State Of IPSec VPN On CentOS 7: Openswan, StrongSwan, RPM Packages
I looked in the yum repositories for CentOS 7 and I noticed that there are no packages for any of the major open source IPSec VPN apps – Openswan, strongSwan, etc. I’m pretty sure CentOS 6 had Openswan packages.
What is the current consensus w.r.t. building an IPSec VPN “server” (concentrator, whatever) on CentOS 7, that will do site-to-site connections with Cisco hardware at the other end? Is any of the *swan apps still considered the best option for that?
Any guidelines w.r.t. IPSec VPN in general on this platform?
Thanks.
6 thoughts on - State Of IPSec VPN On CentOS 7: Openswan, StrongSwan, RPM Packages
2015-04-14 21:07 GMT+03:00 Florin Andrei:
I think the epel-7 repo provides the strongSwan ipsec package that is required to connect to a Cisco ASA.
libreswan replaced openswan, and is available in the CentOS 7 repo.
I just noticed that strongSwan is in EPEL.
I’m also looking at this comment on ServerFault:
http://serverfault.com/a/655752/24406
If that is accurate, the documentation, and the clustering / load balancing might tilt the balance in the direction of strongSwan.
2015-04-14 21:40 GMT+03:00 Florin Andrei:
Well, both packages can do IPsec to a Cisco ASA without any problems.
I have this one case where the other end of the connection wants to use some specific encryption parameters (specific versions of AES and SHA). I need to make sure that whatever software I use is capable of providing that. Better documentation will certainly help.
And of course, a more actively supported project, with a good security track record, is very important.
All these are factors in choosing between Openswan / Libreswan / strongSwan.
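A site-to-site strongSwan `ipsec.conf` stanza that pins the IKE and ESP proposals to what the remote side demands, as an added example that is not from this thread; the addresses, subnets and algorithm choices are assumed values, and the `/etc/strongswan/` path is what the EPEL package uses:

```conf
# /etc/strongswan/ipsec.conf (constructed example for the EPEL strongSwan package on CentOS 7)
config setup
    # keep IKE and config logging at a useful level so a proposal mismatch is visible in the journal
    charondebug="ike 1, cfg 1"

conn site-to-cisco
    keyexchange=ikev1            # assumed: the Cisco peer in this example uses IKEv1 main mode
    authby=secret                # pre-shared key kept in /etc/strongswan/ipsec.secrets
    left=%defaultroute
    leftid=203.0.113.10          # placeholder: our public address
    leftsubnet=10.10.0.0/16      # placeholder: local network behind this gateway
    right=198.51.100.20          # placeholder: remote gateway
    rightsubnet=10.20.0.0/16     # placeholder: network behind the remote gateway
    # Exactly the cipher, integrity and DH group the peer requires; the trailing '!'
    # makes the proposal strict so nothing weaker is accepted during negotiation.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    ikelifetime=8h               # phase 1 lifetime, matched to the peer's setting
    lifetime=1h                  # phase 2 (IPsec SA) lifetime, matched to the peer's setting
    dpdaction=restart            # dead peer detection: re-establish the tunnel if the peer stops answering
    dpddelay=30s
    auto=start

# /etc/strongswan/ipsec.secrets (constructed example; the PSK is a placeholder)
# 203.0.113.10 198.51.100.20 : PSK "replace-with-a-long-random-secret"
```

After `systemctl start strongswan`, `strongswan statusall` (EPEL's name for the `ipsec` wrapper) prints the algorithms actually negotiated, so a mismatch with the peer's required parameters shows up immediately.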
2015-04-14 22:05 GMT+03:00 Florin Andrei:
Well, you can use any of this software for such basic tasks. I also think that they are almost compatible in their configuration files, so you can later change package if any problems occur.
I think the best choice is the software that comes with CentOS.
I currently use openswan (epel?) on CentOS and Amazon Linux to connect with Checkpoint and Cisco ASA ipsec hardware devices.