The main project web site is www.freeswan.org.
Links to other project-related sites are provided in
our introduction section.
Some user-contributed patches gave been integrated into the FreeS/WAN
distribution. For a variety of reasons, those listed below have not.
Patches believed current at time of writing (March 2001, just before 1.9 release):
Before using these, check the mailing list for news of newer
versions and to see whether they have been incorporated into more recent
versions of FreeS/WAN.
Note: At one point the way PGP generates RSA keys and the way
FreeS/WAN checks them for validity before using them were slightly different, so
quite a few PGP-generated keys would be rejected by FreeS/WAN, confusing users
no end. This is fixed in 1.9.
A set of PKIX patches were recently announced on the mailing list:
Subject: a different PKIX patch.
   Date: Mon, 5 Mar 2001
   From: Luc Lanthier <firesoul@netwinder.org>
I'd like to invite volunteers to use the now-complete PKIX project I've
been working on since about August. Because of this, the patch is for
FreeSWAN 1.5, not 1.8... I haven't really felt the need to update it since
I don't use IPV6 nor DNSSec.
This is similar, but different than Andreas Steffen's pkix
implementation. I've based this work on Neil Dunbar's openssl-pkix patch
for FreeSWAN 1.1. I've updated it to run on FreeSWAN 1.5 correctly, and
added support for ID_DER_ASN1_DN ID packet support. It will do LDAP
certificate lookups no problem, as well as local flatfile, directory, or
DB lookup for testing or speed.
IE: It's a full CA-compatible client, capable of looking up, checking the
CRL for expiry and such. It will not only do the classic PSK and RSASIG
freeswan methods just fine, but also does PKIX's RSASIG, PKE and
RPKE. I've spent a lot of time adding RoadWarrior support for these last
IKE exchange methods.
The patch can be found as: 
  ftp://ftp.netwinder.org/users/f/firesoul/freeswan-1.5-pkix_13.patch
There are also freeswan-1.5 - kernel 2.4 patches for those who need them.
Let me know. Feedback is appreciated.
Older patches:
These patches are for older versions of FreeS/WAN and
will likely not work with the current version.  Older
versions of FreeS/WAN may be available on some of the distribution sites, but we recommend using the current
release.
Finally, there are some patches to other code that may be useful with FreeS/WAN:
Note that this is not required if the same machine does IPSEC and masquerading, only
if you want a to locate your IPSEC gateway on a masqueraded network. See our
firewalls document for discussion of why this is
problematic.
At last report, this patch could not co-exist with FreeS/WAN on the same machine.
  
  The introductory section of our document set lists several Linux distributions which include FreeS/WAN.
  
  
    - /dev/random support page,
      discussion of and code for the Linux random number
      driver. Out-of-date when we last checked (January 2000), but still
      useful.
- other programs related to random numbers:
      
    
- a Linux L2TP Daemon which
      might be useful for communicating with Windows 2000 which builds L2TP
      tunnels over its IPSEC connections
- packet spy, a packet
      sniffer whose author said in a Dec 1999 message "It's very unfinished,
      especially the filter, but it can give you an ascii and hex dump at the
      same time. I started it specifically for snooping a FreeS/WAN
      installation."
- to use opportunistic encryption, you need a recent version of
     BIND. Get one from the
     FreeS/WAN site
     or from the Internet Software Consortium
     who maintain BIND.
  
    - other Linux IPSEC implementations
- ENskip, a free
      implementation of Sun's SKIP protocol
- vpnd, a non-IPSEC VPN daemon
      for Linux which creates tunnels using Blowfish
      encryption
- Zebedee, a simple GPLd
      tunnel-building program with Linux and Win32 versions. The name is from
      Zlib compression, Blowfish encryption
      and Diffie-Hellman key exchange.
- LinuxCare's VPS (Virtual
      Private Server) which builds tunnels using SSH
- Moreton Bay's PoPToP, PPTP for
      Linux
- CIPE
      (crypto IP routers)
      project, using their own lightweight protocol to encrypt between
    routers
- vtun "virtual tunnels", using
      Blowfish
- tinc, a VPN Daemon
There is a list of
Linux VPN
software in the
Linux Security Knowledge Base. 
  
  
  
  
  
  
  
  
  
    - Our document listing the RFCs relevant to Linux
      FreeS/WAN and giving various ways of obtaining both RFCs and Internet
      Drafts.
- IPSEC standards
      page maintained by VPNC. This covers both RFCs and
      Drafts, and classifies them in a fairly helpful way.
- RFC archive
- Internet Drafts
      related to IPSEC
- US government  site
      with their FIPS standards
- Archives of the ipsec@tis.com mailing list where discussion of drafts
      takes place.
      
