Contents
Previous
Next
The main project web site is 
www.freeswan.org.
Links to other project-related sites
 are provided in our introduction section.
 Some user-contributed patches gave been integrated into the 
FreeS/WAN distribution. For a variety of reasons, those listed below 
have not.
Patches believed current at time of writing (March 2001, just before 
1.9 release):
 Before using these, check the mailing list
 for news of newer versions and to see whether they have been 
incorporated into more recent versions of FreeS/WAN.
 Note: At one point the way PGP generates RSA keys 
and the way FreeS/WAN checks them for validity before using them were 
slightly different, so quite a few PGP-generated keys would be rejected 
by FreeS/WAN, confusing users no end. This is fixed in 1.9. 
 A set of PKIX patches were recently announced on the mailing list:
Subject: a different PKIX patch.
   Date: Mon, 5 Mar 2001
   From: Luc Lanthier <firesoul@netwinder.org>
I'd like to invite volunteers to use the now-complete PKIX project I've
been working on since about August. Because of this, the patch is for
FreeSWAN 1.5, not 1.8... I haven't really felt the need to update it since
I don't use IPV6 nor DNSSec.
This is similar, but different than Andreas Steffen's pkix
implementation. I've based this work on Neil Dunbar's openssl-pkix patch
for FreeSWAN 1.1. I've updated it to run on FreeSWAN 1.5 correctly, and
added support for ID_DER_ASN1_DN ID packet support. It will do LDAP
certificate lookups no problem, as well as local flatfile, directory, or
DB lookup for testing or speed.
IE: It's a full CA-compatible client, capable of looking up, checking the
CRL for expiry and such. It will not only do the classic PSK and RSASIG
freeswan methods just fine, but also does PKIX's RSASIG, PKE and
RPKE. I've spent a lot of time adding RoadWarrior support for these last
IKE exchange methods.
The patch can be found as: 
  ftp://ftp.netwinder.org/users/f/firesoul/freeswan-1.5-pkix_13.patch
There are also freeswan-1.5 - kernel 2.4 patches for those who need them.
Let me know. Feedback is appreciated.
 Older patches:
 These patches are for older versions of FreeS/WAN and will likely 
not work with the current version.  Older versions of FreeS/WAN may be 
available on some of the distribution sites
, but we recommend using the current release.
 Finally, there are some patches to other code that may be useful with 
FreeS/WAN: 
 Note that this is not required if the same machine does IPSEC and 
masquerading, only if you want a to locate your IPSEC gateway on a 
masqueraded network. See our firewalls
 document for discussion of why this is problematic. 
 At last report, this patch could not co-exist with FreeS/WAN on the 
same machine. 
The introductory section of our document set lists several 
Linux distributions which include FreeS/WAN.
- /dev/random support page, 
 discussion of and code for the Linux 
random number  driver. Out-of-date when we last checked (January 
2000), but still  useful.
- other programs related to random numbers: 
- a Linux L2TP Daemon which 
 might be useful for communicating with Windows 2000 which builds L2TP 
 tunnels over its IPSEC connections
- packet spy, a 
packet  sniffer whose author said in a Dec 1999 message "It's very 
unfinished,  especially the filter, but it can give you an ascii and 
hex dump at the  same time. I started it specifically for snooping a 
FreeS/WAN  installation."
- to use opportunistic encryption, you need a recent version of 
 BIND. Get one from the 
 FreeS/WAN site or from the Internet 
Software Consortium who maintain BIND. 
- other Linux IPSEC implementations
- ENskip, a free 
 implementation of Sun's SKIP protocol
- vpnd, a non-IPSEC VPN 
daemon  for Linux which creates tunnels using 
Blowfish encryption
- Zebedee, a simple 
GPLd  tunnel-building program with Linux and Win32 versions. The name 
is from  Zlib compression, Blowfish 
encryption  and Diffie-Hellman key exchange.
