On Fri, 23 Sep 2016, Bryan Harris wrote:

> Welp, I got to playing around with the old certs that were working, and I
> somehow broke them. Then I went back through everything and noticed I had
> to change the trust bits.
>
> So these trust bits work:
>
> "CT,,"

Yes, you need the trust bits set properly. Libreswan does that on
startup using the "ipsec checknss" command (as part of the service
startup). Older versions did not do this.


> And I can't recall where I found the documentation for these, but I had read
> it at some point. But the NEW certs import properly in the first place, so
> there is not a need (I thought) to set any trust bits (the new ones look like
> "CT,," so I left it alone).

The "ipsec import" should also properly set the trust bits.

> One other funny thing is that even though the tunnel works using the old
> certs with the proper trust bits, when I do an "ipsec auto --listall" each
> server still only shows its own cert in that top list for "List of RSA
> Public Keys".

The remote endpoint certificate will come in over IKE, so you will only
see that once you received it from the other end.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
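To audit the trust bits the thread talks about without relying on "ipsec checknss" having run, the following added example (not code from the thread or from libreswan) parses the output of NSS's `certutil -L` and reports whether a given nickname carries the "CT,," trust the poster found necessary. The certutil output is a constructed sample; the database path `sql:/etc/ipsec.d` and the nicknames are assumptions.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d sql:/etc/ipsec.d` output (assumed path).
# First column is the nickname, last column the trust attributes as
# SSL,S/MIME,JAR/XPI; IPsec authentication uses the SSL (first) field.
SAMPLE_CERTUTIL_OUTPUT='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vpn-ca                                                       CT,,
east                                                         u,u,u
west                                                         ,,
old-ca                                                       ,,
'

# ssl_trust_flags OUTPUT NICKNAME -> prints the SSL trust field (e.g. "CT", "u", "")
ssl_trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF == 0 { next }                         # blank lines
        {
            trust = $NF                          # trust column is always last
            name = $0
            sub(/[[:space:]]*$/, "", name)       # drop trailing whitespace
            sub(/[[:space:]]+[^[:space:]]+$/, "", name)  # drop trust column
            sub(/^[[:space:]]+/, "", name)
            if (name == nick) {
                split(trust, f, ",")             # f[1] is the SSL field
                print f[1]
                exit
            }
        }'
}

# has_ca_trust OUTPUT NICKNAME -> exit 0 if the SSL field has both C and T,
# i.e. the certificate is trusted as a CA for peer authentication.
has_ca_trust() {
    flags=$(ssl_trust_flags "$1" "$2")
    case "$flags" in
        *C*T*|*T*C*) return 0 ;;
        *)           return 1 ;;
    esac
}

for n in vpn-ca east west old-ca; do
    if has_ca_trust "$SAMPLE_CERTUTIL_OUTPUT" "$n"; then
        echo "$n: trusted CA (SSL flags contain C and T)"
    else
        echo "$n: not trusted as CA, SSL flags='$(ssl_trust_flags "$SAMPLE_CERTUTIL_OUTPUT" "$n")'"
    fi
done
```

An end-entity certificate such as "east" is expected to show "u" (private key present) rather than CT, so only CA nicknames should be flagged when their SSL field lacks those bits.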
