I don't think anyone can really tell you that, unless someone has done a
comparative analyses.
Debian/ubuntu ships horribly old openswan packages.
Should work.
I don't remember freeswan having problems with pfs. The only special case with
pfs is that freeswan/openswan always accepted pfs even when pfs=no (because
it never hurts) and in some cases that could backfire at rekey time.
Documentation and wiki needs a lot of work :( Helping there would be awesome.
The mailinglist archives should be a gold mine of information from previous
answers (I've been doing that for almost 10 years).
However, we do keep the man pages up to date, and do ship with some examples
in /etc/ipsec.d/examples/

Paul

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000066">
Some comparison like that would interest me, too.<br>
I am basically RedHat guy, so whatever RedHat unveils for their
enterprise Linux, I go for it. Unfortunately this 'tactics' is no use
here either as in RHEL-5 you can find both OpenSwan and Kame.<br>
So I would decide based on quality of support / documentation the
mailing lists of both provide.<br>
For Openswan is the support bit troublesome as Paul seems to be the
only person willing to respond/help.<br>
I would wonder how is the situation with Kame....<br>
<br>
Ondrej<br>
<br>
Whit Blauvelt wrote:
<blockquote cite="mid:***@transpect.com" type="cite">
<pre wrap="">Hi,

Apologies for asking such a general question. We were using FreeSWAN
internally some years back, then switched to OpenVPN, which has been great
for that. But now we're needing to return to IPsec to tunnel from our Linux
firewall to a remote Cisco 5510. The current state of documentation for
Linux IPsec options is sparse and disorganized. So my questions are quite
basic:

For a Linux-Cisco IPsec tunnel, are each of these equally compatible with
the Cisco?

- OpenSWAN
- KAME (ipsec-tools)
- OpenBSD's isakmpd

For Ubuntu 8.04 (with kernel 2.6.24-19-server, and no X), which of those
options installs and works most smoothly? (I note that Ubuntu seems to be
largely ignoring bugs filed against OpenSWAN - see
<a class="moz-txt-link-rfc2396E" href="https://bugs.launchpad.net/ubuntu/+source/openswan/+bugs">"https://bugs.launchpad.net/ubuntu/+source/openswan/+bugs"</a>.)

At the Cisco end they prefer as defaults (but will alter if required):

Phase 1 - pre-g2-3des-sha-86400s
Phase 2 - pfs2-esp-3des-sha-28800s
and a PSK (not cert)

Are there known gotchas there for Linux? For OpenSWAN? I'm recalling
FreeSWAN having some problems with pfs; does that remain an issue?

Looking at the OpenSWAN wiki, I see for instance a comparison of Linux IPsec
options without KAME or isakmpd included. Googling on the various
combinations, I find of plenty of problem reports and partial recipes, but
little in the way of complete accounts of success. It's obvious from the
volume on this mailing list that OpenSWAN is still a viable option. It's
fully possible I've missed answers to exactly the questions here - but my
eyes glaze over after sampling so many dozens of threads. If answers are
forthcoming, I'll try to integrate them into the OpenSWAN wiki, so at least
next time someone like me won't have to address the list for such basic
stuff.

Best,
Whit
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:***@openswan.org">***@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
</body>
</html>