--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
+<HTML>
+<HEAD>
+<TITLE>Introduction to FreeS/WAN</TITLE>
+<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
+<STYLE TYPE="text/css"><!--
+BODY { font-family: serif }
+H1 { font-family: sans-serif }
+H2 { font-family: sans-serif }
+H3 { font-family: sans-serif }
+H4 { font-family: sans-serif }
+H5 { font-family: sans-serif }
+H6 { font-family: sans-serif }
+SUB { font-size: smaller }
+SUP { font-size: smaller }
+PRE { font-family: monospace }
+--></STYLE>
+</HEAD>
+<BODY>
+<A HREF="toc.html">Contents</A>
+<A HREF="upgrading.html">Next</A>
+<HR>
+<H1><A name="intro">Introduction</A></H1>
+<P>This section gives an overview of:</P>
+<UL>
+<LI>what IP Security (IPsec) does</LI>
+<LI>how IPsec works</LI>
+<LI>why we are implementing it for Linux</LI>
+<LI>how this implementation works</LI>
+</UL>
+<P>This section is intended to cover only the essentials,<EM> things you
+ should know before trying to use FreeS/WAN.</EM></P>
+<P>For more detailed background information, see the<A href="politics.html#politics">
+ history and politics</A> and<A href="ipsec.html#ipsec.detail"> IPsec
+ protocols</A> sections.</P>
+<H2><A name="ipsec.intro">IPsec, Security for the Internet Protocol</A></H2>
+<P>FreeS/WAN is a Linux implementation of the IPsec (IP security)
+ protocols. IPsec provides<A href="glossary.html#encryption"> encryption</A>
+ and<A href="glossary.html#authentication"> authentication</A> services
+ at the IP (Internet Protocol) level of the network protocol stack.</P>
+<P>Working at this level, IPsec can protect any traffic carried over IP,
+ unlike other encryption which generally protects only a particular
+ higher-level protocol --<A href="glossary.html#PGP"> PGP</A> for mail,<A
+href="glossary.html#SSH"> SSH</A> for remote login,<A href="glossary.html#SSL">
+ SSL</A> for web work, and so on. This approach has both considerable
+ advantages and some limitations. For discussion, see our<A href="ipsec.html#others">
+ IPsec section</A></P>
+<P>IPsec can be used on any machine which does IP networking. Dedicated
+ IPsec gateway machines can be installed wherever required to protect
+ traffic. IPsec can also run on routers, on firewall machines, on
+ various application servers, and on end-user desktop or laptop
+ machines.</P>
+<P>Three protocols are used</P>
+<UL>
+<LI><A href="glossary.html#AH">AH</A> (Authentication Header) provides a
+ packet-level authentication service</LI>
+<LI><A href="glossary.html#ESP">ESP</A> (Encapsulating Security Payload)
+ provides encryption plus authentication</LI>
+<LI><A href="glossary.html#IKE">IKE</A> (Internet Key Exchange)
+ negotiates connection parameters, including keys, for the other two</LI>
+</UL>
+<P>Our implementation has three main parts:</P>
+<UL>
+<LI><A href="glossary.html#KLIPS">KLIPS</A> (kernel IPsec) implements
+ AH, ESP, and packet handling within the kernel</LI>
+<LI><A href="glossary.html#Pluto">Pluto</A> (an IKE daemon) implements
+ IKE, negotiating connections with other systems</LI>
+<LI>various scripts provide an adminstrator's interface to the machinery</LI>
+</UL>
+<P>IPsec is optional for the current (version 4) Internet Protocol.
+ FreeS/WAN adds IPsec to the Linux IPv4 network stack. Implementations
+ of<A href="glossary.html#ipv6.gloss"> IP version 6</A> are required to
+ include IPsec. Work toward integrating FreeS/WAN into the Linux IPv6
+ stack has<A href="compat.html#ipv6"> started</A>.</P>
+<P>For more information on IPsec, see our<A href="ipsec.html#ipsec.detail">
+ IPsec protocols</A> section, our collection of<A href="web.html#ipsec.link">
+ IPsec links</A> or the<A href="rfc.html#RFC"> RFCs</A> which are the
+ official definitions of these protocols.</P>
+<H3><A name="intro.interop">Interoperating with other IPsec
+ implementations</A></H3>
+<P>IPsec is designed to let different implementations work together. We
+ provide:</P>
+<UL>
+<LI>a<A href="web.html#implement"> list</A> of some other
+ implementations</LI>
+<LI>information on<A href="interop.html#interop"> using FreeS/WAN with
+ other implementations</A></LI>
+</UL>
+<P>The VPN Consortium fosters cooperation among implementers and
+ interoperability among implementations. Their<A href="http://www.vpnc.org/">
+ web site</A> has much more information.</P>
+<H3><A name="advantages">Advantages of IPsec</A></H3>
+<P>IPsec has a number of security advantages. Here are some
+ independently written articles which discuss these:</P>
+<P><A HREF="http://www.sans.org/rr/"> SANS institute papers</A>. See the
+ section on Encryption &VPNs.
+<BR><A HREF="http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_papers_list.html">
+ Cisco's white papers on "Networking Solutions"</A>.
