[strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue
shyamsundar.purkayastha at wipro.com
Tue Apr 20 12:11:46 CEST 2010
Hi Andreas
> As an alternative I have also tried with the der format of the keys for
> which the procedure is given in the documentation section titled
> "Setting-up a simple CA using strongSwan PKI tool"
> Even with this I get the same results and the same error message at
> ipsec start --nofork
> So what could be going wrong w.r.t key generation ?
Sorry. Actually I forgot to change the .pem extension to the .der extension
in the config file.
Now I fixed it and I do not see any error in ipsec charon startup.
But I have a new error when I try to bring up my configuration:
[root at localhost ~]# ipsec up 211TO60Tunnel
initiating IKE_SA 211TO60Tunnel[3] to 10.201.114.178
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.201.114.211[500] to 10.201.114.178[500]
received packet: from 10.201.114.178[500] to 10.201.114.211[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
authentication of 'C=CH, O=strongSwan, CN=211' (myself) with RSA signature successful
sending end entity cert "C=CH, O=strongSwan, CN=211"
establishing CHILD_SA 211TO60Tunnel
unable to allocate SPIs from kernel
What could be the reason for this "unable to allocate SPIs from kernel" error?
Also, any idea why the openssl-generated keys wouldn't work? I used the
latest openssl-1.0.0 version.
Regards
Shyam
-----Original Message-----
From: Shyamsundar Purkayastha (WT01 - Telecom Equipment)
Sent: Tuesday, April 20, 2010 2:28 PM
To: 'Andreas Steffen'; users at lists.strongswan.org
Subject: RE: [strongSwan] Trying a basic peer to peer ipsec setup with
strongswan and is failing due to some key related issue
>> One more info. I have generated the keys using the openssl command. In that
>> case is it required to load the openssl module in charon?
>>
> The openssl command generates keys in the standardized PKCS#1
> format which can be read by strongSwan's pkcs1 plugin. There
> is no need to load the openssl plugin. Your problem is that
> the file '/etc/ipsec.d/private/211Key.pem' does not contain a
> private key. The contents of a PEM-encoded private key file
> should have the following format.
Hi Andreas
If you say so then I think I am confused about the creation of keys.
I blindly copied the openssl key generation commands from the strongSwan
readme page
http://www.strongswan.org/docs/readme42.htm
I used the following command for generating the host private key (after
setting up the CA keys and openssl.conf to locate the CA keys):
openssl req -newkey rsa:1024 -keyout 211Key.pem -out 211Req.pem
and the following command for signing the key:
openssl ca -in 211Req.pem -days 730 -out 211Cert.pem -notext
As an alternative I have also tried with the DER format of the keys, for
which the procedure is given in the documentation section titled
"Setting-up a simple CA using strongSwan PKI tool".
Even with this I get the same results and the same error message at
ipsec start --nofork.
So what could be going wrong w.r.t. key generation?
Regards
Shyam
-----Original Message-----
From: users-bounces+shyamsundar.purkayastha=wipro.com at lists.strongswan.org [mailto:users-bounces+shyamsundar.purkayastha=wipro.com at lists.strongswan.org] On Behalf Of Andreas Steffen
Sent: Tuesday, April 20, 2010 2:04 PM
To: users at lists.strongswan.org
Subject: Re: [strongSwan] Trying a basic peer to peer ipsec setup with
strongswan and is failing due to some key related issue
On 20.04.2010 09:53, shyamsundar.purkayastha at wipro.com wrote:
>
>> the error message from the ASN.1 parser means that the
>> file "/etc/ipsec.d/private/211Key.pem" does not contain
>> a private key but probably an X.509 certificate.
>
>
> After uncommenting the load statement in strongswan.conf I am not
> getting the ASN.1 parser error, but the loading of the private key
> still fails, as follows:
>
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders
> 00[CFG] loading private key from '/etc/ipsec.d/private/211Key.pem'
> failed
>
> Here is my strongswan.conf file
> --------------------------------------------------------------------
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
> # number of worker threads in charon
> threads = 16
>
> # plugins to load in charon
> load = des aes sha1 md5 sha2 hmac gmp openssl random pubkey xcbc x509 stroke pkcs1 pem
> #load = aes des sha1 sha2 md5 curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink updown
>
If you load the openssl plugin then the private key parsing is done by
the openssl module instead of the pkcs1 plugin. The error still persists
but you don't get the log output from the strongSwan ASN.1 parser.
> plugins {
>
> sql {
> # loglevel to log into sql database
> loglevel = -1
>
> # URI to the database
> # database = sqlite:///path/to/file.db
> # database = mysql://user:password@localhost/database
> }
> }
>
> # ...
> }
>
> pluto {
>
> # plugins to load in pluto
> # load = aes des sha1 md5 sha2 hmac gmp random pubkey
>
> }
>
> libstrongswan {
>
> # set to no, the DH exponent size is optimized
> # dh_exponent_ansi_x9_42 = no
> }
>
> ---------------------------------------------------------------
>
> One more info. I have generated the keys using the openssl command. In that
> case is it required to load the openssl module in charon?
>
The openssl command generates keys in the standardized PKCS#1
format which can be read by strongSwan's pkcs1 plugin. There
is no need to load the openssl plugin. Your problem is that
the file '/etc/ipsec.d/private/211Key.pem' does not contain a
private key. The contents of a PEM-encoded private key file
should have the following format.
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
...
cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
-----END RSA PRIVATE KEY-----
if the key is unencrypted or
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429
mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
...
nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
-----END RSA PRIVATE KEY-----
if the key is protected by a passphrase.
> Regards
> Shyam
Regards
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
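The two questions in this thread, "does /etc/ipsec.d/private/211Key.pem really hold a private key?" and "which charon plugins does my load= line leave out?", can both be answered offline before starting charon. The script below is an added example and not part of the thread or of strongSwan; it uses only the Python standard library. It applies the PEM rules Andreas describes (an "RSA PRIVATE KEY" label, optional RFC 1421 Proc-Type/DEK-Info headers for a passphrase-protected key) and adds one DER sanity check: in a PKCS#1 or PKCS#8 private key the first element inside the outer SEQUENCE is the INTEGER version, whereas in an X.509 certificate it is the tbsCertificate SEQUENCE, so a "key" file that was really a certificate is caught even if someone renamed it. The plugin check assumes, which the thread does not state, that charon needs the kernel-netlink plugin to allocate SPIs whenever load= is given explicitly; note that the active load= line in the quoted strongswan.conf omits kernel-netlink while the commented-out line includes it. All PEM bodies and the strongswan.conf text are constructed samples, not the poster's files; the DER blobs only have a realistic outer shape and are not usable keys or certificates.

```python
"""Added example: classify what a PEM file holds and check a charon load= line.
Standard library only. Sample inputs are constructed, not taken from the thread."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def _first_inner_tag(der):
    """Tag byte of the first element inside the outer DER SEQUENCE, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    pos = 2
    if der[1] & 0x80:                 # long-form length: low 7 bits = number of length octets
        pos += der[1] & 0x7F
    return der[pos] if pos < len(der) else None


def classify_pem(text):
    """Describe a PEM blob: label, whether it is passphrase-encrypted (Proc-Type/DEK-Info
    headers), and for unencrypted data whether the DER shape matches the label
    (private key -> first inner element is the INTEGER version,
     certificate -> first inner element is the tbsCertificate SEQUENCE)."""
    m = PEM_RE.search(text)
    if not m:
        return {"kind": "not-pem"}
    label = m.group("label")
    lines = m.group("body").splitlines()
    headers, i = {}, 0
    while i < len(lines) and ":" in lines[i]:   # encapsulated headers precede the base64
        k, _, v = lines[i].partition(":")
        headers[k.strip()] = v.strip()
        i += 1
    kind = {"RSA PRIVATE KEY": "pkcs1-rsa-key",
            "PRIVATE KEY": "pkcs8-key",
            "CERTIFICATE": "x509-cert"}.get(label, "other")
    info = {"label": label, "kind": kind,
            "encrypted": headers.get("Proc-Type", "").endswith("ENCRYPTED"),
            "dek_info": headers.get("DEK-Info"),
            "structure_ok": None}
    if info["encrypted"] or kind == "other":
        return info                          # ciphertext or unknown label: nothing to inspect
    try:
        der = base64.b64decode("".join(l.strip() for l in lines[i:]), validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        info["structure_ok"] = False
        return info
    expected = 0x30 if kind == "x509-cert" else 0x02
    info["structure_ok"] = _first_inner_tag(der) == expected
    return info


def charon_load_list(conf_text):
    """Plugins named on the active (uncommented) load= line of the top-level charon section."""
    depth, top = 0, None
    for line in conf_text.splitlines():
        s = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not s:
            continue
        m = re.match(r"(\w+)\s*\{$", s)
        if m:
            if depth == 0:
                top = m.group(1)
            depth += 1
            continue
        if s == "}":
            depth -= 1
            top = None if depth == 0 else top
            continue
        m = re.match(r"load\s*=\s*(.*)$", s)
        if m and top == "charon" and depth == 1:
            return m.group(1).split()
    return []


def missing_plugins(conf_text, required=("pem", "pkcs1", "kernel-netlink")):
    """Required plugins absent from the charon load= line. pem and pkcs1 read PEM-armored
    PKCS#1 keys; kernel-netlink is assumed to be the kernel interface that allocates SPIs."""
    loaded = set(charon_load_list(conf_text))
    return [p for p in required if p not in loaded]


def _pem(label, der, headers=""):
    """Wrap constructed DER bytes in PEM armor (encodebytes wraps lines and ends with \\n)."""
    return f"-----BEGIN {label}-----\n{headers}{base64.encodebytes(der).decode()}-----END {label}-----\n"


# Constructed DER: SEQUENCE { INTEGER 0, INTEGER 0x0105, INTEGER 3 } and
# SEQUENCE { SEQUENCE { INTEGER 2 } }; only the outer shape is realistic.
FAKE_KEY_DER = bytes.fromhex("300a02010002020105020103")
FAKE_CERT_DER = bytes.fromhex("30053003020102")
FAKE_KEY_PEM = _pem("RSA PRIVATE KEY", FAKE_KEY_DER)
FAKE_CERT_PEM = _pem("CERTIFICATE", FAKE_CERT_DER)
MISLABELED_PEM = _pem("RSA PRIVATE KEY", FAKE_CERT_DER)   # "key" file that holds a certificate
ENCRYPTED_PEM = _pem("RSA PRIVATE KEY", b"\x00" * 32,      # constructed ciphertext placeholder
                     headers="Proc-Type: 4,ENCRYPTED\n"
                             "DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429\n\n")

SAMPLE_CONF = """\
# strongswan.conf - constructed sample modelled on the one quoted in the thread
charon {
    threads = 16
    load = des aes sha1 md5 sha2 hmac gmp openssl random pubkey xcbc x509 stroke pkcs1 pem
    plugins {
        sql {
            loglevel = -1
        }
    }
}
pluto {
    # load = aes des sha1 md5 sha2 hmac gmp random pubkey
}
"""

if __name__ == "__main__":
    for name, pem in [("key", FAKE_KEY_PEM), ("cert", FAKE_CERT_PEM),
                      ("mislabeled", MISLABELED_PEM), ("encrypted", ENCRYPTED_PEM)]:
        print(name, classify_pem(pem))
    print("missing plugins:", missing_plugins(SAMPLE_CONF))
```

Run against a real /etc/ipsec.d/private file, `classify_pem(open(path).read())` reports `kind == "x509-cert"` for the mistake the ASN.1 parser complained about, `structure_ok == False` for a renamed certificate, and `encrypted == True` (with the DEK-Info cipher and IV) when ipsec.secrets must carry a passphrase. The charon section parser tracks braces only far enough to find the top-level load= line; it is not a general strongswan.conf parser.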