- LinuxCare's VPS (Virtual 
 Private Server) which builds tunnels using 
SSH
- Moreton Bay's 
PoPToP, PPTP for  Linux
- CIPE
 (crypto IP routers)  project, using their own lightweight protocol to 
encrypt between  routers
- vtun "virtual tunnels", 
using  Blowfish
- tinc, a VPN Daemon
 There is a list of 
Linux VPN software in the 
Linux Security Knowledge Base. 
- Our document listing the RFCs relevant to 
Linux  FreeS/WAN and giving various ways of obtaining both RFCs and 
Internet  Drafts.
- IPSEC standards
 page maintained by VPNC. This covers 
both RFCs and  Drafts, and classifies them in a fairly helpful way.
- RFC archive
- Internet Drafts
 related to IPSEC
- US government  site
 with their FIPS standards
- Archives of the ipsec@tis.com mailing list where discussion of 
drafts  takes place. 
- Counterpane's 
evaluation of the  protocols
- Simpson's 
IKE  Considered Dangerous paper. Note that this is a link to an 
archive  of our mailing list. There are several replies in addition to 
the paper  itself.
- Bellovin's 
papers page including his: 
- Security Problems in the TCP/IP Protocol Suite (1989)
- Problem Areas for the IP Security Protocols (1996)
- Probable Plaintext Cryptanalysis of the IP Security Protocols 
 (1997)
 
- Catherine Meadows of NRL applied the NRL Protocol Analyzer to IKE. 
Her  paper is available in 
PDF or 
Postscript.
- An errata list
 for the IPSEC RFCs.
- An introduction to IP 
 addressing from 3Com
- An IP tutorial that 
seems  to be written mainly for Netware or Microsoft LAN admins 
entering a new  world
- IANA, Internet Assigned Numbers 
 Authority
- CIDR, 
 Classless Inter-Domain Routing
- Also see our bibliography
 Vendors using FreeS/WAN in turnkey firewall or VPN products are 
listed in  our introduction.
Other vendors have Linux IPSEC products which, as far as we know, do 
not  use FreeS/WAN
- Redcreek
 provide an open source Linux driver for their PCI hardware VPN card. 
 This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more 
 specialised crypto chips, and claimed encryption performance of 45 
 Mbit/sec. The PC sees it as an Ethernet board.
- Paktronix
 offer a Linux-based VPN with hardware encryption 
- According to a report on our mailing list, 
Watchguard use Linux in their  Firebox product.
- Entrust offer a developers' 
 toolkit for using their PKI for IPSEC 
 authentication
- According to a report on our mailing list, 
Axent have a Linux version of their product. 
 All the major router vendors support IPSEC, at least in some models.
- Cisco
 IPSEC  information
- Ascend, now part of Lucent, 
have  some IPSEC-based products
- Bay Networks, now part 
of  Nortel, use IPSEC in their Contivity switch product line
- 3Com
 have a  number of VPN products, some using IPSEC
Many firewall vendors offer IPSEC, either as a standard part of their 
product, or an optional extra. A few we know about are: Vendors using FreeS/WAN in turnkey firewall products are listed in 
our introduction.
All the major open source operating systems support IPSEC. See below 
for  details on BSD-derived Unix variants.
Among commercial OS vendors, IPSEC players include:
- 
Microsoft have put IPSEC in their Windows 2000 products
- Apple's Mac OS X
 has IPSEC support built in
- IBM
 announce a release of OS390 with IPSEC support via a crypto 
 co-processor
- 
Sun include IPSEC in Solaris 8
- 
Hewlett  Packard offer IPSEC for their Unix machines
We like to think of FreeS/WAN as the Linux IPSEC 
implementation,  but it is not the only one. Others we know of are:
- pipsecd, a 
 lightweight implementation of IPSEC for Linux. Does not require kernel 
 recompilation.
- Petr Novak's ipnsec, 
 based on the OpenBSD IPSEC code and using 
Photuris for key management
- A now defunct project at 
U of  Arizona (export controlled)
- NIST Cerebus
 (export  controlled)
- KAME, 
several  large Japanese companies co-operating on IPv6 and IPSEC
- US Naval Research Lab
 implementation of IPv6 and of IPSEC for IPv4 (export controlled)
- OpenBSD includes IPSEC 
as  a standard part of the distribution
- IPSEC for FreeBSD
- a FAQ
 on NetBSD's IPSEC implementation
 The IPSEC protocols are designed so that different implementations 
should be able to work together. As they say "the devil is in the 
details". IPSEC has a lot of details, but considerable success has been 
achieved.
