[strongSwan] No private key found

rajeev nohria rajnohria at gmail.com
Mon Dec 11 20:45:32 CET 2017


Please find the key and config.  I am using davici so I am printing the
configuration from log as commands are executing.

 Load-Connection command
  Section start rpdfc00:cada:c404::200
  Version is 2
 Local_addrs  is fc00:cada:c404:607::1004
 remote_addrs is fc00:cada:c404::200
  local_port is 500
  remote_port is 500
  proposals is aes128-sha256-modp2048
  local section
 auth is pubkey
 RPD ip address is fc00:cada:c404:607::1004
 id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
CN=FF:FF:05:E6:E6:20
  remote
  id is %any
  auth is pubkey










On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh <jafar at atcorp.com>
wrote:

> Can  you share your config/secret files ?
>
> --Jafar
>
>
> On 12/11/2017 9:17 AM, rajeev nohria wrote:
>
> Anyone can help in this issue, I have setup the id with Subject id.  Still
> have this issue. Is anything else I am missing?
> Thanks,
> Rajeev
>
> On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria <rajnohria at gmail.com>
> wrote:
>
>>
>> Not sure what is wrong here,  Can you let me know if  I am missing
>> something here.
>>
>>
>>
>> 16[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/43005]
>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>
>> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport
>> interface, path = [/tmp/Hal/agent/client/1/push]
>>
>> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
>>
>> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>
>> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>> fc00:cada:c406::200[500] (456 bytes)
>>
>> 10[NET] received packet: from fc00:cada:c406::200[500] to
>> fc00:cada:c406:607::1001[500] (453 bytes)
>>
>> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>
>> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 10[IKE] received 1 cert requests for an unknown ca
>>
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
>> CN=TEST CableLabs Device Certification Authority"
>>
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
>>
>> 13[KNL] creating delete job for CHILD_SA ESP/0x00000000/fc00:cada:c406:
>> :200
>>
>> 08[JOB] CHILD_SA ESP/0x00000000/fc00:cada:c406::200 not found for delete
>>
>> 06[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/39047]
>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>
>> 16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200
>>
>> 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>
>> 16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>> fc00:cada:c406::200[500] (456 bytes)
>>
>> 11[NET] received packet: from fc00:cada:c406::200[500] to
>> fc00:cada:c406:607::1001[500] (453 bytes)
>>
>> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>
>> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 11[IKE] received 1 cert requests for an unknown ca
>>
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
>> CN=TEST CableLabs Device Certification Authority"
>>
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20
>>
>>
>>
>>
>>
>>
>>
>> root at plnx_aarch64:~# ip -s xfrm state
>>
>> src fc00:cada:c406:607::1001 dst fc00:cada:c406::200
>>
>>         proto esp spi 0x00000000(0) reqid 2(0x00000002) mode transport
>>
>>         replay-window 0 seq 0x00000002 flag  (0x00000000)
>>
>>         anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>>
>>         sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128
>> proto tcp sport 39047 dport 8190 uid 0
>>
>>         lifetime config:
>>
>>           limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>>           limit: soft (INF)(packets), hard (INF)(packets)
>>
>>           expire add: soft 0(sec), hard 165(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 16:01:42 use -
>>
>>         stats:
>>
>>           replay-wind
>>
>>
>>
>>
>>
>>
>>
>> root at plnx_aarch64:~# ip -s xfrm policy
>>
>> src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto tcp
>> uid 0
>>
>>         dir in action allow index 88 priority 234336 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>>           limit: soft (INF)(packets), hard (INF)(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 15:58:55 use -
>>
>>         tmpl src :: dst ::
>>
>>                 proto esp spi 0x00000000(0) reqid 2(0x00000002) mode
>> transport
>>
>>                 level required share any
>>
>>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>
>> src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto tcp
>> uid 0
>>
>>         dir out action allow index 81 priority 234336 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>>           limit: soft (INF)(packets), hard (INF)(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 15:58:55 use -
>>
>>         tmpl src :: dst ::
>>
>>                 proto esp spi 0x00000000(0) reqid 2(0x00000002) mode
>> transport
>>
>>                 level required share any
>>
>>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>
>> src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto l2tp
>> uid 0
>>
>>         dir in action allow index 72 priority 234336 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>>           limit: soft (INF)(packets), hard (INF)(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 15:58:55 use -
>>
>>         tmpl src :: dst ::
>>
>>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode
>> transport
>>
>>                 level required share any
>>
>>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>
>> src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto l2tp
>> uid 0
>>
>>         dir out action allow index 65 priority 234336 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>>           limit: soft (INF)(packets), hard (INF)(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 15:58:55 use -
>>
>>         tmpl src :: dst ::
>>
>>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode
>> transport
>>
>>                 level required share any
>>
>>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>
>>         socket in action allow index 59 priority 0 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft 0(bytes), hard 0(bytes)
>>
>>           limit: soft 0(packets), hard 0(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 18:46:13 use -
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>
>>         socket out action allow index 52 priority 0 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft 0(bytes), hard 0(bytes)
