[strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

Andreas Steffen andreas.steffen at strongswan.org
Tue Apr 20 09:30:02 CEST 2010


Hello,

the error message from the ASN.1 parser means that the
file "/etc/ipsec.d/private/211Key.pem" does not contain
a private key but probably an X.509 certificate.

Kind regards

Andreas

On 20.04.2010 08:05, shyamsundar.purkayastha at wipro.com wrote:
>>> How can I see explicit logs related to charon startup ?
>
>> Try to start charon in the foreground using
>> ipsec start --nofork
>
> Martin
>
> I ran the ipsec start --nofork command
> As you mentioned in your earlier reply the issue is indeed with loading the private key. It throws the following error
>
> -------------------------------------------------------------
>
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] L1 - version: ASN1 tag 0x02 expected, but is 0x30
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
> -------------------------------------------------------------------
>
> What could be the reason for this ?
>
> Here is the complete verbose stdout I got .. Thanks in advance for your help.
> --------------------------------------------------------------------
>
>
> [root at localhost ~]# ipsec start --nofork
> Starting strongSwan 4.3.6 IPsec [starter]...
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
> 00[KNL] listening on interfaces:
> 00[KNL]   eth0
> 00[KNL]     10.201.114.211
> 00[KNL]     fe80::21f:e2ff:fe6c:c777
> 00[KNL] received netlink error: Invalid argument (22)
> 00[KNL] unable to create IPv6 routing table rule
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "C=IN, ST=KAR, L=EC, O=WT, OU=TEV, CN=10.201.114.211, E=info at wt.com" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] L1 - version: ASN1 tag 0x02 expected, but is 0x30
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
> 00[CFG]   loading private key from '/etc/ipsec.d/private/211Key.pem' failed
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve
> 00[JOB] spawning 16 worker threads
> charon (30659) started after 60 ms
> 12[CFG] stroke message =>  426 bytes @ 0xb116d1a0
> 12[CFG] received stroke: add connection '211TO178Tunnel'
> 12[CFG] conn 211TO178Tunnel
> 12[CFG]   left=10.201.114.211
> 12[CFG]   leftsubnet=(null)
> 12[CFG]   leftsourceip=(null)
> 12[CFG]   leftauth=(null)
> 12[CFG]   leftauth2=(null)
> 12[CFG]   leftid=(null)
> 12[CFG]   leftid2=(null)
> 12[CFG]   leftcert=211Cert.pem
> 12[CFG]   leftcert2=(null)
> 12[CFG]   leftca=(null)
> 12[CFG]   leftca2=(null)
> 12[CFG]   leftgroups=(null)
> 12[CFG]   leftupdown=(null)
> 12[CFG]   right=10.201.114.178
> 12[CFG]   rightsubnet=(null)
> 12[CFG]   rightsourceip=(null)
> 12[CFG]   rightauth=(null)
> 12[CFG]   rightauth2=(null)
> 12[CFG]   rightid=(null)
> 12[CFG]   rightid2=(null)
> 12[CFG]   rightcert=(null)
> 12[CFG]   rightcert2=(null)
> 12[CFG]   rightca=(null)
> 12[CFG]   rightca2=(null)
> 12[CFG]   rightgroups=(null)
> 12[CFG]   rightupdown=(null)
> 12[CFG]   eap_identity=(null)
> 12[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
> 12[CFG]   esp=aes128-sha1,3des-sha1
> 12[CFG]   mediation=no
> 12[CFG]   mediated_by=(null)
> 12[CFG]   me_peerid=(null)
> 12[KNL] getting interface name for 10.201.114.178
> 12[KNL] 10.201.114.178 is not a local address
> 12[KNL] getting interface name for 10.201.114.211
> 12[KNL] 10.201.114.211 is on interface eth0
> 12[CFG]   loaded certificate "C=IN, ST=KAR, O=WT, OU=TEV, CN=211, E=info at s2-wt.com" from '211Cert.pem'
> 12[CFG]   id '10.201.114.211' not confirmed by certificate, defaulting to 'C=IN, ST=KAR, O=WT, OU=TEV, CN=211, E=info at s2-wt.com'
> 12[CFG] added configuration '211TO178Tunnel'
>
> Regards
> Shyam
>
> -----Original Message-----
> From: Martin Willi [mailto:martin at strongswan.org]
> Sent: Monday, April 19, 2010 10:03 PM
> To: Shyamsundar Purkayastha (WT01 - Telecom Equipment)
> Cc: users at lists.strongswan.org
> Subject: RE: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue
>
>
>> How can I see explicit logs related to charon startup ?
>
> Try to start charon in the foreground using
>   ipsec start --nofork
>
> Regards
> Martin

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
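A small checker, added here as an example and not part of the thread or of strongSwan's code, that applies the same first test charon's ASN.1 parser made: after the outer SEQUENCE, an unencrypted private key (PKCS#1 RSAPrivateKey or PKCS#8 PrivateKeyInfo) starts with an INTEGER version (tag 0x02), whereas an X.509 Certificate starts with the tbsCertificate SEQUENCE (tag 0x30). The PEM blobs below are constructed minimal DER shapes, not real key material, and the "RSA PRIVATE KEY" label on the certificate-shaped blob is an assumed mislabelled file.

```python
import base64
import re

TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30


def pem_to_der(pem_text):
    """Return (label, der_bytes) for the first PEM block found in pem_text."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    body = "".join(m.group(2).split())          # drop line breaks inside the base64
    return m.group(1), base64.b64decode(body, validate=True)


def read_tlv_header(der, offset):
    """Parse a DER tag and length at offset; return (tag, length, content_offset)."""
    tag = der[offset]
    first = der[offset + 1]
    if first < 0x80:                            # short-form length
        return tag, first, offset + 2
    n = first & 0x7F                            # long form: next n bytes hold the length
    length = int.from_bytes(der[offset + 2:offset + 2 + n], "big")
    return tag, length, offset + 2 + n


def classify_pem(pem_text):
    """Report the PEM label, the tag of the first element inside the outer SEQUENCE,
    and what that tag is consistent with (the check behind charon's 'L1 - version' error)."""
    label, der = pem_to_der(pem_text)
    outer_tag, _, inner = read_tlv_header(der, 0)
    if outer_tag != TAG_SEQUENCE:
        return label, outer_tag, "not a DER SEQUENCE at all"
    first_tag, _, _ = read_tlv_header(der, inner)
    if first_tag == TAG_INTEGER:
        kind = "private key (INTEGER version first: PKCS#1 RSAPrivateKey or PKCS#8 PrivateKeyInfo)"
    elif first_tag == TAG_SEQUENCE:
        # An encrypted PKCS#8 key also starts with a SEQUENCE, so the label is reported too.
        kind = "X.509 Certificate (SEQUENCE tbsCertificate first), not an unencrypted private key"
    else:
        kind = "unknown structure"
    return label, first_tag, kind


def make_pem(label, der):
    """Wrap DER bytes in a PEM block with the given label (used for the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


# Constructed samples, not real key material: only the leading DER shape matters here.
KEY_SHAPED_DER = bytes.fromhex("3006020100020105")   # SEQUENCE { INTEGER 0, INTEGER 5 }
CERT_SHAPED_DER = bytes.fromhex("30053003020101")    # SEQUENCE { SEQUENCE { INTEGER 1 } }

if __name__ == "__main__":
    for label, der in (("RSA PRIVATE KEY", KEY_SHAPED_DER), ("RSA PRIVATE KEY", CERT_SHAPED_DER)):
        lbl, tag, kind = classify_pem(make_pem(label, der))
        print(f"label={lbl!r} first inner tag=0x{tag:02X}: {kind}")
```

Run against a real file with `classify_pem(open("/etc/ipsec.d/private/211Key.pem").read())`; a first inner tag of 0x30 under a private-key label is the mismatch charon reported.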



