[Swan] Raw rsa keys and .secrets file

Paul Wouters paul at nohats.ca
Mon Feb 24 21:28:34 UTC 2020

On Mon, 24 Feb 2020, Cesare Leonardi wrote:

> Hello, there is something not clear to me regarding .secrets file.
> I've read this:
> https://lists.libreswan.org/pipermail/swan/2018/002496.html
> And this (slide 13):
> https://libreswan.org/wiki/images/a/a5/DevConf2016-IPsec.pdf
> From these documents I understand that using raw RSA key with Libreswan 
>> = 3.21, .secrets file is not required anymore. But in my tests I 
> wasn't able to connect without it.

In theory in should work. In practise there is a catch22 issue we still
need to fix. For raw keys, to load the connection, we need to know the
keys are there, but to load the keys we need a connection.

We thought at some point it was no longer needed, but that was wrong.
Hence you seeing some confusion online. So yes, for raw (non-X.509)
keys, it is still needed. For X.509 certificates, it is not needed.


More information about the Swan mailing list