[Swan] Policy groups
phil.nightowl at gmail.com
Thu Jun 11 19:07:07 UTC 2020
Apologies, forgot to cc the list...
----- Forwarded message -----
> If you added it verbatim, it will have failed to load on a missing
> You have never indicated how your nodes are going to identify themselves
> to each other. So I assumed you used a private CA and generate
> certificates for all nodes using some certificate issuing system that
> can create PKCS#12 files. Those files when created ask for a "friendly
> name" to use to identify the certificate as. That is the name you need
> to put in the leftcert= option.
Your assumptions are right. I am sorry for the unnecessary hassle. The
point is that I simply overlooked pluto complaining about the missing
certificate (it was one line without a 'WARNING' or 'ERROR' and I did
not read carefully enough). Yes, I've got certificates and I assume they
are properly stored in the NSS.
So, after getting the cert name right and switching from
%opportunisticgroup to %group (otherwise pluto complained about not
having ike2=insist), I get
pluto: added connection description "private"
pluto: added connection description "clear"
pluto: listening for IKE messages
pluto: adding interface enp2s3/enp2s3 10.0.10.3:500
pluto: adding interface enp2s3/enp2s3 10.0.10.3:4500
pluto: adding interface lo/lo 127.0.0.1:500
pluto: adding interface lo/lo 127.0.0.1:4500
pluto: | setup callback for interface lo:4500 fd 18
pluto: | setup callback for interface lo:500 fd 17
pluto: | setup callback for interface enp2s3:4500 fd 16
pluto: | setup callback for interface enp2s3:500 fd 15
pluto: forgetting secrets
pluto: loading secrets from "/etc/ipsec.secrets"
pluto: no secrets filename matched "/etc/ipsec.d/*.secrets"
pluto: loading group "/etc/ipsec.d/policies/clear"
pluto: loading group "/etc/ipsec.d/policies/private"
pluto: "private#10.0.10.254/32": cannot route template policy of RSASIG+ENCRYPT+TUNNEL+PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN
Everything fine up to the last line. I searched the web a little, but
found nothing useful (in most cases, the message was a follow-up of
different primary problems rather than a root cause).
Other than that, everything stays the same - packets going out in clear,
no xfrm policies installed (apart from those for SSH and the default
----- End forwarded message -----
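The thread shows why the certificate problem went unnoticed: pluto reports a connection that failed to load, and a group instance it cannot route, as plain one-line messages with no WARNING or ERROR tag. The triage script below is an added example, not code from the poster or from the Libreswan project. It reads pluto log output, picks out the per-connection lines (the ones of the form `pluto: "conn": ...` or `pluto: "conn#instance": ...`), and reports those that match known load or routing failures, so that a quiet failure like the one above surfaces alongside the `cannot route template policy` line. The sample log is constructed from the lines quoted in the thread plus one stand-in line for the missing-certificate message; the exact wording of that message and the friendly name `EXAMPLE-FRIENDLY-NAME` are assumptions, as is the list of failure phrases.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines from the thread's pluto output, plus one
# constructed line (the 'not found in NSS database' one) standing in for the
# untagged certificate message the poster overlooked. Wording is an assumption.
SAMPLE_LOG = """\
pluto: added connection description "private"
pluto: added connection description "clear"
pluto: listening for IKE messages
pluto: adding interface enp2s3/enp2s3 10.0.10.3:500
pluto: loading secrets from "/etc/ipsec.secrets"
pluto: no secrets filename matched "/etc/ipsec.d/*.secrets"
pluto: loading group "/etc/ipsec.d/policies/clear"
pluto: loading group "/etc/ipsec.d/policies/private"
pluto: "private": leftcert: certificate 'EXAMPLE-FRIENDLY-NAME' not found in NSS database
pluto: "private#10.0.10.254/32": cannot route template policy of RSASIG+ENCRYPT+TUNNEL+PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN
"""

# Phrases that indicate a connection or group instance did not come up, even
# though pluto prints them without a severity tag. Assumed list; extend as needed.
FAILURE_PATTERNS = [
    re.compile(r"cannot route"),
    re.compile(r"not found in NSS"),
    re.compile(r"failed to load"),
    re.compile(r"cannot load"),
]

# Per-connection log line: pluto: "name": msg  or  pluto: "name#instance": msg
CONN_RE = re.compile(
    r'^pluto: "(?P<conn>[^"#]+)(?:#(?P<instance>[^"]+))?":\s*(?P<msg>.*)$'
)


@dataclass
class Finding:
    line_no: int
    conn: str                 # connection name, e.g. "private"
    instance: Optional[str]   # group instance (the CIDR from the policy file), if any
    message: str              # the untagged failure text


def connections_loaded(log_text: str) -> List[str]:
    """Connection names pluto reported as added, sorted."""
    return sorted(set(re.findall(r'added connection description "([^"]+)"', log_text)))


def triage(log_text: str) -> List[Finding]:
    """Return every per-connection line whose message matches a failure pattern."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = CONN_RE.match(line)
        if not m:
            continue  # interface, secrets and group-loading lines are not per-connection
        msg = m.group("msg")
        if any(p.search(msg) for p in FAILURE_PATTERNS):
            findings.append(Finding(n, m.group("conn"), m.group("instance"), msg))
    return findings


if __name__ == "__main__":
    print("connections added:", ", ".join(connections_loaded(SAMPLE_LOG)))
    for f in triage(SAMPLE_LOG):
        where = f.conn if f.instance is None else f"{f.conn}#{f.instance}"
        print(f"line {f.line_no}: {where}: {f.message}")
```

Run against a live daemon with something like `journalctl -u ipsec | python3 triage.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the point is that a connection can be reported as "added" and still have no usable certificate or route, so the "added connection description" lines alone are not evidence that the policy group is active.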