL>
-<B><A HREF="compat.html#compat">Linux FreeS/WAN Compatibility Guide</A></B>
-<UL>
-<LI><A HREF="compat.html#spec">Implemented parts of the IPsec
- Specification</A></LI>
-<UL>
-<LI><A HREF="compat.html#in">In Linux FreeS/WAN</A></LI>
-<LI><A HREF="compat.html#dropped">Deliberately omitted</A></LI>
-<LI><A HREF="compat.html#not">Not (yet) in Linux FreeS/WAN</A></LI>
-</UL>
-<LI><A HREF="compat.html#pfkey">Our PF-Key implementation</A></LI>
-<UL>
-<LI><A HREF="compat.html#pfk.port">PF-Key portability</A></LI>
-</UL>
-<LI><A HREF="compat.html#otherk">Kernels other than the latest 2.2.x and
- 2.4.y</A></LI>
-<UL>
-<LI><A HREF="compat.html#kernel.2.0">2.0.x kernels</A></LI>
-<LI><A HREF="compat.html#kernel.production">2.2 and 2.4 kernels</A></LI>
-</UL>
-<LI><A HREF="compat.html#otherdist">Intel Linux distributions other than
- Redhat</A></LI>
-<UL>
-<LI><A HREF="compat.html#rh7">Redhat 7.0</A></LI>
-<LI><A HREF="compat.html#suse">SuSE Linux</A></LI>
-<LI><A HREF="compat.html#slack">Slackware</A></LI>
-<LI><A HREF="compat.html#deb">Debian</A></LI>
-<LI><A HREF="compat.html#caldera">Caldera</A></LI>
-</UL>
-<LI><A HREF="compat.html#CPUs">CPUs other than Intel</A></LI>
-<UL>
-<LI><A HREF="compat.html# strongarm">Corel Netwinder (StrongARM CPU)</A></LI>
-<LI><A HREF="compat.html#yellowdog">Yellow Dog Linux on Power PC</A></LI>
-<LI><A HREF="compat.html#mklinux">Mklinux</A></LI>
-<LI><A HREF="compat.html#alpha">Alpha 64-bit processors</A></LI>
-<LI><A HREF="compat.html#SPARC">Sun SPARC processors</A></LI>
-<LI><A HREF="compat.html#mips">MIPS processors</A></LI>
-<LI><A HREF="compat.html#crusoe">Transmeta Crusoe</A></LI>
-<LI><A HREF="compat.html#coldfire">Motorola Coldfire</A></LI>
-</UL>
-<LI><A HREF="compat.html#multiprocessor">Multiprocessor machines</A></LI>
-<LI><A HREF="compat.html#hardware">Support for crypto hardware</A></LI>
-<LI><A HREF="compat.html#ipv6">IP version 6 (IPng)</A></LI>
-<UL>
-<LI><A HREF="compat.html#v6.back">IPv6 background</A></LI>
-</UL>
-</UL>
-<B><A HREF="interop.html#10">Interoperating with FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="interop.html#10_1">Interop at a Glance</A></LI>
-<UL>
-<LI><A HREF="interop.html#10_1_1">Key</A></LI>
-</UL>
-<LI><A HREF="interop.html#10_2">Basic Interop Rules</A></LI>
-<LI><A HREF="interop.html#10_3">Longer Stories</A></LI>
-<UL>
-<LI><A HREF="interop.html#10_3_1">For More Compatible Implementations</A>
-</LI>
-<LI><A HREF="interop.html#10_3_2">For Other Implementations</A></LI>
-</UL>
-</UL>
-<B><A HREF="performance.html#performance">Performance of FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="performance.html#pub.bench">Published material</A></LI>
-<LI><A HREF="performance.html#perf.estimate">Estimating CPU overheads</A>
-</LI>
-<UL>
-<LI><A HREF="performance.html#perf.more">Higher performance alternatives</A>
-</LI>
-<LI><A HREF="performance.html#11_2_2">Other considerations</A></LI>
-</UL>
-<LI><A HREF="performance.html#biggate">Many tunnels from a single
- gateway</A></LI>
-<LI><A HREF="performance.html#low-end">Low-end systems</A></LI>
-<LI><A HREF="performance.html#klips.bench">Measuring KLIPS</A></LI>
-<LI><A HREF="performance.html#speed.compress">Speed with compression</A></LI>
-<LI><A HREF="performance.html#methods">Methods of measuring</A></LI>
-</UL>
-<B><A HREF="testing.html#test.freeswan">Testing FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="testing.html#test.oe">Testing opportunistic connections</A></LI>
-<UL>
-<LI><A HREF="testing.html#12_1_1">Basic OE Test</A></LI>
-<LI><A HREF="testing.html#12_1_2">OE Gateway Test</A></LI>
-<LI><A HREF="testing.html#12_1_3">Additional OE tests</A></LI>
-</UL>
-<LI><A HREF="testing.html#test.uml">Testing with User Mode Linux</A></LI>
-<LI><A HREF="testing.html#testnet">Configuration for a testbed network</A>
-</LI>
-<UL>
-<LI><A HREF="testing.html#testbed">Testbed network</A></LI>
-<LI><A HREF="testing.html#tcpdump.test">Using packet sniffers in testing</A>
-</LI>
-</UL>
-<LI><A HREF="testing.html#verify.crypt">Verifying encryption</A></LI>
-<LI><A HREF="testing.html#mail.test">Mailing list pointers</A></LI>
-</UL>
-<B><A HREF="kernel.html#kernelconfig">Kernel configuration for FreeS/WAN</A>
-</B>
-<UL>
-<LI><A HREF="kernel.html#notall">Not everyone needs to worry about
- kernel configuration</A></LI>
-<LI><A HREF="kernel.html#assume">Assumptions and notation</A></LI>
-<UL>
-<LI><A HREF="kernel.html#labels">Labels used</A></LI>
-</UL>
-<LI><A HREF="kernel.html#kernelopt">Kernel options for FreeS/WAN</A></LI>
-</UL>
-<B><A HREF="adv_config.html#adv_config">Other configuration
- possibilities</A></B>
-<UL>
-<LI><A HREF="adv_config.html#thumb">Some rules of thumb about
- configuration</A></LI>
-<UL>
-<LI><A HREF="adv_config.html#cheap.tunnel">Tunnels are cheap</A></LI>
-<LI><A HREF="adv_config.html#subnet.size">Subnet sizes</A></LI>
-<LI><A HREF="adv_config.html#example.more">Other network layouts</A></LI>
-</UL>
-<LI><A HREF="adv_config.html#choose">Choosing connection types</A></LI>
-<UL>
-<LI><A HREF="adv_config.html#man-auto">Manual vs. automatic keying</A></LI>
-<LI><A HREF="adv_config.html#auto-auth">Authentication methods for
- auto-keying</A></LI>
-<LI><A HREF="adv_config.html#adv-pk">Advantages of public key methods</A>
-</LI>
-</UL>
-<LI><A HREF="adv_config.html#prodsecrets">Using shared secrets in
- production</A></LI>
-<UL>
-<LI><A HREF="biblio.html#secrets">Putting secrets in ipsec.secrets(5)</A>
-</LI>
-<LI><A HREF="adv_config.html#securing.secrets">File security</A></LI>
-<LI><A HREF="adv_config.html#notroadshared">Shared secrets for road
- warriors</A></LI>
-</UL>
-<LI><A HREF="adv_config.html#prodman">Using manual keying in production</A>
-</LI>
-<UL>
-<LI><A HREF="adv_config.html#ranbits">Creating keys with ranbits</A></LI>
-</UL>
-<LI><A HREF="adv_config.html#boot">Setting up connections at boot time</A>
-</LI>
-<LI><A HREF="adv_config.html#multitunnel">Multiple tunnels between the
- same two gateways</A></LI>
-<UL>
-<LI><A HREF="adv_config.html#advroute">One tunnel plus advanced routing</A>
-</LI>
-</UL>
-<LI><A HREF="adv_config.html#opp.gate">An Opportunistic Gateway</A></LI>
-<UL>
-<LI><A HREF="adv_config.html#14_7_1">Start from full opportunism</A></LI>
-<LI><A HREF="adv_config.html#14_7_2">Reverse DNS TXT records for each
- protected machine</A></LI>
-<LI><A HREF="adv_config.html#14_7_3">Publish your records</A></LI>
-<LI><A HREF="adv_config.html#14_7_4">...and test them</A></LI>
-<LI><A HREF="adv_config.html#14_7_5">No Configuration Needed</A></LI>
-</UL>
-<LI><A HREF="adv_config.html#extruded.config">Extruded Subnets</A></LI>
-<LI><A HREF="adv_config.html#roadvirt">Road Warrior with virtual IP
- address</A></LI>
-<LI><A HREF="glossary.html#dynamic">Dynamic Network Interfaces</A></LI>
-<UL>
-<LI><A HREF="adv_config.html#basicdyn">Basics</A></LI>
-<LI><A HREF="adv_config.html#bootdyn">Boot Time</A></LI>
-<LI><A HREF="adv_config.html#changedyn">Change Time</A></LI>
-</UL>
-<LI><A HREF="adv_config.html#unencrypted">Unencrypted tunnels</A></LI>
-</UL>
-<B><A HREF="trouble.html#install">Installing FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="install.html#15_1">Requirements</A></LI>
-<LI><A HREF="install.html#15_2">Choose your install method</A></LI>
-<LI><A HREF="install.html#15_3">FreeS/WAN ships with some Linuxes</A></LI>
-<UL>
-<LI><A HREF="install.html#15_3_1">FreeS/WAN may be altered...</A></LI>
-<LI><A HREF="install.html#15_3_2">You might need to create an
- authentication keypair</A></LI>
-<LI><A HREF="install.html#15_3_3">Start and test FreeS/WAN</A></LI>
-</UL>
-<LI><A HREF="install.html#15_4">RPM install</A></LI>
-<UL>
-<LI><A HREF="install.html#15_4_1">Download RPMs</A></LI>
-<LI><A HREF="install.html#15_4_2">For freeswan.org RPMs: check
- signatures</A></LI>
-<LI><A HREF="install.html#15_4_3">Install the RPMs</A></LI>
-<LI><A HREF="install.html#15_4_4">Start and Test FreeS/WAN</A></LI>
-</UL>
-<LI><A HREF="install.html#15_5">Install from Source</A></LI>
-<UL>
-<LI><A HREF="install.html#15_5_1">Decide what functionality you need</A></LI>
-<LI><A HREF="install.html#15_5_2">Download FreeS/WAN</A></LI>
-<LI><A HREF="install.html#15_5_3">For freeswan.org source: check its
- signature</A></LI>
-<LI><A HREF="install.html#15_5_4">Untar, unzip</A></LI>
-<LI><A HREF="install.html#15_5_5">Patch if desired</A></LI>
-<LI><A HREF="install.html#15_5_6">... and Make</A></LI>
-</UL>
-<LI><A HREF="install.html#15_6">Start FreeS/WAN and test your install</A>
-</LI>
-<LI><A HREF="install.html#15_7">Test your install</A></LI>
-<LI><A HREF="install.html#15_8">Making FreeS/WAN play well with others</A>
-</LI>
-<LI><A HREF="install.html#15_9">Configure for your needs</A></LI>
-</UL>
-<B><A HREF="config.html#config">How to configure FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="config.html#16_1">Requirements</A></LI>
-<LI><A HREF="config.html#config.netnet">Net-to-Net connection</A></LI>
-<UL>
-<LI><A HREF="config.html#netnet.info.ex">Gather information</A></LI>
-<LI><A HREF="config.html#16_2_2">Edit /etc/ipsec.conf</A></LI>
-<LI><A HREF="config.html#16_2_3">Start your connection</A></LI>
-<LI><A HREF="config.html#16_2_4">Do not MASQ or NAT packets to be
- tunneled</A></LI>
-<LI><A HREF="config.html#16_2_5">Test your connection</A></LI>
-<LI><A HREF="config.html#16_2_6">Finishing touches</A></LI>
-</UL>
-<LI><A HREF="config.html#config.rw">Road Warrior Configuration</A></LI>
-<UL>
-<LI><A HREF="config.html#rw.info.ex">Gather information</A></LI>
-<LI><A HREF="config.html#16_3_2">Customize /etc/ipsec.conf</A></LI>
-<LI><A HREF="config.html#16_3_3">Start your connection</A></LI>
-<LI><A HREF="config.html#16_3_4">Do not MASQ or NAT packets to be
- tunneled</A></LI>
-<LI><A HREF="config.html#16_3_5">Test your connection</A></LI>
-<LI><A HREF="config.html#16_3_6">Finishing touches</A></LI>
-<LI><A HREF="config.html#16_3_7">Multiple Road Warriors</A></LI>
-</UL>
-<LI><A HREF="config.html#16_4">What next?</A></LI>
-</UL>
-<B><A HREF="background.html#background">Linux FreeS/WAN background</A></B>
-<UL>
-<LI><A HREF="background.html#dns.background">Some DNS background</A></LI>
-<UL>
-<LI><A HREF="background.html#forward.reverse">Forward and reverse maps</A>
-</LI>
-<LI><A HREF="background.html#17_1_2">Hierarchy and delegation</A></LI>
-<LI><A HREF="background.html#17_1_3">Syntax of DNS records</A></LI>
-<LI><A HREF="background.html#17_1_4">Cacheing, TTL and propagation delay</A>
-</LI>
-</UL>
-<LI><A HREF="background.html#MTU.trouble">Problems with packet
- fragmentation</A></LI>
-<LI><A HREF="background.html#nat.background">Network address translation
- (NAT)</A></LI>
-<UL>
-<LI><A HREF="background.html#17_3_1">NAT to non-routable addresses</A></LI>
-<LI><A HREF="background.html#17_3_2">NAT to routable addresses</A></LI>
-</UL>
-</UL>
-<B><A HREF="user_examples.html#user.examples">FreeS/WAN script examples</A>
-</B>
-<UL>
-<LI><A HREF="user_examples.html#poltorak">Poltorak's Firewall script</A></LI>
-</UL>
-<B><A HREF="makecheck.html#makecheck">How to configure to use &quot;make
- check&quot;</A></B>
-<UL>
-<LI><A HREF="makecheck.html#19_1">What is &quot;make check&quot;</A></LI>
-<LI><A HREF="makecheck.html#19_2">Running &quot;make check&quot;</A></LI>
-</UL>
-<B><A HREF="makecheck.html#20">How to write a &quot;make check&quot; test</A></B>
-<UL>
-<LI><A HREF="makecheck.html#20_1">Structure of a test</A></LI>
-<LI><A HREF="makecheck.html#20_2">The TESTLIST</A></LI>
-<LI><A HREF="makecheck.html#20_3">Test kinds</A></LI>
-<LI><A HREF="makecheck.html#20_4">Common parameters</A></LI>
-<LI><A HREF="makecheck.html#20_5">KLIPStest paramaters</A></LI>
-<LI><A HREF="makecheck.html#20_6">mkinsttest paramaters</A></LI>
-<LI><A HREF="makecheck.html#20_7">rpm_build_install_test paramaters</A></LI>
-<LI><A HREF="makecheck.html#20_8">libtest paramaters</A></LI>
-<LI><A HREF="makecheck.html#20_9">umlplutotest paramaters</A></LI>
-<LI><A HREF="makecheck.html#20_10">umlXhost parameters</A></LI>
-<LI><A HREF="makecheck.html#20_11">kernel_patch_test paramaters</A></LI>
-<LI><A HREF="makecheck.html#20_12">module_compile paramaters</A></LI>
-</UL>
-<B><A HREF="makecheck.html#21">Current pitfalls</A></B>
-<BR>
-<BR><B><A HREF="umltesting.html#umltesting">User-Mode-Linux Testing
- guide</A></B>
-<UL>
-<LI><A HREF="umltesting.html#22_1">Preliminary Notes on BIND</A></LI>
-<LI><A HREF="umltesting.html#22_2">Steps to Install UML for FreeS/WAN</A>
-</LI>
-</UL>
-<B><A HREF="umltesting.html#23">Debugging the kernel with GDB</A></B>
-<UL>
-<LI><A HREF="umltesting.html#23_1">Other notes about debugging</A></LI>
-</UL>
-<B><A HREF="umltesting.html#24">User-Mode-Linux mysteries</A></B>
-<BR>
-<BR><B><A HREF="umltesting.html#25">Getting more info from uml_netjig</A>
-</B>
-<BR>
-<BR><B><A HREF="politics.html#politics">History and politics of
- cryptography</A></B>
-<UL>
-<LI><A HREF="politics.html#intro.politics">Introduction</A></LI>
-<UL>
-<LI><A HREF="politics.html#26_1_1">History</A></LI>
-<LI><A HREF="politics.html#intro.poli">Politics</A></LI>
-<LI><A HREF="politics.html#26_1_3">Links</A></LI>
-<LI><A HREF="politics.html#26_1_4">Outline of this section</A></LI>
-</UL>
-<LI><A HREF="politics.html#leader">From our project leader</A></LI>
-<UL>
-<LI><A HREF="politics.html#gilmore">Swan: Securing the Internet against
- Wiretapping</A></LI>
-<LI><A HREF="politics.html#policestate">Stopping wholesale monitoring</A>
-</LI>
-</UL>
-<LI><A HREF="politics.html#weak">Government promotion of weak crypto</A></LI>
-<UL>
-<LI><A HREF="politics.html#escrow">Escrowed encryption</A></LI>
-<LI><A HREF="politics.html#shortkeys">Limited key lengths</A></LI>
-</UL>
-<LI><A HREF="politics.html#exlaw">Cryptography Export Laws</A></LI>
-<UL>
-<LI><A HREF="politics.html#USlaw">US Law</A></LI>
-<LI><A HREF="politics.html#wrong">What's wrong with restrictions on
- cryptography</A></LI>
-<LI><A HREF="politics.html#Wassenaar">The Wassenaar Arrangement</A></LI>
-<LI><A HREF="politics.html#status">Export status of Linux FreeS/WAN</A></LI>
-<LI><A HREF="politics.html#help">Help spread IPsec around</A></LI>
-</UL>
-<LI><A HREF="politics.html#desnotsecure">DES is Not Secure</A></LI>
-<UL>
-<LI><A HREF="politics.html#deshware">Dedicated hardware breaks DES in a
- few days</A></LI>
-<LI><A HREF="politics.html#spooks">Spooks may break DES faster yet</A></LI>
-<LI><A HREF="politics.html#desnet">Networks break DES in a few weeks</A></LI>
-<LI><A HREF="politics.html#no_des">We disable DES</A></LI>
-<LI><A HREF="politics.html#40joke">40-bits is laughably weak</A></LI>
-<LI><A HREF="politics.html#altdes">Triple DES is almost certainly secure</A>
-</LI>
-<LI><A HREF="politics.html#aes.ipsec">AES in IPsec</A></LI>
-</UL>
-<LI><A HREF="politics.html#press">Press coverage of Linux FreeS/WAN:</A></LI>
-<UL>
-<LI><A HREF="politics.html#26_6_1">FreeS/WAN 1.0 press</A></LI>
-<LI><A HREF="faq.html#release">Press release for version 1.0</A></LI>
-</UL>
-</UL>
-<B><A HREF="ipsec.html#ipsec.detail">The IPsec protocols</A></B>
-<UL>
-<LI><A HREF="ipsec.html#27_1">Protocols and phases</A></LI>
-<LI><A HREF="ipsec.html#others">Applying IPsec</A></LI>
-<UL>
-<LI><A HREF="ipsec.html#advantages">Advantages of IPsec</A></LI>
-<LI><A HREF="ipsec.html#limitations">Limitations of IPsec</A></LI>
-<LI><A HREF="ipsec.html#uses">IPsec is a general mechanism for securing
- IP</A></LI>
-<LI><A HREF="ipsec.html#authonly">Using authentication without
- encryption</A></LI>
-<LI><A HREF="ipsec.html#encnoauth">Encryption without authentication is
- dangerous</A></LI>
-<LI><A HREF="ipsec.html#multilayer">Multiple layers of IPsec processing
- are possible</A></LI>
-<LI><A HREF="ipsec.html#traffic.resist">Resisting traffic analysis</A></LI>
-</UL>
-<LI><A HREF="ipsec.html#primitives">Cryptographic components</A></LI>
-<UL>
-<LI><A HREF="ipsec.html#block.cipher">Block ciphers</A></LI>
-<LI><A HREF="ipsec.html#hash.ipsec">Hash functions</A></LI>
-<LI><A HREF="ipsec.html#DH.keying">Diffie-Hellman key agreement</A></LI>
-<LI><A HREF="ipsec.html#RSA.auth">RSA authentication</A></LI>
-</UL>
-<LI><A HREF="ipsec.html#structure">Structure of IPsec</A></LI>
-<UL>
-<LI><A HREF="ipsec.html#IKE.ipsec">IKE (Internet Key Exchange)</A></LI>
-<LI><A HREF="ipsec.html#services">IPsec Services, AH and ESP</A></LI>
-<LI><A HREF="ipsec.html#AH.ipsec">The Authentication Header (AH)</A></LI>
-<LI><A HREF="ipsec.html#ESP.ipsec">Encapsulated Security Payload (ESP)</A>
-</LI>
-</UL>
-<LI><A HREF="ipsec.html#modes">IPsec modes</A></LI>
-<UL>
-<LI><A HREF="ipsec.html#tunnel.ipsec">Tunnel mode</A></LI>
-<LI><A HREF="ipsec.html#transport.ipsec">Transport mode</A></LI>
-</UL>
-<LI><A HREF="ipsec.html#parts">FreeS/WAN parts</A></LI>
-<UL>
-<LI><A HREF="ipsec.html#KLIPS.ipsec">KLIPS: Kernel IPsec Support</A></LI>
-<LI><A HREF="ipsec.html#Pluto.ipsec">The Pluto daemon</A></LI>
-<LI><A HREF="ipsec.html#command">The ipsec(8) command</A></LI>
-<LI><A HREF="ipsec.html#ipsec.conf">Linux FreeS/WAN configuration file</A>
-</LI>
-</UL>
-<LI><A HREF="ipsec.html#key">Key management</A></LI>
-<UL>
-<LI><A HREF="ipsec.html#current">Currently Implemented Methods</A></LI>
-<LI><A HREF="ipsec.html#notyet">Methods not yet implemented</A></LI>
-</UL>
-</UL>
-<B><A HREF="mail.html#lists">Mailing lists and newsgroups</A></B>
-<UL>
-<LI><A HREF="mail.html#list.fs">Mailing lists about FreeS/WAN</A></LI>
-<UL>
-<LI><A HREF="mail.html#projlist">The project mailing lists</A></LI>
-<LI><A HREF="mail.html#archive">Archives of the lists</A></LI>
-</UL>
-<LI><A HREF="mail.html#indexes">Indexes of mailing lists</A></LI>
-<LI><A HREF="mail.html#otherlists">Lists for related software and topics</A>
-</LI>
-<UL>
-<LI><A HREF="mail.html#28_3_1">Products that include FreeS/WAN</A></LI>
-<LI><A HREF="mail.html#linux.lists">Linux mailing lists</A></LI>
-<LI><A HREF="mail.html#ietf">Lists for IETF working groups</A></LI>
-<LI><A HREF="mail.html#other">Other mailing lists</A></LI>
-</UL>
-<LI><A HREF="mail.html#newsgroups">Usenet newsgroups</A></LI>
-</UL>
-<B><A HREF="web.html#weblink">Web links</A></B>
-<UL>
-<LI><A HREF="web.html#freeswan">The Linux FreeS/WAN Project</A></LI>
-<UL>
-<LI><A HREF="web.html#patch">Add-ons and patches for FreeS/WAN</A></LI>
-<LI><A HREF="web.html#dist">Distributions including FreeS/WAN</A></LI>
-<LI><A HREF="web.html#used">Things FreeS/WAN uses or could use</A></LI>
-<LI><A HREF="web.html#alternatives">Other approaches to VPNs for Linux</A>
-</LI>
-</UL>
-<LI><A HREF="web.html#ipsec.link">The IPsec Protocols</A></LI>
-<UL>
-<LI><A HREF="web.html#general">General IPsec or VPN information</A></LI>
-<LI><A HREF="trouble.html#overview">IPsec overview documents or slide
- sets</A></LI>
-<LI><A HREF="web.html#otherlang">IPsec information in languages other
- than English</A></LI>
-<LI><A HREF="web.html#RFCs1">RFCs and other reference documents</A></LI>
-<LI><A HREF="web.html#analysis">Analysis and critiques of IPsec
- protocols</A></LI>
-<LI><A HREF="web.html#IP.background">Background information on IP</A></LI>
-</UL>
-<LI><A HREF="web.html#implement">IPsec Implementations</A></LI>
-<UL>
-<LI><A HREF="web.html#linuxprod">Linux products</A></LI>
-<LI><A HREF="web.html#router">IPsec in router products</A></LI>
-<LI><A HREF="web.html#fw.web">IPsec in firewall products</A></LI>
-<LI><A HREF="web.html#ipsecos">Operating systems with IPsec support</A></LI>
-<LI><A HREF="web.html#29_3_5">IPsec on network cards</A></LI>
-<LI><A HREF="web.html#opensource">Open source IPsec implementations</A></LI>
-<LI><A HREF="web.html#interop.web">Interoperability</A></LI>
-</UL>
-<LI><A HREF="web.html#linux.link">Linux links</A></LI>
-<UL>
-<LI><A HREF="web.html#linux.basic">Basic and tutorial Linux information</A>
-</LI>
-<LI><A HREF="web.html#general">General Linux sites</A></LI>
-<LI><A HREF="web.html#docs.ldp">Documentation</A></LI>
-<LI><A HREF="web.html#advroute.web">Advanced routing</A></LI>
-<LI><A HREF="web.html#linsec">Security for Linux</A></LI>
-<LI><A HREF="web.html#firewall.linux">Linux firewalls</A></LI>
-<LI><A HREF="web.html#linux.misc">Miscellaneous Linux information</A></LI>
-</UL>
-<LI><A HREF="web.html#crypto.link">Crypto and security links</A></LI>
-<UL>
-<LI><A HREF="web.html#security">Crypto and security resources</A></LI>
-<LI><A HREF="web.html#policy">Cryptography law and policy</A></LI>
-<LI><A HREF="web.html#crypto.tech">Cryptography technical information</A>
-</LI>
-<LI><A HREF="web.html#compsec">Computer and network security</A></LI>
-<LI><A HREF="web.html#people">Links to home pages</A></LI>
-</UL>
-</UL>
-<B><A HREF="glossary.html#ourgloss">Glossary for the Linux FreeS/WAN
- project</A></B>
-<UL>
-<LI><A HREF="glossary.html#jump">Jump to a letter in the glossary</A></LI>
-<LI><A HREF="glossary.html#gloss">Other glossaries</A></LI>
-<LI><A HREF="glossary.html#definitions">Definitions</A></LI>
-</UL>
-<B><A HREF="biblio.html#biblio">Bibliography for the Linux FreeS/WAN
- project</A></B>
-<BR>
-<BR><B><A HREF="rfc.html#RFC">IPsec RFCs and related documents</A></B>
-<UL>
-<LI><A HREF="rfc.html#RFCfile">The RFCs.tar.gz Distribution File</A></LI>
-<LI><A HREF="rfc.html#sources">Other sources for RFCs &amp; Internet drafts</A>
-</LI>
-<UL>
-<LI><A HREF="rfc.html#RFCdown">RFCs</A></LI>
-<LI><A HREF="rfc.html#drafts">Internet Drafts</A></LI>
-<LI><A HREF="rfc.html#FIPS1">FIPS standards</A></LI>
-</UL>
-<LI><A HREF="rfc.html#RFCs.tar.gz">What's in the RFCs.tar.gz bundle?</A></LI>
-<UL>
-<LI><A HREF="rfc.html#rfc.ov">Overview RFCs</A></LI>
-<LI><A HREF="rfc.html#basic.prot">Basic protocols</A></LI>
-<LI><A HREF="rfc.html#key.ike">Key management</A></LI>
-<LI><A HREF="rfc.html#rfc.detail">Details of various things used</A></LI>
-<LI><A HREF="rfc.html#rfc.ref">Older RFCs which may be referenced</A></LI>
-<LI><A HREF="rfc.html#rfc.dns">RFCs for secure DNS service, which IPsec
- may use</A></LI>
-<LI><A HREF="rfc.html#rfc.exp">RFCs labelled &quot;experimental&quot;</A></LI>
-<LI><A HREF="rfc.html#rfc.rel">Related RFCs</A></LI>
-</UL>
-</UL>
-<B><A HREF="roadmap.html#roadmap">Distribution Roadmap: What's Where in
- Linux FreeS/WAN</A></B>
-<UL>
-<LI><A HREF="roadmap.html#top">Top directory</A></LI>
-<LI><A HREF="roadmap.html#doc">Documentation</A></LI>
-<LI><A HREF="roadmap.html#klips.roadmap">KLIPS: kernel IP security</A></LI>
-<LI><A HREF="roadmap.html#pluto.roadmap">Pluto key and connection
- management daemon</A></LI>
-<LI><A HREF="roadmap.html#utils">Utils</A></LI>
-<LI><A HREF="roadmap.html#lib">Libraries</A></LI>
-<UL>
-<LI><A HREF="roadmap.html#fswanlib">FreeS/WAN Library</A></LI>
-<LI><A HREF="roadmap.html#otherlib">Imported Libraries</A></LI>
-</UL>
-</UL>
-<B><A HREF="umltesting.html#umltesting">User-Mode-Linux Testing guide</A>
-</B>
-<UL>
-<LI><A HREF="umltesting.html#34_1">Preliminary Notes on BIND</A></LI>
-<LI><A HREF="umltesting.html#34_2">Steps to Install UML for FreeS/WAN</A>
-</LI>
-</UL>
-<B><A HREF="umltesting.html#35">Debugging the kernel with GDB</A></B>
-<UL>
-<LI><A HREF="umltesting.html#35_1">Other notes about debugging</A></LI>
-</UL>
-<B><A HREF="umltesting.html#36">User-Mode-Linux mysteries</A></B>
-<BR>
-<BR><B><A HREF="umltesting.html#37">Getting more info from uml_netjig</A>
-</B>
-<BR>
-<BR><B><A HREF="makecheck.html#makecheck">How to configure to use &quot;make
- check&quot;</A></B>
-<UL>
-<LI><A HREF="makecheck.html#38_1">What is &quot;make check&quot;</A></LI>
-<LI><A HREF="makecheck.html#38_2">Running &quot;make check&quot;</A></LI>
-</UL>
-<B><A HREF="makecheck.html#39">How to write a &quot;make check&quot; test</A></B>
-<UL>
-<LI><A HREF="makecheck.html#39_1">Structure of a test</A></LI>
-<LI><A HREF="makecheck.html#39_2">The TESTLIST</A></LI>
-<LI><A HREF="makecheck.html#39_3">Test kinds</A></LI>
-<LI><A HREF="makecheck.html#39_4">Common parameters</A></LI>
-<LI><A HREF="makecheck.html#39_5">KLIPStest paramaters</A></LI>
-<LI><A HREF="makecheck.html#39_6">mkinsttest paramaters</A></LI>
-<LI><A HREF="makecheck.html#39_7">rpm_build_install_test paramaters</A></LI>
-<LI><A HREF="makecheck.html#39_8">libtest paramaters</A></LI>
-<LI><A HREF="makecheck.html#39_9">umlplutotest paramaters</A></LI>
-<LI><A HREF="makecheck.html#39_10">umlXhost parameters</A></LI>
-<LI><A HREF="makecheck.html#39_11">kernel_patch_test paramaters</A></LI>
-<LI><A HREF="makecheck.html#39_12">module_compile paramaters</A></LI>
-</UL>
-<B><A HREF="makecheck.html#40">Current pitfalls</A></B>
-<BR>
-<BR><B><A HREF="nightly.html#nightly">Nightly regression testing</A></B>
-<BR>
-<BR><B><A HREF="nightly.html#nightlyhowto">How to setup the nightly
- build</A></B>
-<UL>
-<LI><A HREF="nightly.html#42_1"> Files you need to know about</A></LI>
-<LI><A HREF="nightly.html#42_2">Configuring freeswan-regress-env.sh</A></LI>
-</UL>
-</BODY>
-</HTML>
diff --git a/doc/trouble.html b/doc/trouble.html
deleted file mode 100644
index 2123f3805..000000000
--- a/doc/trouble.html
+++ /dev/null
@@ -1,706 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="firewall.html">Previous</A>
-<A HREF="compat.html">Next</A>
-<HR>
-<H1><A NAME="trouble"></A>Linux FreeS/WAN Troubleshooting Guide</H1>
-<H2><A NAME="overview"></A>Overview</H2>
-<P> This document covers several general places where you might have a
- problem:</P>
-<OL>
-<LI><A HREF="#install">During install</A>.</LI>
-<LI><A HREF="#negotiation">During the negotiation process</A>.</LI>
-<LI><A HREF="#use">Using an established connection</A>.</LI>
-</OL>
-<P>This document also contains<A HREF="#notes"> notes</A> which expand
- on points made in these sections, and tips for<A HREF="#prob.report">
- problem reporting</A>. If the other end of your connection is not
- FreeS/WAN, you'll also want to read our<A HREF="interop.html#interop.problem">
- interoperation</A> document.</P>
-<H2><A NAME="install"></A>1. During Install</H2>
-<H3><A NAME="8_2_1">1.1 RPM install gotchas</A></H3>
-<P>With the RPM method:</P>
-<UL>
-<LI>Be sure you have installed both the userland tools and the kernel
- components. One will not work without the other. For example, when
- using FreeS/WAN-produced RPMs for our 2.04 release, you need both:
-<PRE>    freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm
-    freeswan-module-2.04_2.4.20_20.9-0.i386.rpm
-</PRE>
-</LI>
-</UL>
-<H3><A NAME="8_2_2">1.2 Problems installing from source</A></H3>
-<P>When installing from source, you may find these problems:</P>
-<UL>
