[Swan] Policy groups
paul at nohats.ca
Thu Jun 11 20:40:11 UTC 2020
On Thu, 11 Jun 2020, Phil Nightowl wrote:
> So, after getting the cert name right and switching from
> %opportunisticgroup to %group (otherwise pluto complained about not
> having ike2=insist), I get
You must use ikev2=insist (on rhel/centos)
On upstream libreswan you can use either ikev2=yes or ikev2=insist.
Opportunistic only works with IKEv2.
You really must use %opportunisticgroup for the private connection.
> pluto: "private#10.0.10.254/32": cannot route template policy of RSASIG+ENCRYPT+TUNNEL+PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN
If your connection allows ikev1 and ikev2, you have an older libreswan
version that has known issues with some opportunistic connections.
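A conn definition that follows the advice above (right=%opportunisticgroup and ikev2=insist), as an added illustration that is not taken from the thread or from the libreswan project; the leftcert nickname, the file paths and the 10.0.10.0/24 range are assumptions.

```ini
# /etc/ipsec.d/oe-private.conf (assumed path; any file included by ipsec.conf works)
conn private
    # Opportunistic connections need the %opportunisticgroup template, not
    # %group, so pluto can create per-peer instances such as
    # "private#10.0.10.254/32" from the policy file below.
    right=%opportunisticgroup
    rightid=%fromcert
    rightca=%same
    left=%defaultroute
    leftid=%fromcert
    leftcert=myhost.example.com   # assumed certificate nickname in the NSS database
    authby=rsasig
    # Opportunistic IPsec is IKEv2 only; "insist" avoids the IKEV1_ALLOW policy
    # bit that appears in the "cannot route template policy" message.
    ikev2=insist
    type=tunnel
    negotiationshunt=hold
    failureshunt=drop
    auto=ondemand

# /etc/ipsec.d/policies/private (one prefix per line; assumed example range)
# 10.0.10.0/24
```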