[Openswan Users] Strongswan with self-signed certificates

[Piyush Agarwal]

Hi,
I am trying to bring up strongswan IPsec between two linux boxes.

Earlier, this IPsec was up using racoon which has a concept of
peers_certfile.

Both ends of my IPsec uses self-signed certificates. Using an out-of-band
channel (irrelevant to this question), each box is informed of the valid
peer certificate to expect (and installed on the local machine). So when
IKE certificate validation is performed, the certificate validation
succeeds. Either of my boxes could change/go away at any point -- and the
out-of-band channel ensures each end is informed of the valid peer
certificate to expect all the times.

Now, I am trying to get a similar scheme working with strongswan, without
success.

There is nothing equivalent to peers_certfile that I find. I am a newbie to
these concepts, so please share pointers if I am way off or asking
incorrect questions.

1) Does there have to be a CAcert (self-signed) AND a separate HostCert? Or
can I do with just the HostCert (to be validated by the peer)?

2) Can I get strongswan to accept and validate the peers certfile (informed
via the same out-of-band means)? If yes, what config option is this?

3) In the strongswan way of doing things, what I can give to the
out-of-band channel so the peer can perform required validation?

Thanks for any guidance/pointers.
Piyush
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20170421/2c46f0cc/attachment.html>