    
    - Counterpane's evaluation of the
      protocols
- Simpson's IKE
      Considered Dangerous paper. Note that this is a link to an archive
      of our mailing list. There are several replies in addition to the paper
      itself.
- Bellovin's papers
      page including his:
      
        - Security Problems in the TCP/IP Protocol Suite (1989)
- Problem Areas for the IP Security Protocols (1996)
- Probable Plaintext Cryptanalysis of the IP Security Protocols
          (1997)
 
- Catherine Meadows of NRL applied the NRL Protocol Analyzer to IKE. Her
      paper is available in PDF
      or Postscript.
- An errata list
      for the IPSEC RFCs.
    - An introduction to IP
      addressing from 3Com
- An IP tutorial that seems
      to be written mainly for Netware or Microsoft LAN admins entering a new
      world
- IANA, Internet Assigned Numbers
      Authority
- CIDR,
      Classless Inter-Domain Routing
- Also see our bibliography
Vendors using FreeS/WAN in turnkey firewall or VPN products are listed in
  our introduction.
  Other vendors have Linux IPSEC products which, as far as we know, do not
  use FreeS/WAN
  
    - Redcreek
      provide an open source Linux driver for their PCI hardware VPN card.
      This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more
      specialised crypto chips, and claimed encryption performance of 45
      Mbit/sec. The PC sees it as an Ethernet board.
- Paktronix
       offer a Linux-based VPN with hardware encryption
    
- According to a report on our mailing list, Watchguard use Linux in their
      Firebox product.
- Entrust offer a developers'
      toolkit for using their PKI for IPSEC
    authentication
- According to a report on our mailing list, Axent
      have a Linux version of their product.
    
All the major router vendors support IPSEC, at least in some models.
  
    - Cisco IPSEC
      information
- Ascend, now part of Lucent, have
      some IPSEC-based products
- Bay Networks, now part of
      Nortel, use IPSEC in their Contivity switch product line
- 3Com have a
      number of VPN products, some using IPSEC
Many firewall vendors offer IPSEC, either as a standard part of their
product, or an optional extra. A few we know about are:
Vendors using FreeS/WAN in turnkey firewall products are listed in
our introduction.
  
  All the major open source operating systems support IPSEC. See below for
  details on BSD-derived Unix variants.
  Among commercial OS vendors, IPSEC players include:
  
    - Microsoft
      have put IPSEC in their Windows 2000 products
- Apple's Mac OS X has IPSEC support built in
- IBM
      announce a release of OS390 with IPSEC support via a crypto
    co-processor
- Sun
      include IPSEC in Solaris 8
- Hewlett
      Packard offer IPSEC for their Unix machines
We like to think of FreeS/WAN as the Linux IPSEC implementation,
  but it is not the only one. Others we know of are:
  
    - pipsecd, a
      lightweight implementation of IPSEC for Linux. Does not require kernel
      recompilation.
- Petr Novak's ipnsec,
      based on the OpenBSD IPSEC code and using Photuris for key management
- A now defunct project at U of
      Arizona (export controlled)
- NIST Cerebus (export
      controlled)
    - KAME, several
      large Japanese companies co-operating on IPv6 and IPSEC
- US Naval Research Lab
      implementation of IPv6 and of IPSEC for IPv4 (export controlled)
- OpenBSD includes IPSEC as
      a standard part of the distribution
- IPSEC for FreeBSD
- a FAQ
      on NetBSD's IPSEC implementation
The IPSEC protocols are designed so that different implementations should
be able to work together. As they say "the devil is in the details". IPSEC
has a lot of details, but considerable success has been achieved.
  
Linux FreeS/WAN has been tested for interoperability with many other
  IPSEC implementations. Results to date are in our interoperability section.
  Various other sites have information on interoperability between various
  IPSEC implementations:
  
    - interop
      results from a bakeoff in Atlanta, September 1999.
- a French company, HSC's, interoperability
    test data covers FreeS/WAN, Open BSD, KAME, Linux pipsecd, Checkpoint, Red
    Creek Ravlin, and Cisco IOS
- ICSA offer certification programs
      for various security-related products. See their list of 
      certified IPSEC products. Linux FreeS/WAN is not currently on that
      list, but several products with which we interoperate are.
- VPNC have a page on why they are not yet doing
      interoperability testing and a
      page on the spec conformance
      testing that they are doning
- a review
      comparing a dozen commercial IPSEC implemetations. Unfortunately, the
      reviewers did not look at Open Source implementations such as FreeS/WAN
      or OpenBSD.
- results
      from interoperability tests at a conference. FreeS/WAN was not tested
      there.
- test results from the IPSEC 2000 conference
  
The Linux IP stack is getting some new features in 2.4 kernels. Most are
  already available as experimental code in 2.3 kernels. Some HowTos have been
  written:
  
  
  
  
  
  
  
  
  
  
  Two enormous collections of links, each the standard reference in its
  area:
  
    - Gene Spafford's COAST hotlist
- Computer and network security.
- Peter Gutmann's Encryption and
    Security-related Resources
- Cryptography.
See also the interesting papers section
  below.
  
  
  
  
  
  
  
  
  
    - RFC
      1984, the IAB and IESG
      Statement on Cryptographic Technology and the Internet.
- John Young's collection of documents of interest to the
      cryptography, open government and privacy movements, organized
      chronologically
- Encryption, Privacy and Security Resource Page with a mainly US
    focus
- Cryptography
      Export Control Archive, mainly links to court and govenment
      documents on various challenges to US law
- A good overview of
      the issues from Australia.
See also our documentation section on the history and
  politics of cryptography.
  
  
  
  
  
  
  These papers emphasize important issues around the use of cryptography,
  and the design and management of secure systems.
  
  
  
  
  
  
  
  
  
  
  
 
David Wagner at Berkeley provides a set of links to
home pages
of cryptographers, cypherpunks and computer security people.