[strongSwan-dev] simple RSA authentication w/o CA
James Hulka
jah at open.ch
Mon Feb 4 17:07:05 CET 2013
Martin

thank you for the quick reply. I have also tried the same scenario using
PEM encoded files for the public keys and I get the following error:

charon: 13[LIB] building CRED_CERTIFICATE - TRUSTED_PUBKEY failed, tried 0 builders
charon: 13[CFG] loading RSA public key for "<leftid>" from '/etc/ipsec.d/<id>.pub.pem' failed
charon: 13[LIB] building CRED_CERTIFICATE - TRUSTED_PUBKEY failed, tried 0 builders
charon: 13[CFG] loading RSA public key for "<rightid>" from '/etc/ipsec.d/<rightid>.pub.pem' failed

I take it this could be a consequence of not having the pubkey plugin?

thanks again,
James

On 02/04/2013 04:52 PM, Martin Willi wrote:
>
>> the public key is entered as text (RFC 3110 DNSKEY format) in the
>> left|rightrsasigkey.
>
>> charon: 13[LIB] building CRED_PUBLIC_KEY - RSA failed, tried 3 builders
>> charon: 13[CFG] loading RSA public key for "<leftid>" failed
>
> Loading the public key fails for some reason. Have you built and enabled
> both the dnskey and the pubkey plugins? These are required to load raw
> public keys.
>
>> charon: 04[IKE] no private key found for '<leftid>'
>
> This is just a consequence of the failure above. The daemon needs a
> certificate (or a public key loaded with a leftid) to find a private key
> for a given identity.
>
>> <leftid> : RSA <leftid>.pem
>
> This doesn't help, as charon does not depend on/respect the identities
> assigned to a private key.
>
> Alternatively, you can try to specify a path to the (PEM or DER encoded)
> public key in left/rightrsasigkey. This way you don't need RFC 3110
> encoded keys.
>
> Regards
> Martin
>
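
Added example (not part of the original thread and not strongSwan code): a Python check for the RFC 3110 text form discussed above. It decodes a rsasigkey value with the 0s (base64) or 0x (hex) prefix used in ipsec.conf and rejects malformed blobs. The function names are illustrative and the sample modulus is constructed for the format check only; it is not a usable RSA key.

```python
import base64

def encode_rfc3110(n: int, e: int) -> bytes:
    """Serialize an RSA public key (modulus n, exponent e) per RFC 3110 section 2."""
    if n <= 0 or e <= 0:
        raise ValueError("modulus and exponent must be positive")
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Exponent length: one octet for 1..255, else a zero octet plus two length octets.
    prefix = bytes([len(exp)]) if len(exp) <= 255 else b"\x00" + len(exp).to_bytes(2, "big")
    return prefix + exp + mod

def decode_rfc3110(blob: bytes) -> tuple[int, int]:
    """Return (modulus, exponent); raise ValueError on a malformed blob."""
    if len(blob) < 3:
        raise ValueError("blob too short")
    exp_len, offset = blob[0], 1
    if exp_len == 0:  # long form: the next two octets carry the length
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    exp = blob[offset:offset + exp_len]
    mod = blob[offset + exp_len:]
    if exp_len == 0 or len(exp) != exp_len or not mod:
        raise ValueError("truncated exponent or missing modulus")
    if exp[0] == 0 or mod[0] == 0:
        raise ValueError("leading zero octets are prohibited")
    return int.from_bytes(mod, "big"), int.from_bytes(exp, "big")

def parse_rsasigkey(value: str) -> tuple[int, int]:
    """Decode the text form: 0s prefix = base64, 0x prefix = hex."""
    value = value.strip()
    if value.startswith("0s"):
        blob = base64.b64decode(value[2:], validate=True)
    elif value.startswith("0x"):
        blob = bytes.fromhex(value[2:])
    else:
        raise ValueError("expected 0s (base64) or 0x (hex) prefix")
    return decode_rfc3110(blob)

def to_rsasigkey(n: int, e: int) -> str:
    return "0s" + base64.b64encode(encode_rfc3110(n, e)).decode("ascii")

# Constructed sample: a 2048-bit number standing in for a modulus (format test only).
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_E = 65537

if __name__ == "__main__":
    text = to_rsasigkey(SAMPLE_N, SAMPLE_E)
    n, e = parse_rsasigkey(text)
    print(f"{text[:24]}...  modulus bits={n.bit_length()} exponent={e}")
```
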