On Wed, 23 Jan 2019, Kostya Vasilyev wrote:

> Were you exporting keys that are part of some certificates?

Yes this is possible (and importing too).

> But in this case here I'm dealing with "standalone" keys - not keys which are 
> part of certificates - and this does not seem possible.

You can use certutil -d sql:/etc/ipsec.d -K to list all the raw keys,
even those that came in via PKCS#12 imports. That lists the CKAID,
which you can use to load the key, e.g. leftckaid=.....

But a CKAID is not a public key format that the other endpoint can use,
so to get the public key in base64 format, you can use:
ipsec showhostkey --left --ckaid ....

I don't know how the remote expects its public key format, there is not
a great standard for this.

> I can't use certificate auth because of some issues on Mikrotik side (it seems to want 
> "something" in subjectAltName but I can't figure out what... a Mikrotik forum 
> post is pending moderation).

Whatever the IDs used in IKE are, those should appear as SubjectAltName
in the certificate. So if your [email protected] you need a DNS:foo.bar
SAN. Same goes for not using any leftid= which means it is using its IP
address as ID, so you need an IP:a.b.c.d SAN.

The only exception is if you are using a Distinguished Name (DN) as ID.
In that case, the DN of the certificate is matched as a whole to the ID.

Paul
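As an added illustration of the SAN rule Paul describes (this is example code, not part of the thread and not libreswan's own code), the check below maps an IKE ID to the SubjectAltName entry the peer's certificate must carry, or to a whole-subject comparison for a DN ID. It assumes libreswan's leftid= spellings ('@fqdn', 'user@host', a bare IP, or a DN) and takes the SAN and subject lines in the form `openssl x509 -noout -ext subjectAltName` / `-subject` print them; the sample values are constructed.

```python
import ipaddress

# Constructed sample values, not taken from the original message: what
# `openssl x509 -noout -ext subjectAltName` and `-subject` might print.
SAMPLE_SAN_LINE = "DNS:vpn.example.test, IP Address:198.51.100.7, email:admin@example.test"
SAMPLE_SUBJECT = "C=XX, O=Example, CN=vpn.example.test"


def parse_san(line):
    """Split 'DNS:a, IP Address:b, email:c' into (type, value) pairs."""
    pairs = []
    for item in line.split(","):
        kind, _, value = item.strip().partition(":")
        if kind and value:
            pairs.append((kind.strip(), value.strip()))
    return pairs


def expected_san(ike_id):
    """Map the ID IKE sends to the SAN entry it must find in the peer's cert.
    Assumed libreswan leftid= syntax: '@fqdn' is an FQDN ID, 'user@host' an
    e-mail ID, a bare address is an IP ID (also what is used when leftid= is
    unset), anything else is taken as a Distinguished Name."""
    if ike_id.startswith("@"):
        return ("DNS", ike_id[1:])
    try:
        return ("IP Address", str(ipaddress.ip_address(ike_id)))
    except ValueError:
        pass
    if "@" in ike_id:
        return ("email", ike_id)
    return ("DN", ike_id)


def normalize_dn(dn):
    """Strip spacing differences so two DN spellings compare as a whole."""
    return ",".join(part.strip() for part in dn.split(","))


def cert_satisfies_id(ike_id, san_line, subject_dn):
    """True if the certificate carries what IKE will look for under this ID."""
    kind, value = expected_san(ike_id)
    if kind == "DN":
        # A DN ID is matched against the whole certificate subject, not a SAN.
        return normalize_dn(value) == normalize_dn(subject_dn)
    for san_kind, san_value in parse_san(san_line):
        if san_kind == kind and san_value.lower() == value.lower():
            return True
    return False
```

Running the check against a real certificate before raising the tunnel shows whether the missing "something" is a DNS, IP or email SAN for the ID actually being sent.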
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan