Contents Previous Next

Linux FreeS/WAN Compatibility Guide

Most of this document is quoted directly from the Linux FreeS/WAN mailing list. Thanks very much to the community of testers, patchers and commenters there, especially the ones quoted below but also various contributors we haven't quoted.

Implemented parts of the IPSEC Specification

In general, do not expect Linux FreeS/WAN to do everything yet. This is a work-in-progress and some parts of the IPSEC specification are not yet implemented.

In Linux FreeS/WAN

Things we do, as of version 1.6:

All combinations of implemented transforms are supported. Note that some form of authentication is recommended whenever encryption is used.

Deliberately ommitted

We do not implement everything required by the RFCs because some of those things are insecure. See our discussions of avoiding bogus security.

Things deliberately ommitted are:

These are both required by the RFCs, but most inplementations include more secure options as well so dropping these does not greatly hinder interoperation.

Not (yet) in Linux FreeS/WAN

Things we don't yet do, as of version 1.6:

  • encryption transforms
  • Currently Triple DES is the only encryption method Pluto will negotiate.

    No additional encryption transforms are yet implemented, though the RFCs allow them and some other IPSEC implementations support various of them. We are not eager to add more, since they complicate both our work and that of the gateway administrator without any obvious security improvement. We would certainly not want to incorporate any cryptographic method that had inadequate key length or had not been sujected to intensive review over some time.

    Rijndael, which just won the AES competition to choose a successor to the DES standard is an excellent candidate for inclusion in FreeS/WAN. This might be a good project for a volunteer.

  • authentication transforms
  • No optional additional authentication transforms are currently implemented and we do not forsee a need to add any soon.

    Our PF-Key implementation

    We use PF-key Version Two for communication between the KLIPS kernel code and the Pluto Daemon. PF-Key v2 is defined by RFC 2367.

    The "PF" stands for Protocol Family. PF-Inet defines a kernel/userspace interface for the TCP/IP Internet protocols (TCP/IP), and other members of the PF series handle Netware, Appletalk, etc. PF-Key is just a PF for key-related matters.

    Our PF-Key implementation is not yet (mid-July 2000) complete. In particular, it is mostly one-way, used for Pluto to talk to KLIPS but not yet doing much upward communication from kernel to user space. This will change, but is not at the top of our priority list.

    PF-Key portability

    PF-Key came out of Berkeley Unix work and is used in the various BSD IPSEC implementations. We assume also in This means there is some hope of porting our Pluto(8) to one of the BSD distributions or running their photurisd(8) on Linux if you prefer Photuris key management over IKE.

    It is, however, more complex than that. The three PF-Key implementations we have looked at -- ours, OpenBSD and KAME -- all have extensions beyond the RFC, and the extensions are different. There have been discussions aimed at sorting out the differences, perhaps for a version three PF-Key spec. All players are in favour of this, but everyone involved is busy and it is not clear whether or when these discussions might bear fruit.

    Kernels other than 2.0.38 and 2.2.16

    We develop and test on:

    This is what we recommend.

    Other 2.0.x Intel Kernels

    Consider upgrading to the 2.2 kernel series. If you want to stay with the 2.0 series, then we strongly recommend 2.0.38. It has some security patches not present in earlier 2.0 kernels.

    Various versions of the code have run at various times on most 2.0.xx kernels, but the current version is tested only on 2.0.38 and is unlikely to compile on older kernels. Some of our patches for older kernels are shipped in 2.0.37 and later, so they are no longer provided in FreeS/WAN.

    2.2 and 2.3 Kernels

    FreeS/WAN 1.0
    ran only on 2.0 kernels
    FreeS/WAN 1.1
    ran on 2.0 or 2.2 kernels
    FreeS/WAN 1.3
    FreeS/WAN 1.4
    ran on 2.0 or 2.2 kernels
    ran on some 2.3 kernels
    FreeS/WAN 1.5
    ran on 2.0 or 2.2 kernels
    ran on some 2.3 kernels
    ran on some 2.4-test kernels
    FreeS/WAN 1.6
    FreeS/WAN 1.7
    runs on 2.0 or 2.2 kernels
    runs on some 2.4-test kernels, but those are development kernels and change often. Your Mileage May Vary.

    Intel Linux distributions other than Redhat 5.x and 6.x

    We develop and test on Redhat 5.2 for 2.0 kernels, and on Redhat 6.1 for 2.2, so minor changes may be required for other distributions.

    Redhat 7.0

    Initial reports from the mailing list indicate that there are some problems with FreeS/WAN on Redhat 7.0. At time of writing (October 2000), the FreeS/WAN team has not yet looked at this. Check the mailing list archive for more recent news.

