[strongSwan] Issues when loading rsa private key

Sameer Agrawal agrawalsameer at gmail.com
Thu Apr 10 20:48:14 CEST 2014


Hi Andreas, users

The public key that I am getting (using openssl) does not start with
"0s" whereas the rsasigkey directive expects with 0s prefix (base 64
encoding).
I want to understand how can I get the public key with the "0s"
prefix. Neither "ipsec pki" nor "openssl rsa" is generating in the
format that strongswan-4.5.2 expects.


vyatta at vyatta# openssl rsa -in localhost.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5kfPPdXJCZFTZiwpR1AS
On8qZehmOJ4RzrsAfTsUBv51C9VdxG0ec5haLmUga9GhTxDDgT17J3IcSjR8RfB1
X2C+lEEG8uZmFAZnHDycjDiS18MvtWeTimKZjluEcN4DzUSKB+VOoVQZPJXe4O2D
XCIxIImWbB8JF131ggybaopfvyMf5DX79rf/IkLOiD8aJDoilSXYIR+HZf6nm97f
kb3YRyKXgx4SoIfs3i5HGsfCmihG05/+s6wiun7Nrwgnm/C4vV2GjXuiX0g+PrSY
+91Wsr+mwLMp7YquCASBamJEAIIaBucX3muh38x47/g5NzjYfwzCAATkNlmrByJV
7wIDAQAB
-----END PUBLIC KEY----

Also, public-key generated using "ipsec pki" has junk characters. Is
that normal?

