[strongSwan] Host to host with certs - where to put own private key?
Kostya Vasilyev
kman at fastmail.com
Tue Feb 12 13:54:58 CET 2019
On Tue, Feb 12, 2019, at 3:53 PM, Kostya Vasilyev wrote:
> Hi,
>
> I'm looking at converting my existing "legacy" host to host
> configuration to new based on:
>
> https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/
>
> My current config (legacy format):
>
> newtun.conf
>
> conn mytunnel
> left=139.0.0.1
> right=%any
> authby=rsasig
> compress=no
> type=transport
> leftprotoport=47/0
> rightprotoport=47/0
> auto=add
> ike=aes128-sha256-modp2048
> esp=aes128-sha256-modp2048
> rightcert=newtun_client_1.pem
> leftcert=newtun_server_1.pem
> dpddelay=30
> dpdtimeout=120
> ikev2=insist
>
> newtun.secrets
>
> : RSA newtun_server_1.pem
>
> I have CA and client and server certs in subdirectories under /etc/ipsec.d,
> it all works.
>
> My question is - right now the private key of the server's (StrongSwan)
> certificate is required in a *.secrets file. There is no automatic
> loading from /etc/ipsec.d/private.
>
> Where do you put the private key with the new format? I don't see it in
> swanctl.conf
>
> https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.confauth
The right link is:
https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.conf
Oops!
>
> And a "meta" - is there any benefit to the "new" format configuration?
>
> --
> Kostya Vasilyev
> kman at fastmail.com
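Added example (not part of the original post or of the strongSwan test
case): the legacy conn above translated to swanctl.conf, with the server
key referenced from the secrets section. File names newtun_server_1.key
and the suffixes "newtun"/"gre" are assumptions; the certificate names are
taken from the post.

```conf
# /etc/swanctl/swanctl.conf -- added example, translated from the legacy
# "conn mytunnel" in the post. swanctl resolves relative file names against
# /etc/swanctl/{x509,x509ca,private,rsa}, so certificates and the key are
# placed there instead of under /etc/ipsec.d.
connections {
    newtun {
        version = 2                          # ikev2=insist
        local_addrs  = 139.0.0.1             # left=139.0.0.1
        remote_addrs = %any                  # right=%any
        proposals = aes128-sha256-modp2048   # ike=...
        dpd_delay = 30s                      # dpddelay=30
        # dpdtimeout is IKEv1-only; IKEv2 uses the normal retransmission
        # timeouts for liveness, so it has no swanctl equivalent here.

        local {
            auth = pubkey                    # authby=rsasig
            certs = newtun_server_1.pem      # leftcert, from /etc/swanctl/x509
        }
        remote {
            auth = pubkey
            certs = newtun_client_1.pem      # rightcert, pins the peer cert
        }
        children {
            gre {
                mode = transport             # type=transport
                local_ts  = dynamic[47]      # leftprotoport=47/0 (GRE)
                remote_ts = dynamic[47]      # rightprotoport=47/0
                esp_proposals = aes128-sha256-modp2048   # esp=...
                start_action = none          # auto=add
            }
        }
    }
}

# Replaces ": RSA newtun_server_1.pem" from newtun.secrets. An unencrypted
# PEM key dropped into /etc/swanctl/private is loaded by "swanctl
# --load-creds" without any entry here; the explicit entry is needed mainly
# for a non-standard file name or a passphrase-protected key.
secrets {
    private-newtun {
        file = newtun_server_1.key           # assumed name, in /etc/swanctl/private
        # secret = <passphrase>              # only if the key is encrypted
    }
}
```

Load with `swanctl --load-creds` followed by `swanctl --load-conns`, and check that the key was picked up with `swanctl --list-certs`, which prints "pubkey ... has private key" next to the matching certificate.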