[strongSwan] Host to host with certs - where to put own private key?

Kostya Vasilyev kman at fastmail.com
Tue Feb 12 13:54:58 CET 2019


On Tue, Feb 12, 2019, at 3:53 PM, Kostya Vasilyev wrote:
> Hi,
> 
> I'm looking at converting my existing "legacy" host to host 
> configuration to the new format, based on:
> 
> https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/
> 
> My current config (legacy format):
> 
> newtun.conf
> 
> conn mytunnel
> 	left=139.0.0.1
> 	right=%any
> 	authby=rsasig
> 	compress=no
> 	type=transport
> 	leftprotoport=47/0
> 	rightprotoport=47/0
> 	auto=add
> 	ike=aes128-sha256-modp2048
> 	esp=aes128-sha256-modp2048
> 	rightcert=newtun_client_1.pem
> 	leftcert=newtun_server_1.pem
> 	dpddelay=30
> 	dpdtimeout=120
> 	ikev2=insist
> 
> newtun.secrets
> 
>  : RSA newtun_server_1.pem
> 
> I have CA and client and server certs in subdirectories under 
> /etc/ipsec.d, it all works.
> 
> My question is - right now the private key of the server's (StrongSwan) 
> certificate is required in a *.secrets file. There is no automatic 
> loading from /etc/ipsec.d/private.
> 
> Where do you put the private key with the new format? I don't see it in 
> swanctl.conf.
> 
> https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.confauth

The right link is:

https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.conf

Oops!

> 
> And a "meta" - is there any benefit to the "new" format configuration?
> 
> -- 
> Kostya Vasilyev
> kman at fastmail.com

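The following is an added example, not part of the thread above, showing how the legacy `conn mytunnel` translates to swanctl.conf and where the server's private key goes in the new layout. With swanctl there is no *.secrets file for unencrypted keys: `swanctl --load-creds` reads every key it finds under /etc/swanctl/private (and the type-specific rsa/, ecdsa/, pkcs8/ directories), and matches it to the certificate named in `local.certs`, which is looked up in /etc/swanctl/x509. The certificate file names are taken from the post; the key file name `newtun_server_1.key` and the child name `gre` are assumptions.

```conf
# /etc/swanctl/swanctl.conf (added example)
#
# Expected file layout (swanctl --load-creds picks these up):
#   /etc/swanctl/x509ca/<ca>.pem             the CA that signed both certs
#   /etc/swanctl/x509/newtun_server_1.pem    server certificate (from the post)
#   /etc/swanctl/x509/newtun_client_1.pem    pinned client certificate (from the post)
#   /etc/swanctl/private/newtun_server_1.key assumed name for the server's private key
#
# Verify after loading:  swanctl --list-certs   (key should show "has private key")

connections {
    mytunnel {
        # ikev2=insist
        version = 2
        local_addrs  = 139.0.0.1
        remote_addrs = %any
        # ike=aes128-sha256-modp2048
        proposals = aes128-sha256-modp2048
        # dpddelay=30; the legacy dpdtimeout has no IKEv2 equivalent,
        # IKEv2 relies on retransmission timeouts instead
        dpd_delay = 30s

        local {
            # authby=rsasig, leftcert=newtun_server_1.pem
            auth  = pubkey
            certs = newtun_server_1.pem
        }
        remote {
            # rightcert=newtun_client_1.pem: only this certificate is accepted,
            # it must still chain to a CA in /etc/swanctl/x509ca
            auth  = pubkey
            certs = newtun_client_1.pem
        }

        children {
            gre {
                # type=transport, leftprotoport=47/0, rightprotoport=47/0
                mode = transport
                local_ts  = dynamic[gre]
                remote_ts = dynamic[gre]
                # esp=aes128-sha256-modp2048
                esp_proposals = aes128-sha256-modp2048
                # auto=add: connections are loaded, not started (start_action = none is the default)
            }
        }
    }
}

secrets {
    # Only needed if the key file is passphrase-protected. An unencrypted
    # PEM key in /etc/swanctl/private needs no entry at all.
    # private-newtun {
    #     file   = newtun_server_1.key
    #     secret = "passphrase"
    # }
}
```

Keep /etc/swanctl/private readable by root only (mode 0600 on the key file); swanctl loads it once at `--load-creds` time, so a key that is added or replaced later is not used until the credentials are reloaded.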
