
OpenSWAN and Shorewall have worked fine for me for many a year now. The painful part is upgrading. Be sure to read all the release notes so you know what you're up against when you finally do upgrade.

I've always done this from CentOS/RHEL installations. At first I was using the OpenSWAN kernel module, which has to be compiled for your loaded kernel. Because of some issues with the RHEL kernel backporting, support for the native OpenSWAN kernel module was broken for some time, at which point I reverted to using the in-built RHEL ipsec kernel support (NETKEY). This works fine but changes the interfaces used (NETKEY interfaces directly to your existing ethernet ports; the OpenSWAN one creates an ipsec0 interface). This changes the way the firewall must be configured. Also, using the non-native interfaces means you can't use SAref and MAST support from OpenSWAN. I believe the kernel support issues with RHEL kernels have been rectified, but I haven't as yet changed back to the OpenSWAN interface module.

I actually support 5 Host-to-Host VPNs and one (multiple) "roadwarrior" VPN, all running on OpenSWAN/Shorewall. It works well for our situation. YMMV.

Tom

On 22/06/12 15:58, Jason White wrote:
> Andrew Spiers <andrew@andrewspiers.net> wrote:
>> Which is your favourite, and why?
>
> I'm not sure. I managed to get OpenSWAN working over IPv6, but it had a few problems and limitations. StrongSWAN has better protocol support (e.g., for IKEv2), but I wasn't able to make it work with my IPv6 arrangements, either due to an error in my configuration or a bug. I didn't get a response via the list either, but nor did I pursue the matter further.
>
> IKEv2 is reputedly much better than IKEv1 and I would suggest using an implementation that offers good support for it.
>
> With OpenSWAN, the main problem was that it sometimes didn't correctly bind to my interfaces during the boot process, including the PPP interface which is brought up by the ADSL card. Apparently, StrongSWAN can dynamically detect network interfaces as they are brought up and down, which is why I looked closely at it.
>
> _______________________________________________
> luv-main mailing list
> luv-main@luv.asn.au
> http://lists.luv.asn.au/listinfo/luv-main
--
Tom Robinson
19 Thomas Road
Healesville, VIC 3777
Australia
Mobile: +61 4 3268 7026
Home: +61 3 5962 4543
GPG Key: 8A4CB7A7

CONFIDENTIALITY: Copyright (C). This message with any appended or attached material is intended for addressees only and may not be copied or forwarded to or used by other parties without permission.
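The firewall difference Tom describes, as an added Shorewall illustration that is not his configuration: with the OpenSWAN (KLIPS) module the decrypted traffic arrives on ipsec0, so the VPN zone is simply bound to that interface, whereas with NETKEY it arrives on the physical port and the zone must be declared with the ipsec type so Shorewall can tell it apart from cleartext on the same interface. The interface names, the remote subnet 192.168.50.0/24 and the peer address 203.0.113.10 are assumptions.

```text
# All interface names, subnets and peer addresses below are assumed values.

# --- Option A: OpenSWAN KLIPS module (tunnel traffic shows up on ipsec0) ---

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
vpn     ipsec0      detect      # decrypted packets arrive here, so a plain ipv4 zone suffices

# --- Option B: RHEL in-kernel IPsec (NETKEY): no ipsec0, decrypted packets appear on eth0 ---

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipsec       # ipsec type: only packets that came out of an IPsec SA match this zone

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect

# /etc/shorewall/hosts  (assumed remote subnet; without this NETKEY traffic is treated as "net")
#ZONE   HOST(S)                 OPTIONS
vpn     eth0:192.168.50.0/24

# --- Common to both: allow IKE (UDP 500/4500) and ESP from the assumed peer ---

# /etc/shorewall/tunnels
#TYPE   ZONE    GATEWAY         GATEWAY_ZONE
ipsec   net     203.0.113.10

# /etc/shorewall/policy  (VPN traffic is trusted only towards the LAN; other net traffic is dropped)
#SOURCE DEST    POLICY  LOG_LEVEL
vpn     loc     ACCEPT
loc     vpn     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
```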