Free ipsec software for linux

seppl is both a protocol definition and a software implementation of a new encryption layer for IPv4. seppl project makes use of symmetric cryptography for encrypting the whole traffic on a network. Its implementation is designed around Linux netfilter/iptables.
seppl introduces two new netfilter targets: CRYPT and DECRYPT. A firewall rule may thus be used for encrypting/decrypting the incoming and outgoing network traffic. This makes seppl extraordinarily easy to use, since no daemons need to run for secure communication.
seppl uses the encryption engine of the Linux Cryptographic API which is available in kernel 2.4.22 and newer.
seppl is primarily intended for encrypting wireless LANs (as secure replacement of the broken WEP encryption) and local ethernet networks but may be used for large scale VPN solutions as well.
The protocol seppl relies on is not compatible with any other software. The protocol is open and well defined but there is no implementation other than this reference software.
Why SEPPL, there are already IPSEC, CIPE,...?
CIPE may be used for point-to-point connections only. It has tunnel structure and thus introduces new IP addresses. This is not always desirable. It requires a user space daemon.
IPSEC/FreeSwan is extremely complicated to use. Due to its strange routing scheme it is nearly impossible to use together with routing daemons. IPSEC is heavyweight.
seppl is truely peer-to-peer. It encrypts seamlessly all outgoing traffic and it thus compatible with routing daemons. It is extremely easy to use as well, as it makes no change to the normal routing behaviour. seppl is extremely lightweight.
The Implementation
The implementation consists of three Linux kernel modules: seppl.o, ipt_CRYPT.o and ipt_DECRYPT.o. The former is the in-kernel key manager, the latter are the two new netfilter targets. Both depend on seppl.o.
seppl.o must be inserted into kernel in first place. The key manager may be accessed with the file /proc/net/seppl_keyring. It contains binary key data, and is initially empty. You may add a new key by writing it to that file.
The two Python scripts seppl-ls and seppl-gen-key me be used for key management. seppl-ls may be used for converting seppl keys between the binary format used by /proc/net/seppl_keyring and a human readable XML based format. Simply call seppl-ls for a list of all currently active keys. seppl-gen-key generates a new key from /dev/urandom. By default it will use the XML format. The parameter -x forces binary mode. You may generate and activate two keys "linus" and "alan" by issuing the following command lines:
seppl-gen-key -n linus -x > /proc/net/seppl_keyring
seppl-gen-key -n alan -x > /proc/net/seppl_keyring
seppl-ls without argument lists the new keys saved in the kernel keyring. You may remove all (currently unused) keys by issuing:
echo clear > /proc/net/seppl_keyring
Since seppl is based on symmetric cryptography using shared keys you have to copy newly generated keys to every host you want to connect to your seppl infrastructure. (preferably via SSH or any other secure file transfer) You get a binary copy of your current keyring by issuing:
cat /proc/net/seppl_keyring > keyring.save
Now copy that file keyring.save to all other hosts and issue the following command there:
cat keyring.save > /proc/net/seppl_keyring
That is simple, isnt it?
After doing so you may configure your firewall settings on each host:
iptables -t mangle -A POSTROUTING -o eth0 -j CRYPT --key linus
iptables -t mangle -A PREROUTING -i eth0 -j DECRYPT
This will encrypt all outgoing traffic on eth0 with the key "linus". All incoming traffic is decrypted with either "linus" or "alan", depending on the key name specified in the specific network packet. Unencrypted incoming packets are silently dropped. Use
iptables -t mangle -A PREROUTING -p 177 -i eth0 -j DECRYPT
for allowing both crypted and unencrypted incoming traffic.
Thats it. Youre done. All your traffic on the local subnet is now crypted with seppl.
The default cipher is AES-128. If you dont specify the name of the used key it defaults to "def".
An SysV init script /etc/init.d/seppl is provided. It will load seppls kernel modules and write all keys from the directory /etc/seppl to the kernel keyring. It will not add any firewall rules, however.
Performance issues
The network packets are increased in size when they are crypted, since two new headers and the IV are added. (36 bytes in average) This conflicts on some way with the MTU management of the Linux kernel and results in having all large packets (that is: package size near MTU) fragmented in one large and another very small package. This will hurt network performance. A work-around of this limitation is using the TCPMSS target of netfilter to adjust the MSS value in the TCP header to smaller values. This will increase TCP perfomance, since TCP packets of the size of the MTU are no longer generated. Thus no fragmentation is needed. However, TCPMSS is TCP specific, it wont help on UDP or other IP protocols.
Add the following line before encryption to your firewall setup:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --set-mss $((1500-40-8-16-6-15))
The Protocol
For encryption every single unencrypted packet is taken and converted to a crypted one. Not a single further packet is ever sent.
Original SEPPL counterpart
+------------+ +-----------------------+
| IP-Header | | Modified IP-Header | |
+------------+ +-----------------------+ |
| Payload | | SEPPL-Header | > Unencrypted
+------------+ +-----------------------+ |
| Initialization Vector | |
+-----------------------+ /
| SEPPL-Header |
+-----------------------+ | Crypted
| Payload | |
+-----------------------+ /
The original IP header is kept as far as possible. Only three fields are replaced with new values. The protocol number is set to 177, the fragment offset is set to 0 and the total length is corrected to the new length. All other fields are kept as is, including IP options.
The unencrypted seppl header consists of a one-byte cipher number and a key name. Currently only 0 and 1 are defined as cipher numbers for AES with 128bit key, resp. AES with 192bit key. The key name (7 bytes) may be used to select a specific key in a larger keyring.
The IV is used for CBC coding of the cipher used. It differs from packet to packet, but is not randomly generated. Due to perfomance reasons, only the initial IV on system startup is randomized, all following IVs are generated by incrementing the previous ones.
The crypted seppl header consists of three saved fields of the original IP header (protocol number, fragment offset, total length) and a byte which is always 0 for detecting unmatching keys.
The payload is the original IP-playload, from the TCP/UDP/other header to the end.
Version restrictions:
- seppl interferes with netfilters connection tracking in some way. Thus you will not be able to use NAT in conjunction with seppl. If you use connection tracking in some other way together with seppl your mileage may vary.
- seppl is tested with Linux 2.6.1. Use version 0.3 for Linux 2.4.

