Hi,

> As far as I understand, with strongSwan, with 2.4 kernel we work with
> KLIPS whereas with Linux 2.6 kernel we work with native IPsec.

There are two widely used IPsec stacks for Linux, the native Netkey stack introduced with 2.6, and the KLIPS stack originally written for 2.4. KLIPS has been ported to 2.6 by the Openswan project, and even the Netkey stack has been back-ported to 2.4. The focus of strongSwan is on the native Netkey stack shipped with 2.6, but we also have a more or less complete interface to KLIPS for 2.4 (--enable-kernel-klips).

> I saw that in OpenSwan you can work with KLIPS also with 2.6 kernel. In
> case you want to have NAT traversal support with KLIPS in openswan
> with 2.6 kernel, you should patch the kernel.

It might even work with strongSwan, but I've never tried it. We highly recommend Netkey for use with strongSwan, that is what we mainly develop and test for. And there is no need to patch your kernel.

> Are the lookups performed quicker when working with KLIPS on a
> highly loaded server?

I don't think so, Netkey scales just fine. KLIPS might support more crypto hardware through OCF. Netkey uses the Linux Crypto API. It is mainline and gets support for more and more hardware, too.

Regards
Martin
