IPSEC has two pieces!
Posted Mar 4, 2004 10:00 UTC (Thu) by gurulabs
Parent article: FreeS/wansong
There is the in kernel IPSec stack, and then there is the userland IKE daemon.
The only time you don't need an IKE daemon is if you are doing 'manual keying'. Which is fine for lab or little tests, but nobody deploys real-world VPN deployments without IKE.
FreeS/WAN had two pieces:
* Klips - in kernel stack
* pluto - userland IKE daemon
Pluto is BY FAR superior to any IKE daemon out there and lives on in the OpenSWAN project.
Guess what, Pluto can work with either the "klips" kernel code OR the native 2.6 kernel IPSEC. The FreeBSD/NetBSD KAME and the OpenBSD isakmpd IKE daemons blow major chunks compared to Pluto.
The most featureful, powerful and future-proof deployment approach is to use Pluto WITH the 2.6 kernel! Even Red Hat is working with the OpenSWAN folks to get Pluto as part of Fedora (maybe even FC2).
It does a huge disservice to repeat the inane blathering "The 2.6 kernel now includes an IPSec implementation of its own, negating the need for an add-in implementation like FreeS/WAN."