
Re: [IPSEC] Too many SADs!

To: netdev@xxxxxxxxxxx
Subject: Re: [IPSEC] Too many SADs!
From: Scott Mcdermott <smcdermott@xxxxxxxxxxx>
Date: Tue, 22 Mar 2005 21:55:22 -0800
In-reply-to: <20050323003310.GE8725@ns.snowman.net>
References: <200503220052.52756.wolfgang.walter@studentenwerk.mhn.de> <20050322224819.GB4924@questra.com> <20050323003310.GE8725@ns.snowman.net>
Resent-date: Mon, 28 Mar 2005 05:23:02 -0500
Resent-from: Scott Mcdermott <smcdermott@xxxxxxxxxxx>
Resent-message-id: <20050328102302.AD87C13DE9@lujuria.roc.questra.com>
Resent-to: netdev@xxxxxxxxxxx
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.4.1i

Stephen Frost on Tue 22/03 19:33 -0500:
> Sounds like I may need to check out strongswan/openswan.
> I can tell you I wasn't exactly a fan of freeswan for a
> variety of reasons.

What reasons? The userspace code with it is great (i.e. the
IKE daemon).  The kernel stuff may be a different matter.
You could use the native IPSEC code in the kernel instead.

I don't know what distribution you're using but I found it
simple to adapt the openswan .spec file to make a source RPM
for strongswan.

As I understand it, the Openswan project is motivated by
commercial interests, whereas Strongswan is in it for
security and correctness.  I had difficulty using Openswan
with AES (it wasn't accepting custom ciphers and DH groups
specified in the config file, and was sending bogus IKE
proposals with 65535 in all the fields of the first listed
transform) until I switched to Strongswan.  And if you are
doing anything with X.509, the author of that patch is the
one that forked Strongswan.  It has been very solid for me
since I switched off Racoon.
