[strongSwan] IKEv2 SA ( No private Key )
Andreas Steffen
andreas.steffen at strongswan.org
Mon Oct 17 13:43:10 CEST 2011
See my inline comments:
On 17.10.2011 12:15, Jayateerth Hulgi wrote:
> Hi,
>
>
>
> I am not able to resolve the following error no private key found for
> 'alice at strongswan.org' ..
>
> I have included logs as well as my conf please do help me to establish
> connection ..
>
> I m having doubt in ipsec.secrets file .
>
>
> Host1:
>
> ./ipsec up host-host
>
> initiating IKE_SA host-host[4] to 107.108.204.245
>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>
> sending packet: from 107.108.204.246[500] to 107.108.204.245[500]
>
> received packet: from 107.108.204.245[500] to 107.108.204.246[500]
>
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(MULT_AUTH) ]
>
> received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
>
> no private key found for 'alice at strongswan.org'
>
>
>
> conn host-host
>
> left=107.108.204.246
>
> right=107.108.204.245
>
> leftcert=aliceCert.pem
>
> leftfirewall=no
>
> leftid=alice at strongswan.org
>
> rightid=venus.strongswan.org
>
> rightsendcert=never
>
since you seem to have changed your authentication
from EAP-AKA to mutual certificate-based authentication
you should remove the rightsendcert=never option.
The fatal consequences of this directive is shown below.
> mobike=no
>
> auto=add
>
>
>
>
>
> Oct 17 14:44:20 localhost charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.5.3)
>
> Oct 17 14:44:20 localhost charon: 00[CFG] disabling load-tester plugin,
> not configured
>
> Oct 17 14:44:20 localhost charon: 00[LIB] plugin 'load-tester': failed
> to load - load_tester_plugin_create returned NULL
>
> Oct 17 14:44:20 localhost charon: 00[KNL] listening on interfaces:
>
> Oct 17 14:44:20 localhost charon: 00[KNL] eth1
>
> Oct 17 14:44:20 localhost charon: 00[KNL] 107.108.204.246
>
> Oct 17 14:44:20 localhost charon: 00[KNL] 10.10.1.1
>
> Oct 17 14:44:20 localhost charon: 00[KNL] 2011::14
>
> Oct 17 14:44:20 localhost charon: 00[KNL] fe80::21b:11ff:febb:263c
>
> Oct 17 14:44:20 localhost charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
>
> Oct 17 14:44:20 localhost charon: 00[CFG] loaded ca certificate "C=CH,
> O=Linux strongSwan, CN=strongSwan Root CA" from
> '/etc/ipsec.d/cacerts/strongswanCert.pem'
>
> Oct 17 14:44:20 localhost charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
>
> Oct 17 14:44:20 localhost charon: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
>
> Oct 17 14:44:20 localhost charon: 00[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
>
> Oct 17 14:44:20 localhost charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
>
> Oct 17 14:44:20 localhost charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
>
> Oct 17 14:44:20 localhost charon: 00[CFG] loaded RSA private key from
> '/etc/ipsec.d/private/aliceKey.pem'
>
> Oct 17 14:44:20 localhost charon: 00[CFG] eap-simaka-sql database URI
> missing
>
> Oct 17 14:44:20 localhost charon: 00[LIB] plugin 'eap-simaka-sql':
> failed to load - eap_simaka_sql_plugin_create returned NULL
>
> Oct 17 14:44:20 localhost charon: 00[DMN] loaded plugins: aes des sha1
> sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl
> fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default
> socket-raw stroke updown eap-identity eap-aka eap-aka-3gpp2
>
> Oct 17 14:44:20 localhost charon: 00[JOB] spawning 16 worker threads
>
> Oct 17 14:44:21 localhost charon: 07[CFG] received stroke: add
> connection 'host-host'
>
> Oct 17 14:44:21 localhost charon: 07[CFG] loaded certificate "C=CH,
> O=Linux strongSwan, OU=Sales, CN=alice at strongswan.org" from 'aliceCert.pem'
>
> Oct 17 14:44:21 localhost charon: 07[CFG] added configuration 'host-host'
>
