[Swan] How to configure RSA (not preshared key) on HA (High Availability) machines?

Paul Wouters paul at nohats.ca
Thu Jan 21 22:01:57 UTC 2016


On Thu, 21 Jan 2016, ChenHao wrote:

> I have configured pre-shared keys as the authentication on the HA machines. I also know how to configure rsasig on a
> standalone machine.
> 
> Now the customer wants to support rsasig on the HA machines. Can I just copy the public key (/etc/ipsec.secrets) and private key
> (/etc/ipsec.d/*.db) from ACTIVE to overwrite the corresponding configuration on STANDBY? Then after an HA switchover,
> can the peer still connect to our HA?

Libreswan stores all private keys in its internal NSS database in
/etc/ipsec.d/*.db so you need those as well as the ipsec.secrets
containing the public raw RSA key.

If the architectures are different, you might need to use certutil to
export and import the NSS entries.

Paul
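An added example, not part of the thread and not libreswan's own tooling, of copying the key set Paul describes from ACTIVE to STANDBY: /etc/ipsec.secrets (public raw RSA key plus the CKAID that names the private key in NSS) together with the NSS database files under /etc/ipsec.d. The paths, the optional pkcs11.txt and nsspassword companions, the architecture check and the ssh transport in ship_to_standby are assumptions made for the example. The check refuses a raw copy of a legacy dbm database (cert8.db/key3.db) between different architectures, since that format is not byte-order portable; the sql format (cert9.db/key4.db) copies as-is.

```shell
#!/bin/sh
# Added example: copy libreswan raw RSA host key material from ACTIVE to STANDBY.
# Not from the original thread or from libreswan; paths and transport are assumptions.
set -eu
umask 077   # never leave a world-readable private key behind, even briefly

# Assumed locations (libreswan defaults on most distributions):
#   /etc/ipsec.secrets         public raw RSA key + CKAID of the private key in NSS
#   /etc/ipsec.d/*.db          NSS database holding the private key
#                              (cert8.db/key3.db legacy dbm, or cert9.db/key4.db sql)
#   /etc/ipsec.d/pkcs11.txt    module config of the sql-format database (if present)
#   /etc/ipsec.d/nsspassword   NSS database password file (if the DB is password-protected)
SECRETS="${SECRETS:-/etc/ipsec.secrets}"
IPSEC_D="${IPSEC_D:-/etc/ipsec.d}"

# key_files DIR: print the names of key-material files present under DIR
key_files() {
    dir="$1"
    for f in "$dir"/*.db "$dir"/pkcs11.txt "$dir"/nsspassword; do
        [ -f "$f" ] && basename "$f"
    done
    return 0
}

# copy_allowed SRC_DIR SRC_ARCH DST_ARCH: legacy dbm files (key3.db) are Berkeley DB
# and not portable across architectures; refuse a raw copy in that case.
copy_allowed() {
    src_dir="$1"; src_arch="$2"; dst_arch="$3"
    if [ "$src_arch" != "$dst_arch" ] && [ -f "$src_dir/key3.db" ]; then
        return 1
    fi
    return 0
}

# sync_keys SRC_SECRETS SRC_DIR DST_SECRETS DST_DIR SRC_ARCH DST_ARCH
# Copies the whole set (secrets file and NSS files belong together: the CKAID in
# ipsec.secrets only resolves against the matching NSS database), mode 0600.
sync_keys() {
    src_secrets="$1"; src_dir="$2"; dst_secrets="$3"; dst_dir="$4"
    src_arch="$5"; dst_arch="$6"
    if ! copy_allowed "$src_dir" "$src_arch" "$dst_arch"; then
        echo "refusing raw copy: legacy dbm NSS database, $src_arch -> $dst_arch;" >&2
        echo "export and re-import the key instead (certutil), as the reply suggests" >&2
        return 1
    fi
    mkdir -p "$dst_dir"
    cp -p "$src_secrets" "$dst_secrets"
    chmod 600 "$dst_secrets"
    for f in $(key_files "$src_dir"); do
        cp -p "$src_dir/$f" "$dst_dir/$f"
        chmod 600 "$dst_dir/$f"
    done
}

# verify_sync SRC_SECRETS SRC_DIR DST_SECRETS DST_DIR: byte-compare every copied file
verify_sync() {
    src_secrets="$1"; src_dir="$2"; dst_secrets="$3"; dst_dir="$4"
    cmp -s "$src_secrets" "$dst_secrets" || return 1
    for f in $(key_files "$src_dir"); do
        cmp -s "$src_dir/$f" "$dst_dir/$f" || return 1
    done
    return 0
}

# ship_to_standby STANDBY_HOST: run on ACTIVE; streams the set over ssh (assumes root
# ssh access). The remote side applies the strict variant of the check: it refuses
# unless its architecture matches. Not exercised here; shown for the real deployment.
ship_to_standby() {
    host="$1"
    arch=$(uname -m)
    ( cd / && tar -cf - "${SECRETS#/}" $(key_files "$IPSEC_D" | sed "s|^|${IPSEC_D#/}/|") ) \
      | ssh "root@$host" "[ \"\$(uname -m)\" = '$arch' ] && umask 077 && tar -C / -xpf - && ipsec restart"
}
```

After the copy, confirm on both nodes that `ipsec showhostkey --list` reports the same key (the CKAID must match on ACTIVE and STANDBY); if the standby's pluto was already running, restart it so it re-reads ipsec.secrets and the NSS database. The peer then authenticates the same raw RSA public key regardless of which node is active.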

