CHANGES

Note that listings are in chronological order of release times, not in order
of version numbers, so you will find 2.5.x and 2.6.x releases intersperced.

See also docs/KNOWN_BUGS.txt and http://www.openswan.org/

v2.6.39 (May 31, 2013)
* Hardening patches from Florian Weimer
* Created .in files for distro packages [Patrick]
* Target deb builds for Precise instead of Lucid [Simon]
* Enable hardened builds by default [Simon]
* Bring 'ipsec policy' back form the dead [Simon]
* Drop the builddep on htmldoc and man2html as those are not needed anymore [Simon]
* CVE-2013-2053 fix: Integrated fix from Andreas Steffan
* Refactor x509dn to seperate out atodn from other functions [MCR]
* Fixed regression test to be 64-bit and IPv6 aware [MCR]
* Patches for kernel 3.9 and changes to work with Linux 3.9 [MCR]
* Nighly builds fixes and whitespace fixes [MCR]
* Fix for three AES-GCM issues with key lengths 128, 192, 256 bits and IV
  of 8, 12, 16 bytes as per RFC 4106 [Avesh]
* SAREF: kernel patches updated to linux 3.2.0 [Simon]
* Refresh debian/control files to point to the right git URL [Simon]
* KLIPS: startklips-ip_route patch [Harald]
* MAST: updown.mast-scriptfix patch [Harald]
* Refresh debian/po from Debian [Simon]
* Fixed ipsec verify to avoid perl and use python instead. It helps during minimum install so that openswan does not have to pull perl packages, and it keeps minimal install really minimum. Also Removed compilation of ipsec policy subprogram as it is not needed with NETKEY. [Paul]
* NATT: rhbz #834400 NAT-OA reserved field issue. [Avesh]
* rhbz #834396 Coverity scan fixes, warnings, dead code. [Avesh] 
* rhbz #785180 openswan uses ifconfig which is deprecated. [Avesh]
* barf: ipsec barf should not grep sparse file. [Paul]
* XAUTH: Phase15 as xauth and modecfg is called in openswan is not handled properly when only xauth (without modecfg) is used. [Avesh]
* Interop: Fixes to interop issues (related to updating/removing local interface with remote ip address and removing local routes) between cisco ASA and openswan. [Avesh]
* XAUTH: Fixes to interop issues between cisco ASA and openswan in main mode.  These fixes prevents xauth/modecfg negotiation during IKE rekey in main mode. [Avesh]
* rhbz #831676 [Avesh]
* IKE: ikev1 aes-gcm esp fixes [Avesh]
* IKE: ikev1/ikev2 sha2-256 related changes [Avesh]
* rhbz#609343: pluto crashes when removing logical interface [Avesh]
* Reading password from a file when creating keys. [Avesh]
* IKEv2: IKEv2 RFC4306/5996 related changes [Avesh]
* Interop: Fixes to solve interop issues between cisco ASA and openswan in aggressive mode.[Avesh]
* Fix for the issue where ipsec help shows the list twice (rhbz 524146, 509318) [Avesh]
* relpath changes [Avesh]
* Bugtracker bugs fixed:
   #1308 forceencaps= setting does now show up in "ipsec auto --status"
         [Matt Rogers]
   #1329 IKEv2 core dumps on 2.6.32 with changes backported from the 2.6.38
         tree [Steve Lanser]
   #1349 pluto logging no subjectAltName matches ID '%fromcert', replaced
         by subject DN [Tuomo]
   #1371 SAref patches 3.2.0 [Simon]
* Fix url to bugs system. [Tuomo]

v2.6.38 (March 23, 2012)
* DPD: seq_no logged after hton() call [Shinichi Furuso]
* DPD: With multiple phase 2 SAs, we sent too many [Shinichi Furuso]
  R_U_THERE's
* barf: iptables-save on suse is in /usr/sbin, not /sbin [Paul/Shinichi]
* SUSE: Package compliant with Kernel Module Package Manual [Shinichi Furuso]
* verify: fix false positive on IP forwarding (perl dependant) [Steve Delaney]
* IKEv2: Introduced new keyword narrowing=yes|no [Paul]
* IKEv2: Send TS_UNACCEPTABLE when narrowing would violate local policy [Paul]
* IKEv2: Fix for multiple SAs to the same peer with different ports [Avesh]
* IKEv2: IKE-SA_INIT with INVALID_KE_PAYLOAD Notify Payload should
         continue [Avesh]
* IKEv2: incorrecty sent PAYLOAD_MALFORMED on unknown minor version [Avesh]
* IKEv2 should ignore unknown RESERVED bits in payload [Avesh]
* IKEv2: Implement sending higher IKEv2 major and minor versions [Paul]
* IKEv2: Delete SA states added to state machine [Avesh]
* IKEv2: Informational Exchange added [Avesh]
* hostpair: initial_connection_sent was never set to not FALSE [Avesh]
* Crypto: handle leading zeroes in DH keys [Avesh]
* Add PLUTO_IS_PEER_CISCO= to updown scripts [Avesh]
* XFRM: update userland copies of xfrm.h netlink.h rtnetlink.h [Paul/Avesh]
* SHA2 fix when pluto is compiled without USE_EXTRACRYPTO [Paul/Tuomo]
* SHA2: Fix for Linux kernel using bad sha2_256 truncation (96 instead of 128)
  (to get the old behaviour for interop, specify sha2_truncbug=yes) [Paul]
* Fix two format string buglets [Moritz Muehlenhoff]
* XAUTH: Support unbound as local resolver in remote_peer_type=cisco [Paul]
* NATT: Fix iphone/iOS by removing outdated OSX NAT-T workarounds [Paul]
* SAREF: kernel patches updated to linux 3.0.0 [Jonathon Padfield]
* SAREF: fix all patch versions to use new numbers for SAREF [Paul]
* Fix various compiler warnings in lib, pluto and ikeping [dhr]
* Various ESP_* and AH_* fixes/updates from IANA [Paul]
* Fix authalg in esp_info to be u_int16_t, not u_int8_t [Paul]
* Debian: Various debiacn packaging fixes [Simon]
* KLIPS: Fix crasher on returning -ENODEV from ppp devices [David]
* XAUTH: Support dynamic config update for unbound DNSSEC resolver [Paul/Tuomo]
* Remove non-iproute2 version of _updown.klips and its USE_IPROUTE2 [Paul]
* Bugracker bugs fixed:
   #1263 /usr/lib/ipsec/_startnetkey selects wrong default gateway if there
         are multiple [Petr Tichy]
   #1314 update the updateresolvconf routines to be able to reconfigure
         locally running unbound [Paul]
   #1322 get rid of unused bucketno argument in state_hash [Paul]
   #1326 0001-SAREF patch not compiling on 3.0.0 [Jonathon Padfield]

v2.6.37 (October 28th, 2011)
* Fix for CVE-2011-4073 crypto helper crash [Paul/dhr]
* KLIPS: Fixes to run on Linux 3.1 [David McCullough / Greg Ungerer]
* KLIPS: Fix sending icmpv6 packets in an ipv6 ipsec tunnel [David McCullough]
* Fix for ike_alg_get_encrypter() possibly returning NULL [Steve Grubb]
  (this is rhbz#747852)
* Bugtracker bugs fixed:
   #1241 vhost allows connections with subnets proposed and ignores
         virtual_privat [Wolfgang Nothdurft]

v2.6.36 (October 5th, 2011)
* CVE-2011-3380 Openswan IKE invalid key length fix [Paul/Hugh]
* auto: Add --checkpubkeys option for checking expiry of X.509 certs
        [Mika Ilmaranta]
* Update building (with SAref) on SLES10 / SLES11 / Opensuse [Shinichi Furuso]
* KLIPS: backported 2.6.19 CryptoAPI for SuSe kernels [Shinichi Furuso]
* KLIPS: ipsecdevices index overflow [Shinichi Furuso]
* KLIPS: cleanup off by one interface,prevented module unload [Shinichi Furuso]
* tncfg called incorrectly for adding more ipsecX interfaces [Shinichi Furuso]
* KLIPS: ipsec_sa_getbyid() did not work properly on IPv6 [Shinichi Furuso]
* NAT-T: Fix delete for port floating case [Shinichi Furuso]
* IKEv2: We always sent the openswan VID instead of using #ifdef [Avesh/Paul]
* IKEv2: ikev2_get_dcookie used SHA1Update() with pointer size [Avesh]
* TESTING: Added some more consistent logging in prerunsetup() [Paul]
* pcr_init() should memset the request helper size, not pointer size [Avesh]
* Prevent deferencing ctx->trans_cur in db_trans_add() [Avesh/Paul]
* XAUTH: whack_get_value() never decremeanted "tries" [Avesh]
* Fix closing fd in lib/libopenswan/oswconf.c [Avesh]
* rsasigkey: configdir is always set in the NSS #ifdef part [Avesh]
* examples: clarify hub-spoke netkey design [Tuomo]
* NAT-T: Fixed logging for broken NAT-T keepalives [Tobias Brunner]
* Use iptables-save instead of iptables -L if possible (rhbz#737973) [Avesh]
* ipsec verify: New kernels use nf_conntrack instead of ip_conntrack [Avesh]
* LDAP/CRL needs liblber (rhbz#737975 [Avesh]
* SAREF: kernel patch added for Linux 2.6.36 and 2.6.38 [Paul]
* SAREF: Remap IP_IPSEC_REFINFO/BINDREF from 22/23 to 30/31 [Sony Japan]
* Disable USE_IPSECPOLICY per default, was only proof of concept code [Paul]
  (local user could cause pluto to stop responding if /var/run is a tmpfs
   mount and /var/run/pluto was manually deleted, Found by Sony Japan)
* Bugtracker bugs fixed:
   #1270 malloc is being used which does not use alloc_bytes/pfree [Paul]

v2.6.35 (July 23, 2011)
* OCF: Fix accidental 'always' setting of large resources [Sony Japan]
* OCF: Give a hard #error in ipsec_ocf.h without proper CONFIG_KLIPS_OCF [Paul]
* OCF: Only include ipsec_ocf.h when using CONFIG_KLIPS_OCF
* MAST: Add ipsec_xmit_sanity_check_dev() in the mast path [Paul]
* MAST: Be more careful about {mast,ipsec}priv structure [Bart]
* MAST: Fix host-host connections, bug introduced in v2.6.34 [David]
* SAREF: Fix crasher in ipsec.ko unload with saref kernel [Sony Japan]
* SAREF: ip_cmsg_recv_ipsec_refinfo() doesn't initialize refs array [Sony Japan]
* SAREF: Added null check of secpath_dup(NULL) [Sony Japan]
* KLIPS: Fix possible double skb free [Sony Japan]
* KLIPS: Fix MTU on interface - bug introduced in 2.6.33 [Wolfgang Nothdurft]
* KLIPS: debug messages often had pre-refactor names in prefix [Paul]
* DPD: Do not ignore failure in dpd_init() but return STF_FAIL [Paul]
* pluto: Fix IPcomp pull-up from 2.4 introduced in 2.6.20 [Paul]
         (malloc <-> pfree caused assertion with LEAK_DETECTIVE set)
* pluto: st_peeridentity_port missed ntohs() causing interop
         failure between big/little-endian machines [Magnus Öberg]
* pluto: Fix for Tuomo's (rare) crasher where globals were not reset [dhr]

