Novell-SUSE Sponsors Openswan

Posted by timothy
from the they're-building-a-behemoth dept.
hsjones writes "Concerned about the demise of FreeS/WAN? Well, looks like Openswan is going to be a good, strong open source IPsec project going forward. Novell and SUSE have jumped in with Astaro to back the project and move it along. See the press release. The Openswan project is at http://www.openswan.org. SUSE Linux and Astaro Security Linux both use FreeS/WAN in their current releases. It will be very interesting to watch what they do now with Openswan!"
  • by UnCivil Liberty (786163) * on Saturday June 19, 2004 @11:04PM (#9476226)
    Stop looking at me Swan!
  • Somewhat off-topic (Score:5, Informative)

    by coupland (160334) * <dchase@hotCOWmail.com minus herbivore> on Saturday June 19, 2004 @11:06PM (#9476238) Journal

    Building on its contributions to the open source community and commitment to interoperability

    As one of many people who vividly remembers the success of NetWare 3.x, the current situation seems very alien. Novell virtually died when the fact of the matter is their product was by far the best. Today they have good products, yet they really can't claim an enormous technological edge. Their second coming is, instead, based on commitment to a thriving community, and feeds off anti-Microsoft sentiment. If best-of-breed products didn't work, will this perhaps be the strategy that finally works for them? I don't know, but I certainly wouldn't complain to see Novell take back a sizeable bite of the business that was stolen from them.

    • by WIAKywbfatw (307557) on Saturday June 19, 2004 @11:51PM (#9476422) Journal
      Novell got complacent, made some dumb moves (e.g., buying WordPerfect) and hit some real competition when Microsoft started muscling in on their traditional turf. Whilst the competition was coming right at it, Novell just looked on, doe-eyed.

      A litany of bad management decisions is why they are where they are today. Maybe Novell can regain some of its lost market share, but you'll have to wait a very long time if you want to see it regain market dominance.
      • No offense, but you don't remember the timeline particularly well. WordPerfect had the poop beaten out of it long before Novell bought it -- caused by their failure to release a Windows version while they still had the superior product. By the time Novell bought it they were a steal. Agreed, not a brilliant move, but not what killed them, either. What really killed Novell was Windows 3.11 (Windows for Workgroups) which had built-in networking. Windows NT followed and sealed Netware's fate, despite the fact that NW4 was years ahead of NT. Both instances where the OS was leveraged to strangle the market for a superior product.

        Novell didn't look on doe-eyed; the WordPerfect acquisition (which came much later) was a desperate attempt to save themselves once they realized Microsoft could leverage the OS to beat them, *no matter how superior their products were*. It was desperation, not stupidity.

        • I disagree. The OS was not leveraged more than Novell dropped the ball. Remember TCP/IP? Remember how slow Novell was to adopt it? Remember how hard it was to write NLMs for Novell vs. apps for NT? Remember how cryptic working on the server console was? Granted, you didn't have to do it often but next to the GUI most small offices went the logical way. Bottom line, Novell got complacent, then got the pants beat off em fair and square with a more market friendly product. Microsoft is vulnerable to th
          • Again, you're mixing up your history. Sure, Novell was slow to adopt TCP/IP, but that's because IPX/SPX was always routable. Microsoft held onto NetBEUI (ptooie!) for far longer and still won the war. Sure, Microsoft competitors made some missteps, but no more so than Microsoft. Unfortunately they didn't have an endless supply of cash to help them recover.
            • IIRC Novell was designed for corporate networks, routable and securable.
              TCP/IP is fundamentally designed to let anybody in, very routable and hardly securable. It's essentially a difference between private roads and public roads.

              Just on the basis of where Novell is coming from, I'd expect a Linux coming from Novell to be somehow much more "business-friendly". Just a different bias in setting various tweaks and configurations would be enough.
            • Yeah, it was routable. The real issue was that it was:

              a) proprietary, so it couldn't interoperate with any other platform

              b) couldn't scale globally, although Novell tried to sell it that way

              c) cost a mint to buy licenses for

              d) Had nowhere near the number of apps that TCP/IP had riding on top of it.

              TCP/IP was a FAR better protocol from the ground up.
          • Oh the horror. People used the word "leverage" twice in a row on Slashdot. I'm about to run away screaming.
          • You hit it on the head with the GUI, I think. Anyone that ever used a Windows station could feel comfortable on an NT server. And they were extremely slow to adopt TCP/IP. Sure, IPX worked, but TCP/IP was needed for the internet anyway... so they were basically forcing offices to run both protocols until they released NetWare 5 back around 98.
        • Windows for Workgroups 3.1 was released in October 1992, while Windows for Workgroups 3.11 was released in December 1993. Neither product was the same as Windows 3.1 (April 1992) or Windows 3.11 (December 1993, but a different product than WfW 3.11).
        • The WP acquisition was (at least!) 50% Utah Mormon cronyism. Bunch of old buddies from the Stake got themselves in a hole and looked to Novell to bail 'em out. Could still have been good for Novell, but then Novell fired Noorda and sold off WP, so never executed a real strategy against MS. Just rolled over and played dead under Frankenberg.

          [Btw, the Cambridge buy was 99% cronyism (east coast faction that time) and failed even worse.]

          SuSe is the first major acquisition by Novell that was motivated 100
      • Novell did not buy WordPerfect Corp to buy WordPerfect. They bought it to buy what is now called GroupWise, which they make a lot of money on.
    • by wolfdvh (700954)
      I don't know, but I certainly wouldn't complain to see Novell take back a sizeable bite of the business that was stolen from them.

      It was not stolen from them; they gave it away. They lost market share with arrogance and poor support that at the time made Micro$oft seem a breath of fresh air. Their support devolved to where they didn't want to even talk to you if you weren't a CNE. The whole certification racket they pioneered was a brilliant stratagem. It got people to pay Novell for the privilege of doing

      • >>I don't know, but I certainly wouldn't complain to see Novell take back a sizeable bite of the business that was stolen from them.

        >It was not stolen from them, they gave it away

        Uhm, they had stolen that market share from someone else before Microsoft stole or took it from them.
        What comes around, goes around.
      • Novell's near ruin was largely the result of thinking that a 90% market share makes you unaccountable to your customers.

        That probably holds true for any company in any industry.
        Seems it almost did in IBM. Seems also that Linux has rejuvenated IBM, maybe more so that Linux is an antidote for the same-old same-old than Linux itself. Assuming that Novell can provide value for its customers, highly likely since most businesses would rather deal with Novell than the Open Source rabble, both Novell and SuSE shou
  • by crashnbur (127738) on Saturday June 19, 2004 @11:11PM (#9476264)
    "It will be very interesting to watch what they do now with Openswan!"

    Damn straight! I've got popcorn in the microwave and three Cokes on ice in anticipation! Now... tell me what I'm watching!
  • SUSE (Score:3, Interesting)

    by Harrison819 (789751) <harrison.smith@gmail.com> on Saturday June 19, 2004 @11:12PM (#9476275) Journal
    SUSE is now one of the premier players on the Linux scene, with Novell's help of course. SUSE was my first distro and I am very happy it has found success. I just hope it does not go the way of Red Hat and try to make their distro the best one out there and rely on the name alone, also like Metallica, but that is for another time.
    • And what is wrong with Red Hat?
      • I remember Red Hat 7.0. It came with gcc 3.0, and the out-of-the-box full install was incapable of recompiling the very kernel sources that came with it. I refused to use Red Hat, decreed it had sinned against me and excommunicated it from me.

        Then Fedora came. I took a copy of the CDs at LinuxWorld after talking to one of the people there and forgave the company. Mind you, I don't think Bob Young would care about my excommunication enough to stand barefoot in the snow outside my window for a few days, I was
        • Re:SUSE (Score:2, Informative)

          by rkit (538398)
          Slight correction: Red Hat 7.0 shipped with a snapshot towards gcc-3.0 they called gcc-2.96. It is true that this compiler version miscompiled the kernel, but it is also true that they provided a gcc version that was the recommended compiler for the kernel at that time (they called it kgcc).
          It is also true that "gcc-2.96" did not have the quality of a proper gcc release. However, this step proved very valuable for gcc 3.0 development, because of the huge user base acting as testers. Of course, 99 percent
    • SUSE is now one of the premier players on the linux scene now...

      Hmm, I think they also were before. But with Novell's help probably even more so. ;)
  • by ErikTheRed (162431) on Saturday June 19, 2004 @11:13PM (#9476277) Homepage
    Ever since FreeS/WAN gave up on changing the world to Opportunistic Encryption (not my favorite idea, but I suppose if I feel too strongly I can write my own damn implementation :) ), I've been looking into alternatives, and obviously OpenS/WAN is the first choice. A frustration I had when looking into it was that I couldn't find any documentation describing the differences between the two projects. I didn't do any diffs on the documentation, but from a brief perusal it looks pretty much like the FreeS/WAN docs. Does anyone out there have a list of specific differences between the projects - other than the included patches for things like X.509, NAT traversal, etc. that are also included in Super FreeS/WAN (I'm kind of assuming that there are more changes)?
  • and ? (Score:4, Interesting)

    by kayen_telva (676872) on Saturday June 19, 2004 @11:20PM (#9476305)
    What does FreeSWAN do that OpenVPN [sourceforge.net] does not?
    I have never tried SWAN because OpenVPN is so easy.
    Are there any compelling reasons to try it?
    • Re:and ? (Score:5, Informative)

      by jcr (53032) <jcr@nOspAm.mac.com> on Saturday June 19, 2004 @11:27PM (#9476341) Journal
      IPSEC, of which FreeSWAN is one implementation, doesn't require that you set up a point-to-point tunnel like VPN's do. It encrypts any traffic between any machines that implement it.

      -jcr
      • by billstewart (78916) on Sunday June 20, 2004 @04:38AM (#9477186) Journal
        Actually, IPSEC does require setting up point-to-point connections (though they can be tunnel mode or transport mode) - but one of the goals of FreeSWAN's Opportunistic Encryption was to do this automatically whenever possible.

        The real difference is that IPSEC is encrypting at the IP layer of the protocol stack, aka Layer 3 in OSI terms, while OpenVPN is creating a TCP Layer 4 tunnel. Inside the tunnel, IPSEC normally puts Layer 3 IP packets, while OpenVPN does something with a TUN/TAP driver on the ends, so they could be doing Layer 3 IP packets or Layer 2 Ethernet packets, and I haven't read the docs enough to know which they did. Layer 4 has more overhead, but has a potentially easier time going through NAT.

        For both of these applications, you have to create an association between two endpoints, and then tell your endpoints' packet handlers to use that association when they want to get packets somewhere. The choice of protocol layers for the inside and outside of the crypto tunnel has a major impact on how you get the routing mechanisms (or whatever) to decide to set up a tunnel and send packets through it.

        • An interesting use of OpenVPN is to bridge the OpenVPN TUN/TAP interface with the local ethernet interface. This way you have all your broadcast packets going over the VPN and keeping Network Neighborhood and other b'cast protocols happy. Plus you only have one address space and don't have to stuff around with a separate subnet. I haven't done much with IPsec, but I don't think it can do either of these things. Still, IPsec does have the whole Standard thing going for it.

          • The typical way people implement that sort of thing in IPSEC is to build GRE tunnels, usually running in IPSEC transport mode. In general, bridging protocols over Layer 2 is just inviting trouble, and should be avoided when you can do routing as an alternative - broadcast storms used to be a real problem. Also, if you're running a Layer 2 protocol over an OpenVPN tunnel, then you're adding an extra protocol header layer for the Layer 2 as well as adding a protocol layer for OpenVPN's Layer 4, compared to
    • Re:and ? (Score:5, Informative)

      by ErikTheRed (162431) on Saturday June 19, 2004 @11:31PM (#9476356) Homepage
      What does FreeSWAN do that OpenVPN does not?
      It's an implementation of IPSec, and thus is compatible with a whole slew of systems. For most corporations running VPNs, Extranets, etc., IPSec is pretty much the defacto standard. I'll be the first to call IPSec a huge designed-by-committee pain in the ass, but it's pretty damned secure when properly implemented, and it's a widely supported open standard.
    • Re:and ? (Score:5, Informative)

      by accessdeniednsp (536678) <detoler&gmail,com> on Saturday June 19, 2004 @11:34PM (#9476364)
      The *SWANs are IPsec. OpenVPN is not. IPsec is cross platform and cross-vendor (hang on, before you get excited, let me finish) and is a (series of) RFCs. IPsec also gets you plenty of perks such as kernel-space (fast, secure, etc).

      Now for the "reply" trigger-happy, OpenVPN does do SSL/TLS, is all in user-space, and does neat things, yes. However, with the *SWANs, you can also get x509, nat-t, dpd, foo, and bar. And yes, OpenVPN is cross-platform.

      The problem lies in not being cross-vendor. And you also have to realize that there is a very large inter-web out there and not everyone uses the same platforms and vendors, etc.

      For example, as a security engineer, I often have to build VPNs between disparate vendors, devices, and software versions. Even with IPsec/IKE it's difficult enough. And they've all pretty much agreed on how to speak IKE well enough to at least have a meet-and-greet among each other. Unfortunately, there is plenty of room for interpretation, so each vendor has a slightly different dialect.

      The point being, OpenVPN isn't a "standards-based VPN" whereas an IKE-based VPN is. I know it's not necessarily a great answer to the question, but it is the truth. (Besides, OpenVPN even says so on their site...it does not do IKE.)

      (whoa, poet and didn't know it)
      (woops, i did it again!)
      • OpenVPN is a free VPN client (talking to an OpenVPN gateway, of course) on Windows that is much easier to setup and get working than IPSec - at least for Windows 2000 Pro. Most Windows users will use a commercial VPN client when using IPSec.
      • Re:and ? (Score:5, Interesting)

        by kayen_telva (676872) on Sunday June 20, 2004 @12:19AM (#9476524)
        However, with the *SWANs, you can also get x509, nat-t, dpd, foo, and bar.

        x509 is certs, right? OpenVPN can do 'em. nat-t? OpenVPN doesn't need that kludge. It uses one port that can be redirected through multiple NATs if need be. Dead peer detection? OpenVPN is self-healing. Link goes down, comes back up and OpenVPN reconnects.

        Now before I get too carried away, I don't know shit about VPN, but SWAN looks like a bitch (based on my IPCop machine) and OpenVPN is very easy.
        • ...SWAN looks like a bitch (based on my IPCop machine) and OpenVPN is very easy.

          How long does it take to put together a "normal" VPN? I spent about 6 hours before I got OpenVPN to work, futzing with this option, that config file, etc. until I *finally* got it to do what I wanted.

          Specifically, I have a remote desktop application that I use for tech support (based on VNC) that requires the customer to download a program from a web page, and then connect to a dedicated IP.

          The VPN connects my laptop to the
          • Sounds like you had some extra requirements that I didn't have to mess with. I set up OpenVPN on my laptop so that every time it turns on, if it has an internet connection, OpenVPN connects to my home computer, creates the VPN, and I can browse or remote control my home computer. It doesn't matter where I am, my laptop "phones home" and creates the connection. Took me less than an hour (including forwarding one port in my firewall), by just following the instructions. I think I probably setup the most simple ty
          • Re:and ? (Score:2, Interesting)

            by xsecrets (560261)
            Well, 6 hours is nothing compared to trying to get one of the SWANs set up for road warrior mode. I work with IPSEC implementations from numerous vendors on a daily basis, and I spent almost two weeks trying to get FreeSWAN to do road warrior before I just gave up to wait for someone to actually write an IPSEC client for Linux, and that was over a year ago, and still, even with IPsec built into the 2.6 kernel, no one has.

            This is one area where I think one of the commercial distributions could easily different
        • Re:and ? (Score:3, Informative)

          by jjackson (83961)
          Granted, IPSEC can be a pain to configure.

          However, if you are implementing a VPN between Linux and a device such as a Cisco PIX, you can't use OpenVPN.

          The fact of the matter is - Openswan implements an industry standard VPN implementation, OpenVPN does not.

          Not that it is a cause for great concern, but OpenVPN connections are also vulnerable to connection cutting (see the many, many recent stories about TCP/IP connection cutting DoS attacks), IPSEC is not.
      • Re:and ? (Score:2, Interesting)

        by Anonymous Coward
        IPsec is secure tunneling done right. If you go with a TCP-in-TCP solution, some things screw up. You don't need to mess with OpenVPN for that, good old PPP-over-SSH works perfectly. But it still is TCP-in-TCP.
    • As I understand it, OpenVPN needs software at both ends, so is basically a userspace implementation. Which is fine if you're going desktop to server, but not so suitable if you're doing hardware router/router for network-network encrypted tunnels.

      IPSec is an open standard, so implementations are available from many different vendors in many different setups, including hardware.

      One other advantage if you're supporting windows roadwarriors, is that L2TP/IPSec is built into dialup networking on windows 2K/XP
      • Gotcha. In the cases where I wanted two networks connected by a VPN, I have used hardware routers that did all the work for me, such as a Netopia R910 or SonicWall. Can a Linux box doing the same job handle more/faster connections? Of course, I guess it depends on the processor. Might be a cheaper/more scalable route than an R910 or something similar.
  • by Anonymous Coward
    I don't get it. Why not use isakmpd for key management?

    It's easy to set up, and works just fine on my Gentoo box.
    • FreeS/Wan (what Openswan is built off of) was around a long time before the code that is now shipped with the kernel. As for why people haven't resigned to use the (newly) built in IPSec code, I'm not sure. Maybe it's because Openswan is very reliable and is already running on many production servers.
  • by jaymzter (452402) on Saturday June 19, 2004 @11:41PM (#9476382) Homepage
    Openswan is a good example of a patent hurting an Open Source app. I *need* LZS compression for my company's VPN, but Openswan won't work cuz of IPCP LZS compression. I was offered an internal version of super-freeswan with the LZS code but refuse to use it cuz it's not Free. i'm stupid that way
    • by Anonymous Coward
      Huh? IPCP is used by PPP, not IPsec. If you really need LZS compression, you would need to fix your pppd. You would still have the patent issue, though.

      Openswan supports IPCOMP compression. It should interoperate with many IPsec implementations, if they support IPCOMP.
      • Does it work with Cisco?
        FreeS/Wan doesn't.

        I would like to enable encryption on my link to work, but as soon as I do so the link dies.
        It works OK between FreeS/WANs and between Ciscos but not between the two...
        • I've done Openswan interop with Cisco... 17xx's, 36x, 72xx's and 30xx series VPN Concentrators.

          So, details please... it works nicely for me.
          • It does not work between Cisco and FreeS/WAN (1.99), and all I have been able to find on Google is posts from people with the same problem. The link just does not work when compression is enabled.
          • by Anonymous Coward
            LAN-2-LAN or client (user/group/password) mode?

            I thought the former was possible, but the latter was not (yet) there?
      • Try to interop with an Avaya VSU using LZS. It'll never work because they use LZS as the encryption protocol for IPPCP (not to mention the other peculiarities of the VSU which require yet other patches to freeswan).
  • Why? (Score:5, Interesting)

    by Turmio (29215) on Saturday June 19, 2004 @11:48PM (#9476412) Homepage
    There has been a working and tested IPSec implementation from the Kame Project [kame.net] in the vanilla Linux kernel for some time now. Why go with a competing and conflicting IPSec implementation that was once formed because the official Linus tree lacked the support? Diversity is a richness and so on, but in this case I feel like these efforts seem fruitless. But big companies such as Novell don't do things just because they can, so maybe there's something I don't quite get. I'd love to be enlightened, though.
    • Re:Why? (Score:2, Interesting)

      by Anonymous Coward
      Because it's like OSS (Open Sound System) versus ALSA. OSS is being deprecated in favor of ALSA. Likewise, because of Novell's support, Kame will be deprecated as Openswan ascends. Novell is putting a lot of money and engineers behind Openswan. Other vendors are getting on board too. Openswan is the future. Kame just doesn't have the flexibility and features to meet *all* the needs of the professional enterprise.
    • Re:Why? (Score:5, Informative)

      by hsjones (789284) <hsjones@sisna.com> on Sunday June 20, 2004 @01:45AM (#9476809) Homepage
      A complete VPN solution is more than just an IPsec module (Kame) or an IKE module (Racoon). So it's not a question of Openswan vs. 2.6 kernel IPsec. Openswan moves up the stack with added functionality and intends to continue doing so. And it can use either the FreeS/WAN IPsec engine (which is being carried forward for use on pre-Linux 2.6 machines) *or* the 2.6 kernel IPsec (Kame).

      (Btw, the 2.6 kernel hasn't exactly been official "for some time now" -- even SuSE is just now shipping it in their 9.1 release.)

      In fact, with Novell now involved in Openswan (which means IBM is likely involved as well but less publicly), we will probably see Openswan work with IPsec hardware too (IBM makes some).
    • Re:Why? (Score:3, Interesting)

      by velkro (11) *
      There are still bugs in the KAME IPsec stack that is integrated into the Linux 2.6 series of kernels, and will be for another few months, I suspect.

      Look at the recent posts on the netfilter lists, for instance - doing secure firewalling with 26sec is still a real pain. There's a set of 6 patches now, but they aren't integrated into the kernel yet, and some may not be for some time.

      Also, there's some network configurations that work fine under 2.4/Openswan, but will not work at all in 2.6. One of these c
    • KAME has problems (Score:3, Interesting)

      by ink (4325) *
      Try managing 20 ipsec connections with KAME/racoon sometime. You almost always have to kill all the tunnels when a change is made to one tunnel. With Openswan, you can simply do 'ipsec auto --down/--up connectionname' after the connection has been defined. Racoon log messages themselves are cryptic; when no policy can be found, it simply logs (when logging works) a message to that effect: "no policy found"; Openswan will give you all the details of the attempted policy, without having to restart it in
  • I'm so very pleased by this news. My biggest concern from Novell's acquisition of SuSE and Ximian was whether or not they would continue to support Free Software. With other major Linux vendors (well, vendor) seemingly moving more and more toward closing their software, and locking users into their products, it's refreshing to see Novell opening more software up and supporting community projects.

    We've seen it now with their support of OpenSWAN, the open-sourcing of YaST and iFolder, and the continuing free releases of SuSE 9.1.

    As I said, I'm very pleased to see this, and I suspect we'll see even more support of the open source and free software community from the reborn phoenix that is Novell.

    • by Sunspire (784352) on Sunday June 20, 2004 @05:20AM (#9477255)
      With other major Linux vendors (well, vendor) seemingly moving more and more toward closing their software...

      Look, we all know which company you're thinking of, and I'm telling you you're completely misinformed. Can you please let me know some of the supposed closed programs this evil company is distributing, because the last time I checked it was all open source. Somehow the bashers always forget this detail...

      This is the company that is afraid to include mp3 support for being non-free, right? The company that pays Alan Cox, Arjan van de Ven, Dave Jones, Jeff Garzik, Warren Togami, Roland McGrath, Guy Streeter and many more to hack the kernel? In fact, if I'm not mistaken this company has more kernel hackers than IBM and Novell combined (read a kernel changelog lately)? I'd list some GNOME developers that work for this beast of a company, but let's just say outside Ximian they're the #1 employer here as well (cough, Havoc Pennington, Alexandre Oliva *cough*). And all that money and effort they pour into Freedesktop.org and X.org, that's just to lock you in, right?

      That company? Am I forgetting something... ? Oh yeah, they pretty much alone funded NPTL development for 2.6, backported it to 2.4 not only for their paying customers but their free version too. I guess they're pretty much the defacto maintainers of GCC and glibc these days too, but other than that, what have they ever given us?
      • by Anonymous Coward
        There's basically 3 kinds of Red Hat haters around these days.

        1. The n00b. Red Hat = MS. This person doesn't let the facts get in the way of a good argument. He's running Linux 'cause it's the l33t thing to do. Listen sonny, I was installing Slackware from disksets from the local BBS when you where a twinkle in your daddy's eye. Between then and now the community, and I myself, have written a shitload of code so that I and you don't have to do things the hard way anymore to be l33t. I've got actual work to
      • I think you entirely missed the point of my post. I was not really attempting to throw stones at Red Hat, I was trying to say more that I was encouraged by Novell. Red Hat was founded around Free Software - it's no surprise that they are still heavily involved in Linux development.

        Novell, on the other hand, had built a (at one time) very successful business around proprietary software. It's a huge culture shift for them. Not they were ever the "evil empire" type of company, but they were certainly no
  • by afriguru (784434) on Sunday June 20, 2004 @04:24AM (#9477156) Homepage
    Note that Freeswan and Openswan are not strictly needed for the future because:
    "As of Linux 2.5.47, there is a native IPSEC implementation in the kernel. It was written by Alexey Kuznetsov and Dave Miller, inspired by the work of the USAGI IPv6 group. With its merge, James Morris' CryptoAPI also became part of the kernel - it does the actual crypting."
    http://lartc.org/howto/lartc.ipsec.html
    Freeswan only needs to remain secure for current deployments. This means fixing any discovered vulnerabilities.
    • It's not an either/or choice, Openswan can in fact directly use the kernel IPsec modules in 2.6. But Openswan is a whole lot more too, it provides all the userland tools and higher level functionality that makes using IPsec easier and more powerful. There exists other Linux IPsec toolchains, but right now Openswan seems to have the most momentum.
    • I use debian sarge on which the 2.4 kernel has the 2.6 IPSEC implementation backported. So xS/Wan is just the key manager. It is easier to use and more flexible than all the others I have tried.
    • by velkro (11) * on Sunday June 20, 2004 @08:35AM (#9477594) Homepage
      Sorry, but complete your research before spouting off links and quotes.

      2.6 has an IPsec kernel layer implementation. There are two parts to IPsec - the kernel layer, and the key management (IKE) portion. The IKE daemons are userland, and without them, you don't have a complete IPsec implementation.

      Thus, they have ported isakmpd/racoon to Linux, or you can run Openswan's userland tool (aka pluto).
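      The per-connection `ipsec auto --up/--down` workflow ink describes above, and velkro's point that the kernel IPsec layer still needs a userland IKE daemon (pluto in Openswan's case), as an added configuration example that is not from this thread or from the Openswan project. The gateway addresses, subnets, connection name and pre-shared key are constructed placeholders (RFC 5737 test ranges):

```ini
# /etc/ipsec.conf -- constructed net-to-net example for Openswan/pluto.
# Comments sit on their own lines because ipsec.conf treats a line as a
# comment only when '#' is its first non-blank character.
config setup
    # let pluto listen on whatever interface carries the default route
    interfaces=%defaultroute

conn westnet-eastnet
    # "left" and "right" are just the two ends; pluto works out which one it is
    # west gateway (placeholder, TEST-NET-1)
    left=192.0.2.1
    # network behind west
    leftsubnet=10.0.1.0/24
    leftnexthop=%defaultroute
    # east gateway (placeholder, TEST-NET-2)
    right=198.51.100.1
    # network behind east
    rightsubnet=10.0.2.0/24
    rightnexthop=%defaultroute
    # IKE authentication with the pre-shared key from ipsec.secrets
    authby=secret
    # load the conn when pluto starts, but do not negotiate until told to;
    # this is what makes "ipsec auto --up westnet-eastnet" act on one tunnel only
    auto=add

# /etc/ipsec.secrets -- must be root-owned and mode 0600, since it holds the PSK.
# Index is "local-gateway remote-gateway : PSK"; the secret below is a placeholder.
192.0.2.1 198.51.100.1 : PSK "replace-with-a-long-random-secret"
```

      With this in place, `ipsec auto --up westnet-eastnet` negotiates just this tunnel and `ipsec auto --down westnet-eastnet` tears it down while other conns keep running; after editing the conn, `ipsec auto --replace westnet-eastnet` reloads only that definition into pluto.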
    • Userland tools of Freeswan and derivatives can be used with 2.6 ipsec native stack.

      Personally, I have found the Freeswan tools easier and more mature than the ipsec-tools.

      Omar
  • by Anonymous Coward
    OpenVPN (http://openvpn.sf.net/) is an excellent alternative to IPSec. It's using UDP or TCP as transport layer and doesn't care about NAT. You can have NAT on the both sides. The client and server share the same code and can be used on WIN32 or GNU/Linux (and more). The version 2.0 can handle routing per X.509 certificate... and much more.

    Novell-Suse-... should sponsor this excellent project instead of the brain damaged(tm) IPSec.
    • It needs support from some router manufacturers to become viable. Cisco would be nice, but it could start with Draytek, ZyXEL, etc.
    • I think the issue is what is currently pervasive in corporate environments. Remember, we're talking about Novell here, a company that claims 80% of the Fortune 100, and like I said in a previous post, probably IBM in the background, a company with even more of the Global 2000. Those kinds of companies are using IPsec from Cisco, Check Point, Nortel, etc...

      With those hardware companies moving to Linux as a platform (CyberGuard, BorderWare, Stonesoft, Astaro and others already there -- many more moving),
  • Strongswan [strongswan.org] has been mucho more active since Freeswan died. It also has more features. Why not go for Strongswan instead of Freeswan?

    Omar
  • 1) I wonder why they didn't sponsor the original FreeSWAN project in the first place? Why did FreeSWAN have to die because of lack of funding? Now THE FreeSWAN source is used by the OpenSWAN project, and they get sponsoring. Can anyone explain?

    2) Is opportunistic encryption still a priority for the FreeSWAN project as it was for OpenSWAN? I didn't see any mention of it on their starting page.
