2013.10.24

[uclinux-h8/uClinux-dist.git] / freeswan / doc / intro.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE> Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
</HEAD>
<BODY>
<A HREF="toc.html">Contents</a>
<A HREF="install.html">Next</a>
<HR>
<H1><A name="intro">Introduction</A></H1>
<P>This section gives an overview of:</P>
<UL>
<LI>what IP Security (IPSEC) does</LI>
<LI>how IPSEC works</LI>
<LI>why we are implementing it for Linux</LI>
<LI>how this implementation works</LI>
</UL>
<P> This section is intended to cover only the essentials, <EM>things 
you should know before trying to use FreeS/WAN.</EM></P>
<P> For more detailed background information, see the <A href="politics.html">
history and politics</A> and <A href="ipsec.html">IPSEC protocols</A>
 sections.</P>
<H2><A name="ipsec.intro">IPSEC, Security for the Internet Protocol</A></H2>
<P> FreeS/WAN is a Linux implementation of the IPSEC (IP security) 
protocols. IPSEC provides encryption and authentication services at the 
IP (Internet Protocol) level of the network protocol stack. </P>
<P> Working at this level, IPSEC can protect any traffic carried over 
IP, unlike other encryption which generally protects only a particular 
higher-level protocol -- <A href="glossary.html#PGP">PGP</A> for mail, <A
href="glossary.html#SSH">SSH</A> for remote login, <A href="glossary.html#SSL">
SSL</A> for web work, and so on. This has both advantages and 
disadvantages, discussed in our <A href="ipsec.html#others">IPSEC 
section</A></P>
<P> IPSEC can be used on any machine which does IP networking. 
Dedicated IPSEC gateway machines can be installed wherever required to 
protect traffic. IPSEC can also run on routers, on firewall machines, 
on various application servers, and on end-user desktop or laptop 
machines. </P>
<P> Three protocols are used</P>
<UL>
<LI><A href="glossary.html#AH">AH</A> (Authentication Header) provides 
a packet-level authentication service</LI>
<LI><A href="glossary.html#ESP">ESP</A> (Encapsulating Security 
Payload) provides encryption plus authentication</LI>
<LI><A href="glossary.html#IKE">IKE</A> (Internet Key Exchange) 
negotiates connection parameters, including  keys, for the other two</LI>
</UL>
<P> Our implementation has three main parts:</P>
<UL>
<LI><A href="glossary.html#KLIPS">KLIPS</A> (kernel IPSEC) implements 
AH, ESP, and packet handling within the  kernel</LI>
<LI><A href="glossary.html#Pluto">Pluto</A> (an IKE daemon) implements 
IKE, negotiating connections with other  systems</LI>
<LI>various scripts provide an adminstrator's interface to the 
 machinery</LI>
</UL>
<P> IPSEC is optional for the current (version 4) Internet Protocol. 
FreeS/WAN adds IPSEC to the Linux IPv4 network stack. Implementations 
of <A href="glossary.html#ipv6.gloss">IP version 6</A> are required to 
include IPSEC. Work toward integrating FreeS/WAN into the Linux IPv6 
stack has <A href="compat.html#ipv6">started</A>.</P>
<P>For more information on IPSEC, see our <A href="ipsec.html">IPSEC 
protocols</A> section, our collection of <A href="web.html#ipsec.link">
IPSEC links</A> or the <A href="rfc.html">RFCs</A> which are the 
official definitions of these protocols.</P>
<H3><A name="intro.interop">Interoperating with other IPSEC 
implementations</A></H3>
<P>IPSEC is designed to let different implementations work together. We 
provide:</P>
<UL>
<LI>a <A href="web.html#implement">list</A> of some other 
implementations</LI>
<LI>information on <A href="interop.html">using FreeS/WAN with other 
 implementations</A></LI>
</UL>
<P> The VPN Consortium fosters cooperation among implementers and 
interoperability among implementations. Their <A href="http://www.vpnc.org/">
web site</A> has much more information. </P>
<H3><A name="applications">Applications of IPSEC</A></H3>
<P> Because IPSEC operates at the network layer, it is remarkably 
flexible and can be used to secure nearly any type of Internet traffic. 
