strongswan/doc/intro.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
<STYLE TYPE="text/css"><!--
BODY { font-family: serif }
H1 { font-family: sans-serif }
H2 { font-family: sans-serif }
H3 { font-family: sans-serif }
H4 { font-family: sans-serif }
H5 { font-family: sans-serif }
H6 { font-family: sans-serif }
SUB { font-size: smaller }
SUP { font-size: smaller }
PRE { font-family: monospace }
--></STYLE>
</HEAD>
<BODY>
<A HREF="toc.html">Contents</A>
<A HREF="upgrading.html">Next</A>
<HR>
<H1><A name="intro">Introduction</A></H1>
<P>This section gives an overview of:</P>
<UL>
<LI>what IP Security (IPsec) does</LI>
<LI>how IPsec works</LI>
<LI>why we are implementing it for Linux</LI>
<LI>how this implementation works</LI>
</UL>
<P>This section is intended to cover only the essentials,<EM> things you
 should know before trying to use FreeS/WAN.</EM></P>
<P>For more detailed background information, see the<A href="politics.html#politics">
 history and politics</A> and<A href="ipsec.html#ipsec.detail"> IPsec
 protocols</A> sections.</P>
<H2><A name="ipsec.intro">IPsec, Security for the Internet Protocol</A></H2>
<P>FreeS/WAN is a Linux implementation of the IPsec (IP security)
 protocols. IPsec provides<A href="glossary.html#encryption"> encryption</A>
 and<A href="glossary.html#authentication"> authentication</A> services
 at the IP (Internet Protocol) level of the network protocol stack.</P>
<P>Working at this level, IPsec can protect any traffic carried over IP,
 unlike other encryption which generally protects only a particular
 higher-level protocol --<A href="glossary.html#PGP"> PGP</A> for mail,<A
href="glossary.html#SSH"> SSH</A> for remote login,<A href="glossary.html#SSL">
 SSL</A> for web work, and so on. This approach has both considerable
 advantages and some limitations. For discussion, see our<A href="ipsec.html#others">
 IPsec section</A></P>
<P>IPsec can be used on any machine which does IP networking. Dedicated
 IPsec gateway machines can be installed wherever required to protect
 traffic. IPsec can also run on routers, on firewall machines, on
 various application servers, and on end-user desktop or laptop
 machines.</P>
<P>Three protocols are used</P>
<UL>
<LI><A href="glossary.html#AH">AH</A> (Authentication Header) provides a
 packet-level authentication service</LI>
<LI><A href="glossary.html#ESP">ESP</A> (Encapsulating Security Payload)
 provides encryption plus authentication</LI>
<LI><A href="glossary.html#IKE">IKE</A> (Internet Key Exchange)
 negotiates connection parameters, including keys, for the other two</LI>
</UL>
<P>Our implementation has three main parts:</P>
<UL>
<LI><A href="glossary.html#KLIPS">KLIPS</A> (kernel IPsec) implements
 AH, ESP, and packet handling within the kernel</LI>
<LI><A href="glossary.html#Pluto">Pluto</A> (an IKE daemon) implements
 IKE, negotiating connections with other systems</LI>
<LI>various scripts provide an adminstrator's interface to the machinery</LI>
</UL>
<P>IPsec is optional for the current (version 4) Internet Protocol.
 FreeS/WAN adds IPsec to the Linux IPv4 network stack. Implementations
 of<A href="glossary.html#ipv6.gloss"> IP version 6</A> are required to
 include IPsec. Work toward integrating FreeS/WAN into the Linux IPv6
 stack has<A href="compat.html#ipv6"> started</A>.</P>
<P>For more information on IPsec, see our<A href="ipsec.html#ipsec.detail">
 IPsec protocols</A> section, our collection of<A href="web.html#ipsec.link">
 IPsec links</A> or the<A href="rfc.html#RFC"> RFCs</A> which are the
 official definitions of these protocols.</P>
<H3><A name="intro.interop">Interoperating with other IPsec
 implementations</A></H3>
<P>IPsec is designed to let different implementations work together. We
 provide:</P>
<UL>
<LI>a<A href="web.html#implement"> list</A> of some other
 implementations</LI>
<LI>information on<A href="interop.html#interop"> using FreeS/WAN with
 other implementations</A></LI>
</UL>
<P>The VPN Consortium fosters cooperation among implementers and
 interoperability among implementations. Their<A href="http://www.vpnc.org/">
 web site</A> has much more information.</P>
<H3><A name="advantages">Advantages of IPsec</A></H3>
<P>IPsec has a number of security advantages. Here are some
 independently written articles which discuss these:</P>
<P><A HREF="http://www.sans.org/rr/"> SANS institute papers</A>. See the
 section on Encryption &amp;VPNs.
<BR><A HREF="http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_papers_list.html">
 Cisco's white papers on &quot;Networking Solutions&quot;</A>.
