[strongSwan] No private key found

Ben Lavender ben.lavender at virtualdcs.co.uk
Tue Nov 14 19:10:58 CET 2017


Is the private key in /etc/ipsec.d/private?

Regards

Ben

Sent from my iPhone

On 14 Nov 2017, at 17:45, rajeev nohria <rajnohria at gmail.com> wrote:


Not sure what is wrong here. Can you let me know if I am missing something here?



16[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/43005] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport interface, path = [/tmp/Hal/agent/client/1/push]
15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
15[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
10[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (453 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
10[IKE] received 1 cert requests for an unknown ca
10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
13[KNL] creating delete job for CHILD_SA ESP/0x00000000/fc00:cada:c406::200
08[JOB] CHILD_SA ESP/0x00000000/fc00:cada:c406::200 not found for delete
06[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/39047] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200
16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
16[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
11[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (453 bytes)
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
11[IKE] received 1 cert requests for an unknown ca
11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20'



root at plnx_aarch64:~# ip -s xfrm state
src fc00:cada:c406:607::1001 dst fc00:cada:c406::200
        proto esp spi 0x00000000(0) reqid 2(0x00000002) mode transport
        replay-window 0 seq 0x00000002 flag  (0x00000000)
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto tcp sport 39047 dport 8190 uid 0
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 165(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 16:01:42 use -
        stats:
          replay-wind



root at plnx_aarch64:~# ip -s xfrm policy
src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto tcp uid 0
        dir in action allow index 88 priority 234336 share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 15:58:55 use -
        tmpl src :: dst ::
                proto esp spi 0x00000000(0) reqid 2(0x00000002) mode transport
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto tcp uid 0
        dir out action allow index 81 priority 234336 share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 15:58:55 use -
        tmpl src :: dst ::
                proto esp spi 0x00000000(0) reqid 2(0x00000002) mode transport
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto l2tp uid 0
        dir in action allow index 72 priority 234336 share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 15:58:55 use -
        tmpl src :: dst ::
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode transport
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto l2tp uid 0
        dir out action allow index 65 priority 234336 share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 15:58:55 use -
        tmpl src :: dst ::
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode transport
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket in action allow index 59 priority 0 share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 18:46:13 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket out action allow index 52 priority 0 share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 18:46:13 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket in action allow index 43 priority 0 share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 18:46:13 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket out action allow index 36 priority 0 share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 18:46:13 use -
src ::/0 dst ::/0 uid 0
        socket in action allow index 27 priority 0 share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 18:46:13 use -
src ::/0 dst ::/0 uid 0
        socket out action allow index 20 priority 0 share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 18:46:13 use -
src ::/0 dst ::/0 uid 0
        socket in action allow index 11 priority 0 share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 18:46:13 use 2017-11-13 16:04:42
src ::/0 dst ::/0 uid 0
        socket out action allow index 4 priority 0 share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-13 18:46:13 use 2017-11-13 16:04:30


################# Certificates ######################


v --in privKey.pem
  privkey:   RSA 2048 bits
  keyid:     85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce
  subjkey:   71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f



root at plnx_aarch64:/var/priv# pki --print --type x509 --in Dcert.pem
  opening 'Dcert.pem' failed: No such file or directory
building CRED_CERTIFICATE - X509 failed, tried 4 builders
parsing input failed
root at plnx_aarch64:/var/priv# pki --print --type x509 --in DCert.pem
  subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20"
  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  validity:  not before Sep 14 16:13:24 2017, ok
             not after  Sep 14 16:13:24 2018, ok (expires in 305 days)
  serial:    01:ff:ff:05:e6:e6:20
  authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
  subjkeyId: 71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
  pubkey:    RSA 2048 bits
  keyid:     85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce
  subjkey:   71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
root at plnx_aarch64:/var/priv#



root at plnx_aarch64:/var/priv# pki --print --type x509 --in DMCert.pem
  subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
  validity:  not before Dec 09 23:08:49 2014, ok
             not after  Dec 09 23:08:49 2049, ok (expires in 11714 days)
  serial:    a0:16:bc:73:85:0e:65:37
  altNames:  CN=SYMC-3072-5
  flags:     CA CRLSign
  pathlen:   0
  authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
  subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
  pubkey:    RSA 3072 bits
  keyid:     b7:98:32:e4:ae:30:02:57:f7:ad:cb:2b:37:41:17:9c:1b:9d:79:28
  subjkey:   f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
root at plnx_aarch64:/var/priv# ls
DCert.pem         DMCertTemp.der    privKey.pem
DCertTemp.der     DRCert.pem        privKeyTemp.der
DMCert.pem        DRCertTemp.der    privKeyTemp1.der



root at plnx_aarch64:/var/priv# pki --print --type x509 --in DRCert.pem
  subject:  "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
  issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
  validity:  not before Nov 11 17:19:44 2014, ok
             not after  Nov 11 17:19:44 2064, ok (expires in 17165 days)
  serial:    b1:b0:d3:be:83:ee:bf:e3
  altNames:  CN=MPKI-4096-1-206
  flags:     CA CRLSign self-signed
  subjkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
  pubkey:    RSA 4096 bits
  keyid:     bd:0e:4c:0f:21:cf:f0:49:af:19:34:3b:c2:64:c5:31:a1:2e:11:07
  subjkey:   89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
root at plnx_aarch64:/var/priv#
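The outputs quoted above already contain the decisive check: pki --print reports the same keyid (85:d3:eb:51:...) for privKey.pem and for DCert.pem, so the key and the certificate belong together, and the authkeyId/subjkeyId values chain DCert.pem to DMCert.pem and DMCert.pem to the self-signed DRCert.pem. A "no private key found" for that subject therefore points at a key charon never loaded rather than at a wrong key. The script below is an added example, not code from the original post or from the strongSwan project: it automates that comparison over the pki --print output and the charon log line exactly as they appear in the thread (embedded here as sample text copied from the post), and a WRONG_KEY sample constructed by altering the keyid shows the mismatch case. The chain walk by authkeyId/subjkeyId and the verdict strings are this example's own logic, not strongSwan output; the log-line regex tolerates the missing closing quote seen in the second charon line above.

```python
import re

# Sample inputs copied from the post above (pki --print on the device's files
# and one charon log line). WRONG_KEY is constructed for contrast.
PKI_PRIVKEY = """\
  privkey:   RSA 2048 bits
  keyid:     85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce
  subjkey:   71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
"""

PKI_DCERT = """\
  subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20"
  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  serial:    01:ff:ff:05:e6:e6:20
  authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
  subjkeyId: 71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
  pubkey:    RSA 2048 bits
  keyid:     85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce
  subjkey:   71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
"""

PKI_DMCERT = """\
  subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
  flags:     CA CRLSign
  authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
  subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
"""

PKI_DRCERT = """\
  subject:  "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
  issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
  flags:     CA CRLSign self-signed
  subjkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
"""

CHARON_LINE = ("10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., "
               "OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20'")

# Constructed: same shape as PKI_PRIVKEY, but the keyid is altered so it no
# longer belongs to DCert.pem.
WRONG_KEY = PKI_PRIVKEY.replace("85:d3:eb:51", "00:00:00:00")

FIELD_RE = re.compile(r'^\s*([A-Za-z]+):\s+(.*?)\s*$')
# Closing quote optional: the second charon line in the post lacks it.
LOG_RE = re.compile(r"no private key found for '([^']*)'?")


def parse_pki(text):
    """Turn 'pki --print' output into a dict of field -> value (DNs unquoted)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip('"')
    return fields


def chain_links(cert, cas):
    """True if each authkeyId equals the next CA's subjkeyId and the last CA is self-signed."""
    cur = cert
    for ca in cas:
        if cur.get("authkeyId") != ca.get("subjkeyId"):
            return False
        cur = ca
    return "self-signed" in cur.get("flags", "")


def diagnose(key_text, cert_text, ca_texts, log_line):
    """Classify a 'no private key found' line against the key and cert outputs."""
    key = parse_pki(key_text)
    cert = parse_pki(cert_text)
    cas = [parse_pki(t) for t in ca_texts]
    m = LOG_RE.search(log_line)
    wanted = m.group(1) if m else None
    result = {
        "key_matches_cert": key.get("keyid") == cert.get("keyid"),
        "chain_ok": chain_links(cert, cas),
        "log_subject_matches": wanted == cert.get("subject"),
    }
    if result["key_matches_cert"] and result["log_subject_matches"]:
        result["verdict"] = ("key matches the certificate charon is asking for: "
                             "the key file is simply not loaded (check the "
                             "ipsec.secrets entry and /etc/ipsec.d/private)")
    elif not result["key_matches_cert"]:
        result["verdict"] = "private key does not belong to this certificate"
    else:
        result["verdict"] = "charon is selecting a different certificate than expected"
    return result


if __name__ == "__main__":
    for label, k in (("privKey.pem", PKI_PRIVKEY), ("constructed wrong key", WRONG_KEY)):
        print(label, diagnose(k, PKI_DCERT, [PKI_DMCERT, PKI_DRCERT], CHARON_LINE))
```

On a real box, feed it the output of `pki --print --type priv --in privKey.pem` and `pki --print --type x509 --in DCert.pem` instead of the embedded text. A matching key that is still "not found" means charon never read it: with ipsec.conf/ipsec.secrets the key must be referenced by a `: RSA privKey.pem` line in ipsec.secrets, where a relative path is resolved under /etc/ipsec.d/private (so a key left in /var/priv is invisible unless that line carries the absolute path), and after `ipsec rereadsecrets` the output of `ipsec listcerts` should show "has private key" next to the certificate; with swanctl the key goes under /etc/swanctl/private and is picked up by `swanctl --load-creds`.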

