[strongSwan] Host to host with certs - where to put own private key?
kman at fastmail.com
Wed Feb 13 12:52:00 CET 2019
On Wed, Feb 13, 2019, at 2:25 PM, Kostya Vasilyev wrote:
> On Wed, Feb 13, 2019, at 11:39 AM, Tobias Brunner wrote:
> > Hi Kostya,
> > > It was the conf syntax I was after :)
> > >
> > > I now see it in the docs for swanctl.conf under "secrets.private<suffix> section".
> > You only have to configure private keys in such sections if they are
> > password protected (and you can't or don't want to provide the password
> > interactively) or if they are not stored in the default directories.
> > All keys and certificates in the default directories are loaded
> > automatically by --load-creds (the tool will prompt the user for
> > passwords for protected keys unless --noprompt is given).
> What about automatic startup?
> systemctl start strongswan strongswan-swanctl
> Will that also load all certs and keys automatically from default directories?
Hmm, there is no strongswan-swanctl service on Debian (buster / testing)...
I'm looking at this
and sorry not sure if I understand...
The "old" format config files get loaded automatically when strongswan itself is started, let's say with
systemctl start strongswan
But a new format file (I put one into /etc/swanctl/conf.d) didn't get loaded by "restart strongswan" - it only loaded after I manually did "swanctl --load-conns".
Am I missing something about automatically loading swanctl format files when the strongswan service starts?
In Fedora (my home system) there is a strongswan-swanctl service:
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
the "--load-all" seems totally appropriate...
Does this look like a Debian packaging error - I mean there is supposed to be a swanctl *service* but it's missing for some reason?