[strongSwan] Host to host with certs - where to put own private key?

Kostya Vasilyev kman at fastmail.com
Wed Feb 13 12:25:41 CET 2019


On Wed, Feb 13, 2019, at 11:39 AM, Tobias Brunner wrote:
> Hi Kostya,
> > It was the conf syntax I was after :)
> > 
> > I now see it in the docs for swanctl.conf under "secrets.private<suffix> section".
> You only have to configure private keys in such sections if they are
> password protected (and you can't or don't want to provide the password
> interactively) or if they are not stored in the default directories.
> All keys and certificates in the default directories are loaded
> automatically by --load-creds (the tool will prompt the user for
> passwords for protected keys unless --noprompt is given).

What about automatic startup?

systemctl start strongswan strongswan-swanctl

Will that also load all certs and keys automatically from default directories?

> > Now how can I specify the protocol (GRE in my case, proto 47)?
> > 
> > Does that go into local_ts / remote_ts? Does it mean I have to put local and remote IPs in two places
> Yes, traffic selectors are configured with these settings.  To
> automatically use the IKE endpoints (or virtual IP) in a TS, you can use
> the 'dynamic' keyword (e.g. local_ts = dynamic[47] or remote_ts =
> dynamic[gre]).  An example can even be found in our test suite [1].

Thank you, nice to not have to duplicate the IPs.

-- K

More information about the Users mailing list