[Openswan Users]

panos panos at kamaradata.com
Tue Mar 1 07:26:09 CET 2005


The sonic wall supports most methods of keying.
But I could only get it to inter-op with openswan with manual keying.
But that was one of the reasons to experiment with a new kernel and a
later version of openswan.

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Tuesday, March 01, 2005 1:32 AM
To: panos
Cc: users at openswan.org
Subject: RE: [Openswan Users]

On Mon, 28 Feb 2005, panos wrote:

> When I start openswan I get ... Linux Openswan U2.3.0/K2.6.9-1.724_FC3
> (netkey)
> How do I prevent "netkey" module from being loaded at boot time.

Ensure the ipsec module is loaded before starting openswan. This should
prevent netkey from getting loaded.

> I know I should be using automatic keying but our vpn server on the
> other side is not a linux box, but a sonic wall and it only interops with
> manual keying.

If a "VPN box" only supports manual keying, it should be used as a doorstop
at most. With manual keying you will never rekey your connection, so your
entire duration of the VPN is using 1 key, potentially for years. The
encrypted traffic can be logged, and if a year later either openswan or
the "vpn box" is compromised and the key obtained, all communications can be
decrypted. This is not possible when using automatic keying.
I find it hard to believe Sonic wall would sell manual keying only
devices.

A simple ADSL router these days supports automatic keying and costs less
than $100. How valuable is your privacy?

> /lib/modules/2.6.9-1.724_FC3/kernel/net/key/af_key.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/ah4.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/esp4.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/ipcomp.ko
> ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/xfrm4_tunnel.ko

Make sure to unload these with rmmod before loading the ipsec (klips)
module.

Paul
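The advice above (unload the NETKEY modules, then load the KLIPS ipsec module) fails in practice when a module is still pinned, either by another module that depends on it or by a process holding a PF_KEY socket on af_key. The script below is an added example written for this archive, not code from the thread or from the Openswan project. It reads text in the /proc/modules format (name, size, refcount, comma-terminated list of module users, state, address) from standard input, looks only at the module names quoted in the thread, and prints them in an order rmmod can remove them in, or fails with a message when something other than one of those modules holds a reference. The sample listings inside it are constructed, not captured from a real system; the interpretation "refcount greater than the number of module users means a socket or other non-module reference" is the assumption the check relies on.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Openswan.
# Decide which NETKEY modules are loaded and in what order rmmod can remove
# them before the KLIPS "ipsec" module is loaded.  Input on stdin is the
# /proc/modules format:  name size refcount users state address
# where "users" is "-" or a comma-terminated list of modules using this one.

# Module names taken from the ipsec_setup output quoted in the thread.
NETKEY_MODULES="af_key ah4 esp4 ipcomp xfrm4_tunnel"

# Prints the loaded NETKEY modules one per line, each module after every
# module that uses it, so the list can be fed to rmmod top to bottom.
# Exits 1 if a module is pinned by something that is not in the list,
# e.g. af_key held open by a process with a PF_KEY socket (assumption:
# refcount above the number of module users means such a reference).
netkey_unload_order() {
    awk -v want="$NETKEY_MODULES" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
    $1 in wanted {
        order[++count] = $1
        nusers = 0
        if ($4 != "-") {
            m = split($4, u, ",")
            for (i = 1; i <= m; i++) if (u[i] != "") users[$1, ++nusers] = u[i]
        }
        nuser[$1] = nusers
        if ($3 + 0 > nusers) {
            printf "%s: held by a non-module user (refcount %s)\n", $1, $3 > "/dev/stderr"
            busy = 1
        }
    }
    END {
        if (busy) exit 1
        done = 0
        while (done < count) {
            progressed = 0
            for (k = 1; k <= count; k++) {
                mod = order[k]
                if (mod in out) continue
                blocked = 0
                for (j = 1; j <= nuser[mod]; j++) {
                    usr = users[mod, j]
                    # a user outside the NETKEY set will not go away here
                    if (!(usr in wanted)) {
                        printf "%s: used by %s\n", mod, usr > "/dev/stderr"
                        exit 1
                    }
                    if (!(usr in out)) blocked = 1
                }
                if (!blocked) { print mod; out[mod] = 1; done++; progressed = 1 }
            }
            if (!progressed) { print "dependency cycle" > "/dev/stderr"; exit 1 }
        }
    }'
}

# Constructed /proc/modules excerpt (not real output): ipcomp uses
# xfrm4_tunnel, and an unrelated module (ipv6) is present and ignored.
SAMPLE_MODULES='esp4 9000 0 - Live 0xf8a00000
ah4 7000 0 - Live 0xf8a10000
xfrm4_tunnel 3000 1 ipcomp, Live 0xf8a20000
ipcomp 5000 0 - Live 0xf8a30000
af_key 28000 0 - Live 0xf8a40000
ipv6 200000 10 - Live 0xf8b00000'

# Constructed listing where af_key is pinned by an open PF_KEY socket:
# refcount 1 but no module user, so rmmod af_key would fail.
SAMPLE_BUSY='af_key 28000 1 - Live 0xf8a40000
esp4 9000 0 - Live 0xf8a00000'

# Stand-alone demo on the constructed listings.
printf '%s\n' "$SAMPLE_MODULES" | netkey_unload_order
printf '%s\n' "$SAMPLE_BUSY" | netkey_unload_order \
    || echo "stop the process holding PF_KEY before unloading"
```

On a real host the intended use is, as root, `netkey_unload_order < /proc/modules | xargs -n1 rmmod` before `modprobe ipsec`; if the function reports af_key as held by a non-module user, the usual holder is a still-running pluto or setkey, which has to be stopped first.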


