[strongSwan] charon: 11[IKE] no private key found for 'bla-bla-bla'
Daniel Mentz
danielml+mailinglists.strongswan at sent.com
Thu Jun 3 12:22:59 CEST 2010
sftf wrote:
> Connection stops with "charon: 11[IKE] no private key found for..." followed by gateway's cert ID.
> The gateway's private key is in /etc/ipsec.d/private/gw.superprime.ru-key.pem and is not encrypted.
> Looks like strongSwan didn't "see" the private key gw.superprime.ru-key.pem.
Putting your private key in /etc/ipsec.d/private/ is not enough. You
also need to tell strongSwan about this key in /etc/ipsec.secrets. Check out
http://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets
You have to include something like

    : RSA moonKey.pem

Note that strongSwan is picky about the exact format of this file. Don't
forget the space character between ":" and "RSA".
Run "ipsec listcerts". It should output something like

    subject:   "CN=Foobar"
    issuer:    "CN=Example CA, E=ca at example.com"
    serial:    01
    validity:  not before Sep 26 22:45:53 2009, ok
               not after Sep 25 22:45:53 2012, ok
    pubkey:    RSA 1024 bits, has private key
    keyid:     85:fb:d9:93:1b:d7:31:00:02:b6:38:57:c8:53:cb:22:b7:cd:c8:16
    subjkey:   66:83:4b:fb:d4:48:7f:2c:07:7d:d7:32:2a:da:64:00:57:0a:ba:70
    authkey:   d2:c4:db:03:58:9d:0d:aa:4a:6c:89:ad:6d:83:b7:47:f7:ff:3e:33

Watch out for "has private key". This tells you whether strongSwan was
able to read the corresponding private key.
Does that answer your question?
-Daniel
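
The two checks described in the reply above, as an added shell example (not part of the original post and not strongSwan's own code). The function names and the sample data are hypothetical; it assumes "ipsec listcerts" output shaped like the sample in the post and that relative key names in ipsec.secrets resolve against the private key directory.

```shell
#!/bin/sh
# Added example. Function names and all sample data are constructed.

# Read `ipsec listcerts` output on stdin; print the subject of every
# certificate whose pubkey line lacks "has private key".
certs_without_key() {
  awk '
    /^[ \t]*subject:/ { sub(/^[ \t]*subject:[ \t]*/, ""); subj = $0; next }
    /^[ \t]*pubkey:/ && !/has private key/ { print subj }
  '
}

# Lint the RSA entries of a secrets file ($1). Relative key names are
# resolved against the private key directory ($2) (assumption, see lead-in).
lint_secrets() {
  dir=$2
  awk '
    /^[ \t]*#/ || NF == 0 { next }                 # skip comments and blanks
    /:RSA/ { print "BADFORMAT line " NR; next }    # no space after ":"
    { for (i = 1; i <= NF - 2; i++)
        if ($i == ":" && $(i+1) == "RSA") print "KEY " $(i+2) }
  ' "$1" | while read -r kind name; do
    case $kind in
      KEY)
        case $name in /*) path=$name ;; *) path=$dir/$name ;; esac
        if [ -r "$path" ]; then echo "OK $path"; else echo "MISSING $path"; fi ;;
      *) echo "$kind $name" ;;
    esac
  done
}

# Constructed demo: one usable entry, one missing key file, one ":RSA" typo,
# then a listcerts-style record for a certificate with no private key loaded.
demo() {
  tmp=$(mktemp -d) && mkdir "$tmp/private" && : > "$tmp/private/moonKey.pem"
  printf '%s\n' ': RSA moonKey.pem' ': RSA sunKey.pem' ':RSA moonKey.pem' \
    > "$tmp/secrets"
  lint_secrets "$tmp/secrets" "$tmp/private"
  printf '%s\n' 'subject: "CN=Foobar"' 'pubkey: RSA 1024 bits' | certs_without_key
  rm -rf "$tmp"
}

demo
```

On a real gateway the equivalent calls would be `ipsec listcerts | certs_without_key` and `lint_secrets /etc/ipsec.secrets /etc/ipsec.d/private`.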