From Fedora Project Wiki


Revision as of 00:55, 27 May 2012 by Pavlix

Strongswan can be considered the most powerful IPsec implementation available in Fedora and EPEL.

Features

  • IKEv1, IKEv2 (older and current version of Internet Key Exchange)
  • MOBIKE (mobility and multihoming extension to IKEv2)
  • IPv4, IPv6 (old and new Internet Protocol)
  • Road warrior setup
  • NAT traversal
  • NetworkManager plugin
  • And much more...

Things Strongswan can do but Openswan cannot

  • IKEv2 + road warrior
  • IPv6 + road warrior
  • Hybrid IPv4/IPv6 tunnels
  • Multiple IPv4 on a single device

Openswan gives confusing error messages when using IPv6 addresses. It can also cause problems when you want to select a single IPv4 address on an interface that has other IPv4 addresses configured.

Tested with: openswan-2.6.33-1.fc15.x86_64

Source: [1] (in Czech)

Use cases

Simple bi-directional transport channel

conn test
    auto=route
    type=transport
    left=2001:db8::a
    right=2001:db8::b
    authby=psk
    mobike=no

Road warrior (server)

conn test
    auto=add
    type=transport
    left=%any
    right=2001:db8::b
    authby=psk
    mobike=no

Road warrior (client)

conn test
    auto=add
    type=transport
    left=%defaultroute
    leftid=@alpha.example.net
    right=2001:db8::b
    authby=psk
    mobike=no

Tunnel mode

conn test
    auto=route
    type=tunnel
    left=2001:db8::a
    leftsubnet=2001:db8:a:a::/64
    right=2001:db8::b
    rightsubnet=2001:db8:b:b::/64
    authby=psk
    mobike=no
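
The left and right halves of a conn section mirror each other, so a slip in the prefix is easy to miss when reviewing a config. The following check is an added example, not part of the original wiki page or of strongSwan; the function names and the sample config are constructed here, and it ignores `also=` and `conn %default` inheritance.

```python
# Constructed sample: a tunnel-mode conn whose second subnet line reuses the
# "left" prefix, so rightsubnet is never set.
SAMPLE = """\
conn test
    auto=route
    type=tunnel
    left=2001:db8::a
    leftsubnet=2001:db8:a:a::/64
    right=2001:db8::b
    leftsubnet=2001:db8:b:b::/64
    authby=psk
    mobike=no
"""

def parse_conns(text):
    """Return {conn_name: [(line_no, key, value), ...]} for each conn section."""
    conns, current = {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # simplification: '#' always starts a comment
        if not line.strip():
            continue
        if not raw[0].isspace():               # section headers start in column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], []) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current.append((no, key.strip(), value.strip()))
    return conns

def lint(text):
    """Flag duplicated keys and explicit tunnel conns that lack a subnet on one side."""
    findings = []
    for name, items in parse_conns(text).items():
        seen, values = {}, {}
        for no, key, value in items:
            if key in seen:
                findings.append(f"{name}: line {no}: '{key}' already set on line {seen[key]}")
            else:
                seen[key], values[key] = no, value
        if values.get("type") == "tunnel":
            for side in ("left", "right"):
                if side + "subnet" not in values:
                    findings.append(f"{name}: type=tunnel without {side}subnet, "
                                    f"selector covers only the {side} host")
    return findings
```

Running `lint()` over a file's contents before loading it returns an empty list when every conn is clean.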