Hello,

I am trying to set up an IPsec tunnel authenticated by certificates. The directory /etc/ipsec.d looks like this:

/etc/ipsec.d# ls -lR
.:
total 36
drwxr-xr-x 2 root root 4096 Nov 12  2019 aacerts
drwxr-xr-x 2 root root 4096 Nov 12  2019 acerts
drwxr-xr-x 2 root root 4096 Sep 28 10:36 cacerts
drwxr-xr-x 2 root root 4096 Nov 16 14:39 certs
drwxr-xr-x 2 root root 4096 Nov 12  2019 crls
drwxr-xr-x 2 root root 4096 Nov 12  2019 ocspcerts
drwxr-xr-x 2 root root 4096 Nov 12  2019 policies
drwx------ 2 root root 4096 Nov 16 14:40 private
drwxr-xr-x 2 root root 4096 Nov 12  2019 reqs

./aacerts:
total 0

./acerts:
total 0

./cacerts:
total 4
-rw-r--r-- 1 root root 2045 Sep 28 10:36 ca-cert.pem

./certs:
total 16
-rw-r--r-- 1 root root 1774 Apr  2  2020 ca-cert.pem
-rw-r--r-- 1 root root 2339 Nov 16 15:03 office-cert.pem

./crls:
total 0

./ocspcerts:
total 0

./policies:
total 0

./private:
total 12
-rw-r--r-- 1 root root 3243 Nov 16 14:24 office-key.pem

./reqs:
total 0


This is the content of /etc/ipsec.secrets:

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
 : RSA office-key.pem

This is the configuration for the connection:

conn ikev2-rw
    right=37.120.163.19
    # This should match the `leftid` value on your server's configuration
    rightid="C=DE, ... CN=server..."
    rightsubnet=10.8.0.0/24,10.9.0.0/24
    leftsubnet=192.168.200.0/24,192.168.20.0/24
    rightauth=pubkey
    leftsourceip=%config
    leftid="C=DE, ... CN=client"
 #   leftauth=eap-mschapv2
    eap_identity=%identity
    auto=start
    dpdaction=restart
    dpdinterval=10s
    closeaction=restart



Establishing a connection fails. In the log I can see these lines:

Nov 16 15:40:09 nb-ubuntu ipsec[4108]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/office-key.pem'
Nov 16 15:40:09 nb-ubuntu charon: 09[IKE] no private key found for 'C=DE, ... CN=client'


The private key file is loaded, but the key cannot be found. I double checked that the key file matches the certificate.

Why is the private key not found?


Thanks in advance

Udo

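Editor's note, added to this post and not written by Udo: the checks below are the ones worth running against the files in the listing before looking further. They compare the public key inside office-cert.pem with the one derived from office-key.pem byte for byte, print the certificate's subject DN so it can be compared with leftid, and flag the permission problem visible in the listing: private/office-key.pem is -rw-r--r--, so every local user can read the tunnel's private key. The example assumes openssl(1) is installed; the demo pair it builds is constructed throwaway material, not the poster's files.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl(1) in PATH.
set -u

# SubjectPublicKeyInfo of a private key, in PEM form.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# SubjectPublicKeyInfo carried in a certificate, in the same PEM form.
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# 0 when the key and certificate carry the same public key, 1 otherwise.
key_matches_cert() {
    k=$(pubkey_of_key "$1") || return 1
    c=$(pubkey_of_cert "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Subject DN of the certificate, to compare by eye with the leftid string.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt oneline 2>/dev/null
}

# 0 only if group and other have no permission bits at all (e.g. 0600),
# which is what a private key under /etc/ipsec.d/private should have.
key_mode_ok() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Run all three checks; prints the first problem found and returns 1.
check_identity() {
    key=$1; cert=$2
    key_matches_cert "$key" "$cert" || { echo "key/cert mismatch"; return 1; }
    key_mode_ok "$key" || { echo "key readable by other users"; return 1; }
    echo "subject: $(cert_subject "$cert")"
}

# Constructed test material: a throwaway self-signed pair with the same
# file names as in the listing, so the checks can be exercised offline.
make_pair() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=DE/CN=client" \
        -keyout "$dir/office-key.pem" -out "$dir/office-cert.pem" \
        >/dev/null 2>&1 || return 1
    chmod 600 "$dir/office-key.pem"
}

# Usage on a real host:
#   check_identity /etc/ipsec.d/private/office-key.pem /etc/ipsec.d/certs/office-cert.pem
```

Once the files check out, `ipsec listcerts` shows which end-entity certificates charon has actually loaded. With ipsec.conf, the files under /etc/ipsec.d/certs are only loaded when a conn names them with leftcert= (the cacerts directory, by contrast, is read automatically), and charon resolves "private key for identity X" by first finding a loaded certificate whose subject matches X; so a key can be loaded successfully and still be "not found" for the identity if no certificate for that identity was loaded.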