+<BR><A HREF="http://iscs.sourceforge.net/HowWhyBrief/HowWhyBrief.html">
+ Advantages of ISCS (Linux Integrated Secure Communications System;
+ includes FreeS/WAN and other software)</A>.</P>
+<H3><A name="applications">Applications of IPsec</A></H3>
+<P>Because IPsec operates at the network layer, it is remarkably
+ flexible and can be used to secure nearly any type of Internet traffic.
+ Two applications, however, are extremely widespread:</P>
+<UL>
+<LI>a<A href="glossary.html#VPN"> Virtual Private Network</A>, or VPN,
+ allows multiple sites to communicate securely over an insecure Internet
+ by encrypting all communication between the sites.</LI>
+<LI>"Road Warriors" connect to the office from home, or perhaps from a
+ hotel somewhere</LI>
+</UL>
+<P>There is enough opportunity in these applications that vendors are
+ flocking to them. IPsec is being built into routers, into firewall
+ products, and into major operating systems, primarily to support these
+ applications. See our<A href="web.html#implement"> list</A> of
+ implementations for details.</P>
+<P>We support both of those applications, and various less common IPsec
+ applications as well, but we also add one of our own:</P>
+<UL>
+<LI>opportunistic encryption, the ability to set up FreeS/WAN gateways
+ so that any two of them can encrypt to each other, and will do so
+ whenever packets pass between them.</LI>
+</UL>
+<P>This is an extension we are adding to the protocols. FreeS/WAN is the
+ first prototype implementation, though we hope other IPsec
+ implementations will adopt the technique once we demonstrate it. See<A href="#goals">
+ project goals</A> below for why we think this is important.</P>
+<P>A somewhat more detailed description of each of these applications is
+ below. Our<A href="quickstart.html#quick_guide"> quickstart</A> section
+ will show you how to build each of them.</P>
+<H4><A name="makeVPN">Using secure tunnels to create a VPN</A></H4>
+<P>A VPN, or<STRONG> V</STRONG>irtual<STRONG> P</STRONG>rivate<STRONG> N</STRONG>
+etwork lets two networks communicate securely when the only connection
+ between them is over a third network which they do not trust.</P>
+<P>The method is to put a security gateway machine between each of the
+ communicating networks and the untrusted network. The gateway machines
+ encrypt packets entering the untrusted net and decrypt packets leaving
+ it, creating a secure tunnel through it.</P>
+<P>If the cryptography is strong, the implementation is careful, and the
+ administration of the gateways is competent, then one can reasonably
+ trust the security of the tunnel. The two networks then behave like a
+ single large private network, some of whose links are encrypted tunnels
+ through untrusted nets.</P>
+<P>Actual VPNs are often more complex. One organisation may have fifty
+ branch offices, plus some suppliers and clients, with whom it needs to
+ communicate securely. Another might have 5,000 stores, or 50,000
+ point-of-sale devices. The untrusted network need not be the Internet.
+ All the same issues arise on a corporate or institutional network
+ whenever two departments want to communicate privately with each other.</P>
+<P>Administratively, the nice thing about many VPN setups is that large
+ parts of them are static. You know the IP addresses of most of the
+ machines involved. More important, you know they will not change on
+ you. This simplifies some of the admin work. For cases where the
+ addresses do change, see the next section.</P>
+<H4><A name="road.intro">Road Warriors</A></H4>
+<P>The prototypical "Road Warrior" is a traveller connecting to home
+ base from a laptop machine. Administratively, most of the same problems
+ arise for a telecommuter connecting from home to the office, especially
+ if the telecommuter does not have a static IP address.</P>
+<P>For purposes of this document:</P>
+<UL>
+<LI>anyone with a dynamic IP address is a "Road Warrior".</LI>
+<LI>any machine doing IPsec processing is a "gateway". Think of the
+ single-user road warrior machine as a gateway with a degenerate subnet
+ (one machine, itself) behind it.</LI>
+</UL>
+<P>These require somewhat different setup than VPN gateways with static
+ addresses and with client systems behind them, but are basically not
+ problematic.</P>
+<P>There are some difficulties which appear for some road warrior
+ connections:</P>
+<UL>
+<LI>Road Wariors who get their addresses via DHCP may have a problem.
+ FreeS/WAN can quite happily build and use a tunnel to such an address,
+ but when the DHCP lease expires, FreeS/WAN does not know that. The
+ tunnel fails, and the only recovery method is to tear it down and
+ re-build it.</LI>
+<LI>If<A href="glossary.html#NAT.gloss"> Network Address Translation</A>
+ (NAT) is applied between the two IPsec Gateways, this breaks IPsec.
