diff options
Diffstat (limited to 'doc/interop.html')
| -rw-r--r-- | doc/interop.html | 983 |
1 files changed, 0 insertions, 983 deletions
diff --git a/doc/interop.html b/doc/interop.html deleted file mode 100644 index 1cd7b9e78..000000000 --- a/doc/interop.html +++ /dev/null @@ -1,983 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> -<HTML> -<HEAD> -<TITLE>Introduction to FreeS/WAN</TITLE> -<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1"> -<STYLE TYPE="text/css"><!-- -BODY { font-family: serif } -H1 { font-family: sans-serif } -H2 { font-family: sans-serif } -H3 { font-family: sans-serif } -H4 { font-family: sans-serif } -H5 { font-family: sans-serif } -H6 { font-family: sans-serif } -SUB { font-size: smaller } -SUP { font-size: smaller } -PRE { font-family: monospace } ---></STYLE> -</HEAD> -<BODY> -<A HREF="toc.html">Contents</A> -<A HREF="compat.html">Previous</A> -<A HREF="performance.html">Next</A> -<HR> -<A NAME="interop"></A> -<H1><A NAME="10">Interoperating with FreeS/WAN</A></H1> -<P>The FreeS/WAN project needs you! We rely on the user community to - keep up to date. Mail users@lists.freeswan.org with your interop - success stories.</P> -<P><STRONG>Please note</STRONG>: Most of our interop examples feature - Linux FreeS/WAN 1.x config files. You can convert them to 2.x files - fairly easily with the patch in our<A HREF="upgrading.html#ipsec.conf_v2"> - Upgrading Guide</A>.</P> -<H2><A NAME="10_1">Interop at a Glance</A></H2> -<TABLE BORDER="1"> -<TR><TD> </TD><TD colspan="5">FreeS/WAN VPN</TD><TD>Road Warrior</TD><TD> -OE</TD></TR> -<TR><TD> </TD><TD>PSK</TD><TD>RSA Secret</TD><TD>X.509 -<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD> -NAT-Traversal -<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD> -Manual -<BR>Keying</TD><TD> </TD><TD> </TD></TR> -<TR><TD colspan="8">More Compatible</TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="web.html#freeswan">FreeS/WAN</A><A NAME="freeswan.top"> - </A></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#isakmpd">isakmpd (OpenBSD)</A><A NAME="isakmpd.top"> </A> -</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> -<FONT color="#cc0000">No </FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#kame">Kame (FreeBSD, -<BR> NetBSD, MacOSX) -<BR> <SMALL>aka racoon</SMALL></A><A NAME="kame.top"> </A></TD><TD><FONT -color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> -<FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#mcafee">McAfee VPN -<BR><SMALL>was PGPNet</SMALL></A><A NAME="mcafee.top"> </A></TD><TD><FONT -color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> -<FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#microsoft">Microsoft -<BR> Windows 2000/XP</A><A NAME="microsoft.top"> </A></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> - </TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cc0000"> -No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="glossary.html#ssh">SSH Sentinel</A><A NAME="ssh.top"> </A> -</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD> </TD><TD><FONT -color="#00cc00">Yes</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#safenet">Safenet SoftPK -<BR>/SoftRemote</A><A NAME="safenet.top"> </A></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> - </TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cc0000"> -No</FONT></TD></TR> -<TR><TD colspan="8">Other</TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#6wind">6Wind</A><A NAME="6wind.top"> </A></TD><TD> </TD><TD> - </TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> -<FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#alcatel">Alcatel Timestep</A><A NAME="alcatel.top"> </A> -</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> - </TD><TD> </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#apple">Apple Macintosh -<BR>System 10+</A><A NAME="apple.top"> </A></TD><TD><FONT color="#cccc00"> -Maybe</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cccc00"> -Maybe</FONT></TD><TD> </TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD> - </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#ashleylaurent">AshleyLaurent -<BR> VPCom</A><A NAME="ashleylaurent.top"> </A></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD><FONT -color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#borderware">Borderware</A><A NAME="borderware.top"> </A> -</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> - </TD><TD><FONT color="#cc0000">No</FONT></TD><TD><FONT color="#cc0000"> -No</FONT></TD></TR> - -<!-- -http://www.cequrux.com/vpn-guides.php3 -"coming soon" guide to connect with FreeS/WAN. ---> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#checkpoint">Check Point FW-1/VPN-1</A><A NAME="checkpoint.top"> - </A></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD> </TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> -<FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#cisco">Cisco with 3DES</A><A NAME="cisco.top"> </A></TD><TD> -<FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#cccc00">Maybe</FONT> -</TD><TD> </TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD> </TD><TD> - </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#equinux">Equinux VPN Tracker -<BR> (for Mac OS X)</A><A NAME="equinux.top"> </A></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD> - </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#fsecure">F-Secure</A><A NAME="fsecure.top"> </A></TD><TD> -<FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD><FONT color="#cccc00"> -Maybe</FONT></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#gauntlet">Gauntlet GVPN</A><A