<div>Hi</div>
<div> </div>
<div>Yes, of course. I did that. You see,</div>
<div> </div>
<div>- when I use "OpenSSL 1.0.0d-fips 8 Feb 2011" on a Linux-FC13 machine to generate certs, the default RSA key format is PKCS#8, which I believe strongSwan does not yet support</div>
<div> </div>
<div>- if, on the other hand, I use an openwrt-gw with "OpenSSL 0.9.8q 2 Dec 2010" and "Linux strongSwan U4.3.6/K2.6.33.5", although the generated private RSA key file is in traditional format, strongSwan is unable to load the file</div>

<div> </div>
<div>thanks & regards</div>
<div>rajiv</div>
<div><br><br> </div>
<div class="gmail_quote">On Thu, Nov 10, 2011 at 8:23 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Hello Rajiv,<br><br>did you add the passphrase which encrypts the private key to<br>the ipsec.secrets entry?<br>
<br> : RSA /ssl/private/mfcgw1key.pem "&lt;my passphrase&gt;"<br><br>Regards<br><br>Andreas 
<div class="im"><br><br>On 10.11.2011 15:10, Rajiv Kulkarni wrote:<br></div>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div class="im">Hi<br>It has been quite some time now since I could follow up on the issue<br>submitted by me; very sorry about the delay in doing so.<br>I have been facing this issue primarily on an OpenWRT Gateway:<br>----------------------------------------------------------------------------------------------<br>
BusyBox v1.4.2 (2011-08-04 02:47:42 IST) Built-in shell (ash)<br>  _______                     ________        __<br> |       |.-----.-----.-----.|  |  |  |.----.|  |_<br> |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|<br>
 |_______||   __|_____|__|__||________||__|  |____|<br>          |__| W I R E L E S S   F R E E D O M<br>----------------------------------------------------------------------------------------<br>- After receiving the reply by Martin as below (at the end of this mail)<br>
for a similar issue on a Linux Fedora-13 server running strongswan<br>4.5.0, I tried to generate some newer x509 certs (and the private<br>RSA key files) on the openwrt gateway itself<br>***************************<br>
</div>root@mfcgw1:/etc# cat ssl/private/mfcgw1key.pem 
<div class="im"><br>-----BEGIN RSA PRIVATE KEY-----<br>Proc-Type: 4,ENCRYPTED<br>DEK-Info: DES-EDE3-CBC,2FC8D750D505E922<br>D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1<br>85P87fkzGA6LYj8LyF7/UXKGs0eBC8BT+c6zlVO1SVgvUii5A42oYXKUQQD1AA6d<br>
5W5KNq+C1e9zUs3BDKPfOhHuODjzqAs0f4NdsJ6I5kmGogS2LczwWV6nDwsBLY3U<br>LD3vO9tg99dh7/2+rUPWffYx5Ag+OJtcCON3ku7McTdrLODFKkPQYNNXGNGbolui<br>EuO8o4xRHXdDD3dMud8H/+zHjxrVw8WfcJz5C/uSamLhFwjWUOUL8w5IrnQ8gY7x<br>
RkKoMm8j/PUKTj2gTU4cNgA3gyJh35tCLh7vbiK5F5MYRXzuB8bezTMLOV2QduJ9<br>nNHLziQsD6br0P/2SFgr/tm+TeZ4r90Bc6zF1rrnEzEr2usz8W4gdm/Am9v01fk0<br>FWiN/CFrAFncXpkGIppo7j19svN13xhtY0cPhzTPIu5pROxhLbcQPUYi2ci9sLti<br>
vAEStWV2Vcyc+g3/2ZvE9M/SWEsi80cCumbsepsK8hHjuEl5PBK/KbReP+I8SJGv<br>Dh90ZgiURN35sNd/1GAxltoATCEu526/mIlJcUc1pBpvoPZM6ZOLUgmkwvHRyxp3<br>1pwkSVx3aTvEzZJCDzQR/nZez4kQD1WwXQ5UQbTfp7yBPOSuRp/ZnWmrdDFs1ck+<br>
7V+I47a2GLqKXIlJ0xuPV0azMeXky8dC+53uSQuDzPlSp7EgdQhLBLNjXJPOKCHT<br>/mFjd5wRsgz35qld/Jwj19WE7F7baGacrsfM8mSWNBs3YAcNJdks/zavr19Kwgzw<br>X1RtOfe59BsWtdEepciKXw/PW87QxspRIe4w8Jmmugfl3CWtauuV+ossadNfOK+2<br>
R2m3KhkLj8FA9I5JrTjY8z9PPE0qS/KSAT1EjjDABAPUoxnPyO5f9Df2A7L//f+w<br>qf25HtwJSUe3hxsOqxtsqSdOqL8Uan3M<br>-----END RSA PRIVATE KEY-----<br></div>root@mfcgw1:/etc#<br>
root@mfcgw1:/etc#<br>root@mfcgw1:/etc# ipsec version 
<div class="im"><br>Linux strongSwan U4.3.6/K2.6.33.5<br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil, Switzerland<br>See 'ipsec --copyright' for copyright information.<br>
</div>root@mfcgw1:/etc# 
<div class="im"><br>*********************************************************<br>- and I am still unable to load the RSA private key file in strongswan.<br>I am getting the following errors:<br>***************************************************************<br>
</div>root@mfcgw1:/etc# ipsec start --nofork 
<div class="im"><br>Starting strongSwan 4.3.6 IPsec [starter]...<br>starter_start_pluto entered<br>Pluto initialized<br>Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID<br>pluto (11076) started after 20 ms<br>
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)<br>loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac<br>  including NAT-Traversal patch (Version 0.6c)<br>Using Linux 2.6 IPsec interface code<br>
loading ca certificates from '/etc/ipsec.d/cacerts'<br>  loaded ca certificate from '/etc/ipsec.d/cacerts/cacert.pem'<br>loading aa certificates from '/etc/ipsec.d/aacerts'<br>loading ocsp certificates from '/etc/ipsec.d/ocspcerts'<br>
Changing to directory '/etc/ipsec.d/crls'<br>  loaded crl from 'crl.pem'<br>loading attribute certificates from '/etc/ipsec.d/acerts'<br>listening for IKE messages<br></div>adding interface eth1/eth1 169.254.0.1:500<br>
adding interface eth1/eth1 169.254.0.1:4500<br>adding interface eth2/eth2 192.168.1.1:500<br>
adding interface eth2/eth2 192.168.1.1:4500<br>adding interface eth0/eth0 172.17.10.102:500<br>
adding interface eth0/eth0 172.17.10.102:4500<br>adding interface lo/lo 127.0.0.1:500<br>
adding interface lo/lo 127.0.0.1:4500 
<div class="im"><br>adding interface lo/lo ::1:500<br>adding interface eth2/eth2 2007::1:500<br>adding interface eth0/eth0 fec0::ee01:500<br>loading secrets from "/etc/ipsec.secrets"<br>00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>
00[CFG]   loaded ca certificate "C=UK, ST=LNDN, L=LONDON, O=Internet Widgits Pty Ltd, OU=Corp, CN=mfcgw1CA, E=admin@dvttest.com, subjectAltName=mfcgw1CA.dvttest.com" from '/etc/ipsec.d/cacerts/cacert.pem'<br></div>
<div class="im">00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>00[CFG] loading crls from '/etc/ipsec.d/crls'<br>00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl.pem'<br>00[CFG] loading secrets from '/etc/ipsec.secrets'<br>
building CRED_PRIVATE_KEY - RSA failed, tried 6 builders<br>  syntax error in private key file<br>"/etc/ipsec.secrets" line 3: Private key file -- could not be loaded<br>00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders<br>
00[CFG]   loading private key from '/etc/ipsec.d/private/mfcgw1key.pem' failed<br>00[DMN] loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac kernel-pfkey stroke updown<br>
00[JOB] spawning 16 worker threads<br>charon (11077) started after 720 ms<br>06[CFG] received stroke: add connection 'tunnel1'<br>06[CFG] left nor right host is our side, assuming left=local<br>06[CFG]   loaded certificate "C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc,<br>
OU=Corp, CN<br>=mfcgw1, subjectAltName=172.17.10.102, E=<a href="mailto:postmaster@dvttest.com" target="_blank">postmaster@dvttest.com</a><br></div><mailto:<a href="mailto:E" target="_blank">E</a>=<a href="mailto:postmaster@dvttest.com" target="_blank">postmaster@dvttest.<u></u>com</a>>" from 'mfcgw1cer 
<div class="im"><br>t.pem'<br>06[CFG]   id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST<br>Inc/OU=Corp/CN=mfcgw1/<u></u>subjectAltNa<br>me=<a href="http://172.17.10.102/emailAddress=postmaster@dvttest.com" target="_blank">172.17.10.102/emailAddress=<u></u>postmaster@dvttest.com</a>'<br>
</div><mailto:<a href="mailto:me" target="_blank">me</a>=<a href="http://172.17.10.102/emailAddress=postmaster@dvttest.com" target="_blank">172.17.10.102/<u></u>emailAddress=postmaster@<u></u>dvttest.com</a>'> not 
<div class="im"><br>confirmed by certifica<br>te, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp,<br>CN=mfcgw1, su<br>bjectAltName=172.17.10.102, E=<a href="mailto:postmaster@dvttest.com" target="_blank">postmaster@dvttest.com</a>'<br>
</div><mailto:<a href="mailto:E" target="_blank">E</a>=<a href="mailto:postmaster@dvttest.com" target="_blank">postmaster@dvttest.<u></u>com</a>'> 
<div class="im"><br>06[CFG] added configuration 'tunnel1'<br>  loaded host certificate from '/etc/ipsec.d/certs/<u></u>mfcgw1cert.pem'<br>  id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST<br>Inc/OU=Corp/CN=mfcgw1/<u></u>subjectAltName=172.1<br>
7.10.102/emailAddress=<a href="mailto:postmaster@dvttest.com" target="_blank">postmast<u></u>er@dvttest.com</a>'<br></div><mailto:<a href="mailto:7.10.102" target="_blank">7.10.102</a>/emailAddress=<a href="mailto:postmaster@dvttest.com" target="_blank"><u></u>postmaster@dvttest.com</a>'> not confirmed by 
<div class="im"><br>certificate, defa<br>ulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1,<br>subjectAlt<br>Name=172.17.10.102, E=<a href="mailto:postmaster@dvttest.com" target="_blank">postmaster@dvttest.com</a>'<br>
</div><mailto:<a href="mailto:E" target="_blank">E</a>=<a href="mailto:postmaster@dvttest.com" target="_blank">postmaster@dvttest.<u></u>com</a>'> 
<div class="im"><br>added connection description "tunnel1"<br>09[CFG] received stroke: route 'tunnel1'<br>09[KNL] no local address found in traffic selector <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a><br>
</div><<a href="http://192.168.1.0/24" target="_blank">http://192.168.1.0/24</a>> 
<div class="im"><br>configuration 'tunnel1' routed<br>***********************************************************************<br>- can you help in understanding why this is happening when the file<br>
is in a correct RSA format?<br>- Also FYI, I am also facing the same issue of RSA key file loading error<br>when I use the "ipsec pki.." built-in strongswan cert app. Here too the<br>error we observe is as below:<br>
---------------------------------------------------------------------------------------------<br>root@evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn "C=IN,<br>O=strongSwan, CN=strongSwan CA" --ca > caCert.der<br>
file coded in unknown format, discarded<br>building CRED_PRIVATE_KEY - RSA failed, tried 6 builders<br>parsing private key failed<br></div>root@evm1gw: 
<div class="im"><br>----------------------------------------------------------------------------------------<br>Please forgive me again for the lengthy submission of the issue<br>thanks once again<br>with regards<br>
Rajiv Kulkarni<br>----------------------------------------------------------------------<br> >Hi Rajiv,<br><br></div> >[root at dvtpc2 private]# cat dvtpc2key1024-self.pem<br>
 >-----BEGIN PRIVATE KEY-----<br> >MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALPec1SeRutyn4Sb<br> >yWS8RVXDiroh3XgXchjYbwm+RvoFS7k31LcpK+zgs62ZdTFxeYCv6hr/bV2BIwwf<br>
 >NwMlPc5zyHnjFrMmOG2eXzzd0xleFwx12NSW0rXtpAVa9/GVmROhObAFUlrLYL4R<br> >WuVLzpA+gv/2U9jVkVxBMr1GG5khAgMBAAECgYEAk2z88ppYXpswjCx0QZDe85C2<br> >oCEpuUjeR+b9++ptmnfEvSc5vnaMfjcejmd9Wu07PXLyWvaI2V8DLuhW2skngjLQ<br>
 >jADppVBvnYvNqqih3GwFSN3H3fieF6fDPeKqv67roqEiGXvCaOUWNFOnAsFGKLpw<br> >d66veG3C+8JD2MCd6JECQQDqpyHu/MQpKhsMW13htkhX1+QXjS584RClLLO3L7LL<br> >VdGRFjq5cZ2mQzQBNB+ccVDhE02WmfZzAXWHd+hjmzEjAkEAxDtyXkGrdOboz3Wq<br>
 >rvYTM/PCJ+K0/Mbisihoi295yGXU074kzXhdVevpN8SarVHz2ktyjea5qPwFRySF<br> >089q6wJBAMf6ykuv9cmTTdv5HgiX3g2nO4fq1XyuHw52C2+KYhkyuViqFkAnGREy<br> >YubHsk0UsbYwSkaYTlXzH2PliBMjlvsCQBsWtcALQrb9lU/mR2ylrZrzYG8PHbrz<br>
 >XaIIb/4nomEmpY2hZwUyQ3gz+9rl+hBJCuesmKC8JA8O00+x3AOUU4cCQQCSn5WN<br> >Na04DmDpNODPlp2YgEVsnWZgOVkI3VrKhWzLhEVq/Sduzx9ySgea0VEegsmWAeqz<br> >IM+lCeaKgP4Dbjqs<br> >-----END PRIVATE KEY-----<br>
<div class="im"><br> >This key is wrapped in PKCS#8 without encryption. We currently can't<br> >read in any PKCS#8 keys.<br><br> >Convert such keys to plain RSA using:<br> > openssl pkcs8 -nocrypt &lt; dvtpc2key1024-self.pem<br>
<br> >Regards<br> >Martin<br><br><br><br><br></div>_______________________________________________<br>Users mailing list<br><a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote><br><br>-- <br>======================================================================<br>
Andreas Steffen                         <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution!                <a href="http://www.strongswan.org/" target="_blank">www.strongswan.org</a> 
<div class="im"><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br></div>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br>
<br></blockquote></div><br>
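<div>The thread turns on two separate ways a strongSwan 4.x daemon can fail to load an RSA key: the file is PKCS#8 ("BEGIN PRIVATE KEY", the OpenSSL 1.0.0 default, which Martin says the strongSwan versions of the time cannot read), or it is a traditional "BEGIN RSA PRIVATE KEY" file that is passphrase-encrypted while the ipsec.secrets entry carries no passphrase, which is what Andreas asks about. The following shell script is an added example, not code from the thread or from the strongSwan project: it classifies a PEM file by its armor label and Proc-Type header, checks the ipsec.secrets line for the quoted-passphrase form Andreas shows, and reports which fix applies before "ipsec start" is run. It assumes POSIX sh with grep and mktemp; the sample PEM files and secrets entries are constructed dummies (their base64 bodies are not keys), and the key path is matched as a regular expression.</div>

```shell
#!/bin/sh
# Added example (not code from the thread or from strongSwan): pre-flight
# check of a PEM private key and its ipsec.secrets entry before 'ipsec start'.
# Assumes POSIX sh plus grep and mktemp; the conversion hint quotes Martin's
# 'openssl pkcs8 -nocrypt' command from the thread instead of running it.

# Classify a PEM file by its armor label and the PEM encryption header.
# Prints one of: traditional-plain, traditional-encrypted,
#                pkcs8-plain, pkcs8-encrypted, unknown
classify_pem() {
    if grep -qF -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # Traditional (PKCS#1) key; OpenSSL marks encryption in a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo traditional-encrypted
        else
            echo traditional-plain
        fi
    elif grep -qF -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -qF -- '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-plain
    else
        echo unknown
    fi
}

# True if ipsec.secrets ($1) has an entry for key path ($2) carrying a quoted
# passphrase, i.e. the form Andreas shows:   : RSA /path/key.pem "passphrase"
# The key path is interpolated into an ERE, so '.' in it matches any character.
secrets_has_passphrase() {
    grep -E "^[[:space:]]*:[[:space:]]*RSA[[:space:]]+$2[[:space:]]+\"[^\"]+\"" "$1" >/dev/null
}

# Verdict for a strongSwan 4.x daemon: prints "ok" or the reason the key load
# would fail, mirroring the two cases discussed in the thread.
check_key() {
    secrets=$1
    key=$2
    case $(classify_pem "$key") in
        pkcs8-*)
            echo "convert: strongSwan 4.x cannot read PKCS#8; run: openssl pkcs8 -nocrypt < $key" ;;
        traditional-encrypted)
            if secrets_has_passphrase "$secrets" "$key"; then
                echo ok
            else
                echo "add passphrase: $secrets has no quoted passphrase for $key"
            fi ;;
        traditional-plain)
            echo ok ;;
        *)
            echo "unknown: $key has no recognised PEM label" ;;
    esac
}

# --- constructed sample inputs (not real keys; the base64 bodies are dummies) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Mirrors the OpenSSL 0.9.8 output on the gateway: traditional, encrypted.
cat >"$tmp/gw.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000
ZHVtbXkgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
EOF

# Mirrors the OpenSSL 1.0.0 default on the Fedora box: PKCS#8, unencrypted.
cat >"$tmp/pc.pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
ZHVtbXkgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END PRIVATE KEY-----
EOF

# ipsec.secrets with and without the passphrase for the gateway key.
printf ': RSA %s "my passphrase"\n' "$tmp/gw.pem" >"$tmp/secrets.ok"
printf ': RSA %s\n' "$tmp/gw.pem" >"$tmp/secrets.nopass"

for s in secrets.ok secrets.nopass; do
    echo "gw.pem with $s: $(check_key "$tmp/$s" "$tmp/gw.pem")"
done
echo "pc.pem: $(check_key "$tmp/secrets.ok" "$tmp/pc.pem")"
```

<div>On a real gateway, call check_key with the actual paths (for example /etc/ipsec.secrets and the key file named in the log). The classification only inspects the PEM armor, so a "traditional-plain" verdict still leaves the final word to the daemon's own parser; the value of the check is that it separates the PKCS#8 case (convert the file) from the missing-passphrase case (fix the ipsec.secrets line) without touching the key.</div>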