[strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

Andreas Steffen andreas.steffen at strongswan.org
Thu Nov 10 15:53:29 CET 2011


Hello Rajiv,

did you add the passphrase which encrypts the private key to
the ipsec.secrets entry?

  : RSA /ssl/private/mfcgw1key.pem "<my passphrase>"

Regards

Andreas

On 10.11.2011 15:10, Rajiv Kulkarni wrote:
> Hi
> It has been quite some time now since I could follow up on the issue
> submitted by me, very sorry about the delay in doing so.
> I have been facing this issue primarily on an OpenWRT Gateway:
> ----------------------------------------------------------------------------------------------
> BusyBox v1.4.2 (2011-08-04 02:47:42 IST) Built-in shell (ash)
>    _______                     ________        __
>   |       |.-----.-----.-----.|  |  |  |.----.|  |_
>   |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
>   |_______||   __|_____|__|__||________||__|  |____|
>            |__| W I R E L E S S   F R E E D O M
> ----------------------------------------------------------------------------------------
> - After receiving the reply by Martin as below (at the end of this mail)
> for a similar issue on a Linux Fedora-13 server running strongswan
> 4.5.0, I tried to generate some newer x509 certs (and the private
> rsa key files) on the openwrt gateway itself
> ***************************
> root at mfcgw1:/etc# cat ssl/private/mfcgw1key.pem
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
> -----END RSA PRIVATE KEY-----
> root at mfcgw1:/etc#
> root at mfcgw1:/etc#
> root at mfcgw1:/etc# ipsec version
> Linux strongSwan U4.3.6/K2.6.33.5
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
> root at mfcgw1:/etc#
> *******************************************************
> - and I am still unable to load the RSA private key file in strongswan.
> I am getting the following errors:
> *************************************************************
> root at mfcgw1:/etc# ipsec start --nofork
> Starting strongSwan 4.3.6 IPsec [starter]...
> starter_start_pluto entered
> Pluto initialized
> Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID
> pluto (11076) started after 20 ms
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
> loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl
> hmac
>    including NAT-Traversal patch (Version 0.6c)
> Using Linux 2.6 IPsec interface code
> loading ca certificates from '/etc/ipsec.d/cacerts'
>    loaded ca certificate from '/etc/ipsec.d/cacerts/cacert.pem'
> loading aa certificates from '/etc/ipsec.d/aacerts'
> loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Changing to directory '/etc/ipsec.d/crls'
>    loaded crl from 'crl.pem'
> loading attribute certificates from '/etc/ipsec.d/acerts'
> listening for IKE messages
> adding interface eth1/eth1 169.254.0.1:500
> adding interface eth1/eth1 169.254.0.1:4500
> adding interface eth2/eth2 192.168.1.1:500
> adding interface eth2/eth2 192.168.1.1:4500
> adding interface eth0/eth0 172.17.10.102:500
> adding interface eth0/eth0 172.17.10.102:4500
> adding interface lo/lo 127.0.0.1:500
> adding interface lo/lo 127.0.0.1:4500
> adding interface lo/lo ::1:500
> adding interface eth2/eth2 2007::1:500
> adding interface eth0/eth0 fec0::ee01:500
> loading secrets from "/etc/ipsec.secrets"
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "C=UK, ST=LNDN, L=LONDON, O=Internet Widgits Pty Ltd, OU=Corp, CN=mfcgw1CA, E=admin at dvttest.com, subjectAltName=mfcgw1CA.dvttest.com" from '/etc/ipsec.d/cacerts/cacert.pem'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl.pem'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>    syntax error in private key file
> "/etc/ipsec.secrets" line 3: Private key file -- could not be loaded
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
> 00[CFG]   loading private key from '/etc/ipsec.d/private/mfcgw1key.pem'
> failed
> 00[DMN] loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem
> openssl
>   hmac kernel-pfkey stroke updown
> 00[JOB] spawning 16 worker threads
> charon (11077) started after 720 ms
> 06[CFG] received stroke: add connection 'tunnel1'
> 06[CFG] left nor right host is our side, assuming left=local
> 06[CFG]   loaded certificate "C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster at dvttest.com" from 'mfcgw1cert.pem'
> 06[CFG]   id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltName=172.17.10.102/emailAddress=postmaster at dvttest.com' not confirmed by certificate, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster at dvttest.com'
> 06[CFG] added configuration 'tunnel1'
>    loaded host certificate from '/etc/ipsec.d/certs/mfcgw1cert.pem'
>    id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltName=172.17.10.102/emailAddress=postmaster at dvttest.com' not confirmed by certificate, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster at dvttest.com'
> added connection description "tunnel1"
> 09[CFG] received stroke: route 'tunnel1'
> 09[KNL] no local address found in traffic selector 192.168.1.0/24
> configuration 'tunnel1' routed
> ***********************************************************************
> - can you help in understanding why this is happening when the file
> is in a correct RSA format?
> - Also FYI, I am also facing the same issue of RSA key file loading error
> when I use the "ipsec pki.." built-in strongswan cert app. Here too the
> error we observe is as below:
> ---------------------------------------------------------------------------------------------
> root at evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn "C=IN,
> O=strongSwan, CN=strongSwan CA" --ca > caCert.der
> file coded in unknown format, discarded
> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
> parsing private key failed
> root at evm1gw:
> ----------------------------------------------------------------------------------------
> Please forgive me again for the lengthy submission of the issue
> thanks once again
> with regards
> Rajiv Kulkarni
> ----------------------------------------------------------------------
> > Hi Rajiv,
> >
> > [root at dvtpc2 private]# cat dvtpc2key1024-self.pem
> > -----BEGIN PRIVATE KEY-----
> > -----END PRIVATE KEY-----
> >
> > This key is wrapped in PKCS#8 without encryption. We currently can't
> > read in any PKCS#8 keys.
> >
> > Convert such keys to plain RSA using:
> >  openssl pkcs8 -nocrypt < dvtpc2key1024-self.pem
> >
> > Regards
> > Martin


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
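As an added example (not from this thread or from strongSwan), a small POSIX shell helper that tells apart, from the PEM headers alone, the two key shapes the thread turns on: a legacy RSA key encrypted with a passphrase (Proc-Type/DEK-Info, which needs the passphrase in the ipsec.secrets entry as Andreas notes) and a PKCS#8 wrapper (which Martin says has to be converted with openssl pkcs8 first). The sample files it writes are constructed header-only stand-ins with a placeholder body, not key material; the key paths and the passphrase placeholder are assumptions.

```shell
#!/bin/sh
pem_key_kind() {
    # $1: PEM file. Prints one of rsa-plain, rsa-encrypted, pkcs8-plain,
    # pkcs8-encrypted or unknown. Only header lines are inspected.
    if grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # Legacy OpenSSL key; Proc-Type/DEK-Info mark passphrase encryption
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && grep -q '^DEK-Info:' "$1"; then
            echo rsa-encrypted
        else
            echo rsa-plain
        fi
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        # PKCS#8 wrapper, the shape strongSwan 4.3.x could not read
        echo pkcs8-plain
    else
        echo unknown
    fi
}

secrets_hint() {
    # $1: key path as it will appear in ipsec.secrets, $2: kind from above.
    case "$2" in
        rsa-plain)       echo ": RSA $1" ;;
        rsa-encrypted)   echo ": RSA $1 \"<passphrase used when the key was generated>\"" ;;
        pkcs8-plain)     echo "convert first: openssl pkcs8 -nocrypt < $1 > $1.rsa" ;;
        pkcs8-encrypted) echo "convert first: openssl pkcs8 -in $1 -out $1.rsa (asks for the passphrase)" ;;
        *)               echo "unrecognised file: check it is PEM, not DER or truncated" ;;
    esac
}

write_samples() {
    # Constructed header-only stand-ins for the two keys quoted in the
    # thread; the body is a placeholder, not key material. $1: directory.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDERBODY==' \
        '-----END RSA PRIVATE KEY-----' > "$1/mfcgw1key.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDERBODY==' \
        '-----END PRIVATE KEY-----' > "$1/dvtpc2key1024-self.pem"
}

# Usage: sh pemkind.sh /etc/ipsec.d/private/mfcgw1key.pem
if [ -n "${1-}" ]; then
    kind=$(pem_key_kind "$1"); echo "$kind"; secrets_hint "$1" "$kind"
fi
```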
