[strongSwan] expected record boundary in key

Tobias Brunner tobias at strongswan.org
Wed Feb 8 13:57:24 CET 2012


>>> When I try to add 'leftcert', I can no longer use PSK.
>>
>> Well, what's the point of defining a certificate if you want to use a
>> pre-shared secret for authentication?
>
> Most (all) of my connections will eventually use certificates, so the
> plan was to put that in the %default section, so I don't have to
> duplicate it in every single conn section...

I see.  In that case you have to either add a FQDN/RFC822_ADDR as
subjectAltName to the certificate, so that this simple ID can then be
used as leftid and in ipsec.secrets, or you use the 'also' keyword
instead of %default as a means to avoid having to duplicate options in
multiple connections. Or...

I had a look at the code and it actually is possible to use DNs as ID
selectors in ipsec.secrets (the IKEv2 daemon charon already supports
this).  The problem is that pluto's parser treats any line starting with
" or ' as a PSK secret without selectors (seems to be a very old PSK
format used by FreeS/WAN).  As indicated by the error message you got,
it seems that this wasn't even fully supported anymore.  I pushed a fix
to our repository [1], which completely removes support for this legacy
format.

Regards,
Tobias

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7efde901
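As an added illustration of the 'also' approach and of a DN selector in ipsec.secrets (this is an example written for this page, not configuration from the thread or from the strongSwan project; all connection names, DNs, addresses and the secret are constructed placeholders):

```ini
# --- ipsec.conf (added example, constructed values) ---
config setup

# Template section holding what the certificate-based connections share.
# It carries no auto= line, so it is never loaded on its own; only the
# connections that pull it in via 'also' are.  Unlike %default, nothing
# in here leaks into the PSK connection further down.
conn cert-common
        keyexchange=ikev2
        leftcert=moonCert.pem
        leftid="C=CH, O=Example, CN=moon.example.org"

conn to-sun
        also=cert-common
        right=sun.example.org
        rightid="C=CH, O=Example, CN=sun.example.org"
        auto=add

# This connection does not include cert-common, so no leftcert is set
# and a pre-shared key can be used.
conn to-psk-peer
        keyexchange=ikev2
        leftid=moon.example.org
        right=192.0.2.10
        rightid=192.0.2.10
        authby=secret
        auto=add

# --- ipsec.secrets (added example, constructed values) ---
# Simple IDs as selectors, matching the PSK connection above:
moon.example.org 192.0.2.10 : PSK "constructed-placeholder-secret"

# A DN as selector, which charon already accepts and which the fix in [1]
# makes usable with pluto (previously a line starting with a quote was
# taken as a selector-less legacy PSK entry):
"C=CH, O=Example, CN=moon.example.org" 192.0.2.10 : PSK "constructed-placeholder-secret"
```

The template section is referenced only through 'also', so the PSK connection stays free of the certificate settings; the DN line in ipsec.secrets is the form that produced the "expected record boundary in key" error before the parser change.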