Tools/Strongswan
From FedoraProject
Strongswan can be considered the most powerful IPsec implementation available in Fedora and EPEL.
Contents |
Features
- IKEv1, IKEv2 (older and current version of Internet Key Exchange)
- MOBIKE (mobility and multihoming extension to IKEv2)
- IPv4, IPv6 (old and new Internet Protocol)
- Road warror setup
- NAT traversal
- NetworkManager plugin
- And much more...
Things Strongswan can do but Openswan cannot
- IKEv2 + road warrior
- IPv6 + road warrior
- Hybrid IPv4/IPv6 tunnels
- Multiple IPv4 on a single device
Openswan gives confusing error messages when using IPv6 addresses. You can even have problems if you want to choose a single IPv4 address on an interface where other IPv4 addresses are set up.
Tested with: openswan-2.6.33-1.fc15.x86_64
Source: [1] (in Czech)
Please contact User:Pavlix with more items or changes in Openswan. Or, if you are confident about your information, edit the page yourself.
Use cases
The following usecases may be combined or modified. But they show the basic usage of Strongswan. Right now all of them ignore MOBIKE and use PSK for authentication. All use cases use IPv6 addresses to show that both IPv4 and IPv6 are supported.
Strongswan homepage provides lots of more advanced tested examples.
Simple bi-directional transport channel
conn test
auto=route
type=transport
left=2001:db8::a
right=2001:db8::b
authby=psk
mobike=no
Road warrior (server)
conn test
auto=add
type=transport
left=%any
right=2001:db8::b
authby=psk
mobike=no
Road warrior (client)
conn test
auto=add
type=transport
left=%defaultroute
leftid=@alpha.example.net
right=2001:db8::b
authby=psk
mobike=no
Tunnel mode
conn test
auto=route
type=tunnel
left=2001:db8::a
leftsubnet=2001:db8:a:a::/64
right=2001:db8::b
leftsubnet=2001:db8:b:b::/64
authby=psk
mobike=no
Alternatives
- Tools/Racoon – obsolete but described in http://www.ipsec-howto.org/
- Tools/Racoon2 – similar in features, rather complicated configuration
- Tools/Openswan – similar in configuration, but rather broken
