The main project web site is www.freeswan.org.
Links to other project-related sites are
provided in our introduction section.
Some user-contributed patches have been integrated into the FreeS/WAN
distribution. For a variety of reasons, those listed below have not.
Note that not all patches are a good idea.
- There are a number of "features" of IPsec which we do not implement
because they reduce security. See this discussion. We do not recommend using
patches that implement these. One example is aggressive mode.
- We do not recommend adding "features" of any sort unless they are
clearly necessary, or at least have clear benefits. For example,
FreeS/WAN would not become more secure if it offerred a choice of 14
ciphers. If even one was flawed, it would certainly become less secure
for anyone using that cipher. Even with 14 wonderful ciphers, it would be
harder to maintain and administer, hence more vulnerable to various human
This is not to say that patches are necessarily bad, only that using them
requires some deliberation. For example, there might be perfectly good
reasons to add a specific cipher in your application: perhaps GOST to comply
with government standards in Eastern Europe, or AES for performance
Patches believed current::
There is also one add-on that takes the form of a modified FreeS/WAN
distribution, rather than just patches to the standard distribution:
Before using any of the above,, check the mailing
lists for news of newer versions and to see whether they have been
incorporated into more recent versions of FreeS/WAN.
These patches are for older versions of FreeS/WAN and will likely not work
with the current version. Older versions of FreeS/WAN may be available on
some of the distribution sites, but we
recommend using the current release.
Finally, there are some patches to other code that may be useful with
Note that this is not required if the same machine does IPsec and
masquerading, only if you want a to locate your IPsec gateway on a
masqueraded network. See our firewalls
document for discussion of why this is problematic.
At last report, this patch could not co-exist with FreeS/WAN on the same
The introductory section of our document set lists several Linux distributions which include
- /dev/random support page,
discussion of and code for the Linux random number driver. Out-of-date when we
last checked (January 2000), but still useful.
- other programs related to random numbers:
- a Linux L2TP Daemon which
might be useful for communicating with Windows 2000 which builds L2TP
tunnels over its IPsec connections
- to use opportunistic encryption, you need a recent version of BIND. You can get one from the Internet Software Consortium who maintain
- other Linux IPsec implementations
- ENskip, a free
implementation of Sun's SKIP
- vpnd, a non-IPsec VPN daemon
for Linux which creates tunnels using Blowfish encryption
- Zebedee, a simple GPLd
tunnel-building program with Linux and Win32 versions. The name is from
Zlib compression, Blowfish encryption
and Diffie-Hellman key exchange.
- There are at least two PPTP implementations for Linux
(crypto IP encapsulation) project, using their own lightweight protocol
to encrypt between routers
- tinc, a VPN Daemon
There is a list of Linux
VPN software in the Linux Security
- Our document listing the RFCs relevant to Linux
FreeS/WAN and giving various ways of obtaining both RFCs and Internet
- VPN Standards page
maintained by VPNC. This covers both
RFCs and Drafts, and classifies them in a fairly helpful way.
- RFC archive
- Internet Drafts
related to IPsec
- US government site
with their FIPS standards
- Archives of the firstname.lastname@example.org mailing list where discussion of drafts
- Counterpane's evaluation of the
- Simpson's IKE
Considered Dangerous paper. Note that this is a link to an archive of
our mailing list. There are several replies in addition to the paper
- Fate Labs Virual Private
Problems: the Broken Dream
- Catherine Meadows' paper Analysis of the Internet Key Exchange
Protocol Using the NRL Protocol Analyzer, in PDF
- Perlman and Kaufmnan
- Bellovin's papers page
- Security Problems in the TCP/IP Protocol Suite
- Problem Areas for the IP Security Protocols (1996)
- Probable Plaintext Cryptanalysis of the IP Security
- An errata list
for the IPsec RFCs.
- An IP tutorial that seems
to be written mainly for Netware or Microsoft LAN admins entering a new
- IANA, Internet Assigned Numbers
Classless Inter-Domain Routing
- Also see our bibliography
Vendors using FreeS/WAN in turnkey firewall or VPN products are listed in
Other vendors have Linux IPsec products which, as far as we know, do not
provide an open source Linux driver for their PCI hardware VPN card. This
card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more specialised
crypto chips, and claimed encryption performance of 45 Mbit/sec. The PC
sees it as an Ethernet board.
offer a Linux-based VPN with hardware encryption
- Watchguard use Linux in their
- Entrust offer a developers'
toolkit for using their PKI for IPsec
- According to a report on our mailing list, Axent have a Linux version of their
All the major router vendors support IPsec, at least in some models.
