I looked in the yum repositories for CentOS 7 and I noticed that there are no packages for any of the major open source IPSec VPN apps - Openswan, strongSwan, etc. I'm pretty sure CentOS 6 had Openswan packages.
What is the current consensus w.r.t. building an IPSec VPN "server" (concentrator, whatever) on CentOS 7, that will do site-to-site connections with Cisco hardware at the other end? Is any of the *swan apps still considered the best option for that?
Any guidelines w.r.t. IPSec VPN in general on this platform?
Thanks.
2015-04-14 21:07 GMT+03:00 Florin Andrei florin@andrei.myip.org:
I looked in the yum repositories for CentOS 7 and I noticed that there are no packages for any of the major open source IPSec VPN apps - Openswan, strongSwan, etc. I'm pretty sure CentOS 6 had Openswan packages.
What is the current consensus w.r.t. building an IPSec VPN "server" (concentrator, whatever) on CentOS 7, that will do site-to-site connections with Cisco hardware at the other end? Is any of the *swan apps still considered the best option for that?
I think the epel-7 repo provides the strongSwan IPsec package that is required to connect to Cisco ASA.
-- Eero
On 04/14/2015 11:07 AM, Florin Andrei wrote:
I looked in the yum repositories for CentOS 7 and I noticed that there are no packages for any of the major open source IPSec VPN apps - Openswan, strongSwan, etc. I'm pretty sure CentOS 6 had Openswan packages.
libreswan replaced openswan, and is available in the CentOS 7 repo.
On 2015-04-14 11:25, Gordon Messmer wrote:
On 04/14/2015 11:07 AM, Florin Andrei wrote:
I looked in the yum repositories for CentOS 7 and I noticed that there are no packages for any of the major open source IPSec VPN apps - Openswan, strongSwan, etc. I'm pretty sure CentOS 6 had Openswan packages.
libreswan replaced openswan, and is available in the CentOS 7 repo.
I just noticed that strongSwan is in EPEL.
I'm also looking at this comment on ServerFault:
http://serverfault.com/a/655752/24406
If that is accurate, the documentation, and the clustering / load balancing might tilt the balance in the direction of strongSwan.
2015-04-14 21:40 GMT+03:00 Florin Andrei florin@andrei.myip.org:
On 2015-04-14 11:25, Gordon Messmer wrote:
On 04/14/2015 11:07 AM, Florin Andrei wrote:
I looked in the yum repositories for CentOS 7 and I noticed that there are no packages for any of the major open source IPSec VPN apps - Openswan, strongSwan, etc. I'm pretty sure CentOS 6 had Openswan packages.
libreswan replaced openswan, and is available in the CentOS 7 repo.
I just noticed that strongSwan is in EPEL.
I'm also looking at this comment on ServerFault:
http://serverfault.com/a/655752/24406
If that is accurate, the documentation, and the clustering / load balancing might tilt the balance in the direction of strongSwan.
Well, both packages can do IPsec to Cisco ASA without any problems.
-- Eero
On 2015-04-14 11:44, Eero Volotinen wrote:
2015-04-14 21:40 GMT+03:00 Florin Andrei florin@andrei.myip.org:
http://serverfault.com/a/655752/24406
If that is accurate, the documentation, and the clustering / load balancing might tilt the balance in the direction of strongSwan.
Well, both packages can do IPsec to Cisco ASA without any problems.
I have this one case where the other end of the connection wants to use some specific encryption parameters (specific versions of AES and SHA). I need to make sure that whatever software I use is capable of providing that. Better documentation will certainly help.
And of course, a more actively supported project, with a good security track record, is very important.
All these are factors in choosing between Openswan / Libreswan / strongSwan.
2015-04-14 22:05 GMT+03:00 Florin Andrei florin@andrei.myip.org:
On 2015-04-14 11:44, Eero Volotinen wrote:
2015-04-14 21:40 GMT+03:00 Florin Andrei florin@andrei.myip.org:
http://serverfault.com/a/655752/24406
If that is accurate, the documentation, and the clustering / load balancing might tilt the balance in the direction of strongSwan.
Well, both packages can do IPsec to Cisco ASA without any problems.
I have this one case where the other end of the connection wants to use some specific encryption parameters (specific versions of AES and SHA). I need to make sure that whatever software I use is capable of providing that. Better documentation will certainly help.
And of course, a more actively supported project, with a good security track record, is very important.
All these are factors in choosing between Openswan / Libreswan / strongSwan.
Well, you can use any of these software packages for such basic tasks. I also think that their configuration files are almost compatible, so you can change packages later if any problems occur.
I think the best choice is the software that comes with CentOS.
I currently use Openswan (EPEL?) on CentOS and Amazon Linux to connect with Check Point and Cisco ASA IPsec hardware devices.
-- Eero