The main project web site is www.freeswan.org.
Links to other project-related sites are provided in our introduction section.
Some user-contributed patches have been integrated into the FreeS/WAN distribution. For a variety of reasons, those listed below have not.
Note that not all patches are a good idea.
- There are a number of "features" of IPsec which we do not implement because they reduce security. See this discussion. We do not recommend using patches that implement these. One example is aggressive mode.
- We do not recommend adding "features" of any sort unless they are clearly necessary, or at least have clear benefits. For example, FreeS/WAN would not become more secure if it offerred a choice of 14 ciphers. If even one was flawed, it would certainly become less secure for anyone using that cipher. Even with 14 wonderful ciphers, it would be harder to maintain and administer, hence more vulnerable to various human errors.
This is not to say that patches are necessarily bad, only that using them requires some deliberation. For example, there might be perfectly good reasons to add a specific cipher in your application: perhaps GOST to comply with government standards in Eastern Europe, or AES for performance benefits.
Patches believed current::
- patches for X.509 certificate support, also available from a mirror site
- patches to add AES and other ciphers. There is preliminary data indicating AES gives a substantial performance gain.
There is also one add-on that takes the form of a modified FreeS/WAN distribution, rather than just patches to the standard distribution:
Before using any of the above,, check the mailing lists for news of newer versions and to see whether they have been incorporated into more recent versions of FreeS/WAN.
- hardware acceleration
- a series of patches that
- provide GOST, a Russian gov't. standard cipher, in MMX assembler
- add GOST to OpenSSL
- add GOST to the International kernel patch
- let FreeS/WAN use International kernel patch ciphers
- Neil Dunbar's patches for certificate support, using code from Open SSL.
- Luc Lanthier's patches for PKIX support.
- patches to add Blowfish, IDEA and CAST-128 to FreeS/WAN
- patches for FreeS/WAN 1.3, Pluto support for external authentication, for example with a smartcard or SKEYID.
- patches and utilities for using FreeS/WAN with PGPnet
- Blowfish encryption and Tiger hash
- patches for aggressive mode support
These patches are for older versions of FreeS/WAN and will likely not work with the current version. Older versions of FreeS/WAN may be available on some of the distribution sites , but we recommend using the current release.
Finally, there are some patches to other code that may be useful with FreeS/WAN:
- a patch to make IPsec, PPTP and SSH VPNs work through a Linux firewall with IP masquerade.
- Linux VPN Masquerade HOWTO
Note that this is not required if the same machine does IPsec and masquerading, only if you want a to locate your IPsec gateway on a masqueraded network. See our firewalls document for discussion of why this is problematic.
At last report, this patch could not co-exist with FreeS/WAN on the same machine.
The introductory section of our document set lists several Linux distributions which include FreeS/WAN.
- /dev/random support page, discussion of and code for the Linux random number driver. Out-of-date when we last checked (January 2000), but still useful.
- other programs related to random numbers:
- a Linux L2TP Daemon which might be useful for communicating with Windows 2000 which builds L2TP tunnels over its IPsec connections
- to use opportunistic encryption, you need a recent version of BIND. You can get one from the Internet Software Consortium who maintain BIND.
- other Linux IPsec implementations
- ENskip, a free implementation of Sun's SKIP protocol
- vpnd, a non-IPsec VPN daemon for Linux which creates tunnels using Blowfish encryption
- Zebedee, a simple GPLd tunnel-building program with Linux and Win32 versions. The name is from Zlib compression, Blowfish encryption and Diffie-Hellman key exchange.
- There are at least two PPTP implementations for Linux
- CIPE (crypto IP encapsulation) project, using their own lightweight protocol to encrypt between routers
- tinc, a VPN Daemon
- The VPN Consortium is a group for vendors of IPsec products. Among other things, they have a good collection of IPsec white papers.
- A VPN mailing list with a home page, a FAQ, some product comparisons, and many links.
- VPN pointer page
- a collection of VPN links, and some explanation
- the FreeS/WAN document section on these protocols
- Feczak Szabolcs' thesis in Hungarian
- Davide Cerri's thesis and some presentation slides Italian
- Our document listing the RFCs relevant to Linux FreeS/WAN and giving various ways of obtaining both RFCs and Internet Drafts.
- VPN Standards page maintained by VPNC. This covers both RFCs and Drafts, and classifies them in a fairly helpful way.
- RFC archive
- Internet Drafts related to IPsec
- US government site with their FIPS standards
- Archives of the [email protected] mailing list where discussion of drafts takes place.
- Counterpane's evaluation of the protocols
- Simpson's IKE Considered Dangerous paper. Note that this is a link to an archive of our mailing list. There are several replies in addition to the paper itself.