Thanks & Regards
Sam


On Mon, Apr 7, 2014 at 10:42 PM, Sameer Agrawal <agrawalsameer at gmail.com> wrote:
> Hi Andreas
>
> When i try to load the public portion of the peer's key (generated by
> openssl), I see that rsa key is malformed with incorrect format
> prefix.
>
> ipsec_starter: conn À#002~ §#177/left: rsakey malformed [input too
> short to be valid]
> ipsec_starter: conn À#002~ §#177/right: rsakey malformed [input does
> not begin with format prefix]
>
> I have set the "rightrsasigkey" directive in my ipsec.conf file as
> shown in the previous post.
>
> Thanks
> Sam
>
> On Mon, Apr 7, 2014 at 11:39 AM, Sameer Agrawal <agrawalsameer at gmail.com> wrote:
>> Thanks Andreas.
>>
>> So, I am using 2048 bits now and I fixed my /etc/ipsec.secrets file to
>> load the key from /etc/ipsec.d/private directory.
>> The key is now getting loaded, however the peer is complaining that it
>> in unable to find the public key for the peer.
>> I have configured the public key information in the /etc/ipsec.conf
>> file using the "rightrsasigkey" directive.
>>
>> : "peer-192.0.2.1-tunnel-1" #44: responding to Main Mode
>> : "peer-192.0.2.1-tunnel-1" #44: Peer ID is ID_IPV4_ADDR: '192.0.2.1'
>> : "peer-192.0.2.1-tunnel-1" #44: no public key known for '192.0.2.1'
>> : "peer-192.0.2.1-tunnel-1" #44: sending encrypted notification
>> INVALID_KEY_INFORMATION to 192.0.2.1:500
>> : "peer-192.0.2.1-tunnel-1" #44: Peer ID is ID_IPV4_ADDR: '192.0.2.1'
>> : "peer-192.0.2.1-tunnel-1" #44: no public key known for '192.0.2.1'
>> : "peer-192.0.2.1-tunnel-1" #44: sending encrypted notification
>> INVALID_KEY_INFORMATION to 192.0.2.1:500
>> : "peer-192.0.2.1-tunnel-1" #44: Peer ID is ID_IPV4_ADDR: '192.0.2.1'
>> : "peer-192.0.2.1-tunnel-1" #44: no public key known for '192.0.2.1'
>> : "peer-192.0.2.1-tunnel-1" #44: sending encrypted notification
>> INVALID_KEY_INFORMATION to 192.0.2.1:500
>>
>> ipsec.secrets
>> ==========
>> : RSA ssl_r.pem
>>
>> ipsec.conf file
>> ===========
>> conn peer-192.0.2.1-tunnel-1
>>         left=192.0.2.33
>>         right=192.0.2.1
>>         leftsubnet=192.168.60.0/24
>>         rightsubnet=192.168.40.0/24
>>         leftsourceip=192.168.60.8
>>         ike=aes256-sha1,aes128-sha1!
>>         ikelifetime=3600s
>>         esp=aes256-sha1,3des-md5!
>>         keylife=1800s
>>         rekeymargin=540s
>>         type=tunnel
>>         pfs=yes
>>         compress=no
>>         authby=rsasig
>>         leftrsasigkey="0"
>>         rightrsasigkey="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZaxHxEEf2/dnlJhP0Q8yYE5Bj25tXyng8xi7M34qI8b5zxmtpay4G/3AxppjDh2/wvAe0CExOvgwOvvWyE4Wo66VYBF+TA2jdbSOrdz13Lm8BD2/WnBgs8zmdoLhSGyCeYUEpxfKuYYyr5o6nI2MufGlZuKUmJT8gq2Ryk+RM324AKQ2QPxHUk5IZUwUiNdjmbMaIyeORRdk7iziko7krCC2T7GIFA51EQrafd+nNQrU1ZX18LuqD1u7XQOUrge8jeROuQAbBnxXLSnyrUewjmN4tD1AztGV58AgzjAwPfVZRxdppmyhn9ioeecTONMQerf+pmK4UZv8Lje0o9EMwIDAQAB"
>>         auto=start
>>         keyingtries=%forever
>>
>> Am i missing anything?
>>
>> On Sat, Apr 5, 2014 at 1:39 AM, Andreas Steffen
>> <andreas.steffen at strongswan.org> wrote:
>>> Hi Sam,
>>>
>>> your RSA private key is ok, although you should use
>>> a modulus size of 2048 bits. Your 256 bit key is
>>> ridiculously weak and might not even be accepted by the
>>> IPsec peer.
>>>
>>> Most probably there is a syntax error in /etc/ipsec.secrets
>>> where you try to load the private key from ssl_r.pem. Could
>>> you post your ipsec.secrets file?
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> On 04.04.2014 23:47, Sameer Agrawal wrote:
>>>> Hi
>>>>
>>>> I am using strongswan-4.5.2 and seeing some issue with loading rsa
>>>> private-key when I try to establish site-to-site connection.
>>>> I tried both "openssl" and "ipsec pki tool", however I am seeing the
>>>> following error when loading the key.
>>>>
>>>> Using OPENSSL
>>>> ==============
>>>> openssl genrsa -out ssl_r.pem 256
>>>>
>>>> Key generated -> ssl_r.pem file
>>>> =================================
>>>> -----BEGIN RSA PRIVATE KEY-----
>>>> MIGqAgEAAiEAyrDMmSXhTCAbJp1tqwtpDvRVB/MbbEOqdBNJirWuE4UCAwEAAQIg
>>>> bxxYLCP9y1NWTubB9Z+9qMCk43rykSB7IbuopABJ0wkCEQD0Ef/I1/d0QugkG9ur
>>>> 1yTfAhEA1JkGUEWfOr68YkG88PjQGwIQbIl0jgQ8bt8yDJy223wZUQIQUflnO9B8
>>>> ozQkg2aBqhDmfQIRANkGT4FW29x0nWvyLn8Kxx0=
>>>> -----END RSA PRIVATE KEY-----
>>>>
>>>>
>>>> Error message from pluto src code:
>>>> ===========================
>>>> loading secrets from "ssl_r.pem"
>>>> line 2: unexpected end of id list
>>>> line 3: unexpected end of id list
>>>> line 4: unexpected end of id list
>>>> line 5: unexpected end of id list
>>>> line 6: unexpected end of id list
>>>> line 6: unexpected end of id list
>>>> ...
>>>> and finally, ike alg: unable to retrieve my private key.
>>>>
>>>>
>>>> I faced similar issue when using "ipsec pki" tool too. Can you please
>>>> let me know what can i do so that the secret key is loaded correctly.
>>>>
>>>> Thanks
>>>> Sam
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>
>>> --
>>> ======================================================================
>>> Andreas Steffen                         andreas.steffen at strongswan.org
>>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>>> Institute for Internet Technologies and Applications
>>> University of Applied Sciences Rapperswil
>>> CH-8640 Rapperswil (Switzerland)
>>> ===========================================================[ITA-HSR]==
>>>


More information about the Users mailing list