+ IPsec authenticates packets on an end-to-end basis, to ensure they are
+ not altered en route. NAT rewrites packets as they go by. See our<A href="firewall.html#NAT">
+ firewalls</A> document for details.</LI>
+</UL>
+<P>In most situations, however, FreeS/WAN supports road warrior
+ connections just fine.</P>
+<H4><A name="opp.intro">Opportunistic encryption</A></H4>
+<P>One of the reasons we are working on FreeS/WAN is that it gives us
+ the opportunity to add what we call opportuntistic encryption. This
+ means that any two FreeS/WAN gateways will be able to encrypt their
+ traffic, even if the two gateway administrators have had no prior
+ contact and neither system has any preset information about the other.</P>
+<P>Both systems pick up the authentication information they need from
+ the<A href="glossary.html#DNS"> DNS</A> (domain name service), the
+ service they already use to look up IP addresses. Of course the
+ administrators must put that information in the DNS, and must set up
+ their gateways with opportunistic encryption enabled. Once that is
+ done, everything is automatic. The gateways look for opportunities to
+ encrypt, and encrypt whatever they can. Whether they also accept
+ unencrypted communication is a policy decision the administrator can
+ make.</P>
+<P>This technique can give two large payoffs:</P>
+<UL>
+<LI>It reduces the administrative overhead for IPsec enormously. You
+ configure your gateway and thereafter everything is automatic. The need
+ to configure the system on a per-tunnel basis disappears. Of course,
+ FreeS/WAN allows specifically configured tunnels to co-exist with
+ opportunistic encryption, but we hope to make them unnecessary in most
+ cases.</LI>
+<LI>It moves us toward a more secure Internet, allowing users to create
+ an environment where message privacy is the default. All messages can
+ be encrypted, provided the other end is willing to co-operate. See our<A
+href="politics.html#politics"> history and politics of cryptography</A>
+ section for discussion of why we think this is needed.</LI>
+</UL>
+<P>Opportunistic encryption is not (yet?) a standard part of the IPsec
+ protocols, but an extension we are proposing and demonstrating. For
+ details of our design, see<A href="#applied"> links</A> below.</P>
+<P>Only one current product we know of implements a form of
+ opportunistic encryption.<A href="web.html#ssmail"> Secure sendmail</A>
+ will automatically encrypt server-to-server mail transfers whenever
+ possible.</P>
+<H3><A name="types">The need to authenticate gateways</A></H3>
+<P>A complication, which applies to any type of connection -- VPN, Road
+ Warrior or opportunistic -- is that a secure connection cannot be
+ created magically.<EM> There must be some mechanism which enables the
+ gateways to reliably identify each other.</EM> Without this, they
+ cannot sensibly trust each other and cannot create a genuinely secure
+ link.</P>
+<P>Any link they do create without some form of<A href="glossary.html#authentication">
+ authentication</A> will be vulnerable to a<A href="glossary.html#middle">
+ man-in-the-middle attack</A>. If<A href="glossary.html#alicebob"> Alice
+ and Bob</A> are the people creating the connection, a villian who can
+ re-route or intercept the packets can pose as Alice while talking to
+ Bob and pose as Bob while talking to Alice. Alice and Bob then both
+ talk to the man in the middle, thinking they are talking to each other,
+ and the villain gets everything sent on the bogus "secure" connection.</P>
+<P>There are two ways to build links securely, both of which exclude the
+ man-in-the middle:</P>
+<UL>
+<LI>with<STRONG> manual keying</STRONG>, Alice and Bob share a secret
+ key (which must be transmitted securely, perhaps in a note or via PGP
+ or SSH) to encrypt their messages. For FreeS/WAN, such keys are stored
+ in the<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> file. Of
+ course, if an enemy gets the key, all is lost.</LI>
+<LI>with<STRONG> automatic keying</STRONG>, the two systems authenticate
+ each other and negotiate their own secret keys. The keys are
+ automatically changed periodically.</LI>
+</UL>
+<P>Automatic keying is much more secure, since if an enemy gets one key
+ only messages between the previous re-keying and the next are exposed.
+ It is therefore the usual mode of operation for most IPsec deployment,
+ and the mode we use in our setup examples. FreeS/WAN does support
+ manual keying for special circumstanes. See this<A href="adv_config.html#prodman">
+ section</A>.</P>
+<P>For automatic keying, the two systems must authenticate each other
+ during the negotiations. There is a choice of methods for this:</P>
+<UL>
+<LI>a<STRONG> shared secret</STRONG> provides authentication. If Alice
+ and Bob are the only ones who know a secret and Alice recives a message
+ which could not have been created without that secret, then Alice can
+ safely believe the message came from Bob.</LI>
+<LI>a<A href="glossary.html#public"> public key</A> can also provide
+ authentication. If Alice receives a message signed with Bob's private
+ key (which of course only he should know) and she has a trustworthy
+ copy of his public key (so that she can verify the signature), then she
+ can safely believe the message came from Bob.</LI>
+</UL>
+<P>Public key techniques are much preferable, for reasons discussed<A href="config.html#choose">
+ later</A>, and will be used in all our setup examples. FreeS/WAN does
+ also support auto-keying with shared secret authentication. See this<A href="adv_config.html#prodsecrets">
+ section</A>.</P>
+<H2><A name="project">The FreeS/WAN project</A></H2>
+<P>For complete information on the project, see our web site,<A href="http://liberty.freeswan.org">
+ freeswan.org</A>.</P>
+<P>In summary, we are implementing the<A href="glossary.html#IPsec">
+ IPsec</A> protocols for Linux and extending them to do<A href="glossary.html#carpediem">
+ opportunistic encryption</A>.</P>
+<H3><A name="goals">Project goals</A></H3>
+<P>Our overall goal in FreeS/WAN is to make the Internet more secure and
+ more private.</P>
+<P>Our IPsec implementation supports VPNs and Road Warriors of course.