    SuSE Linux

    SuSE 6.3 and later versions, at least in Europe, ship with FreeS/WAN included.

    Here are some notes for an earlier SuSE version.

    SuSE Linux 5.3

    Date: Mon, 30 Nov 1998
    From: Peter Onion <ponion@srd.bt.co.uk>
    
    ... I got Saturdays snapshot working between my two SUSE5.3 machines at home.
    
    The mods to the install process are quite simple.  From memory and looking at
    the files on the SUSE53 machine here at work....
    
    And extra link in each of the /etc/init.d/rc?.d directories called K35ipsec
    which SUSE use to shut a service down.
    
    A few mods in /etc/init.d/ipsec  to cope with the different places that SUSE
    put config info, and remove the inculsion of /etc/rc.d/init.d/functions and .
    /etc/sysconfig/network as they don't exists and 1st one isn't needed anyway.
    
    insert ". /etc/rc.config" to pick up the SUSE config info and use 
    
      if test -n "$NETCONFIG" -a "$NETCONFIG" != "YAST_ASK" ; then
    
    to replace 
    
      [ ${NETWORKING} = "no" ] amp; exit 0
    
    Create /etc/sysconfig  as SUSE doesn't have one.
    
    I think that was all (but I prob forgot something)....

    You may also need to fiddle initialisation scripts to ensure that /var/run/pluto.pid is removed when rebooting. If this file is present, Pluto does not come up correctly.

    Slackware

    Subject: Re: linux-ipsec: Slackware distribution
      Date:  Thu, 15 Apr 1999 12:07:01 -0700
      From:  Evan Brewer <dmessiah@silcon.com>
    
    > Very shortly, I will be needing to install ipsec on at least gateways that
    > are running Slackware. . . .
    
    The only trick to getting it up is that on the slackware dist there is no
    init.d directory in /etc/rc.d .. so create one.  Then, what I do is take the
    ipsec startup script which normally gets put into the init.d directory, and
    put it in /etc/rc.d and name ir rc.ipsec .. then I symlink it to the file
    in init.d.  The only file in the dist you need to really edit is the
    utils/Makefile, setup4:
    
    Everything else should be just fine.

    Debian

    Subject: FreeS/WAN 1.0 on Debian 2.1
       Date: Tue, 20 Apr 1999
      From:  Tim Miller <cerebus+counterpane@haybaler.sackheads.org>
    
            Compiled and installed without error on a Debian 2.1 system
    with kernel-source-2.0.36 after pointing RCDIR in utils/Makefile to
    /etc/init.d.
    
            /var/lock/subsys/ doesn't exist on Debian boxen, needs to be
    created; not a fatal error.
    
            Finally, ipsec scripts appear to be dependant on GNU awk
    (gawk); the default Debian awk (mawk-1.3.3-2) had fatal difficulties.
    With gawk installed and /etc/alternatives/awk linked to /usr/bin/gawk
    operation appears flawless.

    The scripts in question have been modified since this was posted. Awk versions should no longer be a problem.

    CPUs other than Intel

    FreeS/WAN has been run sucessfully on a number of different CPU architectures. If you have tried it on one not listed here, please post to the mailing list.

    Corel Netwinder (StrongARM CPU)

    Subject: linux-ipsec: Netwinder diffs
    Date: Wed, 06 Jan 1999
    From: rhatfield@plaintree.com
    
    I had a mistake in my ipsec-auto, so I got things working this morning.
    
    Following are the diffs for my changes.  Probably not the best and cleanest way 
    of doing it, but it works. . . . 

    These diffs are in the 0.92 distribution and any snapshot after Feb 20 1999, so these should work out-of-the-box on Netwinder.

    Yellow Dog Linux on Power PC

    Subject:  Compiling FreeS/WAN 1.1 on YellowDog Linux (PPC)
       Date:  11 Dec 1999
       From:  Darron Froese <darron@fudgehead.com>
    
    I'm summarizing here for the record - because it's taken me many hours to do
    this (multiple times) and because I want to see IPSEC on more linuxes than
    just x86.
    
    Also, I can't remember if I actually did summarize it before... ;-) I'm
    working too many late hours.
    
    That said - here goes.
    
