[Swan] Policy groups

Phil Nightowl phil.nightowl at gmail.com
Fri Jun 12 07:01:33 UTC 2020

> You must use ikev2=insist (on rhel/centos)

I'm on debian stable, but I guess this would be pretty much the same.

> On upstream libreswan you can use either ikev2=yes  or ikev2=insist.
> Opportunistic only works with IKEv2.
> You really must use %opportunisticgroup for the private connection.

Can you elaborate a little more on this? I admit I do not fully understand 
the difference between %group and %opportunisticgroup. My point was that
- I actually do not need opportunistic encryption in my use case 
(connecting hosts are known beforehand)
- supporting ikev1 (for a while) would make my life and the planned 
transition somewhat easier

I am indeed going to upgrade, but I would be better off performing the 
upgrade step by step and temporary support of ikev1 would allow that.

However, if it is not possible for some reason, I still can change my 


More information about the Swan mailing list