3 <meta http-equiv="Content-Type" content="text/html">
4 <title>Introduction to FreeS/WAN</title>
6 content="Linux, IPsec, VPN, security, FreeSWAN, introduction">
9 Written by Sandy Harris for the Linux FreeS/WAN project
10 Freely distributable under the GNU General Public License
12 More information at www.freeswan.org
13 Feedback to users@lists.freeswan.org
16 RCS ID: $Id: intro.html,v 1.70 2002/03/29 18:40:07 sandy Exp $
17 Last changed: $Date: 2002/03/29 18:40:07 $
18 Revision number: $Revision: 1.70 $
20 CVS revision numbers do not correspond to FreeS/WAN release numbers.
25 <h1><a name="intro">Introduction</a></h1>
27 <p>This section gives an overview of:</p>
29 <li>what IP Security (IPsec) does</li>
30 <li>how IPsec works</li>
31 <li>why we are implementing it for Linux</li>
32 <li>how this implementation works</li>
35 <p>This section is intended to cover only the essentials, <em>things you
36 should know before trying to use FreeS/WAN.</em></p>
38 <p>For more detailed background information, see the <a
39 href="politics.html">history and politics</a> and <a href="ipsec.html">IPsec
40 protocols</a> sections.</p>
42 <h2><a name="ipsec.intro">IPsec, Security for the Internet Protocol</a></h2>
44 <p>FreeS/WAN is a Linux implementation of the IPsec (IP security) protocols.
45 IPsec provides <a href="glossary.html#encryption">encryption</a> and <a
46 href="glossary.html#authentication">authentication</a> services at the IP
47 (Internet Protocol) level of the network protocol stack.</p>
49 <p>Working at this level, IPsec can protect any traffic carried over IP,
50 unlike other encryption which generally protects only a particular
51 higher-level protocol -- <a href="glossary.html#PGP">PGP</a> for mail, <a
52 href="glossary.html#SSH">SSH</a> for remote login, <a
53 href="glossary.html#SSL">SSL</a> for web work, and so on. This approach has
54 both considerable advantages and some limitations. For discussion, see our <a
55 href="ipsec.html#others">IPsec section</a></p>
57 <p>IPsec can be used on any machine which does IP networking. Dedicated IPsec
58 gateway machines can be installed wherever required to protect traffic. IPsec
59 can also run on routers, on firewall machines, on various application
60 servers, and on end-user desktop or laptop machines.</p>
62 <p>Three protocols are used</p>
64 <li><a href="glossary.html#AH">AH</a> (Authentication Header) provides a
65 packet-level authentication service</li>
66 <li><a href="glossary.html#ESP">ESP</a> (Encapsulating Security Payload)
67 provides encryption plus authentication</li>
68 <li><a href="glossary.html#IKE">IKE</a> (Internet Key Exchange) negotiates
69 connection parameters, including keys, for the other two</li>
72 <p>Our implementation has three main parts:</p>
74 <li><a href="glossary.html#KLIPS">KLIPS</a> (kernel IPsec) implements AH,
75 ESP, and packet handling within the kernel</li>
76 <li><a href="glossary.html#Pluto">Pluto</a> (an IKE daemon) implements IKE,
77 negotiating connections with other systems</li>
78 <li>various scripts provide an adminstrator's interface to the
82 <p>IPsec is optional for the current (version 4) Internet Protocol. FreeS/WAN
83 adds IPsec to the Linux IPv4 network stack. Implementations of <a
84 href="glossary.html#ipv6.gloss">IP version 6</a> are required to include
85 IPsec. Work toward integrating FreeS/WAN into the Linux IPv6 stack has <a
86 href="compat.html#ipv6">started</a>.</p>
88 <p>For more information on IPsec, see our <a href="ipsec.html">IPsec
89 protocols</a> section, our collection of <a href="web.html#ipsec.link">IPsec
90 links</a> or the <a href="rfc.html">RFCs</a> which are the official
91 definitions of these protocols.</p>
93 <h3><a name="intro.interop">Interoperating with other IPsec
94 implementations</a></h3>
96 <p>IPsec is designed to let different implementations work together. We
99 <li>a <a href="web.html#implement">list</a> of some other
101 <li>information on <a href="interop.html">using FreeS/WAN with other
102 implementations</a></li>
105 <p>The VPN Consortium fosters cooperation among implementers and
106 interoperability among implementations. Their <a
107 href="http://www.vpnc.org/">web site</a> has much more information.</p>
109 <h3><a name="applications">Applications of IPsec</a></h3>
111 <p>Because IPsec operates at the network layer, it is remarkably flexible and
112 can be used to secure nearly any type of Internet traffic. Two applications,
113 however, are extremely widespread:</p>
115 <li>a <a href="glossary.html#VPN">Virtual Private Network</a>, or VPN,
116 allows multiple sites to communicate securely over an insecure Internet
117 by encrypting all communication between the sites.</li>
118 <li>"Road Warriors" connect to the office from home, or perhaps from a
122 <p>There is enough opportunity in these applications that vendors are
123 flocking to them. IPsec is being built into routers, into firewall products,
124 and into major operating systems, primarily to support these applications.
