Hi Tobias,

Ah, ok, you're suggesting to use a single private key and use it for the CSRs/Certificates? Have not tried to use it before, but this is a test environment, so that could work.

Thanks,
Roberts

On Thu, 4 Apr 2019 at 16:17, Roberts Pakalns <[email protected]> wrote:

> Hi Tobias,
>
> Thank you! I guess this answers it.
>
> We're using Strongswan to simulate many unique ipsec peers to the same
> firewall which acts as the hub. It's not a real life scenario.
>
> Thanks,
> Roberts
>
>
> On Thu, 4 Apr 2019 at 15:28, Tobias Brunner <[email protected]> wrote:
>
>> Hi Roberts,
>>
>> > Description: I want to set up 2000 IKEv2 cert based tunnels.
>>
>> And you need to use separate private keys for each tunnel to identify
>> your peer/host?
>>
>> > Problem: After applying the configuration, I see that load of private
>> > keys cannot finish as ipsec is restarting after 10s.
>>
>> That timeout is hardcoded in starter (invokecharon.c). You could try
>> charon-systemd/swanctl as alternative (but there might be a timeout too
>> if the credentials are loaded via systemd unit).
>>
>> But again, why would you need to load that many private keys in the
>> first place?
>>
>> Regards,
>> Tobias
>>
>
>
> --
> Roberts
>

--
Roberts
