[strongSwan] Fail on loading secrets (ECDSA)

Andreas Steffen andreas.steffen at strongswan.org
Tue Nov 30 23:35:04 CET 2010


Hello Bill,

What does "restarting" mean? Does charon crash (which it shouldn't)?
If you give the key in PEM format then it is normal that it is
automatically converted to DER format first.

Regards

Andreas

On 11/30/2010 09:55 PM, William Greene wrote:
> Hello,
>
> The charon daemon keeps restarting after the "loading secrets from
> '/etc/ipsec.secrets'" log line when the private key is in der format. In
> pem form, same thing but with:
>
> Nov 30 14:28:52 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Nov 30 14:28:52 00[LIB] file content is not binary ASN.1
> Nov 30 14:28:52 00[LIB] -----BEGIN EC PRIVATE KEY-----
> Nov 30 14:28:52 00[LIB] -----END EC PRIVATE KEY-----
>
> So der form seems the way to go. It appears that I'm having the same
> issue as this:
>
> https://lists.strongswan.org/pipermail/users/2008-December/003030.html
>
> I've regenerated these ECDSA keys several times and I'm at a loss right
> now how to get going with SuiteB testing. I've attached the files that
> I'm using, hoping that someone can tease a clue out from them.
>
> Thanks in advance for any help anyone can provide,
> Bill
>
>
>
> Note: I was unable to use "ipsec pki" commands to create the keys so I
> resolved myself to using openssl and I removed the passphrase from the
> private key file, so I know that can't be the issue. To do this I did
> the following:
>
>
> [root@KAP8 private]# openssl ecparam -genkey -name secp384r1 -out testParam.pem
>
> [root@KAP8 private]# openssl req -x509 -newkey ec:testParam.pem -config /root/openssl.cnf -out testPub.pem -outform PEM
> Generating a 384 bit EC private key
> writing new private key to 'privkey.pem'
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> -----
> ...
>
> [root@KAP8 private]# ls
> privkey.pem temp testParam.pem testPub.pem
>
> [root@KAP8 private]# openssl ec -in privkey.pem -out testKey.pem
> read EC key
> Enter PEM pass phrase:
> writing EC key
>
> [root@KAP8 private]# ls
> privkey.pem temp testKey.pem testParam.pem testPub.pem
>
> [root@KAP8 private]# openssl ec -outform DER -in testKey.pem -out testKey.der
> read EC key
> writing EC key

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
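
Added example (not part of the original thread and not strongSwan code): a Python version of the PEM-to-DER step described in the reply, followed by a structural check of the resulting RFC 5915 ECPrivateKey, useful for confirming the curve and key size of a file such as testKey.pem or testKey.der before it is referenced in ipsec.secrets. The sample key, the function names and the two-entry curve table are assumptions constructed for illustration.

```python
import base64
import re

# Named-curve OIDs (DER content bytes) for the two Suite B curves (assumed scope)
CURVES = {bytes.fromhex("2a8648ce3d030107"): "secp256r1",
          bytes.fromhex("2b81040022"): "secp384r1"}
# Constructed test key (scalar is 0x11 repeated, no public key field); not from the thread
SAMPLE_DER = bytes.fromhex("303e0201010430" + "11" * 48 + "a00706052b81040022")
SAMPLE_PEM = (b"-----BEGIN EC PRIVATE KEY-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END EC PRIVATE KEY-----\n")

def to_der(data: bytes) -> bytes:
    """Return DER bytes, stripping the PEM armor first if the input is PEM."""
    m = re.search(rb"-----BEGIN EC PRIVATE KEY-----(.*?)-----END EC PRIVATE KEY-----", data, re.S)
    if not m:
        return data                                  # treat as binary ASN.1 already
    if b"Proc-Type:" in m.group(1):                  # header of a passphrase-protected PEM
        raise ValueError("PEM key is passphrase-protected")
    return base64.b64decode(b"".join(m.group(1).split()))

def read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def inspect_ec_key(data: bytes) -> dict:
    """Check the ECPrivateKey layout and report the curve and scalar size."""
    der = to_der(data)
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, version, pos = read_tlv(seq, 0)
    if tag != 0x02 or version != b"\x01":
        raise ValueError("not an ECPrivateKey (version must be 1)")
    tag, scalar, pos = read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("missing privateKey OCTET STRING")
    curve = None
    while pos < len(seq):                            # optional [0] parameters, [1] publicKey
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                              # [0] holds the namedCurve OID
            curve = CURVES.get(read_tlv(val, 0)[1], "unknown")
    return {"curve": curve, "scalar_bits": len(scalar) * 8}
```

For a real file, pass its contents as bytes, e.g. inspect_ec_key(open(path, "rb").read()).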