<BR><A HREF="http://iscs.sourceforge.net/HowWhyBrief/HowWhyBrief.html">
 Advantages of ISCS (Linux Integrated Secure Communications System;
 includes FreeS/WAN and other software)</A>.</P>
<H3><A name="applications">Applications of IPsec</A></H3>
<P>Because IPsec operates at the network layer, it is remarkably
 flexible and can be used to secure nearly any type of Internet traffic.
 Two applications, however, are extremely widespread:</P>
<UL>
<LI>a<A href="glossary.html#VPN"> Virtual Private Network</A>, or VPN,
 allows multiple sites to communicate securely over an insecure Internet
 by encrypting all communication between the sites.</LI>
<LI>&quot;Road Warriors&quot; connect to the office from home, or perhaps from a
 hotel somewhere</LI>
</UL>
<P>There is enough opportunity in these applications that vendors are
 flocking to them. IPsec is being built into routers, into firewall
 products, and into major operating systems, primarily to support these
 applications. See our<A href="web.html#implement"> list</A> of
 implementations for details.</P>
<P>We support both of those applications, and various less common IPsec
 applications as well, but we also add one of our own:</P>
<UL>
<LI>opportunistic encryption, the ability to set up FreeS/WAN gateways
 so that any two of them can encrypt to each other, and will do so
 whenever packets pass between them.</LI>
</UL>
<P>This is an extension we are adding to the protocols. FreeS/WAN is the
 first prototype implementation, though we hope other IPsec
 implementations will adopt the technique once we demonstrate it. See<A href="#goals">
 project goals</A> below for why we think this is important.</P>
<P>A somewhat more detailed description of each of these applications is
 below. Our<A href="quickstart.html#quick_guide"> quickstart</A> section
 will show you how to build each of them.</P>
<H4><A name="makeVPN">Using secure tunnels to create a VPN</A></H4>
<P>A VPN, or<STRONG> V</STRONG>irtual<STRONG> P</STRONG>rivate<STRONG> N</STRONG>
etwork lets two networks communicate securely when the only connection
 between them is over a third network which they do not trust.</P>
<P>The method is to put a security gateway machine between each of the
 communicating networks and the untrusted network. The gateway machines
 encrypt packets entering the untrusted net and decrypt packets leaving
 it, creating a secure tunnel through it.</P>
<P>If the cryptography is strong, the implementation is careful, and the
 administration of the gateways is competent, then one can reasonably
 trust the security of the tunnel. The two networks then behave like a
 single large private network, some of whose links are encrypted tunnels
 through untrusted nets.</P>
<P>Actual VPNs are often more complex. One organisation may have fifty
 branch offices, plus some suppliers and clients, with whom it needs to
 communicate securely. Another might have 5,000 stores, or 50,000
 point-of-sale devices. The untrusted network need not be the Internet.
 All the same issues arise on a corporate or institutional network
 whenever two departments want to communicate privately with each other.</P>
<P>Administratively, the nice thing about many VPN setups is that large
 parts of them are static. You know the IP addresses of most of the
 machines involved. More important, you know they will not change on
 you. This simplifies some of the admin work. For cases where the
 addresses do change, see the next section.</P>
<H4><A name="road.intro">Road Warriors</A></H4>
<P>The prototypical &quot;Road Warrior&quot; is a traveller connecting to home
 base from a laptop machine. Administratively, most of the same problems
 arise for a telecommuter connecting from home to the office, especially
 if the telecommuter does not have a static IP address.</P>
<P>For purposes of this document:</P>
<UL>
<LI>anyone with a dynamic IP address is a &quot;Road Warrior&quot;.</LI>
<LI>any machine doing IPsec processing is a &quot;gateway&quot;. Think of the
 single-user road warrior machine as a gateway with a degenerate subnet
 (one machine, itself) behind it.</LI>
</UL>
<P>These require somewhat different setup than VPN gateways with static
 addresses and with client systems behind them, but are basically not
 problematic.</P>
<P>There are some difficulties which appear for some road warrior
 connections:</P>
<UL>
<LI>Road Wariors who get their addresses via DHCP may have a problem.
 FreeS/WAN can quite happily build and use a tunnel to such an address,
 but when the DHCP lease expires, FreeS/WAN does not know that. The
 tunnel fails, and the only recovery method is to tear it down and
 re-build it.</LI>
<LI>If<A href="glossary.html#NAT.gloss"> Network Address Translation</A>
 (NAT) is applied between the two IPsec Gateways, this breaks IPsec.