    1. Get your linux kernel and unpack into /usr/src/linux/ - I used 2.2.13.
    <http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.13.tar.bz2>
    
    2. Get FreeS/WAN and unpack into /usr/src/freeswan-1.1
    <ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.1.tar.gz>
    
    3. Get the gmp src rpm from here:
    <ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm>
    
    4. Su to root and do this: rpm --rebuild gmp-2.0.2-9a.src.rpm
    
    You will see a lot of text fly by and when you start to see the rpm
    recompiling like this:
    
    Executing: %build
    + umask 022
    + cd /usr/src/redhat/BUILD
    + cd gmp-2.0.2
    + libtoolize --copy --force
    Remember to add `AM_PROG_LIBTOOL' to `configure.in'.
    You should add the contents of `/usr/share/aclocal/libtool.m4' to
    `aclocal.m4'.
    + CFLAGS=-O2 -fsigned-char
    + ./configure --prefix=/usr
    
    Hit Control-C to stop the rebuild. NOTE: We're doing this because for some
    reason the gmp source provided with FreeS/WAN 1.1 won't build properly on
    ydl.
    
    cd /usr/src/redhat/BUILD/
    cp -ar gmp-2.0.2 /usr/src/freeswan-1.1/
    cd /usr/src/freeswan-1.1/
    rm -rf gmp
    mv gmp-2.0.2 gmp
    
    5. Open the freeswan Makefile and change the line that says:
    KERNEL=$(b)zimage (or something like that) to
    KERNEL=vmlinux
    
    6. cd ../linux/
    
    7. make menuconfig
    Select an option or two and then exit - saving your changes.
    
    8. cd ../freeswan-1.1/ ; make menugo
    
    That will start the whole process going - once that's finished compiling,
    you have to install your new kernel and reboot.
    
    That should build FreeS/WAN on ydl (I tried it on 1.1).
    And a later message on the same topic:
    Subject: Re: FreeS/WAN, PGPnet and E-mail
       Date: Sat, 22 Jan 2000
       From: Darron Froese <darron@fudgehead.com>
    
    on 1/22/00 6:47 PM, Philip Trauring at philip@trauring.com wrote:
    
    > I have a PowerMac G3 ...
    
    The PowerMac G3 can run YDL 1.1 just fine. It should also be able to run
    FreeS/WAN 1.2patch1 with a couple minor modifications:
    
    1. In the Makefile it specifies a bzimage for the kernel compile - you have
    to change that to vmlinux for the PPC.
    
    2. The gmp source that comes with FreeS/WAN (for whatever reason) fails to
    compile. I have gotten around this by getting the gmp src rpm from here:
    
    ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm
    
    If you rip the source out of there - and place it where the gmp source
    resides it will compile just fine.

    Mklinux

    One user reports success on the Mach-based micro kernel Linux.

    Subject: Smiles on sparc and ppc
       Date: Fri, 10 Mar 2000
       From: Jake Hill <jah@alien.bt.co.uk>
    
    You may or may not be interested to know that I have successfully built
    FreeS/WAN on a number of non intel alpha architectures; namely on ppc
    and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
    works, mostly, with few changes.

    Alpha 64-bit processors

    Subject: IT WORKS (again) between intel & alpha :-)))))
       Date: Fri, 29 Jan 1999
       From: Peter Onion <ponion@srd.bt.co.uk>
    
    Well I'm happy to report that I've got an IPSEC connection between by intel & alpha machines again :-))
    
    If you look back on this list to 7th of December I wrote...
    
    -On 07-Dec-98 Peter Onion wrote:
    -> 
    -> I've about had enuf of wandering around inside the kernel trying to find out
    -> just what is corrupting outgoing packets...
    -
    -Its 7:30 in the evening .....
    -
    -I FIXED IT  :-))))))))))))))))))))))))))))))))
    -
    -It was my own fault :-((((((((((((((((((
    -
    -If you ask me very nicly I'll tell you where I was a little too over keen to
    -change unsigned long int __u32 :-)  OPSE ...
    -
    -So tomorrow it will full steam ahead to produce a set of diffs/patches against
    -0.91 
    -
    -Peter Onion.
    

    In general (there have been some glitches), FreeS/WAN has been running on Alphas since then.

    Sun SPARC processors

    Several users have reported success with FreeS/WAN on SPARC Linux. Here is one mailing list message:

    Subject: Smiles on sparc and ppc
       Date: Fri, 10 Mar 2000
       From: Jake Hill <jah@alien.bt.co.uk>
    
    You may or may not be interested to know that I have successfully built
    FreeS/WAN on a number of non intel alpha architectures; namely on ppc
    and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
    works, mostly, with few changes.
    
    I have a question, before I make up some patches. I need to hack
    gmp/mpn/powerpc32/*.s to build them. Is this ok? The changes are
    trivial, but could I also use a different version of gmp? Is it vanilla
    here?
    
    I guess my only real headache is from ipchains, which appears to stop
    running when IPSec has been started for a while. This is with 2.2.14 on
    sparc.

