[Openswan dev] Linux VPN
Michael Richardson
mcr at sandelman.ottawa.on.ca
Thu Jun 30 14:09:34 CEST 2005
>>>>> "Ido" == Ido <Goshen> writes:
Ido> 1. IPSEC and QoS - Is there a way to prevent QoS from
Ido> reordering IPSEC packets? Disordering of packets is
Ido> critical to IPSEC. If I understand correctly (probably not), IPSEC
Ido> handling is done within POST_ROUTING. Traffic-shaping queues
Ido> are attached to a device, which is done afterward.
IPsec can tolerate a certain amount of packet re-ordering. It uses a
32 or 64 packet window to receive things.
Neither QoS nor NETKEY or KLIPS IPsec is done within POST_ROUTING.
Ido> 2. IPSEC policy per interface. Can packets be matched upon
Ido> their in/out interface? I haven't seen that an interface can be
Ido> specified in any method of setting IPSEC rules (e.g. spdadd in
Ido> 2.6 native ipsec, or ipsec auto -add in KLIPS of Openswan)
You can not do that.
It will be possible in KLIPS3, but we have no release date for that
yet.
--
] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls [
] mcr @ xelerance.com Now doing IPsec training, see |net architect[
] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device driver[
] I'm a dad: http://www.sandelman.ca/lrmr/ [
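
The receive window mentioned in the reply above, as an added example that is not part of the original message and is not Openswan, KLIPS or NETKEY code: a sliding-bitmap anti-replay check of the kind the ESP RFCs describe, run over a constructed arrival order with a 32-packet and a 64-packet window. The struct, function names and sequence numbers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Receiver-side anti-replay state for one SA (sliding bitmap window). */
struct replay_win {
    uint32_t top;     /* highest sequence number accepted so far */
    uint64_t bitmap;  /* bit i set => sequence (top - i) already seen */
    unsigned size;    /* window size in packets: 32 or 64 */
};

enum verdict { ACCEPT, DROP_REPLAY, DROP_TOO_OLD };
/* Check one sequence number and record it if acceptable. Real ESP/AH code
 * updates the window only after the ICV verifies; assumed authentic here. */
enum verdict replay_check(struct replay_win *w, uint32_t seq)
{
    if (seq == 0) return DROP_REPLAY;       /* sequence numbers start at 1 */
    if (seq > w->top) {                     /* newer: slide the window */
        uint32_t shift = seq - w->top;
        w->bitmap = (shift >= 64) ? 1 : ((w->bitmap << shift) | 1);
        w->top = seq;
        return ACCEPT;
    }
    uint32_t late = w->top - seq;           /* how far behind the newest */
    if (late >= w->size)
        return DROP_TOO_OLD;                /* reordered past the window */
    if (w->bitmap & ((uint64_t)1 << late))
        return DROP_REPLAY;                 /* duplicate sequence number */
    w->bitmap |= (uint64_t)1 << late;
    return ACCEPT;
}

/* Feed an arrival order through a fresh window; return packets dropped. */
int count_dropped(unsigned size, const uint32_t *seqs, int n)
{
    struct replay_win w = { 0, 0, size };
    int dropped = 0;
    for (int i = 0; i < n; i++)
        dropped += (replay_check(&w, seqs[i]) != ACCEPT);
    return dropped;
}

/* Constructed arrivals: mild reordering, a jump to 40, stragglers 9 and 8, a duplicate 40. */
static const uint32_t arrivals[] = { 1, 2, 3, 5, 4, 40, 9, 8, 40 };
int main(void)
{
    printf("window 32: %d dropped\n", count_dropped(32, arrivals, 9));
    printf("window 64: %d dropped\n", count_dropped(64, arrivals, 9));
    return 0;
}
```

Packet 8 arrives 32 sequence numbers behind the newest one, so it is lost with a 32-packet window and kept with a 64-packet one; the duplicate 40 is rejected either way.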