Certificate import error, and settings issue. #130

Open
sangdrax8 opened this issue Oct 7, 2021 · 3 comments

Comments

@sangdrax8
I am trying to load a certificate, and having issues with anything other than a .p12. I tried simply giving it the pem file for my user certificate and eventually got it to work by switching to the .p12. I then reach the CA certificate (self created) and again, even though I only need the .pem file, it errors saying invalid container each time I select it. Just to see how it works, I selected my user cert for the CA (I know it will fail). After doing this, I end up getting an error because the DH group doesn't match the request on the far side either. So even if I get the certs working IDK if I can alter that in this tool.

I already have a working swanctl.conf file. Is there some way to simply load that as a connection? That way I can start/stop it with strongMan and have full access to any settings I need in swanctl.

@tobiasbrunner (Member)

In what context did you try loading certs (client/server mode, when adding a connection or in the certificate manager)? If while adding a connection, what type (type, authentication method) and what type of certificate did you try loading (server or CA/peer for server conns, or user or CA/server for client conns). What error did occur exactly when you tried loading certs?

> After doing this, I end up getting an error because the DH group doesn't match the request on the far side either. So even if I get the certs working IDK if I can alter that in this tool.

Hm, interesting. Wasn't aware of this, but it looks like strongMan configures a single proposal for IKE (aes128-sha256-modp2048) and ESP (aes128gcm16-modp2048) for server connections. For client connections, the ESP proposal is the same, but the IKE proposal is default (i.e. the daemon's default proposal is used). Since it's not configurable in the GUI, it should probably be default for everything, although that will disable PFS in the ESP proposals. If necessary, it's also possible to change the proposals directly via database.

> Is there some way to simply load that as a connection?

No, strongMan only displays/manages its own connections.

@sangdrax8 (Author) commented Oct 7, 2021

> In what context did you try loading certs (client/server mode, when adding a connection or in the certificate manager)? If while adding a connection, what type (type, authentication method) and what type of certificate did you try loading (server or CA/peer for server conns, or user or CA/server for client conns). What error did occur exactly when you tried loading certs?

I attempted to add it while adding a connection in client mode for EAP-TLS. I would select my .pem x509 certificate (which I can read with openssl, no password required). I would get the error "no valid container detected. Maybe your container needs a password?". According to the page, this should be the certificate upload; the private key would follow.

I then went to the certificates section, and the Vici showed my cert and CA, but under "all" nothing was there. So I again would do the upload from there, with the exact same error. Only when using the .p12 with password protection did it upload correctly.

This same error would again be given when trying to upload the CA, and since I don't need the private key for the CA, I didn't happen to have a .p12 for that one lying around. Therefore I couldn't get it accepted.

> After doing this, I end up getting an error because the DH group doesn't match the request on the far side either. So even if I get the certs working IDK if I can alter that in this tool.

> Hm, interesting. Wasn't aware of this, but it looks like strongMan configures a single proposal for IKE (aes128-sha256-modp2048) and ESP (aes128gcm16-modp2048) for server connections. For client connections, the ESP proposal is the same, but the IKE proposal is default (i.e. the daemon's default proposal is used). Since it's not configurable in the GUI, it should probably be default for everything, although that will disable PFS in the ESP proposals. If necessary, it's also possible to change the proposals directly via database.

So if default excludes PFS explicitly, that would still fail for me. My server requires it and will propose it. If the client would accept the proposed settings it would still work in my case.

> Is there some way to simply load that as a connection?

> No, strongMan only displays/manages its own connections.

Is it possible for me to set all my choices in the database somehow, if I can convert my swanctl.conf into the appropriate database configuration? For example, when doing EAP-TLS, there is a strongswan option needed if your EAP server differs from the IPSec server's and therefore has its own cert with a different name. In my case it does hand off EAP to a RADIUS server, which has a different CN in its certificate than the IPSec host, so I need to set aaa_id so the strongswan client will accept this secondary name when doing authentication.

@tobiasbrunner (Member)

> I would get the error "no valid container detected. Maybe your container needs a password?". According to the page, this should be the certificate upload; the private key would follow.

Yeah, that works fine here (PEM or DER encoded certificates are accepted). No idea what's going wrong in your case. Could you attach the files (or email them)?

> I then went to the certificates section, and the Vici showed my cert and CA, but under "all" nothing was there.

Under "vici" it lists all certificates the daemon has loaded and reports via the vici interface, "all" does not include those, only the "root" and "end-entity" certificates loaded into the strongMan database.

> So if default excludes PFS explicitly, that would still fail for me. My server requires it and will propose it. If the client would accept the proposed settings it would still work in my case.

It wouldn't.

> Is it possible for me to set all my choices in the database somehow, if I can convert my swanctl.conf into the appropriate database configuration?

No, currently not. The proposals are about the only thing strongMan theoretically supports but doesn't provide a GUI for, anything else would need further changes so the correct vici message would get built. In particular, the aaa_id setting is not supported.
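For reference, the two settings discussed in this thread (the IKE/ESP proposals with a DH group for PFS, and the aaa_id for an EAP-TLS server whose certificate identity differs from the IKE peer's) expressed as a swanctl.conf client connection. This is an added example, not a file from the issue or from the strongMan project; all names, addresses and file names are constructed placeholders.

```conf
connections {
    # Constructed example: EAP-TLS client connection with explicit proposals.
    corp-eap-tls {
        version = 2
        remote_addrs = vpn.example.org

        # IKE proposal with a DH group (matches what strongMan configures for
        # server connections; strongMan leaves the client IKE proposal at the daemon default).
        proposals = aes128-sha256-modp2048

        local {
            auth = eap-tls
            eap_id = alice@example.org
            # Client certificate used inside EAP-TLS (PEM or DER encoded).
            certs = alice.pem
        }

        remote {
            auth = pubkey
            # IKE identity of the VPN gateway.
            id = vpn.example.org
            # Identity expected in the EAP-TLS server certificate when EAP is
            # handed off to a RADIUS server with its own certificate (not settable in strongMan).
            aaa_id = radius.example.org
        }

        children {
            net {
                remote_ts = 0.0.0.0/0
                # The DH group at the end of the ESP proposal enables PFS; the daemon's
                # default ESP proposal carries no DH group and thus no PFS.
                esp_proposals = aes128gcm16-modp2048
            }
        }
    }
}
```

A peer that requires PFS will reject a child SA proposal that lacks the DH group, which is the mismatch described above when the default proposal is used.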
