[strongSwan] Reg : No private key found

Andreas Steffen andreas.steffen at strongswan.org
Thu Oct 29 07:26:09 CET 2015


Hi,

how do you know that the private key was loaded successfully if

  ipsec listcerts

does not show any private key associated with the certificate?
Please inspect your log file for any entries concerning the loading
of the private key file during the startup of the charon daemon.

Additionally you can execute the command

  ipsec rereadsecrets

to reload the private key. Again check for error messages at the
bottom of the log file.

Regards

Andreas

On 10/28/2015 02:36 PM, Sindhu S. (sins) wrote:
> Hi all,
> 
> I'm getting an error: no private key found.
> 
> Private key was loaded successfully. Below are details.
> 
> Please let me know, what is the issue?
> 
> *Logs:*
> 
> Oct 28 12:09:57 00[CFG]   loaded RSA private key from
> '/home/ipsec/snbi_new/snbi/snbiFe/bin/./private.pem'
> 
> Oct 28 12:19:09 05[IKE] received cert request for "N=2e19.ba2d.e05f-53,
> CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186"
> 
> Oct 28 12:19:09 05[IKE] reinitiating already active tasks
> 
> Oct 28 12:19:09 05[IKE]   IKE_CERT_PRE task
> 
> Oct 28 12:19:09 05[IKE]   IKE_AUTH task
> 
> Oct 28 12:19:09 05[IKE] sending cert request for "CN=snbi"
> 
> Oct 28 12:19:09 05[ENC] added payload of type CERTREQ to message
> 
> Oct 28 12:19:09 05[ENC] added payload of type NOTIFY to message
> 
> Oct 28 12:19:09 05[ENC] added payload of type NOTIFY to message
> 
> Oct 28 12:19:09 05[ENC] added payload of type ID_INITIATOR to message
> 
> Oct 28 12:19:09 05[IKE] no private key found for 'N=2e19.ba2d.e05f-53,
> CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186'
> 
> Oct 28 12:19:09 05[MGR] checkin and destroy IKE_SA snbi_tun_2[1]
> 
> Oct 28 12:19:09 05[IKE] IKE_SA snbi_tun_2[1] state change: CONNECTING =>
> DESTROYING
> 
> *ipsec at ipsec2:~/snbi_new/snbi/snbiFe/bin$ sudo ipsec statusall*
> 
> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.13.0-24-generic,
> x86_64):
> 
>   uptime: 8 seconds, since Oct 28 12:09:58 2015
> 
>   malloc: sbrk 1351680, mmap 0, used 248608, free 1103072
> 
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> 
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
> socket-default stroke updown xauth-generic
> 
> Listening IP addresses:
> 
>   10.64.69.117
> 
>   2001:db8:0:f101::1
> 
>   fd08:2eef:c2ee:0:2e19:ba2d:e05f:35
> 
> Connections:
> 
>   snbi_tun_2: 
> fe80::20c:29ff:feb2:ae2f%eth1...fe80::20c:29ff:fea8:e174%eth1  IKEv2
> 
>   snbi_tun_2:   local:  [N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53,
> OU=cisco.com, SN=LINUX:PID:SN:960966186] uses public key authentication
> 
>   snbi_tun_2:    cert:  "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53,
> OU=cisco.com, SN=LINUX:PID:SN:960966186"
> 
>   snbi_tun_2:   remote: uses public key authentication
> 
>   snbi_tun_2:   child:  dynamic === dynamic TRANSPORT
> 
> Security Associations (0 up, 0 connecting):
> 
>   none
> 
> *ipsec at ipsec2:~/snbi_new/snbi/snbiFe/bin$ sudo ipsec up snbi_tun_2*
> 
> initiating IKE_SA snbi_tun_2[1] to fe80::20c:29ff:fea8:e174
> 
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(HASH_ALG) ]
> 
> sending packet: from fe80::20c:29ff:feb2:ae2f[500] to
> fe80::20c:29ff:fea8:e174[500] (408 bytes)
> 
> received packet: from fe80::20c:29ff:fea8:e174[500] to
> fe80::20c:29ff:feb2:ae2f[500] (353 bytes)
> 
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> 
> received cert request for "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53,
> OU=cisco.com, SN=LINUX:PID:SN:960966186"
> 
> sending cert request for "CN=snbi"
> 
> no private key found for 'N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53,
> OU=cisco.com, SN=LINUX:PID:SN:960966186'
> 
> establishing connection 'snbi_tun_2' failed
> 
> *ipsec at ipsec2:~/snbi_new/snbi/snbiFe/bin$ ip -6 tun show*
> 
> snbi_tun_3: gre/ipv6 remote fe80::20c:29ff:fea8:e16a local
> fe80::20c:29ff:feb2:ae25 dev eth0 encaplimit 4 hoplimit 64 tclass 0x00
> flowlabel 0x00000 (flowinfo 0x00000000)
> 
> ip6gre0: gre/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 0x00
> flowlabel 0x00000 (flowinfo 0x00000000)
> 
> ip6tnl0: ipv6/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass
> 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
> 
> snbi_tun_1: gre/ipv6 remote fe80::20c:29ff:fe6f:6c61 local
> fe80::20c:29ff:feb2:ae25 dev eth0 encaplimit 4 hoplimit 64 tclass 0x00
> flowlabel 0x00000 (flowinfo 0x00000000)
> 
> snbi_tun_2: gre/ipv6 remote fe80::20c:29ff:fea8:e174 local
> fe80::20c:29ff:feb2:ae2f dev eth1 encaplimit 4 hoplimit 64 tclass 0x00
> flowlabel 0x00000 (flowinfo 0x00000000)
> 
> *ipsec at ipsec2:~/snbi_new/snbi/snbiFe/bin$ sudo ipsec listcerts *
> 
> List of X.509 End Entity Certificates:
> 
>   subject:  "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com,
> SN=LINUX:PID:SN:960966186"
> 
>   issuer:   "CN=snbi"
> 
>   serial:    01:50:ad:1c:60:4f
> 
>   validity:  not before Oct 28 11:52:09 2015, ok
> 
>              not after  Oct 28 11:52:09 2018, ok
> 
>   pubkey:    RSA 1024 bits
> 
>   keyid:     d5:77:cb:02:9d:84:05:d0:7d:00:1f:c1:6b:f2:35:76:c9:37:f3:c6
> 
>   subjkey:   cd:15:7e:9c:33:58:cd:49:f9:ff:89:b4:0a:28:61:a3:d0:a3:45:75
> 
> ipsec at ipsec2:~/snbi_new/snbi/snbiFe/bin$
> 
> Thanks,
> 
> Sindhu
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
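The two checks suggested in the reply (look for the key-loading entries in the charon log, and look at whether `ipsec listcerts` reports a private key for the certificate) can be made mechanical. The following is an added example, not code from the thread or from strongSwan; it assumes the strongSwan 5.x stroke-style log and `listcerts` formats quoted above, and the sample inputs are constructed from those quotes.

```python
import re

# Patterns modelled on the charon log lines and `ipsec listcerts` output
# quoted in the thread (strongSwan 5.x, stroke plugin).
LOADED_KEY = re.compile(r"\[CFG\]\s+loaded (\w+) private key from '([^']+)'")
NO_KEY = re.compile(r"no private key found for '([^']+)'")
PUBKEY_LINE = re.compile(r"^\s*pubkey:\s+(.+)$")


def triage_private_key(charon_log, listcerts_output):
    """Classify a 'no private key found' failure from charon log lines and
    `ipsec listcerts` output. Returns the evidence found plus a verdict."""
    loaded, missing_for = [], []
    for line in charon_log.splitlines():
        m = LOADED_KEY.search(line)
        if m:                       # key file parsed at startup / rereadsecrets
            loaded.append((m.group(1), m.group(2)))
        m = NO_KEY.search(line)
        if m:                       # IKE_AUTH could not find a key for this DN
            missing_for.append(m.group(1))
    # listcerts appends ", has private key" to the pubkey line only when a
    # private key matching the certificate's public key is in the credential set.
    has_private = any("has private key" in m.group(1)
                      for m in map(PUBKEY_LINE.match, listcerts_output.splitlines())
                      if m)
    if has_private:
        verdict = "certificate has a matching private key; look elsewhere"
    elif not loaded:
        verdict = "no private key file loaded at all; check ipsec.secrets and the log"
    else:
        # A 'loaded ... private key' line only proves the file parsed; it does
        # not prove the key belongs to the certificate charon is authenticating with.
        verdict = "private key loaded but it does not match the certificate: key/cert mismatch"
    return {"loaded": loaded, "missing_for": missing_for,
            "cert_has_private_key": has_private, "verdict": verdict}


# Constructed sample input, taken from the lines quoted in the thread.
SAMPLE_LOG = """\
Oct 28 12:09:57 00[CFG]   loaded RSA private key from '/home/ipsec/snbi_new/snbi/snbiFe/bin/./private.pem'
Oct 28 12:19:09 05[IKE] sending cert request for "CN=snbi"
Oct 28 12:19:09 05[IKE] no private key found for 'N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186'
"""
SAMPLE_LISTCERTS = """\
  subject:  "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186"
  issuer:   "CN=snbi"
  pubkey:    RSA 1024 bits
"""

if __name__ == "__main__":
    print(triage_private_key(SAMPLE_LOG, SAMPLE_LISTCERTS)["verdict"])
```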
