+++ /dev/null
-<html>
-<head>
- <meta http-equiv="Content-Type" content="text/html">
- <title>Introduction to FreeS/WAN</title>
- <meta name="keywords"
- content="Linux, IPsec, VPN, security, FreeSWAN, introduction">
- <!--
-
- Written by Sandy Harris for the Linux FreeS/WAN project
- Freely distributable under the GNU General Public License
-
- More information at www.freeswan.org
- Feedback to users@lists.freeswan.org
-
- CVS information:
- RCS ID: $Id: intro.html,v 1.1 2004/03/15 20:35:24 as Exp $
- Last changed: $Date: 2004/03/15 20:35:24 $
- Revision number: $Revision: 1.1 $
-
- CVS revision numbers do not correspond to FreeS/WAN release numbers.
- -->
-</head>
-
-<body>
-<h1><a name="intro">Introduction</a></h1>
-
-<p>This section gives an overview of:</p>
-<ul>
- <li>what IP Security (IPsec) does</li>
- <li>how IPsec works</li>
- <li>why we are implementing it for Linux</li>
- <li>how this implementation works</li>
-</ul>
-
-<p>This section is intended to cover only the essentials, <em>things you
-should know before trying to use FreeS/WAN.</em></p>
-
-<p>For more detailed background information, see the <a
-href="politics.html#politics">history and politics</a> and
-<a href="ipsec.html#ipsec.detail">IPsec protocols</a> sections.</p>
-
-<h2><a name="ipsec.intro">IPsec, Security for the Internet Protocol</a></h2>
-
-<p>FreeS/WAN is a Linux implementation of the IPsec (IP security) protocols.
-IPsec provides <a href="glossary.html#encryption">encryption</a> and <a
-href="glossary.html#authentication">authentication</a> services at the IP
-(Internet Protocol) level of the network protocol stack.</p>
-
-<p>Working at this level, IPsec can protect any traffic carried over IP,
-unlike other encryption which generally protects only a particular
-higher-level protocol -- <a href="glossary.html#PGP">PGP</a> for mail, <a
-href="glossary.html#SSH">SSH</a> for remote login, <a
-href="glossary.html#SSL">SSL</a> for web work, and so on. This approach has
-both considerable advantages and some limitations. For discussion, see our <a
-href="ipsec.html#others">IPsec section</a></p>
-
-<p>IPsec can be used on any machine which does IP networking. Dedicated IPsec
-gateway machines can be installed wherever required to protect traffic. IPsec
-can also run on routers, on firewall machines, on various application
-servers, and on end-user desktop or laptop machines.</p>
-
-<p>Three protocols are used</p>
-<ul>
- <li><a href="glossary.html#AH">AH</a> (Authentication Header) provides a
- packet-level authentication service</li>
- <li><a href="glossary.html#ESP">ESP</a> (Encapsulating Security Payload)
- provides encryption plus authentication</li>
- <li><a href="glossary.html#IKE">IKE</a> (Internet Key Exchange) negotiates
- connection parameters, including keys, for the other two</li>
-</ul>
-
-<p>Our implementation has three main parts:</p>
-<ul>
- <li><a href="glossary.html#KLIPS">KLIPS</a> (kernel IPsec) implements AH,
- ESP, and packet handling within the kernel</li>
- <li><a href="glossary.html#Pluto">Pluto</a> (an IKE daemon) implements IKE,
- negotiating connections with other systems</li>
- <li>various scripts provide an adminstrator's interface to the
- machinery</li>
-</ul>
-
-<p>IPsec is optional for the current (version 4) Internet Protocol. FreeS/WAN
-adds IPsec to the Linux IPv4 network stack. Implementations of <a
-href="glossary.html#ipv6.gloss">IP version 6</a> are required to include
-IPsec. Work toward integrating FreeS/WAN into the Linux IPv6 stack has <a
-href="compat.html#ipv6">started</a>.</p>
-
-<p>For more information on IPsec, see our
-<a href="ipsec.html#ipsec.detail">IPsec protocols</a> section,
-our collection of <a href="web.html#ipsec.link">IPsec
-links</a> or the <a href="rfc.html#RFC">RFCs</a> which are the official
-definitions of these protocols.</p>
-
-<h3><a name="intro.interop">Interoperating with other IPsec
-implementations</a></h3>
-
-<p>IPsec is designed to let different implementations work together. We
-provide:</p>
-<ul>
- <li>a <a href="web.html#implement">list</a> of some other
- implementations</li>
- <li>information on <a href="interop.html#interop">using FreeS/WAN
- with other implementations</a></li>
-</ul>
-
-<p>The VPN Consortium fosters cooperation among implementers and
-interoperability among implementations. Their <a
-href="http://www.vpnc.org/">web site</a> has much more information.</p>
-
-<h3><a name="advantages">Advantages of IPsec</a></h3>
-
-<p>IPsec has a number of security advantages. Here are some independently
-written articles which discuss these:</p>
-
-<P>
-<A HREF="http://www.sans.org/rr/">SANS institute papers</A>. See the section
-on Encryption &VPNs.
