
Novell-SUSE Sponsors Openswan

hsjones writes "Concerned about the demise of FreeS/WAN? Well, looks like Openswan is going to be a good, strong open source IPsec project going forward. Novell and SUSE have jumped in with Astaro to back the project and move it along. See the press release. The Openswan project is at http://www.openswan.org. SUSE Linux and Astaro Security Linux both use FreeS/WAN in their current releases. It will be very interesting to watch what they do now with Openswan!"
  • SUSE (Score:3, Interesting)

    by Harrison819 ( 789751 ) <harrison.smith@gmail.com> on Saturday June 19, 2004 @11:12PM (#9476275) Journal
    SUSE is now one of the premier players on the linux scene, with Novell's help of course. SUSE was my first distro and I am very happy it has found success. I just hope it does not go the way of redhat and not try to make their distro the best one out there and rely on the name alone, also like metallica but that is for another time.
  • and ? (Score:4, Interesting)

    by kayen_telva ( 676872 ) on Saturday June 19, 2004 @11:20PM (#9476305)
    What does FreeSWAN do that OpenVPN [sourceforge.net] does not?
    I have never tried SWAN because OpenVPN is so easy.
    Are there any compelling reasons to try it??
  • Why? (Score:5, Interesting)

    by Turmio ( 29215 ) on Saturday June 19, 2004 @11:48PM (#9476412) Homepage
    There has been a working and tested IPSec implementation from Kame Project [kame.net] in the vanilla Linux kernel for some time now. Why go with a competing and conflicting IPSec implementation that was once formed because the official Linus tree lacked the support? Diversity is a richness etc., but in this case I feel like these efforts seem fruitless. But big companies such as Novell don't do things because they just can so maybe there's something I don't quite get. I'd love to be enlightened, though.
  • Re:Why? (Score:2, Interesting)

    by Anonymous Coward on Sunday June 20, 2004 @12:13AM (#9476503)
    Because it's like OSS (open sound system) versus Alsa. OSS is being deprecated in favor of Alsa. Likewise, because of Novell's support, Kame will be deprecated as Openswan ascends. Novell is putting a lot of money and engineers behind Openswan. Other vendors are getting on board too. Openswan is the future. Kame just doesn't have the flexibility and features to meet *all* the needs of the professional enterprise.
  • Re:and ? (Score:5, Interesting)

    by kayen_telva ( 676872 ) on Sunday June 20, 2004 @12:19AM (#9476524)
    However, with the *SWANs, you can also get x509, nat-t, dpd, foo, and bar.

    x509 is certs, right? OpenVPN can do em. nat-t? OpenVPN doesn't need that kludge. It uses one port that can be redirected through multiple NATs if need be. Dead peer detection? OpenVPN is self healing. Link goes down, comes back up and OpenVPN reconnects.

    Now before I get too carried away, I don't know shit about vpn, but SWAN looks like a bitch (based on my IPCop machine) and OpenVPN is very easy.
  • Re:and ? (Score:2, Interesting)

    by xsecrets ( 560261 ) on Sunday June 20, 2004 @03:29AM (#9477056)
    Well 6 hours is nothing compared to trying to get one of the SWANs set up for road warrior mode. I work with IPSEC implementations from numerous vendors on a daily basis, and I spent almost two weeks trying to get FreeSWAN to do road warrior before I just gave up to wait for someone to actually write an IPSEC client for linux, and that was over a year ago, and still even with ipsec built into the 2.6 kernel no one has.

    This is one area where I think one of the commercial distributions could easily differentiate themselves from the pack, but no signs of it yet.
  • Re:Why? (Score:3, Interesting)

    by velkro ( 11 ) * on Sunday June 20, 2004 @04:04AM (#9477106) Homepage
    There are still bugs in the KAME IPsec stack that is integrated into the Linux 2.6 series of kernels, and will be for another few months, I suspect.

