On Wed, 10 Jun 2020, phil.night...@gmail.com wrote:
> thanks for your response. I added the two conns from your mail verbatim.
> After that, the xfrm policies are installed - but only for ssh (according
> to /etc/ipsec.d/policies/clear). This corresponds to pluto startup output;
> it only says
> pluto[12539]: loading group "/etc/ipsec.d/policies/clear",
> but does not mention /etc/ipsec.d/policies/private at all (which itself
> contains only the line with 10.0.10.240/32). The system in fact
> behaves accordingly, transmitting all packets (not only SSH) happily in
> clear.
If you added it verbatim, it will have failed to load on a missing
certificate.
You have never indicated how your nodes are going to identify themselves
to each other. So I assumed you used a private CA and generated
certificates for all nodes using some certificate issuing system that
can create PKCS#12 files. Those files, when created, ask for a "friendly
name" to use to identify the certificate as. That is the name you need
to put in the leftcert= option.
If you do this with puppet or ansible or something, you should give all
pkcs#12 files the same "friendly name" for the cert, so you can copy
using puppet or ansible or cfengine identical files to all the nodes.
You can confirm my hypothesis by manually running: ipsec auto --add private
Paul
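The check Paul describes, as an added example that is not from this thread or from libreswan itself: read the "friendly name" out of a PKCS#12 file, use it as the leftcert= value, and then confirm the conn loads with ipsec auto --add. The file name, password, nickname "nodecert", the NSS database path and the conn options shown are assumptions for illustration; the exact conns from Paul's earlier mail are not on this page.

```shell
#!/bin/sh
# Added example, not code from the swan thread or from libreswan.
# Assumed values: /etc/ipsec.d/node.p12, password "secret", nickname
# "nodecert", NSS db at /var/lib/ipsec/nss (libreswan default on recent
# releases; older ones use /etc/ipsec.d).

# Extract the friendlyName attribute from `openssl pkcs12 -info` output
# read on stdin. The importer turns that name into the NSS nickname, so
# it is exactly what leftcert= has to match.
parse_friendly_name() {
    sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p' | head -n 1
}

# Run openssl on a real PKCS#12 file and feed it to the parser above.
# Usage: p12_friendly_name /etc/ipsec.d/node.p12 secret
p12_friendly_name() {
    openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$2" 2>/dev/null \
        | parse_friendly_name
}

# Render an illustrative "private" conn for the policy group file
# /etc/ipsec.d/policies/private. Only leftcert= is the point here; the
# other options are a generic opportunistic-style stand-in (assumption).
render_private_conn() {
    cat <<EOF
conn private
    left=%defaultroute
    leftcert=$1
    leftid=%fromcert
    right=%opportunisticgroup
    rightid=%fromcert
    type=tunnel
    auto=ondemand
EOF
}

# Import the file into the NSS db, list the nicknames so the leftcert=
# value can be checked against them, then do the manual add that Paul
# suggests: a wrong or missing certificate fails loudly here instead of
# the group file being silently skipped at pluto startup.
import_and_check() {
    ipsec import "$1"                        # asks for the PKCS#12 password
    certutil -L -d sql:/var/lib/ipsec/nss    # nickname must appear in this list
    ipsec auto --add private
}

# Example run (only when a real PKCS#12 file is present):
if [ -f /etc/ipsec.d/node.p12 ]; then
    name=$(p12_friendly_name /etc/ipsec.d/node.p12 secret)
    render_private_conn "$name"
fi
```

Because pluto loads the policy group files from the conn of the same name, the "loading group" line for private only appears once the private conn itself loaded, which is why the manual ipsec auto --add private is the quickest way to see the real error.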
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan