On Wed, Feb 13, 2019, at 2:25 PM, Kostya Vasilyev wrote:
> Tobias
>
> On Wed, Feb 13, 2019, at 11:39 AM, Tobias Brunner wrote:
> > Hi Kostya,
> >
> > > It was the conf syntax I was after :)
> > >
> > > I now see it in the docs for swanctl.conf under "secrets.private<suffix>
> > > section".
> >
> > You only have to configure private keys in such sections if they are
> > password protected (and you can't or don't want to provide the password
> > interactively) or if they are not stored in the default directories.
> > All keys and certificates in the default directories are loaded
> > automatically by --load-creds (the tool will prompt the user for
> > passwords for protected keys unless --noprompt is given).
>
> What about automatic startup?
>
> systemctl start strongswan strongswan-swanctl
>
> Will that also load all certs and keys automatically from default directories?

Hmm, there is no strongswan-swanctl service on Debian (buster / testing)...

I'm looking at this

https://wiki.strongswan.org/projects/strongswan/wiki/Swanctl

and sorry not sure if I understand...

The "old" format config files - get loaded automatically when strongswan itself is started, let's say with

systemctl start strongswan

But a new format file (I put one into /etc/swanctl/conf.d) didn't get loaded by "restart strongswan" - it only loaded after I manually did "swanctl --load-conns".

Am I missing something about automatically loading swanctl format files when the strongswan service starts?

In Fedora (my home system) there is a strongswan-swanctl service:

ExecStart=/usr/sbin/charon-systemd
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
ExecReload=/usr/sbin/swanctl --reload

the "--load-all" seems totally appropriate...

Does this look like a Debian packaging error - I mean there is supposed to be a swanctl *service* but it's missing for some reason?

-- K
