[Swan] NetKey vs KLIPS

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Thu Sep 11 15:05:06 EEST 2014


On Thu, Sep 11, 2014 at 11:45:10AM +0100, Lawrence Manning wrote:
> Hi there List,
> 
> I’ve looked for this information, but I can’t find it.
> 
> In essence, what are the advantages to using NETKEY? Since the libreswan folks are committed to KLIPS, I’m assuming that KLIPS is considered superior. But why do others use NETKEY?
> 
> I’ve used *swan since the days where FreeSwan needed to be patched to support x509 certs, and after trying out NETKEY for a few weeks in a test setup I found the routing/firewall mechanism harder to work with than KLIPS’s explicit ipsecX interfaces. But beside this, they seemed functionally similar. How does interoperability fare under NETKEY? Are there any known regressions compared to KLIPS? E.g. L2TP on top of NETKEY/IPsec etc.
> 
> In essence, I’m wondering if KLIPS will continue to be maintained “forever” or is it less pain now to just make the switch?

We switched to netkey for our use some years ago when we found a
particular use case we couldn't get klips to handle (running the default
route through the ipsec tunnel).  Also the klips interfaces and keeping
them bound to other interfaces that could come and go (ppp interfaces
for example) was a pain to keep track of to know when ipsec had to be
restarted to keep things working.  The hard coded limit on the number
of interfaces that could be used to handle ipsec traffic at a time was
also an annoyance.  klips made firewalling a bit more obvious, but once
we looked at how to do firewalling for netkey it wasn't hard and there
was no obvious benefit to using klips for us.  If there are any benefits
to klips I don't know what they are.  Hopefully our developer friends
will fill us in on that.

-- 
Len Sorensen
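The firewalling difference both posts touch on, as an added example (not from either poster): with KLIPS the decrypted traffic shows up on ipsecX, so rules match the interface; with NETKEY it reappears on the physical interface, so the xt_policy match (-m policy) takes over the job. Subnets, eth0 and ipsec0 are assumed values; the script prints the iptables commands by default and only applies them when IPT=iptables is set.

```shell
#!/bin/sh
# Assumed layout: local subnet 10.1.0.0/24 behind this gateway, remote
# subnet 10.2.0.0/24 at the far end, tunnel carried over eth0 (KLIPS
# virtual interface ipsec0 bound to eth0). Dry run unless IPT=iptables.
IPT="${IPT:-echo iptables}"
LOCAL_NET="10.1.0.0/24"
REMOTE_NET="10.2.0.0/24"

# KLIPS: a packet arriving on ipsec0 has by construction come out of an
# SA, so the interface name is the proof that it was protected.
klips_rules() {
    $IPT -A FORWARD -i ipsec0 -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    $IPT -A FORWARD -o ipsec0 -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    # Remote subnet addresses arriving in the clear on eth0 are spoofed.
    $IPT -A FORWARD -i eth0 -s "$REMOTE_NET" -j DROP
}

# NETKEY: decrypted packets re-enter on eth0, indistinguishable from
# plaintext by interface. "--pol ipsec" is true only when the kernel SPD
# matched the packet to an IPsec SA, so it replaces the ipsec0 check.
netkey_rules() {
    $IPT -A FORWARD -i eth0 -m policy --dir in --pol ipsec --proto esp \
        -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    $IPT -A FORWARD -o eth0 -m policy --dir out --pol ipsec --proto esp \
        -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    # Same spoof check: remote subnet source with no IPsec policy at all.
    $IPT -A FORWARD -i eth0 -m policy --dir in --pol none \
        -s "$REMOTE_NET" -j DROP
    # The ESP and IKE traffic itself must still reach the gateway.
    $IPT -A INPUT -p esp -j ACCEPT
    $IPT -A INPUT -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -p udp --dport 4500 -j ACCEPT
}

# Number of rules a variant emits (handy when diffing the two dry runs).
rule_count() { "$1" | wc -l | tr -d ' '; }

klips_rules
netkey_rules
```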