125 See our <a href="web.html#implement">list</a> of implementations for
128 <p>We support both of those applications, and various less common IPsec
129 applications as well, but we also add one of our own:</p>
131 <li>opportunistic encryption, the ability to set up FreeS/WAN gateways so
132 that any two of them can encrypt to each other, and will do so whenever
133 packets pass between them.</li>
136 <p>This is an extension we are adding to the protocols. FreeS/WAN is the
137 first prototype implementation, though we hope other IPsec implementations
138 will adopt the technique once we demonstrate it. See <a href="#goals">project
139 goals</a> below for why we think this is important.</p>
141 <p>A somewhat more detailed description of each of these applications is
142 below. Our <a href="quickstart.html">quickstart</a> section will show you how
143 to build each of them.</p>
145 <h4><a name="makeVPN">Using secure tunnels to create a VPN</a></h4>
147 <p>A VPN, or <strong>V</strong>irtual <strong>P</strong>rivate
148 <strong>N</strong>etwork lets two networks communicate securely when the only
149 connection between them is over a third network which they do not trust.</p>
151 <p>The method is to put a security gateway machine between each of the
152 communicating networks and the untrusted network. The gateway machines
153 encrypt packets entering the untrusted net and decrypt packets leaving it,
154 creating a secure tunnel through it.</p>
156 <p>If the cryptography is strong, the implementation is careful, and the
157 administration of the gateways is competent, then one can reasonably trust
158 the security of the tunnel. The two networks then behave like a single large
159 private network, some of whose links are encrypted tunnels through untrusted
162 <p>Actual VPNs are often more complex. One organisation may have fifty branch
163 offices, plus some suppliers and clients, with whom it needs to communicate
164 securely. Another might have 5,000 stores, or 50,000 point-of-sale devices.
165 The untrusted network need not be the Internet. All the same issues arise on
166 a corporate or institutional network whenever two departments want to
167 communicate privately with each other.</p>
169 <p>Administratively, the nice thing about many VPN setups is that large parts
170 of them are static. You know the IP addresses of most of the machines
171 involved. More important, you know they will not change on you. This
172 simplifies some of the admin work. For cases where the addresses do change,
173 see the next section.</p>
175 <h4><a name="road.intro">Road Warriors</a></h4>
177 <p>The prototypical "Road Warrior" is a traveller connecting to home base
178 from a laptop machine. Administratively, most of the same problems arise for
179 a telecommuter connecting from home to the office, especially if the
180 telecommuter does not have a static IP address.</p>
182 <p>For purposes of this document:</p>
184 <li>anyone with a dynamic IP address is a "Road Warrior".</li>
185 <li>any machine doing IPsec processing is a "gateway". Think of the
186 single-user road warrior machine as a gateway with a degenerate subnet
187 (one machine, itself) behind it.</li>
190 <p>These require somewhat different setup than VPN gateways with static
191 addresses and with client systems behind them, but are basically not
194 <p>There are some difficulties which appear for some road warrior
197 <li>Road Wariors who get their addresses via DHCP may have a problem.
198 FreeS/WAN can quite happily build and use a tunnel to such an address,
199 but when the DHCP lease expires, FreeS/WAN does not know that. The tunnel
200 fails, and the only recovery method is to tear it down and re-build
202 <li>If <a href="glossary.html#NAT.gloss">Network Address Translation</a>
203 (NAT) is applied between the two IPsec Gateways, this breaks IPsec. IPsec
204 authenticates packets on an end-to-end basis, to ensure they are not
205 altered en route. NAT rewrites packets as they go by. See our <a
206 href="firewall.html#NAT">firewalls</a> document for details.</li>
209 <p>In most situations, however, FreeS/WAN supports road warrior connections
212 <h4><a name="opp.intro">Opportunistic encryption</a></h4>
214 <p>One of the reasons we are working on FreeS/WAN is that it gives us the
215 opportunity to add what we call opportuntistic encryption. This means that
216 any two FreeS/WAN gateways will be able to encrypt their traffic, even if the
217 two gateway administrators have had no prior contact and neither system has
218 any preset information about the other.</p>
220 <p>Both systems pick up the authentication information they need from the <a
221 href="glossary.html#DNS">DNS</a> (domain name service), the service they
222 already use to look up IP addresses. Of course the administrators must put
223 that information in the DNS, and must set up their gateways with
224 opportunistic encryption enabled. Once that is done, everything is automatic.
