Please see docs/KNOWN_BUGS file for more information

v2.4.6
* Fix for VIA Nehemiah to use /dev/hw_random to generate new rsakey
  (using /dev/random on these chips caused it to block too long)
* Various CryptoAPI related fixes.
* Removed support for HIPPI which broke compilation on 2.6.16.*
* Pull up of fix for rightnexthop->leftnexthop
* Added logging when we don't find the right hash bucket
* Changed a few x509 log messages to make automatic parsing easier
* Unload KLIPS at shutdown again to prevent lingering IPs on ipsecX,
  also in case KLIPS is inline, and the ipsecX interfaces do not go away,
  remove IP addresses from IP aliases bound to ipsecX devices.
* Fixed typo in ipsec.conf's virtual_private example
* Improved protocol detection in ipsec_print_ip() [bart]
* Fixed minimum skb lenght requried for ipsec decompression [bart]
  (This is probably bug #609)
* Fix a 64bit bug in compression code [bart]
* Removing a left over '#else' that split another '#if/#endif' block in two 
  in ipsec_xmit.c [bart]
* MODULE_PARM has been obsoleted for module_param on 2.6.17+ [paul]
* skb_linearize API changed in 2.6.18+ [paul]
* bugtracker bugs fixed:
  #452: dpdaction=restart doesn't clear or restart quick mode SAs
  #537: Compilation will fail with kernel 2.6.14 and klips and CONFIG_HIPPI=y
  #636: KLIPS and vanilla-2.6.17 compilation error
  #642: ipsec_xmit.c and CONFIG_KLIPS_DEBUG on 2.4 compile issue
  #647: compile fails with version 2.4.6-rc2 + vanilla kernel linux-2.6.17.6	
  #631: KLIPS module does not build with 2.6.17-rc6 kernel
  #646: NATT + IPCOMP fails on rcv in KLIPS [bart]
        (This is a generic NATT+ESP bug, not just an ipcomp bug)
v2.4.5
* Fix for prefering RFC3947 over OSX-workaround by Jacco de Leeuw
* Fix for openswan as l2tp server behind NAT by Bernd Galonska
* Fix for compiling + working on SMP (including HyperThreaded) machines
* Fix for arp_broken_ops relocation in 2.6.16
* Fix for compiling on 2.6.14 kernels 
* Fix patching against 2.6.15 kernels (NAT-T Patch)
* Fix patching against 2.6.14 kernels
* Fix for strict mode
* Fix for ipsec module unload. Fix by Ankit Desai <ankit@elitecore.com>
* Fix for ipsec: Unknown symbol sysctl_ip_default_ttl
* Fix for AH hash by Ronen Shitrit <rshitrit@marvell.com>
* Additions to barf and verify commands for various kernel internals
* load hw_random and padlock modules before aes module so hardware routines
  are prefered over software routines.
* allow rightsubnet= with type=transport for L2TP behind NAT.
* Refactored natd_lookup / hash code, probably fixes lot of NAT related bugs
* Fix for interop with Cisco devices which propose port 0 (eg: VPN3000)
* When DPD rcookie is invalid, just warn instead of ignoring entirely
* Redid all the DPD log messages
* Fix for manual.in to not use a complicated sed line that some embedded
  sed versions (busybox?) cannot handle.
* Fix for NAT-T detection when Openswan is the initiator
  #401 l2tp connection is not work with 2.6 build in IPSEC
  #442 Pluto uses wrong port in NAT-D calculation
  #450 macosx (possible generic PSK+NAT-T rekey bug: eroute already in use.
  #454 klips module refcount bug (found by Matthias Haas)
       (prevented klips from unloading on 2.4 kernels)
  #462 updated patch for Openswan and OS X with NAT-T
  #509 KLIPS compilation fail with kernel-2.6.14.2 
  #518 Incorrect physical interface MTU detection
  #521 KLIPS module crash for kernel 2.6.12+
  #545 unnecessary warnings from _updown script, remove weird control character.
  #558 two machines using incompatible ike= settings still establish a
       connection. (fix by Matthias Haas <mh@pompase.net>)
  #560 Pluto crash (memory leak fixes in pluto by Ilia Sotnikov)
  #563 Error when unload ipsec.ko module "rmmod ipsec" [dupl bug]
  #568 uninitialized struct in ipsec_tunnel.c coud break routing under 2.6
       kernels
  #569 ipsec module unload crasher
  #573 Openswan fails to compile with NAT_TRAVERSAL=false
  #574 Openswan fails to compile with NAT_TRAVERSAL=false #2
  #581 _Updown script installs direct (scope link) routes even for remote
       peers/subnets
  #589 userspace with USE_EXTRACRYPTO won't compile without kernel sourcecode


v2.4.4
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state) 
  (see http://www.openswan.org/niscc2/)
  (proper fix in pluto_constants.h)
* Fix for kernels having strstr
* Various gcc4 warning fixes
* disable CONFIG_IPSEC_NAT_TRAVERSAL per default so we can build KLIPS on
  Fedora systems.
* questionable spin_unlock commented out. Might fix reported SMP crashers.
* update to permit alg code without module support
* Fix for detecting proper kernel source/header directory on fedora
* Various bugfixes as reported on http://bugs.openswan.org/
  #499: check for module support in kernel for IPsec Modular Extensions
  #500: recent awk breaks on 'setdefault' command


v2.4.3
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state) 
  (see http://www.openswan.org/niscc2/)
  (incorrect fixed. version not released)

