[strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-04-20 Thread Rajiv Kulkarni
Hi

I am facing a problem in my strongSwan deployment on a Linux Fedora 13
server. I have created a CA and some device certs on the Fedora 13 server
using OpenSSL, but I am unable to use the device certs (the private-key file)
in strongSwan. I am getting the following error (console trace). Other
details are also given below:

--



[root@dvtpc2 etc]# ipsec start --nofork
Starting strongSwan 4.5.0 IPsec [starter]...
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.5.0) THREADS VENDORID
listening on interfaces:
  eth1
172.30.1.2
fe80::218:8bff:fe04:a492
  eth0
172.18.10.100
fe80::2d0:b7ff:fe9e:ab8b
loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp
hmac xauth attr kernel-netlink resolve
  including NAT-Traversal patch (Version 0.6c)
pluto (2594) started after 20 ms
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[KNL] listening on interfaces:
00[KNL]   eth1
00[KNL] 172.30.1.2
00[KNL] fe80::218:8bff:fe04:a492
00[KNL]   eth0
loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
  loaded ca certificate from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Changing to directory '/usr/local/etc/ipsec.d/crls'
00[KNL] 172.18.10.100
  loaded crl from 'crl.pem'
00[KNL] fe80::2d0:b7ff:fe9e:ab8b
loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
spawning 4 worker threads
listening for IKE messages
adding interface eth0/eth0 172.18.10.100:500
adding interface eth0/eth0 172.18.10.100:4500
adding interface eth1/eth1 172.30.1.2:500
adding interface eth1/eth1 172.30.1.2:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
loading secrets from "/usr/local/etc/ipsec.secrets"
L1 - modulus: ASN1 tag 0x02 expected, but is 0x30
building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
  syntax error in private key file
"/usr/local/etc/ipsec.secrets" line 3: Private key file -- could not be
loaded
00[CFG]   loaded ca certificate "C=IN, ST=AP, L=HYD, O=Internet Widgits Pty
Ltd, OU=Corp, CN=dvtpc2CA, E=ad...@dvttest.com, subjectAltName=
dvtpc2.dvttest.com" from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/usr/local/etc/ipsec.d/crls/crl.pem'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[LIB] L1 - modulus: ASN1 tag 0x02 expected, but is 0x30
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
00[CFG]   loading private key from
'/usr/local/etc/ipsec.d/private/dvtpc2key1024-self.pem' failed
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey
pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw
stroke updown
00[JOB] spawning 16 worker threads
charon (2619) started after 20 ms
04[CFG] received stroke: add connection 'dvtpc2host'
04[CFG]   loaded certificate "C=IN, ST=AP, L=HYD, O=Internet Widgits Pty
Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=dvtpc2.dvttest.com,
E=ad...@dvttest.com" from 'dvtpc2cert1024-self.pem'
04[CFG]   id '/C=IN/ST=AP/L=HYD/O=Internet Widgits Pty
Ltd/OU=Corp/CN=dvtpc2.dvttest.com/subjectAltName=dvtpc2.dvttest.com/emailAddress=ad...@dvttest.com'not
confirmed by certificate, defaulting to 'C=IN, ST=AP, L=HYD,
O=Internet
Widgits Pty Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=
dvtpc2.dvttest.com, E=ad...@dvttest.com'
04[CFG] added configuration 'dvtpc2host'
  loaded host certificate from
'/usr/local/etc/ipsec.d/certs/dvtpc2cert1024-self.pem'
  id '/C=IN/ST=AP/L=HYD/O=Internet Widgits Pty
Ltd/OU=Corp/CN=dvtpc2.dvttest.com/subjectAltName=dvtpc2.dvttest.com/emailAddress=ad...@dvttest.com'not
confirmed by certificate, defaulting to 'C=IN, ST=AP, L=HYD,
O=Internet
Widgits Pty Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=
dvtpc2.dvttest.com, E=ad...@dvttest.com'
added connection description "dvtpc2host"

---
[root@dvtpc2 etc]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010
[root@dvtpc2 etc]#

---
[root@dvtpc2 etc]#
[root@dvtpc2 etc]#
[root@dvtpc2 etc]# cd ipsec.d/private/
[root@dvtpc2 private]# cat dvtpc2key1024-self.pem
-----BEGIN PRIVATE KEY-----
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALPec1SeRutyn4Sb
yWS8RVXDiroh3XgXchjYbwm+RvoFS7k31LcpK+zgs62ZdTFxeYCv6hr/bV2BIwwf
NwMlPc5zyHnjFrMmOG2eXzzd0xleFwx12NSW0rXtpAVa9/GVmROhObAFUlrLYL4R
WuVLzpA+gv/2U9jVkVxBMr1GG5khAgMBAAECgYEAk2z88ppYXpswjCx0QZDe85C2
oCEpuUjeR+b9++ptmnfEvSc5vnaMfjcejmd9Wu07PXLyWvaI2V8DLuhW2skngj

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-04-20 Thread Martin Willi
Hi Rajiv,

> [root@dvtpc2 private]# cat dvtpc2key1024-self.pem
> -----BEGIN PRIVATE KEY-----
> MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALPec1SeRutyn4Sb
> yWS8RVXDiroh3XgXchjYbwm+RvoFS7k31LcpK+zgs62ZdTFxeYCv6hr/bV2BIwwf
> NwMlPc5zyHnjFrMmOG2eXzzd0xleFwx12NSW0rXtpAVa9/GVmROhObAFUlrLYL4R
> WuVLzpA+gv/2U9jVkVxBMr1GG5khAgMBAAECgYEAk2z88ppYXpswjCx0QZDe85C2
> oCEpuUjeR+b9++ptmnfEvSc5vnaMfjcejmd9Wu07PXLyWvaI2V8DLuhW2skngjLQ
> jADppVBvnYvNqqih3GwFSN3H3fieF6fDPeKqv67roqEiGXvCaOUWNFOnAsFGKLpw
> d66veG3C+8JD2MCd6JECQQDqpyHu/MQpKhsMW13htkhX1+QXjS584RClLLO3L7LL
> VdGRFjq5cZ2mQzQBNB+ccVDhE02WmfZzAXWHd+hjmzEjAkEAxDtyXkGrdOboz3Wq
> rvYTM/PCJ+K0/Mbisihoi295yGXU074kzXhdVevpN8SarVHz2ktyjea5qPwFRySF
> 089q6wJBAMf6ykuv9cmTTdv5HgiX3g2nO4fq1XyuHw52C2+KYhkyuViqFkAnGREy
> YubHsk0UsbYwSkaYTlXzH2PliBMjlvsCQBsWtcALQrb9lU/mR2ylrZrzYG8PHbrz
> XaIIb/4nomEmpY2hZwUyQ3gz+9rl+hBJCuesmKC8JA8O00+x3AOUU4cCQQCSn5WN
> Na04DmDpNODPlp2YgEVsnWZgOVkI3VrKhWzLhEVq/Sduzx9ySgea0VEegsmWAeqz
> IM+lCeaKgP4Dbjqs
> -----END PRIVATE KEY-----

This key is wrapped in PKCS#8 without encryption. We currently can't
read in any PKCS#8 keys.

Convert such keys to plain RSA using:
  openssl pkcs8 -nocrypt < dvtpc2key1024-self.pem

Regards
Martin



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
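
As an added illustration (not code from the thread, strongSwan or OpenSSL), the Python below walks the DER headers behind the two PEM labels: `BEGIN RSA PRIVATE KEY` carries a PKCS#1 RSAPrivateKey whose second element is the modulus INTEGER (tag 0x02), while `BEGIN PRIVATE KEY` carries a PKCS#8 PrivateKeyInfo whose second element is the AlgorithmIdentifier SEQUENCE (tag 0x30), which is exactly the mismatch the log reports. The sample is only the first 64 base64 characters of the key quoted above, and the helper names (`read_header`, `classify_private_key`, `unwrap_pkcs8`) are this example's own; `unwrap_pkcs8` performs, at the DER level, the unwrapping that `openssl pkcs8 -nocrypt` does before re-armouring the result.

```python
import base64

# First 64 base64 characters of the PKCS#8 key quoted in the thread.  This
# prefix only carries the ASN.1 framing plus a few leading modulus bytes; it
# is enough to walk the headers but is not a usable key.
PKCS8_PREFIX = base64.b64decode(
    "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALPec1SeRutyn4Sb")

TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def read_header(der, pos):
    """Return (tag, length, offset of the value) for the TLV starting at pos."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                       # short form: one length byte
        return tag, first, pos + 2
    n = first & 0x7F                       # long form: next n bytes hold the length
    return tag, int.from_bytes(der[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def classify_private_key(der):
    """Look at the element that follows the version INTEGER.

    PKCS#1 RSAPrivateKey:  SEQUENCE { version INTEGER, modulus INTEGER, ... }
    PKCS#8 PrivateKeyInfo: SEQUENCE { version INTEGER, AlgorithmIdentifier SEQUENCE, ... }
    A PKCS#1-only parser expecting the modulus here sees 0x30 instead of 0x02,
    which is the 'ASN1 tag 0x02 expected, but is 0x30' message in the log.
    """
    tag, _, pos = read_header(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("outer element is not a SEQUENCE")
    tag, length, pos = read_header(der, pos)
    if tag != TAG_INTEGER:
        raise ValueError("version INTEGER expected")
    tag, _, _ = read_header(der, pos + length)
    if tag == TAG_INTEGER:
        return "pkcs1"
    if tag == TAG_SEQUENCE:
        return "pkcs8"
    raise ValueError("unexpected tag 0x%02x after version" % tag)


def unwrap_pkcs8(der):
    """Return the RSAPrivateKey DER carried inside PrivateKeyInfo's OCTET STRING.

    Only headers are walked, so this also works on the truncated prefix above.
    """
    _, _, pos = read_header(der, 0)                       # PrivateKeyInfo
    _, length, pos = read_header(der, pos)                # version
    tag, length, pos = read_header(der, pos + length)     # AlgorithmIdentifier
    if tag != TAG_SEQUENCE or der[pos:pos + len(RSA_ENCRYPTION_OID)] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption PrivateKeyInfo")
    tag, _, pos = read_header(der, pos + length)          # privateKey OCTET STRING
    if tag != TAG_OCTET_STRING:
        raise ValueError("privateKey OCTET STRING expected")
    return der[pos:]


if __name__ == "__main__":
    print("outer structure:", classify_private_key(PKCS8_PREFIX))           # pkcs8
    inner = unwrap_pkcs8(PKCS8_PREFIX)
    print("unwrapped      :", classify_private_key(inner), inner[:4].hex())  # pkcs1 3082025e
```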


Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
Hi

It has been quite some time now since I could follow up on the issue
submitted by me; very sorry about the delay in doing so.

I have been facing this issue primarily on an OpenWRT gateway:
--
BusyBox v1.4.2 (2011-08-04 02:47:42 IST) Built-in shell (ash)
  ___ __
 |   |.-.-.-.|  |  |  |..|  |_
 |   -   ||  _  |  -__| ||  |  |  ||   _||   _|
 |___||   __|_|__|__||||__|  ||
  |__| W I R E L E S S   F R E E D O M


- After receiving the reply from Martin as below (at the end of this mail)
for a similar issue on a Linux Fedora 13 server running strongSwan 4.5.0, I
tried to generate some newer X.509 certs (and the private RSA key
files) on the OpenWRT gateway itself
***
root@mfcgw1:/etc# cat ssl/private/mfcgw1key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
-----END RSA PRIVATE KEY-----
root@mfcgw1:/etc#
root@mfcgw1:/etc#
root@mfcgw1:/etc# ipsec version
Linux strongSwan U4.3.6/K2.6.33.5
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root@mfcgw1:/etc#
***

- and I am still unable to load the RSA private key file in strongSwan. I am
getting the following errors:
*
root@mfcgw1:/etc# ipsec start --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID
pluto (11076) started after 20 ms
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl
hmac
  including NAT-Traversal patch (Version 0.6c)
Using Linux 2.6 IPsec interface code
loading ca certificates from '/etc/ipsec.d/cacerts'
  loaded ca certificate from '/etc/ipsec.d/cacerts/cacert.pem'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
  loaded crl from 'crl.pem'
loading attribute certificates from '/etc/ipsec.d/acerts'
listening for IKE messages
adding interface eth1/eth1 169.254.0.1:500
adding interface eth1/eth1 169.254.0.1:4500
adding interface eth2/eth2 192.168.1.1:500
adding interface eth2/eth2 192.168.1.1:4500
adding interface eth0/eth0 172.17.10.102:500
adding interface eth0/eth0 172.17.10.102:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
adding interface eth2/eth2 2007::1:500
adding interface eth0/eth0 fec0::ee01:500
loading secrets from "/etc/ipsec.secrets"
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=UK, ST=LNDN, L=LONDON, O=Internet
Widgits Pty
 Ltd, OU=Corp, CN=mfcgw1CA, E=ad...@dvttest.com,
subjectAltName=mfcgw1CA.dvttest
.com" from '/etc/ipsec.d/cacerts/cacert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl.pem'
00[CFG] loading secrets from '/etc/ipsec.secrets'
building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
  syntax error in private key file
"/etc/ipsec.secrets" line 3: Private key file -- could not be loaded
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/mfcgw1key.pem'
failed
00[DMN] loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem
openssl
 hmac kernel-pfkey strok

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Andreas Steffen

Hello Rajiv,

did you add the passphrase which encrypts the private key to
the ipsec.secrets entry?

 : RSA /ssl/private/mfcgw1key.pem ""

Regards

Andreas


Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
Hi

Yes, of course. I did that. You see,

- when I use "OpenSSL 1.0.0d-fips 8 Feb 2011" on a Linux FC13 machine to
generate certs, the default RSA key format is PKCS#8, which I believe
strongSwan does not yet support

- if, on the other hand, I use an OpenWRT gateway with "OpenSSL 0.9.8q 2 Dec 2010" and
"Linux strongSwan U4.3.6/K2.6.33.5", although the generated private RSA key
file is in traditional format, strongSwan is unable to load the file

thanks & regards
rajiv


Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Tobias Brunner
Hi Rajiv,

Try adding an empty line between the third and fourth line of your
private key file, like this:

> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
> D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1
> 85P87fkzGA6LYj8LyF7/UXKGs0eBC8BT+c6zlVO1SVgvUii5A42oYXKUQQD1AA6d
> ...
> -----END RSA PRIVATE KEY-----

> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
>
> D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1
> 85P87fkzGA6LYj8LyF7/UXKGs0eBC8BT+c6zlVO1SVgvUii5A42oYXKUQQD1AA6d
> ...
> -----END RSA PRIVATE KEY-----

Regards,
Tobias



Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
Hello Tobias

I did as advised and I am getting the following error on "ipsec start
--nofork"

---
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[LIB] key integrity tests failed
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/mfcgw1key.pem'
failed
-

thanks & regards

rajiv


Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Tobias Brunner
Hi Rajiv,

> 00[LIB] key integrity tests failed

Seems like the gmp plugin has some issues with your key.  It would help
if you could send us an example private key file causing this error.

Regards,
Tobias



Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
Hello Tobias,

Please find included the sample certs (including the RSA private key files,
whose password is config123). The attachments are in WinRAR .rar file format.

hope this helps
thanks & regards

rajiv



samplegwCA2-certs.rar
Description: application/rar


samplegwca1-certs.rar
Description: application/rar

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Tobias Brunner
Hi Rajiv,

When I use

openssl rsa -in mfcgw1key2.pem -check -noout

on my x86_64 machine with OpenSSL 0.9.8o I get

RSA key error: dmp1 not congruent to d
RSA key error: dmq1 not congruent to d

which is also the reason why our libgmp based plugin doesn't like the
keys, i.e.

> 00[LIB] key integrity tests failed

is logged.  Actually, OpenSSL reports this error for all the keys you
sent.  So it sure looks like your keys got corrupted somehow (or never
were valid in the first place).

Regards,
Tobias



Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-14 Thread Rajiv Kulkarni
Hi Tobias

Thank you so much for all the help in solving this issue I am facing.

You are right, I am getting the same error when I use the -check option for
the private key files. I will try to see why it is so. Will get back to you with
any updates/info.

The surprising thing is that when I use the same certificate and
corresponding private key file with Racoon (IKEv1), they work perfectly and
I am able to establish IKE/IPsec tunnels successfully using these certs.

Also when i try to verify whether the cert and the corresponding
private-key match, using the following:

openssl rsa -in  -noout -modulus | openssl sha1
openssl x509 -in  -noout -modulus | openssl sha1

they match perfectly, as they should. But then again, the private key file
does seem to have a consistency-check error?

thanks & regards
rajiv
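
To make concrete what the dmp1/dmq1 errors from Tobias's `openssl rsa -check` mean, and why the modulus comparison in the message above cannot catch them, here is an added Python example (not from the thread, strongSwan or OpenSSL) built on a constructed textbook-sized key. The checks mirror the CRT consistency tests; a key whose CRT exponents have been swapped still matches the certificate's modulus and still decrypts with d alone, but returns garbage through the CRT fast path, so whether a peer uses the CRT values or d alone decides whether such a key appears to work.

```python
from math import gcd


def make_rsa_key(p, q, e):
    """Build a consistent key with the field names OpenSSL uses (PKCS#1 RSAPrivateKey)."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    d = pow(e, -1, lam)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dmp1": d % (p - 1),        # exponent1   = d mod (p-1)
            "dmq1": d % (q - 1),        # exponent2   = d mod (q-1)
            "iqmp": pow(q, -1, p)}      # coefficient = q^-1 mod p


def integrity_errors(key):
    """Consistency checks in the spirit of `openssl rsa -check`.
    Returns the failing checks; an empty list means the key is consistent."""
    n, e, d, p, q = (key[k] for k in ("n", "e", "d", "p", "q"))
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    checks = [
        (p * q == n,                    "n does not equal p q"),
        ((e * d) % lam == 1,            "d e not congruent to 1"),
        (key["dmp1"] == d % (p - 1),    "dmp1 not congruent to d"),
        (key["dmq1"] == d % (q - 1),    "dmq1 not congruent to d"),
        ((key["iqmp"] * q) % p == 1,    "iqmp not inverse of q"),
    ]
    return [msg for ok, msg in checks if not ok]


def modulus_matches_certificate(key, cert_modulus):
    """The `-modulus | openssl sha1` comparison from the thread, minus the hashing:
    it compares n only, so it says nothing about the CRT parameters."""
    return key["n"] == cert_modulus


def crt_decrypt(key, c):
    """RSA private operation via CRT (Garner), the fast path most implementations
    use; it is only correct when dmp1, dmq1 and iqmp are consistent with d."""
    m1 = pow(c, key["dmp1"], key["p"])
    m2 = pow(c, key["dmq1"], key["q"])
    h = (key["iqmp"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def with_swapped_crt_exponents(key):
    """Constructed corruption: dmp1 and dmq1 exchanged, everything else intact."""
    bad = dict(key)
    bad["dmp1"], bad["dmq1"] = key["dmq1"], key["dmp1"]
    return bad


# Constructed toy key (textbook primes, illustration only; real keys are 2048+ bits).
GOOD_KEY = make_rsa_key(p=61, q=53, e=17)
BAD_KEY = with_swapped_crt_exponents(GOOD_KEY)
CERT_MODULUS = GOOD_KEY["n"]     # the certificate carries the same n for both keys

if __name__ == "__main__":
    c = pow(65, GOOD_KEY["e"], GOOD_KEY["n"])    # encrypt m = 65 with the public key
    for name, key in (("good", GOOD_KEY), ("bad", BAD_KEY)):
        print(name, "modulus match:", modulus_matches_certificate(key, CERT_MODULUS),
              "errors:", integrity_errors(key),
              "decrypt via d:", pow(c, key["d"], key["n"]),
              "decrypt via CRT:", crt_decrypt(key, c))
```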