- Fate Labs Virual Private Problems: the Broken Dream
- Catherine Meadows' paper Analysis of the Internet Key Exchange Protocol Using the NRL Protocol Analyzer, in PDF or Postscript.
- Perlman and Kaufmnan
- Bellovin's papers page including his:
- Security Problems in the TCP/IP Protocol Suite (1989)
- Problem Areas for the IP Security Protocols (1996)
- Probable Plaintext Cryptanalysis of the IP Security Protocols (1997)
- An errata list for the IPsec RFCs.
- An IP tutorial that seems to be written mainly for Netware or Microsoft LAN admins entering a new world
- IANA, Internet Assigned Numbers Authority
- CIDR, Classless Inter-Domain Routing
- Also see our bibliography
Vendors using FreeS/WAN in turnkey firewall or VPN products are listed in our introduction.
Other vendors have Linux IPsec products which, as far as we know, do not use FreeS/WAN
- Redcreek provide an open source Linux driver for their PCI hardware VPN card. This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more specialised crypto chips, and claimed encryption performance of 45 Mbit/sec. The PC sees it as an Ethernet board.
- Paktronix offer a Linux-based VPN with hardware encryption
- Watchguard use Linux in their Firebox product.
- Entrust offer a developers' toolkit for using their PKI for IPsec authentication
- According to a report on our mailing list, Axent have a Linux version of their product.
All the major router vendors support IPsec, at least in some models.
- Cisco IPsec information
- Ascend, now part of Lucent, have some IPsec-based products
- Bay Networks, now part of Nortel, use IPsec in their Contivity switch product line
- 3Com have a number of VPN products, some using IPsec
Many firewall vendors offer IPsec, either as a standard part of their product, or an optional extra. A few we know about are:
Vendors using FreeS/WAN in turnkey firewall products are listed in our introduction.
All the major open source operating systems support IPsec. See below for details on BSD-derived Unix variants.
Among commercial OS vendors, IPsec players include:
- Microsoft have put IPsec in their Windows 2000 and XP products
- IBM announce a release of OS390 with IPsec support via a crypto co-processor
- Sun include IPsec in Solaris 8
- Hewlett Packard offer IPsec for their Unix machines
- Certicom have IPsec available for the Palm.
- There were reports before the release that Apple's Mac OS X would have IPsec support built in, but it did not seem to be there when we last checked. If you find, it please let us know via the mailing list.
Network cards with built-in IPsec acceleration are available from at least Intel, 3Com and Redcreek.
We like to think of FreeS/WAN as the Linux IPsec implementation, but it is not the only one. Others we know of are:
- pipsecd, a lightweight implementation of IPsec for Linux. Does not require kernel recompilation.
- Petr Novak's ipnsec, based on the OpenBSD IPsec code and using Photuris for key management
- A now defunct project at U of Arizona (export controlled)
- NIST Cerebus (export controlled)
- KAME, several large Japanese companies co-operating on IPv6 and IPsec
- US Naval Research Lab implementation of IPv6 and of IPsec for IPv4 (export controlled)
- OpenBSD includes IPsec as a standard part of the distribution
- IPsec for FreeBSD
- a FAQ on NetBSD's IPsec implementation
- Helsinki U of Technolgy have implemented IPsec for Solaris, Java and Macintosh
The IPsec protocols are designed so that different implementations should be able to work together. As they say "the devil is in the details". IPsec has a lot of details, but considerable success has been achieved.
Linux FreeS/WAN has been tested for interoperability with many other IPsec implementations. Results to date are in our interoperability section.
Various other sites have information on interoperability between various IPsec implementations:
- interop results from a bakeoff in Atlanta, September 1999.
- a French company, HSC's, interoperability test data covers FreeS/WAN, Open BSD, KAME, Linux pipsecd, Checkpoint, Red Creek Ravlin, and Cisco IOS
- ICSA offer certification programs for various security-related products. See their list of certified IPsec products. Linux FreeS/WAN is not currently on that list, but several products with which we interoperate are.
- VPNC have a page on why they are not yet doing interoperability testing and a page on the spec conformance testing that they are doing
- a review comparing a dozen commercial IPsec implemetations. Unfortunately, the reviewers did not look at Open Source implementations such as FreeS/WAN or OpenBSD.
- results from interoperability tests at a conference. FreeS/WAN was not tested there.
- test results from the IPSEC 2000 conference
- TAHI, a Japanese IPv6 testing project with free IPsec validation software
- National Institute of Standards and Technology
- SSH Communications Security
- Linux Getting Started HOWTO document
- A getting started guide from the U of Oregon
- A large link collection which includes a lot of introductory and tutorial material on Unix, Linux, the net, . . .
