Comment 24 for bug 1535951

Tobias Brunner (tobias-strongswan) wrote : Re: [Bug 1535951] Re: Please merge strongswan 5.3.5-1 (main) from Debian unstable (main)

>> I think the kernel-libipsec plugin should not be loaded by default
>>
>> the plugin works only with UDP encapsulated packets
>>
>> (look here: https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec)
>>
>> and this will break most of the "normal"/LAN setups
>>
>
> The kernel-libipsec plugin is optional; a user must apt-get install
> libstrongswan-extra-plugins.
> I've installed the extra plugins in a VM which uses NAT configuration and
> none of the networking was broken if the kernel-libipsec module was loaded
> (but unconfigured).

There is nothing to configure, as long as it gets loaded before any of
the other kernel-ipsec implementations (that's the default) it gets used
as IPsec backend (i.e. IPsec is then handled in userland, not the
kernel). As described on the wiki page, it is not generally recommended
to be used.

> However, I'm interested if you can expand on what setup would break? We
> certainly don't want to break or surprise users, so I'd like to understand
> what "breaks" if the module is loaded by default.

Refer to the wiki page above. One example is host-to-host tunnels,
which require additional configuration; then there are the performance
limitations.

>> I would build and include the plugin but disable the loading with
>>
>> /etc/strongswan.d/charon/kernel-libipsec.conf
>>> load = no

That would be an option, another is to put the plugin and config snippet
into a separate package.

Regards,
Tobias
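An added check (not part of the bug thread or of the strongSwan package) that reads a kernel-libipsec.conf snippet of the kind quoted above and reports whether charon would load the plugin, so an administrator can confirm that IPsec stays in the kernel. It assumes that a missing `load` entry means the plugin loads, which is the value the shipped snippet sets; the two sample snippets are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report whether a strongSwan kernel-libipsec.conf snippet
# lets charon load the kernel-libipsec plugin (userland IPsec).
# Assumption: a missing "load" entry is treated as "yes".

libipsec_load_setting() {
    # Print the value of "load" inside the kernel-libipsec { } section of
    # the file given as $1 ("yes" if the entry is absent).
    awk '
        /^[[:space:]]*#/ { next }                              # comment line
        /^[[:space:]]*kernel-libipsec[[:space:]]*[{]/ { insec = 1; next }
        insec && /^[[:space:]]*[}]/ { insec = 0 }
        insec && /^[[:space:]]*load[[:space:]]*=/ {
            sub(/^[[:space:]]*load[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]#].*$/, "")                         # trailing comment
            val = $0
        }
        END { print (val == "" ? "yes" : val) }
    ' "$1"
}

libipsec_disabled() {
    # Exit 0 when the plugin is disabled (load = no), 1 otherwise.
    [ "$(libipsec_load_setting "$1")" = "no" ]
}

# Constructed sample snippets (not copied from any package).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/as-shipped.conf" <<'EOF'
kernel-libipsec {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}
EOF
cat > "$SAMPLE_DIR/disabled.conf" <<'EOF'
# Disabled as proposed in the bug report
kernel-libipsec {
    load = no   # keep IPsec in the kernel
}
EOF

for f in "$SAMPLE_DIR"/*.conf; do
    if libipsec_disabled "$f"; then
        echo "$f: kernel-libipsec will not be loaded"
    else
        echo "$f: kernel-libipsec will be loaded (load = $(libipsec_load_setting "$f"))"
    fi
done
```

Point it at /etc/strongswan.d/charon/kernel-libipsec.conf on a host to check the installed configuration.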