There are several IPsec implementations available for Linux:
- FreeS/WAN: this was the first IPsec implementation available for Linux. However, FreeS/WAN is no longer in active development. It forked into Openswan and strongSwan.
- Openswan is maintained by former FreeS/WAN team members, who have started their own company.
- strongSwan is also a continuation of FreeS/WAN. StrongSwan's principal author is Andreas Steffen, the creator of the X.509 certificate patch for FreeS/WAN. Not surprisingly, its main focus is on good certificate and smartcard support. StrongSwan is commercially sponsored.
- Kernel 2.6+ contains a native IPsec implementation, which is known as "NETKEY", "26sec" or "PF_KEY". This means that recent distributions ship with IPsec support out of the box.
- ipsec-tools is a Linux port of the KAME IPsec userland and is used by default on many distributions. Its IKE daemon is called racoon.
- isakmpd: there is a Linux port of OpenBSD's ISAKMP daemon, isakmpd.
A Linux IPsec implementation typically consists of a kernel part and corresponding userland utilities. The kernel part of FreeS/WAN, Openswan and strongSwan is called KLIPS. The userland IKE daemon is called 'pluto'. Vanilla kernels (2.4 and older) do not ship with KLIPS by default: you will have to apply a KLIPS kernel patch or install loadable kernel modules for KLIPS. As mentioned above, kernels 2.6 and higher ship with a native IPsec implementation called NETKEY. Recent versions of FreeS/WAN and its derivatives support not only KLIPS but also NETKEY. To make things even more complex, there is also a NETKEY backport for kernel 2.4, and work is in progress to port KLIPS to kernel 2.6.
This means that you have the following userland vs. kernel options on the Linux side:
| | Kernel 2.0 KLIPS | Kernel 2.2 KLIPS | Kernel 2.4 KLIPS | Kernel 2.4 NETKEY backport 1) 2) | Kernel 2.6 KLIPS | Kernel 2.6 NETKEY 1) |
|---|---|---|---|---|---|---|
| FreeS/WAN 1.x | X | X | X | | | |
| FreeS/WAN 2.x | | | X | X | X | X |
| Openswan 1.x | X | X | X | | | |
| Openswan 2.x | | | X | X | X 4) | X |
| strongSwan 2.x | | | X | | | X |
| ipsec-tools utilities 3) | | | | X | | X |
| isakmpd Linux port | | | | X? | | X? |
1) Linux 2.6+ contains NETKEY, a native IPsec implementation.
2) NETKEY has also been backported to kernel 2.4. This port is not included with the vanilla Linux kernel, but some Linux distributions (Debian in particular) include the backport in their kernels.
3) The ipsec-tools utilities (including the IKE daemon 'racoon') are a Linux port of the KAME IPsec userland. Ipsec-tools is included in most distributions.
4) There are issues with the heavily modified kernels of some distributions such as RHEL 3.
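Before choosing a userland from the table above, it helps to know which kernel stack the running system actually exposes, since KLIPS and NETKEY register different /proc entries and a host can have both compiled in. The following script is an added example written for this page; it is not code from FreeS/WAN, Openswan, strongSwan or ipsec-tools. It assumes that KLIPS registers /proc/net/ipsec_version and /proc/net/ipsec_eroute, and that NETKEY registers /proc/net/pfkey once the af_key module is loaded and /proc/net/xfrm_stat on later 2.6 kernels; the proc root is a parameter so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the page or any project it describes): report which
# IPsec kernel stack a Linux host exposes by looking for the /proc entries each
# stack registers. The first argument overrides the proc root (default /proc)
# so the logic can be run offline against a constructed tree.
#
# Assumed markers:
#   KLIPS  -> /proc/net/ipsec_version, /proc/net/ipsec_eroute
#   NETKEY -> /proc/net/pfkey (af_key loaded), /proc/net/xfrm_stat (newer 2.6)

# Print one of: klips, netkey, both, none.
detect_ipsec_stack() {
    root="${1:-/proc}"
    klips=no
    netkey=no
    if [ -e "$root/net/ipsec_version" ] || [ -e "$root/net/ipsec_eroute" ]; then
        klips=yes
    fi
    if [ -e "$root/net/pfkey" ] || [ -e "$root/net/xfrm_stat" ]; then
        netkey=yes
    fi
    case "$klips/$netkey" in
        yes/yes) echo both ;;
        yes/no)  echo klips ;;
        no/yes)  echo netkey ;;
        *)       echo none ;;
    esac
    return 0
}

# Print the KLIPS version string when the stack is present, "unknown" when the
# marker exists but is empty, and an empty line when KLIPS is absent.
klips_version() {
    root="${1:-/proc}"
    if [ -r "$root/net/ipsec_version" ]; then
        v=$(cat "$root/net/ipsec_version" 2>/dev/null)
        [ -n "$v" ] && echo "$v" || echo unknown
    else
        echo ""
    fi
    return 0
}

# Human-readable summary for the operator; the functions above do the work so
# that their results can be checked from a script.
ipsec_stack_report() {
    root="${1:-/proc}"
    stack=$(detect_ipsec_stack "$root")
    echo "IPsec kernel stack: $stack"
    case "$stack" in
        klips|both) echo "KLIPS version: $(klips_version "$root")" ;;
    esac
    if [ "$stack" = both ]; then
        # Openswan 2.x can drive either stack; having both loaded means the
        # userland's stack selection decides which one carries traffic.
        echo "note: both stacks present, check which one your userland is configured for"
    fi
    return 0
}

ipsec_stack_report "$@"
```

On a NETKEY system the security associations live in the xfrm framework and are listed with `ip xfrm state` from iproute2; on a KLIPS system they are read from `/proc/net/ipsec_eroute` and `/proc/net/ipsec_spi` instead, which is why a single "is IPsec up?" check has to branch on the detected stack.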