[strongSwan] eap auth with 5.8 - how?

lejeczek peljasz at yahoo.co.uk
Mon May 11 14:02:59 CEST 2020



On 11/05/2020 12:43, Tobias Brunner wrote:
> Hi,
>
>> Having only:
>>
>>     remote {
>>       certs = "remote.fqdn.crt"
>>       auth  =  "pubkey"
>>     }
>>
>> does not help.
> Again, not the same thing as configuring %any as remote identity (there
> is a fallback to the certificate's subject identity if a certificate but
> no identity is configured - and that identity is sent to the peer, which
> might not like it, so you should perhaps later check what identity it
> actually returns and configure that).
>
>> Trying: 'mode=tunnel' also fails.
> That will only have an effect after the authentication.
>
>> Also, I'm not sure how to translate this (in case it's critical)
>>
>> leftfirewall=yes
> Whether it's critical depends on your firewall config.  See [1] for
> notes on migrating from ipsec.conf to swanctl.conf.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/fromipsecconf
ahh.. I got irritated with myself. I also missed this:
..
# swanctl --load-all
loaded certificate from
'/etc/strongswan/swanctl/x509/remote.fqdn.crt'
vici value exceeds size limit (222148 > 65535)
vici builder error: 1 errors (section: 0, list 0)
load-cert request failed: Invalid argument

That cert got malformed somehow somewhere.
It's good now.
May I ask why - mode = "pass" - is no good?

many thanks gents, L
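The load failure quoted above ("vici value exceeds size limit (222148 > 65535)") is the kind of thing that is cheap to catch before handing a certificate file to swanctl. The following pre-load check is an added example, not code from the strongSwan project or from anyone in this thread. It assumes the 65535-byte vici limit stated in the quoted error, a single certificate per file under swanctl's x509/ directory as in the thread, and it only checks PEM framing, base64 validity and the outer DER SEQUENCE length; it does not parse the certificate itself. The sample inputs are constructed fake DER blobs, not real certificates.

```python
"""Pre-load sanity check for a swanctl x509/ certificate file.

Added example (not strongSwan project code). Assumptions: the vici
value limit of 65535 bytes from the quoted error message; one
certificate per file, as in /etc/strongswan/swanctl/x509/ above.
"""
import base64
import re
import sys
from pathlib import Path
from typing import List, Optional

# Taken from the quoted error: "vici value exceeds size limit (... > 65535)"
VICI_VALUE_LIMIT = 65535

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_length(buf: bytes) -> Optional[int]:
    """Total encoded length of the outer DER SEQUENCE, or None if not a SEQUENCE."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                      # short form
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def check_cert_bytes(data: bytes) -> List[str]:
    """Return the problems found; an empty list means the file looks loadable."""
    problems = []
    if len(data) > VICI_VALUE_LIMIT:
        problems.append(f"file is {len(data)} bytes, over the vici limit of {VICI_VALUE_LIMIT}")
    blocks = PEM_RE.findall(data)
    if not blocks:
        # No PEM armour: treat the whole file as DER and check the outer SEQUENCE
        total = der_length(data)
        if total is None:
            problems.append("neither a PEM CERTIFICATE block nor a DER SEQUENCE")
        elif total != len(data):
            problems.append(f"DER length {total} does not match file size {len(data)}")
        return problems
    if len(blocks) > 1:
        # Assumption of this example: one certificate per file in x509/
        problems.append(f"{len(blocks)} CERTIFICATE blocks in one file")
    for i, b64 in enumerate(blocks):
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", b64), validate=True)
        except ValueError:
            problems.append(f"block {i}: body is not valid base64")
            continue
        total = der_length(der)
        if total is None:
            problems.append(f"block {i}: decoded body does not start with a DER SEQUENCE")
        elif total != len(der):
            problems.append(f"block {i}: DER length {total} != decoded size {len(der)}")
    return problems


def check_cert_file(path: str) -> List[str]:
    return check_cert_bytes(Path(path).read_bytes())


# --- constructed sample data (fake DER, not real certificates) ---------------
def make_fake_der(payload: bytes) -> bytes:
    """Wrap payload in an outer DER SEQUENCE with a correct length header."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + payload


def make_pem(der: bytes) -> bytes:
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


GOOD_DER = make_fake_der(b"\x02\x01\x01" * 40)          # 122 bytes, well formed
GOOD_PEM = make_pem(GOOD_DER)                            # loads cleanly
OVERSIZED_PEM = make_pem(make_fake_der(bytes(170000)))   # blows the vici limit
TRUNCATED_PEM = make_pem(GOOD_DER[:-10])                 # length header disagrees

if __name__ == "__main__":
    targets = sys.argv[1:]
    samples = {"good": GOOD_PEM, "oversized": OVERSIZED_PEM, "truncated": TRUNCATED_PEM}
    for name, data in samples.items():
        print(name, "->", check_cert_bytes(data) or "ok")
    for path in targets:  # e.g. /etc/strongswan/swanctl/x509/remote.fqdn.crt
        print(path, "->", check_cert_file(path) or "ok")
```

Run it with the certificate path as argument before `swanctl --load-all`; an oversized or length-inconsistent file is reported with the reason instead of the generic "load-cert request failed: Invalid argument".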


