Raju Kadam | 29 Dec 07:19 2008

Re: [strongSwan] [ Help ] no private key found


Thanks Andreas! I was missing the passphrase in ipsec.secrets. But I
have a new problem :(
I'm getting an AUTHENTICATION_FAILED notify from the peer. The logs below were
generated in /var/log/messages.
Please let me know what the problem is. I have attached the ipsec.conf files of
both peers.

 authentication of 'C=IN, ST=KA, O=HW, OU=NW, CN=rta, E=rta@...' with RSA signature successful
Dec 29 11:41:31 linux charon: 10[CFG] looking for a config for 17.21.2.198[17.21.2.198]...17.21.2.197[C=IN, ST=KA, O=HW, OU=NW, CN=rta, E=rta@...]
Dec 29 11:41:31 linux charon: 10[AUD] no matching config found for '17.21.2.198'...'C=IN, ST=KA, O=HW, OU=NW, CN=rta, E=rta@...'
Dec 29 11:41:31 linux charon: 10[AUD] no matching config found for '17.21.2.198'...'C=IN, ST=KA, O=HW, OU=NW, CN=rta, E=rta@...'
Dec 29 11:41:31 linux charon: 10[ENC] added payload of type NOTIFY to message
Dec 29 11:41:31 linux charon: 10[ENC] added payload of type NOTIFY to message
Dec 29 11:41:31 linux charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Thanks...

Andreas Steffen wrote:
> strongSwan not finding its private key can have the following
> reasons:
>
> - the path in /etc/ipsec.secrets given to the private key file
>   is not correct. The default directory is /etc/ipsec.d/private/.
>
> - the private key file is encrypted and you either didn't give
>   a passphrase or gave an incorrect one. The syntax in /etc/ipsec.secrets
>   is:
>
>    : RSA myKey.pem "my secret password"
>
> - the private key does not match the public key in your certificate.
>
> The first two errors should generate an error message in the log file.
>
> Best regards
>
> Andreas
>
> BTW - this email is being sent over HUAWEI E196 HDSPA USP Modem ;-)
>
> Raju Kadam wrote:
>> Hello All,
>>
>>      I am trying to use certificates to authenticate strongSwan peers. I
>> have followed the steps mentioned in the documentation to generate CA and
>> end entity certificates using openssl. ipsec listcerts doesn't display
>> the private key of the end entity. Also I am getting a "no private key
>> found" error while sending the IKE_AUTH request. Please let me know what I'm
>> missing. FYI I'm using strongSwan 4.2.8
>>
>>
>> linux:~ # ipsec listcerts
>>
>> List of X.509 End Entity Certificates:
>>
>>   subject:  "C=IN, ST=KA, O=HW, OU=NW, CN=rta, E=rta@..."
>>   issuer:   "CN=myCA, C=IN, ST=KA, L=BLR, O=HW, E=myca@..."
>>   serial:    01
>>   validity:  not before Dec 12 17:38:06 2008, ok
>>              not after  Dec 12 17:38:06 2010, ok
>>   pubkey:    RSA 2048 bits
>>   keyid:     51:5d:26:cf:b2:6a:f4:a9:16:f0:ef:d7:91:63:bb:aa:d9:6d:74:ac
>>   subjkey:   d4:58:3a:f8:f2:84:36:39:32:c8:12:79:46:21:d7:5d:cc:d3:2d:3e
>>   authkey:   61:34:1e:fc:11:bd:2f:18:ff:cc:8a:0c:22:35:e0:a0:3f:da:65:ba
>>
>> linux:~ # ipsec up rw
>> initiating IKE_SA rw[4] to 17.21.2.198
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from 17.21.2.197[500] to 17.21.2.198[500]
>> received packet: from 17.21.2.198[500] to 17.21.2.197[500]
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
>> received cert request for unknown ca with keyid 
>> 5d:23:83:a2:da:5e:b6:e2:55:97:cd:90:72:e9:93:8d:6a:d7:ba:7c
>> sending cert request for "CN=myCA, C=IN, ST=KA, L=BLR, O=HW, E=myca@..."
>> no private key found for 'C=IN, ST=KA, O=HW, OU=NW, CN=rta, E=rta@...'
>> generating authentication data failed
>> Thanks,
>>  Raju Kadam
>>



# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# plutodebug=no
	plutostart=no
	# crlcheckinterval=600
	# strictcrlpolicy=yes
	# cachecrls=yes
	# nat_traversal=no
	charonstart=yes
	charondebug="dmn 32,mgr 32,ike 32,chd 32,job 32,cfg 32,knl 32,net 32,enc 32,lib 32"

# Add connections here.
conn %default
	keyexchange=ikev2
	auth=esp
	mobike=no

conn rw
	left=17.21.2.198
	leftcert=rtbCert.pem
	leftid=@rtb.hw.com
	leftfirewall=yes
	right=%any
	auto=add

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# plutodebug=no
	plutostart=no
	# crlcheckinterval=600
	# strictcrlpolicy=yes
	# cachecrls=yes
	# nat_traversal=no
	charonstart=yes
	charondebug="dmn 32,mgr 32,ike 32,chd 32,job 32,cfg 32,knl 32,net 32,enc 32,lib 4"

# Add connections here.
conn %default
	keyexchange=ikev2
	auth=esp
	mobike=no

conn rw
	left=17.21.2.197
	leftcert=rtaCert.pem
	leftid=@rta.hw.com
	leftfirewall=yes
	right=17.21.2.198
	auto=add
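The charon log in this message records the two identities the responder tried to match, in the form me[my_id]...other[other_id], before it reported "no matching config found" and answered with AUTH_FAILED. The script below is an added example, not strongSwan code and not from anyone in the thread: it parses the two attached ipsec.conf files (embedded as constructed copies, with Gmane's " <at> " restored to "@"), extracts the identities from that log line, and applies a simplified model of charon's peer-config lookup that is stated here as an assumption: leftid and rightid fall back to the left and right addresses, %any matches anything, and every other identity must be equal as a string (real charon also compares identity types, so treat this as an approximation). On these inputs it reports that no conn on the 17.21.2.198 side accepts the address identity 17.21.2.198 the log shows, because that conn's leftid is @rtb.hw.com, and it shows the same lookup succeeding against a copy of the config whose leftid is set to that address.

```python
import re

# Constructed copies of the two ipsec.conf attachments from the thread, trimmed to the
# sections that matter for peer-config selection (Gmane's " <at> " restored to "@").
RTB_CONF = """\
config setup
    charonstart=yes

conn %default
    keyexchange=ikev2

conn rw
    left=17.21.2.198
    leftcert=rtbCert.pem
    leftid=@rtb.hw.com
    right=%any
"""

RTA_CONF = """\
config setup
    charonstart=yes

conn %default
    keyexchange=ikev2

conn rw
    left=17.21.2.197
    leftcert=rtaCert.pem
    leftid=@rta.hw.com
    right=17.21.2.198
"""

# Constructed copy of the charon line from the thread; format is me[my_id]...other[other_id].
LOG_LINE = ("Dec 29 11:41:31 linux charon: 10[CFG] looking for a config for "
            "17.21.2.198[17.21.2.198]...17.21.2.197[C=IN, ST=KA, O=HW, OU=NW, CN=rta, E=rta@...]")


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {conn_name: {key: value}}; 'conn %default' values are
    merged into every other conn, the way strongSwan applies defaults."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments and trailing blanks
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: 'config setup' or 'conn NAME'
            kind, _, name = line.partition(" ")
            current = (kind.strip(), name.strip())
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **values}
            for (kind, name), values in sections.items()
            if kind == "conn" and name != "%default"}


def own_identity(conn):
    """Identity a side uses for itself: leftid, else its left address (simplified model)."""
    return conn.get("leftid") or conn.get("left")


def expected_peer_identity(conn):
    """Identity a side requires from its peer: rightid, else its right address."""
    return conn.get("rightid") or conn.get("right")


def identity_matches(pattern, identity):
    """Simplified comparison (assumption): '%any' matches anything, otherwise the strings
    must be equal. Real charon also compares identity types (FQDN vs. IPv4 address)."""
    return pattern == "%any" or pattern == identity


LOOKUP_RE = re.compile(r"looking for a config for (\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*)\]")


def parse_config_lookup(log_line):
    """Pull me, my_id, other, other_id out of charon's 'looking for a config for' line."""
    m = LOOKUP_RE.search(log_line)
    if not m:
        return None
    me, my_id, other, other_id = m.groups()
    return {"me": me, "my_id": my_id, "other": other, "other_id": other_id}


def find_config(conns, my_id, other_id):
    """Names of conns whose own identity accepts my_id and whose peer identity accepts other_id."""
    return [name for name, conn in conns.items()
            if identity_matches(own_identity(conn), my_id)
            and identity_matches(expected_peer_identity(conn), other_id)]


def cross_check(initiator, responder, conn="rw"):
    """Report identity expectations that the other side's settings can never satisfy."""
    i, r = initiator[conn], responder[conn]
    findings = []
    if not identity_matches(expected_peer_identity(i), own_identity(r)):
        findings.append("initiator expects responder id %r, responder would use %r"
                        % (expected_peer_identity(i), own_identity(r)))
    if not identity_matches(expected_peer_identity(r), own_identity(i)):
        findings.append("responder expects initiator id %r, initiator would use %r"
                        % (expected_peer_identity(r), own_identity(i)))
    return findings


if __name__ == "__main__":
    rtb, rta = parse_ipsec_conf(RTB_CONF), parse_ipsec_conf(RTA_CONF)
    lookup = parse_config_lookup(LOG_LINE)
    print("responder lookup:", lookup)
    print("matching conns on rtb:", find_config(rtb, lookup["my_id"], lookup["other_id"]))
    for finding in cross_check(rta, rtb):
        print("finding:", finding)
    # Same lookup against a copy of rtb's config whose leftid is the address the log shows.
    rtb_fixed = {"rw": {**rtb["rw"], "leftid": lookup["my_id"]}}
    print("matching conns after fix:", find_config(rtb_fixed, lookup["my_id"], lookup["other_id"]))
```

Run it as a script to see the lookup, the finding and the post-fix result; the same functions can be pointed at any pair of ipsec.conf files and any "looking for a config for" line from /var/log/messages to check identity expectations before the tunnel is brought up.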
_______________________________________________
Users mailing list
Users@...
https://lists.strongswan.org/mailman/listinfo/users
