Contents Previous Next

Interoperating with FreeS/WAN

* PLEASE NOTE * This document is in process. If a section you are looking for is not yet complete, you can use our old interop document.

Interop at a Glance

	FreeS/WAN VPN				Road Warrior	OE
	PSK	RSA Secret	X.509 (requires patch)	Manual Keying
More Compatible
isakmpd (OpenBSD)	Yes		Yes	Yes		No
Kame (FreeBSD, NetBSD)	Yes		Yes	Yes		No
McAfee VPN was PGPNet	Yes	Yes	Yes		Yes	No
Microsoft Windows 2000/XP	Yes		Yes		with FreeS/WAN as Warrior	No
Safenet SoftPK /SoftRemote	Yes		Yes		Yes	No
SSH Sentinel	Yes		Yes		Yes	No
Other
AshleyLaurent VPCom	Yes					No
Borderware	Yes				No	No
Checkpoint FW-1	Yes					No
Checkpoint VPN1	Yes/Partial					No
Cisco with 3DES	Yes	Maybe				No
F-Secure	Yes					No
Gauntlet GVPN	Yes					No
IBM AS/400	Yes					No
Lucent	Yes					No
Netscreen 5xp	Yes					No
Nortel Conitivity	Partial					No
RadGuard	Yes					No
Raptor (NT)	Yes			Yes		No
Raptor (Solaris)	Yes					No
Redcreek Ravlin	Yes/Partial					No
Shiva LANRover	Yes					No
Sun Solaris				Yes		No
SonicWall	Yes					No
Timestep	Yes					No
Watchguard Firebox	Yes			Yes		No
Xedia Access Point /QVPN	Yes					No
	PSK	RSA Secret	X.509 (requires patch)	Manual Keying
	FreeS/WAN VPN				Road Warrior	OE

Our information comes primarily from mailing list reports and tutorials.

The FreeS/WAN project needs you! We rely on the user community to keep up to date. Mail users@lists.freeswan.org with your interop success stories.

Key

Yes	People report that this works for them.
[Blank]	We don't know.
No	We have reason to believe it was, at some point, not possible to get this to work.
Partial	Partial success. For example, a connection can be created from one end only.
Yes/Partial	Mixed reports.
Maybe	We think the answer is "yes", but need confirmation.

Basic Interop Rules

You want to choose X, Y, Z.

Longer Stories

For More Compatible Implementations

isakmpd (OpenBSD)

OpenBSD FAQ: Using IPsec
Hans-Joerg Hoexer's interop Linux-OpenBSD (PSK)
Skyper's configuration (PSK)

Kame for FreeBSD, NetBSD

Kame homepage, with FAQ
NetBSD's IPSec FAQ

Itojun's Kame-FreeS/WAN interop tips (PSK)
Ghislaine Labouret's French page with links to matching FreeS/WAN and Kame configs (RSA)
Ghislaine's post explaining some peculiarities
Frodo's Kame-FreeS/WAN interop (X.509)
Using Kame as a WAVEsec client

PGPNet/McAfee

Now called McAfee VPN Client.
PGPNet also came in a freeware version which did not support subnets
To support dhcp-over-ipsec, you need the X.509 patch, which is included in Super FreeS/WAN.

Hans-Joerg Hoexer's Guide for Linux-PGPNet (PSK)
Kai Martius' instructions using RSA Key-Extractor Tool (RSA)
Christian Zeng's page (RSA) based on Kai's work. English or German.
Oscar Delgado's PDF (X.509, no configs)
Ryan's HOWTO for FreeS/WAN-PGPNet (X.509). Through a Linksys Router with IPsec Passthru enabled.
Jean-Francois Nadeau's Practical Configuration (Road Warrior with PSK)
Wouter Prins' HOWTO (Road Warrior with X.509)

Rekeying problem with FreeS/WAN and older PGPNets

DHCP over IPSEC HOWTO for FreeS/WAN (requires X.509 and dhcprelay patches)

Microsoft Windows 2000/XP

Comes with Win2k, and with XP Support Tools. May require High Encryption Pack.
FreeS/WAN has recently changed its Commit Bit handling, solving an old interop problem.

Jean-Francois Nadeau's Net-net Configuration (PSK)
Telenor's Node-node Config (Transport-mode PSK)
Marcus Mueller's HOWTO using his VPN config tool (X.509). Tool also works with PSK.
Nate Carlson's HOWTO using same tool (Road Warrior with X.509). Unusually, FreeS/WAN is the Road Warrior here.
Oscar Delgado's PDF (X.509, no configs)

Microsoft's Win2k IPsec debugging tips
MS VPN may fall back to 1DES

Safenet SoftPK/SoftRemote

People recommend SafeNet as a low cost Windows client.
SoftRemote seems to be the newer name for SoftPK.

Whit Blauvelt's SoftRemote tips

Jean-Francois Nadeau's Practical Configuration (Road Warrior with PSK)
Terradon Communications' PDF (Road Warrior with PSK)
Red Baron Consulting's PDF (Road Warrior with X.509)

SSH Sentinel

New, popular and well tested.

SSH's Sentinel-FreeSWAN interop PDF (X.509)
Potential problem unless using Legacy Proposal option

For Other Implementations

AshleyLaurent VPCom

Successful interop report, no details

Borderware

I suspect the Borderware client is a rebranded Safenet. If that's true, our Safenet section will help.

Philip Reetz' configs (PSK)
Borderware server does not support FreeS/WAN road warriors
Older Borderware may not support Diffie Hellman groups 2, 5

Checkpoint VPN-1 or FW-1

Text goes here.

Cisco

Text goes here.

F-Secure

Text goes here.

Gauntlet GVPN

Text goes here.

IBM AS/400

Richard Welty's tips and tricks

Lucent

Text goes here.

Netscreen

Errol Neal's settings

Nortel Conitivity

Text goes here.

Radguard

Text goes here.

Raptor (NT)

Text goes here.

Raptor (Solaris)

Text goes here.

Redcreek Ravlin

Text goes here.

Shiva LANRover

Text goes here.

Sun Solaris

Text goes here.

SonicWall

Text goes here.

Timestep

Text goes here.

Watchguard Firebox

Automatic keying works with WatchGuard 5.0+ only.

WatchGuard's HOWTO (PSK)
Ronald C. Riviera's Settings (PSK)

Old known issue with auto keying
Tips on key generation and format (Manual)

Xedia Access Point/QVPN

Hybrid IPsec/L2TP connection settings (X.509)
Xedia's LAN-LAN links don't use multiple tunnels
That explanation, continued

Contents Previous Next