[strongSwan] preloading client certificates

cellkites at hushmail.com cellkites at hushmail.com
Thu Oct 2 12:47:30 CEST 2014


Awesome thanks for that.  I believe I was having an issue with some
intermediary firewalls / nat  devices dropping my oversized packets
due to the size of the rsa certs.  Hopefully preloading them will fix
that.

Out of interest, how does the strongswan daemon know which cert
corresponds to which client? Is the client just sending the subject
of its certificate and then the daemon uses that to choose a
corresponding client cert?
On 2/10/2014 at 3:37 PM, "Martin Willi" wrote:

Pete,

> I've copied them to the /etc/ipsec.d/certs directory and restarted the
> daemon but "ipsec listcerts" still only lists the certificates that I
> have a private key for.

Certificates from the cert directory do not get loaded automatically.
The directory merely holds the certificates you can directly reference
with left/rightcert. This is a little different from the swanctl x509
directory [1], for which all contained certificates get loaded
implicitly.

If you have a large bunch of client certificates to handle, you probably
don't want a conn entry in ipsec.conf for each. Usually you issue all
the certificates from a CA to avoid handling all the client certificates
separately, and just install the CA to cacerts.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/SwanctlDirectory
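The two ways of handling client certificates that Martin describes, side by side in a minimal ipsec.conf. This is an added illustration, not configuration from the thread or from the strongSwan project; the file names, DNs and address pool are assumptions.

```conf
# Added example; certificate file names, DNs and the address pool are assumptions.
config setup

# Approach 1: one conn per client. The certificate in /etc/ipsec.d/certs/
# is only loaded because this conn names it with rightcert.
conn client1
    keyexchange=ikev2
    left=%defaultroute
    # /etc/ipsec.d/certs/serverCert.pem, private key in /etc/ipsec.d/private/
    leftcert=serverCert.pem
    leftid="C=CH, O=Example, CN=vpn.example.org"
    right=%any
    # /etc/ipsec.d/certs/client1Cert.pem, no private key needed on the gateway
    rightcert=client1Cert.pem
    rightid="C=CH, O=Example, CN=client1"
    rightsourceip=10.10.10.0/24
    auto=add

# Approach 2: trust the issuing CA instead of individual client certs.
# The CA certificate goes in /etc/ipsec.d/cacerts/, and one conn accepts
# every client whose certificate chains to that CA.
conn roadwarriors
    keyexchange=ikev2
    left=%defaultroute
    leftcert=serverCert.pem
    leftid="C=CH, O=Example, CN=vpn.example.org"
    right=%any
    rightauth=pubkey
    rightca="C=CH, O=Example, CN=Example Client CA"
    rightsourceip=10.10.10.0/24
    auto=add
```

After `ipsec reload`, `ipsec listcacerts` shows whether the CA from /etc/ipsec.d/cacerts/ was picked up, and `ipsec listcerts` shows the certificates referenced by leftcert/rightcert.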