[Openswan Users] Should Openswan 2.6.24 do kernel patch?

Paul Wouters paul at xelerance.com
Sat Feb 6 13:03:44 EST 2010


On Sat, 6 Feb 2010, mix.kao wrote:

> i built the openswan 2.6.24 (klips) and kernel 2.6.28 to do IPSec.
> Does the openswan still need to patch my kernel source? Or in this
> version, we no need to patch the kernel?

If you meant the NAT-T patch, then no you do not. If you are happy
with klips as a module, you do not need to recompile your kernel.

> Another question about the DES encryption
> I know the DES is not secure anymore.

It's not just not secure. It's only slightly better then rot13.

> I install the openswan 2.6.24 in my ARCH Linux with DES support
> I can get DES support in phase 2 (ESP_DES), but there is not DES support
> in phase 1 (IKE)

You will need to enable 1DES in both userland and klips. klips only
supports 1des via cryptoapi.

> The same version of openswan
> Can i say openswan 2.6.24 still support DES in phase 1/2 but how to
> enable it or how to make it work?

You must explicitely specify it on the ike/esp lines to use it, as we
do no include 1des in the default proposal list.

Paul


More information about the Users mailing list