[Openswan Users] Initiate IKE on an outbound packet

Philip Bellino pbellino at mrv.com
Wed Oct 7 16:25:01 EDT 2009


Paul,
My system hangs solid, can't ping it, mouse doesn't work, cannot
Ctrl-C, etc.
Thanks,
Phil

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Wednesday, October 07, 2009 4:04 PM
To: Philip Bellino
Cc: users at openswan.org
Subject: RE: [Openswan Users] Initiate IKE on an outbound packet

On Wed, 7 Oct 2009, Philip Bellino wrote:

> Using auto=route with KLIPS on my 2.6.27.21-78.2.41.fc9 hangs the
> entire system. I thought I saw an outstanding Openswan bug (795) on
> this.

Hangs as in kernel crash? Or network hang? You'd need oe=off.

> We then tried it with the protostack as netlink and it didn't initiate
> IKE negotiations on traffic.

I need to look into this. We have not done much testing for this with
netkey.

> Does using "oe=on" in the ipsec.conf file buy us anything?
> We see that whack has an option "%opportunistic".  Does using this
> initiate IKE negotiations on traffic?

No, it will do IPSEC key DNS record lookups to find public keys for all
IPs you try to connect to, which is not what you want.

Paul

