On Tue, Feb 12, 2019, at 4:32 PM, brent s. wrote:
> On 2/12/19 7:53 AM, Kostya Vasilyev wrote:
> > Hi,
> >
> > I'm looking at converting my existing "legacy" host to host configuration
> > to new based on:
> >
> > https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/
> >
> > My current config (legacy format):
> >
> > newtun.conf
> >
> > conn mytunnel
> >     left=139.0.0.1
> >     right=%any
> >     authby=rsasig
> >     compress=no
> >     type=transport
> >     leftprotoport=47/0
> >     rightprotoport=47/0
> >     auto=add
> >     ike=aes128-sha256-modp2048
> >     esp=aes128-sha256-modp2048
> >     rightcert=newtun_client_1.pem
> >     leftcert=newtun_server_1.pem
> >     dpddelay=30
> >     dpdtimeout=120
> >     ikev2=insist
> >
> > newtun.secrets
> >
> > : RSA newtun_server_1.pem
> >
> > I have CA and client and server certs in subdirectories under /etc/ipsec.d,
> > it all works.
> >
> > My question is - right now the private key of the server's (StrongSwan)
> > certificate is required in a *.secrets file. There is no automatic loading
> > from /etc/ipsec.d/private.
> >
> > Where do you put the private key with the new format? I don't see it in
> > swanctl.conf
> >
> > https://www.strongswan.org/testing/testresults/swanctl/host2host-transport/moon.swanctl.confauth
> >
>
> This is a bit dependent on which distro (for instance, CentOS/RHEL
> stuffs everything in /etc/strongswan/, but others split each subdir to
> their own dir in /etc) BUT
>
> RHEL:
> /etc/strongswan/swanctl/private/
>
> "exploded" subdirs:
> /etc/swanctl/private/
>
> And likewise, your certs can be moved from /etc/ipsec.d to their
> appropriate analog dir under the swanctl directory.
>
> [snip]
Right, I understand the directories.

> If they are placed in their respective directories, you can reference
> them relatively:
>
> _____
> connections {
>     pki {
>         (...)
>         local {
>             auth = pubkey
>             certs = cert.pem
>         }
>         remote {
>             auth = pubkey
>             cacerts = ca.pem
>         }
>         (...)
>     }
> }
> (...)
> secrets {
>     private_pki {
>         file = key.pem
>     }
> }
> _____

It was the conf syntax I was after :)

I now see it in the docs for swanctl.conf under "secrets.private<suffix> section".

Now how can I specify the protocol (GRE in my case, proto 47)?

Does that go into local_ts / remote_ts?

Does it mean I have to put local and remote IPs in two places, first under

connections {
    local_addrs 139.0.0.1
    remote_addrs 88.0.0.1
}

and then under

connections {
    <conn> {
        children <child> {
            local_ts 139.0.0.1[47/0]
            remote_ts 88.0.0.1[47/0]
        }

???

Is there some way to just say "I want GRE" as it's possible with the old format?

-- 
K
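For reference, the following is one way the legacy newtun.conf quoted above maps onto swanctl.conf, with the traffic selectors restricted to GRE. This is an added example, not part of the list thread or strongSwan's own documentation: the child name `gre`, the key file name `newtun_server_1.key`, and the use of the swanctl.conf `[<proto>]` selector suffix (`[gre]`, or the numeric `[47]`) with the port part omitted for a port-less protocol are assumptions to check against the swanctl.conf man page of the installed version.

```conf
# /etc/swanctl/swanctl.conf  (RHEL: /etc/strongswan/swanctl/swanctl.conf)
# Certificates go in swanctl/x509/, the CA in swanctl/x509ca/ and the server
# key in swanctl/private/; all three are picked up by `swanctl --load-creds`.
connections {
    mytunnel {
        version = 2                          # ikev2=insist
        local_addrs  = 139.0.0.1             # left=139.0.0.1
        remote_addrs = %any                  # right=%any (the default)
        proposals = aes128-sha256-modp2048   # ike=aes128-sha256-modp2048
        dpd_delay = 30s                      # dpddelay=30
        # dpdtimeout=120 has no IKEv2 equivalent: IKEv2 liveness uses the
        # normal retransmission timeouts, so it is intentionally not mapped.

        local {
            auth = pubkey                    # authby=rsasig
            certs = newtun_server_1.pem      # leftcert, relative to swanctl/x509/
        }
        remote {
            auth = pubkey
            certs = newtun_client_1.pem      # rightcert, pins the peer certificate
        }

        children {
            gre {                            # assumed child name
                mode = transport             # type=transport
                esp_proposals = aes128-sha256-modp2048   # esp=...
                ipcomp = no                  # compress=no (the default)
                # leftprotoport=47/0 / rightprotoport=47/0:
                # "dynamic" stands for the address each side uses for IKE, so
                # the addresses are not repeated here; "[gre]" narrows the
                # selector to IP protocol 47 (assumed suffix form, see lead-in).
                local_ts  = dynamic[gre]
                remote_ts = dynamic[gre]
                start_action = none          # auto=add (the default)
            }
        }
    }
}

# Only needed when the key is not in swanctl/private/ or is encrypted;
# otherwise `swanctl --load-creds` loads it without a secrets section.
# secrets {
#     private-newtun {
#         file = newtun_server_1.key         # assumed file name
#     }
# }
```

After editing, reload with `swanctl --load-creds` and `swanctl --load-conns`, then confirm the negotiated selectors with `swanctl --list-sas`, which prints the protocol restriction next to each traffic selector.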