Two applications, however, are extremely widespread:</P>
<UL>
<LI>a <A href="glossary.html#VPN">Virtual Private Network</A>, or VPN, 
allows multiple  sites to communicate securely over an insecure 
Internet by encrypting all  communication between the sites.</LI>
<LI>&quot;Road Warriors&quot; connect to the office from home, or perhaps from a 
hotel  somewhere</LI>
</UL>
<P> There is enough opportunity in these applications that vendors are 
flocking to them. IPSEC is being built into routers, into firewall 
products, and into major operating systems, primarily to support these 
applications. See our <A href="web.html#implement">list</A> of 
implementations for details. </P>
<P> We support both of those applications, and various less common 
IPSEC applications as well, but we also add one of our own:</P>
<UL>
<LI>opportunistic encryption, the ability to set up FreeS/WAN gateways 
so  that any two of them can encrypt to each other, and will do so 
whenever  packets pass between them.</LI>
</UL>
<P>This is an extension we are adding to the protocols. FreeS/WAN is 
the first prototype implementation, though we hope other IPSEC 
implementations will adopt the technique once we demonstrate it. See <A href="#goals">
project goals</A> below for why we think this is important.</P>
<P>A somewhat more detailed description of each of these applications 
is below. Our <A href="config.html">setup</A> section will show you how 
to build each of them.</P>
<H4><A name="makeVPN">Using secure tunnels to create a VPN</A></H4>
<P> A VPN, or <STRONG>V</STRONG>irtual <STRONG>P</STRONG>rivate <STRONG>
N</STRONG>etwork lets two networks communicate securely when the only 
connection between them is over a third network which they do not trust.</P>
<P>The method is to put a security gateway machine between each of the 
communicating networks and the untrusted network. The gateway machines 
encrypt packets entering the untrusted net and decrypt packets leaving 
it, creating a secure tunnel through it.</P>
<P>If the cryptography is strong, the implementation is careful, and 
the administration of the gateways is competent, then one can 
reasonably trust the security of the tunnel. The two networks then 
behave like a single large private network, some of whose links are 
encrypted tunnels through untrusted nets.</P>
<P>Actual VPNs are often more complex. One organisation may have fifty 
branch offices, plus some suppliers and clients, with whom it needs to 
communicate securely. Another might have 5,000 stores, or 50,000 
point-of-sale devices. The untrusted network need not be the Internet. 
All the same issues arise on a corporate or institutional network 
whenever two departments want to communicate privately with each other.</P>
<P>Administratively, the nice thing about many VPN setups is that large 
parts of them are static. You know the IP addresses of most of the 
machines involved. More important, you know they will not change on 
you. This simplifies some of the admin work. For cases where the 
addresses do change, see the next section.</P>
<H4><A name="road.intro">Road Warriors</A></H4>
<P> The prototypical &quot;Road Warrior&quot; is a traveller connecting to home 
base from a laptop machine. Administratively, most of the same problems 
arise for a telecommuter connecting from home to the office, especially 
if the telecommuter does not have a static IP address.</P>
<P>For purposes of this document:</P>
<UL>
<LI>anyone with a dynamic IP address is a &quot;Road Warrior&quot;.</LI>
<LI>any machine doing IPSEC processing is a &quot;gateway&quot;. Think of the 
 single-user road warrior machine as a gateway with a degenerate subnet 
 (one machine, itself) behind it.</LI>
</UL>
<P> These require somewhat different setup than VPN gateways with 
static addresses and with client systems behind them, but are basically 
not problematic.</P>
<P> There are some difficulties which appear for some road warrior 
connections:</P>
<UL>
<LI>Road Wariors who get their addresses via DHCP may have a problem. 
