[Openswan Users] KLIPS or NETKEY?
Jason Voorhees
jvoorhees1 at gmail.com
Sat Jan 26 18:43:26 EST 2008
Thanks for your answer. I had problems building KLIPS; the ipsec.ko module
just doesn't load (Unknown symbol in module, or unknown parameter).
I'm starting with NETKEY for now, so I hope I don't get errors with RDP
packets or anything else with the DF flag set.
Paul Wouters wrote:
> On Sat, 26 Jan 2008, Jason Voorhees wrote:
>
>> This is my first post to this list, I hope you can understand me because
>> my English is not very good yet (I think so).
>
> It's fine.
>
>> I decided to investigate on Google and I found there was a problem using
>> NETKEY and some packets with DF flag set, right? That made me think I
>> should use KLIPS instead because of its better Path MTU Discovery
>> implementation as I read in the book but...
>>
>> 1. Is that "bug" in NETKEY/Openswan already solved?
>
> No. The way fragmentation/path mtu is handled is still different between
> klips and netkey.
>
>> 2. What IKE daemon should I use? (the book recommends pluto)
>
> Openswan only uses pluto, so if using openswan, you will be using pluto.
>
>> 3. Should I use KLIPS or NETKEY implementation? Why?
>
> Without reiterating (my own writing in the book): KLIPS for now, unless
> you need ipv6. But it's easy to try NETKEY first, since that does not
> require a kernel recompile.
>
> Paul