Hello Christoph,

Yes, use pubkeys = <filename>. The man page for swanctl.conf expands on this:

>       connections.<conn>.local<suffix>.pubkeys []
>              Comma separated list of raw public key candidates to use for au‐
>              thentication. The public keys may use a relative path  from  the
>              swanctl pubkey directory or an absolute path.
>
>              Even though multiple local public keys could be defined in prin‐
>              ciple, only the first public key in the list is used for authen‐
>              tication.

>> The documentation isn't totally clear about it and tells me the pubkeys 
>> configuration is for raw keys (does it mean file names of pem/der encoded 
>> keys?).

Raw public keys are just simple public keys, e.g. certificates aren't raw 
public keys (because they are a public key, metadata and the signature over it 
generated by signing it with a private key).
So the file would contain a public key, encoded in DER or PEM format.

Kind regards

Noel

Am 26.10.20 um 15:57 schrieb Christoph Harder:
> Hello Noel,
> 
> just to be sure, I use pubkeys = <filename> to specify the keys or rather the 
> pem files containing them?
> Or should the key be somehow encoded and put as string in the swanctl.conf 
> file?
> The documentation isn't totally clear about it and tells me the pubkeys 
> configuration is for raw keys (does it mean file names of pem/der encoded 
> keys?).
> 
> Thank you in advance.
> -Christoph
> 
> 
> Am 25.10.2020 um 22:03 schrieb Noel Kuntze:
>> Hi Christoph,
>>
>> Specify the keys using connections.<conn>.local<suffix>.pubkeys and 
>> connections.<conn>.remote<suffix>.pubkeys.
>>
>> Afterwards, check the output and the log file (best if you enable debug 
>> logging like shown on the HelpRequests page)
>> to see if the public keys were loaded and the private keys, too.
>>
>> Kind regards
>>
>> Noel
>>
>> Am 25.10.20 um 21:11 schrieb Christoph Harder:
>>> Hello everyone,
>>>
>>> I wish to create an IPSEC v2 connection and use two authentication rounds, 
>>> both with asymmetric key pairs (one round using ECDSA followed by one round 
>>> using BLISS).
>>> Since BLISS is rather new I would like the second round as safeguard in 
>>> case the near future shows any fatal flaws in BLISS.
>>> However at the moment I receive the following message when I try to 
>>> initiate a connection.
>>>
>>> [IKE] no private key found for 'xyz_ecdsa'
>>>
>>> The private keys are stored as /bliss/xyz_bliss.pem and 
>>> /ecdsa/xyz_ecdsa.pem and the matching (same file name) public keys are 
>>> stored in /pubkeys.
>>> When I load the keys, e.g. using swanctl --load-creds the keys are listed 
>>> and no error message shows up.
>>>
>>> In the swanctl.conf the authentication rounds are defined like this (with 
>>> matching remote authentication rounds):
>>> local-1 {
>>>     id = xyz_ecdsa
>>>     auth = pubkey
>>>     round = 1
>>> }
>>> local-2 {
>>>     id = xyz_bliss
>>>     auth = pubkey
>>>     round = 2
>>> }
>>>
>>> The private keys don't have a passphrase and are not listed in the secrets 
>>> section.
>>>
>>> The private key file /ecdsa/xyz_ecdsa.pem looks like this:
>>> -----BEGIN EC PRIVATE KEY-----
>>> ...
>>> -----END EC PRIVATE KEY-----
>>>
>>> and the public key file /pubkey/xyz_ecdsa.pem looks like this:
>>> -----BEGIN PUBLIC KEY-----
>>> ...
>>> -----END PUBLIC KEY-----
>>>
>>> The keys have been generated using the pki tool.
>>>
>>> Can you give me any hints on what I might be doing wrong?
>>> Are two rounds even supported when using auth = pubkey in both rounds?
>>> Do I need to tell strongswan somehow to associate the key files with the id?
>>>
>>> Best regards,
>>> Christoph
>>>
>>

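Putting Noel's answer together with Christoph's two-round layout, as an added example that is not part of this thread: a swanctl.conf connection block in which each local and remote round names its raw public key file via pubkeys, relative to the swanctl pubkey directory as the quoted man page describes. The connection name, peer address, peer identities and the peer key file names are assumed placeholders.

```conf
# Added example (not from the thread): two pubkey authentication rounds,
# each tied to its raw public key file via "pubkeys". The connection name,
# peer address, peer identities and peer key file names are assumptions.
connections {
    xyz {
        # assumed peer address
        remote_addrs = peer.example.org

        # Round 1: ECDSA. pubkeys is a path relative to the swanctl pubkey
        # directory; an absolute path is also allowed per the man page.
        local-1 {
            auth = pubkey
            id = xyz_ecdsa
            pubkeys = xyz_ecdsa.pem
            round = 1
        }
        remote-1 {
            auth = pubkey
            id = peer_ecdsa
            pubkeys = peer_ecdsa.pem
            round = 1
        }

        # Round 2: BLISS, the additional round meant as a safeguard.
        local-2 {
            auth = pubkey
            id = xyz_bliss
            pubkeys = xyz_bliss.pem
            round = 2
        }
        remote-2 {
            auth = pubkey
            id = peer_bliss
            pubkeys = peer_bliss.pem
            round = 2
        }

        children {
            net {
                # child SA settings (traffic selectors etc.) as in the
                # rest of your configuration
            }
        }
    }
}
```

After `swanctl --load-creds` and `swanctl --load-conns`, `swanctl --list-pubkeys` shows which raw public keys were actually loaded, which complements the log check Noel recommends.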