Red Hat Bugzilla – Bug 447419
openswan ships with OE enabled by accident
Last modified: 2009-01-23 11:02:58 EST
Description of problem:
openswan 2.6.09-2.fc9 ships with Opportunistic Encryption (OE) enabled while
using the netkey (xfrm) stack. This is causing connection failures.
Add oe=off to the section "config setup" in /etc/ipsec.conf
note that in openswan-2.4.x the oe= option did not exist, and OE was disabled by
note: openswan-2.6.9 has broken IKEv2 code. It is incompatible with other IKEv2
daemons and with openswan-2.6.12+. Please use 2.6.13 (or 2.6.14 when available).
patch4 also breaks dynamic clients using left=%defaultroute. Please remove that.
- I see that oe=off is still not enabled in the ipsec.conf :(
- There is no virtual_private= defined, so it won't work as client behind NAT
- Many fixes between 2.6.14 - 2.6.18, should really update the entire package. See CHANGES
- openswan-2.6-intwarning.patch breaks certain setups and should really NOT be applied to the package anymore.
- why not Buildrequires: xmlto so we can build up to date man pages from xml?
openswan-2.6-noxmlto.patch should go away IMHO
I just checked openswan-2.6.18-1.fc10
- openswan-2.6.16-initscript-correction.patch will cause breaking with NFS mounts via IPsec. (obviously /usr is a problem, but others don't have to be)
- oe=off should still be added
- virtual_private= with RFC1918 space should still be added (see man ipsec.conf)
- openswan-2.6-intwarning.patch is still an urgent problem
- Why compile with USE_LWRES=false ? It would be better to BuildRequire: bind-devel. We haven't been testing with USE_LWRES=false for about a year now, as it is the obsolete resolving method (we need lwres for non-blocking dns helper threads and for DNSSEC)
- License: GPLv2+
That's wrong. The license is v2, not v2+.
It is also partially BSD license for some crypto code.
- rm -rf programs/readwriteconf
Why is that done? readwriteconf is only used when running 'make check'?
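The two settings requested in the comments above (oe=off and a virtual_private= covering RFC1918 space), written out as an added example "config setup" section; this is not configuration taken from the bug report or the Fedora package, and the excluded 192.168.1.0/24 LAN is an assumed example subnet.

```ini
# /etc/ipsec.conf (added example, not from the bug report or the package)
config setup
    # openswan 2.6.x on the in-kernel netkey (xfrm) stack
    protostack=netkey
    # Opportunistic Encryption stays off unless a site deliberately sets it up;
    # with it on, unsolicited OE attempts cause the connection failures reported above.
    oe=off
    # RFC1918 space a remote client behind NAT may be sitting in.
    # Any private range used on this gateway's own LAN (here the assumed
    # 192.168.1.0/24) must be excluded with a leading '!' so that local
    # traffic is not captured by a road-warrior's virtual address.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
```

Run `ipsec verify` after editing to confirm the configuration parses and the netkey stack is in use.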
original bug is closed, the rest is just chatter that does not really matter anymore.