v2.6.34 (June 8, 2011))
* Fix build without USE_EXTRACRYPTO introduced in 2.6.33 [Tuomo]
* Fix new leftmtu= option to pass correctly to _updown [Mattias Walstrom]
* Add Apple iOS work-around to l2tp example configs [Tuomo]
* KLIPS: Support to compile on Linux 2.6.38 and 2.6.39 [David]
* KLIPS: Make sin_family setting in delflow the same as addflow [David]
* KLIPS: IPv6 and SLES10 compile fixes [Sony Japan]
* KLIPS: IPv6 outbound policy check used wrong index [Sony Japan]
* KLIPS: Enable CryptoAPI per default [Paul]
* KLIPS: Module unload fixes [David]
* KLIPS: Routing cache corruption due to ip_select_ident [David]
* KLIPS: Only fixup the ethernet header it might be on [David]
* KLIPS: Fix for ixs->skb->dev is null at the top of ipsec_xmit_send [David]
* MAST: refcount bug in transport mode prevented ipsec.ko unload [Sony Japan]
* MAST: Don't autopick mast [David]
* NETKEY: Fix AH mode [Avesh]
  - rh #704548
* DYNDNS: using hostnames could lead to loss of ports in SA [Avesh]
  - rh #703473
* Many uml testing harness fixes and updates, mostly IPv6 related [Paul/Hugh]
* "ipsec look" now shows NETKEY/XFRM and IPv6 routing table [Paul]
* "ipsec look" now shows iptables NEW_IPSEC_CONN mangle table [Paul]
* "ipsec look" and "ipsec barf" now shows ip6tables like iptables [Paul]
* Fix inbound policy --addin, and added --replacein [David]
* KLIPS: Fix family check when policies are not set [David]
* MAST: Fix family check when policies are not set [Sony Japan]
* Improve build speed (don't recalculate build version all the time [David]
* XAUTH: Fix rekey with Cisco when remote_peer_type=cisco [Avesh]
* Openswan (IKEv2/IKEv1) icmp issue (redhat bz 681974) [Avesh]
* IKEv2: port range was hardcoded to 0-65535, not local policy [Avesh]
* MAST: Fix oops on module unload [David]
* Improve build speed, calculate version once [David]
* Import OpenWRT packaging updates [Simon]
* contrib: added openswan patch for 2.4.37.9 [Yannick Koehler]
* KLIPS: Fix for compiling on 2.6.22 (Fedora Core 6 based) kernels [Paul]
* KLIPS IPV6: Fix packet fragmentation [Paul]
* Added PLUTO_CONN_ADDRFAMILY= to updown.* (to disable SAref on v6) [Paul]
* KLIPS: cleanup packaging/*/config-* files [Paul]
* Fix a bunch of gcc unused-but-set-variable warnings [Paul]
* Fix some WERROR warnings [mcr]
* Various file descriptor leaks and mimor memleaks [Avesh/dhr]
* Removed reference to http://www.freeswan.org from ipsec --help [Tuomo]
* Bugtracker bugs fixed:
   #1233 WARNING: at net/ipv4/af_inet.c:151 inet_sock_destruct on stop [David]

v2.6.33 (February 18, 2011)
* Merge in the klips-ipv6 branch [David]
* modprobe more crypto modules on startup (gcm, camelia, sha2* etc) [Paul]
* Added %v4:26/8 to virtual_private ("thanks" to T-Mobile/Rogers/FIDO) [Paul]
* Pluto did not start nhelpers due to --nofork, bug introduced in 2.6.32 [Paul]
* OCF: Set the OCF queues to 10000 when 256MB+ RAM and 1000+ bogomips [Paul]
* Improved NetworkManager support [Avesh]
  - This is Red Hat bugzilla 642722, 658253, 659709 and 641068
* ipsec verify now also shows parse errors in ipsec.conf [Paul]
* Always build SHA2 family support for IKE [Paul]
* KLIPS: Add a new option to override the replay window via /sys [David]
  (echo 0 > /sys/module/ipsec/parameters/ipsec_replaywin_override)
* Add aesni_intel to the list of crypto modules we attempt to load [Paul]
* enable dumpdir= in stock ipsec.conf for use with abrtd [Paul]
* New per-conn keyword mtu= allows setting the mtu per tunnel [Paul]
* per-conn keyword metric= did not export to userland or updown [Paul/Tuomo]
* Cleaned up and moved some old docs [Paul]
* KLIPS: arp_broken_ops is no longer exported in 2.6.37+ [Paul]
* KLIPS: Fix crasher in ipsec_xmit_state_delete [David]
* KLIPS: Fix oops if packet is received on detached tunnel [David]
* Bugtracker bugs fixed:
   # 601 KLIPS: NAT-OA UDP checksum bad in transport mode when both sides are
         NATted [Wolfgang]
   # 645 hundreds of replacements [...]: 000 #3: pending Phase 2 [Anthony Tong]
   #1182 Verification of X509 certificate signed by SHA2 [fryasu@yahoo.co.jp]
   #1183 Fix documentation typo (in ipsec.conf) [Tuomo]
   #1190 nat-t broke on transport mode for klips between 2.6.31 and 2.6.32
         [Paul]
   #1199 when leftsubnet has a different netmask than the localnet, a route
         is added for the localnet to the ipsec device [Tuomo]
   #1201 dpd + ddns does not work [Mattias Walström]
   #1204 Workaround for iPhone/MacOS X NAT problem [Wolfgang Nothdurft]
   #1210 Failes to compile with uClibc >= 0.9.29 [mb@openwrt]

v2.6.32 (December 17, 2010)
* Remove by default forced -DLEAK_DETECTIVE [Tuomo]
* Makefile.inc now uses USE_LEAK_DETECTIVE?=false [Paul]
* NOMMU: Add -DCOMPILER_HAS_NO_PRINTF_LIKE to support arm-elf-gcc [Paul]
* NOMMU: If pluto is started with --nofork, then also disable nhelpers [Paul]
* NOMMU: Added HAVE_NO_FORK?= option to Makefile.inc (default false) [Paul]
* INTEROP: Ignore IKEv1 notification type 40001 (Netscreen private use)
    [Andreas/Daniel]
* IKEv2: Fix crash on receiving retransmited STATE_PARENT_I2 on bad AUTH [Paul]
* IKEv2: Check for USE_TRANSPORT_MODE in all received notification payloads,
    not just the first notify payload. This is Red Hat bugzilla 646718 [Avesh]
* MAST: The mastX interface no longer gets/needs an IP address [Paul]
* MAST: avoid routes towards virtual ipsecN interface [Bart/Roel]
* Support for Isomorphic Algorithms and Identity Disks [Olivia Wilde]
* SAREF: set sareftrack=yes as the default policy [Paul]
* Fix printf format arguments [Simon]
* Added ipsec addconn --checkconfig and initscript support [Harald]
* Fix for:  either "local" is duplicate, or "secondary" is garbage [Simon]
* KLIPS: Better interface handling in _startklips [Paul]
* fix interface parsing in getinterfaceinfo() [Bart/Roel]
* KLIPS: Support more then 9 ipsec/mast interfaces in parser [Simon]
* OCF: Change some hardcoded variables to module paramters [David]
  -ipsec_ocf_batch(1): Make OCF queue packets rather than process immediately
  -ipsec_ocf_cbimm(1): Does OCF immediately (ie., at irq time) run callbacks
                   or queue and call later"
  -ipsec_ixs_cache_allocated_max(1000):
* OCF: Fix up usage of crp_olen as returned from ocf [David]
* OCF: Order algs correctly for processing when mixing AUTH/CIPHER algs [David]
* OCF: Update to OCF for SMP systems to allow using multiple CPU's [David]
* OCF: Added /proc/net/ipsec/ocf to indicate if we support OCF or not [Paul]
* OCF: move netif_wake_queue inside the lock in ipsec_xmit_state_delete [David]
* OCF: OCF: Attempt to load OCF kernel HW module on startup [Paul]
* SMP/OCF: Fix up queue stop/start on SMP systems [David]
* OCF: Fix OCF deadlock (do not call schedule with a lock) [David]
* Fix bad memory read with full debugging enabled (pbs_room vs pbs_left) [Dhr]
* Fix bad memory read with -lefence in osw_alias_cmp() [Dhr]
* Fix for STF_INLINE case in quick_inI1_outR1_cryptocontinue1() [Dhr]
* KLIPS: make kpatch is more robust, less manual patching [Paul]
* UML: Various minor fixes to get uml system back online [Paul]
* SPEC: Add "development" define in spec file to build devel version [Tuomo]
* RSA: Fix generation of ipsec.secrets when missing on first startup [Paul]
* DPD: DPD_ACTION_RESTART would always execute DPD_ACTION_RESTART_BY_PEER [dhr]
* DPD: DPD_ACTION_CLEAR crash on CK_INSTANCE with -lefence [Tuomo]
* DPD: flush_pending_by_connection() when doing a %clear on DPD timeout [dhr]
* NAT: Put old/new style chatter into DBG_NATT [Paul]
* NETKEY: Reduce bogus noise about Old/New NAT-T support [Paul]
* Bugtracker bugs fixed:
   #1095 Local packets are dropped on ipsec device when marking packets in
         OUTPUT chain [Wolfgang Nothdurft]
   #1160 init.d script not reporting correct exit status on config parse
         error [James Mead]
   #1162 IKEv2 transport mode interop with racoon [PATCH] [Avesh]
   #1170 pluto option --impair-shared-phase1 causes segfaults on --down'ing
         a connection

v2.6.31 (October 18, 2010)
* Fix for OCSP compile of commit 934ce6c9443832c [Paul]

v2.6.30 (October 18, 2010)
* Fix for: ASSERTION FAILED at connections.c:1579: c->kind == CK_TEMPLATE
   [Paul]
* Add --listen/listen= option to limit listening to a single IP [Paul]
* sa_policy_bit_names was missing ModeConfig DNS and WINS bit names [Paul]
* SAREF: Add sareftrack=<no|yes|conntrack> connection option [Paul]
* Fix for "handling event EVENT_RETRANSMIT for <invalid>" [Paul]
* Fix for specifying protport=47 (GRE has no ports) [Paul]
* IKEv2: Don't fill traffic selector struct in IKEv2 child SA when not recv'd
   [Paul]
* MODULES: Add geode-aes to the list of crypto modules to load [Paul]
* Don't install ipsec init script as /etc/init.d/setup [David]
* Don't create rc.? symlinks - let user use chkconfig etc instead [Paul]
* Bugtracker bugs fixed:
   # 252/619 more than 20 payloads in message; ignored [paul]
   # 690 ipsec lwdnsq --help not implemented
   # 860 Port --random for newhostkey [Paul]
   #1005 Incorrect message "R_U_THERE_ACK has unexpected sequence number"
         [Mike]
   #1040 Fix to compile without DEBUG [Paul]
   #1054 Startup warning: "ignored obsolete keyword (null)" [Michael Smith]
   #1112 Prototypes only, if function enabled in c-source with KLIPS or
         PFKEY [Henry N.]
   #1115 Fix various warnings u_char * vs. char * for sscanf,... [Henry N.]
   #1149 pluto uses empty NAT_OA as IDci, Server behind NAT and non natted
         Windows XP [Wolfgang Nothdurft]
   #1151 The ipsec module is not removed by 'ipsec setup stop' [Paul]

