HOWTO: openswan to libreswan migration: Difference between revisions
Paul Wouters (talk | contribs) |
Line 21: | Line 21: | ||
Libreswan, when specifing an ike= or phasealg= (esp=) algorithem is always strict. Removal of the "!" character is enough to migrate the connection | Libreswan, when specifing an ike= or phasealg= (esp=) algorithem is always strict. Removal of the "!" character is enough to migrate the connection | ||
=== protostack=auto is obsoleted === | |||
Libreswan will interpret protostack=auto to be protostack=netkey. | |||
=== Changed defaults for crypto algorithms === | === Changed defaults for crypto algorithms === |
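Review bot: The added "protostack=auto is obsoleted" section says how libreswan interprets the value but not what the reader should do about it. The strict-flag section directly above ends with the migration step ("Removal of the "!" character is enough to migrate the connection"), so a matching sentence here would help: say whether an existing protostack=auto line can stay as it is or should be changed to protostack=netkey. The unchanged context line also carries the typos "specifing" and "algorithem", which could be fixed in the same revision.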
Revision as of 23:12, 16 September 2015
Migration from openswan to libreswan
libreswan is a fork of openswan 2.6.38. It has features that are unavailable with openswan, but libreswan itself supports all openswan features.
libreswan is fully backwards compatible with openswan.
Configuration changes between libreswan and openswan
Where possible, libreswan recognises old keywords and syntax from openswan. There are a few exceptions where behaviour changed. See the libreswan documentation for the many new features that have been added since it forked from openswan.
The key size of the AES_GCM and AES_CCM algorithms no longer includes salt/ICV values
So with libreswan, using 256 bit AES_GCM becomes esp=aes_gcm256-null. Libreswan added support for AES_GCM in IKEv2, which is specified as ike=aes_gcm256-sha2 (where sha2 refers to the prf, not the integ/auth algorithm).
Obsoleted /etc/ipsec.d/cacerts and /etc/ipsec.d/crls
These directories are no longer used. Use certutil to import the CA certificates from /etc/ipsec.d/cacerts/ into the NSS database. Use crlutil to import CRL pem files into the NSS database. Both operations can be done at runtime and do not require a restart. Note that pluto supports fetching the CRLs from the DistributionPoints specified in the certificate and will use that by default. This URL can be overridden.
The use of the strict flag ("!") is no longer allowed
When an ike= or phase2alg= (esp=) algorithm is specified, libreswan is always strict. Removing the "!" character is enough to migrate the connection.
protostack=auto is obsoleted
Libreswan will interpret protostack=auto to be protostack=netkey.
Changed defaults for crypto algorithms
IKEv2 has a new default proposal set that added SHA2 and AES_GCM and removed MD5. You might need to update your connections if you update only one of two endpoints using the default IKEv2 proposal list.
Blowfish algorithm support has been removed
Blowfish support was removed. Use twofish instead.
Changes to config setup options
A lot of new features have been added to libreswan since it forked from openswan. A few openswan keywords have been obsoleted. When using these obsoleted options, libreswan will log a warning that your obsoleted option is ignored.
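An added example, not part of the original wiki page or of libreswan: a small checker that applies the configuration changes listed above to an openswan-style ipsec.conf. The function name, messages and sample configuration are constructed for illustration; it rewrites only the strict flag and protostack=auto, and flags Blowfish and AES_GCM/AES_CCM lines for manual review.

```python
import re

ALG_KEYS = {"ike", "esp", "phase2alg"}   # proposal keywords named on this page

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
config setup
    protostack=auto
conn office
    ike=aes256-sha1!   # strict in openswan
    esp=blowfish-sha1
conn branch
    esp=aes_gcm256-null
"""

def migrate_ipsec_conf(text):
    """Return (migrated_text, findings) for an openswan-style ipsec.conf.

    findings are (line_number, section, message) tuples. Only the two
    mechanical changes are rewritten; everything else is flagged for review.
    """
    out, findings, section = [], [], None
    for num, raw in enumerate(text.splitlines(), 1):
        code, hash_, comment = raw.partition("#")      # keep trailing comments
        words = code.split()
        if words and not code[0].isspace() and words[0] in ("conn", "config"):
            section = " ".join(words)                  # unindented section header
        key, eq, value = code.partition("=")
        name, val = key.strip().lower(), value.strip().strip('"').lower()
        if eq and name == "protostack" and val == "auto":
            code = key + "=" + re.sub("(?i)auto", "netkey", value, count=1)
            findings.append((num, section, "protostack=auto rewritten to netkey"))
        elif eq and name in ALG_KEYS:
            if "!" in value:
                code = key + "=" + value.replace("!", "")
                findings.append((num, section, 'strict flag "!" removed'))
            if "blowfish" in val:
                findings.append((num, section, "blowfish removed; page suggests twofish"))
            if re.search(r"aes_(gcm|ccm)", val):
                findings.append((num, section, "AES_GCM/CCM: key size must exclude salt/ICV"))
        out.append(code + hash_ + comment)
    return "\n".join(out) + "\n", findings

if __name__ == "__main__":
    new_text, found = migrate_ipsec_conf(SAMPLE)
    for num, section, message in found:
        print(f"line {num} [{section}]: {message}")
    print(new_text, end="")
```
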
Changes in building libreswan versus openswan
Some build options have changed. The following list explains the changes you need to know about to update your custom compile environment, such as your Makefile.inc or Makefile.inc.local file, or environment variables specified in the package build.
NSS mandatory, USE_LIBNSS removed
Libreswan has removed all old crypto code. It uses the NSS library for all userland cryptographic operations. This was optional with openswan using the USE_LIBNSS compile time option. This option was already set for all RHEL and Fedora builds. The build option USE_LIBNSS has been removed. See Migration_NSS on how to migrate a non-nss openswan system to libreswan.
USE_LWRES removed, USE_DNSSEC added
Support for the bind9 lwres DNS interface has been removed. The old ADNS interface is only used for (obsoleted) IKEv1 opportunistic encryption DNS lookups and will also be removed in the near future when replaced with a libevent based async DNS query mechanism based on getdns or libunbound.
USE_DYNAMICDNS always enabled, option removed
When connections rekey, dynamic dns support performs a fresh dns lookup to support IPsec gateways on dynamic IP using DNS names, such as dyndns.org. Libreswan always performs these DNS lookups, so this option was removed.
USE_IPSECPOLICY obsoleted and removed
The policy socket was a method for non-root users to query the pluto daemon for information. This support has been removed. Similar features will be re-implemented using a dbus API.
USE_TAPROOM obsoleted and removed
The taproom code allowed custom mangling of data for fuzzing and regression testing. It was left unused and no longer worked. It was removed. Fuzzing is now done via IKE fuzzer.
USE_IKEPING always built, option removed
The 'ipsec ikeping' command is now always built and installed.
SEND_VENDORID changed to runtime option
Instead of using a global compile time option, libreswan allows one to set sending the vendor id payload on a per connection basis using the new 'send_vendorid=yes' option. The libreswan vendorid changed to 'OEN-<version>' but can be manually set using the global myvendorid= option.
HAVE_STATSD changed to runtime option
The HAVE_STATSD option is now a runtime option statsbin= which can be set in the 'config setup' section of ipsec.conf. Its value should point to a valid executable filename. When the option is not specified, no statsd calls are done.
USE_AGGRESSIVE, USE_XAUTH, USE_NAT_TRAVERSAL, USE_NAT_TRAVERSAL_TRANSPORT_MODE
IKEv1 extensions that were integrated into the IKEv2 specification are always built in libreswan. That means these options have been removed and cannot be disabled at compile time. USE_XAUTHPAM is enabled for all platforms that support pam.
HAVE_THREADS always built, option removed
Thread support is always enabled, as even uclibc has support for it. However, the use of threads has been strongly reduced. Only some of the X509 CRL code and the XAUTH pam code use threads.
FIPSPRODUCTCHECK
FIPS mode detection has been updated to be compliant with new FIPS requirements. The FIPSPRODUCTCHECK= option points to a file whose presence means that libreswan is running on a "FIPS Product". This is separate from the check of whether the kernel was booted in FIPS mode.
USE_MODP_RFC5114 always built, option removed
Support for these Diffie-Hellman groups is always built.
USE_NOCRYPTO
This option was removed but will be re-introduced because sadly people still need it.
USE_EXTRACRYPTO changed
The SHA2 algorithm has moved into the core list of algorithms that are always enabled and the USE_EXTRACRYPTO option now only refers to serpent and twofish. Blowfish support has been removed.
OSTYPE and OSMEDIA
These options are used with the Testing_Harness to specify the OS type (fedora or ubuntu) and the OS network install media. See the kvmsetup.sh file in the main libreswan directory.