[Swan-dev] multiple RSA keys for rollover, ipsec.secrets, ckaid issues

Paul Wouters paul at nohats.ca
Thu Apr 13 01:37:37 UTC 2017

I am looking at ensuring that RSA key rollover works. This is supposed
to be supported via leftrsasigkey= and leftrsasigkey2=

We had no tests that used leftrsasigkey2=

I added two tests for this and it seems that the secrets code cannot
associate them both to the connection? Does anyone remember if this ever
worked on freeswan/openswan without specifically marking the RSA secret
entries differently? Since we will be using FQDN, the two entries will
have the same identifier (either the default or the FQDN)

So the problem is, if ipsec.secrets contains:

: RSA	{

# do not change the indenting of that "}"
: RSA	{

# do not change the indenting of that "}"

I would expect to be able to load both keys using:

conn test

Currently, only the first key is loaded.

Additionally, we have another problem in that we are supposed to not
need any of these and just pull the right key from NSS. But it seems
I also get problems with RAW RSA keys if these do not have an
ipsec.secrets entry.

And lastly, it seems we have have the leftckaid= which I prefer as the
keyid is much shorter and algorithm indepedent, but it seems we never
added leftckaid2= similar to leftrsasigkey2 ?

If anyone remembers some history here, I'd be very curious to hear it :)


More information about the Swan-dev mailing list