The FreeS/WAN project needs you! We rely on the user community to keep up to date. Mail [email protected] with your interop success stories.
Please note: Most of our interop examples feature Linux FreeS/WAN 1.x config files. You can convert them to 2.x files fairly easily with the patch in our Upgrading Guide.
FreeS/WAN VPN | Road Warrior | OE | |||||
PSK | RSA Secret | X.509 (requires patch) | NAT-Traversal (requires patch) | Manual Keying | |||
More Compatible | |||||||
FreeS/WAN | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
isakmpd (OpenBSD) | Yes | Yes | Yes | No | |||
Kame (FreeBSD, NetBSD, MacOSX) aka racoon | Yes | Yes | Yes | Yes | No | ||
McAfee VPN (was PGPNet) | Yes | Yes | Yes | Yes | No | ||
Microsoft Windows 2000/XP | Yes | Yes | Yes | No | |||
SSH Sentinel | Yes | Yes | Maybe | Yes | No | ||
Safenet SoftPK/SoftRemote | Yes | Yes | Yes | No | |||
Other | |||||||
6Wind | Yes | No | |||||
Alcatel Timestep | Yes | No | |||||
Apple Macintosh System 10+ | Maybe | Yes | Maybe | Maybe | No | ||
AshleyLaurent VPCom | Yes | No | |||||
Borderware | Yes | No | No | ||||
Check Point FW-1/VPN-1 | Yes | Yes | Yes | No | |||
Cisco with 3DES | Yes | Maybe | Maybe | No | |||
Equinux VPN Tracker (for Mac OS X) | Yes | Yes | Yes | Maybe | No | ||
F-Secure | Yes | Maybe | Yes | Yes | No | ||
Gauntlet GVPN | Yes | Yes | No | ||||
IBM AIX | Yes | Maybe | No | ||||
IBM AS/400 | Yes | No | |||||
Intel Shiva LANRover/Net Structure | Yes | No | |||||
LanCom (formerly ELSA) | Yes | No | |||||
Linksys | Maybe | No | Yes | No | |||
Lucent | Partial | No | |||||
Netasq | Yes | No | |||||
netcelo | Yes | No | |||||
Netgear fvs318 | Yes | No | |||||
Netscreen 100 or 5xp | Yes | Maybe | No | ||||
Nortel Contivity | Partial | Yes | Maybe | No | |||
RadGuard | Yes | No | |||||
Raptor | Yes | Yes | No | ||||
Redcreek Ravlin | Yes/Partial | No | |||||
SonicWall | Yes | Maybe | No | No | |||
Sun Solaris | Yes | Yes | Yes | No | |||
Symantec | Yes | No | |||||
Watchguard Firebox | Yes | Yes | No | ||||
Xedia Access Point/QVPN | Yes | No | |||||
Zyxel Zywall/Prestige | Yes | No | |||||
Yes | People report that this works for them. |
[Blank] | We don't know. |
No | We have reason to believe it was, at some point, not possible to get this to work. |
Partial | Partial success. For example, a connection can be created from one end only. |
Yes/Partial | Mixed reports. |
Maybe | We think the answer is "yes", but need confirmation. |
Vanilla FreeS/WAN implements these parts of the IPSec specifications. You can add more with Openswan, but what we offer may be enough for many users.
We offer a set of proposals which is not user-adjustable, but covers all combinations that we can offer. FreeS/WAN always proposes triple DES encryption and Perfect Forward Secrecy (PFS). In addition, we propose Diffie-Hellman groups 5 and 2 (in that order), and MD5 and SHA-1 hashes. We accept the same proposals, in the same order of preference.
Other interop notes:
See our documentation at freeswan.org, and the Openswan docs (formerly Super FreeS/WAN; some good docs are still posted on the SFS site). Some user-written HOWTOs for FreeS/WAN-FreeS/WAN connections are listed in our Introduction.
