From aaa0331ecf95ced1e913ac9be50168cf0e7cbb82 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Tue, 30 Jan 2007 12:21:07 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (2.8.2)

---
 doc/upgrading.html | 184 -----------------------------------------------------
 1 file changed, 184 deletions(-)
 delete mode 100644 doc/upgrading.html

(limited to 'doc/upgrading.html')

diff --git a/doc/upgrading.html b/doc/upgrading.html
deleted file mode 100644
index ce9fba3d2..000000000
--- a/doc/upgrading.html
+++ /dev/null
@@ -1,184 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
-<HTML>
-<HEAD>
-<TITLE>Introduction to FreeS/WAN</TITLE>
-<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
-<STYLE TYPE="text/css"><!--
-BODY { font-family: serif }
-H1 { font-family: sans-serif }
-H2 { font-family: sans-serif }
-H3 { font-family: sans-serif }
-H4 { font-family: sans-serif }
-H5 { font-family: sans-serif }
-H6 { font-family: sans-serif }
-SUB { font-size: smaller }
-SUP { font-size: smaller }
-PRE { font-family: monospace }
---></STYLE>
-</HEAD>
-<BODY>
-<A HREF="toc.html">Contents</A>
-<A HREF="intro.html">Previous</A>
-<A HREF="quickstart.html">Next</A>
-<HR>
-<A NAME="upgrading"></A>
-<H1><A NAME="2">Upgrading to FreeS/WAN 2.x</A></H1>
-<H2><A NAME="2_1">New! Built in Opportunistic connections</A></H2>
-<P>Out of the box, FreeS/WAN 2.x will attempt to encrypt all your IP
- traffic. It will try to establish IPsec connections for:</P>
-<UL>
-<LI> IP traffic from the Linux box on which you have installed
- FreeS/WAN, and</LI>
-<LI> outbound IP traffic routed through that Linux box (eg. from a
- protected subnet).</LI>
-</UL>
-<P>FreeS/WAN 2.x uses<STRONG> hidden, automatically enabled<VAR>
- ipsec.conf</VAR> connections</STRONG> to do this.</P>
-<P>This behaviour is part of our campaign to get Opportunistic
- Encryption (OE) widespread in the Linux world, so that any two Linux
- boxes can encrypt to one another without prearrangement. There's one
- catch, however: you must<A HREF="quickstart.html#quickstart"> set up a
- few DNS records</A> to distribute RSA public keys and (if applicable)
- IPsec gateway information.</P>
-<P>If you start FreeS/WAN before you have set up these DNS records, your
- connectivity will be slow, and messages relating to the built in
- connections will clutter your logs. If you are unable to set up DNS for
- OE, you will wish to<A HREF="policygroups.html#disable_policygroups">
- disable the hidden connections</A>.</P>
-<A NAME="upgrading.flagday"></A>
-<H3><A NAME="2_1_1">Upgrading Opportunistic Encryption to 2.01 (or
- later)</A></H3>
-<P>As of FreeS/WAN 2.01, Opportunistic Encryption (OE) uses DNS TXT
- resource records (RRs) only (rather than TXT with KEY). This change
- causes a &quot;flag day&quot;. Users of FreeS/WAN 2.00 (or earlier) OE who are
- upgrading may need to post additional resource records.</P>
-<P>If you are running<A HREF="glossary.html#initiate-only">
- initiate-only OE</A>, you<EM> must</EM> put up a TXT record in any
- forward domain as per our<A HREF="quickstart.html#opp.client">
- quickstart instructions</A>. This replaces your old forward KEY.</P>
-<P> If you are running full OE, you require no updates. You already have
- the needed TXT record in the reverse domain. However, to facilitate
- future features, you may also wish to publish that TXT record in a
- forward domain as instructed<A HREF="quickstart.html#opp.incoming">
- here</A>.</P>
-<P>If you are running OE on a gateway (and encrypting on behalf of
- subnetted boxes) you require no updates. You already have the required
- TXT record in your gateway's reverse map, and the TXT records for any
- subnetted boxes require no updating. However, to facilitate future
- features, you may wish to publish your gateway's TXT record in a
- forward domain as shown<A HREF="quickstart.html#opp.incoming"> here</A>
-.</P>
-<P> During the transition, you may wish to leave any old KEY records up
- for some time. They will provide limited backward compatibility.
-<!--
-For more
-detail on that compatibility, see <A HREF="oe.known-issues">Known Issues with
-OE</A>.
--->
-</P>
-<H2><A NAME="2_2">New! Policy Groups</A></H2>
-<P>We want to make it easy for you to declare security policy as it
- applies to IPsec connections.</P>
-<P>Policy Groups make it simple to say:</P>
-<UL>
-<LI>These are the folks I want to talk to in the clear.</LI>
-<LI>These spammers' domains -- I don't want to talk to them at all.</LI>
-<LI>To talk to the finance department, I must use IPsec.</LI>
-<LI>For any other communication, try to encrypt, but it's okay if we
- can't.</LI>
-</UL>
-<P>FreeS/WAN then implements these policies, creating OE connections if
- and when needed. You can use Policy Groups along with connections you
- explicitly define in ipsec.conf.</P>