+ Those are important applications. Many users will want FreeS/WAN to
+ build corporate VPNs or to provide secure remote access.</P>
+<P>However, our goals in building it go beyond that. We are trying to
+ help<STRONG> build security into the fabric of the Internet</STRONG> so
+ that anyone who choses to communicate securely can do so, as easily as
+ they can do anything else on the net.</P>
+<P>More detailed objectives are:</P>
+<UL>
+<LI>extend IPsec to do<A href="glossary.html#carpediem"> opportunistic
+ encryption</A> so that
+<UL>
+<LI>any two systems can secure their communications without a
+ pre-arranged connection</LI>
+<LI><STRONG>secure connections can be the default</STRONG>, falling back
+ to unencrypted connections only if:
+<UL>
+<LI><EM>both</EM> the partner is not set up to co-operate on securing
+ the connection</LI>
+<LI><EM>and</EM> your policy allows insecure connections</LI>
+</UL>
+</LI>
+<LI>a significant fraction of all Internet traffic is encrypted</LI>
+<LI>wholesale monitoring of the net (<A href="politics.html#intro.poli">
+examples</A>) becomes difficult or impossible</LI>
+</UL>
+</LI>
+<LI>help make IPsec widespread by providing an implementation with no
+ restrictions:
+<UL>
+<LI>freely available in source code under the<A href="glossary.html#GPL">
+ GNU General Public License</A></LI>
+<LI>running on a range of readily available hardware</LI>
+<LI>not subject to US or other nations'<A href="politics.html#exlaw">
+ export restrictions</A>.
+<BR> Note that in order to avoid<EM> even the appearance</EM> of being
+ subject to those laws, the project cannot accept software contributions
+ --<EM> not even one-line bug fixes</EM> -- from US residents or
+ citizens.</LI>
+</UL>
+</LI>
+<LI>provide a high-quality IPsec implementation for Linux
+<UL>
+<LI>portable to all CPUs Linux supports:<A href="compat.html#CPUs">
+ (current list)</A></LI>
+<LI>interoperable with other IPsec implementations:<A href="interop.html#interop">
+ (current list)</A></LI>
+</UL>
+</LI>
+</UL>
+<P>If we can get opportunistic encryption implemented and widely
+ deployed, then it becomes impossible for even huge well-funded agencies
+ to monitor the net.</P>
+<P>See also our section on<A href="politics.html#politics"> history and
+ politics</A> of cryptography, which includes our project leader's<A href="politics.html#gilmore">
+ rationale</A> for starting the project.</P>
+<H3><A name="staff">Project team</A></H3>
+<P>Two of the team are from the US and can therefore contribute no code:</P>
+<UL>
+<LI>John Gilmore: founder and policy-maker (<A href="http://www.toad.com/gnu/">
+home page</A>)</LI>
+<LI>Hugh Daniel: project manager, Most Demented Tester, and occasionally
+ Pointy-Haired Boss</LI>
+</UL>
+<P>The rest of the team are Canadians, working in Canada. (<A href="politics.html#status">
+Why Canada?</A>)</P>
+<UL>
+<LI>Hugh Redelmeier:<A href="glossary.html#Pluto"> Pluto daemon</A>
+ programmer</LI>
+<LI>Richard Guy Briggs:<A href="glossary.html#KLIPS"> KLIPS</A>
+ programmer</LI>
+<LI>Michael Richardson: hacker without portfolio</LI>
+<LI>Claudia Schmeing: documentation</LI>
+<LI>Sam Sgro: technical support via the<A href="mail.html#lists">
+ mailing lists</A></LI>
+</UL>
+<P>The project is funded by civil libertarians who consider our goals
+ worthwhile. Most of the team are paid for this work.</P>
+<P>People outside this core team have made substantial contributions.
+ See</P>
+<UL>
+<LI>our<A href="../CREDITS"> CREDITS</A> file</LI>
+<LI>the<A href="web.html#patch"> patches and add-ons</A> section of our
+ web references file</LI>
+<LI>lists below of user-written<A href="#howto"> HowTos</A> and<A href="#applied">
+ other papers</A></LI>
+</UL>
+<P>Additional contributions are welcome. See the<A href="faq.html#contrib.faq">
+ FAQ</A> for details.</P>
+<H2><A name="products">Products containing FreeS/WAN</A></H2>
+<P>Unfortunately the<A href="politics.html#exlaw"> export laws</A> of
+ some countries restrict the distribution of strong cryptography.
