diff options
Diffstat (limited to 'doc/2.6.known-issues')
| -rw-r--r-- | doc/2.6.known-issues | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/doc/2.6.known-issues b/doc/2.6.known-issues new file mode 100644 index 000000000..397c4f957 --- /dev/null +++ b/doc/2.6.known-issues @@ -0,0 +1,112 @@ +Known issues with FreeS/WAN on a 2.6 kernel Claudia Schmeing +------------------------------------------- + + +This is an overview of known issues with FreeS/WAN on the 2.6 kernel codebase +(also 2.5.x), which includes native Linux IPsec code. + +More information on the native IPsec code is available here: + + http://lartc.org/howto/lartc.ipsec.html + +Tools for use with that code are here: + + http://ipsec-tools.sourceforge.net/ + + +* As of FreeS/WAN 2.03, FreeS/WAN ships with some support for the 2.6 kernel + IPsec code. In 2.03, this support is preliminary, but we expect to develop + it fully. Many thanks to Herbert Xu for the initial code patches. + +* Use the most recent Linux FreeS/WAN 2.x release from ftp.xs4all.nl + to try our 2.6 kernel support. + +* The installation procedure for use with 2.6 kernel IPsec is a little + different from a traditional FreeS/WAN installation. Please see + the latest doc/install.html. + +* Please see the design and users' mailing lists + (http://www.freeswan.org/mail.html) for more detail and the latest reports. + + + +DESIGN-RELATED ISSUES + + +* In 2.6, IPsec policies are detached from routing decisions. Because of this + design, Opportunistic Encryption on the local LAN will be possible with 2.6. + + One side effect: When contacting a node on the local LAN which is protected + by gateway OE, you will get asymmetrical routing (one way through the gateway, + one way direct), and IPsec will drop the return packets. + + + +CURRENT ISSUES + + +* For the moment, users wishing to test FreeS/WAN with 2.6 will require + ipsec-tools' "setkey" program. Though FreeS/WAN's keying daemon, Pluto, + directly sets IPsec policy, setkey is currently required to reset kernel SPD + (Security Policy Database) states when Pluto restarts. We will likely add + this basic functionality to an upcoming FreeS/WAN release. + +* State information is not available to the user, eg. ipsec + eroute/ipsec spi/ipsec look do not work. The exception: ipsec auto --status + This will be fixed in a future release. + +* If you're running Opportunistic Encryption, connectivity to new hosts will + immediately fail. You may receive a message similar to this: + + connect: Resource temporarily unavailable + + The reason for this lies in the kernel code. Fairly complex discussion: + + http://lists.freeswan.org/archives/design/2003-September/msg00073.html + + As of 2.6.0-test6, this has not been fixed. + +* This initial connectivity failure has an unintended side effect on DNS queries. + This will result in a rekey failure for OE connections; a %pass will be + installed for your destination IP before a %pass is re-instituted to your + DNS server. As a workaround, please add your DNS servers to + /etc/ipsec.d/policies/clear. + +* Packets on all interfaces are considered for OE, including loopback. If you're + running a local nameserver, you'll still need to exempt localhost DNS traffic + as per the previous point. Since this traffic has a source of 127.0.0.1/32, + the "clear" policy group will not suffice; you'll need to add the following + %passthrough conn to ipsec.conf: + + conn exclude-lo + authby=never + left=127.0.0.1 + leftsubnet=127.0.0.0/8 + right=127.0.0.2 + rightsubnet=127.0.0.0/8 + type=passthrough + auto=route + + + +OLD ISSUES + + +None, yet. + + + +RELATED DOCUMENTS + + +FreeS/WAN Install web page doc/install.html + +FreeS/WAN Install guide INSTALL + +FreeS/WAN mailing list posts, including: + + http://lists.freeswan.org/archives/design/2003-September/msg00057.html + +To sign up for our mailing lists, see http://www.freeswan.org/mail.html + + |