[Swan] NetKey vs KLIPS
Lennart Sorensen
lsorense at csclub.uwaterloo.ca
Thu Sep 11 18:04:28 EEST 2014
On Thu, Sep 11, 2014 at 01:37:42PM +0100, Lawrence Manning wrote:
> If I understand correctly, this can be done by having a 0.0.0.0/0 remote subnet. Do you mean something else?
It was years ago, so I don't remember exactly why it didn't work with
klips.
> Yes, this is a rather nasty limitation. I *think* (might be wrong) that this is more an integration problem between the startup glue scripts and pluto/klips than a real klips problem. I.e. you could probably work around this by making your own action mechanism that adds/removes the ipsec interfaces without doing a full restart. But great if netkey makes this a non-problem.
Certainly simple with netkey. Also netkey can use the kernel crypto
drivers for hardware crypto which I don't think klips can.
> Yeah, we crank up the limit but it is still hardcoded and not changeable at even module load time AFAIK.
>
> I played with using some of the special netfilter matches for netkey, and I know it can be done… it’s just “weirder”. I believe, for instance, that under netkey libpcap will see both the cleartext and the cyphered packets….
Using shorewall as a wrapper it was as simple as defining an ipv4 zone and
an ipsec zone for a given interface and then it just works. Traffic that
came through netkey is tagged as ipsec traffic.
--
Len Sorensen
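For readers who have not seen it, the Shorewall configuration Len describes looks roughly like the fragment below. This is an added illustration, not configuration from the mailing-list poster or from the Libreswan project; the interface name eth0, the zone names net/vpn and the 10.0.0.0/8 remote subnet are assumptions chosen for the example. The key point is that a zone of TYPE ipsec is matched by Shorewall using the kernel's xfrm policy match (iptables -m policy --dir in --pol ipsec), which is what lets netkey traffic be classified without a separate ipsecN interface.

```text
# /etc/shorewall/zones
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4              # cleartext traffic arriving on eth0
vpn     ipsec             # traffic that was decrypted by netkey on eth0

# /etc/shorewall/interfaces
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     routefilter

# /etc/shorewall/hosts
# The vpn zone is "everything that came through an IPsec SA on eth0".
# 0.0.0.0/0 works for road warriors; a narrower subnet (assumed here:
# 10.0.0.0/8) matches only tunnels whose remote side lies in that range.
#ZONE   HOST(S)              OPTIONS
vpn     eth0:10.0.0.0/8

# /etc/shorewall/policy
#SOURCE  DEST  POLICY  LOG LEVEL
fw       all   ACCEPT
vpn      fw    ACCEPT
vpn      net   REJECT  info
net      vpn   REJECT  info
net      all   DROP    info
all      all   REJECT  info

# /etc/shorewall/rules
# IKE and ESP must be allowed on the cleartext side for the tunnel to come up at all.
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     fw    udp    500,4500
ACCEPT   net     fw    50
ACCEPT   fw      net   udp    500,4500
ACCEPT   fw      net   50
```

Because the vpn zone is evaluated before the net zone for the same interface, a packet that was decapsulated by netkey is seen as vpn traffic and a packet that simply arrived in the clear on eth0 is seen as net traffic, which is the behaviour Len refers to as "tagged as ipsec traffic". As a check after `shorewall restart`, `iptables -S | grep policy` should show rules carrying `-m policy --dir in --pol ipsec`; if none appear, the zone was not declared with TYPE ipsec.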