Pantek Library

[Users] Using native pluto with native Linux ipsec...

From: Giacomo Mulas <gmulas(at)ca.astro.it>
Date: Fri Oct 10 2003 - 08:01:47 EDT

        First and foremost: thanks to Herbert Xu for making pluto work "out of the box" with native Linux IPSec. I just tried 2.03 freeswan with a debian 2.4.22 kernel, which includes the 2.4.x backport of native Linux IPSec, and it just worked with my existing ipsec.conf. Simply impressive indeed! Now I would like to ask a few perhaps stupid questions about differences and similarities between KLIPS and the native Linux implementation (feel free to just tell me to RTFM, as long as you tell me which FM to read and where I can find it...):

  1. I had freeswan configured to use aes for encryption (via algo patches), can I have the native linux implementation use AES as well, and if yes how?
  2. I had configured some iptables firewalling rules on the basis of how klips worked: incoming encrypted packets show up first on the physical, say eth0, interface in ESP protocol, then unencrypted on the ipsecX interface, and both times they go through my iptables rules, the same in reverse order for outgoing traffic. How does this work with the native IPSec implementation? Do packets only go through netfilter once, when they come in on the physical interface? Can I use firewalling to restrict the kind of traffic to let through an IPSec tunnel? Say e.g. that even after establishing an IPSec connection to a machine I just want to let it access the www port through the tunnel, with klips I can accomplish this with iptables rules on the ipsec0 interface, how can I do the same with the native linux implementation?
  3. well, this is more like a comment: I had compiled ah_key as a module, hence /proc/net/pfkey is not present until I load it, but _startklips gives up if it does not find it. Since it attempts to load the esp4, ah4 etc. modules, if available, perhaps it might do the same for ah_key? This was the only real stumbling block in my otherwise seamless switch to native linux kernel IPSec, but it did take some time to figure out.

Thanks a lot, bye
Giacomo

-- 

_________________________________________________________________
Giacomo Mulas
_________________________________________________________________
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel. (OAC): +39 070 71180 248   Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_________________________________________________________________
"When the storms are raging around you, stay right where you are" (Freddy Mercury)
_________________________________________________________________
_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
Received on Fri Oct 10 08:21:30 2003
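The following is an added example, not part of Giacomo's post and not FreeS/WAN code, illustrating the difference behind question 2. With KLIPS the decrypted packet appears a second time on ipsec0, so an interface match is enough. With the native stack the decrypted packet is re-injected and traverses INPUT again on the same physical interface (eth0), so a plain address/port rule cannot tell tunnelled traffic from cleartext; the iptables "policy" match (--dir in --pol ipsec) is the usual way to express "only if this arrived through an IPsec SA". That match is an assumption here: it belongs to later 2.6 kernels and was not part of the 2.4 backport discussed in the post. The peer and local addresses are constructed, and DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeS/WAN): allow only
# TCP/80 from a peer through an IPsec tunnel, first KLIPS-style, then with
# the native Linux IPsec stack.  Assumptions: eth0 is the physical
# interface, PEER is a constructed example address, and the iptables policy
# match (xt_policy, later 2.6 kernels) is available on the native side.
PEER=${PEER:-203.0.113.10}        # constructed example peer address
IPT=${IPT:-iptables}

# Apply a rule, or just print it when DRY_RUN=1 (used for review/testing).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Common to both stacks: IKE (UDP/500) and ESP must reach the host on eth0.
ike_esp_rules() {
    run -A INPUT -i eth0 -p udp -s "$PEER" --dport 500 -j ACCEPT
    run -A INPUT -i eth0 -p esp -s "$PEER" -j ACCEPT
}

# KLIPS: the decrypted packet shows up a second time on ipsec0, so the
# plaintext policy is simply an interface match on ipsec0.
klips_rules() {
    ike_esp_rules
    run -A INPUT -i ipsec0 -s "$PEER" -p tcp --dport 80 -j ACCEPT
    run -A INPUT -i ipsec0 -j DROP
}

# Native IPsec: the decrypted packet is re-injected on eth0 and traverses
# INPUT again.  "-m policy --dir in --pol ipsec" matches only packets that
# arrived protected by an IPsec SA, so a cleartext packet with a spoofed
# source of PEER cannot satisfy the port-80 rule.
native_rules() {
    ike_esp_rules
    run -A INPUT -i eth0 -s "$PEER" -m policy --dir in --pol ipsec \
        -p tcp --dport 80 -j ACCEPT
    run -A INPUT -i eth0 -s "$PEER" -m policy --dir in --pol ipsec -j DROP
    # Anything from PEER that did NOT come through the tunnel is dropped too.
    run -A INPUT -i eth0 -s "$PEER" -m policy --dir in --pol none -j DROP
}

case "${1:-}" in
    klips)  klips_rules ;;
    native) native_rules ;;
    *)      echo "usage: $0 klips|native  (set DRY_RUN=1 to print rules)" >&2 ;;
esac
```

Run as `DRY_RUN=1 sh ipsec-fw.sh native` to review the generated rules before applying them; the `--pol none` rule is the part KLIPS users tend to forget when moving to the native stack, because on KLIPS the ipsec0 interface made the separation implicit.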

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:04 EDT

