diff -bruN freeswan-1.9.orig/CREDITS freeswan-1.9/CREDITS --- freeswan-1.9.orig/CREDITS Mon Feb 26 18:56:08 2001 +++ freeswan-1.9/CREDITS Wed May 16 10:57:20 2001 @@ -60,6 +60,8 @@ for other contributors to this project and related ones. +This product includes software developed by the OpenSSL Project for use +in the OpenSSL Toolkit (http://www.openssl.org/). This file is RCSID $Id: CREDITS,v 1.20.2.1 2001/02/26 23:56:08 henry Exp $ diff -bruN freeswan-1.9.orig/INSTALL.pkix freeswan-1.9/INSTALL.pkix --- freeswan-1.9.orig/INSTALL.pkix Wed Dec 31 19:00:00 1969 +++ freeswan-1.9/INSTALL.pkix Wed May 16 10:57:20 2001 @@ -0,0 +1,47 @@ +Documentation on how to use the PKIX extension for IPSec can be found under +'doc/pkix'. Within that directory, you will also find working examples I +have preserved to test the various connection modes I have successfully +connection with FreeSWAN. There are also some scripts you might (will?) +find useful. + +Requirements: +OpenLDAP 1.2 or better +OpenSSL 0.9.5a with Shared Libraries compiled. + + + If you have to compile OpenSSL 0.9.5a yourself, here's how you should +compile it. Don't forget to add '/usr/local/ssl/lib' (or whatever your SSL +path is going to be) to '/etc/ld.so.conf'. This following script will let +you create '.so' shared library files. Of course, Run it as Root.: +------------------------------------------------------- +./config +make +if [ ! -d shlib_dir ]; +then + mkdir shlib_dir +else + rm -f shlib_dir/* +fi +cd shlib_dir +ar -x ../libcrypto.a && gcc -shared ./*.o -Wl,-soname \ + -Wl,libcrypto.so -o ./libcrypto.so.0.9.5a && rm *.o +ar -x ../libssl.a && gcc -shared ./*.o -Wl,-soname \ + -Wl,libssl.so -o ./libssl.so.0.9.5a && rm *.o +cp libssl.so.0.9.5a /usr/local/ssl/lib +cp libcrypto.so.0.9.5a /usr/local/ssl/lib +cd .. +make install +ldconfig +------------------------------------------------------- + +NOTE: I don't think freeswan-pkix will compile against OpenSSL 0.9.6. There +has been many major changes in the OpenSSL project. + +Don't forget to edit the root Makefile for OPENSSLROOT and LDAPROOT if their +include paths are non-standard (ie: not under /usr/include/). + + +Otherwise, just follow FreeSWAN's own INSTALL file normally. + +-- Luc Lanthier +luc.lanthier@rebel.com diff -bruN freeswan-1.9.orig/LICENSE freeswan-1.9/LICENSE --- freeswan-1.9.orig/LICENSE Wed Dec 31 19:00:00 1969 +++ freeswan-1.9/LICENSE Wed May 16 10:57:20 2001 @@ -0,0 +1,29 @@ +Legal statements +---------------- + +X.509 FreeS/WAN patch: +Copyright (C) 1999, Neil Dunbar +Copyright (C) 2000, Luc Lanthier + Rebel.com, Ottawa, Canada + +X.509 FreeS/WAN-PGPNet patch: +Copyright (C) 2000, Andreas Hess, Patrick Lichtsteiner, Roger Wegmann & + Andreas Steffen , + Zurich University of Applied Sciences in Winterthur, Switzerland + +PGPnet-RSA portions of patch: +Copyright (C) 2000, Kai Martius + +fswcert utility: +Copyright (C) 2000, Andreas Gruenbacher + + +This program is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. See . + +This program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. diff -bruN freeswan-1.9.orig/Makefile freeswan-1.9/Makefile --- freeswan-1.9.orig/Makefile Fri Feb 23 11:31:38 2001 +++ freeswan-1.9/Makefile Wed May 16 10:57:20 2001 @@ -13,21 +13,41 @@ # # RCSID $Id: Makefile,v 1.123.2.2 2001/02/23 16:31:38 henry Exp $ -# install pathnames; DESTDIR can be used to supply a prefix to them all -# PUBDIR is where the "ipsec" command goes; beware, many things define PATH -# settings which are assumed to include it (or at least, to include *some* -# copy of the "ipsec" command). -PUBDIR=$(DESTDIR)/usr/local/sbin -# PRIVDIR is where commands get put, REALPRIVDIR is where they think they -# will be run from in the end (currently only used by utils/ipsec) + +# change this to 0 if you don't want OPENSSL support turned on +# it will turn off all pkix support also +# check the paths for the OPENSSLROOT and LDAPROOT +export USEOPENSSL=1 +ifeq "$(USEOPENSSL)" "1" +export OPENSSLROOT=/usr/local/ssl +export OPENSSLINCLS=-I$(OPENSSLROOT)/include +export OPENSSLLIBS=-L$(OPENSSLROOT)/lib -lcrypto + +export LDAPROOT=/usr/local +export LDAPINCS=-I$(LDAPROOT)/include +endif + +# PREFIX controls where everything gets installed to. This is intended +# only for use by RPM, which installs everything into a temporary root +# prior to creating the package. +export PREFIX ?= / + +# public and private command directories +# Beware, many things define PATH settings which are assumed to include +# PUBDIR (or at least, to include *some* copy of the "ipsec" command). +PUBDIR=$(PREFIX)/usr/local/sbin + +# PRIVDIR is where things get put, FINALPRIVDIR is where they think they +# will be put (currently only used by utils/ipsec) +PRIVDIR=/usr/local/lib/ipsec +FINALPRIVDIR=/usr/local/lib/ipsec REALPRIVDIR=/usr/local/lib/ipsec -PRIVDIR=$(DESTDIR)$(REALPRIVDIR) # where manpages go -MANTREE=$(DESTDIR)/usr/local/man +MANTREE=/usr/local/man # all relevant manpage subdirectories MANPLACES=man3 man5 man8 # where configuration files go -CONFDIR=$(DESTDIR)/etc +CONFDIR=$(PREFIX)/etc # RCDIR is where boot/shutdown scripts go (first RCDIRS that exists gets it); # REALRCDIR is where they think they will ultimately be (for utils/Makefile) RCDIRS=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d @@ -38,7 +58,7 @@ RCDIR=$(DESTDIR)$(REALRCDIR) # kernel location, and location of kernel patches in the distribution -KERNELSRC=/usr/src/linux +KERNELSRC?=/usr/src/linux DIRIN22=$(KERNELSRC)/net/netlink FILIN24=$(KERNELSRC)/net/khttpd/main.c KERNELREL=$(shell { test -f $(FILIN24) && echo 2.3; } || { test -d $(DIRIN22) && echo 2.2; } ) @@ -48,6 +68,8 @@ # note, some of the patches know the last part of this path KERNELKLIPS=$(KERNELSRC)/net/ipsec + + # kernel make name: zImage for 2.0.xx, bzImage for 2.2.xx and later, and # different foolishness on the Alpha (what ever happened to standards?) B=$(shell test -d $(DIRIN22) && echo b) @@ -89,7 +111,24 @@ ln -s `pwd`/libdes/asm/*.pl $(KERNELKLIPS)/libdes/asm ln -s `pwd`/libdes/asm/perlasm $(KERNELKLIPS)/libdes/asm ln -s `pwd`/zlib/Makefile $(KERNELKLIPS)/zlib - ln -s `pwd`/zlib/*.[chS] $(KERNELKLIPS)/zlib + +kcopy: + rm -rf $(KERNELKLIPS) + mkdir -p $(KERNELKLIPS)/libdes/asm + mkdir -p $(KERNELKLIPS)/libfreeswan + mkdir -p $(KERNELKLIPS)/zlib + cp -R --verbose `pwd`/klips/net/ipsec/Makefile $(KERNELKLIPS) + cp -R --verbose `pwd`/klips/net/ipsec/Config.in $(KERNELKLIPS) + cp -R --verbose `pwd`/klips/net/ipsec/defconfig $(KERNELKLIPS) + cp -R --verbose `pwd`/klips/net/ipsec/*.[ch] $(KERNELKLIPS) + cp -R --verbose `pwd`/lib/Makefile.kernel $(KERNELKLIPS)/libfreeswan/Makefile + cp -R --verbose `pwd`/lib/*.[ch] $(KERNELKLIPS)/libfreeswan + cp -R --verbose `pwd`/libdes/Makefile $(KERNELKLIPS)/libdes + cp -R --verbose `pwd`/libdes/*.[ch] $(KERNELKLIPS)/libdes + cp -R --verbose `pwd`/libdes/asm/*.pl $(KERNELKLIPS)/libdes/asm + cp -R --verbose `pwd`/libdes/asm/perlasm $(KERNELKLIPS)/libdes/asm + cp -R --verbose `pwd`/zlib/Makefile $(KERNELKLIPS)/zlib + cp -R --verbose `pwd`/zlib/*.[chS] $(KERNELKLIPS)/zlib PATCHER=utils/patcher patches: @@ -210,8 +249,8 @@ cd utils ; $(MAKE) $(SETTINGS) install: - mkdir -p $(PRIVDIR) $(PUBDIR) - for m in $(MANPLACES) ; do mkdir -p $(MANTREE)/$$m ; done + mkdir -p $(PREFIX)/$(PRIVDIR) $(PREFIX)/$(PUBDIR) + for m in $(MANPLACES) ; do mkdir -p $(PREFIX)/$(MANTREE)/$$m ; done cd lib ; $(MAKE) install $(SETTINGS) cd klips/utils ; $(MAKE) install $(SETTINGS) cd pluto ; $(MAKE) install $(SETTINGS) @@ -329,3 +368,9 @@ ctags `find lib pluto klips/utils klips/net/ipsec -name '*.[ch]'` dummy: + +patchclean: + find $(KERNELSRC) -name '*.preipsec' -exec rm {} \; + find $(KERNELSRC) -name '*.wipsec' -exec rm {} \; + find $(KERNELSRC) -name '*.ipsecmd5' -exec rm {} \; + diff -bruN freeswan-1.9.orig/doc/DES.readme_first freeswan-1.9/doc/DES.readme_first --- freeswan-1.9.orig/doc/DES.readme_first Wed Dec 31 19:00:00 1969 +++ freeswan-1.9/doc/DES.readme_first Mon Jun 4 11:34:31 2001 @@ -0,0 +1,16 @@ +DES has been readded via the pkix patch. This just means that it is +supported, but not necessarily used as the primary cypher. + +You can __force__ to use only DES or 3DES with the following whack command: + +DES only: + -- force_encrypt_cypher des +3DES only: + -- force_encrypt_cypher 3des + +You can also pass this parameter along to pluto via /etc/ipsec.conf + +DES only: + force_encrypt_cypher=des +3DES only: + force_encrypt_cypher=3des diff -bruN freeswan-1.9.orig/doc/HowTo.html freeswan-1.9/doc/HowTo.html --- freeswan-1.9.orig/doc/HowTo.html Tue Mar 27 23:16:54 2001 +++ freeswan-1.9/doc/HowTo.html Mon Jun 4 01:15:59 2001 @@ -75,7 +75,7 @@
  • Make sure Lilo knows about the new kernel
  • Testing to see if install succeeded
    • -
  • Links to other sections
    • +
  • Where to go from here
    • Configuration
  • Pluto problem hints
    • +
  • ifconfig reports for KLIPS debugging
  • Testing between security gateways
  • Claudia's guide
    • @@ -233,8 +237,7 @@
  • Other 2.0.x Intel Kernels
  • 2.2 and 2.4 Kernels
    • -
  • Intel Linux distributions other than Redhat -5.x and 6.x
    • +
  • Intel Linux distributions other than Redhat

    • Any of those will have a list of other "munitions" mirrors.

    Archives of the project mailing list

    + Until quite recently, there was only one FreeS/WAN mailing list, and +archives of it were: -

    The two archives use completely different search engines. You might -want to try both.

    + The two archives use completely different search engines. You might +want to try both. +

    More recently we have expanded to five lists, each with its own +archive. See details elsewhere in the +documentation.

    More information on this and other mailing lists.

    Products containing FreeS/WAN

    @@ -915,8 +948,8 @@
  • Trustix Secure Linux (Norway)

    • For distributions which do not include FreeS/WAN and are not Redhat -6.x (which we develop and test on), there is additional information in -our compatibility section.

    +(which we develop and test on), there is additional information in our compatibility section.

    We would appreciate hearing of other distributions using FreeS/WAN.

    Firewall distributions

    FreeS/WAN is also included in, or available for, more specialised @@ -956,6 +989,9 @@
  • Merilus use FreeS/WAN in their Gateway Guardian firewall product and in their Firecard product, a Linux firewall on a PCI card.
    • +
  • Kyzo have a "pizza box" product +line with various types of server, all running from flash. One of them +is an IPSEC/PPTP VPN server.

    • We would appreciate hearing of other products using FreeS/WAN.

    Documentation

    @@ -1064,7 +1100,7 @@ Both documents are works in progress and may be revised. Check the @@ -1155,16 +1191,23 @@

    If you have not done this before, you will need to read the Kernel HowTo.

    Choosing a kernel

    -

    2.2.x for most users

    -

    Most users should run the most stable available series of Linux -production kernels. At time of writing (February -2001), we recommend the 2.2 series for most users. The latest version -is 2.2.18.

    +

    2.2.19 for many users

    +

    Many users can continue to run kernels from the 2.2 series of Linux +production kernels.

    +

    At time of writing (June 2001), the latest version is 2.2.19. If +you are going to use a 2.2 kernel, we strongly recommend + upgrading to 2.2.19 since:

    +
      +
    • It has a number of small security fixes not found in earlier +kernels.
      • +
    • There have been changes in some kernel file formats that make it +difficult to compile a current FreeS/WAN with earlier kernels. See the mailing list archives for details if needed.
      • +

    2.4.x is possible

    - The new 2.4 series of kernels were first released in January 2001 and -are currently (mid-February) at 2.4.2. FreeS/WAN does work on these -kernels, but for production use we suggest waiting a while yet. -

    On the other hand, 2.4 has new firewalling code called + The new 2.4 series of kernels began in January 2001 and are currently +(early June) at 2.4.5. FreeS/WAN is known to work on 2.4.5. +

    2.4 has new firewalling code called netfilter. This may provide good reasons to move to 2.4, especially on for gateway machines.

    2.0.x should still work

    @@ -1182,10 +1225,10 @@ for use by kernel developers. By convention, production kernels have an even second digit in the version number (2.0, 2.2, 2.4) and development kernels have an odd digit there (2.1, 2.3, 2.5). -

    At time of writing (February 2001, shortly after the release of -2.4), no more 2.3 kernels are being produced and the 2.5 series has not -been started yet, so just now development kernels are not an issue. No -doubt a 2.5 series will be started in the next few months.

    +

    At time of writing, no more 2.3 kernels are being produced and the +2.5 series has not been started yet, so just now development kernels +are not an issue. No doubt a 2.5 series will be started in the next few +months.

    Development kernels are not intended for production use . They change often and include new code which has not yet been thoroughly tested. This regularly breaks things, including @@ -1472,7 +1515,7 @@

    Of course any status information at this point should be uninteresting since you have not yet configured connections.

    -

    Links to other sections

    +

    Where to go from here

    See the following section for information on configuring connections.

    Alternately, you might want to look at background material on the @@ -1965,14 +2008,6 @@ been removed in FreeS/WAN 1.9. However, if the other end of the tunnel is an older version, the restriction will still apply there, so some caution is still required.

    -

    The conn %default section shipped in our example file -includes parameters for manual keying. These are completely - insecure, intended only for testing. We recommend you leave -these in place during testing since it is sometimes useful to be able -to test with manual keying. Once testing is done, however, delete the -test keys or ensure that they are commented out with # characters. -Production use of manual keying is not recommended, but is possible -and is described in a later section.

    Editing a connection description

    Edit our example connection to match what you want to do. Rename it appropriately for the connection you would like to build: @@ -2038,9 +2073,9 @@ The file syntax allows names to be used, but this creates an additional risk. If someone can subvert the DNS service, then they can redirect packets whose addresses are looked up via that service.

    -

    Many of the variables in this file come in pairs such as -"leftsubnet: and "rightsubnet", one for each end of the connection. -The variables on the left side are:

    +

    Many of the variables in this file come in pairs such as +"leftsubnet: and "rightsubnet", one for each end of the connection. The +variables on the left side are:

    left
    The gateway's external interface, the one it uses to talk to the @@ -2068,14 +2103,16 @@
    Addresses for the machines which left is protecting.
    • Often something like 101.202.203.0/24 to indicate that a subnet - resides behind left.
      • + resides behind left. Often this subnet will be directly connected to +left, but this not necessary. The only requirement is that left must +be able to route to it.
    • If you omit the leftsubnet line, then left is both the security gateway and the only client on that end.
    For some applications, you may want to create two connections, one to protect traffic from the subnet behind left and another to protect traffic from the left gateway itself. This takes two connection - descriptions.
    + descriptions. See below.
    leftfirewall
    Set to "yes" if there is a firewall in play that suppresses forwarding, for example if a subnet behind left uses non-routable @@ -2332,19 +2369,166 @@ Practical Configurations document also has an example of using RSA authentication for road warriors.

    Opportunistic encryption

    -

    This section is currently just a placeholder for the opportunistic -encryption documentation I'll write when the design has solidified -somewhat.

    -

    Putting public keys in DNS

    -

    Release 1.4 had the first experimental code to support fetching -public key information from the other system's DNS entries. Even in -1.6, this is still experimental code. You cannot trust it for -production use until

    -
      -
    • both our code is much better tested (you can help with that!)
      • -
    • and secure DNS is widely deployed
      • -
    -

    The relevant lines in the config file would look like this:

    + We use the term opportunistic encryption + for encryption which does not rely on any pre-arranged connection, +hence does not require that the administrators of the two gateways +involved communicate with each other (for example, to exchange keys) +before their systems can create a secure connection. +

    The idea is that each gateway check the destinations of outgoing +packets, see if an encrypted connection is possible and, if so, take +the opportuntity to encrypt. The opportunity will exist whenever the +admins on both ends have set their systems up for opportunistic +encryption.

    +

    This makes encryption the default behaviour, and could greatly +increase the overall security of the Internet if it were widely enough +adopted. See our documents:

    +
    +
    history and politics
    +
    for the reasons we want to do this
    +
    IPSEC protocols
    +
    for discussion of the general principle of encrypting as much as +possible
    +
    +

    The gateways must be able to authenticate each other for IPSEC to +be secure. For opportunistic encryption, we rely on the domain name +system, DNS, to provide the RSA keys needed +for this authentication. Note, that currently this is not entirely +secure because the DNS mechanism it relies on is not fully +secure. Eventually, as secure DNS becomes +widely deployed, this will change.

    +

    Status

    + The team have been working on this for some time, and testing +internally. As of late May, 2001 this code is ready for wider testing. +We encourage everyone to try it. +

    The main documentation items so far are:

    +
      +
    • an Opportunism HowTo by Pluto +programmer Hugh Redelmeier
      • +
    • a design document by Hugh and technical lead Henry Spencer. A +link to this is in our introduction.
      • +
    + I am playing catch up; HTML documentation so far is neither complete +nor particularly clear. What I have so far is below. +

    Note that both software and documentation for this are changing +quickly. You may want the latest snapshot for opportunism experiments.

    +

    We do not yet recommend this code for production use +. You should still protect your critical data with explicitly +configured IPSEC tunnels, rather than relying on opportunistic for +everything at this stage.

    +

    Some DNS background

    +

    Opportunism requires that the gateway systems be able to fetch +public keys, and other IPSEC-related information, from each other's DNS +(domain name service) records.

    +

    DNS is a distributed database that maps names to IP addresses and +vice versa. A system named gateway.example.com with IP address +10.20.30.40 should have at least two DNS records:

    +
    +
    gateway.example.com. IN A 10.20.30.40
    +
    used to look up the name and get an IP address
    +
    40.30.20.10.in-addr.arpa. IN PTR gateway.example.com.
    +
    used for reverse lookups, looking up the name associated with an +address. Notice that the digits here are in reverse order; the actual +address is 10.20.30.40 but we use 40.30.20.10 here.
    +
    + Some syntactic details are: +
      +
    • the IN indicates that these records are for In +ternet addresses
      • +
    • The final periods in '.com.' and '.arpa.' are required. They +indicate the root of the domain name system.
      • +
    + For much more detail, see the +Linux Network Administrator's Guide or a DNS +reference book. +

    The capitalised strings after IN indicate the type of record. +Possible types include:

    +
      +
    • Address
      • +
    • PoinTeR
      • +
    • Canonical NAME, records to +support aliasing, multiple names for one address
      • +
    • MX, used in mail handling
      • +
    • SIGnature, used in secure DNS
      • +
    • KEY, used in secure DNS
      • +
    • TeXT, a multi-purpose record type
      • +
    + To set up for opportunistic encryption, you add some KEY and TXT +records to your DNS data. +

    Putting IPSEC information in DNS

    + There are two types of DNS record to be added: +
      +
    • each gateway must have a KEY record which other gateways can query +to fetch its RSA authentication key
      • +
    • any client whose communications are to be protected by a gateway +must have a TXT record pointing to that machine as an authorised IPSEC +gateway
      • +
    + ipsec_rsasigkey(8) + provides the key in DNS record format as a comment. You need to cut +and paste the comment from +ipsec.secrets(5) (or wherever you have the private key) into the +appropriate place in the DNS records. +

    There are two ways to handle this, depending on whether or not you +control the reverse lookup (in-addr.arpa.) sections of the DNS files +for your gateway. You must have control of the reverse DNS information +for clients or this cannot work at all.

    +
    If you control the gateway's reverse map
    + If you control the gateway's reverse map, you just add a KEY record +there. Here is an example, with many characters of the key itself left +out: +
    +40.30.20.10.in-addr.arpa. IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
+
    + This allows lookups on the IP address of the gateway to retrieve the +key. +

    A client that wishes to be protected by Opportunistic Encryption +must include a special TXT record in its reverse-map. If you control +the gateway's reverse map, example client records would look like this:

    +
    +42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
+42.42.42.10.in-addr.arpa. IN TXT "X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8"
+
    + which can also be written as just: +
    +42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
+                          IN TXT "X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8"
+
    + This provides the IP address of the security gateway and the public +key which the gateway will use to authenticate itself. This is the +preferred variant. Using it, the remote system does one lookup and gets +everything it needs for IKE negotiations. +
    If you don't control the gateway's reverse map
    + The approach must be slightly different if you do not have control +over the contents of the reverse map for your gateway. Perhaps your ISP +controls that, and provides no way for you to put data into their maps. +Without that, you cannot set your gateway up to respond to incoming +opportunistic requests (short of changing ISPs, which you might +consider). +

    However, suppose a friend over at example.org will let you put +things in their maps. That will allow you to set your gateway up to +handle opportunistic connections for which it is the initiator.

    +

    You still need to be able to put data in the reverse map for your +clients. However, that data is slightly different:

    +
    +42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
+                          IN TXT "X-IPsec-Server(10)=something.example.org"
+
    + Over at example.org, your friend inserts these lines in the DNS data +files: +
    +something.example.org. IN A 10.20.30.40
+                       IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
+
    + Your gateway must identify itself in IKE as something.example.org, not +as gateway.example.com. You set that up via leftid= or +rightid= entries in +ipsec.conf(5). +

    With this arrangement, the remote gateway does two lookups. First +it does a reverse lookup on the client IP address and finds the gateway +name "something.example.org". Then it looks up that name to get the IP +address and key for the gateway.

    +

    ipsec.conf entries for opportunism

    + The relevant lines in the config file would look like this: 
             leftid=@gateway.example.com
         leftrsasigkey=%dns
@@ -2603,13 +2787,13 @@
 
    Testing with tcpdump
    
 
     To verify that all is working, run tcpdump(8) on a machine which 
 can listen to the traffic between the gateways.
    
-
     This really has to be done from a third machine, not from one of 
-the gateways. On the gateways you'll see packets at intermediate stages 
-of processing and the result will be confusing. Also, both tcpdump(8) 
-and nmap(8) use the libpcap library. Some versions of that library 
-(e.g. the ones that shipped with Redhat 5) do not recognise ipsec? 
-devices and will generate "bad physical medium" error messages if you 
-try to use it with them.
    
+
     This is most easily done from a third machine, rather than from one 
+of the gateways. On the gateways you may see packets at intermediate 
+stages of processing and the result may be confusing. 
    
+
     If the results make no sense at all, or you see "bad physical 
+medium" error messages, you probably have an outdated version of 
+tcpdump(8) that does not handle IPSEC at all. See our 
+FAQ.
    
 
     The packets should, except for some of the header information, be 
 utterly unintelligible. The output of good encryption looks exactly 
 like random noise.
    
@@ -3085,12 +3269,12 @@
  what type of software is sending the messages. If the settings are 
  "daemon.error" as in our example, then syslogd treats the messages as 
  error messages from a daemon.
    -

    Note that Pluto does not currently pay +

    Note that Pluto does not currently pay attention to this variable. The variable controls setup messages only.

    klipsdebug=
    Debug settings for KLIPS.
    plutodebug=
    -
    Debug settings for Pluto.
    +
    Debug settings for Pluto.
    ... for both the above DEBUG settings
    Normally, leave empty as shown above for no debugging output.
    Use "all" for maximum information. @@ -3108,7 +3292,7 @@ boot time. Useful for testing, but not for long term use. Connections which are automatically started should also be automatically re-keyed.
    pluto=yes
    -
    Whether to start Pluto when ipsec startup is +
    Whether to start Pluto when ipsec startup is done.
    This parameter is optional and defaults to "yes" if not present.

    "yes" is strongly recommended for production use so that the keying @@ -3227,6 +3411,47 @@ functionality. You cannot use them as gateways with a subnet behind them. To get that functionality, you must upgrade to Windows 2000 server or the commercially available PGP products.

    +

    One tunnel plus advanced routing

    + It is also possible to use the new routing features in 2.2 and later +kernels to avoid most needs for multple tunnels. Here is one mailing +list message on the topic: +
    +Subject: Re: linux-ipsec: IPSec packets not entering tunnel?
+   Date: Mon, 20 Nov 2000
+   From: Justin Guyett <jfg@sonicity.com>
+
+On Mon, 20 Nov 2000, Claudia Schmeing wrote:
+
+> Right                                                         Left
+>                      "home"                "office"
+> 10.92.10.0/24 ---- 24.93.85.110 ========= 216.175.164.91 ---- 10.91.10.24/24
+>
+> I've created all four tunnels, and can ping to test each of them,
+> *except* homegate-officenet.
+
+I keep wondering why people create all four tunnels.  Why not route
+traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
+And 99% of the time you don't need to access "office" directly, which
+means you can eliminate all but the subnet<->subnet connection.
+
    + and FreeS/WAN technical lead Henry Spencer's comment: +
    +> I keep wondering why people create all four tunnels.  Why not route
+> traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
+
+This is feasible, given some iproute2 attention to source addresses, but
+it isn't something we've documented yet... (partly because we're still
+making some attempt to support 2.0.xx kernels, which can't do this, but
+mostly because we haven't caught up with it yet).
+
+> And 99% of the time you don't need to access "office" directly, which
+> means you can eliminate all but the subnet<->subnet connection.
+
+Correct in principle, but people will keep trying to ping to or from the
+gateways during testing, and sometimes they want to run services on the
+gateway machines too.
+
+

    Many tunnels from a single gateway

    FreeS/WAN allows a single gateway machine to build tunnels to many others. There may, however, be some problems for large numbers as @@ -3534,31 +3759,46 @@ 

            ipsec setup restart

    Again, this breaks any existing connections.

    Unencrypted tunnels

    -

    Sometimes you will want to create a tunnel without encryption. The -IPSEC protocols provide two ways to do this, either using -AH without ESP or using ESP with null -encryption. With Linux FreeS/WAN, these are currently supported for -manually keyed connections, but not with automatic keying, so we'll -look at other solutions here.

    +

    Sometimes you might want to create a tunnel without encryption. +Often this is a bad idea, even if you have some data which need not be +private. See this discussion.

    +

    The IPSEC protocols provide two ways to do build such tunnels,

    +
      +
    • using AH without ESP
      • +
    • using ESP with null encryption.
      • +
    + Linux FreeS/WAN allows AH-only for manually keyed connections, but not +with automatic keying, and does not support null encryption, so we'll +look at other solutions here.

    One situation in which this comes up is when otherwise some data would be encrypted twice. Alice wants a secure tunnel from her machine to Bob's. Since she's behind one security gateway and he's behind another, part of the tunnel that they build passes through the tunnel that their site admins have built between the gateways. All of Alice and Bob's messages are encrypted twice.

    -

    There are several ways to handle this.

    +

    There are several ways to handle this.

    • Just accept the overhead of double encryption. The site admins -might choose this if policy says encrypt everything, if they don't -entirely trust Alice and Bob, or if they don't feel the saved cycles -are worth the time they'd need to build a non-encrypted tunnel for -Alice and Bob's packets.
      • +might choose this if any of the following apply: +
        +
      • policy says encrypt everything (usually, it should)
        • +
      • they don't entirely trust Alice and Bob (usually, if they don't +have to, they shouldn't)
        • +
      • if they don't feel the saved cycles are worth the time they'd need +to build a non-encrypted tunnel for Alice and Bob's packets (often, +they aren't)
        • +
      +
    • Use a plain IP-in-IP tunnel. These are not well documented. A good starting point is in the Linux kernel source tree, in /usr/src/linux/drivers/net/README.tunnel.
      • -
    • Use a manually-keyed AH-only tunnel. This is recommended over ESP -with null encryption.
      • +
    • Use a manually-keyed AH-only tunnel.
    +

    Note that if Alice and Bob want end-to-end security, they must +build a tunnel end-to-end between their machines or use some other +end-to-end tool such as PGP or SSL that suits their data. The only +question is whether the admins build some special unencrypted tunnel +for those already-encrypted packets.

    FreeS/WAN manual pages

    The various components of Linux FreeS/WAN are of course documented @@ -3802,16 +4042,20 @@ must allow UDP 500 and at least one of AH or ESP on the interface that communicates with the other gateway.

    IPSEC through the gateway

    -

    The preceeding paragraph deals with packets addressed to or sent -from your gateway. It is a separate policy decision whether to -permit such packets to pass through the gateway so that +

    The preceeding paragraph deals with packets addressed to or +sent from your gateway. It is a separate policy decision whether +to permit such packets to pass through the gateway so that client machines can build end-to-end IPSEC tunnels of their own. This may not be practical if you are using NAT (IP masquerade) on your gateway, and may conflict with some corporate security policies. Other than that, it is likely a good idea.

    +

    Preventing non-IPSEC traffic

    + You can of course also filter everything but UDP port 500 and +ESP or AH to restrict traffic to IPSEC only, either for anyone +communicating with your host or just for specific partners.

    Filtering packets from unknown gateways

    -

    It is possible to use firewall rules to restrict UDP 500, ESP and AH - packets so that these packets are accepted only from known gateways. +

    It is possible to use firewall rules to restrict UDP 500, ESP and +AH packets so that these packets are accepted only from known gateways. This is not strictly necessary since FreeS/WAN will discard packets from unknown gateways. You might, however, want to do it for any of a number of reasons. For example:

    @@ -3857,7 +4101,7 @@ which can affect the operation of FreeS/WAN or of diagnostic tools commonly used with it. These are discussed below.

    ICMP filtering

    -

    ICMP is the Internet C +

    ICMP is the Internet C ontrol Message Protocol. It is used for messages between IP implementations themselves, whereas IP used is used between the clients of those implementations. ICMP is, @@ -3969,9 +4213,15 @@ Here you have a choice of techniques depending on whether you want to make your client subnet visible to clients on the other end:

      -
    • If you want to make them visible, then give the client subnet -addresses as the leftsubnet= parameter in the connection -description and +
    • If you want the single gateway to behave like the two shown above, +with your clients hidden behind the NAT, then omit the leftsubnet= + parameter. It then defaults to the gateway address. Clients on the +other end then talk via the tunnel only to your gateway. The gateway +takes packets emerging from the tunnel, applies normal masquerading, +and forwards them to clients.
      • +
    • If you want to make your client machines visible, then give the +client subnet addresses as the leftsubnet= parameter in the +connection description and
      either
      set leftfirewall=yes to use the default updown @@ -3987,11 +4237,6 @@ client subnet addresses, although of course the encapsulating packets use gateway addresses in their headers. Clients behind the right security gateway see a route via that gateway to the left subnet.

      -
    • If you want your clients hidden, then omit the leftsubnet= - parameter. It then defaults to the gateway address. Clients on the -other end then talk via the tunnel only to your gateway. The gateway -takes packets emerging from the tunnel, applies normal masquerading, -and forwards them to clients.

    NAT between gateways is problematic

    We recommend not trying to build IPSEC connections which pass @@ -4220,7 +4465,7 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # -# RCSID $Id: firewall.html,v 1.10.2.3 2001/03/15 00:12:35 henry Exp $ +# RCSID $Id: firewall.html,v 1.16 2001/05/02 20:56:27 sandy Exp $ # check interface version case "$PLUTO_VERSION" in @@ -4311,7 +4556,7 @@ only to known receivers) -

  • let Pluto deal with IKE
    • +
  • let Pluto deal with IKE
  • let KLIPS deal with ESP
  • if necessary, filter incoming packets emerging from KLIPS.
    • @@ -4331,7 +4576,7 @@ message.

    Those scripts were based on David Ranch's scripts for his "Trinity OS" for setting up a secure Linux. Check his -home page for the latest version and for information on his +home page for the latest version and for information on his book on securing Linux. If you are going to base your firewalling on Ranch's scripts, we recommend using his latest version, and sending him any IPSEC modifications you make for incorporation into later @@ -4373,9 +4618,9 @@

    Information available on your system

    man pages provided

    -
    ipsec.conf(5)
    +
    ipsec.conf(5)
    Manual page for IPSEC configuration file.
    -
    ipsec(8)
    +
    ipsec(8)
    Primary man page for ipsec utilities.

    Other man pages are on

    @@ -4399,7 +4644,7 @@
    Copious debugging info.

    Pluto problem hints

    -

    From a message posted to the mailing list Jan 14 2000 by Pluto +

    From a message posted to the mailing list Jan 14 2000 by Pluto developer Hugh Redelmeier:

     Until ipsec auto and whack/pluto get fixed:
@@ -4423,6 +4668,33 @@
  Various error messages from Pluto are discussed in the 
 FAQ and the ipsec_pluto(8)
  man page. 
+
    Using GDB on Pluto
    
+ You may need to use the GNU degugger, gdb(1), on Pluto. This should be 
+necessary only in unusal cases, for example if you encounter a problem 
+which the Pluto developer cannot readily reproduce or if you are 
+modifying Pluto. 
+
     Here are the Pluto developer's suggestions for doing this: 
    
+
    +Can you get a core dump and use gdb to find out what Pluto was doing
+when it died?
+
+To get a core dump, you will have to set dumpdir to point to a
+suitable directory (see ipsec.conf(5)).
+
+To get gdb to tell you interesting stuff:
+        $ script
+        $ cd dump-directory-you-chose
+        $ gdb /usr/local/lib/ipsec/pluto core
+        (gdb) where
+        (gdb) quit
+        $ exit
+
+The resulting output will have been captured by the script command in
+a file called "typescript".  Send it to the list.
+
+Do not delete the core file.  I may need to ask you to print out some
+more relevant stuff.
+
    
 
    ifconfig reports for KLIPS debugging
    
 
    From a mail message from our KLIPS developer:
    
 
    @@ -5041,7 +5313,7 @@
 
            man 8 ipsec_tncfg
    
 
 
    Pluto key and connection management daemon
    
-
     Pluto is our key management and negotiation 
+
     Pluto is our key management and negotiation 
 daemon. It lives in the pluto directory, along with its low-level user 
 utility, whack. 
    
 
     There are no subdirectories. Documentation is a man page, 
@@ -5101,11 +5373,11 @@
 patchers and commenters there, especially the ones quoted below but 
  also various contributors we haven't quoted.
    
 
    Implemented parts of the IPSEC Specification
    
-
    In general, do not expect Linux FreeS/WAN to do everything yet. This 
-is a  work-in-progress and some parts of the IPSEC specification are 
-not yet  implemented.
    
+
     In general, do not expect Linux FreeS/WAN to do everything yet. 
+This is a work-in-progress and some parts of the IPSEC specification 
+are not yet implemented.
    
 
    In Linux FreeS/WAN
    
-
    Things we do, as of version 1.9:
    
+
     Things we do, as of version 1.9:
    
 
      
 
    • key management methods 
 
      
@@ -5113,7 +5385,7 @@
 
      using keys stored in /etc/ipsec.conf
      
 
      automatically keyed
      
 
      Automatically negotiating session keys as required. All 
- connections are automatically re-keyed periodically. The 
+ connections are automatically re-keyed periodically. The 
  Pluto daemon implements this  using the IKE
  protocol.
      
 
      
@@ -5144,10 +5416,6 @@
 
      • 
 
    • encryption transforms 
 
      
-
      null encryption (to use ESP as an authentication-only service) 
      
-
      We implement this since the RFCs require it. Since it is  obviously 
-insecure, we disable it by default. It can be enabled  with a kernel 
-configuration option.
      
 
      DES
      
 
      DES is in the source code since it is needed to implement  3DES, 
 but single DES is not made available to users because 
@@ -5179,7 +5447,9 @@
 
      • 
 
    
 
     All combinations of implemented transforms are supported. Note that 
-some  form of authentication is recommended whenever encryption is used.
    
+some form of packet-level authentication is required whenever 
+encryption is used. Without it, the encryption will not be 
+secure.
    
 
    Deliberately ommitted
    
  We do not implement everything in the RFCs because some of those 
 things are insecure. See our discussions of avoiding 
@@ -5187,16 +5457,17 @@
 
    
 
     Things we deliberately omit which are required in the RFCs are:
    
 
      
+
    • null encryption (to use ESP as an authentication-only service) 
      • 
 
    • single DES 
      • 
 
    • DH group 1, a 768-bit modp group 
      • 
 
    
-
     Since these are the only encryption algorithm and DH group the RFCs 
-require, it is possible in theory to have a standards-conforming 
+
     Since these are the only encryption algorithms and DH group the 
+RFCs require, it is possible in theory to have a standards-conforming 
 implementation which will not interpoperate with FreeS/WAN. Such an 
 implementation would be inherently insecure, so we do not consider this 
 a problem. Anyway, most implementations sensibly include more secure 
-options as well, so dropping single DES and Group 1 does not greatly 
-hinder interoperation in practice.
    
+options as well, so dropping null encryption, single DES and Group 1 
+does not greatly hinder interoperation in practice.
    
 
     We also do not implement some optional features allowed by the 
 RFCs: 
    
 
      
@@ -5212,7 +5483,7 @@
 default. Typically, these are easily solved with a configuration change 
 that overrides that default.
      
 
      Not (yet) in Linux FreeS/WAN
      
-
      Things we don't yet do, as of version 1.9:
      
+
       Things we don't yet do, as of version 1.91:
      
 
        
 
      • key management methods 
 
          
@@ -5238,6 +5509,9 @@
 
          We expect eventually to do it using DNS. The newer versions of 
 BIND provide much of what we need but they are not  yet widespread 
 and our code to communicate with them is not  ready.
          
+
           Update: As of 1.91, we have beta-testable code for 
+opportunistic encryption. See our configuration 
+document. 
          
 
        
 
        • 
 
      
@@ -5257,6 +5531,19 @@
 
    • authentication transforms 
      • 
 
      No optional additional authentication transforms are currently 
  implemented and we do not forsee a need to add any soon.
      
+
    • Policy checking on decrypted packets 
      • 
+
       To fully comply with the RFCs, it is not enough just to accept only 
+packets  which survive any firewall rules in place to limit what IPSEC 
+packets get in,  and then pass KLIPS authentication. That is what 
+FreeS/WAN currently does. 
      
+
       We should also apply additional tests, for example ensuring that 
+all packets  emerging from a particular tunnel have sourcen and 
+destination addresses that  fall within the subnets defined for that 
+tunnel, and that packets with those  addresses that did not emerge from 
+the appropriate tunnel are disallowed. 
      
+
       This will be done as part of the KLIPS rewrite currently in 
+progress. See  these links and the 
+ design mailing list for discussion. 
      
 
      Our PF-Key implementation
      
 
      We use PF-key Version Two for communication between the KLIPS kernel 
 code  and the Pluto Daemon. PF-Key v2 is defined by 
@@ -5270,34 +5557,37 @@
 not  yet doing much upward communication from kernel to user space. 
 This will  change, but is not at the top of our priority list.
      
 
      PF-Key portability
      
-
      PF-Key came out of Berkeley Unix work and is used in the various BSD 
-IPSEC  implementations. We assume also in This means there is some hope 
-of  porting our Pluto(8) to one of the BSD distributions or running 
-their  photurisd(8) on Linux if you prefer Photuris
- key  management over IKE.
      
-
      It is, however, more complex than that. The three PF-Key 
-implementations  we have looked at -- ours, OpenBSD and KAME -- all 
-have extensions beyond  the RFC, and the extensions are different. 
-There have been discussions aimed  at sorting out the differences, 
-perhaps for a version three PF-Key spec. All  players are in favour of 
-this, but everyone involved is busy and it is not  clear whether or 
-when these discussions might bear fruit.
      
+
       PF-Key came out of Berkeley Unix work and is used in the various 
+BSD IPSEC implementations, and in Solaris. This means there is some 
+hope of porting our Pluto(8) to one of the BSD distributions, or of 
+running their photurisd(8) on Linux if you prefer 
+Photuris key management over IKE.
      
+
       It is, however, more complex than that. The PK-Key RFC deliberately 
+deals only with keying, not policy management. The three PF-Key 
+implementations we have looked at -- ours, OpenBSD and KAME -- all have 
+extensions to deal with security policy, and the extensions are 
+different. There have been discussions aimed at sorting out the 
+differences, perhaps for a version three PF-Key spec. All players are 
+in favour of this, but everyone involved is busy and it is not clear 
+whether or when these discussions might bear fruit.
      
 
      Kernels other than 2.0.38 and 2.2.18
      
-
      We develop and test on:
      
+
       We develop and test on:
      
 
        
-
      • Redhat 5.2 with a 2.0.38 kernel.
        • 
-
      • Redhat 6.1 with a 2.2.18 kernel.
        • 
+
      • Redhat 6.1 with a 2.2.19 kernel.
        • 
+
      • Redhat 7.1 with a 2.4.4 kernel.
        • 
 
      
 
       This is what we recommend. 
      
 
      Other 2.0.x Intel Kernels
      
 
       Consider upgrading to the 2.2 kernel series. If you want to stay 
-with the 2.0 series, then we strongly recommend 2.0.38. It has some 
-security patches not present in earlier 2.0 kernels.
      
+with the 2.0 series, then we strongly recommend 2.0.39. Some useful 
+security patches were added in 2.0.38.
      
 
       Various versions of the code have run at various times on most 
-2.0.xx kernels, but the current version is tested only on 2.0.38 and is 
-unlikely to compile on older kernels. Some of our patches for older 
-kernels are shipped in 2.0.37 and later, so they are no longer provided 
-in FreeS/WAN.
      
+2.0.xx kernels, but the current version is only lightly tested on 
+2.0.39, and not at all on older kernels. 
      
+
       Some of our patches for older kernels are shipped in 2.0.37 and 
+later, so they are no longer provided in FreeS/WAN. This means recent 
+versions of FreeS/WAN will probably not compile om anything earlier 
+than 2.0.37.
      
 
      2.2 and 2.4 Kernels
      
 
      
 
      FreeS/WAN 1.0
      
@@ -5308,12 +5598,11 @@
 
      FreeS/WAN 1.9
      
 
      runs on 2.0, 2.2 or 2.4 kernels
      
 
      
-
       We suggest the latest 2.2 kernel (2.2.18 at time of writing) for 
-production use. 
      
-
      Intel Linux distributions other than Redhat 5.x 
-and 6.x
      
-
       We develop and test on Redhat 5.2 for 2.0 kernels, and on Redhat 
-6.1 for 2.2, so minor changes may be required for other distributions.
      
+
       We suggest the latest 2.2 kernel or 2.4 (2.2.19 or 2.4.5 at time of 
+writing) for production use. 
      
+
      Intel Linux distributions other than Redhat
      
+
       We develop and test on Redhat 6.1 for 2.2 kernels, and on Redhat 
+7.1 for 2.4, so minor changes may be required for other distributions.
      
 
      Redhat 7.0
      
 
       There are some problems with FreeS/WAN on Redhat 7.0, but they are 
 soluble. 
      
@@ -5353,8 +5642,8 @@
  Check the mailing list archive for more recent 
 news.
 
      SuSE Linux
      
-
      SuSE 6.3 and later versions, at least in Europe, ship with FreeS/WAN 
- included.
      
+
       SuSE 6.3 and later versions, at least in Europe, ship with 
+FreeS/WAN included.
      
 
      Here are some notes for an earlier SuSE version.
      
 
      SuSE Linux 5.3
      
 
      Date: Mon, 30 Nov 1998
@@ -5697,9 +5986,8 @@
 made, but at time of writing (February 2001), the job is not complete. 
 For more recent information, check the mailing list
 .
      
-
       In short, Linux currently has both IPv6 support and IPSEC support, 
-but the two do not work together yet. We, and others, 
-are working on integrating them, but it is a substantial job. 
      
+
       The first release of Linux IPv6 with FreeS/WAN support is now 
+ available. 
      
 
      IPv6 background
      
 
       IPv6 has been specified by an IETF 
 working group. The group's page lists over 30 RFCs to date, and 
@@ -5788,40 +6076,50 @@
 those formats. See this list of  patches and add-ons
 . 
      
 
      Interoperability problems
      
-
      The IPSEC RFCs are complex and include a number of optional 
+
       The IPSEC RFCs are complex and include a number of optional 
 features.  There is considerable opportunity for even two correct, 
 standard-conforming,  implementations to disagree on details in a way 
 that blocks interoperation.  Of course, misinterpretations of the 
 standards and implementation or  configuration errors on either end can 
 also foul things up.
      
 
      That said, FreeS/WAN interoperates successfully with many other 
- implementations. There is a list in another 
- section.
      
+ implementations. There is a list below.
      
 
       Known areas where problems may appear are:
      
 
        
+
      • FreeS/WAN does not implement single DES because 
+DES is insecure. Suggestions on what to do if  the device you want 
+to talk to has only DES are below.
        • 
+
      • FreeS/WAN does not implement Diffie-Hellman group 1
+ because it  it is not entirely clear that this is secure.
        • 
 
      • The RFCs define two modes for IKE negotiations -- main mode and 
  aggressive mode. Aggressive mode is slightly faster, but reveals more 
  information to an eavesdropper. Specifically, it lets an eavesdropper 
  know what identities are in use. FreeS/WAN does not implement 
  aggressive mode, so any negotiation another implementation 
- tries that way will fail. In principle this should not be a problem 
- since main mode support is required in all implementations and 
-aggressive  mode is optional. 
        • 
-
         In practice, it is sometimes a problem. Some implementations 
-default to  aggressive mode unless you configure them for main mode.
        
-
      • FreeS/WAN does not implement single DES because 
-DES is insecure. Suggestions on what to do if  the device you want 
-to talk to has only DES are in our FAQ document.
        • 
-
      • FreeS/WAN does not implement Diffie-Hellman group 1
- because it  it is not entirely clear that this is secure. 
        • 
-
      • For automatic keying, the FreeS/WAN default is to provide 
- perfect forward secrecy. We see no reason not  to; this 
-is more secure and costs little. Some other implementations,  however, 
-turn PFS off by default. 
        • 
+ tries that way will fail. 
+
         In principle this should not be a problem  since main mode support 
+is required in all implementations and aggressive  mode is optional. 
+ In practice, it is sometimes a problem.  Some implementations default 
+to  aggressive mode unless you configure them for main mode.
        
+
      •  For automatic keying, the FreeS/WAN default is to provide  perfect forward secrecy. We see no reason not 
+ to; this is more secure and costs little. Some other implementations, 
+ however, turn PFS off by default. 
        • 
 
         You can turn PFS off in FreeS/WAN with the pfs=no
  setting in  ipsec.conf(5), 
 but if possible  we suggest you enable it on the other end instead. 
 That is more secure.
        
+
      •  The IKE protocol allows several types of optional message. Two 
+things happen  which are allowed by the RFCs: 
+
          
+
        • Some implementations send various optional messages. 
          • 
+
        • FreeS/WAN ignores them. 
          • 
+
        
+ However, problems may arise if the other end relies on some expected 
+effect  of these messages. There are two FAQ questions dealing with 
+this, one on the  log message FreeS/WAN gives 
+when ignoring  optional payloads and one on the 
+delete SA payload. 
        • 
 
      
 
       The general rule is that to interoperate with FreeS/WAN, the other 
 implementation should be configured for:
      
@@ -5831,34 +6129,39 @@
 
    • Diffie-Hellman Group 2 or 5 
      • 
 
    
 
     This is possible for most implementations.
    
-
    Systems that want to use DES
    
-
     Linux FreeS/WAN does not support DES transforms. Neither Pluto's 
-IKE connections nor KLIPS' IPSEC connections can use DES. Since 
-DES is insecure we do not, and will not at any future time, provide 
-it.
    
+
    Systems that want to use single DES
    
+
     Linux FreeS/WAN does not support single DES transforms. Neither 
+Pluto's IKE connections nor KLIPS' IPSEC connections can use DES. Since DES is insecure we do not, and will not at any 
+future time, provide it.
    
 
     DES is, unfortunately, a mandatory part of the 
 IPSEC standard. Despite that, we will not implement DES. We believe 
 it is more important to provide security than to comply with a standard 
-which has been subverted into allowing weak algorithms. See our 
-history and politics section for discussion.
    
-
    Some implementations may offer DES as the default. In such cases we 
+which has been subverted into allowing weak 
+algorithms. See our history and politics
+ section for discussion.
    
+
     Some implementations may offer DES as the default. In such cases we 
 urge  you to change them to Triple DES. If this is 
 not  possible, for example because export laws
  prevent your  vendor from offerring you adequate crytography, we urge 
-you to complain  vigorously to
    
+you to complain vigorously to one or more of:
    
 
      
-
    • your government
      • 
+
    • your government, especially any department concerned with 
+protecting citizens'  privacy or your nation's communication 
+infrastructure
      • 
 
    • the vendor
      • 
-
    • the embassy of the nation whose laws are problematic for you.
      • 
+
    • the embassy of the nation whose laws are problematic for you
      • 
 
    
-
     In the meanwhile, use FreeS/WAN to get strong crypto until the laws 
-are fixed.
    
+
     Consider using FreeS/WAN instead. PCs are cheap and we deliver 3DES 
+now. 
    
 
     FreeS/WAN does have DES code in it as a sort of 
 historical accident, since we need it to implement our default 
 (currently, our only) block cipher, Triple DES. 
 However, since DES is insecure, we do not 
-provide any interface to that code and, as a matter of policy, will 
-provide no help to anyone who may wish to use it.
    
+provide any interface to that code.
    
+
     As a matter of project policy, we will not help anyone subvert 
+FreeS/WAN to provide insecure DES encryption
+. 
    
 
    Interop HowTo documents
    
 
     The FreeS/WAN team does not have the resources to test with 
 anything like the full range of other IPSEC 
@@ -6023,7 +6326,7 @@
 I've attached some ipsec barf output - pluto still complains a few times,
 but it gets there :-)
 
    
-
    A later message from Ian:
    
+
     A later message from Ian:
    
 
     This configuration is provided as-is and with no assistance or guarantee
 that it works whatsover. In particular your attention is drawn to the versions
@@ -6101,6 +6404,19 @@
 |     7500 Series
 
    
 
    Nortel (Bay Networks) Contivity switch
    
+ There is one known issue in FreeS/WAN-to-Contivity interoperation. 
+Recent versions of FreeS/WAN no longer support DH group 1 for key 
+exchange. Older versions of Contivity software support nothing else. 
+Group 2 was added in more recent releases. So: 
+
      
+
    • older FreeS/WANs, such as 1.5, will work with any Contivity 
+software. Key exchange will be done using DH Group 1. This may not be 
+secure. 
      • 
+
    • current FreeS/WANs will work only with recent Contivity releases 
+supporting DH Group 2. Contivity 3.5 is one such release. 
      • 
+
    
+ We recommend using the latest Contivity release. 
+
     Some messages from the mailing list: 
    
 
     Subject: Contivity Extranet Switch
    Date: Fri, 11 Jun 1999
@@ -6507,6 +6823,13 @@
 HowTo for connecting FreeS/WAN and this product can be downloaded 
 from the  vendor's site or browsed at a VPN mailing list 
 site.
    
+
    Redcreek Ravlin
    
+ We have reports of successful interoperation at an interop 
+conference, but there is also a mailing list 
+ thread discussing difficulties some users have encountered. 
+
    SSH Sentinel
    
+ The vendor's 
+ web site has configuration examples for use with FreeS/WAN. 
 
    F-Secure VPN for Windows
    
 
       Subject: linux-ipsec: Identification through other than IP number
    Date: Tue, 13 Apr 1999
@@ -7140,8 +7463,9 @@
 of both domains or consider setting up WINS service(s).
 
    
  We suspect that in some cases it may be more complex than that. See 
-the discussion of Linux services and Windows 2000 below
-. 
+the discussion of Linux services and Windows 2000
+ below and the Interop HowTo documents listed 
+above. 
 
    Windows 2000
    
 
     Windows 2000 ships with an IPSEC implementation built in. There may 
 be  restrictions. We have had mailing list reports that only the server 
@@ -7211,16 +7535,9 @@
 http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00195.html
 
    
 
    FreeS/WAN-to-Win2000 interop
    
-
    As for IPSEC interoperation between Windows 2000 and FreeS/WAN, 
-there are some web sites:
    
-
+
     As for IPSEC interoperation between Windows 2000 and FreeS/WAN, 
+there are several web sites listed under Interop 
+HowTo documents above.
    
 
    Here is a discussion from the mailing list:
    
 
    From: "Jean-Francois Nadeau" <jna@microflex.ca>
 Subject: Win2000 IPsec  interop. in tunnel mode
@@ -7358,19 +7675,18 @@
 general-purpose digital computers. 
 
  • Ultra made codebreaking a large-scale enterprise, producing 
 intelligence on an industrial scale. This was not a "black chamber", 
-not some hidden room in some obscure government building with a small 
-crew of code-breakers. The whole operation -- from intercept operators 
-all over the world grabbing copies of enemy communications, through 
-large-scale code-breaking and analysis of the decrypted material (with 
-an enormous set of files for cross-referencing), to delivery of 
-intelligence to field commanders -- was huge, and very carefully 
-managed. 
    • 
+not a hidden room in some obscure government building with a small crew 
+of code-breakers. The whole operation -- from wholesale interception of 
+enemy communications by stations around the world, through large-scale 
+code-breaking and analysis of the decrypted material (with an enormous 
+set of files for cross-referencing), to delivery of intelligence to 
+field commanders -- was huge, and very carefully managed. 
 
 
     So by the end of the war, Allied code-breakers were expert at 
 large-scale mechanised code-breaking. The payoffs were enormous. 
    
 
    Postwar and Cold War
    
  The wartime innovations were enthusiastically adopted by post-war and 
-Cold War signals intelligence agencies. Presumably most nations now 
+Cold War signals intelligence agencies. Presumably many nations now 
 have some agency capable of sophisticated attacks on communications 
 security, and quite a few engage in such activity on a large scale. 
 
     America's NSA, for example, is said to be both 
@@ -7391,7 +7707,7 @@
 electronic mail, or tapping into the huge volumes of data on new media 
 such as fiber optics or satellite links. None of these targets existed 
 in 1950. All of them can be attacked today, and almost certainly are 
-being attacked on a large scale. 
    
+being attacked. 
    
 
     The Ultra story was not made public until the 1970s. Much of the 
 recent history of codes and code-breaking has not been made public, and 
 some of it may never be. Two important books are: 
    
@@ -7423,20 +7739,26 @@
 networking becoming ubiquitous, cryptography is now important to almost 
 everyone. Among the developments since the 1970s: 
    
 
      
-
    • the US gov't established the DES standard, a 
-block cipher for cryptographic protection of unclassfied documents 
      • 
-
    • public key cryptography invented by Diffie 
-and Hellman 
      • 
-
    • academic conferences such as 
-Crypto, 
-Eurocrypt, ... 
      • 
-
    • companies offerring cryptographic products: RSA
-, PGP, the many vendors with PKI
- products, ... 
      • 
-
    • crypto in other products: operating systems, word processors, ... 
      • 
-
    • network protocols based on crypto:  SSH, 
-SSL,  IPSEC, ... 
      • 
-
    • widespread use of cryptography to secure bank cards, terminals, ... 
      • 
+
    • The US gov't established the Data Encryption Standard, 
+DES standard, a block cipher for cryptographic 
+protection of unclassfied documents. It has also been widely used in 
+industry. 
      • 
+
    • Public key cryptography was invented by 
+Diffie and Hellman. 
      • 
+
    • Academic conferences such as 
+Crypto and 
+Eurocrypt began. 
      • 
+
    • Several companies began offerring cryptographic products: 
+RSA, PGP, the many vendors with 
+PKI products, ... 
      • 
+
    • Cryptography appeared in other products: operating systems, word 
+processors, ... 
      • 
+
    • Network protocols based on crypto were developed: 
+ SSH, SSL,  IPSEC, ... 
      • 
+
    • Crytography came into widespread use to secure bank cards, 
+terminals, ... 
      • 
+
    • The US government replaced DES with the much 
+stronger Advanced Encryption Standard, AES
      • 
 
    
 
     This has led to a complex ongoing battle between various mainly 
 government groups wanting to control the spread of crypto and various 
@@ -7497,14 +7819,20 @@
 communication systems, but that it is an activity of the  investigative 
 authorities and intelligence services of many countries with 
  governments of different political signature.  Even if 
-they have nothing on the scale of Echelon, most or all intelligence 
-agencies and  police forces certainly have some interception 
-capability. 
+they have nothing on the scale of Echelon, most intelligence agencies 
+and  police forces certainly have some interception capability. 
+
  • NSA tapping of submarine communication cables, 
+described  in 
+this article
    • 
 
  • A proposal for international co-operation on 
  Internet surveillance.
    • 
 
  • Alleged sabotage
  of security  products by the NSA (the US signals 
 intelligence agency).
    • 
+
  • The German armed forces and some government departments will stop 
+using American software for fear of NSA  "back doors", according to 
+this news 
+story. 
    • 
 
  • The British Regulation of Investigatory Powers bill. See  this 
 web page. and  perhaps this 
 cartoon.
    • 
@@ -7538,6 +7866,8 @@
 
      
 
    • industrial espionage, as for example in this 
 news story
      • 
+
    • attacks by organised criminals, as in this 
+ large-scale attack
      • 
 
    • collection of personal data by various companies. 
 
        
 
      • for example, consider the various corporate winners of Privacy 
@@ -7894,11 +8224,13 @@
 held by some third party and turned over to law enforcement or security 
 agencies under some conditions.
        
 
        -Mary had cryptography
-Her keys were in escrow
-And everything that Mary said
-The feds were sure to know
+  Mary had cryptography
+  Her keys were in escrow
+  And everything that Mary said
+  The feds were sure to know
 
        
+ (If anyone knows the origin of that ditty, let 
+let me know so I can credit the author.) 
 
         There is an excellent paper available on 
 Risks of Escrowed Encryption, from a group of cryptographic 
 luminaries which included our project leader.
        
@@ -7916,14 +8248,18 @@
 
         FreeS/WAN does not support escrowed encryption, and never will.
        
 
        Limited key lengths
        
 
         Various governments, and some vendors, have also made persistent 
-attempts to convince people that weak systems are sufficient for some 
-data, that strong cryptography should be reserved for cases where the 
-extra overheads are justified. This is nonsense.
        
+attempts to convince people that: 
        
+
          
+
        • weak systems are sufficient for some data 
          • 
+
        • strong cryptography should be reserved for cases where the extra 
+overheads are justified 
          • 
+
        
+ This is nonsense.
 
         Weak systems touted include:
        
 
          
 
        • the ludicrously weak (deliberately crippled) 40-bit ciphers that 
 until  recently were all various export laws
- allowed.
          • 
+ allowed
 
        • 56-bit single DES, discussed below
          • 
 
        • 64-bit symmetric ciphers and 512-bit RSA, the maximums for 
 unrestricted  export under various current laws
          • 
@@ -7954,10 +8290,12 @@
 usually hybrid systems in which the bulk of the 
 work is done  by a symmetric cipher. The effect of increasing the cost 
 of the public  key operations is typically negligible because the 
-public key operations  use only a tiny fraction of total resources. For 
-example, if public key  operations use use 1% of the time in a hybrid 
-system and you triple the  cost of public key operations, the overall 
-effect is a 2% rise in system  cost.
+public key operations  use only a tiny fraction of total resources. 
+
           For example, suppose public key  operations use use 1% of the time 
+in a hybrid system and you triple the  cost of public key operations. 
+The cost of symmetric cipher operations  is unchanged at 99% of the 
+original total cost, so the overall effect is a  jump from 99 + 1 = 100 
+to 99 + 3 = 102, a 2% rise in system cost.
          
 
        
 
         In short, there has never been any technical reason to use 
 inadequate ciphers. The only reason there has ever been for 
@@ -8634,7 +8972,7 @@
 Multicast is not yet supported, though there are  Internet Draft 
 documents for that.
        
 
        IPSEC creates secure tunnels through untrusted networks
-.  Sites connected by these tunnels form VPNs, Virtual 
+.  Sites connected by these tunnels form VPNs, Virtual 
 Private  Networks.
        
 
        IPSEC gateways can be installed wherever they are required.
        
 
          
@@ -8682,7 +9020,7 @@
  on various protocols become difficult if authentication at  packet 
 level is in use on the potential victims' communication channel.
          
 
          Using authentication without encryption
          
-
          Where appropriate, IPSEC can provide authentication without 
+
           Where appropriate, IPSEC can provide authentication without 
 encryption.  One might do this, for example:
          
 
            
 
          • where the data is public but one wants to be sure of getting the 
@@ -8695,6 +9033,12 @@
 protocols  harder.
            • 
 
          
 
           Authentication has lower overheads than encryption. 
          
+
           The protocols provide four ways to build such connections, using 
+either an AH-only connection or ESP using null encryption, and in 
+either manually or automatically keyed mode. FreeS/WAN supports only 
+one of these, manually keyed AH-only connections, and we do not 
+recommend using that. Our reasons are discussed under 
+Resisting traffic analysis a few sections further along. 
          
 
          Encryption without authentication is dangerous
 
          
 
          Originally, the IPSEC encryption protocol ESP
@@ -8712,7 +9056,7 @@
 
        • ESP for encryption and authentication
          • 
 
        • AH for authentication alone
          • 
 
        
-
        Other variants are allowed by the standard, but not much used:
        
+
         Other variants are allowed by the standard, but not much used:
        
 
        
 
        ESP encryption without authentication
        
 
        Bellovin has demonstrated fatal flaws in this. Do not  use.
@@ -8732,14 +9076,14 @@
  might use ESP as well.
        
 
        ESP authentication without encryption
        
 
        The standard allows this, calling it "null encryption". FreeS/WAN 
- does not normally support it, but it can be enabled with a kernel 
- configuration option. We recommend that you use AH instead if 
+ does not support it. We recommend that you use AH instead if 
  authentication is all you require. AH authenticates parts of the IP 
- header, which ESP-null does not do. Also, if you do not enable 
- ESP-null on your FreeS/WAN machine, then you run no risk of a 
- configuration error using this when it should be encrypting.
        
+ header, which ESP-null does not do.
 
        
-
        There are fairly frequent suggestions that AH be dropped entirely 
+ Some of these variants cannot be used with FreeS/WAN because we do not 
+support ESP-null and do not support automatic keying of AH-only 
+connections. 
+
         There are fairly frequent suggestions that AH be dropped entirely 
 from  the IPSEC specifications since ESP and null encryption can handle 
 that  situation. It is not clear whether this will occur. My guess is 
 that it is  unlikely.
        
@@ -8770,13 +9114,12 @@
 useful intelligence from encrypted traffic without breaking the 
 encryption. For example, an eavesdropper might deduce something 
 interesting merely by knowing that your CEO was exchanging email with a 
-particular venture capital firm. Or that all the CEO's mail this week 
-went to a firm of bankruptcy trustees and a half dozen executive 
-recruiting agencies. 
        
+particular venture capital firm, or that the CEO was talking to a firm 
+of bankruptcy trustees and a half dozen executive recruiting agencies. 
        
 
         Except in the simplest cases, traffic analysis is hard to do well. 
 It requires both considerable resources and considerable analytic 
 skill. However, intelligence agencies of various nations have been 
-doing it for centuries and most of them are likely quite good at it by 
+doing it for centuries and many of them are likely quite good at it by 
 now. Various commercial organisations, especially those working on 
 "targeted marketing" may also be quite good at analysing certain types 
 of traffic. 
        
@@ -9206,13 +9549,10 @@
 may choose to support  additional algorithms in either category.
        
 
        The authentication algorithms are the same ones used in the IPSEC 
 authentication header.
        
-
        We do not implement single DES since DES is 
- insecure. Instead we provide triple DES or 3DES
+
         We do not implement single DES since DES is 
+insecure. Instead we provide triple DES or 3DES
 .  This is currently the only encryption algorithm supported.
        
-
        We do implement null encryption, but it is disabled by default. You 
-can  enable it in the IPSEC part of kernel configuration if required. 
-We would  suggest, however, that if you need only authentication, you 
-should use AH  rather than ESP with null encryption.
        
+
         We do not implement null encryption since it is obviously insecure.
        
 
        IPSEC modes
        
 
        IPSEC can connect in two modes. Transport mode is a host-to-host 
  connection involving only two machines. In tunnel mode, the IPSEC 
@@ -9273,11 +9613,11 @@
 are  stored with the connection definitions in /etc/ipsec.conf.
        
 
        Manual keying is useful for debugging since it 
  allows you to test the KLIPS kernel IPSEC code 
-without  the Pluto daemon doing key negotiation.
        
+without  the Pluto daemon doing key negotiation.
        
 
        In general, however, automatic keying is preferred because it is 
 more  secure.
        
 
        Automatic keying
        
-
        In automatic keying, the Pluto daemon 
+
        In automatic keying, the Pluto daemon 
 negotiates  keys using the IKE Internet Key Exchange 
 protocol.  Connections are automatically re-keyed periodically.
        
 
        This is considerably more secure than manual keying. In either case 
@@ -9289,7 +9629,7 @@
 two admins make changes. Moreover, they  have to communicate the new 
 keys securely, perhaps with PGP or SSH
 .  This may be possible in some  cases, but as a general solution it is 
-expensive, bothersome and unreliable.  Far better to let 
+expensive, bothersome and unreliable.  Far better to let 
 Pluto handle these chores; no doubt  the administrators have enough 
 to do.
        
 
        Also, automatic keying is inherently more secure against an attacker 
@@ -9359,7 +9699,7 @@
 Linux FreeS/WAN might be  a good project for a volunteer. The likely 
 starting point would be the  OpenBSD photurisd code.
        
 
        SKIP
        
-
        SKIP is yet another key management protocol, 
+
        SKIP is yet another key management protocol, 
  developed by Sun. At one point it was fairly widely used, but our 
 current  impression is that it is moribund, displaced by IKE. Sun now 
 (as of Solaris  8.0) ship an IPSEC implementation using IKE. We have no 
@@ -9379,7 +9719,8 @@
 
        
 
          
 
        • The general list for discussing use of the software 
          • 
-
        • The place for seeking help with problems. 
          • 
+
        • The place for seeking help with problems (but 
+please check the FAQ first). 
          • 
 
        • Anyone can post. 
          • 
 
        
 
        
@@ -9401,7 +9742,9 @@
 
      • Design discussions, for people working on 
 FreeS/WAN development or others with an interest  in design and 
 security issues. 
        • 
-
      • Only subscribers can post. 
        • 
+
      • It would be a good idea to read the existing design papers (see 
+this list) before  posting. 
        • 
+
      • Anyone can post. 
        • 
 
      
 
 
      
@@ -9413,7 +9756,10 @@
 software. 
      • 
 
    • All posts here are also sent to the users list. You need not 
 subscribe to both. 
      • 
-
    • Only authorised people can post. 
      • 
+
    • Only the FreeS/WAN team can post. 
      • 
+
    • If you have something you feel should go on this list, send it to 
+announce-admin@lists.freeswan.org.  Unless it is obvious, please 
+include a short note explaining why we should post it.
      • 
 
    
 
 
    
@@ -9424,7 +9770,7 @@
 
  • Weekly summaries of activity on the users list. 
    • 
 
  • All posts here are also sent to the users list. You need not 
 subscribe to both. 
    • 
-
  • Only authorised people can post. 
    • 
+
  • Only the FreeS/WAN team can post. 
    • 
 
 
 
@@ -9436,6 +9782,8 @@
 
  • send mail to listname-request@lists.freeswan.org with a 
 one-line message body "subscribe" 
    • 
 
+
     Archives of these lists are available via the 
+web interface. 
    
 
    List policies
    
  US citizens or residents are asked not to post code to the 
 lists, not even one-line bug fixes. The project cannot accept 
@@ -9455,7 +9803,9 @@
 
  • Canada
    • 
 
  • Holland
    • 
 
-
    Note that these use different search engines. Try both.
    
+
     Note that these use different search engines. Try both.
    
+
     Archives of the new lists are available via the 
+web interface. 
    
 
    Other FreeS/WAN related lists
    
 
     There are several other lists related to FreeS/WAN: 
    
 
      
@@ -9569,10 +9919,24 @@
 
    • patches for X.509 
  certificate support, also available from a 
 mirror site
      • 
+
    • a series of patches that 
+
        
+
      • provide GOST, a Russian gov't. standard cipher, in MMX assembler 
        • 
+
      • add GOST to OpenSSL 
        • 
+
      • add GOST to the International kernel patch 
        • 
+
      • let FreeS/WAN use International kernel patch ciphers 
        • 
+
      
+
      • 
+
    • IPv6 
+support
      • 
 
    
 
     Before using these, check the mailing list
  for news of newer versions and to see whether they have been 
 incorporated into more recent versions of FreeS/WAN.
    
+
     Note: At one point the way PGP generates RSA keys 
+and the way FreeS/WAN checks them for validity before using them were 
+slightly different, so quite a few PGP-generated keys would be rejected 
+by FreeS/WAN, confusing users no end. This is fixed in 1.9. 
    
 
     A set of PKIX patches were recently announced on the mailing list:
    
 
     Subject: a different PKIX patch.
@@ -9612,6 +9976,8 @@
 
  • patches
  to add Blowfish, IDEA and CAST-128 to FreeS/WAN
    • 
+
  • 
+patches for aggressive  mode support 
    • 
 
 
     These patches are for older versions of FreeS/WAN and will likely 
 not work with the current version.  Older versions of FreeS/WAN may be 
@@ -9665,7 +10031,7 @@
 
    
+
     Another useful command here is ipsec auto --replace 
+<conn_name> which re-reads data for a named connection. 
    
 
    Can I use several masqueraded subnets?
    
  Yes. This is done all the time. See the discussion in our 
 setup document. The only restriction is that the subnets on the two 
@@ -13482,24 +14147,27 @@
 a tunnel that pokes through both masquerades and delivers packets from 
 leftsubnet to rightsubnet and vice versa. For this to 
 work, the two subnets must be distinct. 
    
-
     There are only two solutions to this problem. 
    
+
     There are several solutions to this problem. 
    
 
      
-
    • Usually, you re-number the subnets. Perhaps the Vancouver office 
-becomes 192.168.101.0/24, Calgary 192.168.102.0/24 and so on. FreeS/WAN 
-can happily handle this. With, for example 
+
    • Usually, you re-number the subnets. Perhaps the 
+Vancouver office becomes 192.168.101.0/24, Calgary 192.168.102.0/24 and 
+so on. FreeS/WAN can happily handle this. With, for example 
 leftsubnet=192.168.101.0/24 and rightsubnet=192.168.102.0/24
  in a connection description, any machine in Calgary can talk to any 
 machine in Vancouver. If you want to be more restrictive and use 
 something like leftsubnet=192.168.101.128/25 and 
 rightsubnet=192.168.102.240/28 so only certain machines on each 
 end have access to the tunnel, that's fine too. 
      • 
-
    • Alternately, you can just give up routing directly to machines on 
-the subnets. Omit the leftsubnet and rightsubnet
- parameters from your connection descriptions. Your IPSEC tunnels will 
-then run between the public interfaces of the two firewalls. Packets 
-will be masqueraded both before they are put into tunnels and after 
-they emerge. Your Vancouver client machines will see only one Calgary 
-machine, the firewall. 
      • 
+
    • You could also split the subnet into smaller ones, 
+for example using 192.168.1.0/25 in Vancouver and 
+rightsubnet=192.168.0.128/25 in Calgary. 
      • 
+
    • Alternately, you can just give up routing directly 
+to machines on the subnets. Omit the leftsubnet and 
+rightsubnet parameters from your connection descriptions. Your 
+IPSEC tunnels will then run between the public interfaces of the two 
+firewalls. Packets will be masqueraded both before they are put into 
+tunnels and after they emerge. Your Vancouver client machines will see 
+only one Calgary machine, the firewall. 
      • 
 
    
 
    Can I assign a road warrior an address on my 
 net?
    
@@ -13539,8 +14207,145 @@
 DiffServ does not interact well with tunneling in general.  Ways of
 improving this are being studied.
 
    
- See ipsec.conf(5) for more 
-on the hidetos= parameter. 
+
     Copying the TOS information from the encapsulated packet to the 
+outer header reveals the TOS information to an eavesdropper. It is not 
+clear whether or how an attacker could use this information, but since 
+we do not have to give it to him, our default is not to. 
    
+
     See ipsec.conf(5) for 
+more on the hidetos= parameter. 
    
+
    Can I recognise dead tunnels and shut them 
+down?
    
+ There is no general mechanism to do this is in the IPSEC protocols. 
+
     From time to time, there is discussion on the IETF Working Group 
+mailing list of adding a "keep-alive" mechanism (which some say 
+should be called "make-dead"), but it is a fairly complex problem and 
+no consensus has been reached on whether or how it should be done. 
    
+
     The protocol does have optional delete-SA
+ messages which one side can send when it closes a connection in hopes 
+this will cause the other side to do the same. FreeS/WAN does not 
+currently support these. In any case, they would not solve the problem 
+since: 
    
+
      
+
    • a gateway that crashes or hangs would not send the messages 
      • 
+
    • the sender is not required to send them 
      • 
+
    • they are not authenticated, so any receiver that trusts them leaves 
+itself open to a denial of service attack 
      • 
+
    • the receiver is not required to do anything about them 
      • 
+
    • the receiver cannot acknowledge them; the protocol provides no 
+mechanism for that 
      • 
+
    • since they are not acknowledged, the sender cannot rely on them 
      • 
+
    
+
     However, connections do have limited lifetimes and you can control 
+how many attempts your gateway makes to rekey before giving up. For 
+example, you can set: 
    
+
    +conn default
+	keyingtries=3
+	keylife=30m
+
    
+ With these settings old connections will be cleaned up. Within 30 
+minutes of the other end dying, rekeying will be attempted. If it 
+succeeds, the new connection replaces the old one. If it fails, no new 
+connection is created. Either way, the old connection is taken down 
+when its lifetime expires. 
+
     Here is a mailing list message on the topic from FreeS/WAN tech 
+support person Claudia Schmeing: 
    
+
    +You ask how to determine whether a tunnel is redundant:
+
+> Can anybody explain the best way to determine this. Esp when a RW has
+> disconnected? I thought 'ipsec auto --status' might be one way.
+
+If a tunnel goes down from one end, Linux FreeS/WAN on the
+other end has no way of knowing this until it attempts to rekey.
+Once it tries to rekey and fails, it will 'know' that the tunnel is 
+down.
+
+Because it doesn't have a way of knowing the state until this point, 
+it will also not be able to tell you the state via ipsec auto --status.
+
+> However, comparing output from a working tunnel with that of one that
+> was closed 
+> did not show clearly show tunnel status.
+
+If your tunnel is down but not 'unrouted' (see man ipsec_auto), you
+should not be able to ping the opposite side of the tunnel. You can
+use this as an indicator of tunnel status.
+
+On a related note, you may be interested to know that as of 1.7, 
+redundant tunnels caused by RW disconnections are likely to be 
+less of a pain. From doc/CHANGES:
+
+    There is a new configuration parameter, uniqueids, to control a new Pluto
+    option:  when a new connection is negotiated with the same ID as an old
+    one, the old one is deleted immediately.  This should help eliminate
+    dangling Road Warrior connections when the same Road Warrior reconnects. 
+    It thus requires that IDs not be shared by hosts (a previously legal but
+    probably useless capability).  NOTE WELL:  the sample ipsec.conf now has
+    uniqueids=yes in its config-setup section.
+
+
+Cheers,
+
+Claudia
+
    
+
    Can I build tunnels over a demand-dialed link?
+
    
+ This is possible, but not easy. FreeS/WAN technical lead Henry Spencer 
+wrote: 
+
    +> 5. If the ISDN link goes down in between and is reestablished, the SAs
+> are still up but the eroute are deleted and the IPSEC interface shows
+> garbage (with ifconfig)
+> 6. Only restarting IPSEC will bring the VPN back online.
+
+This one is awkward to solve.  If the real interface that the IPsec
+interface is mounted on goes down, it takes most of the IPsec machinery
+down with it, and a restart is the only good way to recover. 
+
+The only really clean fix, right now, is to split the machines in two: 
+
+1. A minimal machine serves as the network router, and only it is aware
+that the link goes up and down. 
+
+2. The IPsec is done on a separate gateway machine, which thinks it has
+a permanent network connection, via the router.
+
+This is clumsy but it does work.  Trying to do both functions within a
+single machine is tricky.  There is a software package (diald) which will
+give the illusion of a permanent connection for demand-dialed modem
+connections; I don't know whether it's usable for ISDN, or whether it can
+be made to cooperate properly with FreeS/WAN. 
+
+Doing a restart each time the interface comes up *does* work, although it
+is a bit painful.  I did that with PPP when I was running on a modem link;
+it wasn't hard to arrange the PPP scripts to bring IPsec up and down at
+the right times.  (I'd meant to investigate diald but never found time.)
+
+In principle you don't need to do a complete restart on reconnect, but you
+do have to rebuild some things, and we have no nice clean way of doing
+only the necessary parts.
+
    
+ In the same thread, one user commented: 
+
    +Subject: Re: linux-ipsec: IPSEC and Dial Up Connections
+   Date: Wed, 22 Nov 2000
+   From: Andy Bradford <andyb@calderasystems.com>
+
+On Wed, 22 Nov 2000 19:47:11 +0100, Philip Reetz wrote:
+
+> Are there any ideas what might be the cause of the problem and any way
+> to work around it.
+> Any help is highly appreciated.
+
+On my laptop, when using ppp there is a ip-up script in /etc/ppp that 
+will be executed each time that the ppp interface is brought up.  
+Likewise there is an ip-down script that is called when it is taken 
+down.  You might consider custimzing those to stop and start FreeS/Wan 
+with each connection.  I believe that ISDN uses the same files, though 
+I could be wrong---there should be something similar though.
+
    
+
 
    Does FreeS/WAN support X.509 or other PKI certificates?
    
  FreeS/WAN, as distributed, does not currently support use of     
 X.509 or other PKI certificates for 
@@ -13576,40 +14381,34 @@
 authentication. 
 
  If either of those is trustworthy, it is not clear that you need user 
-authentication in IPSEC. 
+authentication in IPSEC. 
 
    Does FreeS/WAN support single DES encryption?
    
  No, single DES is not used either at the     IKE level 
 for negotiating connections or at the IPSEC level 
 for actually building them. 
-
     Single DES is insecure. 
-
    
-
    But isn't DES support part of the IPSEC standard?
    
- Yes, but     DES is insecure. As we see it, it 
-is more important to deliver real security than to comply with a 
+
     Single DES is insecure. As we see it, 
+it is more important to deliver real security than to comply with a 
 standard which has been subverted into allowing use of inadequate 
-methods. See this discussion. 
-
    I have to talk to .... which offers only DES. How do I do this?
    
- Ask the device vendor for the triple DES upgrade. 
-These exist for many IPSEC devices. If no cipher stronger than DES is 
-available, we recommend you not use that IPSEC implementation. 
-
     If a 3DES implementation exists but your vendor cannot sell it to 
-you because of export laws, consider complaining to one or more of: 
    
-
      
-
    • the vendor 
      • 
-
    • your own government, especially any branch concerned with citizen's 
-privacy and/or protection of communication infrastructure 
      • 
-
    • the local embassy of the nation which restricts export to you 
      • 
-
    
-
     Consider using FreeS/WAN instead. PCs are cheap and we deliver 3DES 
-now. 
    
-
     As a matter of project policy, we will not help anyone subvert 
-FreeS/WAN to provide insecure DES encryption
-. 
    
-
    Why don't you restrict the mailing list to reduce 
+methods. See this discussion. 
    
+
     If you want to interoperate with an IPSEC implementation which 
+offers only DES, see our interoperation document. 
    
+
    Why don't you restrict the mailing lists to reduce 
 spam?
    
-
     As a matter of policy, the list needs to be open to 
-non-subscribers. Project management feel strongly that maintaining this 
-openness is more important than blocking spam. 
    
+
     As a matter of policy, some of our mailing lists
+ need to be open to non-subscribers. Project management feel strongly 
+that maintaining this openness is more important than blocking spam. 
    
+
      
+
    • Users should be able to get help or report bugs without 
+subscribing. 
      • 
+
    • Even a user who is subscribed may not have access to his or her 
+subscribed account when he or she needs help, miles from home base in 
+the middle of setting up a client's gateway. 
      • 
+
    • There is arguably a legal requirement for this policy. A US 
+resident or citizen could be charged under munitions export laws for 
+providing technical assistance to a foreign cryptographic project. Such 
+a charge would be more easily defended if the discussion takes place in 
+public, on an open list. 
      • 
+
    
 
     This has been discussed several times at some length on the list. 
 See the list archives. Bringing the topic up 
 again is unlikely to be useful. Please don't. Or at the very least, 
@@ -13621,10 +14420,19 @@
 The decision is final, and is not open to discussion.  This needs to be 
 communicated better to people, and steps are being taken to do that. 
  Adding this FAQ section is one of the steps he refers to. 
    
-
     You have various options other than just putting up with the spam 
-or unsubscribing: 
    
+
     You have various options other than just putting up with the spam, 
+filtering it yourself, or unsubscribing: 
    
 
      
-
    • read the list via one of its archives
      • 
+
    • read the main list via one of its archives
      • 
+
    • subscribe only to one or both of our lists with restricted posting 
+rules: 
+
        
+
      • briefs
+, weekly list summaries 
        • 
+
      • announce
+, project-related announcements 
        • 
+
      
+
      • 
 
    • subscribe to one or more of the other 
 FreeS/WAN-related lists. 
      • 
 
    
@@ -13647,7 +14455,8 @@
 filtering. 
    
 
     For information on tracking down spammers, see these 
 HowTos, or the Sputum
- site. 
    
+ site. Sputum have a Linux anti-spam screensaver available for 
+download. 
    
 
     Here is a more detailed message from Henry: 
    
 
     On Mon, 15 Jan 2001, Jay Vaughan wrote:
@@ -13739,5 +14548,5 @@
         John Gilmore
         founder sponsor, FreeS/WAN project
 
    
-
+
 
diff -bruN freeswan-1.9.orig/doc/compat.html freeswan-1.9/doc/compat.html
--- freeswan-1.9.orig/doc/compat.html	Tue Mar 27 23:16:51 2001
+++ freeswan-1.9/doc/compat.html	Mon Jun  4 01:15:56 2001
@@ -15,11 +15,11 @@
 patchers and commenters there, especially the ones quoted below but 
  also various contributors we haven't quoted.
    
 
    Implemented parts of the IPSEC Specification
    
-
    In general, do not expect Linux FreeS/WAN to do everything yet. This 
-is a  work-in-progress and some parts of the IPSEC specification are 
-not yet  implemented.
    
+
     In general, do not expect Linux FreeS/WAN to do everything yet. 
+This is a work-in-progress and some parts of the IPSEC specification 
+are not yet implemented.
    
 
    In Linux FreeS/WAN
    
-
    Things we do, as of version 1.9:
    
+
     Things we do, as of version 1.9:
    
 
      
 
    • key management methods 
 
      
@@ -59,10 +59,6 @@
 
      • 
 
    • encryption transforms 
 
      
-
      null encryption (to use ESP as an authentication-only service) 
      
-
      We implement this since the RFCs require it. Since it is  obviously 
-insecure, we disable it by default. It can be enabled  with a kernel 
-configuration option.
      
 
      DES
      
 
      DES is in the source code since it is needed to implement  3DES, 
 but single DES is not made available to users because 
@@ -94,7 +90,9 @@
 
      • 
 
    
 
     All combinations of implemented transforms are supported. Note that 
-some  form of authentication is recommended whenever encryption is used.
    
+some form of packet-level authentication is required whenever 
+encryption is used. Without it, the encryption will not be 
+secure.
    
 
    Deliberately ommitted
    
  We do not implement everything in the RFCs because some of those 
 things are insecure. See our discussions of avoiding 
@@ -102,16 +100,17 @@
 
    
 
     Things we deliberately omit which are required in the RFCs are:
    
 
      
+
    • null encryption (to use ESP as an authentication-only service) 
      • 
 
    • single DES 
      • 
 
    • DH group 1, a 768-bit modp group 
      • 
 
    
-
     Since these are the only encryption algorithm and DH group the RFCs 
-require, it is possible in theory to have a standards-conforming 
+
     Since these are the only encryption algorithms and DH group the 
+RFCs require, it is possible in theory to have a standards-conforming 
 implementation which will not interpoperate with FreeS/WAN. Such an 
 implementation would be inherently insecure, so we do not consider this 
 a problem. Anyway, most implementations sensibly include more secure 
-options as well, so dropping single DES and Group 1 does not greatly 
-hinder interoperation in practice.
    
+options as well, so dropping null encryption, single DES and Group 1 
+does not greatly hinder interoperation in practice.
    
 
     We also do not implement some optional features allowed by the 
 RFCs: 
    
 
      
@@ -127,7 +126,7 @@
 default. Typically, these are easily solved with a configuration change 
 that overrides that default.
      
 
      Not (yet) in Linux FreeS/WAN
      
-
      Things we don't yet do, as of version 1.9:
      
+
       Things we don't yet do, as of version 1.91:
      
 
        
 
      • key management methods 
 
          
@@ -155,6 +154,9 @@
 
          We expect eventually to do it using DNS. The newer versions of 
 BIND provide much of what we need but they are not  yet widespread 
 and our code to communicate with them is not  ready.
          
+
           Update: As of 1.91, we have beta-testable code for 
+opportunistic encryption. See our 
+configuration document. 
          
 
        
 
        • 
 
      
@@ -175,6 +177,19 @@
 
    • authentication transforms 
      • 
 
      No optional additional authentication transforms are currently 
  implemented and we do not forsee a need to add any soon.
      
+
    • Policy checking on decrypted packets 
      • 
+
       To fully comply with the RFCs, it is not enough just to accept only 
+packets  which survive any firewall rules in place to limit what IPSEC 
+packets get in,  and then pass KLIPS authentication. That is what 
+FreeS/WAN currently does. 
      
+
       We should also apply additional tests, for example ensuring that 
+all packets  emerging from a particular tunnel have sourcen and 
+destination addresses that  fall within the subnets defined for that 
+tunnel, and that packets with those  addresses that did not emerge from 
+the appropriate tunnel are disallowed. 
      
+
       This will be done as part of the KLIPS rewrite currently in 
+progress. See  these links and the 
+ design mailing list for discussion. 
      
 
      Our PF-Key implementation
      
 
      We use PF-key Version Two for communication between the KLIPS kernel 
 code  and the Pluto Daemon. PF-Key v2 is defined by 
@@ -188,34 +203,37 @@
 not  yet doing much upward communication from kernel to user space. 
 This will  change, but is not at the top of our priority list.
      
 
      PF-Key portability
      
-
      PF-Key came out of Berkeley Unix work and is used in the various BSD 
-IPSEC  implementations. We assume also in This means there is some hope 
-of  porting our Pluto(8) to one of the BSD distributions or running 
-their  photurisd(8) on Linux if you prefer 
+
       PF-Key came out of Berkeley Unix work and is used in the various 
+BSD IPSEC implementations, and in Solaris. This means there is some 
+hope of porting our Pluto(8) to one of the BSD distributions, or of 
+running their photurisd(8) on Linux if you prefer 
 Photuris key  management over IKE.
      
-
      It is, however, more complex than that. The three PF-Key 
-implementations  we have looked at -- ours, OpenBSD and KAME -- all 
-have extensions beyond  the RFC, and the extensions are different. 
-There have been discussions aimed  at sorting out the differences, 
-perhaps for a version three PF-Key spec. All  players are in favour of 
-this, but everyone involved is busy and it is not  clear whether or 
-when these discussions might bear fruit.
      
+
       It is, however, more complex than that. The PK-Key RFC deliberately 
+deals only with keying, not policy management. The three PF-Key 
+implementations we have looked at -- ours, OpenBSD and KAME -- all have 
+extensions to deal with security policy, and the extensions are 
+different. There have been discussions aimed at sorting out the 
+differences, perhaps for a version three PF-Key spec. All players are 
+in favour of this, but everyone involved is busy and it is not clear 
+whether or when these discussions might bear fruit.
      
 
      Kernels other than 2.0.38 and 2.2.18
      
-
      We develop and test on:
      
+
       We develop and test on:
      
 
        
-
      • Redhat 5.2 with a 2.0.38 kernel.
        • 
-
      • Redhat 6.1 with a 2.2.18 kernel.
        • 
+
      • Redhat 6.1 with a 2.2.19 kernel.
        • 
+
      • Redhat 7.1 with a 2.4.4 kernel.
        • 
 
      
 
       This is what we recommend. 
      
 
      Other 2.0.x Intel Kernels
      
 
       Consider upgrading to the 2.2 kernel series. If you want to stay 
-with the 2.0 series, then we strongly recommend 2.0.38. It has some 
-security patches not present in earlier 2.0 kernels.
      
+with the 2.0 series, then we strongly recommend 2.0.39. Some useful 
+security patches were added in 2.0.38.
      
 
       Various versions of the code have run at various times on most 
-2.0.xx kernels, but the current version is tested only on 2.0.38 and is 
-unlikely to compile on older kernels. Some of our patches for older 
-kernels are shipped in 2.0.37 and later, so they are no longer provided 
-in FreeS/WAN.
      
+2.0.xx kernels, but the current version is only lightly tested on 
+2.0.39, and not at all on older kernels. 
      
+
       Some of our patches for older kernels are shipped in 2.0.37 and 
+later, so they are no longer provided in FreeS/WAN. This means recent 
+versions of FreeS/WAN will probably not compile om anything earlier 
+than 2.0.37.
      
 
      2.2 and 2.4 Kernels
      
 
      
 
      FreeS/WAN 1.0
      
@@ -226,12 +244,11 @@
 
      FreeS/WAN 1.9
      
 
      runs on 2.0, 2.2 or 2.4 kernels
      
 
      
-
       We suggest the latest 2.2 kernel (2.2.18 at time of writing) for 
-production use. 
      
-
      Intel Linux distributions other than Redhat 5.x 
-and 6.x
      
-
       We develop and test on Redhat 5.2 for 2.0 kernels, and on Redhat 
-6.1 for 2.2, so minor changes may be required for other distributions.
      
+
       We suggest the latest 2.2 kernel or 2.4 (2.2.19 or 2.4.5 at time of 
+writing) for production use. 
      
+
      Intel Linux distributions other than Redhat
      
+
       We develop and test on Redhat 6.1 for 2.2 kernels, and on Redhat 
+7.1 for 2.4, so minor changes may be required for other distributions.
      
 
      Redhat 7.0
      
 
       There are some problems with FreeS/WAN on Redhat 7.0, but they are 
 soluble. 
      
@@ -271,8 +288,8 @@
  Check the mailing list archive for more recent 
 news.
 
      SuSE Linux
      
-
      SuSE 6.3 and later versions, at least in Europe, ship with FreeS/WAN 
- included.
      
+
       SuSE 6.3 and later versions, at least in Europe, ship with 
+FreeS/WAN included.
      
 
      Here are some notes for an earlier SuSE version.
      
 
      SuSE Linux 5.3
      
 
      Date: Mon, 30 Nov 1998
@@ -615,9 +632,8 @@
 made, but at time of writing (February 2001), the job is not complete. 
 For more recent information, check the mailing list
 .
      
-
       In short, Linux currently has both IPv6 support and IPSEC support, 
-but the two do not work together yet. We, and others, 
-are working on integrating them, but it is a substantial job. 
      
+
       The first release of Linux IPv6 with FreeS/WAN support is now 
+ available. 
      
 
      IPv6 background
      
 
       IPv6 has been specified by an IETF 
 working group. The group's page lists over 30 RFCs to date, and 
diff -bruN freeswan-1.9.orig/doc/config.html freeswan-1.9/doc/config.html
--- freeswan-1.9.orig/doc/config.html	Tue Mar 27 23:16:51 2001
+++ freeswan-1.9/doc/config.html	Mon Jun  4 01:15:55 2001
@@ -497,14 +497,6 @@
 been removed in FreeS/WAN 1.9. However, if the other end of the tunnel 
 is an older version, the restriction will still apply there, so some 
 caution is still required. 
      
-
      The conn %default section shipped in our example file 
-includes  parameters for manual keying. These are completely 
- insecure, intended only for testing. We recommend you leave 
-these  in place during testing since it is sometimes useful to be able 
-to test with  manual keying. Once testing is done, however, delete the 
-test keys or ensure  that they are commented out with # characters. 
-Production use of manual  keying is not recommended, but is possible 
-and is described in a  later section.
      
 
      Editing a connection description
      
 
      Edit our example connection to match what you want to do.  Rename it 
  appropriately for the connection you would like to build: 
@@ -570,9 +562,9 @@
 The  file syntax allows names to be used, but this creates an 
 additional risk. If  someone can subvert the DNS service, then they can 
 redirect packets whose  addresses are looked up via that service.
      
-
      Many of the variables in this file come in pairs such as 
-"leftsubnet: and  "rightsubnet", one for each end of the connection. 
-The variables on the left  side are:
      
+
       Many of the variables in this file come in pairs such as 
+"leftsubnet: and "rightsubnet", one for each end of the connection. The 
+variables on the left side are:
      
 
      
 
      left
      
 
      The gateway's external interface, the one it uses to talk to the 
@@ -600,14 +592,16 @@
 
      Addresses for the machines which left is protecting. 
 
        
 
      • Often something like 101.202.203.0/24 to indicate that a subnet 
- resides behind left.
        • 
+ resides behind left. Often this subnet will be directly connected  to 
+left, but this not necessary. The only requirement is that left  must 
+be able to route to it.
 
      • If you omit the leftsubnet line, then left is both the security 
  gateway and the only client on that end.
        • 
 
      
  For some applications, you may want to create two connections, one to 
  protect traffic from the subnet behind left and another to protect 
  traffic from the left gateway itself. This takes two connection 
- descriptions.
      
+ descriptions. See below.
 
      leftfirewall
      
 
      Set to "yes" if there is a firewall in play that suppresses 
  forwarding, for example if a subnet behind left uses non-routable 
@@ -864,19 +858,168 @@
 Practical Configurations document also has an example  of using RSA 
 authentication for road warriors.
      
 
      Opportunistic encryption
      
-
       This section is currently just a placeholder for the opportunistic 
-encryption documentation I'll write when the design has solidified 
-somewhat.
      
-
      Putting public keys in DNS
      
-
      Release 1.4 had the first experimental code to support fetching 
-public  key information from the other system's DNS entries. Even in 
-1.6, this is  still experimental code. You cannot trust it for 
-production use until
      
+ We use the term opportunistic encryption
+ for encryption which does not rely on any pre-arranged connection, 
+hence does not require that the administrators of the two gateways 
+involved communicate with each other (for example, to exchange keys) 
+before their systems can create a secure connection. 
+
       The idea is that each gateway check the destinations of outgoing 
+packets, see if an encrypted connection is possible and, if so, take 
+the opportuntity to encrypt. The opportunity will exist whenever the 
+admins on both ends have set their systems up for opportunistic 
+encryption. 
      
+
       This makes encryption the default behaviour, and could greatly 
+increase the overall security of the Internet if it were widely enough 
+adopted. See our documents: 
      
+
      
+
      history and politics
      
+
      for the reasons we want to do this 
      
+
      IPSEC protocols
      
+
      for discussion of the general principle of encrypting as much as 
+possible 
      
+
      
+
       The gateways must be able to authenticate each other for IPSEC to 
+be secure. For opportunistic encryption, we rely on the domain name 
+system, DNS, to provide the RSA keys needed 
+for this authentication.  Note, that currently this is not entirely 
+secure because the DNS mechanism it relies on is not fully 
+secure. Eventually, as secure DNS
+ becomes widely deployed, this will change. 
      
+
      Status
      
+ The team have been working on this for some time, and testing 
+internally. As of late May, 2001 this code is ready for wider testing. 
+We encourage everyone to try it.
+
       The main documentation items so far are: 
      
+
        
+
      • an Opportunism HowTo by Pluto 
+programmer Hugh Redelmeier 
        • 
+
      • a design document by Hugh and technical lead Henry Spencer. A 
+link to this is in our introduction. 
        • 
+
      
+ I am playing catch up; HTML documentation so far is neither complete 
+nor particularly clear. What I have so far is below. 
+
       Note that both software and documentation for this are changing 
+quickly. You may want the latest snapshot for opportunism experiments. 
      
+
       We do not yet recommend this code for production use
+. You should still protect your critical data with explicitly 
+configured IPSEC tunnels, rather than relying on opportunistic for 
+everything at this stage. 
      
+
      Some DNS background
      
+
       Opportunism requires that the gateway systems be able to fetch 
+public keys, and other IPSEC-related information, from each other's DNS 
+(domain name service) records. 
      
+
       DNS is a distributed database that maps names to IP addresses and 
+vice versa. A system named gateway.example.com with IP address 
+10.20.30.40 should have at least two DNS records: 
      
+
      
+
      gateway.example.com. IN A 10.20.30.40 
      
+
      used to look up the name and get an IP address 
      
+
      40.30.20.10.in-addr.arpa. IN PTR gateway.example.com. 
      
+
      used for reverse lookups, looking up the name associated with an 
+address. Notice that the digits here are in reverse order; the actual 
+address is 10.20.30.40 but we use 40.30.20.10 here. 
      
+
      
+ Some syntactic details are: 
 
        
-
      • both our code is much better tested (you can help with that!)
        • 
-
      • and secure DNS is widely deployed
        • 
-
      
-
      The relevant lines in the config file would look like this:
      
+
    • the IN indicates that these records are for In
+ternet addresses 
      • 
+
    • The final periods in '.com.' and '.arpa.' are required. They 
+indicate the root of the domain name system. 
      • 
+
    
+ For much more detail, see the 
+Linux Network Administrator's Guide or a DNS 
+reference book. 
+
     The capitalised strings after IN indicate the type of record. 
+Possible types include: 
    
+
      
+
    • Address 
      • 
+
    • PoinTeR
      • 
+
    • Canonical NAME, records to 
+support aliasing,  multiple names for one address 
      • 
+
    • MX, used in mail handling 
      • 
+
    • SIGnature, used in 
+secure DNS
      • 
+
    • KEY, used in secure 
+DNS
      • 
+
    • TeXT, a multi-purpose record type 
      • 
+
    
+ To set up for opportunistic encryption, you add some KEY and TXT 
+records to your DNS data. 
+
    Putting IPSEC information in DNS
    
+ There are two types of DNS record to be added: 
+
      
+
    • each gateway must have a KEY record which other gateways can query 
+to fetch its RSA authentication key 
      • 
+
    • any client whose communications are to be protected by a gateway 
+must have a TXT record pointing to that machine as an authorised IPSEC 
+gateway 
      • 
+
    
+ ipsec_rsasigkey(8)
+ provides the key in DNS record format as a comment. You need to cut 
+and paste the comment from 
+ipsec.secrets(5) (or wherever you have the private key) into the 
+appropriate place in the DNS records. 
+
     There are two ways to handle this, depending on whether or not you 
+control the reverse lookup (in-addr.arpa.) sections of the DNS files 
+for your gateway. You must have control of the reverse DNS information 
+for clients or this cannot work at all. 
    
+
    If you control the gateway's reverse map
    
+ If you control the gateway's reverse map, you just add a KEY record 
+there. Here is an example, with many characters of the key itself left 
+out: 
+
    +40.30.20.10.in-addr.arpa. IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
+
    
+ This allows lookups on the IP address of the gateway to retrieve the 
+key. 
+
     A client that wishes to be protected by Opportunistic Encryption 
+must include a special TXT record in its reverse-map. If you control 
+the gateway's reverse map, example client records would look like this: 
    
+
    +42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
+42.42.42.10.in-addr.arpa. IN TXT "X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8"
+
    
+ which can also be written as just: 
+
    +42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
+                          IN TXT "X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8"
+
    
+ This provides the IP address of the security gateway and the public 
+key which the gateway will use to authenticate itself. This is the 
+preferred variant. Using it, the remote system does one lookup and gets 
+everything it needs for IKE negotiations. 
+
    If you don't control the gateway's reverse map
    
+ The approach must be slightly different if you do not have control 
+over the contents of the reverse map for your gateway. Perhaps your ISP 
+controls that, and provides no way for you to put data into their maps. 
+Without that, you cannot set your gateway up to respond to incoming 
+opportunistic requests (short of changing ISPs, which you might 
+consider). 
+
     However, suppose a friend over at example.org will let you put 
+things in their maps. That will allow you to set your gateway up to 
+handle opportunistic connections for which it is the initiator. 
    
+
     You still need to be able to put data in the reverse map for your 
+clients. However, that data is slightly different: 
    
+
    +42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
+                          IN TXT "X-IPsec-Server(10)=something.example.org"
+
    
+ Over at example.org, your friend inserts these lines in the DNS data 
+files: 
+
    +something.example.org. IN A 10.20.30.40
+                       IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
+
    
+ Your gateway must identify itself in IKE as something.example.org, not 
+as gateway.example.com. You set that up via leftid= or 
+rightid= entries in 
+ipsec.conf(5). 
+
     With this arrangement, the remote gateway does two lookups. First 
+it does a reverse lookup on the client IP address and finds the gateway 
+name  "something.example.org". Then it looks up that name to get the IP 
+address and key for the gateway. 
    
+
    ipsec.conf entries for opportunism
    
+ The relevant lines in the config file would look like this:
 
             leftid=@gateway.example.com
         leftrsasigkey=%dns
@@ -1136,13 +1279,13 @@
 
    Testing with tcpdump
    
 
     To verify that all is working, run tcpdump(8) on a machine which 
 can listen to the traffic between the gateways.
    
-
     This really has to be done from a third machine, not from one of 
-the gateways. On the gateways you'll see packets at intermediate stages 
-of processing and the result will be confusing. Also, both tcpdump(8) 
-and nmap(8) use the libpcap library. Some versions of that library 
-(e.g. the ones that shipped with Redhat 5) do not recognise ipsec? 
-devices and will generate "bad physical medium" error messages if you 
-try to use it with them.
    
+
     This is most easily done from a third machine, rather than from one 
+of the gateways. On the gateways you may see packets at intermediate 
+stages of processing and the result may be confusing. 
    
+
     If the results make no sense at all, or you see "bad physical 
+medium" error messages, you probably have an outdated version of 
+tcpdump(8) that does not handle IPSEC at all. See our 
+FAQ.
    
 
     The packets should, except for some of the header information, be 
 utterly unintelligible. The output of good encryption looks exactly 
 like random noise.
    
@@ -1768,6 +1911,47 @@
 functionality. You cannot use them as gateways with a subnet behind 
 them. To get that functionality, you must upgrade to Windows 2000 
 server or the commercially available PGP products. 
    
+
    One tunnel plus advanced routing
    
+ It is also possible to use the new routing features in 2.2 and later 
+kernels to avoid most needs for multple tunnels. Here is one mailing 
+list message on the topic: 
+
    +Subject: Re: linux-ipsec: IPSec packets not entering tunnel?
+   Date: Mon, 20 Nov 2000
+   From: Justin Guyett <jfg@sonicity.com>
+
+On Mon, 20 Nov 2000, Claudia Schmeing wrote:
+
+> Right                                                         Left
+>                      "home"                "office"
+> 10.92.10.0/24 ---- 24.93.85.110 ========= 216.175.164.91 ---- 10.91.10.24/24
+>
+> I've created all four tunnels, and can ping to test each of them,
+> *except* homegate-officenet.
+
+I keep wondering why people create all four tunnels.  Why not route
+traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
+And 99% of the time you don't need to access "office" directly, which
+means you can eliminate all but the subnet<->subnet connection.
+
    
+ and FreeS/WAN technical lead Henry Spencer's comment: 
+
    +> I keep wondering why people create all four tunnels.  Why not route
+> traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
+
+This is feasible, given some iproute2 attention to source addresses, but
+it isn't something we've documented yet... (partly because we're still
+making some attempt to support 2.0.xx kernels, which can't do this, but
+mostly because we haven't caught up with it yet).
+
+> And 99% of the time you don't need to access "office" directly, which
+> means you can eliminate all but the subnet<->subnet connection.
+
+Correct in principle, but people will keep trying to ping to or from the
+gateways during testing, and sometimes they want to run services on the
+gateway machines too.
+
+
    
 
    Many tunnels from a single gateway
    
 
     FreeS/WAN allows a single gateway machine to build tunnels to many 
 others. There may, however, be some problems for large numbers as 
@@ -1824,7 +2008,7 @@
 operations before receiving a reply from the peer.
    
 
    Extruded Subnets
    
 
    What we call extruded subnets
- are a special case  of VPNs.
    
+ are a special case  of VPNs.
    
 
    If your buddy has some unused IP addresses, in his subnet far off at 
 the  other side of the Internet, he can loan them to you... provided 
 that the  connection between you and him is fast enough to carry all 
@@ -2075,31 +2259,47 @@
 
            ipsec setup restart
    
 
    Again, this breaks any existing connections.
    
 
    Unencrypted tunnels
    
-
     Sometimes you will want to create a tunnel without encryption. The 
-IPSEC protocols provide two ways to do this, either using 
-AH without ESP or using ESP with 
-null encryption. With Linux FreeS/WAN, these are currently supported 
-for manually keyed connections, but not with automatic keying, so we'll 
-look at other solutions here.
    
+
     Sometimes you might want to create a tunnel without encryption. 
+Often this is a bad idea, even if you have some data which need not be 
+private. See this discussion. 
    
+
     The IPSEC protocols provide two ways to do build such tunnels, 
    
+
      
+
    • using AH without 
+ESP
      • 
+
    • using ESP with null encryption. 
      • 
+
    
+ Linux FreeS/WAN allows AH-only for manually keyed connections, but not 
+with automatic keying, and does not support null encryption, so we'll 
+look at other solutions here.
 
     One situation in which this comes up is when otherwise some data 
 would be  encrypted twice. Alice wants a secure tunnel from her machine 
 to Bob's.  Since she's behind one security gateway and he's behind 
 another, part of the  tunnel that they build passes through the tunnel 
 that their site admins have  built between the gateways. All of Alice 
 and Bob's messages are encrypted  twice.
    
-
    There are several ways to handle this.
    
+
     There are several ways to handle this.
    
 
      
 
    • Just accept the overhead of double encryption. The site admins 
-might  choose this if policy says encrypt everything, if they don't 
-entirely  trust Alice and Bob, or if they don't feel the saved cycles 
-are worth  the time they'd need to build a non-encrypted tunnel for 
-Alice and Bob's  packets.
      • 
+might  choose this if any of the following apply: 
+
        
+
      • policy says encrypt everything (usually, it should) 
        • 
+
      • they don't entirely trust Alice and Bob (usually, if they don't 
+have to, they  shouldn't) 
        • 
+
      • if they don't feel the saved cycles are worth the time they'd need 
+to  build a non-encrypted tunnel for Alice and Bob's packets (often, 
+they aren't) 
        • 
+
      
+
 
    • Use a plain IP-in-IP tunnel. These are not well documented. A good 
  starting point is in the Linux kernel source tree, in 
  /usr/src/linux/drivers/net/README.tunnel.
      • 
-
    • Use a manually-keyed AH-only tunnel. This is recommended over ESP 
-with  null encryption.
      • 
+
    • Use a manually-keyed AH-only tunnel.
      • 
 
    
+
     Note that if Alice and Bob want end-to-end security, they must 
+build a tunnel end-to-end between their machines or use some other 
+end-to-end tool such as PGP or SSL that suits their data. The only 
+question is whether the admins build some special unencrypted tunnel 
+for those already-encrypted packets. 
    
 
    
 Contents
 Previous
diff -bruN freeswan-1.9.orig/doc/faq.html freeswan-1.9/doc/faq.html
--- freeswan-1.9.orig/doc/faq.html	Tue Mar 27 23:16:52 2001
+++ freeswan-1.9/doc/faq.html	Mon Jun  4 01:15:57 2001
@@ -30,6 +30,8 @@
 
  •  Can different FreeS/WAN versions talk to 
 each other?
    • 
 
  •  Does FreeS/WAN run on my version of Linux?
    • 
+
  •  Does FreeS/WAN run on the latest kernel 
+version?
    • 
 
  •  Can I modify FreeS/WAN to ...?
    • 
 
  •  Can I contribute to the project?
    • 
 
  • Is there detailed design documentation?
    • 
@@ -37,6 +39,7 @@
 
  • Compilation problems
    • 
 
 
  •  Life's little mysteries
    • 
 
 
  • Testing in stages
    • 
 
 
    
@@ -197,11 +210,56 @@
 compatibility document. 
    
 
     FreeS/WAN has been tested on multiprocessor Intel Linux and worked 
 there. Note, however, that we do not test this often and have never 
-tested on multiprocessor machines of other architectures. 
    
+tested on multiprocessor machines of other architectures. 
+
    
+
    Does FreeS/WAN run on the latest kernel version?
    
+ Quite often, no. 
+
     Released versions of FreeS/WAN generally run on whatever production 
+kernels were current at the time of the release. For example, FreeS/WAN 
+1.91 runs on kernel 2.2.19 or 2.4.5. Often they will run on slightly 
+earlier or later kernels as well, but we test on the current production 
+kernels, so those are strongly recommended. 
    
+
     The kernel is under active development and it is not uncommon for 
+changes to appear that cause problems for FreeS/WAN. For example, 2.4.6 
+or 2.4.7 may have changes that break FreeS/WAN 1.91. Or not; you can't 
+tell in advance. When such changes appear, we put a fix in the 
+FreeS/WAN snapshots, and distribute it with our next release. 
    
+
     However, this is not a top priority for us, and it may take 
+anything from a few days to several weeks for such a problem to find 
+its way to the top of our kernel programmer's todo list. In the 
+meanwhile, you have two choices: either stick with a slightly older 
+kernel, or fix the problem yourself and send us a patch. 
    
+
     We don't even try to keep up with kernel changes outside the main 
+2.2 and 2.4 branches, such as the 2.4.x-ac patched versions from Alan 
+Cox or (when they appear) the 2.5 series of development kernels. We'd 
+rather work on developing the FreeS/WAN code than on chasing these 
+moving targets. 
    
 
    Can I modify FreeS/WAN to ...?
    
  You are free to modify FreeS/WAN in any way. See the discussion of 
 licensing in our introduction document. 
 
    Can I contribute to the project?
    
+ In general, we welcome contributions from the community. Various 
+contributed patches, either to fix bugs or to add features, have been 
+incorporated into our distribution. Other patches, not yet included in 
+the distribution, are listed in our web links
+ section. 
+
     Users have also contributed heavily to documentation, both by 
+creating their own HowTos and by posting 
+things on the mailing lists which I have quoted 
+in these HTML docs. 
    
+
     There are, however, some caveats. 
    
+
     FreeS/WAN is being implemented in Canada, by Canadians, largely to 
+ensure that is it is entirely free of export restrictions. See this 
+discussion. We cannot accept code contributions from US 
+residents or citizens, not even one-line bugs fixes. The 
+reasons for this were recently discussed extensively on the mailing 
+list, in a thread starting 
+here. 
    
+
     Not all contributions are of interest to us. The project has a set 
+of fairly ambitious and quite specific goals, described in our 
+introduction. Contributions that lead toward these goals are likely 
+to be welcomed enthusiastically. Other contributions may be seen as 
+lower priority, or even as a distraction. 
    
 
    Is there detailed design documentation?
    
  There are: 
 
      
@@ -233,6 +291,20 @@
 is apt-get install gmp2. 
      
 
       For more information and the latest version, see the 
 GMP home page. 
      
+
      ... virtual memory exhausted
      
+ We have had several reports of this message appearing, all on SPARC 
+Linux. Here is a mailing message on a solution: 
+
      +> ipsec_sha1.c: In function `SHA1Transform':
+> ipsec_sha1.c:95: virtual memory exhausted
+
+I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
+MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.
+
+I can get around this by using -O instead of -O2 for the optimization
+level.  So it is probably a bug in the optimizer on the sparc complier. 
+I'll try and chase this down on the sparc lists.
+
      
 
      Life's little mysteries
      
  FreeS/WAN is a fairly complex product. (Neither the networks it runs 
 on nor the protocols it uses are simple, so it could hardly be 
@@ -432,8 +504,9 @@
  using a different specification; the route is altered  as necessary) 
 without having a ``window'' in which packets  might go elsewhere based 
 on a more general route.  Such  a  route can be removed using the 
---unroute operation (and is  implicitly removed by --delete).  See also 
-this mailing list 
+--unroute operation (and is  implicitly removed by --delete). 
+
      
+
       See also this mailing list 
 message. 
      
 
      The firewall ate my packets!
      
  If firewalls filter out:
@@ -452,7 +525,7 @@
 any number of reasons, ranging from hardware failures to various 
 software problems such as the path MTU problems discussed 
 elsewhere in the FAQ. Fortunately, various diagnostic tools exist 
-that help you sort many of the possible problems.
      
+that help you sort out many of the possible problems.
      
 
       There is one situation, however, where FreeS/WAN (using default 
 settings) may destroy a connection for no readily apparent reason. This 
 occurs when things are misconfigured so that 
@@ -461,7 +534,7 @@
 
       In this situation, the first tunnel comes up fine and works until 
 the second is established. At that point, because of the way we track 
 connections internally, the first tunnel ceases to exist as far as this 
-gateway is concerned. Of course the far end does not know that and a 
+gateway is concerned. Of course the far end does not know that, and a 
 storm of error messages appears on both systems as it tries to use the 
 tunnel.
      
 
       If the far end gives up, goes back to square one and negotiates a 
@@ -543,6 +616,77 @@
 
       Note that nothing on either subnet needs to change. This lets you 
 test most of your IPSEC setup before connecting to the insecure 
 Internet. 
      
