Slashdot Mirror

← Back to Stories (view on slashdot.org)

FreeS/WAN Project Bows Out

Posted by timothy on from the ideas-don't-die-though dept.

V. Mole writes "After five years, the FreeS/WAN project has decided to end development. The main reason seems to be that although the project was technically successful, it was not making much progress with its political goals of encrypting a significant portion of all Internet communications, although one might guess that the selection of KAME for the standard Linux IPSEC implementation might also have influenced this decision. And don't panic, the software will remain available, and of course some other group is free to continue development."

10 of 221 comments (clear)

  1. The letter by IronBlade · · Score: 5, Informative

    Dear FreeS/WAN Community,

    After more than five years of active development, the FreeS/WAN project will be coming to an end.

    The initial goal of the project was ambitious -- to secure the Internet using opportunisitically negotiated encryption, invisible and convenient to the user. For more, see our history page. A secondary goal was to challenge then-current US export regulations, which prohibited the export of strong cryptography (such as triple DES encryption) of US origin or authorship.

    Since the project's inception, there has been limited success on the political front. After the watershed Bernstein case, US export regulations were relaxed. Since then, many US companies have exported strong cryptography, without seeming restriction other than having to notify the Bureau of Export Administration for tracking purposes.

    This comfortable situation has perhaps created a false sense of security. The catch? Export regulations are not laws. The US government still reserves the right to change its export regulations on short notice, and there is no facility to challenge them directly in a court of law. This leaves the US crypto community and US Linux distributions in a position which seems safe, but is not legally protected -- where the US government might at any time *retroactively* regulate previously released code, by prohibiting its future export. This is why FreeS/WAN has always been developed outside the US (in Canada and in Greece), and why it has never (to the best of our knowledge) accepted US patches.

    If FreeS/WAN has neither secured the Internet, nor secured the right of US citizens to export software that could do so, it has still had positive benefit.

    With version 1.x, the FreeS/WAN team created a mature, well-tested IPsec VPN (Virtual Private Network) product for Linux. The Linux community has relied on it for some time, and it (or a patched variant) has shipped with several Linux distributions.

    With version 2.x, FreeS/WAN development efforts focussed on increasing the usability of Opportunistic Encryption (OE), IPSec encryption without prearrangement. Configuration was simplified, FreeS/WAN's cryptographic offerings were streamlined, and the team promoted OE through talks and outreach.

    However, nine months after the release of FreeS/WAN 2.00, OE has not caught on as we'd hoped. The Linux user community demands feature-rich VPNs for corporate clients, and while folks genuinely enjoy FreeS/WAN and its derivatives, the ways they use FreeS/WAN don't seem to be getting us any closer to the project's goal: widespread deployment of OE. For its part, OE requires more testing and community feedback before it is ready to be used without second thought. The project's funders have therefore chosen to withdraw their funding.

    Anywhere you stop, a little of the road ahead is visible. FreeS/WAN 2.x might have developed further, for example to include ipv6 support.

    Before the project stops, the team plans to do at least one more release. Release 2.06 will see FreeS/WAN making a late step toward its goal of being a simple, secure OE product with the removal of Transport Mode. This in keeping with one of Neils Fergusson's and Bruce Schneier's security recommendations, in A Cryptographic Evaluation of IPsec. 2.06 will also feature KLIPS (FreeS/WAN's Kernel Layer IPsec machinery) changes to faciliate use with the 2.6 kernel series.

    After Release 2.06, FreeS/WAN code will continue to be available for public use and tinkering. Our website will stay up, and our mailing lists at lists.freeswan.org will continue to provide a forum for users to support one another. We expect that FreeS/WAN and its derivatives will be widely deployed for some time to come.

    It is our hope that the public will one day be ready for, and demand, transparent, opportunistic encryption. Perhaps then some adventurous folks pick up FreeS/WAN 2.x and continue its development, making the project's original goal a reality.

    --
    Important info:
    http://www.lifeaftertheoilcrash.net
    http://dieoff.org/synopsis.htm
    http://www.peakoil.net
  2. OpenSwan by DivineHawk · · Score: 5, Informative

    Openswan is an Open Source implementation of IPsec for the Linux operating system. Is it a code fork of the FreeS/WAN project, started by a few of the developers who were growing frustrated with the politics surrounding the FreeS/WAN project.

  3. There's one more release in the works.... by tcopeland · · Score: 4, Informative
    ...from the ending letter:

    Before the project stops, the team plans to do at least one more release. Release 2.06 will see FreeS/WAN making a late step toward its goal of being a simple, secure OE product with the removal of Transport Mode. This in keeping with one of Neils Fergusson's and Bruce Schneier's security recommendations, in A Cryptographic Evaluation of IPsec. 2.06 will also feature KLIPS (FreeS/WAN's Kernel Layer IPsec machinery) changes to faciliate use with the 2.6 kernel series.
    --
    The Army reading list
  4. Re:corporation by velkro · · Score: 5, Informative


    I've taken my Super FreeS/WAN tree, and formed a company with some other ex-FreeS/WAN folks.

    Openswan is new name of the project, you can already get code from www.openswan.org.

