Chapter 1
The History of Openswan
While the IETF was still busy designing the IPsec protocols, entrepreneur John Gilmore founded the FreeS/WAN Project. S/WAN stands for Secure Wide Area Network. The ultimate goal of the project was to make IPsec the default mode of operation for the entire Internet. Version 1.0 was released for Linux in April of 1999 under the GPL license and worked on the Linux 2.0.36 kernel.
In effect, the Presidential decrees on crypto export meant that should an American touch the Free/SWAN code, the US government could legally restrict its use to whomever they wanted. For this reason, Gilmore barred any American from ever coding for the project, running it entirely outside of the US from Canada and Europe. No patches from Americans were ever accepted.
This became a major problem when end users really wanted the kernel code of FreeS/WAN (KLIPS) to be merged into the mainstream Linux kernel. First of all, Linus Torvalds, the original programmer and current maintainer of the Linux kernel as a whole, has a policy of keeping politics from entering into the kernel, so code with such restrictions would never be permitted. On top of this problem, the maintainer of the network subsystem of the Linux kernel, Dave Miller, was an American. Thus, KLIPS never made it into the mainstream kernel, and FreeS/WAN never got included in the popular Red Hat Linux distributions. This situation lasted for a few years during which users had to patch their kernel manually to add IPsec support, and compile their own FreeS/WAN software. Later on the project shipped binary packages for Red Hat (RPMs) to make IPsec deployment relatively easy.
Meanwhile, although Gilmore's project was widely used as a VPN solution, the intention to encrypt the entire Internet was failing. It seemed that the project was not succeeding in its political goal, even though FreeS/WAN was widely deployed to increase the privacy and security of military organizations and Fortune500 companies.
IETF Troubles over DNS
To encrypt the entire Internet using IPsec, through a method dubbed Opportunistic Encryption (OE), it was necessary that a certain DNS record be added for FreeS/WAN support. Purists at the IETF did not want applications to use DNS, and worse, DNS itself was long overdue for an overhaul to add cryptographic security to it, but the process of drawing up this new DNSSEC protocol has been one of the slowest projects coming out of the IETF and was only released as RFC 4034 and RFC 4035 in March 2005. On top of these DNS issues, OE faced more and more problems due to the wide deployment of NAT, a method for connecting multiple computers using 'internal-only' IP addresses behind a single computer with a single real Internet-connected IP address. IPsec however, was more and more necessary after wireless networking took off, and the WiFi encryption standards were broken one after the other.
Super FreeS/WAN
The rigorous views of the FreeS/WAN project were extremely problematic. Its political leanings drew it away from the real-world demands for certain VPN features and IETF standards implementation. Most notably, the refusal for inclusion of the X.509 patch, written by Andreas Steffen, a computer science research professor at the University of Applied Sciences Rapperswil in Switzerland, and the NAT-Traversal patch written by the French security company Arkoon,
17
Introduction
made a "stock FreeS/WAN" release next to useless for most real-world VPN usage, something the FreeS/WAN Project was not too concerned about since X.509 was deemed inferior compared its own DNS-based OE. This was because it was only really offering privacy to businesses rather than everyone on the Internet.
The non-DNS-based authentication method in IPsec using X.509 Certificates was becoming further entrenched because of Windows support. If someone wanted IPsec to support their Windows users, they would now need to download FreeS/WAN, download a few patches, patch the FreeS/WAN code, patch the kernel, compile the kernel IPsec module, and then compile the rest of the non-IPsec kernel modules and install all of the compiled components. And since there was no coordination between the patch maintainers and the FreeS/WAN maintainers, the patches were breaking continuously when new versions of FreeS/WAN or the Linux kernel were released. It was a very difficult process for someone not familiar with FreeS/WAN. This resulted in the creation of Super FreeS/WAN by one of the authors of this book (Ken Bantoft) to provide an easy-to-use patched version of FreeS/WAN that had all of the features people needed for VPNs and interoperability. However, maintaining Super FreeS/WAN was becoming harder and harder.
The Arrival of Openswan
The lack of out-of-the-box IPsec code for the Linux kernel was becoming a big problem for users setting up VPNs, and there were members of the FreeS/WAN project who wanted to work on a solution. In the summer of 2003, European volunteers and some members of the FreeS/WAN project—led by Paul Wouters, one of the authors of this book—met and talked to Gilmore at the Chaos Computer Club summer camp near Berlin. The foundation of the fork was laid, and in November of that year, Openswan was released by Xelerance, a newly founded company for the continued development of a free IPsec implementation for Linux.
Openswan's main mission was to cater more to the commercial world, while still keeping the FreeS/WAN ideals alive. This new code-fork also released the FreeS/WAN Project to stick even more strongly to its philosophies, and the next FreeS/WAN version removed support for AH and Transport Mode, two hardly used modes of IPsec, even though that completely broke interoperability with Microsoft Windows 2000 and XP. In April 2003, the end of the FreeS/WAN Project was announced and the last version of FreeS/WAN, with KLIPS support for the Linux 2.6 kernel, was released. In the next year, Openswan expanded and became the de facto IPsec implementation for Linux in practically all Linux distributions.
NETKEY
While this was happening, the lack of native IPsec support in Red Hat was a big problem for Linux distributions aimed at the enterprise market. They decided to code their way out of this problem by porting the IPsec code from another free operating system, FreeBSD. At this point, many kernel hackers also worked for Red Hat, so inclusion in the kernel would come naturally. Their adaptation of the KAME IPsec code from the BSD resulted in the Linux kernel NETKEY code.
Red Hat initially used the somewhat limited Racoon userland IPsec software in combination with the NETKEY code, but Openswan was added in version 3 of the Fedora Core distribution when Red Hat realized the political constraints of the FreeS/WAN Project did not apply to Openswan.
18