For the private key file both absolute paths or paths relative to /etc/ipsec.d/private are accepted. If the private key file is encrypted, the passphrase must be defined. Instead of a passphrase %prompt can be used which then causes the daemons to ask the user for the password whenever it is required to decrypt the key.
: RSA <private key file> [ <passphrase> | %prompt ]
: RSA moonKey.pem : RSA sunKey.der "cjen4*lWnr3jsk"