strongswan vs openswan

Solution 1:

Libreswan is the project the Openswan developers created after the company they had originally founded to develop Openswan sued them over the trademark. So Libreswan is what we will discuss here.

The most obvious differences are:

  • StrongSwan has much more comprehensive and developed documentation than Libreswan.
  • StrongSwan has support for EAP authentication methods, which make it easier to integrate into heterogeneous environments (such as authenticating to Active Directory). These are less well developed or even missing from Libreswan.
  • StrongSwan can be clustered and load balanced. Libreswan does not seem to have any support to do either.
  • Libreswan supports more hardware crypto accelerators than StrongSwan, but requires kernel patches to do so.

Distro support:

  • StrongSwan is the recommended default in Ubuntu since 14.04.
  • RHEL 7 ships Libreswan, though StrongSwan is available in EPEL.

IPSec-tools was a port of the KAME IPSec userland from BSD to Linux. It appears to be no longer maintained.

Solution 2:

NOTE: See the other answer, this one was correct in 2011, but the landscape has changed in that time and this is no longer the correct answer to the OP's question.


Both OpenSwan and StrongSwan are forks for continued development after FreeS/WAN project closed up shop. However, most of the Linux distributions have moved more towards IPsec-Tools since then.

You can use either one for IPsec on Linux, but unless you have a specific need for them, or you are trying to maintain configuration compatibility with older FreeS/WAN setups, you are probably better off using IPsec-Tools and Racoon (ISAKMP daemon from IPsec-Tools) for any new Linux IPSec Setups.

Tags:

Linux

Ipsec