HOWTO: openswan to libreswan migration: Difference between revisions
Paul Wouters (talk | contribs) (add migration page) |
Paul Wouters (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
= Migration from openswan to libreswan = | |||
libreswan is a fork of openswan 2.6.38. It has features that are unavailable with openswan, but libreswan itself supports all openswan features. | libreswan is a fork of openswan 2.6.38. It has features that are unavailable with openswan, but libreswan itself supports all openswan features. | ||
| Line 6: | Line 6: | ||
{{ ambox | nocat=true | type=important | text = libreswan is fully backwards compatible with openswan }} | {{ ambox | nocat=true | type=important | text = libreswan is fully backwards compatible with openswan }} | ||
== Changes in building libreswan versus openswan == | |||
Some build options have changed. The following list will explain the changes you need to know to update your custom compile environment, such as your Makefile.inc or Makefile.inc.local file, or via specified environment variables in the pacakge build. | Some build options have changed. The following list will explain the changes you need to know to update your custom compile environment, such as your Makefile.inc or Makefile.inc.local file, or via specified environment variables in the pacakge build. | ||
=== NSS mandatory, USE_LIBNSS removed === | |||
Libreswan has removed all old crypto code. It uses the NSS library for all userland cryptographic operations. This was optional with openswan using the USE_LIBNSS compile time option. This option was already set for all RHEL and Fedora builds. The build option USE_LIBNSS has been removed. See [[Migration_NSS]] on how to migrate a non-nss openswan system to libreswan. | Libreswan has removed all old crypto code. It uses the NSS library for all userland cryptographic operations. This was optional with openswan using the USE_LIBNSS compile time option. This option was already set for all RHEL and Fedora builds. The build option USE_LIBNSS has been removed. See [[Migration_NSS]] on how to migrate a non-nss openswan system to libreswan. | ||
=== USE_LWRES removed, USE_DNSSEC added === | |||
Support for the bind9 lwres DNS interface has been removed. The old ADNS interface is only used when USE_DNSSEC is explicitely disabled. When DNSSEC is enabled, the libunbound API is used instead. The opportunstic encryption DNS lookups still use the ADNS interface but are in the process of being migrated to libunbound. | Support for the bind9 lwres DNS interface has been removed. The old ADNS interface is only used when USE_DNSSEC is explicitely disabled. When DNSSEC is enabled, the libunbound API is used instead. The opportunstic encryption DNS lookups still use the ADNS interface but are in the process of being migrated to libunbound. | ||
=== USE_DYNAMICDNS always enabled, option removed === | |||
When connections rekey, dynamic dns support performs a fresh dns lookup to support IPsec gateways on dynamic IP using DNS names, such as dyndns.org. Libreswan always performs these DNS lookups, so this option was removed. | When connections rekey, dynamic dns support performs a fresh dns lookup to support IPsec gateways on dynamic IP using DNS names, such as dyndns.org. Libreswan always performs these DNS lookups, so this option was removed. | ||
=== USE_IPSECPOLICY obsoleted and removed === | |||
The policy socket was an method for non-root users to query the pluto daemon for information. This support has been removed. Similar features will be re-implemented using a dbus API. | The policy socket was an method for non-root users to query the pluto daemon for information. This support has been removed. Similar features will be re-implemented using a dbus API. | ||
=== USE_TAPROOM obsoleted and removed === | |||
The taproom code allowed custom mangling of data for fuzzing and regression testing. It was left unused and no longer worked. It was removed. Fuzzing is now done via [[IKE fuzzer]] | The taproom code allowed custom mangling of data for fuzzing and regression testing. It was left unused and no longer worked. It was removed. Fuzzing is now done via [[IKE fuzzer]] | ||
=== USE_IKEPING always built, option removed === | |||
The 'ipsec ikeping' command is now always built and installed. | The 'ipsec ikeping' command is now always built and installed. | ||
=== SEND_VENDORID changed to runtime option === | |||
Instead of using a global compile time option, libreswan allows one to set sending the vendor id payload on a per connection basis using the new 'send_vendorid=yes' option. The libreswan vendorid changed to 'OEN-<version>' but can be manually set using the global myvendorid= option. | Instead of using a global compile time option, libreswan allows one to set sending the vendor id payload on a per connection basis using the new 'send_vendorid=yes' option. The libreswan vendorid changed to 'OEN-<version>' but can be manually set using the global myvendorid= option. | ||
