[Openswan Users] Re: KLIPS or NETKEY on 2.6 kernels

[mcr at xelerance.com]

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    >>> And for that matter, the 2.3.1 tarball now has
    >>> doc/2.6.known-issues instead, but it still has the same
    >>> paragraph: * compression seems to be incompatible between KLIPS
    >>> and NETKEY.

    >> Well this is simply incorrect.  Paul, could you please correct
    >> this?

    Paul> Having done some debugging, it seems that the bug is not in
    Paul> the stack. I have run a successfull interop with compression
    Paul> enabled.  However, there does seems to be an issue when
    Paul> changing phase1 from compression to no-compression or visa
    Paul> versa, and breaking the phase2. When switching, I had to
    Paul> completely tear down everything and restart both phase 1 and
    Paul> phase 2.

  I don't understand.
  You mean that you:
      a) have ipsec.conf conn "foo" with compress=yes
      b) "ipsec auto --add foo"
      c) "ipsec auto --up foo"
      d) edit ipsec.conf to change compress=no
      e) "ipsec auto --replace foo"
      f) "ipsce auto --up foo"

- -- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQm0foYqHRg3pndX9AQEoyQQA7Q5IH15DgVRfyjhGO6wKsXzj004OHfOl
3aT3BwBm3JZTvvcavZJc5o68H1GKnN5Q2GNxIQDAlgoUrKfECz4CgeAWkRZwN8gS
/E2oBlD2kM0jSNFtFURQULEMuNPeM5YuLlX/cTjK7HZeqH/RYof9Q0r8eCNmt5Is
MsgtK/z5U88=
=DKzz
-----END PGP SIGNATURE-----