
Thought I might play around with IPSEC. It seems there are a few different Linux implementations, Strongswan, openswan, racoon (which I think is based on a project called KAME) and I think you can do it with Shorewall. Have I missed any notable implementations? Which is your favourite, and why?

Andrew Spiers <andrew@andrewspiers.net> wrote:
Which is your favourite, and why?
I'm not sure. I managed to get OpenSWAN working over IPv6, but it had a few problems and limitations. StrongSWAN has better protocol support (e.g., for IKEv2), but I wasn't able to make it work with my IPv6 arrangements, either due to an error in my configuration or a bug. I didn't get a response via the list either, but nor did I pursue the matter further. IKEv2 is reputedly much better than IKEv1 and I would suggest using an implementation that offers good support for it. With OpenSWAN, the main problem was that it sometimes didn't correctly bind to my interfaces during the boot process, including the PPP interface which is brought up by the ADSL card. Apparently, StrongSWAN can dynamically detect network interfaces as they are brought up and down, which is why I looked closely at it.

OpenSWAN and Shorewall have worked fine for me for many a year now. The painful part is upgrading. Be sure to read all the release notes so you know what you're up against when you finally do upgrade. I've always done this from CentOS/RHEL installations.

At first I was using the OpenSWAN kernel module, which has to be compiled for your loaded kernel. Because of some issues with the RHEL kernel backporting, support for the native OpenSWAN kernel module was broken for some time, at which point I reverted to using the in-built RHEL ipsec kernel support (NETKEY). This works fine but changes the interfaces used (NETKEY interfaces directly to your existing ethernet ports; the OpenSWAN one creates an ipsec0 interface). This changes the way the firewall must be configured. Also, using the non-native interfaces means you can't use SAref and MAST support from OpenSWAN. I believe the kernel support issues with RHEL kernels have been rectified but I haven't as yet changed back to the OpenSWAN interface module.

I actually support 5 Host-to-Host VPNs and one (multiple) "roadwarrior" VPN, all running on OpenSWAN/Shorewall. It works well for our situation. YMMV.

Tom

-- 
Tom Robinson

Jason White wrote:
With OpenSWAN, the main problem was that it sometimes didn't correctly bind to my interfaces during the boot process, including the PPP interface which is brought up by the ADSL card.
Possibly you can work around this by bouncing strongswan in the ppp ip-up.d and ip-down.d directories. I have the same card as you and that is where I do changes to policy routing.
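One concrete form of the ip-up.d/ip-down.d hook suggested above, as an added example that is not from the thread. It assumes (hypothetically) that the tunnel rides on ppp0 and that `ipsec` is the strongSwan control command; it restarts the daemon when the link comes up and stops it when the link goes away, so no SA stays bound to an address that no longer exists.

```shell
#!/bin/sh
# Added example, not from the thread: a pppd hook installed (or symlinked)
# into both /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/ that bounces
# strongSwan when the ADSL PPP link changes state, so the daemon re-binds
# to the freshly assigned address instead of relying on boot-time ordering.
# Debian-style run-parts hooks get the link details in the environment
# (PPP_IFACE, PPP_LOCAL, ...); the positional form pppd uses is
# "<iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>".
# Assumptions (hypothetical): tunnel on ppp0, control tool is `ipsec`.

TUNNEL_IFACE="${TUNNEL_IFACE:-ppp0}"   # assumed interface carrying the IPsec peer
IPSEC_CMD="${IPSEC_CMD:-ipsec}"        # override with "echo" for a dry run

# Policy: decide what to do for a link event. Returns a word so it can be
# tested without pppd: "restart" on up, "stop" on down, "skip" for any
# interface that does not carry the tunnel.
hook_action() {
    direction="$1"; iface="$2"
    [ "$iface" = "$TUNNEL_IFACE" ] || { echo skip; return 0; }
    case "$direction" in
        up)   echo restart ;;
        down) echo stop ;;     # tears down SAs tied to the vanished address
        *)    echo skip ;;
    esac
}

# Work out whether pppd invoked us from ip-up.d or ip-down.d.
link_direction() {
    case "$1" in
        */ip-down.d/*) echo down ;;
        *)             echo up ;;
    esac
}

apply_action() {
    case "$1" in
        restart) "$IPSEC_CMD" restart ;;
        stop)    "$IPSEC_CMD" stop ;;
        skip)    : ;;
    esac
}

# Only act when pppd is actually calling us; sourcing the file is a no-op.
if [ -n "$PPP_IFACE" ] || [ $# -ge 5 ]; then
    iface="${PPP_IFACE:-$1}"
    action="$(hook_action "$(link_direction "$0")" "$iface")"
    logger -t ipsec-ppp-hook "$iface ${PPP_LOCAL:-$4}: $action"
    apply_action "$action"
fi
```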

Andrew Spiers <7andrew@gmail.com> wrote:
From what's been posted here, I think I should experiment with a few different implementations.
That's very wise at this point. I think the new StrongSwan 5.0 release has the potential to be very good, when ready, so I would include that among your options even though it's only a release candidate made available for testing at the moment.

I just visited the StrongSWAN blog for the first time in quite a while, and noticed that there's a new 5.0 version under development (release candidate available) which integrates the IKEv1 and IKEv2 support into a single daemon and thereby removes the old code inherited from the FreeS/WAN project. http://www.strongswan.org/blog/2012/06/20/bye-bye-pluto.html

On 2012-06-22 15:48, Andrew Spiers wrote:
Thought I might play around with IPSEC. It seems there are a few different linux implementations, Strongswan, openswan, racoon (which I think is based on a project called KAME) and I think you can do it with Shorewall.
Have I missed any notable implementations? Which is your favourite, and why?
I also recently set up IPSec for the hell of it. I used racoon, because it seemed to be the neatest/purest implementation insofar as it made heavy use of the in-kernel stuff, and therefore didn't add much extra bloat to the system. I've attached my documentation, which isn't particularly polished, but has most of the important information in it.

-- 
Regards,
Matthew Cengia

Matthew Cengia <mattcen@gmail.com> wrote:
I also recently set up IPSec for the hell of it. I used racoon, because it seemed to be the neatest/purest implementation insofar as it made heavy use of the in-kernel stuff, and therefore didn't add much extra bloat to the system.
It doesn't support IKEv2 though, or has that changed? I think there was supposed to be a Racoon version 2 for that, but when I last checked (a while ago) it wasn't stable and didn't seem to be seeing much development.

On 2012-06-22 16:11, Jason White wrote:
It doesn't support IKEv2 though, or has that changed? I think there was supposed to be a Racoon version 2 for that, but when I last checked (a while ago) it wasn't stable and didn't seem to be seeing much development.
I've not delved deep enough into the different key-exchange stuff to be sure yet, but Wikipedia indicates[1] that racoon, or at least racoon2, supports IKEv2.

1. https://en.wikipedia.org/wiki/Internet_Key_Exchange#Implementations

-- 
Regards,
Matthew Cengia

I make use of IPsec at work a lot. Under Linux I use strongswan. It has the best interoperability of all the projects I've tried. The strongswan implementation of IKEv2 is the most mature. AFAICT it's the only one to support MOBIKE. It claims to be able to support thousands of tunnels concurrently. I see no reason to doubt that. Strongswan also works on ARM and I believe there's an OS X port but I have not tried it. I use strongswan with IKEv1 against Cisco IOS 12.x and IKEv2 against pretty much everything else.

On 22/06/12 15:48, Andrew Spiers wrote:
Thought I might play around with IPSEC.
Here are some links that can help: http://lifeline.org.au/ http://beyondblue.org.au/ http://salvos.org.au/