Apart from these four classes of OE, there is a mechanism to fine-tune these modes further. The directory /etc/ipsec.d/policies/
contains a small set of policy files, each of which may list IP addresses or subnets (one per line) that need explicit handling. The entry 0.0.0.0/0 denotes the entire Internet.
Policy file | Purpose
---|---
block | Never talk to these hosts at all
clear | Always talk in the clear to these hosts
clear-or-private | Talk in the clear, but allow these hosts to initiate OE to us
private | Only talk encrypted to these hosts
private-or-clear | Attempt OE to these hosts, but talk in the clear if they do not support OE
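Because the five policy files are consulted by address, it is easy to end up with a host covered by more than one of them, or with a typo that silently drops an entry. The following script is an added example (not Openswan's own code or behaviour): it writes a constructed policy set into a temporary directory, parses each file, reports exact duplicates across files, and answers "which policy governs this address?" by longest-prefix match. The longest-prefix rule is an assumption made for the check; the page does not state how Openswan resolves overlapping entries, so treat a reported overlap as something to remove rather than as a prediction of what Openswan will do.

```python
"""Sanity-check Openswan OE policy files under /etc/ipsec.d/policies/.

Added example, not Openswan code. Assumptions: the five policy-group files
(block, clear, clear-or-private, private, private-or-clear) hold one IP or
CIDR per line and '#' starts a comment; when an address appears in more
than one file the most specific (longest) prefix wins. The last point is an
assumption for this checker, not documented Openswan behaviour.
"""
import ipaddress
import os
import tempfile

POLICY_FILES = ("block", "clear", "clear-or-private", "private", "private-or-clear")

# Constructed sample policy set (documentation ranges, not a real host's files).
SAMPLE_POLICIES = {
    "block": "# never talk to these hosts\n198.51.100.0/24\n",
    "clear": "# always in the clear\n192.0.2.0/24\n",
    "clear-or-private": "",
    "private": "# only encrypted\n203.0.113.0/24\n",
    "private-or-clear": "# try OE with everyone else, fall back to clear\n0.0.0.0/0\n",
}


def parse_policy_file(path):
    """Return the networks listed in one policy file; a bare host becomes /32 or /128."""
    nets = []
    if not os.path.exists(path):  # a missing file simply means no entries
        return nets
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            try:
                nets.append(ipaddress.ip_network(line, strict=False))
            except ValueError as exc:
                raise ValueError(f"{path}:{lineno}: bad entry {line!r}: {exc}") from exc
    return nets


def load_policies(policies_dir):
    """Map each policy-file name to its parsed networks."""
    return {name: parse_policy_file(os.path.join(policies_dir, name)) for name in POLICY_FILES}


def policy_for(ip, policies):
    """Return (policy name, matching network) using longest-prefix match, or (None, None)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = (None, None), -1
    for name, nets in policies.items():
        for net in nets:
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = (name, net), net.prefixlen
    return best


def find_conflicts(policies):
    """Return (network, first file, second file) for networks listed in two different files."""
    seen, conflicts = {}, []
    for name, nets in policies.items():
        for net in nets:
            if net in seen and seen[net] != name:
                conflicts.append((net, seen[net], name))
            seen.setdefault(net, name)
    return conflicts


def write_sample(policies_dir):
    """Write the constructed sample files into policies_dir."""
    os.makedirs(policies_dir, exist_ok=True)
    for name, body in SAMPLE_POLICIES.items():
        with open(os.path.join(policies_dir, name), "w") as fh:
            fh.write(body)


def demo():
    """Classify a few constructed addresses against the sample set; returns (mapping, conflicts)."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        pol = load_policies(tmp)
        probes = ("198.51.100.7", "192.0.2.1", "203.0.113.9", "8.8.8.8")
        return {ip: policy_for(ip, pol)[0] for ip in probes}, find_conflicts(pol)


if __name__ == "__main__":
    mapping, conflicts = demo()
    for ip, name in mapping.items():
        print(f"{ip:16} -> {name}")
    print("conflicts:", conflicts or "none")
```

Point `load_policies` at a real /etc/ipsec.d/policies/ (as root) to check a live host; any `ValueError` from `parse_policy_file` points at the exact file and line that Openswan would otherwise have to reject or misread.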
Note
Any host that publishes OE DNS records, and thereby advertises that it uses OE, must always run Openswan, because OE-capable hosts will refuse to communicate with it in the clear.
Be aware that private-or-clear does not mean we will talk to those hosts in the clear if OE fails to initialize properly. Openswan refuses to talk in the clear to any host that advertises OE capabilities through...