[strongSwan] strongSwan and Openswan
andreas.steffen at strongswan.org
Wed Sep 22 09:41:28 CEST 2010
IKEv2 *is* the big difference!
- strongSwan is the only complete Open Source implementation of
the RFC 5996 IKEv2 standard whereas Openswan only implements a
small mandatory subset.
- strongSwan took part in the 2007 and 2008 IKEv2 Interoperability
Workshops in Orlando, FL and San Antonio, TX, respectively, so
we are quite sure that our implementation is correct. Many VPN
vendors are frequently testing their implementation against ours,
so strongSwan has become kind of an IKEv2 reference platform.
- strongSwan IKEv2 is inherently multi-threaded (16 threads by default)
whereas Openswan is basically single-threaded. This allows
strongSwan to handle 20'000 concurrent IPsec tunnels on industry-
grade VPN gateways.
- strongSwan IKEv2 comes with a High-Availability option based on
Cluster IP where currently a cluster of two hosts does active
load-sharing and each host can take over the ESP and IKEv2 states
without rekeying if the other host fails.
- strongSwan is modular and offers dozens of plugins which enhance
the functionality. The user can choose among three crypto libraries
(legacy [non-US] FreeS/WAN, OpenSSL, and gcrypt).
- Using the openssl plugin, strongSwan supports Elliptic Curve
Cryptography (ECDH groups and ECDSA certificates and signatures)
both for IKEv2 *and* IKEv1, so that interoperability with Microsoft's
Suite B implementation on Vista, Win 7, Server 2008, etc. is possible.
- strongSwan IKEv2 supports the following EAP authentication methods:
AKA and SIM including the management of multiple [U]SIM cards,
MD5, MSCHAPv2, GTC, TLS, TTLS. EAP-MSCHAPv2 authentication
based on user passwords and EAP-TLS with user certificates
are interoperable with the Windows 7 Agile VPN Client.
- strongSwan has an EAP-RADIUS plugin which relays EAP packets to
one or multiple AAA servers (e.g. FreeRADIUS or Active Directory)
- strongSwan supports RFC 5998 EAP-only authentication in conjunction
with strong mutual authentication methods like e.g. EAP-TLS.
- strongSwan supports RFC 4739 IKEv2 Multiple Authentication Exchanges.
- strongSwan supports the RFC 4555 Mobility and Multihoming Protocol
(MOBIKE) which allows dynamic changes of the IP address and/or
network interface without IKEv2 rekeying. MOBIKE is also supported
by the Windows 7 Agile VPN Client.
- strongSwan offers the automatic assignment of virtual IP addresses
to VPN clients from one or several address pools using either the
IKEv1 ModeConfig or IKEv2 Configuration payload. The pools are either
volatile (i.e. RAM-based) or stored in an SQLite or MySQL database
(with configurable lease-times).
- The ipsec pool command line utility allows the management of IP
address pools and configuration attributes like internal DNS and
- strongSwan IKEv2 offers a NetworkManager applet supporting EAP,
X.509 certificate and PKCS#11 smartcard based authentication.
Assigned DNS servers are automatically installed and removed again
in /etc/resolv.conf. Openswan also seems to come with NetworkManager
integration but I'm not familiar with the offered functionality.
- strongSwan IKEv2 has been fully ported to the Android operating
system including integration into the VPN applet.
Openswan is not explicitly mentioned in the above list wherever
a given feature is not supported.
Summarizing this rich list of features I'm coming to the
- IKEv2 with RSA and PSK: strongSwan is the clear choice!
- IKEv2 with EAP or RADIUS: strongSwan is the only choice!
- IKEv1 Aggressive Mode: Openswan is the only choice!
- IKEv1 Main Mode: strongSwan and Openswan share the same
FreeS/WAN heritage, so they are about equal.
- IKEv1 with ECC: strongSwan is the only choice !
- IKEv1 with IP pools: strongSwan is the only choice!
On 09/22/2010 04:06 AM, Troy Telford wrote:
> I've been playing around with IPsec lately, and trying to learn about
> the various ways to get it working... In the process, I've come to
> wonder about the different development priorities and feature sets of
> Openswan and stongSwan.
> I've found the comparison at openswan.org, however it is pretty obvious
> that it hasn’t been updated in quite a while - it compares the (not
> released) Openswan 3.0 to strongSwan 4.1. The problem is that the git
> repo for openswan shows that the Openswan 3 branch hasn't been touched
> for years... meanwhile the Openswan 2.x series gets actively developed.
> But honestly: I don't know of any reason to choose one or the other...
> it's pretty clear they have different feature sets, but there's not
> much in the way of comparing the two, partly because the openswan
> website is so dated. I've not seen much in the way of feature lists to
> compare - it seems IKEv2 is the biggest difference.
> Can anybody please enlighten me as to what the advantages offered by
> strongswan are vs openswan?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
More information about the Users