[Swan] Policy groups

Phil Nightowl phil.nightowl at gmail.com
Fri Jun 12 07:01:33 UTC 2020


> You must use ikev2=insist (on rhel/centos)

I'm on Debian stable, but I guess this would be pretty much the same.

> On upstream libreswan you can use either ikev2=yes  or ikev2=insist.
> 
> Opportunistic only works with IKEv2.
> 
> You really must use %opportunisticgroup for the private connection.

Can you elaborate a little more on this? I admit I do not fully understand
the difference between %group and %opportunisticgroup. My point was that:
- I actually do not need opportunistic encryption in my use case
  (connecting hosts are known beforehand)
- supporting IKEv1 (for a while) would make my life and the planned
  transition somewhat easier

I am indeed going to upgrade, but I would be better off performing the
upgrade step by step, and temporary support of IKEv1 would allow that.

However, if it is not possible for some reason, I still can change my 
procedure.

Phil