-<BR>
-<A HREF="http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_papers_list.html">Cisco's
-white papers on "Networking Solutions"</A>.
-<BR>
-<A HREF="http://iscs.sourceforge.net/HowWhyBrief/HowWhyBrief.html">
-Advantages of ISCS (Linux Integrated Secure Communications System;
-includes FreeS/WAN and other software)</A>.
-
-</P>
-
-
-<h3><a name="applications">Applications of IPsec</a></h3>
-
-<p>Because IPsec operates at the network layer, it is remarkably flexible and
-can be used to secure nearly any type of Internet traffic. Two applications,
-however, are extremely widespread:</p>
-<ul>
- <li>a <a href="glossary.html#VPN">Virtual Private Network</a>, or VPN,
- allows multiple sites to communicate securely over an insecure Internet
- by encrypting all communication between the sites.</li>
- <li>"Road Warriors" connect to the office from home, or perhaps from a
- hotel somewhere</li>
-</ul>
-
-<p>There is enough opportunity in these applications that vendors are
-flocking to them. IPsec is being built into routers, into firewall products,
-and into major operating systems, primarily to support these applications.
-See our <a href="web.html#implement">list</a> of implementations for
-details.</p>
-
-<p>We support both of those applications, and various less common IPsec
-applications as well, but we also add one of our own:</p>
-<ul>
- <li>opportunistic encryption, the ability to set up FreeS/WAN gateways so
- that any two of them can encrypt to each other, and will do so whenever
- packets pass between them.</li>
-</ul>
-
-<p>This is an extension we are adding to the protocols. FreeS/WAN is the
-first prototype implementation, though we hope other IPsec implementations
-will adopt the technique once we demonstrate it. See <a href="#goals">project
-goals</a> below for why we think this is important.</p>
-
-<p>A somewhat more detailed description of each of these applications is
-below. Our <a href="quickstart.html#quick_guide">quickstart</a> section will
-show you how to build each of them.</p>
-
-<h4><a name="makeVPN">Using secure tunnels to create a VPN</a></h4>
-
-<p>A VPN, or <strong>V</strong>irtual <strong>P</strong>rivate
-<strong>N</strong>etwork lets two networks communicate securely when the only
-connection between them is over a third network which they do not trust.</p>
-
-<p>The method is to put a security gateway machine between each of the
-communicating networks and the untrusted network. The gateway machines
-encrypt packets entering the untrusted net and decrypt packets leaving it,
-creating a secure tunnel through it.</p>
-
-<p>If the cryptography is strong, the implementation is careful, and the
-administration of the gateways is competent, then one can reasonably trust
-the security of the tunnel. The two networks then behave like a single large
-private network, some of whose links are encrypted tunnels through untrusted
-nets.</p>
-
-<p>Actual VPNs are often more complex. One organisation may have fifty branch
-offices, plus some suppliers and clients, with whom it needs to communicate
-securely. Another might have 5,000 stores, or 50,000 point-of-sale devices.
-The untrusted network need not be the Internet. All the same issues arise on
-a corporate or institutional network whenever two departments want to
-communicate privately with each other.</p>
-
-<p>Administratively, the nice thing about many VPN setups is that large parts
-of them are static. You know the IP addresses of most of the machines
-involved. More important, you know they will not change on you. This
-simplifies some of the admin work. For cases where the addresses do change,
-see the next section.</p>
-
-<h4><a name="road.intro">Road Warriors</a></h4>
-
-<p>The prototypical "Road Warrior" is a traveller connecting to home base
-from a laptop machine. Administratively, most of the same problems arise for
-a telecommuter connecting from home to the office, especially if the
-telecommuter does not have a static IP address.</p>
-
-<p>For purposes of this document:</p>
-<ul>
- <li>anyone with a dynamic IP address is a "Road Warrior".</li>
- <li>any machine doing IPsec processing is a "gateway". Think of the
- single-user road warrior machine as a gateway with a degenerate subnet
- (one machine, itself) behind it.</li>
-</ul>
-
-<p>These require somewhat different setup than VPN gateways with static
-addresses and with client systems behind them, but are basically not
-problematic.</p>
-
-<p>There are some difficulties which appear for some road warrior
-connections:</p>
-<ul>
- <li>Road Wariors who get their addresses via DHCP may have a problem.
- FreeS/WAN can quite happily build and use a tunnel to such an address,
- but when the DHCP lease expires, FreeS/WAN does not know that. The tunnel
- fails, and the only recovery method is to tear it down and re-build
- it.</li>
- <li>If <a href="glossary.html#NAT.gloss">Network Address Translation</a>
- (NAT) is applied between the two IPsec Gateways, this breaks IPsec. IPsec
- authenticates packets on an end-to-end basis, to ensure they are not
- altered en route. NAT rewrites packets as they go by. See our <a
- href="firewall.html#NAT">firewalls</a> document for details.</li>
-</ul>
-
-<p>In most situations, however, FreeS/WAN supports road warrior connections
-just fine.</p>
-
-<h4><a name="opp.intro">Opportunistic encryption</a></h4>
-
-<p>One of the reasons we are working on FreeS/WAN is that it gives us the
-opportunity to add what we call opportuntistic encryption. This means that
-any two FreeS/WAN gateways will be able to encrypt their traffic, even if the
-two gateway administrators have had no prior contact and neither system has
-any preset information about the other.</p>
-
-<p>Both systems pick up the authentication information they need from the <a
-href="glossary.html#DNS">DNS</a> (domain name service), the service they
-already use to look up IP addresses. Of course the administrators must put
-that information in the DNS, and must set up their gateways with
-opportunistic encryption enabled. Once that is done, everything is automatic.
