[strongSwan] charon: 11[IKE] no private key found for 'bla-bla-bla'
sftf
sftf-misc at mail.ru
Thu Jun 3 11:44:38 CEST 2010
Please help me with the following error.
I am trying to connect from a Win7 client with IKEv2 to a Debian strongSwan 4.2.4 gateway.
The connection stops with "charon: 11[IKE] no private key found for..." followed by the gateway's cert ID.
The gateway's private key is in /etc/ipsec.d/private/gw.superprime.ru-key.pem and is not encrypted.
It looks like strongSwan didn't "see" the private key gw.superprime.ru-key.pem.
--- /etc/ipsec.conf ------------------------------------------------------------------
config setup
nat_traversal=yes
charonstart=yes
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
left=195.162.66.178
leftsubnet=192.168.0.0/24
#leftcert=gw.superprime.ru-cert.pem
leftid="C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, E=gateway at superprime.ru"
keyexchange=ikev1
type=tunnel
pfs=yes
pfsgroup=modp1024
ike=aes256-sha1-modp1024
xauth=server
conn rw1
right=%any
rightsourceip=192.168.2.1
rightsubnet=192.168.2.0/24
rightid="C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru"
auto=add
authby=rsasig
keyexchange=ikev2
#authby=xauthrsasig
conn rw2
right=%any
rightsourceip=192.168.2.14
rightsubnet=192.168.2.0/24
rightid="C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw2, E=rw2 at superprime.ru"
auto=add
authby=rsasig
include /var/lib/strongswan/ipsec.conf.inc
--- /etc/ipsec.conf ------------------------------------------------------------------
--- /etc/ipsec.d/private/gw.superprime.ru-cert.pem ------------------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bc:55:54:34:82:1d:e1:82
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=RU, ST=Tomsk region, O=Prime Ltd, OU=Central Office, CN=Prime CA/emailAddress=postmaster at superprime.ru
Validity
Not Before: Jun 3 08:38:47 2010 GMT
Not After : Jan 19 00:00:00 2038 GMT
Subject: C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway/emailAddress=gateway at superprime.ru
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:db:80:f2:de:25:50:6b:b4:50:b8:b6:86:e2:87:
0e:14:91:f1:98:b0:b5:ee:4b:bd:31:36:26:75:68:
95:f3:d8:f4:98:d0:d8:eb:26:64:b9:df:35:ca:25:
c6:92:fb:f3:ab:95:6d:c2:4e:26:d3:47:ba:22:3f:
ea:99:9d:56:70:67:92:2b:18:11:77:45:35:42:59:
06:c0:18:a5:d0:65:bb:75:09:87:2b:d5:a6:c3:be:
86:75:fd:a1:36:a4:cb:a2:24:38:72:21:9c:12:19:
c7:02:f4:0a:48:b8:7f:c7:31:80:36:ff:fb:52:46:
fd:2f:35:72:0e:3a:05:0b:4f:0e:4f:13:10:61:ee:
63:44:3c:1f:87:e4:2c:95:10:05:f1:9c:77:a2:db:
e0:ef:63:cd:d1:9c:74:d3:56:a1:df:e5:61:e4:fc:
83:39:4e:bd:a4:86:b9:28:67:7f:e9:98:9d:cf:2f:
ed:3b:b8:a1:3f:38:c6:7d:c9:76:73:2a:2e:40:73:
90:f6:5c:ff:85:90:49:b9:67:f7:56:af:50:ba:9d:
10:7f:09:90:b6:c6:85:53:48:f2:65:21:11:2c:81:
3d:0b:2f:15:95:2c:af:1b:d4:b5:d7:0e:58:c7:ce:
e7:80:41:8a:8a:a5:4a:5b:8d:a3:d3:0f:02:f4:2e:
ce:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
Object Signing
Netscape Comment:
Prime Central Office Facility
X509v3 Subject Alternative Name:
DNS:saturn.superprime.ru
X509v3 Subject Key Identifier:
1E:54:BC:89:56:34:7F:B8:13:96:EC:33:3E:E6:96:FE:AE:F3:1A:44
X509v3 Authority Key Identifier:
keyid:0F:88:3E:32:CC:4E:24:2B:73:DC:61:7C:88:59:AE:03:A9:50:6E:D5
--- /etc/ipsec.d/private/gw.superprime.ru-cert.pem ------------------------------------
--- from private key /etc/ipsec.d/private/gw.superprime.ru-key.pem ------------------
Private-Key: (2048 bit)
modulus:
00:db:80:f2:de:25:50:6b:b4:50:b8:b6:86:e2:87:
0e:14:91:f1:98:b0:b5:ee:4b:bd:31:36:26:75:68:
95:f3:d8:f4:98:d0:d8:eb:26:64:b9:df:35:ca:25:
c6:92:fb:f3:ab:95:6d:c2:4e:26:d3:47:ba:22:3f:
ea:99:9d:56:70:67:92:2b:18:11:77:45:35:42:59:
06:c0:18:a5:d0:65:bb:75:09:87:2b:d5:a6:c3:be:
86:75:fd:a1:36:a4:cb:a2:24:38:72:21:9c:12:19:
c7:02:f4:0a:48:b8:7f:c7:31:80:36:ff:fb:52:46:
fd:2f:35:72:0e:3a:05:0b:4f:0e:4f:13:10:61:ee:
63:44:3c:1f:87:e4:2c:95:10:05:f1:9c:77:a2:db:
e0:ef:63:cd:d1:9c:74:d3:56:a1:df:e5:61:e4:fc:
83:39:4e:bd:a4:86:b9:28:67:7f:e9:98:9d:cf:2f:
ed:3b:b8:a1:3f:38:c6:7d:c9:76:73:2a:2e:40:73:
90:f6:5c:ff:85:90:49:b9:67:f7:56:af:50:ba:9d:
10:7f:09:90:b6:c6:85:53:48:f2:65:21:11:2c:81:
3d:0b:2f:15:95:2c:af:1b:d4:b5:d7:0e:58:c7:ce:
e7:80:41:8a:8a:a5:4a:5b:8d:a3:d3:0f:02:f4:2e:
ce:9b
publicExponent: 65537 (0x10001)
--- from private key /etc/ipsec.d/private/gw.superprime.ru-key.pem ------------------
--- log ------------------------------------------------------------------------------
2010-06-03T16:22:46+07:00 saturn charon: 01[DMN] starting charon (strongSwan Version 4.2.4)
2010-06-03T16:22:46+07:00 saturn charon: 01[KNL] listening on interfaces:
2010-06-03T16:22:46+07:00 saturn charon: 01[KNL] eth0
2010-06-03T16:22:46+07:00 saturn charon: 01[KNL] 192.168.0.129
2010-06-03T16:22:46+07:00 saturn charon: 01[KNL] eth1
2010-06-03T16:22:46+07:00 saturn charon: 01[KNL] 195.162.66.178
2010-06-03T16:22:46+07:00 saturn charon: 01[NET] unable to create raw socket: Address family not supported by protocol
2010-06-03T16:22:46+07:00 saturn charon: 01[NET] could not open IPv6 receive socket, IPv6 disabled
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
2010-06-03T16:22:46+07:00 saturn charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/primeca-cert.pem'
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
2010-06-03T16:22:46+07:00 saturn charon: 01[JOB] spawning 16 worker threads
2010-06-03T16:22:46+07:00 saturn charon: 03[CFG] received stroke: add connection 'rw1'
2010-06-03T16:22:46+07:00 saturn charon: 03[CFG] added configuration 'rw1': 195.162.66.178[C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, E=gateway at superprime.ru]...0.0.0.0[C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru]
2010-06-03T16:22:46+07:00 saturn charon: 03[CFG] adding virtual IP address pool 'rw1': 192.168.2.1/32
2010-06-03T16:22:46+07:00 saturn charon: 06[CFG] received stroke: add connection 'rw2'
2010-06-03T16:22:46+07:00 saturn charon: 06[CFG] added configuration 'rw2': 195.162.66.178[C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, E=gateway at superprime.ru]...0.0.0.0[C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw2, E=rw2 at superprime.ru]
2010-06-03T16:22:46+07:00 saturn charon: 06[CFG] adding virtual IP address pool 'rw2': 192.168.2.14/32
2010-06-03T16:23:03+07:00 saturn charon: 10[NET] received packet: from 195.162.66.180[500] to 195.162.66.178[500]
2010-06-03T16:23:03+07:00 saturn charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2010-06-03T16:23:03+07:00 saturn charon: 10[AUD] 195.162.66.180 is initiating an IKE_SA
2010-06-03T16:23:03+07:00 saturn charon: 10[AUD] 195.162.66.180 is initiating an IKE_SA
2010-06-03T16:23:03+07:00 saturn charon: 10[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
2010-06-03T16:23:03+07:00 saturn charon: 10[IKE] sending cert request for "C=RU, ST=Tomsk region, O=Prime Ltd, OU=Central Office, CN=Prime CA, E=postmaster at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
2010-06-03T16:23:03+07:00 saturn charon: 10[NET] sending packet: from 195.162.66.178[500] to 195.162.66.180[500]
2010-06-03T16:23:03+07:00 saturn charon: 11[NET] received packet: from 195.162.66.180[4500] to 195.162.66.178[4500]
2010-06-03T16:23:03+07:00 saturn charon: 11[ENC] unknown attribute type (23456)
2010-06-03T16:23:03+07:00 saturn charon: 11[ENC] unknown attribute type (23457)
2010-06-03T16:23:03+07:00 saturn charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP SA TSi TSr ]
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for "C=RU, ST=Tomsk region, O=Prime Ltd, OU=Central Office, CN=Prime CA, E=postmaster at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received end entity cert "C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 11[CFG] using certificate "C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 11[CFG] using trusted ca certificate "C=RU, ST=Tomsk region, O=Prime Ltd, OU=Central Office, CN=Prime CA, E=postmaster at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 11[CFG] checking certificate status of "C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 11[CFG] certificate status is not available
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] authentication of 'C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru' with RSA signature successful
2010-06-03T16:23:03+07:00 saturn charon: 11[CFG] found matching config "rw1": C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, E=gateway at superprime.ru...C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru, prio 21
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] ignoring INTERNAL_IP4_NBNS config attribute
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] ignoring (23456) config attribute
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] ignoring (23457) config attribute
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] peer supports MOBIKE
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] no private key found for 'C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, E=gateway at superprime.ru'
2010-06-03T16:23:03+07:00 saturn charon: 11[AUD] generating authentication data failed
2010-06-03T16:23:03+07:00 saturn charon: 11[AUD] generating authentication data failed
2010-06-03T16:23:03+07:00 saturn charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2010-06-03T16:23:03+07:00 saturn charon: 11[NET] sending packet: from 195.162.66.178[4500] to 195.162.66.180[4500]
--- log -----------------------------------------------------------------
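An added diagnostic (not part of the original post or of strongSwan) that checks the three things a "no private key found" message usually comes down to on the gateway side: the certificate and key moduli from the two openssl -text dumps above must match, ipsec.secrets must carry a ": RSA <keyfile>" line so charon actually loads the key (the log shows it reading /etc/ipsec.secrets but never reporting a loaded private key), and ipsec.conf needs an active leftcert= line (it is commented out in the posted config). The sample inputs are constructed, with shortened moduli, and the file names are the ones from the post.

```python
import os
import re

# Constructed samples in the layout of the dumps in the post (moduli shortened).
CERT_TEXT = """Certificate:
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Modulus (2048 bit):
                00:db:80:f2:de:25:50:6b:b4:50:b8:b6:86:e2:87:
                0e:14:91:f1:98:b0:b5:ee:4b:bd:31:36:26:75:68:
            Exponent: 65537 (0x10001)
"""
KEY_TEXT = """Private-Key: (2048 bit)
modulus:
    00:db:80:f2:de:25:50:6b:b4:50:b8:b6:86:e2:87:
    0e:14:91:f1:98:b0:b5:ee:4b:bd:31:36:26:75:68:
publicExponent: 65537 (0x10001)
"""
SECRETS_TEXT = ': RSA gw.superprime.ru-key.pem\n'        # constructed ipsec.secrets
CONF_TEXT = 'conn %default\n  #leftcert=gw.superprime.ru-cert.pem\n'  # as in the post
KEY_FILE = "gw.superprime.ru-key.pem"

def extract_modulus(text):
    """Return the hex modulus from an openssl -text dump as one colon-joined string."""
    hexparts, collecting = [], False
    for line in text.splitlines():
        s = line.strip()
        if not collecting:
            collecting = s.lower().startswith("modulus")  # 'modulus:' or 'Modulus (2048 bit):'
            continue
        if not re.fullmatch(r"([0-9a-f]{2}:?)+", s):      # exponent line ends the block
            break
        hexparts.append(s.rstrip(":"))
    return ":".join(hexparts)

def secrets_reference_key(secrets_text, key_file):
    """True if ipsec.secrets names key_file in an ': RSA <file>' line."""
    for line in secrets_text.splitlines():
        m = re.match(r'^\s*:\s*RSA\s+"?([^"\s]+)"?', line)
        if m and os.path.basename(m.group(1)) == os.path.basename(key_file):
            return True
    return False

def leftcert_configured(conf_text):
    """True if ipsec.conf has an uncommented leftcert= line."""
    return any(re.match(r"^\s*leftcert\s*=", l) for l in conf_text.splitlines())

def diagnose(cert_text, key_text, secrets_text, conf_text, key_file):
    """List the mismatches found; an empty list means all three checks passed."""
    problems = []
    if extract_modulus(cert_text) != extract_modulus(key_text):
        problems.append("certificate and private key moduli differ")
    if not secrets_reference_key(secrets_text, key_file):
        problems.append("ipsec.secrets has no ': RSA %s' line" % key_file)
    if not leftcert_configured(conf_text):
        problems.append("no active leftcert= line in ipsec.conf")
    return problems
```

Run it against the real files with the output of `openssl x509 -in cert -noout -text` and `openssl rsa -in key -noout -text`; after changing ipsec.secrets or ipsec.conf, `ipsec rereadsecrets` / `ipsec reload` is needed before charon picks the key up.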