Linux FreeS/WAN Extensions
Many hard-working folks have contributed to the Linux FreeS/WAN community.
There is now a formal FreeS/WAN code fork,
Openswan. This grew out of Ken Bantoft's
Linux FreeS/WAN enhanced with a number of user-contributed patches.
- Herbert Xu has created patches to enable FreeS/WAN's keying daemon to work
with the 2.5 kernel IPsec implementation. These have been integrated into
FreeS/WAN 2.03+, but as of 2.06, support is still somewhat experimental. See
our 2.6.known-issues document and the design list for the latest details.
Openswan also includes a version of these patches.
- Mathieu Lafon of Arkoon Network
Security has created
NAT Traversal and Delete Notify patches (now in Openswan),
and an IPsec Starter tool.
- Andreas Steffen has
written and supported an X.509 patch (now in Openswan).
- Gerhard Gessler of IABG has adapted
FreeS/WAN for IPv6.
- Tim Niemueller has written the
ipsec_monitor script, which facilitates the use of FreeS/WAN with dynamic
IPs. This application checks with a third party to see if one end of a
FreeS/WAN IPsec tunnel has moved IP addresses and, if so, it rebuilds
Test to Destruction
We want FreeS/WAN to be as robust as possible. Short of attacking Linux
boxes with a sledgehammer, we'd like to see folks test our software to the
point of destruction.
We'd also like to hear about any testing tools or attack strategies
that may be out there. These links are a good start:
- IKEcrack, by Anton Rager. A proof of concept that demonstrates insecurities
in IKE's Aggressive Mode; it may also be useful in testing Main Mode.
- Mike Lynn and Robert Baird have used Airjack to compromise a wireless
network secured with the FreeS/WAN based
They explained how in a BlackHat presentation (MS PowerPoint or HTML format).
Please report any interesting findings to
The IETF is the primary protocol and standards-building group on the net. The
IPSEC, ISAKMP/Oakley and DNSSEC standards are being developed via the IETF
working groups and the people who volunteer their time, resources and effort
to the task.
- IPSEC & ISAKMP/Oakley Workgroup
- DNSEXT Workgroup (where DNSSEC work is done)
Other IPsec implementations:
There are a number of these, both freeware and commercial.
We are pleased that FreeS/WAN interoperates well with many of them. See our
IPsec "Trade Association"
There is an international trade association for manufacturers in the
VPN market at: http://www.vpnc.org