		Release Notes for Super FreeS/WAN 2.00
		http://www.freeswan.ca/code/super-freeswan

The Super FreeS/WAN 2.x branch is FreeS/WAN 2.00 [1] with several
functionality patches applied on top of it.

Most of these patches aren't considered mainline, or haven't been
tested enough for the FreeS/WAN developers to accept them into the
mainline branch.

This version includes the following major patches:

X.509 Digital Certificate Support [2]
ALG 0.8.1 [3]
Dead Peer Detection [4]
NAT-T support [5]

As well, various bugfixes have been applied on top of these patches - for
a full list, see CHANGES

Download it from http://www.freeswan.ca/code/super-freeswan 

The 2.x branch of Super FreeS/WAN is made possible by patches from the
following folks:

Andreas Steffen  - X.509 Patches [2]
JuanJo Ciarlante - ALG Patches [3], along with many fixes to the entire
                   codebase, too numerous to mention.
Mathieu Lafon    - NAT-T Patches [5]
FreeS/WAN Team   - v2.00 & providing access to their CVS tree


And of course the user community, for testing it, encouraging 
development of it, sending in patches, feedback and bug reports.

UPGRADING:

If you are upgrading from either FreeS/WAN 1.x or Super FreeS/WAN 1.x, 
you have to do several things.

1. Start with a fresh kernel source tree.  You can't patch over top of a
   kernel tree that already has 1.99 installed into it.
2. Read the REQUIREMENTS section, since these have changed quite a bit.
3. Read http://www.freeswan.ca/docs/freeswan-2.00/doc/upgrading.html
   Pay attention to the "Built in Opportunistic connections" & 
   "Revised ipsec.conf" sections.  You *WILL* need to change your 1.x config
   file before it will work with 2.00+
4. If you don't have TXT/KEY records in DNS, disable Opportunistic Encryption.
   See http://www.freeswan.ca/docs/freeswan-2.00/doc/policygroups.html#disable_policygroups


REQUIREMENTS:

A number of people have reported that pluto and/or whack don't compile
properly.  Also, if you upgraded over top of an existing FreeS/WAN
installation, you may see errors like this when ipsec starts:

ipsec__plutorun: /usr/local/lib/ipsec/whack: option `--ike' is ambiguous 

That message comes from getopt: `--ike' matched more than one long option,
which means the whack being run is an old one that doesn't know the exact
`--ike' option the patched pluto/whack use.  Make sure the new pluto and
whack really replaced the old binaries under /usr/local/lib/ipsec.

There are a few packages required for Super FreeS/WAN's pluto/whack to
compile, in addition to the FreeS/WAN requirements.  They are:

1. On kernel 2.4.x systems, kernel headers 2.4.9-34 or higher

On RedHat 7.x systems, that means kernel-headers-2.4.9-34.$ARCH.rpm or
higher.  2.4.7-10 is broken: you will see __fswab32 errors during
compilation of some of the crypto modules.  On non-RedHat systems, you'll
probably need kernel 2.4.10 or higher.

2. OpenSSL 0.9.6 (openssl-devel)  

A few of the crypto ciphers are taken from the OpenSSL package, so the
headers and libraries provided by OpenSSL are needed at build time.

3. A non-corrupt kernel source tree

This seems to fix many reported compiling problems - starting with a fresh
tree, either vendor supplied or from http://www.kernel.org.  The best test
is to build a kernel from your source tree before patching in Super
FreeS/WAN.

4. OpenLDAP 2.0.x (openldap-devel)

Super FreeS/WAN 2.x ships with LDAP support for X.509 CRLs enabled by
default, so you will need the headers (from openldap-devel) installed
to be able to build it.  Should you want to disable LDAP support, edit
programs/pluto/Makefile and comment out the LDAP_URL line, so that it
reads:

# Uncomment this line to enable dynamic LDAP CRL fetching
# LDAP_URL=1

5. libgmp (libgmp + libgmp-devel)

The normal FreeS/WAN requirements still apply - most importantly libgmp
and the libgmp-devel headers (the GNU Multiple Precision arithmetic
library), which pluto uses for its public-key and Diffie-Hellman math.
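
The following preflight script is an added example and is not part of
Super FreeS/WAN or FreeS/WAN; it simply turns the REQUIREMENTS above and
UPGRADING steps 3 and 4 into checks you can run before patching a kernel
tree.  It assumes the usual locations (/usr/src/linux, /usr/include,
/etc/ipsec.conf), that include/linux/version.h only exists once the tree
has been built, and that the stock way to disable Opportunistic
Encryption in 2.x is to include the distribution's no_oe.conf.  The
script's own function names are its own, not FreeS/WAN's.

```sh
#!/bin/sh
# sfs-preflight.sh: added example, not part of Super FreeS/WAN.
# Checks the build requirements and the ipsec.conf upgrade points before
# you patch a kernel tree.  Paths and the no_oe.conf convention are
# assumptions; adjust for your system.

# version_ge A B: true (0) if dotted version A >= B, field by field.
# Only the numeric prefix counts: 2.4.9-34 compares as 2.4.9, 0.9.6b as 0.9.6.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$fa" ] && [ -z "$fb" ] && return 0   # no fields left: equal
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# kernel_release DIR: print UTS_RELEASE from DIR/include/linux/version.h.
# The file is generated by the kernel build, so an empty result also means
# "you have not built a kernel from this tree yet".
kernel_release() {
    sed -n 's/^#define[[:space:]]*UTS_RELEASE[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$1/include/linux/version.h" 2>/dev/null | head -n 1
}

# openssl_version INCDIR: print the version from INCDIR/openssl/opensslv.h.
openssl_version() {
    sed -n 's/^#define[[:space:]]*OPENSSL_VERSION_TEXT[[:space:]]*"OpenSSL \([^ "]*\).*/\1/p' \
        "$1/openssl/opensslv.h" 2>/dev/null | head -n 1
}

# check_headers INCDIR WITH_LDAP: report required headers missing under INCDIR.
# ldap.h is only needed while LDAP_URL is enabled in programs/pluto/Makefile.
check_headers() {
    inc="$1"; hdrs="openssl/opensslv.h gmp.h"; missing=0
    [ "${2:-1}" = 1 ] && hdrs="$hdrs ldap.h"
    for h in $hdrs; do
        if [ -r "$inc/$h" ]; then echo "ok:   $inc/$h"
        else echo "FAIL: $inc/$h missing (install the -devel package)" >&2; missing=$((missing + 1)); fi
    done
    return "$missing"
}

# 2.x refuses a 1.x-style ipsec.conf: it must carry a "version 2.0" line.
ipsec_conf_is_v2() {
    grep -q '^[[:space:]]*version[[:space:]]\{1,\}2\.0' "$1"
}

# OE is on by default in 2.x.  Assumption: OE is switched off by including
# the distribution's no_oe.conf, so that include line is what we look for.
oe_disabled() {
    grep -q '^[[:space:]]*include[[:space:]].*no_oe\.conf' "$1"
}

# preflight KSRC INCDIR IPSEC_CONF WITH_LDAP: run every check; 0 = all passed.
preflight() {
    ksrc="$1"; inc="$2"; conf="$3"; with_ldap="${4:-1}"; rc=0

    rel=$(kernel_release "$ksrc")
    if [ -z "$rel" ]; then
        echo "FAIL: no UTS_RELEASE in $ksrc/include/linux/version.h - build a working kernel from this tree first" >&2; rc=1
    elif version_ge "$rel" 2.4.9; then
        echo "ok:   kernel source $rel"
    else
        echo "FAIL: kernel source $rel is older than 2.4.9 (2.4.7-10 gives __fswab32 errors)" >&2; rc=1
    fi

    check_headers "$inc" "$with_ldap" || rc=1

    ov=$(openssl_version "$inc")
    if [ -n "$ov" ] && ! version_ge "$ov" 0.9.6; then
        echo "FAIL: OpenSSL $ov is older than 0.9.6" >&2; rc=1
    elif [ -n "$ov" ]; then
        echo "ok:   OpenSSL $ov"
    fi

    if ipsec_conf_is_v2 "$conf"; then echo "ok:   $conf has a version 2.0 line"
    else echo "FAIL: $conf lacks 'version 2.0' (1.x format) - convert it before starting pluto" >&2; rc=1; fi

    if oe_disabled "$conf"; then echo "ok:   OE disabled via no_oe.conf"
    else echo "WARN: OE not disabled via no_oe.conf - only safe if your TXT/KEY DNS records exist" >&2; fi

    return "$rc"
}

# Usage: sh sfs-preflight.sh /usr/src/linux [/usr/include] [/etc/ipsec.conf] [WITH_LDAP]
# Runs only when given arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    preflight "$1" "${2:-/usr/include}" "${3:-/etc/ipsec.conf}" "${4:-1}"
fi
```

The OE check is deliberately only a warning: leaving OE enabled is
legitimate if your TXT/KEY records are in DNS, which the script cannot
verify offline.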


HOW TO INSTALL:

It's best if you've installed FreeS/WAN before, so you'll be familiar
with the steps outlined below.

1. Read all the READMEs.  Ignore the patching instructions - I've done all
that for you.  Go back and read the REQUIREMENTS section in this README.  
Ensure you have all the requirements, since 90% of build problems stem
from not having a recent enough kernel-headers package or the openssl-devel
package, or from a corrupt kernel source tree.

2. If you want NAT-Traversal, you need to build a new kernel, since the
NAT-T patch touches the kernel's TCP/IP stack.  Otherwise, you can build
the IPsec code as a module.

3. For those interested in exactly how I build/install it, the steps are:
 i) 	Uncompress linux-2.4.#.tar.bz2 in /usr/src/, symlink /usr/src/linux
        to /usr/src/linux-2.4.#, and then build a normal working kernel. 
        With recent RPM supplied kernels (e.g. 2.4.18+) you will probably 
        need to run "make mrproper" immediately after installing the source
        rpm.
 ii) 	Install & ensure that your new kernel works (reboot into it)
 iii) 	From the sfs-2.## source dir, either do the quick way:

        make menugo && make minstall
 	
        Or the step by step way:
 
	make insert && make oldmod && make programs && make minstall


EXTRA NOTES:

1. Tuomo Soini provides Source RPMs @
http://tis.foobar.fi/software/?freeswan

2. Building this as a module works.  However, if you want NAT Traversal,
you'll need to build a new kernel, as the ESPinUDP patch touches the
TCP/IP stack in the kernel.

This is tested to compile + play happily with 2.4.18 and higher only.  
It's been reported to work as far back as 2.4.9, but it won't work with
2.4.2.  I don't have a huge collection of machines at my disposal to play
with, so I rely mainly on bug reports and feedback from users to know what
kernel versions work.  So if you're using another version, please let me
know so I can add it to the list of known-good combinations.


BUGS/PATCHES/DEVELOPMENT:

The development mailing list is sfs-dev @ http://lists.freeswan.ca/
You can post directly (there is no subscription required) to
sfs-dev@lists.freeswan.ca

SUPPORT:

1. Mailing lists

Use the FreeS/WAN mailing list - http://lists.freeswan.org/mailman/listinfo/users

I read it several times daily so I'll see reports made there, and reply as
I have time.

Please try not to email me directly for support/howto questions - use the
mailing lists for that, as the authors of each of the patches are there,
as are other people who can probably help quicker than I can.  Emails
asking for sample configs, reporting Windows interop problems, or
demanding I supply configs for your network setup will probably be ignored.

2. IRC

irc.freenode.net, in channel #freeswan, is where the developers and many
experienced users lurk.  See http://www.freeswan.ca/irc for more details
and a list of courtesy rules to follow.


Ken Bantoft 2003-07-24
ken@freeswan.ca


[1]	http://www.freeswan.org
[2]	http://www.strongsec.com/freeswan
[3]	http://www.irrigacion.gov.ar/juanjo/ipsec/
[4]	docs/draft-ietf-ipsec-dpd-03.txt
[5]	http://open-source.arkoon.net

# RCSID $Id: README,v 1.9 2003/07/24 03:57:51 ken Exp $