NAME="gauntlet.top"> </A> -</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD><FONT color="#cc0000"> -No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#aix">IBM AIX</A><A NAME="aix.top"> </A></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD> - </TD><TD> </TD><TD> </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#as400">IBM AS/400</A><A NAME="as400"> </A></TD><TD><FONT -color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD> - </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#intel">Intel Shiva -<BR>LANRover/Net Structure</A><A NAME="intel.top"> </A></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD><FONT -color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#lancom">LanCom (formerly ELSA)</A><A NAME="lancom.top"> - </A></TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> - </TD><TD> </TD><TD> </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#linksys">Linksys</A><A NAME="linksys.top"> </A></TD><TD> -<FONT color="#cccc00">Maybe</FONT></TD><TD> </TD><TD><FONT color="#cc0000"> -No</FONT></TD><TD> </TD><TD> </TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> -<FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#lucent">Lucent</A><A NAME="lucent.top"> </A></TD><TD><FONT -color="#cccc00">Partial</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD> - </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#netasq">Netasq</A><A NAME="netasq.top"> </A></TD><TD> - </TD><TD> </TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> - </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#netcelo">netcelo</A><A NAME="netcelo.top"> </A></TD><TD> - </TD><TD> </TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> - </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#netgear">Netgear fvs318</A><A NAME="netgear.top"> </A> -</TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> - </TD><TD> </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#netscreen">Netscreen 100 -<BR>or 5xp</A><A NAME="netscreen.top"> </A></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD><FONT color="#cccc00"> -Maybe</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#nortel">Nortel Contivity</A><A NAME="nortel.top"> </A> -</TD><TD><FONT color="#cccc00">Partial</FONT></TD><TD> </TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD><FONT color="#cccc00">Maybe</FONT></TD><TD> </TD><TD> - </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#radguard">RadGuard</A><A NAME="radguard.top"> </A></TD><TD> -<FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD> - </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#raptor">Raptor</A><A NAME="raptor"> </A></TD><TD><FONT -color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#redcreek">Redcreek Ravlin</A><A NAME="redcreek.top"> </A> -</TD><TD><FONT color="#00cc00">Yes</FONT><FONT color="#cccc00">/Partial</FONT> -</TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD><FONT color="#cc0000"> -No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#sonicwall">SonicWall</A><A NAME="sonicwall.top"> </A></TD><TD> -<FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD><FONT -color="#cccc00">Maybe</FONT></TD><TD><FONT color="#cc0000">No</FONT></TD><TD> -<FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#sun">Sun Solaris</A><A NAME="sun.top"> </A></TD><TD><FONT -color="#00cc00">Yes</FONT></TD><TD> </TD><TD><FONT color="#00cc00">Yes</FONT> -</TD><TD> </TD><TD><FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD><FONT -color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#symantec">Symantec</A><A NAME="symantec.top"> </A></TD><TD> -<FONT color="#00cc00">Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD> - </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#watchguard">Watchguard -<BR> Firebox</A><A NAME="watchguard.top"> </A></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD><FONT color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#xedia">Xedia Access Point -<BR>/QVPN</A><A NAME="xedia.top"> </A></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD><FONT -color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -<TR><TD><A HREF="#zyxel">Zyxel Zywall -<BR>/Prestige</A><A NAME="zyxel.top"> </A></TD><TD><FONT color="#00cc00"> -Yes</FONT></TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD> </TD><TD><FONT -color="#cc0000">No</FONT></TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE - - -<TR> -<TD><A HREF="#sample">sample</A></TD> -<TD> </TD> -<TD> </TD> -<TD> </TD> -<TD> </TD> -<TD> </TD> -<TD> </TD> -<TD><FONT color="#cc0000">No</FONT></TD> -</TR> - ---> -<TR><TD> </TD><TD>PSK</TD><TD>RSA Secret</TD><TD>X.509 -<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD> -NAT-Traversal -<BR><SMALL><A HREF="#interoprules">(requires patch)</A></SMALL></TD><TD> -Manual -<BR>Keying</TD><TD> </TD><TD> </TD></TR> -<TR><TD> </TD><TD colspan="5">FreeS/WAN VPN</TD><TD>Road Warrior</TD><TD> -OE</TD></TR> - -<!-- PSK RSA X.509 NAT-T Manual RW OE --> -</TABLE> -<H3><A NAME="10_1_1">Key</A></H3> -<TABLE BORDER="1"> -<TR><TD><FONT color="#00cc00">Yes</FONT></TD><TD>People report that this - works for them.</TD></TR> -<TR><TD>[Blank]</TD><TD>We don't know.</TD></TR> -<TR><TD><FONT color="#cc0000">No</FONT></TD><TD>We have reason to - believe it was, at some point, not possible to get this to work.</TD></TR> -<TR><TD><FONT color="#cccc00">Partial</FONT></TD><TD>Partial success. - For example, a connection can be created from one end only.</TD></TR> -<TR><TD><FONT color="#00cc00">Yes</FONT><FONT color="#cccc00">/Partial</FONT> -</TD><TD>Mixed reports.</TD></TR> -<TR><TD><FONT color="#cccc00">Maybe</FONT></TD><TD>We think the answer - is "yes", but need confirmation.