[Openswan Users] Is OpenSwan 2.6.33 supporting kernel 2.4?

Paul Wouters paul at xelerance.com
Sun Feb 27 10:56:15 EST 2011

On Wed, 23 Feb 2011, Michael H. Warfield wrote:

> * I don't see where you really need the ipsecX interfaces.  IPsec is a

Clean simple and easy to understand firewall rules?

> * Aggressive mode?  You lost me on that one.  I'm confused about what
> you are talking about.  First off, aggressive mode has to do with the
> IKE key negotiations, not IPsec.


> * Initial packet buffering also has me confused but purely because I'm
> not familiar with what you are referring to.  Could you or someone
> elaborate on that?

If you have on-demand tunnels, then the first packet on netkey that
trigges the IKE is not cached and resent once the tunnel is estalbished.
(though I heard from erbert Xu that on 2.6.x kernels that might have been
fixed by now - I have not confirmed this)

> Trying to tcpdump or wireshark ipsec traffic is a bit ambiguous

It's terrible and useless with netkey :(
Same for debugging, if a packet goes missing, you have 0 debugging aids.
With klips you can turn on klipsdebug and see why a packet is being dropped.


More information about the Users mailing list