[strongSwan] PEM vs DER certificate format

Martin Lund scsi7143 at gmx.com
Thu Dec 3 16:20:49 CET 2015


Today I started reconfiguring an existing StrongSwan 4.4 VPN because the certs are about to expire soon.

I was surprised that the current documentation on the strongswan site suggests using some .DER (binary) certificate format:


Why is this? Why did you have to change something which was working for years?
Where do I even see the expiration date of this .der file?

With the old .PEM certificates at least it was obvious, because I could set the number of days until expiration:

Considering that this .der is identified by unix file as "data", it is junk for other devices like routers. How is this any better than .pem?

After replacing the old .pems with .ders and restarting the vpn nodes I got an "id 'blahblah.com' not confirmed by certificate, defaulting to ..." message, so I had to remove the leftid/rightid directives (which were just making the config more secure), but not even after this did it work...

On Server:

Dec  3 14:01:08 vpntest1 charon: 14[CFG] no matching peer config found
Dec  3 14:01:08 vpntest1 charon: 14[IKE] peer supports MOBIKE
Dec  3 14:01:08 vpntest1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

On Client:
Dec  3 14:01:08 vpntest2 charon: 05[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec  3 14:01:08 vpntest2 charon: 05[IKE] received AUTHENTICATION_FAILED notify error

What, no matching peer configuration? The server does not need any config files, just its own key+cert+cacert.

Please remove this new "der tutorial" from your website asap so people don't even see it
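Added example (not part of Martin Lund's post and not strongSwan code): the question "where do I even see the expiration date of this .der file" comes down to the fact that PEM and DER carry the same X.509 structure; PEM is the DER bytes base64-encoded between BEGIN/END armor lines, which is why `file` reports a .der as plain "data". The script below shows that by building a constructed, dummy-signed sample certificate with a tiny DER encoder, then reading the notBefore/notAfter fields straight out of either encoding and computing the days left. The host name, serial and dates in it are made up for the example. In practice `openssl x509 -inform DER -in cert.der -noout -dates` prints the same two fields, `openssl x509 -inform DER -in cert.der -outform PEM -out cert.pem` converts for devices that only take PEM, and strongSwan's own pki tool accepts `--outform pem` when issuing.

```python
import base64
import datetime
import re

UTC = datetime.timezone.utc


# --- tiny DER encoder, used only to build the constructed sample certificate ---
def der_length(n):
    """DER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + der_length(len(value)) + value


def x509_time(dt):
    """RFC 5280: UTCTime (0x17, two-digit year) before 2050, GeneralizedTime after."""
    if dt.year < 2050:
        return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def name_cn(cn):
    """Name ::= SEQUENCE OF SET OF {OID commonName 2.5.4.3, UTF8String}."""
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))


def build_sample_der(not_before, not_after, cn="vpntest1.example"):
    """Constructed sample: correct X.509 v3 layout, dummy key and dummy signature."""
    rsa_oid = tlv(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    sig_oid = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
    sig_alg = tlv(0x30, sig_oid + tlv(0x05, b""))
    spki = tlv(0x30, tlv(0x30, rsa_oid + tlv(0x05, b"")) + tlv(0x03, b"\x00" * 17))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                 # [0] version v3
              + tlv(0x02, b"\x01")                          # serialNumber (made up)
              + sig_alg                                     # signature algorithm
              + name_cn(cn)                                 # issuer
              + tlv(0x30, x509_time(not_before) + x509_time(not_after))  # validity
              + name_cn(cn)                                 # subject
              + spki)                                       # subjectPublicKeyInfo
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 17))


# --- decoder: enough DER to walk Certificate -> tbsCertificate -> validity ---
def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value bytes, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """All TLVs directly inside a constructed value, as (tag, bytes) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out


def parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                                   # UTCTime YYMMDDHHMMSSZ
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]  # RFC 5280 4.1.2.5.1
    elif tag != 0x18:                                 # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("not an X.509 Time")
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_certificate(data):
    """Return DER bytes whether the input was PEM (base64 armor) or raw DER."""
    m = PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    if not der or der[0] != 0x30:                     # every certificate is a SEQUENCE
        raise ValueError("neither a PEM nor a DER certificate")
    return der


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def certificate_validity(der):
    """(notBefore, notAfter) as timezone-aware datetimes."""
    _, cert_body, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                          # optional [0] version
        fields = fields[1:]
    validity = children(fields[3][1])                 # serial, sigalg, issuer, validity
    return parse_time(*validity[0]), parse_time(*validity[1])


def days_until_expiry(not_after, now):
    return (not_after - now).days


# Constructed sample dates (not from any real certificate).
NOT_BEFORE = datetime.datetime(2015, 12, 3, 15, 20, 49, tzinfo=UTC)
NOT_AFTER = datetime.datetime(2018, 12, 2, 15, 20, 49, tzinfo=UTC)
SAMPLE_DER = build_sample_der(NOT_BEFORE, NOT_AFTER)
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    for label, blob in (("DER", SAMPLE_DER), ("PEM", SAMPLE_PEM.encode())):
        nb, na = certificate_validity(load_certificate(blob))
        print(f"{label}: notBefore={nb.isoformat()} notAfter={na.isoformat()} "
              f"days left at notBefore={days_until_expiry(na, nb)}")
```

The parser deliberately stops at the validity field; it does no signature checking, so it only answers "when does this file expire", not "is this certificate trustworthy". The UTCTime century rule is the one edge case worth keeping in mind when reading dates out by hand: a two-digit year of 50 or above means 19xx, below means 20xx.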