-<LI>Missing library. See<A HREF="faq.html#gmp.h_missing"> this</A> FAQ.</LI>
-<LI>Missing utilities required for compile. See this<A HREF="install.html#tool.lib">
- checklist</A>.</LI>
-<LI>Kernel version incompatibility. See<A HREF="faq.html#k.versions">
- this</A> FAQ.</LI>
-<LI>Another compile problem. Find information in the out.* files, ie.
- out.kpatch, out.kbuild, created at compile time in the top-level Linux
- FreeS/WAN directory. Error messages generated by KLIPS during the boot
- sequence are accessible with the<VAR> dmesg</VAR> command.
-<BR> Check the list archives and the List in Brief to see if this is a
- known issue. If it is not, report it to the bugs list as described in
- our<A HREF="#prob.report"> problem reporting</A> section. In some
- cases, you may be asked to provide debugging information using gdb;
- details<A HREF="#gdb"> below</A>.</LI>
-<LI>If your kernel compiles but you fail to install your new
- FreeS/WAN-enabled kernel, review the sections on<A HREF="install.html#newk">
- installing the patched kernel</A>, and<A HREF="install.html#testinstall">
- testing</A> to see if install succeeded.</LI>
-</UL>
-<H3><A NAME="install.check"></A>1.3 Install checks</H3>
-<P><VAR>ipsec verify</VAR> checks a number of FreeS/WAN essentials. Here
- are some hints on what do to when your system doesn't check out:</P>
-<P></P>
-<TABLE border="1">
-<TR><TD><STRONG>Problem</STRONG></TD><TD><STRONG>Status</STRONG></TD><TD>
-<STRONG>Action</STRONG></TD></TR>
-<TR><TD><VAR>ipsec</VAR> not on-path</TD><TD>&nbsp;</TD><TD>
-<P>Add<VAR> /usr/local/sbin</VAR> to your PATH.</P>
-</TD></TR>
-<TR><TD>Missing KLIPS support</TD><TD><FONT COLOR="#FF0000">critical</FONT>
-</TD><TD>See<A HREF="faq.html#noKLIPS"> this FAQ.</A></TD></TR>
-<TR><TD>No RSA private key</TD><TD>&nbsp;</TD><TD>
-<P>Follow<A HREF="install.html#genrsakey"> these instructions</A> to
- create an RSA key pair for your host. RSA keys are:</P>
-<UL>
-<LI>required for opportunistic encryption, and</LI>
-<LI>our preferred method to authenticate pre-configured connections.</LI>
-</UL>
-</TD></TR>
-<TR><TD><VAR>pluto</VAR> not running</TD><TD><FONT COLOR="#FF0000">
-critical</FONT></TD><TD>
-<PRE>service ipsec start</PRE>
-</TD></TR>
-<TR><TD>No port 500 hole</TD><TD><FONT COLOR="#FF0000">critical</FONT></TD><TD>
-Open port 500 for IKE negotiation.</TD></TR>
-<TR><TD>Port 500 check N/A</TD><TD>&nbsp;</TD><TD>Check that port 500 is open
- for IKE negotiation.</TD></TR>
-<TR><TD>Failed DNS checks</TD><TD>&nbsp;</TD><TD>Opportunistic encryption
- requires information from DNS. To set this up, see<A HREF="quickstart.html#opp.setup">
- our instructions</A>.</TD></TR>
-<TR><TD>No public IP address</TD><TD>&nbsp;</TD><TD>Check that the interface
- which you want to protect with IPSec is up and running.</TD></TR>
-</TABLE>
-<H3><A NAME="oe.trouble"></A>1.3 Troubleshooting OE</H3>
-<P>OE should work with no local configuration, if you have posted DNS
- TXT records according to the instructions in our<A HREF="quickstart.html">
- quickstart guide</A>. If you encounter trouble, try these hints. We
- welcome additional hints via the<A HREF="mail.html"> users' mailing
- list</A>.</P>
-<TABLE border="1">
-<TR><TD><STRONG>Symptom</STRONG></TD><TD><STRONG>Problem</STRONG></TD><TD>
-<STRONG>Action</STRONG></TD></TR>
-<TR><TD> You're running FreeS/WAN 2.01 (or later), and initiating a
- connection to FreeS/WAN 2.00 (or earlier). In your logs, you see a
- message like:
-<PRE>no RSA public key known for '192.0.2.13';
-DNS search for KEY failed (no KEY record
-for 13.2.0.192.in-addr.arpa.)</PRE>
- The older FreeS/WAN logs no error.</TD><TD><A NAME="oe.trouble.flagday">
-</A> A protocol level incompatibility between 2.01 (or later) and 2.00
- (or earlier) causes this error. It occurs when a FreeS/WAN 2.01 (or
- later) box for which no KEY record is posted attempts to initiate an OE
- connection to older FreeS/WAN versions (2.00 and earlier). Note that
- older versions can initiate to newer versions without this error.</TD><TD>
-If you control the peer host, upgrade its FreeS/WAN to 2.01 (or later),
- and post new style TXT records for it. If not, but if you know its
- sysadmin, perhaps a quick note is in order. If neither option is
- possible, you can ease the transition by posting an old style KEY
- record (created with a command like &quot;ipsec&nbsp;showhostkey&nbsp;--key&quot;) to the
- reverse map for the FreeS/WAN 2.01 (or later) box.</TD></TR>
-<TR><TD>OE host is very slow to contact other hosts.</TD><TD>Slow DNS
- service while running OE.</TD><TD>It's a good idea to run a caching DNS
- server on your OE host, as outlined in<A HREF="http://lists.freeswan.org/pipermail/design/2003-January/004205.html">
- this mailing list message</A>. If your DNS servers are elsewhere, put
- their IPs in the<VAR> clear</VAR> policy group, and re-read groups with
-<PRE>ipsec auto --rereadgroups</PRE>
-</TD></TR>
-<TR><TD>
-<PRE>Can't Opportunistically initiate for
-192.0.2.2 to 192.0.2.3: no TXT record
-for 13.2.0.192.in-addr.arpa.</PRE>
-</TD><TD>Peer is not set up for OE.</TD><TD>
-<P>None. Plenty of hosts on the Internet do not run OE. If, however, you
- have set OE up on that peer, this may indicate that you need to wait up
- to 48 hours for its DNS records to propagate.</P>
-</TD></TR>
-<TR><TD><VAR>ipsec verify</VAR> does not find DNS records:
-<PRE>...
-Looking for TXT in forward map:
-                xy.example.com...[FAILED]
-Looking for TXT in reverse map...[FAILED]
-...</PRE>
- You also experience authentication failure:
-<BR>
-<PRE>Possible authentication failure:
-no acceptable response to our
-first encrypted message</PRE>
-</TD><TD>DNS records are not posted or have not propagated.</TD><TD>Did
- you post the DNS records necessary for OE? If not, do so using the
- instructions in our<A HREF="quickstart.html#quickstart"> quickstart
- guide</A>. If so, wait up to 48 hours for the DNS records to propagate.</TD>
-</TR>
-<TR><TD><VAR>ipsec verify</VAR> does not find DNS records, and you
- experience authentication failure.</TD><TD>For iOE, your ID does not
- match location of forward DNS record.</TD><TD>In<VAR> config setup</VAR>
-, change<VAR> myid=</VAR> to match the forward DNS where you posted the
- record. Restart FreeS/WAN. For reference, see our<A HREF="quickstart.html#opp.client">
- iOE instructions</A>.</TD></TR>
-<TR><TD><VAR>ipsec verify</VAR> finds DNS records, yet there is still
- authentication failure. ( ? )</TD><TD>DNS records are malformed.</TD><TD>
-Re-create the records and send new copies to your DNS administrator.</TD>
-</TR>
-<TR><TD><VAR>ipsec verify</VAR> finds DNS records, yet there is still
- authentication failure. ( ? )</TD><TD>DNS records show different keys
- for a gateway vs. its subnet hosts.</TD><TD>All TXT records for boxes
- protected by an OE gateway must contain the gateway's public key.
- Re-create and re-post any incorrect records using<A HREF="quickstart.html#opp.incoming">
- these instructions</A>.</TD></TR>
-<TR><TD>OE gateway loses connectivity to its subnet. The gateway's
- routing table shows routes to the subnet through IPsec interfaces.</TD><TD>
-The subnet is part of the<VAR> private</VAR> or<VAR> block</VAR> policy
- group on the gateway.</TD><TD>Remove the subnet from the group, and
- reread groups with
-<PRE>ipsec auto --rereadgroups</PRE>
-</TD></TR>
-<TR><TD>OE does not work to hosts on the local LAN.</TD><TD>This is a
- known issue.</TD><TD>See<A HREF="opportunism.known-issues"> this list</A>
- of known issues with OE.</TD></TR>
-<TR><TD>FreeS/WAN does not seem to be executing your default policy. In
- your logs, you see a message like:
-<PRE>/etc/ipsec.d/policies/iprivate-or-clear&quot;
-line 14: subnet &quot;0.0.0.0/0&quot;,
-source 192.0.2.13/32,
-already &quot;private-or-clear&quot;</PRE>
-</TD><TD><A HREF="glossary.html#fullnet">Fullnet</A> in a policy group
- file defines your default policy. Fullnet should normally be present in
- only one policy group file. The fine print: you can have two default
- policies defined so long as they protect different local endpoints
- (e.g. the FreeS/WAN gateway and a subnet).</TD><TD> Find all policies
- which contain fullnet with:
-<BR>
-<PRE>grep -F 0.0.0.0/0 /etc/ipsec.d/policies/*</PRE>
- then remove the unwanted occurrence(s).</TD></TR>
-</TABLE>
-<H2><A NAME="negotiation"></A>2. During Negotiation</H2>
-<P>When you fail to bring up a tunnel, you'll need to find out:</P>
-<UL>
-<LI><A HREF="#state">what your connection state is,</A> and often</LI>
-<LI><A HREF="#find.pluto.error">an error message</A>.</LI>
-</UL>
-<P>before you can<A HREF="#interpret.pluto.error"> diagnose your problem</A>
-.</P>
-<H3><A NAME="state"></A>2.1 Determine Connection State</H3>
-<H4>Finding current state</H4>
-<P>You can see connection states (STATE_MAIN_I1 and so on) when you
- bring up a connection on the command line. If you have missed this, or
- brought up your connection automatically, use:</P>
-<PRE>ipsec auto --status</PRE>
-<P>The most relevant state is the last one reached.</P>
-<H4><VAR>What's this supposed to look like?</VAR></H4>
-<P>Negotiations should proceed though various states, in the processes
- of:</P>
-<OL>
-<LI>IKE negotiations (aka Phase 1, Main Mode, STATE_MAIN_*)</LI>
-<LI>IPSEC negotiations (aka Phase 2, Quick Mode, STATE_QUICK_*)</LI>
-</OL>
-<P>These are done and a connection is established when you see messages
- like:</P>
-<PRE>    000 #21: &quot;myconn&quot; STATE_MAIN_I4 (ISAKMP SA established)...
-    000 #2: &quot;myconn&quot; STATE_QUICK_I2 (sent QI2, IPsec SA established)...</PRE>
-<P> Look for the key phrases are &quot;ISAKMP SA established&quot; and &quot;IPSec SA
- established&quot;, with the relevant connection name. Often, this happens at
- STATE_MAIN_I4 and STATE_QUICK_I2, respectively.</P>
-<P><VAR>ipsec auto --status</VAR> will tell you what states<STRONG> have
- been achieved</STRONG>, rather than the current state. Since
- determining the current state is rather more difficult to do, current
- state information is not available from Linux FreeS/WAN. If you are
- actively bringing a connection up, the status report's last states for
- that connection likely reflect its current state. Beware, though, of
- the case where a connection was correctly brought up but is now downed:
- Linux FreeS/WAN will not notice this until it attempts to rekey.
- Meanwhile, the last known state indicates that the connection has been
- established.</P>
-<P>If your connection is stuck at STATE_MAIN_I1, skip straight to<A HREF="#ikepath">
- here</A>.</P>
-<H3><A NAME="find.pluto.error"></A>2.2 Finding error text</H3>
-<P>Solving most errors will require you to find verbose error text,
- either on the command line or in the logs.</P>
-<H4>Verbose start for more information</H4>
-<P> Note that you can get more detail from<VAR> ipsec auto</VAR> using
- the --verbose flag:</P>
-<PRE STYLE="margin-bottom: 0.2in">    ipsec auto --verbose --up west-east</PRE>
-<P> More complete information can be gleaned from the<A HREF="#logusage">
- log files</A>.</P>
-<H4>Debug levels count</H4>
-<P>The amount of description you'll get here depends on ipsec.conf debug
- settings,<VAR> klipsdebug</VAR>= and<VAR> plutodebug</VAR>=. When
- troubleshooting, set at least one of these to<VAR> all</VAR>, and when
- done, reset it to<VAR> none</VAR> so your logs don't fill up. Note that
- you must have enabled the<VAR> klipsdebug</VAR><A HREF="install.html#allbut">
- compile-time option</A> for the<VAR> klipsdebug</VAR> configuration
- switch to work.</P>
-<P>For negotiation problems<VAR> plutodebug</VAR> is most relevant.<VAR>
- klipsdebug</VAR> applies mainly to attempts to use an
- already-established connection. See also<A HREF="ipsec.html#parts">
- this</A> description of the division of duties within Linux FreeS/WAN.</P>
-<P>After raising your debug levels, restart Linux FreeS/WAN to ensure
- that ipsec.conf is reread, then recreate the error to generate verbose
- logs.</P>
-<H4><VAR>ipsec barf</VAR> for lots of debugging information</H4>
-<P><A HREF="manpage.d/ipsec_barf.8.html"><VAR> ipsec barf (8)</VAR></A>
- collects a bunch of useful debugging information, including these logs
- Use the command</P>
-<PRE>
-    ipsec barf &gt; barf.west
-</PRE>
-<P>to generate one.</P>
-<H4>Find the error</H4>
-<P>Search out the failure point in your logs. Are there a handful of
- lines which succinctly describe how things are going wrong or contrary
- to your expectation? Sometimes the failure point is not immediately
- obvious: Linux FreeS/WAN's errors are usually not marked &quot;Error&quot;. Have
- a look in the<A HREF="faq.html"> FAQ</A> for what some common failures
- look like.</P>
-<P>Tip: problems snowball. Focus your efforts on the first problem,
- which is likely to be the cause of later errors.</P>
-<H4>Play both sides</H4>
-<P>Also find error text on the peer IPSec box. This gives you two
- perspectives on the same failure.</P>
-<P>At times you will require information which only one side has. The
- peer can merely indicate the presence of an error, and its approximate
- point in the negotiations. If one side keeps retrying, it may be
- because there is a show stopper on the other side. Have a look at the
- other side and figure out what it doesn't like.</P>
-<P>If the other end is not Linux FreeS/WAN, the principle is the same:
- replicate the error with its most verbose logging on, and capture the
- output to a file.</P>
-<H3><A NAME="interpret.pluto.error"></A>2.3 Interpreting a Negotiation
- Error</H3>
-<H4><A NAME="ikepath"></A>Connection stuck at STATE_MAIN_I1</H4>
-<P>This error commonly happens because IKE (port 500) packets, needed to
- negotiate an IPSec connection, cannot travel freely between your IPSec
- gateways. See<A HREF="firewall.html#packets"> our firewall document</A>
- for details.</P>
-<H4>Other errors</H4>
-<P>Other errors require a bit more digging. Use the following resources:</P>
-<UL>
-<LI><A HREF="faq.html">the FAQ</A> . Since this document is constantly
- updated, the snapshot's FAQ may have a new entry relevant to your
- problem.</LI>
-<LI>our<A HREF="background.html"> background document</A> . Special
- considerations which, while not central to Linux FreeS/WAN, are often
- tripped over. Includes problems with<A href="background.html#MTU.trouble">
- packet fragmentation</A>, and considerations for testing opportunism.</LI>
-<LI>the<A HREF="mail.html#lists"> list archives</A>. Each of the
- searchable archives works differently, so it's worth checking each. Use
- a search term which is generic, but identifies your error, for example
- &quot;No connection is known for&quot;.
-<BR> Often, you will find that your question has been answered in the
- past. Finding an archived answer is quicker than asking the list. You
- may, however, find similar questions without answers. If you do, send
- their URLs to the list with your trouble report. The additional
- examples may help the list tech support person find your answer.</LI>
-<LI>Look into the code where the error is being generated. The pluto
- code is nicely documented with comments and meaningful variable names.</LI>
-</UL>
-<P>If you have failed to solve your problem with the help of these
- resources, send a detailed problem report to the users list, following
- these<A HREF="#prob.report"> guidelines</A>.</P>
-<H2><A NAME="use"></A>3. Using a Connection</H2>
-<H3><A NAME="8_4_1">3.1 Orienting yourself</A></H3>
-<H4><VAR>How do I know if it works?</VAR></H4>
-<P>Test your connection by sending packets through it. The simplest way
- to do this is with ping, but the ping needs to<STRONG> test the correct
- tunnel.</STRONG> See<A HREF="#testgates"> this example scenario</A> if
- you don't understand this.</P>
-<P></P>
-<P>If your ping returns, test any other connections you've brought u all
- check out, great. You may wish to<A HREF="#bigpacket"> test with large
- packets</A> for MTU problems.</P>
-<H4><VAR>ipsec barf</VAR> is useful again</H4>
-<P>If your ping fails to return, generate an ipsec barf debugging report
- on each IPSec gateway. On a non-Linux FreeS/WAN implementation, gather
- equivalent information. Use this, and the tips in the next sections, to
- troubleshoot. Are you sure that both endpoints are capable of hearing
- and responding to ping?</P>
-<H3><A NAME="8_4_2">3.2 Those pesky configuration errors</A></H3>
-<P>IPSec may be dropping your ping packets since they do not belong in
- the tunnels you have constructed:</P>
-<UL>
-<LI>Your ping may not test the tunnel you intend to test. For details,
- see our<A HREF="faq.html#cantping"> &quot;I can't ping&quot;</A> FAQ.</LI>
-<LI> Alternately, you may have a configuration error. For example, you
- may have configured one of the four possible tunnels between two
- gateways, but not the one required to secure the important traffic
- you're now testing. In this case, add and start the tunnel, and try
- again.</LI>
-</UL>
-<P>In either case, you will often see a message like:</P>
-<PRE>klipsdebug... no eroute</PRE>
-<P>which we discuss in<A HREF="faq.html#no_eroute"> this FAQ</A>.</P>
-<P>Note:</P>
-<UL>
-<LI><A HREF="glossary.html#NAT.gloss">Network Address Translation (NAT)</A>
- and<A HREF="glossary.html#masq"> IP masquerade</A> may have an effect
- on which tunnels you need to configure.</LI>
-<LI>When testing a tunnel that protects a multi-node subnet, try several
- subnet nodes as ping targets, in case one node is routing incorrectly.</LI>
-</UL>
-<H3><A NAME="route.firewall"></A>3.3 Check Routing and Firewalling</H3>
-<P>If you've confirmed your configuration assumptions, the problem is
- almost certainly with routing or firewalling. Isolate the problem using
- interface statistics, firewall statistics, or a packet sniffer.</P>
-<H4>Background:</H4>
-<UL>
-<LI>Linux FreeS/WAN supplies all the special routing it needs; you need
- only route packets out through your IPSec gateway. Verify that on the<VAR>
- subnetted</VAR> machines you are using for your ping-test, your routing
- is as expected. I have seen a tunnel &quot;fail&quot; because the subnet machine
- sending packets out an alternate gateway (not our IPSec gateway) on
- their return path.</LI>
-<LI>Linux FreeS/WAN requires particular<A HREF="firewall.html">
- firewalling considerations</A>. Check the firewall rules on your IPSec
- gateways and ensure that they allow IPSec traffic through. Be sure that
- no other machine - for example a router between the gateways - is
- blocking your IPSec packets.</LI>
-</UL>
-<H4><A NAME="ifconfig"></A>View Interface and Firewall Statistics</H4>
-<P>Interface reports and firewall statistics can help you track down
- lost packets at a glance. Check any firewall statistics you may be
- keeping on your IPSec gateways, for dropped packets.</P>
-<P><STRONG>Tip</STRONG>: You can take a snapshot of the packets
- processed by your firewall with:</P>
-<PRE>    iptables -L -n -v</PRE>
-<P>You can get creative with &quot;diff&quot; to find out what happens to a
- particular packet during transmission.</P>
-<P>Both<VAR> cat /proc/net/dev</VAR> and<VAR> ifconfig</VAR> display
- interface statistics, and both are included in<VAR> ipsec barf</VAR>.
- Use either to check if any interface has dropped packets. If you find
- that one has, test whether this is related to your ping. While you ping
- continuously, print that interface's statistics several times. Does its
- drop count increase in proportion to the ping? If so, check why the
- packets are dropped there.</P>
-<P>To do this, look at the firewall rules that apply to that interface.
- If the interface is an IPSec interface, more information may be
- available in the log. Grep for the word &quot;drop&quot; in a log which was
- created with<VAR> klipsdebug=all</VAR> as the error happened.</P>
-<P>See also this<A HREF="#ifconfig1"> discussion</A> on interpreting<VAR>
- ifconfig</VAR> statistics.</P>
-<H3><A NAME="sniff"></A>3.4 When in doubt, sniff it out</H3>
-<P>If you have checked configuration assumptions, routing, and firewall
- rules, and your interface statistics yield no clue, it remains for you
- to investigate the mystery of the lost packet by the most thorough
- method: with a packet sniffer (providing, of course, that this is legal
- where you are working).</P>
-<P>In order to detect packets on the ipsec virtual interfaces, you will
- need an up-to-date sniffer (tcpdump, ethereal, ksnuffle) on your IPSec
- gateway machines. You may also find it useful to sniff the ping
- endpoints.</P>
-<H4>Anticipate your packets' path</H4>
-<P>Ping, and examine each interface along the projected path, checking
- for your ping's arrival. If it doesn't get to the the next stop, you
- have narrowed down where to look for it. In this way, you can isolate a
- problem area, and narrow your troubleshooting focus.</P>
-<P>Within a machine running Linux FreeS/WAN, this<A HREF="firewall.html#packets">
- packet flow diagram</A> will help you anticipate a packet's path.</P>
-<P>Note that:</P>
-<UL>
-<LI> from the perspective of the tunneled packet, the entire tunnel is
- one hop. That's explained in<A HREF="faq.html#no_trace"> this</A> FAQ.</LI>
-<LI> an encapsulated IPSec packet will look different, when sniffed,
- from the plaintext packet which generated it. You can see plaintext
- packets entering an IPSec interface and the resulting cyphertext
- packets as they emerge from the corresponding physical interface.</LI>
-</UL>
-<P>Once you isolate where the packet is lost, take a closer look at
- firewall rules, routing and configuration assumptions as they affect
- that specific area. If the packet is lost on an IPSec gateway, comb
- through<VAR> klipsdebug</VAR> output for anomalies.</P>
-<P>If the packet goes through both gateways successfully and reaches the
- ping target, but does not return, suspect routing. Check that the ping
- target routes packets back to the IPSec gateway.</P>
-<H3><A NAME="find.use.error"></A>3.5 Check your logs</H3>
-<P>Here, too, log information can be useful. Start with the<A HREF="#find.pluto.error">
- guidelines above</A>.</P>
-<P>For connection use problems, set<VAR> klipsdebug=all</VAR>. Note that
- you must have enabled the<VAR> klipsdebug</VAR><A HREF="install.html#allbut">
- compile-time option</A> to do this. Restart Linux FreeS/WAN so that it
- rereads<VAR> ipsec.conf</VAR>, then recreate the error condition. When
- searching through<VAR> klipsdebug</VAR> data, look especially for the
- keywords &quot;drop&quot; (as in dropped packets) and &quot;error&quot;.</P>
-<P>Often the problem with connection use is not software error, but
- rather that the software is behaving contrary to expectation.</P>
-<H4><A NAME="interpret.use.error"></A>Interpreting log text</H4>
-<P>To interpret the Linux FreeS/WAN log text you've found, use the same
- resources as indicated for troubleshooting connection negotiation:<A HREF="faq.html">
- the FAQ</A> , our<A HREF="background.html"> background document</A>,
- and the<A HREF="mail.html#lists"> list archives</A>. Looking in the
- KLIPS code is only for the very brave.</P>
-<P>If you are still stuck, send a<A HREF="#prob.report"> detailed
- problem report</A> to the users' list.</P>
-<H3><A NAME="bigpacket"></A>3.6 More testing for the truly thorough</H3>
-<H4>Large Packets</H4>
-<P>If each of your connections passed the ping test, you may wish to
- test by pinging with large packets (2000 bytes or larger). If it does
- not return, suspect MTU issues, and see this<A HREF="background.html#MTU.trouble">
- discussion</A>.</P>
-<H4>Stress Tests</H4>
-<P>In most users' view, a simple ping test, and perhaps a large-packet
- ping test suffice to indicate a working IPSec connection.</P>
-<P>Some people might like to do additional stress tests prior to
- production use. They may be interested in this<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00224.html">
- testing protocol</A> we use at interoperation conferences, aka
- &quot;bakeoffs&quot;. We also have a<VAR> testing</VAR> directory that ships with
- the release.</P>
-<H2><A NAME="prob.report"></A>4. Problem Reporting</H2>
-<H3><A NAME="8_5_1">4.1 How to ask for help</A></H3>
-<P>Ask for troubleshooting help on the users' mailing list,<A HREF="mailto:users@lists.freeswan.org">
- users@lists.freeswan.org</A>. While sometimes an initial query with a
- quick description of your intent and error will twig someone's memory
- of a similar problem, it's often necessary to send a second mail with a
- complete problem report.</P>
-<P>When reporting problems to the mailing list(s), please include:</P>
-<UL>
-<LI>a brief description of the problem</LI>
-<LI>if it's a compile problem, the actual output from make, showing the
- problem. Try to edit it down to only the relevant part, but when in
- doubt, be as complete as you can. If it's a kernel compile problem, any
- relevant out.* files</LI>
-<LI>if it's a run-time problem, pointers to where we can find the
- complete output from &quot;ipsec barf&quot; from BOTH ENDS (not just one of
- them). Remember that it's common outside the US and Canada to pay for
- download volume, so if you can't post barfs on the web and send the URL
- to the mailing list, at least compress them with tar or gzip.
-<BR> If you can, try to simplify the case that is causing the problem.
- In particular, if you clear your logs, start FreeS/WAN with no other
- connections running, cause the problem to happen, and then do<VAR>
- ipsec barf</VAR> on both ends immediately, that gives the smallest and
- least cluttered output.</LI>
-<LI>any other error messages, complaints, etc. that you saw. Please send
- the complete text of the messages, not just a summary.</LI>
-<LI>what your network setup is. Include subnets, gateway addresses, etc.
- A schematic diagram is a good format for this information.</LI>
-<LI>exactly what you were trying to do with Linux FreeS/WAN, and exactly
- what went wrong</LI>
-<LI>a fix, if you have one. But remember, you are sending mail to people
- all over the world; US residents and US citizens in particular, please
- read doc/exportlaws.html before sending code -- even small bug fixes --
- to the list or to us.</LI>
-<LI>When in doubt about whether to include some seemingly-trivial item
- of information, include it. It is rare for problem reports to have too