 Linux FreeS/WAN has been tested for interoperability with many 
other  IPSEC implementations. Results to date are in our 
interoperability section.
Various other sites have information on interoperability between 
various  IPSEC implementations:
- interop 
 results from a bakeoff in Atlanta, September 1999.
- a French company, HSC's, 
interoperability test data covers FreeS/WAN, Open BSD, KAME, Linux 
pipsecd, Checkpoint, Red  Creek Ravlin, and Cisco IOS
- ICSA offer certification 
programs  for various security-related products. See their list of 
 certified IPSEC products. Linux FreeS/WAN is not currently on that 
 list, but several products with which we interoperate are.
- VPNC have a page on why they are not yet doing 
 interoperability testing and a  page on the 
spec conformance testing that they are doning
- a review
 comparing a dozen commercial IPSEC implemetations. Unfortunately, the 
 reviewers did not look at Open Source implementations such as 
FreeS/WAN  or OpenBSD.
- 
results from interoperability tests at a conference. FreeS/WAN was 
not tested  there.
- test results from the 
IPSEC 2000 conference 
The Linux IP stack is getting some new features in 2.4 kernels. Most 
are  already available as experimental code in 2.3 kernels. Some HowTos 
have been  written:
Two enormous collections of links, each the standard reference in 
its  area:
- Gene Spafford's 
COAST hotlist
- Computer and network security.
- Peter Gutmann's 
Encryption and  Security-related Resources
- Cryptography.
See also the interesting papers section 
 below.
- 
RFC  1984, the IAB and 
IESG Statement on Cryptographic Technology and the Internet.
- John Young's collection of 
documents of interest to the  cryptography, open government and 
privacy movements, organized  chronologically
- Encryption, Privacy and Security 
Resource Page with a mainly US  focus
- Cryptography 
 Export Control Archive, mainly links to court and govenment 
 documents on various challenges to US law
- A good overview
 of  the issues from Australia.
See also our documentation section on the 
history and  politics of cryptography.
These papers emphasize important issues around the use of 
cryptography,  and the design and management of secure systems.
- Open SEC, a link farm full of 
 links to freely available security tools
- PGP -- mail encryption 
 A message in our mailing list archive has considerable detail on 
 available versions of PGP and on IPSEC support in them. 
 Note: A fairly nasty bug exists in all commercial 
PGP  versions from 5.5 through 6.5.3. If you have one of those, read 
the  security 
advisory and upgrade now. 
- SSH -- secure remote login 
- ssmail -- sendmail patched to do 
opportunistic encryption
- web page with 
 links to code and to a Usenix paper describing it, in PDF
 
- COPS Computer 
Oracle  and Password System; tests a system for various weaknesses
- SATAN
 System  Administrators Tool for Analysing Networks
- NMAP Network Mapper
- Internet Traffic  Archive
, various tools to analyze network traffic, mostly scripts to  organise 
and format tcpdump(8) output for specific purposes
- Wietse 
 Venema's page with various tools
- Crack password 
 cracker
- Tripwire
 saves message digests of your system files. Re-calculate the digests 
and  compare to saved values to detect any file changes.
- Deception Toolkit, a 
collection  of "honeypot" servers which emulate widely exploited 
weaknesses while  logging the attacks.
- Open CA project to develop a 
 freely distributed Certification Authority
 for  building a open Public Key 
Infrastructure.
- ISIC, 
 IP stack integrity 
 checker, generates legitmate and bogus packets "to test  the 
stability of an IP Stack and its component stacks (TCP, UDP, ICMP  et. 
al.)"
 David Wagner at Berkeley provides a set of links to 
home pages of cryptographers, cypherpunks and computer security 
people.
Contents
Previous
Next