[strongSwan] swanctl unloads private key on startup (not desired)
stephen.ayotte at gmail.com
Fri May 12 00:00:08 CEST 2017
I'm using 5.5.2; my configs are here:
On startup, swanctl seems to load and then immediately unload the
private key associated with the "local" cert:
10[CFG] loaded RSA private key
10[CFG] unloaded private key with id
This isn't a desirable thing, since without that key the IKE
negotiation fails with this message:
09[IKE] no private key found for 'lb1'
If I manually run "swanctl -s" a second time, *after* startup, it all works:
root@lb1:/usr/local/etc/swanctl# swanctl -s
loaded rsa key from '/usr/local/etc/swanctl/rsa/serverKey.pem'
... The traffic flows and so on.
Adding a second "swanctl -s" to the charon.start-scripts doesn't fix
it: it loads the same key twice, *then* unloads it. I seem to have to
wait until startup is complete, and only then run "swanctl -s".
Looking at the changelog for 5.5.2, this seems to be a new feature.
But based on the notes (what is a "removed secret"?), and the
documentation (no reference to this?), I can't guess at what its
intended use is or how to correctly configure things so that I'm left
with a working system after startup (without post-startup