Why KAME/racoon sucks (was: OpenSWAN ANNOUCEMENT)
Dax Kelson
dax at gurulabs.com
Sun Jan 4 02:58:03 UTC 2004
On Sat, 2004-01-03 at 12:14, Lamar Owen wrote:
> v2.10? They just released 1.0.0, with 2.0.0 in development. Why do we need
> this when the KAME stuff is working and works with 2.6? KAME being what RHEL
> is using, why would OpenSWAN be needed in Core (maybe in Alternatives, since
> it _is_ and alternative IPsec implementation). If you need DPD and NAT-T, I
> guess you would want this. For straight IPsec, or PPP over L2TP over IPsec
> w/X.509, KAME plus the RHEL 2.4 kernel or the 2.6 kernel seems to get the job
> done.
>
> Just curious as to the reason why; I looked at Super FreeS/WAN before getting
> White Box loaded here (which has the same patches and ipsec-tools as RHEL3).
> The KAME config is vastly different than the SFSWAN config. So, tell me why
> I should completely redo everything: if it has a Can't-Live-Without feature,
> then, tell us.
Sure, I tell you yet again...(already posted to this list on Dec 8th):
As a user and an administrator of variety of production systems IKE
daemons ranging from KAME/racoon, isakmpd, Solaris 8/9 IKE, FreeSWAN,
and SuperFreeSWAN, I can comment that I've found all but SuperFreeSWAN
sorely lacking.
Note that Openswan is the successor to Super FreeSWAN.
The critical features an IKE daemon are:
a) Ability to be configured as VPN concentrator supporting both road
warriors and remote LANs all at the same time.
b) X.509 certificate support
c) Virtual-IP support for persistent inner IP address in ESP packets.
This allows no-headache IPsec through non-brain dead NATing
routers/firewalls without resorting to the following.
d) NAT-T (ala ESP-over-UDP) for IPsec through brain dead NATing
routers/firewalls.
The other nice features are:
e) AES support
f) Notify/Delete SA (for Cisco interop)
g) XAUTH support (authenticate VPN users/tunnels via PAM)
h) DHCP over IPSec
i) Transport mode
All these features are supported by SuperFreeSWAN/Openswan and racoon
and isakmpd only support b, i and maybe "e".
IPsec deployment covers two areas
1) Secure LAN-to-LAN communication
2) Secure road warrior to HQ communication
I would say IPsec deployment for "2" clearly, clearly outweighs "1".
Basically, supporting road warriors is impossible with racoon or isakmp.
Dax Kelson
Guru Labs
More information about the fedora-devel-list
mailing list