225 The gateways look for opportunities to encrypt, and encrypt whatever they
226 can. Whether they also accept unencrypted communication is a policy decision
227 the administrator can make.</p>
229 <p>This technique can give two large payoffs:</p>
231 <li>It reduces the administrative overhead for IPsec enormously. You
232 configure your gateway and thereafter everything is automatic. The need
233 to configure the system on a per-tunnel basis disappears. Of course,
234 FreeS/WAN allows specifically configured tunnels to co-exist with
235 opportunistic encryption, but we hope to make them unnecessary in most
237 <li>It moves us toward a more secure Internet, allowing users to create an
238 environment where message privacy is the default. All messages can be
239 encrypted, provided the other end is willing to co-operate. See our <a
240 href="politics.html">history and politics of cryptography</a> section for
241 discussion of why we think this is needed.</li>
244 <p>Opportunistic encryption is not (yet?) a standard part of the IPsec
245 protocols, but an extension we are proposing and demonstrating. For details
246 of our design, see <a href="#applied">links</a> below.</p>
248 <p>Only one current product we know of implements a form of opportunistic
249 encryption. <a href="web.html#ssmail">Secure sendmail</a> will automatically
250 encrypt server-to-server mail transfers whenever possible.</p>
252 <h3><a name="types">The need to authenticate gateways</a></h3>
254 <p>A complication, which applies to any type of connection -- VPN, Road
255 Warrior or opportunistic -- is that a secure connection cannot be created
256 magically. <em>There must be some mechanism which enables the gateways to
257 reliably identify each other.</em> Without this, they cannot sensibly trust
258 each other and cannot create a genuinely secure link.</p>
260 <p>Any link they do create without some form of <a
261 href="glossary.html#authentication">authentication</a> will be vulnerable to
262 a <a href="glossary.html#middle">man-in-the-middle attack</a>. If <a
263 href="glossary.html#alicebob">Alice and Bob</a> are the people creating the
264 connection, a villian who can re-route or intercept the packets can pose as
265 Alice while talking to Bob and pose as Bob while talking to Alice. Alice and
266 Bob then both talk to the man in the middle, thinking they are talking to
267 each other, and the villain gets everything sent on the bogus "secure"
270 <p>There are two ways to build links securely, both of which exclude the
271 man-in-the middle:</p>
273 <li>with <strong>manual keying</strong>, Alice and Bob share a secret key
274 (which must be transmitted securely, perhaps in a note or via PGP or SSH)
275 to encrypt their messages. For FreeS/WAN, such keys are stored in the <a
276 href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a> file. Of course, if
277 an enemy gets the key, all is lost.</li>
278 <li>with <strong>automatic keying</strong>, the two systems authenticate
279 each other and negotiate their own secret keys. The keys are
280 automatically changed periodically.</li>
283 <p>Automatic keying is much more secure, since if an enemy gets one key only
284 messages between the previous re-keying and the next are exposed. It is
285 therefore the usual mode of operation for most IPsec deployment, and the mode
286 we use in our setup examples. FreeS/WAN does support manual keying for
287 special circumstanes. See this <a
288 href="adv_config.html#prodman">section</a>.</p>
290 <p>For automatic keying, the two systems must authenticate each other during
291 the negotiations. There is a choice of methods for this:</p>
293 <li>a <strong>shared secret</strong> provides authentication. If Alice and
294 Bob are the only ones who know a secret and Alice recives a message which
295 could not have been created without that secret, then Alice can safely
296 believe the message came from Bob.</li>
297 <li>a <a href="glossary.html#public">public key</a> can also provide
298 authentication. If Alice receives a message signed with Bob's private key
299 (which of course only he should know) and she has a trustworthy copy of
300 his public key (so that she can verify the signature), then she can
301 safely believe the message came from Bob.</li>
304 <p>Public key techniques are much preferable, for reasons discussed <a
305 href="config.html#choose">later</a>, and will be used in all our setup
306 examples. FreeS/WAN does also support auto-keying with shared secret
307 authentication. See this <a
308 href="adv_config.html#prodsecrets">section</a>.</p>
310 <h2><a name="project">The FreeS/WAN project</a></h2>
312 <p>For complete information on the project, see our web site, <a