-The gateways look for opportunities to encrypt, and encrypt whatever they
-can. Whether they also accept unencrypted communication is a policy decision
-the administrator can make.</p>
-
-<p>This technique can give two large payoffs:</p>
-<ul>
- <li>It reduces the administrative overhead for IPsec enormously. You
- configure your gateway and thereafter everything is automatic. The need
- to configure the system on a per-tunnel basis disappears. Of course,
- FreeS/WAN allows specifically configured tunnels to co-exist with
- opportunistic encryption, but we hope to make them unnecessary in most
- cases.</li>
- <li>It moves us toward a more secure Internet, allowing users to create an
- environment where message privacy is the default. All messages can be
- encrypted, provided the other end is willing to co-operate. See our <a
- href="politics.html#politics">history and politics of cryptography</a>
- section for discussion of why we think this is needed.</li>
-</ul>
-
-<p>Opportunistic encryption is not (yet?) a standard part of the IPsec
-protocols, but an extension we are proposing and demonstrating. For details
-of our design, see <a href="#applied">links</a> below.</p>
-
-<p>Only one current product we know of implements a form of opportunistic
-encryption. <a href="web.html#ssmail">Secure sendmail</a> will automatically
-encrypt server-to-server mail transfers whenever possible.</p>
-
-<h3><a name="types">The need to authenticate gateways</a></h3>
-
-<p>A complication, which applies to any type of connection -- VPN, Road
-Warrior or opportunistic -- is that a secure connection cannot be created
-magically. <em>There must be some mechanism which enables the gateways to
-reliably identify each other.</em> Without this, they cannot sensibly trust
-each other and cannot create a genuinely secure link.</p>
-
-<p>Any link they do create without some form of <a
-href="glossary.html#authentication">authentication</a> will be vulnerable to
-a <a href="glossary.html#middle">man-in-the-middle attack</a>. If <a
-href="glossary.html#alicebob">Alice and Bob</a> are the people creating the
-connection, a villian who can re-route or intercept the packets can pose as
-Alice while talking to Bob and pose as Bob while talking to Alice. Alice and
-Bob then both talk to the man in the middle, thinking they are talking to
-each other, and the villain gets everything sent on the bogus "secure"
-connection.</p>
-
-<p>There are two ways to build links securely, both of which exclude the
-man-in-the middle:</p>
-<ul>
- <li>with <strong>manual keying</strong>, Alice and Bob share a secret key
- (which must be transmitted securely, perhaps in a note or via PGP or SSH)
- to encrypt their messages. For FreeS/WAN, such keys are stored in the <a
- href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> file. Of course, if
- an enemy gets the key, all is lost.</li>
- <li>with <strong>automatic keying</strong>, the two systems authenticate
- each other and negotiate their own secret keys. The keys are
- automatically changed periodically.</li>
-</ul>
-
-<p>Automatic keying is much more secure, since if an enemy gets one key only
-messages between the previous re-keying and the next are exposed. It is
-therefore the usual mode of operation for most IPsec deployment, and the mode
-we use in our setup examples. FreeS/WAN does support manual keying for
-special circumstanes. See this <a
-href="adv_config.html#prodman">section</a>.</p>
-
-<p>For automatic keying, the two systems must authenticate each other during
-the negotiations. There is a choice of methods for this:</p>
-<ul>
- <li>a <strong>shared secret</strong> provides authentication. If Alice and
- Bob are the only ones who know a secret and Alice recives a message which
- could not have been created without that secret, then Alice can safely
- believe the message came from Bob.</li>
- <li>a <a href="glossary.html#public">public key</a> can also provide
- authentication. If Alice receives a message signed with Bob's private key
- (which of course only he should know) and she has a trustworthy copy of
- his public key (so that she can verify the signature), then she can
- safely believe the message came from Bob.</li>
-</ul>
-
-<p>Public key techniques are much preferable, for reasons discussed <a
-href="config.html#choose">later</a>, and will be used in all our setup
-examples. FreeS/WAN does also support auto-keying with shared secret
-authentication. See this <a
-href="adv_config.html#prodsecrets">section</a>.</p>
-
-<h2><a name="project">The FreeS/WAN project</a></h2>
-
-<p>For complete information on the project, see our web site, <a
-href="http://liberty.freeswan.org">freeswan.org</a>.</p>
-
-<p>In summary, we are implementing the <a
-href="glossary.html#IPsec">IPsec</a> protocols for Linux and extending them
