On Tue, Feb 12, 2019, at 4:32 PM, brent s. wrote:
> On 2/12/19 7:53 AM, Kostya Vasilyev wrote:
> > Hi,
> > 
> > I'm looking at converting my existing "legacy" host-to-host configuration 
> > to the new format based on:
> > 
> > https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/
> > 
> > My current config (legacy format):
> > 
> > newtun.conf
> > 
> > conn mytunnel
> >     left=139.0.0.1
> >     right=%any
> >     authby=rsasig
> >     compress=no
> >     type=transport
> >     leftprotoport=47/0
> >     rightprotoport=47/0
> >     auto=add
> >     ike=aes128-sha256-modp2048
> >     esp=aes128-sha256-modp2048
> >     rightcert=newtun_client_1.pem
> >     leftcert=newtun_server_1.pem
> >     dpddelay=30
> >     dpdtimeout=120
> >     ikev2=insist
> > 
> > newtun.secrets
> > 
> >  : RSA newtun_server_1.pem
> > 
> > I have CA and client and server certs in subdirectories under /etc/ipsec.d, 
> > it all works.
> > 
> > My question is - right now the private key of the server's (StrongSwan) 
> > certificate is required in a *.secrets file. There is no automatic loading 
> > from /etc/ipsec.d/private.
> > 
> > Where do you put the private key with the new format? I don't see it in 
> > swanctl.conf
> > 
> > https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.confauth
> > 
> 
> This is a bit dependent on which distro (for instance, CentOS/RHEL
> stuffs everything in /etc/strongswan/, but others split each subdir to
> their own dir in /etc) BUT
> 
> RHEL:
> /etc/strongswan/swanctl/private/
> 
> "exploded" subdirs:
> /etc/swanctl/private/
> 
> And likewise, your certs can be moved from /etc/ipsec.d to their
> appropriate analog dir under the swanctl directory.
> 
> [snip]

Right, I understand the directories.

> If they are placed in their respective directories, you can reference
> them relatively:
> 
> _____
> connections {
>     pki {
>     (...)
>         local {
>             auth = pubkey
>             certs = cert.pem
>         }
>         remote {
>              auth = pubkey
>              cacerts = ca.pem
>         }
>     (...)
>     }
> }
> (...)
> secrets {
>     private_pki {
>         file = key.pem
>     }
> }
> _____

It was the conf syntax I was after :)

I now see it in the docs for swanctl.conf under "secrets.private<suffix> 
section".

Now how can I specify the protocol (GRE in my case, proto 47)?

Does that go into local_ts / remote_ts? Does it mean I have to put local and 
remote IPs in two places?

first under

connections { <conn> {
    local_addrs = 139.0.0.1
    remote_addrs = 88.0.0.1
} }

and then under 

connections { <conn> { children { <child> {
    local_ts = 139.0.0.1[47/0]
    remote_ts = 88.0.0.1[47/0]
} } } }

??? Is there some way to just say "I want GRE" as it's possible with the old 
format?

-- K
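As an added example that is not part of this thread or of strongSwan's own test suite, here is the legacy "mytunnel" conn above translated to swanctl.conf, with the GRE restriction carried by the child traffic selectors rather than by separate address lines. The peer address 88.0.0.1 and the key file name newtun_server_1.key are assumptions; the certificate file names are the ones from the legacy config.

```ini
# swanctl.conf -- added example, not from the thread. Maps the legacy
# "mytunnel" conn: IKEv2, RSA certificate auth, transport mode, GRE only.
# Assumed: peer address 88.0.0.1 and the private key file name.
connections {
    mytunnel {
        version = 2                         # ikev2=insist
        local_addrs  = 139.0.0.1            # left=
        remote_addrs = 88.0.0.1             # right= (%any accepts any peer)
        proposals = aes128-sha256-modp2048  # ike=
        dpd_delay = 30s                     # dpddelay= (dpdtimeout has no IKEv2 equivalent)
        local {
            auth = pubkey                   # authby=rsasig
            certs = newtun_server_1.pem     # leftcert=, resolved against swanctl/x509/
        }
        remote {
            auth = pubkey
            certs = newtun_client_1.pem     # rightcert=, pins the peer to this cert
        }
        children {
            gre {
                mode = transport            # type=transport
                # leftprotoport=47/0 / rightprotoport=47/0 become a protocol
                # restriction on the selectors. "dynamic" stands for the
                # address the IKE_SA is negotiated from, so the IPs from
                # local_addrs/remote_addrs are not repeated. dynamic[47] is
                # equivalent; protocol names resolve through /etc/protocols.
                local_ts  = dynamic[gre]
                remote_ts = dynamic[gre]
                esp_proposals = aes128-sha256-modp2048  # esp=
                start_action = none         # auto=add (the default)
            }
        }
    }
}

secrets {
    # Replaces ": RSA newtun_server_1.pem" from newtun.secrets. Keys placed in
    # swanctl/private/ (e.g. /etc/swanctl/private/ or
    # /etc/strongswan/swanctl/private/) are picked up by `swanctl --load-creds`
    # without this section; it is only needed for a key stored elsewhere or
    # protected by a passphrase (add "secret = ...").
    private-server {
        file = newtun_server_1.key
    }
}
```

Load it with `swanctl --load-all` and check `swanctl --list-conns`: the child should show `local: dynamic[gre]` / `remote: dynamic[gre]`. Once the CHILD_SA is up, `swanctl --list-sas` and `ip xfrm policy` should show `proto gre` on the installed policies. Note that only GRE is protected: ICMP or TCP between the two hosts still travels in the clear, which is easy to confirm with tcpdump on the outer interface. If you prefer explicit addresses, `139.0.0.1[gre]` / `88.0.0.1[gre]` work too, at the cost of repeating the IPs.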
