[strongSwan-dev] simple RSA authentication w/o CA

James Hulka jah at open.ch
Mon Feb 4 17:07:05 CET 2013


Martin

thank you for the quick reply. I have also tried the same scenario using
PEM encoded files for the public keys and I get the following error:

 charon: 13[LIB] building CRED_CERTIFICATE - TRUSTED_PUBKEY failed,
tried 0 builders
 charon: 13[CFG]   loading RSA public key for "<leftid>" from
'/etc/ipsec.d/<id>.pub.pem' failed

 charon: 13[LIB] building CRED_CERTIFICATE - TRUSTED_PUBKEY failed,
tried 0 builders
 charon: 13[CFG]   loading RSA public key for "<rightid>" from
'/etc/ipsec.d/<rightid>.pub.pem' failed

I take it this could be a consequence of not having the pubkey plugin?

thanks again,

James

On 02/04/2013 04:52 PM, Martin Willi wrote:
> 
>> the public key is entered as text (RFC 3110 DNSKEY format) in the
>> left|rightrsasigkey.
> 
>>  charon: 13[LIB] building CRED_PUBLIC_KEY - RSA failed, tried 3 builders
>>  charon: 13[CFG]   loading RSA public key for "<leftid>" failed
> 
> Loading the public key fails for some reason. Have you built and enabled
> both the dnskey and the pubkey plugins? These are required to load raw
> public keys.
> 
>>  charon: 04[IKE] no private key found for '<leftid>'
> 
> This is just a consequence of the failure above. The daemon needs a
> certificate (or a public key loaded with a leftid) to find a private key
> for a given identity.
> 
>> <leftid> : RSA <leftid>.pem
> 
> This doesn't help, as charon does not depend on/respect the identities
> assigned to a private key.
> 
> Alternatively, you can try to specify a path to the (PEM or DER encoded)
> public key in left/rightrsasigkey. This way you don't need RFC 3110
> encoded keys.
> 
> Regards
> Martin
> 
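For reference on the RFC 3110 format Martin mentions above: the key string that goes into left|rightrsasigkey= is the DNSKEY RDATA (exponent length, exponent, modulus) base64-encoded with strongSwan's "0s" prefix, which is why the dnskey plugin is needed to load it. The script below encodes and decodes that layout; it is an added example and not code from strongSwan or from either poster. The toy modulus and the rsa_to_rfc3110/rfc3110_to_rsa names are constructed for illustration, and the key size is far too small for real use.

```python
"""RFC 3110 (DNSKEY) encoding of an RSA public key, as used in strongSwan's
left|rightrsasigkey= setting.

Added example, not strongSwan code.  The key material below is constructed
for illustration only.
"""
import base64
import struct
from typing import Tuple


def _be_bytes(value: int) -> bytes:
    """Minimal big-endian encoding of a positive integer (no leading zeros)."""
    if value <= 0:
        raise ValueError("RSA parameters must be positive")
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def rsa_to_rfc3110(n: int, e: int) -> str:
    """Return the '0s<base64>' string expected in leftrsasigkey=.

    Wire layout (RFC 3110 section 2):
      exponent length: one byte if < 256, else 0x00 followed by a 2-byte length
      exponent bytes
      modulus bytes (no leading zero bytes)
    """
    exp = _be_bytes(e)
    mod = _be_bytes(n)
    if len(exp) < 256:
        hdr = bytes([len(exp)])
    elif len(exp) < 65536:
        hdr = b"\x00" + struct.pack(">H", len(exp))
    else:
        raise ValueError("exponent too long for RFC 3110")
    # "0s" is the strongSwan/FreeS/WAN prefix marking a base64 literal.
    return "0s" + base64.b64encode(hdr + exp + mod).decode("ascii")


def rfc3110_to_rsa(text: str) -> Tuple[int, int]:
    """Parse a '0s...' key string back into (n, e); raises on malformed input."""
    if not text.startswith("0s"):
        raise ValueError("expected base64 prefix '0s'")
    raw = base64.b64decode(text[2:], validate=True)
    if not raw:
        raise ValueError("empty key")
    if raw[0] != 0:
        exp_len, off = raw[0], 1
    else:
        if len(raw) < 3:
            raise ValueError("truncated exponent length")
        exp_len, off = struct.unpack(">H", raw[1:3])[0], 3
    exp = raw[off:off + exp_len]
    mod = raw[off + exp_len:]
    if len(exp) != exp_len or not mod:
        raise ValueError("truncated key data")
    return int.from_bytes(mod, "big"), int.from_bytes(exp, "big")


# Constructed toy key (NOT a real key): e = 65537 and a 128-bit modulus.
TOY_E = 65537
TOY_N = 0xD4BDC2D5BE24731F86AA3C0F9E0D5F21


if __name__ == "__main__":
    key = rsa_to_rfc3110(TOY_N, TOY_E)
    print("leftrsasigkey=" + key)
    print(rfc3110_to_rsa(key) == (TOY_N, TOY_E))
```

With e = 65537 the encoded string always begins with "0sAwEAA" (the familiar "AwEAA" prefix of DNSKEY records), which is a quick way to sanity-check a key pasted into ipsec.conf. strongSwan's own pki tool can produce the same encoding from an existing key with `ipsec pki --pub --in key.pem --type rsa --outform dnskey`; the decoder above is what the dnskey plugin has to do at load time, which is why a missing plugin shows up as "tried 0 builders".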