Please see docs/KNOWN_BUGS file for more information

#stable
v2.5.12
   A fix to detect that XEN has been patched into the kernel, and set
   some of the 2.6.18 changes.
   never log starter_log() things to stdout, they always go to stderr.
   when a packet is passed through, do not call NF_IP_LOCAL_OUT, as it has already 
	passed through the output hooks, and doing it again, confuses things
	causing ip_route_me_harder() which creates a look, since it does the flow
	lookup again. (This doesn't happen if the kernel hasn't got XFRM support)
   fixed parsing of config file so that "version 2" is accepted.
   fixed addconn to respect "right/left"sourceip=, new test case sourceip-01 
   fixed processing of "first"/"last" packet for %trap/%hold conns in KLIPS, it now
	properly forwards the packets when the packet is released.
   

v2.5.11
   Some fixes in KLIPS for "ipsec eroute --clear" bug. It is not clear
   why this suddendly became an issue, or if it would have been an issue
   previously, given the right compiler optimization.
   
v2.5.10
   Includes fixes for xmlto generation for _confread directory.

v2.5.09
   Minor fix to build process, updated CHANGES file.

v2.5.08
   Correct release.
   Includes some changes to permit OE to work without nexthop,
   however this seems to cause it to return an unreachable on 
   the first message.

v2.5.07	-dud due to release script error.

v2.5.06
   set LANGUAGE, LANG and LC_ALL in setup script.
   change OE off by default note and scripts.
   Merge of additional code from 2.4.
   
v2.5.05
   2.5.03 and 2.5.04 were not properly released, and 2.5.05 now
   is properly released and includes below items
    
v2.5.04
    zero peer_ca to avoid crashes.
    (include glob's may still not work correctly)

v2.5.03
    ipsec.conf parsing should ignore keywords that start with x-
	they are a form of structured comment.
    added in forceencaps= keyword.
    process wildcards with glob() in include statements.

v2.5.02
    fixed bug in ipsec.conf parser, where it could not read values
       that had = in them (such as base64 encoded keys)
    fixed bug in key continuation code that could cause a crash
	if the DNS request timed out after the state was deleted
	for other reasons.
 
v2.5.01
    merged xauthusername code base + multinet tests in.
    removed /dev/hw_random from list of valid random sources on linux.
        use "rngd" instead to feed /dev/random.

v2.5.00 
    fixed various bugs with lifetime values in ipsec.conf parser
    AES-128 (group 5, MD5 or SHA1 for PRF) is now accepted for phase 1,
	and it is now the preferred cipher as well. This should be the
	case for Main mode, Aggressive mode, and for XAUTH client and
	XAUTH server, and PSK and RSA sig mode.

    fixes so that starter will now compile
    move whacklib to lib/libwhack
    adjust makefiles to work with OBJDIR version of Makefile.program
    switch to OBJDIR in programs/* and lib/* if it is defined

    added sanitizer for PID files
    be smarter about including git version info into version
    We need to use /dev/urandom first, as it has more random than /dev/random.
       Otherwise, we run out really fast (within a few minutes)
    Use endian.h when comiling out-of-kernel
    patch to turn error about 17/500,0/0 vs 17/0 error with Cisco VPN3000
       into a warning.
    remove test for NAT-T VID vs NATD payload test. It fails for reasons
       that are unknown at this time, and this check is really being pedantic.
    MAJOR: use starter code for "addconn"
    MAJOR: always use OBJDIRs, and compile on Windows (no kernel)
    MAJOR: includes "Taproom" code --- TCL call outs from pluto at IKE
		transition states. 

