Slashdot Mirror

← Back to Stories (view on slashdot.org)

FreeS/WAN Continues As Openswan

Posted by timothy on from the duckling-of-indeterminate-pulchritude dept.

leto writes "It seems some of the developers and volunteers of the (recently deceased) FreeS/WAN project have started a new company to develop and support the successor of the Linux IPsec code under the name of Openswan in a "Cygnus style" business model. They announced the new version at CeBIT which fully supports the new Linux 2.6 native IPsec stack. According to the Openswan website, it was started 'by a few of the developers who were growing frustrated with the politics surrounding the FreeS/WAN project.' There is a FAQ that explains how the various parts of IPsec on Linux work together. I guess that means US citizens can finally submit patches, and that distributions like RedHat/Fedora can now include it in their distribution. FreeS/WAN has always had the most features and most the most user-friendly configuration. It is good to see that will continue. And their mailing list finally seems to refuse spam too."

3 of 68 comments (clear)

  1. Re:Not the only IPSec stack by Anonymous Coward · · Score: 5, Informative

    Yes, and it's under a very liberal license too.
    Even better, it is VERY portable, which means that as an administrator you just have to care to know about KAME and not a gazillion halfbaked inconsistent implementations.

  2. Re:no but maybe the better one... by pacman+on+prozac · · Score: 5, Informative

    The problem with KAME is that IPSec packets between two hosts can bypass the packet filters.

    That is, with KAME on Linux and FreeBSD, packets are not decrypted until after iptables/ipfw has looked at them. That means you cannot packet filter on anything other than IP & MAC Address as you can't read anything else, its all encrypted :)

    Apparently FreeS/WAN had a separate device to read from that gave unencrypted packets for filtering.

    This only applies to transport IPSec between two complete hosts. You can use tunnel mode onto a tun device and filter from that, and you can also just encrypt traffic based on port.

    Either way, I'm kind of relieved that FreeS/WAN has not gone completely and that the above situation still has a fix. A security protocol seems kinda useless when it allows firewall bypassing, especially when it could happen automatically if you have IKE setup and open to the world.

  3. Strongswan by gvdkamp · · Score: 5, Informative

    There is yet another project. Andreas Steffen (Creator and maintainer of the X509 patches for FreeS/WAN) has started its own version as well. Check out www.strongswan.org for differences between openswan and strongswan.