[strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Thu Nov 10 15:10:56 CET 2011


Hi

It has been quite some time now since I could follow up on the issue
submitted by me; very sorry about the delay in doing so.

I have been facing this issue primarily on an OpenWRT gateway:
----------------------------------------------------------------------------------------------
BusyBox v1.4.2 (2011-08-04 02:47:42 IST) Built-in shell (ash)
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
----------------------------------------------------------------------------------------

- After receiving the reply from Martin as below (at the end of this mail)
for a similar issue on a Linux Fedora-13 server running strongswan 4.5.0, I
tried to generate some more newer x509 certs (and the private RSA key
files) on the openwrt gateway itself
***************************
root at mfcgw1:/etc# cat ssl/private/mfcgw1key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
-----END RSA PRIVATE KEY-----
root at mfcgw1:/etc#
root at mfcgw1:/etc#
root at mfcgw1:/etc# ipsec version
Linux strongSwan U4.3.6/K2.6.33.5
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root at mfcgw1:/etc#
*******************************************************

- and I am still unable to load the RSA private key file in strongswan. I am
getting the following errors:
*************************************************************
root at mfcgw1:/etc# ipsec start --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID
pluto (11076) started after 20 ms
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac
  including NAT-Traversal patch (Version 0.6c)
Using Linux 2.6 IPsec interface code
loading ca certificates from '/etc/ipsec.d/cacerts'
  loaded ca certificate from '/etc/ipsec.d/cacerts/cacert.pem'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
  loaded crl from 'crl.pem'
loading attribute certificates from '/etc/ipsec.d/acerts'
listening for IKE messages
adding interface eth1/eth1 169.254.0.1:500
adding interface eth1/eth1 169.254.0.1:4500
adding interface eth2/eth2 192.168.1.1:500
adding interface eth2/eth2 192.168.1.1:4500
adding interface eth0/eth0 172.17.10.102:500
adding interface eth0/eth0 172.17.10.102:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
adding interface eth2/eth2 2007::1:500
adding interface eth0/eth0 fec0::ee01:500
loading secrets from "/etc/ipsec.secrets"
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=UK, ST=LNDN, L=LONDON, O=Internet Widgits Pty Ltd, OU=Corp, CN=mfcgw1CA, E=admin at dvttest.com, subjectAltName=mfcgw1CA.dvttest.com" from '/etc/ipsec.d/cacerts/cacert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl.pem'
00[CFG] loading secrets from '/etc/ipsec.secrets'
building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
  syntax error in private key file
"/etc/ipsec.secrets" line 3: Private key file -- could not be loaded
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/mfcgw1key.pem' failed
00[DMN] loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac kernel-pfkey stroke updown
00[JOB] spawning 16 worker threads
charon (11077) started after 720 ms
06[CFG] received stroke: add connection 'tunnel1'
06[CFG] left nor right host is our side, assuming left=local
06[CFG]   loaded certificate "C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster at dvttest.com" from 'mfcgw1cert.pem'
06[CFG]   id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltName=172.17.10.102/emailAddress=postmaster at dvttest.com' not confirmed by certificate, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster at dvttest.com'
06[CFG] added configuration 'tunnel1'
  loaded host certificate from '/etc/ipsec.d/certs/mfcgw1cert.pem'
  id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltName=172.17.10.102/emailAddress=postmaster at dvttest.com' not confirmed by certificate, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster at dvttest.com'
added connection description "tunnel1"
09[CFG] received stroke: route 'tunnel1'
09[KNL] no local address found in traffic selector 192.168.1.0/24
configuration 'tunnel1' routed
***********************************************************************

- can you help me understand why this is happening when the file is in the
correct RSA format?

- Also, FYI, I am also facing the same RSA key file loading error when I use
the built-in strongswan "ipsec pki ..." cert app. Here too the error we
observe is as below:
---------------------------------------------------------------------------------------------
root at evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
file coded in unknown format, discarded
building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
parsing private key failed
root at evm1gw:
----------------------------------------------------------------------------------------
Please forgive me again for the lengthy submission of the issue

thanks once again

with regards
Rajiv Kulkarni


----------------------------------------------------------------------
> Hi Rajiv,

> [root at dvtpc2 private]# cat dvtpc2key1024-self.pem
> -----BEGIN PRIVATE KEY-----
> -----END PRIVATE KEY-----
> This key is wrapped in PKCS#8 without encryption. We currently can't
> read in any PKCS#8 keys.

> Convert such keys to plain RSA using:
> openssl pkcs8 -nocrypt < dvtpc2key1024-self.pem

> Regards
> Martin
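As an added example (not from this thread and not strongSwan's own code): a Python script that classifies a PEM key file the way strongSwan's loaders will see it (PKCS#1 "RSA PRIVATE KEY" with or without the "Proc-Type: 4,ENCRYPTED" header that Rajiv's file carries, or the PKCS#8 "PRIVATE KEY" armour Martin points out) and unwraps an unencrypted PKCS#8 RSA key into PKCS#1, which is what Martin's `openssl pkcs8 -nocrypt` command does for RSA keys. The sample key is constructed from textbook-sized primes and is not a real key; the DER layout and rsaEncryption OID follow PKCS#8 and PKCS#1.

```python
"""Classify a PEM private key as strongSwan's pem/pkcs1 loaders see it; unwrap unencrypted PKCS#8 RSA to PKCS#1."""
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def pem_parts(text):
    """Return (label, header lines, DER bytes) of the first PEM block in text."""
    m = re.search(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    lines = [l.strip() for l in m.group(2).splitlines() if l.strip()]
    headers = [l for l in lines if ":" in l]  # Proc-Type/DEK-Info of an encrypted PEM
    return m.group(1), headers, base64.b64decode("".join(l for l in lines if ":" not in l))

def classify(text):
    label, headers, _ = pem_parts(text)
    if label == "RSA PRIVATE KEY":  # PKCS#1, the armour strongSwan 4.x expects
        encrypted = any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
        return "pkcs1-encrypted" if encrypted else "pkcs1"  # encrypted: needs its passphrase
    if label == "PRIVATE KEY":  # Martin's case: PKCS#8 PrivateKeyInfo, unwrap it
        return "pkcs8"
    return "pkcs8-encrypted" if label == "ENCRYPTED PRIVATE KEY" else "unknown"

def tlv(buf, off=0):  # read one DER element at off -> (tag, content, offset after it)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def pkcs8_to_pkcs1(text):  # PrivateKeyInfo -> inner RSAPrivateKey, re-armoured as PKCS#1
    label, _, der = pem_parts(text)
    if label != "PRIVATE KEY":
        raise ValueError("not an unencrypted PKCS#8 key: " + label)
    _, info, _ = tlv(der)  # outer SEQUENCE
    _, _, off = tlv(info)  # version INTEGER 0
    _, alg, off = tlv(info, off)  # AlgorithmIdentifier { OID, NULL }
    if tlv(alg)[1] != RSA_OID:
        raise ValueError("not an RSA key")
    _, rsa_der, _ = tlv(info, off)  # OCTET STRING carrying the RSAPrivateKey
    body = "\n".join(re.findall(".{1,64}", base64.b64encode(rsa_der).decode()))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{body}\n-----END RSA PRIVATE KEY-----\n"

# Constructed sample: textbook-sized key (p=61, q=53, e=17), not a real key, built as PKCS#8 DER offline.
def der(tag, content):  # minimal DER TLV, short-form length only (content < 128 bytes)
    return bytes([tag, len(content)]) + content
def der_int(v):  # INTEGER with a leading 0x00 whenever the high bit would be set
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
RSA_KEY = der(0x30, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
PKCS8 = der(0x30, der_int(0) + der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x04, RSA_KEY))
SAMPLE_PKCS8_PEM = "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % base64.b64encode(PKCS8).decode()
```

Run `classify()` on the file named in ipsec.secrets before blaming the daemon: a "pkcs8" result means the file needs unwrapping, and "pkcs1-encrypted" means the loader must be given the passphrase.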