FreeS/WAN Continues As Openswan 68
leto writes "It seems some of the developers and volunteers of the (recently deceased) FreeS/WAN project have started a new company to develop and support the successor of the Linux IPsec code under the name of Openswan in a "Cygnus style" business model. They announced the new version at CeBIT which fully supports the new Linux 2.6 native IPsec stack. According to the Openswan website, it was started 'by a few of the developers who were growing frustrated with the politics surrounding the FreeS/WAN project.'
There is a FAQ that explains how the various parts of IPsec on Linux work together. I guess that means US citizens can finally submit patches, and that distributions like RedHat/Fedora can now include it in their distribution. FreeS/WAN has always had the most features and most the most user-friendly configuration. It is good to see that will continue. And their mailing list finally seems to refuse spam too."
Re: (Score:2, Informative)
user friendly? (Score:5, Insightful)
Re:user friendly? (Score:5, Insightful)
The most horrible IPSEC out there. Broken by design, absolutely incompatible with any routing protocol software, broken in operation and utter nightmare to configure and get working.
One of the things I apploaded most when reading the 2.6 kernel changelogs was the port of KAME IPSEC and utilities. They work (TM). They are missing some features that were in FreeSwan that made it useable as a amateur VPN access point (email ID in shared keys, x509 CRL and a few others), but I do not see these as a reason to revive freeswan instead of fixing the omissions.
Re:user friendly? (Score:3, Interesting)
For certain values of 'nice', one of the nice things about klips was that there was a virtual interface for the decrypted traffic. Stuff for encryption went out ipsecN, then the encrypted packet (proto 50/51) went out the real interface. Made firewalling and routin
Re:user friendly? (Score:3, Informative)
Nice for manual kludge on a small office VPN setups - agree 100%.
Absolutely disagree for a larger network with dynamic routing. For any network with these it was THE NIGHTMARE DESIGN (TM). Reason is that nearly any routing protocol carries either IP or IP/NETMASK information and no interface information (neither name, nor ifIndex). It is obvious that in the presence of two int
Re:user friendly? (Score:2)
Re:user friendly? (Score:2)
Not the only IPSec stack (Score:5, Interesting)
Re:Not the only IPSec stack (Score:5, Informative)
Even better, it is VERY portable, which means that as an administrator you just have to care to know about KAME and not a gazillion halfbaked inconsistent implementations.
Re:no but maybe the better one... (Score:5, Informative)
That is, with KAME on Linux and FreeBSD, packets are not decrypted until after iptables/ipfw has looked at them. That means you cannot packet filter on anything other than IP & MAC Address as you can't read anything else, its all encrypted
Apparently FreeS/WAN had a separate device to read from that gave unencrypted packets for filtering.
This only applies to transport IPSec between two complete hosts. You can use tunnel mode onto a tun device and filter from that, and you can also just encrypt traffic based on port.
Either way, I'm kind of relieved that FreeS/WAN has not gone completely and that the above situation still has a fix. A security protocol seems kinda useless when it allows firewall bypassing, especially when it could happen automatically if you have IKE setup and open to the world.
Re:no but maybe the better one... (Score:5, Informative)
Used to be correct as of ipfw 1. No longer the case as of ipfw2, though some cases do not work fully yet. See the ipsec qualifier for rules.
Dunno about Linux though. I use KAME extensively only on BSD.
Re:Problems with OpenSwan (Score:2)
So, at least something improved.
700% savings? (Score:2)
I see.
Not only did your maintainence budget go to zero but Bizland Consultants paid YOU six times your former budget.
Where do I sign up for THAT deal? B-)
= = = =
On second thought, forget it. TANSTAFFL, so they must be getting something from you that's worth even more.
At Lazt ... (Score:5, Funny)
I guess that means US citizens can finally submit patches, and that distributions like RedHat/Fedora can now include it in their distribution.
Ahh, u mean ze citisenz of ze USA can finally have ze same freedom as ze French Bastardz [mandrakelinux.com] have had for yearz ?
Re:At Lazt ... (Score:1, Offtopic)
Re:At Lazt ... (Score:2)
France? Has freedoms? Care to discuss Nazi's and the like on a french based website?
Although I agree with you that banning discussions about a topic is not the best way, the French view is that the Nazi ideology is so far off, that it's simply off-topic..
Like if you would put up a site anywhere in the world about the pros, cons and pleasures of Phedophily. I'm pretty sure it wouldn't stay up very long.
Or, try to put up a website in the USA, that justifies the 3000 dead in the twin towers ...
