Linux FreeSWAN HTML documents
Automatically generated Table of Contents
Bug reports to the mailing list: linux-ipsec@clinet.fi

Section headings printed, indentation shows structure
===================================================
HTML file: index.html
---------------------------------------------------
Linux FreeS/WAN Index file Our HTML documents Documents from outside the FreeS/WAN team Distribution text files License and copyright information Printed documentation
===================================================
HTML file: overview.html
---------------------------------------------------
Linux FreeS/WAN Overview Introduction Project goals The Role of IPSEC Services provided Security protocols at other levels Advantages of IPSEC Limitations of IPSEC [ depends ] [ notend2end ] [ notpanacea ] [ DoS ] [ traffic ] Some uses of IPSEC Using authentication without encryption Encryption without authentication is dangerous Multiple layers of IPSEC processing are possible Using "unnecessary" encryption to frustrate attackers Structure of IPSEC IKE (Internet Key Exchange) Phases of IKE Structure of IKE messages IPSEC Services, AH and ESP The Authentication Header (AH) Keyed MD5 and Keyed SHA Sequence numbers Encapsulated Security Payload (ESP) IPSEC modes Tunnel mode Transport mode FreeS/WAN parts KLIPS: Kernel IPSEC Support The Pluto daemon The ipsec(8) command Linux FreeS/WAN configuration file Key management Currently Implemented Methods Manual keying Automatic keying Methods not yet implemented Unauthenticated key exchange Key exchange using DNS Key exchange using a PKI Photuris SKIP
===================================================
HTML file: roadmap.html
---------------------------------------------------
Distribution Roadmap What's Where in Linux FreeS/WAN Subsystems Top directory Documentation KLIPS: kernel IP security Pluto key and connection management daemon Utils Libraries FreeS/WAN Library Imported Libraries
===================================================
HTML file: setup.html
---------------------------------------------------
Linux FreeS/WAN Setup Setting up a secure tunnel to create a VPN Types of connection Our example network Configuration for a testbed network SuSE 6.3 and 6.4 Installation steps Before starting the install Choosing a kernel Getting kernel source Kernel configuration Install and test a kernel before adding FreeS/WAN Building the software The simplest way Configuring the kernel yourself Doing it step-by-step Configuration files Types of connection The setup section of ipsec.conf(5) Editing connections in ipsec.conf(5) [ conndesc ] Which is which? Putting secrets in ipsec.secrets(5) Setting up interfaces Matching numbers Testing the installation Manually keyed test Testing with tcpdump Testing Automatic connections
===================================================
HTML file: configuration.html
---------------------------------------------------
Linux FreeS/WAN Configuration RTFM (please Read The Fine Manuals) Simplifying ipsec.conf files Choosing your connection types Manual vs. automatic keying Authentication methods for auto-keying Advantages of public key methods Setting up various types of connection Using RSA signatures for authentication RSA signature examples Putting public keys in DNS Using shared secrets in production Using manual keying in production Creating keys with ranbits Setting up connections at boot time Multiple tunnels between the same two gateways Many tunnels from a single gateway Variations on IPSEC Extruded Subnets Road Warrior support Road Warrior example Road Warrior with virtual IP address Dynamic Network Interfaces Basics Boot Time Change Time Unencrypted tunnels
===================================================
HTML file: RFCs.html
---------------------------------------------------
Linux FreeS/WAN RFC List The RFCs.tar.gz Distribution File Other sources for RFCs & Internet drafts RFCs Internet Drafts FIPS standards Document CDs What's in the RFCs.tar.gz bundle? Overview RFCs Basic protocols Key management Details of various things used Older RFCs which may be referenced RFCs for secure DNS service, which IPSEC may use RFCs labelled "experimental" Related RFCs