313 href="http://liberty.freeswan.org">freeswan.org</a>.</p>
315 <p>In summary, we are implementing the <a
316 href="glossary.html#IPsec">IPsec</a> protocols for Linux and extending them
317 to do <a href="glossary.html#carpediem">opportunistic encryption</a>.</p>
319 <h3><a name="goals">Project goals</a></h3>
321 <p>Our overall goal in FreeS/WAN is to make the Internet more secure and more
324 <p>Our IPsec implementation supports VPNs and Road Warriors of course. Those
325 are important applications. Many users will want FreeS/WAN to build corporate
326 VPNs or to provide secure remote access.</p>
328 <p>However, our goals in building it go beyond that. We are trying to help
329 <strong>build security into the fabric of the Internet</strong> so that
330 anyone who choses to communicate securely can do so, as easily as they can do
331 anything else on the net.</p>
333 <p>More detailed objectives are:</p>
335 <li>extend IPsec to do <a href="glossary.html#carpediem">opportunistic
336 encryption</a> so that
338 <li>any two systems can secure their communications without a
339 pre-arranged connection</li>
340 <li><strong>secure connections can be the default</strong>, falling
341 back to unencrypted connections only if:
343 <li><em>both</em> the partner is not set up to co-operate on
344 securing the connection</li>
345 <li><em>and</em> your policy allows insecure connections</li>
348 <li>a significant fraction of all Internet traffic is encrypted</li>
349 <li>wholesale monitoring of the net (<a
350 href="politics.html#intro.poli">examples</a>) becomes difficult or
354 <li>help make IPsec widespread by providing an implementation with no
357 <li>freely available in source code under the <a
358 href="glossary.html#GPL">GNU General Public License</a></li>
359 <li>running on a range of readily available hardware</li>
360 <li>not subject to US or other nations' <a
361 href="politics.html#exlaw">export restrictions</a>.<br>
362 Note that in order to avoid <em>even the appearance</em> of being
363 subject to those laws, the project cannot accept software
364 contributions -- <em>not even one-line bug fixes</em> -- from US
365 residents or citizens.</li>
368 <li>provide a high-quality IPsec implementation for Linux
370 <li>portable to all CPUs Linux supports: <a
371 href="compat.html#CPUs">(current list)</a></li>
372 <li>interoperable with other IPsec implementations: <a
373 href="interop.html">(current list)</a></li>
378 <p>If we can get opportunistic encryption implemented and widely deployed,
379 then it becomes impossible for even huge well-funded agencies to monitor the
382 <p>See also our section on <a href="politics.html">history and politics</a>
383 of cryptography, which includes our project leader's <a
384 href="politics.html#gilmore">rationale</a> for starting the project.</p>
386 <h3><a name="staff">Project team</a></h3>
388 <p>Two of the team are from the US and can therefore contribute no code:</p>
390 <li>John Gilmore: founder and policy-maker (<a
391 href="http://www.toad.com/gnu/">home page</a>)</li>
392 <li>Hugh Daniel: project manager, Most Demented Tester, and occasionally
393 Pointy-Haired Boss</li>
396 <p>The rest of the team are Canadians, working in Canada. (<a
397 href="politics.html#status">Why Canada?</a>)</p>
399 <li>Henry Spencer: technical lead, script programming</li>
400 <li>Hugh Redelmeier: <a href="glossary.html#Pluto">Pluto daemon</a>
402 <li>Richard Guy Briggs: <a href="glossary.html#KLIPS">KLIPS</a>
404 <li>Michael Richardson: hacker without portfolio</li>
405 <li>Claudia Schmeing: technical support via the <a href="mail.html">mailing
407 <li>Sandy Harris: documentation</li>
410 <p>The project is funded by civil libertarians who consider our goals
411 worthwhile. Most of the team are paid for this work.</p>
413 <p>People outside this core team have made substantial contributions. See</p>
415 <li>our <a href="../CREDITS">CREDITS</a> file</li>
416 <li>the <a href="web.html#patch">patches and add-ons</a> section of our web
418 <li>lists below of user-written <a href="#howto">HowTos</a> and <a
419 href="#applied">other papers</a></li>
422 <p>Additional contributions are welcome. See the <a
423 href="faq.html#contrib.faq">FAQ</a> for details.</p>
425 <h2><a name="products">Products containing FreeS/WAN</a></h2>
427 <p>Unfortunately the <a href="politics.html#exlaw">export laws</a> of some
428 countries restrict the distribution of strong cryptography. FreeS/WAN is
429 therefore not in the standard Linux kernel and not in all CD or web
432 <p>FreeS/WAN is, however, quite widely used. Products we know of that use it
433 are listed below. We would appreciate hearing, via the <a
434 href="mail.html">mailing lists</a>, of any we don't know of.</p>
