Contents
Previous
Next
The main project web site is
www.freeswan.org.
Links to other project-related sites
are provided in our introduction section.
Some user-contributed patches gave been integrated into the
FreeS/WAN distribution. For a variety of reasons, those listed below
have not.
Patches believed current at time of writing (March 2001, just before
1.9 release):
Before using these, check the mailing lists
for news of newer versions and to see whether they have been
incorporated into more recent versions of FreeS/WAN.
A set of PKIX patches were recently announced on the mailing list:
Subject: a different PKIX patch.
Date: Mon, 5 Mar 2001
From: Luc Lanthier <firesoul@netwinder.org>
I'd like to invite volunteers to use the now-complete PKIX project I've
been working on since about August. Because of this, the patch is for
FreeSWAN 1.5, not 1.8... I haven't really felt the need to update it since
I don't use IPV6 nor DNSSec.
This is similar, but different than Andreas Steffen's pkix
implementation. I've based this work on Neil Dunbar's openssl-pkix patch
for FreeSWAN 1.1. I've updated it to run on FreeSWAN 1.5 correctly, and
added support for ID_DER_ASN1_DN ID packet support. It will do LDAP
certificate lookups no problem, as well as local flatfile, directory, or
DB lookup for testing or speed.
IE: It's a full CA-compatible client, capable of looking up, checking the
CRL for expiry and such. It will not only do the classic PSK and RSASIG
freeswan methods just fine, but also does PKIX's RSASIG, PKE and
RPKE. I've spent a lot of time adding RoadWarrior support for these last
IKE exchange methods.
The patch can be found as:
ftp://ftp.netwinder.org/users/f/firesoul/freeswan-1.5-pkix_13.patch
There are also freeswan-1.5 - kernel 2.4 patches for those who need them.
Let me know. Feedback is appreciated.
A more recent URL
has patches for FreeS/WAN versions up to 1.91.
Older patches:
These patches are for older versions of FreeS/WAN and will likely
not work with the current version. Older versions of FreeS/WAN may be
available on some of the distribution sites
, but we recommend using the current release.
Note: At one point the way PGP generates RSA keys
and the way FreeS/WAN checks them for validity before using them were
slightly different, so quite a few PGP-generated keys would be rejected
by FreeS/WAN, confusing users no end. This is fixed in 1.9.
Finally, there are some patches to other code that may be useful with
FreeS/WAN:
Note that this is not required if the same machine does IPsec and
masquerading, only if you want a to locate your IPsec gateway on a
masqueraded network. See our firewalls
document for discussion of why this is problematic.
At last report, this patch could not co-exist with FreeS/WAN on the
same machine.
The introductory section of our document set lists several
Linux distributions which include FreeS/WAN.
- /dev/random support page,
discussion of and code for the Linux
random number driver. Out-of-date when we last checked (January
2000), but still useful.
- other programs related to random numbers:
- a Linux L2TP Daemon which
might be useful for communicating with Windows 2000 which builds L2TP
tunnels over its IPsec connections
- to use opportunistic encryption, you need a recent version of
BIND. You can get one from the
Internet Software Consortium who maintain BIND.
- other Linux IPsec implementations
- ENskip, a free
implementation of Sun's SKIP protocol
- vpnd, a non-IPsec VPN
daemon for Linux which creates tunnels using
Blowfish encryption
- Zebedee, a simple
GPLd tunnel-building program with Linux and Win32 versions. The name
is from Zlib compression, Blowfish
encryption and Diffie-Hellman key exchange.
- There are at least two PPTP implementations for Linux
- CIPE
(crypto IP encapsulation) project, using their own lightweight
protocol to encrypt between routers
- tinc, a VPN Daemon
There is a list of
Linux VPN software in the
Linux Security Knowledge Base.
- Our document listing the RFCs relevant to
Linux FreeS/WAN and giving various ways of obtaining both RFCs and
Internet Drafts.
- VPN Standards
page maintained by VPNC. This covers
both RFCs and Drafts, and classifies them in a fairly helpful way.
- RFC archive
- Internet Drafts
related to IPsec
- US government site
with their FIPS standards
- Archives of the ipsec@tis.com mailing list where discussion of
drafts takes place.
- Counterpane's
evaluation of the protocols
- Simpson's
IKE Considered Dangerous paper. Note that this is a link to an
archive of our mailing list. There are several replies in addition to
the paper itself.
- Fate Labs Virual
Private Problems: the Broken Dream
- Catherine Meadows' paper Analysis of the Internet Key
Exchange Protocol Using the NRL Protocol Analyzer, in
PDF or
Postscript.
- Perlman and Kaufmnan
- Bellovin's
papers page including his:
- Security Problems in the TCP/IP Protocol Suite (1989)
- Problem Areas for the IP Security Protocols (1996)
- Probable Plaintext Cryptanalysis of the IP Security Protocols
(1997)
- An errata list
for the IPsec RFCs.
- An IP tutorial that
seems to be written mainly for Netware or Microsoft LAN admins
entering a new world
- IANA, Internet Assigned Numbers
Authority
- CIDR,
Classless Inter-Domain Routing
- Also see our bibliography
Vendors using FreeS/WAN in turnkey firewall or VPN products are
listed in our introduction.
Other vendors have Linux IPsec products which, as far as we know, do
not use FreeS/WAN
- Redcreek
provide an open source Linux driver for their PCI hardware VPN card.
This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more
specialised crypto chips, and claimed encryption performance of 45
Mbit/sec. The PC sees it as an Ethernet board.
- Paktronix
offer a Linux-based VPN with hardware encryption
- According to a report on our mailing list,
Watchguard use Linux in their Firebox product.
- Entrust offer a developers'
toolkit for using their PKI for IPsec
authentication
- According to a report on our mailing list,
Axent have a Linux version of their product.
