[strongSwan] Reg : No private key found

Sindhu S. (sins) sins at cisco.com
Thu Oct 29 07:46:09 CET 2015


Hi Andreas,

Does this log mean it was successfully loaded?

Oct 29 05:25:42 11[CFG]   loaded RSA private key from '/home/ipsec/snbi_new/snbi/snbiFe/bin/./private.pem'

PFA the full logs after executing "sudo ipsec rereadsecrets".

Thanks,
Sindhu

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Thursday, October 29, 2015 11:56 AM
To: Sindhu S. (sins); users at lists.strongswan.org
Subject: Re: [strongSwan] Reg : No private key found

Hi,

how do you know that the private key was loaded successfully if

  ipsec listcerts

does not show that no private key associated with the certificate has been found. Please inspect your log file for any entries concerning the loading of the private key file during the startup of the charon daemon.

Additionally you can execute the command

  ipsec rereadsecrets

to reload the private key. Again check for error messages at the bottom of the log file.

Regards

Andreas

On 10/28/2015 02:36 PM, Sindhu S. (sins) wrote:
>  
> 
> Hi all,
> 
> I'm getting the error "no private key found".
> 
> Private key was loaded successfully. Below are details.
> 
> Please let me know what the issue is.
> 
>  
> 
> *Logs:*
> 
> Oct 28 12:09:57 00[CFG]   loaded RSA private key from
> '/home/ipsec/snbi_new/snbi/snbiFe/bin/./private.pem'
> 
>  
> 
>  
> 
> Oct 28 12:19:09 05[IKE] received cert request for 
> "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186"
> 
> Oct 28 12:19:09 05[IKE] reinitiating already active tasks
> 
> Oct 28 12:19:09 05[IKE]   IKE_CERT_PRE task
> 
> Oct 28 12:19:09 05[IKE]   IKE_AUTH task
> 
> Oct 28 12:19:09 05[IKE] sending cert request for "CN=snbi"
> 
> Oct 28 12:19:09 05[ENC] added payload of type CERTREQ to message
> 
> Oct 28 12:19:09 05[ENC] added payload of type NOTIFY to message
> 
> Oct 28 12:19:09 05[ENC] added payload of type NOTIFY to message
> 
> Oct 28 12:19:09 05[ENC] added payload of type ID_INITIATOR to message
> 
> Oct 28 12:19:09 05[IKE] no private key found for 'N=2e19.ba2d.e05f-53, 
> CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186'
> 
> Oct 28 12:19:09 05[MGR] checkin and destroy IKE_SA snbi_tun_2[1]
> 
> Oct 28 12:19:09 05[IKE] IKE_SA snbi_tun_2[1] state change: CONNECTING 
> => DESTROYING
> 
>  
> 
> *ipsec@ipsec2:~/snbi_new/snbi/snbiFe/bin$ sudo ipsec statusall*
> 
> Status of IKE charon daemon (strongSwan 5.3.3, Linux 
> 3.13.0-24-generic,
> x86_64):
> 
>   uptime: 8 seconds, since Oct 28 12:09:58 2015
> 
>   malloc: sbrk 1351680, mmap 0, used 248608, free 1103072
> 
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> 
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey 
> sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve 
> socket-default stroke updown xauth-generic
> 
> Listening IP addresses:
> 
>   10.64.69.117
> 
>   2001:db8:0:f101::1
> 
>   fd08:2eef:c2ee:0:2e19:ba2d:e05f:35
> 
> Connections:
> 
>   snbi_tun_2: 
> fe80::20c:29ff:feb2:ae2f%eth1...fe80::20c:29ff:fea8:e174%eth1  IKEv2
> 
>   snbi_tun_2:   local:  [N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53,
> OU=cisco.com, SN=LINUX:PID:SN:960966186] uses public key 
> authentication
> 
>   snbi_tun_2:    cert:  "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53,
> OU=cisco.com, SN=LINUX:PID:SN:960966186"
> 
>   snbi_tun_2:   remote: uses public key authentication
> 
>   snbi_tun_2:   child:  dynamic === dynamic TRANSPORT
> 
> Security Associations (0 up, 0 connecting):
> 
>   none
> 
> *ipsec@ipsec2:~/snbi_new/snbi/snbiFe/bin$ sudo ipsec up snbi_tun_2*
> 
> initiating IKE_SA snbi_tun_2[1] to fe80::20c:29ff:fea8:e174
> 
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(HASH_ALG) ]
> 
> sending packet: from fe80::20c:29ff:feb2:ae2f[500] to 
> fe80::20c:29ff:fea8:e174[500] (408 bytes)
> 
> received packet: from fe80::20c:29ff:fea8:e174[500] to 
> fe80::20c:29ff:feb2:ae2f[500] (353 bytes)
> 
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
> CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> 
> received cert request for "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, 
> OU=cisco.com, SN=LINUX:PID:SN:960966186"
> 
> sending cert request for "CN=snbi"
> 
> no private key found for 'N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, 
> OU=cisco.com, SN=LINUX:PID:SN:960966186'
> 
> establishing connection 'snbi_tun_2' failed
> 
> *ipsec@ipsec2:~/snbi_new/snbi/snbiFe/bin$ ip -6 tun show*
> 
> snbi_tun_3: gre/ipv6 remote fe80::20c:29ff:fea8:e16a local
> fe80::20c:29ff:feb2:ae25 dev eth0 encaplimit 4 hoplimit 64 tclass 0x00 
> flowlabel 0x00000 (flowinfo 0x00000000)
> 
> ip6gre0: gre/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 
> 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
> 
> ip6tnl0: ipv6/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass
> 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
> 
> snbi_tun_1: gre/ipv6 remote fe80::20c:29ff:fe6f:6c61 local
> fe80::20c:29ff:feb2:ae25 dev eth0 encaplimit 4 hoplimit 64 tclass 0x00 
> flowlabel 0x00000 (flowinfo 0x00000000)
> 
> snbi_tun_2: gre/ipv6 remote fe80::20c:29ff:fea8:e174 local 
> fe80::20c:29ff:feb2:ae2f dev eth1 encaplimit 4 hoplimit 64 tclass 0x00 
> flowlabel 0x00000 (flowinfo 0x00000000)
> 
>  
> 
> *ipsec@ipsec2:~/snbi_new/snbi/snbiFe/bin$ sudo ipsec listcerts*
> 
>  
> 
> List of X.509 End Entity Certificates:
> 
>  
> 
>   subject:  "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com, 
> SN=LINUX:PID:SN:960966186"
> 
>   issuer:   "CN=snbi"
> 
>   serial:    01:50:ad:1c:60:4f
> 
>   validity:  not before Oct 28 11:52:09 2015, ok
> 
>              not after  Oct 28 11:52:09 2018, ok
> 
>   pubkey:    RSA 1024 bits
> 
>   keyid:     d5:77:cb:02:9d:84:05:d0:7d:00:1f:c1:6b:f2:35:76:c9:37:f3:c6
> 
>   subjkey:   cd:15:7e:9c:33:58:cd:49:f9:ff:89:b4:0a:28:61:a3:d0:a3:45:75
> 
> ipsec@ipsec2:~/snbi_new/snbi/snbiFe/bin$
> 
>  
> 
>  
> 
> Thanks,
> 
> Sindhu
> 
> 
> 
> 

--
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: charon_logs.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151029/04a8b8e5/attachment-0001.txt>
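
Added example, not part of the original thread and not strongSwan code: when charon logs that a private key was loaded but still reports "no private key found" for the certificate, one thing worth checking is whether the key file and the certificate contain the same public key. The thread does not say this is the cause here; the file paths passed to the script are placeholders.

```shell
#!/bin/sh
# Added example: check that a PEM private key belongs to a PEM certificate
# by comparing SHA-256 digests of their public keys (DER SubjectPublicKeyInfo).
# Assumes an unencrypted key file and the openssl command-line tool.

# stdin: PEM public key -> stdout: hex SHA-256 of its DER encoding
spki_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# $1 = certificate (PEM), $2 = private key (PEM)
# returns 0 = key matches certificate, 1 = mismatch, 2 = a file is unreadable
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $1" >&2
        return 2
    }
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || {
        echo "cannot read private key: $2" >&2
        return 2
    }
    cert_fp=$(printf '%s\n' "$cert_pub" | spki_digest)
    key_fp=$(printf '%s\n' "$key_pub" | spki_digest)
    echo "certificate public key: $cert_fp"
    echo "private key public key: $key_fp"
    [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# Stand-alone use: ./check_pair.sh <cert.pem> <private.pem>
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "MATCH: the key belongs to this certificate"
    else
        echo "NO MATCH (or unreadable input): daemon cannot sign for this certificate"
        exit 1
    fi
fi
```

If the two digests differ, the key that was loaded is a different key pair from the one the certificate was issued for.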

