Known issues with Openswan on a 2.6 kernel ------------------------------------------- The Openswan userland can now use either KLIPS or NETKEY as the kernel level IPsec stack. This is an overview of known issues with Openswan on the 2.6 kernel codebase (also 2.5.x), which includes NETKEY (CONFIG_NET_KEY). * 2.6.18 (but not 2.6.18.1) seems to fail for NETKEY in combination with NAT-Traversal. * 2.6.19 and 2.6.20 cause crashers with NAT-Traversal * pluto[709]: initiate on demand from 172.18.1.37:0 to 172.23.1.5:0 proto=0 state: fos_start because: acquire Netkey does not have %hold operations. It is a serious design bug that KAME also has. It also does not rate limit messages from the kernel to userspace. This means that each packet that wanted to go into a tunnel causes an acquire from the kernel to userspace. Each acquire that the keying daemon gets causes it to initiate a connection. We could rate limit them in some fashion, but we need to be cautious about doing that. Please file a bug with your supplier of your kernel. * The iproute2 (sometimes called iproute) package, as of version 2.6.8, contains XFRM support (ip xfrm), obsoleting the use of the 'setkey' command from the ipsec-tools package. If for some reason you cannot use iproute >= 2.6.8 on your kernel, you can still use the fallback method of using 'setkey' from the ipsec-tools package which is available at: http://ipsec-tools.sourceforge.net/ * 'ip xfrm state' has been reported hanging in uninterruptable sleep, causing Openswan to hang (eg during shutdown) * Openswan-2 ships with support for NETKEY. Many thanks to Herbert Xu for the initial code patches. * setkey doesn't like spaces in PSK's from ipsec.secrets. If you are on a recent distro with 'ip xfrm' support, or using KLIPS, this isn't a problem. * Use the most recent Linux Openswan-2 release from ftp.openswan.org to try our 2.6 kernel support. Currently, this is 2.3.1 * If you wish to use KLIPS on 2.6, you need to build the KLIPS kernel module: make KERNELSRC=/usr/src/linux-2.6.x module minstall On Fedora you can do: make KERNELSRC=/lib/modules/`uname -r`/build module minstall * Preload the ipsec stack you wish to use before starting Openswan. Use 'modprobe af_key' for NETKEY and 'modprobe ipsec' for KLIPS. * To install the userland: make programs install * Please see the dev and users mailing lists for more detail and the latest reports. (http://lists.openswan.org/) DESIGN-RELATED ISSUES * In 2.6, IPsec policies are detached from routing decisions. Because of this design, Opportunistic Encryption on the local LAN will be possible with 2.6. One side effect: When contacting a node on the local LAN which is protected by gateway OE, you will get asymmetrical routing (one way through the gateway, one way direct), and IPsec will drop the return packets. CURRENT ISSUES * There are versioning problems with the current klips module on 2.6.9, kernel: ipsec: no version for "struct_module" found: kernel tainted. * Fedora Core 2/3's gcc and 2.3.0dr4 KLIPS causes crashers and lock ups. * OE with the NETKEY stack is broken. You will notice errors like: pluto[11081]: %hold otherwise handled during DNS lookup for Opportunistic Initiation for 193.110.157.17 to 208.245.212.67 while your command that triggered the OE connection shows: connect: Resource temporarily unavailable * DPD restarts might cause packet loss (see previous item) * There are crashers in xfrm_user in kernels < 2.6.3-rc1. These will happen after the connection goes up and down a few times in quick succession. [ There is currently a bug in the rekeying code that triggers this ] * starting with 2.6.9 NETKEY needs to have xfrm4_tunnel support. You might need to modprobe this on older Openswan versions. * Using SNAT and the 2.6 ipsec code apparently doesn't go well together. Reported by Alexander Samad. Known issue for the netfilter team. DNAT works as usual, meaning you have to exlude DNAT'ing packets meant for a tunnel. Suse currently has some patches that fixes the SNAT issue, but this is untested by us so far. Some patches made it into 2.6.11.7 and 2.6.12-rc3. * For the moment, users wishing to run Openswan with NETKEY will require the ipsec-tools package "setkey" program. Though Openswan's keying daemon, Pluto, directly sets IPsec policy, setkey is currently required to view and reset kernel SPD (Security Policy Database) states when Pluto restarts. We will likely add this basic functionality to an upcoming Openswan release. * State information is not available to the user, eg. ipsec eroute, ipsec spi and ipsec look do not fully work. The exception: ipsec auto --status This will be fixed in a future release. A quickly hacked perl script by Ken Bantoft, can emulate the 'eroute' command behaviour under NETKEY, see: http://www.xtdnet.nl/paul/eroute * If you're running Opportunistic Encryption, connectivity to new hosts will immediately fail. You may receive a message similar to this: connect: Resource temporarily unavailable The reason for this lies in the kernel code. Fairly complex discussion: http://lists.freeswan.org/archives/design/2003-September/msg00073.html As of 2.6.9, this has not been fixed. * This initial connectivity failure has an unintended side effect on DNS queries. This will result in a rekey failure for OE connections; a %pass will be installed for your destination IP before a %pass is re-instituted to your DNS server. As a workaround, please add your DNS servers to /etc/ipsec.d/policies/clear. * Packets on all interfaces are considered for OE, including loopback. If you are running a local nameserver, you'll still need to exempt localhost DNS traffic as per the previous point. Since this traffic has a source of 127.0.0.1/32, the "clear" policy group will not suffice; you'll need to add the following %passthrough conn to ipsec.conf: conn exclude-lo authby=never left=127.0.0.1 leftsubnet=127.0.0.0/8 right=127.0.0.2 rightsubnet=127.0.0.0/8 type=passthrough auto=route OLD ISSUES None, yet. RELATED DOCUMENTS Openswan Install page doc/install.html Openswan Install guide INSTALL Openswan and FreeS/WAN mailing list posts, including: http://lists.freeswan.org/archives/design/2003-September/msg00057.html http://lists.openswan.org/ To sign up for our mailing lists, see http://lists.openswan.org/