[Swan] Policy groups
Paul Wouters
paul at nohats.ca
Tue Jun 9 14:42:10 UTC 2020
On Tue, 9 Jun 2020, phil.nightowl at gmail.com wrote:
> /etc/ipsec.d/policies/clear containing
> /etc/ipsec.d/policies/private containing
> Given this very short config (everything else being thus defaults), I
> expected the built-in policy groups to apply, causing any connection
> attempt from 10.0.10.3 (which is the default interface's IP on that
> host) towards 10.0.10.254 (ping, http, whatever) to trigger the usual
> handshake/IKE activity. However, I do not see any of that and the outgoing
> packets are happily transmitted in clear.
>
> Any hints to what am I missing would be greatly appreciated.
You need to actually have a conn private and a conn clear. Those
group connections are then instantiated for each CIDR line in
the policy files clear and private.
Try adding those in a file, e.g. /etc/ipsec.d/mesh.conf

# instantiated once per CIDR listed in /etc/ipsec.d/policies/clear
conn clear
	type=passthrough
	authby=never
	left=%defaultroute
	right=%group
	auto=ondemand

# instantiated once per CIDR listed in /etc/ipsec.d/policies/private
conn private
	left=%defaultroute
	leftid=%fromcert
	leftrsasigkey=%cert
	leftcert=clientcert
	# right
	rightrsasigkey=%cert
	rightid=%fromcert
	right=%opportunisticgroup
	failureshunt=drop
	negotiationshunt=drop
	auto=ondemand
I specified certificates here as the authentication scheme, as you didn't
share what you were using to authenticate the nodes. You might need
to create PKCS#12 files for each node with a "friendly name" (export
name) of "clientcert" and use "ipsec import file.p12" once on each
node to import it.
Paul
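An added example, not part of the thread or of libreswan itself, that lays out the files Paul's reply describes and sanity-checks the policy group files before they are loaded: every entry must be a well-formed a.b.c.d/n line (anything else yields no instantiated conn), and no CIDR should be listed in both clear and private, since that destination would then have two contradictory policies. The conn definitions are the ones from the reply; IPSEC_ROOT, the demo CIDRs, the "setup" argument and the self-signed certificate are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from libreswan). Builds the
# /etc/ipsec.d layout described in the reply and checks the policy groups.
# IPSEC_ROOT, the sample CIDRs and the self-signed cert are demo assumptions.
set -u
IPSEC_ROOT="${IPSEC_ROOT:-/etc/ipsec.d}"

# Return 0 only for a well-formed a.b.c.d/n entry. Anything else in a policy
# group file is a line that cannot be turned into an instantiated conn.
valid_cidr() {
  addr=${1%%/*}; pfx=${1##*/}
  [ "$addr/$pfx" = "$1" ] || return 1            # exactly one '/'
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs  # split into octets
  [ $# -eq 4 ] || return 1
  for octet; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Print the non-comment, non-blank entries of one policy group file.
policy_entries() {
  [ -f "$1" ] || return 0
  sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Validate both groups and flag any CIDR that appears verbatim in both
# (overlapping but different prefixes are not flagged). Returns 1 if any
# problem was found, 0 if the files are consistent.
check_policy_groups() {
  status=0
  for group in clear private; do
    for cidr in $(policy_entries "$IPSEC_ROOT/policies/$group"); do
      if ! valid_cidr "$cidr"; then
        echo "policies/$group: bad entry '$cidr'" >&2; status=1
      fi
    done
  done
  for cidr in $(policy_entries "$IPSEC_ROOT/policies/clear"); do
    if policy_entries "$IPSEC_ROOT/policies/private" | grep -qxF "$cidr"; then
      echo "'$cidr' is listed in both clear and private" >&2; status=1
    fi
  done
  return $status
}

# Write the two group conns from the reply into IPSEC_ROOT/mesh.conf. The
# conn names must be exactly "clear" and "private": those are the names the
# policies/clear and policies/private files are matched against.
write_mesh_conf() {
  mkdir -p "$IPSEC_ROOT/policies"
  cat > "$IPSEC_ROOT/mesh.conf" <<'EOF'
conn clear
	type=passthrough
	authby=never
	left=%defaultroute
	right=%group
	auto=ondemand

conn private
	left=%defaultroute
	leftid=%fromcert
	leftrsasigkey=%cert
	leftcert=clientcert
	rightrsasigkey=%cert
	rightid=%fromcert
	right=%opportunisticgroup
	failureshunt=drop
	negotiationshunt=drop
	auto=ondemand
EOF
}

# Build a PKCS#12 bundle whose friendly name matches leftcert=clientcert, so
# "ipsec import node.p12" stores it under the name the conn refers to.
# Self-signed for the demo only; peers verifying %fromcert IDs need a CA
# they all trust, so a real mesh uses CA-issued certificates.
make_p12() {  # $1 = node name, $2 = output .p12 path
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days 365 \
      -keyout "$1.key" -out "$1.crt" 2>/dev/null
  openssl pkcs12 -export -name clientcert -inkey "$1.key" -in "$1.crt" \
      -passout pass: -out "$2"
}

# Run "sh setup-oe.sh setup" on a node to lay everything out (override
# IPSEC_ROOT for a dry run), import the bundle and restart libreswan.
if [ "${1:-}" = "setup" ]; then
  write_mesh_conf
  printf '10.0.10.0/24\n' > "$IPSEC_ROOT/policies/private"  # constructed demo CIDRs
  printf '10.0.10.1/32\n' > "$IPSEC_ROOT/policies/clear"
  check_policy_groups || exit 1
  make_p12 "$(hostname)" "$(hostname).p12"
  if command -v ipsec >/dev/null; then
    ipsec import "$(hostname).p12" && ipsec restart
  fi
fi
```

With IPSEC_ROOT pointed at a scratch directory the script can be run as a dry run that only writes files and checks them; on a real node the setup path ends with the "ipsec import" step from the reply followed by a restart so the new group conns are read.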