</TD></TR> -</TABLE> -<A NAME="interoprules"></A> -<H2><A NAME="10_2">Basic Interop Rules</A></H2> -<P>Vanilla FreeS/WAN implements<A HREF="compat.html#compat"> these parts</A> - of the IPSec specifications. You can add more with<A HREF="http://www.freeswan.ca"> - Super FreeS/WAN</A>, but what we offer may be enough for many users.</P> -<UL> -<LI> To use X.509 certificates with FreeS/WAN, you will need the<A HREF="http://www.strongsec.org/freeswan"> - X.509 patch</A> or<A HREF="http://www.freeswan.ca"> Super FreeS/WAN</A> -, which includes that patch.</LI> -<LI> To use<A HREF="glossary.html#NAT.gloss"> Network Address - Translation</A> (NAT) traversal with FreeS/WAN, you will need Arkoon - Network Security's<A HREF="http://open-source.arkoon.net"> NAT - traversal patch</A> or<A HREF="http://www.freeswan.ca"> Super FreeS/WAN</A> -, which includes it.</LI> -</UL> -<P>We offer a set of proposals which is not user-adjustable, but covers - all combinations that we can offer. FreeS/WAN always proposes triple - DES encryption and Perfect Forward Secrecy (PFS). In addition, we - propose Diffie Hellman groups 5 and 2 (in that order), and MD5 and - SHA-1 hashes. We accept the same proposals, in the same order of - preference.</P> -<P>Other interop notes:</P> -<UL> -<LI> A<A HREF="http://lists.freeswan.org/archives/users/2003-September/msg00462.html"> - SHA-1 bug in FreeS/WAN 2.00, 2.01 and 2.02</A> may affect some interop - scenarios. It does not affect 1.x versions, and is fixed in 2.03 and - later.</LI> -<LI> Some other implementations will close a connection with FreeS/WAN - after some time. This may be a problem with rekey lifetimes. Please see<A -HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html"> - this tip</A> and<A HREF="http://lists.freeswan.org/pipermail/users/2001-December/005758.html"> - this workaround</A>.</LI> -</UL> -<H2><A NAME="10_3">Longer Stories</A></H2> -<H3><A NAME="10_3_1">For<EM> More Compatible</EM> Implementations</A></H3> -<H4><A NAME="freeswan">FreeS/WAN</A></H4> -<P> See our documentation at<A HREF="http://www.freeswan.org"> - freeswan.org</A> and the Super FreeS/WAN docs at<A HREF="http://www.freeswan.ca"> - freeswan.ca</A>. Some user-written HOWTOs for FreeS/WAN-FreeS/WAN - connections are listed in<A HREF="intro.html#howto"> our Introduction</A> -.</P> -<P>See also:</P> -<UL> -<LI><A HREF="http://lugbe.ch/action/reports/ipsec_htbe.phtml"> A German - FreeS/WAN-FreeS/WAN page by Markus Wernig (X.509)</A></LI> -</UL> -<P><A HREF="#freeswan.top">Back to chart</A></P> -<H4><A NAME="isakmpd">isakmpd (OpenBSD)</A></H4> -<P><A HREF="http://www.openbsd.org/faq/faq13.html">OpenBSD FAQ: Using - IPsec</A> -<BR><A HREF="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html"> - Hans-Joerg Hoexer's interop Linux-OpenBSD (PSK)</A> -<BR><A HREF="http://www.segfault.net/ipsec/"> Skyper's configuration - (PSK)</A> -<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config"> - French page with configs (X.509)</A></P> -<P><A HREF="#isakmpd.top">Back to chart</A></P> -<H4><A NAME="kame">Kame</A></H4> -<UL> -<LI>For FreeBSD and NetBSD. Ships with Mac OS X; see also our<A HREF="#apple"> - Mac</A> section.</LI> -<LI>Also known as<EM> racoon</EM>, its keying daemon.</LI> -</UL> -<P><A HREF="http://www.kame.net">Kame homepage, with FAQ</A> -<BR><A HREF="http://www.netbsd.org/Documentation/network/ipsec"> - NetBSD's IPSec FAQ</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00560.html"> - Ghislaine's post explaining some interop peculiarities</A></P> -<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/09/msg00511.html"> - Itojun's Kame-FreeS/WAN interop tips (PSK)</A> -<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2000"> Ghislaine - Labouret's French page with links to matching FreeS/WAN and Kame - configs (RSA)</A> -<BR><A HREF="http://lugbe.ch/lostfound/contrib/freebsd_router/"> Markus - Wernig's HOWTO (X.509, BSD gateway)</A> -<BR><A HREF="http://web.morgul.net/~frodo/docs/kame+freeswan_interop.html"> - Frodo's Kame-FreeS/WAN interop (X.509)</A> -<BR><A HREF="http://www.wavesec.org/kame.phtml"> Kame as a WAVEsec - client.</A></P> -<P><A HREF="#kame.top">Back to chart</A></P> -<H4><A NAME="mcafee">PGPNet/McAfee</A></H4> -<P></P> -<UL> -<LI>Now called McAfee VPN Client.</LI> -<LI>PGPNet also came in a freeware version which did not support subnets</LI> -<LI>To support dhcp-over-ipsec, you need the X.509 patch, which is - included in<A HREF="http://www.freeswan.ca"> Super FreeS/WAN</A>.</LI> -</UL> -<P><A HREF="http://www.freeswan.ca/docs/WindowsInterop"> Tim Carr's - Windows Interop Guide (X.509)</A> -<BR><A HREF="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html#Interop2"> - Hans-Joerg Hoexer's Guide for Linux-PGPNet (PSK)</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/04/msg00339.html"> - Kai Martius' instructions using RSA Key-Extractor Tool (RSA)</A> -<BR> <A HREF="http://www.zengl.net/freeswan/english.html">Christian - Zeng's page (RSA)</A> based on Kai's work. English or German. -<BR><A HREF="http://tirnanog.ls.fi.upm.es/CriptoLab/Biblioteca/InfTech/InfTech_CriptoLab.htm"> - Oscar Delgado's PDF (X.509, no configs)</A> -<BR><A HREF="http://www-ec.njit.edu/~rxt1077/Howto.txt"> Ryan's HOWTO - for FreeS/WAN-PGPNet (X.509)</A>. Through a Linksys Router with IPsec - Passthru enabled. -<BR><A HREF="http://jixen.tripod.com/#RW-PGP-to-Fwan"> Jean-Francois - Nadeau's Practical Configuration (Road Warrior with PSK)</A> -<BR><A HREF="http://www.evolvedatacom.nl/freeswan.html#toc"> Wouter - Prins' HOWTO (Road Warrior with X.509)</A> -<BR></P> -<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/01/msg00271.html"> - Rekeying problem with FreeS/WAN and older PGPNets</A> -<BR></P> -<P><A HREF="http://www.strongsec.com/freeswan/dhcprelay/index.htm"> DHCP - over IPSEC HOWTO for FreeS/WAN (requires X.509 and dhcprelay patches)</A> -</P> -<P><A HREF="#mcafee.top">Back to chart</A></P> -<H4><A NAME="microsoft">Microsoft Windows 2000/XP</A></H4> -<UL> -<LI>IPsec comes with Win2k, and with XP Support Tools. May require<A HREF="http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp"> - High Encryption Pack</A>. WinXP users have also reported better results - with Service Pack 1.