[Swan] Policy groups

Paul Wouters paul at nohats.ca
Thu Jun 11 03:28:15 UTC 2020


On Wed, 10 Jun 2020, phil.nightowl at gmail.com wrote:

> thanks for your response. I added the two conns from your mail verbatim.
> After that, the xfrm policies are installed - but only for ssh (according
> to /etc/ipsec.d/policies/clear). This corresponds to pluto startup output;
> it only says
>
> pluto[12539]: loading group "/etc/ipsec.d/policies/clear",
>
> but does not mention /etc/ipsec.d/policies/private at all (which itself
> contains only the line with 10.0.10.240/32). The system in fact
> behaves accordingly, transmitting all packets (not only SSH) happily in
> clear.

If you added it verbatim, it will have failed to load on a missing
certificate.

You have never indicated how your nodes are going to identify themselves
to each other. So I assumed you used a private CA and generate
certificates for all nodes using some certificate issuing system that
can create PKCS#12 files. Those files when created ask for a "friendly
name" to use to identify the certificate as. That is the name you need
to put in the leftcert= option.

If you do this with puppet or ansible or something, you should give all
pkcs#12 files the same "friendly name" for the cert, so you can copy
using puppet or ansible or cfengine identical files to all the nodes.

You can confirm my hypothesis by manually running: ipsec auto --add private

Paul
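The procedure Paul describes, as an added example (not code from the thread or from the Libreswan project): build the PKCS#12 with a fixed friendly name, import it into pluto's NSS database, point leftcert= at that name, populate /etc/ipsec.d/policies/private, and then run the `ipsec auto --add private` check. The friendly name "oe-node", the input files ca.crt/node.crt/node.key, the NSS directory /var/lib/ipsec/nss and the exact conn options are assumptions modelled on libreswan's opportunistic-IPsec examples; adjust them to your installation.

```shell
#!/bin/sh
# Added example, not from the thread or the Libreswan project.
# Assumed: ca.crt, node.crt, node.key exist in the current directory,
# the friendly name is "oe-node" on every node, and the NSS database lives
# in /var/lib/ipsec/nss (distribution-dependent).
set -eu

FRIENDLY_NAME="oe-node"          # identical on all nodes; must equal leftcert=
NSSDIR="/var/lib/ipsec/nss"      # assumption; check your distribution
POLICY_DIR="/etc/ipsec.d/policies"
PEER_NET="10.0.10.240/32"        # the peer from the thread

# Bundle key + cert + CA into a PKCS#12 file under the fixed friendly name.
make_p12() {
    openssl pkcs12 -export \
        -in node.crt -inkey node.key -certfile ca.crt \
        -name "$FRIENDLY_NAME" -out node.p12
}

# Import into pluto's NSS database; the friendly name becomes the NSS nickname
# that leftcert= refers to. certutil confirms it landed under that nickname.
import_p12() {
    ipsec import node.p12
    certutil -L -d "sql:$NSSDIR" | grep -F "$FRIENDLY_NAME"
}

# The conn that backs /etc/ipsec.d/policies/private. Emitted as text so it can
# be written to /etc/ipsec.d/private.conf or pushed out by puppet/ansible.
render_private_conn() {
    cat <<EOF
conn private
    left=%defaultroute
    leftid=%fromcert
    leftcert=$FRIENDLY_NAME
    leftrsasigkey=%cert
    right=%opportunisticgroup
    rightid=%fromcert
    rightrsasigkey=%cert
    rightca=%same
    authby=rsasig
    ikev2=insist
    negotiationshunt=hold
    failureshunt=drop
    auto=ondemand
EOF
}

# One prefix per line; pluto instantiates conn private once per entry.
write_policy() {
    printf '%s\n' "$PEER_NET" > "$POLICY_DIR/private"
}

# Paul's check: if leftcert= names a certificate that is not in NSS, the add
# fails and pluto never reports loading the "private" group file.
check_private_loads() {
    ipsec auto --add private
    ipsec status | grep -F '"private'
}

# Only touch the system when invoked as: sh provision-private.sh apply
if [ "${1:-}" = "apply" ]; then
    make_p12
    import_p12
    render_private_conn > /etc/ipsec.d/private.conf
    write_policy
    check_private_loads
fi
```

Because the friendly name is a constant rather than something derived per host, the same node.p12 naming, the same private.conf and the same policy file can be shipped to every node unchanged, which is the point Paul makes about configuration management.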

