[strongSwan] No private key found

rajeev nohria rajnohria at gmail.com
Fri Oct 6 14:37:09 CEST 2017


Andreas,

Thanks for the reply. I am using the davici interface instead of swanctl.conf. I
do set the id as id: fc00:cada:c404:607::1001 but not the certs. Since I
am using davici, it does not know the certificate file name and its path; I
am reading the certificate file and passing the data. How can I resolve the
problem in this situation?

Thanks,
Rajeev

On Thu, Oct 5, 2017 at 11:56 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi,
>
> you must not set the IKEv2 ID to
>
>     id: fc00:cada:c404:607::1001
>
> since this ID is not contained as a subjectAltName in the client
> certificate.
>
> Probably you didn't use the "certs" parameter in the local section of
> swanctl.conf so that the client certificate just got loaded from
> /etc/swanctl/x509. If you don't define the "id" parameter in the local
> section then the IPv6 address of the client is assumed as the "id" by
> default and because the IP address is not contained as a subjectAltName
> in the certificate then neither the certificate nor the corresponding
> private key is found.
>
> So the best approach is to define the following in swanctl.conf:
>
> local {
>    auth = pubkey
>    certs = myCert.pem
> }
>
> This first causes the private key to be found automatically based
> on the fingerprint of the public key contained in the certificate and
> the ID to be set to the subject distinguished name contained in the
> certificate.
>
> Best regards
>
> Andreas
>
> On 05.10.2017 17:33, rajeev nohria wrote:
> > I have seen this issue before and fixed it. But this time I am not able
> > to figure it out. Let me know if anyone sees an issue or has any suggestion. Thanks
> > in advance.
> >
> > Problem:
> > Getting error while initiating the connection.
> >
> > [IKE] no private key found for 'fc00:cada:c404:607::1001'
> >
> > 11[IKE] no private key found for 'fc00:cada:c404:607::1001'
> >
> > We are able to load the certificate and keys; looking at the logs, the following
> > are proof.
> >
> >
> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info :
> > 08[CFG] loaded RSA private key
> >
> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info :
> > 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01,
> > CN=TEST CableLabs Root Certification Authority'
> >
> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info :
> > 08[CFG] loaded certificate 'C=US, O=ARRIS, OU=LOWELL,
> > CN=00:33:5f:ab:8c:9e'
> >
> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info :
> > 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01,
> > CN=TEST CableLabs Device Certification Authority'
> >
> >
> >
> > But when I initiate a connection, I get the following.
> >
> >
> >
> > root at E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200
> >
> > 07[CFG] vici initiate 'gcpfc00:cada:c404::200'
> >
> > 09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
> >
> > [IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
> >
> > [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> > N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
> >
> > 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> > N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
> >
> > [NET] sending packet: from fc00:cada:c404:607::1001[500] to
> > 2017::5002[500] (264 bytes)
> >
> > 09[NET] sending packet: from fc00:cada:c404:607::1001[500] to
> > 2017::5002[500] (264 bytes)
> >
> > 11[NET] received packet: from 2017::5002[500] to
> > fc00:cada:c404:607::1001[500] (289 bytes)
> >
> > [NET] received packet: from 2017::5002[500] to
> > fc00:cada:c404:607::1001[500] (289 bytes)
> >
> > 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> > N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> >
> > [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> > CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> >
> > [IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
> > CN=TEST CableLabs Device Certification Authority"
> >
> > 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device
> > CA01, CN=TEST CableLabs Device Certification Authority"
> >
> > [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
> > CN=TEST CableLabs Device Certification Authority"
> >
> > 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device
> > CA01, CN=TEST CableLabs Device Certification Authority"
> >
> > [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> > CN=TEST CableLabs Root Certification Authority"
> >
> > 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> > CN=TEST CableLabs Root Certification Authority"
> >
> > [IKE] no private key found for 'fc00:cada:c404:607::1001'
> >
> > 11[IKE] no private key found for 'fc00:cada:c404:607::1001'
> >
> > initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed
> >
> >
> >
> >
> >
> > root at E6kn-2016:# swanctl --list-conns
> >
> > rpdfc00:cada:c404::200: IKEv2, no reauthentication, rekeying every 14400s
> >
> >   local:  fc00:cada:c404:607::1001
> >
> >   remote: 2017::5002
> >
> >   local public key authentication:
> >
> >     id: fc00:cada:c404:607::1001
> >
> >   remote public key authentication:
> >
> >   gcpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
> >
> >     local:  fc00:cada:c404:607::1001/128[tcp]
> >
> >     remote: 2017::5002/128[tcp]
> >
> >   l2tpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
> >
> >     local:  fc00:cada:c404:607::1001/128[l2tp]
> >
> >     remote: 2017::5002/128[l2tp]
> >
> >
> >
> >
> > root at E6kn-2016:# swanctl --list-certs
> >
> >
> > List of X.509 End Entity Certificates
> >
> >
> >   subject:  "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"
> >
> >   issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
> > Device Certification Authority"
> >
> >   validity:  not before Sep 28 18:18:53 2017, ok
> >
> >              not after  Sep 28 18:18:53 2037, ok (expires in 7300 days)
> >
> >   serial:    dd:dc:09:21:36:f2:e8:71
> >
> >   authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
> >
> >   subjkeyId: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
> >
> >   pubkey:    RSA 2048 bits, has private key
> >
> >   keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
> >
> >   subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
> >
> >
> > List of X.509 CA Certificates
> >
> >
> >   subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
> > Device Certification Authority"
> >
> >   issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs
> > Root Certification Authority"
> >
> >   validity:  not before Dec 09 23:08:49 2014, ok
> >
> >              not after  Dec 09 23:08:49 2049, ok (expires in 11755 days)
> >
> >   serial:    a0:16:bc:73:85:0e:65:37
> >
> >   altNames:  CN=SYMC-3072-5
> >
> >   flags:     CA CRLSign
> >
> >   pathlen:   0
> >
> >   authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
> >
> >   subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
> >
> >   pubkey:    RSA 3072 bits
> >
> >   keyid:     b7:98:32:e4:ae:30:02:57:f7:ad:cb:2b:37:41:17:9c:1b:9d:79:28
> >
> >   subjkey:   f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
> >
> >
> >   subject:  "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs
> > Root Certification Authority"
> >
> >   issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs
> > Root Certification Authority"
> >
> >   validity:  not before Nov 11 17:19:44 2014, ok
> >
> >              not after  Nov 11 17:19:44 2064, ok (expires in 17206 days)
> >
> >   serial:    b1:b0:d3:be:83:ee:bf:e3
> >
> >   altNames:  CN=MPKI-4096-1-206
> >
> >   flags:     CA CRLSign self-signed
> >
> >   subjkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
> >
> >   pubkey:    RSA 4096 bits
> >
> >   keyid:     bd:0e:4c:0f:21:cf:f0:49:af:19:34:3b:c2:64:c5:31:a1:2e:11:07
> >
> >   subjkey:   89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
> >
> >
> >
> > pki --print --type rsa-priv --in privKey.pem
> >
> >   privkey:   RSA 2048 bits
> >
> >   keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
> >
> >   subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
> >
> >
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
>
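As an added illustration (not code from the thread, from strongSwan or from davici), the change Andreas recommends expressed as the vici "load-conn" request a davici client would send: the certificate's own PEM bytes go into the local section's certs list and no id is set, so the private key is matched by the public-key fingerprint and the IKE identity defaults to the certificate's subject DN. Python stands in for C because the vici wire format is the same for any client; CERT_PEM is a constructed placeholder, the connection and child names are the ones from the thread, and the element encoding follows strongSwan's vici README.

```python
import ipaddress
import struct

SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)  # vici element types
CMD_REQUEST = 0  # vici packet type for a named command request
# Constructed placeholder, not a real certificate: vici/davici takes the PEM or DER bytes, not a file name
CERT_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"

def _key(name):  # 1-byte length + key name
    raw = name.encode()
    return struct.pack("!B", len(raw)) + raw

def _val(value):  # 2-byte big-endian length + value
    raw = value if isinstance(value, bytes) else str(value).encode()
    return struct.pack("!H", len(raw)) + raw

def encode_message(msg):
    """Serialise nested dicts (sections) and lists into vici message elements."""
    out = b""
    for key, value in msg.items():
        if isinstance(value, dict):
            out += bytes([SECTION_START]) + _key(key) + encode_message(value) + bytes([SECTION_END])
        elif isinstance(value, list):
            items = b"".join(bytes([LIST_ITEM]) + _val(item) for item in value)
            out += bytes([LIST_START]) + _key(key) + items + bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _key(key) + _val(value)
    return out

def encode_request(command, msg):
    """Frame a CMD_REQUEST packet: 4-byte length, type byte, command name, message."""
    body = bytes([CMD_REQUEST]) + _key(command) + encode_message(msg)
    return struct.pack("!I", len(body)) + body

def check_local_auth(local):
    """Flag the two settings that together produce 'no private key found for <ip>'."""
    warnings = []
    try:
        ipaddress.ip_address(local.get("id", ""))
        warnings.append("id is an IP address; the certificate needs it as a subjectAltName")
    except ValueError:
        pass
    if not local.get("certs"):
        warnings.append("no certs given; certificate and private key are looked up by id only")
    return warnings

def build_load_conn():  # the thread's connection, with certs set and no explicit id
    return {"rpdfc00:cada:c404::200": {
        "version": 2, "local_addrs": ["fc00:cada:c404:607::1001"], "remote_addrs": ["2017::5002"],
        "local": {"auth": "pubkey", "certs": [CERT_PEM]},  # id defaults to the cert's subject DN
        "remote": {"auth": "pubkey"}}}
```

The matching private key is still loaded separately (a "load-key" request carrying the key's PEM bytes); strongSwan then associates it with the certificate by public-key fingerprint, which is exactly the "keyid" that matches between the certificate and key in the swanctl and pki output above.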