Re: Re: Support for L2TP/IPsec

> OK, could you please double-check that your configuration works with
> strongswan as well as openswan? I want to propose that we focus on one
> IKE implementation, and considering the features available in strongswan,
> the fact that it works with the most server implementations (especially
> Windows Server 2003 and 2008) and that it has the best smartcard support,
> it is a lead contender. Dan, what do you think of deciding on an IKE?
> Something like a bake-off?

There is no reason to pick one over the other.

> Is strongswan a fork of openswan?  If so, was openswan upstream
> reluctant to take certain patches and thus the strongswan fork?

There is a lot of material about strongswan and openswan's development
history in http://www.strongswan.org/docs/LinuxTag2008-strongSwan.pdf
Even a nice tree of the forks.

As the person who was the liaison between John Gilmore of FreeS/WAN
and one of the founders of Openswan, I can tell you that "history"
is pretty wrong.

> It seems that strongswan and openswan both split away from FreeS/WAN for
> different reasons: openswan was the branch that Xelerance developed for
> their commercial network services and strongswan was community developed
> to keep making a better Linux IKEv1 and then v2 implementation.

That sounds pretty misleading....

After talks with John Gilmore it was decided amicably to fork freeswan
to get rid of the "no Americans can code for freeswan" requirement of
freeswan. Andreas was invited to be part of the openswan fork, but
could not get over the fact that freeswan/openswan kept a Makefile.inc
style structure where you can disable/enable features. He felt his
code "should not be #ifdef'ed". Since a lot of people do not use or
need X.509 we wanted to keep the #ifdefs, just like we have those in
place for XAUTH, PAM, Opportunistic, etc. Andreas then decided to start
his own fork.

Xelerance was the company founded by freeswan volunteers and ex-employees
of the freeswan project to continue the GPL IPsec implementation and
to additionally offer commercial support. It has extended Openswan
functionality with contracts from companies like RedHat, Sony, HiFN,
Astaro, Ixia, etc. Xelerance has no "commercial network services".

> Is there an intention to merge strongswan back into openswan in the
> future?  That sort of thing.  Unfortunately the politics matter to
> distros...

There is not much to merge. strongswan is using two separate IKEv1
and IKEv2 daemons, while openswan has integrated IKEv2 fully into one
daemon. Openswan regularly checks for fixes done by strongswan, and where
appropriate merges them in (with, I should say, proper credit,
something we unfortunately cannot say about strongswan's merging of
openswan's patches).

xl2tpd is a fork of l2tpd by Xelerance after that project seemed to be
dead for over a year, their domain squatted and their sourceforge.net
repository stale and not accepting any code. Jacco de Leeuw kept an
impressive patch set against l2tpd-0.69, and we finally forked to merge
in his patches, our patches and new features such as IPsec SAref support
to support overlapping IPs as shown in:

http://www.openswan.org/docs/ipsecsaref.png

We would gladly help NetworkManager's integration for L2TP/IPsec-based VPNs.
Please feel free to mail any questions or information to dev openswan org,
or hang around on the #openswan-dev channel on freenode.

Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
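For readers who want to try the Openswan + xl2tpd combination Paul describes (L2TP over IPsec transport mode, with SAref so that clients whose inner addresses overlap can coexist), here is a minimal server-side configuration. It is an added example, not taken from the original post or from the Openswan or xl2tpd projects: the server address, the IP pool, the NETKEY stack choice and the file paths are assumptions, and the `overlapip` / `ipsec saref` settings only have an effect on a kernel that carries Openswan's SAref patches.

```conf
# /etc/ipsec.conf  (Openswan 2.6.x syntax; hypothetical example)
config setup
    protostack=netkey        # assumption: NETKEY stack; SAref needs a SAref-patched kernel
    nat_traversal=yes        # road warriors behind NAT need NAT-T (UDP/4500)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn L2TP-PSK
    authby=secret            # pre-shared key; see /etc/ipsec.secrets
    type=transport           # L2TP/IPsec protects the L2TP UDP flow in transport mode
    pfs=no                   # Windows L2TP clients do not propose PFS for quick mode
    rekey=no                 # let the client drive rekeying
    keyingtries=3
    left=203.0.113.10        # assumption: server public address (documentation range)
    leftprotoport=17/1701    # only UDP/1701 (L2TP) is protected, not all traffic
    right=%any
    rightprotoport=17/%any   # NATed clients arrive from a translated source port
    rightsubnet=vhost:%priv,%no
    overlapip=yes            # SAref: allow several clients to use the same inner IP
    auto=add

# /etc/xl2tpd/xl2tpd.conf  (hypothetical example)
[global]
ipsec saref = yes            ; tag each L2TP packet with the IPsec SA it arrived on
listen-addr = 203.0.113.10   ; assumption: same server address as above

[lns default]
ip range = 10.99.0.2-10.99.0.254   ; assumption: PPP address pool for clients
local ip = 10.99.0.1
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
```

With `overlapip=yes` and `ipsec saref = yes`, two road warriors that both happen to sit behind NAT with 192.168.1.100 as their inner address get separate SAs, and xl2tpd tells their L2TP packets apart by SA reference rather than by source address. Whether the running kernel supports this is worth checking before relying on it: Openswan's `ipsec verify` reports SAref kernel support, and without it `overlapip` should be left out, accepting that clients with colliding addresses will fail.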