[Openswan dev] Re: [Openswan Users] Re: KLIPS or NETKEY on 2.6 kernels
Michael Richardson
mcr at sandelman.ottawa.on.ca
Tue Apr 26 23:07:23 CEST 2005
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
>> A little bit near-topic, is this the same issue why IPcomp isn't
>> working between 2.6.x kernels and Check Point FW-1? I did only a
>> test with racoon some time ago and it looked like an SA problem
>> (afair IPcomp SA was separated from encryption SA).
Paul> That is often the case when racoon is misconfigured. People
Paul> often do not believe it, because racoon interops with itself
Paul> in such a broken configuration.
It isn't really racoon's fault.
racoon doesn't try to involve itself with policy --- it is just a
keying daemon.
It assumes that the kernel knows exactly what policy it wants. If you
get the input to setkey wrong, then racoon happily does the wrong thing.
It's a good idea --- putting the configuration in the kernel where the
applications can set it --- unfortunately, it isn't done right.
The policy needs to be *fully* specifiable in that interface,
including phase 1 IDs, authentication materials (RSA keys, PSKs, etc.).
Of course, few application writers (think "Mozilla" or "Evolution")
want to deal with such things, let alone should end-users be given such
knobs.
- --
] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls [
] mcr @ xelerance.com Now doing IPsec training, see |net architect[
] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQm7z1oqHRg3pndX9AQFskQP/ay+KGwMhZ0TySy8YDAK7RXKrCfeuccXT
jYhWWnq8bFMXCHDLnTCGqI/vfE2DS4U3knnk+c1+vjIYkKnvdyickKH8ugRrEgde
o1kSayEKc59hrUkqukFTmYJO9+WO99ax/+79qMBIqstPKhrYVlwpo5LXR5veB3Ck
DpCmYMTZ/yo=
=PFUz
-----END PGP SIGNATURE-----
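The point above, that racoon only keys whatever SAs the kernel's security policy asks for, is easiest to see in a setkey(8) SPD fragment. The following is an added, constructed example and is not from the original message or from the Openswan or ipsec-tools projects; the subnets 10.0.1.0/24 and 10.0.2.0/24, the gateway addresses 192.0.2.1 and 192.0.2.2, the file path, and the choice of the "use" level for the IPcomp rule are all assumptions made for illustration.

```conf
# Constructed setkey(8) policy fragment (added example, not from the message).
# Load with:  setkey -f /etc/ipsec-tools.conf    (path is an assumption)

flush;
spdflush;

# Wrong (commented out): level "use" only protects traffic if an SA already
# exists. With no SA in place the kernel forwards the packets in cleartext,
# and racoon, which merely keys what the SPD asks for, is never at fault.
# spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
#     esp/tunnel/192.0.2.1-192.0.2.2/use;

# Corrected: "require" makes the kernel hold the traffic until an SA exists
# and hands the acquire to racoon, which then negotiates exactly this bundle
# (IPcomp before ESP, so data is compressed before it is encrypted).
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    ipcomp/tunnel/192.0.2.1-192.0.2.2/use
    esp/tunnel/192.0.2.1-192.0.2.2/require;

# The inbound policy must mirror the outbound one on both peers; an
# asymmetric SPD is the usual reason one side ends up with a separate or
# missing IPcomp SA while the ESP SA looks fine.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    ipcomp/tunnel/192.0.2.2-192.0.2.1/use
    esp/tunnel/192.0.2.2-192.0.2.1/require;
```

After loading the file, `setkey -DP` shows the policies the kernel holds and `setkey -D` shows the SAs racoon has actually installed; comparing the two is the quickest way to tell a policy mistake (SPD) from a keying problem (SAD).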