[strongSwan] No private key found
rajeev nohria
rajnohria at gmail.com
Mon Dec 11 20:45:32 CET 2017
Please find the key and config. I am using davici, so I am printing the
configuration from the log as the commands are executing.
Load-Connection command
Section start rpdfc00:cada:c404::200
Version is 2
Local_addrs is fc00:cada:c404:607::1004
remote_addrs is fc00:cada:c404::200
local_port is 500
remote_port is 500
proposals is aes128-sha256-modp2048
local section
auth is pubkey
RPD ip address is fc00:cada:c404:607::1004
id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
CN=FF:FF:05:E6:E6:20
remote
id is %any
auth is pubkey
On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh <jafar at atcorp.com>
wrote:
> Can you share your config/secret files ?
>
> --Jafar
>
> On 12/11/2017 9:17 AM, rajeev nohria wrote:
>
> Can anyone help with this issue? I have set up the id with the Subject id. I still
> have this issue. Is there anything else I am missing?
> Thanks,
> Rajeev
>
> On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria <rajnohria at gmail.com>
> wrote:
>
>>
>> Not sure what is wrong here. Can you let me know if I am missing
>> something?
>>
>> 16[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/43005]
>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>
>> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport
>> interface, path = [/tmp/Hal/agent/client/1/push]
>>
>> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
>>
>> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>
>> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>> fc00:cada:c406::200[500] (456 bytes)
>>
>> 10[NET] received packet: from fc00:cada:c406::200[500] to
>> fc00:cada:c406:607::1001[500] (453 bytes)
>>
>> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>
>> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 10[IKE] received 1 cert requests for an unknown ca
>>
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
>> CN=TEST CableLabs Device Certification Authority"
>>
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
>>
>> 13[KNL] creating delete job for CHILD_SA ESP/0x00000000/fc00:cada:c406:
>> :200
>>
>> 08[JOB] CHILD_SA ESP/0x00000000/fc00:cada:c406::200 not found for delete
>>
>> 06[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/39047]
>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>
>> 16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200
>>
>> 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>
>> 16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>> fc00:cada:c406::200[500] (456 bytes)
>>
>> 11[NET] received packet: from fc00:cada:c406::200[500] to
>> fc00:cada:c406:607::1001[500] (453 bytes)
>>
>> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>
>> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 11[IKE] received 1 cert requests for an unknown ca
>>
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
>> CN=TEST CableLabs Device Certification Authority"
>>
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20
>>
>>
>> root at plnx_aarch64:~# ip -s xfrm state
>>
>> src fc00:cada:c406:607::1001 dst fc00:cada:c406::200
>>
>> proto esp spi 0x00000000(0) reqid 2(0x00000002) mode transport
>>
>> replay-window 0 seq 0x00000002 flag (0x00000000)
>>
>> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>>
>> sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128
>> proto tcp sport 39047 dport 8190 uid 0
>>
>> lifetime config:
>>
>> limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>> limit: soft (INF)(packets), hard (INF)(packets)
>>
>> expire add: soft 0(sec), hard 165(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 16:01:42 use -
>>
>> stats:
>>
>> replay-wind
>>
>>
>> root at plnx_aarch64:~# ip -s xfrm policy
>>
>> src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto tcp
>> uid 0
>>
>> dir in action allow index 88 priority 234336 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>> limit: soft (INF)(packets), hard (INF)(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 15:58:55 use -
>>
>> tmpl src :: dst ::
>>
>> proto esp spi 0x00000000(0) reqid 2(0x00000002) mode
>> transport
>>
>> level required share any
>>
>> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>
>> src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto tcp
>> uid 0
>>
>> dir out action allow index 81 priority 234336 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>> limit: soft (INF)(packets), hard (INF)(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 15:58:55 use -
>>
>> tmpl src :: dst ::
>>
>> proto esp spi 0x00000000(0) reqid 2(0x00000002) mode
>> transport
>>
>> level required share any
>>
>> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>
>> src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto l2tp
>> uid 0
>>
>> dir in action allow index 72 priority 234336 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>> limit: soft (INF)(packets), hard (INF)(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 15:58:55 use -
>>
>> tmpl src :: dst ::
>>
>> proto esp spi 0x00000000(0) reqid 1(0x00000001) mode
>> transport
>>
>> level required share any
>>
>> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>
>> src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto l2tp
>> uid 0
>>
>> dir out action allow index 65 priority 234336 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>> limit: soft (INF)(packets), hard (INF)(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 15:58:55 use -
>>
>> tmpl src :: dst ::
>>
>> proto esp spi 0x00000000(0) reqid 1(0x00000001) mode
>> transport
>>
>> level required share any
>>
>> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>
>> socket in action allow index 59 priority 0 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft 0(bytes), hard 0(bytes)
>>
>> limit: soft 0(packets), hard 0(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 18:46:13 use -
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>
>> socket out action allow index 52 priority 0 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft 0(bytes), hard 0(bytes)
>>
>> limit: soft 0(packets), hard 0(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 18:46:13 use -
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>
>> socket in action allow index 43 priority 0 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft 0(bytes), hard 0(bytes)
>>
>> limit: soft 0(packets), hard 0(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 18:46:13 use -
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>
>> socket out action allow index 36 priority 0 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft 0(bytes), hard 0(bytes)
>>
>> limit: soft 0(packets), hard 0(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 18:46:13 use -
>>
>> src ::/0 dst ::/0 uid 0
>>
>> socket in action allow index 27 priority 0 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft 0(bytes), hard 0(bytes)
>>
>> limit: soft 0(packets), hard 0(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 18:46:13 use -
>>
>> src ::/0 dst ::/0 uid 0
>>
>> socket out action allow index 20 priority 0 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft 0(bytes), hard 0(bytes)
>>
>> limit: soft 0(packets), hard 0(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 18:46:13 use -
>>
>> src ::/0 dst ::/0 uid 0
>>
>> socket in action allow index 11 priority 0 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft 0(bytes), hard 0(bytes)
>>
>> limit: soft 0(packets), hard 0(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 18:46:13 use 2017-11-13 16:04:42
>>
>> src ::/0 dst ::/0 uid 0
>>
>> socket out action allow index 4 priority 0 share any flag
>> (0x00000000)
>>
>> lifetime config:
>>
>> limit: soft 0(bytes), hard 0(bytes)
>>
>> limit: soft 0(packets), hard 0(packets)
>>
>> expire add: soft 0(sec), hard 0(sec)
>>
>> expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>> 0(bytes), 0(packets)
>>
>> add 2017-11-13 18:46:13 use 2017-11-13 16:04:30
>>
>> ################# Certificates ######################
>>
>> v --in *privKey.pem*
>>
>> privkey: RSA 2048 bits
>>
>> keyid: 85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce
>>
>> subjkey: 71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>>
>> root at plnx_aarch64:/var/priv# pki --print --type x509 --in *Dcert.pem*
>>
>> opening 'Dcert.pem' failed: No such file or directory
>>
>> building CRED_CERTIFICATE - X509 failed, tried 4 builders
>>
>> parsing input failed
>>
>> root at plnx_aarch64:/var/priv# pki --print --type x509 --in DCert.pem
>>
>> subject: "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
>> CN=FF:FF:05:E6:E6:20"
>>
>> issuer: "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
>> Device Certification Authority"
>>
>> validity: not before Sep 14 16:13:24 2017, ok
>>
>> not after Sep 14 16:13:24 2018, ok (expires in 305 days)
>>
>> serial: 01:ff:ff:05:e6:e6:20
>>
>> authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>>
>> subjkeyId: 71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>>
>> pubkey: RSA 2048 bits
>>
>> keyid: 85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce
>>
>> subjkey: 71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>>
>> root at plnx_aarch64:/var/priv#
>>
>> root at plnx_aarch64:/var/priv#
>>
>> root at plnx_aarch64:/var/priv#
>>
>> root at plnx_aarch64:/var/priv# pki --print --type x509 --in *DMCert.pem*
>>
>> subject: "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
>> Device Certification Authority"
>>
>> issuer: "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
>> Certification Authority"
>>
>> validity: not before Dec 09 23:08:49 2014, ok
>>
>> not after Dec 09 23:08:49 2049, ok (expires in 11714 days)
>>
>> serial: a0:16:bc:73:85:0e:65:37
>>
>> altNames: CN=SYMC-3072-5
>>
>> flags: CA CRLSign
>>
>> pathlen: 0
>>
>> authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>>
>> subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>>
>> pubkey: RSA 3072 bits
>>
>> keyid: b7:98:32:e4:ae:30:02:57:f7:ad:cb:2b:37:41:17:9c:1b:9d:79:28
>>
>> subjkey: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>>
>> root at plnx_aarch64:/var/priv# ls
>>
>> DCert.pem DMCertTemp.der privKey.pem
>>
>> DCertTemp.der DRCert.pem privKeyTemp.der
>>
>> DMCert.pem DRCertTemp.der privKeyTemp1.der
>>
>> root at plnx_aarch64:/var/priv# pki --print --type x509 --in *DRCert.pem*
>>
>> subject: "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
>> Certification Authority"
>>
>> issuer: "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
>> Certification Authority"
>>
>> validity: not before Nov 11 17:19:44 2014, ok
>>
>> not after Nov 11 17:19:44 2064, ok (expires in 17165 days)
>>
>> serial: b1:b0:d3:be:83:ee:bf:e3
>>
>> altNames: CN=MPKI-4096-1-206
>>
>> flags: CA CRLSign self-signed
>>
>> subjkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>>
>> pubkey: RSA 4096 bits
>>
>> keyid: bd:0e:4c:0f:21:cf:f0:49:af:19:34:3b:c2:64:c5:31:a1:2e:11:07
>>
>> subjkey: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>>
>> root at plnx_aarch64:/var/priv#
>>
>
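Editor's added example (not part of the thread, and not strongSwan or davici code): the `keyid:` and `subjkey:` lines that `pki --print` shows above are the identifiers the daemon uses to pair a loaded private key with the certificate it authenticates with; `keyid` is the SHA-1 of the whole SubjectPublicKeyInfo DER and `subjkey` is the SHA-1 of the subjectPublicKey bit string (the RFC 5280 method-1 subjectKeyIdentifier, which is why `subjkey` equals `subjkeyId` on DCert.pem). In the thread both values of privKey.pem match DCert.pem, so the pairing logic itself is not what is failing. The Go program below reproduces that check for any key/certificate pair, using only the standard library; the self-signed certificate and the 2048-bit key it generates are constructed test data, and the subject CN is borrowed from the thread only for familiarity.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// spki mirrors the ASN.1 SubjectPublicKeyInfo so the raw subjectPublicKey
// BIT STRING can be pulled out of the DER encoding.
type spki struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

// KeyIDs holds the two identifiers `pki --print` reports for a public key.
type KeyIDs struct {
	KeyID   string // SHA-1 over the complete SubjectPublicKeyInfo DER
	SubjKey string // SHA-1 over the subjectPublicKey BIT STRING contents
}

// colonHex formats a digest the way pki prints it (aa:bb:cc:...).
func colonHex(b []byte) string {
	parts := make([]string, len(b))
	for i, c := range b {
		parts[i] = hex.EncodeToString([]byte{c})
	}
	return strings.Join(parts, ":")
}

// ComputeKeyIDs derives keyid and subjkey from any public key Go can marshal.
func ComputeKeyIDs(pub interface{}) (KeyIDs, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return KeyIDs{}, err
	}
	var info spki
	if _, err := asn1.Unmarshal(der, &info); err != nil {
		return KeyIDs{}, err
	}
	k := sha1.Sum(der)
	s := sha1.Sum(info.PublicKey.Bytes)
	return KeyIDs{KeyID: colonHex(k[:]), SubjKey: colonHex(s[:])}, nil
}

// KeyMatchesCert reports whether the private key belongs to the certificate:
// both identifiers derived from the key must equal those of the cert's public key.
func KeyMatchesCert(key *rsa.PrivateKey, cert *x509.Certificate) (bool, error) {
	fromKey, err := ComputeKeyIDs(key.Public())
	if err != nil {
		return false, err
	}
	fromCert, err := ComputeKeyIDs(cert.PublicKey)
	if err != nil {
		return false, err
	}
	return fromKey.KeyID == fromCert.KeyID && fromKey.SubjKey == fromCert.SubjKey, nil
}

// SelfSignedCert builds a throwaway certificate for key (constructed test data,
// not the CableLabs-issued device certificate from the thread).
func SelfSignedCert(key *rsa.PrivateKey, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"Example Org"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	cert, err := SelfSignedCert(key, "FF:FF:05:E6:E6:20")
	if err != nil {
		panic(err)
	}
	ids, _ := ComputeKeyIDs(key.Public())
	fmt.Printf("privkey: RSA %d bits\n  keyid:   %s\n  subjkey: %s\n", key.N.BitLen(), ids.KeyID, ids.SubjKey)
	ok, _ := KeyMatchesCert(key, cert)
	fmt.Println("key matches certificate:", ok)
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key must not match
	ok, _ = KeyMatchesCert(other, cert)
	fmt.Println("unrelated key matches certificate:", ok)
}
```

To apply it to real files, load the PEM with `encoding/pem` plus `x509.ParsePKCS1PrivateKey` (or `ParsePKCS8PrivateKey`) and `x509.ParseCertificate`, then compare the printed values with the `keyid:`/`subjkey:` lines from `pki --print`. When the identifiers agree, as they do in the thread, a "no private key found" message points at the key not being present in the daemon's credential set at lookup time rather than at a key/certificate mismatch.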
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DCertTemp.der
Type: application/x-x509-ca-cert
Size: 1049 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171211/11f57599/attachment-0004.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DMCertTemp.der
Type: application/x-x509-ca-cert
Size: 1400 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171211/11f57599/attachment-0005.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DRCertTemp.der
Type: application/x-x509-ca-cert
Size: 1492 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171211/11f57599/attachment-0006.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: privKeyTemp1.der
Type: application/x-x509-ca-cert
Size: 1217 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171211/11f57599/attachment-0007.crt>