+
      Traceroute does not show anything between the 
+gateways
      
+ As far as traceroute can see, the two gateways are one hop apart; the 
+data packet goes directly from one to the other through the tunnel. Of 
+course the outer packets that implement the tunnel pass through 
+whatever lies between the gateways, but  those packets are built and 
+dismantled by the gateways. Traceroute does not see them and cannot 
+report anything about their path. 
+
       Here is a mailing list message with more detail. 
      
+
      +Date: Mon, 14 May 2001
+To: linux-ipsec@freeswan.org
+From: "John S. Denker" <jsd@research.att.com<
+Subject: Re: traceroute: one virtual hop
+
+At 02:20 PM 5/14/01 -0400, Claudia Schmeing wrote:
+>
+>> > A bonus question: traceroute in subnet to subnet enviroment looks like:
+>> > 
+>> > traceroute to andris.dmz (172.20.24.10), 30 hops max, 38 byte packets
+>> > 1  drama (172.20.1.1)  0.716 ms  0.942 ms  0.434 ms
+>> > 2  * * *
+>> > 3  andris.dmz (172.20.24.10)  73.576 ms  78.858 ms  79.434 ms
+>> > 
+>> > Why aren't there the other hosts which take part in the delivery during 
+>    * * * ?
+>
+>If there is an ipsec tunnel between GateA and Gate B, this tunnel forms a 
+>'virtual wire'.  When it is tunneled, the original packet becomes an inner 
+>packet, and new ESP and/or AH headers are added to create an outer packet 
+>around it. You can see an example of how this is done for AH at 
+>doc/ipsec.html#AH . For ESP it is similar.
+>
+>Think about the packet's path from the inner packet's perspective.
+>It leaves the subnet, goes into the tunnel, and re-emerges in the second
+>subnet. This perspective is also the only one available to the
+>'traceroute' command when the IPSec tunnel is up.
+
+Claudia got this exactly right.  Let me just expand on a couple of points:
+
+*) GateB is exactly one (virtual) hop away from GateA.  This is how it
+would be if there were a physically private wire from A to B.  The
+virtually private connection should work the same, and it does.
+
+*) While the information is in transit from GateA to GateB, the hop count
+of the outer header (the "envelope") is being decremented.  The hop count
+of the inner header (the "contents" of the envelope) is not decremented and
+should not be decremented.  The hop count of the outer header is not
+derived from and should not be derived from the hop count of the inner header.
+
+Indeed, even if the packets did time out in transit along the tunnel, there
+would be no way for traceroute to find out what happened.  Just as
+information cannot leak _out_ of the tunnel to the outside, information
+cannot leak _into_ the tunnel from outside, and this includes ICMP messages
+from routers along the path.
+
+There are some cases where one might wish for information about what is
+happening at the IP layer (below the tunnel layer) -- but the protocol
+makes no provision for this.  This raises all sorts of conceptual issues.
+AFAIK nobody has ever cared enough to really figure out what _should_
+happen, let alone implement it and standardize it.
+
+*) I consider the "* * *" to be a slight bug.  One might wish for it to be
+replaced by "GateB GateB GateB".  It has to do with treating host-to-subnet
+traffic different from subnet-to-subnet traffic (and other gory details).
+I fervently hope KLIPS2 will make this problem go away.
+
+*) If you want to ask questions about the link from GateA to GateB at the
+IP level (below the tunnel level), you have to ssh to GateA and launch a
+traceroute from there.
+
      
 
      Testing in stages
      
 
       It is often useful in debugging to test things one at a time:
      
 
        
@@ -591,13 +735,18 @@
 UDP port 500 packets used in key negotiation. 
 
         Other possibilities:
        
 
          
-
        • mis-configuration of auto connection in the /etc/ipsec.conf file
          • 
+
        • mis-configuration of auto connection in the /etc/ipsec.conf file. 
          • 
+
          One common  configuration error is forgetting that you need 
+auto=add to load the  connection description on the receiving end 
+so it recognises the connection  when the other end asks for it.
          
 
        • error in shared secret in /etc/ipsec.secrets
          • 
 
        • one gateway lacks a route to the other so Pluto's UDP packets are 
  lost
          • 
 
        • bugs in Pluto
          • 
 
        • incompatibilities between Pluto's IKE
- implementation and the IKE at the other end of the tunnel.
          • 
+ implementation and the IKE at the other end of the tunnel. 
+
          Some possibile problems  are discussed in out 
+interoperation document.
          
 
        
 
        IPSEC works, but connections using compression fail
 
        
@@ -691,6 +840,37 @@
  Since the above message was written, we have modified the updown 
 script to provide a better diagnostic for this problem. Check 
 /var/log/messages. 
+
        ipsec_setup: Fatal error, kernel appears to lack 
+KLIPS
        
+ This message indicates an installation failure. The kernel you are 
+running does not contain the KLIPS (kernel IPSEC) code.
+
        
+
         Here is one of Claudia's messages on the topic: 
        
+
        +> I tried to install freeswan 1.8 on my mandrake 7.2 test box. ...
+
+> It does show version and some output for whack.
+
+Yes, because the Pluto (daemon) part of ipsec is installed correctly, but
+as we see below the kernel portion is not.
+
+> However, I get the following from /var/log/messages:
+> 
+> Mar 11 22:11:55 pavillion ipsec_setup: Starting FreeS/WAN IPSEC 1.8...
+> Mar 11 22:12:02 pavillion ipsec_setup: modprobe: Can't locate module ipsec
+> Mar 11 22:12:02 pavillion ipsec_setup: Fatal error, kernel appears to lack
+> KLIPS.
+
+This is your problem. You have not successfully installed a kernel with
+IPSec machinery in it. 
+
+Did you build Linux FreeS/WAN as a module? If so, you need to ensure that 
+your new module has been installed in the directory where your kernel 
+loader normally finds your modules. If not, you need to ensure
+that the new IPSec-enabled kernel is being loaded correctly.
+
+See also doc/install.html, and INSTALL in the distro.
+
        
 
        Connection names in Pluto error messages
        
 
         From Pluto programmer Hugh Redelmeier:
        
 
        @@ -733,11 +913,11 @@
 connection and Pluto does not have a connection description that 
 matches what the remote system has requested. The most common cause is 
 a configuration error on one end or the other. 
-
         The match involves the left, right, 
-leftsubnet and rightsubnet parameters and must be 
-exact. For example, if your left subnet is a.b.c.0/24 then neither a 
-single machine in that net nor a smaller subnet such as a.b.c.64/26 
-will be considered a match. 
        
+
         Parameters involved in this match are left, right
+, leftsubnet and rightsubnet. 
        
+
         The match must be exact. For example, if your left 
+subnet is a.b.c.0/24 then neither a single machine in that net nor a 
+smaller subnet such as a.b.c.64/26 will be considered a match. 
        
 
         The message can also occur when an appropriate description exists 
 but Pluto has not loaded it. Use an auto=add statement in 
 the connection description, or an ipsec auto --add <conn_name>
@@ -766,13 +946,91 @@
 The leftsubnet= (client) in your conn is 216.112.83.64/26.  It must
 exactly match what pluto is looking for, and it does not.
 
        
+
        Pluto: ... no suitable connection ...
        
+ This is similar to the no connection known
+ error, but occurs at a different point in Pluto processing. 
+
         Here is one of Claudia's messages explaining the problem: 
        
+
        +You write,
+
+> What could be the reason of the following error? 
+> "no suitable connection for peer '@xforce'"
+
+When a connection is initiated by the peer, Pluto must choose which entry in 
+the conf file best matches the incoming connection. A preliminary choice is 
+made on the basis of source and destination IPs, since that information is 
+available at that time. 
+
+A payload containing an ID arrives later in the negotiation. Based on this
+id and the *id= parameters, Pluto refines its conn selection. ...
+
+The message "no suitable connection" indicates that in this refining step,
+Pluto does not find a connection that matches that ID.
+
+Please see "Selecting a connection when responding" in man ipsec_pluto for
+more details.
+
        
+
         See also Connection names in Pluto error 
+messages. 
        
+
        Pluto: ... no connection has been authorized
+
        
+ Here is one of Claudia's messages discussing this problem: 
+
        +You write,
+
+>  May 22 10:46:31 debian Pluto[25834]: packet from x.y.z.p:10014: 
+>  initial Main Mode message from x.y.z.p:10014 
+                            but no connection has been authorized
+
+This error occurs early in the connection negotiation process,
+at the first step of IKE negotiation (Main Mode), which is itself the 
+first of two negotiation phases involved in creating an IPSec connection.
+
+Here, Linux FreeS/WAN receives a packet from a potential peer, which 
+requests that they begin discussing a connection.
+
+The "no connection has been authorized" means that there is no connection 
+description in Linux FreeS/WAN's internal database that can be used to 
+link your ipsec interface with that peer.
+
+
+
+"But of course I configured that connection!" 
+
+It may be that the appropriate connection description exists in ipsec.conf 
+but has not been added to the database with ipsec auto --add myconn or the 
+auto=add method. Or, the connection description may be misconfigured.
+
+The only parameters that are relevant in this decision are left= and right= .
+Local and remote ports are also taken into account -- we see that the port 
+is printed in the message above -- but there is no way to control these
+in ipsec.conf.
+
+
+Failure at "no connection has been authorized" is similar to the
+"no connection is known for..." error in the FAQ, and the "no suitable
+connection" error described in the snapshot's FAQ. In all three cases,
+Linux FreeS/WAN is trying to match parameters received in the
+negotiation with the connection description in the local config file.
+
+As it receives more information, its matches take more parameters into 
+account, and become more precise:  first the pair of potential peers,
+then the peer IDs, then the endpoints (including any subnets).
+
+The "no suitable connection for peer *" occurs toward the end of IKE 
+(Main Mode) negotiation, when the IDs are matched.
+
+"no connection is known for a/b===c...d" is seen at the beginning of IPSec 
+(Quick Mode, phase 2) negotiation, when the connections are matched using
+left, right, and any information about the subnets.
+
        
 
        Pluto: ... OAKLEY_DES_CBC is not supported.
 
        
  This message occurs when the other system attempts to negotiate a 
 connection using single DES, which we do not support because it is 
 insecure. 
-
         Another FAQ section describes how to deal with
- systems that attempt to use single DES. 
        
+
         Our interoperation document has suggestions for 
+ how to deal with systems that attempt to use single DES. 
        
 
         Pluto: ... no acceptable transform
        
  This message means that the other gateway has made a proposal for 
 connection parameters, but nothing they proposed is acceptable to 
@@ -782,10 +1040,10 @@
 
      • policy incompatibilities, for example we require encrypted 
 connections but they are trying to create one with just authentication 
        • 
 
      • interoperation problems, for example they offer only single DES and 
-FreeS/WAN does not support that. (see below for 
-DES problems) 
        • 
+FreeS/WAN does not support that. (see below
+ for DES problems) 
 
      
- A more detailed explanation, from Pluto programmer Hugh Redelmaier:
+ A more detailed explanation, from Pluto programmer Hugh Redelmeier:
 
       Background:
 
@@ -956,6 +1214,54 @@
 
      
  This problem is also discussed in this FAQ under the heading 
 One manual connection works, but second one fails. 
+
      ... ignoring ... payload
      
+ This message is harmless. The IKE protocol provides for a number of 
+optional messages types: 
+
        
+
      • delete SA 
        • 
+
      • initial contact 
        • 
+
      • vendor ID 
        • 
+
      •  ... 
        • 
+
      
+ An implementation is never required to send these, but they are 
+allowed to.  The receiver is not required to do anything with them. 
+FreeS/WAN ignores them, but notifies you via the logs. 
+
       For the "ignoring delete SA Payload" message, see also the 
+discussion below of cleaning up dead tunnels. 
      
+
      ipsec_setup: ... interfaces ... and ... share 
+address ...
      
+ This is a fatal error. FreeS/WAN cannot cope with two or more 
+interfaces using the same IP address. You must re-configure to avoid 
+this. 
+
       A mailing list message on the topic from Pluto developer Hugh 
+Redelmeier: 
      
+
      +| I'm trying to get freeswan working between two machine where one has a ppp
+| interface.
+| I've already suceeded with  two machines with ethernet ports but  the ppp
+| interface is causing me problems.
+|  basically when I run ipsec start  i get
+| ipsec_setup: Starting FreeS/WAN IPSEC 1.7...
+| ipsec_setup: 003 IP interfaces ppp1 and ppp0 share address 192.168.0.10!
+| ipsec_setup: 003 IP interfaces ppp1 and ppp2 share address 192.168.0.10!
+| ipsec_setup: 003 IP interfaces ppp0 and ppp2 share address 192.168.0.10!
+| ipsec_setup: 003 no public interfaces found
+|
+| followed by lots of cannot work out interface for connection messages
+|
+| now I can specify the interface in ipsec.conf to be ppp0 , but this does
+| not affect the above behaviour. A quick look in server.c indicates that the
+| interfaces value  is not used but some sort of raw detect happens.
+|
+| I guess I could prevent the formation of the extra ppp interfaces or
+| allocate them different ip but I'd  rather not. if at all possible. Any
+| suggestions please.
+
+Pluto won't touch an interface that shares an IP address with another.
+This will eventually change, but it probably won't happen soon.
+
+For now, you will have to give the ppp1 and ppp2 different addresses.
+
      
 
      Can I ...
      
 
      Can I reload connection info without restarting?
 
      
@@ -984,6 +1290,8 @@
 There may be more bits to look for, depending on what you are trying
 to do.
 
    
+
     Another useful command here is ipsec auto --replace 
+<conn_name> which re-reads data for a named connection. 
    
 
    Can I use several masqueraded subnets?
    
  Yes. This is done all the time. See the discussion in our 
 setup document. The only restriction is that the subnets on the two 
@@ -1063,24 +1371,27 @@
 a tunnel that pokes through both masquerades and delivers packets from 
 leftsubnet to rightsubnet and vice versa. For this to 
 work, the two subnets must be distinct. 
    
-
     There are only two solutions to this problem. 
    
+
     There are several solutions to this problem. 
    
 
      
-
    • Usually, you re-number the subnets. Perhaps the Vancouver office 
-becomes 192.168.101.0/24, Calgary 192.168.102.0/24 and so on. FreeS/WAN 
-can happily handle this. With, for example 
+
    • Usually, you re-number the subnets. Perhaps the 
+Vancouver office becomes 192.168.101.0/24, Calgary 192.168.102.0/24 and 
+so on. FreeS/WAN can happily handle this. With, for example 
 leftsubnet=192.168.101.0/24 and rightsubnet=192.168.102.0/24
  in a connection description, any machine in Calgary can talk to any 
 machine in Vancouver. If you want to be more restrictive and use 
 something like leftsubnet=192.168.101.128/25 and 
 rightsubnet=192.168.102.240/28 so only certain machines on each 
 end have access to the tunnel, that's fine too. 
      • 
-
    • Alternately, you can just give up routing directly to machines on 
-the subnets. Omit the leftsubnet and rightsubnet
- parameters from your connection descriptions. Your IPSEC tunnels will 
-then run between the public interfaces of the two firewalls. Packets 
-will be masqueraded both before they are put into tunnels and after 
-they emerge. Your Vancouver client machines will see only one Calgary 
-machine, the firewall. 
      • 
+
    • You could also split the subnet into smaller ones, 
+for example using 192.168.1.0/25 in Vancouver and 
+rightsubnet=192.168.0.128/25 in Calgary. 
      • 
+
    • Alternately, you can just give up routing directly 
+to machines on the subnets. Omit the leftsubnet and 
+rightsubnet parameters from your connection descriptions. Your 
+IPSEC tunnels will then run between the public interfaces of the two 
+firewalls. Packets will be masqueraded both before they are put into 
+tunnels and after they emerge. Your Vancouver client machines will see 
+only one Calgary machine, the firewall. 
      • 
 
    
 
    Can I assign a road warrior an address on my 
 net?
    
@@ -1120,8 +1431,146 @@
 DiffServ does not interact well with tunneling in general.  Ways of
 improving this are being studied.
    - See ipsec.conf(5) for more -on the hidetos= parameter. +

    Copying the TOS information from the encapsulated packet to the +outer header reveals the TOS information to an eavesdropper. It is not +clear whether or how an attacker could use this information, but since +we do not have to give it to him, our default is not to.

    +

    See ipsec.conf(5) for +more on the hidetos= parameter.

    +

    Can I recognise dead tunnels and shut them +down?

    + There is no general mechanism to do this is in the IPSEC protocols. +

    From time to time, there is discussion on the IETF Working Group +mailing list of adding a "keep-alive" mechanism (which some say +should be called "make-dead"), but it is a fairly complex problem and +no consensus has been reached on whether or how it should be done.

    +

    The protocol does have optional delete-SA + messages which one side can send when it closes a connection in hopes +this will cause the other side to do the same. FreeS/WAN does not +currently support these. In any case, they would not solve the problem +since:

    +
      +
    • a gateway that crashes or hangs would not send the messages
      • +
    • the sender is not required to send them
      • +
    • they are not authenticated, so any receiver that trusts them leaves +itself open to a denial of service + attack
      • +
    • the receiver is not required to do anything about them
      • +
    • the receiver cannot acknowledge them; the protocol provides no +mechanism for that
      • +
    • since they are not acknowledged, the sender cannot rely on them
      • +
    +

    However, connections do have limited lifetimes and you can control +how many attempts your gateway makes to rekey before giving up. For +example, you can set:

    +
    +conn default
+	keyingtries=3
+	keylife=30m
+
    + With these settings old connections will be cleaned up. Within 30 +minutes of the other end dying, rekeying will be attempted. If it +succeeds, the new connection replaces the old one. If it fails, no new +connection is created. Either way, the old connection is taken down +when its lifetime expires. +

    Here is a mailing list message on the topic from FreeS/WAN tech +support person Claudia Schmeing:

    +
    +You ask how to determine whether a tunnel is redundant:
+
+> Can anybody explain the best way to determine this. Esp when a RW has
+> disconnected? I thought 'ipsec auto --status' might be one way.
+
+If a tunnel goes down from one end, Linux FreeS/WAN on the
+other end has no way of knowing this until it attempts to rekey.
+Once it tries to rekey and fails, it will 'know' that the tunnel is 
+down.
+
+Because it doesn't have a way of knowing the state until this point, 
+it will also not be able to tell you the state via ipsec auto --status.
+
+> However, comparing output from a working tunnel with that of one that
+> was closed 
+> did not show clearly show tunnel status.
+
+If your tunnel is down but not 'unrouted' (see man ipsec_auto), you
+should not be able to ping the opposite side of the tunnel. You can
+use this as an indicator of tunnel status.
+
+On a related note, you may be interested to know that as of 1.7, 
+redundant tunnels caused by RW disconnections are likely to be 
+less of a pain. From doc/CHANGES:
+
+    There is a new configuration parameter, uniqueids, to control a new Pluto
+    option:  when a new connection is negotiated with the same ID as an old
+    one, the old one is deleted immediately.  This should help eliminate
+    dangling Road Warrior connections when the same Road Warrior reconnects. 
+    It thus requires that IDs not be shared by hosts (a previously legal but
+    probably useless capability).  NOTE WELL:  the sample ipsec.conf now has
+    uniqueids=yes in its config-setup section.
+
+
+Cheers,
+
+Claudia
+
    +

    Can I build tunnels over a demand-dialed link? +

    + This is possible, but not easy. FreeS/WAN technical lead Henry Spencer +wrote: +
    +> 5. If the ISDN link goes down in between and is reestablished, the SAs
+> are still up but the eroute are deleted and the IPSEC interface shows
+> garbage (with ifconfig)
+> 6. Only restarting IPSEC will bring the VPN back online.
+
+This one is awkward to solve.  If the real interface that the IPsec
+interface is mounted on goes down, it takes most of the IPsec machinery
+down with it, and a restart is the only good way to recover. 
+
+The only really clean fix, right now, is to split the machines in two: 
+
+1. A minimal machine serves as the network router, and only it is aware
+that the link goes up and down. 
+
+2. The IPsec is done on a separate gateway machine, which thinks it has
+a permanent network connection, via the router.
+
+This is clumsy but it does work.  Trying to do both functions within a
+single machine is tricky.  There is a software package (diald) which will
+give the illusion of a permanent connection for demand-dialed modem
+connections; I don't know whether it's usable for ISDN, or whether it can
+be made to cooperate properly with FreeS/WAN. 
+
+Doing a restart each time the interface comes up *does* work, although it
+is a bit painful.  I did that with PPP when I was running on a modem link;
+it wasn't hard to arrange the PPP scripts to bring IPsec up and down at
+the right times.  (I'd meant to investigate diald but never found time.)
+
+In principle you don't need to do a complete restart on reconnect, but you
+do have to rebuild some things, and we have no nice clean way of doing
+only the necessary parts.
+
    + In the same thread, one user commented: +
    +Subject: Re: linux-ipsec: IPSEC and Dial Up Connections
+   Date: Wed, 22 Nov 2000
+   From: Andy Bradford <andyb@calderasystems.com>
+
+On Wed, 22 Nov 2000 19:47:11 +0100, Philip Reetz wrote:
+
+> Are there any ideas what might be the cause of the problem and any way
+> to work around it.
+> Any help is highly appreciated.
+
+On my laptop, when using ppp there is a ip-up script in /etc/ppp that 
+will be executed each time that the ppp interface is brought up.  
+Likewise there is an ip-down script that is called when it is taken 
+down.  You might consider custimzing those to stop and start FreeS/Wan 
+with each connection.  I believe that ISDN uses the same files, though 
+I could be wrong---there should be something similar though.
+
    +

    Does FreeS/WAN support X.509 or other PKI certificates?

    FreeS/WAN, as distributed, does not currently support use of     X.509 or other PKI certificates for @@ -1157,42 +1606,36 @@ authentication. If either of those is trustworthy, it is not clear that you need user -authentication in IPSEC. +authentication in IPSEC.

    Does FreeS/WAN support single DES encryption?

    No, single DES is not used either at the     IKE level for negotiating connections or at the IPSEC level for actually building them. -

    Single DES is insecure. -

    -

    But isn't DES support part of the IPSEC standard?

    - Yes, but     DES is insecure. As +

    Single DES is insecure. As we see it, it is more important to deliver real security than to comply with a standard which has been subverted into allowing use of inadequate methods. See this discussion -. -

    I have to talk to .... which offers only DES. How do I do this?

    - Ask the device vendor for the triple DES - upgrade. These exist for many IPSEC devices. If no cipher stronger -than DES is available, we recommend you not use that IPSEC -implementation. -

    If a 3DES implementation exists but your vendor cannot sell it to -you because of export laws, consider complaining to one or more of:

    -
      -
    • the vendor
      • -
    • your own government, especially any branch concerned with citizen's -privacy and/or protection of communication infrastructure
      • -
    • the local embassy of the nation which restricts export to you
      • -
    -

    Consider using FreeS/WAN instead. PCs are cheap and we deliver 3DES -now.

    -

    As a matter of project policy, we will not help anyone subvert -FreeS/WAN to provide insecure DES -encryption.

    -

    Why don't you restrict the mailing list to reduce +.

    +

    If you want to interoperate with an IPSEC implementation which +offers only DES, see our interoperation + document.

    +

    Why don't you restrict the mailing lists to reduce spam?

    -

    As a matter of policy, the list needs to be open to -non-subscribers. Project management feel strongly that maintaining this -openness is more important than blocking spam.

    +

    As a matter of policy, some of our mailing lists + need to be open to non-subscribers. Project management feel strongly +that maintaining this openness is more important than blocking spam.

    +
      +
    • Users should be able to get help or report bugs without +subscribing.
      • +
    • Even a user who is subscribed may not have access to his or her +subscribed account when he or she needs help, miles from home base in +the middle of setting up a client's gateway.
      • +
    • There is arguably a legal requirement for this policy. A US +resident or citizen could be charged under munitions export laws for +providing technical assistance to a foreign cryptographic project. Such +a charge would be more easily defended if the discussion takes place in +public, on an open list.
      • +

    This has been discussed several times at some length on the list. See the list archives. Bringing the topic up again is unlikely to be useful. Please don't. Or at the very @@ -1204,10 +1647,19 @@ The decision is final, and is not open to discussion. This needs to be communicated better to people, and steps are being taken to do that. Adding this FAQ section is one of the steps he refers to.

    -

    You have various options other than just putting up with the spam -or unsubscribing:

    +

    You have various options other than just putting up with the spam, +filtering it yourself, or unsubscribing:

      -
    • read the list via one of its archives +
    • read the main list via one of its +archives
      • +
    • subscribe only to one or both of our lists with restricted posting +rules: +
        +
      • briefs +, weekly list summaries
        • +
      • announce +, project-related announcements
        • +
    • subscribe to one or more of the other FreeS/WAN-related lists.
      • @@ -1231,7 +1683,8 @@ filtering.

      For information on tracking down spammers, see these HowTos, or the Sputum - site.

      + site. Sputum have a Linux anti-spam screensaver available for +download.

      Here is a more detailed message from Henry: 

       On Mon, 15 Jan 2001, Jay Vaughan wrote:
@@ -1323,7 +1776,7 @@
         John Gilmore
         founder sponsor, FreeS/WAN project
      -
      +
      Contents Previous diff -bruN freeswan-1.9.orig/doc/firewall.html freeswan-1.9/doc/firewall.html --- freeswan-1.9.orig/doc/firewall.html Tue Mar 27 23:16:51 2001 +++ freeswan-1.9/doc/firewall.html Mon Jun 4 01:15:56 2001 @@ -147,16 +147,20 @@ must allow UDP 500 and at least one of AH or ESP on the interface that communicates with the other gateway.

      IPSEC through the gateway

      -

      The preceeding paragraph deals with packets addressed to or sent -from your gateway. It is a separate policy decision whether to -permit such packets to pass through the gateway so that +

      The preceeding paragraph deals with packets addressed to or +sent from your gateway. It is a separate policy decision whether +to permit such packets to pass through the gateway so that client machines can build end-to-end IPSEC tunnels of their own. This -may not be practical if you are using NAT (IP -masquerade) on your gateway, and may conflict with some corporate -security policies. Other than that, it is likely a good idea.

      +may not be practical if you are using NAT +(IP masquerade) on your gateway, and may conflict with some +corporate security policies. Other than that, it is likely a good idea.

      +

      Preventing non-IPSEC traffic

      + You can of course also filter everything but UDP port 500 and +ESP or AH to restrict traffic to IPSEC only, either for anyone +communicating with your host or just for specific partners.

      Filtering packets from unknown gateways

      -

      It is possible to use firewall rules to restrict UDP 500, ESP and AH - packets so that these packets are accepted only from known gateways. +

      It is possible to use firewall rules to restrict UDP 500, ESP and +AH packets so that these packets are accepted only from known gateways. This is not strictly necessary since FreeS/WAN will discard packets from unknown gateways. You might, however, want to do it for any of a number of reasons. For example:

      @@ -316,9 +320,15 @@ Here you have a choice of techniques depending on whether you want to make your client subnet visible to clients on the other end:
        -
      • If you want to make them visible, then give the client subnet -addresses as the leftsubnet= parameter in the connection -description and +
      • If you want the single gateway to behave like the two shown above, +with your clients hidden behind the NAT, then omit the leftsubnet= + parameter. It then defaults to the gateway address. Clients on the +other end then talk via the tunnel only to your gateway. The gateway +takes packets emerging from the tunnel, applies normal masquerading, +and forwards them to clients.
        • +
      • If you want to make your client machines visible, then give the +client subnet addresses as the leftsubnet= parameter in the +connection description and
        either
        set leftfirewall=yes to use the default updown @@ -334,11 +344,6 @@ client subnet addresses, although of course the encapsulating packets use gateway addresses in their headers. Clients behind the right security gateway see a route via that gateway to the left subnet.

        -
      • If you want your clients hidden, then omit the leftsubnet= - parameter. It then defaults to the gateway address. Clients on the -other end then talk via the tunnel only to your gateway. The gateway -takes packets emerging from the tunnel, applies normal masquerading, -and forwards them to clients.

      NAT between gateways is problematic

      We recommend not trying to build IPSEC connections which pass @@ -567,7 +572,7 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # -# RCSID $Id: firewall.html,v 1.10.2.3 2001/03/15 00:12:35 henry Exp $ +# RCSID $Id: firewall.html,v 1.16 2001/05/02 20:56:27 sandy Exp $ # check interface version case "$PLUTO_VERSION" in diff -bruN freeswan-1.9.orig/doc/glossary.html freeswan-1.9/doc/glossary.html --- freeswan-1.9.orig/doc/glossary.html Tue Mar 27 23:16:52 2001 +++ freeswan-1.9/doc/glossary.html Mon Jun 4 01:15:56 2001 @@ -154,7 +154,7 @@ FreeS/WAN would be useful undertaking, and considerable freely available code exists to start from. One complication is that our code is built for a 64-bit block cipher and AES uses a 128-bit block. - Volunteers via the mailing list would be welcome.

      + Volunteers via the mailing lists would be welcome.

      For more information, see the NIST AES home page or the Block Cipher Lounge AES page. For code and benchmarks see @@ -193,7 +193,7 @@

    • packet authentication, authenticating packets on an established SA, either with a separate authentication header or with the optional authentication in the -ESP protocol. In either case, packet authentication uses a +ESP protocol. In either case, packet authentication uses a hashed message athentication code technique.

    Outside IPSEC, passwords are perhaps the most common authentication @@ -309,9 +309,9 @@

  • AES block ciphers using a 128-bit block instead of the 64-bit block of most current ciphers
  • IPSEC using a 32-bit counter for packets sent -on an automatically keyed SA - and requiring that the connection always be rekeyed before the -counter overflows.
    • +on an automatically keyed SA and +requiring that the connection always be rekeyed before the counter +overflows.
    Birthday paradox
    Not really a paradox, just a rather counter-intuitive mathematical @@ -408,7 +408,7 @@ things, cryptography.
    C
    CA
    -
    Certification Authority, an entity in a +
    Certification Authority, an entity in a public key infrastructure that can certify keys by signing them. Usually CAs form a hierarchy. The top of this hierarchy is called the root CA.
    @@ -416,7 +416,7 @@
    CAST-128
    A block cipher using 64-bit blocks and 128-bit keys, described in RFC 2144 and used in products such as -Entrust and recent versions of PGP.
    +Entrust and recent versions of PGP.

    This is not required by the IPSEC RFCs and not currently used in Linux FreeS/WAN.

    CAST-256
    @@ -550,7 +550,7 @@ and a fragment carries information on where it starts within that 64K and how long it is. The "ping of death" delivers fragments that say, for example, that they start at 60K and are 20K long. Attempting to -re-assemble thse without checking for overflow can be fatal. +re-assemble these without checking for overflow can be fatal.

    The two example attacks discussed were both quite effective when @@ -747,7 +747,7 @@

    The EDE two-key variant can also interoperate with the EDE three-key variant used in IPSEC; just set k1=k3.

    Entrust
    -
    A Canadian company offerring enterprise PKI +
    A Canadian company offerring enterprise PKI products using CAST-128 symmetric crypto, RSA public key and X.509 directories.
    EFF
    @@ -786,7 +786,7 @@ (as they would for, say, the accounting department) they are then encapsulated and sent back onto the Internet for delivery to the branch office.

    -

    For information on doing this with Linux FreeS/WAN, look in our +

    For information on doing this with Linux FreeS/WAN, look in our Configuration file.

    Exhaustive search
    See brute force attack.
    @@ -830,14 +830,14 @@
    Global Trust Register
    An attempt to create something like a root CA - for PGP by publishing both + for PGP by publishing both as a book and on the web the fingerprints of a set of verified keys for well-known users and organisations.
    GMP
    The GNU Multi-Precision library code, used in Linux FreeS/WAN by -Pluto for public key calculations.
    +href="#FreeSWAN"> Linux FreeS/WAN by Pluto for public key calculations.
    GNU
    GNU's Not Unix, the Free Software Foundation's project aimed at creating a free system with @@ -858,8 +858,8 @@ page.
    GNU Privacy Guard
    -
    An open source implementation of Open PGP - as defined in RFC 2440.
    +
    An open source implementation of Open PGP as + defined in RFC 2440.
    GPL
    see GNU General Public License.
    H
    @@ -884,11 +884,11 @@ because they output only 96 bits of the hash. This makes some attacks on the hash functions harder.

    HMAC
    -
    see Hashed Message Authentication Code
    +
    see Hashed Message Authentication Code
    HMAC-MD5-96
    -
    see Hashed Message Authentication Code
    +
    see Hashed Message Authentication Code
    HMAC-SHA-96
    -
    see Hashed Message Authentication Code
    +
    see Hashed Message Authentication Code
    Hybrid cryptosystem
    A system using both public key and symmetric cipher techniques. This works well. Public key methods @@ -909,7 +909,7 @@ such as DES which were too weak for serious use. IDEA is a block cipher using 64-bit blocks and 128-bit keys, and is used in products such as PGP.
    +href="#PGP"> PGP.

    IDEA is not required by the IPSEC RFCs and not currently used in Linux FreeS/WAN.

    IDEA is patented and, with strictly limited exceptions for personal @@ -927,8 +927,7 @@

    IKE
    Internet Key Exchange, based on the Diffie-Hellman key exchange protocol. IKE is implemented in -Linux FreeS/WAN by the Pluto daemon -.
    +Linux FreeS/WAN by the Pluto daemon.
    Initialisation Vector (IV)
    Some cipher modes, including the CBC mode which IPSEC uses, require some extra data at the @@ -951,17 +950,16 @@ come from one IP address, that of its Internet interface. It then gets all the replies, does some table lookups and more header rewriting, and delivers the replies to the appropriate client machines.

    -

    To use masquerade with Linux FreeS/WAN, you must set - leftfirewall=yes and/or rightfirewall=yes in the connection - description in /etc/ipsec.conf.

    +

    For information on using masquerade with Linux FreeS/WAN, see our + firewall document and the FAQ and.

    IPng
    "IP the Next Generation", see IPv6.
    IPv4
    -
    The current version of the Internet protocol suite -.
    +
    The current version of the Internet protocol + suite.
    IPv6 (IPng)
    -
    Version six of the Internet protocol suite, - currently being developed. It will replace the current +
    Version six of the Internet protocol suite +, currently being developed. It will replace the current version four. IPv6 has IPSEC as a mandatory component.

    See this @@ -1005,7 +1003,7 @@ development kernels only if they have an urgent need for some feature not yet available in production kernels.

    Keyed message digest
    -
    See HMAC.
    +
    See HMAC.
    Key length
    see brute force attack
    KLIPS
    @@ -1016,15 +1014,15 @@
    LDAP
    Lightweight Directory Access Protocol, defined in RFCs 1777 and 1778, a method of accessing information - stored in directories. LDAP is used by several -PKI implementations, often with X.501 directories and -X.509 certificates. It may also be used by IPSEC - to obtain key certifications from those PKIs. This is not yet -implemented in Linux FreeS/WAN.
    + stored in directories. LDAP is used by several PKI + implementations, often with X.501 directories and X.509 + certificates. It may also be used by IPSEC to +obtain key certifications from those PKIs. This is not yet implemented +in Linux FreeS/WAN.
    LIBDES
    A publicly available library of DES code, written by Eric Young, which Linux FreeS/WAN - uses in both KLIPS and + uses in both KLIPS and Pluto.
    Linux
    A freely available Unix-like operating system based on a kernel @@ -1047,7 +1045,7 @@ other IPSEC implementations. The name is partly taken, with permission, from the S/WAN multi-vendor IPSEC compatability effort. Linux FreeS/WAN has two major components, KLIPS (KerneL IPSEC Support) and the +href="ipsec.html#KLIPS">KLIPS (KerneL IPSEC Support) and the Pluto daemon which manages the whole thing.

    See our IPSEC Overview for more detail. For the code see our primary @@ -1055,18 +1053,9 @@ this list.

    M
    Mailing list
    -
    The Linux FreeS/WAN project has an open - public email list for bug reports and software development - discussions. The list address is linux-ipsec@clinet.fi. To - subscribe, send mail to -majordomo@clinet.fi with a one-line message body "subscribe -linux-ipsec".For more information, send majordomo the one-line message -"help".
    -

    NOTE: US citizens or residents are asked not to post code - to the list, not even one-line bug fixes. The project cannot - accept code which might entangle it in US export restrictions.

    -

    For more detail, see our document on this and other -mailing lists.

    +
    The Linux FreeS/WAN project has several + public email lists for bug reports and software development + discussions. See our document on mailing lists.
    Man-in-the-middle attack
    An active attack in which the attacker impersonates each of the legitimate players in a protocol to the @@ -1104,7 +1093,7 @@ completely.

    Manual keying
    An IPSEC mode in which the keys are provided by the administrator. - In FreeS/WAN, they are stored in /etc/ipsec.conf. The alternative, + In FreeS/WAN, they are stored in /etc/ipsec.conf. The alternative, automatic keying, is preferred in most cases.
    MD4
    Message Digest Algorithm Four from Ron Rivest @@ -1119,7 +1108,7 @@

    MD5 is one of two message digest algorithms available in IPSEC. The other is SHA. SHA produces a longer hash and is therefore more resistant to birthday attacks, - but this is not a concern for IPSEC. The HMAC + but this is not a concern for IPSEC. The HMAC method used in IPSEC is secure even if the underlying hash is not particularly strong against this attack.

    Meet-in-the-middle attack
    @@ -1157,8 +1146,8 @@ collision resistance. The main applications are in message authentication and digital signature schemes. Widely used algorithms include MD5 and -SHA. In IPSEC, message digests are used for HMAC - authentication of packets. +SHA. In IPSEC, message digests are used for +HMAC authentication of packets.
    MTU
    Maximum Transmission U nit, the largest size of packet that can be sent over a link. This is @@ -1281,10 +1270,12 @@ time pad FAQ.

    Opportunistic encryption
    A situation in which any two IPSEC-aware machines can secure their - communications, without a pre-shared secret and without a common + communications, without a pre-shared secret and without a common PKI or previous exchange of public keys. This is one of the goals of the Linux FreeS/WAN project, discussed in our -introduction section.
    +introduction section. +

    Setting up for opportunistic encryption is described in our + configuration document.

    P
    P1363 standard
    @@ -1305,7 +1296,7 @@ ragment) bit in the packet header
  • any router which cannot send the packet on (outgoing MTU is too small for it, and DF prevents fragmenting it to match) sends back an ICMP packet reporting the problem
    • +href="firewall.html#ICMP">ICMP packet reporting the problem
  • originator looks at ICMP message and tries a smaller size
  • eventually, you settle on a size that can pass all routers
  • thereafter, originator just sends that size and no-one has to @@ -1347,7 +1338,7 @@ Zimmerman.

    The 2.xx versions of PGP used the RSA public key algorithm and used IDEA as the symmetric cipher. - These versions are described in RFC 1991 and in + These versions are described in RFC 1991 and in Garfinkel's book. Since version 5, the products from PGP Inc. have used Diffie-Hellman public key methods and CAST-128 symmetric encryption. These @@ -1360,8 +1351,8 @@

    For more information on PGP, including how to obtain it, see our cryptography links.

    PGP Inc.
    -
    A company founded by Zimmerman, the author of -PGP, now a division of NAI. See the +
    A company founded by Zimmerman, the author of PGP +, now a division of NAI. See the corporate website.

    Their PGP 6.5 product includes PGPnet, an IPSEC client for Macintosh or for Windows 95/98/NT.

    @@ -1385,8 +1376,7 @@ infrastructure.

    PKIX
    PKI eXchange, an IETF - standard that allows PKIs to talk to -each other.
    + standard that allows PKIs to talk to each other.

    This is required, for example, when users of a corporate PKI need to communicate with people at client, supplier or government organisations, any of which may have a different PKI in place. I @@ -1425,11 +1415,11 @@ symmetric ciphers. The resulting hybrid cryptosystems use public key methods to manage keys for symmetric ciphers.

    -

    Many organisations are currently creating -PKIs, public key infrastructures to make these benefits widely +

    Many organisations are currently creating PKIs, + public key infrastructures to make these benefits widely available.

    Public Key Infrastructure
    -
    see PKI
    +
    see PKI
    Q
    R
    Random
    @@ -1480,7 +1470,7 @@ packet headers. These are the routable addresses; we expect routing to be possible for them. If we send a packet to one of them, we expect (in most cases; there are various complications) that it will be -delivered if the address is in use and will cause an +delivered if the address is in use and will cause an ICMP error packet to come back to us if not.

    There are also several classes of non-routable IP addresses.

    @@ -1557,7 +1547,7 @@ Diffie-Hellman key exchange to bootstrap itself. This would allow opportunistic encryption. Any pair of machines which could authenticate each other via DNS could communicate -securely, without either a pre-existing shared secret or a shared +securely, without either a pre-existing shared secret or a shared PKI.

    Linux FreeS/WAN will support this in a future release.

    @@ -1569,7 +1559,7 @@
    A number added to a packet or message which indicates its position in a sequence of packets or messages. This provides some security against replay attacks.
    -

    For automatic keying mode, the +

    For automatic keying mode, the IPSEC RFCs require that the sender generate sequence numbers for each packet, but leave it optional whether the receiver does anything with them.

    @@ -1737,12 +1727,12 @@
    Transport mode
    An IPSEC application in which the IPSEC gateway is the destination of the protected packets, a machine acts as its own gateway. Contrast - with tunnel mode.
    + with tunnel mode.
    Triple DES
    see 3DES
    Tunnel mode
    An IPSEC application in which an IPSEC gateway provides protection - for packets to and from other systems. Contrast with + for packets to and from other systems. Contrast with transport mode.
    Two-key Triple DES
    A variant of triple DES or 3DES in which only @@ -1769,7 +1759,7 @@ book form or on the web for details.
    Virtual Private Network
    -
    see VPN
    +
    see VPN
    VPN
    Virtual Private Network, a network which can safely be used as if it were private, even though some of its @@ -1790,18 +1780,18 @@ restricted under the current version of the agreement. Discussion.
    Web of Trust
    -
    PGP's method of certifying keys. Any -user can sign a key; you decide which signatures or combinations of -signatures to accept as certification. This contrasts with the -hierarchy of CAs (Certification Authorities) used in -many PKIs (Public Key Infrastructures).
    -

    See Global Trust Register for an interesting - addition to the web of trust.

    +
    PGP's method of certifying keys. Any user can + sign a key; you decide which signatures or combinations of signatures + to accept as certification. This contrasts with the hierarchy of +CAs (Certification Authorities) used in many PKIs +(Public Key Infrastructures).
    +

    See Global Trust Register for an +interesting addition to the web of trust.

    X
    X.509
    A standard from the ITU (International Telecommunication Union), for hierarchical directories with - authentication services, used in many PKI + authentication services, used in many PKI implementations.

    Use of X.509 services, via the LDAP protocol, for certification of keys is allowed but not required by the diff -bruN freeswan-1.9.orig/doc/index.html freeswan-1.9/doc/index.html --- freeswan-1.9.orig/doc/index.html Tue Mar 27 23:17:16 2001 +++ freeswan-1.9/doc/index.html Mon Jun 4 01:16:19 2001 @@ -2,6 +2,17 @@ FreeS/WAN HTML document index + + +

    FreeS/WAN documentation

    diff -bruN freeswan-1.9.orig/doc/install.html freeswan-1.9/doc/install.html --- freeswan-1.9.orig/doc/install.html Tue Mar 27 23:16:51 2001 +++ freeswan-1.9/doc/install.html Mon Jun 4 01:15:55 2001 @@ -61,16 +61,23 @@

    If you have not done this before, you will need to read the Kernel HowTo.

    Choosing a kernel

    -

    2.2.x for most users

    -

    Most users should run the most stable available series of Linux -production kernels. At time of -writing (February 2001), we recommend the 2.2 series for most users. -The latest version is 2.2.18.

    +

    2.2.19 for many users

    +

    Many users can continue to run kernels from the 2.2 series of Linux +production kernels.

    +

    At time of writing (June 2001), the latest version is 2.2.19. If +you are going to use a 2.2 kernel, we strongly recommend + upgrading to 2.2.19 since:

    +
      +
    • It has a number of small security fixes not found in earlier +kernels.
      • +
    • There have been changes in some kernel file formats that make it +difficult to compile a current FreeS/WAN with earlier kernels. See the mailing list archives for details if needed.
      • +

    2.4.x is possible

    - The new 2.4 series of kernels were first released in January 2001 and -are currently (mid-February) at 2.4.2. FreeS/WAN does work on these -kernels, but for production use we suggest waiting a while yet. -

    On the other hand, 2.4 has new firewalling code called + The new 2.4 series of kernels began in January 2001 and are currently +(early June) at 2.4.5. FreeS/WAN is known to work on 2.4.5. +

    2.4 has new firewalling code called netfilter. This may provide good reasons to move to 2.4, especially on for gateway machines.

    2.0.x should still work

    @@ -88,10 +95,10 @@ for use by kernel developers. By convention, production kernels have an even second digit in the version number (2.0, 2.2, 2.4) and development kernels have an odd digit there (2.1, 2.3, 2.5). -

    At time of writing (February 2001, shortly after the release of -2.4), no more 2.3 kernels are being produced and the 2.5 series has not -been started yet, so just now development kernels are not an issue. No -doubt a 2.5 series will be started in the next few months.

    +

    At time of writing, no more 2.3 kernels are being produced and the +2.5 series has not been started yet, so just now development kernels +are not an issue. No doubt a 2.5 series will be started in the next few +months.

    Development kernels are not intended for production use . They change often and include new code which has not yet been thoroughly tested. This regularly breaks things, including @@ -378,7 +385,7 @@

    Of course any status information at this point should be uninteresting since you have not yet configured connections.

    -

    Links to other sections

    +

    Where to go from here

    See the following section for information on configuring connections.

    Alternately, you might want to look at background material on the diff -bruN freeswan-1.9.orig/doc/interop.html freeswan-1.9/doc/interop.html --- freeswan-1.9.orig/doc/interop.html Tue Mar 27 23:16:51 2001 +++ freeswan-1.9/doc/interop.html Mon Jun 4 01:15:56 2001 @@ -52,41 +52,50 @@ those formats. See this list of patches and add-ons.

    Interoperability problems

    -

    The IPSEC RFCs are complex and include a number of optional +

    The IPSEC RFCs are complex and include a number of optional features. There is considerable opportunity for even two correct, standard-conforming, implementations to disagree on details in a way that blocks interoperation. Of course, misinterpretations of the standards and implementation or configuration errors on either end can also foul things up.

    That said, FreeS/WAN interoperates successfully with many other - implementations. There is a list in another - section.

    + implementations. There is a list below.

    Known areas where problems may appear are:

      +
    • FreeS/WAN does not implement single DES because +DES is insecure. Suggestions on what to do if the device you want +to talk to has only DES are below.
      • +
    • FreeS/WAN does not implement Diffie-Hellman group 1 + because it it is not entirely clear that this is secure.
    • The RFCs define two modes for IKE negotiations -- main mode and aggressive mode. Aggressive mode is slightly faster, but reveals more information to an eavesdropper. Specifically, it lets an eavesdropper know what identities are in use. FreeS/WAN does not implement aggressive mode, so any negotiation another implementation - tries that way will fail. In principle this should not be a problem - since main mode support is required in all implementations and -aggressive mode is optional.
      • -

      In practice, it is sometimes a problem. Some implementations -default to aggressive mode unless you configure them for main mode.

      -
    • FreeS/WAN does not implement single DES because -DES is insecure. Suggestions on what to do if the device you want -to talk to has only DES are in our FAQ - document.
      • -
    • FreeS/WAN does not implement Diffie-Hellman group 1 - because it it is not entirely clear that this is secure.
      • -
    • For automatic keying, the FreeS/WAN default is to provide - perfect forward secrecy. We see no reason not to; this -is more secure and costs little. Some other implementations, however, -turn PFS off by default.
      • + tries that way will fail. +

      In principle this should not be a problem since main mode support +is required in all implementations and aggressive mode is optional. + In practice, it is sometimes a problem. Some implementations default +to aggressive mode unless you configure them for main mode.

      +
    • For automatic keying, the FreeS/WAN default is to provide perfect forward secrecy. We see +no reason not to; this is more secure and costs little. Some other +implementations, however, turn PFS off by default.

      • You can turn PFS off in FreeS/WAN with the pfs=no setting in ipsec.conf(5), but if possible we suggest you enable it on the other end instead. That is more secure.

      +
    • The IKE protocol allows several types of optional message. Two +things happen which are allowed by the RFCs: +
        +
      • Some implementations send various optional messages.
        • +
      • FreeS/WAN ignores them.
        • +
      + However, problems may arise if the other end relies on some expected +effect of these messages. There are two FAQ questions dealing with +this, one on the log message FreeS/WAN +gives when ignoring optional payloads and one on the +delete SA payload.

    The general rule is that to interoperate with FreeS/WAN, the other implementation should be configured for:

    @@ -96,34 +105,39 @@
  • Diffie-Hellman Group 2 or 5

    • This is possible for most implementations.

    -

    Systems that want to use DES

    -

    Linux FreeS/WAN does not support DES transforms. Neither Pluto's -IKE connections nor KLIPS' IPSEC connections can use DES. Since -DES is insecure we do not, and will not at any future time, provide -it.

    +

    Systems that want to use single DES

    +

    Linux FreeS/WAN does not support single DES transforms. Neither +Pluto's IKE connections nor KLIPS' IPSEC connections can use DES. Since DES is insecure we do not, and +will not at any future time, provide it.

    DES is, unfortunately, a mandatory part of the IPSEC standard. Despite that, we will not implement DES. We believe it is more important to provide security than to comply with a standard -which has been subverted into allowing weak algorithms. See our -history and politics section for discussion.

    -

    Some implementations may offer DES as the default. In such cases we -urge you to change them to Triple DES -. If this is not possible, for example because +which has been subverted into allowing +weak algorithms. See our history and politics + section for discussion.

    +

    Some implementations may offer DES as the default. In such cases we +urge you to change them to Triple DES. +If this is not possible, for example because export laws prevent your vendor from offerring you adequate -crytography, we urge you to complain vigorously to

    +crytography, we urge you to complain vigorously to one or more of:

      -
    • your government
      • +
    • your government, especially any department concerned with +protecting citizens' privacy or your nation's communication +infrastructure
    • the vendor
      • -
    • the embassy of the nation whose laws are problematic for you.
      • +
    • the embassy of the nation whose laws are problematic for you
    -

    In the meanwhile, use FreeS/WAN to get strong crypto until the laws -are fixed.

    +

    Consider using FreeS/WAN instead. PCs are cheap and we deliver 3DES +now.

    FreeS/WAN does have DES code in it as a sort of historical accident, since we need it to implement our default (currently, our only) block cipher, Triple DES. However, since DES -is insecure, we do not provide any interface to that code and, as a -matter of policy, will provide no help to anyone who may wish to use it.

    +is insecure, we do not provide any interface to that code.

    +

    As a matter of project policy, we will not help anyone subvert +FreeS/WAN to provide insecure DES +encryption.

    Interop HowTo documents

    The FreeS/WAN team does not have the resources to test with anything like the full range of other @@ -288,7 +302,7 @@ I've attached some ipsec barf output - pluto still complains a few times, but it gets there :-) -

    A later message from Ian:

    +

    A later message from Ian:

     This configuration is provided as-is and with no assistance or guarantee
 that it works whatsover. In particular your attention is drawn to the versions
@@ -366,6 +380,19 @@
 |     7500 Series

    Nortel (Bay Networks) Contivity switch

    + There is one known issue in FreeS/WAN-to-Contivity interoperation. +Recent versions of FreeS/WAN no longer support DH group 1 for key +exchange. Older versions of Contivity software support nothing else. +Group 2 was added in more recent releases. So: +
      +
    • older FreeS/WANs, such as 1.5, will work with any Contivity +software. Key exchange will be done using DH Group 1. This may not be +secure.
      • +
    • current FreeS/WANs will work only with recent Contivity releases +supporting DH Group 2. Contivity 3.5 is one such release.
      • +
    + We recommend using the latest Contivity release. +

    Some messages from the mailing list: 

     Subject: Contivity Extranet Switch
    Date: Fri, 11 Jun 1999
@@ -772,6 +799,13 @@
 HowTo for connecting FreeS/WAN and this product can be downloaded 
 from the  vendor's site or browsed at a VPN mailing list 
 site.
    
+
    Redcreek Ravlin
    
+ We have reports of successful interoperation at an interop 
+conference, but there is also a mailing list 
+ thread discussing difficulties some users have encountered. 
+
    SSH Sentinel
    
+ The vendor's 
+ web site has configuration examples for use with FreeS/WAN. 
 
    F-Secure VPN for Windows
    
 
       Subject: linux-ipsec: Identification through other than IP number
    Date: Tue, 13 Apr 1999
@@ -1407,8 +1441,9 @@
 of both domains or consider setting up WINS service(s).
 
    
  We suspect that in some cases it may be more complex than that. See 
-the discussion of Linux services and Windows 2000 below
-. 
+the discussion of Linux services and Windows 2000
+ below and the Interop HowTo documents listed 
+above. 
 
    Windows 2000
    
 
     Windows 2000 ships with an IPSEC implementation built in. There may 
 be  restrictions. We have had mailing list reports that only the server 
@@ -1478,16 +1513,9 @@
 http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00195.html

    FreeS/WAN-to-Win2000 interop

    -

    As for IPSEC interoperation between Windows 2000 and FreeS/WAN, -there are some web sites:

    - +

    As for IPSEC interoperation between Windows 2000 and FreeS/WAN, +there are several web sites listed under Interop +HowTo documents above.

    Here is a discussion from the mailing list:

    From: "Jean-Francois Nadeau" <jna@microflex.ca>
 Subject: Win2000 IPsec  interop. in tunnel mode
diff -bruN freeswan-1.9.orig/doc/intro.html freeswan-1.9/doc/intro.html
--- freeswan-1.9.orig/doc/intro.html	Tue Mar 27 23:16:50 2001
+++ freeswan-1.9/doc/intro.html	Mon Jun  4 01:15:55 2001
@@ -157,7 +157,8 @@
 
  • If Network Address Translation (NAT) is applied between the two 
 IPSEC  Gateways, this breaks IPSEC. IPSEC authenticates packets on an 
 end-to-end  basis, to ensure they are not altered en route. NAT 
-rewrites packets as  they go by.
    • 
+rewrites packets as  they go by. See our 
+firewalls document for details.
 
 
     In most situations, however, FreeS/WAN supports road warrior 
 connections just fine.
    
@@ -170,7 +171,7 @@
 .  We hope this will go some distance toward creating a secure 
 Internet, an environment where message privacy is the default. See our history and politics of cryptography section 
-for discussion
    
+for discussion.
    
 
     Both systems pick up the authentication information they need from 
 the DNS (domain name service), 
 the service they already use to look up IP addresses. Of course the 
@@ -180,8 +181,9 @@
 encrypt, and encrypt whatever they can. Whether they also accept 
 unencrypted communication is a policy decision the administrator can 
 make.
    
-
     A draft document giving most of the 
-details of how we plan to implement this is available.
    
+
     A draft document giving most of the details of how we plan to 
+implement this has been posted to the mailing list. See 
+links below.
    
 
     Only one current product we know of implements a form of 
 opportunistic encryption. Secure sendmail
  will automatically encrypt server-to-server mail transfers whenever 
@@ -323,8 +325,12 @@
 
  • the UK
    • 
 
  • Slovak 
  Republic
    • 
+
  • 
+Australia
    • 
 
  • technolust
    • 
 
  • Ivan Moore's site
    • 
+
  • the Crypto Archive on 
+the  Security Portal site 
    • 
 
 
    The "munitions" archive of Linux crypto software
 
    
@@ -338,12 +344,17 @@
 
 
     Any of those will have a list of other "munitions" mirrors. 
    
 
    Archives of the project mailing list
    
+ Until quite recently, there was only one FreeS/WAN mailing list, and 
+archives of it were: 
 
-
     The two archives use completely different search engines. You might 
-want to try both.
    
+ The two archives use completely different search engines. You might 
+want to try both.
+
     More recently we have expanded to five lists, each with its own 
+archive. See details elsewhere in the 
+documentation. 
    
 
    More information on this and other mailing 
 lists.
    
 
    Products containing FreeS/WAN
    
@@ -365,8 +376,8 @@
 
  • Trustix Secure Linux (Norway) 
    • 
 
 
     For distributions which do not include FreeS/WAN and are not Redhat 
-6.x (which we develop and test on), there is additional information in 
-our compatibility section.
    
+(which we develop and test on), there is additional information in our compatibility section.
    
 
     We would appreciate hearing of other distributions using FreeS/WAN.
    
 
    Firewall distributions
    
  FreeS/WAN is also included in, or available for, more specialised 
@@ -406,6 +417,9 @@
 
  • Merilus use FreeS/WAN in their 
 Gateway Guardian firewall  product and in their 
 Firecard product, a Linux firewall on a PCI card. 
    • 
+
  • Kyzo have a "pizza box" product 
+line with various types of  server, all running from flash. One of them 
+is an IPSEC/PPTP VPN server. 
    • 
 
 
    We would appreciate hearing of other products using FreeS/WAN.
    
 
    Documentation
    
@@ -514,7 +528,7 @@
 
  Both documents are works in progress and may be revised. Check the 
diff -bruN freeswan-1.9.orig/doc/ipsec.html freeswan-1.9/doc/ipsec.html
--- freeswan-1.9.orig/doc/ipsec.html	Tue Mar 27 23:16:51 2001
+++ freeswan-1.9/doc/ipsec.html	Mon Jun  4 01:15:56 2001
@@ -233,7 +233,7 @@
 authentication at  packet level is in use on the potential victims' 
 communication channel.
    
 
    Using authentication without encryption
    
-
    Where appropriate, IPSEC can provide authentication without 
+
     Where appropriate, IPSEC can provide authentication without 
 encryption.  One might do this, for example:
    
 
      
 
    • where the data is public but one wants to be sure of getting the 
@@ -246,6 +246,12 @@
 protocols  harder.
      • 
 
    
 
     Authentication has lower overheads than encryption. 
    
+
     The protocols provide four ways to build such connections, using 
+either an AH-only connection or ESP using null encryption, and in 
+either manually or automatically keyed mode. FreeS/WAN supports only 
+one of these, manually keyed AH-only connections, and we do not 
+recommend using that. Our reasons are discussed under 
+Resisting traffic analysis a few sections further along. 
    
 
    Encryption without authentication is dangerous
 
    
 
    Originally, the IPSEC encryption protocol 
@@ -263,7 +269,7 @@
 
  • ESP for encryption and authentication
    • 
 
  • AH for authentication alone
    • 
 
-
    Other variants are allowed by the standard, but not much used:
    
+
     Other variants are allowed by the standard, but not much used:
    
 
    
 
    ESP encryption without authentication
    
 
    Bellovin has demonstrated fatal flaws in this. Do not  use.
@@ -283,14 +289,14 @@
  might use ESP as well.
    
 
    ESP authentication without encryption
    
 
    The standard allows this, calling it "null encryption". FreeS/WAN 
- does not normally support it, but it can be enabled with a kernel 
- configuration option. We recommend that you use AH instead if 
+ does not support it. We recommend that you use AH instead if 
  authentication is all you require. AH authenticates parts of the IP 
- header, which ESP-null does not do. Also, if you do not enable 
- ESP-null on your FreeS/WAN machine, then you run no risk of a 
- configuration error using this when it should be encrypting.
    
+ header, which ESP-null does not do.
 
    
-
    There are fairly frequent suggestions that AH be dropped entirely 
+ Some of these variants cannot be used with FreeS/WAN because we do not 
+support ESP-null and do not support automatic keying of AH-only 
+connections. 
+
     There are fairly frequent suggestions that AH be dropped entirely 
 from  the IPSEC specifications since ESP and null encryption can handle 
 that  situation. It is not clear whether this will occur. My guess is 
 that it is  unlikely.
    
@@ -321,13 +327,12 @@
 to derive useful intelligence from encrypted traffic without breaking 
 the encryption. For example, an eavesdropper might deduce something 
 interesting merely by knowing that your CEO was exchanging email with a 
-particular venture capital firm. Or that all the CEO's mail this week 
-went to a firm of bankruptcy trustees and a half dozen executive 
-recruiting agencies. 
    
+particular venture capital firm, or that the CEO was talking to a firm 
+of bankruptcy trustees and a half dozen executive recruiting agencies. 
    
 
     Except in the simplest cases, traffic analysis is hard to do well. 
 It requires both considerable resources and considerable analytic 
 skill. However, intelligence agencies of various nations have been 
-doing it for centuries and most of them are likely quite good at it by 
+doing it for centuries and many of them are likely quite good at it by 
 now. Various commercial organisations, especially those working on 
 "targeted marketing" may also be quite good at analysing certain types 
 of traffic. 
    
@@ -761,14 +766,11 @@
 category.
    
 
    The authentication algorithms are the same ones used in the IPSEC 
 authentication header.
    
-
    We do not implement single DES since 
+
     We do not implement single DES since 
 DES is  insecure. Instead we provide 
-triple DES or 3DES.  This is currently the only encryption 
-algorithm supported.
    
-
    We do implement null encryption, but it is disabled by default. You 
-can  enable it in the IPSEC part of kernel configuration if required. 
-We would  suggest, however, that if you need only authentication, you 
-should use AH  rather than ESP with null encryption.
    
+triple DES or 3DES. This is currently the only encryption algorithm 
+supported.
    
+
     We do not implement null encryption since it is obviously insecure.
    
 
    IPSEC modes
    
 
    IPSEC can connect in two modes. Transport mode is a host-to-host 
  connection involving only two machines. In tunnel mode, the IPSEC 
diff -bruN freeswan-1.9.orig/doc/mail.html freeswan-1.9/doc/mail.html
--- freeswan-1.9.orig/doc/mail.html	Tue Mar 27 23:16:51 2001
+++ freeswan-1.9/doc/mail.html	Mon Jun  4 01:15:56 2001
@@ -23,7 +23,8 @@
 
    
 
      
 
    • The general list for discussing use of the software 
      • 
-
    • The place for seeking help with problems. 
      • 
+
    • The place for seeking help with problems (but 
+please check the FAQ first). 
      • 
 
    • Anyone can post. 
      • 
 
    
 
    
@@ -45,7 +46,9 @@
 
  • Design discussions, for people working on 
 FreeS/WAN development or others with an interest  in design and 
 security issues. 
    • 
-
  • Only subscribers can post. 
    • 
+
  • It would be a good idea to read the existing design papers (see 
+this list) before  posting. 
    • 
+
  • Anyone can post. 
    • 
 
 
 
    
@@ -57,7 +60,10 @@
 software. 
 
  • All posts here are also sent to the users list. You need not 
 subscribe to both. 
    • 
-
  • Only authorised people can post. 
    • 
+
  • Only the FreeS/WAN team can post. 
    • 
+
  • If you have something you feel should go on this list, send it to 
+announce-admin@lists.freeswan.org.  Unless it is obvious, please 
+include a short note explaining why we should post it.
    • 
 
 
 
    
@@ -68,7 +74,7 @@
 
  • Weekly summaries of activity on the users list. 
    • 
 
  • All posts here are also sent to the users list. You need not 
 subscribe to both. 
    • 
-
  • Only authorised people can post. 
    • 
+
  • Only the FreeS/WAN team can post. 
    • 
 
 
 
@@ -80,6 +86,8 @@
 
  • send mail to listname-request@lists.freeswan.org with a 
 one-line message body "subscribe" 
    • 
 
+
     Archives of these lists are available via the 
+web interface. 
    
 
    List policies
    
  US citizens or residents are asked not to post code to the 
 lists, not even one-line bug fixes. The project cannot accept 
@@ -99,7 +107,9 @@
 
  • Canada
    • 
 
  • Holland
    • 
 
-
    Note that these use different search engines. Try both.
    
+
     Note that these use different search engines. Try both.
    
+
     Archives of the new lists are available via the 
+web interface. 
    
 
    Other FreeS/WAN related lists
    
 
     There are several other lists related to FreeS/WAN: 
    
 
      
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec.8.html freeswan-1.9/doc/manpage.d/ipsec.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec.8.html	Tue Mar 27 23:17:08 2001
+++ freeswan-1.9/doc/manpage.d/ipsec.8.html	Mon Jun  4 01:16:12 2001
@@ -3,7 +3,7 @@
 Manpage of IPSEC
 
 
      IPSEC
      
-Section: Maintenance Commands (8)
      Updated: 11 Dec 2000
      Index
+Section: Maintenance Commands (8)
      Updated: 1 June 2001
      Index
 Return to Main Contents
      
 
 
@@ -63,24 +63,30 @@
 command
 
 with a suitable PATH environment variable,
-and also provides an IPSECDIR environment variable containing
-the full pathname of the directory where the IPsec utilities are stored.
+and also provides IPSEC_DIR and IPSEC_VERSION environment variables,
+containing respectively
+the full pathname of the directory where the IPsec utilities are stored
+and the IPsec version number.
 
      
 
 ipsec --help
 
 lists the available commands.
 Most have their own manual pages, e.g.
-ipsec_manual(8)
+ipsec_auto(8)
 
 for
-manual.
+auto.
 
 
      
 
 ipsec --version
 
 supplies the version number of Linux FreeS/WAN.
+A version number of the form ``Uxxx/Kyyy''
+indicates that the user-level utilities are version xxx
+but the kernel portion appears to be version yyy
+(this form is used only if the two disagree).
 
      
 
 ipsec --copyright
@@ -93,22 +99,37 @@
 reports where
 ipsec
 
-thinkgs the IPsec utilities are stored.
+thinks the IPsec utilities are stored.
  
 
      FILES
      
 
-/usr/local/lib/ipsec   utilities directory (default location)
      
+/usr/local/lib/ipsec   usual utilities directory
      
  
 
      SEE ALSO
      
 
 
-ipsec_manual(8), ipsec_auto(8),
-ipsec_klipsdebug(8), ipsec_barf(8)
+
+ipsec.conf(5), ipsec.secrets(5),
+ipsec_auto(8),
+ipsec_barf(8),
+ipsec_setup(8),
+ipsec_showdefaults(8),
+ipsec_showhostkey(8)
+
+
+
      
+
+HTML documentation shipped with the release, starting with
+doc/index.html.
+
+<http://www.freeswan.org/doc.html>
+
+may also be of use.
  
 
      HISTORY
      
 
-Written for the Linux FreeS/WAN project
-<http://www.xs4all.nl/~freeswan/>
+Written for Linux FreeS/WAN
+<http://www.freeswan.org>
 by Henry Spencer.
  
 
      BUGS
      
@@ -136,6 +157,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:11 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec.conf.5.html freeswan-1.9/doc/manpage.d/ipsec.conf.5.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec.conf.5.html	Tue Mar 27 23:17:08 2001
+++ freeswan-1.9/doc/manpage.d/ipsec.conf.5.html	Mon Jun  4 01:16:12 2001
@@ -3,7 +3,7 @@
 Manpage of IPSEC.CONF
 
 
      IPSEC.CONF
      
-Section: File Formats (5)
      Updated: 9 March 2001
      Index
+Section: File Formats (5)
      Updated: 29 May 2001
      Index
 Return to Main Contents
      
 
 
@@ -118,9 +118,10 @@
 There can be white space on either side of the
 =.
 
-The parameter names are specific to a section type.
+Parameter names follow the same syntax as section names,
+and are specific to a section type.
 Unless otherwise explicitly specified,
-no parameter may appear more than once in a section.
+no parameter name may appear more than once in a section.
 
      
 
 An empty
@@ -350,41 +351,6 @@
 no
 
 (the default).
-
      auto
-
-
      
-what operation, if any, should be done automatically at IPsec startup;
-currently-accepted values are
-add
-
-(signifying an
-ipsec_auto
-
-add),
-
-start
-
-(signifying an
-ipsec_auto
-
-start),
-
-and
-ignore
-
-(also the default) (signifying no automatic startup operation).
-This parameter is ignored unless the
-plutoload
-
-or
-plutostart
-
-configuration parameter is set suitably; see the
-config
-
-setup
-
-discussion below.
 
      left
 
 
      
@@ -456,7 +422,10 @@
 next-hop gateway IP address for the left participant's connection
 to the public network;
 defaults to
-right.
+%direct
+
+(meaning
+right).
 
 If the value is to be overridden by the
 left=%defaultroute
@@ -566,6 +535,48 @@
 the default and currently the only accepted value is
 ike
 
+
      auto
+
+
      
+what operation, if any, should be done automatically at IPsec startup;
+currently-accepted values are
+add
+
+(signifying an
+ipsec auto
+
+--add),
+
+route
+
+(signifying that plus an
+ipsec auto
+
+--route),
+
+start
+
+(signifying that plus an
+ipsec auto
+
+--up),
+
+and
+ignore
+
+(also the default) (signifying no automatic startup operation).
+This parameter is ignored unless the
+plutoload
+
+or
+plutostart
+
+configuration parameter is set suitably; see the
+config
+
+setup
+
+discussion below.
 
      auth
 
 
      
@@ -1244,37 +1255,50 @@
 no
 
 (the default).
-
      no_eroute_pass
+
      packetdefault
 
 
      
-whether a packet which reaches KLIPS (via a route into a virtual interface)
-but does not match any eroute should be passed in plaintext,
-rather than discarded;
+what should be done with
+a packet which reaches KLIPS (via a route into a virtual interface)
+but does not match any eroute;
 acceptable values are
-yes
+pass
+
+(insecure unless you really know what you're doing!!!),
+drop
 
-(insecure unless you really know what you're doing!!!)
+(the default),
 and
-no
+reject
 
-(the default).
-This overrides
-opportunistic.
+(currently same as
+drop,
 
-
      opportunistic
+but eventually it will send an ICMP notification back
+to the sender).
+
      no_eroute_pass
 
 
      
-whether a packet which reaches KLIPS (via a route into a virtual interface)
-but does not match any eroute should cause an attempt to signal
-ipsec_pluto
+obsolete parameter similar to
+packetdefault
+
+but with more limited functionality;
+ignored if
+packetdefault
 
-to create a connection for it;
+is set;
 acceptable values are
 yes
 
+(synonymous with
+packetdefault=pass)
+
 and
 no
 
+(synonymous with
+packetdefault=drop)
+
 (the default).
 
      hidetos
 
@@ -1323,7 +1347,7 @@
 
      HISTORY
      
 
 Designed for the FreeS/WAN project
-<http://www.xs4all.nl/~freeswan/>
+<http://www.freeswan.org>
 by Henry Spencer.
  
 
      BUGS
      
@@ -1406,6 +1430,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec.secrets.5.html freeswan-1.9/doc/manpage.d/ipsec.secrets.5.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec.secrets.5.html	Tue Mar 27 23:17:08 2001
+++ freeswan-1.9/doc/manpage.d/ipsec.secrets.5.html	Mon Jun  4 01:16:12 2001
@@ -217,6 +217,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_addrbytesof.3.html freeswan-1.9/doc/manpage.d/ipsec_addrbytesof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_addrbytesof.3.html	Tue Mar 27 23:17:08 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_addrbytesof.3.html	Mon Jun  4 01:16:12 2001
@@ -227,6 +227,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_addrbytesptr.3.html freeswan-1.9/doc/manpage.d/ipsec_addrbytesptr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_addrbytesptr.3.html	Tue Mar 27 23:17:08 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_addrbytesptr.3.html	Mon Jun  4 01:16:12 2001
@@ -227,6 +227,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_addrcmp.3.html freeswan-1.9/doc/manpage.d/ipsec_addrcmp.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_addrcmp.3.html	Tue Mar 27 23:17:08 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_addrcmp.3.html	Mon Jun  4 01:16:12 2001
@@ -269,6 +269,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_addrinsubnet.3.html freeswan-1.9/doc/manpage.d/ipsec_addrinsubnet.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_addrinsubnet.3.html	Tue Mar 27 23:17:08 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_addrinsubnet.3.html	Mon Jun  4 01:16:12 2001
@@ -269,6 +269,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_addrlenof.3.html freeswan-1.9/doc/manpage.d/ipsec_addrlenof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_addrlenof.3.html	Tue Mar 27 23:17:08 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_addrlenof.3.html	Mon Jun  4 01:16:12 2001
@@ -227,6 +227,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_addrtoa.3.html freeswan-1.9/doc/manpage.d/ipsec_addrtoa.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_addrtoa.3.html	Tue Mar 27 23:17:08 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_addrtoa.3.html	Mon Jun  4 01:16:12 2001
@@ -437,6 +437,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_addrtot.3.html freeswan-1.9/doc/manpage.d/ipsec_addrtot.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_addrtot.3.html	Tue Mar 27 23:17:08 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_addrtot.3.html	Mon Jun  4 01:16:12 2001
@@ -563,6 +563,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_addrtypeof.3.html freeswan-1.9/doc/manpage.d/ipsec_addrtypeof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_addrtypeof.3.html	Tue Mar 27 23:17:08 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_addrtypeof.3.html	Mon Jun  4 01:16:12 2001
@@ -227,6 +227,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_anyaddr.3.html freeswan-1.9/doc/manpage.d/ipsec_anyaddr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_anyaddr.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_anyaddr.3.html	Mon Jun  4 01:16:12 2001
@@ -161,6 +161,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:08 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_atoaddr.3.html freeswan-1.9/doc/manpage.d/ipsec_atoaddr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_atoaddr.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_atoaddr.3.html	Mon Jun  4 01:16:12 2001
@@ -437,6 +437,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_atoasr.3.html freeswan-1.9/doc/manpage.d/ipsec_atoasr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_atoasr.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_atoasr.3.html	Mon Jun  4 01:16:12 2001
@@ -284,6 +284,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_atosa.3.html freeswan-1.9/doc/manpage.d/ipsec_atosa.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_atosa.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_atosa.3.html	Mon Jun  4 01:16:12 2001
@@ -336,6 +336,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_atosubnet.3.html freeswan-1.9/doc/manpage.d/ipsec_atosubnet.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_atosubnet.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_atosubnet.3.html	Mon Jun  4 01:16:12 2001
@@ -437,6 +437,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_atoul.3.html freeswan-1.9/doc/manpage.d/ipsec_atoul.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_atoul.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_atoul.3.html	Mon Jun  4 01:16:12 2001
@@ -255,6 +255,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_auto.8.html freeswan-1.9/doc/manpage.d/ipsec_auto.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_auto.8.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_auto.8.html	Mon Jun  4 01:16:12 2001
@@ -3,7 +3,7 @@
 Manpage of IPSEC_AUTO
 
 
      IPSEC_AUTO
      
-Section: Maintenance Commands (8)
      Updated: 23 March 2001
      Index
+Section: Maintenance Commands (8)
      Updated: 31 May 2001
      Index
 Return to Main Contents
      
 
 
@@ -233,7 +233,7 @@
 to re-read the
 /etc/ipsec.secrets
 
-shared-secrets file,
+secret-keys file,
 which it normally reads only at startup time.
 (This is currently a synonym for
 --ready,
@@ -348,7 +348,7 @@
 
      HISTORY
      
 
 Written for the FreeS/WAN project
-<http://www.xs4all.nl/~freeswan/>
+<http://www.freeswan.org>
 by Henry Spencer.
  
 
      BUGS
      
@@ -394,6 +394,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_barf.8.html freeswan-1.9/doc/manpage.d/ipsec_barf.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_barf.8.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_barf.8.html	Mon Jun  4 01:16:12 2001
@@ -3,7 +3,7 @@
 Manpage of IPSEC_BARF
 
 
      IPSEC_BARF
      
-Section: Maintenance Commands (8)
      Updated: 1 June 2000
      Index
+Section: Maintenance Commands (8)
      Updated: 31 May 2001
      Index
 Return to Main Contents
      
 
 
@@ -77,12 +77,18 @@
  
 
      FILES
      
 
-/proc/net/*, /var/log/*
+
      +/proc/net/*
+/var/log/*
+/etc/ipsec.conf
+/etc/ipsec.secrets
+
      
+
  
 
      HISTORY
      
 
 Written for the Linux FreeS/WAN project
-<http://www.xs4all.nl/~freeswan/>
+<http://www.freeswan.org>
 by Henry Spencer.
  
 
      BUGS
      
@@ -121,6 +127,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_bitstomask.3.html freeswan-1.9/doc/manpage.d/ipsec_bitstomask.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_bitstomask.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_bitstomask.3.html	Mon Jun  4 01:16:12 2001
@@ -110,6 +110,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_broadcastof.3.html freeswan-1.9/doc/manpage.d/ipsec_broadcastof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_broadcastof.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_broadcastof.3.html	Mon Jun  4 01:16:12 2001
@@ -96,6 +96,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:12 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_datatot.3.html freeswan-1.9/doc/manpage.d/ipsec_datatot.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_datatot.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_datatot.3.html	Mon Jun  4 01:16:13 2001
@@ -372,6 +372,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_eroute.5.html freeswan-1.9/doc/manpage.d/ipsec_eroute.5.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_eroute.5.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_eroute.5.html	Mon Jun  4 01:16:13 2001
@@ -40,6 +40,8 @@
 A table entry consists of:
 
      
 
      +
      
+packet count,
+
      +
      
 source address with mask,
 
      +
      
 a '->' separator for visual and automated parsing between src and dst
@@ -54,6 +56,10 @@
 protocol
 (proto),
 
      +
      
+address family
+(af),
+where '.' stands for IPv4 and ':' for IPv6
+
      +
      
 Security Parameters Index
 (SPI),
 
      +
      
@@ -62,10 +68,6 @@
 where the packet should be forwarded after processing
 (normally the other security gateway)
 together indicate which Security Association should be used to process the packet
-
      +
      
-address family
-(af),
-where '.' stands for IPv4 and ':' for IPv6
 
      
 
      
 
@@ -75,23 +77,50 @@
 SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6
 
      
 
-SAIDs are written as "protoafSPI@edst".
+SAIDs are written as "protoafSPI@edst".  There are also 5
+"magic" SAIDs which have special meaning:
+
      
+
      +
      
+%drop
+
+means that matches are to be dropped
+
      +
      
+%reject
+
+means that matches are to be dropped and an ICMP returned, if
+possible to inform
+
      +
      
+%trap
+
+means that matches are to trigger an ACQUIRE message to the Key
+Management daemon(s) and a hold eroute will be put in place to
+prevent subsequent packets also triggering ACQUIRE messages.
+
      +
      
+%hold
+
+means that matches are to stored until the eroute is replaced or
+until that eroute gets reaped
+
      +
      
+%pass
+
+means that matches are to allowed to pass without IPSEC processing
 
      
 
 
+
      
  
 
      EXAMPLES
      
 
 
      
 
-172.31.252.0/24    -> 0.0.0.0/0          => tun.130@192.168.43.1
+1867     172.31.252.0/24    -> 0.0.0.0/0          => tun.130@192.168.43.1
 
 
      
 
-means that an
+means that 1,867 packets have been sent to an
 eroute
 
-has been set up to protect traffic between the subnet
+that has been set up to protect traffic between the subnet
 172.31.252.0
 
 with a subnet mask of
@@ -117,14 +146,14 @@
 in hexadecimal.
 
      
 
-3049:1::/64    -> 0:0/0          => tun:130@3058:4::5
+125      3049:1::/64    -> 0:0/0          => tun:130@3058:4::5
 
 
      
 
-means that an
+means that 125 packets have been sent to an
 eroute
 
-has been set up to protect traffic between the subnet
+that has been set up to protect traffic between the subnet
 3049:1::
 
 with a subnet mask of
@@ -150,14 +179,14 @@
 in hexadecimal.
 
      
 
-192.168.6.0/24     -> 192.168.7.0/24     => %passthrough
+42         192.168.6.0/24     -> 192.168.7.0/24     => %passthrough
 
 
      
 
-means that an
+means that 42 packets have been sent to an
 eroute
 
-has been set up to pass the traffic from the subnet
+that has been set up to pass the traffic from the subnet
 192.168.6.0
 
 with a subnet mask of
@@ -172,7 +201,25 @@
 bits without any IPSEC processing.
 
      
 
-192.168.2.110/32   -> 192.168.2.120/32   => 
+2112     192.168.8.55/32    -> 192.168.9.47/24    => %hold
+
+
      
+
+means that 2112 packets have been sent to an
+eroute
+
+that has been set up to hold the traffic from the host
+192.168.8.55
+
+and to host
+192.168.9.47
+
+until a key exchange from a Key Management daemon
+succeeds and puts in an SA or fails and puts in a pass
+or drop eroute depending on the default configuration.
+
      
+
+2001     192.168.2.110/32   -> 192.168.2.120/32   => 
 
 
      
 
@@ -180,10 +227,10 @@
 
 
      
 
-means that an
+means that 2001 packets have been sent to an
 eroute
 
-has been set up to protect traffic between the host
+that has been set up to protect traffic between the host
 192.168.2.110
 
 and the host
@@ -207,7 +254,7 @@
 IPPROTO_ESP).
 
      
 
-3049:1::110/128   -> 3049:1::120/128   => 
+1984     3049:1::110/128   -> 3049:1::120/128   => 
 
 
      
 
@@ -215,10 +262,10 @@
 
 
      
 
-means that an
+means that 1984 packets have been sent to an
 eroute
 
-has been set up to authenticate traffic between the host
+that has been set up to authenticate traffic between the host
 3049:1::110
 
 and the host
@@ -277,6 +324,14 @@
 
 
 
+
+
+
+
+
+
+
+
 
      
 
 
      
@@ -294,6 +349,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_eroute.8.html freeswan-1.9/doc/manpage.d/ipsec_eroute.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_eroute.8.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_eroute.8.html	Mon Jun  4 01:16:13 2001
@@ -152,23 +152,24 @@
 
      +
      
 Security Association IDentifier, comprised of:
 
      +
      
+protocol
+(proto), indicating (together with the
+effective destination and the security parameters index)
+which Security Association should be used to process the packet
+
      +
      
 address family
 (af),
 
      +
      
-effective destination
-(edst),
-where the packet should be forwarded after processing
-(normally the other security gateway)
-
      +
      
 Security Parameters Index
 (spi), indicating (together with the
 effective destination and protocol)
 which Security Association should be used to process the packet
+(must be larger than or equal to 0x100)
 
      +
      
-protocol
-(proto), indicating (together with the
-effective destination and the security parameters index)
-which Security Association should be used to process the packet
+effective destination
+(edst),
+where the packet should be forwarded after processing
+(normally the other security gateway)
 
      +
      
 OR
 
      +
      
@@ -178,12 +179,40 @@
 
 
      
 
-Addresses are written as IPv4 dotted quads or IPv6 coloned hex, protocol is one
-of "ah", "esp", "comp" or "tun" and SPIs are prefixed hexadecimal numbers where '.' represents
-IPv4 and ':' stands for IPv6.
+Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
+protocol is one of "ah", "esp", "comp" or "tun" and SPIs are
+prefixed hexadecimal numbers where '.' represents IPv4 and ':'
+stands for IPv6.
 
      
 
-SAIDs are written as "protoafSPI@address".
+SAIDs are written as "protoafSPI@address".  There are also 5
+"magic" SAIDs which have special meaning:
+
      
+
      +
      
+%drop
+
+means that matches are to be dropped
+
      +
      
+%reject
+
+means that matches are to be dropped and an ICMP returned, if
+possible to inform
+
      +
      
+%trap
+
+means that matches are to trigger an ACQUIRE message to the Key
+Management daemon(s) and a hold eroute will be put in place to
+prevent subsequent packets also triggering ACQUIRE messages.
+
      +
      
+%hold
+
+means that matches are to stored until the eroute is replaced or
+until that eroute gets reaped
+
      +
      
+%pass
+
+means that matches are to allowed to pass without IPSEC processing
+
      
 
      
 
 The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
@@ -362,6 +391,11 @@
 
 
 
+
+
+
+
+
 
      
 
 
      
@@ -379,6 +413,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_four2perm.1.html freeswan-1.9/doc/manpage.d/ipsec_four2perm.1.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_four2perm.1.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_four2perm.1.html	Mon Jun  4 01:16:13 2001
@@ -52,6 +52,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_goodmask.3.html freeswan-1.9/doc/manpage.d/ipsec_goodmask.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_goodmask.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_goodmask.3.html	Mon Jun  4 01:16:13 2001
@@ -110,6 +110,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_hostof.3.html freeswan-1.9/doc/manpage.d/ipsec_hostof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_hostof.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_hostof.3.html	Mon Jun  4 01:16:13 2001
@@ -96,6 +96,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_html2four.1.html freeswan-1.9/doc/manpage.d/ipsec_html2four.1.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_html2four.1.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_html2four.1.html	Mon Jun  4 01:16:13 2001
@@ -58,6 +58,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_initaddr.3.html freeswan-1.9/doc/manpage.d/ipsec_initaddr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_initaddr.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_initaddr.3.html	Mon Jun  4 01:16:13 2001
@@ -227,6 +227,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_initsaid.3.html freeswan-1.9/doc/manpage.d/ipsec_initsaid.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_initsaid.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_initsaid.3.html	Mon Jun  4 01:16:13 2001
@@ -3,7 +3,7 @@
 Manpage of IPSEC_TTOSA
 
 
      IPSEC_TTOSA
      
-Section: C Library Functions (3)
      Updated: 15 Sept 2000
      Index
+Section: C Library Functions (3)
      Updated: 27 Feb 2001
      Index
 Return to Main Contents
      
 
 
@@ -96,8 +96,10 @@
 
 tun,
 
+comp,
+
 or
-comp),
+int),
 
 a single character indicating the address family
 (.
@@ -149,6 +151,29 @@
 so the internal representation is never visible.
 
      
 
+Similarly, the SA specifiers
+%pass,
+
+%drop,
+
+%reject,
+
+%hold,
+
+and
+%trap
+
+signify special ``magic'' SAs used to indicate that packets should be
+passed, dropped, rejected (dropped with ICMP notification),
+held,
+and trapped (sent up to
+ipsec_pluto(8))
+
+respectively.
+These forms too are known to both routines,
+so the internal representation of the magic SAs should never be visible.
+
      
+
 The
 <freeswan.h>
 
@@ -190,6 +215,48 @@
 
 
      
 
+<freeswan.h>
+
+also defines
+SA_INT
+
+to have the value
+61
+
+(reserved by IANA for ``any host internal protocol'')
+and
+SPI_PASS,
+
+SPI_DROP,
+
+SPI_REJECT,
+
+SPI_HOLD,
+
+and
+SPI_TRAP
+
+to have the values 256-260 (in host byte order) respectively.
+These are used in constructing the magic SAs
+(which always have address
+0.0.0.0).
+
+
      
+
+If
+satot
+
+encounters an unknown protocol code, e.g. 77,
+it yields output using a prefix
+showing the code numerically, e.g. ``unk77''.
+This form is
+not
+
+recognized by
+ttosa.
+
+
      
+
 The
 srclen
 
@@ -328,7 +395,7 @@
 satot
 
 are:
-unknown format; unknown protocol code.
+unknown format.
  
 
      HISTORY
      
 
@@ -375,6 +442,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_initsubnet.3.html freeswan-1.9/doc/manpage.d/ipsec_initsubnet.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_initsubnet.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_initsubnet.3.html	Mon Jun  4 01:16:13 2001
@@ -199,6 +199,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_isanyaddr.3.html freeswan-1.9/doc/manpage.d/ipsec_isanyaddr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_isanyaddr.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_isanyaddr.3.html	Mon Jun  4 01:16:13 2001
@@ -161,6 +161,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_isloopbackaddr.3.html freeswan-1.9/doc/manpage.d/ipsec_isloopbackaddr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_isloopbackaddr.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_isloopbackaddr.3.html	Mon Jun  4 01:16:13 2001
@@ -161,6 +161,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_isunspecaddr.3.html freeswan-1.9/doc/manpage.d/ipsec_isunspecaddr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_isunspecaddr.3.html	Tue Mar 27 23:17:09 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_isunspecaddr.3.html	Mon Jun  4 01:16:13 2001
@@ -161,6 +161,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:09 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_klipsdebug.5.html freeswan-1.9/doc/manpage.d/ipsec_klipsdebug.5.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_klipsdebug.5.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_klipsdebug.5.html	Mon Jun  4 01:16:13 2001
@@ -221,6 +221,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_klipsdebug.8.html freeswan-1.9/doc/manpage.d/ipsec_klipsdebug.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_klipsdebug.8.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_klipsdebug.8.html	Mon Jun  4 01:16:13 2001
@@ -256,6 +256,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_look.8.html freeswan-1.9/doc/manpage.d/ipsec_look.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_look.8.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_look.8.html	Mon Jun  4 01:16:13 2001
@@ -3,7 +3,7 @@
 Manpage of IPSEC_BARF
 
 
      IPSEC_BARF
      
-Section: Maintenance Commands (8)
      Updated: 1 June 2000
      Index
+Section: Maintenance Commands (8)
      Updated: 31 May 2001
      Index
 Return to Main Contents
      
 
 
@@ -77,12 +77,18 @@
  
 
      FILES
      
 
-/proc/net/*, /var/log/*
+
      +/proc/net/*
+/var/log/*
+/etc/ipsec.conf
+/etc/ipsec.secrets
+
      
+
  
 
      HISTORY
      
 
 Written for the Linux FreeS/WAN project
-<http://www.xs4all.nl/~freeswan/>
+<http://www.freeswan.org>
 by Henry Spencer.
  
 
      BUGS
      
@@ -121,6 +127,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_loopbackaddr.3.html freeswan-1.9/doc/manpage.d/ipsec_loopbackaddr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_loopbackaddr.3.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_loopbackaddr.3.html	Mon Jun  4 01:16:13 2001
@@ -161,6 +161,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_manual.8.html freeswan-1.9/doc/manpage.d/ipsec_manual.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_manual.8.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_manual.8.html	Mon Jun  4 01:16:13 2001
@@ -404,6 +404,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_maskof.3.html freeswan-1.9/doc/manpage.d/ipsec_maskof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_maskof.3.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_maskof.3.html	Mon Jun  4 01:16:13 2001
@@ -199,6 +199,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_masktobits.3.html freeswan-1.9/doc/manpage.d/ipsec_masktobits.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_masktobits.3.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_masktobits.3.html	Mon Jun  4 01:16:13 2001
@@ -110,6 +110,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_masktocount.3.html freeswan-1.9/doc/manpage.d/ipsec_masktocount.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_masktocount.3.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_masktocount.3.html	Mon Jun  4 01:16:13 2001
@@ -199,6 +199,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_networkof.3.html freeswan-1.9/doc/manpage.d/ipsec_networkof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_networkof.3.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_networkof.3.html	Mon Jun  4 01:16:13 2001
@@ -199,6 +199,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:13 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_optionsfrom.3.html freeswan-1.9/doc/manpage.d/ipsec_optionsfrom.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_optionsfrom.3.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_optionsfrom.3.html	Mon Jun  4 01:16:14 2001
@@ -270,6 +270,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_pf_key.5.html freeswan-1.9/doc/manpage.d/ipsec_pf_key.5.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_pf_key.5.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_pf_key.5.html	Mon Jun  4 01:16:14 2001
@@ -168,6 +168,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_pluto.8.html freeswan-1.9/doc/manpage.d/ipsec_pluto.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_pluto.8.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_pluto.8.html	Mon Jun  4 01:16:14 2001
@@ -594,12 +594,16 @@
 identity defaults to the IP address specified by --host.
 
 
      --host ip-address
      
+
      --host %any
      
+
      --host %opportunistic
      
 the IP address of the end (generally the public interface).
 If pluto is to act as a responder
 for IKE negotiations initiated from unknown IP addresses (the
 ``Road Warrior'' case), the
 IP address should be specified as %any (currently,
 the obsolete notation 0.0.0.0 is also accepted for this).
+If pluto is to opportunistically initiate the connection,
+use %opportunistic
 
      --ikeport port-number
      
 the UDP port that IKE listens to on that host.  The default is 500.
 (pluto on this machine uses the port specified by its own command
@@ -703,7 +707,8 @@
 
 If none of the --encrypt, --authenticate, --compress,
 or --pfs flags is given, the initiating the connection will
-only build an ISAKMP SA.
+only build an ISAKMP SA.  For such a connection, client subnets have
+no meaning and must not be specified.
 
      
 
 More work is needed to allow for flexible policies.  Currently
@@ -761,6 +766,8 @@
 virtual interface.
 Once routing is set up, no packets will be
 sent ``in the clear'' to the peer's client specified in the connection.
+A TRAP shunt eroute will be installed; if outbound traffic is caught,
+Pluto will initiate the connection.
 An explicit whack route is not always needed: if it hasn't been
 done when an IPsec SA is being installed, one will be automatically attempted.
 
      
@@ -1642,6 +1649,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_portof.3.html freeswan-1.9/doc/manpage.d/ipsec_portof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_portof.3.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_portof.3.html	Mon Jun  4 01:16:14 2001
@@ -138,6 +138,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_ranbits.8.html freeswan-1.9/doc/manpage.d/ipsec_ranbits.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_ranbits.8.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_ranbits.8.html	Mon Jun  4 01:16:14 2001
@@ -105,7 +105,7 @@
 
      HISTORY
      
 
 Written for the Linux FreeS/WAN project
-<http://www.xs4all.nl/~freeswan/>
+<http://www.freeswan.org>
 by Henry Spencer.
  
 
      BUGS
      
@@ -142,6 +142,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_rangetoa.3.html freeswan-1.9/doc/manpage.d/ipsec_rangetoa.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_rangetoa.3.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_rangetoa.3.html	Mon Jun  4 01:16:14 2001
@@ -284,6 +284,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_rangetosubnet.3.html freeswan-1.9/doc/manpage.d/ipsec_rangetosubnet.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_rangetosubnet.3.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_rangetosubnet.3.html	Mon Jun  4 01:16:14 2001
@@ -111,6 +111,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_rsasigkey.8.html freeswan-1.9/doc/manpage.d/ipsec_rsasigkey.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_rsasigkey.8.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_rsasigkey.8.html	Mon Jun  4 01:16:14 2001
@@ -3,7 +3,7 @@
 Manpage of IPSEC_RSASIGKEY
 
 
      IPSEC_RSASIGKEY
      
-Section: Maintenance Commands (8)
      Updated: 23 Feb 2001
      Index
+Section: Maintenance Commands (8)
      Updated: 14 May 2001
      Index
 Return to Main Contents
      
 
 
@@ -193,7 +193,7 @@
 
               # RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
         # for signatures only, UNSAFE FOR ENCRYPTION
-        #pubkey=0x0103cc2a86fcf440...cf1011abb82d1
+        #pubkey=0sAQOF8tZ2NZt...Y1P+buFuFn/
         #IN KEY 0x4200 4 1 AQOF8tZ2NZt...Y1P+buFuFn/
         # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
         Modulus: 0xcc2a86fcf440...cf1011abb82d1
@@ -209,13 +209,22 @@
 
 
      
 
+The first (comment) line,
+indicating the nature and date of the key,
+and giving a host name,
+is used by
+ipsec_showhostkey(8)
+
+when generating some forms of key output.
+
      
+
 The commented-out
 pubkey=
 
 line contains the public key---the public exponent and the modulus---combined
 in approximately RFC 2537 format
-(the one deviation is that the combined value is given in hex with a
-0x
+(the one deviation is that the combined value is given with a
+0s
 
 prefix, rather than in unadorned base-64),
 suitable for use in the
@@ -335,7 +344,7 @@
  
 
      SEE ALSO
      
 
-random(4)
+random(4), ipsec_showhostkey(8)
 
      
 
 Applied Cryptography, 2nd. ed., by Bruce Schneier, Wiley 1996.
@@ -350,7 +359,7 @@
 
      HISTORY
      
 
 Written for the Linux FreeS/WAN project
-<http://www.xs4all.nl/~freeswan/>
+<http://www.freeswan.org>
 by Henry Spencer.
  
 
      BUGS
      
@@ -402,6 +411,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_sameaddr.3.html freeswan-1.9/doc/manpage.d/ipsec_sameaddr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_sameaddr.3.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_sameaddr.3.html	Mon Jun  4 01:16:14 2001
@@ -269,6 +269,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_sameaddrtype.3.html freeswan-1.9/doc/manpage.d/ipsec_sameaddrtype.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_sameaddrtype.3.html	Tue Mar 27 23:17:10 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_sameaddrtype.3.html	Mon Jun  4 01:16:14 2001
@@ -269,6 +269,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:10 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_samesaid.3.html freeswan-1.9/doc/manpage.d/ipsec_samesaid.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_samesaid.3.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_samesaid.3.html	Mon Jun  4 01:16:14 2001
@@ -269,6 +269,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_samesubnet.3.html freeswan-1.9/doc/manpage.d/ipsec_samesubnet.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_samesubnet.3.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_samesubnet.3.html	Mon Jun  4 01:16:14 2001
@@ -269,6 +269,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_samesubnettype.3.html freeswan-1.9/doc/manpage.d/ipsec_samesubnettype.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_samesubnettype.3.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_samesubnettype.3.html	Mon Jun  4 01:16:14 2001
@@ -269,6 +269,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_satoa.3.html freeswan-1.9/doc/manpage.d/ipsec_satoa.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_satoa.3.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_satoa.3.html	Mon Jun  4 01:16:14 2001
@@ -336,6 +336,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_satot.3.html freeswan-1.9/doc/manpage.d/ipsec_satot.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_satot.3.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_satot.3.html	Mon Jun  4 01:16:14 2001
@@ -3,7 +3,7 @@
 Manpage of IPSEC_TTOSA
 
 
      IPSEC_TTOSA
      
-Section: C Library Functions (3)
      Updated: 15 Sept 2000
      Index
+Section: C Library Functions (3)
      Updated: 27 Feb 2001
      Index
 Return to Main Contents
      
 
 
@@ -96,8 +96,10 @@
 
 tun,
 
+comp,
+
 or
-comp),
+int),
 
 a single character indicating the address family
 (.
@@ -149,6 +151,29 @@
 so the internal representation is never visible.
 
      
 
+Similarly, the SA specifiers
+%pass,
+
+%drop,
+
+%reject,
+
+%hold,
+
+and
+%trap
+
+signify special ``magic'' SAs used to indicate that packets should be
+passed, dropped, rejected (dropped with ICMP notification),
+held,
+and trapped (sent up to
+ipsec_pluto(8))
+
+respectively.
+These forms too are known to both routines,
+so the internal representation of the magic SAs should never be visible.
+
      
+
 The
 <freeswan.h>
 
@@ -190,6 +215,48 @@
 
 
      
 
+<freeswan.h>
+
+also defines
+SA_INT
+
+to have the value
+61
+
+(reserved by IANA for ``any host internal protocol'')
+and
+SPI_PASS,
+
+SPI_DROP,
+
+SPI_REJECT,
+
+SPI_HOLD,
+
+and
+SPI_TRAP
+
+to have the values 256-260 (in host byte order) respectively.
+These are used in constructing the magic SAs
+(which always have address
+0.0.0.0).
+
+
      
+
+If
+satot
+
+encounters an unknown protocol code, e.g. 77,
+it yields output using a prefix
+showing the code numerically, e.g. ``unk77''.
+This form is
+not
+
+recognized by
+ttosa.
+
+
      
+
 The
 srclen
 
@@ -328,7 +395,7 @@
 satot
 
 are:
-unknown format; unknown protocol code.
+unknown format.
  
 
      HISTORY
      
 
@@ -375,6 +442,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_setportof.3.html freeswan-1.9/doc/manpage.d/ipsec_setportof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_setportof.3.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_setportof.3.html	Mon Jun  4 01:16:14 2001
@@ -138,6 +138,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_setup.8.html freeswan-1.9/doc/manpage.d/ipsec_setup.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_setup.8.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_setup.8.html	Mon Jun  4 01:16:14 2001
@@ -3,7 +3,7 @@
 Manpage of IPSEC_SETUP
 
 
      IPSEC_SETUP
      
-Section: Maintenance Commands (8)
      Updated: 28 Nov 2000
      Index
+Section: Maintenance Commands (8)
      Updated: 31 May 2001
      Index
 Return to Main Contents
      
 
 
@@ -64,7 +64,8 @@
 interface(s) specified in the configuration file,
 and (if the configuration file so specifies)
 setting up manually-keyed connections and/or
-asking Pluto to negotiate tunnels to other security gateways
+asking Pluto to negotiate automatically-keyed connections
+to other security gateways
 
      stop
 
 
      
@@ -79,6 +80,19 @@
 followed by
 start
 
+
      status
+
+
      
+report the status of the subsystem;
+normally just reports
+started
+
+or
+stopped
+
+and exits with status 0,
+but will go into more detail (and exit with status 1)
+if something strange is found.
 
 
      
 
@@ -88,6 +102,12 @@
 operation tries to clean up properly even if assorted accidents
 have occurred,
 e.g. Pluto having died without removing its lock file.
+If
+stop
+
+discovers that the subsystem is (supposedly) not running,
+it will complain,
+but will do its cleanup anyway before exiting with status 1.
 
      
 
 Although a number of configuration-file parameters influence
@@ -122,7 +142,13 @@
  
 
      DIAGNOSTICS
      
 
-All output from the commands this script invokes goes both to standard
+All output from the commands
+start
+
+and
+stop
+
+invoke goes both to standard
 output and to
 syslogd(8)
 
@@ -136,7 +162,7 @@
 
      HISTORY
      
 
 Written for the FreeS/WAN project
-<http://www.xs4all.nl/~freeswan/>
+<http://www.freeswan.org>
 by Henry Spencer.
  
 
      BUGS
      
@@ -147,6 +173,12 @@
 injected spurious extra newlines onto standard output.
 
      
 
+Startup failure is not consistently reported in the exit status.
+
      
+
+The normal status report probably should include Pluto's process ID.
+
      
+
 
      
  
      Index
      
 
      
@@ -163,6 +195,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_showdefaults.8.html freeswan-1.9/doc/manpage.d/ipsec_showdefaults.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_showdefaults.8.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_showdefaults.8.html	Mon Jun  4 01:16:14 2001
@@ -59,7 +59,7 @@
 
      HISTORY
      
 
 Written for the Linux FreeS/WAN project
-<http://www.xs4all.nl/~freeswan/>
+<http://www.freeswan.org>
 by Henry Spencer.
 
      
 
@@ -77,6 +77,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_showhostkey.8.html freeswan-1.9/doc/manpage.d/ipsec_showhostkey.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_showhostkey.8.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_showhostkey.8.html	Mon Jun  4 01:16:14 2001
@@ -3,7 +3,7 @@
 Manpage of IPSEC_SHOWHOSTKEY
 
 
      IPSEC_SHOWHOSTKEY
      
-Section: Maintenance Commands (8)
      Updated: 8 March 2001
      Index
+Section: Maintenance Commands (8)
      Updated: 22 May 2001
      Index
 Return to Main Contents
      
 
 
@@ -25,6 +25,10 @@
 --right
 
 ] [
+--txt
+
+gateway
+] [
 --file
 
 secretfile
@@ -67,6 +71,29 @@
 
      
 
 The
+--txt
+
+option causes the output to be in opportunistic-encryption DNS TXT record
+format,
+with the specified
+gateway
+
+value.
+Again, generation information is included if available.
+For example,
+--txt 10.11.12.13
+
+might give (with the key data trimmed for clarity):
+
      
+
+
      +  ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
+      IN TXT  "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"
+
      
+
+
      
+
+The
 --left
 
 and
@@ -124,7 +151,7 @@
 
      HISTORY
      
 
 Written for the Linux FreeS/WAN project
-<http://www.xs4all.nl/~freeswan/>
+<http://www.freeswan.org>
 by Henry Spencer.
  
 
      BUGS
      
@@ -142,6 +169,24 @@
 option, to generate a suitable output line.
 
      
 
+The need to specify the gateway address (etc.) for
+--txt
+
+is annoying, but there is no good way to determine it automatically.
+
      
+
+There should be a way to specify the priority value for TXT records;
+currently it is hardwired to
+10.
+
+
      
+
+Assumes there is only one RSA key in
+ipsec.secrets,
+
+which is common but not necessarily universal.
+
      
+
 
      
  
      Index
      
 
      
@@ -158,6 +203,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_sockaddrlenof.3.html freeswan-1.9/doc/manpage.d/ipsec_sockaddrlenof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_sockaddrlenof.3.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_sockaddrlenof.3.html	Mon Jun  4 01:16:14 2001
@@ -138,6 +138,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_sockaddrof.3.html freeswan-1.9/doc/manpage.d/ipsec_sockaddrof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_sockaddrof.3.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_sockaddrof.3.html	Mon Jun  4 01:16:14 2001
@@ -138,6 +138,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_spi.5.html freeswan-1.9/doc/manpage.d/ipsec_spi.5.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_spi.5.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_spi.5.html	Mon Jun  4 01:16:15 2001
@@ -291,6 +291,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:14 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_spi.8.html freeswan-1.9/doc/manpage.d/ipsec_spi.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_spi.8.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_spi.8.html	Mon Jun  4 01:16:15 2001
@@ -123,28 +123,6 @@
 --src
 
 src
---esp
-
-null-md5-96|null-sha1-96
-
-[
---replay_window
-
-replayw ]
---authkey
-
-akey
-
      
-
-ipsec
-
-spi
-
-<SA>
-
---src
-
-src
 --comp
 
 deflate
@@ -443,24 +421,6 @@
 akey
 
 (RFC2451, RFC2404)
-
      null-md5-96
-
-
      
-encryption using the identity transform with authentication
-provided by HMAC and MD5 (96-bit authenticator), using
-a 128-bit HMAC-MD5
-akey
-
-(RFC2410, RFC2403)
-
      null-sha1-96
-
-
      
-encryption using the identity transform with authentication
-provided by HMAC and SHA1 (96-bit authenticator), using
-a 160-bit HMAC-SHA1
-akey
-
-(RFC2410, RFC2404)
 
      --replay_window replayw
 
 
      
@@ -727,6 +687,9 @@
 
 
 
+
+
+
 
      
 
 
      
@@ -746,6 +709,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_spigrp.5.html freeswan-1.9/doc/manpage.d/ipsec_spigrp.5.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_spigrp.5.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_spigrp.5.html	Mon Jun  4 01:16:15 2001
@@ -185,6 +185,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_spigrp.8.html freeswan-1.9/doc/manpage.d/ipsec_spigrp.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_spigrp.8.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_spigrp.8.html	Mon Jun  4 01:16:15 2001
@@ -272,6 +272,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_subnetinsubnet.3.html freeswan-1.9/doc/manpage.d/ipsec_subnetinsubnet.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_subnetinsubnet.3.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_subnetinsubnet.3.html	Mon Jun  4 01:16:15 2001
@@ -269,6 +269,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_subnetishost.3.html freeswan-1.9/doc/manpage.d/ipsec_subnetishost.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_subnetishost.3.html	Tue Mar 27 23:17:11 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_subnetishost.3.html	Mon Jun  4 01:16:15 2001
@@ -269,6 +269,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_subnetof.3.html freeswan-1.9/doc/manpage.d/ipsec_subnetof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_subnetof.3.html	Tue Mar 27 23:17:12 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_subnetof.3.html	Mon Jun  4 01:16:15 2001
@@ -96,6 +96,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:11 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_subnettoa.3.html freeswan-1.9/doc/manpage.d/ipsec_subnettoa.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_subnettoa.3.html	Tue Mar 27 23:17:12 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_subnettoa.3.html	Mon Jun  4 01:16:15 2001
@@ -437,6 +437,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:12 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_subnettot.3.html freeswan-1.9/doc/manpage.d/ipsec_subnettot.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_subnettot.3.html	Tue Mar 27 23:17:12 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_subnettot.3.html	Mon Jun  4 01:16:15 2001
@@ -563,6 +563,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:12 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_subnettypeof.3.html freeswan-1.9/doc/manpage.d/ipsec_subnettypeof.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_subnettypeof.3.html	Tue Mar 27 23:17:12 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_subnettypeof.3.html	Mon Jun  4 01:16:15 2001
@@ -199,6 +199,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:12 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_tnatoaddr.3.html freeswan-1.9/doc/manpage.d/ipsec_tnatoaddr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_tnatoaddr.3.html	Tue Mar 27 23:17:12 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_tnatoaddr.3.html	Mon Jun  4 01:16:15 2001
@@ -563,6 +563,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:12 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_tncfg.5.html freeswan-1.9/doc/manpage.d/ipsec_tncfg.5.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_tncfg.5.html	Tue Mar 27 23:17:12 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_tncfg.5.html	Mon Jun  4 01:16:15 2001
@@ -54,13 +54,15 @@
 
      +
      
 the MTU of the ipsec virtual I/F,
 
      +
      
+the automatically adjusted effective MTU for PMTU discovery, in brackets,
+
      +
      
 a visual and machine parsable separator '->', separating the virtual I/F
 MTU and the physical I/F MTU,
 
      +
      
 the MTU of the attached physical I/F.
 .SHEXAMPLES
 
-
      ipsec2 -> eth3 mtu=16260 -> 1500
+
      ipsec2 -> eth3 mtu=16260(1443) -> 1500
 
 
      
 
      
@@ -76,10 +78,14 @@
 eth3
 
 with an MTU of
-1500.
+1500
+
+and that the effective MTU as a result of PMTU discovery has been
+automatically set to
+1443.
 
 
      
-
      ipsec0 -> wvlan0 mtu=1400 -> 1500
+
      ipsec0 -> wvlan0 mtu=1400(16260) -> 1500
 
 
      
 
      
@@ -95,10 +101,12 @@
 wvlan0
 
 with an MTU of
-1500.
+1500
 
+and no PMTU packets have gotten far enough to bump down the effective MTU
+from its default of 16260.
 
      
-
      ipsec3 -> NULL mtu=0 -> 0
+
      ipsec3 -> NULL mtu=0(0) -> 0
 
 
      
 
      
@@ -140,6 +148,9 @@
 
 
 
+
+
+
 
      
 
 
      
@@ -156,6 +167,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:12 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_tncfg.8.html freeswan-1.9/doc/manpage.d/ipsec_tncfg.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_tncfg.8.html	Tue Mar 27 23:17:12 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_tncfg.8.html	Mon Jun  4 01:16:15 2001
@@ -187,6 +187,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:12 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_ttoaddr.3.html freeswan-1.9/doc/manpage.d/ipsec_ttoaddr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_ttoaddr.3.html	Tue Mar 27 23:17:12 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_ttoaddr.3.html	Mon Jun  4 01:16:15 2001
@@ -563,6 +563,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:12 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_ttodata.3.html freeswan-1.9/doc/manpage.d/ipsec_ttodata.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_ttodata.3.html	Tue Mar 27 23:17:12 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_ttodata.3.html	Mon Jun  4 01:16:15 2001
@@ -372,6 +372,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:12 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_ttosa.3.html freeswan-1.9/doc/manpage.d/ipsec_ttosa.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_ttosa.3.html	Tue Mar 27 23:17:12 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_ttosa.3.html	Mon Jun  4 01:16:15 2001
@@ -3,7 +3,7 @@
 Manpage of IPSEC_TTOSA
 
 
      IPSEC_TTOSA
      
-Section: C Library Functions (3)
      Updated: 15 Sept 2000
      Index
+Section: C Library Functions (3)
      Updated: 27 Feb 2001
      Index
 Return to Main Contents
      
 
 
@@ -96,8 +96,10 @@
 
 tun,
 
+comp,
+
 or
-comp),
+int),
 
 a single character indicating the address family
 (.
@@ -149,6 +151,29 @@
 so the internal representation is never visible.
 
      
 
+Similarly, the SA specifiers
+%pass,
+
+%drop,
+
+%reject,
+
+%hold,
+
+and
+%trap
+
+signify special ``magic'' SAs used to indicate that packets should be
+passed, dropped, rejected (dropped with ICMP notification),
+held,
+and trapped (sent up to
+ipsec_pluto(8))
+
+respectively.
+These forms too are known to both routines,
+so the internal representation of the magic SAs should never be visible.
+
      
+
 The
 <freeswan.h>
 
@@ -190,6 +215,48 @@
 
 
      
 
+<freeswan.h>
+
+also defines
+SA_INT
+
+to have the value
+61
+
+(reserved by IANA for ``any host internal protocol'')
+and
+SPI_PASS,
+
+SPI_DROP,
+
+SPI_REJECT,
+
+SPI_HOLD,
+
+and
+SPI_TRAP
+
+to have the values 256-260 (in host byte order) respectively.
+These are used in constructing the magic SAs
+(which always have address
+0.0.0.0).
+
+
      
+
+If
+satot
+
+encounters an unknown protocol code, e.g. 77,
+it yields output using a prefix
+showing the code numerically, e.g. ``unk77''.
+This form is
+not
+
+recognized by
+ttosa.
+
+
      
+
 The
 srclen
 
@@ -328,7 +395,7 @@
 satot
 
 are:
-unknown format; unknown protocol code.
+unknown format.
  
 
      HISTORY
      
 
@@ -375,6 +442,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:12 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_ttosubnet.3.html freeswan-1.9/doc/manpage.d/ipsec_ttosubnet.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_ttosubnet.3.html	Tue Mar 27 23:17:13 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_ttosubnet.3.html	Mon Jun  4 01:16:15 2001
@@ -563,6 +563,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:13 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_ttoul.3.html freeswan-1.9/doc/manpage.d/ipsec_ttoul.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_ttoul.3.html	Tue Mar 27 23:17:13 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_ttoul.3.html	Mon Jun  4 01:16:15 2001
@@ -305,6 +305,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:13 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_ultoa.3.html freeswan-1.9/doc/manpage.d/ipsec_ultoa.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_ultoa.3.html	Tue Mar 27 23:17:13 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_ultoa.3.html	Mon Jun  4 01:16:15 2001
@@ -255,6 +255,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:13 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_ultot.3.html freeswan-1.9/doc/manpage.d/ipsec_ultot.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_ultot.3.html	Tue Mar 27 23:17:13 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_ultot.3.html	Mon Jun  4 01:16:15 2001
@@ -305,6 +305,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:13 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_unspecaddr.3.html freeswan-1.9/doc/manpage.d/ipsec_unspecaddr.3.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_unspecaddr.3.html	Tue Mar 27 23:17:13 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_unspecaddr.3.html	Mon Jun  4 01:16:15 2001
@@ -161,6 +161,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:13 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_version.5.html freeswan-1.9/doc/manpage.d/ipsec_version.5.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_version.5.html	Tue Mar 27 23:17:13 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_version.5.html	Mon Jun  4 01:16:16 2001
@@ -95,6 +95,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:13 GMT, March 28, 2001
+Time: 05:16:15 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/manpage.d/ipsec_whack.8.html freeswan-1.9/doc/manpage.d/ipsec_whack.8.html
--- freeswan-1.9.orig/doc/manpage.d/ipsec_whack.8.html	Tue Mar 27 23:17:13 2001
+++ freeswan-1.9/doc/manpage.d/ipsec_whack.8.html	Mon Jun  4 01:16:16 2001
@@ -594,12 +594,16 @@
 identity defaults to the IP address specified by --host.
 
 
      --host ip-address
      
+
      --host %any
      
+
      --host %opportunistic
      
 the IP address of the end (generally the public interface).
 If pluto is to act as a responder
 for IKE negotiations initiated from unknown IP addresses (the
 ``Road Warrior'' case), the
 IP address should be specified as %any (currently,
 the obsolete notation 0.0.0.0 is also accepted for this).
+If pluto is to opportunistically initiate the connection,
+use %opportunistic
 
      --ikeport port-number
      
 the UDP port that IKE listens to on that host.  The default is 500.
 (pluto on this machine uses the port specified by its own command
@@ -703,7 +707,8 @@
 
 If none of the --encrypt, --authenticate, --compress,
 or --pfs flags is given, the initiating the connection will
-only build an ISAKMP SA.
+only build an ISAKMP SA.  For such a connection, client subnets have
+no meaning and must not be specified.
 
