Re: [Ocf-linux-users] NETKEY and OCF-Linux under 2.6.24
                
      From: Xianghua X. <x....@fr...> - 2008-06-03 21:37:05
      
I tried them on 2.6.24 using PSK for subnetA-GW1-GW2-subnetB. Running "ipsec eroute" showed a tunnel is up between GW1-GW2. However, when I send packets from subnetA to subnetB, it seems the VPN channel is not involved, i.e. I got the same throughput with/without ipsec. I disabled OCF totally for the debugging. Also, when I ran "ifconfig ipsec0" I saw zero packets Tx/Rx-ed, though eth1/eth0 have lots of packets Tx/Rx-ed; it seems like ipsec0 is bypassed totally.

Any suggestions?

Thanks,
Xianghua

David McCullough wrote:
>
> Jivin xianghua xiao lays it down ...
> ...
> > Yes I would like to try your alpha tarball right away. I managed to get
> > KLIPS compiled under 2.6.24 but it crashes sometimes, plus pluto
> > complained "no hardware accelerator was found".
>
> Ok, here is everything I think you need and is easiest to generate.
> It's an openswan-2.4.12 patch and a diff against the old 2007 release of
> OCF. Ince you have openssl working I don't think you need a new version
> of that patch.
>
> This is not as nicely packaged as a release, but I think you will be
> able to work out what you need, if not hassle me :-)
>
> > Hope someday NETKEY can invoke OCF directly, that will make life easier.
>
> Or some writes crypto drivers for linux for the HW you are using :-)
>
> > There are quite a lot legacy network code in OpenSwan (partially due to
> > its back-compatibility support) and it's becoming harder to keep KLIPS
> > in sync with new kernel releases.
>
> It's not too bad actually, we update kernels regularly and while
> openswan is often an issue, it's not always the worst offender :-)
>
> Cheers,
> Davidm
>
> --
> David McCullough, dav...@se..., Ph:+61 734352815
> Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com