[Openswan Users]

Paul Wouters paul at xelerance.com
Tue Mar 1 10:31:42 CET 2005


On Mon, 28 Feb 2005, panos wrote:

> When I start openswan I get ... Linux Openswan U2.3.0/K2.6.9-1.724_FC3
> (netkey)
> How do I prevent "netkey" module from being loaded at boot time.

Ensure the ipsec module is loaded before starting openswan. This should
prevent netkey from getting loaded.

> I know should be using automatic keying but our vpn server on the other
> side is not a linux box, but a sonic wall and it only interops with
> manual keying.

If a "VPN box" only supports manual keying, it should be used as a doorstop
at most. With manual keying you will never rekey your connection, so your
entire duration of the VPN is using 1 key, potentially for years. The
encrypted traffic can be logged, and if a year later either openswan or
the "vpn box" is compromised and the key obtained, all communications can be
decrypted. This is not possible when using automatic keying.
I find it hard to believe Sonic wall would sell manual keying only devices.

A simple ADSL router these days supports automatic keying and costs less than
$100. How valuable is your privacy?

> /lib/modules/2.6.9-1.724_FC3/kernel/net/key/af_key.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/ah4.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/esp4.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/ipcomp.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/xfrm4_tunnel.ko

Make sure to unload these with rmmod before loading the ipsec (klips) module.

Paul
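
The module check described in the reply above, as an added dry-run example that is not part of the original post: it reads a listing in /proc/modules format, reports which IPsec stack is present, and prints (without running) the rmmod/modprobe commands. The function names, the sample listing, and unloading in reverse of the quoted insmod order are assumptions of this example.

```shell
#!/bin/sh
# Added example (dry run): nothing here loads or unloads a module.
# Module names are taken from the ipsec_setup output quoted in the post;
# the unload order (reverse of that load order) is an assumption.
NETKEY_MODULES="xfrm4_tunnel ipcomp esp4 ah4 af_key"

# Constructed sample in /proc/modules format: name size refcount deps state addr
sample_listing() {
cat <<'EOF'
xfrm4_tunnel 3908 0 - Live 0xf8a10000
ipcomp 7816 0 - Live 0xf8a20000
esp4 7552 0 - Live 0xf8a30000
ah4 6016 0 - Live 0xf8a40000
af_key 32144 2 - Live 0xf8a50000
e100 33408 0 - Live 0xf8a60000
EOF
}

# is_loaded NAME: reads a listing on stdin, succeeds if NAME is in column 1.
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# stack_in_use: reads a listing on stdin, prints klips, netkey, both or none.
stack_in_use() {
    listing=$(cat); klips=no; netkey=no
    if printf '%s\n' "$listing" | is_loaded ipsec; then klips=yes; fi
    for m in $NETKEY_MODULES; do
        if printf '%s\n' "$listing" | is_loaded "$m"; then netkey=yes; fi
    done
    case "$klips/$netkey" in
        yes/yes) echo both ;;
        yes/no)  echo klips ;;
        no/yes)  echo netkey ;;
        *)       echo none ;;
    esac
}

# unload_plan: reads a listing on stdin, prints the commands an admin would run.
unload_plan() {
    listing=$(cat)
    for m in $NETKEY_MODULES; do
        printf '%s\n' "$listing" | awk -v m="$m" '$1 == m {
            if ($3 > 0) print "# " m " in use (refcount " $3 "): rmmod will fail until its users are stopped"
            print "rmmod " m }'
    done
    printf '%s\n' "$listing" | is_loaded ipsec || echo "modprobe ipsec"
}

sample_listing | unload_plan
```

On a live system, feed it the real listing with `stack_in_use < /proc/modules` before starting openswan.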

