[Swan] Policy groups
Paul Wouters
paul at nohats.ca
Thu Jun 11 20:40:11 UTC 2020
On Thu, 11 Jun 2020, Phil Nightowl wrote:

> So, after getting the cert name right and switching from
> %opportunisticgroup to %group (otherwise pluto complained about not
> having ike2=insist), I get

You must use ikev2=insist (on rhel/centos).
On upstream libreswan you can use either ikev2=yes or ikev2=insist.
Opportunistic only works with IKEv2.

You really must use %opportunisticgroup for the private connection.

> pluto[20148]: "private#10.0.10.254/32": cannot route template policy of RSASIG+ENCRYPT+TUNNEL+PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN

If your connection allows ikev1 and ikev2, you have an older libreswan
version that has known issues with some opportunistic connections.
Please upgrade.

Paul