Hi,

A user has asked me off-list for advice on what IPsec implementation to use on Owl. Since I have no experience with this, I am relaying the question in here. I'd appreciate any comments, especially from people who are actually using IPsec on Owl. The user is going to have Google Android, iPhone, iPad on the other end.

Linux 2.6 includes IPsec support, but we're currently building our kernels with the corresponding CONFIG_* options disabled. This happens to list the relevant options:

http://www.ipsec-howto.org/x304.html

Perhaps the user will need to enable the options (or set them to "=m") and build a custom kernel using one of the approaches given here:

http://openwall.info/wiki/Owl/kernel-build

Perhaps we need to change the options to "=m" in our default kernels to make this easier going forward.

There are also implementations that pre-date integration into the Linux kernel, but I guess those should be out of consideration?

For userland tools, there appear to be:

Openswan - http://www.openswan.org
strongSwan - http://www.strongswan.org
IPsec-Tools - http://ipsec-tools.sourceforge.net
    http://www.ipsec-howto.org/x304.html
OpenBSD's isakmpd ported to Linux - http://www.ipsec-howto.org/x501.html
    http://bender.thinknerd.de/~thomas/IPsec/isakmpd-linux.html (broken link)

Which of these are most appropriate to use these days?

Last time this topic was brought up in here, Bernhard Fischer wrote: "we are currently using openswan-2.4.6" and "For a single site-to-site connection I prefer OpenVPN":

http://www.openwall.com/lists/owl-users/2007/02/01/2

I also recommended OpenVPN (which I am using on Owl):

http://www.openwall.com/lists/owl-users/2007/02/04/1

However, in this case the user specifically needs IPsec (he is already aware of OpenVPN and is using it on Owl in other cases).

I'd like to provide helpful advice and to make Owl more IPsec-ready (perhaps not package Openswan or whatever into Owl yet, but make our kernel builds suitable).

Thanks,

Alexander

P.S. In general, I prefer users to post their questions in here directly, without using me as a proxy. I am making an exception this time, hopefully without setting a precedent. ;-)

Received on Fri May 20 2011 - 12:33:48 PDT