On Thu, Sep 11, 2014 at 11:45:10AM +0100, Lawrence Manning wrote: > Hi there List, > > I’ve looked for this information, but I can’t find it. > > In essence, what are the advantages to using NETKEY? Since the libreswan > folks are committed to KLIPS, I’m assuming that KLIPS is considered superior. > But why do others use NETKEY? > > I’ve used *swan since the days where FreeSwan needed to be patched to support > x509 certs, and after trying out NEKEY for a few weeks in a test setup I > found the routing/firewall mechanism harder to work with then KLIPS’s > explicit ipsecX interfaces. But beside this, they seemed functionally > similar. How does interoperability faire under NETKEY? Are there any known > regressions compared to KLIPS? Eg. L2TP ontop of NETKEY/IPSec etc. > > In essence, I’m wondering if KLIPS will continue to be maintained “forever” > or is it less pain now to just make the switch?
We switched to netkey for our use some years ago when we found a particular use case we couldn't get klips to handle (running the default route through the ipsec tunnel). Also the klips interfaces and keeping them bound to other interfaces that could come and go (ppp interfaces for example) was a pain to keep track of to know when ipsec had to be restarted to keep things working. The hard coded limit on the number of interfaces that could be used to handle ipsec traffic at a time was also an annoyance. klips made firewalling a bit more obvious, but once we looked at how to do firewalling for netkey it wasn't hard and there was no obvious benefit to using klips for us. If there are any benefits to klips I don't know what they are. Hopefully our developer friends will fill us in on that. -- Len Sorensen _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
