[strongSwan] No private key found for 'C=CA ...........'
Farid Farid
farid21657 at yahoo.com
Fri Jul 26 03:00:16 CEST 2013
Hi Community,
I am wondering if this is the right place to ask basic questions regarding strongSwan and IPsec. I have posted some questions but got no reply at all, which is kind of disappointing.
I hope this time I get an answer, or at least that someone can tell me where I should post my questions.
I am trying to create an IPsec tunnel using strongSwan 5.0.4 between two OpenWrt Linux-based machines running kernel 3.3.8 in a very basic scenario.
Any time I try to bring up a connection (ipsec up lmu55) I get the following error:
no private key found for 'C=CA CN=lmu55'
configuration uses unsupported authentication
tried to check-in and delete nonexisting IKE_SA
establishing connection 'conn' failed
I have two Linux boxes called lmu55 and lmu56.
I am creating the private keys and certificates like this:
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CA, O=strongswan, CN=lmu55" --outform pem --ca > caCert.pem
for left gateway:
ipsec pki --gen --outform pem > lmu55Key.pem
ipsec pki --pub --in lmu55Key.pem|ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, CN=lmu55" --outform pem > lmu55Cert.pem
for right gateway:
ipsec pki --gen --outform pem > lmu56Key.pem
ipsec pki --pub --in lmu56Key.pem|ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, CN=lmu56" --outform pem > lmu56Cert.pem
left:
cp lmu55Key.pem lmu55:/etc/ipsec.d/private/
cp lmu55Cert.pem lmu55:/ipsec.d/certs/
cp caCert.pem lmu55:/ipsec.d/cacerts/
right:
cp lmu55Key.pem lmu55:/etc/ipsec.d/private/
cp lmu55Cert.pem lmu55:/ipsec.d/certs/
cp caCert.pem lmu55:/ipsec.d/cacerts/
Here is the ipsec.conf and ipsec.secret for lmu55:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=no
# uniqueids = no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
# authby=xauthrsasig
# mobike=no
# Add connections here.
# Sample VPN connections
conn lmu55
left=192.168.1.55
leftid="C=CA, CN=lmu55"
leftcert=lmu55Cert.pem
leftfirewall=yes
right=192.168.1.56
rightid="C=CA, CN=lmu56"
auto=add
and ipsec.secret
# generated by /etc/init.d/ipsec
: RSA lmu55Key.pem
Here is the ipsec.conf and ipsec.secret for lmu56:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
strictcrlpolicy=no
uniqueids = no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
#authby=xauthprsasig
#mobike=no
# Add connections here.
# Sample VPN connections
conn lmu56
left=192.168.1.56
leftid="C=CA, CN=lmu56"
leftcert=lmu56Cert.der
leftfirewall=yes
right=192.168.1.55
rightid="C=CA, CN=lmu55"
auto=add
and ipsec.secret
# generated by /etc/init.d/ipsec
: RSA lmu56Key.pem
If I use authby=xauthprsasig, I can see the peers start negotiating, but it eventually fails with the same error. Here is the log data:
root at LMU5k:~# ipsec up lmu55
initiating Main Mode IKE_SA lmu55[1] to 192.168.1.56
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (224 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (372 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (372 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
no RSA private key found for 'C=CA, CN=lmu55'
generating INFORMATIONAL_V1 request 1007725697 [ HASH N(AUTH_FAILED) ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (92 bytes)
establishing connection 'lmu55' failed
ipsec listcerts also returns empty.
What am I missing here?
Thanks for the help.
Farid
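A static cross-check of the kind a reviewer would run on the deployment above, added here as an example and not part of the thread or of strongSwan itself: it parses the conn sections of ipsec.conf and the ": RSA <file>" entries of ipsec.secrets, then compares them with the files actually installed under /etc/ipsec.d. The sample config, secrets and file list are constructed to mirror what the right-gateway copy commands in the post would produce.

```python
import re
from typing import Dict, List, Set

IPSEC_DIR = "/etc/ipsec.d"  # where strongSwan's stroke plugin loads certs and keys from

def parse_conns(ipsec_conf: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {option: value}} for every conn section of ipsec.conf."""
    conns, current = {}, None
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if line.startswith("config "):
            current = None                           # 'config setup' is not a conn
        elif line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))  # DNs contain '='
            current[key] = value.strip('"')
    return conns

def parse_rsa_secrets(secrets: str) -> List[str]:
    """Return the file names referenced by ': RSA <file>' lines in ipsec.secrets."""
    matches = (re.match(r"^:\s*RSA\s+(\S+)", raw.strip()) for raw in secrets.splitlines())
    return [m.group(1).strip('"') for m in matches if m]

def check_deployment(ipsec_conf: str, secrets: str, present: Set[str]) -> List[str]:
    """Cross-check the config against the files actually installed on the gateway."""
    problems = []
    for name, opts in parse_conns(ipsec_conf).items():
        cert = opts.get("leftcert")
        if name != "%default" and cert and f"{IPSEC_DIR}/certs/{cert}" not in present:
            problems.append(f"conn {name}: leftcert {cert} is not in {IPSEC_DIR}/certs")
    for key in parse_rsa_secrets(secrets):
        path = key if key.startswith("/") else f"{IPSEC_DIR}/private/{key}"
        if path not in present:
            problems.append(f"ipsec.secrets: RSA key {path} does not exist")
    for path in sorted(present):
        if not path.startswith(IPSEC_DIR + "/"):
            problems.append(f"{path}: outside {IPSEC_DIR}, strongSwan will not load it")
    return problems

# Constructed sample (not from the post verbatim): the conn references lmu56Cert.der,
# but the cp commands installed lmu55's files and put the certs under /ipsec.d.
SAMPLE_CONF = """conn lmu56
    leftid="C=CA, CN=lmu56"
    leftcert=lmu56Cert.der
"""
SAMPLE_SECRETS = ": RSA lmu56Key.pem\n"
SAMPLE_FILES = {"/etc/ipsec.d/private/lmu55Key.pem",
                "/ipsec.d/certs/lmu55Cert.pem", "/ipsec.d/cacerts/caCert.pem"}
```

Running check_deployment(SAMPLE_CONF, SAMPLE_SECRETS, SAMPLE_FILES) lists the missing leftcert, the missing RSA key file and the two certificates installed outside /etc/ipsec.d.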