[Openswan Users] Migrating to Netkey

Paul Wouters paul at xelerance.com
Mon Feb 22 13:58:42 EST 2010


On Mon, 22 Feb 2010, Michael H. Warfield wrote:

>> I am migrating from KLIPS to Netkey (primarily to get IPv6 support).
>> I humbly request all Netkey users to share major problems (if any)
>> they have observed.
>
> I think the primary one I recall is if you have any 0.0.0.0/0 routes
> routing out through the tunnel with a subnet behind the gateway.  You'll
> find that the subnet can communicate with the outside world through the
> gateway but can not communicate with the gateway unless you add
> passthrough conns for your local subnets.  If you've got more than one
> local subnet, you need one for each subnet and one for each pair of
> subnets.  You will also need 2.6.23 or later.

There is also the issue of losing packets on on-demand tunnels, as NETKEY
does not do first+last packet caching while the connection is being set up.

I believe the on-demand tunnels with NETKEY are also having some issues
with netlink acquires at this point.

NETKEY and KLIPS also handle MTU issues differently, so some problems might
show up there.

Furthermore, you have less support for crypto acceleration (no full OCF).

Finally, you'll have to totally redo your firewalling because of the lack of
a virtual interface with NETKEY.

Oh and no SAref tracking support in the NETKEY kernel, making enterprise L2TP
deployments basically impossible.

Paul
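The passthrough-conn rule quoted above (one conn per local subnet to the gateway, plus one per pair of local subnets) is easy to get wrong by hand once there are several subnets; the following generator, an added example that is not code from the post or from the Openswan project, renders that set of ipsec.conf conn blocks and refuses overlapping subnets. The gateway address and subnets are constructed samples, and every option value except type=passthrough, auto=route and the subnet keys (in particular left=%defaultroute and right=0.0.0.0) is an assumption to be checked against your version's ipsec.conf(5).

```python
# Added example (not from the mailing-list post or the Openswan project):
# generate the passthrough conns a NETKEY 0.0.0.0/0 tunnel needs so that
# local subnets can still reach the gateway and each other without IPsec.
import ipaddress
from itertools import combinations

GATEWAY = "192.168.1.1"                                         # constructed sample
SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "10.9.0.0/16"]   # constructed sample LANs


def passthrough_conn(name, left_net, right_net, left="%defaultroute"):
    """Render one conn block; left/right values are illustrative assumptions."""
    lines = [
        f"conn {name}",
        "\ttype=passthrough",        # no IPsec processing for this selector pair
        "\tauthby=never",
        f"\tleft={left}",
        f"\tleftsubnet={left_net}",
        "\tright=0.0.0.0",           # assumption: placeholder peer for a no-IPsec policy
        f"\trightsubnet={right_net}",
        "\tauto=route",              # install the policy at startup, never negotiate
    ]
    return "\n".join(lines)


def passthrough_conns(gateway, subnets):
    """Return the conn blocks: n subnet<->gateway conns plus n*(n-1)/2 subnet pairs."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    gw = ipaddress.ip_network(f"{gateway}/32")
    conns = []
    for i, net in enumerate(nets):
        conns.append(passthrough_conn(f"pt-lan{i}-gw", net, gw))
    for (i, a), (j, b) in combinations(enumerate(nets), 2):
        if a.overlaps(b):
            # overlapping selectors would make policy lookups ambiguous
            raise ValueError(f"overlapping local subnets: {a} and {b}")
        conns.append(passthrough_conn(f"pt-lan{i}-lan{j}", a, b))
    return conns


def expected_count(n):
    """Number of conns the rule requires for n local subnets."""
    return n + n * (n - 1) // 2


if __name__ == "__main__":
    print("\n\n".join(passthrough_conns(GATEWAY, SUBNETS)))
```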