-to do <a href="glossary.html#carpediem">opportunistic encryption</a>.</p>
-
-<h3><a name="goals">Project goals</a></h3>
-
-<p>Our overall goal in FreeS/WAN is to make the Internet more secure and more
-private.</p>
-
-<p>Our IPsec implementation supports VPNs and Road Warriors of course. Those
-are important applications. Many users will want FreeS/WAN to build corporate
-VPNs or to provide secure remote access.</p>
-
-<p>However, our goals in building it go beyond that. We are trying to help
-<strong>build security into the fabric of the Internet</strong> so that
-anyone who choses to communicate securely can do so, as easily as they can do
-anything else on the net.</p>
-
-<p>More detailed objectives are:</p>
-<ul>
- <li>extend IPsec to do <a href="glossary.html#carpediem">opportunistic
- encryption</a> so that
- <ul>
- <li>any two systems can secure their communications without a
- pre-arranged connection</li>
- <li><strong>secure connections can be the default</strong>, falling
- back to unencrypted connections only if:
- <ul>
- <li><em>both</em> the partner is not set up to co-operate on
- securing the connection</li>
- <li><em>and</em> your policy allows insecure connections</li>
- </ul>
- </li>
- <li>a significant fraction of all Internet traffic is encrypted</li>
- <li>wholesale monitoring of the net (<a
- href="politics.html#intro.poli">examples</a>) becomes difficult or
- impossible</li>
- </ul>
- </li>
- <li>help make IPsec widespread by providing an implementation with no
- restrictions:
- <ul>
- <li>freely available in source code under the <a
- href="glossary.html#GPL">GNU General Public License</a></li>
- <li>running on a range of readily available hardware</li>
- <li>not subject to US or other nations' <a
- href="politics.html#exlaw">export restrictions</a>.<br>
- Note that in order to avoid <em>even the appearance</em> of being
- subject to those laws, the project cannot accept software
- contributions -- <em>not even one-line bug fixes</em> -- from US
- residents or citizens.</li>
- </ul>
- </li>
- <li>provide a high-quality IPsec implementation for Linux
- <ul>
- <li>portable to all CPUs Linux supports: <a
- href="compat.html#CPUs">(current list)</a></li>
- <li>interoperable with other IPsec implementations: <a
- href="interop.html#interop">(current list)</a></li>
- </ul>
- </li>
-</ul>
-
-<p>If we can get opportunistic encryption implemented and widely deployed,
-then it becomes impossible for even huge well-funded agencies to monitor the
-net.</p>
-
-<p>See also our section on <a href="politics.html#politics">history and
-politics</a> of cryptography, which includes our project leader's <a
-href="politics.html#gilmore">rationale</a> for starting the project.</p>
-
-<h3><a name="staff">Project team</a></h3>
-
-<p>Two of the team are from the US and can therefore contribute no code:</p>
-<ul>
- <li>John Gilmore: founder and policy-maker (<a
- href="http://www.toad.com/gnu/">home page</a>)</li>
- <li>Hugh Daniel: project manager, Most Demented Tester, and occasionally
- Pointy-Haired Boss</li>
-</ul>
-
-<p>The rest of the team are Canadians, working in Canada. (<a
-href="politics.html#status">Why Canada?</a>)</p>
-<ul>
- <li>Hugh Redelmeier: <a href="glossary.html#Pluto">Pluto daemon</a>
- programmer</li>
- <li>Richard Guy Briggs: <a href="glossary.html#KLIPS">KLIPS</a>
- programmer</li>
- <li>Michael Richardson: hacker without portfolio</li>
- <li>Claudia Schmeing: documentation</li>
- <li>Sam Sgro: technical support via the <a href="mail.html#lists">mailing
- lists</a></li>
-</ul>
-
-<p>The project is funded by civil libertarians who consider our goals
-worthwhile. Most of the team are paid for this work.</p>
-
-<p>People outside this core team have made substantial contributions. See</p>
-<ul>
- <li>our <a href="../CREDITS">CREDITS</a> file</li>
- <li>the <a href="web.html#patch">patches and add-ons</a> section of our web
- references file</li>
- <li>lists below of user-written <a href="#howto">HowTos</a> and <a
- href="#applied">other papers</a></li>
-</ul>
-
-<p>Additional contributions are welcome. See the <a
-href="faq.html#contrib.faq">FAQ</a> for details.</p>
-
-<h2><a name="products">Products containing FreeS/WAN</a></h2>
-
-<p>Unfortunately the <a href="politics.html#exlaw">export laws</a> of some
-countries restrict the distribution of strong cryptography. FreeS/WAN is
-therefore not in the standard Linux kernel and not in all CD or web
-distributions.</p>
-
-<p>FreeS/WAN is, however, quite widely used. Products we know of that use it
-are listed below. We would appreciate hearing, via the <a
-href="mail.html#lists">mailing lists</a>, of any we don't know of.</p>
-
-<h3><a name="distwith">Full Linux distributions</a></h3>
-
