[strongSwan] Issues when loading rsa private key

Sameer Agrawal agrawalsameer at gmail.com
Mon Apr 7 20:39:24 CEST 2014


Thanks Andreas.

So, I am using 2048 bits now and I fixed my /etc/ipsec.secrets file to
load the key from /etc/ipsec.d/private directory.
The key is now getting loaded, however the peer is complaining that it
is unable to find the public key for the peer.
I have configured the public key information in the /etc/ipsec.conf
file using the "rightrsasigkey" directive.

: "peer-192.0.2.1-tunnel-1" #44: responding to Main Mode
: "peer-192.0.2.1-tunnel-1" #44: Peer ID is ID_IPV4_ADDR: '192.0.2.1'
: "peer-192.0.2.1-tunnel-1" #44: no public key known for '192.0.2.1'
: "peer-192.0.2.1-tunnel-1" #44: sending encrypted notification
INVALID_KEY_INFORMATION to 192.0.2.1:500
: "peer-192.0.2.1-tunnel-1" #44: Peer ID is ID_IPV4_ADDR: '192.0.2.1'
: "peer-192.0.2.1-tunnel-1" #44: no public key known for '192.0.2.1'
: "peer-192.0.2.1-tunnel-1" #44: sending encrypted notification
INVALID_KEY_INFORMATION to 192.0.2.1:500
: "peer-192.0.2.1-tunnel-1" #44: Peer ID is ID_IPV4_ADDR: '192.0.2.1'
: "peer-192.0.2.1-tunnel-1" #44: no public key known for '192.0.2.1'
: "peer-192.0.2.1-tunnel-1" #44: sending encrypted notification
INVALID_KEY_INFORMATION to 192.0.2.1:500

ipsec.secrets
==========
: RSA ssl_r.pem

ipsec.conf file
===========
conn peer-192.0.2.1-tunnel-1
        left=192.0.2.33
        right=192.0.2.1
        leftsubnet=192.168.60.0/24
        rightsubnet=192.168.40.0/24
        leftsourceip=192.168.60.8
        ike=aes256-sha1,aes128-sha1!
        ikelifetime=3600s
        esp=aes256-sha1,3des-md5!
        keylife=1800s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        compress=no
        authby=rsasig
        leftrsasigkey="0"
        rightrsasigkey="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZaxHxEEf2/dnlJhP0Q8yYE5Bj25tXyng8xi7M34qI8b5zxmtpay4G/3AxppjDh2/wvAe0CExOvgwOvvWyE4Wo66VYBF+TA2jdbSOrdz13Lm8BD2/WnBgs8zmdoLhSGyCeYUEpxfKuYYyr5o6nI2MufGlZuKUmJT8gq2Ryk+RM324AKQ2QPxHUk5IZUwUiNdjmbMaIyeORRdk7iziko7krCC2T7GIFA51EQrafd+nNQrU1ZX18LuqD1u7XQOUrge8jeROuQAbBnxXLSnyrUewjmN4tD1AztGV58AgzjAwPfVZRxdppmyhn9ioeecTONMQerf+pmK4UZv8Lje0o9EMwIDAQAB"
        auto=start
        keyingtries=%forever

Am I missing anything?

On Sat, Apr 5, 2014 at 1:39 AM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hi Sam,
>
> your RSA private key is ok, although you should use
> a modulus size of 2048 bits. Your 256 bit key is
> ridiculously weak and might not even be accepted by the
> IPsec peer.
>
> Most probably there is a syntax error in /etc/ipsec.secrets
> where you try to load the private key from ssl_r.pem. Could
> you post your ipsec.secrets file?
>
> Best regards
>
> Andreas
>
> On 04.04.2014 23:47, Sameer Agrawal wrote:
>> Hi
>>
>> I am using strongswan-4.5.2 and seeing an issue with loading the rsa
>> private key when I try to establish a site-to-site connection.
>> I tried both "openssl" and "ipsec pki tool", however I am seeing the
>> following error when loading the key.
>>
>> Using OPENSSL
>> ==============
>> openssl genrsa -out ssl_r.pem 256
>>
>> Key generated -> ssl_r.pem file
>> =================================
>> -----BEGIN RSA PRIVATE KEY-----
>> MIGqAgEAAiEAyrDMmSXhTCAbJp1tqwtpDvRVB/MbbEOqdBNJirWuE4UCAwEAAQIg
>> bxxYLCP9y1NWTubB9Z+9qMCk43rykSB7IbuopABJ0wkCEQD0Ef/I1/d0QugkG9ur
>> 1yTfAhEA1JkGUEWfOr68YkG88PjQGwIQbIl0jgQ8bt8yDJy223wZUQIQUflnO9B8
>> ozQkg2aBqhDmfQIRANkGT4FW29x0nWvyLn8Kxx0=
>> -----END RSA PRIVATE KEY-----
>>
>>
>> Error message from pluto src code:
>> ===========================
>> loading secrets from "ssl_r.pem"
>> line 2: unexpected end of id list
>> line 3: unexpected end of id list
>> line 4: unexpected end of id list
>> line 5: unexpected end of id list
>> line 6: unexpected end of id list
>> line 6: unexpected end of id list
>> ...
>> and finally, ike alg: unable to retrieve my private key.
>>
>>
>> I faced a similar issue when using the "ipsec pki" tool too. Can you please
>> let me know what I can do so that the secret key is loaded correctly.
>>
>> Thanks
>> Sam
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
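The rightrsasigkey value in the ipsec.conf at the top of this message is a bare base64 DER SubjectPublicKeyInfo (the 2048-bit RSA SPKI prefix MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A is unmistakable), whereas the ipsec.conf(5) man page of the 4.x releases documents the raw-key form of left/rightrsasigkey as RFC 2537 format (same wire format as RFC 3110) with a 0s (base64) or 0x (hex) prefix. The script below is an added example, not code from the thread or from the strongSwan project: it tells the two encodings apart, extracts (e, n) with a minimal DER parser, and rewrites the key in the 0s form; that the 4.5.2 pluto daemon only parses the latter is my reading of the man page, not something the thread states.

```python
import base64

POSTED_KEY = (  # rightrsasigkey value from the ipsec.conf posted above (bare base64 DER)
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZaxHxEEf2/dnlJhP0Q8yYE5Bj25tXyng8xi7M34qI8b5zxmtpay4G/3"
    "AxppjDh2/wvAe0CExOvgwOvvWyE4Wo66VYBF+TA2jdbSOrdz13Lm8BD2/WnBgs8zmdoLhSGyCeYUEpxfKuYYyr5o6nI2MufGlZuK"
    "UmJT8gq2Ryk+RM324AKQ2QPxHUk5IZUwUiNdjmbMaIyeORRdk7iziko7krCC2T7GIFA51EQrafd+nNQrU1ZX18LuqD1u7XQOUrge"
    "8jeROuQAbBnxXLSnyrUewjmN4tD1AztGV58AgzjAwPfVZRxdppmyhn9ioeecTONMQerf+pmK4UZv8Lje0o9EMwIDAQAB"
)

def _der_read(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos). Definite lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_to_rsa(der):
    """(e, n) from a DER SubjectPublicKeyInfo or a PKCS#1 RSAPublicKey."""
    _, body, _ = _der_read(der, 0)          # outer SEQUENCE
    tag, first, nxt = _der_read(body, 0)
    if tag == 0x30:                         # SPKI: AlgorithmIdentifier, then BIT STRING
        tag, bits, _ = _der_read(body, nxt)
        if tag != 0x03 or bits[0] != 0:
            raise ValueError("malformed subjectPublicKey BIT STRING")
        _, body, _ = _der_read(bits, 1)     # inner RSAPublicKey SEQUENCE
        tag, first, nxt = _der_read(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    _, second, _ = _der_read(body, nxt)
    return int.from_bytes(second, "big"), int.from_bytes(first, "big")

def rfc3110_encode(e, n):
    """RFC 2537/3110 RSA key blob: exponent length (1 or 3 bytes), exponent, modulus."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    elen = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    return elen + eb + nb

def rfc3110_decode(raw):
    elen, pos = (int.from_bytes(raw[1:3], "big"), 3) if raw[0] == 0 else (raw[0], 1)
    return int.from_bytes(raw[pos:pos + elen], "big"), int.from_bytes(raw[pos + elen:], "big")

def classify(value):
    """-> (kind, (e, n), '0s<base64 RFC 3110 blob>') for a left/rightrsasigkey value."""
    prefix, data = (value[:2], value[2:]) if value[:2] in ("0s", "0x") else ("", value)
    raw = bytes.fromhex(data) if prefix == "0x" else base64.b64decode(data)
    kind = "der" if raw[0] == 0x30 else "rfc3110"   # DER SEQUENCE tag vs exponent-length byte
    e, n = der_to_rsa(raw) if kind == "der" else rfc3110_decode(raw)
    return kind, (e, n), "0s" + base64.b64encode(rfc3110_encode(e, n)).decode()
```

Running classify(POSTED_KEY) reports "der" with e = 65537 and a 2048-bit modulus, and returns the same key as a 0s-prefixed string; feeding that string back in round-trips as "rfc3110".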