On Fri, 7 Mar 2025, Mamta Gambhir via Swan wrote:
> I want to check if my ipsec config is appropriate. I have two sections for two interfaces with the same subnet. I would think the peer which has a clear section in the same subnet in opportunistic mode will communicate in the clear. But I see both interfaces successfully negotiate. See below.
Similar to having two private-or-clear style connections, you should have two clear style connections too?
> Node 1
>
> conn private-or-clear
>     right=%opportunisticgroup
>     left=10.106.2.33
>
> conn clear
>     left=10.106.2.34
>     right=%group
So what is in /etc/ipsec.d/policies/clear and /etc/ipsec.d/policies/private-or-clear ?
> Node 2
>
> conn private-or-clear
>     right=%opportunisticgroup
>     left=10.106.2.35
>
> conn clear
>     left=10.106.2.36
>     right=%group
So what is in /etc/ipsec.d/policies/clear and /etc/ipsec.d/policies/private-or-clear ?
> One would expect 33->35 successful and
It all depends on the entries in the policies files. If these have no entries, then the conns are basically "empty" and never matching anything. If you have "clear" entries, when you start pluto, you can see the clear entries using "ip xfrm policy". And again, you will have to do all this twice if you have two IPs covered in different conns for clear, private-or-clear, etc.

Paul
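As an added illustration of the two points above (a group conn reads its remote CIDRs from /etc/ipsec.d/policies/<conn-name>, and a second local IP needs a second conn with its own policies file), here is a small pre-flight check; it is not code from the thread or from libreswan, and the conn names, addresses and scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added pre-flight check, not code from the thread or from libreswan itself.
# Every conn with right=%group or right=%opportunisticgroup reads its remote
# CIDRs from /etc/ipsec.d/policies/<conn-name>; if that file is missing or
# has no entries, the conn never matches anything. All paths, conn names and
# addresses below are constructed for the demo.
set -eu

# One clear conn and one private-or-clear conn per local interface address,
# so each has its own conn name and therefore its own policies file.
write_demo_config() {  # $1 = scratch directory standing in for /etc/ipsec.d
    mkdir -p "$1/policies"
    cat > "$1/ipsec.conf" <<'EOF'
conn private-or-clear-33
    left=10.106.2.33
    right=%opportunisticgroup
conn clear-33
    left=10.106.2.33
    right=%group
conn private-or-clear-34
    left=10.106.2.34
    right=%opportunisticgroup
conn clear-34
    left=10.106.2.34
    right=%group
EOF
    for ip in 33 34; do
        printf '10.106.2.35/32\n' > "$1/policies/private-or-clear-$ip"
        printf '# peers that stay in the clear\n10.106.2.36/32\n' > "$1/policies/clear-$ip"
    done
}

# Prints "ok", or one "missing: NAME" / "empty: NAME" line per group conn
# whose policies file is absent or holds only blank and comment lines.
check_group_policies() {  # $1 = config directory
    dir=$1
    problems=$(awk '/^conn /{name=$2} /right=%(opportunistic)?group/{print name}' "$dir/ipsec.conf" |
        while read -r name; do
            f="$dir/policies/$name"
            if [ ! -f "$f" ]; then echo "missing: $name"
            elif ! grep -qvE '^[[:space:]]*(#|$)' "$f"; then echo "empty: $name"
            fi
        done)
    if [ -z "$problems" ]; then echo ok; else echo "$problems"; fi
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); write_demo_config "$d"; check_group_policies "$d"; rm -rf "$d"
fi
```

Run it against the real /etc/ipsec.d before starting pluto; once pluto is up, "ip xfrm policy" should show the clear entries for every non-empty clear group.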