>>
>>           limit: soft 0(packets), hard 0(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 18:46:13 use -
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>
>>         socket in action allow index 43 priority 0 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft 0(bytes), hard 0(bytes)
>>
>>           limit: soft 0(packets), hard 0(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 18:46:13 use -
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>
>>         socket out action allow index 36 priority 0 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft 0(bytes), hard 0(bytes)
>>
>>           limit: soft 0(packets), hard 0(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 18:46:13 use -
>>
>> src ::/0 dst ::/0 uid 0
>>
>>         socket in action allow index 27 priority 0 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft 0(bytes), hard 0(bytes)
>>
>>           limit: soft 0(packets), hard 0(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 18:46:13 use -
>>
>> src ::/0 dst ::/0 uid 0
>>
>>         socket out action allow index 20 priority 0 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft 0(bytes), hard 0(bytes)
>>
>>           limit: soft 0(packets), hard 0(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 18:46:13 use -
>>
>> src ::/0 dst ::/0 uid 0
>>
>>         socket in action allow index 11 priority 0 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft 0(bytes), hard 0(bytes)
>>
>>           limit: soft 0(packets), hard 0(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 18:46:13 use 2017-11-13 16:04:42
>>
>> src ::/0 dst ::/0 uid 0
>>
>>         socket out action allow index 4 priority 0 share any flag
>> (0x00000000)
>>
>>         lifetime config:
>>
>>           limit: soft 0(bytes), hard 0(bytes)
>>
>>           limit: soft 0(packets), hard 0(packets)
>>
>>           expire add: soft 0(sec), hard 0(sec)
>>
>>           expire use: soft 0(sec), hard 0(sec)
>>
>>         lifetime current:
>>
>>           0(bytes), 0(packets)
>>
>>           add 2017-11-13 18:46:13 use 2017-11-13 16:04:30
>>
>>
>>
>>
>>
>> ################# Certificates ######################
>>
>>
>>
>>
>>
>> v --in *privKey.pem*
>>
>>   privkey:   RSA 2048 bits
>>
>>   keyid:     85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce
>>
>>   subjkey:   71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>>
>>
>>
>>
>>
>>
>>
>> root at plnx_aarch64:/var/priv# pki --print --type x509 --in *Dcert.pem*
>>
>>   opening 'Dcert.pem' failed: No such file or directory
>>
>> building CRED_CERTIFICATE - X509 failed, tried 4 builders
>>
>> parsing input failed
>>
>> root at plnx_aarch64:/var/priv# pki --print --type x509 --in DCert.pem
>>
>>   subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
>> CN=FF:FF:05:E6:E6:20"
>>
>>   issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
>> Device Certification Authority"
>>
>>   validity:  not before Sep 14 16:13:24 2017, ok
>>
>>              not after  Sep 14 16:13:24 2018, ok (expires in 305 days)
>>
>>   serial:    01:ff:ff:05:e6:e6:20
>>
>>   authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>>
>>   subjkeyId: 71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>>
>>   pubkey:    RSA 2048 bits
>>
>>   keyid:     85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce
>>
>>   subjkey:   71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>>
>> root at plnx_aarch64:/var/priv#
>>
>> root at plnx_aarch64:/var/priv#
>>
>> root at plnx_aarch64:/var/priv#
>>
>>
>>
>>
>>
>>
>>
>> root at plnx_aarch64:/var/priv# pki --print --type x509 --in *DMCert.pem*
>>
>>   subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
>> Device Certification Authority"
>>
>>   issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
>> Certification Authority"
>>
>>   validity:  not before Dec 09 23:08:49 2014, ok
>>
>>              not after  Dec 09 23:08:49 2049, ok (expires in 11714 days)
>>
>>   serial:    a0:16:bc:73:85:0e:65:37
>>
>>   altNames:  CN=SYMC-3072-5
>>
>>   flags:     CA CRLSign
>>
>>   pathlen:   0
>>
>>   authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>>
>>   subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>>
>>   pubkey:    RSA 3072 bits
>>
>>   keyid:     b7:98:32:e4:ae:30:02:57:f7:ad:cb:2b:37:41:17:9c:1b:9d:79:28
>>
>>   subjkey:   f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>>
>> root at plnx_aarch64:/var/priv# ls
>>
>> DCert.pem         DMCertTemp.der    privKey.pem
>>
>> DCertTemp.der     DRCert.pem        privKeyTemp.der
>>
>> DMCert.pem        DRCertTemp.der    privKeyTemp1.der
>>
>>
>>
>>
>>
>>
>>
>> root at plnx_aarch64:/var/priv# pki --print --type x509 --in *DRCert.pem*
>>
>>   subject:  "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
>> Certification Authority"
>>
>>   issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
>> Certification Authority"
>>
>>   validity:  not before Nov 11 17:19:44 2014, ok
>>
>>              not after  Nov 11 17:19:44 2064, ok (expires in 17165 days)
>>
>>   serial:    b1:b0:d3:be:83:ee:bf:e3
>>
>>   altNames:  CN=MPKI-4096-1-206
>>
>>   flags:     CA CRLSign self-signed
>>
>>   subjkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>>
>>   pubkey:    RSA 4096 bits
>>
>>   keyid:     bd:0e:4c:0f:21:cf:f0:49:af:19:34:3b:c2:64:c5:31:a1:2e:11:07
>>
>>   subjkey:   89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>>
>> root at plnx_aarch64:/var/priv#
>>
>>
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171211/11f57599/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DCertTemp.der
Type: application/x-x509-ca-cert
Size: 1049 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171211/11f57599/attachment-0004.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DMCertTemp.der
Type: application/x-x509-ca-cert
Size: 1400 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171211/11f57599/attachment-0005.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DRCertTemp.der
Type: application/x-x509-ca-cert
Size: 1492 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171211/11f57599/attachment-0006.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: privKeyTemp1.der
Type: application/x-x509-ca-cert
Size: 1217 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171211/11f57599/attachment-0007.crt>


More information about the Users mailing list