436 <h3><a name="distwith">Full Linux distributions</a></h3>
438 <p>FreeS/WAN is included in various general-purpose Linux distributions,
439 mostly from countries (shown in brackets) with more sensible laws:</p>
441 <li><a href="http://www.suse.com/">SuSE Linux</a> (Germany)</li>
442 <li><a href="http://www.conectiva.com">Conectiva</a> (Brazil)</li>
443 <li><a href="http://www.linux-mandrake.com/en/">Mandrake</a> (France)</li>
444 <li>Version 3.0 of <a href="http://www.debian.org">Debian</a> will include
445 FreeS/WAN. "unstable" and "test" versions already have it</li>
446 <li>the <a href="http://www.pld.org.pl/">Polish(ed) Linux Distribution</a>
448 <li><a>Best Linux</a> (Finland)</li>
451 <p>For distributions which do not include FreeS/WAN and are not Redhat (which
452 we develop and test on), there is additional information in our <a
453 href="compat.html#otherdist">compatibility</a> section.</p>
455 <p>The server edition of <a href="http://www.corel.com">Corel</a> Linux
456 (Canada) also had FreeS/WAN, but Corel have dropped that product line.</p>
458 <h3><a name="office_dist">Office server distributions</a></h3>
460 <p>FreeS/WAN is also included in several distributions aimed at the market
461 for turnkey business servers:</p>
463 <li><a href="http://www.e-smith.com/">e-Smith</a> (Canada), which has
464 recently been acquired and become the Network Server Solutions group of
465 <a href="http://www.mitel.com/">Mitel Networks</a> (Canada)</li>
466 <li><a href="http://www.trustix.net/">Trustix Secure Linux</a> (Norway)</li>
467 <li><a href="http://www.axonlinux.org/">aXon</a>, based on e-Smith
471 <h3><a name="fw_dist">Firewall distributions</a></h3>
473 <p>Several distributions intended for firewall and router applications
474 include FreeS/WAN:</p>
476 <li>The <a href="http://www.linuxrouter.org/">Linux Router Project</a>
477 produces a Linux distribution that will boot from a single floppy. The <a
478 href="http://leaf.sourceforge.net">LEAF</a> firewall project provides
479 several different LRP-based firewall packages. At least one of them,
480 Charles Steinkuehler's Dachstein, includes FreeS/WAN with X.509
482 <li>there are several distributions bootable directly from CD-ROM, usable
483 on a machine without hard disk.
485 <li>Dachstein (see above) can be used this way</li>
486 <li><a href="http://www.gibraltar.at/">Gibraltar</a> is based on Debian
488 <li>at time of writing, <a href="www.xiloo.com">Xiloo</a> is available
489 only in Chinese. An English version is expected.</li>
492 <li><a href="http://www.astaro.com/products/index.html">Astaro Security
493 Linux</a> includes FreeS/WAN. It has some web-based tools for managing
494 the firewall that include FreeS/WAN configuration management.</li>
495 <li><a href="http://www.linuxwall.de">Linuxwall</a></li>
496 <li><a href="http://www.smoothwall.org/">Smoothwall</a></li>
497 <li><a href="http://www.devil-linux.org/">Devil Linux</a></li>
498 <li>Coyote Linux has a <a
499 href="http://embedded.coyotelinux.com/wolverine/index.php">Wolverine</a>
500 firewall/VPN server</li>
503 <p>There are also several sets of scripts available for managing a firewall
504 which is also acting as a FreeS/WAN IPsec gateway. See this <a
505 href="firewall.html#rules.pub">list</a>.</p>
507 <h3><a name="turnkey">Firewall and VPN products</a></h3>
509 <p>Several vendors use FreeS/WAN as the IPsec component of a turnkey firewall
512 <p>Software-only products:</p>
514 <li><a href="http://www.linuxmagic.com/vpn/index.html">Linux Magic</a>
515 offer a VPN/Firewall product using FreeS/WAN</li>
516 <li>The Software Group's <a
517 href="http://www.wanware.com/sentinet/">Sentinet</a> product uses
519 <li><a href="http://www.merilus.com">Merilus</a> use FreeS/WAN in their
520 Gateway Guardian firewall product</li>
523 <p>Products that include the hardware:</p>
525 <li>The <a href="http://www.lasat.com">LASAT SafePipe[tm]</a> series. is an
526 IPsec box based on an embedded MIPS running Linux with FreeS/WAN and a
527 web-config front end. This company also host our freeswan.org web
530 href="http://www.merilus.com/products/fc/index.shtml">Firecard</a> is a
531 Linux firewall on a PCI card.</li>
532 <li><a href="http://www.kyzo.com/">Kyzo</a> have a "pizza box" product line
533 with various types of server, all running from flash. One of them is an
534 IPsec/PPTP VPN server</li>
535 <li><a href="http://www.pfn.com">PFN</a> use FreeS/WAN in some of their
539 <p><a href="www.rebel.com">Rebel.com</a>, makers of the Netwinder Linux
540 machines (ARM or Crusoe based), had a product that used FreeS/WAN. The
541 company is in receivership so the future of the Netwinder is at best unclear.
