strongswan/swanctl config failing to load certs
$ find /usr/local/etc/swanctl/ -type f
/usr/local/etc/swanctl/x509/lb2Cert.der
/usr/local/etc/swanctl/rsa/lb2Key.der
/usr/local/etc/swanctl/swanctl.conf
/usr/local/etc/swanctl/x509ca/caCert.der
00[LIB] loaded plugins: charon-systemd charon-systemd sha1 pem pkcs1 x509 revocation constraints pubkey random nonce kernel-netlink socket-default updown vici
00[JOB] spawning 16 worker threads
00[DMN] executing start script 'creds' (/usr/local/sbin/swanctl --load-creds)
00[DMN] executing start script 'conns' (/usr/local/sbin/swanctl --load-conns)
08[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
07[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
00[DMN] SIGTERM received, shutting down
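# /usr/local/etc/strongswan.conf - strongSwan configuration file
#
# Plugins loaded by the swanctl command-line tool itself (used when it
# parses certificates and keys during --load-creds).
swanctl {
    load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

# Settings for the IKE daemon (charon).
charon {
    # NOTE(review): the daemon's "loaded plugins" log line lists neither
    # openssl nor curl although both are requested here, so those plugins
    # appear to be unavailable in this build/installation. Without openssl
    # (or gmp) there is no RSA backend, which would plausibly account for the
    # "building CRED_CERTIFICATE - X509 failed" errors seen at startup —
    # confirm the openssl plugin is actually installed before changing
    # swanctl.conf.
    load = sha1 pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici
    # Maximum size in bytes of a sent IKE fragment (applies only when a
    # connection enables fragmentation).
    fragment_size = 1400
    # Scripts run once the daemon is up; both load content from swanctl.conf.
    start-scripts {
        creds = /usr/local/sbin/swanctl --load-creds
        conns = /usr/local/sbin/swanctl --load-conns
    }
    # Log to a file; flush after every line so that output from a startup
    # failure is not lost in a buffer when the daemon is terminated.
    filelog {
        /var/log/charon.log {
            flush_line = yes
        }
    }
}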
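# /usr/local/etc/swanctl/swanctl.conf
#
# Relative file names in certs / cacerts are resolved against the swanctl
# credential directories (x509/ and x509ca/ respectively). Private keys are
# not referenced here at all: `swanctl --load-creds` loads every key found in
# rsa/ (here rsa/lb2Key.der) and matches it to the loaded certificates.
connections {
    pseudoprivate {
        # IKEv2 only
        version = 2
        # Allow oversized IKE messages to be split into multiple fragments.
        # This is IKE message fragmentation, not fragmentation of ESP/IPsec
        # traffic.
        fragmentation = yes
        # If an IKE SA with the same peer identity already exists, replace it
        unique = replace
        # IKE SA proposals (encryption, integrity/PRF, DH group) offered and
        # accepted during IKE_SA_INIT.
        proposals = aes128-sha256-modp3072
        # MOBIKE (mobility/multihoming) is not needed between hosts with
        # fixed addresses inside a datacenter.
        mobike = no
        # IKE endpoint addresses: which local addresses to bind and which
        # remote addresses to accept IKE traffic from. These are distinct
        # from children.*.local_ts / remote_ts, which select the traffic
        # protected by the CHILD SA.
        local_addrs = 172.16.0.0/24
        remote_addrs = 172.16.0.0/24
        # How this host authenticates itself to peers
        local {
            # Certificate used for authentication, relative to the swanctl
            # x509/ directory. The file installed on this host is
            # x509/lb2Cert.der; the previous value, lb2.der, does not exist
            # on disk.
            certs = lb2Cert.der
            # Public key authentication. The private key is not named here;
            # it is picked up from the swanctl rsa/ directory (rsa/lb2Key.der)
            # and associated with the certificate above via its public key.
            auth = pubkey
            # Identity asserted to peers. NOTE(review): this should be a
            # subject DN or subjectAltName contained in lb2Cert.der;
            # otherwise charon cannot select a certificate/key for it.
            id = lb2
        }
        # How peers must authenticate themselves to this host
        remote {
            # Public key authentication restricted to RSA keys of at least
            # 2048 bits or ECDSA keys of at least 256 bits.
            auth = rsa-2048-ecdsa-256
            # Trust anchor, relative to the swanctl x509ca/ directory; peer
            # certificates must chain to it.
            cacerts = caCert.der
            # NOTE(review): no remote id is configured, so any peer holding a
            # certificate issued by caCert.der is accepted. Add an `id = ...`
            # constraint here if only specific peers should be allowed.
        }
        # CHILD SAs (the actual IPsec SAs) negotiated after IKE authentication
        # has completed above
        children {
            pseudoprivatechild {
                # Install a trap policy: the SA is negotiated on demand when
                # matching traffic appears, and the trap is re-installed when
                # the peer closes the SA.
                start_action = trap
                close_action = trap
                # ESP proposals; the DH group provides PFS on CHILD SA rekeying
                esp_proposals = aes128-sha256-modp3072
                # Transport mode so that broadcast traffic keeps working
                mode = transport
                # Traffic selectors: protect all traffic between hosts in
                # 172.16.0.0/24
                local_ts = 172.16.0.0/24
                remote_ts = 172.16.0.0/24
                # Datacenter-internal link: when dead peer detection fires,
                # renegotiate immediately instead of waiting for traffic, to
                # avoid latency when the connection is next needed.
                dpd_action = restart
            }
        }
    }
}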