 FreeS/WAN can quite happily build and use a tunnel to such an address, 
but  when the DHCP lease expires, FreeS/WAN does not know that. The 
tunnel  fails, and the only recovery method is to tear it down and 
re-build  it.</LI>
<LI>If Network Address Translation (NAT) is applied between the two 
IPSEC  Gateways, this breaks IPSEC. IPSEC authenticates packets on an 
end-to-end  basis, to ensure they are not altered en route. NAT 
rewrites packets as  they go by. See our <A href="firewall.html#NAT">
firewalls</A> document for details.</LI>
</UL>
<P> In most situations, however, FreeS/WAN supports road warrior 
connections just fine.</P>
<H4><A name="opp.intro">Opportunistic encryption</A></H4>
<P> One of the reasons we are working on FreeS/WAN is that it gives us 
the opportunity to add what we call opportuntistic encryption. This 
means that any two FreeS/WAN gateways will be able to encrypt their 
traffic, <EM>even if the two gateway administrators have had no prior 
contact and neither system has any preset information about the other</EM>
.  We hope this will go some distance toward creating a secure 
Internet, an environment where message privacy is the default. See our <A
href="politics.html">history and politics of cryptography</A> section 
for discussion.</P>
<P> Both systems pick up the authentication information they need from 
the <A href="glossary.html#DNS.gloss">DNS</A> (domain name service), 
the service they already use to look up IP addresses. Of course the 
administrators must put that information in the DNS, and must set up 
their gateways with opportunistic encryption enabled.  Once that is 
done, everything is automatic. The gateways look for opportunities to 
encrypt, and encrypt whatever they can. Whether they also accept 
unencrypted communication is a policy decision the administrator can 
make.</P>
<P> A draft document giving most of the details of how we plan to 
implement this has been posted to the mailing list. See <A href="#applied">
links</A> below.</P>
<P> Only one current product we know of implements a form of 
opportunistic encryption. <A href="web.html#ssmail">Secure sendmail</A>
 will automatically encrypt server-to-server mail transfers whenever 
possible.</P>
<H3><A name="types">The need to authenticate gateways</A></H3>
<P>A complication, which applies to any type of connection -- VPN, Road 
Warrior or opportunistic -- is that a secure connection cannot be 
created magically. <EM>There must be some mechanism which enables the 
gateways to reliably identify each other.</EM> Without this, they 
cannot sensibly trust each other and cannot create a genuinely secure 
link.</P>
<P>Any link they do create without some form of <A href="glossary.html#authentication">
authentication</A> will be vulnerable to a <A href="glossary.html#middle">
man-in-the-middle attack</A>. If <A href="glossary.html#alicebob">Alice 
and Bob</A> are the people creating the connection, a villian who can 
re-route or intercept the packets can pose as Alice while talking to 
Bob and pose as Bob while talking to Alice. Alice and Bob then both 
talk to the man in the middle, thinking they are talking to each other, 
and the villain gets everything sent on the bogus &quot;secure&quot; connection.</P>
<P>There are two ways to build links securely, both of which exclude 
the man-in-the middle:</P>
<UL>
<LI>with <STRONG>manual keying</STRONG>, Alice and Bob share a secret 
key  (which must be transmitted securely, perhaps in a note or via PGP 
or SSH)  to encrypt their messages. For FreeS/WAN, such keys are stored 
in the <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> file. Of 
course, if  an enemy gets the key, all is lost.</LI>
<LI>with <STRONG>automatic keying</STRONG>, the two systems 
authenticate  each other and negotiate their own secret keys. The keys 
are automatically  changed periodically.</LI>
</UL>
<P> Automatic keying is much more secure, since if an enemy gets one 
key only messages between the previous re-keying and the next are 
exposed. It is therefore the usual mode of operation for most IPSEC 
deployment, and the mode we use in our setup examples. FreeS/WAN does 
support manual keying for special circumstanes. See this <A href="config.html#prodman">
section</A>. </P>
<P> For automatic keying, the two systems must authenticate each other 
during the negotiations. There is a choice of methods for this:</P>
<UL>
<LI>a <STRONG>shared secret</STRONG> provides authentication. If Alice 
and  Bob are the only ones who know a secret and Alice recives a 
message which  could not have been created without that secret, then 
Alice can safely  believe the message came from Bob.</LI>
<LI>a <A href="glossary.html#public">public key</A> can also provide 
authentication. If  Alice receives a message signed with Bob's private 
key (which of course  only he should know) and she has a trustworthy 
copy of his public key (so  that she can verify the signature), then 
she can safely believe the  message came from Bob.</LI>
</UL>
<P> Public key techniques are much preferable, for reasons discussed <A href="config.html#choose">
later</A>, and will be used in all our setup examples. FreeS/WAN does 
also support auto-keying with shared secret authentication. See this <A href="config.html#prodsecrets">
section</A>.</P>
<H2><A name="project">The FreeS/WAN project</A></H2>
<H3><A name="goals">Project goals</A></H3>
<P> Our overall goal in FreeS/WAN is to make the Internet more secure 
and more private.</P>
<P> Our IPSEC implementation supports VPNs and Road Warriors of course. 
