[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Strongswan (fwd)



On Fri, 30 Jan 2009 00:09:15 -0500 (EST),
Paul Wouters <paul xelerance com> wrote:

> 
> Disclaimer: I am the Openswan maintainer and therefore strongly biased.
> 
> > I still look for a good solution in VPN. I tried openswan with
> > racoon,
> 
> Openswan with racoon? Openswan and Racoon are both different IPsec
> implementations (technically: different IKE implementations). They
> don't "go together".
> 
> > openvpn. They are all quite good, openswan is more complicated than
> > openvpn.
> 
> Yes, IPsec is more complicated than SSL-VPNs. They are also more
> robust, have more features, do not require routing hacks on the
> server or require X.509, and are not vulnerable to simple TCP-RST
> attacks. But yes, it is easier to use, and sadly has a better chance
> of getting through firewalls. (If anyone has time, I have a project
> lying around to implement "IPsec over fake port 443".)
> 
> > Now, I stumbled on strongswan, which seems to be one of the
> > best maintained solutions (as I read in Linux Magazine).
> 
> Interesting. I have no idea what that is based on.
> 
> > Is it planned to get this packaged in Fedora? If it is, where can I
> > get it?
> 
> I see it is currently not in Fedora, but anyone who wants to package
> it up and put it in can do so. It is not blacklisted. It is just that
> there has been no one with an interest to package it up.
> 
> > The advantage of strongswan is the integration in NetworkManager,
> 
> NM integration of Openswan is planned by Red Hat, and is slated to
> be worked on after the NSS support for Openswan is finished.
> 
> If anyone wants to work on this, I can give the list of items that
> need to be worked on. The biggest problem is that IPsec is a host-host
> protocol, but is now being used as a user-host protocol. NM requires
> that all information required can be passed as parameters (not config
> files). I am not sure how it handles this for X.509 certificates.
> Openswan uses configuration files; though almost all items can be
> specified via command line parameters (the 'ipsec whack' command),
> there are a few that currently cannot: X.509 certs and PSKs.
> 
> Also, to properly integrate Openswan with NM, it should also allow
> for L2TP connections within NM, so integration with xl2tpd (the L2TP
> client to use with Openswan) is required. xl2tpd mostly requires a
> username and password as well, and currently uses the chap-secrets
> for this instead of accepting parameters via NM.
> 
> > which is done, but not with openswan. Openswan is integrated in
> > system-config-network, it is the question, if it belongs there, as
> > NetworkManager should do most work on networking. OpenVPN and Cisco
> > VPN are handled by NetworkManager too...
> 
> I don't see any VPN options in system-config-network on my Fedora-10
> machine.
> 
> NM is mostly used on enduser machines. Remember that Openswan is also
> used as IPsec gateway, where NM plays no part whatsoever.
> 
> So, NM integration is on its way. If people have time to donate,
> contact me.
> 
> Paul

Yes, you write as if you were the openswan maintainer ;) and can be
biased.

Good to hear that integration is on its way. As documentation and
responses on this mailing list did not flood my disk and mailbox, I am
glad to hear that someone is looking into integration. Even though I am
not a pro at all, there are reasons for encrypting traffic (host2host,
network2network), and I would declare myself a nosey parker ;)

I can't help you on this, as I need help myself and an easy life
installing encryption ;)

Installing ipsec-tools brings you one more tab in
system-config-network, where you can go and create h2h and
n2n connections. Still, it is not in the same place as the 2 others,
which makes usability harder.

Roger
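As an added example that is not part of the thread (not Paul's or Roger's text, and not Openswan project documentation): the host-to-host pre-shared-key setup that Paul says lives in Openswan's configuration files, since a PSK is one of the items that cannot be handed to pluto through `ipsec whack`. The connection name, the two RFC 5737 documentation-range addresses and the placeholder key are assumptions chosen for the example; everything else is the Openswan 2.6-era `ipsec.conf` / `ipsec.secrets` syntax.

```conf
# /etc/ipsec.conf  (Openswan 2.6-era syntax; the hosts 192.0.2.10 and
# 198.51.100.20 are RFC 5737 documentation addresses chosen for this example)
version 2.0

config setup
    protostack=netkey      # native Linux 2.6 IPsec stack, as shipped by Fedora
    nat_traversal=yes      # harmless on a clean path, needed if a NAT sits between the hosts

conn alpha-to-beta
    type=tunnel
    left=192.0.2.10        # this host ("alpha")
    right=198.51.100.20    # the peer ("beta")
    authby=secret          # authenticate with a pre-shared key from ipsec.secrets
    auto=start             # bring the tunnel up when the ipsec service starts

# /etc/ipsec.secrets  (root-owned, mode 0600: this is the secret that has no
# 'ipsec whack' equivalent and therefore has to be a file)
# The key below is a placeholder, not a usable value; generate a real one with
#   openssl rand -base64 32
# and install the identical line on both hosts.
192.0.2.10 198.51.100.20 : PSK "REPLACE-WITH-openssl-rand-base64-32-OUTPUT"
```

The same two files go on both hosts unchanged: the `conn` section is symmetrical, and Openswan works out which side it is from the addresses configured on its own interfaces. After `service ipsec restart`, `ipsec verify` reports kernel and stack problems, `ipsec auto --status` (or `ipsec whack --status`) shows whether the ISAKMP and IPsec SAs for `alpha-to-beta` are established, and `ip xfrm state` confirms the kernel actually holds the SAs. Check the mode on `/etc/ipsec.secrets` with `ls -l`; pluto refuses a world-readable secrets file, and a PSK that any local user can read protects nothing. strongSwan's legacy `ipsec.conf` uses the same FreeS/WAN-derived format, so the `conn` section carries over, though the `config setup` keywords differ between the two projects.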