-<p>FreeS/WAN is included in various general-purpose Linux distributions,
-mostly from countries (shown in brackets) with more sensible laws:</p>
-<ul>
- <li><a href="http://www.suse.com/">SuSE Linux</a> (Germany)</li>
- <li><a href="http://www.conectiva.com">Conectiva</a> (Brazil)</li>
- <li><a href="http://www.linux-mandrake.com/en/">Mandrake</a> (France)</li>
- <li><a href="http://www.debian.org">Debian</a></li>
- <li>the <a href="http://www.pld.org.pl/">Polish(ed) Linux Distribution</a>
- (Poland)</li>
- <li><a>Best Linux</a> (Finland)</li>
-</ul>
-
-<p>For distributions which do not include FreeS/WAN and are not Redhat (which
-we develop and test on), there is additional information in our <a
-href="compat.html#otherdist">compatibility</a> section.</p>
-
-<p>The server edition of <a href="http://www.corel.com">Corel</a> Linux
-(Canada) also had FreeS/WAN, but Corel have dropped that product line.</p>
-
-<h3><a name="kernel_dist">Linux kernel distributions</a></h3>
-
-<ul>
-<li><a href="http://sourceforge.net/projects/wolk/">Working Overloaded Linux Kernel (WOLK)</a></li>
-</ul>
-
-
-<h3><a name="office_dist">Office server distributions</a></h3>
-
-<p>FreeS/WAN is also included in several distributions aimed at the market
-for turnkey business servers:</p>
-<ul>
- <li><a href="http://www.e-smith.com/">e-Smith</a> (Canada), which has
- recently been acquired and become the Network Server Solutions group of
- <a href="http://www.mitel.com/">Mitel Networks</a> (Canada)</li>
- <li><a href="http://www.clarkconnect.org/">ClarkConnect</a> from Point Clark Networks (Canada)</li>
- <li><a href="http://www.trustix.net/">Trustix Secure Linux</a> (Norway)</li>
-
-</ul>
-
-<h3><a name="fw_dist">Firewall distributions</a></h3>
-
-<p>Several distributions intended for firewall and router applications
-include FreeS/WAN:</p>
-<ul>
- <li>The <a href="http://www.linuxrouter.org/">Linux Router Project</a>
- produces a Linux distribution that will boot from a single floppy. The <a
- href="http://leaf.sourceforge.net">LEAF</a> firewall project provides
- several different LRP-based firewall packages. At least one of them,
- Charles Steinkuehler's Dachstein, includes FreeS/WAN with X.509
- patches.</li>
- <li>there are several distributions bootable directly from CD-ROM, usable
- on a machine without hard disk.
- <ul>
- <li>Dachstein (see above) can be used this way</li>
- <li><a href="http://www.gibraltar.at/">Gibraltar</a> is based on Debian
- GNU/Linux.</li>
- <li>at time of writing, <a href="www.xiloo.com">Xiloo</a> is available
- only in Chinese. An English version is expected.</li>
- </ul>
- </li>
- <li><a href="http://www.astaro.com/products/index.html">Astaro Security
- Linux</a> includes FreeS/WAN. It has some web-based tools for managing
- the firewall that include FreeS/WAN configuration management.</li>
- <li><a href="http://www.linuxwall.de">Linuxwall</a></li>
- <li><a href="http://www.smoothwall.org/">Smoothwall</a></li>
- <li><a href="http://www.devil-linux.org/">Devil Linux</a></li>
- <li>Coyote Linux has a <a
- href="http://embedded.coyotelinux.com/wolverine/index.php">Wolverine</a>
- firewall/VPN server</li>
-</ul>
-
-<p>There are also several sets of scripts available for managing a firewall
-which is also acting as a FreeS/WAN IPsec gateway. See this <a
-href="firewall.html#rules.pub">list</a>.</p>
-
-<h3><a name="turnkey">Firewall and VPN products</a></h3>
-
-<p>Several vendors use FreeS/WAN as the IPsec component of a turnkey firewall
-or VPN product.</p>
-
-<p>Software-only products:</p>
-<ul>
- <li><a href="http://www.linuxmagic.com/vpn/index.html">Linux Magic</a>
- offer a VPN/Firewall product using FreeS/WAN</li>
- <li>The Software Group's <a
- href="http://www.wanware.com/sentinet/">Sentinet</a> product uses
- FreeS/WAN</li>
- <li><a href="http://www.merilus.com">Merilus</a> use FreeS/WAN in their
- Gateway Guardian firewall product</li>
-</ul>
-
-<p>Products that include the hardware:</p>
-<ul>
- <li>The <a href="http://www.lasat.com">LASAT SafePipe[tm]</a> series. is an
- IPsec box based on an embedded MIPS running Linux with FreeS/WAN and a
- web-config front end. This company also host our freeswan.org web
- site.</li>
- <li>Merilus <a
- href="http://www.merilus.com/products/fc/index.shtml">Firecard</a> is a
- Linux firewall on a PCI card.</li>
- <li><a href="http://www.kyzo.com/">Kyzo</a> have a "pizza box" product line
- with various types of server, all running from flash. One of them is an
- IPsec/PPTP VPN server</li>
- <li><a href="http://www.pfn.com">PFN</a> use FreeS/WAN in some of their
- products</li>
-</ul>
-
-<p><a href="www.rebel.com">Rebel.com</a>, makers of the Netwinder Linux
-machines (ARM or Crusoe based), had a product that used FreeS/WAN. The
-company is in receivership so the future of the Netwinder is at best unclear.