Those are important applications. Many users will want FreeS/WAN to 
build corporate VPNs or to provide secure remote access. </P>
<P> However, our goals in building it go beyond that. We are trying to 
help <STRONG>build security into the fabric of the Internet</STRONG> so 
that anyone who choses to communicate securely can do so, as easily as 
they can do anything else on the net.</P>
<P>More detailed objectives are:</P>
<UL>
<LI>help make IPSEC widespread by providing an implementation with no 
 restrictions: 
<UL>
<LI>freely available in source code under the <A href="glossary.html#GPL">
GNU General  Public License</A></LI>
<LI>running on a range of readily available hardware</LI>
<LI>not subject to US or other nations' <A href="politics.html#exlaw">
export  restrictions</A>.
<BR> Note that in order to avoid <EM>even the appearance</EM> of being 
 subject to those laws, the project cannot accept software 
 contributions -- <EM>not even one-line bug fixes</EM> -- from US 
 residents or citizens.</LI>
</UL>
</LI>
<LI>provide a high-quality IPSEC implementation for Linux 
<UL>
<LI>portable to all CPUs Linux supports: <A href="compat.html#CPUs">
(current  list)</A></LI>
<LI>interoperable with other IPSEC implementations: <A href="interop.html">
(current list)</A></LI>
</UL>
</LI>
<LI>extend IPSEC to do <A href="glossary.html#carpediem">opportunistic 
encryption</A> so  that 
<UL>
<LI>any two systems can secure their communications without a 
pre-arranged connection</LI>
<LI>secure connections can be the default, falling back to unencrypted 
connections only  if: 
<UL>
<LI><EM>both</EM> the partner is not set up to co-operate on securing 
the connection </LI>
<LI><EM>and</EM> your policy allows insecure connections </LI>
</UL>
</LI>
<LI>a significant fraction of all Internet traffic is encrypted</LI>
</UL>
</LI>
</UL>
<P> If we can get opportunistic encryption implemented and widely 
deployed, then it becomes impossible for even huge well-funded agencies 
to monitor the net. </P>
<P> See also our section on <A href="politics.html">history and politics</A>
 of cryptography, which includes our project leader's <A href="politics.html#gilmore">
rationale</A> for starting the project.</P>
<H3><A name="staff">Project team</A></H3>
 Two of the team are from the US and can therefore contribute no code: 
<UL>
<LI>John Gilmore: founder and policy-maker (<A href="http://www.toad.com/gnu/">
home page</A>) </LI>
<LI>Hugh Daniel: project manager, Most Demented Tester, and 
occasionally Pointy-Haired Boss </LI>
</UL>
 The rest of the team are Canadians, working in Canada. (<A href="politics.html#status">
Why Canada?</A>) 
<UL>
<LI>Henry Spencer: technical lead, script programming </LI>
<LI>Hugh Redelmeier: <A href="glossary.html#Pluto">Pluto daemon</A>
 programmer </LI>
<LI>Richard Guy Briggs: <A href="glossary.html#KLIPS">KLIPS</A>
 programmer </LI>
<LI>Claudia Schmeing: technical support via the <A href="mail.html">
mailing lists</A></LI>
<LI>Sandy Harris: documentation </LI>
</UL>
 The project is funded by civil libertarians who consider our goals 
worthwhile. The team are paid for this work. 