- much information, and common for them to have too little.</LI>
-</UL>
-<P>Here are some good general guidelines on bug reporting:<A href="http://tuxedo.org/~esr/faqs/smart-questions.html">
- How To Ask Questions The Smart Way</A> and<A href="http://www.chiark.greenend.org.uk/~sgtatham/bugs.html">
- How to Report Bugs Effectively</A>.</P>
-<H3><A NAME="8_5_2">4.2 Where to ask</A></H3>
-<P>To report a problem, send mail about it to the users' list. If you
- are certain that you have found a bug, report it to the bugs list. If
- you encounter a problem while doing your own coding on the Linux
- FreeS/WAN codebase and think it is of interest to the design team,
- notify the design list. When in doubt, default to the users' list. More
- information about the mailing lists is found<A HREF="mail.html#lists">
- here</A>.</P>
-<P>For a number of reasons -- including export-control regulations
- affecting almost any<STRONG> private</STRONG> discussion of encryption
- software -- we prefer that problem reports and discussions go to the
- lists, not directly to the team. Beware that the list goes worldwide;
- US citizens, read this important information about your<A HREF="politics.html#exlaw">
- export laws</A>. If you're using this software, you really should be on
- the lists. To get onto them, visit<A HREF="http://lists.freeswan.org/">
- lists.freeswan.org</A>.</P>
-<P>If you do send private mail to our coders or want a private reply
- from them, please make sure that the return address on your mail (From
- or Reply-To header) is a valid one. They have more important things to
- do than to unravel addresses that have been mangled in an attempt to
- confuse spammers.</P>
-<H2><A NAME="notes"></A>5. Additional Notes on Troubleshooting</H2>
-<P>The following sections supplement the Guide:<A HREF="#system.info">
- information available on your system</A>;<A HREF="#testgates"> testing
- between security gateways</A>;<A HREF="#ifconfig1"> ifconfig reports
- for KLIPS debugging</A>;<A HREF="#gdb"> using GDB on Pluto</A>.</P>
-<H3><A NAME="system.info"></A>5.1 Information available on your system</H3>
-<H4><A NAME="logusage"></A>Logs used</H4>
-<P>Linux FreeS/WAN logs to:</P>
-<UL>
-<LI>/var/log/secure (or, on Debian, /var/log/auth.log)</LI>
-<LI>/var/log/messages</LI>
-</UL>
-<P>Check both places to get full information. If you find nothing, check
- your<VAR> syslogd.conf(5)</VAR> to see where your /etc/syslog.conf or
- equivalent is directing<VAR> authpriv</VAR> messages.</P>
-<H4><A NAME="pages"></A>man pages provided</H4>
-<DL>
-<DT><A HREF="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></DT>
-<DD> Manual page for IPSEC configuration file.</DD>
-<DT><A HREF="manpage.d/ipsec.8.html"> ipsec(8)</A></DT>
-<DD STYLE="margin-bottom: 0.2in"> Primary man page for ipsec utilities.</DD>
-</DL>
-<P> Other man pages are on<A HREF="manpages.html"> this list</A> and in</P>
-<UL>
-<LI>/usr/local/man/man3</LI>
-<LI>/usr/local/man/man5</LI>
-<LI>/usr/local/man/man8/ipsec_*</LI>
-</UL>
-<H4><A NAME="statusinfo"></A>Status information</H4>
-<DL>
-<DT>ipsec auto --status</DT>
-<DD> Command to get status report from running system. Displays Pluto's
- state. Includes the list of connections which are currently &quot;added&quot; to
- Pluto's internal database; lists state objects reflecting ISAKMP and
- IPsec SAs being negotiated or installed.</DD>
-<DT> ipsec look</DT>
-<DD> Brief status info.</DD>
-<DT> ipsec barf</DT>
-<DD STYLE="margin-bottom: 0.2in"> Copious debugging info.</DD>
-</DL>
-<H3><A NAME="testgates"></A> 5.2 Testing between security gateways</H3>
-<P>Sometimes you need to test a subnet-subnet tunnel. This is a tunnel
- between two security gateways, which protects traffic on behalf of the
- subnets behind these gateways. On this network:</P>
-<PRE>     Sunset==========West------------------East=========Sunrise
-                     IPSec gateway         IPSec gateway
-           local net       untrusted net       local net</PRE>
-<P> you might name this tunnel sunset-sunrise. You can test this tunnel
- by having a machine behind one gateway ping a machine behind the other
- gateway, but this is not always convenient or even possible.</P>
-<P>Simply pinging one gateway from the other is not useful. Such a ping
- does not normally go through the tunnel.<STRONG> The tunnel handles
- traffic between the two protected subnets, not between the gateways</STRONG>
- . Depending on the routing in place, a ping might</P>
-<UL>
-<LI>either succeed by finding an unencrypted route</LI>
-<LI>or fail by finding no route. Packets without an IPSEC eroute are
- discarded.</LI>
-</UL>
-<P><STRONG>Neither event tells you anything about the tunnel</STRONG>.
- You can explicitly create an eroute to force such packets through the
- tunnel, or you can create additional tunnels as described in our<A HREF="config.html#multitunnel">
- configuration document</A>, but those may be unnecessary complications
- in your situation.</P>
-<P>The trick is to explicitly test between<STRONG> both gateways'
- private-side IP addresses</STRONG>. Since the private-side interfaces
- are on the protected subnets, the resulting packets do go via the
- tunnel. Use either ping -I or traceroute -i, both of which allow you to
- specify a source interface. (Note: unsupported on older Linuxes). The
- same principles apply for a road warrior (or other) case where only one
- end of your tunnel is a subnet.</P>
-<H3><A NAME="ifconfig1"></A>5.3 ifconfig reports for KLIPS debugging</H3>
-<P>When diagnosing problems using ifconfig statistics, you may wonder
- what type of activity increments a particular counter for an ipsecN
- device. Here's an index, posted by KLIPS developer Richard Guy Briggs:</P>
-<PRE>Here is a catalogue of the types of errors that can occur for which
-statistics are kept when transmitting and receiving packets via klips.
-I notice that they are not necessarily logged in the right counter.
-. . .
-
-Sources of ifconfig statistics for ipsec devices
-
-rx-errors:
-- packet handed to ipsec_rcv that is not an ipsec packet.
-- ipsec packet with payload length not modulo 4.
-- ipsec packet with bad authenticator length.
-- incoming packet with no SA.
-- replayed packet.
-- incoming authentication failed.
-- got esp packet with length not modulo 8.
-
-tx_dropped:
-- cannot process ip_options.
-- packet ttl expired.
-- packet with no eroute.
-- eroute with no SA.
-- cannot allocate sk_buff.
-- cannot allocate kernel memory.
-- sk_buff internal error.
-
-
-The standard counters are:
-
-struct enet_statistics
-{
-        int        rx_packets;                /* total packets received */
-        int        tx_packets;                /* total packets transmitted */
-        int        rx_errors;                /* bad packets received */
-        int        tx_errors;                /* packet transmit problems */
-        int        rx_dropped;                /* no space in linux buffers */
-        int        tx_dropped;                /* no space available in linux */
-        int        multicast;                /* multicast packets received */
-        int        collisions;
-
-        /* detailed rx_errors: */
-        int        rx_length_errors;
-        int        rx_over_errors;                /* receiver ring buff overflow */
-        int        rx_crc_errors;                /* recved pkt with crc error */
-        int        rx_frame_errors;        /* recv'd frame alignment error */
-        int        rx_fifo_errors;                /* recv'r fifo overrun */
-        int        rx_missed_errors;        /* receiver missed packet */
-
-        /* detailed tx_errors */
-        int        tx_aborted_errors;
-        int        tx_carrier_errors;
-        int        tx_fifo_errors;
-        int        tx_heartbeat_errors;
-        int        tx_window_errors;
-};
-
-of which I think only the first 6 are useful.</PRE>
-<H3><A NAME="gdb"></A> 5.4 Using GDB on Pluto</H3>
-<P>You may need to use the GNU debugger, gdb(1), on Pluto. This should
- be necessary only in unusual cases, for example if you encounter a
- problem which the Pluto developer cannot readily reproduce or if you
- are modifying Pluto.</P>
-<P>Here are the Pluto developer's suggestions for doing this:</P>
-<PRE>Can you get a core dump and use gdb to find out what Pluto was doing
-when it died?
-
-To get a core dump, you will have to set dumpdir to point to a
-suitable directory (see <A HREF="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>).
-
-To get gdb to tell you interesting stuff:
-        $ script
-        $ cd dump-directory-you-chose
-        $ gdb /usr/local/lib/ipsec/pluto core
-        (gdb) where
-        (gdb) quit
-        $ exit
-
-The resulting output will have been captured by the script command in
-a file called &quot;typescript&quot;.  Send it to the list.
-
-Do not delete the core file.  I may need to ask you to print out some
-more relevant stuff.</PRE>
-<P> Note that the<VAR> dumpdir</VAR> parameter takes effect only when
- the IPsec subsystem is restarted -- reboot or ipsec setup restart.</P>
-<P>
-<BR>
-<BR></P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="firewall.html">Previous</A>
-<A HREF="compat.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/umltesting.html b/doc/umltesting.html
deleted file mode 100644
index 35bcef96d..000000000
--- a/doc/umltesting.html
+++ /dev/null
@@ -1,313 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="roadmap.html">Previous</A>
-<A HREF="makecheck.html">Next</A>
-<HR>
-<H1><A name="umltesting">User-Mode-Linux Testing guide</A></H1>
-<P> User mode linux is a way to compile a linux kernel such that it can
- run as a process in another linux system (potentially as a *BSD or
- Windows process later). See<A HREF="http://user-mode-linux.sourceforge.net/">
- http://user-mode-linux.sourceforge.net/</A></P>
-<P> UML is a good platform for testing and experimenting with FreeS/WAN.
- It allows several network nodes to be simulated on a single machine.
- Creating, configuring, installing, monitoring, and controling these
- nodes is generally easier and easier to script with UML than real
- hardware.</P>
-<P> You'll need about 500Mb of disk space for a full
- sunrise-east-west-sunset setup. You can possibly get this down by 130Mb
- if you remove the sunrise/sunset kernel build. If you just want to run,
- then you can even remove the east/west kernel build.</P>
-<P> Nothing need be done as super user. In a couple of steps, we note
- where super user is required to install commands in system-wide
- directories, but ~/bin could be used instead. UML seems to use a
- system-wide /tmp/uml directory so different users may interfere with
- one another. Later UMLs use ~/.uml instead, so multiple users running
- UML tests should not be a problem, but note that a single user running
- the UML tests will only be able run one set. Further, UMLs sometimes
- get stuck and hang around. These &quot;zombies&quot; (most will actually be in
- the &quot;T&quot; state in the process table) will interfere with subsequent
- tests.</P>
-<H2><A NAME="34_1">Preliminary Notes on BIND</A></H2>
-<P> As of 2003/3/1, the Light-Weight Resolver is used by pluto. This
- requires that BIND9 be running. It also requires that BIND9 development
- libraries be present in the build environment. The DNSSEC code is only
- truly functional in BIND9 snapshots. The library code could be 9.2.2,
- we believe. We are using BIND9 20021115 snapshot code from<A HREF="ftp://ftp.isc.org/isc/bind9/snapshots">
- ftp://ftp.isc.org/isc/bind9/snapshots</A>.</P>
-<P> FreeS/WAN may well require a newer BIND than is on your system. Many
- distributions have moved to BIND9.2.2 recently due to a security
- advisory. BIND is five components.</P>
-<OL>
-<LI> named</LI>
-<LI> dnssec-*</LI>
-<LI> client side resolver libraries</LI>
-<LI> client side utility libraries I thought there were lib and named
- parts to dnsssec...</LI>
-<LI> dynamic DNS update utilities</LI>
-</OL>
-<P> The only piece that we need for *building* is #4. That's the only
- part that has to be on the build host. What is the difference between
- resolver and util libs? If you want to edit
- testing/baseconfigs/all/etc/bind, you'll need a snapshot version. The
- resolver library contains the resolver. FreeS/WAN has its own copy of
- that in lib/liblwres.</P>
-<H2><A NAME="34_2">Steps to Install UML for FreeS/WAN</A></H2>
-<OL>
-<LI> Get the following files:
-<OL type="a">
-<LI> from<A HREF="http://www.sandelman.ottawa.on.ca/freeswan/uml/">
- http://www.sandelman.ottawa.on.ca/freeswan/uml/</A>
- umlfreeroot-15.1.tar.gz (or highest numbered one). This is a debian
- potato root file system. You can use this even on a Redhat host, as it
- has the newer GLIBC2.2 libraries as well.
-<!-- If you are using
-  Redhat 7.2 or newer as your development machine, you can create the
-  image from your installation media. See <A HREF="uml-rhroot.html">Building a RedHat root"></A>.
-  A future document will explain how to build this from .DEB files as well.
--->
-
-<!--
-<LI> umlfreesharemini.tar.gz    (or umlfreeshareall.tar.gz). 
-  If you are a Debian potato user, you don't need it you can use your
-  native /usr/share.
-</UL>
--->
-</LI>
-<LI> From<A HREF="ftp://ftp.xs4all.nl/pub/crypto/freeswan/">
- ftp://ftp.xs4all.nl/pub/crypto/freeswan/</A> a snapshot or release
- (1.92 or better)</LI>
-<LI> From a<A HREF="http://www.kernel.org/mirrors/">
- http://www.kernel.org mirror</A>, the virgin 2.4.19 kernel. Please
- realize that we have defaults in our tree for kernel configuration. We
- try to track the latest UML kernels. If you use a newer kernel, you may
- have faults in the kernel build process. You can see what the latest
- that is being regularly tested by visiting<A HREF="http://bugs.freeswan.org:81/regress/HEAD/lastgood/freeswan-regress-env.sh">
- freeswan-regress-env.sh</A>.</LI>
-<LI>
-<!-- Note: this step is refered to as "step 1d" below. -->
- Get<A HREF="http://ftp.nl.linux.org/uml/">
- http://ftp.nl.linux.org/uml/</A> uml-patch-2.4.19-47.bz2 or the one
- associated with your kernel. As of 2003/03/05, uml-patch-2.4.19-47.bz2
- works for us.<STRONG> More recent versions of the patch have not been
- tested by us.</STRONG></LI>
-<LI> You'll probably want to visit<A HREF="http://user-mode-linux.sourceforge.net">
- http://user-mode-linux.sourceforge.net</A> and get the UML utilities.
- These are not needed for the build or interactive use (but
- recommended). They are necessary for the regression testing procedures
- used by &quot;make check&quot;. We currently use uml_utilities_20020212.tar.bz2.</LI>
-<LI> You need tcpdump version 3.7.1 or better. This is newer than the
- version included in most LINUX distributions. You can check the version
- of an installed tcpdump with the --version flag. If you need a newer
- tcpdump fetch both tcpdump and libpcap source tar files from<A HREF="http://www.tcpdump.org/">
- http://www.tcpdump.org/</A> or a mirror.</LI>
-</OL>
-</LI>
-<LI> Pick a suitable place, and extract the following files:
-<OL type="a">
-<LI>
-<!-- Note: this step is refered to as "step 2a" later. -->
- 2.4.19 kernel. For instance:
-<PRE>
- <CODE>           cd /c2/kernel
-           tar xzvf ../download/pub/linux/kernel/v2.4/linux-2.4.19.tar.gz
-</CODE>
-</PRE>
-</LI>
-<LI> extract the umlfreeroot file
-<!-- (unless you <A HREF="uml-rhroot.html">built your own from RPMs</A>) -->
-
-<PRE>
- <CODE>           mkdir -p /c2/user-mode-linux/basic-root
-           cd /c2/user-mode-linux/basic-root
-           tar xzvf ../download/umlfreeroot-15.1.tar.gz
-</CODE>
-</PRE>
-</LI>
-<LI> FreeSWAN itself (or checkout &quot;all&quot; from CVS)
-<PRE>
- <CODE>           mkdir -p /c2/freeswan/sandbox
-           cd /c2/freeswan/sandbox
-           tar xzvf ../download/snapshot.tar.gz
-</CODE>
-</PRE>
-</LI>
-</OL>
-</LI>
-<LI> If you need to build a newer tcpdump:
-<UL>
-<LI> Make sure you have OpenSSL installed -- it is needed for
- cryptographic routines.</LI>
-<LI> Unpack libpcap and tcpdump source in parallel directories (the
- tcpdump build procedures look for libpcap next door).</LI>
-<LI> Change directory into the libpcap source directory and then build
- the library:
-<PRE>
- <CODE>	./configure
-	make
-</CODE>
-</PRE>
-</LI>
-<LI> Change into the tcpdump source directory, build tcpdump, and
- install it.
-<PRE>
- <CODE>	./configure
-	make
-	# Need to be superuser to install in system directories.
-	# Installing in ~/bin would be an alternative.
-	su -c &quot;make install&quot;
-</CODE>
-</PRE>
-</LI>
-</UL>
-</LI>
-<LI> If you need the uml utilities, unpack them somewhere then build and
- install them:
-<PRE>
- <CODE>	cd tools
-	make all
-	# Need to be superuser to install in system directories.
-	# Installing in ~/bin would be an alternative.
-	su -c &quot;make install BIN_DIR=/usr/local/bin&quot;
-</CODE>
-</PRE>
-</LI>
-<LI> set up the configuration file
-<UL>
-<LI> <CODE>cd /c2/freeswan/sandbox/freeswan-1.97/testing/utils</CODE></LI>
-<LI> copy umlsetup-sample.sh to ../../umlsetup.sh: <CODE> cp
- umlsetup-sample.sh ../../umlsetup.sh</CODE></LI>
-<LI> open up ../../umlsetup.sh in your favorite editor.</LI>
-<LI> change POOLSPACE= to point to the place with at least 500Mb of
- disk. Best if it is on the same partition as the &quot;umlfreeroot&quot;
- extraction, as it will attempt to use hard links if possible to save
- disk space.</LI>
-<LI> Set TESTINGROOT if you intend to run the script outside of the
- sandbox/snapshot/release directory. Otherwise, it will configure
- itself.</LI>
-<LI> KERNPOOL should point to the directory with your 2.4.19 kernel
- tree. This tree should be unconfigured! This is the directory you used
- in step 2a.</LI>
-<LI> UMLPATCH should point at the bz2 file you downloaded at 1d. If
- using a kernel that already includes the patch, set this to /dev/null.</LI>
-<LI> FREESWANDIR should point at the directory where you unpacked the
- snapshot/release. Include the &quot;freeswan-snap2001sep16b&quot; or whatever in
- it. If you are running from CVS, then you point at the directory where
- top, klips, etc. are. The script will fix up the directory so that it
- can be used.</LI>
-<LI> BASICROOT should be set to the directory used in 2b, or to the
- directory that you created with RPMs.</LI>
-<LI> SHAREDIR should be set to the directory used in 2c, to /usr/share
- for Debian potato users, or to $BASICROOT/usr/share.</LI>
-</UL>
-</LI>
-<LI>
-<PRE> <CODE>cd $TESTINGROOT/utils
-sh make-uml.sh
-</CODE></PRE>
- It will grind for awhile. If there are errors it will bail. If so, run
- it under &quot;script&quot; and send the output to bugs@lists.freeswan.org.</LI>
-<LI> You will have a bunch of stuff under $POOLSPACE. Open four xterms:
-<PRE> <CODE>    for i in sunrise sunset east west
-    do
-        xterm -name $i -title $i -e $POOLSPACE/$i/start.sh     done
-</CODE></PRE>
-</LI>
-<LI> Login as root. Password is &quot;root&quot; (Note, these virtual machines are
- networked together, but are not configured to talk to the rest of the
- world.)</LI>
-<LI> verify that pluto started on east/west, run &quot;ipsec look&quot;</LI>
-<LI> login to sunrise. run &quot;ping sunset&quot;</LI>
-<LI> login to west. run &quot;tcpdump -p -i eth1 -n&quot; (tcpdump must be version
- 3.7.1 or newer)</LI>
-<LI> Closing a console xterm will shut down that UML.</LI>
-<LI> You can &quot;make check&quot;, if you want to. It is run from
- /c2/freeswan/sandbox/freeswan-1.97.</LI>
-</OL>
-<H1><A NAME="35">Debugging the kernel with GDB</A></H1>
-<P> With User-Mode-Linux, you can debug the kernel using GDB. See
-<!--HREF="http://user-mode-linux.sourceforge.net/debugging.html"-->
-
- http://user-mode-linux.sourceforge.net/debugging.html.</(null)></P>
-<P> Typically, one will want to address a test case for a failing
- situation. Running GDB from Emacs, or from other front ends is
- possible. First start GDB.</P>
-<P> Tell it to open the UMLPOOL/swan/linux program.</P>
-<P> Note the PID of GDB:</P>
-<PRE>
-marajade-[projects/freeswan/mgmt/planning] mcr 1029 %ps ax | grep gdb
- 1659 pts/9    SN     0:00 /usr/bin/gdb -fullname -cd /mara4/freeswan/kernpatch/UMLPOOL/swan/ linux
-</PRE>
-<P> Set the following in the environment:</P>
-<PRE>
-UML_east_OPT=&quot;debug gdb-pid=1659&quot;
-</PRE>
-<P> Then start the user-mode-linux in the test scheme you wish:</P>
-<PRE>
-marajade-[kernpatch/testing/klips/east-icmp-02] mcr 1220 %../../utils/runme.sh
-</PRE>
- The user-mode-linux will stop on boot, giving you a chance to attach to
- the process:
-<PRE>
-(gdb) file linux
-Reading symbols from linux...done.
-(gdb) attach 1
-Attaching to program: /mara4/freeswan/kernpatch/UMLPOOL/swan/linux, process 1
-0xa0118bc1 in kill () at hostfs_kern.c:770
-</PRE>
-<P> At this point, break points should be created as appropriate.</P>
-<H2><A NAME="35_1">Other notes about debugging</A></H2>
-<P> If you are running a standard test, after all the packets are sent,
- the UML will be shutdown. This can cause problems, because the UML may
- get terminated while you are debugging.</P>
-<P> The environment variable <CODE>NETJIGWAITUSER</CODE> can be set to
- &quot;waituser&quot;. If so, then the testing system will prompt before exiting
- the test.</P>
-<H1><A NAME="36">User-Mode-Linux mysteries</A></H1>
-<UL>
-<LI> running more than one UML of the same name (e.g. &quot;west&quot;) can cause
- problems.</LI>
-<LI> running more than one UML from the same root file system is not a
- good idea.</LI>
-<LI> all this means that running &quot;make check&quot; twice on the same machine
- is probably not a good idea.</LI>
-<LI> occationally, UMLs will get stuck. This can happen like:
-<!--BLOCK-->
- 15134 ? T
- 0:00 /spare/hugh/uml/uml2.4.18-sept5/umlbuild/east/linux (east)
- [/bin/sh] 15138 ? T 0:00
- /spare/hugh/uml/uml2.4.18-sept5/umlbuild/east/linux (east) [halt]</(null)>
- these will need to be killed. Note that they are in &quot;T&quot;racing mode.</LI>
-<LI> UMLs can also hang, and will report &quot;Tracing myself and I can't get
- out&quot;. This is a bug in UML. There are ways to find out what is going on
- and report this to the UML people, but we don't know the magic right
- now.</LI>
-</UL>
-<H1><A NAME="37">Getting more info from uml_netjig</A></H1>
-<P> uml_netjig can be compiled with a built-in tcpdump. This uses
- not-yet-released code from<A HREF="http://www.tcpdump.org/">
- www.tcpdump.org</A>. Please see the instructions in <CODE>
-testing/utils/uml_netjig/Makefile</CODE>.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="roadmap.html">Previous</A>
-<A HREF="makecheck.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/upgrading.html b/doc/upgrading.html
deleted file mode 100644
index ce9fba3d2..000000000
--- a/doc/upgrading.html
+++ /dev/null
@@ -1,184 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="intro.html">Previous</A>
-<A HREF="quickstart.html">Next</A>
-<HR>
-<A NAME="upgrading"></A>
-<H1><A NAME="2">Upgrading to FreeS/WAN 2.x</A></H1>
-<H2><A NAME="2_1">New! Built in Opportunistic connections</A></H2>
-<P>Out of the box, FreeS/WAN 2.x will attempt to encrypt all your IP
- traffic. It will try to establish IPsec connections for:</P>
-<UL>
-<LI> IP traffic from the Linux box on which you have installed
- FreeS/WAN, and</LI>
-<LI> outbound IP traffic routed through that Linux box (eg. from a
- protected subnet).</LI>
-</UL>
-<P>FreeS/WAN 2.x uses<STRONG> hidden, automatically enabled<VAR>
- ipsec.conf</VAR> connections</STRONG> to do this.</P>
-<P>This behaviour is part of our campaign to get Opportunistic
- Encryption (OE) widespread in the Linux world, so that any two Linux
- boxes can encrypt to one another without prearrangement. There's one
- catch, however: you must<A HREF="quickstart.html#quickstart"> set up a
- few DNS records</A> to distribute RSA public keys and (if applicable)
- IPsec gateway information.</P>
-<P>If you start FreeS/WAN before you have set up these DNS records, your
- connectivity will be slow, and messages relating to the built in
- connections will clutter your logs. If you are unable to set up DNS for
- OE, you will wish to<A HREF="policygroups.html#disable_policygroups">
- disable the hidden connections</A>.</P>
-<A NAME="upgrading.flagday"></A>
-<H3><A NAME="2_1_1">Upgrading Opportunistic Encryption to 2.01 (or
- later)</A></H3>
-<P>As of FreeS/WAN 2.01, Opportunistic Encryption (OE) uses DNS TXT
- resource records (RRs) only (rather than TXT with KEY). This change
- causes a &quot;flag day&quot;. Users of FreeS/WAN 2.00 (or earlier) OE who are
- upgrading may need to post additional resource records.</P>
-<P>If you are running<A HREF="glossary.html#initiate-only">
- initiate-only OE</A>, you<EM> must</EM> put up a TXT record in any
- forward domain as per our<A HREF="quickstart.html#opp.client">
- quickstart instructions</A>. This replaces your old forward KEY.</P>
-<P> If you are running full OE, you require no updates. You already have
- the needed TXT record in the reverse domain. However, to facilitate
- future features, you may also wish to publish that TXT record in a
- forward domain as instructed<A HREF="quickstart.html#opp.incoming">
- here</A>.</P>
-<P>If you are running OE on a gateway (and encrypting on behalf of
- subnetted boxes) you require no updates. You already have the required
- TXT record in your gateway's reverse map, and the TXT records for any
- subnetted boxes require no updating. However, to facilitate future
- features, you may wish to publish your gateway's TXT record in a
- forward domain as shown<A HREF="quickstart.html#opp.incoming"> here</A>
-.</P>
-<P> During the transition, you may wish to leave any old KEY records up
- for some time. They will provide limited backward compatibility.
-<!--
-For more
-detail on that compatibility, see <A HREF="oe.known-issues">Known Issues with
-OE</A>.
--->
-</P>
-<H2><A NAME="2_2">New! Policy Groups</A></H2>
-<P>We want to make it easy for you to declare security policy as it
- applies to IPsec connections.</P>
-<P>Policy Groups make it simple to say:</P>
-<UL>
-<LI>These are the folks I want to talk to in the clear.</LI>
-<LI>These spammers' domains -- I don't want to talk to them at all.</LI>
-<LI>To talk to the finance department, I must use IPsec.</LI>
