[Swan] Certificate confusion (fwd)
Paul Wouters
paul at nohats.ca
Sat May 30 00:20:00 EEST 2015
On Fri, 29 May 2015, Matt Rogers wrote:
>> conn HomeToVoip
>> leftid=%fromcert
>> leftcert=192.168.200.11
>> leftrsasigkey=%cert
>> rightrsasigkey=%cert
>> leftsendcert=always
>> leftrsasigkey2=EFW-main
Is left the main office or the home (aka you)? The end that is you
should have *sendcert=always.
You should not set leftrsasigkey2 - that is for key rollover scenarios.
>> leftcert is picked automatically. rightcert can be changed in the config
>> - have tried all permutations.
>> conn Test
>> left=192.168.201.11
>> right=5.6.7.8
>> rightsubnet=192.168.97.0/24
>> leftcert=192.168.200.11cert.pem
>> rightcert=Endian-Certcert.pem
I'm confused why the strongswan end has two certs from disk. One should
come via IKE normally. Although you can have both.
> I think your assignment of left/right is mixed up here. You should
> designate one side as left and one side as right for both
That should not matter, as long as you don't get things confused :)
Paul
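The two conn blocks below are an added illustration of the advice in this message, not config posted by anyone in the thread: the libreswan end with the leftrsasigkey2 line dropped, and a strongswan end that loads only its own certificate from disk and takes the peer's certificate from the IKE exchange. The addresses and subnet are the ones quoted above; the certificate nicknames, file name and the peer DN are placeholders and are assumptions.

```ini
# --- libreswan side (home, "left" = this host) --------------------------
# Assumed: our own cert is imported into the NSS database under the
# nickname "home-cert"; the CA that issued both ends' certs is imported too.
conn HomeToVoip
    left=192.168.200.11
    right=5.6.7.8
    rightsubnet=192.168.97.0/24
    leftcert=home-cert
    leftid=%fromcert
    rightid=%fromcert
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    # the end that is "you" sends its cert unconditionally
    leftsendcert=always
    # require the peer cert to chain to the same CA as ours
    rightca=%same
    # NOT set: leftrsasigkey2=...  (only for key rollover scenarios)
    auto=add

# --- strongswan side (office, "left" = this host) -----------------------
# Assumed: /etc/ipsec.d/certs/office-cert.pem is our own cert, the CA cert
# is in /etc/ipsec.d/cacerts/, and the peer's subject DN is as shown.
conn Test
    left=5.6.7.8
    leftsubnet=192.168.97.0/24
    right=192.168.200.11
    leftcert=office-cert.pem
    leftsendcert=always
    # NOT set: rightcert=...  the peer's cert arrives via IKE and is
    # checked against the trusted CA; rightid pins which cert we accept
    rightid="C=XX, O=Example, CN=home-gateway"   # placeholder DN
    auto=add
```

With rightcert left out on the strongswan end there is one certificate from disk per side, the peer's certificate is validated against the cacerts directory when it arrives in IKE, and rightid keeps a random certificate from the same CA from being accepted. Which side is called left is a matter of consistency within each host's own file, as the message says; only the sendcert and rightcert settings care about which end is "you".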