FreeS/WAN Continues As Openswan
leto writes "It seems some of the developers and volunteers of the (recently deceased) FreeS/WAN project have started a new company to develop and support the successor of the Linux IPsec code under the name of Openswan in a "Cygnus style" business model. They announced the new version at CeBIT which fully supports the new Linux 2.6 native IPsec stack. According to the Openswan website, it was started 'by a few of the developers who were growing frustrated with the politics surrounding the FreeS/WAN project.'
There is a FAQ that explains how the various parts of IPsec on Linux work together. I guess that means US citizens can finally submit patches, and that distributions like RedHat/Fedora can now include it in their distribution. FreeS/WAN has always had the most features and the most user-friendly configuration. It is good to see that will continue. And their mailing list finally seems to refuse spam too."
I guess you never personally configured it...
--
Violators will be prosecuted and prosecutors will be violated.
windows (452268) is hated by no one?!
It is your duty as a Slashdot reader to officially and formally hate windows. Slashdot is impure until windows' freaks outnumber its fans! Strike down this vile evil corporate monster today! Show it how much you hate it. Do Slashdot a favor and bloat windows' freaks list!
Celebrate Our Success!
Our founder, users.pl, has enjoyed great success in persuading brave moderators to promote our cause. Both posts were modded back to -1 in short order, but make sure you metamod our positive moderations as fair and the negative moderations as unfair! Do not let our brave supporters' efforts be shot down by windows loving Nazis!
users.pl has gained public support in other areas as well, gaining nearly unanimous moderator support in a posting promoting the benefits of open source. Waves of people have already joined our cause causing windows' freaks list to inflate rapidly.
In response to our onslaught, windows has posted a frantic and angry journal entry criticizing no less than all of Slashdot for its open source zealotry and has begun a poll with misleading links to try and trick you into voting for him! Surely, as faithful readers of Slashdot and loving supporters of open source you will not let this blasphemy continue! Make windows your foe and vote for users.pl today! Every Slashdot account and every IP counts!
Did you ever wonder what the hell was going on at the end of X-men 2?
Why did Jean Grey climb out of the ship to stop the tidal wave of water from the dam. If she's telekinetic, why couldn't she do it from in the ship? Why didn't she just lift the ship above the water?
How come Iceman didn't create a wall of ice to protect them? Or Cyclops shoot big red bolts of energy to vaporise the oncoming flood. Xavier can move stuff telekinetically, why didn't he help? It just makes no sense whatsoever.
My sister is very, very attractive - Nietzsche
Don't forget about KAME. It isn't just for IPv6, and also supports IPSec for both ipv4 and ipv6.
- Network overhead increased by 40%
- Router MTBF increased by 50%
- Administration costs increased by 70%
We eventually dropped Openswan and fired the linux zealot who recommended it to us. We chose the MTSEC security from Bizland Consultants inc instead, and it saved us over 700%! So, don't choose swan without trying MTSEC first! found here
I guess that means US citizens can finally submit patches, and that distributions like RedHat/Fedora can now include it in their distribution.
Ahh, u mean ze citisenz of ze USA can finally have ze same freedom as ze French Bastardz have had for yearz ?
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
- Network overhead increased by 90%
- Router MTBF increased by 150%
- Administration costs increased by 770% (even after outsourcing to India!)
We eventually dropped Openswan and fired the linux zealot who recommended it to us. We chose the Hell-O security from Hi Consultants and Kommunications inc instead, and it saved us over 700%! So, don't choose swan without trying Hell-O first! Yes, it works with Debian! This debian certified package is available for alpha, arm, i386, ia64, m68k, mipsel, and G5 (unofficially).
So download it today!
Does open source now automatically mean YRO? Does security mean YRO, even when it's not homeland security? How do the editors make these decisions^H^H^H. . .^H^HWhat are the editors smoking?
There was more content in the article on slashdot than on the entire Openswan website!
You are receiving this message because your browser supports Slashdot Sigs and you have Slashdot Sigs enabled.
The problem with KAME is that IPSec packets between two hosts can bypass the packet filters.
:)
That is, with KAME on Linux and FreeBSD, packets are not decrypted until after iptables/ipfw has looked at them. That means you cannot packet filter on anything other than IP & MAC Address as you can't read anything else, it's all encrypted.
Apparently FreeS/WAN had a separate device to read from that gave unencrypted packets for filtering.
This only applies to transport IPSec between two complete hosts. You can use tunnel mode onto a tun device and filter from that, and you can also just encrypt traffic based on port.
Either way, I'm kind of relieved that FreeS/WAN has not gone completely and that the above situation still has a fix. A security protocol seems kinda useless when it allows firewall bypassing, especially when it could happen automatically if you have IKE setup and open to the world.
Is that it can't run on Xserves. Not even when Linux is on the xserve, the problem is that Apple uses a proprietary TCP stack in its servers, and must be written in apple golden cocoa APIs, which cost 5,000 per developers. It makes me so mad that the Xserve has only a few network applications that cost thousands. I may still use Apple for my G5, but after I discovered this scandal I switched to x86 racks with Linux for my IPSEC and network needs!
So I am a full Swan supporter, and I urge you to trash your XSERVES as soon as possible!
Screenshot of My G5 desktop!
There is yet another project. Andreas Steffen (Creator and maintainer of the X509 patches for FreeS/WAN) has started his own version as well. Check out www.strongswan.org for differences between openswan and strongswan.
I've been testing with 2.6 IPsec, but I'm not convinced that it's production ready. Especially the MTU handling gives me the creeps:
valentijn:~# ping -s 1435 host21
PING host21.wireless.palmgracht.nl (10.15.67.21): 1435 data bytes
ping: sendto: Message too long
ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
ping: sendto: Message too long
ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
Resetting the MTU on the network interface helps:
valentijn:~# ifconfig eth1 mtu 1400
valentijn:~# ping -s 1417 host21
PING host21.wireless.palmgracht.nl (10.15.67.21): 1417 data bytes
1425 bytes from 10.15.67.21: icmp_seq=0 ttl=64 time=93.0 ms
1425 bytes from 10.15.67.21: icmp_seq=1 ttl=64 time=78.2 ms
Then, resetting it to 1500 again does this:
valentijn:~# ifconfig eth1 mtu 1500
valentijn:~# ping -s 1435 host21
PING host21.wireless.palmgracht.nl (10.15.67.21): 1435 data bytes
ping: sendto: Message too long
ping: wrote host21.wireless.palmgracht.nl 1443 chars, ret=-1
1443 bytes from 10.15.67.21: icmp_seq=1 ttl=64 time=89.0 ms
So only the first packet is blocked, after that the kernel adjusts to the right MTU. And please note: this is internally, the first packet doesn't leave the machine.
I had no time to test further, but what I found so far doesn't encourage me a lot to use 2.6 IPsec in production.
my other sig is a 500 page novel
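The size arithmetic behind the ping values in the post above, as an added example that is not part of the original post: ESP adds a header, an IV, padding and an integrity tag, so the largest payload that fits a 1500-byte MTU is smaller than on a plain link. The cipher and mode parameters are assumptions, since the post does not say which algorithms or mode the SA used.

```python
# Added example: ESP size arithmetic for the ping sizes quoted in the post.
# Cipher and mode parameters are assumptions; the post does not name them.
IP_HDR = 20        # IPv4 header without options
ICMP_HDR = 8       # ICMP echo header ("1435 data bytes" -> 1443 written)
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad-length byte + next-header byte
ICV = 12           # 96-bit truncated HMAC tag (HMAC-SHA1-96 / HMAC-MD5-96)

# name -> (CBC block size, IV size)
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def esp_packet_len(ip_len, mode, cipher):
    """On-wire IPv4 length after ESP is applied to an ip_len-byte packet."""
    block, iv = CIPHERS[cipher]
    # Transport mode protects only the payload; tunnel mode wraps the whole packet.
    plain = ip_len - IP_HDR if mode == "transport" else ip_len
    # Payload plus trailer is padded up to a multiple of the cipher block size.
    padded = -(-(plain + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + ICV


def max_ping_size(mtu, mode, cipher):
    """Largest `ping -s` value whose ESP packet fits in one mtu-sized IP packet."""
    size = mtu
    while size > 0 and esp_packet_len(IP_HDR + ICMP_HDR + size, mode, cipher) > mtu:
        size -= 1
    return size


def report(ping_size=1435, mtu=1500):
    """Rows of (mode, cipher, wire length, fits in mtu, largest ping -s that fits)."""
    rows = []
    for mode in ("transport", "tunnel"):
        for cipher in CIPHERS:
            wire = esp_packet_len(IP_HDR + ICMP_HDR + ping_size, mode, cipher)
            rows.append((mode, cipher, wire, wire <= mtu,
                         max_ping_size(mtu, mode, cipher)))
    return rows


if __name__ == "__main__":
    for mode, cipher, wire, fits, limit in report():
        print(f"{mode:9} {cipher:8} wire={wire} fits={fits} max ping -s={limit}")
```

Under these assumptions a 1435-byte ping still fits in transport mode with 3DES but overflows a 1500-byte MTU in the other three combinations, so the usable payload size depends on the negotiated SA rather than on the interface MTU alone.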
Used to be correct as of ipfw 1. No longer the case as of ipfw2, though some cases do not work fully yet. See the ipsec qualifier for rules.
Dunno about Linux though. I use KAME extensively only on BSD.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
The G5 link (which I clicked on because I use one) contains gay porn, so does the today link! Please mod this FILTH down!
Screenshot of My G5 desktop!
'business' as use-you-all.
what a surprise?
slashdot is shit
will it run linux?
I don't know how a post that has a pic of a man about to eat another man's ass with a giant fork got modded up. This one has to go down in slashdot history. Nice use of debian redirect cgi though, I was actually expecting a debian package page.
So that earlier noise about it closing was not its SwanSong after all.
that redhead is freakin HOT!
We applauded when the apploaded
or is it?
app + exploded = apploaded
From what I've seen, ipsec is FAR too complicated. It's too low level, it screws up routing.
It looks to me that openvpn is MUCH simpler, and just as useful. I think ipsec should die.
If it wants to interoperate with any IPSec implementation other than itself, it will need to support negotiation through single DES (even if the tunnel doesn't wind up using it).
Refusal to support single DES was what made FreeS/WAN virtually useless, even for those who muddled through the endpoint configurations and could put up with ip:port combos occasionally being hung out to dry due to dropped connects until the next rekey.
Ironically, the original goal of FreeS/WAN was not support of VPNs. It was to implement John "Suspected Terrorist" Gilmore's goal of "encrypting 5% of the Internet by Christmas". The idea was that if two systems went to talk to each other with an ordinary net connection, and both happened to be running FreeS/WAN or compatible software, they would automatically and transparently negotiate IPSec encryption and use that for the connection. This is what they called Opportunistic Encryption. The goal of the project was to get some substantial fraction of internet traffic to be encrypted by this mechanism, thereby increasing privacy and decreasing the effectiveness of net-wide surveillance and monitoring tools.
Sounds like a good idea to me. Are either of these new FreeS/WAN offshoots, or any other comparable project, trying to achieve Opportunistic Encryption? Or are they just for VPNs?
We chose the MTSEC security from Bizland Consultants inc instead, and it saved us over 700%
I see.
Not only did your maintenance budget go to zero but Bizland Consultants paid YOU six times your former budget.
Where do I sign up for THAT deal? B-)
= = = =
On second thought, forget it. TANSTAAFL, so they must be getting something from you that's worth even more.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
If Gilmore was willing to risk MITM attacks in return for protecting a much higher fraction of the network users from passive eavesdroppers, the alternative was to use "shared secret" mode with a publicly known "secret", such as "open secret" or something proposed in a draft rfc. But that would have meant that the people who most needed OE would be using a method that wasn't secure against governments or motivated crackers, and a false sense of security is arguably much more dangerous than known insecurity - if you know you're not secure, you're forced to use PGP to encrypt your email instead.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Or, based on the fact that this project is an offspring of freeswan, should that be "Cygnet style" ? ;) ... ok, back in my box.
Red.
FreeS/WAN and now OpenSwan.....
is NetS/WAN next?
In Openswan OE is on by default and you have to edit your config file to turn it off. Fortunately - it's easy to disable.