On 2/12/19 7:53 AM, Kostya Vasilyev wrote:
> Hi,
>
> I'm looking at converting my existing "legacy" host to host configuration to
> new based on:
>
> https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/
>
> My current config (legacy format):
>
> newtun.conf
>
> conn mytunnel
>     left=139.0.0.1
>     right=%any
>     authby=rsasig
>     compress=no
>     type=transport
>     leftprotoport=47/0
>     rightprotoport=47/0
>     auto=add
>     ike=aes128-sha256-modp2048
>     esp=aes128-sha256-modp2048
>     rightcert=newtun_client_1.pem
>     leftcert=newtun_server_1.pem
>     dpddelay=30
>     dpdtimeout=120
>     ikev2=insist
>
> newtun.secrets
>
> : RSA newtun_server_1.pem
>
> I have CA and client and server certs in subdirectories under /etc/ipsec.d,
> it all works.
>
> My question is - right now the private key of the server's (StrongSwan)
> certificate is required in a *.secrets file. There is no automatic loading
> from /etc/ipsec.d/private.
>
> Where do you put the private key with the new format? I don't see it in
> swanctl.conf
>
> https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.confauth
>
This is a bit dependent on which distro (for instance, CentOS/RHEL
stuffs everything in /etc/strongswan/, but others split each subdir to
their own dir in /etc) BUT:

RHEL:
  /etc/strongswan/swanctl/private/

"exploded" subdirs:
  /etc/swanctl/private/

And likewise, your certs can be moved from /etc/ipsec.d to their
appropriate analog dir under the swanctl directory.
The following is RHEL, adjust per your use case as needed:
# tree /etc/strongswan/swanctl/
/etc/strongswan/swanctl/
├── bliss
├── conf.d
├── ecdsa
├── pkcs12
├── pkcs8
├── private
│   └── key.pem
├── pubkey
├── rsa
├── swanctl.conf
├── x509
│   └── cert.pem
├── x509aa
├── x509ac
├── x509ca
│   └── ca.pem
├── x509crl
└── x509ocsp

I believe you should see this reproduced in the test cases.
If they are placed in their respective directories, you can reference
them relatively:
_____
connections {
    pki {
        (...)
        local {
            auth = pubkey
            certs = cert.pem
        }
        remote {
            auth = pubkey
            cacerts = ca.pem
        }
        (...)
    }
}
(...)
secrets {
    private_pki {
        file = key.pem
    }
}
_____
BUT I believe you can also use absolute paths if you don't want to use
the provided directory structure - at least for the secrets you can.
> And a "meta" - is there any benefit to the "new" format configuration?
>
I don't think there are any plans to obsolete the ipsec.conf format? One
of the developers can probably weigh in if so.
I personally prefer the swanctl.conf format because it's just a lot
easier to parse, at least visually, for me. I'm not aware of any
explicit benefit or advantage.
--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
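The legacy "conn mytunnel" from the quoted question, rewritten for swanctl.conf using the relative file references described in the reply. This is an added example, not code from the thread or from strongSwan's test suite. Assumptions: the "exploded" layout under /etc/swanctl/ (on RHEL/CentOS substitute /etc/strongswan/swanctl/), a CA file named newtun_ca.pem (the question does not name it), and the server key stored under the same file name as in the legacy secrets file. The "dynamic[gre]" traffic selector is the swanctl spelling of the legacy protoport 47/0; "[47]" works as well.

```conf
# Added example: legacy newtun.conf translated to swanctl.conf.
# Assumed file layout (newtun_ca.pem is a placeholder name):
#   /etc/swanctl/x509/newtun_server_1.pem      server certificate (leftcert)
#   /etc/swanctl/x509/newtun_client_1.pem      pinned client certificate (rightcert)
#   /etc/swanctl/x509ca/newtun_ca.pem          CA certificate (assumed name)
#   /etc/swanctl/private/newtun_server_1.pem   server private key, root:root 0600
connections {
    mytunnel {
        version = 2                            # ikev2=insist
        local_addrs  = 139.0.0.1               # left=
        remote_addrs = %any                    # right=
        proposals = aes128-sha256-modp2048     # ike=
        dpd_delay = 30s                        # dpddelay=
        # dpdtimeout= has no IKEv2 equivalent: swanctl's dpd_timeout only
        # applies to IKEv1; IKEv2 gives up after the retransmission timeout.
        local {
            auth = pubkey                      # authby=rsasig
            certs = newtun_server_1.pem        # leftcert=, relative to swanctl/x509
        }
        remote {
            auth = pubkey
            certs = newtun_client_1.pem        # rightcert=, pins the peer certificate
            cacerts = newtun_ca.pem            # relative to swanctl/x509ca (assumed name)
        }
        children {
            mytunnel {
                mode = transport               # type=transport
                local_ts  = dynamic[gre]       # leftprotoport=47/0
                remote_ts = dynamic[gre]       # rightprotoport=47/0
                esp_proposals = aes128-sha256-modp2048   # esp=
                start_action = none            # auto=add
            }
        }
    }
}

# The legacy ": RSA newtun_server_1.pem" line has no equivalent: every key in
# swanctl/private is picked up by "swanctl --load-creds". A private<suffix>
# section under secrets is only needed when the key file is encrypted, and
# then it carries the passphrase for that file:
#
# secrets {
#     private-newtun {
#         file = newtun_server_1.pem
#         secret = "passphrase"
#     }
# }
```

After copying the files into place, run `swanctl --load-all` (or `--load-creds` and `--load-conns` separately) and check with `swanctl --list-certs` that the server certificate is listed together with its private key and that the CA certificate appears as a trusted CA; `swanctl --list-conns` then shows the translated connection. Keep the private key file readable by root only, since swanctl loads anything it finds in that directory.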