[Openswan Users] Strongswan with self-signed certificates

Piyush Agarwal agarwalpiyush at gmail.com
Fri Apr 21 18:36:39 EDT 2017

I am trying to bring up strongswan IPsec between two linux boxes.

Earlier, this IPsec was up using racoon which has a concept of

Both ends of my IPsec uses self-signed certificates. Using an out-of-band
channel (irrelevant to this question), each box is informed of the valid
peer certificate to expect (and installed on the local machine). So when
IKE certificate validation is performed, the certificate validation
succeeds. Either of my boxes could change/go away at any point -- and the
out-of-band channel ensures each end is informed of the valid peer
certificate to expect all the times.

Now, I am trying to get a similar scheme working with strongswan, without

There is nothing equivalent to peers_certfile that I find. I am a newbie to
these concepts, so please share pointers if I am way off or asking
incorrect questions.

1) Does there have to be a CAcert (self-signed) AND a separate HostCert? Or
can I do with just the HostCert (to be validated by the peer)?

2) Can I get strongswan to accept and validate the peers certfile (informed
via the same out-of-band means)? If yes, what config option is this?

3) In the strongswan way of doing things, what I can give to the
out-of-band channel so the peer can perform required validation?

Thanks for any guidance/pointers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20170421/2c46f0cc/attachment.html>

More information about the Users mailing list