[strongSwan] No private key found for 'C=CA ...........'

Farid Farid farid21657 at yahoo.com
Fri Jul 26 20:21:28 CEST 2013

Hi Martin,

Thank you so much for  your response.  :)
yes I copied everything properly in the correct place and I used the commands that I sent in my previous E-mail.

Here is the out put of   >>ipsec start --nofork

root at LMU5k:~# ipsec start --nofork
Starting strongSwan 5.0.4 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.3.8, armv5tejl)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders
00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem' failed
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/lmu55Key.pem' failed
00[DMN] loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
00[JOB] spawning 16 worker threads
charon (15172) started after 80 ms
06[CFG] received stroke: add connection 'lmu55'
06[LIB] building CRED_CERTIFICATE - ANY failed, tried 0 builders
06[CFG]   loading certificate from 'lmu55Cert.pem' failed
06[CFG] added configuration 'lmu55'

It seems Charon can't load anything . it failed at buliding CRED_CERTIFICATE..and I can't see if it ever tries to load  read from /ipsec.d/certs/  directory.

So is it the problem with certificate and key generation?  or there is a incompatibility here?
I created the certificate and keys on a Ubuntu machine with strongswan4.x.x ..Do you think it might be the issue?

Is there anyway to check if certificates and Keys are Ok before laoding them to the target machine?

Is it possible that strongswan compiled for this target machine is not a full package? However I  installed all required package base on OpenWrt wiki page.
My build compiler is uClibc .

I appreciate your help,

 From: Martin Willi <martin at strongswan.org>
To: Farid Farid <farid21657 at yahoo.com> 
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org> 
Sent: Friday, July 26, 2013 12:09 AM
Subject: Re: [strongSwan] No private key found for  'C=CA ...........'

Hi Farid,

> left:
> cp lmu55Key.pem     lmu55:/etc/ipsec.d/private/
> cp lmu55Cert.pem    lmu55:/ipsec.d/certs/
> cp caCert.pem        lmu55:/ipsec.d/cacerts/
> right:
> cp lmu55Key.pem     lmu55:/etc/ipsec.d/private/
> cp lmu55Cert.pem    lmu55:/ipsec.d/certs/
> cp caCert.pem        lmu55:/ipsec.d/cacerts/

I assume you have copied lmu56* to the appropriate places as well?

> no RSA private key found for 'C=CA, CN=lmu55'

At a first look the generation of your keys/certs looks good, but for
some reason the daemon can't find the private key for your certificate.

To check if the private key has been loaded, call "ipsec listcerts". It
should list your peer certificate, and if it has a private key for it,
it should state "has private key".

If this is not the case, you should check the log and see if there is
any error during daemon startup. Alternatively, you can invoke the IKE
daemon in the foreground using "ipsec start --nofork". 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130726/631a5b16/attachment.html>

More information about the Users mailing list