1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
Known issues with FreeS/WAN on a 2.6 kernel Claudia Schmeing
-------------------------------------------
This is an overview of known issues with FreeS/WAN on the 2.6 kernel codebase
(also 2.5.x), which includes native Linux IPsec code.
More information on the native IPsec code is available here:
http://lartc.org/howto/lartc.ipsec.html
Tools for use with that code are here:
http://ipsec-tools.sourceforge.net/
* As of FreeS/WAN 2.03, FreeS/WAN ships with some support for the 2.6 kernel
IPsec code. In 2.03, this support is preliminary, but we expect to develop
it fully. Many thanks to Herbert Xu for the initial code patches.
* Use the most recent Linux FreeS/WAN 2.x release from ftp.xs4all.nl
to try our 2.6 kernel support.
* The installation procedure for use with 2.6 kernel IPsec is a little
different from a traditional FreeS/WAN installation. Please see
the latest doc/install.html.
* Please see the design and users' mailing lists
(http://www.freeswan.org/mail.html) for more detail and the latest reports.
DESIGN-RELATED ISSUES
* In 2.6, IPsec policies are detached from routing decisions. Because of this
design, Opportunistic Encryption on the local LAN will be possible with 2.6.
One side effect: When contacting a node on the local LAN which is protected
by gateway OE, you will get asymmetrical routing (one way through the gateway,
one way direct), and IPsec will drop the return packets.
CURRENT ISSUES
* For the moment, users wishing to test FreeS/WAN with 2.6 will require
ipsec-tools' "setkey" program. Though FreeS/WAN's keying daemon, Pluto,
directly sets IPsec policy, setkey is currently required to reset kernel SPD
(Security Policy Database) states when Pluto restarts. We will likely add
this basic functionality to an upcoming FreeS/WAN release.
* State information is not available to the user, eg. ipsec
eroute/ipsec spi/ipsec look do not work. The exception: ipsec auto --status
This will be fixed in a future release.
* If you're running Opportunistic Encryption, connectivity to new hosts will
immediately fail. You may receive a message similar to this:
connect: Resource temporarily unavailable
The reason for this lies in the kernel code. Fairly complex discussion:
http://lists.freeswan.org/archives/design/2003-September/msg00073.html
As of 2.6.0-test6, this has not been fixed.
* This initial connectivity failure has an unintended side effect on DNS queries.
This will result in a rekey failure for OE connections; a %pass will be
installed for your destination IP before a %pass is re-instituted to your
DNS server. As a workaround, please add your DNS servers to
/etc/ipsec.d/policies/clear.
* Packets on all interfaces are considered for OE, including loopback. If you're
running a local nameserver, you'll still need to exempt localhost DNS traffic
as per the previous point. Since this traffic has a source of 127.0.0.1/32,
the "clear" policy group will not suffice; you'll need to add the following
%passthrough conn to ipsec.conf:
conn exclude-lo
authby=never
left=127.0.0.1
leftsubnet=127.0.0.0/8
right=127.0.0.2
rightsubnet=127.0.0.0/8
type=passthrough
auto=route
OLD ISSUES
None, yet.
RELATED DOCUMENTS
FreeS/WAN Install web page doc/install.html
FreeS/WAN Install guide INSTALL
FreeS/WAN mailing list posts, including:
http://lists.freeswan.org/archives/design/2003-September/msg00057.html
To sign up for our mailing lists, see http://www.freeswan.org/mail.html
|