You
Re:At Lazt ... (Score:4, Funny)
Excuse me, but here in the US the politically-correct term is Freedom Bastardz. ;-)
Re:Debian packages now avalible for freeswan (Score:4, Informative)
Re:Debian packages now avalible for freeswan (Score:4, Interesting)
That said, it should work well enough on most things-from their site, "Standards Compliant: Openswan conforms to nearly all IPsec + IKE RFCs, and has one of the based interoperability track records of any IPsec implementation. It is compatible with products from Microsoft, Cisco, Nortel, Netscreen, Checkpoint, and many others vendors."
And "Platforms: x86, IA64, PPC, PPC64, MIPS, Alpha, StrongArm"
Openswan should work for just about anyone who isn't satisfied with KAME or Racoon (though it might be hard to set up, see this thread [openswan.org]...
The front page summary makes it sound like the company they're starting exists solely for openswan, but it's worth noting Xelerance is producing some other stuff [xelerance.com] including freeRadius, think about your breathing-you have to manually control your breathing or suffocate, DNSSec, and Asterisk. The changeover will likely mean an increase in the quality of support available for (paying) swan users, since they provide an array of consulting services. [xelerance.com]
That also gives them an incentive to spread adoption. Unlike FreeS/WAN-one of the problems with FreeS/WAN was that it would not work with low-bit encryption. This was done to promote their political goal. But it also had the side effect of inhibiting adoption at the places where for whatever reason people had to interoperate with low-bit encryption applications or setups. According to their FAQ, "As we see it, it is more important to deliver real security than to comply with a standard which has been subverted into allowing use of inadequate methods." For example, they went out of their way to avoid allowing any handling of single DES.
And if you've got any more questions about openswan, the guy to ask is on slashdot with user id #11 [slashdot.org]! He'll probably be posting in here when it's morning in that part of the world.
Who would win? Flying Shark or Flying Croc?? Croc all the way, fools!
Re:Debian packages now avalible for freeswan (Score:2)
Yup, I'm in EST, so it's morning now. Imagine my surprise with a 5.6mbit
Re: (Score:1, Troll)
Talk about lacking in content (Score:4, Interesting)
Strongswan (Score:5, Informative)
2.6 IPsec still problematic (Score:5, Interesting)
valentijn:~# ping -s 1435 host21
PING host21.wireless.palmgracht.nl (10.15.67.21): 1435 data bytes
ping: sendto: Message too long
ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
ping: sendto: Message too long
ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
Resetting the MTU on the network interface helps:
valentijn:~# ifconfig eth1 mtu 1400
valentijn:~# ping -s 1417 host21
PING host21.wireless.palmgracht.nl (10.15.67.21): 1417 data bytes
1425 bytes from 10.15.67.21: icmp_seq=0 ttl=64 time=93.0 ms
1425 bytes from 10.15.67.21: icmp_seq=1 ttl=64 time=78.2 ms
Then, resetting it to 1500 again does this:
valentijn:~# ifconfig eth1 mtu 1500
valentijn:~# ping -s 1435 host21
PING host21.wireless.palmgracht.nl (10.15.67.21): 1435 data bytes
ping: sendto: Message too long
ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
1443 bytes from 10.15.67.21: icmp_seq=1 ttl=64 time=89.0 ms
So only the first packet is blocked, after that the kernel adjusts to the right MTU. And please note: this is internally, the first packet doesn't leave the machine.
I had no time to test further, but what I found so far doesn't encourage me a lot to use 2.6 IPsec in production.
Re:2.6 IPsec still problematic (Score:2, Informative)
Re:2.6 IPsec still problematic (Score:3, Informative)
I've seen NFS mounts come to a grinding halt because of this.
My setup is special in the sense that a 2.6 machine in between runs two tunnels: one to my office, one to a WiFi host (with a 2.4 kernel). I haven't found time yet to test a
Swansong (Score:3, Funny)
Re:Swansong (Score:2)
"If I leave here tomorrow,
will you still remember OE?"
[*groan*]
Does It Support Single DES? (Score:1)
Refusal to support single DES was what made FreeS/WAN virtually useless, even for those who muddled through the endpoint configurations and could put up with ip:port combos occasionally being hung out to dry due to dropped connects until the next rekey.
Opportunistic Encryption? (Score:3, Interesting)
Sounds like a good idea to me. Are either of these new FreeS/WAN offshoots, or any other comparable project, trying to achieve Opportunistic Encryption? Or are they just for VPNs?
Yes, Opportunistic Encryption? (Score:3, Informative)
Re:Opportunistic Encryption - on by default (Score:1)
"Cygnus style" business model (Score:2)
Red.
Re:Follow the BSDs (Score:1)