[Openswan Users] Is OpenSWAN a good method for this?

Paul Wouters paul at xelerance.com
Mon Mar 8 17:58:41 EST 2010


On Mon, 8 Mar 2010, Whit Blauvelt wrote:

> For a Linux-Cisco IPsec tunnel, are each of these equally compatible with
> the Cisco?
>
> - OpenSWAN
> - KAME (ipsec-tools)
> - OpenBSD's isakmpd

I don't think anyone can really tell you that, unless someone has done a
comparative analysis.

> For Ubuntu 8.04 (with kernel 2.6.24-19-server, and no X), which of those
> options installs and works most smoothly? (I note that Ubuntu seems to be
> largely ignoring bugs filed against OpenSWAN - see
> "https://bugs.launchpad.net/ubuntu/+source/openswan/+bugs".)

Debian/ubuntu ships horribly old openswan packages.

> At the Cisco end they prefer as defaults (but will alter if required):
>
> Phase 1 - pre-g2-3des-sha-86400s
> Phase 2 - pfs2-esp-3des-sha-28800s
> and a PSK (not cert)

Should work.

> Are there known gotchas there for Linux? For OpenSWAN? I'm recalling
> FreeSWAN having some problems with pfs; does that remain an issue?

I don't remember freeswan having problems with pfs. The only special case with
pfs is that freeswan/openswan always accepted pfs even when pfs=no (because
it never hurts) and in some cases that could backfire at rekey time.

> Looking at the OpenSWAN wiki, I see for instance a comparison of Linux IPsec
> options without KAME or isakmpd included. Googling on the various
> combinations, I find plenty of problem reports and partial recipes, but
> little in the way of complete accounts of success. It's obvious from the
> volume on this mailing list that OpenSWAN is still a viable option. It's
> fully possible I've missed answers to exactly the questions here - but my
> eyes glaze over after sampling so many dozens of threads. If answers are
> forthcoming, I'll try to integrate them into the OpenSWAN wiki, so at least
> next time someone like me won't have to address the list for such basic
> stuff.

Documentation and wiki needs a lot of work :( Helping there would be awesome.
The mailing list archives should be a gold mine of information from previous
answers (I've been doing that for almost 10 years).
However, we do keep the man pages up to date, and do ship with some examples
in /etc/ipsec.d/examples/

Paul
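For readers landing on this thread later: the Cisco proposal quoted above (Phase 1 pre-shared key, DH group 2, 3DES, SHA-1, 86400 s; Phase 2 ESP 3DES/SHA-1 with PFS group 2, 28800 s) maps onto an Openswan conn like the one below. This is an added illustration, not configuration from Paul or from the Openswan project; the conn name, addresses, subnets and the PSK are placeholders, and the `;modp1024` suffix on `phase2alg` is the assumed way to request the PFS group in this version's syntax (check `man ipsec.conf` on your installed release).

```ini
# /etc/ipsec.conf -- added example, placeholder values throughout
config setup
        # Linux 2.6 native IPsec stack (NETKEY); KLIPS is the alternative
        protostack=netkey
        nat_traversal=no

conn cisco-site
        type=tunnel
        keyexchange=ike
        # PSK, not certificates, as the Cisco side prefers
        authby=secret
        # local (left) and Cisco (right) endpoints -- placeholders
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        right=198.51.100.1
        rightsubnet=10.2.0.0/24
        # Phase 1: pre-g2-3des-sha-86400s
        ike=3des-sha1;modp1024
        ikelifetime=86400s
        # Phase 2: pfs2-esp-3des-sha-28800s
        phase2=esp
        phase2alg=3des-sha1;modp1024
        salifetime=28800s
        pfs=yes
        # keep retrying rather than giving up after three attempts
        keyingtries=%forever
        auto=start

# /etc/ipsec.secrets -- one line, same placeholder addresses, mode 0600
# 192.0.2.1 198.51.100.1 : PSK "replace-with-a-long-random-secret"
```

Two caveats a practitioner would check: `pfs=yes` here deliberately matches the Cisco side, since, as noted above, Openswan accepts PFS even with `pfs=no` and a mismatch only shows up at rekey time; and a PSK shared with a Cisco peer that identifies itself by IP address must be bound to those exact addresses in ipsec.secrets, or Phase 1 fails with an authentication error rather than a proposal mismatch.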

