[strongSwan] Host to host with certs - where to put own private key?

Kostya Vasilyev kman at fastmail.com
Tue Feb 12 13:53:45 CET 2019


Hi,

I'm looking at converting my existing "legacy" host to host configuration to new based on:

https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/

My current config (legacy format):

newtun.conf

conn mytunnel
	left=139.0.0.1
	right=%any
	authby=rsasig
	compress=no
	type=transport
	leftprotoport=47/0
	rightprotoport=47/0
	auto=add
	ike=aes128-sha256-modp2048
	esp=aes128-sha256-modp2048
	rightcert=newtun_client_1.pem
	leftcert=newtun_server_1.pem
	dpddelay=30
	dpdtimeout=120
	ikev2=insist

newtun.secrets

 : RSA newtun_server_1.pem

I have CA and client and server certs in subdirectories under /etc/ipsec.d, it all works.

My question is - right now the private key of the server's (StrongSwan) certificate is required in a *.secrets file. There is no automatic loading from /etc/ipsec.d/private.

Where do you put the private key with the new format? I don't see it in swanctl.conf

https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.confauth

And a "meta" - is there any benefit to the "new" format configuration?

-- 
Kostya Vasilyev
kman at fastmail.com


More information about the Users mailing list