"NETKEY" is the name for the IPsec kernel code that is in the Linux 2.6 kernel. It is also known as 26sec.
To confuse things, the "NETKEY" code has been "backported" to a number of 2.4 kernels. To further confuse things, the KLIPS code has been ported to work on 2.6 kernels.
NETKEY has the advantage that it is included in the base kernel, and is reasonably well integrated.
NETKEY in 2.4 kernels has no ipsec0 or mast0 device on which to hang firewalling.
The NETKEY code in 2.6.3 does not support PMTU discovery or fragmentation.
The NETKEY code in 2.6.16 will also cause connect(2) to return with EAGAIN if the kernel has no keying material for a connection. POSIX says connect(2) should never return such a code, so applications tend to fail.
The NETKEY code in versions before 2.6.8 had issues with IPComp.
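One way an application can tolerate the connect(2) EAGAIN behaviour described above is a bounded retry on a blocking socket. This is an added example, not code from the original page or from any IPsec project; `connect_retry`, `fake_connect`, `demo`, the try limit and the delay are hypothetical names and values, and a real caller would pass `connect` itself as the first argument.

```c
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <sys/socket.h>

/* Same signature as connect(2), so a stub can stand in for it below. */
typedef int (*connect_fn)(int, const struct sockaddr *, socklen_t);

/*
 * connect_retry (hypothetical helper): retry only while connect fails with
 * EAGAIN, the error the page attributes to NETKEY having no keying material.
 * Any other error is returned at once. Returns 0 on success, -1 with errno
 * set on failure; *tries_out receives the number of calls made.
 */
int connect_retry(connect_fn do_connect, int fd, const struct sockaddr *sa,
                  socklen_t len, int max_tries, int delay_ms, int *tries_out)
{
    int tries = 0, rc = -1, saved = EINVAL;
    while (tries < max_tries) {
        tries++;
        rc = do_connect(fd, sa, len);
        if (rc == 0)
            break;
        saved = errno;
        if (saved != EAGAIN)
            break;                      /* real failure: do not mask it */
        if (tries < max_tries && delay_ms > 0)
            poll(NULL, 0, delay_ms);    /* wait for keys to be negotiated */
    }
    if (tries_out) *tries_out = tries;
    if (rc != 0) errno = saved;         /* poll() may have changed errno */
    return rc;
}

/* Constructed stub: fails with EAGAIN fake_eagain_left times, then succeeds. */
static int fake_eagain_left;
static int fake_connect(int fd, const struct sockaddr *sa, socklen_t len)
{
    (void)fd; (void)sa; (void)len;
    if (fake_eagain_left > 0) { fake_eagain_left--; errno = EAGAIN; return -1; }
    return 0;
}

/* Drive the helper with the stub; returns calls made, negated on failure. */
int demo(int eagain_count, int max_tries)
{
    int tries = 0;
    fake_eagain_left = eagain_count;
    int rc = connect_retry(fake_connect, -1, NULL, 0, max_tries, 0, &tries);
    return rc == 0 ? tries : -tries;
}
```

Keeping the try limit small matters: if keying never completes, the caller still gets EAGAIN back and can report the failure instead of blocking indefinitely.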