[strongSwan] Host to host with certs - where to put own private key?
bts at square-r00t.net
Tue Feb 12 14:32:29 CET 2019
On 2/12/19 7:53 AM, Kostya Vasilyev wrote:
> I'm looking at converting my existing "legacy" host to host configuration to new based on:
> My current config (legacy format):
> conn mytunnel
> : RSA newtun_server_1.pem
> I have CA and client and server certs in subdirectories under /etc/ipsec.d, it all works.
> My question is - right now the private key of the server's (StrongSwan) certificate is required in a *.secrets file. There is no automatic loading from /etc/ipsec.d/private.
> Where do you put the private key with the new format? I don't see it in swanctl.conf
This is a bit dependent on which distro (for instance, CentOS/RHEL
stuffs everything in /etc/strongswan/, but others split each subdir to
their own dir in /etc) BUT
And likewise, your certs can be moved from /etc/ipsec.d to their
appropriate analog dir under the swanctl directory.
The following is RHEL, adjust per your use case as needed:
# tree /etc/strongswan/swanctl/
/etc/strongswan/swanctl/
├── private
│   └── key.pem
├── x509
│   └── cert.pem
├── x509ca
│   └── ca.pem
└── ...
I believe you should see this reproduced in the test cases.
If they are placed in their respective directories, you can reference
connections {
    mytunnel {
        local {
            auth = pubkey
            certs = cert.pem
        }
        remote {
            auth = pubkey
            cacerts = ca.pem
        }
    }
}
secrets {
    private-key {
        file = key.pem
    }
}
BUT I believe you can also use absolute paths if you don't want to use
the provided directory structure - at least for the secrets you can.
> And a "meta" - is there any benefit to the "new" format configuration?
I don't think there are any plans to obsolete the ipsec.conf format? One
of the developers can probably weigh in if so.
I personally prefer the swanctl.conf format because it's just a lot
easier to parse, at least visually, for me. I'm not aware of any
explicit benefit or advantage.
GPG info: https://square-r00t.net/gpg-info
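As an added example (not part of this thread or of strongSwan itself): a small Python script that parses a swanctl.conf fragment like the one in the reply and prints the path swanctl would open for each certs/cacerts/file reference, so you can check the files are where you think before running swanctl --load-all. The option-to-subdirectory mapping (certs in x509, cacerts in x509ca, secrets file in private) follows swanctl's lookup directories; the parser and the sample config are this example's own.

```python
import os

SEARCH_DIRS = {"certs": "x509", "cacerts": "x509ca", "file": "private"}  # assumed: option -> swanctl subdir

def parse_swanctl(text):
    """'name {' opens a section, '}' closes it, 'key = value' is a setting, '#' a comment."""
    root = cur = {}
    stack = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return root

def resolve_refs(conf, base, found=None):
    """Path swanctl opens per certs/cacerts/file reference: base/<subdir>/name if bare, as-is if absolute."""
    found = {} if found is None else found
    for key, val in conf.items():
        if isinstance(val, dict):          # recurse into nested sections
            resolve_refs(val, base, found)
        elif key in SEARCH_DIRS:
            for name in (n.strip() for n in val.split(",")):
                found[name] = name if os.path.isabs(name) else os.path.join(base, SEARCH_DIRS[key], name)
    return found

# Constructed swanctl.conf mirroring the fragment in the reply above.
SAMPLE_CONF = """
connections {
  mytunnel {
    local {
      auth = pubkey
      certs = cert.pem
    }
    remote {
      auth = pubkey
      cacerts = ca.pem
    }
  }
}
secrets {
  private-key {
    file = key.pem
  }
}
"""
```

Run it with, for example, `for n, p in resolve_refs(parse_swanctl(SAMPLE_CONF), "/etc/strongswan/swanctl").items(): print(n, "->", p, os.path.isfile(p))` to see which referenced files are actually present.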