[Swan] IPv6 implicit connection
Brandon Enochs
enochs.brandon at gmail.com
Wed May 27 05:57:44 EEST 2015
Are IPv6 host to host connections with right specified as a subnet
supported?
On May 26, 2015 10:41 PM, "Paul Wouters" <paul at nohats.ca> wrote:
> On Tue, 26 May 2015, Brandon Enochs wrote:
>
> I was looking to add a entry to /etc/ipsec.d/policies/private, but the
>> documentation was unclear.
>>
>
> Ah, you were (accidentally) trying Opportunistic Encryption. We are
> currently hard at work at reviving that code, and we will update the
> documentation for those policy files. For now though, do not use them.
>
> When the special OE connections are loaded (currently via handcrafted
> .conf file), it will create a few meta-connections. These are called
> "block", "clear", "private", "private-or-clear", "clear-or-private"
> and "packetdefault".
>
> For each entry in /etc/ipsec.d/policies/XXX, it will add an instance of
> the connection. So adding 1.2.3.4/32 in "clear" would add a connection
> "clear#1.2.3.4/32" which would place a type=passthrough policy in the
> kernel.
>
> For the entry private-or-clear, it will put a policy in the kernel that
> causes a packet that matches the remote network to cause a kernel
> ACQUIRE to be sent to pluto. Once pluto receives this, it will try to
> find a matching connection. This connection is not a traditional static
> VPN but based on however pluto get obtain a public IPsec KEY for that
> remote endpoint. In the past this was a TXT record in the reverse of
> the IP address. In the next libreswan release, there will be AUTH_NULL
> support to do IKE without authentication. The release after that will
> have support for IPSECKEY lookups in the forward (and reverse) DNS,
> and possibly other methods such as Kerberos.
>
> But all of this is most likely not what you wanted. If you want an
> ondemand tunnel between two endpoints, you need to configure a full
> connection with either a preshared key or certificates or raw RSA
> key. See our wiki for configuration examples.
>
> Paul
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20150526/b76a4452/attachment.html>
More information about the Swan
mailing list