NetSPoC is a tool for security managment of large computer networks with different security domains. It generates configuration files for packet filters which are controlling the borders of security domains.
NetSPoC provides its own language for describing the security policy and topology of a network. The security policy is a set of rules that state which packets are allowed to pass the network and which not. NetSPoC is topology aware: a rule for traffic from A to B is automatically applied to all managed packet filters on the path from A to B.
Currently NetSPoC generates ACLs and static routing entries for
Cisco routers with or without firewall feature set,
PIX firewalls and
Linux iptables and ip route.
It supports network address translation, virtual IP addresses for redundancy protocols like VRRP and some dynamic routing protocols.
IPSec encryption is supported as well. A powerful syntax allows to easily define a large number of crypto tunnels of either a hub and spoke topology or a fully meshed topology. Crypto rules define which type of traffic needs to be encrypted. Crypto configuration for Cisco IOS routers and PIX firewalls is generated.
NetSPoCs text based specification language is well suited for integration with CVS or other version control systems. A script is provided for tagging a policy and saving it to a policy database.
This software is actively developed with perl 5.8 under linux. It should be portable to other platforms where perl is available.
Enhancements:
- VERSION:
- TODO:
- NEWS.html:
- Prepare version 3.0.
- index.html: Mentioned crypto. Removed links to email addresses to reduce SPAM. Removed CSPM stuff.
- Netspoc.pm:
- Made code 64 bit clean. This was necessary for complement and left-shift operations on 32 bit IP addresses.

/etc/net represents a new approach to Linux network configuration tasks. /etc/net Scripts is inspired by the limitations of traditional configuration subsystems.
/etc/net provides builtin support for configuration profiles, interface name management, removable device support, full iproute2 command set support, interface dependency resolution, and a QoS configuration framework.
/etc/net provides support for the following interface types: Ethernet, WiFi (WEP), IPv6/IPv6 tunnels, PSK IPSec tunnels, VLAN, PLIP, Ethernet bonding and bridging, traffic equalizer, Pent@NET, usbnet, and PPP.
Due to its modular design, support for new interface types can be added without overall design changes.
Enhancements:
- This release features mostly new features (ip6tables, ebtables, OpenVPN, and tun/tap) and some bugfixes (IP rules, wireless, firewall, and DVB).