      
 
 More work is needed to allow for flexible policies.  Currently
@@ -761,6 +766,8 @@
 virtual interface.
 Once routing is set up, no packets will be
 sent ``in the clear'' to the peer's client specified in the connection.
+A TRAP shunt eroute will be installed; if outbound traffic is caught,
+Pluto will initiate the connection.
 An explicit whack route is not always needed: if it hasn't been
 done when an IPsec SA is being installed, one will be automatically attempted.
 
      
@@ -1642,6 +1649,6 @@
 This document was created by
 man2html,
 using the manual pages.
      
-Time: 04:17:13 GMT, March 28, 2001
+Time: 05:16:16 GMT, June 04, 2001
 
 
diff -bruN freeswan-1.9.orig/doc/opportunism.howto freeswan-1.9/doc/opportunism.howto
--- freeswan-1.9.orig/doc/opportunism.howto	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/opportunism.howto	Sun Jun  3 13:32:36 2001
@@ -0,0 +1,357 @@
+FreeS/WAN Opportunism HowTo
+===========================
+
+RCSID $Id: opportunism.howto,v 1.5 2001/06/03 17:32:36 dhr Exp $
+
+D. Hugh Redelmeier
+
+
+FreeS/WAN, the LINUX IPSEC implementation, is intended to allow
+systems to connect through secure tunnels without prearrangement.
+This HowTo is intended to be a guide to setting up a system to enable
+this feature, which we call opportunism.  Much more information about
+FreeS/WAN is provided at http://www.freeswan.org.
+
+You are expected to already have built and used FreeS/WAN.  This
+document is only intended to describe the support for opportunism
+after release 1.9.
+
+For a more complete description of the design of Opportunism, see our
+paper "Opportunistic Encryption".
+
+
+Theory
+======
+
+If opportunism is enabled, a Security Gateway running FreeS/WAN will
+intercept the first outbound packet to a particular destination (IP
+address), and try to negotiate a security tunnel suitable for traffic
+to that destination.  Note that throughout this document, the term
+"Security Gateway" is meant to include a machine that is protecting
+its own traffic.
+
+To make this work going the other way, the Security Gateway must be
+willing to negotiate with peers trying to protect traffic initiated
+from their side.
+
+The first novel problem is that our Security Gateway needs to discover
+the IP address of the other Security Gateway for the packet that
+prompted the negotiation.  Oh, and quickly discover if there is none
+-- that negotiation will be impossible.
+
+The second novel problem is that our Security Gateway needs to
+authenticate the other Security Gateway.  This authentication needs to
+ensure that the other Security Gateway is who it claims to be AND that
+it is authorized to represent the client for which it claims to be the
+gateway.
+
+The roles in a particular negotiation are:
+     Source----Initiator----...----Responder----Destination
+
+The Source and Destination are endpoints of the traffic that is to be
+protected.  The Source is the one that happened to send the first
+packet of traffic.  Neither needs to be aware of IPSEC or FreeS/WAN.
+That is the job of their respective Security Gateways, Initiator and
+Responder.  The names "Initiator" and "Responder" match those used in
+the IPSEC standards.  It is quite possible for Source and Initiator to
+be the same machine; similarly, Destination and Responder could be the
+same.  All traffic from Source or Destination must flow through their
+Security Gateways if it is to be considered for protection.  These
+roles are fluid -- they can be different for each negotiation.
+
+We use the DNS (the Domain Name System) as a distributed database to
+hold the required information.
+
+
+DNS Records Required
+====================
+
+See section 2.3 of "Opportunistic Encryption" for a fuller
+explanation.
+
+Generally, we need to add records to the reverse-map DNS entries for
+the client machine and the Security Gateway machine.  There are
+special cases that are exceptions.
+
+A Security Gateway that is going to initiate an Opportunistic
+negotiation needs to provide a way for the Responding SG to find a
+public key for the Initiator to allow authentication.  This is
+accomplished by putting the public key in a KEY record in the
+reverse-map of the Initiator.  Conveniently, the KEY record can
+be generated by the ipsec_showhostkey(8) command.  All you need to
+do is copy the output of the command
+	ipsec showhostkey
+into the zone information for the reverse-map.  Here is an example,
+with many characters of the key itself left out:
+
+	; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
+	xy.example.com.   IN   KEY   0x4200 4 1 AQOF8tZ2...+buFuFn/
+
+Each client that is to be protected by Opportunistic Encryption must
+include a special TXT record in its reverse-map.  The
+ipsec_showhostkey(8) command is willing to do this too.  Remember:
+this command must be run on the Security Gateway where the
+ipsec.secrets file resides.  In this case, you must tell the command
+what IP address to in the TXT record:
+	ipsec showhostkey --txt 10.11.12.13
+might produce the output:
+	; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
+	IN TXT  "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"
+
+- the quotes matter: this is a single string, as far as DNS is concerned
+
+- the X-IPsec-Server is a prefix that signifies that the TXT record
+  contains Opportunism configuration information
+
+- the (10) specifies a precedence for this record.  This is similar
+  to MX record preferences.  Lower numbers have stronger preference.
+
+- 10.11.12.13 specifies the IP address of the Security Gateway for
+  this machine.
+
+- AQOF8tZ2...+buFuFn/ is the (shortened) encoding of the RSA Public
+  key of the Security Gateway.
+
+This output must be added to the zone information for the reverse-map
+for each client machine.  This gets a bit dull and repetitive.
+
+Unfortunately, not every administrator has control over the contents
+of the reverse-map.  The only case where we can work around this is
+where the Initiator has no suitable reverse map (but the Source
+must!).  In this case, the Source's TXT record gives @FQDN ("Fully
+Qualified Domain Name") in place of its Security Gateway's IP address.
+This FQDN must match the ID-payload used by the Initiator.
+Furthermore, a forward lookup for a KEY record on the FQDN must yield
+the Initiator's public key.  Obscure fact: the forward lookup is only
+done by a Responder, and then only when the Initiator's ID payload
+specifies the FQDN.  There is no provision for a Responder with no
+control over its reverse-map.
+
+DNS changes sometimes take a long time to propagate.
+
+
+Configuring FreeS/WAN
+=====================
+
+To enable opportunism, you must include a suitable conn in
+/etc/ipsec.conf and you must enable it.
+
+A suitable conn looks like an ordinary conn.  It more closely resembles
+a Road Warrior conn (one that has a wildcard %any specified as the
+other Security Gateway).  But in this case, both the other Security
+Gateway AND its client are unknown.
+
+conn ours-to-anyone	# for our client subnet
+	leftsubnet=10.3.2.1.0/24	# any single client in our subnet
+	also=us-to-anyone	# rest is same as for SG
+
+conn us-to-anyone	# for our Security Gatway
+	left=%defaultroute	# our SG (defaults leftnexthop too)
+	right=%opportunistic
+
+(%defaultroute only works if you have specified
+interfaces=%defaultroute.  Since this isn't the topic of the howto,
+you will have to look at the other documentation to find out how to
+handle other cases.)
+
+You can have any number of opportunistic conns, but generally it only
+makes sense to have one for each client subnet and one for the
+Security Gateway itself.
+
+Currently only one interface may be used for opportunism: Pluto knows
+nothing about routing, so would be unable to choose amongst several.
+Almost certainly our side's nexthop must be predetermined
+(%defaultroute will do that).
+
+Note: the routing done for outbound Opportunism will catch any packets
+not covered by a more specific route.  This is what you want for
+packets that are also covered by an eroute.  But packets caught by the
+route and not an eroute will be subject to the no-eroute policy of
+KLIPS, which defaults to %drop.
+
+To enable these conns for inbound opportunistic negotiation, it must be
+--added:
+	ipsec auto --add us-to-anyone
+	ipsec auto --add ours-to-anyone
+If you want this automatically done on startup, put
+	auto=add
+in the us-to-anyone conn.
+
+To enable these conns for outbound opportunistic negotiation, it must
+be both --added and --routed.  Outbound packets will then be trapped
+and will trigger negotiation:
+	ipsec auto --add us-to-anyone
+	ipsec auto --add ours-to-anyone
+	ipsec auto --route us-to-anyone
+	ipsec auto --route ours-to-anyone
+If you want this automatically done on startup, put
+	auto=route
+in the us-to-anyone conn (this feature may be renamed in the future).
+
+
+Getting DNS Through
+===================
+
+There is a serious chicken-and-egg problem.  Outbound Opportunism blocks
+communication with an IP address until it discovers whether that IP
+address can have an IPSEC connection negotiated.  This discovery takes
+DNS queries.  These DNS queries might involve communicating with
+arbitrary IP addresses.  Thus we require DNS queries to succeed before
+any communication succeeds, including those same DNS queries!  The way
+out of this conundrum is to exempt at least some DNS query IP traffic
+from Opportunism.
+
+There are several possible solutions, all of which have advantages and
+disadvantages.
+
+1. If you use a single machine, outside your Security Gateway, as DNS
+server, you can build a clear path (or even an IPSEC tunnel, but not
+opportunistically) directly to that machine.
+
+- you could use a type=passthrough conn to provide a clear path
+  between your machine and the DNS machine.
+
+- you could explicitly create an IPSEC connection to your DNS server.
+  Just be sure that it need not access DNS to find the IP addresses
+  or RSA public keys.
+
+- you could install an explicit route to the DNS machine through
+  your public interface (not ipsecN).  This will bypass KLIPS
+  processing.  You might have to adjust your firewall.  For example:
+  	route add host -net ns.example.com gw gw.example.com dev eth1
+
+2. Generally, it is better to run DNS on your Security Gateway.  This
+leads to a need for non-opportunistic paths to an arbitrary number of
+DNS servers in the internet.  One way to accomplish this is to NOT
+have outbound opportunism cover the SG itself, but only the subnet
+behind it.  In other words, leave out the 
+	ipsec auto --route us-to-anyone
+You must also add a type=passthrough eroute specifically for
+us-to-anyone (without this, the traffic will be handled by the KLIPS
+no-eroute policy).
+
+3. It is actually possible to use a single machine inside your client
+subnet as a DNS server.  The techniques listed in 1 could be used to
+let it communicate with other DNS servers without interference.  This
+might have advantages over 1 if the DNS machine *only* did DNS.
+Another technique (not often possible or reasonable) is to give this
+machine another route to the internet, one that avoids the SG.
+
+We would like to have better solutions.  Perhaps we will in the
+future.  Suggestions are welcome.
+
+
+Figuring out what is going on
+=============================
+
+Since Opportunism lets your SG operate with less supervision, you may
+be puzzled by what it is up to.  The usual tools exist, but their use
+is more important.  I like to use
+	ipsec auto --status
+and also to examine the kernel's eroute table.
+
+The "file" /proc/net/ipsec_eroute contains a description of all the
+eroutes in the kernel (see also ipsec_look(8)).  Here is an example:
+
+10         10.3.2.1.0/24    -> 0.0.0.0/0          => %trap
+259        10.3.2.1.115/32  -> 10.19.75.161/32    => tun0x1002@10.19.75.145
+71         10.44.73.97/32   -> 0.0.0.0/0          => %trap
+4119       10.44.73.97/32   -> 10.114.121.41/32   => %pass
+
+You read each line as: a packet from within the first subnet, destined
+for the second subnet, will be processed by the Security Association
+Identity (SAID) specified last.  The first column is the number of
+(outbound) packets processed by this eroute.
+
+For shunt eroutes, the SAID is printed as just the type of shunt:
+%pass	pass the packet through with no processing
+%drop	discard the packet
+%reject	discard the packet and notify sender
+%hold	keep the last packet; discard others
+%trap	cause any trapped packet to generate a PF_KEY ACQUIRE
+	to request negotiation; install a corresponding %hold
+	shunt and attach this packet to the %hold
+
+For other eroutes, the SAID is printed as a triple: protocol (three
+letters), SPI (32-bit number in hex), and destination IP address.
+Protocols include:
+
+tun	IP in IP encapsulation (used for most tunnels)
+esp	ESP encapsulation -- part of an IPSEC SA group
+ah	AH packet authentication -- part of an IPSEC SA group
+
+So, looking at our sample eroutes:
+
+10         10.3.2.1.0/24    -> 0.0.0.0/0          => %trap
+
+	This is a TRAP (int0x104) shunt eroute.  It was installed by
+	Pluto so that it can catch all traffic from its client subnet
+	to the world at large.  Ten outbound packets have been trapped.
+
+259        10.3.2.1.115/32  -> 10.19.75.161/32    => tun0x1002@10.19.75.145
+
+	This is a tunnel eroute: packets from 10.3.2.1.115 (within
+	our client subnet) going to 10.19.75.161 will be encrypted
+	and sent to the peer SG 10.19.75.145.  This was the product
+	of an Opportunistic negotiation (a hint is that each client
+	subnet has only one member).  259 packets have been sent
+	through this tunnel.
+
+71         10.44.73.97/32   -> 0.0.0.0/0          => %trap
+
+	This is another TRAP shunt eroute.  It is to catch traffic
+	from the Security Gateway to the world.  It has caught
+	71 outbound packets.
+
+4119       10.44.73.97/32   -> 10.114.121.41/32   => %pass
+
+	This is a %pass (0x100) shunt eroute.  It was installed when an
+	attempted Opportunistic negotiation failed because the reverse
+	domain of 10.114.121.41 had no suitable TXT record.  4119
+	outbound packets have been passed.
+
+
+Important Limitations
+=====================
+
+Pluto's DNS lookup is synchronous (single-threaded).  Not only does
+this slow things down, but it turns out that in extreme cases where
+there are a lot of ACQUIRE messages from KLIPS at once, some of those
+messages can be lost and communications will be blocked by the %hold
+eroute that Pluto doesn't know about.  Pluto now looks every 2 minutes
+for any %holds that it missed.
+
+DNS lookup is not verified -- we don't use Secure DNS.  A spoofed DNS
+could compromise Opportunism.
+
+There are several new opportunities for Denial of Service attacks.
+For example, a Bad Guy could spray our system with pings with forged
+source addresses.  For each unique source address, our system would do
+a (synchronous!) DNS lookup.
+
+Once a %pass eroute is added for a failed negotiation, it will stay
+until it has been inactive for about 15 minutes.  The only activity
+that counts is outbound -- not surprising since a %pass only affects
+outbound traffic.
+
+If a destination's DNS entry specifies the information we need for
+negotiation, Pluto will not let communications proceed without
+negotiating a Security Tunnel.
+
+There is currently no way to tear down a tunnel that is no longer in
+use.  To add insult to injury, when the lifetime is about to be
+exceeded, the initiating Pluto will rekey!  Restarting will clear
+these out.
+
+If one side of a Security Tunnel restarts, but doesn't initiate
+negotiation with the other side, the other side will not be able to
+communicate with it until it thinks the tunnel needs rekeying due to
+lifetime.
+
+KLIPS does not implement inbound policy checking.  This means that a
+message from one peer can be forged by another peer.  So you ought not
+to trust information more just because it appears to have come from a
+source covered by a Security Tunnel.  This makes it difficult to
+safely combine a VPN with Opportunism.
+
+It isn't clear what firewall policies make sense with Opportunism.
diff -bruN freeswan-1.9.orig/doc/pkix/CA-regenerate-flatfile.sh freeswan-1.9/doc/pkix/CA-regenerate-flatfile.sh
--- freeswan-1.9.orig/doc/pkix/CA-regenerate-flatfile.sh	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/CA-regenerate-flatfile.sh	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,20 @@
+#!/bin/sh
+if [ -d /var/lib/ssl ]; then
+  cd /var/lib/ssl
+elif [ -d /usr/lib/ssl ]; then
+  cd /usr/lib/ssl
+elif [ -d /usr/local/lib/ssl ]; then
+  cd /usr/local/lib/ssl
+elif [ -d /usr/share/ssl ]; then
+  cd /usr/share/ssl
+else
+  echo "ERROR: Cannot determine location of ssl directory."
+  exit 1
+fi
+
+for ii in certs/*.pem cacert.pem crl.pem;
+do
+  cat $ii | \
+  perl -e '$printme = 0; while (<>) { if (/---BEGIN/) {$printme = 1;}; if ($printme) {print STDOUT $_;} }; print STDOUT "\n";' \
+  >> flatfile.txt
+done
diff -bruN freeswan-1.9.orig/doc/pkix/README.certificates freeswan-1.9/doc/pkix/README.certificates
--- freeswan-1.9.orig/doc/pkix/README.certificates	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/README.certificates	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,452 @@
+	     Readme for certificate setup under FreeS/WAN
+
+			     Neil Dunbar
+			  5th November, 1999
+
+The certificate patches are (almost) always against the most recent
+snapshots available from
+ftp://ftp.xs4all.nl/~freeswan/snapshot.tar.gz. The patches are
+available from ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz.
+
+The patches count on your having OpenSSL-0.9.3 or above installed on
+your system. Check out http://www.openssl.org for details on how to
+get OpenSSL. NB: the patches will *not* work on OpenSSL-0.9.2 or
+below.
+
+1. Applying the patches
+
+To apply the patches, cd to the build directory for the snapshot,
+which is generally freeswan-snap1999MonthDayb, and untar the
+pluto-openssl.tar.gz.
+
+Then type 'patch -p0 < pluto.diff', followed by 'patch -p0 <
+utils.diff'.
+
+2. Building and Installing FreeS/WAN
+
+Go to the pluto directory in the snapshot source directory, and edit
+the Makefile. Find the line OPENSSLROOT=.... and change the value of
+that variable to be the location of where you have installed the
+includes and libraries for OpenSSL. By default this is set to
+/usr/local/ssl.
+
+After that, build the system as per the FreeS/WAN installation notes.
+
+Installation, similarly, is no different to the normal method.
+
+3. Configuring FreeS/WAN
+
+In order to allow Pluto to use digital signatures, rather than
+preshared secrets to generate key material for IPsec, there are
+several options within the connection section of the file
+/etc/ipsec.conf which need to be set.
+
+For examples, we assume the host to host connection as follows
+
+	      west === westhop ...... easthop ==== east
+
+3.1 certfile
+
+The certfile setting should be set to the full path name of the file
+which contains the certificate whose private key will be used to
+perform the digital signatures. This file must be set in order for
+pluto to send the certificate to the other side, if requested. The
+certificate can  be in PEM or DER format.
+
+Example : /etc/ipsec/west.certificate.pem
+
+3.2 keyfile
+
+This setting should be set to the full path name to the file which
+contains the key which will be used to perform the digital
+signature.
+
+The key file can be stored in several formats, but at the moment, only
+unencrypted private keys can be used. If you use an encrypted one, the
+key load will fail, and signature/public key modes will cease to be
+available.
+
+The key files can be stored in DER or PEM format, using the OpenSSL
+private key format, which is specific to OpenSSL. Alternatively, the
+key can be stored in PKCS-8 format, which is system independent. The
+problem is that, for the moment, the OpenSSL key generation
+applications only store keys in OpenSSL format. To convert a key file
+into PKCS-8 form, use the following command (assuming that the file
+key.pem stores the OpenSSL private key in PEM format).
+
+openssl -nocrypt -topk8 -in key.pem -inform PEM -outform DER \
+	-out key.pk8
+
+(If the original key is in DER format, change '-inform PEM' to
+'-inform DER'. Similarly, if you want a PEM PKCS-8 file, change
+'-outform DER' to '-outform PEM).
+
+The key can be either an RSA or DSA key. Note that if an RSA key is
+loaded, DSS signature modes will not be offered (or accepted) from the
+other side. Similarly, a DSA key will prevent RSA modes from being
+selected.
+
+Example : /etc/ipsec/west.key.pk8
+
+3.3 peerfile
+
+This option is obsolete. It used to specify the path to certificates
+used to start public key authentication mode. This function has been
+subsumed by the certpath option.
+
+Do not use peerfile any more.
+
+3.4 certpath
+
+This gives a comma separated list of maps (see README.xmap) which can
+be used to look up certificates and/or CRLs by specifying their
+subject names, issuer names and such like.
+
+At the moment, the XMAP types are file, dir, db, ldap.
+
+Example : ldap:/etc/ldap.conf:ldap_ipsec,dir:/etc/ipsec
+
+(The first item specifies an LDAP directory lookup, whose details are
+specified in the file /etc/ldap.conf, and the identifier of which LDAP
+lookup to use within that file is 'ldap_ipsec'. The second specifies a
+local directory called /etc/ipsec, which should have files and
+symbolic links which index the relevant certificates in the
+directory).
+
+For the format of ldap files, and certificate directories, read the
+file README.xmap.
+
+3.5 certopts
+
+This setting is a comma separated list which gives a set of switches
+which control the behaviour of the public key encryption/signatures
+within pluto.
+
+To set an option in the list, one simply includes its name.
+
+To clear an option in the list, one includes its name, with a '!'
+symbol before the name.
+
+Example : !send,!pkcs7,!pk,strict,dss-sha,dss-alt
+
+The example means: turn ON the options 'strict', 'dss-sha' and
+'dss-alt', but turn OFF the options 'send', 'pkcs7' and 'pk'.
+
+The options are as follows
+
+3.5.1 'send'
+
+Set this option if you want your side of the connection to send its
+certificate to the other side as part of the main mode
+negotiations. This certificate must be in the set of certificates
+which the other side is expecting on this connection.
+
+3.5.2 'pkcs7'
+
+***NOT IMPLEMENTED YET***
+
+When sending a certificate, if this option is set, a PKCS7 encoding
+for the certificate will be chosen. If not set, a standard DER
+encoding of the X.509 certificate will be used.
+
+3.5.3 'pk'
+
+When choosing between digital signature and public key encryption
+ISAKMP methods, this option forces pluto to select public key
+encryption. If not set, pluto will choose digital signature methods.
+
+Note that this option used to be called 'rsa', but this name makes
+little sense, since both RSA and El Gamal encryption methods are
+selected by this option.
+
+3.5.3 'rev'
+
+If using public key encryption for Phase 1 negotiations, this option
+makes pluto prefer to use the revised mode method, rather than the
+standard public key mode. Revised public key mode uses fewer public
+key encryptions and transmits fewer bytes in the protocol (since
+public key ciphertexts are much larger than their symmetric key
+counterparts). Probably not a bad idea to use this one all the time if
+you want ID protection.
+
+3.5.4 'strict'
+
+This option forces verification to be very strict on the acceptability
+of certificates from the peer. If 'strict' mode is on, the following
+conditions must apply to the peer's certificate --
+
+1. For every signing certificate in the chain up to the root CA
+   certificate a valid CRL *must* be present. If a CRL is not
+   available, or the CRL is not valid (badly signed, expired, etc),
+   the verification of the certificate will fail.
+
+2. The name on the certificate must bear some relation to the name of
+   the peer, as given in the ISAKMP ID field. Assuming that the name
+   of the peer is an IPv4 address, which is the only supported one,
+   then the Common Name on the subject of the certificate must start
+   with the fully qualified domain name of the peer. Failing that, the
+   subjectAltName extension must contain an entry of type IP, which is
+   equal to the IP address given as the peer's name, or it must
+   contain an entry of type DNS, which must be equal to the name of
+   the resoved FQDN of the IP address given as the peer's name. If any
+   of these conditions are met, the certificate will be accepted. If
+   none of these conditions succeed, the verification will fail.
+
+If strict mode is not set, and these conditions fail, then debugging
+warnings will be logged, but verification will succeed. Be warned that
+this makes the setup less secure than would strict mode.
+
+3.5.5 'dss-sha'
+
+RFC2409 stipulates that the DSS signature method requires the output
+of a SHA1 hash to sign and send to the other side. It does not say
+whether this hash is a keyed one (eg HMAC) or unkeyed (ie plain SHA1).
+
+A subsequent document, draft-ietf-ipsec-ike-01.txt, given a formula
+for the plain SHA1 output. However, as Tero Kivinen of SSH has pointed
+out, most implementations of IKE use the standard HMAC method.
+
+This option forces pluto to use the plain SHA1 method outlined in the
+draft document. Clearing this option forces the HMAC method to be
+used.
+
+3.5.6 'dss-alt'
+
+RFC2409 stipulates that the encoding of a DSS signature should be 'r
+followed by s'. It does not say what format this should take. ANSI
+document X9.30 states that DSS output should be the DER encoding of
+the ASN.1 construct -
+
+ SEQUENCE {
+  r INTEGER;
+  s INTEGER;
+ };
+
+This puts some wrapper bytes around the 160 bit integers r and s, so
+that the signature is some 45-48 bytes long (depending on leading
+zeros within the integers).
+
+draft-ietf-ipsec-ike-01.txt states that the signature should be a
+single 320 bit string, with r occupying the first 160 bits and s
+occupying the next 160, without wrappers, such that all signatures are
+exactly 40 bytes long.
+
+By using the 'dss-alt' option, pluto is forced into the draft document
+mode of operation. By clearing it, the X9.30 implementation is used.
+
+4. Creating the certificates
+
+This section summarises the far more useful guide within the OpenSSL
+documentation, but should serve to generate the certificates and keys
+required for a connection. The document assumes that OpenSSL has been
+compiled and installed in /usr/local/ssl. Furthermore, it assumes that
+that configuration file for OpenSSL is stored in
+/usr/local/ssl/lib/openssl.cnf. If this is not the case, all 'openssl
+' entries should be replaced by 'openssl  -config
+/path/to/openssl.cnf'.
+
+I am heavily indebted to Peter Onion of BT Labs for his efforts to
+debug and clarify this documentation. Peter: Your efforts are much
+appreciated.
+
+NB: This isn't the "correct" way to generate certs/CRLs. It's just my
+own recipe (largely from memory - it's been a while!) for doing
+so. It's not efficient, and you really should read the OpenSSL docs
+for better guidance.
+
+4.1 Edit openssl.cnf
+
+Ensure that the following settings for the CA_default section are more
+or less as follows -
+
+dir             = /usr/local/ssl
+certs           = $dir/certs
+crl_dir         = $dir/crl
+database        = $dir/index.txt
+new_certs_dir   = $dir/newcerts
+ 
+certificate     = $dir/cacert.pem
+serial          = $dir/serial
+crl             = $dir/crl.pem
+private_key     = $dir/private/cakey.pem
+RANDFILE        = $dir/private/.rand
+
+Fill in the default fields (country, organization, etc) as seems right
+for your setup.
+
+Create a file ca.ext containing the following -
+
+-----------------------------------
+# Extensions for a typical CA - PKIX recommendation.
+ 
+subjectKeyIdentifier=hash
+ 
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true 
+keyUsage = cRLSign, keyCertSign
+nsCertType = sslCA, emailCA
+subjectAltName=email:copy
+----------------------------------
+
+4.2 Make the CA certificate
+
+Go to the directory /usr/local/ssl
+
+Generate your CA cert by the usual method
+
+openssl req -new -newkey rsa:1024 \
+  -keyout /usr/local/ssl/private/cakey.pem \
+  -out careq.pem
+
+Now sign the CA cert, citing the extensions for [v3_ca]
+
+openssl x509 -CAcreateserial -signkey private/cakey.pem -req \
+  -in careq.pem -out cacert.pem -days 2000 -extfile ca.ext
+
+This creates the self signed certificate which can be used to sign
+further certificates. Ensure that this cacert.pem file is made widely
+available to all hosts which will communicate via IPsec.
+
+4.3 Make an empty certificate database
+
+Execute the following commands, whilst in the directory /usr/local/ssl
+
+touch index.txt
+
+echo "01" > serial
+
+This creates the database, and starts issued certificates with the
+serial number starting at 1.
+
+4.4 Generate a CRL
+
+Use the command
+
+openssl ca -gencrl -out crl.pem
+
+to generate an (initially empty) CRL.  You should always have a
+current CRL, even if nothing has been revoked, since that proves
+*actively* that no certificates have been cancelled. Without a CRL,
+you are forced into the assumption that no certificates have been
+revoked.
+
+The CRL is placed in /usr/local/ssl/crl.pem. Distribute this file to
+all hosts holding the cacert.pem file. (Or, if you have an LDAP
+directory handy, publish the CRL there, so that all hosts can contact
+it).
+
+4.5 Generate the host certificate requests.
+
+On each host, generate a key and certificate request with the
+following command (I'll assume that ipsec certificates are in the
+directory /etc/ipsec, which must exist beforehand).
+
+I'll assume that the host is called foo, and lives in .mydomain.com,
+and has IP address aa.bb.cc.dd.
+
+openssl req -new -newkey rsa:1024 \
+  -nodes -keyout /etc/ipsec/foo.key -out foo.req.pem
+
+Fill in the fields for the subject name, and ensure that the common
+name section is set to 'foo.mydomain.com IPsec certificate #1', or
+some such thing - either way, it should start with foo.mydomain.com.
+
+See section 3.2 (keyfile) on converting private key files to the
+standard PKCS-8 format (which pluto can also understand). If you do
+this, you can delete the original private key file 'foo.key', once you
+have a PKCS-8 equivalent of it.
+
+Change the file permissions on foo.key to be 400 - Owner read only,
+and change to owner to be root.
+
+Transport the file foo.req.pem to the host which will sign certificate
+requests. This should be done via some secure method of
+transmission. In an ideal setup, your CA host shouldn't be connected
+to any network at all - but that's a site specific decision)
+
+4.6 Sign the certificate requests.
+
+On the CA host, edit the openssl.cnf file such that there is a section
+[svr_cert] at the bottom of the file with the following contents. 
+
+[ svr_cert ]
+basicConstraints=CA:FALSE
+nsCertType = server
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+nsComment = $ENV::NSCOMMENT
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+subjectAltName=email:copy,DNS:$ENV::HOSTFQDN,IP:$ENV::HOSTIP
+issuerAltName=issuer:copy       
+
+If this is not already done, alter the x509_extensions in the
+[CA_default] section such that it looks like -
+
+x509_extensions = $ENV::EXTENSION
+
+Now sign the request with the wrapper script 'signIPSEC', which
+is produced below. The script was written by Peter Onion.
+
+-----------------8<-------CUT HERE------8<----------------------------
+#! /bin/bash
+
+# Simple wrapper for "openssl ca" that sets environment to pass in
+# values for the svr_cert extension
+# P.J.Onion  23/9/1999
+
+if test $# -ne 3 ; then
+        echo "Usage: signIPSEC hostname ipaddress reqfile"
+        exit 1
+fi
+
+
+HOSTFQDN=$1
+HOSTIP=$2
+NSCOMMENT="IPsec Certificate for $1"
+EXTENSION=svr_cert
+
+export HOSTFQDN HOSTIP NSCOMMENT EXTENSION
+# Change /usr/local/ssl to be the directory in which OpenSSL
+# is installed.
+
+/usr/local/ssl/bin/openssl ca -in $3
+
+-----------8<----------CUT TO HERE --------8<-------------------------
+
+
+In the case above, you would do
+
+signIPSEC foo.mydomain.com 192.168.1.5 foo.req
+
+(assuming that foo.mydomain.com has the IP address 192.168.1.5, and
+that foo.req contains the PEM certificate request).
+
+Check the details that it prints, and commit the new certificate to
+the database. The new certificate will be in the directory
+/usr/local/ssl/newcerts. Tranport this file back to the requesting
+host and place it in the file /etc/ipsec/foo.pem. You can delete the
+file foo.req.pem now.
+
+Once the certificate has been delivered, move the file from newcerts
+into certs and run the command
+
+c_rehash /usr/local/ssl/certs
+
+to create the hashed directory.
+
+4.7 Renewing a certificate
+
+When you want to replace a certificate stored in file foo.pem, issue
+the command
+
+openssl ca -revoke foo.pem
+
+This changes the database to reflect the fact that the certificate has
+been cancelled, but does not update the CRL. Do that with the
+instructions in section 4.4. Make sure that the new CRL is propagated
+to all participating hosts.
+
+Now create the key/request/certificate as per sections 4.5 onwards.
+
+   ******************* End of document ********************
+
diff -bruN freeswan-1.9.orig/doc/pkix/README.certopts freeswan-1.9/doc/pkix/README.certopts
--- freeswan-1.9.orig/doc/pkix/README.certopts	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/README.certopts	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,22 @@
+The current options available within this PKIX package are:
+
+send 	-> If using RSASIG or RPKE, send your certificate to the peer.
+	   This option is usually optional.
+
+pk	-> Use PKE authentication
+
+pk,rev	-> Use RPKE authentication
+
+strict	-> Strict authenticate. There _must_ be a CRL available, and it
+	   must be valid.
+
+I recommend always sending the optional certificate to the peer, as well 
+as using "strict" at all times to make sure the connection is truly 
+fully authenticated.
+	certopts=send,strict,pk,rev
+
+For more information on these certopts options, please refer to Neil Dunbar's
+README.certificates document.
+
+-- Luc Lanthier
+luc.lanthier@rebel.com 
diff -bruN freeswan-1.9.orig/doc/pkix/README.xmap freeswan-1.9/doc/pkix/README.xmap
--- freeswan-1.9.orig/doc/pkix/README.xmap	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/README.xmap	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,398 @@
+			     README.xmap
+
+			     Neil Dunbar
+			  21st October, 1999
+
+1. Introduction
+
+As of the October release of the pluto-openssl patches, the
+certificate paths parameter has been replaced by a list of
+XMAPs. XMAPs are an abstraction of a dictionary lookup, which are
+designed to look up public key information. This includes X.509
+certificates, X.509 certificate revocation lists, and, in theory,
+simple public key values (NB: raw public keys are not supported yet).
+
+An XMAP is similar to the X509_LOOKUP system employed within OpenSSL
+to specify file and directory lookup. Indeed, XMAP has two mechanisms
+for lookup via file and directory, as well as others.
+
+The specification for an XMAP consists of a text string of the format
+:
      . The type denotes the sort of search which the XMAP
+library will carry out, and the details give appropriate parameter
+information so that the search can execute. As an example, a file XMAP
+on the file /etc/ipsec/certs.txt would have the form
+"file:/etc/ipsec/certs.txt".
+
+2. XMAP lookup
+
+(Programmer stuff - ignore if not interested)
+
+A lookup is a search which is identified by three parameters: the type
+of the thing being looked for, the search identifier and a search
+parameter (which is governed by the search identifier).
+
+The result of the search is a list (actually an OpenSSL STACK) of type
+X509_OBJECT (all of which fit the search criteria specified, sorted to
+be age order [most recent first, oldest last]. The type X509_OBJECT is
+defined in the OpenSSL header file x509_vfy.h. Note: this is NOT the
+same as the file X509_OBJECTS defined in x509.h. The C type
+declaration is reproduced here.
+
+typedef struct x509_object_st {
+   /* one of the above types */
+   int type;
+   union  {
+     char *ptr;
+     X509 *x509;
+     X509_CRL *crl;
+     EVP_PKEY *pkey;
+   } data; 
+} X509_OBJECT;
+
+Thus, if an X.509 certificate is stored in such an object, the type
+field will be set to X509_LU_X509, and .data.x509 holds a
+pointer to the actual certificate data.
+
+Thus, to iterate through all certificates returned in a search, a C
+program fragment would look like the following.
+
+XMAP *xmap;
+int i;
+STACK_OF(X509_OBJECT) *sk;
+X509_OBJECT *obj;
+X509 *x;
+ :
+ :
+sk = XMAP_lookup(xmap, X509_LU_X509, , );
+for (i=0; idata.x509;
+
+    /* Operations on the certificate 'x' */
+} 
+
+3. XMAP Search types
+
+The various search types are detailed in the following sections. The
+list of items are sorted (if possible) in date descending order, ie
+the most recent object is first in the return list, and the oldest
+object comes last. All duplicates are removed from the return list.
+
+3.1 "subject" (returns X.509 cert)
+
+The search looks for a certificate whose name is the the same as the
+X.509 name given in the parameter to the search.
+
+3.2 "issuer" (returns X.509 CRL)
+
+The search looks for a certificate revocation list (CRL) whose issuer
+is the same as the X.509 given as a search parameter.
+
+3.3 "uid" (returns X.509 cert)
+
+The search looks for the certificates which are listed as belonging to
+the user whose ID is given by the null terminated character string
+given as the search parameter.
+
+3.4 "dns" (returns X.509 cert)
+
+The search returns a list of the certificates which are listed as
+belonging to the fully qualified domain name (FQDN) as given in the
+search parameter, which is a null terminated character string.
+
+NB: Any certificate MUST have a subjectAltName which includes a DNS
+entry which is the same as the search string. This requirement is in
+addition to any indexing which is required for the individual XMAP
+search type.
+
+3.5 "ip" (returns X.509 cert)
+
+The search returns a list of the certificates which are listed as
+belonging to the IPv4 address given as a search parameter. The search
+parameter is a 4 octet string, which gives the IP address in network
+order; for example the ip address 15.144.59.30 would have the search
+parameter (in hex) 0F903B1E.
+
+As with DNS indexed certificates, the certificates must contain a
+subjectAltName with the correct IP entry within it.
+
+3.6 "ca" (returns X.509 cert)
+
+This search returns all CA certificates indexed in the list. A CA
+certificate is one which has a basicConstraints extension with the CA
+flag set to true. Also the CA has the subjectName and issuerName set
+to be the same.
+
+There is no search parameter for this search. It should be set to NULL
+in the XMAP_lookup() call.
+
+4. XMAP Types
+
+There are currently four types of XMAP: File, Directory, Berkeley DB
+and LDAP. Respectively, their type specifiers are "file", "dir", "db"
+and "ldap". Each subsection will detail the exact representation and
+expectations of the XMAP.
+
+4.1 File
+
+Type Specifier: "file"
+Syntax: file:
+
+This implements a simple flat file structure for lookups. The file can
+contain as many certificates in PEM format as desired. In order to
+index them, certain fields should be prepended to the certificates.
+
+For example a file might look like this.
+
+-----BEGIN CERTIFICATE-----
+MIIEHzCCAwegAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpzELMAkGA1UEBhMCR0Ix
+HQ0Qb72dPlXYO20xtdMR9fX92PfSQSgAulNITYzusd8KE6yvJ8+HEbUuwXLHXZh4
+  :
+  :
+  :
+pk/Bv8iFUiZhH8EAr6SvF0AkpULi46bVcoQlr36Ax59uQ8OcJeNmljKYdbrN5uFL
+62In
+-----END CERTIFICATE-----
+
+uid: nd
+-----BEGIN CERTIFICATE-----
+MIIETDCCA7WgAwIBAgIQE9hfeRmSr51Wzgvm4B19JjANBgkqhkiG9w0BAQQFADCB
+njEPMA0GA1UEChMGaHAuY29tMRowGAYDVQQLExFJVCBJbmZyYXN0cnVjdHVyZTEL
+  :
+  :
+  :
+6pZk+pEpZ5S55lFP1QspTsBVbrBgsEuGFyGpHTo9sIEaQYxfRGNEvW+ZaEPU1HKo
+YVkAahuv5T21GdvouWdelA6l6uWMK/hfsQo9PdpBLDaUrwH5lkDuXcNk+LHZvVDt
+-----END CERTIFICATE-----                                       
+
+-----BEGIN X509 CRL-----
+MIICLTCCARUwDQYJKoZIhvcNAQEEBQAwgacxCzAJBgNVBAYTAkdCMR4wHAYDVQQI
+ExVTb3V0aCBHbG91Y2VzdGVyc2hpcmUxEDAOBgNVBAcTB0JyaXN0b2wxJTAjBgNV
+  :
+  :
+  :
+++lOGcX1WTtZ2dnV6Lb5r5xQ3IGavf2TKnu1/nCyAKFlF34+j7/+fIxT4iQiEDjk
+Z8Q76UEWVRMw7Tk63aAf0Yf5qaI1Tpd+SKhSTgc4arJH
+-----END X509 CRL-----
+
+ip: 15.144.59.30
+dns: pinky.hpl.hp.com
+-----BEGIN CERTIFICATE-----
+MIIHgTCCBmmgAwIBAgIBCjANBgkqhkiG9w0BAQQFADCBpzELMAkGA1UEBhMCR0Ix
+HjAcBgNVBAgTFVNvdXRoIEdsb3VjZXN0ZXJzaGlyZTEQMA4GA1UEBxMHQnJpc3Rv
+  :
+  :
+  :
+KkW/kYOxRrmg9KGnSVOolD1ueLYg9D4CtY30r1JGE/wixmIvQEP8JEv+X6Cr4Wiu
+VfENrF8=
+-----END CERTIFICATE-----
+
+This example indexes the fourth certificate as belonging to the IP
+address 15.144.59.30, as well as the DNS name "pinky.hpl.hp.com". The
+second certificate belongs to the user ID "nd".
+
+The file also contains a CRL embedded within it.
+
+Note: indexed searches in files are done by simple linear search. It's
+not an efficient means for searching serious amounts of data - use the
+other types for anything other than trivial data.
+
+
+4.2 Directory
+
+Type Specifier: "dir"
+Syntax: dir:
+
+The directory type is a derivation of the hashed directory used in the
+OpenSSL applications. The certificates are stored within a single
+level directory. Each certificate (or CRL) is stored in exactly one
+file in the directory. These files can be in either DER or PEM format,
+unlike the flat file above. To index the files for subject and issuer
+searches, you need to make a symbolic link from a hashed
+representation of the X.509 name of the certificate subject name (or
+CRL issuer name).
+
+To do this, you should execute the command -
+
+[for certificate files -- all on one line]
+
+ln -s certificate.pem
+  `openssl x509 -noout -hash -in certificate.pem`.cert.0
+
+NB: The .0 on the end is an arbitrary extension to the link name in
+case there might be a hash clash in the directory. You can call it
+anythin you like, but the ".cert" extension MUST be present -- unlike
+standard OpenSSL hash directories.
+
+[ for CRL files ]
+ln -s crl.pem
+  `openssl crl -noout -hash -in certificate.pem`.crl.0
+
+Again, the .0 is a differentiating extension, but the ".crl" is
+mandatory for marking out certificates.
+
+To index other attributes, you should make links which have the
+following appearance -
+
+uid-.cert.0 [ denotes a user file ]
+dns-.cert.0 [ a DNS indexed cert ]
+ip-.cert.0 [ an IP indexed cert ]
+
+For example, assume that file pinky.pem held the certificate for DNS
+pinky.hpl.hp.com and/or IP address 15.144.59.30, the links would look
+like -
+
+dns-pinky.hpl.hp.com.cert.0  )__________\. pinky.pem
+ip-15.144.59.30.cert.0       )          /
+
+CA certificates don't need to be indexed. CA searches are performed by
+loading every certificate file in the directory and checking for a CA
+certificate, so it's failrly slow for this type of search.
+
+What Directories *are* good for is converting into a Berkeley DB file
+database - which is the fastest of all searches.
+
+-- ADDENDUM -- 20001016, Luc Lanthier
+
+I've created a short and ugly shell script 'rehashcertdir' which will 
+do this work for you. Usage:
+
+  ipsec rehashcertdir 
+
+
+
+3.3 - Berkeley DB searches
+
+Type Specifier: "db"
+Syntax: db:
+
+Assuming you have a Berkeley DB 1.85 library available on your system,
+you can index the certificates/CRLs in a DB hash file, which provides
+the fastest lookup of any of the methods.
+
+The internal details of the DB file are maintained in a separate file
+(README.XMAP.DB -- to be written -- nd). To make a DB file, you should
+create a directory as in the above section, then run the utility
+command "dir2hash" as follows, assuming that the directory to be
+hashed is called "my_dir" and the output DB file should be called
+certs.db :-
+
+  ipsec dir2hash -o dbhash.db my_dir
+
+Note: You don't have to make the hashed, DNS or IP links as in the
+directory above (they are automatically figured out by the dir2hash
+program from the subjectNames and subjectAltNames of the
+certificates/CRLs). You DO have to index the uid entries manually,
+since the certificates don't necessarily have the means of
+indentifying which users they belong to.
+
+Note that IPsec knows nothing of uid's and doesn;t use them yet, so a
+perfectly valid IPsec DB file can be mafe by putting all the
+certificates into a directory without any links at all, then running
+dir2hash on the directory.
+
+However, this still creates a single file which must be copied to all
+hosts participating in the IPsec process. Therefore, this mechanism
+will not scale past a few, easily managed hosts. For scalability you
+should use LDAP.
+
+3.4 - LDAP searches
+
+Type Specifier: "ldap"
+Syntax: ldap::
+
+Assuming that you have at least one LDAP server available on your
+network, you can make a config file (which is NOT the same as
+ipsec.conf) to specify how to search for entries in one or more LDAP
+servers. A single ldap configuration file can hold search details for
+many ldap servers. Each server specification must be identified by a
+unique ldap ID. This ID can be any alphanumeric string. If the LDAP
+identifier is omitted, then the first specification in the file will
+be used by default.
+
+The entries in the configuration file can be of the following form:
+
+_host_name: 
+
+_port: 
+
+_base: 
+
+_timeout: 
+
+_bindDN: 
+
+_bindPW: 
+
+Note that you MUST supply a base search string: the software cannot
+guess a reasonable default. Also, the bind DN and password is the only
+supported authentication mechanism. PLEASE don't put the LDAP server
+on a host which needs to reached via IPsec. If you're relying on it to
+serve all certificates, the LDAP connection won't work (since the
+IPsec connection might not be up yet).
+
+For each search type, you must specify the filter string and
+attributes which should be searched for from the LDAP directory.
+
+The filter string specification has the form
+
+_filter::: 
+
+where  is either "uid", "subject", "issuer", "dns" or
+"ip" as above, and  is either "cert" (for X.509
+certificates) or "crl" for CRL searches. Either the  or
+ can be set to "*", which is a wildcard, meaning any
+index or any return type.
+
+Similarly, the attribute specification looks like:
+
+_attributes::: 
+
+The  and  are as above, with the list of
+attributes a comma separated list of attributes.
+
+For an example, let us use the following file
+
+ldapnd_host_name = ldap.hpl.hp.com
+ldapnd_base = o=Hewlett-Packard Laboratories, c=GB
+ldapnd_filter:uid = (uid=%s)
+
+ldapnd_attributes:*:crl = certificaterevocationlist, certificaterevocationlist;binary
+
+ldapnd_filter:*:crl = (&(objectclass=certificationAuthority)(cn=%s))
+
+ldapnd_filter:ca = (objectclass=certificationauthority)
+
+ldapnd_filter:dns = (&(objectclass=hostRecord)(dNSRecord=%s))
+ldapnd_attributes:dns = servercertificate, servercertificate;binary
+
+ldapnd_filter:ip = (&(objectclass=hostRecord)(ipv4Address=%s))   
+ldapnd_attributes:ip = servercertificate, servercertificate;binary
+
+This stipulates an anonymous bind search of the LDAP server on
+ldap.hpl.hp.com port 389 (the default), whose base for searches is
+"o=Hewlett-Packard Laboratories,c=GB".
+
+For DNS searches, the filter used will be
+
+"(&(objectClass=hostRecord)(dNSRecord=%s))"
+
+where "%s" will be replaced by the DNS name being searched for. In the
+case of a search for pinky.hpl.hp.com, the search string will be -
+
+"(&(objectClass=hostRecord)(dNSRecord=pinky.hpl.hp.com))"
+
+For IP address searches, the filter used will be
+
+"(&(objectclass=hostRecord)(ipv4Address=%s))"
+
+Again, searching for the host with IP address 15.144.59.30, the host
+search filter will be -
+
+"(&(objectclass=hostRecord)(ipv4Address=15.144.59.30))"
+
+In both DNS and IP searches, the search will return the attributes
+"serverCertificate" and "serverCertificate;binary".
+
+Note that the return type is missing from many of the
+specifications. Return types default to "cert".
diff -bruN freeswan-1.9.orig/doc/pkix/examples/arm-devel.key freeswan-1.9/doc/pkix/examples/arm-devel.key
--- freeswan-1.9.orig/doc/pkix/examples/arm-devel.key	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/arm-devel.key	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQCoqQwsIfybAtb0mMfD3NGNMZH7ckGrCehSm741ddjw9rW6igzZ
+AptaqQ2Y5raPl0XrF+MQI8SQkfTtzP92/ZU9eqbEWbBFRfYLqckMd21eU9GHDVl5
+UPmUwWSOXuE4lK58f2heEFE975yf9CsIvOuas33FsiuYtO5UEmzapAVAnQIDAQAB
+AoGAXUzWvPs4IBAcFUcHCyR2j6LiXLTB+voKGNirCivdDL+NnFmN7eZxRl/Kc9D9
+IMXQGdMm+uCudkMnuPz0PUDeczQST46jiTlG5vkQdj3zpmz/x73t5I4E8vFSX6A4
+gKREFeGxSCEm0THNusBKk1Q+huHUDKw4mFh85MTopy32McECQQDVWcc3BMlDICG2
+6bFc3+1ieeVIKoD2GnJR7b/GU57umLFyDmSFwOkTTt7VWp3jV/81Oy+xBe3cC8Fm
+mFC/e45VAkEAymA9ke8XFduafs2Q+nsbfx4QI+f8lAd51pBR4A4J+W50JLO1/WqC
+PwOXwVPRCPyzHiY9B8L9KPrFKSwVedihKQJBAKnGCl/+wAVZcVqztf649pbRdyGp
+KPwt6WDGtz+j1Sn6eeHQEC/bZd2Geo3+0PtTT/NVCMtuc2wSMrFobYEiWg0CQQCl
+lf9qw5049jlAHYTNXiNObFO6fVuN51wKcoV7dSE2JOkFCsISuq4dTxxBRApadyE7
+vv/atPGdMSpXGMntq5GZAkEA1PJ0w4WSC3sW3guq4WzDLWqmbK2pOvC40ATZR67y
+lYC1okanKDsRam0remPY7xWZ8WACJx5KOIvYgXhX+dNXPg==
+-----END RSA PRIVATE KEY-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/arm-devel.pem freeswan-1.9/doc/pkix/examples/arm-devel.pem
--- freeswan-1.9.orig/doc/pkix/examples/arm-devel.pem	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/arm-devel.pem	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Rebel.com, OU=SoftEng, CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+        Validity
+            Not Before: Feb 14 20:59:13 2001 GMT
+            Not After : Feb 14 20:59:13 2002 GMT
+        Subject: C=CA, ST=Ontario, O=Rebel.com, OU=SoftEng, CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a8:a9:0c:2c:21:fc:9b:02:d6:f4:98:c7:c3:dc:
+                    d1:8d:31:91:fb:72:41:ab:09:e8:52:9b:be:35:75:
+                    d8:f0:f6:b5:ba:8a:0c:d9:02:9b:5a:a9:0d:98:e6:
+                    b6:8f:97:45:eb:17:e3:10:23:c4:90:91:f4:ed:cc:
+                    ff:76:fd:95:3d:7a:a6:c4:59:b0:45:45:f6:0b:a9:
+                    c9:0c:77:6d:5e:53:d1:87:0d:59:79:50:f9:94:c1:
+                    64:8e:5e:e1:38:94:ae:7c:7f:68:5e:10:51:3d:ef:
+                    9c:9f:f4:2b:08:bc:eb:9a:b3:7d:c5:b2:2b:98:b4:
+                    ee:54:12:6c:da:a4:05:40:9d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                IPsec Certificate for arm-devel.netwinder.org
+            X509v3 Subject Key Identifier: 
+                98:76:ED:A5:41:7C:28:3C:C8:63:0F:09:F7:DE:9E:B2:00:B6:36:FE
+            X509v3 Authority Key Identifier: 
+                keyid:7A:38:75:E9:B9:94:AB:B6:00:C5:36:81:EA:A5:60:3E:FA:FE:E4:E1
+                DirName:/C=CA/ST=Ontario/L=Ottawa/O=Rebel.com/OU=SoftEng/CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:luc.lanthier@rebel.com, DNS:arm-devel.netwinder.org, IP Address:10.8.49.122
+            X509v3 Issuer Alternative Name: 
+                email:luc.lanthier@rebel.com
+    Signature Algorithm: md5WithRSAEncryption
+        bb:a9:1a:f4:e3:55:c8:f6:e7:d6:32:cb:a2:2f:6d:58:a3:5d:
+        8f:5a:0d:95:53:c7:bf:06:e7:3b:ca:99:48:99:2f:55:28:5a:
+        9e:37:ef:3b:44:73:1e:e0:61:93:43:f8:04:6b:06:1e:68:e5:
+        3e:a2:10:53:94:2f:66:76:fc:66:93:d4:5e:76:cf:2d:18:e2:
+        ff:eb:c0:77:c9:d5:4d:00:60:34:50:59:69:b9:7d:07:fb:ca:
+        8b:6e:ee:5c:d2:d9:06:2f:ee:df:d8:09:12:76:bc:b5:17:80:
+        a8:d6:a7:25:59:5c:b4:65:cb:29:b1:cd:77:29:e9:c4:03:00:
+        ea:c4
+-----BEGIN CERTIFICATE-----
+MIIEUTCCA7qgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjA1OTEzWhcNMDIwMjE0MjA1OTEzWjCBjjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEg
+MB4GA1UEAxMXYXJtLWRldmVsLm5ldHdpbmRlci5vcmcxJTAjBgkqhkiG9w0BCQEW
+Fmx1Yy5sYW50aGllckByZWJlbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKipDCwh/JsC1vSYx8Pc0Y0xkftyQasJ6FKbvjV12PD2tbqKDNkCm1qpDZjm
+to+XResX4xAjxJCR9O3M/3b9lT16psRZsEVF9gupyQx3bV5T0YcNWXlQ+ZTBZI5e
+4TiUrnx/aF4QUT3vnJ/0Kwi865qzfcWyK5i07lQSbNqkBUCdAgMBAAGjggG1MIIB
+sTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwPAYJ
+YIZIAYb4QgENBC8WLUlQc2VjIENlcnRpZmljYXRlIGZvciBhcm0tZGV2ZWwubmV0
+d2luZGVyLm9yZzAdBgNVHQ4EFgQUmHbtpUF8KDzIYw8J996esgC2Nv4wgcEGA1Ud
+IwSBuTCBtoAUejh16bmUq7YAxTaB6qVgPvr+5OGhgZqkgZcwgZQxCzAJBgNVBAYT
+AkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoT
+CVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEVMBMGA1UEAxQMQ0FfYXJtLWRl
+dmVsMSUwIwYJKoZIhvcNAQkBFhZsdWMubGFudGhpZXJAcmViZWwuY29tggEAMEAG
+A1UdEQQ5MDeBFmx1Yy5sYW50aGllckByZWJlbC5jb22CF2FybS1kZXZlbC5uZXR3
+aW5kZXIub3JnhwQKCDF6MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5j
+b20wDQYJKoZIhvcNAQEEBQADgYEAu6ka9ONVyPbn1jLLoi9tWKNdj1oNlVPHvwbn
+O8qZSJkvVShanjfvO0RzHuBhk0P4BGsGHmjlPqIQU5QvZnb8ZpPUXnbPLRji/+vA
+d8nVTQBgNFBZabl9B/vKi27uXNLZBi/u39gJEna8tReAqNanJVlctGXLKbHNdynp
+xAMA6sQ=
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/arm-devel.req.pem freeswan-1.9/doc/pkix/examples/arm-devel.req.pem
--- freeswan-1.9.orig/doc/pkix/examples/arm-devel.req.pem	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/arm-devel.req.pem	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB4DCCAUkCAQAwgZ8xCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8w
+DQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29m
+dEVuZzEgMB4GA1UEAxMXYXJtLWRldmVsLm5ldHdpbmRlci5vcmcxJTAjBgkqhkiG
+9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAKipDCwh/JsC1vSYx8Pc0Y0xkftyQasJ6FKbvjV12PD2tbqKDNkC
+m1qpDZjmto+XResX4xAjxJCR9O3M/3b9lT16psRZsEVF9gupyQx3bV5T0YcNWXlQ
++ZTBZI5e4TiUrnx/aF4QUT3vnJ/0Kwi865qzfcWyK5i07lQSbNqkBUCdAgMBAAGg
+ADANBgkqhkiG9w0BAQQFAAOBgQCNEgKfb3Qwtk7rgHcLiUCcXA4w4XFyHxRA8GEO
+N/sJVOFq6mV2wVHEmhYalMQTXs3KXNucppQ3ZtHhiLCxzuHSe1Cs6q3iBXPaOPsY
+L6I2gJ/wQ49E11HYtMSzDjcAbxV3zWWd42Xk8mNNrhT2r1h+g30DQEgFjXkXhbpt
+1R+0uA==
+-----END CERTIFICATE REQUEST-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/db-pk-rw.conf freeswan-1.9/doc/pkix/examples/db-pk-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/db-pk-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/db-pk-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=db:/etc/ipsec/dir_dbhash.db
+	certopts=send,strict,pk
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/db-pk.conf freeswan-1.9/doc/pkix/examples/db-pk.conf
--- freeswan-1.9.orig/doc/pkix/examples/db-pk.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/db-pk.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=db:/etc/ipsec/dir_dbhash.db
+	certopts=send,strict,pk
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/db-rpk-rw.conf freeswan-1.9/doc/pkix/examples/db-rpk-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/db-rpk-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/db-rpk-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=db:/etc/ipsec/dir_dbhash.db
+	certopts=send,strict,pk,rev
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/db-rpk.conf freeswan-1.9/doc/pkix/examples/db-rpk.conf
--- freeswan-1.9.orig/doc/pkix/examples/db-rpk.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/db-rpk.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=db:/etc/ipsec/dir_dbhash.db
+	certopts=send,strict,pk,rev
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/db-rsasig-rw.conf freeswan-1.9/doc/pkix/examples/db-rsasig-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/db-rsasig-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/db-rsasig-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=db:/etc/ipsec/dir_dbhash.db
+	certopts=send
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/db-rsasig.conf freeswan-1.9/doc/pkix/examples/db-rsasig.conf
--- freeswan-1.9.orig/doc/pkix/examples/db-rsasig.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/db-rsasig.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=db:/etc/ipsec/dir_dbhash.db
+	certopts=send
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/60601ae4.cert.0 freeswan-1.9/doc/pkix/examples/dir/60601ae4.cert.0
--- freeswan-1.9.orig/doc/pkix/examples/dir/60601ae4.cert.0	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/60601ae4.cert.0	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,78 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Rebel.com, OU=SoftEng, CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+        Validity
+            Not Before: Feb 14 21:00:11 2001 GMT
+            Not After : Feb 14 21:00:11 2002 GMT
+        Subject: C=CA, ST=Ontario, O=Rebel.com, OU=SoftEng, CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:e2:2b:ad:70:6b:29:e7:83:be:af:12:50:4b:a4:
+                    26:02:60:ed:f9:bd:49:51:86:96:18:9c:10:f1:0c:
+                    7d:bd:b9:22:8e:66:6a:f4:96:e5:8d:e2:c4:11:1e:
+                    64:8e:59:1e:b1:a2:64:15:fa:a6:17:9a:59:f3:9f:
+                    9f:c8:c9:17:b8:a7:87:55:70:8f:de:25:78:e6:e0:
+                    4c:82:ae:f1:47:14:77:fa:5b:3e:4d:e5:05:5e:31:
+                    09:62:56:f8:3b:94:51:b2:e3:7e:bb:8f:6e:dc:ea:
+                    64:2e:2f:65:8e:41:18:0e:cf:9d:8a:b8:0a:86:6c:
+                    6a:88:be:58:ce:be:b3:32:c1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                IPsec Certificate for arm1.netwinder.org
+            X509v3 Subject Key Identifier: 
+                82:A2:6E:58:0D:B6:98:EF:D9:A0:68:9D:D0:C0:70:59:B3:6A:32:99
+            X509v3 Authority Key Identifier: 
+                keyid:7A:38:75:E9:B9:94:AB:B6:00:C5:36:81:EA:A5:60:3E:FA:FE:E4:E1
+                DirName:/C=CA/ST=Ontario/L=Ottawa/O=Rebel.com/OU=SoftEng/CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:firesoul@netwinder.org, DNS:arm1.netwinder.org, IP Address:10.1.49.124
+            X509v3 Issuer Alternative Name: 
+                email:luc.lanthier@rebel.com
+    Signature Algorithm: md5WithRSAEncryption
+        c3:68:19:5f:60:12:18:6f:48:87:f9:97:d2:a3:0f:bc:e4:d0:
+        59:37:69:17:28:32:55:7d:5c:7a:35:ff:e1:67:05:f5:31:80:
+        27:cc:3a:37:28:47:46:ec:d9:b0:f9:69:ac:ce:6d:89:94:19:
+        16:38:64:bb:da:67:68:c5:e3:26:e3:66:98:b2:45:bf:0d:16:
+        2b:95:0c:1a:cc:65:8c:c5:f4:ba:2f:2b:5a:f4:ad:9a:71:92:
+        de:e5:77:c4:08:96:7c:c3:25:25:fe:43:b0:f3:f9:65:1f:fa:
+        6c:2d:2e:e2:1f:18:75:03:51:33:94:61:29:59:1a:9c:7c:71:
+        42:e1
+-----BEGIN CERTIFICATE-----
+MIIEQjCCA6ugAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjEwMDExWhcNMDIwMjE0MjEwMDExWjCBiTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEb
+MBkGA1UEAxMSYXJtMS5uZXR3aW5kZXIub3JnMSUwIwYJKoZIhvcNAQkBFhZmaXJl
+c291bEBuZXR3aW5kZXIub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDi
+K61waynng76vElBLpCYCYO35vUlRhpYYnBDxDH29uSKOZmr0luWN4sQRHmSOWR6x
+omQV+qYXmlnzn5/IyRe4p4dVcI/eJXjm4EyCrvFHFHf6Wz5N5QVeMQliVvg7lFGy
+4367j27c6mQuL2WOQRgOz52KuAqGbGqIvljOvrMywQIDAQABo4IBqzCCAacwCQYD
+VR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgXgMDcGCWCGSAGG
++EIBDQQqFihJUHNlYyBDZXJ0aWZpY2F0ZSBmb3IgYXJtMS5uZXR3aW5kZXIub3Jn
+MB0GA1UdDgQWBBSCom5YDbaY79mgaJ3QwHBZs2oymTCBwQYDVR0jBIG5MIG2gBR6
+OHXpuZSrtgDFNoHqpWA++v7k4aGBmqSBlzCBlDELMAkGA1UEBhMCQ0ExEDAOBgNV
+BAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmViZWwuY29t
+MRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwxJTAjBgkq
+hkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb22CAQAwOwYDVR0RBDQwMoEW
+ZmlyZXNvdWxAbmV0d2luZGVyLm9yZ4ISYXJtMS5uZXR3aW5kZXIub3JnhwQKATF8
+MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5jb20wDQYJKoZIhvcNAQEE
+BQADgYEAw2gZX2ASGG9Ih/mX0qMPvOTQWTdpFygyVX1cejX/4WcF9TGAJ8w6NyhH
+RuzZsPlprM5tiZQZFjhku9pnaMXjJuNmmLJFvw0WK5UMGsxljMX0ui8rWvStmnGS
+3uV3xAiWfMMlJf5DsPP5ZR/6bC0u4h8YdQNRM5RhKVkanHxxQuE=
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/arm-devel.pem freeswan-1.9/doc/pkix/examples/dir/arm-devel.pem
--- freeswan-1.9.orig/doc/pkix/examples/dir/arm-devel.pem	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/arm-devel.pem	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Rebel.com, OU=SoftEng, CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+        Validity
+            Not Before: Feb 14 20:59:13 2001 GMT
+            Not After : Feb 14 20:59:13 2002 GMT
+        Subject: C=CA, ST=Ontario, O=Rebel.com, OU=SoftEng, CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a8:a9:0c:2c:21:fc:9b:02:d6:f4:98:c7:c3:dc:
+                    d1:8d:31:91:fb:72:41:ab:09:e8:52:9b:be:35:75:
+                    d8:f0:f6:b5:ba:8a:0c:d9:02:9b:5a:a9:0d:98:e6:
+                    b6:8f:97:45:eb:17:e3:10:23:c4:90:91:f4:ed:cc:
+                    ff:76:fd:95:3d:7a:a6:c4:59:b0:45:45:f6:0b:a9:
+                    c9:0c:77:6d:5e:53:d1:87:0d:59:79:50:f9:94:c1:
+                    64:8e:5e:e1:38:94:ae:7c:7f:68:5e:10:51:3d:ef:
+                    9c:9f:f4:2b:08:bc:eb:9a:b3:7d:c5:b2:2b:98:b4:
+                    ee:54:12:6c:da:a4:05:40:9d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                IPsec Certificate for arm-devel.netwinder.org
+            X509v3 Subject Key Identifier: 
+                98:76:ED:A5:41:7C:28:3C:C8:63:0F:09:F7:DE:9E:B2:00:B6:36:FE
+            X509v3 Authority Key Identifier: 
+                keyid:7A:38:75:E9:B9:94:AB:B6:00:C5:36:81:EA:A5:60:3E:FA:FE:E4:E1
+                DirName:/C=CA/ST=Ontario/L=Ottawa/O=Rebel.com/OU=SoftEng/CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:luc.lanthier@rebel.com, DNS:arm-devel.netwinder.org, IP Address:10.8.49.122
+            X509v3 Issuer Alternative Name: 
+                email:luc.lanthier@rebel.com
+    Signature Algorithm: md5WithRSAEncryption
+        bb:a9:1a:f4:e3:55:c8:f6:e7:d6:32:cb:a2:2f:6d:58:a3:5d:
+        8f:5a:0d:95:53:c7:bf:06:e7:3b:ca:99:48:99:2f:55:28:5a:
+        9e:37:ef:3b:44:73:1e:e0:61:93:43:f8:04:6b:06:1e:68:e5:
+        3e:a2:10:53:94:2f:66:76:fc:66:93:d4:5e:76:cf:2d:18:e2:
+        ff:eb:c0:77:c9:d5:4d:00:60:34:50:59:69:b9:7d:07:fb:ca:
+        8b:6e:ee:5c:d2:d9:06:2f:ee:df:d8:09:12:76:bc:b5:17:80:
+        a8:d6:a7:25:59:5c:b4:65:cb:29:b1:cd:77:29:e9:c4:03:00:
+        ea:c4
+-----BEGIN CERTIFICATE-----
+MIIEUTCCA7qgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjA1OTEzWhcNMDIwMjE0MjA1OTEzWjCBjjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEg
+MB4GA1UEAxMXYXJtLWRldmVsLm5ldHdpbmRlci5vcmcxJTAjBgkqhkiG9w0BCQEW
+Fmx1Yy5sYW50aGllckByZWJlbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKipDCwh/JsC1vSYx8Pc0Y0xkftyQasJ6FKbvjV12PD2tbqKDNkCm1qpDZjm
+to+XResX4xAjxJCR9O3M/3b9lT16psRZsEVF9gupyQx3bV5T0YcNWXlQ+ZTBZI5e
+4TiUrnx/aF4QUT3vnJ/0Kwi865qzfcWyK5i07lQSbNqkBUCdAgMBAAGjggG1MIIB
+sTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwPAYJ
+YIZIAYb4QgENBC8WLUlQc2VjIENlcnRpZmljYXRlIGZvciBhcm0tZGV2ZWwubmV0
+d2luZGVyLm9yZzAdBgNVHQ4EFgQUmHbtpUF8KDzIYw8J996esgC2Nv4wgcEGA1Ud
+IwSBuTCBtoAUejh16bmUq7YAxTaB6qVgPvr+5OGhgZqkgZcwgZQxCzAJBgNVBAYT
+AkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoT
+CVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEVMBMGA1UEAxQMQ0FfYXJtLWRl
+dmVsMSUwIwYJKoZIhvcNAQkBFhZsdWMubGFudGhpZXJAcmViZWwuY29tggEAMEAG
+A1UdEQQ5MDeBFmx1Yy5sYW50aGllckByZWJlbC5jb22CF2FybS1kZXZlbC5uZXR3
+aW5kZXIub3JnhwQKCDF6MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5j
+b20wDQYJKoZIhvcNAQEEBQADgYEAu6ka9ONVyPbn1jLLoi9tWKNdj1oNlVPHvwbn
+O8qZSJkvVShanjfvO0RzHuBhk0P4BGsGHmjlPqIQU5QvZnb8ZpPUXnbPLRji/+vA
+d8nVTQBgNFBZabl9B/vKi27uXNLZBi/u39gJEna8tReAqNanJVlctGXLKbHNdynp
+xAMA6sQ=
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/arm1.pem freeswan-1.9/doc/pkix/examples/dir/arm1.pem
--- freeswan-1.9.orig/doc/pkix/examples/dir/arm1.pem	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/arm1.pem	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,78 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Rebel.com, OU=SoftEng, CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+        Validity
+            Not Before: Feb 14 21:00:11 2001 GMT
+            Not After : Feb 14 21:00:11 2002 GMT
+        Subject: C=CA, ST=Ontario, O=Rebel.com, OU=SoftEng, CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:e2:2b:ad:70:6b:29:e7:83:be:af:12:50:4b:a4:
+                    26:02:60:ed:f9:bd:49:51:86:96:18:9c:10:f1:0c:
+                    7d:bd:b9:22:8e:66:6a:f4:96:e5:8d:e2:c4:11:1e:
+                    64:8e:59:1e:b1:a2:64:15:fa:a6:17:9a:59:f3:9f:
+                    9f:c8:c9:17:b8:a7:87:55:70:8f:de:25:78:e6:e0:
+                    4c:82:ae:f1:47:14:77:fa:5b:3e:4d:e5:05:5e:31:
+                    09:62:56:f8:3b:94:51:b2:e3:7e:bb:8f:6e:dc:ea:
+                    64:2e:2f:65:8e:41:18:0e:cf:9d:8a:b8:0a:86:6c:
+                    6a:88:be:58:ce:be:b3:32:c1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                IPsec Certificate for arm1.netwinder.org
+            X509v3 Subject Key Identifier: 
+                82:A2:6E:58:0D:B6:98:EF:D9:A0:68:9D:D0:C0:70:59:B3:6A:32:99
+            X509v3 Authority Key Identifier: 
+                keyid:7A:38:75:E9:B9:94:AB:B6:00:C5:36:81:EA:A5:60:3E:FA:FE:E4:E1
+                DirName:/C=CA/ST=Ontario/L=Ottawa/O=Rebel.com/OU=SoftEng/CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:firesoul@netwinder.org, DNS:arm1.netwinder.org, IP Address:10.1.49.124
+            X509v3 Issuer Alternative Name: 
+                email:luc.lanthier@rebel.com
+    Signature Algorithm: md5WithRSAEncryption
+        c3:68:19:5f:60:12:18:6f:48:87:f9:97:d2:a3:0f:bc:e4:d0:
+        59:37:69:17:28:32:55:7d:5c:7a:35:ff:e1:67:05:f5:31:80:
+        27:cc:3a:37:28:47:46:ec:d9:b0:f9:69:ac:ce:6d:89:94:19:
+        16:38:64:bb:da:67:68:c5:e3:26:e3:66:98:b2:45:bf:0d:16:
+        2b:95:0c:1a:cc:65:8c:c5:f4:ba:2f:2b:5a:f4:ad:9a:71:92:
+        de:e5:77:c4:08:96:7c:c3:25:25:fe:43:b0:f3:f9:65:1f:fa:
+        6c:2d:2e:e2:1f:18:75:03:51:33:94:61:29:59:1a:9c:7c:71:
+        42:e1
+-----BEGIN CERTIFICATE-----
+MIIEQjCCA6ugAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjEwMDExWhcNMDIwMjE0MjEwMDExWjCBiTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEb
+MBkGA1UEAxMSYXJtMS5uZXR3aW5kZXIub3JnMSUwIwYJKoZIhvcNAQkBFhZmaXJl
+c291bEBuZXR3aW5kZXIub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDi
+K61waynng76vElBLpCYCYO35vUlRhpYYnBDxDH29uSKOZmr0luWN4sQRHmSOWR6x
+omQV+qYXmlnzn5/IyRe4p4dVcI/eJXjm4EyCrvFHFHf6Wz5N5QVeMQliVvg7lFGy
+4367j27c6mQuL2WOQRgOz52KuAqGbGqIvljOvrMywQIDAQABo4IBqzCCAacwCQYD
+VR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgXgMDcGCWCGSAGG
++EIBDQQqFihJUHNlYyBDZXJ0aWZpY2F0ZSBmb3IgYXJtMS5uZXR3aW5kZXIub3Jn
+MB0GA1UdDgQWBBSCom5YDbaY79mgaJ3QwHBZs2oymTCBwQYDVR0jBIG5MIG2gBR6
+OHXpuZSrtgDFNoHqpWA++v7k4aGBmqSBlzCBlDELMAkGA1UEBhMCQ0ExEDAOBgNV
+BAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmViZWwuY29t
+MRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwxJTAjBgkq
+hkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb22CAQAwOwYDVR0RBDQwMoEW
+ZmlyZXNvdWxAbmV0d2luZGVyLm9yZ4ISYXJtMS5uZXR3aW5kZXIub3JnhwQKATF8
+MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5jb20wDQYJKoZIhvcNAQEE
+BQADgYEAw2gZX2ASGG9Ih/mX0qMPvOTQWTdpFygyVX1cejX/4WcF9TGAJ8w6NyhH
+RuzZsPlprM5tiZQZFjhku9pnaMXjJuNmmLJFvw0WK5UMGsxljMX0ui8rWvStmnGS
+3uV3xAiWfMMlJf5DsPP5ZR/6bC0u4h8YdQNRM5RhKVkanHxxQuE=
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/b2dc4b6f.cert.0 freeswan-1.9/doc/pkix/examples/dir/b2dc4b6f.cert.0
--- freeswan-1.9.orig/doc/pkix/examples/dir/b2dc4b6f.cert.0	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/b2dc4b6f.cert.0	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Rebel.com, OU=SoftEng, CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+        Validity
+            Not Before: Feb 14 20:59:13 2001 GMT
+            Not After : Feb 14 20:59:13 2002 GMT
+        Subject: C=CA, ST=Ontario, O=Rebel.com, OU=SoftEng, CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a8:a9:0c:2c:21:fc:9b:02:d6:f4:98:c7:c3:dc:
+                    d1:8d:31:91:fb:72:41:ab:09:e8:52:9b:be:35:75:
+                    d8:f0:f6:b5:ba:8a:0c:d9:02:9b:5a:a9:0d:98:e6:
+                    b6:8f:97:45:eb:17:e3:10:23:c4:90:91:f4:ed:cc:
+                    ff:76:fd:95:3d:7a:a6:c4:59:b0:45:45:f6:0b:a9:
+                    c9:0c:77:6d:5e:53:d1:87:0d:59:79:50:f9:94:c1:
+                    64:8e:5e:e1:38:94:ae:7c:7f:68:5e:10:51:3d:ef:
+                    9c:9f:f4:2b:08:bc:eb:9a:b3:7d:c5:b2:2b:98:b4:
+                    ee:54:12:6c:da:a4:05:40:9d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                IPsec Certificate for arm-devel.netwinder.org
+            X509v3 Subject Key Identifier: 
+                98:76:ED:A5:41:7C:28:3C:C8:63:0F:09:F7:DE:9E:B2:00:B6:36:FE
+            X509v3 Authority Key Identifier: 
+                keyid:7A:38:75:E9:B9:94:AB:B6:00:C5:36:81:EA:A5:60:3E:FA:FE:E4:E1
+                DirName:/C=CA/ST=Ontario/L=Ottawa/O=Rebel.com/OU=SoftEng/CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:luc.lanthier@rebel.com, DNS:arm-devel.netwinder.org, IP Address:10.8.49.122
+            X509v3 Issuer Alternative Name: 
+                email:luc.lanthier@rebel.com
+    Signature Algorithm: md5WithRSAEncryption
+        bb:a9:1a:f4:e3:55:c8:f6:e7:d6:32:cb:a2:2f:6d:58:a3:5d:
+        8f:5a:0d:95:53:c7:bf:06:e7:3b:ca:99:48:99:2f:55:28:5a:
+        9e:37:ef:3b:44:73:1e:e0:61:93:43:f8:04:6b:06:1e:68:e5:
+        3e:a2:10:53:94:2f:66:76:fc:66:93:d4:5e:76:cf:2d:18:e2:
+        ff:eb:c0:77:c9:d5:4d:00:60:34:50:59:69:b9:7d:07:fb:ca:
+        8b:6e:ee:5c:d2:d9:06:2f:ee:df:d8:09:12:76:bc:b5:17:80:
+        a8:d6:a7:25:59:5c:b4:65:cb:29:b1:cd:77:29:e9:c4:03:00:
+        ea:c4
+-----BEGIN CERTIFICATE-----
+MIIEUTCCA7qgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjA1OTEzWhcNMDIwMjE0MjA1OTEzWjCBjjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEg
+MB4GA1UEAxMXYXJtLWRldmVsLm5ldHdpbmRlci5vcmcxJTAjBgkqhkiG9w0BCQEW
+Fmx1Yy5sYW50aGllckByZWJlbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKipDCwh/JsC1vSYx8Pc0Y0xkftyQasJ6FKbvjV12PD2tbqKDNkCm1qpDZjm
+to+XResX4xAjxJCR9O3M/3b9lT16psRZsEVF9gupyQx3bV5T0YcNWXlQ+ZTBZI5e
+4TiUrnx/aF4QUT3vnJ/0Kwi865qzfcWyK5i07lQSbNqkBUCdAgMBAAGjggG1MIIB
+sTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwPAYJ
+YIZIAYb4QgENBC8WLUlQc2VjIENlcnRpZmljYXRlIGZvciBhcm0tZGV2ZWwubmV0
+d2luZGVyLm9yZzAdBgNVHQ4EFgQUmHbtpUF8KDzIYw8J996esgC2Nv4wgcEGA1Ud
+IwSBuTCBtoAUejh16bmUq7YAxTaB6qVgPvr+5OGhgZqkgZcwgZQxCzAJBgNVBAYT
+AkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoT
+CVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEVMBMGA1UEAxQMQ0FfYXJtLWRl
+dmVsMSUwIwYJKoZIhvcNAQkBFhZsdWMubGFudGhpZXJAcmViZWwuY29tggEAMEAG
+A1UdEQQ5MDeBFmx1Yy5sYW50aGllckByZWJlbC5jb22CF2FybS1kZXZlbC5uZXR3
+aW5kZXIub3JnhwQKCDF6MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5j
+b20wDQYJKoZIhvcNAQEEBQADgYEAu6ka9ONVyPbn1jLLoi9tWKNdj1oNlVPHvwbn
+O8qZSJkvVShanjfvO0RzHuBhk0P4BGsGHmjlPqIQU5QvZnb8ZpPUXnbPLRji/+vA
+d8nVTQBgNFBZabl9B/vKi27uXNLZBi/u39gJEna8tReAqNanJVlctGXLKbHNdynp
+xAMA6sQ=
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/cacert.pem freeswan-1.9/doc/pkix/examples/dir/cacert.pem
--- freeswan-1.9.orig/doc/pkix/examples/dir/cacert.pem	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/cacert.pem	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2jCCA0OgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MTk0NTAyWhcNMDYwODA3MTk0NTAyWjCBlDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmViZWwuY29tMRAw
+DgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwxJTAjBgkqhkiG
+9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBANWu/vkaR1M1bvP2Y80Dv105n3VHmOqZcyy9fnbaXXc92nKbBMib
+bsuUdfWdjOuC34BjfNuC9DU3rP8jZNBg+qeyAie6G7Q1R3atroqYvaFFhEbU1OnZ
+vBigB39dOIjfFiHbeqNCqlxLlrMJwkBJtkLdiktuf6Rqp+nnX6ymxz1BAgMBAAGj
+ggE4MIIBNDAdBgNVHQ4EFgQUejh16bmUq7YAxTaB6qVgPvr+5OEwgcEGA1UdIwSB
+uTCBtoAUejh16bmUq7YAxTaB6qVgPvr+5OGhgZqkgZcwgZQxCzAJBgNVBAYTAkNB
+MRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoTCVJl
+YmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEVMBMGA1UEAxQMQ0FfYXJtLWRldmVs
+MSUwIwYJKoZIhvcNAQkBFhZsdWMubGFudGhpZXJAcmViZWwuY29tggEAMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAhBgNVHREE
+GjAYgRZsdWMubGFudGhpZXJAcmViZWwuY29tMA0GCSqGSIb3DQEBBAUAA4GBAHzh
+QeKz7deGehWh7KtZ1tNNu1gWxeW4fwjHUT/xkoepd0XclIIRoKH+2h6w5QG3p2Up
+9TLxWlS8SB0tR0FiVu1WD658vOZjDTqqL9EVdEgSCrWX26KaMhNLrYzT3nzqq9VR
+QYqYZDAD3Z345UweqfCJBgxrim03x++bsEq9tP4Y
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/crl.pem freeswan-1.9/doc/pkix/examples/dir/crl.pem
--- freeswan-1.9.orig/doc/pkix/examples/dir/crl.pem	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/crl.pem	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,10 @@
+-----BEGIN X509 CRL-----
+MIIBWjCBxDANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmViZWwuY29tMRAw
+DgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwxJTAjBgkqhkiG
+9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20XDTAxMDIxNDE5NDUzN1oXDTAx
+MDMxNjE5NDUzN1owDQYJKoZIhvcNAQEEBQADgYEAcM3oRcSVw2rf7AQbcX0WqsEh
+YEHnMUNur13Wd2ai7b6KSKxHj+O/WWSupH3IDPL1TEKwdWLG9+MtbhKhBh8WNzQh
+7Nl/NzTgdCh0xDBoJDGG7zN7WDNQ1WGbaAkjDUJm6ty92zlpFkF4Gg2B1dl8WwYK
+LSSaMtj6/VV4CuhzFMg=
+-----END X509 CRL-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/dns-arm-devel.netwinder.org.cert.0 freeswan-1.9/doc/pkix/examples/dir/dns-arm-devel.netwinder.org.cert.0
--- freeswan-1.9.orig/doc/pkix/examples/dir/dns-arm-devel.netwinder.org.cert.0	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/dns-arm-devel.netwinder.org.cert.0	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Rebel.com, OU=SoftEng, CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+        Validity
+            Not Before: Feb 14 20:59:13 2001 GMT
+            Not After : Feb 14 20:59:13 2002 GMT
+        Subject: C=CA, ST=Ontario, O=Rebel.com, OU=SoftEng, CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a8:a9:0c:2c:21:fc:9b:02:d6:f4:98:c7:c3:dc:
+                    d1:8d:31:91:fb:72:41:ab:09:e8:52:9b:be:35:75:
+                    d8:f0:f6:b5:ba:8a:0c:d9:02:9b:5a:a9:0d:98:e6:
+                    b6:8f:97:45:eb:17:e3:10:23:c4:90:91:f4:ed:cc:
+                    ff:76:fd:95:3d:7a:a6:c4:59:b0:45:45:f6:0b:a9:
+                    c9:0c:77:6d:5e:53:d1:87:0d:59:79:50:f9:94:c1:
+                    64:8e:5e:e1:38:94:ae:7c:7f:68:5e:10:51:3d:ef:
+                    9c:9f:f4:2b:08:bc:eb:9a:b3:7d:c5:b2:2b:98:b4:
+                    ee:54:12:6c:da:a4:05:40:9d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                IPsec Certificate for arm-devel.netwinder.org
+            X509v3 Subject Key Identifier: 
+                98:76:ED:A5:41:7C:28:3C:C8:63:0F:09:F7:DE:9E:B2:00:B6:36:FE
+            X509v3 Authority Key Identifier: 
+                keyid:7A:38:75:E9:B9:94:AB:B6:00:C5:36:81:EA:A5:60:3E:FA:FE:E4:E1
+                DirName:/C=CA/ST=Ontario/L=Ottawa/O=Rebel.com/OU=SoftEng/CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:luc.lanthier@rebel.com, DNS:arm-devel.netwinder.org, IP Address:10.8.49.122
+            X509v3 Issuer Alternative Name: 
+                email:luc.lanthier@rebel.com
+    Signature Algorithm: md5WithRSAEncryption
+        bb:a9:1a:f4:e3:55:c8:f6:e7:d6:32:cb:a2:2f:6d:58:a3:5d:
+        8f:5a:0d:95:53:c7:bf:06:e7:3b:ca:99:48:99:2f:55:28:5a:
+        9e:37:ef:3b:44:73:1e:e0:61:93:43:f8:04:6b:06:1e:68:e5:
+        3e:a2:10:53:94:2f:66:76:fc:66:93:d4:5e:76:cf:2d:18:e2:
+        ff:eb:c0:77:c9:d5:4d:00:60:34:50:59:69:b9:7d:07:fb:ca:
+        8b:6e:ee:5c:d2:d9:06:2f:ee:df:d8:09:12:76:bc:b5:17:80:
+        a8:d6:a7:25:59:5c:b4:65:cb:29:b1:cd:77:29:e9:c4:03:00:
+        ea:c4
+-----BEGIN CERTIFICATE-----
+MIIEUTCCA7qgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjA1OTEzWhcNMDIwMjE0MjA1OTEzWjCBjjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEg
+MB4GA1UEAxMXYXJtLWRldmVsLm5ldHdpbmRlci5vcmcxJTAjBgkqhkiG9w0BCQEW
+Fmx1Yy5sYW50aGllckByZWJlbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKipDCwh/JsC1vSYx8Pc0Y0xkftyQasJ6FKbvjV12PD2tbqKDNkCm1qpDZjm
+to+XResX4xAjxJCR9O3M/3b9lT16psRZsEVF9gupyQx3bV5T0YcNWXlQ+ZTBZI5e
+4TiUrnx/aF4QUT3vnJ/0Kwi865qzfcWyK5i07lQSbNqkBUCdAgMBAAGjggG1MIIB
+sTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwPAYJ
+YIZIAYb4QgENBC8WLUlQc2VjIENlcnRpZmljYXRlIGZvciBhcm0tZGV2ZWwubmV0
+d2luZGVyLm9yZzAdBgNVHQ4EFgQUmHbtpUF8KDzIYw8J996esgC2Nv4wgcEGA1Ud
+IwSBuTCBtoAUejh16bmUq7YAxTaB6qVgPvr+5OGhgZqkgZcwgZQxCzAJBgNVBAYT
+AkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoT
+CVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEVMBMGA1UEAxQMQ0FfYXJtLWRl
+dmVsMSUwIwYJKoZIhvcNAQkBFhZsdWMubGFudGhpZXJAcmViZWwuY29tggEAMEAG
+A1UdEQQ5MDeBFmx1Yy5sYW50aGllckByZWJlbC5jb22CF2FybS1kZXZlbC5uZXR3
+aW5kZXIub3JnhwQKCDF6MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5j
+b20wDQYJKoZIhvcNAQEEBQADgYEAu6ka9ONVyPbn1jLLoi9tWKNdj1oNlVPHvwbn
+O8qZSJkvVShanjfvO0RzHuBhk0P4BGsGHmjlPqIQU5QvZnb8ZpPUXnbPLRji/+vA
+d8nVTQBgNFBZabl9B/vKi27uXNLZBi/u39gJEna8tReAqNanJVlctGXLKbHNdynp
+xAMA6sQ=
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/dns-arm1.netwinder.org.cert.0 freeswan-1.9/doc/pkix/examples/dir/dns-arm1.netwinder.org.cert.0
--- freeswan-1.9.orig/doc/pkix/examples/dir/dns-arm1.netwinder.org.cert.0	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/dns-arm1.netwinder.org.cert.0	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,78 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Rebel.com, OU=SoftEng, CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+        Validity
+            Not Before: Feb 14 21:00:11 2001 GMT
+            Not After : Feb 14 21:00:11 2002 GMT
+        Subject: C=CA, ST=Ontario, O=Rebel.com, OU=SoftEng, CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:e2:2b:ad:70:6b:29:e7:83:be:af:12:50:4b:a4:
+                    26:02:60:ed:f9:bd:49:51:86:96:18:9c:10:f1:0c:
+                    7d:bd:b9:22:8e:66:6a:f4:96:e5:8d:e2:c4:11:1e:
+                    64:8e:59:1e:b1:a2:64:15:fa:a6:17:9a:59:f3:9f:
+                    9f:c8:c9:17:b8:a7:87:55:70:8f:de:25:78:e6:e0:
+                    4c:82:ae:f1:47:14:77:fa:5b:3e:4d:e5:05:5e:31:
+                    09:62:56:f8:3b:94:51:b2:e3:7e:bb:8f:6e:dc:ea:
+                    64:2e:2f:65:8e:41:18:0e:cf:9d:8a:b8:0a:86:6c:
+                    6a:88:be:58:ce:be:b3:32:c1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                IPsec Certificate for arm1.netwinder.org
+            X509v3 Subject Key Identifier: 
+                82:A2:6E:58:0D:B6:98:EF:D9:A0:68:9D:D0:C0:70:59:B3:6A:32:99
+            X509v3 Authority Key Identifier: 
+                keyid:7A:38:75:E9:B9:94:AB:B6:00:C5:36:81:EA:A5:60:3E:FA:FE:E4:E1
+                DirName:/C=CA/ST=Ontario/L=Ottawa/O=Rebel.com/OU=SoftEng/CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:firesoul@netwinder.org, DNS:arm1.netwinder.org, IP Address:10.1.49.124
+            X509v3 Issuer Alternative Name: 
+                email:luc.lanthier@rebel.com
+    Signature Algorithm: md5WithRSAEncryption
+        c3:68:19:5f:60:12:18:6f:48:87:f9:97:d2:a3:0f:bc:e4:d0:
+        59:37:69:17:28:32:55:7d:5c:7a:35:ff:e1:67:05:f5:31:80:
+        27:cc:3a:37:28:47:46:ec:d9:b0:f9:69:ac:ce:6d:89:94:19:
+        16:38:64:bb:da:67:68:c5:e3:26:e3:66:98:b2:45:bf:0d:16:
+        2b:95:0c:1a:cc:65:8c:c5:f4:ba:2f:2b:5a:f4:ad:9a:71:92:
+        de:e5:77:c4:08:96:7c:c3:25:25:fe:43:b0:f3:f9:65:1f:fa:
+        6c:2d:2e:e2:1f:18:75:03:51:33:94:61:29:59:1a:9c:7c:71:
+        42:e1
+-----BEGIN CERTIFICATE-----
+MIIEQjCCA6ugAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjEwMDExWhcNMDIwMjE0MjEwMDExWjCBiTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEb
+MBkGA1UEAxMSYXJtMS5uZXR3aW5kZXIub3JnMSUwIwYJKoZIhvcNAQkBFhZmaXJl
+c291bEBuZXR3aW5kZXIub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDi
+K61waynng76vElBLpCYCYO35vUlRhpYYnBDxDH29uSKOZmr0luWN4sQRHmSOWR6x
+omQV+qYXmlnzn5/IyRe4p4dVcI/eJXjm4EyCrvFHFHf6Wz5N5QVeMQliVvg7lFGy
+4367j27c6mQuL2WOQRgOz52KuAqGbGqIvljOvrMywQIDAQABo4IBqzCCAacwCQYD
+VR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgXgMDcGCWCGSAGG
++EIBDQQqFihJUHNlYyBDZXJ0aWZpY2F0ZSBmb3IgYXJtMS5uZXR3aW5kZXIub3Jn
+MB0GA1UdDgQWBBSCom5YDbaY79mgaJ3QwHBZs2oymTCBwQYDVR0jBIG5MIG2gBR6
+OHXpuZSrtgDFNoHqpWA++v7k4aGBmqSBlzCBlDELMAkGA1UEBhMCQ0ExEDAOBgNV
+BAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmViZWwuY29t
+MRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwxJTAjBgkq
+hkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb22CAQAwOwYDVR0RBDQwMoEW
+ZmlyZXNvdWxAbmV0d2luZGVyLm9yZ4ISYXJtMS5uZXR3aW5kZXIub3JnhwQKATF8
+MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5jb20wDQYJKoZIhvcNAQEE
+BQADgYEAw2gZX2ASGG9Ih/mX0qMPvOTQWTdpFygyVX1cejX/4WcF9TGAJ8w6NyhH
+RuzZsPlprM5tiZQZFjhku9pnaMXjJuNmmLJFvw0WK5UMGsxljMX0ui8rWvStmnGS
+3uV3xAiWfMMlJf5DsPP5ZR/6bC0u4h8YdQNRM5RhKVkanHxxQuE=
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/eb7e7e69.cert.0 freeswan-1.9/doc/pkix/examples/dir/eb7e7e69.cert.0
--- freeswan-1.9.orig/doc/pkix/examples/dir/eb7e7e69.cert.0	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/eb7e7e69.cert.0	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2jCCA0OgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MTk0NTAyWhcNMDYwODA3MTk0NTAyWjCBlDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmViZWwuY29tMRAw
+DgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwxJTAjBgkqhkiG
+9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBANWu/vkaR1M1bvP2Y80Dv105n3VHmOqZcyy9fnbaXXc92nKbBMib
+bsuUdfWdjOuC34BjfNuC9DU3rP8jZNBg+qeyAie6G7Q1R3atroqYvaFFhEbU1OnZ
+vBigB39dOIjfFiHbeqNCqlxLlrMJwkBJtkLdiktuf6Rqp+nnX6ymxz1BAgMBAAGj
+ggE4MIIBNDAdBgNVHQ4EFgQUejh16bmUq7YAxTaB6qVgPvr+5OEwgcEGA1UdIwSB
+uTCBtoAUejh16bmUq7YAxTaB6qVgPvr+5OGhgZqkgZcwgZQxCzAJBgNVBAYTAkNB
+MRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoTCVJl
+YmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEVMBMGA1UEAxQMQ0FfYXJtLWRldmVs
+MSUwIwYJKoZIhvcNAQkBFhZsdWMubGFudGhpZXJAcmViZWwuY29tggEAMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAhBgNVHREE
+GjAYgRZsdWMubGFudGhpZXJAcmViZWwuY29tMA0GCSqGSIb3DQEBBAUAA4GBAHzh
+QeKz7deGehWh7KtZ1tNNu1gWxeW4fwjHUT/xkoepd0XclIIRoKH+2h6w5QG3p2Up
+9TLxWlS8SB0tR0FiVu1WD658vOZjDTqqL9EVdEgSCrWX26KaMhNLrYzT3nzqq9VR
+QYqYZDAD3Z345UweqfCJBgxrim03x++bsEq9tP4Y
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/eb7e7e69.crl.0 freeswan-1.9/doc/pkix/examples/dir/eb7e7e69.crl.0
--- freeswan-1.9.orig/doc/pkix/examples/dir/eb7e7e69.crl.0	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/eb7e7e69.crl.0	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,10 @@
+-----BEGIN X509 CRL-----
+MIIBWjCBxDANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmViZWwuY29tMRAw
+DgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwxJTAjBgkqhkiG
+9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20XDTAxMDIxNDE5NDUzN1oXDTAx
+MDMxNjE5NDUzN1owDQYJKoZIhvcNAQEEBQADgYEAcM3oRcSVw2rf7AQbcX0WqsEh
+YEHnMUNur13Wd2ai7b6KSKxHj+O/WWSupH3IDPL1TEKwdWLG9+MtbhKhBh8WNzQh
+7Nl/NzTgdCh0xDBoJDGG7zN7WDNQ1WGbaAkjDUJm6ty92zlpFkF4Gg2B1dl8WwYK
+LSSaMtj6/VV4CuhzFMg=
+-----END X509 CRL-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/ip-10.1.49.124.cert.0 freeswan-1.9/doc/pkix/examples/dir/ip-10.1.49.124.cert.0
--- freeswan-1.9.orig/doc/pkix/examples/dir/ip-10.1.49.124.cert.0	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/ip-10.1.49.124.cert.0	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,78 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Rebel.com, OU=SoftEng, CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+        Validity
+            Not Before: Feb 14 21:00:11 2001 GMT
+            Not After : Feb 14 21:00:11 2002 GMT
+        Subject: C=CA, ST=Ontario, O=Rebel.com, OU=SoftEng, CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:e2:2b:ad:70:6b:29:e7:83:be:af:12:50:4b:a4:
+                    26:02:60:ed:f9:bd:49:51:86:96:18:9c:10:f1:0c:
+                    7d:bd:b9:22:8e:66:6a:f4:96:e5:8d:e2:c4:11:1e:
+                    64:8e:59:1e:b1:a2:64:15:fa:a6:17:9a:59:f3:9f:
+                    9f:c8:c9:17:b8:a7:87:55:70:8f:de:25:78:e6:e0:
+                    4c:82:ae:f1:47:14:77:fa:5b:3e:4d:e5:05:5e:31:
+                    09:62:56:f8:3b:94:51:b2:e3:7e:bb:8f:6e:dc:ea:
+                    64:2e:2f:65:8e:41:18:0e:cf:9d:8a:b8:0a:86:6c:
+                    6a:88:be:58:ce:be:b3:32:c1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                IPsec Certificate for arm1.netwinder.org
+            X509v3 Subject Key Identifier: 
+                82:A2:6E:58:0D:B6:98:EF:D9:A0:68:9D:D0:C0:70:59:B3:6A:32:99
+            X509v3 Authority Key Identifier: 
+                keyid:7A:38:75:E9:B9:94:AB:B6:00:C5:36:81:EA:A5:60:3E:FA:FE:E4:E1
+                DirName:/C=CA/ST=Ontario/L=Ottawa/O=Rebel.com/OU=SoftEng/CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:firesoul@netwinder.org, DNS:arm1.netwinder.org, IP Address:10.1.49.124
+            X509v3 Issuer Alternative Name: 
+                email:luc.lanthier@rebel.com
+    Signature Algorithm: md5WithRSAEncryption
+        c3:68:19:5f:60:12:18:6f:48:87:f9:97:d2:a3:0f:bc:e4:d0:
+        59:37:69:17:28:32:55:7d:5c:7a:35:ff:e1:67:05:f5:31:80:
+        27:cc:3a:37:28:47:46:ec:d9:b0:f9:69:ac:ce:6d:89:94:19:
+        16:38:64:bb:da:67:68:c5:e3:26:e3:66:98:b2:45:bf:0d:16:
+        2b:95:0c:1a:cc:65:8c:c5:f4:ba:2f:2b:5a:f4:ad:9a:71:92:
+        de:e5:77:c4:08:96:7c:c3:25:25:fe:43:b0:f3:f9:65:1f:fa:
+        6c:2d:2e:e2:1f:18:75:03:51:33:94:61:29:59:1a:9c:7c:71:
+        42:e1
+-----BEGIN CERTIFICATE-----
+MIIEQjCCA6ugAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjEwMDExWhcNMDIwMjE0MjEwMDExWjCBiTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEb
+MBkGA1UEAxMSYXJtMS5uZXR3aW5kZXIub3JnMSUwIwYJKoZIhvcNAQkBFhZmaXJl
+c291bEBuZXR3aW5kZXIub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDi
+K61waynng76vElBLpCYCYO35vUlRhpYYnBDxDH29uSKOZmr0luWN4sQRHmSOWR6x
+omQV+qYXmlnzn5/IyRe4p4dVcI/eJXjm4EyCrvFHFHf6Wz5N5QVeMQliVvg7lFGy
+4367j27c6mQuL2WOQRgOz52KuAqGbGqIvljOvrMywQIDAQABo4IBqzCCAacwCQYD
+VR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgXgMDcGCWCGSAGG
++EIBDQQqFihJUHNlYyBDZXJ0aWZpY2F0ZSBmb3IgYXJtMS5uZXR3aW5kZXIub3Jn
+MB0GA1UdDgQWBBSCom5YDbaY79mgaJ3QwHBZs2oymTCBwQYDVR0jBIG5MIG2gBR6
+OHXpuZSrtgDFNoHqpWA++v7k4aGBmqSBlzCBlDELMAkGA1UEBhMCQ0ExEDAOBgNV
+BAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmViZWwuY29t
+MRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwxJTAjBgkq
+hkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb22CAQAwOwYDVR0RBDQwMoEW
+ZmlyZXNvdWxAbmV0d2luZGVyLm9yZ4ISYXJtMS5uZXR3aW5kZXIub3JnhwQKATF8
+MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5jb20wDQYJKoZIhvcNAQEE
+BQADgYEAw2gZX2ASGG9Ih/mX0qMPvOTQWTdpFygyVX1cejX/4WcF9TGAJ8w6NyhH
+RuzZsPlprM5tiZQZFjhku9pnaMXjJuNmmLJFvw0WK5UMGsxljMX0ui8rWvStmnGS
+3uV3xAiWfMMlJf5DsPP5ZR/6bC0u4h8YdQNRM5RhKVkanHxxQuE=
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir/ip-10.8.49.122.cert.0 freeswan-1.9/doc/pkix/examples/dir/ip-10.8.49.122.cert.0
--- freeswan-1.9.orig/doc/pkix/examples/dir/ip-10.8.49.122.cert.0	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir/ip-10.8.49.122.cert.0	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Rebel.com, OU=SoftEng, CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+        Validity
+            Not Before: Feb 14 20:59:13 2001 GMT
+            Not After : Feb 14 20:59:13 2002 GMT
+        Subject: C=CA, ST=Ontario, O=Rebel.com, OU=SoftEng, CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a8:a9:0c:2c:21:fc:9b:02:d6:f4:98:c7:c3:dc:
+                    d1:8d:31:91:fb:72:41:ab:09:e8:52:9b:be:35:75:
+                    d8:f0:f6:b5:ba:8a:0c:d9:02:9b:5a:a9:0d:98:e6:
+                    b6:8f:97:45:eb:17:e3:10:23:c4:90:91:f4:ed:cc:
+                    ff:76:fd:95:3d:7a:a6:c4:59:b0:45:45:f6:0b:a9:
+                    c9:0c:77:6d:5e:53:d1:87:0d:59:79:50:f9:94:c1:
+                    64:8e:5e:e1:38:94:ae:7c:7f:68:5e:10:51:3d:ef:
+                    9c:9f:f4:2b:08:bc:eb:9a:b3:7d:c5:b2:2b:98:b4:
+                    ee:54:12:6c:da:a4:05:40:9d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                IPsec Certificate for arm-devel.netwinder.org
+            X509v3 Subject Key Identifier: 
+                98:76:ED:A5:41:7C:28:3C:C8:63:0F:09:F7:DE:9E:B2:00:B6:36:FE
+            X509v3 Authority Key Identifier: 
+                keyid:7A:38:75:E9:B9:94:AB:B6:00:C5:36:81:EA:A5:60:3E:FA:FE:E4:E1
+                DirName:/C=CA/ST=Ontario/L=Ottawa/O=Rebel.com/OU=SoftEng/CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:luc.lanthier@rebel.com, DNS:arm-devel.netwinder.org, IP Address:10.8.49.122
+            X509v3 Issuer Alternative Name: 
+                email:luc.lanthier@rebel.com
+    Signature Algorithm: md5WithRSAEncryption
+        bb:a9:1a:f4:e3:55:c8:f6:e7:d6:32:cb:a2:2f:6d:58:a3:5d:
+        8f:5a:0d:95:53:c7:bf:06:e7:3b:ca:99:48:99:2f:55:28:5a:
+        9e:37:ef:3b:44:73:1e:e0:61:93:43:f8:04:6b:06:1e:68:e5:
+        3e:a2:10:53:94:2f:66:76:fc:66:93:d4:5e:76:cf:2d:18:e2:
+        ff:eb:c0:77:c9:d5:4d:00:60:34:50:59:69:b9:7d:07:fb:ca:
+        8b:6e:ee:5c:d2:d9:06:2f:ee:df:d8:09:12:76:bc:b5:17:80:
+        a8:d6:a7:25:59:5c:b4:65:cb:29:b1:cd:77:29:e9:c4:03:00:
+        ea:c4
+-----BEGIN CERTIFICATE-----
+MIIEUTCCA7qgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjA1OTEzWhcNMDIwMjE0MjA1OTEzWjCBjjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEg
+MB4GA1UEAxMXYXJtLWRldmVsLm5ldHdpbmRlci5vcmcxJTAjBgkqhkiG9w0BCQEW
+Fmx1Yy5sYW50aGllckByZWJlbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKipDCwh/JsC1vSYx8Pc0Y0xkftyQasJ6FKbvjV12PD2tbqKDNkCm1qpDZjm
+to+XResX4xAjxJCR9O3M/3b9lT16psRZsEVF9gupyQx3bV5T0YcNWXlQ+ZTBZI5e
+4TiUrnx/aF4QUT3vnJ/0Kwi865qzfcWyK5i07lQSbNqkBUCdAgMBAAGjggG1MIIB
+sTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwPAYJ
+YIZIAYb4QgENBC8WLUlQc2VjIENlcnRpZmljYXRlIGZvciBhcm0tZGV2ZWwubmV0
+d2luZGVyLm9yZzAdBgNVHQ4EFgQUmHbtpUF8KDzIYw8J996esgC2Nv4wgcEGA1Ud
+IwSBuTCBtoAUejh16bmUq7YAxTaB6qVgPvr+5OGhgZqkgZcwgZQxCzAJBgNVBAYT
+AkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoT
+CVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEVMBMGA1UEAxQMQ0FfYXJtLWRl
+dmVsMSUwIwYJKoZIhvcNAQkBFhZsdWMubGFudGhpZXJAcmViZWwuY29tggEAMEAG
+A1UdEQQ5MDeBFmx1Yy5sYW50aGllckByZWJlbC5jb22CF2FybS1kZXZlbC5uZXR3
+aW5kZXIub3JnhwQKCDF6MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5j
+b20wDQYJKoZIhvcNAQEEBQADgYEAu6ka9ONVyPbn1jLLoi9tWKNdj1oNlVPHvwbn
+O8qZSJkvVShanjfvO0RzHuBhk0P4BGsGHmjlPqIQU5QvZnb8ZpPUXnbPLRji/+vA
+d8nVTQBgNFBZabl9B/vKi27uXNLZBi/u39gJEna8tReAqNanJVlctGXLKbHNdynp
+xAMA6sQ=
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir-pk-rw.conf freeswan-1.9/doc/pkix/examples/dir-pk-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/dir-pk-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir-pk-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=dir:/etc/ipsec/dir
+	certopts=send,strict,pk
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir-pk.conf freeswan-1.9/doc/pkix/examples/dir-pk.conf
--- freeswan-1.9.orig/doc/pkix/examples/dir-pk.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir-pk.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=dir:/etc/ipsec/dir
+	certopts=send,strict,pk
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir-rpk-rw.conf freeswan-1.9/doc/pkix/examples/dir-rpk-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/dir-rpk-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir-rpk-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=dir:/etc/ipsec/dir
+	certopts=send,strict,pk,rev
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir-rpk.conf freeswan-1.9/doc/pkix/examples/dir-rpk.conf
--- freeswan-1.9.orig/doc/pkix/examples/dir-rpk.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir-rpk.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=dir:/etc/ipsec/dir
+	certopts=send,strict,pk,rev
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir-rsasig-rw.conf freeswan-1.9/doc/pkix/examples/dir-rsasig-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/dir-rsasig-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir-rsasig-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=dir:/etc/ipsec/dir
+	certopts=send
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/dir-rsasig.conf freeswan-1.9/doc/pkix/examples/dir-rsasig.conf
--- freeswan-1.9.orig/doc/pkix/examples/dir-rsasig.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/dir-rsasig.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=dir:/etc/ipsec/dir
+	certopts=send
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ff-pk-rw.conf freeswan-1.9/doc/pkix/examples/ff-pk-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/ff-pk-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ff-pk-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=file:/etc/ipsec/flatfile.txt
+	certopts=send,strict,pk
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ff-pk.conf freeswan-1.9/doc/pkix/examples/ff-pk.conf
--- freeswan-1.9.orig/doc/pkix/examples/ff-pk.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ff-pk.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=file:/etc/ipsec/flatfile.txt
+	certopts=send,strict,pk
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ff-rpk-rw.conf freeswan-1.9/doc/pkix/examples/ff-rpk-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/ff-rpk-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ff-rpk-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=file:/etc/ipsec/flatfile.txt
+	certopts=send,strict,pk,rev
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ff-rpk.conf freeswan-1.9/doc/pkix/examples/ff-rpk.conf
--- freeswan-1.9.orig/doc/pkix/examples/ff-rpk.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ff-rpk.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=file:/etc/ipsec/flatfile.txt
+	certopts=send,strict,pk,rev
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ff-rsasig-rw.conf freeswan-1.9/doc/pkix/examples/ff-rsasig-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/ff-rsasig-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ff-rsasig-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=file:/etc/ipsec/flatfile.txt
+	certopts=send
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ff-rsasig.conf freeswan-1.9/doc/pkix/examples/ff-rsasig.conf
--- freeswan-1.9.orig/doc/pkix/examples/ff-rsasig.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ff-rsasig.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=file:/etc/ipsec/flatfile.txt
+	certopts=send
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/flatfile.txt freeswan-1.9/doc/pkix/examples/flatfile.txt
--- freeswan-1.9.orig/doc/pkix/examples/flatfile.txt	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/flatfile.txt	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,92 @@
+ip: 10.8.49.122
+dns: arm-devel.netwinder.org
+-----BEGIN CERTIFICATE-----
+MIIEUTCCA7qgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjA1OTEzWhcNMDIwMjE0MjA1OTEzWjCBjjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEg
+MB4GA1UEAxMXYXJtLWRldmVsLm5ldHdpbmRlci5vcmcxJTAjBgkqhkiG9w0BCQEW
+Fmx1Yy5sYW50aGllckByZWJlbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKipDCwh/JsC1vSYx8Pc0Y0xkftyQasJ6FKbvjV12PD2tbqKDNkCm1qpDZjm
+to+XResX4xAjxJCR9O3M/3b9lT16psRZsEVF9gupyQx3bV5T0YcNWXlQ+ZTBZI5e
+4TiUrnx/aF4QUT3vnJ/0Kwi865qzfcWyK5i07lQSbNqkBUCdAgMBAAGjggG1MIIB
+sTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwPAYJ
+YIZIAYb4QgENBC8WLUlQc2VjIENlcnRpZmljYXRlIGZvciBhcm0tZGV2ZWwubmV0
+d2luZGVyLm9yZzAdBgNVHQ4EFgQUmHbtpUF8KDzIYw8J996esgC2Nv4wgcEGA1Ud
+IwSBuTCBtoAUejh16bmUq7YAxTaB6qVgPvr+5OGhgZqkgZcwgZQxCzAJBgNVBAYT
+AkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoT
+CVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEVMBMGA1UEAxQMQ0FfYXJtLWRl
+dmVsMSUwIwYJKoZIhvcNAQkBFhZsdWMubGFudGhpZXJAcmViZWwuY29tggEAMEAG
+A1UdEQQ5MDeBFmx1Yy5sYW50aGllckByZWJlbC5jb22CF2FybS1kZXZlbC5uZXR3
+aW5kZXIub3JnhwQKCDF6MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5j
+b20wDQYJKoZIhvcNAQEEBQADgYEAu6ka9ONVyPbn1jLLoi9tWKNdj1oNlVPHvwbn
+O8qZSJkvVShanjfvO0RzHuBhk0P4BGsGHmjlPqIQU5QvZnb8ZpPUXnbPLRji/+vA
+d8nVTQBgNFBZabl9B/vKi27uXNLZBi/u39gJEna8tReAqNanJVlctGXLKbHNdynp
+xAMA6sQ=
+-----END CERTIFICATE-----
+
+ip: 10.1.49.124
+dns: arm1.netwinder.org
+-----BEGIN CERTIFICATE-----
+MIIEQjCCA6ugAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjEwMDExWhcNMDIwMjE0MjEwMDExWjCBiTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEb
+MBkGA1UEAxMSYXJtMS5uZXR3aW5kZXIub3JnMSUwIwYJKoZIhvcNAQkBFhZmaXJl
+c291bEBuZXR3aW5kZXIub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDi
+K61waynng76vElBLpCYCYO35vUlRhpYYnBDxDH29uSKOZmr0luWN4sQRHmSOWR6x
+omQV+qYXmlnzn5/IyRe4p4dVcI/eJXjm4EyCrvFHFHf6Wz5N5QVeMQliVvg7lFGy
+4367j27c6mQuL2WOQRgOz52KuAqGbGqIvljOvrMywQIDAQABo4IBqzCCAacwCQYD
+VR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgXgMDcGCWCGSAGG
++EIBDQQqFihJUHNlYyBDZXJ0aWZpY2F0ZSBmb3IgYXJtMS5uZXR3aW5kZXIub3Jn
+MB0GA1UdDgQWBBSCom5YDbaY79mgaJ3QwHBZs2oymTCBwQYDVR0jBIG5MIG2gBR6
+OHXpuZSrtgDFNoHqpWA++v7k4aGBmqSBlzCBlDELMAkGA1UEBhMCQ0ExEDAOBgNV
+BAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmViZWwuY29t
+MRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwxJTAjBgkq
+hkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb22CAQAwOwYDVR0RBDQwMoEW
+ZmlyZXNvdWxAbmV0d2luZGVyLm9yZ4ISYXJtMS5uZXR3aW5kZXIub3JnhwQKATF8
+MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5jb20wDQYJKoZIhvcNAQEE
+BQADgYEAw2gZX2ASGG9Ih/mX0qMPvOTQWTdpFygyVX1cejX/4WcF9TGAJ8w6NyhH
+RuzZsPlprM5tiZQZFjhku9pnaMXjJuNmmLJFvw0WK5UMGsxljMX0ui8rWvStmnGS
+3uV3xAiWfMMlJf5DsPP5ZR/6bC0u4h8YdQNRM5RhKVkanHxxQuE=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIID2jCCA0OgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MTk0NTAyWhcNMDYwODA3MTk0NTAyWjCBlDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmViZWwuY29tMRAw
+DgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwxJTAjBgkqhkiG
+9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBANWu/vkaR1M1bvP2Y80Dv105n3VHmOqZcyy9fnbaXXc92nKbBMib
+bsuUdfWdjOuC34BjfNuC9DU3rP8jZNBg+qeyAie6G7Q1R3atroqYvaFFhEbU1OnZ
+vBigB39dOIjfFiHbeqNCqlxLlrMJwkBJtkLdiktuf6Rqp+nnX6ymxz1BAgMBAAGj
+ggE4MIIBNDAdBgNVHQ4EFgQUejh16bmUq7YAxTaB6qVgPvr+5OEwgcEGA1UdIwSB
+uTCBtoAUejh16bmUq7YAxTaB6qVgPvr+5OGhgZqkgZcwgZQxCzAJBgNVBAYTAkNB
+MRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoTCVJl
+YmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEVMBMGA1UEAxQMQ0FfYXJtLWRldmVs
+MSUwIwYJKoZIhvcNAQkBFhZsdWMubGFudGhpZXJAcmViZWwuY29tggEAMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAhBgNVHREE
+GjAYgRZsdWMubGFudGhpZXJAcmViZWwuY29tMA0GCSqGSIb3DQEBBAUAA4GBAHzh
+QeKz7deGehWh7KtZ1tNNu1gWxeW4fwjHUT/xkoepd0XclIIRoKH+2h6w5QG3p2Up
+9TLxWlS8SB0tR0FiVu1WD658vOZjDTqqL9EVdEgSCrWX26KaMhNLrYzT3nzqq9VR
+QYqYZDAD3Z345UweqfCJBgxrim03x++bsEq9tP4Y
+-----END CERTIFICATE-----
+
+-----BEGIN X509 CRL-----
+MIIBWjCBxDANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmViZWwuY29tMRAw
+DgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwxJTAjBgkqhkiG
+9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20XDTAxMDIxNDE5NDUzN1oXDTAx
+MDMxNjE5NDUzN1owDQYJKoZIhvcNAQEEBQADgYEAcM3oRcSVw2rf7AQbcX0WqsEh
+YEHnMUNur13Wd2ai7b6KSKxHj+O/WWSupH3IDPL1TEKwdWLG9+MtbhKhBh8WNzQh
+7Nl/NzTgdCh0xDBoJDGG7zN7WDNQ1WGbaAkjDUJm6ty92zlpFkF4Gg2B1dl8WwYK
+LSSaMtj6/VV4CuhzFMg=
+-----END X509 CRL-----
+
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ipsec.conf freeswan-1.9/doc/pkix/examples/ipsec.conf
--- freeswan-1.9.orig/doc/pkix/examples/ipsec.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ipsec.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,60 @@
+# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
+
+# More elaborate and more varied sample configurations can be found
+# in doc/examples.
+
+# basic configuration
+config setup
+	# THIS SETTING MUST BE CORRECT or almost nothing will work;
+	# %defaultroute is okay for most simple cases.
+	interfaces=%defaultroute
+	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
+	klipsdebug=none
+	#plutodebug=all
+	#plutodebug=crypt
+	plutodebug=none
+	# Use auto= parameters in conn descriptions to control startup actions.
+	plutoload=%search
+	plutostart=%search
+
+# defaults for subsequent connection descriptions
+conn %default
+	# How persistent to be in (re)keying negotiations (0 means very).
+	keyingtries=3
+	# Authentication by RSA signature keys
+	authby=rsasig
+
+#Standard connection types.
+#include /etc/ipsec/psk.conf
+#include /etc/ipsec/rsasig.conf
+#include /etc/ipsec/rsasig-rw.conf
+#
+# PKIX ########
+# LDAP lookups
+#include /etc/ipsec/ldap-rsasig.conf
+#include /etc/ipsec/ldap-rsasig-rw.conf
+#include /etc/ipsec/ldap-pk.conf
+include /etc/ipsec/ldap-pk-rw.conf
+#include /etc/ipsec/ldap-rpk.conf
+#include /etc/ipsec/ldap-rpk-rw.conf
+# dir lookups
+#include /etc/ipsec/dir-rsasig.conf
+#include /etc/ipsec/dir-rsasig-rw.conf
+#include /etc/ipsec/dir-pk.conf
+#include /etc/ipsec/dir-pk-rw.conf
+#include /etc/ipsec/dir-rpk.conf
+#include /etc/ipsec/dir-rpk-rw.conf
+# db lookups
+#include /etc/ipsec/db-rsasig.conf
+#include /etc/ipsec/db-rsasig-rw.conf
+#include /etc/ipsec/db-pk.conf
+#include /etc/ipsec/db-pk-rw.conf
+#include /etc/ipsec/db-rpk.conf
+#include /etc/ipsec/db-rpk-rw.conf
+# flatfile lookups
+#include /etc/ipsec/ff-rsasig.conf
+#include /etc/ipsec/ff-rsasig-rw.conf
+#include /etc/ipsec/ff-pk.conf
+#include /etc/ipsec/ff-pk-rw.conf
+#include /etc/ipsec/ff-rpk.conf
+#include /etc/ipsec/ff-rpk-rw.conf
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ldap-pk-rw.conf freeswan-1.9/doc/pkix/examples/ldap-pk-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/ldap-pk-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ldap-pk-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=ldap:/etc/ipsec/ldap.cnf:ldapdevel
+	certopts=send,strict,pk
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ldap-pk.conf freeswan-1.9/doc/pkix/examples/ldap-pk.conf
--- freeswan-1.9.orig/doc/pkix/examples/ldap-pk.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ldap-pk.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=ldap:/etc/ipsec/ldap.cnf:ldapdevel
+	certopts=send,strict,pk
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ldap-rpk-rw.conf freeswan-1.9/doc/pkix/examples/ldap-rpk-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/ldap-rpk-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ldap-rpk-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=ldap:/etc/ipsec/ldap.cnf:ldapdevel
+	certopts=send,strict,pk,rev
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ldap-rpk.conf freeswan-1.9/doc/pkix/examples/ldap-rpk.conf
--- freeswan-1.9.orig/doc/pkix/examples/ldap-rpk.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ldap-rpk.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=ldap:/etc/ipsec/ldap.cnf:ldapdevel
+	certopts=send,strict,pk,rev
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ldap-rsasig-rw.conf freeswan-1.9/doc/pkix/examples/ldap-rsasig-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/ldap-rsasig-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ldap-rsasig-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,16 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=ldap:/etc/ipsec/ldap.cnf:ldapdevel
+	certopts=send
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ldap-rsasig.conf freeswan-1.9/doc/pkix/examples/ldap-rsasig.conf
--- freeswan-1.9.orig/doc/pkix/examples/ldap-rsasig.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ldap-rsasig.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,17 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=cert
+	auto=add
+	certfile=/etc/ipsec/pubcert.pem
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=ldap:/etc/ipsec/ldap.cnf:ldapdevel
+	certopts=send
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+	rightid=@~30818E310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E673120301E0603550403131761726D2D646576656C2E6E657477696E6465722E6F72673125302306092A864886F70D01090116166C75632E6C616E746869657240726562656C2E636F6D
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+	leftid=@~308189310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D3110300E060355040B1307536F6674456E67311B30190603550403131261726D312E6E657477696E6465722E6F72673125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
diff -bruN freeswan-1.9.orig/doc/pkix/examples/ldap.cnf freeswan-1.9/doc/pkix/examples/ldap.cnf
--- freeswan-1.9.orig/doc/pkix/examples/ldap.cnf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/ldap.cnf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,20 @@
+ldapdevel_host_name = 10.8.49.122
+ldapdevel_base = dc=netwinder,dc=org
+ldapdevel_filter:uid = (uid=%s)
+
+ldapdevel_attributes:*:crl = certificaterevocationlist, certificaterevocationlist;binary
+ldapdevel_filter:*:crl = (&(objectclass=certificationAuthority)(cn=CA))
+
+ldapdevel_filter:ca = (objectclass=certificationauthority)
+
+ldapdevel_filter:dns = (&(objectclass=hostRecord)(dNSRecord=%s))
+ldapdevel_attributes:dns = servercertificate, servercertificate;binary
+
+ldapdevel_filter:ip = (&(objectclass=hostRecord)(ipv4Address=%s))
+ldapdevel_attributes:ip = servercertificate, servercertificate;binary
+
+ldapdevel_filter:subject = (&(objectclass=hostRecord)(subject=%s))
+ldapdevel_attributes:subject = servercertificate, servercertificate;binary
+
+ldapdevel_filter:issuer = (&(objectclass=hostRecord)(issuer=%s))
+ldapdevel_attributes:issuer = servercertificate, servercertificate;binary
diff -bruN freeswan-1.9.orig/doc/pkix/examples/privkey.pem freeswan-1.9/doc/pkix/examples/privkey.pem
--- freeswan-1.9.orig/doc/pkix/examples/privkey.pem	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/privkey.pem	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQCoqQwsIfybAtb0mMfD3NGNMZH7ckGrCehSm741ddjw9rW6igzZ
+AptaqQ2Y5raPl0XrF+MQI8SQkfTtzP92/ZU9eqbEWbBFRfYLqckMd21eU9GHDVl5
+UPmUwWSOXuE4lK58f2heEFE975yf9CsIvOuas33FsiuYtO5UEmzapAVAnQIDAQAB
+AoGAXUzWvPs4IBAcFUcHCyR2j6LiXLTB+voKGNirCivdDL+NnFmN7eZxRl/Kc9D9
+IMXQGdMm+uCudkMnuPz0PUDeczQST46jiTlG5vkQdj3zpmz/x73t5I4E8vFSX6A4
+gKREFeGxSCEm0THNusBKk1Q+huHUDKw4mFh85MTopy32McECQQDVWcc3BMlDICG2
+6bFc3+1ieeVIKoD2GnJR7b/GU57umLFyDmSFwOkTTt7VWp3jV/81Oy+xBe3cC8Fm
+mFC/e45VAkEAymA9ke8XFduafs2Q+nsbfx4QI+f8lAd51pBR4A4J+W50JLO1/WqC
+PwOXwVPRCPyzHiY9B8L9KPrFKSwVedihKQJBAKnGCl/+wAVZcVqztf649pbRdyGp
+KPwt6WDGtz+j1Sn6eeHQEC/bZd2Geo3+0PtTT/NVCMtuc2wSMrFobYEiWg0CQQCl
+lf9qw5049jlAHYTNXiNObFO6fVuN51wKcoV7dSE2JOkFCsISuq4dTxxBRApadyE7
+vv/atPGdMSpXGMntq5GZAkEA1PJ0w4WSC3sW3guq4WzDLWqmbK2pOvC40ATZR67y
+lYC1okanKDsRam0remPY7xWZ8WACJx5KOIvYgXhX+dNXPg==
+-----END RSA PRIVATE KEY-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/psk.conf freeswan-1.9/doc/pkix/examples/psk.conf
--- freeswan-1.9.orig/doc/pkix/examples/psk.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/psk.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,9 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	authby=psk
+	auto=add
diff -bruN freeswan-1.9.orig/doc/pkix/examples/pubcert.pem freeswan-1.9/doc/pkix/examples/pubcert.pem
--- freeswan-1.9.orig/doc/pkix/examples/pubcert.pem	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/pubcert.pem	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Rebel.com, OU=SoftEng, CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+        Validity
+            Not Before: Feb 14 20:59:13 2001 GMT
+            Not After : Feb 14 20:59:13 2002 GMT
+        Subject: C=CA, ST=Ontario, O=Rebel.com, OU=SoftEng, CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a8:a9:0c:2c:21:fc:9b:02:d6:f4:98:c7:c3:dc:
+                    d1:8d:31:91:fb:72:41:ab:09:e8:52:9b:be:35:75:
+                    d8:f0:f6:b5:ba:8a:0c:d9:02:9b:5a:a9:0d:98:e6:
+                    b6:8f:97:45:eb:17:e3:10:23:c4:90:91:f4:ed:cc:
+                    ff:76:fd:95:3d:7a:a6:c4:59:b0:45:45:f6:0b:a9:
+                    c9:0c:77:6d:5e:53:d1:87:0d:59:79:50:f9:94:c1:
+                    64:8e:5e:e1:38:94:ae:7c:7f:68:5e:10:51:3d:ef:
+                    9c:9f:f4:2b:08:bc:eb:9a:b3:7d:c5:b2:2b:98:b4:
+                    ee:54:12:6c:da:a4:05:40:9d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                IPsec Certificate for arm-devel.netwinder.org
+            X509v3 Subject Key Identifier: 
+                98:76:ED:A5:41:7C:28:3C:C8:63:0F:09:F7:DE:9E:B2:00:B6:36:FE
+            X509v3 Authority Key Identifier: 
+                keyid:7A:38:75:E9:B9:94:AB:B6:00:C5:36:81:EA:A5:60:3E:FA:FE:E4:E1
+                DirName:/C=CA/ST=Ontario/L=Ottawa/O=Rebel.com/OU=SoftEng/CN=CA_arm-devel/Email=luc.lanthier@rebel.com
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:luc.lanthier@rebel.com, DNS:arm-devel.netwinder.org, IP Address:10.8.49.122
+            X509v3 Issuer Alternative Name: 
+                email:luc.lanthier@rebel.com
+    Signature Algorithm: md5WithRSAEncryption
+        bb:a9:1a:f4:e3:55:c8:f6:e7:d6:32:cb:a2:2f:6d:58:a3:5d:
+        8f:5a:0d:95:53:c7:bf:06:e7:3b:ca:99:48:99:2f:55:28:5a:
+        9e:37:ef:3b:44:73:1e:e0:61:93:43:f8:04:6b:06:1e:68:e5:
+        3e:a2:10:53:94:2f:66:76:fc:66:93:d4:5e:76:cf:2d:18:e2:
+        ff:eb:c0:77:c9:d5:4d:00:60:34:50:59:69:b9:7d:07:fb:ca:
+        8b:6e:ee:5c:d2:d9:06:2f:ee:df:d8:09:12:76:bc:b5:17:80:
+        a8:d6:a7:25:59:5c:b4:65:cb:29:b1:cd:77:29:e9:c4:03:00:
+        ea:c4
+-----BEGIN CERTIFICATE-----
+MIIEUTCCA7qgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCQ0Ex
+EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTESMBAGA1UEChMJUmVi
+ZWwuY29tMRAwDgYDVQQLEwdTb2Z0RW5nMRUwEwYDVQQDFAxDQV9hcm0tZGV2ZWwx
+JTAjBgkqhkiG9w0BCQEWFmx1Yy5sYW50aGllckByZWJlbC5jb20wHhcNMDEwMjE0
+MjA1OTEzWhcNMDIwMjE0MjA1OTEzWjCBjjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgT
+B09udGFyaW8xEjAQBgNVBAoTCVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEg
+MB4GA1UEAxMXYXJtLWRldmVsLm5ldHdpbmRlci5vcmcxJTAjBgkqhkiG9w0BCQEW
+Fmx1Yy5sYW50aGllckByZWJlbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAKipDCwh/JsC1vSYx8Pc0Y0xkftyQasJ6FKbvjV12PD2tbqKDNkCm1qpDZjm
+to+XResX4xAjxJCR9O3M/3b9lT16psRZsEVF9gupyQx3bV5T0YcNWXlQ+ZTBZI5e
+4TiUrnx/aF4QUT3vnJ/0Kwi865qzfcWyK5i07lQSbNqkBUCdAgMBAAGjggG1MIIB
+sTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwPAYJ
+YIZIAYb4QgENBC8WLUlQc2VjIENlcnRpZmljYXRlIGZvciBhcm0tZGV2ZWwubmV0
+d2luZGVyLm9yZzAdBgNVHQ4EFgQUmHbtpUF8KDzIYw8J996esgC2Nv4wgcEGA1Ud
+IwSBuTCBtoAUejh16bmUq7YAxTaB6qVgPvr+5OGhgZqkgZcwgZQxCzAJBgNVBAYT
+AkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoT
+CVJlYmVsLmNvbTEQMA4GA1UECxMHU29mdEVuZzEVMBMGA1UEAxQMQ0FfYXJtLWRl
+dmVsMSUwIwYJKoZIhvcNAQkBFhZsdWMubGFudGhpZXJAcmViZWwuY29tggEAMEAG
+A1UdEQQ5MDeBFmx1Yy5sYW50aGllckByZWJlbC5jb22CF2FybS1kZXZlbC5uZXR3
+aW5kZXIub3JnhwQKCDF6MCEGA1UdEgQaMBiBFmx1Yy5sYW50aGllckByZWJlbC5j
+b20wDQYJKoZIhvcNAQEEBQADgYEAu6ka9ONVyPbn1jLLoi9tWKNdj1oNlVPHvwbn
+O8qZSJkvVShanjfvO0RzHuBhk0P4BGsGHmjlPqIQU5QvZnb8ZpPUXnbPLRji/+vA
+d8nVTQBgNFBZabl9B/vKi27uXNLZBi/u39gJEna8tReAqNanJVlctGXLKbHNdynp
+xAMA6sQ=
+-----END CERTIFICATE-----
diff -bruN freeswan-1.9.orig/doc/pkix/examples/rsasig-rw.conf freeswan-1.9/doc/pkix/examples/rsasig-rw.conf
--- freeswan-1.9.orig/doc/pkix/examples/rsasig-rw.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/rsasig-rw.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,12 @@
+conn test
+	left=0.0.0.0
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	leftrsasigkey=0x010383adc0c40d031b8b51445074a015b6f6575221df37a23c597acafa7b588eccaeac2a705ca95c7062b7808849728a9083daf7e8f73335ecfdbfe18dda96b4c6b9c47cc695d1d9c20a92ce652cb0cd8b71af87cfb84d4ef5e02f13ef2233da2c98e5147b9092a5ef9f2789defb0b45d47570c1662bf8f159ae8e82107850184055
+	leftid="@arm1.netwinder.org"
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	rightrsasigkey=0x0103e39df4e5d9cdfb1bd781cc516b99053af9d39f97230e663ecdf77cb14764fcd7aadb274b2da2eaa6c8b7f3764e1b87a5ae5d9f7cafdad01dd95518da017794fcf7c86f435f7b7ce45429414d9c099ebb91d8a3f54514be78f9b801b02608e8299a5d19a3a4fa5510d0d318b692c649dc3b37287153852a9ac81891d140a38a0d
+	rightid="@arm-devel.netwinder.org"
+	authby=rsasig
+	auto=add
diff -bruN freeswan-1.9.orig/doc/pkix/examples/rsasig.conf freeswan-1.9/doc/pkix/examples/rsasig.conf
--- freeswan-1.9.orig/doc/pkix/examples/rsasig.conf	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/examples/rsasig.conf	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,13 @@
+conn test
+	left=10.1.49.124
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.netwinder
+	leftrsasigkey=0x010383adc0c40d031b8b51445074a015b6f6575221df37a23c597acafa7b588eccaeac2a705ca95c7062b7808849728a9083daf7e8f73335ecfdbfe18dda96b4c6b9c47cc695d1d9c20a92ce652cb0cd8b71af87cfb84d4ef5e02f13ef2233da2c98e5147b9092a5ef9f2789defb0b45d47570c1662bf8f159ae8e82107850184055
+	leftid="@arm1.netwinder.org"
+	right=10.8.49.122
+	rightnexthop=10.8.54.1
+	rightupdown=/usr/lib/ipsec/updown.netwinder
+	rightrsasigkey=0x0103e39df4e5d9cdfb1bd781cc516b99053af9d39f97230e663ecdf77cb14764fcd7aadb274b2da2eaa6c8b7f3764e1b87a5ae5d9f7cafdad01dd95518da017794fcf7c86f435f7b7ce45429414d9c099ebb91d8a3f54514be78f9b801b02608e8299a5d19a3a4fa5510d0d318b692c649dc3b37287153852a9ac81891d140a38a0d
+	rightid="@arm-devel.netwinder.org"
+	authby=rsasig
+	auto=add
diff -bruN freeswan-1.9.orig/doc/pkix/ldap-ca.quickstart freeswan-1.9/doc/pkix/ldap-ca.quickstart
--- freeswan-1.9.orig/doc/pkix/ldap-ca.quickstart	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/ldap-ca.quickstart	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,340 @@
+
+Quick commands and files based on how I set up my own LDAP CA.
+-- Luc Lanthier, 20001004
+-- revised: 20010301
+
+A more complete explanation can be found in the README.xmap file written
+by the original freeswan-pkix patch author, Neil Dunbar.
+
+Building and LDAP server is nothing simple. Easiest is installing the base 
+package or compiling it yourself. But after that, it's editing, creating, or
+modifying many configuration files or scripts.
+
+Here's a list of some of the config files or scripts you will encounter 
+in this document:
+  LDIF.sh
+  LDIF
+  slapd.oc-x509.conf
+  slapd.at-x509.conf
+  slapd.conf
+  regen-ldap_ca.sh
+  ldap.cnf
+  ipsec.conf
+  /etc/ipsec/*
+  /etc/rc.d/rc.local
+
+
+Your best bet is to following the LDAP documentation and use this document as
+a source of information, with examples.
+
+
+
+1A- Building openldap software:
+-----------------------------------------------------------------
+# The following containing version numbers is just an example.
+# If you compile from source, you can expect the config files to
+# be found in /usr/local/etc/openldap
+cd /usr/src
+tar xfvz openldap-stable-20000704.tgz 
+cd openldap-1.2.11
+./configure --enable-shared --with-gnu-ld --enable-ldapd 
+make depend
+make
+cd tests
+make
+cd ..
+make install
+
+1B- Installing openldap software from RPMs:
+-----------------------------------------------------------------
+Make sure the following are installed. Version numbers are merely a 
+suggestion.
+  openldap-1.2.9-6_nw1.armv4l.rpm
+  openldap-devel-1.2.9-6_nw1.armv4l.rpm
+The config files should be found under "/etc/openldap".
+
+
+
+2: Creating LDIF files:
+-----------------------------------------------------------------
+A LDIF file contains the information to add to the LDAP directory
+database in a simplified manner.
+
+Use your favorite editor and create an LDIF file that contains:
+            dn: dc=, dc= 
+            objectclass: dcObject 
+            objectclass: organization 
+            o:  
+            dc:  
+
+            dn: cn=Manager, dc=, dc= 
+            objectclass: organizationalRole 
+            cn: Manager
+
+Now, you may run ldapadd(1) to insert these entries into your directory.
+            ldapadd -D "cn=Manager, dc=, dc=" -W -f example.ldif
+
+
+Now we're ready to verify the added entries are in your directory. You 
+can use any LDAP client to do this, but our example uses the 
+ldapsearch(1) tool. Remember to replace dc=example,dc=com with the correct 
+values for your site:
+            ldapsearch -b 'dc=example,dc=com' '(objectclass=*)'
+
+-----------------------------------------------------------------
+
+
+3- How I created my own LDIF file
+-----------------------------------------------------------------
+Try to keep track of which certificate belongs to which host while
+creating the CA. The CA will only store the certificates in a 
+simplified naming format.
+ie: /usr/share/ssl/certs/01.pem
+
+If you forget, query the certificate, and look at the CN part of the 
+subject line. If created correctly, the CommonName will contain 
+the hostname.
+
+=========================
+[root@arm-devel ipsec]# openssl x509 -in /usr/share/ssl/certs/01.pem \
+	-noout -subject
+subject=/C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm-devel.netwinder.org/Email=luc.lanthier@rebel.com
+=========================
+
+To save me time, I created a shell script much like the following to speed up
+the generation of LDIF files.
+----------- LDIF.sh:
+#!/usr/bin/bash
+
+function openssl_out ()
+{
+  openssl x509 -in $1 -inform PEM -outform DER | \
+    ldif -b servercertificate 
+  openssl x509 -in $1 -noout -subject | \
+    sed -e 's/^subject=/subject: /'
+  openssl x509 -in $1 -noout -issuer | \
+    sed -e 's/^issuer=/issuer: /'
+}
+
+###### First, create entries for manager and CA.
+cat < LDIF
+ldif2ldbm -i LDIF
+slapd -s 1
+-----------------------------------------------------------------
+
+
+6- How I access the ldap DB from freeswan, the config files:
+-----------------------------------------------------------------
+The following file is used by FreeSWAN's pkix ldap lookup. 
+"ldapnd" in the front of each name is the name of the server the lookup
+is done on. If you wish to access 2 or more different ldap servers, just 
+copy the entire section a second time, while using the new header name.
+Keep in mind to change the domain and server hostname IP address.
+-- /etc/ipsec/ldap.cnf ------------------------------------------
+ldapnd_host_name = 10.8.49.100
+ldapnd_base = dc=netwinder,dc=org
+ldapnd_filter:uid = (uid=%s)
+
+ldapnd_attributes:*:crl = certificaterevocationlist, certificaterevocationlist;binary
+ldapnd_filter:*:crl = (&(objectclass=certificationAuthority)(cn=CA))
+
+ldapnd_filter:ca = (objectclass=certificationauthority)
+
+ldapnd_filter:dns = (&(objectclass=hostRecord)(dNSRecord=%s))
+ldapnd_attributes:dns = servercertificate, servercertificate;binary
+
+ldapnd_filter:ip = (&(objectclass=hostRecord)(ipv4Address=%s))
+ldapnd_attributes:ip = servercertificate, servercertificate;binary
+
+ldapnd_filter:subject = (&(objectclass=hostRecord)(subject=%s))
+ldapnd_attributes:subject = servercertificate, servercertificate;binary
+
+ldapnd_filter:issuer = (&(objectclass=hostRecord)(issuer=%s))
+ldapnd_attributes:issuer = servercertificate, servercertificate;binary
+-----------------------------------------------------------------
+
+The following is an example config entry for freeswan to use. You
+can either enter these settings in '/etc/ipsec.conf', or create
+a separate file with these settings to use. '/etc/ipsec.conf' can load
+separate files with 'include ' commands.
+-- freeswan config ----------------------------------------------
+conn test_host-host
+	left=10.1.49.233
+	leftnexthop=10.1.1.7
+	leftupdown=/usr/lib/ipsec/updown.firewall
+	right=10.8.49.101
+	rightupdown=/usr/lib/ipsec/updown.firewall
+	rightnexthop=10.8.54.1
+	auto=add
+	authby=cert
+	# certfile: full path to private key
+	certfile=/etc/ipsec/pubcert.pem
+	# keyfile: full path to public key in unencrypted format
+	keyfile=/etc/ipsec/privkey.pem
+	certpath=ldap:/etc/ipsec/ldap.cnf:ldapnd
+	certopts=send,pk,rev
+	#The certificate are found using IKE's ID_DER_ASN1_DN ID payload
+	#You can provide the info by running:
+	#  ipsec fswcert -d a -l /etc/ipsec/[hostleft].pem
+	#left DN: /C=CA/ST=Ontario/O=Rebel.com/OU=x86eng/CN=Luc Lanthier/Email=firesoul@netwinder.org
+	leftid=@~308182310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D310F300D060355040B1306783836656E67311530130603550403130C4C7563204C616E74686965723125302306092A864886F70D010901161666697265736F756C406E657477696E6465722E6F7267
+	#  ipsec fswcert -d a -l /etc/ipsec/[hostright].pem
+	#right DN: /C=CA/ST=Ontario/O=Rebel.com/OU=SE/CN=Luc Lanthier/Email=firesoul@pet.notbsd.org
+	rightid=@~307F310B30090603550406130243413110300E060355040813074F6E746172696F31123010060355040A1309526562656C2E636F6D310B3009060355040B13025345311530130603550403130C4C7563204C616E74686965723126302406092A864886F70D010901161766697265736F756C407065742E6E6F746273642E6F7267
+-----------------------------------------------------------------
+
+The certificate are found using IKE's ID_DER_ASN1_DN ID payload
+You can provide the info by running on each respective host:
+-----------------------------------------------------------------
+ipsec fswcert -d a -l /etc/ipsec/[hostleft].pem
+ipsec fswcert -d a -r /etc/ipsec/[hostright].pem
+
+
diff -bruN freeswan-1.9.orig/doc/pkix/openssl-ca.quickstart freeswan-1.9/doc/pkix/openssl-ca.quickstart
--- freeswan-1.9.orig/doc/pkix/openssl-ca.quickstart	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/openssl-ca.quickstart	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,237 @@
+This document is much like a quickstart, but in an even shorter form.
+These are the steps I took to create an opensourced CA capable of signing 
+certificates.
+
+How I set up a CA on RedHat 6.2 and used it:
+
+
+1- install openssl on the CA. 
+If the openssl package is already installed, then ignore this 
+section. Please note: requires 0.9.5a. I doubt FreeSWAN will
+run with openssl 0.9.6.
+----------------------------------------------------------------
+cd /usr/src/redhat/SRPMS
+scp root@10.8.49.101:/usr/src/redhat/SRPMS/openssl*.src.rpm .
+rpm --rebuild openssl-0.9.5a-1.src.rpm
+cd ../RPMS/i386/
+rpm -i openssl-*
+
+
+2- Setting up the openssl CA.
+The openssl RPM already create a /var/lib/ssl directory. If you installed
+openssl from source, look for it in either /usr/ssl, /usr/local/ssl,
+or even /usr/share/ssl.
+----------------------------------------------------------------
+cd /var/lib/ssl
+# Note! Newer redhat openssl RPMs created the dir in /usr/share/ssl
+
+# will simplify finding global conf files.
+ln -s /etc etc 
+
+# see README.certificates, section 4.1, for instructions
+# on the creation/addition of openssl.cnf 
+# Note! Since Redhat redid its openssl packages, openssl.cnf is present.
+# Use it instead.
+vi /etc/openssl.cnf
+
+# see README.certificates, section 4.1, for instructions
+# on the CA extensions to define in ca.ext
+vi ca.ext 
+
+openssl req -new -newkey rsa:1024 -keyout \
+	private/cakey.pem -out careq.pem
+# Please enter in a password to be able to use the CA's signing cert once 
+# it is generated. Only that password will unlock it for use.
+# Data may be asked of you to enter.
+# ____________________________________________________________________
+# --- Country Name (2 letter code) [AU]:
+# --- State or Province Name (full name) [Some-State]:
+# --- Locality Name (eg, city) []:
+# **important** The OrgName must match on ALL certs which will be signed
+# by this self-signed cert.
+#   --- Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+# --- Organizational Unit Name (eg, section) []:
+# **Note** Try to use the machine's FQDN as common name. Not your own
+# name. :
+#   --- Common Name (eg, your name or your server's hostname) []:
+# --- Email Address []:
+# ____________________________________________________________________
+#
+# Unimportant:
+# Please enter the following 'extra' attributes
+# to be sent with your certificate request
+# A challenge password []:
+# An optional company name []:
+
+# sign our own CA certificate.
+openssl x509 -CAcreateserial -signkey private/cakey.pem -req \
+	-in careq.pem -out cacert.pem -days 2000 -extfile ca.ext
+
+touch index.txt
+echo "01" > serial
+openssl ca -gencrl -out crl.pem; # distribute/make available to all hosts.
+
+
+3- adding cacert.pem and crl.pem to hosts (OPTIONAL)
+Unless you are using LDAP lookup, you will have to make the certificate
+available on all the client hosts. Of course, make sure the destination 
+directory exists.
+----------------------------------------------------------------
+scp crl.pem 10.1.49.233:/etc/ipsec
+scp cacert.pem 10.1.49.233:/etc/ipsec
+scp crl.pem 10.8.49.101:/etc/ipsec
+scp cacert.pem 10.8.49.101:/etc/ipsec
+
+
+4- Each client host -- generate certificate requests.
+The CA's signing certificate is ready. Now we can create the client
+certificates. 
+NOTE: a CA can also be its own client if a separate certificate
+is generated. Both the cacert.pem and the host certificates must be
+made available as standard host certificates, as if they were 2 separate
+hosts.
+----------------------------------------------------------------
+mkdir -p /etc/ipsec
+cd /etc/ipsec
+
+# Make sure the info entered for the "CommonName" for each client 
+#   is DIFFERENT, usually containing the hostname.
+# Make sure the "OrgName" used is the same as the one used 
+#   for cacert.pem's creation.
+# Make sure you don't create this certificate with a password.
+#  This certificate must be available for use without user intervention.
+#  (that includes password entry)
+openssl req -new -newkey rsa:1024 -nodes -keyout \
+	`hostname`.key -out `hostname`.req.pem
+############################
+# OR DSA: (still unsupported. left note in to remember how to do it)
+# openssl dsaparam 1024 -out dsa_params.txt
+# chmod 400 dsa_params.txt
+#openssl req -new -newkey dsa:dsa_params.txt -nodes -keyout \
+#        /etc/ipsec/`hostname`.key -out /etc/ipsec/`hostname`.req.pem
+#remember that all parties must use DSA
+############################
+
+# how about a generic name on each host for ease?
+ln -fs `hostname`.key privkey.pem
+ln -fs `hostname`.pem pubcert.pem; # will be created soon.
+
+# protect the private key.
+chmod 400 `hostname`.key
+
+
+
+5- Signing certificates on the CA host
+Signing the certificates is a necessary step in the pkix CA setup,
+but first, you must give your CA the ability.
+You may find the signIPSEC script handy.
+----------------------------------------------------------------
+###########################
+# Create/Undate the following ONCE.
+# Once again, note the paths may be wrong.
+vi /etc/openssl.cnf; # (see README.certificates section 4.6)
+
+# Either create signIPSEC, or copy it from the current directory.
+#   to /usr/local/bin on the CA host.
+vi /usr/local/bin/signIPSEC; # (see README.certificates section 4.6)
+
+chmod 700 /usr/local/bin/signIPSEC
+# use: signIPSEC foo.mydomain.com 192.168.1.5 foo.req
+
+# Once again, CD to the correct path.
+cd /var/lib/ssl/
+mkdir -p newcerts
+
+# The following steps can be reused over and over, for each host to add
+#
+# 1- copy over the unsigned public cert from the host.
+scp root@10.1.49.233:/etc/ipsec/*.req.pem .
+#
+# 2- sign it with the correct values.
+signIPSEC sticky.netwinder.org 10.1.49.233 sticky.req.pem
+#
+# 3- copy the newly signed certificate to the host.
+scp newcerts/`cat serial.old`.pem root@10.1.49.233:/etc/ipsec/sticky.pem
+#
+# 4- rehash the current database of certificates handled by the CA.
+mv newcerts/* certs/
+c_rehash certs
+
+
+
+6- CA host: prepping flat file for client hosts
+Here's a short script for quick generations of text flatfiles needed
+by the various clients. LDAP lookup is prefered, but flatfile is available
+for testing or simplicity.
+The script is available as "CA-regenerate-flatfile.sh".
+----------------------------------------------------------------
+#!/bin/sh -x
+
+if [ -d /var/lib/ssl ]; then
+  cd /var/lib/ssl
+elif [ -d /usr/lib/ssl ]; then
+  cd /usr/lib/ssl
+elif [ -d /usr/local/lib/ssl ]; then
+  cd /usr/local/lib/ssl
+elif [ -d /usr/share/ssl ]; then
+  cd /usr/share/ssl
+else
+  echo "ERROR: Cannot determine location of ssl directory."
+  exit 1
+fi
+
+cat /dev/null > flatfile.txt
+
+for ii in certs/*.pem cacert.pem crl.pem;
+do
+  if [ "`basename $ii`" != "crl.pem" ] && [ "`basename $ii`" != "cacert.pem" ];
+  then
+    perl -e "open(IN, \"openssl x509 -in $ii -noout -text \|\"); \
+      @IN = ; \
+      foreach (@IN) { \
+        if (/IP Address:(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})/) { \
+          print \"ip: \$1\\n\"; \
+        } \
+        if (/DNS:([^, ]*).*$/) { \
+          print \"dns: \$1\\n\"; \
+        } \
+      };" >> flatfile.txt
+  fi
+  cat $ii | \
+  perl -e '$printme = 0; while (<>) { if (/---BEGIN/) {$printme = 1;}; if ($printme) {print STDOUT $_;} }; print STDOUT "\n";' \
+  >> flatfile.txt
+done
+----------------------------------------------------------------
+
+# the flatfile is created. Send to Client hosts.
+scp flatfile.txt root@10.1.49.233:/etc/ipsec
+scp flatfile.txt root@10.8.49.101:/etc/ipsec
+
+
+
+7- revoking a certificate
+Sometimes it becomes necessary to revoke a certificate. 
+----------------------------------------------------------------
+# First, find out which certificate has to be revoked. If properly
+# generated, the CommonName (CN) will be the certificate's owner 
+# hostname. Replace "WANTED_HOSTNAME" by the hostname to look for.
+cd /var/lib/ssl/
+(
+for certs in certs/*.pem; do 
+  echo -n "$certs: " 
+  openssl x509 -in $certs -noout -subject
+done
+) | grep WANTED_HOSTNAME
+
+# Example output:
+# 02.pem: subject=/C=CA/ST=Ontario/O=Rebel.com/OU=SoftEng/CN=arm1.netwinder.org/Email=firesoul@netwinder.org
+
+# next, proceed to revoke the certificate.
+# once again, double-check the paths.
+openssl ca -revoke /var/lib/ssl/certs/02.pem 
+openssl ca -gencrl -out /var/lib/ssl/crl.pem
+
+# If we're using LDAP, the new crl.pem will be used automatically.
+# Otherwise, it has to be copied to each one of the client hosts.
+scp crl.pem root@10.1.49.233:/etc/ipsec
+scp crl.pem root@10.8.49.101:/etc/ipsec
diff -bruN freeswan-1.9.orig/doc/pkix/signIPSEC freeswan-1.9/doc/pkix/signIPSEC
--- freeswan-1.9.orig/doc/pkix/signIPSEC	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/doc/pkix/signIPSEC	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Simple wrapper for "openssl ca" that sets environment to pass in
+# values for the svr_cert extension
+# P.J.Onion  23/9/1999
+# updated by: Luc Lanthier   20010214
+if [ -d /var/lib/ssl ]; then
+  SSLDIR="/var/lib/ssl";
+elif [ -d /usr/lib/ssl ]; then
+  SSLDIR="/usr/lib/ssl";
+elif [ -d /usr/local/lib/ssl ]; then
+  SSLDIR="/usr/local/lib/ssl";
+elif [ -d /usr/share/ssl ]; then
+  SSLDIR="/usr/share/ssl";
+else
+  echo "ERROR: Cannot determine location of ssl directory."
+  exit 1
+fi
+
+
+if test $# -ne 3 ; then
+        echo "Usage: $0 hostname ipaddress reqfile"
+        exit 1
+fi
+
+
+HOSTFQDN=$1
+HOSTIP=$2
+NSCOMMENT="IPsec Certificate for $1"
+EXTENSION=svr_cert
+
+export HOSTFQDN HOSTIP NSCOMMENT EXTENSION
+if (which openssl &> /dev/null) ; then
+  openssl ca -in $3
+else
+  echo "ERROR: Cannot locate/execute openssl binary."
+  exit 1
+fi
diff -bruN freeswan-1.9.orig/doc/politics.html freeswan-1.9/doc/politics.html
--- freeswan-1.9.orig/doc/politics.html	Tue Mar 27 23:16:51 2001
+++ freeswan-1.9/doc/politics.html	Mon Jun  4 01:15:56 2001
@@ -62,19 +62,18 @@
 general-purpose digital computers. 
 
