[strongSwan] preloading client certificates
andreas.steffen at strongswan.org
Thu Oct 2 12:57:20 CEST 2014
On 10/02/2014 12:47 PM, cellkites at hushmail.com wrote:
> Awesome thanks for that. I believe I was having an issue with some
> intermediary firewalls / nat devices dropping my oversized packets due
> to the size of the rsa certs. Hopefully preloading them will fix that.
The upcoming strongSwan 5.2.1 release will include support for the new
IKEv2 fragmentation standard, so any oversized IKE_AUTH packet issues
are going to be solved.
> Out of interest how does the strongswan daemon know which cert
> corresponds to which client? Is the client just sending the subject of
> it's certificate and then the daemon uses that to choose a corresponding
> client cert?
Lookup is based on the IKEv2 identity payload sent by the peer.
> On 2/10/2014 at 3:37 PM, "Martin Willi" <martin at strongswan.org> wrote:
> > I've copied them to the /etc/ipsec.d/certs directory and restarted the
> > daemon but "ipsec listcerts" still only lists the certificates that I
> > have a private key for.
> Certificates from the cert directory do not get loaded automatically.
> The directory merely holds the certificates you can directly reference
> with left/rightcert. This is a little different from the swanctl x509
> directory , for which all contained certificates get loaded
> If you have a large bunch of client certificates to handle, you probably
> don't want a conn entry in ipsec.conf for each. Usually you issue all
> the certificates from a CA to avoid handling all the client certificates
> separately, and just install the CA to cacerts.
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
More information about the Users