Hi
I am facing a problem in my strongSwan deployment on a Linux-Fedora13
server. I have created a CA and some device certs on the Linux-Fed13 server
using OpenSSL, but I am unable to use the device certs (specifically, the
private-key file) in strongSwan. I am getting the following error (console
trace); other details are given below:
--
[root@dvtpc2 etc]# ipsec start --nofork
Starting strongSwan 4.5.0 IPsec [starter]...
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.5.0) THREADS VENDORID
listening on interfaces:
eth1
172.30.1.2
fe80::218:8bff:fe04:a492
eth0
172.18.10.100
fe80::2d0:b7ff:fe9e:ab8b
loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp
hmac xauth attr kernel-netlink resolve
including NAT-Traversal patch (Version 0.6c)
pluto (2594) started after 20 ms
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[KNL] listening on interfaces:
00[KNL] eth1
00[KNL] 172.30.1.2
00[KNL] fe80::218:8bff:fe04:a492
00[KNL] eth0
loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
loaded ca certificate from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Changing to directory '/usr/local/etc/ipsec.d/crls'
00[KNL] 172.18.10.100
loaded crl from 'crl.pem'
00[KNL] fe80::2d0:b7ff:fe9e:ab8b
loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
spawning 4 worker threads
listening for IKE messages
adding interface eth0/eth0 172.18.10.100:500
adding interface eth0/eth0 172.18.10.100:4500
adding interface eth1/eth1 172.30.1.2:500
adding interface eth1/eth1 172.30.1.2:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
loading secrets from "/usr/local/etc/ipsec.secrets"
L1 - modulus: ASN1 tag 0x02 expected, but is 0x30
building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
syntax error in private key file
"/usr/local/etc/ipsec.secrets" line 3: Private key file -- could not be
loaded
00[CFG] loaded ca certificate "C=IN, ST=AP, L=HYD, O=Internet Widgits Pty
Ltd, OU=Corp, CN=dvtpc2CA, E=ad...@dvttest.com, subjectAltName=
dvtpc2.dvttest.com" from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loaded crl from '/usr/local/etc/ipsec.d/crls/crl.pem'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[LIB] L1 - modulus: ASN1 tag 0x02 expected, but is 0x30
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
00[CFG] loading private key from
'/usr/local/etc/ipsec.d/private/dvtpc2key1024-self.pem' failed
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey
pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw
stroke updown
00[JOB] spawning 16 worker threads
charon (2619) started after 20 ms
04[CFG] received stroke: add connection 'dvtpc2host'
04[CFG] loaded certificate "C=IN, ST=AP, L=HYD, O=Internet Widgits Pty
Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=dvtpc2.dvttest.com,
E=ad...@dvttest.com" from 'dvtpc2cert1024-self.pem'
04[CFG] id '/C=IN/ST=AP/L=HYD/O=Internet Widgits Pty
Ltd/OU=Corp/CN=dvtpc2.dvttest.com/subjectAltName=dvtpc2.dvttest.com/emailAddress=ad...@dvttest.com'not
confirmed by certificate, defaulting to 'C=IN, ST=AP, L=HYD,
O=Internet
Widgits Pty Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=
dvtpc2.dvttest.com, E=ad...@dvttest.com'
04[CFG] added configuration 'dvtpc2host'
loaded host certificate from
'/usr/local/etc/ipsec.d/certs/dvtpc2cert1024-self.pem'
id '/C=IN/ST=AP/L=HYD/O=Internet Widgits Pty
Ltd/OU=Corp/CN=dvtpc2.dvttest.com/subjectAltName=dvtpc2.dvttest.com/emailAddress=ad...@dvttest.com'not
confirmed by certificate, defaulting to 'C=IN, ST=AP, L=HYD,
O=Internet
Widgits Pty Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=
dvtpc2.dvttest.com, E=ad...@dvttest.com'
added connection description "dvtpc2host"
---
[root@dvtpc2 etc]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010
[root@dvtpc2 etc]#
---
[root@dvtpc2 etc]#
[root@dvtpc2 etc]#
[root@dvtpc2 etc]# cd ipsec.d/private/
[root@dvtpc2 private]# cat dvtpc2key1024-self.pem
-BEGIN PRIVATE KEY-
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALPec1SeRutyn4Sb
yWS8RVXDiroh3XgXchjYbwm+RvoFS7k31LcpK+zgs62ZdTFxeYCv6hr/bV2BIwwf
NwMlPc5zyHnjFrMmOG2eXzzd0xleFwx12NSW0rXtpAVa9/GVmROhObAFUlrLYL4R
WuVLzpA+gv/2U9jVkVxBMr1GG5khAgMBAAECgYEAk2z88ppYXpswjCx0QZDe85C2
oCEpuUjeR+b9++ptmnfEvSc5vnaMfjcejmd9Wu07PXLyWvaI2V8DLuhW2skngj