    • Ultra made codebreaking a large-scale enterprise, producing 
 intelligence on an industrial scale. This was not a "black chamber", 
-not some hidden room in some obscure government building with a small 
-crew of code-breakers. The whole operation -- from intercept operators 
-all over the world grabbing copies of enemy communications, through 
-large-scale code-breaking and analysis of the decrypted material (with 
-an enormous set of files for cross-referencing), to delivery of 
-intelligence to field commanders -- was huge, and very carefully 
-managed. 
      • 
+not a hidden room in some obscure government building with a small crew 
+of code-breakers. The whole operation -- from wholesale interception of 
+enemy communications by stations around the world, through large-scale 
+code-breaking and analysis of the decrypted material (with an enormous 
+set of files for cross-referencing), to delivery of intelligence to 
+field commanders -- was huge, and very carefully managed. 
 
 
       So by the end of the war, Allied code-breakers were expert at 
 large-scale mechanised code-breaking. The payoffs were enormous. 
      
 
      Postwar and Cold War
      
  The wartime innovations were enthusiastically adopted by post-war and 
-Cold War signals intelligence agencies. Presumably most nations now 
+Cold War signals intelligence agencies. Presumably many nations now 
 have some agency capable of sophisticated attacks on communications 
 security, and quite a few engage in such activity on a large scale. 
 
       America's NSA, for example, is said 
@@ -95,7 +94,7 @@
 electronic mail, or tapping into the huge volumes of data on new media 
 such as fiber optics or satellite links. None of these targets existed 
 in 1950. All of them can be attacked today, and almost certainly are 
-being attacked on a large scale. 
      
+being attacked. 
      
 
       The Ultra story was not made public until the 1970s. Much of the 
 recent history of codes and code-breaking has not been made public, and 
 some of it may never be. Two important books are: 
      
@@ -127,22 +126,28 @@
 networking becoming ubiquitous, cryptography is now important to almost 
 everyone. Among the developments since the 1970s: 
      
 
 
       This has led to a complex ongoing battle between various mainly 
 government groups wanting to control the spread of crypto and various 
@@ -203,14 +208,20 @@
 communication systems, but that it is an activity of the  investigative 
 authorities and intelligence services of many countries with 
  governments of different political signature.  Even if 
-they have nothing on the scale of Echelon, most or all intelligence 
-agencies and  police forces certainly have some interception 
-capability. 
+they have nothing on the scale of Echelon, most intelligence agencies 
+and  police forces certainly have some interception capability. 
+
    • NSA tapping of submarine 
+communication cables, described  in 
+this article
      • 
 
    • A proposal for international co-operation on 
  Internet surveillance.
      • 
 
    • Alleged sabotage
  of security  products by the NSA (the 
 US signals intelligence agency).
      • 
+
    • The German armed forces and some government departments will stop 
+using American software for fear of NSA  "back doors", according to 
+this news 
+story. 
      • 
 
    • The British Regulation of Investigatory Powers bill. See  this 
 web page. and  perhaps this 
 cartoon.
      • 
@@ -244,6 +255,8 @@
 
        
 
      • industrial espionage, as for example in this 
 news story
        • 
+
      • attacks by organised criminals, as in this 
+ large-scale attack
        • 
 
      • collection of personal data by various companies. 
 
          
 
        • for example, consider the various corporate winners of Privacy 
@@ -603,11 +616,13 @@
 held by some third party and turned over to law enforcement or security 
 agencies under some conditions.
          
 
          -Mary had cryptography
-Her keys were in escrow
-And everything that Mary said
-The feds were sure to know
+  Mary had cryptography
+  Her keys were in escrow
+  And everything that Mary said
+  The feds were sure to know
 
          
+ (If anyone knows the origin of that ditty, let 
+let me know so I can credit the author.) 
 
           There is an excellent paper available on 
 Risks of Escrowed Encryption, from a group of cryptographic 
 luminaries which included our project leader.
          
@@ -626,14 +641,18 @@
 
           FreeS/WAN does not support escrowed encryption, and never will.
          
 
          Limited key lengths
          
 
           Various governments, and some vendors, have also made persistent 
-attempts to convince people that weak systems are sufficient for some 
-data, that strong cryptography should be reserved for cases where the 
-extra overheads are justified. This is nonsense.
          
+attempts to convince people that: 
          
+
            
+
          • weak systems are sufficient for some data 
            • 
+
          • strong cryptography should be reserved for cases where the extra 
+overheads are justified 
            • 
+
          
+ This is nonsense.
 
           Weak systems touted include:
          
 
            
 
          • the ludicrously weak (deliberately crippled) 40-bit ciphers that 
 until  recently were all various export laws
- allowed.
            • 
+ allowed
 
          • 56-bit single DES, discussed below
            • 
 
          • 64-bit symmetric ciphers and 512-bit RSA, the maximums for 
 unrestricted  export under various current laws
            • 
@@ -665,9 +684,12 @@
 the bulk of the work is done  by a symmetric cipher. The effect of 
 increasing the cost of the public  key operations is typically 
 negligible because the public key operations  use only a tiny fraction 
-of total resources. For example, if public key  operations use use 1% 
-of the time in a hybrid system and you triple the  cost of public key 
-operations, the overall effect is a 2% rise in system  cost.
+of total resources. 
+
             For example, suppose public key  operations use use 1% of the time 
+in a hybrid system and you triple the  cost of public key operations. 
+The cost of symmetric cipher operations  is unchanged at 99% of the 
+original total cost, so the overall effect is a  jump from 99 + 1 = 100 
+to 99 + 3 = 102, a 2% rise in system cost.
            
 
          
 
           In short, there has never been any technical reason to use 
 inadequate ciphers. The only reason there has ever been for 
diff -bruN freeswan-1.9.orig/doc/roadmap.html freeswan-1.9/doc/roadmap.html
--- freeswan-1.9.orig/doc/roadmap.html	Tue Mar 27 23:16:51 2001
+++ freeswan-1.9/doc/roadmap.html	Mon Jun  4 01:15:56 2001
@@ -18,7 +18,7 @@
 
          
 
          KLIPS
          
 
          the kernel code
          
-
          Pluto
          
+
          Pluto
          
 
          the user-level key-management daemon
          
 
          
 
          plus assorted odds and ends. 
          
diff -bruN freeswan-1.9.orig/doc/src/compat.html freeswan-1.9/doc/src/compat.html
--- freeswan-1.9.orig/doc/src/compat.html	Sun Mar 11 23:13:14 2001
+++ freeswan-1.9/doc/src/compat.html	Sun Jun  3 22:41:05 2001
@@ -3,21 +3,23 @@
 
 
          Linux FreeS/WAN Compatibility Guide
          
 
-  
          
+
          
 Most of this document is quoted directly from the Linux FreeS/WAN
 mailing list. Thanks very much to the community of
   testers, patchers and commenters there, especially the ones quoted below but
   also various contributors we haven't quoted.
          
 
-  
          Implemented parts of the IPSEC Specification
          
+
          Implemented parts of the IPSEC Specification
          
 
-  
          In general, do not expect Linux FreeS/WAN to do everything yet. This is a
-  work-in-progress and some parts of the IPSEC specification are not yet
-  implemented.
          
+
          
+In general, do not expect Linux FreeS/WAN to do everything yet. This is a
+work-in-progress and some parts of the IPSEC specification are not yet
+implemented.
          
 
-  
          In Linux FreeS/WAN
          
+
          In Linux FreeS/WAN
          
 
-  
          Things we do, as of version 1.9:
          
+
          
+Things we do, as of version 1.9:
          
   
            
     
          • key management methods
       
            
@@ -57,10 +59,6 @@
        
               
     
          • encryption transforms
       
            
-        
            null encryption (to use ESP as an authentication-only service)
-          
            We implement this since the RFCs require it. Since it is
-              obviously insecure, we disable it by default. It can be enabled
-              with a kernel configuration option.
            
           
            DES
            
             
            DES is in the source code since it is needed to implement
               3DES, but single DES is not made available to users because 
   
          
 
-  
          
+
          
 All combinations of implemented transforms are supported. Note that some
-  form of authentication is recommended whenever encryption is used.
          
+form of packet-level authentication is required whenever encryption
+is used. Without it, the encryption will not be secure.
          
 
 
          Deliberately ommitted
          
 
@@ -108,15 +107,16 @@
 
          
 Things we deliberately omit which are required in the RFCs are:
          
 
            
+
          • null encryption (to use ESP as an authentication-only service)
 
          • single DES
 
          • DH group 1, a 768-bit modp group
 
          
 
          
-Since these are the only encryption algorithm and DH group the RFCs require, it
+Since these are the only encryption algorithms and DH group the RFCs require, it
 is possible in theory to have a standards-conforming implementation which will
 not interpoperate with FreeS/WAN. Such an implementation would be inherently
 insecure, so we do not consider this a problem. Anyway, most implementations
-sensibly include more secure options as well, so dropping
+sensibly include more secure options as well, so dropping null encryption,
 single DES and Group 1 does not greatly hinder interoperation in practice.
          
 
          
 We also do not implement some optional features allowed by the RFCs:
@@ -133,9 +133,10 @@
 Windows 2000 where aggressive mode is the default. Typically, these are easily
 solved with a configuration change that overrides that default.
           
 
-  
          Not (yet) in Linux FreeS/WAN
          
+
          Not (yet) in Linux FreeS/WAN
          
 
-  
          Things we don't yet do, as of version 1.9:
          
+
          
+Things we don't yet do, as of version 1.91:
          
   
            
     
          • key management methods
       
              
@@ -164,6 +165,9 @@
           href="glossary.html#BIND">BIND provide much of what we need but they are not
           yet widespread and our code to communicate with them is not
           ready.
              
+
              
+Update: As of 1.91, we have beta-testable code for opportunistic encryption.
+See our configuration document.
         
       
            
     
            • 
@@ -186,6 +190,20 @@
       
            No optional additional authentication transforms are currently
       implemented and we do not forsee a need to add any soon.
            
     
+  
          • Policy checking on decrypted packets
+  
            
+   To fully comply with the RFCs, it is not enough just to accept only packets
+   which survive any firewall rules in place to limit what IPSEC packets get in,
+   and then pass KLIPS authentication. That is what FreeS/WAN currently does.
+   
            
+   We should also apply additional tests, for example ensuring that all packets
+   emerging from a particular tunnel have sourcen and destination addresses that
+   fall within the subnets defined for that tunnel, and that packets with those
+   addresses that did not emerge from the appropriate tunnel are disallowed.
+   
            
+   This will be done as part of the KLIPS rewrite currently in progress. See
+   these links and the
+   design mailing list for discussion.  
   
          
 
   
          Our PF-Key implementation
          
@@ -206,41 +224,49 @@
 
   
          PF-Key portability
          
 
-  
          PF-Key came out of Berkeley Unix work and is used in the various BSD IPSEC
-  implementations. We assume also in This means there is some hope of
-  porting our Pluto(8) to one of the BSD distributions or running their
-  photurisd(8) on Linux if you prefer Photuris key
-  management over IKE.
          
-
-  
          It is, however, more complex than that. The three PF-Key implementations
-  we have looked at -- ours, OpenBSD and KAME -- all have extensions beyond
-  the RFC, and the extensions are different. There have been discussions aimed
-  at sorting out the differences, perhaps for a version three PF-Key spec. All
-  players are in favour of this, but everyone involved is busy and it is not
-  clear whether or when these discussions might bear fruit.
          
+
          
+PF-Key came out of Berkeley Unix work and is used in the various BSD IPSEC
+implementations, and in Solaris. This means there is some hope of
+porting our Pluto(8) to one of the BSD distributions, or of running their
+photurisd(8) on Linux if you prefer Photuris key
+management over IKE.
          
+
+
          
+It is, however, more complex than that. The PK-Key RFC deliberately deals
+only with keying, not policy management. The three PF-Key implementations
+we have looked at -- ours, OpenBSD and KAME -- all have extensions to deal
+with security policy, and the extensions are different. There have been
+discussions aimed at sorting out the differences, perhaps for a version
+three PF-Key spec. All players are in favour of this, but everyone involved
+is busy and it is not clear whether or when these discussions might bear
+fruit.
          
 
-  
          Kernels other than 2.0.38 and 2.2.18
          
+
          Kernels other than 2.0.38 and 2.2.18
          
 
-  
          We develop and test on:
          
+
          
+We develop and test on:
          
   
            
-    
          • Redhat 5.2 with a 2.0.38 kernel.
            • 
-    
          • Redhat 6.1 with a 2.2.18 kernel.
            • 
+    
          • Redhat 6.1 with a 2.2.19 kernel.
            • 
+    
          • Redhat 7.1 with a 2.4.4 kernel.
            • 
+
   
          
 
          
-  This is what we recommend.
+This is what we recommend.
 
   
          Other 2.0.x Intel Kernels
          
 
 
          
 Consider upgrading to the 2.2 kernel series. If you want to stay with
-the 2.0 series, then we strongly recommend 2.0.38. It has some security
-patches not present in earlier 2.0 kernels.
          
-
+the 2.0 series, then we strongly recommend 2.0.39. Some useful security
+patches were added in 2.0.38.
          
 
          
 Various versions of the code have run at various times on most 2.0.xx
-kernels, but the current version is tested only on 2.0.38 and is unlikely to
-compile on older kernels. Some of our patches for older kernels are shipped
-in 2.0.37 and later, so they are no longer provided in FreeS/WAN.
          
+kernels, but the current version is only lightly tested on 2.0.39, and
+not at all on older kernels.
+
          
+Some of our patches for older kernels are shipped in 2.0.37 and later,
+so they are no longer provided in FreeS/WAN. This means recent versions
+of FreeS/WAN will probably not compile om anything earlier than 2.0.37.
          
 
   
          2.2 and 2.4 Kernels
          
   
          
@@ -253,13 +279,14 @@
       
          runs on 2.0, 2.2 or 2.4 kernels
          
   
          
 
          
-We suggest the latest 2.2 kernel (2.2.18 at time of writing) for production use.
+We suggest the latest 2.2 kernel or 2.4 (2.2.19 or 2.4.5 at time of writing)
+for production use.
 
-  
          Intel Linux distributions other than Redhat 5.x and 6.x
          
+  
          Intel Linux distributions other than Redhat
          
 
   
          
-We develop and test on Redhat 5.2 for 2.0 kernels, and on Redhat 6.1 for
-2.2, so minor changes may be required for other distributions.
          
+We develop and test on Redhat 6.1 for 2.2 kernels, and on Redhat 7.1 for
+2.4, so minor changes may be required for other distributions.
          
 
 
          Redhat 7.0
          
 
          
@@ -307,8 +334,9 @@
 
   
          SuSE Linux
          
 
-  
          SuSE 6.3 and later versions, at least in Europe, ship with FreeS/WAN
-  included.
          
+
          
+SuSE 6.3 and later versions, at least in Europe, ship with FreeS/WAN
+included.
          
 
   
          Here are some notes for an earlier SuSE version.
          
 
@@ -698,9 +726,8 @@
 information, check the mailing list.
          
 
 
          
-In short, Linux currently has both IPv6 support and IPSEC support, but the two
-do not work together yet. We, and others, are working on integrating
-them, but it is a substantial job.
+The first release of Linux IPv6 with FreeS/WAN support is now 
+available.
 
 
 
diff -bruN freeswan-1.9.orig/doc/src/config.html freeswan-1.9/doc/src/config.html
--- freeswan-1.9.orig/doc/src/config.html	Sun Mar 11 23:13:14 2001
+++ freeswan-1.9/doc/src/config.html	Sun Jun  3 22:41:05 2001
@@ -594,14 +594,6 @@
 the tunnel is an older version, the restriction will still apply there, so some
 caution is still required.
 
-  
          The conn %default section shipped in our example file includes
-  parameters for manual keying. These are completely
-  insecure, intended only for testing. We recommend you leave these
-  in place during testing since it is sometimes useful to be able to test with
-  manual keying. Once testing is done, however, delete the test keys or ensure
-  that they are commented out with # characters. Production use of manual
-  keying is not recommended, but is possible and is described in a
-  later section.
          
 
   
          Editing a connection description
          
 
@@ -675,9 +667,10 @@
   someone can subvert the DNS service, then they can redirect packets whose
   addresses are looked up via that service.
          
 
-  
          Many of the variables in this file come in pairs such as "leftsubnet: and
-  "rightsubnet", one for each end of the connection. The variables on the left
-  side are:
          
+
          
+Many of the variables in this file come in pairs such as "leftsubnet: and
+"rightsubnet", one for each end of the connection. The variables on the left
+side are:
          
   
          
     
          left
          
       
          The gateway's external interface, the one it uses to talk to the
@@ -708,14 +701,16 @@
       
          Addresses for the machines which left is protecting.
         
            
           
          • Often something like 101.202.203.0/24 to indicate that a subnet
-            resides behind left.
            • 
+            resides behind left. Often this subnet will be directly connected
+            to left, but this not necessary. The only requirement is that left
+            must be able to route to it.
           
          • If you omit the leftsubnet line, then left is both the security
             gateway and the only client on that end.
            • 
         
          
         For some applications, you may want to create two connections, one to
         protect traffic from the subnet behind left and another to protect
         traffic from the left gateway itself. This takes two connection
-        descriptions.
          
+        descriptions. See below.
     
          leftfirewall
          
       
          Set to "yes" if there is a firewall in play that suppresses
         forwarding, for example if a subnet behind left uses non-routable
@@ -1016,22 +1011,185 @@
 
 
          Opportunistic encryption
          
 
+We use the term opportunistic encryption for
+encryption which does not rely on any pre-arranged connection, hence does
+not require that the administrators of the two gateways involved communicate
+with each other (for example, to exchange keys) before their systems can
+create a secure connection.
+
          
+The idea is that each gateway check the destinations of outgoing packets,
+see if an encrypted connection is possible and, if so, take the opportuntity
+to encrypt. The opportunity will exist whenever the admins on both ends have
+set their systems up for opportunistic encryption.  
+
          
+This makes encryption the default behaviour, and could greatly
+increase the overall security of the Internet if it were widely enough adopted.
+See our documents:
+
          
+
          history and politics
+
          for the reasons we want to do this
+
          IPSEC protocols
+
          for discussion of the general principle of encrypting as much as possible
+
           
+
          
+The gateways must be able to authenticate each other for IPSEC to be secure.
+For opportunistic encryption, we rely on the domain name system,
+DNS, to provide the RSA keys needed for this
+authentication.  Note, that currently this is not entirely secure because
+the DNS mechanism it relies on is not fully secure.
+Eventually, as secure DNS becomes widely
+deployed, this will change.
+
          Status
          
+
+The team have been working on this for some time, and testing internally.
+As of late May, 2001 this code is ready for wider testing. We
+encourage everyone to try it.
+
          
+The main documentation items so far are:
+
            
+
          • an Opportunism HowTo by Pluto programmer
+Hugh Redelmeier
+
          • a design document by Hugh and technical lead Henry Spencer.
+A link to this is in our introduction.
+
          
+I am playing catch up; HTML documentation so far is neither complete nor
+particularly clear. What I have so far is below.
 
          
-This section is currently just a placeholder for the opportunistic
-encryption documentation I'll write when the design has solidified
-somewhat.
           
+Note that both software and documentation for this are changing quickly.
+You may want the latest snapshot for opportunism experiments.
+
           
+We do not yet recommend this code for production use.
+You should still protect your critical data with explicitly configured
+IPSEC tunnels, rather than relying on opportunistic for everything at
+this stage. 
+
           
 
-
          Putting public keys in DNS
          
+
          Some DNS background
          
 
-  
          Release 1.4 had the first experimental code to support fetching public
-  key information from the other system's DNS entries. Even in 1.6, this is
-  still experimental code. You cannot trust it for production use until
          
-  
            
-    
          • both our code is much better tested (you can help with that!)
            • 
-    
          • and secure DNS is widely deployed
            • 
-  
          
+
          
+Opportunism requires that the gateway systems be able to fetch public keys, and
+other IPSEC-related information, from each other's DNS (domain name service)
+records.
+
          
+DNS is a distributed database that maps names to IP addresses and vice versa.
+A system named gateway.example.com with IP address 10.20.30.40 should have at
+least two DNS records:
+
          
+
          gateway.example.com. IN A 10.20.30.40
+
          used to look up the name and get an IP address
+
          40.30.20.10.in-addr.arpa. IN PTR gateway.example.com.
+
          used for reverse lookups, looking up the name associated with an address.
+Notice that the digits here are in reverse order; the actual address is
+10.20.30.40 but we use 40.30.20.10 here.
+
          
+Some syntactic details are:
+
            
+
          • the IN indicates that these records are for Internet addresses
+
          • The final periods in '.com.' and '.arpa.' are required. They indicate the
+root of the domain name system.
+
          
+For much more detail, see the
+Linux Network Administrator's Guide
+or a DNS reference book.
+
          
+The capitalised strings after IN indicate the type of record. Possible types include:
+
            
+
          • Address
+
          • PoinTeR
+
          • Canonical NAME, records to support aliasing, 
+multiple names for one address
+
          • MX, used in mail handling
+
          • SIGnature, used in secure DNS
+
          • KEY, used in secure DNS
+
          • TeXT, a multi-purpose record type
+
          
+To set up for opportunistic encryption, you add some KEY and TXT records to your
+DNS data.
 
-  
          The relevant lines in the config file would look like this:
          
+
          Putting IPSEC information in DNS
          
+
+There are two types of DNS record to be added:
+
            
+
          • each gateway must have a KEY record which other gateways can query to
+fetch its RSA authentication key
+
          • any client whose communications are to be protected by a gateway
+must have a TXT record pointing to that machine as an authorised IPSEC gateway
+
          
+ipsec_rsasigkey(8) provides
+the key in DNS record format as a comment. You need to cut and paste the
+comment from ipsec.secrets(5)
+(or wherever you have the private key)
+into the appropriate place in the DNS records.
+
           
+There are two ways to handle this, depending on whether or not you control
+the reverse lookup (in-addr.arpa.) sections of the DNS files for your gateway.
+You must have control of the reverse DNS information for clients or this
+cannot work at all.
+
+
          If you control the gateway's reverse map
          
+
+If you control the gateway's reverse map, you just add a KEY record there.
+Here is an example, with many characters of the key itself left out:
+
          +40.30.20.10.in-addr.arpa. IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
+
          
+This allows lookups on the IP address of the gateway to retrieve the key.
+
          
+A client that wishes to be protected by Opportunistic Encryption must
+include a special TXT record in its reverse-map. If you control the
+gateway's reverse map, example client records would look like this:
+
          +42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
+42.42.42.10.in-addr.arpa. IN TXT "X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8"
+
          
+which can also be written as just:
+
          +42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
+                          IN TXT "X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8"
+
          
+
+This provides the IP address of the security gateway and the public key
+which the gateway will use to authenticate itself. This is the preferred
+variant. Using it, the remote system does one lookup and gets everything
+it needs for IKE negotiations.
+
+
          If you don't control the gateway's reverse map
          
+
+The approach must be slightly different if you do not have control over the
+contents of the reverse map for your gateway. Perhaps your ISP controls that,
+and provides no way for you to put data into their maps. Without that, you
+cannot set your gateway up to respond to incoming opportunistic requests
+(short of changing ISPs, which you might consider).
+
          
+However, suppose a friend over at example.org will let you put things in
+their maps. That will allow you to set your gateway up to handle opportunistic
+connections for which it is the initiator.
+
          
+You still need to be able to put data in the reverse map for your clients.
+However, that data is slightly different:
+
          +42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
+                          IN TXT "X-IPsec-Server(10)=something.example.org"
+
          
+Over at example.org, your friend inserts these lines in the DNS data files:
+
          +something.example.org. IN A 10.20.30.40
+                       IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
+
          
+Your gateway must identify itself in IKE as something.example.org, not
+as gateway.example.com. You set that up via leftid= or
+rightid= entries in ipsec.conf(5).
+
          
+With this arrangement, the remote gateway does two lookups. First it does a
+reverse lookup on the client IP address and finds the gateway name 
+"something.example.org". Then it looks up that name to get the IP address
+and key for the gateway.
+
+
+
+
          ipsec.conf entries for opportunism
          
+
+The relevant lines in the config file would look like this:
          
 
                   leftid=@gateway.example.com
         leftrsasigkey=%dns
@@ -1379,13 +1537,13 @@
 listen to the traffic between the gateways.
          
 
 
          
-This really has to be done from a third machine, not from one of the
-gateways. On the gateways you'll see packets at intermediate stages of
-processing and the result will be confusing. Also, both tcpdump(8) and
-nmap(8) use the libpcap library. Some versions of that library (e.g. the
-ones that shipped with Redhat 5) do not recognise ipsec? devices and will
-generate "bad physical medium" error messages if you try to use it with
-them.
          
+This is most easily done from a third machine, rather than from one of the
+gateways. On the gateways you may see packets at intermediate stages of
+processing and the result may be confusing.
+
          
+If the results make no sense at all, or you see "bad physical medium" error
+messages, you probably have an outdated version of tcpdump(8) that does
+not handle IPSEC at all. See our FAQ.
          
 
 
          
 The packets should, except for some of the header information, be utterly
@@ -2136,6 +2294,49 @@
 gateways with a subnet behind them. To get that functionality, you must upgrade
 to Windows 2000 server or the commercially available PGP products.
 
+
          One tunnel plus advanced routing
          
+
+It is also possible to use the new routing features in 2.2 and later
+kernels to avoid most needs for multple tunnels. Here is one mailing
+list message on the topic:
+
          +Subject: Re: linux-ipsec: IPSec packets not entering tunnel?
+   Date: Mon, 20 Nov 2000
+   From: Justin Guyett <jfg@sonicity.com>
+
+On Mon, 20 Nov 2000, Claudia Schmeing wrote:
+
+> Right                                                         Left
+>                      "home"                "office"
+> 10.92.10.0/24 ---- 24.93.85.110 ========= 216.175.164.91 ---- 10.91.10.24/24
+>
+> I've created all four tunnels, and can ping to test each of them,
+> *except* homegate-officenet.
+
+I keep wondering why people create all four tunnels.  Why not route
+traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
+And 99% of the time you don't need to access "office" directly, which
+means you can eliminate all but the subnet<->subnet connection.
+
          
+and FreeS/WAN technical lead Henry Spencer's comment:
+
          +> I keep wondering why people create all four tunnels.  Why not route
+> traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
+
+This is feasible, given some iproute2 attention to source addresses, but
+it isn't something we've documented yet... (partly because we're still
+making some attempt to support 2.0.xx kernels, which can't do this, but
+mostly because we haven't caught up with it yet).
+
+> And 99% of the time you don't need to access "office" directly, which
+> means you can eliminate all but the subnet<->subnet connection.
+
+Correct in principle, but people will keep trying to ping to or from the
+gateways during testing, and sometimes they want to run services on the
+gateway machines too.
+
+
          
+
 
          Many tunnels from a single gateway
          
 
 
          
@@ -2481,34 +2682,49 @@
 
          Unencrypted tunnels
          
 
 
          
-Sometimes you will want to create a tunnel without encryption. The IPSEC
-protocols provide two ways to do this, either using AH
-without ESP or using ESP with null encryption. With Linux
-FreeS/WAN, these are currently supported for manually keyed connections, but
-not with automatic keying, so we'll look at other solutions here.
          
+Sometimes you might want to create a tunnel without encryption. Often this is
+a bad idea, even if you have some data which need not be private. See
+this discussion. 
+
          
+The IPSEC protocols provide two ways to do build such tunnels,
+
            
+
          • using AH without ESP
+
          • using ESP with null encryption.
+
          
+Linux FreeS/WAN allows AH-only for manually keyed connections, but
+not with automatic keying, and does not support null encryption, so we'll look
+at other solutions here.
          
 
 
          
 One situation in which this comes up is when otherwise some data would be
-  encrypted twice. Alice wants a secure tunnel from her machine to Bob's.
-  Since she's behind one security gateway and he's behind another, part of the
-  tunnel that they build passes through the tunnel that their site admins have
-  built between the gateways. All of Alice and Bob's messages are encrypted
-  twice.
          
+encrypted twice. Alice wants a secure tunnel from her machine to Bob's.
+Since she's behind one security gateway and he's behind another, part of the
+tunnel that they build passes through the tunnel that their site admins have
+built between the gateways. All of Alice and Bob's messages are encrypted
+twice.
          
 
-  
          There are several ways to handle this.
          
+
          
+There are several ways to handle this.
          
   
            
     
          • Just accept the overhead of double encryption. The site admins might
-      choose this if policy says encrypt everything, if they don't entirely
-      trust Alice and Bob, or if they don't feel the saved cycles are worth
-      the time they'd need to build a non-encrypted tunnel for Alice and Bob's
-      packets.
            • 
+      choose this if any of the following apply:
+    
              
+	
            • policy says encrypt everything (usually, it should)
+	
            • they don't entirely trust Alice and Bob (usually, if they don't have to, they
+       shouldn't)
+	
            • if they don't feel the saved cycles are worth the time they'd need to
+      build a non-encrypted tunnel for Alice and Bob's packets (often, they aren't)
+    
            
     
          • Use a plain IP-in-IP tunnel. These are not well documented. A good
       starting point is in the Linux kernel source tree, in
       /usr/src/linux/drivers/net/README.tunnel.
            • 
-    
          • Use a manually-keyed AH-only tunnel. This is recommended over ESP with
-      null encryption.
            • 
+    
          • Use a manually-keyed AH-only tunnel.
            • 
   
          
-
+
          
+Note that if Alice and Bob want end-to-end security, they must build a tunnel
+end-to-end between their machines or use some other end-to-end tool such as
+PGP or SSL that suits their data. The only question is whether the admins
+build some special unencrypted tunnel for those already-encrypted packets.
  
 
 
diff -bruN freeswan-1.9.orig/doc/src/faq.html freeswan-1.9/doc/src/faq.html
--- freeswan-1.9.orig/doc/src/faq.html	Wed Mar 14 19:12:33 2001
+++ freeswan-1.9/doc/src/faq.html	Sun Jun  3 22:41:06 2001
@@ -36,6 +36,9 @@
 Can different FreeS/WAN versions talk to each other?
          • 
 
        • 
 Does FreeS/WAN run on my version of Linux?
          • 
+
        • 
+Does FreeS/WAN run on the latest kernel version?
          • 
+
 
        • 
 Can I modify FreeS/WAN to ...?
          • 
 
        • 
@@ -48,6 +51,10 @@
 
        • Compilation problems
          • 
 
 
 
        • 
@@ -66,10 +73,10 @@
 
        • The firewall ate my packets!
          • 
 
        • Dropped connections
          • 
 
-
- 
 
        • 
 TCPdump on the gateway shows strange things
          • 
+
        • 
+Traceroute does not show anything between the gateways
          • 
 
        
 
 
      • Testing in stages
        • 
@@ -93,12 +100,20 @@
 Interpreting error messages
 
 
@@ -123,24 +141,19 @@
 
      • Can I assign a road warrior an address on my net?
        • 
 
 
      • Can I use Quality of Service routing with FreeS/WAN?
        • 
+
      • Can I recognise dead tunnels and shut them down?
        • 
+
      • Can I build tunnels over a demand-dialed link?
        • 
+
 
      • 
 Does FreeS/WAN support X.509 or other PKI certificates?
        • 
 
      • 
 Does FreeS/WAN support Radius or other user authentication?
        • 
 
-
      • 
+
      • 
 Does FreeS/WAN support single DES encryption?
        • 
-
 
-
      
-
-
    • Why don't you restrict the mailing list to reduce spam?
      • 
+
    • Why don't you restrict the mailing lists to reduce spam?
      • 
 
 
 
      
@@ -257,6 +270,36 @@
 Note, however, that we do not test this often and have never tested on
 multiprocessor machines of other architectures.
 
+
+
+
      Does FreeS/WAN run on the latest kernel version?
      
+
+Quite often, no.
+
      
+Released versions of FreeS/WAN generally run on whatever production
+kernels were current at the time of the release. For example, FreeS/WAN
+1.91 runs on kernel 2.2.19 or 2.4.5. Often they will run on slightly
+earlier or later kernels as well, but we test on the current production
+kernels, so those are strongly recommended.
+
      
+The kernel is under active development and it is not uncommon for
+changes to appear that cause problems for FreeS/WAN. For example,
+2.4.6 or 2.4.7 may have changes that break FreeS/WAN 1.91. Or not;
+you can't tell in advance. When such changes appear, we put a fix
+in the FreeS/WAN snapshots, and distribute it with our next release.
+
      
+However, this is not a top priority for us, and it may take
+anything from a few days to several weeks for such a problem to find
+its way to the top of our kernel programmer's todo list. In the
+meanwhile, you have two choices: either stick with a slightly older
+kernel, or fix the problem yourself and send us a patch.
+
      
+We don't even try to keep up with kernel changes outside the main
+2.2 and 2.4 branches, such as the 2.4.x-ac patched versions from
+Alan Cox or (when they appear) the 2.5 series of development kernels.
+We'd rather work on developing the FreeS/WAN code than on chasing
+these moving targets. 
+ 
 
      Can I modify FreeS/WAN to ...?
      
 
 You are free to modify FreeS/WAN in any way. See the discussion of
@@ -264,6 +307,30 @@
 
 
      Can I contribute to the project?
      
 
+In general, we welcome contributions from the community. Various contributed
+patches, either to fix bugs or to add features, have been incorporated into
+our distribution. Other patches, not yet included in the distribution, are
+listed in our web links section.
+
      
+Users have also contributed heavily to documentation, both by creating their
+own HowTos and by posting things on the
+mailing lists which I have quoted in these HTML docs.
+
      
+There are, however, some caveats.
+
      
+FreeS/WAN is being implemented in Canada, by Canadians, largely to ensure
+that is it is entirely free of export restrictions. See this
+discussion. We cannot accept
+code contributions from US residents or citizens, not even one-line
+bugs fixes. The reasons for this were recently discussed extensively on the
+mailing list, in a thread starting
+here.
+
      
+Not all contributions are of interest to us. The project has a set of
+fairly ambitious and quite specific goals, described in our
+introduction. Contributions that lead toward
+these goals are likely to be welcomed enthusiastically. Other contributions
+may be seen as lower priority, or even as a distraction. 
 
 
      Is there detailed design documentation?
      
 
@@ -300,6 +367,22 @@
 For more information and the latest version, see the
 GMP home page.
 
+
      ... virtual memory exhausted
      
+
+We have had several reports of this message appearing, all on SPARC
+Linux. Here is a mailing message on a solution:
+
      +> ipsec_sha1.c: In function `SHA1Transform':
+> ipsec_sha1.c:95: virtual memory exhausted
+
+I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
+MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.
+
+I can get around this by using -O instead of -O2 for the optimization
+level.  So it is probably a bug in the optimizer on the sparc complier. 
+I'll try and chase this down on the sparc lists.
+
      
+
 
      Life's little mysteries
      
 
 FreeS/WAN is a fairly complex product. (Neither the networks it
@@ -530,8 +613,8 @@
        there, which may be preferable to having them  sent elsewhere
        based  on  a  more  general  route (e.g., a default
        route).
-
      
 
      
+
      
        Normally, pluto's route to a destination remains in  place
        when  a  --down  operation  is used to take the connection
        down (or if connection setup, or later automatic rekeying,
@@ -542,6 +625,7 @@
        route can be removed using the --unroute operation (and is
        implicitly removed by --delete).
 
      
+
      
 See also this mailing list
 message.
 
@@ -570,7 +654,7 @@
 number of reasons, ranging from hardware failures to various software
 problems such as the path MTU problems discussed
 elsewhere in the FAQ. Fortunately, various
-diagnostic tools exist that help you sort many of the possible problems.
      
+diagnostic tools exist that help you sort out many of the possible problems.
      
 
      
 There is one situation, however, where FreeS/WAN (using default settings) may
 destroy a connection for no readily apparent reason. This occurs
@@ -580,7 +664,7 @@
 In this situation, the first tunnel comes up fine and works until the
 second is established. At that point, because of the way we track
 connections internally, the first tunnel ceases to exist as far as this
-gateway is concerned. Of course the far end does not know that and a storm
+gateway is concerned. Of course the far end does not know that, and a storm
 of error messages appears on both systems as it tries to use the tunnel.
      
 
      
 If the far end gives up, goes back to square one and negotiates a new
@@ -669,6 +753,78 @@
 Internet.
 
      
 
+
      Traceroute does not show anything between the gateways
      
+
+As far as traceroute can see, the two gateways are one hop apart; the data packet
+goes directly from one to the other through the tunnel. Of course the outer packets
+that implement the tunnel pass through whatever lies between the gateways, but 
+those packets are built and dismantled by the gateways. Traceroute does not see
+them and cannot report anything about their path.
+
      
+Here is a mailing list message with more detail.
+
      +Date: Mon, 14 May 2001
+To: linux-ipsec@freeswan.org
+From: "John S. Denker" <jsd@research.att.com<
+Subject: Re: traceroute: one virtual hop
+
+At 02:20 PM 5/14/01 -0400, Claudia Schmeing wrote:
+>
+>> > A bonus question: traceroute in subnet to subnet enviroment looks like:
+>> > 
+>> > traceroute to andris.dmz (172.20.24.10), 30 hops max, 38 byte packets
+>> > 1  drama (172.20.1.1)  0.716 ms  0.942 ms  0.434 ms
+>> > 2  * * *
+>> > 3  andris.dmz (172.20.24.10)  73.576 ms  78.858 ms  79.434 ms
+>> > 
+>> > Why aren't there the other hosts which take part in the delivery during 
+>    * * * ?
+>
+>If there is an ipsec tunnel between GateA and Gate B, this tunnel forms a 
+>'virtual wire'.  When it is tunneled, the original packet becomes an inner 
+>packet, and new ESP and/or AH headers are added to create an outer packet 
+>around it. You can see an example of how this is done for AH at 
+>doc/ipsec.html#AH . For ESP it is similar.
+>
+>Think about the packet's path from the inner packet's perspective.
+>It leaves the subnet, goes into the tunnel, and re-emerges in the second
+>subnet. This perspective is also the only one available to the
+>'traceroute' command when the IPSec tunnel is up.
+
+Claudia got this exactly right.  Let me just expand on a couple of points:
+
+*) GateB is exactly one (virtual) hop away from GateA.  This is how it
+would be if there were a physically private wire from A to B.  The
+virtually private connection should work the same, and it does.
+
+*) While the information is in transit from GateA to GateB, the hop count
+of the outer header (the "envelope") is being decremented.  The hop count
+of the inner header (the "contents" of the envelope) is not decremented and
+should not be decremented.  The hop count of the outer header is not
+derived from and should not be derived from the hop count of the inner header.
+
+Indeed, even if the packets did time out in transit along the tunnel, there
+would be no way for traceroute to find out what happened.  Just as
+information cannot leak _out_ of the tunnel to the outside, information
+cannot leak _into_ the tunnel from outside, and this includes ICMP messages
+from routers along the path.
+
+There are some cases where one might wish for information about what is
+happening at the IP layer (below the tunnel layer) -- but the protocol
+makes no provision for this.  This raises all sorts of conceptual issues.
+AFAIK nobody has ever cared enough to really figure out what _should_
+happen, let alone implement it and standardize it.
+
+*) I consider the "* * *" to be a slight bug.  One might wish for it to be
+replaced by "GateB GateB GateB".  It has to do with treating host-to-subnet
+traffic different from subnet-to-subnet traffic (and other gory details).
+I fervently hope KLIPS2 will make this problem go away.
+
+*) If you want to ask questions about the link from GateA to GateB at the
+IP level (below the tunnel level), you have to ssh to GateA and launch a
+traceroute from there.
+
      
+
 
      Testing in stages
      
 
   
      
@@ -730,13 +886,19 @@
 
      
 Other possibilities:
      
   
        
-    
      • mis-configuration of auto connection in the /etc/ipsec.conf file
        • 
+    
      • mis-configuration of auto connection in the /etc/ipsec.conf file.
+      
        One common
+      configuration error is forgetting that you need auto=add to load the
+      connection description on the receiving end so it recognises the connection
+      when the other end asks for it.
        • 
     
      • error in shared secret in /etc/ipsec.secrets
        • 
     
      • one gateway lacks a route to the other so Pluto's UDP packets are
     lost
        • 
     
      • bugs in Pluto
        • 
     
      • incompatibilities between Pluto's IKE
-      implementation and the IKE at the other end of the tunnel.
        • 
+      implementation and the IKE at the other end of the tunnel.
+      
        Some possibile problems
+      are discussed in out interoperation document.
   
      
 
 
@@ -839,6 +1001,38 @@
 Since the above message was written, we have modified the updown script
 to provide a better diagnostic for this problem. Check /var/log/messages.
 
+
      ipsec_setup: Fatal error, kernel appears to lack KLIPS
      
+
+This message indicates an installation failure. The kernel you are running does
+not contain the KLIPS (kernel IPSEC) code.
      
+
      
+Here is one of Claudia's messages on the topic:
+
      +> I tried to install freeswan 1.8 on my mandrake 7.2 test box. ...
+
+> It does show version and some output for whack.
+
+Yes, because the Pluto (daemon) part of ipsec is installed correctly, but
+as we see below the kernel portion is not.
+
+> However, I get the following from /var/log/messages:
+> 
+> Mar 11 22:11:55 pavillion ipsec_setup: Starting FreeS/WAN IPSEC 1.8...
+> Mar 11 22:12:02 pavillion ipsec_setup: modprobe: Can't locate module ipsec
+> Mar 11 22:12:02 pavillion ipsec_setup: Fatal error, kernel appears to lack
+> KLIPS.
+
+This is your problem. You have not successfully installed a kernel with
+IPSec machinery in it. 
+
+Did you build Linux FreeS/WAN as a module? If so, you need to ensure that 
+your new module has been installed in the directory where your kernel 
+loader normally finds your modules. If not, you need to ensure
+that the new IPSec-enabled kernel is being loaded correctly.
+
+See also doc/install.html, and INSTALL in the distro.
+
      
+
 
      Connection names in Pluto error messages
      
 
 
      
@@ -890,8 +1084,10 @@
 matches what the remote system has requested.
 The most common cause is a configuration error on one end or the other.
 
      
-The match involves the left, right, leftsubnet
-and rightsubnet parameters and must be exact. For example, if your
+Parameters involved in this match are left, right, leftsubnet
+and rightsubnet.
+
      
+The match must be exact. For example, if your
 left subnet is a.b.c.0/24 then neither a single machine in that net nor a
 smaller subnet such as a.b.c.64/26 will be considered a match.
 
      
@@ -925,14 +1121,97 @@
 exactly match what pluto is looking for, and it does not.
 
 
+
      Pluto: ... no suitable connection ...
      
+
+This is similar to the no connection known
+error, but occurs at a different point in Pluto processing.
+
      
+Here is one of Claudia's messages explaining the problem:
+
      +You write,
+
+> What could be the reason of the following error? 
+> "no suitable connection for peer '@xforce'"
+
+When a connection is initiated by the peer, Pluto must choose which entry in 
+the conf file best matches the incoming connection. A preliminary choice is 
+made on the basis of source and destination IPs, since that information is 
+available at that time. 
+
+A payload containing an ID arrives later in the negotiation. Based on this
+id and the *id= parameters, Pluto refines its conn selection. ...
+
+The message "no suitable connection" indicates that in this refining step,
+Pluto does not find a connection that matches that ID.
+
+Please see "Selecting a connection when responding" in man ipsec_pluto for
+more details.
+
      
+
      
+See also Connection names in Pluto error messages.
+
+
      Pluto: ... no connection has been authorized
      
+
+Here is one of Claudia's messages discussing this problem:
+
      +You write,
+
+>  May 22 10:46:31 debian Pluto[25834]: packet from x.y.z.p:10014: 
+>  initial Main Mode message from x.y.z.p:10014 
+                            but no connection has been authorized
+
+This error occurs early in the connection negotiation process,
+at the first step of IKE negotiation (Main Mode), which is itself the 
+first of two negotiation phases involved in creating an IPSec connection.
+
+Here, Linux FreeS/WAN receives a packet from a potential peer, which 
+requests that they begin discussing a connection.
+
+The "no connection has been authorized" means that there is no connection 
+description in Linux FreeS/WAN's internal database that can be used to 
+link your ipsec interface with that peer.
+
+
+
+"But of course I configured that connection!" 
+
+It may be that the appropriate connection description exists in ipsec.conf 
+but has not been added to the database with ipsec auto --add myconn or the 
+auto=add method. Or, the connection description may be misconfigured.
+
+The only parameters that are relevant in this decision are left= and right= .
+Local and remote ports are also taken into account -- we see that the port 
+is printed in the message above -- but there is no way to control these
+in ipsec.conf.
+
+
+Failure at "no connection has been authorized" is similar to the
+"no connection is known for..." error in the FAQ, and the "no suitable
+connection" error described in the snapshot's FAQ. In all three cases,
+Linux FreeS/WAN is trying to match parameters received in the
+negotiation with the connection description in the local config file.
+
+As it receives more information, its matches take more parameters into 
+account, and become more precise:  first the pair of potential peers,
+then the peer IDs, then the endpoints (including any subnets).
+
+The "no suitable connection for peer *" occurs toward the end of IKE 
+(Main Mode) negotiation, when the IDs are matched.
+
+"no connection is known for a/b===c...d" is seen at the beginning of IPSec 
+(Quick Mode, phase 2) negotiation, when the connections are matched using
+left, right, and any information about the subnets.
+
      
+
+
 
      Pluto: ... OAKLEY_DES_CBC is not supported.
      
 
 This message occurs when the other system attempts to negotiate a connection
 using single DES, which we do not support because it is
 insecure.
 
      
-Another FAQ section describes how to deal with systems
-that attempt to use single DES.
+Our interoperation document has suggestions for 
+how to deal with systems that attempt to use single DES.
 
 
       Pluto: ... no acceptable transform
      
 
@@ -947,7 +1226,7 @@
 FreeS/WAN does not support that. (see below for DES
 problems)  
 
-A more detailed explanation, from Pluto programmer Hugh Redelmaier:
      
+A more detailed explanation, from Pluto programmer Hugh Redelmeier:
      
 
 
       Background:
@@ -1134,6 +1413,57 @@
 This problem is also discussed in this FAQ under the heading
 One manual connection works, but second one fails.
 
+
      ... ignoring ... payload
      
+
+This message is harmless. The IKE protocol provides for a number of optional
+messages types:
+
        
+
      • delete SA
+
      • initial contact
+
      • vendor ID
+
      •  ...
+
       
+An implementation is never required to send these, but they are allowed to. 
+The receiver is not required to do anything with them. FreeS/WAN ignores
+them, but notifies you via the logs.
+
      
+For the "ignoring delete SA Payload" message, see also the discussion
+below of cleaning up dead tunnels.
+
+
      ipsec_setup: ... interfaces ... and ... share address ...
      
+
+This is a fatal error. FreeS/WAN cannot cope with two or more interfaces using
+the same IP address. You must re-configure to avoid this.
+
      
+A mailing list message on the topic from Pluto developer Hugh Redelmeier:
+
      +| I'm trying to get freeswan working between two machine where one has a ppp
+| interface.
+| I've already suceeded with  two machines with ethernet ports but  the ppp
+| interface is causing me problems.
+|  basically when I run ipsec start  i get
+| ipsec_setup: Starting FreeS/WAN IPSEC 1.7...
+| ipsec_setup: 003 IP interfaces ppp1 and ppp0 share address 192.168.0.10!
+| ipsec_setup: 003 IP interfaces ppp1 and ppp2 share address 192.168.0.10!
+| ipsec_setup: 003 IP interfaces ppp0 and ppp2 share address 192.168.0.10!
+| ipsec_setup: 003 no public interfaces found
+|
+| followed by lots of cannot work out interface for connection messages
+|
+| now I can specify the interface in ipsec.conf to be ppp0 , but this does
+| not affect the above behaviour. A quick look in server.c indicates that the
+| interfaces value  is not used but some sort of raw detect happens.
+|
+| I guess I could prevent the formation of the extra ppp interfaces or
+| allocate them different ip but I'd  rather not. if at all possible. Any
+| suggestions please.
+
+Pluto won't touch an interface that shares an IP address with another.
+This will eventually change, but it probably won't happen soon.
+
+For now, you will have to give the ppp1 and ppp2 different addresses.
+
      
+
 
      Can I ...
      
 
 
      Can I reload connection info without restarting?
      
@@ -1163,6 +1493,9 @@
 There may be more bits to look for, depending on what you are trying
 to do.
 
       
+
      
+Another useful command here is ipsec auto --replace <conn_name>
+which re-reads data for a named connection. 
 
 
      Can I use several masqueraded subnets?
      
 
@@ -1247,9 +1580,9 @@
 leftsubnet to rightsubnet and vice versa. For this
 to work, the two subnets must be distinct.
 
      
-There are only two solutions to this problem.
+There are several solutions to this problem.
 
        
-
      • Usually, you re-number the subnets. Perhaps the Vancouver office becomes
+
      • Usually, you re-number the subnets. Perhaps the Vancouver office becomes
 192.168.101.0/24, Calgary 192.168.102.0/24 and so on. FreeS/WAN can happily
 handle this. With, for example leftsubnet=192.168.101.0/24 and
 rightsubnet=192.168.102.0/24 in a connection description, any machine
@@ -1257,8 +1590,11 @@
 restrictive and use something like leftsubnet=192.168.101.128/25 and
 rightsubnet=192.168.102.240/28 so only certain machines on each end
 have access to the tunnel, that's fine too.
-
      • Alternately, you can just give up routing directly to machines on the
-subnets. Omit the leftsubnet and rightsubnet parameters
+
      • You could also split the subnet into smaller ones, for example
+using 192.168.1.0/25 in Vancouver and rightsubnet=192.168.0.128/25
+in Calgary. 
+
      • Alternately, you can just give up routing directly to machines
+on the subnets. Omit the leftsubnet and rightsubnet parameters
 from your connection descriptions. Your IPSEC tunnels will then run between
 the public interfaces of the two firewalls. Packets will be masqueraded
 both before they are put into tunnels and after they emerge. Your Vancouver
@@ -1306,9 +1642,150 @@
 DiffServ does not interact well with tunneling in general.  Ways of
 improving this are being studied.
 
+
        
+Copying the TOS information from the encapsulated packet to the outer
+header reveals the TOS information to an eavesdropper. It is not clear
+whether or how an attacker could use this information, but since we do
+not have to give it to him, our default is not to.
+
        
 See ipsec.conf(5) for more
 on the hidetos= parameter.
 
+
        Can I recognise dead tunnels and shut them down?
        
+
+There is no general mechanism to do this is in the IPSEC protocols.
+
        
+From time to time, there is discussion on the IETF Working Group
+mailing list of adding a "keep-alive"
+mechanism (which some say should be called "make-dead"),
+but it is a fairly complex problem and no consensus has been reached
+on whether or how it should be done.
+
        
+The protocol does have optional delete-SA messages
+which one side can send when it closes a connection in hopes this will cause the other
+side to do the same. FreeS/WAN does not currently support these. In any
+case, they would not solve the problem since:
+
          
+
        • a gateway that crashes or hangs would not send the messages
+
        • the sender is not required to send them
+
        • they are not authenticated, so any receiver that trusts them leaves itself open to a
+denial of service attack
+
        • the receiver is not required to do anything about them
+
        • the receiver cannot acknowledge them; the protocol provides no mechanism for that
+
        • since they are not acknowledged, the sender cannot rely on them
+
        
+
        
+However, connections do have limited lifetimes and you can control how many
+attempts your gateway makes to rekey before giving up. For example, you can
+set:
+
        +conn default
+	keyingtries=3
+	keylife=30m
+
        
+With these settings old connections will be cleaned up. Within 30 minutes
+of the other end dying, rekeying will be attempted. If it succeeds, the new
+connection replaces the old one. If it fails, no new connection is created.
+Either way, the old connection is taken down when its lifetime expires.
+
        
+Here is a mailing list message on the topic from FreeS/WAN tech support person
+Claudia Schmeing:
+
        +You ask how to determine whether a tunnel is redundant:
+
+> Can anybody explain the best way to determine this. Esp when a RW has
+> disconnected? I thought 'ipsec auto --status' might be one way.
+
+If a tunnel goes down from one end, Linux FreeS/WAN on the
+other end has no way of knowing this until it attempts to rekey.
+Once it tries to rekey and fails, it will 'know' that the tunnel is 
+down.
+
+Because it doesn't have a way of knowing the state until this point, 
+it will also not be able to tell you the state via ipsec auto --status.
+
+> However, comparing output from a working tunnel with that of one that
+> was closed 
+> did not show clearly show tunnel status.
+
+If your tunnel is down but not 'unrouted' (see man ipsec_auto), you
+should not be able to ping the opposite side of the tunnel. You can
+use this as an indicator of tunnel status.
+
+On a related note, you may be interested to know that as of 1.7, 
+redundant tunnels caused by RW disconnections are likely to be 
+less of a pain. From doc/CHANGES:
+
+    There is a new configuration parameter, uniqueids, to control a new Pluto
+    option:  when a new connection is negotiated with the same ID as an old
+    one, the old one is deleted immediately.  This should help eliminate
+    dangling Road Warrior connections when the same Road Warrior reconnects. 
+    It thus requires that IDs not be shared by hosts (a previously legal but
+    probably useless capability).  NOTE WELL:  the sample ipsec.conf now has
+    uniqueids=yes in its config-setup section.
+
+
+Cheers,
+
+Claudia
+
        
+
+
        Can I build tunnels over a demand-dialed link?
        
+
+This is possible, but not easy. FreeS/WAN technical lead Henry Spencer wrote:
+
        +> 5. If the ISDN link goes down in between and is reestablished, the SAs
+> are still up but the eroute are deleted and the IPSEC interface shows
+> garbage (with ifconfig)
+> 6. Only restarting IPSEC will bring the VPN back online.
+
+This one is awkward to solve.  If the real interface that the IPsec
+interface is mounted on goes down, it takes most of the IPsec machinery
+down with it, and a restart is the only good way to recover. 
+
+The only really clean fix, right now, is to split the machines in two: 
+
+1. A minimal machine serves as the network router, and only it is aware
+that the link goes up and down. 
+
+2. The IPsec is done on a separate gateway machine, which thinks it has
+a permanent network connection, via the router.
+
+This is clumsy but it does work.  Trying to do both functions within a
+single machine is tricky.  There is a software package (diald) which will
+give the illusion of a permanent connection for demand-dialed modem
+connections; I don't know whether it's usable for ISDN, or whether it can
+be made to cooperate properly with FreeS/WAN. 
+
+Doing a restart each time the interface comes up *does* work, although it
+is a bit painful.  I did that with PPP when I was running on a modem link;
+it wasn't hard to arrange the PPP scripts to bring IPsec up and down at
+the right times.  (I'd meant to investigate diald but never found time.)
+
+In principle you don't need to do a complete restart on reconnect, but you
+do have to rebuild some things, and we have no nice clean way of doing
+only the necessary parts.
+
        
+In the same thread, one user commented:
+
        +Subject: Re: linux-ipsec: IPSEC and Dial Up Connections
+   Date: Wed, 22 Nov 2000
+   From: Andy Bradford <andyb@calderasystems.com>
+
+On Wed, 22 Nov 2000 19:47:11 +0100, Philip Reetz wrote:
+
+> Are there any ideas what might be the cause of the problem and any way
+> to work around it.
+> Any help is highly appreciated.
+
+On my laptop, when using ppp there is a ip-up script in /etc/ppp that 
+will be executed each time that the ppp interface is brought up.  
+Likewise there is an ip-down script that is called when it is taken 
+down.  You might consider custimzing those to stop and start FreeS/Wan 
+with each connection.  I believe that ISDN uses the same files, though 
+I could be wrong---there should be something similar though.
+
        
+ 
 
 
        Does FreeS/WAN support X.509 or other PKI certificates?
        
 
@@ -1357,7 +1834,7 @@
 user authentication in IPSEC. 
 
 
-        
+
 
        Does FreeS/WAN support single DES encryption?
        
 
 No, single DES is not used either at the         IKE
@@ -1365,42 +1842,31 @@
 level for actually building them.
 
        
 Single DES is insecure.
-
-
-
        But isn't DES support part of the IPSEC standard?
        
-
-Yes, but DES is insecure. As we see it, it is more
+As we see it, it is more
 important to deliver real security than to comply with a standard which
 has been subverted into allowing use of inadequate methods. See this
 discussion.
-
-
-
        I have to talk to .... which offers only DES. How do I do this?
        
-
-Ask the device vendor for the         triple DES upgrade.
-These exist for many IPSEC devices. If no cipher stronger than DES is available,
-we recommend you not use that IPSEC implementation.
 
        
-If a 3DES implementation exists but your vendor cannot sell it to you
-because of export laws, consider complaining to one or more of:
-
          
-
        • the vendor
-
        • your own government, especially any branch concerned with citizen's
-privacy and/or protection of communication infrastructure
-
        • the local embassy of the nation which restricts export to you
-
        
-
        
-Consider using FreeS/WAN instead. PCs are cheap and we deliver 3DES now.
-
        
-As a matter of project policy, we will not help anyone subvert FreeS/WAN
-to provide insecure DES encryption.
+If you want to interoperate with an IPSEC implementation which offers only DES,
+see our interoperation document.
 
 
-
        Why don't you restrict the mailing list to reduce spam?
        
+
        Why don't you restrict the mailing lists to reduce spam?
        
 
        
-As a matter of policy, the list needs to be open to non-subscribers. Project
-management feel strongly that maintaining this openness is more important
-than blocking spam.
+As a matter of policy, some of our mailing lists need
+to be open to non-subscribers. Project management feel strongly that maintaining
+this openness is more important than blocking spam.
+
          
+
        • Users should be able to get help or report bugs without subscribing.
+
        • Even a user who is subscribed may not have access to his or her subscribed
+account when he or she needs help, miles from home base in the middle of setting
+up a client's gateway.
+
        • There is arguably a legal requirement for this policy.
+A US resident or citizen could be charged under munitions export laws for
+providing technical assistance to a foreign cryptographic project. Such a
+charge would be more easily defended if the discussion takes place in public,
+on an open list.
+
        
 
        
 This has been discussed several times at some length on the list. See the
 list archives. Bringing the topic up again
@@ -1417,10 +1883,15 @@
 
 Adding this FAQ section is one of the steps he refers to.
 
        
-You have various options other than just putting up with the spam or
-unsubscribing:
+You have various options other than just putting up with the spam, filtering
+it yourself, or unsubscribing:
+
          
+
        • read the main list via one of its archives
+
        • subscribe only to one or both of our lists with restricted posting rules:
 
            
-
          • read the list via one of its archives
+
          • briefs, weekly list summaries
+
          • announce, project-related announcements
+
           
 
        • subscribe to one or more of the other FreeS/WAN-related lists.
 
        
 
        
@@ -1445,7 +1916,8 @@
 
        
 For information on tracking down spammers, see these
 HowTos, or
-the Sputum site.
+the Sputum site. Sputum have a Linux
+anti-spam screensaver available for download.
 
        
 Here is a more detailed message from Henry:
 
        diff -bruN freeswan-1.9.orig/doc/src/firewall.html freeswan-1.9/doc/src/firewall.html
--- freeswan-1.9.orig/doc/src/firewall.html	Wed Mar 14 19:12:35 2001
+++ freeswan-1.9/doc/src/firewall.html	Wed May  2 16:56:27 2001
@@ -156,14 +156,15 @@
     
      • protocol 51 if you use AH packet-level authentication
        • 
   
      
 
      
-  Your gateway and the other IPSEC gateways it communicates with must be able
-  to exchange these packets for IPSEC to work. Firewall rules must allow UDP
-  500 and at least one of AH or ESP on the interface that communicates with
-  the other gateway.
+Your gateway and the other IPSEC gateways it communicates with must be able
+to exchange these packets for IPSEC to work. Firewall rules must allow UDP
+500 and at least one of AH or ESP on the interface that communicates with
+the other gateway.
 
-  
      IPSEC through the gateway
      
+
      IPSEC through the gateway
      
 
-  
      The preceeding paragraph deals with packets addressed to or sent from
+
      
+The preceeding paragraph deals with packets addressed to or sent from
   your gateway. It is a separate policy decision whether to permit such
   packets to pass through the gateway so that client machines can
   build end-to-end IPSEC tunnels of their own. This may not be practical if
@@ -171,13 +172,20 @@
   may conflict with some corporate security policies. Other than that, it is
   likely a good idea.
      
 
-  
      Filtering packets from unknown gateways
      
+
      Preventing non-IPSEC traffic
      
+
+You can of course also filter everything but UDP port 500 and
+ESP or AH to restrict traffic to IPSEC only, either for anyone communicating
+with your host or just for specific partners.
+
+
      Filtering packets from unknown gateways
      
 
-  
      It is possible to use firewall rules to restrict UDP 500, ESP and AH
-  packets so that these packets are accepted only from known gateways. This is
-  not strictly necessary since FreeS/WAN will discard packets from unknown
-  gateways. You might, however, want to do it for any of a number of reasons.
-  For example:
      
+
      
+It is possible to use firewall rules to restrict UDP 500, ESP and AH
+packets so that these packets are accepted only from known gateways. This is
+not strictly necessary since FreeS/WAN will discard packets from unknown
+gateways. You might, however, want to do it for any of a number of reasons.
+For example:
      
   
        
     
      • Arguably, "belt and suspenders" is the sensible approach to security.
       If you can block a potential attack in two ways, use both. The only
@@ -364,7 +372,13 @@
 Here you have a choice of techniques depending on whether you want
 to make your client subnet visible to clients on the other end:
 
          
-  
        • If you want to make them visible,
+
        • If you want the single gateway to behave like the two shown above, with
+your clients hidden behind the NAT, then omit the leftsubnet=
+parameter. It then defaults to the gateway address. Clients on the other
+end then talk via the tunnel only to your gateway. The gateway takes packets
+emerging from the tunnel, applies normal masquerading, and forwards them to
+clients.
+
        • If you want to make your client machines visible,
 then give the client subnet addresses as the
 leftsubnet= parameter in the connection description
 and
@@ -382,11 +396,6 @@
 although of course the encapsulating packets use gateway addresses in their
 headers. Clients behind the right security gateway see a route via
 that gateway to the left subnet.
          • 
-
        • If you want your clients hidden, then omit the leftsubnet=
-parameter. It then defaults to the gateway address. Clients on the other
-end then talk via the tunnel only to your gateway. The gateway takes packets
-emerging from the tunnel, applies normal masquerading, and forwards them to
-clients.
 
        
 
 
        NAT between gateways is problematic
        
@@ -650,7 +659,7 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 #
-# RCSID $Id: firewall.html,v 1.10.2.3 2001/03/15 00:12:35 henry Exp $
+# RCSID $Id: firewall.html,v 1.16 2001/05/02 20:56:27 sandy Exp $
 
 # check interface version
 case "$PLUTO_VERSION" in
diff -bruN freeswan-1.9.orig/doc/src/glossary.html freeswan-1.9/doc/src/glossary.html
--- freeswan-1.9.orig/doc/src/glossary.html	Sun Mar 11 23:13:16 2001
+++ freeswan-1.9/doc/src/glossary.html	Sun Jun  3 22:41:06 2001
@@ -173,7 +173,7 @@
         FreeS/WAN would be useful undertaking, and considerable freely
         available code exists to start from. One complication is that our code
         is built for a 64-bit block cipher and AES uses a 128-bit block.
-        Volunteers via the mailing list would be
+        Volunteers via the mailing lists would be
         welcome.
        
         
        For more information, see the  NIST AES home
@@ -628,7 +628,7 @@
             64K bytes and a fragment carries information on where it starts
             within that 64K and how long it is. The "ping of death" delivers
             fragments that say, for example, that they start at 60K and are
-            20K long. Attempting to re-assemble thse without checking for
+            20K long. Attempting to re-assemble these without checking for
             overflow can be fatal.
        • 
         
      
         
      The two example attacks discussed were both quite effective when
@@ -1062,9 +1062,9 @@
         interface. It then gets all the replies, does some table lookups and
         more header rewriting, and delivers the replies to the appropriate
         client machines.
      
-        
      To use masquerade with Linux FreeS/WAN, you must set
-        leftfirewall=yes and/or rightfirewall=yes in the connection
-        description in /etc/ipsec.conf.
      
+        
      
+        For information on using masquerade with Linux FreeS/WAN, see our
+        firewall document and the FAQ and.
      
       
     
      IPng
      
       
      "IP the Next Generation", see IPv6.
      
@@ -1175,18 +1175,9 @@
       
     
      M
      
     
      Mailing list
      
-      
      The Linux FreeS/WAN project has an open
-        public email list for bug reports and software development
-        discussions. The list address is linux-ipsec@clinet.fi. To
-        subscribe, send mail to majordomo@clinet.fi with a
-        one-line message body "subscribe linux-ipsec".For more information,
-        send majordomo the one-line message "help".
-        
      NOTE: US citizens or residents are asked not to post code
-        to the list, not even one-line bug fixes. The project cannot
-        accept code which might entangle it in US export restrictions.
      
-        
      For more detail, see our document on this and other mailing lists.
      
+      
      The Linux FreeS/WAN project has several
+        public email lists for bug reports and software development
+        discussions. See our document on mailing lists.
      
       
      
     
      Man-in-the-middle attack
      
       
      An active attack in which the attacker
@@ -1422,7 +1413,10 @@
         communications, without a pre-shared secret and without a common PKI or previous exchange of public keys. This is one
         of the goals of the Linux FreeS/WAN project, discussed in our introduction section.
      
+        href="intro.html#goals">introduction section.
+    
      
+    Setting up for opportunistic encryption is described in our
+    configuration document.
     
      P
      
     
      P1363
     standard
      
diff -bruN freeswan-1.9.orig/doc/src/index.html freeswan-1.9/doc/src/index.html
--- freeswan-1.9.orig/doc/src/index.html	Sun Mar 11 23:13:17 2001
+++ freeswan-1.9/doc/src/index.html	Wed May 30 11:42:36 2001
@@ -2,6 +2,17 @@
 
 
 FreeS/WAN HTML document index
+
+
+
 
 
 
      FreeS/WAN documentation
      
diff -bruN freeswan-1.9.orig/doc/src/install.html freeswan-1.9/doc/src/install.html
--- freeswan-1.9.orig/doc/src/install.html	Sun Mar 11 23:13:17 2001
+++ freeswan-1.9/doc/src/install.html	Sun Jun  3 22:41:06 2001
@@ -67,21 +67,28 @@
 
 
      Choosing a kernel
      
 
-
      2.2.x for most users
      
+
      2.2.19 for many users
      
 
 
      
-Most users should run the most stable available series of
-Linux production kernels. At time of writing
-(February 2001), we recommend the 2.2 series for most users. The latest version is
-2.2.18.
      
+Many users can continue to run kernels from the 2.2 series of
+Linux production kernels.
+
      
+At time of writing (June 2001), the latest version is 2.2.19. If you
+are going to use a 2.2 kernel, we strongly recommend
+upgrading to 2.2.19 since:
+
        
+
      • It has a number of small security fixes not found in earlier kernels.
+
      • There have been changes in some kernel file formats that make it
+difficult to compile a current FreeS/WAN with earlier kernels. See the
+mailing list archives for details if needed.
+
      
 
 
      2.4.x is possible
      
 
-The new 2.4 series of kernels were first released in January 2001 and are currently
-(mid-February) at 2.4.2. FreeS/WAN does work on these kernels, but for production
-use we suggest waiting a while yet.
+The new 2.4 series of kernels began in January 2001 and are currently
+(early June) at 2.4.5. FreeS/WAN is known to work on 2.4.5.
 
      
-On the other hand, 2.4 has new firewalling code called
+2.4 has new firewalling code called
 netfilter.
 This may provide good reasons to move to 2.4, especially on for gateway machines.
 
@@ -108,7 +115,7 @@
 in the version number (2.0, 2.2, 2.4) and development kernels have an odd
 digit there (2.1, 2.3, 2.5).
 
      
-At time of writing (February 2001, shortly after the release of 2.4), no more 2.3
+At time of writing, no more 2.3
 kernels are being produced and the 2.5 series has not been started yet, so just
 now development kernels are not an issue. No doubt a 2.5 series will be started
 in the next few months.
@@ -452,7 +459,7 @@
 Of course any status information at this point should be uninteresting
 since you have not yet configured connections.
      
 
-
      Links to other sections
      
+
      Where to go from here
      
 
 
      See the following section for information on configuring
 connections.
      
diff -bruN freeswan-1.9.orig/doc/src/interop.html freeswan-1.9/doc/src/interop.html
--- freeswan-1.9.orig/doc/src/interop.html	Wed Mar 14 19:12:35 2001
+++ freeswan-1.9/doc/src/interop.html	Sun Jun  3 22:41:06 2001
@@ -49,40 +49,41 @@
 are available for both those formats. See this list of 
 patches and add-ons.
 
-  
      Interoperability problems
      
+
      Interoperability problems
      
 
-  
      The IPSEC RFCs are complex and include a number of optional features.
+
      
+The IPSEC RFCs are complex and include a number of optional features.
   There is considerable opportunity for even two correct, standard-conforming,
   implementations to disagree on details in a way that blocks interoperation.
   Of course, misinterpretations of the standards and implementation or
   configuration errors on either end can also foul things up.
      
 
   
      That said, FreeS/WAN interoperates successfully with many other
-  implementations. There is a list in another
-  section.
      
+  implementations. There is a list below.
      
 
 
      
 Known areas where problems may appear are:
      
   
        
+    
      • FreeS/WAN does not implement single DES because DES is insecure. Suggestions on what to do if
+      the device you want to talk to has only DES are below.
        • 
+    
      • FreeS/WAN does not implement Diffie-Hellman group 1 because it
+      it is not entirely clear that this is secure.
        • 
     
      • The RFCs define two modes for IKE negotiations -- main mode and
       aggressive mode. Aggressive mode is slightly faster, but reveals more
       information to an eavesdropper. Specifically, it lets an eavesdropper
       know what identities are in use. FreeS/WAN does not implement
       aggressive mode, so any negotiation another implementation
-      tries that way will fail. In principle this should not be a problem
-      since main mode support is required in all implementations and aggressive
-      mode is optional.
+      tries that way will fail.
       
        
-      In practice, it is sometimes a problem. Some implementations default to
+      In principle this should not be a problem
+      since main mode support is required in all implementations and aggressive
+      mode is optional.       In practice, it is sometimes a problem.
+      Some implementations default to
       aggressive mode unless you configure them for main mode.
        
-    
        • 
-    
      • FreeS/WAN does not implement single DES because DES is insecure. Suggestions on what to do if
-      the device you want to talk to has only DES are in our FAQ document.
        • 
-    
      • FreeS/WAN does not implement Diffie-Hellman group 1 because it
-      it is not entirely clear that this is secure.
-    
      • For automatic keying, the FreeS/WAN default is to provide
+
+    
      • 
+      For automatic keying, the FreeS/WAN default is to provide
       perfect forward secrecy. We see no reason not
       to; this is more secure and costs little. Some other implementations,
       however, turn PFS off by default.
@@ -90,6 +91,18 @@
       You can turn PFS off in FreeS/WAN with the pfs=no setting in
       ipsec.conf(5), but if possible
       we suggest you enable it on the other end instead. That is more secure.
        • 
+    
      • 
+      The IKE protocol allows several types of optional message. Two things happen
+      which are allowed by the RFCs:
+      
          
+      
        • Some implementations send various optional messages.
+      
        • FreeS/WAN ignores them.
+      
        
+      However, problems may arise if the other end relies on some expected effect
+      of these messages. There are two FAQ questions dealing with this, one on the
+      log message FreeS/WAN gives when ignoring
+      optional payloads and one on the delete SA
+      payload.
   
      
 
 
      
@@ -105,10 +118,10 @@
 This is possible for most implementations.
      
 
 
-
      Systems that want to use DES
      
+
      Systems that want to use single DES
      
 
 
      
-Linux FreeS/WAN does not support DES transforms. Neither Pluto's IKE
+Linux FreeS/WAN does not support single DES transforms. Neither Pluto's IKE
 connections nor KLIPS' IPSEC connections can use DES. Since
 DES is insecure we do not,
 and will not at any future time, provide it.
      
@@ -117,31 +130,35 @@
 DES is, unfortunately, a mandatory part of the IPSEC
 standard. Despite that, we will not implement DES. We believe it is more
 important to provide security than to comply with a standard which has been
-subverted into allowing weak algorithms. See our history
+subverted into allowing weak algorithms. See our
+history
 and politics section for discussion.
      
 
-  
      Some implementations may offer DES as the default. In such cases we urge
-  you to change them to Triple DES. If this is not
-  possible, for example because export laws prevent your
-  vendor from offerring you adequate crytography, we urge you to complain
-  vigorously to
      
+
      
+Some implementations may offer DES as the default. In such cases we urge
+you to change them to Triple DES. If this is not
+possible, for example because export laws prevent your
+vendor from offerring you adequate crytography, we urge you to complain
+vigorously to one or more of:
      
   
        
-    
      • your government
        • 
+    
      • your government, especially any department concerned with protecting citizens' 
+      privacy or your nation's communication infrastructure
        • 
     
      • the vendor
        • 
-    
      • the embassy of the nation whose laws are problematic for you.
        • 
+    
      • the embassy of the nation whose laws are problematic for you
        • 
   
      
 
 
      
-In the meanwhile, use FreeS/WAN to get strong crypto until the laws are
-fixed.
      
+Consider using FreeS/WAN instead. PCs are cheap and we deliver 3DES now.
 
-  
      
+
      
 FreeS/WAN does have DES code in it as a sort of
 historical accident, since we need it to implement our default (currently,
 our only) block cipher, Triple DES. However, since DES is insecure, we do not provide any interface to
-that code and, as a matter of policy, will provide no help to anyone who may
-wish to use it.
      
+that code.
      
+
      
+As a matter of project policy, we will not help anyone subvert FreeS/WAN
+to provide insecure DES encryption.
 
 
 
      Interop HowTo documents
      
@@ -183,6 +200,8 @@
   FreeS/WAN and Windows 2000
    
    • Ryan's HowTo for getting PGPnet to
    connect with FreeS/WAN using x509 certs through a Linksys router, with IPSec passthru enabled.
+ 
+
   
 
      
 See also our list of available patches and add-ons.
@@ -333,7 +352,8 @@
 but it gets there :-)
 
 
-  
      A later message from Ian:
      
+
      
+A later message from Ian:
      
 
       This configuration is provided as-is and with no assistance or guarantee
 that it works whatsover. In particular your attention is drawn to the versions
@@ -415,6 +435,19 @@
 
 
      Nortel (Bay Networks) Contivity switch
      
 
+There is one known issue in FreeS/WAN-to-Contivity interoperation.
+Recent versions of FreeS/WAN no longer support DH group 1 for key
+exchange. Older versions of Contivity software support nothing else.
+Group 2 was added in more recent releases. So:
+
        
+
      • older FreeS/WANs, such as 1.5, will work with any Contivity software.
+Key exchange will be done using DH Group 1. This may not be secure.
+
      • current FreeS/WANs will work only with recent Contivity releases
+supporting DH Group 2. Contivity 3.5 is one such release.
+
      
+We recommend using the latest Contivity release.
+
      
+Some messages from the mailing list:
 
       Subject: Contivity Extranet Switch
    Date: Fri, 11 Jun 1999
@@ -832,6 +865,20 @@
   vendor's site or browsed at a VPN mailing list site.
      
 
+
      Redcreek Ravlin
      
+
+We have reports of successful interoperation at an interop
+conference, but
+there is also a mailing list 
+thread
+discussing difficulties some users have encountered.
+
+
      SSH Sentinel
      
+
+The vendor's 
+web site
+has configuration examples for use with FreeS/WAN.
+
 
      F-Secure VPN for Windows
      
   
         Subject: linux-ipsec: Identification through other than IP number
    Date: Tue, 13 Apr 1999
@@ -1510,7 +1557,8 @@
 of both domains or consider setting up WINS service(s).
 
      
 We suspect that in some cases it may be more complex than that. See the
-discussion of Linux services and Windows 2000 below.
+discussion of Linux services and Windows 2000 below
+and the Interop HowTo documents listed above.
 
 
      Windows 2000
      
 
@@ -1594,15 +1642,10 @@
 
   
      FreeS/WAN-to-Win2000 interop
      
 
-
      As for IPSEC interoperation between Windows 2000 and FreeS/WAN,
-there are some web sites:
      
-
+
      
+As for IPSEC interoperation between Windows 2000 and FreeS/WAN,
+there are several web sites listed under Interop HowTo documents
+above.
      
 
   
      Here is a discussion from the mailing list:
      
   
      From: "Jean-Francois Nadeau" <jna@microflex.ca>
diff -bruN freeswan-1.9.orig/doc/src/intro.html freeswan-1.9/doc/src/intro.html
--- freeswan-1.9.orig/doc/src/intro.html	Wed Mar 14 19:12:35 2001
+++ freeswan-1.9/doc/src/intro.html	Sun Jun  3 22:41:07 2001
@@ -184,7 +184,7 @@
   
    • If Network Address Translation (NAT) is applied between the two IPSEC
     Gateways, this breaks IPSEC. IPSEC authenticates packets on an end-to-end
     basis, to ensure they are not altered en route. NAT rewrites packets as
-    they go by.
      • 
+    they go by. See our firewalls document for details.
      • 
 
 
 
      
@@ -201,7 +201,7 @@
 preset information about the other.  We hope this will go some distance
 toward creating a secure Internet, an environment where message privacy is the
 default. See our history and politics of cryptography
-section for discussion
      
+section for discussion.
      
 
      
 Both systems pick up the authentication information they need from the
 DNS (domain name service), the service
@@ -214,8 +214,8 @@
 accept unencrypted communication is a policy decision the administrator can
 make.
      
 
      
-A draft document giving most of the details
-of how we plan to implement this is available.
      
+A draft document giving most of the details of how we plan to implement
+this has been posted to the mailing list. See links below.
      
 
      
 Only one current product we know of implements a form of opportunistic
 encryption. Secure sendmail will automatically encrypt
@@ -377,8 +377,11 @@
   
    • the UK
      • 
   
    • Slovak
     Republic
      • 
+  
    • Australia
      • 
   
    • technolust
      • 
   
    • Ivan Moore's site
      • 
+  
    • the Crypto Archive on the
+  Security Portal site
 
 
 
      The "munitions" archive of Linux crypto software
      
@@ -395,14 +398,18 @@
 Any of those will have a list of other "munitions" mirrors.
 
 
      Archives of the project mailing list
      
+
+Until quite recently, there was only one FreeS/WAN mailing list, and archives
+of it were:
 
-
-
      
 The two archives use completely different search engines. You might want to
 try both.
      
