Re: Freeswan in Debian, or: Why I am such a bad maintainer

Wichert Akkerman wrote:
As I understand it Debian kernels now feature the Linux ipsec backport,
basically making the kernel-patch-freeswan stuff obsolete. So why not
simply just package the freeswan userland to use that? That should be
pretty simple.
Yes, Debian kernels have 26sec backported and thus work with openswan userland out-of-the-box (with freeswan-compatible configs). However, there are still some issues in the interaction between IPSec tunnels and netfilter (talk to Marc :) ), which need to be sorted out before the KLIPS stack will be obsolete (and yes, I've been waiting for that to happen for about 2 years; KLIPS is still painful). These issues are slowly getting resolved though (finally due to the introduction of the RAW table in 2.6.7).

Unfortunately, openswan currently does not have the alg patch and thus
no AES etc.

3des is still the preferred algorithm so I don't see that being a real
Giacomo reported that AES is necessary for him. I am currently trying to get some info from the openswan maintainers on when it might be ready.

best regards,

