
StrongSwan – IPsec VPN for Linux, Android, FreeBSD, Mac OS X, Windows

141 points by spaceboy over 8 years ago

18 comments

windexh8er over 8 years ago
Seeing all the complaints in here of how hard this is to set up brings back memories. I was the lead consultant on a project between a very large US retailer and Centrify to build a product called DirectSecure. It's generally very easy to deploy IPsec policy in a Windows environment via GPO and the customer wanted that to flow down into their *nix environments. Centrify, having good hooks into AD already, was chosen to build a product that did just the same thing in their *nix environments by consuming IPsec configuration out of GPO.

While not a sales pitch, and in fact I don't think the product seems to have sold well anyway, it was very interesting to work with them on the test harness we built to validate correct IPsec operations, configuration, validation that data wasn't leaking outside of the SAs that were being provisioned, and performance via the translated policy. The relatable component was that this was mainly done against StrongSwan implementations of the IKE daemon if I remember correctly (Linux, AIX and Solaris mainly). I wonder if any of those bits flowed back upstream or if the bolt-on aspect kept that from happening.

StrongSwan isn't complex if you are well versed in IPsec implementation as a whole. It's no more or less complicated than other implementations and is "better" than TLS in its own right with regard to things that could go wrong. In static environments it's relatively painless once the learning curve is overcome.

That being said, I feel like IPsec has a badge it will never get rid of and people discard it before attempting implementation at this point. Hopefully, as mentioned amongst the comments, things like WireGuard will mature and become more mainstream. I very much like the concept carry-over that both IPsec and WireGuard can be silent actors within the network, not giving away hosts as things like OpenVPN and SSH do. IPsec can, unfortunately, also be implemented to squawk at spurious connection attempts - but at least it doesn't rely on that premise as much as things like OpenVPN and SSH do.

And for the record - you can tell someone who's dealt with IPsec extensively since they won't refer to it as IPSec. o_O Microsoft is notorious for getting it wrong.
tamalsaha001 over 8 years ago
We use Strongswan to secure host-to-host connections using a pre-shared key when setting up Kubernetes clusters on simple VPS providers like DigitalOcean. This is important since DO, Linode etc. do not provide a private network. Flannel works with it transparently to provide a Kubernetes-aware IP network.

You can see our work here: https://github.com/appscode/swanc
falcolas over 8 years ago
I've seen this implemented quite usefully in a corporate environment and for container-to-container communication, but attempting to set it up for my personal use was an absolute disaster. A bit over a week spent trying to make it work, and it never did.

OpenVPN worked just fine, but I could never make StrongSwan work at all. Which is a shame; I really wanted to have an easy-to-use VPN for my phone and so forth. Settled on OpenVPN, which worked well enough with the iOS clients.
baby over 8 years ago
With the 4000 LOC WireGuard (https://www.wireguard.io/), what are the incentives to continue using IPsec or Strongswan?
equalunique over 8 years ago
I'd only use StrongSwan if an OpenBSD gateway is not an option. Configuring IPsec IKEv2 on OpenBSD is very simple.
ratherbefuddled over 8 years ago
I set this up a few weeks ago on a Linux VPS I'm using for dev. IPsec with IKEv2 and certificates. Native clients on Windows 10 and an Ubuntu laptop (needed a network-manager plugin to be built), and took the shortcut and used the StrongSwan app on Android.

The process was complex and there are things I still don't understand, but it does work and the documentation and examples are quite comprehensive. The only issue I had with them was that they assume a fair amount of familiarity with subjects that I didn't have. I'm mainly a server-side developer, not a network admin, and whilst I have a vague understanding of how certs work I didn't have much awareness of VPN protocols or terminology, so I had to abuse Google pretty thoroughly.

It took about a day to do and I had to watch logs from server and client to figure it out, but it was interesting. I'm still pleased with the results and would recommend the product.
Nux over 8 years ago
On the subject of VPNs, if people find *swan or OpenVPN difficult to get working, I highly recommend OpenConnect (ocserv); _so_ easy to set up.

It's an open source implementation of the Cisco AnyConnect SSL VPN, works great and it's compatible with the AnyConnect clients.
justinsaccount over 8 years ago
One of the reasons IPsec is tricky to understand is that it doesn't create virtual interfaces like most other VPN systems on Linux. With something like OpenVPN you can run tcpdump on eth0 / tun0 to figure out what is going on. With IPsec there's no 'ipsec0' interface and the way it works is a little more 'magic'.
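The comment above is accurate for policy-based IPsec on Linux: there is no ipsec0 to tcpdump, because the policies and security associations live in the kernel's XFRM framework and are inspected with `ip xfrm policy` and `ip xfrm state`. The following is an added example, not code from the thread or from strongSwan or iproute2. It parses constructed output laid out like iproute2's (the addresses, SPIs, reqids and counters are made up), joins each policy to the SA whose endpoints and reqid match its template, and lists policies that have no SA behind them, which is the usual reason traffic matching a selector stops flowing while nothing visible changes on the physical interface.

```python
"""Inspect Linux IPsec without a virtual interface: parse `ip xfrm policy` and
`ip xfrm state` output and join each policy to the SA that backs it.
Added example; not part of strongSwan or iproute2. Both samples below are
constructed to follow iproute2's layout; every address, SPI and counter is made up.
"""
import re

POLICY_OUTPUT = """\
src 10.0.0.0/24 dst 10.1.0.0/24
    dir out priority 375423 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp spi 0x00000000 reqid 1 mode tunnel
src 10.1.0.0/24 dst 10.0.0.0/24
    dir fwd priority 375423 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 10.0.0.0/24
    dir in priority 375423 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
"""

STATE_OUTPUT = """\
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc9a1e2f3 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    aead rfc4106(gcm(aes)) 0x<key-omitted> 128
    lifetime current:
      48200(bytes), 312(packets)
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x1a2b3c4d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x<key-omitted> 128
    lifetime current:
      90115(bytes), 297(packets)
"""

HDR = re.compile(r"^src (\S+) dst (\S+)")
DIR = re.compile(r"^dir (in|out|fwd)\b")
TMPL = re.compile(r"^tmpl src (\S+) dst (\S+)")
PROTO = re.compile(r"proto (\w+)(?: spi (0x[0-9a-f]+))? reqid (\d+) mode (\w+)")
COUNT = re.compile(r"^(\d+)\(bytes\), (\d+)\(packets\)")


def records(text):
    """Split iproute2 output into records; each record starts at an unindented 'src' line."""
    recs, cur = [], []
    for line in text.splitlines():
        if line.startswith("src ") and cur:
            recs.append(cur)
            cur = []
        if line.strip():
            cur.append(line.strip())
    if cur:
        recs.append(cur)
    return recs


def parse_policies(text):
    """One dict per policy: traffic selector, direction, template endpoints, reqid, mode."""
    policies = []
    for rec in records(text):
        pol = {"tmpl": None, "dir": None}
        for line in rec:
            if m := HDR.match(line):
                pol["src"], pol["dst"] = m.groups()
            elif m := DIR.match(line):
                pol["dir"] = m.group(1)
            elif m := TMPL.match(line):
                pol["tmpl"] = m.groups()
            elif m := PROTO.search(line):
                pol["reqid"], pol["mode"] = int(m.group(3)), m.group(4)
        policies.append(pol)
    return policies


def parse_states(text):
    """One dict per SA: outer endpoints, SPI, reqid, mode and current traffic counters."""
    states = []
    for rec in records(text):
        sa = {"bytes": 0, "packets": 0}
        for line in rec:
            if m := HDR.match(line):
                sa["src"], sa["dst"] = m.groups()
            elif m := PROTO.search(line):
                sa["proto"], sa["spi"] = m.group(1), m.group(2)
                sa["reqid"], sa["mode"] = int(m.group(3)), m.group(4)
            elif m := COUNT.match(line):
                sa["bytes"], sa["packets"] = int(m.group(1)), int(m.group(2))
        states.append(sa)
    return states


def match_policies(policies, states):
    """Join each template-carrying policy to the SA whose endpoints and reqid match."""
    rows = []
    for pol in policies:
        if pol["tmpl"] is None:  # socket/bypass policies carry no template
            continue
        tsrc, tdst = pol["tmpl"]
        backing = [s for s in states
                   if s["reqid"] == pol["reqid"] and (s["src"], s["dst"]) == (tsrc, tdst)]
        sa = backing[0] if backing else None
        rows.append({"selector": f"{pol['src']} -> {pol['dst']}", "dir": pol["dir"],
                     "spi": sa["spi"] if sa else None,
                     "packets": sa["packets"] if sa else 0})
    return rows


def unbacked(policies, states):
    """Policies with no SA behind them: traffic matching them is not being protected."""
    return [r for r in match_policies(policies, states) if r["spi"] is None]
```

On a live host the two strings would be replaced by the output of `ip xfrm policy` and `ip -s xfrm state`; the counters let you confirm that packets are actually being sent into a given SA, which is the XFRM equivalent of watching tun0 fill up.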
pYQAJ6Zm over 8 years ago
During the past holidays, at my parents', I set up some infrastructure to allow remote management of some network equipment and computers. I used to employ OpenVPN for this, but I decided to give IPsec a try. Since I have been learning CentOS, initially I went with RedHat's suggested option: Libreswan.

I tried and tried, yet couldn't get it to work. Documentation surely was lacking for Libreswan. But then I found Strongswan, and after a few more attempts I managed to set up a tunnel as I wanted it. The documentation is much more complete, and the examples were especially helpful.

I am baffled by the choice made by RedHat to use Libreswan as their official IPsec implementation. It gave me a "beta" feel, while Strongswan seems more solid. Plus the difference regarding documentation is like night and day.
terrywang over 8 years ago
strongSwan is the best free and open source IPsec implementation available on Linux (much better than libreswan...): good documentation, use cases and examples etc., good quality of code (fewer bugs - that's what we've found running it in production for 2+ years with 500+ instances deployed), actively developed and maintained by a group of passionate developers that know the stuff well.

Personally I've been using strongSwan since its 5.0.x for remote access - to protect privacy and fight censorship (yes, originally from China where the infamous GFW is deployed...). The native strongSwan client for Android is also a killer feature worth mentioning; RSA authentication with X509 certificates works flawlessly with 1 click ;-)

My company (pre-IPO startup) has been using strongSwan for 2+ years as a site-to-site solution from AWS VPC to on-premises data centres (or other cloud virtual networks), with 500+ instances deployed; the track record has proved it reliable as long as it's properly configured (most outages were caused by AWS maintenance ;-) The only drawback is that strongSwan currently does NOT have a mature HA solution, but it's shaping up (5.4.0 introduced IKEv2 redirect). We are currently building a custom HA solution (designed to work in VPC - providing similar redundancy to AWS VPN but a lot more flexible and controllable) using strongSwan (we have to use route-based, as syncing 2 policy-based instances is too hard or impossible).

NOTE: I've seen people mention L2TP; it is obsolete. L2TP does NOT provide encryption or confidentiality to traffic passing through it. L2TP/IPsec encapsulates data twice at layer 2; it has pros and cons. See this (may be out-dated) -> https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/

IKEv{1,2} + IPsec (ESP) (tunnel mode) with PFS for both IKE and ESP is the recommended configuration.

As mentioned in another comment: to properly install and configure strongSwan, following the tutorials available over the Internet is not enough; it requires good networking knowledge (NAT, iptables in particular), understanding of the IPsec protocol suite (including IKE, AH, ESP), PKI, Linux skills, etc.

A good reference to start with: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html
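The recommendation in the comment above (IKEv2, ESP in tunnel mode, PFS for both IKE and ESP) can be checked mechanically before a configuration goes live. The block below is an added example written for this thread, not strongSwan's own code: a small parser for the `key = value` / `name { ... }` syntax of swanctl.conf and a checker that flags connections which permit IKEv1, proposals with no Diffie-Hellman group (a DH group in `esp_proposals` is what gives the ESP SAs their PFS), MODP groups smaller than 2048 bits, and children in transport mode. Both sample configurations are constructed; the 2048-bit floor is this example's own threshold, and the reading of `version` (0 accepts both IKE versions, 1 is IKEv1, 2 is IKEv2) and of `mode` (tunnel by default) follows swanctl.conf's documented semantics.

```python
"""Check swanctl.conf-style connections for IKEv2 + ESP tunnel mode with PFS on
both IKE and ESP. Added example for this thread, not part of strongSwan; the two
configurations are constructed, and the 2048-bit MODP floor is this example's choice.
"""
import re

WEAK_CONF = """
connections {
    site-a {
        version = 1                        # IKEv1 only
        proposals = aes128-sha1-modp1024   # 1024-bit DH group
        local_addrs = 192.0.2.1
        remote_addrs = 198.51.100.1
        children {
            net {
                mode = transport
                esp_proposals = aes128-sha1   # no DH group: no PFS for ESP
            }
        }
    }
}
"""

STRONG_CONF = """
connections {
    site-a {
        version = 2
        proposals = aes256gcm16-prfsha384-ecp384,aes128gcm16-prfsha256-curve25519
        local_addrs = 192.0.2.1
        remote_addrs = 198.51.100.1
        children {
            net {
                mode = tunnel
                esp_proposals = aes256gcm16-ecp384,aes128gcm16-curve25519
            }
        }
    }
}
"""

# DH group names as strongSwan spells them inside proposal strings.
DH_RE = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|x448)$")
MIN_MODP_BITS = 2048


def parse_conf(text):
    """Parse 'key = value' lines and 'name { ... }' sections into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def check_proposals(where, value, findings):
    """Each comma-separated proposal needs a DH group; MODP groups must meet the floor."""
    for prop in (p.strip() for p in value.split(",")):
        groups = [t for t in prop.split("-") if DH_RE.match(t)]
        if not groups:
            findings.append(f"{where}: proposal '{prop}' has no DH group (no PFS)")
        for g in groups:
            bits = re.match(r"modp(\d+)", g)
            if bits and int(bits.group(1)) < MIN_MODP_BITS:
                findings.append(f"{where}: proposal '{prop}' uses {g}, below {MIN_MODP_BITS} bits")


def check_connection(name, conn):
    findings = []
    if conn.get("version", "0") != "2":  # swanctl: 0 accepts both versions, 1 is IKEv1
        findings.append(f"{name}: version={conn.get('version', '0')} permits IKEv1; set version = 2")
    if "proposals" in conn:
        check_proposals(f"{name}/ike", conn["proposals"], findings)
    else:
        findings.append(f"{name}: IKE proposals not pinned")
    for child_name, child in conn.get("children", {}).items():
        where = f"{name}/{child_name}"
        if child.get("mode", "tunnel") != "tunnel":  # tunnel is the swanctl default
            findings.append(f"{where}: mode={child['mode']}; tunnel mode recommended")
        if "esp_proposals" in child:
            check_proposals(f"{where}/esp", child["esp_proposals"], findings)
        else:
            findings.append(f"{where}: esp_proposals not pinned (PFS left to the default)")
    return findings


def lint(text):
    """Return every finding for every connection in the configuration text."""
    findings = []
    for name, conn in parse_conf(text).get("connections", {}).items():
        findings.extend(check_connection(name, conn))
    return findings
```

`lint(WEAK_CONF)` reports four findings (IKEv1, modp1024, transport mode, ESP without a DH group) and `lint(STRONG_CONF)` reports none; the parser deliberately rejects unbalanced braces rather than guessing, since a silently truncated connection block is exactly the kind of mistake that produces a tunnel that "works" with a weaker policy than intended.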
shawkinaw over 8 years ago
It is indeed a bit of a pain to set up properly, but it can be done. I have a droplet running it 24/7 and have no problems connecting to it from Apple devices. Here are some helpful guides for setting up:

https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/

http://www.jfcarter.net/~jimc/documents/strongswan-1308.html
dkhenry over 8 years ago
When I was looking to replace my OpenVPN server with a cloud-based VPN, one thing I wanted was to use the OS-native VPN solution. Everything pointed me to L2TP/IPSec; I am wondering why I would choose IKEv2 over that.
fulafel over 8 years ago
Does anyone know if Docker is using IPsec in some interoperable mode? They say here that they are using IPsec: https://docs.docker.com/engine/userguide/networking/overlay-security-model/
1_player over 8 years ago
StrongSwan is a real powerhorse, even though a bit of a b*tch to configure to work out-of-the-box on most platforms. The documentation is scarce and the wiki was a bit out of date IIRC.

I'm using it on my VPS, with my Mac as a client to bypass the UK big brother, and on Android to bypass tethering blocks (in conjunction with the Tether app).
klinquist over 8 years ago
This works great for me to connect my Meraki MX-series firewall into my AWS VPC.
post_break over 8 years ago
I could never get this to work. Tried for quite a while and just gave up.
more_corn over 8 years ago
Good luck getting 2FA working.
peterposter over 8 years ago
This seems great, but what would I actually use this for?

e: Everybody says that using a VPN is a "good thing", but I honestly can't find a use for one in my day-to-day.