<P> People outside this core team have made substantial contributions. 
See </P>
<UL>
<LI>our <A href="../CREDITS">CREDITS</A> file </LI>
<LI>the <A href="web.html#patch">patches and add-ons</A> section of our 
web references file </LI>
<LI>lists below of user-written <A href="#howto">HowTos</A> and <A href="#applied">
other papers</A></LI>
</UL>
 Additional contributions are welcome. See the <A href="faq.html#contrib.faq">
FAQ</A> for details. 
<H3><A name="webdocs">Information on the web</A></H3>
<UL>
<LI>current site, <A href="http://liberty.freeswan.org">freeswan.org</A></LI>
<LI>original project site at <A href="http://www.xs4all.nl/~freeswan">
xs4all.nl</A></LI>
</UL>
<A name="sites">
<H3><A name="sites">Distribution sites</A></H3>
 FreeS/WAN is available from a number of sites: 
<UL>
<LI>Primary site, in Holland: 
<UL>
<LI><A href="http://www.xs4all.nl/~freeswan">HTTP</A></LI>
<LI><A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">FTP</A></LI>
</UL>
</LI>
<LI><A href="http://www.flora.org/freeswan">Eastern Canada</A> (limited 
 resouces)</LI>
<LI><A href="ftp://ludwig.doculink.com/pub/freeswan/">Eastern Canada</A>
 (has older versions too)</LI>
<LI><A href="ftp://ntsc.notBSD.org/pub/crypto/freeswan/">Eastern Canada</A>
 (has older versions too)</LI>
<LI><A href="ftp://ftp.kame.net/pub/freeswan/">Japan</A></LI>
<LI><A href="ftp://ftp.futuredynamics.com/freecrypto/FreeSWAN/">Hong 
 Kong</A></LI>
<LI><A href="ftp://ipsec.dk/pub/freeswan/">Denmark</A></LI>
<LI><A href="ftp://ftp.net.lut.ac.uk/freeswan">the UK</A></LI>
<LI><A href="http://storm.alert.sk/comp/mirrors/freeswan/">Slovak 
 Republic</A></LI>
<LI><A href="http://the.wiretapped.net/security/vpn-tunnelling/freeswan/">
Australia</A></LI>
<LI><A href="http://freeswan.technolust.cx/">technolust</A></LI>
<LI>Ivan Moore's <A href="http://snowcrash.tdyc.com/freeswan/">site</A></LI>
<LI>the <A href="http://www.cryptoarchive.net/">Crypto Archive</A> on 
the <A href="http://www.securityportal.com/"> Security Portal</A> site </LI>
</UL>
<H4><A name="munitions">The &quot;munitions&quot; archive of Linux crypto software</A>
</H4>
 There is also an archive of Linux crypto software called &quot;munitions&quot;, 
with its own mirrors in a number of countries. It includes FreeS/WAN, 
though not always the latest version. Some of its sites are: 
<UL>
<LI><A href="http://munitions.vipul.net/">Germany</A></LI>
<LI><A href="http://munitions.iglu.cjb.net/">Italy</A></LI>
<LI><A href="http://munitions2.xs4all.nl/">Netherlands</A></LI>
</UL>
<P> Any of those will have a list of other &quot;munitions&quot; mirrors. </P>
<H3><A name="archives">Archives of the project mailing list</A></H3>
 Until quite recently, there was only one FreeS/WAN mailing list, and 
archives of it were: 
<UL>
<LI><A href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</A></LI>
<LI><A href="http://www.nexial.com">Holland</A></LI>
</UL>
 The two archives use completely different search engines. You might 
want to try both.
<P> More recently we have expanded to five lists, each with its own 
archive. </P>
<P><A href="mail.html"> More information</A> on mailing lists.</P>
<H2><A name="products">Products containing FreeS/WAN</A></H2>
<P> Unfortunately the <A href="politics.html#exlaw">export laws</A> of 
some countries restrict the distribution of strong cryptography. 
