[Swan] Policy groups

Phil Nightowl phil.nightowl at gmail.com
Tue Jun 16 09:20:52 UTC 2020

> If you are not using a network mesh encryption setup, but you have
> regular host-to-host or subnet-to-subnet tunnels, then you should
> not be using anything with %group or %opportunisticgroup.
> You would just be doing something like:
> https://libreswan.org/wiki/Host_to_host_VPN

	[ ... ]

	What I have to implement some sort of a hybrid setup. There are 
several hosts on a LAN, some roadwarriors and a few remote LANs. So 
far, nothing uncommon. However,

- at least one of the LANs is not physically secured, so I have to use 
'private' policy for host-to-host connections within the LAN.
- part of the hosts is behind NAT, the other part is not

That's why I am trying to set up basically a host-to-host setup everywhere 
(maybe just using transport mode?), with a few exceptions. To be honest, I 
don't know if that counts as a mesh encryption setup.

I wanted to use policy groups mainly in order to achieve a more clear, 
transparent and simple config (aka 'administrative security') and keep the 
maintenance intensity within a scale - using policy groups would allow for 
a nice clear separation of policies and the hosts/network they are applied 
to within the config files.

I know about the option of avoiding group policies (and perhaps using 
'also'/'alsoflip'), but using them seemed a better approach to me 
(especially when, as I thought, some basic policies were built-in, making 
the configuration even shorter).

I do not want to waste your time if this is not going to work for some 
reason, but I would be happy to understand why it is so. Could you perhaps 
share some documentation pointers? The man page is very terse regarding 
policy groups and, as I understand from your previous answers, a little out 
of date regarding built-in policies.

Many thanks,


More information about the Swan mailing list