=== HAVE_STATSD changed to runtime option === | |||
The HAVE_STATSD option is now a runtime option statsbin= which can be set in the 'config setup' section of ipsec.conf. Its value should point to a valid executable filename. When the option is not specified, no statsd calls are done. | The HAVE_STATSD option is now a runtime option statsbin= which can be set in the 'config setup' section of ipsec.conf. Its value should point to a valid executable filename. When the option is not specified, no statsd calls are done. | ||
=== USE_AGGRESSIVE, USE_XAUTH, USE_NAT_TRAVERSAL, USE_NAT_TRAVERSAL_TRANSPORT_MODE === | |||
IKEv1 extensions that were integrated into the IKEv2 specification are always built in libreswan. That means these options have been removed and cannot be disabled at compile time. USE_XAUTHPAM is enabled for all platforms that support pam. | IKEv1 extensions that were integrated into the IKEv2 specification are always built in libreswan. That means these options have been removed and cannot be disabled at compile time. USE_XAUTHPAM is enabled for all platforms that support pam. | ||
=== HAVE_THREADS always built, option removed === | |||
Thread support is always enabled, as even uclibc has support for it. However, the use of threads has been strongly reduced. Only some of the X509 CRL code and the XAUTH pam code use threads. The CRL code dependancy on threads will be removed in the near future. | Thread support is always enabled, as even uclibc has support for it. However, the use of threads has been strongly reduced. Only some of the X509 CRL code and the XAUTH pam code use threads. The CRL code dependancy on threads will be removed in the near future. | ||
=== FIPSPRODUCTCHECK === | |||
FIPS mode detection has been updated to be compliant to new FIPS requirements. The FIPSPRODUCTCHECK= option points to a file that when present, it means that libreswan is running on a "FIPS Product". This is separate from the check if the kernel was booted in FIPS mode. | FIPS mode detection has been updated to be compliant to new FIPS requirements. The FIPSPRODUCTCHECK= option points to a file that when present, it means that libreswan is running on a "FIPS Product". This is separate from the check if the kernel was booted in FIPS mode. | ||
=== USE_MODP_RFC5114 always built, option removed === | |||
Support for these DiffieHellman groups is always built. | Support for these DiffieHellman groups is always built. | ||
=== USE_NOCRYPTO === | |||
This option was removed put will be re-introduced because sadly people still need it. | This option was removed put will be re-introduced because sadly people still need it. | ||
=== USE_EXTRACRYPTO changed === | |||
The SHA2 algorithm has moved into the core list of algorithms that are always enabled and the USE_EXTRACRYPTO option now only refers to serpent and twofish. Blowfish support has been removed. | The SHA2 algorithm has moved into the core list of algorithms that are always enabled and the USE_EXTRACRYPTO option now only refers to serpent and twofish. Blowfish support has been removed. | ||
=== OSTYPE and OSMEDIA === | |||
These options are used with the [[Testing_Harness]] to specify the OS type (fedora or ubuntu) and the OS network install media. See the kvmsetup.sh file in the main libreswan directory. | These options are used with the [[Testing_Harness]] to specify the OS type (fedora or ubuntu) and the OS network install media. See the kvmsetup.sh file in the main libreswan directory. | ||
=== Changes to config setup options === | |||
A lot of new features have been added to libreswan since it forked from openswan. A few openswan keywords have been obsoleted. When using these obsoleted options, libreswan will log a warning that your obsoleted option is ignored. | A lot of new features have been added to libreswan since it forked from openswan. A few openswan keywords have been obsoleted. When using these obsoleted options, libreswan will log a warning that your obsoleted option is ignored. | ||
Revision as of 19:05, 16 September 2015
Migration from openswan to libreswan
libreswan is a fork of openswan 2.6.38. It has features that are unavailable with openswan, but libreswan itself supports all openswan features.
 | libreswan is fully backwards compatible with openswan |
Changes in building libreswan versus openswan
Some build options have changed. The following list will explain the changes you need to know to update your custom compile environment, such as your Makefile.inc or Makefile.inc.local file, or via specified environment variables in the pacakge build.
