[Openswan Users] Migrating to Netkey
Paul Wouters
paul at xelerance.com
Mon Feb 22 13:58:42 EST 2010
On Mon, 22 Feb 2010, Michael H. Warfield wrote:
>> I am migrating from KLIPS to Netkey (primarily to get IPv6 support).
>> I humbly request all Netkey users to share major problems (if any)
>> they have observed.
>
> I think the primary one I recall is if you have any 0.0.0.0/0 routes
> routing out through the tunnel with a subnet behind the gateway. You'll
> find that the subnet can communicate with the outside world through the
> gateway but can not communicate with the gateway unless you add
> passthrough conns for your local subnets. If you've got more than one
> local subnet, you need one for each subnet and one for each pair of
> subnets. You will also need 2.6.23 or later.
There is also the issue of losing packets on on-demand tunnels, as NETKEY
does not do first+last packet caching while the connection is being set up.
I believe the on-demand tunnels with NETKEY are also having some issues
with netlink acquires at this point.
NETKEY and KLIPS also handle MTU issues differently, so some problems might
show up there.
Furthermore, you have less support for crypto acceleration (no full OCF).
Finally, you'll have to totally redo your firewalling because of the lack of
a virtual interface with NETKEY.
Oh and no SAref tracking support in the NETKEY kernel, making enterprise L2TP
deployments basically impossible.
Paul
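As an added illustration, not part of the thread, this is what the passthrough conns described in the quoted reply look like in ipsec.conf for a NETKEY gateway with two local subnets behind a 0.0.0.0/0 tunnel: one conn per subnet plus one for the pair. The conn names and addresses are made up, and the syntax assumes Openswan's type=passthrough conn type.

```ini
# Added example, not from the thread. A NETKEY gateway whose tunnel policy
# covers 0.0.0.0/0 needs clear-text (passthrough) policies for traffic that
# must not enter the tunnel: LAN to gateway and LAN to LAN. All addresses
# and conn names are constructed. The gateway's LAN addresses are assumed
# to be 192.168.1.1 and 192.168.2.1.

# Subnet 1 to itself (covers hosts reaching the gateway's 192.168.1.1)
conn pass-lan1
    type=passthrough
    authby=never
    auto=route
    left=192.168.1.1
    leftsubnet=192.168.1.0/24
    right=0.0.0.0
    rightsubnet=192.168.1.0/24

# Subnet 2 to itself (covers hosts reaching the gateway's 192.168.2.1)
conn pass-lan2
    type=passthrough
    authby=never
    auto=route
    left=192.168.2.1
    leftsubnet=192.168.2.0/24
    right=0.0.0.0
    rightsubnet=192.168.2.0/24

# One conn for the pair of subnets; a passthrough conn installs policies
# for both directions, so one per pair is enough.
conn pass-lan1-lan2
    type=passthrough
    authby=never
    auto=route
    left=192.168.1.1
    leftsubnet=192.168.1.0/24
    right=0.0.0.0
    rightsubnet=192.168.2.0/24
```

After `ipsec auto --add` and `ipsec auto --route` for each conn, `ip xfrm policy` should list these selectors as policies without an IPsec template next to the tunnel's 0.0.0.0/0 policies; if a LAN host still cannot reach the gateway, check that the passthrough selectors are the ones being matched before the /0 tunnel policy.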