[strongSwan] Issues when loading rsa private key

Sameer Agrawal agrawalsameer at gmail.com
Tue Apr 8 07:42:41 CEST 2014


Hi Andreas

When I try to load the public portion of the peer's key (generated by
openssl), I see that the rsa key is malformed with an incorrect format
prefix.

ipsec_starter: conn À#002~ §#177/left: rsakey malformed [input too
short to be valid]
ipsec_starter: conn À#002~ §#177/right: rsakey malformed [input does
not begin with format prefix]

I have set the "rightrsasigkey" directive in my ipsec.conf file as
shown in the previous post.

Thanks
Sam

On Mon, Apr 7, 2014 at 11:39 AM, Sameer Agrawal <agrawalsameer at gmail.com> wrote:
> Thanks Andreas.
>
> So, I am using 2048 bits now and I fixed my /etc/ipsec.secrets file to
> load the key from /etc/ipsec.d/private directory.
> The key is now getting loaded, however the peer is complaining that it
> is unable to find the public key for the peer.
> I have configured the public key information in the /etc/ipsec.conf
> file using the "rightrsasigkey" directive.
>
> : "peer-192.0.2.1-tunnel-1" #44: responding to Main Mode
> : "peer-192.0.2.1-tunnel-1" #44: Peer ID is ID_IPV4_ADDR: '192.0.2.1'
> : "peer-192.0.2.1-tunnel-1" #44: no public key known for '192.0.2.1'
> : "peer-192.0.2.1-tunnel-1" #44: sending encrypted notification
> INVALID_KEY_INFORMATION to 192.0.2.1:500
> : "peer-192.0.2.1-tunnel-1" #44: Peer ID is ID_IPV4_ADDR: '192.0.2.1'
> : "peer-192.0.2.1-tunnel-1" #44: no public key known for '192.0.2.1'
> : "peer-192.0.2.1-tunnel-1" #44: sending encrypted notification
> INVALID_KEY_INFORMATION to 192.0.2.1:500
> : "peer-192.0.2.1-tunnel-1" #44: Peer ID is ID_IPV4_ADDR: '192.0.2.1'
> : "peer-192.0.2.1-tunnel-1" #44: no public key known for '192.0.2.1'
> : "peer-192.0.2.1-tunnel-1" #44: sending encrypted notification
> INVALID_KEY_INFORMATION to 192.0.2.1:500
>
> ipsec.secrets
> ==========
> : RSA ssl_r.pem
>
> ipsec.conf file
> ===========
> conn peer-192.0.2.1-tunnel-1
>         left=192.0.2.33
>         right=192.0.2.1
>         leftsubnet=192.168.60.0/24
>         rightsubnet=192.168.40.0/24
>         leftsourceip=192.168.60.8
>         ike=aes256-sha1,aes128-sha1!
>         ikelifetime=3600s
>         esp=aes256-sha1,3des-md5!
>         keylife=1800s
>         rekeymargin=540s
>         type=tunnel
>         pfs=yes
>         compress=no
>         authby=rsasig
>         leftrsasigkey="0"
>         rightrsasigkey="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZaxHxEEf2/dnlJhP0Q8yYE5Bj25tXyng8xi7M34qI8b5zxmtpay4G/3AxppjDh2/wvAe0CExOvgwOvvWyE4Wo66VYBF+TA2jdbSOrdz13Lm8BD2/WnBgs8zmdoLhSGyCeYUEpxfKuYYyr5o6nI2MufGlZuKUmJT8gq2Ryk+RM324AKQ2QPxHUk5IZUwUiNdjmbMaIyeORRdk7iziko7krCC2T7GIFA51EQrafd+nNQrU1ZX18LuqD1u7XQOUrge8jeROuQAbBnxXLSnyrUewjmN4tD1AztGV58AgzjAwPfVZRxdppmyhn9ioeecTONMQerf+pmK4UZv8Lje0o9EMwIDAQAB"
>         auto=start
>         keyingtries=%forever
>
> Am I missing anything?
>
> On Sat, Apr 5, 2014 at 1:39 AM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>> Hi Sam,
>>
>> your RSA private key is ok, although you should use
>> a modulus size of 2048 bits. Your 256 bit key is
>> ridiculously weak and might not even be accepted by the
>> IPsec peer.
>>
>> Most probably there is a syntax error in /etc/ipsec.secrets
>> where you try to load the private key from ssl_r.pem. Could
>> you post your ipsec.secrets file?
>>
>> Best regards
>>
>> Andreas
>>
>> On 04.04.2014 23:47, Sameer Agrawal wrote:
>>> Hi
>>>
>>> I am using strongswan-4.5.2 and seeing an issue with loading the rsa
>>> private key when I try to establish a site-to-site connection.
>>> I tried both "openssl" and "ipsec pki tool", however I am seeing the
>>> following error when loading the key.
>>>
>>> Using OPENSSL
>>> ==============
>>> openssl genrsa -out ssl_r.pem 256
>>>
>>> Key generated -> ssl_r.pem file
>>> =================================
>>> -----BEGIN RSA PRIVATE KEY-----
>>> MIGqAgEAAiEAyrDMmSXhTCAbJp1tqwtpDvRVB/MbbEOqdBNJirWuE4UCAwEAAQIg
>>> bxxYLCP9y1NWTubB9Z+9qMCk43rykSB7IbuopABJ0wkCEQD0Ef/I1/d0QugkG9ur
>>> 1yTfAhEA1JkGUEWfOr68YkG88PjQGwIQbIl0jgQ8bt8yDJy223wZUQIQUflnO9B8
>>> ozQkg2aBqhDmfQIRANkGT4FW29x0nWvyLn8Kxx0=
>>> -----END RSA PRIVATE KEY-----
>>>
>>>
>>> Error message from pluto src code:
>>> ===========================
>>> loading secrets from "ssl_r.pem"
>>> line 2: unexpected end of id list
>>> line 3: unexpected end of id list
>>> line 4: unexpected end of id list
>>> line 5: unexpected end of id list
>>> line 6: unexpected end of id list
>>> line 6: unexpected end of id list
>>> ...
>>> and finally, ike alg: unable to retrieve my private key.
>>>
>>>
>>> I faced a similar issue when using the "ipsec pki" tool too. Can you please
>>> let me know what I can do so that the secret key is loaded correctly.
>>>
>>> Thanks
>>> Sam
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>
>> --
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
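The "does not begin with format prefix" error in the top post comes from the rightrsasigkey= value above being a bare SubjectPublicKeyInfo base64 blob (the body of a PEM "PUBLIC KEY" file), whereas pluto's ipsec.conf parser wants a prefixed value: 0s followed by the base64 of the RFC 3110 (RFC 2537) exponent-length/exponent/modulus encoding, the same form `ipsec showhostkey` prints. The following stdlib-only Python script is an added example, not code from the thread or from strongSwan; it converts the key pasted in the quoted ipsec.conf into that 0s form and checks the decoded modulus and exponent on the way.

```python
import base64

# The peer key exactly as pasted in the rightrsasigkey= line of the quoted
# ipsec.conf: DER SubjectPublicKeyInfo, base64, no 0s/0x prefix.
PEER_SPKI_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZaxHxEEf2/dnlJhP0Q8yYE5Bj25"
    "tXyng8xi7M34qI8b5zxmtpay4G/3AxppjDh2/wvAe0CExOvgwOvvWyE4Wo66VYBF+TA2jdbS"
    "Ordz13Lm8BD2/WnBgs8zmdoLhSGyCeYUEpxfKuYYyr5o6nI2MufGlZuKUmJT8gq2Ryk+RM32"
    "4AKQ2QPxHUk5IZUwUiNdjmbMaIyeORRdk7iziko7krCC2T7GIFA51EQrafd+nNQrU1ZX18Lu"
    "qD1u7XQOUrge8jeROuQAbBnxXLSnyrUewjmN4tD1AztGV58AgzjAwPfVZRxdppmyhn9ioeec"
    "TONMQerf+pmK4UZv8Lje0o9EMwIDAQAB")

def _der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = # of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def spki_to_rsa(spki_b64):
    """Pull (modulus, exponent) out of a base64 DER SubjectPublicKeyInfo (RSA)."""
    tag, body, _ = _der_tlv(base64.b64decode(spki_b64), 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, _alg, pos = _der_tlv(body, 0)        # AlgorithmIdentifier (rsaEncryption, NULL)
    tag, bitstr, _ = _der_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING holding RSAPublicKey")
    _, seq, _ = _der_tlv(bitstr[1:], 0)     # skip unused-bits byte; RSAPublicKey SEQUENCE
    _, n_bytes, pos = _der_tlv(seq, 0)      # INTEGER modulus (may carry a leading 0x00)
    _, e_bytes, _ = _der_tlv(seq, pos)      # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def to_rfc3110(n, e):
    """RFC 3110 RSA key blob: exponent length (1 byte, or 0x00 + 2 bytes), exponent, modulus."""
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    hdr = bytes([len(e_bytes)]) if len(e_bytes) < 256 else b"\x00" + len(e_bytes).to_bytes(2, "big")
    return hdr + e_bytes + n_bytes

def rsasigkey_from_spki(spki_b64):
    """Return the 0s-prefixed string usable as leftrsasigkey=/rightrsasigkey= in ipsec.conf."""
    n, e = spki_to_rsa(spki_b64)
    return "0s" + base64.b64encode(to_rfc3110(n, e)).decode("ascii")

if __name__ == "__main__":
    n, e = spki_to_rsa(PEER_SPKI_B64)
    print("modulus bits:", n.bit_length(), "exponent:", e)
    print("rightrsasigkey=" + rsasigkey_from_spki(PEER_SPKI_B64))
```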