[strongSwan] Problem to read private key - x509

Leandro . frr8rrf at gmail.com
Mon Mar 5 19:42:48 CET 2012


Hi Andreas, thank you for the information.

I reviewed the files and did find an error in ipsec.secrets: I forgot
to change the name of the key file.
But after correcting the error, another message appears in the log:

Mar  5 14:45:11 opensuse2-vm charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar  5 14:45:11 opensuse2-vm charon: 00[LIB] L1 - version: *ASN1 tag 0x02 expected, but is 0x30*
Mar  5 14:45:11 opensuse2-vm charon: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
Mar  5 14:45:11 opensuse2-vm charon: 00[CFG]   loading private key from '/etc/ipsec.d/private/198key.pem' failed


I found email messages (
https://lists.strongswan.org/pipermail/users/2010-April/004783.html) about
the same subject, but I'm confused about the correct format of the files (key
and certificate): is it .der or .pem?
The certificate files were generated as .pem and have this format (below):

opensuse2-vm:~/certs # cat 198key.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5kolUkBxvxICAggA
...
MBQGCCqGSIb3DQMHBAieNrtfR+zZvASCAoDBzE7vFHXgL0pP8k50T1qygBYyv3Cg
Vh8VR/V5JCcvo1C2JiRx84sZWKZMZ2EmEiJiXqKoL7jsrQotuWWEUmLU
-----END ENCRYPTED PRIVATE KEY-----


and the ipsec.secrets:

opensuse2-vm:/etc # cat ipsec.secrets
# ipsec.secrets
#
: RSA 198key.pem "thekey"



I want to mention the way I generated the cert:


/usr/share/ssl/misc/CA.sh -newca
/usr/share/ssl/misc/CA.sh -newreq
/usr/share/ssl/misc/CA.sh -sign


Is this correct? Or do I need to use openssl to generate the certs?

Thank you !



On 5 March 2012 11:50, Andreas Steffen <andreas.steffen at strongswan.org> wrote:

> Hi Leandro,
>
> either the syntax in your private key file is not correct or
> the key file is encrypted and you didn't specify the passphrase
> in /etc/ipsec.secrets.
>
>  : RSA 198key.pem "<passphrase>"
>
>  You can increase the debug level to
>
>   charondebug="lib 4"
>
> and check for additional error messages in the log file.
>
> Regards
>
> Andreas
>
> On 05.03.2012 15:31, Leandro . wrote:
> > Hi,
> >
> > I've created the x509 certificates in /root/certs; after this, I've
> > copied the certificate to /etc/ipsec.d/certs and the private key to
> > /etc/ipsec.d/private.
> > However, there is a problem loading the private key:
> >
> > _00[CFG]   loading private key from '/etc/ipsec.d/private/198key.pem' failed_
> >
> > My question: how can I force strongswan to read the private key in this
> > directory?
> > Or clean some information, to read a new file?
> > I did ipsec rereadall, rereadcacerts, but it didn't work.
> >
> > Thank you.
> >
> > --
> > *Jefferson Leandro*
> > *Curitiba - BR*
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>


-- 
*Jefferson Leandro*
*Curitiba - BR*
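
Added example, not part of the original message or of strongSwan: a small Python check that reads a PEM key's label and first DER tags to name its container format. The log line "ASN1 tag 0x02 expected, but is 0x30" fits a parser that expects an INTEGER version as the first inner field and instead meets the SEQUENCE (AlgorithmIdentifier) that opens a PKCS#8 EncryptedPrivateKeyInfo. The function names are hypothetical; the sample is the first base64 line of the key quoted above.

```python
import base64
import re

# Constructed sample: the label and first base64 line of the key quoted in the
# message (the rest is elided there); enough to expose the outer DER structure.
SAMPLE_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5kolUkBxvxICAggA
-----END ENCRYPTED PRIVATE KEY-----
"""

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def content_offset(der, pos):
    """Offset of the content of the DER element whose tag byte is at pos."""
    first_len = der[pos + 1]
    if first_len < 0x80:                    # short-form length
        return pos + 2
    return pos + 2 + (first_len & 0x7F)     # long form: skip the length octets

def classify_key(pem_text):
    """Return (pem_label, first_inner_tag, container) for a PEM private key."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(m.group(2).split()))
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    inner = content_offset(der, 0)
    tag = der[inner]
    if tag == 0x30:
        # SEQUENCE { AlgorithmIdentifier, OCTET STRING }: no version field
        container = "PKCS#8 EncryptedPrivateKeyInfo"
    elif tag == 0x02:
        # SEQUENCE { INTEGER version, ... }: the next tag tells the two apart
        nxt = der[content_offset(der, inner) + der[inner + 1]]
        container = {0x30: "PKCS#8 PrivateKeyInfo",
                     0x02: "PKCS#1 RSAPrivateKey"}.get(nxt, "unknown")
    else:
        container = "unknown"
    return m.group(1), tag, container

if __name__ == "__main__":
    label, tag, container = classify_key(SAMPLE_PEM)
    print(f"{label}: first inner tag 0x{tag:02x} -> {container}")
```

The check only inspects the outer structure, so it needs no passphrase and never decrypts the key.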