On Tue, 13 Jun 2017, Evan Wheeler wrote:
My understanding is that the "negotiationshunt=passthrough" option would allow traffic to pass in the clear between two hosts while the hosts are negotiating during Phase 1, and "negotiationshunt=passthrough" would allow packets to pass in the clear after negotiations had failed due to the differing PSK values on each host, but a simple ping test between the hosts shows no ICMP packets passing in either direction according to Wireshark. All I see are ISAKMP packets. Here are the contents of my ipsec.conf file for both hosts:
That is the idea, yes.
conn mytunnel left=192.168.1.2 right=192.168.1.3 authby=secret auto=start failureshunt=passthrough negotiationshunt=passthrough keyingtries=1 retransmit-timeout=3s Am I missing something ? Should failureshunt and negotiationshunt work in this configuration?
That should do it. Possibly we have only enabled these shunts for Opportunistic based connections. You could confirm that by using right=%opportunisticgroup and adding 192.168.1.3/32 to a policy file, eg /etc/ipsec.d/policies/private-or-clear and renaming your conn mytunnel to "conn private-or-clear". If so, that is a bug. It is pretty rare that people want static VPN tunnels to "fail open", and it is really only the "opportunistic" case where people want this. Paul _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
