[Swan-dev] the new ikev2 default (upstream and downstream issue)

Paul Wouters paul at nohats.ca
Sun Dec 2 22:16:32 UTC 2018


I'm preparing to move to ikev2 as the default. This comes in the same
release where we will no longer allow a connection to be either v1
or v2. That is, basically we only have ikev2=yes|no.

For the other options, ikev2=propose|permit we need to define what to
do. We had come to a tentative conclusion to alias 'propose' to 'yes'
and alias 'permit' to 'no'. We figured this would break the least amount
of configurations.

Red Hat, however, prefers that we break cleanly. That is, they prefer
that the keywords propose and permit just error out and that the
connection fails to load. This makes it a little unfriendlier, but
then _if_ a failure happens, it is clear as to why and when it happens
(on upgrade, on startup).

This leaves us in an unfortunate situation that upstream would behave
differently from a major deployment downstream.

So the question is, should we do the same in upstream or not?

I have a slight preference for not doing this, but my feelings are not
very strong about this. What do others think?

Paul

