Gmane
From: Raju Kadam <rajulk-hv44wF8Li93QT0dZR+AlfA <at> public.gmane.org>
Subject: Re: [strongSwan] [ Help ] no private key found
Newsgroups: gmane.network.vpn.strongswan.user
Date: Monday 29th December 2008 06:19:45 UTC (over 7 years ago)
Thanks Andreas! I was missing the passphrase in ipsec.secrets. But I
have a new problem :(
I'm getting an AUTHENTICATION_FAILED notify from the peer. The logs below are
generated in /var/log/messages.
Please let me know what the problem is. I have attached the ipsec.conf file of
both peers.

 authentication of 'C=IN, ST=KA, O=HW, OU=NW, CN=rta, [email protected]' with RSA signature successful
Dec 29 11:41:31 linux charon: 10[CFG] looking for a config for 17.21.2.198[17.21.2.198]...17.21.2.197[C=IN, ST=KA, O=HW, OU=NW, CN=rta, [email protected]]
Dec 29 11:41:31 linux charon: 10[AUD] no matching config found for '17.21.2.198'...'C=IN, ST=KA, O=HW, OU=NW, CN=rta, [email protected]'
Dec 29 11:41:31 linux charon: 10[AUD] no matching config found for '17.21.2.198'...'C=IN, ST=KA, O=HW, OU=NW, CN=rta, [email protected]'
Dec 29 11:41:31 linux charon: 10[ENC] added payload of type NOTIFY to message
Dec 29 11:41:31 linux charon: 10[ENC] added payload of type NOTIFY to message
Dec 29 11:41:31 linux charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]


Thanks...


Andreas Steffen wrote:
> strongSwan not finding its private key can have the following
> reasons:
>
> - the path in /etc/ipsec.secrets given to the private key file
>   is not correct. The default directory is /etc/ipsec.d/private/.
>
> - the private key file is encrypted and you either gave
>   no passphrase or an incorrect one. The syntax in /etc/ipsec.secrets
>   is:
>
>    : RSA myKey.pem "my secret password"
>
> - the private key does not match the public key in your certificate.
>
> The first two errors should generate an error message in the log file.
>
> Best regards
>
> Andreas
>
> BTW - this email is being sent over HUAWEI E196 HDSPA USP Modem ;-)
>
> Raju Kadam wrote:
>   
>> Hello All,
>>    
>>      I am trying to use certificates to authenticate strongswan peers. I
>> have followed the steps mentioned in the documentation to generate CA and
>> end entity certificates using openssl. ipsec listcerts doesn't display
>> the private key of the end entity. Also I am getting a "no private key
>> found" error while sending the IKE_AUTH request. Please let me know what I'm
>> missing. FYI I'm using strongswan 4.2.8
>>
>>
>> linux:~ # ipsec listcerts
>>
>> List of X.509 End Entity Certificates:
>>
>>   subject:  "C=IN, ST=KA, O=HW, OU=NW, CN=rta, [email protected]"
>>   issuer:   "CN=myCA, C=IN, ST=KA, L=BLR, O=HW, [email protected]"
>>   serial:    01
>>   validity:  not before Dec 12 17:38:06 2008, ok
>>              not after  Dec 12 17:38:06 2010, ok
>>   *pubkey:    RSA 2048 bits*
>>   keyid:     51:5d:26:cf:b2:6a:f4:a9:16:f0:ef:d7:91:63:bb:aa:d9:6d:74:ac
>>   subjkey:   d4:58:3a:f8:f2:84:36:39:32:c8:12:79:46:21:d7:5d:cc:d3:2d:3e
>>   authkey:   61:34:1e:fc:11:bd:2f:18:ff:cc:8a:0c:22:35:e0:a0:3f:da:65:ba
>>
>> linux:~ # ipsec up rw
>> initiating IKE_SA rw[4] to 17.21.2.198
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from 17.21.2.197[500] to 17.21.2.198[500]
>> received packet: from 17.21.2.198[500] to 17.21.2.197[500]
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
>> received cert request for unknown ca with keyid 
>> 5d:23:83:a2:da:5e:b6:e2:55:97:cd:90:72:e9:93:8d:6a:d7:ba:7c
>> sending cert request for "CN=myCA, C=IN, ST=KA, L=BLR, O=HW, [email protected]"
>> *no private key found** for 'C=IN, ST=KA, O=HW, OU=NW, CN=rta, [email protected]'
>> generating authentication data failed
>> *
>> Thanks,
>>  Raju Kadam
>>
>>     
>
>
>   


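The responder log quoted in the message above, run through a small triage script; this is an added example, not part of the thread and not strongSwan code. It separates the two failures discussed here and shows that the peer's RSA signature verified, so the AUTH_FAILED notify follows the failed config lookup for the logged identity pair. The sample log is constructed from the lines in the message (wrapped lines joined, the redacted e-mail RDN left out), and `triage` is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the responder log in the thread: wrapped lines
# joined, and the e-mail RDN (redacted in the archive) left out of the DN.
DN = "C=IN, ST=KA, O=HW, OU=NW, CN=rta"
SAMPLE_LOG = f"""\
 authentication of '{DN}' with RSA signature successful
Dec 29 11:41:31 linux charon: 10[CFG] looking for a config for 17.21.2.198[17.21.2.198]...17.21.2.197[{DN}]
Dec 29 11:41:31 linux charon: 10[AUD] no matching config found for '17.21.2.198'...'{DN}'
Dec 29 11:41:31 linux charon: 10[AUD] no matching config found for '17.21.2.198'...'{DN}'
Dec 29 11:41:31 linux charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

SIG_OK = re.compile(r"authentication of '(?P<id>[^']*)' with RSA signature successful")
NO_CONFIG = re.compile(r"no matching config found for '(?P<local>[^']*)'\.\.\.'(?P<peer>[^']*)'")
# The initiator output in the thread carries stray '*' emphasis marks; tolerate them.
NO_KEY = re.compile(r"no private key found\**\s+for '(?P<id>[^']*)'")


def triage(log_text):
    """Collect de-duplicated failure causes and whether AUTH_FAILED was sent."""
    verified, causes, auth_failed_sent = set(), [], False
    for line in log_text.splitlines():
        cause = None
        if m := SIG_OK.search(line):
            verified.add(m["id"])  # the certificate and signature check passed
        elif m := NO_CONFIG.search(line):
            # No configured connection matches this (local id, peer id) pair.
            cause = {"cause": "no_matching_config",
                     "local_id": m["local"], "peer_id": m["peer"],
                     "peer_signature_ok": m["peer"] in verified}
        elif m := NO_KEY.search(line):
            # Local side: see the ipsec.secrets checks listed in the quoted reply.
            cause = {"cause": "no_private_key", "identity": m["id"]}
        elif "generating" in line and "N(AUTH_FAILED)" in line:
            auth_failed_sent = True
        if cause is not None and cause not in causes:
            causes.append(cause)
    return {"causes": causes, "auth_failed_sent": auth_failed_sent}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for c in report["causes"]:
        print(c)
    print("AUTH_FAILED sent:", report["auth_failed_sent"])
```
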