NSS mandatory, USE_LIBNSS removed
Libreswan has removed all old crypto code. It uses the NSS library for all userland cryptographic operations. This was optional with openswan using the USE_LIBNSS compile time option. This option was already set for all RHEL and Fedora builds. The build option USE_LIBNSS has been removed. See Migration_NSS on how to migrate a non-nss openswan system to libreswan.
USE_LWRES removed, USE_DNSSEC added
Support for the bind9 lwres DNS interface has been removed. The old ADNS interface is only used when USE_DNSSEC is explicitely disabled. When DNSSEC is enabled, the libunbound API is used instead. The opportunstic encryption DNS lookups still use the ADNS interface but are in the process of being migrated to libunbound.
USE_DYNAMICDNS always enabled, option removed
When connections rekey, dynamic dns support performs a fresh dns lookup to support IPsec gateways on dynamic IP using DNS names, such as dyndns.org. Libreswan always performs these DNS lookups, so this option was removed.
USE_IPSECPOLICY obsoleted and removed
The policy socket was an method for non-root users to query the pluto daemon for information. This support has been removed. Similar features will be re-implemented using a dbus API.
USE_TAPROOM obsoleted and removed
The taproom code allowed custom mangling of data for fuzzing and regression testing. It was left unused and no longer worked. It was removed. Fuzzing is now done via IKE fuzzer
USE_IKEPING always built, option removed
The 'ipsec ikeping' command is now always built and installed.
SEND_VENDORID changed to runtime option
Instead of using a global compile time option, libreswan allows one to set sending the vendor id payload on a per connection basis using the new 'send_vendorid=yes' option. The libreswan vendorid changed to 'OEN-<version>' but can be manually set using the global myvendorid= option.
HAVE_STATSD changed to runtime option
The HAVE_STATSD option is now a runtime option statsbin= which can be set in the 'config setup' section of ipsec.conf. Its value should point to a valid executable filename. When the option is not specified, no statsd calls are done.
USE_AGGRESSIVE, USE_XAUTH, USE_NAT_TRAVERSAL, USE_NAT_TRAVERSAL_TRANSPORT_MODE
IKEv1 extensions that were integrated into the IKEv2 specification are always built in libreswan. That means these options have been removed and cannot be disabled at compile time. USE_XAUTHPAM is enabled for all platforms that support pam.
HAVE_THREADS always built, option removed
Thread support is always enabled, as even uclibc has support for it. However, the use of threads has been strongly reduced. Only some of the X509 CRL code and the XAUTH pam code use threads. The CRL code dependancy on threads will be removed in the near future.
FIPSPRODUCTCHECK
FIPS mode detection has been updated to be compliant to new FIPS requirements. The FIPSPRODUCTCHECK= option points to a file that when present, it means that libreswan is running on a "FIPS Product". This is separate from the check if the kernel was booted in FIPS mode.
USE_MODP_RFC5114 always built, option removed
Support for these DiffieHellman groups is always built.
USE_NOCRYPTO
This option was removed put will be re-introduced because sadly people still need it.
USE_EXTRACRYPTO changed
The SHA2 algorithm has moved into the core list of algorithms that are always enabled and the USE_EXTRACRYPTO option now only refers to serpent and twofish. Blowfish support has been removed.
OSTYPE and OSMEDIA
These options are used with the Testing_Harness to specify the OS type (fedora or ubuntu) and the OS network install media. See the kvmsetup.sh file in the main libreswan directory.
Changes to config setup options
A lot of new features have been added to libreswan since it forked from openswan. A few openswan keywords have been obsoleted. When using these obsoleted options, libreswan will log a warning that your obsoleted option is ignored.