OK, could you please double-check that your configuration works with strongswan as well as openswan? I want to propose that we focus on one IKE implementation and considering the features available in strongswan, that it works with the most server implementations especially Windows 2003 and 2008 Server and that it supports smartcards the best make it a lead contender. Dan, what do you think of deciding on an IKE? Something like a bake-off?
There is no reason to pick one over the other.
Is strongswan a fork of openswan? If so, was openswan upstream reluctant to take certain patches and thus the strongswan fork?
There is a lot of material about strongswan and openswan's development history in http://www.strongswan.org/docs/LinuxTag2008-strongSwan.pdf Even a nice tree of the forks.
As the person who was the liaison between John Gilmore of FreeS/WAN and one of the founders of Openswan, I can tell you that "history" is pretty wrong.
It seems that strongswan and openswan both split away from frees/wan for different reasons: openswan was the branch that Xelerance developed for their commercial network services and strongswan was community developed to keep making a better linux IKEv1 and then v2 implementation.
That sounds pretty misleading.... After talks with John Gilmore it was decided amicably to fork freeswan to get rid of the "no americans can code for freeswan" requirement of freeswan. Andreas was invited to be part of the openswan fork, but could not get over the fact that freeswan/openswan kept a Makefile.inc style structure where you can disable/enable features. He felt his code "should not be #ifdef'ed". Since a lot of people do not use or need X.509 we wanted to keep the #ifdef's, just like we have those in place for XAUTH, PAM, Opportunistic, etc. Andreas then decided to start his own fork. Xelerance was the company founded by freeswan volunteers and ex-employees of the freeswan project to continue the GPL IPsec implementation and to additionally offer commercial support. It has extended Openswan functionality with contracts from companies like RedHat, Sony, HiFN, Astaro, Ixia, etc. Xelerance has no "commercial network services".
Is there an intention to merge strongswan back into openswan in the future? That sort of thing. Unfortunately the politics matter to distros...
There is not much to merge. strongswan is using two separate IKEv1 and IKEv2 daemons, while openswan has integrated IKEv2 fully into one daemon. Openswan regularly checks for fixes done by strongswan, and where appropriate merges them in (with I should say, proper creditation, something we unfortunately cannot say about strongswan's merging of openswan's patches). xl2tpd is a fork of l2tpd by Xelerance after that project seemed to be dead for over a year, their domain squatted and their sourceforge.net repository stale and not accepting any code. Jacco de Leeuw kept an impressive patch set against l2tpd-0.69, and we finally forked to merge in his patches, our patches and new features such as IPsec SAref support to support overlapping IPs as shown in: http://www.openswan.org/docs/ipsecsaref.png We would gladly help network manager's integration for l2tp/ipsec based VPNs. Please feel free to mail any questions or information to [EMAIL PROTECTED], or hang around on the #openswan-dev channel on freenode.
Paul
--
Building and integrating Virtual Private Networks with Openswan: http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