FreeS/WAN is therefore not in the standard Linux kernel and not in all 
CD or web distributions.</P>
<H3><A name="distwith">Full Linux distributions</A></H3>
<P>FreeS/WAN is included in various general-purpose Linux distributions 
from countries (shown in brackets) with more sensible laws:</P>
<UL>
<LI>European versions of <A href="http://www.suse.com/">SuSE Linux</A>
 (Germany)</LI>
<LI><A href="http://www.conectiva.com">Conectiva</A> (Brazil)</LI>
<LI>the server edition of <A href="http://www.corel.com">Corel</A>
 Linux (Canada)</LI>
<LI>the <A href="http://www.pld.org.pl/">Polish(ed) Linux Distribution</A>
 (Poland)</LI>
<LI><A href="http://www.trustix.net/">Trustix Secure Linux</A> (Norway) </LI>
</UL>
<P> For distributions which do not include FreeS/WAN and are not Redhat 
(which we develop and test on), there is additional information in our <A
href="compatibility.html#otherdist">compatibility</A> section.</P>
<P> We would appreciate hearing of other distributions using FreeS/WAN.</P>
<H3><A name="fw_dist">Firewall distributions</A></H3>
 FreeS/WAN is also included in, or available for, more specialised 
distributions intended for firewall and router applications: 
<UL>
<LI><A href="http://www.gibraltar.at/">Gibraltar</A> is based on Debian 
GNU/Linux.  It is bootable directly from CD-ROM,  usable on a machine 
without hard disk. </LI>
<LI>The <A href="http://www.linuxrouter.org/">Linux Router Project</A>
 produces a distribution that will boot from a single floppy. Charles 
 Steinkuehler's LRP site provides <A href="http://lrp.steinkuehler.net/Packages/ipsec1.5.htm">
 FreeS/WAN packaged for LRP</A>. </LI>
<LI><A href="http://www.astaro.com/products/index.html">Astaro Security 
Linux</A> includes FreeS/WAN.  It has some web-based tools for managing 
the firewall that include FreeS/WAN configuration  management.</LI>
<LI><A href="http://www.linuxwall.de">Linuxwall</A></LI>
</UL>
<P> There are also several sets of scripts available for managing a 
firewall which is also acting as a FreeS/WAN IPSEC gateway. See this <A href="firewall.html#examplefw">
list</A>. </P>
<P> We would appreciate hearing of other specialised distributions 
using FreeS/WAN, or other script sets.</P>
<H3><A name="turnkey">Firewall and VPN products</A></H3>
<P>Several vendors use FreeS/WAN as the IPSEC component of a turnkey 
firewall or VPN product:</P>
<UL>
<LI>The <A href="http://www.lasat.com">LASAT SafePipe[tm]</A> series. 
is an  IPSEC box based on an embedded MIPS running Linux with FreeS/WAN 
and a  web-config front end. This company also host our freeswan.org 
web  site.</LI>
<LI><A href="www.rebel.com">Rebel.com</A>, makers of the Netwinder ARM 
Linux  machine, have a new (mid-2000) division <A href="http://www.rebel.com/solutions/smb/rn-what.html">
Rebel Networks</A> whose product uses FreeS/WAN.</LI>
<LI><A href="http://www.linuxmagic.com/vpn/index.html">Linux Magic</A>
 offer  a VPN/Firewall product using FreeS/WAN</LI>
<LI>The Software Group's <A href="http://www.wanware.com/sentinet/">
Sentinet</A> product uses  FreeS/WAN</LI>
<LI><A href="http://www.merilus.com">Merilus</A> use FreeS/WAN in their 
Gateway Guardian firewall  product and in their <A href="http://www.merilus.com/firecard/index.shtml">
Firecard</A> product, a Linux firewall on a PCI card. </LI>
<LI><A href="http://www.kyzo.com/">Kyzo</A> have a &quot;pizza box&quot; product 
line with various types of  server, all running from flash. One of them 
is an IPSEC/PPTP VPN server. </LI>
<LI><A href="http://www.linuxcare.com">Linuxcare</A> have &quot;bootable 
business card&quot;  usable as a recovery disk for broken Linux systems. </LI>
</UL>
<P>We would appreciate hearing of other products using FreeS/WAN.</P>
<H2><A name="docs">Documentation</A></H2>
<H3><A name="docformats">This HowTo, in multiple formats</A></H3>
<P> FreeS/WAN documentation up to version 1.5 was available only in 
HTML. Now we ship two formats: </P>
<UL>
<LI>as HTML, one file for each doc section plus a global <A href="toc.html">
Table of Contents</A></LI>
