Michael Tremer

IPFire 2.13 Beta 1 - Part 2 Strongswan 5 - IPsec VPN
by Michael Tremer, January 15, 2013

The second feature, we would like to highlight is strongswan 5, which will finally ship with IPFire 2.13.

strongswan is the software, that runs the IPSec VPN connections. In version 5, the ancient service daemon pluto has been removed in favour of charon, a total rewrite that supports a lot more features.

But why is pluto ancient? strongswan has been forked from FreeS/WAN which last release has been published in 2004. From that code base, two other projects have been forked. One is OpenSWAN, which has been running inside IPFire for several years, but was then replaced by the other fork, which is strongswan. When forking the code base of a project, you will always carry all the problems and issues that have been with the old project to the new one and you’ll inevitably have to deal with them. So, the central component pluto has been patched and enhanced by both projects. That worked (from our point of view) very well at the beginning, but as the code grew bigger and bigger new problems showed up.

When the strongswan project started to adapt IKEv2 (the Internet Key Exchange Protocol version 2), they wrote a new daemon, that was responsible for handling that protocol. It was not a copy of pluto, but a complete re-design of how to implement such a service. If you use IPsec in IPFire right now, charon, the new daemon, is already running and working.

The idea of the strongswan developers was, that the old revision of the Internet Key Exchange protocol (IKEv1) would soon get obsolete after a transition period of about 3 to 5 years. But that was not the case as smartphones made their ways into everybody’s pockets. The VPN implementations did not talk IKEv2, but IKEv1 and therefore everybody wanted to set up XAUTH-based IKEv1 connections. It did not help very much that Windows 7 shipped with its Agile VPN client, which was able to talk IKEv2.

In late 2011, the strongswan developers started to re-implement the IKEv1 protocol by extending the modern code base of the charon daemon. After that was finished, the pluto daemon got removed from the code base.

What is the benefit to the users?

Obviously, the strongswan developers made a gift for themselves, because maintaining pluto and extending its functionality must have caused pain. The monolithic design had a lot of problems, which also affected the way how to use IPsec:

So a very important new thing in IPFire is, that it is not necessary to restart all IPsec connections any more when one connection is edited, created or removed. That leaves us with much more stability. Changing preferences and some smaller bits are much faster and don’t require to reconnect to all the remote parties. Data transfers cannot break during this time and that is very enjoyable for every admin who cares about a couple of busy IPsec connections.

Secondly, a lot new ciphers and hash algorithms can be used to protect your data and assure its integrity. For example there are AES-256, AES-192, AES-128 and 3DES for encryption. IKE/ESP integrity was available with SHA1 and MD5 which has been extended by SHA2-256, SHA2-384, SHA2-512 and AES XCBC and the Diffie Hellman group types have been extended by some with larger key lengths.

Altogether, the smoothness and comfort is much better with strongswan 5 and interoperability with other IPsec implementation has once again been improved. For all that, we would like to thank the strongswan developers for developing such a great piece of software that runs that awesome in IPFire.

Posted: January 15, 2013 • 1044 views