</LI> -<LI>The Road Warrior setup works either way round. Windows (XP or 2K) - IPsec can connect as a Road Warrior to FreeS/WAN. However, FreeS/WAN - can also successfully connect as a Road Warrior to Windows IPsec (see - Nate Carlson's configs below).</LI> -<LI>FreeS/WAN version 1.92 or later is required to avoid an - interoperation problem with Windows native IPsec. Earlier FreeS/WAN - versions did not process the Commit Bit as Windows native IPsec - expected.</LI> -</UL> -<P><A HREF="http://www.freeswan.ca/docs/WindowsInterop"> Tim Carr's - Windows Interop Guide (X.509)</A> -<BR><A HREF="http://ipsec.math.ucla.edu/services/ipsec.html"> James - Carter's instructions (X.509, NAT-T)</A> -<BR><A HREF="http://jixen.tripod.com/#Win2000-Fwan"> Jean-Francois - Nadeau's Net-net Configuration (PSK)</A> -<BR><A HREF="http://security.nta.no/freeswan-w2k.html"> Telenor's - Node-node Config (Transport-mode PSK)</A> -<BR><A HREF="http://vpn.ebootis.de"> Marcus Mueller's HOWTO using his - VPN config tool (X.509).</A> Tool also works with PSK. -<BR><A HREF="http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509"> - Nate Carlson's HOWTO using same tool (Road Warrior with X.509)</A>. - Unusually, FreeS/WAN is the Road Warrior here. -<BR><A HREF="http://tirnanog.ls.fi.upm.es/CriptoLab/Biblioteca/InfTech/InfTech_CriptoLab.htm"> - Oscar Delgado's PDF (X.509, no configs)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022425.html"> - Tim Scannell's Windows XP Additional Checklist (X.509)</A> -<BR></P> - -<!-- Note to self: Include L2TP references? --> -<P><A HREF="http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_TCPIP_ovr_secfeatures.htm"> - Microsoft's page on Win2k TCP/IP security features</A> -<BR><A HREF="http://support.microsoft.com/support/kb/articles/Q257/2/25.ASP"> - Microsoft's Win2k IPsec debugging tips</A> -<BR> -<!-- Alt-URL http://support.microsoft.com/default.aspx?scid=kb;EN-US;q257225 -Perhaps newer? --> -<A HREF="http://www.wired.com/news/technology/0,1282,36336,00.html"> - MS VPN may fall back to 1DES</A></P> -<P><A HREF="#microsoft.top">Back to chart</A></P> -<H4><A NAME="ssh">SSH Sentinel</A></H4> -<UL> -<LI>Popular and well tested.</LI> -<LI>Also rebranded in<A HREF="http://www.zyxel.com"> Zyxel Zywall</A>. - Our Zyxel interop notes are<A HREF="#zyxel"> here</A>.</LI> -<LI> SSH supports IPsec-over-UDP NAT traversal.</LI> -<LI>There is this<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/12/msg00370.html"> - potential problem</A> if you're not using the Legacy Proposal option.</LI> -</UL> -<P><A HREF="http://www.ssh.com/support/sentinel/documents.cfm"> SSH's - Sentinel-FreeSWAN interop PDF (X.509)</A> -<BR><A HREF="http://www.nadmm.com/show.php?story=articles/vpn.inc"> - Nadeem Hassan's SUSE-to-Sentinel article (Road warrior with X.509)</A> -<BR><A HREF="http://www.zerozone.it/documents/Linux/HowTo/VPN-IPsec-Freeswan-HOWTO.html"> - O-Zone's Italian HOWTO (Road Warrior, X.509, DHCP)</A> -<BR></P> -<P><A HREF="#ssh.top">Back to chart</A></P> -<H4><A NAME="safenet">Safenet SoftPK/SoftRemote</A></H4> -<UL> -<LI>People recommend SafeNet as a low cost Windows client.</LI> -<LI>SoftRemote seems to be the newer name for SoftPK.</LI> -</UL> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005061.html"> - Whit Blauvelt's SoftRemote tips</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015591.html"> - Tim Wilson's tips (X.509)</A><A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00607.html"> - Workaround for a "gotcha"</A></P> -<P><A HREF="http://jixen.tripod.com/#Rw-IRE-to-Fwan"> Jean-Francois - Nadeau's Practical Configuration (Road Warrior with PSK)</A> -<BR><A HREF="http://www.terradoncommunications.com/security/whitepapers/safe_net-to-free_swan.pdf"> - Terradon Communications' PDF (Road Warrior with PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/?????.html"> - Seaan.net's PDF (Road Warrior to Subnet, with PSK)</A> -<BR><A HREF="http://www.redbaronconsulting.com/freeswan/fswansafenet.pdf"> - Red Baron Consulting's PDF (Road Warrior with X.509)</A></P> -<P><A HREF="#safenet.top">Back to chart</A></P> -<H3><A NAME="10_3_2">For<EM> Other Implementations</EM></A></H3> -<H4><A NAME="6wind">6Wind</A></H4> -<P><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config"> - French page with configs (X.509)</A></P> -<P><A HREF="#6wind.top">Back to chart</A></P> -<H4><A NAME="alcatel">Alcatel Timestep</A></H4> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011878.html"> - Alain Sabban's settings (PSK or PSK road warrior; through static NAT)</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00100.html"> - Derick Cassidy's configs (PSK)</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/08/msg00194.html"> - David Kerry's Timestep settings (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013711.html"> - Kevin Gerbracht's ipsec.conf (X.509)</A></P> -<P><A HREF="#alcatel.top">Back to chart</A></P> -<H4><A NAME="apple">Apple Macintosh System 10+</A></H4> -<UL> -<LI>Since the system is based on FreeBSD, this should interoperate<A HREF="#kame"> - just like FreeBSD</A>.