[strongSwan] No private key found for 'C=CA ...........'
Farid Farid
farid21657 at yahoo.com
Thu Aug 1 19:18:33 CEST 2013
Hi Martin/Andreas,
Now I can ping the other peer and see secure ESP packets going back and forth, but I can also see one unsecure packet, as you can see below. It seems the 55 node sends the echo request twice, one secure and one unsecure. Is it normal?
01:24:44.559099 IP LMU5k.lan > 192.168.1.56: ESP(spi=0xcb8b0e8d,seq=0x1), length 132
01:24:44.559417 IP LMU5k.lan > 192.168.1.56: ICMP echo request, id 58919, seq 0, length 64
01:24:44.560057 IP 192.168.1.56 > LMU5k.lan: ESP(spi=0xc3b7a86c,seq=0x1), length 132
01:24:45.565739 IP LMU5k.lan > 192.168.1.56: ESP(spi=0xcb8b0e8d,seq=0x2), length 132
01:24:45.566053 IP LMU5k.lan > 192.168.1.56: ICMP echo request, id 58919, seq 1, length 64
01:24:45.566496 IP 192.168.1.56 > LMU5k.lan: ESP(spi=0xc3b7a86c,seq=0x2), length 132
01:24:46.575691 IP LMU5k.lan > 192.168.1.56: ESP(spi=0xcb8b0e8d,seq=0x3), length 132
01:24:46.576008 IP LMU5k.lan > 192.168.1.56: ICMP echo request, id 58919, seq 2, length 64
01:24:46.576447 IP 192.168.1.56 > LMU5k.lan: ESP(spi=0xc3b7a86c,seq=0x3), length 132
01:24:46.87
Thanks,
Farid
________________________________
From: Farid Farid <farid21657 at yahoo.com>
To: Andreas Steffen <andreas.steffen at strongswan.org>
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
Sent: Thursday, August 1, 2013 9:28 AM
Subject: Re: [strongSwan] No private key found for 'C=CA ...........'
Hi Andreas,
Thank you so much. It is working now!! :)
Cheers,
Farid
________________________________
From: Andreas Steffen <andreas.steffen at strongswan.org>
To: Farid Farid <farid21657 at yahoo.com>
Cc: Martin Willi <martin at strongswan.org>; "users at lists.strongswan.org" <users at lists.strongswan.org>
Sent: Wednesday, July 31, 2013 11:37 PM
Subject: Re: [strongSwan] No private key found for 'C=CA ...........'
Hi Farid,
the startup warning
> !! Your strongswan.conf contains manual plugin load options for charon.
> !! This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
is intended for newbies like you who don't know what they are doing
when meddling around with the strongswan.conf load statement:
- The pkcs1 plugin is missing so your private key won't get parsed:
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders
> 00[CFG] loading private key from '/etc/ipsec.d/private/lmu56Key.pem'
> failed
- The x509 plugin is missing so your certificates don't get parsed:
> 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders
> 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem'
> failed
Just remove the load statement from strongswan.conf and you'll fare
much better!
Andreas
On 08/01/2013 04:35 AM, Farid Farid wrote:
> Thank you Martin for the hint.
>
> I added 'pem' in strongswan.conf (you can see strongswan.conf below):
> But I still get the same output. Please see the
> ipsec start --no-fork output right after strongswan.conf
> This package is also installed : strongswan-mod-pem - 5.0.4-1
>
> Is there any other way to debug this to see why it is not loading the keys?
>
>
>
> Appreciate your help.
>
> Farid
>
>
>
> 08[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
>   # number of worker threads in charon
>   threads = 16
>
>   load = aes pem des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
>
>   # send strongswan vendor ID?
>   # send_vendor_id = yes
>
>   plugins {
>
>     sql {
>       # loglevel to log into sql database
>       loglevel = -1
>
>       # URI to the database
>       # database = sqlite:///path/to/file.db
>       # database = mysql://user:password@localhost/database
>     }
>   }
>
>   # ...
> }
>
> pluto {
>
> }
>
> libstrongswan {
>
>   # set to no, the DH exponent size is optimized
>   # dh_exponent_ansi_x9_42 = no
> }
>
> ~
>
> root@LMU8K:~# ipsec start --nofork
> Starting strongSwan 5.0.4 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for charon.
> !! This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.3.8,
> armv5tejl)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders
> 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem'
> failed
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders
> 00[CFG] loading private key from '/etc/ipsec.d/private/lmu56Key.pem'
> failed
> 00[DMN] loaded plugins: charon aes pem des sha1 sha2 md5 gmp random
> nonce hmac stroke kernel-netlink socket-default updown
> 00[JOB] spawning 16 worker threads
> charon (2628) started after 80 ms
> 08[CFG] received stroke: add connection 'lmu56'
> 08[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
> 08[CFG] loading certificate from 'lmu56Cert.pem' failed
> 08[CFG] added configuration 'lmu56'
>
>
>
>
>
------------------------------------------------------------------------
> *From:* Martin Willi <martin at strongswan.org>
> *To:* Farid Farid <farid21657 at yahoo.com>
> *Cc:* "users at lists.strongswan.org" <users at lists.strongswan.org>
> *Sent:* Sunday, July 28, 2013 12:19 AM
> *Subject:* Re: [strongSwan] No private key found for 'C=CA ...........'
>
> Hi Farid,
>
>> !! Your strongswan.conf contains manual plugin load options for charon.
>> !! This is recommended for experts only, see
>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>
> This warning pops up for a specific reason:
>
>> 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce
> hmac stroke kernel-netlink socket-default updown
>
> You didn't load the pem plugin, hence
>
>> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders
>> 00[CFG] loading private key from '/etc/ipsec.d/private/lmu55Key.pem'
> failed
>
> loading a PEM encoded private key fails.
>
> Regards
> Martin
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
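
Added example (not part of the original thread and not strongSwan code): a small Python check that reads charon startup output like the log quoted above and reports which of the plugins named in the replies (pem, pkcs1, x509) are absent from the load list. The REQUIRED mapping covers only what this thread states and is not a complete dependency list; the sample lines are copied from the quoted log.

```python
import re

# Plugins each credential type needs, as named in the replies in this thread:
# pem decodes PEM files, pkcs1 parses RSA private keys, x509 parses certificates.
# Assumption: nothing beyond these three is checked.
REQUIRED = {
    "CRED_PRIVATE_KEY": ("pem", "pkcs1"),
    "CRED_CERTIFICATE": ("pem", "x509"),
}
BUILD_FAIL = re.compile(r"building (CRED_\w+) - \w+ failed, tried \d+ builders")
LOADED = re.compile(r"loaded plugins: (.*)")

# Sample input: lines copied from the startup log quoted in the thread.
SAMPLE = """\
> 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders
> 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem'
> failed
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders
> 00[CFG] loading private key from '/etc/ipsec.d/private/lmu56Key.pem'
> failed
> 00[DMN] loaded plugins: charon aes pem des sha1 sha2 md5 gmp random
> nonce hmac stroke kernel-netlink socket-default updown
> 00[JOB] spawning 16 worker threads
"""

def unwrap(text):
    """Strip mail quoting and rejoin log lines that the mail client wrapped."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        if re.match(r"\d\d\[[A-Z]{3}\]", line) or not entries:
            entries.append(line)          # a new "NN[GRP] ..." log entry
        else:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries

def diagnose(text):
    """Map each credential type that failed to build to its missing plugins."""
    entries = unwrap(text)
    loaded = set()
    for e in entries:                     # the plugin list is logged after the failures
        m = LOADED.search(e)
        if m:
            loaded = set(m.group(1).split())
    report = {}
    for e in entries:
        m = BUILD_FAIL.search(e)
        if m:
            need = REQUIRED.get(m.group(1), ())
            report[m.group(1)] = sorted(p for p in need if p not in loaded)
    return report

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```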