[Openswan Users] Should Openswan 2.6.24 do kernel patch?
Paul Wouters
paul at xelerance.com
Sat Feb 6 13:03:44 EST 2010
On Sat, 6 Feb 2010, mix.kao wrote:
> I built openswan 2.6.24 (klips) and kernel 2.6.28 to do IPSec.
> Does openswan still need to patch my kernel source? Or in this
> version, do we not need to patch the kernel?
If you meant the NAT-T patch, then no, you do not. If you are happy
with klips as a module, you do not need to recompile your kernel.
> Another question about the DES encryption
> I know the DES is not secure anymore.
It's not just not secure. It's only slightly better than rot13.
> I installed openswan 2.6.24 on my ARCH Linux with DES support.
> I can get DES support in phase 2 (ESP_DES), but there is no DES support
> in phase 1 (IKE)
You will need to enable 1DES in both userland and klips. klips only
supports 1des via cryptoapi.
> The same version of openswan
> Can I say openswan 2.6.24 still supports DES in phase 1/2, but how to
> enable it or how to make it work?
You must explicitly specify it on the ike/esp lines to use it, as we
do not include 1des in the default proposal list.
Paul