[strongSwan] RSA-encr authentication IKEv1 - loading public key failed

Alex Zetaeffesse fzetafs at gmail.com
Sat May 2 21:27:36 CEST 2015


Hi folks,

I'm trying to set up an IPsec tunnel with RSA auth, but ipsec always fails
to import the public key of the peer.

I tried specifying the file containing the pub key both as a relative path
and as an absolute path; the import always fails.

I specified the entire string within ipsec.conf but it failed as well.

I saw there is an example on the strongSwan site, but there they use
certificates whereas I have only priv and pub keys.

Here is some information:

0) STRONGSWAN version
root@ubuntu:/etc/ipsec.d/private# ipsec version
Linux strongSwan U5.1.2/K3.16.0-36-generic

1) PUBLIC KEY
root@ubuntu:/etc/ipsec.d# cat R14_pub.key
-----BEGIN PUBLIC KEY-----
[...]
-----END PUBLIC KEY-----

2) Permissions of the file
-rw-r--r--   1 root root   800 May  2 03:18 R14_pub.key

3) config
root@ubuntu:/etc/ipsec.d# cat ../ipsec.conf
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        left=192.168.72.4
        leftsubnet=172.16.102.161/32
        leftid=192.168.72.4
        leftfirewall=no
        leftauth=pubkey
#leftrsasigkey=ubuntu_prv.key
#authby=secret

conn gre-ipsec
        right=192.168.72.144
        rightsubnet=172.16.102.162/32
        rightrsasigkey=/etc/ipsec.d/R14_pub.key
        rightid=192.168.72.144
        rightauth=pubkey
        auto=add

4) Logs
May  2 03:18:37 ubuntu charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/ubuntu_prv.key'
May  2 03:18:37 ubuntu charon: 00[LIB] loaded plugins: charon addrblock
attr ccm cmac constraints ctr eap-identity gcm md4 openssl pkcs12 pkcs7
pkcs8 rc2 resolve sha1 test-vectors xcbc sha2 md5 aes hmac pem pkcs1 x509
revocation random nonce kernel-netlink socket-default updown stroke
May  2 03:18:37 ubuntu charon: 00[LIB] unable to load 5 plugin features (5
due to unmet dependencies)
May  2 03:18:37 ubuntu charon: 00[LIB] dropped capabilities, running as uid
0, gid 0
May  2 03:18:37 ubuntu charon: 00[JOB] spawning 16 worker threads
May  2 03:18:37 ubuntu charon: 11[CFG] received stroke: add connection
'gre-ipsec'
May  2 03:18:37 ubuntu charon: 11[LIB] building CRED_CERTIFICATE -
TRUSTED_PUBKEY failed, tried 0 builders
May  2 03:18:37 ubuntu charon: 11[CFG]   loading public key for
"192.168.72.144" from '/etc/ipsec.d/R14_pub.key' failed
May  2 03:18:37 ubuntu charon: 11[CFG] added configuration 'gre-ipsec'

Can anyone tell me the reason for which the import fails?
What should the format of the public-key-file be?

Thanks in advance,

Alex
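
Added example, not part of the original post: a triage helper for the charon log above. It rejoins the mail-wrapped lines, reads the loaded plugin list, and flags every "tried 0 builders" failure, which means no loaded plugin offered a builder for that credential type. The function names and the PROVIDER mapping (strongSwan's pubkey plugin as the wrapper for raw public keys) are assumptions of this example.

```python
import re

# Excerpt copied from the log in the post, with its mail line wraps.
LOG = """\
May  2 03:18:37 ubuntu charon: 00[LIB] loaded plugins: charon addrblock
attr ccm cmac constraints ctr eap-identity gcm md4 openssl pkcs12 pkcs7
pkcs8 rc2 resolve sha1 test-vectors xcbc sha2 md5 aes hmac pem pkcs1 x509
revocation random nonce kernel-netlink socket-default updown stroke
May  2 03:18:37 ubuntu charon: 00[LIB] unable to load 5 plugin features (5
due to unmet dependencies)
May  2 03:18:37 ubuntu charon: 11[LIB] building CRED_CERTIFICATE -
TRUSTED_PUBKEY failed, tried 0 builders
May  2 03:18:37 ubuntu charon: 11[CFG]   loading public key for
"192.168.72.144" from '/etc/ipsec.d/R14_pub.key' failed
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
FAILED = re.compile(r"building (\w+) - (\w+) failed, tried (\d+) builders")
# Assumption of this example: plugin expected to supply the builder per subtype.
PROVIDER = {"TRUSTED_PUBKEY": "pubkey"}

def unwrap(text):
    """Rejoin wrapped lines: a line without a syslog timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def loaded_plugins(records):
    """Return the set of plugin names from the 'loaded plugins:' record."""
    for rec in records:
        if "loaded plugins:" in rec:
            return set(rec.split("loaded plugins:", 1)[1].split())
    return set()

def triage(text):
    """Return one finding per builder failure for which zero builders were tried."""
    records = unwrap(text)
    plugins = loaded_plugins(records)
    findings = []
    for rec in records:
        m = FAILED.search(rec)
        if m and int(m.group(3)) == 0:
            need = PROVIDER.get(m.group(2))
            findings.append({"type": m.group(1), "subtype": m.group(2),
                             "plugin": need, "plugin_loaded": need in plugins})
    return findings
```

Calling triage(LOG) returns the TRUSTED_PUBKEY failure together with whether the plugin named in PROVIDER appears in the loaded plugin list.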