[Openswan Users] Is OpenSWAN a good method for this?

Whit Blauvelt whit at transpect.com
Mon Mar 8 12:09:29 EST 2010


Apologies for asking such a general question. We were using FreeSWAN
internally some years back, then switched to OpenVPN, which has been great
for that. But now we're needing to return to IPsec to tunnel from our Linux
firewall to a remote Cisco 5510. The current state of documentation for
Linux IPsec options is sparse and disorganized. So my questions are quite

For a Linux-Cisco IPsec tunnel, are each of these equally compatible with
the Cisco?

- OpenSWAN
- KAME (ipsec-tools)
- OpenBSD's isakmpd

For Ubuntu 8.04 (with kernel 2.6.24-19-server, and no X), which of those
options installs and works most smoothly? (I note that Ubuntu seems to be
largely ignoring bugs filed against OpenSWAN - see

At the Cisco end they prefer as defaults (but will alter if required):

Phase 1 - pre-g2-3des-sha-86400s
Phase 2 - pfs2-esp-3des-sha-28800s
and a PSK (not cert)

Are there known gotchas there for Linux? For OpenSWAN? I'm recalling
FreeSWAN having some problems with pfs; does that remain an issue?

Looking at the OpenSWAN wiki, I see for instance a comparison of Linux IPsec
options without KAME or isakmpd included. Googling on the various
combinations, I find plenty of problem reports and partial recipes, but
little in the way of complete accounts of success. It's obvious from the
volume on this mailing list that OpenSWAN is still a viable option. It's
fully possible I've missed answers to exactly the questions here - but my
eyes glaze over after sampling so many dozens of threads. If answers are
forthcoming, I'll try to integrate them into the OpenSWAN wiki, so at least
next time someone like me won't have to address the list for such basic
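
[Editor's note, added example - this is not part of Whit's post and not Openswan project documentation.] The Cisco defaults quoted above (Phase 1: PSK, DH group 2, 3DES, SHA-1, 86400 s; Phase 2: ESP 3DES/SHA-1 with PFS group 2, 28800 s) map onto an Openswan connection as follows. The syntax is the 2.4-era form that Ubuntu 8.04 ships (`esp=` and `keylife=` rather than the later `phase2alg=` and `salifetime=`). The connection name, the addresses from the documentation ranges, the subnets and the secret are placeholders, not values from the post. One caveat a practitioner should weigh: 3DES, SHA-1 and a 1024-bit DH group are accepted by Openswan and the ASA but are weak by current standards, and the Cisco side offered to change them if asked.

```ini
# /etc/ipsec.conf  (added example; addresses and names are placeholders)
config setup
    # Leave NAT-T off unless a NAT sits between the firewall and the ASA
    nat_traversal=no

conn linux-to-asa
    type=tunnel
    keyexchange=ike
    # Phase 1 (ISAKMP): pre-shared key, 3DES, SHA-1, DH group 2 = modp1024,
    # 86400 s lifetime. Matches Cisco "pre-g2-3des-sha-86400s".
    authby=secret
    ike=3des-sha1;modp1024
    ikelifetime=24h
    # Phase 2 (IPsec SA): ESP 3DES/SHA-1 with PFS, 28800 s lifetime.
    # With pfs=yes and no pfsgroup= given, Openswan 2.4 reuses the Phase 1
    # group (modp1024), which is Cisco's "pfs2". Matches
    # "pfs2-esp-3des-sha-28800s".
    esp=3des-sha1
    pfs=yes
    keylife=8h
    # Local side: the Linux firewall's public address and the LAN behind it
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    # Remote side: the Cisco ASA 5510 and the network behind it
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    auto=start

# /etc/ipsec.secrets  (mode 0600, owned by root)
# 192.0.2.1 198.51.100.1 : PSK "replace-with-a-long-random-secret"
```

To bring the tunnel up and check the result: `ipsec verify` reports kernel/stack problems before any negotiation is attempted, `ipsec auto --up linux-to-asa` performs the exchange in the foreground, and `ipsec auto --status` shows whether an ISAKMP SA and an IPsec SA were established. If Phase 2 fails while Phase 1 succeeds, the first things to compare with the ASA administrator are the PFS group and the exact leftsubnet/rightsubnet pair, which must match the ASA's crypto ACL entry by entry.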