See also:
OpenBSD FAQ: Using IPsec
Hans-Joerg Hoexer's interop Linux-OpenBSD (PSK)
Skyper's configuration (PSK)
French page with configs (X.509)
Kame homepage, with FAQ
NetBSD's IPSec FAQ
Ghislaine's post explaining some interop peculiarities
Itojun's Kame-FreeS/WAN interop tips (PSK)
Ghislaine Labouret's French page with links to matching FreeS/WAN and Kame configs (RSA)
Markus Wernig's HOWTO (X.509, BSD gateway)
Frodo's Kame-FreeS/WAN interop (X.509)
Kame as a WAVEsec client.
Tim Carr's Windows Interop Guide (X.509)
Hans-Joerg Hoexer's Guide for Linux-PGPNet (PSK)
Kai Martius' instructions using RSA Key-Extractor Tool (RSA)
Christian Zeng's page (RSA) based on Kai's work. English or German.
Oscar Delgado's PDF (X.509, no configs)
Ryan's HOWTO for FreeS/WAN-PGPNet (X.509). Through a Linksys Router with IPsec Passthru enabled.
Jean-Francois Nadeau's Practical Configuration (Road Warrior with PSK)
Wouter Prins' HOWTO (Road Warrior with X.509)
Rekeying problem with FreeS/WAN and older PGPNets
DHCP over IPSEC HOWTO for FreeS/WAN (requires X.509 and dhcprelay patches)
Tim Carr's Windows Interop Guide (X.509)
James Carter's instructions (X.509, NAT-T)
Jean-Francois Nadeau's Net-net Configuration (PSK)
Telenor's Node-node Config (Transport-mode PSK). As of release 2.06, FreeS/WAN no longer supports transport mode.
Marcus Mueller's HOWTO using his VPN config tool (X.509). Tool also works with PSK.
Nate Carlson's HOWTO using same tool (Road Warrior with X.509). Unusually, FreeS/WAN is the Road Warrior here.
Oscar Delgado's PDF (X.509, no configs)
Tim Scannell's Windows XP Additional Checklist (X.509)
Microsoft's page on Win2k TCP/IP security features
Microsoft's Win2k IPsec debugging tips
MS VPN may fall back to 1DES
SSH's Sentinel-FreeSWAN interop PDF (X.509)
Nadeem Hassan's SUSE-to-Sentinel article (Road warrior with X.509)
O-Zone's Italian HOWTO (Road Warrior, X.509, DHCP)
Whit Blauvelt's SoftRemote tips
Tim Wilson's tips (X.509)
Workaround for a "gotcha"
Jean-Francois Nadeau's Practical Configuration (Road Warrior with PSK)
Terradon Communications' PDF (Road Warrior with PSK)
Seaan.net's PDF (Road Warrior to Subnet, with PSK)
Red Baron Consulting's PDF (Road Warrior with X.509)
French page with configs (X.509)
Alain Sabban's settings (PSK or PSK road warrior; through static NAT)
Derick Cassidy's configs (PSK)
David Kerry's Timestep settings (PSK)
Kevin Gerbracht's ipsec.conf (X.509)
James Carter's instructions (X.509, NAT-T)
Successful interop report, no details
Philip Reetz' configs (PSK)
Borderware server does not support FreeS/WAN road warriors
Older Borderware may not support Diffie Hellman groups 2, 5
AERAsec's Firewall-1 NG site (PSK, X.509, Road Warrior with X.509, other algorithms)
AERAsec's detailed Check Point-FreeS/WAN support matrix
Checkpoint.com PDF: Linux as a VPN Client to FW-1 (PSK)
PhoneBoy's Check Point FAQ (on Check Point only, not FreeS/WAN)
Chris Harwell's tips & FreeS/WAN configs (PSK)
Daniel Tombeil's configs (PSK)
SANS Institute HOWTO (PSK). Detailed, with extensive references.
