Python VICI connection request pass certificate

[ashirbadIndia]

Hi all, I hope you are doing well,

I tried to setup host-to-host IPSec tunnel using strongswan. I followed the quickstart guide from strongswan documentation, which worked as expected.

/etc/swanctl/x509ca/strongswan.pem
/etc/swanctl/x509/peer1.pem
/etc/swanctl/private/peer1key.pem

/etc/swanctl/swanctl.conf:

connections {
    host-host {
      remote_addrs = 10.231.25.182
      local {
        auth=pubkey
        id = "10.231.32.93"
        certs = peer1.pem
      }
      remote {
        auth = pubkey
        id = "10.231.25.182"
      }
      children {
        host-host {
          start_action = trap
        }
      }
    }
  }

But how do I do the same using python VICI interface

I had previously used python VICI to load connections with pre-shared key, but could not figure out how to load certificates.

Note: I loaded the essential credentials from using swanctl --load-creds, just wanted to try loading connection

import vici
import time

s = vici.Session()

connection =  {
   'host-host': {
      'remote_addrs': ['10.231.25.182'],
      'local': {
         'auth': 'pubkey',
        'id': '10.231.32.93',
        'certs': ['peer1.pem']
      },
      'remote': {
        'auth': 'pubkey',
        'id': '10.231.25.182'
      },
      'children': {
        'host-host': {
          'start_action': 'trap'
        }
      }
    }
}

s.load_conn(connection)

this code throws the following error

Traceback (most recent call last):
File "", line 1, in
File "/usr/local/lib/python3.10/dist-packages/vici/command_wrappers.py", line 161, in load_conn
self.request("load-conn", connection)
File "/usr/local/lib/python3.10/dist-packages/vici/session.py", line 104, in request
raise CommandException(
vici.exception.CommandException: Command failed: invalid value for: certs, config discarded

What is the correct way to pass certs

[tobiasbrunner]

Certificates are passed as binary blobs (either PEM or DER encoded). So you have to open the file and pass its contents as value. Alternatively, you could use the cert<suffix>.file syntax to pass an absolute path to the certificate file so the daemon loads it.

[antonymsouza]

I also faced the same issue, but even after changing this to cert.file like below still facing issue like "vici.exception.CommandException: Command failed: unknown option: cert1.file, config discarded"

load_config = { 'rightTunnel2': { 'version': 2, 'mobike': 'no', 'reauth_time': '0s', 'dpd_delay': '30s', 'keyingtries': 0, 'rekey_time': '21600s', 'proposals': ['aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072','aes192-sha256-ecp256-modp3072','aes128-sha256-x25519','default'], 'local_addrs': ['10.80.2.205'], 'remote_addrs': ['10.80.0.234'], 'local': { 'auth': 'pubkey', 'cert1.file': '/etc/swanctl/x509/abc.pem' },

[tobiasbrunner]

Not the right syntax. cert1 would be a section and file a key inside that (i.e. something like 'cert1': { 'file': '...' }).

[antonymsouza]

It is working fine, thank you very much for the quick support