On Tue, 9 Jun 2020, [email protected] wrote:
/etc/ipsec.d/policies/clear containing
/etc/ipsec.d/policies/private containing
Given this very short config (everything else thus being defaults), I
expected the built-in policy groups to apply, causing any connection
attempt from 10.0.10.3 (which is the default interface's IP on that
host) towards 10.0.10.254 (ping, http, whatever) to trigger the usual
handshake/IKE activity. However, I do not see any of that and the outgoing
packets are happily transmitted in the clear.
Any hints as to what I am missing would be greatly appreciated.
You need to actually have a conn private and a conn clear. Those
group connections are then instantiated for each CIDR line in
the policy files clear and private.
Try adding those in a file, e.g. /etc/ipsec.d/mesh.conf:
conn clear
    # passthrough: traffic to the CIDRs listed in policies/clear is sent unencrypted
    type=passthrough
    authby=never
    left=%defaultroute
    # one instance of this conn is created per CIDR line in policies/clear
    right=%group
    auto=ondemand

conn private
    left=%defaultroute
    leftid=%fromcert
    leftrsasigkey=%cert
    leftcert=clientcert
    # right
    rightrsasigkey=%cert
    rightid=%fromcert
    # one instance per CIDR line in policies/private, negotiated opportunistically
    right=%opportunisticgroup
    # drop packets instead of sending them in the clear while IKE runs or if it fails
    failureshunt=drop
    negotiationshunt=drop
    auto=ondemand
I specified certificates here as the authentication scheme, as you didn't
share what you were using to authenticate the nodes. You may need
to create PKCS#12 files for each node with a "friendly name" (export
name) of "clientcert" and use "ipsec import file.p12" once on each
node to import it.
Paul
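As an added illustration (not from Paul's reply or the libreswan project), a small Python checker that reproduces the diagnosis above: it parses an ipsec.conf fragment, walks the policy files, reports any policy file with no conn of the same name whose right= is %group or %opportunisticgroup (the situation that leaves traffic in the clear), and shows which policy file covers a given destination. The policy contents and conn text are constructed samples, not the poster's files.

```python
import ipaddress
import re

# Constructed sample policy files (name -> contents), not the poster's real ones.
SAMPLE_POLICIES = {
    "clear": "192.168.1.0/24\n",      # hypothetical LAN that stays unencrypted
    "private": "10.0.10.0/24\n",      # hypothetical range that must use IPsec
}
# The poster's situation: policy files exist but no conn definitions at all.
SAMPLE_CONF_WITHOUT = ""
# Minimal version of the fix: a group conn per policy file, parameters indented.
SAMPLE_CONF_WITH = """conn clear
    type=passthrough
    right=%group
conn private
    right=%opportunisticgroup
"""

def parse_conns(conf_text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.
    A 'conn NAME' line at column 0 starts a section; indented key=value
    lines belong to it; '#' starts a comment."""
    conns, current = {}, None
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].rstrip()
        if not stripped.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", stripped)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and stripped[0] in " \t" and "=" in stripped:
            key, value = stripped.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def check_policies(policies, conns):
    """True per policy file if a same-named group conn exists to instantiate it."""
    groups = {n for n, p in conns.items()
              if p.get("right") in ("%group", "%opportunisticgroup")}
    return {name: name in groups for name in policies}

def policies_matching(policies, dest):
    """Policy files containing a CIDR that covers dest (most specific CIDR per file)."""
    ip, hits = ipaddress.ip_address(dest), {}
    for name, text in policies.items():
        nets = [ipaddress.ip_network(l.split("#")[0].strip(), strict=False)
                for l in text.splitlines() if l.split("#")[0].strip()]
        found = [n for n in nets if ip in n]
        if found:
            hits[name] = str(max(found, key=lambda n: n.prefixlen))
    return hits
```

Run check_policies() over the real /etc/ipsec.d/policies/ directory and the conn files after editing; a policy file reported as False is silently ignored by the group mechanism.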
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan