[strongSwan] strongSwan and Openswan

[Andreas Steffen]

Hello Troy,

IKEv2 *is* the big difference!

- strongSwan is the only complete Open Source implementation of
  the RFC 5996 IKEv2 standard whereas Openswan only implements a
  small mandatory subset.

- strongSwan took part in the 2007 and 2008 IKEv2 Interoperability
  Workshops in Orlando, FL and San Antonio, TX, respectively, so
  we are quite sure that our implementation is correct. Many VPN
  vendors are frequently testing their implementation against ours,
  so strongSwan has become kind of an IKEv2 reference platform.

- strongSwan IKEv2 is inherently multi-threaded (16 threads by default)
  whereas Openswan is basically single-threaded. This allows
  strongSwan to handle 20'000 concurrent IPsec tunnels on industry-
  grade VPN gateways.

- strongSwan IKEv2 comes with a High-Availability option based on
  Cluster IP where currently a cluster of two hosts does active
  load-sharing and each host can take over the ESP and IKEv2 states
  without rekeying if the other host fails.

- strongSwan is modular and offers dozens of plugins which enhance
  the functionality. The user can choose among three crypto libraries
  (legacy [non-US] FreeS/WAN, OpenSSL, and gcrypt).

- Using the openssl plugin, strongSwan supports Elliptic Curve
  Cryptography (ECDH groups and ECDSA certificates and signatures)
  both for IKEv2 *and* IKEv1, so that interoperability with Microsoft's
  Suite B implementation on Vista, Win 7, Server 2008, etc. is possible.

- strongSwan IKEv2 supports the following EAP authentication methods:
  AKA and SIM including the management of multiple [U]SIM cards,
  MD5, MSCHAPv2, GTC, TLS, TTLS. EAP-MSCHAPv2 authentication
  based on user passwords and EAP-TLS with user certificates
  are interoperable with the Windows 7 Agile VPN Client.

- strongSwan has an EAP-RADIUS plugin which relays EAP packets to
  one or multiple AAA servers (e.g. FreeRADIUS or Active Directory)

- strongSwan supports RFC 5998 EAP-only authentication in conjunction
  with strong mutual authentication methods like e.g. EAP-TLS.

- strongSwan supports RFC 4739 IKEv2 Multiple Authentication Exchanges.

- strongSwan supports the RFC 4555 Mobility and Multihoming Protocol
  (MOBIKE) which allows dynamic changes of the IP address and/or
  network interface without IKEv2 rekeying. MOBIKE is also supported
  by the Windows 7 Agile VPN Client.

- strongSwan offers the automatic assignment of virtual IP addresses
  to VPN clients from one or several address pools using either the
  IKEv1 ModeConfig or IKEv2 Configuration payload. The pools are either
  volatile (i.e. RAM-based) or stored in an SQLite or MySQL database
  (with configurable lease-times).

- The ipsec pool command line utility allows the management of IP
  address pools and configuration attributes like internal DNS and
  NBNS servers.

- strongSwan IKEv2 offers a NetworkManager applet supporting EAP,
  X.509 certificate and PKCS#11 smartcard based authentication.
  Assigned DNS servers are automatically installed and removed again
  in /etc/resolv.conf. Openswan also seems to come with NetworkManager
  integration but I'm not familiar with the offered functionality.

- strongSwan IKEv2 has been fully ported to the Android operating
  system including integration into the VPN applet.

Openswan is not explicitly mentioned in the above list wherever
a given feature is not supported.

Summarizing this rich list of features I'm coming to the
following conclusion:

- IKEv2 with RSA and PSK:  strongSwan is the clear choice!

- IKEv2 with EAP or RADIUS:  strongSwan is the only choice!

- IKEv1 Aggressive Mode:  Openswan is the only choice!

- IKEv1 Main Mode: strongSwan and Openswan share the same
                   FreeS/WAN heritage, so they are about equal.

- IKEv1 with ECC:  strongSwan is the only choice !

- IKEv1 with IP pools:  strongSwan is the only choice!

Kind regards

Andreas

On 09/22/2010 04:06 AM, Troy Telford wrote:
> I've been playing around with IPsec lately, and trying to learn about 
> the various ways to get it working...  In the process, I've come to 
> wonder about the different development priorities and feature sets of 
> Openswan and stongSwan.
> 
> I've found the comparison at openswan.org, however it is pretty obvious 
> that it hasn’t been updated in quite a while - it compares the (not 
> released) Openswan 3.0 to strongSwan 4.1.  The problem is that the git 
> repo for openswan shows that the Openswan 3 branch hasn't been touched 
> for years...  meanwhile the Openswan 2.x series gets actively developed.
> 
> But honestly:  I don't know of any reason to choose one or the other... 
>  it's pretty clear they have different feature sets, but there's not 
> much in the way of comparing the two, partly because the openswan 
> website is so dated.  I've not seen much in the way of feature lists to 
> compare - it seems IKEv2 is the biggest difference.
> 
> Can anybody please enlighten me as to what the advantages offered by 
> strongswan are vs openswan?

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==