[strongSwan] StrongSwan versions

Erich Titl erich.titl at think.ch
Thu May 27 14:05:39 CEST 2010


Hi Martin

Thanks for the quick reply.

at 27.05.2010 12:03, Martin Willi wrote:
> Hi Erich,
> 
>> Does it support both ikev1 and ikev2 on both 2.4 and 2.6 kernel versions?
> 
> The 2.8 branch is basically IKEv1 only, where 4.x supports IKEv2, too.

OK, so if one wants to be able to speak IKEv2, 4.x is a must. Is a mixed
environment feasible?

> 
> The IKEv1 daemon pluto has kernel interfaces to both, KLIPS and Netkey
> (via XFRM), but I'm not sure if pluto in 4.x still works properly on
> KLIPS. Our IKEv2 daemon charon was initially developed for the Netkey
> stack via XFRM, but it gained experimental (and not fully complete)
> support for KLIPS and a more generic PF_KEY interface, usable on Linux
> and on BSD.
> 
> The 2.6 kernel has built-in IPsec functionality, the Netkey stack. There
> are patches for KLIPS on 2.6.
> The vanilla 2.4 kernel does not have any IPsec functionality. There are
> patches for the KLIPS stack, openswan has its focus on KLIPS. But there
> is also a backport of the Netkey stack to the 2.4 kernel, Debian used
> this patchset in its 2.4 kernel series.

Basically, from a user's viewpoint, the most visible interface is the
configuration and the monitoring interface. I reckon the interface to
pluto is its configuration files, which would then be portable, but
some of the quite handy ipsec subcommands might not work anymore, e.g.
ipsec eroute.

For charon, not having played with it yet, I have no clue.

> 
> If you are running IKEv2 tunnels, I'd recommend a Netkey IPsec stack. We
> test on 2.6 kernels only, but a Netkey patched 2.4 kernel should work,
> too.
> 
>> Does StrongSwan suffer from the same problems as OpenSwan in the 2.6
>> branch? I am specifically interested in some compression issues
> 
> We fixed an IPComp bug for IKEv2 in 4.3.6, but it should work fine now.
> We successfully tested it with other (commercial) vendors. As the
> daemons configure IPComp the same way, I think there is no difference in
> IPComp between IKEv1/IKEv2. I don't know if the compression is
> compatible to the KLIPS stack, though.

Ouch....

I am considering using strongswan instead of openswan for an embedded
project I have been involved in for a number of years (leaf.sourceforge.net). I
want to avoid the gotchas and provide as much portability and
interoperability as possible. I am running roughly 100 tunnels on a
legacy system which I would like to update to a recent software level,
but this requires a high level of interoperability.

Erich
