[strongSwan] preloading client certificates

cellkites at hushmail.com cellkites at hushmail.com
Thu Oct 2 13:27:48 CEST 2014

Ok, thanks for the info Andreas. Will the android client be updated at
the same time?

Ideally we would just be moving to ecdsa based certs but support for
it is a bit spotty among the various android vendors.
On 2/10/2014 at 6:57 PM, "Andreas Steffen" wrote:

Hi Pete,

On 10/02/2014 12:47 PM, cellkites at hushmail.com wrote:
> Awesome thanks for that. I believe I was having an issue with some
> intermediary firewalls / nat devices dropping my oversized packets
> to the size of the rsa certs. Hopefully preloading them will fix
The upcoming strongSwan 5.2.1 release will include support for the new
IKEv2 fragmentation standard, so any oversized IKE_AUTH packet issues
are going to be solved.

> Out of interest how does the strongswan daemon know which cert
> corresponds to which client? Is the client just sending the subject
> it's certificate and then the daemon uses that to choose a
> client cert?
Lookup is based on the IKEv2 identity payload sent by the peer.

Best regards


> On 2/10/2014 at 3:37 PM, "Martin Willi" wrote:
>     Pete,
>     > I've copied them to the /etc/ipsec.d/certs directory and restarted the
>     > daemon but "ipsec listcerts" still only lists the certificates that I
>     > have a private key for.
>     Certificates from the cert directory do not get loaded
>     The directory merely holds the certificates you can directly
>     with left/rightcert. This is a little different from the swanctl
>     directory [1], for which all contained certificates get loaded
>     implicitly.
>     If you have a large bunch of client certificates to handle, you
>     don't want a conn entry in ipsec.conf for each. Usually you issue all
>     the certificates from a CA to avoid handling all the client
>     separately, and just install the CA to cacerts.
>     Regards
>     Martin
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
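As an added example (not from this thread or the strongSwan project), the ipsec.conf sketch below contrasts the per-client rightcert approach with the CA-based approach Martin describes; certificate file names, DNs and addresses are constructed assumptions, and the conn is selected by matching the peer's IKEv2 identity (rightid) as Andreas notes.

```ini
# /etc/ipsec.conf (constructed example; file names and DNs are assumptions)
config setup

conn %default
    keyexchange=ikev2
    # IKEv2 fragmentation (strongSwan 5.2.1 and later) avoids oversized
    # IKE_AUTH packets being dropped by firewalls/NAT devices
    fragmentation=yes

# Per-client variant: a certificate in /etc/ipsec.d/certs is NOT loaded
# implicitly; it is only used when a conn names it via rightcert, so
# every client needs its own conn entry.
conn client-alice
    left=%any
    leftcert=serverCert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightcert=aliceCert.pem
    rightauth=pubkey
    rightsourceip=10.10.0.0/24
    auto=add

# CA variant: one conn for all clients whose certificates chain to a CA
# installed in /etc/ipsec.d/cacerts. No client certificates need to be
# present on the gateway; the peer sends its certificate in IKE_AUTH and
# the daemon validates it against the trusted CA and the rightid pattern.
conn clients-from-ca
    left=%any
    leftcert=serverCert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightca="C=CH, O=Example Corp, CN=Example Client CA"
    rightid="C=CH, O=Example Corp, CN=*"
    rightauth=pubkey
    rightsourceip=10.10.0.0/24
    auto=add
```

With the CA variant, revoking a single client is done through the CA's CRL or OCSP rather than by editing conn entries, which is the operational advantage Martin alludes to.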