[strongSwan] RSA-encr authentication IKEv1 - loading public key failed

Andreas Steffen andreas.steffen at strongswan.org
Sun May 3 17:30:09 CEST 2015


Hi Alex,

charon does not load the pubkey plugin and is therefore not able to
process raw RSA public keys. Are you using an explicit

charon {
   load =
}

statement in /etc/strongswan.conf where pubkey is missing?

Best regards

Andreas

On 02.05.2015 21:27, Alex Zetaeffesse wrote:
> Hi folks,
>
> I'm trying to set up an IPsec tunnel with RSA auth, but ipsec always fails
> to import the public key of the peer.
>
> I tried specifying the file containing the pub key both as a relative
> path and as an absolute one; the import always fails.
>
> I specified the entire string within ipsec.conf but it failed as well.
>
> I saw there is an example on the strongSwan site, but there they use
> certificates whereas I have only priv and pub keys.
>
> Here below some information
>
> 0) STRONGSWAN version
> root at ubuntu:/etc/ipsec.d/private# ipsec version
> Linux strongSwan U5.1.2/K3.16.0-36-generic
>
> 1) PUBLIC KEY
> root at ubuntu:/etc/ipsec.d# cat R14_pub.key
> -----BEGIN PUBLIC KEY-----
> -----END PUBLIC KEY-----
>
> 2) Permission of the file
> -rw-r--r--   1 root root   800 May  2 03:18 R14_pub.key
>
> 3) config
> root at ubuntu:/etc/ipsec.d# cat ../ipsec.conf
> config setup
>
> conn %default
>          ikelifetime=60m
>          keylife=20m
>          rekeymargin=3m
>          keyingtries=1
>          keyexchange=ikev1
>          left=192.168.72.4
>          leftsubnet=172.16.102.161/32
>          leftid=192.168.72.4
>          leftfirewall=no
>          leftauth=pubkey
> #leftrsasigkey=ubuntu_prv.key
> #authby=secret
>
> conn gre-ipsec
>          right=192.168.72.144
>          rightsubnet=172.16.102.162/32
>          rightrsasigkey=/etc/ipsec.d/R14_pub.key
>          rightid=192.168.72.144
>          rightauth=pubkey
>          auto=add
>
> 4) Logs
> May  2 03:18:37 ubuntu charon: 00[CFG]   loaded RSA private key from
> '/etc/ipsec.d/private/ubuntu_prv.key'
> May  2 03:18:37 ubuntu charon: 00[LIB] loaded plugins: charon addrblock
> attr ccm cmac constraints ctr eap-identity gcm md4 openssl pkcs12 pkcs7
> pkcs8 rc2 resolve sha1 test-vectors xcbc sha2 md5 aes hmac pem pkcs1
> x509 revocation random nonce kernel-netlink socket-default updown stroke
> May  2 03:18:37 ubuntu charon: 00[LIB] unable to load 5 plugin features
> (5 due to unmet dependencies)
> May  2 03:18:37 ubuntu charon: 00[LIB] dropped capabilities, running as
> uid 0, gid 0
> May  2 03:18:37 ubuntu charon: 00[JOB] spawning 16 worker threads
> May  2 03:18:37 ubuntu charon: 11[CFG] received stroke: add connection
> 'gre-ipsec'
> May  2 03:18:37 ubuntu charon: 11[LIB] building CRED_CERTIFICATE -
> TRUSTED_PUBKEY failed, tried 0 builders
> May  2 03:18:37 ubuntu charon: 11[CFG]   loading public key for
> "192.168.72.144" from '/etc/ipsec.d/R14_pub.key' failed
> May  2 03:18:37 ubuntu charon: 11[CFG] added configuration 'gre-ipsec'
>
> Can anyone tell me the reason for which the import fails?
> What should the format of the public-key-file be?
>
> Thanks in advance,
>
> Alex
>
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
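Added example, not code from the thread or from the strongSwan project: a small Python check that pulls the plugin list out of charon's "loaded plugins:" syslog line (wrapped across lines as in the mail above) or out of an explicit load = statement in strongswan.conf, and reports which plugins needed for raw public-key loading are absent. That pubkey is required comes from the reply above; treating pem and pkcs1 as also required is an assumption of this example, and the sample log and config are constructed from the quoted post.

```python
import re
# Plugins charon needs to load a raw PEM public key named by leftrsasigkey/
# rightrsasigkey: pubkey per the reply above; pem and pkcs1 are assumed here.
REQUIRED_FOR_RAW_PUBKEY = ("pem", "pkcs1", "pubkey")

LOADED_RE = re.compile(r"charon: \d+\[LIB\] loaded plugins: (.*)$")
LOAD_STMT_RE = re.compile(r"^\s*load\s*=\s*(.*)$", re.MULTILINE)
SYSLOG_TS_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d ")

def loaded_plugins(log_text):
    """Plugin names from charon's 'loaded plugins:' message; lines without
    a syslog timestamp are mail-wrapped continuations and are joined back."""
    messages = []
    for line in log_text.splitlines():
        if messages and not SYSLOG_TS_RE.match(line):
            messages[-1] += " " + line.strip()
        else:
            messages.append(line.rstrip())
    for msg in messages:
        m = LOADED_RE.search(msg)
        if m:
            return set(m.group(1).split())
    return set()

def missing_for_raw_pubkey(plugins):
    """Required plugins, in order, that are absent from the given set."""
    return [p for p in REQUIRED_FOR_RAW_PUBKEY if p not in plugins]

def load_statement_plugins(conf_text):
    """Plugins named by an explicit 'load =' statement in strongswan.conf,
    or None when there is none (charon then loads its default plugin set)."""
    m = LOAD_STMT_RE.search(conf_text)
    return None if m is None else set(m.group(1).split())

# Constructed sample: the 'loaded plugins' lines from the log quoted above.
SAMPLE_LOG = """\
May  2 03:18:37 ubuntu charon: 00[LIB] loaded plugins: charon addrblock
attr ccm cmac constraints ctr eap-identity gcm md4 openssl pkcs12 pkcs7
pkcs8 rc2 resolve sha1 test-vectors xcbc sha2 md5 aes hmac pem pkcs1
x509 revocation random nonce kernel-netlink socket-default updown stroke
May  2 03:18:37 ubuntu charon: 00[LIB] unable to load 5 plugin features
(5 due to unmet dependencies)
"""
# Constructed sample: an explicit load statement that leaves pubkey out.
SAMPLE_CONF = """\
charon {
   load = aes sha1 sha2 md5 hmac pem pkcs1 x509 random nonce stroke
}
"""
```

Running missing_for_raw_pubkey(loaded_plugins(SAMPLE_LOG)) on the quoted log returns ['pubkey'], matching the diagnosis in the reply.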
