On Tue, 16 Jul 2019, Paul Overton wrote:
> My wish to move from KLIPS (which has to date supported all the functionality needed) has been brought about because libreswan is dropping KLIPS. VTI was documented for libreswan, so I tried it. It works fine for IPv4, but some of my networks are 6 native, and I do have 6in6 ipsec tunnels. I like the ability to have defined interfaces from a firewalling perspective, so I ruled out native netkey many years ago.
As did many, which led to VTI and then XFRMi.
> There seems to be very little documentation about XFRMi, and it appears to be very new, and not a production product as yet. I get the impression that some distros don't support XFRMi as yet. Correct me if I am wrong, but it looks like you need a kernel version 5x to support XFRMi natively? Unless you patch and re-compile a version 4?
It is pretty new, but since the code is based on VTI, it is considered stable in the upstream Linux kernel.
> Which versions of libreswan support the new XFRMi directives? 3.6.27 did not recognise the following when tested.
We have not yet released a libreswan version with XFRMi support. We plan to do this soon.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
