[strongSwan] StrongSwan versions

Martin Willi martin at strongswan.org
Thu May 27 12:03:31 CEST 2010


Hi Erich,

> Does it support both ikev1 and ikev2 on both 2.4 and 2.6 kernel versions?

The 2.8 branch is basically IKEv1 only, where 4.x supports IKEv2, too.

The IKEv1 daemon pluto has kernel interfaces to both KLIPS and Netkey
(via XFRM), but I'm not sure if pluto in 4.x still works properly on
KLIPS. Our IKEv2 daemon charon was initially developed for the Netkey
stack via XFRM, but it gained experimental (and not fully complete)
support for KLIPS and a more generic PF_KEY interface, usable on Linux
and on BSD.

The 2.6 kernel has built-in IPsec functionality, the Netkey stack. There
are patches for KLIPS on 2.6.
The vanilla 2.4 kernel does not have any IPsec functionality. There are
patches for the KLIPS stack; openswan has its focus on KLIPS. But there
is also a backport of the Netkey stack to the 2.4 kernel; Debian used
this patchset in its 2.4 kernel series.

If you are running IKEv2 tunnels, I'd recommend a Netkey IPsec stack. We
test on 2.6 kernels only, but a Netkey-patched 2.4 kernel should work,
too.

> Does StrongSwan suffer from the same problems as OpenSwan in the 2.6
> branch? I am specifically interested in some compression issues

We fixed an IPComp bug for IKEv2 in 4.3.6, but it should work fine now.
We successfully tested it with other (commercial) vendors. As the
daemons configure IPComp the same way, I think there is no difference in
IPComp between IKEv1/IKEv2. I don't know if the compression is
compatible with the KLIPS stack, though.

Regards
Martin




