Building a Robust Linux Security Solution: Page 9 of 15

The Free Secure Wide Area Network (Free S/WAN) project was born as an initiative to offer an open-source, full-featured IPSec implementation for a wide range of target architectures, including the Linux OS. Unlike the Secure Wide Area Network (S/WAN) product offered by RSA Data Security, Free S/WAN is available at no cost, and because all of its cryptographic development takes place outside the United States, strong encryption is included in the standard distribution.

The Free S/WAN package comprises two discrete components: the kernel module and the Internet Key Exchange (IKE) daemon.

As with any other security service, IPSec requires kernel support for the encryption and encapsulation of packet payloads. The Free S/WAN modules must be merged into the standard Linux source tree, and a new kernel must be compiled.

The IKE protocol requires two IPSec gateways to exchange authentication and key-setup information before the actual IPSec tunnel can be constructed. The information negotiated via IKE produces the Security Association (SA), which holds the tunnel credentials that each endpoint maintains for each of its peers. The Free S/WAN IKE daemon is implemented in user space and uses UDP port 500 to exchange data with the remote IPSec peer. This daemon must be compiled and installed for Free S/WAN to operate correctly.
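The IKE exchange described above travels over UDP port 500 inside ISAKMP messages, and a defender watching a gateway can tell the Phase 1 SA negotiation from later encrypted traffic by the fixed 28-byte header alone. The following parser is an added example, not code from the article or from the Free S/WAN project: it decodes the ISAKMP header (RFC 2408), validates its length field against the datagram, and labels the negotiation stage, with the IKEv1 exchange-type values from RFC 2409 and the IKEv2 values from RFC 4306 so one function covers both versions. The two sample datagrams are constructed here with arbitrary cookie and payload bytes; `build_isakmp` exists only to assemble them.

```python
import struct
from dataclasses import dataclass

# ISAKMP fixed header, RFC 2408 section 3.1. Every IKE message on UDP/500
# begins with these 28 bytes, whether or not the rest of it is encrypted.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    32: "Quick Mode", 33: "New Group Mode",            # IKEv1, RFC 2409 App. A
    34: "IKE_SA_INIT", 35: "IKE_AUTH",                 # IKEv2, RFC 4306
    36: "CREATE_CHILD_SA", 37: "INFORMATIONAL",
}

PAYLOAD_TYPES_V1 = {
    0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
    6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "Notification",
    12: "Delete", 13: "Vendor ID",
}

FLAG_ENCRYPTION = 0x01  # IKEv1 "E" bit: payloads after the header are encrypted
ZERO_SPI = bytes(8)     # responder cookie is all zeros until the responder answers


@dataclass(frozen=True)
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTION)


def parse_isakmp(datagram: bytes) -> IsakmpHeader:
    """Parse the fixed header of one UDP/500 datagram, rejecting malformed input."""
    if len(datagram) < ISAKMP_HEADER.size:
        raise ValueError(f"datagram too short for ISAKMP header: {len(datagram)} bytes")
    ispi, rspi, next_payload, version, xchg, flags, msg_id, length = \
        ISAKMP_HEADER.unpack_from(datagram)
    hdr = IsakmpHeader(ispi, rspi, next_payload, version >> 4, version & 0x0F,
                       xchg, flags, msg_id, length)
    # The length field covers the whole message; a mismatch means truncation,
    # trailing garbage or a crafted header, and the message should not be trusted.
    if hdr.length != len(datagram):
        raise ValueError(f"length field {hdr.length} != datagram size {len(datagram)}")
    return hdr


def is_well_formed(datagram: bytes) -> bool:
    """True when the datagram carries a header parse_isakmp accepts."""
    try:
        parse_isakmp(datagram)
        return True
    except ValueError:
        return False


def classify(hdr: IsakmpHeader) -> str:
    """Name the stage of the IKE negotiation a header belongs to."""
    name = EXCHANGE_TYPES.get(hdr.exchange_type, f"unknown ({hdr.exchange_type})")
    if (hdr.major_version, hdr.minor_version) != (1, 0):
        return f"IKEv{hdr.major_version}.{hdr.minor_version} {name}"
    # Phase 1 opens with an all-zero responder cookie, message ID 0 and a
    # cleartext SA payload carrying the initiator's proposals.
    if (hdr.exchange_type in (2, 4) and hdr.responder_spi == ZERO_SPI
            and hdr.message_id == 0 and not hdr.encrypted and hdr.next_payload == 1):
        return f"IKEv1 Phase 1 initiation ({name})"
    if hdr.exchange_type in (2, 4):
        return f"IKEv1 Phase 1 ({name}){', encrypted' if hdr.encrypted else ''}"
    # Phase 2 (Quick Mode) and post-Phase-1 Informationals carry a non-zero
    # message ID and are protected under the Phase 1 SA.
    if hdr.exchange_type in (32, 5) and hdr.message_id != 0:
        return f"IKEv1 Phase 2 ({name}){', encrypted' if hdr.encrypted else ''}"
    return f"IKEv1 {name}"


def build_isakmp(initiator_spi, responder_spi, next_payload, exchange_type,
                 flags, message_id, body, version=(1, 0)) -> bytes:
    """Assemble a header plus opaque body; used here only to construct samples."""
    ver = (version[0] << 4) | version[1]
    return ISAKMP_HEADER.pack(initiator_spi, responder_spi, next_payload, ver,
                              exchange_type, flags, message_id,
                              ISAKMP_HEADER.size + len(body)) + body


# Constructed sample datagrams (not captured traffic). Cookie values and payload
# bytes are arbitrary; only the header fields matter for classification.
SAMPLE_SA_BODY = bytes([0, 0, 0, 12]) + bytes(8)   # generic payload header + filler
MAIN_MODE_MSG1 = build_isakmp(bytes.fromhex("0102030405060708"), ZERO_SPI,
                              next_payload=1, exchange_type=2, flags=0,
                              message_id=0, body=SAMPLE_SA_BODY)
QUICK_MODE_MSG1 = build_isakmp(bytes.fromhex("0102030405060708"),
                               bytes.fromhex("a1a2a3a4a5a6a7a8"),
                               next_payload=8, exchange_type=32, flags=FLAG_ENCRYPTION,
                               message_id=0x1234ABCD, body=bytes(16))

if __name__ == "__main__":
    for dgram in (MAIN_MODE_MSG1, QUICK_MODE_MSG1):
        h = parse_isakmp(dgram)
        print(classify(h), "| next payload:",
              PAYLOAD_TYPES_V1.get(h.next_payload, h.next_payload))
```

Running the block prints one line per sample: the first is recognised as a cleartext Phase 1 initiation, the second as an encrypted Quick Mode message. The length check matters in practice: a parser that trusts the header's length over the UDP payload size is the classic way to read past a buffer, so the function refuses datagrams where the two disagree rather than clamping silently.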

The main advantage of a Network-layer VPN solution is its simplicity: hosts behind the IPSec gateway need not be aware of its existence at all, because no client modification is necessary. IPSec can protect any service that uses the IP layer, typically with a nominal amount of overhead even when the strongest data encryption (3DES) is selected, and often on a relatively inexpensive platform.