 IPsec authenticates packets on an end-to-end basis, to ensure they are
 not altered en route. NAT rewrites packets as they go by. See our<A href="firewall.html#NAT">
 firewalls</A> document for details.</LI>
</UL>
<P>In most situations, however, FreeS/WAN supports road warrior
 connections just fine.</P>
<H4><A name="opp.intro">Opportunistic encryption</A></H4>
<P>One of the reasons we are working on FreeS/WAN is that it gives us
 the opportunity to add what we call opportuntistic encryption. This
 means that any two FreeS/WAN gateways will be able to encrypt their
 traffic, even if the two gateway administrators have had no prior
 contact and neither system has any preset information about the other.</P>
<P>Both systems pick up the authentication information they need from
 the<A href="glossary.html#DNS"> DNS</A> (domain name service), the
 service they already use to look up IP addresses. Of course the
 administrators must put that information in the DNS, and must set up
 their gateways with opportunistic encryption enabled. Once that is
 done, everything is automatic. The gateways look for opportunities to
 encrypt, and encrypt whatever they can. Whether they also accept
 unencrypted communication is a policy decision the administrator can
 make.</P>
<P>This technique can give two large payoffs:</P>
<UL>
<LI>It reduces the administrative overhead for IPsec enormously. You
 configure your gateway and thereafter everything is automatic. The need
 to configure the system on a per-tunnel basis disappears. Of course,
 FreeS/WAN allows specifically configured tunnels to co-exist with
 opportunistic encryption, but we hope to make them unnecessary in most
 cases.</LI>
<LI>It moves us toward a more secure Internet, allowing users to create
 an environment where message privacy is the default. All messages can
 be encrypted, provided the other end is willing to co-operate. See our<A
href="politics.html#politics"> history and politics of cryptography</A>
 section for discussion of why we think this is needed.</LI>
</UL>
<P>Opportunistic encryption is not (yet?) a standard part of the IPsec
 protocols, but an extension we are proposing and demonstrating. For
 details of our design, see<A href="#applied"> links</A> below.</P>
<P>Only one current product we know of implements a form of
 opportunistic encryption.<A href="web.html#ssmail"> Secure sendmail</A>
 will automatically encrypt server-to-server mail transfers whenever
 possible.</P>
<H3><A name="types">The need to authenticate gateways</A></H3>
<P>A complication, which applies to any type of connection -- VPN, Road
 Warrior or opportunistic -- is that a secure connection cannot be
 created magically.<EM> There must be some mechanism which enables the
 gateways to reliably identify each other.</EM> Without this, they
 cannot sensibly trust each other and cannot create a genuinely secure
 link.</P>
<P>Any link they do create without some form of<A href="glossary.html#authentication">
 authentication</A> will be vulnerable to a<A href="glossary.html#middle">
 man-in-the-middle attack</A>. If<A href="glossary.html#alicebob"> Alice
 and Bob</A> are the people creating the connection, a villian who can
 re-route or intercept the packets can pose as Alice while talking to
 Bob and pose as Bob while talking to Alice. Alice and Bob then both
 talk to the man in the middle, thinking they are talking to each other,
 and the villain gets everything sent on the bogus &quot;secure&quot; connection.</P>
<P>There are two ways to build links securely, both of which exclude the
 man-in-the middle:</P>
<UL>
<LI>with<STRONG> manual keying</STRONG>, Alice and Bob share a secret
 key (which must be transmitted securely, perhaps in a note or via PGP
 or SSH) to encrypt their messages. For FreeS/WAN, such keys are stored
 in the<A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A> file. Of
 course, if an enemy gets the key, all is lost.</LI>
<LI>with<STRONG> automatic keying</STRONG>, the two systems authenticate
 each other and negotiate their own secret keys. The keys are
 automatically changed periodically.</LI>
</UL>
<P>Automatic keying is much more secure, since if an enemy gets one key
 only messages between the previous re-keying and the next are exposed.
 It is therefore the usual mode of operation for most IPsec deployment,
 and the mode we use in our setup examples. FreeS/WAN does support
 manual keying for special circumstanes. See this<A href="adv_config.html#prodman">
 section</A>.</P>
<P>For automatic keying, the two systems must authenticate each other
 during the negotiations. There is a choice of methods for this:</P>
<UL>
<LI>a<STRONG> shared secret</STRONG> provides authentication. If Alice
 and Bob are the only ones who know a secret and Alice recives a message
 which could not have been created without that secret, then Alice can
 safely believe the message came from Bob.</LI>
<LI>a<A href="glossary.html#public"> public key</A> can also provide
 authentication. If Alice receives a message signed with Bob's private
 key (which of course only he should know) and she has a trustworthy
 copy of his public key (so that she can verify the signature), then she
 can safely believe the message came from Bob.</LI>
</UL>
<P>Public key techniques are much preferable, for reasons discussed<A href="config.html#choose">
 later</A>, and will be used in all our setup examples. FreeS/WAN does
 also support auto-keying with shared secret authentication. See this<A href="adv_config.html#prodsecrets">
 section</A>.</P>
<H2><A name="project">The FreeS/WAN project</A></H2>
<P>For complete information on the project, see our web site,<A href="http://liberty.freeswan.org">
 freeswan.org</A>.</P>
<P>In summary, we are implementing the<A href="glossary.html#IPsec">
 IPsec</A> protocols for Linux and extending them to do<A href="glossary.html#carpediem">
 opportunistic encryption</A>.</P>
<H3><A name="goals">Project goals</A></H3>
<P>Our overall goal in FreeS/WAN is to make the Internet more secure and
 more private.</P>
<P>Our IPsec implementation supports VPNs and Road Warriors of course.