> Oct 17 14:44:23 localhost charon: 07[CFG] received stroke: initiate
> 'host-host'
>
> Oct 17 14:44:23 localhost charon: 09[IKE] initiating IKE_SA host-host[1]
> to 107.108.204.245
>
> Oct 17 14:44:23 localhost charon: 09[ENC] generating IKE_SA_INIT request
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>
> Oct 17 14:44:23 localhost charon: 09[NET] sending packet: from
> 107.108.204.246[500] to 107.108.204.245[500]
>
> Oct 17 14:44:23 localhost charon: 10[NET] received packet: from
> 107.108.204.245[500] to 107.108.204.246[500]
>
> Oct 17 14:44:23 localhost charon: 10[ENC] parsed IKE_SA_INIT response 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>
> Oct 17 14:44:23 localhost charon: 10[IKE] received cert request for
> "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
>
> Oct 17 14:44:23 localhost charon: 10[IKE] authentication of
> 'alice at strongswan.org' (myself) with RSA signature successful
>
> Oct 17 14:44:23 localhost charon: 10[IKE] sending end entity cert "C=CH,
> O=Linux strongSwan, OU=Sales, CN=alice at strongswan.org"
>
> Oct 17 14:44:23 localhost charon: 10[IKE] establishing CHILD_SA host-host
>
> Oct 17 14:44:23 localhost charon: 10[ENC] generating IKE_AUTH request 1
> [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
>
alice does not send a certificate request payload. Therefore
venus will not send a certificate payload (see comment below)
> Oct 17 14:44:23 localhost charon: 10[NET] sending packet: from
> 107.108.204.246[500] to 107.108.204.245[500]
>
> Oct 17 14:44:23 localhost charon: 11[NET] received packet: from
> 107.108.204.245[500] to 107.108.204.246[500]
>
> Oct 17 14:44:23 localhost charon: 11[ENC] parsed IKE_AUTH response 1 [
> IDr AUTH SA TSi TSr N(AUTH_LFT) ]
>
The peer venus does not include a certificate payload in the IKE_AUTH
response. Therefore alice cannot find the public key of venus.
> Oct 17 14:44:23 localhost charon: 11[IKE] no trusted RSA public key
> found for 'venus.strongswan.org'
>
>
>
> Ipsec.secrets:=
>
>
>
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
>
>
> : RSA alicekey.pem
>
>
>
> Host2:
>
> /ipsec up host-host
>
> initiating IKE_SA host-host[3] to 107.108.204.246
>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>
> sending packet: from 107.108.204.245[500] to 107.108.204.246[500]
>
> received packet: from 107.108.204.246[500] to 107.108.204.245[500]
>
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH) ]
>
> sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
>
> authentication of 'venus.strongswan.org' (myself) with RSA signature
> successful
>
> establishing CHILD_SA host-host
>
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA
> TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
>
> sending packet: from 107.108.204.245[500] to 107.108.204.246[500]
>
> received packet: from 107.108.204.246[500] to 107.108.204.245[500]
>
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> received AUTHENTICATION_FAILED notify error
>
>
>
>
>
> conn host-host
>
> left=107.108.204.245
>
> right=107.108.204.246
>
> leftcert=venusCert.pem
>
> rightid=alice at strongswan.org
>
> leftid=venus.strongswan.org
>
> leftfirewall=no
>
> mobike=no
>
> auto=add
>
>
>
> logs:
>
> Oct 17 15:38:18 infba02071 charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.5.3)
>
> Oct 17 15:38:18 infba02071 charon: 00[CFG] disabling load-tester plugin,
> not configured
>
> Oct 17 15:38:18 infba02071 charon: 00[LIB] plugin 'load-tester': failed
> to load - load_tester_plugin_create returned NULL
>
> Oct 17 15:38:18 infba02071 charon: 00[KNL] listening on interfaces:
>
> Oct 17 15:38:18 infba02071 charon: 00[KNL] peth1
>
> Oct 17 15:38:18 infba02071 charon: 00[KNL] fe80::21b:11ff:febb:2651
>
> Oct 17 15:38:18 infba02071 charon: 00[KNL] virbr0
>
> Oct 17 15:38:18 infba02071 charon: 00[KNL] 192.168.122.1
