[Openswan Users] KLIPS or NETKEY?

Jason Voorhees jvoorhees1 at gmail.com
Sat Jan 26 18:43:26 EST 2008

Thanks for your answer. I had problems building KLIPS, ipsec.ko module 
just don't load (Unknown symbol in module, or unknown parameter).

I'm starting with NETKEY by now, so I hope don't get errors with RDP 
packets or anything else with the DF flag set.

Paul Wouters escribió:
> On Sat, 26 Jan 2008, Jason Voorhees wrote:
>> This is my first post to this list, I hope you can understand me because
>> my English is not very good yet (i think so).
> It's fine.
>> I decided to investigate on Google and I found there was a problem using
>> NETKEY and some packets with DF flag set, right? That made me thing I
>> should use KLIPS instead because of its better Path MTU Discovery
>> implementation as I read in the book but...
>> 1. Is that "bug" in NETKEY/Openswan already solved?
> No. The way fragmentation/path mtu is handled is still different between
> klips and netkey.
>> 2. What IKE daemon should I use? (the book recommends pluto)
> Openswan only uses pluto, so if using openswan, you will be using pluto.
>> 3. Should I use KLIPS or NETKEY implementation? Why?
> Without reiterating (my own writing in the book): KLIPS for now, unless
> you need ipv6. But it's easy to try NETKEY first, since that does not
> require a kernel recompile.
> Paul

More information about the Users mailing list