Category: System Operations and Maintenance

2010-05-21 10:38:49

There are several IPsec implementations available for Linux:
  • FreeS/WAN: this was the first IPsec implementation available for Linux. However, FreeS/WAN is no longer in active development. It forked into Openswan and strongSwan.
  • Openswan is maintained by former FreeS/WAN team members who have started the company .
  • strongSwan is also a continuation of FreeS/WAN. StrongSwan's principal author is Andreas Steffen, the creator of the X.509 certificate patch for FreeS/WAN. Not surprisingly, its main focus is on good certificate and smartcard support. StrongSwan is sponsored by .
  • Kernel 2.6+ contains a native IPsec implementation, which is known as "NETKEY", "26sec" or "PF_KEY". This means that recent distributions ship with IPsec support out of the box.
  • ipsec-tools is based on and used by default on many distributions. Its IKE daemon is called racoon.
  • isakmpd: there is a Linux port of 's ISAKMP daemon.
A Linux IPsec implementation typically consists of a kernel part and corresponding userland utilities. The kernel part of FreeS/WAN, Openswan and strongSwan is called KLIPS. The userland IKE daemon is called 'pluto'. Vanilla kernels (2.4 and older) do not ship with KLIPS by default. You will have to apply a KLIPS kernel patch or install loadable kernel modules for KLIPS. As mentioned above, kernels 2.6 and higher ship with a native IPsec implementation called NETKEY. Recent versions of FreeS/WAN and its forks support not only KLIPS but also NETKEY. To make things even more complex, there is also a NETKEY backport for kernel 2.4 and work is in progress to port KLIPS to kernel 2.6. This means that you have the following userland vs. kernel options on the Linux side:


Kernel 2.0 KLIPS
Kernel 2.2 KLIPS
Kernel 2.4 KLIPS
Kernel 2.4 NETKEY backport 1) 2)
Kernel 2.6 KLIPS Kernel 2.6 NETKEY 1)
FreeS/WAN 1.x
X
X
X



FreeS/WAN 2.x

X
X
X
X
Openswan 1.x X
X
X



Openswan 2.x

X
X
X4)
X
strongSwan 2.x


X


X
ipsec-tools utilities 3)



X

X
isakmpd Linux port



X?

X?

1) Linux 2.6+ contains NETKEY, a native IPsec implementation.
2) NETKEY has also been backported to kernel 2.4. This port is not included with the vanilla Linus kernel but some Linux distributions (Debian in particular) include the backport in their kernels.
3) The ipsec-tools utilities (including the IKE daemon 'racoon') are a Linux port of . Ipsec-tools is included in most distributions.
4) There are issues with the heavily modified kernels of some distributions such as RHEL 3.
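
Because the kernel part and the IKE daemon are chosen independently, it is worth confirming which pair a host is really running. The script below is an added example, not part of the original page: it reports the kernel stack, lists the IKE daemons named above, and checks the pair against the table. The /proc paths, the proc-root argument and the process list on stdin are assumptions that do not come from the page.

```shell
#!/bin/sh
# Added example: identify the kernel IPsec stack and the IKE daemon in use.
# The proc-root argument and the stdin process list are assumptions that let
# the functions be exercised offline against a constructed directory tree.

# Print KLIPS, NETKEY or none. A loaded KLIPS module exposes
# /proc/net/ipsec_eroute; the native stack exposes /proc/net/pfkey (af_key).
# KLIPS is tested first so a host with both loaded is reported as KLIPS.
detect_ipsec_stack() {
    proc_root="${1:-/proc}"
    if [ -e "$proc_root/net/ipsec_eroute" ]; then
        echo KLIPS
    elif [ -e "$proc_root/net/pfkey" ]; then
        echo NETKEY
    else
        echo none
    fi
}

# Read process names, one per line (e.g. from `ps -e -o comm=`), and print
# each running IKE daemon named on this page once, space-separated.
detect_ike_daemons() {
    found=""
    while IFS= read -r name; do
        daemon="${name##*/}"            # strip any leading path
        case "$daemon" in
            pluto|racoon|isakmpd)
                case " $found " in
                    *" $daemon "*) ;;   # already recorded
                    *) found="${found:+$found }$daemon" ;;
                esac ;;
        esac
    done
    echo "$found"
}

# Compare a stack/daemon pair with the table: pluto pairs with KLIPS or
# NETKEY (version-dependent), racoon and isakmpd appear only under NETKEY.
check_pairing() {
    case "$2:$1" in
        pluto:KLIPS|pluto:NETKEY|racoon:NETKEY|isakmpd:NETKEY) echo ok ;;
        *) echo mismatch ;;
    esac
}
```

On a live host, call `detect_ipsec_stack` with no argument and pipe `ps -e -o comm=` into `detect_ike_daemons`, then pass both results to `check_pairing` as stack and daemon.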