[owl-users] IPsec

From: Solar Designer <solar_at_private>
Date: Fri, 20 May 2011 23:33:48 +0400

Hi,

A user has asked me off-list for advice on what IPsec implementation to
use on Owl.  Since I have no experience with this, I am relaying the
question in here.  I'd appreciate any comments, especially from people
who are actually using IPsec on Owl.

The user is going to have Google Android, iPhone, iPad on the other end.

Linux 2.6 includes IPsec support, but we're currently building our
kernels with the corresponding CONFIG_* options disabled.  This happens
to list the relevant options: http://www.ipsec-howto.org/x304.html

Perhaps the user will need to enable the options (or set them to "=m")
and build a custom kernel using one of the approaches given here:
http://openwall.info/wiki/Owl/kernel-build

Perhaps we need to change the options to "=m" in our default kernels to
make this easier going forward.

There are also implementations that pre-date integration into the Linux
kernel, but I guess those should be out of consideration?

For userland tools, there appear to be:

Openswan - http://www.openswan.org

strongSwan - http://www.strongswan.org

IPsec-Tools - http://ipsec-tools.sourceforge.net
http://www.ipsec-howto.org/x304.html

OpenBSD's isakmpd ported to Linux - http://www.ipsec-howto.org/x501.html
http://bender.thinknerd.de/~thomas/IPsec/isakmpd-linux.html (broken link)

Which of these are most appropriate to use these days?

Last time this topic was brought up in here, Bernhard Fischer wrote:
"we are currently using openswan-2.4.6" and "For a single site-to-site
connection I prefer OpenVPN":
http://www.openwall.com/lists/owl-users/2007/02/01/2

I also recommended OpenVPN (which I am using on Owl):
http://www.openwall.com/lists/owl-users/2007/02/04/1

However, in this case the user specifically needs IPsec (he is already
aware of OpenVPN and is using it on Owl in other cases).

I'd like to provide helpful advice and to make Owl more IPsec-ready
(perhaps not package Openswan or whatever into Owl yet, but make our
kernel builds suitable).

Thanks,

Alexander

P.S. In general, I prefer users to post their questions in here
directly, without using me as a proxy.  I am making an exception this
time, hopefully without setting a precedent. ;-)
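As an added example (not part of the original message, and not Owl's or openwall's own tooling), here is a POSIX sh script that reports which of the IPsec-related kernel options are built in ("=y"), built as modules ("=m"), or absent in a given kernel .config, so a user can tell whether a custom kernel build is needed before installing any of the userland tools above. The option names are the standard Linux 2.6 Kconfig symbols for XFRM/AH/ESP/IPComp and the ciphers IKE daemons typically need; the sample .config the script writes is constructed for demonstration, and the usual locations of a running kernel's config (/proc/config.gz or /boot/config-$(uname -r)) are an assumption about the target system, not something the message states.

```shell
#!/bin/sh
# Check a Linux kernel .config for the IPsec-related options.
# The option list below uses standard Linux 2.6 Kconfig symbol names;
# the sample config produced by ipsec_sample_config is constructed.

IPSEC_OPTIONS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP \
CONFIG_INET_IPCOMP CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL \
CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_AES CONFIG_CRYPTO_DES"

# ipsec_option_state CONFIG_FILE OPTION -> prints y (built in), m (module) or n (absent/off)
ipsec_option_state() {
    cfg_file="$1"; cfg_opt="$2"
    # Only "OPTION=y" or "OPTION=m" count; "# OPTION is not set" or no line at all is "n".
    cfg_state=$(sed -n "s/^$cfg_opt=\([ym]\)\$/\1/p" "$cfg_file" | head -n 1)
    if [ -n "$cfg_state" ]; then printf '%s\n' "$cfg_state"; else printf 'n\n'; fi
}

# ipsec_missing CONFIG_FILE -> prints, one per line, the options that are neither =y nor =m
ipsec_missing() {
    miss_file="$1"
    for o in $IPSEC_OPTIONS; do
        [ "$(ipsec_option_state "$miss_file" "$o")" = n ] && printf '%s\n' "$o"
    done
    return 0
}

# ipsec_ready CONFIG_FILE -> exit status 0 if every option is y or m, 1 otherwise
ipsec_ready() {
    [ -z "$(ipsec_missing "$1")" ]
}

# ipsec_sample_config FILE -> writes a constructed .config fragment: everything
# enabled as modules except AH and IPComp, which are left off.
ipsec_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample kernel config fragment (not a real Owl kernel config)
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
# CONFIG_INET_AH is not set
CONFIG_INET_ESP=y
# CONFIG_INET_IPCOMP is not set
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_CRYPTO_HMAC=m
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_AES=m
CONFIG_CRYPTO_DES=m
EOF
}

# Stand-alone usage: ./ipsec-kconfig-check.sh /path/to/.config
# (e.g. after "zcat /proc/config.gz > /tmp/config" on a kernel built with IKCONFIG).
# With no argument the constructed sample config is checked instead.
if [ -n "${1:-}" ]; then
    cfg="$1"
else
    cfg=$(mktemp)
    ipsec_sample_config "$cfg"
fi
for o in $IPSEC_OPTIONS; do
    printf '%-34s %s\n' "$o" "$(ipsec_option_state "$cfg" "$o")"
done
if ipsec_ready "$cfg"; then
    echo "kernel config is IPsec-ready (all options =y or =m)"
else
    echo "not IPsec-ready; missing: $(ipsec_missing "$cfg" | tr '\n' ' ')"
fi
```

The script treats "# OPTION is not set" and a missing line alike, which matters for older configs that omit symbols a newer kernel would list; a reported "n" for CONFIG_INET_AH or CONFIG_INET_ESP means the userland IKE daemon will negotiate an SA the kernel cannot install, which is the failure a user hits first when the CONFIG_* options are disabled as in the default Owl kernels described above.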