The Linux FreeS/WAN Project



Linux FreeS/WAN Extensions

    Many hard-working folks have contributed to the Linux FreeS/WAN community. In particular:

  • There is now a formal FreeS/WAN code fork, Openswan. This grew out of Ken Bantoft's Super FreeS/WAN, Linux FreeS/WAN enhanced with a number of user-contributed patches.
  • Herbert Xu has created patches to enable FreeS/WAN's keying daemon to work with the 2.5 kernel IPsec implementation. These have been integrated into FreeS/WAN 2.03+, but as of 2.06, support is still somewhat experimental. See our 2.6.known-issues document and the design list for the latest details. Openswan also includes a version of these patches.
  • Mathieu Lafon of Arkoon Network Security has created NAT Traversal and Delete Notify patches (now in Openswan), and an IPsec Starter tool.
  • Andreas Steffen has written and supported an X.509 patch (now in Openswan).
  • Gerhard Gessler of IABG has adapted FreeS/WAN for IPv6.
  • Tim Niemueller has written the ipsec_monitor script, which facilitates the use of FreeS/WAN with dynamic IPs. This application checks with a third party to see if one end of a FreeS/WAN IPsec tunnel has moved IP addresses and, if so, it rebuilds the connection.

Test to Destruction

    We want FreeS/WAN to be as robust as possible. Short of attacking Linux boxes with a sledgehammer, we'd like to see folks test our software to the point of destruction. We'd also like to hear about any testing tools or attack strategies that may be out there. These links are a good start:

  • IKEcrack, by Anton Rager. A proof-of-concept tool that demonstrates insecurities in IKE's Aggressive Mode; it may also be useful in testing Main Mode.
  • Airjack. Mike Lynn and Robert Baird have used Airjack to compromise a wireless network secured with the FreeS/WAN based WAVEsec scheme. They explained how in a BlackHat presentation (MS Power Point or HTML format).

    Please report any interesting findings to design@lists.freeswan.org.

Protocol Development:

    The IETF is the primary protocol and standards-building group on the net. The IPSEC, ISAKMP/Oakley and DNSSEC standards are being developed by the IETF Working Groups and the people who volunteer their time, resources and effort to the task.
    IETF IPSEC & ISAKMP/Oakley Workgroup
    IETF DNSEXT Workgroup (where DNSSEC work is done)

Other IPsec implementations:

    There are a number of these, both freeware and commercial. We are pleased that FreeS/WAN interoperates well with many of them. See our interop chart for details.

IPsec "Trade Association"

    There is an international trade association for manufacturers in the VPN market at: http://www.vpnc.org