openswan-2.6.32-27.2.0.1.AXS4

Errata ID: AXSA:2014-035:01

Release date: Tuesday, March 18, 2014 - 19:26
Subject: openswan-2.6.32-27.2.0.1.AXS4
Affected Channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: High
Description: 

Openswan is a free implementation of IPsec & IKE for Linux. IPsec (Internet Protocol Security) uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network or VPN.

This package contains the daemons and userland tools for setting up Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the default Linux kernel.

Openswan 2.6.x also supports IKEv2 (RFC4306).

Security issues fixed with this release:

• CVE-2013-6466
Openswan 2.6.39 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads.

Fixed bugs:

• Previously, when the signature of a Certificate Revocation List started with a zero, the verification failed. This has been fixed.

• Fixed the order of the load_crls() and load_authcerts_from_nss() functions in the plutomain.c file so that the IPsec daemon (pluto) no longer fails during startup and loads the CRLs successfully.

• It is now possible to establish an IKE tunnel when the "xauth" option is enabled and the "leftmodecfgclient" option is disabled in the /etc/ipsec.conf file. This previously did not work and has been fixed.

• Previously, Openswan could not establish an L2TP connection with devices using NAT-Traversal. This has been fixed and support for passing traffic selectors to an XFRM IPsec stack for transport mode is now complete.

• Openswan can now use SHA2 algorithms in FIPS mode.

Enhancements:

• Added support for Internet Key Exchange (IKE) fragmentation.

• Added support for the Internet Key Exchange version 1 (IKEv1) INITIAL-CONTACT IPsec message, as per RFC2407 Section 4.6.3.3.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. openswan-2.6.32-27.2.0.1.AXS4.src.rpm
    MD5: fdcc0095f96f2900ff0396cae4d9671c
    SHA-256: 0280a1d9d381a5b067d11ca42d598c39628267830a40fa1c30edb4d50393e708
    Size: 11.27 MB

Asianux Server 4 for x86
  1. openswan-2.6.32-27.2.0.1.AXS4.i686.rpm
    MD5: 8e27d2f3f8b343767680d6390f0866f8
    SHA-256: bc9196eff40383263dfec54819034d416d10dbd7e2ee073a2c984e6e2bf80a62
    Size: 883.61 kB

Asianux Server 4 for x86_64
  1. openswan-2.6.32-27.2.0.1.AXS4.x86_64.rpm
    MD5: 57efb660ab6442c9954dbc54072fd391
    SHA-256: 0fc7094a176b93759894086ead4b7ac9831366a46c258910e2e7f80bb67cc11e
    Size: 897.42 kB