Certificate import error, and settings issue. #130
In what context did you try loading certs (client/server mode, when adding a connection or in the certificate manager)? If while adding a connection, what type (type, authentication method) and what type of certificate did you try loading (server or CA/peer for server conns, or user or CA/server for client conns). What error did occur exactly when you tried loading certs?
Hm, interesting. Wasn't aware of this, but it looks like strongMan configures a single proposal for IKE (
No, strongMan only displays/manages its own connections.
I attempted to add it while adding a connection in client mode for EAP-TLS. I would select my .pem x509 certificate (which I can read with openssl, no password required). I would get the error. I then went to the certificates section, and the Vici showed my cert and CA, but under "all" nothing was there. So I again would do the upload from there, with the exact same error. Only when using the .p12 with password protection did it upload correctly. This same error would again be given when trying to upload the CA, and since I don't need the private key for the CA, I didn't happen to have a .p12 for that one lying around. Therefore I couldn't get it accepted.
So if
Is it possible for me to set all my choices in the database somehow, if I can convert my swanctl.conf into the appropriate database configuration? For example, when doing EAP-TLS, there is a strongSwan option needed if your EAP server differs from the IPsec server's and therefore has its own cert with a different name. For my case it does hand off EAP to a RADIUS server, which has a different CN in the certificate than the IPsec host, so I need to set |
Yeah, that works fine here (PEM or DER encoded certificates are accepted). No idea what's going wrong in your case. Could you attach the files (or email them)?
Under "vici" it lists all certificates the daemon has loaded and reports via the vici interface, "all" does not include those, only the "root" and "end-entity" certificates loaded into the strongMan database.
It wouldn't.
No, currently not. The proposals are about the only thing strongMan theoretically supports but doesn't provide a GUI for, anything else would need further changes so the correct vici message would get built. In particular, the |
I am trying to load a certificate, and having issues with anything other than a .p12. I tried simply giving it the .pem file for my user certificate and eventually got it to work by switching to the .p12. I then reach the CA certificate (self created) and again, even though I only need the .pem file, it errors saying "invalid container" each time I select it. Just to see how it works, I selected my user cert for the CA (I know it will fail). After doing this, I end up getting an error because the DH group doesn't match the request on the far side either. So even if I get the certs working, IDK if I can alter that in this tool.
I already have a working swanctl.conf file. Is there some way to simply load that as a connection? That way I can start/stop it with strongMan and have full access to any settings I need in swanctl.