[strongSwan] migration to charon-systemd
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Sep 20 16:00:50 CEST 2017
1. DNS and ("virtual") IPs (everything that you push to a peer) are configured in a pool. You then set the pool to use in the IKE_SA configuration.
2. You need to configure every IKE_SA and CHILD_SA explicitly. You can include other files at arbitrary positions though. The man page for swanctl.conf explains it.
3. Yes. It behaves identically to ipsec.conf.
4. As far as I can tell from the man page, that is not possible.
On 20.09.2017 11:38, Kamil Jońca wrote:
> Recently I found that I can use strongswan as systemd integrated
> service. I tried to move my config to swanctl-like file and I have
> partial success.
> But I have some questions about how to migrate some things.
> --8<---------------cut here---------------start------------->8---
> config setup
> strictcrlpolicy=ifuri
>
> ca kaczka
> cacert=/etc/ipsec.d/cacerts/ipsec--kaczka--ca.pem
> auto=add
>
> conn %default
> left=192.168.2.2
> leftsubnet=192.168.2.0/24
> leftid="C = PL, ST = xxx, O = kjonca.kjonca, OU = ipsec, CN = bla.bla"
> leftca="C = PL, ST = xxx, L = yyyy, O = kjonca.kjonca, OU = ipsec, CN = openswan--kjonca.kjonca"
> rightca=%same
> leftcert="alfa.kjonca.5.pem"
> rightdns=192.168.2.2
> right=%any
> compress=yes
> keyexchange=ikev2
> auto=add
> rightsourceip=%dhcp
> #rekey=no
>
>
> conn w8-kjonca
> also=alfa-server
> rightid="C=PL, ST=xxx, O=kjonca.kjonca, OU=ipsec, CN=w8-kjonca.kjonca"
> rekey=no
> conn alfa-server
> include /var/lib/strongswan/ipsec.conf.inc
> --8<---------------cut here---------------end--------------->8---
>
> 1. How to "translate" "rightdns=" to swanctl?
> 2. How to have a dedicated connection which behaves as "alfa-server" except
> "rekey" feature?
> 3. Is it possible to use ids from certificates (as in leftid/leftca)?
> 4. How to translate "rightca=%same"
> KJ
>
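The mapping described in answers 1 and 2 above, sketched as a swanctl.conf. This is an added example, not part of the original mail and not the poster's working configuration. The pool name, the address range, the CHILD_SA name and the use of `rekey_time = 0` for `rekey=no` are assumptions, and `alfa-server` is filled in from the quoted `%default` section because the included file is not shown.

```conf
# Added sketch; values marked "constructed" or "hypothetical" are not from the thread.
pools {
    lan-pool {                      # hypothetical pool name
        addrs = 192.168.2.128/26    # constructed range; the original used rightsourceip=%dhcp
        dns = 192.168.2.2           # was rightdns=
    }
}
connections {
    alfa-server {
        version = 2                 # keyexchange=ikev2
        local_addrs = 192.168.2.2   # left=
        pools = lan-pool            # answer 1: the IKE_SA config names the pool
        local {
            certs = alfa.kjonca.5.pem
            id = "C = PL, ST = xxx, O = kjonca.kjonca, OU = ipsec, CN = bla.bla"
        }
        remote {
            revocation = ifuri      # strictcrlpolicy=ifuri
        }
        children {
            lan {                   # hypothetical CHILD_SA name
                local_ts = 192.168.2.0/24
                ipcomp = yes        # compress=yes
            }
        }
    }
    # answer 2: no also=, so the second connection is written out in full
    w8-kjonca {
        version = 2
        local_addrs = 192.168.2.2
        pools = lan-pool
        rekey_time = 0              # assumed equivalent of rekey=no for the IKE_SA
        local {
            certs = alfa.kjonca.5.pem
            id = "C = PL, ST = xxx, O = kjonca.kjonca, OU = ipsec, CN = bla.bla"
        }
        remote {
            revocation = ifuri
            id = "C=PL, ST=xxx, O=kjonca.kjonca, OU=ipsec, CN=w8-kjonca.kjonca"
        }
        children {
            lan {
                local_ts = 192.168.2.0/24
                ipcomp = yes
                rekey_time = 0      # assumed equivalent of rekey=no for the CHILD_SA
            }
        }
    }
}
```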