[Swan] IPSec PKI based policy requirement.

Paul Wouters paul at nohats.ca
Thu Apr 22 19:06:21 UTC 2021

Libreswan complies to RFC 4945 but also accepts webpki/TLS authentication. So almost all certificate EKU’s or lack there of will do.

Sent from my iPhone

> On Apr 22, 2021, at 13:24, Madhan Raj <madhanrajrm at gmail.com> wrote:
> Hi Swan users, 
> My libreswan version is libreswan-3.25-9.1.el7.x86_64 
> and my public key has the below XU and EXU extensions  currently 
>         X509v3 Key Usage:
>                 Digital Signature, Key Encipherment, Data Encipherment, Certificate Sign
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
>             X509v3 Subject Key Identifier:
>                 EF:D1:D4:57:4F:A1:4A:61:0F:DE:FB:27:AA:63:74:BC:94:ED:A1:18
>             X509v3 Basic Constraints: critical
>                 CA:TRUE, pathlen:0
> So i wan't to know does libreswan really need the  Key Encipherment &  IPSec End System XKU to bring up the IKE connection ?
> It would be great if I can get the recommended XU and EXU in the public key to bring up an ipsec connection up and running. 
> Thanks,
> Madhan
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

More information about the Swan mailing list