[strongSwan] swanctl.conf debugging-- fails to load certificates

Stephen Ayotte stephen.ayotte at gmail.com
Thu May 11 15:26:29 CEST 2017

First, please check my reasoning for using swanctl: I want ad-hoc
host-to-host transport level connections between all hosts which are A) in
the same subnet and B) have an X509 cert signed by the same CA. I don't see
a syntax that expresses this in ipsec.conf (only specific, known
endpoints), but the local_addrs/remote_addrs/local_ts/remote_ts +
start_action=trap in swanctl.conf looks like it should get the job done.

Short coverage of my starting conditions: I'm using strongswan-5.5.2 on
Debian-8.7/amd64, compiled with these config options:

    ./configure --enable-monolithic \
        --disable-charon --disable-stroke --disable-scepclient \
        --enable-systemd --enable-swanctl

I went for 5.5.x for the systemd integration; I was having trouble
understanding how to ensure that swanctl.conf was being used and ipsec.conf
being ignored with ipsec-starter in the mix.

I'm using certificates generated using the "ipsec pki" utility, following
the instructions found at this link (
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA), with the
exception that I named the files after my hosts rather than e.g.
"peerCert.der". Note that I generated these using 5.4.x from the
Debian-supplied package, since the one I built doesn't include the "ipsec"
tool at all... I also used the 5.4.x package to verify these certs are
loadable and indeed they were (although pinging host-to-host in a static
setup exactly asin this example (
didn't provoke any IKE negotiation... but I don't think solving that
problem would help me anyway, so I didn't try).

Ok, now the problem: charon chokes on the certificates with this error:
    08[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders

I've stashed my configs in a gist here:

That error message seems to originate on the charon side of the vici
socket; I found two places it might originate from in the code once the
failure has already happened, but the funky use of function-pointers for
pseudo-OO made it hard to understand where it's actually failing.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170511/b8e7c829/attachment.html>

More information about the Users mailing list