Thursday, September 24, 2009
IPSec: Hopelessly confused
Comments
These days we just use the ipsec-tools and the in-kernel IPSEC stack. Much easier these days than it used to be!!
You can pretty much ignore everything else.
Another question might be, "Why IPSec when simpler fully userspace solutions such as openvpn are available?".
on lenny all you have to do is
apt-get install strongswan
edit ipsec.conf to your needs
/etc/init.d/ipsec restart
that's it
Hi,
I didn't configure IPSec recently, but this is my current understanding. OpenSWAN and StrongSWAN are both forks of the now dead FreeSWAN, and have slightly different feature sets. There is a feature comparison on the OpenSWAN wiki but it refers to the not-yet-released 3.0 version of OpenSWAN.
OpenSWAN can use the IPSec code in the upstream kernel, but you can still patch the kernel and use the KLIPS IPSec stack. The most visible difference is that KLIPS still gives you virtual network devices, while with the in-kernel implementation you need to use netfilter's "policy" module to control/separate IPSec/non-IPSec traffic.
ipsec-tools (from the KAME project) is needed to talk to the in-kernel IPSec stack and is used by OpenSWAN too. But you also need a daemon to handle the key exchanges. The keying daemon in OpenSWAN is called pluto and is part of the openswan package, the daemon from KAME is called racoon. And there is also isakmpd from OpenBSD...
IMHO OpenSWAN is easiest to set up. With racoon you have to have more knowledge about how things work internally. OpenSWAN hides some of that, at least until you're fine with the most common setups. There are differences in features but unless you need such a feature it is really personal preference that matters the most.
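As an added illustration (not code from any commenter) of the "install strongswan, edit ipsec.conf, restart" procedure above and of the netfilter "policy" match mentioned for the in-kernel stack: a small POSIX sh generator that writes a site-to-site pre-shared-key configuration in StrongSwan's ipsec.conf/ipsec.secrets syntax and prints the iptables rules that only accept remote-subnet packets if they actually arrived inside an ESP SA. All addresses, subnets and the secret are constructed placeholders; the output directory is a parameter so the files can be dry-run into a scratch directory before being placed in /etc.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes StrongSwan's
# ipsec.conf syntax and a kernel with the xt_policy (iptables -m policy)
# module. Addresses and the PSK below are constructed placeholders.

# write_ipsec_config OUTDIR LEFT LEFTSUBNET RIGHT RIGHTSUBNET PSK
write_ipsec_config() {
    outdir=$1; left=$2; leftnet=$3; right=$4; rightnet=$5; psk=$6
    cat > "$outdir/ipsec.conf" <<EOF
config setup
        # drop stale SAs when a peer re-authenticates
        uniqueids=yes

conn site-to-site
        keyexchange=ikev2
        authby=secret
        left=$left
        leftsubnet=$leftnet
        right=$right
        rightsubnet=$rightnet
        auto=start
EOF
    # The pre-shared key goes in ipsec.secrets; create it mode 0600 so other
    # local users cannot read it (umask is changed in a subshell only).
    ( umask 077
      printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" > "$outdir/ipsec.secrets" )
}

# policy_rules RIGHTSUBNET: print rules that accept traffic claiming a
# remote-subnet source only when it was decapsulated from an ESP SA
# (--pol ipsec); a plaintext packet spoofing that source is dropped.
# IKE (udp 500/4500) and ESP (proto 50) to the gateway itself still need
# their own ACCEPT rules, which are out of scope here.
policy_rules() {
    rightnet=$1
    printf 'iptables -A INPUT   -s %s -m policy --dir in --pol ipsec --proto esp -j ACCEPT\n' "$rightnet"
    printf 'iptables -A FORWARD -s %s -m policy --dir in --pol ipsec --proto esp -j ACCEPT\n' "$rightnet"
    printf 'iptables -A INPUT   -s %s -j DROP\n' "$rightnet"
    printf 'iptables -A FORWARD -s %s -j DROP\n' "$rightnet"
}
```

Review the printed rules, then apply them with `policy_rules 10.2.0.0/16 | sh` before `/etc/init.d/ipsec restart`.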
All you need for ESP/AH (ipv4 ipsec tunnel/transport) and IKE (ipv4 ipsec auth) is racoon. racoon-tool actually makes it fairly easy to set up. For a vpn with fixed IPs and a pre-shared secret you only need to edit /etc/racoon/racoon-tool.conf and /etc/racoon/psk.txt
OpenSWAN is both an IKE daemon and an IPsec stack for Linux. It is possible to use the IKE daemon with KAME stack (the one which comes with Linux 2.6).
OpenSWAN stack provides ipsec0 interface which allows you to see clear text traffic and handle it in a more careful way with Netfilter.
OpenSWAN stack allows you to use NAT-T with transport mode, something that is not possible with KAME stack. Maybe this is something that changed:
http://www.kame.net/racoon/racoon-ml/msg00810.html
This limitation does not allow you to use L2TP over IPsec with the KAME stack.
Getting support for KAME or racoon seems quite difficult while getting support for OpenSWAN is very easy.
For simple IPsec needs, you can stick with racoon + KAME. You can also try OpenSWAN IKE daemon + KAME. IMO, pluto (OpenSWAN IKE daemon) is easier to debug and gives better diagnostics. If you want ipsec0 interface, you will need the OpenSWAN stack, as well as if you want to use L2TP.
Yeah, ipsec docs are a mess imo, this one I followed and was successful on debian lenny : http://www.ipsec-howto.org/x304.html
(basically ignore the installation and just install racoon and ipsec-tools)
The German Linux Magazin compared four IPsec implementations in 10/09 (Racoon, Openswan, Strongswan, Isakmpd) with respect to connectivity to Windows XP or Cisco. Their favorite is Strongswan, because it works well with Cisco, even when in homogeneous environments the Openswan implementation is the faster one. For Linux only tunnels all four implementations are OK.