v2.6.29 (September 27, 2010)
! This release is made for CVE-2010-3302 and CVE-2010-3308
! Duplicate CVE's issues for these are CVE-2010-3752 and CVE-2010-3753
* XAUTH: Avoid buffer overflow in CISCO DNS info [dhr/paul]
         Avoid shell problems with single quotes CISCO DNS paramters [dhr/paul]
  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3302
* XAUTH: Avoid buffer overflow in CISCO BANNER [dhr/paul]
         Avoid shell problems with single quotes in CISCO paramters [dhr/paul]
  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3308
* NETKEY: Fix for spurious %hold netlink-acquires [Paul/dhr]
* KLIPS: Fix compiling on 2.6.18 based RHEL5 kernels [Paul]
* Various fixes based on automated source code review [dhr]
* SAREF: Updated for 2.6.35 kernel [Harald]
* KLIPS: Updated for 2.6.35 kernel [Harald]
* PACKAGING Use Epoch 1: for Debian/Ubuntu [Simon]
* MAST: fix iptables rule "leak" on rekey [Bart]
* MAST: use only the most recent iptables rule [Bart]
* pluto: restrict rekeymargin to be smaller than salifetime [Bart]
* MAST: ensure we don't end up with mtu=0 on mast0 [Bart/Paul]
* MAST: enforce outgoing tunnel policy [Bart]
* MAST: use addflow pfkey command to set policy on tunnel SAs [Bart]
* Added a new pfkey flag, POLICYONLY, to the ADDFLOW command [Bart]
* MAST: allow for setting of policy for inbound SAs [Bart]
* MAST: favour deleting an SA even if the pfkey op failed [Bart]
* HAVESTATSD: Log new phase2 messages as a result of a rekey [Paul]
* MAST: use iptables --comment to show the conn name [Bart]
* VNET: differentiate instantiation of road warriors and vnet [Paul]
* Log LEAK_DETECTIVE and HAVE_LIBNSS support on startup [Paul]
* IKEv2 connections were broken since 2.6.25 [Avesh]
* MAST: new "ipsec policy" command replaces "ipsec eroute" [Bart]
* Fix SElinux warning in realsetup (bz628879) [Avesh]
* Support for SHA2_256 in IKEv2 (bz621790) [Avesh]
* IKEv2: Fix for using MD5 and PRF conversion function [Avesh]
* SAREF: Improved workaround for rp_filter [Bart]
* NSS: Increase minimum nss for rhbz#453577 [Paul]
  (this allows us to revert workaround in git 6c8ff2791d1)
* SAREF: Added /proc/net/ipsec/saref that shows kernel patch state [Bart]
* SAREF: Add SAref checks to ipsec verify [bart/paul]
* A bunch of Makefile.inc variables could not be overridden properly [Paul]
* Bugtracker bugs fixed:
   #1042 NF_INET_LOCAL_OUT vs NF_IP_LOCAL_OUT still broken [David]
   #1102: Ensure KLIPS still works on older kernels [Paul]
   #1113: crypt_dh.c: Fix "warning: multi-line comment" [Tuomo]

v2.6.28 (July 29, 2010)
* MAST: Fix SAref vmalloc() call that could cause a kernel panic [Bart]
* SAREF: rework exported interface to avoid might_sleep() during rcu lock [Bart]
* SAREF: Use the correct mask when updating nfmark in rcv path [Bart]
* MAST: Cleanup updown.mast iptables rule management [Bart]
* MAST: Rework mast init scripts to use conntrack [Bart]
* MAST: Remove iptables rules after SA is deleted [Bart]
* SAREF: Fix bug in stream-socket saref mode [Bart]
* SAREF: Ported to apply on Linux 2.6.34 [Harald]
* MAST: Fix for NAT-T mode (set ixs->outgoing_said in mast mode) [Bart]
* MAST: Fix module unload with mast [Bart]
* Allow rightsubnet=vnet:%priv rightprotoport=17/%any w/o right=%any [Paul]
* SAREF: Log SAref and SAbind capabilities on pluto startup [Paul]
* Log tunnel down with HAVE_STATSD as "down", not "unknown" [Paul]
* Changes to _realsetup.in for making the init script LSB compliant [Avesh]
  rhbz #594767
* _startnetkey update for DNS and NetworkManager [Avesh]
* SAREF: fix bug in stream-socket saref mode [Bart]
* Added TCP header flags to ipsec_print_ip() output [Bart]
* KLIPS: Don't fail non-existant header_ops (breaks ppp) [David]
* KLIPS: ip_select_ident hashing fix in AH xmit path [Kirill Berezin]
* HAVE_STATSD: Fix phase1/phase2 logging through HAVE_STATSD interface [David]
* HAVE_STATSD: log output fix when two connections share a phase1 [David]
* HAVE_STATSD: Slightly clarified and changed log messages [Paul]
* SAREF: Clarified defines and fixed nfmark printing in HAVE_STATSD [dhr/Paul]
* MAST: Temp workaround in _updown.mast for martians problem [Bart/Paul]
* Cleanup source code to use C-style comments [Tuomo]
* Bugtracker bugs fixed:
   # 1120: [PATCH] netlink receive buffer size too small for linux 2.6.32
           [Roman Hoog Antink]

v2.6.27 (June 21, 2010)
* Fixes to the SAREF / MAST code to avoid recursion loops [Bart]
* KLIPS compile fixes for 2.4 kernels [David]
* Memory leak fix unshare_connection_strings [Shinichi Furuso]
* define ALLOW_MICROSOFT_BAD_PROPOSAL to allow connecting to behind NAT [Paul]
* Missing load_oswcrypto() call 'ipsec showhostkey' [Kevin Locke]
  (this is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575757?)
* Log the netfilter mark (him/me) with HAVE_STATSD=true [Paul]
* saref-bind kernel patch that allows setsockopt() to an saref [Bart]
* Rename /bin/statsd to /bin/openswan-statsd with HAVE_STATSD=true [Paul]
* contrib/sarefnc is netcat (nc) with saref settable option [Bart]
* Allow multiple proposals in Aggressive Mode, as long as the DH group is
  the same for all of them [Michael H. Warfield]
* alg_info_addref() needed #ifdef KERNEL_ALG like  alg_info_delref() [Shinichi]
* Remove the obsolete _confread script. [Simon]
* Correct the creation of the directory /var/lock/subsys. [Simon]
* Set a default value for IPSECsyslog in setup to avoid logger errors. [Simon]
* Cleanup source code to use C-style comments [Tuomo]
* Enable addconn to read config from stdin when called with --config - [Simon]
* Fix for broken enum_names regarding ENCAPSULATION_MODE_TUNNEL* [Paul]
* Fix for a few gcc warnings in dnskey.c and xauth.c [Paul/Simon]
* Fix for kernel_pfkey.c bad_case(esatype) introduced in 2.6.25 [Bart]
* Bugtracker bugs fixed:
   #  76: ipsec verify warns about no RSA key when using X509 pem files [Paul]
   #1074: virtual_private broken on U2.6.19/K2.6.27.25-78.2.56.fc9.i686?
          Fix virtual_private checks to give correct warnings [Tuomo]
   #1101: protoport code and nat-t code are switching ports with netkey
          [Mika Ilmaranta/Tuomo]
   #1106: Incorrect xfrm policy with both-NAT client connection [Paul]

v2.6.26 (May 25, 2010)
* KLIPS fixes for 2.6.33 kernel [Greg Ungerger/David]
* RFC-5114 Diffie-Hellman group 22, 23 and 24 support [Avesh]
* Revert broken work-around for nspr4 warning [Tuomo]
* Copy David's klips fixes to netlink where they are needed too [Tuomo]
* Fix bogus initiations of existing tunnels on netkey introduced
  in 2.6.25 [Tuomo]
* Compile fixes for compiling without NAT_TRAVERSAL [Paul]
* Fix pfkey error on tunnel deletion [David]
* Fix up eroute_connection for klips [David]
* When we ASSERT, show where we asserted [Bart]
* Merge in #osx branch [Paul]
* Fix eroute_type to satype conversion for pfkey [Bart]
* Fix confusion about transport_proto and proto in comments and bsdkame [Tuomo]
* Updated SecureClient patch for hybrid mode in contrib [Yair Elharrar] 
* remote_peer_type= support for whack [Avesh Agarwal]
* Cisco banner support in _updown via PLUTO_PEER_BANNER [Avesh Agarwal]
* New option nm_configured=yes will skip reconfiguring resolv.conf, so
  that NetworkManager can handle this. Can be directory whack'ed using
  the --nm_controlled option. [Avesh Agarwal]
* Clean up DPD logging. [Tuomo]
* SAref updated to 2.6.32 kernel [Bart/Paul]
* Bugtracker bugs fixed:
   # 414: Y2K38 bug in X.509 Digital Certificate handling [Andreas Steffen]
          (happened only on 32bit machines for certs expiring after 2038)
   # 428: Fix for representation of [...] used algorithms
          in ipsec auto --status [Martin Schiller]
   #1004: Better fix for bug #1004 [Mika Ilmaranta/Tuomo]
   #1035: Allow specifying interface name, eg left=%ppp0 [Martin Schiller]
   #1080: duplicate of #414
   #1085: Random disconnects of (ipsec+l2tpd) tunnels [Mika Ilmaranta/Tuomo]
   #1087: acquires cause invalid policies being inserted into xfrm policy
          introduced in 2.6.25 [Tuomo]
   #1093: enc alg=0 not found in constants.c:oakley_enc_names [Henry N.]
   #1094: IPSEC_RCV_DECAPFAIL with auth=ah [Wolfgang Nothdurft] 
   #1096: ipsec_xmit_send ignored mark of skb. causing ignoring of ip rules
          and only main routing table was used. [Wolfgang Nothdurft]
   #1104: Compile for NETKEY without KLIPS fails with missing symbols
          [Henry N.]
   #1107: buildfix for showpolicy.c when using gcc 4.5 by Paweł Zuzelski
   #1108: gcc-4.5.0 enum warning fix [Paweł Zuzelski]
   #1110: rightsubnet=vhost:%priv,%no not working as expected for non-natted
          case fixed by new #1004 fix [Mika Ilmaranta/Tuomo]
* Fix for protostack=auto when KLIPS or NETKEY is not compiled in [Paul]
* Fix for compiling without XAUTH (introduced with remote_peer=cisco support)
          [Thomas Geulig]
* Fix %prompt for encrypted X.509 private keys [Harald]
* Fix plutodebug=natt being accepted just like whack --debug-natt [Tuomo]

