Bug 55788 - gentoo-sources contains superfreeswan which is not compatible with openswan
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: x86-kernel@gentoo.org (DEPRECATED)
Reported: 2004-07-01 06:13 UTC by marlon
Modified: 2004-07-09 07:28 UTC
Description marlon 2004-07-01 06:13:20 UTC
I noticed that the latest gentoo-sources kernel (gentoo-sources-2.4.26-r3) is
still shipped with the 04-01.superFreeSWAN-1.99.8.patch.

I wanted to upgrade to openswan after the latest exploits in freeswan ([
GLSA 200406-20 ] FreeS/WAN, Openswan, strongSwan: Vulnerabilities in
certificate handling), so I downloaded the gentoo-sources and patched the
kernel with all patches by hand without the freeswan patch.

Next I patched the kernel for NAT-T support with make nattpatch | (cd
/usr/src/linux && patch -p1) and did make KERNELSRC=/usr/src/linux module &&
make KERNELSRC=/usr/src/linux minstall in the openswan sources dir which
provides a new openswan compatible ipsec.o module.

So in my opinion the 04-01.superFreeSWAN-1.99.8.patch should be removed from
the gentoo-sources and replaced with the NAT-T patch if we are forced to use
openswan instead of freeswan.

Reproducible: Always
Steps to Reproduce:
Comment 1 Tim Yamin (RETIRED) gentoo-dev 2004-07-01 11:15:45 UTC
If you could provide a patch for this, I'd be happy to include this in.
Comment 2 Jay Pfeifer (RETIRED) gentoo-dev 2004-07-01 11:46:26 UTC
Tim,

I already made one for hardened-sources.
http://dev.gentoo.org/~pfeifer/kernel/openswan-2.1.4-kern+natt.patch.gz
It seems to be just fine against the latest gentoo-sources once you exclude/remove the sfs patch.

Have a good one,

Jay
Comment 3 Jay Pfeifer (RETIRED) gentoo-dev 2004-07-01 11:51:23 UTC
Tim,

Once you get this in, I can migrate all the freeswan users over as well and remove freeswan from portage completely, as we will only be supporting openswan & strongswan. The kernel patches should support either (open/strongswan-2.x.x only).

Thanks,

Jay
Comment 4 Thomas Bullinger 2004-07-03 16:13:16 UTC
I would love for the kernel maintainer to either get rid of the freeswan patch altogether (from the gentoo-sources) and offer it as a separate package (similar to e1000), or replace it by the corresponding patch for openswan/strongswan. I now have a small number of production servers that are VPN concentrators which I cannot update - and I really don't like that situation.
Comment 6 Tim Yamin (RETIRED) gentoo-dev 2004-07-04 02:03:50 UTC
We can't exactly offer it as a separate package for 2.4 since the OpenS/WAN and FreeS/WAN ebuilds require 2.4 series kernels to have support built into them - if you don't need the patch just do: "UNIPATCH_EXCLUDE='04-01.superFreeSWAN-1.99.8.patch 04-02.cryptoloop-jari-2.4.22.0.patch' emerge gentoo-sources" and that should exclude that patch.
Comment 7 Jay Pfeifer (RETIRED) gentoo-dev 2004-07-09 07:28:38 UTC
gentoo-sources-2.4.26-r4 is now in the tree. It has patches which match openswan-2.1.4. Please use openswan or strongswan with gentoo-sources-2.4.26-r4 or a recent 2.6 kernel. Freeswan and superfreeswan are now removed from the tree and all users are migrated to openswan.

Closing.