[Swan] IPv6 implicit connection

Paul Wouters paul at nohats.ca
Wed May 27 05:41:24 EEST 2015

On Tue, 26 May 2015, Brandon Enochs wrote:

> I was looking to add a entry to /etc/ipsec.d/policies/private, but the documentation was unclear.

Ah, you were (accidentally) trying Opportunistic Encryption. We are
currently hard at work at reviving that code, and we will update the
documentation for those policy files. For now though, do not use them.

When the special OE connections are loaded (currently via handcrafted
.conf file), it will create a few meta-connections. These are called
"block", "clear", "private", "private-or-clear", "clear-or-private"
and "packetdefault".

For each entry in /etc/ipsec.d/policies/XXX, it will add an instance of
the connection. So adding in "clear" would add a connection
"clear#" which would place a type=passthrough policy in the

For the entry private-or-clear, it will put a policy in the kernel that
causes a packet that matches the remote network to cause a kernel
ACQUIRE to be sent to pluto. Once pluto receives this, it will try to
find a matching connection. This connection is not a traditional static
VPN but based on however pluto get obtain a public IPsec KEY for that
remote endpoint. In the past this was a TXT record in the reverse of
the IP address. In the next libreswan release, there will be AUTH_NULL
support to do IKE without authentication. The release after that will
have support for IPSECKEY lookups in the forward (and reverse) DNS,
and possibly other methods such as Kerberos.

But all of this is most likely not what you wanted. If you want an
ondemand tunnel between two endpoints, you need to configure a full
connection with either a preshared key or certificates or raw RSA
key. See our wiki for configuration examples.


More information about the Swan mailing list