+
      
+More recently we have expanded to five lists, each with its own archive.
+See details elsewhere in the documentation.
 
 
      More information on this and other mailing lists.
      
 
@@ -425,7 +432,7 @@
   
    • Trustix Secure Linux (Norway)
 
 
      
-For distributions which do not include FreeS/WAN and are not Redhat 6.x (which we
+For distributions which do not include FreeS/WAN and are not Redhat (which we
 develop and test on), there is additional information in our
 compatibility section.
      
 
      
@@ -475,6 +482,8 @@
   FreeS/WAN
      • 
   
    • Merilus use FreeS/WAN in their Gateway Guardian firewall
     product and in their Firecard product, a Linux firewall on a PCI card.
+  
    • Kyzo have a "pizza box" product line with various types of
+    server, all running from flash. One of them is an IPSEC/PPTP VPN server.
 
 
 
      We would appreciate hearing of other products using FreeS/WAN.
      
@@ -601,7 +610,7 @@
      
    • kernel programmer Richard Guy Briggs on
     redesign of KLIPS
      
    • technical lead Henry Spencer on
-     opportunistic encryption
+     opportunistic encryption
   
    Both documents are works in progress and may be revised. Check the mailing list for more recent versions.
     
    • Bart Trojanowski's web page has a draft design for
diff -bruN freeswan-1.9.orig/doc/src/ipsec.html freeswan-1.9/doc/src/ipsec.html
--- freeswan-1.9.orig/doc/src/ipsec.html	Mon Feb 26 19:59:17 2001
+++ freeswan-1.9/doc/src/ipsec.html	Sun Jun  3 22:41:07 2001
@@ -243,7 +243,8 @@
 
   
      Using authentication without encryption
      
 
-  
      Where appropriate, IPSEC can provide authentication without encryption.
+
      
+Where appropriate, IPSEC can provide authentication without encryption.
   One might do this, for example:
      
   
        
     
      • where the data is public but one wants to be sure of getting the right
@@ -256,7 +257,14 @@
       harder.
        • 
   
      
 
      
-  Authentication has lower overheads than encryption.
+Authentication has lower overheads than encryption.
+
      
+The protocols provide four ways to build such connections, using either an
+AH-only connection or ESP using null encryption, and in either manually or
+automatically keyed mode. FreeS/WAN supports only one of these, manually keyed
+AH-only connections, and we do not recommend using that. Our
+reasons are discussed under Resisting traffic analysis
+a few sections further along.
 
   
      Encryption without authentication is dangerous
      
 
@@ -276,7 +284,8 @@
     
    • AH for authentication alone
      • 
   
 
-  
      Other variants are allowed by the standard, but not much used:
      
+
      
+Other variants are allowed by the standard, but not much used:
      
   
      
     
      ESP encryption without authentication
      
       
      Bellovin has demonstrated fatal flaws in this. Do not
@@ -296,15 +305,14 @@
         might use ESP as well.
      
     
      ESP authentication without encryption
      
       
      The standard allows this, calling it "null encryption". FreeS/WAN
-        does not normally support it, but it can be enabled with a kernel
-        configuration option. We recommend that you use AH instead if
+        does not support it. We recommend that you use AH instead if
         authentication is all you require. AH authenticates parts of the IP
-        header, which ESP-null does not do. Also, if you do not enable
-        ESP-null on your FreeS/WAN machine, then you run no risk of a
-        configuration error using this when it should be encrypting.
      
+        header, which ESP-null does not do.
   
      
-
-  
      There are fairly frequent suggestions that AH be dropped entirely from
+Some of these variants cannot be used with FreeS/WAN because we do not support
+ESP-null and do not support automatic keying of AH-only connections. 
+
      
+There are fairly frequent suggestions that AH be dropped entirely from
   the IPSEC specifications since ESP and null encryption can handle that
   situation. It is not clear whether this will occur. My guess is that it is
   unlikely.
      
@@ -340,14 +348,13 @@
 derive useful intelligence from encrypted traffic without breaking the
 encryption. For example, an eavesdropper might deduce something interesting
 merely by knowing that your CEO was exchanging email with a particular
-venture capital firm. Or that all the CEO's mail this week went to a
-firm of bankruptcy trustees and a half dozen executive recruiting
-agencies.
+venture capital firm, or that the CEO was talking to a firm of bankruptcy
+trustees and a half dozen executive recruiting agencies.
 
      
 Except in the simplest cases, traffic analysis is hard to do well. It
 requires both considerable resources and considerable analytic skill.
 However, intelligence agencies of various nations have been doing it
-for centuries and most of them are likely quite good at it by now.
+for centuries and many of them are likely quite good at it by now.
 Various commercial organisations, especially those working on
 "targeted marketing" may also be quite good at analysing
 certain types of traffic.
@@ -860,14 +867,13 @@
   
      The authentication algorithms are the same ones used in the IPSEC authentication header.
      
 
-  
      We do not implement single DES since DES is
-  insecure. Instead we provide triple DES or 3DES.
-  This is currently the only encryption algorithm supported.
      
-
-  
      We do implement null encryption, but it is disabled by default. You can
-  enable it in the IPSEC part of kernel configuration if required. We would
-  suggest, however, that if you need only authentication, you should use AH
-  rather than ESP with null encryption.
      
+  
      
+We do not implement single DES since DES is
+insecure. Instead we provide triple DES or 3DES.
+This is currently the only encryption algorithm supported.
      
+
+
      
+We do not implement null encryption since it is obviously insecure.
      
 
   
      IPSEC modes
      
 
diff -bruN freeswan-1.9.orig/doc/src/mail.html freeswan-1.9/doc/src/mail.html
--- freeswan-1.9.orig/doc/src/mail.html	Wed Mar 14 19:12:35 2001
+++ freeswan-1.9/doc/src/mail.html	Sun Jun  3 22:41:07 2001
@@ -17,7 +17,7 @@
 
      
 
        
    
      • The general list for discussing use of the software
-   
      • The place for seeking help with problems.
+   
      • The place for seeking help with problems (but please check the FAQ first).
    
      • Anyone can post.
 
      
 
      
@@ -35,7 +35,9 @@
 
        
    
      • Design discussions, for people working on FreeS/WAN development or others with an interest
         in design and security issues.
-   
      • Only subscribers can post.
+   
      • It would be a good idea to read the existing design papers (see this list) before
+         posting.
+   
      • Anyone can post.
 
      
 
 
      announce
      
@@ -44,8 +46,9 @@
    
    • A low-traffic list.
    
    • Announcements about FreeS/WAN and related software.
    
    • All posts here are also sent to the users list. You need not subscribe to both.
-   
    • Only authorised people can post.
-
+   
    • Only the FreeS/WAN team can post.
+   
    • If you have something you feel should go on this list, send it to announce-admin@lists.freeswan.org.
+     Unless it is obvious, please include a short note explaining why we should post it.
 
 
      briefs
      
 
      
@@ -53,7 +56,7 @@
    
    • A low-traffic list.
    
    • Weekly summaries of activity on the users list.
    
    • All posts here are also sent to the users list. You need not subscribe to both.
-   
    • Only authorised people can post.
+   
    • Only the FreeS/WAN team can post.
 
 
      • 
 
@@ -64,6 +67,10 @@
 
    • send mail to listname-request@lists.freeswan.org
 with a one-line message body "subscribe"
 
+
      
+Archives of these lists are available via the
+web interface.
+
 
 
      List policies
      
 
@@ -91,7 +98,13 @@
     
    • Holland
      • 
   
 
-  
      Note that these use different search engines. Try both.
      
+
      
+Note that these use different search engines. Try both.
      
+
+
      
+Archives of the new lists are available via the
+web interface.
+
 
 
      Other FreeS/WAN related lists
      
 
      
diff -bruN freeswan-1.9.orig/doc/src/politics.html freeswan-1.9/doc/src/politics.html
--- freeswan-1.9.orig/doc/src/politics.html	Sun Mar 11 23:13:18 2001
+++ freeswan-1.9/doc/src/politics.html	Wed May 30 11:42:36 2001
@@ -64,10 +64,10 @@
 University, several old Ultra hands included, built one of the world's first
 actual general-purpose digital computers.
 
    • Ultra made codebreaking a large-scale enterprise, producing intelligence on
-an industrial scale. This was not a "black chamber", not some hidden room
+an industrial scale. This was not a "black chamber", not a hidden room
 in some obscure government building with a small crew of code-breakers. The whole
-operation -- from intercept operators all over the world grabbing copies of enemy
-communications, through large-scale code-breaking and analysis of the decrypted
+operation -- from wholesale interception of enemy communications by stations
+around the world, through large-scale code-breaking and analysis of the decrypted
 material (with an enormous set of files for cross-referencing), to delivery of
 intelligence to field commanders -- was huge, and very carefully managed.
 
@@ -78,7 +78,7 @@
 
      Postwar and Cold War
      
 
 The wartime innovations were enthusiastically adopted by post-war and Cold War
-signals intelligence agencies. Presumably most nations now have some agency capable
+signals intelligence agencies. Presumably many nations now have some agency capable
 of sophisticated attacks on communications security, and quite a few engage in such
 activity on a large scale.
 
      
@@ -100,7 +100,7 @@
 on cell phones, or intercepting electronic mail, or tapping into the huge
 volumes of data on new media such as fiber optics or satellite links. None
 of these targets existed in 1950. All of them can be attacked today, and almost
-certainly are being attacked on a large scale.
+certainly are being attacked.
 
      
 The Ultra story was not made public until the 1970s. Much of the recent history
 of codes and code-breaking has not been made public, and some of it may never be.
@@ -136,19 +136,22 @@
 becoming ubiquitous, cryptography is now important to almost everyone. Among
 the developments since the 1970s:
 
        
-
      • the US gov't established the DES
+
      • The US gov't established the Data Encryption Standard, DES
 standard, a block cipher for
-cryptographic protection of unclassfied documents
-
      • public key cryptography invented by Diffie and Hellman
-
      • academic conferences such as Crypto,
-Eurocrypt, ...
-
      • companies offerring cryptographic products: RSA,
+cryptographic protection of unclassfied documents. It has also been widely used in
+industry.
+
      • Public key cryptography was invented by Diffie and Hellman.
+
      • Academic conferences such as Crypto
+and Eurocrypt began.
+
      • Several companies began offerring cryptographic products: RSA,
 PGP, the many vendors with PKI products,
 ...
-
      • crypto in other products: operating systems, word processors, ...
-
      • network protocols based on crypto:  SSH,
+
      • Cryptography appeared in other products: operating systems, word processors, ...
+
      • Network protocols based on crypto were developed:  SSH,
 SSL,  IPSEC, ...
-
      • widespread use of cryptography to secure bank cards, terminals, ... 
+
      • Crytography came into widespread use to secure bank cards, terminals, ...
+
      • The US government replaced DES with the much stronger
+Advanced Encryption Standard, AES
 
      
 
      
 This has led to a complex ongoing battle between various mainly government groups wanting to
@@ -218,7 +221,8 @@
     
    • Echelon, a monitor-the-world project of the US, UK, NZ, Australian and
       Canadian signals intelligence agencies. See this
       collection of links and
-      this story on the French Parliament's reaction.
      • 
+      this story
+      on the French Parliament's reaction.
     
    • Others governments may well have their own Echelon-like projects. To quote
        the Dutch Minister of Defense, as reported in a German
       magazine:
@@ -228,13 +232,18 @@
     investigative authorities and intelligence services of many countries with
      governments of different political signature.
     
-    Even if they have nothing on the scale of Echelon, most or all intelligence agencies and
+    Even if they have nothing on the scale of Echelon, most intelligence agencies and
     police forces certainly have some interception capability.
+   
    • NSA tapping of submarine communication cables, described
+     in this article
     
    • A proposal for international co-operation on 
       Internet surveillance.
      • 
 
     
    • Alleged sabotage of security
       products by the NSA (the US signals intelligence agency).
      • 
+   
    • The German armed forces and some government departments will stop using American software for fear of NSA
+      "back doors", according to this news story. 
+ 
     
    • The British Regulation of Investigatory Powers bill. See
       this web page. and
       perhaps this cartoon.
      • 
@@ -269,6 +278,8 @@
 
        
 
      • industrial espionage, as for example in this
 news story
        • 
+
      • attacks by organised criminals, as in this 
+large-scale attack
 
      • collection of personal data by various companies.
 
          
 
        • for example, consider the various corporate winners of Privacy International's
@@ -665,17 +676,18 @@
 
 
          
 Various governments have made persistent attempts to encourage or mandate
-"escrowed encrytion", also called "key recovery", or GAK for "government
-access to keys". The idea is that cryptographic keys be held by some third
+"escrowed encrytion", also called "key recovery", or GAK for "government
+access to keys". The idea is that cryptographic keys be held by some third
 party and turned over to law enforcement or security agencies under some
 conditions.
          
 
          -Mary had cryptography
-Her keys were in escrow
-And everything that Mary said
-The feds were sure to know
+  Mary had cryptography
+  Her keys were in escrow
+  And everything that Mary said
+  The feds were sure to know
 
          
-
+(If anyone knows the origin of that ditty, let
+let me know so I can credit the author.)
 
          
 There is an excellent paper available on
 Risks of Escrowed Encryption,
@@ -700,16 +712,20 @@
 
 
          
 Various governments, and some vendors, have also made persistent attempts
-to convince people that weak systems are sufficient for some data, that
-strong cryptography should be reserved for cases where the extra overheads
-are justified. This is nonsense.
          
+to convince people that:
+
            
+
          • weak systems are sufficient for some data
+
          • strong cryptography should be reserved for cases where the extra overheads
+are justified
+
          
+This is nonsense.
          
 
 
          
 Weak systems touted include:
          
 
 
            
   
          • the ludicrously weak (deliberately crippled) 40-bit ciphers that until
-    recently were all various export laws allowed.
            • 
+    recently were all various export laws allowed
     
          • 56-bit single DES, discussed below
            • 
   
          • 64-bit symmetric ciphers and 512-bit RSA, the maximums for unrestricted
     export under various current laws
            • 
@@ -744,10 +760,13 @@
       href="glossary.html#hybrid">hybrid systems in which the bulk of the work is done
       by a symmetric cipher. The effect of increasing the cost of the public
       key operations is typically negligible because the public key operations
-      use only a tiny fraction of total resources. For example, if public key
+      use only a tiny fraction of total resources.
+      
            
+      For example, suppose public key
       operations use use 1% of the time in a hybrid system and you triple the
-      cost of public key operations, the overall effect is a 2% rise in system
-      cost.
+      cost of public key operations. The cost of symmetric cipher operations
+      is unchanged at 99% of the original total cost, so the overall effect is a
+      jump from 99 + 1 = 100 to 99 + 3 = 102, a 2% rise in system cost.
 
          
 
 
          
diff -bruN freeswan-1.9.orig/doc/src/trouble.html freeswan-1.9/doc/src/trouble.html
--- freeswan-1.9.orig/doc/src/trouble.html	Wed Mar 14 19:12:36 2001
+++ freeswan-1.9/doc/src/trouble.html	Wed May 30 11:42:36 2001
@@ -41,9 +41,9 @@
 
   
          man pages provided
          
   
          
-    
          ipsec.conf(5)
          
+    
          ipsec.conf(5)
          
       
          Manual page for IPSEC configuration file.
          
-    
          ipsec(8)
          
+    
          ipsec(8)
          
       
          Primary man page for ipsec utilities.
          
   
          
 
@@ -69,9 +69,11 @@
     
          ipsec barf
          
       
          Copious debugging info.
          
   
-  
          Pluto problem hints
          
 
-  
          From a message posted to the mailing list Jan 14 2000 by Pluto developer
+
          Pluto problem hints
          
+
+
          
+From a message posted to the mailing list Jan 14 2000 by Pluto developer
   Hugh Redelmeier:
          
   
           Until ipsec auto and whack/pluto get fixed:
@@ -94,6 +96,36 @@
 
          
 Various error messages from Pluto are discussed in the FAQ
 and the ipsec_pluto(8) man page.
+
+
          Using GDB on Pluto
          
+
+You may need to use the GNU degugger, gdb(1), on Pluto. This should be
+necessary only in unusal cases, for example if you encounter a problem
+which the Pluto developer cannot readily reproduce or if you are
+modifying Pluto.
+
          
+Here are the Pluto developer's suggestions for doing this:
+
          +Can you get a core dump and use gdb to find out what Pluto was doing
+when it died?
+
+To get a core dump, you will have to set dumpdir to point to a
+suitable directory (see ipsec.conf(5)).
+
+To get gdb to tell you interesting stuff:
+        $ script
+        $ cd dump-directory-you-chose
+        $ gdb /usr/local/lib/ipsec/pluto core
+        (gdb) where
+        (gdb) quit
+        $ exit
+
+The resulting output will have been captured by the script command in
+a file called "typescript".  Send it to the list.
+
+Do not delete the core file.  I may need to ask you to print out some
+more relevant stuff.
+
          
 
 
          ifconfig reports for KLIPS debugging
          
 
diff -bruN freeswan-1.9.orig/doc/src/web.html freeswan-1.9/doc/src/web.html
--- freeswan-1.9.orig/doc/src/web.html	Wed Mar 14 19:12:36 2001
+++ freeswan-1.9/doc/src/web.html	Mon Mar 26 13:23:59 2001
@@ -24,12 +24,25 @@
       using FreeS/WAN with PGPnet
          • 
   
        • patches for X.509
     certificate support, also available from a mirror site
          • 
+  
        • a series of patches that
+  
            
+  
          • provide GOST, a Russian gov't. standard cipher, in MMX assembler
+  
          • add GOST to OpenSSL
+  
          • add GOST to the International kernel patch
+  
          • let FreeS/WAN use International kernel patch ciphers
   
          
+  
        • IPv6 support 
+
        
 
        
 Before using these, check the mailing list for news of newer
 versions and to see whether they have been incorporated into more recent
 versions of FreeS/WAN.
        
 
        
+Note: At one point the way PGP generates RSA keys and the way
+FreeS/WAN checks them for validity before using them were slightly different, so
+quite a few PGP-generated keys would be rejected by FreeS/WAN, confusing users
+no end. This is fixed in 1.9.
+
        
 A set of PKIX patches were recently announced on the mailing list:
        
 
         Subject: a different PKIX patch.
@@ -72,6 +85,8 @@
     
      • patches
       to add Blowfish, IDEA and CAST-128 to FreeS/WAN
        • 
+  
      • patches for aggressive
+      mode support 
 
      
 
      
 These patches are for older versions of FreeS/WAN and
@@ -270,7 +285,7 @@
 
 
      
 Vendors using FreeS/WAN in turnkey firewall or VPN products are listed in
-  our introduction.
      
+  our introduction.
      
 
   
      Other vendors have Linux IPSEC products which, as far as we know, do not
   use FreeS/WAN
      
diff -bruN freeswan-1.9.orig/doc/toc.html freeswan-1.9/doc/toc.html
--- freeswan-1.9.orig/doc/toc.html	Tue Mar 27 23:16:50 2001
+++ freeswan-1.9/doc/toc.html	Mon Jun  4 01:15:54 2001
@@ -78,7 +78,7 @@
 
 
    • Testing to see if install 
 succeeded
      • 
-
    • Links to other sections
      • 
+
    • Where to go from here
      • 
 
 Configuration
 
 
    • What next?
      • 
 
    • Other configuration possibilities
@@ -135,7 +135,7 @@
 
    • Multiple tunnels between the same 
 two gateways
      • 
 
    • Many tunnels from a single gateway
      • 
-
    • Extruded Subnets
      • 
+
    • Extruded Subnets
      • 
 
    • Road Warrior with virtual IP address
 
      • 
 
    • Dynamic Network Interfaces
      • 
@@ -159,16 +159,17 @@
 
 
 
    • Other packet filters
      • 
 
-
    • IPSEC and NAT
      • 
+
    • IPSEC and NAT
      • 
 
 
    • Pluto problem hints
      • 
+
 
    • ifconfig reports for KLIPS debugging
 
      • 
 
    • Testing between security gateways
@@ -229,7 +233,7 @@
 
    • Top directory
      • 
 
    • Documentation
      • 
 
    • KLIPS: kernel IP security
      • 
-
    • Pluto key and connection management 
+
    • Pluto key and connection management 
 daemon
      • 
 
    • Utils
      • 
 
    • Libraries
      • 
@@ -258,7 +262,7 @@
 
    • 2.2 and 2.4 Kernels
      • 
 
 
    • Intel Linux distributions other 
-than Redhat 5.x and 6.x
      • 
+than Redhat
 
 
    • IPSEC modes
      • 
 
 
    • FreeS/WAN parts
      • 
 
 
    • IPSEC Implementations
      • 
 
 
       Before using these, check the mailing list
  for news of newer versions and to see whether they have been 
 incorporated into more recent versions of FreeS/WAN.
      
+
       Note: At one point the way PGP generates RSA keys 
+and the way FreeS/WAN checks them for validity before using them were 
+slightly different, so quite a few PGP-generated keys would be rejected 
+by FreeS/WAN, confusing users no end. This is fixed in 1.9. 
      
 
       A set of PKIX patches were recently announced on the mailing list:
      
 
       Subject: a different PKIX patch.
@@ -70,6 +84,8 @@
 
    • patches
  to add Blowfish, 
 IDEA and CAST-128 to FreeS/WAN
      • 
+
    • 
+patches for aggressive  mode support 
      • 
 
 
       These patches are for older versions of FreeS/WAN and will likely 
 not work with the current version.  Older versions of FreeS/WAN may be 
@@ -240,7 +256,7 @@
 
      IPSEC Implementations
      
 
      Linux products
      
 
       Vendors using FreeS/WAN in turnkey firewall or VPN products are 
-listed in  our introduction.
      
+listed in  our introduction.
      
 
      Other vendors have Linux IPSEC products which, as far as we know, do 
 not  use FreeS/WAN
      
 
        
diff -bruN freeswan-1.9.orig/ipsec.conf.def freeswan-1.9/ipsec.conf.def
--- freeswan-1.9.orig/ipsec.conf.def	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/ipsec.conf.def	Wed May 16 10:57:20 2001
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
+
+# More elaborate and more varied sample configurations can be found
+# in doc/examples.
+
+# basic configuration
+config setup
+	# THIS SETTING MUST BE CORRECT or almost nothing will work;
+	# %defaultroute is okay for most simple cases.
+	interfaces=%defaultroute
+	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
+	klipsdebug=none
+	plutodebug=none
+	# Use auto= parameters in conn descriptions to control startup actions.
+	plutoload=%search
+	plutostart=%search
+
+# defaults for subsequent connection descriptions
+conn %default
+	# How persistent to be in (re)keying negotiations (0 means very).
+	keyingtries=3
+	# Authentication by RSA signature keys
+	authby=rsasig
+	# keylife of 8h is too long for rekeying drops.
+	keylife=1h
+
diff -bruN freeswan-1.9.orig/klips/doc/DONE freeswan-1.9/klips/doc/DONE
--- freeswan-1.9.orig/klips/doc/DONE	Mon Nov  6 00:09:00 2000
+++ freeswan-1.9/klips/doc/DONE	Mon Jun  4 12:54:57 2001
@@ -1,8 +1,12 @@
 *
-* RCSID $Id: DONE,v 1.20 2000/11/06 05:09:00 rgb Exp $
+* RCSID $Id: DONE,v 1.22 2001/06/01 07:25:19 rgb Exp $
 *
 
 Bugs as of 0.90:
+	auto AH+ESP transport mode oops?
+	ipcomp: fix i[56]86 ASM code 2.4 makefile issues
+	kill single-letter options from klips utils manpages.
+	add --label to klips utils manpages
 	ah tunnel -- 3 esp packets kills the sg
 	single spi ungroup fails
 	elucidate the meaning of 'tdb' in all error message references
@@ -180,6 +184,9 @@
 	Oops if IPCOMP not config in KLIPS but negotiated by pluto.
 	Passthrough packets must be sent with frag in mind.
 
+1.9
+	Add magic saids for pass, drop, reject, trap, hold
+
 Features for 2.0:
 	Investigate PMTU (rfc2401-4.4.2, 6.1.2)
 	Mark incoming packets as from ipsec0 for accounting and validation
@@ -200,6 +207,12 @@
 
 *
 * $Log: DONE,v $
+* Revision 1.22  2001/06/01 07:25:19  rgb
+* Clean up miscellaneous stuff...
+*
+* Revision 1.21  2001/02/26 20:11:12  rgb
+* Post 1.9 candidate, magic SAs and email purge updates.
+*
 * Revision 1.20  2000/11/06 05:09:00  rgb
 * A few bugfixes...
 *
diff -bruN freeswan-1.9.orig/klips/doc/TODO freeswan-1.9/klips/doc/TODO
--- freeswan-1.9.orig/klips/doc/TODO	Mon Jan 29 17:29:46 2001
+++ freeswan-1.9/klips/doc/TODO	Mon Jun  4 12:54:57 2001
@@ -1,11 +1,23 @@
 *
-* RCSID $Id: TODO,v 1.65 2001/01/29 22:29:46 rgb Exp $
+* RCSID $Id: TODO,v 1.70 2001/06/01 07:25:19 rgb Exp $
 *
 
 fordhr:	enforce 4k msg limit.
 
 Bugs:
-	IPCOMP frag-in-clear
+	fix tncfg output after attached physical I/F disappears.
+	detach, but don't down ipsec virtual device if attached physical
+		device disappears
+	fix pfkey_update:new tdb should add to, not replace original
+	implement self-documenting kernel code:
+		http://kernelbook.sourceforge.net/#kdocs
+	replace IKE bypass machinery with SPD entries.
+	add hold machinery to store the last packet sent to the hold eroute
+		and re-inject it once the hold is deleted. (eroute entry or
+		separate table?)
+	implement eroute reject IMCP "communication administratively prohibited"
+	fix lifetime_byte_c len/ilen assignment
+	IPCOMP frag-in-clear?
 	pick-next-less-specific-eroute for intermediate tunnel lookup
 		for IKE passthrough.
 	sparc64:klips/net/ipsec/ipsec_tunnel.c:2106/2912:
@@ -106,6 +118,8 @@
 			expire (written, needs testing)
 Most	Expire SA's on soft/hard time/seq/qty and signal user (pfkey) (written, needs testing)
 GG	Port to IPv6
+	satot() conversion for /proc spi display
+	xlen, skb->len review for bogus packets, skb->len must be larger than ip->totlen
 
 2.0:
 	Port to ipchains/netfilter (with ifdefs to virtual device paradigm)
@@ -137,6 +151,21 @@
 
 *
 * $Log: TODO,v $
+* Revision 1.70  2001/06/01 07:25:19  rgb
+* Clean up miscellaneous stuff...
+*
+* Revision 1.69  2001/05/19 02:30:00  rgb
+* Added a couple of klips utils doc bugs.
+*
+* Revision 1.68  2001/04/19 19:03:37  rgb
+* Added note to update in update rather than replace.
+*
+* Revision 1.67  2001/03/16 07:30:20  rgb
+* Add 2.4 ipcomp asm note.
+*
+* Revision 1.66  2001/02/26 20:11:12  rgb
+* Post 1.9 candidate, magic SAs and email purge updates.
+*
 * Revision 1.65  2001/01/29 22:29:46  rgb
 * Add dhr suggestion.
 *
diff -bruN freeswan-1.9.orig/klips/doc/klips2-design-api-trips.txt freeswan-1.9/klips/doc/klips2-design-api-trips.txt
--- freeswan-1.9.orig/klips/doc/klips2-design-api-trips.txt	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/klips/doc/klips2-design-api-trips.txt	Mon Jun  4 12:54:57 2001
@@ -0,0 +1,1031 @@
+#  -*- mode: Outline; fill-column: 78; fill-prefix: "	" -*-
+#
+#  klips2-design-api-trips.txt
+#	Richard Guy Briggs 
+#
+#  RCSID $Id: klips2-design-api-trips.txt,v 1.8 2001/05/30 08:00:14 rgb Exp $
+#
+
+# This document outlines various trips that are made through the
+# various APIs for different scenarios.  Please see klips2-design.txt
+# for an overview.
+
+# Several scenario titles are listed.  Under each scenario title is
+# listed point form text to describe what action is happenning and/or
+# the reason for the following calls.  Following the descriptive text
+# is a origin and destination entity interface description.  Within
+# each interface description is a list of specific arguments used or
+# that need to be added to accomplish the action.
+
+Opportunistic encryption:
+	- put a trap in place from KMd
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK
+				char[] -d DADDR/DMASK
+				char[] --protocol PROTO
+				char[] --sport SPORT
+				char[] --dport DPORT
+				char[] --uid-owner UID
+				char[] --seclev seclevstr
+				char[] -J TRAP
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				target TRAP
+		
+	- packet comes
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- packet matches TRAP
+		NetFilter -> TRAP target NetFilter kernel module
+			in:
+				struct sk_buff *skb
+			out:
+				unsigned int = NF_STOLEN
+
+	- send up an ACQUIRE
+		TRAP target NetFilter kernel module -> KMds (PF_KEYv2 ACQUIRE)
+			see RFC2367, PF_KEYv2 ACQUIRE
+
+	- create HOLD target with skb info and store the first packet
+		TRAP target NetFilter kernel module -> NetFilter
+			in:
+				struct sk_buff *skb
+			out:
+				boolean
+
+	- next packet comes in while KMd is negotiating SAs.
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- packet matches HOLD so discard previous skb (packet) and store this one
+		NetFilter -> HOLD target NetFilter kernel module
+			in:
+				struct sk_buff *skb
+			out:
+				unsigned int = NF_STOLEN
+				
+	- put the new SAs in place once the negotiations have succeeded
+		KMd -> SADB (PF_KEYv2 ADD/UPDATE)
+			see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA
+
+	- add ENCRYPT target with specific SAs to use
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK
+				char[] -d DADDR/DMASK
+				char[] --protocol PROTO
+				char[] --sport SPORT
+				char[] --dport DPORT
+				char[] --uid-owner UID
+				char[] --seclev seclev
+				char[] -J ENCRYPT
+				char[] --salist SAList
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> ENCRYPT target iptables(8) library
+		ip6tables(8) -> ENCRYPT target ip6tables(8) library
+			in:
+				char[] --salist SAList
+			out:
+				struct ip_said SA[, ...]
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				target ENCRYPT
+				struct ip_said SA[, ...]
+		
+	- add ACCEPT target for once the packet is processed
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK (local SG)
+				char[] -d DADDR/DMASK (remote SG)
+				char[] --proto ESP
+				char[] --salist SAList
+				char[] --espspi SPI
+				char[] -J ACCEPT
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> sa match iptables(8) library
+		ip6tables(8) -> sa match ip6tables(8) library
+			in:
+				char[] --salist SAList
+			out:
+				struct ip_said SA[, ...]
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				struct ip_said SA[, ...]
+
+	- replace HOLD target with ENCRYPT target, releasing skb
+		HOLD target NetFilter kernel module -> NetFilter
+				(I don't know the best way to show this
+				on the diagram, since the skb is
+				stored with the eroute and not the HOLD
+				target module)
+			in:
+				struct sk_buff *skb
+
+	- send released packet through newly created ENCRYPT target and SAs
+		NetFilter -> ENCRYPT target NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[, ...]
+			out:
+				unsigned int = NF_STOLEN
+
+	- fetch SAs specified in NetFilter table entry with ENCRYPT args
+		ENCRYPT target NetFilter kernel module -> SADB (SAID)
+			in:
+				struct ip_said SA
+			out:
+				struct tdb *tdbp
+
+	- send skb (packet) back into NF_IP_POST_ROUTE
+		ENCRYPT target NetFilter kernel module -> NetFilter
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+		
+	- expire SA if a limit is reached
+		SADB -> KMd (PF_KEYv2 EXPIRE)
+			see RFC2367, PF_KEYv2 EXPIRE
+				
+Outgoing w/existing connection specifying SAs
+	- put the new SAs in place once negotiations have succeeded
+		KMd -> SADB (PF_KEYv2 ADD/UPDATE)
+			see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA
+
+	- put in a rule to match packets for that set of SAs
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK
+				char[] -d DADDR/DMASK
+				char[] --protocol PROTO
+				char[] --sport SPORT
+				char[] --dport DPORT
+				char[] --uid-owner UID
+				char[] --seclev seclev
+				char[] -J ENCRYPT
+				char[] --salist SAList
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> ENCRYPT target iptables(8) library
+		ip6tables(8) -> ENCRYPT target ip6tables(8) library
+			in:
+				char[] --salist SAList
+			out:
+				struct ip_said SA[, ...]
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				target ENCRYPT
+				struct ip_said SA[, ...]
+		
+	- add ACCEPT for once the packet is processed
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK (local SG)
+				char[] -d DADDR/DMASK (remote SG)
+				char[] --proto ESP
+				char[] --salist SAList
+				char[] --espspi SPI
+				char[] -J ACCEPT
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> sa match iptables(8) library
+		ip6tables(8) -> sa match ip6tables(8) library
+			in:
+				char[] --salist SAList
+			out:
+				struct ip_said SA[, ...]
+
+		iptables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				struct ip_said SA[, ...]
+				target ACCEPT
+
+	- outgoing packet is tested on selectors
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- matching packet is sent to ENCRYPT target with SAList
+		NetFilter -> ENCRYPT target NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[, ...]
+			out:
+				unsigned int = NF_STOLEN
+
+	- fetch SAs specified in NetFilter table entry with ENCRYPT args
+		ENCRYPT target NetFilter kernel module -> SADB (SAID)
+			in:
+				struct ip_said SA
+			out:
+				struct tdb *tdbp
+
+	- send skb (packet) back into NF_IP_POST_ROUTE
+		ENCRYPT target NetFilter kernel module -> NetFilter
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+		
+	- outgoing processed packet is tested on selectors and ACCEPTed
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- expire SA if a limit is reached
+		SADB -> KMd (PF_KEYv2 EXPIRE)
+			see RFC2367, PF_KEYv2 EXPIRE
+				
+Outgoing w/existing connection routing through IPSec device
+	- put the new SAs in place once negotiations have succeeded
+		KMd -> SADB (PF_KEYv2 ADD/UPDATE)
+			see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA
+
+	- put in a rule to match packets for that set of SAs
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK
+				char[] -d DADDR/DMASK
+				char[] --protocol PROTO
+				char[] --sport SPORT
+				char[] --dport DPORT
+				char[] --uid-owner UID
+				char[] --seclev seclev
+				char[] --out-interface IPSECdev
+				char[] -J ENCRYPT
+				char[] --salist SAList
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> ENCRYPT target iptables(8) library
+		ip6tables(8) -> ENCRYPT target ip6tables(8) library
+			in:
+				char[] --salist SAList
+			out:
+				struct ip_said SA[, ...]
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				target ENCRYPT
+				struct ip_said SA[, ...]
+		
+		KMd -> Routing Table (Routing)
+			see route(8) or iproute2(8), currently done by
+				     system(3) calls to _updown.
+			in:
+				char[] IPSECdev
+			out:
+				unsigned char exit_code
+
+	- add ACCEPT for once the packet is processed
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK (local SG)
+				char[] -d DADDR/DMASK (remote SG)
+				char[] --proto ESP
+				char[] --espspi SPI
+				char[] --salist SAList
+				char[] -J ACCEPT
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> sa match iptables(8) library
+		ip6tables(8) -> sa match ip6tables(8) library
+			in:
+				char[] --salist SAList
+			out:
+				struct ip_said SA[, ...]
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				struct ip_said SA[, ...]
+
+	- outgoing packet is tested on match modules
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- outgoing packet matches IPSECdev and is sent to ENCRYPT target with SAList
+		NetFilter -> ENCRYPT target NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[, ...]
+			out:
+				unsigned int = NF_STOLEN
+
+	- fetch SAs specified in NetFilter table entry with ENCRYPT args
+		ENCRYPT target NetFilter kernel module -> SADB (SAID)
+			in:
+				struct ip_said SA
+			out:
+				struct tdb *tdbp
+
+	- send skb (packet) back into NF_IP_POST_ROUTE
+		ENCRYPT target NetFilter kernel module -> NetFilter
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+		
+	- processed packet is tested on match modules and ACCEPTed
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- expire SA if a limit is reached
+		SADB -> KMd (PF_KEYv2 EXPIRE)
+			see RFC2367, PF_KEYv2 EXPIRE
+				
+Incoming w/existing connection specifying SAs
+	- put in the new SAs in place once the negotiations have succeeded
+		KMd -> SADB (PF_KEYv2 ADD/UPDATE)
+			see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA
+
+	- put in a blocking entry to prevent unprotected packets entering
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK
+				char[] -d DADDR/DMASK
+				char[] --protocol PROTO
+				char[] --sport SPORT
+				char[] --dport DPORT
+				char[] --uid-owner UID
+				char[] --seclev seclev
+				char[] -J DROP (or PEEK)
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				target DROP (or PEEK)
+		
+	- allow properly processed packets in
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK
+				char[] -d DADDR/DMASK
+				char[] --protocol PROTO
+				char[] --sport SPORT
+				char[] --dport DPORT
+				char[] --uid-owner UID
+				char[] --seclev seclev
+				char[] --salist SAList
+				char[] -J ACCEPT
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> sa match iptables(8) library
+		ip6tables(8) -> sa match ip6tables(8) library
+			in:
+				char[] --salist SAList
+			out:
+				struct ip_said SA[, ...]
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				struct ip_said SA[, ...]
+
+	- allow unprocessed packets from IPSec peer in
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK (remote SG)
+				char[] -d DADDR/DMASK (local SG)
+				char[] --proto ESP
+				char[] --espspi SPI
+				char[] -J ACCEPT
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+
+	- incoming packet is tested on match modules
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- packet arrives via transport layer demux to DECRYPT
+		Transport Layer De-mux -> IPSec DECRYPT kernel module
+			in:
+				struct sk_buff *skb
+
+	- fetch SAs specified by packet in skb
+		IPSec DECRYPT kernel module -> SADB (SAID)
+			in:
+				struct ip_said SA
+			out:
+				struct tdb *tdbp
+
+	- send skb (packet) back into NF_IP_PRE_ROUTE
+		IPSec DECRYPT kernel module -> NetFilter
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+		
+	- processed packet is tested on match modules and ACCEPTED
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- expire SA if a limit is reached
+		SADB -> KMd (PF_KEYv2 EXPIRE)
+			see RFC2367, PF_KEYv2 EXPIRE
+				
+Incoming w/existing connection specifying IPSec device
+	- put in the new SAs in place once the negotiations have succeeded
+		KMd -> SADB (PF_KEYv2 ADD/UPDATE)
+			see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA
+
+	- put in a blocking entry to prevent unprotected packets entering
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK
+				char[] -d DADDR/DMASK
+				char[] --protocol PROTO
+				char[] --sport SPORT
+				char[] --dport DPORT
+				char[] --uid-owner UID
+				char[] --seclev seclev
+				char[] -J DROP (or PEEK)
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				target DROP (or PEEK)
+		
+	- allow properly processed packets in
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK
+				char[] -d DADDR/DMASK
+				char[] --protocol PROTO
+				char[] --sport SPORT
+				char[] --dport DPORT
+				char[] --uid-owner UID
+				char[] --in-interface IPSECdev
+				char[] --seclev seclev
+				char[] --salist SAList
+				       (can we set an --in-interface IPSECdev
+					from this so we can just test
+					in-interface?  This may need two
+					entries, including a target SETDEV)
+				char[] -J ACCEPT
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> sa match iptables(8) library
+		ip6tables(8) -> sa match ip6tables(8) library
+			in:
+				char[] --salist SAList
+			out:
+				struct ip_said SA[, ...]
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				struct ip_said SA[, ...]
+
+	- allow unprocessed packets from IPSec peer in
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK (remote SG)
+				char[] -d DADDR/DMASK (local SG)
+				char[] --proto ESP
+				char[] --espspi SPI
+				char[] -J ACCEPT
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+
+	- incoming packet is tested on match modules
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- packet arrives via transport layer demux to DECRYPT
+		Transport Layer De-mux -> IPSec DECRYPT kernel module
+			in:
+				struct sk_buff *skb
+
+	- fetch SAs specified by packet in skb
+		IPSec DECRYPT kernel module -> SADB (SAID)
+			in:
+				struct ip_said SA
+			out:
+				struct tdb *tdbp
+
+	- send skb (packet) back into NF_IP_PRE_ROUTE
+		IPSec DECRYPT kernel module -> NetFilter
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+		
+	- processed packet is tested on match modules and ACCEPTED
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- expire SA if a limit is reached
+		SADB -> KMd (PF_KEYv2 EXPIRE)
+			see RFC2367, PF_KEYv2 EXPIRE
+				
+Incoming no connection
+	 - set target for PEEKing at (or TRAPing) incoming packets with no connection
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK
+				char[] -d DADDR/DMASK
+				char[] --protocol PROTO
+				char[] --sport SPORT
+				char[] --dport DPORT
+				char[] --uid-owner UID
+				char[] --seclev seclev
+				char[] -J PEEK (or TRAP)
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				target PEEK (or TRAP)
+
+	- packet comes in and gets tested by match modules
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- packet matches and gets sent to PEEK target
+		NetFilter -> PEEK (or TRAP) target NetFilter kernel module
+			in:
+				struct sk_buff *skb
+			out:
+				unsigned int = NF_ACCEPT (or NF_STOLEN)
+
+	- send up an ACQUIRE
+		PEEK (or TRAP) target NetFilter kernel module -> KMds (PF_KEYv2 ACQUIRE)
+			see RFC2367, PF_KEYv2 ACQUIRE
+
+	- create ACCEPT (or HOLD) target with skb info to prevent KMd overload
+		PEEK (or HOLD) target NetFilter kernel module -> NetFilter
+			in:
+				struct sk_buff *skb
+			out:
+				boolean
+
+	- next packet comes in while KMd is negotiating SAs.
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- put the new SAs in place once the negotiations have succeeded
+		KMd -> SADB (PF_KEYv2 ADD/UPDATE)
+			see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA
+
+	- put in a blocking entry to prevent unprotected packets entering
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK
+				char[] -d DADDR/DMASK
+				char[] --protocol PROTO
+				char[] --sport SPORT
+				char[] --dport DPORT
+				char[] --uid-owner UID
+				char[] --seclev seclev
+				char[] -J DROP (or PEEK)
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				(target PEEK)
+		
+	- allow properly processed packets in
+		KMd -> iptables(8) system(3) call (Policy)
+		KMd -> ip6tables(8) system(3) call (Policy)
+			in:
+				char[] -I
+				char[] -s SADDR/SMASK
+				char[] -d DADDR/DMASK
+				char[] --protocol PROTO
+				char[] --sport SPORT
+				char[] --dport DPORT
+				char[] --uid-owner UID
+				char[] --seclev seclev
+				char[] --salist SAList
+				char[] -J ACCEPT
+			out:
+				unsigned char exit_code
+
+		iptables(8) -> seclev match iptables(8) library
+		ip6tables(8) -> seclev match ip6tables(8) library
+			in:
+				char[] --seclev seclevstr
+			out:
+				struct seclev
+
+		iptables(8) -> sa match iptables(8) library
+		ip6tables(8) -> sa match ip6tables(8) library
+			in:
+				char[] --salist SAList
+			out:
+				struct ip_said SA[, ...]
+
+		iptables(8) -> NetFilter
+		ip6tables(8) -> NetFilter
+		I/F is already defined in NetFilter.  In addition, it will
+		need structures to pass the following:
+			in:
+				struct seclev
+				struct ip_said SA[, ...]
+		
+	- incoming packet is tested on match modules
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- packet arrives via transport layer demux to DECRYPT
+		Transport Layer De-mux -> IPSec DECRYPT kernel module
+			in:
+				struct sk_buff *skb
+
+	- fetch SAs specified by packet in skb
+		IPSec DECRYPT kernel module -> SADB (SAID)
+			in:
+				struct ip_said SA
+			out:
+				struct tdb *tdbp
+
+	- send skb (packet) back into NF_IP_PRE_ROUTE
+		IPSec DECRYPT kernel module -> NetFilter
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+		
+	- processed packet is tested on match modules and ACCEPTed
+		NetFilter -> seclev match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct seclev
+			out:
+				boolean
+
+		NetFilter -> sa match NetFilter kernel module
+			in:
+				struct sk_buff *skb
+				struct ip_said SA[,...]
+			out:
+				boolean
+
+	- expire SA if a limit is reached
+		SADB -> KMd (PF_KEYv2 EXPIRE)
+			see RFC2367, PF_KEYv2 EXPIRE
+
+TODO:
+	api trips:
+		Packet w/no route?  how to get to kmd?  default route to IPSECdev which calls TRAP?
+		Nested tunnels, IKE recursion api trip
+		how to know when to stop decapsulating nested tunnels?
+		DHR's routing problem
+		mutli-layer routing environments that both touch and denker need.
+	nail down function calls and/or globals for each I/F, c-like function syntax
+	better api block comments
+	interface, function, args, block comment
+
diff -bruN freeswan-1.9.orig/klips/doc/klips2-design-api.txt freeswan-1.9/klips/doc/klips2-design-api.txt
--- freeswan-1.9.orig/klips/doc/klips2-design-api.txt	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/klips/doc/klips2-design-api.txt	Mon Jun  4 12:54:57 2001
@@ -0,0 +1,2375 @@
+#  -*- mode: Outline -*-
+# 
+#  klips2-design-api.txt
+#	Richard Guy Briggs 
+#
+#  RCSID $Id: klips2-design-api.txt,v 1.17 2001/06/01 07:25:53 rgb Exp $
+#
+
+* Outline Commands cheat sheet (C-c C-s to see this)
+        C-c C-t         Hide EVERYTHING in buffer
+        C-c C-a         Show EVERYTHING in buffer
+
+        C-c C-d         Hide THIS item and subitems (subtree)
+        C-c C-s         Show THIS item and subitems (subtree)
+
+        C-c C-c         Hide ONE item
+        C-c C-e         Show ONE item
+
+* Introduction
+	This document describes all the APIs used in this design.
+	Please see klips2-design.txt for an overview.
+
+** Interface:
+	interface description, listing origin and destination
+	entities, separated by an ">->" with diagram label, if it
+	exists within double quotes ``"''
+
+** Label:
+	diagram label
+
+** Name:
+	the name of the function used and a very brief description
+
+** Synopsis:
+	function form, argument position, type and return type
+
+** Arguments:
+	description of each argument
+
+** Description:
+	description of interface and function
+
+** Implementation notes:
+	caveats and side effects
+
+** Return value:
+	function return values
+
+** Example:
+	usage example
+
+** See also:
+	related documentation or further explanation
+
+
+
+* Interfaces
+
+** KMd >-> iptables(8) "Policy"
+** KMd >-> ip6tables(8) "Policy"
+
+	Interface:
+
+		KMd >-> iptables(8)
+		KMd >-> ip6tables(8)
+
+	Label:
+
+		"Policy"
+
+	Name:
+
+		system(3) call to iptables(8) - execute a shell
+		command to do IP packet filter administration to set
+		ipsec policy
+
+	Synopsis:
+
+		#include 
+
+		int system(const char * "iptables \
+			--table ipsec \
+			--new-table chain ");
+		int system(const char * "iptables \
+			--table ipsec \
+			--policy chain target");
+		int system(const char * "iptables \
+			--table ipsec \
+			--{append,delete,insert,replace} chain \
+			--protocol protocol \
+			--source src \
+			--destination dst \
+			--jump target \
+			--in-interface IPSECdev \
+			--out-interface IPSECdev \
+			--source-port SPORT \
+			--destination-port DPORT \
+			--uid-owner UID \
+			--gid-owner GID \
+			--pid-owner PID \
+			--sid-owner SID \
+			--espspi SPI \
+			--seclev seclevstr \
+			--salist SAList \
+		");
+
+	Arguments:
+
+		--table ipsec
+			specify ipsec SPDB NetFilter kernel table
+
+		--new-chain chain
+			create new chain in ipsec SPDB
+
+		--policy chain target
+			set default target for specified chain
+
+		--{append,delete,insert,replace} chain
+			manipulate a rule in the specified chain
+
+		--protocol protocol
+			protocol for the matching rule
+
+		--source src
+			source address for the matching rule
+
+		--destination dst
+			destination address for the matching rule
+
+		--in-interface IPSECdev
+			incoming ipsec device for the matching rule
+
+		--out-interface IPSECdev
+			outgoing ipsec device for the matching rule
+
+		--source-port SPORT
+			source port for the matching rule (tcp or udp)
+
+		--destination-port DPORT
+			destination port for the matching rule (tcp or udp)
+
+		--uid-owner UID
+			user ID for the matching rule
+
+		--espspi SPI
+			Encapsulation Security Payload Security Parameters
+			Index for the matching rule
+
+		--seclev seclevstr
+			security or sensitivity level or label for the
+			matching rule
+
+		--salist SAList
+			Security Association IDentifier list for the matching
+			rule
+
+		--jump target
+			target for a matching packet
+
+	Description:
+
+		This is the SPDB (or as yet undefined PF_POLICY)
+		interface from the key management daemons to the
+		kernel via netfilter.
+
+		The default chains of in and out are created when the
+		table is created.  Additional chains can be created as
+		needed with the iptables --new-chain command and can
+		be listed as targets to match entries.
+
+		The default policy of each chain can be changed from
+		the initialised value of DROP (TRAP?) with the
+		iptables --policy command.  The default policy of each
+		chain is one of the standard NetFilter targets of
+		ACCEPT, DROP, REJECT.  IPSec adds the targets TRAP,
+		HOLD (internal), PEEK and IPSEC.  Only the IPSEC
+		target takes any arguments, which consists of a list
+		of SAs to be used for processing.
+
+		Rules are appended, inserted, deleted or replaced to
+		set the IPSec policy.
+
+		Packets can be matched on IP transport protocol,
+		source or destination address, incoming or outgoing
+		ipsec device, source or destination port for tcp or
+		udp, user ID, Encapsulation Security Payload or
+		Authentication Header Security Parameters Index,
+		security or sensitivity level or label, Security
+		Association IDentifier list.  A target must be
+		specified for each matching rule using the iptables
+		--jump option.
+
+	Implementation notes:
+
+		If the in and out chains don't yet exist, they must be
+		created with the iptables --new-chain command.  (These
+		will most likely be created by loading the module and
+		so this paragraph may disappear.)  
+
+		An alternative may be to have the KMd link directly
+		with iptables.o rather than invoking system(3) to call
+		iptables(8).
+
+		It looks like it may be possible to call the libipt
+		functions directly, which will be a big help in
+		speeding things up since text conversion and parsing
+		won't have to be done.  This will change most of the
+		char fields to binary fields and change the calling
+		function and return codes.
+
+	Return value:
+
+		system(3) returns:
+		The value returned is 127 if the execve() call for
+		/bin/sh fails, -1 if there was another error.
+
+		iptables(8) returns:
+		Various error messages are printed to standard error.
+		The exit code is 0 for correct functioning.  Errors
+		which appear to be caused by invalid or abused command
+		line parameters cause an exit code of 2, and other
+		errors cause an exit code of 1.
+
+	Example:
+
+		#include 
+		int return;
+
+		...
+
+		if((return = system("iptables \
+			--table ipsec \
+			--insert out \
+			--source this-subnet.example.com \
+			--destination that-subnet.example.com \
+			--jump IPSEC \
+			--use-salist esp.12345678@that-sg.example.com \
+			"))){
+			fprintf(stderr, "error $d calling iptables\n");
+			exit 1;
+		}
+
+	See also:
+
+		system(3), iptables(8)
+
+
+
+** iptables(8) >-> seclev match iptables(8) library
+** ip6tables(8) >-> seclev match ip6tables(8) library
+
+	Interface:
+
+		iptables(8) >-> seclev match iptables(8) library
+		ip6tables(8) >-> seclev match ip6tables(8) library
+
+	Label:
+
+	Name:
+
+		(*seclev_parse) - parse, convert and check security level options
+
+	Synopsis:
+
+		static int
+		seclev_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			unsigned int *nfcache,
+			struct ipt_entry_match **match
+		)
+
+	Arguments:
+
+		c
+			argument count
+
+		argv
+			text arguments to be parsed by this match
+
+		invert
+			invert this match?
+
+		flags
+			bitmap to indicate which arguments have been processed
+
+		entry
+			pointer to table entry associated with match
+
+		nfcache
+			bitmap of skb parts examined by this match
+
+		match
+			match data
+
+	Description:
+
+		This function parses, converts and checks iptables(8)
+		and ip6tables(8) command line security level text
+		arguments for use by the seclev match NetFilter kernel
+		module.
+
+		Input is expected to be in the form of "--seclev
+		seclevstr" where seclevstr is the security (or
+		sensitivity) level (or label) associated with the
+		packet.
+
+	Implementation notes:
+
+		I don't actually what form security level data takes,
+		but that can be sorted out later.
+
+	Return value:
+
+		1 if an option was eaten, 0 if not.
+
+	Example:
+
+		static int
+		seclev_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			unsigned int *nfcache,
+			struct ipt_entry_match **match
+		) {
+			struct ipt_seclev_info *info = (struct ipt_seclev_info*)(*match)->data;
+
+			/* parse option arguments */
+			...
+			return 1;
+		}
+
+		struct iptables_match seclev_match_lib = {
+			NULL,
+			"seclev",
+			NETFILTER_VERSION,
+			IPT_ALIGN(sizeof(struct ipt_seclev_info)),
+			IPT_ALIGN(sizeof(struct ipt_seclev_info)),
+			&seclev_help,
+			&seclev_init,
+			&seclev_parse,
+			&seclev_final_check,
+			&seclev_print,
+			&seclev_save,
+			seclev_opts
+		};
+
+		void
+		_init(void)
+		{
+			register_match(&seclev_match_lib);
+		}
+
+	See also:
+
+
+
+** iptables(8) >-> salist match iptables(8) library
+** ip6tables(8) >-> salist match ip6tables(8) library
+
+	Interface:
+
+		iptables(8) >-> salist match iptables(8) library
+		ip6tables(8) >-> salist match ip6tables(8) library
+
+	Label:
+
+	Name:
+
+		(*salist_parse) - parse, convert and check security
+		association list options
+
+	Synopsis:
+
+		static int
+		salist_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			unsigned int *nfcache,
+			struct ipt_entry_match **match
+		)
+
+	Arguments:
+
+		c
+			argument count
+
+		argv
+			text arguments to be parsed by this match
+
+		invert
+			invert this match?
+
+		flags
+			bitmap to indicate which arguments have been processed
+
+		entry
+			pointer to table entry associated with match
+
+		nfcache
+			bitmap of skb parts examined by this match
+
+		match
+			match data
+
+	Description:
+
+		This function parses, converts and checks iptables(8)
+		and ip6tables(8) command line security association
+		list level text arguments for use by the salist match
+		NetFilter kernel module.
+
+		Input is expected to be in the form of "--salist
+		SAList" where SAList is the security association list
+		associated with the packet.
+
+	Implementation notes:
+
+		There is still some disagreement about the form of the
+		salist.
+
+	Return value:
+
+		1 if an option was eaten, 0 if not.
+
+	Example:
+
+		static int
+		salist_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			unsigned int *nfcache,
+			struct ipt_entry_match **match
+		) {
+			struct ipt_salist_info *info = (struct ipt_salist_info*)(*match)->data;
+
+			/* parse option arguments */
+			...
+			return 1;
+		}
+
+		struct iptables_match salist_match_lib = {
+			NULL,
+			"salist",
+			NETFILTER_VERSION,
+			IPT_ALIGN(sizeof(struct ipt_salist_info)),
+			IPT_ALIGN(sizeof(struct ipt_salist_info)),
+			&salist_help,
+			&salist_init,
+			&salist_parse,
+			&salist_final_check,
+			&salist_print,
+			&salist_save,
+			salist_opts
+		};
+
+		void
+		_init(void)
+		{
+			register_match(&salist_match_lib);
+		}
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** iptables(8) >-> TRAP target iptables(8) library
+** ip6tables(8) >-> TRAP target ip6tables(8) library	
+
+	Interface:
+
+		iptables(8) >-> TRAP target iptables(8) library
+		ip6tables(8) >-> TRAP target ip6tables(8) library
+
+	Label:
+
+	Name:
+
+		(*trap_parse) - parse, convert and check TRAP options
+
+	Synopsis:
+
+		static int trap_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			struct ipt_entry_target **target
+		)
+
+	Arguments:
+
+		c
+			argument count
+
+		argv
+			text arguments to be parsed by this target
+
+		invert
+			invert flag (doesn't make sense for targets)
+
+		flags
+			bitmap to indicate which arguments have been processed
+
+		entry
+			pointer to table entry associated with target
+
+		target
+			target data
+
+	Description:
+
+		This function parses, converts and checks iptables(8)
+		and ip6tables(8) command line TRAP text
+		arguments for use by the TRAP target NetFilter kernel
+		module.
+
+		Input is expected to be in the form of "--salist
+		SAList" where SAList is the security association list
+		to be applied to packets sent to the TRAP target.
+
+	Implementation notes:
+
+		There is still some disagreement about the form of the
+		salist.
+
+	Return value:
+
+		1 if an option was eaten, 0 if not.
+
+	Example:
+
+		static int
+		trap_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			struct ipt_entry_target **target
+		) {
+			struct ipt_trap_target_info *info = (struct ipt_trap_target_info*)(*target)->data;
+
+			/* parse option arguments */
+			...
+			return 1;
+		}
+
+		struct iptables_target trap_target_lib = {
+			NULL,
+			"TRAP",
+			NETFILTER_VERSION,
+			IPT_ALIGN(sizeof(struct ipt_trap_target_info)),
+			IPT_ALIGN(sizeof(struct ipt_trap_target_info)),
+			&trap_help,
+			&trap_init,
+			&trap_parse,
+			&trap_final_check,
+			&trap_print,
+			&trap_save,
+			trap_opts
+		};
+
+		void
+		_init(void)
+		{
+			register_target(&trap_target_lib);
+		}
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** iptables(8) >-> HOLD target iptables(8) library
+** ip6tables(8) >-> HOLD target ip6tables(8) library	
+
+	Interface:
+
+		iptables(8) >-> HOLD target iptables(8) library
+		ip6tables(8) >-> HOLD target ip6tables(8) library
+
+	Label:
+
+	Name:
+
+	Synopsis:
+
+		static int hold_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			struct ipt_entry_target **target
+		)
+
+	Arguments:
+
+		c
+			argument count
+
+		argv
+			text arguments to be parsed by this target
+
+		invert
+			invert flag (doesn't make sense for targets)
+
+		flags
+			bitmap to indicate which arguments have been processed
+
+		entry
+			pointer to table entry associated with target
+
+		target
+		target data
+
+	Description:
+
+		This function parses, converts and checks iptables(8)
+		and ip6tables(8) command line HOLD text
+		arguments for use by the HOLD target NetFilter kernel
+		module.
+
+		Input is expected to be in the form of "--salist
+		SAList" where SAList is the security association list
+		to be applied to packets sent to the HOLD target.
+
+	Implementation notes:
+
+		There is still some disagreement about the form of the
+		salist.
+
+	Return value:
+
+		1 if an option was eaten, 0 if not.
+
+	Example:
+
+		static int
+		hold_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			struct ipt_entry_target **target
+		) {
+			struct ipt_hold_target_info *info = (struct ipt_hold_target_info*)(*target)->data;
+
+			/* parse option arguments */
+			...
+			return 1;
+		}
+
+		struct iptables_target hold_target_lib = {
+			NULL,
+			"HOLD",
+			NETFILTER_VERSION,
+			IPT_ALIGN(sizeof(struct ipt_hold_target_info)),
+			IPT_ALIGN(sizeof(struct ipt_hold_target_info)),
+			&hold_help,
+			&hold_init,
+			&hold_parse,
+			&hold_final_check,
+			&hold_print,
+			&hold_save,
+			hold_opts
+		};
+
+		void
+		_init(void)
+		{
+			register_target(&hold_target_lib);
+		}
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** iptables(8) >-> PEEK target iptables(8) library
+** ip6tables(8) >-> PEEK target ip6tables(8) library	
+
+	Interface:
+
+		iptables(8) >-> PEEK target iptables(8) library
+		ip6tables(8) >-> PEEK target ip6tables(8) library
+
+	Label:
+
+	Name:
+
+	Synopsis:
+
+		static int peek_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			struct ipt_entry_target **target
+		)
+
+	Arguments:
+
+		c
+			argument count
+
+		argv
+			text arguments to be parsed by this target
+
+		invert
+			invert flag (doesn't make sense for targets)
+
+		flags
+			bitmap to indicate which arguments have been processed
+
+		entry
+			pointer to table entry associated with target
+
+		target
+			target data
+
+	Description:
+
+		This function parses, converts and checks iptables(8)
+		and ip6tables(8) command line PEEK text
+		arguments for use by the PEEK target NetFilter kernel
+		module.
+
+		Input is expected to be in the form of "--salist
+		SAList" where SAList is the security association list
+		to be applied to packets sent to the PEEK target.
+
+	Implementation notes:
+
+		There is still some disagreement about the form of the
+		salist.
+
+	Return value:
+
+		1 if an option was eaten, 0 if not.
+
+	Example:
+
+		static int
+		peek_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			struct ipt_entry_target **target
+		) {
+			struct ipt_peek_target_info *info = (struct ipt_peek_target_info*)(*target)->data;
+
+			/* parse option arguments */
+			...
+			return 1;
+		}
+
+		struct iptables_target peek_target_lib = {
+			NULL,
+			"PEEK",
+			NETFILTER_VERSION,
+			IPT_ALIGN(sizeof(struct ipt_peek_target_info)),
+			IPT_ALIGN(sizeof(struct ipt_peek_target_info)),
+			&peek_help,
+			&peek_init,
+			&peek_parse,
+			&peek_final_check,
+			&peek_print,
+			&peek_save,
+			peek_opts
+		};
+
+		void
+		_init(void)
+		{
+			register_target(&peek_target_lib);
+		}
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** iptables(8) >-> IPSEC target iptables(8) library
+** ip6tables(8) >-> IPSEC target ip6tables(8) library	
+
+	Interface:
+
+		iptables(8) >-> IPSEC target iptables(8) library
+		ip6tables(8) >-> IPSEC target ip6tables(8) library
+
+	Label:
+
+	Name:
+
+	Synopsis:
+
+		static int ipsec_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			struct ipt_entry_target **target
+		)
+
+	Arguments:
+
+		c
+			argument count
+
+		argv
+			text arguments to be parsed by this target
+
+		invert
+			invert flag (doesn't make sense for targets)
+
+		flags
+			bitmap to indicate which arguments have been processed
+
+		entry
+			pointer to table entry associated with target
+
+		target
+			target data
+
+	Description:
+
+		This function parses, converts and checks iptables(8)
+		and ip6tables(8) command line IPSEC text
+		arguments for use by the IPSEC target NetFilter kernel
+		module.
+
+		Input is expected to be in the form of "--salist
+		SAList" where SAList is the security association list
+		to be applied to packets sent to the IPSEC target.
+
+	Implementation notes:
+
+		There is still some disagreement about the form of the
+		salist.
+
+	Return value:
+
+		1 if an option was eaten, 0 if not.
+
+	Example:
+
+		static int
+		ipsec_parse(
+			int c,
+			char **argv,
+			int invert,
+			unsigned int *flags,
+			const struct ipt_entry *entry,
+			struct ipt_entry_target **target
+		) {
+			struct ipt_ipsec_target_info *info = (struct ipt_ipsec_target_info*)(*target)->data;
+
+			/* parse option arguments */
+			...
+			return 1;
+		}
+
+		struct iptables_target ipsec_target_lib = {
+			NULL,
+			"IPSEC",
+			NETFILTER_VERSION,
+			IPT_ALIGN(sizeof(struct ipt_ipsec_target_info)),
+			IPT_ALIGN(sizeof(struct ipt_ipsec_target_info)),
+			&ipsec_help,
+			&ipsec_init,
+			&ipsec_parse,
+			&ipsec_final_check,
+			&ipsec_print,
+			&ipsec_save,
+			ipsec_opts
+		};
+
+		void
+		_init(void)
+		{
+			register_target(&ipsec_target_lib);
+		}
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** iptables(8) >-> NetFilter
+** ip6tables(8) >-> NetFilter
+
+	Interface:
+
+		iptables(8) >-> NetFilter
+		ip6tables(8) >-> NetFilter
+
+	Label:
+
+	Name:
+
+	Synopsis:
+
+	Arguments:
+
+		match->data = struct ipt_seclev_info
+		match->data = struct ipt_salist_info
+		target->data = struct ipt_trap_target_info
+		target->data = struct ipt_peek_target_info
+		target->data = struct ipt_ipsec_target_info
+
+	Description:
+
+		This I/F is already defined in NetFilter.  We don't
+		call it directly.  In addition, it will need
+		structures to pass the arguments above.  This
+		interface provides a mechanism for iptables to update
+		the kernel netfilter tables.
+
+	Implementation notes:
+
+	Return value:
+
+	Example:
+
+	See also:
+
+
+** NetFilter >-> seclev match NetFilter kernel module
+
+	Interface:
+
+		NetFilter >-> seclev match NetFilter kernel module
+
+	Label:
+
+	Name:
+
+		(*seclev_match) - does the packet match Security
+		Level?
+
+	Synopsis:
+
+		static int
+		seclev_match(
+			const struct sk_buff *skb,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *matchinfo,
+			int offset,
+			const void *hdr,
+			u_int16_t datalen,
+			int *hotdrop
+		)
+
+	Arguments:
+
+		skb
+			skb to test for match
+
+		in
+			incoming network interface
+
+		out
+			outgoing network interface
+
+		matchinfo
+			match information
+
+		offset
+			packet offset
+
+		hdr
+			transport layer header pointer
+
+		datalen
+			length of skb
+
+		hotdrop
+			flag to immediately drop packet
+
+	Description:
+
+		This function checks if the skb supplied matches
+		the security level specified in matchinfo.
+
+	Implementation notes:
+
+	Return value:
+
+		It returns true (1) for	match, false (0) for no match.
+
+	Example:
+
+		static int
+		seclev_match(
+			const struct sk_buff *skb,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *matchinfo,
+			int offset,
+			const void *hdr,
+			u_int16_t datalen,
+			int *hotdrop
+		) {
+			struct ipt_seclev_info *info = (struct ipt_seclev_info*)matchinfo;
+
+			if(/* test skb for match to matchinfo data */) {
+				return 1;
+			}
+			return 0;
+		}
+
+		static struct ipt_match seclev_match_mod = {
+			{ NULL, NULL },
+			"seclev",
+			&seclev_match,
+			&seclev_checkentry,
+			NULL,
+			THIS_MODULE
+		};
+
+		static int __init
+		init(void)
+		{
+			return ipt_register_match(&seclev_match_mod);
+		}
+
+		static void __exit
+		fini(void)
+		{
+			ipt_unregister_match(&seclev_match_mod);
+		}
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** NetFilter >-> salist match NetFilter kernel module
+
+	Interface:
+
+		NetFilter >-> salist match NetFilter kernel module
+
+	Label:
+
+	Name:
+
+		(*salist_match) - does the packet match the Security
+		Association List?
+
+	Synopsis:
+
+		static int salist_match(
+			const struct sk_buff *skb,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *matchinfo,
+			int offset,
+			const void *hdr,
+			u_int16_t datalen,
+			int *hotdrop
+		)
+
+	Arguments:
+
+		skb
+			skb to test for match
+
+		in
+			incoming network interface
+
+		out
+			outgoing network interface
+
+		matchinfo
+			match information
+
+		offset
+			packet offset
+
+		hdr
+			transport layer header pointer
+
+		datalen
+			length of skb
+
+		hotdrop
+			flag to immediately drop packet
+
+	Description:
+
+		This function checks if the skb supplied matches
+		the Security Association list specified in matchinfo.
+
+	Implementation notes:
+
+	Return value:
+
+		It returns true (1) for	match, false (0) for no match.
+
+	Example:
+
+		static int
+		salist_match(
+			const struct sk_buff *skb,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *matchinfo,
+			int offset,
+			const void *hdr,
+			u_int16_t datalen,
+			int *hotdrop
+		) {
+			struct ipt_salist_info *info = (struct ipt_salist_info*)matchinfo;
+
+			if(/* test skb for match to matchinfo data */) {
+				return 1;
+			}
+			return 0;
+		}
+
+		static struct ipt_match salist_match_mod = {
+			{ NULL, NULL },
+			"salist",
+			&salist_match,
+			&salist_checkentry,
+			NULL,
+			THIS_MODULE
+		};
+
+		static int __init
+		init(void)
+		{
+			return ipt_register_match(&salist_match_mod);
+		}
+
+		static void __exit
+		fini(void)
+		{
+			ipt_unregister_match(&salist_match_mod);
+		}
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** NetFilter >-> TRAP target NetFilter kernel module
+
+	Interface:
+
+		NetFilter >-> TRAP target NetFilter kernel module
+
+	Label:
+
+		TRAP
+
+	Name:
+
+		(*trap_target) - TRAP outgoing packets to initiate
+		opportunism
+
+	Synopsis:
+
+		static unsigned int
+		trap_target(
+			struct sk_buff **pskb,
+			unsigned int hooknum,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *targinfo,
+			void *userinfo
+		)
+
+	Arguments:
+
+		pskb
+			skb to be processed by target
+
+        	hooknum
+			which hook from which it was called
+
+		in
+			network device it came from
+
+		out
+			network device to which it is headed
+
+		targinfo
+			data used by target for processing
+
+		userinfo
+			optional user data passed in from mainline
+			hook
+
+	Description:
+
+		This is a NetFilter target.  It TRAPs packets to notify the
+		key management daemons to acquire a new set of
+		Security Associations and to set up a HOLD to save it
+		until the acquire has succeeded.
+
+	Implementation notes:
+
+	Return value:
+
+		It returns NF_STOLEN.
+
+	Example:
+
+		File net/ipv4/netfilter/ipt_TRAP.c:
+		#include 
+
+		static unsigned int
+		trap_target(struct sk_buff **pskb,
+			unsigned int hooknum,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *targinfo,
+			void *userinfo)
+		{
+			/* send up a PF_KEYv2 ACQUIRE */
+			...
+			/* create HOLD and save packet */
+			...
+			return NF_STOLEN;
+		}
+
+		static struct ipt_target trap_target_mod = {
+			{ NULL, NULL },
+			"TRAP",
+			trap_target,
+			trap_checkentry,
+			NULL,
+			THIS_MODULE
+		};
+
+		static int __init init(void)
+		{
+			if (ipt_register_target(&trap_target_mod))
+				return -EINVAL;
+			return 0;
+		}
+
+		static void __exit fini(void)
+		{
+			ipt_unregister_target(&trap_target_mod);
+		}
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** TRAP target NetFilter kernel module >-> KMds "PF_KEYv2 ACQUIRE"
+
+	Interface:
+
+		TRAP target NetFilter kernel module >-> KMds "PF_KEYv2 ACQUIRE"
+
+	Label:
+
+		see RFC2367, PF_KEYv2 ACQUIRE
+
+	Name:
+
+		see RFC2367, PF_KEYv2 ACQUIRE
+
+	Synopsis:
+
+		see RFC2367, PF_KEYv2 ACQUIRE
+
+	Arguments:
+
+		see RFC2367, PF_KEYv2 ACQUIRE
+
+	Description:
+
+		This interface is used to make requests from the
+		kernel to key management daemons for a set of Security
+		Associations to cover the specified traffic named to a
+		remote host.
+
+	Implementation notes:
+
+	Return value:
+
+		see RFC2367, PF_KEYv2 ACQUIRE
+
+	Example:
+
+	See also:
+
+
+** TRAP target NetFilter kernel module >-> NetFilter
+
+	Interface:
+
+		TRAP target NetFilter kernel module >-> NetFilter
+
+	Label:
+
+	Name:
+
+	Synopsis:
+
+	Arguments:
+
+	in:
+		struct sk_buff *skb
+	out:
+		boolean
+
+	Description:
+
+		This interface is used by the NetFilter TRAP target
+		kernel module to set up a HOLD to save outgoing
+		packets until the acquire has succeeded, limiting the
+		demand on the PF_KEYv2 ACQUIRE interface.
+
+	Implementation notes:
+
+		At present, this looks really ugly.  The table can
+		only be modified from userspace by reading the entire
+		table and then replacing the entire table atomically.
+
+	Return value:
+
+	Example:
+
+	See also:
+
+
+** NetFilter >-> HOLD target NetFilter kernel module
+
+	Interface:
+
+		NetFilter >-> HOLD target NetFilter kernel module
+
+	Label:
+
+	Name:
+
+		(*hold_target) - HOLD packets to prevent key
+		management daemon flooding
+
+	Synopsis:
+
+		static unsigned int 
+		hold_target(
+			struct sk_buff **pskb,
+			unsigned int hooknum,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *targinfo,
+			void *userinfo
+		)
+
+	Arguments:
+
+		pskb
+			skb to be processed by target
+
+        	hooknum
+			which hook from which it was called
+
+		in
+			network device it came from
+
+		out
+			network device to which it is headed
+
+		targinfo
+			data used by target for processing
+
+		userinfo
+			optional user data passed in from mainline
+			hook
+
+	Description:
+
+		This is a NetFilter target.  It discards the 
+		previous held packet and holds onto the
+		last packet packet pending replacement by an SPDB
+		change that deletes this HOLD and releases the packet.
+
+	Implementation notes:
+
+		There sound like there will be problems with this
+		because of the atomic complete replacement of the
+		table at which point any data stored with the target
+		will be lost.
+
+	Return value:
+
+		It returns NF_STOLEN.
+
+	Example:
+
+		File net/ipv4/netfilter/ipt_HOLD.c:
+		#include 
+
+		static unsigned int
+		hold_target(struct sk_buff **pskb,
+			unsigned int hooknum,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *targinfo,
+			void *userinfo)
+		{
+			/* send up a PF_KEYv2 ACQUIRE */
+			...
+			/* create HOLD and save packet */
+			...
+			return NF_STOLEN;
+		}
+
+		static struct ipt_target hold_target_mod = {
+			{ NULL, NULL },
+			"HOLD",
+			hold_target,
+			hold_checkentry,
+			NULL,
+			THIS_MODULE
+		};
+
+		static int __init init(void)
+		{
+			if (ipt_register_target(&hold_target_mod))
+				return -EINVAL;
+			return 0;
+		}
+
+		static void __exit fini(void)
+		{
+			ipt_unregister_target(&hold_target_mod);
+		}
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** KMd >-> SADB "PF_KEYv2 ADD/UPDATE"
+
+	Interface:
+
+		KMd >-> SADB "PF_KEYv2 ADD/UPDATE"
+
+	Label:
+
+		see RFC2367, PF_KEYv2 ADD/UPDATE
+
+	Name:
+
+		see RFC2367, PF_KEYv2 ADD/UPDATE
+
+	Synopsis:
+
+		see RFC2367, PF_KEYv2 ADD/UPDATE
+
+	Arguments:
+
+		see RFC2367, PF_KEYv2 ADD/UPDATE
+
+	Description:
+
+		This interface is used by key management daemons to
+		set incoming or outgoing Security Associations in the
+		kernel to/from a remote host.
+
+	Implementation notes:
+
+	Return value:
+
+		see RFC2367, PF_KEYv2 ADD/UPDATE
+
+	Example:
+
+	See also:
+
+
+
+** HOLD target NetFilter kernel module >-> NetFilter
+
+	Interface:
+
+		HOLD target NetFilter kernel module >-> NetFilter
+
+	Label:
+
+	Name:
+
+	Synopsis:
+
+	Arguments:
+
+	in:
+		struct sk_buff *skb
+
+	Description:
+
+		This interface provides a method for previously held
+		packets to be released and sent on their way once the
+		HOLD SPDB entry has been replaced or deleted, usually
+		pointing to newly created Security Associations that
+		were aquired to cover that packet stream.  (I don't
+		know the best way to show this on the diagram, since
+		the skb is stored with the eroute and not the HOLD
+		target module)
+
+	Implementation notes:
+
+	Return value:
+
+	Example:
+
+	See also:
+
+
+
+** NetFilter >-> IPSEC target NetFilter kernel module
+
+	Interface:
+
+		NetFilter >-> IPSEC target NetFilter kernel module
+
+	Label:
+
+	Name:
+
+		(*ipsec_target) - process outgoing packet with
+		specified Security Associations
+
+	Synopsis:
+
+		static unsigned int
+		ipsec_target(
+			struct sk_buff **pskb,
+			unsigned int hooknum,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *targinfo,
+			void *userinfo
+		)
+
+	Arguments:
+
+		pskb
+			skb to be processed by target
+
+        	hooknum
+			which hook from which it was called
+
+		in
+			network device it came from
+
+		out
+			network device to which it is headed
+
+		targinfo
+			data used by target for processing
+
+		userinfo
+			optional user data passed in from mainline
+			hook
+
+	Description:
+
+		This is a NetFilter target.  It looks up the Security
+		Associations listed as an argument, in the Security
+		Association DataBase, and applies them in sequence to
+		the outgoing packet.
+
+	Implementation notes:
+
+	Return value:
+
+	       It returns NF_STOLEN.
+
+	Example:
+
+		File net/ipv4/netfilter/ipt_IPSEC.c:
+		#include 
+
+		static unsigned int
+		ipsec_target(struct sk_buff **pskb,
+			unsigned int hooknum,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *targinfo,
+			void *userinfo)
+		{
+			/* send up a PF_KEYv2 ACQUIRE */
+			...
+			/* create HOLD and save packet */
+			...
+			return NF_STOLEN;
+		}
+
+		static struct ipt_target ipsec_target_mod = {
+			{ NULL, NULL },
+			"IPSEC",
+			ipsec_target,
+			ipsec_checkentry,
+			NULL,
+			THIS_MODULE
+		};
+
+		static int __init init(void)
+		{
+			if (ipt_register_target(&ipsec_target_mod))
+				return -EINVAL;
+			return 0;
+		}
+
+		static void __exit fini(void)
+		{
+			ipt_unregister_target(&ipsec_target_mod);
+		}
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** IPSEC target NetFilter kernel module >-> SADB "SAID"
+
+	Interface:
+
+		IPSEC target NetFilter kernel module >-> SADB
+
+	Label: 
+
+		SAID
+
+	Name:
+
+		ipsec_getsa - get an SA from the SADB by SAID
+
+	Synopsis: 
+
+		#include 
+
+		struct ipsec_sa *
+		ipsec_getsa(
+			struct ipsec_said asaid
+		);
+
+	Arguments:
+
+		asaid
+			Security Association IDentifier to try to
+			match in SADB
+
+
+	Description:
+
+		Retrieve a Security Association from the system
+		Security Association DataBase that matches the
+		supplied Security Association IDentifier.
+
+		The Security Association IDentifier must be supplied
+		as a completely filled struct ipsec_said.  ipsec_getsa() attempts
+		to exactly match the SAID structure of an SA
+		entry in the global SADB hash table ipsec_sadb with
+		the SAID argument.  If this succeeds, 
+		a pointer to the matching SA is returned.
+
+	Implementation notes:
+
+		The reference count of the matching SA is atomically
+		incremented by ipsec_getsa() and must be atomically
+		decremented when the caller of ipsec_getsa() has
+		finished with the SA.
+
+		The global SADB hash table struct
+		ipsec_sa*ipsec_sadb[] is locked by ipsec_getsa()
+		during lookup.
+
+	Return values:
+
+		A pointer to a valid Security Association is returned
+		if a match was found, otherwise NULL is returned.
+
+	Example:
+
+		struct ipsec_sa *sa;
+		struct ipsec_said said;
+		...
+		sa = ipsec_getsa(said);
+		...
+		if(atomic_dec_and_test(sa->refcount)) {
+			ipsec_sa_free(sa);
+		}
+
+	See also:
+
+
+
+** IPSEC target NetFilter kernel module >-> NetFilter
+
+	Interface:
+
+		IPSEC target NetFilter kernel module >-> NetFilter
+
+	Label:
+
+	Name:
+
+		nf_reinject - re-inject a packet at one of the
+		netfilter hooks
+
+	Synopsis:
+
+		void
+		nf_reinject(
+			struct sk_buff *skb,
+			struct nf_info *info,
+			unsigned int verdict
+		)
+
+	Arguments:
+
+		skb
+			packet to be re-injected
+
+		info
+
+		verdict
+			verdict to be returned to netfilter hook
+
+	Description:
+
+		This interface is to re-inject packets to
+		NF_IP_LOCAL_OUT after the packet has been processed.
+
+	Implementation notes:
+
+	Return value:
+
+		none (void)
+
+	Example:
+
+		skb->salist = struct salist
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** SADB >-> KMd "PF_KEYv2 EXPIRE"
+
+	Interface:
+
+		SADB >-> KMd "PF_KEYv2 EXPIRE"
+
+	Label:
+
+		see RFC2367, PF_KEYv2 EXPIRE
+
+	Name:
+
+		see RFC2367, PF_KEYv2 EXPIRE
+
+	Synopsis:
+
+		see RFC2367, PF_KEYv2 EXPIRE
+
+	Arguments:
+
+		see RFC2367, PF_KEYv2 EXPIRE
+
+	Description:
+
+		This interface is used by the kernel to notify key
+		management daemons that a security association has
+		either soft or hard expired and to negotiate a
+		replacement.
+
+	Implementation notes:
+
+	Return value:
+
+		see RFC2367, PF_KEYv2 EXPIRE
+
+	Example:
+
+	See also:
+
+
+** Routing Table >-> IPSEC target NetFilter kernel module "IPSECdev"
+
+	Interface:
+
+		Routing Table >-> IPSEC target NetFilter kernel module
+
+	Label:
+
+		 "IPSECdev"
+
+	Name:
+
+	Synopsis:
+
+	Arguments:
+
+	Description:
+
+		This interface provides a way of routing packets
+		through a specific IPSec virtual tunnel.  This is
+		standard linux network routing.
+
+	Implementation notes:
+
+	Return value:
+
+	Example:
+
+	See also:
+
+
+
+** KMd >-> Routing Table "Routing"
+
+	Interface:
+
+		KMd >-> Routing Table
+
+	Label:
+
+		"Routing"
+
+	Name:
+
+		system(3) call to route(8) - execute a shell
+		command to do IP packet routing administration to set
+		ipsec policy
+
+	Synopsis:
+
+		#include 
+
+		int
+		system(
+			const char * "route \
+			{add,del} -{host,net} \
+			{,[/mask]} \
+			gw  \
+			dev  \
+		");
+
+	Arguments:
+
+		add
+			add an entry to the routing table
+
+		del
+			delete an entry from the routing table
+
+		-host
+			add or delete a host
+
+		-net
+			add or delete a network
+
+		
+			host FQDN or IPv4 or IPv6 address
+
+		[/mask]
+			network FQDN or IPv4 or IPv6 address with netmask
+
+		gw 
+			nexthop gateway address
+
+		dev 
+
+		char[] IPSECdev
+		unsigned char exit_code
+
+	Description:
+
+		This is an interface from the key management daemon to
+		explicitly route traffic through an IPSEC virtual
+		device which is defined by a pair of IPSEC tunnel
+		endpoints and a set of Security Associations.
+
+	Implementation notes:
+
+		currently done by system(3) calls to _updown.
+
+	Return value:
+
+	Example:
+
+	See also:
+
+		system(3), route(8), iproute2(8)
+
+
+
+** Transport Layer De-mux >-> IPSec DECRYPT kernel module
+
+	Interface:
+
+		Transport Layer De-mux >-> IPSec DECRYPT kernel module
+
+	Label:
+
+	Name:
+
+		ipsec_rcv - process an incoming IPSec packet
+	Synopsis:
+		
+		#include 
+
+		int
+		ipsec_rcv(
+			struct sk_buff *skb,
+			unsigned short xlen
+		)
+
+	Arguments:
+
+		skb
+			skb to be processed
+
+		xlen
+			length of skb buffer
+
+	Description:
+
+		This interface is to call the IPSEC ESP transport
+		layer protocol handler to process (decrypt) an
+		incoming packet.
+
+		The packet is freed, being re-injected into the
+		NF_IP_PRE_ROUTING hook.
+
+	Implementation notes:
+
+	Return value:
+
+	       ipsec_rcv() returns zero (0).
+
+	Example:
+
+	See also:
+
+
+** IPSec DECRYPT kernel module >-> SADB "SAID"
+
+	Interface:
+
+		IPSec DECRYPT kernel module >-> SADB
+
+	Label:
+
+		see "SAID"
+
+	Name:
+
+		ipsec_getsa - get an SA from the SADB by SAID
+
+	Synopsis:
+
+		#include 
+
+		struct ipsec_sa *
+		ipsec_getsa(
+			struct ipsec_said asaid
+		)
+
+	Arguments:
+
+		asaid
+			Security Association IDentifier to try to
+			match in SADB
+
+	Description:
+
+	Implementation notes:
+
+	Return value:
+
+	Example:
+
+	See also:
+
+		IPSEC target NetFilter kernel module >-> SADB "SAID"
+
+
+** IPSec DECRYPT kernel module >-> NetFilter
+
+	Interface:
+
+		IPSec DECRYPT kernel module >-> NetFilter
+
+	Label:
+
+	Name:
+
+		nf_reinject - re-inject a packet at one of the
+		netfilter hooks
+
+	Synopsis:
+
+		void
+		nf_reinject(
+			struct sk_buff *skb,
+			struct nf_info *info,
+			unsigned int verdict
+		)
+
+	Arguments:
+
+			skb
+				packet to be re-injected
+
+			info
+
+			verdict
+				verdict to be returned to netfilter hook
+
+	Description:
+
+		This interface is to re-inject the processed packet
+		back into the input stream at NF_IP_PRE_ROUTE to check
+		policy with processed (decrypted) connection
+		information.
+
+	Implementation notes:
+
+	Return value:
+
+		none (void)
+
+	Example:
+
+		skb->salist = struct salist
+
+	See also:
+
+
+** NetFilter >-> PEEK target NetFilter kernel module
+
+	Interface:
+
+		NetFilter >-> PEEK target NetFilter kernel module
+
+	Label:
+
+	Name:
+
+		(*peek_target) - PEEK at packets to initiate opportunism
+
+	Synopsis:
+
+		static unsigned int
+		peek_target(
+			struct sk_buff **pskb,
+			unsigned int hooknum,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *targinfo,
+			void *userinfo
+		)
+
+	Arguments:
+
+		pskb
+			skb to be processed by target
+
+        	hooknum
+			which hook from which it was called
+
+		in
+			network device it came from
+
+		out
+			network device to which it is headed
+
+		targinfo
+			data used by target for processing
+
+		userinfo
+			optional user data passed in from mainline
+			hook
+
+	Description:
+
+		This interface is used by the kernel netfilter table
+		as a target for packets to be PEEKed at to notify the
+		key management daemons to acquire a new set of
+		Security Associations and to set up an ACCEPT to allow
+		packets in and avoid overloading the KMds.
+
+	Implementation notes:
+
+	Return value:
+
+		It returns NF_ACCEPT.
+
+	Example:
+
+		File net/ipv4/netfilter/ipt_PEEK.c:
+		#include 
+
+		static unsigned int
+		peek_target(struct sk_buff **pskb,
+			unsigned int hooknum,
+			const struct net_device *in,
+			const struct net_device *out,
+			const void *targinfo,
+			void *userinfo)
+		{
+			/* send up a PF_KEYv2 ACQUIRE */
+			...
+			/* create HOLD and save packet */
+			...
+			return NF_STOLEN;
+		}
+
+		static struct ipt_target peek_target_mod =
+		{ { NULL, NULL }, "PEEK", peek_target, peek_checkentry, NULL,
+			THIS_MODULE };
+
+		static int __init init(void)
+		{
+			if (ipt_register_target(&peek_target_mod))
+				return -EINVAL;
+			return 0;
+		}
+
+		static void __exit fini(void)
+		{
+			ipt_unregister_target(&peek_target_mod);
+		}
+
+	See also:
+
+		http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/netfilter-hacking-HOWTO.linuxdoc-4.html
+
+
+
+** PEEK target NetFilter kernel module >-> KMds "PF_KEYv2 ACQUIRE"
+
+	Interface:
+
+		PEEK target NetFilter kernel module >-> KMds
+
+	Label:
+
+		"PF_KEYv2 ACQUIRE"
+
+	Name:
+
+		see RFC2367, PF_KEYv2 ACQUIRE
+
+	Synopsis:
+
+		see RFC2367, PF_KEYv2 ACQUIRE
+
+	Arguments:
+
+		see RFC2367, PF_KEYv2 ACQUIRE
+
+	Description:
+
+		This interface is used to make requests from the
+		kernel to key management daemons for a set of Security
+		Associations to cover the specified traffic named to a
+		remote host.
+
+	Implementation notes:
+
+	Return value:
+
+		see RFC2367, PF_KEYv2 ACQUIRE
+
+	Example:
+
+	See also:
+
+		see RFC2367, PF_KEYv2 ACQUIRE
+
+
+
+** PEEK target NetFilter kernel module >-> NetFilter
+
+	Interface:
+
+		PEEK target NetFilter kernel module >-> NetFilter
+
+	Label:
+
+	Name:
+
+	Synopsis:
+
+	Arguments:
+
+	in:
+		struct sk_buff *skb
+	out:
+		boolean
+
+	Description:
+
+		This interface is to provide a way to install an
+		ACCEPT target to avoid overloading the KMds while they
+		are negotiating.
+
+	Implementation notes:
+
+	Return value:
+
+	Example:
+
+	See also:
+
+
+
+
+** New I/F section template
+
+	Interface:
+
+	Label:
+
+	Name:
+
+	Synopsis:
+
+	Arguments:
+
+	Description:
+
+	Implementation notes:
+
+	Return value:
+
+	Example:
+
+	See also:
+
+
+
+
+* Definitions and Data structures used
+
+SAList := [,[,[,]]]
+
+ := @
+
+ := ah | esp | comp | tun
+
+ := . | : (indicates IPv4 or IPv6 respectively)
+
+ := <8-digit hexadecimal string>
+
+ := 
+
+
+const struct ipt_entry is already defined in netfilter.
+
+struct ipt_entry_match is already defined in netfilter.
+
+struct ipsec_seclev remains to be defined.
+
+struct ipt_seclev_info {
+	struct ipsec_seclev;		/* Security Level data */
+	u_int8_t  invert;	/* Invert match */
+};
+
+struct ipsec_salist {
+	struct ipsec_said said1;
+	struct ipsec_said said2;
+	struct ipsec_said said3;
+	struct ipsec_said said4;
+}
+
+struct ipt_salist_info {
+	struct ipsec_salist salist;	/* Security Association List data */
+	u_int8_t  invert;	/* Invert match */
+};
+
+struct ipt_ipsec_target_info {
+	struct ipsec_said said1;
+	struct ipsec_said said2;
+	struct ipsec_said said3;
+	struct ipsec_said said4;
+};
+
+struct ipsec_said{		/* to identify an SA, we need: */
+	ip_address dst;		/* A. destination host */
+	ipsec_spi_t spi;	/* B. 32-bit SPI, assigned by dest. host */
+#		define	SPI_PASS	256	/* magic values... */
+#		define	SPI_DROP	257	/* ...for use... */
+#		define	SPI_REJECT	258	/* ...with SA_INT */
+#		define	SPI_HOLD	259
+#		define	SPI_TRAP	260
+	int proto;		/* C. protocol */
+#		define	SA_ESP	50	/* IPPROTO_ESP */
+#		define	SA_AH	51	/* IPPROTO_AH */
+#		define	SA_IPIP	4	/* IPPROTO_IPIP */
+#		define	SA_COMP	108	/* IPPROTO_COMP */
+#		define	SA_INT	61	/* IANA reserved for internal use */
+};
+
+typedef struct {
+	union {
+		struct sockaddr_in v4;
+		struct sockaddr_in6 v6;
+	} u;
+} ip_address;
+
+struct ipsec_sa {
+	/* copy most from struct tdb */
+};
+
+struct ipsecinfo {
+	struct ipt_entry_target t;
+	struct ipt_ipsec_target_info salist;
+};
+
+struct trapinfo {
+	struct ipt_entry_target t;
+};
+
+struct peekinfo {
+	struct ipt_entry_target t;
+};
+
+struct holdinfo {
+	struct ipt_entry_target t;
+};
+
+* Version:
+
+	$Id: klips2-design-api.txt,v 1.17 2001/06/01 07:25:53 rgb Exp $
diff -bruN freeswan-1.9.orig/klips/doc/klips2-design-legend.txt freeswan-1.9/klips/doc/klips2-design-legend.txt
--- freeswan-1.9.orig/klips/doc/klips2-design-legend.txt	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/klips/doc/klips2-design-legend.txt	Mon Jun  4 12:54:57 2001
@@ -0,0 +1,46 @@
+#  -*- mode: Outline; fill-column: 78; fill-prefix: "	" -*-
+#
+#  klips2-design-legend.txt
+#	Richard Guy Briggs 
+#
+#  RCSID $Id: klips2-design-legend.txt,v 1.7 2001/05/29 18:52:12 rgb Exp $
+#
+
+# This document is a legend of labels and acronyms on the diagram.  It
+# also acts as a very brief glossary to the rest of the klips2-design
+# documents.  Please see klips2-design.txt for an overview.
+
+# The first column contains the acronym or label used.  It is followed
+# by the acronym written out in full or a very brief description.
+
+
+KMd-1...n	Key Management Daemons 1 to n
+Routing		Routing Table kernel interface
+Policy		SPDB KMd interface
+seclev		Match Packet Security Level (not yet implemented in Linux)
+SADDR		Match Packet Source Address
+DADDR		Match Packet Destination Address
+SMASK		Match Packet Source Address Network Mask
+DMASK		Match Packet Destination Address Network Mask
+SPORT		Match Packet Transport Layer Source Port Number
+DPORT		Match Packet Transport Layer Destination Port Number
+UID		Match Packet User IDentifier
+SA		Security Association
+SAList		Security Association List
+SAID		Security Association IDentifier
+TDB		Tunnel Descriptor Block
+ESP		Encapsulating Security Payload
+IPSECdev	IPSEC virtual tunnel device
+SADB		Security Association DataBase
+SPDB		Security Policy DataBase
+SPI		Security Parameters Index
+get/set_sockopt	get or set socket options
+DROP		Target DROP Packet
+ACCEPT		Target ACCEPT Packet
+REJECT		Target REJECT Packet
+TRAP		Target TRAP Packet
+HOLD		Target HOLD Packet
+PEEK		Target PEEK Packet
+IPSEC		Target IPSEC Packet
+__..__..	PF_KEYv2 communication path
+___.___.	User/Kernel Space demarcation
diff -bruN freeswan-1.9.orig/klips/doc/klips2-design.dia freeswan-1.9/klips/doc/klips2-design.dia
--- freeswan-1.9.orig/klips/doc/klips2-design.dia	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/klips/doc/klips2-design.dia	Mon Jun  4 12:54:57 2001
@@ -0,0 +1,4316 @@
+
+
+  
+    
+      
+    
+    
+      
+        
+          #A4#
+        
+        
+          
+        
+        
+          
+        
+        
+          
+        
+        
+          
+        
+        
+          
+        
+        
+          
+        
+        
+          
+        
+        
+          
+        
+        
+          
+        
+      
+    
+  
+  
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #SADDR#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #DADDR#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #SMASK#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #DMASK#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #SPORT#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #DPORT#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #UID#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #Snapshot and Release document location: klips/doc/klips2-design.dia#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #iptables(8)#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #DROP#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #ACCEPT#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #REJECT#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #IPSec
+NetFilter
+Table#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #SADDR#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #DADDR#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #SMASK#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #DMASK#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #SPORT#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #DPORT#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #UID#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #DROP#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #ACCEPT#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #REJECT#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #IPSEC#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #TRAP#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #IPSEC#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #HOLD#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #seclev#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #SADB#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #Routing
+Table#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #UserSpace#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #KernelSpace#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #get/set_sock_opt#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+        
+        
+      
+      
+        
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #KMd-1#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #KMd-n#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #ACQUIRE#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #EXPIRE#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #ADD/UPDATE#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #SAID#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #IPSECdev#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #Linux FreeS/WAN KLIPS2 Design w/NetFilter#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #Version: $Id: klips2-design.dia,v 1.7 2001/05/29 18:52:13 rgb Exp $#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #Project website: http://www.freeswan.org#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #.  .  .#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #Accompanies klips/doc/klips2-design.txt#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #seclev#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            ##
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            ##
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #Routing#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #Policy#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            ##
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            ##
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            ##
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            ##
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #ipsec_rcv#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+        
+        
+      
+      
+        
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+        
+        
+      
+      
+        
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #Transport Layer De-mux#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #PEEK#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+        
+        
+      
+      
+        
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+        
+        
+      
+      
+        
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #salist#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #salist#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #NF_IP_POST_ROUTE#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #NF_IP_PRE_ROUTE#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+        
+        
+      
+      
+        
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+        
+        
+      
+      
+        
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #TRAP#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #HOLD#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+          
+            #PEEK#
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+          
+            
+          
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+        
+        
+      
+      
+        
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+    
+      
+        
+      
+      
+        
+      
+      
+        
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+      
+        
+      
+    
+  
+
diff -bruN freeswan-1.9.orig/klips/doc/klips2-design.txt freeswan-1.9/klips/doc/klips2-design.txt
--- freeswan-1.9.orig/klips/doc/klips2-design.txt	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/klips/doc/klips2-design.txt	Mon Jun  4 12:54:57 2001
@@ -0,0 +1,383 @@
+#  -*- mode: Outline; fill-column: 78; fill-prefix: "	" -*-
+#
+#  klips2-design.txt
+#	Richard Guy Briggs 
+#
+#  RCSID $Id: klips2-design.txt,v 1.16 2001/06/01 07:26:15 rgb Exp $
+#
+
+* Outline Commands cheat sheet (C-c C-s to see this)
+        C-c C-t         Hide EVERYTHING in buffer
+        C-c C-a         Show EVERYTHING in buffer
+
+        C-c C-d         Hide THIS item and subitems (subtree)
+        C-c C-s         Show THIS item and subitems (subtree)
+
+        C-c C-c         Hide ONE item
+        C-c C-e         Show ONE item
+
+* Introduction
+
+Linux FreeS/WAN IPSec -- KLIPS2 DESIGN
+======================================
+
+# This document outlines the proposed design for KLIPS2, the second
+# generation Linux FreeS/WAN IPSec kernel implementation.  It is
+# accompanied by the following:
+#
+# klips2-design.dia		dia(1) diagram
+# klips2-design-legend.txt	diagram legend
+# klips2-design-api.txt		API descriptions
+# klips2-design-api-trips.txt	scenarios that force trips through the
+#				various APIs to verify all needed resources
+#				are available
+
+# This document is devided up into Introduction, Goals, Feature requests,
+# Packet path overview, NetFilter overview, IPSec path description, and
+# Other issues.
+#
+# This document was originally written 2.5 weeks after OLS2000, inspired
+# from a meeting with Rusty and Marc Boucher in Montreal in November 1999
+# and two meetings at OLS2000.
+#
+# Please comment to the linux-ipsec, netfilter-devel or netdev lists.
+#
+# Current kernel version reference is 2.4.4 with iptables 1.2
+
+* Goals:
+
+	To get rid of the current IPSec virtual interfaces that associate with
+	a specific physical network interfaces and replace them with IPSec
+	virtual interfaces that specify a local gateway address as a source
+	address, a remote gateway address as a destination address and
+	specific tunnel policy or SAs.
+
+	To use existing packet matching engines rather than re-invent.
+
+	To support more of the required selectors, especially source and
+	destination ports, and possibly userid.  Security labels are not of
+	obvious value, but the selectors will be easy to add in the future if
+	they are implemented in the Linux kernel.
+
+	To get access to *all* packets incoming and outgoing to enforce policy
+	in both directions.
+
+	To better support opportunistic encryption.
+
+	To take advantage of the parallellism of SMP and H/W encryption.
+
+	To make encryption and authentication modular.
+
+The idea is to redesign KLIPS (kernel parts of FreeS/WAN) to avoid all the
+'stoopid routing tricks' (TM) to which we have had to resort since the project
+started by disassociating any IPSec devices from physical devices and to add a
+proper SPDB to do proper incoming IPSec policy checks.  We are hoping to use
+existing pattern-matching tools rather than invent our own.  NetFilter appears
+to have all the pattern matching capabilities with the exception of security
+labels which Linux doesn't appear to have anyways, but may be limited in other
+ways.
+
+There is also a significant interest in enabling FreeS/WAN to communicate with
+routing daemons and be able to do load sharing and failover:
+
+	http://www.quintillion.com/fdis/moat/ipsec+routing/
+
+
+
+* Feature requests:
+
+Code=Level/Status/Priority
+Level:
+	S = strategic
+	M = middle
+	T = tactical
+	U = unset
+Status:
+	U = unstarted
+	C = coded
+	T = tested
+	D = deleted
+Priority:
+	H = high
+	M = medium
+	L = low
+	U = unset
+	D = deprecated
+
+Code	Feature		Implementation
+====	=======		==============
+S/U/U	changeable gw wild-side addresses on-the-fly
+			- road warriors with RSA keys and hooks from DHCP
+			  to move to a new set of SAs upon expiry of previous
+			  DHCP lease.  Notify peers.  Negociate new tunnels.
+			  Handle delayed or denied renewal see: conn up, down,
+			  wanted.
+M/U/U	address inertia for remote gw's with changeable wild-side addresses
+	so local gw reboots will initiate reconnect to remotes.
+			- this requires a disk cache.
+T/U/U	mini-database of road warriors that persists across reboots.
+			- this requires a disk cache.
+M/U/U	connection up, down, wanted
+			- 
+S/U/U	routing below tunnel layer to support mobility and multi-homing
+			-
+M/U/U	tunnel identified by subnets served?
+			-
+M/U/U	why do equalizing schedulers not play well with tunnels?
+			-
+M/U/U	decouple SA retrieval from DADDR (don't care how it arrived)
+			- protocol redesign
+T/U/U	SPIs unique, independant of protocol and DADDR
+			- 
+S/U/U	routing above tunnel layer
+			-
+S/U/U	granularity smaller than host
+			- SPORT, DPORT, UID, SecLev
+M/U/U	/dev/ipsecNNN devices that could be chown(1)ed and chmod(1)ed.
+
+M/U/U	process to process tunnels
+
+T/U/U	netfilter,pf_key,ioctl,/dev/ipsecNNN ways to manipulate tunnel perms.
+
+S/U/U	KLIPS as a loadable module (isn't it already?)
+
+S/U/U	stats: {number,time_of_last} packets {out,good_in,error_in}
+
+S/U/U	integrate IPSec and firewall policy into Security Policy.
+	(What APIs and user-level tools?)
+
+S/U/U	full inbound policy checking
+S/U/U	secure ciphers and hashes
+T/U/U	kernel implementation (should be faster)
+S/U/U	plays well with routing daemons
+S/U/U	free of export restrictions
+T/U/U	standard crypto api to add newer ciphers and hashes
+S/U/U	opportunistic
+T/U/U	SADB hash table will be locked for additions/deletions
+T/U/U	use a refcount on each SA to increase locking granularity
+
+
+
+* Packet path overview:
+
+The basic path through the kernel as it concerns IPSec for the three
+types of packets is as follows:
+
+IN:
+	NIC
+	basic sanity checks
+	NF_IP_PRE_ROUTING hook
+	route-in
+	ip-options processing
+	defragmentation
+	NF_IP_LOCAL_IN hook
+	transport layer demux
+	application
+
+FORWARD:
+	NIC
+	basic sanity checks
+	NF_IP_PRE_ROUTING hook
+	routing-in
+	ip-options processing
+	ttl decrement and check
+	NF_IP_FORWARD hook
+	fragmentation
+	NF_IP_POST_ROUTING hook
+	fragmentation
+	output()
+	NIC
+
+OUT:
+	application
+	transport layer mux
+	NF_IP_LOCAL_OUT hook
+	route-out
+	NF_IP_POST_ROUTING hook
+	fragmentation
+	output()
+	NIC
+
+
+
+* NetFilter overview:
+
+The basic architecture of NetFilter is:
+
+       --->[1]--->(ROUTE)--->[3]--->[4]--->     where:
+                     |            ^             [1] NF_IP_PRE_ROUTING
+                     |            |             [2] NF_IP_LOCAL_IN
+                     |         (ROUTE)          [3] NF_IP_FORWARD
+                     v            |             [4] NF_IP_POST_ROUTING
+                    [2]          [5]            [5] NF_IP_LOCAL_OUT
+                     |            ^             
+                     |            |             
+                     v            |             
+
+Destination NAT (port forwarding) gets applied in NF_IP_PRE_ROUTING and
+NF_IP_LOCAL_OUT at priority NF_IP_PRIORITY_DNAT = -100, and Source NAT
+(masquerading) gets applied in NF_IP_POST_ROUTING at priority
+NF_IP_PRIORITY_SNAT = 100, .  Filtering is applied in NF_IP_LOCAL_IN,
+NF_IP_FORWARD and NF_IP_LOCAL_OUT at priority NF_IP_PRIORITY_FILTER = 0.
+
+
+Hook processing order would generally be:
+
        +PRE	IN	FWD	OUT	POST	PRIORITY MACRO         PRI
+=======.=======.=======.=======.=======.=================== = ====
+-500?  .       .       .       .       .NF_IP_PRI_IPSEC_IN  = -500 (?)
+-200   .       .       .-200   .       .NF_IP_PRI_CONNTRACK = -200
+-175? . . . . . . . . . . . . . . . . .	NF_IP_PRI_IPSEC_IN  = -175 (?)
+-150   .       .       .-150   .       .NF_IP_PRI_MANGLE    = -150
+-100   .       .       .-100   .       .NF_IP_PRI_NAT_DST   = -100
+. . . . . .0. . . .0. .	. .0. . . . . . NF_IP_PRI_FILTER    =    0
+       .       .       .       . 100   .NF_IP_PRI_NAT_SRC   =  100
+       .       .       .       . 500   .NF_IP_PRI_IPSEC_OUT =  500
+=======.=======.=======.=======.=======.=================== = ====
+
        
+
+Not all modules are present at each hook.  I am uncertain still if IPSEC_IN
+should be before or after CONNTRACK.  Any comments?
+
+
+
+* IPSec path description:
+
+Treat incoming IPSec encapsulation as a transport layer protocol and
+decapsulate it at the transport layer demultiplexer since it appears as a
+transport layer protocol from the bottom of the Internet Protocol network
+stack.  For outgoing, we treat IPSec as a network layer protocol since that is
+what IPSec appears to be from the top of the IP stack.
+
+An incoming packet starts off with a sanity check.  It then goes through all
+the NF_IP_PRE_ROUTING hooks starting with the SPDB checking.  It would have
+several possible targets: DROP; REJECT; ACCEPT; PEEK.  DROP, REJECT, ACCEPT
+are standard NetFilter targets.  It would DROP if it should have been
+encrypted.  REJECT is a special case of DROP where an ICMP is returned.  It
+would ACCEPT if it was an encrypted IPSec packet bound for this machine and no
+other policy was expected first, it had already been decrypted from expected
+SAs indicated by nfmarks or virtual IPSec device or there was policy to allow
+it through.  PEEK would let the KMd have a look at the packet to see if it
+needed to start thinking about opportunistic and then pass it on.  Since it is
+a fresh ESP or AH packet, it will not have any nfmarks or virtual IPSec device
+association and unless that outer IP header should have been processed by
+another SG in between, no policy will have been required, letting it through.
+
+The rest of the NF_IP_PRE_ROUTING hooks may cause it to be DNATed and
+defragmented.  It then goes through routing which thinks it is a local packet,
+deals with any outer header IP options, then defragmentation and
+NF_IP_LOCAL_IN filter (allow ESP,AH) before getting to ipsec_rcv() where the
+outer bundle is authenticated and decrypted and nfmarked or associated with a
+virtual IPSec device to indicate what decapsulation happenned before being
+passed back to netif_rx().  The next IP header is now visible.  The packet now
+gets re-injected at the beginning.  It goes through the incoming sanity check
+again, getting checked at NF_IP_PRE_ROUTING for policy using previously set
+nfmark or virtual IPSec device from decryption.  It may again be DNATed and
+defragmented.  Routing looks at the now-visible next IP header and routes it
+locally or via the forward hook.
+
+If it is a local packet, IP options and defragmentation are processed.
+NF_IP_LOCAL_IN then gets to check filtering policy for other transport layer
+protocols.  If it is the endpoint for nested bundles, it is sent back to
+netif_rx(), having exposed the next IP header.
+
+If it is not a local packet, routing has selected a route, potentially through
+an existing virtual IPSec device, one per connection, not per physical I/F.
+IP options and TTL are processed before being filtered at NF_IP_FORWARD,
+fragmented, then sent to NF_IP_POST_ROUTING.
+
+If it is a locally generated packet, it would go through normal filtering at
+NF_IP_LOCAL_OUT, then go through routing, then be sent to NF_IP_POST_ROUTING.
+
+At NF_IP_POST_ROUTING, the ipsec table would make a decision about the fate of
+the packet.  It would have several possible targets: ACCEPT; IPSEC SAList;
+DROP; REJECT; TRAP; HOLD.  ACCEPT would allow the packet through with no
+processing.  IPSEC would return NF_STOLEN, stealing the packet and applying
+the policy specified by its parameter of an SA list.  If the SA(s) do(es)n't
+exist(s) or if the TRAP target was specified, it would send up an ACQUIRE to
+all listening key management daemons via PF_KEYv2 and put in a HOLD that would
+keep only the last packet that matched for that HOLD, waiting for the
+appropriate SA(s).  If or once the SA(s) is/are available, it then IPSec
+processes the packet, then re-injects the packet at NF_IP_LOCAL_OUT (since the
+packet now appears to originate from this host) and sets nfmark or associates
+it with a virtual IPSec device to indicate what processing happenned.  The
+packet would then be routed and sent back to NF_IP_POST_ROUTING.  If the IPSec
+remote security gateway is not different upon policy lookup, the ipsec table
+would ACCEPT it.  DROP would drop the packet if previous attempts to do
+opportunistic encryption failed and the default policy was to block non-IPSec
+packets.  REJECT would be almost the same as DROP, except that it returns
+ICMPs.  ACCEPT, DROP, REJECT are standard NetFilter targets.
+
+A packet routed through an optional IPSec virtual I/F simply gets assigned a
+specific source address, and has the nfmark/SA list preloaded.
+
+
+
+* Other issues:
+
+The way that nfmark is used is rather vague.  It is presently only 32 bits.
+Ideally, I would like to be able to indicate exactly which SAs were processed
+on the way in, which would most easily be represented by as many as 4 SAs (AH,
+ESP, IPCOMP, IPIP), each having an 8 bit protocol field (absolute minimum of
+2-bits), 32-bit destination address field (for IPv4, IPv6 would be 128) and a
+32-bit SPI.  This is a potential maximum of 672 bits.  A way of mapping 672
+bits on to the 32 bits available would be required to use this.  A lookup
+table could be used to map nfmarks to SAIDs, not the SAs themselves, since the
+SAs could disappear at any time the SADB is not locked.  It should be
+able to represent a bundle of SAs where one SA could be used in more than one
+bundle.  There could also be more than one right answer for the incoming SPDB.
+I have an idea how to accomplish this by changing/extending nfmark by
+converting it to a list of nfmark structures that contain a pointer to the
+next item on the list, a cookie for the specific netfilter function that owns
+the data and a pointer to a data structure.
+
+nfmark may not be the right tool for this.  Another possible solution is to
+add a member to the struct sk_buff to point to this information.  This has the
+benefit of not depending on anyone else, but the drawback of needing to patch
+a header file *and recompiling the entire kernel*.  There is also the
+possibility of using the NetFilter Connection Tracking facility.
+
+The SADB would be managed via the PF_KEYv2 socket I/F.
+
+The SPDB would be managed via a combination of PF_KEYv2 socket I/F extensions
+and iptables.  A separate NetFilter table called 'ipsec' (as opposed to
+'filter', 'nat' or 'mangle') would have the first hook at NF_IP_PRE_ROUTING
+and the last hook at NF_IP_POST_ROUTING.  iptables(8) currently uses
+get/set_sockopt(2) system calles, but there is discussion of having it
+converted to use the AF_NETLINK socket family.  Having it use a PF_POLICY
+interface that was interoperable with multiple platforms would be a big win.
+
+For matches, we have source/destination address/mask/port, userid (owner) and
+security label.  source/destination address/mask/port and userid are already
+supplied by iptables.  We only need to supply security label, if we even think
+we need it.
+
+
+For targets, how do we do this?  SPDB with policies, or name specific SAs, SA
+chains or SA lists or even virtual IPSec devices.  Currently, we name specific
+SAs which are chained exclusively together.
+ 
+We could have a target iptables library and kernel module that has a target of
+IPSEC which:
+	1. names a specific SA/chain which are unsharable
+	2. lists SAs to apply which are sharable
+	3. names a specific virtual IPSec device which implies a list of SAs
+	4. spec's req'd policy, ie.: cipher, hash, shared?, remote gw
+		(pfs should not be and option)
+ 
+I am favouring option number 2.  Option number 3 would map to number 2 in the
+SPDB.
+ 
+SAs would still be stored in a SADB hash table.  The prev and next fields of
+struct ipsec_sa would be removed if SAs were no longer chained, but were
+listed in lists, either from a direct list, virtual IPSec device or from an
+SPDB.
+
+
+We could use one table for ipsec matching or maybe use one table for each of
+ipsec_in and ipsec_out.  It would have to use a table separate from filter,
+nat or mangle since we need an input NF_IP_PREROUTE priority of less than -200
+(CONNTRACK) and an output NF_IP_POST_ROUTING priority of more than 200
+(CONNTRACK?).  I suggest NF_IP_PRIORITY_IPSEC_IN = -500 and
+NF_IP_PRIORITY_IPSEC_OUT = 500.
+
diff -bruN freeswan-1.9.orig/klips/doc/modes.html freeswan-1.9/klips/doc/modes.html
--- freeswan-1.9.orig/klips/doc/modes.html	Tue Apr  6 00:54:23 1999
+++ freeswan-1.9/klips/doc/modes.html	Mon Jun  4 12:54:57 2001
@@ -1,6 +1,6 @@
 
+    RCSID $Id: modes.html,v 1.9 2001/04/19 18:54:53 rgb Exp $
+-->
 
 
   
@@ -925,8 +925,11 @@
 
 
+-->
diff -bruN freeswan-1.9.orig/klips/net/ipsec/Config.in freeswan-1.9/klips/net/ipsec/Config.in
--- freeswan-1.9.orig/klips/net/ipsec/Config.in	Fri Sep 15 07:37:00 2000
+++ freeswan-1.9/klips/net/ipsec/Config.in	Mon Jun  4 11:34:31 2001
@@ -27,6 +27,7 @@
 bool '   IPSEC: Encapsulating Security Payload' CONFIG_IPSEC_ESP
 if [ "$CONFIG_IPSEC_ESP" = "y" ]; then
   bool '      3DES encryption algorithm' CONFIG_IPSEC_ENC_3DES
+  bool '      DES encryption algorithm' CONFIG_IPSEC_ENC_DES
 fi
 
 bool '   IPSEC: IP Compression' CONFIG_IPSEC_IPCOMP
diff -bruN freeswan-1.9.orig/klips/net/ipsec/Makefile freeswan-1.9/klips/net/ipsec/Makefile
--- freeswan-1.9.orig/klips/net/ipsec/Makefile	Mon Jan 29 17:19:06 2001
+++ freeswan-1.9/klips/net/ipsec/Makefile	Tue Jun 12 15:56:33 2001
@@ -54,6 +54,7 @@
 EXTRA_CFLAGS += -Wbad-function-cast 
 
 obj-$(CONFIG_IPSEC_ENC_3DES) += libdes/libdes.a
+obj-$(CONFIG_IPSEC_ENC_DES) += libdes/libdes.a
 obj-$(CONFIG_IPSEC_AUTH_HMAC_MD5) += ipsec_md5c.o
 obj-$(CONFIG_IPSEC_AUTH_HMAC_SHA1) += ipsec_sha1.o
 obj-$(CONFIG_IPSEC_IPCOMP) += ipcomp.o zlib/zlib.a
diff -bruN freeswan-1.9.orig/klips/net/ipsec/defconfig freeswan-1.9/klips/net/ipsec/defconfig
--- freeswan-1.9.orig/klips/net/ipsec/defconfig	Thu Nov 30 12:26:56 2000
+++ freeswan-1.9/klips/net/ipsec/defconfig	Mon Jun  4 11:34:31 2001
@@ -43,6 +43,7 @@
 
