
List:       openswan-users
Subject:    Re: [Openswan Users] openswan & kernel 2.6
From:       "Salvatore Basso" <sasab () pixteam ! com>
Date:       2004-06-30 9:12:33
Message-ID: 024601c45e82$6178c280$0f00000a () pix ! locale

Hi, and thanks for your exhaustive answer. I have tried to make ipsec/kernel 2.6
and klips for 2.6 cohabit, but I have had some problems, and I think that this means
upsetting the integration of ipsec in the 2.6 kernel; therefore I think that I will
use kernel 2.4/openswan, and where I am forced to, I will use kernel 2.6/ipsec-tool.
Thanks again for the very clear answer.

----------
        
        Salvatore.


----- Original Message ----- 
From: "Dominique Blas" <ml@blas.net>
To: <users@lists.openswan.org>
Sent: Wednesday, June 30, 2004 2:35 AM
Subject: Re: [Openswan Users] openswan & kernel 2.6


> On Monday 28 June 2004 13:28, Salvatore Basso wrote:
> > Hi, what advantages do I get from using openswan on kernel 2.6, given that I also
> > have to use nat-t? I ask this question because the 2.6 kernel already includes the
> > "klips" functionality, and with ipsec-tool I can replace "pluto". My question is
> > intentionally provocative because I would like to understand exactly which
> > platform is better to choose! Thanks for the support that you always give me.
> Hi Salvatore,
> 
> So do I: I said to myself a few months ago that, since the 2.6 kernel has its own
> 2.6 ipsec code, it would be simpler for me to maintain my VPN headers around the
> world while migrating to 2.6.
>
> Above all I had problems with freeswan 1.x: it was unable to accept PSK and X509
> clients simultaneously.
>
> And I began to migrate from super-FreeSWAN to native 2.6 IPSEC and racoon. OK, it
> used to work well till I encountered other problems. First, there is no dedicated
> interface. OK, no problem, it is the way native 2.6 ipsec works (routing decisions
> and IPSEC policy are decorrelated) and packets going through the tunnel can still
> be caught via iptables rules. That is not a real problem.
> 
> Second, and in a more perverted manner, I was unable to establish a correct routing
> in some conditions through the tunnels (see my mail from today). And that point was
> particularly difficult to accept.
>
> In fact, Herbert reminded me of the behaviour of native IPSEC under 2.6 and now
> everything works fine (I have to wait a few days to see if this new configuration
> is stable, however). Nevertheless I switched from racoon to openswan (2.1.3
> currently) for the reasons I explained in a previous mail.
>
> In conclusion, you can use openswan-2 with native IPSEC
> Advantages: you keep your 2.6 kernel as is and you only need to compile openswan
> programs; moreover you have the opportunity of IPSEC on IPv6 (don't know if someone
> tested it [with racoon or ikekmpd since openswan doesn't support it for now]) and a
> few more algorithms;
> Drawbacks: bear in mind that you are in 2.6 (ipsec policies are decorrelated from
> routing policies and you have no ipsec interface) and native IPSEC stack is not
> able to do anything and keeps a few bugs.
>
> or upcoming openswan-2 with KLIPS for 2.6
> Advantages: full behaviour of KLIPS (interface ipsec0, routing as before)
> Drawbacks: integration just beginning (since this we) so in early stage.
> 
> Hope I could help,
> 
> db
> > ----------
> > 
> > Salvatore.
> > ---
> > [This E-mail scanned for viruses by Declude Virus]
> > 
> > _______________________________________________
> > Users mailing list
> > Users@lists.openswan.org
> > http://lists.openswan.org/mailman/listinfo/users