[Swan] NetKey vs KLIPS

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Thu Sep 11 18:04:28 EEST 2014


On Thu, Sep 11, 2014 at 01:37:42PM +0100, Lawrence Manning wrote:
> If I understand correctly, this can be done by having a 0.0.0.0/0 remote subnet. Do you mean something else?

It was years ago, so I don't remember exactly why it didn't work with
klips.

> Yes, this is rather a nasty limitation. I *think* (might be wrong) that this is more an integration problem between the startup glue scripts and pluto/klips vs a real klips problem. I.e. you could probably work around this by making your own action mechanism that adds/removes the ipsec interfaces without doing a full restart. But great if netkey makes this a non-problem.

Certainly simple with netkey.  Also netkey can use the kernel crypto
drivers for hardware crypto which I don't think klips can.

> Yeah, we crank up the limit but it is still hardcoded and not changeable at even module load time AFAIK.
> 
> I played with using some of the special netfilter matches for netkey, and I know it can be done... it's just "weirder". I believe, for instance, that under netkey libpcap will see both the cleartext and the ciphered packets...

Using shorewall as a wrapper it was as simple as defining an ipv4 zone and
an ipsec zone for a given interface and then it just works.  Traffic that
came through netkey is tagged as ipsec traffic.

-- 
Len Sorensen