 # Encryption algorithm(s):
 CONFIG_IPSEC_ENC_3DES=y
+CONFIG_IPSEC_ENC_DES=y
 
 # IP Compression: new, probably still has minor bugs.
 CONFIG_IPSEC_IPCOMP=y
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipcomp.c freeswan-1.9/klips/net/ipsec/ipcomp.c
--- freeswan-1.9.orig/klips/net/ipsec/ipcomp.c	Mon Jan 29 17:19:22 2001
+++ freeswan-1.9/klips/net/ipsec/ipcomp.c	Mon Jun  4 11:34:31 2001
@@ -14,7 +14,7 @@
  * for more details.
  */
 
-char ipcomp_c_version[] = "RCSID $Id: ipcomp.c,v 1.20 2001/01/29 22:19:22 rgb Exp $";
+char ipcomp_c_version[] = "RCSID $Id: ipcomp.c,v 1.22 2001/05/05 03:31:41 rgb Exp $";
 
 /* SSS */
 
@@ -136,7 +136,7 @@
 	}
 	
 	/* Don't compress packets already fragmented */
-	if (ntohs(iph->frag_off) & ~0x4000) {
+	if (iph->frag_off & __constant_htons(IP_MF | IP_OFFSET)) {
 		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
 			    "klips_debug:skb_compress: "
 			    "skipping compression of fragmented packet.\n");
@@ -707,7 +707,9 @@
 		n->mac.raw=skb->mac.raw+offset;
 	else
 		n->mac.raw=NULL;
+#ifndef NETDEV_23
         n->used=skb->used;
+#endif /* !NETDEV_23 */
         n->pkt_type=skb->pkt_type;
 #ifndef NETDEV_23
 	n->pkt_bridged=skb->pkt_bridged;
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipsec_encap.h freeswan-1.9/klips/net/ipsec/ipsec_encap.h
--- freeswan-1.9.orig/klips/net/ipsec/ipsec_encap.h	Fri Sep  8 15:12:56 2000
+++ freeswan-1.9/klips/net/ipsec/ipsec_encap.h	Mon Jun  4 12:54:13 2001
@@ -13,18 +13,27 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ipsec_encap.h,v 1.11 2000/09/08 19:12:56 rgb Exp $
+ * RCSID $Id: ipsec_encap.h,v 1.12 2001/05/27 06:12:10 rgb Exp $
  */
 
 #define SENT_IP4	0x0008		/* data is two struct in_addr */
+			/* (2 * sizeof(struct in_addr)) */
+			/* sizeof(struct sockaddr_encap)
+			   - offsetof(struct sockaddr_encap, Sen.Sip4.Src) */
 
 #define SEN_HDRLEN	(2*sizeof(__u8)+sizeof(__u16))
+			/* offsetof(struct sockaddr_encap, Sen.Sip4.Src) */
 
 #define SEN_IP4_SRCOFF	(0)
 #define SEN_IP4_DSTOFF (sizeof (struct in_addr))
+			/* offsetof(struct sockaddr_encap, Sen.Sip4.Dst)
+			   - offsetof(struct sockaddr_encap, Sen.Sip4.Src) */
 #define SEN_IP4_OPTOFF	(2 * sizeof (struct in_addr))
+			/* sizeof(struct sockaddr_encap)
+			   - offsetof(struct sockaddr_encap, Sen.Sip4.Src) */
 
 #define SEN_IP4_LEN	(SENT_HDRLEN + SENT_IP4_OPTOFF)
+			/* sizeof(struct sockaddr_encap) */
 
 #ifdef CONFIG_IPSEC_DEBUG
 #define DB_ER_PROCFS	0x0001
@@ -79,11 +88,13 @@
  * radix tree entry and a SAID (a destination_address/SPI/protocol triple).
  */
 
-struct
-eroute
+struct eroute
 {
 	struct rjtentry er_rjt;
 	struct sa_id er_said;
+	uint32_t er_pid;
+	uint32_t er_count;
+	uint64_t er_lasttime;
 	struct sockaddr_encap er_eaddr;
 	struct sockaddr_encap er_emask;
 };
@@ -106,6 +117,10 @@
 
 /*
  * $Log: ipsec_encap.h,v $
+ * Revision 1.12  2001/05/27 06:12:10  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
  * Revision 1.11  2000/09/08 19:12:56  rgb
  * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
  *
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipsec_esp.h freeswan-1.9/klips/net/ipsec/ipsec_esp.h
--- freeswan-1.9.orig/klips/net/ipsec/ipsec_esp.h	Fri Sep  8 15:12:56 2000
+++ freeswan-1.9/klips/net/ipsec/ipsec_esp.h	Tue Jun 12 15:21:15 2001
@@ -40,6 +40,27 @@
 #define DB_ES_OH	0x0400
 #define DB_ES_REPLAY	0x0800
 
+struct espdesold_xdata
+{
+       int     edx_ivlen;              /* 4 or 8 */
+       union
+       {
+               __u8    Iv[8];          /* that's enough space */
+               __u32   Ivl[2];
+               __u64   Ivq;
+       }Iu;
+#define edx_iv Iu.Iv
+#define edx_ivl Iu.Ivl
+#define edx_ivq Iu.Ivq
+       union
+       {
+               __u8 Rk[8];
+               __u32 Eks[16][2];
+       }Xu;
+#define edx_rk Xu.Rk
+#define edx_eks        Xu.Eks
+};
+
 struct espblkrply_edata
 {
 	__u16	eme_klen;		/* encryption key length */
@@ -64,6 +85,19 @@
 };
 
 #ifdef __KERNEL__
+struct espdesmd5_xdata
+{
+       __u8    edmx_flags;             /* same as before */
+       __u8    edmx_ooowin;            /* out-of-order window size */
+       __u16   edmx_ivlen;             /* IV length */
+       __u32   edmx_bitmap;            /* this&next should be 4 bytes each */
+       __u32   edmx_lastseq;           /* in host order */
+       __u32   edmx_eks[16][2];        /* the key schedule */
+       __u32   edmx_iv[2];             /* constant IV */
+       MD5_CTX edmx_ictx;              /* derived from HMAC_key */
+       MD5_CTX edmx_octx;              /* ditto */
+};
+
 struct esp3desmd5_xdata
 {
 	__u8	edmx_flags;		/* same as before */
@@ -89,6 +123,19 @@
 	MD5_CTX edmx_octx;		/* ditto */
 };
 
+struct espdessha1_xdata
+{
+       __u8    edmx_flags;             /* same as before */
+       __u8    edmx_ooowin;            /* out-of-order window size */
+       __u16   edmx_ivlen;             /* IV length */
+       __u32   edmx_bitmap;            /* this&next should be 4 bytes each */
+       __u32   edmx_lastseq;           /* in host order */
+       __u32   edmx_eks[16][2];        /* the key schedule */
+       __u32   edmx_iv[2];             /* constant IV */
+       SHA1_CTX edmx_ictx;             /* derived from HMAC_key */
+       SHA1_CTX edmx_octx;             /* ditto */
+};
+
 struct esp3dessha1_xdata
 {
 	__u8	edmx_flags;		/* same as before */
@@ -114,6 +161,17 @@
 	SHA1_CTX edmx_octx;		/* ditto */
 };
 
+struct espdes_xdata
+{
+       __u8    edmx_flags;             /* same as before */
+       __u8    edmx_ooowin;            /* out-of-order window size */
+       __u16   edmx_ivlen;             /* IV length */
+       __u32   edmx_bitmap;            /* this&next should be 4 bytes each */
+       __u32   edmx_lastseq;           /* in host order */
+       __u32   edmx_eks[16][2];        /* the key schedule */
+       __u32   edmx_iv[2];             /* constant IV */
+};
+
 struct esp3des_xdata
 {
 	__u8	edmx_flags;		/* same as before */
@@ -165,9 +223,6 @@
  * $Log: ipsec_esp.h,v $
  * Revision 1.13  2000/09/08 19:12:56  rgb
  * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
- *
- * Revision 1.12  2000/08/01 14:51:50  rgb
- * Removed _all_ remaining traces of DES.
  *
  * Revision 1.11  2000/01/10 16:36:20  rgb
  * Ditch last of EME option flags, including initiator.
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipsec_init.c freeswan-1.9/klips/net/ipsec/ipsec_init.c
--- freeswan-1.9.orig/klips/net/ipsec/ipsec_init.c	Mon Feb 26 19:50:59 2001
+++ freeswan-1.9/klips/net/ipsec/ipsec_init.c	Mon Jun  4 12:54:13 2001
@@ -14,7 +14,7 @@
  * for more details.
  */
 
-char ipsec_init_c_version[] = "RCSID $Id: ipsec_init.c,v 1.63.2.1 2001/02/27 00:50:59 henry Exp $";
+char ipsec_init_c_version[] = "RCSID $Id: ipsec_init.c,v 1.68 2001/05/29 05:14:36 rgb Exp $";
 
 #include 
 #include 
@@ -100,9 +100,12 @@
 #endif /* CONFIG_IPSEC_DEBUG */
 
 	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
-		    "klips_debug:ipsec_eroute_get_info: buffer=0x%p,"
-		    " *start=0x%x, offset=%d, length=%d\n",
-		    buffer, (u_int)*start, (int)offset, length);
+		    "klips_debug:ipsec_eroute_get_info: "
+		    "buffer=0x%p, *start=0x%x, offset=%d, length=%d\n",
+		    buffer,
+		    (u_int)*start,
+		    (int)offset,
+		    length);
 
 	spin_lock_bh(&eroute_lock);
 
@@ -140,16 +143,19 @@
 	size_t sa_len;
 
 	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
-		    "klips_debug:ipsec_spi_get_info: buffer=0x%p,"
-		    "*start=0x%x, offset=%d, length=%d\n",
-		    buffer, (u_int)*start, (int)offset, length);
+		    "klips_debug:ipsec_spi_get_info: "
+		    "buffer=0x%p, *start=0x%x, offset=%d, length=%d\n",
+		    buffer,
+		    (u_int)*start,
+		    (int)offset,
+		    length);
 	
 	spin_lock_bh(&tdb_lock);
 	
 	for (i = 0; i < TDB_HASHMOD; i++) {
 		for (tdbp = tdbh[i]; tdbp; tdbp = tdbp->tdb_hnext) {
 			sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
-			len += sprintf(buffer + len, "%s ", sa);
+			len += sprintf(buffer + len, "%s ", sa_len ? sa : " (error)");
 			len += sprintf(buffer + len, "%s%s%s", TDB_XFORM_NAME(tdbp));
 			len += sprintf(buffer + len, ": dir=%s",
 				       (tdbp->tdb_flags & EMT_INBOUND) ?
@@ -381,9 +387,12 @@
 	size_t sa_len;
 
 	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
-		    "klips_debug:ipsec_spigrp_get_info: buffer=0x%p,"
-		    " *start=0x%x, offset=%d, length=%d\n",
-		    buffer, (u_int)*start, (int)offset, length);
+		    "klips_debug:ipsec_spigrp_get_info: "
+		    "buffer=0x%p, *start=0x%x, offset=%d, length=%d\n",
+		    buffer,
+		    (u_int)*start,
+		    (int)offset,
+		    length);
 
 	spin_lock_bh(&tdb_lock);
 	
@@ -396,7 +405,7 @@
 				while(tdbp2) {
 					sa_len = satoa(tdbp2->tdb_said, 0, sa, SATOA_BUF);
 					len += sprintf(buffer + len, "%s ",
-						       sa);
+						       sa_len ? sa : " (error)");
 					tdbp2 = tdbp2->tdb_onext;
 				}
 				len += sprintf(buffer + len, "\n");
@@ -440,9 +449,12 @@
 	struct ipsecpriv *priv;
 
 	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
-		    "klips_debug:ipsec_tncfg_get_info: buffer=0x%p,"
-		    "*start=0x%x, offset=%d, length=%d\n",
-		    buffer, (u_int)*start, (int)offset, length);
+		    "klips_debug:ipsec_tncfg_get_info: "
+		    "buffer=0x%p, *start=0x%x, offset=%d, length=%d\n",
+		    buffer,
+		    (u_int)*start,
+		    (int)offset,
+		    length);
 
 	for(i = 0; i < IPSEC_NUM_IF; i++) {
 		sprintf(name, "ipsec%d", i);
@@ -455,8 +467,10 @@
 				privdev = (struct device *)(priv->dev);
 				len += sprintf(buffer + len, " -> %s",
 					       privdev ? privdev->name : "NULL");
-				len += sprintf(buffer + len, " mtu=%d -> %d",
-					       /* priv */ dev->mtu, privdev ? privdev->mtu : 0);
+				len += sprintf(buffer + len, " mtu=%d(%d) -> %d",
+					       dev->mtu,
+					       priv->mtu,
+					       privdev ? privdev->mtu : 0);
 			} else {
 				KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
 					    "klips_debug:ipsec_tncfg_get_info: device '%s' has no private data space!\n",
@@ -497,7 +511,10 @@
 	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
 		    "klips_debug:ipsec_version_get_info: "
 		    "buffer=0x%p, *start=0x%x, offset=%d, length=%d\n",
-		    buffer, (u_int)*start, (int)offset, length);
+		    buffer,
+		    (u_int)*start,
+		    (int)offset,
+		    length);
 
 	len += sprintf(buffer + len, "FreeS/WAN version: %s\n", freeswan_version);
 #if 0
@@ -541,9 +558,12 @@
 	off_t begin = 0;
 
 	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
-		    "klips_debug:ipsec_klipsdebug_get_info: buffer=0x%p,"
-		    "*start=0x%x, offset=%d, length=%d\n",
-		    buffer, (u_int)*start, (int)offset, length);
+		    "klips_debug:ipsec_klipsdebug_get_info: "
+		    "buffer=0x%p, *start=0x%x, offset=%d, length=%d\n",
+		    buffer,
+		    (u_int)*start,
+		    (int)offset,
+		    length);
 
 	len += sprintf(buffer + len, "debug_tunnel=%08x.\n", debug_tunnel);
 	len += sprintf(buffer + len, "debug_netlink=%08x.\n", debug_netlink);
@@ -655,22 +675,22 @@
 #ifdef CONFIG_PROC_FS
 #  ifndef PROC_FS_2325
 #    ifdef PROC_FS_21
-	proc_register(proc_net, &ipsec_eroute);
-	proc_register(proc_net, &ipsec_spi);
-	proc_register(proc_net, &ipsec_spigrp);
-	proc_register(proc_net, &ipsec_tncfg);
-	proc_register(proc_net, &ipsec_version);
+	error |= proc_register(proc_net, &ipsec_eroute);
+	error |= proc_register(proc_net, &ipsec_spi);
+	error |= proc_register(proc_net, &ipsec_spigrp);
+	error |= proc_register(proc_net, &ipsec_tncfg);
+	error |= proc_register(proc_net, &ipsec_version);
 #      ifdef CONFIG_IPSEC_DEBUG
-	proc_register(proc_net, &ipsec_klipsdebug);
+	error |= proc_register(proc_net, &ipsec_klipsdebug);
 #      endif /* CONFIG_IPSEC_DEBUG */
 #    else /* PROC_FS_21 */
-	proc_register_dynamic(&proc_net, &ipsec_eroute);
-	proc_register_dynamic(&proc_net, &ipsec_spi);
-	proc_register_dynamic(&proc_net, &ipsec_spigrp);
-	proc_register_dynamic(&proc_net, &ipsec_tncfg);
-	proc_register_dynamic(&proc_net, &ipsec_version);
+	error |= proc_register_dynamic(&proc_net, &ipsec_eroute);
+	error |= proc_register_dynamic(&proc_net, &ipsec_spi);
+	error |= proc_register_dynamic(&proc_net, &ipsec_spigrp);
+	error |= proc_register_dynamic(&proc_net, &ipsec_tncfg);
+	error |= proc_register_dynamic(&proc_net, &ipsec_version);
 #      ifdef CONFIG_IPSEC_DEBUG
-	proc_register_dynamic(&proc_net, &ipsec_klipsdebug);
+	error |= proc_register_dynamic(&proc_net, &ipsec_klipsdebug);
 #      endif /* CONFIG_IPSEC_DEBUG */
 #    endif /* PROC_FS_21 */
 #  else /* !PROC_FS_2325 */
@@ -685,7 +705,8 @@
 #  endif /* !PROC_FS_2325 */
 #endif          /* CONFIG_PROC_FS */
 
-	printk("IPsec: KLIPS startup, FreeS/WAN version: %s\n",
+	printk("klips_debug:ipsec_init: "
+	       "KLIPS startup, FreeS/WAN IPSec version: %s\n",
 	       freeswan_version);
 
 #ifndef SPINLOCK
@@ -698,7 +719,7 @@
 
 	error |= pfkey_init();
 
-	register_netdevice_notifier(&ipsec_dev_notifier);
+	error |= register_netdevice_notifier(&ipsec_dev_notifier);
 
 #ifdef CONFIG_IPSEC_ESP
 	inet_add_protocol(&esp_protocol);
@@ -733,53 +754,66 @@
         ipsec_sysctl_unregister();
 #endif                                                                          
 	KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
-		    "klips_debug:ipsec_cleanup: calling ipsec_tunnel_cleanup_devices.\n");
+		    "klips_debug:ipsec_cleanup: "
+		    "calling ipsec_tunnel_cleanup_devices.\n");
 	error |= ipsec_tunnel_cleanup_devices();
 
 #if 0
 #ifdef CONFIG_IPSEC_IPCOMP
   if (inet_del_protocol(&comp_protocol) < 0)
-    printk(KERN_INFO "klips_debug:ipsec_cleanup:comp close: can't remove protocol\n");
+		printk(KERN_INFO "klips_debug:ipsec_cleanup: "
+		       "comp close: can't remove protocol\n");
 #endif
 #endif
 #ifdef CONFIG_IPSEC_AH
-	if ( inet_del_protocol(&ah_protocol) < 0 )
-		printk(KERN_INFO "klips_debug:ipsec_cleanup:ah close: can't remove protocol\n");
+	if (inet_del_protocol(&ah_protocol) < 0)
+		printk(KERN_INFO "klips_debug:ipsec_cleanup: "
+		       "ah close: can't remove protocol\n");
 #endif /* CONFIG_IPSEC_AH */
 #ifdef CONFIG_IPSEC_ESP
-	if ( inet_del_protocol(&esp_protocol) < 0 )
-		printk(KERN_INFO "klips_debug:ipsec_cleanup:esp close: can't remove protocol\n");
+	if (inet_del_protocol(&esp_protocol) < 0)
+		printk(KERN_INFO "klips_debug:ipsec_cleanup: "
+		       "esp close: can't remove protocol\n");
 #endif /* CONFIG_IPSEC_ESP */
 
-	unregister_netdevice_notifier(&ipsec_dev_notifier);
+	error |= unregister_netdevice_notifier(&ipsec_dev_notifier);
 
 	KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
-		    "klips_debug:ipsec_cleanup: calling ipsec_tdbcleanup.\n");
+		    "klips_debug:ipsec_cleanup: "
+		    "calling ipsec_tdbcleanup.\n");
 	error |= ipsec_tdbcleanup(0);
 	KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
-		    "klips_debug:ipsec_cleanup: calling ipsec_radijcleanup.\n");
+		    "klips_debug:ipsec_cleanup: "
+		    "calling ipsec_radijcleanup.\n");
 	error |= ipsec_radijcleanup();
 	
 	KLIPS_PRINT(debug_pfkey, /* debug_tunnel & DB_TN_INIT, */
-		    "klips_debug:ipsec_cleanup: calling pfkey_cleanup.\n");
+		    "klips_debug:ipsec_cleanup: "
+		    "calling pfkey_cleanup.\n");
 	error |= pfkey_cleanup();
 
 #ifdef CONFIG_PROC_FS
 #  ifndef PROC_FS_2325
 #    ifdef CONFIG_IPSEC_DEBUG
 	if (proc_net_unregister(ipsec_klipsdebug.low_ino) != 0)
-		printk("klips_debug:ipsec_cleanup: cannot unregister /proc/net/ipsec_klipsdebug\n");
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_klipsdebug\n");
 #    endif /* CONFIG_IPSEC_DEBUG */
 	if (proc_net_unregister(ipsec_version.low_ino) != 0)
-		printk("klips_debug:ipsec_cleanup: cannot unregister /proc/net/ipsec_version\n");
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_version\n");
 	if (proc_net_unregister(ipsec_eroute.low_ino) != 0)
-		printk("klips_debug:ipsec_cleanup: cannot unregister /proc/net/ipsec_eroute\n");
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_eroute\n");
 	if (proc_net_unregister(ipsec_spi.low_ino) != 0)
-		printk("klips_debug:ipsec_cleanup: cannot unregister /proc/net/ipsec_spi\n");
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_spi\n");
 	if (proc_net_unregister(ipsec_spigrp.low_ino) != 0)
-		printk("klips_debug:ipsec_cleanup: cannot unregister /proc/net/ipsec_spigrp\n");
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_spigrp\n");
 	if (proc_net_unregister(ipsec_tncfg.low_ino) != 0)
-		printk("klips_debug:ipsec_cleanup: cannot unregister /proc/net/ipsec_tncfg\n");
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_tncfg\n");
 #  else /* !PROC_FS_2325 */
 #    ifdef CONFIG_IPSEC_DEBUG
 	proc_net_remove ("ipsec_klipsdebug");
@@ -812,11 +846,13 @@
 	int error = 0;
 
 	KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
-		    "klips_debug:cleanup_module: calling ipsec_cleanup.\n");
+		    "klips_debug:cleanup_module: "
+		    "calling ipsec_cleanup.\n");
 
 	error |= ipsec_cleanup();
 
-	KLIPS_PRINT(1, "klips_debug:cleanup_module: ipsec module unloaded.\n");
+	KLIPS_PRINT(1, "klips_debug:cleanup_module: "
+		    "ipsec module unloaded.\n");
 
 	return error;
 }
@@ -824,8 +860,21 @@
 
 /*
  * $Log: ipsec_init.c,v $
- * Revision 1.63.2.1  2001/02/27 00:50:59  henry
- * message improvements
+ * Revision 1.68  2001/05/29 05:14:36  rgb
+ * Added PMTU to /proc/net/ipsec_tncfg output.  See 'man 5 ipsec_tncfg'.
+ *
+ * Revision 1.67  2001/05/04 16:34:52  rgb
+ * Rremove erroneous checking of return codes for proc_net_* in 2.4.
+ *
+ * Revision 1.66  2001/05/03 19:40:34  rgb
+ * Check error return codes in startup and shutdown.
+ *
+ * Revision 1.65  2001/02/28 05:03:27  rgb
+ * Clean up and rationalise startup messages.
+ *
+ * Revision 1.64  2001/02/27 22:24:53  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
  *
  * Revision 1.63  2000/11/29 20:14:06  rgb
  * Add src= to the output of /proc/net/ipsec_spi and delete dst from IPIP.
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipsec_netlink.c freeswan-1.9/klips/net/ipsec/ipsec_netlink.c
--- freeswan-1.9.orig/klips/net/ipsec/ipsec_netlink.c	Sun Nov  5 23:32:08 2000
+++ freeswan-1.9/klips/net/ipsec/ipsec_netlink.c	Mon Jun  4 11:34:31 2001
@@ -14,7 +14,7 @@
  * for more details.
  */
 
-char ipsec_netlink_c_version[] = "RCSID $Id: ipsec_netlink.c,v 1.47 2000/11/06 04:32:08 rgb Exp $";
+char ipsec_netlink_c_version[] = "RCSID $Id: ipsec_netlink.c,v 1.48 2001/02/27 22:24:54 rgb Exp $";
 
 #include 
 #include 
@@ -93,23 +93,31 @@
 #ifdef CONFIG_IPSEC_DEBUG
 	struct eroute *eret;
 	char sa[SATOA_BUF];
+	size_t sa_len;
 
 
-	satoa(em->em_said, 0, sa, SATOA_BUF);
+	sa_len = satoa(em->em_said, 0, sa, SATOA_BUF);
 
 	if(debug_netlink) {
-		printk("klips_debug:ipsec_callback: skb=0x%p skblen=%ld em_magic=%d em_type=%d\n",
-		       skb, (unsigned long int)skb->len, em->em_magic, em->em_type);
+		printk("klips_debug:ipsec_callback: "
+		       "skb=0x%p skblen=%ld em_magic=%d em_type=%d\n",
+		       skb,
+		       (unsigned long int)skb->len,
+		       em->em_magic,
+		       em->em_type);
 		switch(em->em_type) {
 		case EMT_SETDEBUG:
-			printk("klips_debug:ipsec_callback: set ipsec_debug level\n");
+			printk("klips_debug:ipsec_callback: "
+			       "set ipsec_debug level\n");
 			break;
 		case EMT_DELEROUTE:
 		case EMT_CLREROUTE:
 		case EMT_CLRSPIS:
 			break;
 		default:
-			printk("klips_debug:ipsec_callback: called for SA:%s\n", sa);
+			printk("klips_debug:ipsec_callback: "
+			       "called for SA:%s\n",
+			       sa_len ? sa : " (error)");
 		}
 	}
 #endif /* CONFIG_IPSEC_DEBUG */
@@ -120,7 +128,8 @@
 
 	/*	em = (struct encap_msghdr *)dat; */
 	if (em->em_magic != EM_MAGIC) {
-		printk("klips_debug:ipsec_callback: bad magic=%d failed, should be %d\n",
+		printk("klips_debug:ipsec_callback: "
+		       "bad magic=%d failed, should be %d\n",
 		       em->em_magic,
 		       EM_MAGIC);
 		SENDERR(EINVAL);
@@ -157,7 +166,8 @@
 			debug_pfkey   &= em->em_db_ky;
 		}
 #else /* CONFIG_IPSEC_DEBUG */
-		printk("klips_debug:ipsec_callback: debugging not enabled\n");
+		printk("klips_debug:ipsec_callback: "
+		       "debugging not enabled\n");
 		SENDERR(EINVAL);
 #endif /* CONFIG_IPSEC_DEBUG */
 		break;
@@ -205,22 +215,26 @@
 				tdbp->tdb_flags |= EMT_INBOUND;
 			}
 			KLIPS_PRINT(debug_netlink & DB_NL_TDBCB,
-				    "klips_debug:ipsec_callback: existing Tunnel Descriptor Block not found (this\n"
-				    "klips_debug:                is good) for SA: %s, %s-bound, allocating.\n",
-				    sa, (tdbp->tdb_flags & EMT_INBOUND) ? "in" : "out");
+				    "klips_debug:ipsec_callback: "
+				    "existing Tunnel Descriptor Block not found (this is good) for SA: %s, %s-bound, allocating.\n",
+				    sa_len ? sa : " (error)",
+				    (tdbp->tdb_flags & EMT_INBOUND) ? "in" : "out");
 
 /* XXX  		tdbp->tdb_rcvif = &(enc_softc[em->em_if].enc_if);*/
 			tdbp->tdb_rcvif = NULL;
 		} else {
 			KLIPS_PRINT(debug_netlink & DB_NL_TDBCB,
-				    "klips_debug:ipsec_callback: EMT_SETSPI found an old Tunnel Descriptor Block\n"
-				    "klips_debug:                for SA: %s, delete it first.\n", sa);
+				    "klips_debug:ipsec_callback: "
+				    "EMT_SETSPI found an old Tunnel Descriptor Block for SA: %s, delete it first.\n",
+				    sa_len ? sa : " (error)");
 			SENDERR(EEXIST);
 		}
 		
 		if ((error = tdb_init(tdbp, em))) {
 			KLIPS_PRINT(debug_netlink & DB_NL_TDBCB,
-				    "klips_debug:ipsec_callback: EMT_SETSPI not successful for SA: %s, deleting.\n", sa);
+				    "klips_debug:ipsec_callback: "
+				    "EMT_SETSPI not successful for SA: %s, deleting.\n",
+				    sa_len ? sa : " (error)");
 			ipsec_tdbwipe(tdbp);
 			
 			SENDERR(-error);
@@ -234,7 +248,9 @@
 
 		puttdb(tdbp);
 		KLIPS_PRINT(debug_netlink & DB_NL_TDBCB,
-			    "klips_debug:ipsec_callback: EMT_SETSPI successful for SA: %s\n", sa);
+			    "klips_debug:ipsec_callback: "
+			    "EMT_SETSPI successful for SA: %s\n",
+			    sa_len ? sa : " (error)");
 		break;
 		
 	case EMT_DELSPI:
@@ -247,8 +263,8 @@
 		if (tdbp == NULL) {
 			KLIPS_PRINT(debug_netlink & DB_NL_TDBCB,
 				    "klips_debug:ipsec_callback: "
-				    "EMT_DELSPI Tunnel Descriptor Block not found for SA:\n"
-				    "klips_debug:                %s, could not delete.\n", sa);
+				    "EMT_DELSPI Tunnel Descriptor Block not found for SA%s, could not delete.\n",
+				    sa_len ? sa : " (error)");
 			spin_unlock_bh(&tdb_lock);
 			SENDERR(ENXIO);  /* XXX -- wrong error message... */
 		} else {
@@ -264,7 +280,8 @@
 	case EMT_GRPSPIS:
 		nspis = (len - EMT_GRPSPIS_FLEN) / sizeof(em->em_rel[0]);
 		if ((nspis * (sizeof(em->em_rel[0]))) != (len - EMT_GRPSPIS_FLEN)) {
-			printk("klips_debug:ipsec_callback: EMT_GRPSPI message size incorrect, expected nspis(%d)*%d, got %d.\n",
+			printk("klips_debug:ipsec_callback: "
+			       "EMT_GRPSPI message size incorrect, expected nspis(%d)*%d, got %d.\n",
 			       nspis,
 			       sizeof(em->em_rel[0]),
 			       (len - EMT_GRPSPIS_FLEN));
@@ -276,21 +293,23 @@
 
 		for (i = 0; i < nspis; i++) {
 			KLIPS_PRINT(debug_netlink,
-				    "klips_debug:ipsec_callback: EMT_GRPSPI for SA(%d)\n"
-				    "klips_debug:                %s,\n", i, sa);
+				    "klips_debug:ipsec_callback: "
+				    "EMT_GRPSPI for SA(%d) %s,\n",
+				    i,
+				    sa_len ? sa : " (error)");
 			if ((tdbp = gettdb(&(em->em_rel[i].emr_said))) == NULL) {
 				KLIPS_PRINT(debug_netlink,
 					    "klips_debug:ipsec_callback: "
-					    "EMT_GRPSPI Tunnel Descriptor Block not found for SA:\n"
-					    "klips_debug:                %s, could not group.\n", sa);
+					    "EMT_GRPSPI Tunnel Descriptor Block not found for SA%s, could not group.\n",
+					    sa_len ? sa : " (error)");
 				spin_unlock_bh(&tdb_lock);
 				SENDERR(ENXIO);
 			} else {
 				if(tdbp->tdb_inext || tdbp->tdb_onext) {
 					KLIPS_PRINT(debug_netlink,
 						    "klips_debug:ipsec_callback: "
-						    "EMT_GRPSPI Tunnel Descriptor Block already grouped\n"
-						    "klips_debug:                for SA: %s, can't regroup.\n", sa);
+						    "EMT_GRPSPI Tunnel Descriptor Block already grouped for SA: %s, can't regroup.\n",
+						    sa_len ? sa : " (error)");
 					spin_unlock_bh(&tdb_lock);
 					SENDERR(EBUSY);
 				}
@@ -327,8 +346,8 @@
 		if ((tdbp = gettdb(&(em->em_rel[0].emr_said))) == NULL) {
 			KLIPS_PRINT(debug_netlink,
 				    "klips_debug:ipsec_callback: "
-				    "EMT_UGRPSPI Tunnel Descriptor Block not found for SA:\n"
-				    "klips_debug:                %s, could not ungroup.\n", sa);
+				    "EMT_UGRPSPI Tunnel Descriptor Block not found for SA%s, could not ungroup.\n",
+				    sa_len ? sa : " (error)");
 			spin_unlock_bh(&tdb_lock);
 			SENDERR(ENXIO);
 		}
@@ -348,14 +367,16 @@
 		
 	case EMT_CLRSPIS:
 		KLIPS_PRINT(debug_netlink,
-			    "klips_debug:ipsec_callback: spi clear called.\n");
+			    "klips_debug:ipsec_callback: "
+			    "spi clear called.\n");
 		if (em->em_if >= 5)	/* XXX -- why 5? */
 			SENDERR(ENODEV);
 		ipsec_tdbcleanup(0);
 		break;
 	default:
 		KLIPS_PRINT(debug_netlink,
-			    "klips_debug:ipsec_callback: unknown message type\n");
+			    "klips_debug:ipsec_callback: "
+			    "unknown message type\n");
 		SENDERR(EINVAL);
 	}
  errlab:
@@ -370,6 +391,10 @@
 
 /*
  * $Log: ipsec_netlink.c,v $
+ * Revision 1.48  2001/02/27 22:24:54  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
  * Revision 1.47  2000/11/06 04:32:08  rgb
  * Ditched spin_lock_irqsave in favour of spin_lock_bh.
  *
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipsec_radij.c freeswan-1.9/klips/net/ipsec/ipsec_radij.c
--- freeswan-1.9.orig/klips/net/ipsec/ipsec_radij.c	Sun Nov  5 23:32:08 2000
+++ freeswan-1.9/klips/net/ipsec/ipsec_radij.c	Mon Jun  4 12:54:13 2001
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ipsec_radij.c,v 1.41 2000/11/06 04:32:08 rgb Exp $
+ * RCSID $Id: ipsec_radij.c,v 1.45 2001/05/27 06:12:11 rgb Exp $
  */
 
 #include 
@@ -54,7 +54,7 @@
 int debug_radij = 0;
 #endif /* CONFIG_IPSEC_DEBUG */
 
-struct radij_node_head *rnh = 0;
+struct radij_node_head *rnh = NULL;
 #ifdef SPINLOCK
 spinlock_t eroute_lock = SPIN_LOCK_UNLOCKED;
 #else /* SPINLOCK */
@@ -68,7 +68,7 @@
 
 	rj_init();
 	
-	if (rj_inithead((void **)&rnh, 16) == 0) /* 16 is bit offset of sen_type */
+	if (rj_inithead((void **)&rnh, /*16*/offsetof(struct sockaddr_encap, sen_type) * sizeof(__u8)) == 0) /* 16 is bit offset of sen_type */
 		return -1;
 	return 0;
 }
@@ -90,7 +90,7 @@
 int
 ipsec_cleareroutes(void)
 {
-	int error;
+	int error = 0;
 
 	spin_lock_bh(&eroute_lock);
 
@@ -105,15 +105,18 @@
 ipsec_breakroute(struct sockaddr_encap *eaddr, struct sockaddr_encap *emask)
 {
 	struct radij_node *rn;
-	int error;
+	int error = 0;
 #ifdef CONFIG_IPSEC_DEBUG
 	char buf1[64], buf2[64];
 	
 	if (debug_eroute) {
 		subnettoa(eaddr->sen_ip_src, emask->sen_ip_src, 0, buf1, sizeof(buf1));
 		subnettoa(eaddr->sen_ip_dst, emask->sen_ip_dst, 0, buf2, sizeof(buf2));
-		printk("klips_debug:ipsec_breakroute: attempting to delete eroute for %s->%s\n",
-			       buf1, buf2);
+		KLIPS_PRINT(debug_eroute, 
+			    "klips_debug:ipsec_breakroute: "
+			    "attempting to delete eroute for %s->%s\n",
+			    buf1,
+			    buf2);
 	}
 #endif /* CONFIG_IPSEC_DEBUG */
 
@@ -121,7 +124,8 @@
 
 	if ((error = rj_delete(eaddr, emask, rnh, &rn)) != 0) {
 		spin_unlock_bh(&eroute_lock);
-		KLIPS_PRINT(debug_eroute, "klips_debug:ipsec_breakroute: "
+		KLIPS_PRINT(debug_eroute, 
+			    "klips_debug:ipsec_breakroute: "
 			    "node not found, eroute delete failed.\n");
 		return error;
 	}
@@ -138,10 +142,10 @@
 }
 
 int
-ipsec_makeroute(struct sockaddr_encap *eaddr, struct sockaddr_encap *emask, struct sa_id said)
+ipsec_makeroute(struct sockaddr_encap *eaddr, struct sockaddr_encap *emask, struct sa_id said, uint32_t pid)
 {
 	struct eroute *retrt;
-	int error;
+	int error = 0;
 	char sa[SATOA_BUF];
 	size_t sa_len;
 #ifdef CONFIG_IPSEC_DEBUG
@@ -151,14 +155,20 @@
 		subnettoa(eaddr->sen_ip_src, emask->sen_ip_src, 0, buf1, sizeof(buf1));
 		subnettoa(eaddr->sen_ip_dst, emask->sen_ip_dst, 0, buf2, sizeof(buf2));
 		sa_len = satoa(said, 0, sa, SATOA_BUF);
-		printk("klips_debug:ipsec_makeroute: attempting to insert eroute for %s->%s, SA: %s\n",
-		       buf1, buf2, sa);
+		KLIPS_PRINT(debug_eroute, 
+			    "klips_debug:ipsec_makeroute: "
+			    "attempting to insert eroute for %s->%s, SA: %s, PID:%d\n",
+			    buf1,
+			    buf2,
+			    sa_len ? sa : " (error)",
+			    pid);
 	}
 #endif /* CONFIG_IPSEC_DEBUG */
 
 	retrt = (struct eroute *)kmalloc(sizeof (struct eroute), GFP_ATOMIC);
 	if (retrt == NULL) {
-		printk("klips_error:ipsec_makeroute: not able to allocate kernel memory");
+		printk("klips_error:ipsec_makeroute: "
+		       "not able to allocate kernel memory");
 		return ENOMEM;
 	}
 	memset((caddr_t)retrt, 0, sizeof (struct eroute));
@@ -166,6 +176,9 @@
 	retrt->er_eaddr = *eaddr;
 	retrt->er_emask = *emask;
 	retrt->er_said = said;
+	retrt->er_pid = pid;
+	retrt->er_count = 0;
+	retrt->er_lasttime = jiffies/HZ;
 	rd_key((&(retrt->er_rjt))) = &(retrt->er_eaddr);
 	
 	spin_lock_bh(&eroute_lock);
@@ -177,12 +190,40 @@
 	
 	if(error) {
 		sa_len = satoa(said, 0, sa, SATOA_BUF);
-		printk("klips_debug:ipsec_makeroute: rj_addroute not able to insert eroute for SA:%s\n", sa);
+		KLIPS_PRINT(debug_eroute, 
+			    "klips_debug:ipsec_makeroute: "
+			    "rj_addroute not able to insert eroute for SA:%s\n",
+			    sa_len ? sa : " (error)");
 		kfree(retrt); /* XXX -- should we? */
 		return error;
 	}
+
+	if (debug_eroute && 0) {
+/*
+		subnettoa(eaddr->sen_ip_src, emask->sen_ip_src, 0, buf1, sizeof(buf1));
+		subnettoa(eaddr->sen_ip_dst, emask->sen_ip_dst, 0, buf2, sizeof(buf2));
+*/
+		subnettoa(rd_key((&(retrt->er_rjt)))->sen_ip_src, rd_mask((&(retrt->er_rjt)))->sen_ip_src, 0, buf1, sizeof(buf1));
+		subnettoa(rd_key((&(retrt->er_rjt)))->sen_ip_dst, rd_mask((&(retrt->er_rjt)))->sen_ip_dst, 0, buf2, sizeof(buf2));
+		sa_len = satoa(retrt->er_said, 0, sa, SATOA_BUF);
+		
 	KLIPS_PRINT(debug_eroute,
-		    "klips_debug:ipsec_makeroute: succeeded, I think...\n");
+			    "klips_debug:ipsec_makeroute: "
+			    "pid=%05d "
+			    "count=%10d "
+			    "lasttime=%6d "
+			    "%-18s -> %-18s => %s\n",
+			    retrt->er_pid,
+			    retrt->er_count,
+			    (int)(jiffies/HZ - retrt->er_lasttime),
+			    buf1,
+			    buf2,
+			    sa_len ? sa : " (error)");
+	}
+
+	KLIPS_PRINT(debug_eroute,
+		    "klips_debug:ipsec_makeroute: "
+		    "succeeded, I think...\n");
 	return 0;
 }
 
@@ -196,11 +237,22 @@
 	if (debug_radij & DB_RJ_FINDROUTE) {
 		addrtoa(eaddr->sen_ip_src, 0, buf1, sizeof(buf1));
 		addrtoa(eaddr->sen_ip_dst, 0, buf2, sizeof(buf2));
-		printk("klips_debug:ipsec_findroute: %s->%s\n",
-		       buf1, buf2);
+		KLIPS_PRINT(debug_eroute,
+			    "klips_debug:ipsec_findroute: "
+			    "%s->%s\n",
+			    buf1,
+			    buf2);
 	}
 #endif /* CONFIG_IPSEC_DEBUG */
 	rn = rj_match((caddr_t)eaddr, rnh);
+	if(rn) {
+		KLIPS_PRINT(debug_eroute,
+			    "klips_debug:ipsec_findroute: "
+			    "found, points to proto=%d, spi=%x, dst=%x.\n",
+			    ((struct eroute*)rn)->er_said.proto,
+			    ntohl(((struct eroute*)rn)->er_said.spi),
+			    ntohl(((struct eroute*)rn)->er_said.dst.s_addr));
+	}
 	return (struct eroute *)rn;
 }
 		
@@ -217,8 +269,10 @@
 	struct sockaddr_encap *key, *mask;
 	
 	KLIPS_PRINT(debug_radij,
-		    "klips_debug:ipsec_rj_walker_procprint: rn=%p, w0=%p\n",
-		    rn, w0);
+		    "klips_debug:ipsec_rj_walker_procprint: "
+		    "rn=%p, w0=%p\n",
+		    rn,
+		    w0);
 	if (rn == NULL)	{
 		return 120;
 	}
@@ -238,8 +292,24 @@
 	subnettoa(key->sen_ip_dst, mask->sen_ip_dst, 0, buf2, sizeof(buf2));
 	sa_len = satoa(ro->er_said, 0, sa, SATOA_BUF);
 	w->len += sprintf(w->buffer + w->len,
+/*
+			  "%05d "
+*/
+			  "%-10d "
+/*
+			  "%6d "
+*/
 			  "%-18s -> %-18s => %s\n",
-			  buf1, buf2, sa);
+/*
+			  ro->er_pid,
+*/
+			  ro->er_count,
+/*
+			  jiffies / HZ - ro->er_lasttime,
+*/
+			  buf1,
+			  buf2,
+			  sa_len ? sa : " (error)");
 	
 	w->pos = w->begin + w->len;
 	if(w->pos < w->offset) {
@@ -258,7 +328,7 @@
 {
 	struct rjtentry *rd = (struct rjtentry *)rn;
 	struct radij_node *rn2;
-	int error;
+	int error = 0;
 	struct sockaddr_encap *key, *mask;
 #ifdef CONFIG_IPSEC_DEBUG
 	char buf1[64] = { 0 }, buf2[64] = { 0 };
@@ -272,14 +342,17 @@
 	mask = rd_mask(rd);
 	
 	if(!key || !mask) {
-		return -1;
+		return -ENODATA;
 	}
 #ifdef CONFIG_IPSEC_DEBUG
 	if(debug_radij)	{
 		subnettoa(key->sen_ip_src, mask->sen_ip_src, 0, buf1, sizeof(buf1));
 		subnettoa(key->sen_ip_dst, mask->sen_ip_dst, 0, buf2, sizeof(buf2));
-		printk("klips_debug:ipsec_rj_walker_delete: deleting: %s -> %s\n",
-		       buf1, buf2);
+		KLIPS_PRINT(debug_radij, 
+			    "klips_debug:ipsec_rj_walker_delete: "
+			    "deleting: %s -> %s\n",
+			    buf1,
+			    buf2);
 	}
 #endif /* CONFIG_IPSEC_DEBUG */
 
@@ -291,8 +364,8 @@
 	}
 
 	if(rn2 != rn) {
-		printk("klips_debug:ipsec_rj_walker_delete: tried to delete a different node?!?"
-		       "This should never happen!\n");
+		printk("klips_debug:ipsec_rj_walker_delete: "
+		       "tried to delete a different node?!?  This should never happen!\n");
 	}
 	memset((caddr_t)rn, 0, sizeof (struct eroute));
 	kfree(rn);
@@ -302,6 +375,21 @@
 
 /*
  * $Log: ipsec_radij.c,v $
+ * Revision 1.45  2001/05/27 06:12:11  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
+ * Revision 1.44  2001/05/03 19:41:01  rgb
+ * Initialise error return variable.
+ * Use more appropriate return value for ipsec_rj_walker_delete().
+ *
+ * Revision 1.43  2001/02/27 22:24:54  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.42  2001/02/27 06:21:57  rgb
+ * Added findroute success instrumentation.
+ *
  * Revision 1.41  2000/11/06 04:32:08  rgb
  * Ditched spin_lock_irqsave in favour of spin_lock_bh.
  *
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipsec_radij.h freeswan-1.9/klips/net/ipsec/ipsec_radij.h
--- freeswan-1.9.orig/klips/net/ipsec/ipsec_radij.h	Fri Sep  8 15:12:56 2000
+++ freeswan-1.9/klips/net/ipsec/ipsec_radij.h	Mon Jun  4 12:54:13 2001
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ipsec_radij.h,v 1.11 2000/09/08 19:12:56 rgb Exp $
+ * RCSID $Id: ipsec_radij.h,v 1.12 2001/05/27 06:12:11 rgb Exp $
  */
 
 #include 
@@ -34,14 +34,8 @@
 	off_t pos;
 };
 
-#if 0
-struct eroute * ipsec_makeroute(struct sockaddr_encap *ea, struct sockaddr_encap *em, struct sa_id);
-#endif
-int ipsec_makeroute(struct sockaddr_encap *ea, struct sockaddr_encap *em, struct sa_id);
-
-#if 0
-struct eroute * ipsec_breakroute(struct sockaddr_encap *ea, struct sockaddr_encap *em);
-#endif
+int ipsec_makeroute(struct sockaddr_encap *ea, struct sockaddr_encap *em, struct sa_id, uint32_t pid);
+
 int ipsec_breakroute(struct sockaddr_encap *ea, struct sockaddr_encap *em);
 
 int ipsec_radijinit(void);
@@ -68,6 +62,10 @@
 
 /*
  * $Log: ipsec_radij.h,v $
+ * Revision 1.12  2001/05/27 06:12:11  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
  * Revision 1.11  2000/09/08 19:12:56  rgb
  * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
  *
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipsec_rcv.c freeswan-1.9/klips/net/ipsec/ipsec_rcv.c
--- freeswan-1.9.orig/klips/net/ipsec/ipsec_rcv.c	Mon Feb 19 17:28:30 2001
+++ freeswan-1.9/klips/net/ipsec/ipsec_rcv.c	Tue Jun 12 16:25:46 2001
@@ -14,7 +14,7 @@
  * for more details.
  */
 
-char ipsec_rcv_c_version[] = "RCSID $Id: ipsec_rcv.c,v 1.75 2001/02/19 22:28:30 rgb Exp $";
+char ipsec_rcv_c_version[] = "RCSID $Id: ipsec_rcv.c,v 1.85 2001/05/30 08:14:02 rgb Exp $";
 
 #include 
 #include 
@@ -77,6 +77,7 @@
 int sysctl_ipsec_inbound_policy_check = 1;
 
 #ifdef CONFIG_IPSEC_ESP
+extern void des_cbc_encrypt(caddr_t, caddr_t, int, caddr_t, caddr_t, int);
 extern void des_ede3_cbc_encrypt(caddr_t, caddr_t, int, caddr_t, caddr_t, caddr_t, caddr_t, int);
 #endif /* !CONFIG_IPSEC_ESP */
 #if defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH)
@@ -252,6 +253,14 @@
 		goto rcvleave;
 	}
 		
+#ifdef IPH_is_SKB_PULLED
+	/* In Linux 2.4.4, the IP header has been skb_pull()ed before the
+	   packet is passed to us. So we'll skb_push() to get back to it. */
+	if (skb->data == skb->h.raw) {
+		skb_push(skb, skb->h.raw - skb->nh.raw);
+	}
+#endif /* IPH_is_SKB_PULLED */
+	
 	ipp = (struct iphdr *)skb->data;
 	iphlen = ipp->ihl << 2;
 	/* dev->hard_header_len is unreliable and should not be used */
@@ -267,20 +276,26 @@
 		/* include any mac header while copying.. */
 		if(skb_headroom(skb) < hard_header_len) {
 			printk(KERN_WARNING "klips_error:ipsec_rcv: "
-			       "tried to skb_push hhlen=%d, %d available.  "
-			       "This should never happen, please report.\n",
-			       hard_header_len, skb_headroom(skb));
+			       "tried to skb_push hhlen=%d, %d available.  This should never happen, please report.\n",
+			       hard_header_len,
+			       skb_headroom(skb));
 			goto rcvleave;
 		}
 		skb_push(skb, hard_header_len);
-		if ((skb = skb_cow(skb, skb_headroom(skb))) == NULL) {
+		if
+#ifdef SKB_COW_NEW
+               (skb_cow(skb, skb_headroom(skb)) != 0)
+#else /* SKB_COW_NEW */
+               ((skb = skb_cow(skb, skb_headroom(skb))) == NULL)
+#endif /* SKB_COW_NEW */
+		{
 			goto rcvleave;
 		}
 		if(skb->len < hard_header_len) {
 			printk(KERN_WARNING "klips_error:ipsec_rcv: "
-			       "tried to skb_pull hhlen=%d, %d available.  "
-			       "This should never happen, please report.\n",
-			       hard_header_len, skb->len);
+			       "tried to skb_pull hhlen=%d, %d available.  This should never happen, please report.\n",
+			       hard_header_len,
+			       skb->len);
 			goto rcvleave;
 		}
 		skb_pull(skb, hard_header_len);
@@ -289,7 +304,8 @@
 #endif /* NET_21 */
 		
 	KLIPS_PRINT(debug_rcv, 
-		    "klips_debug:ipsec_rcv: <<< Info -- ");
+		    "klips_debug:ipsec_rcv: "
+		    "<<< Info -- ");
 	KLIPS_PRINTMORE(debug_rcv && skb->dev, "skb->dev=%s ",
 		    skb->dev->name ? skb->dev->name : "NULL");
 	KLIPS_PRINTMORE(debug_rcv && dev, "dev=%s ",
@@ -297,9 +313,8 @@
 	KLIPS_PRINTMORE(debug_rcv, "\n");
 
 	KLIPS_PRINT(debug_rcv && !(skb->dev && dev && (skb->dev == dev)),
-		    "klips_debug:ipsec_rcv: Informational -- "
-		    "**if this happens, find out why** "
-		    "skb->dev:%s is not equal to dev:%s\n",
+		    "klips_debug:ipsec_rcv: "
+		    "Informational -- **if this happens, find out why** skb->dev:%s is not equal to dev:%s\n",
 		    skb->dev ? (skb->dev->name ? skb->dev->name : "NULL") : "NULL",
 		    dev ? (dev->name ? dev->name : "NULL") : "NULL");
 
@@ -333,24 +348,25 @@
 				}
 				ipsecdev = skb->dev;
 				KLIPS_PRINT(debug_rcv,
-					    "klips_debug:ipsec_rcv: Info -- pkt "
-					    "already proc'ed a group of ipsec headers, "
-					    "processing next group of ipsec headers.\n");
+					    "klips_debug:ipsec_rcv: "
+					    "Info -- pkt already proc'ed a group of ipsec headers, processing next group of ipsec headers.\n");
 				break;
 			}
 			if((ipsecdev = ipsec_dev_get(name)) == NULL) {
 				KLIPS_PRINT(debug_rcv,
-					    "klips_error:ipsec_rcv: device %s does "
-					    "not exist\n", name);
+					    "klips_error:ipsec_rcv: "
+					    "device %s does not exist\n",
+					    name);
 			}
 			prv = ipsecdev ? (struct ipsecpriv *)(ipsecdev->priv) : NULL;
 			prvdev = prv ? (struct device *)(prv->dev) : NULL;
 			
 #if 0
 			KLIPS_PRINT(debug_rcv && prvdev, 
-				    "klips_debug:ipsec_rcv: physical device"
-				    " for device %s is %s\n",
-				    name, prvdev->name);
+				    "klips_debug:ipsec_rcv: "
+				    "physical device for device %s is %s\n",
+				    name,
+				    prvdev->name);
 #endif
 			if(prvdev && skb->dev &&
 			   !strcmp(prvdev->name, skb->dev->name)) {
@@ -368,20 +384,16 @@
 		}
 	} else {
 		KLIPS_PRINT(debug_rcv, 
-			    "klips_debug:ipsec_rcv: device supplied"
-			    " with skb is NULL\n");
+			    "klips_debug:ipsec_rcv: "
+			    "device supplied with skb is NULL\n");
 	}
 			
 	if(!stats) {
 		ipsecdev = NULL;
 	}
 	KLIPS_PRINT((debug_rcv && !stats),
-		    "klips_error:ipsec_rcv: packet received from physical "
-		    "I/F (%s) not connected to ipsec I/F.  Cannot record "
-		    "stats.\n"
-		    "klips_error          May not have SA for decoding.  "
-		    "Is IPSEC traffic expected on this I/F?  "
-		    "Check routing.\n",
+		    "klips_error:ipsec_rcv: "
+		    "packet received from physical I/F (%s) not connected to ipsec I/F.  Cannot record stats.  May not have SA for decoding.  Is IPSEC traffic expected on this I/F?  Check routing.\n",
 		    skb->dev ? (skb->dev->name ? skb->dev->name : "NULL") : "NULL");
 
 	KLIPS_IP_PRINT(debug_rcv, ipp);
@@ -415,9 +427,9 @@
 		/* XXX this will need to be 8 for IPv6 */
 		if ((proto == IPPROTO_ESP) && ((len - iphlen) % 4)) {
 			printk("klips_error:ipsec_rcv: "
-			       "got packet with content length = %d from %s "
-			       "-- should be on 4 octet boundary, packet dropped\n",
-			       len - iphlen, ipaddr_txt);
+			       "got packet with content length = %d from %s -- should be on 4 octet boundary, packet dropped\n",
+			       len - iphlen,
+			       ipaddr_txt);
 			if(stats) {
 				stats->rx_errors++;
 			}
@@ -467,11 +479,9 @@
 			next_header = ahp->ah_nh;
 			if (ahhlen != sizeof(struct ah)) {
 				KLIPS_PRINT(debug_rcv & DB_RX_INAU,
-					    "klips_debug:ipsec_rcv: bad "
-					    "authenticator length %d, expected "
-					    "%d from %s\n",
-					    ahhlen - ((caddr_t)(ahp->ah_data) -
-						      (caddr_t)ahp),
+					    "klips_debug:ipsec_rcv: "
+					    "bad authenticator length %d, expected %d from %s\n",
+					    ahhlen - ((caddr_t)(ahp->ah_data) - (caddr_t)ahp),
 					    AHHMAC_HASHLEN,
 					    ipaddr_txt);
 				if(stats) {
@@ -484,26 +494,34 @@
 #endif /* CONFIG_IPSEC_AH */
 		
 		/*
-		 * The spinlock is to prevent any other process from
-		 * accessing or deleting the structure while we are
-		 * using and updating it.
+		  The spinlock is to prevent any other process from
+		  accessing or deleting the TDB hash table or any of the
+		  TDBs while we are using and updating them.
+		  
+		  This is not optimal, but was relatively straightforward
+		  at the time.  A better way to do it has been planned for
+		  more than a year, to lock the hash table and put reference
+		  counts on each TDB instead.  This is not likely to happen
+		  in KLIPS1 unless a volunteer contributes it, but will be
+		  designed into KLIPS2.
 		 */
+		if(tdbprev == NULL) {
 		spin_lock(&tdb_lock);
+		}
 		
 #ifdef CONFIG_IPSEC_IPCOMP
 		if (proto == IPPROTO_COMP) {
 			unsigned int flags = 0;
 			if (tdbp == NULL) {
+				spin_unlock(&tdb_lock);
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
-					    "Incoming packet with outer IPCOMP "
-					    "header SA:%s: not yet supported "
-					    "by KLIPS, dropped\n", sa);
+					    "Incoming packet with outer IPCOMP header SA:%s: not yet supported by KLIPS, dropped\n",
+					    sa_len ? sa : " (error)");
 				if(stats) {
 					stats->rx_dropped++;
 				}
 
-				spin_unlock(&tdb_lock);
 				goto rcvleave;
 			}
 
@@ -516,27 +534,24 @@
 				   && ((ntohl(tdbp->tdb_said.spi) & 0x0000ffff)
 				       != ntohl(said.spi))))) {
 				char sa2[SATOA_BUF];
+				size_t sa_len2 = 0;
 
 				if(tdbp) {
-					sa_len = satoa(tdbp->tdb_said, 0, sa2, SATOA_BUF);
+					sa_len2 = satoa(tdbp->tdb_said, 0, sa2, SATOA_BUF);
 				}
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
-					    "Incoming packet with SA(IPCA):%s "
-					    "does not match policy SA(IPCA):%s "
-					    "cpi=%04x cpi->spi=%08x spi=%08x, spi->cpi=%04x for "
-					    "SA grouping, dropped.\n",
-					    sa,
-					    tdbp ? sa2 : "NULL",
+					    "Incoming packet with SA(IPCA):%s does not match policy SA(IPCA):%s cpi=%04x cpi->spi=%08x spi=%08x, spi->cpi=%04x for SA grouping, dropped.\n",
+					    sa_len ? sa : " (error)",
+					    tdbp ? (sa_len2 ? sa2 : " (error)") : "NULL",
 					    ntohs(compp->ipcomp_cpi),
 					    (__u32)ntohl(said.spi),
 					    tdbp ? (__u32)ntohl((tdbp->tdb_said.spi)) : 0,
 					    tdbp ? (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff) : 0);
+				spin_unlock(&tdb_lock);
 				if(stats) {
 					stats->rx_dropped++;
 				}
-
-				spin_unlock(&tdb_lock);
 				goto rcvleave;
 			}
 
@@ -548,10 +563,10 @@
 
 			skb = skb_decompress(skb, tdbp, &flags);
 			if (!skb || flags) {
+				spin_unlock(&tdb_lock);
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
-					    "skb_decompress() returned "
-					    "error flags=%x, dropped.\n",
+					    "skb_decompress() returned error flags=%x, dropped.\n",
 					    flags);
 				if (stats) {
 				    if (flags)
@@ -559,8 +574,6 @@
 				    else
 					stats->rx_dropped++;
 				}
-
-				spin_unlock(&tdb_lock);
 				goto rcvleave;
 			}
 #ifdef NET_21
@@ -575,9 +588,8 @@
 
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
-				    "packet decompressed SA(IPCA):%s "
-				    "cpi->spi=%08x spi=%08x, spi->cpi=%04x, nh=%d.\n",
-				    sa,
+				    "packet decompressed SA(IPCA):%s cpi->spi=%08x spi=%08x, spi->cpi=%04x, nh=%d.\n",
+				    sa_len ? sa : " (error)",
 				    (__u32)ntohl(said.spi),
 				    tdbp ? (__u32)ntohl((tdbp->tdb_said.spi)) : 0,
 				    tdbp ? (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff) : 0,
@@ -594,9 +606,9 @@
 		if (tdbp == NULL) {
 			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv,
-				    "klips_debug:ipsec_rcv: no Tunnel Descriptor "
-				    "Block for SA:%s: incoming packet with no SA "
-				    "dropped\n", sa);
+				    "klips_debug:ipsec_rcv: "
+				    "no Tunnel Descriptor Block for SA:%s: incoming packet with no SA dropped\n",
+				    sa_len ? sa : " (error)");
 			if(stats) {
 				stats->rx_dropped++;
 			}
@@ -611,27 +623,27 @@
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
 					    "SA:%s, src=%s of pkt does not agree with expected SA source address policy.\n",
-					    sa, ipaddr_txt);
+					    sa_len ? sa : " (error)",
+					    ipaddr_txt);
 				if(stats) {
 					stats->rx_dropped++;
 				}
 				goto rcvleave;
 			}
-			{
 				ipaddr.s_addr = ipp->saddr;
 				addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
 					    "SA:%s, src=%s of pkt agrees with expected SA source address policy.\n",
-					    sa, ipaddr_txt);
-			}
+				    sa_len ? sa : " (error)",
+				    ipaddr_txt);
 			if(tdbnext) {
 				if(tdbnext != tdbp) {
 					spin_unlock(&tdb_lock);
 					KLIPS_PRINT(debug_rcv,
 						    "klips_debug:ipsec_rcv: "
 						    "unexpected SA:%s: does not agree with tdb->inext policy, dropped\n",
-						    sa);
+						    sa_len ? sa : " (error)");
 					if(stats) {
 						stats->rx_dropped++;
 					}
@@ -640,22 +652,21 @@
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
 					    "SA:%s grouping from previous SA is OK.\n",
-					    sa);
+					    sa_len ? sa : " (error)");
 			} else {
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
 					    "SA:%s First SA in group.\n",
-					    sa);
+					    sa_len ? sa : " (error)");
 			}
 			
-#if 1
 			if(tdbp->tdb_onext) {
 				if(tdbprev != tdbp->tdb_onext) {
 					spin_unlock(&tdb_lock);
 					KLIPS_PRINT(debug_rcv,
 						    "klips_debug:ipsec_rcv: "
 						    "unexpected SA:%s: does not agree with tdb->onext policy, dropped.\n",
-						    sa);
+						    sa_len ? sa : " (error)");
 					if(stats) {
 						stats->rx_dropped++;
 					}
@@ -664,15 +675,14 @@
 					KLIPS_PRINT(debug_rcv,
 						    "klips_debug:ipsec_rcv: "
 						    "SA:%s grouping to previous SA is OK.\n",
-						    sa);
+						    sa_len ? sa : " (error)");
 				}
 			} else {
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
 					    "SA:%s No previous backlink in group.\n",
-					    sa);
+					    sa_len ? sa : " (error)");
 			}
-#endif
 		}
 		
 		/* If it is in larval state, drop the packet, we cannot process yet. */
@@ -680,8 +690,7 @@
 			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
-				    "TDB in larval state, cannot be used yet, "
-				    "dropping packet.\n");
+				    "TDB in larval state, cannot be used yet, dropping packet.\n");
 			if(stats) {
 				stats->rx_dropped++;
 			}
@@ -692,8 +701,7 @@
 			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
-				    "TDB in dead state, cannot be used any more, "
-				    "dropping packet.\n");
+				    "TDB in dead state, cannot be used any more, dropping packet.\n");
 			if(stats) {
 				stats->rx_dropped++;
 			}
@@ -707,8 +715,8 @@
 			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
-				    "hard bytes lifetime of SA:%s has been reached, "
-				    "SA expired, incoming packet dropped.\n", sa);
+				    "hard bytes lifetime of SA:%s has been reached, SA expired, incoming packet dropped.\n",
+				    sa_len ? sa : " (error)");
 			if(stats) {
 				stats->rx_dropped++;
 			}
@@ -716,13 +724,14 @@
 		}
 		if(tdbp->tdb_lifetime_bytes_s &&
 		   (tdbp->tdb_lifetime_bytes_c > tdbp->tdb_lifetime_bytes_s)) {
+			if(tdbp->tdb_state != SADB_SASTATE_DYING) {
+				pfkey_expire(tdbp, 0);
+			}
 			tdbp->tdb_state = SADB_SASTATE_DYING;
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
-				    "soft bytes lifetime of SA:%s has been reached, "
-				    "SA expiring, soft expire message sent up, "
-				    "incoming packet still processed.\n", sa);
-			pfkey_expire(tdbp, 0);
+				    "soft bytes lifetime of SA:%s has been reached, SA expiring, soft expire message sent up, incoming packet still processed.\n",
+				    sa_len ? sa : " (error)");
 		}
 		
 		if(tdbp->tdb_lifetime_addtime_h &&
@@ -733,8 +742,8 @@
 			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
-				    "hard addtime lifetime of SA:%s has been reached, "
-				    "SA expired, incoming packet dropped.\n", sa);
+				    "hard addtime lifetime of SA:%s has been reached, SA expired, incoming packet dropped.\n",
+				    sa_len ? sa : " (error)");
 			if(stats) {
 				stats->rx_dropped++;
 			}
@@ -743,13 +752,14 @@
 		if(tdbp->tdb_lifetime_addtime_s &&
 		   ((jiffies / HZ) - tdbp->tdb_lifetime_addtime_c >
 		    tdbp->tdb_lifetime_addtime_s)) {
+			if(tdbp->tdb_state != SADB_SASTATE_DYING) {
+				pfkey_expire(tdbp, 0);
+			}
 			tdbp->tdb_state = SADB_SASTATE_DYING;
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
-				    "soft addtime lifetime of SA:%s has been reached, "
-				    "SA expiring, soft expire message sent up, "
-				    "incoming packet still processed.\n", sa);
-			pfkey_expire(tdbp, 0);
+				    "soft addtime lifetime of SA:%s has been reached, SA expiring, soft expire message sent up, incoming packet still processed.\n",
+				    sa_len ? sa : " (error)");
 		}
 		
 		if(tdbp->tdb_lifetime_usetime_c) {
@@ -761,8 +771,8 @@
 				spin_unlock(&tdb_lock);
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
-					    "hard usetime lifetime of SA:%s has been reached, "
-					    "SA expired, incoming packet dropped.\n", sa);
+					    "hard usetime lifetime of SA:%s has been reached, SA expired, incoming packet dropped.\n",
+					    sa_len ? sa : " (error)");
 				if(stats) {
 					stats->rx_dropped++;
 				}
@@ -771,13 +781,14 @@
 			if(tdbp->tdb_lifetime_usetime_s &&
 			   ((jiffies / HZ) - tdbp->tdb_lifetime_usetime_c >
 			    tdbp->tdb_lifetime_usetime_s)) {
+				if(tdbp->tdb_state != SADB_SASTATE_DYING) {
+					pfkey_expire(tdbp, 0);
+				}
 				tdbp->tdb_state = SADB_SASTATE_DYING;
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
-					    "soft usetime lifetime of SA:%s has been reached, "
-					    "SA expiring, soft expire message sent up, "
-					    "incoming packet still processed.\n", sa);
-				pfkey_expire(tdbp, 0);
+					    "soft usetime lifetime of SA:%s has been reached, SA expiring, soft expire message sent up, incoming packet still processed.\n",
+					    sa_len ? sa : " (error)");
 			}
 		}
 		
@@ -788,8 +799,8 @@
 			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
-				    "hard packets lifetime of SA:%s has been reached, "
-				    "SA expired, incoming packet dropped.\n", sa);
+				    "hard packets lifetime of SA:%s has been reached, SA expired, incoming packet dropped.\n",
+				    sa_len ? sa : " (error)");
 			if(stats) {
 				stats->rx_dropped++;
 			}
@@ -797,13 +808,14 @@
 		}
 		if(tdbp->tdb_lifetime_packets_s &&
 		   (tdbp->tdb_lifetime_packets_c > tdbp->tdb_lifetime_packets_s)) {
+			if(tdbp->tdb_state != SADB_SASTATE_DYING) {
+				pfkey_expire(tdbp, 0);
+			}
 			tdbp->tdb_state = SADB_SASTATE_DYING;
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
-				    "soft packets lifetime of SA:%s has been reached, "
-				    "SA expiring, soft expire message sent up, "
-				    "incoming packet still processed.\n", sa);
-			pfkey_expire(tdbp, 0);
+				    "soft packets lifetime of SA:%s has been reached, SA expiring, soft expire message sent up, incoming packet still processed.\n",
+				    sa_len ? sa : " (error)");
 		}
 		
 		/* authenticate, if required */
@@ -823,24 +835,26 @@
 			authlen = 0;
 			break;
 		default:
+			tdbp->tdb_alg_errs += 1;
+			spin_unlock(&tdb_lock);
 			if(stats) {
 				stats->rx_errors++;
 			}
-			tdbp->tdb_alg_errs += 1;
-			spin_unlock(&tdb_lock);
 			goto rcvleave;
 		}
 		ilen = len - iphlen - authlen;
 		
 #ifdef CONFIG_IPSEC_ESP
 		KLIPS_PRINT(proto == IPPROTO_ESP && debug_rcv, 
-			    "klips_debug:ipsec_rcv: packet from %s received with"
-			    " seq=%d (iv)=0x%08x%08x iplen=%d esplen=%d sa=%s\n",
+			    "klips_debug:ipsec_rcv: "
+			    "packet from %s received with seq=%d (iv)=0x%08x%08x iplen=%d esplen=%d sa=%s\n",
 			    ipaddr_txt,
 			    (__u32)ntohl(espp->esp_rpl),
 			    (__u32)ntohl(*((__u32 *)(espp->esp_iv)    )),
 			    (__u32)ntohl(*((__u32 *)(espp->esp_iv) + 1)),
-			    len, ilen, sa);
+			    len,
+			    ilen,
+			    sa_len ? sa : " (error)");
 #endif /* !CONFIG_IPSEC_ESP */
 		
 		switch(proto) {
@@ -863,7 +877,7 @@
 			deltdbchain(tdbp);
 			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv,
-				    "klips_debug:ipsec_tunnel_start_xmit: "
+				    "klips_debug:ipsec_rcv: "
 				    "replay window counter rolled, expiring SA.\n");
 			if(stats) {
 				stats->rx_dropped++;
@@ -872,15 +886,15 @@
 		}
 
 		if (!ipsec_checkreplaywindow(tdbp, replay)) {
+			tdbp->tdb_replaywin_errs += 1;
+			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
-				    "klips_debug:ipsec_rcv: duplicate frame from %s,"
-				    " packet dropped\n",
+				    "klips_debug:ipsec_rcv: "
+				    "duplicate frame from %s, packet dropped\n",
 				    ipaddr_txt);
 			if(stats) {
 				stats->rx_dropped++;
 			}
-			tdbp->tdb_replaywin_errs += 1;
-			spin_unlock(&tdb_lock);
 			goto rcvleave;
 		}
 		
@@ -889,8 +903,10 @@
 		 */
 		
 		KLIPS_PRINT(debug_rcv,
-			    "klips_debug:ipsec_rcv: encalg = %d, authalg = %d.\n",
-			    tdbp->tdb_encalg, tdbp->tdb_authalg);
+			    "klips_debug:ipsec_rcv: "
+			    "encalg = %d, authalg = %d.\n",
+			    tdbp->tdb_encalg,
+			    tdbp->tdb_authalg);
 		
 		if(tdbp->tdb_authalg) {
 			switch(tdbp->tdb_authalg) {
@@ -959,19 +975,21 @@
 			}
 		
 			if(!authenticator) {
+				tdbp->tdb_auth_errs += 1;
+				spin_unlock(&tdb_lock);
 				if(stats) {
 					stats->rx_dropped++;
 				}
-				tdbp->tdb_auth_errs += 1;
-				spin_unlock(&tdb_lock);
 				goto rcvleave;
 			}
 
 			if (memcmp(hash, authenticator, authlen)) {
+				tdbp->tdb_auth_errs += 1;
+				spin_unlock(&tdb_lock);
 				KLIPS_PRINT(debug_rcv & DB_RX_INAU,
-					    "klips_debug:ipsec_rcv: auth failed on incoming "
-					    "packet from %s: hash=%08x%08x%08x "
-					    "auth=%08x%08x%08x, dropped\n", ipaddr_txt,
+					    "klips_debug:ipsec_rcv: "
+					    "auth failed on incoming packet from %s: hash=%08x%08x%08x auth=%08x%08x%08x, dropped\n",
+					    ipaddr_txt,
 					    *(__u32*)&hash[0],
 					    *(__u32*)&hash[4],
 					    *(__u32*)&hash[8],
@@ -981,12 +999,11 @@
 				if(stats) {
 					stats->rx_dropped++;
 				}
-				tdbp->tdb_auth_errs += 1;
-				spin_unlock(&tdb_lock);
 				goto rcvleave;
 			} else {
 				KLIPS_PRINT(debug_rcv,
-					    "klips_debug:ipsec_rcv: authentication successful.\n");
+					    "klips_debug:ipsec_rcv: "
+					    "authentication successful.\n");
 			}
 			
 			memset((caddr_t)&tctx, 0, sizeof(tctx));
@@ -994,15 +1011,15 @@
 		}
 
 		if (!ipsec_updatereplaywindow(tdbp, replay)) {
+			tdbp->tdb_replaywin_errs += 1;
+			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
-				    "klips_debug:ipsec_rcv: duplicate frame from %s,"
-				    " packet dropped\n",
+				    "klips_debug:ipsec_rcv: "
+				    "duplicate frame from %s, packet dropped\n",
 				    ipaddr_txt);
 			if(stats) {
 				stats->rx_dropped++;
 			}
-			tdbp->tdb_replaywin_errs += 1;
-			spin_unlock(&tdb_lock);
 			goto rcvleave;
 		}
 		
@@ -1010,37 +1027,52 @@
 #ifdef CONFIG_IPSEC_ESP
 		case IPPROTO_ESP:
 			switch(tdbp->tdb_encalg) {
+			case ESP_DES:
 			case ESP_3DES:
 				iv[0] = *((__u32 *)(espp->esp_iv)    );
 				iv[1] = *((__u32 *)(espp->esp_iv) + 1);
 				esphlen = sizeof(struct esp);
 				break;
-			case ESP_NULL:
-				esphlen = offsetof(struct esp, esp_iv);
-				break;
 			default:
+				tdbp->tdb_alg_errs += 1;
+				spin_unlock(&tdb_lock);
 				if(stats) {
 					stats->rx_errors++;
 				}
-				tdbp->tdb_alg_errs += 1;
-				spin_unlock(&tdb_lock);
 				goto rcvleave;
 			}
 			idat += esphlen;
 			ilen -= esphlen;
 			
 			switch(tdbp->tdb_encalg) {
-			case ESP_3DES:
+			case ESP_DES:
 				if ((ilen) % 8) {
+					tdbp->tdb_encsize_errs += 1;
+					spin_unlock(&tdb_lock);
 					printk("klips_error:ipsec_rcv: "
-					       "got packet with esplen = %d from %s "
-					       "-- should be on 8 octet boundary, packet dropped\n",
-					       ilen, ipaddr_txt);
+					       "got packet with esplen = %d from %s -- should be on 8 octet boundary, packet dropped\n",
+					       ilen,
+					       ipaddr_txt);
 					if(stats) {
 						stats->rx_errors++;
 					}
+					goto rcvleave;
+				}
+				des_cbc_encrypt(idat, idat, ilen,
+						     tdbp->tdb_key_e,
+						     (caddr_t)iv, 0);
+				break;
+			case ESP_3DES:
+				if ((ilen) % 8) {
 					tdbp->tdb_encsize_errs += 1;
 					spin_unlock(&tdb_lock);
+					printk("klips_error:ipsec_rcv: "
+					       "got packet with esplen = %d from %s -- should be on 8 octet boundary, packet dropped\n",
+					       ilen,
+					       ipaddr_txt);
+					if(stats) {
+						stats->rx_errors++;
+					}
 					goto rcvleave;
 				}
 				des_ede3_cbc_encrypt(idat, idat, ilen,
@@ -1049,8 +1081,6 @@
 						     tdbp->tdb_key_e + 2 * sizeof(struct des_eks),
 						     (caddr_t)iv, 0);
 				break;
-			case ESP_NULL:
-				break;
 			}
 			next_header = idat[ilen - 1];
 			padlen = idat[ilen - 2];
@@ -1123,23 +1153,25 @@
 				(void *)(skb->data), iphlen);
 			if(skb->len < esphlen) {
 				spin_unlock(&tdb_lock);
-				printk(KERN_WARNING "klips_error:ipsec_rcv: "
-				       "tried to skb_pull esphlen=%d, %d available.  "
-				       "This should never happen, please report.\n",
+				printk(KERN_WARNING
+				       "klips_error:ipsec_rcv: "
+				       "tried to skb_pull esphlen=%d, %d available.  This should never happen, please report.\n",
 				       esphlen, (int)(skb->len));
 				goto rcvleave;
 			}
 			skb_pull(skb, esphlen);
 
 			KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
-				    "klips_debug:ipsec_rcv: trimming to %d.\n",
+				    "klips_debug:ipsec_rcv: "
+				    "trimming to %d.\n",
 				    len - esphlen - pad);
 			if(pad + esphlen <= len) {
 			        skb_trim(skb, len - esphlen - pad);
 			} else {
 				spin_unlock(&tdb_lock);
 			        KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
-				            "klips_debug:ipsec_rcv: bogus packet, size is zero or negative, dropping.\n");
+				            "klips_debug:ipsec_rcv: "
+					    "bogus packet, size is zero or negative, dropping.\n");
 				goto rcvleave;
 			}
 		break;
@@ -1151,10 +1183,11 @@
 				(void *)(skb->data), iphlen);
 			if(skb->len < ahhlen) {
 				spin_unlock(&tdb_lock);
-				printk(KERN_WARNING "klips_error:ipsec_rcv: "
-				       "tried to skb_pull ahhlen=%d, %d available.  "
-				       "This should never happen, please report.\n",
-				       ahhlen, (int)(skb->len));
+				printk(KERN_WARNING
+				       "klips_error:ipsec_rcv: "
+				       "tried to skb_pull ahhlen=%d, %d available.  This should never happen, please report.\n",
+				       ahhlen,
+				       (int)(skb->len));
 				goto rcvleave;
 			}
 			skb_pull(skb, ahhlen);
@@ -1187,8 +1220,10 @@
 		ipp->check = ip_fast_csum((unsigned char *)dat, iphlen >> 2);
 		
 		KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
-			    "klips_debug:ipsec_rcv: after <%s%s%s>, SA:%s:\n",
-					    TDB_XFORM_NAME(tdbp), sa);
+			    "klips_debug:ipsec_rcv: "
+			    "after <%s%s%s>, SA:%s:\n",
+			    TDB_XFORM_NAME(tdbp),
+			    sa_len ? sa : " (error)");
 		KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
 		
 		skb->protocol = htons(ETH_P_IP);
@@ -1203,7 +1238,7 @@
 					KLIPS_PRINT(debug_rcv,
 						    "klips_debug:ipsec_rcv: "
 						    "SA:%s, backpolicy does not agree with fwdpolicy.\n",
-						    sa);
+						    sa_len ? sa : " (error)");
 					if(stats) {
 						stats->rx_dropped++;
 					}
@@ -1212,7 +1247,7 @@
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
 					    "SA:%s, backpolicy agrees with fwdpolicy.\n",
-					    sa);
+					    sa_len ? sa : " (error)");
 				if(!(   (ipp->protocol == IPPROTO_AH  )
 					|| (ipp->protocol == IPPROTO_ESP )
 					|| (ipp->protocol == IPPROTO_IPIP)
@@ -1224,7 +1259,7 @@
 					KLIPS_PRINT(debug_rcv,
 						    "klips_debug:ipsec_rcv: "
 						    "packet with incomplete policy dropped, last successful SA:%s.\n",
-						    sa);
+						    sa_len ? sa : " (error)");
 					if(stats) {
 						stats->rx_dropped++;
 					}
@@ -1233,12 +1268,12 @@
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
 					    "SA:%s, Another IPSEC header to process.\n",
-					    sa);
+					    sa_len ? sa : " (error)");
 			} else {
 				KLIPS_PRINT(debug_rcv,
 					    "klips_debug:ipsec_rcv: "
 					    "No tdb_inext from this SA:%s.\n",
-					    sa);
+					    sa_len ? sa : " (error)");
 			}
 		}
 
@@ -1288,7 +1323,7 @@
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
 				    "SA:%s, Hey!  How did this get through?  Dropped.\n",
-				    sa);
+				    sa_len ? sa : " (error)");
 			if(stats) {
 				stats->rx_dropped++;
 			}
@@ -1296,12 +1331,14 @@
 		}
 		if(sysctl_ipsec_inbound_policy_check && (tdbnext = tdbp->tdb_inext)) {
 			char sa2[SATOA_BUF];
-			sa_len = satoa(tdbnext->tdb_said, 0, sa2, SATOA_BUF);
+			size_t sa_len2;
+			sa_len2 = satoa(tdbnext->tdb_said, 0, sa2, SATOA_BUF);
 			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
 				    "unexpected SA:%s after IPIP SA:%s\n",
-				    sa2, sa);
+				    sa_len2 ? sa2 : " (error)",
+				    sa_len ? sa : " (error)");
 			if(stats) {
 				stats->rx_dropped++;
 			}
@@ -1345,6 +1382,8 @@
 		policy_said = er->er_said;
 		policy_eaddr = er->er_eaddr;
 		policy_emask = er->er_emask;
+		er->er_count++;
+		er->er_lasttime = jiffies/HZ;
 	}
 	
 	spin_unlock(&eroute_lock);
@@ -1355,15 +1394,15 @@
 		 * accessing or deleting the tdb while we are using and
 		 * updating it.
 		 */
-		/* spin_lock(&tdb_lock); */
+		spin_lock(&tdb_lock);
 
 		policy_tdb = gettdb(&policy_said);
 		if (policy_tdb == NULL) {
-			/* spin_unlock(&tdb_lock); */
+			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
-				    "no Tunnel Descriptor Block for SA%s: "
-				    "incoming packet with no policy SA, dropped.\n", sa);
+				    "no Tunnel Descriptor Block for SA%s: incoming packet with no policy SA, dropped.\n",
+				    sa_len ? sa : " (error)");
 			goto rcvleave;
 		}
 		
@@ -1371,7 +1410,8 @@
 
 		KLIPS_PRINT(debug_rcv,
 			    "klips_debug:ipsec_rcv: "
-			    "found policy Tunnel Descriptor Block -- SA:%s\n", sa);
+			    "found policy Tunnel Descriptor Block -- SA:%s\n",
+			    sa_len ? sa : " (error)");
 		while(1) {
 			if(policy_tdb->tdb_inext) {
 				policy_tdb = policy_tdb->tdb_inext;
@@ -1380,11 +1420,11 @@
 			}
 		}
 		if(policy_tdb != tdbp) {
-			/* spin_unlock(&tdb_lock); */
+			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_rcv,
 				    "klips_debug:ipsec_rcv: "
-				    " Tunnel Descriptor Block for SA%s: "
-				    "incoming packet with different policy SA, dropped.\n", sa);
+				    "Tunnel Descriptor Block for SA%s: incoming packet with different policy SA, dropped.\n",
+				    sa_len ? sa : " (error)");
 			goto rcvleave;
 		}
 
@@ -1408,12 +1448,12 @@
 		}
 		
 		if(skb->len < iphlen) {
+			spin_unlock(&tdb_lock);
 			printk(KERN_WARNING "klips_debug:ipsec_rcv: "
-			       "tried to skb_pull iphlen=%d, %d available.  "
-			       "This should never happen, please report.\n",
-			       iphlen, (int)(skb->len));
+			       "tried to skb_pull iphlen=%d, %d available.  This should never happen, please report.\n",
+			       iphlen,
+			       (int)(skb->len));
 
-			spin_unlock(&tdb_lock);
 			goto rcvleave;
 		}
 		skb_pull(skb, iphlen);
@@ -1432,7 +1472,8 @@
 		skb->protocol = htons(ETH_P_IP);
 		skb->ip_summed = 0;
 		KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
-			    "klips_debug:ipsec_rcv: IPIP tunnel stripped.\n");
+			    "klips_debug:ipsec_rcv: "
+			    "IPIP tunnel stripped.\n");
 		KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
 	}
 
@@ -1469,7 +1510,10 @@
 			}
 			goto rcvleave;
 		}
-		/* XXX need a tdb for updating ratio counters XXX */
+		/*
+		  XXX need a TDB for updating ratio counters but it is not
+		  following policy anyways so it is not a priority
+		*/
 		skb = skb_decompress(skb, NULL, &flags);
 		if (!skb || flags) {
 			KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
@@ -1481,11 +1525,6 @@
 			}
 			goto rcvleave;
 		}
-#ifdef NET_21
-		ipp = skb->nh.iph;
-#else /* NET_21 */
-		ipp = skb->ip_hdr;
-#endif /* NET_21 */
 	}
 #endif /* CONFIG_IPSEC_IPCOMP */
 
@@ -1497,7 +1536,8 @@
 #endif /* CONFIG_NETFILTER_DEBUG */
 #endif /* SKB_RESET_NFCT */
 	KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
-		    "klips_debug:ipsec_rcv: netif_rx() called.\n");
+		    "klips_debug:ipsec_rcv: "
+		    "netif_rx() called.\n");
 	netif_rx(skb);
 
 	MOD_DEC_USE_COUNT;
@@ -1558,6 +1598,43 @@
 
 /*
  * $Log: ipsec_rcv.c,v $
+ * Revision 1.85  2001/05/30 08:14:02  rgb
+ * Removed vestiges of esp-null transforms.
+ *
+ * Revision 1.84  2001/05/27 06:12:11  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
+ * Revision 1.83  2001/05/04 16:45:47  rgb
+ * Remove unneeded code.  ipp is not used after this point.
+ *
+ * Revision 1.82  2001/05/04 16:36:00  rgb
+ * Fix skb_cow() call for 2.4.4. (SS)
+ *
+ * Revision 1.81  2001/05/02 14:46:53  rgb
+ * Fix typo for compiler directive to pull IPH back.
+ *
+ * Revision 1.80  2001/04/30 19:46:34  rgb
+ * Update for 2.4.4.  We now receive the skb with skb->data pointing to
+ * h.raw.
+ *
+ * Revision 1.79  2001/04/23 15:01:15  rgb
+ * Added spin_lock() check to prevent double-locking for multiple
+ * transforms and hence kernel lock-ups with SMP kernels.
+ * Minor spin_unlock() adjustments to unlock before non-dependant prints
+ * and IPSEC device stats updates.
+ *
+ * Revision 1.78  2001/04/21 23:04:24  rgb
+ * Check if soft expire has already been sent before sending another to
+ * prevent ACQUIRE flooding.
+ *
+ * Revision 1.77  2001/03/16 07:35:20  rgb
+ * Ditch extra #if 1 around now permanent policy checking code.
+ *
+ * Revision 1.76  2001/02/27 22:24:54  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
  * Revision 1.75  2001/02/19 22:28:30  rgb
  * Minor change to virtual device discovery code to assert which I/F has
  * been found.
@@ -1661,9 +1738,6 @@
  * Revision 1.51  2000/08/18 21:23:30  rgb
  * Improve bad padding warning so that the printk buffer doesn't get
  * trampled.
- *
- * Revision 1.50  2000/08/01 14:51:51  rgb
- * Removed _all_ remaining traces of DES.
  *
  * Revision 1.49  2000/07/28 13:50:53  rgb
  * Changed enet_statistics to net_device_stats and added back compatibility
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipsec_rcv.h freeswan-1.9/klips/net/ipsec/ipsec_rcv.h
--- freeswan-1.9.orig/klips/net/ipsec/ipsec_rcv.h	Thu Sep 21 00:34:21 2000
+++ freeswan-1.9/klips/net/ipsec/ipsec_rcv.h	Mon Jun  4 11:34:31 2001
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ipsec_rcv.h,v 1.11 2000/09/21 04:34:21 rgb Exp $
+ * RCSID $Id: ipsec_rcv.h,v 1.12 2001/03/16 07:36:44 rgb Exp $
  */
 
 #define DB_RX_PKTRX	0x0001
@@ -55,10 +55,13 @@
 extern int debug_rcv;
 #endif /* CONFIG_IPSEC_DEBUG */
 extern int sysctl_ipsec_inbound_policy_check;
-#endif __KERNEL__
+#endif /* __KERNEL__ */
 
 /*
  * $Log: ipsec_rcv.h,v $
+ * Revision 1.12  2001/03/16 07:36:44  rgb
+ * Fixed #endif comment to sate compiler.
+ *
  * Revision 1.11  2000/09/21 04:34:21  rgb
  * Moved declaration of sysctl_ipsec_inbound_policy_check outside
  * CONFIG_IPSEC_DEBUG. (MB)
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipsec_tunnel.c freeswan-1.9/klips/net/ipsec/ipsec_tunnel.c
--- freeswan-1.9.orig/klips/net/ipsec/ipsec_tunnel.c	Mon Feb 26 19:51:00 2001
+++ freeswan-1.9/klips/net/ipsec/ipsec_tunnel.c	Tue Jun 12 16:35:03 2001
@@ -14,7 +14,7 @@
  * for more details.
  */
 
-char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.137.2.1 2001/02/27 00:51:00 henry Exp $";
+char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.163 2001/06/06 20:28:51 rgb Exp $";
 
 #define __NO_VERSION__
 #include 
@@ -80,7 +80,7 @@
 #include 
 #ifdef NETDEV_23
 #include 
-#endif
+#endif /* NETDEV_23 */
 
 #include "radij.h"
 #include "ipsec_encap.h"
@@ -103,6 +103,7 @@
 #ifdef MSS_HACK
 #include 		/* TCP options */
 #endif	/* MSS_HACK */
+extern void des_cbc_encrypt(caddr_t, caddr_t, int, caddr_t, caddr_t, int);
 extern void des_ede3_cbc_encrypt(caddr_t, caddr_t, int, caddr_t, caddr_t, caddr_t, caddr_t, int);
 static __u32 zeroes[64];
 
@@ -112,8 +113,6 @@
 #endif /* CONFIG_IPSEC_DEBUG */
 
 int sysctl_ipsec_icmp = 0;
-int sysctl_ipsec_no_eroute_pass = 0;
-int sysctl_ipsec_opportunistic = 0;
 int sysctl_ipsec_tos = 0;
 
 #ifdef CONFIG_IPSEC_DEBUG_
@@ -124,7 +123,10 @@
 	unsigned char *b = bb;
   
 	if (debug_tunnel) {
-		printk(KERN_INFO "klips_debug:ipsec_tunnel_:at %s, len=%d:", s, len);
+		printk(KERN_INFO "klips_debug:ipsec_tunnel_:dmp: "
+		       "at %s, len=%d:",
+		       s,
+		       len);
 		for (i=0; i < len; i++) {
 			if(!(i%16)){
 				printk("\nklips_debug:  ");
@@ -152,9 +154,11 @@
 	 *	Do sanity checking
 	 */
 	if((headroom < 0) || (tailroom < 0) || ((headroom+tailroom) < 0)) {
-		printk(KERN_WARNING "klips_error:skb_copy_expand: "
+		printk(KERN_WARNING
+		       "klips_error:skb_copy_expand: "
 		       "Illegal negative head,tailroom %d,%d\n",
-		       headroom, tailroom);
+		       headroom,
+		       tailroom);
 		return NULL;
 	}
 	/*
@@ -192,9 +196,9 @@
 	/* Set the tail pointer and length */
 	if(skb_tailroom(n) < skb->len) {
 		printk(KERN_WARNING "klips_error:skb_copy_expand: "
-		       "tried to skb_put %ld, %d available.  "
-		       "This should never happen, please report.\n",
-		       (unsigned long int)skb->len, skb_tailroom(n));
+		       "tried to skb_put %ld, %d available.  This should never happen, please report.\n",
+		       (unsigned long int)skb->len,
+		       skb_tailroom(n));
 		dev_kfree_skb(n, FREE_WRITE);
 		return NULL;
 	}
@@ -243,7 +247,9 @@
 	if(skb->mac.raw) 
 		n->mac.raw=skb->mac.raw+offset;
 	memcpy(n->proto_priv, skb->proto_priv, sizeof(skb->proto_priv));
+#ifndef NETDEV_23
 	n->used=skb->used;
+#endif /* !NETDEV_23 */
 	n->pkt_type=skb->pkt_type;
 	n->stamp=skb->stamp;
 	
@@ -265,11 +271,15 @@
 	printk(" ver:%d", ip->version);
 	printk(" tos:%d", ip->tos);
 	printk(" tlen:%d", ntohs(ip->tot_len));
-	printk(" id:%d", ip->id);
-	printk(" frag_off:%d", ip->frag_off);
+	printk(" id:%d", ntohs(ip->id));
+	printk(" %s%s%sfrag_off:%d",
+               ip->frag_off & __constant_htons(IP_CE) ? "CE " : "",
+               ip->frag_off & __constant_htons(IP_DF) ? "DF " : "",
+               ip->frag_off & __constant_htons(IP_MF) ? "MF " : "",
+               (ntohs(ip->frag_off) & IP_OFFSET) << 3);
 	printk(" ttl:%d", ip->ttl);
 	printk(" proto:%d", ip->protocol);
-	printk(" chk:%d", ip->check);
+	printk(" chk:%d", ntohs(ip->check));
 	addrtoa(*((struct in_addr*)(&ip->saddr)), 0, buf, sizeof(buf));
 	printk(" saddr:%s", buf);
 	addrtoa(*((struct in_addr*)(&ip->daddr)), 0, buf, sizeof(buf));
@@ -283,7 +293,8 @@
 		c = ((__u8*)ip) + ip->ihl*4;
 		for(i = 0; i < ntohs(ip->tot_len) - ip->ihl*4; i++ /*, c++*/) {
 			if(!(i % 16)) {
-				printk(KERN_INFO "klips_debug:   @%03x:",
+				printk(KERN_INFO
+				       "klips_debug:   @%03x:",
 				       i);
 			}
 			printk(" %02x", /***/c[i]);
@@ -303,6 +314,7 @@
  *	Locking
  */
  
+#if 0
 DEBUG_NO_STATIC int
 ipsec_tunnel_lock(struct ipsecpriv *prv)
 {
@@ -322,13 +334,16 @@
 	restore_flags(flags);
 	return 1;
 }
+#endif
 
+#if 0
 DEBUG_NO_STATIC void
 ipsec_tunnel_unlock(struct ipsecpriv *prv)
 {
 	prv->locked=0;
 	wake_up(&prv->wait_queue);
 }
+#endif
 #endif /* REAL_LOCKING_P */
 
 DEBUG_NO_STATIC int
@@ -434,9 +449,6 @@
 	__u32   newsrc;			/* The new source SG's IP address */
 	__u32	orgsrc;			/* Original IP source address */
 	__u32	innersrc;		/* Innermost IP source address */
-#ifdef NETDEV_23
-	__u32	route_saddr;		/* source IP used in route lookup */
-#endif /* NETDEV_23 */
 	int	iphlen;			/* IP header length */
 	int	pyldsz;			/* upper protocol payload size */
 	int	headroom;
@@ -464,6 +476,11 @@
 	struct rtable *rt = NULL;
 #endif /* NET_21 */
 	struct sa_id outgoing_said;
+#ifdef NET_21
+	int pass = 0;
+#endif /* NET_21 */
+	int error = 0;
+	uint32_t eroute_pid = 0;
 
 	/*
 	 *	Return if there is nothing to do.  (Does this ever happen?) XXX
@@ -506,10 +523,17 @@
 	   tcpdump being momentarily attached to the interface), make
 	   a copy of our own to modify */
 	if(skb_cloned(skb)) {
-		if ((skb = skb_cow(skb, skb_headroom(skb))) == NULL) {
+		if
+#ifdef SKB_COW_NEW
+	       (skb_cow(skb, skb_headroom(skb)) != 0)
+#else /* SKB_COW_NEW */
+	       ((skb = skb_cow(skb, skb_headroom(skb))) == NULL)
+#endif /* SKB_COW_NEW */
+		{
 			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 		        	    "klips_error:ipsec_tunnel_start_xmit: "
 				    "skb_cow failed to allocate buffer, dropping.\n" );
+			stats->tx_dropped++;
 			goto cleanup;
 		}
 	}
@@ -572,8 +596,7 @@
 	if ((iph->ihl << 2) != sizeof (struct iphdr)) {
 		KLIPS_PRINT(debug_tunnel,
 			    "klips_debug:ipsec_tunnel_start_xmit: "
-			    "cannot process IP header options yet.  "
-			    "May be mal-formed packet.\n"); /* XXX */
+			    "cannot process IP header options yet.  May be mal-formed packet.\n"); /* XXX */
 		stats->tx_dropped++;
 		goto cleanup;
 	}
@@ -623,6 +646,9 @@
 	er = ipsec_findroute(&matcher);
 	if(er) {
 		outgoing_said = er->er_said;
+		eroute_pid = er->er_pid;
+		er->er_count++;
+		er->er_lasttime = jiffies/HZ;
 	}
 
 	spin_unlock(&eroute_lock);
@@ -632,24 +658,19 @@
 	 * without interference since it is most likely an IKE packet.
 	 */
 	if((ip_chk_addr((unsigned long)iph->saddr) == IS_MYADDR)
-	   && ((!er) || (iph->daddr == outgoing_said.dst.s_addr))) {
-		if(iph->protocol == IPPROTO_UDP) {
-			struct udphdr *udph = (struct udphdr*)((caddr_t)iph + (iph->ihl << 2));
-			if(ntohs(udph->dest) == 500) {
+	   && ((!er)
+	       || (iph->daddr == outgoing_said.dst.s_addr)
+	       || (INADDR_ANY == outgoing_said.dst.s_addr))
+	   && (iph->protocol == IPPROTO_UDP)
+	   && (ntohs(((struct udphdr*)((caddr_t)iph + (iph->ihl << 2)))->dest) == 500)) {
+#ifdef NET_21
+		pass = 1;
+#endif /* NET_21 */
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_tunnel_start_xmit: "
 					    "udp/500 IKE packet, sending unprocessed, "
 					    "calling dev_queue_xmit\n"); 
-#if 1
 				goto bypass;
-#else
-				DEV_QUEUE_XMIT(skb, physdev, SOPRI_NORMAL);
-				/* IP_SEND(skb, physdev); */
-				skb = NULL;
-				goto cleanup;
-#endif
-			}
-		}
 	}
 
 	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
@@ -660,6 +681,8 @@
 	innersrc = iph->saddr;
 	/* start encapsulation loop here XXX */
 	do {
+		struct tdb *tdbprev = NULL;
+
 		newdst = orgdst = iph->daddr;
 		newsrc = orgsrc = iph->saddr;
 		orgedst = outgoing_said.dst.s_addr;
@@ -667,26 +690,55 @@
 		pyldsz = ntohs(iph->tot_len) - iphlen;
 		max_headroom = max_tailroom = 0;
 		
-		if (er == NULL)	{
-			if(sysctl_ipsec_no_eroute_pass) {
+		if(er == NULL || (outgoing_said.proto==IPPROTO_INT
+				  && outgoing_said.spi==htonl(SPI_DROP))) {
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_tunnel_start_xmit: "
-					    "no eroute!: calling dev_queue_xmit\n");
-#if 1
+				    "shunt SA of DROP or no eroute: dropping.\n");
+			stats->tx_dropped++;
+			goto cleanup;
+		}
+		
+		if(outgoing_said.proto==IPPROTO_INT
+		   && outgoing_said.spi==htonl(SPI_REJECT)) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_tunnel_start_xmit: "
+				    "shunt SA of REJECT: notifying when coded... and dropping.\n");
+			stats->tx_dropped++;
+			goto cleanup;
+		}
+		
+		if(outgoing_said.proto==IPPROTO_INT
+		   && outgoing_said.spi==htonl(SPI_PASS)) {
+#ifdef NET_21
+			pass = 1;
+#endif /* NET_21 */
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_tunnel_start_xmit: "
+				    "shunt SA of PASS: calling dev_queue_xmit\n");
 				goto bypass;
-#else
-				DEV_QUEUE_XMIT(skb, physdev, SOPRI_NORMAL);
-				/* IP_SEND(skb, physdev); */
-				skb = NULL;
-#endif
-			} else {
-				if(sysctl_ipsec_opportunistic && !er) {
+		}
+
+		if(outgoing_said.proto==IPPROTO_INT
+		   && outgoing_said.spi==htonl(SPI_HOLD)) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_tunnel_start_xmit: "
+				    "shunt SA of HOLD: will stash when coded..., dropping for now.\n");
+			stats->tx_dropped++;
+			goto cleanup;
+		}
+		
+		if(outgoing_said.proto==IPPROTO_INT
+		   && outgoing_said.spi==htonl(SPI_TRAP)) {
 					struct tdb tdb;
 					struct sockaddr_in src, dst;
 #ifdef CONFIG_IPSEC_DEBUG
 					char bufsrc[ADDRTOA_BUF], bufdst[ADDRTOA_BUF];
 #endif /* CONFIG_IPSEC_DEBUG */
+			struct eroute hold_eroute;
+			struct sa_id hold_said;
 					
+			/* Signal all listening KMds with a PF_KEY ACQUIRE */
 					tdb.tdb_said.proto = iph->protocol;
 					src.sin_family = AF_INET;
 					dst.sin_family = AF_INET;
@@ -723,41 +775,106 @@
 						    ((struct sockaddr_in*)(tdb.tdb_addr_d))->sin_port,
 						    tdb.tdb_said.proto);
 					pfkey_acquire(&tdb);
-				} else {
-					KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+
+			/* install HOLD eroute */
+			memset((caddr_t)&hold_eroute, 0, sizeof(hold_eroute));
+			memset((caddr_t)&hold_said, 0, sizeof(hold_said));
+
+			hold_said.proto = IPPROTO_INT;
+			hold_said.spi = htonl(SPI_HOLD);
+			hold_said.dst.s_addr = 0L;
+
+			hold_eroute.er_eaddr.sen_len = sizeof(struct sockaddr_encap);
+			hold_eroute.er_emask.sen_len = sizeof(struct sockaddr_encap);
+			hold_eroute.er_eaddr.sen_family = AF_ENCAP;
+			hold_eroute.er_emask.sen_family = AF_ENCAP;
+			hold_eroute.er_eaddr.sen_type = SENT_IP4;
+			hold_eroute.er_emask.sen_type = 255;
+
+			hold_eroute.er_eaddr.sen_ip_src.s_addr = iph->saddr;
+			hold_eroute.er_eaddr.sen_ip_dst.s_addr = iph->daddr;
+			hold_eroute.er_emask.sen_ip_src.s_addr = INADDR_BROADCAST;
+			hold_eroute.er_emask.sen_ip_dst.s_addr = INADDR_BROADCAST;
+			
+			hold_eroute.er_pid = eroute_pid;
+			hold_eroute.er_count = 0;
+			hold_eroute.er_lasttime = jiffies/HZ;
+
+#ifdef IPSEC_CONFIG_FULL_SELECTOR_LIST
+			/* These are ficticious.  Don't uncomment these until
+			   proto, sport and dport exist in the SPDB */
+			hold_eroute.er_proto = iph->protocol;
+			hold_eroute.er_src_port = 
+				(iph->protocol == IPPROTO_UDP
+				 ? ((struct udphdr*) (((caddr_t)iph) + (iph->ihl << 2)))->source
+				 : (iph->protocol == IPPROTO_TCP
+				    ? ((struct tcphdr*)((caddr_t)iph + (iph->ihl << 2)))->source
+				    : 0));
+			hold_eroute.er_dst_port = 
+				(iph->protocol == IPPROTO_UDP
+				 ? ((struct udphdr*) (((caddr_t)iph) + (iph->ihl << 2)))->dest
+				 : (iph->protocol == IPPROTO_TCP
+				    ? ((struct tcphdr*)((caddr_t)iph + (iph->ihl << 2)))->dest
+				    : 0));
+#endif /* IPSEC_CONFIG_FULL_SELECTOR_LIST */
+
+#ifdef CONFIG_IPSEC_DEBUG
+			if (debug_pfkey) {
+				char buf1[64], buf2[64];
+				subnettoa(hold_eroute.er_eaddr.sen_ip_src,
+					  hold_eroute.er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
+				subnettoa(hold_eroute.er_eaddr.sen_ip_dst,
+					  hold_eroute.er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
+				KLIPS_PRINT(debug_pfkey,
 						    "klips_debug:ipsec_tunnel_start_xmit: "
-						    "no eroute!: dropping.\n");
-					stats->tx_dropped++;
+					    "calling breakeroute and makeroute for %s->%s HOLD eroute.\n",
+					    buf1, buf2);
 				}
-			}
-			goto cleanup;
+#endif /* CONFIG_IPSEC_DEBUG */
+			if (!(ipsec_breakroute(&(hold_eroute.er_eaddr),
+						      &(hold_eroute.er_emask)) == EINVAL)) {
+				KLIPS_PRINT(debug_pfkey,
+					    "klips_debug:ipsec_tunnel_start_xmit: "
+					    "breakeroute should have failed.\n");
+				/* SENDERR(-error); */
+			} else {
+				KLIPS_PRINT(debug_pfkey,
+					    "klips_debug:ipsec_tunnel_start_xmit: "
+					    "HOLD breakeroute found nothing as expected.\n");
 		}
 		
-		/*
-		  If the packet matches an eroute with an SA.proto of IP
-		  tunnelling and 
-		  an SA.spi of '0', then forward the packet unprotected.
-		  XXX -- This should eventually go into an SPD. 
-		*/
-		if((outgoing_said.proto == IPPROTO_IPIP) && (outgoing_said.spi == 0)) {
-			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			if ((error = ipsec_makeroute(&(hold_eroute.er_eaddr),
+						     &(hold_eroute.er_emask),
+						     hold_said,
+						     eroute_pid))) {
+				KLIPS_PRINT(debug_pfkey,
 				    "klips_debug:ipsec_tunnel_start_xmit: "
-				    "passthrough eroute, packet sent.\n");
-#if 1
-			goto bypass;
-#else
-			DEV_QUEUE_XMIT(skb, physdev, SOPRI_NORMAL);
-			/* IP_SEND(skb, physdev); */
-			skb = NULL;
+					    "HOLD makeroute returned %d, failed.\n", error);
+				/* SENDERR(-error); */
+			} else {
+				KLIPS_PRINT(debug_pfkey,
+					    "klips_debug:ipsec_tunnel_start_xmit: "
+					    "HOLD makeroute call successful.\n");
+			}
+			
 			goto cleanup;
-#endif
 		}
 		
 		/*
-		 * The spinlock is to prevent any other process from accessing or deleting
-		 * the tdb while we are using and updating it.
+		  The spinlock is to prevent any other process from
+		  accessing or deleting the TDB hash table or any of the
+		  TDBs while we are using and updating them.
+		  
+		  This is not optimal, but was relatively straightforward
+		  at the time.  A better way to do it has been planned for
+		  more than a year, to lock the hash table and put reference
+		  counts on each TDB instead.  This is not likely to happen
+		  in KLIPS1 unless a volunteer contributes it, but will be
+		  designed into KLIPS2.
 		 */
+		if(tdbprev == NULL) {
 		spin_lock(&tdb_lock);
+		}
 
 		tdbp = gettdb(&outgoing_said);
 		sa_len = satoa(outgoing_said, 0, sa, SATOA_BUF);
@@ -766,8 +883,8 @@
 			spin_unlock(&tdb_lock);
 			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 				    "klips_debug:ipsec_tunnel_start_xmit: "
-				    "no Tunnel Descriptor Block for SA%s: "
-				    "outgoing packet with no SA, dropped.\n", sa);
+				    "no Tunnel Descriptor Block for SA%s: outgoing packet with no SA, dropped.\n",
+				    sa_len ? sa : " (error)");
 			stats->tx_dropped++;
 			goto cleanup;
 		}
@@ -775,7 +892,8 @@
 		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 			    "klips_debug:ipsec_tunnel_start_xmit: "
 			    "found Tunnel Descriptor Block -- SA:<%s%s%s> %s\n",
-			    TDB_XFORM_NAME(tdbp), sa);
+			    TDB_XFORM_NAME(tdbp),
+			    sa_len ? sa : " (error)");
 		
 		/*
 		 * How much headroom do we need to be able to apply
@@ -789,9 +907,9 @@
 			if(tdbp->tdb_state == SADB_SASTATE_LARVAL) {
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_tunnel_start_xmit: "
-					    "TDB in larval state for SA:<%s%s%s> %s, "
-					    "cannot be used yet, dropping packet.\n",
-					    TDB_XFORM_NAME(tdbp), sa);
+					    "TDB in larval state for SA:<%s%s%s> %s, cannot be used yet, dropping packet.\n",
+					    TDB_XFORM_NAME(tdbp),
+					    sa_len ? sa : " (error)");
 				spin_unlock(&tdb_lock);
 				stats->tx_errors++;
 				goto cleanup;
@@ -800,9 +918,9 @@
 			if(tdbp->tdb_state == SADB_SASTATE_DEAD) {
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_tunnel_start_xmit: "
-					    "TDB in dead state for SA:<%s%s%s> %s, "
-					    "can no longer be used, dropping packet.\n",
-					    TDB_XFORM_NAME(tdbp), sa);
+					    "TDB in dead state for SA:<%s%s%s> %s, can no longer be used, dropping packet.\n",
+					    TDB_XFORM_NAME(tdbp),
+					    sa_len ? sa : " (error)");
 				spin_unlock(&tdb_lock);
 				stats->tx_errors++;
 				goto cleanup;
@@ -813,9 +931,9 @@
 				pfkey_expire(tdbp, 1);
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_tunnel_start_xmit: "
-					    "replay window counter rolled for SA:<%s%s%s> %s, "
-					    "packet dropped, expiring SA.\n",
-					    TDB_XFORM_NAME(tdbp), sa);
+					    "replay window counter rolled for SA:<%s%s%s> %s, packet dropped, expiring SA.\n",
+					    TDB_XFORM_NAME(tdbp),
+					    sa_len ? sa : " (error)");
 				deltdbchain(tdbp);
 				spin_unlock(&tdb_lock);
 				stats->tx_errors++;
@@ -828,9 +946,9 @@
 				pfkey_expire(tdbp, 1);
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_tunnel_start_xmit: "
-					    "hard bytes lifetime of SA:<%s%s%s> %s has been reached, "
-					    "SA expired, outgoing packet dropped.\n",
-					    TDB_XFORM_NAME(tdbp), sa);
+					    "hard bytes lifetime of SA:<%s%s%s> %s has been reached, SA expired, outgoing packet dropped.\n",
+					    TDB_XFORM_NAME(tdbp),
+					    sa_len ? sa : " (error)");
 				deltdbchain(tdbp);
 				spin_unlock(&tdb_lock);
 				stats->tx_errors++;
@@ -838,14 +956,15 @@
 			}
 			if(tdbp->tdb_lifetime_bytes_s &&
 			   (tdbp->tdb_lifetime_bytes_c > tdbp->tdb_lifetime_bytes_s)) {
+				if(tdbp->tdb_state != SADB_SASTATE_DYING) {
 				pfkey_expire(tdbp, 0);
+				}
 				tdbp->tdb_state = SADB_SASTATE_DYING;
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_tunnel_start_xmit: "
-					    "soft bytes lifetime of SA:<%s%s%s> %s has been reached, "
-					    "SA expiring, soft expire message sent up, "
-					    "outgoing packet still processed.\n",
-					    TDB_XFORM_NAME(tdbp), sa);
+					    "soft bytes lifetime of SA:<%s%s%s> %s has been reached, SA expiring, soft expire message sent up, outgoing packet still processed.\n",
+					    TDB_XFORM_NAME(tdbp),
+					    sa_len ? sa : " (error)");
 			}
 
 			if(tdbp->tdb_lifetime_addtime_h &&
@@ -854,9 +973,9 @@
 				pfkey_expire(tdbp, 1);
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_tunnel_start_xmit: "
-					    "hard addtime lifetime of SA:<%s%s%s> %s has been reached, "
-					    "SA expired, outgoing packet dropped.\n",
-					    TDB_XFORM_NAME(tdbp), sa);
+					    "hard addtime lifetime of SA:<%s%s%s> %s has been reached, SA expired, outgoing packet dropped.\n",
+					    TDB_XFORM_NAME(tdbp),
+					    sa_len ? sa : " (error)");
 				deltdbchain(tdbp);
 				spin_unlock(&tdb_lock);
 				stats->tx_errors++;
@@ -865,14 +984,15 @@
 			if(tdbp->tdb_lifetime_addtime_s &&
 			   ((jiffies / HZ) - tdbp->tdb_lifetime_addtime_c >
 			    tdbp->tdb_lifetime_addtime_s)) {
+				if(tdbp->tdb_state != SADB_SASTATE_DYING) {
 				pfkey_expire(tdbp, 0);
+				}
 				tdbp->tdb_state = SADB_SASTATE_DYING;
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_tunnel_start_xmit: "
-					    "soft addtime lifetime of SA:<%s%s%s> %s has been reached, "
-					    "SA expiring, soft expire message sent up, "
-					    "outgoing packet still processed.\n",
-					    TDB_XFORM_NAME(tdbp), sa);
+					    "soft addtime lifetime of SA:<%s%s%s> %s has been reached, SA expiring, soft expire message sent up, outgoing packet still processed.\n",
+					    TDB_XFORM_NAME(tdbp),
+					    sa_len ? sa : " (error)");
 			}
 
 			if(tdbp->tdb_lifetime_usetime_c) {
@@ -882,9 +1002,9 @@
 					pfkey_expire(tdbp, 1);
 					KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 						    "klips_debug:ipsec_tunnel_start_xmit: "
-						    "hard usetime lifetime of SA:<%s%s%s> %s has been reached, "
-						    "SA expired, outgoing packet dropped.\n",
-						    TDB_XFORM_NAME(tdbp), sa);
+						    "hard usetime lifetime of SA:<%s%s%s> %s has been reached, SA expired, outgoing packet dropped.\n",
+						    TDB_XFORM_NAME(tdbp),
+						    sa_len ? sa : " (error)");
 					deltdbchain(tdbp);
 					spin_unlock(&tdb_lock);
 					stats->tx_errors++;
@@ -893,14 +1013,15 @@
 				if(tdbp->tdb_lifetime_usetime_s &&
 				   ((jiffies / HZ) - tdbp->tdb_lifetime_usetime_c >
 				    tdbp->tdb_lifetime_usetime_s)) {
+					if(tdbp->tdb_state != SADB_SASTATE_DYING) {
 					pfkey_expire(tdbp, 0);
+					}
 					tdbp->tdb_state = SADB_SASTATE_DYING;
 					KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 						    "klips_debug:ipsec_tunnel_start_xmit: "
-						    "soft usetime lifetime of SA:<%s%s%s> %s has been reached, "
-						    "SA expiring, soft expire message sent up, "
-						    "outgoing packet still processed.\n",
-						    TDB_XFORM_NAME(tdbp), sa);
+						    "soft usetime lifetime of SA:<%s%s%s> %s has been reached, SA expiring, soft expire message sent up, outgoing packet still processed.\n",
+						    TDB_XFORM_NAME(tdbp),
+						    sa_len ? sa : " (error)");
 				}
 			}
 
