[strongSwan] getting error "expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed"

Andreas Steffen andreas.steffen at strongswan.org
Thu Mar 17 17:38:52 CET 2011


On 17.03.2011 12:33, Meera Sudhakar wrote:
> Hi Andreas,
>  
> This problem was solved by the solution provided in
> http://www.mail-archive.com/users@lists.strongswan.org/msg02152.html. I
> now have a new problem for which I cannot find a solution. It would be
> great if you could help me understand the problem, and hopefully provide
> a solution too.
>  
> I generated the private key and certificate for my machines (the
> initiator and the receiver) by executing the following command on each
> of them:
>  
> openssl req -x509 -days 1460 -newkey rsa:2048 \
>             -keyout strongswanKey.pem -out strongswanCert.pem
>
This generates a self-signed CA certificate which cannot be used
as a peer certificate.

> I then placed the file strongswanKey.pem in the path
> /etc/ipsec.d/private/, and the file strongswanCert.pem in the path
> /etc/ipsec.d/certs. So now, the line " : RSA strongswanKey.pem "xxxx" "
> is added to the file ipsec.secrets, and the line
> "leftcert=strongswanCert.pem" is added to the file ipsec.conf.
>  
> After starting strongswan, the following was seen in the log file:
>  
> Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG]   loaded RSA private
> key from '/etc/ipsec.d/private/strongswanKey.pem'
> Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] expanding file
> expression '/var/lib/strongswan/ipsec.secrets.inc' failed

Do you include secrets from /var/lib/strongswan/ipsec.secrets.inc?

> Mar 17 18:35:32 cip-Latitude-D520 charon: 00[DMN] loaded plugins: curl
> ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem
> openssl fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default
> farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
> dhcp resolve
>  
> Later on in the logs, I see that CHILD_SA was established, but IKE
> authentication failed. I am not sure if this is connected to the above
> problem. Please find a part of the logfile here:
>  
> Mar 17 18:35:44 cip-Latitude-D520 charon: 12[IKE] establishing CHILD_SA
> sample-with-ca-cert

This is just an announcement that a CHILD_SA is going to be established.

> Mar 17 18:35:44 cip-Latitude-D520 charon: 12[ENC] generating IKE_AUTH
> request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Mar 17 18:35:44 cip-Latitude-D520 charon: 12[NET] sending packet: from
> 10.58.114.215[4500] to 10.58.112.139[4500]
> Mar 17 18:35:44 cip-Latitude-D520 charon: 13[NET] received packet: from
> 10.58.112.139[4500] to 10.58.114.215[4500]
> Mar 17 18:35:44 cip-Latitude-D520 charon: 13[ENC] parsed IKE_AUTH
> response 1 [ N(AUTH_FAILED) ]
> Mar 17 18:35:44 cip-Latitude-D520 charon: 13[IKE] received
> AUTHENTICATION_FAILED notify error
>
The peer side has an authentication problem because you are sending
a self-signed certificate. You must send an end entity certificate
signed by the strongSwan CA and put strongswanCert.pem into
/etc/ipsec.d/cacerts as a trust anchor.
>  
> Could you please help me sort this out?
>
Consult the following link on how to set up a simple PKI:

http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

> Thanks in advance,
>  
> Meera

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
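The setup Andreas describes (a self-signed CA certificate as trust anchor in /etc/ipsec.d/cacerts, and a separate end-entity certificate signed by that CA as the peer certificate), together with a check for the dangling include he asks about, as an added example that is not part of the original thread or of the strongSwan project's own code. It uses openssl only, as the original command did, rather than strongSwan's pki tool. The peer names moon and sun, the DN values, the file names, and the optional ROOT prefix that install_peer uses instead of the real /etc are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread or the strongSwan project.
# Builds the PKI Andreas describes with openssl only: one self-signed CA
# (the trust anchor for /etc/ipsec.d/cacerts) and an end-entity certificate
# per peer signed by it (what goes in /etc/ipsec.d/certs and leftcert=).
# Peer names (moon, sun), DN values and file names are assumptions.
set -eu

# make_pki DIR: create the CA plus an end-entity key/cert per peer in DIR.
make_pki() {
    dir=$1
    mkdir -p "$dir"
    # This is essentially the command from the post: 'req -x509' yields a
    # self-signed certificate that openssl marks CA:TRUE by default. That
    # is a CA certificate, not something a peer can present in IKE_AUTH.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1460 \
        -subj "/C=CH/O=strongSwan/CN=strongSwan CA" \
        -keyout "$dir/caKey.pem" -out "$dir/caCert.pem"
    for peer in moon sun; do
        # Without -x509, 'req' produces a signing request, not a certificate.
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/C=CH/O=strongSwan/CN=$peer.strongswan.org" \
            -keyout "$dir/${peer}Key.pem" -out "$dir/$peer.csr"
        # End-entity extensions: CA:FALSE, plus a SAN matching the identity
        # the peer will present (leftid=@moon.strongswan.org, for instance).
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s.strongswan.org\n' \
            "$peer" > "$dir/$peer.ext"
        openssl x509 -req -days 730 -in "$dir/$peer.csr" \
            -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" -CAcreateserial \
            -extfile "$dir/$peer.ext" -out "$dir/${peer}Cert.pem"
    done
}

# is_ca CERT: print yes if the certificate carries basicConstraints CA:TRUE.
is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# install_peer DIR PEER [ROOT]: put the files where charon looks for them,
# under ROOT (default: the real filesystem), and append the ipsec.secrets
# entry. The key is unencrypted here, so the entry has no passphrase field.
install_peer() {
    src=$1; peer=$2; root=${3:-}
    d="$root/etc/ipsec.d"
    mkdir -p "$d/private" "$d/certs" "$d/cacerts"
    cp "$src/${peer}Key.pem" "$d/private/"
    cp "$src/${peer}Cert.pem" "$d/certs/"
    cp "$src/caCert.pem" "$d/cacerts/"        # the trust anchor
    chmod 600 "$d/private/${peer}Key.pem"
    printf ': RSA %sKey.pem\n' "$peer" >> "$root/etc/ipsec.secrets"
    # ipsec.conf lines the peer would use (printed, not written)
    printf 'leftcert=%sCert.pem\nleftid=@%s.strongswan.org\n' "$peer" "$peer"
}

# check_includes SECRETS: print each 'include' target in an ipsec.secrets
# file that matches no file, the condition behind "expanding file
# expression '...' failed". Relative targets are resolved against the
# directory of the secrets file. Returns 1 if anything is missing.
check_includes() {
    missing=$(
        cd "$(dirname "$1")"
        sed -n 's/^[[:space:]]*include[[:space:]]*//p' "$(basename "$1")" |
        while read -r pat; do
            found=0
            for f in $pat; do [ -e "$f" ] && found=1; done   # glob expands
            [ "$found" -eq 1 ] || echo "$pat"
        done
    )
    [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

# Demonstration in a scratch directory; nothing below touches /etc.
W=$(mktemp -d)
make_pki "$W/pki"
echo "caCert.pem is a CA:   $(is_ca "$W/pki/caCert.pem")"    # yes
echo "moonCert.pem is a CA: $(is_ca "$W/pki/moonCert.pem")"  # no
openssl verify -CAfile "$W/pki/caCert.pem" "$W/pki/moonCert.pem"
install_peer "$W/pki" moon "$W/root"
# A dangling include, like the one in the log, is flagged before charon starts:
echo "include $W/nonexistent.secrets.inc" >> "$W/root/etc/ipsec.secrets"
check_includes "$W/root/etc/ipsec.secrets" || echo "create or remove the include target above"
```

The CA:TRUE check is the quick way to tell the two kinds of certificate apart when a peer answers with AUTHENTICATION_FAILED: a certificate in /etc/ipsec.d/certs must come back "no", and the one in /etc/ipsec.d/cacerts "yes". For two peers the sun files are installed the same way on the other host, with the same caCert.pem as trust anchor on both sides.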