<LI><A href="HowTo.html">one big HTML file</A> for easy searching</LI>
</UL>
 and provide a Makefile to generate other formats if required:
<UL>
<LI><A href="HowTo.pdf">PDF</A></LI>
<LI><A href="HowTo.ps">Postscript</A></LI>
<LI><A href="HowTo.txt">ASCII text</A></LI>
</UL>
<P> The Makefile assumes the htmldoc tool is available. You can 
download it from <A href="http://www.easysw.com">Easy Software</A>. You 
may need to get source code and change some of the limits in <NOBR><VAR>
#define MAX_&lt;whatever&gt;</VAR></NOBR> statements near the end of its <VAR>
config.h.in</VAR> file. Otherwise it core dumps when those limits are 
exceeded on large files such as our glossary.html.</P>
<P> All formats should be available at the following websites: </P>
<UL>
<LI><A href="http://www.freeswan.org/doc.html">FreeS/WAN project</A></LI>
<LI><A href="http://www.linuxdoc.org">Linux Documentation Project</A></LI>
</UL>
<P> The distribution tarball has only the two HTML formats.</P>
<P><STRONG> Note:</STRONG> If you need the latest doc version, for 
example to see if anyone has managed to set up interoperation between 
FreeS/WAN and whatever, then you should download the current snapshot. 
What is on the web is documentation as of the last release. Snapshots 
have all changes I've checked in to date. </P>
<H3><A name="text">Other documents in the distribution</A></H3>
<P>Text files in the main distribution directory are README, INSTALL, 
CREDITS, CHANGES, BUGS and COPYING.</P>
<P> FreeS/WAN commands and library routines are documented in standard 
Unix manual pages, accessible via the <VAR>man(1)</VAR> command. We 
also provide them in HTML, accessible from this <A href="manpages.html">
index</A>. In the event of disagreement between this HowTo and the man 
pages, the man pages are more likely correct since they are written by 
the implementers. Please report any such inconsistency on the <A href="mail.html">
mailing list</A>.</P>
<P>The gmp (GNU multi-precision arithmetic) and Libdes (encryption) 
libraries which we use each have their own documentation. You can find 
it in those library directories.</P>
<H3><A name="howto">User-written HowTo information</A></H3>
<P> Various user-written HowTo documents are available. The ones 
covering FreeS/WAN-to-FreeS/WAN connections are:</P>
<UL>
<LI>Jean-Francois Nadeau's <A href="http://jixen.tripod.com/">practical 
 configurations</A> document</LI>
<LI>Jens Zerbst's HowTo on <A href="http://dynipsec.tripod.com/">Using 
FreeS/WAN with dynamic IP  addresses</A>. </LI>
<LI>an entry in Kurt Seifried's <A href="http://www.securityportal.com/lskb/kben00000013.html">
 Linux Security Knowledge Base</A>. </LI>
<LI>a section of David Ranch's <A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
Trinity  OS Guide</A></LI>
<LI>a section in David Bander's book <A href="biblio.html#bander">Linux 
Security Toolkit</A></LI>
</UL>
<P> User-wriiten HowTo material may be <STRONG>especially helpful if 
you need to interoperate with another IPSEC implementation</STRONG>. We 
have neither the equipment nor the manpower to test such 
configurations. Users seem to be doing an admirable job of filling the 
gaps.</P>
<UL>
<LI>list of user-written <A href="interop.html#otherpub">interoperation 
HowTos</A> in our interop document </LI>
</UL>
<P> Check what version of FreeS/WAN user-written documents cover. The 
software is under active development and the current version may be 
significantly different from what an older document describes.</P>
<H3><A name="applied">Papers on FreeS/WAN</A></H3>
<P> Two design documents show current team thinking on new 
developments: </P>
<UL>
<LI><A href="opportunism.spec">Opportunistic Encryption</A> by 
technical lead Henry Spencer and Pluto programmer Hugh Redelemeier </LI>
<LI><A href="klips2.spec">KLIPS II Design</A> by kernel programmer 
Richard Guy Briggs </LI>
</UL>
 Both documents are works in progress and frequently revised. The most 
recent versions can be found either in FreeS/WAN snapshots or on the <A href="mail.html">
design mailing list</A>. Comments should go to that list. 