@@ -909,9 +1030,9 @@
 				pfkey_expire(tdbp, 1);
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_tunnel_start_xmit: "
-					    "hard packets lifetime of SA:<%s%s%s> %s has been reached, "
-					    "SA expired, outgoing packet dropped.\n",
-					    TDB_XFORM_NAME(tdbp), sa);
+					    "hard packets lifetime of SA:<%s%s%s> %s has been reached, SA expired, outgoing packet dropped.\n",
+					    TDB_XFORM_NAME(tdbp),
+					    sa_len ? sa : " (error)");
 				deltdbchain(tdbp);
 				spin_unlock(&tdb_lock);
 				stats->tx_errors++;
@@ -919,21 +1040,23 @@
 			}
 			if(tdbp->tdb_lifetime_packets_s &&
 			   (tdbp->tdb_lifetime_packets_c > tdbp->tdb_lifetime_packets_s)) {
+				if(tdbp->tdb_state != SADB_SASTATE_DYING) {
 				pfkey_expire(tdbp, 0);
+				}
 				tdbp->tdb_state = SADB_SASTATE_DYING;
 				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 					    "klips_debug:ipsec_tunnel_start_xmit: "
-					    "soft packets lifetime of SA:<%s%s%s> %s has been reached, "
-					    "SA expiring, soft expire message sent up, "
-					    "outgoing packet still processed.\n",
-					    TDB_XFORM_NAME(tdbp), sa);
+					    "soft packets lifetime of SA:<%s%s%s> %s has been reached, SA expiring, soft expire message sent up, outgoing packet still processed.\n",
+					    TDB_XFORM_NAME(tdbp),
+					    sa_len ? sa : " (error)");
 			}
 
 			headroom = tailroom = 0;
 			KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
 				    "klips_debug:ipsec_tunnel_start_xmit: "
 				    "calling room for <%s%s%s>, SA:%s\n", 
-				    TDB_XFORM_NAME(tdbp), sa);
+				    TDB_XFORM_NAME(tdbp),
+				    sa_len ? sa : " (error)");
 			switch(tdbp->tdb_said.proto) {
 #ifdef CONFIG_IPSEC_AH
 			case IPPROTO_AH:
@@ -943,16 +1066,16 @@
 #ifdef CONFIG_IPSEC_ESP
 			case IPPROTO_ESP:
 				switch(tdbp->tdb_encalg) {
+#ifdef CONFIG_IPSEC_ENC_DES
+				case ESP_DES:
+					headroom += sizeof(struct esp);
+					break;
+#endif /* CONFIG_IPSEC_ENC_DES */
 #ifdef CONFIG_IPSEC_ENC_3DES
 				case ESP_3DES:
 					headroom += sizeof(struct esp);
 					break;
 #endif /* CONFIG_IPSEC_ENC_3DES */
-#ifdef CONFIG_IPSEC_ENC_NULL
-				case ESP_NULL:
-					headroom += offsetof(struct esp, esp_iv);
-					break;
-#endif /* CONFIG_IPSEC_ENC_NULL */
 				default:
 					spin_unlock(&tdb_lock);
 					stats->tx_errors++;
@@ -1019,8 +1142,7 @@
 		
 		KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
 			    "klips_debug:ipsec_tunnel_start_xmit: "
-			    "existing head,tailroom: %d,%d "
-			    "before applying xforms with head,tailroom: %d,%d .\n",
+			    "existing head,tailroom: %d,%d before applying xforms with head,tailroom: %d,%d .\n",
 			    skb_headroom(skb), skb_tailroom(skb),
 			    max_headroom, max_tailroom);
 		
@@ -1030,18 +1152,21 @@
 		mtudiff = prv->mtu + tot_headroom + tot_tailroom - physmtu;
 
 		KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
-			    "klips_debug:ipsec_tunnel_start_xmit: mtu:%d physmtu:%d "
-			    "tothr:%d tottr:%d mtudiff:%d ippkttotlen:%d\n",
+			    "klips_debug:ipsec_tunnel_start_xmit: "
+			    "mtu:%d physmtu:%d tothr:%d tottr:%d mtudiff:%d ippkttotlen:%d\n",
 			    prv->mtu, physmtu,
 			    tot_headroom, tot_tailroom, mtudiff, ntohs(iph->tot_len));
 		if(mtudiff > 0) {
+			int newmtu = physmtu - (tot_headroom + ((tot_tailroom + 2) & ~7) + 5);
+
 			KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
 				    "klips_info:ipsec_tunnel_start_xmit: "
-				    "dev %s mtu of %d decreased by %d\n",
+				    "dev %s mtu of %d decreased by %d to %d\n",
 				    dev->name,
 				    prv->mtu,
-				    prv->mtu - (physmtu - tot_headroom - tot_tailroom));
-			prv->mtu = physmtu - (tot_headroom + tot_tailroom + 7);	/* add some slop? */
+				    prv->mtu - newmtu,
+				    newmtu);
+			prv->mtu = newmtu;
 #ifdef NET_21
 #if 0
 			skb->dst->pmtu = prv->mtu; /* RGB */
@@ -1053,6 +1178,34 @@
 #endif /* NET_21 */
 		}
 		
+		/* If the sender is doing PMTU discovery, and the packet doesn't fit within
+		 * prv->mtu, notify him (unless it was an ICMP packet) and drop it.
+		 * Note: buggy firewall configuration may prevent the ICMP packet from getting back.
+		 * Note2: Linux 2.4.x is trying to do PMTU discovery on ICMP packets, but this seems
+		 * bogus, and should be fixed in the kernel.
+		 */
+		if (iph->frag_off & __constant_htons(IP_DF)
+			&& prv->mtu < ntohs(iph->tot_len))
+		{
+			int notify = iph->protocol != IPPROTO_ICMP
+				     && (iph->frag_off & __constant_htons(IP_OFFSET)) == 0;
+
+			spin_unlock(&tdb_lock);
+			KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+				    "klips_debug:ipsec_tunnel_start_xmit: "
+				    "fragmentation needed and DF set; %sdropping packet\n",
+				    notify ? "sending ICMP and " : "");
+			if (notify)
+				ICMP_SEND(skb,
+					  ICMP_DEST_UNREACH,
+					  ICMP_FRAG_NEEDED,
+					  prv->mtu,
+					  physdev);
+			stats->tx_dropped++;
+			goto cleanup;
+		}
+
+		
 #ifdef MSS_HACK
 		/*
 		 * If this is a transport mode TCP packet with
@@ -1065,7 +1218,8 @@
 			if (tcph->syn && !tcph->ack) {
 				if(!ipsec_adjust_mss(skb, tcph, prv->mtu)) {
 					spin_unlock(&tdb_lock);
-					printk(KERN_WARNING "klips: "
+					printk(KERN_WARNING
+					       "klips_warning:ipsec_tunnel_start_xmit: "
 					       "ipsec_adjust_mss() failed\n");
 					stats->tx_errors++;
 					goto cleanup;
@@ -1077,8 +1231,8 @@
 		if(!hard_header_stripped) {
 			if((saved_header = kmalloc(hard_header_len, GFP_ATOMIC)) == NULL) {
 				spin_unlock(&tdb_lock);
-				printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: Failed, "
-				       "tried to allocate %d bytes for temp hard_header.\n", 
+				printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: "
+				       "Failed, tried to allocate %d bytes for temp hard_header.\n", 
 				       hard_header_len);
 				stats->tx_errors++;
 				goto cleanup;
@@ -1089,8 +1243,7 @@
 			if(skb->len < hard_header_len) {
 				spin_unlock(&tdb_lock);
 				printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
-				       "tried to skb_pull hhlen=%d, %d available.  "
-				       "This should never happen, please report.\n",
+				       "tried to skb_pull hhlen=%d, %d available.  This should never happen, please report.\n",
 				       hard_header_len, (int)(skb->len));
 				stats->tx_errors++;
 				goto cleanup;
@@ -1144,8 +1297,9 @@
 			skb = tskb;
 			if (!skb) {
 				spin_unlock(&tdb_lock);
-				printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: Failed, "
-				       "tried to allocate %d head and %d tailroom\n", 
+				printk(KERN_WARNING
+				       "klips_debug:ipsec_tunnel_start_xmit: "
+				       "Failed, tried to allocate %d head and %d tailroom\n", 
 				       max_headroom, max_tailroom);
 				stats->tx_errors++;
 				goto cleanup;
@@ -1190,7 +1344,8 @@
 			KLIPS_PRINT(debug_tunnel & DB_TN_OXFS,
 				    "klips_debug:ipsec_tunnel_start_xmit: "
 				    "calling output for <%s%s%s>, SA:%s\n", 
-				    TDB_XFORM_NAME(tdbp), sa);
+				    TDB_XFORM_NAME(tdbp),
+				    sa_len ? sa : " (error)");
 			
 			switch(tdbp->tdb_said.proto) {
 #ifdef CONFIG_IPSEC_AH
@@ -1201,16 +1356,16 @@
 #ifdef CONFIG_IPSEC_ESP
 			case IPPROTO_ESP:
 				switch(tdbp->tdb_encalg) {
+#ifdef CONFIG_IPSEC_ENC_DES
+				case ESP_DES:
+					headroom += sizeof(struct esp);
+					break;
+#endif /* CONFIG_IPSEC_ENC_DES */
 #ifdef CONFIG_IPSEC_ENC_3DES
 				case ESP_3DES:
 					headroom += sizeof(struct esp);
 					break;
 #endif /* CONFIG_IPSEC_ENC_3DES */
-#ifdef CONFIG_IPSEC_ENC_NULL
-				case ESP_NULL:
-					headroom += offsetof(struct esp, esp_iv);
-					break;
-#endif /* CONFIG_IPSEC_ENC_NULL */
 				default:
 					spin_unlock(&tdb_lock);
 					stats->tx_errors++;
@@ -1259,9 +1414,9 @@
 				    headroom, tailroom, tdbp->tdb_said.proto);
 			if(skb_headroom(skb) < headroom) {
 				spin_unlock(&tdb_lock);
-				printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
-				       "tried to skb_push headroom=%d, %d available.  "
-				       "This should never happen, please report.\n",
+				printk(KERN_WARNING
+				       "klips_error:ipsec_tunnel_start_xmit: "
+				       "tried to skb_push headroom=%d, %d available.  This should never happen, please report.\n",
 				       headroom, skb_headroom(skb));
 				stats->tx_errors++;
 				goto cleanup;
@@ -1270,9 +1425,9 @@
 			ilen = skb->len - tailroom;
 			if(skb_tailroom(skb) < tailroom) {
 				spin_unlock(&tdb_lock);
-				printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
-				       "tried to skb_put %d, %d available.  "
-				       "This should never happen, please report.\n",
+				printk(KERN_WARNING
+				       "klips_error:ipsec_tunnel_start_xmit: "
+				       "tried to skb_put %d, %d available.  This should never happen, please report.\n",
 				       tailroom, skb_tailroom(skb));
 				stats->tx_errors++;
 				goto cleanup;
@@ -1286,8 +1441,7 @@
 			if(len > 0xfff0) {
 				spin_unlock(&tdb_lock);
 				printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
-				       "tot_len (%d) > 65520.  "
-				       "This should never happen, please report.\n",
+				       "tot_len (%d) > 65520.  This should never happen, please report.\n",
 				       len);
 				stats->tx_errors++;
 				goto cleanup;
@@ -1304,20 +1458,19 @@
 				espp->esp_rpl = htonl(++(tdbp->tdb_replaywin_lastseq));
 				
 				switch(tdbp->tdb_encalg) {
-#if defined(CONFIG_IPSEC_ENC_3DES)
+#if defined(CONFIG_IPSEC_ENC_DES) || defined(CONFIG_IPSEC_ENC_3DES)
 #ifdef CONFIG_IPSEC_ENC_3DES
-				case ESP_3DES:
+				case ESP_DES:
 #endif /* CONFIG_IPSEC_ENC_3DES */
+#ifdef CONFIG_IPSEC_ENC_3DES
+				case ESP_3DES:
+#endif /* defined(CONFIG_IPSEC_ENC_DES) || CONFIG_IPSEC_ENC_3DES */
 					iv[0] = *((__u32*)&(espp->esp_iv)    ) =
 						((__u32*)(tdbp->tdb_iv))[0];
 					iv[1] = *((__u32*)&(espp->esp_iv) + 1) =
 						((__u32*)(tdbp->tdb_iv))[1];
 					break;
 #endif /* defined(CONFIG_IPSEC_ENC_3DES) */
-#ifdef CONFIG_IPSEC_ENC_NULL
-				case ESP_NULL:
-					break;
-#endif /* CONFIG_IPSEC_ENC_NULL */
 				default:
 					spin_unlock(&tdb_lock);
 					stats->tx_errors++;
@@ -1339,6 +1492,13 @@
 				iph->protocol = IPPROTO_ESP;
 				
 				switch(tdbp->tdb_encalg) {
+#ifdef CONFIG_IPSEC_ENC_DES
+                                case ESP_DES:
+                                       des_cbc_encrypt(idat, idat, ilen,
+                                                       (caddr_t)tdbp->tdb_key_e,
+                                                       (caddr_t)iv, 1);
+                                       break;
+#endif /* CONFIG_IPSEC_ENC_DES */
 #ifdef CONFIG_IPSEC_ENC_3DES
 				case ESP_3DES:
 					des_ede3_cbc_encrypt(idat, idat, ilen,
@@ -1348,10 +1508,6 @@
 							     (caddr_t)iv, 1);
 					break;
 #endif /* CONFIG_IPSEC_ENC_3DES */
-#ifdef CONFIG_IPSEC_ENC_NULL
-				case ESP_NULL:
-					break;
-#endif /* CONFIG_IPSEC_ENC_NULL */
 				default:
 					spin_unlock(&tdb_lock);
 					stats->tx_errors++;
@@ -1359,7 +1515,10 @@
 				}
 				
 				switch(tdbp->tdb_encalg) {
-#if defined(CONFIG_IPSEC_ENC_3DES)
+#if  defined(CONFIG_IPSEC_ENC_DES) || defined(CONFIG_IPSEC_ENC_3DES)
+#ifdef CONFIG_IPSEC_ENC_DES
+                               case ESP_DES:
+#endif /* CONFIG_IPSEC_ENC_DES */
 #ifdef CONFIG_IPSEC_ENC_3DES
 				case ESP_3DES:
 #endif /* CONFIG_IPSEC_ENC_3DES */
@@ -1369,11 +1528,7 @@
 					((__u32*)(tdbp->tdb_iv))[1] =
 						((__u32 *)(idat))[(ilen >> 2) - 1];
 					break;
-#endif /* defined(CONFIG_IPSEC_ENC_3DES) */
-#ifdef CONFIG_IPSEC_ENC_NULL
-				case ESP_NULL:
-					break;
-#endif /* CONFIG_IPSEC_ENC_NULL */
+#endif /* defined(CONFIG_IPSEC_ENC_DES) || defined(CONFIG_IPSEC_ENC_3DES) */
 				default:
 					spin_unlock(&tdb_lock);
 					stats->tx_errors++;
@@ -1540,10 +1695,14 @@
 				/* XXX use of skb->dst below is a questionable
 				   substitute for &rt->u.dst which is only
 				   available later-on */
+#ifdef IP_SELECT_IDENT_NEW
+				ip_select_ident(iph, skb->dst, NULL);
+#else /* IP_SELECT_IDENT_NEW */
 				ip_select_ident(iph, skb->dst);
-#else
+#endif /* IP_SELECT_IDENT_NEW */
+#else /* IP_SELECT_IDENT */
 				iph->id       = htons(ip_id_count++);   /* Race condition here? */
-#endif
+#endif /* IP_SELECT_IDENT */
 
 				newdst = (__u32)iph->daddr;
 				newsrc = (__u32)iph->saddr;
@@ -1559,7 +1718,7 @@
 					unsigned int flags = 0;
 #ifdef CONFIG_IPSEC_DEBUG
 					unsigned int old_tot_len = ntohs(iph->tot_len);
-#endif
+#endif /* CONFIG_IPSEC_DEBUG */
 					tdbp->tdb_comp_ratio_dbytes += ntohs(iph->tot_len);
 
 					skb = skb_compress(skb, tdbp, &flags);
@@ -1610,7 +1769,8 @@
 			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 				    "klips_debug:ipsec_tunnel_start_xmit: "
 				    "after <%s%s%s>, SA:%s:\n",
-				    TDB_XFORM_NAME(tdbp), sa);
+				    TDB_XFORM_NAME(tdbp),
+				    sa_len ? sa : " (error)");
 			KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, iph);
  			
 			tdbp->tdb_lifetime_bytes_c += len;
@@ -1620,6 +1780,7 @@
 			tdbp->tdb_lifetime_usetime_l = jiffies / HZ;
 			tdbp->tdb_lifetime_packets_c += 1;
 
+			tdbprev = tdbp;
 			tdbp = tdbp->tdb_onext;
 			
 		}
@@ -1633,14 +1794,18 @@
 		er = ipsec_findroute(&matcher);
 		if(er) {
 			outgoing_said = er->er_said;
+			eroute_pid = er->er_pid;
+			er->er_count++;
+			er->er_lasttime = jiffies/HZ;
 		}
 		spin_unlock(&eroute_lock);
-		KLIPS_PRINT(/* ((orgdst != newdst) || (orgsrc != newsrc)) */
+		KLIPS_PRINT((debug_tunnel & DB_TN_XMIT) &&
+			    /* ((orgdst != newdst) || (orgsrc != newsrc)) */
 			(orgedst != outgoing_said.dst.s_addr) &&
 			outgoing_said.dst.s_addr &&
-			er &&
-			(debug_tunnel & DB_TN_XMIT),
-			"klips_debug:ipsec_tunnel_start_xmit: We are recursing here.\n");
+			    er,
+			    "klips_debug:ipsec_tunnel_start_xmit: "
+			    "We are recursing here.\n");
 	} while(/*((orgdst != newdst) || (orgsrc != newsrc))*/
 		(orgedst != outgoing_said.dst.s_addr) &&
 		outgoing_said.dst.s_addr &&
@@ -1664,9 +1829,9 @@
 
 	if(saved_header) {
 		if(skb_headroom(skb) < hard_header_len) {
-			printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
-			       "tried to skb_push hhlen=%d, %d available.  "
-			       "This should never happen, please report.\n",
+			printk(KERN_WARNING
+			       "klips_error:ipsec_tunnel_start_xmit: "
+			       "tried to skb_push hhlen=%d, %d available.  This should never happen, please report.\n",
 			       hard_header_len, skb_headroom(skb));
 			stats->tx_errors++;
 			goto cleanup;
@@ -1682,28 +1847,21 @@
 		    "With hard_header, final head,tailroom: %d,%d\n",
 		    skb_headroom(skb), skb_tailroom(skb));
 
-#ifdef NET_21
+#ifdef NET_21	/* 2.2 and 2.4 kernels */
 	/* new route/dst cache code from James Morris */
 	skb->dev = physdev;
 	/*skb_orphan(skb);*/
-#ifdef NETDEV_23
-	if(sysctl_ipsec_no_eroute_pass) {
-		/* zero the saddr used in ip_route_output */
-		route_saddr=0;
-	}else{
-		route_saddr=skb->nh.iph->saddr;
-	}
-#endif /* NETDEV_23 */
-	if(ip_route_output(&rt,
+	if((error = ip_route_output(&rt,
 			   skb->nh.iph->daddr,
-#ifdef NETDEV_23
-			   route_saddr,
-#else /* NETDEV_23 */
-			   skb->nh.iph->saddr,
-#endif /* NETDEV_23 */
+				   pass ? 0 : skb->nh.iph->saddr,
 			   RT_TOS(skb->nh.iph->tos),
-			   physdev->iflink)) {
+				   physdev->iflink))) {
 		stats->tx_errors++;
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:ipsec_tunnel_start_xmit: "
+			    "ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
+			    error,
+			    rt->u.dst.dev->name);
 		goto cleanup;
 	}
 	if(dev == rt->u.dst.dev) {
@@ -1719,11 +1877,11 @@
 	skb->dst = &rt->u.dst;
 	stats->tx_bytes += skb->len;
 	if(skb->len < skb->nh.raw - skb->data) {
-		printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
-		       "tried to __skb_pull nh-data=%d, %d available.  "
-		       "This should never happen, please report.\n",
-		       skb->nh.raw - skb->data, skb->len);
 		stats->tx_errors++;
+		printk(KERN_WARNING
+		       "klips_error:ipsec_tunnel_start_xmit: "
+		       "tried to __skb_pull nh-data=%d, %d available.  This should never happen, please report.\n",
+		       skb->nh.raw - skb->data, skb->len);
 		goto cleanup;
 	}
 	__skb_pull(skb, skb->nh.raw - skb->data);
@@ -1736,8 +1894,10 @@
 #endif /* SKB_RESET_NFCT */
 	KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
 		    "klips_debug:ipsec_tunnel_start_xmit: "
-		    "...done, calling ip_send()\n");
-#ifdef NETDEV_23
+		    "...done, calling ip_send() on device:%s\n",
+		    skb->dev ? skb->dev->name : "NULL");
+	KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, skb->nh.iph);
+#ifdef NETDEV_23	/* 2.4 kernels */
 	{
 		int err;
 
@@ -1746,7 +1906,8 @@
 		if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
 			if(net_ratelimit())
 				printk(KERN_ERR
-				       "ipsec_tunnel_start_xmit: ip_send() failed, err=%d\n", 
+				       "klips_error:ipsec_tunnel_start_xmit: "
+				       "ip_send() failed, err=%d\n", 
 				       -err);
 			stats->tx_errors++;
 			stats->tx_aborted_errors++;
@@ -1754,10 +1915,10 @@
 			goto cleanup;
 		}
 	}
-#else
+#else /* NETDEV_23 */	/* 2.2 kernels */
 	ip_send(skb);
-#endif
-#else /* NET_21 */
+#endif /* NETDEV_23 */
+#else /* NET_21 */	/* 2.0 kernels */
 	skb->arp = 1;
 	/* ISDN/ASYNC PPP from Matjaz Godec. */
 	/*	skb->protocol = htons(ETH_P_IP); */
@@ -1772,16 +1933,18 @@
  cleanup:
 #if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
 	netif_wake_queue(dev);
-#else
+#else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
 	dev->tbusy = 0;
-#endif
-	if(saved_header)
+#endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
+	if(saved_header) {
 		kfree(saved_header);
+	}
 	if(skb) {
 		dev_kfree_skb(skb, FREE_WRITE);
 	}
-	if(oskb)
+	if(oskb) {
 		dev_kfree_skb(oskb, FREE_WRITE);
+	}
 	return 0;
 }
 
@@ -1803,6 +1966,46 @@
 	struct ipsecpriv *prv = dev->priv;
 	struct device *tmp;
 	int ret;
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(skb == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_hard_header: "
+			    "no skb...");
+		return -ENODATA;
+	}
+
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_hard_header: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+		    "klips_debug:ipsec_tunnel_hard_header: "
+		    "skb->dev=%s dev=%s.",
+		    skb->dev ? skb->dev->name : "NULL",
+		    dev->name);
+	
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_hard_header: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return -ENODEV;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_hard_header: "
+			    "no physical device associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		stats->tx_dropped++;
+		return -ENODEV;
+	}
 
 	/* check if we have to send a IPv6 packet. It might be a Router
 	   Solicitation, where the building of the packet happens in
@@ -1820,9 +2023,12 @@
 		if(!prv->hard_header) {
 			KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
 				    "klips_debug:ipsec_tunnel_hard_header: "
-				    "physical device has been detached, packet dropped "
-				    "0x%p->0x%p len=%d type=%d dev=%s->NULL ",
-				    saddr, daddr, len, type, dev->name);
+				    "physical device has been detached, packet dropped 0x%p->0x%p len=%d type=%d dev=%s->NULL ",
+				    saddr,
+				    daddr,
+				    len,
+				    type,
+				    dev->name);
 #ifdef NET_21
 			KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
 					"ip=%08x->%08x\n",
@@ -1834,15 +2040,20 @@
 					(__u32)ntohl(skb->ip_hdr->saddr),
 					(__u32)ntohl(skb->ip_hdr->daddr) );
 #endif /* NET_21 */
+			stats->tx_dropped++;
 			return -ENODEV;
 		}
 		
 #define da ((struct device *)(prv->dev))->dev_addr
 		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
 			    "klips_debug:ipsec_tunnel_hard_header: "
-			    "Revectored 0x%p->0x%p len=%d type=%d dev=%s->%s "
-			    "dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
-			    saddr, daddr, len, type, dev->name, prv->dev->name,
+			    "Revectored 0x%p->0x%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
+			    saddr,
+			    daddr,
+			    len,
+			    type,
+			    dev->name,
+			    prv->dev->name,
 			    da[0], da[1], da[2], da[3], da[4], da[5]);
 #ifdef NET_21
 		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
@@ -1878,12 +2089,38 @@
 	struct ipsecpriv *prv = skb->dev->priv;
 	struct device *tmp;
 	int ret;
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(skb->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_rebuild_header: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_rebuild_header: "
+			    "no private space associated with dev=%s",
+			    skb->dev->name ? skb->dev->name : "NULL");
+		return -ENODEV;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_rebuild_header: "
+			    "no physical device associated with dev=%s",
+			    skb->dev->name ? skb->dev->name : "NULL");
+		stats->tx_dropped++;
+		return -ENODEV;
+	}
 	
 	if(!prv->rebuild_header) {
 		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
 			    "klips_debug:ipsec_tunnel_rebuild_header: "
-			    "physical device has been detached, packet dropped "
-			    "skb->dev=%s->NULL ",
+			    "physical device has been detached, packet dropped skb->dev=%s->NULL ",
 			    skb->dev->name);
 #ifdef NET_21
 		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
@@ -1896,6 +2133,7 @@
 			    (__u32)ntohl(skb->ip_hdr->saddr),
 			    (__u32)ntohl(skb->ip_hdr->daddr) );
 #endif /* NET_21 */
+		stats->tx_dropped++;
 		return -ENODEV;
 	}
 
@@ -1931,11 +2169,38 @@
 {
 	struct ipsecpriv *prv = dev->priv;
 	
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_set_mac_address: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_set_mac_address: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return -ENODEV;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_set_mac_address: "
+			    "no physical device associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		stats->tx_dropped++;
+		return -ENODEV;
+	}
+
 	if(!prv->set_mac_address) {
 		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
 			    "klips_debug:ipsec_tunnel_set_mac_address: "
-			    "physical device has been detached, cannot set - "
-			    "skb->dev=%s->NULL\n",
+			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
 			    dev->name);
 		return -ENODEV;
 	}
@@ -1955,12 +2220,40 @@
 {
 	struct ipsecpriv *prv = dev->priv;
 	
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_bind: "
+			    "no device...");
+		return;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_bind: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_bind: "
+			    "no physical device associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		stats->tx_dropped++;
+		return;
+	}
+
 	if(!prv->header_cache_bind) {
 		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
 			    "klips_debug:ipsec_tunnel_cache_bind: "
-			    "physical device has been detached, cannot set - "
-			    "skb->dev=%s->NULL\n",
+			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
 			    dev->name);
+		stats->tx_dropped++;
 		return;
 	}
 
@@ -1978,11 +2271,38 @@
 {
 	struct ipsecpriv *prv = dev->priv;
 	
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_update: "
+			    "no device...");
+		return;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_update: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_update: "
+			    "no physical device associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		stats->tx_dropped++;
+		return;
+	}
+
 	if(!prv->header_cache_update) {
 		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
 			    "klips_debug:ipsec_tunnel_cache_update: "
-			    "physical device has been detached, cannot set - "
-			    "skb->dev=%s->NULL\n",
+			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
 			    dev->name);
 		return;
 	}
@@ -1999,8 +2319,7 @@
 ipsec_tunnel_neigh_setup(struct neighbour *n)
 {
 	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
-		    "klips_debug:ipsec_tunnel: "
-		    "ipsec_tunnel_neigh_setup\n");
+		    "klips_debug:ipsec_tunnel_neigh_setup:\n");
 
         if (n->nud_state == NUD_NONE) {
                 n->ops = &arp_broken_ops;
@@ -2013,8 +2332,9 @@
 ipsec_tunnel_neigh_setup_dev(struct device *dev, struct neigh_parms *p)
 {
 	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
-		    "klips_debug:ipsec_tunnel: "
-		    "ipsec_tunnel_neigh_setup_dev\n");
+		    "klips_debug:ipsec_tunnel_neigh_setup_dev: "
+		    "setting up %s\n",
+		    dev ? dev->name : "NULL");
 
         if (p->tbl->family == AF_INET) {
                 p->neigh_setup = ipsec_tunnel_neigh_setup;
@@ -2030,70 +2350,86 @@
  */
 
 DEBUG_NO_STATIC int
-ipsec_tunnel_attach(struct device *tndev, struct ipsecpriv *prv, struct device *dev)
+ipsec_tunnel_attach(struct device *dev, struct device *physdev)
 {
         int i;
+	struct ipsecpriv *prv = dev->priv;
+
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_attach: "
+			    "no device...");
+		return -ENODEV;
+	}
 
-	prv->dev = dev;
-	prv->hard_start_xmit = dev->hard_start_xmit;
-	prv->get_stats = dev->get_stats;
-
-	if (dev->hard_header) {
-		prv->hard_header = dev->hard_header;
-		tndev->hard_header = ipsec_tunnel_hard_header;
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_attach: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return -ENODATA;
+	}
+
+	prv->dev = physdev;
+	prv->hard_start_xmit = physdev->hard_start_xmit;
+	prv->get_stats = physdev->get_stats;
+
+	if (physdev->hard_header) {
+		prv->hard_header = physdev->hard_header;
+		dev->hard_header = ipsec_tunnel_hard_header;
 	} else
-		tndev->hard_header = NULL;
+		dev->hard_header = NULL;
 	
-	if (dev->rebuild_header) {
-		prv->rebuild_header = dev->rebuild_header;
-		tndev->rebuild_header = ipsec_tunnel_rebuild_header;
+	if (physdev->rebuild_header) {
+		prv->rebuild_header = physdev->rebuild_header;
+		dev->rebuild_header = ipsec_tunnel_rebuild_header;
 	} else
-		tndev->rebuild_header = NULL;
+		dev->rebuild_header = NULL;
 	
-	if (dev->set_mac_address) {
-		prv->set_mac_address = dev->set_mac_address;
-		tndev->set_mac_address = ipsec_tunnel_set_mac_address;
+	if (physdev->set_mac_address) {
+		prv->set_mac_address = physdev->set_mac_address;
+		dev->set_mac_address = ipsec_tunnel_set_mac_address;
 	} else
-		tndev->set_mac_address = NULL;
+		dev->set_mac_address = NULL;
 	
 #ifndef NET_21
-	if (dev->header_cache_bind) {
-		prv->header_cache_bind = dev->header_cache_bind;
-		tndev->header_cache_bind = ipsec_tunnel_cache_bind;
+	if (physdev->header_cache_bind) {
+		prv->header_cache_bind = physdev->header_cache_bind;
+		dev->header_cache_bind = ipsec_tunnel_cache_bind;
 	} else
-		tndev->header_cache_bind = NULL;
+		dev->header_cache_bind = NULL;
 #endif /* !NET_21 */
 
-	if (dev->header_cache_update) {
-		prv->header_cache_update = dev->header_cache_update;
-		tndev->header_cache_update = ipsec_tunnel_cache_update;
+	if (physdev->header_cache_update) {
+		prv->header_cache_update = physdev->header_cache_update;
+		dev->header_cache_update = ipsec_tunnel_cache_update;
 	} else
-		tndev->header_cache_update = NULL;
+		dev->header_cache_update = NULL;
 
-	tndev->hard_header_len = dev->hard_header_len;
+	dev->hard_header_len = physdev->hard_header_len;
 
 #ifdef NET_21
-/*	prv->neigh_setup        = dev->neigh_setup; */
+/*	prv->neigh_setup        = physdev->neigh_setup; */
 	dev->neigh_setup        = ipsec_tunnel_neigh_setup_dev;
 #endif /* NET_21 */
-	tndev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
-	prv->mtu = dev->mtu;
+	dev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
+	prv->mtu = physdev->mtu;
 
 #ifdef PHYSDEV_TYPE
-	tndev->type = dev->type /* ARPHRD_TUNNEL */;	/* initially */
+	dev->type = physdev->type /* ARPHRD_TUNNEL */;	/* initially */
 #endif /*  PHYSDEV_TYPE */
 
-	tndev->addr_len = dev->addr_len;
-	for (i=0; iaddr_len; i++) {
-		tndev->dev_addr[i] = dev->dev_addr[i];
+	dev->addr_len = physdev->addr_len;
+	for (i=0; iaddr_len; i++) {
+		dev->dev_addr[i] = physdev->dev_addr[i];
 	}
 #ifdef CONFIG_IPSEC_DEBUG
 	if(debug_tunnel & DB_TN_INIT) {
 		printk(KERN_INFO "klips_debug:ipsec_tunnel_attach: "
 		       "physical device %s being attached has HW address: %2x",
-		       dev->name, dev->dev_addr[0]);
-		for (i=1; i < dev->addr_len; i++) {
-			printk(":%02x", dev->dev_addr[i]);
+		       physdev->name, physdev->dev_addr[0]);
+		for (i=1; i < physdev->addr_len; i++) {
+			printk(":%02x", physdev->dev_addr[i]);
 		}
 		printk("\n");
 	}
@@ -2107,49 +2443,80 @@
  */
 
 DEBUG_NO_STATIC int
-ipsec_tunnel_detach(struct device *dev, struct ipsecpriv *prv)
+ipsec_tunnel_detach(struct device *dev)
 {
         int i;
+	struct ipsecpriv *prv = dev->priv;
+
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_detach: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_detach: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return -ENODATA;
+	}
 
 	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
 		    "klips_debug:ipsec_tunnel_detach: "
 		       "physical device %s being detached from virtual device %s\n",
-		       prv->dev->name, dev->name);
+		    prv->dev ? prv->dev->name : "NULL",
+		    dev->name);
 
 	prv->dev = NULL;
 	prv->hard_start_xmit = NULL;
 	prv->get_stats = NULL;
 
 	prv->hard_header = NULL;
+#ifdef DETACH_AND_DOWN
 	dev->hard_header = NULL;
+#endif /* DETACH_AND_DOWN */
 	
 	prv->rebuild_header = NULL;
+#ifdef DETACH_AND_DOWN
 	dev->rebuild_header = NULL;
+#endif /* DETACH_AND_DOWN */
 	
 	prv->set_mac_address = NULL;
+#ifdef DETACH_AND_DOWN
 	dev->set_mac_address = NULL;
+#endif /* DETACH_AND_DOWN */
 	
 #ifndef NET_21
 	prv->header_cache_bind = NULL;
+#ifdef DETACH_AND_DOWN
 	dev->header_cache_bind = NULL;
+#endif /* DETACH_AND_DOWN */
 #endif /* !NET_21 */
 
 	prv->header_cache_update = NULL;
+#ifdef DETACH_AND_DOWN
 	dev->header_cache_update = NULL;
+#endif /* DETACH_AND_DOWN */
 
 #ifdef NET_21
 /*	prv->neigh_setup        = NULL; */
+#ifdef DETACH_AND_DOWN
 	dev->neigh_setup        = NULL;
+#endif /* DETACH_AND_DOWN */
 #endif /* NET_21 */
 	dev->hard_header_len = 0;
+#ifdef DETACH_AND_DOWN
 	dev->mtu = 0;
+#endif /* DETACH_AND_DOWN */
 	prv->mtu = 0;
 	for (i=0; idev_addr[i] = 0;
 	}
 	dev->addr_len = 0;
 #ifdef PHYSDEV_TYPE
-	dev->type = 0;
+	dev->type = ARPHRD_TUNNEL;
 #endif /*  PHYSDEV_TYPE */
 	
 	return 0;
@@ -2168,7 +2535,7 @@
 	int ret;
 
 	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
-		    "klips_debug:ipsec_tunnel_clear: called.\n");
+		    "klips_debug:ipsec_tunnel_clear: .\n");
 
 	for(i = 0; i < IPSEC_NUM_IF; i++) {
 		sprintf(name, "ipsec%d", i);
@@ -2180,7 +2547,7 @@
 						    "klips_debug:ipsec_tunnel_clear: "
 						    "physical device for device %s is %s\n",
 						    name, prvdev->name);
-					if((ret = ipsec_tunnel_detach(ipsecdev, prv))) {
+					if((ret = ipsec_tunnel_detach(ipsecdev))) {
 						KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
 							    "klips_debug:ipsec_tunnel_clear: "
 							    "error %d detatching device %s from device %s.\n",
@@ -2205,12 +2572,24 @@
 	char realphysname[IFNAMSIZ];
 #endif /* CONFIG_IP_ALIAS */
 	
+	if(dev == NULL) {
 	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
 		    "klips_debug:ipsec_tunnel_ioctl: "
-		    "tncfg service call #%d\n", cmd);
+			    "device not supplied.\n");
+		return -ENODEV;
+	}
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+		    "klips_debug:ipsec_tunnel_ioctl: "
+		    "tncfg service call #%d for dev=%s\n",
+		    cmd,
+		    dev->name ? dev->name : "NULL");
 	switch (cmd) {
 	/* attach a virtual ipsec? device to a physical device */
 	case IPSEC_SET_DEV:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_tunnel_ioctl: "
+			    "calling ipsec_tunnel_attatch...\n");
 #ifdef CONFIG_IP_ALIAS
 		/* If this is an IP alias interface, get its real physical name */
 		strncpy(realphysname, cf->cf_name, IFNAMSIZ);
@@ -2225,19 +2604,41 @@
 		if (them == NULL) {
 			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
 				    "klips_debug:ipsec_tunnel_ioctl: "
-				    "physical device requested is null\n");
+				    "physical device %s requested is null\n",
+				    cf->cf_name);
+			return -ENXIO;
+		}
 
+#if 0
+		if (them->flags & IFF_UP) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_tunnel_ioctl: "
+				    "physical device %s requested is not up.\n",
+				    cf->cf_name);
 			return -ENXIO;
 		}
+#endif
 		
-		if (prv->dev)
+		if (prv && prv->dev) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_tunnel_ioctl: "
+				    "virtual device is already connected to %s.\n",
+				    prv->dev->name ? prv->dev->name : "NULL");
 			return -EBUSY;
-		return ipsec_tunnel_attach(dev, dev->priv, them);
+		}
+		return ipsec_tunnel_attach(dev, them);
 
 	case IPSEC_DEL_DEV:
-		if (! prv->dev)
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_tunnel_ioctl: "
+			    "calling ipsec_tunnel_detatch.\n");
+		if (! prv->dev) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_tunnel_ioctl: "
+				    "physical device not connected.\n");
 			return -ENODEV;
-		return ipsec_tunnel_detach(dev, dev->priv);
+		}
+		return ipsec_tunnel_detach(dev);
 	       
 	case IPSEC_CLR_DEV:
 		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
@@ -2246,6 +2647,10 @@
 		return ipsec_tunnel_clear();
 
 	default:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_tunnel_ioctl: "
+			    "unknown command %d.\n",
+			    cmd);
 		return -EOPNOTSUPP;
 	}
 }
@@ -2259,15 +2664,45 @@
 	char name[9];
 	int i;
 
+	if (dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "dev=NULL for event type %ld.\n",
+			    event);
+		return(NOTIFY_DONE);
+	}
+
 	/* check for loopback devices */
-	if (dev->flags & IFF_LOOPBACK)
+	if (dev && (dev->flags & IFF_LOOPBACK)) {
 		return(NOTIFY_DONE);
+	}
 
-	switch (event) 
-	{
+	switch (event) {
+	case NETDEV_DOWN:
+		/* look carefully at the scope of these compiler
+		   #defines before changing anything... */
+#ifdef NET_21
+	case NETDEV_UNREGISTER:
+		switch (event) {
 		case NETDEV_DOWN:
+#endif /* NET_21 */
 			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
-				    "ipsec_device_event: NETDEV_DOWN...\n");
+				    "klips_debug:ipsec_device_event: "
+				    "NETDEV_DOWN dev=%s flags=%x\n",
+				    dev->name,
+				    dev->flags);
+#ifdef NET_21
+			break;
+		case NETDEV_UNREGISTER:
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_device_event: "
+				    "NETDEV_UNREGISTER dev=%s flags=%x\n",
+				    dev->name,
+				    dev->flags);
+			break;
+		}
+#endif /* NET_21 */
+		
 			/* find the attached physical device and detach it. */
 			for(i = 0; i < IPSEC_NUM_IF; i++) {
 				sprintf(name, "ipsec%d", i);
@@ -2277,35 +2712,82 @@
 					if(priv) {
 						;
 						if(((struct device *)(priv->dev)) == dev) {
-							dev_close(ipsec_dev);
-							/* return */ ipsec_tunnel_detach(ipsec_dev, priv);
-							return NOTIFY_DONE;
+						/* dev_close(ipsec_dev); */
+						/* return */ ipsec_tunnel_detach(ipsec_dev);
+						KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+							    "klips_debug:ipsec_device_event: "
+							    "device '%s' has been detached.\n",
+							    ipsec_dev->name);
 							break;
 						}
 					} else {
 						KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
-							    "klips_debug:ipsec_device_event: device '%s' has no private data space!\n",
+						    "klips_debug:ipsec_device_event: "
+						    "device '%s' has no private data space!\n",
 							    ipsec_dev->name);
 					}
 				}
 			}
-
 			break;
 		case NETDEV_UP:
 			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
-				    "ipsec_device_event: NETDEV_UP...\n");
-			/* Only handle ethernet ports */
-			if(dev->type!=ARPHRD_ETHER && dev->type!=ARPHRD_LOOPBACK)
-				return NOTIFY_DONE;
-
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_UP dev=%s\n",
+			    dev->name);
 			break;
 #ifdef NET_21
-		case NETDEV_UNREGISTER:
+	case NETDEV_REBOOT:
 			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
-				    "ipsec_device_event: NETDEV_UNREGISTER...\n");
-
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_REBOOT dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_CHANGE:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_CHANGE dev=%s flags=%x\n",
+			    dev->name,
+			    dev->flags);
+		break;
+	case NETDEV_REGISTER:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_REGISTER dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_CHANGEMTU:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_CHANGEMTU dev=%s to mtu=%d\n",
+			    dev->name,
+			    dev->mtu);
+		break;
+	case NETDEV_CHANGEADDR:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_CHANGEADDR dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_GOING_DOWN:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_GOING_DOWN dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_CHANGENAME:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_CHANGENAME dev=%s\n",
+			    dev->name);
 			break;
 #endif /* NET_21 */
+	default:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "event type %ld unrecognised for dev=%s\n",
+			    event,
+			    dev->name);
+		break;
 	}
 	return NOTIFY_DONE;
 }
@@ -2320,8 +2802,12 @@
 {
 	int i;
 
-	printk(KERN_INFO "IPsec: initialisation of device: %s\n",
+#if 0
+	printk(KERN_INFO
+	       "klips_debug:ipsec_tunnel_init: "
+	       "initialisation of device: %s\n",
 	       dev->name ? dev->name : "NULL");
+#endif
 
 	/* Add our tunnel functions to the device */
 	dev->open		= ipsec_tunnel_open;
@@ -2510,8 +2996,104 @@
 
 /*
  * $Log: ipsec_tunnel.c,v $
- * Revision 1.137.2.1  2001/02/27 00:51:00  henry
- * message improvements
+ * Revision 1.163  2001/06/06 20:28:51  rgb
+ * Added sanity checks for NULL skbs and devices.
+ * Added more debugging output to various functions.
+ * Removed redundant dev->priv argument to ipsec_tunnel_{at,de}tach().
+ * Renamed ipsec_tunnel_attach() virtual and physical device arguments.
+ * Corrected neigh_setup() device function assignment.
+ * Keep valid pointers to ipsec_tunnel_*() on detach.
+ * Set dev->type to the originally-initiallised value.
+ *
+ * Revision 1.162  2001/06/01 07:28:04  rgb
+ * Added sanity checks for detached devices.  Don't down virtual devices
+ * to prevent packets going out in the clear if the detached device comes
+ * back up.
+ *
+ * Revision 1.161  2001/05/30 08:14:52  rgb
+ * Removed vestiges of esp-null transforms.
+ * NetDev Notifier instrumentation to track down disappearing devices.
+ *
+ * Revision 1.160  2001/05/29 05:15:12  rgb
+ * Added SS' PMTU patch which notifies sender if packet doesn't fit
+ * physical MTU (if it wasn't ICMP) and then drops it.
+ *
+ * Revision 1.159  2001/05/27 06:12:12  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
+ * Revision 1.158  2001/05/24 05:39:33  rgb
+ * Applied source zeroing to 2.2 ip_route_output() call as well to enable
+ * PASS eroutes for opportunism.
+ *
+ * Revision 1.157  2001/05/23 22:35:28  rgb
+ * 2.4 source override simplification.
+ *
+ * Revision 1.156  2001/05/23 21:41:31  rgb
+ * Added error return code printing on ip_route_output().
+ *
+ * Revision 1.155  2001/05/23 05:09:13  rgb
+ * Fixed incorrect ip_route_output() failure message.
+ *
+ * Revision 1.154  2001/05/21 14:53:31  rgb
+ * Added debug statement for case when ip_route_output() fails, causing
+ * packet to be dropped, but log looked ok.
+ *
+ * Revision 1.153  2001/05/19 02:37:54  rgb
+ * Fixed missing comment termination.
+ *
+ * Revision 1.152  2001/05/19 02:35:50  rgb
+ * Debug code optimisation for non-debug speed.
+ * Kernel version compiler define comments.
+ * 2.2 and 2.4 kernel ip_send device and ip debug output added.
+ *
+ * Revision 1.151  2001/05/18 16:17:35  rgb
+ * Changed reference from "magic" to "shunt" SAs.
+ *
+ * Revision 1.150  2001/05/18 16:12:19  rgb
+ * Changed UDP/500 bypass test from 3 nested ifs to one anded if.
+ *
+ * Revision 1.149  2001/05/16 04:39:33  rgb
+ * Add default == eroute.dest to IKE bypass conditions for magic eroutes.
+ *
+ * Revision 1.148  2001/05/05 03:31:41  rgb
+ * IP frag debugging updates and enhancements.
+ *
+ * Revision 1.147  2001/05/03 19:41:40  rgb
+ * Added SS' skb_cow fix for 2.4.4.
+ *
+ * Revision 1.146  2001/04/30 19:28:16  rgb
+ * Update for 2.4.4.  ip_select_ident() now has 3 args.
+ *
+ * Revision 1.145  2001/04/23 14:56:10  rgb
+ * Added spin_lock() check to prevent double-locking for multiple
+ * transforms and hence kernel lock-ups with SMP kernels.
+ *
+ * Revision 1.144  2001/04/21 23:04:45  rgb
+ * Define out skb->used for 2.4 kernels.
+ * Check if soft expire has already been sent before sending another to
+ * prevent ACQUIRE flooding.
+ *
+ * Revision 1.143  2001/03/16 07:37:21  rgb
+ * Added comments to all #endifs.
+ *
+ * Revision 1.142  2001/02/28 05:03:27  rgb
+ * Clean up and rationalise startup messages.
+ *
+ * Revision 1.141  2001/02/27 22:24:54  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.140  2001/02/27 06:40:12  rgb
+ * Fixed TRAP->HOLD eroute byte order.
+ *
+ * Revision 1.139  2001/02/26 20:38:59  rgb
+ * Added compiler defines for 2.4.x-specific code.
+ *
+ * Revision 1.138  2001/02/26 19:57:27  rgb
+ * Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
+ * of the new SPD and to support opportunistic.
+ * Drop sysctl_ipsec_{no_eroute_pass,opportunistic}, replaced by magic SAs.
  *
  * Revision 1.137  2001/02/19 22:29:49  rgb
  * Fixes for presence of active ipv6 segments which share ipsec physical
@@ -2615,9 +3197,6 @@
  * Added a hard/soft expiry parameter to pfkey_expire(). (Momchil)
  * Re-arranged the order of soft and hard expiry to conform to RFC2367.
  * Clean up references to CONFIG_IPSEC_PFKEYv2.
- *
- * Revision 1.111  2000/08/01 14:51:51  rgb
- * Removed _all_ remaining traces of DES.
  *
  * Revision 1.110  2000/07/28 14:58:31  rgb
  * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipsec_xform.c freeswan-1.9/klips/net/ipsec/ipsec_xform.c
--- freeswan-1.9.orig/klips/net/ipsec/ipsec_xform.c	Sun Nov  5 23:32:08 2000
+++ freeswan-1.9/klips/net/ipsec/ipsec_xform.c	Tue Jun 12 16:07:52 2001
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ipsec_xform.c,v 1.47 2000/11/06 04:32:08 rgb Exp $
+ * RCSID $Id: ipsec_xform.c,v 1.51 2001/05/30 08:14:03 rgb Exp $
  */
 
 #include 
@@ -61,7 +61,7 @@
 int debug_xform = 0;
 #endif /* CONFIG_IPSEC_DEBUG */
 
-#define SENDERR(_x) do { len = -(_x); goto errlab; } while (0)
+#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
 
 extern int des_set_key(caddr_t, caddr_t);
 
@@ -69,6 +69,9 @@
 { XF_IP4,		0,		"IPv4_Encapsulation"},
 { XF_AHHMACMD5,		XFT_AUTH,	"HMAC_MD5_Authentication"},
 { XF_AHHMACSHA1,	XFT_AUTH,	"HMAC_SHA-1_Authentication"},
+{ XF_ESPDES,		XFT_CONF,	"DES_Encryption"},
+{ XF_ESPDESMD596,	XFT_CONF,	"DES-MD5-96_Encryption"},
+{ XF_ESPDESSHA196,	XFT_CONF,	"DES-SHA1-96_Encryption"},
 { XF_ESP3DES,		XFT_CONF,	"3DES_Encryption"},
 { XF_ESP3DESMD596,	XFT_CONF,	"3DES-MD5-96_Encryption"},
 { XF_ESP3DESSHA196,	XFT_CONF,	"3DES-SHA1-96_Encryption"},
@@ -101,25 +104,31 @@
 	int hashval;
 	struct tdb *tdbp;
         char sa[SATOA_BUF];
+	size_t sa_len;
 
 	if(!said) {
 		KLIPS_PRINT(debug_xform,
-			    "klips_error:gettdb: null pointer passed in!\n");
+			    "klips_error:gettdb: "
+			    "null pointer passed in!\n");
 		return NULL;
 	}
 
-	satoa(*said, 0, sa, SATOA_BUF);
+	sa_len = satoa(*said, 0, sa, SATOA_BUF);
 
 	hashval = (said->spi+said->dst.s_addr+said->proto) % TDB_HASHMOD;
 	
 	KLIPS_PRINT(debug_xform,
-		    "klips_debug:gettdb: linked entry in tdb table for hash=%d of SA:%s requested.\n",
-		    hashval, sa);
+		    "klips_debug:gettdb: "
+		    "linked entry in tdb table for hash=%d of SA:%s requested.\n",
+		    hashval,
+		    sa_len ? sa : " (error)");
 
 	if(!(tdbp = tdbh[hashval])) {
 		KLIPS_PRINT(debug_xform,
-			    "klips_debug:gettdb: no entries in tdb table for hash=%d of SA:%s.\n",
-			    hashval, sa);
+			    "klips_debug:gettdb: "
+			    "no entries in tdb table for hash=%d of SA:%s.\n",
+			    hashval,
+			    sa_len ? sa : " (error)");
 		return NULL;
 	}
 
@@ -132,12 +141,16 @@
 	}
 	
 	KLIPS_PRINT(debug_xform,
-		    "klips_debug:gettdb: no entry in linked list for hash=%d of SA:%s.\n",
-		    hashval, sa);
+		    "klips_debug:gettdb: "
+		    "no entry in linked list for hash=%d of SA:%s.\n",
+		    hashval,
+		    sa_len ? sa : " (error)");
 	return NULL;
 }
 
-/* void */
+/*
+  The tdb table better *NOT* be locked before it is handed in, or SMP locks will happen
+*/
 int
 puttdb(struct tdb *tdbp)
 {
@@ -146,7 +159,8 @@
 
 	if(!tdbp) {
 		KLIPS_PRINT(debug_xform,
-			    "klips_error:puttdb: null pointer passed in!\n");
+			    "klips_error:puttdb: "
+			    "null pointer passed in!\n");
 		return -ENODATA;
 	}
 	hashval = ((tdbp->tdb_said.spi + tdbp->tdb_said.dst.s_addr + tdbp->tdb_said.proto) % TDB_HASHMOD);
@@ -161,40 +175,46 @@
 	return error;
 }
 
-/* This tdb better be locked before it is handed in, or races might
- * happen */
-
-/* void */
+/*
+  The tdb table better be locked before it is handed in, or races might happen
+*/
 int
 deltdb(struct tdb *tdbp)
 {
 	unsigned int hashval;
 	struct tdb *tdbtp;
         char sa[SATOA_BUF];
+	size_t sa_len;
 
 	if(!tdbp) {
 		KLIPS_PRINT(debug_xform,
-			    "klips_error:deltdb: null pointer passed in!\n");
+			    "klips_error:deltdb: "
+			    "null pointer passed in!\n");
 		return -ENODATA;
 	}
 	
-	satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
+	sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
 	if(tdbp->tdb_inext || tdbp->tdb_onext) {
 		KLIPS_PRINT(debug_xform,
-			    "klips_error:deltdb: SA:%s still linked!\n",
-			    sa);
+			    "klips_error:deltdb: "
+			    "SA:%s still linked!\n",
+			    sa_len ? sa : " (error)");
 		return -EMLINK;
 	}
 	
 	hashval = ((tdbp->tdb_said.spi + tdbp->tdb_said.dst.s_addr + tdbp->tdb_said.proto) % TDB_HASHMOD);
 	
 	KLIPS_PRINT(debug_xform,
-		    "klips_debug:deltdb: deleting SA:%s, hashval=%d.\n",
-		    sa, hashval);
+		    "klips_debug:deltdb: "
+		    "deleting SA:%s, hashval=%d.\n",
+		    sa_len ? sa : " (error)",
+		    hashval);
 	if(!tdbh[hashval]) {
 		KLIPS_PRINT(debug_xform,
-			    "klips_debug:deltdb: no entries in tdb table for hash=%d of SA:%s.\n",
-			    hashval, sa);
+			    "klips_debug:deltdb: "
+			    "no entries in tdb table for hash=%d of SA:%s.\n",
+			    hashval,
+			    sa_len ? sa : " (error)");
 		return -ENOENT;
 	}
 	
@@ -202,7 +222,8 @@
 		tdbh[hashval] = tdbh[hashval]->tdb_hnext;
 		tdbp->tdb_hnext = NULL;
 		KLIPS_PRINT(debug_xform,
-			    "klips_debug:deltdb: successfully deleted first tdb in chain.\n");
+			    "klips_debug:deltdb: "
+			    "successfully deleted first tdb in chain.\n");
 		return 0;
 	} else {
 		for (tdbtp = tdbh[hashval]; tdbtp; tdbtp = tdbtp->tdb_hnext) {
@@ -210,53 +231,62 @@
 				tdbtp->tdb_hnext = tdbp->tdb_hnext;
 				tdbp->tdb_hnext = NULL;
 				KLIPS_PRINT(debug_xform,
-					    "klips_debug:deltdb: successfully "
-					    "deleted link in tdb chain.\n");
+					    "klips_debug:deltdb: "
+					    "successfully deleted link in tdb chain.\n");
 				return 0;
 			}
 		}
 	}
 	
 	KLIPS_PRINT(debug_xform,
-		    "klips_debug:deltdb: no entries in linked list for hash=%d of SA:%s.\n",
-		    hashval, sa);
+		    "klips_debug:deltdb: "
+		    "no entries in linked list for hash=%d of SA:%s.\n",
+		    hashval,
+		    sa_len ? sa : " (error)");
 	return -ENOENT;
 }
 
-/* This tdb better be locked before it is handed in, or races might
- * happen */
-
+/*
+  The tdb table better be locked before it is handed in, or races might happen
+*/
 int
 deltdbchain(struct tdb *tdbp)
 {
 	struct tdb *tdbdel;
 	int error = 0;
         char sa[SATOA_BUF];
+	size_t sa_len;
 
 	if(!tdbp) {
 		KLIPS_PRINT(debug_xform,
-			    "klips_error:deltdbchain: null pointer passed in!\n");
+			    "klips_error:deltdbchain: "
+			    "null pointer passed in!\n");
 		return -ENODATA;
 	}
 
-	satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
+	sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
 	KLIPS_PRINT(debug_xform,
-		    "klips_debug:deltdbchain: passed SA:%s\n", sa);
+		    "klips_debug:deltdbchain: "
+		    "passed SA:%s\n",
+		    sa_len ? sa : " (error)");
 	while(tdbp->tdb_onext) {
 		tdbp = tdbp->tdb_onext;
 	}
 
 	while(tdbp) {
 		/* XXX send a pfkey message up to advise of deleted TDB */
-		satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
+		sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
 		KLIPS_PRINT(debug_xform,
-			    "klips_debug:deltdbchain: unlinking and delting SA:%s", sa);
+			    "klips_debug:deltdbchain: "
+			    "unlinking and delting SA:%s",
+			    sa_len ? sa : " (error)");
 		tdbdel = tdbp;
 		tdbp = tdbp->tdb_inext;
 		if(tdbp) {
-			satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
+			sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
 			KLIPS_PRINT(debug_xform,
-				    ", inext=%s", sa);
+				    ", inext=%s",
+				    sa_len ? sa : " (error)");
 			tdbdel->tdb_inext = NULL;
 			tdbp->tdb_onext = NULL;
 		}
@@ -284,34 +314,39 @@
 {
 	int alg;
 	struct xformsw *xsp;
-	int len;
+	int error = 0;
         int i;
-#if defined(CONFIG_IPSEC_ENC_3DES)
+#if defined(CONFIG_IPSEC_ENC_DES) || defined(CONFIG_IPSEC_ENC_3DES)
         int error;
-#endif /* CONFIG_IPSEC_ENC_3DES */
+#endif /* CONFIG_IPSEC_ENC_{,3}DES */
 
         char sa[SATOA_BUF];
         size_t sa_len;
 
 	if(!tdbp || !em) {
 		KLIPS_PRINT(debug_xform,
-			    "klips_error:tdb_init: null pointer passed in!\n");
+			    "klips_error:tdb_init: "
+			    "null pointer passed in!\n");
 		SENDERR(ENODATA);
 	}
 
 	sa_len = satoa(em->em_said, 0, sa, SATOA_BUF);
 
         KLIPS_PRINT(debug_esp,
-		    "klips_debug:tdb_init: (algo_switch defined) called for SA:%s\n", sa);
+		    "klips_debug:tdb_init: "
+		    "(algo_switch defined) called for SA:%s\n",
+		    sa_len ? sa : " (error)");
 	alg = em->em_alg;
 	
 	for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) {
 		if (xsp->xf_type == alg) {
 			KLIPS_PRINT(debug_netlink,
-				    "klips_debug:tdb_init: called with tdbp=0x%p, xsp=0x%p, em=0x%p\n",
+				    "klips_debug:tdb_init: "
+				    "called with tdbp=0x%p, xsp=0x%p, em=0x%p\n",
 				    tdbp, xsp, em);
 			KLIPS_PRINT(debug_netlink,
-				    "klips_debug:tdb_init: calling init routine of %s\n",
+				    "klips_debug:tdb_init: "
+				    "calling init routine of %s\n",
 				    xsp->xf_name);
 			tdbp->tdb_xform = xsp;
 			tdbp->tdb_replaywin_lastseq = 0;
@@ -363,22 +398,23 @@
 				
 				if (ed->ame_klen != AHMD596_KLEN) {
 					KLIPS_PRINT(debug_ah,
-						    "klips_debug:tdb_init: incorrect key size: %d"
-						    "-- must be %d octets (bytes)\n",
+						    "klips_debug:tdb_init: "
+						    "incorrect key size: %d -- must be %d octets (bytes)\n",
 						    ed->ame_klen, AHMD596_KLEN);
 					SENDERR(EINVAL);
 				}
 				
 				if (ed->ame_alen != AHMD596_ALEN) {
 					KLIPS_PRINT(debug_ah,
-						    "klips_debug:tdb_init: authenticator size: %d"
-						    " -- must be %d octets (bytes)\n",
+						    "klips_debug:tdb_init: "
+						    "authenticator size: %d -- must be %d octets (bytes)\n",
 						    ed->ame_alen, AHMD596_ALEN);
 					SENDERR(EINVAL);
 				}
 				
 				KLIPS_PRINT(debug_ah,
-					    "klips_debug:tdb_init: hmac md5-96 key is 0x%08x %08x %08x %08x\n",
+					    "klips_debug:tdb_init: "
+					    "hmac md5-96 key is 0x%08x %08x %08x %08x\n",
 					    (__u32)ntohl(*(((__u32 *)ed->ame_key)+0)),
 					    (__u32)ntohl(*(((__u32 *)ed->ame_key)+1)),
 					    (__u32)ntohl(*(((__u32 *)ed->ame_key)+2)),
@@ -389,8 +425,8 @@
 				
 				if(ed->ame_ooowin > 64) {
 					KLIPS_PRINT(debug_ah,
-						    "klips_debug:tdb_init: replay window size: %d"
-						    " -- must be 0 <= size <= 64\n",
+						    "klips_debug:tdb_init: "
+						    "replay window size: %d -- must be 0 <= size <= 64\n",
 						    ed->ame_ooowin);
 					SENDERR(EINVAL);
 				}
@@ -422,8 +458,8 @@
 				MD5Update(octx, kb, AHMD596_BLKLEN);
 				
 				KLIPS_PRINT(debug_ah,
-					    "klips_debug:tdb_init: MD5 ictx=0x%08x %08x %08x %08x"
-					    " octx=0x%08x %08x %08x %08x\n",
+					    "klips_debug:tdb_init: "
+					    "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
 					    ((__u32*)ictx)[0],
 					    ((__u32*)ictx)[1],
 					    ((__u32*)ictx)[2],
@@ -456,22 +492,23 @@
 				
 				if (ed->ame_klen != AHSHA196_KLEN) {
 					KLIPS_PRINT(debug_ah,
-						    "klips_debug:tdb_init: incorrect key size: %d"
-						    "-- must be %d octets (bytes)\n",
+						    "klips_debug:tdb_init: "
+						    "incorrect key size: %d -- must be %d octets (bytes)\n",
 						    ed->ame_klen, AHSHA196_KLEN);
 					SENDERR(EINVAL);
 				}
 				
 				if (ed->ame_alen != AHSHA196_ALEN) {
 					KLIPS_PRINT(debug_ah,
-						    "klips_debug:tdb_init: authenticator size: %d"
-						    " -- must be %d octets (bytes)\n",
+						    "klips_debug:tdb_init: "
+						    "authenticator size: %d -- must be %d octets (bytes)\n",
 						    ed->ame_alen, AHSHA196_ALEN);
 					SENDERR(EINVAL);
 				}
 				
 				KLIPS_PRINT(debug_ah,
-					    "klips_debug:tdb_init: hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
+					    "klips_debug:tdb_init: "
+					    "hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
 					    (__u32)ntohl(*(((__u32 *)ed->ame_key)+0)),
 					    (__u32)ntohl(*(((__u32 *)ed->ame_key)+1)),
 					    (__u32)ntohl(*(((__u32 *)ed->ame_key)+2)),
@@ -482,8 +519,8 @@
 				
 				if(ed->ame_ooowin > 64) {
 					KLIPS_PRINT(debug_ah,
-						    "klips_debug:tdb_init: replay window size: %d"
-						    " -- must be 0 <= size <= 64\n",
+						    "klips_debug:tdb_init: "
+						    "replay window size: %d -- must be 0 <= size <= 64\n",
 						    ed->ame_ooowin);
 					SENDERR(EINVAL);
 				}
@@ -513,8 +550,8 @@
 				SHA1Update(octx, kb, AHSHA196_BLKLEN);
 				
 				KLIPS_PRINT(debug_ah,
-					    "klips_debug:tdb_init: SHA1 ictx=0x%08x %08x %08x %08x"
-					    " octx=0x%08x %08x %08x %08x\n", 
+					    "klips_debug:tdb_init: "
+					    "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n", 
 					    ((__u32*)ictx)[0],
 					    ((__u32*)ictx)[1],
 					    ((__u32*)ictx)[2],
@@ -534,6 +571,16 @@
 #endif /* CONFIG_IPSEC_AH */
 
 #ifdef CONFIG_IPSEC_ESP
+#ifdef CONFIG_IPSEC_ENC_DES
+			case XF_ESPDES:
+#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
+			case XF_ESPDESMD596:
+#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
+#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
+			case XF_ESPDESSHA196:
+#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
+#endif /* CONFIG_IPSEC_ENC_DES */
+
 #ifdef CONFIG_IPSEC_ENC_3DES
 			case XF_ESP3DES:
 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
@@ -543,14 +590,6 @@
 			case XF_ESP3DESSHA196:
 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
 #endif /* CONFIG_IPSEC_ENC_3DES */
-#ifdef CONFIG_IPSEC_ENC_NULL
-#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
-			case XF_ESPNULLMD596:
-#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
-			case XF_ESPNULLSHA196:
-#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
-#endif /* CONFIG_IPSEC_ENC_NULL */
 			{
 				struct espblkrply_edata *ed;
 				unsigned char kb[AHMD596_BLKLEN];
@@ -570,8 +609,8 @@
 
 				if(ed->eme_ooowin > 64) {
 					KLIPS_PRINT(debug_esp,
-						    "klips_debug:tdb_init: replay window size: %d"
-						    "-- must be 0 <= size <= 64\n",
+						    "klips_debug:tdb_init: "
+						    "replay window size: %d -- must be 0 <= size <= 64\n",
 						    ed->eme_ooowin);
 					SENDERR(EINVAL);
 				}
@@ -581,6 +620,9 @@
 				case XF_ESP3DES:
 				case XF_ESP3DESMD596:
 				case XF_ESP3DESSHA196:
+				case XF_ESPDES:
+				case XF_ESPDESMD596:
+				case XF_ESPDESSHA196:
 					if((tdbp->tdb_iv = (caddr_t)
 					   kmalloc((tdbp->tdb_iv_size = EMT_ESPDES_IV_SZ), GFP_ATOMIC)) == NULL) {
 						SENDERR(ENOMEM);
@@ -592,6 +634,45 @@
 				}
 
 				switch(alg) {
+
+#ifdef CONFIG_IPSEC_ENC_DES
+				case XF_ESPDES:
+				case XF_ESPDESMD596:
+				case XF_ESPDESSHA196:
+					tdbp->tdb_encalg = ESP_DES;
+				
+					if (ed->eme_klen != EMT_ESPDES_KEY_SZ) {
+						KLIPS_PRINT(debug_esp,
+							    "klips_debug:tdb_init: "
+							    "incorrect encryption key size: %d -- must be %d octets (bytes)\n",
+							    ed->eme_klen, EMT_ESPDES_KEY_SZ);
+						SENDERR(EINVAL);
+					}
+
+					tdbp->tdb_key_bits_e = ed->eme_klen;
+
+					if((tdbp->tdb_key_e = (caddr_t)
+					   kmalloc((tdbp->tdb_key_e_size = sizeof(struct des_eks)),
+						   GFP_ATOMIC)) == NULL) {
+						SENDERR(ENOMEM);
+					}
+
+						error = des_set_key((caddr_t)(ed->eme_key),
+								    (caddr_t)&((struct des_eks*)(tdbp->tdb_key_e)));
+						if (error == -1)
+							printk("klips_debug:tdb_init: "
+							       "parity error in des key\n");
+						else if (error == -2)
+							printk("klips_debug:tdb_init: "
+							       "illegal weak des key\n");
+						if (error) {
+							memset(tdbp->tdb_key_e, 0, sizeof(struct des_eks));
+							kfree(tdbp->tdb_key_e);
+							SENDERR(EINVAL);
+						}
+
+					break;
+#endif /* CONFIG_IPSEC_ENC_DES */
 #ifdef CONFIG_IPSEC_ENC_3DES
 				case XF_ESP3DES:
 				case XF_ESP3DESMD596:
@@ -600,8 +681,8 @@
 				
 					if (ed->eme_klen != EMT_ESP3DES_KEY_SZ) {
 						KLIPS_PRINT(debug_esp,
-							    "klips_debug:tdb_init: incorrect encryption "
-							    "key size: %d -- must be %d octets (bytes)\n",
+							    "klips_debug:tdb_init: "
+							    "incorrect encryption key size: %d -- must be %d octets (bytes)\n",
 							    ed->eme_klen, EMT_ESP3DES_KEY_SZ);
 						SENDERR(EINVAL);
 					}
@@ -617,7 +698,8 @@
 					for(i = 0; i < 3; i++) {
 #if 0
 						KLIPS_PRINT(debug_esp,
-							    "klips_debug:tdb_init: 3des key %d/3 is 0x%08lx%08lx\n",
+							    "klips_debug:tdb_init: "
+							    "3des key %d/3 is 0x%08lx%08lx\n",
 							    i + 1,
 							    ntohl(*((__u32 *)ed->eme_key + i * 2)),
 							    ntohl(*((__u32 *)ed->eme_key + i * 2 + 1)));
@@ -625,9 +707,11 @@
 						error = des_set_key((caddr_t)(ed->eme_key) + EMT_ESPDES_KEY_SZ * i,
 								    (caddr_t)&((struct des_eks*)(tdbp->tdb_key_e))[i]);
 						if (error == -1)
-							printk("klips_debug:tdb_init: parity error in des key %d/3\n", i + 1);
+							printk("klips_debug:tdb_init: "
+							       "parity error in des key %d/3\n", i + 1);
 						else if (error == -2)
-							printk("klips_debug:tdb_init: illegal weak des key %d/3\n", i + 1);
+							printk("klips_debug:tdb_init: "
+							       "illegal weak des key %d/3\n", i + 1);
 						if (error) {
 							memset(tdbp->tdb_key_e, 0, 3 * sizeof(struct des_eks));
 							kfree(tdbp->tdb_key_e);
@@ -643,6 +727,7 @@
 
 				switch(alg) {
 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
+				case XF_ESPDESMD596:
 				case XF_ESP3DESMD596:
 				case XF_ESPNULLMD596:
 				{
@@ -653,8 +738,8 @@
 				
 					if (ed->ame_klen != AHMD596_KLEN) {
 						KLIPS_PRINT(debug_esp,
-							    "klips_debug:tdb_init: incorrect authorisation "
-							    " key size: %d -- must be %d octets (bytes)\n",
+							    "klips_debug:tdb_init: "
+							    "incorrect authorisation  key size: %d -- must be %d octets (bytes)\n",
 							    ed->ame_klen, AHMD596_KLEN);
 						SENDERR(EINVAL);
 					}
@@ -669,7 +754,8 @@
 						SENDERR(ENOMEM);
 					}
 					KLIPS_PRINT(debug_esp,
-						    "klips_debug:tdb_init: hmac md5-96 key is 0x%08x %08x %08x %08x\n",
+						    "klips_debug:tdb_init: "
+						    "hmac md5-96 key is 0x%08x %08x %08x %08x\n",
 						    (__u32)ntohl(*(((__u32 *)ed->ame_key)+0)),
 						    (__u32)ntohl(*(((__u32 *)ed->ame_key)+1)),
 						    (__u32)ntohl(*(((__u32 *)ed->ame_key)+2)),
@@ -698,8 +784,8 @@
 					MD5Update(octx, kb, AHMD596_BLKLEN);
 					
 					KLIPS_PRINT(debug_esp,
-						    "klips_debug:tdb_init: MD5 ictx=0x%08x %08x %08x %08x"
-						    " octx=0x%08x %08x %08x %08x\n",
+						    "klips_debug:tdb_init: "
+						    "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
 						    ((__u32*)ictx)[0],
 						    ((__u32*)ictx)[1],
 						    ((__u32*)ictx)[2],
@@ -717,6 +803,7 @@
 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
 				case XF_ESPNULLSHA196:
+				case XF_ESPDESSHA196:
 				case XF_ESP3DESSHA196:
 				{
 					SHA1_CTX *ictx;
@@ -726,8 +813,8 @@
 				
 					if (ed->ame_klen != AHSHA196_KLEN) {
 						KLIPS_PRINT(debug_esp,
-							    "klips_debug:tdb_init: incorrect authorisation "
-							    " key size: %d -- must be %d octets (bytes)\n",
+							    "klips_debug:tdb_init: "
+							    "incorrect authorisation key size: %d -- must be %d octets (bytes)\n",
 							    ed->ame_klen, AHSHA196_KLEN);
 						SENDERR(EINVAL);
 					}
@@ -741,7 +828,8 @@
 						SENDERR(ENOMEM);
 					}
 					KLIPS_PRINT(debug_esp,
-						    "klips_debug:tdb_init: hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
+						    "klips_debug:tdb_init: "
+						    "hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
 						    (__u32)ntohl(*(((__u32 *)ed->ame_key)+0)),
 						    (__u32)ntohl(*(((__u32 *)ed->ame_key)+1)),
 						    (__u32)ntohl(*(((__u32 *)ed->ame_key)+2)),
@@ -768,8 +856,8 @@
 					SHA1Update(octx, kb, AHSHA196_BLKLEN);
 				
 					KLIPS_PRINT(debug_esp,
-						    "klips_debug:tdb_init: SHA1 ictx=0x%08x %08x %08x %08x"
-						    " octx=0x%08x %08x %08x %08x\n",
+						    "klips_debug:tdb_init: "
+						    "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
 						    ((__u32*)ictx)[0],
 						    ((__u32*)ictx)[1],
 						    ((__u32*)ictx)[2],
@@ -785,6 +873,7 @@
 					break;
 				}
 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
+				case XF_ESPDES:
 				case XF_ESP3DES:
 					tdbp->tdb_authalg = AH_NONE;
 					break;
@@ -795,18 +884,22 @@
 #endif /* !CONFIG_IPSEC_ESP */
 			default:
 				KLIPS_PRINT(debug_xform,
-					    "klips_debug:tdb_init: alg=%d not configured\n", alg);
+					    "klips_debug:tdb_init: "
+					    "alg=%d not configured\n",
+					    alg);
 				SENDERR(ESOCKTNOSUPPORT);
 			}
 			SENDERR(0);
 		}
 	}
 	KLIPS_PRINT(debug_xform & DB_XF_INIT,
-		    "klips_debug:tdb_init: unregistered algorithm %d requested\n"
-		    "klips_debug:   trying to setup SA:%s\n", alg, sa);
+		    "klips_debug:tdb_init: "
+		    "unregistered algorithm %d requested trying to setup SA:%s\n",
+		    alg,
+		    sa_len ? sa : " (error)");
 	SENDERR(EINVAL);
 errlab:
-	return len;
+	return error;
 }
 #endif
 
@@ -817,9 +910,12 @@
 	int error = 0;
 	struct tdb *tdbp, **tdbprev, *tdbdel;
         char sa[SATOA_BUF];
+	size_t sa_len;
 
 	KLIPS_PRINT(debug_xform,
-		    "klips_debug:ipsec_tdbcleanup: cleaning up proto=%d.\n", proto);
+		    "klips_debug:ipsec_tdbcleanup: "
+		    "cleaning up proto=%d.\n",
+		    proto);
 
 	spin_lock_bh(&tdb_lock);
 
@@ -827,56 +923,67 @@
 		tdbprev = &(tdbh[i]);
 		tdbp = tdbh[i];
 		for(; tdbp;) {
-			satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
+			sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
 			KLIPS_PRINT(debug_xform,
-				    "klips_debug:ipsec_tdbcleanup: checking SA:%s, hash=%d",
-				    sa, i);
+				    "klips_debug:ipsec_tdbcleanup: "
+				    "checking SA:%s, hash=%d",
+				    sa_len ? sa : " (error)",
+				    i);
 			tdbdel = tdbp;
 			tdbp = tdbdel->tdb_hnext;
 			if(tdbp) {
-				satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
+				sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
 				KLIPS_PRINT(debug_xform,
-					    ", hnext=%s", sa);
+					    ", hnext=%s",
+					    sa_len ? sa : " (error)");
 			}
 			if(*tdbprev) {
-				satoa((*tdbprev)->tdb_said, 0, sa, SATOA_BUF);
+				sa_len = satoa((*tdbprev)->tdb_said, 0, sa, SATOA_BUF);
 				KLIPS_PRINT(debug_xform,
-					    ", *tdbprev=%s", sa);
+					    ", *tdbprev=%s",
+					    sa_len ? sa : " (error)");
 				if((*tdbprev)->tdb_hnext) {
-					satoa((*tdbprev)->tdb_hnext->tdb_said, 0, sa, SATOA_BUF);
+					sa_len = satoa((*tdbprev)->tdb_hnext->tdb_said, 0, sa, SATOA_BUF);
 					KLIPS_PRINT(debug_xform,
-						    ", *tdbprev->tdb_hnext=%s", sa);
+						    ", *tdbprev->tdb_hnext=%s",
+						    sa_len ? sa : " (error)");
 				}
 			}
 			KLIPS_PRINT(debug_xform,
 				    ".\n");
 			if(!proto || (proto == tdbdel->tdb_said.proto)) {
-				satoa(tdbdel->tdb_said, 0, sa, SATOA_BUF);
+				sa_len = satoa(tdbdel->tdb_said, 0, sa, SATOA_BUF);
 				KLIPS_PRINT(debug_xform,
-					    "klips_debug:ipsec_tdbcleanup: deleting SA chain:%s.\n",
-					    sa);
-				/* *tdbprev = tdbdel->tdb_hnext; */
+					    "klips_debug:ipsec_tdbcleanup: "
+					    "deleting SA chain:%s.\n",
+					    sa_len ? sa : " (error)");
 				if((error = deltdbchain(tdbdel))) {
-					goto errlab;
+					SENDERR(-error);
 				}
 				tdbprev = &(tdbh[i]);
 				tdbp = tdbh[i];
 
 				KLIPS_PRINT(debug_xform,
-					    "klips_debug:ipsec_tdbcleanup: deleted SA chain:%s", sa);
+					    "klips_debug:ipsec_tdbcleanup: "
+					    "deleted SA chain:%s",
+					    sa_len ? sa : " (error)");
 				if(tdbp) {
-					satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
+					sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
 					KLIPS_PRINT(debug_xform,
-						    ", tdbh[%d]=%s", i, sa);
+						    ", tdbh[%d]=%s",
+						    i,
+						    sa_len ? sa : " (error)");
 				}
 				if(*tdbprev) {
-					satoa((*tdbprev)->tdb_said, 0, sa, SATOA_BUF);
+					sa_len = satoa((*tdbprev)->tdb_said, 0, sa, SATOA_BUF);
 					KLIPS_PRINT(debug_xform,
-						    ", *tdbprev=%s", sa);
+						    ", *tdbprev=%s",
+						    sa_len ? sa : " (error)");
 					if((*tdbprev)->tdb_hnext) {
-						satoa((*tdbprev)->tdb_hnext->tdb_said, 0, sa, SATOA_BUF);
+						sa_len = satoa((*tdbprev)->tdb_hnext->tdb_said, 0, sa, SATOA_BUF);
 						KLIPS_PRINT(debug_xform,
-							    ", *tdbprev->tdb_hnext=%s", sa);
+							    ", *tdbprev->tdb_hnext=%s",
+							    sa_len ? sa : " (error)");
 					}
 				}
 				KLIPS_PRINT(debug_xform,
@@ -890,14 +997,14 @@
 
 	spin_unlock_bh(&tdb_lock);
 
-	return(-error);
+	return(error);
 }
 
 int
 ipsec_tdbwipe(struct tdb *tdbp)
 {
 	if(!tdbp) {
-		return -1;
+		return -ENODATA;
 	}
 
 	if(tdbp->tdb_addr_s) {
@@ -961,6 +1068,22 @@
 
 /*
  * $Log: ipsec_xform.c,v $
+ * Revision 1.51  2001/05/30 08:14:03  rgb
+ * Removed vestiges of esp-null transforms.
+ *
+ * Revision 1.50  2001/05/03 19:43:18  rgb
+ * Initialise error return variable.
+ * Update SENDERR macro.
+ * Fix sign of error return code for ipsec_tdbcleanup().
+ * Use more appropriate return code for ipsec_tdbwipe().
+ *
+ * Revision 1.49  2001/04/19 18:56:17  rgb
+ * Fixed tdb table locking comments.
+ *
+ * Revision 1.48  2001/02/27 22:24:55  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
  * Revision 1.47  2000/11/06 04:32:08  rgb
  * Ditched spin_lock_irqsave in favour of spin_lock_bh.
  *
@@ -976,9 +1099,6 @@
  *
  * Revision 1.43  2000/08/18 21:30:41  rgb
  * Purged all tdb_spi, tdb_proto and tdb_dst macros.  They are unclear.
- *
- * Revision 1.42  2000/08/01 14:51:51  rgb
- * Removed _all_ remaining traces of DES.
  *
  * Revision 1.41  2000/07/28 14:58:31  rgb
  * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
diff -bruN freeswan-1.9.orig/klips/net/ipsec/ipsec_xform.h freeswan-1.9/klips/net/ipsec/ipsec_xform.h
--- freeswan-1.9.orig/klips/net/ipsec/ipsec_xform.h	Tue Jan 30 18:42:47 2001
+++ freeswan-1.9/klips/net/ipsec/ipsec_xform.h	Tue Jun 12 16:08:37 2001
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ipsec_xform.h,v 1.29 2001/01/30 23:42:47 rgb Exp $
+ * RCSID $Id: ipsec_xform.h,v 1.30 2001/05/30 08:14:03 rgb Exp $
  */
 
 #include 
@@ -22,16 +22,22 @@
 #define XF_IP4			1	/* IPv4 inside IPv4 */
 #define XF_AHMD5		2	/* AH MD5 */
 #define XF_AHSHA		3	/* AH SHA */
+#define XF_ESPDESOLD		4	/* old ESP DES-CBC */
 #define XF_ESP3DES		5	/* ESP DES3-CBC */
 #define XF_AHHMACMD5		6	/* AH-HMAC-MD5 with opt replay prot */
 #define XF_AHHMACSHA1		7	/* AH-HMAC-SHA1 with opt replay prot */
+#define XF_ESPDESMD5		8	/* DES, HMAC-MD-5, 128-bits of authentication */
 #define XF_ESP3DESMD5		9	/* triple DES, HMAC-MD-5, 128-bits of authentication */
 #define	XF_ESP3DESMD596		10	/* triple DES, HMAC-MD-5, 96-bits of authentication */
+#define	XF_ESPDESMD596		11	/* DES, HMAC-MD-5, 96-bits of authentication */
 #define	XF_ESPNULLMD596		12	/* NULL, HMAC-MD-5 with 96-bits of authentication */
 #define	XF_ESPNULLSHA196	13	/* NULL, HMAC-SHA-1 with 96-bits of authentication */
 #define	XF_ESP3DESSHA196	14	/* triple DES, HMAC-SHA-1, 96-bits of authentication */
-#define XF_IP6			15	/* IPv6 inside IPv6 */
-#define XF_COMPDEFLATE		16	/* IPCOMP deflate */
+#define	XF_ESPDESSHA196		15	/* DES, HMAC-SHA-1, 96-bits of authentication */
+#define	XF_ESPDES		16	/* ESP DES */
+
+#define XF_IP6			17	/* IPv6 inside IPv6 */
+#define XF_COMPDEFLATE		18	/* IPCOMP deflate */
 
 #define XF_CLR			126	/* Clear SA table */
 #define XF_DEL			127	/* Delete SA */
@@ -44,16 +50,20 @@
 #define AH_NONE                  0
 #define AH_MD5                   2
 #define AH_SHA                   3
+#define AH_DES                   4
 
 /* IPsec ESP transform values */
 
 #define ESP_NONE		 0
+#define ESP_DES_IV64             1
+#define ESP_DES                  2
 #define ESP_3DES                 3
 #define ESP_RC5                  4
 #define ESP_IDEA                 5
 #define ESP_CAST                 6
 #define ESP_BLOWFISH             7
 #define ESP_3IDEA                8
+#define ESP_DES_IV32             9
 #define ESP_RC4                 10
 #define ESP_NULL                11
 
@@ -179,8 +189,8 @@
 		((x)->tdb_encalg == SADB_X_CALG_DEFLATE ? \
 		 "_DEFLATE" : "_UNKNOWN_comp") : \
 	(x)->tdb_encalg == ESP_NONE ? "" : \
+	(x)->tdb_encalg == ESP_DES ? "_DES" : \
 	(x)->tdb_encalg == ESP_3DES ? "_3DES" : \
-	(x)->tdb_encalg == ESP_NULL ? "_NULL_encr" : \
 	"_UNKNOWN_encr", \
 	(x)->tdb_authalg == AH_NONE ? "" : \
 	(x)->tdb_authalg == AH_MD5 ? "_HMAC_MD5" : \
@@ -216,6 +226,9 @@
 
 /*
  * $Log: ipsec_xform.h,v $
+ * Revision 1.30  2001/05/30 08:14:03  rgb
+ * Removed vestiges of esp-null transforms.
+ *
  * Revision 1.29  2001/01/30 23:42:47  rgb
  * Allow pfkey msgs from pid other than user context required for ACQUIRE
  * and subsequent ADD or UDATE.
@@ -247,9 +260,6 @@
  * Revision 1.20  2000/08/30 05:31:01  rgb
  * Removed all the rest of the references to tdb_spi, tdb_proto, tdb_dst.
  * Kill remainder of tdb_xform, tdb_xdata, xformsw.
- *
- * Revision 1.19  2000/08/01 14:51:52  rgb
- * Removed _all_ remaining traces of DES.
  *
  * Revision 1.18  2000/01/21 06:17:45  rgb
  * Tidied up spacing.
diff -bruN freeswan-1.9.orig/klips/net/ipsec/pfkey_v2.c freeswan-1.9/klips/net/ipsec/pfkey_v2.c
--- freeswan-1.9.orig/klips/net/ipsec/pfkey_v2.c	Mon Feb 26 19:51:01 2001
+++ freeswan-1.9/klips/net/ipsec/pfkey_v2.c	Mon Jun  4 11:34:31 2001
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: pfkey_v2.c,v 1.51.2.1 2001/02/27 00:51:01 henry Exp $
+ * RCSID $Id: pfkey_v2.c,v 1.58 2001/05/04 16:37:24 rgb Exp $
  */
 
 /*
@@ -275,7 +275,10 @@
 pfkey_data_ready(struct sock *sk, int len)
 {
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_data_ready: .sk=%p len=%d\n", sk, len);
+		    "klips_debug:pfkey_data_ready: "
+		    "sk=%p len=%d\n",
+		    sk,
+		    len);
 	if(!sk->dead) {
 		wake_up_interruptible(sk->sleep);
 		sock_wake_async(sk->socket, 1);
@@ -298,7 +301,9 @@
 pfkey_insert_socket(struct sock *sk)
 {
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_insert_socket: sk=%p\n", sk);
+		    "klips_debug:pfkey_insert_socket: "
+		    "sk=%p\n",
+		    sk);
 	cli();
 	sk->next=pfkey_sock_list;
 	pfkey_sock_list=sk;
@@ -321,14 +326,16 @@
 			sk->next=NULL;
 			sti();
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug:pfkey_remove_socket: succeeded.\n");
+				    "klips_debug:pfkey_remove_socket: "
+				    "succeeded.\n");
 			return;
 		}
 		s=&((*s)->next);
 	}
 	sti();
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_remove_socket: not found.\n");
+		    "klips_debug:pfkey_remove_socket: "
+		    "not found.\n");
 	return;
 }
 
@@ -341,7 +348,8 @@
 		    "klips_debug:pfkey_destroy_socket: .\n");
 	pfkey_remove_socket(sk);
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_destroy_socket: pfkey_remove_socket called.\n");
+		    "klips_debug:pfkey_destroy_socket: "
+		    "pfkey_remove_socket called.\n");
 	
 	KLIPS_PRINT(debug_pfkey,
 		    "klips_debug:pfkey_destroy_socket: "
@@ -355,8 +363,10 @@
 #ifdef CONFIG_IPSEC_DEBUG
 		if(debug_pfkey && sysctl_ipsec_debug_verbose) {
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug:pfkey_destroy_socket: skb=%p dequeued.\n", skb);
-			printk(KERN_INFO "klips_debug: pfkey_skb contents:");
+				    "klips_debug:pfkey_destroy_socket: "
+				    "skb=%p dequeued.\n", skb);
+			printk(KERN_INFO "klips_debug:pfkey_destroy_socket: "
+			       "pfkey_skb contents:");
 			printk(" next:%p", skb->next);
 			printk(" prev:%p", skb->prev);
 			printk(" list:%p", skb->list);
@@ -386,8 +396,8 @@
 			}
 			printk(" len:%d", skb->len);
 			printk(" csum:%d", skb->csum);
-			printk(" used:%d", skb->used);
 #ifndef NETDEV_23
+			printk(" used:%d", skb->used);
 			printk(" is_clone:%d", skb->is_clone);
 #endif /* NETDEV_23 */
 			printk(" cloned:%d", skb->cloned);
@@ -413,12 +423,16 @@
 		}
 #endif /* CONFIG_IPSEC_DEBUG */
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_destroy_socket: skb=%p freed.\n", skb);
+			    "klips_debug:pfkey_destroy_socket: "
+			    "skb=%p freed.\n",
+			    skb);
 		kfree_skb(skb);
 
 #else /* NET_21 */
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_destroy_socket: skb=%p dequeued and freed.\n", skb);
+			    "klips_debug:pfkey_destroy_socket: "
+			    "skb=%p dequeued and freed.\n",
+			    skb);
 		kfree_skb(skb, FREE_WRITE);
 
 #endif /* NET_21 */
@@ -434,19 +448,21 @@
 int
 pfkey_upmsg(struct socket *sock, struct sadb_msg *pfkey_msg)
 {
-	int error;
+	int error = 0;
 	struct sk_buff * skb = NULL;
 	struct sock *sk;
 
 	if(sock == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_upmsg: NULL socket passed in.\n");
+			    "klips_debug:pfkey_upmsg: "
+			    "NULL socket passed in.\n");
 		return -EINVAL;
 	}
 
 	if(pfkey_msg == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_upmsg: NULL pfkey_msg passed in.\n");
+			    "klips_debug:pfkey_upmsg: "
+			    "NULL pfkey_msg passed in.\n");
 		return -EINVAL;
 	}
 
@@ -458,27 +474,31 @@
 
 	if(sk == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_upmsg: NULL sock passed in.\n");
+			    "klips_debug:pfkey_upmsg: "
+			    "NULL sock passed in.\n");
 		return -EINVAL;
 	}
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_upmsg: allocating %d bytes...\n",
+		    "klips_debug:pfkey_upmsg: "
+		    "allocating %d bytes...\n",
 		    pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
 	if(!(skb = alloc_skb(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN, GFP_ATOMIC) )) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_upmsg: no buffers left to send up a message.\n");
+			    "klips_debug:pfkey_upmsg: "
+			    "no buffers left to send up a message.\n");
 		return -ENOBUFS;
 	}
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_upmsg: ...allocated at %p.\n", skb);
+		    "klips_debug:pfkey_upmsg: "
+		    "...allocated at %p.\n",
+		    skb);
 	
 	skb->dev = NULL;
 	
 	if(skb_tailroom(skb) < pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) {
 		printk(KERN_WARNING "klips_error:pfkey_upmsg: "
-		       "tried to skb_put %ld, %d available.  "
-		       "This should never happen, please report.\n",
+		       "tried to skb_put %ld, %d available.  This should never happen, please report.\n",
 		       (unsigned long int)pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN,
 		       skb_tailroom(skb));
 #ifdef NET_21
@@ -505,10 +525,11 @@
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_upmsg: "
 			    "error=%d calling sock_queue_rcv_skb with skb=%p.\n",
-			    error, skb);
+			    error,
+			    skb);
 		return error;
 	}
-	return 0;
+	return error;
 }
 
 DEBUG_NO_STATIC int
@@ -518,12 +539,14 @@
 
 	if(sock == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_create: socket NULL.\n");
+			    "klips_debug:pfkey_create: "
+			    "socket NULL.\n");
 		return -EINVAL;
 	}
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_create: sock=%p type:%d state:%d flags:%ld protocol:%d\n",
+		    "klips_debug:pfkey_create: "
+		    "sock=%p type:%d state:%d flags:%ld protocol:%d\n",
 		    sock,
 		    sock->type,
 		    (unsigned int)(sock->state),
@@ -531,19 +554,22 @@
 
 	if(sock->type != SOCK_RAW) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_create: only SOCK_RAW supported.\n");
+			    "klips_debug:pfkey_create: "
+			    "only SOCK_RAW supported.\n");
 		return -ESOCKTNOSUPPORT;
 	}
 
 	if(protocol != PF_KEY_V2) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_create: protocol not PF_KEY_V2.\n");
+			    "klips_debug:pfkey_create: "
+			    "protocol not PF_KEY_V2.\n");
 		return -EPROTONOSUPPORT;
 	}
 
 	if((current->uid != 0)) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_create: must be root to open pfkey sockets.\n");
+			    "klips_debug:pfkey_create: "
+			    "must be root to open pfkey sockets.\n");
 		return -EACCES;
 	}
 
@@ -558,7 +584,8 @@
 #endif /* NET_21 */
 	{
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_create: Out of memory trying to allocate.\n");
+			    "klips_debug:pfkey_create: "
+			    "Out of memory trying to allocate.\n");
 		MOD_DEC_USE_COUNT;
 		return -ENOMEM;
 	}
@@ -580,7 +607,8 @@
 	sk->protocol = protocol;
 	key_pid(sk) = current->pid;
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_create: sock->fasync_list=%p sk->sleep=%p.\n",
+		    "klips_debug:pfkey_create: "
+		    "sock->fasync_list=%p sk->sleep=%p.\n",
 		    sock->fasync_list,
 		    sk->sleep);
 #else /* NET_21 */
@@ -608,7 +636,8 @@
 	pfkey_list_insert_socket(sock, &pfkey_open_sockets);
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_create: Socket sock=%p sk=%p initialised.\n", sock, sk);
+		    "klips_debug:pfkey_create: "
+		    "Socket sock=%p sk=%p initialised.\n", sock, sk);
 	return 0;
 }
 
@@ -620,13 +649,15 @@
 
 	if(newsock==NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_dup: No new socket attached.\n");
+			    "klips_debug:pfkey_dup: "
+			    "No new socket attached.\n");
 		return -EINVAL;
 	}
 		
 	if(oldsock==NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_dup: No old socket attached.\n");
+			    "klips_debug:pfkey_dup: "
+			    "No old socket attached.\n");
 		return -EINVAL;
 	}
 		
@@ -639,7 +670,8 @@
 	/* May not have data attached */
 	if(sk==NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_dup: No sock attached to old socket.\n");
+			    "klips_debug:pfkey_dup: "
+			    "No sock attached to old socket.\n");
 		return -EINVAL;
 	}
 		
@@ -662,7 +694,8 @@
 
 	if(sock==NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_release: No socket attached.\n");
+			    "klips_debug:pfkey_release: "
+			    "No socket attached.\n");
 		return 0; /* -EINVAL; */
 	}
 		
@@ -675,12 +708,14 @@
 	/* May not have data attached */
 	if(sk==NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_release: No sk attached to sock=%p.\n", sock);
+			    "klips_debug:pfkey_release: "
+			    "No sk attached to sock=%p.\n", sock);
 		return 0; /* -EINVAL; */
 	}
 		
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_release: .sock=%p sk=%p\n", sock, sk);
+		    "klips_debug:pfkey_release: "
+		    "sock=%p sk=%p\n", sock, sk);
 
 #ifdef NET_21
 	if(!sk->dead)
@@ -704,7 +739,8 @@
 
 	MOD_DEC_USE_COUNT;
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_release: succeeded.\n");
+		    "klips_debug:pfkey_release: "
+		    "succeeded.\n");
 
 	return 0;
 }
@@ -714,7 +750,8 @@
 pfkey_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 {
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_bind: operation not supported.\n");
+		    "klips_debug:pfkey_bind: "
+		    "operation not supported.\n");
 	return -EINVAL;
 }
 
@@ -722,7 +759,8 @@
 pfkey_connect(struct socket *sock, struct sockaddr *uaddr, int addr_len, int flags)
 {
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_connect: operation not supported.\n");
+		    "klips_debug:pfkey_connect: "
+		    "operation not supported.\n");
 	return -EINVAL;
 }
 
@@ -730,7 +768,8 @@
 pfkey_socketpair(struct socket *a, struct socket *b)
 {
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_socketpair: operation not supported.\n");
+		    "klips_debug:pfkey_socketpair: "
+		    "operation not supported.\n");
 	return -EINVAL;
 }
 
@@ -738,7 +777,8 @@
 pfkey_accept(struct socket *sock, struct socket *newsock, int flags)
 {
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_aaccept: operation not supported.\n");
+		    "klips_debug:pfkey_aaccept: "
+		    "operation not supported.\n");
 	return -EINVAL;
 }
 
@@ -760,13 +800,15 @@
 {
 	
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_select: .sock=%p sk=%p sel_type=%d\n",
+		    "klips_debug:pfkey_select: "
+		    ".sock=%p sk=%p sel_type=%d\n",
 		    sock,
 		    sock->data,
 		    sel_type);
 	if(sock == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_select: Null socket passed in.\n");
+			    "klips_debug:pfkey_select: "
+			    "Null socket passed in.\n");
 		return -EINVAL;
 	}
 	return datagram_select(sock->data, sel_type, wait);
@@ -776,7 +818,8 @@
 pfkey_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 {
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_ioctl: not supported.\n");
+		    "klips_debug:pfkey_ioctl: "
+		    "not supported.\n");
 	return -EINVAL;
 }
 
@@ -784,7 +827,8 @@
 pfkey_listen(struct socket *sock, int backlog)
 {
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_listen: not supported.\n");
+		    "klips_debug:pfkey_listen: "
+		    "not supported.\n");
 	return -EINVAL;
 }
 #endif /* !NET_21 */
@@ -796,7 +840,8 @@
 
 	if(sock == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_shutdown: NULL socket passed in.\n");
+			    "klips_debug:pfkey_shutdown: "
+			    "NULL socket passed in.\n");
 		return -EINVAL;
 	}
 
@@ -808,12 +853,14 @@
 	
 	if(sk == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_shutdown: No sock attached to socket.\n");
+			    "klips_debug:pfkey_shutdown: "
+			    "No sock attached to socket.\n");
 		return -EINVAL;
 	}
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_shutdown: mode=%x.\n", mode);
+		    "klips_debug:pfkey_shutdown: "
+		    "mode=%x.\n", mode);
 	mode++;
 	
 	if(mode&SEND_SHUTDOWN) {
@@ -837,7 +884,8 @@
 
 	if(sock == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_setsockopt: Null socket passed in.\n");
+			    "klips_debug:pfkey_setsockopt: "
+			    "Null socket passed in.\n");
 		return -EINVAL;
 	}
 	
@@ -845,7 +893,8 @@
 	
 	if(sk == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_setsockopt: Null sock passed in.\n");
+			    "klips_debug:pfkey_setsockopt: "
+			    "Null sock passed in.\n");
 		return -EINVAL;
 	}
 #endif /* !NET_21 */
@@ -870,7 +919,8 @@
 
 	if(sock == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_setsockopt: Null socket passed in.\n");
+			    "klips_debug:pfkey_setsockopt: "
+			    "Null socket passed in.\n");
 		return -EINVAL;
 	}
 	
@@ -878,7 +928,8 @@
 	
 	if(sk == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_setsockopt: Null sock passed in.\n");
+			    "klips_debug:pfkey_setsockopt: "
+			    "Null sock passed in.\n");
 		return -EINVAL;
 	}
 #endif /* !NET_21 */
@@ -1073,17 +1124,19 @@
 		for(pfkey_socketsp = pfkey_open_sockets;
 		    pfkey_socketsp;
 		    pfkey_socketsp = pfkey_socketsp->next) {
+			int error_upmsg = 0;
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_sendmsg: "
 				    "sending up error=%d message=%p to socket=%p.\n",
 				    error,
 				    pfkey_reply,
 				    pfkey_socketsp->socketp);
-			if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
+			if((error_upmsg = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
 				KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_sendmsg: "
 					    "sending up error message to socket=%p failed with error=%d.\n",
-					    pfkey_socketsp->socketp, error);
+					    pfkey_socketsp->socketp,
+					    error_upmsg);
 				pfkey_msg_free(&pfkey_reply);
-				goto errlab;
+				SENDERR(-error);
 			}
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_sendmsg: "
 				    "sending up error message to socket=%p succeeded.\n",
@@ -1127,7 +1180,8 @@
 
 	if(sock == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_recvmsg: Null socket passed in.\n");
+			    "klips_debug:pfkey_recvmsg: "
+			    "Null socket passed in.\n");
 		return -EINVAL;
 	}
 
@@ -1139,13 +1193,15 @@
 
 	if(sk == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_recvmsg: Null sock passed in for sock=%p.\n", sock);
+			    "klips_debug:pfkey_recvmsg: "
+			    "Null sock passed in for sock=%p.\n", sock);
 		return -EINVAL;
 	}
 
 	if(msg == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_recvmsg: Null msghdr passed in for sock=%p, sk=%p.\n",
+			    "klips_debug:pfkey_recvmsg: "
+			    "Null msghdr passed in for sock=%p, sk=%p.\n",
 			    sock, sk);
 		return -EINVAL;
 	}
@@ -1155,7 +1211,8 @@
 		    sock, sk, msg, size);
 	if(flags & ~MSG_PEEK) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_sendmsg: flags (%d) other than MSG_PEEK not supported.\n",
+			    "klips_debug:pfkey_sendmsg: "
+			    "flags (%d) other than MSG_PEEK not supported.\n",
 			    flags);
 		return -EOPNOTSUPP;
 	}
@@ -1170,7 +1227,8 @@
 		
 	if(sk->err) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_sendmsg: sk->err=%d.\n", sk->err);
+			    "klips_debug:pfkey_sendmsg: "
+			    "sk->err=%d.\n", sk->err);
 		return sock_error(sk);
 	}
 
@@ -1286,10 +1344,12 @@
 #ifdef CONFIG_IPSEC_DEBUG
 	if(!sysctl_ipsec_debug_verbose) {
 #endif CONFIG_IPSEC_DEBUG
-	len+= sprintf(buffer,"    sock   pid   socket     next     prev e n p sndbf    Flags     Type St\n");
+	len+= sprintf(buffer,
+		      "    sock   pid   socket     next     prev e n p sndbf    Flags     Type St\n");
 #ifdef CONFIG_IPSEC_DEBUG
 	} else {
-	len+= sprintf(buffer,"    sock   pid d    sleep   socket     next     prev e r z n p sndbf    stamp    Flags     Type St\n");
+	len+= sprintf(buffer,
+		      "    sock   pid d    sleep   socket     next     prev e r z n p sndbf    stamp    Flags     Type St\n");
 	}
 #endif CONFIG_IPSEC_DEBUG
 	
@@ -1297,7 +1357,8 @@
 #ifdef CONFIG_IPSEC_DEBUG
 		if(!sysctl_ipsec_debug_verbose) {
 #endif CONFIG_IPSEC_DEBUG
-		len+=sprintf(buffer+len,"%8p %5d %8p %8p %8p %d %d %d %5d %08lX %8X %2X\n",
+		len+=sprintf(buffer+len,
+			     "%8p %5d %8p %8p %8p %d %d %d %5d %08lX %8X %2X\n",
 			     sk,
 			     key_pid(sk),
 			     sk->socket,
@@ -1312,7 +1373,8 @@
 			     sk->socket->state);
 #ifdef CONFIG_IPSEC_DEBUG
 		} else {
-		len+=sprintf(buffer+len,"%8p %5d %d %8p %8p %8p %8p %d %d %d %d %d %5d %d.%06d %08lX %8X %2X\n",
+		len+=sprintf(buffer+len,
+			     "%8p %5d %d %8p %8p %8p %8p %d %d %d %d %d %5d %d.%06d %08lX %8X %2X\n",
 			     sk,
 			     key_pid(sk),
 			     sk->dead,
@@ -1367,12 +1429,14 @@
 	int satype;
 	struct supported_list *pfkey_supported_p;
 	
-	len+= sprintf(buffer,"satype exttype alg_id ivlen minbits maxbits\n");
+	len+= sprintf(buffer,
+		      "satype exttype alg_id ivlen minbits maxbits\n");
 	
 	for(satype = SADB_SATYPE_UNSPEC; satype <= SADB_SATYPE_MAX; satype++) {
 		pfkey_supported_p = pfkey_supported_list[satype];
 		while(pfkey_supported_p) {
-			len+=sprintf(buffer+len,"    %2d      %2d     %2d   %3d     %3d     %3d\n",
+			len+=sprintf(buffer+len,
+				     "    %2d      %2d     %2d   %3d     %3d     %3d\n",
 				     satype,
 				     pfkey_supported_p->supportedp->supported_alg_exttype,
 				     pfkey_supported_p->supportedp->supported_alg_id,
@@ -1413,19 +1477,22 @@
 	int satype;
 	struct socket_list *pfkey_sockets;
 	
-	len+= sprintf(buffer,"satype   socket   pid       sk\n");
+	len+= sprintf(buffer,
+		      "satype   socket   pid       sk\n");
 	
 	for(satype = SADB_SATYPE_UNSPEC; satype <= SADB_SATYPE_MAX; satype++) {
 		pfkey_sockets = pfkey_registered_sockets[satype];
 		while(pfkey_sockets) {
 #ifdef NET_21
-			len+=sprintf(buffer+len,"    %2d %8p %5d %8p\n",
+			len+=sprintf(buffer+len,
+				     "    %2d %8p %5d %8p\n",
 				     satype,
 				     pfkey_sockets->socketp,
 				     key_pid(pfkey_sockets->socketp->sk),
 				     pfkey_sockets->socketp->sk);
 #else /* NET_21 */
-			len+=sprintf(buffer+len,"    %2d %8p   N/A %8p\n",
+			len+=sprintf(buffer+len,
+				     "    %2d %8p   N/A %8p\n",
 				     satype,
 				     pfkey_sockets->socketp,
 #if 0
@@ -1565,36 +1632,40 @@
 	};
 #endif /* CONFIG_IPSEC_IPCOMP */
 
-        printk(KERN_INFO "IPsec: initialising PF_KEY domain sockets.\n");
+#if 0
+        printk(KERN_INFO
+	       "klips_info:pfkey_init: "
+	       "FreeS/WAN: initialising PF_KEYv2 domain sockets.\n");
+#endif
 
 	for(i = SADB_SATYPE_UNSPEC; i <= SADB_SATYPE_MAX; i++) {
 		pfkey_registered_sockets[i] = NULL;
 		pfkey_supported_list[i] = NULL;
 	}
 
-	supported_add_all(SADB_SATYPE_AH, supported_init_ah, sizeof(supported_init_ah));
-	supported_add_all(SADB_SATYPE_ESP, supported_init_esp, sizeof(supported_init_esp));
+	error |= supported_add_all(SADB_SATYPE_AH, supported_init_ah, sizeof(supported_init_ah));
+	error |= supported_add_all(SADB_SATYPE_ESP, supported_init_esp, sizeof(supported_init_esp));
 #ifdef CONFIG_IPSEC_IPCOMP
-	supported_add_all(SADB_X_SATYPE_COMP, supported_init_ipcomp, sizeof(supported_init_ipcomp));
+	error |= supported_add_all(SADB_X_SATYPE_COMP, supported_init_ipcomp, sizeof(supported_init_ipcomp));
 #endif /* CONFIG_IPSEC_IPCOMP */
-	supported_add_all(SADB_X_SATYPE_IPIP, supported_init_ipip, sizeof(supported_init_ipip));
+	error |= supported_add_all(SADB_X_SATYPE_IPIP, supported_init_ipip, sizeof(supported_init_ipip));
 
 #ifdef NET_21
-        sock_register(&pfkey_family_ops);
+        error |= sock_register(&pfkey_family_ops);
 #else /* NET_21 */
-        sock_register(pfkey_proto_ops.family, &pfkey_proto_ops);
+        error |= sock_register(pfkey_proto_ops.family, &pfkey_proto_ops);
 #endif /* NET_21 */
 
 #ifdef CONFIG_PROC_FS
 #  ifndef PROC_FS_2325
 #    ifdef PROC_FS_21
-	proc_register(proc_net, &proc_net_pfkey);
-	proc_register(proc_net, &proc_net_pfkey_supported);
-	proc_register(proc_net, &proc_net_pfkey_registered);
+	error |= proc_register(proc_net, &proc_net_pfkey);
+	error |= proc_register(proc_net, &proc_net_pfkey_supported);
+	error |= proc_register(proc_net, &proc_net_pfkey_registered);
 #    else /* PROC_FS_21 */
-	proc_register_dynamic(&proc_net, &proc_net_pfkey);
-	proc_register_dynamic(&proc_net, &proc_net_pfkey_supported);
-	proc_register_dynamic(&proc_net, &proc_net_pfkey_registered);
+	error |= proc_register_dynamic(&proc_net, &proc_net_pfkey);
+	error |= proc_register_dynamic(&proc_net, &proc_net_pfkey_supported);
+	error |= proc_register_dynamic(&proc_net, &proc_net_pfkey_registered);
 #    endif /* PROC_FS_21 */
 #  else /* !PROC_FS_2325 */
 	proc_net_create ("pf_key", 0, pfkey_get_info);
@@ -1611,28 +1682,32 @@
 {
 	int error = 0;
 	
-        printk(KERN_INFO "FreeS/WAN: shutting down PF_KEY domain sockets.\n");
+        printk(KERN_INFO "klips_info:pfkey_cleanup: "
+	       "shutting down PF_KEY domain sockets.\n");
 #ifdef NET_21
-        sock_unregister(PF_KEY);
+        error |= sock_unregister(PF_KEY);
 #else /* NET_21 */
-        sock_unregister(pfkey_proto_ops.family);
+        error |= sock_unregister(pfkey_proto_ops.family);
 #endif /* NET_21 */
 
-	supported_remove_all(SADB_SATYPE_AH);
-	supported_remove_all(SADB_SATYPE_ESP);
+	error |= supported_remove_all(SADB_SATYPE_AH);
+	error |= supported_remove_all(SADB_SATYPE_ESP);
 #ifdef CONFIG_IPSEC_IPCOMP
-	supported_remove_all(SADB_X_SATYPE_COMP);
+	error |= supported_remove_all(SADB_X_SATYPE_COMP);
 #endif /* CONFIG_IPSEC_IPCOMP */
-	supported_remove_all(SADB_X_SATYPE_IPIP);
+	error |= supported_remove_all(SADB_X_SATYPE_IPIP);
 
 #ifdef CONFIG_PROC_FS
 #  ifndef PROC_FS_2325
 	if (proc_net_unregister(proc_net_pfkey.low_ino) != 0)
-		printk("klips_debug:pfkey_cleanup: cannot unregister /proc/net/pf_key\n");
+		printk("klips_debug:pfkey_cleanup: "
+		       "cannot unregister /proc/net/pf_key\n");
 	if (proc_net_unregister(proc_net_pfkey_supported.low_ino) != 0)
-		printk("klips_debug:pfkey_cleanup: cannot unregister /proc/net/pf_key_supported\n");
+		printk("klips_debug:pfkey_cleanup: "
+		       "cannot unregister /proc/net/pf_key_supported\n");
 	if (proc_net_unregister(proc_net_pfkey_registered.low_ino) != 0)
-		printk("klips_debug:pfkey_cleanup: cannot unregister /proc/net/pf_key_registered\n");
+		printk("klips_debug:pfkey_cleanup: "
+		       "cannot unregister /proc/net/pf_key_registered\n");
 #  else /* !PROC_FS_2325 */
 	proc_net_remove ("pf_key");
 	proc_net_remove ("pf_key_supported");
@@ -1669,8 +1744,30 @@
 
 /*
  * $Log: pfkey_v2.c,v $
- * Revision 1.51.2.1  2001/02/27 00:51:01  henry
- * message improvements
+ * Revision 1.58  2001/05/04 16:37:24  rgb
+ * Remove erroneous checking of return codes for proc_net_* in 2.4.
+ *
+ * Revision 1.57  2001/05/03 19:43:36  rgb
+ * Initialise error return variable.
+ * Check error return codes in startup and shutdown.
+ * Standardise on SENDERR() macro.
+ *
+ * Revision 1.56  2001/04/21 23:05:07  rgb
+ * Define out skb->used for 2.4 kernels.
+ *
+ * Revision 1.55  2001/02/28 05:03:28  rgb
+ * Clean up and rationalise startup messages.
+ *
+ * Revision 1.54  2001/02/27 22:24:55  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.53  2001/02/27 06:48:18  rgb
+ * Fixed pfkey socket unregister log message to reflect type and function.
+ *
+ * Revision 1.52  2001/02/26 22:34:38  rgb
+ * Fix error return code that was getting overwritten by the error return
+ * code of an upmsg.
  *
  * Revision 1.51  2001/01/30 23:42:47  rgb
  * Allow pfkey msgs from pid other than user context required for ACQUIRE
diff -bruN freeswan-1.9.orig/klips/net/ipsec/pfkey_v2_parser.c freeswan-1.9/klips/net/ipsec/pfkey_v2_parser.c
--- freeswan-1.9.orig/klips/net/ipsec/pfkey_v2_parser.c	Mon Feb 26 19:51:01 2001
+++ freeswan-1.9/klips/net/ipsec/pfkey_v2_parser.c	Tue Jun 12 16:51:59 2001
@@ -12,14 +12,14 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: pfkey_v2_parser.c,v 1.68.2.1 2001/02/27 00:51:01 henry Exp $
+ * RCSID $Id: pfkey_v2_parser.c,v 1.82 2001/05/30 08:14:04 rgb Exp $
  */
 
 /*
  *		Template from klips/net/ipsec/ipsec/ipsec_netlink.c.
  */
 
-char pfkey_v2_parser_c_version[] = "$Id: pfkey_v2_parser.c,v 1.68.2.1 2001/02/27 00:51:01 henry Exp $";
+char pfkey_v2_parser_c_version[] = "$Id: pfkey_v2_parser.c,v 1.82 2001/05/30 08:14:04 rgb Exp $";
 
