<div dir="ltr"><div><div>I see. Thanks for the answer.<br></div><br></div>-- Harry<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 5, 2016 at 10:20 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Harry,<br>
<br>
the loading of private keys is not handled by starter but by the<br>
stroke plugin through processing of /etc/ipsec.secrets. Thus the<br>
decryption of protected private key files is done directly by the<br>
charon daemon via the stroke plugin.<br>
<br>
Best regards<br>
<br>
Andreas<span class=""><br>
<br>
On 06.01.2016 06:19, Harry Chan-Maestas wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Hi Andreas,<br>
<br>
Thank you for clarification.<br>
<br>
So is the "starter" process doing something similar when processing<br>
ipsec.secrets? Basically, I was looking something like<br>
<br></span>
: RSA /<private key file>/ [ /<passphrase>/ | /%prompt/ ]<span class=""><br>
<br>
through VICI.<br>
<br>
Harry<br>
<br>
On Tue, Jan 5, 2016 at 9:04 PM, Andreas Steffen<br></span>
<<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a> <mailto:<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>>><span class=""><br>
wrote:<br>
<br>
Hi Harry,<br>
<br>
yes your assumption is correct. swanctl decrypts protected private<br>
keys and sends them as plaintext via VICI to the charon daemon.<br>
<br>
Best regards<br>
<br>
Andreas<br>
<br>
<br>
On 06.01.2016 03:59, Harry Chan-Maestas wrote:<br>
<br>
Hi,<br>
<br>
Is this assumption/understanding correct? Going through the swantcl<br>
code, it seems that the way it deals with encrypted private keys<br>
is by<br>
reading the key, decrypting it, and sending the decrypted<br>
version to Charon.<br>
<br>
If this is not the case, would anyone know what is the API to<br>
send the<br>
encrypted RSA private key and the decrypt password to Charon<br>
through VICI?<br>
<br>
Thank you in advance,<br>
<br>
Harry<br>
<br>
<br>
======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br></span>
<mailto:<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>><span class=""><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br></span>
<<a href="http://www.strongswan.org" rel="noreferrer" target="_blank">http://www.strongswan.org</a>><span class=""><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
<br>
</span></blockquote>
<br>
-- <br><div class="HOEnZb"><div class="h5">
======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</div></div></blockquote></div><br></div>