IPSEC has two pieces!

Posted Mar 4, 2004 10:00 UTC (Thu) by gurulabs (subscriber, #10753)
Parent article: FreeS/wansong

There is the in-kernel IPSec stack, and then there is the userland IKE daemon.

The only time you don't need an IKE daemon is if you are doing 'manual keying', which is fine for lab or little tests, but nobody deploys real-world VPN deployments without IKE.

FreeS/WAN had two pieces:
* Klips - in-kernel stack
* pluto - userland IKE daemon

Pluto is BY FAR superior to any IKE daemon out there and lives on in the OpenSWAN project.

Guess what, Pluto can work with either the "klips" kernel code OR the native 2.6 kernel IPSEC. The FreeBSD/NetBSD KAME and the OpenBSD isakmpd IKE daemons blow major chunks compared to Pluto.

The most featureful, powerful and future-proof deployment approach is to use Pluto WITH the 2.6 kernel! Even Red Hat is working with the OpenSWAN folks to get Pluto as part of Fedora (maybe even FC2).

It does a huge disservice to repeat the inane blathering "The 2.6 kernel now includes an IPSec implementation of its own, negating the need for an add-in implementation like FreeS/WAN."

