[strongSwan] Host to host with certs - where to put own private key?
Kostya Vasilyev
kman at fastmail.com
Wed Feb 13 12:52:00 CET 2019
On Wed, Feb 13, 2019, at 2:25 PM, Kostya Vasilyev wrote:
> Tobias
>
> On Wed, Feb 13, 2019, at 11:39 AM, Tobias Brunner wrote:
> > Hi Kostya,
> >
> > > It was the conf syntax I was after :)
> > >
> > > I now see it in the docs for swanctl.conf under "secrets.private<suffix> section".
> >
> > You only have to configure private keys in such sections if they are
> > password protected (and you can't or don't want to provide the password
> > interactively) or if they are not stored in the default directories.
> > All keys and certificates in the default directories are loaded
> > automatically by --load-creds (the tool will prompt the user for
> > passwords for protected keys unless --noprompt is given).
>
> What about automatic startup?
>
> systemctl start strongswan strongswan-swanctl
>
> Will that also load all certs and keys automatically from default directories?
Hmm, there is no strongswan-swanctl service on Debian (buster / testing)...
I'm looking at this
https://wiki.strongswan.org/projects/strongswan/wiki/Swanctl
and sorry, not sure if I understand...
The "old" format config files get loaded automatically when strongswan itself is started, let's say with
systemctl start strongswan
But a new format file (I put one into /etc/swanctl/conf.d) didn't get loaded by "restart strongswan" - it only loaded after I manually did "swanctl --load-conns".
Am I missing something about automatically loading swanctl format files when the strongswan service starts?
In Fedora (my home system) there is a strongswan-swanctl service:
ExecStart=/usr/sbin/charon-systemd
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
ExecReload=/usr/sbin/swanctl --reload
The "--load-all" seems totally appropriate...
Does this look like a Debian packaging error - I mean there is supposed to be a swanctl *service* but it's missing for some reason?
-- K
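For reference, here is an added swanctl.conf example for the host-to-host case the thread title asks about; it is not from the thread or from the strongSwan project, and the host names ("moon", "sun"), addresses (RFC 5737 documentation range), file names and the key path outside the default directory are all assumptions. It shows the two situations Tobias distinguishes: a certificate in the default directory that --load-creds / --load-all picks up on its own, and a password-protected private key stored elsewhere, which is the only case that needs a secrets.private<suffix> section.

```conf
# Added example, not the original poster's config.
# Hypothetical hosts: "moon" (this host), "sun" (peer).
connections {
    moon-sun {
        version      = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2
        proposals    = aes256-sha256-x25519

        local {
            auth  = pubkey
            # Relative name resolves to /etc/swanctl/x509/moonCert.pem,
            # which --load-creds and --load-all read automatically.
            certs = moonCert.pem
        }
        remote {
            auth = pubkey
            # Peer is identified by the subject DN of its certificate.
            id   = "C=CH, O=strongSwan, CN=sun.example.org"
        }
        children {
            host-host {
                # Host-to-host: transport mode, bring the SA up on load.
                mode          = transport
                start_action  = start
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}

secrets {
    # This section is needed only because the key is (a) password
    # protected and (b) not in /etc/swanctl/private. An unencrypted key
    # in the default directory needs no secrets entry at all.
    private-moon {
        file   = /etc/ssl/private/moonKey.pem
        secret = "passphrase-placeholder"
    }
}
```

Because the passphrase now sits in swanctl.conf, keep that file readable by root only (the same protection the key file itself should have); otherwise the password-protected key offers no more protection than a plain one. Loading this file at boot still requires something to run `swanctl --load-all --noprompt` after charon starts, which is exactly the ExecStartPost line quoted from the Fedora unit above; with --noprompt, a protected key whose secret is missing from this section is simply skipped, so check `swanctl --list-certs` and the daemon log after the first boot to confirm the key and certificate were actually loaded.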