[strongSwan-dev] simple RSA authentication w/o CA
James Hulka
jah at open.ch
Mon Feb 4 16:40:21 CET 2013
My question is whether strongSwan supports a simple RSA authentication based
solely on RSA private/public key pairs without signed certificates (as
in the case of Racoon)?
In an attempt to set up a simple strongSwan VPN using RSA authentication
I followed the example found here:
http://www.strongswan.org/uml/testresults/ikev2/net2net-rsa/moon.ipsec.conf
The only difference being server names, key content, auto=start, no
CERTs and the fact that the setup is host2host and not net2net.
The private key for each host is /etc/ipsec.d/private/<leftid>.pem and
the public key is entered as text (RFC 3110 DNSKEY format) in the
left|rightrsasigkey.
Upon starting strongswan I received the following messages:
loaded RSA private key from '/etc/ipsec.d/private/<leftid>.pem'
...
charon: 13[LIB] building CRED_PUBLIC_KEY - RSA failed, tried 3 builders
charon: 13[CFG] loading RSA public key for "<leftid>" failed
charon: 13[LIB] building CRED_PUBLIC_KEY - RSA failed, tried 3 builders
charon: 13[CFG] loading RSA public key for "<rightid>" failed
charon: 04[IKE] no private key found for '<leftid>'
...
Even though strongSwan is able to load the private key, it is not able to
find it later when it goes to use it. I would have assumed that having:
<leftid> : RSA <leftid>.pem
would solve this, but this only works after having built the entire PKI
infrastructure with all involved certificates for each host.
The loading of the public keys fails, and I can only assume this is
because certificates containing these keys are required in order to be
able to use them, as the same setup worked with a PKI infrastructure.
Thank you in advance for shedding some light on this question,
James
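The two failures in the log above are linked: charon locates the private key for an identity through a public key (a certificate or a raw key) bound to that identity, so once the raw public keys fail to build, "no private key found" follows. The likely cause of the build failure is a format mismatch. strongSwan's ipsec.conf manual documents left|rightrsasigkey (later left|rightsigkey) as a PKCS#1 RSAPublicKey in hex (0x) or base64 (0s) encoding, whereas the 0s value that pluto/Openswan-style configurations and DNSKEY/IPSECKEY records carry is the RFC 3110 blob (exponent length, exponent, modulus) with no DER wrapping. The converter below is an added example, not code from the post or from strongSwan; it assumes the documented 0s PKCS#1 form and uses a constructed, non-real 2048-bit modulus purely to exercise the encoding (later strongSwan releases document a dns: prefix that accepts RFC 3110 keys directly, which makes this conversion unnecessary there).

```python
import base64


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def parse_rfc3110(blob: bytes):
    """RFC 3110 section 2 layout: exponent length (1 byte; if 0, the next
    2 bytes hold the length), exponent, then the modulus fills the rest."""
    if len(blob) < 2:
        raise ValueError("RFC 3110 key too short")
    elen, off = blob[0], 1
    if elen == 0:
        if len(blob) < 4:
            raise ValueError("RFC 3110 key too short")
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    if elen == 0 or len(blob) < off + elen + 1:
        raise ValueError("truncated RFC 3110 key")
    e = int.from_bytes(blob[off:off + elen], "big")
    n = int.from_bytes(blob[off + elen:], "big")
    return e, n


def to_pkcs1_der(e: int, n: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body


def _read_tlv(buf: bytes, off: int):
    """Minimal DER TLV reader; returns (tag, value, offset after value)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    return tag, buf[off:off + length], off + length


def parse_pkcs1_der(der: bytes):
    """Reverse of to_pkcs1_der, used to verify the round trip."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag_n, n_bytes, off = _read_tlv(seq, 0)
    tag_e, e_bytes, off = _read_tlv(seq, off)
    if tag_n != 0x02 or tag_e != 0x02 or off != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def rfc3110_to_strongswan(rfc3110_b64: str) -> str:
    """Turn the base64 RSA part of a DNSKEY/IPSECKEY record (the value a
    pluto-style config carried after '0s') into the '0s' + base64 PKCS#1
    value charon expects for left|rightrsasigkey."""
    e, n = parse_rfc3110(base64.b64decode(rfc3110_b64))
    return "0s" + base64.b64encode(to_pkcs1_der(e, n)).decode("ascii")


def strongswan_to_key(value: str):
    """Decode a '0s' PKCS#1 value back to (e, n)."""
    if not value.startswith("0s"):
        raise ValueError("only the base64 '0s' form is handled here")
    return parse_pkcs1_der(base64.b64decode(value[2:]))


# Constructed sample: e = 65537 and a 2048-bit stand-in modulus. This is NOT a
# real RSA key; it only exercises the encoding, which never looks at the math.
SAMPLE_E = 65537
SAMPLE_N = int.from_bytes(b"\xc3" + bytes(range(1, 256)), "big")
SAMPLE_RFC3110_B64 = base64.b64encode(
    b"\x03" + SAMPLE_E.to_bytes(3, "big") + SAMPLE_N.to_bytes(256, "big")
).decode("ascii")

if __name__ == "__main__":
    print("leftrsasigkey=" + rfc3110_to_strongswan(SAMPLE_RFC3110_B64))
```

The printed value goes into leftrsasigkey/rightrsasigkey for the matching identity; ipsec.secrets keeps the `: RSA <file>.pem` line for the private key, which charon then finds through the now-loadable public key. Two caveats for raw-key setups: the key-to-identity binding is only as trustworthy as the out-of-band channel that copied the public key into the peer's configuration, and there is no expiry or revocation, so rotating a key means editing every peer.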