 #include 
 #include 
@@ -94,13 +94,15 @@
 	int error = 0;
 	if(*tdb) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_alloc_tdb: tdb struct already allocated\n");
+			    "klips_debug:pfkey_alloc_tdb: "
+			    "tdb struct already allocated\n");
 		SENDERR(EEXIST);
 	}
 
 	if((*tdb = kmalloc(sizeof(**tdb), GFP_ATOMIC) ) == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_alloc_tdb: memory allocation error\n");
+			    "klips_debug:pfkey_alloc_tdb: "
+			    "memory allocation error\n");
 		SENDERR(ENOMEM);
 	}
 	KLIPS_PRINT(debug_pfkey,
@@ -118,13 +120,15 @@
 	int error = 0;
 	if(*eroute) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_alloc_eroute: eroute struct already allocated\n");
+			    "klips_debug:pfkey_alloc_eroute: "
+			    "eroute struct already allocated\n");
 		SENDERR(EEXIST);
 	}
 
 	if((*eroute = kmalloc(sizeof(**eroute), GFP_ATOMIC) ) == NULL) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_alloc_eroute: memory allocation error\n");
+			    "klips_debug:pfkey_alloc_eroute: "
+			    "memory allocation error\n");
 		SENDERR(ENOMEM);
 	}
 	KLIPS_PRINT(debug_pfkey,
@@ -137,6 +141,9 @@
 		(*eroute)->er_emask.sen_family = AF_ENCAP;
 	(*eroute)->er_eaddr.sen_type = SENT_IP4;
 	(*eroute)->er_emask.sen_type = 255;
+	(*eroute)->er_pid = 0;
+	(*eroute)->er_count = 0;
+	(*eroute)->er_lasttime = jiffies/HZ;
 
  errlab:
 	return(error);
@@ -171,7 +178,8 @@
 		break;
 	default:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_sa_process: invalid exttype=%d.\n",
+			    "klips_debug:pfkey_sa_process: "
+			    "invalid exttype=%d.\n",
 			    pfkey_ext->sadb_ext_type);
 		SENDERR(EINVAL);
 	}
@@ -201,6 +209,10 @@
 		tdbp->tdb_encalg = pfkey_sa->sadb_sa_encrypt;
 		break;
 #endif /* CONFIG_IPSEC_IPCOMP */
+	case IPPROTO_INT:
+		tdbp->tdb_authalg = AH_NONE;
+		tdbp->tdb_encalg = ESP_NONE;
+		break;
 	case 0:
 		break;
 	default:
@@ -324,7 +336,8 @@
 		break;
 	default:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug: pfkey_lifetime_process: invalid exttype=%d.\n",
+			    "klips_debug:pfkey_lifetime_process: "
+			    "invalid exttype=%d.\n",
 			    pfkey_ext->sadb_ext_type);
 		SENDERR(EINVAL);
 	}
@@ -349,7 +362,7 @@
 	
 	if(!extr || !extr->tdb) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process:\n"
+			    "klips_debug:pfkey_address_process: "
 			    "extr or extr->tdb is NULL, fatal\n");
 		SENDERR(EINVAL);
 	}
@@ -359,8 +372,10 @@
 		saddr_len = sizeof(struct sockaddr_in);
 		addrtoa(((struct sockaddr_in*)s)->sin_addr, 0, ipaddr_txt, sizeof(ipaddr_txt));
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process: found address family=%d, AF_INET, %s.\n",
-			    s->sa_family, ipaddr_txt);
+			    "klips_debug:pfkey_address_process: "
+			    "found address family=%d, AF_INET, %s.\n",
+			    s->sa_family,
+			    ipaddr_txt);
 		break;
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 	case AF_INET6:
@@ -369,7 +384,8 @@
 #endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
 	default:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process: s->sa_family=%d not supported.\n",
+			    "klips_debug:pfkey_address_process: "
+			    "s->sa_family=%d not supported.\n",
 			    s->sa_family);
 		SENDERR(EPFNOSUPPORT);
 	}
@@ -377,25 +393,29 @@
 	switch(pfkey_address->sadb_address_exttype) {
 	case SADB_EXT_ADDRESS_SRC:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process: found src address.\n");
+			    "klips_debug:pfkey_address_process: "
+			    "found src address.\n");
 		sap = (unsigned char **)&(extr->tdb->tdb_addr_s);
 		extr->tdb->tdb_addr_s_size = saddr_len;
 		break;
 	case SADB_EXT_ADDRESS_DST:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process: found dst address.\n");
+			    "klips_debug:pfkey_address_process: "
+			    "found dst address.\n");
 		sap = (unsigned char **)&(extr->tdb->tdb_addr_d);
 		extr->tdb->tdb_addr_d_size = saddr_len;
 		break;
 	case SADB_EXT_ADDRESS_PROXY:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process: found proxy address.\n");
+			    "klips_debug:pfkey_address_process: "
+			    "found proxy address.\n");
 		sap = (unsigned char **)&(extr->tdb->tdb_addr_p);
 		extr->tdb->tdb_addr_p_size = saddr_len;
 		break;
 	case SADB_X_EXT_ADDRESS_DST2:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process: found 2nd dst address.\n");
+			    "klips_debug:pfkey_address_process: "
+			    "found 2nd dst address.\n");
 		if(pfkey_alloc_tdb(&(extr->tdb2)) == ENOMEM) {
 			SENDERR(ENOMEM);
 		}
@@ -404,7 +424,8 @@
 		break;
 	case SADB_X_EXT_ADDRESS_SRC_FLOW:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process: found src flow address.\n");
+			    "klips_debug:pfkey_address_process: "
+			    "found src flow address.\n");
 		if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
 			SENDERR(ENOMEM);
 		}
@@ -412,7 +433,8 @@
 		break;
 	case SADB_X_EXT_ADDRESS_DST_FLOW:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process: found dst flow address.\n");
+			    "klips_debug:pfkey_address_process: "
+			    "found dst flow address.\n");
 		if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
 			SENDERR(ENOMEM);
 		}
@@ -420,7 +442,8 @@
 		break;
 	case SADB_X_EXT_ADDRESS_SRC_MASK:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process: found src mask address.\n");
+			    "klips_debug:pfkey_address_process: "
+			    "found src mask address.\n");
 		if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
 			SENDERR(ENOMEM);
 		}
@@ -428,7 +451,8 @@
 		break;
 	case SADB_X_EXT_ADDRESS_DST_MASK:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process: found dst mask address.\n");
+			    "klips_debug:pfkey_address_process: "
+			    "found dst mask address.\n");
 		if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
 			SENDERR(ENOMEM);
 		}
@@ -436,7 +460,8 @@
 		break;
 	default:
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_address_process: unrecognised ext_type=%d.\n",
+			    "klips_debug:pfkey_address_process: "
+			    "unrecognised ext_type=%d.\n",
 			    pfkey_address->sadb_address_exttype);
 		SENDERR(EINVAL);
 	}
@@ -454,7 +479,8 @@
 	default:
 		if(s->sa_family	!= AF_INET) {
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug:pfkey_address_process: s->sa_family=%d not supported.\n",
+				    "klips_debug:pfkey_address_process: "
+				    "s->sa_family=%d not supported.\n",
 				    s->sa_family);
 			SENDERR(EPFNOSUPPORT);
 		}
@@ -483,24 +509,26 @@
 	case SADB_EXT_ADDRESS_DST:
 		if(s->sa_family == AF_INET) {
 			tdbp->tdb_said.dst.s_addr = ((struct sockaddr_in*)(tdbp->tdb_addr_d))->sin_addr.s_addr;
+#if 0
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug:pfkey_address_process: tdbp->tdb_said.dst.s_addr=%08x,\n"
-				    "klips_debug:                     ((struct sockaddr_in*)(tdbp->tdb_addr_d))->sin_addr.s_addr=%08x,\n",
+				    "klips_debug:pfkey_address_process: "
+				    "tdbp->tdb_said.dst.s_addr=%08x, ((struct sockaddr_in*)(tdbp->tdb_addr_d))->sin_addr.s_addr=%08x,\n",
 				    tdbp->tdb_said.dst.s_addr,
 				    ((struct sockaddr_in*)(tdbp->tdb_addr_d))->sin_addr.s_addr
 				);
+#endif
 			addrtoa(((struct sockaddr_in*)(tdbp->tdb_addr_d))->sin_addr,
 				0,
 				ipaddr_txt,
 				sizeof(ipaddr_txt));
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug:pfkey_address_process: tdb_said.dst set to %s.\n",
+				    "klips_debug:pfkey_address_process: "
+				    "tdb_said.dst set to %s.\n",
 				    ipaddr_txt);
 		} else {
 			KLIPS_PRINT(debug_pfkey,
 				    "klips_debug:pfkey_address_process: "
-				    "uh, tdb_said.dst doesn't do address family=%d yet, "
-				    "said will be invalid.\n",
+				    "uh, tdb_said.dst doesn't do address family=%d yet, said will be invalid.\n",
 				    s->sa_family);
 		}
 	default:
@@ -532,33 +560,38 @@
 
         switch(pfkey_key->sadb_key_exttype) {
         case SADB_EXT_KEY_AUTH:
-                extr->tdb->tdb_key_bits_a = pfkey_key->sadb_key_bits;
 		if(!(extr->tdb->tdb_key_a = kmalloc(DIVUP(pfkey_key->sadb_key_bits, 8), GFP_KERNEL))) {
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug:pfkey_key_process: memory allocation error.\n");
+				    "klips_debug:pfkey_key_process: "
+				    "memory allocation error.\n");
 			SENDERR(ENOMEM);
 		}
+                extr->tdb->tdb_key_bits_a = pfkey_key->sadb_key_bits;
+                extr->tdb->tdb_key_a_size = DIVUP(pfkey_key->sadb_key_bits, 8);
 		memcpy(extr->tdb->tdb_key_a,
 		       (char*)pfkey_key + sizeof(struct sadb_key),
-		       DIVUP(pfkey_key->sadb_key_bits, 8));
+		       extr->tdb->tdb_key_a_size);
 		break;
 	case SADB_EXT_KEY_ENCRYPT: /* Key(s) */
-		extr->tdb->tdb_key_bits_e = pfkey_key->sadb_key_bits;
 		if(!(extr->tdb->tdb_key_e = kmalloc(DIVUP(pfkey_key->sadb_key_bits, 8), GFP_KERNEL))) {
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug:pfkey_key_process: memory allocation error.\n");
+				    "klips_debug:pfkey_key_process: "
+				    "memory allocation error.\n");
 			SENDERR(ENOMEM);
 		}
+		extr->tdb->tdb_key_bits_e = pfkey_key->sadb_key_bits;
+		extr->tdb->tdb_key_e_size = DIVUP(pfkey_key->sadb_key_bits, 8);
 		memcpy(extr->tdb->tdb_key_e,
 		       (char*)pfkey_key + sizeof(struct sadb_key),
-		       DIVUP(pfkey_key->sadb_key_bits, 8));
+		       extr->tdb->tdb_key_e_size);
 		break;
 	default:
 		SENDERR(EINVAL);
  	}
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_key_process: success.\n");
+		    "klips_debug:pfkey_key_process: "
+		    "success.\n");
 errlab:
 	return error;
 }
@@ -629,7 +662,8 @@
         int error = 0;
 	
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug: pfkey_sens_process: Sorry, I can't process exttype=%d yet.\n",
+		    "klips_debug:pfkey_sens_process: "
+		    "Sorry, I can't process exttype=%d yet.\n",
 		    pfkey_ext->sadb_ext_type);
         SENDERR(EINVAL); /* don't process these yet */
  errlab:
@@ -642,7 +676,8 @@
         int error = 0;
 	
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug: pfkey_prop_process: Sorry, I can't process exttype=%d yet.\n",
+		    "klips_debug:pfkey_prop_process: "
+		    "Sorry, I can't process exttype=%d yet.\n",
 		    pfkey_ext->sadb_ext_type);
 	SENDERR(EINVAL); /* don't process these yet */
 	
@@ -656,7 +691,8 @@
         int error = 0;
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug: pfkey_supported_process: Sorry, I can't process exttype=%d yet.\n",
+		    "klips_debug:pfkey_supported_process: "
+		    "Sorry, I can't process exttype=%d yet.\n",
 		    pfkey_ext->sadb_ext_type);
 	SENDERR(EINVAL); /* don't process these yet */
 
@@ -670,7 +706,7 @@
         int error = 0;
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug: pfkey_spirange_process: .\n");
+		    "klips_debug:pfkey_spirange_process: .\n");
 /* errlab: */
 	return error;
 }
@@ -681,7 +717,8 @@
 	int error = 0;
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug: pfkey_x_kmprivate_process: Sorry, I can't process exttype=%d yet.\n",
+		    "klips_debug:pfkey_x_kmprivate_process: "
+		    "Sorry, I can't process exttype=%d yet.\n",
 		    pfkey_ext->sadb_ext_type);
 	SENDERR(EINVAL); /* don't process these yet */
 
@@ -696,11 +733,11 @@
 	struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)pfkey_ext;
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug: pfkey_x_satype_process: .\n");
+		    "klips_debug:pfkey_x_satype_process: .\n");
 
 	if(!extr || !extr->tdb) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug: pfkey_x_satype_process: "
+			    "klips_debug:pfkey_x_satype_process: "
 			    "extr or extr->tdb is NULL, fatal\n");
 		SENDERR(EINVAL);
 	}
@@ -710,10 +747,17 @@
 	}
 	if(!(extr->tdb2->tdb_said.proto = satype2proto(pfkey_x_satype->sadb_x_satype_satype))) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug: pfkey_x_satype_process: proto lookup from satype=%d failed.\n",
+			    "klips_debug:pfkey_x_satype_process: "
+			    "proto lookup from satype=%d failed.\n",
 			    pfkey_x_satype->sadb_x_satype_satype);
 		SENDERR(EINVAL);
 	}
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_satype_process: "
+		    "protocol==%d decoded from satype==%d(%s).\n",
+		    extr->tdb2->tdb_said.proto,
+		    pfkey_x_satype->sadb_x_satype_satype,
+		    satype2name(pfkey_x_satype->sadb_x_satype_satype));
 
 errlab:
 	return error;
@@ -726,7 +770,8 @@
 	struct sadb_x_debug *pfkey_x_debug = (struct sadb_x_debug *)pfkey_ext;
 
 	if(!pfkey_x_debug) {
-		printk("klips_debug:pfkey_x_debug_process: null pointer passed in\n");
+		printk("klips_debug:pfkey_x_debug_process: "
+		       "null pointer passed in\n");
 		SENDERR(EINVAL);
 	}
 
@@ -752,10 +797,8 @@
 			sysctl_ipsec_debug_ipcomp  |= pfkey_x_debug->sadb_x_debug_ipcomp;
 #endif /* CONFIG_IPSEC_IPCOMP */
 			sysctl_ipsec_debug_verbose |= pfkey_x_debug->sadb_x_debug_verbose;
-			if(debug_netlink)
 				printk(KERN_INFO "klips_debug:pfkey_x_debug_process: set\n");
 		} else {
-			if(debug_netlink)
 				printk(KERN_INFO "klips_debug:pfkey_x_debug_process: unset\n");
 			debug_tunnel  &= pfkey_x_debug->sadb_x_debug_tunnel;
 			debug_netlink &= pfkey_x_debug->sadb_x_debug_netlink;
@@ -773,7 +816,8 @@
 			sysctl_ipsec_debug_verbose &= pfkey_x_debug->sadb_x_debug_verbose;
 		}
 #else /* CONFIG_IPSEC_DEBUG */
-		printk("klips_debug:pfkey_x_debug_process: debugging not enabled\n");
+		printk("klips_debug:pfkey_x_debug_process: "
+		       "debugging not enabled\n");
 		SENDERR(EINVAL);
 #endif /* CONFIG_IPSEC_DEBUG */
 	
@@ -788,6 +832,7 @@
         int i;
         int error = 0;
         char sa[SATOA_BUF];
+	size_t sa_len;
 	char ipaddr_txt[ADDRTOA_BUF];
 	char ipaddr2_txt[ADDRTOA_BUF];
 	unsigned char kb[AHMD596_BLKLEN];
@@ -799,13 +844,16 @@
 		SENDERR(EINVAL);
 	}
 
-	satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
+	sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
 
         KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_tdb_init: (pfkey defined) called for SA:%s\n", sa);
+		    "klips_debug:pfkey_tdb_init: "
+		    "(pfkey defined) called for SA:%s\n",
+		    sa_len ? sa : " (error)");
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_tdb_init: calling init routine of %s%s%s\n",
+		    "klips_debug:pfkey_tdb_init: "
+		    "calling init routine of %s%s%s\n",
 		    TDB_XFORM_NAME(tdbp));
 	
 	switch(tdbp->tdb_said.proto) {
@@ -832,20 +880,22 @@
 # ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
 		case AH_MD5: {
 			unsigned char *akp;
+			unsigned int aks;
 			MD5_CTX *ictx;
 			MD5_CTX *octx;
 			
 			if(tdbp->tdb_key_bits_a != (AHMD596_KLEN * 8)) {
 				KLIPS_PRINT(debug_pfkey,
-					    "klips_debug:pfkey_tdb_init: incorrect key size: %d bits"
-					    "-- must be %d bits\n"/*octets (bytes)\n"*/,
+					    "klips_debug:pfkey_tdb_init: "
+					    "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
 					    tdbp->tdb_key_bits_a, AHMD596_KLEN * 8);
 				SENDERR(EINVAL);
 			}
 			
 #  if 0 /* we don't really want to print these unless there are really big problems */
 			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
-					    "klips_debug:pfkey_tdb_init: hmac md5-96 key is 0x%08lx %08lx %08lx %08lx\n",
+				    "klips_debug:pfkey_tdb_init: "
+				    "hmac md5-96 key is 0x%08lx %08lx %08lx %08lx\n",
 				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+0)),
 				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+1)),
 				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+2)),
@@ -856,12 +906,14 @@
 			
 			/* save the pointer to the key material */
 			akp = tdbp->tdb_key_a;
+			aks = tdbp->tdb_key_a_size;
 			
 			if((tdbp->tdb_key_a = (caddr_t)
-			    kmalloc((tdbp->tdb_key_a_size = sizeof(struct md5_ctx)),
-				    GFP_ATOMIC)) == NULL) {
+			    kmalloc(sizeof(struct md5_ctx), GFP_ATOMIC)) == NULL) {
+				tdbp->tdb_key_a = akp;
 				SENDERR(ENOMEM);
 			}
+			tdbp->tdb_key_a_size = sizeof(struct md5_ctx);
 
 			for (i = 0; i < DIVUP(tdbp->tdb_key_bits_a, 8); i++) {
 				kb[i] = akp[i] ^ HMAC_IPAD;
@@ -884,8 +936,8 @@
 			
 #  if 0 /* we don't really want to print these unless there are really big problems */
 			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
-				    "klips_debug:pfkey_tdb_init: MD5 ictx=0x%08x %08x %08x %08x"
-				    " octx=0x%08x %08x %08x %08x\n",
+				    "klips_debug:pfkey_tdb_init: "
+				    "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
 				    ((__u32*)ictx)[0],
 				    ((__u32*)ictx)[1],
 				    ((__u32*)ictx)[2],
@@ -897,28 +949,30 @@
 #  endif
 			
 				/* zero key buffer -- paranoid */
-			memset(akp, 0, DIVUP(tdbp->tdb_key_bits_a, BITS_PER_OCTET));
+			memset(akp, 0, aks);
+			kfree(akp);
 		}
 		break;
 # endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
 # ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
 		case AH_SHA: {
-			
 			unsigned char *akp;
+			unsigned int aks;
 			SHA1_CTX *ictx;
 			SHA1_CTX *octx;
 			
 			if(tdbp->tdb_key_bits_a != (AHSHA196_KLEN * 8)) {
 				KLIPS_PRINT(debug_pfkey,
-					    "klips_debug:pfkey_tdb_init: incorrect key size: %d bits"
-					    "-- must be %d bits\n"/*octets (bytes)\n"*/,
+					    "klips_debug:pfkey_tdb_init: "
+					    "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
 					    tdbp->tdb_key_bits_a, AHSHA196_KLEN * 8);
 				SENDERR(EINVAL);
 			}
 			
 #  if 0 /* we don't really want to print these unless there are really big problems */
 			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
-				    "klips_debug:pfkey_tdb_init: hmac sha1-96 key is 0x%08lx %08lx %08lx %08lx\n",
+				    "klips_debug:pfkey_tdb_init: "
+				    "hmac sha1-96 key is 0x%08lx %08lx %08lx %08lx\n",
 				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+0)),
 				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+1)),
 				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+2)),
@@ -929,12 +983,14 @@
 			
 			/* save the pointer to the key material */
 			akp = tdbp->tdb_key_a;
+			aks = tdbp->tdb_key_a_size;
 			
 			if((tdbp->tdb_key_a = (caddr_t)
-			    kmalloc((tdbp->tdb_key_a_size = sizeof(struct sha1_ctx)),
-				    GFP_ATOMIC)) == NULL) {
+			    kmalloc(sizeof(struct sha1_ctx), GFP_ATOMIC)) == NULL) {
+				tdbp->tdb_key_a = akp;
 				SENDERR(ENOMEM);
 			}
+			tdbp->tdb_key_a_size = sizeof(struct sha1_ctx);
 			
 			for (i = 0; i < DIVUP(tdbp->tdb_key_bits_a, 8); i++) {
 				kb[i] = akp[i] ^ HMAC_IPAD;
@@ -957,8 +1013,8 @@
 			
 #  if 0 /* we don't really want to print these unless there are really big problems */
 			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
-				    "klips_debug:pfkey_tdb_init: SHA1 ictx=0x%08x %08x %08x %08x"
-				    " octx=0x%08x %08x %08x %08x\n", 
+				    "klips_debug:pfkey_tdb_init: "
+				    "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n", 
 				    ((__u32*)ictx)[0],
 				    ((__u32*)ictx)[1],
 				    ((__u32*)ictx)[2],
@@ -969,7 +1025,8 @@
 				    ((__u32*)octx)[3] );
 #  endif			
 				/* zero key buffer -- paranoid */
-			memset(akp, 0, DIVUP(tdbp->tdb_key_bits_a, BITS_PER_OCTET));
+			memset(akp, 0, aks);
+			kfree(akp);
 		}
 		break;
 # endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
@@ -985,12 +1042,16 @@
 #ifdef CONFIG_IPSEC_ESP
 	case IPPROTO_ESP: {
 		unsigned char *akp, *ekp;
+		unsigned int aks, eks;
 		
 		switch(tdbp->tdb_encalg) {
-# ifdef CONFIG_IPSEC_ENC_3DES
+#ifdef CONFIG_IPSEC_ENC_DES
+		case ESP_DES:
+#endif /* CONFIG_IPSEC_ENC_DES */
+#ifdef CONFIG_IPSEC_ENC_3DES
 		case ESP_3DES:
-# endif /* CONFIG_IPSEC_ENC_3DES */
-# if defined(CONFIG_IPSEC_ENC_3DES)
+#endif /* CONFIG_IPSEC_ENC_3DES */
+#if defined(CONFIG_IPSEC_ENC_DES) || defined(CONFIG_IPSEC_ENC_3DES)
 			if((tdbp->tdb_iv = (caddr_t)
 			    kmalloc((tdbp->tdb_iv_size = EMT_ESPDES_IV_SZ), GFP_ATOMIC)) == NULL) {
 				SENDERR(ENOMEM);
@@ -998,11 +1059,8 @@
 			get_random_bytes((void *)tdbp->tdb_iv, EMT_ESPDES_IV_SZ);
 			tdbp->tdb_iv_bits = tdbp->tdb_iv_size * 8;
 			break;
-# endif /* defined(CONFIG_IPSEC_ENC_3DES) */
+#endif /* defined(CONFIG_IPSEC_ENC_DES) || defined(CONFIG_IPSEC_ENC_3DES) */
 		case ESP_NONE:
-# ifdef CONFIG_IPSEC_ENC_NULL
-		case ESP_NULL:
-# endif /* CONFIG_IPSEC_ENC_NULL */
 			break;
 		default:
 			KLIPS_PRINT(debug_pfkey,
@@ -1013,55 +1071,103 @@
 		}
 		
 		switch(tdbp->tdb_encalg) {
-# ifdef CONFIG_IPSEC_ENC_3DES
+#ifdef CONFIG_IPSEC_ENC_DES
+		case ESP_DES:
+			if(tdbp->tdb_key_bits_e != (EMT_ESPDES_KEY_SZ * 8)) {
+				KLIPS_PRINT(debug_pfkey,
+					    "klips_debug:pfkey_tdb_init: "
+					    "incorrect encryption key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
+					    tdbp->tdb_key_bits_e, EMT_ESPDES_KEY_SZ * 8);
+				SENDERR(EINVAL);
+			}
+			
+			/* save encryption key pointer */
+			ekp = tdbp->tdb_key_e;
+			eks = tdbp->tdb_key_e_size;
+			
+			if((tdbp->tdb_key_e = (caddr_t)
+			    kmalloc(sizeof(struct des_eks), GFP_ATOMIC)) == NULL) {
+				tdbp->tdb_key_e = ekp;
+				SENDERR(ENOMEM);
+			}
+			tdbp->tdb_key_e_size = sizeof(struct des_eks);
+
+#if 0 /* we don't really want to print these unless there are really big problems */
+                       KLIPS_PRINT(debug_pfkey,
+                                   "klips_debug:pfkey_tdb_init: des key 1 is 0x%08lx%08lx\n",
+                                   ntohl(*((__u32 *)ed->eme_key)),
+                                   ntohl(*((__u32 *)ed->eme_key + 1)));
+#endif
+			error = des_set_key((caddr_t)ekp, 
+					    (caddr_t)(tdbp->tdb_key_e));
+			if (error == -1)
+					printk("klips_debug:pfkey_tdb_init: "
+					       "parity error in des key\n");
+				else if (error == -2)
+					printk("klips_debug:pfkey_tdb_init: "
+					       "illegal weak des key\n");
+				if (error) {
+					memset(ekp, 0, eks);
+					kfree(ekp);
+					SENDERR(EINVAL);
+				}
+
+			/* paranoid */
+			memset(ekp, 0, eks);
+			kfree(ekp);
+			break;
+#endif /* CONFIG_IPSEC_ENC_DES */
+#ifdef CONFIG_IPSEC_ENC_3DES
 		case ESP_3DES:
 			if(tdbp->tdb_key_bits_e != (EMT_ESP3DES_KEY_SZ * 8)) {
 				KLIPS_PRINT(debug_pfkey,
-					    "klips_debug:pfkey_tdb_init: incorrect encryption"
-					    "key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
+					    "klips_debug:pfkey_tdb_init: "
+					    "incorrect encryption key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
 					    tdbp->tdb_key_bits_e, EMT_ESP3DES_KEY_SZ * 8);
 				SENDERR(EINVAL);
 			}
 			
 			/* save encryption key pointer */
 			ekp = tdbp->tdb_key_e;
+			eks = tdbp->tdb_key_e_size;
 			
 			if((tdbp->tdb_key_e = (caddr_t)
-			    kmalloc((tdbp->tdb_key_e_size = 3 * sizeof(struct des_eks)),
-				    GFP_ATOMIC)) == NULL) {
+			    kmalloc(3 * sizeof(struct des_eks), GFP_ATOMIC)) == NULL) {
+				tdbp->tdb_key_e = ekp;
 				SENDERR(ENOMEM);
 			}
+			tdbp->tdb_key_e_size = 3 * sizeof(struct des_eks);
 			
 			for(i = 0; i < 3; i++) {
-#  if 0 /* we don't really want to print these unless there are really big problems */
+#if 0 /* we don't really want to print these unless there are really big problems */
 				KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
-					    "klips_debug:pfkey_tdb_init: 3des key %d/3 is 0x%08lx%08lx\n",
+					    "klips_debug:pfkey_tdb_init: "
+					    "3des key %d/3 is 0x%08lx%08lx\n",
 					    i + 1,
-					    ntohl(*((__u32 *)tdbp->tdb_key_e + i * 2)),
-					    ntohl(*((__u32 *)tdbp->tdb_key_e + i * 2 + 1)));
-#  endif
+					    ntohl(*((__u32 *)ekp + i * 2)),
+					    ntohl(*((__u32 *)ekp + i * 2 + 1)));
+#endif
 				error = des_set_key((caddr_t)ekp + EMT_ESPDES_KEY_SZ * i,
 						    (caddr_t)&((struct des_eks*)(tdbp->tdb_key_e))[i]);
 				if (error == -1)
-					printk("klips_debug:pfkey_tdb_init: parity error in des key %d/3\n", i + 1);
+					printk("klips_debug:pfkey_tdb_init: "
+					       "parity error in des key %d/3\n",
+					       i + 1);
 				else if (error == -2)
-					printk("klips_debug:pfkey_tdb_init: illegal weak des key %d/3\n", i + 1);
+					printk("klips_debug:pfkey_tdb_init: "
+					       "illegal weak des key %d/3\n", i + 1);
 				if (error) {
-					memset(tdbp->tdb_key_e, 0, 3 * sizeof(struct des_eks));
-					kfree(tdbp->tdb_key_e);
-					memset(ekp, 0, DIVUP(tdbp->tdb_key_bits_e, BITS_PER_OCTET));
+					memset(ekp, 0, eks);
+					kfree(ekp);
 					SENDERR(EINVAL);
 				}
 			}
 
 			/* paranoid */
-			memset(ekp, 0, DIVUP(tdbp->tdb_key_bits_e, BITS_PER_OCTET));
-			
+			memset(ekp, 0, eks);
+			kfree(ekp);
 			break;
-# endif /* CONFIG_IPSEC_ENC_3DES */
-# ifdef CONFIG_IPSEC_ENC_NULL
-		case ESP_NULL:
-# endif /* CONFIG_IPSEC_ENC_NULL */
+#endif /* CONFIG_IPSEC_ENC_3DES */
 		case ESP_NONE:
 			break;
 		default:
@@ -1073,37 +1179,41 @@
 		}
 		
 		switch(tdbp->tdb_authalg) {
-# ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
+#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
 		case AH_MD5: {
 			MD5_CTX *ictx;
 			MD5_CTX *octx;
 
 			if(tdbp->tdb_key_bits_a != (AHMD596_KLEN * 8)) {
 				KLIPS_PRINT(debug_pfkey,
-					    "klips_debug:pfkey_tdb_init: incorrect authorisation"
-					    " key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
-					    tdbp->tdb_key_bits_a, AHMD596_KLEN * 8);
+					    "klips_debug:pfkey_tdb_init: "
+					    "incorrect authorisation key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
+					    tdbp->tdb_key_bits_a,
+					    AHMD596_KLEN * 8);
 				SENDERR(EINVAL);
 			}
 			
-#  if 0 /* we don't really want to print these unless there are really big problems */
+#if 0 /* we don't really want to print these unless there are really big problems */
 			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
-				    "klips_debug:pfkey_tdb_init: hmac md5-96 key is 0x%08lx %08lx %08lx %08lx\n",
+				    "klips_debug:pfkey_tdb_init: "
+				    "hmac md5-96 key is 0x%08lx %08lx %08lx %08lx\n",
 				    ntohl(*(((__u32 *)(tdbp->tdb_key_a))+0)),
 				    ntohl(*(((__u32 *)(tdbp->tdb_key_a))+1)),
 				    ntohl(*(((__u32 *)(tdbp->tdb_key_a))+2)),
 				    ntohl(*(((__u32 *)(tdbp->tdb_key_a))+3)));
-#  endif
+#endif
 			tdbp->tdb_auth_bits = AHMD596_ALEN * 8;
 			
 			/* save the pointer to the key material */
 			akp = tdbp->tdb_key_a;
+			aks = tdbp->tdb_key_a_size;
 			
 			if((tdbp->tdb_key_a = (caddr_t)
-			    kmalloc((tdbp->tdb_key_a_size = sizeof(struct md5_ctx)),
-				    GFP_ATOMIC)) == NULL) {
+			    kmalloc(sizeof(struct md5_ctx), GFP_ATOMIC)) == NULL) {
+				tdbp->tdb_key_a = akp;
 				SENDERR(ENOMEM);
 			}
+			tdbp->tdb_key_a_size = sizeof(struct md5_ctx);
 			
 			for (i = 0; i < DIVUP(tdbp->tdb_key_bits_a, 8); i++) {
 				kb[i] = akp[i] ^ HMAC_IPAD;
@@ -1126,8 +1236,8 @@
 			
 #  if 0 /* we don't really want to print these unless there are really big problems */
 			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
-				    "klips_debug:pfkey_tdb_init: MD5 ictx=0x%08x %08x %08x %08x"
-				    " octx=0x%08x %08x %08x %08x\n",
+				    "klips_debug:pfkey_tdb_init: "
+				    "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
 				    ((__u32*)ictx)[0],
 				    ((__u32*)ictx)[1],
 				    ((__u32*)ictx)[2],
@@ -1138,7 +1248,8 @@
 				    ((__u32*)octx)[3] );
 #  endif
 			/* paranoid */
-			memset(akp, 0, DIVUP(tdbp->tdb_key_bits_a, BITS_PER_OCTET));
+			memset(akp, 0, aks);
+			kfree(akp);
 			break;
 		}
 # endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
@@ -1149,15 +1260,17 @@
 
 			if(tdbp->tdb_key_bits_a != (AHSHA196_KLEN * 8)) {
 				KLIPS_PRINT(debug_pfkey,
-					    "klips_debug:pfkey_tdb_init: incorrect authorisation"
-					    " key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
-					    tdbp->tdb_key_bits_a, AHSHA196_KLEN * 8);
+					    "klips_debug:pfkey_tdb_init: "
+					    "incorrect authorisation key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
+					    tdbp->tdb_key_bits_a,
+					    AHSHA196_KLEN * 8);
 				SENDERR(EINVAL);
 			}
 			
 #  if 0 /* we don't really want to print these unless there are really big problems */
 			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
-				    "klips_debug:pfkey_tdb_init: hmac sha1-96 key is 0x%08lx %08lx %08lx %08lx\n",
+				    "klips_debug:pfkey_tdb_init: "
+				    "hmac sha1-96 key is 0x%08lx %08lx %08lx %08lx\n",
 				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+0)),
 				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+1)),
 				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+2)),
@@ -1167,12 +1280,14 @@
 			
 			/* save the pointer to the key material */
 			akp = tdbp->tdb_key_a;
+			aks = tdbp->tdb_key_a_size;
 
 			if((tdbp->tdb_key_a = (caddr_t)
-			    kmalloc((tdbp->tdb_key_a_size = sizeof(struct sha1_ctx)),
-				    GFP_ATOMIC)) == NULL) {
+			    kmalloc(sizeof(struct sha1_ctx), GFP_ATOMIC)) == NULL) {
+				tdbp->tdb_key_a = akp;
 				SENDERR(ENOMEM);
 			}
+			tdbp->tdb_key_a_size = sizeof(struct sha1_ctx);
 			
 			for (i = 0; i < DIVUP(tdbp->tdb_key_bits_a, 8); i++) {
 				kb[i] = akp[i] ^ HMAC_IPAD;
@@ -1195,8 +1310,8 @@
 			
 #  if 0 /* we don't really want to print these unless there are really big problems */
 			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
-				    "klips_debug:pfkey_tdb_init: SHA1 ictx=0x%08x %08x %08x %08x"
-				    " octx=0x%08x %08x %08x %08x\n",
+				    "klips_debug:pfkey_tdb_init: "
+				    "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
 				    ((__u32*)ictx)[0],
 				    ((__u32*)ictx)[1],
 				    ((__u32*)ictx)[2],
@@ -1206,7 +1321,8 @@
 				    ((__u32*)octx)[2],
 				    ((__u32*)octx)[3] );
 #  endif
-			memset(akp, 0, DIVUP(tdbp->tdb_key_bits_a, BITS_PER_OCTET));
+			memset(akp, 0, aks);
+			kfree(akp);
 			break;
 		}
 # endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
@@ -1246,14 +1362,17 @@
 int
 pfkey_safe_build(int error, struct sadb_ext *extensions[SADB_MAX+1])
 {
-	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build: error=%d\n", error);
+	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build: "
+		    "error=%d\n",
+		    error);
 	if (!error) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build:"
 			    "success.\n");
 		return 1;
 	} else {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build:"
-			    "caught error %d\n", error);
+			    "caught error %d\n",
+			    error);
 		pfkey_extensions_free(extensions);
 		return 0;
 	}
@@ -1268,6 +1387,7 @@
 	int found_avail = 0;
 	struct tdb *tdbq;
 	char sa[SATOA_BUF];
+	size_t sa_len;
 	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
 	struct sadb_msg *pfkey_reply = NULL;
 	struct socket_list *pfkey_socketsp;
@@ -1280,7 +1400,8 @@
 
 	if(!extr || !extr->tdb) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_getspi_parse: error, extr or extr->tdb pointer NULL\n");
+			    "klips_debug:pfkey_getspi_parse: "
+			    "error, extr or extr->tdb pointer NULL\n");
 		SENDERR(EINVAL);
 	}
 
@@ -1292,10 +1413,11 @@
 	if(maxspi == minspi) {
 		extr->tdb->tdb_said.spi = maxspi;
 		if((tdbq = gettdb(&(extr->tdb->tdb_said)))) {
-			satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
+			sa_len = satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug: pfkey_getspi_parse: EMT_GETSPI found an old Tunnel Descriptor Block\n"
-				    "klips_debug:                for SA: %s, delete it first.\n", sa);
+				    "klips_debug:pfkey_getspi_parse: "
+				    "EMT_GETSPI found an old Tunnel Descriptor Block for SA: %s, delete it first.\n",
+				    sa_len ? sa : " (error)");
 			SENDERR(EEXIST);
 		} else {
 			found_avail = 1;
@@ -1322,12 +1444,13 @@
 		}
 	}
 
-	satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
+	sa_len = satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
 
 	if (!found_avail) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug: pfkey_getspi_parse: found an old Tunnel Descriptor Block\n"
-			    "klips_debug:                for SA: %s, delete it first.\n", sa);
+			    "klips_debug:pfkey_getspi_parse: "
+			    "found an old Tunnel Descriptor Block for SA: %s, delete it first.\n",
+			    sa_len ? sa : " (error)");
 		SENDERR(EEXIST);
 	}
 
@@ -1336,9 +1459,10 @@
 	}
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug: pfkey_getspi_parse: existing Tunnel Descriptor Block not found (this\n"
-		    "klips_debug:                is good) for SA: %s, %s-bound, allocating.\n",
-		    sa, extr->tdb->tdb_flags & EMT_INBOUND ? "in" : "out");
+		    "klips_debug:pfkey_getspi_parse: "
+		    "existing Tunnel Descriptor Block not found (this is good) for SA: %s, %s-bound, allocating.\n",
+		    sa_len ? sa : " (error)",
+		    extr->tdb->tdb_flags & EMT_INBOUND ? "in" : "out");
 	
 	/* XXX extr->tdb->tdb_rcvif = &(enc_softc[em->em_if].enc_if);*/
 	extr->tdb->tdb_rcvif = NULL;
@@ -1357,7 +1481,7 @@
 							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
 							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
 			      extensions_reply)
-	     && pfkey_safe_build(pfkey_sa_build(&extensions_reply[SADB_EXT_SA],
+	     && pfkey_safe_build(error = pfkey_sa_build(&extensions_reply[SADB_EXT_SA],
 						SADB_EXT_SA,
 						extr->tdb->tdb_said.spi,
 						0,
@@ -1366,13 +1490,13 @@
 						0,
 						0),
 				 extensions_reply)
-	     && pfkey_safe_build(pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
 						     SADB_EXT_ADDRESS_SRC,
 						     0, /*extr->tdb->tdb_said.proto,*/
 						     0,
 						     extr->tdb->tdb_addr_s),
 				 extensions_reply)
-	     && pfkey_safe_build(pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
 						     SADB_EXT_ADDRESS_DST,
 						     0, /*extr->tdb->tdb_said.proto,*/
 						     0,
@@ -1387,29 +1511,37 @@
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
 			    "failed to add the larval SA with error=%d.\n",
 			    error);
-		goto errlab;
+		SENDERR(-error);
 	}
+	extr->tdb = NULL;
 	
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_getspi_parse: successful for SA: %s\n", sa);
+		    "klips_debug:pfkey_getspi_parse: "
+		    "successful for SA: %s\n",
+		    sa_len ? sa : " (error)");
 	
 	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
 			    "failed to build the getspi reply message\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	for(pfkey_socketsp = pfkey_open_sockets;
 	    pfkey_socketsp;
 	    pfkey_socketsp = pfkey_socketsp->next) {
 		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
-				    "sending up getspi reply message for satype=%d to socket=%p failed with error=%d.\n",
-				    satype, pfkey_socketsp->socketp, error);
-			goto errlab;
+				    "sending up getspi reply message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
 		}
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
-			    "sending up getspi reply message for satype=%d to socket=%p succeeded.\n",
-			    satype, pfkey_socketsp->socketp);
+			    "sending up getspi reply message for satype=%d(%s) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
 	}
 
  errlab:
@@ -1426,6 +1558,7 @@
 	int error = 0;
 	struct tdb* tdbq;
 	char sa[SATOA_BUF];
+	size_t sa_len;
 	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
 	struct sadb_msg *pfkey_reply = NULL;
 	struct socket_list *pfkey_socketsp;
@@ -1447,11 +1580,12 @@
 
 	if(!extr || !extr->tdb) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_update_parse: error, extr or extr->tdb pointer NULL\n");
+			    "klips_debug:pfkey_update_parse: "
+			    "error, extr or extr->tdb pointer NULL\n");
 		SENDERR(EINVAL);
 	}
 
-	satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
+	sa_len = satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
 
 	spin_lock_bh(&tdb_lock);
 
@@ -1459,8 +1593,9 @@
 	if (!tdbq) {
 		spin_unlock_bh(&tdb_lock);
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug: pfkey_update_parse: reserved Tunnel Descriptor Block\n"
-			    "klips_debug:            for SA: %s not found.  Call SADB_GETSPI first or call SADB_ADD instead.\n", sa);
+			    "klips_debug:pfkey_update_parse: "
+			    "reserved Tunnel Descriptor Block for SA: %s not found.  Call SADB_GETSPI first or call SADB_ADD instead.\n",
+			    sa_len ? sa : " (error)");
 		SENDERR(EEXIST);
 	}
 
@@ -1469,9 +1604,10 @@
 	}
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug: pfkey_update_parse: existing Tunnel Descriptor Block found (this\n"
-		    "klips_debug:                is good) for SA: %s, %s-bound, updating.\n",
-		    sa, extr->tdb->tdb_flags & EMT_INBOUND ? "in" : "out");
+		    "klips_debug:pfkey_update_parse: "
+		    "existing Tunnel Descriptor Block found (this is good) for SA: %s, %s-bound, updating.\n",
+		    sa_len ? sa : " (error)",
+		    extr->tdb->tdb_flags & EMT_INBOUND ? "in" : "out");
 	
 	/* XXX extr->tdb->tdb_rcvif = &(enc_softc[em->em_if].enc_if);*/
 	extr->tdb->tdb_rcvif = NULL;
@@ -1479,8 +1615,8 @@
 		spin_unlock_bh(&tdb_lock);
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_update_parse: "
-			    "not successful for SA: %s, deleting.\n", sa);
-		ipsec_tdbwipe(extr->tdb);
+			    "not successful for SA: %s, deleting.\n",
+			    sa_len ? sa : " (error)");
 		SENDERR(-error);
 	}
 
@@ -1490,7 +1626,8 @@
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_update_parse: "
 			    "error=%d, trouble deleting intermediate tdb for SA=%s.\n",
-			    error, sa);
+			    error,
+			    sa_len ? sa : " (error)");
 		SENDERR(-error);
 	}
 
@@ -1587,36 +1724,45 @@
 		)) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
 			    "failed to build the update reply message extensions\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 		
 	if((error = puttdb(extr->tdb))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
-			    "failed to add the mature SA with error=%d.\n",
+			    "failed to update the mature SA=%s with error=%d.\n",
+			    sa_len ? sa : " (error)",
 			    error);
-		goto errlab;
+		SENDERR(-error);
 	}
+	extr->tdb = NULL;
 	
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_update_parse: successful for SA: %s\n", sa);
+		    "klips_debug:pfkey_update_parse: "
+		    "successful for SA: %s\n",
+		    sa_len ? sa : " (error)");
 	
 	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
 			    "failed to build the update reply message\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	for(pfkey_socketsp = pfkey_open_sockets;
 	    pfkey_socketsp;
 	    pfkey_socketsp = pfkey_socketsp->next) {
 		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
-				    "sending up update reply message for satype=%d to socket=%p failed with error=%d.\n",
-				    satype, pfkey_socketsp->socketp, error);
-			goto errlab;
+				    "sending up update reply message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
 		}
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
-			    "sending up update reply message for satype=%d to socket=%p succeeded.\n",
-			    satype, pfkey_socketsp->socketp);
+			    "sending up update reply message for satype=%d(%s) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
 	}
 	
  errlab:
@@ -1633,13 +1779,14 @@
 	int error = 0;
 	struct tdb* tdbq;
 	char sa[SATOA_BUF];
+	size_t sa_len;
 	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
 	struct sadb_msg *pfkey_reply = NULL;
 	struct socket_list *pfkey_socketsp;
 	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_add_parse: parsing add message\n");
+		    "klips_debug:pfkey_add_parse: .\n");
 
 	pfkey_extensions_init(extensions_reply);
 
@@ -1654,17 +1801,19 @@
 
 	if(!extr || !extr->tdb) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_add_parse: extr or extr->tdb pointer NULL\n");
+			    "klips_debug:pfkey_add_parse: "
+			    "extr or extr->tdb pointer NULL\n");
 		SENDERR(EINVAL);
 	}
 
-	satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
+	sa_len = satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
 
 	tdbq = gettdb(&(extr->tdb->tdb_said));
 	if (tdbq) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_add_parse: found an old Tunnel Descriptor Block\n"
-			    "klips_debug:                for SA: %s, delete it first.\n", sa);
+			    "klips_debug:pfkey_add_parse: "
+			    "found an old Tunnel Descriptor Block for SA%s, delete it first.\n",
+			    sa_len ? sa : " (error)");
 		SENDERR(EEXIST);
 	}
 
@@ -1673,18 +1822,20 @@
 	}
 
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_add_parse: existing Tunnel Descriptor Block not found (this\n"
-		    "klips_debug:                is good) for SA: %s, %s-bound, allocating.\n",
-		    sa, extr->tdb->tdb_flags & EMT_INBOUND ? "in" : "out");
+		    "klips_debug:pfkey_add_parse: "
+		    "existing Tunnel Descriptor Block not found (this is good) for SA%s, %s-bound, allocating.\n",
+		    sa_len ? sa : " (error)",
+		    extr->tdb->tdb_flags & EMT_INBOUND ? "in" : "out");
 	
 	/* XXX extr->tdb->tdb_rcvif = &(enc_softc[em->em_if].enc_if);*/
 	extr->tdb->tdb_rcvif = NULL;
 	
 	if ((error = pfkey_tdb_init(extr->tdb, extensions))) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_add_parse: not successful for SA: %s, deleting.\n", sa);
-		ipsec_tdbwipe(extr->tdb);
-		goto errlab;
+			    "klips_debug:pfkey_add_parse: "
+			    "not successful for SA: %s, deleting.\n",
+			    sa_len ? sa : " (error)");
+		SENDERR(-error);
 	}
 
 	extr->tdb->tdb_lifetime_addtime_c = jiffies / HZ;
@@ -1772,36 +1923,44 @@
 		)) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
 			    "failed to build the add reply message extensions\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 		
 	if((error = puttdb(extr->tdb))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
 			    "failed to add the mature SA with error=%d.\n",
 			    error);
-		goto errlab;
+		SENDERR(-error);
 	}
+	extr->tdb = NULL;
 	
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_add_parse: successful for SA: %s\n", sa);
+		    "klips_debug:pfkey_add_parse: "
+		    "successful for SA: %s\n",
+		    sa_len ? sa : " (error)");
 	
 	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
 			    "failed to build the add reply message\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	for(pfkey_socketsp = pfkey_open_sockets;
 	    pfkey_socketsp;
 	    pfkey_socketsp = pfkey_socketsp->next) {
 		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
-				    "sending up add reply message for satype=%d to socket=%p failed with error=%d.\n",
-				    satype, pfkey_socketsp->socketp, error);
-			goto errlab;
+				    "sending up add reply message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
 		}
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
-			    "sending up add reply message for satype=%d to socket=%p succeeded.\n",
-			    satype, pfkey_socketsp->socketp);
+			    "sending up add reply message for satype=%d(%s) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
 	}
 	
  errlab:
@@ -1817,6 +1976,7 @@
 {
 	struct tdb *tdbp;
 	char sa[SATOA_BUF];
+	size_t sa_len;
 	int error = 0;
 	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
 	struct sadb_msg *pfkey_reply = NULL;
@@ -1835,7 +1995,7 @@
 		SENDERR(EINVAL);
 	}
 
-	satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
+	sa_len = satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
 
 	spin_lock_bh(&tdb_lock);
 
@@ -1845,7 +2005,7 @@
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_delete_parse: "
 			    "Tunnel Descriptor Block not found for SA:%s, could not delete.\n",
-			    sa);
+			    sa_len ? sa : " (error)");
 		SENDERR(ESRCH);
 	}
 
@@ -1854,7 +2014,8 @@
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_delete_parse: "
 			    "error=%d returned trying to delete Tunnel Descriptor Block for SA:%s.\n",
-			    error, sa);
+			    error,
+			    sa_len ? sa : " (error)");
 		SENDERR(-error);
 	}
 	spin_unlock_bh(&tdb_lock);
@@ -1890,31 +2051,34 @@
 		)) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
 			    "failed to build the delete reply message extensions\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	
 	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
 			    "failed to build the delete reply message\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	for(pfkey_socketsp = pfkey_open_sockets;
 	    pfkey_socketsp;
 	    pfkey_socketsp = pfkey_socketsp->next) {
 		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
-				    "sending up delete reply message for satype=%d to socket=%p failed with error=%d.\n",
-				    satype, pfkey_socketsp->socketp, error);
-			goto errlab;
+				    "sending up delete reply message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
 		}
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
-			    "sending up delete reply message for satype=%d to socket=%p succeeded.\n",
-			    satype, pfkey_socketsp->socketp);
+			    "sending up delete reply message for satype=%d(%s) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
 	}
 	
  errlab:
-	ipsec_tdbwipe(extr->tdb);
-
 	if (pfkey_reply) {
 		pfkey_msg_free(&pfkey_reply);
 	}
@@ -1928,6 +2092,7 @@
 	int error = 0;
 	struct tdb *tdbp;
 	char sa[SATOA_BUF];
+	size_t sa_len;
 	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
 	struct sadb_msg *pfkey_reply = NULL;
 
@@ -1943,7 +2108,7 @@
 		SENDERR(EINVAL);
 	}
 
-	satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
+	sa_len = satoa(extr->tdb->tdb_said, 0, sa, SATOA_BUF);
 
 	spin_lock_bh(&tdb_lock);
 
@@ -1952,7 +2117,7 @@
 		spin_unlock_bh(&tdb_lock);
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
 			    "Tunnel Descriptor Block not found for SA=%s, could not get.\n",
-			    sa);
+			    sa_len ? sa : " (error)");
 		SENDERR(ESRCH);
 	}
 	
@@ -2079,7 +2244,7 @@
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
 			    "failed to build the get reply message extensions\n");
 		spin_unlock_bh(&tdb_lock);
-		goto errlab;
+		SENDERR(-error);
 	}
 		
 	spin_unlock_bh(&tdb_lock);
@@ -2087,13 +2252,13 @@
 	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
 			    "failed to build the get reply message\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	
 	if((error = pfkey_upmsg(sk->socket, pfkey_reply))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
 			    "failed to send the get reply message\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	
 	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
@@ -2117,7 +2282,7 @@
 	KLIPS_PRINT(debug_pfkey,
 		    "klips_debug:pfkey_acquire_parse: .\n");
 
-	/* I don't know if we want an upper bound, since userspace may
+	/* XXX I don't know if we want an upper bound, since userspace may
 	   want to register itself for an satype > SADB_SATYPE_MAX. */
 	if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
 		KLIPS_PRINT(debug_pfkey,
@@ -2129,8 +2294,9 @@
 
 	if(!(pfkey_registered_sockets[satype])) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
-			    "no sockets registered for SAtype=%d.\n",
-			    satype);
+			    "no sockets registered for SAtype=%d(%s).\n",
+			    satype,
+			    satype2name(satype));
 		SENDERR(EPROTONOSUPPORT);
 	}
 
@@ -2140,13 +2306,18 @@
 		if((error = pfkey_upmsg(pfkey_socketsp->socketp,
 					((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
-				    "sending up acquire reply message for satype=%d to socket=%p failed with error=%d.\n",
-				    satype, pfkey_socketsp->socketp, error);
-			goto errlab;
+				    "sending up acquire reply message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
 		}
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
-			    "sending up acquire reply message for satype=%d to socket=%p succeeded.\n",
-			    satype, pfkey_socketsp->socketp);
+			    "sending up acquire reply message for satype=%d(%s) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
 	}
 	
  errlab:
@@ -2170,7 +2341,7 @@
 
 	pfkey_extensions_init(extensions_reply);
 
-	/* I don't know if we want an upper bound, since userspace may
+	/* XXX I don't know if we want an upper bound, since userspace may
 	   want to register itself for an satype > SADB_SATYPE_MAX. */
 	if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
 		KLIPS_PRINT(debug_pfkey,
@@ -2184,8 +2355,10 @@
 				 &(pfkey_registered_sockets[satype]))) {
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_register_parse: "
-			    "SATYPE=%02d successfully registered by KMd on pid=%d.\n",
-			    satype, key_pid(sk));
+			    "SATYPE=%02d(%s) successfully registered by KMd (pid=%d).\n",
+			    satype,
+			    satype2name(satype),
+			    key_pid(sk));
 	};
 	
 	/* send up register msg with supported SATYPE algos */
@@ -2218,7 +2391,8 @@
 	if(alg_num_a) {
 		if((alg_a = kmalloc(alg_num_a * sizeof(struct sadb_alg), GFP_ATOMIC) ) == NULL) {
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug:pfkey_register_parse: auth alg memory allocation error\n");
+				    "klips_debug:pfkey_register_parse: "
+				    "auth alg memory allocation error\n");
 			SENDERR(ENOMEM);
 		}
 		alg_ap = alg_a;
@@ -2227,7 +2401,8 @@
 	if(alg_num_e) {
 		if((alg_e = kmalloc(alg_num_e * sizeof(struct sadb_alg), GFP_ATOMIC) ) == NULL) {
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug:pfkey_register_parse: enc alg memory allocation error\n");
+				    "klips_debug:pfkey_register_parse: "
+				    "enc alg memory allocation error\n");
 			SENDERR(ENOMEM);
 		}
 		alg_ep = alg_e;
@@ -2265,8 +2440,9 @@
 		}
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_register_parse: "
-			    "found satype=%d exttype=%d id=%d ivlen=%d minbits=%d maxbits=%d.\n",
+			    "found satype=%d(%s) exttype=%d id=%d ivlen=%d minbits=%d maxbits=%d.\n",
 			    satype,
+			    satype2name(satype),
 			    pfkey_supported_listp->supportedp->supported_alg_exttype,
 			    pfkey_supported_listp->supportedp->supported_alg_id,
 			    pfkey_supported_listp->supportedp->supported_alg_ivlen,
@@ -2294,26 +2470,31 @@
 					  extensions_reply) : 1))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_parse: "
 			    "failed to build the register message extensions\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	
 	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_parse: "
 			    "failed to build the register message\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	for(pfkey_socketsp = pfkey_registered_sockets[satype];
 	    pfkey_socketsp;
 	    pfkey_socketsp = pfkey_socketsp->next) {
 		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_parse: "
-				    "sending up register reply message for satype=%d to socket=%p failed with error=%d.\n",
-				    satype, pfkey_socketsp->socketp, error);
-			goto errlab;
+				    "sending up register reply message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
 		}
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_parse: "
-			    "sending up register reply message for satype=%d to socket=%p succeeded.\n",
-			    satype, pfkey_socketsp->socketp);
+			    "sending up register reply message for satype=%d(%s) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
 	}
 	
  errlab:
@@ -2343,13 +2524,18 @@
 			if((error = pfkey_upmsg(pfkey_socketsp->socketp,
 						((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
 				KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire_parse: "
-					    "sending up expire reply message for satype=%d to socket=%p failed with error=%d.\n",
-					    satype, pfkey_socketsp->socketp, error);
-				goto errlab;
+					    "sending up expire reply message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+					    satype,
+					    satype2name(satype),
+					    pfkey_socketsp->socketp,
+					    error);
+				SENDERR(-error);
 			}
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire_parse: "
-				    "sending up expire reply message for satype=%d to socket=%p succeeded.\n",
-				    satype, pfkey_socketsp->socketp);
+				    "sending up expire reply message for satype=%d(%s) to socket=%p succeeded.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp);
 		}
 	}
 
@@ -2363,14 +2549,24 @@
 	int error = 0;
 	struct socket_list *pfkey_socketsp;
 	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+	uint8_t proto = 0;
 
 	KLIPS_PRINT(debug_pfkey,
 		    "klips_debug:pfkey_flush_parse: "
 		    "flushing type %d SAs\n",
 		    satype);
 
-	if ((error = ipsec_tdbcleanup(satype)))
+	if(satype && !(proto = satype2proto(satype))) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_flush_parse: "
+			    "satype %d lookup failed.\n", 
+			    ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
+		SENDERR(EINVAL);
+	}
+
+	if ((error = ipsec_tdbcleanup(proto))) {
 		SENDERR(-error);
+	}
 
 	if(pfkey_open_sockets) {
 		for(pfkey_socketsp = pfkey_open_sockets;
@@ -2379,15 +2575,18 @@
 			if((error = pfkey_upmsg(pfkey_socketsp->socketp,
 						((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
 				KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_flush_parse: "
-					    "sending up flush reply message for satype=%d to socket=%p failed with error=%d.\n",
+					    "sending up flush reply message for satype=%d(%s) (proto=%d) to socket=%p failed with error=%d.\n",
 					    satype,
+					    satype2name(satype),
+					    proto,
 					    pfkey_socketsp->socketp,
 					    error);
-				goto errlab;
+				SENDERR(-error);
 			}
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_flush_parse: "
-				    "sending up flush reply message for satype=%d to socket=%p succeeded.\n",
+				    "sending up flush reply message for satype=%d(%s) to socket=%p succeeded.\n",
 				    satype,
+				    satype2name(satype),
 				    pfkey_socketsp->socketp);
 		}
 	}
@@ -2444,6 +2643,7 @@
 	struct socket_list *pfkey_socketsp;
 	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
 	char sa1[SATOA_BUF], sa2[SATOA_BUF];
+	size_t sa_len1, sa_len2 = 0;
 	int error = 0;
 
 	KLIPS_PRINT(debug_pfkey,
@@ -2451,33 +2651,34 @@
 
 	pfkey_extensions_init(extensions_reply);
 
-	spin_lock_bh(&tdb_lock);
-
 	if(!extr || !extr->tdb) {
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_x_grpsa_parse: "
 			    "extr or extr->tdb is NULL, fatal.\n");
-		spin_unlock_bh(&tdb_lock);
 		SENDERR(EINVAL);
 	}
 
-	satoa(extr->tdb->tdb_said, 0, sa1, SATOA_BUF);
+	sa_len1 = satoa(extr->tdb->tdb_said, 0, sa1, SATOA_BUF);
 	if(extr->tdb2) {
-		satoa(extr->tdb2->tdb_said, 0, sa2, SATOA_BUF);
+		sa_len2 = satoa(extr->tdb2->tdb_said, 0, sa2, SATOA_BUF);
 	}
 
+	spin_lock_bh(&tdb_lock);
+
 	if(!(tdb1p = gettdb(&(extr->tdb->tdb_said)))) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug: pfkey_x_grpsa_parse: reserved Tunnel Descriptor Block\n"
-			    "klips_debug:            for SA: %s not found.  Call SADB_ADD/UPDATE first.\n", sa1);
+			    "klips_debug:pfkey_x_grpsa_parse: "
+			    "reserved Tunnel Descriptor Block for SA: %s not found.  Call SADB_ADD/UPDATE first.\n",
+			    sa_len1 ? sa1 : " (error)");
 		spin_unlock_bh(&tdb_lock);
 		SENDERR(EEXIST);
 	}
 	if(extr->tdb2) { /* GRPSA */
 		if(!(tdb2p = gettdb(&(extr->tdb2->tdb_said)))) {
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug: pfkey_x_grpsa_parse: reserved Tunnel Descriptor Block\n"
-				    "klips_debug:            for SA: %s not found.  Call SADB_ADD/UPDATE first.\n", sa2);
+				    "klips_debug:pfkey_x_grpsa_parse: "
+				    "reserved Tunnel Descriptor Block for SA: %s not found.  Call SADB_ADD/UPDATE first.\n",
+				    sa_len2 ? sa2 : " (error)");
 			spin_unlock_bh(&tdb_lock);
 			SENDERR(EEXIST);
 		}
@@ -2485,15 +2686,17 @@
 		/* Is either one already linked? */
 		if(tdb1p->tdb_onext) {
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug: pfkey_x_grpsa_parse: Tunnel Descriptor Block\n"
-				    "klips_debug:                for SA: %s is already linked.\n", sa1);
+				    "klips_debug:pfkey_x_grpsa_parse: "
+				    "Tunnel Descriptor Block for SA: %s is already linked.\n",
+				    sa_len1 ? sa1 : " (error)");
 			spin_unlock_bh(&tdb_lock);
 			SENDERR(EEXIST);
 		}
 		if(tdb2p->tdb_inext) {
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug: pfkey_x_grpsa_parse: Tunnel Descriptor Block\n"
-				    "klips_debug:                for SA: %s is already linked.\n", sa2);
+				    "klips_debug:pfkey_x_grpsa_parse: "
+				    "Tunnel Descriptor Block for SA: %s is already linked.\n",
+				    sa_len2 ? sa2 : " (error)");
 			spin_unlock_bh(&tdb_lock);
 			SENDERR(EEXIST);
 		}
@@ -2527,7 +2730,7 @@
 
 	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
 							  SADB_X_GRPSA,
-							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype,
+							  satype,
 							  0,
 							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
 							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
@@ -2547,8 +2750,10 @@
 							     0,
 							     extr->tdb->tdb_addr_d),
 				 extensions_reply)
-	     && pfkey_safe_build(error = pfkey_x_satype_build(&extensions_reply[SADB_X_EXT_SATYPE2],
-							      proto2satype(extr->tdb2->tdb_said.proto)),
+	     && (extr->tdb2
+		 ? (pfkey_safe_build(error = pfkey_x_satype_build(&extensions_reply[SADB_X_EXT_SATYPE2],
+								  ((struct sadb_x_satype*)extensions[SADB_X_EXT_SATYPE2])->sadb_x_satype_satype
+								  /* proto2satype(extr->tdb2->tdb_said.proto) */),
 				 extensions_reply)
 	     && pfkey_safe_build(error = pfkey_sa_build(&extensions_reply[SADB_X_EXT_SA2],
 							SADB_X_EXT_SA2,
@@ -2564,17 +2769,17 @@
 							     0, /*extr->tdb->tdb_said.proto,*/
 							     0,
 							     extr->tdb2->tdb_addr_d),
-				 extensions_reply)
+							 extensions_reply) ) : 1 )
 		     )) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
 			    "failed to build the x_grpsa reply message extensions\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 
 	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
 			    "failed to build the x_grpsa reply message\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	
 	for(pfkey_socketsp = pfkey_open_sockets;
@@ -2582,24 +2787,28 @@
 	    pfkey_socketsp = pfkey_socketsp->next) {
 		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
-				    "sending up x_grpsa reply message for satype=%d to socket=%p failed with error=%d.\n",
-				    satype, pfkey_socketsp->socketp, error);
-			goto errlab;
+				    "sending up x_grpsa reply message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
 		}
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
-			    "sending up x_grpsa reply message for satype=%d to socket=%p succeeded.\n",
-			    satype, pfkey_socketsp->socketp);
+			    "sending up x_grpsa reply message for satype=%d(%s) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
 	}
 	
 	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
 		    "succeeded in sending x_grpsa reply message.\n");
 	
  errlab:
-	ipsec_tdbwipe(extr->tdb);
-	if(extr->tdb2) {
-		ipsec_tdbwipe(extr->tdb2);
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
 	}
-
+	pfkey_extensions_free(extensions_reply);
 	return error;
 }
 
@@ -2673,7 +2882,8 @@
 
 	if ((error = ipsec_makeroute(&(extr->eroute->er_eaddr),
 				     &(extr->eroute->er_emask),
-				     extr->tdb->tdb_said))) {
+				     extr->tdb->tdb_said,
+				     ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid))) {
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_x_addflow_parse: "
 			    "makeroute returned %d.\n", error);
@@ -2686,7 +2896,7 @@
 
 	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
 							  SADB_X_ADDFLOW,
-							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype,
+							  satype,
 							  0,
 							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
 							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
@@ -2741,13 +2951,13 @@
 		)) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
 			    "failed to build the x_addflow reply message extensions\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 		
 	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
 			    "failed to build the x_addflow reply message\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	
 	for(pfkey_socketsp = pfkey_open_sockets;
@@ -2755,22 +2965,30 @@
 	    pfkey_socketsp = pfkey_socketsp->next) {
 		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
-				    "sending up x_addflow reply message for satype=%d to socket=%p failed with error=%d.\n",
-				    satype, pfkey_socketsp->socketp, error);
-			goto errlab;
+				    "sending up x_addflow reply message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
 		}
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
-			    "sending up x_addflow reply message for satype=%d to socket=%p succeeded.\n",
-			    satype, pfkey_socketsp->socketp);
+			    "sending up x_addflow reply message for satype=%d(%s) (proto=%d) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    extr->tdb->tdb_said.proto,
+			    pfkey_socketsp->socketp);
 	}
 	
-	ipsec_tdbwipe(extr->tdb);
-
 	KLIPS_PRINT(debug_pfkey,
 		    "klips_debug:pfkey_x_addflow_parse: "
 		    "extr->tdb cleaned up and freed.\n");
 
  errlab:
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
+	}
+	pfkey_extensions_free(extensions_reply);
 	return error;
 }
 
@@ -2853,7 +3071,7 @@
 	
 	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
 							  SADB_X_DELFLOW,
-							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype,
+							  satype,
 							  0,
 							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
 							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
@@ -2894,13 +3112,13 @@
 		)) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
 			    "failed to build the x_delflow reply message extensions\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 		
 	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
 			    "failed to build the x_delflow reply message\n");
-		goto errlab;
+		SENDERR(-error);
 	}
 	
 	for(pfkey_socketsp = pfkey_open_sockets;
@@ -2908,22 +3126,29 @@
 	    pfkey_socketsp = pfkey_socketsp->next) {
 		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
-				    "sending up x_delflow reply message for satype=%d to socket=%p failed with error=%d.\n",
-				    satype, pfkey_socketsp->socketp, error);
-			goto errlab;
+				    "sending up x_delflow reply message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
 		}
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
-			    "sending up x_delflow reply message for satype=%d to socket=%p succeeded.\n",
-			    satype, pfkey_socketsp->socketp);
+			    "sending up x_delflow reply message for satype=%d(%s) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
 	}
 	
-	ipsec_tdbwipe(extr->tdb);
-
 	KLIPS_PRINT(debug_pfkey,
 		    "klips_debug:pfkey_x_delflow_parse: "
 		    "extr->tdb cleaned up and freed.\n");
 
  errlab:
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
+	}
+	pfkey_extensions_free(extensions_reply);
 	return error;
 }
 
@@ -2947,10 +3172,18 @@
 	struct sadb_msg *pfkey_msg = NULL;
 	struct socket_list *pfkey_socketsp;
 	int error = 0;
-	uint8_t satype = proto2satype(tdbp->tdb_said.proto);
+	uint8_t satype;
 
 	pfkey_extensions_init(extensions);
 
+	if(!(satype = proto2satype(tdbp->tdb_said.proto))) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_expire: "
+			    "satype lookup for protocol %d lookup failed.\n", 
+			    tdbp->tdb_said.proto);
+		SENDERR(EINVAL);
+	}
+	
 	if(!pfkey_open_sockets) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
 			    "no sockets listening.\n");
@@ -3007,16 +3240,16 @@
 							      0,
 							      tdbp->tdb_addr_d),
 				  extensions))) {
-		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: failed to "
-			    "build the expire message extensions\n");
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
+			    "failed to build the expire message extensions\n");
 		spin_unlock(&tdb_lock);
 		goto errlab;
 	}
 	
 	if ((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_OUT))) {
-		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: failed to "
-			    "build the expire message\n");
-		goto errlab;
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
+			    "failed to build the expire message\n");
+		SENDERR(-error);
 	}
 	
 	for(pfkey_socketsp = pfkey_open_sockets;
@@ -3024,13 +3257,19 @@
 	    pfkey_socketsp = pfkey_socketsp->next) {
 		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_msg))) {
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
-				    "sending up expire message for satype=%d to socket=%p failed with error=%d.\n",
-				    satype, pfkey_socketsp->socketp, error);
-			goto errlab;
+				    "sending up expire message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
 		}
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
-			    "sending up expire message for satype=%d to socket=%p succeeded.\n",
-			    satype, pfkey_socketsp->socketp);
+			    "sending up expire message for satype=%d(%s) (proto=%d) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    tdbp->tdb_said.proto,
+			    pfkey_socketsp->socketp);
 	}
 	
  errlab:
@@ -3053,6 +3292,14 @@
 		/* auth_minbits; auth_maxbits; encrypt_minbits; encrypt_maxbits; */
 		/* reserved; soft_allocations; hard_allocations; soft_bytes; hard_bytes; */
 		/* soft_addtime; hard_addtime; soft_usetime; hard_usetime; */
+		{ SADB_AALG_MD5HMAC,  SADB_EALG_DESCBC, SADB_SAFLAGS_PFS,
+		  128, 128, 56, 56,
+		  0, 0, 0, 0, 0,
+		  57600, 86400, 57600, 86400 },
+		{ SADB_AALG_SHA1HMAC, SADB_EALG_DESCBC, SADB_SAFLAGS_PFS,
+		  160, 160, 56, 56,
+		  0, 0, 0, 0, 0,
+		  57600, 86400, 57600, 86400 },
 		{ SADB_AALG_MD5HMAC,  SADB_EALG_3DESCBC, SADB_SAFLAGS_PFS,
 		  128, 128, 168, 168,
 		  0, 0, 0, 0, 0,
@@ -3063,7 +3310,7 @@
 		  57600, 86400, 57600, 86400 }
 	};
        
-	/* This should not be hard-coded.  It should be taken from the spdb */
+	/* XXX This should not be hard-coded.  It should be taken from the spdb */
 	uint8_t satype = SADB_SATYPE_ESP;
 
 	pfkey_extensions_init(extensions);
@@ -3077,8 +3324,9 @@
 
 	if(!(pfkey_registered_sockets[satype])) {
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: "
-			    "no sockets registered for SAtype=%d.\n",
-			    satype);
+			    "no sockets registered for SAtype=%d(%s).\n",
+			    satype,
+			    satype2name(satype));
 		SENDERR(EPROTONOSUPPORT);
 	}
 	
@@ -3146,15 +3394,15 @@
 							   &(comb[0])),
 				  extensions)
 		)) {
-		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: failed to "
-			    "build the acquire message extensions\n");
-		goto errlab;
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: "
+			    "failed to build the acquire message extensions\n");
+		SENDERR(-error);
 	}
 	
 	if ((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_OUT))) {
-		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: failed to "
-			    "build the acquire message\n");
-		goto errlab;
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: "
+			    "failed to build the acquire message\n");
+		SENDERR(-error);
 	}
 	
 	/* this should go to all registered sockets for that satype only */
@@ -3163,13 +3411,18 @@
 	    pfkey_socketsp = pfkey_socketsp->next) {
 		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_msg))) {
 			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: "
-				    "sending up acquire message for satype=%d to socket=%p failed with error=%d.\n",
-				    satype, pfkey_socketsp->socketp, error);
-			goto errlab;
+				    "sending up acquire message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
 		}
 		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: "
-			    "sending up acquire message for satype=%d to socket=%p succeeded.\n",
-			    satype, pfkey_socketsp->socketp);
+			    "sending up acquire message for satype=%d(%s) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
 	}
 	
  errlab:
@@ -3243,12 +3496,13 @@
 	int msg_type = pfkey_msg->sadb_msg_type;
 	int seq = pfkey_msg->sadb_msg_seq;
 
-	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: building reply"
-					" with type: %d\n", msg_type);
+	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
+		    "building reply with type: %d\n",
+		    msg_type);
 	pfkey_extensions_init(extensions);
 	if (!extr || !extr->tdb) {
-			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: bad TDB"
-							"passed\n");
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
+				    "bad TDB passed\n");
 			return EINVAL;
 	}
 	error = pfkey_safe_build(pfkey_msg_hdr_build(&extensions[0],
@@ -3302,10 +3556,13 @@
 		return EINVAL;
 	}
 
-	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: built extensions"
-		    ", proceed to build the message\n");
-	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: extensions[1]="
-		    " %p\n", extensions[1]);
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_build_reply: "
+		    "built extensions, proceed to build the message\n");
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_build_reply: "
+		    "extensions[1]= %p\n",
+		    extensions[1]);
 	error = pfkey_msg_build(pfkey_reply, extensions, EXT_BITS_OUT);
 	pfkey_extensions_free(extensions);
 
@@ -3323,12 +3580,13 @@
 	
 	pfkey_extensions_init(extensions);
 	KLIPS_PRINT(debug_pfkey,
-		    "klips_debug:pfkey_msg_interp: parsing message "
-		    "ver=%d, type=%d, errno=%d, satype=%d, len=%d, res=%d, seq=%d, pid=%d.\n", 
+		    "klips_debug:pfkey_msg_interp: "
+		    "parsing message ver=%d, type=%d, errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n", 
 		    pfkey_msg->sadb_msg_version,
 		    pfkey_msg->sadb_msg_type,
 		    pfkey_msg->sadb_msg_errno,
 		    pfkey_msg->sadb_msg_satype,
+		    satype2name(pfkey_msg->sadb_msg_satype),
 		    pfkey_msg->sadb_msg_len,
 		    pfkey_msg->sadb_msg_reserved,
 		    pfkey_msg->sadb_msg_seq,
@@ -3337,18 +3595,22 @@
 	if((error = pfkey_alloc_tdb(&(extr.tdb)))) {
 		KLIPS_PRINT(debug_pfkey,
 			    "klips_debug:pfkey_msg_interp: "
-			    "something's really wrong, extr.tdb=%p should be NULL.\n", extr.tdb);
+			    "something's really wrong, extr.tdb=%p should be NULL.\n",
+			    extr.tdb);
 		SENDERR(-error);
 	}
 
 	KLIPS_PRINT(debug_pfkey,
 		    "klips_debug:pfkey_msg_interp: "
-		    "allocated extr->tdb=%p.\n", extr.tdb);
+		    "allocated extr->tdb=%p.\n",
+		    extr.tdb);
 	
 	if(pfkey_msg->sadb_msg_satype > SADB_SATYPE_MAX) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_msg_interp: satype %d > max %d\n", 
-			    pfkey_msg->sadb_msg_satype, SADB_SATYPE_MAX);
+			    "klips_debug:pfkey_msg_interp: "
+			    "satype %d > max %d\n", 
+			    pfkey_msg->sadb_msg_satype,
+			    SADB_SATYPE_MAX);
 		SENDERR(EINVAL);
 	}
 	
@@ -3358,16 +3620,21 @@
 	case SADB_ADD:
 	case SADB_DELETE:
 	case SADB_X_GRPSA:
+	case SADB_X_ADDFLOW:
 		if(!(extr.tdb->tdb_said.proto = satype2proto(pfkey_msg->sadb_msg_satype))) {
 			KLIPS_PRINT(debug_pfkey,
-				    "klips_debug:pfkey_msg_interp: satype %d lookup failed.\n", 
+				    "klips_debug:pfkey_msg_interp: "
+				    "satype %d lookup failed.\n", 
 				    pfkey_msg->sadb_msg_satype);
 			SENDERR(EINVAL);
+		} else {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_msg_interp: "
+				    "satype %d lookups to proto=%d.\n", 
+				    pfkey_msg->sadb_msg_satype,
+				    extr.tdb->tdb_said.proto);
 		}
 		break;
-	case SADB_X_ADDFLOW:
-		extr.tdb->tdb_said.proto = satype2proto(pfkey_msg->sadb_msg_satype);
-		break;
 	default:
 	}
 	
@@ -3376,7 +3643,8 @@
 	if((error = pfkey_msg_parse(pfkey_msg, NULL, extensions, EXT_BITS_IN)))
 	{
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_msg_interp: message parsing failed with error %d.\n",
+			    "klips_debug:pfkey_msg_interp: "
+			    "message parsing failed with error %d.\n",
 			    error); 
 		SENDERR(-error);
 	}
@@ -3390,8 +3658,10 @@
 				    i, extensions[i], ext_processors[i]);
 			if((error = ext_processors[i](extensions[i], &extr))) {
 				KLIPS_PRINT(debug_pfkey,
-					    "klips_debug:pfkey_msg_interp: extension processing for type %d failed with error %d.\n",
-					    i,error); 
+					    "klips_debug:pfkey_msg_interp: "
+					    "extension processing for type %d failed with error %d.\n",
+					    i,
+					    error); 
 				SENDERR(-error);
 			}
 			
@@ -3407,7 +3677,8 @@
 		    msg_parsers[pfkey_msg->sadb_msg_type]); 
 	if((error = msg_parsers[pfkey_msg->sadb_msg_type](sk, extensions, &extr))) {
 		KLIPS_PRINT(debug_pfkey,
-			    "klips_debug:pfkey_msg_interp: message parsing failed with error %d.\n",
+			    "klips_debug:pfkey_msg_interp: "
+			    "message parsing failed with error %d.\n",
 			    error); 
 		SENDERR(-error);
 	}
@@ -3419,13 +3690,76 @@
 	}
 #endif	
  errlab:
+	if(extr.tdb != NULL) {
+		ipsec_tdbwipe(extr.tdb);
+	}
+	if(extr.tdb2 != NULL) {
+		ipsec_tdbwipe(extr.tdb2);
+	}
+	if (extr.eroute != NULL) {
+		kfree(extr.eroute);
+	}
 	return(error);
 }
 
 /*
  * $Log: pfkey_v2_parser.c,v $
- * Revision 1.68.2.1  2001/02/27 00:51:01  henry
- * message improvements
+ * Revision 1.82  2001/05/30 08:14:04  rgb
+ * Removed vestiges of esp-null transforms.
+ *
+ * Revision 1.81  2001/05/27 06:12:12  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
+ * Revision 1.80  2001/05/03 19:43:59  rgb
+ * Check error return codes for all build function calls.
+ * Standardise on SENDERR() macro.
+ *
+ * Revision 1.79  2001/04/20 21:09:16  rgb
+ * Cleaned up fixed tdbwipes.
+ * Free pfkey_reply and clean up extensions_reply for grpsa, addflow and
+ * delflow (Per Cederqvist) plugging memleaks.
+ *
+ * Revision 1.78  2001/04/19 19:02:39  rgb
+ * Fixed extr.tdb freeing, stealing it for getspi, update and add.
+ * Refined a couple of spinlocks, fixed the one in update.
+ *
+ * Revision 1.77  2001/04/18 20:26:16  rgb
+ * Wipe/free eroute and both tdbs from extr at end of pfkey_msg_interp()
+ * instead of inside each message type parser.  This fixes two memleaks.
+ *
+ * Revision 1.76  2001/04/17 23:51:18  rgb
+ * Quiet down pfkey_x_debug_process().
+ *
+ * Revision 1.75  2001/03/29 01:55:05  rgb
+ * Fixed pfkey key init memleak.
+ * Fixed pfkey encryption key debug output.
+ *
+ * Revision 1.74  2001/03/27 05:29:14  rgb
+ * Debug output cleanup/silencing.
+ *
+ * Revision 1.73  2001/02/28 05:03:28  rgb
+ * Clean up and rationalise startup messages.
+ *
+ * Revision 1.72  2001/02/27 22:24:56  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.71  2001/02/27 06:59:30  rgb
+ * Added satype2name() conversions most places satype is debug printed.
+ *
+ * Revision 1.70  2001/02/26 22:37:08  rgb
+ * Fixed 'unknown proto' INT bug in new code.
+ * Added satype to protocol debugging instrumentation.
+ *
+ * Revision 1.69  2001/02/26 19:57:51  rgb
+ * Re-formatted debug output (split lines, consistent spacing).
+ * Fixed as yet undetected FLUSH bug which called ipsec_tdbcleanup()
+ * with an satype instead of proto.
+ * Checked for satype consistency and fixed minor bugs.
+ * Fixed undetected ungrpspi bug that tried to upmsg a second tdb.
+ * Check for satype sanity in pfkey_expire().
+ * Added satype sanity check to addflow.
  *
  * Revision 1.68  2001/02/12 23:14:40  rgb
  * Remove double spin lock in pfkey_expire().
@@ -3570,9 +3904,6 @@
  *
  * Revision 1.36  2000/08/15 15:41:55  rgb
  * Fixed the (as yet unused and untested) pfkey_getspi() routine.
- *
- * Revision 1.35  2000/08/01 14:51:52  rgb
- * Removed _all_ remaining traces of DES.
  *
  * Revision 1.34  2000/07/28 14:58:32  rgb
  * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
diff -bruN freeswan-1.9.orig/klips/net/ipsec/radij.c freeswan-1.9/klips/net/ipsec/radij.c
--- freeswan-1.9.orig/klips/net/ipsec/radij.c	Sun Nov  5 23:35:21 2000
+++ freeswan-1.9/klips/net/ipsec/radij.c	Mon Jun  4 11:34:31 2001
@@ -1,4 +1,4 @@
-char radij_c_version[] = "RCSID $Id: radij.c,v 1.31 2000/11/06 04:35:21 rgb Exp $";
+char radij_c_version[] = "RCSID $Id: radij.c,v 1.34 2001/05/03 19:44:26 rgb Exp $";
 
 /*
  * This file is defived from ${SRC}/sys/net/radix.c of BSD 4.4lite
@@ -213,7 +213,8 @@
 	 * See if we match exactly as a host destination
 	 */
 	KLIPS_PRINT(debug_radij,
-		    "klips_debug:rj_match: * See if we match exactly as a host destination\n");
+		    "klips_debug:rj_match: "
+		    "* See if we match exactly as a host destination\n");
 	
 	cp += off; cp2 = t->rj_key + off; cplim = v + vlen;
 	for (; cp < cplim; cp++, cp2++)
@@ -230,7 +231,8 @@
 	matched_off = cp - v;
 	saved_t = t;
 	KLIPS_PRINT(debug_radij,
-		    "klips_debug:rj_match: ** try to match a leaf, t=0x%p\n", t);
+		    "klips_debug:rj_match: "
+		    "** try to match a leaf, t=0x%p\n", t);
 	do {
 	    if (t->rj_mask) {
 		/*
@@ -251,13 +253,17 @@
 	t = saved_t;
 	/* start searching up the tree */
 	KLIPS_PRINT(debug_radij,
-		    "klips_debug:rj_match: *** start searching up the tree, t=0x%p\n", t);
+		    "klips_debug:rj_match: "
+		    "*** start searching up the tree, t=0x%p\n",
+		    t);
 	do {
 		register struct radij_mask *m;
 		
 		t = t->rj_p;
 		KLIPS_PRINT(debug_radij,
-			    "klips_debug:rj_match: **** t=0x%p\n", t);
+			    "klips_debug:rj_match: "
+			    "**** t=0x%p\n",
+			    t);
 		if ((m = t->rj_mklist)) {
 			/*
 			 * After doing measurements here, it may
@@ -271,7 +277,9 @@
 				cp2 = mstart;
 				cp3 = m->rm_mask + off;
 				KLIPS_PRINT(debug_radij,
-					    "klips_debug:rj_match: ***** cp2=0x%p cp3=0x%p\n", cp2, cp3);
+					    "klips_debug:rj_match: "
+					    "***** cp2=0x%p cp3=0x%p\n",
+					    cp2, cp3);
 				for (cp = v + off; cp < cplim;)
 					*cp2++ =  *cp++ & *cp3++;
 				x = rj_search(maskedKey, t);
@@ -285,7 +293,8 @@
 		}
 	} while (t != top);
 	KLIPS_PRINT(debug_radij,
-		    "klips_debug:rj_match: ***** not found.\n");
+		    "klips_debug:rj_match: "
+		    "***** not found.\n");
 	return 0;
 };
 		
@@ -363,7 +372,7 @@
 	} while (b > (unsigned) x->rj_b); /* x->rj_b < b && x->rj_b >= 0 */
 #ifdef RJ_DEBUG
 	if (rj_debug)
-		printk("klips_debug:Going In:\n"), traverse(p);
+		printk("klips_debug:rj_insert: Going In:\n"), traverse(p);
 #endif /* RJ_DEBUG */
 	t = rj_newpair(v_arg, b, nodes); tt = t->rj_l;
 	if ((cp[p->rj_off] & p->rj_bmask) == 0)
@@ -378,7 +387,7 @@
 	}
 #ifdef RJ_DEBUG
 	if (rj_debug)
-		printk("klips_debug:Coming out:\n"), traverse(p);
+		printk("klips_debug:rj_insert: Coming out:\n"), traverse(p);
 #endif /* RJ_DEBUG */
     }
 	return (tt);
@@ -460,7 +469,7 @@
 		if (Bcmp(netmask, x->rj_key, mlen) != 0) {
 			x = rj_addmask(netmask, 0, top->rj_off);
 			if (x == 0)
-				return /* (0) rgb */ ENOMEM;
+				return /* (0) rgb */ -ENOMEM;
 		}
 		netmask = x->rj_key;
 		b = -1 - x->rj_b;
@@ -472,7 +481,7 @@
 	if (keyduplicated) {
 		do {
 			if (tt->rj_mask == netmask)
-				return /* (0) rgb */ ENXIO;
+				return /* (0) rgb */ -ENXIO;
 			t = tt;
 			if (netmask == 0 ||
 			    (tt->rj_mask && rj_refines(netmask, tt->rj_mask)))
@@ -569,7 +578,8 @@
 	}
 	MKGet(m);
 	if (m == 0) {
-		printk("klips_debug:Mask for route not entered\n");
+		printk("klips_debug:rj_addroute: "
+		       "Mask for route not entered\n");
 		return /* (tt) rgb */ 0;
 	}
 	Bzero(m, sizeof *m);
@@ -617,7 +627,8 @@
 	if (tt->rj_mask == 0 || (saved_m = m = tt->rj_mklist) == 0)
 		goto on1;
 	if (m->rm_mask != tt->rj_mask) {
-		printk("klips_debug:rj_delete: inconsistent annotation\n");
+		printk("klips_debug:rj_delete: "
+		       "inconsistent annotation\n");
 		goto on1;
 	}
 	if (--m->rm_refs >= 0)
@@ -637,7 +648,8 @@
 			break;
 		}
 	if (m == 0)
-		printk("klips_debug:rj_delete: couldn't find our annotation\n");
+		printk("klips_debug:rj_delete: "
+		       "couldn't find our annotation\n");
 on1:
 	/*
 	 * Eliminate us from tree
@@ -658,7 +670,8 @@
 			for (x = p = saved_tt; p && p->rj_dupedkey != tt;)
 				p = p->rj_dupedkey;
 			if (p) p->rj_dupedkey = tt->rj_dupedkey;
-			else printk("klips_debug:rj_delete: couldn't find us\n");
+			else printk("klips_debug:rj_delete: "
+				       "couldn't find us\n");
 		}
 		t = tt + 1;
 		if  (t->rj_flags & RJF_ACTIVE) {
@@ -691,8 +704,8 @@
 					x->rj_mklist = 0;
 					MKFree(m);
 				} else 
-					printk("klips_debug:%s %p at %p\n",
-					    "rj_delete: Orphaned Mask", m, x);
+					printk("klips_debug:rj_delete: "
+					    "Orphaned Mask %p at %p\n", m, x);
 				m = mm;
 			}
 		}
@@ -729,7 +742,7 @@
 	register struct radij_node *rn;
 
 	if(!h || !f /* || !w */) {
-		return -1;
+		return -ENODATA;
 	}
 
 	rn = h->rnh_treetop;
@@ -744,9 +757,14 @@
 	for (;;) {
 #ifdef CONFIG_IPSEC_DEBUG
 		if(debug_radij) {
-			printk("klips_debug:RN_WALKTREE: for: rn=%p rj_b=%d rj_flags=%x", rn, rn->rj_b, rn->rj_flags);
+			printk("klips_debug:rj_walktree: "
+			       "for: rn=%p rj_b=%d rj_flags=%x",
+			       rn,
+			       rn->rj_b,
+			       rn->rj_flags);
 			rn->rj_b >= 0 ?
-				printk(" node off=%x\n", rn->rj_off) :
+				printk(" node off=%x\n",
+				       rn->rj_off) :
 				printk(" leaf key = %08x->%08x\n",
 				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
 				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr))
@@ -763,9 +781,14 @@
 		next = rn;
 #ifdef CONFIG_IPSEC_DEBUG
 		if(debug_radij) {
-			printk("klips_debug:RN_WALKTREE: processing leaves, rn=%p rj_b=%d rj_flags=%x", rn, rn->rj_b, rn->rj_flags);
+			printk("klips_debug:rj_walktree: "
+			       "processing leaves, rn=%p rj_b=%d rj_flags=%x",
+			       rn,
+			       rn->rj_b,
+			       rn->rj_flags);
 			rn->rj_b >= 0 ?
-				printk(" node off=%x\n", rn->rj_off) :
+				printk(" node off=%x\n",
+				       rn->rj_off) :
 				printk(" leaf key = %08x->%08x\n",
 				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
 				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr))
@@ -777,10 +800,15 @@
 			base = rn->rj_dupedkey;
 #ifdef CONFIG_IPSEC_DEBUG
 			if(debug_radij) {
-				printk("klips_debug:RN_WALKTREE: while: base=%p rn=%p rj_b=%d rj_flags=%x",
-				       base, rn, rn->rj_b, rn->rj_flags);
+				printk("klips_debug:rj_walktree: "
+				       "while: base=%p rn=%p rj_b=%d rj_flags=%x",
+				       base,
+				       rn,
+				       rn->rj_b,
+				       rn->rj_flags);
 				rn->rj_b >= 0 ?
-					printk(" node off=%x\n", rn->rj_off) :
+					printk(" node off=%x\n",
+					       rn->rj_off) :
 					printk(" leaf key = %08x->%08x\n",
 					       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
 					       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr))
@@ -807,7 +835,7 @@
 	if (*head)
 		return (1);
 	R_Malloc(rnh, struct radij_node_head *, sizeof (*rnh));
-	if (rnh == 0)
+	if (rnh == NULL)
 		return (0);
 	Bzero(rnh, sizeof (*rnh));
 	*head = rnh;
@@ -834,7 +862,8 @@
 	char *cp, *cplim;
 
 	if (maj_keylen == 0) {
-		printk("klips_debug:rj_init: radij functions require maj_keylen be set\n");
+		printk("klips_debug:rj_init: "
+		       "radij functions require maj_keylen be set\n");
 		return;
 	}
 	R_Malloc(rj_zeroes, char *, 3 * maj_keylen);
@@ -855,7 +884,8 @@
 	int i;
 	
 	if (rn == NULL){
-		printk("klips_debug:rj_preorder: NULL pointer\n");
+		printk("klips_debug:rj_preorder: "
+		       "NULL pointer\n");
 		return;
 	}
 	
@@ -865,27 +895,29 @@
 		printk("klips_debug:");
 		for (i=0; irj_off);
+		printk(" off = %d\n",
+		       rn->rj_off);
 	} else {
 		printk("klips_debug:");
 		for (i=0; irj_flags);
+		printk(" flags = %x",
+		       (u_int)rn->rj_flags);
 		if (rn->rj_flags & RJF_ACTIVE) {
-			printk(" @key = %p", rn->rj_key);
-			
+			printk(" @key = %p",
+			       rn->rj_key);
 			printk(" key = %08x->%08x",
 			       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
 			       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr));
-
-			printk(" @mask = %p", rn->rj_mask);
+			printk(" @mask = %p",
+			       rn->rj_mask);
 			if (rn->rj_mask)
 				printk(" mask = %08x->%08x",
 				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_mask)->sen_ip_src.s_addr),
 				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_mask)->sen_ip_dst.s_addr));
-		
 			if (rn->rj_dupedkey)
-				printk(" dupedkey = %08x", (u_int)rn->rj_dupedkey);
+				printk(" dupedkey = %08x",
+				       (u_int)rn->rj_dupedkey);
 		}
 		printk("\n");
 	}
@@ -951,6 +983,16 @@
 
 /*
  * $Log: radij.c,v $
+ * Revision 1.34  2001/05/03 19:44:26  rgb
+ * Fix sign of error return codes for rj_addroute().
+ *
+ * Revision 1.33  2001/02/27 22:24:56  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.32  2001/02/27 06:23:15  rgb
+ * Debug line splitting.
+ *
  * Revision 1.31  2000/11/06 04:35:21  rgb
  * Clear table *before* releasing other items in radijcleanup.
  *
diff -bruN freeswan-1.9.orig/klips/net/ipsec/sysctl_net_ipsec.c freeswan-1.9/klips/net/ipsec/sysctl_net_ipsec.c
--- freeswan-1.9.orig/klips/net/ipsec/sysctl_net_ipsec.c	Fri Sep 15 21:50:15 2000
+++ freeswan-1.9/klips/net/ipsec/sysctl_net_ipsec.c	Mon Jun  4 11:34:31 2001
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: sysctl_net_ipsec.c,v 1.10 2000/09/16 01:50:15 rgb Exp $
+ * RCSID $Id: sysctl_net_ipsec.c,v 1.11 2001/02/26 19:58:13 rgb Exp $
  */
 
 /* -*- linux-c -*-
@@ -44,9 +44,7 @@
 #endif /* CONFIG_IPSEC_DEBUG */
 
 extern int sysctl_ipsec_icmp;
-extern int sysctl_ipsec_no_eroute_pass;
 extern int sysctl_ipsec_inbound_policy_check;
-extern int sysctl_ipsec_opportunistic;
 extern int sysctl_ipsec_tos;
 
 enum {
@@ -65,10 +63,8 @@
 	NET_IPSEC_DEBUG_IPCOMP=12,
 #endif /* CONFIG_IPSEC_DEBUG */
 	NET_IPSEC_ICMP=13,
-	NET_IPSEC_NO_EROUTE_PASS=14,
-	NET_IPSEC_INBOUND_POLICY_CHECK=15,
-	NET_IPSEC_OPPORTUNISTIC=16,
-	NET_IPSEC_TOS=17
+	NET_IPSEC_INBOUND_POLICY_CHECK=14,
+	NET_IPSEC_TOS=15
 };
 
 static ctl_table ipsec_table[] = {
@@ -102,12 +98,8 @@
 #endif /* CONFIG_IPSEC_DEBUG */
 	{ NET_IPSEC_ICMP, "icmp", &sysctl_ipsec_icmp,
 	  sizeof(int), 0644, NULL, &proc_dointvec},    
-	{ NET_IPSEC_NO_EROUTE_PASS, "no_eroute_pass", &sysctl_ipsec_no_eroute_pass,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
 	{ NET_IPSEC_INBOUND_POLICY_CHECK, "inbound_policy_check", &sysctl_ipsec_inbound_policy_check,
 	  sizeof(int), 0644, NULL, &proc_dointvec},    
-	{ NET_IPSEC_OPPORTUNISTIC, "opportunistic", &sysctl_ipsec_opportunistic,
-	  sizeof(int), 0644, NULL, &proc_dointvec},    
 	{ NET_IPSEC_TOS, "tos", &sysctl_ipsec_tos,
 	  sizeof(int), 0644, NULL, &proc_dointvec},    
 	{0}
@@ -143,6 +135,9 @@
 
 /*
  * $Log: sysctl_net_ipsec.c,v $
+ * Revision 1.11  2001/02/26 19:58:13  rgb
+ * Drop sysctl_ipsec_{no_eroute_pass,opportunistic}, replaced by magic SAs.
+ *
  * Revision 1.10  2000/09/16 01:50:15  rgb
  * Protect sysctl_ipsec_debug_ipcomp with compiler defines too so that the
  * linker won't blame rj_delete() for missing symbols.  ;->  Damn statics...
diff -bruN freeswan-1.9.orig/klips/net/ipsec/version.c freeswan-1.9/klips/net/ipsec/version.c
--- freeswan-1.9.orig/klips/net/ipsec/version.c	Mon Feb 26 18:56:08 2001
+++ freeswan-1.9/klips/net/ipsec/version.c	Thu Jun  7 14:53:47 2001
@@ -1,2 +1,2 @@
-/* silly pointless RCSID $Id: version.c,v 1.17.2.1 2001/02/26 23:56:08 henry Exp $ */
-static const char freeswan_version[] = "1.9";
+/* silly pointless RCSID $Id: version.c,v 1.19 2001/05/30 13:02:20 henry Exp $ */
+static const char freeswan_version[] = "FreeSWAN-1.9-pkix2";
diff -bruN freeswan-1.9.orig/klips/test/ipsec.funcs freeswan-1.9/klips/test/ipsec.funcs
--- freeswan-1.9.orig/klips/test/ipsec.funcs	Wed Dec 31 19:00:00 1969
+++ freeswan-1.9/klips/test/ipsec.funcs	Mon Jun  4 11:34:31 2001
@@ -0,0 +1,209 @@
+#!/bin/sh
+#
+# ipsec.func	This file contains functions for use by klips/test
+#		shell scripts.
+# Version:	0.0
+#
+# Author:	Richard Guy Briggs, 
+#
+# Default search path:
+export PATH="/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin"
+#
+# The following (environment) variables are expected to be set before
+# calling these functions as apropriate.
+#
+# net1=
+# net2=
+# gw1=
+# gw2=
+# h_mask=
+# n_mask=
+# ipsec_dev=
+# phys_dev=
+## iv=
+## esp_key=
+## ah_key=
+#
+# xform1a=
+# xform1b=
+# xform1c=
+# xform2a=
+# xform2b=
+# xform2c=
+#
+# spi1a=
+# spi1b=
+# spi1c=
+# spi2a=
+# spi2b=
+# spi2c=
+#
+
+# Setup module and interface
+#
+ipsec_setup() {
+	# Load the module
+	depmod -a
+	modprobe ipsec
+	# Attach and configure the interface
+	tncfg attach $ipsecdev $physdev
+	ifconfig $ipsecdev $gw1 
+}
+#
+# Clean up and unload the module
+ipsec_unload() {
+	ifconfig ipsec0 down
+	ifconfig ipsec1 down
+	rmmod ipsec
+}
+#
+# Display configuration from /proc/net/ipsec* filesystem.
+#
+ipsec_proc() {
+	echo /proc/net/ipsec-spi
+	cat /proc/net/ipsec-spi
+	echo
+	echo /proc/net/ipsec-route
+	cat /proc/net/ipsec-route
+}
+#
+# Setup a secure connection
+#
+ipsec_setconn() {
+case "$1" in
+	# Transport mode
+	trespah)
+		spi $gw1 $spi1a esp $xform1a i \
+			$iv $esp_key
+
+		route del $gw2
+		route add -host $gw2 dev ipsec0
+
+		eroute add $gw1 $hmask \
+			$gw2 $hmask \
+			$gw2 $spi2a
+		spi $gw2 $spi2a esp $xform2a i \
+			$iv $esp_key
+		;;
+	trespahdel)
+		spi $gw1 $spi1a del
+
+		spi $gw2 $spi2a del
+
+		eroute del $gw1 $hmask $gw2 $hmask
+
+		route del $gw2
+		;;
+	trah)
+		spi $gw1 $spi1a ah $xform1a $ah_key
+
+		route del $gw2
+		route add -host $gw2 dev ipsec0
+
+		eroute add $gw1 $hmask \
+			$gw2 $hmask \
+			$gw2 $spi2a
+		spi $gw2 $spi2a ah $xform2a $ah_key
+		;;
+	tresp)
+		spi $gw1 $spi1a esp $xform1a $iv $esp_key
+
+		route del $gw2
+		route add -host $gw2 dev ipsec0
+
+		eroute add $gw1 $hmask \
+			$gw2 $hmask \
+			$gw2 $spi2a
+		spi $gw2 $spi2a esp $xform2a $iv $esp_key
+		;;
+	# Tunnel mode
+	tu)
+		# return path
+		spi $gw1 $spi1b esp $xform1b $iv $esp_key
+		spi $gw1 $spi1c ah $xform1c $ah_key
+
+		route del $net2
+		route add -net $net2 dev ipsec0 gw $gw2
+
+		# forward path
+		eroute add $net1 $nmask \
+			$net2 $nmask \
+			$gw2 $spi2a
+
+		spi $gw2 $spi2a $xform2a \
+			$gw1 $gw2
+		spi $gw2 $spi2b esp $xform2b $iv $esp_key
+		spi $gw2 $spi2c ah $xform2c $ah_key
+
+		spigrp $gw2 $spi2a \
+			$gw2 $spi2b \
+			$gw2 $spi2c
+		;;
+	turoad)
+		# return path
+		spi $gw1 $spi1b esp $xform1b $iv $esp_key
+		spi $gw1 $spi1c ah $xform1c $ah_key
+
+		route del $gw2
+		route add -host $gw2 dev ipsec0 gw $gw2a
+
+		# forward path
+		eroute add $net1 $nmask \
+			$gw2 $hmask \
+			$gw2 $spi2a
+
+		spi $gw2 $spi2a $xform2a \
+			$gw1 $gw2
+		spi $gw2 $spi2b esp $xform2b $iv $esp_key
+		spi $gw2 $spi2c ah $xform2c $ah_key
+
+		spigrp $gw2 $spi2a \
+			$gw2 $spi2b \
+			$gw2 $spi2c
+		;;
+	turoad2)
+		# return path
+		spi $gw1 $spi1b esp $xform1b $iv $esp_key
+		spi $gw1 $spi1c ah $xform1c $ah_key
+
+		route del $net2
+		route add -net $net2 dev ipsec0 gw $gw2
+
+		# forward path
+		eroute add $gw1 $hmask \
+			$net2 $nmask \
+			$gw2 $spi2a
+
+		spi $gw2 $spi2a $xform2a \
+			$gw1 $gw2
+		spi $gw2 $spi2b esp $xform2b $iv $esp_key
+		spi $gw2 $spi2c ah $xform2c $ah_key
+
+		spigrp $gw2 $spi2a \
+			$gw2 $spi2b \
+			$gw2 $spi2c
+		;;
+	tugw)
+		# return path
+		spi $gw1 $spi1b esp $xform1b $iv $esp_key
+		spi $gw1 $spi1c ah $xform1c $ah_key
+
+		route del $gw2
+		route add -host $gw2 dev ipsec0
+
+		# forward path
+		eroute add $gw1 $hmask \
+			$gw2 $hmask \
+			$gw2 $spi2a
+
+		spi $gw2 $spi2a $xform2a \
+			$gw1 $gw2
+		spi $gw2 $spi2b esp $xform2b $iv $esp_key
+		spi $gw2 $spi2c ah $xform2c $ah_key
+
+		spigrp $gw2 $spi2a \
+			$gw2 $spi2b \
+			$gw2 $spi2c
+		;;
+esac
+}
diff -bruN freeswan-1.9.orig/klips/utils/Makefile freeswan-1.9/klips/utils/Makefile
--- freeswan-1.9.orig/klips/utils/Makefile	Fri Jun 30 02:20:25 2000
+++ freeswan-1.9/klips/utils/Makefile	Mon Jun  4 11:34:31 2001
@@ -30,8 +30,8 @@
 CFLAGS+= -Wbad-function-cast 
 
 ALL=spi eroute spigrp tncfg klipsdebug
-BINDIR=/usr/local/lib/ipsec
-MANTREE=/usr/local/man
+BINDIR=/usr/lib/ipsec
+MANTREE=/usr/man
 MANDIR8=$(MANTREE)/man8
 MANDIR5=$(MANTREE)/man5
 FREESWANLIB=../../lib/libfreeswan.a
@@ -40,11 +40,11 @@
 all: $(ALL)
 
 install: $(ALL)
-	$(INSTALL) $(ALL) $(BINDIR)
+	$(INSTALL) $(ALL) $(PREFIX)/$(BINDIR)
 	for f in $(addsuffix .8, $(ALL)) ; do \
-		$(INSTALL) $$f $(MANDIR8)/ipsec_$$f || exit 1 ; done
+		$(INSTALL) $$f $(PREFIX)/$(MANDIR8)/ipsec_$$f || exit 1 ; done
 	for f in $(addsuffix .5, $(ALL) version pf_key) ; do \
-		$(INSTALL) $$f $(MANDIR5)/ipsec_$$f || exit 1 ; done
+		$(INSTALL) $$f $(PREFIX)/$(MANDIR5)/ipsec_$$f || exit 1 ; done
 
 spi: spi.o
 	$(CC) $(DFLAGS) -o $@ $? $(FREESWANLIB)
diff -bruN freeswan-1.9.orig/klips/utils/eroute.5 freeswan-1.9/klips/utils/eroute.5
--- freeswan-1.9.orig/klips/utils/eroute.5	Sun Sep 17 14:56:48 2000
+++ freeswan-1.9/klips/utils/eroute.5	Mon Jun  4 12:56:04 2001
@@ -1,6 +1,6 @@
 .TH IPSEC_EROUTE 5 "26 Jun 2000"
 .\"
-.\" RCSID $Id: eroute.5,v 1.5 2000/09/17 18:56:48 rgb Exp $
+.\" RCSID $Id: eroute.5,v 1.7 2001/05/29 05:15:31 rgb Exp $
 .\"
 .SH NAME
 ipsec_eroute \- list of existing eroutes
@@ -19,6 +19,8 @@
 .PP
 A table entry consists of:
 .IP + 3
+packet count,
+.IP +
 source address with mask,
 .IP +
 a '->' separator for visual and automated parsing between src and dst
@@ -33,6 +35,10 @@
 protocol
 (\fIproto\fR),
 .IP +
+address family
+(\fIaf\fR),
+where '.' stands for IPv4 and ':' for IPv6
+.IP +
 Security Parameters Index
 (\fISPI\fR),
 .IP +
@@ -41,10 +47,6 @@
 where the packet should be forwarded after processing
 (normally the other security gateway)
 together indicate which Security Association should be used to process the packet
-.IP +
-address family
-(\fIaf\fR),
-where '.' stands for IPv4 and ':' for IPv6
 .PP
 Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
 protocol is one of "ah", "esp", "comp" or "tun"
@@ -52,16 +54,36 @@
 SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6
 .
 .PP
-SAIDs are written as "protoafSPI@edst".
+SAIDs are written as "protoafSPI@edst".  There are also 5
+"magic" SAIDs which have special meaning:
+.IP + 3
+.B %drop
+means that matches are to be dropped
+.IP +
+.B %reject
+means that matches are to be dropped and an ICMP returned, if
+possible to inform
+.IP +
+.B %trap
+means that matches are to trigger an ACQUIRE message to the Key
+Management daemon(s) and a hold eroute will be put in place to
+prevent subsequent packets also triggering ACQUIRE messages.
+.IP +
+.B %hold
+means that matches are to stored until the eroute is replaced or
+until that eroute gets reaped
+.IP +
+.B %pass
+means that matches are to allowed to pass without IPSEC processing
 .br
 .ne 5
 .SH EXAMPLES
 .LP
-.B 172.31.252.0/24    -> 0.0.0.0/0          => tun.130@192.168.43.1
+.B 1867     172.31.252.0/24    -> 0.0.0.0/0          => tun.130@192.168.43.1
 .LP
-means that an
+means that 1,867 packets have been sent to an
 .BR eroute
-has been set up to protect traffic between the subnet
+that has been set up to protect traffic between the subnet
 .BR 172.31.252.0
 with a subnet mask of
 .BR 24
@@ -79,11 +101,11 @@
 .BR 130
 in hexadecimal.
 .LP
-.B 3049:1::/64    -> 0:0/0          => tun:130@3058:4::5
+.B 125      3049:1::/64    -> 0:0/0          => tun:130@3058:4::5
 .LP
-means that an
+means that 125 packets have been sent to an
 .BR eroute
-has been set up to protect traffic between the subnet
+that has been set up to protect traffic between the subnet
 .BR 3049:1::
 with a subnet mask of
 .BR 64
@@ -101,11 +123,11 @@
 .BR 130
 in hexadecimal.
 .LP
-.B 192.168.6.0/24     -> 192.168.7.0/24     => %passthrough
+.B 42         192.168.6.0/24     -> 192.168.7.0/24     => %passthrough
 .LP
-means that an
+means that 42 packets have been sent to an
 .BR eroute
-has been set up to pass the traffic from the subnet
+that has been set up to pass the traffic from the subnet
 .BR 192.168.6.0
 with a subnet mask of
 .BR 24
@@ -115,13 +137,25 @@
 .BR 24
 bits without any IPSEC processing.
 .LP
-.B "192.168.2.110/32   -> 192.168.2.120/32   => "
+.B 2112     192.168.8.55/32    -> 192.168.9.47/24    => %hold
+.LP
+means that 2112 packets have been sent to an
+.BR eroute
+that has been set up to hold the traffic from the host
+.BR 192.168.8.55
+and to host
+.BR 192.168.9.47
+until a key exchange from a Key Management daemon
+succeeds and puts in an SA or fails and puts in a pass
+or drop eroute depending on the default configuration.
+.LP
+.B "2001     192.168.2.110/32   -> 192.168.2.120/32   => "
 .br
 .B "        esp.e6de@192.168.2.120"
 .LP
-means that an
+means that 2001 packets have been sent to an
 .BR eroute
-has been set up to protect traffic between the host
+that has been set up to protect traffic between the host
 .BR 192.168.2.110
 and the host
 .BR 192.168.2.120
@@ -138,13 +172,13 @@
 in hexadecimal using Encapsuation Security Payload protocol (50,
 IPPROTO_ESP).
 .LP
-.B "3049:1::110/128   -> 3049:1::120/128   => "
+.B "1984     3049:1::110/128   -> 3049:1::120/128   => "
 .br
 .B "        ah:f5ed@3049:1::120"
 .LP
-means that an
+means that 1984 packets have been sent to an
 .BR eroute
-has been set up to authenticate traffic between the host
+that has been set up to authenticate traffic between the host
 .BR 3049:1::110
 and the host
 .BR 3049:1::120
@@ -172,6 +206,14 @@
 by Richard Guy Briggs.
 .\"
 .\" $Log: eroute.5,v $
+.\" Revision 1.7  2001/05/29 05:15:31  rgb
+.\" Added packet count field at beginning of line.
+.\"
+.\" Revision 1.6  2001/02/26 19:58:32  rgb
+.\" Put SAID elements in order they appear in SAID.
+.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
+.\" of the new SPD and to support opportunistic.
+.\"
 .\" Revision 1.5  2000/09/17 18:56:48  rgb
 .\" Added IPCOMP support.
 .\"
diff -bruN freeswan-1.9.orig/klips/utils/eroute.8 freeswan-1.9/klips/utils/eroute.8
--- freeswan-1.9.orig/klips/utils/eroute.8	Sun Sep 17 14:56:48 2000
+++ freeswan-1.9/klips/utils/eroute.8	Mon Jun  4 12:56:04 2001
@@ -1,6 +1,6 @@
 .TH IPSEC_EROUTE 8 "21 Jun 2000"
 .\"
-.\" RCSID $Id: eroute.8,v 1.23 2000/09/17 18:56:48 rgb Exp $
+.\" RCSID $Id: eroute.8,v 1.24 2001/02/26 19:58:49 rgb Exp $
 .\"
 .SH NAME
 ipsec eroute \- manipulate IPSEC extended routing tables
@@ -89,23 +89,24 @@
 .IP +
 Security Association IDentifier, comprised of:
 .IP + 6
+protocol
+(\fIproto\fR), indicating (together with the
+effective destination and the security parameters index)
+which Security Association should be used to process the packet
+.IP +
 address family
 (\fIaf\fR),
 .IP +
-effective destination
-(\fIedst\fR),
-where the packet should be forwarded after processing
-(normally the other security gateway)
-.IP +
 Security Parameters Index
 (\fIspi\fR), indicating (together with the
 effective destination and protocol)
 which Security Association should be used to process the packet
+(must be larger than or equal to 0x100)
 .IP +
-protocol
-(\fIproto\fR), indicating (together with the
-effective destination and the security parameters index)
-which Security Association should be used to process the packet
+effective destination
+(\fIedst\fR),
+where the packet should be forwarded after processing
+(normally the other security gateway)
 .IP + 3
 OR
 .IP + 6
@@ -113,11 +114,32 @@
 (\fIsaid\fR), indicating 
 which Security Association should be used to process the packet
 .PP
-Addresses are written as IPv4 dotted quads or IPv6 coloned hex, protocol is one
-of "ah", "esp", "comp" or "tun" and SPIs are prefixed hexadecimal numbers where '.' represents
-IPv4 and ':' stands for IPv6.
+Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
+protocol is one of "ah", "esp", "comp" or "tun" and SPIs are
+prefixed hexadecimal numbers where '.' represents IPv4 and ':'
+stands for IPv6.
 .PP
-SAIDs are written as "protoafSPI@address".
+SAIDs are written as "protoafSPI@address".  There are also 5
+"magic" SAIDs which have special meaning:
+.IP + 3
+.B %drop
+means that matches are to be dropped
+.IP +
+.B %reject
+means that matches are to be dropped and an ICMP returned, if
+possible to inform
+.IP +
+.B %trap
+means that matches are to trigger an ACQUIRE message to the Key
+Management daemon(s) and a hold eroute will be put in place to
+prevent subsequent packets also triggering ACQUIRE messages.
+.IP +
+.B %hold
+means that matches are to stored until the eroute is replaced or
+until that eroute gets reaped
+.IP +
+.B %pass
+means that matches are to allowed to pass without IPSEC processing
 .PP
 The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
 .br
@@ -213,6 +235,11 @@
 by Richard Guy Briggs.
 .\"
 .\" $Log: eroute.8,v $
+.\" Revision 1.24  2001/02/26 19:58:49  rgb
+.\" Added a comment on the restriction of spi > 0x100.
+.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
+.\" of the new SPD and to support opportunistic.
+.\"
 .\" Revision 1.23  2000/09/17 18:56:48  rgb
 .\" Added IPCOMP support.
 .\"
diff -bruN freeswan-1.9.orig/klips/utils/eroute.c freeswan-1.9/klips/utils/eroute.c
--- freeswan-1.9.orig/klips/utils/eroute.c	Sun Sep 17 14:56:48 2000
+++ freeswan-1.9/klips/utils/eroute.c	Mon Jun  4 12:56:04 2001
@@ -14,7 +14,7 @@
  * for more details.
  */
 
-char eroute_c_version[] = "RCSID $Id: eroute.c,v 1.38 2000/09/17 18:56:48 rgb Exp $";
+char eroute_c_version[] = "RCSID $Id: eroute.c,v 1.41 2001/05/21 02:02:54 rgb Exp $";
 
 
 #include 
@@ -63,13 +63,14 @@
 usage(char* arg)
 {
 	fprintf(stdout, "usage: %s --{add,replace} --eraf  --src /| --dst /| \n", arg);
-	fprintf(stdout, "            where  is '--af  --edst  --spi  --proto ' OR '--said ' OR '--said <%%passthrough | %%passthrough4 | %%passthrough6>'.\n");
+	fprintf(stdout, "            where  is '--af  --edst  --spi  --proto ' OR '--said ' OR '--said <%%passthrough | %%passthrough4 | %%passthrough6 | %%drop | %%reject | %%trap | %%hold | %%pass>'.\n");
 	fprintf(stdout, "       %s --del --eraf --src /| --dst /|\n", arg);
 	fprintf(stdout, "       %s --clear\n", arg);
 	fprintf(stdout, "       %s --help\n", arg);
 	fprintf(stdout, "       %s --version\n", arg);
 	fprintf(stdout, "       %s\n", arg);
 	fprintf(stdout, "        [ --debug ] is optional to any %s command.\n", arg);
+	fprintf(stdout, "        [ --label