    Look at the recent posts on the netfilter lists, for instance - doing secure firewalling with 26sec is still a real pain. There's a set of 6 patches now, but they aren't integrated into the kernel yet, and some may not be for some time.

    Also, there's some network configurations that work fine under 2.4/Openswan, but will not work at all in 2.6. One of these configs I use daily (subnet extrusion), so I've been unable to update any of my production machines to the new stack, even though I'm one of the Openswan developers.

    I hope to see about solving some of this at LinuxTag in a few days, since there will be a large contingent of developers present, and putting the right people in a room together gets things resolved very quickly :)

    Ken
  • by Tony-A ( 29931 ) on Sunday June 20, 2004 @04:17AM (#9477139)
    IIRC Novell was designed for corporate networks, routable and securable.
    TCP/IP is fundamentally designed to let anybody in, very routable and hardly securable. It's essentially a difference between private roads and public roads.

    Just on the basis of where Novell is coming from, I'd expect a Linux coming from Novell to be somehow much more "business-friendly". Just a different bias in setting various tweaks and configurations would be enough.
  • by Sunspire ( 784352 ) on Sunday June 20, 2004 @05:20AM (#9477255)
    With other major Linux vendors (well, vendor) seemingly moving more and more toward closing their software...

    Look, we all know which company you're thinking of, and I'm telling you you're completely misinformed. Can you please let me know some of the supposed closed programs this evil company is distributing, because the last time I checked it was all open source. Somehow the bashers always forget this detail...

    This is the company that is afraid to include mp3 support for being non-free, right? The company that pays Alan Cox, Arjan van de Ven, Dave Jones, Jeff Garzik, Warren Togami, Roland McGrath, Guy Streeter and many more to hack the kernel? In fact, if I'm not mistaken this company has more kernel hackers than IBM and Novell combined (read a kernel changelog lately)? I'd list some GNOME developers that work for this beast of a company, but let's just say outside Ximian they're the #1 employer here as well (cough, Havoc Pennington, Alexandre Oliva *cough*). And all that money and effort they pour into Freedesktop.org and X.org, that's just to lock you in, right?

    That company? Am I forgetting something... ? Oh yeah, they pretty much alone funded NPTL development for 2.6, backported it to 2.4 not only for their paying customers but their free version too. I guess they're pretty much the de facto maintainers of GCC and glibc these days too, but other than that, what have they ever given us?
  • Re:and ? (Score:2, Interesting)

    by Anonymous Coward on Sunday June 20, 2004 @05:42AM (#9477287)
    IPsec is secure tunneling done right. If you go with a TCP-in-TCP solution, some things screw up. You don't need to mess with OpenVPN for that, good old PPP-over-SSH works perfectly. But it still is TCP-in-TCP.
  • by Anonymous Coward on Sunday June 20, 2004 @05:44AM (#9477291)
    There's basically 3 kinds of Red Hat haters around these days.

    1. The n00b. Red Hat = MS. This person doesn't let the facts get in the way of a good argument. He's running Linux 'cause it's the l33t thing to do. Listen sonny, I was installing Slackware from disksets from the local BBS when you were a twinkle in your daddy's eye. Between then and now the community, and I myself, have written a shitload of code so that I and you don't have to do things the hard way anymore to be l33t. I've got actual work to do now on Linux, get this, not in fact related to Linux at all.

    2. The rabid KDE zealot (a minority in the KDE community). Red Hat will go KDE, oh, right about when the Sun goes Nova. They hate RH and Ximian for basically keeping GNOME alive no matter what might come.