v2.6.25 (Mar 21, 2010)
* Google Summer of Code 2009 project for osxApp merged in [Paul]
  code contributed by student Jose Quaresma and mentor Stefan Arentz
* Google Summer of Code 2009 project for livetest merged in [Paul]
  code contributed by student Daniel Snider and mentor Paul Wouters
* Added exceptsocket NULL kernel_ops for non-bsd stacks [Paul]
* Remove hardcoded sql: from nss db path (showhostkey, rsasigkey) [Tuomo]
* Remove version from README.nss [Tuomo]
* Fixed obvious errors on fedora and centos5 rpm specs [Tuomo]
* Remove --key option from showhostkey [Paul]
* Fix for NAT-T vendorid payload on some ARM processors [dhr]
* Fix reference to unused file in README.nss [Tuomo]
* Fix 'ip' failure when built against libcap-ng [Kyle McMartin]
* Split networking support for remote_peer_type=cisco [Avesh]
* Fixup for compiling with broken version of nspr [Avesh]
* Update ipsec.conf man page [Tuomo]
* In rare circumstances, DPD could kill an active tunnel [Shinichi Furuso]
* Compile fixes for NETKEY without KLIPS [Ajay.V.Sarraju]
* Fix tcpdump operation on KLIPS/ipsecX interfaces [David]
* Report NETDEV_TX_BUSY when klips is overloaded with requests [David]
* Fix usage of KLIPS_IP_SELECT_IDENT to prevent kernel trace/warnings [David]
* Auth corruption due to unprotected data in sha1 (work_space) [Shinichi Furuso]
* Correct locking for SA tables in pfkey interface [Shinichi Furuso/David]
* Add locking to PRNG to prevent possible corruption [Shinichi Furuso/David]
* Fix oops on held packets [David]
* Implement remove_orphaned_holds for NETKEY [Tuomo]
* Fix _plutorun to use standard restart option for ipsec setup [Tuomo]
* Disable auto skb_dst_release so that icmp_send works [Ronen Shitrit/David]
* Fix for unloading KLIPS module on latish kernels [Ronen Shitrit]
* Fix init script default not to start up on boot by default [Tuomo]
* Do not store XAUTH password in a variable if read from the prompt [Avesh]
* spi/spigrp/tncfg blindly assumed KLIPS. Give nicer error output [Avesh]
* Fix for _updown.netkey not being able to delete route [Tuomo]
* Fix bad bare_shunt entry that break tunnel routing [David]
* Fix oops when network driver doesn't support all header_ops [David]
* Fix for hardcoded hmac 96 bits length [Avesh]
* Check for clrngd as well as rngd in ipsec verify [Paul]
* Fix default value for ikev2 in ipsec.conf man page [Tuomo]
* Support for USE_TRANSPORT_MODE in IKEv2 [Avesh]
* Fix fox implicit DSO linking with NSS [Avesh]
  - redhat bz#565140
* Fix various spelling errors [Harald]
* Fix for leftid=@[foo] notation [Michael H. Warfield]
* Interop issue with Cisco where with XAUTH and ModeConfig we expected
  ISAKMP_CFG_REPLY but we got ISAKMP_CFG_ACK [Paul]
* Support for receiving Cisco dns and domain settings and updating
  /etc/resolv.conf. Requires remote_peer_type=cisco [Avesh]

v2.6.24 (Jan 8, 2010)
* Give clear warning about missing defaultroute [Tuomo]
* Fix to allow ";" in the ike/esp parameters as per man page. [Avesh]
* Fix for DPD with NETKEY [Frank Eberle]
* Make initscript LSB compliant [Avesh]
* Fix for compiling with nss and broken nspr header [Elio Maldonado Batiz]
* Do not set the IKEv2 Critical flag for payloads defined in RFC 4306 [Avesh]
* Client side support for Cisco load balance directives in IKEv1 [Avesh]
  - new keyword: remote_peer_type=cisco
* Update ipsec_setup man page to match setup changes [Tuomo]
* Zeroize ISAKMP and IPsec SA's when in FIPS mode [Avesh]
* Initial contact from Windows/l2tp would fail once before succeeding [David]
* KLIPS compiles on all recent (upto 2.6.31) kernels [mcr]
* KLIPS fixes for 2.6.32 [david/paul]
* Fix for mixed IPv6 in IPv4 and vice versa tunnels [Heiko Hund]
* Fix for NETKEY on kernels 2.6.26+ [Andreas Steffan]
* NAT-OA fixes [David]
* Fixup cryptoapi sg_set_page for older kernels [David]
* Honour kernel build verbose setting via V=1 [mcr]
* Change NAT-Traversal support log message (It's not a patch) [Tuomo]
* Some programs were installed twice causing .old files [Avesh]
  - This is redhat bugzilla #546024
* lwdns.req.log moved from /var/tmp/ to /var/run/pluto/ [Avesh]
  - This is to avoid an SElinux AVC Denial
* Fix compilation so it does not require xmlto [paul]
* Fix NSS by removing extra sql: from NSS db directory name [Tuomo]
  (sql: syntax not supported on RHEL/CentOS nss version)
* Move NSS debug logging to DBG_PARSING [Tuomo]
* Bugtracker bugs fixed:
   # 428:  KLIPS NULL encryption patch (through cryptoapi)
   #1004: L2TP broken with NAT'ed clients [dhr/Tuomo/Paul]
   #1053: typo in notification sending routine [Seong-hun Lim]
   #1055: init script hangs on startup with semi-broken shells [Michael Smith]
          (eg busybox and debian's new default /bin/dash shell)
   #1056: setup script start_stop() checks for filesystem writability
   #1067: openswan fails on systems not supporting popen() [Jonathan Miller]
   #1072: Compiling with USE_VENDORID=false fails [paul]

v2.6.23 (Sep 8, 2009)
* Support for dropping unneeded capabilities using libcap-ng [Avesh]
  (Changed using  USE_LIBCAP_NG= in Makefile.inc)
* Additional ASN.1 parser checks by David McCullough [David]
* PSK support with USE_LIBNSS [Avesh Agarwal]
* Allow multiple different PSK road warriors with Aggressive Mode [David]
* Additional KLIPS debugging can be enabled in /proc/net/ipsec_saraw [David]
* Extended fipschecks [Avesh Agarwal]
* auto=route tunnels could fail due to an Opportunstic Encryption bug [David]
* passthrough routes on NETKEY where missing a a policy [Michael H. Warfield]
* The init script was mistakenly installed twice, once as 'setup' [Paul/Harald]
* LSB compliance error in initscript (debian bug#537335) [Petter Reinholdtsen]
* Fix for old style nat-t patch on newstyle 2.6.23+ kernel [Paul]
* ipsec verify now returns non-zero when an error is encountered [Paul]
* Fix for ipsec whack --crash <IP> crasher [David]
* Partial fix for #1004. We no longer drop the port from protoport= [dhr/Paul]
  transport mode L2TP now works again for the non-NAT'ed case
* Fix for size (XXX) differs from size specified in ISAKMP HDR (YYY) [David]
* Removed old USE_SMARTCARD code. Smartcards are now supported via NSS [Paul]
  (not all code was properly #ifdef'ed, so a few changes outside #ifdef
   SMARTCARD were needed)
* Prevent aggressive mode tunnels losing phase2 [David]
* Various fixes to eroutes [David]
* Bugtracker bugs fixed:
   #1044: openswan.spec file builds an RPM that is missing lwdnsq [Joe Steele]

v2.6.22 (Jun 23, 2009)
* Malicious X.509 certificates could crash the asn.1 parser.
  Found by Orange Labs vulnerability research team. Patches via
  an irresponsible 0-day public announcement by Andreas Steffen 
  (this is CVE-2009-2185)
* NSS support via USE_LIBNSS updated [Avesh Agarwal]
* Added USE_FIPSCHECK. [Avesh Agarwal]
* NAT-T cleanup (no nat-t patch needed for >= 2.6.23) [Harald Jenny/David]
* Enabled USE_DYNAMICDNS per default. Disabled USE_LWRES. [Paul]
* Fix for gcc 4.4 errors [Avesh Agarwal]
* AVC Denail with /var/tmp and openswan ipsec service [Avesh Agarwal]
  (see https://bugzilla.redhat.com/show_bug.cgi?id=489113)
* misc. fixes to the build system [mcr]
* Updated various Copyrights [Paul]
* Fix for DYNAMICDNS when dns name was unknown on initial load [David]
* Fix for ttoaddr when passing AF_INET/AF_INET6 [David]
* newer CA's (openssl) now use a crlnumber. Create one with 01 [Paul]
* Fixes to new nat-t code (HAVE_UDP_ENCAP_CONVERT ) [mcr]
* Some ipsec_tunnel KLIPS cleanups [mcr]
* Implement a fallback to SW for failed HW requests [David]
* Make sure that ipsec starts after the crypto layer [David]
* Fix compilation without OCF and cryptoapi instead [David]
* Fixes to compile with 2.6.29 [David]
* Fixed to compile on 2.6.30 [Harald Jenny]
* Fix for the default assigned of "ipsec0" to all packets [David]
* Fix for concurrent ISAKMP negotiations from different hosts to a
  single host with nhelpers>=1 [Anthony Tong]
* UDP port 501 encaps to interop with Lucent in contrib/lucent
  Contributed by  Rolando Zappacosta 
* Various warnings fixed in pluto [Gilles Espinasse]
* Bugtracker bugs fixed:
   #1031: Fail to compile KLIPS module on RHEL5.3 or CentOS5.3 [Mark Keir]
   #1030: aggressive mode & dead peer detection fails [Tim Horsburgh]
   #1023: Oops due to improper ipsec_sa destruction [Nick Jones]
   #1036: sysctl variables are not correctly set anymore [David]

v2.4.15 (Jun 25, 2009)
* Fix for CVE-2009-2185 X.509 ASN.1 parser crasher [Andreas Steffen/Paul]

v2.6.21 (Mar 30, 2009)
* Fix for CVE-2009-0790 DPD crasher [Gerd v. Egidy/Paul]
* Fix remaining SADB_EXT_MAX -> K_SADB_EXT_MAX entries. ["bencsathb"]
* Fix ipsec setup --status not showing amount of tunnels with netkey [Tuomo]
* Bugtracker bugs fixed:
   #1016: rightid=%fromcert without rightcert causes crash 

v2.4.14 (Mar 30, 2009)
* Fix for CVE-2009-0790 DPD crasher [Gerd v. Egidy/Paul]
* Fix for CVE-2009-1121 ipsec livetest tmp file "issue" [Paul]
* Bugtracker bugs fixed:
  #986: Compile-Error and Debugging in 'linux/net/ipsec/ipsec_alg_cryptoapi.c'