</LI> -<LI> To use Appletalk over IPsec tunnels,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005116.html"> - run it over TCP/IP</A>, or use Open Door Networks' Shareway IP tool,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005426.html"> - described here.</A></LI> -<LI>See also the<A HREF="#equinux"> Equinux VPN Tracker</A> for Mac OS - X.</LI> -</UL> -<P><A HREF="http://ipsec.math.ucla.edu/services/ipsec.html"> James - Carter's instructions (X.509, NAT-T)</A></P> -<P><A HREF="#apple.top">Back to chart</A></P> -<H4><A NAME="ashleylaurent">AshleyLaurent VPCom</A></H4> -<P><A HREF="http://www.ashleylaurent.com/newsletter/01-28-00.htm"> - Successful interop report, no details</A></P> -<P><A HREF="#ashleylaurent.top">Back to chart</A></P> -<H4><A NAME="borderware">Borderware</A></H4> -<UL> -<LI>I suspect the Borderware client is a rebranded Safenet. If that's - true, our<A HREF="#safenet"> Safenet section</A> will help.</LI> -</UL> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-March/008288.html"> - Philip Reetz' configs (PSK)</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/09/msg00217.html"> - Borderware server does not support FreeS/WAN road warriors</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007733.html"> - Older Borderware may not support Diffie Hellman groups 2, 5</A> -<BR></P> -<P><A HREF="#borderware.top">Back to chart</A></P> -<H4><A NAME="checkpoint">Check Point VPN-1 or FW-1</A></H4> -<UL> -<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00099.html"> - Caveat about IP-range inclusion on Check Point.</A></LI> -<LI> Some versions of Check Point may require an aggressive mode patch - to interoperate with FreeS/WAN. -<BR><A HREF="http://www.freeswan.ca/code/super-freeswan"> Super - FreeS/WAN</A> now features this patch. -<!-- -<A HREF="http://www.freeswan.ca/patches/aggressivemode">Steve Harvey's -aggressive mode patch for FreeS/WAN 1.5</A> ---> -</LI> -<LI></LI> -<LI>A Linux FreeS/WAN-Checkpoint connection may close after some time. - Try<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html"> - this tip</A> toward a workaround.</LI> -</UL> -<P><A HREF="http://www.fw-1.de/aerasec/ng/vpn-freeswan/CPNG+Linux-FreeSWAN.html"> - AERAsec's Firewall-1 NG site (PSK, X.509, Road Warrior with X.509, - other algorithms)</A> -<BR> <A HREF="http://www.fw-1.de/aerasec/ng/vpn-freeswan/CPNG+Linux-FreeSWAN.html#support-matrix"> - AERAsec's detailed Check Point-FreeS/WAN support matrix</A> -<BR><A HREF="http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/fw-linuxvpn.pdf"> - Checkpoint.com PDF: Linux as a VPN Client to FW-1 (PSK)</A> -<BR><A HREF="http://www.phoneboy.com"> PhoneBoy's Check Point FAQ (on - Check Point only, not FreeS/WAN)</A> -<BR></P> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2001-August/002351.html"> - Chris Harwell's tips FreeS/WAN configs (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009362.html"> - Daniel Tombeil's configs (PSK)</A></P> -<P><A HREF="#checkpoint.top">Back to chart</A></P> -<H4><A NAME="cisco">Cisco</A></H4> -<UL> -<LI> Cisco supports IPsec-over-UDP NAT traversal.</LI> -<LI>Cisco VPN Client appears to use nonstandard IPsec and does not work - with FreeS/WAN.<A HREF="https://mj2.freeswan.org/archives/2003-August/maillist.html"> - This message</A> concerns Cisco VPN Client 4.01. -<!-- fix link --> -</LI> -<LI>A Linux FreeS/WAN-Cisco connection may close after some time.<A HREF="http://lists.freeswan.org/pipermail/users/2001-December/005758.html"> - Here</A> is a workaround, and<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00293.html"> - here</A> is another comment on the same subject.</LI> -<LI><A HREF="http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t2/3desips.htm"> -Older Ciscos</A> purchased outside the United States may not have 3DES, - which FreeS/WAN requires.</LI> -<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-June/000406.html"> -RSA keying may not be possible between Cisco and FreeS/WAN.</A></LI> -<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-October/004357.html"> -In ipsec.conf, VPN3000 DN (distinguished name) must be in binary (X.509 - only)</A></LI> -</UL> -<P><A HREF="http://rr.sans.org/encryption/cisco_router.php"> SANS - Institute HOWTO (PSK).</A> Detailed, with extensive references. -<BR><A HREF="http://www.worldbank.ro/IPSEC/cisco-linux.txt"> Short HOWTO - (PSK)</A> -<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config"> - French page with configs for Cisco IOS, PIX and VPN 3000 (X.509)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-August/002966.html"> - Dave McFerren's sample configs (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-September/003422.html"> - Wolfgang Tremmel's sample configs (PSK road warrior)</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00578.html"> - Old doc from Pete Davis, with William Watson's updated Tips (PSK)</A> -<BR></P> -<P><STRONG>Some PIX specific information:</STRONG> -<BR><A HREF="http://www.wlug.org.nz/FreeSwanToCiscoPix"> Waikato Linux - Users' Group HOWTO. Nice detail (PSK)</A> -<BR><A HREF="http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html"> - John Leach's configs (PSK)</A> -<BR><A HREF="http://www.diverdown.cc/vpn/freeswanpix.html"> Greg - Robinson's settings (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007901.html"> - Scott's ipsec.conf for PIX (PSK, FreeS/WAN side only)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-October/003949.html"> - Rick Trimble's PIX and FreeS/WAN settings (PSK)</A> -<BR></P> -<P><A href="http://www.cisco.com/public/support/tac"> Cisco VPN support - page</A> -<BR><A href="http://www.ieng.com/warp/public/707/index.shtml#ipsec"> - Cisco IPsec information page</A></P> -<P><A HREF="#cisco.top">Back to chart</A></P> -<H4><A NAME="equinux">Equinux VPN tracker (for Mac OS X)</A></H4> -<UL> -<LI>Graphical configurator for Mac OS X IPsec. May be an interface to - the<A HREF="#apple"> native Mac OS X IPsec</A>, which is essentially<A HREF="#kame"> - KAME</A>.