[strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Thu Nov 10 16:58:06 CET 2011


Hi

Yes, of course. I did that. You see,

- when I use "OpenSSL 1.0.0d-fips 8 Feb 2011" on a Linux-FC13 machine to
generate certs, the default RSA key format is PKCS#8, which I believe
strongSwan does not yet support

- if, on the other hand, I use an openwrt-gw with "OpenSSL 0.9.8q 2 Dec 2010" and
"Linux strongSwan U4.3.6/K2.6.33.5", although the generated private RSA key
file is in the traditional format, strongSwan is unable to load the file

thanks & regards
rajiv



On Thu, Nov 10, 2011 at 8:23 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hello Rajiv,
>
> did you add the passphrase which encrypts the private key to
> the ipsec.secrets entry?
>
>  : RSA /ssl/private/mfcgw1key.pem "<my passphrase>"
>
> Regards
>
> Andreas
>
>
> On 10.11.2011 15:10, Rajiv Kulkarni wrote:
>
>> Hi
>> It has been quite some time now since I could follow up on the issue
>> submitted by me, very sorry about the delay in doing so.
>> I have been facing this issue primarily on an OpenWRT Gateway:
>> ------------------------------------------------------------------------------------------
>> BusyBox v1.4.2 (2011-08-04 02:47:42 IST) Built-in shell (ash)
>>   _______                     ________        __
>>  |       |.-----.-----.-----.|  |  |  |.----.|  |_
>>  |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
>>  |_______||   __|_____|__|__||________||__|  |____|
>>           |__| W I R E L E S S   F R E E D O M
>> ----------------------------------------------------------------------------------------
>> - After receiving the reply by Martin as below (at the end of this mail)
>> for a similar issue on a Linux Fedora-13 server running strongSwan
>> 4.5.0, I tried to generate some more newer x509 certs (and the private
>> RSA key files) on the openwrt gateway itself
>> ***************************
>> root@mfcgw1:/etc# cat ssl/private/mfcgw1key.pem
>>
>> -----BEGIN RSA PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
>> -----END RSA PRIVATE KEY-----
>> root@mfcgw1:/etc# ipsec version
>>
>> Linux strongSwan U4.3.6/K2.6.33.5
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil, Switzerland
>> See 'ipsec --copyright' for copyright information.
>> root@mfcgw1:/etc#
>>
>> *********************************************************
>> - and I am still unable to load the RSA private key file in strongSwan.
>> I am getting the following errors:
>> *****************************************************************
>> root@mfcgw1:/etc# ipsec start --nofork
>>
>> Starting strongSwan 4.3.6 IPsec [starter]...
>> starter_start_pluto entered
>> Pluto initialized
>> Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID
>> pluto (11076) started after 20 ms
>> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
>> loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac
>>   including NAT-Traversal patch (Version 0.6c)
>> Using Linux 2.6 IPsec interface code
>> loading ca certificates from '/etc/ipsec.d/cacerts'
>>   loaded ca certificate from '/etc/ipsec.d/cacerts/cacert.pem'
>> loading aa certificates from '/etc/ipsec.d/aacerts'
>> loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
>> Changing to directory '/etc/ipsec.d/crls'
>>   loaded crl from 'crl.pem'
>> loading attribute certificates from '/etc/ipsec.d/acerts'
>> listening for IKE messages
>> adding interface eth1/eth1 169.254.0.1:500
>> adding interface eth1/eth1 169.254.0.1:4500
>> adding interface eth2/eth2 192.168.1.1:500
>> adding interface eth2/eth2 192.168.1.1:4500
>> adding interface eth0/eth0 172.17.10.102:500
>> adding interface eth0/eth0 172.17.10.102:4500
>> adding interface lo/lo 127.0.0.1:500
>> adding interface lo/lo 127.0.0.1:4500
>>
>> adding interface lo/lo ::1:500
>> adding interface eth2/eth2 2007::1:500
>> adding interface eth0/eth0 fec0::ee01:500
>> loading secrets from "/etc/ipsec.secrets"
>> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>> 00[CFG]   loaded ca certificate "C=UK, ST=LNDN, L=LONDON, O=Internet Widgits Pty Ltd, OU=Corp, CN=mfcgw1CA, E=admin@dvttest.com, subjectAltName=mfcgw1CA.dvttest.com" from '/etc/ipsec.d/cacerts/cacert.pem'
>> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>> 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> 00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl.pem'
>> 00[CFG] loading secrets from '/etc/ipsec.secrets'
>> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>>   syntax error in private key file
>> "/etc/ipsec.secrets" line 3: Private key file -- could not be loaded
>> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>> 00[CFG]   loading private key from '/etc/ipsec.d/private/mfcgw1key.pem' failed
>> 00[DMN] loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac kernel-pfkey stroke updown
>> 00[JOB] spawning 16 worker threads
>> charon (11077) started after 720 ms
>> 06[CFG] received stroke: add connection 'tunnel1'
>> 06[CFG] left nor right host is our side, assuming left=local
>> 06[CFG]   loaded certificate "C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster@dvttest.com" from 'mfcgw1cert.pem'
>> 06[CFG]   id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltName=172.17.10.102/emailAddress=postmaster@dvttest.com' not confirmed by certificate, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster@dvttest.com'
>>
>> 06[CFG] added configuration 'tunnel1'
>>   loaded host certificate from '/etc/ipsec.d/certs/mfcgw1cert.pem'
>>   id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltName=172.17.10.102/emailAddress=postmaster@dvttest.com' not confirmed by certificate, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster@dvttest.com'
>>
>> added connection description "tunnel1"
>> 09[CFG] received stroke: route 'tunnel1'
>> 09[KNL] no local address found in traffic selector 192.168.1.0/24
>>
>> configuration 'tunnel1' routed
>> ***************************************************************************
>> - can you help in understanding why this is happening when the file
>> is in a correct RSA format?
>> - Also FYI, I am also facing the same issue of RSA key file loading error
>> when I use the "ipsec pki.." built-in strongSwan cert app. Here too the
>> error we observe is as below:
>> -----------------------------------------------------------------------------------------
>> root@evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
>> file coded in unknown format, discarded
>> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>> parsing private key failed
>> root@evm1gw:
>>
>> ----------------------------------------------------------------------------------------
>> Please forgive me again for the lengthy submission of the issue
>> thanks once again
>> with regards
>> Rajiv Kulkarni
>> ----------------------------------------------------------------------
>>  >Hi Rajiv,
>>
>>  >[root@dvtpc2 private]# cat dvtpc2key1024-self.pem
>>  >-----BEGIN PRIVATE KEY-----
>>  >-----END PRIVATE KEY-----
>>
>>  >This key is wrapped in PKCS#8 without encryption. We currently can't
>>  >read in any PKCS#8 keys.
>>
>>  >Convert such keys to plain RSA using:
>>  > openssl pkcs8 -nocrypt < dvtpc2key1024-self.pem
>>
>>  >Regards
>>  >Martin
>>
>>
>>
>
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
>
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> =============================================================[ITA-HSR]==
>
>
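An added check for the key-format problem discussed in this thread (example code, not from the list or the strongSwan project): it classifies a PEM private-key file by its header lines, so you can see before starting ipsec whether the key is PKCS#8 ("BEGIN PRIVATE KEY", which strongSwan 4.3.6 cannot load) or a traditional RSA key, and whether the latter is encrypted and therefore needs its passphrase in ipsec.secrets as Andreas asked; for PKCS#8 it runs the openssl conversion Martin suggested. It assumes a POSIX sh and an openssl binary on PATH; the function names and file paths are placeholders of mine, and later strongSwan releases ship a pkcs8 plugin so the conversion is only needed on old builds like the one here.

```shell
#!/bin/sh
# Added example: inspect a PEM private-key file the way strongSwan 4.3.x would
# see it, and convert PKCS#8 keys to the traditional RSA encoding.
# Assumes POSIX sh and an openssl binary on PATH (function names are mine).

# Print the key's PEM flavour:
#   pkcs8-plain      "BEGIN PRIVATE KEY"           -> strongSwan 4.3.6 cannot load it
#   pkcs8-encrypted  "BEGIN ENCRYPTED PRIVATE KEY" -> same, and it needs a passphrase
#   rsa-encrypted    traditional PEM with a "Proc-Type: 4,ENCRYPTED" header
#                    -> loadable, but the passphrase must be in ipsec.secrets
#   rsa-plain        traditional, unencrypted PEM
#   unknown          anything else (DER, PKCS#12, not a key at all)
classify_pem_key() {
    f="$1"
    if grep -q '^-----BEGIN PRIVATE KEY-----' "$f"; then
        echo pkcs8-plain
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo pkcs8-encrypted
    elif grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$f"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo rsa-encrypted
        else
            echo rsa-plain
        fi
    else
        echo unknown
    fi
}

# Rewrite a PKCS#8 key as a traditional "BEGIN RSA PRIVATE KEY" file.
# Without -topk8, "openssl pkcs8" reads PKCS#8 and writes the traditional
# encoding; -nocrypt tells it the input is not encrypted. An encrypted PKCS#8
# input makes openssl prompt for its passphrase. The output is unencrypted,
# so give it the same restrictive permissions as the original key file.
to_traditional_rsa() {
    in="$1"; out="$2"
    case "$(classify_pem_key "$in")" in
        pkcs8-plain)     openssl pkcs8 -nocrypt -in "$in" -out "$out" ;;
        pkcs8-encrypted) openssl pkcs8 -in "$in" -out "$out" ;;
        rsa-plain|rsa-encrypted)
            echo "$in is already in traditional RSA format" >&2; return 0 ;;
        *)  echo "$in: unrecognised key format" >&2; return 1 ;;
    esac
    # Confirm the result parses as a consistent RSA key before pointing
    # ipsec.secrets at it.
    openssl rsa -in "$out" -noout -check
}

# Usage (paths are placeholders):
#   classify_pem_key /etc/ipsec.d/private/mfcgw1key.pem
#   to_traditional_rsa dvtpc2key1024-self.pem dvtpc2key1024-self-rsa.pem
```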