Domain: freeswan.ca
Stories and comments across the archive that link to freeswan.ca.
Comments · 11
-
What about freeswan.ca?
I spoke to the maintainer at OLS and he mentioned that some work with the native IPSec was in the works and some other neat functionality (to be merged into 2.6+ eventually [?]) Check out The Other FreeSWAN (fork)
-
I live in LA and I use no WEP
It's been mentioned already by many posters that WEP is insecure. Take a look at AirSnort for details, but basically, depending on the traffic of your network, you can be cracked in as little time as under a day.
Talk about a false sense of security.
WEP is completely disabled to reduce needless overhead on my AP. But I do run a certificate based relaying (See http://vpn.ebootis.de/ & http://www.freeswan.ca/ for details. So if you don't have the right certificate, you can't route any packets in or out of my wireless network.
Have fun cracking a 1024-bit RSA key. -
Re:POPTOP - Out of date report.
Uh, Super FreeS/WAN? I use it over the stock FreeS/WAN because it includes the nat-traversal, Delete SA, and x.509 certificate patches. Mind you, I also prefer SSH Sentinel over the braindead Win2k/XP IPSec stacks. Here's a link to a nice howto if you insist on using Windows builtin, even though SSH Sentinel's under $60 a head.
-
Re:Not so much a crisis...
Things like IPSEC and such do not work through nat without non-standard encapuslation and such.
AH won't work because the packets are being mangled, but ESP works just fine. I've set up dozens of Win2k--SuperFreeS/WAN links, many of them behind NAT.
-
Re:Err ..Did they change stuff when I wasn't looking? I thought win2k still used PPTP to do their "trivial" VPNs. Sure win2k has support for IPSec, but the most common "VPN" that anyone will ever do is the PPTP style. Which would be 1 TCP connection (port 1723) that you run PPP over.
Using the IPSec stuff is way nicer though, since you don't have to do any special "connect" stuff after you configure it (i.e. you don't have to "dial up" before you can use the VPN). It all just works based on the rulesets you specify.
If you want to set up a real IPSec VPN with FreeS/WAN and win2k, they have some fairly mature tools available. Head on over to http://www.freeswan.ca to check them out.
-
Re:SpamStop
You can do this with FreeS/WAN 2.0 - there is the concept of policy groups. ie: for this set of hosts, only accept crypto connections - if they can't encrypt traffic, I don't want to talk to them. You just stick CIDR blocks into a text file to configure this - it doesn't get much simpler than that.
For more information, see Policy Groups documentation.
--
ken@freeswan.ca -
Getting around the VPN ban
FreeSWAN with some patches allows you to wrap the ESP packets inside UDP packets.
Then all you have to do is get around the initial udp/500 IKE stuff.
I assume you could edit the ports that pluto listens on on both ends.
If ISPs blocked udp/500 and protocol 50 and 51, that would stop IPsec based VPNs.
Of course, there's always CIPE, and SSH tunnel, etc. -
Set up IPsec, and transfer it over that.
www.freeswan.ca
Transfer it all over IPsec. People should use it a lot more. -
Re:Now maybe they can work on the store
Apt-get makes dependencies a thing of the past.
That's something I've never fully understood. Why are dependencies so farking hard to observe? I mean to a fresh newbie or someone who just doesn't have the time or interest in it, sure, but I've found apt to be more of a pain in the ass than anything else.
Disclaimer: I've been using Slackware since shortly after it first came out. I believe my first install of Linux was with the 0.99.x kernels, but it may have been the early 1.x.x kernels, I really can't remember.
Slackware's biggest bonus (and fault) has been that it lets you do as you please with packages. It'll let you install a package without having its dependencies installed. You run the app, and you get an error. Usually something along the lines of a library missing.
Now this isn't what I'd want a newbie to see or do, but for someone who's familliar with the system you run ldd on the binary and find out what's missing and install it. No big deal.
Especially now that CheckInstall is around, I have absolutely no issue with Slackware -- -current has logrotate which was sorely missing from the distro, but Checkinstall's the best. Create Slackware, Debian or RPM packages with a touch of the keyboard. Parallel installs, links, everything's supported.
Back to Slackware's packaging. What I disliked about Debian or RPM was that if the package didn't exist you had to go hunt around trying to find it and hope someone else made it, or else make it yourself, perhaps using Checkinstall. Unfortunately both RPM and DEB have heavier requirements -- dependency trees, documentation in the right spot, patches to make it fit within their particular file structure... you either use Checkinstall to make the package poorly (but validly), or you set out on a mission and end up being the maintainer of every package you make. Slackware doesn't care, which is great for me.
Sure Debian's got 10k packages, but it seems that everything I need isn't there, isn't complete, or is old, even in the unstable tree. FreeS/WAN with NAT-traversal and SA-disconnect, GNU-Radiusd, Psi, mplayer... that's just off the top of my head. If I don't install via packages (this goes for Perl modules from CPAN, too!) I now have TWO package managers to take care of -- the one in my head and the one in the distro. For me, Slackware compliments the one in my head (or vice-versa).
Anyway enough ranting -- I just don't understand how for anyone who's been using linux for any amount of time cares about dependencies. Even with upgrades.
-
Re:If I want IPSec stuff
-
Re:PPTP?it might be doing something tricky like wrapping your IPSec packets in a standard UDP packet and then shipping those off. These will pass through the NAT unmolested, and are then unwrapped at the other end and forwarded to the IPSec target host.
Correct. Note that the IPSEC over UDP standard has not been ratified yet. It also adds some overhead.
For FreeS/WAN you'd need the unofficial NAT-T patch.