[strongSwan] preloading client certificates

cellkites at hushmail.com
Thu Oct 2 13:27:48 CEST 2014


Ok, thanks for the info Andreas. Will the android client be updated at
the same time?

Ideally we would just be moving to ecdsa based certs but support for
it is a bit spotty among the various android vendors.
On 2/10/2014 at 6:57 PM, "Andreas Steffen" wrote:

Hi Pete,

On 10/02/2014 12:47 PM, cellkites at hushmail.com wrote:
> 
> Awesome thanks for that. I believe I was having an issue with some
> intermediary firewalls / nat devices dropping my oversized packets due
> to the size of the rsa certs. Hopefully preloading them will fix that.
>
The upcoming strongSwan 5.2.1 release will include support for the new
IKEv2 fragmentation standard, so any oversized IKE_AUTH packet issues
are going to be solved.

> Out of interest how does the strongswan daemon know which cert
> corresponds to which client? Is the client just sending the subject of
> its certificate and then the daemon uses that to choose a corresponding
> client cert?
> 
Lookup is based on the IKEv2 identity payload sent by the peer.

Best regards

Andreas

> 
> On 2/10/2014 at 3:37 PM, "Martin Willi"  wrote:
> 
>     Pete,
> 
>     > I've copied them to the /etc/ipsec.d/certs directory and restarted the
>     > daemon but "ipsec listcerts" still only lists the certificates that I
>     > have a private key for.
> 
>     Certificates from the cert directory do not get loaded automatically.
>     The directory merely holds the certificates you can directly reference
>     with left/rightcert. This is a little different from the swanctl x509
>     directory [1], for which all contained certificates get loaded
>     implicitly.
> 
>     If you have a large bunch of client certificates to handle, you probably
>     don't want a conn entry in ipsec.conf for each. Usually you issue all
>     the certificates from a CA to avoid handling all the client certificates
>     separately, and just install the CA to cacerts.
> 
>     Regards
>     Martin
> 
>     [1] https://wiki.strongswan.org/projects/strongswan/wiki/SwanctlDirectory
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
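As an added illustration (not part of this thread and not a configuration shipped by strongSwan), here is what the two approaches Martin describes look like on the gateway: option A pins one preloaded client certificate per conn, option B installs only the CA in cacerts and lets the daemon verify whatever end-entity certificate the client presents. The swanctl.conf equivalent at the bottom shows the implicit-loading behaviour of the swanctl x509 directory that Martin contrasts with /etc/ipsec.d/certs, and the fragmentation setting is the 5.2.1 feature Andreas mentions. All file names, identities and DNs are assumptions.

```ini
# Added example: gateway-side strongSwan configuration illustrating the
# points raised in the thread. File names, identities and DNs are assumed.

# --- /etc/ipsec.conf -------------------------------------------------------
config setup

conn %default
    keyexchange=ikev2
    # IKEv2 fragmentation (RFC 7383), available from strongSwan 5.2.1.
    # Splits large IKE_AUTH messages carrying RSA certificates so that
    # middleboxes dropping oversized UDP datagrams no longer break IKE_AUTH.
    fragmentation=yes
    left=%any
    leftcert=gatewayCert.pem          # looked up in /etc/ipsec.d/certs
    leftid="C=CH, O=Example, CN=gw.example.org"

# Option A: pin one client certificate per conn. The file in
# /etc/ipsec.d/certs is loaded only because rightcert references it; the
# conn is selected by matching the IKEv2 identity the client sends (IDi)
# against rightid, which defaults to the certificate's subject DN.
conn pete
    rightcert=peteCert.pem
    rightid="C=CH, O=Example, CN=pete"
    auto=add

# Option B: trust the issuing CA instead. Only the CA certificate lives in
# /etc/ipsec.d/cacerts; each client's end-entity certificate arrives in
# IKE_AUTH and is verified against it, so no per-client conn is needed.
# rightca restricts the acceptable issuer, rightid the acceptable subjects
# (an asterisk matches any value for that RDN).
conn roadwarriors
    rightca="C=CH, O=Example, CN=Example Client CA"
    rightid="C=CH, O=Example, CN=*"
    auto=add

# --- /etc/swanctl/swanctl.conf equivalent of option B ----------------------
# Certificates in /etc/swanctl/x509 and /etc/swanctl/x509ca are loaded
# implicitly by 'swanctl --load-creds', so a client certificate dropped
# into x509 is available without being referenced from any connection.
connections {
    roadwarriors {
        version = 2
        fragmentation = yes
        local {
            auth = pubkey
            certs = gatewayCert.pem          # /etc/swanctl/x509/gatewayCert.pem
            id = "C=CH, O=Example, CN=gw.example.org"
        }
        remote {
            auth = pubkey
            cacerts = exampleClientCA.pem    # /etc/swanctl/x509ca/exampleClientCA.pem
            id = "C=CH, O=Example, CN=*"
        }
        children {
            net {
                local_ts = 10.0.0.0/24
            }
        }
    }
}
```

After changing either file, reload credentials before checking what the daemon sees: `ipsec rereadall` followed by `ipsec listcerts` and `ipsec listcacerts` for the ipsec.conf setup, or `swanctl --load-creds` and `swanctl --list-certs` for swanctl. With option A a client whose IDi matches no conn's rightid is rejected even if its certificate file is present; with option B the issuer constraint in rightca/cacerts is what prevents a certificate from an unrelated CA in the trust store from being accepted for this connection.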