[Openswan Users] Status of KLIPS

Chris Patch chrispatch at intrstar.net
Thu Mar 12 17:31:56 EDT 2009

> What's the status of KLIPS today? Is it still an activly developed project 
> that you can rely on, or is it a dead, abandoned project?
> Is there any Linux distribution, preferable firewall/router oriented that 
> ships with a KLIPS enabled kernel?
> I really, really miss the ipsecX interfaces from KLIPS on recent linux 
> kernels with NETKEY, like beeing able to write simple iptables rules based 
> in traffic comming in or going out on the ipsec interface, and beeing able 
> to run tcpdump on the ipsec0 interface for troubleshooting.
> >From a user and firewall admin perspective it was a so much better design 
> to have virtual interfaces to work with.
> Is using the policy module of iptables the de facto way of getting similar 
> functionallity with NETKEY as you had with the ipsecX interfaces with 
> KLIPS, or is there any other method to filter traffic based on whether it 
> is comming from/going to an IPsec tunnel?
> Br // Mathias

I use centos linux 5.2 with NETKEY.  I too used klips in the past.  I periodically do test compiles to see how the fast moving 2.6 series works with klips. 
I have found the best combo for klips to be centos-4.x with a compiled
kernel from Adrian Bunk's 2.6.16.x stable series.  When I do this I use
2.4.13.  I need to test this with 2.6.20 as I have read that 2.4.13 is
now retired from active development.

The way I do the rules for filtering in iptables for NETKEY with eth0 being my outside interface is as follows:

iptables -t mangle -A PREROUTING -i eth0 -p 50 -j MARK --set-mark 0x9
iptables -t mangle -A PREROUTING -i eth0 -p 50 -j RETURN
iptables -t mangle -A PREROUTING -i eth0 -p udp --sport 500 --dport 500
-j MARK --set-mark 0x9
iptables -t mangle -A PREROUTING -i eth0 -p udp --sport 500 --dport 500
iptables -A FORWARD -m mark --mark 0x9 -j ACCEPT
iptables -A INPUT -m mark --mark 0x9 -j ACCEPT

If I am doing roaming clients with nat-t  I add:

iptables -t mangle -A PREROUTING -i eth0 -p udp --sport 500 --dport 4500
-j MARK --set-mark 0x9
iptables -t mangle -A PREROUTING -i eth0 -p udp --sport 500 --dport 4500

My current understanding is the mark survives decryption, so the
decrypted packet still carry the 0x9 mark and are allowed.  If this is
wrong I am sure Paul or someone will chime in.

Chris Patch
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20090312/9cd3d99a/attachment.html 

More information about the Users mailing list