Re: [strongSwan] no private key found

2020-11-18 Thread Noel Kuntze
Hi,

Please at least provide a full log as shown on the HelpRequests[1] page.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 16.11.20 at 15:46, Udo Pokojski wrote:
> Hello,
> 
> 
> I am trying to set up an IPSEC-Tunnel authenticated by certificates. The 
> directory /etc/ipsec.d looks like this:
> 
> /etc/ipsec.d# ls -lR
> .:
> total 36
> drwxr-xr-x 2 root root 4096 Nov 12  2019 aacerts
> drwxr-xr-x 2 root root 4096 Nov 12  2019 acerts
> drwxr-xr-x 2 root root 4096 Sep 28 10:36 cacerts
> drwxr-xr-x 2 root root 4096 Nov 16 14:39 certs
> drwxr-xr-x 2 root root 4096 Nov 12  2019 crls
> drwxr-xr-x 2 root root 4096 Nov 12  2019 ocspcerts
> drwxr-xr-x 2 root root 4096 Nov 12  2019 policies
> drwx-- 2 root root 4096 Nov 16 14:40 private
> drwxr-xr-x 2 root root 4096 Nov 12  2019 reqs
> 
> ./aacerts:
> total 0
> 
> ./acerts:
> total 0
> 
> ./cacerts:
> total 4
> -rw-r--r-- 1 root root 2045 Sep 28 10:36 ca-cert.pem
> 
> ./certs:
> total 16
> -rw-r--r-- 1 root root 1774 Apr  2  2020 ca-cert.pem
> -rw-r--r-- 1 root root 2339 Nov 16 15:03 office-cert.pem
> 
> ./crls:
> total 0
> 
> ./ocspcerts:
> total 0
> 
> ./policies:
> total 0
> 
> ./private:
> total 12
> -rw-r--r-- 1 root root 3243 Nov 16 14:24 office-key.pem
> 
> ./reqs:
> total 0
> 
> 
> This is the content of /etc/ipsec.secrets:
> 
> # RSA private key for this host, authenticating it to any other host
> # which knows the public part.
>  : RSA office-key.pem
> 
> This is the configuration for the connection:
> 
> conn ikev2-rw
>     right=37.120.163.19
>     # This should match the `leftid` value on your server's configuration
>     rightid="C=DE, ... CN=server..."
>     rightsubnet=10.8.0.0/24,10.9.0.0/24
>     leftsubnet=192.168.200.0/24,192.168.20.0/24
>     rightauth=pubkey
>     leftsourceip=%config
>     leftid="C=DE, ... CN=client"
>  #   leftauth=eap-mschapv2
>     eap_identity=%identity
>     auto=start
>     dpdaction=restart
>     dpdinterval=10s
>     closeaction=restart
> 
> 
> 
> Establishing a connection fails. In the log I can see these lines:
> 
> Nov 16 15:40:09 nb-ubuntu ipsec[4108]: 00[CFG]   loaded RSA private key from 
> '/etc/ipsec.d/private/office-key.pem'
> Nov 16 15:40:09 nb-ubuntu charon: 09[IKE] no private key found for 'C=DE, ... 
> CN=client'
> root@udo-nb-ubuntu:/etc/ipsec.d#
> 
> 
> The private keyfile is loaded, but the keys cannot be found. I double checked 
> that the keyfile matches the certificate.
> 
> Why is the private key not found?
> 
> 
> Thanks in advance
> 
> Udo
> 





Re: [strongSwan] no private key found

2020-11-18 Thread Tobias Brunner
Hi Udo,

> The private keyfile is loaded, but the keys cannot be found. I double 
> checked that the keyfile matches the certificate.

Loading the private key has no effect as long as connections are not
associated with a certificate (or raw public key) that matches it.

For ipsec.conf, you have to do that explicitly via leftcert (or
leftsigkey).  With swanctl.conf, certificates may also be loaded
independently and associated to the connection via identity.

Regards,
Tobias
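To make Tobias's point concrete, here is an added example (not from the thread or from the strongSwan project) showing Udo's conn with the certificate association he was missing, and the equivalent swanctl.conf section. File names are the ones from his /etc/ipsec.d listing; the elided DNs are left as he wrote them, and the commented-out EAP settings are dropped because the client authenticates with its certificate.

```conf
# ipsec.conf style: leftcert names the end-entity certificate in
# /etc/ipsec.d/certs. charon matches the key loaded via ipsec.secrets
# (": RSA office-key.pem") to this certificate's public key; without
# leftcert the key is loaded but never tied to the connection, which is
# exactly the "loaded RSA private key" followed by "no private key found".
conn ikev2-rw
    right=37.120.163.19
    rightid="C=DE, ... CN=server..."
    rightsubnet=10.8.0.0/24,10.9.0.0/24
    rightauth=pubkey
    leftsubnet=192.168.200.0/24,192.168.20.0/24
    leftsourceip=%config
    leftauth=pubkey
    leftcert=office-cert.pem
    leftid="C=DE, ... CN=client"
    auto=start
    dpdaction=restart
    dpdinterval=10s
    closeaction=restart

# swanctl.conf style (e.g. /etc/swanctl/conf.d/ikev2-rw.conf): the key goes
# in /etc/swanctl/private, the certificate in /etc/swanctl/x509, and
# "swanctl --load-all" loads both. Naming the certificate in local.certs
# associates it explicitly; if it is omitted, the certificate whose subject
# matches local.id is associated with the connection (the "via identity"
# case Tobias describes).
connections {
    ikev2-rw {
        version = 2
        remote_addrs = 37.120.163.19
        vips = 0.0.0.0
        dpd_delay = 10s
        local {
            auth = pubkey
            certs = office-cert.pem
            id = "C=DE, ... CN=client"
        }
        remote {
            auth = pubkey
            id = "C=DE, ... CN=server..."
        }
        children {
            rw {
                local_ts = 192.168.200.0/24,192.168.20.0/24
                remote_ts = 10.8.0.0/24,10.9.0.0/24
                start_action = start
                dpd_action = restart
                close_action = start
            }
        }
    }
}
```

After reloading, "ipsec listcerts" (or "swanctl --list-certs") should show the client certificate with "has private key"; if that flag is missing, the key in the private directory does not belong to the certificate being associated.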


[strongSwan] no private key found

2020-11-16 Thread Udo Pokojski

Hello,


I am trying to set up an IPSEC-Tunnel authenticated by certificates. The 
directory /etc/ipsec.d looks like this:


/etc/ipsec.d# ls -lR
.:
total 36
drwxr-xr-x 2 root root 4096 Nov 12  2019 aacerts
drwxr-xr-x 2 root root 4096 Nov 12  2019 acerts
drwxr-xr-x 2 root root 4096 Sep 28 10:36 cacerts
drwxr-xr-x 2 root root 4096 Nov 16 14:39 certs
drwxr-xr-x 2 root root 4096 Nov 12  2019 crls
drwxr-xr-x 2 root root 4096 Nov 12  2019 ocspcerts
drwxr-xr-x 2 root root 4096 Nov 12  2019 policies
drwx-- 2 root root 4096 Nov 16 14:40 private
drwxr-xr-x 2 root root 4096 Nov 12  2019 reqs

./aacerts:
total 0

./acerts:
total 0

./cacerts:
total 4
-rw-r--r-- 1 root root 2045 Sep 28 10:36 ca-cert.pem

./certs:
total 16
-rw-r--r-- 1 root root 1774 Apr  2  2020 ca-cert.pem
-rw-r--r-- 1 root root 2339 Nov 16 15:03 office-cert.pem

./crls:
total 0

./ocspcerts:
total 0

./policies:
total 0

./private:
total 12
-rw-r--r-- 1 root root 3243 Nov 16 14:24 office-key.pem

./reqs:
total 0


This is the content of /etc/ipsec.secrets:

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
 : RSA office-key.pem

This is the configuration for the connection:

conn ikev2-rw
    right=37.120.163.19
    # This should match the `leftid` value on your server's configuration
    rightid="C=DE, ... CN=server..."
    rightsubnet=10.8.0.0/24,10.9.0.0/24
    leftsubnet=192.168.200.0/24,192.168.20.0/24
    rightauth=pubkey
    leftsourceip=%config
    leftid="C=DE, ... CN=client"
 #   leftauth=eap-mschapv2
    eap_identity=%identity
    auto=start
    dpdaction=restart
    dpdinterval=10s
    closeaction=restart



Establishing a connection fails. In the log I can see these lines:

Nov 16 15:40:09 nb-ubuntu ipsec[4108]: 00[CFG]   loaded RSA private key 
from '/etc/ipsec.d/private/office-key.pem'
Nov 16 15:40:09 nb-ubuntu charon: 09[IKE] no private key found for 
'C=DE, ... CN=client'

root@udo-nb-ubuntu:/etc/ipsec.d#


The private keyfile is loaded, but the keys cannot be found. I double 
checked that the keyfile matches the certificate.


Why is the private key not found?


Thanks in advance

Udo



[strongSwan] "no private key found for" ERROR

2019-12-24 Thread 李国营
“no private key found for 'C=CN, ST=Some-State, O=SD, CN=server'”


I found this error.


My cert is like this:
.
./cacerts
./cacerts/cacert.pem
./ocspcerts
./certs
./certs/servercert.pem
./acerts
./aacerts
./crls
./reqs
./private
./private/serverkey.pem


My ipsec.conf is like this:
conn host-host
left=172.16.10.126
leftsubnet=10.1.0.0/16
leftid="C = CN, ST = Some-State, O = SD, CN = server"
leftcert=servercert.pem
leftfirewall=yes
right=172.16.10.127
rightsubnet=10.2.0.0/16
rightid="C = CN, ST = Some-State, O = SD, CN = client"


My ipsec.secrets is like this:
: SM2 serverkey.pem


help ~~~






Re: [strongSwan] No private key found

2017-12-12 Thread rajeev nohria
PEM format files..

On Tue, Dec 12, 2017 at 9:33 AM, rajeev nohria wrote:

> This is at originator side where we are seeing the issue..
>
> ~# ipsec listcerts
>
> List of X.509 End Entity Certificates
>
>   subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
> CN=FF:FF:05:E6:E6:20"
>   issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
> Device Certification Authority"
>   validity:  not before Sep 14 16:13:24 2017, ok
>  not after  Sep 14 16:13:24 2018, ok (expires in 276 days)
>   serial:01:ff:ff:05:e6:e6:20
>   authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>   subjkeyId: 71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>   pubkey:RSA 2048 bits, has private key
>   keyid: 85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce
>   subjkey:   71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>
> On Mon, Dec 11, 2017 at 4:11 PM, rajeev nohria 
> wrote:
>
>> Let me know if you need more info..
>>
>> On Mon, Dec 11, 2017 at 2:45 PM, rajeev nohria 
>> wrote:
>>
>>> Please find the key and config.  I am using davici so I am printing the
>>> configuration from log as commands are executing.
>>>
>>>  Load-Connection command
>>>   Section start rpdfc00:cada:c404::200
>>>   Version is 2
>>>  Local_addrs  is fc00:cada:c404:607::1004
>>>  remote_addrs is fc00:cada:c404::200
>>>   local_port is 500
>>>   remote_port is 500
>>>   proposals is aes128-sha256-modp2048
>>>   local section
>>>  auth is pubkey
>>>  RPD ip address is fc00:cada:c404:607::1004
>>>  id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
>>> CN=FF:FF:05:E6:E6:20
>>>   remote
>>>   id is %any
>>>   auth is pubkey
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh 
>>> wrote:
>>>
 Can  you share your config/secret files ?

 --Jafar


 On 12/11/2017 9:17 AM, rajeev nohria wrote:

 Anyone can help in this issue, I have setup the id with Subject id.
 Still have this issue. Is anything else I am missing?
 Thanks,
 Rajeev

 On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria 
 wrote:

>
> Not sure what is wrong here,  Can you let me know if  I am missing
> something here.
>
>
>
> 16[KNL] creating acquire job for policy 
> fc00:cada:c406:607::1001/128[tcp/43005]
> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>
> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent
> transport interface, path = [/tmp/Hal/agent/client/1/push]
>
> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to
> fc00:cada:c406::200
>
> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>
> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
> fc00:cada:c406::200[500] (456 bytes)
>
> 10[NET] received packet: from fc00:cada:c406::200[500] to
> fc00:cada:c406:607::1001[500] (453 bytes)
>
> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>
> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root
> CA01, CN=TEST CableLabs Root Certification Authority"
>
> 10[IKE] received 1 cert requests for an unknown ca
>
> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device
> CA01, CN=TEST CableLabs Device Certification Authority"
>
> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root
> CA01, CN=TEST CableLabs Root Certification Authority"
>
> 10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
> Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
>
> 13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406:
> :200
>
> 08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for
> delete
>
> 06[KNL] creating acquire job for policy 
> fc00:cada:c406:607::1001/128[tcp/39047]
> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>
> 16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to
> fc00:cada:c406::200
>
> 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>
> 16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
> fc00:cada:c406::200[500] (456 bytes)
>
> 11[NET] received packet: from fc00:cada:c406::200[500] to
> fc00:cada:c406:607::1001[500] (453 bytes)
>
> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>
> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root
> CA01, CN=TEST CableLabs Root Certification Authority"
>
> 11[IKE] received 1 cert requests for an unknown ca
>
> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device

Re: [strongSwan] No private key found

2017-12-11 Thread Noel Kuntze
Is that everything you're loading? You need to load the certificate and the 
secret, too!

On 11.12.2017 20:45, rajeev nohria wrote:
> Please find the key and config.  I am using davici so I am printing the 
> configuration from log as commands are executing.
> 
>  Load-Connection command  
>   Section start rpdfc00:cada:c404::200 
>   Version is 2 
>  Local_addrs  is fc00:cada:c404:607::1004 
>  remote_addrs is fc00:cada:c404::200 
>   local_port is 500 
>   remote_port is 500 
>   proposals is aes128-sha256-modp2048 
>   local section 
>  auth is pubkey 
>  RPD ip address is fc00:cada:c404:607::1004 
>  id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, 
> CN=FF:FF:05:E6:E6:20 
>   remote  
>   id is %any 
>   auth is pubkey 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh wrote:
> 
> Can  you share your config/secret files ?
> 
> --Jafar
> 
> 
> On 12/11/2017 9:17 AM, rajeev nohria wrote:
>> Anyone can help in this issue, I have setup the id with Subject id.  
>> Still have this issue. Is anything else I am missing?
>> Thanks,
>> Rajeev
>>
>> On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria wrote:
>>
>>
>> Not sure what is wrong here,  Can you let me know if  I am missing 
>> something here.
>>
>>
>>
>> 16[KNL] creating acquire job for policy 
>> fc00:cada:c406:607::1001/128[tcp/43005] === 
>> fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>
>> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent 
>> transport interface, path = [/tmp/Hal/agent/client/1/push]
>>
>> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to 
>> fc00:cada:c406::200
>>
>> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) 
>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>
>> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to 
>> fc00:cada:c406::200[500] (456 bytes)
>>
>> 10[NET] received packet: from fc00:cada:c406::200[500] to 
>> fc00:cada:c406:607::1001[500] (453 bytes)
>>
>> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>
>> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root 
>> CA01, CN=TEST CableLabs Root Certification Authority"
>>
>> 10[IKE] received 1 cert requests for an unknown ca
>>
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device 
>> CA01, CN=TEST CableLabs Device Certification Authority"
>>
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root 
>> CA01, CN=TEST CableLabs Root Certification Authority"
>>
>> 10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA 
>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
>>
>> 13[KNL] creating delete job for CHILD_SA 
>> ESP/0x/fc00:cada:c406::200
>>
>> 08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for 
>> delete
>>
>> 06[KNL] creating acquire job for policy 
>> fc00:cada:c406:607::1001/128[tcp/39047] === 
>> fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>
>> 16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to 
>> fc00:cada:c406::200
>>
>> 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) 
>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>
>> 16[NET] sending packet: from fc00:cada:c406:607::1001[500] to 
>> fc00:cada:c406::200[500] (456 bytes)
>>
>> 11[NET] received packet: from fc00:cada:c406::200[500] to 
>> fc00:cada:c406:607::1001[500] (453 bytes)
>>
>> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>
>> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root 
>> CA01, CN=TEST CableLabs Root Certification Authority"
>>
>> 11[IKE] received 1 cert requests for an unknown ca
>>
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device 
>> CA01, CN=TEST CableLabs Device Certification Authority"
>>
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root 
>> CA01, CN=TEST CableLabs Root Certification Authority"
>>
>> 11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA 
>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20
>>
>>  
>>
>>  
>>
>>  
>>
>> root@plnx_aarch64:~# ip -s xfrm state  
>>
>> src fc00:cada:c406:607::1001 dst fc00:cada:c406::200
>>
>>     proto esp spi 0x(0) reqid 2(0x0002) mode 
>> transport
>>
>>     replay-window 0 seq 0x0002 flag  (0x)
>>
>>     anti-replay context: seq 0x0, oseq 0x0, bitmap 0x
>>
>>     sel src fc00:cada:c406:607::1001/128 dst 
>> fc00:cada:c406::200/128 proto tcp sport 39047 dport 8190 uid 0
>>
>>     lifetime config:
>>
>>   limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>> 

Re: [strongSwan] No private key found

2017-12-11 Thread rajeev nohria
Let me know if you need more info..

On Mon, Dec 11, 2017 at 2:45 PM, rajeev nohria wrote:

> Please find the key and config.  I am using davici so I am printing the
> configuration from log as commands are executing.
>
>  Load-Connection command
>   Section start rpdfc00:cada:c404::200
>   Version is 2
>  Local_addrs  is fc00:cada:c404:607::1004
>  remote_addrs is fc00:cada:c404::200
>   local_port is 500
>   remote_port is 500
>   proposals is aes128-sha256-modp2048
>   local section
>  auth is pubkey
>  RPD ip address is fc00:cada:c404:607::1004
>  id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
> CN=FF:FF:05:E6:E6:20
>   remote
>   id is %any
>   auth is pubkey
>
>
>
>
>
>
>
>
>
>
> On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh 
> wrote:
>
>> Can  you share your config/secret files ?
>>
>> --Jafar
>>
>>
>> On 12/11/2017 9:17 AM, rajeev nohria wrote:
>>
>> Anyone can help in this issue, I have setup the id with Subject id.
>> Still have this issue. Is anything else I am missing?
>> Thanks,
>> Rajeev
>>
>> On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria 
>> wrote:
>>
>>>
>>> Not sure what is wrong here,  Can you let me know if  I am missing
>>> something here.
>>>
>>>
>>>
>>> 16[KNL] creating acquire job for policy 
>>> fc00:cada:c406:607::1001/128[tcp/43005]
>>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>>
>>> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport
>>> interface, path = [/tmp/Hal/agent/client/1/push]
>>>
>>> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to
>>> fc00:cada:c406::200
>>>
>>> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>>
>>> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>>> fc00:cada:c406::200[500] (456 bytes)
>>>
>>> 10[NET] received packet: from fc00:cada:c406::200[500] to
>>> fc00:cada:c406:607::1001[500] (453 bytes)
>>>
>>> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>>
>>> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>>> CN=TEST CableLabs Root Certification Authority"
>>>
>>> 10[IKE] received 1 cert requests for an unknown ca
>>>
>>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device
>>> CA01, CN=TEST CableLabs Device Certification Authority"
>>>
>>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>>> CN=TEST CableLabs Root Certification Authority"
>>>
>>> 10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
>>>
>>> 13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406:
>>> :200
>>>
>>> 08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for delete
>>>
>>> 06[KNL] creating acquire job for policy 
>>> fc00:cada:c406:607::1001/128[tcp/39047]
>>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>>
>>> 16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to
>>> fc00:cada:c406::200
>>>
>>> 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>>
>>> 16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>>> fc00:cada:c406::200[500] (456 bytes)
>>>
>>> 11[NET] received packet: from fc00:cada:c406::200[500] to
>>> fc00:cada:c406:607::1001[500] (453 bytes)
>>>
>>> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>>
>>> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>>> CN=TEST CableLabs Root Certification Authority"
>>>
>>> 11[IKE] received 1 cert requests for an unknown ca
>>>
>>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device
>>> CA01, CN=TEST CableLabs Device Certification Authority"
>>>
>>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>>> CN=TEST CableLabs Root Certification Authority"
>>>
>>> 11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> root@plnx_aarch64:~# ip -s xfrm state
>>>
>>> src fc00:cada:c406:607::1001 dst fc00:cada:c406::200
>>>
>>> proto esp spi 0x(0) reqid 2(0x0002) mode transport
>>>
>>> replay-window 0 seq 0x0002 flag  (0x)
>>>
>>> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x
>>>
>>> sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128
>>> proto tcp sport 39047 dport 8190 uid 0
>>>
>>> lifetime config:
>>>
>>>   limit: soft (INF)(bytes), hard (INF)(bytes)
>>>
>>>   limit: soft (INF)(packets), hard (INF)(packets)
>>>
>>>   expire add: soft 0(sec), hard 165(sec)
>>>
>>>   expire use: soft 0(sec), hard 0(sec)
>>>
>>> lifetime current:
>>>
>>>   0(bytes), 0(packets)
>>>
>>>   add 2017-11-13 16:01:42 use -
>>>
>>> stats:
>>>
>>>   replay-wind
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> 

Re: [strongSwan] No private key found

2017-12-11 Thread rajeev nohria
Please find the key and config.  I am using davici so I am printing the
configuration from log as commands are executing.

 Load-Connection command
  Section start rpdfc00:cada:c404::200
  Version is 2
 Local_addrs  is fc00:cada:c404:607::1004
 remote_addrs is fc00:cada:c404::200
  local_port is 500
  remote_port is 500
  proposals is aes128-sha256-modp2048
  local section
 auth is pubkey
 RPD ip address is fc00:cada:c404:607::1004
 id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
CN=FF:FF:05:E6:E6:20
  remote
  id is %any
  auth is pubkey










On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh 
wrote:

> Can  you share your config/secret files ?
>
> --Jafar
>
>
> On 12/11/2017 9:17 AM, rajeev nohria wrote:
>
> Anyone can help in this issue, I have setup the id with Subject id.  Still
> have this issue. Is anything else I am missing?
> Thanks,
> Rajeev
>
> On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria 
> wrote:
>
>>
>> Not sure what is wrong here,  Can you let me know if  I am missing
>> something here.
>>
>>
>>
>> 16[KNL] creating acquire job for policy 
>> fc00:cada:c406:607::1001/128[tcp/43005]
>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>
>> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport
>> interface, path = [/tmp/Hal/agent/client/1/push]
>>
>> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
>>
>> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>
>> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>> fc00:cada:c406::200[500] (456 bytes)
>>
>> 10[NET] received packet: from fc00:cada:c406::200[500] to
>> fc00:cada:c406:607::1001[500] (453 bytes)
>>
>> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>
>> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 10[IKE] received 1 cert requests for an unknown ca
>>
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
>> CN=TEST CableLabs Device Certification Authority"
>>
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
>>
>> 13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406:
>> :200
>>
>> 08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for delete
>>
>> 06[KNL] creating acquire job for policy 
>> fc00:cada:c406:607::1001/128[tcp/39047]
>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>
>> 16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200
>>
>> 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>
>> 16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>> fc00:cada:c406::200[500] (456 bytes)
>>
>> 11[NET] received packet: from fc00:cada:c406::200[500] to
>> fc00:cada:c406:607::1001[500] (453 bytes)
>>
>> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>
>> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 11[IKE] received 1 cert requests for an unknown ca
>>
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
>> CN=TEST CableLabs Device Certification Authority"
>>
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20
>>
>>
>>
>>
>>
>>
>>
>> root@plnx_aarch64:~# ip -s xfrm state
>>
>> src fc00:cada:c406:607::1001 dst fc00:cada:c406::200
>>
>> proto esp spi 0x(0) reqid 2(0x0002) mode transport
>>
>> replay-window 0 seq 0x0002 flag  (0x)
>>
>> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x
>>
>> sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128
>> proto tcp sport 39047 dport 8190 uid 0
>>
>> lifetime config:
>>
>>   limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>>   limit: soft (INF)(packets), hard (INF)(packets)
>>
>>   expire add: soft 0(sec), hard 165(sec)
>>
>>   expire use: soft 0(sec), hard 0(sec)
>>
>> lifetime current:
>>
>>   0(bytes), 0(packets)
>>
>>   add 2017-11-13 16:01:42 use -
>>
>> stats:
>>
>>   replay-wind
>>
>>
>>
>>
>>
>>
>>
>> root@plnx_aarch64:~# ip -s xfrm policy
>>
>> src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto tcp
>> uid 0
>>
>> dir in action allow index 88 priority 234336 share any flag
>> (0x)
>>
>> lifetime config:
>>
>>   limit: soft (INF)(bytes), hard (INF)(bytes)
>>
>> 

Re: [strongSwan] No private key found

2017-12-11 Thread Jafar Al-Gharaibeh

Can  you share your config/secret files ?

--Jafar


On 12/11/2017 9:17 AM, rajeev nohria wrote:
Anyone can help in this issue, I have setup the id with Subject id.  
Still have this issue. Is anything else I am missing?

Thanks,
Rajeev

On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria wrote:



Not sure what is wrong here,  Can you let me know if  I am missing
something here.



16[KNL] creating acquire job for policy
fc00:cada:c406:607::1001/128[tcp/43005] ===
fc00:cada:c406::200/128[tcp/8190] with reqid {2}

2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent
transport interface, path = [/tmp/Hal/agent/client/1/push]

15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to
fc00:cada:c406::200

15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]

15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
fc00:cada:c406::200[500] (456 bytes)

10[NET] received packet: from fc00:cada:c406::200[500] to
fc00:cada:c406:607::1001[500] (453 bytes)

10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]

10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root
CA01, CN=TEST CableLabs Root Certification Authority"

10[IKE] received 1 cert requests for an unknown ca

10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST
Device CA01, CN=TEST CableLabs Device Certification Authority"

10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root
CA01, CN=TEST CableLabs Root Certification Authority"

10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc.,
OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20'

13[KNL] creating delete job for CHILD_SA
ESP/0x/fc00:cada:c406::200

08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for
delete

06[KNL] creating acquire job for policy
fc00:cada:c406:607::1001/128[tcp/39047] ===
fc00:cada:c406::200/128[tcp/8190] with reqid {2}

16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to
fc00:cada:c406::200

16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]

16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
fc00:cada:c406::200[500] (456 bytes)

11[NET] received packet: from fc00:cada:c406::200[500] to
fc00:cada:c406:607::1001[500] (453 bytes)

11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]

11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root
CA01, CN=TEST CableLabs Root Certification Authority"

11[IKE] received 1 cert requests for an unknown ca

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST
Device CA01, CN=TEST CableLabs Device Certification Authority"

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root
CA01, CN=TEST CableLabs Root Certification Authority"

11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc.,
OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20

root@plnx_aarch64:~# ip -s xfrm state

src fc00:cada:c406:607::1001 dst fc00:cada:c406::200

    proto esp spi 0x(0) reqid 2(0x0002) mode transport

    replay-window 0 seq 0x0002 flag  (0x)

    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x

    sel src fc00:cada:c406:607::1001/128 dst
fc00:cada:c406::200/128 proto tcp sport 39047 dport 8190 uid 0

    lifetime config:

limit: soft (INF)(bytes), hard (INF)(bytes)

limit: soft (INF)(packets), hard (INF)(packets)

expire add: soft 0(sec), hard 165(sec)

expire use: soft 0(sec), hard 0(sec)

    lifetime current:

0(bytes), 0(packets)

  add 2017-11-13 16:01:42 use -

    stats:

replay-wind

root@plnx_aarch64:~# ip -s xfrm policy

src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto
tcp uid 0

    dir in action allow index 88 priority 234336 share any
flag (0x)

    lifetime config:

limit: soft (INF)(bytes), hard (INF)(bytes)

limit: soft (INF)(packets), hard (INF)(packets)

expire add: soft 0(sec), hard 0(sec)

expire use: soft 0(sec), hard 0(sec)

    lifetime current:

0(bytes), 0(packets)

  add 2017-11-13 15:58:55 use -

    tmpl src :: dst ::

proto esp spi 0x(0) reqid 2(0x0002) mode transport

level required share any

enc-mask  auth-mask  comp-mask


src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto
tcp uid 0

    dir out action allow index 81 priority 234336 share any
flag (0x)

    lifetime config:

limit: soft (INF)(bytes), hard (INF)(bytes)

  limit: soft (INF)(packets), hard (INF)(packets)


Re: [strongSwan] No private key found

2017-12-11 Thread rajeev nohria
Anyone can help in this issue, I have setup the id with Subject id.  Still
have this issue. Is anything else I am missing?
Thanks,
Rajeev

On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria wrote:

>
> Not sure what is wrong here,  Can you let me know if  I am missing
> something here.
>
>
>
> 16[KNL] creating acquire job for policy 
> fc00:cada:c406:607::1001/128[tcp/43005]
> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>
> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport
> interface, path = [/tmp/Hal/agent/client/1/push]
>
> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
>
> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>
> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
> fc00:cada:c406::200[500] (456 bytes)
>
> 10[NET] received packet: from fc00:cada:c406::200[500] to
> fc00:cada:c406:607::1001[500] (453 bytes)
>
> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>
> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority"
>
> 10[IKE] received 1 cert requests for an unknown ca
>
> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
> CN=TEST CableLabs Device Certification Authority"
>
> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority"
>
> 10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote
> Device Certificate, CN=FF:FF:05:E6:E6:20'
>
> 13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406:
> :200
>
> 08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for delete
>
> 06[KNL] creating acquire job for policy 
> fc00:cada:c406:607::1001/128[tcp/39047]
> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>
> 16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200
>
> 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>
> 16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
> fc00:cada:c406::200[500] (456 bytes)
>
> 11[NET] received packet: from fc00:cada:c406::200[500] to
> fc00:cada:c406:607::1001[500] (453 bytes)
>
> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>
> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority"
>
> 11[IKE] received 1 cert requests for an unknown ca
>
> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
> CN=TEST CableLabs Device Certification Authority"
>
> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority"
>
> 11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote
> Device Certificate, CN=FF:FF:05:E6:E6:20
>
> root@plnx_aarch64:~# ip -s xfrm state
>
> src fc00:cada:c406:607::1001 dst fc00:cada:c406::200
>
> proto esp spi 0x(0) reqid 2(0x0002) mode transport
>
> replay-window 0 seq 0x0002 flag  (0x)
>
> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x
>
> sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128
> proto tcp sport 39047 dport 8190 uid 0
>
> lifetime config:
>
>   limit: soft (INF)(bytes), hard (INF)(bytes)
>
>   limit: soft (INF)(packets), hard (INF)(packets)
>
>   expire add: soft 0(sec), hard 165(sec)
>
>   expire use: soft 0(sec), hard 0(sec)
>
> lifetime current:
>
>   0(bytes), 0(packets)
>
>   add 2017-11-13 16:01:42 use -
>
> stats:
>
>   replay-wind
>
> root@plnx_aarch64:~# ip -s xfrm policy
>
> src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto tcp
> uid 0
>
> dir in action allow index 88 priority 234336 share any flag
> (0x)
>
> lifetime config:
>
>   limit: soft (INF)(bytes), hard (INF)(bytes)
>
>   limit: soft (INF)(packets), hard (INF)(packets)
>
>   expire add: soft 0(sec), hard 0(sec)
>
>   expire use: soft 0(sec), hard 0(sec)
>
> lifetime current:
>
>   0(bytes), 0(packets)
>
>   add 2017-11-13 15:58:55 use -
>
> tmpl src :: dst ::
>
> proto esp spi 0x(0) reqid 2(0x0002) mode
> transport
>
> level required share any
>
> enc-mask  auth-mask  comp-mask 
>
> src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto tcp
> uid 0
>
> dir out action allow index 81 priority 234336 share any flag
> (0x)
>
> lifetime config:
>
>   limit: soft (INF)(bytes), hard (INF)(bytes)
>
>   limit: soft (INF)(packets), hard (INF)(packets)
>
>   expire add: soft 0(sec), hard 0(sec)
>
>   expire use: soft 

Re: [strongSwan] No private key found

2017-11-14 Thread Ben Lavender
Is the private key in /etc/ipsec.d/private?

Regards

Ben

Sent from my iPhone

On 14 Nov 2017, at 17:45, rajeev nohria wrote:


Not sure what is wrong here. Can you let me know if I am missing something
here.



16[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/43005] 
=== fc00:cada:c406::200/128[tcp/8190] with reqid {2}
2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport 
interface, path = [/tmp/Hal/agent/client/1/push]
15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(REDIR_SUP) ]
15[NET] sending packet: from fc00:cada:c406:607::1001[500] to 
fc00:cada:c406::200[500] (456 bytes)
10[NET] received packet: from fc00:cada:c406::200[500] to 
fc00:cada:c406:607::1001[500] (453 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, 
CN=TEST CableLabs Root Certification Authority"
10[IKE] received 1 cert requests for an unknown ca
10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, 
CN=TEST CableLabs Device Certification Authority"
10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST 
CableLabs Root Certification Authority"
10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote 
Device Certificate, CN=FF:FF:05:E6:E6:20'
13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406::200
08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for delete
06[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/39047] 
=== fc00:cada:c406::200/128[tcp/8190] with reqid {2}
16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200
16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(REDIR_SUP) ]
16[NET] sending packet: from fc00:cada:c406:607::1001[500] to 
fc00:cada:c406::200[500] (456 bytes)
11[NET] received packet: from fc00:cada:c406::200[500] to 
fc00:cada:c406:607::1001[500] (453 bytes)
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, 
CN=TEST CableLabs Root Certification Authority"
11[IKE] received 1 cert requests for an unknown ca
11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, 
CN=TEST CableLabs Device Certification Authority"
11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST 
CableLabs Root Certification Authority"
11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote 
Device Certificate, CN=FF:FF:05:E6:E6:20



root@plnx_aarch64:~# ip -s xfrm state
src fc00:cada:c406:607::1001 dst fc00:cada:c406::200
proto esp spi 0x(0) reqid 2(0x0002) mode transport
replay-window 0 seq 0x0002 flag  (0x)
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x
sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto 
tcp sport 39047 dport 8190 uid 0
lifetime config:
  limit: soft (INF)(bytes), hard (INF)(bytes)
  limit: soft (INF)(packets), hard (INF)(packets)
  expire add: soft 0(sec), hard 165(sec)
  expire use: soft 0(sec), hard 0(sec)
lifetime current:
  0(bytes), 0(packets)
  add 2017-11-13 16:01:42 use -
stats:
  replay-wind



root@plnx_aarch64:~# ip -s xfrm policy
src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto tcp uid 0
dir in action allow index 88 priority 234336 share any flag  
(0x)
lifetime config:
  limit: soft (INF)(bytes), hard (INF)(bytes)
  limit: soft (INF)(packets), hard (INF)(packets)
  expire add: soft 0(sec), hard 0(sec)
  expire use: soft 0(sec), hard 0(sec)
lifetime current:
  0(bytes), 0(packets)
  add 2017-11-13 15:58:55 use -
tmpl src :: dst ::
proto esp spi 0x(0) reqid 2(0x0002) mode transport
level required share any
enc-mask  auth-mask  comp-mask 
src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto tcp uid 0
dir out action allow index 81 priority 234336 share any flag  
(0x)
lifetime config:
  limit: soft (INF)(bytes), hard (INF)(bytes)
  limit: soft (INF)(packets), hard (INF)(packets)
  expire add: soft 0(sec), hard 0(sec)
  expire use: soft 0(sec), hard 0(sec)
lifetime current:
  0(bytes), 0(packets)
  add 2017-11-13 15:58:55 use -
tmpl src :: dst ::
proto esp spi 0x(0) reqid 2(0x0002) mode transport
level required share any
enc-mask  auth-mask  comp-mask 
src 

[strongSwan] No private key found

2017-11-14 Thread rajeev nohria
Not sure what is wrong here. Can you let me know if I am missing
something here.



16[KNL] creating acquire job for policy
fc00:cada:c406:607::1001/128[tcp/43005] ===
fc00:cada:c406::200/128[tcp/8190] with reqid {2}

2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport
interface, path = [/tmp/Hal/agent/client/1/push]

15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200

15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]

15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
fc00:cada:c406::200[500] (456 bytes)

10[NET] received packet: from fc00:cada:c406::200[500] to
fc00:cada:c406:607::1001[500] (453 bytes)

10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]

10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

10[IKE] received 1 cert requests for an unknown ca

10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote
Device Certificate, CN=FF:FF:05:E6:E6:20'

13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406::200

08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for delete

06[KNL] creating acquire job for policy
fc00:cada:c406:607::1001/128[tcp/39047] ===
fc00:cada:c406::200/128[tcp/8190] with reqid {2}

16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200

16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]

16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
fc00:cada:c406::200[500] (456 bytes)

11[NET] received packet: from fc00:cada:c406::200[500] to
fc00:cada:c406:607::1001[500] (453 bytes)

11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]

11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

11[IKE] received 1 cert requests for an unknown ca

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote
Device Certificate, CN=FF:FF:05:E6:E6:20
root@plnx_aarch64:~# ip -s xfrm state

src fc00:cada:c406:607::1001 dst fc00:cada:c406::200

proto esp spi 0x(0) reqid 2(0x0002) mode transport

replay-window 0 seq 0x0002 flag  (0x)

anti-replay context: seq 0x0, oseq 0x0, bitmap 0x

sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128
proto tcp sport 39047 dport 8190 uid 0

lifetime config:

  limit: soft (INF)(bytes), hard (INF)(bytes)

  limit: soft (INF)(packets), hard (INF)(packets)

  expire add: soft 0(sec), hard 165(sec)

  expire use: soft 0(sec), hard 0(sec)

lifetime current:

  0(bytes), 0(packets)

  add 2017-11-13 16:01:42 use -

stats:

  replay-wind

root@plnx_aarch64:~# ip -s xfrm policy

src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto tcp uid 0

dir in action allow index 88 priority 234336 share any flag
(0x)

lifetime config:

  limit: soft (INF)(bytes), hard (INF)(bytes)

  limit: soft (INF)(packets), hard (INF)(packets)

  expire add: soft 0(sec), hard 0(sec)

  expire use: soft 0(sec), hard 0(sec)

lifetime current:

  0(bytes), 0(packets)

  add 2017-11-13 15:58:55 use -

tmpl src :: dst ::

proto esp spi 0x(0) reqid 2(0x0002) mode
transport

level required share any

enc-mask  auth-mask  comp-mask 

src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto tcp uid 0

dir out action allow index 81 priority 234336 share any flag
(0x)

lifetime config:

  limit: soft (INF)(bytes), hard (INF)(bytes)

  limit: soft (INF)(packets), hard (INF)(packets)

  expire add: soft 0(sec), hard 0(sec)

  expire use: soft 0(sec), hard 0(sec)

lifetime current:

  0(bytes), 0(packets)

  add 2017-11-13 15:58:55 use -

tmpl src :: dst ::

proto esp spi 0x(0) reqid 2(0x0002) mode
transport

level required share any

enc-mask  auth-mask  comp-mask 

src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto l2tp uid
0

dir in action allow index 72 priority 234336 share 

Re: [strongSwan] No private key found

2017-10-08 Thread rajeev nohria
I resolved the issue by setting up id properly. Thanks for the direction.

On Fri, Oct 6, 2017 at 8:37 AM, rajeev nohria  wrote:

> Andreas,
>
> Thanks for the reply. I am using the davici interface instead of swanctl.conf.
> I do set the id as id: fc00:cada:c404:607::1001 but not the certs. Since
> I am using davici, it does not know the certificate file name and its path;
> I am reading the certificate file and passing the data. How can I resolve
> the problem in this situation?
>
> Thanks,
> Rajeev
>
> On Thu, Oct 5, 2017 at 11:56 AM, Andreas Steffen <
> andreas.stef...@strongswan.org> wrote:
>
>> Hi,
>>
>> you must not set the IKEv2 ID to
>>
>> id: fc00:cada:c404:607::1001
>>
>> since this ID is not contained as a subjectAltName in the client
>> certificate.
>>
>> Probably you didn't use the "certs" parameter in the local section of
>> swanctl.conf so that the client certificate just got loaded from
>> /etc/swanctl/x509. If you don't define the "id" parameter in the local
>> section then the IPv6 address of the client is assumed as the "id" by
>> default and because the IP address is not contained as a subjectAltName
>> in the certificate then neither the certificate nor the corresponding
>> private key is found.
>>
>> So the best approach is to define the following in swanctl.conf:
>>
>> local {
>>auth = pubkey
>>certs = myCert.pem
>> }
>>
>> This first causes the private key to be found automatically based
>> on the fingerprint of the public key contained in the certificate and
>> the ID to be set to the subject distinguished name contained in the
>> certificate.
>>
>> Best regards
>>
>> Andreas
>>
>> On 05.10.2017 17:33, rajeev nohria wrote:
>> > I have seen this issue before and fixed it. But this time I am not able
>> > to figure it out. Let me know if anyone sees the issue or has any suggestion.
>> > Thanks in advance.
>> >
>> > Problem:
>> > Getting error while initiating the connection.
>> >
>> > [IKE] no private key found for 'fc00:cada:c404:607::1001'
>> >
>> > 11[IKE] no private key found for 'fc00:cada:c404:607::1001'
>> >
>> >
>> > We are able to load the certificate and keys. Looking at the logs, the
>> > following lines are proof.
>> >
>> >
>> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
>> > 08[CFG] loaded RSA private key
>> >
>> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
>> > 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01,
>> > CN=TEST CableLabs Root Certification Authority'
>> >
>> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
>> > 08[CFG] loaded certificate 'C=US, O=ARRIS, OU=LOWELL,
>> CN=00:33:5f:ab:8c:9e'
>> >
>> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
>> > 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01,
>> > CN=TEST CableLabs Device Certification Authority'
>> >
>> >
>> >
>> > But when I initiate a connection, I get the following.
>> >
>> >
>> >
>> > root@E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200
>> >
>> > 07[CFG] vici initiate 'gcpfc00:cada:c404::200'
>> >
>> > 09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
>> >
>> > [IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
>> >
>> > [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> > N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>> >
>> > 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> > N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>> >
>> > [NET] sending packet: from fc00:cada:c404:607::1001[500] to
>> > 2017::5002[500] (264 bytes)
>> >
>> > 09[NET] sending packet: from fc00:cada:c404:607::1001[500] to
>> > 2017::5002[500] (264 bytes)
>> >
>> > 11[NET] received packet: from 2017::5002[500] to
>> > fc00:cada:c404:607::1001[500] (289 bytes)
>> >
>> > [NET] received packet: from 2017::5002[500] to
>> > fc00:cada:c404:607::1001[500] (289 bytes)
>> >
>> > 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
>> > N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
>> >
>> > [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> > CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
>> >
>> > [IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
>> > CN=TEST CableLabs Device Certification Authority"
>> >
>> > 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device
>> > CA01, CN=TEST CableLabs Device Certification Authority"
>> >
>> > [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
>> > CN=TEST CableLabs Device Certification Authority"
>> >
>> > 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device
>> > CA01, CN=TEST CableLabs Device Certification Authority"
>> >
>> > [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> > CN=TEST CableLabs Root Certification Authority"
>> >
>> > 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,

Re: [strongSwan] No private key found

2017-10-07 Thread rajeev nohria
Andreas,

Thanks for the reply. I am using the davici interface instead of swanctl.conf. I
do set the id as id: fc00:cada:c404:607::1001 but not the certs. Since I
am using davici, it does not know the certificate file name and its path; I
am reading the certificate file and passing the data. How can I resolve the
problem in this situation?

Thanks,
Rajeev

On Thu, Oct 5, 2017 at 11:56 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi,
>
> you must not set the IKEv2 ID to
>
> id: fc00:cada:c404:607::1001
>
> since this ID is not contained as a subjectAltName in the client
> certificate.
>
> Probably you didn't use the "certs" parameter in the local section of
> swanctl.conf so that the client certificate just got loaded from
> /etc/swanctl/x509. If you don't define the "id" parameter in the local
> section then the IPv6 address of the client is assumed as the "id" by
> default and because the IP address is not contained as a subjectAltName
> in the certificate then neither the certificate nor the corresponding
> private key is found.
>
> So the best approach is to define the following in swanctl.conf:
>
> local {
>auth = pubkey
>certs = myCert.pem
> }
>
> This first causes the private key to be found automatically based
> on the fingerprint of the public key contained in the certificate and
> the ID to be set to the subject distinguished name contained in the
> certificate.
>
> Best regards
>
> Andreas
>
> On 05.10.2017 17:33, rajeev nohria wrote:
> > I have seen this issue before and fixed it. But this time I am not able
> > to figure it out. Let me know if anyone sees the issue or has any suggestion.
> > Thanks in advance.
> >
> > Problem:
> > Getting error while initiating the connection.
> >
> > [IKE] no private key found for 'fc00:cada:c404:607::1001'
> >
> > 11[IKE] no private key found for 'fc00:cada:c404:607::1001'
> >
> >
> > We are able to load the certificate and keys. Looking at the logs, the
> > following lines are proof.
> >
> >
> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
> > 08[CFG] loaded RSA private key
> >
> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
> > 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01,
> > CN=TEST CableLabs Root Certification Authority'
> >
> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
> > 08[CFG] loaded certificate 'C=US, O=ARRIS, OU=LOWELL,
> CN=00:33:5f:ab:8c:9e'
> >
> > messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
> > 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01,
> > CN=TEST CableLabs Device Certification Authority'
> >
> >
> >
> > But when I initiate a connection, I get the following.
> >
> >
> >
> > root@E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200
> >
> > 07[CFG] vici initiate 'gcpfc00:cada:c404::200'
> >
> > 09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
> >
> > [IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
> >
> > [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> > N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
> >
> > 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> > N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
> >
> > [NET] sending packet: from fc00:cada:c404:607::1001[500] to
> > 2017::5002[500] (264 bytes)
> >
> > 09[NET] sending packet: from fc00:cada:c404:607::1001[500] to
> > 2017::5002[500] (264 bytes)
> >
> > 11[NET] received packet: from 2017::5002[500] to
> > fc00:cada:c404:607::1001[500] (289 bytes)
> >
> > [NET] received packet: from 2017::5002[500] to
> > fc00:cada:c404:607::1001[500] (289 bytes)
> >
> > 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> > N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> >
> > [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> > CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> >
> > [IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
> > CN=TEST CableLabs Device Certification Authority"
> >
> > 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device
> > CA01, CN=TEST CableLabs Device Certification Authority"
> >
> > [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
> > CN=TEST CableLabs Device Certification Authority"
> >
> > 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device
> > CA01, CN=TEST CableLabs Device Certification Authority"
> >
> > [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> > CN=TEST CableLabs Root Certification Authority"
> >
> > 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> > CN=TEST CableLabs Root Certification Authority"
> >
> > [IKE] no private key found for 'fc00:cada:c404:607::1001'
> >
> > 11[IKE] no private key found for 'fc00:cada:c404:607::1001'
> >
> > initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed
> >
> >
> >
> >
> >
> 

[strongSwan] No private key found

2017-10-07 Thread rajeev nohria
I have seen this issue before and fixed it. But this time I am not able to
figure it out. Let me know if anyone sees the issue or has any suggestion. Thanks
in advance.

Problem:
Getting error while initiating the connection.

[IKE] no private key found for 'fc00:cada:c404:607::1001'

11[IKE] no private key found for 'fc00:cada:c404:607::1001'


We are able to load the certificate and keys. Looking at the logs, the following
lines are proof.


messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded RSA
private key

messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded
certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
Certification Authority'

messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded
certificate 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'

messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded
certificate 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
Device Certification Authority'



But when I initiate a connection, I get the following.



root@E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200

07[CFG] vici initiate 'gcpfc00:cada:c404::200'

09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002

[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002

[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) N(REDIR_SUP) ]

09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]

[NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500]
(264 bytes)

09[NET] sending packet: from fc00:cada:c404:607::1001[500] to
2017::5002[500] (264 bytes)

11[NET] received packet: from 2017::5002[500] to
fc00:cada:c404:607::1001[500] (289 bytes)

[NET] received packet: from 2017::5002[500] to
fc00:cada:c404:607::1001[500] (289 bytes)

11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(HASH_ALG) N(MULT_AUTH) ]

[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(HASH_ALG) N(MULT_AUTH) ]

[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

[IKE] no private key found for 'fc00:cada:c404:607::1001'

11[IKE] no private key found for 'fc00:cada:c404:607::1001'

initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed

root@E6kn-2016:# swanctl --list-conns

rpdfc00:cada:c404::200: IKEv2, no reauthentication, rekeying every 14400s

  local:  fc00:cada:c404:607::1001

  remote: 2017::5002

  local public key authentication:

id: fc00:cada:c404:607::1001

  remote public key authentication:

  gcpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s

local:  fc00:cada:c404:607::1001/128[tcp]

remote: 2017::5002/128[tcp]

  l2tpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s

local:  fc00:cada:c404:607::1001/128[l2tp]

remote: 2017::5002/128[l2tp]




root@E6kn-2016:# swanctl --list-certs


List of X.509 End Entity Certificates


  subject:  "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"

  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
Device Certification Authority"

  validity:  not before Sep 28 18:18:53 2017, ok

 not after  Sep 28 18:18:53 2037, ok (expires in 7300 days)

  serial:dd:dc:09:21:36:f2:e8:71

  authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b

  subjkeyId: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9

  pubkey:RSA 2048 bits, has private key

  keyid: 8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e

  subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9


List of X.509 CA Certificates


  subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
Device Certification Authority"

  issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
Certification Authority"

  validity:  not before Dec 09 23:08:49 2014, ok

 not after  Dec 09 23:08:49 2049, ok (expires in 11755 days)

  serial:a0:16:bc:73:85:0e:65:37

  altNames:  CN=SYMC-3072-5

  flags: CA CRLSign

  pathlen:   0

  authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb

  subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b

  pubkey:RSA 3072 bits

  keyid: 

Re: [strongSwan] No private key found

2017-10-05 Thread Andreas Steffen
Hi,

you must not set the IKEv2 ID to

id: fc00:cada:c404:607::1001

since this ID is not contained as a subjectAltName in the client
certificate.

Probably you didn't use the "certs" parameter in the local section of
swanctl.conf so that the client certificate just got loaded from
/etc/swanctl/x509. If you don't define the "id" parameter in the local
section then the IPv6 address of the client is assumed as the "id" by
default and because the IP address is not contained as a subjectAltName
in the certificate then neither the certificate nor the corresponding
private key is found.

So the best approach is to define the following in swanctl.conf:

local {
   auth = pubkey
   certs = myCert.pem
}

This first causes the private key to be found automatically based
on the fingerprint of the public key contained in the certificate and
the ID to be set to the subject distinguished name contained in the
certificate.

Best regards

Andreas

On 05.10.2017 17:33, rajeev nohria wrote:
> I have seen this issue before and fixed it. But this time I am not able
> to figure it out. Let me know if anyone sees the issue or has any suggestion.
> Thanks in advance.
> 
> Problem: 
> Getting error while initiating the connection.
> 
> [IKE] no private key found for 'fc00:cada:c404:607::1001'
> 
> 11[IKE] no private key found for 'fc00:cada:c404:607::1001'
> 
> 
> We are able to load the certificate and keys. Looking at the logs, the
> following lines are proof.
>  
> 
> messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
> 08[CFG] loaded RSA private key
> 
> messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
> 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority'
> 
> messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
> 08[CFG] loaded certificate 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'
> 
> messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info  :
> 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01,
> CN=TEST CableLabs Device Certification Authority'
> 
> 
> 
> But when I initiate a connection, I get the following.
> 
> 
> 
> root@E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200
> 
> 07[CFG] vici initiate 'gcpfc00:cada:c404::200'
> 
> 09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
> 
> [IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
> 
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
> 
> 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
> 
> [NET] sending packet: from fc00:cada:c404:607::1001[500] to
> 2017::5002[500] (264 bytes)
> 
> 09[NET] sending packet: from fc00:cada:c404:607::1001[500] to
> 2017::5002[500] (264 bytes)
> 
> 11[NET] received packet: from 2017::5002[500] to
> fc00:cada:c404:607::1001[500] (289 bytes)
> 
> [NET] received packet: from 2017::5002[500] to
> fc00:cada:c404:607::1001[500] (289 bytes)
> 
> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> 
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> 
> [IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
> CN=TEST CableLabs Device Certification Authority"
> 
> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device
> CA01, CN=TEST CableLabs Device Certification Authority"
> 
> [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
> CN=TEST CableLabs Device Certification Authority"
> 
> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device
> CA01, CN=TEST CableLabs Device Certification Authority"
> 
> [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority"
> 
> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority"
> 
> [IKE] no private key found for 'fc00:cada:c404:607::1001'
> 
> 11[IKE] no private key found for 'fc00:cada:c404:607::1001'
> 
> initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed
> 
> root@E6kn-2016:# swanctl --list-conns
> 
> rpdfc00:cada:c404::200: IKEv2, no reauthentication, rekeying every 14400s
> 
>   local:  fc00:cada:c404:607::1001
> 
>   remote: 2017::5002
> 
>   local public key authentication:
> 
>     id: fc00:cada:c404:607::1001
> 
>   remote public key authentication:
> 
>   gcpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
> 
>     local:  fc00:cada:c404:607::1001/128[tcp]
> 
>     remote: 2017::5002/128[tcp]
> 
>   l2tpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
> 
>     local:  fc00:cada:c404:607::1001/128[l2tp]
> 
>     remote: 2017::5002/128[l2tp]
> 
> 
> 
> 
> root@E6kn-2016:# swanctl --list-certs
> 
> 
> List 
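The check below is an added example in POSIX shell on top of the OpenSSL command line; it is not code from this thread or from the strongSwan project. It makes the lookup Andreas describes visible: strongSwan selects the certificate through the local ID (the subject DN, one of the subjectAltNames, or the file named in "certs"), then looks up the private key by the public key fingerprint of that certificate. So "no private key found for '<id>'" appears when the ID is in neither place (the IPv6 address here) and also when the key on disk belongs to a different certificate, which is what Noel is asking about in the ECDSA thread further down this page. The functions take any PEM certificate and key; the key, certificate and DNS subjectAltName that make_test_identity() writes are constructed throwaway material with made-up names, and the script file name swan-id-check.sh in the usage line is likewise hypothetical. It needs OpenSSL 1.1.1 or newer for -addext.

```sh
#!/bin/sh
# Added example (not from this thread or the strongSwan project): check that the
# local ID strongSwan is given is present in the certificate, and that the
# private key on disk belongs to that certificate. strongSwan selects the
# certificate via the ID (subject DN or a subjectAltName, or the file named in
# "certs"/leftcert) and then looks up the private key by the certificate's
# public key fingerprint, so an ID that is in neither place, or a key for a
# different certificate, ends in
#     no private key found for '<id>'
# even though "loaded certificate" / "loaded RSA private key" were logged.

# keyid as swanctl --list-certs prints it: SHA-1 over the DER subjectPublicKeyInfo
cert_keyid() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha1 -c | sed 's/^.*= //'
}

key_keyid() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha1 -c | sed 's/^.*= //'
}

key_matches_cert() {    # $1 cert, $2 key: true if the key belongs to the cert
    [ "$(cert_keyid "$1")" = "$(key_keyid "$2")" ]
}

# Identities strongSwan would accept for the certificate, one per line: the
# subject DN in the "C=US, O=..., CN=..." form it logs, then every
# subjectAltName value as OpenSSL prints it. OpenSSL prints an IPv6 SAN
# expanded ("FC00:CADA:C404:607:0:0:0:1001"); strongSwan compares IP IDs by
# value, this text comparison does not, so pass the ID as the listing shows it.
cert_identities() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space \
        | sed 's/^subject= *//'
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//; s/^[A-Za-z ]*://; /^$/d'
}

id_in_cert() {          # $1 cert, $2 configured ID: true if usable as local id
    cert_identities "$1" | grep -Fqix -- "$2"
}

check_identity() {      # $1 cert, $2 key, $3 configured ID: report, then verdict
    echo "identities in $1:"
    cert_identities "$1" | sed 's/^/    /'
    if id_in_cert "$1" "$3"; then
        echo "id '$3' matches the certificate"
    else
        echo "id '$3' is NOT in the certificate: expect \"no private key found for '$3'\""
    fi
    if key_matches_cert "$1" "$2"; then
        echo "key $2 belongs to the certificate (keyid $(cert_keyid "$1"))"
    else
        echo "key $2 does NOT belong to the certificate"
    fi
    id_in_cert "$1" "$3" && key_matches_cert "$1" "$2"
}

# Constructed throwaway test material (made-up names, not a real device): an
# ECDSA P-384 key, a self-signed certificate for it with a DNS subjectAltName,
# and a second key that belongs to no certificate. Written into directory $1.
make_test_identity() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out "$1/key.pem"
    openssl req -x509 -new -key "$1/key.pem" -out "$1/cert.pem" -days 1 \
        -subj '/C=US/O=SSCA/OU=SS/CN=phone1ecc' \
        -addext 'subjectAltName=DNS:phone1ecc.example.test'
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out "$1/other-key.pem"
}

# usage: sh swan-id-check.sh cert.pem key.pem 'C=US, O=SSCA, OU=SS, CN=phone1ecc'
if [ $# -eq 3 ]; then
    check_identity "$@"
fi
```

Running check_identity with the IPv6 address Rajeev configured reports that the ID is not in the certificate, which is the situation behind the log line; with the subject DN as the ID, or with no id at all and certs = myCert.pem as Andreas suggests, the lookup succeeds as long as key_matches_cert is true as well. ipsec.secrets users get the same error when the ": RSA" or ": ECDSA" line points at a key whose keyid differs from the certificate's.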

Re: [strongSwan] no private key found with ECDSA certificate

2015-05-28 Thread Andreas Steffen
 you enter the ECDSA private key in ipsec.secrets as you
did with the RSA key?
 
   Mit freundlichen Grüßen/Kind Regards,
   Noel Kuntze
 
   GPG Key ID: 0x63EC6658
   Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
 
   On 27.05.2015 at 04:52, Mark M wrote:
I am trying to use ECDSA certificates with my setup and I keep
getting no private key found on my strongswan server when a client
connects. I am using CentOS 7 and strongSwan 5.2.0. I am using the
android client to connect and the certificate authentication works fine
on the Android device.
 
Any ideas on what would cause the private key to not be found or
be authenticated correctly?
 
 
14[CFG]  using trusted ca certificate C=US, ST=MA, L=SELF,
O=SSCA, OU=SS, CN=192.168.1.7
14[CFG] checking certificate status of C=US, ST=MA, L=SELF,
O=SSCA, OU=SS, CN=phone1ecc
14[CFG] certificate status is not available
14[CFG]  reached self-signed root ca with a path length of 0
14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS,
CN=phone1ecc' with ECDSA-384 signature successful
14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3
TFC padding
14[IKE] peer supports MOBIKE
14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'
14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
14[NET] sending packet: from 192.168.1.7[4500] to
70.162.232.57[5477] (88 bytes)
 
 
 
 
 
___
Users mailing list
Users@lists.strongswan.org mailto:Users@lists.strongswan.org
mailto:Users@lists.strongswan.org mailto:Users@lists.strongswan.org
mailto:Users@lists.strongswan.org mailto:Users@lists.strongswan.org
mailto:Users@lists.strongswan.org mailto:Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
 
 
   ___
   Users mailing list
   Users@lists.strongswan.org mailto:Users@lists.strongswan.org
mailto:Users@lists.strongswan.org mailto:Users@lists.strongswan.org
mailto:Users@lists.strongswan.org mailto:Users@lists.strongswan.org
mailto:Users@lists.strongswan.org mailto:Users@lists.strongswan.org
   https://lists.strongswan.org/mailman/listinfo/users
 
 
 
 
 

-BEGIN PGP SIGNATURE-
Version: GnuPG v2
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=epoc

-END PGP SIGNATURE-









___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users



--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Noel Kuntze


Hello Mark,

Well, did you enter the ECDSA private key in ipsec.secrets as you did with the 
RSA key?

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658


Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Noel Kuntze


Hello Mark,

Okay, what does charon say during daemon startup?
Please create a log with the following settings and post it here.
You are encouraged to use a pastebin service.

default = 3
mgr = 1
ike = 1
net = 1
enc = 0
cfg = 2
asn = 1
job = 1
knl = 1

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658


Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Mark M
Hi Noel,
I did specify the key in ipsec.secrets. I am doing everything the same way I 
did with RSA certificates that work fine. Here is my config and how I generated 
the ECC keys and certs. I am thinking this is an issue with how I generated 
the ECC keys and certs?

openssl ecparam -genkey -name secp384r1 -out centos2ecc.key
openssl req -new -key centos2ecc.key -out centos2ecc.csr -config /etc/pki/newca/opensslc1.cnf -sha384
openssl x509 -req -in centos2ecc.csr -CA rooteccCA.crt -CAkey eccCA.key -CAcreateserial -out centos2ecc.crt -days 365 -extensions v3_req -extfile /etc/pki/newca/opensslc1.cnf -sha384

opensslc1.cnf file:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName =

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1=10.X.X.X
IP.2=192.168.1.7

ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA centos2.key
: ECDSA centos2ecc.key


[root@CENTOS7 ~]# vi /etc/strongswan/ipsec.conf
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid=C=CH, O=Linux strongSwan CN=peer name
#      auto=start
conn %default
        keyexchange=ikev2

conn phone1ecc
        left=%defaultroute
        leftcert=centos2ecc.crt
        leftsubnet=0.0.0.0/0
        leftid=C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7
        leftfirewall=yes
        right=%any
        rightsourceip=192.168.9.0/24
        esp=aes256-sha384-ecp384!
        ike=aes256-sha384-ecp384!
        auto=add
 




Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Mark M
Not working,
I am using this method to convert, maybe it is wrong?
[root@CENTOS7 ~]# openssl ecparam -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key

I am getting
00[LIB]   file coded in unknown format, discarded
00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
00[CFG]   loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.der' failed


 On Wednesday, May 27, 2015 5:10 PM, Noel Kuntze n...@familie-kuntze.de wrote:

 Hello Mark,

 Try converting the key from PEM to DER format.

 Mit freundlichen Grüßen/Kind Regards,
 Noel Kuntze

 GPG Key ID: 0x63EC6658
 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

 Am 27.05.2015 um 23:03 schrieb Mark M:
  Noel,

  Here is a pastebin of the log with the settings you asked for -

  http://pastebin.com/4T47jNNA

  I am seeing this as a problem

  1. 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
  2. 00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 4 builders
  3. 00[CFG]  loading private key from '/etc/strongswan/ipsec.d/private/centos2ecc.key' failed
 



Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Mark M
Do you know if this is an issue? It works fine on the Android device.



Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Mark M
Noel,
I got it to work. I had to use ec instead of ecparam for the conversion, like
this:
openssl ec -in /etc/pki/eccCA/centos2ecc.key -inform PEM -outform DER -out centos2ecc.key

strongSwan can now load the private key and I can connect with my Android
client using ECDSA SHA384 certs :)
Thank you very much for the help.
Mark
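The fix Mark reports above comes down to what each OpenSSL command writes to the output file: `openssl ecparam -in key.pem -outform DER` copies only the EC parameters (a single OBJECT IDENTIFIER naming the curve), which is why charon logged "file coded in unknown format" and tried 4 builders without success, whereas `openssl ec -outform DER` writes the RFC 5915 ECPrivateKey structure that the daemon can actually load. The inspector below is an added example written for this page, not code from the thread, from strongSwan or from OpenSSL; it reads a key file in PEM or DER form and reports whether it holds curve parameters only, an EC private key, or something it does not recognize, so the mistake can be caught before the daemon is restarted. The embedded sample inputs (the secp384r1 OID and a dummy 48-byte scalar) are constructed for the demonstration and are not real key material.

```python
import base64
import re

# DER tag bytes used below: INTEGER, OCTET STRING, OBJECT IDENTIFIER, SEQUENCE, [0] EXPLICIT
TAG_INT, TAG_OCTETS, TAG_OID, TAG_SEQ, TAG_CTX0 = 0x02, 0x04, 0x06, 0x30, 0xA0

# Named-curve OIDs (dotted form) commonly used for ECDSA certificates
CURVES = {"1.2.840.10045.3.1.7": "prime256v1", "1.3.132.0.34": "secp384r1"}


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        nbytes = length & 0x7F
        if not 0 < nbytes <= 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted notation."""
    if not value:
        raise ValueError("empty OID")
    arcs, acc, pending = [value[0] // 40, value[0] % 40], 0, False
    for b in value[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def classify_der(data):
    """Return (kind, curve) with kind 'ec-parameters', 'ec-private-key' or 'unknown'."""
    try:
        tag, value, end = read_tlv(data)
        if end != len(data):
            return ("unknown", None)
        if tag == TAG_OID:  # bare ECParameters ::= namedCurve OID (ecparam output)
            oid = decode_oid(value)
            return ("ec-parameters", CURVES.get(oid, oid))
        if tag != TAG_SEQ:
            return ("unknown", None)
        # RFC 5915 ECPrivateKey ::= SEQUENCE { version INTEGER (1), privateKey OCTET STRING,
        #   parameters [0] ECParameters OPTIONAL, publicKey [1] BIT STRING OPTIONAL }
        t, v, pos = read_tlv(value)
        if t != TAG_INT or v != b"\x01":
            return ("unknown", None)
        t, v, pos = read_tlv(value, pos)
        if t != TAG_OCTETS or not v:
            return ("unknown", None)
        curve = None
        if pos < len(value):
            t, v, _ = read_tlv(value, pos)
            if t == TAG_CTX0:
                t, v, _ = read_tlv(v)
                if t == TAG_OID:
                    oid = decode_oid(v)
                    curve = CURVES.get(oid, oid)
        return ("ec-private-key", curve)
    except ValueError:
        return ("unknown", None)


PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def classify(blob):
    """Classify a PEM or DER file; one (kind, curve) per PEM block, or one for raw DER."""
    if not blob.startswith(b"-----BEGIN"):
        return [classify_der(blob)]
    text = blob.decode("ascii", errors="replace")
    return [classify_der(base64.b64decode("".join(body.split())))
            for _label, body in PEM_BLOCK.findall(text)]


def check(blob):
    """'ok' if an EC private key is present, 'parameters-only' for the ecparam
    mistake from the thread, 'unrecognized' for anything else."""
    kinds = [kind for kind, _ in classify(blob)]
    if "ec-private-key" in kinds:
        return "ok"
    if kinds and all(k == "ec-parameters" for k in kinds):
        return "parameters-only"
    return "unrecognized"


# --- constructed samples, not real key material -----------------------------
def der_tlv(tag, value):  # short-form length is enough for these small samples
    return bytes([tag, len(value)]) + value


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SECP384R1_DER = bytes.fromhex("06052b81040022")  # OID 1.3.132.0.34
PARAMS_ONLY_DER = SECP384R1_DER                  # what `openssl ecparam -outform DER` writes
EC_KEY_DER = der_tlv(TAG_SEQ,                    # what `openssl ec -outform DER` writes
                     der_tlv(TAG_INT, b"\x01")
                     + der_tlv(TAG_OCTETS, bytes(range(1, 49)))  # dummy 48-byte scalar
                     + der_tlv(TAG_CTX0, SECP384R1_DER))
GENKEY_PEM = (to_pem("EC PARAMETERS", PARAMS_ONLY_DER)  # `ecparam -genkey` emits both blocks
              + to_pem("EC PRIVATE KEY", EC_KEY_DER)).encode()
```

To inspect a real file, call `check(open(path, "rb").read())`: a result of `parameters-only` means the file was produced the `ecparam` way and will be rejected by the daemon's private-key builders, while `classify()` additionally names the curve so an ECDSA-384 certificate can be matched against a secp384r1 key. The PEM branch reports every block in the file, which is what makes the `ecparam -genkey` output (parameters block followed by key block) come back as `ok`.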




Re: [strongSwan] no private key found with ECDSA certificate

2015-05-27 Thread Noel Kuntze
 

[strongSwan] no private key found with ECDSA certificate

2015-05-26 Thread Mark M
I am trying to use ECDSA certificates with my setup and I keep getting no 
private key found on my strongswan server when a client connects. I am using 
CentOS 7 and strongSwan 5.2.0. I am using the Android client to connect and the 
certificate authentication works fine on the Android device.
Any ideas on what would cause the private key to not be found or be 
authenticated correctly?

14[CFG]   using trusted ca certificate C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7
14[CFG] checking certificate status of C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc
14[CFG] certificate status is not available
14[CFG]   reached self-signed root ca with a path length of 0
14[IKE] authentication of 'C=US, ST=MA, L=SELF, O=SSCA, OU=SS, CN=phone1ecc' with ECDSA-384 signature successful
14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
14[IKE] peer supports MOBIKE
14[IKE] no private key found for 'C=US, ST=MA, L=SELF, OU=SSCA'
14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
14[NET] sending packet: from 192.168.1.7[4500] to 70.162.232.57[5477] (88 bytes)


Re: [strongSwan] No private key found for 'C=CA ...........'

2013-08-01 Thread Farid Farid
Hi Andreas,

Thank you so much. It is working now!! :)

Cheers,
Farid




 From: Andreas Steffen andreas.stef...@strongswan.org
To: Farid Farid farid21...@yahoo.com 
Cc: Martin Willi mar...@strongswan.org; users@lists.strongswan.org 
users@lists.strongswan.org 
Sent: Wednesday, July 31, 2013 11:37 PM
Subject: Re: [strongSwan] No private key found for  'C=CA ...'
 

Hi Farid,

the startup warning

 !! Your strongswan.conf contains manual plugin load options for charon.
 !! This is recommended for experts only, see
 !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

is intended for newbies like you who don't know what they are doing
when meddling around with the strongswan.conf load statement:

- The pkcs1 plugin is missing so your private key won't get parsed:

 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders
 00[CFG]   loading private key from '/etc/ipsec.d/private/lmu56Key.pem'
 failed

- The x509 plugin is missing so your certificates don't get parsed:

 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders
 00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem'
 failed

Just remove the load statement from strongswan.conf and you'll fare
much better!

Andreas

On 08/01/2013 04:35 AM, Farid Farid wrote:
 Thank you Martin for the hint.
 
 I added 'pem' in strongswan.conf (you can see strongswan.conf below), but I still get the same output. Please see the ipsec start --no-fork output right after strongswan.conf.
 This package is also installed: strongswan-mod-pem - 5.0.4-1
 
 Is there any other way to debug this to see why it is not loading the keys?
 
 
 
 Appreciate your help.
 
 Farid
 
 
 
 08[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
 # strongswan.conf - strongSwan configuration file

 charon
 {
         # number of worker threads in charon
         threads = 16

         load = aes pem des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
         # send strongswan vendor ID?
         # send_vendor_id = yes

         plugins
         {
                 sql
                 {
                         # loglevel to log into sql database
                         loglevel = -1

                         # URI to the database
                         # database = sqlite:///path/to/file.db
                         # database = mysql://user:password@localhost/database

Re: [strongSwan] No private key found for 'C=CA ...........'

2013-08-01 Thread Farid Farid
Hi Martin/Andreas,

Now I can ping the other peer and see secure ESP packets going back and forth, but I can also see one unsecure packet, as you can see below: it seems the 55 node sends the echo request twice, one secure and one unsecure. Is it normal?

01:24:44.559099 IP LMU5k.lan > 192.168.1.56: ESP(spi=0xcb8b0e8d,seq=0x1), length 132
01:24:44.559417 IP LMU5k.lan > 192.168.1.56: ICMP echo request, id 58919, seq 0, length 64
01:24:44.560057 IP 192.168.1.56 > LMU5k.lan: ESP(spi=0xc3b7a86c,seq=0x1), length 132
01:24:45.565739 IP LMU5k.lan > 192.168.1.56: ESP(spi=0xcb8b0e8d,seq=0x2), length 132
01:24:45.566053 IP LMU5k.lan > 192.168.1.56: ICMP echo request, id 58919, seq 1, length 64
01:24:45.566496 IP 192.168.1.56 > LMU5k.lan: ESP(spi=0xc3b7a86c,seq=0x2), length 132
01:24:46.575691 IP LMU5k.lan > 192.168.1.56: ESP(spi=0xcb8b0e8d,seq=0x3), length 132
01:24:46.576008 IP LMU5k.lan > 192.168.1.56: ICMP echo request, id 58919, seq 2, length 64
01:24:46.576447 IP 192.168.1.56 > LMU5k.lan: ESP(spi=0xc3b7a86c,seq=0x3), length 132
01:24:46.87


Thanks,
Farid




Re: [strongSwan] No private key found for 'C=CA ...........'

2013-07-31 Thread Farid Farid
.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.3.8, armv5tejl)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders
00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem' failed
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/lmu56Key.pem' failed
00[DMN] loaded plugins: charon aes pem des sha1 sha2 md5 gmp random nonce hmac 
stroke kernel-netlink socket-default updown
00[JOB] spawning 16 worker threads
charon (2628) started after 80 ms
08[CFG] received stroke: add connection 'lmu56'
08[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
08[CFG]   loading certificate from 'lmu56Cert.pem' failed
08[CFG] added configuration 'lmu56'







 From: Martin Willi mar...@strongswan.org
To: Farid Farid farid21...@yahoo.com 
Cc: users@lists.strongswan.org users@lists.strongswan.org 
Sent: Sunday, July 28, 2013 12:19 AM
Subject: Re: [strongSwan] No private key found for  'C=CA ...'
 

Hi Farid,

 !! Your strongswan.conf contains manual plugin load options for charon.
 !! This is recommended for experts only, see
 !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

This warning pops up for a specific reason:

 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce hmac 
 stroke kernel-netlink socket-default updown

You didn't load the pem plugin, hence

 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders
 00[CFG]   loading private key from '/etc/ipsec.d/private/lmu55Key.pem' failed

loading a PEM encoded private key fails.

Regards
Martin

Re: [strongSwan] No private key found for 'C=CA ...........'

2013-07-26 Thread Farid Farid
Hi Martin,

Thank you so much for your response. :)
Yes, I copied everything properly in the correct place and I used the commands that I sent in my previous e-mail.

Here is the output of ipsec start --nofork

root@LMU5k:~# ipsec start --nofork
Starting strongSwan 5.0.4 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.3.8, armv5tejl)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[LIB] building CRED_CERTIFICATE - X509 failed, tried 0 builders
00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem' failed
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 2 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/lmu55Key.pem' failed
00[DMN] loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce hmac 
stroke kernel-netlink socket-default updown
00[JOB] spawning 16 worker threads
charon (15172) started after 80 ms
06[CFG] received stroke: add connection 'lmu55'
06[LIB] building CRED_CERTIFICATE - ANY failed, tried 0 builders
06[CFG]   loading certificate from 'lmu55Cert.pem' failed
06[CFG] added configuration 'lmu55'


It seems charon can't load anything. It failed at building CRED_CERTIFICATE, and I can't see if it ever tries to load/read from the /ipsec.d/certs/ directory.

So is it a problem with the certificate and key generation? Or is there an incompatibility here?
I created the certificates and keys on an Ubuntu machine with strongswan 4.x.x. Do you think it might be the issue?

Is there any way to check if certificates and keys are OK before loading them to the target machine?

Is it possible that strongswan compiled for this target machine is not a full package? However, I installed all required packages based on the OpenWrt wiki page.
My build compiler is uClibc.

I appreciate your help,
Farid





 From: Martin Willi mar...@strongswan.org
To: Farid Farid farid21...@yahoo.com 
Cc: users@lists.strongswan.org users@lists.strongswan.org 
Sent: Friday, July 26, 2013 12:09 AM
Subject: Re: [strongSwan] No private key found for  'C=CA ...'
 

Hi Farid,

 left:
 cp lmu55Key.pem     lmu55:/etc/ipsec.d/private/
 cp lmu55Cert.pem    lmu55:/ipsec.d/certs/
 cp caCert.pem        lmu55:/ipsec.d/cacerts/
 
 right:
 cp lmu55Key.pem     lmu55:/etc/ipsec.d/private/
 cp lmu55Cert.pem    lmu55:/ipsec.d/certs/
 cp caCert.pem        lmu55:/ipsec.d/cacerts/

I assume you have copied lmu56* to the appropriate places as well?

 no RSA private key found for 'C=CA, CN=lmu55'

At a first look the generation of your keys/certs looks good, but for
some reason the daemon can't find the private key for your certificate.

To check if the private key has been loaded, call ipsec listcerts. It
should list your peer certificate, and if it has a private key for it,
it should state has private key.

If this is not the case, you should check the log and see if there is
any error during daemon startup. Alternatively, you can invoke the IKE
daemon in the foreground using ipsec start --nofork. 

Regards
Martin
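
Two of the causes discussed in this thread can be checked before the key ever reaches the target machine, which is what the question above asks for: a manual load line in strongswan.conf that lacks the pem/pkcs1/x509 plugins (Martin's and Andreas's diagnosis), and a private key that does not belong to the certificate named by leftcert. The script below is an added example, not code from the strongSwan project; it assumes only a POSIX shell and the openssl command line tool, the function names (missing_plugins, key_matches_cert, check_peer) are mine, and the thread's lmu55Key.pem/lmu55Cert.pem appear only as sample arguments.

```shell
#!/bin/sh
# Pre-flight checks for two "no private key found" causes seen in these threads:
# a strongswan.conf "load =" line without the credential-parsing plugins, and a
# private key that does not belong to the certificate named by leftcert.
# Added example; needs only a POSIX shell and the openssl command line tool.

# Print each plugin from the argument list that is absent from the first
# uncommented "load = ..." line of the strongswan.conf given as $1. Prints
# nothing when there is no such line: charon then loads every plugin it has.
# The pem/pkcs1/x509 set below is for PEM RSA keys and certificates as in the
# threads; ECDSA keys are parsed by a different plugin (openssl), an assumption
# not taken from this thread.
missing_plugins() {
    conf=$1; shift
    load=$(sed -n 's/^[[:space:]]*load[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -z "$load" ] && return 0
    for plugin in "$@"; do
        case " $load " in
            *" $plugin "*) ;;
            *) printf '%s\n' "$plugin" ;;
        esac
    done
}

# Write the PEM public key out of a certificate ("cert") or derived from a
# private key ("key"). $3 is the key passphrase; empty for unencrypted keys,
# which makes openssl fail instead of prompting when the key is encrypted.
pubkey_pem() {
    case $2 in
        cert) openssl x509 -in "$1" -noout -pubkey ;;
        key)  openssl pkey -in "$1" -passin "pass:$3" -pubout ;;
    esac
}

# SHA-256 of the DER SubjectPublicKeyInfo, so RSA and EC keys compare the same way.
spki_digest() {
    pubkey_pem "$1" "$2" "$3" 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{ print $NF }'
}

# Succeed when the private key $1 matches certificate $2 ($3 = passphrase).
# Each file is parsed on its own first, so two unreadable files never "match".
key_matches_cert() {
    openssl pkey -in "$1" -passin "pass:$3" -noout 2>/dev/null || {
        echo "cannot parse private key $1 (format, permissions or passphrase?)" >&2
        return 1
    }
    openssl x509 -in "$2" -noout 2>/dev/null || {
        echo "cannot parse certificate $2" >&2
        return 1
    }
    key_id=$(spki_digest "$1" key "$3")
    cert_id=$(spki_digest "$2" cert)
    [ "$key_id" = "$cert_id" ]
}

# Report both checks for one peer: $1 strongswan.conf, $2 the key named in
# ipsec.secrets, $3 the leftcert file, $4 the key passphrase if any.
check_peer() {
    missing=$(missing_plugins "$1" pem pkcs1 x509 | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "load line lacks: $missing(charon cannot parse PEM keys/certs without them)"
    fi
    if key_matches_cert "$2" "$3" "$4"; then
        echo "ok: $2 belongs to $3"
    else
        echo "mismatch: $2 does not belong to $3"
        return 1
    fi
}

# Example: check_peer /etc/strongswan.conf /etc/ipsec.d/private/lmu55Key.pem /etc/ipsec.d/certs/lmu55Cert.pem
if [ "$#" -ge 3 ]; then
    check_peer "$@"
fi
```

Run it on the build machine against the files you are about to copy; a mismatch or a missing plugin reported here is the same condition charon later logs as "no private key found".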

[strongSwan] No private key found for 'C=CA ...........'

2013-07-25 Thread Farid Farid
Hi  Community,

I am wondering if this is the right place to ask basic questions regarding strongSwan and IPsec. I have posted some questions but got no reply at all, which is kind of disappointing.

Hope this time I get an answer, or at least someone can tell me where I should post my questions.

I am trying to create an IPsec tunnel using strongswan 5.0.4 between two OpenWrt Linux based machines running kernel 3.3.8 with a very basic scenario.

Any time I try to bring up a connection (ipsec up lmu55) I get the following error:

no private key found for  'C=CA CN=lmu55'
configuration uses unsupported authentication
tried to check-in and delete nonexisting IKE_SA
establishing connection 'conn' failed

I have two linux box called lmu55 and lmu56.
I am creating the private keys and certificate like this:  

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CA, O=strongswan, CN=lmu55" --outform pem --ca > caCert.pem


for left gateway:
ipsec pki --gen --outform pem > lmu55Key.pem
ipsec pki --pub --in lmu55Key.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, CN=lmu55" --outform pem > lmu55Cert.pem


for right gateway:
ipsec pki --gen --outform pem > lmu56Key.pem
ipsec pki --pub --in lmu56Key.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, CN=lmu56" --outform pem > lmu56Cert.pem

left:
cp lmu55Key.pem     lmu55:/etc/ipsec.d/private/
cp lmu55Cert.pem    lmu55:/ipsec.d/certs/
cp caCert.pem        lmu55:/ipsec.d/cacerts/

right:
cp lmu55Key.pem     lmu55:/etc/ipsec.d/private/
cp lmu55Cert.pem    lmu55:/ipsec.d/certs/
cp caCert.pem        lmu55:/ipsec.d/cacerts/


Here is the ipsec.conf and  ipsec.secret for lmu55:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
# strictcrlpolicy=no
# uniqueids = no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
#    authby=xauthrsasig
#    mobike=no

# Add connections here.

# Sample VPN connections

conn lmu55
      left=192.168.1.55
      leftid=C=CA, CN=lmu55
      leftcert=lmu55Cert.pem
      leftfirewall=yes
      right=192.168.1.56
      rightid=C=CA, CN=lmu56
      auto=add

and ipsec.secret
# generated by /etc/init.d/ipsec
: RSA lmu55Key.pem 

Here is the ipsec.conf and  ipsec.secret for lmu56

# ipsec.conf - strongSwan IPsec configuration file


# basic configuration

config setup
 strictcrlpolicy=no
 uniqueids = no

conn %default
     ikelifetime=60m   
     keylife=20m       
     rekeymargin=3m    
     keyingtries=1  
     keyexchange=ikev1
     #authby=xauthprsasig
     #mobike=no

# Add connections here.

# Sample VPN connections

conn lmu56
      left=192.168.1.56
      leftid=C=CA, CN=lmu56
      leftcert=lmu56Cert.der
      leftfirewall=yes
      right=192.168.1.55
      rightid=C=CA, CN=lmu55
      auto=add


and ipsec.secret

# generated by /etc/init.d/ipsec
: RSA lmu56Key.pem





If I use  authby=xauthprsasig  then I can see the peers start negotiating but 
eventually fails with the same error. Here is the log data:

root@LMU5k:~# ipsec  up lmu55
initiating Main Mode IKE_SA lmu55[1] to 192.168.1.56
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (224 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (372 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (372 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
no RSA private key found for 'C=CA, CN=lmu55'
generating INFORMATIONAL_V1 request 1007725697 [ HASH N(AUTH_FAILED) ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (92 bytes)
establishing connection 'lmu55' failed



ipsec listcerts  also returns empty.

what am I missing here?

Thanks for the help.
Farid

[strongSwan] no private key found and unable to initiate to %any

2010-10-21 Thread Daniel Gartmann
Hi, I am trying to set up an IPsec tunnel but I have got some errors that I couldn't solve.


---

moon:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
# plutodebug=all
 crlcheckinterval=180
 strictcrlpolicy=no
# cachecrls=yes
# nat_traversal=yes
# charonstart=no
 plutostart=no

# Add connections here.

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
#ike=aes128-sha256-modp2048!
#esp=aes128-sha256-modp2048!
left=147.87.107.20
leftsubnet=10.1.0.0/16
leftcert=moonCert.pem
leftid=C=CH,O=BFH, CN=gad
leftfirewall=yes

conn rw
right=%any
rightsourceip=%dhcp
auto=add



# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA moonKey.pem mypassword

---

carol:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
# plutodebug=all
 crlcheckinterval=180
 strictcrlpolicy=no
# cachecrls=yes
# nat_traversal=yes
# charonstart=no
 plutostart=no

# Add connections here.

# Sample VPN connections

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
#ike=aes128-sha256-modp2048!
#esp=aes128-sha256-modp2048!


conn home
left=147.87.107.19
leftsourceip=%config
leftcert=carolCert.pem
leftid=C=CH, O=BFH, CN=carol
leftfirewall=yes
right=147.87.107.20
rightsubnet=10.1.0.0/16
rightid=C=CH, O=BFH, CN=gad
auto=add


# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA carolKey.pem mypassword

--

moon error:

[r...@moon ~]# ipsec  restart
Stopping strongSwan IPsec...
Starting strongSwan 4.4.0 IPsec [starter]...
[r...@moon ~]# ipsec up rw
unable to initiate to %any


carol error:

[r...@carol log]# cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA carolKey.pem daniel
[r...@carol log]# ^C
[r...@carol log]# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.4.0 IPsec [starter]...
[r...@carol log]# ipsec up home
initiating IKE_SA home[1] to 147.87.107.20
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 147.87.107.19[500] to 147.87.107.20[500]
received packet: from 147.87.107.20[500] to 147.87.107.19[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
CERTREQ N(MULT_AUTH) ]
received cert request for C=CH, ST=Bern, L=Biel, O=BFH, OU=SEL, CN=gad, 
e=...@bfh.ch
sending cert request for C=CH, ST=Bern, L=Biel, O=BFH, OU=SEL, CN=gad, 
e=...@bfh.ch
*no private key found* for 'C=CH, ST=Bern, O=BFH, OU=SEL, CN=carol, 
e=ca...@bfh.ch'

[r...@carol log]#

Thank you for your help!

cheers

Daniel











Re: [strongSwan] no private key found and unable to initiate to %any

2010-10-21 Thread Andreas Steffen
Hello Daniel,

either your private key does not match the public key in Carol's
certificate or the private key could not be loaded.

- does ipsec listcerts show Carol's certificate with the comment:
  ..., has private key ?

- does ipsec rereadsecrets write any error messages into the log file?

Regards

Andreas


==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



[strongSwan] no private key found for... problem with ECDSA certificates

2009-10-29 Thread lyle492
I’m investigating use of strongswan and one of the requirements 
for the project is use of Elliptic-Curve-based keys.  
My problem is  that the private key isn't found, and I do not believe
it's a simple case of mis-matching the cert-key files.

The error message logged in /var/log/messages :

“no private key found for …”

followed by the DN of the certificate.  I generated the key file
using :
openssl ecparam -out lylelaptop-key-ec.pem -name prime256v1 -genkey

I generated the certificate-request with:

openssl req -key lylelaptop-key-ec.pem -nodes -sha256 -days 365 -new -config configfile.cnf \
-out lylelaptop-req.pem

and self-signed using an EC-based certificate:
openssl ca -in lylelaptop-req.pem -config localCA.cnf -out lylelaptop-cert-ec.pem \
-cert cacert-ec.pem -keyfile private/cakey-ec.pem
where the “-ec” part of the names is a reminder to me that the file was
generated for Elliptic Curves.  I’ve already verified this works fine for me
when the keys are RSA-based;  my problem stems from EC-based keys.

I moved the cert to /usr/local/etc/ipsec.d/certs and the key file to /usr/local/etc/ipsec.d/private and made its permission 400.
I’m fairly sure that the discussion earlier of mis-matching modulus and exponents doesn’t apply because I printed the hex of the public part of the key and it matches the hex in the certificate, byte-for-byte.

As a check to see if I'd somehow messed up generating the keys, I also tried using three similar cert and key files from the testing directory. I copied the certs and key from testing/tests/openssl-ik3v2/ecdsa-certs/hosts/carol, replacing the CA and host cert file and key file I had been using, and copy-pasting the pass-phrase from the test ipsec.secrets file. This produced almost the same results. The only difference was that now the DN name is for the test key, i.e.,
No private key found for “C=CH, O=Linux stringSwan, OU= ECDSA 256 bit, cn=ca...@strongswan.org…” rather than the DN I used in my cert, proving that I copied into the correct files.

My strongswan.conf file load-line is:
load = openssl random x509 pubkey hmac stroke kernel-netlink updown aes sha1 
sha2 gmp xcbc

How does strongSwan decide which private key goes with which certificate?
I only have one file, in PEM format, in /usr/local/etc/ipsec.d/private
and only two files in /usr/local/etc/ipsec.d/certs.  Permissions on the
key-file are 400, for the certs 444.

I've attached the /var/log/messages fragment starting from the latest restart
in case this helps. The CA certs won't parse either.


I’m using OpenSSL 1.0.0beta3 and strongswan 4.3.4 and I've seen this problem on
RedHat EL 5.4 and also Fedora 10.  gcc on RH is 4.1.2, on Fedora is 4.4.1.  The
./configure line was:
./configure --enable-openssl
(no other parameters)

Thank you in advance.
--lyle
Oct 29 12:55:20 localhost charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
Oct 29 12:55:20 localhost charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Oct 29 12:55:20 localhost charon: 01[LIB] SHA1 hash algorithm not supported, unable to use EC
Oct 29 12:55:20 localhost charon: 01[LIB] failed to create a builder for credential type CRED_PUBLIC_KEY, subtype (2)
Oct 29 12:55:20 localhost charon: 01[LIB] failed to create a builder for credential type CRED_PUBLIC_KEY, subtype (0)
Oct 29 12:55:20 localhost charon: 01[LIB]   could not parse loaded certificate file '/usr/local/etc/ipsec.d/cacerts/cacert-ec.pem'
Oct 29 12:55:20 localhost charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
Oct 29 12:55:20 localhost charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Oct 29 12:55:20 localhost charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Oct 29 12:55:20 localhost charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Oct 29 12:55:20 localhost charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Oct 29 12:55:20 localhost charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Oct 29 12:55:20 localhost charon: 01[LIB]   file coded in unknown format, discarded
Oct 29 12:55:20 localhost charon: 01[KNL] listening on interfaces:
Oct 29 12:55:20 localhost charon: 01[KNL]   eth1
Oct 29 12:55:20 localhost charon: 01[KNL] 10.10.16.150
Oct 29 12:55:20 localhost charon: 01[KNL] fe80::20a:e4ff:fed6:61b0
Oct 29 12:55:20 localhost charon: 01[KNL]   virbr0
Oct 29 12:55:20 localhost charon: 01[KNL] 192.168.122.1
Oct 29 12:55:20 localhost charon: 01[KNL] fe80::ff:60ff:fe65:63aa
Oct 29 12:55:20 localhost charon: 01[DMN] loaded plugins: openssl random x509 pubkey hmac stroke kernel-netlink updown aes sha1 sha2 gmp xcbc
Oct 29 12:55:20 localhost charon: 01[JOB] spawning 16 worker threads
Oct 29 12:55:20 localhost charon: 03[CFG] stroke message = 415 bytes @ 0xb76da0c0
Oct 29 12:55:20 localhost charon: 03[CFG]0: 9F 01 00 00 03 00 00 00 FF FF FF

[strongSwan] No private key found for (Yeah, yeah again...)

2009-04-01 Thread Никоноров Григорий
Hello strongSwan team !

Problem solved.
The problem was solved by using the certificates from the example (moon and sun) and the config from the ikev2 host2host-transport example.

Daniel,

Please send me complete list of commands to create CA plus host
certificates.

Thanks in advance!


You wrote on 31 March 2009 at 17:38:13:

 Никоноров Григорий wrote:
 I followed quick installation guide 
 http://www.strongswan.org/docs/readme42.htm#section_3
 and create X.509 certificates by the command:
 openssl req -x509 -days 1460 -newkey rsa:2048 -keyout sw1priKey.pem -out 
 strongswanCert.pem
 
 Then create host certificate and signed certificate request by the CA
 by the command:
 openssl req -newkey rsa:1024 -keyout sw1hostKey.pem -out sw1Req.pem
 
 That's all

 Is that the complete list? What I can see is:

 - You're creating a self-signed root CA. You save the private key for 
 the CA in sw1priKey.pem and the CA certificate in strongswanCert.pem. 
 But why are you saving the private key in sw1priKey.pem. Isn't this file
 supposed to contain the private key for the host swan1?

 - You're creating a Certificate Request for swan1. But you do not sign
 that request using the CA's private key.

 You might want to use

 /usr/lib/ssl/misc/CA.pl -newca

 to create the CA.

 Let me know if you're still experiencing problems. I can come up with a
 complete list of commands you can use to create your CA plus host 
 certificates.

 Btw, if you have just two hosts it might be easier to get away without a
 CA and use preloaded certificates instead.

 Daniel




-- 
Regards,
Никоноров Григорий
System administrator
ЗАО Комита
icq 419950912
Tel. 295
 



[strongSwan] No private key found for (Yeah, yeah again...)

2009-03-31 Thread Никоноров Григорий
Hello all !

Please help me!
Problem realizing a host-host scheme
Linux strongSwan U4.2.12/K2.6.18

swan1 - remote
swan2 - local

ipsec.conf

swan1

config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
mobike=no
keyexchange=ikev2

conn host-host
left=192.168.164.116
leftcert=swa1Cert.pem
leftfirewall=yes
right=192.168.164.117
type=transport
auto=add

swan2

config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
mobike=no
keyexchange=ikev2

conn host-host
left=192.168.164.117
leftcert=sw2Cert.pem
leftfirewall=yes
right=192.168.164.116
type=transport
auto=add

ipsec.secrets

swan1

: RSA sw1priKey.pem swan

swan2

: RSA sw2priKey.pem swan

ipsec listalgs

swan1
List of registered IKEv2 Algorithms:

  encryption: AES_CBC 3DES DES DES_ECB 
  integrity:  HMAC_SHA1_96 AUTH_HMAC_SHA1_128 AUTH_HMAC_SHA2_256_128 
HMAC_MD5_96 AUTH_HMAC_SHA2_384_192 AUTH_HMAC_SHA2_512_256 AES_XCBC_96 
  hasher: HASH_SHA1 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5 
  prf:PRF_KEYED_SHA1 PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 
PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512 PRF_AES128_CBC 
  dh-group:   MODP_2048_BIT MODP_1536_BIT MODP_3072_BIT MODP_4096_BIT 
MODP_6144_BIT MODP_8192_BIT MODP_1024_BIT MODP_768_BIT


swan2
List of registered IKEv2 Algorithms:

  encryption: AES_CBC 3DES DES DES_ECB 
  integrity:  AES_XCBC_96 HMAC_SHA1_96 AUTH_HMAC_SHA1_128 
AUTH_HMAC_SHA2_256_128 HMAC_MD5_96 AUTH_HMAC_SHA2_384_192 
AUTH_HMAC_SHA2_512_256 
  hasher: HASH_SHA1 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5 
  prf:PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_CBC PRF_HMAC_SHA2_256 
PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512 
  dh-group:   MODP_2048_BIT MODP_1536_BIT MODP_3072_BIT MODP_4096_BIT 
MODP_6144_BIT MODP_8192_BIT MODP_1024_BIT MODP_768_BIT

ipsec listcacerts
List of X.509 CA Certificates:

  subject:  C=RU, ST=RU, L=RU, O=RU, OU=RU, CN=RU, e...@ru.ru
  issuer:   C=RU, ST=RU, L=RU, O=RU, OU=RU, CN=RU, e...@ru.ru
  serial:00:da:f2:b9:5b:c5:24:ea:eb
  validity:  not before Mar 30 11:28:05 2009, ok
 not after  Mar 29 11:28:05 2013, ok 
  pubkey:RSA 2048 bits, has private key
  keyid: c1:9e:7d:c7:75:4c:ac:a4:9b:33:21:2c:fa:51:80:fb:ad:5c:42:8d
  subjkey:   af:2d:85:4e:4a:f8:40:72:45:06:74:ff:05:41:8e:2a:fb:74:d8:1e
  authkey:   af:2d:85:4e:4a:f8:40:72:45:06:74:ff:05:41:8e:2a:fb:74:d8:1e

LOG

swan2 (local)

ipsec start

Mar 31 06:51:55 swan2 charon: 01[DMN] starting charon (strongSwan Version 
4.2.12)
Mar 31 06:51:55 swan2 charon: 01[CFG] loading ca certificates from 
'/usr/local/etc/ipsec.d/cacerts' 
Mar 31 06:51:55 swan2 charon: 01[LIB]   loaded certificate file 
'/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem' 
Mar 31 06:51:55 swan2 charon: 01[CFG] loading aa certificates from 
'/usr/local/etc/ipsec.d/aacerts' 
Mar 31 06:51:55 swan2 charon: 01[CFG] loading ocsp signer certificates from 
'/usr/local/etc/ipsec.d/ocspcerts' 
Mar 31 06:51:55 swan2 charon: 01[CFG] loading attribute certificates from 
'/usr/local/etc/ipsec.d/acerts' 
Mar 31 06:51:55 swan2 charon: 01[CFG] loading crls from 
'/usr/local/etc/ipsec.d/crls' 
Mar 31 06:51:55 swan2 charon: 01[CFG] loading secrets from 
'/usr/local/etc/ipsec.secrets' 
Mar 31 06:51:55 swan2 charon: 01[CFG]   loaded private key file 
'/usr/local/etc/ipsec.d/private/sw2priKey.pem' 
Mar 31 06:51:55 swan2 charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 
fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown  
Mar 31 06:51:55 swan2 charon: 01[KNL] listening on interfaces: 
Mar 31 06:51:55 swan2 charon: 01[KNL]   eth0 
Mar 31 06:51:55 swan2 charon: 01[KNL] 192.168.164.117 
Mar 31 06:51:55 swan2 charon: 01[KNL] fe80::204:75ff:fec9:cd60 
Mar 31 06:51:55 swan2 charon: 01[JOB] spawning 16 worker threads 
Mar 31 06:51:55 swan2 charon: 03[CFG] received stroke: add connection 
'host-host' 
Mar 31 06:51:55 swan2 charon: 03[LIB]   loaded certificate file 
'/usr/local/etc/ipsec.d/certs/sw2Cert.pem' 
Mar 31 06:51:55 swan2 charon: 03[CFG]   peerid 192.168.164.117 not confirmed by 
certificate, defaulting to subject DN 
Mar 31 06:51:55 swan2 charon: 03[CFG] added configuration 'host-host': 
192.168.164.117[C=RU, ST=RU, L=RU, O=Internet Widgits Pty Ltd, OU=RU, CN=RU, 
e...@ru.ru]...192.168.164.116[192.168.164.116]

swan1 (remote)

Mar 31 08:12:07 swan1 charon: 01[DMN] starting charon (strongSwan Version 
4.2.12)
Mar 31 08:12:07 swan1 charon: 01[LIB] loading plugin 'curl' failed: 
/usr/local/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared 
object file: 

[strongSwan] No private key found for (Yeah, yeah again...)

2009-03-31 Thread Никоноров Григорий
Hello, Daniel.

You wrote on 31 March 2009, 15:34:56:

 Try using

 openssl rsa -in sw2priKey.pem -text -noout

 and

 openssl x509 -in sw2Cert.pem -noout -text

 and check if modulus and exponent (the public key) match up. Do the same
 for sw1priKey.pem and sw1Cert.pem

 Daniel

Hi Daniel!

Thanks for the advice. As I see it, the exponents for swan1 and swan2 are identical but
the moduli have different values! Wtf?
Perhaps I did not create the certificates properly.

Host - swan1

openssl rsa -in sw2priKey.pem -text -noout

modulus:
publicExponent: 65537 (0x10001)

Modulus (1024 bit):
Exponent: 65537 (0x10001)

Host - swan2

openssl x509 -in sw2Cert.pem -noout -text

Modulus (1024 bit):
Exponent: 65537 (0x10001)

openssl rsa -in sw2priKey.pem -text -noout

Private-Key: (2048 bit)
modulus:
publicExponent: 65537 (0x10001)





Re: [strongSwan] No private key found for (Yeah, yeah again...)

2009-03-31 Thread Daniel Mentz
Никоноров Григорий wrote:
 Thanks for the advice. As I see it, the exponents for swan1 and swan2 are identical but
 the moduli have different values! Wtf?
 Perhaps I did not create the certificates properly.


I guess that the public exponent is always 0x10001 because that makes 
the verification of signatures more computationally effective.

I also don't see the Modulus matching up. The public key in the 
certificate does not match the corresponding private key.

Please share the sequence of commands you used to create the X.509 
certificates.

  Daniel
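The two things this thread turns on, a CA that signs a separate host key and a check that the host key's modulus matches the certificate's, as one added example script (not from the thread or from the strongSwan project). It assumes an OpenSSL command-line tool is installed; the file names, subjects and working directory are ours.

```shell
#!/bin/sh
# Added example: build a small CA, issue a host certificate signed by it,
# then confirm the host private key matches the certificate by comparing
# RSA moduli (Daniel's check), hashed so they need not be compared by eye.
# Assumes the openssl CLI; file names and subjects are constructed here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create CA and host credentials in $WORK. The CA key (caKey.pem) is used
# only to sign; the host gets its own key (sw1Key.pem), unlike the thread,
# where the CA key was stored under the host key's name.
make_pki() {
    # 1. Self-signed CA: key + certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1460 \
        -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" \
        -subj "/C=RU/O=Example/CN=Example CA" >/dev/null 2>&1
    # 2. Host key + certificate signing request (CSR).
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/sw1Key.pem" -out "$WORK/sw1Req.pem" \
        -subj "/C=RU/O=Example/CN=swan1" >/dev/null 2>&1
    # 3. Sign the CSR with the CA key: the step missing in the thread.
    openssl x509 -req -days 730 -in "$WORK/sw1Req.pem" \
        -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
        -out "$WORK/sw1Cert.pem" >/dev/null 2>&1
}

# Return 0 if private key $1 and certificate $2 carry the same RSA modulus.
key_matches_cert() {
    key_mod="$(openssl rsa -in "$1" -noout -modulus | openssl sha256)"
    crt_mod="$(openssl x509 -in "$2" -noout -modulus | openssl sha256)"
    [ "$key_mod" = "$crt_mod" ]
}

make_pki
if key_matches_cert "$WORK/sw1Key.pem" "$WORK/sw1Cert.pem"; then
    echo "sw1Key.pem matches sw1Cert.pem: charon would report 'has private key'"
fi
# The mismatch from the thread: CA key paired with the host certificate.
if ! key_matches_cert "$WORK/caKey.pem" "$WORK/sw1Cert.pem"; then
    echo "caKey.pem does not match sw1Cert.pem: expect 'no private key found'"
fi
```

Run the same key_matches_cert check against the files named in ipsec.secrets and leftcert before starting charon; a mismatch there is what produces the "no private key found" message.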