    Commercial support + services from us via Xelerance

    Ken

  5. Re:Ouch. This is going to hurt. by velkro · · Score: 4, Informative

    As people have mentioned... the Openswan project is picking up the slack, and commercial support is also available, directly from current Openswan and ex-FreeS/WAN project folks via Xelerance.

  6. Trolling? Maybe...but here is my experience by Anonymous Coward · · Score: 5, Informative

    In classic Linux fashion, I found FreeSwan complicated and hard to use. It had incredibly obtuse error messages. I couldn't figure out how to configure it (configuring it may be simple, but I couldn't actually figure out _what_ needed to be configured). All I wanted to do was talk to our corporate Sonicwall. All in all a very unpleasant experience.

    I fought with it for a week - did tons of google research, and still couldn't get Phase2 to work. I eventually caved in and bought a Linksys VPN endpoint router that comes with a simple web administration tool. I had it up and running in 15 minutes. I'm just sorry I wasted that week on FreeSwan.

  7. Elucidation by Yobgod+Ababua · · Score: 4, Informative

    rot-13 was an simple cypher used to 'encrypt' spoilers and possibly offensive material in Usenet posts. It worked by converting each letter of the (latin) alphabet to it's numerical equivalent (a=1, b=2, ... ,z=26), adding 13, subtracting 26 if the result was larger than 26, then converting back to a letter. (ROTating the letter thirteen 'spaces').

    "Hello World" -> "Uryyb Jbeyq"

    triple-DES is a more modern encryption scheme still in use today.

    The humor comes from the fact that applying rot-13 twice results in the exact original text, so saying that the Internet uses 'double rot-13 by default' is just noting that it's completely unencrypted but in a way that makes it sound like a real encryption scheme.

    It really was quite an amusing post... unlike this one.

  8. Re:Ouch. This is going to hurt. by ryanvm · · Score: 4, Informative

    Good news - you don't need 2.6 to do native IPSEC.

    I've done a couple FreeS/WAN installs on 2.4 and they were kind of difficult to set up. Not too bad - just painful enough to appreciate them.

    However, the other day I decided to try the Linux kernel's new native IPSEC modules (that have been backported to at least 2.4.24). Using 2.4.24 and KAME it was an absolute pleasure to set up. Works beatifully, and no more patching. You couldn't pay me to return to FreeS/WAN.

  9. Re:SSL based VPNs by jshare · · Score: 4, Informative
    FYI, most of the time when people say "SSL VPN" they don't mean at all the same thing as what Freeswan does. (OpenVPN is an exception).

    Typically, an SSL "VPN" is really just a web app that uses ssl between your browser and itself. It runs on a box on the private network, and provides file browsing capabilities, "intranet" access (e.g. an internal purchasing website), etc. But it doesn't let you encrypt your ping packets, since you're not even really connected to the secured network.

    I think the companies who created the thing called it a "VPN" because it was the buzzword, and not because it is at all a Virtual Private Network.

  10. Freeswan vs KAME and other useless BS by razathorn · · Score: 5, Informative

    For those of you who say "freeswan was so hard to configure so kame's better freeswan sucks bla bla" or even "kame sucks freeswan is king because kame tools are hard to understand" I have this to say: IPSEC in general is hard to configure... you've got tons of different parameters, hash algs, enc algs, id's, tunnels, ah, esp bla bla bla and if you don't understand the protocol in general then you have no business saying either is hard to configure because you got lucky with one of them and it just worked and now you're married to it and consider it superior. I have used both kame and freeswan and can say with authority, hacking for weeks at a time on custom patchs for freeswan, that they are both good products. I LIKE freeswan more because of it's overall feel of higher quality for managing large numbers of connections and it's general tollerance of other devices that have slightly broken behaiour. For instance, you can turn off rekeying on a connection and let the other side always initiate keying. That is handy. Now I don't agree with their politics and I really could do without them -- I can't say that I much care. Freeswan, in the spirit of open source allowed others to modify it as they see fit. I DID, others did, it worked. Saying the project was worthless without really looking at what it's existance has done and only looking at the fact that some of the politics were bad is most disturbing. I would hate to hear even one of you say BSD sucks because of some configuration issue you had on 386 bsd back in the day.

    And just for the record, tail -f /var/log/auth.log is your friend, as is ipsec auto --status | grep connectionname | grep esp (shows active tunnels)... OH one other thing... if you cant figure out what the other side is configured to when it does phase 1 and phase 2 negotiation, ipsec whack --name connectionname --debug-parsing ; tail -f /var/log/auth.log to tell you EVERY SINGLE ipsec parameter the other side sends you.

    For those who hated freeswan because error messages sucked, try the above. For those who say it sucked because of politics, welcome to open source!

    To me it seems obvious that freeswan will still deployed and maintained -- it's just too good of a thing to let go. Try to think of this as a releasing -- openswan and the rest are not going anywhere. Freeswan's active development is done... since their main goal was OE. Since I didn't want OE, I don't care. It's not like freeswan doesn't support some IPSEC feature or that its behind the times. What else needs to be done? Maintenance I would gather .. for a plain old ipsec implementation, it's pretty much done so who can blame em!?

    Considering the responses i've seen here, it's going to be maintained. I'm glad we're in opensource land and I don't HAVE to use kame if I don't want to or have some reason where freeswan is slightly better for my situation.