[Openswan Users] Openswan stability/usability on RHEL4/Centos 4

Nigel Metheringham nigel.metheringham at dev.intechnology.co.uk
Mon Sep 12 11:24:50 CEST 2005


I've been testing Openswan 2.3.1 on a Centos 4/4.1 platform using kernel
2.6.9-11.EL.  Originally I was using netkey, with moderate success
although I had encountered a couple of oddities (I'll put a note about
those in at the bottom of this mail).  So I decided to try rebuilding
the packages for KLIPS.

The 2.3.1 rpms (built from the openswan source rpm, with sufficient tweaks
to make the build work for KLIPS) panic as soon as you establish an
IPsec SA.

So I tried the 2.4.0rc6 rpms.  This appeared to work pretty well.  But
then, when left over the weekend, the box panicked after less than 24 hours
while in a basically idle state.  I don't have the trace for this, but
the error was similar to that of Ravi Verma in August.

However I'm wondering whether I should avoid KLIPS for the RHEL4/Centos
4 series - indications on the list appear to be that there are problems
with interoperation with this kernel series.

Is anyone running KLIPS successfully long term on 2.6.9-11.EL?


	Nigel.

Openswan/Netkey issues
----------------------
(with Openswan 2.3.1 against netkey from 2.6.9-11.EL)
      * Requires a default route to be set before bringing up ipsec.
        This is down to the (redundant) code for KLIPS bring up
        effectively using ipsec0=%defaultroute even though this is
        redundant.
      * Additionally, on the left box, having rightnexthop=%defaultroute
        can require that a default route is set on the left box. This is
        obviously a userspace rather than a KLIPS/netkey issue.
      * If you have a default source set on the routes down the ipsec
        tunnel then the interface/ip of that default source becomes
        unavailable on the box - pings to it go down the tunnel to the
        other end!!!

-- 
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
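A pre-flight check for the three netkey oddities listed in the mail, added here as an example (it is neither Nigel's code nor Openswan's); the helper names are hypothetical, and the route table and ipsec.conf snippets are constructed sample input.

```sh
#!/bin/sh
# Pre-flight check for the three netkey oddities in the mail above (added example,
# hypothetical helper names). Functions take the route table and ipsec.conf as text
# so the check runs offline against a constructed sample; feed `ip route show`
# and /etc/ipsec.conf on a live box.

# Oddities 1 and 2: Openswan's %defaultroute lookup needs a default route.
has_default_route() {
    printf '%s\n' "$1" | grep -q '^default '
}

# Oddity 2: does the config lean on nexthop=%defaultroute?  ($1: ipsec.conf text)
uses_defaultroute() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(left|right)?nexthop=%defaultroute'
}

# Oddity 3: a route toward the remote subnet that pins a local src address.
# $1: route table text; $2: rightsubnet.  Prints "<dst> src <addr>" per hit.
routes_with_src() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        $1 == dst { for (i = 1; i <= NF; i++) if ($i == "src") print $1, "src", $(i+1) }'
}

# Runs every check; returns 0 when clean, 1 when something would bite.
# $1: route table text; $2: ipsec.conf text; $3: rightsubnet
preflight() {
    rc=0
    if ! has_default_route "$1"; then
        echo "no default route: ipsec bring-up under netkey will fail"; rc=1
        if uses_defaultroute "$2"; then
            echo "  nexthop=%defaultroute cannot resolve either; set an explicit nexthop"
        fi
    fi
    bad=$(routes_with_src "$1" "$3")
    if [ -n "$bad" ]; then
        echo "route to $3 pins a src; that address stops answering locally: $bad"; rc=1
    fi
    return $rc
}

# Constructed sample input using RFC 5737 documentation addresses (not from the mail).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.1.0.0/16 via 192.0.2.1 dev eth0 src 192.0.2.10'
SAMPLE_CONF='conn lab
        left=192.0.2.10
        rightsubnet=10.1.0.0/16
        rightnexthop=%defaultroute'
preflight "$SAMPLE_ROUTES" "$SAMPLE_CONF" 10.1.0.0/16 || echo "preflight: problems found"
```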