[strongSwan] nm-strongswan always requires a password for client keys

Nicola Feltrin nicola.feltrin at mailbox.org
Wed Dec 28 14:47:27 CET 2016

Hi everyone!

I’m a little bit of a noob, so I hope someone here can help me with
some trouble I’m experiencing with nm-strongswan.

I followed the official guide[^1] to generate certificates and keys. In
particular, I generated the keys with

  pki --gen --outform pem > peer.key.pem

This tool, regardless of the pem format, does not require to set up a
password for the key, nor was I able to find an option in the manual to
do so.

When trying to configure my VPN, though, nm-strongswan asks for the
password of the key, without ever allowing me to proceed without
providing one. This causes charon to fail at opening the key with
errors like:

dic 28 13:40:23 $hostname charon-nm[1923]: 05[LIB] opening
'$path_to_key' failed: Permission denied
dic 28 13:40:23 $hostname charon-nm[1923]: 05[LIB] building
CRED_PRIVATE_KEY - RSA failed, tried 7 builders

I think this might be a bug (I would expect nm-strongswan to detect
when the key is password-protected and when not) but I’d like to hear
someone else’s thoughts before reporting it.

In case it has any relevance, I’m on arch running networkmanager-
strongswan 1.4.1-1 and strongswan 5.5.1-2 (both from the AUR).

Also, as a possible workaround, I’d be grateful if anyone could suggest
a way to generate a password-protected key.

With my best wishes,

Nicola Feltrin

PS: I also asked on the irc, if I get answers there I’ll post them here
for archiving purposes and in case anyone else need them :)

[^1]: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161228/15a30c2d/attachment.sig>

More information about the Users mailing list