26

Searching for IPSec and Linux one inevitably will be confronted with different solutions (see below) which all seem quite similar. The question is: where is the difference?

I found these projects. All of them are open source, all are active (have a release within the last 3 months) and they all seem to provide very similar things.

Also: are there other projects which I did not encounter?

(strongswan vs openswan is asking the same, but is obviously outdated.)

Question: Are there obvious choices for certain requirements/contexts, or are they all interchangeable?

Example uncertainty: Would needing to support certain clients (android, apple, Microsoft, ..) require (or benefit greatly from) specific implementations?

Example uncertainty: Are some implementations reviewed and tested for security, and-or compatibility, and-or performance, more than others?

Example uncertainty: Are some implementations more stable and bug-free than others?

Example uncertainty: do they all support ipv4-only / ipv6-only / either / both?

Example uncertainty: do they all support multiple clients and dhcp?

Example uncertainty: do they all support the same authentication methods?

jmullee
masgo
    If you are looking for basic IPSEC functionality, I would look at which one has the most community support, and/or is supported by your preferred OS in package form. They are all built to do similar things, in similar ways, and unless you have a specific need which requires features one of these has, or security is a primary issue (i.e. you have a serious need for security surety) and you are going to engage in code review and contribution, I think that this approach is your best bet. – T. B. Oct 12 '16 at 17:24

1 Answer

24

It appears to me that StrongSwan and LibreSwan are the two main viable products nowadays. strongswan vs openswan has one good comprehensive comment with some comparisons between StrongSwan and LibreSwan. StrongSwan seems to win the argument in that link.

But to be fair, I saw Paul Wouters, who represents the LibreSwan project at Red Hat, talking today at the Security session of LinuxCon in Toronto. He put up strong arguments for opportunistic encryption and continuing on with the original project's byline of 'encrypting the internet'. Paul's site is https://nohats.ca/.

But there is overlap between the two because 'ip xfrm' forms the basis for kernel tools of ike/ipsec. So if you need extra certificate stuff, then libreswan or strongswan are needed. But some encryption stuff can be performed with neither present.

From https://lists.strongswan.org/pipermail/dev/2015-April/001321.html:

Libreswan is a fork of Openswan, searching for "strongSwan vs. OpenSwan" should give you a broad range of impressions and meanings.

Both strongSwan and Libreswan have their origins in the FreeS/WAN project. Open/Libreswan are still much closer to that origin, whereas strongSwan these days is basically a complete reimplementation.

The current strongSwan architecture was designed initially for IKEv2 almost 10 years ago, but since 5.x is used for IKEv1 as well. It comes with an extensible, well scaling multi-threading design, and has its focus on IKEv2 and strong authentication.
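The answer above points out that 'ip xfrm' is the kernel-side basis and that some encryption can be done with neither strongSwan nor Libreswan installed. The following is an added example, not code from the question, the answer, or either project, of what that looks like in practice: a POSIX shell helper that emits the `ip xfrm state` and `ip xfrm policy` commands for a manually keyed ESP tunnel between two hosts A and B, so each side's configuration can be reviewed before it is applied as root on that host. The function name `xfrm_tunnel_cmds`, the addresses, prefixes, SPIs and key material are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the page): print the `ip xfrm` commands for a
# manually keyed ESP tunnel between hosts A and B.  Nothing is applied;
# the output is meant to be reviewed and then run as root on each host.
# All addresses, SPIs and keys below are constructed for illustration.

# xfrm_tunnel_cmds SIDE A_IP B_IP A_NET B_NET SPI_AB SPI_BA KEY_AB KEY_BA
#   SIDE         "A" or "B": which host the commands are for
#   A_IP, B_IP   outer (public) addresses of the two hosts
#   A_NET, B_NET inner prefixes carried through the tunnel
#   SPI_AB/SPI_BA SPIs of the A->B and B->A security associations
#   KEY_AB/KEY_BA hex AES-128-GCM key material, 20 bytes each (16 key + 4 salt)
xfrm_tunnel_cmds() {
    side=$1 a_ip=$2 b_ip=$3 a_net=$4 b_net=$5
    spi_ab=$6 spi_ba=$7 key_ab=$8 key_ba=$9
    case $side in
        A) me=$a_ip peer=$b_ip my_net=$a_net peer_net=$b_net
           spi_out=$spi_ab spi_in=$spi_ba key_out=$key_ab key_in=$key_ba ;;
        B) me=$b_ip peer=$a_ip my_net=$b_net peer_net=$a_net
           spi_out=$spi_ba spi_in=$spi_ab key_out=$key_ba key_in=$key_ab ;;
        *) echo "side must be A or B" >&2; return 1 ;;
    esac
    # One SA per direction.  The same reqid ties the policies below to
    # these SAs; 128 is the ICV length in bits for AES-GCM.
    echo "ip xfrm state add src $me dst $peer proto esp spi $spi_out reqid 1 mode tunnel aead 'rfc4106(gcm(aes))' 0x$key_out 128"
    echo "ip xfrm state add src $peer dst $me proto esp spi $spi_in reqid 1 mode tunnel aead 'rfc4106(gcm(aes))' 0x$key_in 128"
    # Policies say which traffic must be protected and by which SA template.
    # 'fwd' is needed on a gateway that forwards the inner prefix onward.
    echo "ip xfrm policy add src $my_net dst $peer_net dir out tmpl src $me dst $peer proto esp reqid 1 mode tunnel"
    echo "ip xfrm policy add src $peer_net dst $my_net dir in tmpl src $peer dst $me proto esp reqid 1 mode tunnel"
    echo "ip xfrm policy add src $peer_net dst $my_net dir fwd tmpl src $peer dst $me proto esp reqid 1 mode tunnel"
}

# Key material must be fresh and random, e.g. `openssl rand -hex 20` per
# direction, and distributed out of band.  Constructed sample run for host A
# (placeholder values; never reuse them):
xfrm_tunnel_cmds A 203.0.113.1 198.51.100.1 10.1.0.0/24 10.2.0.0/24 0x1001 0x1002 \
    00112233445566778899aabbccddeeff01020304 \
    ffeeddccbbaa99887766554433221100f0e0d0c0
```

Running the same function with `B` as the first argument gives host B's mirror image: its outbound SA uses the A-to-B peer's inbound SPI and key, and the policy directions flip. What the example also makes visible is what is missing: nothing authenticates the peer, nothing rekeys the SAs, and nothing notices a dead peer. Those are the jobs an IKE daemon does, which is the practical reason strongSwan or Libreswan is needed for anything beyond a static lab link.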