+ FreeS/WAN is therefore not in the standard Linux kernel and not in all
+ CD or web distributions.</P>
+<P>FreeS/WAN is, however, quite widely used. Products we know of that
+ use it are listed below. We would appreciate hearing, via the<A href="mail.html#lists">
+ mailing lists</A>, of any we don't know of.</P>
+<H3><A name="distwith">Full Linux distributions</A></H3>
+<P>FreeS/WAN is included in various general-purpose Linux distributions,
+ mostly from countries (shown in brackets) with more sensible laws:</P>
+<UL>
+<LI><A href="http://www.suse.com/">SuSE Linux</A> (Germany)</LI>
+<LI><A href="http://www.conectiva.com">Conectiva</A> (Brazil)</LI>
+<LI><A href="http://www.linux-mandrake.com/en/">Mandrake</A> (France)</LI>
+<LI><A href="http://www.debian.org">Debian</A></LI>
+<LI>the<A href="http://www.pld.org.pl/"> Polish(ed) Linux Distribution</A>
+ (Poland)</LI>
+<LI><A>Best Linux</A> (Finland)</LI>
+</UL>
+<P>For distributions which do not include FreeS/WAN and are not Redhat
+ (which we develop and test on), there is additional information in our<A
+href="compat.html#otherdist"> compatibility</A> section.</P>
+<P>The server edition of<A href="http://www.corel.com"> Corel</A> Linux
+ (Canada) also had FreeS/WAN, but Corel have dropped that product line.</P>
+<H3><A name="kernel_dist">Linux kernel distributions</A></H3>
+<UL>
+<LI><A href="http://sourceforge.net/projects/wolk/">Working Overloaded
+ Linux Kernel (WOLK)</A></LI>
+</UL>
+<H3><A name="office_dist">Office server distributions</A></H3>
+<P>FreeS/WAN is also included in several distributions aimed at the
+ market for turnkey business servers:</P>
+<UL>
+<LI><A href="http://www.e-smith.com/">e-Smith</A> (Canada), which has
+ recently been acquired and become the Network Server Solutions group of<A
+href="http://www.mitel.com/"> Mitel Networks</A> (Canada)</LI>
+<LI><A href="http://www.clarkconnect.org/">ClarkConnect</A> from Point
+ Clark Networks (Canada)</LI>
+<LI><A href="http://www.trustix.net/">Trustix Secure Linux</A> (Norway)</LI>
+</UL>
+<H3><A name="fw_dist">Firewall distributions</A></H3>
+<P>Several distributions intended for firewall and router applications
+ include FreeS/WAN:</P>
+<UL>
+<LI>The<A href="http://www.linuxrouter.org/"> Linux Router Project</A>
+ produces a Linux distribution that will boot from a single floppy. The<A
+href="http://leaf.sourceforge.net"> LEAF</A> firewall project provides
+ several different LRP-based firewall packages. At least one of them,
+ Charles Steinkuehler's Dachstein, includes FreeS/WAN with X.509
+ patches.</LI>
+<LI>there are several distributions bootable directly from CD-ROM,
+ usable on a machine without hard disk.
+<UL>
+<LI>Dachstein (see above) can be used this way</LI>
+<LI><A href="http://www.gibraltar.at/">Gibraltar</A> is based on Debian
+ GNU/Linux.</LI>
+<LI>at time of writing,<A href="www.xiloo.com"> Xiloo</A> is available
+ only in Chinese. An English version is expected.</LI>
+</UL>
+</LI>
+<LI><A href="http://www.astaro.com/products/index.html">Astaro Security
+ Linux</A> includes FreeS/WAN. It has some web-based tools for managing
+ the firewall that include FreeS/WAN configuration management.</LI>
+<LI><A href="http://www.linuxwall.de">Linuxwall</A></LI>
+<LI><A href="http://www.smoothwall.org/">Smoothwall</A></LI>
+<LI><A href="http://www.devil-linux.org/">Devil Linux</A></LI>
+<LI>Coyote Linux has a<A href="http://embedded.coyotelinux.com/wolverine/index.php">
+ Wolverine</A> firewall/VPN server</LI>
+</UL>
+<P>There are also several sets of scripts available for managing a
+ firewall which is also acting as a FreeS/WAN IPsec gateway. See this<A href="firewall.html#rules.pub">
+ list</A>.</P>
+<H3><A name="turnkey">Firewall and VPN products</A></H3>
+<P>Several vendors use FreeS/WAN as the IPsec component of a turnkey
+ firewall or VPN product.</P>
+<P>Software-only products:</P>
+<UL>
+<LI><A href="http://www.linuxmagic.com/vpn/index.html">Linux Magic</A>
+ offer a VPN/Firewall product using FreeS/WAN</LI>
+<LI>The Software Group's<A href="http://www.wanware.com/sentinet/">
+ Sentinet</A> product uses FreeS/WAN</LI>
+<LI><A href="http://www.merilus.com">Merilus</A> use FreeS/WAN in their
+ Gateway Guardian firewall product</LI>
+</UL>
+<P>Products that include the hardware:</P>
+<UL>
+<LI>The<A href="http://www.lasat.com"> LASAT SafePipe[tm]</A> series. is
+ an IPsec box based on an embedded MIPS running Linux with FreeS/WAN and
+ a web-config front end. This company also host our freeswan.org web
+ site.</LI>
+<LI>Merilus<A href="http://www.merilus.com/products/fc/index.shtml">
+ Firecard</A> is a Linux firewall on a PCI card.</LI>
+<LI><A href="http://www.kyzo.com/">Kyzo</A> have a "pizza box" product
+ line with various types of server, all running from flash. One of them
+ is an IPsec/PPTP VPN server</LI>
+<LI><A href="http://www.pfn.com">PFN</A> use FreeS/WAN in some of their
+ products</LI>
+</UL>
+<P><A href="www.rebel.com">Rebel.com</A>, makers of the Netwinder Linux
+ machines (ARM or Crusoe based), had a product that used FreeS/WAN. The
+ company is in receivership so the future of the Netwinder is at best
+ unclear.<A href="web.html#patch"> PKIX patches</A> for FreeS/WAN
+ developed at Rebel are listed in our web links document.</P>
+<H2><A name="docs">Information sources</A></H2>
+<H3><A name="docformats">This HowTo, in multiple formats</A></H3>
+<P>FreeS/WAN documentation up to version 1.5 was available only in HTML.
