Interoperating with FreeS/WAN

The FreeS/WAN project needs you! We rely on the user community to keep up to date. Mail [email protected] with your interop success stories.

Please note: Most of our interop examples feature Linux FreeS/WAN 1.x config files. You can convert them to 2.x files fairly easily with the patch in our Upgrading Guide.

Interop at a Glance

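PSK through Manual Keying are grouped under FreeS/WAN VPN; Road Warrior and OE stand alone.

More Compatible

| Implementation | PSK | RSA Secret | X.509 (requires patch) | NAT-Traversal (requires patch) | Manual Keying | Road Warrior | OE |
|---|---|---|---|---|---|---|---|
| FreeS/WAN | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| isakmpd (OpenBSD) | Yes | | Yes | | Yes | | No |
| Kame (FreeBSD, NetBSD, MacOSX), aka racoon | Yes | Yes | Yes | | Yes | | No |
| McAfee VPN (was PGPNet) | Yes | Yes | Yes | | | Yes | No |
| Microsoft Windows 2000/XP | Yes | | Yes | | | Yes | No |
| SSH Sentinel | Yes | | Yes | Maybe | | Yes | No |
| Safenet SoftPK/SoftRemote | Yes | | Yes | | | Yes | No |

Other

| Implementation | PSK | RSA Secret | X.509 (requires patch) | NAT-Traversal (requires patch) | Manual Keying | Road Warrior | OE |
|---|---|---|---|---|---|---|---|
| 6Wind | | | Yes | | | | No |
| Alcatel Timestep | Yes | | | | | | No |
| Apple Macintosh System 10+ | Maybe | Yes | Maybe | | Maybe | | No |
| AshleyLaurent VPCom | Yes | | | | | | No |
| Borderware | Yes | | | | | No | No |
| Check Point FW-1/VPN-1 | Yes | | Yes | | | Yes | No |
| Cisco with 3DES | Yes | Maybe | | Maybe | | | No |
| Equinux VPN Tracker (for Mac OS X) | Yes | Yes | Yes | | Maybe | | No |
| F-Secure | Yes | | | Maybe | Yes | Yes | No |
| Gauntlet GVPN | Yes | | Yes | | | | No |
| IBM AIX | Yes | | Maybe | | | | No |
| IBM AS/400 | Yes | | | | | | No |
| Intel Shiva LANRover/Net Structure | Yes | | | | | | No |
| LanCom (formerly ELSA) | Yes | | | | | | No |
| Linksys | Maybe | | No | | | Yes | No |
| Lucent | Partial | | | | | | No |
| Netasq | | | Yes | | | | No |
| netcelo | | | Yes | | | | No |
| Netgear fvs318 | Yes | | | | | | No |
| Netscreen 100 or 5xp | Yes | | | | | Maybe | No |
| Nortel Contivity | Partial | | Yes | Maybe | | | No |
| RadGuard | Yes | | | | | | No |
| Raptor | Yes | | | | Yes | | No |
| Redcreek Ravlin | Yes/Partial | | | | | | No |
| SonicWall | Yes | | | | Maybe | No | No |
| Sun Solaris | Yes | | Yes | | Yes | | No |
| Symantec | Yes | | | | | | No |
| Watchguard Firebox | Yes | | | | Yes | | No |
| Xedia Access Point/QVPN | Yes | | | | | | No |
| Zyxel Zywall/Prestige | Yes | | | | | | No |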

Key

Yes: People report that this works for them.
[Blank]: We don't know.
No: We have reason to believe it was, at some point, not possible to get this to work.
Partial: Partial success. For example, a connection can be created from one end only.
Yes/Partial: Mixed reports.
Maybe: We think the answer is "yes", but need confirmation.

Basic Interop Rules

Vanilla FreeS/WAN implements these parts of the IPSec specifications. You can add more with Openswan, but what we offer may be enough for many users.

We offer a set of proposals which is not user-adjustable, but covers all combinations that we can offer. FreeS/WAN always proposes triple DES encryption and Perfect Forward Secrecy (PFS). In addition, we propose Diffie-Hellman groups 5 and 2 (in that order), and MD5 and SHA-1 hashes. We accept the same proposals, in the same order of preference.

Other interop notes:

Longer Stories

For More Compatible Implementations

FreeS/WAN

See our documentation at freeswan.org, and the Openswan docs (formerly Super FreeS/WAN; some good docs are still posted on the SFS site). Some user-written HOWTOs for FreeS/WAN-FreeS/WAN connections are listed in our Introduction.

See also:

isakmpd (OpenBSD)

OpenBSD FAQ: Using IPsec
Hans-Joerg Hoexer's interop Linux-OpenBSD (PSK)
Skyper's configuration (PSK)
French page with configs (X.509)

Kame

Kame homepage, with FAQ
NetBSD's IPSec FAQ
Ghislaine's post explaining some interop peculiarities

Itojun's Kame-FreeS/WAN interop tips (PSK)
Ghislaine Labouret's French page with links to matching FreeS/WAN and Kame configs (RSA)
Markus Wernig's HOWTO (X.509, BSD gateway)
Frodo's Kame-FreeS/WAN interop (X.509)
Kame as a WAVEsec client.

PGPNet/McAfee

Tim Carr's Windows Interop Guide (X.509)
Hans-Joerg Hoexer's Guide for Linux-PGPNet (PSK)
Kai Martius' instructions using RSA Key-Extractor Tool (RSA)
    Christian Zeng's page (RSA) based on Kai's work. English or German.
Oscar Delgado's PDF (X.509, no configs)
Ryan's HOWTO for FreeS/WAN-PGPNet (X.509). Through a Linksys Router with IPsec Passthru enabled.
Jean-Francois Nadeau's Practical Configuration (Road Warrior with PSK)
Wouter Prins' HOWTO (Road Warrior with X.509)

Rekeying problem with FreeS/WAN and older PGPNets

DHCP over IPSEC HOWTO for FreeS/WAN (requires X.509 and dhcprelay patches)

Microsoft Windows 2000/XP

Tim Carr's Windows Interop Guide (X.509)
James Carter's instructions (X.509, NAT-T)
Jean-Francois Nadeau's Net-net Configuration (PSK)
Telenor's Node-node Config (Transport-mode PSK). As of release 2.06, FreeS/WAN no longer supports transport mode.
Marcus Mueller's HOWTO using his VPN config tool (X.509). Tool also works with PSK.
Nate Carlson's HOWTO using same tool (Road Warrior with X.509). Unusually, FreeS/WAN is the Road Warrior here.
Oscar Delgado's PDF (X.509, no configs)
Tim Scannell's Windows XP Additional Checklist (X.509)

Microsoft's page on Win2k TCP/IP security features
Microsoft's Win2k IPsec debugging tips
MS VPN may fall back to 1DES

SSH Sentinel

SSH's Sentinel-FreeSWAN interop PDF (X.509)
Nadeem Hassan's SUSE-to-Sentinel article (Road warrior with X.509)
O-Zone's Italian HOWTO (Road Warrior, X.509, DHCP)

Safenet SoftPK/SoftRemote

Whit Blauvelt's SoftRemote tips
Tim Wilson's tips (X.509). Workaround for a "gotcha".

Jean-Francois Nadeau's Practical Configuration (Road Warrior with PSK)
Terradon Communications' PDF (Road Warrior with PSK)
Seaan.net's PDF (Road Warrior to Subnet, with PSK)
Red Baron Consulting's PDF (Road Warrior with X.509)

For Other Implementations

6Wind

French page with configs (X.509)

Alcatel Timestep

Alain Sabban's settings (PSK or PSK road warrior; through static NAT)
Derick Cassidy's configs (PSK)
David Kerry's Timestep settings (PSK)
Kevin Gerbracht's ipsec.conf (X.509)

Apple Macintosh System 10+

James Carter's instructions (X.509, NAT-T)

AshleyLaurent VPCom

Successful interop report, no details

Borderware

Philip Reetz' configs (PSK)
Borderware server does not support FreeS/WAN road warriors
Older Borderware may not support Diffie Hellman groups 2, 5

Check Point VPN-1 or FW-1

AERAsec's Firewall-1 NG site (PSK, X.509, Road Warrior with X.509, other algorithms)
     AERAsec's detailed Check Point-FreeS/WAN support matrix
Checkpoint.com PDF: Linux as a VPN Client to FW-1 (PSK)
PhoneBoy's Check Point FAQ (on Check Point only, not FreeS/WAN)

Chris Harwell's tips & FreeS/WAN configs (PSK)
Daniel Tombeil's configs (PSK)

Cisco

SANS Institute HOWTO (PSK). Detailed, with extensive references.
Short HOWTO (PSK)
French page with configs for Cisco IOS, PIX and VPN 3000 (X.509)
Dave McFerren's sample configs (PSK)
Wolfgang Tremmel's sample configs (PSK road warrior)
Old doc from Pete Davis, with William Watson's updated Tips (PSK)

Some PIX specific information:
Waikato Linux Users' Group HOWTO. Nice detail (PSK)
John Leach's configs (PSK)
Greg Robinson's settings (PSK)
Scott's ipsec.conf for PIX (PSK, FreeS/WAN side only)
Rick Trimble's PIX and FreeS/WAN settings (PSK)

Cisco VPN support page
Cisco IPsec information page

Equinux VPN tracker (for Mac OS X)

Equinux provides this excellent interop PDF (PSK, RSA, X.509).

F-Secure

pingworks.de's "Connecting F-Secure's VPN+ to Linux FreeS/WAN" (PSK road warrior)
    Same thing as PDF
Success report, no detail (PSK)
Success report, no detail (Manual)

Gauntlet GVPN

Richard Reiner's ipsec.conf (PSK)
Might work without that pesky firewall... (PSK)
In late July, 2003 Alexandar Antik reported success interoperating with Gauntlet 6.0 for Solaris (X.509). Unfortunately the message is not properly archived at this time.

IBM AIX

IBM's "Built-In Network Security with AIX" (PSK, X.509)
IBM's tip: importing Linux FreeS/WAN settings into AIX's ikedb (PSK)

IBM AS/400

Richard Welty's tips and tricks

Intel Shiva LANRover / Net Structure

Snowcrash's configs (PSK)
Old configs from an interop (PSK)
The day Shiva tickled a Pluto bug (PSK)
     Follow up: success!

LanCom (formerly ELSA)

Jakob Curdes successfully created a PSK connection with the LanCom 1612 in August 2003.

Linksys

As tunnel endpoint

Ken Bantoft's instructions (Road Warrior with PSK)
Nate Carlson's caveats

In IPsec passthrough mode

Sample HOWTO through a Linksys Router
Nadeem Hasan's configs
Brock Nanson's tips

Lucent

Partial success report; see also the next message in thread

Netasq

French page with configs (X.509)

Netcelo

French page with configs (X.509)

Netgear fvs318

John Morris' setup (PSK)

Netscreen 100 or 5xp

Errol Neal's settings (PSK)
Corey Rogers' configs (PSK, no PFS)
Jordan Share's configs (PSK, 2 subnets, through static NAT)
Set src proxy_id to your protected subnet/mask
French page with ipsec.conf, Netscreen screen shots (X.509, may need to revert to PSK...)

A report of a company using Netscreen with FreeS/WAN on a large scale (FreeS/WAN road warriors?)

Nortel Contivity

JJ Streicher-Bremer's mini HOWTO for old & new software. (PSK with two subnets)
French page with configs (X.509). This succeeds using the above X.509 tip.

Radguard

Marko Hausalo's configs (PSK). Note: These do create a connection, as you can see by "IPsec SA established".
Claudia Schmeing's comments

Raptor (NT or Solaris)

Peter Mazinger's settings (PSK)
Peter Gerland's configs (PSK)
Charles Griebel's configs (PSK).
Lumir Srch's tips (PSK)

John Hardy's configs (Manual)
Older Raptors want 3DES keys in 3 parts (Manual).
Different keys for each direction? (Manual)

Redcreek Ravlin

SonicWall

Paul Wouters' config (PSK)
Dilan Arumainathan's configuration (PSK)
Dariush's setup... only opens one way (PSK)
Andreas Steffen's tips (X.509)

Sun Solaris

Reports of some successful interops from a fellow @sun.com. See also these follow up posts.
Aleks Shenkman's configs (Manual in transport mode). As of release 2.06, FreeS/WAN no longer supports transport mode.

Symantec

Andreas Steffen's configs for Symantec 200R (PSK)

Watchguard Firebox

WatchGuard's HOWTO (PSK)
Ronald C. Riviera's Settings (PSK)
Walter Wickersham's Notes (PSK)
Max Enders' Configs (Manual)

Old known issue with auto keying
Tips on key generation and format (Manual)

Xedia Access Point/QVPN

Hybrid IPsec/L2TP connection settings (X.509)
Xedia's LAN-LAN links don't use multiple tunnels
     That explanation, continued

Zyxel

Zyxel's Zywall to FreeS/WAN instructions (PSK)
Zyxel's Prestige to FreeS/WAN instructions (PSK). Note: not all Prestige versions include VPN software.
Fabrice Cahen's HOWTO (PSK)
    
