On Thu, 8 Feb 2024, Phil Nightowl wrote:
I would try 4.12.
Can you tell me that this is not strictly required to make it work? Of
course, I am going to upgrade at some point - but it will make my life much
easier if I don't have to do it on all hosts involved and right now.
No, I can't without knowing a lot more and getting a lot more debug msgs,
and tracking down where we solved bugs in older versions :)
As a starting point,
If you do want to do opportunistic encryption, that really does assume
that there is no NAT to traverse and all nodes see each others real IP
address.
This is what I have missed in the docs so far. I have been using
opportunistic for 192.168.1.0/24 and it works (no NAT there). Primarily
not because I really need opportunistic encryption here (no unknown
hosts), but the way of configuring it (policies) seemed well arranged
and flexible to me.
We should make that more clear, sorry. Yes it is a nice way to do
"cloud encryption".
No problem switching away from opportunistic if that makes things work,
but out of curiosity: is it OK to mix regular and opportunistic
connections?
Yes. Regular connections should always "win" from opportunistic ones.
I'm assuming you have roadwarriors (eg clients on dynamic IP that get an
internal IP assigned?)
Yes, I do - but they have been using a separate solution and I can keep it
that way for some time. They have the lowest priority right now.
So, here goes:
===================================
Config on server.privlan:
did not touch (yet). See below. I began with changing host1.privlan's
config to read
conn privlan-ssh
	type=passthrough
	left=%defaultroute
	right=%any
	auto=ondemand
	authby=never
	leftprotoport=tcp/%any
	rightprotoport=tcp/22
(flipped left/rightprotoport, since we're on the client here).
Unfortunately, after restarting I get:
host1 pluto[77105]: "privlan-ssh": added passthrough connection
...
host1 pluto[77105]: "privlan-ssh": cannot route template policy of AUTH_NEVER+PASS
Sorry, try this:
conn privlan-ssh
	type=passthrough
	left=%defaultroute
	right=%any
	auto=ondemand
	authby=never
	leftsubnet=0.0.0.0/0
	rightsubnet=0.0.0.0/0
	leftprotoport=tcp/%any
	rightprotoport=tcp/22
e.g. add the subnets.
Also, thanks for Cc:'ing me, please keep it that way. For some reason,
recently I get only a small fraction of the messages sent from the list.
Check your spam folder. Google enforced SPF/DKIM on all mail, as in they
started refusing large amounts of emails. We did fix the libreswan lists
to do this, so likely this is no longer happening to you.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
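The failure in the first config ("cannot route template policy of AUTH_NEVER+PASS") and the fix Paul gave (add leftsubnet/rightsubnet) can be turned into a small lint check that is run over an ipsec.conf before pluto loads it. This is an added example and not libreswan's own code or anything posted in the thread. It assumes the rule implied by the exchange: a type=passthrough conn whose peer is a template (right=%any or left=%any) and that installs policy at load time (auto=ondemand, route or start) must carry explicit leftsubnet and rightsubnet. That rule mirrors the fix, not a documented libreswan requirement. The two embedded configs are the ones quoted above; the conn %default merging is a simplification (also= is not resolved).

```python
"""Lint libreswan ipsec.conf conn sections for passthrough template conns
that lack explicit subnets (the problem discussed in the thread).

Added example, not libreswan code. The rule is derived from the fix in
the thread (add leftsubnet/rightsubnet), not from a documented check.
"""
import re
from typing import Dict, List

Conn = Dict[str, str]

# Section headers are "conn NAME" or "config setup"; parameter lines are
# key=value. Mail quoting strips indentation, so we do not rely on it.
SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")

# Config that pluto rejected in the thread (quoted from the mail).
BROKEN = """
conn privlan-ssh
	type=passthrough
	left=%defaultroute
	right=%any
	auto=ondemand
	authby=never
	leftprotoport=tcp/%any
	rightprotoport=tcp/22
"""

# Corrected config from the thread: explicit subnets added.
FIXED = """
conn privlan-ssh
	type=passthrough
	left=%defaultroute
	right=%any
	auto=ondemand
	authby=never
	leftsubnet=0.0.0.0/0
	rightsubnet=0.0.0.0/0
	leftprotoport=tcp/%any
	rightprotoport=tcp/22
"""


def parse_ipsec_conf(text: str) -> Dict[str, Conn]:
    """Return {conn_name: {key: value}}; 'config setup' is skipped,
    '#' comments and blank lines are ignored, keys are lower-cased."""
    conns: Dict[str, Conn] = {}
    current: Conn | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = conns.setdefault(name, {}) if kind == "conn" else None
            continue
        if current is None or "=" not in line:
            continue  # parameter outside a conn, or not key=value
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return conns


def lint_passthrough(conn: Conn) -> List[str]:
    """Assumed rule: a passthrough conn with a %any peer that installs policy
    at load time needs explicit leftsubnet and rightsubnet, otherwise pluto
    cannot route the template policy."""
    problems: List[str] = []
    if conn.get("type") != "passthrough":
        return problems
    is_template = "%any" in (conn.get("left"), conn.get("right"))
    if is_template and conn.get("auto") in ("ondemand", "route", "start"):
        for side in ("leftsubnet", "rightsubnet"):
            if side not in conn:
                problems.append(f"{side} missing: template passthrough conns need explicit subnets")
    return problems


def lint_file(text: str) -> Dict[str, List[str]]:
    """Lint every conn, applying 'conn %default' values underneath each one."""
    conns = parse_ipsec_conf(text)
    default = conns.get("%default", {})
    return {name: lint_passthrough({**default, **c})
            for name, c in conns.items() if name != "%default"}


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        for name, problems in lint_file(text).items():
            print(f"{label}: conn {name}: {'; '.join(problems) or 'OK'}")
```

Running it reports both missing subnets for the first config and OK for the second; the protoport lines are left alone, since tcp/22 on the right side is correct for a conn defined on the SSH client.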