FreeS/WAN Project Bows Out
V. Mole writes "After five years, the FreeS/WAN project has decided to end development. The main reason seems to be that although the project was technically successful, it was not making much progress with its political goals of encrypting a significant portion of all Internet communications, although one might guess that the selection of KAME for the standard Linux IPSEC implementation might also have influenced this decision. And don't panic, the software will remain available, and of course some other group is free to continue development."
OSS advocate (Score:5, Insightful)
this is probably one of the reasons why OSS is A Good Thing.
I call troll. (Score:5, Insightful)
Both in the open source world and in the commercial world, the vast majority of projects die. The difference is that in the open source world, the dead projects can still be put to good use in a new reincarnation down the line.
Dlugar
Re:I call troll. (Score:2, Insightful)
- windows
- office
- wordperfect
- mozilla
- seti@home
- Duke Nukem Forever
- visual studio
- nero
- quickbooks
- palm desktop software
- many many many more
(some of the above I don't know for sure, but they seem old enough to be around for that long).
Now the big question is not if they are still in development, but if you can get the latest version free of charge off the net (legally that is
Seriously though, I think any large software maker will have programs that are still in active development,
Re:I call troll. (Score:2)
Err... Mozilla is open source.
Re:I call troll. (Score:2)
Re:I call troll. (Score:2)
Here's a small sample of still active commercial products:
* Windows
* Office
* Mac OS
* Visual Studio
* CorelDRAW
* Netscape
* QuarkXPress
* Adobe Photoshop
Re:I call troll. (Score:2)
Re:OSS advocate (Score:5, Insightful)
Re:OSS advocate (Score:3, Informative)
When they were in business, they wrote Nautilus, and when they died they left Nautilus as a legacy. Bad economics can kill a company - but it can't kill a good piece of free software.
That said, much of my favourite software was written by zealots [slashdot.org] not companies. (link to other comment on this page, possible scored too low for many people to see.)
Re:OSS advocate (Score:2)
I can name any number of commercial software products that no longer exist. In fact, just the list of commercial word processors that have gone the way of all the world would fill a small book. Many of these word processors' sole legacy is an obscure Emacs-mode that tries to emulate the keybindings.
At least with Free Software you can maintain the project yourself.
Re:OSS advocate (Score:5, Interesting)
Not if they go out of business, change business models, or decide that a particular product is no longer profitable.
In all of these cases, if you depended on access to and updates for their software, you would be SOL.
With OSS, you get the source code and have the freedom to recompile it to new targets and make whatever small patches are necessary to keep it running. If it's important enough to your company (or to you as a personal user) you can take over the maintenance yourself.
The parent is alluding to this fact.
Re:OSS advocate (Score:4, Insightful)
Usually. But when they don't, you're fucked. See the Vortex2 / 3DFX driver situation.
Re:OSS advocate (Score:3, Interesting)
In our lab here, there are plots created with stuff like WingZ (NeXT based spreadsheet/plotting program) and AppsoftDraw (a visio like program) -- both types of plots from about 1995.... The programs no longer exist. We don't even bother to make changes to them.
On the other hand, we also have plots created with gnuplot, xfig, and much older documents created with latex. They all work as if they were created just now...
In this particul
Re:OSS advocate (Score:2)
Re:OSS advocate (Score:2)
The thing is, at least the code is out there if you use the software and just need a small fix. Try getting that out of a company that's collapsed. Or if the company decided that a reasonably profitable product isn't profitable enough and decided to drop it in favor of more profitable ventures. Sure, there's money there but the business decision was to go elsewhere.
Ecco Pro (Score:5, Interesting)
That was a very long time ago and today there is still a vibrant community of ecco users who swear up and down that no other product even comes close. They beg Netmanage to sell the code to them or to open up the source code but Netmanage just ignores their requests. Oddly enough Netmanage does let people download the binary.
To me what netmanage is doing is just cruel. They are not making money off of it, they don't support it and yet they refuse to sell it or open it up. Why did they buy this program for so much money just to mothball it?
Companies are like that. They sometimes suck.
Re:OSS advocate (Score:2, Informative)
No.
ummm - I have win 98 at home, and when I do a "Windows Update" I see that they are still supporting it. They turned around on their plan to abandon win98 for 12 months I think it was.
so what exactly was your point?
Re:OSS advocate (Score:2, Informative)
but that's not the point, i was actually talking about the ability for others to pick up a OSS and continue it. simply put, OSS may sleep, but it'll never die completely.
if no one picks it up, that probably means that particular software isn't worth nothing. this is by no
corporation (Score:2, Interesting)
Re:corporation (Score:5, Informative)
I've taken my Super FreeS/WAN tree, and formed a company with some other ex-FreeS/WAN folks.
Openswan is new name of the project, you can already get code from www.openswan.org [openswan.org].
Commercial support + services from us via Xelerance [xelerance.com]
Ken
Re:corporation (Score:5, Funny)
Re:corporation (Score:5, Funny)
Thanks! Some of us have been doing this stuff for many, many years. We might even be good at it by now
Re:corporation (Score:4, Interesting)
Support from a guy with a slashdot ID that is a 1024 bit RSA encryption key?
I have been doing crypto for a long time now. One of the points that Eric Rescorla raised with me when we were speaking at the RSA show was that more email has been secured with SSL in the first year of deployment than has ever been encrypted with S/MIME and PGP combined.
We all screwed up, Bruce said so in secrets and lies, but he still only half gets it. Almost all the crypto 'truth' turned out to be bogus. End to end crypto is a crock for a start, especially when you try to retrofit to a legacy protocol.
We spent years deploying S/MIME in almost every email reader, but we never made it easy to distribute certs. We also wasted time getting people to implement S/MIME when it would have been better to get them to start by simply not doing harm - if someone gets a multipart/signed message that they don't understand the mail reader should present the signed text without any complaint, just the same as any other unauthenticated content. Same with a message from a person with an invalid or expired cert.
The big screw was messing up the policy aspect. We need an infrastructure to tell people the security that an Internet server supports. DNS is fine for this, as folk point out DNS is secure enough unless there is a pretty difficult active attack.
My criticism of the inanities of the IETF wrt DNSSEC still stands. They just do not understand security there. It would have been better to have deployed DNSSEC with OPTIN two years ago than to continue to wait for all parties to agree on perfection.
Re:corporation (Score:2)
Re:corporation (Score:2)
One of the nice things about OSS is that there is less pressure to continue a bad line of development to "save face" or quell customer concerns. Unlike a commercial project, the OSS community can fork when the developers miss the bus (or make radical course changes when the original developer quits).
In the case of FreeS/WAN I can only hope that the new maintainers look at the OpenVPN project for inspiration. Th
Re:corporation (Score:4, Informative)
And 2.1.0rc1 was released a few minutes ago. Need to update website again
Ken
Re:corporation (Score:2)
It was never integrated properly into the networking stack. It never kept up with any of the advanced routing features. It screwed up the interface reporting in a manner which made any dynamic routing daemon go mad. On top of all it does not work on 90% of the more complex interoperability scenarios. The only thing it was useabl
Re:corporation (Score:2)
The letter (Score:5, Informative)
After more than five years of active development, the FreeS/WAN project will be coming to an end.
The initial goal of the project was ambitious -- to secure the Internet using opportunistically negotiated encryption, invisible and convenient to the user. For more, see our history page. A secondary goal was to challenge then-current US export regulations, which prohibited the export of strong cryptography (such as triple DES encryption) of US origin or authorship.
Since the project's inception, there has been limited success on the political front. After the watershed Bernstein case, US export regulations were relaxed. Since then, many US companies have exported strong cryptography, without seeming restriction other than having to notify the Bureau of Export Administration for tracking purposes.
This comfortable situation has perhaps created a false sense of security. The catch? Export regulations are not laws. The US government still reserves the right to change its export regulations on short notice, and there is no facility to challenge them directly in a court of law. This leaves the US crypto community and US Linux distributions in a position which seems safe, but is not legally protected -- where the US government might at any time *retroactively* regulate previously released code, by prohibiting its future export. This is why FreeS/WAN has always been developed outside the US (in Canada and in Greece), and why it has never (to the best of our knowledge) accepted US patches.
If FreeS/WAN has neither secured the Internet, nor secured the right of US citizens to export software that could do so, it has still had positive benefit.
With version 1.x, the FreeS/WAN team created a mature, well-tested IPsec VPN (Virtual Private Network) product for Linux. The Linux community has relied on it for some time, and it (or a patched variant) has shipped with several Linux distributions.
With version 2.x, FreeS/WAN development efforts focussed on increasing the usability of Opportunistic Encryption (OE), IPSec encryption without prearrangement. Configuration was simplified, FreeS/WAN's cryptographic offerings were streamlined, and the team promoted OE through talks and outreach.
However, nine months after the release of FreeS/WAN 2.00, OE has not caught on as we'd hoped. The Linux user community demands feature-rich VPNs for corporate clients, and while folks genuinely enjoy FreeS/WAN and its derivatives, the ways they use FreeS/WAN don't seem to be getting us any closer to the project's goal: widespread deployment of OE. For its part, OE requires more testing and community feedback before it is ready to be used without second thought. The project's funders have therefore chosen to withdraw their funding.
Anywhere you stop, a little of the road ahead is visible. FreeS/WAN 2.x might have developed further, for example to include ipv6 support.
Before the project stops, the team plans to do at least one more release. Release 2.06 will see FreeS/WAN making a late step toward its goal of being a simple, secure OE product with the removal of Transport Mode. This is in keeping with one of Niels Ferguson's and Bruce Schneier's security recommendations, in A Cryptographic Evaluation of IPsec. 2.06 will also feature KLIPS (FreeS/WAN's Kernel Layer IPsec machinery) changes to facilitate use with the 2.6 kernel series.
After Release 2.06, FreeS/WAN code will continue to be available for public use and tinkering. Our website will stay up, and our mailing lists at lists.freeswan.org will continue to provide a forum for users to support one another. We expect that FreeS/WAN and its derivatives will be widely deployed for some time to come.
It is our hope that the public will one day be ready for, and demand, transparent, opportunistic encryption. Perhaps then some adventurous folks will pick up FreeS/WAN 2.x and continue its development, making the project's original goal a reality.
Re:The letter (Score:2, Interesting)
Talk about two goals that are just plain swimming uphill.
Getting the Internet to change what's not broken is very hard. The fact that our default mode of communications is plaintext doesn't quite scare most pointy haired bosses. They want their stuff secured, but there's no sense in switching protocols when we can just secure on top of the existing pro
OpenSwan (Score:5, Informative)
Ouch. This is going to hurt. (Score:5, Interesting)
Re:Ouch. This is going to hurt. (Score:5, Informative)
Re:Ouch. This is going to hurt. (Score:5, Informative)
I've done a couple FreeS/WAN installs on 2.4 and they were kind of difficult to set up. Not too bad - just painful enough to appreciate them.
However, the other day I decided to try the Linux kernel's new native IPSEC modules (that have been backported to at least 2.4.24). Using 2.4.24 and KAME it was an absolute pleasure to set up. Works beautifully, and no more patching. You couldn't pay me to return to FreeS/WAN.
Re:Ouch. This is going to hurt. (Score:2, Informative)
http://www.ipsec-howto.org/
http://ipsec-tools
Re:Ouch. This is going to hurt. (Score:3, Informative)
http://lartc.org/howto/lartc.ipsec.html [lartc.org]
http://www.ipsec-howto.org/t1.html [ipsec-howto.org]
Get yourself a late model 2.4 kernel and follow the directions for 2.6. Everything works the same. If you use Debian 'testing' or 'unstable' the other packages you'll need are ipsec-tools and then racoon (KAME) or isakmpd.
It's actually pretty easy if you just follow the examples.
Re:Ouch. This is going to hurt. (Score:2)
So you worked for a company that bundled something into a product they sell, but has no resources or experience to actually support it? Tell me who they are, so I can avoid them like
2.6 IPsec not ready (Score:3, Interesting)
No, it doesn't. 2.6 IPsec has all sorts of problems with MTU, and 2.4 with 2.6 backport doesn't even understand its own behaviour. You'll end up with situations like this:
valentijn:~# ping -s 1435 host21
PING host21.wireless.palmgracht.nl (10.15.67.21): 1435 data bytes
ping: sendto: Message too long
ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
ping: sendto: Message too long
ping: wrote host21.wireless.palmgr
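To put numbers on the "Message too long" above: the following is an added worked example, not code from the post or from the kernel. It computes the on-the-wire size of an ESP tunnel-mode packet from the textbook overheads (20-byte outer IPv4 header, 8-byte ESP header, cipher IV, padding of payload plus the 2-byte ESP trailer to the cipher block size, 12-byte truncated HMAC ICV) and shows why a 1435-byte ping payload cannot fit a 1500-byte link after encapsulation. The cipher parameters are assumptions (3DES-CBC by default, AES-CBC as the alternative); whether the stack should fragment the outer packet rather than returning EMSGSIZE is the poster's complaint and is not something this arithmetic decides.

```python
"""ESP tunnel-mode size arithmetic for the MTU complaint above (added example)."""

IPV4_HDR = 20
ICMP_HDR = 8
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, iv_len=8, block=8, icv_len=12):
    """Bytes on the wire for an inner IP packet of inner_len bytes.

    Defaults model 3DES-CBC (8-byte IV, 8-byte block) with HMAC-SHA1-96;
    pass iv_len=16, block=16 for AES-CBC. Both parameter sets are assumptions.
    """
    body = inner_len + ESP_TRAILER
    pad = (-body) % block            # pad so body + pad is a whole number of cipher blocks
    esp_len = ESP_HDR + iv_len + body + pad + icv_len
    return IPV4_HDR + esp_len


def fits_link(inner_len, mtu=1500, **cipher):
    """True if the encapsulated packet needs no fragmentation on a link of this MTU."""
    return esp_tunnel_size(inner_len, **cipher) <= mtu


def ping_inner_size(payload):
    """Inner IPv4 packet size for `ping -s payload`: IP header + ICMP header + data."""
    return IPV4_HDR + ICMP_HDR + payload


def max_ping_payload(mtu=1500, **cipher):
    """Largest `ping -s` value whose ESP-encapsulated packet still fits the link MTU."""
    payload = mtu
    while payload > 0 and not fits_link(ping_inner_size(payload), mtu, **cipher):
        payload -= 1
    return payload


if __name__ == "__main__":
    # The post's case: ping -s 1435 is a 1443-byte ICMP message inside a 1463-byte IP packet.
    inner = ping_inner_size(1435)
    print(inner, esp_tunnel_size(inner), fits_link(inner))   # 1463 1520 False
    print(max_ping_payload())                                # 1418 with the 3DES defaults
    print(max_ping_payload(iv_len=16, block=16))             # 1410 with AES-CBC
```

The 20 bytes of slack between 1520 and 1500 is exactly what the outer-header plus ESP trailer costs, so on a 1500-byte link the tunnel's effective MTU for ping data is 1418 (3DES) or 1410 (AES-CBC); anything larger must be fragmented either before or after encapsulation, and a stack that reports neither a usable path MTU nor fragments for you produces the sendto failure shown.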
Opportunistic encryption (Score:5, Interesting)
Also, aren't there other problems inherent with OE? IE: the need to have secure DNS before this can really happen, or a PKI infrastructure or public key escrow or something? I'd love to just install freeswan on my firewall and have encrypted connections happen, but a) would it really help things and b) would it be like being the first one on the block to have a videophone?
Re:Opportunistic encryption (Score:5, Insightful)
OE doesn't *need* DNSSEC.
It just benefits from it. Without it, you are vulnerable to *ACTIVE* attacks against the DNS. With DNSSEC, you are totally immune.
The real thing that bones up OE is that you need a static, public IP (since OE isn't defined for NAT'ed IPsec). If you want to do full OE, then you need access to the reverse map too. How many have that? Well, if you don't, you probably don't have static IP or an AUP that even lets you sneeze.
But, it could be made to work with NAT'ed IPsec, and it could also do enrollment in the reverse map via DHCP.
Re:Opportunistic encryption (Score:3, Interesting)
Hence the emergence of the OpenVPN project. It allows a variety of authentication and encryption methods to connect two hosts that can both have dynamic addresses with forward-only DNS service (such as DynDNS).
Re:Opportunistic encryption (Score:2)
Because I have much the same problem.
If you are interested in such things on a hobby level, you'd be more than welcome on my own VPN network. We're building secure dns and pki, and it would be cool to have someone else with their own videophone, so to speak...
Re:Opportunistic encryption (Score:5, Funny)
Re:Opportunistic encryption (Score:2)
Securing communication with random parties is nice & all, but I don't really communicate anything worth securing with unknown parties.
For most people, what's at least as important is a strong authentication that the other side is really the guy I want to talk to. Then, once I know who it is, I want to secure the transaction.
This is not to say that FreeS/WAN can't accomplish strong authentication.. It supports certific
Real Problem, but impractical solution (Score:2)
Opportunistic Encryption does it mostly correctly, but not in a way that's very practical, because most people don't have control of their reverse DNS space and will therefore never deploy it. Also virtua
I thought the Internet was encrypted (Score:5, Funny)
Re:I thought the Internet was encrypted (Score:4, Funny)
Wrong. Double-ROT-13 was found to be insecure. I mean, come on - it's obvious that the second ROT-13 undoes the first ROT-13! So the internet has since been upgraded to quadruple-ROT-13, which is twice as secure as double-ROT-13.
Re:I thought the Internet was encrypted (Score:2)
Yes, it was proven vulnerable to the sophisticated "reading" attack. Microsoft is afraid that if they patch this a new rash of worms will arise, so they recommend upgrading to their most expensive versions.
Re:no make sense (Score:3, Funny)
Elucidation (Score:5, Informative)
"Hello World" -> "Uryyb Jbeyq"
triple-DES is a more modern encryption scheme still in use today.
The humor comes from the fact that applying rot-13 twice results in the exact original text, so saying that the Internet uses 'double rot-13 by default' is just noting that it's completely unencrypted but in a way that makes it sound like a real encryption scheme.
It really was quite an amusing post... unlike this one.
There's one more release in the works.... (Score:5, Informative)
*gasp!* (Score:3, Funny)
KAME (Score:2, Informative)
Either it means that *YET AGAIN* Linux can't play nicely, and has to import code from the BSD world to make things work.
Or, it means nothing, because KAME wasn't imported to the kernel. Only one or two libraries, and the pfkey code was. And, the userspace KAME tools leave so much to be desired, that nobody would want to run them.
Openswan lives.
Re:KAME (Score:3, Insightful)
It might be an instance of Linux developers failing to produce software that is as good or better than the BSD-licensed alternative (and I don't know either KAME or FreeS/Wan well enough to say if that's the case), but there is nothing morally wrong about it. Using the best tool
Trolling? Maybe...but here is my experience (Score:5, Informative)
I fought with it for a week - did tons of google research, and still couldn't get Phase2 to work. I eventually caved in and bought a Linksys VPN endpoint router that comes with a simple web administration tool. I had it up and running in 15 minutes. I'm just sorry I wasted that week on FreeSwan.
Re:Trolling? Maybe...but here is my experience (Score:5, Insightful)
You know what's funny? Recent Linksys VPN routers (ie: WRV54G) use FreeS/WAN for IPsec (they are built on the OpenRG platform).
So you might be using it anyways
Re:Trolling? Maybe...but here is my experience (Score:2)
I figured that FreeS/WAN would soon be replaced by
Re:Question (Score:3, Informative)
Re:Trolling? Maybe...but here is my experience (Score:4, Insightful)
I don't think you're alone there. I myself have tried FreeS/wan several times over the years and have always found it a frustrating experience. I think the documentation should take a lot of the blame for the problem. It was never too clear and gave only a few wildly different (and sometimes conflicting) examples. Left side? Right side? They would often switch the left/right-side convention for no apparent reason. And I found it wasn't always clear what configuration settings were required and how they interacted. Because of this it was hard to condense a working configuration out of the few examples they did give.
Many years ago I was trying to connect my network with my family's network (linux to linux) I eventually went with vtun [sourceforge.net]. It worked fairly well. More recently I went with OpenVPN [sf.net] when I needed to connect my dad's Win2K laptop back to the family network over a dial-up line. In both these examples I originally tried using FreeS/wan on the linux side(s). I thought it would be easier (especially with W2K in the second case) because IPsec is a standard. Nope. Now I'll go look at this new Kame [kame.net] port in the 2.6 kernel and IPsec-tools [sf.net]. Hopefully it's fairly easy to setup.
I'm afraid... (Score:4, Informative)
Re:I'm afraid... (Score:4, Informative)
Support for FreeS/WAN will continue, the code certainly won't just wither up and die. A number of us forked it awhile ago, and keep two active trees going for stable and feature development.
www.openswan.org (I've karma whored enough tonight).
Ken
Re:I'm afraid... (Score:2)
E-smith is nice if you've standardized on it as a single platform, but if you have a mix of different systems it sucks ass. I have a pair of e-smith/SME servers in my office, and our IPSEC guy in our German office practically pulled out his hair trying to get the non-Mitel supported IPSEC stuff to play nicely with their SuSE machines. Eventually, he rebuilt the config file b
pgp.net (Score:3, Interesting)
PGP.net (oh, where have you gone) provided opportunistic encryption with no infrastructure requirements other than that the two machines communicating use the PGP.net software.
Controlling the two endpoints seems a lot easier than trying to control them plus the DNS servers to exchange info.
Anyone know what happened to PGP.net?
mod me flamebait but... (Score:2, Informative)
I have to look after a large network of VPNs across a small country and a lot of things about FreeSWAN bite bad wind.
For one thing, not only does it encrypt network traffic; it encrypts its error messages as well. They are all but unintelligible, even after looking at the sourcecode.
Actually, after looking at the sourcecode one is frequently more confused than ever.
And googling for the error messages often seems to find threads where the FreeSWAN developers burble to the effect of "yeah i
Re:mod me flamebait but... (Score:5, Interesting)
That being said, I did believe (from reading the docs) that the development team was far more interested in making a (pointless, IMHO) political statement than in creating a usable piece of software. For most small / medium businesses, Opportunistic Encryption is the last thing you want - typically these companies have one interface to the Internet, and having trusted and untrusted-from-random-IP-subnets coming in on the same connection creates a firewall design nightmare. I'm sure there's a way to make it work, but frankly if information is worth securing, we can and do secure it. If it isn't, then we just don't care - I'd rather just Keep It Simple, Stupid.
alternatives (Score:4, Interesting)
Would it really be that difficult for somebody to take over the development? Maybe their role could be more to administer the operation rather than code a lot of it.
Also, this (google's cache) [216.239.37.104] or the PDF version of the above [sosresearch.org] claims that FreeS/WAN does not support PKI.
Re:alternatives (Score:2)
Doesn't it seem that... (Score:4, Insightful)
Re:Doesn't it seem that... (Score:4, Informative)
Why the heck can't IPSec have a set of "must implement" specs so that there could be a standard default config that works with every single ipsec vpn?
Plus, it all runs in userspace, and it works on every single operating system ever, can be port forwarded, natted, mangled in just about every which-way and still works.
What a pleasure to use. Try it. You'll like it.
Re:Doesn't it seem that... (Score:2, Insightful)
who cares? (Score:3, Interesting)
No I'm not trolling I'm asking a question here. Outside of admins, how many people really care whether their connection is secure or not. I always reference this out regarding IPSec and the likes, so I'll point out eBay as an example. Now a company such as eBay in my opinion should have SSL based log on by default, period. It's optional. Why? Because most users outside of the geekrealm, and system admin realm don't understand the escape key from their space bar. So when it comes to things like... "Will you accept this certificate?" and the likes, they don't know, and they certainly don't care. Same goes for VPN's. Why should the people care if Freeswan "was not making much progress with its political goals of encrypting a significant portion of all Internet communications" when the typical user doesn't know about Freeswan, and more than likely wouldn't care.
Re: (Score:3, Interesting)
Re:who cares? (Score:2)
Sure, it's not. Neither are locks on doors on houses.
To secure your house, you must:
1) Lock the door.
2) Lock the windows.
3) Notify your neighbors when you'll be out of town
4) Turn on lights
5) Turn on alarm system
6) Lock fence gates
But HOW MUCH GOOD IS 2-6 IF YOUR FRONT DOOR IS UNLOCKED?!?!?
Don't assume that SSL is all that's needed. But don't pretend that it isn't needed.
Re:who cares? (Score:2)
You're missing my point. In order for Freeswan to have been as successful as they'd like to have been, they kind of sold their hopes too high. Not everyone cares about security though most should. How many people/companies do you know of that still use ftp as opposed to sftp or scp, and even use passive ftp. It's easier to use, and you won't have to spend time explaining things to the non-geek user. Majority rules remember that, like it or not.
Comment removed (Score:3, Informative)
perhaps there is another lesson (Score:5, Insightful)
to be learned here. The stated goal of the project was to increase the amount of traffic that is encrypted on the internet. While this does not directly conflict with the goal of making as much software as possible "free" (as in beer), it does set a different goal.
Why the hell am I bringing this up? Well, one of the problems with FreeS/WAN was that it would not work with low-bit encryption. This was done to promote their political goal. But it also had the side effect of inhibiting adoption at the places where for whatever reason people had to interoperate with low-bit encryption applications or setups. The last time I checked (which I have to admit was over 2 years ago) the FreeS/WAN project explicitly stated that they would refuse to cooperate with anyone who tried to "subvert" the project by building-in interoperation with low-bit encryption.
So what is this lesson to be learned that I am talking about? When fighting an uphill battle (which a volunteer project challenging for-profit institutions always does), it may not be wise to make it more difficult for people on the sidelines to agree with your cause.
Linux was built on much better technology than Windows (nfs vs smb, ext vs fat, separate windowing subsystem vs windowing system as part of the kernel, etc), but it didn't gain in popularity because it decided to replace all the Windows boxen. The technical decision was made to cooperate with them. The fundamental decision on priorities was to hold interoperability above politics. FreeS/Wan took the other road.
Re:perhaps there is another lesson (Score:3, Informative)
I mean, really. From a personal file-sharing standpoint, NFS is retarded.
"Here, connect to my computer. Have a magic cookie or two. Let's cram a stateless protocol into a state-filled paradigm. While we're at it, I trust your computer has not been compromised, and will do all proper authentication. It's only polite, after all."
NFS sort-of works for a pack of servers operating in a firewalled area of the network, but p
Probably a good thing (Score:5, Insightful)
The 2.6 implementation is not as mature, but it has excellent success factors. It was written by an alpha kernel hacker, it's in the mainline, and it's open in the Linux tradition. An influx of former FreeS/WAN users may be just what it needs to work out the kinks. FreeS/WAN has done a great service, and is now doing another by throwing its momentum behind an implementation with better long-term prospects.
were FreeSwan users afforded "luxury of ignorance" (Score:5, Insightful)
Re:were FreeSwan users afforded "luxury of ignoran (Score:2)
Security is directly related to the skill of the admin implementing it. The skill of an admin is directly related to how well that admin understands that tool. Not necessarily the actual protocols and server bits that make it work, but at least its configuration. My point in experimenting was not to get a single link up, but to eventually use it for securing W
Re:were FreeSwan users afforded "luxury of ignoran (Score:2)
Try here [sourceforge.net]. A FreeS/WAN webmin module is standard in the latest release of Webmin. Unfortunately, it does little to unobfuscate FreeS/WAN. I have been looking into FS for the last couple of weeks and was planning on implementing it this weekend at a client's office. Now, I will look at alternatives - lord knows they can't be any more complicated to configure than FS.
That sucks (Score:4, Insightful)
Hopefully openswan will be a good replacement
FreeS/WAN was a bad codebase to start with (Score:2, Interesting)
FreeS/WAN is an unfortunate example of a project too focused on a far out goal (OE) to make the simple foundations work.
SSL based VPNs (Score:3, Informative)
Re:SSL based VPNs (Score:2)
Re:SSL based VPNs (Score:5, Informative)
Typically, an SSL "VPN" is really just a web app that uses ssl between your browser and itself. It runs on a box on the private network, and provides file browsing capabilities, "intranet" access (e.g. an internal purchasing website), etc. But it doesn't let you encrypt your ping packets, since you're not even really connected to the secured network.
I think the companies who created the thing called it a "VPN" because it was the buzzword, and not because it is at all a Virtual Private Network.
I use FreeSWAN (Score:4, Interesting)
There was absolutely no way that 'normal' users were ever going to be able to make use of this product for the 'opportunistic encryption' the project aimed for, I honestly don't think you could design a more opaque and confusing piece of software if you were actually trying.
That being said, once you get over the configuration hurdles and realise you will have to employ script-based kludges to do simple things e.g. get it to route packets though multiple tunnels terminating on the same local IP address, it mostly works quite well.
Re:I use FreeSWAN (Score:2)
Not surprised (Score:2)
Re:Not surprised (Score:2)
True.
I'm sure it IS configurable, but the documentation is terrible.
Now, I'm not trying to be a FreeBSD whore... but this is one of the things I was most impressed with so far with FreeBSD.
IPSec still isn't *really* simple to configure, but at least I managed to get it working within a day.
I still don't have key exchange working properly between windows and BSD, but I set up a wireless link using BSD to BSD and ipse
I'm both disappointed and relieved (Score:2)
I tried to set up OE. In fact, I did have it working, sort of. The problem is that a box running OE presently needs to use another machine as its nameserver (or at least, use another machine's nameserver in preference to a local
Re:I'm both disappointed and relieved (Score:3, Insightful)
I think this is being fixed in 2.06, so we'll assimilate that chunk of code if it works correctly.
>Also, OE requires the use of the TXT field. There are many other projects also proposing to use this field (well, a few anti-SPAM proposals), so conflicts could arise in the future.
You can have multiple TXT records, just like MX, A and other DNS records, so this shouldn't be a problem.
>However, I hop
Why They Weren't Used As Much As They Wanted (Score:5, Insightful)
Part of the problem with the FreeS/WAN group was that they DIDN'T WANT TO INTEROPERATE. Their attitude toward single DES was that they refused to support it because it wasn't sufficiently secure. As I recall, they wouldn't even accept patches that provided it as an ifdef with the default turned off. So, they were a pain in the ass to use for any serious interoperative commercial development, which obviously requires stooping to single DES.
This quote from the FAQ at freeswan.org sums up their attitude regarding interoperability:
"As we see it, it is more important to deliver real security than to comply with a standard which has been subverted into allowing use of inadequate methods."
FreeS/WAN saw it wrong. Sure, single DES is not macho enough, but interoperating is pretty damned important, even if that means supporting a protocol that is beneath your 'leetness.
OE... (Score:2)
providing seamless ipsec without configuration, depends on having control of your reverse dns. A lot of ISPs won't allow you to change or won't change for you the reverse, as this is often encoded with useful info for the ISP, such as node id, and geographic location. This has had as big an effect at slowing down the spread of it as anything else. Some are cool, and I am actually very disappointed cause I recommended it to a friend of mine
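The reverse-map dependency in the post above, the earlier reply noting that OE needs the reverse map and is open to active DNS attacks without DNSSEC, and the exchange about sharing the TXT field with anti-spam records all come down to one lookup. The following is an added example, not FreeS/WAN code: it models what an OE peer must find under the other side's reverse name before it can negotiate, using a small constructed zone in place of real DNS. The record layout "X-IPsec-Server(<precedence>)=<gateway> <base64 key>" is my recollection of the FreeS/WAN OE documentation, so treat the exact syntax as an assumption; the addresses and key strings are made up.

```python
"""Opportunistic-encryption reverse-map lookup (added example, not FreeS/WAN code)."""
import ipaddress
import re

# Assumed record syntax, after the FreeS/WAN OE docs as I recall them.
OE_RECORD = re.compile(r"^X-IPsec-Server\((\d+)\)=(\S+)\s+(\S+)$")

# Constructed reverse-map data for a 10.15.67.0/24 example network.
# The SPF string shares the owner name harmlessly: one name may carry many TXT records.
SAMPLE_ZONE = {
    "21.67.15.10.in-addr.arpa": [
        "v=spf1 -all",
        "X-IPsec-Server(20)=10.15.67.2 AQNbackupKeyBase64Sample",
        "X-IPsec-Server(10)=10.15.67.1 AQNprimaryKeyBase64Sample",
        "X-IPsec-Server(5)=not-an-address AQNjunk",
    ],
    "22.67.15.10.in-addr.arpa": [
        "v=spf1 -all",
    ],
}


def reverse_name(ip):
    """Reverse-map owner name for an address, e.g. 21.67.15.10.in-addr.arpa.

    This is the name the peer's ISP must let them populate; without it there
    is nothing for the other side to look up.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def parse_oe_records(txt_records):
    """Return [(precedence, gateway, key)] for well-formed OE records, best first.

    Unrelated TXT strings are skipped, as are records whose gateway is not an
    IP address. Lower precedence wins, as with MX.
    """
    found = []
    for rec in txt_records:
        m = OE_RECORD.match(rec.strip())
        if not m:
            continue
        try:
            gateway = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue
        found.append((int(m.group(1)), str(gateway), m.group(3)))
    return sorted(found)


def find_oe_gateway(peer_ip, zone):
    """Gateway and key to negotiate with for peer_ip, or None if it advertises no OE record.

    `zone` stands in for the DNS: a dict of owner name -> list of TXT strings.
    Without DNSSEC, whoever can answer this query chooses the gateway and key,
    which is the active attack mentioned in the thread.
    """
    records = parse_oe_records(zone.get(reverse_name(peer_ip), []))
    if not records:
        return None
    precedence, gateway, key = records[0]
    return {"gateway": gateway, "key": key, "precedence": precedence}


if __name__ == "__main__":
    print(find_oe_gateway("10.15.67.21", SAMPLE_ZONE))   # primary gateway 10.15.67.1
    print(find_oe_gateway("10.15.67.22", SAMPLE_ZONE))   # None: no OE record, talk in the clear
```

Two things the lookup makes concrete: the key is found under the remote address's reverse name, so an ISP that owns your in-addr.arpa delegation effectively owns your ability to be an OE peer; and a name can hold any number of TXT strings, so the parser simply ignores the ones that are not OE records.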
Freeswan vs KAME and other useless BS (Score:5, Informative)
And just for the record, tail -f
For those who hated freeswan because error messages sucked, try the above. For those who say it sucked because of politics, welcome to open source!
To me it seems obvious that freeswan will still be deployed and maintained -- it's just too good of a thing to let go. Try to think of this as a releasing -- openswan and the rest are not going anywhere. Freeswan's active development is done... since their main goal was OE. Since I didn't want OE, I don't care. It's not like freeswan doesn't support some IPSEC feature or that it's behind the times. What else needs to be done? Maintenance I would gather
Considering the responses i've seen here, it's going to be maintained. I'm glad we're in opensource land and I don't HAVE to use kame if I don't want to or have some reason where freeswan is slightly better for my situation.
Aw RATS (Score:2)
If anyone takes over development, I will definitely be testing each new version, at least as it pertains to my setup.
Re:Just to bad, (Score:3, Informative)
From the announcement itself:
That the original group of developers is bowing out has, really, little to no implications for your ability to find support.
Re:Politics Trumping Development (Score:2, Interesting)
The failure of the Hurd was a bad gamble. Possibly encouraged by the fact that they had written almost an entire operating system (using tried-and-true designs), the GNU projectee
Wow, that's a weird observation (Score:2)
> on. If zealotry was a problem, GCC, Emacs, GDB, and many of
> the GNU command line utils would have failed long ago
But did Richard's zealotry make the other projects work, or did his programming prowess make them work in spite of his zealotry?
Either way, that's a pretty weird observation
Re:Politics Trumping Development (Score:3, Interesting)
Most people don't give a flying fuck what political goals your project has. Only the code, and the software matter. All else is gravy.
You can add this to the graveyard of noble goals brought down by zealotry.
I find this particular outlook sad and disturbing, especially when that outlook is probably more than a little true. It's the nature of the human animal to push