-<P>For more information, see our<A HREF="policygroups.html"> Policy
- Group HOWTO</A>.</P>
-<H2><A NAME="2_3">New! Packetdefault Connection</A></H2>
-<P>Free/SWAN 2.x ships with the<STRONG> automatically enabled, hidden
- connection</STRONG><VAR> packetdefault</VAR>. This configures a
- FreeS/WAN box as an OE gateway for any hosts located behind it. As
- mentioned above, you must configure some<A HREF="quickstart.html"> DNS
- records</A> for OE to work.</P>
-<P>As the name implies, this connection functions as a default. If you
- have more specific connections, such as policy groups which configure
- your FreeS/WAN box as an OE gateway for a local subnet, these will
- apply before<VAR> packetdefault</VAR>. You can view<VAR> packetdefault</VAR>
-'s specifics in<A HREF="manpage.d/ipsec.conf.5.html"> man ipsec.conf</A>
-.</P>
-<H2><A NAME="2_4">FreeS/WAN now disables Reverse Path Filtering</A></H2>
-<P>FreeS/WAN often doesn't work with reverse path filtering. At start
- time, FreeS/WAN now turns rp_filter off, and logs a warning.</P>
-<P>FreeS/WAN does not turn it back on again. You can do this yourself
- with a command like:</P>
-<PRE>   echo 1 &gt; /proc/sys/net/ipv4/conf/eth0/rp_filter</PRE>
-<P>For eth0, substitute the interface which FreeS/WAN was affecting.</P>
-<A NAME="ipsec.conf_v2"></A>
-<H2><A NAME="2_5">Revised<VAR> ipsec.conf</VAR></A></H2>
-<H3><A NAME="2_5_1">No promise of compatibility</A></H3>
-<P>The FreeS/WAN team promised config-file compatibility throughout the
- 1.x series. That means a 1.5 config file can be directly imported into
- a fresh 1.99 install with no problems.</P>
-<P>With FreeS/WAN 2.x, we've given ourselves permission to make the
- config file easier to use. The cost: some FreeS/WAN 1.x configurations
- will not work properly. Many of the new features are, however, backward
- compatible.</P>
-<H3><A NAME="2_5_2">Most<VAR> ipsec.conf</VAR> files will work fine</A></H3>
-<P>... so long as you paste this line,<STRONG> with no preceding
- whitespace</STRONG>, at the top of your config file:</P>
-<PRE>    version 2</PRE>
-<H3><A NAME="2_5_3">Backward compatibility patch</A></H3>
-<P>If the new defaults bite you, use<A HREF="ipsec.conf.2_to_1"> this<VAR>
- ipsec.conf</VAR> fragment</A> to simulate the old default values.</P>
-<H3><A NAME="2_5_4">Details</A></H3>
-<P> We've obsoleted various directives which almost no one was using:</P>
-<PRE>    dump
-    plutobackgroundload
-    no_eroute_pass
-    lifetime
-    rekeystart
-    rekeytries</PRE>
-<P>For most of these, there is some other way to elicit the desired
- behaviour. See<A HREF="http://lists.freeswan.org/pipermail/design/2002-August/003243.html">
- this post</A>.</P>
-<P> We've made some settings, which almost everyone was using, defaults.
- For example:</P>
-<PRE>    interfaces=%defaultroute
-    plutoload=%search
-    plutostart=%search
-    uniqueids=yes</PRE>
-<P>We've also changed some default values to help with OE and Policy
- Groups:</P>
-<PRE>    authby=rsasig   ## not secret!!!
-    leftrsasigkey=%dnsondemand ## looks up missing keys in DNS when needed.
-    rightrsasigkey=%dnsondemand</PRE>
-<P> Of course, you can still override any defaults by explictly
- declaring something else in your connection.</P>
-<P><A HREF="http://lists.freeswan.org/pipermail/design/2002-August/003243.html">
- A post with a list of many ipsec.conf changes.</A>
-<BR><A HREF="manpage.d/ipsec.conf.5.html"> Current ipsec.conf manual.</A>
-</P>
-<A NAME="upgrading.rpms"></A>
-<H3><A NAME="2_5_5">Upgrading from 1.x RPMs to 2.x RPMs</A></H3>
-<P>Note: When upgrading from 1-series to 2-series RPMs,<VAR> rpm -U</VAR>
- will not work.</P>
-<P>You must instead erase the 1.x RPMs, then install the 2.x set:</P>
-<PRE>    rpm -e freeswan</PRE>
-<PRE>    rpm -e freeswan-module</PRE>
-<P>On erasing, your old<VAR> ipsec.conf</VAR> should be moved to<VAR>
- ipsec.conf.rpmsave</VAR>. Keep this. You will probably want to copy
- your existing connections to the end of your new 2.x file.</P>
-<P>Install the RPMs suitable for your kernel version, such as:</P>
-<PRE>    rpm -ivh freeswan-module-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<PRE>    rpm -ivh freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm</PRE>
-<P>Or, to splice the files:</P>
-<PRE>    cat /etc/ipsec.conf /etc/ipsec.conf.rpmsave &gt; /etc/ipsec.conf.tmp
-    mv /etc/ipsec.conf.tmp /etc/ipsec.conf</PRE>
-<P>Then, remove the redundant<VAR> conn %default</VAR> and<VAR> config
- setup</VAR> sections. Unless you have done any special configuring
- here, you'll likely want to remove the 1.x versions. Remove<VAR> conn
- OEself</VAR>, if present.</P>
-<HR>
-<A HREF="toc.html">Contents</A>
-<A HREF="intro.html">Previous</A>
-<A HREF="quickstart.html">Next</A>
-</BODY>
-</HTML>
-- 
cgit v1.2.3