 Those are important applications. Many users will want FreeS/WAN to
 build corporate VPNs or to provide secure remote access.</P>
<P>However, our goals in building it go beyond that. We are trying to
 help<STRONG> build security into the fabric of the Internet</STRONG> so
 that anyone who choses to communicate securely can do so, as easily as
 they can do anything else on the net.</P>
<P>More detailed objectives are:</P>
<UL>
<LI>extend IPsec to do<A href="glossary.html#carpediem"> opportunistic
 encryption</A> so that
<UL>
<LI>any two systems can secure their communications without a
 pre-arranged connection</LI>
<LI><STRONG>secure connections can be the default</STRONG>, falling back
 to unencrypted connections only if:
<UL>
<LI><EM>both</EM> the partner is not set up to co-operate on securing
 the connection</LI>
<LI><EM>and</EM> your policy allows insecure connections</LI>
</UL>
</LI>
<LI>a significant fraction of all Internet traffic is encrypted</LI>
<LI>wholesale monitoring of the net (<A href="politics.html#intro.poli">
examples</A>) becomes difficult or impossible</LI>
</UL>
</LI>
<LI>help make IPsec widespread by providing an implementation with no
 restrictions:
<UL>
<LI>freely available in source code under the<A href="glossary.html#GPL">
 GNU General Public License</A></LI>
<LI>running on a range of readily available hardware</LI>
<LI>not subject to US or other nations'<A href="politics.html#exlaw">
 export restrictions</A>.
<BR> Note that in order to avoid<EM> even the appearance</EM> of being
 subject to those laws, the project cannot accept software contributions
 --<EM> not even one-line bug fixes</EM> -- from US residents or
 citizens.</LI>
</UL>
</LI>
<LI>provide a high-quality IPsec implementation for Linux
<UL>
<LI>portable to all CPUs Linux supports:<A href="compat.html#CPUs">
 (current list)</A></LI>
<LI>interoperable with other IPsec implementations:<A href="interop.html#interop">
 (current list)</A></LI>
</UL>
</LI>
</UL>
<P>If we can get opportunistic encryption implemented and widely
 deployed, then it becomes impossible for even huge well-funded agencies
 to monitor the net.</P>
<P>See also our section on<A href="politics.html#politics"> history and
 politics</A> of cryptography, which includes our project leader's<A href="politics.html#gilmore">
 rationale</A> for starting the project.</P>
<H3><A name="staff">Project team</A></H3>
<P>Two of the team are from the US and can therefore contribute no code:</P>
<UL>
<LI>John Gilmore: founder and policy-maker (<A href="http://www.toad.com/gnu/">
home page</A>)</LI>
<LI>Hugh Daniel: project manager, Most Demented Tester, and occasionally
 Pointy-Haired Boss</LI>
</UL>
<P>The rest of the team are Canadians, working in Canada. (<A href="politics.html#status">
Why Canada?</A>)</P>
<UL>
<LI>Hugh Redelmeier:<A href="glossary.html#Pluto"> Pluto daemon</A>
 programmer</LI>
<LI>Richard Guy Briggs:<A href="glossary.html#KLIPS"> KLIPS</A>
 programmer</LI>
<LI>Michael Richardson: hacker without portfolio</LI>
<LI>Claudia Schmeing: documentation</LI>
<LI>Sam Sgro: technical support via the<A href="mail.html#lists">
 mailing lists</A></LI>
</UL>
<P>The project is funded by civil libertarians who consider our goals
 worthwhile. Most of the team are paid for this work.</P>
<P>People outside this core team have made substantial contributions.
 See</P>
<UL>
<LI>our<A href="../CREDITS"> CREDITS</A> file</LI>
<LI>the<A href="web.html#patch"> patches and add-ons</A> section of our
 web references file</LI>
<LI>lists below of user-written<A href="#howto"> HowTos</A> and<A href="#applied">
 other papers</A></LI>
</UL>
<P>Additional contributions are welcome. See the<A href="faq.html#contrib.faq">
 FAQ</A> for details.</P>
<H2><A name="products">Products containing FreeS/WAN</A></H2>
<P>Unfortunately the<A href="politics.html#exlaw"> export laws</A> of
 some countries restrict the distribution of strong cryptography.
