[Openswan Users] openswan & kernel 2.6

Dominique Blas ml at blas.net
Wed Jun 30 03:35:25 CEST 2004


On Monday 28 June 2004 13:28, Salvatore Basso wrote:
> Hi, what advantages do I get from using openswan on kernel 2.6, given that I also have to use nat-t? I ask this question because in the 2.6 kernel the "klips" functionalities are already included, and with ipsec-tool I can replace "pluto". My question is intentionally provocative because I would like to understand exactly which platform is better to choose! Thanks for the support that you always give me.
> 
Hi Salvatore,

So do I: I said to myself a few months ago that, since the 2.6 kernel has its own 2.6 ipsec code, it would be simpler for me to maintain my VPN headers around the world while migrating to 2.6.

Above all I had problems with freeswan 1.x: it was unable to accept PSK and X509 clients simultaneously.

And I began to migrate from super-FreeSWAN to native 2.6 IPSEC and racoon. OK, it used to work well until I encountered other problems:
	First, there is no dedicated interface. OK, no problem, it is the way native 2.6 ipsec works (routing decisions and IPSEC policy are decorrelated)
		and packets going through the tunnel can still be caught via iptables rules.
	That is not a real problem.

	Second, and in a more perverted manner, I was unable to establish a correct routing in some conditions through the tunnels (see my mail from today). And that point was particularly
		difficult to accept. 
	In fact, Herbert reminded me of the behaviour of native IPSEC under 2.6 and now everything works fine (I have to wait a few days to see if this
	new configuration is stable however).
	Nevertheless I switched from racoon to openswan (2.1.3 currently) for the reasons I explained in a previous mail.

In conclusion, you can use openswan-2 with native IPSEC
	Advantages : you keep your 2.6 kernel as is and you only need to compile openswan programs
		moreover you have the opportunity of IPSEC on IPv6 (don't know if someone tested it [with racoon or ikekmpd since openswan doesn't support it for now])
			and a few more algorithms;

	Drawbacks : bear in mind that you are in 2.6 (ipsec policies are decorrelated from routing policies and you have no ipsec interface)
		and native IPSEC stack is not able to do anything and keeps a few bugs.

 or upcoming openswan-2 with KLIPS for 2.6
	Advantages : full behaviour of KLIPS (interface ipsec0, routing as before)
	Drawbacks : integration just beginning (since this we) so in early stage.

Hope I could help,

db
> ----------
>         
>         Salvatore.