Martin,

Thanks a lot for your quick and full answer!

> KLIPS might support more
> crypto hardware through OCF. Netkey uses the Linux Crypto API.

I want to verify what I deduce from these sentences (even though it is not said explicitly): Will it be correct to say that you **cannot** use OCF when working with NETKEY?

Thanks again!

Regards,
Mark

On Fri, Nov 26, 2010 at 5:05 PM, Martin Willi <[email protected]> wrote:
> Hi,
>
>> As far as I understand, with strongSwan, with 2.4 kernel we work with
>> KLIPS whereas with Linux 2.6 kernel we work with native IPsec.
>
> There are two widely used IPsec stacks for Linux, the native Netkey
> stack introduced with 2.6, and the KLIPS stack originally written for
> 2.4. KLIPS has been ported to 2.6 by the Openswan project, and even the
> Netkey stack has been back-ported to 2.4.
>
> The focus of strongSwan is on the native Netkey stack shipped with 2.6,
> but we also have a more or less complete interface to KLIPS for 2.4
> (--enable-kernel-klips).
>
>> I saw that in OpenSwan you can work with KLIPS also with 2.6 kernel. In
>> case you want to have NAT traversal support with KLIPS in openswan
>> with 2.6 kernel, you should patch the kernel.
>
> It might even work with strongSwan, but I've never tried it. We highly
> recommend Netkey for use with strongSwan, that is what we mainly develop
> and test for. And there is no need to patch your kernel.
>
>> Are the lookups performed quicker when working with KLIPS on a
>> highly loaded server?
>
> I don't think so, Netkey scales just fine. KLIPS might support more
> crypto hardware through OCF. Netkey uses the Linux Crypto API. It is
> mainline and gets support for more and more hardware, too.
>
> Regards
> Martin