</LI> -<LI>To use Appletalk over IPsec tunnels,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005116.html"> - run it over TCP/IP</A>, or use Open Door Networks' Shareway IP tool,<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005426.html"> - described here.</A></LI> -</UL> -<P> Equinux provides<A HREF="http://www.equinux.com/download/HowTo_FreeSWAN.pdf"> - this excellent interop PDF</A> (PSK, RSA, X.509).</P> -<P><A HREF="#equinux.top">Back to chart</A></P> -<H4><A NAME="fsecure">F-Secure</A></H4> -<UL> -<LI> -<!-- <A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007596.html"> --> - F-Secure supports IPsec-over-UDP NAT traversal.</LI> -</UL> -<P><A HREF="http://www.pingworks.de/tech/vpn/vpn.txt">pingworks.de's - "Connecting F-Secure's VPN+ to Linux FreeS/WAN" (PSK road warrior)</A> -<BR> <A HREF="http://www.pingworks.de/tech/vpn/vpn.pdf">Same thing - as PDF</A> -<BR><A HREF="http://www.exim.org/pipermail/linux-ipsec/Week-of-Mon-20010122/000061.html"> - Success report, no detail (PSK)</A> -<BR><A HREF="http://www.exim.org/pipermail/linux-ipsec/Week-of-Mon-20010122/000041.html"> - Success report, no detail (Manual)</A></P> - -<!-- Other NAT traversers: -http://lists.freeswan.org/pipermail/users/2002-April/009136.html -and ssh sentinel: -http://lists.freeswan.org/pipermail/users/2001-September/003108.html ---> -<P><A HREF="#fsecure.top">Back to chart</A></P> -<H4><A NAME="gauntlet">Gauntlet GVPN</A></H4> -<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00535.html"> - Richard Reiner's ipsec.conf (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011434.html"> - Might work without that pesky firewall... (PSK)</A> -<BR> -<!-- insert archive link --> - In late July, 2003 Alexandar Antik reported success interoperating - with Gauntlet 6.0 for Solaris (X.509). Unfortunately the message is not - properly archived at this time.</P> -<P><A HREF="#gauntlet.top">Back to chart</A></P> -<H4><A NAME="aix">IBM AIX</A></H4> -<P><A HREF="http://www-1.ibm.com/servers/esdd/articles/security.html"> - IBM's "Built-In Network Security with AIX" (PSK, X.509)</A> -<BR><A HREF="http://www-1.ibm.com/servers/aix/products/ibmsw/security/vpn/faqandtips/#ques20"> - IBM's tip: importing Linux FreeS/WAN settings into AIX's<VAR> ikedb</VAR> - (PSK)</A></P> -<P><A HREF="#aix.top">Back to chart</A></P> -<H4><A NAME="as400">IBM AS/400</A></H4> -<UL> -<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009106.html"> - Road Warriors may act flaky</A>.</LI> -</UL> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-September/014264.html"> - Richard Welty's tips and tricks</A> -<BR></P> -<P><A HREF="#as400.top">Back to chart</A></P> -<H4><A NAME="intel">Intel Shiva LANRover / Net Structure</A></H4> -<UL> -<LI>Intel Shiva LANRover is now known as Intel Net Structure.</LI> -<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/01/msg00298.html"> - Shiva seems to have two modes: IPsec or the proprietary "Shiva Tunnel".</A> - Of course, FreeS/WAN will only create IPsec tunnels.</LI> -<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00293.html"> - AH may not work for Shiva-FreeS/WAN.</A> That's OK, since FreeS/WAN has - phased out the use of AH.</LI> -</UL> -<P><A HREF="http://snowcrash.tdyc.com/freeswan/"> Snowcrash's configs - (PSK)</A> -<BR><A HREF="http://www.opus1.com/vpn/index.html"> Old configs from an - interop (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-October/003831.html"> - The day Shiva tickled a Pluto bug (PSK)</A> -<BR> <A HREF="http://lists.freeswan.org/pipermail/users/2001-October/004270.html"> - Follow up: success!</A></P> -<P><A HREF="#intel.top">Back to chart</A></P> -<H4><A NAME="lancom">LanCom (formerly ELSA)</A></H4> -<UL> -<LI>This router is popular in Germany.</LI> -</UL> -<P> Jakob Curdes successfully created a PSK connection with the LanCom - 1612 in August 2003. -<!-- add ML link when it appears --> -</P> -<P><A HREF="#lancom.top">Back to chart</A></P> -<H4><A NAME="linksys">Linksys</A></H4> -<UL> -<LI>Linksys may be used as an IPsec tunnel endpoint,<STRONG> OR</STRONG> - as a router in "IPsec passthrough" mode, so that the IPsec tunnel - passes through the Linksys.</LI> -</UL> -<H5>As tunnel endpoint</H5> -<P><A HREF="http://www.freeswan.ca/docs/BEFVP41/"> Ken Bantoft's - instructions (Road Warrior with PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-February/007814.html"> - Nate Carlson's caveats</A></P> -<H5>In IPsec passthrough mode</H5> -<P><A HREF="http://www-ec.njit.edu/~rxt1077/Howto.txt"> Sample HOWTO - through a Linksys Router</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2002/02/msg00114.html"> - Nadeem Hasan's configs</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2002/02/msg00180.html"> - Brock Nanson's tips</A> -<BR></P> -<P><A HREF="#linksys.top">Back to chart</A></P> -<H4><A NAME="lucent">Lucent</A></H4> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010976.html"> - Partial success report; see also the next message in thread</A></P> - -<!-- section done --> -<P><A HREF="#lucent.top">Back to chart</A></P> -<H4><A NAME="netasq">Netasq</A></H4> -<P><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config"> - French page with configs (X.509)</A></P> - -<!