strongswan vs openswan

Question

What are the differences between OpenSwan and StrongSwan? All I found is this comparison between the outdated FreeSwan and testing version of OpenSwan - i.e. current stable of OpenSwan is 2.6 (3.0 in comparison) and current stable for StrongSwan is 4.4 (4.1.7 in comparison) which seems grossly unfair (there is no point in comparing Windows 98 with Ubuntu 10.10 or Mac OS X 10.7 with Slackware 8.0).

After reading some websites, StrongSwan seems to be better maintained while OpenSwan seems to be more popular.

@Sven my edit was meant to remove irrelevant and outdated stuff (the link is broken by the way) and to broaden the question to a third product (ipsec-tools mentioned in the answer below), but in the end the question stays the same and is still about the differences between the three IPSec stacks. Could you please review the edit again ? Thanks. — , Jan 01 '15 at 12:47
@AndréDaniel: No, because I really can't. I also think your edit got too far, as it went way beyond fixing links and retroactively widened the scope of the question. Besides, I think this question is [off-topic](http://serverfault.com/help/on-topic) by todays standard. — Sven, Jan 01 '15 at 14:56

score 66 · Answer 1 · edited May 03 '18 at 13:58

66

Libreswan is the project the Openswan developers created after the company they had originally founded to develop Openswan sued them over the trademark. So Libreswan is what we will discuss here.

The most obvious differences are:

StrongSwan has much more comprehensive and developed documentation than Libreswan.
StrongSwan has support for EAP authentication methods, which make it easier to integrate into heterogeneous environments (such as authenticating to Active Directory). These are less well developed or even missing from Libreswan.
StrongSwan can be clustered and load balanced. Libreswan does not seem to have any support to do either.
Libreswan supports more hardware crypto accelerators than StrongSwan, but requires kernel patches to do so.

Distro support:

StrongSwan is the recommended default in Ubuntu since 14.04.
RHEL 7 ships Libreswan, though StrongSwan is available in EPEL.

IPSec-tools was a port of the KAME IPSec userland from BSD to Linux. It appears to be no longer maintained.

edited May 03 '18 at 13:58

Merlijn Sebrechts

369
1
4
14

answered Jan 01 '15 at 14:08

Michael Hampton

237,123
42
477
940

5

They got sued by Xelerance? Ahh it pays to be a lawyer. Here's an out-take from "Openswan: Building and Integrating VPNs"(PacktPub): "...Openswan was released by Xelerance, a newly founded company for the continued development of a free IPsec implementation for Linux. Openswan's main mission was to cater more to the commercial world, while still keeping the FreeS/WAN ideals alive. This new code-fork also released the FreeS/WAN Project to stick even more strongly to its philosophies...In April 2003, the end of the FreeS/WAN Project was announced..." – ILMostro_7 Oct 24 '15 at 23:25
6

Oh yes. And as is typical of such lawsuits, the company got the trademark, while simultaneously killing the project they were fighting over. Openswan has had only the occasional security patch since then. – Michael Hampton Oct 25 '15 at 00:10

score 16 · Accepted Answer · edited Apr 13 '17 at 12:14

16

NOTE: See the other answer, this one was correct in 2011, but the landscape has changed in that time and this is no longer the correct answer to the OP's question.

Both OpenSwan and StrongSwan are forks for continued development after FreeS/WAN project closed up shop. However, most of the Linux distributions have moved more towards IPsec-Tools since then.

You can use either one for IPsec on Linux, but unless you have a specific need for them, or you are trying to maintain configuration compatibility with older FreeS/WAN setups, you are probably better off using IPsec-Tools and Racoon (ISAKMP daemon from IPsec-Tools) for any new Linux IPSec Setups.

edited Apr 13 '17 at 12:14

Community

1

answered Jan 21 '11 at 22:25

Christopher Cashell

8,999
2
31
43

6

Red Hat 6 has moved **away** from IPSec-Tools and uses OpenSwan now. I still agree with this answer, though. – joechip Jul 29 '11 at 10:38
Interesting, I hadn't realized they were doing that. I'll have to look into the changes. (Thanks for the tip.) – Christopher Cashell Aug 01 '11 at 21:12
7

Looks like Ubuntu is moving from IPsec-Tools to StrongSwan in 14.04: https://wiki.ubuntu.com/TrustyTahr/ReleaseNotes#strongSwan – A B Apr 17 '14 at 21:38
1

IPSec-tools' racoon and offspring "racoon2" do not seem to be maintained since ~2010 (http://www.racoon2.wide.ad.jp/w/?News) – gatopeich Jun 27 '14 at 13:40
4

As of RHEL7, it looks like the default IPSec system is Libreswan, a fork of OpenSwan. – Christopher Cashell Jul 25 '14 at 16:38
3

@ChristopherCashell you should update your original answer too :) – ismail Aug 24 '14 at 09:38
2

@ChristopherCashell the answer was good in 2011, but now in 2016, Canonical and RedHat present other alternatives for VPN with ipsec, like LibreSwan, OpenSwan and StrongSwan. – Yonsy Solis Jul 11 '16 at 19:21
1

Note that the page linked in the reply says on the very top: **The development of ipsec-tools has been ABANDONED. ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!** So albeit ipsec-tools are still offered as a packet in some Linux distributions and keep working, it is not recommend to use it anymore. The best alternative is usually Openswan, unless a feature is required that Openswan doesn't provide. When it comes to features, strongSwan usually offers the most. – Mecki Jun 07 '19 at 13:30

strongswan vs openswan

2 Answers2

Linked