[strongSwan] swanctl unloads private key on startup (not desired)

Stephen Ayotte stephen.ayotte at gmail.com
Fri May 12 00:00:08 CEST 2017

I'm using 5.5.2; my configs are here:

On startup, swanctl seems to load and then immediately unload the
private key associated with the "local" cert:
    10[CFG] loaded RSA private key
    10[CFG] unloaded private key with id

This isn't a desirable thing, since without that key the IKE
negotiation fails with this message:
    09[IKE] no private key found for 'lb1'

If I manually run "swanctl -s" a second time, *after* startup, it all works:
    root at lb1:/usr/local/etc/swanctl# swanctl -s
    loaded rsa key from '/usr/local/etc/swanctl/rsa/serverKey.pem'

... The traffic flows and so on.

Adding a second "swanctl -s" to the charon.start-scripts doesn't fix
it-- it loads the same key twice, *then* unloads it. I seem to have to
wait until startup is complete, and only then run "swanctl -s".

Looking at the changelog for 5.5.2 [1] this seems to be a new feature.
But based on the notes (what is a "removed secret"?), and the
documentation (no reference to this?), I can't guess at what its
intended use is or how to correctly configure things so that I'm left
with a working system after startup (without post-startup

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Changelog55

More information about the Users mailing list