-- section done --> -<P><A HREF="#netasq.top">Back to chart</A></P> -<H4><A NAME="netcelo">Netcelo</A></H4> -<P><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config"> - French page with configs (X.509)</A> -<!-- section done --> -</P> -<P><A HREF="#netcelo.top">Back to chart</A></P> -<H4><A NAME="netgear">Netgear fvs318</A></H4> -<UL> -<LI>With a recent Linux FreeS/WAN, you will require the latest (12/2002) - Netgear firmware, which supports Diffie-Hellman (DH) group 2. For - security reasons, we phased out DH 1 after Linux FreeS/WAN 1.5.</LI> -<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-June/011833.html"> - This message</A> reports the incompatibility between Linux FreeS/WAN - 1.6+ and Netgear fvs318 without the firmware upgrade.</LI> -<LI>We believe Linux FreeS/WAN 1.5 and earlier will interoperate with - any NetGear firmware.</LI> -</UL> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2003-February/017891.html"> - John Morris' setup (PSK)</A></P> -<P><A HREF="#netgear.top">Back to chart</A></P> -<H4><A NAME="netscreen">Netscreen 100 or 5xp</A></H4> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013409.html"> - Errol Neal's settings (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015265.html"> - Corey Rogers' configs (PSK, no PFS)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013051.html"> - Jordan Share's configs (PSK, 2 subnets, through static NAT)</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/08/msg00404.html"> - Set src proxy_id to your protected subnet/mask</A> -<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config"> - French page with ipsec.conf, Netscreen screen shots (X.509, may need to - revert to PSK...)</A></P> -<P><A HREF="http://archives.neohapsis.com/archives/sf/linux/2001-q2/0123.html"> - A report of a company using Netscreen with FreeS/WAN on a large scale - (FreeS/WAN road warriors?)</A></P> -<P><A HREF="#netscreen.top">Back to chart</A></P> -<H4><A NAME="nortel">Nortel Contivity</A></H4> -<UL> -<LI> Nortel supports IPsec-over-UDP NAT traversal.</LI> -<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00417.html"> - Some older versions of Contivity and FreeS/WAN will not communicate.</A> -</LI> -<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010924.html"> - FreeS/WAN cannot be used as a "client" to a Nortel Contivity server, - but can be used as a branch-office tunnel.</A></LI> - -<!-- Probably obsoleted by Ken's post -<LI> -(Matthias siebler from old interop) -At one point you could not configure Nortel-FreeS/WAN tunnels as -"Client Tunnels" since FreeS/WAN does not support Aggressive Mode. -Current status of this problem: unknown. -<LI> -<A HREF="http://lists.freeswan.org/pipermail/users/2001-November/004612.html"> -How do we map group and user passwords onto the data that FreeS/WAN wants? -</A> -</LI> ---> -<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015455.html"> - Contivity does not send Distinguished Names in the order FS wants them - (X.509).</A></LI> -<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00137.html"> - Connections may time out after 30-40 minutes idle.</A></LI> -</UL> -<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00137.html"> - JJ Streicher-Bremer's mini HOWTO for old new software. (PSK with two - subnets)</A> -<BR><A HREF="http://www.hsc.fr/ressources/ipsec/ipsec2001/#config"> - French page with configs (X.509)</A>. This succeeds using the above - X.509 tip.</P> - -<!-- I could do more searching but this is a solid start. --> -<P><A HREF="#nortel.top">Back to chart</A></P> -<H4><A NAME="radguard">Radguard</A></H4> -<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00009.html"> - Marko Hausalo's configs (PSK).</A> Note: These do create a connection, - as you can see by "IPsec SA established". -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/???.html"> - Claudia Schmeing's comments</A></P> -<P><A HREF="#radguard.top">Back to chart</A></P> -<H4><A NAME="raptor">Raptor (NT or Solaris)</A></H4> -<P></P> -<UL> -<LI>Now known as Symantec Enterprise Firewall.</LI> -<LI>The Raptor does not normally come with X.509, but this may be - available as an add-on.</LI> -<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010256.html"> - Raptor requires alphanumberic PSK values, whereas FreeS/WAN uses hex.</A> -</LI> -<LI>Raptor's tunnel endpoint may be a host, subnet or group of subnets - (see<A HREF="http://lists.freeswan.org/pipermail/design/2001-November/001295.html"> - this message</A> ). FreeS/WAN cannot handle the group of subnets; you - must create separate connections for each in order to interoperate.</LI> -<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010113.html"> - Some versions of Raptor accept only single DES.</A> According to this - German message,<A HREF="http://radawana.cg.tuwien.ac.at/mail-archives/lll/200012/msg00065.html"> - the Raptor Mobile Client demo offers single DES only.</A></LI> -</UL> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-January/006935.html"> - Peter Mazinger's settings (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2001-November/005522.html"> - Peter Gerland's configs (PSK)</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00597.html"> - Charles Griebel's configs (PSK).</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-July/012275.html"> - Lumir Srch's tips (PSK)</A></P> -<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00214.html"> - John Hardy's configs (Manual)</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/01/msg00236.html"> - Older Raptors want 3DES keys in 3 parts (Manual).