The current version of Linux FreeS/WAN is 2.06,
Recent Project News:
The FreeS/WAN team is proud to announce the arrival of 2.06, the project's
final release of its freely redistributable IPsec for Linux. Here are a few
of its notable features, as documented in the CHANGES file:
- KLIPS has been ported to Linux 2.6; please see the INSTALL file for
- FreeS/WAN's kernel configuration option, CONFIG_IPSEC, has been changed
to CONFIG_KLIPS, due to a name conflict with 2.6 IPsec. This breaks "make
oldgo" on any kernel version, unless a corresponding change is made by hand
to the kernel's .config file.
- KLIPS modules generated for 2.4 kernels via "make module" are now created
in the modobj subdirectory, instead of linux/net/ipsec. The "make minstall"
target has been updated, but users accustomed to a manual install take
- KLIPS now permits DNS packets out on UDP and TCP port 53.
- All support for transport mode has been removed.
This release also fixes a buffer overrun, so users of past
releases may wish to upgrade:
- KLIPS code has been updated to avoid buffer overruns during generation of
/proc file contents.
As usual, you can grab this release via ftp from xs4all.nl:
... and binaries for RedHat/Fedora Core users here:
Although this is the final full release, if bugfixes warrant it, patches will
be posted here.
The team would like to thank our sponsors, past team members,
and all the contributors and users of past FreeS/WAN releases. Thanks to
all for your hard work and community support.
Lastly, for current FreeS/WAN users who are wondering
"where do I go from here?", take note of two projects, both forks of the
FreeS/WAN is no longer in active development. Although
we've created a solid IPsec implementation widely used to construct
Virtual Private Networks, the
project's major goal, ubiquitous Opportunistic Encryption,
is unlikely to be reached given its current level of community support.
For the full story, please see this announcement.
We plan a final (2.06) development release shortly, with bugfix releases to
follow as needed. Our community at lists.freeswan.org will continue to provide
a forum where users can support one another, and our Web site will remain
We expect that FreeS/WAN and its derivatives will be actively used for
some time to come.
The FreeS/WAN team has shipped release 2.05, our first release with AH
(Authentication Header) removed!
As part of our continuing efforts to create a lightweight, robust
Opportunistic Encryption (OE) product, (and inspired by Schneier and
Ferguson's critique of IPsec), we've removed AH from FreeS/WAN. For more
information, see this page.
Still in the "experimental support stage" is lwdnsq (lightweight DNS queue),
a mini resolver designed to provide resilient, authenticated DNS lookups to
facilitate OE. lwdnsq now supports DNSsec.
FreeS/WAN now by default generates RSA keys of random length for
authentication. If variable key lengths are widely deployed, FreeS/WAN
will not provide a "sweet spot" key length where crackers could easily focus
their efforts. A generic attack on FreeS/WAN might then require a more diverse
and thorough approach. For more, see this
Please see our CHANGES file for more detail.
The mailing lists are running again. For the users' list, we've had to revert
to an October 8 backup. If you find yourself inadvertently subscribed
again, or want to be effortlessly resubscribed, send mail to
sam at freeswan dot org.
The FreeS/WAN mailing lists (lists.freeswan.org) have been down since
Thursday, due to hard disk failure. We are recovering the data and expect
to have the lists running again soon.
2.04 is a bugfix release, important for users of FreeS/WAN 2.03
with 2.6 kernel native IPsec. It is not relevant to users of
FreeS/WAN's KLIPS code on a regular 2.4 series kernel.
FreeS/WAN 2.03 with 2.6 kernel IPsec is vulnerable to a
class of exploits based on properties
of that kernel's Netlink code, itself still in development. For example,
Netlink can receive input from a userspace process and pass it along to
another process which relies on Netlink, such as FreeS/WAN's Pluto keying
daemon. A local user might use this method to send malicious messages to Pluto.
Our 2.04 release contains bugfixes hardening Pluto against this
class of attack. All users of FreeS/WAN 2.03 on 2.6 series
kernels are encouraged to upgrade.
For this release, we have created RPMs suitable for use on Fedora Core 1.
They are available via the usual download methods.
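To make the Netlink trust problem described above concrete, here is an added example; it is not FreeS/WAN or Pluto code, and it is not a description of the actual 2.04 fix, which this page does not detail. It shows the two checks a daemon reading a netlink socket should make: accept a datagram only if its source address says the kernel sent it (nl_pid == 0; any other nl_pid is another userspace socket, which is the path a local user could use to hand forged messages to the daemon), and validate every header length with NLMSG_OK before reading it. The sample datagram, the pid 4242 and the function names are constructed for the example.

```c
/* Added example, not FreeS/WAN code: two checks for a daemon that reads a
 * netlink socket.  (1) Trust a datagram only if its source is the kernel,
 * i.e. nl_pid == 0; any other nl_pid is another userspace socket.
 * (2) Validate every header length with NLMSG_OK before reading it, so a
 * forged or truncated nlmsg_len cannot walk the parser past the buffer.
 * Linux only: cc -Wall -o netlink_guard netlink_guard.c */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* 1 if the datagram came from the kernel; 0 if it came from another process
 * or the address is missing/truncated and therefore cannot be trusted. */
int netlink_from_kernel(const struct sockaddr_nl *from, socklen_t fromlen)
{
    if (from == NULL || fromlen < sizeof(*from))
        return 0;
    if (from->nl_family != AF_NETLINK)
        return 0;
    return from->nl_pid == 0;
}

/* Count the messages in a received datagram of `len` bytes.  Returns -1 as
 * soon as a header claims a length that does not fit, so the caller drops the
 * whole datagram rather than acting on a partially parsed one. */
int netlink_count_msgs(const void *buf, int len)
{
    const struct nlmsghdr *nlh = buf;
    int count = 0;

    while (len > 0) {
        if (!NLMSG_OK(nlh, len))
            return -1;
        count++;
        if (nlh->nlmsg_type == NLMSG_DONE)
            break;
        nlh = NLMSG_NEXT(nlh, len);
    }
    return count;
}

/* Receive one datagram with both checks applied.  Returns the message count,
 * 0 if the datagram was dropped because the kernel did not send it, or -1 on
 * a socket error or a malformed/oversized datagram (errno = EBADMSG). */
int netlink_recv_checked(int fd, void *buf, int buflen)
{
    struct sockaddr_nl from;
    socklen_t fromlen = sizeof(from);
    ssize_t n = recvfrom(fd, buf, buflen, MSG_TRUNC,
                         (struct sockaddr *)&from, &fromlen);

    if (n < 0)
        return -1;
    if (n > buflen) {                 /* MSG_TRUNC reports the real length */
        errno = EBADMSG;
        return -1;
    }
    if (!netlink_from_kernel(&from, fromlen))
        return 0;                     /* userspace origin: drop (and log) */
    n = netlink_count_msgs(buf, (int)n);
    if (n < 0)
        errno = EBADMSG;
    return (int)n;
}

/* Constructed sample (needs a 40-byte, 4-byte-aligned buffer): two RTM_NEWLINK
 * headers with 4 payload bytes each.  `second_len` is written into the second
 * header so a caller can forge it.  Returns the datagram length. */
int sample_datagram(unsigned char *buf, unsigned second_len)
{
    struct nlmsghdr *h1 = (struct nlmsghdr *)buf;
    struct nlmsghdr *h2 = (struct nlmsghdr *)(buf + NLMSG_ALIGN(NLMSG_LENGTH(4)));

    memset(buf, 0, 2 * NLMSG_ALIGN(NLMSG_LENGTH(4)));
    h1->nlmsg_len = NLMSG_LENGTH(4);
    h1->nlmsg_type = RTM_NEWLINK;
    h2->nlmsg_len = second_len;
    h2->nlmsg_type = RTM_NEWLINK;
    return 2 * NLMSG_ALIGN(NLMSG_LENGTH(4));
}

int main(void)
{
    unsigned int words[16];                  /* 4-byte aligned scratch buffer */
    unsigned char *buf = (unsigned char *)words;
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    struct sockaddr_nl user = { .nl_family = AF_NETLINK, .nl_pid = 4242 };
    int len;

    printf("from kernel: %d, from pid 4242: %d\n",
           netlink_from_kernel(&kern, sizeof(kern)),
           netlink_from_kernel(&user, sizeof(user)));
    len = sample_datagram(buf, NLMSG_LENGTH(4));
    printf("well-formed datagram: %d message(s)\n", netlink_count_msgs(buf, len));
    len = sample_datagram(buf, 100);         /* forged length overruns buffer */
    printf("forged length field: %d\n", netlink_count_msgs(buf, len));
    return 0;
}
```

The origin check only works when the daemon actually asks for the source address (recvfrom or recvmsg with a sockaddr_nl), which is why netlink_recv_checked does not use plain recv(). Kernel multicast notifications to a bound group also arrive with nl_pid 0, so the check does not lose them. Dropping the whole datagram on the first bad length, instead of processing the messages before it, avoids acting on a partially attacker-controlled sequence.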
Linux FreeS/WAN 2.03 is out! It features preliminary support for 2.6 kernels,
either via KLIPS or the native 2.6 kernel IPsec.
new 2.6.known-issues document for more details. 2.03 also ships
with an iproute2 based _updown script. Several bugfixes are included, notably
a fix for SHA1 packet reception.
For more information, see our CHANGES and BUGS documents.
The Linux FreeS/WAN team is pleased to announce release 2.02.
This release offers several new conveniences, including:
- one-line configuration for initiator-only Opportunistic Encryption,
(OE) using ipsec.conf's new myid option. See our
to get set up for OE.
- a new RPM (Redhat Package Manager) spec file.
This will help folks who need to compile RPMs from FreeS/WAN source.
In addition, wavesec and
OE now coexist nicely.
As always, more details are in CHANGES and BUGS.
FreeS/WAN 2.01 has shipped and is available as both source and
binary RPMs. This is an important release for anyone using
Opportunistic Encryption (OE) as there is a small but serious change
to the OE protocol. For now the protocol is backwards compatible, but
we strongly suggest upgrading to 2.01 to everyone (OE and VPN users
To see what's different and just to get using OE as quickly as
possible review our "Quickstart
Guide" while downloading.