Hi,
I would like to use different host-to-host VPNs to "authenticate" the hosts before they can communicate with each other, and I have solved this with RSASIG keys so far - works fine.

To secure it completely, I would like to ask if there is any way I could apply a "private or drop/hold packet" policy to my VPN configs so that packets are encrypted in ANY case before they leave the box? I used the parameters already, but the shunting/whack (I don't know what's the right name for it) policies didn't come up. I think because it just works with "conn private" and %opportunisticgroup, right? Is there any other way to achieve this so that I can stick with my rsasigkeys?

Because I have different levels of security (roles), it would be great to find a way, because then I really know which host can talk to whom.

Boxes running CentOS 8 with libreswan 3.29-6.el8.
Config:

conn tun_ap01
    [email protected]
    left=192.168.3.1
    leftrsasigkey=<snip>
    [email protected]
    right=192.168.2.1
    rightrsasigkey=<snip>
    authby=rsasig
    # use auto=start when done testing the tunnel
    auto=start
    encapsulation=yes
    ikev2=insist
    phase2=esp
    narrowing=yes
    negotiationshunt=hold
    failureshunt=drop
    keyingtries=%forever
    retransmit-timeout=3s
Thanks in advance
Kind regards,
Daniel
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
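Since the goal of the post is to be sure that every conn is "encrypt or drop" and never falls back to cleartext, one defender-side check is to lint the ipsec.conf conn sections for the four parameters the post relies on (authby, auto, negotiationshunt, failureshunt). The script below is an added example, not libreswan's own tooling or anything from the list reply; it parses the ipsec.conf section/parameter syntax with a simplified reader (no `also=` expansion, no `include` handling, both hypothetical simplifications) and runs over a constructed sample config in which the first conn is the one from the post (keys snipped) and the second deliberately allows passthrough so the check has something to flag.

```python
"""Lint libreswan ipsec.conf 'conn' sections for cleartext fallback.

Added example, not libreswan's own tooling.  A conn is reported as
encrypt-or-drop only when all of the following hold:
  - failureshunt=drop          (IKE failure never falls back to cleartext)
  - negotiationshunt=hold|drop (no cleartext while IKE is in progress)
  - auto=start                 (tunnel is brought up at boot, not on demand)
  - authby=rsasig              (peer must prove possession of its RSA key)
"""
import re

# Constructed sample config (not a real deployment): tun_ap01 mirrors the
# conn from the post, tun_ap02 is deliberately weak so the lint flags it.
SAMPLE_CONF = """\
config setup
    logfile=/var/log/pluto.log

conn tun_ap01
    left=192.168.3.1
    leftrsasigkey=<snip>
    right=192.168.2.1
    rightrsasigkey=<snip>
    authby=rsasig
    # use auto=start when done testing the tunnel
    auto=start
    ikev2=insist
    negotiationshunt=hold
    failureshunt=drop

conn tun_ap02
    left=192.168.3.1
    right=192.168.4.1
    authby=rsasig
    auto=add
    negotiationshunt=passthrough
    failureshunt=passthrough
"""

# A section header ('conn NAME' or 'config setup') starts in column 0;
# indented lines never match because of the anchored '^'.
SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {conn_name: {param: value}} for every 'conn' section.

    ipsec.conf syntax: section header in column 0, indented key=value
    parameters, '#' starts a comment.  'also=' includes are not expanded
    here (hypothetical simplification for the example).
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            # Only 'conn' sections are collected; 'config setup' is skipped.
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def check_conn(params):
    """Return a list of findings; an empty list means encrypt-or-drop."""
    findings = []
    if params.get("authby") != "rsasig":
        findings.append("authby is %r, expected rsasig" % params.get("authby"))
    if params.get("auto") != "start":
        findings.append("auto is %r, tunnel is not brought up automatically" % params.get("auto"))
    if params.get("negotiationshunt") not in ("hold", "drop"):
        findings.append("negotiationshunt is %r, cleartext possible during IKE"
                        % params.get("negotiationshunt"))
    if params.get("failureshunt") != "drop":
        findings.append("failureshunt is %r, cleartext possible after IKE failure"
                        % params.get("failureshunt"))
    return findings


def audit(text):
    """Map each conn name to its findings (empty list = passes)."""
    return {name: check_conn(p) for name, p in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print("%-10s %s" % (name, "OK" if not findings else "CLEARTEXT RISK"))
        for f in findings:
            print("    - " + f)
```

Pointing `audit()` at the contents of a real `/etc/ipsec.conf` (and any files under `/etc/ipsec.d/` that it includes) gives a quick inventory of which conns can fall back to cleartext; it checks the configured policy only, not what pluto actually installed, so it complements rather than replaces looking at the kernel's live policies after the tunnels come up.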