
Novell-SUSE Sponsors Openswan

timothy posted more than 10 years ago | from the they're-building-a-behemoth dept.

Security 132

hsjones writes "Concerned about the demise of FreeS/WAN? Well, looks like Openswan is going to be a good, strong open source IPsec project going forward. Novell and SUSE have jumped in with Astaro to back the project and move it along. See the press release. The Openswan project is at http://www.openswan.org. SUSE Linux and Astaro Security Linux both use FreeS/WAN in their current releases. It will be very interesting to watch what they do now with Openswan!"


Shampoo is better, no, conditioner is better (3, Funny)

UnCivil Liberty (786163) | more than 10 years ago | (#9476226)

Stop looking at me Swan!

Re:Shampoo is better, no, conditioner is better (0)

Anonymous Coward | more than 10 years ago | (#9476544)

I hope the joke explaining troll comes along and works his magic on this one.

Re:Shampoo is better, no, conditioner is better (0)

Anonymous Coward | more than 10 years ago | (#9476716)

Remember that Billy Madison also saw penguins when he was drunk.

Who knew that Adam Sandler was a Linux user?

Re:Shampoo is better, no, conditioner is better (2, Funny)

swordsaintzero (665343) | more than 10 years ago | (#9477292)

It's an Adam Sandler movie reference. I forget which one; does it really matter? (removes hook from mouth after being reeled in)

my penis (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9476229)

is bleeding, oh please reply with a cure i think it's a vein!

rel?

Worse... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9476664)

You have the Rwanda virus. (Just touching your skin causes the cell walls to rupture; thus you bleed.)

There is no cure, so please don't infect anyone: die with honor, that you hath first lost your family's jewels before you lost your living soul.

Somewhat off-topic (5, Informative)

coupland (160334) | more than 10 years ago | (#9476238)

Building on its contributions to the open source community and commitment to interoperability

As one of many people who vividly remembers the success of NetWare 3.x, the current situation seems very alien. Novell virtually died when the fact of the matter is their product was by far the best. Today they have good products, yet they really can't claim an enormous technological edge. Their second coming is, instead, based on commitment to a thriving community, and feeds off anti-Microsoft sentiment. If best-of-breed products didn't work, will this perhaps be the strategy that finally works for them? I don't know, but I certainly wouldn't complain to see Novell take back a sizeable bite of the business that was stolen from them.

Business "stolen" from them? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9476307)

Care to explain that comment without resorting to your catch phrases, clichés, and slogans? You pathetic liberals, you are like little sheep (yes, I can tell you are a liberal). Sad little man.

Novell fumbled the ball - again and again... (4, Insightful)

WIAKywbfatw (307557) | more than 10 years ago | (#9476422)

Novell got complacent, made some dumb moves (eg, buying WordPerfect) and hit some real competition when Microsoft started muscling in on their traditional turf. Whilst the competition was coming right at it, Novell just looked on, doe-eyed.

A litany of bad management decisions is why they are where they are today. Maybe Novell can regain some of its lost market share, but you'll have to wait a very long time if you want to see it regain market dominance.

Re:Novell fumbled the ball - again and again... (4, Insightful)

coupland (160334) | more than 10 years ago | (#9476469)

No offense, but you don't remember the timeline particularly well. WordPerfect had the poop beaten out of it long before Novell bought it -- caused by their failure to release a Windows version while they still had the superior product. By the time Novell bought it they were a steal. Agreed, not a brilliant move, but not what killed them, either. What really killed Novell was Windows 3.11 (Windows for Workgroups), which had built-in networking. Windows NT followed and sealed NetWare's fate, despite the fact that NW4 was years ahead of NT. Both instances where the OS was leveraged to strangle the market for a superior product.

Novell didn't look on doe-eyed; the WordPerfect acquisition (which came much later) was a desperate attempt to save themselves once they realized Microsoft could leverage the OS to beat them, *no matter how superior their products were*. It was desperation, not stupidity.

Re:Novell fumbled the ball - again and again... (2, Insightful)

flinxmeister (601654) | more than 10 years ago | (#9476534)

I disagree. The OS was not leveraged more than Novell dropped the ball. Remember TCP/IP? Remember how slow Novell was to adopt it? Remember how hard it was to write NLMs for Novell vs. apps for NT? Remember how cryptic working on the server console was? Granted, you didn't have to do it often but next to the GUI most small offices went the logical way. Bottom line, Novell got complacent, then got the pants beat off em fair and square with a more market friendly product. Microsoft is vulnerable to the same thing now.

Re:Novell fumbled the ball - again and again... (2, Informative)

coupland (160334) | more than 10 years ago | (#9476608)

Again, you're mixing up your history. Sure Novell was slow to adopt TCP/IP but that's because IPX/SPX was always routable. Microsoft held onto NetBEUI (ptooie!) for far longer and still won the war. Sure Microsoft competitors made some mis-steps, but no more so than Microsoft. Unfortunately they didn't have an endless supply of cash to help them recover.

Re:Novell fumbled the ball - again and again... (0)

Anonymous Coward | more than 10 years ago | (#9476635)

IPX sucked on large networks, unlike TCP/IP.
Plus, TCP/IP == Internet == Buzz == Stock Price, something Novell badly needed.

Also, Microsoft adopted TCP/IP back in the 80s with OS/2 so I dunno if you know your history either.

Re:Novell fumbled the ball - again and again... (3, Funny)

coupland (160334) | more than 10 years ago | (#9476646)

Also, Microsoft adopted TCP/IP back in the 80s with OS/2 so I dunno if you know your history either.

Awww, yer so cute when you have no clue what you're talking about. Microsoft? TCP/IP? OS/2? That's utterly adorable. Go do some research and once you realize how funny that is come back here and we'll have a good ol' laugh about it.

OS/2... Snicker...

Re:Novell fumbled the ball - again and again... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9476697)

That attempt at a comeback fails to negate the fact that it's true, which you would know if you weren't talking out of your ass. (Although, I agree that OS/2 is funny in a laugh-at-you-not-with-you kind of way.)

So, Microsoft went with standards for their routable protocol, Novell didn't, and now lots of Linux boxes are running a "LanMan" clone. Snicker.

Re:Novell fumbled the ball - again and again... (2, Insightful)

coupland (160334) | more than 10 years ago | (#9476723)

See my last comment to parent, where I point out that your hypothesis is completely impossible. Microsoft didn't go IP until years after the competition, and they had no hand in OS/2. I feel like I'm arguing history with a 12-year-old. You were obviously not there, dude, so stop making up stories about what happened. Anyone who was there knows you are wrong.

Re:Novell fumbled the ball - again and again... (1)

j-pimp (177072) | more than 10 years ago | (#9476823)

So, Microsoft went with standards for their routable protocol, Novell didn't, and now lots of Linux boxes are running a "LanMan" clone.

I would not call it a LanMan clone. Putting aside what role NetBIOS, NetBEUI, LanMan, SMB, CIFS and whatever other acronyms involved play in the process of me accessing my home directory on my FreeBSD box from my Windows 2000 server, Samba was originally built to allow the author to access a DEC server from his Unix (I believe slowlaris) box.

Re:Novell fumbled the ball - again and again... (4, Informative)

coupland (160334) | more than 10 years ago | (#9476676)

Ok fine after mocking you mercilessly I will explain why you are such a funny guy.

1. Microsoft was only involved in OS/2 up until version 1.3
2. OS/2 was widely criticized because it did not have built-in networking. So Microsoft certainly didn't introduce TCP/IP in the 80's with OS/2.
3. The first version of OS/2 with built-in networking was OS/2 WARP, which was after OS/2 2.1. This was many years after the IBM/Microsoft rift.

So.... yeah. This is what any decent research will tell you. Rebuttals are welcome, I'm kind of enjoying teaching a new generation about how the 80's played out. ;-)

Re:Novell fumbled the ball - again and again... (0)

Anonymous Coward | more than 10 years ago | (#9476732)

Do the research yourself. Microsoft OS/2 LAN Manager was a server OS sold and supported until Windows NT came out in 1993, after which IBM continued the product as OS/2 LAN Server. As you might guess by the name, it had networking and it had TCP/IP.

Now be a good old senile grouch and admit you were wrong, or we'll have to go Logan's Run on your ass.

Re:Novell fumbled the ball - again and again... (2, Informative)

coupland (160334) | more than 10 years ago | (#9476755)

Sorry but you are falling into "retard" status. LAN Manager was based on NetBIOS and NetBEUI was the transport protocol. Neither were routable, and had nothing to do with TCP/IP. In fact, LAN Manager was licensed technology to begin with! Sure, you could run TCP/IP under LANMAN, but you could also run IPX/SPX. This doesn't mean Microsoft "went" TCP/IP any more so than they "went" IPX/SPX. Your memory of the time is passable at best and totally flawed at worst.

Re:Novell fumbled the ball - again and again... (-1)

Anonymous Coward | more than 10 years ago | (#9476775)

And you are completely beyond "asshole flamer" status. You were wrong. You are babbling like a twit. Fuck you.

Re:Novell fumbled the ball - again and again... (0, Flamebait)

coupland (160334) | more than 10 years ago | (#9476800)

Thanks, I knew you'd admit I was right sooner or later. I scrubbed both my cheeks smooth as silk in anticipation of your admission, but on second thought I'd prefer a nice french-kiss on the browneye.

OOooo, thanks, that tickled!

IPX on large networks (5, Informative)

billstewart (78916) | more than 10 years ago | (#9476791)

IPX actually did fine - it was the IP layer equivalent. What sucked on large networks was Netware. One of its problems was inadequate flow control (though I forget if that was SPX's fault or other Netware protocols - the PBurst stuff just didn't cut it when there were congestion problems.)

But the real performance killer on lots of networks was all the chatty SAP announcements - even on a medium-sized network, all the printers advertising themselves can clog up any useful bandwidth, which often meant 56kbps back when this sort of networking was common for users like banks, retail stores, and branch offices of big companies. Yes, we learned how to do SAP filtering, and eventually Novell came out with NLSP which helped a lot.

The more important problems were pricing - upgrading to Netware 5 which could use TCP/IP instead of IPX tended to cost too much for the types of companies that were big Netware users back in mumblety-95, so they stayed with IPX way past its prime, around the time that Microsoft was figuring out how to make NetBIOS-over-IP perform badly over long distances (as opposed to NetBIOS-over-NETBEUI.) While Microsoft _still_ doesn't have a clue about decent networking, they were good enough to beat Netware in the market, and small networks of either Netware or NetBEUI could both be self-configuring, a lesson we're trying to relearn for IPv6.

Re:Novell fumbled the ball - again and again... (2, Interesting)

Tony-A (29931) | more than 10 years ago | (#9477139)

IIRC Novell was designed for corporate networks, routable and securable.
TCP/IP is fundamentally designed to let anybody in, very routable and hardly securable. It's essentially a difference between private roads and public roads.

Just on the basis of where Novell is coming from, I'd expect a Linux coming from Novell to be somehow much more "business-friendly". Just a different bias in setting various tweaks and configurations would be enough.

Re:Novell fumbled the ball - again and again... (0)

Anonymous Coward | more than 10 years ago | (#9476618)

Remember TCP/IP? ... Remember how hard it was to write NLMs for Novell vs. apps for NT?

And the worst part about this was that Novell OWNED UNIX! But yet just sat on it and pushed NetWare, even though the market felt it to be inferior in many ways.

Re:Novell fumbled the ball - again and again... (1)

vadim_t (324782) | more than 10 years ago | (#9477531)

Oh the horror. People used the word "leverage" twice in a row on Slashdot. I'm about to run away screaming.

Re:Somewhat off-topic (3, Insightful)

wolfdvh (700954) | more than 10 years ago | (#9476580)

I don't know, but I certainly wouldn't complain to see Novell take back a sizeable bite of the business that was stolen from them.

It was not stolen from them, they gave it away. They lost market share with arrogance and poor support that at the time made Micro$oft seem a breath of fresh air. Their support devolved to where they didn't want to even talk to you if you weren't a CNE. The whole certification racket they pioneered was a brilliant stratagem. It got people to pay Novell for the privilege of doing their technical support for them. It was so successful that Microsoft later copied it.

Novell's near ruin was largely the result of thinking that a 90% market share makes you unaccountable to your customers. The ash heap of the industry is littered with companies, Digital Research (CP/M), Lotus, Ashton-Tate (dBase), WordStar, who made that same mistake.

I know that all those old players are gone and only the name is the same, but I was struck with real pangs of apprehension when I heard they were buying SuSE. It was the irrational fear that they would do to SuSE what they did to WordPerfect.

Legally, a corporation is a person, and I suspect this person has changed. I truly wish them well.

Re:Somewhat off-topic (1)

Donny Smith (567043) | more than 10 years ago | (#9476900)

>>I don't know, but I certainly wouldn't complain to see Novell take back a sizeable bite of the business that was stolen from them.

>It was not stolen from them, they gave it away

Uhm, they had stolen that market share from someone else before Microsoft stole or took it from them.
What comes around, goes around.

Re:Somewhat off-topic (0)

Anonymous Coward | more than 10 years ago | (#9477452)

It was the irrational fear that they would do to SuSE what they did to WordPerfect.

I don't know what Novell did to WordPerfect, but Pete Peterson's (one of the three owners) "Almost Perfect" (readable online) tells how WP got into trouble all on their own.

Mainly by first betting on OS/2 and then not getting a Windows version of WP out when Microsoft released WinWord after WinWord. And it's pretty amazing in the book how WP Corp was unable to even figure out how to get WPwin done, where to find the programmers who knew Windows, et cetera, and how they didn't treat the situation like a major crisis.

The book focuses on management and marketing, not on the actual product and the programmers, so it is hard to say what exactly went/was wrong in the WPwin project. But it gives the appearance that there wasn't much Novell could do to save the situation.

( www.fitnesoft.com/AlmostPerfect/ )

Can someone explain this? (0)

agent dero (680753) | more than 10 years ago | (#9476244)

Yeah, I understand how SuSE & Novell became involved in this, but can someone explain what this does? I mean, what's the hoopla about?

Re:Can someone explain this? (0)

Anonymous Coward | more than 10 years ago | (#9476268)

S/WAN = Secure Wide Area Network

http://www.freeswan.org/intro.html

Re:Can someone explain this? (2, Informative)

krumms (613921) | more than 10 years ago | (#9476288)

Well, "Openswan is an implementation of IPsec for Linux."

IPsec is basically authentication/encryption for packets at the IP level.

Re:Can someone explain this? (4, Informative)

whoever57 (658626) | more than 10 years ago | (#9476300)

Yeah, I understand how SuSE & Novell become involved in this, but can someone explain what this does? I mean, what's the hoopla about?
FreeSWAN/OpenSWAN is a Linux-based VPN solution. It is a flexible solution providing host-to-host, network-to-network and host-to-network VPNs.

What's more, unlike other Linux-based solutions, I don't think there have ever been any serious questions raised over its security.

Free/OpenSWAN also interoperates with a wide variety of commercial (soft and hard) VPNs. Authentication can be by RSA secrets or X509 certificates.

Re:Can someone explain this? (0, Funny)

Anonymous Coward | more than 10 years ago | (#9476379)

Oh, okay, it's a VPN solution.

What's a VPN?

Re:Can someone explain this? (1)

DetrimentalFiend (233753) | more than 10 years ago | (#9476399)

Virtual Private Network. Of course 2 seconds on google could have told you that.

Re:Can someone explain this? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9476479)

Oh, okay, VPN stands for Virtual Private Network.

What's a Virtual Private Network?

Re:Can someone explain this? (0, Troll)

Anonymous Coward | more than 10 years ago | (#9476687)

:Can someone explain this? (Score:-1, Troll)
by Anonymous Coward on 11:07 PM -- Saturday June 19 2004


What's a troll?

Re:Can someone explain this? (3, Informative)

ticktockticktock (772894) | more than 10 years ago | (#9476958)

Copied and pasted verbatim from www.wikipedia.org:

"A Virtual Private Network, or VPN, is a private communications network usually used within a company, or by several different companies or organisations, communicating over a public network. VPN message traffic is carried on public networking infrastructure (i.e., the Internet) using standard (possibly unsecure) protocols.

VPNs use cryptographic tunneling protocols to provide the necessary confidentiality (preventing snooping), sender authentication (preventing identity spoofing), and message integrity (preventing message alteration) to achieve the privacy intended. When properly chosen, implemented, and used, such techniques can indeed provide secure communications over unsecure networks.

Note that such choice, implementation, and use are not trivial and there are many unsecure VPN schemes on the market. Users are cautioned to investigate products they propose to use very carefully. 'VPN' is a label which, by itself, provides little except a marketing tag.

VPN technologies may also be used to enhance security as a 'security overlay' within dedicated networking infrastructures.

VPN protocols include:

* IPSec (IP security), an obligatory part of IPv6.
* PPTP (point-to-point tunneling protocol), developed by Microsoft.
* L2F (Layer 2 Forwarding), developed by Cisco.
* L2TP (Layer 2 Tunnelling Protocol), including work by both Microsoft and Cisco.

Multi-protocol label switching can be used to build VPNs."

Dead Dogs Society (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9476250)

This message brought to you by the National Association for Humane Action for Dogs and the Euthenasia for Canus Familourous Association. Gadgets For The Elimination Of Dogs is announcing a BRAND NEW product designed to exterminate canine pests of all sizes. Our economical K9Zap product retails for just $49.95 and takes only 2 seconds for a 60 lb dog. Our $5 bakers chocolate will kill up to 500 lbs of dog per package!

Gadgets For The Elimination Of Dogs is a division of ECFA (Euthenasia for Canus Familourous Association). The GFTEOD/ECFA would like you to do one thing - KILL A DOG. By KILLING A DOG, you will ELIMINATE one USELESSLY RESPIRATING animal from this planet. Are you TIRED of having your TAXES increased? Humane Societies cost our country over $100 million annually. By eliminating DOGS, this money can EDUCATE OUR KIDS. OVERPOPULATION of DOGS is RAPANT in this country. Take a stand! Help rid this INFESTATION. KILL A DOG TODAY!!!!

Have you ever stepped in DOG DOO-DOO [k9treat.com]

Are you MAD? [apa.org]

Do you KILL DOGS? [friendsofdogs.net]

Are you a MAD DOG KILLER? [k911emergencies.com]

If you answered "YES" to any of the above questions the ECFA (Euthenasia for Canus Familourous Association) is for you! Why change your sexual lifestyle or change your skin color to join an EVIL ORGANIZATION when you can simply INCREASE OUR SUPPLY OF O2! Did you know that DOGS turn BENEFICIAL O2 into CO2 simply to gain their energy to bark, drool, and howl? They ACTUALLY BOND their carbon TO OUR OXYGEN SUPPLY!!! One dog can waste 2 moles of O2 PER HOUR! This country has MANY UNWANTED, ABANDONED DOGS that WE ARE PAYING MONEY TO KEEP ALIVE. We are FEEDING them our food supply while making the homeless STARVE! By using a Dog Killing Gadget, a dog can be turned into beneficial food, helping us all. We let children go hungry yet feed our **UNWANTED** dogs like royalty.

Do you own a dog? Are you tired of its mess? Then get it euthanized. Euthanasia is a painless way for a dog to... terminate. However, it can be too expensive to buy these drugs for the LARGE NUMBER of DOGS in the HUMANE SOCIETIES. It is thus proposed that these dogs be turned into food for the homeless.

WANT TO SUPPORT THE ECFA? Simply form picket lines around your nearest humane society or gain a FIRST POST on /. to join our club. If you have MOD POINTS and would like to support the ECFA, moderate this post UP.

==This post brought to you by proud dog killer PickaBu on EFNET.

LoLs!!1 (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9476393)

Best. Troll. Ever.

Wireless world: Satan's dream come true? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9476254)

The Mark of The Beast.. will it require wireless technology everywhere for this to emerge? Chips in the body = cashless transactions. It's only a matter of time. Hell, there's news stories about people in a club somewhere waving their hands with microchips embedded in them to order drinks.

But can it run Linux? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9476260)

buttsex makes the baby jesus cry.

I officially support (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9476261)

Open anus [goat.cx]

"It will be very interesting to watch..." (3, Funny)

crashnbur (127738) | more than 10 years ago | (#9476264)

"It will be very interesting to watch what they do now with Openswan!"

Damn straight! I've got popcorn in the microwave and three Cokes on ice in anticipation! Now... tell me what I'm watching!

MOD PARENT UP +1 ON THE MONEY (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9476394)

This story sux.

SUSE (3, Interesting)

Harrison819 (789751) | more than 10 years ago | (#9476275)

SUSE is now one of the premier players on the Linux scene, with Novell's help of course. SUSE was my first distro and I am very happy it has found success. I just hope it does not go the way of Red Hat and try to make their distro the best one out there and rely on the name alone, also like Metallica, but that is for another time.

Re:SUSE (1)

DAldredge (2353) | more than 10 years ago | (#9476729)

And what is wrong with Red Hat?

Re:SUSE (1)

j-pimp (177072) | more than 10 years ago | (#9476851)

I remember Red Hat 7.0. It came with gcc 3.0, and the out-of-the-box full install was incapable of recompiling the very kernel sources that came with it. I refused to use Red Hat, decreed it had sinned against me and excommunicated it from me.

Then Fedora came. I took a copy of the CDs at LinuxWorld after talking to one of the people there and forgave the company. Mind you, I don't think Bob Young would care about my excommunication enough to stand barefoot in the snow outside my window for a few days; I was pissed at Red Hat.

Anyway, I never got around to installing Fedora, but it's on my todo list. Red Hat seems to be making money selling services and presumably doing whatever they do that requires the newer features of C++ that GCC 3 had that caused them to ship a compiler that would not compile their kernel.
However, they started to forget about the little guy. Being the distro of the geeks means that you have free developers, word of mouth marketing, etc. Luckily, they did this Fedora thing to try to correct that.

Re:SUSE (2, Informative)

rkit (538398) | more than 10 years ago | (#9477250)

Slight correction: Red Hat 7.0 shipped with a snapshot towards gcc-3.0 they called gcc-2.96. It is true that this compiler version miscompiled the kernel, but it is also true that they provided a gcc version that was the recommended compiler for the kernel at that time (they called it kgcc).
It is also true that "gcc-2.96" did not have the quality of a proper gcc release. However, this step proved very valuable for gcc 3.0 development, because of the huge user base acting as testers. Of course, 99 percent of Red Hat users would never have bothered to install a development snapshot of gcc (and the rest would not have used it in a production environment...).

Re:SUSE (1)

ahillen (45680) | more than 10 years ago | (#9477111)

SUSE is now one of the premier players on the linux scene now...

Hmm, I think they also were before. But with Novell's help probably even more so. ;)

Nice project but documentation is lacking... (5, Informative)

ErikTheRed (162431) | more than 10 years ago | (#9476277)

Ever since FreeS/WAN gave up on changing the world to Opportunistic Encryption (not my favorite idea, but I suppose if I feel too strongly I can write my own damn implementation :) ), I've been looking into alternatives, and obviously OpenS/WAN is the first choice. A frustration I had when looking into it was that I couldn't find any documentation describing the differences between the two projects. I didn't do any diffs on the documentation, but from a brief perusal it looks pretty much like the FreeS/WAN docs. Does anyone out there have a list of specific differences between the projects - other than the included patches for things like X.509, NAT traversal, etc. that are also included in Super FreeS/WAN (I'm kind of assuming that there are more changes)?

Re:Nice project but documentation is lacking... (3, Informative)

buddha42 (539539) | more than 10 years ago | (#9476342)

http://www.openswan.org/development/roadmap.php

Re:Nice project but documentation is lacking... (5, Informative)

velkro (11) | more than 10 years ago | (#9477063)

Hi,

I was the maintainer of Super FreeS/WAN, and am now the release manager of Openswan.

We're currently working on a whole new set of documentation, in DocBook/XML format to boot. It's slow, since we all know how much developers love to write documentation, but it's coming. For now, you can see The Wiki (openswan.org), which will probably get slashdotted.

Ken

and ? (3, Interesting)

kayen_telva (676872) | more than 10 years ago | (#9476305)

What does FreeSWAN do that OpenVPN (sourceforge.net) does not?
I have never tried SWAN because OpenVPN is so easy.
Are there any compelling reasons to try it ??

Re:and ? (5, Informative)

jcr (53032) | more than 10 years ago | (#9476341)

IPSEC, of which FreeSWAN is one implementation, doesn't require that you set up a point-to-point tunnel like VPNs do. It encrypts any traffic between any machines that implement it.

-jcr

IP Encryption vs. TCP Encryption (4, Informative)

billstewart (78916) | more than 10 years ago | (#9477186)

Actually, IPSEC does require setting up point-to-point connections (though they can be tunnel mode or transport mode) - but one of the goals of FreeSWAN's Opportunistic Encryption was to do this automatically whenever possible.

The real difference is that IPSEC is encrypting at the IP layer of the protocol stack, aka Layer 3 in OSI terms, while OpenVPN is creating a TCP Layer 4 tunnel. Inside the tunnel, IPSEC normally puts Layer 3 IP packets, while OpenVPN does something with a TUN/TAP driver on the ends, so they could be doing Layer 3 IP packets or Layer 2 Ethernet packets, and I haven't read the docs enough to know which they did. Layer 4 has more overhead, but has a potentially easier time going through NAT.

For both of these applications, you have to create an association between two endpoints, and then tell your endpoints' packet handlers to use that association when they want to get packets somewhere. The choice of protocol layers for the inside and outside of the crypto tunnel has a major impact on how you get the routing mechanisms (or whatever) to decide to set up a tunnel and send packets through it.
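The tunnel-versus-transport distinction in the comment above is easiest to see on the wire. The following is an added example, not code from the original thread or from the Openswan project: it builds ESP packets (RFC 4303) around a constructed TCP segment in both modes, using NULL encryption (RFC 2410) so the layout stays readable and HMAC-SHA1-96 (RFC 2404) for integrity, then parses them back. The host addresses, SPIs and the fixed key are assumptions for the demo; a real SA would encrypt the payload and take its keys from IKE.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50   # IP protocol number that carries ESP
NH_IPV4 = 4      # ESP Next Header 4: payload is a whole IPv4 packet (tunnel mode)
NH_TCP = 6       # ESP Next Header 6: payload is a bare TCP segment (transport mode)
ICV_LEN = 12     # HMAC-SHA1-96 keeps the first 96 bits of the 160-bit tag (RFC 2404)

def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload) of an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:]

def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    """Build SPI | seq | payload | padding | pad len | next header | ICV (RFC 4303)."""
    pad_len = (-(len(payload) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default padding: 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def esp_decapsulate(esp: bytes, auth_key: bytes):
    """Verify the ICV first, then return (spi, seq, next_header, payload)."""
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):    # reject forgeries before parsing anything
        raise ValueError("ICV mismatch: wrong key or tampered packet")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]

def is_authentic(esp: bytes, auth_key: bytes) -> bool:
    """True when the ESP packet's ICV verifies under auth_key."""
    try:
        esp_decapsulate(esp, auth_key)
        return True
    except ValueError:
        return False

def tunnel_mode(inner: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Gateway-to-gateway: the whole inner IP packet rides inside ESP, inner addresses hidden."""
    return ipv4_packet(gw_src, gw_dst, ESP_PROTO, esp_encapsulate(spi, seq, inner, NH_IPV4, key))

def transport_mode(src: str, dst: str, segment: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Host-to-host: only the transport segment rides inside ESP, IP addresses stay visible."""
    return ipv4_packet(src, dst, ESP_PROTO, esp_encapsulate(spi, seq, segment, NH_TCP, key))

# Constructed sample data: hypothetical hosts and a fixed key (a real SA gets its keys from IKE).
KEY = bytes.fromhex("0b" * 20)
SEGMENT = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)  # TCP SYN, no data
INNER = ipv4_packet("10.1.0.5", "10.2.0.7", NH_TCP, SEGMENT)

def demo():
    """Encapsulate the same connection both ways and show what a sniffer on the path sees."""
    tun = tunnel_mode(INNER, "192.0.2.1", "198.51.100.1", 0x1000, 1, KEY)
    trn = transport_mode("10.1.0.5", "10.2.0.7", SEGMENT, 0x2000, 1, KEY)
    results = {}
    for name, pkt, expected in (("tunnel", tun, INNER), ("transport", trn, SEGMENT)):
        src, dst, proto, esp = parse_ipv4(pkt)
        _, _, next_header, payload = esp_decapsulate(esp, KEY)
        results[name] = ((src, dst, proto), next_header, payload == expected)
    return results

if __name__ == "__main__":
    for name, (outer, nh, ok) in demo().items():
        print("%-9s outer=%s next_header=%d payload_ok=%s" % (name, outer, nh, ok))
```

Run it and the tunnel-mode packet shows only the two gateway addresses on the outside with Next Header 4 (a complete IPv4 packet inside), while the transport-mode packet keeps the real host addresses visible and carries Next Header 6. Either way the on-path observer sees IP protocol 50, which is why a NAT between the peers breaks plain ESP and Openswan's NAT-T option (UDP encapsulation) exists.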

Re:and ? (4, Informative)

ErikTheRed (162431) | more than 10 years ago | (#9476356)

What does FreeSWAN do that OpenVPN does not?
It's an implementation of IPSec, and thus is compatible with a whole slew of systems. For most corporations running VPNs, Extranets, etc., IPSec is pretty much the de facto standard. I'll be the first to call IPSec a huge designed-by-committee pain in the ass, but it's pretty damned secure when properly implemented, and it's a widely supported open standard.

Re:and ? (5, Informative)

accessdeniednsp (536678) | more than 10 years ago | (#9476364)

The *SWANs are IPsec. OpenVPN is not. IPsec is cross platform and cross-vendor (hang on, before you get excited, let me finish) and is a (series of) RFCs. IPsec also gets you plenty of perks such as kernel-space (fast, secure, etc).

Now for the "reply" trigger-happy, OpenVPN does do SSL/TLS, is all in user-space, and does neat things, yes. However, with the *SWANs, you can also get x509, nat-t, dpd, foo, and bar. And yes, OpenVPN is cross-platform.

The problem lies in not being cross-vendor. And you also have to realize that there is a very large inter-web out there and not everyone uses the same platforms and vendors, etc.

For example, as a security engineer, I often have to build VPNs between disparate vendors, devices, and software versions. Even with IPsec/IKE it's difficult enough. And they've all pretty much agreed on how to speak IKE well enough to at least have a meet-and-greet among each other. Unfortunately, there is plenty of room for interpretation, so each vendor has a slightly different dialect.

The point being, OpenVPN isn't a "standards-based VPN" whereas an IKE-based VPN is. I know it's not necessarily a great answer to the question, but it is the truth. (Besides, OpenVPN even says so on their site...it does not do IKE.)

(whoa, poet and didn't know it)
(woops, i did it again!)
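For readers wondering what the host-to-host, net-to-net and X.509 setups from whoever57's answer and the X.509/NAT-T/DPD options listed above look like in practice, here is an illustrative Openswan 2.x ipsec.conf. It is an added example written for this page, not a file from the original thread or from the Openswan project's documentation; the addresses, identities, certificate file name and the `0sAQ...` key placeholders are assumptions, while the keyword names are the ones ipsec.conf(5) accepts.

```ini
# /etc/ipsec.conf (Openswan 2.x syntax; all addresses and names are hypothetical)
config setup
    interfaces=%defaultroute
    # NAT-T: wrap ESP in UDP/4500 when a NAT sits between the peers
    nat_traversal=yes

# Net-to-net: 10.1.0.0/16 behind gateway A <-> 10.2.0.0/16 behind gateway B,
# authenticated with raw RSA keys. Paste each side's public key from
# "ipsec showhostkey --left" on A and "ipsec showhostkey --right" on B.
conn site-a-to-site-b
    type=tunnel
    authby=rsasig
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftid=@gw-a.example.com
    leftrsasigkey=0sAQ...
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightid=@gw-b.example.com
    rightrsasigkey=0sAQ...
    pfs=yes
    # Dead peer detection: probe every 30 s, rebuild the tunnel after 120 s of silence
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

# Host-to-host in transport mode between two servers, same RSA authentication
conn db-to-app
    type=transport
    authby=rsasig
    left=192.0.2.10
    leftid=@db.example.com
    leftrsasigkey=0sAQ...
    right=192.0.2.20
    rightid=@app.example.com
    rightrsasigkey=0sAQ...
    auto=start

# Road warriors with X.509: any peer presenting a certificate signed by a CA
# in /etc/ipsec.d/cacerts/ may connect from any address.
conn roadwarrior
    authby=rsasig
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftcert=gw-a.pem
    leftid="C=US, O=Example, CN=gw-a.example.com"
    right=%any
    rightrsasigkey=%cert
    auto=add
```

The private halves of the keys go in /etc/ipsec.secrets (a `: RSA` line, either the raw key or the certificate's key file). After `ipsec auto --up site-a-to-site-b`, `ipsec auto --status` shows the SA, and a sniffer on the outside link should see only IP protocol 50 (or UDP/4500 when NAT-T kicks in) between the two gateway addresses, never the 10.x hosts.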

Re:and ? (1)

Homology (639438) | more than 10 years ago | (#9476437)

OpenVPN is a free VPN client (talking to an OpenVPN gateway, of course) on Windows that is much easier to setup and get working than IPSec - at least for Windows 2000 Pro. Most Windows users will use a commercial VPN client when using IPSec.

Re:and ? (4, Interesting)

kayen_telva (676872) | more than 10 years ago | (#9476524)

However, with the *SWANs, you can also get x509, nat-t, dpd, foo, and bar.

x509 is certs, right? OpenVPN can do 'em. nat-t? OpenVPN doesn't need that kludge. It uses one port that can be redirected through multiple NATs if need be. Dead peer detection? OpenVPN is self healing. Link goes down, comes back up and OpenVPN reconnects.

Now before I get too carried away, I don't know shit about vpn, but SWAN looks like a bitch (based on my IPCop machine) and OpenVPN is very easy.

Re:and ? (1)

mcrbids (148650) | more than 10 years ago | (#9476641)

...SWAN looks like a bitch (based on my IPCop machine) and OpenVPN is very easy.

How long does it take to put together a "normal" VPN? I spent about 6 hours before I got OpenVPN to work, futzing with this option, that config file, etc. until I *finally* got it to do what I wanted.

Specifically, I have a remote desktop application that I use for tech support (based on VNC) that requires the customer to download a program from a web page, and then connect to a dedicated IP.

The VPN connects my laptop to the dedicated IP so that, wherever I am, I can use the VNC application on any broadband 'net connection.

I'm *not* a newbie - is this typical?

Re:and ? (1)

kayen_telva (676872) | more than 10 years ago | (#9476754)

Sounds like you had some extra requirements that I didn't have to mess with. I set up openvpn on my laptop so that every time it turns on, if it has an internet connection, openvpn connects to my home computer, creates the vpn, and I can browse or remote control my home computer. It doesn't matter where I am, my laptop "phones home" and creates the connection. Took me less than an hour (including forwarding one port in my firewall), by just following the instructions. I think I probably set up the most simple type it supports (shared key using SSL). I have been wanting this for several years, but hated the IPsec/PPTP/L2TP/SWAN complexities. I "knew" someone would make a simple vpn app eventually, and I was so pleased I donated. Can't code for shit so I put my money where my data is. I'm going to research the SWAN IPsec implementation more closely just so I know what I am missing ;)

Re:and ? (2, Interesting)

xsecrets (560261) | more than 10 years ago | (#9477056)

Well, 6 hours is nothing compared to trying to get one of the SWANs set up for road warrior mode. I work with IPSEC implementations from numerous vendors on a daily basis, and I spent almost two weeks trying to get FreeSWAN to do road warrior before I just gave up to wait for someone to actually write an IPSEC client for linux. That was over a year ago, and still, even with ipsec built into the 2.6 kernel, no one has.

This is one area where I think one of the commercial distributions could easily differentiate themselves from the pack, but no signs of it yet.

Re:and ? (2, Interesting)

Anonymous Coward | more than 10 years ago | (#9477287)

IPsec is secure tunneling done right. If you go with a TCP-in-TCP solution, some things screw up. You don't need to mess with OpenVPN for that, good old PPP-over-SSH works perfectly. But it still is TCP-in-TCP.

openvpn by default uses the UDP port (1)

ion++ (134665) | more than 10 years ago | (#9477526)

OpenVPN by default uses udp port 5000, but if you want to, you can configure it to use any other port, and tcp rather than udp. But as you wrote, tcp over tcp can bring trouble.

Re:and ? (0)

Anonymous Coward | more than 10 years ago | (#9476566)

IPsec is a protocol designed and scrutinised by real security experts.

Interoperability: there are several IPsec implementations available.

Built-in client: recent versions of Windows, Mac and Linux support IPsec out of the box. No need to download and install a third-party client.

fr15t psot (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9476353)

Rooting Corpse [goat.cx]

ISAKMPD (1)

Anonymous Coward | more than 10 years ago | (#9476367)

I don't get it. Why not use isakmpd for key management?

It's easy to set up, and works just fine on my gentoo box.

Re:ISAKMPD (1)

DetrimentalFiend (233753) | more than 10 years ago | (#9476414)

FreeS/Wan (what Openswan is built off of) was around a long time before the code that is now shipped with the kernel. As for why people haven't resigned themselves to using the (newly) built-in IPSec code, I'm not sure. Maybe it's because Openswan is very reliable and is already running on many production servers.

patents hurt openswan (2, Informative)

jaymzter (452402) | more than 10 years ago | (#9476382)

Openswan is a good example of a patent hurting an Open Source app. I *need* LZS compression for my company's VPN, but Openswan won't work cuz of IPCP LZS compression. I was offered an internal version of super-freeswan with the LZS code but refuse to use it cuz it's not Free. I'm stupid that way.

Re:patents hurt openswan (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9476530)

I would fire you in about 4 seconds if you worked for me.

Re:patents hurt openswan (1, Informative)

Anonymous Coward | more than 10 years ago | (#9476616)

Huh? IPCP is used by PPP, not IPsec. If you really need LZS compression, you would need to fix your pppd. You would still have the patent issue, though.

Openswan supports IPCOMP compression. It should interoperate with many IPsec implementations, if they support IPCOMP.

Re:patents hurt openswan (1)

pe1chl (90186) | more than 10 years ago | (#9477568)

Does it work with Cisco?
FreeS/Wan doesn't.

I would like to enable encryption on my link to work, but as soon as I do so the link dies.
It works OK between FreeS/WANs and between Ciscos but not between the two...

Re:patents hurt openswan (1)

velkro (11) | more than 10 years ago | (#9477585)

I've done Openswan interop with Cisco... 17xx's, 36x, 72xx's and 30xx series VPN Concentrators.

So, details please... it works nicely for me.

Re:patents hurt openswan (1)

pe1chl (90186) | more than 10 years ago | (#9477600)

It does not work between Cisco and FreeS/WAN (1.99), and all I have been able to find on Google is posts from people with the same problem. The link just does not work when compression is enabled.

Re: worst. story. ever. (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#9476384)

Concerned about the demise of FreeS/WAN?

I can think of about 49,309 things I'm more concerned about.

If, like me, Openswan doesn't work for you (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9476391)

Check out the competition. [vyr.us]

Usability (-1, Flamebait)

davidsturnbull (650325) | more than 10 years ago | (#9476408)

Until they fix the braindead configuration, fuck *SWAN.

Now that I've had to use Linux more, I'm used to spending a couple of hours figuring out how some bullshit works; I probably have the skills to suss it out.

What is it about concise, detailed and _useful_ manpages that the Linux community couldn't give a toss over?

Why? (4, Interesting)

Turmio (29215) | more than 10 years ago | (#9476412)

There has been a working and tested IPSec implementation from Kame Project [kame.net] in the vanilla Linux kernel for some time now. Why go with a competing and conflicting IPSec implementation that was once formed because the official Linus tree lacked the support? Diversity is a richness and so on, but in this case I feel like these efforts seem fruitless. But big companies such as Novell don't do things just because they can, so maybe there's something I don't quite get. I'd love to be enlightened, though.

Re:Why? (2, Interesting)

Anonymous Coward | more than 10 years ago | (#9476503)

Because it's like OSS (open sound system) versus Alsa. OSS is being deprecated in favor of Alsa. Likewise, because of Novell's support, Kame will be deprecated as Openswan ascends. Novell is putting a lot of money and engineers behind Openswan. Other vendors are getting on board too. Openswan is the future. Kame just doesn't have the flexibility and features to meet *all* the needs of the professional enterprise.

Re:Why? (5, Informative)

hsjones (789284) | more than 10 years ago | (#9476809)

A complete VPN solution is more than just an IPsec module (Kame) or an IKE module (Racoon). So it's not a question of Openswan vs. 2.6 kernel IPsec. Openswan moves up the stack with added functionality and intends to continue doing so. And it can use either the FreeS/WAN IPsec engine (which is being carried forward for use on pre-Linux 2.6 machines) *or* the 2.6 kernel IPsec (Kame).

(Btw, the 2.6 kernel hasn't exactly been official "for some time now" -- even SuSE is just now shipping it in their 9.1 release.)

In fact, with Novell now involved in Openswan (which means IBM is likely involved as well but less publicly), we will probably see Openswan work with IPsec hardware too (IBM makes some).

Re:Why? (2, Interesting)

velkro (11) | more than 10 years ago | (#9477106)

There are still bugs in the KAME IPsec stack that is integrated into the Linux 2.6 series of kernels, and will be for another few months, I suspect.

Look at the recent posts on the netfilter lists, for instance - doing secure firewalling with 26sec is still a real pain. There's a set of 6 patches now, but they aren't integrated into the kernel yet, and some may not be for some time.

Also, there's some network configurations that work fine under 2.4/Openswan, but will not work at all in 2.6. One of these configs I use daily (subnet extrusion), so I've been unable to update any of my production machines to the new stack, even though I'm one of the Openswan developers.

I hope to see about solving some of this at LinuxTag in a few days, since there will be a large contingent of developers present, and putting the right people in a room together gets things resolved very quickly :)

Ken

KAME has problems (2, Interesting)

ink (4325) | more than 10 years ago | (#9477607)

Try managing 20 ipsec connections with KAME/racoon sometime. You almost always have to kill all the tunnels when a change is made to one tunnel. With Openswan, you can simply do 'ipsec auto --down/--up connectionname' after the connection has been defined. Racoon log messages themselves are cryptic; when no policy can be found, it simply logs (when logging works) a message to that effect: "no policy found"; Openswan will give you all the details of the attempted policy, without having to restart it in "debug mode" or "running Racoon in foreground -F mode". Racoon seems to have problems logging normal information to syslog -- sometimes its messages just disappear mysteriously (I've seen this on RHEL3 and FC2).

KAME also has problems with netfilter; specifically it doesn't work with all NAT rules, which are VERY common on ipsec gateways. It also doesn't work at the interface level, so many of the advanced routing tools don't work like you'd expect (try using tc with it, on an interface level...).

I don't know why 2.6 and the Linux ipsec-tools project standardized on KAME. It may be from BSD, but we already have better userland tools, and they already (mostly) work with the new 2.6 ipsec interfaces. Hopefully these tools will get better with time, but right now pluto/openswan are simply more mature, stable and just plain better.

What's new, Kohza? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9476482)

http://whatsnewkohza.ytmnd.com

Novell's Commitment to Free Software (4, Insightful)

soren42 (700305) | more than 10 years ago | (#9476528)

I'm so very pleased by this news. My biggest concern from Novell's acquisition of SuSE and Ximian was whether or not they would continue to support Free Software. With other major Linux vendors (well, vendor) seemingly moving more and more toward closing their software, and locking users into their products, it's refreshing to see Novell opening more software up and supporting community projects.

We've seen it now with their support of OpenSWAN, the open-sourcing of YaST and iFolder, and the continuing free releases of SuSE 9.1.

As I said, I'm very pleased to see this, and I suspect we'll see even more support of the open source and free software community from the reborn phoenix that is Novell.

Re:Novell's Commitment to Free Software (0)

Anonymous Coward | more than 10 years ago | (#9477043)

[...]from the reborn phoenix that is Novell.

A phoenix is a bird that by definition is reborn. Something that is already reborn cannot be prefixed as being reborn.

Cheesy Cheese? Brown Dogshit? White Lightning? Open Goatse? Fuck Microsoft? Slashdot Sucks? Win32 Virus? Yellow Urine? Dank Fart?

Re:Novell's Commitment to Free Software (4, Interesting)

Sunspire (784352) | more than 10 years ago | (#9477255)

With other major Linux vendors (well, vendor) seemingly moving more and more toward closing their software...

Look, we all know which company you're thinking of, and I'm telling you you're completely misinformed. Can you please let me know some of the supposed closed programs this evil company is distributing, because the last time I checked it was all open source. Somehow the bashers always forget this detail...

This is the company that is afraid to include mp3 support for being non-free, right? The company that pays Alan Cox, Arjan van de Ven, Dave Jones, Jeff Garzik, Warren Togami, Roland McGrath, Guy Streeter and many more to hack the kernel? In fact, if I'm not mistaken this company has more kernel hackers than IBM and Novell combined (read a kernel changelog lately)? I'd list some GNOME developers that work for this beast of a company, but let's just say outside Ximian they're the #1 employer here as well (cough, Havoc Pennington, Alexandre Oliva *cough*). And all that money and effort they pour into Freedesktop.org and X.org, that's just to lock you in, right?

That company? Am I forgetting something... ? Oh yeah, they pretty much alone funded NPTL development for 2.6, backported it to 2.4 not only for their paying customers but their free version too. I guess they're pretty much the de facto maintainers of GCC and glibc these days too, but other than that, what have they ever given us?

Re:Novell's Commitment to Free Software (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9477260)

REG:
They've bled us white, the bastards. They've taken everything we had, and not just from us, from our fathers, and from our fathers' fathers.
LORETTA:
And from our fathers' fathers' fathers.
REG:
Yeah.
LORETTA:
And from our fathers' fathers' fathers' fathers.
REG:
Yeah. All right, Stan. Don't labour the point. And what have they ever given us in return?!
XERXES:
The aqueduct?
REG:
What?
XERXES:
The aqueduct.
REG:
Oh. Yeah, yeah. They did give us that. Uh, that's true. Yeah.
COMMANDO #3:
And the sanitation.
LORETTA:
Oh, yeah, the sanitation, Reg. Remember what the city used to be like?
REG:
Yeah. All right. I'll grant you the aqueduct and the sanitation are two things that the Romans have done.
MATTHIAS:
And the roads.
REG:
Well, yeah. Obviously the roads. I mean, the roads go without saying, don't they? But apart from the sanitation, the aqueduct, and the roads--
COMMANDO:
Irrigation.
XERXES:
Medicine.
COMMANDOS:
Huh? Heh? Huh...
COMMANDO #2:
Education.
COMMANDOS:
Ohh...
REG:
Yeah, yeah. All right. Fair enough.
COMMANDO #1:
And the wine.
COMMANDOS:
Oh, yes. Yeah...
FRANCIS:
Yeah. Yeah, that's something we'd really miss, Reg, if the Romans left. Huh.
COMMANDO:
Public baths.
LORETTA:
And it's safe to walk in the streets at night now, Reg.
FRANCIS:
Yeah, they certainly know how to keep order. Let's face it. They're the only ones who could in a place like this.
COMMANDOS:
Hehh, heh. Heh heh heh heh heh heh heh.
REG:
All right, but apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, and public health, what have the Romans ever done for us?
XERXES:
Brought peace.
REG:
Oh. Peace? Shut up!

Re:Novell's Commitment to Free Software (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9477291)

There are basically 3 kinds of Red Hat haters around these days.

1. The n00b. Red Hat = MS. This person doesn't let the facts get in the way of a good argument. He's running Linux 'cause it's the l33t thing to do. Listen sonny, I was installing Slackware from disksets from the local BBS when you were a twinkle in your daddy's eye. Between then and now the community, and I myself, have written a shitload of code so that I and you don't have to do things the hard way anymore to be l33t. I've got actual work to do now on Linux, get this, not in fact related to Linux at all.

2. The rabid KDE zealot (a minority in the KDE community). Red Hat will go KDE, oh, right about when the Sun goes Nova. They hate RH and Ximian for basically keeping GNOME alive no matter what might come.

3. The distro zealot. "My distro makes me feel like a productive community member, because I've got GCC compiling 24/7... not that I know what any of the output means...". Curiously you never, ever see these distro makers posting on the Linux kernel mailing list, or contributing to any core project outside their own little package management tools.

Going Forward (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#9476629)

The following comment will likely be labelled as -1: Troll, but I have to say it:

Stop using the asinine phrase "going forward". It reeks of stupid managerial dialect and, for me anyway, cheapens whatever point you're trying to make.

Native IPsec Embedded in the Kernel (3, Informative)

afriguru (784434) | more than 10 years ago | (#9477156)

Note that Freeswan and Openswan are not strictly needed for the future because:

"As of Linux 2.5.47, there is a native IPSEC implementation in the kernel. It was written by Alexey Kuznetsov and Dave Miller, inspired by the work of the USAGI IPv6 group. With its merge, James Morris' CryptoAPI also became part of the kernel - it does the actual crypting."
http://lartc.org/howto/lartc.ipsec.html

Freeswan only needs to remain secure for current deployments. This means fixing any discovered vulnerabilities.

Re:Native IPsec Embedded in the Kernel (1)

Sunspire (784352) | more than 10 years ago | (#9477304)

It's not an either/or choice, Openswan can in fact directly use the kernel IPsec modules in 2.6. But Openswan is a whole lot more too, it provides all the userland tools and higher level functionality that makes using IPsec easier and more powerful. There exist other Linux IPsec toolchains, but right now Openswan seems to have the most momentum.

Re:Native IPsec Embedded in the Kernel (1)

jamesh (87723) | more than 10 years ago | (#9477373)

I use debian sarge on which the 2.4 kernel has the 2.6 IPSEC implementation backported. So xS/Wan is just the key manager. It is easier to use and more flexible than all the others I have tried.

Re:Native IPsec Embedded in the Kernel (3, Informative)

velkro (11) | more than 10 years ago | (#9477594)

Sorry, but complete your research before spouting off links and quotes.

2.6 has an IPsec kernel layer implementation. There are two parts to IPsec - the kernel layer, and the key management (IKE) portion. The IKE daemons are userland, and without them, you don't have a complete IPsec implementation.

Thus, they have ported isakmpd/racoon to Linux, or you can run Openswan's userland tool (aka pluto).

If you ask me... (0, Redundant)

ross.w (87751) | more than 10 years ago | (#9477251)

It sounds more like an ugly duckling.

Somewhat more off-topic (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9477258)

When is SLES 9 coming out?

OpenVPN is an excellent alternative to IPSec... (2, Informative)

Anonymous Coward | more than 10 years ago | (#9477294)

OpenVPN (http://openvpn.sf.net/) is an excellent alternative to IPSec. It uses UDP or TCP as the transport layer and doesn't care about NAT. You can have NAT on both sides. The client and server share the same code and can be used on WIN32 or GNU/Linux (and more). Version 2.0 can handle routing per X.509 certificate... and much more.

Novell-Suse-... should sponsor this excellent project instead of the brain damaged(tm) IPSec.

screw this...why not just use.. (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9477459)

a Cisco solution?

More widely tested and secure.