[strongSwan] A question about KLIPS in strongSwan

David McCullough david_mccullough at mcafee.com
Sat Nov 27 05:17:03 CET 2010


Jivin Mark Ryden lays it down ...
> Martin,
> Thanks a lot for your quick and full answer!
> 
> >KLIPS might support more
> >crypto hardware through OCF. Netkey uses the Linux Crypto API.
> 
> I want to verify what I deduce from these sentences (even though it
> is not said explicitly):
> 
> Will it be correct to say that you **cannot** use OCF
> when working with NETKEY?

That is currently true.  Only KLIPS currently has support for OCF.

The only thing that could change this would be for someone to write a driver
that plugs OCF into the kernel's crypto API.  The reverse is possible using
the OCF cryptosoft driver (i.e., OCF can use all cryptoapi drivers).

Cheers,
Davidm

> On Fri, Nov 26, 2010 at 5:05 PM, Martin Willi <martin at strongswan.org> wrote:
> > Hi,
> >
> >> As far as I understand, with strongSwan, with 2.4 kernel we work with
> >> KLIPS whereas with Linux 2.6 kernel we work with native IPsec.
> >
> > There are two widely used IPsec stacks for Linux, the native Netkey
> > stack introduced with 2.6, and the KLIPS stack originally written for
> > 2.4. KLIPS has been ported to 2.6 by the Openswan project, and even the
> > Netkey stack has been back-ported to 2.4.
> >
> > The focus of strongSwan is on the native Netkey stack shipped with 2.6,
> > but we also have a more or less complete interface to KLIPS for 2.4
> > (--enable-kernel-klips).
> >
> >> I saw that in OpenSwan you can work with KLIPS also with 2.6 kernel. In
> >> case you want to have NAT traversal support with KLIPS in openswan
> >> with 2.6 kernel, you should patch the kernel.
> >
> > It might even work with strongSwan, but I've never tried it. We highly
> > recommend Netkey for use with strongSwan, that is what we mainly develop
> > and test for. And there is no need to patch your kernel.
> >
> >> Are the lookups performed quicker when working with KLIPS on a
> >> highly loaded server?
> >
> > I don't think so, Netkey scales just fine. KLIPS might support more
> > crypto hardware through OCF. Netkey uses the Linux Crypto API. It is
> > mainline and gets support for more and more hardware, too.
> >
> > Regards
> > Martin
> >
> >
> 

-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org