542 <a href="web.html#patch">PKIX patches</a> for FreeS/WAN developed at Rebel
543 are listed in our web links document.</p>
545 <h3><a name="rpm.sets">RPM sets</a></h3>
547 <p>For some distributions which do not include FreeS/WAN, it may be possible
548 to install using RPM (Redhat Package Manager), rather than going through <a
549 href="install.html">our more complex procedure</a>.</p>
551 <p>Some caution is required on this. The RPMs are specific to a Linux
552 distribution and an attempt to use them on another distribution is likely to
555 <p>RPMs for FreeS/WAN 1.91 and Red Hat 7.1 or 7.2 are available for download
556 from <a href="http://rpms.steamballoon.com/freeswan/">Steamballoon</a>. Check
557 there for later versions.</p>
559 <p>As of version 1.93, the FreeS/WAN distribution incorporates some of the
560 Steamballoon work, providing a facility for building your own RPMs. Details
561 are in our <a href="install.html#build.rpm">installation</a> document.</p>
563 <h2><a name="docs">Information sources</a></h2>
565 <h3><a name="docformats">This HowTo, in multiple formats</a></h3>
567 <p>FreeS/WAN documentation up to version 1.5 was available only in HTML. Now
568 we ship two formats:</p>
570 <li>as HTML, one file for each doc section plus a global <a
571 href="toc.html">Table of Contents</a></li>
572 <li><a href="HowTo.html">one big HTML file</a> for easy searching</li>
575 <p>and provide a Makefile to generate other formats if required:</p>
577 <li><a href="HowTo.pdf">PDF</a></li>
578 <li><a href="HowTo.ps">Postscript</a></li>
579 <li><a href="HowTo.txt">ASCII text</a></li>
582 <p>The Makefile assumes the htmldoc tool is available. You can download it
583 from <a href="http://www.easysw.com">Easy Software</a>.</p>
585 <p>All formats should be available at the following websites:</p>
587 <li><a href="http://www.freeswan.org/doc.html">FreeS/WAN project</a></li>
588 <li><a href="http://www.linuxdoc.org">Linux Documentation Project</a></li>
591 <p>The distribution tarball has only the two HTML formats.</p>
593 <p><strong>Note:</strong> If you need the latest doc version, for example to
594 see if anyone has managed to set up interoperation between FreeS/WAN and
595 whatever, then you should download the current snapshot. What is on the web
596 is documentation as of the last release. Snapshots have all changes I've
597 checked in to date.</p>
599 <h3><a name="rtfm">RTFM (please Read The Fine Manuals)</a></h3>
601 <p>As with most things on any Unix-like system, most parts of Linux FreeS/WAN
602 are documented in online manual pages. We provide a list of <a
603 href="/mnt/floppy/manpages.html">FreeS/WAN man pages</a>, with links to HTML
604 versions of them.</p>
606 <p>The man pages describing configuration files are:</p>
608 <li><a href="/mnt/floppy/manpage.d/ipsec.conf.5.html">ipsec.conf(5)</a></li>
610 href="/mnt/floppy/manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</a></li>
613 <p>Man pages for common commands include:</p>
615 <li><a href="/mnt/floppy/manpage.d/ipsec.8.html">ipsec(8)</a></li>
617 href="/mnt/floppy/manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</a></li>
619 href="/mnt/floppy/manpage.d/ipsec_newhostkey.8.html">ipsec_newhostkey(8)</a></li>
620 <li><a href="/mnt/floppy/manpage.d/ipsec_auto.8.html">ipsec_auto(8)</a></li>
623 <p>You can read these either in HTML using the links above or with the
624 <var>man(1)</var> command.</p>
626 <p>In the event of disagreement between this HTML documentation and the man
627 pages, the man pages are more likely correct since they are written by the
628 implementers. Please report any such inconsistency on the <a
629 href="mail.html">mailing list</a>.</p>
631 <h3><a name="text">Other documents in the distribution</a></h3>
633 <p>Text files in the main distribution directory are README, INSTALL,
634 CREDITS, CHANGES, BUGS and COPYING.</p>
636 <p>The Libdes encryption library we use has its own documentation. You can
637 find it in the library directory..</p>
639 <h3><a name="assumptions">Background material</a></h3>
641 <p>Throughout this documentation, I write as if the reader had at least a
642 general familiarity with Linux, with Internet Protocol networking, and with
643 the basic ideas of system and network security. Of course that will certainly
644 not be true for all readers, and quite likely not even for a majority.</p>
646 <p>However, I must limit amount of detail on these topics in the main text.