-<LI>For any other communication, try to encrypt, but it's okay if we
- can't.</LI>
-</UL>
-<P>FreeS/WAN then implements these policies, creating OE connections if
- and when needed. You can use Policy Groups along with connections you
- explicitly define in ipsec.conf.</P>
-<P>For more information, see our<A HREF="policygroups.html"> Policy
- Group HOWTO</A>.</P>
-<H2><A NAME="2_3">New! Packetdefault Connection</A></H2>
-<P>Free/SWAN 2.x ships with the<STRONG> automatically enabled, hidden
- connection</STRONG><VAR> packetdefault</VAR>. This configures a
- FreeS/WAN box as an OE gateway for any hosts located behind it. As
- mentioned above, you must configure some<A HREF="quickstart.html"> DNS
- records</A> for OE to work.</P>
-<P>As the name implies, this connection functions as a default. If you
- have more specific connections, such as policy groups which configure
- your FreeS/WAN box as an OE gateway for a local subnet, these will
- apply before<VAR> packetdefault</VAR>. You can view<VAR> packetdefault</VAR>
-'s specifics in<A HREF="manpage.d/ipsec.conf.5.html"> man ipsec.conf</A>
-.</P>
-<H2><A NAME="2_4">FreeS/WAN now disables Reverse Path Filtering</A></H2>
-<P>FreeS/WAN often doesn't work with reverse path filtering. At start
- time, FreeS/WAN now turns rp_filter off, and logs a warning.</P>
-<P>FreeS/WAN does not turn it back on again. You can do this yourself
- with a command like:</P>
-<PRE>   echo 1 &gt; /proc/sys/net/ipv4/conf/eth0/rp_filter</PRE>
-<P>For eth0, substitute the interface which FreeS/WAN was affecting.</P>
-<A NAME="ipsec.conf_v2"></A>
-<H2><A NAME="2_5">Revised<VAR> ipsec.conf</VAR></A></H2>
-<H3><A NAME="2_5_1">No promise of compatibility</A></H3>
-<P>The FreeS/WAN team promised config-file compatibility throughout the
- 1.x series. That means a 1.5 config file can be directly imported into
- a fresh 1.99 install with no problems.</P>
-<P>With FreeS/WAN 2.x, we've given ourselves permission to make the
- config file easier to use. The cost: some FreeS/WAN 1.x configurations
- will not work properly. Many of the new features are, however, backward
- compatible.</P>
-<H3><A NAME="2_5_2">Most<VAR> ipsec.conf</VAR> files will work fine</A></H3>
-<P>... so long as you paste this line,<STRONG> with no preceding
- whitespace</STRONG>, at the top of your config file:</P>
-<PRE>    version 2</PRE>
-<H3><A NAME="2_5_3">Backward compatibility patch</A></H3>
-<P>If the new defaults bite you, use<A HREF="ipsec.conf.2_to_1"> this<VAR>
- ipsec.conf</VAR> fragment</A> to simulate the old default values.</P>
-<H3><A NAME="2_5_4">Details</A></H3>
-<P> We've obsoleted various directives which almost no one was using:</P>
-<PRE>    dump
-    plutobackgroundload
-    no_eroute_pass
-    lifetime
-    rekeystart
-    rekeytries</PRE>
-<P>For most of these, there is some other way to elicit the desired
- behaviour. See<A HREF="http://lists.freeswan.org/pipermail/design/2002-August/003243.html">
- this post</A>.</P>
-<P> We've made some settings, which almost everyone was using, defaults.
- For example:</P>
-<PRE>    interfaces=%defaultroute
-    plutoload=%search
-    plutostart=%search
-    uniqueids=yes</PRE>
-<P>We've also changed some default values to help with OE and Policy
- Groups:</P>
-<PRE>    authby=rsasig   ## not secret!!!
-    leftrsasigkey=%dnsondemand ## looks up missing keys in DNS when needed.
-    rightrsasigkey=%dnsondemand</PRE>
-<P> Of course, you can still override any defaults by explictly
- declaring something else in your connection.</P>
-<P><A HREF="http://lists.freeswan.org/pipermail/design/2002-August/003243.html">
- A post with a list of many ipsec.conf changes.</A>
-<BR><A HREF="manpage.d/ipsec.conf.5.html"> Current ipsec.conf manual.</A>
-</P>
-<A NAME="upgrading.rpms"></A>
-<H3><A NAME="2_5_5">Upgrading from 1.x RPMs to 2.x RPMs</A></H3>
-<P>Note: When upgrading from 1-series to 2-series RPMs,<VAR> rpm -U</VAR>
- will not work.</P>
-<P>You must instead erase the 1.x RPMs, then install the 2.x set:</P>
-<PRE>    rpm -e freeswan</PRE>
-<PRE>    rpm -e freeswan-module</PRE>
-<P>On erasing, your old<VAR> ipsec.conf</VAR> should be moved to<VAR>
- ipsec.conf.rpmsave</VAR>. Keep this. You will probably want to copy
- your existing connections to the end of your new 2.x file.</P>
-<P>Install the RPMs suitable for your kernel version, such as:</P>
-<PRE>    rpm -ivh freeswan-module-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<PRE>    rpm -ivh freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<P>Or, to splice the files:</P>
-<PRE>    cat /etc/ipsec.conf /etc/ipsec.conf.rpmsave &gt; /etc/ipsec.conf.tmp
-    mv /etc/ipsec.conf.tmp /etc/ipsec.conf</PRE>
-<P>Then, remove the redundant<VAR> conn %default</VAR> and<VAR> config
- setup</VAR> sections. Unless you have done any special configuring
- here, you'll likely want to remove the 1.x versions. Remove<VAR> conn
- OEself</VAR>, if present.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="intro.html">Previous</A>
-<A HREF="quickstart.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/user_examples.html b/doc/user_examples.html
deleted file mode 100644
index d683c92e1..000000000
--- a/doc/user_examples.html
+++ /dev/null
@@ -1,320 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="background.html">Previous</A>
-<A HREF="makecheck.html">Next</A>
-<HR>
-<H1><A name="user.examples">FreeS/WAN script examples</A></H1>
- This file is intended to hold a collection of user-written example
- scripts or configuration files for use with FreeS/WAN.
-<P> So far it has only one entry.</P>
-<H2><A name="poltorak">Poltorak's Firewall script</A></H2>
-<PRE>
-From: Poltorak Serguei &lt;poltorak@dataforce.net&gt;
-Subject: [Users] Using FreeS/WAN
-Date: Tue, 16 Oct 2001
-
-Hello.
-
-I'm using FreeS/WAN IPsec for half a year. I learned a lot of things about
-it and I think it would be interesting for someone to see the result of my
-experiments and usage of FreeS/WAN. If you find a mistake in this
-file, please e-mail me. And excuse me for my english... I'm learning.. :)
-
-I'll talk about vary simple configuration:
-
-addresses prefix = 192.168
-
-    lan1          sgw1     .0.0/24 (Internet)       sgw2            lan2
-  .1.0/24---[ .1.1 ; .0.1 ]===================[ .0.10 ; . 2.10 ]---.2.0/24
-
-
-We need to let lan1 see lan2 across Internet like it is behind sgw1. The
-same for lan2. And we need to do IPX bridge for Novel Clients and NDS
-synchronization.
-
-my config:
-------------------- ipsec.conf -------------------
-conn lan1-lan2
-        type=tunnel
-        compress=yes
-        #-------------------
-        left=192.168.0.1
-        leftsubnet=192.168.1.0/24
-        #-------------------
-        right=192.168.0.10
-        rightsubnet=192.168.2.0/24
-        #-------------------
-        auth=esp
-        authby=secret
---------------- end of ipsec.conf ----------------
-
-ping .2.x from .1.y   (y != 1)
-It works?? Fine. Let's continue...
-
-Why y != 1 ?? Because kernel of sgw1 have 2 IP addresses and it will choose
-the first IP (which is used to go to Internet) .0.1 and the packet won't go
-through IPsec tunnel :(  But if do ping on .1.1 kernel will respond from
-that address (.1.1) and the packet will be tunneled. The same problem occurred then
-.2.x sends a packet to .1.2 which is down at the moment. What happens? .1.1
-sends ARP requesting .1.2... after 3 tries it send to .2.x an destunreach,
-but from his &quot;natural&quot; IP or .0.1 . So the error message won't be delivered!
-It's a big problem...
-
-Resolution... One can manipulate with ipsec0 or ipsec0:0 to solve the
-problem (if ipsec0 has .1.1 kernel will send packets correctly), but there
-are powerful and elegant iproute2 :) We simply need to change source address
-of packet that goes to other secure lan. This is done with
-
-ip route replace 192.168.2.0/24 via 192.168.0.10 dev ipsec0 src 192.168.1.1
-
-Cool!! Now it works!!
-
-The second step. We want install firewall on sgw1 and sgw2. Encryption of 
-traffic without security isn't a good idea. I don't use {left|right}firewall, 
-because I'm running firewall from init scripts.
-
-We want IPsec data between lan1-lan2, some ICMP errors (destination
-unreachable, TTL exceeded, parameter problem and source quench), replying on 
-pings from both lans and Internet, ipxtunnel data for IPX and of course SSH
-between sgw1 and sgw2 and from/to one specified host.
-
-I'm using ipchains. With iptables there are some changes.
-
----------------- rc.firewall ---------------------
-#!/bin/sh
-#
-# Firewall for IPsec lan1-lan2
-#
-
-IPC=/sbin/ipchains
-ANY=0.0.0.0/0
-
-# left
-SGW1_EXT=192.168.0.1
-SGW1_INT=192.168.1.1
-LAN1=192.168.1.0/24
-
-# right
-SGW2_EXT=192.168.0.10
-SGW2_INT=192.168.2.10
-LAN2=192.168.2.0/24
-
-# SSH from and to this host
-SSH_PEER_HOST=_SOME_HOST_
-
-# this is for left. exchange these values for right.
-MY_EXT=$SGW1_EXT
-MY_INT=$SGW1_INT
-PEER_EXT=$SGW2_EXT
-PEER_INT=$SGW2_INT
-INT_IF=eth1
-EXT_IF=eth0
-IPSEC_IF=ipsec0
-MY_LAN=$LAN1
-PEER_LAN=$LAN2
-
-$IPC -F
-$IPC -P input DENY
-$IPC -P forward DENY
-$IPC -P output DENY
-
-# Loopback traffic
-$IPC -A input -i lo -j ACCEPT
-$IPC -A output -i lo -j ACCEPT
-
-# for IPsec SGW1-SGW2
-## IKE
-$IPC -A input -p udp -s $PEER_EXT 500 -d $MY_EXT 500 -i $EXT_IF -j ACCEPT
-$IPC -A output -p udp -s $MY_EXT 500 -d $PEER_EXT 500 -i $EXT_IF -j ACCEPT
-## ESP
-$IPC -A input -p 50 -s $PEER_EXT -d $MY_EXT -i $EXT_IF -j ACCEPT
-### we don't need this line ### $IPC -A output -p 50 -s $MY_EXT -d $PEER_EXT -i $EXT_IF -j ACCEPT
-## forward LAN1-LAN2
-$IPC -A forward -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
-$IPC -A forward -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
-$IPC -A output -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
-$IPC -A input -s $PEER_LAN -d $MY_LAN -i $IPSEC_IF -j ACCEPT
-$IPC -A input -s $MY_LAN -d $PEER_LAN -i $INT_IF -j ACCEPT
-$IPC -A output -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
-
-# ICMP
-#
-## Dest unreachable
-### from/to Internet
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Source quench
-### from/to Internet
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Parameter problem
-### from/to Internet
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### from/to Lan
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### from/to Peer Lan
-$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-#
-## Time To Live exceeded
-### from/to Internet
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
-### to Lan
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
-### to Peer Lan
-$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
-
-# ICMP PINGs
-## from Internet
-$IPC -A input -p icmp -s $ANY -d $MY_EXT --icmp-type echo-request  -i $EXT_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_EXT -d $ANY --icmp-type echo-reply  -i $EXT_IF -j ACCEPT
-## from LAN
-$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $INT_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply  -i $INT_IF -j ACCEPT
-## from Peer LAN
-$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply  -i $IPSEC_IF -j ACCEPT
-
-# SSH
-## from SSH_PEER_HOST
-$IPC -A input -p tcp -s $SSH_PEER_HOST -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $SSH_PEER_HOST -i $EXT_IF -j ACCEPT
-## to SSH_PEER_HOST
-$IPC -A input -p tcp \! -y -s $SSH_PEER_HOST 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp -s $MY_EXT -d $SSH_PEER_HOST 22 -i $EXT_IF -j ACCEPT
-## from PEER
-$IPC -A input -p tcp -s $PEER_EXT -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $PEER_EXT -i $EXT_IF -j ACCEPT
-## to PEER
-$IPC -A input -p tcp \! -y -s $PEER_EXT 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
-$IPC -A output -p tcp -s $MY_EXT -d $PEER_EXT 22 -i $EXT_IF -j ACCEPT
-
-# ipxtunnel
-$IPC -A input -p udp -s $PEER_INT 2005 -d $MY_INT 2005 -i $IPSEC_IF -j ACCEPT
-$IPC -A output -p udp -s $MY_INT 2005 -d $PEER_INT 2005 -i $IPSEC_IF -j ACCEPT
-
----------------- end of rc.firewall ----------------------
-
-To understand this we need to look on this scheme:
-
-           ++-----------------------&lt;----------------------------+
-           || ipsec0                                             |
-           \/                                                    |
- eth0  +--------+    /---------/ yes  /---------/ yes +-----------------------+
-------&gt;| INPUT  |--&gt;/ ?local? /-----&gt;/ ?IPsec? /-----&gt;| decrypt decapsulate |
- eth1  +--------+  /---------/      /---------/       +-----------------------+
-                       || no            || no
-                       \/               \/
-                  +----------+      +---------+        +-------+
-                  | routing  |      |  local  |        | local |
-                  | decision |      | deliver |        | send  |
-                  +----------+      +---------+        +-------+
-                       ||                                 ||
-                       \/                                 \/
-                   +---------+                       +----------+
-                   | forward |                       | routing  |
-                   +---------+                       | decision |
-                       ||                            +----------+
-                       ||                                  ||
-                       ++----------------&lt;-----------------++
-                       ||
-                       \/
-                   +--------+ eth0
-                   | OUTPUT | eth1
-                   +--------+ ipsec0
-                       ||
-                       \/
-                   /---------/ yes +-----------------------+
-                  / ?IPsec? /-----&gt;| encrypt encapsulate |
-                 /---------/       +-----------------------+
-                      || no                    ||
-                      ||                       ||
-                      ||                       \/   eth0, eth1
-                      ++-----------------------++--------------&gt;
-
-This explain how a packet traverse TCP/IP stack in IPsec capable kernel.
-
-FIX ME, please, if there are any errors
-
-Test the new firewall now.
-
-
-Now about IPX. I tried 3 programs for tunneling IPX: tipxd, SIB and ipxtunnel
-
-tipxd didn't send packets.. :(
-SIB and ipxtunnel worked fine :)
-With ipxtunnel there was a little problem. In sources there are an error.
-
---------------------- in main.c ------------------------
-&lt;       bytes += p.len;
----
-&gt;       bytes += len;
---------------------------------------------------------
-
-After this FIX everything goes right...
-
-------------------- /etc/ipxtunnel.conf ----------------
-port    2005
-remote  192.168.101.97    2005
-interface eth1
---------------- end of /etc/ipxtunnel.conf -------------
-
-I use IPX tunnel between .1.1 and .2.10 so we don't need to encrypt nor
-authenticate encapsulated IPX packets, it is done with IPsec.
-
-If you don't wont to use iproute2 to change source IP you need to use SIB
-(it is able to bind local address) or establish tunnel between .0.1 and
-.0.10 (external IPs, you need to do encryption in the program, but it isn't
-strong).
-
-For now I'm using ipxtunnel.
-
-I think that's all for the moment. If there are any error, please e-mail me: 
-poltorak@df.ru . It would be cool if someone puts the scheme of TCP/IP in
-kernel and firewall example on FreeS/WAN's manual pages.
-
-PoltoS
-</PRE>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="background.html">Previous</A>
-<A HREF="makecheck.html">Next</A>
-</BODY>
-</HTML>
diff --git a/doc/web.html b/doc/web.html
deleted file mode 100644
index 0c084d289..000000000
--- a/doc/web.html
+++ /dev/null
@@ -1,749 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="mail.html">Previous</A>
-<A HREF="glossary.html">Next</A>
-<HR>
-<H1><A name="weblink">Web links</A></H1>
-<H2><A name="freeswan">The Linux FreeS/WAN Project</A></H2>
-<P>The main project web site is<A href="http://www.freeswan.org/">
- www.freeswan.org</A>.</P>
-<P>Links to other project-related<A href="intro.html#sites"> sites</A>
- are provided in our introduction section.</P>
-<H3><A name="patch">Add-ons and patches for FreeS/WAN</A></H3>
-<P>Some user-contributed patches have been integrated into the FreeS/WAN
- distribution. For a variety of reasons, those listed below have not.</P>
-<P>Note that not all patches are a good idea.</P>
-<UL>
-<LI>There are a number of &quot;features&quot; of IPsec which we do not implement
- because they reduce security. See this<A href="compat.html#dropped">
- discussion</A>. We do not recommend using patches that implement these.
- One example is aggressive mode.</LI>
-<LI>We do not recommend adding &quot;features&quot; of any sort unless they are
- clearly necessary, or at least have clear benefits. For example,
- FreeS/WAN would not become more secure if it offerred a choice of 14
- ciphers. If even one was flawed, it would certainly become less secure
- for anyone using that cipher. Even with 14 wonderful ciphers, it would
- be harder to maintain and administer, hence more vulnerable to various
- human errors.</LI>
-</UL>
-<P>This is not to say that patches are necessarily bad, only that using
- them requires some deliberation. For example, there might be perfectly
- good reasons to add a specific cipher in your application: perhaps GOST
- to comply with government standards in Eastern Europe, or AES for
- performance benefits.</P>
-<H4>Current patches</H4>
-<P>Patches believed current::</P>
-<UL>
-<LI>patches for<A href="http://www.strongsec.com/freeswan/"> X.509
- certificate support</A>, also available from a<A href="http://www.twi.ch/~sna/strongsec/freeswan/">
- mirror site</A></LI>
-<LI>patches to add<A href="http://www.irrigacion.gov.ar/juanjo/ipsec">
- AES and other ciphers</A>. There is preliminary data indicating AES
- gives a substantial<A href="performance.html#perf.more"> performance
- gain</A>.</LI>
-</UL>
-<P>There is also one add-on that takes the form of a modified FreeS/WAN
- distribution, rather than just patches to the standard distribution:</P>
-<UL>
-<LI><A href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6
- support</A></LI>
-</UL>
-<P>Before using any of the above,, check the<A href="mail.html"> mailing
- lists</A> for news of newer versions and to see whether they have been
- incorporated into more recent versions of FreeS/WAN.</P>
-<H4>Older patches</H4>
-<UL>
-<LI><A href="http://sources.colubris.com/en/projects/FreeSWAN/">hardware
- acceleration</A></LI>
-<LI>a<A href="http://tzukanov.narod.ru/"> series</A> of patches that
-<UL>
-<LI>provide GOST, a Russian gov't. standard cipher, in MMX assembler</LI>
-<LI>add GOST to OpenSSL</LI>
-<LI>add GOST to the International kernel patch</LI>
-<LI>let FreeS/WAN use International kernel patch ciphers</LI>
-</UL>
-</LI>
-<LI>Neil Dunbar's patches for<A href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">
- certificate support</A>, using code from<A href="http://www.openssl.org">
- Open SSL</A>.</LI>
-<LI>Luc Lanthier's<A href="ftp://ftp.netwinder.org/users/f/firesoul/">
- patches</A> for<A href="glossary.html#PKIX"> PKIX</A> support.</LI>
-<LI><A href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</A>
- to add<A href="glossary.html#blowfish"> Blowfish</A>,<A href="glossary.html#IDEA">
- IDEA</A> and<A href="glossary.html#CAST128"> CAST-128</A> to FreeS/WAN</LI>
-<LI>patches for FreeS/WAN 1.3, Pluto support for<A href="http://alcatraz.webcriminals.com/~bastiaan/ipsec/">
- external authentication</A>, for example with a smartcard or SKEYID.</LI>
-<LI><A href="http://www.zengl.net/freeswan/download/">patches and
- utilities</A> for using FreeS/WAN with PGPnet</LI>
-<LI><A href="http://www.freelith.com/lithworks/crypto/freeswan_patch.htm">
-Blowfish encryption and Tiger hash</A></LI>
-<LI><A href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">
-patches</A> for aggressive mode support</LI>
-</UL>
-<P>These patches are for older versions of FreeS/WAN and will likely not
- work with the current version. Older versions of FreeS/WAN may be
- available on some of the<A href="intro.html#sites"> distribution sites</A>
-, but we recommend using the current release.</P>
-<H4><A name="VPN.masq">VPN masquerade patches</A></H4>
-<P>Finally, there are some patches to other code that may be useful with
- FreeS/WAN:</P>
-<UL>
-<LI>a<A href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
- patch</A> to make IPsec, PPTP and SSH VPNs work through a Linux
- firewall with<A href="glossary.html#masq"> IP masquerade</A>.</LI>
-<LI><A href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">
-Linux VPN Masquerade HOWTO</A></LI>
-</UL>
-<P>Note that this is not required if the same machine does IPsec and
- masquerading, only if you want a to locate your IPsec gateway on a
- masqueraded network. See our<A href="firewall.html#NAT"> firewalls</A>
- document for discussion of why this is problematic.</P>
-<P>At last report, this patch could not co-exist with FreeS/WAN on the
- same machine.</P>
-<H3><A name="dist">Distributions including FreeS/WAN</A></H3>
-<P>The introductory section of our document set lists several<A href="intro.html#distwith">
- Linux distributions</A> which include FreeS/WAN.</P>
-<H3><A name="used">Things FreeS/WAN uses or could use</A></H3>
-<UL>
-<LI><A href="http://openpgp.net/random">/dev/random</A> support page,
- discussion of and code for the Linux<A href="glossary.html#random">
- random number driver</A>. Out-of-date when we last checked (January
- 2000), but still useful.</LI>
-<LI>other programs related to random numbers:
-<UL>
-<LI><A href="http://www.mindrot.org/audio-entropyd.html">audio entropy
- daemon</A> to gather noise from a sound card and feed it into
- /dev/random</LI>
-<LI>an<A href="http://www.lothar.com/tech/crypto/"> entropy-gathering
- daemon</A></LI>
-<LI>a driver for the random number generator in recent<A href="http://sourceforge.net/projects/gkernel/">
- Intel chipsets</A>. This driver is included as standard in 2.4 kernels.</LI>
-</UL>
-</LI>
-<LI>a Linux<A href="http://www.marko.net/l2tp/"> L2TP Daemon</A> which
- might be useful for communicating with Windows 2000 which builds L2TP
- tunnels over its IPsec connections</LI>
-<LI>to use opportunistic encryption, you need a recent version of<A href="glossary.html#BIND">
- BIND</A>. You can get one from the<A href="http://www.isc.org">
- Internet Software Consortium</A> who maintain BIND.</LI>
-</UL>
-<H3><A name="alternatives">Other approaches to VPNs for Linux</A></H3>
-<UL>
-<LI>other Linux<A href="#linuxipsec"> IPsec implementations</A></LI>
-<LI><A href="http://www.tik.ee.ethz.ch/~skip/">ENskip</A>, a free
- implementation of Sun's<A href="glossary.html#SKIP"> SKIP</A> protocol</LI>
-<LI><A href="http://sunsite.auc.dk/vpnd/">vpnd</A>, a non-IPsec VPN
- daemon for Linux which creates tunnels using<A href="glossary.html#Blowfish">
- Blowfish</A> encryption</LI>
-<LI><A href="http://www.winton.org.uk/zebedee/">Zebedee</A>, a simple
- GPLd tunnel-building program with Linux and Win32 versions. The name is
- from<STRONG> Z</STRONG>lib compression,<STRONG> B</STRONG>lowfish
- encryption and<STRONG> D</STRONG>iffie-Hellman key exchange.</LI>
-<LI>There are at least two PPTP implementations for Linux
-<UL>
-<LI>Moreton Bay's<A href="http://www.moretonbay.com/vpn/pptp.html">
- PoPToP</A></LI>
-<LI><A href="http://cag.lcs.mit.edu/~cananian/Projects/PPTP/">PPTP-Linux</A>
-</LI>
-</UL>
-</LI>
-<LI><A href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</A>
- (crypto IP encapsulation) project, using their own lightweight protocol
- to encrypt between routers</LI>
-<LI><A href="http://tinc.nl.linux.org/">tinc</A>, a VPN Daemon</LI>
-</UL>
-<P>There is a list of<A href="http://www.securityportal.com/lskb/10000000/kben10000005.html">
- Linux VPN</A> software in the<A href="http://www.securityportal.com/lskb/kben00000001.html">
- Linux Security Knowledge Base</A>.</P>
-<H2><A name="ipsec.link">The IPsec Protocols</A></H2>
-<H3><A name="general">General IPsec or VPN information</A></H3>
-<UL>
-<LI>The<A href="http://www.vpnc.org"> VPN Consortium</A> is a group for
- vendors of IPsec products. Among other things, they have a good
- collection of<A href="http://www.vpnc.org/white-papers.html"> IPsec
- white papers</A>.</LI>
-<LI>A VPN mailing list with a<A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
- home page</A>, a FAQ, some product comparisons, and many links.</LI>
-<LI><A href="http://www.opus1.com/vpn/index.html">VPN pointer page</A></LI>
-<LI>a<A href="http://www.epm.ornl.gov/~dunigan/vpn.html"> collection</A>
- of VPN links, and some explanation</LI>
-</UL>
-<H3><A name="overview">IPsec overview documents or slide sets</A></H3>
-<UL>
-<LI>the FreeS/WAN<A href="ipsec.html"> document section</A> on these
- protocols</LI>
-</UL>
-<H3><A name="otherlang">IPsec information in languages other than
- English</A></H3>
-<UL>
-<LI><A href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">
-German</A></LI>
-<LI><A href="http://www.kame.net/index-j.html">Japanese</A></LI>
-<LI>Feczak Szabolcs' thesis in<A href="http://feczo.koli.kando.hu/vpn/">
- Hungarian</A></LI>
-<LI>Davide Cerri's thesis and some presentation slides<A href="http://www.linux.it/~davide/doc/">
- Italian</A></LI>
-</UL>
-<H3><A name="RFCs1">RFCs and other reference documents</A></H3>
-<UL>
-<LI><A href="rfc.html">Our document</A> listing the RFCs relevant to
- Linux FreeS/WAN and giving various ways of obtaining both RFCs and
- Internet Drafts.</LI>
-<LI><A href="http://www.vpnc.org/vpn-standards.html">VPN Standards</A>
- page maintained by<A href="glossary.html#VPNC"> VPNC</A>. This covers
- both RFCs and Drafts, and classifies them in a fairly helpful way.</LI>
-<LI><A href="http://www.rfc-editor.org">RFC archive</A></LI>
-<LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</A>
- related to IPsec</LI>
-<LI>US government<A href="http://www.itl.nist.gov/div897/pubs"> site</A>
- with their<A href="glossary.html#FIPS"> FIPS</A> standards</LI>
-<LI>Archives of the ipsec@tis.com mailing list where discussion of
- drafts takes place.
-<UL>
-<LI><A href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern Canada</A></LI>
-<LI><A href="http://www.vpnc.org/ietf-ipsec">California</A>.</LI>