</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/06/msg00480.html"> - Different keys for each direction? (Manual)</A> -<BR></P> -<P><A HREF="#raptor.top">Back to chart</A></P> -<H4><A NAME="redcreek">Redcreek Ravlin</A></H4> -<UL> -<LI>Known issue #1: The Ravlin expects a quick mode renegotiation right - after every Main Mode negotiation.</LI> -<LI> Known issue #2: The Ravlin tries to negotiate a zero connection - lifetime, which it takes to mean "infinite".<A HREF="http://www.bear-cave.org.uk/linux/ravlin/"> - Jim Hague's patch</A> addresses both issues.</LI> -<LI><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/03/msg00191.html"> - Interop works with Ravlin Firmware > 3.33. Includes tips (PSK).</A></LI> -</UL> -<P><A HREF="#redcreek.top">Back to chart</A></P> -<H4><A NAME="sonicwall">SonicWall</A></H4> -<UL> -<LI><A HREF="http://lists.freeswan.org/pipermail/users/2001-June/000998.html"> - Sonicwall cannot be used for Road Warrior setups</A></LI> -<LI> At one point,<A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/05/msg00217.html"> - only Sonicwall PRO supported triple DES</A>.</LI> -<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-March/008600.html"> - Older Sonicwalls (before Nov 2001) feature Diffie Hellman group 1 only</A> -.</LI> -</UL> -<P><A HREF="http://www.xinit.cx/docs/freeswan.html"> Paul Wouters' - config (PSK)</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00073.html"> - Dilan Arumainathan's configuration (PSK)</A> -<BR><A HREF="http://www.gravitas.co.uk/vpndebug"> Dariush's setup... - only opens one way (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022302.html"> - Andreas Steffen's tips (X.509)</A> -<BR></P> -<P><A HREF="#sonicwall.top">Back to chart</A></P> -<H4><A NAME="sun">Sun Solaris</A></H4> -<UL> -<LI> Solaris 8+ has a native (in kernel) IPsec implementation.</LI> -<LI><A HREF="http://lists.freeswan.org/pipermail/users/2002-May/010503.html"> - Solaris does not seem to support tunnel mode, but you can make IP-in-IP - tunnels instead, like this.</A></LI> -</UL> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2003-June/022216.html"> - Reports of some successful interops</A> from a fellow @sun.com. See - also<A HREF="http://lists.freeswan.org/pipermail/users/2003-July/022247.html"> - these follow up posts</A>. -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/03/msg00332.html"> - Aleks Shenkman's configs (Manual in transport mode)</A> -<BR> -<!--sparc 64 stuff goes where?--> -</P> -<P><A HREF="#solaris.top">Back to chart</A></P> -<H4><A NAME="symantec">Symantec</A></H4> -<UL> -<LI>The Raptor, covered<A HREF="#raptor"> above</A>, is now known as - Symantec Enterprise Firewall.</LI> -<LI>Symantec's "distinguished name" is a KEY_ID. See Andreas Steffen's - post, below.</LI> -</UL> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009037.html"> - Andreas Steffen's configs for Symantec 200R (PSK)</A></P> -<P><A HREF="#symantec.top">Back to chart</A></P> -<H4><A NAME="watchguard">Watchguard Firebox</A></H4> -<UL> -<LI>Automatic keying works with WatchGuard 5.0+ only.</LI> -<LI>Seen to interoperate with WatchGuard 1000, II, III; firmware v. 5, - 6..</LI> -<LI>For manual keying, Watchguard's Policy Manager expects SPI numbers - and encryption and authentication keys in decimal (not hex).</LI> -</UL> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-July/012595.html"> - WatchGuard's HOWTO (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-August/013342.html"> - Ronald C. Riviera's Settings (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00179.html"> - Walter Wickersham's Notes (PSK)</A> -<BR><A HREF="http://lists.freeswan.org/pipermail/users/2002-October/015587.html"> - Max Enders' Configs (Manual)</A></P> -<P><A HREF="http://lists.freeswan.org/pipermail/users/2002-April/009404.html"> - Old known issue with auto keying</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00124.html"> - Tips on key generation and format (Manual)</A> -<BR></P> -<P><A HREF="#watchguard.top">Back to chart</A></P> -<H4><A NAME="xedia">Xedia Access Point/QVPN</A></H4> -<P><A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/12/msg00520.html"> - Hybrid IPsec/L2TP connection settings (X.509)</A> -<BR><A HREF="http://www.sandelman.ottawa.on.ca/ipsec/1999/08/msg00140.html"> - Xedia's LAN-LAN links don't use multiple tunnels</A> -<BR> <A HREF="http://www.sandelman.ottawa.on.ca/ipsec/1999/08/msg00140.html"> - That explanation, continued</A></P> -<P><A HREF="#xedia.top">Back to chart</A></P> -<H4><A NAME="zyxel">Zyxel</A></H4> -<UL> -<LI>The Zyxel Zywall is a rebranded SSH Sentinel box. See also our - section on<A HREF="glossary.html#ssh"> SSH</A>.</LI> -<LI>There seems to be a problem with keeping this connection alive. This - is caused at the Zyxel end. See this brief<A HREF="http://lists.freeswan.org/archives/users/2003-October/msg00141.html"> - discussion and solution.</A></LI> -</UL> -<P><A HREF="http://www.zyxel.com/support/supportnote/zywall/app/zw_freeswan.htm"> - Zyxel's Zywall to FreeS/WAN instructions (PSK)</A> -<BR><A HREF="http://www.zyxel.com/support/supportnote/p652/app/zw_freeswan.htm"> - Zyxel's Prestige to FreeS/WAN instructions (PSK)</A>. Note: not all - Prestige versions include VPN software. -<BR><A HREF="http://www.lancry.net/techdocs/freeswan-zyxel.txt"> Fabrice - Cahen's HOWTO (PSK)</A> -<BR> </P> -<P><A HREF="#zyxel.top">Back to chart</A></P> - -<!-- SAMPLE ENTRY - -<H4><A NAME="timestep">Timestep</A></H4> - -<P>Text goes here. -</P> - ---> -<HR> -<A HREF="toc.html">Contents</A> -<A HREF="compat.html">Previous</A> -<A HREF="performance.html">Next</A> -</BODY> -</HTML> |