On Thu, 11 Jun 2020, Phil Nightowl wrote:
> So, after getting the cert name right and switching from %opportunisticgroup to %group (otherwise pluto complained about not having ike2=insist), I get

You must use ikev2=insist (on rhel/centos).

On upstream libreswan you can use either ikev2=yes or ikev2=insist. Opportunistic only works with IKEv2.

You really must use %opportunisticgroup for the private connection.

> pluto[20148]: "private#10.0.10.254/32": cannot route template policy of RSASIG+ENCRYPT+TUNNEL+PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN

If your connection allows ikev1 and ikev2, you have an older libreswan version that has known issues with some opportunistic connections. Please upgrade.

Paul
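An added example, not part of the original thread and not libreswan code: a small Python check that applies the two configuration points from the reply above to ipsec.conf-style text. The function names, the `rhel` flag, and the sample connections are assumptions made for illustration; `also=` includes and `conn %default` are not resolved.

```python
import re

# Constructed sample in ipsec.conf syntax (not taken from the thread).
SAMPLE = """\
config setup
    # global options would go here

conn private
    right=%group            # switched away from %opportunisticgroup
    ikev2=insist

conn private-or-clear
    right=%opportunisticgroup

conn clear-or-private
    right=%opportunisticgroup
    ikev2=insist
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif not raw[0].isspace():
            current = None                     # other section, e.g. "config setup"
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def lint(text, rhel=True):
    """Flag conns that contradict the advice in the reply.

    rhel=True accepts only ikev2=insist; rhel=False (upstream) also accepts yes.
    """
    allowed = {"insist"} if rhel else {"insist", "yes"}
    findings = []
    for name, opts in parse_conns(text).items():
        right = opts.get("right", "")
        if name == "private" and right == "%group":
            findings.append((name, "private connection needs right=%opportunisticgroup"))
        if right == "%opportunisticgroup" and opts.get("ikev2", "").lower() not in allowed:
            findings.append((name, "opportunistic conn needs ikev2=" + "/".join(sorted(allowed))))
    return findings
```
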
