[strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

shyamsundar.purkayastha at wipro.com shyamsundar.purkayastha at wipro.com
Tue Apr 20 10:58:26 CEST 2010


>> One more info. I have generated the keys using the openssl command. In
>> that case is it required to load the openssl module in charon?
>>



> The openssl command generates keys in the standardized PKCS#1
> format which can be read by strongSwan's pkcs1 plugin. There
> is no need to load the openssl plugin. Your problem is that
> the file '/etc/ipsec.d/private/211Key.pem' does not contain a
> private key. The contents of a PEM-encoded private key file
> should have the following format:

Hi Andreas

If you say so then I think I am confused about the creation of keys.

I blindly copied the openssl key generation commands from the strongSwan
readme page:

http://www.strongswan.org/docs/readme42.htm

I followed the following command for generating the host private key
(after setting up the CA keys and openssl.conf to locate the CA keys):

openssl req -newkey rsa:1024 -keyout 211Key.pem -out 211Req.pem

and the following command for signing the key:

openssl ca -in 211Req.pem -days 730 -out 211Cert.pem  -notext


As an alternative I have also tried with the DER format of the keys, for
which the procedure is given in the documentation section titled
"Setting-up a simple CA using strongSwan PKI tool".

Even with this I get the same results and the same error message at
ipsec start --nofork.

So what could be going wrong w.r.t. key generation?

Regards
Shyam

-----Original Message-----
From: users-bounces+shyamsundar.purkayastha=wipro.com at lists.strongswan.org
[mailto:users-bounces+shyamsundar.purkayastha=wipro.com at lists.strongswan.org] On Behalf Of Andreas Steffen
Sent: Tuesday, April 20, 2010 2:04 PM
To: users at lists.strongswan.org
Subject: Re: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

On 20.04.2010 09:53, shyamsundar.purkayastha at wipro.com wrote:
>
>> the error message from the ASN.1 parser means that the
>> file "/etc/ipsec.d/private/211Key.pem" does not contain
>> a private key but probably an X.509 certificate.
>
>
> After uncommenting the load statement in strongswan.conf I am not
> getting the ASN.1 parser error, but the loading of the private key
> still fails, as follows:
>
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders
> 00[CFG]   loading private key from '/etc/ipsec.d/private/211Key.pem'
> failed
>
> Here is my strongswan.conf file:
> --------------------------------------------------------------------
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
>      # number of worker threads in charon
>      threads = 16
>
>      # plugins to load in charon
>      load = des aes sha1 md5 sha2 hmac gmp openssl random pubkey xcbc
> x509 stroke pkcs1 pem
>      #load = aes des sha1 sha2 md5 curl test-vectors pem pkcs1 gcrypt
> x509 hmac stroke kernel-netlink updown
>
If you load the openssl plugin then the private key parsing is done by
the openssl module instead of the pkcs1 plugin. The error still persists
but you don't get the log output from the strongSwan ASN.1 parser.

>      plugins {
>
>          sql {
>              # loglevel to log into sql database
>              loglevel = -1
>
>              # URI to the database
>              # database = sqlite:///path/to/file.db
>              # database = mysql://user:password@localhost/database
>          }
>      }
>
>      # ...
> }
>
> pluto {
>
>      # plugins to load in pluto
>      # load = aes des sha1 md5 sha2 hmac gmp random pubkey
>
> }
>
> libstrongswan {
>
>      #  set to no, the DH exponent size is optimized
>      #  dh_exponent_ansi_x9_42 = no
> }
>
> ---------------------------------------------------------------
>
> One more info. I have generated the keys using the openssl command. In
> that case is it required to load the openssl module in charon?
>
The openssl command generates keys in the standardized PKCS#1
format which can be read by strongSwan's pkcs1 plugin. There
is no need to load the openssl plugin. Your problem is that
the file '/etc/ipsec.d/private/211Key.pem' does not contain a
private key. The contents of a PEM-encoded private key file
should have the following format:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
...
cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
-----END RSA PRIVATE KEY-----

if the key is unencrypted or

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429

mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
...
nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
-----END RSA PRIVATE KEY-----

if the key is protected by a passphrase.

> Regards
> Shyam

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
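A pre-flight check that would have caught the problem Andreas diagnoses above (a file in /etc/ipsec.d/private that holds something other than a PKCS#1 private key). This is an added example, not code from the thread or from strongSwan; the file names and the PEM bodies in the demo are constructed placeholders, and the PKCS#8 hint assumes OpenSSL's `openssl rsa` conversion (with `-traditional` on OpenSSL 3).

```shell
#!/bin/sh
# Added example, not from the thread: report what a PEM file in
# /etc/ipsec.d/private really holds, so a certificate or CSR copied there
# by mistake is caught before "building CRED_PRIVATE_KEY - RSA failed".

# pem_kind FILE: prints rsa-private, rsa-private-encrypted, pkcs8-private,
# certificate, csr or none, judged from the PEM armour lines only.
pem_kind() {
    if grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo rsa-private-encrypted      # PKCS#1, passphrase-protected
        else
            echo rsa-private                # PKCS#1, unencrypted
        fi
    elif grep -q '^-----BEGIN \(ENCRYPTED \)\{0,1\}PRIVATE KEY-----' "$1"; then
        echo pkcs8-private                  # PKCS#8, not the form shown in the reply
    elif grep -q '^-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    elif grep -q '^-----BEGIN \(NEW \)\{0,1\}CERTIFICATE REQUEST-----' "$1"; then
        echo csr
    else
        echo none
    fi
}

# check_private_key FILE: returns 0 for a PKCS#1 RSA key, 1 otherwise,
# with a hint on stderr about where the file probably belongs.
check_private_key() {
    case "$(pem_kind "$1")" in
        rsa-private|rsa-private-encrypted) return 0 ;;
        pkcs8-private) echo "$1: PKCS#8 key; 'openssl rsa -in $1 -out key.pem' (-traditional on OpenSSL 3) rewrites it as PKCS#1" >&2 ;;
        certificate)   echo "$1: holds a certificate, which belongs in ipsec.d/certs" >&2 ;;
        csr)           echo "$1: holds a certificate request (the -out file of openssl req)" >&2 ;;
        *)             echo "$1: no PEM block found" >&2 ;;
    esac
    return 1
}

# Stand-alone demo on constructed files (the base64 bodies are placeholders).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIC...placeholder...' '-----END CERTIFICATE-----' > "$dir/211Key.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-128-CBC,00' '' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$dir/good.pem"
    for f in "$dir/211Key.pem" "$dir/good.pem"; do
        check_private_key "$f" && echo "$f: ok ($(pem_kind "$f"))"
    done
    rm -rf "$dir"
}
demo
```

Run it against every file listed in the `: RSA` lines of ipsec.secrets before `ipsec start`; a `certificate` or `csr` verdict means the wrong `-out` file was copied into the private directory.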

_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
