FreeS/WAN

FreeS/WAN allows you to build an encrypted tunnel through an insecure network, such as the internet. The packets of data that are passed between the two endpoints of the tunnel are encrypted, so that if the data is sniffed on the untrusted network, the contents are unreadable. Each tunnel endpoint is responsible for encrypting and decrypting the packets that are sent back and forth.

The result, as you may have guessed, is a Virtual Private Network or VPN.

The FreeS/WAN project was started in 1996 with the rather ambitious goal of securing 5% of the internet from wiretapping. So far the author (gnu@toad.com) has not achieved this goal, and realizes that this goal was a bit too ambitious, but is continuing to develop the software. As FreeS/WAN is not developed within the United States, none of the stupid US encryption export controls apply, so there is no restriction on strong encryption.

Three protocols are used:

• AH - Authentication Header protocol, providing a packet level authentication service.
• ESP - Encapsulation Security Payload, providing encryption and authentication services.
• IKE - Internet Key Exchange, doing key exchange and negotiating connection parameters.

The three main parts of FreeS/WAN are:

• KLIPS - implements AH, ESP and packet handling in the kernel.
• Pluto - the IKE daemon.
• A set of scripts that provide administrative configuration of the software.

Another functionality that FreeS/WAN provides is the ability to handle road warriors, or VPN endpoints that are not at a fixed IP address. These could be users with a fixed location or DSL or Cable Modem users who are not given a static IP address by their provider.

Probably the most exciting part of FreeS/Wan is it's ability (coming RSN) to provide opportunistic encryption. This method of encryption is for any two systems configured to use opportunistic encryption to be able to create a VPN between them, even if the administrators have not configured the systems for it. Normally the two endpoints of a VPN have to be configured to "know" certain details about the other endpoint. With opportunistic encryption an endpoint can be a promiscuous little encryption whore, and establish a VPN with any other system that it finds that is also configured to use opportunistic encryption.

Freeswan is used in many projects and by many companies that need to use or sell secure communication. My company uses it in our embedded firewall device and are very happy with the results.