Nearly any Linux documentation you are likely to want can be found at the Linux Documentation Project or LDP.
- Meta-FAQ guide to Linux information sources
- The LDP's HowTo documents are a standard Linux reference. See this list. Documents there most relevant to a FreeS/WAN gateway are:
- The LDP do a series of Guides, book-sized publications with more detail (and often more "why do it this way?") than the HowTos. See this list. Documents there most relevant to a FreeS/WAN gateway are:
You may not need to go to the LDP to get this material. Most Linux distributions include the HowTos on their CDs and several include the Guides as well. Also, most of the Guides and some collections of HowTos are available in book form from various publishers.
Much of the LDP material is also available in languages other than English. See this LDP page.
The Linux IP stack has some new features in 2.4 kernels. Some HowTos have been written:
- several HowTos for the netfilter firewall code in newer kernels
- 2.4 networking HowTo
- 2.4 routing HowTo
See also the LDP material above.
- Trinity OS guide to setting up Linux
- Unix security page
- PPDD encrypting filesystem
- Linux Encryption HowTo (outdated when last checked, had an Oct 2000 revision date in March 2002)
Other information sources:
- IP Masquerade resource page
- netfilter firewall code in 2.4 kernels
- Our list of general firewall references on the web
- Mason, a tool for automatically configuring Linux firewalls
- the web cache software squid and squidguard which turns Squid into a filtering web proxy
Two enormous collections of links, each the standard reference in its area:
- Gene Spafford's COAST hotlist
- Computer and network security.
- Peter Gutmann's Encryption and Security-related Resources
- Cryptography FAQ
- Firewall FAQ
- Secure Unix Programming FAQ
- FAQs for specific programs are listed in the tools section below.
- Gary Kessler's Overview of Cryptography
- Terry Ritter's introduction
- Peter Gutman's cryptography tutorial (500 slides in PDF format)
- Amir Herzberg of IBM's sildes for his course Introduction to Cryptography and Electronic Commerce
- the concepts section of the GNU Privacy Guard documentation
- Bruce Schneier's self-study cryptanalysis course
See also the interesting papers section below.
- Common Criteria, new international computer and network security standards to replace the "Rainbow" series
- AES Advanced Encryption Standard which will replace DES
- IEEE P-1363 public key standard
- our collection of links for the IPsec standards
- history of formal evaluation of security policies and implementation
There are several collections of cryptographic quotes on the net:
- The EFF's archives on privacy and export control.
- Global Internet Liberty Campaign
- Center for Democracy and Technology
- Privacy International , who give out Big Brother Awards to snoopy organisations
- RFC 1984, the IAB and IESG Statement on Cryptographic Technology and the Internet.
- John Young's collection of documents of interest to the cryptography, open government and privacy movements, organized chronologically
- AT&T researcher Matt Blaze's Encryption, Privacy and Security Resource Page
- A good overview of the issues from Australia.
See also our documentation section on the history and politics of cryptography.
These papers emphasize important issues around the use of cryptography, and the design and management of secure systems.
- Key length requirements for security
- Why Cryptosystems Fail
- Risks of escrowed encryption
- Security pitfalls in cryptography
- Reflections on Trusting Trust, Ken Thompson on Trojan horse design
- Security against Compelled Disclosure, how to maintain privacy in the face of legal or other coersion
- COAST Hotlist
- DMOZ open directory project computer security links
- Bennet Yee
- Mike Fuhr's link collection
- links with an emphasis on intrusion detection
- PGP -- mail encryption
- PGP Inc. (part of NAI) for commercial versions
- MIT distributes the NAI product for non-commercial use
- international distribution site
- GNU Privacy Guard (GPG)
- PGP FAQ
Note: A fairly nasty bug exists in all commercial PGP versions from 5.5 through 6.5.3. If you have one of those, upgrade now.
- SSH -- secure remote login
- Tripwire saves message digests of your system files. Re-calculate the digests and compare to saved values to detect any file changes. There are several versions available:
- Snort and LIDS are intrusion detection system for Linux
- SATAN System Administrators Tool for Analysing Networks
- NMAP Network Mapper
- Wietse Venema's page with various tools
- Internet Traffic Archive , various tools to analyze network traffic, mostly scripts to organise and format tcpdump(8) output for specific purposes
- ssmail -- sendmail patched to do opportunistic encryption
- web page with links to code and to a Usenix paper describing it, in PDF
- Open CA project to develop a freely distributed Certification Authority for building a open Public Key Infrastructure.
David Wagner at Berkeley provides a set of links to home pages of cryptographers, cypherpunks and computer security people.
Contents Previous Next