[Openswan Users] Questions from a beginner ;)

Toby Corkindale openswan at wintrmute.net
Fri Aug 20 15:36:19 CEST 2004

On Fri, Aug 20, 2004 at 09:18:54AM -0400, David Clymer wrote:
> Thus quoth Thomas Henneberger:
> > To: users at openswan.org
> > From: Thomas Henneberger <T.Henneberger at Hcs-Computer.de>
> > Subject: [Openswan Users] Questions from a beginner ;)
> > 
> > Hello list
> > 
> > The first decision I have to make is what Distribution and Kernel to 
> > use. According to some docs
> > I read I could use a 2.6 Kernel with the internal IpSec-stack and just 
> > install the Userland-Tools, other docs tell me that using a 2.6 Kernel 
> > could make problems with Klips and the internal Ipsec stack. Some people 
> > told me to use a 2.4 Kernel and stick with Klips. Nate Carlson writes 
> > that a 2.4. Debian should work fine without touching the Kernel.
> > All that got me confused ;)
> > 
> Openswan will work with both, so whichever you choose will work just
> fine. However, one noticeable difference between the two is that, when
> you set up a VPN with KLIPS, you "see" the unencrypted traffic come in 
> on its own interface (called ipsec0, ipsec1, etc, depending on how many
> you've set up). This is not the case with the "native" kernel code. If
> you are planning to set up firewall rules on this box, you may find it
> useful to have an ipsec interface for use in categorizing or
> differentiating traffic which comes in on the VPN from unencrypted (and
> less trusted?) traffic which is received on your ethernet interface.

Note that you can still categorise the traffic from a firewall point of view
on 2.6, but that you can't use tcpdump to view both.
i.e. on 2.4 you can do
tcpdump -i ppp0    # views encrypted traffic
tcpdump -i ipsec0  # views unencrypted traffic

but on 2.6, you can only do
tcpdump -i ppp0    # views encrypted traffic

Also, the way you categorise traffic at the firewall is different, too.


Turning and turning in the widening gyre/The falcon cannot hear the falconer;
Things fall apart, the centre cannot hold/Mere anarchy is loosed upon the world
(gpg --keyserver www.co.uk.pgp.net --recv-key 897E5FF3)
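An added example (not part of this thread or of Openswan itself) of the firewall difference Toby refers to: under KLIPS the decrypted packets arrive on ipsec0, so the interface name alone classifies VPN traffic, while under the native stack they reappear on ppp0 and must be classified with the netfilter policy match. It assumes the policy match (`-m policy`, the xt_policy module of later 2.6 kernels) is available, and uses ppp0/ipsec0 from the post as the interface names.

```shell
#!/bin/sh
# Classifying decrypted VPN traffic at the firewall: KLIPS vs native 2.6 IPsec.
# Added example, not from the mailing list post. Assumes the iptables policy
# match (xt_policy) exists on the native-stack kernel.
# IPT defaults to iptables; set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"

# KLIPS: decrypted packets come in on ipsec0, so "-i ipsec0" is the VPN traffic
# and everything else on ppp0 is plain, untrusted Internet traffic.
klips_rules() {
    $IPT -A INPUT -i ipsec0 -j ACCEPT                   # decrypted VPN traffic
    $IPT -A INPUT -i ppp0 -p esp -j ACCEPT              # ESP envelope on the outer link
    $IPT -A INPUT -i ppp0 -p udp --dport 500 -j ACCEPT  # IKE
    $IPT -A INPUT -i ppp0 -j DROP                       # anything else from the Internet
}

# Native stack: there is no ipsec0; the decrypted packet is re-injected on ppp0,
# so match on the inbound IPsec policy it was decrypted under instead.
native_rules() {
    $IPT -A INPUT -i ppp0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT  # decrypted VPN traffic
    $IPT -A INPUT -i ppp0 -p esp -j ACCEPT                                     # ESP envelope
    $IPT -A INPUT -i ppp0 -p udp --dport 500 -j ACCEPT                         # IKE
    $IPT -A INPUT -i ppp0 -m policy --dir in --pol none -j DROP                # never went through IPsec
}

# Pick the rule set for the stack in use: "klips" or "native".
ipsec_firewall() {
    case "$1" in
        klips)  klips_rules ;;
        native) native_rules ;;
        *) echo "usage: ipsec_firewall klips|native" >&2; return 1 ;;
    esac
}
```

Run with `IPT=echo sh script.sh` first to review the generated rules before applying them as root.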
