[Openswan Users] Is OpenSwan 2.6.33 supporting kernel 2.4?
Paul Wouters
paul at xelerance.com
Sun Feb 27 10:56:15 EST 2011
On Wed, 23 Feb 2011, Michael H. Warfield wrote:
> * I don't see where you really need the ipsecX interfaces. IPsec is a
Clean simple and easy to understand firewall rules?
> * Aggressive mode? You lost me on that one. I'm confused about what
> you are talking about. First off, aggressive mode has to do with the
> IKE key negotiations, not IPsec.
Correct.
> * Initial packet buffering also has me confused but purely because I'm
> not familiar with what you are referring to. Could you or someone
> elaborate on that?
If you have on-demand tunnels, then the first packet on netkey that
trigges the IKE is not cached and resent once the tunnel is estalbished.
(though I heard from erbert Xu that on 2.6.x kernels that might have been
fixed by now - I have not confirmed this)
> Trying to tcpdump or wireshark ipsec traffic is a bit ambiguous
It's terrible and useless with netkey :(
Same for debugging, if a packet goes missing, you have 0 debugging aids.
With klips you can turn on klipsdebug and see why a packet is being dropped.
Paul
More information about the Users
mailing list