[Openswan Users] Re: ipsec look on 2.6

Paul Wouters paul at xelerance.com
Thu Dec 1 18:53:45 CET 2005


On Thu, 1 Dec 2005, Peter McGill wrote:

> For example, how else would one determine which packets were from
> 10.10.10.0/24 spoofed from internet and which were from 10.10.10.0/24
> branch office tunnel? Would marking incoming ESP packets work, or
> would the marking disappear with the decapsulation?

Marks are preserved, so that works, but I agree that having separate
interfaces is much more manageable.

> When I upgrade to kernel 2.6, in the absence of other significant differences,
> I would choose KLIPS over NETKEY for the ipsecX interfaces. But I'm still
> waiting for 2.6 to become mainstream.

2.6 has become mainstream on full-blown PCs. You cannot run a distro on a
Pentium 4 machine with 2.4 and expect your hardware to work. For embedded
devices, they are still very much on 2.4, though on the move. But the lack of
a "stable" 2.6 kernel is keeping back a lot of people on 2.4 there.

> I suppose if you wanted to make everyone happy, you could make ipsecX
> interfaces a compile option, assuming it didn't create too much extra work.

I'd love to see the features of the stack merge together, though there is no
harm in having choice. It is very unfortunate though that we have no nat-t
support as a netfilter module, so that KLIPS requires a total kernel recompile
at this point. (If anyone wishes to donate resources to this effort, contact
me offlist)

Paul
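The two ways of telling tunnelled 10.10.10.0/24 traffic from spoofed cleartext, written out as iptables rules. This is an added example for the discussion above, not code from Openswan or from either poster. It assumes the Internet-facing interface is eth0, that mark value 0x1 is not used by anything else on the gateway (policy routing, for instance), and for the KLIPS variant that ipsec0 is the virtual interface bound to eth0. The netkey_* functions rely on the point Paul makes, that a mark set on the ESP packet in mangle/PREROUTING is still on the decrypted inner packet when it reaches FORWARD; the klips_* function shows why a separate interface needs no marking at all.

```sh
#!/bin/sh
# Added example, not code from Openswan or the mailing-list posters.
# Assumptions (not stated in the thread): WAN interface eth0, branch LAN
# 10.10.10.0/24, mark 0x1 free for our use, KLIPS interface ipsec0 on eth0.
WAN_IF="${WAN_IF:-eth0}"
BRANCH_NET="${BRANCH_NET:-10.10.10.0/24}"
ESP_MARK="${ESP_MARK:-0x1}"
IPSEC_IF="${IPSEC_IF:-ipsec0}"

# Wrapper so the rules can be reviewed without root: DRY_RUN=1 prints the
# exact iptables command line instead of executing it.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# NETKEY (native 2.6 stack): there is no ipsecX interface, so the decrypted
# packet is seen on $WAN_IF again. Tag the ciphertext in mangle/PREROUTING;
# the mark survives decapsulation, so the inner packet still carries it on
# its second pass through PREROUTING and into FORWARD. Plain ESP is IP
# protocol 50; NAT-T wraps it in UDP 4500 (kernel NAT-T support assumed).
netkey_mark_rules() {
    ipt -t mangle -A PREROUTING -i "$WAN_IF" -p esp -j MARK --set-mark "$ESP_MARK"
    ipt -t mangle -A PREROUTING -i "$WAN_IF" -p udp --dport 4500 -j MARK --set-mark "$ESP_MARK"
}

# Only a marked packet may claim a branch-office source. An unmarked
# 10.10.10.x arriving in cleartext from the Internet never went through
# an SA, so it is spoofed: log it, then drop it.
netkey_filter_rules() {
    ipt -A FORWARD -i "$WAN_IF" -s "$BRANCH_NET" -m mark --mark "$ESP_MARK" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -s "$BRANCH_NET" -j LOG --log-prefix "SPOOFED-BRANCH: "
    ipt -A FORWARD -i "$WAN_IF" -s "$BRANCH_NET" -j DROP
}

# KLIPS: decrypted packets arrive on ipsec0, so the input interface itself
# proves the origin and no mark is needed. Anything with a branch-office
# source still on the raw WAN interface is by definition not from the tunnel.
klips_filter_rules() {
    ipt -A FORWARD -i "$IPSEC_IF" -s "$BRANCH_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -s "$BRANCH_NET" -j DROP
}

# Usage: ./esp-origin.sh netkey | klips   (prefix with DRY_RUN=1 to print only)
case "${1:-}" in
    netkey) netkey_mark_rules; netkey_filter_rules ;;
    klips)  klips_filter_rules ;;
esac
```

The mark rules must sit in the mangle table's PREROUTING chain, because that is the only hook the ESP packet traverses before the kernel decrypts it; a rule in the filter table's INPUT chain would only ever see the ciphertext. If other mark bits are in use on the gateway, match with `--mark 0x1/0x1` rather than the whole value so the check does not break when another subsystem sets a different bit.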
