<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt">Hi Martin/Andreas,<br><br>Now I can ping the other peer and see that secure ESP packets are going back and forth, but I can also see one unsecure packet, as you can see below: it seems the 55 node sends the echo request twice, one secure and one unsecure. Is it normal? <br><br>01:24:44.559099 IP LMU5k.lan > 192.168.1.56: ESP(spi=0xcb8b0e8d,seq=0x1), length 132 <br>01:24:44.559417 IP LMU5k.lan > 192.168.1.56: ICMP echo request, id 58919, seq 0, length 64 <br>01:24:44.560057 IP 192.168.1.56 > LMU5k.lan: ESP(spi=0xc3b7a86c,seq=0x1), length
132 <br>01:24:45.565739 IP LMU5k.lan > 192.168.1.56: ESP(spi=0xcb8b0e8d,seq=0x2), length 132 <br>01:24:45.566053 IP LMU5k.lan > 192.168.1.56: ICMP echo request, id 58919, seq 1, length 64 <br>01:24:45.566496 IP 192.168.1.56 > LMU5k.lan: ESP(spi=0xc3b7a86c,seq=0x2), length 132 <br>01:24:46.575691 IP LMU5k.lan > 192.168.1.56: ESP(spi=0xcb8b0e8d,seq=0x3), length 132 <br>01:24:46.576008 IP
LMU5k.lan > 192.168.1.56: ICMP echo request, id 58919, seq 2, length 64 <br>01:24:46.576447 IP 192.168.1.56 > LMU5k.lan: ESP(spi=0xc3b7a86c,seq=0x3), length 132 <br>01:24:46.87<br><div><span><br></span></div><div>Thanks,</div><div>Farid<br></div> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Farid Farid <farid21657@yahoo.com><br> <b><span style="font-weight: bold;">To:</span></b> Andreas Steffen <andreas.steffen@strongswan.org> <br><b><span style="font-weight: bold;">Cc:</span></b>
"users@lists.strongswan.org" <users@lists.strongswan.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, August 1, 2013 9:28 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] No private key found for 'C=CA ...........'<br> </font> </div> <div class="y_msg_container"><br><div id="yiv3830073574"><div><div style="color:#000;background-color:#fff;font-family:times new roman, new york, times, serif;font-size:12pt;"><div><span>Hi Andreas,</span></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:'times new roman', 'new york', times, serif;background-color:transparent;font-style:normal;"><span><br></span></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:'times new roman', 'new york', times, serif;background-color:transparent;font-style:normal;"><span>Thank you so much. It is working now!! :) </span></div><div><br></div><div style="color:rgb(0, 0,
0);font-size:16px;font-family:'times new roman', 'new york', times, serif;background-color:transparent;font-style:normal;">Cheers,</div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:'times new roman', 'new york', times, serif;background-color:transparent;font-style:normal;">Farid</div><div style="color:rgb(0, 0,
0);font-size:16px;font-family:'times new roman', 'new york', times, serif;background-color:transparent;font-style:normal;"><br></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:'times new roman', 'new york', times, serif;background-color:transparent;font-style:normal;"><br></div> <div style="font-family:'times new roman', 'new york', times, serif;font-size:12pt;"> <div style="font-family:'times new roman', 'new york', times, serif;font-size:12pt;"> <div dir="ltr"> <hr size="1"> <font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Andreas Steffen <andreas.steffen@strongswan.org><br> <b><span style="font-weight:bold;">To:</span></b> Farid Farid <farid21657@yahoo.com> <br><b><span style="font-weight:bold;">Cc:</span></b> Martin Willi <martin@strongswan.org>; "users@lists.strongswan.org" <users@lists.strongswan.org> <br> <b><span style="
font-weight:bold;">Sent:</span></b> Wednesday, July 31, 2013 11:37 PM<br> <b><span style="font-weight:bold;">Subject:</span></b> Re: [strongSwan] No private key found for 'C=CA ...........'<br> </font> </div> <div class="yiv3830073574y_msg_container"><br>Hi Farid,<br><br>the startup warning<br><br>> !! Your strongswan.conf contains manual plugin load options for charon.<br>> !! This is recommended for experts only, see<br>> !! <a rel="nofollow" target="_blank" href="http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad">http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad</a><br><br>is intended for newbies like you who don't know what they are doing<br>when meddling around with the strongswan.conf load statement:<br><br>- The pkcs1 plugin is missing so your private key won't get parsed:<br><br>> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders<br>> 00[CFG] loading private key from
'/etc/ipsec.d/private/lmu56Key.pem'<br>>
