
Re: [Users] Using native pluto with native Linux ipsec...

From: Sam Sgro <sam(at)freeswan.org>
Date: Fri Oct 10 2003 - 15:47:52 EDT

-----BEGIN PGP SIGNED MESSAGE-----

On Friday 10 October 2003 08:01, Giacomo Mulas wrote:
> 1) I had freeswan configured to use aes for encryption (via algo patches),

The algo patches have not been updated for 2.03. However, I know that Herbert did make available some patches for the SuperFreeS/WAN source; these should allow you to use AES with the native kernel code:

http://gondor.apana.org.au/~herbert/freeswan/sfs/2.00rc8/

I'm certain that SFS will have a 2.03-based release soon enough.

> 2) I had configured some iptables firewalling rules on the basis of how

They'll go through your iptables rules twice incoming. However, you won't be able to rely on the virtual IF to find ipsec sourced/destination traffic.

> Say e.g. that even after


Best method: use the default _updown script to insert rules based on IP address, and only allow that traffic through the tunnel. Read /usr/local/lib/ipsec/_updown for tips. You can either modify that script, or reference your own, custom _updown.

> 3) well, this is more like a comment: I had compiled ah_key as a module,

You mean af_key, right? _startklips should be doing the right thing:

    if test ! -f $ipsecversion && test ! -f $kamepfkey
    then
        # statically compiled KLIPS not found; try to load the module
        insmod ipsec
    fi

    if test ! -f $ipsecversion && test ! -f $kamepfkey
    then
        modprobe -v af_key
    fi

--
Sam Sgro
sam@freeswan.org

-----BEGIN PGP SIGNATURE-----

Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.

iQCVAwUBP4cM8EOSC4btEQUtAQEE9QP+KrRexzHyV7cZkPzwZI7HvFQBuItNYBv6 QKdCp3ETczZWsSBsBO2ZVahbmJASsOG6+7mxyU64/kTc1l2Yfw1fqVYw/LjWL45U lfE2oBHkEAnvkJBD9D4vRwx3lP3J9IeJlwtkXLMF3gtUz8f2dvKIQgYSHgSkvv0d o/sD+/iXjWg=
=U+gX
-----END PGP SIGNATURE-----



FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Received on Fri Oct 10 15:58:37 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:05 EDT
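
The address-based approach recommended in the message above, as an added example (not part of the original post and not FreeS/WAN's own _updown): a custom updown helper that inserts FORWARD rules for the tunnel's subnets when the connection comes up and deletes them when it goes down. It assumes pluto's PLUTO_VERB, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT environment variables; the IPTABLES override and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: custom updown helper for address-based tunnel rules.
# Pluto exports PLUTO_VERB, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT to the script.
# IPTABLES is an assumed override: IPTABLES="echo iptables" previews the rules.
IPTABLES="${IPTABLES:-iptables}"

# Accept only a single well-formed IPv4 CIDR value before it reaches a command.
valid_cidr() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;   # rejects spaces, newlines, shell metacharacters
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Insert (-I) or delete (-D) the pair of FORWARD rules for one tunnel.
tunnel_rules() {
    action="$1"
    valid_cidr "$PLUTO_MY_CLIENT" || return 2
    valid_cidr "$PLUTO_PEER_CLIENT" || return 2
    $IPTABLES "$action" FORWARD -s "$PLUTO_PEER_CLIENT" -d "$PLUTO_MY_CLIENT" -j ACCEPT &&
    $IPTABLES "$action" FORWARD -s "$PLUTO_MY_CLIENT" -d "$PLUTO_PEER_CLIENT" -j ACCEPT
}

# Dispatch on the event pluto reports; other verbs are left untouched here.
updown_dispatch() {
    case "$PLUTO_VERB" in
        up-client)   tunnel_rules -I ;;
        down-client) tunnel_rules -D ;;
        *)           return 0 ;;
    esac
}

# Act only when invoked by pluto (PLUTO_VERB set), not when sourced for a dry run.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_dispatch
fi
```

Sourcing the file with IPTABLES="echo iptables" and the three PLUTO_* variables set by hand prints the rules without touching the firewall.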