647 For one thing, I don't understand all the details of those topics myself.
648 Even if I did, trying to explain everything here would produce extremely long
649 and almost completely unreadable documentation.</p>
651 <p>If one or more of those areas is unknown territory for you, there are
652 plenty of other resources you could look at:</p>
655 <dd>the <a href="http://www.linuxdoc.org">Linux Documentation Project</a>
656 or a local <a href="http://www.linux.org/groups/">Linux User Group</a>
657 and these <a href="web.html#linux.link">links</a></dd>
659 <dd>Rusty Russell's <a
660 href="http://netfilter.samba.org/unreliable-guides/networking-concepts-HOWTO/index.html">Networking
661 Concepts HowTo</a> and these <a
662 href="web.html#IP.background">links</a></dd>
664 <dd>Schneier's book <a href="biblio.html#secrets">Secrets and Lies</a>
665 and these <a href="web.html#crypto.link">links</a></dd>
668 <p>Also, I do make an effort to provide some background material in these
669 documents. All the basic ideas behind IPsec and FreeS/WAN are explained here.
670 Explanations that do not fit in the main text, or that not everyone will
671 need, are often in the <a href="glossary.html">glossary</a>, which is the
672 largest single file in this document set. There is also a <a
673 href="background.html">background</a> file containing various explanations
674 too long to fit in glossary definitions. All files are heavily sprinkled with
675 links to each other and to the glossary. <strong>If some passage makes no
676 sense to you, try the links</strong>.</p>
678 <p>For other reference material, see the <a
679 href="biblio.html">bibliography</a> and our collection of <a
680 href="web.html">web links</a>.</p>
682 <p>Of course, no doubt I get this (and other things) wrong sometimes.
683 Feedback via the <a href="mail.html">mailing lists</a> is welcome.</p>
685 <h3><a name="archives">Archives of the project mailing list</a></h3>
687 <p>Until quite recently, there was only one FreeS/WAN mailing list, and
688 archives of it were:</p>
690 <li><a href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</a></li>
691 <li><a href="http://www.nexial.com">Holland</a></li>
693 The two archives use completely different search engines. You might want to
696 <p>More recently we have expanded to five lists, each with its own
699 <p><a href="mail.html">More information</a> on mailing lists.</p>
701 <h3><a name="howto">User-written HowTo information</a></h3>
703 <p>Various user-written HowTo documents are available. The ones covering
704 FreeS/WAN-to-FreeS/WAN connections are:</p>
706 <li>Jean-Francois Nadeau's <a href="http://jixen.tripod.com/">practical
707 configurations</a> document</li>
708 <li>Jens Zerbst's HowTo on <a href="http://dynipsec.tripod.com/">Using
709 FreeS/WAN with dynamic IP addresses</a>.</li>
710 <li>an entry in Kurt Seifried's <a
711 href="http://www.securityportal.com/lskb/kben00000013.html">Linux
712 Security Knowledge Base</a>.</li>
713 <li>a section of David Ranch's <a
714 href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">Trinity
716 <li>a section in David Bander's book <a href="biblio.html#bander">Linux
717 Security Toolkit</a></li>
720 <p>User-wriiten HowTo material may be <strong>especially helpful if you need
721 to interoperate with another IPsec implementation</strong>. We have neither
722 the equipment nor the manpower to test such configurations. Users seem to be
723 doing an admirable job of filling the gaps.</p>
725 <li>list of user-written <a href="interop.html#otherpub">interoperation
726 HowTos</a> in our interop document</li>
729 <p>Check what version of FreeS/WAN user-written documents cover. The software
730 is under active development and the current version may be significantly
731 different from what an older document describes.</p>
733 <h3><a name="applied">Papers on FreeS/WAN</a></h3>
735 <p>Two design documents show team thinking on new developments:</p>
737 <li><a href="opportunism.spec">Opportunistic Encryption</a> by technical
738 lead Henry Spencer and Pluto programmer Hugh Redelemeier</li>
740 href="http://www.sandelman.ottawa.on.ca/SSW/freeswan/klips2req/">KLIPS
744 <p>Both documents are works in progress and are frequently revised. For the
745 latest version, see the <a href="mail.html">design mailing list</a>. Comments
746 should go to that list.</p>
748 <p>There is now an <a
749 href="http://www.ietf.org/internet-drafts/draft-richardson-ipsec-opportunistic-06.txt">Internet
750 Draft on Opportunistic Encryption</a> by Michael Richardson, Hugh Redelmeier
751 and Henry Spencer. This is a first step toward getting the protocol
752 standardised so there can be multiple implementations of it. Discussion of it
753 takes place on the <a
754 href="http://www.ietf.org/html.charters/ipsec-charter.html">IETF IPsec
755 Working Group</a> mailing list.</p>
757 <p>A number of papers giving further background on FreeS/WAN, or exploring
758 its future or its applications, are also available:</p>
760 <li>Both Henry and Richard gave talks on FreeS/WAN at the 2000 <a
761 href="http://www.linuxsymposium.org">Ottawa Linux Symposium</a>.
