On Thu, 11 Sep 2014, Lawrence Manning wrote:

In essence, what are the advantages to using NETKEY? Since the libreswan folks 
are committed to KLIPS, I’m assuming that KLIPS is considered superior. But why 
do others use NETKEY?

We actually recommend using NETKEY in most cases now:

https://libreswan.org/wiki/FAQ#Should_I_use_the_NETKEY_or_KLIPS_IPsec_stack_with_libreswan.3F

I’ve used *swan since the days where FreeSwan needed to be patched to support 
x509 certs, and after trying out NEKEY for a few weeks in a test setup I found 
the routing/firewall mechanism harder to work with then KLIPS’s explicit ipsecX 
interfaces. But beside this, they seemed functionally similar. How does 
interoperability faire under NETKEY? Are there any known regressions compared 
to KLIPS? Eg. L2TP ontop of NETKEY/IPSec etc.

See the FAQ entry, but basically only regressions from KLIPS to
NETKEY are:

- The KLIPS SAref (which can be done probably with Linux VTI)
- The first+last packet caching for on-demand tunneling that NETKEY is still 
lacking.
- OCF cryptographic hardware offload support for embedded devices
  (somewhat available via the OCF cryptosoft driver for netkey)
- Load of a single IPsec SA not distributed over multiple cores/cpus
- No more easy tcpdump use of crypted and decrypted packets (might be
  doable with Linux VTI)
- incompatible iptables rules requiring a rewrite.

In essence, I’m wondering if KLIPS will continue to be maintained “forever” or 
is it less pain now to just make the switch?

We will support KLIPS for a while, but we are not actively developing
for it. So it is mostly in maintanance mode, bringing it up for newer
kernels, etc. Some people still prefer KLIPS due to its much easier
use of firewalling and the ipsecX interfaces.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

Reply via email to