Hi Dariusz,

>>> Does it use the information in /etc/ipsec.secrets or is there another
>>> way?
>>
>> It doesn't. You have to decrypt the key to use it with scepclient.
>
> Thank you Tobias. I guess I was misled by the fact that there are
> traces of an attempt to implement this (like a call to pem_decrypt if
> a passphrase has been returned from the enumerator).

That's just the generic code in the pem plugin, which does support encrypted keys and expects a credential set to provide the password. The scepclient utility could be extended to support that (like e.g. the pki tool does), but it's currently just not implemented (also see [1]).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Scepclient
