Wichert Akkerman wrote:
Yes, Debian kernels have 26sec backported and thus work with openswan userland out-of-the-box (with freeswan-compatible configs). However, there are still some issues in the interaction between IPSec tunnels and netfilter (talk to Marc :) ), which need to be sorted out before the KLIPS stack will be obsolete (and yes, I've been waiting for that to happen for about 2 years, KLIPS is still painful). These issues are slowly getting resolved though (finally due to the introduction of the RAW table in 2.6.7).
As I understand it Debian kernels now feature the Linux ipsec backport, basically making the kernel-patch-freeswan stuff obsolete. So why not simply just package the freeswan userland to use that? That should be pretty simple.
Giacomo reported that AES is necessary for him. I am currently trying to get some info from the openswan maintainers on when it might be ready.
Unfortunately, openswan currently does not have the alg patch and thus no AES etc.
3des is still the preferred algorithm so I don't see that being a real problem.
best regards, Rene