[strongSwan] charon: 11[IKE] no private key found for 'bla-bla-bla'

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Thu Jun 3 12:22:59 CEST 2010


sftf wrote:
> The connection stops with "charon: 11[IKE] no private key found for..." followed by the gateway's cert ID.
> The gateway's private key is in /etc/ipsec.d/private/gw.superprime.ru-key.pem and is not encrypted.
> Looks like strongSwan didn't "see" the private key gw.superprime.ru-key.pem.

Putting your private key in /etc/ipsec.d/private/ is not enough. You 
also need to tell strongSwan about this key in /etc/ipsec.secrets. Check out

http://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets

You have to include something like

: RSA moonKey.pem

Note that strongSwan is picky about the exact format of this file. Don't 
forget the space character between ":" and "RSA".

Run "ipsec listcerts". It should output something like

   subject:  "CN=Foobar"
   issuer:   "CN=Example CA, E=ca@example.com"
   serial:    01
   validity:  not before Sep 26 22:45:53 2009, ok
              not after  Sep 25 22:45:53 2012, ok
   pubkey:    RSA 1024 bits, has private key
   keyid:     85:fb:d9:93:1b:d7:31:00:02:b6:38:57:c8:53:cb:22:b7:cd:c8:16
   subjkey:   66:83:4b:fb:d4:48:7f:2c:07:7d:d7:32:2a:da:64:00:57:0a:ba:70
   authkey:   d2:c4:db:03:58:9d:0d:aa:4a:6c:89:ad:6d:83:b7:47:f7:ff:3e:33


Watch out for "has private key". This tells you whether strongSwan was 
able to read the corresponding private key.

Does that answer your question?
-Daniel
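The two checks Daniel describes (a correctly formatted ": RSA" entry in ipsec.secrets, and "has private key" in the ipsec listcerts output) can be scripted. The following is an added example, not code from the post or from the strongSwan project; the file contents and listcerts output it works on are constructed samples embedded in the script, and the function names are my own. It assumes only a POSIX sh with grep and awk.

```sh
#!/bin/sh
# Added example (not from the original post): offline checks for the two
# places a "no private key found" error usually comes from.

# Constructed sample ipsec.secrets content. The second line is the
# classic mistake the post warns about: no space between ":" and "RSA".
SAMPLE_SECRETS=': RSA gw.superprime.ru-key.pem
:RSA broken-no-space.pem
# comment lines are ignored'

# secrets_has_rsa_entry CONTENT KEYFILE
# Returns 0 if CONTENT has a well-formed line of the shape
#   : RSA KEYFILE
# (colon, at least one space, RSA, at least one space, the file name),
# 1 otherwise. The [[:space:]]+ after the colon is what rejects ":RSA".
secrets_has_rsa_entry() {
    printf '%s\n' "$1" |
        grep -Eq "^[[:space:]]*:[[:space:]]+RSA[[:space:]]+$2([[:space:]]|\$)"
}

# Constructed sample "ipsec listcerts" output with two certificates:
# the first has a loaded private key, the second does not.
SAMPLE_LISTCERTS='  subject:  "CN=Foobar"
  issuer:   "CN=Example CA, E=ca@example.com"
  serial:    01
  validity:  not before Sep 26 22:45:53 2009, ok
             not after  Sep 25 22:45:53 2012, ok
  pubkey:    RSA 1024 bits, has private key
  keyid:     85:fb:d9:93:1b:d7:31:00:02:b6:38:57:c8:53:cb:22:b7:cd:c8:16

  subject:  "CN=gw.superprime.ru"
  issuer:   "CN=Example CA, E=ca@example.com"
  serial:    02
  validity:  not before Sep 26 22:45:53 2009, ok
             not after  Sep 25 22:45:53 2012, ok
  pubkey:    RSA 2048 bits
  keyid:     66:83:4b:fb:d4:48:7f:2c:07:7d:d7:32:2a:da:64:00:57:0a:ba:70'

# cert_has_private_key LISTCERTS_OUTPUT SUBJECT_SUBSTRING
# Locates the certificate block whose "subject:" line contains
# SUBJECT_SUBSTRING and returns 0 if that block's "pubkey:" line ends in
# "has private key", 1 otherwise (including when no subject matches).
cert_has_private_key() {
    printf '%s\n' "$1" | awk -v cn="$2" '
        # each "subject:" line starts a new cert block; remember whether
        # this block is the one we were asked about
        /^[[:space:]]*subject:/ { insub = (index($0, cn) > 0) }
        # the pubkey line of the matching block decides the result
        insub && /^[[:space:]]*pubkey:/ {
            if ($0 ~ /has private key/) found = 1
            exit
        }
        END { exit found ? 0 : 1 }'
}

# Against a live gateway you would feed the real output instead, e.g.
#   cert_has_private_key "$(ipsec listcerts)" "CN=gw.superprime.ru"
# and
#   secrets_has_rsa_entry "$(cat /etc/ipsec.secrets)" gw.superprime.ru-key.pem
```

Both functions exit non-zero on the failure case, so they drop straight into a post-deployment check or a shell `if`. The awk pass keys on the "subject:" line rather than on blank-line separators because the multi-line "validity:" field means a block is more than one line anyway.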