+ Now we ship two formats:</P>
+<UL>
+<LI>as HTML, one file for each doc section plus a global<A href="toc.html">
+ Table of Contents</A></LI>
+<LI><A href="HowTo.html">one big HTML file</A> for easy searching</LI>
+</UL>
+<P>and provide a Makefile to generate other formats if required:</P>
+<UL>
+<LI><A href="HowTo.pdf">PDF</A></LI>
+<LI><A href="HowTo.ps">Postscript</A></LI>
+<LI><A href="HowTo.txt">ASCII text</A></LI>
+</UL>
+<P>The Makefile assumes the htmldoc tool is available. You can download
+ it from<A href="http://www.easysw.com"> Easy Software</A>.</P>
+<P>All formats should be available at the following websites:</P>
+<UL>
+<LI><A href="http://www.freeswan.org/doc.html">FreeS/WAN project</A></LI>
+<LI><A href="http://www.linuxdoc.org">Linux Documentation Project</A></LI>
+</UL>
+<P>The distribution tarball has only the two HTML formats.</P>
+<P><STRONG>Note:</STRONG> If you need the latest doc version, for
+ example to see if anyone has managed to set up interoperation between
+ FreeS/WAN and whatever, then you should download the current snapshot.
+ What is on the web is documentation as of the last release. Snapshots
+ have all changes I've checked in to date.</P>
+<H3><A name="rtfm">RTFM (please Read The Fine Manuals)</A></H3>
+<P>As with most things on any Unix-like system, most parts of Linux
+ FreeS/WAN are documented in online manual pages. We provide a list of<A href="/mnt/floppy/manpages.html">
+ FreeS/WAN man pages</A>, with links to HTML versions of them.</P>
+<P>The man pages describing configuration files are:</P>
+<UL>
+<LI><A href="/mnt/floppy/manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></LI>
+<LI><A href="/mnt/floppy/manpage.d/ipsec.secrets.5.html">
+ipsec.secrets(5)</A></LI>
+</UL>
+<P>Man pages for common commands include:</P>
+<UL>
+<LI><A href="/mnt/floppy/manpage.d/ipsec.8.html">ipsec(8)</A></LI>
+<LI><A href="/mnt/floppy/manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A>
+</LI>
+<LI><A href="/mnt/floppy/manpage.d/ipsec_newhostkey.8.html">
+ipsec_newhostkey(8)</A></LI>
+<LI><A href="/mnt/floppy/manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A></LI>
+</UL>
+<P>You can read these either in HTML using the links above or with the<VAR>
+ man(1)</VAR> command.</P>
+<P>In the event of disagreement between this HTML documentation and the
+ man pages, the man pages are more likely correct since they are written
+ by the implementers. Please report any such inconsistency on the<A href="mail.html#lists">
+ mailing list</A>.</P>
+<H3><A name="text">Other documents in the distribution</A></H3>
+<P>Text files in the main distribution directory are README, INSTALL,
+ CREDITS, CHANGES, BUGS and COPYING.</P>
+<P>The Libdes encryption library we use has its own documentation. You
+ can find it in the library directory..</P>
+<H3><A name="assumptions">Background material</A></H3>
+<P>Throughout this documentation, I write as if the reader had at least
+ a general familiarity with Linux, with Internet Protocol networking,
+ and with the basic ideas of system and network security. Of course that
+ will certainly not be true for all readers, and quite likely not even
+ for a majority.</P>
+<P>However, I must limit amount of detail on these topics in the main
+ text. For one thing, I don't understand all the details of those topics
+ myself. Even if I did, trying to explain everything here would produce
+ extremely long and almost completely unreadable documentation.</P>
+<P>If one or more of those areas is unknown territory for you, there are
+ plenty of other resources you could look at:</P>
+<DL>
+<DT>Linux</DT>
+<DD>the<A href="http://www.linuxdoc.org"> Linux Documentation Project</A>
+ or a local<A href="http://www.linux.org/groups/"> Linux User Group</A>
+ and these<A href="web.html#linux.link"> links</A></DD>
+<DT>IP networks</DT>
+<DD>Rusty Russell's<A href="http://netfilter.samba.org/unreliable-guides/networking-concepts-HOWTO/index.html">
+ Networking Concepts HowTo</A> and these<A href="web.html#IP.background">
+ links</A></DD>
+<DT>Security</DT>
+<DD>Schneier's book<A href="biblio.html#secrets"> Secrets and Lies</A>
+ and these<A href="web.html#crypto.link"> links</A></DD>
+</DL>
+<P>Also, I do make an effort to provide some background material in
+ these documents. All the basic ideas behind IPsec and FreeS/WAN are
+ explained here. Explanations that do not fit in the main text, or that
+ not everyone will need, are often in the<A href="glossary.html#ourgloss">
+ glossary</A>, which is the largest single file in this document set.
