[strongSwan] preloading client certificates
andreas.steffen at strongswan.org
Thu Oct 2 14:36:02 CEST 2014
The Android VPN client will be updated, too.
On 10/02/2014 01:27 PM, cellkites at hushmail.com wrote:
> Ok, thanks for the info Andreas. Will the android client be updated at
> the same time?
> Ideally we would just be moving to ecdsa based certs but support for it
> is a bit spotty among the various android vendors.
> On 2/10/2014 at 6:57 PM, "Andreas Steffen"
> <andreas.steffen at strongswan.org> wrote:
> Hi Pete,
> On 10/02/2014 12:47 PM, cellkites at hushmail.com wrote:
> > Awesome thanks for that. I believe I was having an issue with some
> > intermediary firewalls / nat devices dropping my oversized packets due
> > to the size of the rsa certs. Hopefully preloading them will fix that.
> The upcoming strongSwan 5.2.1 release will include support for the new
> IKEv2 fragmentation standard, so any oversized IKE_AUTH packet issues
> are going to be solved.
> > Out of interest how does the strongswan daemon know which cert
> > corresponds to which client? Is the client just sending the subject of
> > it's certificate and then the daemon uses that to choose a corresponding
> > client cert?
> Lookup is based on the IKEv2 identity payload sent by the peer.
> Best regards
> > On 2/10/2014 at 3:37 PM, "Martin Willi" <martin at strongswan.org> wrote:
> > Pete,
> > > I've copied them to the /etc/ipsec.d/certs directory and restarted the
> > > daemon but "ipsec listcerts" still only lists the certificates that I
> > > have a private key for.
> > Certificates from the cert directory do not get loaded automatically.
> > The directory merely holds the certificates you can directly reference
> > with left/rightcert. This is a little different from the swanctl x509
> > directory , for which all contained certificates get loaded
> > implicitly.
> > If you have a large bunch of client certificates to handle, you probably
> > don't want a conn entry in ipsec.conf for each. Usually you issue all
> > the certificates from a CA to avoid handling all the client certificates
> > separately, and just install the CA to cacerts.
> > Regards
> > Martin
> > https://wiki.strongswan.org/projects/strongswan/wiki/SwanctlDirectory
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> Users mailing list
> Users at lists.strongswan.org
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
More information about the Users