[strongSwan] swanctl.conf debugging-- fails to load certificates

Tobias Brunner tobias at strongswan.org
Thu May 11 15:34:36 CEST 2017

Hi Stephen,

> but the local_addrs/remote_addrs/local_ts/remote_ts +
> start_action=trap in swanctl.conf looks like it should get the job done.

You can do the same thing with ipsec.conf.

> I was having trouble
> understanding how to ensure that swanctl.conf was being used and
> ipsec.conf being ignored with ipsec-starter in the mix.

Just depends on the loaded plugins.

> "ipsec" tool at all...

You don't need it, pki is installed in /usr/local/bin so just call it

> Ok, now the problem: charon chokes on the certificates with this error:
>     08[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders

You will need a plugin that implements RSA (assuming you generated RSA
certificates).  The gmp plugin is the default, alternatives are the
openssl or gcrypt plugins, which can also replace lots of other crypto
plugins (but are not enabled by default).
Basically, don't use a load statement in strongswan.conf if you don't
know what you are doing (see [1]).


[1] https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

More information about the Users mailing list