v2.6.20 (Feb 9, 2009)
* Added support for USE_NSS (default false) [Avesh Agarwal]
* USE_IPSEC_CONNECTION_LIMIT (default false) support for those who have to
  deal with export restrictions [David]
* Added "metric=" keyword to the conn section to allow host failover
  from another interface to ipsec using route management. [David]
* Split crypto calls off into liboswcrypto for easier FIPS handling [David]
* Fix sprintf warning in init_crypto_helper [Owen Jacobson]
* KLIPS could not be unloaded (requires updated nat-t patch) [David]
* Fix crasher with disassociated pending (async) crypto requests [David]
* Make pluto more verbose on aborting for embedded systems [David]
* Fix for ipsec_kversion.h on kernels > 2.6.22 non-RHEL/SLE [David]
* New parser was missing keep_alive= and force_keepalive= options [Paul]
* Fix for ipsec whack --listevents [Shingo Yamawaki]
* Fix compiling without OCF [David]
* Fix for using kernel cryptoapi algs causing bad packets [David]
* Fix ESP+IPCOMP processing [David]
* Only calculate (expensive) irs->sa_len when debug is enabled [David]
* Repaired missing code responsible for sending IPCOMP request to peer [David]
* Make sure we only set NEXT_NONE on the last VID entry that we add [David]
* Fix NETKEY with transport mode and NAT-T [Paul]
  (does not yet fully fix bug #1004, as the wrong IP (inside vs outsid)
   is used in the policy)
* Fix for KLIPS with NAT-t so decrypted packets do not appear to come
  from the hardcoded ipsec0 interface [Hiren Joshi]
* Send the remote host address to PAM during XAUTH so that it may be used
  for better logging/authentication purposes at the PAM end. [Ken Wilson]
* Using Main and Aggressive mode could pick the wrong policy and fail [David]
* Fix for main_inI2_outR2_tail() when compiled without DEBUG [Shingo Yamawaki]
* Fix for bogus "discarding packet received during asynchronous work
  (DNS or crypto)". We were queueing/dropping packets that were needed to
  get the tunnel going [David]
* The pluto event loop behaves more predictable under heavy load.
* Fix for sending wrong state/cookies with async crypto  [David]
* Do not sent duplicate status changes to the stats daemon [David]
* Disable the warning if DH operations take more than 200ms [David]
* Use K_SADB_EXT_MAX, not SADB_EXT_MAX in eroute.c [Carsten Schlote]
* Fix for fmt_common_shell_out() using long PLUTO* vars [Carsten Schlote]
* Bugtracker bugs fixed:
   #1015: no building of ipsec.conf.5 manpage on 2.6.20dr2 
   #1018: ipsec eroute --clear segfaults (KLIPS) [Carsten Schlote]
   #1004: [partial fix] ipsec/l2tp server behind NAT/port forward broken [Paul]
   #1014: compress=yes on initiator does not propose IPcomp [David]
   #0982: kernel panic with compression=yes  [Florian Westphal]
   #0949: not able to set nhelpers=0 [Shingo Yamawaki]

v2.6.19 (Nov 24, 2008)
* Fix for L2TP/IPsec with Windows machines having their packets
  disgarded by accident [Hiren Joshi]
* Workaround for bad "%v:" virtual_private= entries [paul]
* Fixes to interop with SoftRemote/aggressive mode [David McCullough]
* Fix for ERROR: Module xfrm6_tunnel is in use by ipcomp6 [paul]
* Fix for using MODPROBE=insmod where insmod does not support -q [paul]
* Enable all wins/dns options as specified in man pages [david]
* build support for all WINS/DNS options as mentioned in the man pages [david]
* Removed obsolete keywords: firewall (linux 2.0), spibase, spi,espenckey,
  espauthkey and espreplay_window (manual keying) [paul]
* Fix unneccesary and bogus connection switching with NAT [Shingo Yamawaki]
  (this might relate to several reported bugs in the tracker)
* Added cisco-decrypt utility for PCF obfuscation in contrib/ [paul]
* Fix for crasher when the leftcert= filename was not found [paul]
* Patch for "route already in use" when using two different IP's
  to talk to the same remote IP using two tunnels [Avesh Agarwal]
* Fixes to init scripts [Avesh/Tuomo]
  See also: RedHat bugzilla #466861.
* Bugtracker bugs fixed:
   #992: keyingretries default changed from %forever to 3 [ken]
         (bug was introduced in 2.6.x)
   #981: plutodebug=all klipsdebug=all not operate. [paul]
   #994: Not having leftid=%fromcert results in a pluto segmentation [paul]
  #1003: virtual_private broken? [paul]

v2.6.18 (Oct 6, 2008)
* Fix for compiling KLIPS on RHEL/Centos 2.6.18-92.1.10.el5 [dhr/paul]
* Fix in deleting connections that might have caused some of our Delete
  Notifies to have gotten lost. Introduced in openswan 2.5.01 [paul]
* Rekey= inverted yes/no, causing rekey=no to be rekey=yes [Shingo Yamawaki]
* Some memory leaks / refcount fixes [Shingo Yamawaki]
* Removed most of #ifdef CONFIG_KLIPS_DEBUG conditionals. We now always
  compile in DEBUG support. [paul]
* No longer use the assembly version of des_encrypt (dx86unix.S). It
  is i386-i686 specific, requires framepointers and does not work with
  CONFIG_REGPARM=y, which is the unconditional default for 2.6.17+ [paul]
* Fix memory leak when we run out of descriptors [David McCullough]
* Various memory leak fixes for pluto (from #macosx) [Ilia Sotnikov]
* LEAK_DETECTIVE should report better now [Ilia Sotnikov]
* Add support for USE_DMALLOC [Ilia Sotnikov]
* Update stats to show dropped packets [David McCullough]
* Allow session migration of OCF devices [Brad Vrabete]
* DNS/WINS ModeConfig fixes [David McCullough]
* refineconnection bug fix. This might cover various problems where
  the right conn was not picked (eg rightca="%any" workaround, but
  perhaps also some rekey issues) [paul]
* unregister_netdevice: waiting for ppp2 to become free. Usage
  count = -1 on kernels < 2.6.24 [Martin Schiller]
* Fix for parallel building, eg with rpmbuild [tuomo]
* Bugtracker bugs fixed:
  #989: Patch for fixing type-punned compiler warnings [Alin Nastac]
  #979: Two errors in debian/ packaging files (fix included) [ruben]
  #978: ipsec.conf man page has typo in virtual_private sample line [tuomo]
  #975: ipsec_setup: Unknown socket write error 96. [paul]
  #231: In Aggressive Mode with NAT-T,initiator should switch port [hiren joshi]
  #228: Problems with %any matching in ipsec.secrets? [David McCullough]
  #984: OpenSwan 2.4.13: Wrong ipsec_dev_get(x) function for Kernels < 2.6.24 

v2.6.17 [will be skipped due to bad tag]

v2.6.16 (Aug 18, 2008)
* Merged in David McCullough's OCF patch [david/paul]
  Requires kernel patch, see http://ocf-linux.sourceforge.net/
* dpdaction=restart_by_peer support added [david]
* dynamic dns support (do dns lookup at restart conn, eg after dpd) [david]
  Uses USE_DYNAMICDNS=
* Added USE_SINGLE_CONF_DIR= [david]
* KLIPS support for 2.6.24 / 2.6.25 [david]
* Fix for "Unknown sysctl binary path" [david]
* rekeyfuzz is percentage, not integer [david]
* Added HAVE_STATSD= support to log state changes (for webgui etc) [david]
  (disabled per default)
* Wrapper to handle more then 2048 NETKEY tunnels [david]
* fixes for parser warnings [dhr]
* Fix rmmod calls not to use -s since busybox rmmod does not support it [paul]
* Fixes to KLIPS for newer 2.4 kernels [greg/davidm]
* Road Warrior behind NAT - Aggressive Mode: wrong NAT-T decision [hiren joshi]
* Added documentation for leftxauthusername= and XAUTH passwd support [paul]
* Bugtracker bugs fixed:
  #977: KLIPS doesn't work when wan interface is a tagged vlan interface
        Regression from 2.4? [Tino Keitel / Krisztian KOVACS]
  #972: Aggressive mode connection breaks after DPD timeout for NATed peer
  #965: xmlto man fails to generate ipsec.conf.5 man page  [tuomo]

v2.6.15 (Jul 4, 2008)
* Patch to support NETKEY backport on Debian kernels [Rene Mayrhofer]
* Fix a crasher when using right=%any with plutodebug=controlmore [paul]
* Fix a crasher when deleting connections in NETKEY [ken]
* Added disable_port_floating support to scripts and parser and
  repair the default back to allow port floating [paul]
* Change (back) defaults of plutorestartoncrash and uniqueids from
  no to yes. The new parser mistakenly did not set these [paul]
* Revert af family code in find_host_pair causing some connections to not
  be found in find_host_connection2() [paul]
* Fixes to _updown.mast, _realsetup (mast) and startklips [paul]
* Fixed to saref code so we can build on OSX again [paul]
* Use PREROUTING instead of OUTPUT/FORWARD for mast [mcr]
* NETKEY support for eroute_idle using get_sa_info() [herbert/andreas]
* Do not send DPD "R_Y_THERE" when eroute not idle [andreas]
* Support for Relative Distinguished Name "unstructuredName"/"UN"
  in ID_DER_ASN1_DN identities (eg leftid="UN=John Doe") [andreas]
* Removed forwardcontrol= and rp_filter= options. Ignore if present
  in config file. Use /etc/sysctl.conf [paul]
* Fix for left="%defaultroute" when using NETKEY [tuomo]
* Fix for KLIPS on SMP systems (missing SOCKOPS_WRAP for pfkey_ops) [dhr/paul]
* Merged in some IPsec SAref related code [mcr/paul]
* Merged in packaging/suse for building rpms on SLES [paul]
* Bugtracker bugs fixed:
  #784 / #928 : openswan (pfs=yes) to vista (pfs=no) crasher [paul/dhr]
  #934: mem leak in klips:ipsec_rcv_decap [Wolfgang Nothdurft]
  #935: 935: Openswan 2.6.14rc5 refuses to start after carsh  [paul]
  #939: Openswan 2.6.14rc5 crashes on startup if dns is not reachable [andreas]
        (curl issue on 64bit platforms when dns is not available)
  #953: disable_port_floating defaults to yes and config parser... [paul]
  #954: patch to support DEFAULT_SOURCE using netkey [mdw21]
  #957: pluto always gets --disable_port_floating parameter... [paul]
  #963: rp_filter=%unchanged option causes assertion failure  [paul]
  #964: make -j4 programs fail [tuomo]

v2.4.13 (Jun 26, 2008)
* Fix a memory leak by removing unused variables alg_esp and alg_ike [dhr]
* Recognise and log unsupported IKEv2 exchanges [paul]
* Bugtracker bugs fixed:
  #198: Connection not coming up automatically, plutowait=yes workaround

v2.6.14 (Jun 6, 2008)
* Fix for integ vs prf mixup [herbert/antony] 
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=439771
* Merged in v2.5.18 (see entries below) [paul]
* Merged in v2.5.17 (see entries below) [paul]
* Merged in v2.5.12-v2.5.16 (see entries below) [paul]
* NETKEY and crypto modules did not get loaded automatically [paul]
* Updated "clear" policy file for L root nameserver's new IP for OE. [paul]
* Added testcase interop-ikev2-strongswan-06-aes192 [paul]
* Removed "interfaces= is ignored when using the NETKEY stack" warning
  as it caused confusion and a wrong patch in Fedora 9. [paul]
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=445179
* Fix for a few warnings of using "en" uninitialised [dhr]
* Various fixes on strnat, chdir, fwrite, fgets, etc. [paul]
* Fix for a potential crasher when displaying status using certs [paul]
* Removed obsoleted and unused  hardware random related defines [paul]
* Maintanance on IKEv2 properties and names [paul]
* IKEv2 rekey fix for initiator [herbert]
* KLIPS fixes to compile on 2.6.24+ [david/paul]
* Added AES-CCM support [herbert]
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=441383
* Support for KLIPS on 2.6.24+ [david]
* Bugtracker bugs fixed:
  #943: Openswan 2.6.14rc5 pluto crash at ikev1_main.c:1145 
  #936: EXPECTATION FAILED kernel_ops->eroute_idle != NULL [paul]
  #930: 'best.len' and 'cur.len' may be uninitialised. [Michal Nazarewicz]
  #781: %defaultroute detection broken on netkey for 2.5.x [paul]