-</UL>
-</LI>
-</UL>
-<H3><A name="analysis">Analysis and critiques of IPsec protocols</A></H3>
-<UL>
-<LI>Counterpane's<A href="http://www.counterpane.com/ipsec.pdf">
- evaluation</A> of the protocols</LI>
-<LI>Simpson's<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">
- IKE Considered Dangerous</A> paper. Note that this is a link to an
- archive of our mailing list. There are several replies in addition to
- the paper itself.</LI>
-<LI>Fate Labs<A href="http://www.fatelabs.com/loki-vpn.pdf"> Virual
- Private Problems: the Broken Dream</A></LI>
-<LI>Catherine Meadows' paper<CITE> Analysis of the Internet Key Exchange
- Protocol Using the NRL Protocol Analyzer</CITE>, in<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">
- PDF</A> or<A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">
- Postscript</A>.</LI>
-<LI>Perlman and Kaufmnan
-<UL>
-<LI><A href="http://snoopy.seas.smu.edu/ee8392_summer01/week7/perlman2.pdf">
-Key Exchange in IPsec</A></LI>
-<LI>a newer<A href="http://sec.femto.org/wetice-2001/papers/radia-paper.pdf">
- PDF paper</A>,<CITE> Analysis of the IPsec Key Exchange Standard</CITE>
-.</LI>
-</UL>
-</LI>
-<LI>Bellovin's<A href="http://www.research.att.com/~smb/papers/index.html">
- papers</A> page including his:
-<UL>
-<LI><CITE>Security Problems in the TCP/IP Protocol Suite</CITE> (1989)</LI>
-<LI><CITE>Problem Areas for the IP Security Protocols</CITE> (1996)</LI>
-<LI><CITE>Probable Plaintext Cryptanalysis of the IP Security Protocols</CITE>
- (1997)</LI>
-</UL>
-</LI>
-<LI>An<A href="http://www.lounge.org/ike_doi_errata.html"> errata list</A>
- for the IPsec RFCs.</LI>
-</UL>
-<H3><A name="IP.background">Background information on IP</A></H3>
-<UL>
-<LI>An<A href="http://ipprimer.windsorcs.com/"> IP tutorial</A> that
- seems to be written mainly for Netware or Microsoft LAN admins entering
- a new world</LI>
-<LI><A href="http://www.iana.org">IANA</A>, Internet Assigned Numbers
- Authority</LI>
-<LI><A href="http://public.pacbell.net/dedicated/cidr.html">CIDR</A>,
- Classless Inter-Domain Routing</LI>
-<LI>Also see our<A href="biblio.html"> bibliography</A></LI>
-</UL>
-<H2><A name="implement">IPsec Implementations</A></H2>
-<H3><A name="linuxprod">Linux products</A></H3>
-<P>Vendors using FreeS/WAN in turnkey firewall or VPN products are
- listed in our<A href="intro.html#turnkey"> introduction</A>.</P>
-<P>Other vendors have Linux IPsec products which, as far as we know, do
- not use FreeS/WAN</P>
-<UL>
-<LI><A href="http://www.redcreek.com/products/shareware.html">Redcreek</A>
- provide an open source Linux driver for their PCI hardware VPN card.
- This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more
- specialised crypto chips, and claimed encryption performance of 45
- Mbit/sec. The PC sees it as an Ethernet board.</LI>
-<LI><A href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</A>
- offer a Linux-based VPN with hardware encryption</LI>
-<LI><A href="http://www.watchguard.com/">Watchguard</A> use Linux in
- their Firebox product.</LI>
-<LI><A href="http://www.entrust.com">Entrust</A> offer a developers'
- toolkit for using their<A href="glossary.html#PKI"> PKI</A> for IPsec
- authentication</LI>
-<LI>According to a report on our mailing list,<A href="http://www.axent.com">
- Axent</A> have a Linux version of their product.</LI>
-</UL>
-<H3><A name="router">IPsec in router products</A></H3>
-<P>All the major router vendors support IPsec, at least in some models.</P>
-<UL>
-<LI><A href="http://www.cisco.com/warp/public/707/16.html">Cisco</A>
- IPsec information</LI>
-<LI>Ascend, now part of<A href="http://www.lucent.com/"> Lucent</A>,
- have some IPsec-based products</LI>
-<LI><A href="http://www.nortelnetworks.com/">Bay Networks</A>, now part
- of Nortel, use IPsec in their Contivity switch product line</LI>
-<LI><A href="http://www.3com.com/products/enterprise.html">3Com</A> have
- a number of VPN products, some using IPsec</LI>
-</UL>
-<H3><A name="fw.web">IPsec in firewall products</A></H3>
-<P>Many firewall vendors offer IPsec, either as a standard part of their
- product, or an optional extra. A few we know about are:</P>
-<UL>
-<LI><A href="http://www.borderware.com/">Borderware</A></LI>
-<LI><A href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley
- Laurent</A></LI>
-<LI><A href="http://www.watchguard.com">Watchguard</A></LI>
-<LI><A href="http://www.fx.dk/firewall/ipsec.html">Injoy</A> for OS/2</LI>
-</UL>
-<P>Vendors using FreeS/WAN in turnkey firewall products are listed in
- our<A href="intro.html#turnkey"> introduction</A>.</P>
-<H3><A name="ipsecos">Operating systems with IPsec support</A></H3>
-<P>All the major open source operating systems support IPsec. See below
- for details on<A href="#BSD"> BSD-derived</A> Unix variants.</P>
-<P>Among commercial OS vendors, IPsec players include:</P>
-<UL>
-<LI><A href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">
-Microsoft</A> have put IPsec in their Windows 2000 and XP products</LI>
-<LI><A href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</A>
- announce a release of OS390 with IPsec support via a crypto
- co-processor</LI>
-<LI><A href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">
-Sun</A> include IPsec in Solaris 8</LI>
-<LI><A href="http://www.hp.com/security/products/extranet-security.html">
-Hewlett Packard</A> offer IPsec for their Unix machines</LI>
-<LI>Certicom have IPsec available for the<A href="http://www.certicom.com/products/movian/movianvpn_tech.html">
- Palm</A>.</LI>
-<LI>There were reports before the release that Apple's Mac OS X would
- have IPsec support built in, but it did not seem to be there when we
- last checked. If you find, it please let us know via the<A href="mail.html">
- mailing list</A>.</LI>
-</UL>
-<H3><A NAME="29_3_5">IPsec on network cards</A></H3>
-<P>Network cards with built-in IPsec acceleration are available from at
- least Intel, 3Com and Redcreek.</P>
-<H3><A name="opensource">Open source IPsec implementations</A></H3>
-<H4><A name="linuxipsec">Other Linux IPsec implementations</A></H4>
-<P>We like to think of FreeS/WAN as<EM> the</EM> Linux IPsec
- implementation, but it is not the only one. Others we know of are:</P>
-<UL>
-<LI><A href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</A>, a
- lightweight implementation of IPsec for Linux. Does not require kernel
- recompilation.</LI>
-<LI>Petr Novak's<A href="ftp://ftp.eunet.cz/icz/ipnsec/"> ipnsec</A>,
- based on the OpenBSD IPsec code and using<A href="glossary.html#photuris">
- Photuris</A> for key management</LI>
-<LI>A now defunct project at<A href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">
- U of Arizona</A> (export controlled)</LI>
-<LI><A href="http://snad.ncsl.nist.gov/cerberus">NIST Cerebus</A>
- (export controlled)</LI>
-</UL>
-<H4><A name="BSD">IPsec for BSD Unix</A></H4>
-<UL>
-<LI><A href="http://www.kame.net/project-overview.html">KAME</A>,
- several large Japanese companies co-operating on IPv6 and IPsec</LI>
-<LI><A href="http://web.mit.edu/network/isakmp">US Naval Research Lab</A>
- implementation of IPv6 and of IPsec for IPv4 (export controlled)</LI>
-<LI><A href="http://www.openbsd.org">OpenBSD</A> includes IPsec as a
- standard part of the distribution</LI>
-<LI><A href="http://www.r4k.net/ipsec">IPsec for FreeBSD</A></LI>
-<LI>a<A href="http://www.netbsd.org/Documentation/network/ipsec/"> FAQ</A>
- on NetBSD's IPsec implementation</LI>
-</UL>
-<H4><A name="misc">IPsec for other systems</A></H4>
-<UL>
-<LI><A href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of
- Technolgy</A> have implemented IPsec for Solaris, Java and Macintosh</LI>
-</UL>
-<H3><A name="interop.web">Interoperability</A></H3>
-<P>The IPsec protocols are designed so that different implementations
- should be able to work together. As they say &quot;the devil is in the
- details&quot;. IPsec has a lot of details, but considerable success has been
- achieved.</P>
-<H4><A name="result">Interoperability results</A></H4>
-<P>Linux FreeS/WAN has been tested for interoperability with many other
- IPsec implementations. Results to date are in our<A href="interop.html">
- interoperability</A> section.</P>
-<P>Various other sites have information on interoperability between
- various IPsec implementations:</P>
-<UL>
-<LI><A href="http://www.opus1.com/vpn/atl99display.html">interop results</A>
- from a bakeoff in Atlanta, September 1999.</LI>
-<LI>a French company, HSC's,<A href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">
- interoperability</A> test data covers FreeS/WAN, Open BSD, KAME, Linux
- pipsecd, Checkpoint, Red Creek Ravlin, and Cisco IOS</LI>
-<LI><A href="http://www.icsa.net/">ICSA</A> offer certification programs
- for various security-related products. See their list of<A href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
- certified IPsec</A> products. Linux FreeS/WAN is not currently on that
- list, but several products with which we interoperate are.</LI>
-<LI>VPNC have a page on why they are not yet doing<A href="http://www.vpnc.org/interop.html">
- interoperability</A> testing and a page on the<A href="http://www.vpnc.org/conformance.html">
- spec conformance</A> testing that they are doing</LI>
-<LI>a<A href="http://www.commweb.com/article/COM20000912S0009"> review</A>
- comparing a dozen commercial IPsec implemetations. Unfortunately, the
- reviewers did not look at Open Source implementations such as FreeS/WAN
- or OpenBSD.</LI>
-<LI><A href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">
-results</A> from interoperability tests at a conference. FreeS/WAN was
- not tested there.</LI>
-<LI>test results from the<A href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">
- IPSEC 2000</A> conference</LI>
-</UL>
-<H4><A name="test1">Interoperability test sites</A></H4>
-<UL>
-<LI><A href="http://www.tahi.org/">TAHI</A>, a Japanese IPv6 testing
- project with free IPsec validation software</LI>
-<LI><A href="http://ipsec-wit.antd.nist.gov">National Institute of
- Standards and Technology</A></LI>
-<LI><A href="http://isakmp-test.ssh.fi/">SSH Communications Security</A></LI>
-</UL>
-<H2><A name="linux.link">Linux links</A></H2>
-<H3><A name="linux.basic">Basic and tutorial Linux information</A></H3>
-<UL>
-<LI>Linux<A href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">
- Getting Started</A> HOWTO document</LI>
-<LI>A getting started guide from the<A href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">
- U of Oregon</A></LI>
-<LI>A large<A href="http://www.herring.org/techie.html"> link collection</A>
- which includes a lot of introductory and tutorial material on Unix,
- Linux, the net, . . .</LI>
-</UL>
-<H3><A name="general">General Linux sites</A></H3>
-<UL>
-<LI><A href="http://www.freshmeat.net">Freshmeat</A> Linux news</LI>
-<LI><A href="http://slashdot.org">Slashdot</A> &quot;News for Nerds&quot;</LI>
-<LI><A href="http://www.linux.org">Linux Online</A></LI>
-<LI><A href="http://www.linuxhq.com">Linux HQ</A></LI>
-<LI><A href="http://www.tux.org">tux.org</A></LI>
-</UL>
-<H3><A name="docs.ldp">Documentation</A></H3>
-<P>Nearly any Linux documentation you are likely to want can be found at
- the<A href="http://metalab.unc.edu/LDP"> Linux Documentation Project</A>
- or LDP.</P>
-<UL>
-<LI><A href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</A>
- guide to Linux information sources</LI>
-<LI>The LDP's HowTo documents are a standard Linux reference. See this<A href="http://www.linuxdoc.org/docs.html#howto">
- list</A>. Documents there most relevant to a FreeS/WAN gateway are:
-<UL>
-<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel
- HOWTO</A></LI>
-<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">
-Networking Overview HOWTO</A></LI>
-<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
-Security HOWTO</A></LI>
-</UL>
-</LI>
-<LI>The LDP do a series of Guides, book-sized publications with more
- detail (and often more &quot;why do it this way?&quot;) than the HowTos. See this<A
-href="http://www.linuxdoc.org/guides.html"> list</A>. Documents there
- most relevant to a FreeS/WAN gateway are:
-<UL>
-<LI><A href="http://www.tml.hut.fi/~viu/linux/sag/">System
- Administrator's Guide</A></LI>
-<LI><A href="http://www.linuxdoc.org/LDP/nag2/index.html">Network
- Adminstrator's Guide</A></LI>
-<LI><A href="http://www.seifried.org/lasg/">Linux Administrator's
- Security Guide</A></LI>
-</UL>
-</LI>
-</UL>
-<P>You may not need to go to the LDP to get this material. Most Linux
- distributions include the HowTos on their CDs and several include the
- Guides as well. Also, most of the Guides and some collections of HowTos
- are available in book form from various publishers.</P>
-<P>Much of the LDP material is also available in languages other than
- English. See this<A href="http://www.linuxdoc.org/links/nenglish.html">
- LDP page</A>.</P>
-<H3><A name="advroute.web">Advanced routing</A></H3>
-<P>The Linux IP stack has some new features in 2.4 kernels. Some HowTos
- have been written:</P>
-<UL>
-<LI>several HowTos for the<A href="http://netfilter.samba.org/unreliable-guides/">
- netfilter</A> firewall code in newer kernels</LI>
-<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">
-2.4 networking</A> HowTo</LI>
-<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">
-2.4 routing</A> HowTo</LI>
-</UL>
-<H3><A name="linsec">Security for Linux</A></H3>
-<P>See also the<A href="#docs.ldp"> LDP material</A> above.</P>
-<UL>
-<LI><A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
-Trinity OS guide to setting up Linux</A></LI>
-<LI><A href="http://www.deter.com/unix">Unix security</A> page</LI>
-<LI><A href="http://linux01.gwdg.de/~alatham/">PPDD</A> encrypting
- filesystem</LI>
-<LI><A href="http://EncryptionHOWTO.sourceforge.net/">Linux Encryption
- HowTo</A> (outdated when last checked, had an Oct 2000 revision date in
- March 2002)</LI>
-</UL>
-<H3><A name="firewall.linux">Linux firewalls</A></H3>
-<P>Our<A href="firewall.html"> FreeS/WAN and firewalls</A> document
- includes links to several sets of<A href="firewall.html#examplefw">
- scripts</A> known to work with FreeS/WAN.</P>
-<P>Other information sources:</P>
-<UL>
-<LI><A href="http://ipmasq.cjb.net/">IP Masquerade resource page</A></LI>
-<LI><A href="http://netfilter.samba.org/unreliable-guides/">netfilter</A>
- firewall code in 2.4 kernels</LI>
-<LI>Our list of general<A href="#firewall.web"> firewall references</A>
- on the web</LI>
-<LI><A href="http://users.dhp.com/~whisper/mason/">Mason</A>, a tool for
- automatically configuring Linux firewalls</LI>
-<LI>the web cache software<A href="http://www.squid-cache.org/"> squid</A>
- and<A href="http://www.squidguard.org/"> squidguard</A> which turns
- Squid into a filtering web proxy</LI>
-</UL>
-<H3><A name="linux.misc">Miscellaneous Linux information</A></H3>
-<UL>
-<LI><A href="http://lwn.net/current/dists.php3">Linux distribution
- vendors</A></LI>
-<LI><A href="http://www.linux.org/groups/">Linux User Groups</A></LI>
-</UL>
-<H2><A name="crypto.link">Crypto and security links</A></H2>
-<H3><A name="security">Crypto and security resources</A></H3>
-<H4><A name="std.links">The standard link collections</A></H4>
-<P>Two enormous collections of links, each the standard reference in its
- area:</P>
-<DL>
-<DT>Gene Spafford's<A href="http://www.cerias.purdue.edu/coast/hotlist/">
- COAST hotlist</A></DT>
-<DD>Computer and network security.</DD>
-<DT>Peter Gutmann's<A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">
- Encryption and Security-related Resources</A></DT>
-<DD>Cryptography.</DD>
-</DL>
-<H4><A name="FAQ">Frequently Asked Question (FAQ) documents</A></H4>
-<UL>
-<LI><A href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography
- FAQ</A></LI>
-<LI><A href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</A></LI>
-<LI><A href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix
- Programming FAQ</A></LI>
-<LI>FAQs for specific programs are listed in the<A href="#tools"> tools</A>
- section below.</LI>
-</UL>
-<H4><A name="cryptover">Tutorials</A></H4>
-<UL>
-<LI>Gary Kessler's<A href="http://www.garykessler.net/library/crypto.html">
- Overview of Cryptography</A></LI>
-<LI>Terry Ritter's<A href="http://www.ciphersbyritter.com/LEARNING.HTM">
- introduction</A></LI>
-<LI>Peter Gutman's<A href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">
- cryptography</A> tutorial (500 slides in PDF format)</LI>
-<LI>Amir Herzberg of IBM's sildes for his course<A href="http://www.hrl.il.ibm.com/mpay/course.html">
- Introduction to Cryptography and Electronic Commerce</A></LI>
-<LI>the<A href="http://www.gnupg.org/gph/en/manual/c173.html"> concepts
- section</A> of the<A href="glossary.html#GPG"> GNU Privacy Guard</A>
- documentation</LI>
-<LI>Bruce Schneier's self-study<A href="http://www.counterpane.com/self-study.html">
- cryptanalysis</A> course</LI>
-</UL>
-<P>See also the<A href="#interesting"> interesting papers</A> section
- below.</P>
-<H4><A name="standards">Crypto and security standards</A></H4>
-<UL>
-<LI><A href="http://csrc.nist.gov/cc">Common Criteria</A>, new
- international computer and network security standards to replace the
- &quot;Rainbow&quot; series</LI>
-<LI>AES<A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
- Advanced Encryption Standard</A> which will replace DES</LI>
-<LI><A href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public key
- standard</A></LI>
-<LI>our collection of links for the<A href="#ipsec.link"> IPsec</A>
- standards</LI>
-<LI>history of<A href="http://www.visi.com/crypto/evalhist/index.html">
- formal evaluation</A> of security policies and implementation</LI>
-</UL>
-<H4><A name="quotes">Crypto quotes</A></H4>
-<P>There are several collections of cryptographic quotes on the net:</P>
-<UL>
-<LI><A href="http://www.eff.org/pub/EFF/quotes.eff">the EFF</A></LI>
-<LI><A href="http://www.samsimpson.com/cquotes.php">Sam Simpson</A></LI>
-<LI><A href="http://www.amk.ca/quotations/cryptography/page-1.html">AM
- Kutchling</A></LI>
-</UL>
-<H3><A name="policy">Cryptography law and policy</A></H3>
-<H4><A name="legal">Surveys of crypto law</A></H4>
-<UL>
-<LI>International survey of<A href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm">
- crypto law</A>.</LI>
-<LI>International survey of<A href="http://rechten.kub.nl/simone/ds-lawsu.htm">
- digital signature law</A></LI>
-</UL>
-<H4><A name="oppose">Organisations opposing crypto restrictions</A></H4>
-<UL>
-<LI>The<A href="glossary.html#EFF"> EFF</A>'s archives on<A href="http://www.eff.org/pub/Privacy/">
- privacy</A> and<A href="http://www.eff.org/pub/Privacy/ITAR_export/">
- export control</A>.</LI>
-<LI><A href="http://www.gilc.org">Global Internet Liberty Campaign</A></LI>
-<LI><A href="http://www.cdt.org/crypto">Center for Democracy and
- Technology</A></LI>
-<LI><A href="http://www.privacyinternational.org/">Privacy International</A>
-, who give out<A href="http://www.bigbrotherawards.org/"> Big Brother
- Awards</A> to snoopy organisations</LI>
-</UL>
-<H4><A name="other.policy">Other information on crypto policy</A></H4>
-<UL>
-<LI><A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">RFC 1984</A>, the<A href="glossary.html#IAB">
- IAB</A> and<A href="glossary.html#IESG"> IESG</A> Statement on
- Cryptographic Technology and the Internet.</LI>
-<LI>John Young's collection of<A href="http://cryptome.org/"> documents</A>
- of interest to the cryptography, open government and privacy movements,
- organized chronologically</LI>
-<LI>AT&amp;T researcher Matt Blaze's Encryption, Privacy and Security<A href="http://www.crypto.com">
- Resource Page</A></LI>
-<LI>A good<A href="http://cryptome.org/crypto97-ne.htm"> overview</A> of
- the issues from Australia.</LI>
-</UL>
-<P>See also our documentation section on the<A href="politics.html">
- history and politics</A> of cryptography.</P>
-<H3><A name="crypto.tech">Cryptography technical information</A></H3>
-<H4><A name="cryptolinks">Collections of crypto links</A></H4>
-<UL>
-<LI><A href="http://www.counterpane.com/hotlist.html">Counterpane</A></LI>
-<LI><A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter
- Gutman's links</A></LI>
-<LI><A href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI links</A>
-</LI>
-<LI><A href="http://crypto.yashy.com/www/">Robert Guerra's links</A></LI>
-</UL>
-<H4><A name="papers">Lists of online cryptography papers</A></H4>
-<UL>
-<LI><A href="http://www.counterpane.com/biblio">Counterpane</A></LI>
-<LI><A href="http://www.cryptography.com/resources/papers">
-cryptography.com</A></LI>
-<LI><A href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</A></LI>
-</UL>
-<H4><A name="interesting">Particularly interesting papers</A></H4>
-<P>These papers emphasize important issues around the use of
- cryptography, and the design and management of secure systems.</P>
-<UL>
-<LI><A href="http://www.counterpane.com/keylength.html">Key length
- requirements for security</A></LI>
-<LI><A href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why
- Cryptosystems Fail</A></LI>
-<LI><A href="http://www.cdt.org/crypto/risks98/">Risks of escrowed
- encryption</A></LI>
-<LI><A href="http://www.counterpane.com/pitfalls.html">Security pitfalls
- in cryptography</A></LI>
-<LI><A href="http://www.acm.org/classics/sep95">Reflections on Trusting
- Trust</A>, Ken Thompson on Trojan horse design</LI>
-<LI><A href="http://www.apache-ssl.org/disclosure.pdf">Security against
- Compelled Disclosure</A>, how to maintain privacy in the face of legal
- or other coersion</LI>
-</UL>
-<H3><A name="compsec">Computer and network security</A></H3>
-<H4><A name="seclink">Security links</A></H4>
-<UL>
-<LI><A href="http://www.cs.purdue.edu/coast/hotlist">COAST Hotlist</A></LI>
-<LI>DMOZ open directory project<A href="http://dmoz.org/Computers/Security/">
- computer security</A> links</LI>
-<LI><A href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet Yee</A></LI>
-<LI>Mike Fuhr's<A href="http://www.fuhr.org/~mfuhr/computers/security.html">
- link collection</A></LI>
-<LI><A href="http://www.networkintrusion.co.uk/">links</A> with an
- emphasis on intrusion detection</LI>
-</UL>
-<H4><A name="firewall.web">Firewall links</A></H4>
-<UL>
-<LI><A href="http://www.cs.purdue.edu/coast/firewalls">COAST firewalls</A>
-</LI>
-<LI><A href="http://www.zeuros.co.uk">Firewalls Resource page</A></LI>
-</UL>
-<H4><A name="vpn">VPN links</A></H4>
-<UL>
-<LI><A href="http://www.vpnc.org">VPN Consortium</A></LI>
-<LI>First VPN's<A href="http://www.firstvpn.com/research/rhome.html">
- white paper</A> collection</LI>
-</UL>
-<H4><A name="tools">Security tools</A></H4>
-<UL>
-<LI>PGP -- mail encryption
-<UL>
-<LI><A href="http://www.pgp.com/">PGP Inc.</A> (part of NAI) for
- commercial versions</LI>
-<LI><A href="http://web.mit.edu/network/pgp.html">MIT</A> distributes
- the NAI product for non-commercial use</LI>
-<LI><A href="http://www.pgpi.org/">international</A> distribution site</LI>
-<LI><A href="http://gnupg.org">GNU Privacy Guard (GPG)</A></LI>
-<LI><A href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</A></LI>
-</UL>
- A message in our mailing list archive has considerable detail on<A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">
- available versions</A> of PGP and on IPsec support in them.
-<P><STRONG>Note:</STRONG> A fairly nasty bug exists in all commercial
- PGP versions from 5.5 through 6.5.3. If you have one of those,<STRONG>
- upgrade now</STRONG>.</P>
-</LI>
-<LI>SSH -- secure remote login
-<UL>
-<LI><A href="http://www.ssh.fi">SSH Communications Security</A>, for the
- original software. It is free for trial, academic and non-commercial
- use.</LI>
-<LI><A href="http://www.openssh.com/">Open SSH</A>, the Open BSD team's
- free replacement</LI>
-<LI><A href="http://www.freessh.org/">freessh.org</A>, links to free
- implementations for many systems</LI>
-<LI><A href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH FAQ</A></LI>
-<LI><A href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">Putty</A>
-, an SSH client for Windows</LI>
-</UL>
-</LI>
-<LI>Tripwire saves message digests of your system files. Re-calculate
- the digests and compare to saved values to detect any file changes.
- There are several versions available:
-<UL>
-<LI><A href="http://www.tripwiresecurity.com/">commercial version</A></LI>
-<LI><A href="http://www.tripwire.org/">Open Source</A></LI>
-</UL>
-</LI>
-<LI><A href="http://www.snort.org">Snort</A> and<A href="http://www.lids.org">
- LIDS</A> are intrusion detection system for Linux</LI>
-<LI><A href="http://www.fish.com/~zen/satan/satan.html">SATAN</A> System
- Administrators Tool for Analysing Networks</LI>
-<LI><A href="http://www.insecure.org/nmap/">NMAP</A> Network Mapper</LI>
-<LI><A href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse
- Venema's page</A> with various tools</LI>
-<LI><A href="http://ita.ee.lbl.gov/index.html">Internet Traffic Archive</A>
-, various tools to analyze network traffic, mostly scripts to organise
- and format tcpdump(8) output for specific purposes</LI>
-<LI><A name="ssmail">ssmail -- sendmail patched to do</A><A href="glossary.html#carpediem">
- opportunistic encryption</A>
-<UL>
-<LI><A href="http://www.home.aone.net.au/qualcomm/">web page</A> with
- links to code and to a Usenix paper describing it, in PDF</LI>
-</UL>
-</LI>
-<LI><A href="http://www.openca.org/">Open CA</A> project to develop a
- freely distributed<A href="glossary.html#CA"> Certification Authority</A>
- for building a open<A href="glossary.html#PKI"> Public Key
- Infrastructure</A>.</LI>
-</UL>
-<H3><A name="people">Links to home pages</A></H3>
-<P>David Wagner at Berkeley provides a set of links to<A href="http://www.cs.berkeley.edu/~daw/people/crypto.html">
- home pages</A> of cryptographers, cypherpunks and computer security
- people.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="mail.html">Previous</A>
-<A HREF="glossary.html">Next</A>
-</BODY>
-</HTML>
diff --git a/programs/pluto/Makefile b/programs/pluto/Makefile
index a11a755c0..d466d0209 100644
--- a/programs/pluto/Makefile
+++ b/programs/pluto/Makefile
@@ -12,7 +12,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: Makefile,v 1.47 2007/01/11 21:47:13 as Exp $
+# RCSID $Id: Makefile,v 1.49 2007/01/29 08:27:19 as Exp $
 
