[strongSwan] KLIPS and iptables policy match

Andreas Steffen andreas.steffen at strongswan.org
Thu Mar 31 08:11:33 CEST 2011

Hello John,

we use the IPsec policy netfilter rules with the native Linux netkey
IPsec stack only. With KLIPS the ipsecN interfaces would be available
for filtering plaintext traffic but actually strongSwan 4.x does not
really support KLIPS any more.
On 03/30/2011 11:52 PM, John A. Sullivan III wrote:
> Hello, all.  Does the iptables policy match, e.g., "-m policy --strict
> --dir in --pol ipsec --proto esp --mode tunnel," match esp packets using
> KLIPS or just netkey?
> We continue to plug away at the ISCS project for managing large, complex
> security environments as a whole entity rather than individual
> firewall/gateway management (http://iscs.sourceforge.net).  Thus, it is
> helpful for us to be able to write rules which work on multiple
> platforms, e.g., netkey and KLIPS.  Thanks - John

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
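
The distinction drawn in the reply above, as an added example that is not part of the original thread: a small rule generator that selects plaintext tunnel traffic with the policy match on netkey and with the ipsecN interface on KLIPS. The function name, the FORWARD chain, the single KLIPS interface `ipsec0` and the sample subnet are assumptions made for illustration; the generated commands are only printed, not executed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# tunnel_rules STACK REMOTE_NET [KLIPS_IF]
#   Prints two iptables commands for traffic sourced from REMOTE_NET:
#   1. accept it when it arrived through the IPsec tunnel
#   2. drop it when it arrived unprotected
# STACK is "netkey" or "klips"; KLIPS_IF defaults to ipsec0 (assumption:
# one KLIPS virtual interface carries the tunnel).
tunnel_rules() {
    stack="$1"
    remote="$2"
    klips_if="${3:-ipsec0}"

    case "$stack" in
        netkey)
            # netkey: decrypted packets show up on the physical interface,
            # so the xfrm policy match is what tells them apart.
            protected="-m policy --strict --dir in --pol ipsec --proto esp --mode tunnel"
            unprotected="-m policy --dir in --pol none"
            ;;
        klips)
            # KLIPS: decrypted packets show up on the ipsecN interface,
            # so an ordinary interface match is used.
            protected="-i $klips_if"
            unprotected="! -i $klips_if"
            ;;
        *)
            echo "unknown IPsec stack: $stack" >&2
            return 1
            ;;
    esac

    echo "iptables -A FORWARD -s $remote $protected -j ACCEPT"
    echo "iptables -A FORWARD -s $remote $unprotected -j DROP"
}

# Constructed sample: 192.0.2.0/24 stands in for the remote tunnel subnet.
for s in netkey klips; do
    echo "# $s"
    tunnel_rules "$s" 192.0.2.0/24
done
```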
