[Swan] NetKey vs KLIPS

Paul Wouters paul at nohats.ca
Thu Sep 11 17:57:07 EEST 2014


On Thu, 11 Sep 2014, Lawrence Manning wrote:

>> Also the klips interfaces and keeping
>> them bound to other interfaces that could come and go (ppp interfaces
>> for example) was a pain to keep track of to know when ipsec had to be
>> restarted to keep things working.
>
> Yes, this is rather a nasty limitation.

I think netkey has its own issues there. When your DHCP lease renews to
the same IP address as before, you lose your tunnel silently.

> I played with using some of the special netfilter matches for netkey, and I know it can be done… it’s just “weirder”. I believe, for instance, that under netkey libpcap will see both the cleartext and the ciphered packets….

There should really be a proper hook for tcpdump that would allow seeing
the complete packet flow, and one where you would only see either
encrypted or decrypted packets.

Paul
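The "you see both" behaviour mentioned above is what a defender has to cope with when reading a capture taken on a NetKey host: inbound traffic shows up once as ESP and again as the decrypted inner packet on the same interface, while outbound shows up only as ESP. The following is an added example, not code from the thread or from the *swan projects, that post-filters a tcpdump -n text capture into the separate "encrypted only" and "decrypted only" views Paul asks for, and reports ESP sequence-number gaps per SPI. The capture lines and the tunnel selector 10.1.0.0/24 <-> 10.2.0.0/24 are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output on the outer interface of a
# NetKey/XFRM gateway (198.51.100.20) talking to a peer (203.0.113.10).
# Inbound ESP is followed by its decrypted inner packet; outbound is ESP only.
# One outbound sequence number (2) is deliberately missing. Made up for this example.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc0ffee01,seq=0x1), length 132
12:00:01.000003 IP 10.1.0.5 > 10.2.0.7: ICMP echo request, id 1, seq 1, length 64
12:00:01.000010 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0xc0ffee02,seq=0x1), length 132
12:00:02.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc0ffee01,seq=0x2), length 132
12:00:02.000003 IP 10.1.0.5 > 10.2.0.7: ICMP echo request, id 1, seq 2, length 64
12:00:02.000010 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0xc0ffee02,seq=0x3), length 132
12:00:03.000000 IP 198.51.100.20.123 > 198.51.100.1.123: NTPv4, length 48
"""

# IPv4 summary line: timestamp, src[.port] > dst[.port]: protocol details
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$"
)
ESP_RE = re.compile(r"^ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),\s*seq=(?P<seq>0x[0-9a-fA-F]+)\)")


def parse_capture(text):
    """Turn tcpdump text lines into records tagged 'esp' or 'clear'."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore non-IPv4 or continuation lines
        rec = {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
               "kind": "clear", "info": m["rest"]}
        esp = ESP_RE.match(m["rest"])
        if esp:
            rec["kind"] = "esp"
            rec["spi"] = esp["spi"].lower()
            rec["seq"] = int(esp["seq"], 16)
        records.append(rec)
    return records


def split_views(records, tunnel_selectors):
    """Separate ESP packets, decrypted inner packets (matching a tunnel's
    traffic selectors in either direction) and traffic that was never protected."""
    nets = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in tunnel_selectors]
    views = {"encrypted": [], "decrypted": [], "unprotected": []}
    for rec in records:
        if rec["kind"] == "esp":
            views["encrypted"].append(rec)
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        inner = any((src in a and dst in b) or (src in b and dst in a) for a, b in nets)
        views["decrypted" if inner else "unprotected"].append(rec)
    return views


def esp_seq_gaps(records):
    """Per SPI, list ESP sequence numbers missing between the lowest and highest seen.
    Gaps point at packet loss or a capture that missed part of the flow."""
    seen = defaultdict(set)
    for rec in records:
        if rec["kind"] == "esp":
            seen[rec["spi"]].add(rec["seq"])
    gaps = {}
    for spi, seqs in seen.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)
        if missing:
            gaps[spi] = missing
    return gaps


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    views = split_views(recs, [("10.1.0.0/24", "10.2.0.0/24")])  # hypothetical selectors
    for name, items in views.items():
        print(f"{name}: {len(items)} packets")
        for r in items:
            print(f"  {r['ts']} {r['src']} > {r['dst']}: {r['info']}")
    print("ESP sequence gaps:", esp_seq_gaps(recs))
```

Feeding it a real capture is `tcpdump -n -i eth0 | python3 this_script.py` with SAMPLE_CAPTURE replaced by stdin; the point is that the cleartext/ciphertext distinction must be reconstructed after the fact from the SPD's traffic selectors, because the interface itself gives no hint which copy of a packet you are looking at.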

