
FreeS/WAN Project Bows Out

timothy posted more than 10 years ago | from the ideas-don't-die-though dept.

Encryption 221

V. Mole writes "After five years, the FreeS/WAN project has decided to end development. The main reason seems to be that although the project was technically successful, it was not making much progress with its political goals of encrypting a significant portion of all Internet communications, although one might guess that the selection of KAME for the standard Linux IPSEC implementation might also have influenced this decision. And don't panic, the software will remain available, and of course some other group is free to continue development."


221 comments


FUCKING SHIT! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8435939)

I was just getting this installed to link a couple of nets across several states... way to ruin my Monday, dammit!

Re:FUCKING SHIT! (-1, Offtopic)

pair-a-noyd (594371) | more than 10 years ago | (#8435953)

You think you have problems?
I just posted to another topic and was denied FP!

MOD PARENT UP (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8436299)

saldfkjslafj

OSS advocate (5, Insightful)

maliabu (665176) | more than 10 years ago | (#8435954)

And don't panic, the software will remain available, and of course some other group is free to continue development

This is probably one of the reasons why OSS is A Good Thing.

Re:OSS advocate (-1, Troll)

apt-get-guy (756278) | more than 10 years ago | (#8435995)

What planet are you from? From where I sit, the bane of my existence is abandoned open-source products that slowly stop working as the world moves along.... I think that's the main advantage of *commercial* software: Companies have an incentive to keep working on their products.

I call troll. (5, Insightful)

Dlugar (124619) | more than 10 years ago | (#8436034)

How many commercial products are there that were started over five years ago that are still in current development? There are quite a handful still in current development--but vastly more that have been abandoned completely.

Both in the open source world and in the commercial world, the vast majority of projects die. The difference is that in the open source world, the dead projects can still be put to good use in a new reincarnation down the line.

Dlugar

Re:I call troll. (2, Insightful)

Alan (347) | more than 10 years ago | (#8436064)

Lets see....
- windows
- office
- wordperfect
- mozilla
- seti@home
- Duke Nukem Forever
- visual studio
- nero
- quickbooks
- palm desktop software
- many many many more

(some of the above I don't know for sure, but they seem old enough to be around for that long).

Now the big question is not if they are still in development, but if you can get the latest version free of charge off the net (legally that is :)

Seriously though, I think any large software maker will have programs that are still in active development, or at a version 2.0 or 3 or 5 as the years go on. That's one of the points of being a big software maker, you're stable and don't abandon your products, and continue to (try to) make them better.

I love linux and OSS, but your argument is flawed IMHO.

Re:I call troll. (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8436233)

Duke Nukem Forever

Let's be honest here, DNF is just vaporware now; it will never materialize in any store, ever. I know it's somewhat good marketing to delay the game to build up more hype, but I think they delayed it a little too far.

As is yours. (0)

Anonymous Coward | more than 10 years ago | (#8436313)

How many commercial applications are not in that list? I would say quite a large number. Simply because they aren't big names doesn't mean that they are not proprietary. The same goes with open source; many open source projects are quite successful, but not all are. However, it is much easier to pick up the pieces when an OSS project is abandoned than when a proprietary project is abandoned.

Re:I call troll. (1)

Dlugar (124619) | more than 10 years ago | (#8436376)

Sorry I didn't make myself more clear ... as I said, there are a good handful of proprietary software programs that are older than five years old and still in development. Now look at the number of proprietary software packages that have died in that same time period.

Is the percentage of dead proprietary software compared to still-in-development proprietary software any greater than the percentage of dead OSS compared to still-in-development OSS? As far as I can tell, the answer is No.

Dlugar

Re:I call troll. (1)

nvrrobx (71970) | more than 10 years ago | (#8436359)

No, you're trolling.

Here's a small sample of still active commercial products:

* Windows
* Office
* Mac OS
* Visual Studio
* CorelDRAW
* Netscape
* QuarkXPress
* Adobe Photoshop

Re:OSS advocate (5, Insightful)

HonkyLips (654494) | more than 10 years ago | (#8436040)

True, but if a company abandons an un-economic product they're not going to make the source code and development history freely available.

Re:OSS advocate (0, Interesting)

Anonymous Coward | more than 10 years ago | (#8436052)

Let's pick a company at random... Microsoft.

Does Windows 98 have a large install base?
Yes.

Are Microsoft still supporting Windows 98?
No.

No, so what exactly was your point?

Re:OSS advocate (0)

Anonymous Coward | more than 10 years ago | (#8436085)

Has it been replaced by something infinitely more stable and suited to today's hardware? Has that replacement brought forward OS design through stimulating competition with Apple and others? Has that replacement been a huge success?

Yes on all counts.

Now what's your point - that obsolete software should never die?

Re:OSS advocate (0)

Anonymous Coward | more than 10 years ago | (#8436234)

Has it been replaced by something infinitely more stable and suited to today's hardware? Has that replacement brought forward OS design through stimulating competition with Apple and others? Has that replacement been a huge success?

Yes on all counts.


What about yesterday's hardware? Should I just throw it in the landfill? A new Lunatic OS interface is no reason to buy a 3 GHz P4.

Re:OSS advocate (2, Informative)

Anonymous Coward | more than 10 years ago | (#8436104)

Are Microsoft still supporting Windows 98?

No.


ummm - I have Win 98 at home, and when I do a "Windows Update" I see that they are still supporting it. They turned around on their plan to abandon Win98 for 12 months, I think it was.

so what exactly was your point?

Re:OSS advocate (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8436154)

I think one of the reasons Microsoft reconsidered was that WINE on linux would suddenly look like a great idea to all these companies who wanted to use Win98 software, but didn't like the idea of being hung out to dry support-wise if they didn't want to upgrade. I've been considering it myself - there are only a dozen or so win-only apps that I need on my measly p266 laptop (with only 64mb of ram) - I could install RH 9, plonk WINE on top of that, and be good to go.

Re:OSS advocate (1, Informative)

Anonymous Coward | more than 10 years ago | (#8436155)

And this is the link I was looking for: http://support.microsoft.com/default.aspx?pr=LifeAn1 [microsoft.com], specifically this part here:

"Windows 98 and Windows 98 Second Edition support was scheduled to end on January 16, 2004. However, continual evaluation of the Support Lifecycle policy revealed that customers in the smaller and the emerging markets needed additional time to upgrade their product. Therefore, Windows 98, Windows 98 Second Edition, and Windows Me will continue to be supported after January 16, 2004."

Re:OSS advocate (1)

Jason Earl (1894) | more than 10 years ago | (#8436054)

I can name any number of commercial software products that no longer exist. In fact, just the list of commercial word processors that have gone the way of all the world would fill a small book. Many of these word processors' sole legacy is an obscure Emacs mode that tries to emulate their keybindings.

At least with Free Software you can maintain the project yourself.

Re:OSS advocate (4, Interesting)

Yobgod Ababua (68687) | more than 10 years ago | (#8436057)

"Companines [sic] have an incentive to keep working on their products."

Not if they go out of business, change business models, or decide that a particular product is no longer profitable.

In all of these cases, if you depended on access to and updates for their software, you would be SOL.

With OSS, you get the source code and have the freedom to recompile it for new targets and make whatever small patches are necessary to keep it running. If it's important enough to your company (or to you as a personal user) you can take over the maintenance yourself.

The parent is alluding to this fact.

Re:OSS advocate (3, Insightful)

dsanfte (443781) | more than 10 years ago | (#8436101)

Companies have an incentive to keep working on their products.


Usually. But when they don't, you're fucked. See the Vortex2 / 3DFX driver situation.

Re:OSS advocate (2, Interesting)

sisukapalli1 (471175) | more than 10 years ago | (#8436214)

I'll bite the troll... and will give an example from personal experience.

In our lab here, there are plots created with stuff like WingZ (a NeXT-based spreadsheet/plotting program) and AppsoftDraw (a Visio-like program), both types of plots from about 1995.... The programs no longer exist. We don't even bother to make changes to them.

On the other hand, we also have plots created with gnuplot, xfig, and much older documents created with latex. They all work as if they are created just now...

In this particular case, the people behind LaTeX and xfig have an incentive to keep working on them, and it wouldn't really matter that much even if all development on LaTeX and xfig stopped. Just like the core components of Emacs, development occurs at galactic time scales, but that is not a big deal...

S

Re:OSS advocate (1)

Brandybuck (704397) | more than 10 years ago | (#8436218)

Oh go take a long walk off of a short pier! I want my OS/2 and Lotus Smartsuite back...

Re:OSS advocate (1)

Jeff DeMaagd (2015) | more than 10 years ago | (#8436219)

Companies have an incentive to keep working on their products.

The thing is, at least the code is out there if you use the software and just need a small fix. Try getting that out of a company that's collapsed. Or if the company decided that a reasonably profitable product isn't profitable enough and decided to drop it in favor of more profitable ventures. Sure, there's money there but the business decision was to go elsewhere.

Re:OSS advocate (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8436088)

how do you explain the boatloads of abandoned OSS projects on sourceforge?

You zealots look like dirty, filthy communists, and now you sound just like them.

Re:OSS advocate (2, Informative)

maliabu (665176) | more than 10 years ago | (#8436270)

My statement wasn't about the number of abandoned developments. I assumed there'll be more abandoned OSS than CSS, mainly due to the fact that not all CSS are publicised, especially failed ones. And honestly, not all OSS are good ones.

But that's not the point; I was actually talking about the ability for others to pick up an OSS project and continue it. Simply put, OSS may sleep, but it'll never die completely.

If no one picks it up, that probably means that particular software isn't worth anything. This is by no means the end of that software; it's been abandoned, but the source is still open, and maybe in another 50 years this worthless abandoned source might become useful because of changes in our society.

Re:OSS advocate (0)

Anonymous Coward | more than 10 years ago | (#8436272)

Worst Idea EvER!!

corporation (2, Interesting)

dwgranth (578126) | more than 10 years ago | (#8435960)

I'm sure some corp will pick up the project... I know a lot of people use it, so I don't really see any reason for it to die.

Die? (0, Informative)

IchBinDasWalross (720916) | more than 10 years ago | (#8435999)

Resurrection is an eventuality, and in the article he states that it's not finished; it's just the end of major combat operations.

Re:corporation (5, Informative)

velkro (11) | more than 10 years ago | (#8436006)


I've taken my Super FreeS/WAN tree, and formed a company with some other ex-FreeS/WAN folks.

Openswan is the new name of the project; you can already get code from www.openswan.org [openswan.org].

Commercial support + services from us via Xelerance [xelerance.com]

Ken

Re:corporation (5, Funny)

Fnkmaster (89084) | more than 10 years ago | (#8436056)

Support from a guy with a two-digit Slashdot User ID... what more could you ask for?

Re:corporation (4, Funny)

velkro (11) | more than 10 years ago | (#8436097)


Thanks! Some of us have been doing this stuff for many, many years. We might even be good at it by now :)

Re:corporation (1, Funny)

Anonymous Coward | more than 10 years ago | (#8436369)

what more could you ask for?

Support from a hot girl with a two-digit Slashdot User ID!

Re:corporation (0)

Anonymous Coward | more than 10 years ago | (#8436093)

Holy crap. Your userID is 11? I have a newfound respect for the (former) FreeS/WAN project.

Re:corporation (1)

kfg (145172) | more than 10 years ago | (#8436112)

Yep, he's gonna turn it up to. . ., now, let's not always see the same hands.

KFG

Re:corporation (0)

Anonymous Coward | more than 10 years ago | (#8436192)

From the site...
2004-01-04 Openswan 2.0.0dr released. Available here. [openswan.org]

2004-01-02 Openswan 1.0.0 released. Available here. [openswan.org]


That was quick...

The letter (5, Informative)

IronBlade (60118) | more than 10 years ago | (#8435967)

Dear FreeS/WAN Community,

After more than five years of active development, the FreeS/WAN project will be coming to an end.

The initial goal of the project was ambitious -- to secure the Internet using opportunistically negotiated encryption, invisible and convenient to the user. For more, see our history page. A secondary goal was to challenge then-current US export regulations, which prohibited the export of strong cryptography (such as triple DES encryption) of US origin or authorship.

Since the project's inception, there has been limited success on the political front. After the watershed Bernstein case, US export regulations were relaxed. Since then, many US companies have exported strong cryptography, without seeming restriction other than having to notify the Bureau of Export Administration for tracking purposes.

This comfortable situation has perhaps created a false sense of security. The catch? Export regulations are not laws. The US government still reserves the right to change its export regulations on short notice, and there is no facility to challenge them directly in a court of law. This leaves the US crypto community and US Linux distributions in a position which seems safe, but is not legally protected -- where the US government might at any time *retroactively* regulate previously released code, by prohibiting its future export. This is why FreeS/WAN has always been developed outside the US (in Canada and in Greece), and why it has never (to the best of our knowledge) accepted US patches.

If FreeS/WAN has neither secured the Internet, nor secured the right of US citizens to export software that could do so, it has still had positive benefit.

With version 1.x, the FreeS/WAN team created a mature, well-tested IPsec VPN (Virtual Private Network) product for Linux. The Linux community has relied on it for some time, and it (or a patched variant) has shipped with several Linux distributions.

With version 2.x, FreeS/WAN development efforts focussed on increasing the usability of Opportunistic Encryption (OE), IPSec encryption without prearrangement. Configuration was simplified, FreeS/WAN's cryptographic offerings were streamlined, and the team promoted OE through talks and outreach.

However, nine months after the release of FreeS/WAN 2.00, OE has not caught on as we'd hoped. The Linux user community demands feature-rich VPNs for corporate clients, and while folks genuinely enjoy FreeS/WAN and its derivatives, the ways they use FreeS/WAN don't seem to be getting us any closer to the project's goal: widespread deployment of OE. For its part, OE requires more testing and community feedback before it is ready to be used without second thought. The project's funders have therefore chosen to withdraw their funding.

Anywhere you stop, a little of the road ahead is visible. FreeS/WAN 2.x might have developed further, for example to include ipv6 support.

Before the project stops, the team plans to do at least one more release. Release 2.06 will see FreeS/WAN making a late step toward its goal of being a simple, secure OE product with the removal of Transport Mode. This is in keeping with one of Niels Ferguson's and Bruce Schneier's security recommendations in A Cryptographic Evaluation of IPsec. 2.06 will also feature KLIPS (FreeS/WAN's Kernel Layer IPsec machinery) changes to facilitate use with the 2.6 kernel series.

After Release 2.06, FreeS/WAN code will continue to be available for public use and tinkering. Our website will stay up, and our mailing lists at lists.freeswan.org will continue to provide a forum for users to support one another. We expect that FreeS/WAN and its derivatives will be widely deployed for some time to come.

It is our hope that the public will one day be ready for, and demand, transparent, opportunistic encryption. Perhaps then some adventurous folks will pick up FreeS/WAN 2.x and continue its development, making the project's original goal a reality.

Many thanks to the wonderful folks who've been part of the lists.freeswan.org community over the last few years. Thanks to the developers who've created patches and written HOWTOs. Thanks to the volunteers who've donated Web space and time as system administrators. Thanks to the distributors who've puzzled out the fine points of integrating our software with others'. Finally, thanks to the users who've tested our software, shared interoperation success stories, and given others a helping hand. We couldn't have done it without you.

Best Regards,

Claudia Schmeing
for the Linux FreeS/WAN Project

Re:The letter (1, Interesting)

LostCluster (625375) | more than 10 years ago | (#8436147)

If FreeS/WAN has neither secured the Internet, nor secured the right of US citizens to export software that could do so, it has still had positive benefit.

Talk about two goals that are just plain swimming uphill.

Getting the Internet to change what's not broken is very hard. The fact that our default mode of communications is plaintext doesn't quite scare most pointy haired bosses. They want their stuff secured, but there's no sense in switching protocols when we can just secure on top of the existing protocols with things like VPNs, SSH, PGP, SSL, etc.

Meanwhile, getting the government to lift the crypto-export bans just isn't going to happen either. September 11th, 2001 will always be brought up anytime anybody wants to loosen crypto rules. Being able to talk in a way that the US Government can't intercept and understand is something that truly scares the military and the CIA... because if they can't intercept communications, they lose one of their strongest tools in battle. Maybe the crypto-export rules are weak and aren't going to stop much, but at least it stops everything we can stop using a law, and that's better than zero.

So, another open source project with great ideas but not quite enough resources to get the job done packs it in. Oh, well. So it goes.

In Soviet Russia... (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#8435970)

...Internet encrypts YOU!!!!

OpenSwan (5, Informative)

DivineHawk (570091) | more than 10 years ago | (#8435978)

Openswan [openswan.org] is an Open Source implementation of IPsec for the Linux operating system. It is a code fork of the FreeS/WAN project, started by a few of the developers who were growing frustrated with the politics surrounding the FreeS/WAN project.

first (-1, Offtopic)

howdoishotweb (753822) | more than 10 years ago | (#8435980)

first post

Ouch. This is going to hurt. (5, Interesting)

misspelled (740029) | more than 10 years ago | (#8435982)

This is rather bad news for the not insignificant FreeS/WAN install base out there. The company I worked for last year, for instance, poured a significant quantity of time and money into a corporate VPN based on FreeS/WAN, and even bundled it into products. They don't have the resources or experience to support FreeS/WAN in house themselves, so they'll be in for an interesting ride if problems are discovered. AFAIK, they were hoping not to have to upgrade to Linux 2.6 for at least a year, but that may have to change now. Who all out there is getting left in the lurch by this?

Re:Ouch. This is going to hurt. (4, Informative)

velkro (11) | more than 10 years ago | (#8436035)

As people have mentioned... the Openswan [openswan.org] project is picking up the slack, and commercial support is also available, directly from current Openswan and ex-FreeS/WAN project folks via Xelerance [xelerance.com] .

Re:Ouch. This is going to hurt. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8436344)

Oh wow. UID 11. Congrats, mate.

Re:Ouch. This is going to hurt. (1)

slugo3 (31204) | more than 10 years ago | (#8436103)

If it's working now, why does this decision change anything? Sure, there is no new development, but it sounds like the current version fulfills your old company's needs. Nothing is stopping you from continuing to use it, and if you want more features then spend some cash and hire some developers to add them in for you (and release back to the community). The only problem I could see is if security vulnerabilities are discovered; then you need to patch it yourself or look to the community for a patch.

Corporate users are conservative (-1, Insightful)

misspelled (740029) | more than 10 years ago | (#8436168)

I'm fine with switching my own VPNs to Linux 2.6 or Openswan, but corporate users like to pick a vendor and stick with it, so that they don't need to pay to switch to something else and pay to train people how to use it, and so that they can count on help if needed. That's why Linux is scary to these people. To those people, stuff like this hurts Linux's credibility as an alternative system. The company I was referring to (Verano, if anyone is interested) can probably manage a switch, especially if Openswan is fully compatible. The people they sell to, being in the manufacturing and utilities sectors, are even more conservative. If they find out that support for some stuff they bought has been discontinued, they tend to come down pretty hard on the people they bought it from. Which can affect the bottom line.

Re:Ouch. This is going to hurt. (0, Funny)

Anonymous Coward | more than 10 years ago | (#8436180)

The company I worked for last year, for instance, poured a significant quantity of time and money into a corporate VPN based on FreeS/WAN, and even bundled it into products.

Dumbass. Should've used Cisco.

Re:Ouch. This is going to hurt. (0)

Anonymous Coward | more than 10 years ago | (#8436241)

The company I worked for last year, for instance, poured a significant quantity of time and money into a corporate VPN based on FreeS/WAN, and even bundled it into products. They don't have the resources or experience to support FreeS/WAN in house themselves, so they'll be in for an intersting ride if problems are discovered.

Nice troll. If I was a rabid open source Slashbot I wouldn't have easily seen through that. You get extra points for claiming to use FreeS/WAN for your corporate VPN.

Who all out there is getting left in the lurch by this?

The topping on the cake! The pity piece where you draw in fellow Slashbots who feel sorry for you and can envision themselves in a similar plight. Beautiful. 4 stars.

Re:Ouch. This is going to hurt. (4, Informative)

ryanvm (247662) | more than 10 years ago | (#8436254)

Good news - you don't need 2.6 to do native IPSEC.

I've done a couple FreeS/WAN installs on 2.4 and they were kind of difficult to set up. Not too bad - just painful enough to appreciate them.

However, the other day I decided to try the Linux kernel's new native IPSEC modules (which have been backported to at least 2.4.24). Using 2.4.24 and KAME it was an absolute pleasure to set up. Works beautifully, and no more patching. You couldn't pay me to return to FreeS/WAN.

Opportunistic encryption (4, Interesting)

Alan (347) | more than 10 years ago | (#8435990)

As I understand it, they wanted to use opportunistic encryption to do the "common man" encryption of the 5% of the internet. Has this actually become standard yet? If so, it's only been within the last couple of years I think (since I've stopped dealing with VPN).

Also, aren't there other problems inherent with OE? IE: the need to have secure DNS before this can really happen, or a PKI infrastructure or public key escrow or something? I'd love to just install freeswan on my firewall and have encrypted connections happen, but a) would it really help things and b) would it be like being the first one on the block to have a videophone?

Re:Opportunistic encryption (5, Insightful)

Anonymous Coward | more than 10 years ago | (#8436068)

OE doesn't *need* DNSSEC.

It just benefits from it. Without it, you are vulnerable to *ACTIVE* attacks against the DNS. With DNSSEC, you are totally immune.

The real thing that bones up OE is that you need a static, public IP (since OE isn't defined for NAT'ed IPsec). If you want to do full OE, then you need access to the reverse map too. How many have that? Well, if you don't, you probably don't have a static IP or an AUP that even lets you sneeze.

But, it could be made to work with NAT'ed IPsec, and it could also do enrollment in the reverse map via DHCP.
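The point the two comments above make about DNS is the security-relevant one in this thread: OE discovers a peer's gateway and public key from a TXT record in the reverse map, so whoever answers that DNS query chooses the key, unless the answer is signed. The example below is added here to make that concrete; it is not code from any poster, from FreeS/WAN or from Openswan. It assumes the FreeS/WAN reverse-map convention `X-IPsec-Server(<precedence>)=<gateway> <base64 key>`, uses constructed placeholder key bytes rather than real RSA keys, and stands in for DNSSEC's RRSIG/DNSKEY chain with a toy HMAC under a trust-anchor secret, so only the decision logic (unsigned answer accepted vs. unverifiable answer dropped) is the lesson.

```python
# Added example for this page, not FreeS/WAN or Openswan code. It models the
# reverse-map DNS lookup Opportunistic Encryption (OE) does to find a peer's
# IPsec gateway and public key, and shows why DNSSEC matters: with plain DNS,
# an on-path attacker who answers first supplies the key the initiator trusts.
#
# Assumptions (constructed for this example): the TXT record format
#   "X-IPsec-Server(<precedence>)=<gateway-ip> <base64 public key>"
# follows the FreeS/WAN reverse-map convention; key bytes are placeholders, not
# RSA keys; and the "signature" is a toy HMAC under TRUST_ANCHOR standing in
# for a DNSSEC RRSIG validated through the DNSKEY/DS chain.
import base64
import hashlib
import hmac
import re
from typing import Callable, Dict, List, Optional, Tuple

TXT_RE = re.compile(r"^X-IPsec-Server\((\d+)\)=(\S+)\s+(\S+)$")
TRUST_ANCHOR = b"constructed-trust-anchor"  # toy stand-in for a DNSSEC trust anchor

# A DNS answer is (owner name, TXT text, signature or None).
Answer = Tuple[str, str, Optional[str]]
Resolver = Callable[[str], List[Answer]]


def reverse_name(ipv4: str) -> str:
    """192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def sign_record(name: str, text: str) -> str:
    # Toy signature over owner name + RDATA. Real DNSSEC uses a public-key
    # RRSIG, which a spoofer without the zone's private key cannot produce.
    return hmac.new(TRUST_ANCHOR, f"{name}|{text}".encode(), hashlib.sha256).hexdigest()


def make_txt(precedence: int, gateway: str, pubkey: bytes) -> str:
    return f"X-IPsec-Server({precedence})={gateway} {base64.b64encode(pubkey).decode()}"


def parse_oe_record(text: str) -> Tuple[int, str, bytes]:
    m = TXT_RE.match(text)
    if not m:
        raise ValueError(f"not an OE record: {text!r}")
    return int(m.group(1)), m.group(2), base64.b64decode(m.group(3))


# Constructed sample zone: the operator of 192.0.2.0/24 published an OE record
# for 192.0.2.10 naming gateway 192.0.2.1, and signed it.
LEGIT_GATEWAY, LEGIT_KEY = "192.0.2.1", b"constructed-legit-key"
ATTACKER_GATEWAY, ATTACKER_KEY = "198.51.100.7", b"constructed-attacker-key"

_zone: Dict[str, Answer] = {}
_owner = reverse_name("192.0.2.10")
_txt = make_txt(10, LEGIT_GATEWAY, LEGIT_KEY)
_zone[_owner] = (_owner, _txt, sign_record(_owner, _txt))


def honest_resolver(name: str) -> List[Answer]:
    return [_zone[name]] if name in _zone else []


def spoofing_resolver(name: str) -> List[Answer]:
    """An on-path attacker answering the query first. UDP DNS has no origin
    authentication, so this answer is as good as the real one unless the
    initiator insists on a valid signature."""
    forged = make_txt(10, ATTACKER_GATEWAY, ATTACKER_KEY)
    return [(name, forged, None)]  # attacker cannot produce a valid signature


def lookup_oe_gateway(resolver: Resolver, peer_ip: str,
                      require_signed: bool) -> Optional[Tuple[str, bytes]]:
    """Return (gateway, pubkey) for peer_ip, or None when no usable record exists.
    With require_signed=True, answers whose signature does not verify are
    dropped; an OE initiator then falls back to clear text or refuses, instead
    of negotiating IPsec against an attacker-supplied key."""
    name = reverse_name(peer_ip)
    best: Optional[Tuple[int, str, bytes]] = None
    for owner, text, sig in resolver(name):
        if owner != name:
            continue  # answer for a different name: ignore
        if require_signed and (sig is None or
                               not hmac.compare_digest(sig, sign_record(owner, text))):
            continue  # unsigned or forged: treat as if the record did not exist
        try:
            prec, gw, key = parse_oe_record(text)
        except ValueError:
            continue
        if best is None or prec < best[0]:  # precedence handled like an MX preference
            best = (prec, gw, key)
    return None if best is None else (best[1], best[2])
```

Run against the honest resolver, both modes return the legitimate gateway and key; against the spoofing resolver, the unsigned mode hands back the attacker's gateway and key, which is exactly the "active attack against the DNS" the comment warns about, while the signed mode returns nothing and the initiator never keys a tunnel to the attacker.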

Re:Opportunistic encryption (1)

NoMoreNicksLeft (516230) | more than 10 years ago | (#8436164)

Yes, it would be like being the first one on your block to have a videophone. How do I know?

Because I have much the same problem.

If you are interested in such things on a hobby level, you'd be more than welcome on my own VPN network. We're building secure dns and pki, and it would be cool to have someone else with their own videophone, so to speak...

Re:Opportunistic encryption (4, Funny)

MrWa (144753) | more than 10 years ago | (#8436190)

Also, aren't there other problems inherent with OE? IE

Among many other problems, yes, Outlook Express being integrated with Internet Explorer is a problem...

I thought the Internet was encrypted (5, Funny)

Anonymous Coward | more than 10 years ago | (#8435996)

It's not triple-DES, but it's double-rot-13. Sounds safe enough.

Double ROFL triple latte encryption (1)

cprice (143407) | more than 10 years ago | (#8436022)

Too Funny. I almost shot coffee out my nose.

no make sense (1)

nil5 (538942) | more than 10 years ago | (#8436152)

I don't think I'm alone in not getting that one.

Re:no make sense (3, Funny)

TedCheshireAcad (311748) | more than 10 years ago | (#8436224)

no, trust me, you are.

Elucidation (4, Informative)

Yobgod Ababua (68687) | more than 10 years ago | (#8436244)

rot-13 was a simple cipher used to 'encrypt' spoilers and possibly offensive material in Usenet posts. It worked by converting each letter of the (Latin) alphabet to its numerical equivalent (a=1, b=2, ..., z=26), adding 13, subtracting 26 if the result was larger than 26, then converting back to a letter (ROTating the letter thirteen 'spaces').

"Hello World" -> "Uryyb Jbeyq"

triple-DES is a more modern encryption scheme still in use today.

The humor comes from the fact that applying rot-13 twice results in the exact original text, so saying that the Internet uses 'double rot-13 by default' is just noting that it's completely unencrypted but in a way that makes it sound like a real encryption scheme.

It really was quite an amusing post... unlike this one.
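A short implementation of the rotation described in the comment above, added here as an illustration (not code from the poster or from any project on this page). It follows the letter-index arithmetic the comment gives, generalised to an arbitrary shift so that the difference between 13 and any other shift is visible: only 13 is its own inverse, because 13 + 13 is one full turn of a 26-letter alphabet, which is the whole joke behind "double rot-13".

```python
# Added example: ROT-N over the Latin alphabet, written for this page; not the
# poster's code and not part of FreeS/WAN. Non-letters (digits, punctuation,
# whitespace, non-ASCII) pass through unchanged, as the Usenet usage did.


def rot_n(text: str, n: int) -> str:
    """Rotate every ASCII letter n places along the alphabet, preserving case."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            # index (0..25) + n, wrapped: the comment's "subtract 26 if > 26" step
            out.append(chr((ord(ch) - base + n) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    return rot_n(text, 13)


def is_self_inverse(n: int, sample: str = "Hello World") -> bool:
    """True when applying rot_n twice returns the input. Holds for n = 13
    (2 * 13 = 26 = one full rotation) and for n = 0 or 26, not for e.g. 3."""
    return rot_n(rot_n(sample, n), n) == sample


def decode_rot13(text: str) -> str:
    # There is no key to recover: decoding is the same operation as encoding,
    # which is why "double rot-13" means plaintext.
    return rot13(text)
```

The comment's example round-trips: `rot13("Hello World")` gives `"Uryyb Jbeyq"` and `rot13("Uryyb Jbeyq")` gives `"Hello World"` back. `is_self_inverse(3)` is False, since a Caesar shift of 3 needs a shift of 23 to undo. Note that nothing here is secret; the transform is fixed, so it hides text from a casual glance and from nothing else.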

There's one more release in the works.... (4, Informative)

tcopeland (32225) | more than 10 years ago | (#8435998)

...from the ending letter:

Before the project stops, the team plans to do at least one more release. Release 2.06 will see FreeS/WAN making a late step toward its goal of being a simple, secure OE product with the removal of Transport Mode. This is in keeping with one of Niels Ferguson's and Bruce Schneier's security recommendations in A Cryptographic Evaluation of IPsec. 2.06 will also feature KLIPS (FreeS/WAN's Kernel Layer IPsec machinery) changes to facilitate use with the 2.6 kernel series.

Don't panic (-1, Offtopic)

HappyCitizen (742844) | more than 10 years ago | (#8436001)

[Quote]And don't panic, the software will remain available, and of course some other group[/Quote]

A little bell rang in my mind when I heard this. Then I realized, "Don't PANIC!" is on the title of the Hitchhikers Guide to the Galaxy

Impossible (-1, Flamebait)

Rodrin (729362) | more than 10 years ago | (#8436005)

Trying to do the impossible....

Shame and a loss (1)

Yonkeltron (720465) | more than 10 years ago | (#8436013)

It is a shame and a loss that the community will have lost such a valuable resource. Its new versions will be sorely missed. A noble goal indeed.

Just too bad, (1)

JOW (165099) | more than 10 years ago | (#8436015)

Just too bad, as I'm still trying to get the thing to work, and have been trying for some time now. I guess I will never find the support or help now. I just feel bad for the guys in Vietnam that now will get all their data traffic looked at. I'm still looking for some help to get it to work.

Re:Just too bad, (2, Informative)

Yobgod Ababua (68687) | more than 10 years ago | (#8436110)

"I guess I will never find the support or help now"

From the announcement itself:

Our website will stay up, and
our mailing lists at lists.freeswan.org will continue to provide a forum for users to support one another. We expect that FreeS/WAN and its derivatives will be widely deployed for some time to come.

That the original group of developers is bowing out has, really, little to no implications for your ability to find support.

Re:Just too bad, (1, Informative)

Anonymous Coward | more than 10 years ago | (#8436111)

The people in #openswan on irc.freenode.net are pretty helpful.

*gasp!* (3, Funny)

homeobocks (744469) | more than 10 years ago | (#8436020)

You mean my talk sessions through ssh aren't secure any more?!?

/me puts on his tin foil hat.

KAME (2, Informative)

Anonymous Coward | more than 10 years ago | (#8436033)

To say that "KAME" was picked is wrong.

Either it means that *YET AGAIN* Linux can't play nicely, and has to import code from the BSD world to make things work.

Or it means nothing, because KAME wasn't imported into the kernel. Only one or two libraries, and the pfkey code, were. And the userspace KAME tools leave so much to be desired that nobody would want to run them.

Openswan lives.

Politics Trumping Development (-1)

Anonymous Coward | more than 10 years ago | (#8436036)

This is just one more example of how wrongheaded it is to place politics at the forefront of a project, instead of technical achievements.

Most people don't give a flying fuck what political goals your project has. Only the code, and the software matter. All else is gravy.

You can add this to the graveyard of noble goals brought down by zealotry.
HURD anyone? [hurd.org]

Re:Politics Trumping Development (2, Interesting)

H4x0r Jim Duggan (757476) | more than 10 years ago | (#8436248)

Actually, zealotry had little or nothing to do with Hurd's non-progression. Remember that Hurd was the first big GNU package that RMS did *not* work on. If zealotry was a problem, GCC, Emacs, GDB, and many of the GNU command line utils would have failed long ago. (GNU Libc was mostly Richard-less, but he did have a hand in it.)

The failure of the Hurd was a bad gamble. Possibly encouraged by the fact that they had written almost an entire operating system (using tried-and-true designs), the GNU projecteers decided to try a latest-and-greatest (fad) design for the GNU kernel - it didn't work out as it was meant to, but luckily Linus had worked on this same project from the conventional angle, so we still ended up with a completely free software OS.

Re:Politics Trumping Development (2, Interesting)

Genda (560240) | more than 10 years ago | (#8436301)

This is just one more example of how wrongheaded it is to place politics at the forefront of a project, instead of technical achievements.

Most people don't give a flying fuck what political goals your project has. Only the code, and the software matter. All else is gravy.

You can add this to the graveyard of noble goals brought down by zealotry.


I find this particular outlook sad and disturbing, especially when that outlook is probably more than a little true. It's the nature of the human animal to push boulders up hills, and then become resigned, cynical, and despairing when the effort seems to be overshadowed by the results (or lack thereof.) It's also part of the human animal that a room full of us passionately engaged (or for that matter enraged), will just as likely pull in twenty different directions as a single useful or meaningful one. That said, we can be certain that nothing lasting or important will ever get done if we can't put our own egos, and personal agendas aside for the greater good.

In any project that seems to be as much social engineering as software generation, the two arms must be separate, distinct, and managed tightly by a group of wise men that can be trusted to steer that project. The code heads must be safe and cozy, whacking away at the bits, while the political engineers are busy spreading memes and building coalitions in legislative circles. All the while, cool heads, men and women selected for their integrity and sanity, must guide and nurture the process with patience and forbearance.

Protecting the security and anonymity of people is an important endeavor. It deserves bringing to bear people with moral distinction and the skills needed to manage the long haul, because we live in a world that doesn't do the logical thing, and this will certainly be a long haul. I hope that the software finds a new home, and people with the fortitude to take it to its logical conclusion. As well, I hope that OSS projects like this can begin to create operational structures that ensure the realization of their goals, even in the face of great political/social resistance and internal conflict. In the end, being a part of an OSS project is ultimately about making a contribution to the human condition... when it becomes something else, projects fail and we all lose.

Genda

"A business man can pull a phone out of his pocket and talk at length to someone halfway around the world. The same man will sit in a dark room with his wife and children all evening and never say a word... clearly something isn't working." -- Dave Cunningham

slashdotted (0, Interesting)

longhairedgnome (610579) | more than 10 years ago | (#8436043)

My project for 1996 was to secure 5% of the Internet traffic against passive wiretapping. It didn't happen in 1996, so I'm still working on it in 1999! If we get 5% in 1999 or 2000, we can secure 20% the next year, against both active and passive attacks; and 80% the following year. Soon the whole Internet will be private and secure. The project is called S/WAN or S/Wan or Swan for Secure Wide Area Network; since it's free software, we call it FreeS/WAN to distinguish it from various commercial implementations. RSA came up with the term "S/WAN". Our main web site is at http://www.freeswan.org. Want to help?

The idea is to deploy PC-based boxes that will sit between your local area network and the Internet (near your firewall or router) which opportunistically encrypt your Internet packets. Whenever you talk to a machine (like a Web site) that doesn't support encryption, your traffic goes out "in the clear" as usual. Whenever you connect to a machine that does support this kind of encryption, this box automatically encrypts all your packets, and decrypts the ones that come in. In effect, each packet gets put into an "envelope" on one side of the net, and removed from the envelope when it reaches its destination. This works for all kinds of Internet traffic, including Web access, Telnet, FTP, email, IRC, Usenet, etc. The encryption boxes are standard PC's that use freely available Linux software that you can download over the Internet, or install from a cheap CDROM.

This wasn't just my idea; lots of people have been working on it for years. The encryption protocols for these boxes are called IPSEC (IP Security). They have been developed by the IP Security Working Group of the Internet Engineering Task Force, and will be a standard part of the next major version of the Internet protocols (IPv6). For today's (IP version 4) Internet, they are an option.

The Internet Architecture Board and Internet Engineering Steering Group have taken a strong stand that the Internet should use powerful encryption to provide security and privacy. I think these protocols are the best chance to do that, because they can be deployed very easily, without changing your hardware or software or retraining your users. They offer the best security we know how to build, using the Triple-DES, RSA, and Diffie-Hellman algorithms.

This "opportunistic encryption box" offers the "fax effect". As each person installs one for their own use, it becomes more valuable for their neighbors to install one too, because there's one more person to use it with. The software automatically notices each newly installed box, and doesn't require a network administrator to reconfigure it. Instead of "virtual private networks" we have a "REAL private network"; we add privacy to the real network instead of layering a manually-maintained virtual network on top of an insecure Internet.

programmers working all over the world and coordinating over the Internet. Linux is distributed under the GNU Public License, which gives everyone the right to copy it, improve it, give it to their friends, sell it commercially, or do just about anything else with it, without paying anyone for the privilege.

Organizations that want to secure their network will be able to put two Ethernet cards into an IBM PC, install Linux on it from a $30 CDROM or by downloading it over the net, and plug it in between their Ethernet and their Internet link or firewall. That's all they'll have to do to encrypt their Internet traffic everywhere outside their own local area network. Travelers will be able to run Linux on their laptops, to secure their connection back to their home network (and to everywhere else that they connect to, such as customer sites). Anyone who runs Linux on a standalone PC will also be able to secure their network connections, without changing their application software or how they operate their computer from day to day.

There are already numerous commercially available hardware and software products that use the IPSEC technology. The FreeS/WAN team regularly participates in interoperability tests to ensure that our software communicates cleanly and securely with other vendors' products. Eventually IPSEC will move into the operating systems and networking protocol stacks of major vendors. This will probably take longer, because those vendors will have to figure out what they want Check the FreeS/WAN web site for more frequently updated status.

Protocols

The low-level encrypted packet formats are defined. The system for publishing keys and providing secure domain name service is defined. The IP Security working group has settled on a complex NSA-sponsored protocol for key agreement (called IKE). The protocol is not yet defined to enable opportunistic encryption or the use of DNSSEC keys.

Linux Implementation

The Linux implementation has reached its first major release and is ready for production use in manually-configured networks, using Linux kernel version 2.0.36. Later snapshots work on 2.2.x Linux kernels.

Domain Name System Security

All BIND releases starting with BIND-4.9.5 include support for the KEY records that will soon be needed by FreeS/WAN. The latest BIND releases, after 8.2, include most DNS Security features, including cryptographic integrity protection if you sign your domain's records. BIND releases are available from the Internet Software Consortium FTP site. None of these BIND releases are export-controlled; the early ones don't contain cryptography, and the later ones merely use it for authentication, which is also exportable. Good documentation on the DNSSEC features is missing, though.

Why? Because I can.

I have made enough money from several successful startup companies that for a while I don't have to work to support myself. I spend my energies and money creating the kind of world that I'd like to live in and that I'd like my (future) kids to live in. Keeping and improving on the civil rights we have in the United States, as we move more of our lives into cyberspace, is a particular goal of mine.

What You Can Do

Set up a Linux system. Get a machine running Linux (say the 6.1 release from Red Hat). Give the machine two Ethernet cards.

Install the Linux IPSEC (FreeS/WAN) software. If you're an experienced sysadmin or Linux hacker, install the freeswan-1.0 release, or any later release or snapshot. These releases do NOT provide automated "opportunistic" operation; they must be manually configured for each site you wish to encrypt with.

Get on the Linux FreeS/WAN mailing lists. Join the discussion forums for people working on the project, and testing the code and documentation.

Install a recent BIND at your site. You won't be able to publish any keys for your domain until you have upgraded your copy of BIND. The thing you really need from it is the new version of named, the Name Daemon, which knows about the KEY and SIG record types. So, download it from the Internet Software Consortium and install it on your name server machine (or get server) records.

Would you like to help? I can use people who are willing to write documentation, install early releases for testing, write cryptographic code outside the United States, support users and companies (for money) who want to use FreeS/WAN, sell pre-packaged software or systems including this technology, and teach classes for network administrators who want to install this technology. To offer to help, send me email at gnu@toad.com. Tell me what country you live in and what your citizenship is (it matters due to the export control laws; personally I don't care). Include a copy of your resume and the URL of your home page. Describe what you'd like to do for the project, and what you're uniquely qualified for. Mention what other volunteer projects you've been involved in (and how they worked out). Helping out will require that you be able to commit to doing particular things, meet your commitments, and be responsive by email. Volunteer projects just don't work without those things.

Related projects

IPSEC for NetBSD: This prototype implementation of the IP Security protocols is for another free operating system. Download BSDipsec.tar.gz.

IPSEC for OpenBSD: This prototype implementation of the IP Security protocols is for yet another free operating system. It is directly integrated into the OS release, since the OS is maintained in Canada, which has freedom of speech in software.

Misc notes

I've also collected a small bit of information about network encryption history and patents (warning: may be censored)
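The opportunistic encryption model described in the post above (a KEY record published under the peer's reverse-DNS name decides, per destination, whether a packet is enveloped or sent in the clear), simulated as an added example. This is not FreeS/WAN code: the zone contents and record text are constructed placeholders, and the IKE key agreement is replaced by a demo key derived from the record so the example runs offline.

```python
"""Simulated opportunistic-encryption (OE) gateway; added example, not FreeS/WAN code.

Per destination: look up the peer's KEY record under its reverse-DNS name. If one
exists, put the packet in an authenticated "envelope", otherwise send it in the clear.
Negative answers are cached, so a newly published key (the "fax effect") is only
noticed once that cache entry expires."""
import hashlib
import hmac
import ipaddress
import os

# Constructed reverse-DNS zone using RFC 5737 documentation addresses.  The record
# text is a placeholder, not a real KEY resource record or a real public key.
FAKE_REVERSE_ZONE = {
    "10.2.0.192.in-addr.arpa.": b"KEY placeholder-public-key-for-192.0.2.10",
    "20.2.0.192.in-addr.arpa.": b"KEY placeholder-public-key-for-192.0.2.20",
}


def reverse_name(ip: str) -> str:
    """Owner name under which an OE gateway would publish its KEY record."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def _keystream_xor(key, nonce, data):
    """Demo keystream (SHA-256 in counter mode) for the envelope body.
    Illustrative only; real IPsec uses ESP with a vetted cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class OEGateway:
    def __init__(self, zone):
        self.zone = zone
        self.key_cache = {}        # ip -> KEY record (positive cache)
        self.no_key_cache = set()  # ips known to have no KEY record
        self.stats = {"clear": 0, "protected": 0}

    def lookup_key(self, ip):
        """Return the peer's published record, or None if it has none."""
        if ip in self.key_cache:
            return self.key_cache[ip]
        if ip in self.no_key_cache:
            return None
        record = self.zone.get(reverse_name(ip))
        if record is None:
            self.no_key_cache.add(ip)
            return None
        self.key_cache[ip] = record
        return record

    @staticmethod
    def _session_key(record):
        # Stand-in for IKE.  Deriving a key from a public record is NOT secure
        # (anyone reading DNS could do it); it only keeps the example offline.
        return hashlib.sha256(b"demo-oe-session|" + record).digest()

    def send(self, dst_ip, payload):
        """Envelope the payload if dst_ip publishes a key, else pass it through."""
        record = self.lookup_key(dst_ip)
        if record is None:
            self.stats["clear"] += 1
            return {"dst": dst_ip, "mode": "clear", "body": payload}
        key = self._session_key(record)
        nonce = os.urandom(8)
        body = _keystream_xor(key, nonce, payload)
        tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
        self.stats["protected"] += 1
        return {"dst": dst_ip, "mode": "protected", "nonce": nonce, "body": body, "tag": tag}

    @classmethod
    def unwrap(cls, pkt, record):
        """Receiver side: verify the envelope before exposing the payload."""
        if pkt["mode"] == "clear":
            return pkt["body"]
        key = cls._session_key(record)
        expected = hmac.new(key, pkt["nonce"] + pkt["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pkt["tag"]):
            raise ValueError("envelope rejected: integrity check failed")
        return _keystream_xor(key, pkt["nonce"], pkt["body"])

    def publish_key(self, ip, record):
        """A neighbour installs an OE box and publishes its record; dropping the
        negative-cache entry stands in for that entry's TTL expiring."""
        self.zone[reverse_name(ip)] = record
        self.no_key_cache.discard(ip)


if __name__ == "__main__":
    gw = OEGateway(dict(FAKE_REVERSE_ZONE))
    for dst in ("192.0.2.10", "203.0.113.5", "203.0.113.5"):
        print(dst, gw.send(dst, b"GET / HTTP/1.0")["mode"])
    gw.publish_key("203.0.113.5", b"KEY placeholder-new-neighbour")
    print("203.0.113.5", gw.send("203.0.113.5", b"GET / HTTP/1.0")["mode"])
    print(gw.stats)
```

The negative cache is the operational wrinkle worth noticing: a neighbour's freshly published key is invisible to this gateway until the cached "no key" answer ages out.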

Trolling? Maybe...but here is my experience (5, Informative)

Anonymous Coward | more than 10 years ago | (#8436072)

In classic Linux fashion, I found FreeSwan complicated and hard to use. It had incredibly obtuse error messages. I couldn't figure out how to configure it (configuring it may be simple, but I couldn't actually figure out _what_ needed to be configured). All I wanted to do was talk to our corporate Sonicwall. All in all a very unpleasant experience.

I fought with it for a week - did tons of google research, and still couldn't get Phase2 to work. I eventually caved in and bought a Linksys VPN endpoint router that comes with a simple web administration tool. I had it up and running in 15 minutes. I'm just sorry I wasted that week on FreeSwan.

Re:Trolling? Maybe...but here is my experience (4, Insightful)

velkro (11) | more than 10 years ago | (#8436199)


You know what's funny? Recent Linksys VPN routers (i.e. the WRV54G) use FreeS/WAN for IPsec (they are built on the OpenRG platform).

So you might be using it anyways ;)

Re:Trolling? Maybe...but here is my experience (0)

Anonymous Coward | more than 10 years ago | (#8436342)

IPSec is complicated and hard to use. FreeS/WAN and *BSD have /incredibly simple/ and easy to understand error messages compared to many commercial products (Cisco, Netscreen, Checkpoint, etc).

Don't blame the error messages for your lack of understanding of the protocols involved.

FreeS/WAN and *BSD are pretty much the simplest implementation to troubleshoot if (when) problems occur.

I'm afraid... (3, Informative)

flogger (524072) | more than 10 years ago | (#8436083)

I'm afraid that this is going to be the course of all good free/open source software projects. I work in an environment that uses Free software for our servers because the schools can't afford others. We've been using Mitel's [mitel.com] SME Server (E-Smith [e-smith.org] for you old-schoolers) for quite a while. Recently Mitel is dropping support for this. This announcement came right after Redhat's shakeup a while back. Free/swan is an excellent tool that we've been using to connect schools and homes. Anyway, I'm afraid that education will suffer, which in turn will lead to everyone's suffering.

Well, then. Stop complaining... (0)

Anonymous Coward | more than 10 years ago | (#8436327)

And start coding! If you don't have the skills, donate to someone who is willing to code. Just because the project is ending doesn't mean you can't use the software any more! And, just because the project is ending doesn't mean others cannot develop it!

pgp.net (3, Interesting)

Anonymous Coward | more than 10 years ago | (#8436084)

It seems that FreeS/WAN's goals of opportunistic encryption were in opposition to the complexity that their implementation required (DNS changes, etc.)

PGP.net (oh, where have you gone) provided opportunistic encryption with no infrastructure requirements other than the two machines communicating use the PGP.net software.

Controlling the two endpoints seems a lot easier than trying to control them plus the DNS servers to exchange info.

Anyone know what happened to PGP.net?

Re:pgp.net (1)

Fiona Winger (758088) | more than 10 years ago | (#8436294)

Well, actually, FreeS/WAN used low quality 32/bit encryption not to controlling the endpoints, but expanding them while encrypting the easier to encrypt info. When the DNS servers would exchange info, FreeS/WAN would sort and encrypt the info being exchanged, and filter out the possibly security threatening files. PGP.net was closed down due to low site fund maintenance, the host just couldn't keep it going. Sorry for the bad news. =/

mod me flamebait but... (2, Informative)

myowntrueself (607117) | more than 10 years ago | (#8436139)

FreeSWAN sucks.

I have to look after a large network of VPNs across a small country and a lot of things about FreeSWAN bite bad wind.

For one thing, not only does it encrypt network traffic; it encrypts its error messages as well. They are all but unintelligible, even after looking at the sourcecode.

Actually, after looking at the sourcecode one is frequently more confused than ever.

And googling for the error messages often seems to find threads where the FreeSWAN developers burble to the effect of "yeah it's confusing but I can't be bothered fixing it".

I'm not a developer, but my (highly competent) developer colleague assures me that it's 'spaghetti code'.

For another thing, running it over ADSL is a pain in the proverbial; it seems highly intolerant of the so-called 'micro-outages' that pervade ADSL.

Good riddance.

I just hope that we can shift everything over to KAME before the next gaping security hole in FreeSWAN makes its appearance.

Re:mod me flamebait but... (4, Interesting)

ErikTheRed (162431) | more than 10 years ago | (#8436292)

Actually, I've implemented FreeS/WAN on some VPNs that operate over wireless ISPs in Mexico, and it seems unusually tolerant of the, shall we say, continuous stream of new and exciting conditions that exist on those networks. It's been far more stable than some commercial products we tried (for big $$$).

That being said, I did believe (from reading the docs) that the development team was far more interested in making a (pointless, IMHO) political statement than in creating a usable piece of software. For most small / medium businesses, Opportunistic Encryption is the last thing you want - typically these companies have one interface to the Internet, and having trusted and untrusted-from-random-IP-subnets coming in on the same connection creates a firewall design nightmare. I'm sure there's a way to make it work, but frankly if information is worth securing, we can and do secure it. If it isn't, then we just don't care - I'd rather just Keep It Simple, Stupid.

alternatives (4, Interesting)

frazzydee (731240) | more than 10 years ago | (#8436161)

What's wrong with implementing OpenVPN [sourceforge.net] - the SSL approach? I suppose it may be difficult for some companies to upgrade . . . but if they require it, and it is a viable alternative- why not?
Would it really be that difficult for somebody to take over the development? Maybe their role could be more to administer the operation rather than code a lot of it.
Also, this (google's cache) [216.239.37.104] or the PDF version of the above [sosresearch.org] claims that FreeS/WAN does not support PKI.

Doesn't it seem that... (3, Insightful)

Trolling4Dollars (627073) | more than 10 years ago | (#8436162)

...this [sourceforge.net] project would be a little better of a choice for VPN than FreeSWAN? I've been looking it over and it looks pretty cool. I still have to actually try it though.

Re:Doesn't it seem that... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8436201)

??? how the hell is this insightful? set your threshold lower, moderators, and you will see it's redundant- same as a previous post by someone else.

Re:Doesn't it seem that... (3, Informative)

nick this (22998) | more than 10 years ago | (#8436309)

After futzing for the better part of an afternoon trying to get OSX and FreeS/WAN working together, I said "screw it". I downloaded OpenVPN and had it running in literally ten minutes.

Why the heck can't IPSec have a set of "must implement" specs so that there could be a standard default config that works with every single ipsec vpn?

Plus, it all runs in userspace, and it works on every single operating system ever, can be port forwarded, natted, mangled in just about every which-way and still works.

What a pleasure to use. Try it. You'll like it.

Re:Doesn't it seem that... (2, Insightful)

Fiona Winger (758088) | more than 10 years ago | (#8436381)

Well, sure, there's definitely going to be projects that are much more developed and advanced than FreeS/WAN. But.. this is a sad moment. FreeS/WAN is the innovator, the one that gave that other particular project the momentum to do what it has planned. Truly, it feels like we've lost another legend today. Maybe I'm just an overdramatic nerd, but I really feel like I've suffered a loss.

It will be missed... (-1)

Kip Winger (547075) | more than 10 years ago | (#8436181)

This was a great thing in the making, and its discontinuation greatly saddens me. May it rest in peace... God Bless

who cares? (2, Interesting)

segment (695309) | more than 10 years ago | (#8436194)


No I'm not trolling I'm asking a question here. Outside of admins, how many people really care whether their connection is secure or not. I always reference this out regarding IPSec and the likes, so I'll point out eBay as an example. Now a company such as eBay in my opinion should have SSL based log on by default, period. It's optional. Why? Because most users outside of the geekrealm, and system admin realm don't understand the escape key from their space bar. So when it comes to things like... "Will you accept this certificate?" and the likes, they don't know, and they certainly don't care. Same goes for VPN's. Why should the people care if Freeswan "was not making much progress with its political goals of encrypting a significant portion of all Internet communications" when the typical user doesn't know about Freeswan, and more than likely wouldn't care.

Re:who cares? (-1)

Kip Winger (547075) | more than 10 years ago | (#8436211)

I care about whether my connection is secure or not, and I'm just a normal internet user. I send lots of emails, instant messages, and other online video feeds and what not. The fact that my communication is secure is incredibly important to me. Have fun, and god bless you all.

Re:who cares? (1)

segment (695309) | more than 10 years ago | (#8436293)


You're missing my point. In order for Freeswan to have been as successful as they'd like to have been, they kind of sold their hopes too high. Not everyone cares about security though most should. How many people/companies do you know of that still use ftp as opposed to sftp or scp, and even use passive ftp. It's easier to use, and you won't have to spend time explaining things to the non-geek user. Majority rules remember that, like it or not.

Re:who cares? (1, Informative)

Anonymous Coward | more than 10 years ago | (#8436283)

In the corporate world it's huge huge huge. Without encrypted VPN none of the engineers would be able to do any work from home. Too much IP exposed to the world, as well as protecting the corporate network from hostiles!

Note that IPSec is doing a lot more than your ebay example, it allows you to connect two networks together at the IP level. When I VPN into work from home, my computer is actually inside the corporate network, past all the firewalls and security measures. I might as well be sitting at my desk at work...

Re:who cares? (2, Interesting)

bangular (736791) | more than 10 years ago | (#8436326)

Because people don't care doesn't mean it doesn't matter. People will start caring real soon when their credit card number is sniffed.

This gives me a chance to have an OT rant about SSL. SSL is not the one stop security shop people think it is. You talk to an admin about doing a secure site and the very first thing they will talk about is getting an SSL cert. What people don't understand is encrypting the data is like number 59 on the list of things for a secure site. I can't tell you how many sites I've seen with weak authentication systems, sql injection vulns, XSS, hidden values holding sub totals, input validation using only javascript...

People like to think SSL sites are safe because SSL sites are very easy to set up and very official (with your official thawte cert.). Proper programming and thinking of crazy theoretical situations takes MUCH longer to do. How many sites check cookies for meta characters...

I've used FreeS/WAN (2, Informative)

bangular (736791) | more than 10 years ago | (#8436200)

I've used FreeS/WAN... it wasn't a bad project or bad software, but was just too much 99% of the time. I usually only need to encrypt data between under 5 ports. I can set up an ssh tunnel almost instantly which does the job just as well. If ssh is already set up (which it usually is more often than not these days) you can have an ssh tunnel going in a few seconds. FreeS/WAN needed kernel patches and took much longer to set up and besides that, the development didn't seem very fast.

perhaps there is another lesson (5, Insightful)

superwiz (655733) | more than 10 years ago | (#8436208)

to be learned here. The stated goal of the project was to increase the amount of traffic that is encrypted on the internet. While this does not directly conflict with the goal of making as much software as possible "free" (as in beer), it does set a different goal.

Why the hell am I bringing this up? Well, one of the problems with FreeS/WAN was that it would not work with low-bit encryption. This was done to promote their political goal. But it also had the side effect of inhibiting adoption at the places where for whatever reason people had to interoperate with low-bit encryption applications or setups. The last time I checked (which I have to admit was over 2 years ago) the FreeS/WAN project explicitly stated that they would refuse to cooperate with anyone who tried to "subvert" the project by building in interoperation with low-bit encryption.

So what is this lesson to be learned that I am talking about? When fighting an uphill battle (which a volunteer project challenging for-profit institutions always does), it may not be wise to make it more difficult for people on the sidelines to agree with your cause.

Linux was built on much better technology than Windows (nfs vs smb, ext vs fat, separate windowing subsystem vs windowing system as part of the kernel, etc), but it didn't gain in popularity because it decided to replace all the Windows boxen. The technical decision was made to cooperate with them. The fundamental decision on priorities was to hold interoperability above politics. FreeS/Wan took the other road.

Probably a good thing (4, Insightful)

The Pim (140414) | more than 10 years ago | (#8436259)

As someone who's dabbled in FreeS/WAN and IPSEC, I think this may actually help IPSEC on Linux take off. There is now another prominent IPSEC implementation available: the one in 2.6. For a long time, FreeS/WAN was the only choice, and while it was quite good, it had some baggage: Due to legal and political concerns, it was maintained by a relatively closed team, it was never well-integrated into the kernel, and it didn't offer some of the "insecure" features some users wanted. I would argue it was destined to remain a fringe project, never attaining the community acceptance needed for real success.

The 2.6 implementation is not as mature, but it has excellent success factors. It was written by an alpha kernel hacker, it's in the mainline, and it's open in the Linux tradition. An influx of former FreeS/WAN users may be just what it needs to work out the kinks. FreeS/WAN has done a great service, and is now doing another by throwing its momentum behind an implementation with better long-term prospects.

How little I knew ye. (0, Redundant)

numbski (515011) | more than 10 years ago | (#8436261)

I run an ISP and was not aware of this product, and now it's more or less gone.

I would have used and backed this to the hilt had I known. :(

were FreeSwan users afforded "luxury of ignorance" (5, Insightful)

totro2 (758083) | more than 10 years ago | (#8436263)

I've been a Linux user for 10 years, and a Unix System Administrator for 3 years, but Freeswan was among the most challenging things I've ever installed. I found that nothing less than reading the documentation from cover to cover is sufficient to understand it. I'm not surprised that it never caught on with any sort of mainstream. Don't get me wrong, I am all for the vision of a secure-by-default internet. But unfortunately, it's so tough to install that only die hard security buffs have the patience to figure it out. Where is the ncurses-based "kernel setup wizard" script with forward and backward buttons? A checklist-based helper to point out what is missing next in getting the damn thing installed properly? A webmin module? A gui based connection configurator, called, say, [g|k]freeswan-conf? ESR has it dead on: without a thick slathering of user friendliness, this sort of project cannot succeed on any widespread level. Them's the breaks. I wish things were different, believe me.

That sucks (3, Insightful)

whois (27479) | more than 10 years ago | (#8436282)

As a long time freeswan user I have to say this sucks pretty hard. Having used isakmpd and racoon on openbsd and freebsd respectively, I've always thought freeswan was easier to configure (but not always easier to get working).

Hopefully openswan will be a good replacement :)

FreeS/WAN was a bad codebase to start with (2, Interesting)

kiltedtaco (213773) | more than 10 years ago | (#8436300)

I've spent so many weekends playing with connecting FreeS/WAN to my OpenBSD router. Every time I'd end up with some insanely cryptic error message (on both ends, openbsd isn't much better). This weekend I downloaded KAME for the 2.6 kernel, and had it working within half an hour, including the time to recompile my kernel.

FreeS/WAN is an unfortunate example of a project too focused on a far out goal (OE) to make the simple foundations work.

Re:FreeS/WAN was a bad codebase to start with (1)

Fiona Winger (758088) | more than 10 years ago | (#8436367)

Well, FreeS/WAN is definitely hard to work with and get operating, but when it's up and running, BOY does it function great. Once you learn how to get it going, you should give it another shot. It gave me a ton of freedom once I figured out how to properly configure it.

when linux 2.6 has NAT-T support ... (0)

Anonymous Coward | more than 10 years ago | (#8436391)

Then we can throw freeswan/superfreeswan/openswan in the trash.

sorry.