* Above 2.5.x merges brings in userland IPsec SAref support. Requires
  kernel support, currently only supported with USE_MAST.(KLIPSNG)
  Also requires kernel modification to add IP_IPSEC_REFINFO support 
  This adds support for overlapip, allowing multiple clients behind the
  same NAT router and multi clients on identical IP's behind different
  NAT routers. For possible deployments, see doc/ipsecsaref.png

v2.6.13 (May 17, 2008)
* RFC4306 Section 3.3.5 IKEv2 Attribute KEY_LENGTH support [herbert/paul]
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=444166
   https://bugzilla.redhat.com/show_bug.cgi?id=439771
* Support for ESP_NULL and AH_NULL [herbert/paul]
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=442955
   https://bugzilla.redhat.com/show_bug.cgi?id=442956
* Close on file descriptors on exec (fixes SElinux avc denials) [Neil Horman]
  See:
   https://bugzilla.redhat.com/show_bug.cgi?id=442333
* Fix a memory leak by removing unused variables alg_esp and alg_ike [dhr]
* linux/include/crypto renamed to linux/include/klips-crypto [paul]
* Fix for IKEv1-only policies attempting bogus IKEv2 rekeys [Miloslav Trmac]
* Bugtracker bugs fixed:
  #198: Connection not coming up automatically, plutowait=yes workaround [tuomo]
  #622: pluto memory leak [dhr]
  #916: KLIPS kmod fails to compile 2.6.22 based kernel (...) [paul]
  #917: pluto fails to compile when using pam. xauth [Tamas Pal]
  #922: pluto crashes on rekey failure [Miloslav Trmac]

v2.6.12 (Apr 21, 2008)
* Add aes-*-modp1024 proposals to default responder policy db [antony]
  This is bug https://bugzilla.redhat.com/show_bug.cgi?id=439985
* Fix for ikev1 continuation segfault (only the first helper's continuations
  were cleaned up properly (eg. on dpd, sa expires..) [Anthony Tong]
* Redid fix for leftsourceip/rightsourceip getting deleted [paul]
  This is bug https://bugzilla.redhat.com/show_bug.cgi?id=432821
* As per RFC 4309, use modp2048 as default for PSK with IKEv2 [paul]
  Relates to https://bugzilla.redhat.com/show_bug.cgi?id=441588
* Added workaround for INITIATOR/RESPONDER keys being swapped [herbert]
* Preliminary work to support IKEv2_ENCR_AES_CCM__* algos [paul]
* modprobe the AES ccm kernel module on startup [paul]

v2.6.11 (Apr 8, 2008)
* Fix state machine to pick proper Responder STATE_UNDEFINED state
  when receiving R1 NO_PROPOSAL_CHOSEN [dhr/paul/antony]
* Fixes to some enum tables that caused (null)'s in logs [dhr/paul]
* Starting the prf+ counter from 1 instead of 0 [herbert]
* Removed wrong Gr check [antony]
* Added IKEv2 NO_PROPOSAL_CHOSEN processing [antony]
* Clone st_ni/st_nr chunks for child SA [herbert]
* Various smal logging changes - mostly to fix (null)'s [paul/dhr]
* AUTH_ALGORITHM_HMAC_SHA2_* are now logged properly [paul]
* interop-* testcase output updated [paul]


v2.6.10 (Apr 3, 2008)
* Includes fallback from IKEv2->IKEv1 [mcr]
* IKEv2 bid-down attack recovery [mcr]
* changes to I1 retransmission timers [mcr]
* Only check for bid-down when POLICY_IKEV2_PROPOSE to avoid two ikev2
  capable ikev1 instances from false detecting a biddown [paul]
* Fix ikev2_trans struct (redhat bug #438826) [dhr/paul]
* Revisit of 2.6.06 NOTIFY crasher - fixed again [paul]

v2.6.09 (Mar 10, 2008)
* Completed IKEv2 6msg exchange support [antony]

v2.6.08 (Mar 9, 2008)
* IKEv2 6msg exchange (responder, partially for initiator) [antony]
* IKEv2 notify support [antony]
* Some pullups from #testing related to NETKEY [paul/tuomo]
* Added force_busy option for testing 6msg exchange [paul]
* OSX compile fixes [paul]
* sourceip= option fixed with NETKEY [paul]
* ipsec setup restart with NETKEY fix [paul]
* NETKEY, strongswan, racoon2 support in test harnass [paul/antony]

v2.6.07 (Feb 8, 2008)
* IKEv2 retransmit fixes [mcr]

v2.5.18 (not released)
* Do not use the KMEM_CACHE macro for now, so KLIPS works on 2.6.23 [paul]
* Sha2 support for X.509 certificates in pluto [Daniel Mueller]
* Various memory leaks
* uclibc workaround for malloc(0) abort. Fixes to not malloc 0 [paul]
* Bugtracker bugs fixed
 #917: pluto fails to compile when using pam. xauth [folti]
 #919: Invalid memory access in show_dnskey of showhostkey.c [paul]

v2.5.17 (Feb 28, 2008)
* Implemented netlink_shunt_eroute() [paul]
* Simplified _updown.netkey [tuomo]
* Bugtracker bugs fixed
  #460: Fix bogus header with delayed MAIN I2->R2 [Herbert Xu]
  #496: kernel_alg_esp_auth_ok() call fixed - [gernot]
  #761: pluto crashes after removing interface [Tillman Baumann]
  #897/731: crash in alg_info_snprint() - ["Deep Throat"]
  #889: backport from #ikev2 branch to fix ipsec_delete_sa with NETKEY [mcr]

v2.4.12 (Feb 19, 2008)
* Partial fix for 2.6.24 kernels (new proc_net macro and
  dev_get_by_name arg), no fix yet for changed dev struct [paul]
* Fix for lingering 'dir out' XFRM policy when using NETKEY [paul]
* Various memory leaks [gernot]
* null_alg was not fixed for linux autoconf [paul]
* enable HAVE_NEW_SKB_LINEARIZE for Suse Linux SLES10 SP1 [nicole haehnel]
* Bugtracker bugs fixed
  #419: Use of "source" vs "." (breaks on Debian /bin/dash) [paul]
  #496: kernel_alg_esp_auth_ok() call fixed [gernot]
  #538/#892: IP compression proposal lostin negotiation [sscholz@astaro.com]
  #771: various memory leaks
  #814: KLIPS build fails against 2.6.22 kernel (linux.ip.h for iphdr) [sedrez]
  #816: CRYPTO_API error (KLIPS_ALG was undefined) [paul]
  #888: dir out XFRM bug
  #889: Backport of #ikev2: pluto crasher on --delete connection with netkey
  #891: passert(sr->eroute_owner ==SOS_NOBODY) crasher [mcr]

v2.5.16 (Feb 18, 2008)
* Implemented netlink_shunt_eroute() [paul]
* Simplified _updown.netkey [tuomo]

v2.6.06 (Feb 8, 2008)
* Added IKEv2 X.509 CERTREQ [antony]
* Interop fix for IKEv2 PSK - Use correct IETF Key Pad without \0 [paul]
* Fixed a few IKEv2 related crashers on receiving a NOTIFY in R1 [paul]

v2.6.05 (Feb 1, 2008)
* Added IKEv2 X.509 CERT [antony/paul]

v2.6.04 (Jan 25, 2008)
* Added IKEv2 PSK AUTH [antony/paul]

v2.6.03 (Jan 10, 2008)
* Added IKEv2 RSA AUTH [mcr]

v2.6.02 (Dec 20, 2007)
* workaround for openswan.spec file

v2.6.01 (Dec 18, 2007)
* IKEv2 support

v2.4.11 (Dec 4, 2007)
* Fix typo in startklips bugfix for #834
* Fix display of nat-t vendor code picked [mcr]
* Fix for KLIPS on 2.6.23.1 without CONFIG_NF_CONNTRACK* [paul]
* Sync'ed openwrt packaging with upstream [paul/nbd]

#stable
* Merged in XAUTH DNS/WINS server-side patch from Anna Wiejak [paul]
  See: http://popoludnica.pl/?id=10100110 
* Various fixes to the scripts for NETKEY [paul]
* KLIPS support for the 2.6.23+ UDP ENCAP sockets [mcr]
  Userland support not yet finished. This should obsolete the NAT-T patch
  when finished.
* incorporated changes between 2.4.8 and 2.4.9
* incorporated changes between 2.4.9 and 2.4.10
* Notice and gracefully fail to load KLIPS when we try to load esp/ah/ipcomp
  protocol and another module already has registered these (eg esp4, ah4,
  ipcomp) [paul]
* Fix for KLIPS NAT-T dropping all packets on 64bit big endian machines [dhr]
* FIx for KLIPS on 2.6.23.1 without CONFIG_NF_CONNTRACK* [paul]
* Bugtracker bugs fixed:
  #600: multiple definitions of passert_fail when cross-compiling.
  #852: dd_connection() fails with ...not AH+ESP for type=passthrough conns
  #708: vanilla kernel-2.6.19, KLIPS compile error (sock_unregister) [sergeil]
  #654: XAUTH strips space out of username/password + patch [Dustin Lang]
  #641: Herein patches to fix warnings if -Wshadow is used [andygay/paul]
  #580: kernel 2.4.x cryptoapi broken [espakman]
  #582: Cannot initiate on demand a connection with traffic selectors [Ilia Sotnikov]
  #590: serpent lib used private kernel header [paul]
  #544: the following error should only show up for x509 debugging: ... [paul]
  #185: Deadlock in function "scx_release()" daemon pluto.(SMARTCARD) [Kurodo]

v2.5.15 (Aug 14, 2007)
   change ipsec_breakroute to permit non-existant eroute's to be replaced.  
   fix for NAT-T negotiation with IP address changes during negotiation.
   adjusted addconn to support nat-t debug keywords.

