HOWTO: openswan to libreswan migration

From Libreswan
Revision as of 01:23, 11 January 2014 by Paul Wouters (talk | contribs) (add migration page)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
  • Migration from openswan to libreswan

libreswan is a fork of openswan 2.6.38. It has features that are unavailable with openswan, but libreswan itself supports all openswan features.

  • Build changes

Some build options have changed. The following list will explain the changes you need to know to update your custom compile environment, such as your Makefile.inc or Makefile.inc.local file, or via specified environment variables in the pacakge build.

  • NSS mandatory, USE_LIBNSS removed

Libreswan has removed all old crypto code. It uses the NSS library for all userland cryptographic operations. This was optional with openswan using the USE_LIBNSS compile time option. This option was already set for all RHEL and Fedora builds. The build option USE_LIBNSS has been removed. See Migration_NSS on how to migrate a non-nss openswan system to libreswan.

  • USE_LWRES removed, USE_DNSSEC added

Support for the bind9 lwres DNS interface has been removed. The old ADNS interface is only used when USE_DNSSEC is explicitely disabled. When DNSSEC is enabled, the libunbound API is used instead. The opportunstic encryption DNS lookups still use the ADNS interface but are in the process of being migrated to libunbound.

  • USE_DYNAMICDNS always enabled, option removed

When connections rekey, dynamic dns support performs a fresh dns lookup to support IPsec gateways on dynamic IP using DNS names, such as dyndns.org. Libreswan always performs these DNS lookups, so this option was removed.

  • USE_IPSECPOLICY obsoleted and removed

The policy socket was an method for non-root users to query the pluto daemon for information. This support has been removed. Similar features will be re-implemented using a dbus API.

  • USE_TAPROOM obsoleted and removed

The taproom code allowed custom mangling of data for fuzzing and regression testing. It was left unused and no longer worked. It was removed. Fuzzing is now done via IKE fuzzer

  • USE_IKEPING always built, option removed

The 'ipsec ikeping' command is now always built and installed.

  • SEND_VENDORID changed to runtime option

Instead of using a global compile time option, libreswan allows one to set sending the vendor id payload on a per connection basis using the new 'send_vendorid=yes' option. The libreswan vendorid changed to 'OEN-<version>' but can be manually set using the global myvendorid= option.

  • HAVE_STATSD changed to runtime option

The HAVE_STATSD option is now a runtime option statsbin= which can be set in the 'config setup' section of ipsec.conf. Its value should point to a valid executable filename. When the option is not specified, no statsd calls are done.

  • USE_AGGRESSIVE, USE_XAUTH, USE_NAT_TRAVERSAL, USE_NAT_TRAVERSAL_TRANSPORT_MODE

IKEv1 extensions that were integrated into the IKEv2 specification are always built in libreswan. That means these options have been removed and cannot be disabled at compile time. USE_XAUTHPAM is enabled for all platforms that support pam.

  • HAVE_THREADS always built, option removed

Thread support is always enabled, as even uclibc has support for it. However, the use of threads has been strongly reduced. Only some of the X509 CRL code and the XAUTH pam code use threads. The CRL code dependancy on threads will be removed in the near future.

  • FIPSPRODUCTCHECK

FIPS mode detection has been updated to be compliant to new FIPS requirements. The FIPSPRODUCTCHECK= option points to a file that when present, it means that libreswan is running on a "FIPS Product". This is separate from the check if the kernel was booted in FIPS mode.

  • USE_MODP_RFC5114 always built, option removed

Support for these DiffieHellman groups is always built.

  • USE_NOCRYPTO

This option was removed put will be re-introduced because sadly people still need it.

  • USE_EXTRACRYPTO changed

The SHA2 algorithm has moved into the core list of algorithms that are always enabled and the USE_EXTRACRYPTO option now only refers to serpent and twofish. Blowfish support has been removed.

  • OSTYPE and OSMEDIA

These options are used with the Testing_Harness to specify the OS type (fedora or ubuntu) and the OS network install media. See the kvmsetup.sh file in the main libreswan directory.

  • Changes to config setup options

A lot of new features have been added to libreswan since it forked from openswan. A few openswan keywords have been obsoleted. When using these obsoleted options, libreswan will log a warning that your obsoleted option is ignored.