From Fedora Project Wiki
< Tools
(Created page with "Strongswan can be considered the most powerful IPsec implementation in Fedora. == Features * IKEv1, IKEv2 (older and current version of Internet Key Exchange) * MOBIKE (mobilit...") |
|||
| (7 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
Strongswan can be considered the most powerful IPsec implementation in Fedora. | Strongswan can be considered the most powerful IPsec implementation available in Fedora and EPEL. | ||
== Features | == Features == | ||
* IKEv1, IKEv2 (older and current version of Internet Key Exchange) | * IKEv1, IKEv2 (older and current version of Internet Key Exchange) | ||
* MOBIKE (mobility and multihoming extension to IKEv2) | * MOBIKE (mobility and multihoming extension to IKEv2) | ||
* IPv4, IPv6 (old and new Internet Protocol) | * IPv4, IPv6 (old and new Internet Protocol) | ||
* Road | * Road warror setup | ||
* NAT | * NAT traversal | ||
* NetworkManager plugin | * NetworkManager plugin | ||
* And much more... | * And much more... | ||
== Things Strongswan can do but Openswan cannot == | |||
* IKEv2 + road warrior | |||
* IPv6 + road warrior | |||
* Hybrid IPv4/IPv6 tunnels | |||
* Multiple IPv4 on a single device | |||
Openswan gives confusing error messages when using IPv6 addresses. You | |||
can even have problems if you want to choose a single IPv4 address on | |||
an interface where other IPv4 addresses are set up. | |||
Tested with: openswan-2.6.33-1.fc15.x86_64 | |||
Source: [http://data.pavlix.net/europen/39/] (in Czech) | |||
Please contact [[User:Pavlix]] with more items or changes in Openswan. Or, if you | |||
are confident about your information, edit the page yourself. | |||
== Use cases == | |||
The following usecases may be combined or modified. But they show the basic | |||
usage of Strongswan. Right now all of them ignore MOBIKE and use PSK for | |||
authentication. All use cases use IPv6 addresses to show that both IPv4 and | |||
IPv6 are supported. | |||
Strongswan homepage provides ''lots of'' more advanced [http://www.strongswan.org/uml-testresults.html tested examples]. | |||
=== Simple bi-directional transport channel === | |||
<pre> | |||
conn test | |||
auto=route | |||
type=transport | |||
left=2001:db8::a | |||
right=2001:db8::b | |||
authby=psk | |||
mobike=no | |||
</pre> | |||
=== Road warrior (server) === | |||
<pre> | |||
conn test | |||
auto=add | |||
type=transport | |||
left=%any | |||
right=2001:db8::b | |||
authby=psk | |||
mobike=no | |||
</pre> | |||
=== Road warrior (client) === | |||
<pre> | |||
conn test | |||
auto=add | |||
type=transport | |||
left=%defaultroute | |||
leftid=@alpha.example.net | |||
right=2001:db8::b | |||
authby=psk | |||
mobike=no | |||
</pre> | |||
=== Tunnel mode === | |||
<pre> | |||
conn test | |||
auto=route | |||
type=tunnel | |||
left=2001:db8::a | |||
leftsubnet=2001:db8:a:a::/64 | |||
right=2001:db8::b | |||
leftsubnet=2001:db8:b:b::/64 | |||
authby=psk | |||
mobike=no | |||
</pre> | |||
== Alternatives == | |||
* [[Tools/Racoon]] – obsolete but described in http://www.ipsec-howto.org/ | |||
* [[Tools/Racoon2]] – similar in features, rather complicated configuration | |||
* [[Tools/Openswan]] – similar in configuration, but rather broken | |||
Latest revision as of 09:44, 27 May 2012
Strongswan can be considered the most powerful IPsec implementation available in Fedora and EPEL.
Features
- IKEv1, IKEv2 (older and current version of Internet Key Exchange)
- MOBIKE (mobility and multihoming extension to IKEv2)
- IPv4, IPv6 (old and new Internet Protocol)
- Road warror setup
- NAT traversal
- NetworkManager plugin
- And much more...
Things Strongswan can do but Openswan cannot
- IKEv2 + road warrior
- IPv6 + road warrior
- Hybrid IPv4/IPv6 tunnels
- Multiple IPv4 on a single device
Openswan gives confusing error messages when using IPv6 addresses. You can even have problems if you want to choose a single IPv4 address on an interface where other IPv4 addresses are set up.
Tested with: openswan-2.6.33-1.fc15.x86_64
Source: [1] (in Czech)
Please contact User:Pavlix with more items or changes in Openswan. Or, if you are confident about your information, edit the page yourself.
Use cases
The following usecases may be combined or modified. But they show the basic usage of Strongswan. Right now all of them ignore MOBIKE and use PSK for authentication. All use cases use IPv6 addresses to show that both IPv4 and IPv6 are supported.
Strongswan homepage provides lots of more advanced tested examples.
Simple bi-directional transport channel
conn test
auto=route
type=transport
left=2001:db8::a
right=2001:db8::b
authby=psk
mobike=no
Road warrior (server)
conn test
auto=add
type=transport
left=%any
right=2001:db8::b
authby=psk
mobike=no
Road warrior (client)
conn test
auto=add
type=transport
left=%defaultroute
leftid=@alpha.example.net
right=2001:db8::b
authby=psk
mobike=no
Tunnel mode
conn test
auto=route
type=tunnel
left=2001:db8::a
leftsubnet=2001:db8:a:a::/64
right=2001:db8::b
leftsubnet=2001:db8:b:b::/64
authby=psk
mobike=no
Alternatives
- Tools/Racoon – obsolete but described in http://www.ipsec-howto.org/
- Tools/Racoon2 – similar in features, rather complicated configuration
- Tools/Openswan – similar in configuration, but rather broken