<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt">Hi Martin,<br><br>Thank you so much for your response. :)<br>Yes, I copied everything properly in the correct place and I used the commands that I sent in my previous E-mail.<br><br>Here is the output of >>ipsec start --nofork<br><br>root@LMU5k:~# ipsec start --nofork<br>Starting strongSwan 5.0.4 IPsec [starter]...<br>!! Your strongswan.conf contains manual plugin load options for charon.<br>!! This is recommended for experts only, see<br>!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad<br>00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.3.8, armv5tejl)<br>00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders<br>00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem'
failed<br>00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>00[CFG] loading crls from '/etc/ipsec.d/crls'<br>00[CFG] loading secrets from '/etc/ipsec.secrets'<br>00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders<br>00[CFG] loading private key from '/etc/ipsec.d/private/lmu55Key.pem' failed<br>00[DMN] loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown<br>00[JOB] spawning 16 worker threads<br>charon (15172) started after 80 ms<br>06[CFG] received stroke: add connection 'lmu55'<br>06[LIB] building CRED_CERTIFICATE - ANY failed, tried 0 builders<br>06[CFG] loading certificate from 'lmu55Cert.pem' failed<br>06[CFG] added configuration 'lmu55'<br><br><br>It seems Charon can't load anything. It failed at
building CRED_CERTIFICATE... and I can't see if it ever tries to load or read from the /ipsec.d/certs/ directory.<br><br>So is it a problem with certificate and key generation? Or is there an incompatibility here?<br>I created the certificate and keys on an Ubuntu machine with strongswan 4.x.x. Do you think it might be the issue?<br><br>Is there any way to check if certificates and keys are OK before loading them to the target machine?<br><br>Is it possible that strongswan compiled for this target machine is not a full package? However, I installed all required packages based on the OpenWrt wiki page.<br>My build compiler is uClibc.<br><br>I appreciate your help,<br>Farid<br><div><span><br></span></div><div><br></div> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font face="Arial" size="2">
<b><span style="font-weight:bold;">From:</span></b> Martin Willi <martin@strongswan.org><br> <b><span style="font-weight: bold;">To:</span></b> Farid Farid <farid21657@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "users@lists.strongswan.org" <users@lists.strongswan.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, July 26, 2013 12:09 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] No private key found for 'C=CA ...........'<br> </font> </div> <div class="y_msg_container"><br>Hi Farid,<br><br>> left:<br>> cp lmu55Key.pem lmu55:/etc/ipsec.d/private/<br>> cp lmu55Cert.pem lmu55:/ipsec.d/certs/<br>> cp caCert.pem lmu55:/ipsec.d/cacerts/<br>> <br>> right:<br>> cp lmu55Key.pem lmu55:/etc/ipsec.d/private/<br>> cp lmu55Cert.pem lmu55:/ipsec.d/certs/<br>> cp
caCert.pem lmu55:/ipsec.d/cacerts/<br><br>I assume you have copied lmu56* to the appropriate places as well?<br><br>> no RSA private key found for 'C=CA, CN=lmu55'<br><br>At a first look the generation of your keys/certs looks good, but for<br>some reason the daemon can't find the private key for your certificate.<br><br>To check if the private key has been loaded, call "ipsec listcerts". It<br>should list your peer certificate, and if it has a private key for it,<br>it should state "has private key".<br><br>If this is not the case, you should check the log and see if there is<br>any error during daemon startup. Alternatively, you can invoke the IKE<br>daemon in the foreground using "ipsec start --nofork". <br><br>Regards<br>Martin<br><br><br><br></div> </div> </div> </div></body></html>