+ There is also a<A href="background.html#background"> background</A>
+ file containing various explanations too long to fit in glossary
+ definitions. All files are heavily sprinkled with links to each other
+ and to the glossary.<STRONG> If some passage makes no sense to you, try
+ the links</STRONG>.</P>
+<P>For other reference material, see the<A href="biblio.html#biblio">
+ bibliography</A> and our collection of<A href="web.html#weblinks"> web
+ links</A>.</P>
+<P>Of course, no doubt I get this (and other things) wrong sometimes.
+ Feedback via the<A href="mail.html#lists"> mailing lists</A> is
+ welcome.</P>
+<H3><A name="archives">Archives of the project mailing list</A></H3>
+<P>Until quite recently, there was only one FreeS/WAN mailing list, and
+ archives of it were:</P>
+<UL>
+<LI><A href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</A></LI>
+<LI><A href="http://www.nexial.com">Holland</A></LI>
+</UL>
+ The two archives use completely different search engines. You might
+ want to try both.
+<P>More recently we have expanded to five lists, each with its own
+ archive.</P>
+<P><A href="mail.html#lists">More information</A> on mailing lists.</P>
+<H3><A name="howto">User-written HowTo information</A></H3>
+<P>Various user-written HowTo documents are available. The ones covering
+ FreeS/WAN-to-FreeS/WAN connections are:</P>
+<UL>
+<LI>Jean-Francois Nadeau's<A href="http://jixen.tripod.com/"> practical
+ configurations</A> document</LI>
+<LI>Jens Zerbst's HowTo on<A href="http://dynipsec.tripod.com/"> Using
+ FreeS/WAN with dynamic IP addresses</A>.</LI>
+<LI>an entry in Kurt Seifried's<A href="http://www.securityportal.com/lskb/kben00000013.html">
+ Linux Security Knowledge Base</A>.</LI>
+<LI>a section of David Ranch's<A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
+ Trinity OS Guide</A></LI>
+<LI>a section in David Bander's book<A href="biblio.html#bander"> Linux
+ Security Toolkit</A></LI>
+</UL>
+<P>User-wriiten HowTo material may be<STRONG> especially helpful if you
+ need to interoperate with another IPsec implementation</STRONG>. We
+ have neither the equipment nor the manpower to test such
+ configurations. Users seem to be doing an admirable job of filling the
+ gaps.</P>
+<UL>
+<LI>list of user-written<A href="interop.html#otherpub"> interoperation
+ HowTos</A> in our interop document</LI>
+</UL>
+<P>Check what version of FreeS/WAN user-written documents cover. The
+ software is under active development and the current version may be
+ significantly different from what an older document describes.</P>
+<H3><A name="applied">Papers on FreeS/WAN</A></H3>
+<P>Two design documents show team thinking on new developments:</P>
+<UL>
+<LI><A href="opportunism.spec">Opportunistic Encryption</A> by technical
+ lead Henry Spencer and Pluto programmer Hugh Redelemeier</LI>
+<LI>discussion of<A href="http://www.sandelman.ottawa.on.ca/SSW/freeswan/klips2req/">
+ KLIPS redesign</A></LI>
+</UL>
+<P>Both documents are works in progress and are frequently revised. For
+ the latest version, see the<A href="mail.html#lists"> design mailing
+ list</A>. Comments should go to that list.</P>
+<P>There is now an<A href="http://www.ietf.org/internet-drafts/draft-richardson-ipsec-opportunistic-06.txt">
+ Internet Draft on Opportunistic Encryption</A> by Michael Richardson,
+ Hugh Redelmeier and Henry Spencer. This is a first step toward getting
+ the protocol standardised so there can be multiple implementations of
+ it. Discussion of it takes place on the<A href="http://www.ietf.org/html.charters/ipsec-charter.html">
+ IETF IPsec Working Group</A> mailing list.</P>
+<P>A number of papers giving further background on FreeS/WAN, or
+ exploring its future or its applications, are also available:</P>
+<UL>
+<LI>Both Henry and Richard gave talks on FreeS/WAN at the 2000<A href="http://www.linuxsymposium.org">
+ Ottawa Linux Symposium</A>.
