Strongswan can be considered the most powerful IPsec implementation available in Fedora and EPEL.
Features
- IKEv1, IKEv2 (older and current version of Internet Key Exchange)
- MOBIKE (mobility and multihoming extension to IKEv2)
- IPv4, IPv6 (old and new Internet Protocol)
- Road warror setup
- NAT traversal
- NetworkManager plugin
- And much more...
Things Strongswan can do but Openswan cannot
- IKEv2 + road warrior
- IPv6 + road warrior
- Hybrid IPv4/IPv6 tunnels
- Multiple IPv4 on a single device
Openswan gives confusing error messages when using IPv6 addresses. You can even have problems if you want to choose a single IPv4 address on an interface where other IPv4 addresses are set up.
Tested with: openswan-2.6.33-1.fc15.x86_64
Source: [1] (in Czech)
Use cases
The following usecases may be combined or modified. But they show the basic usage of Strongswan. Right now all of them ignore MOBIKE and use PSK for authentication. All use cases use IPv6 addresses to show that both IPv4 and IPv6 are supported.
Strongswan homepage provides lots of more advanced tested examples.
Simple bi-directional transport channel
conn test auto=route type=transport left=2001:db8::a right=2001:db8::b authby=psk mobike=no
Road warrior (server)
conn test auto=add type=transport left=%any right=2001:db8::b authby=psk mobike=no
Road warrior (client)
conn test auto=add type=transport left=%defaultroute leftid=@alpha.example.net right=2001:db8::b authby=psk mobike=no
Tunnel mode
conn test auto=route type=tunnel left=2001:db8::a leftsubnet=2001:db8:a:a::/64 right=2001:db8::b leftsubnet=2001:db8:b:b::/64 authby=psk mobike=no
Alternatives
- Tools/Racoon – obsolete but described in http://www.ipsec-howto.org/
- Tools/Racoon2 – similar in features, rather complicated configuration
- Tools/Openswan – similar in configuration, but rather broken