-<a href="web.html#patch">PKIX patches</a> for FreeS/WAN developed at Rebel
-are listed in our web links document.</p>
-
-
-<h2><a name="docs">Information sources</a></h2>
-
-<h3><a name="docformats">This HowTo, in multiple formats</a></h3>
-
-<p>FreeS/WAN documentation up to version 1.5 was available only in HTML. Now
-we ship two formats:</p>
-<ul>
- <li>as HTML, one file for each doc section plus a global <a
- href="toc.html">Table of Contents</a></li>
- <li><a href="HowTo.html">one big HTML file</a> for easy searching</li>
-</ul>
-
-<p>and provide a Makefile to generate other formats if required:</p>
-<ul>
- <li><a href="HowTo.pdf">PDF</a></li>
- <li><a href="HowTo.ps">Postscript</a></li>
- <li><a href="HowTo.txt">ASCII text</a></li>
-</ul>
-
-<p>The Makefile assumes the htmldoc tool is available. You can download it
-from <a href="http://www.easysw.com">Easy Software</a>.</p>
-
-<p>All formats should be available at the following websites:</p>
-<ul>
- <li><a href="http://www.freeswan.org/doc.html">FreeS/WAN project</a></li>
- <li><a href="http://www.linuxdoc.org">Linux Documentation Project</a></li>
-</ul>
-
-<p>The distribution tarball has only the two HTML formats.</p>
-
-<p><strong>Note:</strong> If you need the latest doc version, for example to
-see if anyone has managed to set up interoperation between FreeS/WAN and
-whatever, then you should download the current snapshot. What is on the web
-is documentation as of the last release. Snapshots have all changes I've
-checked in to date.</p>
-
-<h3><a name="rtfm">RTFM (please Read The Fine Manuals)</a></h3>
-
-<p>As with most things on any Unix-like system, most parts of Linux FreeS/WAN
-are documented in online manual pages. We provide a list of <a
-href="/mnt/floppy/manpages.html">FreeS/WAN man pages</a>, with links to HTML
-versions of them.</p>
-
-<p>The man pages describing configuration files are:</p>
-<ul>
- <li><a href="/mnt/floppy/manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a></li>
- <li><a
- href="/mnt/floppy/manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a></li>
-</ul>
-
-<p>Man pages for common commands include:</p>
-<ul>
- <li><a href="/mnt/floppy/manpage.d/ipsec.8.html">ipsec(8)</a></li>
- <li><a
- href="/mnt/floppy/manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</a></li>
- <li><a
- href="/mnt/floppy/manpage.d/ipsec_newhostkey.8.html">ipsec_newhostkey(8)</a></li>
- <li><a href="/mnt/floppy/manpage.d/ipsec_auto.8.html">ipsec_auto(8)</a></li>
-</ul>
-
-<p>You can read these either in HTML using the links above or with the
-<var>man(1)</var> command.</p>
-
-<p>In the event of disagreement between this HTML documentation and the man
-pages, the man pages are more likely correct since they are written by the
-implementers. Please report any such inconsistency on the <a
-href="mail.html#lists">mailing list</a>.</p>
-
-<h3><a name="text">Other documents in the distribution</a></h3>
-
-<p>Text files in the main distribution directory are README, INSTALL,
-CREDITS, CHANGES, BUGS and COPYING.</p>
-
-<p>The Libdes encryption library we use has its own documentation. You can
-find it in the library directory..</p>
-
-<h3><a name="assumptions">Background material</a></h3>
-
-<p>Throughout this documentation, I write as if the reader had at least a
-general familiarity with Linux, with Internet Protocol networking, and with
-the basic ideas of system and network security. Of course that will certainly
-not be true for all readers, and quite likely not even for a majority.</p>
-
-<p>However, I must limit amount of detail on these topics in the main text.
-For one thing, I don't understand all the details of those topics myself.
-Even if I did, trying to explain everything here would produce extremely long
-and almost completely unreadable documentation.</p>
-
-<p>If one or more of those areas is unknown territory for you, there are
-plenty of other resources you could look at:</p>
-<dl>
- <dt>Linux</dt>
- <dd>the <a href="http://www.linuxdoc.org">Linux Documentation Project</a>
- or a local <a href="http://www.linux.org/groups/">Linux User Group</a>
- and these <a href="web.html#linux.link">links</a></dd>
- <dt>IP networks</dt>
- <dd>Rusty Russell's <a
- href="http://netfilter.samba.org/unreliable-guides/networking-concepts-HOWTO/index.html">Networking
- Concepts HowTo</a> and these <a
- href="web.html#IP.background">links</a></dd>
- <dt>Security</dt>
- <dd>Schneier's book <a href="biblio.html#secrets">Secrets and Lies</a>
- and these <a href="web.html#crypto.link">links</a></dd>
-</dl>
-
-<p>Also, I do make an effort to provide some background material in these
-documents. All the basic ideas behind IPsec and FreeS/WAN are explained here.
