Jivin Mark Ryden lays it down ...
> Martin,
> Thanks a lot for your quick and full answer!
>
> >KLIPS might support more
> >crypto hardware through OCF. Netkey uses the Linux Crypto API.
>
> I want to verify what I deduce from these sentences (even though it
> is not said explicitly):
>
> Will it be correct to say that you **cannot** use OCF
> when working with NETKEY?

That is currently true. Only klips currently has support for OCF. The only
thing that could change this would be for someone to write a driver that
plugs OCF into the kernel's crypto API. The reverse is possible using the
OCF cryptosoft driver (i.e., OCF can use all cryptoapi drivers).

Cheers,
Davidm

> On Fri, Nov 26, 2010 at 5:05 PM, Martin Willi <[email protected]> wrote:
> > Hi,
> >
> >> As far as I understand, with strongSwan, with 2.4 kernel we work with
> >> KLIPS whereas with Linux 2.6 kernel we work with native IPsec.
> >
> > There are two widely used IPsec stacks for Linux, the native Netkey
> > stack introduced with 2.6, and the KLIPS stack originally written for
> > 2.4. KLIPS has been ported to 2.6 by the Openswan project, and even the
> > Netkey stack has been back-ported to 2.4.
> >
> > The focus of strongSwan is on the native Netkey stack shipped with 2.6,
> > but we also have a more or less complete interface to KLIPS for 2.4
> > (--enable-kernel-klips).
> >
> >> I saw that in OpenSwan you can work with KLIPS also with 2.6 kernel. In
> >> case you want to have NAT traversal support with KLIPS in openswan
> >> with 2.6 kernel, you should patch the kernel.
> >
> > It might even work with strongSwan, but I've never tried it. We highly
> > recommend Netkey for use with strongSwan, that is what we mainly develop
> > and test for. And there is no need to patch your kernel.
> >
> >> Are the lookups performed quicker when working with KLIPS on a
> >> high loaded server?
> >
> > I don't think so, Netkey scales just fine. KLIPS might support more
> > crypto hardware through OCF. Netkey uses the Linux Crypto API. It is
> > mainline and gets support for more and more hardware, too.
> >
> > Regards
> > Martin
> >
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

-- 
David McCullough, [email protected], Ph:+61 734352815
McAfee - SnapGear  http://www.mcafee.com  http://www.uCdot.org