    This message, from a different mailing list, may be relevant for anyone working with FreeS/WAN on Suns:

    Subject: UltraSPARC DES assembler
       Date: Thu, 13 Apr 2000
       From: svolaf@inet.uni2.dk (Svend Olaf Mikkelsen)
         To: coderpunks@toad.com
    
    An UltraSPARC assembler version of the LibDES/SSLeay/OpenSSL des_enc.c
    file is available at http://inet.uni2.dk/~svolaf/des.htm.
    
    This brings DES on UltraSPARC from slower than Pentium at the same
    clock speed to significantly faster.
    

    MIPS processors

    We know FreeS/WAN runs on at least some MIPS processors because Lasat (who host our freeswan.org web site) manufacture an IPSEC box based on an embedded MIPS running Linux with FreeS/WAN. We have no details.

    Motorola Coldfire

    Subject: Re: Crypto hardware support
       Date: Mon, 03 Jul 2000
       From: Dan DeVault <devault@tampabay.rr.com>
    
    .... I have been running
    uClinux with FreeS/WAN 1.4 on a system built by Moreton Bay  (
    http://www.moretonbay.com )  and it was using a Coldfire processor
    and was able to do the Triple DES encryption at just about
    1 mbit / sec rate.......  they put a Hi/Fn 7901 hardware encryption
    chip on their board and now their system does over 25 mbit of 3DES
    encryption........ pretty significant increase if you ask me.
    

    Support for crypto hardware

    Supporting hardware cryptography accelerators has not been a high priority for the development team because it raises a number of fairly complex issues:

    That said, we have a report of FreeS/WAN working with one crypto accelerator and some work is going on to modify KLIPS to create a clean generic interface to such products.

    IP version 6 (IPng)

    The Internet currently runs on version four of the IP protocols. IPv4 is what is in the standard Linux IP stack, and what FreeS/WAN was built for. In IPv4, IPSEC is an optional feature.

    The next version of the IP protocol suite is version six, usually abbreviated either as "IPv6" or as "IPng" for "IP: the next generation". For IPv6, IPSEC is a required feature. Any machine doing IPv6 is required to support IPSEC, much as any machine doing (any version of) IP is required to support ICMP.

    So far, Linux has both IPv6 support and IPSEC support, but the two do not work together yet. We, and others, are working on integrating them.

    IPv6 background

    IPv6 has been specified by an IETF working group. The group's page lists over 30 RFCs to date, and many Internet Drafts as well. The overview is RFC 2460. Major features include:

    A number of projects are working on IPv6 implementation. A prominent Open Source effort is KAME , a collaboration among several large Japanese companies to implement IPv6 for Berkeley Unix. Other major players are also working on IPv6. For example, see pages at Sun, Cisco and Microsoft. The 6bone (IPv6 backbone) testbed network has been up for some time. There is an active IPv6 user group.

    One of the design goals for IPv6 was that it must be possible to convert from v4 to v6 via a gradual transition process. Imagine the mess if there were a "flag day" after which the entire Internet used v6, and all software designed for v4 stopped working. Almost every computer on the planet would need major software changes! There would be huge costs to replace older equipment. Implementers would be worked to death before "the day", systems administrators and technical support completely swamped after it. The bugs in every implementation would all bite simultaneously. Large chunks of the net would almost certainly be down for substantial time periods. ...

    Fortunately, the design avoids any "flag day". It is therefore a little tricky to tell how quickly IPv6 will take over. The transition has certainly begun. For examples, see announcements from NTT and Nokia. However, it is not yet clear how quickly the process will gain momentum, or when it will be completed. Likely large parts of the Internet will remain with IPv4 for years to come.

    IPv6 on Linux

    There is a Linux implementation of IPv6 in Linux kernels 2.2 and above. For details, see the FAQ. It does not yet support IPSEC. The USAGI project are also working on IPv6 for Linux.

    FreeS/WAN and IPv6

    FreeS/WAN was originally built for the current standard, IPv4, but we are interested in seeing it work with IPv6. Project technical lead Henry Spencer summarized the situation, as of April 2000, thus:

    We are interested in IPv6 support, but so far it has been a low priority:
    we've been too busy with IPv4.  (We have one volunteer contributor who's
    made a start on it, ...)
    

    and the volunteer in question writes:

    From: Gerhard Gessler <gessler@iabg.de>
    
    I have the library of FreeSWAN 1.3 ported to support IPv6 and I'm
    testing my code for IPv6 support in Pluto. ...
    

    By September, for the 1.6 release, Henry had incorporated Gerhard's library changes and made some of his own. Much of the work on IPv6 support in pluto(8) is done, but not yet well tested.

    Neither KLIPS nor ipsec auto(8) has v6 support yet at time or writing (mid-November 2000).

    For more recent information, check the mailing list.


    Contents Previous Next