[strongSwan] Private key not found
Andreas Steffen
andreas.steffen at strongswan.org
Tue Jun 22 18:58:13 CEST 2010
Our Changelog says:

strongswan-4.3.4
----------------

- The IKEv2 charon daemon supports include files in ipsec.secrets.

So probably charon stops parsing ipsec.secrets due to
the unsupported include statement.

Regards

Andreas

On 22.06.2010 18:50, Shane W wrote:
> Hi,
>
> I was using Debian strongswan 4.3.2 and Debian has an
> include directive in ipsec.secrets. Taking that out solves
> the problem. Odd that pluto handled that though.
>
> Thanks,
> Shane
>
>
> On Tue, Jun 22, 2010 at 11:49:18AM +0200, Andreas Steffen wrote:
>> Hi Shane,
>>
>> the first output comes from the IKEv1 pluto daemon who
>> finds the matching private key whereas the second output
>> is from the IKEv2 charon daemon who fails in finding the
>> private key. If you disable the pluto daemon by setting
>>
>> config setup
>>     plutostart=no
>>
>> in ipsec.conf then you won't get these duplicate outputs.
>>
>> Returning to your problem:
>>
>> - Which strongSwan version are you using?
>>
>> - Is your private key encrypted by a password?
>>
>> - Are there any error messages in your log if you type
>> ipsec rereadsecrets
>>
>> Regards
>>
>> Andreas
>>
>> 22.06.2010 11:29, Shane W wrote:
>>> Hey all,
>>>
>>> I have done some archive searching on this one and previous
>>> issues have either been with ipsec.secrets providing the
>>> right password or key not matching cert issues. However, I
>>> have checked these things and am still getting this
>>> message.
>>>
>>> Jun 22 02:10:32 li01 charon: 14[IKE] no private key found
>>> for 'C=CA, ST=British Columbia, O=Continuum Systems,
>>> CN=li01.csy.ca'
>>>
>>> And yet, an ipsec listcerts shows that the cert has the
>>> private key the first time round but in the endpoint list,
>>> it doesn't. Why is the key being listed twice here?
>>>
>>> li01:~# ipsec listcerts
>>> 000
>>> 000 List of X.509 End Certificates:
>>> 000
>>> 000 Jun 22 02:20:59 2010, count: 1
>>> 000 subject: 'C=CA, ST=British Columbia, O=Continuum Systems, CN=li01.csy.ca'
>>> 000 issuer: 'C=CA, ST=British Columbia, L=Vancouver, O=Continuum Systems, CN=li01 CA'
>>> 000 serial: 02
>>> 000 validity: not before Jun 22 02:08:43 2010 ok
>>> 000 not after Jun 19 02:08:43 2020 ok
>>> 000 pubkey: RSA 2048 bits, has private key
>>> 000 keyid: 09:c2:ed:6b:83:fc:99:1d:dc:ba:8d:68:9c:dc:4d:bd:68:a7:ab:4b
>>> 000 subjkey: 32:83:42:5c:1a:d7:96:42:e7:73:45:dc:d7:b4:7c:02:f3:8f:41:6c
>>> 000 authkey: 0d:33:d4:3b:fd:a8:40:03:88:ad:65:ba:dd:f6:57:50:72:b5:90:f2
>>>
>>> List of X.509 End Entity Certificates:
>>>
>>> subject: "C=CA, ST=British Columbia, O=Continuum Systems, CN=li01.csy.ca"
>>> issuer: "C=CA, ST=British Columbia, L=Vancouver, O=Continuum Systems, CN=li01 CA"
>>> serial: 02
>>> validity: not before Jun 22 02:08:43 2010, ok
>>> not after Jun 19 02:08:43 2020, ok
>>> pubkey: RSA 2048 bits
>>> keyid: 09:c2:ed:6b:83:fc:99:1d:dc:ba:8d:68:9c:dc:4d:bd:68:a7:ab:4b
>>> subjkey: 32:83:42:5c:1a:d7:96:42:e7:73:45:dc:d7:b4:7c:02:f3:8f:41:6c
>>> authkey: 0d:33:d4:3b:fd:a8:40:03:88:ad:65:ba:dd:f6:57:50:72:b5:90:f2
>>>
>>> Any help greatly appreciated,
>>> Shane
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
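
Added example, not part of the original message or strongSwan's own code: a shell check for the situation this thread describes, a charon older than 4.3.4 meeting an include directive in ipsec.secrets. It assumes, as the reply suggests, that parsing stops at the include; the function names and the sample file contents are constructed for illustration, and only line numbers and secret types are printed, never the secrets.

```shell
#!/bin/sh
# Added example, not strongSwan code. Assumption taken from the reply above:
# a charon older than 4.3.4 stops reading ipsec.secrets at an include line.

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# entries_at_risk FILE: print "line:type" for each include directive and for
# every entry after the first one. Only the type (RSA, PSK, ...) is shown.
entries_at_risk() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        $1 == "include" { seen = 1; print NR ":include"; next }
        seen {
            type = "?"
            for (i = 1; i < NF; i++) if ($i == ":") { type = $(i + 1); break }
            print NR ":" type
        }
    ' "$1"
}

# check_secrets VERSION FILE: returns 1 when this charon version would meet an include.
check_secrets() {
    version_lt "$1" 4.3.4 || return 0   # the changelog lists include support in 4.3.4
    hits=$(entries_at_risk "$2")
    [ -n "$hits" ] || return 0
    printf 'charon %s: may not read these lines (line:type)\n%s\n' "$1" "$hits"
    return 1
}

# write_sample FILE: constructed ipsec.secrets, not the poster's file.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
: PSK "constructed-secret"
include /etc/ipsec.d/example.secrets
: RSA li01Key.pem
EOF
}

sample=$(mktemp) && write_sample "$sample"
check_secrets 4.3.2 "$sample" || echo "-> remove the include or upgrade charon"
check_secrets 4.3.4 "$sample" && echo "charon 4.3.4: include files are supported"
rm -f "$sample"
```
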