===================================================
HTML file: debugging.html
---------------------------------------------------
Linux FreeS/WAN Troubleshooting Problem Reporting Logs used Test with ipsec manual before going to auto If a manually keyed connection works and auto doesn't If manually keyed connections don't work Interoperation problems Dropped packets The firewall ate my packets! Small packets work, but large transfers fail Dropped connections Interoperability problems Systems that want to use DES Pluto problem hints Pluto error "no acceptable transform" message Connection names in Pluto error messages ECONNREFUSED error message Information available on your system man pages provided Status information ifconfig reports for KLIPS debugging Testing between security gateways
===================================================
HTML file: compatibility.html
---------------------------------------------------
Linux FreeS/WAN compatibility Guide Implemented parts of the IPSEC Specification In Linux FreeS/WAN Not (yet) in Linux FreeS/WAN Kernels other than 2.0.38 and 2.2.14 Other 2.0.x Intel Kernels 2.2 and 2.3 Kernels Intel Linux distributions other than Redhat SuSE Linux SuSE Linux 5.3 Slackware Debian Debugging on Debian CPUs other than Intel [ netwinder ] Corel Netwinder (StrongARM CPU) Yellow Dog Linux on Power PC Mklinux Alpha 64-bit processors Sun SPARC processors MIPS processors IP version 6 (IPng) Interoperation with other IPSEC implementations Published test results and HowTo documents OpenBSD FreeBSD Cisco Routers Nortel (Bay Networks) Contivity switch Raptor Firewall on Windows NT Checkpoint Firewall-1 F-Secure VPN for Windows Xedia Access Point/QVPN PGP 6.5 Mac and Windows IPSEC Client, PGPnet IRE Safenet/SoftPK Borderware Freegate Timestep Shiva/Intel LANrover Sun Solaris Windows 2000
===================================================
HTML file: DES.html
---------------------------------------------------
DES is Not Secure Dedicated hardware breaks DES in a few days Spooks may break DES faster yet Networks break DES in a few weeks We disable DES 40-bits is laughably weak Alternatives to DES AES in IPSEC
===================================================
HTML file: exportlaws.html
---------------------------------------------------
Cryptography Export Laws US Law US contributions to FreeS/WAN What's wrong with restrictions on cryptography [ quotes ] The Wassenaar Arrangement Export status of Linux FreeS/WAN Help spread IPSEC around Web References
===================================================
HTML file: mail.html
---------------------------------------------------
Mailing lists related to FreeS/WAN The FreeS/WAN mailing list Archives of the project mailing list Lists for related software and topics Linux mailing lists Lists for IETF working groups Other mailing lists
===================================================
HTML file: glossary.html
---------------------------------------------------
Glossary for the Linux FreeS/WAN project Jump to a letter in the glossary Other glossaries Definitions [ 0 ] [ 3DES ] [ A ] [ active ] [ AES ] [ AH ] [ alicebob ] [ ASIO ] [ authentication ] [ auto ] [ B ] [ benchmarks ] [ BIND ] [ birthday ] [ paradox ] [ block ] [ Blowfish ] [ brute ] [ BXA ] [ C ] [ CA ] [ CAST128 ] [ CBC ] [ mode ] [ challenge ] [ ciphertext ] [ client ] [ collision ] [ CSE ] [ D ] [ DARPA ] [ DOS ] [ DES ] [ DESX ] [ DH ] [ signature ] [ dlog ] [ DNS ] [ E ] [ EAR ] [ ECB ] [ EDE ] [ Entrust ] [ EFF ] [ encryption ] [ ESP ] [ extruded ] [ F ] [ FIPS ] [ FSF ] [ G ] [ GCHQ ] [ GILC ] [ GTR ] [ GNU ] [ GPL ] [ GPG ] [ H ] [ hash ] [ HMAC ] [ hybrid ] [ I ] [ IAB ] [ icmp ] [ IDEA ] [ IESG ] [ IETF ] [ IKE ] [ IV ] [ IP ] [ masq ] [ IPng ] [ IPv4 ] [ IPv6 ] [ IPSEC ] [ ISAKMP ] [ ITAR ] [ J ] [ K ] [ KLIPS ] [ L ] [ LDAP ] [ LIBDES ] [ Linux ] [ FreeSWAN ] [ M ] [ list ] [ middle ] [ manual ] [ MD4 ] [ MD5 ] [ meet ] [ digest ] [ MTU ] [ N ] [ NAI ] [ NAT ] [ NIST ] [ nonce ] [ non-routable ] [ NSA ] [ O ] [ OTP ] [ carpediem ] [ P ] [ P1363 ] [ passive ] [ pathMTU ] [ PFS ] [ PGP ] [ PGPI ] [ photuris ] [ PPTP ] [ PKI ] [ PKIX ] [ plaintext ] [ Pluto ] [ public ] [ Q ] [ R ] [ random ] [ RC4 ] [ RC6 ] [ replay ] [ RIPEMD ] [ rootCA ] [ routable ] [ RSA ] [ RSAco ] [ S ] [ SA ] [ SDNS ] [ sequence ] [ SHA ] [ SIGINT ] [ SKIP ] [ snake ] [ SSH ] [ SSHco ] [ SSL ] [ stream ] [ subnet ] [ SWAN ] [ symmetric ] [ T ] [ TIS ] [ TLS ] [ traffic ] [ transport ] [ tunnel ] [ 2key ] [ U ] [ V ] [ virtual ] [ VPN ] [ VPNC ] [ W ] [ Wassenaar ] [ web ] [ X ] [ X509 ] [ Y ] [ Z ]
