豆丁微信公众号
君，已阅读到文档的结尾了呢~~
基于OpenSwan的动态VPN实现方案实现,基于,方案,实现VPN,动态,VPN,VPN实现,动态vpn,vpn方案
扫扫二维码，随身浏览文档
手机或平板扫扫即可继续访问
基于OpenSwan的动态VPN实现方案
举报该文档为侵权文档。
举报该文档含有违规或不良信息。
反馈该文档无法正常浏览。
举报该文档为重复文档。
推荐理由：
将文档分享至：
分享完整地址
文档地址：
粘贴到BBS或博客
flash地址：
支持嵌入FLASH地址的网站使用
html代码：
&embed src='http://www.docin.com/DocinViewer-4.swf' width='100%' height='600' type=application/x-shockwave-flash ALLOWFULLSCREEN='true' ALLOWSCRIPTACCESS='always'&&/embed&
450px*300px480px*400px650px*490px
支持嵌入HTML代码的网站使用
您的内容已经提交成功
您所提交的内容需要审核后才能发布，请您等待！
3秒自动关闭窗口不喜欢孤独，却又害怕两个人相处。
Openswan IPsecVPN用户态与内核通讯机制
Openswan IPsec中，应用层(用户态)和内核通信方式接口有三种：netlink，pf_key，proc文件系统。
用户态和内核通信的原因：
数据的加解密操作是在内核中进行的，所以数据要从应用层传输到内核。一般是应用层选定要发送的数据，内核层负责加解密以及推送数据至物理接口处发送。
IPsec中的最关键的SA，SP等相关安全操作等在协商的时候要进行通信。SPDB等都存放在内核中。
pf_key是专门留给KLIPS(kernel IPsec support)的。
PF_KEY socket：
pfkeyfd = safe_socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
内核PF_KEY消息种类：
1.回应应用层的请求1).ACK/NAK(ACK:在数据通信传输中，接收站发给发送站的一种传输控制字符。它表示确认发来的数据已经接受无误。NAK是否定应答或者非应答的缩写。它是一个用于数字通信中确认数据收到但是有小错误的信号)2).注册：内核支持的表明的转换。3).getspi需要的SPI(安全参数索引)。
2.捕获，处理我们收到的包
3.删除一个SA。
4.其他进程的消息。
pluto使用的是netlink。在Openswan IPsec中，内核和用户态之间通常是在协商SA等相关安全关联，安全策略的时候会使用netlink。
NETLINK socket：
netlinkfd = safe_socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
netlink在应用层有一个socket接口，在Openswan源码中的位置在/openswan/openswan-2.6.38/programs/pluto/kernel_netlink.c中。在内核的文件叫/usr/src/kernels/linux-2.6.35.13/net/netlink/af_netlink.c，若Linux系统不一样可用locate命令查找具体位置。(内核socket不在源码中实现，因为Linux kernel 2.6以后的版本已经自己实现了netlink)。
proc文件系统是内核和用户层交换数据。
pluto程序没有/proc是不能运行的。
在Openswan源码中的位置在/openswan/openswan-2.6.38/programs/pluto/ipsec_proc.c中，有兴趣的朋友可以看看。openswan/openswan-2.6.38/programs/proc是Openswan的proc文件系统。
最近才学习的，欢迎批评指正，学习交流。
没有更多推荐了，linux - strongswan vs openswan - Server Fault
Stack Exchange Network
Stack Exchange network consists of 174 Q&A communities including , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.
to customize your list.
This site uses cookies to deliver our services and to show you relevant ads and job listings.
By using our site, you acknowledge that you have read and understand our , , and our .
Your use of Stack Overflow’s Products and Services, including the Stack Overflow Network, is subject to these policies and terms.
What are the differences between OpenSwan and StrongSwan? All I found is
- i.e. current stable of OpenSwan is 2.6 (3.0 in comparison) and current stable for StrongSwan is 4.4 (4.1.7 in comparison) which seems grossly unfair (there is no point in comparing Windows 98 with Ubuntu 10.10 or Mac OS X 10.7 with Slackware 8.0).
After reading some websites, StrongSwan seems to be better maintained while OpenSwan seems to be more popular.
NOTE: See the , this one was correct in 2011, but the landscape has changed in that time and this is no longer the correct answer to the OP's question.
Both OpenSwan and StrongSwan are forks for continued development after FreeS/WAN project closed up shop.
However, most of the Linux distributions have moved more towards
since then.
You can use either one for IPsec on Linux, but unless you have a specific need for them, or you are trying to maintain configuration compatibility with older FreeS/WAN setups, you are probably better off using IPsec-Tools and Racoon (ISAKMP daemon from IPsec-Tools) for any new Linux IPSec Setups.
7,81212642
is the project the Openswan developers created after the company they had originally founded to develop Openswan sued them over the trademark. So Libreswan is what we will discuss here.
The most obvious differences are:
has much more comprehensive and developed documentation than .
StrongSwan has support for EAP authentication methods, which make it easier to integrate into heterogeneous environments (such as authenticating to Active Directory). These are
from Libreswan.
StrongSwan can be . Libreswan does not seem to have any support to do either.
Libreswan supports
than StrongSwan, but requires kernel patches to do so.
Distro support:
StrongSwan is the recommended default in Ubuntu .
RHEL 7 ships Libreswan, though StrongSwan is available in EPEL.
IPSec-tools was a port of the KAME IPSec userland from BSD to Linux. It appears to be no longer maintained.
152k25286573
Your Answer
Sign up or
Sign up using Google
Sign up using Facebook
Post as a guest
Post as a guest
By clicking &Post Your Answer&, you acknowledge that you have read our updated ,
and , and that your continued use of the website is subject to these policies.
Not the answer you're looking for?
Browse other questions tagged
Server Fault works best with JavaScript enabled用OpenSWAN做Linux下的IPSec VPN的详细配置指南_百度文库
您的浏览器Javascript被禁用，需开启后体验完整功能，
享专业文档下载特权
&赠共享文档下载特权
&10W篇文档免费专享
&每天抽奖多种福利
两大类热门资源免费畅读
续费一年阅读会员，立省24元！
用OpenSWAN做Linux下的IPSec VPN的详细配置指南
阅读已结束，下载本文需要
想免费下载本文？
定制HR最喜欢的简历
下载文档到电脑，同时保存到云知识，更方便管理
加入VIP
还剩10页未读，
定制HR最喜欢的简历
你可能喜欢