[strongSwan] no private key found
Udo Pokojski
swan at upokojski.de
Mon Nov 16 15:46:52 CET 2020
Hello,
I am trying to set up an IPsec tunnel authenticated by certificates. The
directory /etc/ipsec.d looks like this:
/etc/ipsec.d# ls -lR
.:
total 36
drwxr-xr-x 2 root root 4096 Nov 12 2019 aacerts
drwxr-xr-x 2 root root 4096 Nov 12 2019 acerts
drwxr-xr-x 2 root root 4096 Sep 28 10:36 cacerts
drwxr-xr-x 2 root root 4096 Nov 16 14:39 certs
drwxr-xr-x 2 root root 4096 Nov 12 2019 crls
drwxr-xr-x 2 root root 4096 Nov 12 2019 ocspcerts
drwxr-xr-x 2 root root 4096 Nov 12 2019 policies
drwx------ 2 root root 4096 Nov 16 14:40 private
drwxr-xr-x 2 root root 4096 Nov 12 2019 reqs
./aacerts:
total 0
./acerts:
total 0
./cacerts:
total 4
-rw-r--r-- 1 root root 2045 Sep 28 10:36 ca-cert.pem
./certs:
total 16
-rw-r--r-- 1 root root 1774 Apr 2 2020 ca-cert.pem
-rw-r--r-- 1 root root 2339 Nov 16 15:03 office-cert.pem
./crls:
total 0
./ocspcerts:
total 0
./policies:
total 0
./private:
total 12
-rw-r--r-- 1 root root 3243 Nov 16 14:24 office-key.pem
./reqs:
total 0
This is the content of /etc/ipsec.secrets:
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA office-key.pem
This is the configuration for the connection:
conn ikev2-rw
right=37.120.163.19
# This should match the `leftid` value on your server's configuration
rightid="C=DE, ... CN=server..."
rightsubnet=10.8.0.0/24,10.9.0.0/24
leftsubnet=192.168.200.0/24,192.168.20.0/24
rightauth=pubkey
leftsourceip=%config
leftid="C=DE, ... CN=client"
# leftauth=eap-mschapv2
eap_identity=%identity
auto=start
dpdaction=restart
dpdinterval=10s
closeaction=restart
Establishing a connection fails. In the log I can see these lines:
Nov 16 15:40:09 nb-ubuntu ipsec[4108]: 00[CFG] loaded RSA private key
from '/etc/ipsec.d/private/office-key.pem'
Nov 16 15:40:09 nb-ubuntu charon: 09[IKE] no private key found for
'C=DE, ... CN=client'
root at udo-nb-ubuntu:/etc/ipsec.d#
The private keyfile is loaded, but the keys cannot be found. I double
checked that the keyfile matches the certificate.
Why is the private key not found?
Thanks in advance
Udo
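The checks worth running before changing anything, as an added example that is not part of the original post: it confirms that the certificate and the key named in ipsec.secrets belong together, prints the subject DN in the form charon compares leftid against, and reports whether the conn block names its certificate with leftcert=. The default paths are the ones from the listing above; the /etc/ipsec.conf path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the pieces charon
# needs to find a private key for leftid: the cert and key belong together,
# the cert subject equals leftid, and the connection names the cert.
set -eu

# Compare the public key inside the certificate with the one derived from the
# private key. Prints "match"/"mismatch"; returns 0 only on a match.
key_matches_cert() {
  cert="$1"; key="$2"
  [ -r "$cert" ] && [ -r "$key" ] || { echo "unreadable input"; return 2; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" = "$key_pub" ]; then echo match; return 0; fi
  echo mismatch; return 1
}

# Subject DN in "C=DE, CN=client" form, the notation strongSwan prints and
# compares leftid against (sed strips openssl's "subject=" prefix).
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space \
    | sed 's/^subject= *//'
}

# True when the conn block names its certificate explicitly. Without
# leftcert= charon must pick a loaded certificate whose subject or SAN
# matches leftid by itself; naming it removes one way for the lookup to fail.
has_leftcert() {
  grep -Eq '^[[:space:]]*leftcert[[:space:]]*=' "$1"
}

# Defaults are the paths from the post; the ipsec.conf path is assumed.
main() {
  cert="${1:-/etc/ipsec.d/certs/office-cert.pem}"
  key="${2:-/etc/ipsec.d/private/office-key.pem}"
  conf="${3:-/etc/ipsec.conf}"
  key_matches_cert "$cert" "$key" || true
  echo "subject: $(cert_subject "$cert")"
  if has_leftcert "$conf"; then echo "leftcert: set"; else echo "leftcert: MISSING"; fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh check.sh /etc/ipsec.d/certs/office-cert.pem /etc/ipsec.d/private/office-key.pem /etc/ipsec.conf`; a "mismatch" or a subject that differs from leftid explains the charon message on its own.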