failed<br><br>- The x509 plugin is missing so your certificates don't get parsed:<br><br>> 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders<br>> 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem'<br>> failed<br><br>Just remove the load statement from strongswan.conf and you'll fare<br>much better!<br><br>Andreas<br><br>On 08/01/2013 04:35 AM, Farid Farid wrote:<br>> Thank you Martin for the hint.<br>> <br>> I added 'pem' in strongswan.conf (you can see strongswan.conf below): <br>> But I still get the same output. Please see the<br>>>>ipsec start --no-fork output right after strongswan.conf<br>> This package is also installed: strongswan-mod-pem - 5.0.4-1<br>> <br>> Is there any other way to debug this to see why it is not loading the keys? <br>> <br>> <br>> <br>> Appreciate your help.<br>> <br>> Farid<br>> <br>> <br>> <br>> 08[LIB] building
CRED_CERTIFICATE - ANY failed, tried 1 builders<br>
> # strongswan.conf - strongSwan configuration file<br>
> <br>
> charon {<br>
> <br>
>   # number of worker threads in charon<br>
>   threads = 16<br>
> <br>
>   load = aes pem des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown<br>
>   # send strongswan vendor ID?<br>
>   # send_vendor_id = yes<br>
> <br>
>   plugins {<br>
> <br>
>     sql {<br>
>       # loglevel to log into sql database<br>
>       loglevel = -1<br>
> <br>
>       # URI to the database<br>
>       # database = sqlite:///path/to/file.db<br>
>       # database = mysql://user:password@localhost/database<br>
>     }<br>
>   }<br>
> <br>
>   # ...<br>
> }<br>
> <br>
> pluto {<br>
> <br>
> }<br>
> <br>
> libstrongswan {<br>
> <br>
>   # set to no, the DH exponent size is optimized<br>
>   # dh_exponent_ansi_x9_42 = no<br>
> }<br>
> ~
<br>> <br>> <a rel="nofollow" ymailto="mailto:root@LMU8K" target="_blank" href="mailto:root@LMU8K">root@LMU8K</a>:~# ipsec start --nofork<br>> Starting strongSwan 5.0.4 IPsec [starter]...<br>> !! Your strongswan.conf contains manual plugin load options for charon.<br>> !! This is recommended for experts only, see<br>> !! <a rel="nofollow" target="_blank" href="http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad">http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad</a><br>> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.3.8,<br>> armv5tejl)<br>> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>> 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders<br>> 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem'<br>> failed<br>> 00[CFG] loading aa certificates
from '/etc/ipsec.d/aacerts'<br>> 00[CFG]
loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>> 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>> 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders<br>> 00[CFG] loading private key from '/etc/ipsec.d/private/lmu56Key.pem'<br>> failed<br>> 00[DMN] loaded plugins: charon aes pem des sha1 sha2 md5 gmp random<br>> nonce hmac stroke kernel-netlink socket-default updown<br>> 00[JOB] spawning 16 worker threads<br>> charon (2628) started after 80 ms<br>> 08[CFG] received stroke: add connection 'lmu56'<br>> 08[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders<br>> 08[CFG] loading certificate from 'lmu56Cert.pem' failed<br>> 08[CFG] added configuration 'lmu56'<br>> <br>> <br>> <br>> <br>>
------------------------------------------------------------------------<br>> *From:* Martin Willi <<a rel="nofollow" ymailto="mailto:martin@strongswan.org" target="_blank" href="mailto:martin@strongswan.org">martin@strongswan.org</a>><br>> *To:* Farid Farid <<a rel="nofollow" ymailto="mailto:farid21657@yahoo.com" target="_blank" href="mailto:farid21657@yahoo.com">farid21657@yahoo.com</a>><br>> *Cc:* "<a rel="nofollow" ymailto="mailto:users@lists.strongswan.org" target="_blank" href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a>" <<a rel="nofollow" ymailto="mailto:users@lists.strongswan.org" target="_blank" href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a>><br>> *Sent:* Sunday, July 28, 2013 12:19 AM<br>> *Subject:* Re: [strongSwan] No private key found for 'C=CA ...........'<br>> <br>> Hi Farid,<br>> <br>>> !! Your strongswan.conf contains manual plugin load
options for charon.<br>>> !! This is recommended for experts only, see<br>>> !! <a rel="nofollow" target="_blank" href="http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad">http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad</a><br>> <br>> This warning pops up for a specific reason:<br>> <br>>> 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce<br>> hmac stroke kernel-netlink socket-default updown<br>> <br>> You didn't load the pem plugin, hence<br>> <br>>> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders<br>>> 00[CFG] loading private key from '/etc/ipsec.d/private/lmu55Key.pem'<br>> failed<br>> <br>> loading a PEM encoded private key fails.<br>> <br>> Regards<br>> Martin<br>======================================================================<br>Andreas Steffen
<a rel="nofollow" ymailto="mailto:andreas.steffen@strongswan.org" target="_blank" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! www.strongswan.org<br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br><br><br></div> </div> </div> </div></div></div><br></div> </div> </div> </div></body></html>