diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l
index c41dd8048..cc2faf5c9 100644
--- a/lib/libipsecconf/parser.l
+++ b/lib/libipsecconf/parser.l
@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis)
 char ebuf[128];
 snprintf(ebuf, sizeof(ebuf),
- "cannot open include filename: '%s': %s",
+ (strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ?
+ "cannot open include filename: '%s': %s" :
+ "ignored loading default system-wide crypto-policies file '%s': %s",
 iis->fileglob.gl_pathv[fcnt],
 strerror(errno));
 yyerror(ebuf);
diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in
index 7374efc3c..974699f01 100644
--- a/programs/configs/ipsec.conf.in
+++ b/programs/configs/ipsec.conf.in
@@ -1,27 +1,18 @@
 # @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file
 #
-# Manual: ipsec.conf.5
+# see 'man ipsec.conf' and 'man pluto' for more information
+#
+# For example configurations and documentation, see https://libreswan.org/wiki/
 config setup
- # Normally, pluto logs via syslog. If you want to log to a file,
- # specify below or to disable logging, eg for embedded systems, use
- # the file name /dev/null
- # Note: SElinux policies might prevent pluto writing to a log file at
- # an unusual location.
+ # Normally, pluto logs via syslog.
 #logfile=/var/log/pluto.log
 #
 # Do not enable debug options to debug configuration issues!
 #
- # plutodebug "all", "none" or a combation from below:
- # "raw crypt parsing emitting control controlmore kernel pfkey
- # natt x509 dpd dns oppo oppoinfo private".
- # Note: "private" is not included with "all", as it can show confidential
- # information. It must be specifically specified
- # examples:
 # plutodebug="control parsing"
 # plutodebug="all crypt"
- # Again: only enable plutodebug when asked by a developer
- #plutodebug=none
+ plutodebug=none
 #
 # NAT-TRAVERSAL support
 # exclude networks used on server side by adding %v4:!a.b.c.0/24
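Review bot: The relaxed message is selected by a substring match, `strstr(iis->filename, "crypto-policies/back-ends/libreswan.config")`, so any include pattern that merely contains that fragment under any directory root is reported as the ignored system-wide default rather than as a failed include, and the test inspects `iis->filename` while the message prints `iis->fileglob.gl_pathv[fcnt]`. An exact comparison on the path that actually failed, e.g. `strcmp(iis->fileglob.gl_pathv[fcnt], "/etc/crypto-policies/back-ends/libreswan.config") == 0`, would tie the special case to the one file ipsec.conf.in includes. Both wordings still reach the unchanged `yyerror(ebuf);` on the last context line, so "ignored" is presumably only cosmetic unless yyerror treats this text specially; if a missing policy file is meant to be non-fatal, that decision belongs in the control flow, and the message should state that pluto then runs without the system-wide policy so the operator notices. parser_y_nextglobfile starts and ends outside the hunk.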
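Review bot: Uncommenting `plutodebug=none` is fine, but the deleted note that "private" is not included in "all" because it can show confidential information leaves the surviving examples `# plutodebug="control parsing"` and `# plutodebug="all crypt"` with no hint that some debug classes log sensitive data. Since this template is what operators copy from, a one-line reminder next to the examples, e.g. `# Note: "private" is not part of "all"; it can expose confidential information`, preserves the warning the old comment carried. The retained line "Do not enable debug options to debug configuration issues!" only addresses misuse for troubleshooting, not the disclosure risk.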
@@ -30,10 +21,8 @@ config setup
 # This range has never been announced via BGP (at least up to 2015)
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
-# For example connections, see your distribution's documentation directory,
-# or https://libreswan.org/wiki/
-#
-# There is also a lot of information in the manual page, "man ipsec.conf"
-#
+# if it exists, include system wide crypto-policy defaults
+include /etc/crypto-policies/back-ends/libreswan.config
+
 # It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/
 include @IPSEC_CONFDDIR@/*.conf
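Review bot: The comment `# if it exists, include system wide crypto-policy defaults` promises conditional behaviour, but the `include` line is unconditional; the "if it exists" part rests entirely on the parser.l hunk in this commit, which only changes the wording when the open fails and still passes the message to yyerror(). If a missing file is genuinely tolerated on systems without crypto-policies, the comment should say what actually happens, e.g. `# system-wide crypto-policy defaults; a missing file is reported but tolerated`, and the parser should treat that one path as optional in code rather than in message text. The include sits before `include @IPSEC_CONFDDIR@/*.conf`, presumably so per-connection files can override the policy defaults; a short comment stating that ordering dependency would stop someone reordering it. The path is also hard-coded under /etc rather than derived from a configure substitution like @IPSEC_CONFDDIR@, which may matter for builds with a non-default sysconfdir.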