Diffstat (limited to 'doc/2.6.known-issues')
-rw-r--r-- doc/2.6.known-issues 112
1 files changed, 0 insertions, 112 deletions
diff --git a/doc/2.6.known-issues b/doc/2.6.known-issues
deleted file mode 100644
index 397c4f957..000000000
--- a/doc/2.6.known-issues
+++ /dev/null
@@ -1,112 +0,0 @@
-Known issues with FreeS/WAN on a 2.6 kernel Claudia Schmeing
--------------------------------------------
-
-
-This is an overview of known issues with FreeS/WAN on the 2.6 kernel codebase
-(also 2.5.x), which includes native Linux IPsec code.
-
-More information on the native IPsec code is available here:
-
- http://lartc.org/howto/lartc.ipsec.html
-
-Tools for use with that code are here:
-
- http://ipsec-tools.sourceforge.net/
-
-
-* As of FreeS/WAN 2.03, FreeS/WAN ships with some support for the 2.6 kernel
- IPsec code. In 2.03, this support is preliminary, but we expect to develop
- it fully. Many thanks to Herbert Xu for the initial code patches.
-
-* Use the most recent Linux FreeS/WAN 2.x release from ftp.xs4all.nl
- to try our 2.6 kernel support.
-
-* The installation procedure for use with 2.6 kernel IPsec is a little
- different from a traditional FreeS/WAN installation. Please see
- the latest doc/install.html.
-
-* Please see the design and users' mailing lists
- (http://www.freeswan.org/mail.html) for more detail and the latest reports.
-
-
-
-DESIGN-RELATED ISSUES
-
-
-* In 2.6, IPsec policies are detached from routing decisions. Because of this
- design, Opportunistic Encryption on the local LAN will be possible with 2.6.
-
- One side effect: When contacting a node on the local LAN which is protected
- by gateway OE, you will get asymmetrical routing (one way through the gateway,
- one way direct), and IPsec will drop the return packets.
-
-
-
-CURRENT ISSUES
-
-
-* For the moment, users wishing to test FreeS/WAN with 2.6 will require
- ipsec-tools' "setkey" program. Though FreeS/WAN's keying daemon, Pluto,
- directly sets IPsec policy, setkey is currently required to reset kernel SPD
- (Security Policy Database) states when Pluto restarts. We will likely add
- this basic functionality to an upcoming FreeS/WAN release.
-
-* State information is not available to the user, eg. ipsec
- eroute/ipsec spi/ipsec look do not work. The exception: ipsec auto --status
- This will be fixed in a future release.
-
-* If you're running Opportunistic Encryption, connectivity to new hosts will
- immediately fail. You may receive a message similar to this:
-
- connect: Resource temporarily unavailable
-
- The reason for this lies in the kernel code. Fairly complex discussion:
-
- http://lists.freeswan.org/archives/design/2003-September/msg00073.html
-
- As of 2.6.0-test6, this has not been fixed.
-
-* This initial connectivity failure has an unintended side effect on DNS queries.
- This will result in a rekey failure for OE connections; a %pass will be
- installed for your destination IP before a %pass is re-instituted to your
- DNS server. As a workaround, please add your DNS servers to
- /etc/ipsec.d/policies/clear.
-
-* Packets on all interfaces are considered for OE, including loopback. If you're
- running a local nameserver, you'll still need to exempt localhost DNS traffic
- as per the previous point. Since this traffic has a source of 127.0.0.1/32,
- the "clear" policy group will not suffice; you'll need to add the following
- %passthrough conn to ipsec.conf:
-
- conn exclude-lo
- authby=never
- left=127.0.0.1
- leftsubnet=127.0.0.0/8
- right=127.0.0.2
- rightsubnet=127.0.0.0/8
- type=passthrough
- auto=route
-
-
-
-OLD ISSUES
-
-
-None, yet.
-
-
-
-RELATED DOCUMENTS
-
-
-FreeS/WAN Install web page doc/install.html
-
-FreeS/WAN Install guide INSTALL
-
-FreeS/WAN mailing list posts, including:
-
- http://lists.freeswan.org/archives/design/2003-September/msg00057.html
-
-To sign up for our mailing lists, see http://www.freeswan.org/mail.html
-
-
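Review bot: The CURRENT ISSUES section removed here holds two policy workarounds that send traffic outside IPsec, and nothing visible in this change says where they are now documented or that they are no longer needed. The first is adding DNS servers to /etc/ipsec.d/policies/clear. The second is the "conn exclude-lo" block with type=passthrough over 127.0.0.0/8. Anyone who applied them keeps those exemptions in their configuration after this file is gone, with no remaining explanation of why they exist. Please state in the commit message whether the 2.6 issues listed (setkey needed to reset the SPD on Pluto restart, the initial OE connect failure noted as unfixed in 2.6.0-test6) are resolved or documented elsewhere. Also check whether doc/install.html or INSTALL, which this file lists under RELATED DOCUMENTS, point back to doc/2.6.known-issues, so the deletion does not leave a dangling reference.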