While not a sales pitch, and in fact I don't think the product seems to have sold well anyway, it was very interesting to work with them on the test harness we built to validate correct IPsec operations, configuration, validation that data wasn't leaking outside of the SAs that were being provisioned, and performance via the translated policy. The relatable component was this was mainly done against StrongSwan implementations of the IKE daemon if I remember correctly (Linux, AIX and Solaris mainly). I wonder if any of those bits flowed back upstream or if the bolt-on aspect kept that from happening.
StrongSwan isn't complex if you are well versed in IPsec implementation as a whole. It's no more or less complicated than other implementations and is "better" than TLS in its own right with regard to things that could go wrong. In static environments it's relatively painless once the learning curve is overcome.
That being said I feel like IPsec has a badge it will never get rid of and people discard it before attempting implementation at this point. Hopefully, as mentioned amongst the comments, things like WireGuard will mature and become more mainstream. I very much like the concept carry over that both IPsec and WireGuard can be silent actors within the network not giving away hosts as things like OpenVPN and SSH do. IPsec can, unfortunately, also be implemented to squawk at spurious connection attempts - but at least doesn't rely on the premise as much as things like OpenVPN and SSH do.
And for the record - you can tell someone who's dealt with IPsec extensively since they won't refer to it as IPSec. o_O Microsoft is notorious for getting it wrong.
https://github.com/trailofbits/algo
It even generates Apple profiles to auto configure your iPhone!
Was pretty painless.
have a look at how 'rekeying' is done. look at the numerous bugs in strongswan issue tracker related to this. the whole protocol is a shit show and it is really surprising that anything actually works between different vendors.
You can see our work here: https://github.com/appscode/swanc
Any reason you didn't use weave?
OpenVPN worked just fine, but I could never make StrongSwan work at all. Which is a shame, I really wanted to have an easy-to-use VPN for my phone and so forth. Settled on OpenVPN, which worked well enough with the iOS clients.
what are the incentives to continue using IPsec or Strongswan?
I set up StrongSWAN using smartcards almost 15 years ago, at the time it was the only open source IPSec client that supported it. It was relatively easy to get going (the server was a Cisco VPN appliance, which I managed and it was relatively easy to extract the relevant IKE profiles).
Oh, and where is Wireguard supported out of the box like IPsec is?
I was thrilled when FreeBSD added IPSEC support in 11-RELEASE, but was less excited to learn that IPSEC_NAT_T wasn't compiled in, making it impossible to use strongswan. Oh well, maybe in 11.1 :)
You're welcome.
The process was complex and there are things I still don't understand but it does work and the documentation and examples are quite comprehensive. The only issue I had with them was they assume a fair amount of familiarity with subjects that I didn't have. I'm mainly a serverside developer not a network admin, and whilst I have a vague understanding of how certs work I didn't have much awareness of VPN protocols or terminology so I had to abuse google pretty thoroughly.
It took about a day to do and I had to watch logs from server and client to figure it out, but it was interesting. I'm still pleased with the results and would recommend the product.
It's an open source implementation of the Cisco AnyConnect SSL vpn, works great and it's compatible with the AnyConnect clients.
[0] https://github.com/ftao/vpn-deploy-playbook/tree/master/role...
I tried and tried, yet couldn’t get it to work. Documentation surely was lacking for Libreswan. But then I found Strongswan, and after a few more attempts I managed to set a tunnel as I wanted it. The documentation is much more complete, and the examples were specially helpful.
I am baffled by the choice made by RedHat, to use Libreswan as their official IPsec implementation. It gave me a “beta” feel, while Strongswan seems more solid. Plus the difference regarding documentation is like night and day.
Personally I've been using strongSwan since its 5.0.x for remote access - protect privacy and fight censorship (yes, originally from China where the infamous GFW is deployed...). The native strongSwan client for Android is also a killer feature worth mentioning, RSA authentication with X509 certificates works flawlessly with 1 click ;-)
My company (pre-IPO startup) has been using strongSwan for 2+ years as site-to-site solution from AWS VPC to on-premises data centres (or other cloud virtual network), with 500+ instances deployed, track record has proved it reliable as long as it's properly configured (most outages were caused by AWS maintenance ;-) The only drawback is that strongSwan currently does NOT have a mature HA solution but it's shaping up (5.4.0 introduced IKEv2 redirect). We are currently building a custom HA solution (designed to work in VPC - provide similar redundancy to AWS VPN but a lot more flexible and controllable) using strongSwan (have to use route-based as syncing 2 policy based instances is too hard or impossible).
NOTE: I've seen people mentioned L2TP, it is obsolete. L2TP does NOT provide encryption or confidentiality to traffic passes through it. L2TP/IPsec encapsulates data twice at layer 2, it has pros and cons. See this (may be out-dated) -> https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs...
IKEv{1,2} + IPsec (ESP) (tunnel mode) with PFS for both ike and esp is recommended configuration.
As mentioned in another comment: To properly install and configure strongSwan, following the tutorials available over the Internet is not enough, it requires good networking knowledge (NAT, iptables in particular), understanding of IPsec protocol suite (including IKE, AH, ESP), PKI, Linux skills, etc.
A good reference to start with: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.h...
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-...
http://www.jfcarter.net/~jimc/documents/strongswan-1308.html
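The recommendation above (IKEv2 + ESP with PFS for both IKE and ESP) is easy to state and easy to get subtly wrong in ipsec.conf, which is the "you need to understand the protocol suite" point. The following is an added example, not code from the thread or from the strongSwan project: a small checker that parses the conn sections of an ipsec.conf (with conn %default inheritance), splits the ike= and esp= proposal strings, and reports proposals without a DH group (no PFS), legacy algorithms, and a missing trailing "!" (strict mode). The two embedded configs are constructed, one weak and one corrected; the peer address is a documentation address.

```python
"""Audit strongSwan ipsec.conf proposals for PFS, strict mode and legacy algorithms.

Added example, not from the thread or the strongSwan project. Sample configs below
are constructed; 203.0.113.10 is a documentation address, not a real peer."""
import re

# Constructed: a site-to-site conn with legacy IKEv1 proposals and no ESP PFS.
WEAK_CONF = """\
config setup
    charondebug="ike 1"

conn %default
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    esp=aes128-sha1

conn site-to-site
    left=%any
    right=203.0.113.10
    authby=psk
    auto=start
"""

# Constructed: the same conn corrected to IKEv2, strict proposals, PFS on both SAs.
GOOD_CONF = """\
conn %default
    keyexchange=ikev2
    ike=aes256gcm16-prfsha384-ecp384,aes256-sha256-modp2048!
    esp=aes256gcm16-ecp384,aes256-sha256-modp2048!

conn site-to-site
    left=%any
    right=203.0.113.10
    authby=psk
    auto=start
"""

# strongSwan DH group keywords: modpNNNN[sNNN], ecpNNN[bp], curve25519/x25519, curve448/x448.
DH_GROUP = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|x25519|curve448|x448)$")
# Tokens a reviewer would flag as legacy in a new deployment.
LEGACY_TOKENS = {"des", "3des", "md5", "sha1", "prfsha1", "modp768", "modp1024", "modp1536", "null"}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}, applying 'conn %default' inheritance."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header: 'conn NAME' / 'config setup'
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
        elif current is not None:                 # indented key=value inside a section
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **kv}
            for (kind, name), kv in sections.items()
            if kind == "conn" and name != "%default"}


def proposal_findings(label, value):
    """Findings for one ike= or esp= value: comma-separated proposals, tokens joined by '-'."""
    findings = []
    strict = value.endswith("!")
    for prop in value.rstrip("!").split(","):
        tokens = prop.split("-")
        if not any(DH_GROUP.match(t) for t in tokens):
            findings.append(f"{label}: '{prop}' has no DH group, so no PFS for this SA")
        findings.extend(f"{label}: '{prop}' uses legacy algorithm '{t}'"
                        for t in tokens if t in LEGACY_TOKENS)
    if not strict:
        findings.append(f"{label}: no trailing '!', strongSwan will also offer its default proposals")
    return findings


def check_conf(text):
    """Return {conn_name: [finding, ...]}; an empty list means the conn passed."""
    report = {}
    for name, kv in parse_ipsec_conf(text).items():
        findings = []
        kex = kv.get("keyexchange", "ike")        # strongSwan default accepts either version
        if kex != "ikev2":
            findings.append(f"keyexchange={kex}: prefer ikev2")
        for label in ("ike", "esp"):
            if label in kv:
                findings.extend(proposal_findings(label, kv[label]))
            else:
                findings.append(f"{label}: not set, strongSwan defaults apply")
        report[name] = findings
    return report


if __name__ == "__main__":
    for title, conf in (("weak", WEAK_CONF), ("corrected", GOOD_CONF)):
        for conn, findings in check_conf(conf).items():
            print(f"[{title}] conn {conn}: {len(findings)} finding(s)")
            for f in findings:
                print("   -", f)
```

The weak config yields seven findings for the one conn (IKEv1, two legacy tokens and no strict flag on ike=, no DH group plus a legacy token and no strict flag on esp=); the corrected config yields none. The checker only reads proposal strings, so it says nothing about PSK strength, NAT handling or firewall rules, which the comment above lists as the other prerequisites.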
The advantages:
* It has a streamlined/faster key negotiation protocol. IKEv2 tunnels can be established in a fraction of the time it takes for IKEv1 negotiation, especially when negotiating multiple SAs.
* More robust integrity algorithms which can detect and re-establish a tunnel faster.
* It supports EAP, so in client/server mode (vs. tunnel mode) you can attach it to an AAA server to assign IP addresses and do user authentication, making L2TP and shared secrets unnecessary. (Note that when using IKEv2 for IPSec tunnels, one still must use either a shared secret or certificates for authentication.)
(Technically you can also skip IKE and manually configure the symmetric keys and parameters, using e.g. setkey from Linux ipsec-tools)
I'm using it on my VPS, with my Mac as a client to bypass the UK big brother, and on Android to bypass tethering blocks (in conjunction with the Tether app)
e: Everybody says that using a VPN is a "good thing" but I honestly can't find a use for one in my day-to-day.
Most people use VPN for security purposes. Now, when I mention security, there's various kinds. It can vary from hiding from state-attackers, to not wanting to be surveilled, to just torrenting stuff to avoiding a nasty letter from your ISP.
If you have nothing to worry about in the last paragraph, then the other case is organisational policies or accessibility. Routing all client traffic through a company's server because some companies' internal servers only allow requests from whitelisted IPs and drop all other packets. Of course, as a consumer/employee this is not something you have to worry about but it is something for sysadmins, and/or the security person who makes decisions at a company. And looks like there are a few of those in this thread. Hence all these discussions.
If you want to get into using VPNs, I'd suggest getting a server online first, something from digital ocean, AWS or Gcloud. If you want something super cheap, I suggest OVH's VPS. And the best tutorials in my opinion are from Digital Ocean[1]. If you only know how to use Ubuntu, here's[2] what you want.
[1]:https://www.digitalocean.com/community/tags/vpn?type=tutoria...
[2]: https://www.digitalocean.com/community/tutorials/how-to-set-...
http://jerrygamblin.com/2016/07/10/the-vpn-you-should-be-usi...
To properly install and configure strongSwan, following the tutorials available over the Internet is not enough. One needs to have basic networking knowledge (NAT, iptables in particular), good understanding of IPsec protocol suite (including IKE, AH, ESP), PKI, Linux skills, etc.
This is a good reference but still needs the knowledge mentioned above to get it to work: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.h...
For whatever reason, OpenVPN is way easier to get up and running. Little knowledge required. UDP overhead is minimal.
t. Recently implemented an OpenVPN client from scratch.
I feel your pain. I remember trying to install DNSCrypt[1] on Linux and failing miserably. I was convinced it would work if only I found the right solution online, or if only the right amount of caffeine was in my bloodstream, or if by sheer effort of will I could get it working, but I still failed. I partially got it installed, error messages galore in my terminal, and all my /paths/ were wrong. It was a humbling experience. I quickly uninstalled it as I don't want partially working, broken soft running on my machine.
I guess for this situation a decent OpenVPN client would be ideal like Viscosity[2]
Would you clarify how it's obsolete, because it doesn't follow from "L2TP does NOT provide encryption or confidentiality..."? AFAIK no one uses L2TP by itself, as there's no shortage of encapsulation protocols (GRE, AYIYA, vxlan, etc.) for other purposes. In practice L2TP/IPsec are always paired akin to TCP/IP, even though in theory you could do things like TCP/IPX or TCP/AppleTalk, or whatever. In the context of VPNs, L2TP/IPsec is "the protocol" even though they are two distinct pieces.
> L2TP/IPsec encapsulates data twice at layer 2, it has pros and cons. See this (may be out-dated) -> https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs....
Sure it's not optimal, but for its intended purpose, establishing VPNs from roaming devices to intranets, the overhead hardly matters. IMO, what does matter is client device and network[0] compatibility, and L2TP/IPsec is hard to beat here. I wouldn't say that OpenVPN or other VPN solutions obsolete L2TP/IPsec in this aspect, either.
For (semi-)permanent site-to-site VPNs I agree just use IPsec.
[0] IIRC last time I chimed in on L2TP/IPsec you or someone else in the thread disputed that firewalls were generally not an issue for IPsec, contrary to my personal experience. Maybe I've just been extremely lucky, so I'll concede this point.
My experience has been that it's trivial to set up for site-to-site IPSec tunnels using PSK. It's literally install the package, copy a config file from the docs, start the service, done. I've been using it in scenarios like this for a while, works great even when the remote ends of the tunnel are something else (Cisco appliances, AWS VPN endpoints, etc).
I'm a little less sure how to implement it as a VPN endpoint for employees. There are two main issues here:
1. Having to support a variety of clients (Android, iOS, Mac OS X - perhaps also Windows and Linux)
2. Doing multifactor authentication in a way that works well
Especially when considering #1 and #2 together, it seems difficult to meet all demands. How to do multifactor in a way that works with many different clients? I don't much care what the "factors" are as long as they are "multi". E.g. certificate + individual password.
If I only had to support, say, user/pass authentication, I think that would be somewhat easily doable.
Any clues?
https://wiki.strongswan.org/projects/strongswan/wiki/SmartCa... https://github.com/OpenSC/OpenSC/wiki/Feitian-PKI-card
edit:
Some quick and dirty instructions to generate keys/certs that you can use with a Linux or Android client:
git clone https://github.com/ramann/smartcard-pki
cd smartcard-pki
git checkout vpn-phone
# Edit etc/vpn_server.conf to use your server's IP address
bash -x <(cat README.md | grep '`' | tr -d '`') # You really should generate the VPN server's key & request on the VPN server, but this is just to get something working
# Move vpn_server_key.pem, ca/signing-ca.crt, certs/vpn_server.crt, certs/phone.pem to your VPN server's /etc/ipsec.d/
# Edit your VPN server's /etc/ipsec.conf so that leftcert=vpn_server.crt and rightcert=phone.crt
# To set up your Android phone, just import the phone-and-ca.pfx file
# To set up your Linux client (Ubuntu 16.04 in my case), move phone_key.pem, ca/signing-ca.crt, certs/vpn_server.crt, and certs/phone.crt to /etc/ipsec.d
# Edit your client's /etc/ipsec.conf so that leftcert=phone.crt and rightcert=vpn_server.crt
# To start server: sudo ipsec start
# How to start the Android client should be obvious.
# To start linux client: sudo ipsec start; sudo ipsec up connection_name
> Warning: WireGuard is currently under heavy development, and therefore any installation steps here should be considered as experimental. Please do not rely on WireGuard at this stage. We are rapidly working toward a first release that we will consider secure and ready for widespread usage, but that time has not yet come.
[1] Well, it's theoretically possible to build a custom kernel for some devices, and manage VPN from terminal, but I'm not sure many would enjoy it this way.
However, strongSwan (IPsec) is easy to block (e.g. if detected by big brother - GFW in China) as by default it uses UDP ports 500, 4500, while OpenVPN can easily disguise as SSL/TLS or anything. In that sense, OpenVPN can be a backup for IPsec for remote access (fighting censorship).
Whether or not firewalls are doing enough DPI to figure this out is another question.
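The UDP 500/4500 point above is also what a defender uses to validate their own gateway, which is the "data wasn't leaking outside of the SAs" test harness mentioned at the top of the thread. The following is an added example, not code from the thread or from strongSwan: given packet summaries captured on a gateway's outer interface, it labels each packet by how IPsec appears on the wire (IKE on udp/500, NAT-T demux on udp/4500 per RFC 3948, raw ESP/AH) and flags anything from the protected subnets that shows up in cleartext, or any non-IPsec traffic between the two tunnel peers. Gateway addresses, subnets and packets are all constructed.

```python
"""Audit packets seen on a gateway's outer interface: traffic between the IPsec peers
should be IKE, ESP (or AH) or NAT-T, and nothing from the protected subnets should
appear in cleartext. Added example, not from the thread; all data below is constructed."""
import ipaddress
from collections import Counter, namedtuple

# proto is the IP protocol number; sport/dport are None for non-UDP/TCP; payload is the
# first few bytes after the transport header. These are constructed, not a real capture.
Packet = namedtuple("Packet", "src dst proto sport dport payload")

UDP, TCP, ESP, AH = 17, 6, 50, 51
GATEWAYS = {"198.51.100.2", "203.0.113.10"}                       # hypothetical tunnel peers
PROTECTED = [ipaddress.ip_network("10.0.1.0/24"),                 # hypothetical inside subnets
             ipaddress.ip_network("10.0.2.0/24")]

SAMPLE_PACKETS = [
    Packet("198.51.100.2", "203.0.113.10", UDP, 500, 500, b"\x6a\x2d\x91\x07\x00\x00\x00\x00"),
    Packet("198.51.100.2", "203.0.113.10", UDP, 4500, 4500, b"\x00\x00\x00\x00\x6a\x2d\x91\x07"),
    Packet("198.51.100.2", "203.0.113.10", UDP, 4500, 4500, b"\xc1\x52\x00\x01\x00\x00\x00\x05"),
    Packet("203.0.113.10", "198.51.100.2", UDP, 4500, 4500, b"\xff"),
    Packet("198.51.100.2", "203.0.113.10", ESP, None, None, b"\x0a\x3f\x11\x20\x00\x00\x00\x09"),
    Packet("10.0.1.5", "10.0.2.7", TCP, 41022, 22, b"SSH-2.0-OpenSSH"),        # cleartext leak
    Packet("198.51.100.2", "203.0.113.10", TCP, 52133, 443, b"\x16\x03\x01"),  # not part of any SA
]


def classify(pkt):
    """Label one packet by how IPsec shows up on the wire."""
    if pkt.proto == ESP:
        return "ESP"
    if pkt.proto == AH:
        return "AH"
    if pkt.proto == UDP and 500 in (pkt.sport, pkt.dport):
        return "IKE"
    if pkt.proto == UDP and 4500 in (pkt.sport, pkt.dport):
        # RFC 3948 port-4500 demux: a single 0xFF byte is a NAT keepalive, four zero bytes
        # (the non-ESP marker) mean IKE, anything else is UDP-encapsulated ESP whose
        # first four bytes are the (never zero) SPI.
        if pkt.payload == b"\xff":
            return "NAT-T-KEEPALIVE"
        if pkt.payload[:4] == b"\x00\x00\x00\x00":
            return "IKE-NAT-T"
        return "ESP-IN-UDP"
    return "OTHER"


def audit(packets, gateways=GATEWAYS, protected=PROTECTED):
    """Return [(packet, reason)] for packets that should never be seen on the outer interface."""
    problems = []
    for pkt in packets:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if any(src in net or dst in net for net in protected):
            problems.append((pkt, "protected-subnet address in cleartext on outer interface"))
        elif {pkt.src, pkt.dst} <= gateways and classify(pkt) == "OTHER":
            problems.append((pkt, "non-IPsec traffic between tunnel peers"))
    return problems


def summary(packets):
    """Histogram of wire-level labels, useful for confirming NAT-T versus raw ESP is in use."""
    return Counter(classify(p) for p in packets)


if __name__ == "__main__":
    print(dict(summary(SAMPLE_PACKETS)))
    for pkt, reason in audit(SAMPLE_PACKETS):
        print(f"LEAK {pkt.src} -> {pkt.dst} proto {pkt.proto}: {reason}")
```

On the constructed sample the audit reports two problems: the inside-to-inside SSH packet that left in the clear (a policy or route gap, which is exactly what a route-based versus policy-based setup can hide) and the TCP 443 flow between the peers that is not covered by any SA. Feeding it real traffic means producing the same five-tuple-plus-first-bytes summaries from a capture on the outer interface.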
Stuff like this is also a reason why Strongswan, OpenVPN, etc have bigger LOC. I'm not saying that Wireguard is something bad, it just must go through a growing period, where it will gain additional LOC.