===================================================
HTML file: bibliography.html
---------------------------------------------------
Bibliography for the Linux FreeS/WAN project [ adams ] [ DNS ] [ puzzle ] [ comer ] [ EFF ] [ Garfinkel ] [ PGP ] [ practical ] [ kirch ] [ RFCs ] [ GTR ] [ handbook ] [ Mourani ] [ ranch ] [ schneier ] [ VPNbook ] [ LASG ] [ Smith ] [ stevens ] [ Zeigler ]
===================================================
HTML file: WWWref.html
---------------------------------------------------
Web links for Linux FreeS/WAN Sections of this document Other documents with web links The Linux FreeS/WAN Project Web information [ rationale ] Distribution sites Primary site Mirror Sites Other web information on FreeS/WAN Archives of the project mailing list Applied FreeS/WAN Related Linux code Add-ons and patches for FreeS/WAN Distributions including FreeS/WAN Things FreeS/WAN uses or could use Other approaches to VPNs for Linux
===================================================
HTML file: rationale.html
---------------------------------------------------
Deployment of IPSEC Current status Why? What You Can Do Related projects
===================================================
HTML file: press.html
---------------------------------------------------
Press coverage of Linux FreeS/WAN: FreeS/WAN 1.0 press FreeS/WAN 1.1 press Press release for version 1.0
===================================================
HTML file: manpages.html
---------------------------------------------------
FreeS/WAN manual pages Files Commands Library routines
===================================================
HTML file: links.ipsec.html
---------------------------------------------------
IPSEC links The IPSEC Protocols General IPSEC or VPN information IPSEC overview documents or slide sets IPSEC information in languages other than English RFCs and other reference documents Analysis and critiques of IPSEC protocols Background information on IP IPSEC Implementations Vendors with Linux products IPSEC in router products Operating systems with IPSEC support Open source IPSEC implementations Other Linux IPSEC implementations IPSEC for BSD Unix IPSEC for other systems [ interop ] Interoperability Interoperability test sites [ test ] Interoperability results
Linux FreeS/WAN has undergone initial testing for interoperability with various other IPSEC implementations. Results to date are in our compatibility document.

ICSA offer certification programs for various security-related products. See their list of certified IPSEC products. Linux FreeS/WAN is not currently on that list, but several products with which we interoperate are.
===================================================
HTML file: links.crypto.html
---------------------------------------------------
Crypto and security links Crypto and security resources Frequently Asked Question (FAQ) documents Tutorials Crypto and security standards [ policy ] Cryptography law and policy Surveys of crypto law Organisations opposing crypto restrictions Other information on crypto policy Cryptography technical information Lists of online cryptography papers Particularly interesting papers Collections of crypto links Computer and network security Security links Firewall links VPN links Security tools Links to home pages
===================================================
HTML file: links.linux.html
---------------------------------------------------
World Wide Web links for Linux Basic and tutorial Linux information General Linux sites Linux Documentation Project Advanced routing Security for Linux Linux firewalls Miscellaneous Linux information
===================================================

Docs & script by Sandy Harris