[Swan] NetKey vs KLIPS
David McCullough
ucdevel at gmail.com
Fri Sep 12 02:17:57 EEST 2014
Lennart Sorensen wrote the following:
> On Thu, Sep 11, 2014 at 01:37:42PM +0100, Lawrence Manning wrote:
> > If I understand correctly, this can be done by having a 0.0.0/0 remote subnet. Do you mean something else?
>
> It was years ago, so I don't remember exactly why it didn't work with
> klips.
My company and I have been doing default route klips tunnels for 10 years,
it's always worked AFAIK.
Cheers,
Davidm
> > Yes, this is rather a nasty limitation. I *think* (might be wrong) that this is more an integration problem between the startup glue scripts and pluto/klips vs a real klips problem. I.e. you could probably work around this by making your own action mechanism that added/removed the ipsec interfaces without doing a full restart. But great if netkey makes this a non problem.
>
> Certainly simple with netkey. Also netkey can use the kernel crypto
> drivers for hardware crypto which I don't think klips can.
>
> > Yeah, we crank up the limit but it is still hardcoded and not changeable at even module load time AFAIK.
> >
> > I played with using some of the special netfilter matches for netkey, and I know it can be done… it’s just “weirder”. I believe, for instance, that under netkey libpcap will see both the cleartext and the cyphered packets….
>
> Using shorewall as a wrapper it was as simple as defining an ipv4 zone and
> an ipsec zone for a given interface and then it just works. Traffic that
> came through netkey is tagged as ipsec traffic.
--
David McCullough, ucdevel at gmail.com, Ph: 0410 560 763
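The netfilter matches mentioned in the thread, as an added example that is not code from the thread or from the Swan project: a POSIX shell script that emits iptables rules using the xt_policy match, which is what a shorewall ipsec zone generates underneath so that cleartext packets claiming the remote subnet are not treated as tunnel traffic. The interface and subnets are assumed values, and the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the Swan thread. With NETKEY there is no ipsecN
# interface, so rules must check the packet's xfrm policy state instead of
# matching on an interface. Rules are emitted as text; APPLY=1 also runs
# them (needs root). IFACE, REMOTE_NET and LOCAL_NET are assumed values.

IPT="${IPT:-iptables}"

# Emit one rule as text and, if APPLY=1, execute it.
rule() {
    printf '%s %s\n' "$IPT" "$*"
    [ "${APPLY:-0}" = "1" ] && $IPT "$@"
    return 0
}

# Rules for an "ipsec zone": REMOTE_NET reachable through a NETKEY tunnel
# on IFACE, LOCAL_NET the subnet behind this gateway.
ipsec_zone_rules() {
    IFACE="$1"; REMOTE_NET="$2"; LOCAL_NET="$3"
    # Decrypted packets: accept only if the kernel matched an inbound IPsec
    # policy for them (ESP already verified by the xfrm layer).
    rule -A FORWARD -i "$IFACE" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Same source range arriving with no policy matched is cleartext, i.e.
    # spoofed or misrouted, and must not be treated as the ipsec zone.
    rule -A FORWARD -i "$IFACE" -s "$REMOTE_NET" \
        -m policy --dir in --pol none -j DROP
    # Outbound: let LOCAL_NET reach REMOTE_NET only when an outbound policy
    # will encrypt the packet; otherwise it would leave the box in clear.
    rule -A FORWARD -o "$IFACE" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    rule -A FORWARD -o "$IFACE" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol none -j DROP
}

# Sanity check helper: how many emitted rules carry the policy match.
count_policy_rules() {
    ipsec_zone_rules "$@" | grep -c -- '-m policy'
}

ipsec_zone_rules eth0 10.0.0.0/8 192.168.1.0/24
```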