>
> Oct 17 15:38:18 infba02071 charon: 00[KNL] fe80::200:ff:fe00:0
>
> Oct 17 15:38:18 infba02071 charon: 00[KNL] eth1
>
> Oct 17 15:38:18 infba02071 charon: 00[KNL] 107.108.204.245
>
> Oct 17 15:38:18 infba02071 charon: 00[KNL] fe80::21b:11ff:febb:2651
>
> Oct 17 15:38:18 infba02071 charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
>
> Oct 17 15:38:18 infba02071 charon: 00[CFG] loaded ca certificate
> "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from
> '/etc/ipsec.d/cacerts/strongswanCert.pem'
>
> Oct 17 15:38:18 infba02071 charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
>
> Oct 17 15:38:18 infba02071 charon: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
>
> Oct 17 15:38:18 infba02071 charon: 00[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
>
> Oct 17 15:38:18 infba02071 charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
>
> Oct 17 15:38:18 infba02071 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
>
> Oct 17 15:38:18 infba02071 charon: 00[CFG] loaded RSA private key from
> '/etc/ipsec.d/private/venusKey.pem'
>
> Oct 17 15:38:18 infba02071 charon: 00[CFG] eap-simaka-sql database URI
> missing
>
> Oct 17 15:38:18 infba02071 charon: 00[LIB] plugin 'eap-simaka-sql':
> failed to load - eap_simaka_sql_plugin_create returned NULL
>
> Oct 17 15:38:18 infba02071 charon: 00[DMN] loaded plugins: aes des sha1
> sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl
> fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default
> socket-raw stroke updown eap-identity eap-aka eap-aka-3gpp2
>
> Oct 17 15:38:18 infba02071 charon: 00[JOB] spawning 16 worker threads
>
> Oct 17 15:38:18 infba02071 charon: 02[CFG] received stroke: add
> connection 'host-host'
>
> Oct 17 15:38:18 infba02071 charon: 02[CFG] loaded certificate "C=CH,
> O=Linux strongSwan, CN=venus.strongswan.org" from 'venusCert.pem'
>
> Oct 17 15:38:18 infba02071 charon: 02[CFG] added configuration 'host-host'
>
> Oct 17 15:38:19 infba02071 charon: 07[NET] received packet: from
> 107.108.204.246[500] to 107.108.204.245[500]
>
> Oct 17 15:38:19 infba02071 charon: 07[ENC] parsed IKE_SA_INIT request 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>
> Oct 17 15:38:19 infba02071 charon: 07[IKE] 107.108.204.246 is initiating
> an IKE_SA
>
> Oct 17 15:38:19 infba02071 charon: 07[IKE] sending cert request for
> "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
>
> Oct 17 15:38:19 infba02071 charon: 07[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>
> Oct 17 15:38:19 infba02071 charon: 07[NET] sending packet: from
> 107.108.204.245[500] to 107.108.204.246[500]
>
> Oct 17 15:38:19 infba02071 charon: 08[NET] received packet: from
> 107.108.204.246[500] to 107.108.204.245[500]
>
> Oct 17 15:38:19 infba02071 charon: 08[ENC] parsed IKE_AUTH request 1 [
> IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
>
> Oct 17 15:38:19 infba02071 charon: 08[IKE] received end entity cert
> "C=CH, O=Linux strongSwan, OU=Sales, CN=alice at strongswan.org"
>
> Oct 17 15:38:19 infba02071 charon: 08[CFG] looking for peer configs
> matching
> 107.108.204.245[venus.strongswan.org]...107.108.204.246[alice at strongswan.org]
>
>
> Oct 17 15:38:19 infba02071 charon: 08[CFG] selected peer config 'host-host'
>
> Oct 17 15:38:19 infba02071 charon: 08[CFG] using certificate "C=CH,
> O=Linux strongSwan, OU=Sales, CN=alice at strongswan.org"
>
> Oct 17 15:38:19 infba02071 charon: 08[CFG] using trusted ca
> certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
>
> Oct 17 15:38:19 infba02071 charon: 08[CFG] checking certificate status
> of "C=CH, O=Linux strongSwan, OU=Sales, CN=alice at strongswan.org"
>
> Oct 17 15:38:19 infba02071 charon: 08[CFG] fetching crl from
> 'http://crl.strongswan.org/strongswan.crl' ...