    3. The distro zealot. "My distro makes me feel like a productive community member, because I've got GCC compiling 24/7... not that I know what any of the output means...". Curiously you never, ever see these distro makers posting on the Linux kernel mailing list, or contributing to any core project outside their own little package management tools.
  • KAME has problems (Score:3, Interesting)

    by ink ( 4325 ) * on Sunday June 20, 2004 @08:41AM (#9477607) Homepage
    Try managing 20 ipsec connections with KAME/racoon sometime. You almost always have to kill all the tunnels when a change is made to one tunnel. With Openswan, you can simply do 'ipsec auto --down/--up connectionname' after the connection has been defined. Racoon log messages themselves are cryptic; when no policy can be found, it simply logs (when logging works) a message to that effect: "no policy found"; Openswan will give you all the details of the attempted policy, without having to restart it in "debug mode"; or "running Racoon in foreground -F mode". Racoon seems to have problems logging normal information to syslog -- sometimes its messages just disappear mysteriously (I've seen this on RHEL3 and FC2).

    KAME also has problems with netfilter; specifically it doesn't work with all NAT rules, which are VERY common on ipsec gateways. It also doesn't work at the interface level, so many of the advanced routing tools don't work like you'd expect (try using tc with it, on an interface level...).

    I don't know why 2.6 and the Linux ipsec-tools project standardized on KAME. It may be from BSD, but we already have better userland tools, and they already (mostly) work with the new 2.6 ipsec interfaces. Hopefully these tools will get better with time, but right now pluto/openswan are simply more mature, stable and just plain better.

  • by soren42 ( 700305 ) * <<moc.yak-nos> <ta> <j>> on Sunday June 20, 2004 @12:26PM (#9478164) Homepage Journal
    I think you entirely missed the point of my post. I was not really attempting to throw stones at Red Hat, I was trying to say more that I was encouraged by Novell. Red Hat was founded around Free Software - it's no surprise that they are still heavily involved in Linux development.

    Novell, on the other hand, had built a (at one time) very successful business around proprietary software. It's a huge culture shift for them. Not that they were ever the "evil empire" type of company, but they were certainly not making money on Free Software.

    I have so much more to say about this, actually, that I can't say in a public forum. Suffice to say, I never had the opportunity to work with Novell in its former heyday, but today they are one of the most accommodating, ethical, and sensible companies I have ever dealt with. They have a true understanding of what "customer service" means, and it reflects very well on them. Additionally - only from personal experience, mind you - I could say all the opposite things about my experiences with Red Hat. (If you'd like more insights about this, privately, please feel free to e-mail at the address above.)

    So, here's what I'm getting at - I, personally, have decided to do business with Novell instead of Red Hat, for reasons that have nothing to do with Free Software ideology. That said, I was very concerned about Novell's level of commitment to Free Software, but their recent actions have quelled those fears. I appreciate Red Hat's work, their staff, and the company's contribution to Free Software - but that was never really in question.



    One more thing (really a side note) - your list of kernel developers piqued my interest. I never realized that Jeff Garzik was working at Red Hat or was coding kernels. I read your list, and went, "Hey! I know Jeff Garzik! He's at Red Hat? Cool!" I went to college with Jeff at Georgia Tech back in the 90's, and I always wondered what he was up to. He was such a brilliant coder and SA, I'm glad to see he's doing well for himself. In fact, at one point, we did a really great Star Wars [google.com] parody. Heh heh heh ... those were the days, being just a number (gtd543a, gt2357a, etc.) Thanks for that trip down memory lane!
  • by Anonymous Coward on Sunday June 20, 2004 @01:19PM (#9478308)
    lan-2-lan or client (user/group/password) mode ?

    I thought the former was possible, but the latter was not (yet) there ?
  • I think the issue is what is currently pervasive in corporate environments. Remember, we're talking about Novell here, a company that claims 80% of the Fortune 100, and like I said in a previous post, probably IBM in the background, a company with even more of the Global 2000. Those kinds of companies are using IPsec from Cisco, Check Point, Nortel, etc...

    With those hardware companies moving to Linux as a platform (CyberGuard, BorderWare, Stonesoft, Astaro and others already there -- many more moving), this is a good move for Novell to make SuSE Linux more attractive to those guys.
