On Tue, Feb 12, 2019, at 3:53 PM, Kostya Vasilyev wrote:
> Hi,
>
> I'm looking at converting my existing "legacy" host to host
> configuration to new based on:
>
> https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/
>
> My current config (legacy format):
>
> newtun.conf
>
> conn mytunnel
>     left=139.0.0.1
>     right=%any
>     authby=rsasig
>     compress=no
>     type=transport
>     leftprotoport=47/0
>     rightprotoport=47/0
>     auto=add
>     ike=aes128-sha256-modp2048
>     esp=aes128-sha256-modp2048
>     rightcert=newtun_client_1.pem
>     leftcert=newtun_server_1.pem
>     dpddelay=30
>     dpdtimeout=120
>     ikev2=insist
>
> newtun.secrets
>
> : RSA newtun_server_1.pem
>
> I have CA and client and server certs in subdirectories under
> /etc/ipsec.d, it all works.
>
> My question is - right now the private key of the server's (StrongSwan)
> certificate is required in a *.secrets file. There is no automatic
> loading from /etc/ipsec.d/private.
>
> Where do you put the private key with the new format? I don't see it in
> swanctl.conf
>
> https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.confauth

The right link is:

https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.conf

Oops!

>
> And a "meta" - is there any benefit to the "new" format configuration?
>
> --
> Kostya Vasilyev
> [email protected]
