[strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Wed Apr 20 18:22:49 CEST 2011


Hi

I am facing a problem in my Strongswan deployment on a Linux-Fedora13
Server. I have created a CA and some device certs on the Linux-Fed13 server
using OpenSSL. But I am unable to use the device certs (the private-key file)
in strongswan. I am getting the following error (console trace). Also other
details are given below:

----------------------



[root at dvtpc2 etc]# ipsec start --nofork
Starting strongSwan 4.5.0 IPsec [starter]...
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.5.0) THREADS VENDORID
listening on interfaces:
  eth1
    172.30.1.2
    fe80::218:8bff:fe04:a492
  eth0
    172.18.10.100
    fe80::2d0:b7ff:fe9e:ab8b
loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp
hmac xauth attr kernel-netlink resolve
  including NAT-Traversal patch (Version 0.6c)
pluto (2594) started after 20 ms
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[KNL] listening on interfaces:
00[KNL]   eth1
00[KNL]     172.30.1.2
00[KNL]     fe80::218:8bff:fe04:a492
00[KNL]   eth0
loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
  loaded ca certificate from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Changing to directory '/usr/local/etc/ipsec.d/crls'
00[KNL]     172.18.10.100
  loaded crl from 'crl.pem'
00[KNL]     fe80::2d0:b7ff:fe9e:ab8b
loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
spawning 4 worker threads
listening for IKE messages
adding interface eth0/eth0 172.18.10.100:500
adding interface eth0/eth0 172.18.10.100:4500
adding interface eth1/eth1 172.30.1.2:500
adding interface eth1/eth1 172.30.1.2:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
loading secrets from "/usr/local/etc/ipsec.secrets"
L1 - modulus: ASN1 tag 0x02 expected, but is 0x30
building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
  syntax error in private key file
"/usr/local/etc/ipsec.secrets" line 3: Private key file -- could not be
loaded
00[CFG]   loaded ca certificate "C=IN, ST=AP, L=HYD, O=Internet Widgits Pty
Ltd, OU=Corp, CN=dvtpc2CA, E=admin at dvttest.com, subjectAltName=
dvtpc2.dvttest.com" from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/usr/local/etc/ipsec.d/crls/crl.pem'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[LIB] L1 - modulus: ASN1 tag 0x02 expected, but is 0x30
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
00[CFG]   loading private key from
'/usr/local/etc/ipsec.d/private/dvtpc2key1024-self.pem' failed
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey
pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw
stroke updown
00[JOB] spawning 16 worker threads
charon (2619) started after 20 ms
04[CFG] received stroke: add connection 'dvtpc2host'
04[CFG]   loaded certificate "C=IN, ST=AP, L=HYD, O=Internet Widgits Pty
Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=dvtpc2.dvttest.com,
E=admin at dvttest.com" from 'dvtpc2cert1024-self.pem'
04[CFG]   id '/C=IN/ST=AP/L=HYD/O=Internet Widgits Pty
Ltd/OU=Corp/CN=dvtpc2.dvttest.com/subjectAltName=dvtpc2.dvttest.com/emailAddress=admin at dvttest.com'not
confirmed by certificate, defaulting to 'C=IN, ST=AP, L=HYD,
O=Internet
Widgits Pty Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=
dvtpc2.dvttest.com, E=admin at dvttest.com'
04[CFG] added configuration 'dvtpc2host'
  loaded host certificate from
'/usr/local/etc/ipsec.d/certs/dvtpc2cert1024-self.pem'
  id '/C=IN/ST=AP/L=HYD/O=Internet Widgits Pty
Ltd/OU=Corp/CN=dvtpc2.dvttest.com/subjectAltName=dvtpc2.dvttest.com/emailAddress=admin at dvttest.com'not
confirmed by certificate, defaulting to 'C=IN, ST=AP, L=HYD,
O=Internet
Widgits Pty Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=
dvtpc2.dvttest.com, E=admin at dvttest.com'
added connection description "dvtpc2host"

---------------------------------------
[root at dvtpc2 etc]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010
[root at dvtpc2 etc]#

-----------------------------------
[root at dvtpc2 etc]#
[root at dvtpc2 etc]#
[root at dvtpc2 etc]# cd ipsec.d/private/
[root at dvtpc2 private]# cat dvtpc2key1024-self.pem
-----BEGIN PRIVATE KEY-----
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALPec1SeRutyn4Sb
yWS8RVXDiroh3XgXchjYbwm+RvoFS7k31LcpK+zgs62ZdTFxeYCv6hr/bV2BIwwf
NwMlPc5zyHnjFrMmOG2eXzzd0xleFwx12NSW0rXtpAVa9/GVmROhObAFUlrLYL4R
WuVLzpA+gv/2U9jVkVxBMr1GG5khAgMBAAECgYEAk2z88ppYXpswjCx0QZDe85C2
oCEpuUjeR+b9++ptmnfEvSc5vnaMfjcejmd9Wu07PXLyWvaI2V8DLuhW2skngjLQ
jADppVBvnYvNqqih3GwFSN3H3fieF6fDPeKqv67roqEiGXvCaOUWNFOnAsFGKLpw
d66veG3C+8JD2MCd6JECQQDqpyHu/MQpKhsMW13htkhX1+QXjS584RClLLO3L7LL
VdGRFjq5cZ2mQzQBNB+ccVDhE02WmfZzAXWHd+hjmzEjAkEAxDtyXkGrdOboz3Wq
rvYTM/PCJ+K0/Mbisihoi295yGXU074kzXhdVevpN8SarVHz2ktyjea5qPwFRySF
089q6wJBAMf6ykuv9cmTTdv5HgiX3g2nO4fq1XyuHw52C2+KYhkyuViqFkAnGREy
YubHsk0UsbYwSkaYTlXzH2PliBMjlvsCQBsWtcALQrb9lU/mR2ylrZrzYG8PHbrz
XaIIb/4nomEmpY2hZwUyQ3gz+9rl+hBJCuesmKC8JA8O00+x3AOUU4cCQQCSn5WN
Na04DmDpNODPlp2YgEVsnWZgOVkI3VrKhWzLhEVq/Sduzx9ySgea0VEegsmWAeqz
IM+lCeaKgP4Dbjqs
-----END PRIVATE KEY-----
[root at dvtpc2 private]#
[root at dvtpc2 private]# openssl rsa -noout -text -in dvtpc2key1024-self.pem
Private-Key: (1024 bit)
modulus:
    00:b3:de:73:54:9e:46:eb:72:9f:84:9b:c9:64:bc:
    45:55:c3:8a:ba:21:dd:78:17:72:18:d8:6f:09:be:
    46:fa:05:4b:b9:37:d4:b7:29:2b:ec:e0:b3:ad:99:
    75:31:71:79:80:af:ea:1a:ff:6d:5d:81:23:0c:1f:
    37:03:25:3d:ce:73:c8:79:e3:16:b3:26:38:6d:9e:
    5f:3c:dd:d3:19:5e:17:0c:75:d8:d4:96:d2:b5:ed:
    a4:05:5a:f7:f1:95:99:13:a1:39:b0:05:52:5a:cb:
    60:be:11:5a:e5:4b:ce:90:3e:82:ff:f6:53:d8:d5:
    91:5c:41:32:bd:46:1b:99:21
publicExponent: 65537 (0x10001)
privateExponent:
    00:93:6c:fc:f2:9a:58:5e:9b:30:8c:2c:74:41:90:
    de:f3:90:b6:a0:21:29:b9:48:de:47:e6:fd:fb:ea:
    6d:9a:77:c4:bd:27:39:be:76:8c:7e:37:1e:8e:67:
    7d:5a:ed:3b:3d:72:f2:5a:f6:88:d9:5f:03:2e:e8:
    56:da:c9:27:82:32:d0:8c:00:e9:a5:50:6f:9d:8b:
    cd:aa:a8:a1:dc:6c:05:48:dd:c7:dd:f8:9e:17:a7:
    c3:3d:e2:aa:bf:ae:eb:a2:a1:22:19:7b:c2:68:e5:
    16:34:53:a7:02:c1:46:28:ba:70:77:ae:af:78:6d:
    c2:fb:c2:43:d8:c0:9d:e8:91
prime1:
    00:ea:a7:21:ee:fc:c4:29:2a:1b:0c:5b:5d:e1:b6:
    48:57:d7:e4:17:8d:2e:7c:e1:10:a5:2c:b3:b7:2f:
    b2:cb:55:d1:91:16:3a:b9:71:9d:a6:43:34:01:34:
    1f:9c:71:50:e1:13:4d:96:99:f6:73:01:75:87:77:
    e8:63:9b:31:23
prime2:
    00:c4:3b:72:5e:41:ab:74:e6:e8:cf:75:aa:ae:f6:
    13:33:f3:c2:27:e2:b4:fc:c6:e2:b2:28:68:8b:6f:
    79:c8:65:d4:d3:be:24:cd:78:5d:55:eb:e9:37:c4:
    9a:ad:51:f3:da:4b:72:8d:e6:b9:a8:fc:05:47:24:
    85:d3:cf:6a:eb
exponent1:
    00:c7:fa:ca:4b:af:f5:c9:93:4d:db:f9:1e:08:97:
    de:0d:a7:3b:87:ea:d5:7c:ae:1f:0e:76:0b:6f:8a:
    62:19:32:b9:58:aa:16:40:27:19:11:32:62:e6:c7:
    b2:4d:14:b1:b6:30:4a:46:98:4e:55:f3:1f:63:e5:
    88:13:23:96:fb
exponent2:
    1b:16:b5:c0:0b:42:b6:fd:95:4f:e6:47:6c:a5:ad:
    9a:f3:60:6f:0f:1d:ba:f3:5d:a2:08:6f:fe:27:a2:
    61:26:a5:8d:a1:67:05:32:43:78:33:fb:da:e5:fa:
    10:49:0a:e7:ac:98:a0:bc:24:0f:0e:d3:4f:b1:dc:
    03:94:53:87
coefficient:
    00:92:9f:95:8d:35:ad:38:0e:60:e9:34:e0:cf:96:
    9d:98:80:45:6c:9d:66:60:39:59:08:dd:5a:ca:85:
    6c:cb:84:45:6a:fd:27:6e:cf:1f:72:4a:07:9a:d1:
    51:1e:82:c9:96:01:ea:b3:20:cf:a5:09:e6:8a:80:
    fe:03:6e:3a:ac
[root at dvtpc2 private]#

---------------------------------------------------------------------------------

Now I also have some certs/priv-key files generated on a Linux m/c using
again OpenSSL, but sometime back in 2010. Now this priv-key file gets loaded
correctly. The file details are as below. I need a confirmation whether the
OpenSSL on the Linux-Fed13 (2.6.34 kernel I guess) is itself having some
issues?

---------------------------------------------------
[root at dvtpc2 anand-certs]# ls
cacert-anand.pem  cacert.pem  gateway1_cert.pem  gateway1_key.pem
Gateway2_cert.pem  Gateway2_key.pem  WS_FTP.LOG
[root at dvtpc2 anand-certs]# cat gateway1_key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,973A0820E677E768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-----END RSA PRIVATE KEY-----
[root at dvtpc2-certs]#
[root at dvtpc2-certs]#
[root at dvtpc2-certs]# ls
cacert.pem  gateway1_cert.pem  gateway1_key.pem  Gateway2_cert.pem
Gateway2_key.pem  WS_FTP.LOG
[root at dvtpc2-certs]# openssl rsa -in gateway1_key.pem -noout -text
Enter pass phrase for gateway1_key.pem:
Private-Key: (1024 bit)
modulus:
    00:95:fe:c6:32:e8:68:0b:d8:20:0a:60:0a:5d:96:
    11:72:78:eb:e2:8c:9b:76:ad:25:9a:ef:c1:b8:50:
    82:76:bd:b1:6a:be:7c:d7:bd:79:b9:b0:10:22:d5:
    cb:b1:f1:79:09:04:76:b4:df:f2:20:68:47:f7:ce:
    26:c9:b3:ca:23:47:8b:8f:60:f3:d3:a7:14:05:9b:
    b8:22:e2:ad:5f:a8:6c:f3:b0:e8:f0:5a:08:57:f8:
    66:13:7a:be:ef:37:ce:5b:ad:66:29:41:2d:da:07:
    d1:40:4f:fc:65:08:b5:71:cf:38:d9:95:90:da:65:
    04:b4:99:14:b4:0a:48:30:61
publicExponent: 65537 (0x10001)
privateExponent:
    57:f3:58:0c:29:b2:38:9f:b5:c9:df:9e:b4:59:76:
    49:85:15:eb:75:3f:03:4b:6b:ad:79:c0:41:6f:13:
    d0:c4:51:ef:a1:5a:5a:b6:43:55:da:22:dc:0a:38:
    b2:52:41:02:44:97:c6:5f:39:fe:3e:a7:54:6a:90:
    db:dc:8c:3d:55:bb:94:3f:41:ac:ff:45:1b:a7:3b:
    34:2e:73:33:9c:cf:56:81:ad:18:78:90:e2:83:94:
    52:de:25:e0:35:3d:16:3a:ec:52:8f:27:d9:5e:80:
    a8:92:07:12:c7:05:6e:d0:a9:93:dc:6d:95:3b:7b:
    2f:8c:46:a5:cb:8e:8a:31
prime1:
    00:c5:1a:a9:0d:b9:1f:cb:c8:71:13:7a:0a:4e:ee:
    ea:52:bf:91:f8:77:f2:4a:65:89:5b:27:c1:82:df:
    57:8a:af:12:7a:4d:43:f6:ec:e3:e4:22:5a:d1:79:
    31:d0:b0:c0:3a:dc:d2:95:52:38:c6:1a:bc:b7:70:
    10:4c:af:84:13
prime2:
    00:c2:d0:8c:d3:26:5e:78:fa:c4:2c:d9:a3:cc:44:
    52:00:17:e5:30:f1:5d:50:5a:62:d2:b4:9e:1c:0e:
    2e:cc:73:63:5d:fb:77:9d:0e:ac:b5:e8:e3:13:fa:
    ae:50:aa:66:8d:b8:c1:99:23:0a:56:59:c9:5b:e2:
    d2:09:f0:40:3b
exponent1:
    49:ad:a7:97:fb:a5:89:15:8a:3f:4f:95:5e:e0:2c:
    33:76:6c:e8:46:5e:09:b5:5e:dc:f6:45:7d:d8:62:
    ee:f2:76:a3:c5:12:2c:d1:6c:76:b0:e8:e5:f8:b9:
    c8:5a:e9:e0:96:ff:18:d6:3d:66:c0:43:df:06:42:
    f1:87:82:85
exponent2:
    7b:41:67:57:d0:56:c5:44:23:0a:1d:48:bc:dc:1c:
    e5:62:38:e7:96:4d:eb:a0:c4:15:7b:a0:ed:2f:2b:
    fc:be:a4:87:b9:aa:1b:fc:44:d9:72:d6:f8:b5:09:
    c4:8f:8b:02:ef:79:cd:61:96:10:bc:0d:e1:cc:c8:
    06:f1:b2:31
coefficient:
    04:6a:67:1c:b5:d8:77:16:03:00:4e:28:db:72:39:
    f0:26:2a:ce:f9:51:f0:df:cf:f3:b3:e7:6c:a9:49:
    34:fa:39:f9:27:94:1b:68:a8:69:77:7c:94:81:8c:
    2d:62:82:40:65:69:19:61:07:cd:5f:85:94:1f:df:
    37:85:77:44

[root at dvtpc2-certs]# openssl x509 -in gateway1_cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d5:79:a4:07:58:96:24:7c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd,
CN=RootCA/emailAddress=anand at yahoo.com
        Validity
            Not Before: Aug 30 04:05:34 2010 GMT
            Not After : Aug 30 04:05:34 2011 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd,
CN=Gateway1/emailAddress=anand1 at yahoo.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:95:fe:c6:32:e8:68:0b:d8:20:0a:60:0a:5d:96:
                    11:72:78:eb:e2:8c:9b:76:ad:25:9a:ef:c1:b8:50:
                    82:76:bd:b1:6a:be:7c:d7:bd:79:b9:b0:10:22:d5:
                    cb:b1:f1:79:09:04:76:b4:df:f2:20:68:47:f7:ce:
                    26:c9:b3:ca:23:47:8b:8f:60:f3:d3:a7:14:05:9b:
                    b8:22:e2:ad:5f:a8:6c:f3:b0:e8:f0:5a:08:57:f8:
                    66:13:7a:be:ef:37:ce:5b:ad:66:29:41:2d:da:07:
                    d1:40:4f:fc:65:08:b5:71:cf:38:d9:95:90:da:65:
                    04:b4:99:14:b4:0a:48:30:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AE:62:23:1E:EB:8B:C4:A3:FA:BB:CC:9E:4B:37:EF:D8:38:A7:99:E6
            X509v3 Authority Key Identifier:

keyid:EE:79:3D:03:2C:28:7B:9C:6F:A3:4C:79:41:4F:54:5A:31:F5:DE:1D
    Signature Algorithm: sha1WithRSAEncryption
        6f:a2:cc:c1:6a:80:41:62:74:2a:2e:f7:7a:0c:76:99:f1:19:
        37:52:f9:bd:4e:de:c8:87:91:4f:fa:2a:02:c4:2a:50:3e:e8:
        fa:a5:d1:f2:4c:ed:19:96:42:a5:9e:9e:cd:2f:fa:40:50:8d:
        ca:ee:41:6a:7a:5a:c2:ea:7b:67:f2:21:f1:5e:13:8d:47:91:
        ec:79:ce:30:cc:85:f7:cb:93:03:bb:e8:6f:de:01:66:99:41:
        1d:86:c6:21:c1:cc:6e:30:7f:ff:e5:fe:c3:37:4d:54:13:44:
        4a:aa:5f:fb:60:a1:32:df:af:f9:16:d0:90:b3:14:04:ae:29:
        b3:ca
-------------------------------------------------------------------------------------------------------------------


Where am I going wrong? Can somebody help? Also please forgive me for such a
lengthy query.

thanks & regards
Rajiv
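Added example (not part of the thread above, and not strongSwan or OpenSSL code): the failing file begins with `-----BEGIN PRIVATE KEY-----`, which is the PKCS#8 PrivateKeyInfo wrapper, while the 2010 key that loads is `-----BEGIN RSA PRIVATE KEY-----`, the traditional PKCS#1 RSAPrivateKey layout that the `pkcs1` plugin listed in the log parses. In PKCS#1 the element after the version INTEGER is the modulus INTEGER (tag 0x02); in PKCS#8 it is the AlgorithmIdentifier SEQUENCE (tag 0x30), which is exactly what `L1 - modulus: ASN1 tag 0x02 expected, but is 0x30` reports. The script below builds both layouts around a constructed toy RSA key (p=61, q=53, not a real key), classifies a PEM by reading those tags, and unwraps a PKCS#8 blob into the PKCS#1 body, which is what `openssl rsa -in key.pem -out key-pkcs1.pem` does on OpenSSL 1.0.x (OpenSSL 3.x writes PKCS#8 by default and needs `-traditional` for the same result). The DER helpers and function names are this example's own.

```python
"""Tell PKCS#1 (RSAPrivateKey) and PKCS#8 (PrivateKeyInfo) RSA private-key
PEMs apart by inspecting the ASN.1 tag that follows the version INTEGER, and
unwrap PKCS#8 into the PKCS#1 body.  Constructed example; not strongSwan code."""
import base64
import re

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    # One extra bit keeps a leading zero byte when the top bit is set (positive INTEGER).
    return tlv(TAG_INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def pkcs1_rsa_private_key(n, e, d, p, q):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }"""
    dp, dq, qinv = d % (p - 1), d % (q - 1), pow(q, -1, p)
    return tlv(TAG_SEQUENCE, b"".join(der_int(x) for x in (0, n, e, d, p, q, dp, dq, qinv)))


def pkcs8_private_key_info(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, privateKey OCTET STRING }"""
    alg = tlv(TAG_SEQUENCE, tlv(TAG_OID, RSA_ENCRYPTION_OID) + tlv(TAG_NULL, b""))
    return tlv(TAG_SEQUENCE, der_int(0) + alg + tlv(TAG_OCTET_STRING, pkcs1_der))


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def read_tlv(buf, pos):
    """Return (tag, body_start, body_end) of the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + ln


def classify_private_key_pem(pem):
    """Return 'pkcs1', 'pkcs8', an 'encrypted ...' note, or a description of the mismatch."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        return "not a PEM private key"
    label, body = m.group(1), m.group(2)
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted (decrypt first, e.g. openssl rsa -in key.pem -out plain.pem)"
    der = base64.b64decode("".join(body.split()))
    tag, start, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        return f"outer tag 0x{tag:02x} is not SEQUENCE"
    tag, _, vend = read_tlv(der, start)
    if tag != TAG_INTEGER:
        return f"version: expected INTEGER, got 0x{tag:02x}"
    next_tag, _, _ = read_tlv(der, vend)    # this is the tag strongSwan's pkcs1 parser complains about
    if next_tag == TAG_INTEGER:
        return "pkcs1"                      # modulus follows the version: RSAPrivateKey
    if next_tag == TAG_SEQUENCE:
        return "pkcs8"                      # AlgorithmIdentifier follows the version: PrivateKeyInfo
    return f"unknown: tag 0x{next_tag:02x} after version"


def unwrap_pkcs8(der):
    """Extract the RSAPrivateKey DER carried inside an rsaEncryption PrivateKeyInfo."""
    _, start, _ = read_tlv(der, 0)             # outer SEQUENCE
    _, _, vend = read_tlv(der, start)          # version INTEGER
    tag, astart, aend = read_tlv(der, vend)    # AlgorithmIdentifier SEQUENCE
    oid_tag, ostart, oend = read_tlv(der, astart)
    if tag != TAG_SEQUENCE or oid_tag != TAG_OID or der[ostart:oend] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption PrivateKeyInfo")
    tag, kstart, kend = read_tlv(der, aend)    # privateKey OCTET STRING
    if tag != TAG_OCTET_STRING:
        raise ValueError("privateKey must be an OCTET STRING")
    return der[kstart:kend]


if __name__ == "__main__":
    # Constructed toy parameters: p=61, q=53, n=3233, e=17, d=2753 (never use for anything real).
    pkcs1 = pkcs1_rsa_private_key(3233, 17, 2753, 61, 53)
    pkcs8 = pkcs8_private_key_info(pkcs1)
    print("RSA PRIVATE KEY ->", classify_private_key_pem(to_pem("RSA PRIVATE KEY", pkcs1)))
    print("PRIVATE KEY     ->", classify_private_key_pem(to_pem("PRIVATE KEY", pkcs8)))
    print("unwrapped       ->", classify_private_key_pem(to_pem("RSA PRIVATE KEY", unwrap_pkcs8(pkcs8))))
```

Pasting the text of dvtpc2key1024-self.pem from the post into `classify_private_key_pem` returns "pkcs8" (its base64 decodes to `30 82 02 78 02 01 00 30 0d ...`, a SEQUENCE right after the version), while gateway1_key.pem is reported as encrypted PKCS#1 and is accepted by the pkcs1 parser once the passphrase is supplied. Unencrypted private keys should be kept out of mailing-list posts and readable only by the daemon's user; a key that has been published should be treated as compromised and reissued.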