[strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

shyamsundar.purkayastha at wipro.com shyamsundar.purkayastha at wipro.com
Tue Apr 20 08:05:51 CEST 2010


>> How can I see explicit logs related to charon startup ?

>Try to start charon in the foreground using
> ipsec start --nofork

Martin

I ran the ipsec start --nofork command.
As you mentioned in your earlier reply, the issue is indeed with loading the private key. It throws the following error:

-------------------------------------------------------------

00[CFG] loading secrets from '/etc/ipsec.secrets'
00[LIB] L1 - version: ASN1 tag 0x02 expected, but is 0x30
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
-------------------------------------------------------------------

What could be the reason for this ?

Here is the complete verbose stdout I got. Thanks in advance for your help.
--------------------------------------------------------------------


[root at localhost ~]# ipsec start --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     10.201.114.211
00[KNL]     fe80::21f:e2ff:fe6c:c777
00[KNL] received netlink error: Invalid argument (22)
00[KNL] unable to create IPv6 routing table rule
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=IN, ST=KAR, L=EC, O=WT, OU=TEV, CN=10.201.114.211, E=info at wt.com" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[LIB] L1 - version: ASN1 tag 0x02 expected, but is 0x30
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/211Key.pem' failed
00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve 
00[JOB] spawning 16 worker threads
charon (30659) started after 60 ms
12[CFG] stroke message => 426 bytes @ 0xb116d1a0
12[CFG] received stroke: add connection '211TO178Tunnel'
12[CFG] conn 211TO178Tunnel
12[CFG]   left=10.201.114.211
12[CFG]   leftsubnet=(null)
12[CFG]   leftsourceip=(null)
12[CFG]   leftauth=(null)
12[CFG]   leftauth2=(null)
12[CFG]   leftid=(null)
12[CFG]   leftid2=(null)
12[CFG]   leftcert=211Cert.pem
12[CFG]   leftcert2=(null)
12[CFG]   leftca=(null)
12[CFG]   leftca2=(null)
12[CFG]   leftgroups=(null)
12[CFG]   leftupdown=(null)
12[CFG]   right=10.201.114.178
12[CFG]   rightsubnet=(null)
12[CFG]   rightsourceip=(null)
12[CFG]   rightauth=(null)
12[CFG]   rightauth2=(null)
12[CFG]   rightid=(null)
12[CFG]   rightid2=(null)
12[CFG]   rightcert=(null)
12[CFG]   rightcert2=(null)
12[CFG]   rightca=(null)
12[CFG]   rightca2=(null)
12[CFG]   rightgroups=(null)
12[CFG]   rightupdown=(null)
12[CFG]   eap_identity=(null)
12[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
12[CFG]   esp=aes128-sha1,3des-sha1
12[CFG]   mediation=no
12[CFG]   mediated_by=(null)
12[CFG]   me_peerid=(null)
12[KNL] getting interface name for 10.201.114.178
12[KNL] 10.201.114.178 is not a local address
12[KNL] getting interface name for 10.201.114.211
12[KNL] 10.201.114.211 is on interface eth0
12[CFG]   loaded certificate "C=IN, ST=KAR, O=WT, OU=TEV, CN=211, E=info at s2-wt.com" from '211Cert.pem'
12[CFG]   id '10.201.114.211' not confirmed by certificate, defaulting to 'C=IN, ST=KAR, O=WT, OU=TEV, CN=211, E=info at s2-wt.com'
12[CFG] added configuration '211TO178Tunnel'

Regards
Shyam

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: Monday, April 19, 2010 10:03 PM
To: Shyamsundar Purkayastha (WT01 - Telecom Equipment)
Cc: users at lists.strongswan.org
Subject: RE: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue


> How can I see explicit logs related to charon startup ?

Try to start charon in the foreground using
 ipsec start --nofork

Regards
Martin
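The failing check in the log above ("L1 - version: ASN1 tag 0x02 expected, but is 0x30") means the first element inside the file's outer SEQUENCE is itself a SEQUENCE, whereas an RSAPrivateKey starts with an INTEGER version. The small DER fingerprinter below reproduces that check offline and names the layouts that do put a SEQUENCE first; it is an added example, not strongSwan code, and the PEM samples it builds are constructed toy structures, not real keys.

```python
import base64
import re

def tlv(tag, body):
    """Encode one DER TLV (assumes the body is shorter than 64 KiB)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Return (tag, body_start, body_end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def child_tags(der):
    """Tags of the elements directly inside the outer SEQUENCE, in order."""
    tag, pos, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer tag 0x%02x is not a SEQUENCE" % tag)
    tags = []
    while pos < end:
        tag, _, pos = read_tlv(der, pos)
        tags.append(tag)
    return tags

# An RSAPrivateKey must start with the INTEGER (0x02) version (the check that failed in the log);
# the other skeletons are the common structures that put a SEQUENCE (0x30) in that position.
LAYOUTS = {
    (0x02, 0x02): "PKCS#1 RSAPrivateKey",
    (0x02, 0x30): "PKCS#8 PrivateKeyInfo",
    (0x30, 0x30): "X.509 Certificate",
    (0x30, 0x03): "SubjectPublicKeyInfo (public key, not a private key)",
    (0x30, 0x04): "EncryptedPrivateKeyInfo (password-protected PKCS#8)",
}

def classify_pem(text):
    """Strip the PEM armour, decode the DER and name its layout from the first two inner tags."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", text, re.S)
    der = base64.b64decode("".join(m.group(2).split()))
    tags = tuple(child_tags(der)[:2])
    return LAYOUTS.get(tags, "unknown layout, first tags %s" % [hex(t) for t in tags])

def to_pem(label, der):
    """Wrap DER bytes in PEM armour (used only to build the constructed samples below)."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der).decode(), label)

# Constructed samples, not real keys: toy DER carrying only the real formats' tag skeleton.
INT0 = tlv(0x02, b"\x00")
RSA_ALG = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))
SAMPLE_PKCS1 = to_pem("RSA PRIVATE KEY", tlv(0x30, INT0 + tlv(0x02, b"\x7f") + tlv(0x02, b"\x03")))
SAMPLE_PKCS8 = to_pem("PRIVATE KEY", tlv(0x30, INT0 + RSA_ALG + tlv(0x04, b"\x00")))
SAMPLE_CERT = to_pem("CERTIFICATE", tlv(0x30, tlv(0x30, INT0) + RSA_ALG + tlv(0x03, b"\x00")))
```

Running `classify_pem(open("/etc/ipsec.d/private/211Key.pem").read())` against the file named in the log tells you which of these layouts it actually contains before charon tries to load it.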

