<meta http-equiv="Content-Type" content="text/html">
<title>Introduction to FreeS/WAN</title>
<meta name="keywords" content="Linux, IPsec, VPN, security, encryption, cryptography, FreeS/WAN, FreeSWAN">
Written by Claudia Schmeing for the Linux FreeS/WAN project
Freely distributable under the GNU General Public License
More information at www.freeswan.org
Feedback to users@lists.freeswan.org
RCS ID: $Id: upgrading.html,v 1.1 2004/03/15 20:35:24 as Exp $
Last changed: $Date: 2004/03/15 20:35:24 $
Revision number: $Revision: 1.1 $
CVS revision numbers do not correspond to FreeS/WAN release numbers.
<A NAME="upgrading"></A><h1>Upgrading to FreeS/WAN 2.x</h1>
<H2>New! Built-in Opportunistic connections</H2>
<P>Out of the box, FreeS/WAN 2.x will attempt to encrypt all your IP traffic.
It will try to establish IPsec connections for:</P>
<UL>
<LI>IP traffic from the Linux box on which you have installed FreeS/WAN, and</LI>
<LI>outbound IP traffic routed through that Linux box (e.g. from a protected subnet).</LI>
</UL>
<P>FreeS/WAN 2.x uses <STRONG>hidden, automatically enabled <VAR>ipsec.conf</VAR> connections</STRONG> to do this.</P>
<P>This behaviour is part of our campaign to get Opportunistic
Encryption (OE) widespread in the Linux world, so that any two Linux boxes can
encrypt to one another without prearrangement.
There's one catch, however: you must <A HREF="quickstart.html#quickstart">set
up a few DNS records</A> to distribute RSA public keys and (if applicable) IPsec gateway
<P>If you start FreeS/WAN before you have set up these DNS
records, your connectivity will be slow, and
messages relating to the built-in connections will clutter your logs.
If you are unable to set up DNS for OE, you will wish to
<A HREF="policygroups.html#disable_policygroups">disable the hidden connections</A>.</P>
<A NAME="upgrading.flagday"></A>
<H3>Upgrading Opportunistic Encryption to 2.01 (or later)</H3>
<P>As of FreeS/WAN 2.01, Opportunistic Encryption (OE)
uses DNS TXT resource records (RRs) only (rather than TXT with KEY).
This change causes a "flag day".
Users of FreeS/WAN 2.00 (or earlier) OE who are upgrading may
need to post additional resource records.
<A HREF="glossary.html#initiate-only">initiate-only OE</A>,
you <em>must</em> put up a TXT record in any forward domain as per our
<A HREF="quickstart.html#opp.client">quickstart instructions</A>. This
replaces your old forward KEY.
If you are running full OE, you require no updates. You already have
the needed TXT record in the reverse domain.
However, to facilitate future features, you
may also wish to publish that TXT record in a forward domain as
instructed <A HREF="quickstart.html#opp.incoming">here</A>.
<P>If you are running OE on a gateway (and encrypting on behalf of subnetted
boxes) you require no updates.
You already have the required TXT record in your gateway's reverse map,
and the TXT records for any subnetted boxes require no updating.
However, to facilitate future features, you may wish to publish your gateway's
TXT record in a forward domain as shown
<A HREF="quickstart.html#opp.incoming">here</A>.</P>
During the transition, you may wish to leave any old KEY records up for
some time. They will provide limited backward compatibility.
detail on that compatibility, see <A HREF="oe.known-issues">Known Issues with</A>
<H2>New! Policy Groups</H2>
<P>We want to make it easy for you to declare security policy as it
applies to IPsec connections.</P>
<P>Policy Groups make it simple to say:</P>
<UL>
<LI>These are the folks I want to talk to in the clear.</LI>
<LI>These spammers' domains -- I don't want to talk to them at all.</LI>
<LI>To talk to the finance department, I must use IPsec.</LI>
<LI>For any other communication, try to encrypt, but it's okay if we can't.</LI>
</UL>
<P>FreeS/WAN then implements these policies, creating OE connections
You can use Policy Groups along with connections you explicitly
define in ipsec.conf.</P>
<P>For more information, see our
<A HREF="policygroups.html">Policy Group HOWTO</A>.</P>
<H2>New! Packetdefault Connection</H2>
<P>FreeS/WAN 2.x ships with the <STRONG>automatically enabled, hidden
connection</STRONG> <VAR>packetdefault</VAR>. This configures
a FreeS/WAN box as an OE gateway for any hosts located
behind it. As mentioned above, you must configure some
<A HREF="quickstart.html">DNS records</A> for
<P>As the name implies, this connection functions as a default. If you
have more specific connections, such as policy groups which configure
your FreeS/WAN box as an OE gateway for a local subnet, these
will apply before <VAR>packetdefault</VAR>. You can view
<VAR>packetdefault</VAR>'s specifics in
<A HREF="manpage.d/ipsec.conf.5.html">man ipsec.conf</A>.</P>
<H2>FreeS/WAN now disables Reverse Path Filtering</H2>
<P>FreeS/WAN often doesn't work with reverse path filtering. At
start time, FreeS/WAN now turns rp_filter off, and logs a warning.</P>
<P>FreeS/WAN does not turn it back on again.
You can do this yourself with a command like:</P>
<PRE> echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter</PRE>
<P>For eth0, substitute the interface which FreeS/WAN was affecting.</P>
<A NAME="ipsec.conf_v2"></A><H2>Revised <VAR>ipsec.conf</VAR></H2>
<H3>No promise of compatibility</H3>
<P>The FreeS/WAN team promised config-file compatibility throughout
the 1.x series. That means a 1.5 config file can be directly imported into
a fresh 1.99 install with no problems.</P>
<P>With FreeS/WAN 2.x, we've given ourselves permission to make the config
file easier to use. The cost: some FreeS/WAN 1.x configurations will not
work properly. Many of the new features are, however, backward compatible.</P>
<H3>Most <VAR>ipsec.conf</VAR> files will work fine</H3>
<P>... so long as you paste this line, <STRONG>with no preceding</STRONG>
at the top of your config file:
<PRE> version 2</PRE>
<H3>Backward compatibility patch</H3>
<P>If the new defaults bite you, use
<A HREF="ipsec.conf.2_to_1">this <VAR>ipsec.conf</VAR> fragment</A> to simulate the old default values.</P>
We've obsoleted various directives which almost no one was using:
<P>For most of these, there is some other way to elicit the desired behaviour.
See
<A HREF=
"http://lists.freeswan.org/pipermail/design/2002-August/003243.html">
We've made some settings, which almost everyone was using, defaults.
<PRE> interfaces=%defaultroute</PRE>
<P>We've also changed some default values to help with OE and Policy Groups:</P>
<PRE> authby=rsasig ## not secret!!!
leftrsasigkey=%dnsondemand ## looks up missing keys in DNS when needed.
rightrsasigkey=%dnsondemand
</PRE>
Of course, you can still override any defaults by explicitly declaring something
else in your connection.
<A HREF="http://lists.freeswan.org/pipermail/design/2002-August/003243.html">A post with a list of many ipsec.conf changes.</A><BR>
<A HREF="manpage.d/ipsec.conf.5.html">Current ipsec.conf manual.</A>
<A NAME="upgrading.rpms"></A><H3>Upgrading from 1.x RPMs to 2.x RPMs</H3>
<P>Note: When upgrading from 1-series to 2-series RPMs,
<VAR>rpm -U</VAR> will not work.</P>
<P>You must instead erase the 1.x RPMs, then install the 2.x set:</P>
<PRE> rpm -e freeswan</PRE>
<PRE> rpm -e freeswan-module</PRE>
<P>On erasing, your old <VAR>ipsec.conf</VAR> should be moved to
<VAR>ipsec.conf.rpmsave</VAR>.
Keep this. You will probably want to copy your existing connections to the
end of your new 2.x file.</P>
<P>Install the RPMs suitable for your kernel version, such as:</P>
<PRE> rpm -ivh freeswan-module-2.04_2.4.20_20.9-0.i386.rpm</PRE>
<PRE> rpm -ivh freeswan-userland-2.04_2.4.20_20.9-0.i386.rpm</PRE>
<P>Or, to splice the files:</P>
<PRE> cat /etc/ipsec.conf /etc/ipsec.conf.rpmsave > /etc/ipsec.conf.tmp
mv /etc/ipsec.conf.tmp /etc/ipsec.conf
</PRE>
<P>Then, remove the redundant <VAR>conn %default</VAR> and
<VAR>config setup</VAR>
sections. Unless you have done any special configuring here, you'll likely
want to remove the 1.x versions. Remove <VAR>conn OEself</VAR>, if
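<P>After splicing, the leftovers this section tells you to clean up are easy to miss by eye: a <VAR>version 2</VAR> line that is not first or not in column 0, a second <VAR>config setup</VAR> or <VAR>conn %default</VAR>, a stale <VAR>conn OEself</VAR>, and 1.x connections that never set <VAR>authby</VAR> and now silently inherit <VAR>authby=rsasig</VAR>. The checker below is an added example, not FreeS/WAN project code; the sample config it parses is constructed.</P>

```python
# Constructed sample of a spliced /etc/ipsec.conf (new 2.x file followed by the 1.x rpmsave copy)
SAMPLE_CONF = """\
version 2
config setup
    interfaces=%defaultroute
conn %default
# ---- old 1.x fragment appended from ipsec.conf.rpmsave ----
config setup
conn %default
conn OEself
    left=%defaultroute
conn office
    left=192.0.2.1
    right=198.51.100.1
"""

def parse_sections(text):
    """Return (version_ok, sections); each section is (kind, name, {key: value})."""
    version_ok, sections, first = False, [], True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                       # column 0: 'version', 'config', 'conn'
            words = line.split()
            if words[0] == "version":                  # must be the first meaningful line
                version_ok = first and words[1:] == ["2"]
            elif words[0] in ("config", "conn") and len(words) == 2:
                sections.append((words[0], words[1], {}))
        elif sections and "=" in line:                 # indented: a setting of the open section
            key, value = line.strip().split("=", 1)
            sections[-1][2][key.strip()] = value.strip()
        first = False
    return version_ok, sections

def check_upgrade(text):
    """Report the leftovers this page says to fix after splicing; [] means none found."""
    version_ok, sections = parse_sections(text)
    findings = [] if version_ok else ["'version 2' must be the first line, starting in column 0"]
    default_authby = any(k == "conn" and n == "%default" and "authby" in s for k, n, s in sections)
    seen = set()
    for kind, name, settings in sections:
        if (kind, name) in seen and name in ("setup", "%default"):
            findings.append(f"duplicate '{kind} {name}': remove the 1.x copy")
        seen.add((kind, name))
        if kind == "conn" and name == "OEself":
            findings.append("'conn OEself' is a 1.x OE connection: remove it")
        elif kind == "conn" and name != "%default" and not ("authby" in settings or default_authby):
            findings.append(f"conn '{name}' now inherits authby=rsasig (1.x default was secret)")
    return findings
```

Point <VAR>check_upgrade</VAR> at the contents of the spliced file; an empty list means the file has none of the problems listed above, anything else is a line to fix before starting FreeS/WAN.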