[strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

Andreas Steffen andreas.steffen at strongswan.org
Tue Apr 20 10:34:16 CEST 2010


On 20.04.2010 09:53, shyamsundar.purkayastha at wipro.com wrote:
>
>> the error message from the ASN.1 parser means that the
>> file "/etc/ipsec.d/private/211Key.pem" does not contain
>> a private key but probably an X.509 certificate.
>
>
> After uncommenting the load statement in strongswan.conf I am no longer
> getting the ASN.1 parser error, but loading the private key still
> fails, as follows:
>
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders
> 00[CFG]   loading private key from '/etc/ipsec.d/private/211Key.pem'
> failed
>
> Here is my strongswan.conf file
> --------------------------------------------------------------------
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
>      # number of worker threads in charon
>      threads = 16
>
>      # plugins to load in charon
>      load = des aes sha1 md5 sha2 hmac gmp openssl random pubkey xcbc
> x509 stroke pkcs1 pem
>      #load = aes des sha1 sha2 md5 curl test-vectors pem pkcs1 gcrypt
> x509 hmac stroke kernel-netlink updown
>
If you load the openssl plugin then the private key parsing is done by
the openssl module instead of the pkcs1 plugin. The error still persists
but you don't get the log output from the strongSwan ASN.1 parser.

>      plugins {
>
>          sql {
>              # loglevel to log into sql database
>              loglevel = -1
>
>              # URI to the database
>              # database = sqlite:///path/to/file.db
>              # database = mysql://user:password@localhost/database
>          }
>      }
>
>      # ...
> }
>
> pluto {
>
>      # plugins to load in pluto
>      # load = aes des sha1 md5 sha2 hmac gmp random pubkey
>
> }
>
> libstrongswan {
>
>      #  set to no, the DH exponent size is optimized
>      #  dh_exponent_ansi_x9_42 = no
> }
>
> ---------------------------------------------------------------
>
> One more piece of info: I have generated the keys using the openssl command. In that
> case, is it required to load the openssl module in charon?
>
The openssl command generates keys in the standardized PKCS#1
format, which can be read by strongSwan's pkcs1 plugin. There
is no need to load the openssl plugin. Your problem is that
the file '/etc/ipsec.d/private/211Key.pem' does not contain a
private key. The contents of a PEM-encoded private key file
should have the following format:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
...
cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
-----END RSA PRIVATE KEY-----

if the key is unencrypted or

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429

mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
...
nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
-----END RSA PRIVATE KEY-----

if the key is protected by a passphrase.

> Regards
> Shyam

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
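To see what a file like /etc/ipsec.d/private/211Key.pem actually contains before charon tries to load it, the following Python script (an added example for this thread, not strongSwan code) decodes the PEM envelope, reports Proc-Type/DEK-Info encryption headers, and inspects the outer ASN.1 structure to tell a PKCS#1 RSAPrivateKey from a PKCS#8 PrivateKeyInfo or an X.509 Certificate. The sample files it runs on are constructed inline with toy RSA parameters, so nothing here is a real key; the "mislabeled" sample reproduces the situation described in the reply above, a certificate body sitting under a BEGIN RSA PRIVATE KEY label. The classifier names and the shape strings are this example's own.

```python
"""Classify what a PEM file really holds (added example, not strongSwan code).

Top-level children of the outer SEQUENCE, which is all the classifier looks at:
  RSAPrivateKey  = SEQUENCE { INTEGER version, INTEGER n, e, d, p, q, dp, dq, qInv }
  PrivateKeyInfo = SEQUENCE { INTEGER version, SEQUENCE algorithm, OCTET STRING key }
  Certificate    = SEQUENCE { SEQUENCE tbsCertificate, SEQUENCE sigAlg, BIT STRING sig }
"""
import base64
import re

EXPECTED_SHAPE = {            # what each PEM label should wrap
    "RSA PRIVATE KEY": "pkcs1-rsa-private-key",
    "PRIVATE KEY": "pkcs8-private-key",
    "CERTIFICATE": "x509-certificate",
}
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                  # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def classify_der(der_bytes):
    """Name the top-level ASN.1 shape, or say why parsing failed."""
    try:
        tag, val, end = der_read_tlv(der_bytes)
        if tag != 0x30 or end != len(der_bytes):
            return "not-a-single-sequence"
        tags, pos = [], 0
        while pos < len(val):                         # collect child tags only
            t, _, pos = der_read_tlv(val, pos)
            tags.append(t)
    except ValueError as exc:
        return f"malformed-der ({exc})"
    if len(tags) >= 9 and all(t == 0x02 for t in tags[:9]):
        return "pkcs1-rsa-private-key"
    if tags[:3] == [0x02, 0x30, 0x04]:
        return "pkcs8-private-key"
    if tags == [0x30, 0x30, 0x03]:
        return "x509-certificate"
    return "unrecognised-sequence"


def classify_pem(text):
    """Describe the first PEM block in text: label, encryption headers, DER shape."""
    m = PEM_RE.search(text)
    if not m:
        return {"label": None, "encrypted": False, "dek_info": None,
                "shape": None, "verdict": "no PEM block found"}
    label, body = m.group(1), m.group(2)
    headers, b64 = {}, []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" in line and not b64:                   # RFC 1421 headers precede the data
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        else:
            b64.append(line)
    result = {"label": label, "shape": None,
              "encrypted": headers.get("Proc-Type") == "4,ENCRYPTED",
              "dek_info": headers.get("DEK-Info")}
    if result["encrypted"]:
        result["verdict"] = f"encrypted PEM ({result['dek_info']}); passphrase needed before parsing"
        return result
    try:
        der_bytes = base64.b64decode("".join(b64), validate=True)
    except ValueError:
        result["verdict"] = "PEM body is not valid base64"
        return result
    result["shape"] = classify_der(der_bytes)
    if EXPECTED_SHAPE.get(label) == result["shape"]:
        result["verdict"] = "ok"
    else:
        result["verdict"] = f"mismatch: labelled '{label}' but ASN.1 structure looks like {result['shape']}"
    return result


# --- constructed sample files (toy values; none of this is a usable key) -----------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _int(v):                                          # DER INTEGER, non-negative
    return _der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def _pem(label, der_bytes, headers=()):
    b64 = base64.b64encode(der_bytes).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    hdr = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{hdr}{lines}\n-----END {label}-----\n"


RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption
# textbook toy parameters p=61, q=53, n=3233, e=17, d=2753 (assumed, not a real key)
RSA_KEY_DER = _der(0x30, b"".join(_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
CERT_DER = _der(0x30, _der(0x30, _int(1)) + _der(0x30, RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00\xaa"))
PKCS8_DER = _der(0x30, _int(0) + _der(0x30, RSA_OID + _der(0x05, b"")) + _der(0x04, RSA_KEY_DER))

SAMPLES = {
    "good_key": _pem("RSA PRIVATE KEY", RSA_KEY_DER),
    "pkcs8_key": _pem("PRIVATE KEY", PKCS8_DER),
    "cert": _pem("CERTIFICATE", CERT_DER),
    "mislabeled": _pem("RSA PRIVATE KEY", CERT_DER),              # the thread's case
    "encrypted": _pem("RSA PRIVATE KEY", bytes(range(32)),         # placeholder ciphertext
                      headers=("Proc-Type: 4,ENCRYPTED",
                               "DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429")),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:11s} -> {classify_pem(text)['verdict']}")
```

The check is purely structural: it does not validate the RSA arithmetic, only whether the bytes are shaped like the thing the label claims. On a real host the quick equivalents are `openssl rsa -in 211Key.pem -noout -check` for a key and `openssl x509 -in 211Key.pem -noout -subject` for a certificate; whichever one parses the file tells you what it holds.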