Short HOWTO (PSK)
French page with configs for Cisco IOS, PIX and VPN 3000 (X.509)
Dave McFerren's sample configs (PSK)
Wolfgang Tremmel's sample configs (PSK road warrior)
Old doc from Pete Davis, with William Watson's updated Tips (PSK)
Some PIX specific information:
Waikato Linux Users' Group HOWTO. Nice detail (PSK)
John Leach's configs (PSK)
Greg Robinson's settings (PSK)
Scott's ipsec.conf for PIX (PSK, FreeS/WAN side only)
Rick Trimble's PIX and FreeS/WAN settings (PSK)
Cisco VPN support page
Cisco IPsec information page
Equinux provides this excellent interop PDF (PSK, RSA, X.509).
pingworks.de's "Connecting F-Secure's VPN+ to Linux FreeS/WAN" (PSK road warrior)
Same thing as PDF
Success report, no detail (PSK)
Success report, no detail (Manual)
Richard Reiner's ipsec.conf (PSK)
Might work without that pesky firewall... (PSK)
In late July, 2003 Alexandar Antik reported success interoperating with Gauntlet 6.0 for Solaris (X.509). Unfortunately the message is not properly archived at this time.
IBM's "Built-In Network Security with AIX" (PSK, X.509)
IBM's tip: importing Linux FreeS/WAN settings into AIX's ikedb (PSK)
Richard Welty's tips and tricks
Snowcrash's configs (PSK)
Old configs from an interop (PSK)
The day Shiva tickled a Pluto bug (PSK)
Follow up: success!
Jakob Curdes successfully created a PSK connection with the LanCom 1612 in August 2003.
Ken Bantoft's instructions (Road Warrior with PSK)
Nate Carlson's caveats
Sample HOWTO through a Linksys Router
Nadeem Hasan's configs
Brock Nanson's tips
Partial success report; see also the next message in thread
French page with configs (X.509)
French page with configs (X.509)
Errol Neal's settings (PSK)
Corey Rogers' configs (PSK, no PFS)
Jordan Share's configs (PSK, 2 subnets, through static NAT)
Set src proxy_id to your protected subnet/mask
French page with ipsec.conf, Netscreen screen shots (X.509, may need to revert to PSK...)
A report of a company using Netscreen with FreeS/WAN on a large scale (FreeS/WAN road warriors?)
JJ Streicher-Bremer's mini HOWTO for old & new software. (PSK with two subnets)
French page with configs (X.509). This succeeds using the above X.509 tip.
Marko Hausalo's configs (PSK). Note: These do create a connection, as you can see by "IPsec SA established".
Claudia Schmeing's comments
Peter Mazinger's settings (PSK)
Peter Gerland's configs (PSK)
Charles Griebel's configs (PSK).
Lumir Srch's tips (PSK)
John Hardy's configs (Manual)
Older Raptors want 3DES keys in 3 parts (Manual).
Different keys for each direction? (Manual)
Paul Wouters' config (PSK)
Dilan Arumainathan's configuration (PSK)
Dariush's setup... only opens one way (PSK)
Andreas Steffen's tips (X.509)
Reports of some successful interops from a fellow @sun.com.
See also these follow up posts.
Aleks Shenkman's configs (Manual in transport mode)
As of release 2.06, FreeS/WAN no longer supports transport mode.
Andreas Steffen's configs for Symantec 200R (PSK)
WatchGuard's HOWTO (PSK)
Ronald C. Riviera's Settings (PSK)
Walter Wickersham's Notes (PSK)
Max Enders' Configs (Manual)
Old known issue with auto keying
Tips on key generation and format (Manual)
Hybrid IPsec/L2TP connection settings (X.509)
Xedia's LAN-LAN links don't use multiple tunnels
That explanation, continued
Zyxel's Zywall to FreeS/WAN instructions (PSK)
Zyxel's Prestige to FreeS/WAN instructions (PSK). Note: not all Prestige versions include VPN software.
Fabrice Cahen's HOWTO (PSK)