You may be interested in why OpportunisticEncryption is on in the first place. The reasons go back to the original purpose of the FreeSWAN project. We hope to make it trivial to run with both OpportunisticEncryption and VPN use at the same time. Remember, this is a work-in-progress.
OE is implemented with five implicit conns. If they do not exist in ipsec.conf, then the scripts create them. This permits OE to be enabled on a system with no configuration. The conns are:
There are two ways to disable OE.
One way is to edit /etc/ipsec.d/policies/private-or-clear and comment out the line 0.0.0.0/0. You will then want to add a line saying 0.0.0.0/0 to /etc/ipsec.d/policies/clear. This makes the default OE policy for "world" clear. The nice thing about doing this is that you can enable OE again for certain destinations. If you instead add the 0.0.0.0/0 line to the clear-or-private file, then you can support being a target for OE connections, but you will never initiate any.
See Quickstart for information on publishing your key.
The second way is to create conns that disable all OE conns. This is done by creating conns with the "auto=ignore" option:
conn packetdefault
    auto=ignore

conn private
    auto=ignore

conn clear
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore
Unless you have a screwed up distro, a file that does exactly this should be installed for you already in /etc/ipsec.d/examples/no_oe.conf. Thus the simplest way is to do:
include /etc/ipsec.d/examples/no_oe.conf
at the end of the /etc/ipsec.conf file. You will notice that this may in fact already be there.
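To confirm which of the two methods is actually in effect on a host, the following read-only audit is an added example and is not part of FreeS/WAN. The function names and the root-prefix argument are assumptions made for illustration, and the sample tree it checks is constructed.

```shell
#!/bin/sh
# Added example, not FreeS/WAN code. The first argument is a hypothetical root
# prefix so a copied config tree can be audited; paths must not contain spaces.
OE_CONNS="packetdefault private clear private-or-clear clear-or-private"

# Method 1: print each policy group file holding an uncommented 0.0.0.0/0.
default_policy_groups() {
    for f in "${1:-}"/etc/ipsec.d/policies/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*0\.0\.0\.0/0([[:space:]]|$)' "$f"; then
            basename "$f"
        fi
    done
}

# Method 2: print each implicit OE conn NOT set to auto=ignore in ipsec.conf
# or in a file it includes (literal include paths only, no globs).
conns_not_ignored() {
    root=${1:-}
    files="$root/etc/ipsec.conf"
    for inc in $(awk '$1 == "include" { print $2 }' "$files"); do
        if [ -f "$root$inc" ]; then files="$files $root$inc"; fi
    done
    ignored=$(awk '
        /^conn[ \t]+/ { name = $2; next }  # a conn section starts
        /^[^ \t#]/    { name = "" }        # another top-level line ends it
        /^[ \t]*$/    { name = "" }        # so does a blank line
        /^[ \t]+auto[ \t]*=[ \t]*ignore[ \t]*$/ && name != "" { print name }
    ' $files)
    for c in $OE_CONNS; do
        printf '%s\n' "$ignored" | grep -qxF -- "$c" || echo "$c"
    done
}

# Constructed sample tree (not a real host): method 2 applied, method 1 not.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ipsec.d/policies" "$d/etc/ipsec.d/examples"
    echo '0.0.0.0/0' > "$d/etc/ipsec.d/policies/private-or-clear"
    echo '# 0.0.0.0/0' > "$d/etc/ipsec.d/policies/clear"
    for c in $OE_CONNS; do printf 'conn %s\n    auto=ignore\n\n' "$c"; done \
        > "$d/etc/ipsec.d/examples/no_oe.conf"
    printf 'config setup\n\ninclude /etc/ipsec.d/examples/no_oe.conf\n' > "$d/etc/ipsec.conf"
    echo "$d"
}

tree=$(demo_tree)
echo "0.0.0.0/0 is active in: $(default_policy_groups "$tree")"
echo "OE conns not ignored: $(conns_not_ignored "$tree")"
```

An empty second line means all five implicit conns are ignored; any name printed there is a conn the scripts will still create.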