<div> </div>
<div>Hi</div>
<div> </div>
<div>It has been quite some time now since I could follow up on the issue submitted by me, very sorry about the delay in doing so.</div>
<div> </div>
<div>I have been facing this issue primarily on an OpenWRT Gateway:</div>
<div>----------------------------------------------------------------------------------------------</div>
<div>BusyBox v1.4.2 (2011-08-04 02:47:42 IST) Built-in shell (ash)<br>  _______                     ________        __<br> |       |.-----.-----.-----.|  |  |  |.----.|  |_<br> |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|<br>
 |_______||   __|_____|__|__||________||__|  |____|<br>          |__| W I R E L E S S   F R E E D O M</div>
<div>----------------------------------------------------------------------------------------</div>
<div> </div>
<div>- After receiving the reply by Martin as below (at the end of this mail) for a similar issue on a Linux Fedora-13 server running strongswan 4.5.0, I tried to generate some newer x509 certs (and the private rsa key files) on the openwrt gateway itself</div>

<div>***************************</div>
<div>root@mfcgw1:/etc# cat ssl/private/mfcgw1key.pem<br>-----BEGIN RSA PRIVATE KEY-----<br>Proc-Type: 4,ENCRYPTED<br>DEK-Info: DES-EDE3-CBC,2FC8D750D505E922</div>
<div>-----END RSA PRIVATE KEY-----<br>root@mfcgw1:/etc#<br>root@mfcgw1:/etc#<br>root@mfcgw1:/etc# ipsec version<br>
Linux strongSwan U4.3.6/K2.6.33.5<br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil, Switzerland<br>See 'ipsec --copyright' for copyright information.<br>root@mfcgw1:/etc#</div>

<div>*******************************************************</div>
<div> </div>
<div>- and I am still unable to load the RSA private key file in strongswan. I am getting the following errors:</div>
<div>*************************************************************</div>
<div>root@mfcgw1:/etc# ipsec start --nofork<br>Starting strongSwan 4.3.6 IPsec [starter]...<br>starter_start_pluto entered<br>Pluto initialized<br>Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID<br>
pluto (11076) started after 20 ms<br>00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)<br>loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac<br>  including NAT-Traversal patch (Version 0.6c)<br>
Using Linux 2.6 IPsec interface code<br>loading ca certificates from '/etc/ipsec.d/cacerts'<br>  loaded ca certificate from '/etc/ipsec.d/cacerts/cacert.pem'<br>loading aa certificates from '/etc/ipsec.d/aacerts'<br>
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'<br>Changing to directory '/etc/ipsec.d/crls'<br>  loaded crl from 'crl.pem'<br>loading attribute certificates from '/etc/ipsec.d/acerts'<br>
listening for IKE messages<br>adding interface eth1/eth1 169.254.0.1:500<br>adding interface eth1/eth1 169.254.0.1:4500<br>adding interface eth2/eth2 192.168.1.1:500<br>
adding interface eth2/eth2 192.168.1.1:4500<br>adding interface eth0/eth0 172.17.10.102:500<br>adding interface eth0/eth0 172.17.10.102:4500<br>
adding interface lo/lo 127.0.0.1:500<br>adding interface lo/lo 127.0.0.1:4500<br>adding interface lo/lo ::1:500<br>adding interface eth2/eth2 2007::1:500<br>
adding interface eth0/eth0 fec0::ee01:500<br>loading secrets from "/etc/ipsec.secrets"<br>00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>00[CFG]   loaded ca certificate "C=UK, ST=LNDN, L=LONDON, O=Internet Widgits Pty<br>
 Ltd, OU=Corp, CN=mfcgw1CA, E=admin@dvttest.com, subjectAltName=mfcgw1CA.dvttest<br>.com" from '/etc/ipsec.d/cacerts/cacert.pem'<br>00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>00[CFG] loading crls from '/etc/ipsec.d/crls'<br>00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl.pem'<br>
00[CFG] loading secrets from '/etc/ipsec.secrets'<br>building CRED_PRIVATE_KEY - RSA failed, tried 6 builders<br>  syntax error in private key file<br>"/etc/ipsec.secrets" line 3: Private key file -- could not be loaded<br>
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders<br>00[CFG]   loading private key from '/etc/ipsec.d/private/mfcgw1key.pem' failed<br>00[DMN] loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl<br>
 hmac kernel-pfkey stroke updown<br>00[JOB] spawning 16 worker threads<br>charon (11077) started after 720 ms<br>06[CFG] received stroke: add connection 'tunnel1'<br>06[CFG] left nor right host is our side, assuming left=local<br>
06[CFG]   loaded certificate "C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN<br>=mfcgw1, subjectAltName=172.17.10.102, E=postmaster@dvttest.com" from 'mfcgw1cer<br>
t.pem'<br>06[CFG]   id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltNa<br>me=172.17.10.102/emailAddress=postmaster@dvttest.com' not confirmed by certifica<br>
te, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, su<br>bjectAltName=172.17.10.102, E=postmaster@dvttest.com'<br>06[CFG] added configuration 'tunnel1'<br>
  loaded host certificate from '/etc/ipsec.d/certs/mfcgw1cert.pem'<br>  id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltName=172.1<br>7.10.102/emailAddress=postmaster@dvttest.com' not confirmed by certificate, defa<br>
ulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAlt<br>Name=172.17.10.102, E=postmaster@dvttest.com'<br>added connection description "tunnel1"<br>
09[CFG] received stroke: route 'tunnel1'<br>09[KNL] no local address found in traffic selector 192.168.1.0/24<br>configuration 'tunnel1' routed</div>
<div>***********************************************************************</div>
<div> </div>
<div>- Can you help me understand why this is happening when the file is in a correct RSA format?</div>
<div> </div>
<div>- Also FYI, I am also facing the same issue of RSA key file loading error when I use the "ipsec pki.." built-in strongswan cert app. Here too the error we observe is as below:</div>
<div>---------------------------------------------------------------------------------------------</div>
<div>root@evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn "C=IN,<br>O=strongSwan, CN=strongSwan CA" --ca > caCert.der<br>file coded in unknown format, discarded<br>building CRED_PRIVATE_KEY - RSA failed, tried 6 builders<br>
parsing private key failed<br>root@evm1gw:</div>
<div>----------------------------------------------------------------------------------------</div>
<div>Please forgive me again for the lengthy submission of the issue.</div>
<div> </div>
<div>thanks once again</div>
<div> </div>
<div>with regards</div>
<div>Rajiv Kulkarni</div>
<div> </div>
<div> </div>
<div>----------------------------------------------------------------------</div>
<div>>Hi Rajiv,<br><br>><i> [root@dvtpc2 private]# cat dvtpc2key1024-self.pem<br></i>><i> -----BEGIN PRIVATE KEY-----<br></i>><i> -----END PRIVATE KEY-----<br></i><br>>This key is wrapped in PKCS#8 without encryption. We currently can't<br>>read in any PKCS#8 keys.<br><br>>Convert such keys to plain RSA using:<br>
> openssl pkcs8 -nocrypt < dvtpc2key1024-self.pem<br><br>>Regards<br>>Martin<br><br><br></div>
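<div>Added example, not part of the original thread and not strongSwan code: the two keys shown above use different containers (a traditional <code>RSA PRIVATE KEY</code> PEM with <code>Proc-Type: 4,ENCRYPTED</code> headers, and a PKCS#8 <code>PRIVATE KEY</code>), and the <code>ipsec pki</code> call reads raw DER. This Python script reports which container a key file uses from its PEM label and headers and its first ASN.1 fields; the function names are made up for this example and the sample inputs are constructed toy structures, not real keys.</div>

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_kind(der):
    """Tell PKCS#1 from PKCS#8 by the first fields of the outer SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return "unknown"
    # Skip the SEQUENCE length: 1 byte in short form, 1 + n bytes in long form.
    i = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)
    head = der[i:i + 4]
    if head[:3] == b"\x02\x01\x00":        # INTEGER version = 0
        if head[3:4] == b"\x02":
            return "pkcs1"                 # RSAPrivateKey: modulus INTEGER follows
        if head[3:4] == b"\x30":
            return "pkcs8"                 # PrivateKeyInfo: AlgorithmIdentifier follows
    if head[:1] == b"\x30":
        return "pkcs8-encrypted"           # EncryptedPrivateKeyInfo starts with a SEQUENCE
    return "unknown"

def classify(data):
    """Return (encoding, kind, pem_cipher) for the raw bytes of a key file."""
    m = PEM_RE.search(data)
    if not m:
        return ("der", der_kind(data), None)
    label, body = m.group(1), m.group(2)
    if b"Proc-Type: 4,ENCRYPTED" in body:  # legacy PEM encryption: body is ciphertext
        dek = re.search(rb"DEK-Info: *([^,\r\n]+)", body)
        kind = "pkcs1" if label == b"RSA PRIVATE KEY" else "unknown"
        return ("pem", kind, dek.group(1).decode() if dek else "unknown")
    try:
        der = base64.b64decode(b"".join(body.split()))
    except ValueError:
        return ("pem", "unknown", None)
    return ("pem", der_kind(der), None)    # trust the ASN.1, not only the label

# Constructed samples: toy ASN.1 prefixes with the right field order, not real keys.
PKCS1_DER = bytes.fromhex("3006020100020105")
PKCS8_DER = bytes.fromhex("300b0201003002050004020000")
PKCS8_ENC_DER = bytes.fromhex("30083002050004020000")
ENC_HEADERS = "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\n"

def pem(label, der, headers=""):
    """Wrap bytes in a PEM envelope (helper for the samples above)."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, b64, label)).encode()
```

<div>A <code>pkcs8</code> result corresponds to the case in the quoted reply, where the conversion command given there applies; a non-empty third field means the PEM body is passphrase-encrypted.</div>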