Slashdot Mirror


FreeS/WAN Continues As Openswan

leto writes "It seems some of the developers and volunteers of the (recently deceased) FreeS/WAN project have started a new company to develop and support the successor of the Linux IPsec code under the name of Openswan in a 'Cygnus style' business model. They announced the new version at CeBIT which fully supports the new Linux 2.6 native IPsec stack. According to the Openswan website, it was started 'by a few of the developers who were growing frustrated with the politics surrounding the FreeS/WAN project.' There is a FAQ that explains how the various parts of IPsec on Linux work together. I guess that means US citizens can finally submit patches, and that distributions like RedHat/Fedora can now include it in their distribution. FreeS/WAN has always had the most features and the most user-friendly configuration. It is good to see that will continue. And their mailing list finally seems to refuse spam too."

2 of 68 comments

  1. Not the only IPSec stack by The-Pheon · Score: 5, Interesting

    Don't forget about KAME. It isn't just for IPv6, and also supports IPSec for both ipv4 and ipv6.

  2. 2.6 IPsec still problematic by valentyn · Score: 4, Interesting

    I've been testing with 2.6 IPsec, but I'm not convinced that it's production ready. Especially the MTU handling gives me the creeps:

    valentijn:~# ping -s 1435 host21
    PING host21.wireless.palmgracht.nl (10.15.67.21): 1435 data bytes
    ping: sendto: Message too long
    ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
    ping: sendto: Message too long
    ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1

    Resetting the MTU on the network interface helps:

    valentijn:~# ifconfig eth1 mtu 1400
    valentijn:~# ping -s 1417 host21
    PING host21.wireless.palmgracht.nl (10.15.67.21): 1417 data bytes
    1425 bytes from 10.15.67.21: icmp_seq=0 ttl=64 time=93.0 ms
    1425 bytes from 10.15.67.21: icmp_seq=1 ttl=64 time=78.2 ms

    Then, resetting it to 1500 again does this:

    valentijn:~# ifconfig eth1 mtu 1500
    valentijn:~# ping -s 1435 host21
    PING host21.wireless.palmgracht.nl (10.15.67.21): 1435 data bytes
    ping: sendto: Message too long
    ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
    1443 bytes from 10.15.67.21: icmp_seq=1 ttl=64 time=89.0 ms

    So only the first packet is blocked, after that the kernel adjusts to the right MTU. And please note: this is internally, the first packet doesn't leave the machine.

    I had no time to test further, but what I found so far doesn't encourage me a lot to use 2.6 IPsec in production.

    --
    my other sig is a 500 page novel
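The two ping sizes in the comment above line up with the byte budget that ESP tunnel mode imposes on a 1500-byte interface. The following is an added example for this page, not code from FreeS/WAN, Openswan or the Linux kernel: it computes that budget for a few assumed SA profiles (the cipher block, IV and ICV sizes are the standard ESP values for those algorithms, but which profile valentyn's tunnel actually used is not stated, so "3des-sha1" is an assumption chosen because its numbers reproduce the sizes seen above). Under it, the 1443-byte ICMP write needs 1520 bytes on the wire and cannot fit, while the 1425-byte write needs 1496 and can.

```python
"""Budget the ESP tunnel-mode overhead that shrinks the usable MTU on an
IPsec link.  Added example; not code from FreeS/WAN, Openswan or the kernel.
The SA profiles below are assumed configurations: block/IV/ICV sizes are the
standard ESP values (RFC 2406 trailer and alignment, 3DES-CBC/AES-CBC IVs,
96-bit HMAC ICVs), but the page does not say which SA the comment's tunnel ran.
"""

IP_HDR = 20        # outer IPv4 header that tunnel mode adds
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted part
ICMP_HDR = 8       # echo request header: `ping -s N` writes N + 8 bytes

# Assumed SA profiles: (cipher block size, IV length, ICV length) in bytes.
PROFILES = {
    "3des-sha1": (8, 8, 12),      # 3DES-CBC + HMAC-SHA1-96
    "aes128-sha1": (16, 16, 12),  # AES-CBC + HMAC-SHA1-96
    "null-md5": (4, 0, 12),       # NULL cipher (4-byte trailer alignment) + HMAC-MD5-96
}


def esp_padding(inner_len, block):
    """Padding bytes so that inner packet + padding + trailer is block-aligned."""
    return (-(inner_len + ESP_TRAILER)) % block


def esp_tunnel_size(inner_len, profile):
    """Wire size of an inner IPv4 packet of inner_len bytes after ESP tunnel encapsulation."""
    block, iv, icv = PROFILES[profile]
    pad = esp_padding(inner_len, block)
    return IP_HDR + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + icv


def max_inner_len(mtu, profile):
    """Largest inner packet whose ESP-encapsulated form still fits in mtu."""
    n = mtu
    while esp_tunnel_size(n, profile) > mtu:   # size is non-decreasing in n
        n -= 1
    return n


def max_ping_size(mtu, profile):
    """Largest `ping -s` value whose echo request fits in mtu unfragmented."""
    return max_inner_len(mtu, profile) - IP_HDR - ICMP_HDR


def ping_fits(ping_s, mtu, profile):
    """Does `ping -s ping_s` (a ping_s + 8 byte ICMP write) fit in mtu after ESP?"""
    inner = ping_s + ICMP_HDR + IP_HDR
    return esp_tunnel_size(inner, profile) <= mtu


if __name__ == "__main__":
    # The two sizes from the comment above, on a 1500-byte interface.
    for s in (1435, 1417):
        inner = s + ICMP_HDR + IP_HDR
        print(f"ping -s {s}: {s + ICMP_HDR}-byte ICMP write, {inner}-byte IP packet, "
              f"{esp_tunnel_size(inner, '3des-sha1')} bytes after ESP, "
              f"fits 1500: {ping_fits(s, 1500, '3des-sha1')}")
    for profile in PROFILES:
        print(f"{profile}: largest ping -s on a 1500-byte link = "
              f"{max_ping_size(1500, profile)}")
```

What the budget cannot show is the ordering effect the comment reports, where only the first oversized send is rejected and later ones get through; that is the kernel's path-MTU bookkeeping, and the numbers here only say which sizes can fit at all.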