[strongSwan] Host to host with certs - where to put own private key?

Tobias Brunner tobias at strongswan.org
Wed Feb 13 09:39:38 CET 2019

Hi Kostya,

> It was the conf syntax I was after :)
> I now see it in the docs for swanctl.conf under "secrets.private<suffix> section".

You only have to configure private keys in such sections if they are
password protected (and you can't or don't want to provide the password
interactively) or if they are not stored in the default directories.
All keys and certificates in the default directories are loaded
automatically by --load-creds (the tool will prompt the user for
passwords for protected keys unless --noprompt is given).

> Now how can I specify the protocol (GRE in my case, proto 47)?
> Does that go into local_ts / remote_ts? Does it mean I have to put local and remote IPs in two places

Yes, traffic selectors are configured with these settings.  To
automatically use the IKE endpoints (or virtual IP) in a TS, you can use
the 'dynamic' keyword (e.g. local_ts = dynamic[47] or remote_ts =
dynamic[gre]).  An example can even be found in our test suite [1].


[1] https://www.strongswan.org/testing/testresults/route-based/net2net-gre/
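For readers following this thread, here is a complete swanctl.conf sketch of the setup described above (certificate-based host-to-host IKE with only GRE in the CHILD_SA). It is added here as an illustration and is not taken from the thread or from the strongSwan test suite; the addresses, identities, file names and passphrase are placeholders, and the secrets section is only required for the reason Tobias gives, namely a password-protected key or one stored outside the default directory.

```conf
connections {
    gre-host-to-host {
        # placeholder endpoint addresses
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2

        local {
            auth = pubkey
            # certificate file in /etc/swanctl/x509/, picked up by --load-creds
            certs = hostACert.pem
            # placeholder subject DN, must match the certificate
            id = "C=CH, O=Example, CN=hosta.example.org"
        }
        remote {
            auth = pubkey
            id = "C=CH, O=Example, CN=hostb.example.org"
        }

        children {
            gre {
                # restrict the CHILD_SA to GRE (IP protocol 47) between the
                # IKE endpoints; dynamic[47] is equivalent to dynamic[gre]
                local_ts  = dynamic[gre]
                remote_ts = dynamic[gre]
                # install a trap policy so the tunnel comes up on first GRE packet
                start_action = trap
            }
        }
    }
}

secrets {
    # Only needed because this key is password-protected and we do not want
    # to be prompted; an unprotected key in /etc/swanctl/private/ loads
    # without any entry here.
    private-hosta {
        file = /etc/swanctl/private/hostAKey.pem
        secret = "placeholder-passphrase"
    }
}
```

After editing, `swanctl --load-all` reloads both the credentials and the connection; with a protected key and no secrets entry, `swanctl --load-creds` prompts for the passphrase unless `--noprompt` is given.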

