[strongSwan] No private key found

rajeev nohria rajnohria at gmail.com
Thu Oct 5 17:33:47 CEST 2017


I have seen this issue before and fixed it. But this time I am not able to
figure it out. Let me know if anyone sees the issue or has any suggestions. Thanks in
advance.

Problem:
Getting an error while initiating the connection.

*[IKE] no private key found for 'fc00:cada:c404:607::1001'*

*11[IKE] no private key found for 'fc00:cada:c404:607::1001'*

We are able to load the certificates and keys; looking at the logs, the following
lines are proof.


messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded RSA
private key

messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded
certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
Certification Authority'

messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded
certificate 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'

messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded
certificate 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
Device Certification Authority'

But when I initiate a connection, I get the following.

root at E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200

07[CFG] vici initiate 'gcpfc00:cada:c404::200'

09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002

[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002

[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) N(REDIR_SUP) ]

09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]

[NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500]
(264 bytes)

09[NET] sending packet: from fc00:cada:c404:607::1001[500] to
2017::5002[500] (264 bytes)

11[NET] received packet: from 2017::5002[500] to
fc00:cada:c404:607::1001[500] (289 bytes)

[NET] received packet: from 2017::5002[500] to
fc00:cada:c404:607::1001[500] (289 bytes)

11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(HASH_ALG) N(MULT_AUTH) ]

[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(HASH_ALG) N(MULT_AUTH) ]

[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

*[IKE] no private key found for 'fc00:cada:c404:607::1001'*

*11[IKE] no private key found for 'fc00:cada:c404:607::1001'*

*initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed*

root at E6kn-2016:# swanctl --list-conns

rpdfc00:cada:c404::200: IKEv2, no reauthentication, rekeying every 14400s

  local:  fc00:cada:c404:607::1001

  remote: 2017::5002

  local public key authentication:

    id: fc00:cada:c404:607::1001

  remote public key authentication:

  gcpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s

    local:  fc00:cada:c404:607::1001/128[tcp]

    remote: 2017::5002/128[tcp]

  l2tpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s

    local:  fc00:cada:c404:607::1001/128[l2tp]

    remote: 2017::5002/128[l2tp]

root at E6kn-2016:# swanctl --list-certs


List of X.509 End Entity Certificates


  subject:  "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"

  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
Device Certification Authority"

  validity:  not before Sep 28 18:18:53 2017, ok

             not after  Sep 28 18:18:53 2037, ok (expires in 7300 days)

  serial:    dd:dc:09:21:36:f2:e8:71

  authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b

  subjkeyId: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9

  pubkey:    RSA 2048 bits, has private key

  keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e

  subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9


List of X.509 CA Certificates


  subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
Device Certification Authority"

  issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
Certification Authority"

  validity:  not before Dec 09 23:08:49 2014, ok

             not after  Dec 09 23:08:49 2049, ok (expires in 11755 days)

  serial:    a0:16:bc:73:85:0e:65:37

  altNames:  CN=SYMC-3072-5

  flags:     CA CRLSign

  pathlen:   0

  authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb

  subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b

  pubkey:    RSA 3072 bits

  keyid:     b7:98:32:e4:ae:30:02:57:f7:ad:cb:2b:37:41:17:9c:1b:9d:79:28

  subjkey:   f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b


  subject:  "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
Certification Authority"

  issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
Certification Authority"

  validity:  not before Nov 11 17:19:44 2014, ok

             not after  Nov 11 17:19:44 2064, ok (expires in 17206 days)

  serial:    b1:b0:d3:be:83:ee:bf:e3

  altNames:  CN=MPKI-4096-1-206

  flags:     CA CRLSign self-signed

  subjkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb

  pubkey:    RSA 4096 bits

  keyid:     bd:0e:4c:0f:21:cf:f0:49:af:19:34:3b:c2:64:c5:31:a1:2e:11:07

  subjkey:   89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb

pki --print --type rsa-priv --in privKey.pem

  privkey:   RSA 2048 bits

  keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e

  subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
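Added example, not strongSwan's code or the poster's: a Python check (assuming the `cryptography` package) of the two conditions strongSwan applies before it can authenticate with a private key, the key matching a loaded certificate and the configured local id matching that certificate's subject DN or one of its subjectAltNames, which is where an IP-address identity like the one above and a certificate whose CN holds a MAC address and carries no altNames part ways. The certificates and ids are constructed, and `make_cert`, `keyid`, `cert_matches_id` and `find_private_key` are the example's own names.

```python
# Added check, not strongSwan code; needs the `cryptography` package. It models
# the two conditions strongSwan applies before it can sign with a private key,
# so "no private key found for <id>" can appear beside "has private key":
#   1. the key belongs to a loaded certificate (same SubjectPublicKeyInfo);
#   2. the local id is that cert's subject DN or one of its subjectAltNames.
import datetime, hashlib, ipaddress
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def make_cert(cn, san_ip=None):
    """Constructed self-signed test certificate, optionally with an iPAddress SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365)))
    if san_ip:  # an IPv6 identity like the one in the thread needs this kind of SAN
        b = b.add_extension(x509.SubjectAlternativeName(
            [x509.IPAddress(ipaddress.ip_address(san_ip))]), critical=False)
    return b.sign(key, hashes.SHA256()), key

def keyid(public_key):
    """SHA-1 of the DER SubjectPublicKeyInfo: the 'keyid' that swanctl and pki print."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    return ":".join(f"{byte:02x}" for byte in hashlib.sha1(der).digest())

def cert_matches_id(cert, local_id):
    """True if local_id equals the subject DN or appears as a subjectAltName."""
    if local_id == cert.subject.rfc4514_string():
        return True
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False  # no SANs: only the DN form of the id could have matched
    try:  # IP ids compare as addresses, so textual formatting never matters
        return ipaddress.ip_address(local_id) in san.get_values_for_type(x509.IPAddress)
    except ValueError:
        return local_id in san.get_values_for_type(x509.DNSName)

def find_private_key(local_id, cert_key_pairs):
    """Key the lookup would use for local_id, or None (the 'no private key found' case)."""
    for cert, key in cert_key_pairs:
        if keyid(cert.public_key()) == keyid(key.public_key()) and cert_matches_id(cert, local_id):
            return key
    return None
```

With a certificate whose only name is a MAC-address CN, `find_private_key` returns None for an IPv6 id even though the key matches the certificate; adding the address as an iPAddress SAN (or setting the local id to the DN) makes the same key usable.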