[strongSwan] No private key found
rajeev nohria
rajnohria at gmail.com
Thu Oct 5 17:33:47 CEST 2017
I have seen this issue before and fixed it, but this time I am not able to
figure it out. Let me know if anyone sees the issue or has any suggestion. Thanks in
advance.
Problem:
Getting error while initiating the connection.
[IKE] no private key found for 'fc00:cada:c404:607::1001'
11[IKE] no private key found for 'fc00:cada:c404:607::1001'
We are able to load the certificate and keys; looking at the logs, the following are
proof.
messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded RSA private key
messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority'
messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'
messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority'
But when I initiate a connection, I get the following.
root at E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200
07[CFG] vici initiate 'gcpfc00:cada:c404::200'
09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500] (264 bytes)
09[NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500] (264 bytes)
11[NET] received packet: from 2017::5002[500] to fc00:cada:c404:607::1001[500] (289 bytes)
[NET] received packet: from 2017::5002[500] to fc00:cada:c404:607::1001[500] (289 bytes)
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
[IKE] no private key found for 'fc00:cada:c404:607::1001'
11[IKE] no private key found for 'fc00:cada:c404:607::1001'
initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed
root at E6kn-2016:# swanctl --list-conns
rpdfc00:cada:c404::200: IKEv2, no reauthentication, rekeying every 14400s
  local:  fc00:cada:c404:607::1001
  remote: 2017::5002
  local public key authentication:
    id: fc00:cada:c404:607::1001
  remote public key authentication:
  gcpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
    local:  fc00:cada:c404:607::1001/128[tcp]
    remote: 2017::5002/128[tcp]
  l2tpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
    local:  fc00:cada:c404:607::1001/128[l2tp]
    remote: 2017::5002/128[l2tp]
root at E6kn-2016:# swanctl --list-certs
List of X.509 End Entity Certificates

  subject:  "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"
  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  validity:  not before Sep 28 18:18:53 2017, ok
             not after  Sep 28 18:18:53 2037, ok (expires in 7300 days)
  serial:    dd:dc:09:21:36:f2:e8:71
  authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
  subjkeyId: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
  pubkey:    RSA 2048 bits, has private key
  keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
  subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9

List of X.509 CA Certificates

  subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
  validity:  not before Dec 09 23:08:49 2014, ok
             not after  Dec 09 23:08:49 2049, ok (expires in 11755 days)
  serial:    a0:16:bc:73:85:0e:65:37
  altNames:  CN=SYMC-3072-5
  flags:     CA CRLSign
  pathlen:   0
  authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
  subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
  pubkey:    RSA 3072 bits
  keyid:     b7:98:32:e4:ae:30:02:57:f7:ad:cb:2b:37:41:17:9c:1b:9d:79:28
  subjkey:   f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b

  subject:  "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
  issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
  validity:  not before Nov 11 17:19:44 2014, ok
             not after  Nov 11 17:19:44 2064, ok (expires in 17206 days)
  serial:    b1:b0:d3:be:83:ee:bf:e3
  altNames:  CN=MPKI-4096-1-206
  flags:     CA CRLSign self-signed
  subjkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
  pubkey:    RSA 4096 bits
  keyid:     bd:0e:4c:0f:21:cf:f0:49:af:19:34:3b:c2:64:c5:31:a1:2e:11:07
  subjkey:   89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb

pki --print --type rsa-priv --in privKey.pem
  privkey:   RSA 2048 bits
  keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
  subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
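Editor's note with an added swanctl.conf fragment (not part of the original post and not the poster's configuration). It illustrates the identity check behind the error above: strongSwan locates the private key through a certificate whose subject DN or subjectAltName matches the connection's local id, and the end-entity certificate listed above has subject CN=00:33:5f:ab:8c:9e with no altNames, while the local id is the IP address fc00:cada:c404:607::1001. The connection name and the certificate file name are assumptions.

```conf
# Added example, not the poster's config. Assumed: the end-entity certificate
# is installed as /etc/swanctl/x509/device.pem and its private key as
# /etc/swanctl/private/privKey.pem (swanctl loads both on `swanctl --load-all`).
connections {
    rpd {
        version      = 2
        local_addrs  = fc00:cada:c404:607::1001
        remote_addrs = 2017::5002
        local {
            auth  = pubkey
            # The id must be contained in the certificate: here the subject DN
            # exactly as shown by `swanctl --list-certs`. With the IP address as
            # id, this certificate (no IP subjectAltName) would not be selected,
            # which is what "no private key found for '<id>'" reports.
            id    = "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"
            certs = device.pem
        }
        remote {
            auth = pubkey
        }
        children {
            gcp {
                mode          = transport
                local_ts      = fc00:cada:c404:607::1001/128[tcp]
                remote_ts     = 2017::5002/128[tcp]
                rekey_time    = 3600s
            }
        }
    }
}
```

If the id has to stay the IP address (for example because the responder expects it), the certificate instead needs a subjectAltName carrying that address, so the mismatch is resolved on the certificate side rather than in the config.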