> Are there any error messages while charon loads the private key?
Oct 14 09:22:17 fw charon: 08[CFG] rereading secrets
Oct 14 09:22:17 fw charon: 08[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 14 09:22:17 fw charon: 08[CFG] loaded private key file '/etc/ipsec.d/private/fw-1.key'
Oct 14 09:22:17 fw charon: 08[CFG] line 8: missing ' : ' separator
That separator thing seems to be a common issue, and line 8 is after the key is
loaded anyway.
Here's the (redacted) secrets file:
# RCSID $Id: ipsec.secrets.proto,v 1.2 2004/10/05 15:02:29 ken Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
: RSA fw-1.key "XX"
@fw-1 x.x.x.x: PSK "XX"
@fw-1 y.y.y.y: PSK "XX"
@fw-1 @heretic: PSK "XX"
@fw-1 %any: PSK "XX"
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
@fw-1: RSA {
# RSA 2048 bits tkhfw1 Mon Feb 21 17:07:15 2005
# for signatures only, UNSAFE FOR ENCRYPTION
...
}
And the relevant parts of ipsec.conf:
config setup
# plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
nat_traversal=yes
charonstart=yes
plutostart=yes
virtual_private=%v4:172.16.1.0/24
conn %default
pfs=yes
keylife=8h
rekey=yes
rekeymargin=9m
rekeyfuzz=100%
ikelifetime=1h
compress=no
conn Roadwarriors
auto=add
authby=rsasig
left=x.x.x.x
leftnexthop=x.x.x.y
leftsubnet=x.x.x.0/24
leftcert=fw-1.2011.cert
right=%any
rightca=%same
rightsourceip=172.16.1.0/24
conn Roadwarriors2
auto=add
authby=rsasig
left=x.x.x.x
leftnexthop=x.x.x.y
leftsubnet=x.x.x.0/24
leftcert=fw-1.2011.cert
right=%any
rightca=%same
rightsubnetwithin=172.16.1.0/24
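The "missing ' : ' separator" message comes from the ipsec.secrets line format, where each entry is "selectors : TYPE secret" with the colon surrounded by spaces. The checker below is an added example, not code from this thread or from strongSwan: it applies that rule to a constructed copy of the redacted file above (blank lines and exact spacing of the real file were not preserved in the mail, so its line numbers differ), reports every line that lacks the separator, and shows the file after the separators are repaired. Two assumptions are built in and marked in the comments: that the loader wants a literal " : " (which is what the logged message suggests), and that it stops reading at the first malformed line, so any secret after it is silently never loaded. The placeholder inside the brace block is not a key.

```python
"""Lint an ipsec.secrets file against the 'selectors : TYPE secret' line
format and repair lines written as 'selectors: TYPE'.  Added example; not
strongSwan code.  Assumptions: the loader requires a literal ' : ' and
stops at the first line that lacks it."""
import re

SEPARATOR = " : "                                  # assumed literal separator
KNOWN_TYPES = {"PSK", "RSA", "ECDSA", "EAP", "XAUTH", "PIN"}  # ipsec.secrets(5)

# Constructed sample modelled on the redacted file in the mail above.
# The block body is a placeholder, not a real key.
SAMPLE = """\
# RCSID $Id: ipsec.secrets.proto,v 1.2 2004/10/05 15:02:29 ken Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
: RSA fw-1.key "XX"
@fw-1 x.x.x.x: PSK "XX"
@fw-1 y.y.y.y: PSK "XX"
@fw-1 @heretic: PSK "XX"
@fw-1 %any: PSK "XX"
@fw-1: RSA {
# RSA 2048 bits tkhfw1 Mon Feb 21 17:07:15 2005
# for signatures only, UNSAFE FOR ENCRYPTION
Modulus: 0xPLACEHOLDER_NOT_A_REAL_KEY
}
"""


def _logical_lines(text):
    """Yield (line_nr, line): comments and blanks dropped, and any
    '{ ... }' block (a pluto-style inline key) folded into its opening line
    so the opener is judged as one entry."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line_nr, line = i + 1, lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            body = []
            while i < len(lines) and lines[i].strip() != "}":
                body.append(lines[i].strip())
                i += 1
            i += 1                                  # skip the closing brace
            line = line[:-1].rstrip() + " {" + " ".join(body) + "}"
        yield line_nr, line


def lint_secrets(text, stop_at_first_error=True):
    """Return (entries, problems).  entries: (line_nr, selectors, type);
    problems: (line_nr, message).  With stop_at_first_error the scan
    aborts at the first bad line, mirroring the assumed loader behaviour."""
    entries, problems = [], []
    for line_nr, line in _logical_lines(text):
        if line.startswith(": "):                   # no selectors: any peer
            ids, rest = "", line[2:]
        elif SEPARATOR in line:
            ids, rest = line.split(SEPARATOR, 1)
        else:
            problems.append((line_nr, "missing ' : ' separator"))
            if stop_at_first_error:
                break
            continue
        kind = rest.split(None, 1)[0] if rest.split() else ""
        if kind not in KNOWN_TYPES:
            problems.append((line_nr, f"unknown secret type '{kind}'"))
        entries.append((line_nr, ids.split(), kind))
    return entries, problems


_NO_SPACE_SEP = re.compile(r"^(.*?\S):\s+(.*)$")   # 'ids: TYPE ...' form


def fix_separators(text):
    """Return the file with 'selectors: TYPE ...' rewritten as
    'selectors : TYPE ...'.  Comments, blank lines, lines that already use
    ' : ' and the bodies of '{ ... }' blocks are left untouched."""
    out, in_block = [], False
    for line in text.splitlines():
        s = line.strip()
        if in_block:
            out.append(line)
            in_block = s != "}"
            continue
        if s and not s.startswith("#") and not s.startswith(": ") \
                and SEPARATOR not in s:
            m = _NO_SPACE_SEP.match(s)
            if m:
                line = m.group(1) + SEPARATOR + m.group(2)
        in_block = s.endswith("{")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE), ("after fix", fix_separators(SAMPLE))):
        entries, problems = lint_secrets(text, stop_at_first_error=False)
        print(f"{label}: {len(entries)} entries loaded, {len(problems)} problems")
        for line_nr, msg in problems:
            print(f"  line {line_nr}: {msg}")
```

On the sample as posted only the file-based RSA line loads; every PSK line and the inline RSA block are rejected, so a lint like this is worth running before "ipsec reloadsecrets" whenever a peer unexpectedly fails authentication. It does not check whether the key in fw-1.key matches the certificate's public key, which is a separate question from whether the file parsed.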
-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Thursday, 13 October 2011 7:55 p.m.
To: Luke Pascoe
Cc: [email protected]
Subject: Re: [strongSwan] Certificate problem
Please hold your entrails back!
Are there any error messages while charon loads the private key?
with
ipsec reloadsecrets
you can force a reload. Also check for failures while loading plugins
when charon is starting up.
Regards
Andreas
On 13.10.2011 07:55, Luke Pascoe wrote:
> Please save me, I'm about to commit Seppuku!
>
> I'm trying to set up a roadwarrior terminator on Ubuntu 10.04 LTS. I've got a
> near identical setup working on Ubuntu 9.10 but this new one's being
> difficult.
>
> It appears it's not associating the local certificate with its private key
> properly, even though both appear to be being loaded correctly:
>
> root@fw:~# ipsec listcerts
> 000
> 000 List of X.509 End Certificates:
> 000
> 000 Oct 13 18:28:47 2011, count: 2
> 000 subject: 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]'
> 000 issuer: 'CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz,
> [email protected]'
> 000 serial: 05
> 000 validity: not before Oct 13 18:27:55 2011 ok
> 000 not after Oct 11 18:27:55 2016 ok
> 000 pubkey: RSA 2048 bits, has private key
> 000 keyid:
> 50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
> 000 subjkey:
> 95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
> 000 authkey:
> 5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4
> 000 aserial: 00:d2:a1:e8:5e:53:ee:9f:63
>
> List of X.509 End Entity Certificates:
>
> subject: "C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]"
> issuer: "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, [email protected]"
> serial: 05
> validity: not before Oct 13 18:27:55 2011, ok
> not after Oct 11 18:27:55 2016, ok
> pubkey: RSA 2048 bits
> keyid: 50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
> subjkey: 95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
> authkey: 5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4
>
> Note the top says "has private key" but the bottom doesn't. WTF is up with
> that?
>
> Here's what I'm getting in the logs when I try to connect, which pretty much
> matches the above:
>
> Oct 13 18:03:02 tkh-fw charon: 09[NET] received packet: from
> 122.63.65.10[500] to x.x.x.x[500]
> Oct 13 18:03:02 tkh-fw charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE
> No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] 122.63.65.10 is initiating an IKE_SA
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] remote host is behind NAT
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] DH group ECP_192 inacceptable,
> requesting MODP_2048
> Oct 13 18:03:02 tkh-fw charon: 09[ENC] generating IKE_SA_INIT response 0 [
> N(INVAL_KE) ]
> Oct 13 18:03:02 tkh-fw charon: 09[NET] sending packet: from x.x.x.x[500] to
> 122.63.65.10[500]
> Oct 13 18:03:03 tkh-fw charon: 16[NET] received packet: from
> 122.63.65.10[500] to x.x.x.x[500]
> Oct 13 18:03:03 tkh-fw charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE
> No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] 122.63.65.10 is initiating an IKE_SA
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] remote host is behind NAT
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] sending cert request for "CN=XX, C=NZ,
> ST=N/A, L=Auckland, O=XX.net.nz, [email protected]"
> Oct 13 18:03:03 tkh-fw charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Oct 13 18:03:03 tkh-fw charon: 16[NET] sending packet: from x.x.x.x[500] to
> 122.63.65.10[500]
> Oct 13 18:03:03 tkh-fw charon: 11[NET] received packet: from
> 122.63.65.10[4500] to x.x.x.x[4500]
> Oct 13 18:03:03 tkh-fw charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT
> IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH)
> ]
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] received end entity cert "C=NZ,
> ST=N/A, O=XX.net.nz, CN=sin, [email protected]"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] looking for peer configs matching
> x.x.x.x[C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1,
> [email protected]]...122.63.65.10[C=NZ, ST=N/A, O=XX.net.nz, CN=sin,
> [email protected]]
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] selected peer config 'Roadwarriors'
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] using certificate "C=NZ, ST=N/A,
> O=XX.net.nz, CN=sin, [email protected]"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] using trusted ca certificate "CN=XX,
> C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, [email protected]"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] checking certificate status of "C=NZ,
> ST=N/A, O=XX.net.nz, CN=sin, [email protected]"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] certificate status is not available
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] authentication of 'C=NZ, ST=N/A,
> O=XX.net.nz, CN=sin, [email protected]' with RSA signature successful
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] peer supports MOBIKE
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] no private key found for 'C=NZ,
> ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]'
> Oct 13 18:03:03 tkh-fw charon: 11[ENC] generating IKE_AUTH response 1 [
> N(AUTH_FAILED) ]
> Oct 13 18:03:03 tkh-fw charon: 11[NET] sending packet: from x.x.x.x[4500] to
> 122.63.65.10[4500]
>
> This is the pertinent bit:
>> no private key found for 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1,
>> [email protected]'
>
> Buggered if I know what's going on.
>
> Any ideas?
>
> Thanks.
>
> Luke.
======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==