[strongSwan] charon: 11[IKE] no private key found for 'bla-bla-bla'

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Thu Jun 3 12:22:59 CEST 2010

sftf wrote:
> Connection stops with "charon: 11[IKE] no private key found for..." followed by gateway's cert ID.
> Private gateway's key is in /etc/ipsec.d/private/gw.superprime.ru-key.pem and not encrypted.
> Looks like strongswan didn't "see" private key gw.superprime.ru-key.pem.

Putting your private key in /etc/ipsec.d/private/ is not enough. You 
also need to tell strongSwan about this key in /etc/ipsec.secrets. Check out


You have to include something like

: RSA moonKey.pem

Note that strongSwan is picky about the exact format of this file. Don't 
forget the space character between ":" and "RSA".

Run "ipsec listcerts". It should output something like

   subject:  "CN=Foobar"
   issuer:   "CN=Example CA, E=ca at example.com"
   serial:    01
   validity:  not before Sep 26 22:45:53 2009, ok
              not after  Sep 25 22:45:53 2012, ok
   pubkey:    RSA 1024 bits, has private key
   keyid:     85:fb:d9:93:1b:d7:31:00:02:b6:38:57:c8:53:cb:22:b7:cd:c8:16
   subjkey:   66:83:4b:fb:d4:48:7f:2c:07:7d:d7:32:2a:da:64:00:57:0a:ba:70
   authkey:   d2:c4:db:03:58:9d:0d:aa:4a:6c:89:ad:6d:83:b7:47:f7:ff:3e:33

Watch out for "has private key". This tells you whether strongSwan was 
able to read the corresponding private key.

Does that answer your question?
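
The checks described in this message, written out as an added example that is not part of the original post and is not strongSwan code: a small linter for the RSA lines of an ipsec.secrets-style file. The function name `lint_rsa_secrets`, passing the private key directory as an argument, and the group/other permission warning are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint the RSA entries of an ipsec.secrets-style file.
# Usage: lint_rsa_secrets SECRETS_FILE PRIVATE_DIR
# Prints one finding per line; returns 0 when at least one RSA entry exists
# and every RSA entry points at a readable key file, 1 otherwise.
lint_rsa_secrets() {
    secrets=$1 privdir=$2 rc=0 n=0 seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '#'*|include*) continue ;;   # comments and include directives
            *RSA*) seen=1 ;;             # only RSA entries are checked here
            *) continue ;;
        esac
        case $line in
            *:RSA*)
                echo "line $n: missing space between ':' and 'RSA'"
                rc=1; continue ;;
        esac
        # Key file name is the token after "RSA" (optionally double-quoted).
        key=$(printf '%s\n' "$line" | sed -n \
            's/^.*:[[:space:]]\{1,\}RSA[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]\{1,\}\).*$/\1/p')
        if [ -z "$key" ]; then
            echo "line $n: cannot parse ': RSA <keyfile>'"
            rc=1; continue
        fi
        # Relative names are resolved against the private key directory.
        case $key in
            /*) path=$key ;;
            *)  path=$privdir/$key ;;
        esac
        if [ ! -f "$path" ] || [ ! -r "$path" ]; then
            echo "line $n: key file not readable: $path"
            rc=1; continue
        fi
        # Group/other permission bits are characters 5-10 of the ls mode string.
        if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "line $n: warning: $path is accessible to group/other"
        fi
        echo "line $n: ok: $path"
    done < "$secrets"
    if [ "$seen" -eq 0 ]; then
        echo "no RSA entry in $secrets"
        rc=1
    fi
    return "$rc"
}
```

A clean result here only means the entry is well-formed and the file is readable; "ipsec listcerts" showing "has private key" remains the confirmation that the key was actually loaded.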
