[strongSwan] preloading client certificates

cellkites at hushmail.com cellkites at hushmail.com
Fri Oct 3 02:31:37 CEST 2014


Sorry, one more question.

On my android peers I have a self gen CA preloaded and manually
specified (i.e. select automatically is unticked), however looking at
the logs I can see in the ike auth request they are requesting the
responder send a copy of that cert. Why is that?

Also in the swanctl docs I could see an option that appeared to stop
the responder sending the entire certificate chain
(connections..send_certreq) but I couldn't find an equivalent option
in ipsec.conf.

Cheers,

pete

On 2/10/2014 at 6:57 PM, "Andreas Steffen"  wrote:

Hi Pete,

On 10/02/2014 12:47 PM, cellkites at hushmail.com wrote:
>
> Awesome thanks for that. I believe I was having an issue with some
> intermediary firewalls / nat devices dropping my oversized packets due
> to the size of the rsa certs. Hopefully preloading them will fix that.
>
The upcoming strongSwan 5.2.1 release will include support for the new
IKEv2 fragmentation standard, so any oversized IKE_AUTH packet issues
are going to be solved.

> Out of interest how does the strongswan daemon know which cert
> corresponds to which client? Is the client just sending the subject of
> its certificate and then the daemon uses that to choose a corresponding
> client cert?
>
Lookup is based on the IKEv2 identity payload sent by the peer.

Best regards

Andreas

>
> On 2/10/2014 at 3:37 PM, "Martin Willi"  wrote:
>
>     Pete,
>
>     > I've copied them to the /etc/ipsec.d/certs directory and restarted the
>     > daemon but "ipsec listcerts" still only lists the certificates that I
>     > have a private key for.
>
>     Certificates from the cert directory do not get loaded automatically.
>     The directory merely holds the certificates you can directly reference
>     with left/rightcert. This is a little different from the swanctl x509
>     directory [1], for which all contained certificates get loaded
>     implicitly.
>
>     If you have a large bunch of client certificates to handle, you probably
>     don't want a conn entry in ipsec.conf for each. Usually you issue all
>     the certificates from a CA to avoid handling all the client certificates
>     separately, and just install the CA to cacerts.
>
>     Regards
>     Martin
>
>     [1] https://wiki.strongswan.org/projects/strongswan/wiki/SwanctlDirectory
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
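As an added example (not part of the thread, not strongSwan project code), a swanctl.conf connection that follows Martin's advice: clients are authenticated against one CA rather than one conn per client certificate, with the send_certreq option Pete asked about and the IKEv2 fragmentation setting Andreas mentions for 5.2.1. File names, identities and addresses are placeholders.

```conf
# swanctl.conf (added example). Certificates are picked up implicitly from
# /etc/swanctl/x509 and /etc/swanctl/x509ca, unlike /etc/ipsec.d/certs.
connections {
    rw {
        version = 2
        # IKEv2 fragmentation (strongSwan >= 5.2.1): keeps IKE_AUTH messages
        # carrying RSA certificates from being dropped by middleboxes that
        # discard oversized UDP datagrams.
        fragmentation = yes
        # Whether this side sends CERTREQ payloads naming its trusted CAs
        # to the peer (default yes). Setting it to no only affects what we
        # request; it does not stop the peer from requesting our cert.
        send_certreq = yes
        # Send our own certificate only when the peer asks for it.
        send_cert = ifasked
        local {
            auth = pubkey
            # Placeholder: gateway certificate in /etc/swanctl/x509/
            certs = gatewayCert.pem
            id = vpn.example.org
        }
        remote {
            auth = pubkey
            # Placeholder: any client certificate that chains to this CA
            # (in /etc/swanctl/x509ca/) is accepted; no per-client entry.
            cacerts = caCert.pem
        }
        children {
            net {
                local_ts = 10.1.0.0/16
            }
        }
        pools = rw_pool
    }
}
pools {
    rw_pool {
        addrs = 10.3.0.0/24
    }
}
```

Clients are identified at runtime by the IKEv2 identity payload and their certificate's chain to the CA, so adding a client means issuing a certificate, not editing this file.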