[Openswan Users] RHEL guides

Paul Wouters paul at xelerance.com
Mon Jun 6 18:19:59 CEST 2005

On Mon, 6 Jun 2005, Gavin Henry wrote:

> Would anyone of you kind soles recommend the use of:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-ipsec-host2host.html
> and
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-ipsec-net2net.html

The first exmaple uses PSK based ipsec connections, which we always recommend, regardless of the 
software being used. 
I find the following advise a bit ironic:

 	"To test the IPsec connection, run the tcpdump	utility to
 	 view the network packets being transfered between the hosts
 	 (or networks) and verify that they are encrypted via IPsec."

Since with NETKEY, you can't reliably look at the data with tcpdump, since netkey hooks into
the networking stack past the point where tcpdump can look.

There are other reasons to choose openswan over racoon. Many more options, much better
regression testing of code, more active development, etc. An important case for scaling
is that to add a ipsec connection to racoon, you have to restart all of racoon, so all your
current IKE sessions are lost and need to be restarted (and they will hit you all at the
same time as a result of that).


More information about the Users mailing list