[strongSwan] preloading client certificates

Andreas Steffen andreas.steffen at strongswan.org
Thu Oct 2 14:36:02 CEST 2014


The Android VPN client will be updated, too.

Andreas

On 10/02/2014 01:27 PM, cellkites at hushmail.com wrote:
> Ok, thanks for the info Andreas. Will the android client be updated at
> the same time?
> 
> Ideally we would just be moving to ecdsa based certs but support for it
> is a bit spotty among the various android vendors.
> 
> 
> On 2/10/2014 at 6:57 PM, "Andreas Steffen"
> <andreas.steffen at strongswan.org> wrote:
> 
>     Hi Pete,
> 
>     On 10/02/2014 12:47 PM, cellkites at hushmail.com wrote:
>     > 
>     > Awesome thanks for that. I believe I was having an issue with some
>     > intermediary firewalls / nat devices dropping my oversized packets due
>     > to the size of the rsa certs. Hopefully preloading them will fix that.
>     >
>     The upcoming strongSwan 5.2.1 release will include support for the new
>     IKEv2 fragmentation standard, so any oversized IKE_AUTH packet issues
>     are going to be solved.
> 
>     > Out of interest how does the strongswan daemon know which cert
>     > corresponds to which client? Is the client just sending the subject of
>     > it's certificate and then the daemon uses that to choose a corresponding
>     > client cert?
>     > 
>     Lookup is based on the IKEv2 identity payload sent by the peer.
> 
>     Best regards
> 
>     Andreas
> 
>     > 
>     > On 2/10/2014 at 3:37 PM, "Martin Willi" <martin at strongswan.org> wrote:
>     > 
>     >     Pete,
>     > 
>     >     > I've copied them to the /etc/ipsec.d/certs directory and restarted the
>     >     > daemon but "ipsec listcerts" still only lists the certificates that I
>     >     > have a private key for.
>     > 
>     >     Certificates from the cert directory do not get loaded automatically.
>     >     The directory merely holds the certificates you can directly reference
>     >     with left/rightcert. This is a little different from the swanctl x509
>     >     directory [1], for which all contained certificates get loaded
>     >     implicitly.
>     > 
>     >     If you have a large bunch of client certificates to handle, you probably
>     >     don't want a conn entry in ipsec.conf for each. Usually you issue all
>     >     the certificates from a CA to avoid handling all the client certificates
>     >     separately, and just install the CA to cacerts.
>     > 
>     >     Regards
>     >     Martin
>     > 
>     >     [1]https://wiki.strongswan.org/projects/strongswan/wiki/SwanctlDirectory
>     >
>     ======================================================================
>     Andreas Steffen andreas.steffen at strongswan.org
>     strongSwan - the Open Source VPN Solution! www.strongswan.org
>     <http://www.strongswan.org>
>     Institute for Internet Technologies and Applications
>     University of Applied Sciences Rapperswil
>     CH-8640 Rapperswil (Switzerland)
>     ===========================================================[ITA-HSR]==
> 
> 
> 
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
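Martin's advice above (issue all client certificates from one CA, install only the CA certificate in cacerts, and avoid one conn per client) is illustrated below as an added ipsec.conf example. It is not taken from the thread or from the strongSwan project; the DNs, paths and connection name are constructed placeholders. The point it adds is the check a defender wants: a CA in cacerts makes every certificate issued by that CA acceptable, so the conn constrains the peer with rightca and a rightid pattern rather than accepting any identity.

```conf
# /etc/ipsec.conf (constructed example; names and DNs are placeholders)
#
# Files assumed on the gateway:
#   /etc/ipsec.d/cacerts/clientCA.pem   - the CA that issues all client certs
#                                         (loaded automatically from cacerts)
#   /etc/ipsec.d/certs/gatewayCert.pem  - the gateway's own certificate,
#                                         referenced explicitly via leftcert
#   /etc/ipsec.d/private/gatewayKey.pem - matching private key, listed in
#                                         /etc/ipsec.secrets as ": RSA gatewayKey.pem"
#
# No per-client certificates are copied to /etc/ipsec.d/certs; as noted in
# the thread, certificates there are not loaded unless a conn references them.

config setup

conn %default
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey

conn roadwarriors
    left=%any
    leftid="C=CH, O=Example Org, CN=vpn.example.org"
    leftcert=gatewayCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    # Constrain which peers the CA trust actually admits:
    #  - rightca: the peer's certificate must chain to this issuer
    #  - rightid: the IKEv2 identity payload (which the daemon uses for
    #    the lookup) must match this DN pattern
    rightca="C=CH, O=Example Org, CN=Example Client CA"
    rightid="C=CH, O=Example Org, OU=VPN Users, CN=*"
    rightsourceip=10.10.10.0/24
    auto=add
```

After reloading (`ipsec rereadall` then `ipsec update`), `ipsec listcacerts` should show the client CA and `ipsec listcerts` only the gateway certificate with its key, which is the expected state rather than a sign that client certificates are missing. Revocation is the caveat that comes with CA-based trust: without a CRL or OCSP source (for example a crluri in the CA's certificate or a ca section in ipsec.conf) a revoked client certificate still satisfies rightca.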