764 href="http://www.conscoop.ottawa.on.ca/rgb/freeswan/ols2k/">slides</a></li>
765 <li>Henry's paper</li>
766 <li>MP3 audio of their talks is available from the <a
767 href="http://www.linuxsymposium.org/">conference page</a></li>
770 <li><cite>Moat: A Virtual Private Network Appliances and Services
771 Platform</cite> is a paper about large-scale (a few 100 links) use of
772 FreeS/WAN in a production application at AT&T Research. It is
773 available in Postscript or PDF from co-author Steve Bellovin's <a
774 href="http://www.research.att.com/~smb/papers/index.html">papers list
776 <li>One of the Moat co-authors, John Denker, has also written
779 href="http://www.quintillion.com/fdis/moat/ipsec+routing/">proposal</a>
780 for how future versions of FreeS/WAN might interact with routing
783 href="http://www.quintillion.com/fdis/moat/wishlist.html">wishlist</a>
784 of possible new features</li>
787 <li>Bart Trojanowski's web page has a draft design for <a
788 href="http://www.jukie.net/~bart/linux-ipsec/">hardware acceleration</a>
792 <p>Several of these provoked interesting discussions on the mailing lists,
793 worth searching for in the <a href="mail.html#archive">archives</a>.</p>
795 <p>There are also several papers in languages other than English, see our <a
796 href="web.html#otherlang">web links</a>.</p>
798 <h3><a name="licensing">License and copyright information</a></h3>
800 <p>All code and documentation written for this project is distributed under
801 either the GNU General Public License (<a href="glossary.html#GPL">GPL</a>)
802 or the GNU Library General Public License. For details see the COPYING file
803 in the distribution.</p>
805 <p>Not all code in the distribution is ours, however. See the CREDITS file
806 for details. In particular, note that the <a
807 href="glossary.html#LIBDES">Libdes</a> library and the version of <a
808 href="glossary.html#MD5">MD5</a> that we use each have their own license.</p>
810 <h2><a name="sites">Distribution sites</a></h2>
812 <p>FreeS/WAN is available from a number of sites.</p>
814 <h3>Primary site</h3>
816 <p>Our primary site, is at xs4all (Thanks, folks!) in Holland:</p>
818 <li><a href="http://www.xs4all.nl/~freeswan">HTTP</a></li>
819 <li><a href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">FTP</a></li>
822 <h3><a name="mirrors">Mirrors</a></h3>
824 <p>There are also mirror sites all over the world:</p>
826 <li><a href="http://www.flora.org/freeswan">Eastern Canada</a> (limited
828 <li><a href="ftp://ludwig.doculink.com/pub/freeswan/">Eastern Canada</a>
829 (has older versions too)</li>
830 <li><a href="ftp://ntsc.notBSD.org/pub/crypto/freeswan/">Eastern Canada</a>
831 (has older versions too)</li>
832 <li><a href="ftp://ftp.kame.net/pub/freeswan/">Japan</a></li>
833 <li><a href="ftp://ftp.futuredynamics.com/freecrypto/FreeSWAN/">Hong
835 <li><a href="ftp://ipsec.dk/pub/freeswan/">Denmark</a></li>
836 <li><a href="ftp://ftp.net.lut.ac.uk/freeswan">the UK</a></li>
837 <li><a href="http://storm.alert.sk/comp/mirrors/freeswan/">Slovak
840 href="http://the.wiretapped.net/security/vpn-tunnelling/freeswan/">Australia</a></li>
841 <li><a href="http://freeswan.technolust.cx/">technolust</a></li>
842 <li><a href="http://freeswan.devguide.de/">Germany</a></li>
843 <li>Ivan Moore's <a href="http://snowcrash.tdyc.com/freeswan/">site</a></li>
844 <li>the <a href="http://www.cryptoarchive.net/">Crypto Archive</a> on the
845 <a href="http://www.securityportal.com/">Security Portal</a> site</li>
846 <li><a href="http://www.wiretapped.net/">Wiretapped.net</a> in
850 <p>Thanks to those folks as well.</p>
852 <h3><a name="munitions">The "munitions" archive of Linux crypto
855 <p>There is also an archive of Linux crypto software called "munitions", with
856 its own mirrors in a number of countries. It includes FreeS/WAN, though not
857 always the latest version. Some of its sites are:</p>
859 <li><a href="http://munitions.vipul.net/">Germany</a></li>
860 <li><a href="http://munitions.iglu.cjb.net/">Italy</a></li>
861 <li><a href="http://munitions2.xs4all.nl/">Netherlands</a></li>
864 <p>Any of those will have a list of other "munitions" mirrors. There is also
867 <h2>Links to other sections</h2>
869 <p>For more detailed background information, see:</p>
871 <li><a href="politics.html">history and politics</a> of cryptography</li>
872 <li><a href="ipsec.html">IPsec protocols</a></li>
875 <p>To begin working with FreeS/WAN, go to our <a
876 href="quickstart.html">quickstart</a> guide.</p>