[Openswan Users] Problem with not specifying protostack=netkey

Neal Murphy neal.p.murphy at alum.wpi.edu
Thu Mar 24 17:59:11 EDT 2011

On Thursday 24 March 2011 17:30:37 Nick Howitt wrote:

> Why does it fail when not explicitly specifying netkey which it then
> falls back to using when it works if you explicitly set it to use netkey?

It may be related to how it determines whether to use KLIPS, MAST or NETKEY 
when none are specified in ipsec.conf. I have *not* looked at the source code. 
I *suspect* that the code does not use the 'detected state' consistently; it 
appears to mix and match. A similar, yet different, effect is seen when NETKEY 
is not available: it seems to find KLIPS, but then tries to use MAST. These 
things can be buggerers to track down, but it feels ever so good when you do!

In essence, if 'protostack' is not specified in ipsec.conf, then the detected 
capability should effectively do the same as specifying protostack. That was 
the intent with the current code, but it doesn't seem to do it right.

More information about the Users mailing list