>
> Oct 17 15:38:19 infba02071 charon: 08[LIB] unable to fetch from
> http://crl.strongswan.org/strongswan.crl, no capable fetcher found
>
> Oct 17 15:38:19 infba02071 charon: 08[CFG] crl fetching failed
>
> Oct 17 15:38:19 infba02071 charon: 08[CFG] certificate status is not
> available
>
> Oct 17 15:38:19 infba02071 charon: 08[CFG] reached self-signed root ca
> with a path length of 0
>
> Oct 17 15:38:19 infba02071 charon: 08[IKE] authentication of
> 'alice at strongswan.org' with RSA signature successful
>
> Oct 17 15:38:19 infba02071 charon: 08[IKE] authentication of
> 'venus.strongswan.org' (myself) with RSA signature successful
>
> Oct 17 15:38:19 infba02071 charon: 08[IKE] IKE_SA host-host[1]
> established between
> 107.108.204.245[venus.strongswan.org]...107.108.204.246[alice at strongswan.org]
>
>
> Oct 17 15:38:19 infba02071 charon: 08[IKE] scheduling reauthentication
> in 3253s
>
> Oct 17 15:38:19 infba02071 charon: 08[IKE] maximum IKE_SA lifetime 3433s
>
> Oct 17 15:38:19 infba02071 charon: 08[IKE] CHILD_SA host-host{1}
> established with SPIs c3186b2f_i c0ed2141_o and TS 107.108.204.245/32
> === 107.108.204.246/32
>
> Oct 17 15:38:19 infba02071 charon: 08[ENC] generating IKE_AUTH response
> 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
>
> Oct 17 15:38:19 infba02071 charon: 08[NET] sending packet: from
> 107.108.204.245[500] to 107.108.204.246[500]
>
> Oct 17 15:38:20 infba02071 charon: 05[CFG] received stroke: initiate
> 'host-host'
>
> Oct 17 15:38:20 infba02071 charon: 11[IKE] establishing CHILD_SA host-host
>
> Oct 17 15:38:20 infba02071 charon: 11[ENC] generating CREATE_CHILD_SA
> request 0 [ SA No TSi TSr ]
>
> Oct 17 15:38:20 infba02071 charon: 11[NET] sending packet: from
> 107.108.204.245[500] to 107.108.204.246[500]
>
> Oct 17 15:38:24 infba02071 charon: 12[IKE] retransmit 1 of request with
> message ID 0
>
> Oct 17 15:38:24 infba02071 charon: 12[NET] sending packet: from
> 107.108.204.245[500] to 107.108.204.246[500]
>
> Oct 17 15:38:32 infba02071 charon: 13[IKE] retransmit 2 of request with
> message ID 0
>
> Oct 17 15:38:32 infba02071 charon: 13[NET] sending packet: from
> 107.108.204.245[500] to 107.108.204.246[500]
>
> Oct 17 15:38:45 infba02071 charon: 06[IKE] retransmit 3 of request with
> message ID 0
>
> Oct 17 15:38:45 infba02071 charon: 06[NET] sending packet: from
> 107.108.204.245[500] to 107.108.204.246[500]
>
> Oct 17 15:38:49 infba02071 charon: 00[DMN] signal of type SIGINT
> received. Shutting down
>
>
>
> Ipsec.secrets:=
>
>
>
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
>
>
> : RSA venusKey.pem
>
>
>
> Regards,
>
> Jayateerth Hulgi
It would be helpful if you wouldn't change your VPN setup every
time you ask for support. It's like blundering without a torch
light in the pitch-black dark!
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list