#
# IPSEC configuration
# Copyright (C) 2004 Michael Richardson <mcr@freeswan.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#

config KLIPS
	tristate "Libreswan IPsec (KLIPS)"
	default n
#	depends on NF_CONNTRACK && NETFILTER
	help
	  KLIPS is the Libreswan (www.libreswan.org) Kernel Level IP Security
	  system. It is extensively tested, and has interoperated with
	  many other systems.
	  It provides "ipsecX" devices on which one can do firewalling.
	  The Libreswan userland, is compatible with both KLIPS and NETKEY
	  You cannot build KLIPS and NETKEY inline into the kernel.

menu "KLIPS options"
	depends on KLIPS

config KLIPS_ESP
	bool 'Encapsulating Security Payload - ESP ("VPN")'
	default y
	help
	   This option provides support for the IPSEC Encapsulation Security
	   Payload (IP protocol 50) which provides packet layer content
           hiding, and content authentication.
	   It is recommended to enable this.  RFC2406

config KLIPS_AH
	bool 'Authentication Header - AH'
	default n
	help
           This option provides support for the IPSEC Authentication Header
           (IP protocol 51) which provides packet layer sender and content
           authentication. It does not provide for confidentiality.
	   It is not recommended to enable this.  RFC2402

config KLIPS_AUTH_HMAC_MD5
	bool 'HMAC-MD5 authentication algorithm'
	default y
	help
           The HMAC-MD5 algorithm is used by ESP (and AH) to guarantee packet
	   integrity. There is little reason not to include it.

config KLIPS_AUTH_HMAC_SHA1
	bool 'HMAC-SHA1 authentication algorithm'
	default y
	help
           The HMAC-SHA1 algorithm is used by ESP (and AH) to guarantee packet
	   integrity. SHA1 is a little slower than MD5, but is said to be
	   a bit more secure. There is little reason not to include it.

config KLIPS_ALG
	bool 'KLIPS_ALG software encryption'
	default y
	help
	   This option provides support for loading new algorithms into the
	   kernel for crypto use. You may disable this if using the
	   CONFIG_KLIPS_OCF option for hardware offload.

config KLIPS_ENC_CRYPTOAPI
	bool 'CryptoAPI algorithm interface'
	default y
	depends on KLIPS_ALG
	help
	   Enable the algorithm interface to make all CryptoAPI 1.0 algorithms
	   available to KLIPS.

config KLIPS_ENC_3DES
	bool '3DES encryption algorithm'
	default y
	help
           The 3DES algorithm is used by ESP to provide for packet privacy.
	   3DES is 3-repeats of the DES algorithm. 3DES is widely supported,
	   and analyzed and is considered very secure. 1DES is not supported.

config KLIPS_ENC_AES
	bool 'AES encryption algorithm'
	default y
	depends on KLIPS_ALG
	help
           The AES algorithm is used by ESP to provide for packet privacy.
	   AES the NIST replacement for DES. AES is being widely analyzed,
           and is very fast.

config KLIPS_IPCOMP
	bool 'IP compression'
	default y
	help
           The IPcomp protocol is used prior to ESP to make the packet
	   smaller. Once encrypted, compression will fail, so any link
	   layer efforts (e.g. PPP) will not work.

config KLIPS_OCF
	bool 'IPsec OCF Acceleration Support'
	default n
	help
	   OCF provides Asynchronous crypto acceleration for kernel and
	   user applications.   It supports various HW accelerators.
	   If you have OCF support enabled and wish IPsec to utilise
	   the hardware managed by OCF,  then enable this option.
	   OCF is a kernel patch, see http://ocf-linux.sourceforge.net/

config KLIPS_COMPAT_NAT_NFMARK
	bool 'IPsec: Backwards compatible NAT NFMARK'
	default n
	help
	   Pre-2.6.23 kernels requiring the NAT-Traversal patch use
	   the NFmark feature to mark packets for UDP decapsulation.
	   Kernels since 2.6.23 have native support and do not need
	   to place this nfmark - leaving all nfmark space available
	   to other kernel modules or userland applications. Leave this
	   off when using kernels > 2.6.23

config KLIPS_DEBUG
	bool 'IPsec debugging'
	default y
	help
           KLIPS includes a lot of debugging code. Unless there is a real
	   tangible benefit to removing this code, it should be left in place.
	   Debugging connections without access to kernel level debugging is
	   essentially impossible. Leave this on.

config KLIPS_IF_MAX
	int 'Maximum number of virtual interfaces'
	default 64
	range 4 256
	help
	   KLIPS creates virtual interfaces for tunnel purposes. At present
	   it keeps track of certain items in an array (FIX ME), and needs
	   to preallocate this array. Only a pointer is used per item.

config KLIPS_IF_NUM
	int 'Number of virtual interfaces to auto create'
	default 2
	range 0 256
	help
	   KLIPS will auto create a number of interfaces, any further interfaces
	   need to be created with tncfg.

endmenu

