
FreeS/WAN v1.99, a Linux implementation of IPsec, is included in this
release.  Source code resides in uClinux/uC-src/real/freeswan.
(Version 1.97 was in a previous release, and due to various ramifications
of changing directory names with the version control system we are
using, the directory that the source code is in is still called
freeswan-1.97.)

FreeS/WAN is a rather complicated package.  You are referred to
http://www.freeswan.org for complete documentation.

FREESWAN-ALG PATCHES

This version of FreeS/WAN has the "freeswan-alg" patches applied, but
most of it was ripped back out of KLIPS (the kernel part) for
efficiency concerns.  Freeswan-alg adds support for a bunch of
different encryption and hash algorithms, and lets you select from
them more precisely in the freeswan config file.  However, in our view
it makes little sense to use any algorithms that aren't supported by
our hardware; so some things have been removed or not applied in the
first place.  What remains here in the Brecis version allows you to
select AES (if you're using a chip with the new security engine), and
to have more control over which algorithms are used.  

In the most basic terms, you can add configuration parameters like
these:
	esp=aes128-sha1,3des-sha1
	esp=3des-md5
	ike=aes128-sha
	ike=3des-md5-modp1536,aes128-sha1-modp1024

  esp parameters have two parts, separated by a dash:
    encryption: one of 3des, aes128, aes256
    authentication: one of md5, sha1
  You can specify more than one combination with a comma separated list.

  ike parameters have two or three parts, separated by dashes:
    encryption: 3des, aes128, aes256
    authentication: md5, sha1
    dhgroup (optional): modp768, modp1024, modp1536

See CHANGES-ipsec_alg.txt for complete information.
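A small checker for the esp= and ike= syntax described above, written as an
added example for this README (it is not part of FreeS/WAN, the freeswan-alg
patches or the Brecis build).  It accepts exactly the names enumerated in the
lists above; the real parser also knows some aliases (the README's own
ike=aes128-sha uses "sha"), so extend the *_ALGS lists if your build accepts
them.  Running it over a config line before starting ipsec catches a misspelt
algorithm, which would otherwise only show up as a failed negotiation.

```shell
#!/bin/sh
# Added example (not from the FreeS/WAN or Brecis sources): check that the
# esp= and ike= values in ipsec.conf use only the names this README lists.

ENC_ALGS="3des aes128 aes256"          # encryption, esp and ike
AUTH_ALGS="md5 sha1"                   # authentication / hash
DH_GROUPS="modp768 modp1024 modp1536"  # optional third part, ike only

# in_list WORD "w1 w2 ...": 0 if WORD is one of the words
in_list() {
    for _w in $2; do
        [ "$1" = "$_w" ] && return 0
    done
    return 1
}

# check_alg_list KIND LIST
#   KIND is esp or ike; LIST is the text after "esp=" / "ike=", i.e.
#   comma separated proposals of the form enc-auth (esp) or
#   enc-auth[-dhgroup] (ike).  Returns 0 if every proposal is valid,
#   otherwise prints the first problem on stderr and returns 1.
check_alg_list() {
    kind=$1
    list=$2
    case $kind in
        esp|ike) ;;
        *) echo "unknown keyword '$kind'" >&2; return 1 ;;
    esac
    [ -n "$list" ] || { echo "$kind: empty algorithm list" >&2; return 1; }
    # split on commas only; save/restore IFS so the caller is unaffected
    old_ifs=$IFS
    IFS=,
    set -- $list
    IFS=$old_ifs
    for proposal in "$@"; do
        case $proposal in
            *-*-*-*) echo "$kind: too many parts in '$proposal'" >&2; return 1 ;;
            *-*-*) enc=${proposal%%-*}; rest=${proposal#*-}
                   auth=${rest%%-*}; group=${rest#*-} ;;
            *-*)   enc=${proposal%%-*}; auth=${proposal#*-}; group= ;;
            *)     echo "$kind: '$proposal' is not enc-auth" >&2; return 1 ;;
        esac
        in_list "$enc" "$ENC_ALGS" ||
            { echo "$kind: unknown encryption '$enc' in '$proposal'" >&2; return 1; }
        in_list "$auth" "$AUTH_ALGS" ||
            { echo "$kind: unknown authentication '$auth' in '$proposal'" >&2; return 1; }
        if [ -n "$group" ]; then
            [ "$kind" = ike ] ||
                { echo "esp: DH group '$group' not allowed in '$proposal'" >&2; return 1; }
            in_list "$group" "$DH_GROUPS" ||
                { echo "ike: unknown DH group '$group' in '$proposal'" >&2; return 1; }
        fi
    done
    return 0
}

# check_conf_line "esp=..." or "ike=...": takes the line as it appears in
# ipsec.conf (leading whitespace allowed) and hands it to check_alg_list.
check_conf_line() {
    line=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
    case $line in
        esp=*|ike=*) check_alg_list "${line%%=*}" "${line#*=}" ;;
        *) echo "not an esp= or ike= line: '$1'" >&2; return 1 ;;
    esac
}

# Demonstration over constructed lines modelled on the README's examples,
# the last one carrying a deliberate typo ("eas").
for l in "esp=aes128-sha1,3des-sha1" "esp=3des-md5" \
         "ike=3des-md5-modp1536,aes128-sha1-modp1024" \
         "ike=3des-md5-modp1536,eas-sha1-modp1024"; do
    if check_conf_line "$l" 2>/dev/null; then echo "OK   $l"; else echo "BAD  $l"; fi
done
```

The check is purely syntactic: it does not tell you whether the board's
security engine actually accelerates a given combination, only that the
proposal is one the config parser will understand.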


FreeS/WAN is based on text configuration files.  There are no fancy
GUIs or interactive text programs to set up FreeS/WAN.  It is up to
you to supply them if you want them.

To make a usable demonstration system:

    cd uClinux/brecis/compilescripts
    make TYPE_SYSTEM=.freeswan LINUXALL

There are the following known problems:

  * There is no syslog daemon in the system yet, and Pluto prints
    messages on the console if it can't talk to the syslog daemon.  In
    fact, it prints a LOT of messages, counting on the filtering
    features of syslogd to reduce the number of messages as desired.


The configuration files, ipsec.conf and ipsec.secrets, reside in /etc,
which can be in read only storage depending upon configuration.  If
the flash filesystem is present, our current rc scripts mount
/flash/etc over /etc to make this a writeable area, which works fine.

If your configuration does not do this, we suggest you create a copy
of /etc in /var/etc, and "mount --bind" that in place of the flash.
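One way to do that copy-and-bind step, as an added example (not a script
from the Brecis release): stage /etc into a writable directory, tighten the
mode of ipsec.secrets while copying, and then bind-mount the copy over /etc.
The directory names and the hypothetical script name stage-etc.sh are
assumptions; the mount command is the "mount --bind" the text above refers
to and needs root.

```shell
#!/bin/sh
# Added example (not a script from the Brecis release): stage the FreeS/WAN
# configuration in a writable directory so it can be bind-mounted over a
# read-only /etc, and make sure ipsec.secrets ends up readable by root only.

# stage_ipsec_config SRC DST
#   Copy the tree under SRC (normally /etc) to DST (e.g. /var/etc), creating
#   DST if needed.  Returns 0 on success, 1 on any failure.
stage_ipsec_config() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "$src is not a directory" >&2; return 1; }
    mkdir -p "$dst" || return 1
    # -R copies the whole tree, -p preserves modes and times of what is there
    cp -Rp "$src"/. "$dst"/ || return 1
    # ipsec.secrets holds the pre-shared / RSA keys: root read/write only
    if [ -f "$dst/ipsec.secrets" ]; then
        chmod 600 "$dst/ipsec.secrets" || return 1
    fi
    # ipsec.conf is not secret, but nobody else should be able to change it
    if [ -f "$dst/ipsec.conf" ]; then
        chmod 644 "$dst/ipsec.conf" || return 1
    fi
    return 0
}

# secrets_ok FILE: 0 if FILE exists with mode exactly 0600, 1 otherwise.
secrets_ok() {
    [ -f "$1" ] || return 1
    # find prints the path only when the mode matches exactly
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# bind_over_etc DST: put the staged copy in place of /etc (needs root).
bind_over_etc() {
    mount --bind "$1" /etc
}

# Stand-alone use on the board, as root (hypothetical script name):
#   sh stage-etc.sh /etc /var/etc
if [ "$#" -eq 2 ]; then
    stage_ipsec_config "$1" "$2" || exit 1
    secrets_ok "$2/ipsec.secrets" ||
        echo "warning: $2/ipsec.secrets is missing or not mode 600" >&2
    bind_over_etc "$2"
fi
```

Keeping the mode check separate from the copy lets an rc script verify the
staged secrets file on every boot, not only on the first install.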

For testing, an EVM was set up to serve as a gateway between a local
network (199.86.15.xxx was used) and a laptop running Linux and
FreeS/WAN (10.0.0.x network).

Here's a more complete picture of the tested network setup:

Linux Workstation PC
199.86.15.105
     |
     |
Brecis EVM Eth0 port
199.86.15.98
     |
     |
Brecis EVM Eth1 port
10.0.0.1
     |
     |  This is the link with encrypted traffic
     |
Laptop running Linux
10.0.0.100

Configuration of freeswan was done with the files contained in this
directory:

   ipsec.conf.evm         -- /etc/ipsec.conf on the evm board
   ipsec.conf.laptop      -- /etc/ipsec.conf on the laptop
   ipsec.secrets.laptop   -- /etc/ipsec.secrets on both systems.

The following script was run on the EVM to start up FreeS/WAN IPsec:

==============================

# need a writeable place to put the configuration files
mkdir /var/etc

# Set up NFS to copy in the configuration files
portmap &
mount -n -t nfs 199.86.15.105:/home/steve/work /mnt

# Copy in the configuration files
cp /mnt/ipsec.conf.evm /etc/ipsec.conf
cp /mnt/ipsec.secrets.laptop /etc/ipsec.secrets

# set up eth1 port
ifconfig eth1 10.0.0.1 netmask 255.255.255.0

# start ipsec
/etc/rc.d/init.d/ipsec start

ipsec auto --add us-to-office

==============================

On the laptop, similar commands were run to set up FreeS/WAN.

The link was successfully established.

