[Openswan Users] Openswan+Ipv6 problem....again....

Paul Wouters paul at xelerance.com
Tue May 18 15:54:03 CEST 2004


On Tue, 18 May 2004, zze-DURBEC Mathieu FTRD/DTL/ISS wrote:

> I understand that you can't use both FreeSWAN KLIPS and native kernel
> IPsec...
> But I can't find a solution to do what I need.
> What I have to do is to setup opportunistic encryption with ipv6 on a
> linux system.

If you manage to run static tunnels with ipv6 (see recent postings to the list)
then OE should not be any harder. Though there might be some dns queries
that need to be extended for ipv6.

> But I've heard that you can't do opportunistic encryption with new
> kernels ( > 2.6 )...

You can do OE with 2.6 kernels, but the first packet is lost on an
-EAGAIN error, because the 2.6 kernel, unlike KLIPS, doesn't cache that
first packet that triggers the tunnel setup. There have been some talks on
the kernel/net mailing lists about this I believe, where someone else had
a non-ipsec issue with the same problem. I believe the kernel people are
addressing this issue.

> Do you know what I should use (kernel, FreesWan or OpenSWAN, which patch
> ?) ??

If you need OE, you can only use Openswan/FreeS/WAN.
If you need 2.6 native support, you can only use Openswan-2.
If you need ipv6 support, you can only use the 2.6 native IPsec.

So you'll have to work with openswan-2 using the 2.6 kernel.
 
Paul 