 FreeS/WAN is therefore not in the standard Linux kernel and not in all
 CD or web distributions.</P>
<P>FreeS/WAN is, however, quite widely used. Products we know of that
 use it are listed below. We would appreciate hearing, via the<A href="mail.html#lists">
 mailing lists</A>, of any we don't know of.</P>
<H3><A name="distwith">Full Linux distributions</A></H3>
<P>FreeS/WAN is included in various general-purpose Linux distributions,
 mostly from countries (shown in brackets) with more sensible laws:</P>
<UL>
<LI><A href="http://www.suse.com/">SuSE Linux</A> (Germany)</LI>
<LI><A href="http://www.conectiva.com">Conectiva</A> (Brazil)</LI>
<LI><A href="http://www.linux-mandrake.com/en/">Mandrake</A> (France)</LI>
<LI><A href="http://www.debian.org">Debian</A></LI>
<LI>the<A href="http://www.pld.org.pl/"> Polish(ed) Linux Distribution</A>
 (Poland)</LI>
<LI><A>Best Linux</A> (Finland)</LI>
</UL>
<P>For distributions which do not include FreeS/WAN and are not Redhat
 (which we develop and test on), there is additional information in our<A
href="compat.html#otherdist"> compatibility</A> section.</P>
<P>The server edition of<A href="http://www.corel.com"> Corel</A> Linux
 (Canada) also had FreeS/WAN, but Corel have dropped that product line.</P>
<H3><A name="kernel_dist">Linux kernel distributions</A></H3>
<UL>
<LI><A href="http://sourceforge.net/projects/wolk/">Working Overloaded
 Linux Kernel (WOLK)</A></LI>
</UL>
<H3><A name="office_dist">Office server distributions</A></H3>
<P>FreeS/WAN is also included in several distributions aimed at the
 market for turnkey business servers:</P>
<UL>
<LI><A href="http://www.e-smith.com/">e-Smith</A> (Canada), which has
 recently been acquired and become the Network Server Solutions group of<A
href="http://www.mitel.com/"> Mitel Networks</A> (Canada)</LI>
<LI><A href="http://www.clarkconnect.org/">ClarkConnect</A> from Point
 Clark Networks (Canada)</LI>
<LI><A href="http://www.trustix.net/">Trustix Secure Linux</A> (Norway)</LI>
</UL>
<H3><A name="fw_dist">Firewall distributions</A></H3>
<P>Several distributions intended for firewall and router applications
 include FreeS/WAN:</P>
<UL>
<LI>The<A href="http://www.linuxrouter.org/"> Linux Router Project</A>
 produces a Linux distribution that will boot from a single floppy. The<A
href="http://leaf.sourceforge.net"> LEAF</A> firewall project provides
 several different LRP-based firewall packages. At least one of them,
 Charles Steinkuehler's Dachstein, includes FreeS/WAN with X.509
 patches.</LI>
<LI>there are several distributions bootable directly from CD-ROM,
 usable on a machine without hard disk.
<UL>
<LI>Dachstein (see above) can be used this way</LI>
<LI><A href="http://www.gibraltar.at/">Gibraltar</A> is based on Debian
 GNU/Linux.</LI>
<LI>at time of writing,<A href="www.xiloo.com"> Xiloo</A> is available
 only in Chinese. An English version is expected.</LI>
</UL>
</LI>
<LI><A href="http://www.astaro.com/products/index.html">Astaro Security
 Linux</A> includes FreeS/WAN. It has some web-based tools for managing
 the firewall that include FreeS/WAN configuration management.</LI>
<LI><A href="http://www.linuxwall.de">Linuxwall</A></LI>
<LI><A href="http://www.smoothwall.org/">Smoothwall</A></LI>
<LI><A href="http://www.devil-linux.org/">Devil Linux</A></LI>
<LI>Coyote Linux has a<A href="http://embedded.coyotelinux.com/wolverine/index.php">
 Wolverine</A> firewall/VPN server</LI>
</UL>
<P>There are also several sets of scripts available for managing a
 firewall which is also acting as a FreeS/WAN IPsec gateway. See this<A href="firewall.html#rules.pub">
 list</A>.</P>
<H3><A name="turnkey">Firewall and VPN products</A></H3>
<P>Several vendors use FreeS/WAN as the IPsec component of a turnkey
 firewall or VPN product.</P>
<P>Software-only products:</P>
<UL>
<LI><A href="http://www.linuxmagic.com/vpn/index.html">Linux Magic</A>
 offer a VPN/Firewall product using FreeS/WAN</LI>
<LI>The Software Group's<A href="http://www.wanware.com/sentinet/">
 Sentinet</A> product uses FreeS/WAN</LI>
<LI><A href="http://www.merilus.com">Merilus</A> use FreeS/WAN in their
 Gateway Guardian firewall product</LI>
</UL>
<P>Products that include the hardware:</P>
<UL>
<LI>The<A href="http://www.lasat.com"> LASAT SafePipe[tm]</A> series. is
 an IPsec box based on an embedded MIPS running Linux with FreeS/WAN and
 a web-config front end. This company also host our freeswan.org web
 site.</LI>
<LI>Merilus<A href="http://www.merilus.com/products/fc/index.shtml">
 Firecard</A> is a Linux firewall on a PCI card.</LI>
<LI><A href="http://www.kyzo.com/">Kyzo</A> have a &quot;pizza box&quot; product
 line with various types of server, all running from flash. One of them
 is an IPsec/PPTP VPN server</LI>
<LI><A href="http://www.pfn.com">PFN</A> use FreeS/WAN in some of their
 products</LI>
</UL>
<P><A href="www.rebel.com">Rebel.com</A>, makers of the Netwinder Linux
 machines (ARM or Crusoe based), had a product that used FreeS/WAN. The
 company is in receivership so the future of the Netwinder is at best
 unclear.<A href="web.html#patch"> PKIX patches</A> for FreeS/WAN
 developed at Rebel are listed in our web links document.</P>
<H2><A name="docs">Information sources</A></H2>
<H3><A name="docformats">This HowTo, in multiple formats</A></H3>
<P>FreeS/WAN documentation up to version 1.5 was available only in HTML.