v2.4.2
* Fixes for compiling on 2.6.14 by David McCullough
* Minor fixes to accomodate FC4 2.6.11 kernels.
* Fix for compilation of KLIPS on 2.4.x kernels.
* Fix for NAT-T on 2.4.31
* Fix for 'short' packets with KLIPS on 2.4.x
* Merged in Jacco's l2tp configuration examples
* Various bugfixes as reported on http://bugs.openswan.org/
  #286 Incorrect links in intro.html
  #344 netkey-acquire patch
  #376 install_ipsec_sa and install_inbound_ipsec_sa
  #486 ASSERTION FAILED at crypto.c:258: key_size==(DES_CBC_BLOCK_SIZE * 3)
  (see http://www.openswan.org/niscc2/)

v2.4.1
* Not publically released

v2.4.0
* NAT-T support for KLIPS on 2.6 (Sponsored by Astaro)
* Additional Cipher support with KLIPS on 2.6 (Sponsored by Astaro)
* Fix for NAT-T/PSK rekey (Ulrich @ Astaro)
* Delete _updown.c and _updown.posix versions as they were obsolete
* Fixes for aggressive mode and policy mode
* Various bugfixes as reported on http://bugs.openswan.org/
  #201 pluto not accepting negotiations on port 500 after port floating to 4500
  #249 two default routes confuses scripts
  #261 2 RW's w/DPD behind a NAT kick each other off at rekey time
  #267 pluto crashes on inbound X.509 roadwarrior 
  #269 informational crasher in demux.c
  #301 kernel_netkey.c lists invalid ESP algorithm
  #302 pluto assumes it has 3DES
  #305 passert_fail (pred_str=0x80b88e3 "st->st_suspended_md->st == st", file_str=0x80b86a0 "state.c"
  #306 st->st_suspended_md->st == st passert()
  #316 Patch for ALG support from Astaro
  #324 Impossible to disable AGGRESSIVE mode
  #327 pluto nat-t detection on 2.6 without klips nat-t patch fails to
       disable nat-t
  #328 ipsec setup fxies for awk compiled with --enable-switch
  #341 Pluto crashes with: ipsec__plutorun: !pluto failure!: exited with error
       status 134 (signal 6)
  #342 fix for 2.6.12 undocumented API fixes for sk_zapped and sk_alloc()
       (based on fix from Sergeil.
  #350 fix for passert() at connections.c:1353: isanyaddr(&c->spd.that.host_addr)
  #355 dpdaction restart fix from Astaro
  #357 secure_xauth_username_str fix from Astaro
  #360 checkv199install creates bogus "old" files
  #361/#363 fix for passert() demux.c:1204: unknown address family in
       anyaddr/unspecaddr
  #368 Fix for ipsec --setup --status output and eroute counting
  #372 Netkey and device labels (eth#:#)
  #373 _updown_x509 still uses obsolete 'route add' commands
  #377 pluto crashes processing first connection if nhelpers=0
  #380 pluto crashes when sent an IKEPING
  #381 assertion failure in init_demux if AGGRESSIVE not defined
  #383 MODP >= 4096 FIX
  #386 undefined symbols compiling klips as module
  #387 / #420 pfkey_ops undefined error on SMP kernel compiles.
              possibly fixed, but may result in SMP unsafe-ness.
  #342 KLIPS cannot be compiled for 2.6.12+
  #415 RPM packaging errors for 2.4 based kernels
  #416 Need a way to tell if NAT-T is compiled in the IPSec kernel

v2.3.1
* NAT-T RFC support (mlafon/mcr)
* NAT-T Server Side rewrite - handles rekeying alot better
* NAT-T Client Side rekey bug fixed
* Removed HowTo (obselete)
* IPKG packaging updates
* Log message updates
* dpdaction=restart support

v2.3.0
* KLIPS for 2.6 support (Experimental)
  [ good results on FC3-AMD and vanilla/debian kernel source, but not
    FC3-intel. Might be the grsecurity patch  ]
* Aggressive Mode Support (client and server)
* IKE Mode Config support (Experimental)
* Cisco VPN 3xxx client Interop (Experimental)
* Cryptographic helpers framework
* Fixes for NAT-T on 2.4.28+ kernels.
* Fix for SIOCDEVPRIVATE use (aka the snmpd crasher)

v2.2.0
* Added RFC 3706 DPD support (see README.DPD)
* Added AES from JuanJo's ALG patches
* Fixes for /proc filesystem issues that started to appear in 2.4.25

v2.1.2
* Fix loading of 2.6 modules
* Fix for snprintfs() in /proc, new for 2.4.25 kernels (dhr/pw)
* Fix checks for some log files/dirs in case they are sockets or pipes (pw)
* Fix for crl.pem crash/core (dhr/as/kb)

v2.1.1
* Fix _pluto_adns installation path (kb)
* Fix sending of X.509 CR's when no CA present (mcr)

v2.1.0
* NAT-T support (Mathieu Lafon - Arkoon)
* X.509 fixes (Andreas Steffan)
* New configuration file directive, {left|right}sourceip=#.#.#.#
  This will set the source address when talking to a particular
  connection.  This is very usefull to assign a static IP to your laptop
  while travelling.  This is based on Tuomo Soini's Advanced Routing
  patch.

RCSID $Id: CHANGES,v 1.326.2.72 2006/07/30 02:15:49 paul Exp $
