[Swan] Policy groups
paul at nohats.ca
Mon Jun 15 02:41:37 UTC 2020
On Fri, 12 Jun 2020, Phil Nightowl wrote:
>> You must use ikev2=insist (on rhel/centos)
> I'm on debian stable, but I guess this would be pretty much the same.
>> On upstream libreswan you can use either ikev2=yes or ikev2=insist.
>> Opportunistic only works with IKEv2.
>> You really must use %opportunisticgroup for the private connection.
> Can you elaborate a little more on this? I admit I do not fully understand
> the difference between %group and %opportunisticgroup. My point was that
> - I actually do not need opportunistic encryption in my use case
> (connecting hosts are known beforehand)
If you are not using a network mesh encryption setup, but you have
regular host-to-host or subnet-to-subnet tunnels, then you should
not be using anything with %group or %opportunisticgroup.
You would just be doing something like:
> - supporting ikev1 (for a while) would make my life and the planned
> transition somewhat easier
For static tunnels that is just a matter of adding ikev2=no although for
devices that want IKEv1, they usually also want outdated crypto
algorithms, so you might need a specific ike= and esp= line
If the above configs don't make sense for you, please share more details
about what you are trying to do.
More information about the Swan