Introducing FreeS/WAN and IPsec
Duncan Napier
FreeS/WAN (Secure Wide Area Network) is a tool that permits the secure transmission of data over untrusted networks, such as the Internet. The central component of FreeS/WAN is the IETF's (Internet Engineering Task Force) IPsec (Internet Protocol SECurity) specification. Among other things, IPsec is designed to support Virtual Private Networks (VPNs). While FreeS/WAN is Linux-based, it conforms to the IETF's IPsec specification and is known to be interoperable with many other vendors' implementations of IPsec. (Refer to the official Web site, http://www.freeswan.org, for the latest news.) The FreeS/WAN project was started by John Gilmore, is maintained by numerous energetic individuals, and is freely available in source code under the GNU General Public License.
IPsec is an extension to the Internet Protocol (IP) that provides authentication and encryption at the OSI Reference Model transport layer. IPsec has been mandated into the IETF's specification of IP version 6 (IPv6). Three protocols are used to handle encryption and authentication: ESP (Encapsulating Security Payload), AH (Authentication Header), and IKE (the Internet Key Exchange). All of these components are included in the FreeS/WAN implementation of IPsec and are generally invisible to the end user. ESP and AH handle encryption and authentication, while IKE negotiates the connection parameters, including the initialization, handling, and renewal of encryption keys. The only encryption scheme currently supported by FreeS/WAN is 3DES (triple DES, or Data Encryption Standard, the current standard for IPsec encryption). Authentication is carried out using MD5 digests of a so-called shared secret (a shared key). The shared key can be a mutually agreed-upon character string or an RSA key pair. FreeS/WAN's KLIPS (kernel IPsec) component, which is compiled into the Linux kernel, implements AH, ESP, and the handling of packets.
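As an added illustration (not taken from the original article), here is how those pieces map onto FreeS/WAN's two configuration files: IKE and KLIPS settings in ipsec.conf, and the authentication material in ipsec.secrets, with a shared-secret tunnel beside an RSA-authenticated one. The addresses, subnets, connection names and key values are constructed placeholders.

```ini
# /etc/ipsec.conf (constructed example; addresses and keys are placeholders)
config setup
    interfaces="ipsec0=eth0"        # KLIPS virtual interface bound to the real NIC
    klipsdebug=none
    plutodebug=none

conn %default
    keyingtries=0                   # keep renegotiating until the peer answers
    keyexchange=ike                 # IKE (Pluto) negotiates keys; KLIPS moves packets

# Tunnel 1: authentication by shared secret; the secret itself lives in ipsec.secrets
conn site-to-site-psk
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftnexthop=192.0.2.254
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightnexthop=198.51.100.254
    authby=secret
    pfs=yes                         # fresh Diffie-Hellman exchange at every rekey
    auto=start

# Tunnel 2: authentication by RSA signature; only public halves appear here,
# private halves stay in ipsec.secrets. Keys are generated with "ipsec rsasigkey"
# and the lines below are printed with "ipsec showhostkey --left" / "--right".
conn site-to-site-rsa
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftrsasigkey=0sAQ_PLACEHOLDER_LEFT_PUBLIC_KEY
    right=203.0.113.1
    rightsubnet=10.3.0.0/16
    rightrsasigkey=0sAQ_PLACEHOLDER_RIGHT_PUBLIC_KEY
    authby=rsasig
    pfs=yes
    auto=start

# ---- /etc/ipsec.secrets (must be mode 0600, owned by root; never world-readable)
# PSK entry: both peer addresses, then the agreed string (use a long random value)
192.0.2.1 198.51.100.1 : PSK "PLACEHOLDER_LONG_RANDOM_SHARED_SECRET"
# RSA entry: this host's private key, pasted verbatim from "ipsec rsasigkey 2192"
: RSA {
    PLACEHOLDER_PRIVATE_KEY_BLOCK
    }
```

With authby=rsasig the private key never leaves its host and nothing has to be exchanged out of band except the public key line, which is the operational advantage over a PSK that must be copied to both ends and rotated on both ends together.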