[Openswan Users] Problem with not specifying protostack=netkey
neal.p.murphy at alum.wpi.edu
Thu Mar 24 17:59:11 EDT 2011
On Thursday 24 March 2011 17:30:37 Nick Howitt wrote:
> Why does it fail when not explicitly specifying netkey which it then
> falls back to using when it works if you explicitly set it to use netkey?
It may be related to how it determines whether to use KLIPS, MAST or NETKEY
when none are specified in ipsec.conf. I have *not* looked at the source code.
I *suspect* that the code does not use the 'detected state' consistently; it
appears to mix and match. A similar, yet different, effect is seen when NETKEY
is not available: it seems to find KLIPS, but then tries to use MAST. These
things can be buggerers to track down, but it feels ever so good when you do!
In essence, if 'protostack' is not specified in ipsec.conf, then the detected
capability should effectively do the same as specifying protostack. That was
the intent with the current code, but it doesn't seem to do it right.
More information about the Users