[strongSwan] Reg : No private key found

Andreas Steffen andreas.steffen at strongswan.org
Thu Oct 29 10:41:14 CET 2015


Hi Sindhu,

yes, the private key was in fact successfully loaded but it might be
that it does not match the public key contained in your certificate.
You should compare the fingerprints of your private and public keys:

pki --print --type rsa-priv --in myKey.pem

private key with:
pubkey:    RSA 2048 bits
keyid:     04:aa:f7:5d:d3:c1:5b:b5:7f:b1:d9:47:62:19:a4:ee:cf:1a:b6:dc
subjkey:   98:5f:5f:d7:e6:f4:f9:59:1d:6f:49:a8:b9:28:05:41:69:5a:5a:ee

pki --print --type x509 --in myCert.pem

cert:      X509
subject:  "C=CH, O=MSE, OU=TSM_ITSec, OU=Machine, CN=Andreas Steffen"
issuer:   "C=CH, O=MSE, OU=TSM_ITSec, CN=MSE CA"
validity:  not before Mar 11 20:27:51 2013, ok
           not after  Mar 11 20:27:51 2017, ok (expires in 499 days)
serial:    c3:31:57:3a:db:fb:68:fa
altNames:  steffen
flags:
CRL URIs:  http://security.hsr.ch/mse/mse.crl
authkeyId: 97:f1:d4:44:35:c4:57:0b:27:f6:3f:bd:69:19:09:8e:b5:fa:53:f8
subjkeyId: 98:5f:5f:d7:e6:f4:f9:59:1d:6f:49:a8:b9:28:05:41:69:5a:5a:ee
pubkey:    RSA 2048 bits
keyid:     04:aa:f7:5d:d3:c1:5b:b5:7f:b1:d9:47:62:19:a4:ee:cf:1a:b6:dc
subjkey:   98:5f:5f:d7:e6:f4:f9:59:1d:6f:49:a8:b9:28:05:41:69:5a:5a:ee

The keyid must be identical.

BTW - you posted your private key on the mailing list, so please
      do not use this key in a production system.

On 10/29/2015 07:46 AM, Sindhu S. (sins) wrote:
> Hi Andreas,
> 
> Does this log mean, successfully loaded?
> 
> Oct 29 05:25:42 11[CFG]   loaded RSA private key from '/home/ipsec/snbi_new/snbi/snbiFe/bin/./private.pem'
> 
> PFA, for full logs after executing "sudo ipsec rereadsecrets"
> 
> Thanks,
> Sindhu
> 
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
> Sent: Thursday, October 29, 2015 11:56 AM
> To: Sindhu S. (sins); users at lists.strongswan.org
> Subject: Re: [strongSwan] Reg : No private key found
> 
> Hi,
> 
> how do you know that the private key was loaded successfully if
> 
>   ipsec listcerts
> 
> does not show that no private key associated with the certificate has been found. Please inspect your log file for any entries concerning the loading of the private key file during the startup of the charon daemon.
> 
> Additionally you can execute the command
> 
>   ipsec rereadsecrets
> 
> to reload the private key. Again check for error messages at the bottom of the log file.
> 
> Regards
> 
> Andreas
> 
> On 10/28/2015 02:36 PM, Sindhu S. (sins) wrote:
>> Hi all,
>>
>> I'm getting an error: no private key found.
>>
>> Private key was loaded successfully. Below are details.
>>
>> Please let me know, what is the issue?
>>
>> *Logs:*
>>
>> Oct 28 12:09:57 00[CFG]   loaded RSA private key from '/home/ipsec/snbi_new/snbi/snbiFe/bin/./private.pem'
>>
>> Oct 28 12:19:09 05[IKE] received cert request for "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186"
>> Oct 28 12:19:09 05[IKE] reinitiating already active tasks
>> Oct 28 12:19:09 05[IKE]   IKE_CERT_PRE task
>> Oct 28 12:19:09 05[IKE]   IKE_AUTH task
>> Oct 28 12:19:09 05[IKE] sending cert request for "CN=snbi"
>> Oct 28 12:19:09 05[ENC] added payload of type CERTREQ to message
>> Oct 28 12:19:09 05[ENC] added payload of type NOTIFY to message
>> Oct 28 12:19:09 05[ENC] added payload of type NOTIFY to message
>> Oct 28 12:19:09 05[ENC] added payload of type ID_INITIATOR to message
>> Oct 28 12:19:09 05[IKE] no private key found for 'N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186'
>> Oct 28 12:19:09 05[MGR] checkin and destroy IKE_SA snbi_tun_2[1]
>> Oct 28 12:19:09 05[IKE] IKE_SA snbi_tun_2[1] state change: CONNECTING => DESTROYING
>>
>> *ipsec at ipsec2:~/snbi_new/snbi/snbiFe/bin$ sudo ipsec statusall*
>>
>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.13.0-24-generic, x86_64):
>>   uptime: 8 seconds, since Oct 28 12:09:58 2015
>>   malloc: sbrk 1351680, mmap 0, used 248608, free 1103072
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
>> Listening IP addresses:
>>   10.64.69.117
>>   2001:db8:0:f101::1
>>   fd08:2eef:c2ee:0:2e19:ba2d:e05f:35
>> Connections:
>>   snbi_tun_2:  fe80::20c:29ff:feb2:ae2f%eth1...fe80::20c:29ff:fea8:e174%eth1  IKEv2
>>   snbi_tun_2:   local:  [N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186] uses public key authentication
>>   snbi_tun_2:    cert:  "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186"
>>   snbi_tun_2:   remote: uses public key authentication
>>   snbi_tun_2:   child:  dynamic === dynamic TRANSPORT
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>> *ipsec at ipsec2:~/snbi_new/snbi/snbiFe/bin$ sudo ipsec up snbi_tun_2*
>>
>> initiating IKE_SA snbi_tun_2[1] to fe80::20c:29ff:fea8:e174
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>> sending packet: from fe80::20c:29ff:feb2:ae2f[500] to fe80::20c:29ff:fea8:e174[500] (408 bytes)
>> received packet: from fe80::20c:29ff:fea8:e174[500] to fe80::20c:29ff:feb2:ae2f[500] (353 bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
>> received cert request for "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186"
>> sending cert request for "CN=snbi"
>> no private key found for 'N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186'
>> establishing connection 'snbi_tun_2' failed
>>
>> *ipsec at ipsec2:~/snbi_new/snbi/snbiFe/bin$ ip -6 tun show*
>>
>> snbi_tun_3: gre/ipv6 remote fe80::20c:29ff:fea8:e16a local fe80::20c:29ff:feb2:ae25 dev eth0 encaplimit 4 hoplimit 64 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
>> ip6gre0: gre/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
>> ip6tnl0: ipv6/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
>> snbi_tun_1: gre/ipv6 remote fe80::20c:29ff:fe6f:6c61 local fe80::20c:29ff:feb2:ae25 dev eth0 encaplimit 4 hoplimit 64 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
>> snbi_tun_2: gre/ipv6 remote fe80::20c:29ff:fea8:e174 local fe80::20c:29ff:feb2:ae2f dev eth1 encaplimit 4 hoplimit 64 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
>>
>> *ipsec at ipsec2:~/snbi_new/snbi/snbiFe/bin$ sudo ipsec listcerts*
>>
>> List of X.509 End Entity Certificates:
>>
>>   subject:  "N=2e19.ba2d.e05f-53, CN=2e19.ba2d.e05f-53, OU=cisco.com, SN=LINUX:PID:SN:960966186"
>>   issuer:   "CN=snbi"
>>   serial:    01:50:ad:1c:60:4f
>>   validity:  not before Oct 28 11:52:09 2015, ok
>>              not after  Oct 28 11:52:09 2018, ok
>>   pubkey:    RSA 1024 bits
>>   keyid:     d5:77:cb:02:9d:84:05:d0:7d:00:1f:c1:6b:f2:35:76:c9:37:f3:c6
>>   subjkey:   cd:15:7e:9c:33:58:cd:49:f9:ff:89:b4:0a:28:61:a3:d0:a3:45:75
>>
>> ipsec at ipsec2:~/snbi_new/snbi/snbiFe/bin$
>>
>> Thanks,
>>
>> Sindhu
>>
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
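A worked version of the fingerprint comparison Andreas describes, added here as an example and not code from the mailing list or from strongSwan: a standard-library Python script that extracts the SubjectPublicKeyInfo from a PEM private key (PKCS#1 or PKCS#8, unencrypted RSA only) and from a certificate, computes the keyid (SHA-1 over the DER-encoded SubjectPublicKeyInfo) and subjkey (SHA-1 over the subjectPublicKey bit string, which is the RFC 5280 subjectKeyIdentifier) in the colon-separated form `pki --print` shows, and reports whether the two keyids agree. All function names are the example's own, and the sample key material (textbook-sized primes and an unsigned certificate skeleton) is constructed for the demonstration; on a real host you would feed it the actual `myKey.pem` and `myCert.pem`.

```python
"""Compare keyid / subjkey of a private key and a certificate (added example, not strongSwan code).
Standard library only: a small DER walker finds the SubjectPublicKeyInfo (SPKI) in a PKCS#1
'RSA PRIVATE KEY', a PKCS#8 'PRIVATE KEY' or an X.509 'CERTIFICATE' PEM block and derives
the values pki --print reports: keyid = SHA-1(DER SubjectPublicKeyInfo) and
subjkey = SHA-1(subjectPublicKey bit string), the RFC 5280 subjectKeyIdentifier (method 1).
Assumes unencrypted RSA keys. The sample key and certificate below are constructed toys."""
import base64
import hashlib

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def der_len(n):  # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)   # leading zero keeps the INTEGER positive

RSA_ALG = tlv(0x30, RSA_OID + b"\x05\x00")   # AlgorithmIdentifier {rsaEncryption, NULL}

def der_children(body):
    """Split the body of a constructed DER element into (tag, value, raw) triples."""
    out, i = [], 0
    while i < len(body):
        start = i
        tag, ln, i = body[i], body[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            k = ln & 0x7F
            ln, i = int.from_bytes(body[i:i + k], "big"), i + k
        out.append((tag, body[i:i + ln], body[start:i + ln]))
        i += ln
    return out

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.strip().splitlines() if not l.startswith("-----")))

def der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def spki_from_rsa_numbers(n, e):  # SubjectPublicKeyInfo {RSA_ALG, BIT STRING RSAPublicKey{n, e}}
    rsa_pub = tlv(0x30, der_int(n) + der_int(e))
    return tlv(0x30, RSA_ALG + tlv(0x03, b"\x00" + rsa_pub))

def spki_from_private_key(der):
    """Rebuild the SPKI that belongs to a PKCS#1 or PKCS#8 RSA private key."""
    fields = der_children(der_children(der)[0][1])
    if fields[1][0] == 0x30:   # PKCS#8: version, AlgorithmIdentifier, OCTET STRING(RSAPrivateKey)
        fields = der_children(der_children(fields[2][1])[0][1])
    n = int.from_bytes(fields[1][1], "big")             # RSAPrivateKey: version, n, e, d, p, q, ...
    e = int.from_bytes(fields[2][1], "big")
    return spki_from_rsa_numbers(n, e)

def spki_from_certificate(der):
    tbs = der_children(der_children(der)[0][1])[0]      # tbsCertificate
    fields = der_children(tbs[1])
    return fields[6 if fields[0][0] == 0xA0 else 5][2]  # explicit [0] version is optional

def fingerprints(spki):
    """(keyid, subjkey) in the colon-separated hex form pki --print uses."""
    bitstring = der_children(der_children(spki)[0][1])[1][1]
    colon = lambda d: ":".join(f"{b:02x}" for b in d)
    return colon(hashlib.sha1(spki).digest()), colon(hashlib.sha1(bitstring[1:]).digest())

def check_key_matches_cert(key_pem, cert_pem):
    key_id, key_sk = fingerprints(spki_from_private_key(pem_to_der(key_pem)))
    cert_id, cert_sk = fingerprints(spki_from_certificate(pem_to_der(cert_pem)))
    return {"key_keyid": key_id, "cert_keyid": cert_id,
            "key_subjkey": key_sk, "cert_subjkey": cert_sk, "match": key_id == cert_id}

# --- constructed sample data: toy primes, NOT usable keys, structure only ---
def toy_rsa_private_key_pem(p, q, e=17):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    crt = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    return der_to_pem("RSA PRIVATE KEY", tlv(0x30, b"".join(der_int(v) for v in crt)))

def to_pkcs8_pem(pkcs1_pem):  # re-wrap a PKCS#1 key as PKCS#8, same key material
    return der_to_pem("PRIVATE KEY", tlv(0x30, der_int(0) + RSA_ALG + tlv(0x04, pem_to_der(pkcs1_pem))))

def skeleton_cert_pem(spki):  # unsigned X.509 skeleton with empty issuer/validity/subject
    empty = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + RSA_ALG + empty * 3 + spki)
    return der_to_pem("CERTIFICATE", tlv(0x30, tbs + RSA_ALG + tlv(0x03, b"\x00")))

KEY_PEM = toy_rsa_private_key_pem(61, 53)          # the pair that matches CERT_PEM
OTHER_KEY_PEM = toy_rsa_private_key_pem(67, 71)    # an unrelated key pair
CERT_PEM = skeleton_cert_pem(spki_from_rsa_numbers(61 * 53, 17))

if __name__ == "__main__":
    for name, key in (("matching key", KEY_PEM), ("other key", OTHER_KEY_PEM)):
        r = check_key_matches_cert(key, CERT_PEM)
        print(f"{name}: key keyid {r['key_keyid']} / cert keyid {r['cert_keyid']} -> match={r['match']}")
```

If the two keyids differ, charon has loaded a key that belongs to some other certificate, which is exactly the situation behind the "no private key found" message in the thread; the fix is to install the key that matches the certificate, not to reload the one that is there.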