 # relative path to top directory of FreeS/WAN source
 # Note: referenced in ${FREESWANSRCDIR}/Makefile.inc
@@ -90,13 +90,6 @@ else
   BINNAMEADNSIFNEEDED=$(BINNAMEADNS)
 endif
 
-ifeq ($(USE_IPSECPOLICY),true)
-  IPSECPOLICY_FILES=rcv_info.c
-  IPSECPOLICY_DEFINES=-DIPSECPOLICY
-  IPSECPOLICY_LIBS=$(POLICYLIB)
-  IPSECPOLICY_OBJS=rcv_info.o
-endif
-
 ifeq ($(USE_KEYRR),true)
   KEYRR_DEFINES=-DUSE_KEYRR
 endif
@@ -130,7 +123,7 @@ DEFINES = $(EXTRA_DEFINES) \
 # libefence is a free memory allocation debugger
 # Solaris 2 needs -lsocket -lnsl
 LIBSPLUTO = $(OBJSGCRYPT) $(LIBDESLITE) $(FREESWANLIB) $(IPSECPOLICY_LIBS)
-LIBSPLUTO+= -lgmp -lresolv # -lefence
+LIBSPLUTO+= -lgmp -ldl -lresolv # -lefence
 
 
 ifeq ($(USE_VENDORID),true)
@@ -167,7 +160,6 @@ ifeq ($(USE_SMARTCARD),true)
   ifdef PKCS11_DEFAULT_LIB
     DEFINES+= -DPKCS11_DEFAULT_LIB=$(PKCS11_DEFAULT_LIB)
   endif
-  LIBSPLUTO+= -ldl
 endif
 
