[strongSwan] No private key found

rajeev nohria rajnohria at gmail.com
Mon Oct 9 03:17:56 CEST 2017


I resolved the issue by setting up id properly. Thanks for the direction.

On Fri, Oct 6, 2017 at 8:37 AM, rajeev nohria <rajnohria at gmail.com> wrote:

> Andreas,
>
> Thanks for the reply. I am using the davici interface instead of swanctl.conf.
> I do set the id as id: fc00:cada:c404:607::1001 but not the certs. Since
> I am using davici, it does not know the certificate file name and its path;
> I am reading the certificate file and passing the data. How can I resolve
> the problem in this situation?
>
> Thanks,
> Rajeev
>
> On Thu, Oct 5, 2017 at 11:56 AM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>
>> Hi,
>>
>> you must not set the IKEv2 ID to
>>
>>     id: fc00:cada:c404:607::1001
>>
>> since this ID is not contained as a subjectAltName in the client
>> certificate.
>>
>> Probably you didn't use the "certs" parameter in the local section of
>> swanctl.conf so that the client certificate just got loaded from
>> /etc/swanctl/x509. If you don't define the "id" parameter in the local
>> section then the IPv6 address of the client is assumed as the "id" by
>> default and because the IP address is not contained as a subjectAltName
>> in the certificate then neither the certificate nor the corresponding
>> private key is found.
>>
>> So the best approach is to define the following in swanctl.conf:
>>
>> local {
>>    auth = pubkey
>>    certs = myCert.pem
>> }
>>
>> This first causes the private key to be found automatically based
>> on the fingerprint of the public key contained in the certificate and
>> the ID to be set to the subject distinguished name contained in the
>> certificate.
>>
>> Best regards
>>
>> Andreas
>>
>> On 05.10.2017 17:33, rajeev nohria wrote:
>> > I have seen this issue before and fixed it. But this time I am not able
>> > to figure it out. Let me know if anyone sees the issue or has any suggestion.
>> > Thanks in advance.
>> >
>> > Problem:
>> > Getting error while initiating the connection.
>> >
>> > [IKE] no private key found for 'fc00:cada:c404:607::1001'
>> >
>> > 11[IKE] no private key found for 'fc00:cada:c404:607::1001'
>> >
>> > We are able to load the certificate and keys. Looking at the logs, the
>> > following lines are proof.
>> >
>> >
>> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded RSA private key
>> >
>> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority'
>> >
>> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'
>> >
>> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority'
>> >
>> >
>> >
>> > But when I initiate a connection, I get the following.
>> >
>> >
>> >
>> > root at E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200
>> >
>> > 07[CFG] vici initiate 'gcpfc00:cada:c404::200'
>> > 09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
>> > [IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
>> > [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>> > 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>> > [NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500] (264 bytes)
>> > 09[NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500] (264 bytes)
>> > 11[NET] received packet: from 2017::5002[500] to fc00:cada:c404:607::1001[500] (289 bytes)
>> > [NET] received packet: from 2017::5002[500] to fc00:cada:c404:607::1001[500] (289 bytes)
>> > 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
>> > [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
>> > [IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> > 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> > [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> > 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> > [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> > 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> > [IKE] no private key found for 'fc00:cada:c404:607::1001'
>> > 11[IKE] no private key found for 'fc00:cada:c404:607::1001'
>> > initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed
>> >
>> >
>> >
>> >
>> >
>> > root at E6kn-2016:# swanctl --list-conns
>> >
>> > rpdfc00:cada:c404::200: IKEv2, no reauthentication, rekeying every 14400s
>> >   local:  fc00:cada:c404:607::1001
>> >   remote: 2017::5002
>> >   local public key authentication:
>> >     id: fc00:cada:c404:607::1001
>> >   remote public key authentication:
>> >   gcpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
>> >     local:  fc00:cada:c404:607::1001/128[tcp]
>> >     remote: 2017::5002/128[tcp]
>> >   l2tpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
>> >     local:  fc00:cada:c404:607::1001/128[l2tp]
>> >     remote: 2017::5002/128[l2tp]
>> >
>> >
>> >
>> >
>> > root at E6kn-2016:# swanctl --list-certs
>> >
>> > List of X.509 End Entity Certificates
>> >
>> >   subject:  "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"
>> >   issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> >   validity:  not before Sep 28 18:18:53 2017, ok
>> >              not after  Sep 28 18:18:53 2037, ok (expires in 7300 days)
>> >   serial:    dd:dc:09:21:36:f2:e8:71
>> >   authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>> >   subjkeyId: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
>> >   pubkey:    RSA 2048 bits, has private key
>> >   keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
>> >   subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
>> >
>> > List of X.509 CA Certificates
>> >
>> >   subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> >   issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> >   validity:  not before Dec 09 23:08:49 2014, ok
>> >              not after  Dec 09 23:08:49 2049, ok (expires in 11755 days)
>> >   serial:    a0:16:bc:73:85:0e:65:37
>> >   altNames:  CN=SYMC-3072-5
>> >   flags:     CA CRLSign
>> >   pathlen:   0
>> >   authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>> >   subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>> >   pubkey:    RSA 3072 bits
>> >   keyid:     b7:98:32:e4:ae:30:02:57:f7:ad:cb:2b:37:41:17:9c:1b:9d:79:28
>> >   subjkey:   f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>> >
>> >   subject:  "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> >   issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> >   validity:  not before Nov 11 17:19:44 2014, ok
>> >              not after  Nov 11 17:19:44 2064, ok (expires in 17206 days)
>> >   serial:    b1:b0:d3:be:83:ee:bf:e3
>> >   altNames:  CN=MPKI-4096-1-206
>> >   flags:     CA CRLSign self-signed
>> >   subjkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>> >   pubkey:    RSA 4096 bits
>> >   keyid:     bd:0e:4c:0f:21:cf:f0:49:af:19:34:3b:c2:64:c5:31:a1:2e:11:07
>> >   subjkey:   89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>> >
>> > pki --print --type rsa-priv --in privKey.pem
>> >
>> >   privkey:   RSA 2048 bits
>> >   keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
>> >   subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
>> >
>>
>> --
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> Institute for Networked Solutions
>> HSR University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[INS-HSR]==
>>
>
>
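Andreas's explanation of the lookup order (the IKE identity selects an end-entity certificate by its subject DN or a subjectAltName, and the fingerprint of that certificate's public key then selects the private key) can be checked against the outputs quoted in the thread. The following Python is an added example written for this page; it is not strongSwan or davici code. It parses the quoted `swanctl --list-certs` and `pki --print` text with the standard library only and applies a simplified model of strongSwan's identity matching (exact subject DN, or an altName, with IP addresses compared in canonical form). The certificate `CN=constructed-example` and its keyid are constructed for the demonstration and do not appear in the thread.

```python
import re
from ipaddress import ip_address

# Sample input: the `swanctl --list-certs` and `pki --print` output quoted in the
# thread (mail-wrapped lines joined, some fields dropped for brevity).
LIST_CERTS = """\
List of X.509 End Entity Certificates

  subject:  "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"
  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  pubkey:    RSA 2048 bits, has private key
  keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e

List of X.509 CA Certificates

  subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  altNames:  CN=SYMC-3072-5
  flags:     CA CRLSign
  keyid:     b7:98:32:e4:ae:30:02:57:f7:ad:cb:2b:37:41:17:9c:1b:9d:79:28
"""
# Constructed (not from the thread): an end-entity certificate that does carry an
# IPv6 subjectAltName, written in non-canonical form, plus a made-up keyid.
EXTRA_CERT = """\
  subject:  "C=US, O=Example, CN=constructed-example"
  altNames:  fc00:cada:c404:607:0:0:0:1001, example.test
  pubkey:    RSA 2048 bits
  keyid:     00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
"""
PKI_PRINT = """\
  privkey:   RSA 2048 bits
  keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
  subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
"""
CONFIGURED_ID = 'fc00:cada:c404:607::1001'   # the local id shown by `swanctl --list-conns`


def parse_dn(dn):
    """'C=US, O=ARRIS, CN=x' -> [('C','US'), ('O','ARRIS'), ('CN','x')].
    Attribute types are upper-cased; values containing commas are not handled."""
    return [(t.strip().upper(), v.strip())
            for t, v in (p.split('=', 1) for p in dn.split(',') if '=' in p)]


def parse_list_certs(text):
    """Parse `swanctl --list-certs` output into one dict per certificate."""
    certs, section, cur = [], None, None
    for line in text.splitlines():
        m = re.match(r'List of X\.509 (.+) Certificates', line)
        if m:
            section = m.group(1)
            continue
        m = re.match(r'\s+(\w+):\s+(.*)', line)   # "  field:   value" lines only
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == 'subject':                     # each certificate starts with its subject
            cur = {'section': section, 'subject': value.strip('"'), 'altnames': [],
                   'flags': [], 'keyid': None, 'has_private_key': False}
            certs.append(cur)
        elif cur is None:
            continue
        elif field == 'altNames':
            cur['altnames'] = [a.strip() for a in value.split(',')]
        elif field == 'flags':
            cur['flags'] = value.split()
        elif field == 'keyid':
            cur['keyid'] = value
        elif field == 'pubkey':
            cur['has_private_key'] = 'has private key' in value
    return certs


def parse_pki_print(text):
    """Parse `pki --print --type rsa-priv` output into {'privkey':..,'keyid':..,'subjkey':..}."""
    found = (re.match(r'\s+(privkey|keyid|subjkey):\s+(.*)', l) for l in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in found if m}


def _as_ip(text):
    try:
        return ip_address(text)
    except ValueError:
        return None


def identity_matches(identity, cert):
    """Simplified model of the daemon's rule: the IKE ID must equal the subject DN or
    one of the subjectAltNames. IP addresses compare canonically, names case-insensitively."""
    ip = _as_ip(identity)
    if ip is not None:
        return any(_as_ip(a) == ip for a in cert['altnames'])
    if '=' in identity:                            # a DN is compared with the subject
        return parse_dn(identity) == parse_dn(cert['subject'])
    return identity.lower() in (a.lower() for a in cert['altnames'])


def default_identity(cert):
    """The ID used when `certs` is configured but `id` is not: the certificate's subject DN."""
    return cert['subject']


def find_private_key(identity, certs, private_keys):
    """identity -> end-entity certificate -> key with the same keyid, in the daemon's
    order. Returns ((cert, key), None) or (None, reason) in the daemon's wording."""
    matching = [c for c in certs if 'CA' not in c['flags'] and identity_matches(identity, c)]
    if not matching:
        return None, ("no private key found for '%s' (no end-entity certificate has "
                      "this id as subject or subjectAltName)" % identity)
    for cert in matching:
        for key in private_keys:
            if key.get('keyid') == cert['keyid']:
                return (cert, key), None
    return None, ("no private key found for '%s' (certificate matched, but no loaded "
                  "key has keyid %s)" % (identity, matching[0]['keyid']))


if __name__ == '__main__':
    certs, keys = parse_list_certs(LIST_CERTS), [parse_pki_print(PKI_PRINT)]
    for ident in (CONFIGURED_ID, default_identity(certs[0])):
        found, reason = find_private_key(ident, certs, keys)
        print(ident, '->', 'OK, using "%s"' % found[0]['subject'] if found else reason)
```

Run on the thread's data, the first line printed is the daemon's own complaint: the private key is loaded and its keyid equals the end-entity certificate's, but the IPv6 id matches neither the subject DN nor an altName, so no certificate is selected and the key is never reached; with the subject DN as id (what `certs = myCert.pem` without `id` gives you) the lookup succeeds. The same rule applies to a davici client: include the certificate in the local auth section's `certs` list of the load-conn message (the vici protocol accepts the encoded certificate there rather than a file name) and either omit `id` or set it to a name the certificate actually contains.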