[Swan] Policy groups

Phil Nightowl phil.nightowl at gmail.com
Thu Jun 11 19:07:07 UTC 2020


Apologies, forgot to cc the list...

----- Forwarded message -----

> If you added it verbatim, it will have failed to load on a missing
> certificate.
> 
> You have never indicated how your nodes are going to identify themselves
> to each other. So I assumed you used a private CA and generate
> certificates for all nodes using some certificate issuing system that
> can create PKCS#12 files. Those files when created ask for a "friendly
> name" to use to identify the certificate as. That is the name you need
> to put in the leftcert= option.

Your assumptions are right. I am sorry for the unnecessary hassle. The 
point is that I simply overlooked pluto complaining about the missing 
certificate (it was one line without a 'WARNING' or 'ERROR' and I did 
not read carefully enough). Yes, I've got certificates and I assume they 
are properly stored in the NSS.

So, after getting the cert name right and switching from 
%opportunisticgroup to %group (otherwise pluto complained about not 
having ike2=insist), I get

pluto[20148]: added connection description "private"
pluto[20148]: added connection description "clear"
pluto[20148]: listening for IKE messages
pluto[20148]: adding interface enp2s3/enp2s3 10.0.10.3:500
pluto[20148]: adding interface enp2s3/enp2s3 10.0.10.3:4500
pluto[20148]: adding interface lo/lo 127.0.0.1:500
pluto[20148]: adding interface lo/lo 127.0.0.1:4500
pluto[20148]: | setup callback for interface lo:4500 fd 18
pluto[20148]: | setup callback for interface lo:500 fd 17
pluto[20148]: | setup callback for interface enp2s3:4500 fd 16
pluto[20148]: | setup callback for interface enp2s3:500 fd 15
pluto[20148]: forgetting secrets
pluto[20148]: loading secrets from "/etc/ipsec.secrets"
pluto[20148]: no secrets filename matched "/etc/ipsec.d/*.secrets"
pluto[20148]: loading group "/etc/ipsec.d/policies/clear"
pluto[20148]: loading group "/etc/ipsec.d/policies/private"
pluto[20148]: "private#10.0.10.254/32": cannot route template policy of RSASIG+ENCRYPT+TUNNEL+PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN

Everything fine up to the last line. I searched the web a little, but 
found nothing useful (in most cases, the message was a follow-up of 
different primary problems rather than a root cause).

Other than that, everything stays the same - packets going out in clear, 
no xfrm policies installed (apart from those for SSH and the default 
'zeros').

Best regards,

Phil

----- End forwarded message -----
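As an added illustration, not part of the original mail or of Libreswan's own shipped example files, here is a minimal ipsec.conf and policies-file layout of the kind the thread describes. The connection names "private" and "clear" and the /etc/ipsec.d/policies path come from the pluto log above; the certificate nickname "node3", the peer addresses and the CIDR in policies/clear are assumed placeholders. The layout shows where the PKCS#12 friendly name and the %group selector go; it does not by itself explain the "cannot route template policy" line in the log.

```ini
# /etc/ipsec.conf (added example, assumed values as noted)

# Peers listed in /etc/ipsec.d/policies/private are reached over IPsec.
# leftcert= must equal the NSS nickname, i.e. the PKCS#12 "friendly name";
# with any other value pluto reports a missing certificate and skips the conn.
conn private
    left=%defaultroute
    # assumed nickname; list the real ones with: certutil -L -d sql:/etc/ipsec.d
    leftcert=node3
    leftid=%fromcert
    leftrsasigkey=%cert
    # %group instantiates this conn once per CIDR in policies/private
    right=%group
    rightid=%fromcert
    rightrsasigkey=%cert
    # only accept peer certificates issued by the same private CA
    rightca=%same
    authby=rsasig
    # IKEv2 only; the thread notes that %opportunisticgroup insists on this
    ikev2=insist
    auto=route

# Peers listed in /etc/ipsec.d/policies/clear are passed through unencrypted.
conn clear
    type=passthrough
    authby=never
    left=%defaultroute
    right=%group
    auto=route

# /etc/ipsec.d/policies/private  (one CIDR per line; 10.0.10.254/32 is from the log)
# 10.0.10.254/32

# /etc/ipsec.d/policies/clear  (assumed entry)
# 10.0.10.1/32
```

The policies files are plain text with one CIDR per line; the commented lines above show their contents inline so the example fits in one block. Listing the NSS database with `certutil -L -d sql:/etc/ipsec.d` before editing leftcert= avoids the silent one-line "missing certificate" message that the poster overlooked.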
