[strongSwan] Host to host with certs - where to put own private key?
Kostya Vasilyev
kman at fastmail.com
Tue Feb 12 13:53:45 CET 2019
Hi,
I'm looking at converting my existing "legacy" host to host configuration to new based on:
https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/
My current config (legacy format):
newtun.conf
conn mytunnel
left=139.0.0.1
right=%any
authby=rsasig
compress=no
type=transport
leftprotoport=47/0
rightprotoport=47/0
auto=add
ike=aes128-sha256-modp2048
esp=aes128-sha256-modp2048
rightcert=newtun_client_1.pem
leftcert=newtun_server_1.pem
dpddelay=30
dpdtimeout=120
ikev2=insist
newtun.secrets
: RSA newtun_server_1.pem
I have CA and client and server certs in subdirectories under /etc/ipsec.d, it all works.
My question is - right now the private key of the server's (StrongSwan) certificate is required in a *.secrets file. There is no automatic loading from /etc/ipsec.d/private.
Where do you put the private key with the new format? I don't see it in swanctl.conf
https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.conf
And a "meta" - is there any benefit to the "new" format configuration?
--
Kostya Vasilyev
kman at fastmail.com
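Editor's added example (not part of the original mail, and not the list's answer): a swanctl.conf that carries the legacy "mytunnel" settings above over to the new format, showing where the server's private key goes. In swanctl the key is not named in the connection at all. An unencrypted key dropped into /etc/swanctl/private/ (or rsa/, ecdsa/, pkcs8/) is loaded by `swanctl --load-creds` and matched to the certificate in /etc/swanctl/x509/ by its public key; only a passphrase-protected key needs a `secrets` entry. The file names newtun_server_1.key and the passphrase value are assumptions/placeholders; the option mapping is the editor's, based on the swanctl.conf option names.

```conf
# /etc/swanctl/swanctl.conf  (added example; file names and passphrase are placeholders)
connections {
    mytunnel {
        version = 2                          # ikev2=insist
        local_addrs = 139.0.0.1              # left=139.0.0.1
        # remote_addrs omitted: defaults to %any (right=%any)
        proposals = aes128-sha256-modp2048   # ike=...

        local {
            auth = pubkey                    # authby=rsasig
            certs = newtun_server_1.pem      # leftcert=, file lives in /etc/swanctl/x509/
            # no key reference here: charon finds the key whose public half
            # matches this certificate among the keys loaded from /etc/swanctl/private/
        }
        remote {
            auth = pubkey
            certs = newtun_client_1.pem      # rightcert=, also placed in /etc/swanctl/x509/
        }

        children {
            mytunnel {
                mode = transport             # type=transport
                local_ts = dynamic[gre]      # leftprotoport=47/0
                remote_ts = dynamic[gre]     # rightprotoport=47/0
                esp_proposals = aes128-sha256-modp2048   # esp=...
                ipcomp = no                  # compress=no
                # auto=add: no start_action, the child is only loaded, not started
            }
        }
        dpd_delay = 30s                      # dpddelay=30
        # dpdtimeout has no IKEv2 equivalent: IKEv2 DPD failure is governed by the
        # charon retransmission settings; swanctl's dpd_timeout applies to IKEv1 only
    }
}

secrets {
    # Only required when the private key file is passphrase-protected.
    # An unencrypted /etc/swanctl/private/newtun_server_1.key needs no entry at all.
    private-newtun {
        file = newtun_server_1.key           # relative to /etc/swanctl/private/
        secret = "PASSPHRASE-PLACEHOLDER"    # placeholder, replace with the real passphrase
    }
}
```

After `swanctl --load-all`, `swanctl --list-certs` should show the server certificate with "has private key" on its pubkey line; if that marker is missing, the key in /etc/swanctl/private/ does not match the certificate in /etc/swanctl/x509/ (or was never loaded), which is the swanctl-side equivalent of the old "no private key found" secrets problem.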