<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace">Hi Tobias,</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">Ah, ok, you're suggesting to use a single private key and use it for the CSRs/Certificates? Have not tried to use it before, but this is a test environment, so that could work.<br></div><div class="gmail_default" style="font-family:monospace,monospace"></div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">Thanks,</div><div class="gmail_default" style="font-family:monospace,monospace">Roberts<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 4 Apr 2019 at 16:17, Roberts Pakalns &lt;<a href="mailto:pakalns@gmail.com">pakalns@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace">Hi Tobias,</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">Thank you! I guess this answers it.</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">We're using strongSwan to simulate many unique IPsec peers to the same firewall which acts as the hub. 
It's not a real-life scenario.</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">Thanks,</div><div class="gmail_default" style="font-family:monospace,monospace">Roberts</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 4 Apr 2019 at 15:28, Tobias Brunner &lt;<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Roberts,<br>
<br>
> Description: I want to set up 2000 IKEv2 cert based tunnels.<br>
<br>
And you need to use separate private keys for each tunnel to identify<br>
your peer/host?<br>
<br>
> Problem: After applying the configuration, I see that load of private<br>
> keys cannot finish as ipsec is restarting after 10s.<br>
<br>
That timeout is hardcoded in starter (invokecharon.c). You could try<br>
charon-systemd/swanctl as alternative (but there might be a timeout too<br>
if the credentials are loaded via systemd unit).<br>
<br>
But again, why would you need to load that many private keys in the<br>
first place?<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail-m_-4395790039753019481gmail_signature"><div dir="ltr"><font face="monospace, monospace">Roberts</font></div></div>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><font face="monospace, monospace">Roberts</font></div></div>
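The single-key approach discussed in this thread, for a test rig like the one described, as an added example that is not from the thread or from the strongSwan project: one RSA key is used for every CSR, so there is one private key to load however many peer certificates exist. It assumes the `openssl` CLI; the function names, the "Test CA" and the `peer-N.test.example` subjects are constructed for illustration.

```shell
#!/bin/sh
# Added example: many peer certificates issued over ONE shared private key.
# All names below (Test CA, peer-N.test.example, file names) are constructed.

# make_peer_certs DIR COUNT
# Writes DIR/ca.key, DIR/ca.crt, DIR/peers.key and DIR/peer-<n>.crt.
make_peer_certs() {
    dir=$1
    count=$2
    mkdir -p "$dir" || return 1

    # Self-signed test CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # The single private key shared by every simulated peer.
    openssl genrsa -out "$dir/peers.key" 2048 2>/dev/null || return 1

    i=1
    while [ "$i" -le "$count" ]; do
        # Unique subject per peer, same key behind each CSR.
        openssl req -new -key "$dir/peers.key" \
            -subj "/CN=peer-$i.test.example" \
            -out "$dir/peer-$i.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/peer-$i.csr" -days 30 \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial "$i" \
            -out "$dir/peer-$i.crt" 2>/dev/null || return 1
        rm -f "$dir/peer-$i.csr"
        i=$((i + 1))
    done
}

# count_distinct_pubkeys DIR: how many different public keys the certs carry.
count_distinct_pubkeys() {
    for c in "$1"/peer-*.crt; do
        openssl x509 -in "$c" -noout -pubkey | openssl sha256
    done | sort -u | wc -l | tr -d ' '
}

# count_distinct_subjects DIR: how many different identities the certs carry.
count_distinct_subjects() {
    for c in "$1"/peer-*.crt; do
        openssl x509 -in "$c" -noout -subject
    done | sort -u | wc -l | tr -d ' '
}

# Stand-alone use: sh script.sh OUTDIR COUNT
if [ "$#" -eq 2 ]; then
    make_peer_certs "$1" "$2"
fi
```

Every certificate carries its own subject, but all of them carry the same public key, so a compromise of `peers.key` exposes every simulated identity at once.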