[Swan] Certificate confusion (fwd)

Paul Wouters paul at nohats.ca
Sat May 30 00:20:00 EEST 2015


On Fri, 29 May 2015, Matt Rogers wrote:

>> conn HomeToVoip
>>     leftid=%fromcert
>>     leftcert=192.168.200.11
>>     leftrsasigkey=%cert

>>     rightrsasigkey=%cert
>>     leftsendcert=always
>>     leftrsasigkey2=EFW-main

Is left the main office or the home (aka you)? The end that is you
should have *sendcert=always.

You should not set leftrsasigkey2 - that is for key rollover scenarios.

>> leftcert is picked automatically. rightcert can be changed in the config
>> - have tried all permutations.

>> conn Test
>>     left=192.168.201.11
>>     right=5.6.7.8
>>     rightsubnet=192.168.97.0/24
>>     leftcert=192.168.200.11cert.pem
>>     rightcert=Endian-Certcert.pem

I'm confused why the strongswan end has two certs from disk. One should
come via IKE normally. Although you can have both.

> I think your assignment of left/right is mixed up here. You should
> designate one side as left and one side as right for both

That should not matter, as long as you get the things not confused :)

Paul
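Pulling the points above into a single conn, as an added example that is not from the thread (a libreswan-style ipsec.conf fragment; the addresses, subnet and certificate nicknames are assumed):

```ini
# Added example, not from the mailing list thread. The home end is "left"
# and the office peer is "right"; addresses and cert nicknames are assumed.
conn HomeToVoip
    # this end: present our certificate and take our ID from it
    left=192.168.200.11
    leftcert=192.168.200.11
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    # peer: its certificate arrives via IKE, so no rightcert from disk;
    # accept it only if it chains to the same CA as our own certificate
    right=5.6.7.8
    rightid=%fromcert
    rightrsasigkey=%cert
    rightca=%same
    rightsubnet=192.168.97.0/24
    authby=rsasig
    auto=add
    # no leftrsasigkey2 here: that option is for key rollover only
```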

