[Swan] Policy groups
phil.nightowl at gmail.com
Tue Jun 16 09:20:52 UTC 2020
> If you are not using a network mesh encryption setup, but you have
> regular host-to-host or subnet-to-subnet tunnels, then you should
> not be using anything with %group or %opportunisticgroup.
> You would just be doing something like:
[ ... ]
What I have to implement some sort of a hybrid setup. There are
several hosts on a LAN, some roadwarriors and a few remote LANs. So
far, nothing uncommon. However,
- at least one of the LANs is not physically secured, so I have to use
'private' policy for host-to-host connections within the LAN.
- part of the hosts is behind NAT, the other part is not
That's why I am trying to set up basically a host-to-host setup everywhere
(maybe just using transport mode?), with a few exceptions. To be honest, I
don't know if that counts as a mesh encryption setup.
I wanted to use policy groups mainly in order to achieve a more clear,
transparent and simple config (aka 'administrative security') and keep the
maintenance intensity within a scale - using policy groups would allow for
a nice clear separation of policies and the hosts/network they are applied
to within the config files.
I know about the option of avoiding group policies (and perhaps using
'also'/'alsoflip'), but using them seemed a better approach to me
(especially when, as I thought, some basic policies were built-in, making
the configuration even shorter).
I do not want to waste your time if this is not going to work for some
reason, but I would be happy to understand why it is so. Could you perhaps
share some documentation pointers? The man page is very terse regarding
policy groups and, as I understand from your previous answers, a little out
of date regarding built-in policies.
More information about the Swan