> You must use ikev2=insist (on rhel/centos)

I'm on debian stable, but I guess this would be pretty much the same.

> On upstream libreswan you can use either ikev2=yes or ikev2=insist.
>
> Opportunistic only works with IKEv2.
>
> You really must use %opportunisticgroup for the private connection.

Can you elaborate a little more on this? I admit I do not fully understand the difference between %group and %opportunisticgroup.

My point was that
- I actually do not need opportunistic encryption in my use case (connecting hosts are known beforehand)
- supporting ikev1 (for a while) would make my life and the planned transition somewhat easier

I am indeed going to upgrade, but I would be better off performing the upgrade step by step and temporary support of ikev1 would allow that. However, if it is not possible for some reason, I still can change my procedure.

Phil
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