 Now we ship two formats:</P>
<UL>
<LI>as HTML, one file for each doc section plus a global<A href="toc.html">
 Table of Contents</A></LI>
<LI><A href="HowTo.html">one big HTML file</A> for easy searching</LI>
</UL>
<P>and provide a Makefile to generate other formats if required:</P>
<UL>
<LI><A href="HowTo.pdf">PDF</A></LI>
<LI><A href="HowTo.ps">Postscript</A></LI>
<LI><A href="HowTo.txt">ASCII text</A></LI>
</UL>
<P>The Makefile assumes the htmldoc tool is available. You can download
 it from<A href="http://www.easysw.com"> Easy Software</A>.</P>
<P>All formats should be available at the following websites:</P>
<UL>
<LI><A href="http://www.freeswan.org/doc.html">FreeS/WAN project</A></LI>
<LI><A href="http://www.linuxdoc.org">Linux Documentation Project</A></LI>
</UL>
<P>The distribution tarball has only the two HTML formats.</P>
<P><STRONG>Note:</STRONG> If you need the latest doc version, for
 example to see if anyone has managed to set up interoperation between
 FreeS/WAN and whatever, then you should download the current snapshot.
 What is on the web is documentation as of the last release. Snapshots
 have all changes I've checked in to date.</P>
<H3><A name="rtfm">RTFM (please Read The Fine Manuals)</A></H3>
<P>As with most things on any Unix-like system, most parts of Linux
 FreeS/WAN are documented in online manual pages. We provide a list of<A href="/mnt/floppy/manpages.html">
 FreeS/WAN man pages</A>, with links to HTML versions of them.</P>
<P>The man pages describing configuration files are:</P>
<UL>
<LI><A href="/mnt/floppy/manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></LI>
<LI><A href="/mnt/floppy/manpage.d/ipsec.secrets.5.html">
ipsec.secrets(5)</A></LI>
</UL>
<P>Man pages for common commands include:</P>
<UL>
<LI><A href="/mnt/floppy/manpage.d/ipsec.8.html">ipsec(8)</A></LI>
<LI><A href="/mnt/floppy/manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A>
</LI>
<LI><A href="/mnt/floppy/manpage.d/ipsec_newhostkey.8.html">
ipsec_newhostkey(8)</A></LI>
<LI><A href="/mnt/floppy/manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A></LI>
</UL>
<P>You can read these either in HTML using the links above or with the<VAR>
 man(1)</VAR> command.</P>
<P>In the event of disagreement between this HTML documentation and the
 man pages, the man pages are more likely correct since they are written
 by the implementers. Please report any such inconsistency on the<A href="mail.html#lists">
 mailing list</A>.</P>
<H3><A name="text">Other documents in the distribution</A></H3>
<P>Text files in the main distribution directory are README, INSTALL,
 CREDITS, CHANGES, BUGS and COPYING.</P>
<P>The Libdes encryption library we use has its own documentation. You
 can find it in the library directory..</P>
<H3><A name="assumptions">Background material</A></H3>
<P>Throughout this documentation, I write as if the reader had at least
 a general familiarity with Linux, with Internet Protocol networking,
 and with the basic ideas of system and network security. Of course that
 will certainly not be true for all readers, and quite likely not even
 for a majority.</P>
<P>However, I must limit amount of detail on these topics in the main
 text. For one thing, I don't understand all the details of those topics
 myself. Even if I did, trying to explain everything here would produce
 extremely long and almost completely unreadable documentation.</P>
<P>If one or more of those areas is unknown territory for you, there are
 plenty of other resources you could look at:</P>
<DL>
<DT>Linux</DT>
<DD>the<A href="http://www.linuxdoc.org"> Linux Documentation Project</A>
 or a local<A href="http://www.linux.org/groups/"> Linux User Group</A>
 and these<A href="web.html#linux.link"> links</A></DD>
<DT>IP networks</DT>
<DD>Rusty Russell's<A href="http://netfilter.samba.org/unreliable-guides/networking-concepts-HOWTO/index.html">
 Networking Concepts HowTo</A> and these<A href="web.html#IP.background">
 links</A></DD>
<DT>Security</DT>
<DD>Schneier's book<A href="biblio.html#secrets"> Secrets and Lies</A>
 and these<A href="web.html#crypto.link"> links</A></DD>
</DL>
<P>Also, I do make an effort to provide some background material in
 these documents. All the basic ideas behind IPsec and FreeS/WAN are
 explained here. Explanations that do not fit in the main text, or that
 not everyone will need, are often in the<A href="glossary.html#ourgloss">
 glossary</A>, which is the largest single file in this document set.
