[Swan] Is it possible to apply a (private) policy to host-to-host vpn-cfg ?

Daniel Thielemann luie at mailbox.org
Sun Apr 19 22:48:00 UTC 2020

Hi Paul,

Thank you for the clarification. Then I'll remove these parameters from the cfg.

Kind regards,


On 19.04.20 at 23:58, Paul Wouters wrote:
> On Fri, 17 Apr 2020, Daniel Thielemann wrote:
>> To secure it up completely I would like to ask if there is any way I 
>> could apply a "private or drop/hold packet" policy to my vpn configs 
>> so that packets are encrypted in ANY case before they leave the box?
> If you use auto=ondemand or auto=start, then no unencrypted packets will
> ever leave the host. The packets will either get encrypted, or dropped.
>> I used the parameters already but the shunting
> The negotiationshunt/failureshunt is really more meant for mesh
> encryption deployments, where some nodes might want to fall back
> to cleartext if a node does not support encryption. These values
> do not need setting, and should not be set for regular host to host
> or site to site tunnels.
> Paul
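
An added example, not part of the original thread and not Libreswan code: a small Python check over ipsec.conf-style text that applies the two points from the quoted reply (use auto=ondemand or auto=start, and do not set negotiationshunt/failureshunt on host-to-host tunnels). The conn names, addresses and sample file are constructed, and applying `conn %default` settings to every conn is an assumption that goes beyond what the thread discusses.

```python
# Constructed sample ipsec.conf; conn names and addresses are hypothetical.
SAMPLE_CONF = """\
conn %default
    authby=secret
conn host-a-to-b
    right=192.0.2.20
    auto=start
    negotiationshunt=passthrough   # leftover from a mesh template
    failureshunt=passthrough
conn host-a-to-c
    right=192.0.2.30
    auto=add
conn host-a-to-d
    right=192.0.2.40
    auto=ondemand
"""

SHUNT_KEYS = ("negotiationshunt", "failureshunt")
ENFORCING_AUTO = ("ondemand", "start")   # the two values named in the reply

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif line[0].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None                        # e.g. "config setup": not a conn
    return conns

def audit(text):
    """Return (conn, message) findings for the two points in the reply."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    findings = []
    for name, params in conns.items():
        eff = {**defaults, **params}              # per-conn settings override %default
        findings += [(name, f"{k}={eff[k]}: remove for host-to-host")
                     for k in SHUNT_KEYS if k in eff]
        if eff.get("auto") not in ENFORCING_AUTO:
            findings.append((name, f"auto={eff.get('auto')}: use ondemand or start"))
    return findings
```

Calling `audit(SAMPLE_CONF)` flags both shunt settings on `host-a-to-b` and the `auto=add` on `host-a-to-c`, and reports nothing for `host-a-to-d`.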
