[strongSwan] Fail on loading secrets (ECDSA)

William Greene wgreene9617 at yahoo.com
Fri Dec 3 15:30:52 CET 2010



I'm pretty much at a dead end on how to proceed further.  Does anyone have ideas 
or suggestions to debug the charon daemon when it is in a restart loop when 
using ECDSA public and private keys?

Thanks in advance for any help and/or suggestions to proceed,
Bill



________________________________
From: William Greene <wgreene9617 at yahoo.com>
To: Andreas Steffen <andreas.steffen at strongswan.org>
Cc: users at lists.strongswan.org
Sent: Wed, December 1, 2010 9:44:59 AM
Subject: Re: [strongSwan] Fail on loading secrets (ECDSA)




Here are snippets from the logs for each type of encoding.  They just repeat.

Using DER encoded certificates, from the charon.log:

Dec  1 09:36:54 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
Dec  1 09:36:54 00[LIB] plugin 'aes': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'des': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'sha1': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'sha2': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'md5': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'random': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'x509': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'revocation': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'pubkey': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'pkcs1': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'pgp': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'pem': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'openssl': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'gcrypt': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'fips-prf': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'gmp': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'xcbc': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'hmac': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'gcm': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'attr': loaded successfully
Dec  1 09:36:54 00[KNL] listening on interfaces:
Dec  1 09:36:54 00[KNL]   eth0
Dec  1 09:36:54 00[KNL]     10.168.80.8
Dec  1 09:36:54 00[KNL]     2005:a8::21e:c9ff:feff:124
Dec  1 09:36:54 00[KNL]     2004:a8::21e:c9ff:feff:124
Dec  1 09:36:54 00[KNL]     fe80::21e:c9ff:feff:124
Dec  1 09:36:54 00[KNL] received netlink error: Address family not supported by protocol (97)
Dec  1 09:36:54 00[KNL] unable to create IPv6 routing table rule
Dec  1 09:36:54 00[LIB] plugin 'kernel-netlink': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'resolve': loaded successfully
Dec  1 09:36:54 00[LIB] plugin 'socket-default': loaded successfully
Dec  1 09:36:54 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Dec  1 09:36:54 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Dec  1 09:36:54 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Dec  1 09:36:54 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Dec  1 09:36:54 00[CFG] loading crls from '/etc/ipsec.d/crls'
Dec  1 09:36:54 00[CFG] loading secrets from '/etc/ipsec.secrets'
Dec  1 09:36:59 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
Dec  1 09:36:59 00[LIB] plugin 'aes': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'des': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'sha1': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'sha2': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'md5': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'random': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'x509': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'revocation': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'pubkey': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'pkcs1': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'pgp': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'pem': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'openssl': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'gcrypt': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'fips-prf': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'gmp': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'xcbc': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'hmac': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'gcm': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'attr': loaded successfully
Dec  1 09:36:59 00[KNL] listening on interfaces:
Dec  1 09:36:59 00[KNL]   eth0
Dec  1 09:36:59 00[KNL]     10.168.80.8
Dec  1 09:36:59 00[KNL]     2005:a8::21e:c9ff:feff:124
Dec  1 09:36:59 00[KNL]     2004:a8::21e:c9ff:feff:124
Dec  1 09:36:59 00[KNL]     fe80::21e:c9ff:feff:124
Dec  1 09:36:59 00[KNL] received netlink error: Address family not supported by protocol (97)
Dec  1 09:36:59 00[KNL] unable to create IPv6 routing table rule
Dec  1 09:36:59 00[LIB] plugin 'kernel-netlink': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'resolve': loaded successfully
Dec  1 09:36:59 00[LIB] plugin 'socket-default': loaded successfully
Dec  1 09:36:59 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Dec  1 09:36:59 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Dec  1 09:36:59 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Dec  1 09:36:59 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Dec  1 09:36:59 00[CFG] loading crls from '/etc/ipsec.d/crls'
Dec  1 09:36:59 00[CFG] loading secrets from '/etc/ipsec.secrets'


Using PEM encoded certificates, the charon.log:

Dec  1 09:41:19 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
Dec  1 09:41:19 00[LIB] plugin 'aes': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'des': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'sha1': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'sha2': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'md5': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'random': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'x509': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'revocation': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'pubkey': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'pkcs1': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'pgp': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'pem': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'openssl': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'gcrypt': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'fips-prf': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'gmp': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'xcbc': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'hmac': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'gcm': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'attr': loaded successfully
Dec  1 09:41:19 00[KNL] listening on interfaces:
Dec  1 09:41:19 00[KNL]   eth0
Dec  1 09:41:19 00[KNL]     10.168.80.8
Dec  1 09:41:19 00[KNL]     2005:a8::21e:c9ff:feff:124
Dec  1 09:41:19 00[KNL]     2004:a8::21e:c9ff:feff:124
Dec  1 09:41:19 00[KNL]     fe80::21e:c9ff:feff:124
Dec  1 09:41:19 00[KNL] received netlink error: Address family not supported by protocol (97)
Dec  1 09:41:19 00[KNL] unable to create IPv6 routing table rule
Dec  1 09:41:19 00[LIB] plugin 'kernel-netlink': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'resolve': loaded successfully
Dec  1 09:41:19 00[LIB] plugin 'socket-default': loaded successfully
Dec  1 09:41:19 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Dec  1 09:41:19 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Dec  1 09:41:19 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Dec  1 09:41:19 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Dec  1 09:41:19 00[CFG] loading crls from '/etc/ipsec.d/crls'
Dec  1 09:41:19 00[CFG] loading secrets from '/etc/ipsec.secrets'
Dec  1 09:41:19 00[LIB]   file content is not binary ASN.1
Dec  1 09:41:19 00[LIB]   -----BEGIN EC PRIVATE KEY-----
Dec  1 09:41:19 00[LIB]   -----END EC PRIVATE KEY-----
Dec  1 09:41:24 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
Dec  1 09:41:24 00[LIB] plugin 'aes': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'des': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'sha1': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'sha2': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'md5': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'random': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'x509': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'revocation': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'pubkey': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'pkcs1': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'pgp': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'pem': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'openssl': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'gcrypt': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'fips-prf': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'gmp': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'xcbc': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'hmac': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'gcm': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'attr': loaded successfully
Dec  1 09:41:24 00[KNL] listening on interfaces:
Dec  1 09:41:24 00[KNL]   eth0
Dec  1 09:41:24 00[KNL]     10.168.80.8
Dec  1 09:41:24 00[KNL]     2005:a8::21e:c9ff:feff:124
Dec  1 09:41:24 00[KNL]     2004:a8::21e:c9ff:feff:124
Dec  1 09:41:24 00[KNL]     fe80::21e:c9ff:feff:124
Dec  1 09:41:24 00[KNL] received netlink error: Address family not supported by protocol (97)
Dec  1 09:41:24 00[KNL] unable to create IPv6 routing table rule
Dec  1 09:41:24 00[LIB] plugin 'kernel-netlink': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'resolve': loaded successfully
Dec  1 09:41:24 00[LIB] plugin 'socket-default': loaded successfully
Dec  1 09:41:24 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Dec  1 09:41:24 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Dec  1 09:41:24 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Dec  1 09:41:24 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Dec  1 09:41:24 00[CFG] loading crls from '/etc/ipsec.d/crls'
Dec  1 09:41:24 00[CFG] loading secrets from '/etc/ipsec.secrets'
Dec  1 09:41:24 00[LIB]   file content is not binary ASN.1
Dec  1 09:41:24 00[LIB]   -----BEGIN EC PRIVATE KEY-----
Dec  1 09:41:24 00[LIB]   -----END EC PRIVATE KEY-----




________________________________
From: Andreas Steffen <andreas.steffen at strongswan.org>
To: William Greene <wgreene9617 at yahoo.com>
Cc: users at lists.strongswan.org
Sent: Tue, November 30, 2010 5:35:04 PM
Subject: Re: [strongSwan] Fail on loading secrets (ECDSA)

Hello Bill,

what does "restarting" mean? Does charon crash? (which it shouldn't)
If you give the key in PEM format then it is normal that it is
automatically converted to DER format first.

Regards

Andreas

On 11/30/2010 09:55 PM, William Greene wrote:
> Hello,
>
> The charon daemon keeps restarting after the "loading secrets from
> '/etc/ipsec.secrets'" log line when the private key is in DER format. In
> PEM form, same thing but with:
>
> Nov 30 14:28:52 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Nov 30 14:28:52 00[LIB] file content is not binary ASN.1
> Nov 30 14:28:52 00[LIB] -----BEGIN EC PRIVATE KEY-----
> Nov 30 14:28:52 00[LIB] -----END EC PRIVATE KEY-----
>
> So der form seems the way to go. It appears that I'm having the same
> issue as this:
>
> https://lists.strongswan.org/pipermail/users/2008-December/003030.html
>
> I've regenerated these ECDSA keys several times and I'm at a loss right
> now how to get going with Suite B testing. I've attached the files that
> I'm using, hoping that someone can tease a clue out from them.
>
> Thanks in advance for any help anyone can provide,
> Bill
>
>
>
> Note: I was unable to use "ipsec pki" commands to create the keys so I
> resolved myself to using openssl and I removed the passphrase from the
> private key file, so I know that can't be the issue. To do this I did
> the following:
>
>
> [root at KAP8 private]# openssl ecparam -genkey -name secp384r1 -out
> testParam.pem
>
> [root at KAP8 private]# openssl req -x509 -newkey ec:testParam.pem -config
> /root/openssl.cnf -out testPub.pem -outform PEM
> Generating a 384 bit EC private key
> writing new private key to 'privkey.pem'
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> -----
> ...
>
> [root at KAP8 private]# ls
> privkey.pem temp testParam.pem testPub.pem
>
> [root at KAP8 private]# openssl ec -in privkey.pem -out testKey.pem
> read EC key
> Enter PEM pass phrase:
> writing EC key
>
> [root at KAP8 private]# ls
> privkey.pem temp testKey.pem testParam.pem testPub.pem
>
> [root at KAP8 private]# openssl ec -outform DER -in testKey.pem -out
> testKey.der
> read EC key
> writing EC key

======================================================================
Andreas Steffen                        andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
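The two things the thread turns on are whether the key file is PEM or DER (charon's "file content is not binary ASN.1" line is the PEM plugin noticing armour before it falls back to DER) and whether the DER it ends up with is the SEC1 ECPrivateKey structure (RFC 5915) that the quoted `openssl ec` commands write, for the curve Bill intended (secp384r1). The following Python script is an added example, not code from the thread or from the strongSwan project: it classifies a key file as PEM or DER, parses the SEC1 structure with a small hand-written DER reader, and reports the named curve, scalar length and whether a public key is embedded. It uses only the standard library. The sample key it builds for itself is constructed (a dummy scalar and an all-zero point placeholder), not a real key, and the parser deliberately accepts only the SEC1 "EC PRIVATE KEY" form, reporting a PKCS#8 "PRIVATE KEY" wrapper as an error rather than parsing it.

```python
"""Check an EC private key file before pointing ipsec.secrets at it: PEM or DER,
and is the DER a SEC1 ECPrivateKey (RFC 5915, what `openssl ec` writes) and for
which curve?  Added example, not code from the thread; the sample key is constructed."""
import base64
import re

# Named-curve OIDs for the Suite B curves (P-256, P-384) plus P-521.
CURVE_OIDS = {
    "1.2.840.10045.3.1.7": "prime256v1 (P-256)",
    "1.3.132.0.34": "secp384r1 (P-384)",
    "1.3.132.0.35": "secp521r1 (P-521)",
}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_tlv(tag, value):
    """Encode one DER element, using the long length form above 127 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_read_tlv(data, pos):
    """Decode one DER element at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(content):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def parse_sec1_ec_private_key(der):
    """ECPrivateKey ::= SEQUENCE { version INTEGER(1), privateKey OCTET STRING,
    parameters [0] namedCurve OID OPTIONAL, publicKey [1] BIT STRING OPTIONAL }"""
    tag, body, end = der_read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, version, pos = der_read_tlv(body, 0)
    if tag != 0x02 or version != b"\x01":
        raise ValueError("ECPrivateKey version must be 1 (a PKCS#8 wrapper uses 0)")
    tag, priv, pos = der_read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("privateKey OCTET STRING missing")
    info = {"private_key_bits": len(priv) * 8, "curve": None, "has_public_key": False}
    while pos < len(body):
        tag, val, pos = der_read_tlv(body, pos)
        if tag == 0xA0:  # [0] parameters: only a namedCurve OID is accepted here
            oid_tag, oid, _ = der_read_tlv(val, 0)
            if oid_tag != 0x06:
                raise ValueError("parameters are not a namedCurve OID")
            dotted = decode_oid(oid)
            info["curve"] = CURVE_OIDS.get(dotted, dotted)
        elif tag == 0xA1:  # [1] optional embedded public key
            info["has_public_key"] = True
    return info


def inspect_key_file(content):
    """Classify raw file bytes as PEM (with its label) or binary DER, then parse."""
    m = PEM_RE.search(content)
    if m:
        label, der, encoding = m.group(1).decode(), base64.b64decode(m.group(2)), "PEM"
    elif content[:1] == b"\x30":  # bare DER: assume SEC1; the parser rejects PKCS#8
        label, der, encoding = "EC PRIVATE KEY", content, "DER"
    else:  # the case charon logs as "file content is not binary ASN.1"
        return {"encoding": "unknown", "error": "neither PEM armour nor a DER SEQUENCE"}
    result = {"encoding": encoding, "label": label}
    if label != "EC PRIVATE KEY":
        result["error"] = "not a SEC1 'EC PRIVATE KEY' block (PKCS#8 or other wrapper)"
        return result
    try:
        result.update(parse_sec1_ec_private_key(der))
    except (ValueError, IndexError) as exc:
        result["error"] = str(exc)
    return result


def build_sample_p384_key():
    """CONSTRUCTED sample: a syntactically valid SEC1 ECPrivateKey for secp384r1
    with a dummy 48-byte scalar and an all-zero point placeholder; not a usable key."""
    priv = bytes(range(1, 49))
    pub = b"\x00\x04" + bytes(96)          # BIT STRING: 0 unused bits, uncompressed point
    secp384r1 = b"\x2b\x81\x04\x00\x22"    # DER content of OID 1.3.132.0.34
    body = (der_tlv(0x02, b"\x01") + der_tlv(0x04, priv)
            + der_tlv(0xA0, der_tlv(0x06, secp384r1))
            + der_tlv(0xA1, der_tlv(0x03, pub)))
    return der_tlv(0x30, body)


def to_pem(der, label="EC PRIVATE KEY"):
    """Wrap DER in PEM armour with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n".encode()
```

To use it on the files from the procedure above, read testKey.der or testKey.pem as bytes and pass them to `inspect_key_file`; a healthy secp384r1 key made with `openssl ec` reports the SEC1 label, 384 private-key bits and the P-384 curve, while a file that yields `"encoding": "unknown"` or a version error is not what charon expects to find. The check only confirms that the file has the structure the daemon's pubkey loading code is looking for; it says nothing about why charon restarts on this particular host, which is what a debug-level log or a core dump would have to answer.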

