[strongSwan] policy groups

Martin Willi martin at strongswan.org
Thu May 16 09:16:19 CEST 2013


Hi Michi,

> Does strongswan support policy groups?

No, strongSwan currently does not know such a configuration concept.

> how can I configure strongswan so that it never sends traffic in clear
> text?

Usually you can achieve this with a "routed" policy, i.e. one with the
auto=route keyword to a rightsubnet=0.0.0.0/0. This will make sure no
traffic leaves unencrypted. If no connection exists for the associated
traffic, the kernel will trigger it.

Of course there are other mechanisms to prevent that plain traffic
leaves your box. You could, for example, manually install a drop policy
to 0.0.0.0/0 with a lower priority, or even use Netfilter to drop any
packet that is not encrypted (or is IKE).

Regards
Martin
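
The routed policy described above, written out as an ipsec.conf fragment beside an auto=start connection for contrast. This is an added example, not part of the original message; the connection names, gateway name and the 10.1.0.0/16 subnet are placeholders, and authentication settings are assumed to be configured elsewhere (for example in conn %default).

```conf
# /etc/ipsec.conf (constructed example; load one of the two conns, not both)

# Contrast: tunnel brought up at startup for one remote subnet only.
# The IPsec policies are installed together with the CHILD_SA, so they
# exist only while the tunnel is up, and traffic to any destination
# outside 10.1.0.0/16 never matches a policy at all.
conn site-started
    keyexchange=ikev2
    right=gw.example.org
    rightsubnet=10.1.0.0/16
    auto=start

# Routed policy as described in the message: a trap policy for all
# destinations is installed when the configuration is loaded. A packet
# that matches it while no SA exists makes the kernel trigger the
# negotiation instead of letting the packet leave unencrypted.
conn all-routed
    keyexchange=ikev2
    right=gw.example.org
    rightsubnet=0.0.0.0/0
    auto=route
```

After loading the configuration, `ip xfrm policy` lists the policies the kernel currently holds, which shows whether the 0.0.0.0/0 policy is in place before any tunnel has been negotiated.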