 There is also a<A href="background.html#background"> background</A>
 file containing various explanations too long to fit in glossary
 definitions. All files are heavily sprinkled with links to each other
 and to the glossary.<STRONG> If some passage makes no sense to you, try
 the links</STRONG>.</P>
<P>For other reference material, see the<A href="biblio.html#biblio">
 bibliography</A> and our collection of<A href="web.html#weblinks"> web
 links</A>.</P>
<P>Of course, no doubt I get this (and other things) wrong sometimes.
 Feedback via the<A href="mail.html#lists"> mailing lists</A> is
 welcome.</P>
<H3><A name="archives">Archives of the project mailing list</A></H3>
<P>Until quite recently, there was only one FreeS/WAN mailing list, and
 archives of it were:</P>
<UL>
<LI><A href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</A></LI>
<LI><A href="http://www.nexial.com">Holland</A></LI>
</UL>
 The two archives use completely different search engines. You might
 want to try both.
<P>More recently we have expanded to five lists, each with its own
 archive.</P>
<P><A href="mail.html#lists">More information</A> on mailing lists.</P>
<H3><A name="howto">User-written HowTo information</A></H3>
<P>Various user-written HowTo documents are available. The ones covering
 FreeS/WAN-to-FreeS/WAN connections are:</P>
<UL>
<LI>Jean-Francois Nadeau's<A href="http://jixen.tripod.com/"> practical
 configurations</A> document</LI>
<LI>Jens Zerbst's HowTo on<A href="http://dynipsec.tripod.com/"> Using
 FreeS/WAN with dynamic IP addresses</A>.</LI>
<LI>an entry in Kurt Seifried's<A href="http://www.securityportal.com/lskb/kben00000013.html">
 Linux Security Knowledge Base</A>.</LI>
<LI>a section of David Ranch's<A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
 Trinity OS Guide</A></LI>
<LI>a section in David Bander's book<A href="biblio.html#bander"> Linux
 Security Toolkit</A></LI>
</UL>
<P>User-wriiten HowTo material may be<STRONG> especially helpful if you
 need to interoperate with another IPsec implementation</STRONG>. We
 have neither the equipment nor the manpower to test such
 configurations. Users seem to be doing an admirable job of filling the
 gaps.</P>
<UL>
<LI>list of user-written<A href="interop.html#otherpub"> interoperation
 HowTos</A> in our interop document</LI>
</UL>
<P>Check what version of FreeS/WAN user-written documents cover. The
 software is under active development and the current version may be
 significantly different from what an older document describes.</P>
<H3><A name="applied">Papers on FreeS/WAN</A></H3>
<P>Two design documents show team thinking on new developments:</P>
<UL>
<LI><A href="opportunism.spec">Opportunistic Encryption</A> by technical
 lead Henry Spencer and Pluto programmer Hugh Redelemeier</LI>
<LI>discussion of<A href="http://www.sandelman.ottawa.on.ca/SSW/freeswan/klips2req/">
 KLIPS redesign</A></LI>
</UL>
<P>Both documents are works in progress and are frequently revised. For
 the latest version, see the<A href="mail.html#lists"> design mailing
 list</A>. Comments should go to that list.</P>
<P>There is now an<A href="http://www.ietf.org/internet-drafts/draft-richardson-ipsec-opportunistic-06.txt">
 Internet Draft on Opportunistic Encryption</A> by Michael Richardson,
 Hugh Redelmeier and Henry Spencer. This is a first step toward getting
 the protocol standardised so there can be multiple implementations of
 it. Discussion of it takes place on the<A href="http://www.ietf.org/html.charters/ipsec-charter.html">
 IETF IPsec Working Group</A> mailing list.</P>
<P>A number of papers giving further background on FreeS/WAN, or
 exploring its future or its applications, are also available:</P>
<UL>
<LI>Both Henry and Richard gave talks on FreeS/WAN at the 2000<A href="http://www.linuxsymposium.org">
 Ottawa Linux Symposium</A>.
<UL>
<LI>Richard's<A href="http://www.conscoop.ottawa.on.ca/rgb/freeswan/ols2k/">
 slides</A></LI>
<LI>Henry's paper</LI>
<LI>MP3 audio of their talks is available from the<A href="http://www.linuxsymposium.org/">
 conference page</A></LI>
</UL>
</LI>
<LI><CITE>Moat: A Virtual Private Network Appliances and Services
 Platform</CITE> is a paper about large-scale (a few 100 links) use of
 FreeS/WAN in a production application at AT&amp;T Research. It is available
 in Postscript or PDF from co-author Steve Bellovin's<A href="http://www.research.att.com/~smb/papers/index.html">
 papers list page</A>.</LI>
<LI>One of the Moat co-authors, John Denker, has also written
<UL>
<LI>a<A href="http://www.av8n.com/vpn/ipsec+routing.htm"> proposal</A>
 for how future versions of FreeS/WAN might interact with routing
 protocols</LI>
<LI>a<A href="http://www.av8n.com/vpn/wishlist.htm"> wishlist</A> of
 possible new features</LI>
</UL>
</LI>
<LI>Bart Trojanowski's web page has a draft design for<A href="http://www.jukie.net/~bart/linux-ipsec/">
 hardware acceleration</A> of FreeS/WAN</LI>
</UL>
<P>Several of these provoked interesting discussions on the mailing
 lists, worth searching for in the<A href="mail.html#archive"> archives</A>
.</P>
<P>There are also several papers in languages other than English, see
 our<A href="web.html#otherlang"> web links</A>.</P>
<H3><A name="licensing">License and copyright information</A></H3>
<P>All code and documentation written for this project is distributed
 under either the GNU General Public License (<A href="glossary.html#GPL">
GPL</A>) or the GNU Library General Public License. For details see the
 COPYING file in the distribution.</P>
<P>Not all code in the distribution is ours, however. See the CREDITS
 file for details. In particular, note that the<A href="glossary.html#LIBDES">
 Libdes</A> library and the version of<A href="glossary.html#MD5"> MD5</A>
 that we use each have their own license.</P>
<H2><A name="sites">Distribution sites</A></H2>
<P>FreeS/WAN is available from a number of sites.</P>
<H3><A NAME="1_5_1">Primary site</A></H3>
<P>Our primary site, is at xs4all (Thanks, folks!) in Holland:</P>
<UL>
<LI><A href="http://www.xs4all.nl/~freeswan">HTTP</A></LI>
<LI><A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">FTP</A></LI>
</UL>
<H3><A name="mirrors">Mirrors</A></H3>
<P>There are also mirror sites all over the world:</P>
<UL>
<LI><A href="http://www.flora.org/freeswan">Eastern Canada</A> (limited
 resouces)</LI>
<LI><A href="ftp://ludwig.doculink.com/pub/freeswan/">Eastern Canada</A>
 (has older versions too)</LI>
<LI><A href="ftp://ntsc.notBSD.org/pub/crypto/freeswan/">Eastern Canada</A>
 (has older versions too)</LI>
<LI><A href="ftp://ftp.kame.net/pub/freeswan/">Japan</A></LI>
<LI><A href="ftp://ftp.futuredynamics.com/freecrypto/FreeSWAN/">Hong
 Kong</A></LI>
<LI><A href="ftp://ipsec.dk/pub/freeswan/">Denmark</A></LI>
<LI><A href="ftp://ftp.net.lut.ac.uk/freeswan">the UK</A></LI>
<LI><A href="http://storm.alert.sk/comp/mirrors/freeswan/">Slovak
 Republic</A></LI>
<LI><A href="http://the.wiretapped.net/security/vpn-tunnelling/freeswan/">
Australia</A></LI>
<LI><A href="http://freeswan.technolust.cx/">technolust</A></LI>
<LI><A href="http://freeswan.devguide.de/">Germany</A></LI>
<LI>Ivan Moore's<A href="http://snowcrash.tdyc.com/freeswan/"> site</A></LI>
<LI>the<A href="http://www.cryptoarchive.net/"> Crypto Archive</A> on
 the<A href="http://www.securityportal.com/"> Security Portal</A> site</LI>
<LI><A href="http://www.wiretapped.net/">Wiretapped.net</A> in Australia</LI>
</UL>
<P>Thanks to those folks as well.</P>
<H3><A name="munitions">The &quot;munitions&quot; archive of Linux crypto software</A>
</H3>
<P>There is also an archive of Linux crypto software called &quot;munitions&quot;,
 with its own mirrors in a number of countries. It includes FreeS/WAN,
 though not always the latest version. Some of its sites are:</P>
<UL>
<LI><A href="http://munitions.vipul.net/">Germany</A></LI>
<LI><A href="http://munitions.iglu.cjb.net/">Italy</A></LI>
<LI><A href="http://munitions2.xs4all.nl/">Netherlands</A></LI>
</UL>
<P>Any of those will have a list of other &quot;munitions&quot; mirrors. There is
 also a CD available.</P>
<H2><A NAME="1_6">Links to other sections</A></H2>
<P>For more detailed background information, see:</P>
<UL>
<LI><A href="politics.html#politics">history and politics</A> of
 cryptography</LI>
<LI><A href="ipsec.html#ipsec.detail">IPsec protocols</A></LI>
</UL>
<P>To begin working with FreeS/WAN, go to our<A href="quickstart.html#quick.guide">
 quickstart</A> guide.</P>
<HR>
<A HREF="toc.html">Contents</A>
<A HREF="upgrading.html">Next</A>
</BODY>
</HTML>