[strongSwan] swanctl unloads private key on startup (not desired)
Stephen Ayotte
stephen.ayotte at gmail.com
Fri May 12 00:00:08 CEST 2017
I'm using 5.5.2; my configs are here:
https://gist.github.com/sayotte/1fd19aba0043cb20821cde42535486d7
On startup, swanctl seems to load and then immediately unload the
private key associated with the "local" cert:
10[CFG] loaded RSA private key
10[CFG] unloaded private key with id 4d12e9d018870dfc33ddd431233ec05a97498ccc
This isn't a desirable thing, since without that key the IKE
negotiation fails with this message:
09[IKE] no private key found for 'lb1'
If I manually run "swanctl -s" a second time, *after* startup, it all works:
root at lb1:/usr/local/etc/swanctl# swanctl -s
loaded rsa key from '/usr/local/etc/swanctl/rsa/serverKey.pem'
... The traffic flows and so on.
Adding a second "swanctl -s" to the charon.start-scripts doesn't fix
it; it loads the same key twice, *then* unloads it. I seem to have to
wait until startup is complete, and only then run "swanctl -s".
Looking at the changelog for 5.5.2 [1] this seems to be a new feature.
But based on the notes (what is a "removed secret"?), and the
documentation (no reference to this?), I can't guess at what its
intended use is or how to correctly configure things so that I'm left
with a working system after startup (without post-startup
intervention).
[1] https://wiki.strongswan.org/projects/strongswan/wiki/Changelog55
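The workaround the mail describes by hand (wait until charon has finished starting, then run "swanctl -s" and confirm the key is actually present) can be scripted. The following is an added example, not code from the original mail or from the strongSwan project. It assumes the swanctl subcommands `--stats`, `--load-creds` (the long form of `-s`) and `--list-certs`, and that `--list-certs` marks a certificate whose private key is loaded with the text "has private key"; the `SWANCTL` and `WAIT_SECS` variables are hypothetical knobs of this script.

```shell
#!/bin/sh
# Added example (not from the original mail or the strongSwan project).
# Assumptions: `swanctl --stats`, `swanctl --load-creds` and
# `swanctl --list-certs` exist, and `--list-certs` prints
# "has private key" on the pubkey line of a certificate whose key is loaded.
# SWANCTL and WAIT_SECS are hypothetical knobs for this script only.

SWANCTL="${SWANCTL:-swanctl}"
WAIT_SECS="${WAIT_SECS:-30}"

# has_private_key: read `swanctl --list-certs` output on stdin and succeed
# when at least one listed certificate has its private key loaded.
has_private_key() {
    grep -q 'has private key'
}

# count_private_keys: read the same output on stdin and print how many
# listed certificates have a private key attached (prints 0 for none).
count_private_keys() {
    grep -c 'has private key' || true
}

# wait_for_charon: poll the daemon over VICI until it answers or the
# WAIT_SECS budget runs out (returns 1 on timeout).
wait_for_charon() {
    i=0
    while ! "$SWANCTL" --stats >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt "$WAIT_SECS" ] || return 1
        sleep 1
    done
}

# load_and_verify: once charon is up, (re)load credentials and then check
# that a certificate still has its private key, so the "no private key
# found" IKE failure is caught at boot instead of at the first negotiation.
load_and_verify() {
    wait_for_charon || { echo "charon did not come up" >&2; return 2; }
    "$SWANCTL" --load-creds
    if "$SWANCTL" --list-certs | has_private_key; then
        echo "private key loaded"
    else
        echo "no certificate has a private key; IKE auth will fail" >&2
        return 1
    fi
}

# Only drive swanctl when it is actually installed; the helper functions
# above remain usable (and testable) on a host without it.
if command -v "$SWANCTL" >/dev/null 2>&1; then
    load_and_verify
fi
```

Run it from a post-startup hook (for example a one-shot unit ordered after the charon service) rather than from charon.start-scripts, which, as the mail notes, runs before the unload happens; a non-zero exit then tells you the key is missing before any peer tries to connect.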