[Swan] Is it possible to apply a (private) policy to host-to-host vpn-cfg ?
Daniel Thielemann
luie at mailbox.org
Sun Apr 19 22:48:00 UTC 2020
Hi Paul,
thank you for clarification. Then I'll remove these parameters from cfg.
Kind regards,
Daniel
Am 19.04.20 um 23:58 schrieb Paul Wouters:
> On Fri, 17 Apr 2020, Daniel Thielemann wrote:
>
>> To secure it up completely I would like to ask if there is any way I
>> could apply a "private or drop/hold packet" policy to my vpn configs
>> so that packets are encrypted in ANY case before they leave the box?
>
> if you use auto=ondemand or auto=start, then no unencrypted packets will
> ever leave the host. The packets will either get encrypted, or dropped.
>
>> I used the parameters already but the shunting
>
> the negotiationshunt/failureshunt is really more meant for mesh
> encryption deployments, where some nodes might want to fallback
> to cleartext if a node does not support encryption. These values
> do not need setting, and should not be set for regular host to host
> or site to site tunnels.
>
> Paul
More information about the Swan
mailing list