[strongSwan] Host to host with certs - where to put own private key?
Kostya Vasilyev
kman at fastmail.com
Wed Feb 13 12:25:41 CET 2019
Tobias,
On Wed, Feb 13, 2019, at 11:39 AM, Tobias Brunner wrote:
> Hi Kostya,
>
> > It was the conf syntax I was after :)
> >
> > I now see it in the docs for swanctl.conf under "secrets.private<suffix> section".
>
> You only have to configure private keys in such sections if they are
> password protected (and you can't or don't want to provide the password
> interactively) or if they are not stored in the default directories.
> All keys and certificates in the default directories are loaded
> automatically by --load-creds (the tool will prompt the user for
> passwords for protected keys unless --noprompt is given).
What about automatic startup?
systemctl start strongswan strongswan-swanctl
Will that also load all certs and keys automatically from default directories?
> > Now how can I specify the protocol (GRE in my case, proto 47)?
> >
> > Does that go into local_ts / remote_ts? Does it mean I have to put local and remote IPs in two places
>
> Yes, traffic selectors are configured with these settings. To
> automatically use the IKE endpoints (or virtual IP) in a TS, you can use
> the 'dynamic' keyword (e.g. local_ts = dynamic[47] or remote_ts =
> dynamic[gre]). An example can even be found in our test suite [1].
Thank you, nice to not have to duplicate the IPs.
-- K
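To make the two points of this exchange concrete, here is an added swanctl.conf fragment that is not part of the thread (neither Kostya's nor Tobias's configuration): a host-to-host connection authenticated with certificates from the default directories, a child SA whose traffic selectors are built with the dynamic keyword to cover only GRE (IP protocol 47), and a secrets.private section for the one case where a private key must be named explicitly, a passphrase-protected key. Host names, IDs, file names and the 192.0.2.0/24 addresses are constructed placeholders; the passphrase is a placeholder to be replaced.

```conf
# /etc/swanctl/swanctl.conf  (added example, constructed values)
#
# Certificates and keys in the default directories are picked up by
# `swanctl --load-creds` without being listed here:
#   /etc/swanctl/x509/     end-entity certificates
#   /etc/swanctl/x509ca/   CA certificates
#   /etc/swanctl/private/  private keys
# The stock strongswan-swanctl.service unit runs
# `swanctl --load-all --noprompt` after charon starts, so an
# unprotected key in /etc/swanctl/private/ needs no secrets entry.

connections {
    hosta-hostb {
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2
        version = 2

        local {
            auth  = pubkey
            # file name relative to /etc/swanctl/x509/
            certs = hostACert.pem
            id    = "C=CH, O=Example, CN=hosta.example.org"
        }
        remote {
            auth = pubkey
            # the peer's certificate is validated against /etc/swanctl/x509ca/;
            # pinning the expected identity prevents any other cert from that
            # CA being accepted for this connection
            id   = "C=CH, O=Example, CN=hostb.example.org"
        }

        children {
            gre {
                # 'dynamic' expands to the IKE endpoint address, so the IPs
                # above are not repeated; [gre] / [47] restricts the selector
                # to IP protocol 47. Any non-GRE traffic between the hosts is
                # NOT covered by this SA.
                local_ts  = dynamic[gre]
                remote_ts = dynamic[47]
                # host-to-host: transport mode, no inner subnets
                mode = transport
                # install a trap policy so GRE packets trigger the tunnel
                start_action = trap
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}

secrets {
    # Only needed because this key is passphrase protected and the daemon
    # is started non-interactively. For an unencrypted key, omit the block.
    private-hosta {
        # file name relative to /etc/swanctl/private/
        file   = hostAKey.pem
        secret = "REPLACE_WITH_KEY_PASSPHRASE"
    }
}
```

Because the secrets block stores the key passphrase in clear text, swanctl.conf must be readable by root only (the same restriction already applied to /etc/swanctl/private/). After editing, `swanctl --load-all` reloads both credentials and connections, and `swanctl --list-conns` shows the expanded selectors, which should read as `dynamic[gre]` on both sides for this child.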