Created
May 11, 2017 21:54
swanctl working, but unloads key on startup
00[LIB] loaded plugins: charon-systemd charon-systemd sha1 pem pkcs1 x509 revocation constraints pubkey openssl random nonce kernel-netlink socket-default updown vici | |
00[JOB] spawning 16 worker threads | |
00[DMN] executing start script 'creds' (/usr/local/sbin/swanctl --load-creds) | |
13[CFG] loaded RSA private key | |
00[DMN] creds: loaded rsa key from '/usr/local/etc/swanctl/rsa/serverKey.pem' | |
00[DMN] executing start script 'conns' (/usr/local/sbin/swanctl --load-conns) | |
16[CFG] added vici connection: pseudoprivate | |
16[CFG] installing 'pseudoprivatechild' | |
00[DMN] conns: loaded connection 'pseudoprivate' | |
00[DMN] conns: successfully loaded 1 connections, 0 unloaded | |
10[CFG] loaded RSA private key | |
10[CFG] unloaded private key with id 4d12e9d018870dfc33ddd431233ec05a97498ccc | |
10[CFG] updated vici connection: pseudoprivate |
# strongswan.conf — settings for the charon daemon and the swanctl tool.
# Each `load` line is an explicit whitelist: only the plugins named there
# are loaded (compare the "loaded plugins" line in the charon log above).

swanctl {
    # Plugins for the swanctl command itself; it parses key and certificate
    # files locally before handing them to charon over vici.
    load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon {
    # Upper bound, in bytes, of a sent IKE fragment. Fragmentation is turned
    # on per connection (`fragmentation = yes` in swanctl.conf).
    fragment_size = 1400

    # NOTE(review): `curl` is listed here, but the daemon's "loaded plugins"
    # log line on this page does not include it — presumably the plugin is
    # not built. Without a fetcher plugin the `revocation` plugin cannot
    # retrieve CRL/OCSP URIs found in peer certificates and can only use
    # locally loaded CRLs; either build curl or drop it from this list.
    load = sha1 pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici

    # Commands charon runs right after start-up (the log above shows them as
    # start script 'creds' and 'conns'). They execute with the daemon's
    # privileges, so the paths must stay root-owned and non-writable by others.
    start-scripts {
        creds = /usr/local/sbin/swanctl --load-creds
        conns = /usr/local/sbin/swanctl --load-conns
    }

    # File logger, flushed after every line (reliable ordering at some cost
    # in throughput). No per-subsystem levels are set, so the default level
    # applies; do not raise any subsystem to level 4 on a production host —
    # that level also logs key material.
    filelog {
        /var/log/charon.log {
            flush_line = yes
        }
    }
}
# swanctl.conf — IKEv2 transport-mode protection for hosts in 172.16.0.0/24.
# Loaded into charon by `swanctl --load-creds` / `--load-conns`, which
# strongswan.conf runs as start scripts.

connections {
    pseudoprivate {
        # Addresses IKE itself uses/accepts. These are distinct from the
        # child's local_ts/remote_ts: those select the packets to protect,
        # these select the IKE endpoints. The defaults are %any, so the /24
        # here is a tightening: only peers in this subnet may even start an
        # IKE exchange; the certificate checks in `remote` then authorise them.
        local_addrs = 172.16.0.0/24
        remote_addrs = 172.16.0.0/24

        # IKEv2 only.
        version = 2
        # Let IKE messages larger than charon's fragment_size be split.
        fragmentation = yes
        # MOBIKE (RFC 4555) handles peers changing address; the hosts here
        # have fixed addresses, so it is switched off.
        mobike = no
        # A new IKE_SA from a peer with the same identity replaces the old one.
        unique = replace
        # Proposals (cipher, integrity/PRF, DH group) for the IKE_SA itself;
        # the ESP proposals live in the child below.
        proposals = aes128-sha256-modp3072

        # How this host authenticates to peers.
        local {
            # Certificate presented to peers.
            certs = /etc/ssl/private/serverCert.pem
            # `pubkey` is an authentication method, not a path: sign with the
            # private key that matches the certificate above. That key must
            # already be loaded into charon — the log on this page shows it
            # coming from /usr/local/etc/swanctl/rsa/serverKey.pem.
            auth = pubkey
            # IKE identity sent to peers; must be unique across the mesh.
            id = lb1
        }

        # What peers must present to be accepted.
        remote {
            # Public-key authentication with minimum key strengths:
            # RSA >= 2048 bit or ECDSA >= 256 bit.
            auth = rsa-2048-ecdsa-256
            # Trust anchor for peer certificates.
            # NOTE(review): no `id` constraint is set, so every certificate
            # issued by this CA is accepted as a peer — a key stolen from any
            # host the CA signs for gets in. Revocation policy is left at its
            # default (relaxed), and with the curl plugin absent from the
            # daemon's loaded-plugin list remote CRL/OCSP lookups cannot
            # succeed; confirm the CA's CRL is loaded locally, or move to
            # `revocation = strict` once fetching works.
            cacerts = /etc/ssl/private/rootCA.cert
        }

        # CHILD_SA (ESP) parameters, negotiated after IKE authentication.
        children {
            pseudoprivatechild {
                # Protect all traffic between hosts of the /24. Transport
                # mode (no outer tunnel header) is chosen so broadcast
                # traffic keeps working.
                local_ts = 172.16.0.0/24
                remote_ts = 172.16.0.0/24
                mode = transport
                # ESP proposals; the DH group gives PFS on CHILD_SA rekeys.
                esp_proposals = aes128-sha256-modp3072
                # Trap policy: the SA is negotiated on the first matching
                # packet, and re-trapped instead of dropped when closed.
                start_action = trap
                close_action = trap
                # Re-negotiate immediately once a peer is declared dead so
                # the next packet does not pay the set-up latency.
                # NOTE(review): this only fires if dead-peer detection runs,
                # and no `dpd_delay` is set on the connection (default 0s,
                # i.e. DPD disabled). Add a `dpd_delay` if DPD is intended.
                dpd_action = restart
            }
        }
    }
}

secrets {
    # NOTE(review): `secrets.rsa<suffix>` is the documented place for the
    # passphrase (`file` + `secret`) of an encrypted key in the rsa/ folder,
    # not a way to load the key; the key itself is picked up from the rsa/
    # directory by --load-creds, as the daemon log shows. With no `secret`
    # given, confirm what this entry actually does. The later "unloaded
    # private key" line in the log appears to come from a second swanctl
    # run (that thread also re-loads the connection); whether this section
    # plays a part cannot be told from this page.
    rsa {
        file = serverKey.pem
    }
}