 # This compile option activates the leak detective
@@ -929,6 +921,7 @@ plutomain.o: ipsec_doi.h
 plutomain.o: ocsp.h
 plutomain.o: crl.h
 plutomain.o: fetch.h
+plutomain.o: xauth.h
 plutomain.o: sha1.h
 plutomain.o: md5.h
 plutomain.o: crypto.h
@@ -982,7 +975,6 @@ server.o: timer.h
 server.o: packet.h
 server.o: demux.h
 server.o: rcv_whack.h
-server.o: rcv_info.h
 server.o: keys.h
 server.o: adns.h
 server.o: dnskey.h
diff --git a/programs/pluto/constants.c b/programs/pluto/constants.c
index f4aa9d5d1..322de74ac 100644
--- a/programs/pluto/constants.c
+++ b/programs/pluto/constants.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: constants.c,v 1.23 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: constants.c,v 1.24 2007/01/21 08:35:47 as Exp $
  */
 
 /*
@@ -707,7 +707,7 @@ static const char *const xauth_type_name[] = {
 };
 
 enum_names xauth_type_names =
-  { XAUTH_TYPE_GENERIC, XAUTH_TYPE_SKEY, xauth_type_name, NULL};
+    { XAUTH_TYPE_GENERIC, XAUTH_TYPE_SKEY, xauth_type_name, NULL};
 
 /* From draft-beaulieu-ike-xauth */
 static const char *const xauth_attr_tv_name[] = {
@@ -725,6 +725,24 @@ enum_names xauth_attr_tv_names = {
     XAUTH_TYPE   + ISAKMP_ATTR_AF_TV,
     XAUTH_STATUS + ISAKMP_ATTR_AF_TV, xauth_attr_tv_name, NULL };
 
+static const char *const unity_attr_name[] = {
+	"UNITY_BANNER",
+	"UNITY_SAVE_PASSWD",
+	"UNITY_DEF_DOMAIN",
+	"UNITY_SPLITDNS_NAME",
+	"UNITY_SPLIT_INCLUDE",
+	"UNITY_NATT_PORT",
+	"UNITY_LOCAL_LAN",
+	"UNITY_PFS",
+	"UNITY_FW_TYPE",
+	"UNITY_BACKUP_SERVERS",
+	"UNITY_DDNS_HOSTNAME",
+};
+
+enum_names unity_attr_names =
+    { UNITY_BANNER , UNITY_DDNS_HOSTNAME, unity_attr_name , &xauth_attr_tv_names };
+
+
 static const char *const xauth_attr_name[] = {
 	"XAUTH_USER_NAME",
 	"XAUTH_USER_PASSWORD",
@@ -738,7 +756,7 @@ static const char *const xauth_attr_name[] = {
     };
 
 enum_names xauth_attr_names =
-    { XAUTH_USER_NAME , XAUTH_ANSWER, xauth_attr_name , &xauth_attr_tv_names };
+    { XAUTH_USER_NAME , XAUTH_ANSWER, xauth_attr_name , &unity_attr_names };
 
 static const char *const modecfg_attr_name[] = {
 	"INTERNAL_IP4_ADDRESS",
@@ -756,7 +774,6 @@ static const char *const modecfg_attr_name[] = {
 	"INTERNAL_IP4_SUBNET",
 	"SUPPORTED_ATTRIBUTES",
 	"INTERNAL_IP6_SUBNET",
-	NULL
     };
 
 enum_names modecfg_attr_names =
diff --git a/programs/pluto/constants.h b/programs/pluto/constants.h
index f18e93fed..cd0d6357d 100644
--- a/programs/pluto/constants.h
+++ b/programs/pluto/constants.h
@@ -1,3 +1,4 @@
+
 /* manifest constants
  * Copyright (C) 1997 Angelos D. Keromytis.
  * Copyright (C) 1998-2002  D. Hugh Redelmeier.
@@ -12,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: constants.h,v 1.23 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: constants.h,v 1.27 2007/01/29 08:27:53 as Exp $
  */
 
 #ifndef _CONSTANTS_H
@@ -551,8 +552,8 @@ enum state_kind {
 #define IS_ISAKMP_SA_ESTABLISHED(s) (        \
 		   (s) == STATE_MAIN_R3      \
 		|| (s) == STATE_MAIN_I4      \
-		|| (s) == STATE_XAUTH_R3     \
 		|| (s) == STATE_XAUTH_I2     \
+		|| (s) == STATE_XAUTH_R3     \
 		|| (s) == STATE_MODE_CFG_R1  \
 		|| (s) == STATE_MODE_CFG_I2  \
 		|| (s) == STATE_MODE_CFG_I3  \
@@ -661,9 +662,8 @@ extern enum_names attr_msg_type_names;
 #define    SUPPORTED_ATTRIBUTES       14
 #define    INTERNAL_IP6_SUBNET        15
 
-#define    MODECFG_ROOF               16
-
 extern enum_names modecfg_attr_names;
+
 /* XAUTH attribute values */
 #define    XAUTH_TYPE                16520
 #define    XAUTH_USER_NAME           16521
@@ -680,12 +680,33 @@ extern enum_names modecfg_attr_names;
 
 extern enum_names xauth_attr_names;
 
+/* ISAKMP mode config attributes specific to the Unity vendor Id */
+#define   UNITY_BANNER		    28672
+#define   UNITY_SAVE_PASSWD	    28673
+#define   UNITY_DEF_DOMAIN	    28674
+#define   UNITY_SPLITDNS_NAME	    28675
+#define   UNITY_SPLIT_INCLUDE	    28676
+#define   UNITY_NATT_PORT	    28677
+#define   UNITY_LOCAL_LAN	    28678
+#define   UNITY_PFS		    28679
+#define   UNITY_FW_TYPE		    28680
+#define   UNITY_BACKUP_SERVERS	    28681
+#define   UNITY_DDNS_HOSTNAME	    28682
+
+#define   UNITY_BASE                UNITY_BANNER
+
+extern enum_names unity_attr_names;
+
 /* XAUTH authentication types */
 #define XAUTH_TYPE_GENERIC 0
 #define XAUTH_TYPE_CHAP    1
 #define XAUTH_TYPE_OTP     2
 #define XAUTH_TYPE_SKEY    3
 
+/* Values for XAUTH_STATUS */
+#define	XAUTH_STATUS_FAIL       0
+#define	XAUTH_STATUS_OK         1
+
 extern enum_names xauth_type_names;
 
 /* Exchange types
diff --git a/programs/pluto/demux.c b/programs/pluto/demux.c
index 304d790e3..71aa771c7 100644
--- a/programs/pluto/demux.c
+++ b/programs/pluto/demux.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: demux.c,v 1.17 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: demux.c,v 1.18 2007/01/29 08:27:53 as Exp $
  */
 
 /* Ordering Constraints on Payloads
@@ -461,7 +461,7 @@ static const struct state_microcode state_microcode_table[] = {
     , EVENT_RETRANSMIT, xauth_inI0 },
 
     { STATE_XAUTH_R1, STATE_XAUTH_R2
-    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
+    , SMF_ALL_AUTH | SMF_ENCRYPTED
     , P(ATTR) | P(HASH), P(VID), PT(HASH)
     , EVENT_RETRANSMIT, xauth_inR1 },
 
@@ -1572,6 +1572,15 @@ process_packet(struct msg_digest **mdp)
 
 	    set_cur_state(st);
 
+	    /* the XAUTH_STATUS message might have a new msgid */
+	    if (st->st_state == STATE_XAUTH_I1)
+	    {
+		init_phase2_iv(st, &md->hdr.isa_msgid);
+		new_iv_set = TRUE;
+		from_state = st->st_state;
+		break;
+	    }
+
 	    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
 	    {
 		loglog(RC_LOG_SERIOUS, "ModeCfg message is unacceptable because"
diff --git a/programs/pluto/ike_alg.c b/programs/pluto/ike_alg.c
index 456ca3a96..508e4ed2a 100644
--- a/programs/pluto/ike_alg.c
+++ b/programs/pluto/ike_alg.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ike_alg.c,v 1.7 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: ike_alg.c,v 1.8 2007/01/15 07:48:01 as Exp $
  */
 
 #include <stdio.h>
@@ -231,11 +231,12 @@ ike_alg_db_new(struct alg_info_ike *ai , lset_t policy)
 {
     struct db_context *db_ctx = NULL;
     struct ike_info *ike_info;
-    u_int ealg, halg, modp, eklen = 0;
     struct encrypt_desc *enc_desc;
-    bool is_xauth_server;
+    u_int ealg, halg, modp, eklen = 0;
     int i;
 
+    bool is_xauth_server = (policy & POLICY_XAUTH_SERVER) != LEMPTY;
+
     if (!ai)
     {
 	whack_log(RC_LOG_SERIOUS, "no IKE algorithms "
@@ -305,8 +306,6 @@ ike_alg_db_new(struct alg_info_ike *ai , lset_t policy)
 	    db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
 	}
 
-	is_xauth_server = (policy & POLICY_XAUTH_SERVER) != LEMPTY;
-
 	if (policy & POLICY_XAUTH_RSASIG)
 	{
 	    db_trans_add(db_ctx, KEY_IKE);
diff --git a/programs/pluto/modecfg.c b/programs/pluto/modecfg.c
index 01bab8c6e..620c595fb 100644
--- a/programs/pluto/modecfg.c
+++ b/programs/pluto/modecfg.c
@@ -2,7 +2,7 @@
  * Copyright (C) 2001-2002 Colubris Networks
  * Copyright (C) 2003 Sean Mathews - Nu Tech Software Solutions, inc.
  * Copyright (C) 2003-2004 Xelerance Corporation
- * Copyright (C) 2006 Andreas Steffen - Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2006-2007 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: modecfg.c,v 1.10 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: modecfg.c,v 1.16 2007/01/29 08:27:54 as Exp $
  *
  * This code originally written by Colubris Networks, Inc.
  * Extraction of patch and porting to 1.99 codebases by Xelerance Corporation
@@ -43,12 +43,17 @@
 
 #define MAX_XAUTH_TRIES		3
 
-#define SUPPORTED_ATTR_SET   ( LELEM(INTERNAL_IP4_ADDRESS) \
-                             | LELEM(INTERNAL_IP4_NETMASK) \
-                             | LELEM(INTERNAL_IP4_DNS)     \
-                             | LELEM(INTERNAL_IP4_NBNS)    \
+#define SUPPORTED_ATTR_SET   ( LELEM(INTERNAL_IP4_ADDRESS)         \
+                             | LELEM(INTERNAL_IP4_NETMASK)         \
+                             | LELEM(INTERNAL_IP4_DNS)             \
+                             | LELEM(INTERNAL_IP4_NBNS)            \
+                             | LELEM(APPLICATION_VERSION)          \
                              )
 
+#define SUPPORTED_UNITY_ATTR_SET ( LELEM(UNITY_BANNER - UNITY_BASE) )
+
+#define UNITY_BANNER_STR    "Welcome to strongSwan - the Linux VPN Solution!\n"
+
 /*
  * Addresses assigned (usually via ModeCfg) to the Initiator
  */
@@ -57,12 +62,16 @@ typedef struct internal_addr internal_addr_t;
 struct internal_addr
 {
     lset_t attr_set;
+    lset_t xauth_attr_set;
+    lset_t unity_attr_set;
 
     /* ModeCfg variables */
     ip_address ipaddr;
     ip_address dns[2];
     ip_address wins[2];
 
+    char *unity_banner;
+
     /* XAUTH variables */
     u_int16_t  xauth_type;
     xauth_t    xauth_secret;
@@ -76,9 +85,13 @@ static void
 init_internal_addr(internal_addr_t *ia)
 {
     ia->attr_set = LEMPTY;
+    ia->xauth_attr_set = LEMPTY;
     ia->xauth_secret.user_name = empty_chunk;
     ia->xauth_secret.user_password = empty_chunk;
-    ia->xauth_status = FALSE;
+    ia->xauth_type = XAUTH_TYPE_GENERIC;
+    ia->xauth_status = XAUTH_STATUS_FAIL;
+    ia->unity_attr_set = LEMPTY;
+    ia->unity_banner = NULL;
 
     anyaddr(AF_INET, &ia->ipaddr);
     anyaddr(AF_INET, &ia->dns[0]);
@@ -93,8 +106,6 @@ init_internal_addr(internal_addr_t *ia)
 static void
 get_internal_addr(struct connection *c, internal_addr_t *ia)
 {
-    init_internal_addr(ia);
-
     if (isanyaddr(&c->spd.that.host_srcip))
     {
 	/* not defined in connection - fetch it from LDAP */
@@ -115,10 +126,10 @@ get_internal_addr(struct connection *c, internal_addr_t *ia)
 	c->spd.that.client.maskbits = 32;
 	c->spd.that.has_client      = TRUE;
 	
-	ia->attr_set |= LELEM(INTERNAL_IP4_ADDRESS) | LELEM(INTERNAL_IP4_NETMASK);
+	ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS)
+		     | LELEM(INTERNAL_IP4_NETMASK);
     }
 
-
     if (!isanyaddr(&ia->dns[0]))	/* We got DNS addresses, send them */
 	ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
 
@@ -210,6 +221,8 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
 	int attr_type;
 	int dns_idx, wins_idx;
 	bool dont_advance;
+	bool is_xauth_attr_set = ia->xauth_attr_set != LEMPTY;
+	bool is_unity_attr_set = ia->unity_attr_set != LEMPTY;
 	lset_t attr_set = ia->attr_set;
 
 	attrh.isama_np         = ISAKMP_NEXT_NONE;
@@ -223,9 +236,26 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
 	dns_idx = 0;
 	wins_idx = 0;
 
-	while (attr_set != 0)
+	while (attr_set != LEMPTY || is_xauth_attr_set || is_unity_attr_set)
 	{
+	    if (attr_set == LEMPTY)
+	    {
+		if (is_xauth_attr_set)
+	  	{
+		    attr_set = ia->xauth_attr_set;
+		    attr_type = XAUTH_BASE;
+		    is_xauth_attr_set = FALSE;
+		}
+		else
+		{
+		    attr_set = ia->unity_attr_set;
+		    attr_type = UNITY_BASE;
+		    is_unity_attr_set = FALSE;
+		}
+	    }
+	
 	    dont_advance = FALSE;
+
 	    if (attr_set & 1)
 	    {
 		const u_char *byte_ptr;
@@ -343,6 +373,14 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
 		    break;
 		case XAUTH_STATUS:
 		    break;
+		case UNITY_BANNER:
+		    if (ia->unity_banner != NULL)
+		    {
+			out_raw(ia->unity_banner
+			      , strlen(ia->unity_banner)
+			      , &attrval, "UNITY_BANNER");
+		    }
+		    break;
 		default:
 		    plog("attempt to send unsupported mode cfg attribute %s."
 			 , enum_show(&modecfg_attr_names, attr_type));
@@ -353,10 +391,6 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
 	    if (!dont_advance)
 	    {
 		attr_type++;
-		if (attr_type == MODECFG_ROOF)
-		{
-		    attr_type = XAUTH_BASE;
-		}
 		attr_set >>= 1;
 	    }
 	}
@@ -454,28 +488,81 @@ modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
 	    {
 		initaddr((char *)(strattr.cur), 4, AF_INET, &ia->ipaddr);
 	    }
-	    /* fall through to set attribute flags */
+	    /* fall through to set attribute flag */
 	case INTERNAL_IP4_NETMASK:
 	case INTERNAL_IP4_DNS:
 	case INTERNAL_IP4_SUBNET:
 	case INTERNAL_IP4_NBNS:
+	case INTERNAL_ADDRESS_EXPIRY:
+	case INTERNAL_IP4_DHCP:
+	case INTERNAL_IP6_ADDRESS:
+	case INTERNAL_IP6_NETMASK:
+	case INTERNAL_IP6_DNS:
+	case INTERNAL_IP6_NBNS:
+	case INTERNAL_IP6_DHCP:
+	case SUPPORTED_ATTRIBUTES:
+	case INTERNAL_IP6_SUBNET:
+	    ia->attr_set |= LELEM(attr_type);
+	    break;
+	case APPLICATION_VERSION:
+	    if (attr_len > 0)
+	    {
+		DBG(DBG_PARSING,
+		    DBG_log("   '%.*s'", attr_len, strattr.cur)
+		)
+	    }
 	    ia->attr_set |= LELEM(attr_type);
 	    break;
 	case XAUTH_TYPE:
 	    ia->xauth_type = attr.isaat_lv;
-	    ia->attr_set |= LELEM(attr_type - XAUTH_BASE + MODECFG_ROOF);
+	    ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
 	    break;
 	case XAUTH_USER_NAME:
 	    setchunk(ia->xauth_secret.user_name, strattr.cur, attr_len);
-	    ia->attr_set |= LELEM(attr_type - XAUTH_BASE + MODECFG_ROOF);
+	    ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
 	    break;
 	case XAUTH_USER_PASSWORD:
 	    setchunk(ia->xauth_secret.user_password, strattr.cur, attr_len);
-	    ia->attr_set |= LELEM(attr_type - XAUTH_BASE + MODECFG_ROOF);
+	    ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
 	    break;
 	case XAUTH_STATUS:
 	    ia->xauth_status = attr.isaat_lv;
-	    ia->attr_set |= LELEM(attr_type - XAUTH_BASE + MODECFG_ROOF);
+	    ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+	    break;
+	case XAUTH_MESSAGE:
+	    if (attr_len > 0)
+	    {
+		DBG(DBG_PARSING,
+		    DBG_log("   '%.*s'", attr_len, strattr.cur)
+		)
+	    }
+	    /* fall through to set attribute flag */
+	case XAUTH_PASSCODE:
+	case XAUTH_CHALLENGE:
+	case XAUTH_DOMAIN:
+	case XAUTH_NEXT_PIN:
+	case XAUTH_ANSWER:
+	    ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+	    break;
+	case UNITY_DDNS_HOSTNAME:
+	    if (attr_len > 0)
+	    {
+		DBG(DBG_PARSING,
+		    DBG_log("   '%.*s'", attr_len, strattr.cur)
+		)
+	    }
+	    /* fall through to set attribute flag */
+	case UNITY_BANNER:
+	case UNITY_SAVE_PASSWD:
+	case UNITY_DEF_DOMAIN:
+	case UNITY_SPLITDNS_NAME:
+	case UNITY_SPLIT_INCLUDE:
+	case UNITY_NATT_PORT:
+	case UNITY_LOCAL_LAN:
+	case UNITY_PFS:
+	case UNITY_FW_TYPE:
+	case UNITY_BACKUP_SERVERS:
+	    ia->unity_attr_set |= LELEM(attr_type - UNITY_BASE);
 	    break;
 	default:
 	    plog("unsupported ModeCfg attribute %s received."
@@ -547,6 +634,7 @@ modecfg_send_request(struct state *st)
     internal_addr_t ia;
 
     init_internal_addr(&ia);
+
     ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS)
 	        | LELEM(INTERNAL_IP4_NETMASK);
 
@@ -569,14 +657,24 @@ modecfg_inR0(struct msg_digest *md)
     struct state *const st = md->st;
     u_int16_t isama_id;
     internal_addr_t ia;
+    bool want_unity_banner;
     stf_status stat, stat_build;
 
     stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
     if (stat != STF_OK)
 	return stat;
- 
+
+    want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY;
+
+    init_internal_addr(&ia);
     get_internal_addr(st->st_connection, &ia);
 
+    if (want_unity_banner)
+    {
+	ia.unity_banner = UNITY_BANNER_STR;
+	ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
+    }
+
     plog("sending ModeCfg reply");
 
     stat_build = modecfg_build_msg(st, &md->rbody
@@ -624,9 +722,15 @@ modecfg_send_set(struct state *st)
     stf_status stat;
     internal_addr_t ia;
 
+    init_internal_addr(&ia);
     get_internal_addr(st->st_connection, &ia);
 
-    plog("sending ModeCfg set");
+#ifdef CISCO_QUIRKS
+    ia.unity_banner = UNITY_BANNER_STR;
+    ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
+#endif
+
+   plog("sending ModeCfg set");
     st->st_state = STATE_MODE_CFG_R3;
     stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
     if (stat == STF_OK)
@@ -645,7 +749,7 @@ modecfg_inI0(struct msg_digest *md)
     struct state *const st = md->st;
     u_int16_t isama_id;
     internal_addr_t ia;
-    lset_t attr_set;
+    lset_t attr_set, unity_attr_set;
     stf_status stat, stat_build;
 
     plog("parsing ModeCfg set");
@@ -658,8 +762,10 @@ modecfg_inI0(struct msg_digest *md)
 
     /* prepare ModeCfg ack which sends zero length attributes */
     attr_set = ia.attr_set;
+    unity_attr_set = ia.unity_attr_set;
     init_internal_addr(&ia);
     ia.attr_set = attr_set & SUPPORTED_ATTR_SET;
+    ia.unity_attr_set = unity_attr_set & SUPPORTED_UNITY_ATTR_SET;
 
     plog("sending ModeCfg ack");
 
@@ -707,8 +813,8 @@ xauth_send_request(struct state *st)
     internal_addr_t ia;
 
     init_internal_addr(&ia);
-    ia.attr_set = LELEM(XAUTH_USER_NAME     - XAUTH_BASE + MODECFG_ROOF)
-	        | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF);
+    ia.xauth_attr_set = LELEM(XAUTH_USER_NAME     - XAUTH_BASE)
+		      | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
 
     plog("sending XAUTH request");
     st->st_state = STATE_XAUTH_R1;
@@ -730,6 +836,7 @@ xauth_inI0(struct msg_digest *md)
     u_int16_t isama_id;
     internal_addr_t ia;
     stf_status stat, stat_build;
+    bool xauth_type_present;
 
     plog("parsing XAUTH request");
 