Trustix Enterprise Firewall represents a revolution within firewall management software. Trustix Enterprise Firewall is the worlds first WYSIWYG Enterprise Firewall, making it easy-to-use and easy-to-deploy. By utilizing the WYSIWYG GUI, your Enterprise Firewall will be out of the box and implemented in an unbeatable 25 minutes- and without the need for a dedicated systems administrator!
A fully-featured packet-filtering router, Trustix Enterprise Firewall has advanced capabilities including an intuitive graphical user interface (GUI) for visualizing and editing firewall policy.
This unique GUI enables you to manage traffic for all your zones (up to 24) as well as port forwarding, network address translation (NAT) and virtual private network (VPN) configurations.
Packet-filtering enables Enterprise Firewall to act as a router to accelerate data transmission. Meaning no more bottle necks due to time consuming proxies.
IP-address sharing by masquerading or NAT.
The underlying rules generated by the program are then fully optimized before being deployed- thereby optimizing the security and performance of your firewalls architecture, and avoiding errors and duplications.
Trustix Enterprise Firewall uses the IPsec protocol to encrypt data transmitted over the net- extending the security of your network to all arms of your business. Communications between your office and home users are protected using 168-bit 3DES encryption- triple the encryption, triple the security! Enables remote, secure configuration of multiple firewalls from one Windows or Linux desktop.
Trustix Enterprise Firewall Blockades and repel malicious attacks from hackers, Trojans, worms and infected files.
Main features:
- Visualise DMZs - drag and drop security policy deployment
- Integrate branch offices with 3DES encrypted VPN tunnels
- Accelerate internet access times with proxy caching server
- Authenticate remote workers with PKI X.509 certificates
- Ensure high availability with fault tolerant automatic failover

The Net-Policy project allows system administrators to configure and manage their entire network at once. It is initially designed to configure firewall and IPsec connections across an entire network.

Net-policy contains the following components:
net-policy:
This is the core network manager. It is a generic SNMP-based manager and is capable of managing any information configurable via SNMP. It is currently web based with a few more interfaces (Tk, CLI, ...) planned or partially implemented. Its SNMP engine is based on the OpenSNMP and Net-SNMP toolkits. It runs on top of a PostgreSQL database.

After checking out the SVN source code or downloading the tar ball for the net-policy project, run ./np-install as root to help guide you through a complete installation using our graphical installer.

Configurable optional pieces
The net-policy manager is capable of managing the following modules. The management system above is already capable of managing
np-cerberus: A IPsec implementation for linux based on the 2.4 kernel. This code is derived from NISTs IPsec reference project. We ported the code to the 2.4 kernel and added some IPtables specific pieces and re-released it here (with their permission).
np-plutoplus: A IKE implementation which runs on top of np-cerberus. This is code is derived from NISTs IKE reference project. It has been instrumented with SNMP support using the Net-SNMP toolkit.

STD is a Linux-based Security Tool. Actually, it is a collection of hundreds if not thousands of open source security tools. Its a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. Its sole purpose in life is to put as many security tools at your disposal with as slick an interface as it can.
STD is meant to be used by both novice and professional security personnel but is not ideal for the Linux uninitiated. STD assumes you know the basics of Linux as most of your work will be done from the command line. If you are completely new to Linux, its best you start with another live Distro like Knoppix to practice the basics.
STD tools are divided into the following categories:
- authentication
- encryption
- forensics
- firewall
- honeypot
- ids
- network utilities
- password tools
- servers
- packet sniffers
- tcp tools
- tunnels
- vulnerability assessment
- wireless tools
Enhancements:
- Eliminated all windows managers except fluxbox
- built kernel from kernel.org 2.4.21 src. added ntfs/rw, superfreeswan and openmosix patches.
- ntfs rw is very limited. You can basically only modify existing files and only if you dont change the size. Good for making basic registry changes.
- Superfreeswan adds IPSEC support for VPNs.
- OpenMosix adds clustering support with automatic discovery of other nodes.
- Added /usr/bin/tunnels category
- Eliminated /usr/bin/pen-test category and moved tools to /usr/bin/vuln-test
- Moved some tools in /usr/bin/sniff to /usr/bin/tcp-tools
- Eliminated /usr/bin/pen-test category and moved tools to /usr/bin/vuln-test
- ACID/MySQL/Snort configured to work automatically
- update nessus plugins, clamAV signatures, and snort signatures
- If you have 640MB of RAM or more you run boot: knoppix toram and free up the CD drive
- patched orinoco driver is the default. no more patch-orinoco
- Kismet updated to 3.0.1 and is pre-configured for orinoco on eth0
- all init scripts now check the knoppix home dir before copying from the CD.This means that if youre using a persistant home dir the init scripts act as restore scripts
- blockall now allows connections from localhost so you can block all external traffic but still run nessus or ntop or kismet or.....
- added many new tools and updated all existing tools

