[Swan] Policy groups

Paul Wouters paul at nohats.ca
Mon Jun 15 02:41:37 UTC 2020

On Fri, 12 Jun 2020, Phil Nightowl wrote:

>> You must use ikev2=insist (on rhel/centos)
> I'm on debian stable, but I guess this would be pretty much the same.
>> On upstream libreswan you can use either ikev2=yes  or ikev2=insist.
>> Opportunistic only works with IKEv2.
>> You really must use %opportunisticgroup for the private connection.
> Can you elaborate a little more on this? I admit I do not fully understand
> the difference between %group and %opportunisticgroup. My point was that
> - I actually do not need opportunistic encryption in my use case
> (connecting hosts are known beforehand)

If you are not using a network mesh encryption setup, but you have
regular host-to-host or subnet-to-subnet tunnels, then you should
not be using anything with %group or %opportunisticgroup.

You would just be doing something like:




> - supporting ikev1 (for a while) would make my life and the planned
> transition somewhat easier

For static tunnels that is just a matter of adding ikev2=no although for
devices that want IKEv1, they usually also want outdated crypto
algorithms, so you might need a specific ike= and esp= line

If the above configs don't make sense for you, please share more details
about what you are trying to do.


More information about the Swan mailing list