[strongSwan] private key not found

Christoph Harder c_harder at arcor.de
Thu Oct 29 08:11:28 CET 2020


Hello Noel,

thank you, it worked, I no longer receive the message "no private key found for..."

Best regards,
Christoph


Am 28.10.2020 um 14:06 schrieb Noel Kuntze:
> Hello Christoph,
> 
> Yes, use pubkeys = <filename>. The man page for swanctl.conf expands on this:
> 
>>       connections.<conn>.local<suffix>.pubkeys []
>>              Comma separated list of raw public key candidates to use for
>>              authentication. The public keys may use a relative path from the
>>              swanctl pubkey directory or an absolute path.
>>
>>              Even though multiple local public keys could be defined in
>>              principle, only the first public key in the list is used for
>>              authentication.
> 
>>> The documentation isn't totally clear about it and tells me the pubkeys configuration is for raw keys (does it mean file names of pem/der encoded keys?).
> 
> Raw public keys are just simple public keys, e.g. certificates aren't raw public keys (because they are a public key, metadata and the signature over it generated by signing it with a private key).
> So the file would contain a public key, encoded in DER or PEM format.
> 
> Kind regards
> 
> Noel
> 
> Am 26.10.20 um 15:57 schrieb Christoph Harder:
>> Hello Noel,
>>
>> just to be sure, I use pubkeys = <filename> to specify the keys or rather the pem files containing them?
>> Or should the key be somehow encoded and put as string in the swanctl.conf file?
>> The documentation isn't totally clear about it and tells me the pubkeys configuration is for raw keys (does it mean file names of pem/der encoded keys?).
>>
>> Thank you in advance.
>> -Christoph
>>
>>
>> Am 25.10.2020 um 22:03 schrieb Noel Kuntze:
>>> Hi Christoph,
>>>
>>> Specify the keys using connections.<conn>.local<suffix>.pubkeys and connections.<conn>.remote<suffix>.pubkeys.
>>>
>>> Afterwards, check the output and the log file (best if you enable debug logging like shown on the HelpRequests page)
>>> to see if the public keys were loaded and the private keys, too.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> Am 25.10.20 um 21:11 schrieb Christoph Harder:
>>>> Hello everyone,
>>>>
>>>> I wish to create an IPSEC v2 connection and use two authentication rounds, both with asymmetric key pairs (one round using ECDSA followed by one round using BLISS).
>>>> Since BLISS is rather new I would like the second round as safe-guard in case the near future shows any fatal flaws in BLISS.
>>>> However at the moment I receive the following message when I try to initiate a connection.
>>>>
>>>> [IKE] no private key found for 'xyz_ecdsa'
>>>>
>>>> The private keys are stored as /bliss/xyz_bliss.pem and /ecdsa/xyz_ecdsa.pem and the matching (same file name) public keys are stored in /pubkeys.
>>>> When I load the keys, e.g. using swanctl --load-creds the keys are listed and no error message shows up.
>>>>
>>>> In the swanctl.conf the authentication rounds are defined like this (with matching remote authentication rounds):
>>>> local-1 {
>>>> 	id = xyz_ecdsa
>>>> 	auth = pubkey
>>>> 	round = 1
>>>> }
>>>> local-2 {
>>>> 	id = xyz_bliss
>>>> 	auth = pubkey
>>>> 	round = 2
>>>> }
>>>>
>>>> The private keys don't have a passphrase and are not listed in the secrets section.
>>>>
>>>> The private key file /ecdsa/xyz_ecdsa.pem looks like this:
>>>> -----BEGIN EC PRIVATE KEY-----
>>>> ...
>>>> -----END EC PRIVATE KEY-----
>>>>
>>>> and the public key file /pubkey/xyz_ecdsa.pem looks like this:
>>>> -----BEGIN PUBLIC KEY-----
>>>> ...
>>>> -----END PUBLIC KEY-----
>>>>
>>>> The keys have been generated using the pki tool.
>>>>
>>>> Can you give me any hints on what I might be doing wrong?
>>>> Are two rounds even supported when using auth = pubkey in both rounds?
>>>> Do I need to tell strongswan somehow to associate the key files with the id?
>>>>
>>>> Best regards,
>>>> Christoph
>>>>
>>>
> 
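For reference, the configuration the thread converges on, written out as one complete swanctl.conf connection. This is an added example, not a file posted by either participant: the addresses, the remote identities (abc_ecdsa, abc_bliss), the child definition and the placement of the public key files under /etc/swanctl/pubkey (the default swanctl pubkey directory, which is where a relative pubkeys path is resolved) are assumptions; the local-1/local-2 sections mirror the ones Christoph posted, with the pubkeys entry Noel recommended added to each round. The private key files stay where Christoph keeps them (the swanctl ecdsa and bliss directories), with no secrets section, since they have no passphrase.

```conf
# Added example (not from the thread). Assumes the default swanctl
# directory layout: raw public keys in /etc/swanctl/pubkey/, the matching
# unencrypted private keys in /etc/swanctl/ecdsa/ and /etc/swanctl/bliss/.
connections {
    xyz {
        version = 2                 # IKEv2 is required for multiple auth rounds
        local_addrs  = 192.0.2.1    # assumed
        remote_addrs = 192.0.2.2    # assumed

        # Round 1: ECDSA raw public key. 'pubkeys' names the raw key file
        # (relative to the pubkey directory); the private key is then matched
        # to this public key rather than to the id string alone, which is what
        # the "no private key found for 'xyz_ecdsa'" message was about.
        local-1 {
            id = xyz_ecdsa
            auth = pubkey
            pubkeys = xyz_ecdsa.pem     # /etc/swanctl/pubkey/xyz_ecdsa.pem
            round = 1
        }
        # Round 2: BLISS raw public key, same pattern.
        local-2 {
            id = xyz_bliss
            auth = pubkey
            pubkeys = xyz_bliss.pem     # /etc/swanctl/pubkey/xyz_bliss.pem
            round = 2
        }

        # Matching remote rounds (peer identities and key files are assumed).
        remote-1 {
            id = abc_ecdsa
            auth = pubkey
            pubkeys = abc_ecdsa.pem
            round = 1
        }
        remote-2 {
            id = abc_bliss
            auth = pubkey
            pubkeys = abc_bliss.pem
            round = 2
        }

        children {
            net {                       # assumed child SA
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}
```

After editing the file, reload credentials and configuration (swanctl --load-creds, swanctl --load-conns) and confirm with swanctl --list-conns that both local and remote rounds show up with their public keys before initiating; as Noel noted, the daemon log with debug logging enabled is where a key that failed to load or to match will actually be reported. Only the first entry of each pubkeys list is used for the local side, so keep exactly one key per round.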