[Swan] Policy groups

Paul Wouters paul at nohats.ca
Tue Jun 9 14:42:10 UTC 2020


On Tue, 9 Jun 2020, phil.nightowl at gmail.com wrote:

> /etc/ipsec.d/policies/clear containing

> /etc/ipsec.d/policies/private containing

> Given this very short config (everything else being thus defaults), I
> expected the built-in policy groups to apply, causing any connection
> attempt from 10.0.10.3 (which is the default interface's IP on that
> host) towards 10.0.10.254 (ping, http, whatever) to trigger the usual
> handshake/IKE activity. However, I do not see any of that and the outgoing
> packets are happily transmitted in clear.
>
> Any hints to what am I missing would be greatly appreciated.

You need to actually have a conn private and a conn clear. Those
group connections are then instantiated for each CIDR line in
the policy files clear and private.

Try adding those in a file, eg /etc/ipsec.d/mesh.conf

conn clear
        # passthrough: traffic to these networks is never encrypted
        type=passthrough
        authby=never
        left=%defaultroute
        # instantiated once per CIDR line in /etc/ipsec.d/policies/clear
        right=%group
        auto=ondemand

conn private
        left=%defaultroute
        leftid=%fromcert
        leftrsasigkey=%cert
        # must match the friendly name of the imported PKCS#12
        leftcert=clientcert
        # right: instantiated once per CIDR line in /etc/ipsec.d/policies/private
        rightrsasigkey=%cert
        rightid=%fromcert
        right=%opportunisticgroup
        # never fall back to clear: drop while negotiating and if IKE fails
        failureshunt=drop
        negotiationshunt=drop
        auto=ondemand

I specified certificates here as authentication scheme, as you didn't
share what you were using to authenticate the nodes. You would need
to create PKCS#12 files for each node with a "friendly name" (export
name) of "clientcert" and use "ipsec import file.p12" once on each
node to import it.

Paul
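The steps described in the reply above, as an added shell example that is not part of the original post or of libreswan itself: exporting a node's key and certificate into a PKCS#12 file whose friendly name is "clientcert" (so that it matches `leftcert=clientcert`), importing it, and listing the per-CIDR instances that libreswan creates from the policy files. The file names `node.key`, `node.crt` and `ca.crt` are assumptions; `policy_instances` is a local helper that mirrors the `conn#CIDR` instance names shown by `ipsec auto --status`, so the expected names can be checked without a running libreswan.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the node's key/cert and
# the CA cert already exist as node.key, node.crt and ca.crt (assumed names).
set -eu

# Local helper: the instance names libreswan derives from a policy file,
# one "<conn>#<cidr>" per non-blank, non-comment line. Pure shell/awk.
policy_instances() {   # usage: policy_instances CONN POLICY_FILE
    awk -v conn="$1" '
        /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
        { print conn "#" $1 }        # first field is the CIDR
    ' "$2"
}

# PKCS#12 export: -name sets the friendly name that leftcert= must match.
make_p12() {   # usage: make_p12 KEY CERT CA OUT.p12
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name clientcert -out "$4"
}

# Import on the node, load the two group conns and show their instances.
import_and_check() {   # usage: import_and_check node.p12
    ipsec import "$1"
    ipsec certutil -L                   # nickname "clientcert" must be listed
    ipsec auto --add clear
    ipsec auto --add private
    ipsec auto --status | grep -E '"(clear|private)#'
}

# Stand-alone demo with a constructed policy file (needs neither openssl nor
# ipsec): run as "sh thisfile.sh demo".
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    printf '# peers that must be encrypted\n10.0.10.254/32\n' > "$tmp/private"
    policy_instances private "$tmp/private"     # private#10.0.10.254/32
fi
```

On the real node the sequence is `make_p12 node.key node.crt ca.crt node.p12` followed by `import_and_check node.p12`; the grep at the end should show one `private#...` and one `clear#...` line for every CIDR in the respective policy file, and a first ping to a `private` peer is expected to fail while IKE negotiates because of `negotiationshunt=drop`.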