@@ -738,18 +845,19 @@ xauth_inI0(struct msg_digest *md)
 	return stat;
  
     /* check XAUTH attributes */
-    if ((ia.attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE + MODECFG_ROOF)) != LEMPTY
-    && ia.xauth_type != XAUTH_TYPE_GENERIC)
+    xauth_type_present = (ia.xauth_attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE)) != LEMPTY;
+
+    if (xauth_type_present && ia.xauth_type != XAUTH_TYPE_GENERIC)
     {
 	plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type));
 	stat = STF_FAIL;
     }
-    else if ((ia.attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
+    else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
     {
 	plog("user name attribute is missing in XAUTH request");
 	stat = STF_FAIL;
     }
-    else if ((ia.attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
+    else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
     {
 	plog("user password attribute is missing in XAUTH request");
 	stat = STF_FAIL;
@@ -779,13 +887,15 @@ xauth_inI0(struct msg_digest *md)
 		   , ia.xauth_secret.user_password.len
 		   , ia.xauth_secret.user_password.ptr)
 	)
-	ia.attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)
-		    | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF);
+	ia.xauth_attr_set = LELEM(XAUTH_USER_NAME     - XAUTH_BASE)
+		 	  | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
+        if (xauth_type_present)
+	    ia.xauth_attr_set |= LELEM(XAUTH_TYPE - XAUTH_BASE);
     }
     else
     {
-	ia.attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE + MODECFG_ROOF);
-	ia.xauth_status = FALSE;
+	ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
+	ia.xauth_status = XAUTH_STATUS_FAIL;
     }
 
     plog("sending XAUTH reply");
@@ -800,6 +910,7 @@ xauth_inI0(struct msg_digest *md)
     if (stat == STF_OK)
     {
 	st->st_xauth.started = TRUE;
+	st->st_msgid = 0;
 	return STF_OK;
     }
     else
@@ -834,7 +945,7 @@ xauth_inR1(struct msg_digest *md)
 	return stat;
  
     /* did the client return an XAUTH FAIL status? */
-    if ((ia.attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE + MODECFG_ROOF)) != LEMPTY)
+    if ((ia.xauth_attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE)) != LEMPTY)
     {
 	plog("received FAIL status in XAUTH reply");
 
@@ -844,12 +955,12 @@ xauth_inR1(struct msg_digest *md)
     }
 
     /* check XAUTH reply */
-    if ((ia.attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
+    if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
     {
 	plog("user name attribute is missing in XAUTH reply");
 	st->st_xauth.status = FALSE;
     }
-    else if ((ia.attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
+    else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
     {
 	plog("user password attribute is missing in XAUTH reply");
 	st->st_xauth.status = FALSE;
@@ -873,16 +984,13 @@ xauth_inR1(struct msg_digest *md)
 
     /* prepare XAUTH set which sends the authentication status */
     init_internal_addr(&ia);
-    ia.attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE + MODECFG_ROOF);
-    ia.xauth_status = st->st_xauth.status;
+    ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
+    ia.xauth_status = (st->st_xauth.status)? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL;
 
     plog("sending XAUTH status:");
 
-    stat_build = modecfg_build_msg(st, &md->rbody
-			 	     , ISAKMP_CFG_SET
-			 	     , &ia
-			 	     , isama_id);
-     if (stat_build != STF_OK)
+    stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
+    if (stat_build != STF_OK)
 	return stat_build;
     return STF_OK;
 }
diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
index 613f8d50f..d7e9d8a2c 100644
--- a/programs/pluto/plutomain.c
+++ b/programs/pluto/plutomain.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: plutomain.c,v 1.18 2007/01/14 10:11:56 as Exp $
+ * RCSID $Id: plutomain.c,v 1.19 2007/01/29 08:27:19 as Exp $
  */
 
 #include <stdio.h>
@@ -531,19 +531,6 @@ main(int argc, char **argv)
 	}
     }
 
-#ifdef IPSECPOLICY
-    /* create info socket. */
-    {
-	err_t ugh = init_info_socket();
-
-	if (ugh != NULL)
-	{
-	    fprintf(stderr, "pluto: %s", ugh);
-	    exit_pluto(1);
-	}
-    }
-#endif
-
     /* If not suppressed, do daemon fork */
 
     if (fork_desired)
@@ -595,12 +582,10 @@ main(int argc, char **argv)
 	int i;
 
 	for (i = getdtablesize() - 1; i >= 0; i--)  /* Bad hack */
-	    if ((!log_to_stderr || i != 2)
-#ifdef IPSECPOLICY
-	    && i != info_fd
-#endif
-	    && i != ctl_fd)
+	{
+	    if ((!log_to_stderr || i != 2) && i != ctl_fd)
 		close(i);
+	}
 
 	/* make sure that stdin, stdout, stderr are reserved */
 	if (open("/dev/null", O_RDONLY) != 0)
diff --git a/programs/pluto/rcv_info.c b/programs/pluto/rcv_info.c
deleted file mode 100644
index 1f6127830..000000000
--- a/programs/pluto/rcv_info.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/* info/policy communicating routines
- * Copyright (C) 2003       Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: rcv_info.c,v 1.2 2004/04/01 18:44:38 as Exp $
- */
-
-#include <stdio.h>
-#include <stddef.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <arpa/nameser.h>	/* missing from <resolv.h> on old systems */
-#include <sys/queue.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "id.h"
-#include "connections.h"
-#include "foodgroups.h"
-#include "whack.h"	/* needs connections.h */
-#include "packet.h"
-#include "demux.h"	/* needs packet.h */
-#include "state.h"
-#include "ipsec_doi.h"	/* needs demux.h and state.h */
-#include "kernel.h"
-#include "rcv_whack.h"
-#include "log.h"
-#include "keys.h"
-#include "adns.h"	/* needs <resolv.h> */
-#include "dnskey.h"	/* needs keys.h and adns.h */
-#include "server.h"
-
-#include "freeswan/ipsec_policy.h"
-#include "rcv_info.h"
-
-/* global */
-int info_fd = -1;
-
-static void
-info_lookuphostpair(struct ipsec_policy_cmd_query *ipcq)
-{
-    struct connection *c;
-    struct state *p1st, *p2st;
-
-
-    /* default result: no crypto */
-    ipcq->strength  = IPSEC_PRIVACY_NONE;
-    ipcq->bandwidth = IPSEC_QOS_WIRESPEED;
-    ipcq->credential_count = 0;
-
-#ifdef DEBUG
-    {
-	char sstr[ADDRTOT_BUF], dstr[ADDRTOT_BUF];
-
-	addrtot(&ipcq->query_local,  0, sstr, sizeof(sstr));
-	addrtot(&ipcq->query_remote, 0, dstr, sizeof(dstr));
-	DBG_log("info request for %s -> %s", sstr, dstr);
-    }
-#endif
-
-    /* okay, look up what connection handles this ip pair */
-
-    c = find_connection_for_clients(NULL,
-				    &ipcq->query_local,
-				    &ipcq->query_remote);
-    if (c == NULL)
-    {
-	/* try reversing it */
-	c = find_connection_for_clients(NULL,
-					&ipcq->query_remote,
-					&ipcq->query_local);
-	if (c != NULL)
-	{
-	    ip_address tmp;
-	    tmp = ipcq->query_local;
-	    ipcq->query_local = ipcq->query_remote;
-	    ipcq->query_remote = tmp;
-	}
-    }
-    
-    if (c == NULL)
-    {
-#ifdef DEBUG
-	DBG_log("no connection found");
-#endif
-	return;	/* no crypto */
-    }
-
-    if (c->newest_ipsec_sa == SOS_NOBODY)
-    {
-	ip_subnet us, them;
-
-	DBG_log("connection %s found, no ipsec state, looking again", c->name);
-	addrtosubnet(&ipcq->query_local, &us);
-	addrtosubnet(&ipcq->query_remote, &them);
-	c = find_client_connection(c, &us, &them);
-
-	if (c == NULL)
-	    return;	/* no crypto */
-    }
-
-    DBG_log("connection %s[%ld] with state %u"
-	, c->name, c->instance_serial
-	, (unsigned int)c->newest_ipsec_sa);
-
-    if (c->newest_ipsec_sa == SOS_NOBODY)
-	return;	/* no crypto */
-
-    /* we found a connection, try to lookup the state */
-    p2st = state_with_serialno(c->newest_ipsec_sa);
-
-    p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
-
-    if (p1st == NULL || p2st == NULL)
-    {
-	DBG_log("connection %s[%ld] has missing states %s %s"
-	    , c->name, c->instance_serial
-	    , (p1st ? "phase1" : "")
-	    , (p2st ? "phase1" : ""));
-	return;	/* no crypto */
-    }
-
-    /* if we have AH present, then record minimal info */
-    if (p2st->st_ah.present)
-    {
-	ipcq->strength = IPSEC_PRIVACY_INTEGRAL;
-	ipcq->auth_detail = p2st->st_esp.attrs.auth;
-    }
-
-    if (p2st->st_esp.present)
-    {
-	/*
-	 * XXX-mcr Please do not shout at me about relative strengths
-	 *         here. I'm not a cryptographer. I just diddle bits.
-	 */
-	switch (p2st->st_esp.attrs.transid)
-	{
-	case ESP_NULL:
-	    /* actually, do not change it if we set it from AH */
-	    break;
-
-	case ESP_DES:
-	case ESP_DES_IV64:
-	case ESP_DES_IV32:
-	case ESP_RC4:
-	    ipcq->strength = IPSEC_PRIVACY_ROT13;
-	    break;
-	    
-	case ESP_RC5:
-	case ESP_IDEA:
-	case ESP_CAST:
-	case ESP_BLOWFISH:
-	case ESP_3DES:
-	    ipcq->strength = IPSEC_PRIVACY_PRIVATE;
-	    ipcq->bandwidth = IPSEC_QOS_VOIP;
-	    break;
-
-	case ESP_3IDEA:
-	    ipcq->strength = IPSEC_PRIVACY_STRONG;
-	    ipcq->bandwidth = IPSEC_QOS_INTERACTIVE;
-	    break;
-
-	case ESP_AES:
-	    ipcq->strength = IPSEC_PRIVACY_STRONG;
-	    ipcq->bandwidth = IPSEC_QOS_FTP;
-	    break;
-	}
-	ipcq->esp_detail = p2st->st_esp.attrs.transid;
-    }
-
-    if (p2st->st_ipcomp.present)
-	ipcq->comp_detail = p2st->st_esp.attrs.transid;
-
-    /* now! the credentails that were used */
-    /* for the moment we only have 1 credential, the DNS name,
-     * because the DNS servers do not return the chain of SIGs yet
-     */
-
-    if(!c->spd.this.key_from_DNS_on_demand)
-    {
-	/* the key didn't come from the DNS in some way,
-	 * so it must have been loaded locally.
-	 */
-	ipcq->credential_count = 1;
-	ipcq->credentials[0].ii_type   = c->spd.this.id.kind;
-	ipcq->credentials[0].ii_format = CERT_RAW_RSA;
-    }
-	
-#if 0
-    switch (c->spd.id.kind)
-    {
-    case ID_IPV4_ADDR:
-    }
-    if (c->gw_info == NULL)
-    {
-	plog("rcv_info: connection %s had NULL gw_info.", c->name);
-	return
-    }
-#endif
-
-    ipcq->credential_count = 1;
-
-    /* pull credentials out of gw_info */
-    
-    switch (p1st->st_peer_pubkey->dns_auth_level)
-    {
-    case DAL_UNSIGNED:
-    case DAL_NOTSEC:
-	/* these seem to be the same for this purpose */
-	ipcq->credentials[0].ii_type   = p1st->st_peer_pubkey->id.kind;
-	ipcq->credentials[0].ii_type   = CERT_NONE;
-	idtoa(&p1st->st_peer_pubkey->id
-	    , ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn
-	    , sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn));
-	break;
-	
-    case DAL_SIGNED:
-	ipcq->credentials[0].ii_type   = p1st->st_peer_pubkey->id.kind;
-	ipcq->credentials[0].ii_format = CERT_DNS_SIGNED_KEY;
-	idtoa(&p1st->st_peer_pubkey->id
-	    , ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn
-	    , sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn));
-
-	if (p1st->st_peer_pubkey->dns_sig != NULL)
-	{
-	    strncat(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig
-		, p1st->st_peer_pubkey->dns_sig
-		, sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig));
-	}
-	break;
-
-    case DAL_LOCAL:
-	ipcq->credentials[0].ii_type   = p1st->st_peer_pubkey->id.kind;
-	ipcq->credentials[0].ii_format = CERT_RAW_RSA;
-	idtoa(&p1st->st_peer_pubkey->id
-	    , ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name
-	    , sizeof(ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name));
-	break;
-    }
-}
-
-/*
- * Handle an info/policy request. 
- *
- * For now, we close the socket after answering the request.
- *
- */
-void
-info_handle(int infoctlfd)
-{
-	struct sockaddr_un info_client_addr;
-	int info_addr_len = sizeof(info_client_addr);
-	/* Note: actual value in n should fit in int.  To print, cast to int. */
-	int infofd;
-	err_t err;
-	struct ipsec_policy_cmd_query ipcq;
-
-	infofd = accept(infoctlfd, (struct sockaddr *)&info_client_addr
-	    , &info_addr_len);
-
-	if (infofd < 0)
-	{
-	    log_errno((e, "accept() failed in info_handle()"));
-	    return;
-	}
-
-	err = ipsec_policy_readmsg(infofd, (unsigned char *)&ipcq, sizeof(ipcq));
-
-	if (err != NULL)
-	{
-	    log_errno((e, "readmsg said: %s", err));
-	    close(infofd);
-	    return;
-	}
-
-	switch (ipcq.head.ipm_msg_type)
-	{
-	case IPSEC_CMD_QUERY_HOSTPAIR:
-	    info_lookuphostpair(&ipcq);
-	    write(infofd, &ipcq, ipcq.head.ipm_msg_len);
-	    break;
-	    
-	default:
-	    plog("got unimplemented msg type: %d", ipcq.head.ipm_msg_type);
-	    break;
-	}
-
-	/* for now, close the socket */
-	close(infofd);
-}
diff --git a/programs/pluto/rcv_info.h b/programs/pluto/rcv_info.h
deleted file mode 100644
index b5eaef219..000000000
--- a/programs/pluto/rcv_info.h
+++ /dev/null
@@ -1,18 +0,0 @@
-/* whack communicating routines
- * Copyright (C) 2003               Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: rcv_info.h,v 1.1 2004/03/15 20:35:29 as Exp $
- */
-
-#include "freeswan/ipsec_policy.h"
-extern void info_handle(int infoctlfd);
diff --git a/programs/pluto/server.c b/programs/pluto/server.c
index 30251138e..17b70eba4 100644
--- a/programs/pluto/server.c
+++ b/programs/pluto/server.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: server.c,v 1.9 2005/09/09 14:15:35 as Exp $
+ * RCSID $Id: server.c,v 1.10 2007/01/29 08:27:19 as Exp $
  */
 
 #include <stdio.h>
@@ -54,7 +54,6 @@
 #include "packet.h"
 #include "demux.h"  /* needs packet.h */
 #include "rcv_whack.h"
-#include "rcv_info.h"
 #include "keys.h"
 #include "adns.h"	/* needs <resolv.h> */
 #include "dnskey.h"	/* needs keys.h and adns.h */
@@ -128,50 +127,6 @@ delete_ctl_socket(void)
     unlink(ctl_addr.sun_path);
 }
 
-#ifdef IPSECPOLICY
-/* Initialize the info socket.
- */
-err_t
-init_info_socket(void)
-{
-    err_t failed = NULL;
-
-    delete_info_socket();	/* preventative medicine */
-    info_fd = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (info_fd == -1)
-	failed = "create";
-    else if (fcntl(info_fd, F_SETFD, FD_CLOEXEC) == -1)
-	failed = "fcntl FD+CLOEXEC";
-    else if (setsockopt(info_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
-	failed = "setsockopt";
-    else
-    {
-	/* this socket should be openable by all proceses */
-	mode_t ou = umask(0);
-
-	if (bind(info_fd, (struct sockaddr *)&info_addr
-	, offsetof(struct sockaddr_un, sun_path) + strlen(info_addr.sun_path)) < 0)
-	    failed = "bind";
-	umask(ou);
-    }
-
-    /* 64 might be big enough, and the system may limit us anyway.
-     */
-    if (failed == NULL && listen(info_fd, 64) < 0)
-	failed = "listen() on";
-
-    return failed == NULL? NULL : builddiag("could not %s info socket: %d %s"
-	    , failed, errno, strerror(errno));
-}
-
-void
-delete_info_socket(void)
-{
-    unlink(info_addr.sun_path);
-}
-#endif /* IPSECPOLICY */
-
-
 bool listening = FALSE;	/* should we pay attention to IKE messages? */
 
 struct iface *interfaces = NULL;	/* public interfaces */
@@ -885,11 +840,6 @@ call_server(void)
 	    FD_ZERO(&readfds);
 	    FD_ZERO(&writefds);
 	    FD_SET(ctl_fd, &readfds);
-#ifdef IPSECPOLICY
-	    FD_SET(info_fd, &readfds);
-	    if (maxfd < info_fd)
-		maxfd = info_fd;
-#endif
 
 	    /* the only write file-descriptor of interest */
 	    if (adns_qfd != NULL_FD && unsent_ADNS_queries)
@@ -1039,19 +989,6 @@ call_server(void)
 		ndes--;
 	    }
 
-#ifdef IPSECPOLICY
-	    if (FD_ISSET(info_fd, &readfds))
-	    {
-		passert(ndes > 0);
-		DBG(DBG_CONTROL,
-		    DBG_log(BLANK_FORMAT);
-		    DBG_log("*received info message"));
-		info_handle(info_fd);
-		passert(GLOBALS_ARE_RESET());
-		ndes--;
-	    }
-#endif
-
 	    passert(ndes == 0);
 	}
     }
diff --git a/programs/pluto/vendor.c b/programs/pluto/vendor.c
index 3e2e0768a..4ca3adffc 100644
--- a/programs/pluto/vendor.c
+++ b/programs/pluto/vendor.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.c,v 1.43 2007/01/10 00:31:36 as Exp $
+ * RCSID $Id: vendor.c,v 1.45 2007/01/20 18:01:13 as Exp $
  */
 
 #include <stdlib.h>
@@ -208,8 +208,10 @@ static struct vid_struct _vid_tab[] = {
 	DEC_MD5_VID(STRONGSWAN_4_0_4, "strongSwan 4.0.4")
 	DEC_MD5_VID(STRONGSWAN_4_0_5, "strongSwan 4.0.5")
 	DEC_MD5_VID(STRONGSWAN_4_0_6, "strongSwan 4.0.6")
+	DEC_MD5_VID(STRONGSWAN_4_0_7, "strongSwan 4.0.7")
 
-	DEC_MD5_VID(STRONGSWAN,       "strongSwan 2.8.1")
+	DEC_MD5_VID(STRONGSWAN,       "strongSwan 2.8.2")
+	DEC_MD5_VID(STRONGSWAN_2_8_1, "strongSwan 2.8.1")
 	DEC_MD5_VID(STRONGSWAN_2_8_0, "strongSwan 2.8.0")
 	DEC_MD5_VID(STRONGSWAN_2_7_3, "strongSwan 2.7.3")
 	DEC_MD5_VID(STRONGSWAN_2_7_2, "strongSwan 2.7.2")
diff --git a/programs/pluto/vendor.h b/programs/pluto/vendor.h
index 060311b92..2649c5b2f 100644
--- a/programs/pluto/vendor.h
+++ b/programs/pluto/vendor.h
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.h,v 1.38 2007/01/10 00:31:36 as Exp $
+ * RCSID $Id: vendor.h,v 1.40 2007/01/20 18:01:13 as Exp $
  */
 
 #ifndef _VENDOR_H_
@@ -82,6 +82,7 @@ enum known_vendorid {
   VID_STRONGSWAN_2_7_2		= 61,
   VID_STRONGSWAN_2_7_3		= 62,
   VID_STRONGSWAN_2_8_0		= 63,
+  VID_STRONGSWAN_2_8_1		= 64,
 
   VID_STRONGSWAN_4_0_0		= 70,
   VID_STRONGSWAN_4_0_1		= 71,
@@ -90,6 +91,7 @@ enum known_vendorid {
   VID_STRONGSWAN_4_0_4		= 74,
   VID_STRONGSWAN_4_0_5		= 75,
   VID_STRONGSWAN_4_0_6		= 76,
+  VID_STRONGSWAN_4_0_7		= 77,
 
   /* 101 - 200 : NAT-Traversal */
   VID_NATT_STENBERG_01		=101,
diff --git a/programs/starter/starterwhack.c b/programs/starter/starterwhack.c
index b4bf2fb9d..cb3e02172 100644
--- a/programs/starter/starterwhack.c
+++ b/programs/starter/starterwhack.c
@@ -11,13 +11,13 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: starterwhack.c,v 1.19 2006/10/19 15:02:46 as Exp $
+ * RCSID $Id: starterwhack.c,v 1.20 2007/01/18 21:16:45 as Exp $
  */
 
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/un.h>
-#include <linux/stddef.h>
+#include <stddef.h>
 #include <unistd.h>
 #include <errno.h>
 
diff --git a/testing/INSTALL b/testing/INSTALL
index 033291aa5..8d0dc2a3b 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -71,7 +71,7 @@ are required for the strongSwan testing environment:
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-2.8.1.tar.gz
+      http://download.strongswan.org/strongswan-2.8.2.tar.gz
 
 
 3. Creating the environment
@@ -146,5 +146,5 @@ README document.
 
 -----------------------------------------------------------------------------
 
-This file is RCSID $Id: INSTALL,v 1.44 2007/01/14 12:17:50 as Exp $
+This file is RCSID $Id: INSTALL,v 1.45 2007/01/29 08:29:41 as Exp $
 
diff --git a/testing/hosts/winnetou/etc/conf.d/apache2 b/testing/hosts/winnetou/etc/conf.d/apache2
index 0c96fe77f..cfb80a7d9 100644
--- a/testing/hosts/winnetou/etc/conf.d/apache2
+++ b/testing/hosts/winnetou/etc/conf.d/apache2
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /root/strongswan/testing/hosts/winnetou/etc/conf.d/apache2,v 1.2 2006/01/06 12:21:21 as Exp $
+# $Header: /var/cvsroot/strongswan/testing/hosts/winnetou/etc/conf.d/apache2,v 1.2 2006/01/06 12:21:21 as Exp $
 
 # Config file for /etc/init.d/apache2
 
diff --git a/testing/hosts/winnetou/etc/init.d/slapd b/testing/hosts/winnetou/etc/init.d/slapd
index 6e3130e90..d4c070b33 100755
--- a/testing/hosts/winnetou/etc/init.d/slapd
+++ b/testing/hosts/winnetou/etc/init.d/slapd
@@ -1,7 +1,7 @@
 #!/sbin/runscript
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /root/strongswan/testing/hosts/winnetou/etc/init.d/slapd,v 1.2 2005/05/31 14:04:43 as Exp $
+# $Header: /var/cvsroot/strongswan/testing/hosts/winnetou/etc/init.d/slapd,v 1.2 2005/05/31 14:04:43 as Exp $
 
 depend() {
 	need net
diff --git a/testing/testing.conf b/testing/testing.conf
index d59333cba..3d1228503 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -14,7 +14,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: testing.conf,v 1.58 2007/01/14 12:18:31 as Exp $
+# RCSID $Id: testing.conf,v 1.59 2007/01/29 08:29:41 as Exp $
 
 # Root directory of testing
 UMLTESTDIR=~/strongswan-testing
@@ -34,7 +34,7 @@ KERNELCONFIG=$UMLTESTDIR/.config-2.6.18
 UMLPATCH=$UMLTESTDIR/uml_jmpbuf-2.6.18.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-2.8.1.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-2.8.2.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"