Fetchmail is a full-featured, robust, well-documented remote-mail retrieval and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections). Fetchmail supports every remote-mail protocol now in use on the Internet: POP2, POP3, RPOP, APOP, KPOP, all flavors of IMAP, ETRN, and ODMR. It can even support IPv6 and IPSEC.
Fetchmail retrieves mail from remote mail servers and forwards it via SMTP, so it can then be read by normal mail user agents such as mutt, elm(1) or BSD Mail. It allows all your system MTAs filtering, forwarding, and aliasing facilities to work just as they would on normal mail.
Fetchmail offers better security than any other Unix remote-mail client. It supports APOP, KPOP, OTP, Compuserve RPA, Microsoft NTLM, and IMAP RFC1731 encrypted authentication methods including CRAM-MD5 to avoid sending passwords en clair. It can be configured to support end-to-end encryption via tunneling with ssh, the Secure Shell.
Fetchmail can be used as a POP/IMAP-to-SMTP gateway for an entire DNS domain, collecting mail from a single drop box on an ISP and SMTP-forwarding it based on header addresses. (We dont really recommend this, though, as it may lose important envelope-header information. ETRN or a UUCP connection is better.)
Fetchmail can be started automatically and silently as a system daemon at boot time. When running in this mode with a short poll interval, it is pretty hard for anyone to tell that the incoming mail link is not a full-time "push" connection.
Fetchmail is easy to configure. You can edit its dotfile directly, or use the interactive GUI configurator (fetchmailconf) supplied with the fetchmail distribution. It is also directly supported in linuxconf versions 1.16r8 and later.
Fetchmail is fast and lightweight. It packs all its standard features (POP3, IMAP, and ETRN support) in 196K of core on a Pentium under Linux.
Fetchmail is open-source software. The openness of the sources is your strongest possible assurance of quality and reliability.
Main features:
- STARTTLS is supported in both POP and IMAP.
- ESMTP AUTH (RFC 2554) is supported.
- Has the capability of adding trace information to the Received header to faciliate mail filtering by mailserver and remote account.
- Fetchmail now has options to handle SSL certificate validation.
- Fetchmail can be told to fall back to delivering via local sendmail if it cant open port 25.
- Support for AUTH=CRAM-MD5 under POP3, a la RFC2195.
- Support for ODMR (On-Demand Mail Relay), RFC 2645.
- Its now easy to deliver mail to a local LMTP socket.
- The interface option now checks both local and remote interface IPs.
- The plugin facility has been enhanced; %h and %p options are now available to pass in the hostname and service port number.
- Added a dropdelivered option to discard Delivered-To headers. This addresses a problem with using fetchmail and postfix as a relay inside a domain; when postfix sees incoming messages with delivered-to headers looking exactly the same as the ones it adds himself, it bounces the message.
- Added --smtpname to set username and domain portion of SMTP "RCPT TO" command. - Added "from" servers IP address to inserted Received line.
- Fetchmail now runs on BeOS, thanks to David Reid .
- In IMAP, unseen-message counting and indexing is now done by SEARCH UNSEEN at the beginning of each poll or re-poll (rather than with the UNSEEN and RECENT responses and FLAGS queries on individual messages). This significantly cuts down on traffic to and from the server, and gives more reliable results.
- The aka option now matches hostname suffixes, so (for example) saying `aka netaxs.com will match not just netaxs.com but also (say) pop3.netaxs.com and mail.netaxs.com.
- Fetchmail can optionally use the RFC 2177 IDLE extension on an IMAP server that supports it. On IMAP servers that dont, it can simulate it using periodic NOOP commands.
- Fetchmail now recognizes the RFC 2449 extended responses [IN-USE] and [LOGIN-DELAY].
- Fetchmail running in daemon mode now restarts itself quietly when the rc file is touched.
- Following recent court decisions and changes in U.S. federal regulatory policy, hooks for Secure Sockets Layer (SSL) are now part of the main fetchmail distribution. The distribution still contains no actual cryptographic code.
- NTLM support under IMAP, so fetchmail can query Microsoft Exchange servers.
- Expunge option can now be used to break POP3 retrieval into subsessions.
- Support for AUTH=CRAM-MD5 under IMAP, a la RFC2195.