On Mon 2018-10-08 18:07:14 -0400, Paul Wouters wrote:

> Now, when you are talking about a real remote access VPN,

I'm assuming this means an "encrypted internet proxy" -- is that right?

> I do agree it is a little more complicated than desired:
>
> conn vpn.nohats.ca
>     left=%defaultroute
>     leftcert=letoams.nohats.ca
>     leftsubnet=0.0.0.0/0
>     [email protected]
>     right=vpn.nohats.ca
>     rightsubnet=0.0.0.0/0
>     narrowing=yes
>     ikev2=insist
>     leftmodecfgclient=yes
>
> It would be nice if this could become:
>
> conn vpn.nohats.ca
>     type=remote-access-vpn
>     leftcert=letoams.nohats.ca
>     right=vpn.nohats.ca

What does it take to get there from here? And doesn't this minimal setup (as nice as it looks) require some interaction with a certificate authority to get the certs right in the first place (not to mention certificate maintenance)? Or do we have a story for automated certificate management that I'm not aware of?

Also, how is a novice admin supposed to know what "left" and "right" mean here? WireGuard's [Interface] vs [Peer] stanzas make it pretty clear which part corresponds to the local machine and which part corresponds to everybody else.

I note that the conf.ini-style syntax WireGuard uses is probably marginally visually simpler for most admins (thanks to inheritance from years of Microsoft, in addition to adoption by systemd) than libreswan's indented stanzas, but I'm sure that's also a matter of taste, and not a religious war I want to fight right now. :)

I want to see libreswan get to this level of simplicity and ease of use! I'm asking these questions to try to push in that direction, not trying to throw shade. If there's some way to get us closer to this, that'd be great. Good, opinionated defaults could go a long way here, and we can "bundle" them with just such a type= argument so that we're not worried about shifting an already-deployed base.

--dkg
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
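To make the [Interface] vs [Peer] contrast dkg draws concrete, here is what a WireGuard client configuration for the same kind of full-tunnel remote-access setup looks like. This is an added illustration for this page, not something posted in the thread and not libreswan or WireGuard project code; the key placeholders, the tunnel addresses, the DNS resolver, and the port are assumptions, and vpn.nohats.ca is reused from the quoted stanza only so the two configs line up.

```ini
# Added example (not from the swan-dev thread). Every value marked "assumed"
# is a placeholder; keys are shown as <...> and must be real base64 keys.

[Interface]
# Everything in this stanza describes the local machine (libreswan's "left"
# in the quoted config, where left=%defaultroute).
# The private key stays here; generate it with: wg genkey
PrivateKey = <client-private-key-base64>
# Tunnel address handed to this client (assumed); libreswan would negotiate
# this via leftmodecfgclient=yes instead of writing it down.
Address = 10.8.0.2/32
# Resolver to use while the tunnel is up (assumed; honoured by wg-quick).
DNS = 10.8.0.1

[Peer]
# Everything in this stanza describes the other side (libreswan's "right").
# Server public key, obtained out of band: wg pubkey < server.key
PublicKey = <server-public-key-base64>
# Hostname reused from the quoted config; 51820 is the conventional port (assumed).
Endpoint = vpn.nohats.ca:51820
# Send everything through the tunnel: the analogue of rightsubnet=0.0.0.0/0
# (plus narrowing=yes) in the libreswan stanza.
AllowedIPs = 0.0.0.0/0, ::/0
# Keep NAT state alive from behind a home router (assumed value).
PersistentKeepalive = 25
```

Note what is absent: there is no certificate, no CA, and no leftcert= counterpart. WireGuard authenticates peers by static public keys exchanged out of band, which is why the example needs no certificate management story at all, whereas the short libreswan form dkg wishes for still has to answer where letoams.nohats.ca's certificate comes from and who renews it. The flip side is that the WireGuard operator takes on key distribution and revocation by hand: removing a client means deleting its [Peer] entry on the server, with no CRL or expiry to fall back on.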