- Cisco IPsec
- Ascend, now part of Lucent, have
some IPsec-based products
- Bay Networks, now part of
Nortel, use IPsec in their Contivity switch product line
- 3Com have a
number of VPN products, some using IPsec
Many firewall vendors offer IPsec, either as a standard part of their
product, or an optional extra. A few we know about are:
Vendors using FreeS/WAN in turnkey firewall products are listed in our introduction.
All the major open source operating systems support IPsec. See below for
details on BSD-derived Unix variants.
Among commercial OS vendors, IPsec players include:
have put IPsec in their Windows 2000 and XP products
announce a release of OS390 with IPsec support via a crypto
include IPsec in Solaris 8
Packard offer IPsec for their Unix machines
- Certicom have IPsec available for the Palm.
- There were reports before the release that Apple's Mac OS X would have
IPsec support built in, but it did not seem to be there when we last
checked. If you find, it please let us know via the mailing list.
IPsec on network cards
Network cards with built-in IPsec acceleration are available from at least
Intel, 3Com and Redcreek.
We like to think of FreeS/WAN as the Linux IPsec implementation,
but it is not the only one. Others we know of are:
- pipsecd, a
lightweight implementation of IPsec for Linux. Does not require kernel
- Petr Novak's ipnsec, based
on the OpenBSD IPsec code and using Photuris for key management
- A now defunct project at U of
Arizona (export controlled)
- NIST Cerebus (export
- KAME, several
large Japanese companies co-operating on IPv6 and IPsec
- US Naval Research Lab
implementation of IPv6 and of IPsec for IPv4 (export controlled)
- OpenBSD includes IPsec as a
standard part of the distribution
- IPsec for FreeBSD
- a FAQ
on NetBSD's IPsec implementation
The IPsec protocols are designed so that different implementations should
be able to work together. As they say "the devil is in the details". IPsec
has a lot of details, but considerable success has been achieved.
Linux FreeS/WAN has been tested for interoperability with many other IPsec
implementations. Results to date are in our interoperability section.
Various other sites have information on interoperability between various
results from a bakeoff in Atlanta, September 1999.
- a French company, HSC's, interoperability
test data covers FreeS/WAN, Open BSD, KAME, Linux pipsecd, Checkpoint,
Red Creek Ravlin, and Cisco IOS
- ICSA offer certification programs
for various security-related products. See their list of
certified IPsec products. Linux FreeS/WAN is not currently on that
list, but several products with which we interoperate are.
- VPNC have a page on why they are not yet doing interoperability testing and
a page on the spec
conformance testing that they are doing
- a review
comparing a dozen commercial IPsec implemetations. Unfortunately, the
reviewers did not look at Open Source implementations such as FreeS/WAN
from interoperability tests at a conference. FreeS/WAN was not tested
- test results from the IPSEC
Nearly any Linux documentation you are likely to want can be found at the
Linux Documentation Project or
guide to Linux information sources
- The LDP's HowTo documents are a standard Linux reference. See this list. Documents there
most relevant to a FreeS/WAN gateway are:
- The LDP do a series of Guides, book-sized publications with more detail
(and often more "why do it this way?") than the HowTos. See this list. Documents there most
relevant to a FreeS/WAN gateway are:
You may not need to go to the LDP to get this material. Most Linux
distributions include the HowTos on their CDs and several include the Guides
as well. Also, most of the Guides and some collections of HowTos are
available in book form from various publishers.
Much of the LDP material is also available in languages other than
English. See this LDP
The Linux IP stack has some new features in 2.4 kernels. Some HowTos have
See also the LDP material above.
Our FreeS/WAN and firewalls document includes
links to several sets of scripts known
to work with FreeS/WAN.
Other information sources:
Two enormous collections of links, each the standard reference in its
- Gene Spafford's COAST hotlist
- Computer and network security.
- Peter Gutmann's Encryption and
See also the interesting papers section
There are several collections of cryptographic quotes on the net:
- RFC 1984, the IAB and IESG Statement on Cryptographic Technology
and the Internet.
- John Young's collection of documents
of interest to the cryptography, open government and privacy movements,
- AT&T researcher Matt Blaze's Encryption, Privacy and Security Resource Page
- A good overview of
the issues from Australia.
See also our documentation section on the history
and politics of cryptography.
These papers emphasize important issues around the use of cryptography,
and the design and management of secure systems.
David Wagner at Berkeley provides a set of links to home pages of
cryptographers, cypherpunks and computer security people.