v2.4.5
* Fix for compiling on 2.6.14 kernels 
* Refactored natd_lookup / hash code, probably fixes lot of NAT related bugs
  #401 l2tp connection is not work with 2.6 build in IPSEC
  #442 Pluto uses wrong port in NAT-D calculation
  #450 macosx (possible generic PSK+NAT-T rekey bug: eroute already in use.
  #462 updated patch for Openswan and OS X with NAT-T
  #509 KLIPS compilation fail with kernel-2.6.14.2 


v2.4.4
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state) 
  (see http://www.openswan.org/niscc2/)
  (proper fix in pluto_constants.h)
* Fix for kernels having strstr
* Various gcc4 warning fixes
* disable CONFIG_IPSEC_NAT_TRAVERSAL per default so we can build KLIPS on
  Fedora systems.
* questionable spin_unlock commented out. Might fix reported SMP crashers.
* update to permit alg code without module support
* Fix for detecting proper kernel source/header directory on fedora
* Various bugfixes as reported on http://bugs.openswan.org/
  #499: check for module support in kernel for IPsec Modular Extensions
  #500: recent awk breaks on 'setdefault' command


v2.4.3
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state) 
  (see http://www.openswan.org/niscc2/)
  (incorrect fixed. version not released)

v2.4.2
* Fixes for compiling on 2.6.14 by David McCullough
* Minor fixes to accomodate FC4 2.6.11 kernels.
* Fix for compilation of KLIPS on 2.4.x kernels.
* Fix for NAT-T on 2.4.31
* Fix for 'short' packets with KLIPS on 2.4.x
* Merged in Jacco's l2tp configuration examples
* Various bugfixes as reported on http://bugs.openswan.org/
  #286 Incorrect links in intro.html
  #344 netkey-acquire patch
  #376 install_ipsec_sa and install_inbound_ipsec_sa
  #486 ASSERTION FAILED at crypto.c:258: key_size==(DES_CBC_BLOCK_SIZE * 3)
  (see http://www.openswan.org/niscc2/)

v2.4.1
* Not publically released

v2.4.0
* NAT-T support for KLIPS on 2.6 (Sponsored by Astaro)
* Additional Cipher support with KLIPS on 2.6 (Sponsored by Astaro)
* Fix for NAT-T/PSK rekey (Ulrich @ Astaro)
* Various bugfixes: #269, #328, #342, #350, #355, #357, #361, #363

v2.3.1
* NAT-T RFC support (mlafon/mcr)
* NAT-T Server Side rewrite - handles rekeying alot better
* NAT-T Client Side rekey bug fixed
* Removed HowTo (obselete)
* IPKG packaging updates
* Log message updates
* dpdaction=restart support 

v2.3.0
* KLIPS for 2.6 support (Experimental)
  [ good results on FC3-AMD and vanilla/debian kernel source, but not
    FC3-intel. Might be the grsecurity patch  ]
* Aggressive Mode Support (client and server)
* IKE Mode Config support (Experimental)
* Cisco VPN 3xxx client Interop (Experimental)
* Cryptographic helpers framework
* Fixes for NAT-T on 2.4.28+ kernels.

v2.2.0
* Added RFC 3706 DPD support (see README.DPD)
* Added AES from JuanJo's ALG patches
* Fixes for /proc filesystem issues that started to appear in 2.4.25

v2.1.2
* Fix loading of 2.6 modules 
* Fix for snprintfs() in /proc, new for 2.4.25 kernels (dhr/pw)
* Fix checks for some log files/dirs in case they are sockets or pipes (pw)
* Fix for crl.pem crash/core (dhr/as/kb)

v2.1.1
* Fix _pluto_adns installation path (kb)
* Fix sending of X.509 CR's when no CA present (mcr)

v2.1.0
* NAT-T support (Mathieu Lafon - Arkoon)
* X.509 fixes (Andreas Steffan)
* New configuration file directive, {left|right}sourceip=#.#.#.# 
  This will set the source address when talking to a particular 
  connection.  This is very usefull to assign a static IP to your laptop 
  while travelling.  This is based on Tuomo Soini's Advanced Routing 
  patch.

RCSID $Id: CHANGES,v 1.326.2.31 2005/11/24 05:35:43 ken Exp $
