On Thu, Sep 11, 2014 at 01:37:42PM +0100, Lawrence Manning wrote: > If I understand correctly, this can be done by having a 0.0.0/0 remote > subnet. Do you mean something else?
It was years ago, so I don't remember exactly why it didn't work with klips. > Yes, this is a rather a nasty limitation. I *think* (might be wrong) that > this is more an integration problem between the startup glue scripts and > pluto/klips vs a real klips problem. Ie. you could probably work around this > by making your own action mechanism that add/removed the ipsec interfaces > without doing a full restart. But great if netkey makes this a non problem. Certainly simple with netkey. Also netkey can use the kernel crypto drivers for hardware crypto which I don't think klips can. > Yeah, we crank up the limit but it is still hardcoded and not changeable at > even module load time AFAIK. > > I played with using some of the special netfilter matches for netkey, and I > know it can be done… it’s just “weirder”. I believe, for instance, that under > ntetkey libpcap will se both the cleartext and the cyphered packets…. Using shorewall as a wrapper it was a simple as defining an ipv4 zone and an ipsec zone for a given interface and then it just works. Traffic that came through netkey is tagged as ipsec traffic. -- Len Sorensen _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
