[strongSwan] private key not found

Christoph Harder c_harder at arcor.de
Mon Oct 26 15:57:54 CET 2020


Hello Noel,

just to be sure, do I use pubkeys = <filename> to specify the keys, or rather the PEM files containing them?
Or should the key be somehow encoded and put as string in the swanctl.conf file?
The documentation isn't totally clear about it and tells me the pubkeys configuration is for raw keys (does it mean file names of pem/der encoded keys?).

Thank you in advance.
-Christoph


On 25.10.2020 at 22:03, Noel Kuntze wrote:
> Hi Christoph,
> 
> Specify the keys using connections.<conn>.local<suffix>.pubkeys and connections.<conn>.remote<suffix>.pubkeys.
> 
> Afterwards, check the output and the log file (best if you enable debug logging like shown on the HelpRequests page)
> to see if the public keys were loaded and the private keys, too.
> 
> Kind regards
> 
> Noel
> 
> On 25.10.20 at 21:11, Christoph Harder wrote:
>> Hello everyone,
>>
>> I wish to create an IPSEC v2 connection and use two authentication rounds, both with asymmetric key pairs (one round using ECDSA followed by one round using BLISS).
>> Since BLISS is rather new I would like the second round as safe-guard in case the near future shows any fatal flaws in BLISS.
>> However, at the moment I receive the following message when I try to initiate a connection.
>>
>> [IKE] no private key found for 'xyz_ecdsa'
>>
>> The private keys are stored as /bliss/xyz_bliss.pem and /ecdsa/xyz_ecdsa.pem and the matching (same file name) public keys are stored in /pubkeys.
>> When I load the keys, e.g. using swanctl --load-creds the keys are listed and no error message shows up.
>>
>> In the swanctl.conf the authentication rounds are defined like this (with matching remote authentication rounds):
>> local-1 {
>> 	id = xyz_ecdsa
>> 	auth = pubkey
>> 	round = 1
>> }
>> local-2 {
>> 	id = xyz_bliss
>> 	auth = pubkey
>> 	round = 2
>> }
>>
>> The private keys don't have a passphrase and are not listed in the secrets section.
>>
>> The private key file /ecdsa/xyz_ecdsa.pem looks like this:
>> -----BEGIN EC PRIVATE KEY-----
>> ...
>> -----END EC PRIVATE KEY-----
>>
>> and the public key file /pubkey/xyz_ecdsa.pem looks like this:
>> -----BEGIN PUBLIC KEY-----
>> ...
>> -----END PUBLIC KEY-----
>>
>> The keys have been generated using the pki tool.
>>
>> Can you give me any hints on what I might be doing wrong?
>> Are two rounds even supported when using auth = pubkey in both rounds?
>> Do I need to tell strongSwan somehow to associate the key files with the id?
>>
>> Best regards,
>> Christoph
>>
> 
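Added example, not part of the thread above and not strongSwan project documentation: a swanctl.conf fragment that shows the shape of the two-round raw public key setup Noel's reply describes, with each round's key referenced through `pubkeys`. The connection name `peer`, the addresses, the traffic selectors and the `peer_*` file names are assumptions. The file names in `pubkeys` are assumed to be resolved relative to swanctl's pubkey directory (/etc/swanctl/pubkey by default), the directory the thread's public keys already live in, while `swanctl --load-creds` picks up the private keys from the ecdsa and bliss key directories under /etc/swanctl.

```conf
# Added example (not from the thread): two-round raw public key
# authentication in swanctl.conf. "peer", the addresses, the traffic
# selectors and the peer_* file names are assumptions.
connections {
    peer {
        remote_addrs = 192.0.2.1          # assumed peer address
        version = 2

        # Round 1: ECDSA. The raw public key is referenced by file name,
        # assumed relative to swanctl's pubkey directory
        # (/etc/swanctl/pubkey by default). The matching private key is
        # loaded by "swanctl --load-creds" from /etc/swanctl/ecdsa.
        local-1 {
            id = xyz_ecdsa
            auth = pubkey
            pubkeys = xyz_ecdsa.pem
            round = 1
        }

        # Round 2: BLISS, same layout; private key from /etc/swanctl/bliss.
        local-2 {
            id = xyz_bliss
            auth = pubkey
            pubkeys = xyz_bliss.pem
            round = 2
        }

        # The peer's raw public keys, one per round, matched against the
        # identity the peer sends in that round (assumed names).
        remote-1 {
            id = peer_ecdsa
            auth = pubkey
            pubkeys = peer_ecdsa.pem
            round = 1
        }
        remote-2 {
            id = peer_bliss
            auth = pubkey
            pubkeys = peer_bliss.pem
            round = 2
        }

        children {
            net {
                local_ts = 10.1.0.0/24    # assumed traffic selectors
                remote_ts = 10.2.0.0/24
            }
        }
    }
}
```

After `swanctl --load-all` (or `--load-creds` followed by `--load-conns`), `swanctl --list-conns` lists both rounds per side, and the daemon log, with the debug logging Noel refers to, shows whether a private key matching each configured public key was found when the connection is initiated.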

