Please hold your entrails back! Are there any error messages while charon loads the private key? With
ipsec reloadsecrets you can force a reload. Also check for failures while loading plugins when charon is starting up.

Regards

Andreas

On 13.10.2011 07:55, Luke Pascoe wrote:
> Please save me, I'm about to commit Seppuku!
>
> I'm trying to set up a roadwarrior terminator on Ubuntu 10.04 LTS. I've got a
> near identical setup working on Ubuntu 9.10 but this new one's being
> difficult.
>
> It appears it's not associating the local certificate with its private key
> properly, even though both appear to be being loaded correctly:
>
> root@fw:~# ipsec listcerts
> 000
> 000 List of X.509 End Certificates:
> 000
> 000 Oct 13 18:28:47 2011, count: 2
> 000        subject:  'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]'
> 000        issuer:   'CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, [email protected]'
> 000        serial:    05
> 000        validity:  not before Oct 13 18:27:55 2011 ok
> 000                   not after  Oct 11 18:27:55 2016 ok
> 000        pubkey:    RSA 2048 bits, has private key
> 000        keyid:     50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
> 000        subjkey:   95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
> 000        authkey:   5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4
> 000        aserial:   00:d2:a1:e8:5e:53:ee:9f:63
>
> List of X.509 End Entity Certificates:
>
>   subject:  "C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]"
>   issuer:   "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, [email protected]"
>   serial:    05
>   validity:  not before Oct 13 18:27:55 2011, ok
>              not after  Oct 11 18:27:55 2016, ok
>   pubkey:    RSA 2048 bits
>   keyid:     50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
>   subjkey:   95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
>   authkey:   5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4
>
> Note the top says "has private key" but the bottom doesn't. WTF is up with
> that?
>
> Here's what I'm getting in the logs when I try to connect, which pretty much
> matches the above:
>
> Oct 13 18:03:02 tkh-fw charon: 09[NET] received packet: from 122.63.65.10[500] to x.x.x.x[500]
> Oct 13 18:03:02 tkh-fw charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] 122.63.65.10 is initiating an IKE_SA
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] remote host is behind NAT
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] DH group ECP_192 inacceptable, requesting MODP_2048
> Oct 13 18:03:02 tkh-fw charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Oct 13 18:03:02 tkh-fw charon: 09[NET] sending packet: from x.x.x.x[500] to 122.63.65.10[500]
> Oct 13 18:03:03 tkh-fw charon: 16[NET] received packet: from 122.63.65.10[500] to x.x.x.x[500]
> Oct 13 18:03:03 tkh-fw charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] 122.63.65.10 is initiating an IKE_SA
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] remote host is behind NAT
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] sending cert request for "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, [email protected]"
> Oct 13 18:03:03 tkh-fw charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Oct 13 18:03:03 tkh-fw charon: 16[NET] sending packet: from x.x.x.x[500] to 122.63.65.10[500]
> Oct 13 18:03:03 tkh-fw charon: 11[NET] received packet: from 122.63.65.10[4500] to x.x.x.x[4500]
> Oct 13 18:03:03 tkh-fw charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) ]
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] received end entity cert "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, [email protected]"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] looking for peer configs matching x.x.x.x[C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]]...122.63.65.10[C=NZ, ST=N/A, O=XX.net.nz, CN=sin, [email protected]]
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] selected peer config 'Roadwarriors'
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] using certificate "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, [email protected]"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] using trusted ca certificate "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, [email protected]"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] checking certificate status of "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, [email protected]"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] certificate status is not available
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] authentication of 'C=NZ, ST=N/A, O=XX.net.nz, CN=sin, [email protected]' with RSA signature successful
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] peer supports MOBIKE
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] no private key found for 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]'
> Oct 13 18:03:03 tkh-fw charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Oct 13 18:03:03 tkh-fw charon: 11[NET] sending packet: from x.x.x.x[4500] to 122.63.65.10[4500]
>
> This is the pertinent bit:
>> no private key found for 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]'
>
> Buggered if I know what's going on.
>
> Any ideas?
>
> Thanks.
>
> Luke.

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
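The check Luke's listing calls for, as an added example that is not part of this thread or of strongSwan itself: a small Go program that takes a PEM certificate and a set of candidate PEM private keys, computes for each the SHA-1 of the DER subjectPublicKeyInfo (the digest strongSwan prints on the keyid: line), and reports which key, if any, belongs to the certificate. When no key under /etc/ipsec.d/private produces the certificate's keyid, charon's "no private key found" is the expected outcome. An encrypted key is reported rather than parsed, because a missing or wrong passphrase leaves charon in the same position. The function names, the demo identities generated when the program is run without arguments, and the paths in the usage comment are this example's own assumptions, not anything the thread states.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// keyID: SHA-1 of a DER subjectPublicKeyInfo, formatted like strongSwan's "keyid:" line.
func keyID(spki []byte) string {
	sum := sha1.Sum(spki)
	return strings.ReplaceAll(fmt.Sprintf("% x", sum[:]), " ", ":")
}

// CertKeyID returns the keyid of the public key in a PEM certificate.
func CertKeyID(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return keyID(cert.RawSubjectPublicKeyInfo), nil
}

// PrivateKeyID returns the keyid of a PEM private key's public half; an encrypted key is reported, not parsed.
func PrivateKeyID(keyPEM []byte) (string, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil || block.Type == "ENCRYPTED PRIVATE KEY" || block.Headers["Proc-Type"] == "4,ENCRYPTED" {
		return "", fmt.Errorf("no usable PEM block: key missing or encrypted (check the passphrase configured for it)")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes) // "PRIVATE KEY": RSA, ECDSA or Ed25519
	if err != nil {
		k, err = x509.ParsePKCS1PrivateKey(block.Bytes) // "RSA PRIVATE KEY", as on the page
	}
	signer, ok := k.(crypto.Signer)
	if err != nil || !ok {
		return "", fmt.Errorf("cannot use %q block as a signing key", block.Type)
	}
	spki, _ := x509.MarshalPKIXPublicKey(signer.Public()) // every key type accepted above is supported
	return keyID(spki), nil
}

// FindMatchingKey names the key whose keyid equals the certificate's; "" is charon's "no private key found" case.
func FindMatchingKey(certPEM []byte, keys map[string][]byte) (string, error) {
	want, err := CertKeyID(certPEM)
	if err != nil {
		return "", err
	}
	for name, keyPEM := range keys {
		if got, err := PrivateKeyID(keyPEM); err == nil && got == want {
			return name, nil
		}
	}
	return "", nil
}

// demoMaterial is constructed input so the example runs offline: a fresh RSA key and a self-signed certificate for it.
func demoMaterial() (certPEM, keyPEM []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: "fw-1"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

// Usage (paths are assumptions): go run . /etc/ipsec.d/certs/fw-1Cert.pem /etc/ipsec.d/private/*.pem
func main() {
	var certPEM []byte
	keys := map[string][]byte{}
	if len(os.Args) >= 3 {
		certPEM, _ = os.ReadFile(os.Args[1])
		for _, p := range os.Args[2:] {
			keys[p], _ = os.ReadFile(p)
		}
	} else { // no arguments: two constructed demo identities; only the first key fits the certificate
		certPEM, keys["fw-1Key.pem"] = demoMaterial()
		_, keys["otherKey.pem"] = demoMaterial()
	}
	match, err := FindMatchingKey(certPEM, keys)
	fmt.Printf("matching private key: %q, error: %v\n", match, err)
}
```

The keyid it computes can be compared directly with the keyid: line of the listing above, since both are the SHA-1 of the certificate's subjectPublicKeyInfo; a key file whose keyid differs from every certificate's is simply not that certificate's key, however correctly both files load. The encrypted-key branch is deliberate: a PKCS#8 "ENCRYPTED PRIVATE KEY" block or a PKCS#1 block with a Proc-Type: 4,ENCRYPTED header cannot be matched without its passphrase, which is the first thing to verify in the daemon's secrets configuration before looking for a mismatched file.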
