On Wed, Feb 13, 2019, at 11:39 AM, Tobias Brunner wrote:
> Hi Kostya,
>
> > It was the conf syntax I was after :)
> >
> > I now see it in the docs for swanctl.conf under "secrets.private<suffix>
> > section".
>
> You only have to configure private keys in such sections if they are
> password protected (and you can't or don't want to provide the password
> interactively) or if they are not stored in the default directories.
> All keys and certificates in the default directories are loaded
> automatically by --load-creds (the tool will prompt the user for
> passwords for protected keys unless --noprompt is given).

What about automatic startup?

systemctl start strongswan strongswan-swanctl

Will that also load all certs and keys automatically from default directories?

> > Now how can I specify the protocol (GRE in my case, proto 47)?
> >
> > Does that go into local_ts / remote_ts? Does it mean I have to put local
> > and remote IPs in two places
>
> Yes, traffic selectors are configured with these settings. To
> automatically use the IKE endpoints (or virtual IP) in a TS, you can use
> the 'dynamic' keyword (e.g. local_ts = dynamic[47] or remote_ts =
> dynamic[gre]). An example can even be found in our test suite [1].

Thank you, nice to not have to duplicate the IPs.

-- 
K
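The two settings discussed in this thread, combined in one swanctl.conf sketch. This is an added example, not configuration posted by either participant or taken from the strongSwan test suite; the connection name, addresses, identities, file names and the transport-mode choice are all assumptions.

```conf
# Added example: every name, address and file below is a constructed placeholder.
connections {
    gre-peer {
        # The IKE endpoints are given once, here.
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1

        local {
            auth  = pubkey
            certs = gwA-cert.pem        # assumed file in the default x509 directory
            id    = gw-a.example.org
        }
        remote {
            auth = pubkey
            id   = gw-b.example.org
        }
        children {
            gre {
                mode = transport        # assumption: protect GRE between the two hosts
                # 'dynamic' resolves to the IKE endpoints above, so the IPs are
                # not repeated; [gre] (same as [47]) limits the selector to GRE.
                local_ts  = dynamic[gre]
                remote_ts = dynamic[gre]
                start_action = trap     # assumption: negotiate on first GRE packet
            }
        }
    }
}

secrets {
    # Needed only when the key is password protected (and no interactive
    # prompt is possible) or is stored outside the default directories.
    private-gwA {
        file   = gwA-key.pem            # assumed name in the default private directory
        secret = "PLACEHOLDER-PASSPHRASE"
    }
}
```

Because a `secrets.private<suffix>` section carries the key passphrase in clear text, swanctl.conf should be readable by root only.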
