[Openswan Users] KLIPS or NETKEY?
Paul Wouters
paul at xelerance.com
Sat Jan 26 18:09:15 EST 2008
On Sat, 26 Jan 2008, Jason Voorhees wrote:
> This is my first post to this list, I hope you can understand me because
> my English is not very good yet (I think so).
It's fine.
> I decided to investigate on Google and I found there was a problem using
> NETKEY and some packets with DF flag set, right? That made me think I
> should use KLIPS instead because of its better Path MTU Discovery
> implementation as I read in the book but...
>
> 1. Is that "bug" in NETKEY/Openswan already solved?
No. The way fragmentation/path mtu is handled is still different between
klips and netkey.
> 2. What IKE daemon should I use? (the book recommends pluto)
Openswan only uses pluto, so if using openswan, you will be using pluto.
> 3. Should I use KLIPS or NETKEY implementation? Why?
Without reiterating (my own writing in the book): KLIPS for now, unless
you need IPv6. But it's easy to try NETKEY first, since that does not
require a kernel recompile.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155