[strongSwan] Question for building CRED_CERTIFICATE - X509 failed
Brian Watson
bwats9999 at gmail.com
Fri May 9 22:35:06 CEST 2014
Hi,
I've been able to get StrongSwan working using PSK, but now I'm trying
to use certificates. I followed the wiki for setting up a simple CA and
generated the keys and stored them in the associated directories
(http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA). When I start
StrongSwan it fails and the log displays the following:
May 9 15:08:57 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 9 15:08:57 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 2 builders
May 9 15:08:57 00[CFG] loading ca certificate from '/etc/ipsec.d/cacerts/caCert.der' failed
May 9 15:08:57 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 9 15:08:57 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 9 15:08:57 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 9 15:08:57 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 9 15:08:57 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 9 15:08:57 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders
May 9 15:08:57 00[CFG] loading private key from '/etc/ipsec.d/private/strongSwan3Key.der' failed
May 9 15:08:57 00[LIB] loaded plugins: charon aes sha1 sha2 md5 openssl random nonce hmac stroke kernel-netlink socket-default updown pkcs1 x509
........
May 9 15:08:57 05[CFG] conn home
May 9 15:08:57 05[CFG] left=192.168.0.3
May 9 15:08:57 05[CFG] leftsubnet=(null)
May 9 15:08:57 05[CFG] leftsourceip=(null)
May 9 15:08:57 05[CFG] leftdns=(null)
May 9 15:08:57 05[CFG] leftauth=pubkey
May 9 15:08:57 05[CFG] leftauth2=(null)
May 9 15:08:57 05[CFG] leftid=%any
May 9 15:08:57 05[CFG] leftid2=(null)
May 9 15:08:57 05[CFG] leftrsakey=(null)
May 9 15:08:57 05[CFG] leftcert=strongSwan3Key.der
May 9 15:08:57 05[CFG] leftcert2=(null)
May 9 15:08:57 05[CFG] leftca=(null)
May 9 15:08:57 05[CFG] leftca2=(null)
May 9 15:08:57 05[CFG] leftgroups=(null)
May 9 15:08:57 05[CFG] leftgroups2=(null)
May 9 15:08:57 05[CFG] leftupdown=(null)
May 9 15:08:57 05[CFG] right=192.168.0.2
May 9 15:08:57 05[CFG] rightsubnet=(null)
May 9 15:08:57 05[CFG] rightsourceip=(null)
May 9 15:08:57 05[CFG] rightdns=(null)
May 9 15:08:57 05[CFG] rightauth=pubkey
May 9 15:08:57 05[CFG] rightauth2=(null)
May 9 15:08:57 05[CFG] rightid=%any
May 9 15:08:57 05[CFG] rightid2=(null)
May 9 15:08:57 05[CFG] rightrsakey=(null)
May 9 15:08:57 05[CFG] rightcert=(null)
May 9 15:08:57 05[CFG] rightcert2=(null)
May 9 15:08:57 05[CFG] rightca=(null)
May 9 15:08:57 05[CFG] rightca2=(null)
May 9 15:08:57 05[CFG] rightgroups=(null)
May 9 15:08:57 05[CFG] rightgroups2=(null)
May 9 15:08:57 05[CFG] rightupdown=(null)
May 9 15:08:57 05[CFG] eap_identity=(null)
May 9 15:08:57 05[CFG] aaa_identity=(null)
May 9 15:08:57 05[CFG] xauth_identity=(null)
May 9 15:08:57 05[CFG] ike=aes256-sha384-ecp384bp
May 9 15:08:57 05[CFG] esp=aes256gcm16
May 9 15:08:57 05[CFG] ah=(null)
May 9 15:08:57 05[CFG] dpddelay=30
May 9 15:08:57 05[CFG] dpdtimeout=150
May 9 15:08:57 05[CFG] dpdaction=0
May 9 15:08:57 05[CFG] closeaction=0
May 9 15:08:57 05[CFG] mediation=no
May 9 15:08:57 05[CFG] mediated_by=(null)
May 9 15:08:57 05[CFG] me_peerid=(null)
May 9 15:08:57 05[CFG] keyexchange=ikev2
If I do "sudo ipsec listcerts" it comes back empty, but if I do
"pki --verify --in /etc/ipsec.d/certs/strongSwan2Cert.der --ca /etc/ipsec.d/cacerts/caCert.der"
it says:
signature good, certificates valid
Any ideas?
Thanks,
Brian