
I currently have a Debian Woody machine acting as a head-end IPSEC server to three sites with Cisco 837 ADSL routers. Woody is no longer maintained and I would like to upgrade the machine, and get it onto a 2.6 kernel.

The IPSEC driver used by FreeS/WAN on 2.4 is klips. FreeS/WAN is no longer maintained, and has forked into OpenSwan and StrongSwan. The 2.6 kernel has its own implementation of IPSEC, called NETKEY, and klips requires a patched kernel, which I would rather not have to maintain, as there is a good IPSEC implementation in the mainline.

The standard 2.6 kernel IPSEC model, using the ipsec-tools, lets you do all sorts of things with policies. In the past, I've had an ipsec0 interface, which has been given IP addresses and been able to connect routes to, and hang firewall rules off. I believe NETKEY doesn't give that. The remote sites can be considered 'trusted' insomuch as machines on their LAN are currently routed such that they may as well be on the local LAN, and so it wouldn't matter too much that I couldn't apply specific firewall rules.

Can anyone advise me on the easiest way to do this? Should I continue using OpenSwan? Is there a good HOWTO for this, or will I be the guy that writes it? (Assume I know everything on http://www.wlug.org.nz/26sec :)

Any suggestions? Michal, are you still around, and is this right in your area of expertise? :)

Craig
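The following is an added example, not part of the original post, showing what the policy-based (NETKEY/ipsec-tools) equivalent of the ipsec0 setup looks like for a head-end with several remote LANs. All addresses, the site table and the LAN ranges are constructed placeholders; it assumes ipsec-tools (`setkey`) is installed and that racoon handles the IKE negotiation with each remote router. Since there is no tunnel interface to attach routes or firewall rules to, the script generates tunnel-mode SPD entries per site and matches firewall rules on the kernel's IPsec policy (the `xt_policy` match) instead of on an interface.

```shell
#!/bin/sh
# Added example: policy-based site-to-site IPsec for a head-end with several
# remote LANs, generated from a site table. Addresses are constructed
# placeholders (RFC 5737 documentation ranges), not values from the post.

HQ_LAN="10.0.0.0/24"      # assumed head-end LAN
HQ_PUB="203.0.113.1"      # assumed head-end public address

# Constructed site table, one line per remote router: "peer_public_ip remote_lan"
SITES="198.51.100.10 10.0.1.0/24
198.51.100.20 10.0.2.0/24
198.51.100.30 10.0.3.0/24"

# Emit setkey SPD commands: one outbound and one inbound tunnel-mode policy per
# site. The 'require' level makes the kernel drop matching traffic until an SA
# exists, so nothing leaks in cleartext while racoon is still negotiating.
spd_policies() {
    printf 'spdflush;\n'
    echo "$SITES" | while read -r peer lan; do
        [ -n "$peer" ] || continue
        printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
            "$HQ_LAN" "$lan" "$HQ_PUB" "$peer"
        printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
            "$lan" "$HQ_LAN" "$peer" "$HQ_PUB"
    done
}

# Without an ipsec0 interface, firewall rules match on the decapsulation policy:
# -m policy --dir in --pol ipsec matches only packets that arrived inside an ESP
# tunnel from the expected peer, so a remote-LAN source address cannot be
# spoofed from the clear-text side of the ADSL link.
firewall_rules() {
    echo "$SITES" | while read -r peer lan; do
        [ -n "$peer" ] || continue
        printf 'iptables -A FORWARD -s %s -d %s -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src %s -j ACCEPT\n' \
            "$lan" "$HQ_LAN" "$peer"
    done
    # Anything claiming a remote-LAN source that did not come through a tunnel is dropped.
    echo "$SITES" | while read -r peer lan; do
        [ -n "$peer" ] || continue
        printf 'iptables -A FORWARD -s %s -m policy --dir in --pol none -j DROP\n' "$lan"
    done
}

# Apply only when the tools are present; 'show' prints the generated commands
# for review on any machine.
apply() {
    if command -v setkey >/dev/null 2>&1; then
        spd_policies | setkey -c          # setkey -c reads commands from stdin
    fi
    if command -v iptables >/dev/null 2>&1; then
        firewall_rules | sh
    fi
}

case "${1:-}" in
    show)  spd_policies; firewall_rules ;;
    apply) apply ;;
esac
```

Run it as `sh netkey-sites.sh show` to inspect the generated `setkey` and `iptables` commands, or `apply` on the head-end once racoon is configured for the three peers. Routes to the remote LANs are not needed in this model: the SPD entries cause the kernel to encapsulate matching traffic, so the remote ranges only need to be reachable via the default route to the peer's public address.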