[Openswan Users] openswan & kernel 2.6

Salvatore Basso sasab at pixteam.com
Wed Jun 30 12:12:33 CEST 2004


Hi, and thanks for your exhaustive answer. I have tried to make ipsec/kernel 2.6 and klips for 2.6 cohabit, but I have had some problems, and so I think that this means upsetting the integration of ipsec in kernel 2.6; therefore I think that I will use kernel 2.4/openswan, but where I am forced to, I will use kernel 2.6/ipsec-tool.
Thanks again for the very clear answer.

----------
        
        Salvatore.


----- Original Message ----- 
From: "Dominique Blas" <ml at blas.net>
To: <users at lists.openswan.org>
Sent: Wednesday, June 30, 2004 2:35 AM
Subject: Re: [Openswan Users] openswan & kernel 2.6


> On Monday 28 June 2004 13:28, Salvatore Basso wrote:
> > Hi, what advantages do I get from using openswan on kernel 2.6, having to use nat-t as well? I ask this question because in kernel 2.6 the "klips" functionality is already included, and with ipsec-tool I can replace "pluto". My question is intentionally provocative because I would like to understand exactly which platform is better to choose! Thanks for the support that you always give me.
> > 
> Hi Salvatore,
> 
> So do I: I said to myself a few months ago that, since the 2.6 kernel has its own 2.6 ipsec code, it would be simpler for me to maintain my VPN headers around the world while migrating to 2.6.
> 
> Above all I had problems with freeswan 1.x: it was unable to accept PSK and X509 clients simultaneously.
> 
> And I began to migrate from super-FreeSWAN to native 2.6 IPSEC and racoon. OK, it used to work well till I encountered other problems:
> First, there is no dedicated interface. OK, no problem, it is the way native 2.6 ipsec works (routing decisions and IPSEC policy are decorrelated) and packets going through the tunnel can still be caught via iptables rules.
> That is not a real pb.
> 
> Second, and in a more perverted manner, I was unable to establish a correct routing in some conditions through the tunnels (see my mail from today). And that point was particularly difficult to accept.
> In fact, Herbert reminded me of the behaviour of native IPSEC under 2.6 and now everything works fine (I have to wait a few days to see if this new configuration is stable, however).
> Nevertheless I switched from racoon to openswan (2.1.3 currently) for the reasons I explained in a previous mail.
> 
> In conclusion, you can use openswan-2 with native IPSEC
> Advantages: you keep your 2.6 kernel as is and you only need to compile openswan programs; moreover you have the opportunity of IPSEC on IPv6 (don't know if someone tested it [with racoon or ikekmpd since openswan doesn't support it for now]) and a few more algorithms;
> 
> Drawbacks: bear in mind that you are in 2.6 (ipsec policies are decorrelated from routing policies and you have no ipsec interface) and native IPSEC stack is not able to do anything and keeps a few bugs.
> 
> or upcoming openswan-2 with KLIPS for 2.6
> Advantages: full behaviour of KLIPS (interface ipsec0, routing as before)
> Drawbacks: integration just beginning (since this we) so in early stage.
> 
> Hope I could help,
> 
> db