[strongSwan] A question about KLIPS in strongSwan

Mark Ryden markryde at gmail.com
Fri Nov 26 19:37:18 CET 2010


Martin,
Thanks a lot for your quick and full answer!

>KLIPS might support more
>crypto hardware through OCF. Netkey uses the Linux Crypto API.

I want to verify what I deduce from these sentences (even though it
is not said explicitly):

Will it be correct to say that you **cannot** use OCF
when working with NETKEY?

Thanks again!

Regards,
Mark


On Fri, Nov 26, 2010 at 5:05 PM, Martin Willi <martin at strongswan.org> wrote:
> Hi,
>
>> As far as I understand, with strongSwan, with 2.4 kernel we work with
>> KLIPS whereas with Linux 2.6 kernel we work with native IPsec.
>
> There are two widely used IPsec stacks for Linux, the native Netkey
> stack introduced with 2.6, and the KLIPS stack originally written for
> 2.4. KLIPS has been ported to 2.6 by the Openswan project, and even the
> Netkey stack has been back-ported to 2.4.
>
> The focus of strongSwan is on the native Netkey stack shipped with 2.6,
> but we also have a more or less complete interface to KLIPS for 2.4
> (--enable-kernel-klips).
>
>> I saw that in OpenSwan you can work with KLIPS also with 2.6 kernel. In
>> case you want to have NAT traversal support with KLIPS in openswan
>> with 2.6 kernel, you should patch the kernel.
>
> It might even work with strongSwan, but I've never tried it. We highly
> recommend Netkey for use with strongSwan, that is what we mainly develop
> and test for. And there is no need to patch your kernel.
>
>> Are the lookups performed quicker when working with KLIPS on a
>> highly loaded server?
>
> I don't think so, Netkey scales just fine. KLIPS might support more
> crypto hardware through OCF. Netkey uses the Linux Crypto API. It is
> mainline and gets support for more and more hardware, too.
>
> Regards
> Martin
>
>



