[strongSwan] strongswan is asking private key for the root CA

Old Kid oldkid at gmx.com
Fri Jul 12 12:39:37 CEST 2019


Hi all,
I basically copied/pasted DigitalOcean's strongswan configuration for ubuntu 18.04.
I run strongswan on debian 9 myself. It's version 5.7 and still uses ipsec.conf:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_domain_or_IP
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

and this is my ipsec.secrets:
: RSA "server-key.pem"
test : EAP "password"

I have a valid certificate for my domain. I combined the certificates like
this:
cat root-ca.crt domain.crt > server-cert.pem

and I directly copied the private key text file to 
/etc/ipsec.d/private/server-key.pem

But when I tried connecting to the server via strongswan android client,
there was an error in the server log:

Jul 12 06:07:24 debian charon: 13[ENC] received fragment #3 of 3, reassembled fragmented IKE message (3120 bytes)
Jul 12 06:07:24 debian charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul 12 06:07:24 debian charon: 13[IKE] received 134 cert requests for an unknown ca
Jul 12 06:07:24 debian charon: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 12 06:07:24 debian charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 12 06:07:24 debian charon: 13[IKE] peer supports MOBIKE
Jul 12 06:07:24 debian charon: 13[IKE] no private key found for 'C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA'
Jul 12 06:07:24 debian charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

I checked my pem file with the openssl verify command and it said ok. I don't
understand why strongswan is asking for the private key of the root certificate.
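The following check is an added example, not part of the original post or of strongSwan itself. charon reads only the first certificate in the file named by leftcert, so it shows which certificate a bundle like server-cert.pem actually presents and whether the private key belongs to that certificate; it assumes the openssl CLI is installed and POSIX sh.

```shell
# Added diagnostic for a leftcert bundle: charon uses the FIRST PEM
# certificate in the file as the server's own certificate, so a file built
# with "cat root-ca.crt domain.crt > server-cert.pem" presents the CA cert
# and charon then looks for the CA's private key. Requires the openssl CLI.

# Print the subject of the first certificate in $1 (the one charon loads).
first_cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Succeed (exit 0) only if the first certificate in $1 carries the public
# key that belongs to the private key in $2. Both sides are compared as
# SHA-256 digests of the DER-encoded SubjectPublicKeyInfo.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Write a bundle in the order strongSwan expects: the server's own (leaf)
# certificate first, then the CA certificate(s) that issued it.
# Usage: make_bundle OUTPUT leaf.crt ca.crt [more-ca.crt ...]
make_bundle() {
    out=$1
    shift
    cat "$@" > "$out"
}
```

Run `first_cert_subject /etc/ipsec.d/certs/server-cert.pem` and `cert_matches_key` against `/etc/ipsec.d/private/server-key.pem`; if the subject printed is the CA and the key check fails, the bundle order is the reason for the "no private key found" line.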

