[Swan] Is it possible to apply a (private) policy to host-to-host vpn-cfg ?

Paul Wouters paul at nohats.ca
Sun Apr 19 21:58:32 UTC 2020


On Fri, 17 Apr 2020, Daniel Thielemann wrote:

> To secure it completely, I would like to ask if there is any way I could
> apply a "private or drop/hold packet" policy to my vpn configs so that
> packets are encrypted in ANY case before they leave the box?

If you use auto=ondemand or auto=start, then no unencrypted packets will
ever leave the host. The packets will either get encrypted, or dropped.

> I used the parameters already but the shunting

The negotiationshunt/failureshunt options are really more meant for mesh
encryption deployments, where some nodes might want to fall back
to cleartext if a node does not support encryption. These values
do not need setting, and should not be set for regular host-to-host
or site-to-site tunnels.

Paul
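The advice in the reply above, turned into a small config audit. This is an added example, not code from the list post or from the libreswan project: it parses an ipsec.conf, merges the `%default` section, and flags any conn that cannot guarantee encrypt-or-drop, namely one whose `auto=` is not `ondemand` or `start` (so no kernel policy is installed until the tunnel is brought up) or one that sets `negotiationshunt`/`failureshunt` to `passthrough`. The embedded config with the `leaky-h2h` and `strict-h2h` conns is constructed for the demo, and the treatment of `auto=ignore` as libreswan's default is taken from ipsec.conf(5).

```python
"""Audit a libreswan ipsec.conf for host-to-host conns that can leak cleartext.

Added example (not from the Swan list post or the libreswan project). The rule
encoded here follows the reply: only auto=ondemand or auto=start gives
encrypt-or-drop, and negotiationshunt/failureshunt should be left alone; a
passthrough value lets cleartext out while no SA exists.
"""
import re

# Constructed sample config: one conn written the way that leaks, one that
# encrypts or drops. Addresses are from documentation ranges.
SAMPLE_CONF = """\
config setup
    logfile=/var/log/pluto.log

conn %default
    ikev2=insist
    authby=secret

conn leaky-h2h
    left=192.0.2.10
    right=198.51.100.20
    auto=add
    negotiationshunt=passthrough
    failureshunt=passthrough

conn strict-h2h
    left=192.0.2.10
    right=198.51.100.20
    auto=ondemand
"""

SAFE_AUTO = {"ondemand", "start"}
# Shunt values that forward unencrypted traffic while no SA exists.
LEAKY_SHUNT = {"passthrough"}


def parse_conf(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if re.match(r"^\S", line):   # 'config setup' or another top-level section
            current = None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def audit(conns):
    """Return {conn_name: [findings]}; an empty list means encrypt-or-drop."""
    defaults = conns.get("%default", {})
    report = {}
    for name, opts in conns.items():
        if name == "%default":
            continue
        eff = {**defaults, **opts}          # %default applies unless overridden
        findings = []
        auto = eff.get("auto", "ignore")    # assumed default per ipsec.conf(5)
        if auto not in SAFE_AUTO:
            findings.append(f"auto={auto}: no policy installed until the tunnel is brought up")
        for opt in ("negotiationshunt", "failureshunt"):
            if eff.get(opt) in LEAKY_SHUNT:
                findings.append(f"{opt}=passthrough: cleartext leaves the host while no SA exists")
        report[name] = findings
    return report


if __name__ == "__main__":
    for conn, findings in audit(parse_conf(SAMPLE_CONF)).items():
        print(f"{conn}: {'OK' if not findings else 'LEAK RISK'}")
        for f in findings:
            print(f"  - {f}")
```

On a live host the result of a sane configuration is visible with `ipsec status` and `ip xfrm policy`: with auto=ondemand the policy for the peer is present even before any SA has been negotiated, which is what makes the kernel hold or drop rather than forward cleartext.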

