[strongSwan] charon: 11[IKE] no private key found for 'bla-bla-bla'

sftf sftf-misc at mail.ru
Thu Jun 3 11:44:38 CEST 2010


Please help me with the following error.
I am trying to connect from a Win7 client with IKEv2 to a Debian strongSwan 4.2.4 gateway.
The connection stops with "charon: 11[IKE] no private key found for..." followed by the gateway's cert ID.
The gateway's private key is in /etc/ipsec.d/private/gw.superprime.ru-key.pem and is not encrypted.
It looks like strongSwan doesn't "see" the private key gw.superprime.ru-key.pem.

--- /etc/ipsec.conf ------------------------------------------------------------------
config setup
    nat_traversal=yes
    charonstart=yes
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    left=195.162.66.178
    leftsubnet=192.168.0.0/24
    #leftcert=gw.superprime.ru-cert.pem
    leftid="C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, E=gateway at superprime.ru"
    keyexchange=ikev1
    type=tunnel
    pfs=yes
    pfsgroup=modp1024
    ike=aes256-sha1-modp1024
    xauth=server
conn rw1
    right=%any
    rightsourceip=192.168.2.1
    rightsubnet=192.168.2.0/24
    rightid="C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru"
    auto=add
    authby=rsasig
    keyexchange=ikev2
    #authby=xauthrsasig

conn rw2
    right=%any
    rightsourceip=192.168.2.14
    rightsubnet=192.168.2.0/24
    rightid="C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw2, E=rw2 at superprime.ru"
    auto=add
    authby=rsasig

include /var/lib/strongswan/ipsec.conf.inc
--- /etc/ipsec.conf ------------------------------------------------------------------


--- /etc/ipsec.d/private/gw.superprime.ru-cert.pem ------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            bc:55:54:34:82:1d:e1:82
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=RU, ST=Tomsk region, O=Prime Ltd, OU=Central Office, CN=Prime CA/emailAddress=postmaster at superprime.ru
        Validity
            Not Before: Jun  3 08:38:47 2010 GMT
            Not After : Jan 19 00:00:00 2038 GMT
        Subject: C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway/emailAddress=gateway at superprime.ru
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                Object Signing
            Netscape Comment: 
                Prime Central Office Facility
            X509v3 Subject Alternative Name: 
                DNS:saturn.superprime.ru
            X509v3 Subject Key Identifier: 
                1E:54:BC:89:56:34:7F:B8:13:96:EC:33:3E:E6:96:FE:AE:F3:1A:44
            X509v3 Authority Key Identifier: 
                keyid:0F:88:3E:32:CC:4E:24:2B:73:DC:61:7C:88:59:AE:03:A9:50:6E:D5
--- /etc/ipsec.d/private/gw.superprime.ru-cert.pem ------------------------------------

--- from private key  /etc/ipsec.d/private/gw.superprime.ru-key.pem ------------------
Private-Key: (2048 bit)
modulus:
publicExponent: 65537 (0x10001) 
--- from private key  /etc/ipsec.d/private/gw.superprime.ru-key.pem ------------------

--- log ------------------------------------------------------------------------------
2010-06-03T16:22:46+07:00 saturn charon: 01[DMN] starting charon (strongSwan Version 4.2.4)
2010-06-03T16:22:46+07:00 saturn charon: 01[KNL] listening on interfaces:
2010-06-03T16:22:46+07:00 saturn charon: 01[KNL]   eth0
2010-06-03T16:22:46+07:00 saturn charon: 01[KNL]     192.168.0.129
2010-06-03T16:22:46+07:00 saturn charon: 01[KNL]   eth1
2010-06-03T16:22:46+07:00 saturn charon: 01[KNL]     195.162.66.178
2010-06-03T16:22:46+07:00 saturn charon: 01[NET] unable to create raw socket: Address family not supported by protocol
2010-06-03T16:22:46+07:00 saturn charon: 01[NET] could not open IPv6 receive socket, IPv6 disabled
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
2010-06-03T16:22:46+07:00 saturn charon: 01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/primeca-cert.pem'
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
2010-06-03T16:22:46+07:00 saturn charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
2010-06-03T16:22:46+07:00 saturn charon: 01[JOB] spawning 16 worker threads
2010-06-03T16:22:46+07:00 saturn charon: 03[CFG] received stroke: add connection 'rw1'
2010-06-03T16:22:46+07:00 saturn charon: 03[CFG] added configuration 'rw1': 195.162.66.178[C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, E=gateway at superprime.ru]...0.0.0.0[C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru]
2010-06-03T16:22:46+07:00 saturn charon: 03[CFG] adding virtual IP address pool 'rw1': 192.168.2.1/32
2010-06-03T16:22:46+07:00 saturn charon: 06[CFG] received stroke: add connection 'rw2'
2010-06-03T16:22:46+07:00 saturn charon: 06[CFG] added configuration 'rw2': 195.162.66.178[C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, E=gateway at superprime.ru]...0.0.0.0[C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw2, E=rw2 at superprime.ru]
2010-06-03T16:22:46+07:00 saturn charon: 06[CFG] adding virtual IP address pool 'rw2': 192.168.2.14/32
2010-06-03T16:23:03+07:00 saturn charon: 10[NET] received packet: from 195.162.66.180[500] to 195.162.66.178[500]
2010-06-03T16:23:03+07:00 saturn charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2010-06-03T16:23:03+07:00 saturn charon: 10[AUD] 195.162.66.180 is initiating an IKE_SA
2010-06-03T16:23:03+07:00 saturn charon: 10[AUD] 195.162.66.180 is initiating an IKE_SA
2010-06-03T16:23:03+07:00 saturn charon: 10[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
2010-06-03T16:23:03+07:00 saturn charon: 10[IKE] sending cert request for "C=RU, ST=Tomsk region, O=Prime Ltd, OU=Central Office, CN=Prime CA, E=postmaster at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
2010-06-03T16:23:03+07:00 saturn charon: 10[NET] sending packet: from 195.162.66.178[500] to 195.162.66.180[500]
2010-06-03T16:23:03+07:00 saturn charon: 11[NET] received packet: from 195.162.66.180[4500] to 195.162.66.178[4500]
2010-06-03T16:23:03+07:00 saturn charon: 11[ENC] unknown attribute type (23456)
2010-06-03T16:23:03+07:00 saturn charon: 11[ENC] unknown attribute type (23457)
2010-06-03T16:23:03+07:00 saturn charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP SA TSi TSr ]
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for "C=RU, ST=Tomsk region, O=Prime Ltd, OU=Central Office, CN=Prime CA, E=postmaster at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] received end entity cert "C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 11[CFG]   using certificate "C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 11[CFG]   using trusted ca certificate "C=RU, ST=Tomsk region, O=Prime Ltd, OU=Central Office, CN=Prime CA, E=postmaster at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 11[CFG] checking certificate status of "C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru"
2010-06-03T16:23:03+07:00 saturn charon: 11[CFG] certificate status is not available
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] authentication of 'C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru' with RSA signature successful
2010-06-03T16:23:03+07:00 saturn charon: 11[CFG] found matching config "rw1": C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, E=gateway at superprime.ru...C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, E=rw1 at superprime.ru, prio 21
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] ignoring INTERNAL_IP4_NBNS config attribute
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] ignoring (23456) config attribute
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] ignoring (23457) config attribute
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] peer supports MOBIKE
2010-06-03T16:23:03+07:00 saturn charon: 11[IKE] no private key found for 'C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, E=gateway at superprime.ru'
2010-06-03T16:23:03+07:00 saturn charon: 11[AUD] generating authentication data failed
2010-06-03T16:23:03+07:00 saturn charon: 11[AUD] generating authentication data failed
2010-06-03T16:23:03+07:00 saturn charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2010-06-03T16:23:03+07:00 saturn charon: 11[NET] sending packet: from 195.162.66.178[4500] to 195.162.66.180[4500]
--- log -----------------------------------------------------------------
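As an added diagnostic (not code from this post or from strongSwan), the checker below reads an ipsec.conf and an ipsec.secrets and reports the two things charon needs before it can sign IKE_AUTH for leftid: a leftcert= naming the gateway certificate, and a ": RSA <keyfile>" line in ipsec.secrets that actually loads the matching key (the log above shows secrets being loaded but no key file). The sample ipsec.conf is a trimmed copy of the one in the post with leftcert still commented out, the ipsec.secrets is constructed, and the function names are hypothetical.

```python
import re

# Sample ipsec.conf: a trimmed copy of the poster's config (leftcert still commented out).
IPSEC_CONF = """\
conn %default
    leftid="C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, E=gateway at superprime.ru"
    #leftcert=gw.superprime.ru-cert.pem
    keyexchange=ikev1
conn rw1
    right=%any
    authby=rsasig
    keyexchange=ikev2
"""
# Constructed ipsec.secrets with no ": RSA <keyfile>" line, matching a log that loads secrets but no key.
IPSEC_SECRETS = "# no entries yet\n"

def parse_ipsec_conf(text):
    """Parse stroke-style ipsec.conf into {conn: {key: value}}, merging 'conn %default' into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#leftcert=...' becomes empty: commented-out options do not count
        if not line.strip():
            continue
        if not raw[0].isspace():                   # unindented: 'conn NAME', 'config setup' or 'include ...'
            current = None if line.startswith("include") else sections.setdefault(line.strip(), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    default = sections.pop("conn %default", {})
    return {h[5:]: {**default, **opts} for h, opts in sections.items() if h.startswith("conn ")}

def rsa_keys_in_secrets(text):
    """Key files named by '[selectors] : RSA <file>' lines; charon only loads private keys listed this way."""
    return [m.group(1) for m in re.finditer(r'^[^:#\n]*:\s*RSA\s+"?([^"\s]+)"?', text, re.M)]

def diagnose(conf_text, secrets_text):
    """For each conn using RSA/pubkey auth, list what charon would be missing when it has to sign IKE_AUTH."""
    keys, findings = rsa_keys_in_secrets(secrets_text), {}
    for name, opts in parse_ipsec_conf(conf_text).items():
        if opts.get("authby", "pubkey") not in ("rsasig", "pubkey"):
            continue
        problems = []
        if not opts.get("leftcert"):
            problems.append("leftcert is unset: no local certificate, so no public key to pair a private key with")
        if not keys:
            problems.append("ipsec.secrets has no ': RSA <keyfile>' line: charon loads no private key at all")
        findings[name] = problems
    return findings
```

Run `diagnose(IPSEC_CONF, IPSEC_SECRETS)` against the sample to see both findings for rw1; with leftcert uncommented and a `: RSA gw.superprime.ru-key.pem` line in ipsec.secrets the list is empty.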