$Id: README,v 1.11 1999/06/28 16:03:28 beyssac Exp $

Currently implements:

	- IPSEC-compliant IP tunnelling (i.e., tunnel-mode only):
	    - authentication: IP-AH (RFC 2402) and HMAC (RFC 2104) with:
			RFC 2403: MD5 (HMAC-MD5-96)
			RFC 2404: SHA1 (HMAC-SHA1-96)
			RIPEMD160 (HMAC-RIPEMD160-96)
	    - encryption: IP-ESP (RFC 2406) with:
			Blowfish in CBC mode.
			RFC 2405: DES in CBC mode.
			DES3 in CBC mode.
			CAST in CBC mode.
			IDEA in CBC mode.
	      Additional authentication is supported too, with the same methods
	      as in AH mode.
	- IP tunnels over UDP with MD5 (simple keyed hash) authentication.
	- IP tunnels over ICMP ECHO REPLY with HMAC-MD5-96 authentication.

You NEED to first install the OpenSSL "crypto" library (previously
part of SSLeay). See http://www.openssl.org/ for download and mirrors.

- compile and install
- under *BSD: make a kernel with the "tun" device, by adding the following
  line to your kernel configuration:

	pseudo-device tun 1

  Then remake a kernel (config MYKERNEL; cd ../../compile/MYKERNEL;
	make depend; make; mv /kernel /kernel.old; cp kernel /)

- under Linux: install the "userlink" module, port of the BSD tun driver

- create the file /etc/ipsec/pipsecd.conf (see pipsecd.conf.sample
  for an example)

- start /usr/local/sbin/pipsecd

- under *BSD:
	ifconfig tun0 <virtual_local_ip> <virtual_dest_ip> netmask <mask> mtu 1440

- under Linux 2.0.x:
	ifconfig ul0 <virtual_local_ip> pointopoint <virtual_dest_ip> netmask <mask> mtu 1440
	route add <virtual_dest_ip> ul0

- under Linux 2.2.x, approximately this (I need to check the MTU stuff):
	ifconfig ul0 <virtual_local_ip> pointopoint <virtual_dest_ip> netmask <mask>
	ip route add <virtual_dest_ip> mtu 1440 dev ul0
  (portability? what do you mean?)

- once this works, you can create the script /etc/ipsec/startup
  and make it executable. It's run after the program starts, you
  can put there any interface configuration, routes, mtu and such.

- this should be done on both ends, of course. Then a ping to the remote
  point to point virtual address (the one ifconfig shows) should work.

From then on, add any routes or routing protocols of your liking.
Be careful, however, that the route to the REAL IP address of the
other end of the tunnel is not routed _through_ the tunnel, as it
would create a loop (the program detects this and warns you but is
unable to correct it).

This is the ported version of the pipsecd program
from Pierre Beyssac at the ENST.

The main difference with the original code are:
- it compiles with OpenSSL-0.94
- config files are in /usr/local/etc/ipsec


Apart from that it works exactly as the original work from
Pierre Beyssac.

You can obtain the source distribution of pipsecd at:
http://www.enst.fr/~beyssac/pipsec/
or
http://www.mindstep.com/pipsec/


Version 19991014 (pipsec-19991014.tar.gz):
------------------------------------------

This version adds the following fetures:
- tunnels over UDP and ICMP packets (in authentication mode only).
- logging of events to syslog
- startup script in /usr/local/etc/rc.d (port only)


Version 19990831 (pipsec-19990831.tar.gz):
------------------------------------------

No new feature.
Source distribution mirrored at http://www.mindstep.com/pipsec/


Version 19990519:
-----------------

Initial version for the ports distribution.


Enjoy!

Patrick Bihan-Faou - MindStep Corporation
patrick@mindstep.com - http://www.mindstep.com/