Fwd: Re: [Openswan Users] Debian 2.4.26 and Openswan 2.1.3

David Clymer dclyme at hrcsb.org
Mon Sep 13 10:48:32 CEST 2004

Thus quoth t.henneberger at hcs-computer.de:
> To: users at lists.openswan.org
> From: t.henneberger at hcs-computer.de
> Subject: [Openswan Users] Debian 2.4.26 and Openswan 2.1.3
> Hello,
> I am currently in the process of setting up a VPN between linux and win2k.
> After reading many howtos, forums and mailing lists I decided to use Openswan
> and Debian.

good choice ;o)

> I was told that Kernel 2.4 would be a good idea as Klips is the better
> known solution and works just fine. I was also told that I don't have
> to touch the Kernel if I use a Debian 2.4.26 as it has native IPSec.

I'm not sure what keeps you from wanting to "touch the kernel," is it
just unfamiliarity with the process of compiling a kernel? If so, take a
look at

If you are worried about ensuring that you have the same configuration
in your new kernel as you do in your current one, you can always use
the kernel config found in /boot/config-`uname -r`

> This is where my trouble begins. If 2.4.26 has backported IPSec, I can't 
> use Klips, but have to use Setkey, right?

You can't use klips without doing some extra work - compiling the
kernel and the klips module(s) for it, etc, but you _can_ use it.

Don't worry about setkey. Just use openswan in the normal fashion.

> /ipsec verify returns that Ipsec native is installed and that setkey is ok.
> I tried to follow Nate Carlson's howto, where he says "If you use 2.4.26 
> you don't have to touch the kernel", but from then on he only describes
> ipsec.conf, which would be the configuration for Klips.... ack.

You configure openswan for klips and native the same way, except you
don't need to define virtual interface mappings for native ipsec
(for example: interfaces="ipsec0=eth0 ipsec1=eth1" or whatever the
syntax is).

> I would like to use Klips as it is better documented, and because the Ipsec-Tools
> for Windows use the same syntax for the configuration.

Then use KLIPS, but you will have to "touch the kernel." The KLIPS patch
is available as kernel-patch-openswan (if you want to compile it as part
of the kernel) or as openswan-modules-source if you just want to compile
the module for the running kernel. Note that native and klips modules
should not be loaded at the same time.
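
Added example (not part of the original message): a small check for the last point above, reporting whether a module listing shows KLIPS, the native stack, or both loaded at once. The module names (`ipsec` for KLIPS; `af_key`, `esp4`, `ah4`, `ipcomp`, `xfrm_user` for native) and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which IPsec stack a /proc/modules-style listing shows.
# Assumed module names: "ipsec" is KLIPS; af_key, esp4, ah4, ipcomp and
# xfrm_user belong to the native (backported) stack.

ipsec_stack() {
    # $1: file in /proc/modules format; defaults to the running kernel's list.
    # Prints one of: klips, native, conflict, none.
    # "none" also covers a stack compiled into the kernel rather than as modules.
    awk '
        $1 == "ipsec" { klips = 1 }
        $1 ~ /^(af_key|esp4|ah4|ipcomp|xfrm_user)$/ { native = 1 }
        END {
            if (klips && native) print "conflict"
            else if (klips)      print "klips"
            else if (native)     print "native"
            else                 print "none"
        }
    ' "${1:-/proc/modules}"
}

demo() {
    # Constructed sample listings (name, size, use count), not real captures.
    dir=$(mktemp -d)
    printf 'ipsec 262144 2\nip_tables 12288 1\n' > "$dir/klips_only"
    printf 'af_key 24576 0\nesp4 8192 0\nah4 4096 0\n' > "$dir/native_only"
    cat "$dir/klips_only" "$dir/native_only" > "$dir/both"
    for f in klips_only native_only both; do
        printf '%s: %s\n' "$f" "$(ipsec_stack "$dir/$f")"
    done
    rm -rf "$dir"
}

demo
```

A result of `conflict` means one of the two stacks should be unloaded before starting openswan.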

