[strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

shyamsundar.purkayastha at wipro.com shyamsundar.purkayastha at wipro.com
Tue Apr 20 09:53:18 CEST 2010


> the error message from the ASN.1 parser means that the
> file "/etc/ipsec.d/private/211Key.pem" does not contain
> a private key but probably an X.509 certificate.


After uncommenting the load statement in strongswan.conf I am no longer
getting the ASN.1 parser error, but loading the private key still
fails, as follows:

00[CFG] loading secrets from '/etc/ipsec.secrets'
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/211Key.pem' failed

Here is my strongswan.conf file
--------------------------------------------------------------------
# strongswan.conf - strongSwan configuration file

charon {

    # number of worker threads in charon
    threads = 16

    # plugins to load in charon
    load = des aes sha1 md5 sha2 hmac gmp openssl random pubkey xcbc x509 stroke pkcs1 pem
    #load = aes des sha1 sha2 md5 curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink updown

    plugins {

        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }

    # ...
}

pluto {

    # plugins to load in pluto
    # load = aes des sha1 md5 sha2 hmac gmp random pubkey

}

libstrongswan {

    #  set to no, the DH exponent size is optimized
    #  dh_exponent_ansi_x9_42 = no
}

---------------------------------------------------------------

One more piece of info: I have generated the keys using the openssl
command. In that case, is it required to load the openssl module in charon?


Regards
Shyam

-----Original Message-----
From: users-bounces+shyamsundar.purkayastha=wipro.com at lists.strongswan.org [mailto:users-bounces+shyamsundar.purkayastha=wipro.com at lists.strongswan.org] On Behalf Of Andreas Steffen
Sent: Tuesday, April 20, 2010 1:00 PM
To: users at lists.strongswan.org
Subject: Re: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

Hello,

the error message from the ASN.1 parser means that the
file "/etc/ipsec.d/private/211Key.pem" does not contain
a private key but probably an X.509 certificate.

Kind regards

Andreas

On 20.04.2010 08:05, shyamsundar.purkayastha at wipro.com wrote:
>>> How can I see explicit logs related to charon startup ?
>
>> Try to start charon in the foreground using
>> ipsec start --nofork
>
> Martin
>
> I ran the ipsec start --nofork command. As you mentioned in your earlier reply, the issue is indeed with loading the private key. It throws the following error:
>
> -------------------------------------------------------------
>
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] L1 - version: ASN1 tag 0x02 expected, but is 0x30
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
> -------------------------------------------------------------------
>
> What could be the reason for this ?
>
> Here is the complete verbose stdout I got. Thanks in advance for your help.
> --------------------------------------------------------------------
>
>
> [root at localhost ~]# ipsec start --nofork
> Starting strongSwan 4.3.6 IPsec [starter]...
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
> 00[KNL] listening on interfaces:
> 00[KNL]   eth0
> 00[KNL]     10.201.114.211
> 00[KNL]     fe80::21f:e2ff:fe6c:c777
> 00[KNL] received netlink error: Invalid argument (22)
> 00[KNL] unable to create IPv6 routing table rule
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "C=IN, ST=KAR, L=EC, O=WT, OU=TEV, CN=10.201.114.211, E=info at wt.com" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] L1 - version: ASN1 tag 0x02 expected, but is 0x30
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
> 00[CFG]   loading private key from '/etc/ipsec.d/private/211Key.pem' failed
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve
> 00[JOB] spawning 16 worker threads
> charon (30659) started after 60 ms
> 12[CFG] stroke message =>  426 bytes @ 0xb116d1a0
> 12[CFG] received stroke: add connection '211TO178Tunnel'
> 12[CFG] conn 211TO178Tunnel
> 12[CFG]   left=10.201.114.211
> 12[CFG]   leftsubnet=(null)
> 12[CFG]   leftsourceip=(null)
> 12[CFG]   leftauth=(null)
> 12[CFG]   leftauth2=(null)
> 12[CFG]   leftid=(null)
> 12[CFG]   leftid2=(null)
> 12[CFG]   leftcert=211Cert.pem
> 12[CFG]   leftcert2=(null)
> 12[CFG]   leftca=(null)
> 12[CFG]   leftca2=(null)
> 12[CFG]   leftgroups=(null)
> 12[CFG]   leftupdown=(null)
> 12[CFG]   right=10.201.114.178
> 12[CFG]   rightsubnet=(null)
> 12[CFG]   rightsourceip=(null)
> 12[CFG]   rightauth=(null)
> 12[CFG]   rightauth2=(null)
> 12[CFG]   rightid=(null)
> 12[CFG]   rightid2=(null)
> 12[CFG]   rightcert=(null)
> 12[CFG]   rightcert2=(null)
> 12[CFG]   rightca=(null)
> 12[CFG]   rightca2=(null)
> 12[CFG]   rightgroups=(null)
> 12[CFG]   rightupdown=(null)
> 12[CFG]   eap_identity=(null)
> 12[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
> 12[CFG]   esp=aes128-sha1,3des-sha1
> 12[CFG]   mediation=no
> 12[CFG]   mediated_by=(null)
> 12[CFG]   me_peerid=(null)
> 12[KNL] getting interface name for 10.201.114.178
> 12[KNL] 10.201.114.178 is not a local address
> 12[KNL] getting interface name for 10.201.114.211
> 12[KNL] 10.201.114.211 is on interface eth0
> 12[CFG]   loaded certificate "C=IN, ST=KAR, O=WT, OU=TEV, CN=211, E=info at s2-wt.com" from '211Cert.pem'
> 12[CFG]   id '10.201.114.211' not confirmed by certificate, defaulting to 'C=IN, ST=KAR, O=WT, OU=TEV, CN=211, E=info at s2-wt.com'
> 12[CFG] added configuration '211TO178Tunnel'
>
> Regards
> Shyam
>
> -----Original Message-----
> From: Martin Willi [mailto:martin at strongswan.org]
> Sent: Monday, April 19, 2010 10:03 PM
> To: Shyamsundar Purkayastha (WT01 - Telecom Equipment)
> Cc: users at lists.strongswan.org
> Subject: RE: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue
>
>
>> How can I see explicit logs related to charon startup ?
>
> Try to start charon in the foreground using
>   ipsec start --nofork
>
> Regards
> Martin

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
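As an added illustration of the diagnosis in this thread (example code written for this page, not strongSwan's own parser): the first element charon's ASN.1 parser expects inside the outer SEQUENCE of a private key file is the INTEGER version (tag 0x02), while a PEM-encoded X.509 certificate has a nested SEQUENCE (tag 0x30) there, which is exactly the "ASN1 tag 0x02 expected, but is 0x30" line in the log. The script below uses only the Python standard library and constructed sample inputs (not real keys or certificates) to reproduce that check, so a file under /etc/ipsec.d/private can be inspected before charon tries to load it.

```python
import base64
import re
# Minimal DER helpers (stdlib only); also used to build the constructed inputs below.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf, pos):
    # Returns (tag, content_start, content_end) of the TLV at buf[pos].
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    nbytes = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    return tag, pos + 2 + nbytes, pos + 2 + nbytes + length

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify_pem(text):
    """PKCS#1 RSAPrivateKey and PKCS#8 PrivateKeyInfo begin SEQUENCE { INTEGER version };
    an X.509 Certificate begins SEQUENCE { SEQUENCE tbsCertificate }: the 0x30 charon reported."""
    m = PEM_RE.search(text)
    if not m:
        return "no PEM block found"
    label = m.group(1)
    blob = base64.b64decode("".join(m.group(2).split()))
    outer, start, _ = read_tlv(blob, 0)
    if outer != 0x30:
        return f"{label}: outer tag 0x30 expected, but is 0x{outer:02x}"
    inner, _, _ = read_tlv(blob, start)
    if inner == 0x02:
        return f"{label}: private key structure (INTEGER version first)"
    if inner == 0x30:
        return f"{label}: ASN1 tag 0x02 expected, but is 0x30 (X.509 certificate, not a key)"
    return f"{label}: unexpected first element tag 0x{inner:02x}"

def to_pem(label, blob):
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed inputs (not real keys or certs): only the outer ASN.1 shape matters. CERT_AS_KEY is a certificate-shaped blob stored under the key file's label, the situation in this thread.
KEY_SHAPED = to_pem("RSA PRIVATE KEY", der(0x30, der(0x02, b"\x00") + der(0x02, b"\x0b") + der(0x02, b"\x03")))
CERT_AS_KEY = to_pem("RSA PRIVATE KEY", der(0x30, der(0x30, der(0x02, b"\x02")) + der(0x30, b"") + der(0x03, b"\x00")))
```

A quick on-box cross-check is `openssl rsa -in 211Key.pem -noout` versus `openssl x509 -in 211Key.pem -noout`; whichever one succeeds tells you what the file actually holds.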
