[Openswan Users] KLIPS or NETKEY?

Paul Wouters paul at xelerance.com
Sat Jan 26 18:09:15 EST 2008

On Sat, 26 Jan 2008, Jason Voorhees wrote:

> This is my first post to this list, I hope you can understand me because
> my English is not very good yet (I think so).

It's fine.

> I decided to investigate on Google and I found there was a problem using
> NETKEY and some packets with DF flag set, right? That made me think I
> should use KLIPS instead because of its better Path MTU Discovery
> implementation as I read in the book but...
> 1. Is that "bug" in NETKEY/Openswan already solved?

No. The way fragmentation/path mtu is handled is still different between
klips and netkey.

> 2. What IKE daemon should I use? (the book recommends pluto)

Openswan only uses pluto, so if using openswan, you will be using pluto.

> 3. Should I use KLIPS or NETKEY implementation? Why?

Without reiterating (my own writing in the book): KLIPS for now, unless
you need ipv6. But it's easy to try NETKEY first, since that does not
require a kernel recompile.

