[Openswan Users] Routing problem with NETKEY

Paul Wouters paul at xelerance.com
Fri Aug 4 12:18:56 EDT 2006

On Fri, 4 Aug 2006, Jani Joki wrote:

> > Can you put an 'ipsec barf' output somewhere on website and give us the
> Which portion of the barf are you interested in? It does contain
> information I'd rather not disclose, such as my firewall rules.

Editing/censoring the barf makes it less useful, as people tend to
make mistakes when anonymising it. If you allow protocol 50 and udp
500 and don't use nat, then the firewall rules section isn't that
interesting and could be skipped.

> I have no great love for netkey - I just used it as it came with FC5
> standard and thought it would make things easier. I understand that netkey
> and klips cannot be used simultaneously - are there any instructions
> anywhere on how to remove netkey and go to klips? Do I just need to rebuild
> a kernel that supports klips rather than netkey?

Yes, and if you don't need NAT traversal, then you can just build the module
against your current kernel, and don't need to boot into another kernel.
Just unload the ah4 esp4 ipcomp af_key modules and if the ipsec module is
available, openswan will pick up on that.

> Hrm. My internet connection is a full 100Mbs connection - would it
> not affect my throughput if I lower the MTU on all packets? Is there
> a way to just lower the MTU for the packets destined for the tunnel
> rather than all packets?

Yes, you could try to only lower the mtu for certain destinations, using
advanced routing (e.g. the super badly undocumented 'ip' command).

Building and integrating Virtual Private Networks with Openswan:
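The two things Paul suggests above (unload the NETKEY modules so openswan can use a KLIPS `ipsec` module, and lower the MTU only for traffic to the remote subnet with a per-route `mtu` attribute instead of changing the interface MTU) can be scripted. The script below is an added example, not code from the list post or from the Openswan project; the subnets, next hop and MTU value are placeholders, and `DRY_RUN=1` prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example for the NETKEY -> KLIPS switch and the per-destination MTU.
# Everything about the local network here is a placeholder.

NETKEY_MODULES="ah4 esp4 ipcomp af_key"

# Run a privileged command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print the NETKEY modules that are currently loaded (return 1 if none).
# $1: modules list to read, defaults to /proc/modules; a test can pass a
# constructed copy in the same format.
netkey_modules_loaded() {
    modfile="${1:-/proc/modules}"
    found=""
    for m in $NETKEY_MODULES; do
        if grep -q "^$m " "$modfile" 2>/dev/null; then
            found="$found $m"
        fi
    done
    found="${found# }"
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Is a KLIPS 'ipsec' module built for the running kernel?
# $1: module directory, defaults to /lib/modules/$(uname -r).
klips_available() {
    moddir="${1:-/lib/modules/$(uname -r)}"
    find "$moddir" -name 'ipsec.ko*' 2>/dev/null | grep -q .
}

# Unload NETKEY so that openswan picks up the KLIPS module instead.
unload_netkey() {
    for m in $NETKEY_MODULES; do
        run rmmod "$m"
    done
}

# Lower the MTU only for packets to the subnet behind the tunnel:
# a route with its own mtu leaves every other destination untouched.
# $1: destination prefix, $2: next hop, $3: MTU for that route.
tunnel_route_mtu() {
    run ip route replace "$1" via "$2" mtu "$3"
}

# Extract the mtu value from one line of 'ip route show' output so the
# setting can be verified; prints nothing if the route has no mtu.
route_mtu_of() {
    printf '%s\n' "$1" | sed -n 's/.* mtu \([0-9][0-9]*\).*/\1/p'
}

# Example run (placeholder subnet, next hop and MTU):
if [ "${1:-}" = "apply" ]; then
    if netkey_modules_loaded >/dev/null && klips_available; then
        unload_netkey
    fi
    tunnel_route_mtu 10.1.0.0/24 192.168.0.1 1400
    route_mtu_of "$(ip route show 10.1.0.0/24)"
fi
```

Run it as `DRY_RUN=1 sh script.sh apply` first to see the `rmmod` and `ip route` commands it would issue. The per-route `mtu` only affects traffic matched by that route, so the 100 Mb/s link keeps its normal MTU for everything else; if path MTU discovery keeps overriding the value, `ip route` also accepts `mtu lock N` to pin it.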