<P> A number of papers giving further background on FreeS/WAN, or 
exploring its future or its applications, are also available:</P>
<UL>
<LI>Both Henry and Richard gave talks on FreeS/WAN at the 2000 <A href="http://www.linuxsymposium.org">
Ottawa Linux Symposium</A>. 
<UL>
<LI>Richard's <A href="http://www.conscoop.ottawa.on.ca/rgb/freeswan/ols2k/">
slides</A></LI>
<LI>Henry's paper</LI>
<LI>MP3 audio of their talks is available from the <A href="http://www.linuxsymposium.org/">
conference page</A></LI>
</UL>
</LI>
<LI><CITE>Moat: A Virtual Private Network Appliances and Services 
 Platform</CITE> is a paper about large-scale (a few 100 links) use of 
 FreeS/WAN in a production application at AT&amp;T research. It is 
 available in Postscript or PDF from co-author Steve Bellovin's <A href="http://www.research.att.com/~smb/papers/index.html">
papers list  page</A>.</LI>
<LI>One of the Moat co-authors, John Denker, has also written 
<UL>
<LI>a <A href="http://www.quintillion.com/fdis/moat/ipsec+routing/">
proposal</A> for how future versions of FreeS/WAN might interact with 
routing  protocols</LI>
<LI>a <A href="http://www.quintillion.com/fdis/moat/wishlist.html">
wishlist</A> of possible new features</LI>
</UL>
</LI>
<LI>Bart Trojanowski's web page has a draft design for <A href="http://www.jukie.net/~bart/linux-ipsec/">
 hardware acceleration</A> of FreeS/WAN </LI>
<LI>Feczak Szabolcs' <A href="http://feczo.koli.kando.hu/vpn/">thesis</A>
, in Hungarian </LI>
</UL>
<P> Several of these provoked interesting discussions on the mailing 
lists, worth searching for in the <A href="mail.html#archive">archives</A>
. </P>
<H3><A name="test">Test results</A></H3>
<UL>
<LI><A href="http://tsc.llwybr.org.uk/public/reports/SWANTIME/">Speed 
test  results</A> from a Welsh university.</LI>
</UL>
<P> Interoperability test results are in our <A href="web.html#result">
web links</A> document. </P>
<H2><A name="licensing">License and copyright information</A></H2>
 All code and documentation written for this project is distributed 
under either the GNU General Public License (<A href="glossary.html#GPL">
GPL</A>) or the GNU Library General Public License. For details see the 
COPYING file in the distribution. 
<P>Not all code in the distribution is ours, however. See the CREDITS 
file for details. In particular, note that the <A href="glossary.html#LIBDES">
Libdes</A> library has its own license.</P>
<H2><A NAME="1_6">Links to other sections</A></H2>
<P>For more detailed background information, see:</P>
<UL>
<LI><A href="politics.html">history and politics</A> of cryptography</LI>
<LI><A href="ipsec.html">IPSEC protocols</A></LI>
</UL>
<P> To begin working with FreeS/WAN, go to: </P>
<UL>
<LI><A href="install.html">installation</A> if you need to install 
FreeS/WAN</LI>
<LI><A href="config.html">setup</A> if your distribution came with 
FreeS/WAN so  you just need to configure your IPSEC links</LI>
</UL>
<HR>
<A HREF="toc.html">Contents</a>
<A HREF="install.html">Next</a>
</BODY>
</HTML>