v2.5.14 (Jul 19, 2007)
   failed attempt to fix ipsec_breakroute.
   fixed leftsendcert= to be implemented in keyword parser.
   introduced startnetkey functions.
   UML kernel configuration canonicalization updated.

v2.5.13 (May 7, 2007)
   move DNS lookups from libipsecconf into pluto, where they belong. DNS lookups
	are still only done once during conn load time, and are done synchronously.

v2.5.12 (Apr 30, 2007)
   A fix to detect that XEN has been patched into the kernel, and set
   some of the 2.6.18 changes.
   never log starter_log() things to stdout, they always go to stderr.
   when a packet is passed through, do not call NF_IP_LOCAL_OUT, as it has already 
	passed through the output hooks, and doing it again, confuses things
	causing ip_route_me_harder() which creates a look, since it does the flow
	lookup again. (This doesn't happen if the kernel hasn't got XFRM support)
   fixed parsing of config file so that "version 2" is accepted.
   fixed addconn to respect "right/left"sourceip=, new test case sourceip-01 
   fixed processing of "first"/"last" packet for %trap/%hold conns in KLIPS, it now
	properly forwards the packets when the packet is released.
   

v2.5.11 (Apr 19, 2007)
   Some fixes in KLIPS for "ipsec eroute --clear" bug. It is not clear
   why this suddendly became an issue, or if it would have been an issue
   previously, given the right compiler optimization.
   
v2.5.10 (Apr 2, 2007)
   Includes fixes for xmlto generation for _confread directory.

v2.5.09 (Apr 2, 2007)
   Minor fix to build process, updated CHANGES file.
 
v2.5.08 (Apr 2, 2007)
   Correct release.
   Includes some changes to permit OE to work without nexthop,
   however this seems to cause it to return an unreachable on 
   the first message.

v2.5.07	-dud due to release script error.

v2.5.06 (?)
   set LANGUAGE, LANG and LC_ALL in setup script.
   change OE off by default note and scripts.
   Merge of additional code from 2.4.
   
v2.5.05 (Feb 14, 2007)
   2.5.03 and 2.5.04 were not properly released, and 2.5.05 now
   is properly released and includes below items
    
v2.5.04 (?)
    zero peer_ca to avoid crashes.
    (include glob's may still not work correctly)

v2.5.0sbs5 (Dec 12, 2005)
    fixed issues with libwhack not getting built with VIRTUAL_IP.
    adjusted programs/pluto/Makefile to depend upon libraries better

v2.5.0sbs4 (Dec 11, 2005)
    When a template conn is instantiated for a phase 1 configuration, it
	may still need to be adjusted to a virtual IP address. In addition,
	change the order of the virtual IP address setting and the
	port-wildcard processing.
        This patch also provides some additional debugging of the proposal
	which actually processed by the machinery.

    tests for L2TP+X.509 L2TP configuration --- 2 clients behind the
        same NAT with certificates that need to have their connection both
        instantiated (in phase 1) and virtualized (in phase 2).

v2.5.03 (Jan 10, 2007)

    ipsec.conf parsing should ignore keywords that start with x-
	they are a form of structured comment.
    added in forceencaps= keyword.
    process wildcards with glob() in include statements.

v2.5.02 (?)
    fixed bug in ipsec.conf parser, where it could not read values
       that had = in them (such as base64 encoded keys)
    fixed bug in key continuation code that could cause a crash
	if the DNS request timed out after the state was deleted
	for other reasons.
 
v2.5.01 (Jan 2, 2007)
    merged xauthusername code base + multinet tests in.
    removed /dev/hw_random from list of valid random sources on linux.
        use "rngd" instead to feed /dev/random.

v2.5.00 (Nov 2, 2006)
    fixed various bugs with lifetime values in ipsec.conf parser
    AES-128 (group 5, MD5 or SHA1 for PRF) is now accepted for phase 1,
	and it is now the preferred cipher as well. This should be the
	case for Main mode, Aggressive mode, and for XAUTH client and
	XAUTH server, and PSK and RSA sig mode.

    fixes so that starter will now compile
    move whacklib to lib/libwhack
    adjust makefiles to work with OBJDIR version of Makefile.program
    switch to OBJDIR in programs/* and lib/* if it is defined

    added sanitizer for PID files
    be smarter about including git version info into version
    We need to use /dev/urandom first, as it has more random than /dev/random.
       Otherwise, we run out really fast (within a few minutes)
    Use endian.h when comiling out-of-kernel
    patch to turn error about 17/500,0/0 vs 17/0 error with Cisco VPN3000
       into a warning.
    remove test for NAT-T VID vs NATD payload test. It fails for reasons
       that are unknown at this time, and this check is really being pedantic.
    MAJOR: use starter code for "addconn"
    MAJOR: always use OBJDIRs, and compile on Windows (no kernel)
    MAJOR: includes "Taproom" code --- TCL call outs from pluto at IKE
		transition states. 

v2.4.10 (Nov 6, 2007)
* Some workarounds for openwrt related to starter and lack of modprobe [paul]
* Fix for sock.sk_stamp type change in 2.6.22 [dhr]
* Workaround for implementations that propose port 0 for l2tp to allow
  us to connect to all their ports (instead of only 1701). This happens
  with Cisco VPN 3000, OSX and Windows XP. This relates to various
  reported bugs about rightprotoport=17/%any and CK_INSTANCE crashers [mcr]
  Use the workaround for OSX clients using rightprotoport=17/0
* Backport of fix for xauth name containing a space [paul]
* Fix for final next payload in Aggressive Mode [David McCullough]
* Fixes for compliling against 2.6.22 [David McCullough / Hugh Redelmeier]
  (note: NAT-T KLIPS patch will not work on 2.6.23+)
* Speed gains in the scripts on systems with many interfaces [David McCullough]
* passert declaration fix [David McCullough]
* A missed nfmark -> mark case in ipsec_sa.h [David McCullough]
* Fix for ktime_to_timeval to use proper kernel versions [paul]
* Added back -DCONFIG_KLIPS_ALG in KLIPSCOMPILE, which we require when not
  building KLIPS with David's OCF patch [paul]
* Added SElinux patch in contrib/ [Venkat Yekkirala]
* Bugtracker bugs fixed:
  #449: 17/%any is a template conn problem [mcr]
  #708: vanilla kernel-2.6.19, KLIPS compile error (sock_unregister) [sergeil]
  #796: can't compile 2.4.8 on kernel 2.4.34 (module_param fix) [sergeil]
  #802: Error: "our client ID returned doesn't match my proposal" [mcr/paul]
  #813: incorporate tuomo's lsb patch [tuomo]
  #824: defaultroute detection fails with PPP default route [sergeil]
  (this is also the bug introduced in 2.4.9 that causes failed subnet tunnels)
  #855: Pluto restart impossible on busybox [paul]

v2.4.9 (July 17, 2007)
* Fix for Aggressive Mode with NAT-T (no negotiation in aggrmode) [mcr]
* Integrated most openwrt workarounds - tested on whiterussian  [paul]
* Typofix for smartcard support [andreas zwicker]
* Fix for when responder PSK incorrectly uses pfs and has nhelpers=0
  [Matthias Haas]
  #801: Patch for fixing type-punned compiler warnings [Alin Nastac]
  #811: Patch for using custom algs with CONFIG_KLIPS_ALG [iamscard]
  #812: Bogus defaultroute nexthop for PPPoE (& PPP?) [BruceS]

v2.4.8 (May 24, 2007)
* Added Andy Gay's ipcomp with esp= fix in contrib/ipcomp/ (see #538)
* Added and enabled DISABLE_UDP_CHECKSUM until the cause of this bug
  has been fixed. This is bug#601. Found by Frank Vogt
* fix for ikeping reporting wrong percentge of lost packets [Mark-Andre Hopf]
* Fix for busybox' ifconfig (doesn't support 'inet') [Dave Chuha]
* Fix for compiling on 2.6.20 (sk_buff's nfmark is now called mark)
* NAT-T patch update for 2.6.20
* NAT-T patch broke NAT-T for NETKEY,even with CONFIG_IPSEC_NAT_TRAVERSAL unset
* Fix for too small ike string buffer ipsec auto --status output [paul/dhr]
* Fix for Aggressive Mode and NAT-T port floating, based on RedHat patch [paul]
* Fix for Aggressive Mode and NAT-T (#491) by Delta Yeh
* ikeping waits milliseconds instead of seconds, patch by Mark-Andre Hopf
* Workaround for NETKEY's unlimited acquire stream by Michael Smiths (#726)
* Some vendor ID's for Vista and Cisco VPN 3000 [jacco]
* backports from git
  #git 5735f731ed474dbb22fce2f5bc0a9f5e1fea2994: rewrite of available worker
                                                 code from egbert@ [mcr]
  #git c75967b03b2c478a612aef4ccb7e5dff6e4bdaf5: dpdaction=restart fix [mcr]
  #git 41e54a2684dc809d7952e816860ea646a3194a72: Fix for kernels > 2.6.18
  #git c2e23a6e16a55632d618740518d419f3fad3323d: AggressiveMode with nhelpers=0
                                                 fix from Marin Hincks
  #git 1933710623a33fe8f3229b193721aed005fb87c2: Crasher in printing alg debug
  #git 9bfb2794bd9c239dfe9e9617616eaf6fc389de57: uninitialized sockaddrs fix
  #git e199785d8e11687534569b04a3e0a6956b2086b8: set helper # in child
* bugtracker bugs fixed:
  #723: Bogus Code in pluto_crypt.c [egbert/mt/mcr]
  #698: Wrong IKE-Algorithm displayed on ipsec auto --status [martin/paul/mcr]
        original patch by Martin Schiller
  #719: Fix to authenticate with a smartcard (USB Aladdin eToken) ["pm"]

v2.4.7 (Nov 14, 2006)
* Remove direct use of /dev/hw* for random on Linux. It is not guranteed
  to be secure (FIPS compliant) random [paul]
* Fix bugs introduced in 2.4.6 using KLIPS and CryptoAPI on 2.6.17.6+
* fixes for displaying proper NAT-T draft/rfc used [jacco]
* Various fixes to lwdnsq [mcr]
* Extensively updated man pages [paul]
* Added rootservers to the clear policy [idea by mcr]
* Fix for pluto to allow NETKEY's ESP_NULL by JuanJo Ciarlante
* Added ESP_NULL support to KLIPS by JuanJo Ciarlante (disabled per default)
* Support Fedora style default RSA hostkey [paul]
* Clarified various log messages
* Possible interop fix for Sonicwall
* Fixes to _startklips and logging cleanup [paul]
* Fix for handling defaultroute to a p-t-p interface without gw ip. [bleve]
  - this might also fix #693
* Extended ipsec verify to complain misconfigured hardware random [paul]
* Extended ipsec verify to complain about SElinux in enforced mode, until
  working security policies are known to exist as it breaks with both
  NETKEY and KLIPS [paul]
* Cleanup of crypto module modprobing. It is now silent [paul]
* bugtracker bugs fixed:
  #474 ASSERTION FAILED at spdb_struct.c:1233: trans->attr_cnt > == 4"
  #642: ipsec_xmit.c and CONFIG_KLIPS_DEBUG [completed fix]
  #655: /etc/rc.d/ipsec --status breaks connection
  #671: oops from __module_get during pfkey_create

