[strongSwan] Host to host with certs - where to put own private key?

Kostya Vasilyev kman at fastmail.com
Tue Feb 12 18:46:33 CET 2019


On Tue, Feb 12, 2019, at 4:32 PM, brent s. wrote:
> On 2/12/19 7:53 AM, Kostya Vasilyev wrote:
> > Hi,
> > 
> > I'm looking at converting my existing "legacy" host to host configuration to new based on:
> > 
> > https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/
> > 
> > My current config (legacy format):
> > 
> > newtun.conf
> > 
> > conn mytunnel
> > 	left=139.0.0.1
> > 	right=%any
> > 	authby=rsasig
> > 	compress=no
> > 	type=transport
> > 	leftprotoport=47/0
> > 	rightprotoport=47/0
> > 	auto=add
> > 	ike=aes128-sha256-modp2048
> > 	esp=aes128-sha256-modp2048
> > 	rightcert=newtun_client_1.pem
> > 	leftcert=newtun_server_1.pem
> > 	dpddelay=30
> > 	dpdtimeout=120
> > 	ikev2=insist
> > 
> > newtun.secrets
> > 
> >  : RSA newtun_server_1.pem
> > 
> > I have CA and client and server certs in subdirectories under /etc/ipsec.d, it all works.
> > 
> > My question is - right now the private key of the server's (StrongSwan) certificate is required in a *.secrets file. There is no automatic loading from /etc/ipsec.d/private.
> > 
> > Where do you put the private key with the new format? I don't see it in swanctl.conf
> > 
> > https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.confauth
> > 
> 
> This is a bit dependent on which distro (for instance, CentOS/RHEL
> stuffs everything in /etc/strongswan/, but others split each subdir to
> their own dir in /etc) BUT
> 
> RHEL:
> /etc/strongswan/swanctl/private/
> 
> "exploded" subdirs:
> /etc/swanctl/private/
> 
> And likewise, your certs can be moved from /etc/ipsec.d to their
> appropriate analog dir under the swanctl directory.
> 
> [snip]

Right, I understand the directories.

> If they are placed in their respective directories, you can reference
> them relatively:
> 
> _____
> connections {
>     pki {
>     (...)
>         local {
>             auth = pubkey
>             certs = cert.pem
>         }
>         remote {
>              auth = pubkey
>              cacerts = ca.pem
>         }
>     (...)
>     }
> }
> (...)
> secrets {
>     private_pki {
>         file = key.pem
>     }
> }
> _____

It was the conf syntax I was after :)

I now see it in the docs for swanctl.conf under "secrets.private<suffix> section".

Now how can I specify the protocol (GRE in my case, proto 47)?

Does that go into local_ts / remote_ts? Does it mean I have to put local and remote IPs in two places

first under

connections {
    <conn> {
        local_addrs = 139.0.0.1
        remote_addrs = 88.0.0.1
    }
}

and then under 

connections {
    <conn> {
        children {
            <child> {
                local_ts = 139.0.0.1[47/0]
                remote_ts = 88.0.0.1[47/0]
            }
        }
    }
}

??? Is there some way to just say "I want GRE" as it's possible with the old format?

-- K
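As an added illustration (not part of this thread, and not the strongSwan test case the question links to), here is one way the legacy "mytunnel" conn above can be written as a swanctl.conf. It assumes the "exploded" layout under /etc/swanctl/ (x509/, x509ca/, private/) rather than the RHEL /etc/strongswan/ prefix, that the server key has been copied to /etc/swanctl/private/newtun_server_1.key, and it uses the swanctl traffic-selector suffix [gre] (numeric [47] is equivalent) on the special value dynamic, which swanctl replaces with the IKE endpoint address at runtime.

```conf
# /etc/swanctl/swanctl.conf  (added example, assumptions noted in the lead-in)
connections {
    mytunnel {
        version = 2                      # ikev2=insist
        local_addrs  = 139.0.0.1         # left=139.0.0.1
        remote_addrs = %any              # right=%any (also the default)
        proposals = aes128-sha256-modp2048
        dpd_delay = 30s                  # dpddelay=30; swanctl's dpd_timeout only
                                         # applies to IKEv1, so dpdtimeout has no analog

        local {
            auth  = pubkey               # authby=rsasig
            certs = newtun_server_1.pem  # relative names resolve under /etc/swanctl/x509/
        }
        remote {
            auth  = pubkey
            # Pins the peer's end-entity certificate, as rightcert= did. To accept
            # any certificate the CA issued instead, replace this with
            # "cacerts = ca.pem" (resolved under /etc/swanctl/x509ca/).
            certs = newtun_client_1.pem
        }

        children {
            gre {
                mode = transport         # type=transport
                # "dynamic" stands for this host's / the peer's IKE address, so the
                # addresses are not repeated; [gre] narrows the selector to protocol 47
                # with any port, like leftprotoport=47/0 and rightprotoport=47/0.
                local_ts  = dynamic[gre]
                remote_ts = dynamic[gre]
                esp_proposals = aes128-sha256-modp2048
                start_action = none      # auto=add (the default): load, do not initiate
            }
        }
    }
}

# The private key lives in /etc/swanctl/private/ and is loaded by
# "swanctl --load-creds" (or --load-all); it is matched to the certificate above
# by its public key, so an unencrypted key needs no "secrets" entry at all.
# A passphrase-protected key gets its passphrase from a private<suffix> block:
#secrets {
#    private-server {
#        file   = newtun_server_1.key   # file name inside /etc/swanctl/private/
#        secret = "passphrase"
#    }
#}
```

After `swanctl --load-all`, `swanctl --list-conns` should show the child with `local: dynamic[gre]` and `remote: dynamic[gre]`; if the key was not found, `swanctl --list-certs` shows the certificate without the "has private key" marker, which is the first thing to check when authentication fails.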

