[strongSwan] A question about KLIPS in strongSwan

Martin Willi martin at strongswan.org
Fri Nov 26 16:05:08 CET 2010


> As far as I understand , with strongSwan, with 2.4 kernel we work with
> KLIPS whereas with Linux 2.6 kernel we work with native IPsec.

There are two widely used IPsec stacks for Linux, the native Netkey
stack introduced with 2.6, and the KLIPS stack originally written for
2.4. KLIPS has been ported to 2.6 by the Openswan project, and even the
Netkey stack has been back-ported to 2.4.

The focus of strongSwan is on the native Netkey stack shipped with 2.6,
but we also have a more or less complete interface to KLIPS for 2.4

> I saw that in OpenSwan you can work with KLIPS also with 2.6 kernel. In
> case you want to have NAT traversal support with KLIPS in openswan
> with 2.6 kernel, you should patch the kernel.

It might even work with strongSwan, but I've never tried it. We highly
recommend Netkey for use with strongSwan, that is what we mainly develop
and test for. And there is no need to patch your kernel.

> Are the lookups perform quicker when working with KLIPS on a
> high loaded server?

I don't think so, Netkey scales just fine. KLIPS might support more
crypto hardware through OCF. Netkey uses the Linux Crypto API. It is
mainline and gets support for more and more hardware, too.


More information about the Users mailing list