Migration from openswan to libreswan

libreswan is a fork of openswan 2.6.38. It has features that are unavailable with openswan, but libreswan itself supports all openswan features.

libreswan is fully backwards compatible with openswan

Configuration changes between libreswan and openswan

Where possible, libreswan recognises old keyword and syntax from openswan. There are a few exceptions where behaviour changed. See the libreswan documentation for the many new features that have been added since forked from openswan.

The key size of the AES_GCM and AES_CCM algorithms no longer include salt/ICV values

So with libreswan, using 256 bit AES_GCM becomes esp=aes_gcm256-null. Libreswan added support for AES_GCM in IKEv2, which is specified as ike=aes_gcm256-sha2 (where sha2 refers to the prf, not the integ/auth algorithm)

Obsoleted /etc/ipsec.d/cacerts and /etc/ipsec.d/crls

These directories are no longer used. Use certutil to import the CAcerts from /etc/ipsec.d/cacerts/ into the NSS database. Use ipsec _import_crl to import CRLs into the NSS database. Both operations can be done at runtime and do not require a restart.

The use of the strict flag ("!") is no longer allowed

Libreswan, when specifing an ike= or phasealg= (esp=) algorithem is always strict. Removal of the "!" character is enough to migrate the connection

Changed defaults for crypto algorithms

IKEv2 has a new default proposal set that added SHA2 and AES_GCM and removed MD5. You might need to update your connections if you update only one of two endpoints using the default IKEv2 proposal list.

Blowish algorithm support has been removed

Blowfish support was removed. Use twofish instead.

Changes to config setup options

A lot of new features have been added to libreswan since it forked from openswan. A few openswan keywords have been obsoleted. When using these obsoleted options, libreswan will log a warning that your obsoleted option is ignored.

Changes in building libreswan versus openswan

Some build options have changed. The following list will explain the changes you need to know to update your custom compile environment, such as your Makefile.inc or Makefile.inc.local file, or via specified environment variables in the pacakge build.

NSS mandatory, USE_LIBNSS removed

Libreswan has removed all old crypto code. It uses the NSS library for all userland cryptographic operations. This was optional with openswan using the USE_LIBNSS compile time option. This option was already set for all RHEL and Fedora builds. The build option USE_LIBNSS has been removed. See Migration_NSS on how to migrate a non-nss openswan system to libreswan.

USE_LWRES removed, USE_DNSSEC added

Support for the bind9 lwres DNS interface has been removed. The old ADNS interface is only used when USE_DNSSEC is explicitely disabled. When DNSSEC is enabled, the libunbound API is used instead. The opportunstic encryption DNS lookups still use the ADNS interface but are in the process of being migrated to libunbound.

USE_DYNAMICDNS always enabled, option removed

When connections rekey, dynamic dns support performs a fresh dns lookup to support IPsec gateways on dynamic IP using DNS names, such as dyndns.org. Libreswan always performs these DNS lookups, so this option was removed.

USE_IPSECPOLICY obsoleted and removed

The policy socket was an method for non-root users to query the pluto daemon for information. This support has been removed. Similar features will be re-implemented using a dbus API.

USE_TAPROOM obsoleted and removed

The taproom code allowed custom mangling of data for fuzzing and regression testing. It was left unused and no longer worked. It was removed. Fuzzing is now done via IKE fuzzer

USE_IKEPING always built, option removed

The 'ipsec ikeping' command is now always built and installed.

SEND_VENDORID changed to runtime option

Instead of using a global compile time option, libreswan allows one to set sending the vendor id payload on a per connection basis using the new 'send_vendorid=yes' option. The libreswan vendorid changed to 'OEN-<version>' but can be manually set using the global myvendorid= option.

HAVE_STATSD changed to runtime option

The HAVE_STATSD option is now a runtime option statsbin= which can be set in the 'config setup' section of ipsec.conf. Its value should point to a valid executable filename. When the option is not specified, no statsd calls are done.

USE_AGGRESSIVE, USE_XAUTH, USE_NAT_TRAVERSAL, USE_NAT_TRAVERSAL_TRANSPORT_MODE

IKEv1 extensions that were integrated into the IKEv2 specification are always built in libreswan. That means these options have been removed and cannot be disabled at compile time. USE_XAUTHPAM is enabled for all platforms that support pam.

HAVE_THREADS always built, option removed

Thread support is always enabled, as even uclibc has support for it. However, the use of threads has been strongly reduced. Only some of the X509 CRL code and the XAUTH pam code use threads. The CRL code dependancy on threads will be removed in the near future.

FIPSPRODUCTCHECK

FIPS mode detection has been updated to be compliant to new FIPS requirements. The FIPSPRODUCTCHECK= option points to a file that when present, it means that libreswan is running on a "FIPS Product". This is separate from the check if the kernel was booted in FIPS mode.

USE_MODP_RFC5114 always built, option removed

Support for these DiffieHellman groups is always built.

USE_NOCRYPTO

This option was removed put will be re-introduced because sadly people still need it.

USE_EXTRACRYPTO changed

The SHA2 algorithm has moved into the core list of algorithms that are always enabled and the USE_EXTRACRYPTO option now only refers to serpent and twofish. Blowfish support has been removed.

OSTYPE and OSMEDIA

These options are used with the Testing_Harness to specify the OS type (fedora or ubuntu) and the OS network install media. See the kvmsetup.sh file in the main libreswan directory.