v2.4.6 (Aug 4, 2006)
* Fix for VIA Nehemiah to use /dev/hw_random to generate new rsakey
  (using /dev/random on these chips caused it to block too long)
* Various CryptoAPI related fixes.
* Removed support for HIPPI which broke compilation on 2.6.16.*
* Pull up of fix for rightnexthop->leftnexthop
* Added logging when we don't find the right hash bucket
* Changed a few x509 log messages to make automatic parsing easier
* Unload KLIPS at shutdown again to prevent lingering IPs on ipsecX,
  also in case KLIPS is inline, and the ipsecX interfaces do not go away,
  remove IP addresses from IP aliases bound to ipsecX devices.
* Fixed typo in ipsec.conf's virtual_private example
* Improved protocol detection in ipsec_print_ip() [bart]
* Fixed minimum skb lenght requried for ipsec decompression [bart]
  (This is probably bug #609)
* Fix a 64bit bug in compression code [bart]
* Removing a left over '#else' that split another '#if/#endif' block in two
  in ipsec_xmit.c [bart]
* MODULE_PARM has been obsoleted for module_param on 2.6.17+ [paul]
* skb_linearize API changed in 2.6.18+ [paul]
* bugtracker bugs fixed:
  #452: dpdaction=restart doesn't clear or restart quick mode SAs
  #537: Compilation will fail with kernel 2.6.14 and klips and CONFIG_HIPPI=y
  #636: KLIPS and vanilla-2.6.17 compilation error
  #642: ipsec_xmit.c and CONFIG_KLIPS_DEBUG on 2.4 compile issue [partial fix]
  #647: compile fails with version 2.4.6-rc2 + vanilla kernel linux-2.6.17.6
  #631: KLIPS module does not build with 2.6.17-rc6 kernel
  #646: NATT + IPCOMP fails on rcv in KLIPS [bart]
        (This is a generic NATT+ESP bug, not just an ipcomp bug)

v2.4.5 (Apr 6, 2006)
* Fix for prefering RFC3947 over OSX-workaround by Jacco de Leeuw
* Fix for openswan as l2tp server behind NAT by Bernd Galonska
* Fix for compiling + working on SMP (including HyperThreaded) machines
* Fix for arp_broken_ops relocation in 2.6.16
* Fix for compiling on 2.6.14 kernels
* Fix patching against 2.6.15 kernels (NAT-T Patch)
* Fix patching against 2.6.14 kernels
* Fix for strict mode
* Fix for ipsec module unload. Fix by Ankit Desai <ankit@elitecore.com>
* Fix for ipsec: Unknown symbol sysctl_ip_default_ttl
* Fix for AH hash by Ronen Shitrit <rshitrit@marvell.com>
* Additions to barf and verify commands for various kernel internals
* load hw_random and padlock modules before aes module so hardware routines
  are prefered over software routines.
* allow rightsubnet= with type=transport for L2TP behind NAT.
* Refactored natd_lookup / hash code, probably fixes lot of NAT related bugs
* Fix for interop with Cisco devices which propose port 0 (eg: VPN3000)
* When DPD rcookie is invalid, just warn instead of ignoring entirely
* Redid all the DPD log messages
* Fix for manual.in to not use a complicated sed line that some embedded
  sed versions (busybox?) cannot handle.
* Fix for NAT-T detection when Openswan is the initiator
  #401 l2tp connection is not work with 2.6 build in IPSEC
  #442 Pluto uses wrong port in NAT-D calculation
  #450 macosx (possible generic PSK+NAT-T rekey bug: eroute already in use.
  #454 klips module refcount bug (found by Matthias Haas)
       (prevented klips from unloading on 2.4 kernels)
  #462 updated patch for Openswan and OS X with NAT-T
  #509 KLIPS compilation fail with kernel-2.6.14.2
  #518 Incorrect physical interface MTU detection
  #521 KLIPS module crash for kernel 2.6.12+
  #545 unnecessary warnings from _updown script, remove weird control character.
  #558 two machines using incompatible ike= settings still establish a
       connection. (fix by Matthias Haas <mh@pompase.net>)
  #560 Pluto crash (memory leak fixes in pluto by Ilia Sotnikov)
  #563 Error when unload ipsec.ko module "rmmod ipsec" [dupl bug]
  #568 uninitialized struct in ipsec_tunnel.c coud break routing under 2.6
       kernels
  #569 ipsec module unload crasher
  #573 Openswan fails to compile with NAT_TRAVERSAL=false
  #574 Openswan fails to compile with NAT_TRAVERSAL=false #2
  #581 _Updown script installs direct (scope link) routes even for remote
       peers/subnets
  #589 userspace with USE_EXTRACRYPTO won't compile without kernel sourcecode

v2.4.4 (Nov 18, 2005)
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state) 
  (see http://www.openswan.org/niscc2/)
  (proper fix in pluto_constants.h)
* Fix for kernels having strstr
* Various gcc4 warning fixes
* disable CONFIG_IPSEC_NAT_TRAVERSAL per default so we can build KLIPS on
  Fedora systems.
* questionable spin_unlock commented out. Might fix reported SMP crashers.
* update to permit alg code without module support
* Fix for detecting proper kernel source/header directory on fedora
* Various bugfixes as reported on http://bugs.openswan.org/
  #499: check for module support in kernel for IPsec Modular Extensions
  #500: recent awk breaks on 'setdefault' command


v2.4.3 (-)
  #487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state) 
  (see http://www.openswan.org/niscc2/)
  (incorrect fixed. version not released)

v2.4.2 (Nov 13, 2005)
* Fixes for compiling on 2.6.14 by David McCullough
* Minor fixes to accomodate FC4 2.6.11 kernels.
* Fix for compilation of KLIPS on 2.4.x kernels.
* Fix for NAT-T on 2.4.31
* Fix for 'short' packets with KLIPS on 2.4.x
* Merged in Jacco's l2tp configuration examples
* Various bugfixes as reported on http://bugs.openswan.org/
  #286 Incorrect links in intro.html
  #344 netkey-acquire patch
  #376 install_ipsec_sa and install_inbound_ipsec_sa
  #486 ASSERTION FAILED at crypto.c:258: key_size==(DES_CBC_BLOCK_SIZE * 3)
  (see http://www.openswan.org/niscc2/)

v2.4.1
* Not publically released

v2.4.0 (Sep 12, 2005)
* NAT-T support for KLIPS on 2.6 (Sponsored by Astaro)
* Additional Cipher support with KLIPS on 2.6 (Sponsored by Astaro)
* Fix for NAT-T/PSK rekey (Ulrich @ Astaro)
* Delete _updown.c and _updown.posix versions as they were obsolete
* Fixes for aggressive mode and policy mode
* Various bugfixes as reported on http://bugs.openswan.org/
  #201 pluto not accepting negotiations on port 500 after port floating to 4500
  #249 two default routes confuses scripts
  #261 2 RW's w/DPD behind a NAT kick each other off at rekey time
  #267 pluto crashes on inbound X.509 roadwarrior
  #269 informational crasher in demux.c
  #301 kernel_netkey.c lists invalid ESP algorithm
  #302 pluto assumes it has 3DES
  #305 passert_fail (pred_str=0x80b88e3 "st->st_suspended_md->st == st", file_str=0x80b86a0 "state.c"
  #306 st->st_suspended_md->st == st passert()
  #316 Patch for ALG support from Astaro
  #324 Impossible to disable AGGRESSIVE mode
  #327 pluto nat-t detection on 2.6 without klips nat-t patch fails to
       disable nat-t
  #328 ipsec setup fxies for awk compiled with --enable-switch
  #341 Pluto crashes with: ipsec__plutorun: !pluto failure!: exited with error
       status 134 (signal 6)
  #342 fix for 2.6.12 undocumented API fixes for sk_zapped and sk_alloc()
       (based on fix from Sergeil.
  #350 fix for passert() at connections.c:1353: isanyaddr(&c->spd.that.host_addr)
  #355 dpdaction restart fix from Astaro
  #357 secure_xauth_username_str fix from Astaro
  #360 checkv199install creates bogus "old" files
  #361/#363 fix for passert() demux.c:1204: unknown address family in
       anyaddr/unspecaddr
  #368 Fix for ipsec --setup --status output and eroute counting
  #372 Netkey and device labels (eth#:#)
  #373 _updown_x509 still uses obsolete 'route add' commands
  #377 pluto crashes processing first connection if nhelpers=0
  #380 pluto crashes when sent an IKEPING
  #381 assertion failure in init_demux if AGGRESSIVE not defined
  #383 MODP >= 4096 FIX
  #386 undefined symbols compiling klips as module
  #387 / #420 pfkey_ops undefined error on SMP kernel compiles.
              possibly fixed, but may result in SMP unsafe-ness.
  #342 KLIPS cannot be compiled for 2.6.12+
  #415 RPM packaging errors for 2.4 based kernels
  #416 Need a way to tell if NAT-T is compiled in the IPSec kernel

v2.3.1
* NAT-T RFC support (mlafon/mcr)
* NAT-T Server Side rewrite - handles rekeying alot better
* NAT-T Client Side rekey bug fixed
* Removed HowTo (obselete)
* IPKG packaging updates
* Log message updates
* dpdaction=restart support 

v2.3.0
* KLIPS for 2.6 support (Experimental)
  [ good results on FC3-AMD and vanilla/debian kernel source, but not
    FC3-intel. Might be the grsecurity patch  ]
* Aggressive Mode Support (client and server)
* IKE Mode Config support (Experimental)
* Cisco VPN 3xxx client Interop (Experimental)
* Cryptographic helpers framework
* Fixes for NAT-T on 2.4.28+ kernels.

v2.2.0
* Added RFC 3706 DPD support (see README.DPD)
* Added AES from JuanJo's ALG patches
* Fixes for /proc filesystem issues that started to appear in 2.4.25

v2.1.2
* Fix loading of 2.6 modules 
* Fix for snprintfs() in /proc, new for 2.4.25 kernels (dhr/pw)
* Fix checks for some log files/dirs in case they are sockets or pipes (pw)
* Fix for crl.pem crash/core (dhr/as/kb)

v2.1.1
* Fix _pluto_adns installation path (kb)
* Fix sending of X.509 CR's when no CA present (mcr)

v2.1.0
* NAT-T support (Mathieu Lafon - Arkoon)
* X.509 fixes (Andreas Steffan)
* New configuration file directive, {left|right}sourceip=#.#.#.# 
  This will set the source address when talking to a particular 
  connection.  This is very usefull to assign a static IP to your laptop 
  while travelling.  This is based on Tuomo Soini's Advanced Routing 
  patch.