[strongSwan] Fwd: Re: Is IKEv2 certificate binding to the hardware?

tefeng tefeng.em at gmail.com
Fri Sep 19 07:28:28 CEST 2014


Hello, Noel,

one more question:
Is it possible to extend the lifetime of the certificate on the server when it
expires?  That would save me a lot of time by avoiding changing the *.p12
files on the VPN client machines.

Best Regards!
Quine
2014-9-19



-------- Forwarded Message --------
Subject: 	Re: [strongSwan] Is IKEv2 certificate binding to the hardware?
Date: 	Fri, 19 Sep 2014 01:57:29 +0800
From: 	tefeng <tefeng.em at gmail.com>
To: 	Noel Kuntze <noel at familie-kuntze.de>



Hello, Noel,

Many THX!  After reproducing the server certificates (serverKey.pem and
serverCert.pem with "--san" field), IKEv2 certificate now is OK.  :)

And also thanks for your reminder.  I got it wrong.  I checked the
strongSwan website again and found the instructions use "ipsec pki
--self ..." to produce certificate.  Then I can use the argument
"--lifetime".

Best Regards!
Quine
2014-9-19



On 9/19/2014 1:06 AM, Noel Kuntze wrote:
> Hello,
> First question: No. Check the SAN fields.
>
> Second question: pki --pub gives you the corresponding public key for the input private key or certificate. The output is not a certificate.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> Am 18.09.2014 um 18:53 schrieb tefeng:
>> Hi, All,
>>
>> I have been using strongswan 4.6.4 on my VPS and it worked well. Recently I migrated it to another VPS (still 4.6.4 and the same certificates copied from the previous VPS) but the vpn client (Agile VPN Client in win7 or strongSwan VPN Client for android) with IKEv2 certificate didn't work except that IKEv1 certificate is OK with Cisco VPN Client.
>>
>> Is IKEv2 certificate binding to the hardware?  If yes, then I have to reproduce the certificates.
>>
>> The 2nd question: Is it possible to substitute "ipsec pki --self ..." for "ipsec pki --pub ..."?  Because the command "--pub" only produces a certificate with fixed 3 years lifetime and I want more.
>>
>> Any recommendation would be really appreciated.  Thanks in advance.
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users

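Added example, not part of the thread and not the posters' own commands: the certificate workflow the replies refer to, where `--pub` only extracts the public key and `--san` and `--lifetime` are set on `--self` / `--issue`. The host name, DNs, key sizes, lifetimes and the CA file names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: CA and server certificate with an explicit SAN and lifetime.
# Assumed values (not from the thread): HOST, the DNs, key sizes, lifetimes,
# and the caKey.pem / caCert.pem file names.
PKI="${PKI:-ipsec pki}"          # strongSwan pki tool
HOST="${HOST:-vpn.example.com}"  # placeholder: name or IP the clients connect to
CA_DAYS="${CA_DAYS:-3650}"       # --lifetime is given in days
SRV_DAYS="${SRV_DAYS:-1825}"

make_ca() {
    # Private keys are written with owner-only permissions.
    ( umask 077; $PKI --gen --type rsa --size 4096 --outform pem > caKey.pem )
    # --self creates a self-signed certificate and accepts --lifetime.
    $PKI --self --ca --lifetime "$CA_DAYS" --in caKey.pem --type rsa \
         --dn "C=XX, O=Example, CN=Example VPN CA" --outform pem > caCert.pem
}

make_server_cert() {
    ( umask 077; $PKI --gen --type rsa --size 2048 --outform pem > serverKey.pem )
    # --pub outputs a public key, not a certificate. --issue signs that key
    # with the CA; this is the step where --san and --lifetime apply.
    $PKI --pub --in serverKey.pem --type rsa |
    $PKI --issue --lifetime "$SRV_DAYS" --cacert caCert.pem --cakey caKey.pem \
         --dn "C=XX, O=Example, CN=$HOST" --san "$HOST" \
         --flag serverAuth --outform pem > serverCert.pem
}

show_cert() {
    # Prints subject, altNames and validity period, so the SAN and the expiry
    # date can be checked before the certificate is deployed.
    $PKI --print --in "${1:-serverCert.pem}"
}
```

Run `make_ca`, then `make_server_cert`, then `show_cert` in an empty directory, with `HOST` set to the address the VPN clients are configured to connect to.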

