[strongSwan] private key not found

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Oct 28 14:06:07 CET 2020

Hello Christoph,

Yes, use pubkeys = <filename>. The man page for swanctl.conf expands on this:

>       connections.<conn>.local<suffix>.pubkeys []
>              Comma separated list of raw public key candidates to use for au‐
>              thentication. The public keys may use a relative path  from  the
>              swanctl pubkey directory or an absolute path.
>              Even though multiple local public keys could be defined in prin‐
>              ciple, only the first public key in the list is used for authen‐
>              tication.

>> The documentation isn't totally clear about it and tells me the pubkeys configuration is for raw keys (does it mean file names of pem/der encoded keys?).

Raw public keys are just simple public keys, e.g. certificates aren't raw public keys (because they are a public key, metadata and the signature over it generated by signing it with a private key).
So the file would contain a public key, encoded in DER or PEM format.

Kind regards


Am 26.10.20 um 15:57 schrieb Christoph Harder:
> Hello Noel,
> just to be sure, I use pubkeys = <filename> to specify the keys or rather the pem files containing them?
> Or should the key be somehow encoded and put as string in the swanctl.conf file?
> The documentation isn't totally clear about it and tells me the pubkeys configuration is for raw keys (does it mean file names of pem/der encoded keys?).
> Thank you in advance.
> -Christoph
> Am 25.10.2020 um 22:03 schrieb Noel Kuntze:
>> Hi Christoph,
>> Specify the keys using connections.<conn>.local<suffix>.pubkeys and connections.<conn>.remote<suffix>.pubkeys.
>> Afterwards, check the output and the log file (best if you enable debug logging like shown on the HelpRequests page)
>> to see if the public keys were loaded and the private keys, too.
>> Kind regards
>> Noel
>> Am 25.10.20 um 21:11 schrieb Christoph Harder:
>>> Hello everyone,
>>> I wish to create an IPSEC v2 connection and use two authentication rounds, both with assymetric key pairs (one round using ECDSA followed by one round using BLISS).
>>> Since BLISS is rather new I would like the second round as safe-guard in case the near future shows any fatal flaws in BLISS.
>>> However at the moment I receive the follwoing message when I try to initiate a connection.
>>> [IKE] no private key found for 'xyz_ecdsa'
>>> The private keys are stored as /bliss/xyz_bliss.pem and /ecdsa/xyz_ecdsa.pem and the matching (same file name) public keys are stored in /pubkeys.
>>> When I load the keys, e.g. using swanctl --load-creds the keys are listed and no error message shows up.
>>> In the swanctl.conf the authentication rounds are defined like this (with matching remote authentication rounds):
>>> local-1 {
>>> 	id = xyz_ecdsa
>>> 	auth = pubkey
>>> 	round = 1
>>> }
>>> local-2 {
>>> 	id = xyz_bliss
>>> 	auth = pubkey
>>> 	round = 2
>>> }
>>> The private keys don't have a passphrase and are not listed in the secrets section.
>>> The private key file /ecdsa/xyz_ecdsa.pem looks like this:
>>> -----BEGIN EC PRIVATE KEY-----
>>> ...
>>> -----END EC PRIVATE KEY-----
>>> and the public key file /pubkey/xyz_ecdsa.pem looks like this:
>>> -----BEGIN PUBLIC KEY-----
>>> ...
>>> -----END PUBLIC KEY-----
>>> The keys have been generated using the pki tool.
>>> Can you give me any hints on what I might be doing wrong?
>>> Are two rounds even supported when using auth = pubkey in both rounds?
>>> Do I need to tell strongswan somehow to associate the key files with the id?
>>> Best regards,
>>> Christoph

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20201028/0038bd3b/attachment.sig>

More information about the Users mailing list