[Swan-dev] Opportunistic IPSec with wide clear policy issue
Kirill Logachev
logachev.k at gmail.com
Thu Nov 15 18:09:10 UTC 2018
Hi Paul,
Thank you for the confirmation!
We were following an example from here:
https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec (3.3 Assign networks).
Without the priority override it defaults to clear for all connections, so
priority was just an attempt to find a workaround (other than not to
specify 0/0).
Kirill.
On Thu, Nov 15, 2018 at 9:51 AM Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 15 Nov 2018, Kirill Logachev wrote:
>
> > We were trying to configure LibreSwan opportunistic IPSec in a cluster
> > with the next configuration.
> > conn private
>
>
> > conn clear
> > left=%defaultroute
> > right=%group
> > type=passthrough
> > auto=route
> > priority=65535
>
> I strongly recommend not setting a priority. OE requires some careful
> priorities, especially if using it with protocol and port selectors.
>
> > IP ranges configurations:
> > [root at vm0 ipsec.d]# cat policies/clear
> > 0.0.0.0/0
>
> Don't put 0/0 in the clear group. Just leave it empty. Think of the clear
> group as a special override forbidding ipsec.
>
> > [root at vm0 ipsec.d]# cat policies/private
> > 10.0.0.0/24
>
> So if you wanted only 10.0.0.13 to be in the clear, you would add that
> to the clear group. But for 1.2.3.4 you just want it to match no OE
> group, or you put 0/0 in the clear-or-private group, meaning it will
> go out in the clear but if others try IKE to you, you will accept it.
>
> > The expectation is: IPSec is enforced in the cluster subnet & clear is
> > allowed for everything else. First, we didn't set a priority, but clear
> > connection has higher priority than private in that case.
> > When we lower clear priority, libreswan fails to establish a tunnel.
>
> Paul
>
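The following is an added illustration, not part of the thread and not Libreswan code: a small Python checker that reads OE policy-group files the way `ipsec.d/policies/` lays them out, flags the mistake discussed above (0/0 in `clear`), and reports which group a destination would fall into. The group contents are constructed inline so it runs offline; the precedence rule it applies (an entry in `clear` overrides everything, otherwise the most specific entry among `private` and `clear-or-private` wins, and a destination matching no group is simply not handled by OE) is an approximation derived from Paul's description, not a reimplementation of how Libreswan computes kernel policy priorities.

```python
import ipaddress

# Constructed group contents laid out as Paul suggests: clear stays empty,
# the cluster subnet goes in private, and 0/0 goes in clear-or-private so
# other traffic leaves in the clear but inbound IKE from OE peers is accepted.
GOOD_POLICY_FILES = {
    "clear": "",
    "private": "10.0.0.0/24\n",
    "clear-or-private": "0.0.0.0/0\n",
}

# Constructed reproduction of the layout from the thread: 0/0 in clear.
BROKEN_POLICY_FILES = {
    "clear": "0.0.0.0/0\n",
    "private": "10.0.0.0/24\n",
    "clear-or-private": "",
}

# What each group means for a destination, paraphrased from the thread.
GROUP_MEANING = {
    "clear": "IPsec forbidden; traffic goes in the clear",
    "private": "IPsec required; plaintext is not allowed",
    "clear-or-private": "outgoing traffic in the clear, incoming IKE accepted",
    "no-oe-group": "not covered by OE; ordinary unencrypted traffic",
}


def parse_policy(text):
    """Parse one policies/<group> file: one prefix per line, # comments allowed."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def load_groups(files):
    """Map group name -> list of networks for a dict of file contents."""
    return {name: parse_policy(body) for name, body in files.items()}


def lint_groups(groups):
    """Return human-readable problems; currently: a catch-all prefix in clear."""
    problems = []
    for net in groups.get("clear", []):
        if net.prefixlen == 0:
            problems.append(
                "clear contains %s: this forbids IPsec for every destination, "
                "including the private subnet; leave clear empty and put %s "
                "in clear-or-private instead" % (net, net)
            )
    return problems


def classify(groups, dst):
    """Return (group, prefix-as-string-or-None) for destination dst.

    Assumed precedence (approximation of the behaviour described in the
    thread, not Libreswan's actual priority computation): any clear entry
    wins outright; otherwise the longest matching prefix in private or
    clear-or-private wins; no match means OE does not handle the address.
    """
    addr = ipaddress.ip_address(dst)
    for net in groups.get("clear", []):
        if net.version == addr.version and addr in net:
            return ("clear", str(net))
    best = None
    for name in ("private", "clear-or-private"):
        for net in groups.get(name, []):
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (name, net)
    if best is None:
        return ("no-oe-group", None)
    return (best[0], str(best[1]))


def explain(groups, dst):
    """One-line summary of what the policy groups do to traffic for dst."""
    group, net = classify(groups, dst)
    via = " (matched %s)" % net if net else ""
    return "%s -> %s%s: %s" % (dst, group, via, GROUP_MEANING[group])


if __name__ == "__main__":
    for label, files in (("good", GOOD_POLICY_FILES), ("broken", BROKEN_POLICY_FILES)):
        groups = load_groups(files)
        print("== %s layout ==" % label)
        for problem in lint_groups(groups):
            print("WARNING:", problem)
        for dst in ("10.0.0.13", "1.2.3.4"):
            print(explain(groups, dst))
```

Running it shows the failure mode from the thread directly: with 0/0 in `clear`, 10.0.0.13 is classified as `clear` and the private subnet never gets a tunnel, whereas with the catch-all moved to `clear-or-private` the cluster subnet resolves to `private` and everything else to `clear-or-private`.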