[strongSwan] Host to host with certs - where to put own private key?
brent s.
bts at square-r00t.net
Tue Feb 12 14:32:29 CET 2019
On 2/12/19 7:53 AM, Kostya Vasilyev wrote:
> Hi,
>
> I'm looking at converting my existing "legacy" host to host configuration to new based on:
>
> https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/
>
> My current config (legacy format):
>
> newtun.conf
>
> conn mytunnel
>     left=139.0.0.1
>     right=%any
>     authby=rsasig
>     compress=no
>     type=transport
>     leftprotoport=47/0
>     rightprotoport=47/0
>     auto=add
>     ike=aes128-sha256-modp2048
>     esp=aes128-sha256-modp2048
>     rightcert=newtun_client_1.pem
>     leftcert=newtun_server_1.pem
>     dpddelay=30
>     dpdtimeout=120
>     ikev2=insist
>
> newtun.secrets
>
> : RSA newtun_server_1.pem
>
> I have CA and client and server certs in subdirectories under /etc/ipsec.d, it all works.
>
> My question is - right now the private key of the server's (StrongSwan) certificate is required in a *.secrets file. There is no automatic loading from /etc/ipsec.d/private.
>
> Where do you put the private key with the new format? I don't see it in swanctl.conf
>
> https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.confauth
>
This is a bit dependent on which distro (for instance, CentOS/RHEL
stuffs everything in /etc/strongswan/, but others split each subdir into
their own dir in /etc), BUT:

RHEL:
  /etc/strongswan/swanctl/private/

"exploded" subdirs:
  /etc/swanctl/private/

And likewise, your certs can be moved from /etc/ipsec.d to their
appropriate analog dir under the swanctl directory.
The following is RHEL, adjust per your use case as needed:
# tree /etc/strongswan/swanctl/
/etc/strongswan/swanctl/
├── bliss
├── conf.d
├── ecdsa
├── pkcs12
├── pkcs8
├── private
│ └── key.pem
├── pubkey
├── rsa
├── swanctl.conf
├── x509
│ └── cert.pem
├── x509aa
├── x509ac
├── x509ca
│ └── ca.pem
├── x509crl
└── x509ocsp
I believe you should see this reproduced in the test cases.
If they are placed in their respective directories, you can reference
them relatively:
_____
connections {
    pki {
        (...)
        local {
            auth = pubkey
            certs = cert.pem
        }
        remote {
            auth = pubkey
            cacerts = ca.pem
        }
        (...)
    }
}
(...)
secrets {
    private_pki {
        file = key.pem
    }
}
_____
BUT I believe you can also use absolute paths if you don't want to use
the provided directory structure - at least for the secrets you can.
> And a "meta" - is there any benefit to the "new" format configuration?
>
I don't think there are any plans to obsolete the ipsec.conf format? One
of the developers can probably weigh in if so.
I personally prefer the swanctl.conf format because it's just a lot
easier to parse, at least visually, for me. I'm not aware of any
explicit benefit or advantage.
--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
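A full worked conversion of the legacy "conn mytunnel" quoted above into the swanctl layout, as an added example that is not part of this thread and not strongSwan's own documentation or test-case code. It assumes the "exploded" /etc/swanctl layout (pass /etc/strongswan as the root on RHEL), assumes the private key is a separate file (the thread only names newtun_server_1.pem as the certificate, so the key file name is the caller's choice), maps each legacy keyword to its swanctl.conf counterpart, and installs the key under swanctl/private with mode 0600 so the key is root-readable only. The section name private-newtun is an arbitrary suffix on the required "private" prefix. The install root is a parameter, so the script can be dry-run in a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example, not from the thread or the strongSwan project: converts the
# legacy "conn mytunnel" into swanctl.conf and installs the PKI files into
# the "exploded" swanctl layout. The install root and file names are
# parameters; a separate private-key file (e.g. newtun_server_1.key) is assumed.
set -u

# Print the swanctl.conf equivalent of the legacy conn.
# $1 server cert  $2 client cert  $3 CA cert  $4 server key (basenames, which
# swanctl resolves under x509, x509, x509ca and private respectively)
render_swanctl_conf() {
    cat <<EOF
connections {
    mytunnel {
        # ikev2=insist
        version = 2
        # left=139.0.0.1 ; right=%any is the default for remote_addrs
        local_addrs = 139.0.0.1
        # ike=aes128-sha256-modp2048
        proposals = aes128-sha256-modp2048
        # dpddelay=30 ; dpdtimeout has no IKEv2 equivalent (the IKE
        # retransmission timeout applies instead)
        dpd_delay = 30s
        local {
            # authby=rsasig, leftcert=
            auth = pubkey
            certs = $1
        }
        remote {
            # rightcert= ; the CA certificate is looked up in swanctl/x509ca
            auth = pubkey
            certs = $2
            cacerts = $3
        }
        children {
            mytunnel {
                # type=transport, leftprotoport=47/0, rightprotoport=47/0
                mode = transport
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                # esp=aes128-sha256-modp2048
                esp_proposals = aes128-sha256-modp2048
                # auto=add: no start_action, the peer initiates
            }
        }
    }
}
secrets {
    # Replaces ": RSA newtun_server_1.pem" in newtun.secrets. A bare file
    # name is resolved under swanctl/private; an absolute path also works.
    private-newtun {
        file = $4
    }
}
EOF
}

# Install the PKI files into the swanctl layout under $1 (e.g. /etc, or
# /etc/strongswan on RHEL). $2 server cert, $3 client cert, $4 CA cert,
# $5 private key. Only the key is secret, so only it gets restrictive modes.
install_pki() {
    root="$1/swanctl"
    mkdir -p "$root/x509" "$root/x509ca" "$root/private"
    cp "$2" "$3" "$root/x509/"
    cp "$4" "$root/x509ca/"
    cp "$5" "$root/private/"
    chmod 0600 "$root/private/$(basename "$5")"
    chmod 0700 "$root/private"
}

# Usage: sh convert.sh /etc newtun_server_1.pem newtun_client_1.pem ca.pem newtun_server_1.key
if [ "$#" -eq 5 ]; then
    install_pki "$@"
    render_swanctl_conf "$(basename "$2")" "$(basename "$3")" \
        "$(basename "$4")" "$(basename "$5")" > "$1/swanctl/swanctl.conf"
    echo "wrote $1/swanctl/swanctl.conf; now run: swanctl --load-all && swanctl --list-conns"
fi
```

After running it against the real root, `swanctl --load-all` should report one connection and one private key loaded, and `swanctl --list-certs` should show the server certificate with "has private key"; if the key is missing from swanctl/private the connection still loads but IKE_AUTH fails with no matching key.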