Hi, yes, of course. I did that. You see,

- when I use "OpenSSL 1.0.0d-fips 8 Feb 2011" on a Linux-FC13 machine to generate certs, the default RSA key format is PKCS#8, which I believe strongSwan does not yet support
- if, on the other hand, I use an OpenWRT gateway with "OpenSSL 0.9.8q 2 Dec 2010" and "Linux strongSwan U4.3.6/K2.6.33.5", although the generated private RSA key file is in traditional format, strongSwan is unable to load the file

thanks & regards
rajiv

On Thu, Nov 10, 2011 at 8:23 PM, Andreas Steffen <[email protected]> wrote:

> Hello Rajiv,
>
> did you add the passphrase which encrypts the private key to
> the ipsec.secrets entry?
>
>     : RSA /ssl/private/mfcgw1key.pem "<my passphrase>"
>
> Regards
>
> Andreas
>
> On 10.11.2011 15:10, Rajiv Kulkarni wrote:
>
>> Hi
>> It has been quite some time now since I could follow up on the issue
>> submitted by me, very sorry about the delay in doing so.
>> I have been facing this issue primarily on an OpenWRT Gateway:
>> ----------------------------------------------------------------------
>> BusyBox v1.4.2 (2011-08-04 02:47:42 IST) Built-in shell (ash)
>>   _______                     ________        __
>>  |       |.-----.-----.-----.|  |  |  |.----.|  |_
>>  |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
>>  |_______||   __|_____|__|__||________||__| |____|
>>           |__| W I R E L E S S   F R E E D O M
>> ----------------------------------------------------------------------
>> - After receiving the reply by Martin as below (at the end of this mail)
>> for a similar issue on a Linux Fedora-13 server running strongSwan
>> 4.5.0, I tried to generate some more new x509 certs (and the private
>> RSA key files) on the OpenWRT gateway itself
>> ***************************
>> root@mfcgw1:/etc# cat ssl/private/mfcgw1key.pem
>> -----BEGIN RSA PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
>>
>> [encrypted key body omitted]
>> -----END RSA PRIVATE KEY-----
>> root@mfcgw1:/etc#
>> root@mfcgw1:/etc# ipsec version
>> Linux strongSwan U4.3.6/K2.6.33.5
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil, Switzerland
>> See 'ipsec --copyright' for copyright information.
>> root@mfcgw1:/etc#
>> *********************************************************
>> - and I am still unable to load the RSA private key file in strongSwan.
>> I am getting the following errors:
>> *****************************************************************
>> root@mfcgw1:/etc# ipsec start --nofork
>> Starting strongSwan 4.3.6 IPsec [starter]...
>> starter_start_pluto entered
>> Pluto initialized
>> Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID
>> pluto (11076) started after 20 ms
>> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
>> loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac
>> including NAT-Traversal patch (Version 0.6c)
>> Using Linux 2.6 IPsec interface code
>> loading ca certificates from '/etc/ipsec.d/cacerts'
>> loaded ca certificate from '/etc/ipsec.d/cacerts/cacert.pem'
>> loading aa certificates from '/etc/ipsec.d/aacerts'
>> loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
>> Changing to directory '/etc/ipsec.d/crls'
>> loaded crl from 'crl.pem'
>> loading attribute certificates from '/etc/ipsec.d/acerts'
>> listening for IKE messages
>> adding interface eth1/eth1 169.254.0.1:500
>> adding interface eth1/eth1 169.254.0.1:4500
>> adding interface eth2/eth2 192.168.1.1:500
>> adding interface eth2/eth2 192.168.1.1:4500
>> adding interface eth0/eth0 172.17.10.102:500
>> adding interface eth0/eth0 172.17.10.102:4500
>> adding interface lo/lo 127.0.0.1:500
>> adding interface lo/lo 127.0.0.1:4500
>> adding interface lo/lo ::1:500
>> adding interface eth2/eth2 2007::1:500
>> adding interface eth0/eth0 fec0::ee01:500
>> loading secrets from "/etc/ipsec.secrets"
>> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>> 00[CFG] loaded ca certificate "C=UK, ST=LNDN, L=LONDON, O=Internet Widgits Pty Ltd, OU=Corp, CN=mfcgw1CA, [email protected], subjectAltName=mfcgw1CA.dvttest.com" from '/etc/ipsec.d/cacerts/cacert.pem'
>> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>> 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> 00[CFG] loaded crl from '/etc/ipsec.d/crls/crl.pem'
>> 00[CFG] loading secrets from '/etc/ipsec.secrets'
>> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>> syntax error in private key file
>> "/etc/ipsec.secrets" line 3: Private key file -- could not be loaded
>> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>> 00[CFG] loading private key from '/etc/ipsec.d/private/mfcgw1key.pem' failed
>> 00[DMN] loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac kernel-pfkey stroke updown
>> 00[JOB] spawning 16 worker threads
>> charon (11077) started after 720 ms
>> 06[CFG] received stroke: add connection 'tunnel1'
>> 06[CFG] left nor right host is our side, assuming left=local
>> 06[CFG] loaded certificate "C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster@dvttest.com" from 'mfcgw1cert.pem'
>> 06[CFG] id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltName=172.17.10.102/emailAddress=postmaster@dvttest.com' not confirmed by certificate, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster@dvttest.com'
>> 06[CFG] added configuration 'tunnel1'
>> loaded host certificate from '/etc/ipsec.d/certs/mfcgw1cert.pem'
>> id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltName=172.17.10.102/emailAddress=postmaster@dvttest.com' not confirmed by certificate, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmaster@dvttest.com'
>> added connection description "tunnel1"
>> 09[CFG] received stroke: route 'tunnel1'
>> 09[KNL] no local address found in traffic selector 192.168.1.0/24
>> configuration 'tunnel1' routed
>> ***************************************************************************
>> - can you help in understanding why this is happening so when the file
>> is a correct RSA format?
>> - Also FYI, I am also facing the same issue of RSA key file loading error
>> when I use the "ipsec pki.." built-in strongSwan cert app. Here too the
>> error we observe is as below:
>> ----------------------------------------------------------------------
>> root@evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
>> file coded in unknown format, discarded
>> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>> parsing private key failed
>> root@evm1gw:
>> ----------------------------------------------------------------------
>> Please forgive me again for the lengthy submission of the issue
>> thanks once again
>> with regards
>> Rajiv Kulkarni
>> ----------------------------------------------------------------------
>>
>> > Hi Rajiv,
>> >
>> > > [root at dvtpc2 private]# cat dvtpc2key1024-self.pem
>> > > -----BEGIN PRIVATE KEY-----
>> > > [PKCS#8 key body omitted]
>> > > -----END PRIVATE KEY-----
>> >
>> > This key is wrapped in PKCS#8 without encryption. We currently can't
>> > read in any PKCS#8 keys.
>> >
>> > Convert such keys to plain RSA using:
>> >   openssl pkcs8 -nocrypt < dvtpc2key1024-self.pem
>> >
>> > Regards
>> > Martin
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
>
> --
> ======================================================================
> Andreas Steffen                                   [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
>
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
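A check that follows from the two replies in this thread (Martin's PKCS#8 conversion and Andreas's passphrase entry in ipsec.secrets): it reads the PEM framing of a private key, says whether a strongSwan 4.x that lacks PKCS#8 support can load it, and produces the matching fix. This is an added example, not code from the strongSwan project or from anyone on the list; the sample PEM strings are constructed with dummy bodies, and the output file name with a `.rsa` suffix is an arbitrary choice.

```python
import re

# PEM labels OpenSSL uses for private keys
PKCS1_LABEL = "RSA PRIVATE KEY"            # traditional format, readable by strongSwan 4.x
PKCS8_PLAIN_LABEL = "PRIVATE KEY"          # PKCS#8 PrivateKeyInfo, not readable by 4.x
PKCS8_ENC_LABEL = "ENCRYPTED PRIVATE KEY"  # PKCS#8 EncryptedPrivateKeyInfo, not readable by 4.x

_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def classify_pem(pem_text):
    """Describe the first private-key block in pem_text: format, encryption, cipher."""
    m = _BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no PEM private-key block found")
    label, body = m.group(1), m.group(2)
    info = {"label": label, "pkcs8": label != PKCS1_LABEL,
            "encrypted": label == PKCS8_ENC_LABEL, "cipher": None}
    if label == PKCS1_LABEL:
        # An encrypted traditional key carries RFC 1421 headers (Proc-Type, DEK-Info)
        # before a blank line; base64 body lines never contain ':'.
        for line in body.splitlines():
            if ":" not in line:
                break
            name, _, value = line.partition(":")
            if name.strip() == "Proc-Type" and value.strip() == "4,ENCRYPTED":
                info["encrypted"] = True
            elif name.strip() == "DEK-Info":
                info["cipher"] = value.strip().split(",")[0]
    elif label not in (PKCS8_PLAIN_LABEL, PKCS8_ENC_LABEL):
        raise ValueError("unsupported PEM label: " + label)
    return info


def strongswan4_remedy(info, key_path, passphrase=None):
    """Command to run, or ipsec.secrets line to add, so strongSwan 4.x can load the key."""
    if info["pkcs8"]:
        # Martin's advice: unwrap PKCS#8 into traditional RSA format. -nocrypt tells
        # openssl the input is unencrypted; for an encrypted PKCS#8 key omit it and
        # openssl prompts for the passphrase.
        flag = "" if info["encrypted"] else " -nocrypt"
        return "openssl pkcs8%s -in %s -out %s.rsa" % (flag, key_path, key_path)
    # Andreas's advice: an encrypted traditional key needs its passphrase in ipsec.secrets.
    if info["encrypted"]:
        if passphrase is None:
            raise ValueError("encrypted key: passphrase needed for the ipsec.secrets entry")
        return ': RSA %s "%s"' % (key_path, passphrase)
    return ": RSA %s" % key_path


# Constructed samples with dummy bodies; only the PEM framing matters here.
SAMPLE_PKCS1_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: DES-EDE3-CBC,0011223344556677\n\nQUFB\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8 = "-----BEGIN PRIVATE KEY-----\nQUFB\n-----END PRIVATE KEY-----\n"
```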