All the major router vendors support IPsec, at least in some models.
- Cisco
IPsec information
- Ascend, now part of Lucent,
have some IPsec-based products
- Bay Networks, now part
of Nortel, use IPsec in their Contivity switch product line
- 3Com
have a number of VPN products, some using IPsec
Many firewall vendors offer IPsec, either as a standard part of their
product, or an optional extra. A few we know about are:
Vendors using FreeS/WAN in turnkey firewall products are listed in
our introduction.
All the major open source operating systems support IPsec. See below
for details on BSD-derived Unix variants.
Among commercial OS vendors, IPsec players include:
-
Microsoft have put IPsec in their Windows 2000 products
- IBM
announce a release of OS390 with IPsec support via a crypto
co-processor
-
Sun include IPsec in Solaris 8
-
Hewlett Packard offer IPsec for their Unix machines
- Certicom have IPsec available for the
Palm.
- There were reports before the release that Apple's Mac OS X would
have IPsec support built in, but it did not seem to be there when we
last checked
We like to think of FreeS/WAN as the Linux IPsec
implementation, but it is not the only one. Others we know of are:
- pipsecd, a
lightweight implementation of IPsec for Linux. Does not require kernel
recompilation.
- Petr Novak's ipnsec,
based on the OpenBSD IPsec code and using
Photuris for key management
- A now defunct project at
U of Arizona (export controlled)
- NIST Cerebus
(export controlled)
- KAME,
several large Japanese companies co-operating on IPv6 and IPsec
- US Naval Research Lab
implementation of IPv6 and of IPsec for IPv4 (export controlled)
- OpenBSD includes IPsec as a
standard part of the distribution
- IPsec for FreeBSD
- a FAQ
on NetBSD's IPsec implementation
The IPsec protocols are designed so that different implementations
should be able to work together. As they say "the devil is in the
details". IPsec has a lot of details, but considerable success has been
achieved.
Linux FreeS/WAN has been tested for interoperability with many other
IPsec implementations. Results to date are in our
interoperability section.
Various other sites have information on interoperability between
various IPsec implementations:
- interop
results from a bakeoff in Atlanta, September 1999.
- a French company, HSC's,
interoperability test data covers FreeS/WAN, Open BSD, KAME, Linux
pipsecd, Checkpoint, Red Creek Ravlin, and Cisco IOS
- ICSA offer certification
programs for various security-related products. See their list of
certified IPsec products. Linux FreeS/WAN is not currently on that
list, but several products with which we interoperate are.
- VPNC have a page on why they are not yet doing
interoperability testing and a page on the
spec conformance testing that they are doing
- a review
comparing a dozen commercial IPsec implemetations. Unfortunately, the
reviewers did not look at Open Source implementations such as
FreeS/WAN or OpenBSD.
-
results from interoperability tests at a conference. FreeS/WAN was
not tested there.
- test results from the
IPSEC 2000 conference
Nearly any Linux documentation you are likely to want can be found
at the Linux Documentation Project
or LDP.
- Meta-FAQ
guide to Linux information sources
- The LDP's HowTo documents are a standard Linux reference. See this list. Documents
there most relevant to a FreeS/WAN gateway are:
- The LDP do a series of Guides, book-sized publications with more
detail (and often more "why do it this way?") than the HowTos. See
this list. Documents
there most relevant to a FreeS/WAN gateway are:
You may not need to go to the LDP to get this material. Most Linux
distributions include the HowTos on their CDs and several include the
Guides as well. Also, most of the Guides and some collections of HowTos
are available in book form from various publishers.
Much of the LDP material is also available in languages other than
English. See this
LDP page.
The Linux IP stack has some new features in 2.4 kernels. Some HowTos
have been written:
See also the LDP material above.
Our FreeS/WAN and firewalls document
includes links to several sets of
scripts known to work with FreeS/WAN.
Other information sources:
Two enormous collections of links, each the standard reference in
its area:
- Gene Spafford's
COAST hotlist
- Computer and network security.
- Peter Gutmann's
Encryption and Security-related Resources
- Cryptography.
See also the interesting papers section
below.
There are several collections of cryptographic quotes on the net:
- RFC 1984, the IAB and IESG
Statement on Cryptographic Technology and the Internet.
- John Young's collection of documents
of interest to the cryptography, open government and privacy
movements, organized chronologically
- AT&T researcher Matt Blaze's Encryption, Privacy and Security
Resource Page
- A good overview
of the issues from Australia.
See also our documentation section on the
history and politics of cryptography.
These papers emphasize important issues around the use of
cryptography, and the design and management of secure systems.
- PGP -- mail encryption
A message in our mailing list archive has considerable detail on
available versions of PGP and on IPsec support in them.
Note: A fairly nasty bug exists in all commercial
PGP versions from 5.5 through 6.5.3. If you have one of those,
upgrade now.
- SSH -- secure remote login
- Tripwire saves message digests of your system files. Re-calculate
the digests and compare to saved values to detect any file changes.
There are several versions available:
- Snort and
LIDS are intrusion detection system for Linux
- SATAN
System Administrators Tool for Analysing Networks
- NMAP Network Mapper
- Wietse
Venema's page with various tools
- Internet Traffic Archive
, various tools to analyze network traffic, mostly scripts to organise
and format tcpdump(8) output for specific purposes
- ssmail -- sendmail patched to do
opportunistic encryption
- web page with
links to code and to a Usenix paper describing it, in PDF
- Open CA project to develop a
freely distributed Certification Authority
for building a open Public Key
Infrastructure.
David Wagner at Berkeley provides a set of links to
home pages of cryptographers, cypherpunks and computer security
people.
Contents
Previous
Next