On Tuesday 02 March 2004 02:31 am, Erich Titl wrote:
> >
> >The 2.6 kernel implementation of IPSEC threw out the baby with the
> >bath water.
>
> Are you referring to the native 2.6 IPSEC implementation?

Yes.

> >- Netfilter is totally broken with respect to IPSEC.
> >- While it makes OE work reasonably, it makes IPSEC tunneling totally
> >different from any other Linux-based tunnel.
>
> Even when OE is disabled? I never considered it to be _that_ important.
> Possibly because it is difficult to get a FQDN in Europe nowadays.

The 2.6 native implementation does away with the 'ipsecN' devices. So all VPN/tunnel types *except* IPSEC use a separate device for tunneling; once the changes to netfilter to *really* support this implementation are in place, IPSEC will pass each tunneled packet through the tables twice -- once for the unencrypted copy of the packet and once for the encrypted packet.

> >While there is work going on in the Netfilter project to correct the first
> >problem, the second seems to be here to stay.
> >
> >As things currently stand, Shorewall will have minimal support for IPSEC
> >tunnels under the 2.6 kernels.
>
> Considering the current 2.4 LEAF distribution (which I doubt will move to
> 2.6 in a short timeframe) would it be most reasonable to go with openswan
> 1.0?
>

I've not personally tried it, Erich -- there was one user on one of the lists who was seeing traffic in one direction (inbound IIRC) bypassing the ipsec0 device but I never heard if that was a problem with his tunnel setup or a feature of openswan...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]

_______________________________________________
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