+<UL>
+<LI>Richard's<A href="http://www.conscoop.ottawa.on.ca/rgb/freeswan/ols2k/">
+ slides</A></LI>
+<LI>Henry's paper</LI>
+<LI>MP3 audio of their talks is available from the<A href="http://www.linuxsymposium.org/">
+ conference page</A></LI>
+</UL>
+</LI>
+<LI><CITE>Moat: A Virtual Private Network Appliances and Services
+ Platform</CITE> is a paper about large-scale (a few 100 links) use of
+ FreeS/WAN in a production application at AT&T Research. It is available
+ in Postscript or PDF from co-author Steve Bellovin's<A href="http://www.research.att.com/~smb/papers/index.html">
+ papers list page</A>.</LI>
+<LI>One of the Moat co-authors, John Denker, has also written
+<UL>
+<LI>a<A href="http://www.av8n.com/vpn/ipsec+routing.htm"> proposal</A>
+ for how future versions of FreeS/WAN might interact with routing
+ protocols</LI>
+<LI>a<A href="http://www.av8n.com/vpn/wishlist.htm"> wishlist</A> of
+ possible new features</LI>
+</UL>
+</LI>
+<LI>Bart Trojanowski's web page has a draft design for<A href="http://www.jukie.net/~bart/linux-ipsec/">
+ hardware acceleration</A> of FreeS/WAN</LI>
+</UL>
+<P>Several of these provoked interesting discussions on the mailing
+ lists, worth searching for in the<A href="mail.html#archive"> archives</A>
+.</P>
+<P>There are also several papers in languages other than English, see
+ our<A href="web.html#otherlang"> web links</A>.</P>
+<H3><A name="licensing">License and copyright information</A></H3>
+<P>All code and documentation written for this project is distributed
+ under either the GNU General Public License (<A href="glossary.html#GPL">
+GPL</A>) or the GNU Library General Public License. For details see the
+ COPYING file in the distribution.</P>
+<P>Not all code in the distribution is ours, however. See the CREDITS
+ file for details. In particular, note that the<A href="glossary.html#LIBDES">
+ Libdes</A> library and the version of<A href="glossary.html#MD5"> MD5</A>
+ that we use each have their own license.</P>
+<H2><A name="sites">Distribution sites</A></H2>
+<P>FreeS/WAN is available from a number of sites.</P>
+<H3><A NAME="1_5_1">Primary site</A></H3>
+<P>Our primary site, is at xs4all (Thanks, folks!) in Holland:</P>
+<UL>
+<LI><A href="http://www.xs4all.nl/~freeswan">HTTP</A></LI>
+<LI><A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">FTP</A></LI>
+</UL>
+<H3><A name="mirrors">Mirrors</A></H3>
+<P>There are also mirror sites all over the world:</P>
+<UL>
+<LI><A href="http://www.flora.org/freeswan">Eastern Canada</A> (limited
+ resouces)</LI>
+<LI><A href="ftp://ludwig.doculink.com/pub/freeswan/">Eastern Canada</A>
+ (has older versions too)</LI>
+<LI><A href="ftp://ntsc.notBSD.org/pub/crypto/freeswan/">Eastern Canada</A>
+ (has older versions too)</LI>
+<LI><A href="ftp://ftp.kame.net/pub/freeswan/">Japan</A></LI>
+<LI><A href="ftp://ftp.futuredynamics.com/freecrypto/FreeSWAN/">Hong
+ Kong</A></LI>
+<LI><A href="ftp://ipsec.dk/pub/freeswan/">Denmark</A></LI>
+<LI><A href="ftp://ftp.net.lut.ac.uk/freeswan">the UK</A></LI>
+<LI><A href="http://storm.alert.sk/comp/mirrors/freeswan/">Slovak
+ Republic</A></LI>
+<LI><A href="http://the.wiretapped.net/security/vpn-tunnelling/freeswan/">
+Australia</A></LI>
+<LI><A href="http://freeswan.technolust.cx/">technolust</A></LI>
+<LI><A href="http://freeswan.devguide.de/">Germany</A></LI>
+<LI>Ivan Moore's<A href="http://snowcrash.tdyc.com/freeswan/"> site</A></LI>
+<LI>the<A href="http://www.cryptoarchive.net/"> Crypto Archive</A> on
+ the<A href="http://www.securityportal.com/"> Security Portal</A> site</LI>
+<LI><A href="http://www.wiretapped.net/">Wiretapped.net</A> in Australia</LI>
+</UL>
+<P>Thanks to those folks as well.</P>
+<H3><A name="munitions">The "munitions" archive of Linux crypto software</A>
+</H3>
+<P>There is also an archive of Linux crypto software called "munitions",
+ with its own mirrors in a number of countries. It includes FreeS/WAN,
+ though not always the latest version. Some of its sites are:</P>
+<UL>
+<LI><A href="http://munitions.vipul.net/">Germany</A></LI>
+<LI><A href="http://munitions.iglu.cjb.net/">Italy</A></LI>
+<LI><A href="http://munitions2.xs4all.nl/">Netherlands</A></LI>
+</UL>
+<P>Any of those will have a list of other "munitions" mirrors. There is
+ also a CD available.</P>
+<H2><A NAME="1_6">Links to other sections</A></H2>
+<P>For more detailed background information, see:</P>
+<UL>
+<LI><A href="politics.html#politics">history and politics</A> of
+ cryptography</LI>
+<LI><A href="ipsec.html#ipsec.detail">IPsec protocols</A></LI>
+</UL>
+<P>To begin working with FreeS/WAN, go to our<A href="quickstart.html#quick.guide">
+ quickstart</A> guide.</P>
+<HR>
+<A HREF="toc.html">Contents</A>
+<A HREF="upgrading.html">Next</A>
+</BODY>
+</HTML>
projects / thirdparty / strongswan.git / blobdiff