-Explanations that do not fit in the main text, or that not everyone will
-need, are often in the <a href="glossary.html#ourgloss">glossary</a>, which is
-the largest single file in this document set. There is also a <a
-href="background.html#background">background</a> file containing various
-explanations too long to fit in glossary definitions. All files are heavily
-sprinkled with links to each other and to the glossary. <strong>If some passage
-makes no sense to you, try the links</strong>.</p>
-
-<p>For other reference material, see the <a
-href="biblio.html#biblio">bibliography</a> and our collection of <a
-href="web.html#weblinks">web links</a>.</p>
-
-<p>Of course, no doubt I get this (and other things) wrong sometimes.
-Feedback via the <a href="mail.html#lists">mailing lists</a> is welcome.</p>
-
-<h3><a name="archives">Archives of the project mailing list</a></h3>
-
-<p>Until quite recently, there was only one FreeS/WAN mailing list, and
-archives of it were:</p>
-<ul>
- <li><a href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</a></li>
- <li><a href="http://www.nexial.com">Holland</a></li>
-</ul>
-The two archives use completely different search engines. You might want to
-try both.
-
-<p>More recently we have expanded to five lists, each with its own
-archive.</p>
-
-<p><a href="mail.html#lists">More information</a> on mailing lists.</p>
-
-<h3><a name="howto">User-written HowTo information</a></h3>
-
-<p>Various user-written HowTo documents are available. The ones covering
-FreeS/WAN-to-FreeS/WAN connections are:</p>
-<ul>
- <li>Jean-Francois Nadeau's <a href="http://jixen.tripod.com/">practical
- configurations</a> document</li>
- <li>Jens Zerbst's HowTo on <a href="http://dynipsec.tripod.com/">Using
- FreeS/WAN with dynamic IP addresses</a>.</li>
- <li>an entry in Kurt Seifried's <a
- href="http://www.securityportal.com/lskb/kben00000013.html">Linux
- Security Knowledge Base</a>.</li>
- <li>a section of David Ranch's <a
- href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">Trinity
- OS Guide</a></li>
- <li>a section in David Bander's book <a href="biblio.html#bander">Linux
- Security Toolkit</a></li>
-</ul>
-
-<p>User-wriiten HowTo material may be <strong>especially helpful if you need
-to interoperate with another IPsec implementation</strong>. We have neither
-the equipment nor the manpower to test such configurations. Users seem to be
-doing an admirable job of filling the gaps.</p>
-<ul>
- <li>list of user-written <a href="interop.html#otherpub">interoperation
- HowTos</a> in our interop document</li>
-</ul>
-
-<p>Check what version of FreeS/WAN user-written documents cover. The software
-is under active development and the current version may be significantly
-different from what an older document describes.</p>
-
-<h3><a name="applied">Papers on FreeS/WAN</a></h3>
-
-<p>Two design documents show team thinking on new developments:</p>
-<ul>
- <li><a href="opportunism.spec">Opportunistic Encryption</a> by technical
- lead Henry Spencer and Pluto programmer Hugh Redelemeier</li>
- <li>discussion of <a
- href="http://www.sandelman.ottawa.on.ca/SSW/freeswan/klips2req/">KLIPS
- redesign</a></li>
-</ul>
-
-<p>Both documents are works in progress and are frequently revised. For the
-latest version, see the <a href="mail.html#lists">design mailing list</a>. Comments
-should go to that list.</p>
-
-<p>There is now an <a
-href="http://www.ietf.org/internet-drafts/draft-richardson-ipsec-opportunistic-06.txt">Internet
-Draft on Opportunistic Encryption</a> by Michael Richardson, Hugh Redelmeier
-and Henry Spencer. This is a first step toward getting the protocol
-standardised so there can be multiple implementations of it. Discussion of it
-takes place on the <a
-href="http://www.ietf.org/html.charters/ipsec-charter.html">IETF IPsec
-Working Group</a> mailing list.</p>
-
-<p>A number of papers giving further background on FreeS/WAN, or exploring
-its future or its applications, are also available:</p>
-<ul>
- <li>Both Henry and Richard gave talks on FreeS/WAN at the 2000 <a
- href="http://www.linuxsymposium.org">Ottawa Linux Symposium</a>.
