On Fri, 30 Jan 2009 00:09:15 -0500 (EST), Paul Wouters <paul@xxxxxxxxxxxxx> wrote:

> Disclaimer: I am the Openswan maintainer and therefore strongly biased.
>
> > i still look for a good solution in vpn. i tried openswan with
> > racoon,
>
> Openswan with racoon? Openswan and Racoon are both different IPsec
> implementations (technically: different IKE implementations). They
> don't "go together".
>
> > openvpn. They are all quite good, openswan is more complicated than
> > openvpn.
>
> Yes, IPsec is more complicated than SSL-VPNs. They are also more
> robust, have more features, do not require routing hacks on the
> server, or require X.509, and are not vulnerable to simple TCP-RST
> attacks. But yes, it is easier to use, and sadly has a better chance
> at getting through firewalls. (If anyone has time, I have a project
> lying around to implement "IPsec over fake port 443".)
>
> > Now, i stumbled on strongswan, which seems to be one of the
> > best maintained solutions (as i read in linux magazine).
>
> Interesting. I have no idea what that is based on.
>
> > is it planned to get this packaged in fedora? If it is, where can i
> > get it?
>
> I see it is currently not in fedora, but anyone who wants to package
> it up and put it in can do so. It is not blacklisted. It is just that
> there has been no one with an interest to package it up.
>
> > The advantage of strongswan is the integration in NetworkManager,
>
> NM integration of Openswan is planned by Red Hat, and is slated to
> be worked on after the NSS support for Openswan is finished.
>
> If anyone wants to work on this, I can give the list of items that
> need to be worked on. The biggest problem is that IPsec is a host-host
> protocol, but is now being used as a user-host protocol. NM requires
> that all information required can be passed as parameters (not config
> files). I am not sure how it handles this for X.509 certificates.
>
> Openswan uses configuration files, though almost all items can be
> specified via command line parameters (the 'ipsec whack'), there are a
> few that currently cannot - X.509 certs and PSKs.
>
> Also, to properly integrate Openswan with NM, it should also allow
> for L2TP connections within NM, so integration with xl2tpd (the L2TP
> client to use with Openswan) is required. xl2tpd mostly requires a
> username and password as well, and currently uses the chap-secrets
> for this instead of accepting parameters via NM.
>
> > which is done, but not with openswan. Openswan is integrated in
> > system-config-network, it is the question, if it belongs there, as
> > NetworkManager should do most work on networking. OpenVPN and Cisco
> > VPN are handled by NetworkManager too...
>
> I don't see any VPN options in system-config-network on my Fedora-10
> machine.
>
> NM is mostly used on enduser machines. Remember that Openswan is also
> used as IPsec gateway, where NM plays no part whatsoever.
>
> So, NM integration is on its way. If people have time to donate,
> contact me.
>
> Paul

Yes, you write as if you were the openswan maintainer ;) and can be biased. Good to hear that integration is on its way.

As documentation and responses on this mailing list did not flood my disk and mailbox, I am glad to hear that someone is looking into integration. Even though I am not a pro at all, there are reasons for encrypting traffic (host2host, network2network), and I would declare myself a nosey parker ;)

I can't help you on this, as I need help myself and want an easy life installing encryption ;)

Installing ipsec-tools brings you one more tab in system-config-network, where you can go and create h2h and n2n connections. Still, it is not in the same place as the other two, which makes usability harder.

Roger

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines