[strongSwan] No private key found

Andreas Steffen andreas.steffen at strongswan.org
Thu Oct 5 17:56:38 CEST 2017


Hi,

you must not set the IKEv2 ID to

    id: fc00:cada:c404:607::1001

since this ID is not contained as a subjectAltName in the client
certificate.

Probably you didn't use the "certs" parameter in the local section of
swanctl.conf, so the client certificate just got loaded from
/etc/swanctl/x509. If you don't define the "id" parameter in the local
section, then the IPv6 address of the client is assumed as the "id" by
default, and because the IP address is not contained as a subjectAltName
in the certificate, neither the certificate nor the corresponding
private key is found.

So the best approach is to define the following in swanctl.conf:

local {
   auth = pubkey
   certs = myCert.pem
}

This causes the private key to be found automatically based on the
fingerprint of the public key contained in the certificate, and the ID
to be set to the subject distinguished name contained in the
certificate.

Best regards

Andreas

On 05.10.2017 17:33, rajeev nohria wrote:
> I have seen this issue before and fixed it. But this time I am not able
> to figure it out. Let me know if anyone sees the issue or has any
> suggestion. Thanks in advance.
> 
> Problem: 
> Getting error while initiating the connection.
> 
> *[IKE] no private key found for 'fc00:cada:c404:607::1001'*
> 
> *11[IKE] no private key found for 'fc00:cada:c404:607::1001'*
> 
> 
> 
> We are able to load the certificate and keys. Looking at the logs, the
> following are proof.
>  
> 
> messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info :
> 08[CFG] loaded RSA private key
> 
> messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info :
> 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority'
> 
> messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info :
> 08[CFG] loaded certificate 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'
> 
> messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info :
> 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01,
> CN=TEST CableLabs Device Certification Authority'
> 
> 
> 
> But when I initiate a connection, I get the following.
> 
> 
> 
> root@E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200
> 
> 07[CFG] vici initiate 'gcpfc00:cada:c404::200'
> 
> 09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
> 
> [IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
> 
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
> 
> 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
> 
> [NET] sending packet: from fc00:cada:c404:607::1001[500] to
> 2017::5002[500] (264 bytes)
> 
> 09[NET] sending packet: from fc00:cada:c404:607::1001[500] to
> 2017::5002[500] (264 bytes)
> 
> 11[NET] received packet: from 2017::5002[500] to
> fc00:cada:c404:607::1001[500] (289 bytes)
> 
> [NET] received packet: from 2017::5002[500] to
> fc00:cada:c404:607::1001[500] (289 bytes)
> 
> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> 
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> 
> [IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
> CN=TEST CableLabs Device Certification Authority"
> 
> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device
> CA01, CN=TEST CableLabs Device Certification Authority"
> 
> [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
> CN=TEST CableLabs Device Certification Authority"
> 
> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device
> CA01, CN=TEST CableLabs Device Certification Authority"
> 
> [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority"
> 
> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority"
> 
> *[IKE] no private key found for 'fc00:cada:c404:607::1001'*
> 
> *11[IKE] no private key found for 'fc00:cada:c404:607::1001'*
> 
> 
> *initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed*
> 
> 
> 
> 
> 
> root@E6kn-2016:# swanctl --list-conns
> 
> rpdfc00:cada:c404::200: IKEv2, no reauthentication, rekeying every 14400s
> 
>   local:  fc00:cada:c404:607::1001
> 
>   remote: 2017::5002
> 
>   local public key authentication:
> 
>     id: fc00:cada:c404:607::1001
> 
>   remote public key authentication:
> 
>   gcpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
> 
>     local:  fc00:cada:c404:607::1001/128[tcp]
> 
>     remote: 2017::5002/128[tcp]
> 
>   l2tpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
> 
>     local:  fc00:cada:c404:607::1001/128[l2tp]
> 
>     remote: 2017::5002/128[l2tp]
> 
> 
> 
> 
> root@E6kn-2016:# swanctl --list-certs
> 
> 
> List of X.509 End Entity Certificates
> 
> 
>   subject:  "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"
> 
>   issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
> Device Certification Authority"
> 
>   validity:  not before Sep 28 18:18:53 2017, ok
> 
>              not after  Sep 28 18:18:53 2037, ok (expires in 7300 days)
> 
>   serial:    dd:dc:09:21:36:f2:e8:71
> 
>   authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
> 
>   subjkeyId: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
> 
>   pubkey:    RSA 2048 bits, has private key
> 
>   keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
> 
>   subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
> 
> 
> List of X.509 CA Certificates
> 
> 
>   subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
> Device Certification Authority"
> 
>   issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs
> Root Certification Authority"
> 
>   validity:  not before Dec 09 23:08:49 2014, ok
> 
>              not after  Dec 09 23:08:49 2049, ok (expires in 11755 days)
> 
>   serial:    a0:16:bc:73:85:0e:65:37
> 
>   altNames:  CN=SYMC-3072-5
> 
>   flags:     CA CRLSign 
> 
>   pathlen:   0
> 
>   authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
> 
>   subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
> 
>   pubkey:    RSA 3072 bits
> 
>   keyid:     b7:98:32:e4:ae:30:02:57:f7:ad:cb:2b:37:41:17:9c:1b:9d:79:28
> 
>   subjkey:   f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
> 
> 
>   subject:  "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs
> Root Certification Authority"
> 
>   issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs
> Root Certification Authority"
> 
>   validity:  not before Nov 11 17:19:44 2014, ok
> 
>              not after  Nov 11 17:19:44 2064, ok (expires in 17206 days)
> 
>   serial:    b1:b0:d3:be:83:ee:bf:e3
> 
>   altNames:  CN=MPKI-4096-1-206
> 
>   flags:     CA CRLSign self-signed 
> 
>   subjkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
> 
>   pubkey:    RSA 4096 bits
> 
>   keyid:     bd:0e:4c:0f:21:cf:f0:49:af:19:34:3b:c2:64:c5:31:a1:2e:11:07
> 
>   subjkey:   89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
> 
> 
> 
> root@E6kn-2016:# pki --print --type rsa-priv --in privKey.pem
> 
>   privkey:   RSA 2048 bits
> 
>   keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
> 
>   subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
> 
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
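
Added example (an illustration written for this page, not strongSwan code and not part of the thread): a small string-level model of the lookup Andreas describes, so that three "local" sections can be compared side by side: the failing one from the thread (no "certs", no "id", so the local IPv6 address becomes the ID), the recommended one ("certs = myCert.pem", ID defaulting to the subject DN), and a pinned certificate with the IP address forced as "id". The certificate and key values are the ones printed by swanctl --list-certs and pki --print above; "myCert.pem" is assumed to be the file holding the ARRIS device certificate. Two assumptions are built in: identities are compared as plain strings (strongSwan compares typed identities and has further lookup paths, e.g. by key ID), and with "certs" set the private key is located through the certificate's public-key fingerprint regardless of "id", so a mismatched ID is modelled as a rejection by the peer rather than as a local "no private key found".

```python
"""
Added illustration, not strongSwan source: a string-level model of how the
'local' section of a swanctl.conf connection selects the IKEv2 identity,
the certificate and the private key, fed with the values from the thread.
Assumption: strongSwan's real matching is typed (IPv6 address vs. DN vs.
SAN) and has more lookup paths; only the subject-DN / subjectAltName /
key-fingerprint path is modelled here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str            # subject DN as `swanctl --list-certs` prints it
    alt_names: tuple = ()   # subjectAltName entries (none on the thread's cert)
    keyid: str = ""         # 'keyid' (SHA-1 of subjectPublicKeyInfo) from pki --print


@dataclass(frozen=True)
class PrivKey:
    keyid: str              # same fingerprint, computed from the private key


# Values copied from the `swanctl --list-certs` and `pki --print` output above.
DEVICE_CERT = Cert(
    subject="C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e",
    alt_names=(),
    keyid="8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e",
)
DEVICE_KEY = PrivKey(
    keyid="8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e",
)

# Models /etc/swanctl/x509: file name -> loaded end-entity certificate.
# "myCert.pem" is the name from Andreas' reply, assumed to hold DEVICE_CERT.
X509_DIR = {"myCert.pem": DEVICE_CERT}
LOADED_KEYS = (DEVICE_KEY,)
LOCAL_ADDRESS = "fc00:cada:c404:607::1001"


def id_in_cert(identity, cert):
    """A peer accepts IDi only if it is the subject DN or one of the SANs."""
    return identity == cert.subject or identity in cert.alt_names


def key_for_cert(cert, keys):
    """Certificate and private key are paired by public-key fingerprint."""
    return next((k for k in keys if k.keyid == cert.keyid), None)


def resolve_local_auth(local, local_address=LOCAL_ADDRESS,
                       x509_dir=X509_DIR, keys=LOADED_KEYS):
    """
    local: the 'local' section as a dict, e.g. {"auth": "pubkey", "certs": "myCert.pem"}.
    Returns (identity, cert, key); raises LookupError carrying the IKE log
    text when no usable private key can be found.
    """
    if "certs" in local:
        # Explicit cert: the key is found via the cert's fingerprint and the
        # identity defaults to the cert's subject DN (assumed behaviour).
        cert = x509_dir[local["certs"]]
        identity = local.get("id", cert.subject)
    else:
        # No cert pinned: the identity (default: local IP address) is used to
        # search all loaded end-entity certs by subject DN / SAN.
        identity = local.get("id", local_address)
        cert = next((c for c in x509_dir.values() if id_in_cert(identity, c)), None)
        if cert is None:
            raise LookupError(f"no private key found for '{identity}'")
    key = key_for_cert(cert, keys)
    if key is None:
        raise LookupError(f"no private key found for '{identity}'")
    return identity, cert, key


def check_config(local, **kw):
    """One-line verdict for a 'local' section, as a practitioner would read it."""
    try:
        identity, cert, _key = resolve_local_auth(local, **kw)
    except LookupError as e:
        return f"FAIL locally: {e}"
    if not id_in_cert(identity, cert):
        return f"key found, but the peer would reject IDi '{identity}' (not in cert)"
    return f"OK: IDi='{identity}', cert keyid {cert.keyid[:11]}..."


if __name__ == "__main__":
    # 1. What the thread shows: no 'certs', no 'id' -> the IPv6 address is the ID.
    print(check_config({"auth": "pubkey"}))
    # 2. Andreas' recommendation: pin the cert, let the ID default to its subject DN.
    print(check_config({"auth": "pubkey", "certs": "myCert.pem"}))
    # 3. Pinned cert but the IP address forced as ID: the local lookup passes in
    #    this model, yet the asserted ID is still not in the certificate.
    print(check_config({"auth": "pubkey", "certs": "myCert.pem",
                        "id": "fc00:cada:c404:607::1001"}))
```

Run it with python3; the three printed verdicts correspond to the three configurations. On a real box the equivalent check is to compare the "keyid"/"subjkey" lines from pki --print --type x509 --in myCert.pem and pki --print --type rsa-priv --in privKey.pem (they match in the thread, which is why "loaded RSA private key" by itself does not prove the key will be used for this connection), and to confirm that the intended ID appears in the certificate's subject or altNames.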