- <ul>
- <li>Richard's <a
- href="http://www.conscoop.ottawa.on.ca/rgb/freeswan/ols2k/">slides</a></li>
- <li>Henry's paper</li>
- <li>MP3 audio of their talks is available from the <a
- href="http://www.linuxsymposium.org/">conference page</a></li>
- </ul>
- </li>
- <li><cite>Moat: A Virtual Private Network Appliances and Services
- Platform</cite> is a paper about large-scale (a few 100 links) use of
- FreeS/WAN in a production application at AT&T Research. It is
- available in Postscript or PDF from co-author Steve Bellovin's <a
- href="http://www.research.att.com/~smb/papers/index.html">papers list
- page</a>.</li>
- <li>One of the Moat co-authors, John Denker, has also written
- <ul>
- <li>a <a
- href="http://www.av8n.com/vpn/ipsec+routing.htm">proposal</a>
- for how future versions of FreeS/WAN might interact with routing
- protocols</li>
- <li>a <a
- href="http://www.av8n.com/vpn/wishlist.htm">wishlist</a>
- of possible new features</li>
- </ul>
- </li>
- <li>Bart Trojanowski's web page has a draft design for <a
- href="http://www.jukie.net/~bart/linux-ipsec/">hardware acceleration</a>
- of FreeS/WAN</li>
-</ul>
-
-<p>Several of these provoked interesting discussions on the mailing lists,
-worth searching for in the <a href="mail.html#archive">archives</a>.</p>
-
-<p>There are also several papers in languages other than English, see our <a
-href="web.html#otherlang">web links</a>.</p>
-
-<h3><a name="licensing">License and copyright information</a></h3>
-
-<p>All code and documentation written for this project is distributed under
-either the GNU General Public License (<a href="glossary.html#GPL">GPL</a>)
-or the GNU Library General Public License. For details see the COPYING file
-in the distribution.</p>
-
-<p>Not all code in the distribution is ours, however. See the CREDITS file
-for details. In particular, note that the <a
-href="glossary.html#LIBDES">Libdes</a> library and the version of <a
-href="glossary.html#MD5">MD5</a> that we use each have their own license.</p>
-
-<h2><a name="sites">Distribution sites</a></h2>
-
-<p>FreeS/WAN is available from a number of sites.</p>
-
-<h3>Primary site</h3>
-
-<p>Our primary site, is at xs4all (Thanks, folks!) in Holland:</p>
-<ul>
- <li><a href="http://www.xs4all.nl/~freeswan">HTTP</a></li>
- <li><a href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">FTP</a></li>
-</ul>
-
-<h3><a name="mirrors">Mirrors</a></h3>
-
-<p>There are also mirror sites all over the world:</p>
-<ul>
- <li><a href="http://www.flora.org/freeswan">Eastern Canada</a> (limited
- resouces)</li>
- <li><a href="ftp://ludwig.doculink.com/pub/freeswan/">Eastern Canada</a>
- (has older versions too)</li>
- <li><a href="ftp://ntsc.notBSD.org/pub/crypto/freeswan/">Eastern Canada</a>
- (has older versions too)</li>
- <li><a href="ftp://ftp.kame.net/pub/freeswan/">Japan</a></li>
- <li><a href="ftp://ftp.futuredynamics.com/freecrypto/FreeSWAN/">Hong
- Kong</a></li>
- <li><a href="ftp://ipsec.dk/pub/freeswan/">Denmark</a></li>
- <li><a href="ftp://ftp.net.lut.ac.uk/freeswan">the UK</a></li>
- <li><a href="http://storm.alert.sk/comp/mirrors/freeswan/">Slovak
- Republic</a></li>
- <li><a
- href="http://the.wiretapped.net/security/vpn-tunnelling/freeswan/">Australia</a></li>
- <li><a href="http://freeswan.technolust.cx/">technolust</a></li>
- <li><a href="http://freeswan.devguide.de/">Germany</a></li>
- <li>Ivan Moore's <a href="http://snowcrash.tdyc.com/freeswan/">site</a></li>
- <li>the <a href="http://www.cryptoarchive.net/">Crypto Archive</a> on the
- <a href="http://www.securityportal.com/">Security Portal</a> site</li>
- <li><a href="http://www.wiretapped.net/">Wiretapped.net</a> in
- Australia</li>
-</ul>
-
-<p>Thanks to those folks as well.</p>
-
-<h3><a name="munitions">The "munitions" archive of Linux crypto
-software</a></h3>
-
-<p>There is also an archive of Linux crypto software called "munitions", with
-its own mirrors in a number of countries. It includes FreeS/WAN, though not
-always the latest version. Some of its sites are:</p>
-<ul>
- <li><a href="http://munitions.vipul.net/">Germany</a></li>
- <li><a href="http://munitions.iglu.cjb.net/">Italy</a></li>
- <li><a href="http://munitions2.xs4all.nl/">Netherlands</a></li>
-</ul>
-
-<p>Any of those will have a list of other "munitions" mirrors. There is also
-a CD available.</p>
-
-<h2>Links to other sections</h2>
-
-<p>For more detailed background information, see:</p>
-<ul>
- <li><a href="politics.html#politics">history and politics</a> of
- cryptography</li>
- <li><a href="ipsec.html#ipsec.detail">IPsec protocols</a></li>
-</ul>
-
-<p>To begin working with FreeS/WAN, go to our <a
-href="quickstart.html#quick.guide">quickstart</a> guide.</p>
-</body>
-</html>
projects / thirdparty / strongswan.git / blobdiff