Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-14 Thread Rajiv Kulkarni
Hi Tobias

Thank you so much for all the help in solving this issue I am facing.

You are right, I am getting the same error when I use the -check option for
the private key files. I will try to see why it is so. Will get back to you with
any updates/info.

The surprising thing is that when I use the same certificate and
corresponding private key file with Racoon (IKEv1), they work perfectly and
I am able to establish IKE/IPsec tunnels successfully using these certs.

Also, when I try to verify whether the cert and the corresponding
private key match, using the following:

openssl rsa -in priv-key.pem -noout -modulus | openssl sha1
openssl x509 -in cert.pem -noout -modulus | openssl sha1

they match perfectly, as they should. But then again the private key file
does seem to have a consistency check error, though?

thanks & regards
rajiv



On Thu, Nov 10, 2011 at 11:56 PM, Tobias Brunner <tob...@strongswan.org> wrote:

 Hi Rajiv,

 When I use

openssl rsa -in mfcgw1key2.pem -check -noout

 on my x86_64 machine with OpenSSL 0.9.8o I get

RSA key error: dmp1 not congruent to d
RSA key error: dmq1 not congruent to d

 which is also the reason why our libgmp based plugin doesn't like the
 keys, i.e.

  00[LIB] key integrity tests failed

 is logged.  Actually, OpenSSL reports this error for all the keys you
 sent.  So it sure looks like your keys got corrupted somehow (or never
 were valid in the first place).

 Regards,
 Tobias

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
Hi

It has been quite some time now since I could follow up on the issue
submitted by me; very sorry about the delay in doing so.

I have been facing this issue primarily on an OpenWRT gateway:
--
BusyBox v1.4.2 (2011-08-04 02:47:42 IST) Built-in shell (ash)
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M


- After receiving the reply from Martin as below (at the end of this mail)
for a similar issue on a Linux Fedora-13 server running strongswan 4.5.0, I
tried to generate some newer X.509 certs (and the private RSA key
files) on the OpenWRT gateway itself
***
root@mfcgw1:/etc# cat ssl/private/mfcgw1key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1
85P87fkzGA6LYj8LyF7/UXKGs0eBC8BT+c6zlVO1SVgvUii5A42oYXKUQQD1AA6d
5W5KNq+C1e9zUs3BDKPfOhHuODjzqAs0f4NdsJ6I5kmGogS2LczwWV6nDwsBLY3U
LD3vO9tg99dh7/2+rUPWffYx5Ag+OJtcCON3ku7McTdrLODFKkPQYNNXGNGbolui
EuO8o4xRHXdDD3dMud8H/+zHjxrVw8WfcJz5C/uSamLhFwjWUOUL8w5IrnQ8gY7x
RkKoMm8j/PUKTj2gTU4cNgA3gyJh35tCLh7vbiK5F5MYRXzuB8bezTMLOV2QduJ9
nNHLziQsD6br0P/2SFgr/tm+TeZ4r90Bc6zF1rrnEzEr2usz8W4gdm/Am9v01fk0
FWiN/CFrAFncXpkGIppo7j19svN13xhtY0cPhzTPIu5pROxhLbcQPUYi2ci9sLti
vAEStWV2Vcyc+g3/2ZvE9M/SWEsi80cCumbsepsK8hHjuEl5PBK/KbReP+I8SJGv
Dh90ZgiURN35sNd/1GAxltoATCEu526/mIlJcUc1pBpvoPZM6ZOLUgmkwvHRyxp3
1pwkSVx3aTvEzZJCDzQR/nZez4kQD1WwXQ5UQbTfp7yBPOSuRp/ZnWmrdDFs1ck+
7V+I47a2GLqKXIlJ0xuPV0azMeXky8dC+53uSQuDzPlSp7EgdQhLBLNjXJPOKCHT
/mFjd5wRsgz35qld/Jwj19WE7F7baGacrsfM8mSWNBs3YAcNJdks/zavr19Kwgzw
X1RtOfe59BsWtdEepciKXw/PW87QxspRIe4w8Jmmugfl3CWtauuV+ossadNfOK+2
R2m3KhkLj8FA9I5JrTjY8z9PPE0qS/KSAT1EjjDABAPUoxnPyO5f9Df2A7L//f+w
qf25HtwJSUe3hxsOqxtsqSdOqL8Uan3M
-----END RSA PRIVATE KEY-----
root@mfcgw1:/etc#
root@mfcgw1:/etc#
root@mfcgw1:/etc# ipsec version
Linux strongSwan U4.3.6/K2.6.33.5
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root@mfcgw1:/etc#
***

- and I am still unable to load the RSA private key file in strongswan. I am
getting the following errors:
*
root@mfcgw1:/etc# ipsec start --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID
pluto (11076) started after 20 ms
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl
hmac
  including NAT-Traversal patch (Version 0.6c)
Using Linux 2.6 IPsec interface code
loading ca certificates from '/etc/ipsec.d/cacerts'
  loaded ca certificate from '/etc/ipsec.d/cacerts/cacert.pem'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
  loaded crl from 'crl.pem'
loading attribute certificates from '/etc/ipsec.d/acerts'
listening for IKE messages
adding interface eth1/eth1 169.254.0.1:500
adding interface eth1/eth1 169.254.0.1:4500
adding interface eth2/eth2 192.168.1.1:500
adding interface eth2/eth2 192.168.1.1:4500
adding interface eth0/eth0 172.17.10.102:500
adding interface eth0/eth0 172.17.10.102:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
adding interface eth2/eth2 2007::1:500
adding interface eth0/eth0 fec0::ee01:500
loading secrets from /etc/ipsec.secrets
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate C=UK, ST=LNDN, L=LONDON, O=Internet Widgits Pty Ltd, OU=Corp, CN=mfcgw1CA, E=ad...@dvttest.com, subjectAltName=mfcgw1CA.dvttest.com from '/etc/ipsec.d/cacerts/cacert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl.pem'
00[CFG] loading secrets from '/etc/ipsec.secrets'
building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
  syntax error in private key file
/etc/ipsec.secrets line 3: Private key file -- could not be loaded
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/mfcgw1key.pem'
failed
00[DMN] loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem
openssl
 hmac kernel-pfkey stroke 

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Andreas Steffen

Hello Rajiv,

did you add the passphrase which encrypts the private key to
the ipsec.secrets entry?

 : RSA /ssl/private/mfcgw1key.pem my passphrase

Regards

Andreas

On 10.11.2011 15:10, Rajiv Kulkarni wrote:


Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
Hi

Yes, of course. I did that. You see,

- when I use OpenSSL 1.0.0d-fips 8 Feb 2011 on a Linux-FC13 machine to
generate certs, the default RSA key format is PKCS#8, which I believe
strongswan does not yet support

- if, on the other hand, I use an openwrt-gw with OpenSSL 0.9.8q 2 Dec 2010 and
Linux strongSwan U4.3.6/K2.6.33.5, although the generated private RSA key
file is in traditional format, strongswan is unable to load the file

thanks & regards
rajiv



On Thu, Nov 10, 2011 at 8:23 PM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:

 Hello Rajiv,

 did you add the passphrase which encrypts the private key to
 the ipsec.secrets entry?

  : RSA /ssl/private/mfcgw1key.pem my passphrase

 Regards

 Andreas


 On 10.11.2011 15:10, Rajiv Kulkarni wrote:

 Hi
 It has been quite sometime now since i could followup on the issue
 submiited by me, very sorry about the delay in doing so.
 I have been facing this issue primarily on a OpenWRT Gateway:
 --**--**
 --**
 BusyBox v1.4.2 (2011-08-04 02:47:42 IST) Built-in shell (ash)
   ___ __
  |   |.-.-.-.|  |  |  |..|  |_
  |   -   ||  _  |  -__| ||  |  |  ||   _||   _|
  |___||   __|_|__|__||||__|  ||
   |__| W I R E L E S S   F R E E D O M
 --**--**
 
 - After recieving the reply by Martin as below (at the end of this mail)
 for a similar issue on a Linux Fedora-13 server running strongswan
 4.5.0, i tried to generate some more newer x509 certs (and the private
 rsa key files) on the openwrt gateway itself
 ***
 root@mfcgw1:/etc mailto:root@mfcgw1:/etc# cat
 ssl/private/mfcgw1key.pem

 -BEGIN RSA PRIVATE KEY-
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
 D8p/CHn/**F5PuiLtSIp9AWfZ9Iig9VQydF7uhCD**gJKgOutYGj7PkoufOhFsJ+H7D1
 85P87fkzGA6LYj8LyF7/**UXKGs0eBC8BT+**c6zlVO1SVgvUii5A42oYXKUQQD1AA6**d
 5W5KNq+**C1e9zUs3BDKPfOhHuODjzqAs0f4Nds**J6I5kmGogS2LczwWV6nDwsBLY3U
 LD3vO9tg99dh7/2+rUPWffYx5Ag+**OJtcCON3ku7McTdrLODFKkPQYNNXGN**Gbolui
 EuO8o4xRHXdDD3dMud8H/+**zHjxrVw8WfcJz5C/**uSamLhFwjWUOUL8w5IrnQ8gY7x
 RkKoMm8j/**PUKTj2gTU4cNgA3gyJh35tCLh7vbiK**5F5MYRXzuB8bezTMLOV2QduJ9
 nNHLziQsD6br0P/2SFgr/tm+**TeZ4r90Bc6zF1rrnEzEr2usz8W4gdm**/Am9v01fk0
 FWiN/**CFrAFncXpkGIppo7j19svN13xhtY0c**PhzTPIu5pROxhLbcQPUYi2ci9sLti
 vAEStWV2Vcyc+g3/2ZvE9M/**SWEsi80cCumbsepsK8hHjuEl5PBK/**KbReP+I8SJGv
 Dh90ZgiURN35sNd/**1GAxltoATCEu526/**mIlJcUc1pBpvoPZM6ZOLUgmkwvHRyx**p3
 1pwkSVx3aTvEzZJCDzQR/**nZez4kQD1WwXQ5UQbTfp7yBPOSuRp/**ZnWmrdDFs1ck+
 7V+**I47a2GLqKXIlJ0xuPV0azMeXky8dC+**53uSQuDzPlSp7EgdQhLBLNjXJPOKCH**T
 /mFjd5wRsgz35qld/**Jwj19WE7F7baGacrsfM8mSWNBs3YAc**NJdks/zavr19Kwgzw
 X1RtOfe59BsWtdEepciKXw/**PW87QxspRIe4w8Jmmugfl3CWtauuV+**ossadNfOK+2
 R2m3KhkLj8FA9I5JrTjY8z9PPE0qS/**KSAT1EjjDABAPUoxnPyO5f9Df2A7L/**/f+w
 qf25HtwJSUe3hxsOqxtsqSdOqL8Uan**3M
 -END RSA PRIVATE KEY-
 root@mfcgw1:/etc mailto:root@mfcgw1:/etc#
 root@mfcgw1:/etc mailto:root@mfcgw1:/etc#
 root@mfcgw1:/etc mailto:root@mfcgw1:/etc# ipsec version

 Linux strongSwan U4.3.6/K2.6.33.5
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil, Switzerland
 See 'ipsec --copyright' for copyright information.
 root@mfcgw1:/etc mailto:root@mfcgw1:/etc#

 *
 - and iam still unable to load the RSA private key file in strongswan.
 Iam getting the following errors:
 *
 root@mfcgw1:/etc mailto:root@mfcgw1:/etc# ipsec start --nofork

 Starting strongSwan 4.3.6 IPsec [starter]...
 starter_start_pluto entered
 Pluto initialized
 Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID
 pluto (11076) started after 20 ms
 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
 loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl
 hmac
   including NAT-Traversal patch (Version 0.6c)
 Using Linux 2.6 IPsec interface code
 loading ca certificates from '/etc/ipsec.d/cacerts'
   loaded ca certificate from '/etc/ipsec.d/cacerts/cacert.**pem'
 loading aa certificates from '/etc/ipsec.d/aacerts'
 loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
 Changing to directory '/etc/ipsec.d/crls'
   loaded crl from 'crl.pem'
 loading attribute certificates from '/etc/ipsec.d/acerts'
 listening for IKE messages
 adding interface eth1/eth1 169.254.0.1:500 http://169.254.0.1:500
 adding interface eth1/eth1 169.254.0.1:4500 http://169.254.0.1:4500
 adding interface eth2/eth2 192.168.1.1:500 http://192.168.1.1:500
 adding interface eth2/eth2 192.168.1.1:4500 http://192.168.1.1:4500
 adding interface eth0/eth0 172.17.10.102:500 http://172.17.10.102:500
 adding interface eth0/eth0 172.17.10.102:4500 http://172.17.10.102:4500
 adding interface lo/lo 

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Tobias Brunner
Hi Rajiv,

Try adding an empty line between the third and fourth line of your
private key file, like this:

 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
 D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1
 85P87fkzGA6LYj8LyF7/UXKGs0eBC8BT+c6zlVO1SVgvUii5A42oYXKUQQD1AA6d
 ...
 -----END RSA PRIVATE KEY-----



 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,2FC8D750D505E922

 D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1
 85P87fkzGA6LYj8LyF7/UXKGs0eBC8BT+c6zlVO1SVgvUii5A42oYXKUQQD1AA6d
 ...
 -----END RSA PRIVATE KEY-----

Regards,
Tobias

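Tobias's suggestion above rests on the PEM encapsulation rules of RFC 1421: when a traditional-format key is encrypted, the Proc-Type and DEK-Info header lines are separated from the base64 body by one blank line, and a reader that collects header lines until it sees that blank line will otherwise treat the first base64 line as a malformed header and give up with a syntax error. As an added example (Python, standard library only; not strongSwan's pem plugin or OpenSSL code, and the function names are my own), this parser enforces the rule, reports the missing separator, extracts the cipher and IV from DEK-Info, and applies the same one-line repair programmatically. The sample file is constructed with the header lines from the thread and a fake base64 body that is not a key.

```python
import base64
import re

# RFC 1421 encapsulated header line ("Proc-Type: 4,ENCRYPTED", "DEK-Info: ...")
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")

def parse_pem(text):
    """Split one PEM blob into (label, headers, decoded body).
    Raises ValueError if a header block is present but not terminated by the
    blank line RFC 1421 requires, i.e. when the first base64 line follows
    DEK-Info directly, as in the file that failed to load."""
    lines = [l.rstrip("\r") for l in text.strip().split("\n")]
    m = BEGIN_RE.match(lines[0])
    if not m or lines[-1] != "-----END %s-----" % m.group(1):
        raise ValueError("missing or mismatched BEGIN/END lines")
    label, headers, i = m.group(1), {}, 1
    while i < len(lines) - 1 and HEADER_RE.match(lines[i]):
        name, value = HEADER_RE.match(lines[i]).groups()
        headers[name] = value
        i += 1
    if headers:
        if lines[i] != "":
            raise ValueError("headers must end with a blank line, found %r" % lines[i])
        i += 1
    body = "".join(lines[i:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body):
        raise ValueError("body is not base64")
    return label, headers, base64.b64decode(body, validate=True)

def pem_problem(text):
    """The parse error for text, or None when it is well formed."""
    try:
        parse_pem(text)
        return None
    except ValueError as exc:
        return str(exc)

def dek_info(headers):
    """Cipher name and IV from DEK-Info; only meaningful when Proc-Type says ENCRYPTED."""
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        raise ValueError("Proc-Type does not mark the body as encrypted")
    cipher, iv_hex = headers["DEK-Info"].split(",", 1)
    return cipher, bytes.fromhex(iv_hex)

def fix_missing_blank_line(text):
    """Tobias's manual edit as code: insert the separator after the last header line."""
    lines = text.split("\n")
    last = max((i for i, l in enumerate(lines) if HEADER_RE.match(l)), default=-1)
    if last >= 0 and lines[last + 1] != "":
        lines.insert(last + 1, "")
    return "\n".join(lines)

# Constructed sample: the header lines from the thread, a fake base64 body
# (not a key), and the blank line left out, as in the file that failed to load.
SAMPLE_BODY = base64.b64encode(b"constructed sample bytes, not a real key").decode()
BROKEN_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
              "Proc-Type: 4,ENCRYPTED\n"
              "DEK-Info: DES-EDE3-CBC,2FC8D750D505E922\n"
              + SAMPLE_BODY + "\n"
              "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print("before:", pem_problem(BROKEN_PEM))
    fixed = fix_missing_blank_line(BROKEN_PEM)
    print("after:", pem_problem(fixed), dek_info(parse_pem(fixed)[1]))
```

A file that passes parse_pem is only syntactically sound: the decoded bytes still have to be decrypted with the passphrase given in ipsec.secrets and parsed as an RSAPrivateKey before anything can be said about the key itself.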


Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
Hello Tobias

I did as advised and I am getting the following error on ipsec start
--nofork

---
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[LIB] key integrity tests failed
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/mfcgw1key.pem'
failed
-

thanks & regards

rajiv


On Thu, Nov 10, 2011 at 9:41 PM, Tobias Brunner <tob...@strongswan.org> wrote:

 Hi Rajiv,

 Try adding an empty line between the third and fourth line of your
 private key file, like this:

  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
  D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1
  85P87fkzGA6LYj8LyF7/UXKGs0eBC8BT+c6zlVO1SVgvUii5A42oYXKUQQD1AA6d
  ...
  -----END RSA PRIVATE KEY-----

 

  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,2FC8D750D505E922
 
  D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1
  85P87fkzGA6LYj8LyF7/UXKGs0eBC8BT+c6zlVO1SVgvUii5A42oYXKUQQD1AA6d
  ...
  -----END RSA PRIVATE KEY-----

 Regards,
 Tobias


Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Tobias Brunner
Hi Rajiv,

 00[LIB] key integrity tests failed

Seems like the gmp plugin has some issues with your key.  It would help
if you could send us an example private key file causing this error.

Regards,
Tobias



Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
Hello Tobias,

Please find included the sample certs (including the RSA private key files,
whose password is config123). The attachments are in WinRAR .rar file format.

hope this helps
thanks & regards

rajiv



On Thu, Nov 10, 2011 at 10:34 PM, Tobias Brunner <tob...@strongswan.org> wrote:

 Hi Rajiv,

  00[LIB] key integrity tests failed

 Seems like the gmp plugin has some issues with your key.  It would help
 if you could send us an example private key file causing this error.

 Regards,
 Tobias



Attachments: samplegwCA2-certs.rar, samplegwca1-certs.rar (application/rar)

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Tobias Brunner
Hi Rajiv,

When I use

openssl rsa -in mfcgw1key2.pem -check -noout

on my x86_64 machine with OpenSSL 0.9.8o I get

RSA key error: dmp1 not congruent to d
RSA key error: dmq1 not congruent to d

which is also the reason why our libgmp based plugin doesn't like the
keys, i.e.

 00[LIB] key integrity tests failed

is logged.  Actually, OpenSSL reports this error for all the keys you
sent.  So it sure looks like your keys got corrupted somehow (or never
were valid in the first place).

Regards,
Tobias



[strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-04-20 Thread Rajiv Kulkarni
Hi

I am facing a problem in my Strongswan deployment on a Linux-Fedora13
Server. I have created a CA and some device certs on the Linux-Fed13 server
using OpenSSL. But I am unable to use the device certs (the private-key file)
in strongswan. I am getting the following error (console trace). Also other
details are given below:

--



[root@dvtpc2 etc]# ipsec start --nofork
Starting strongSwan 4.5.0 IPsec [starter]...
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.5.0) THREADS VENDORID
listening on interfaces:
  eth1
172.30.1.2
fe80::218:8bff:fe04:a492
  eth0
172.18.10.100
fe80::2d0:b7ff:fe9e:ab8b
loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp
hmac xauth attr kernel-netlink resolve
  including NAT-Traversal patch (Version 0.6c)
pluto (2594) started after 20 ms
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[KNL] listening on interfaces:
00[KNL]   eth1
00[KNL] 172.30.1.2
00[KNL] fe80::218:8bff:fe04:a492
00[KNL]   eth0
loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
  loaded ca certificate from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Changing to directory '/usr/local/etc/ipsec.d/crls'
00[KNL] 172.18.10.100
  loaded crl from 'crl.pem'
00[KNL] fe80::2d0:b7ff:fe9e:ab8b
loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
spawning 4 worker threads
listening for IKE messages
adding interface eth0/eth0 172.18.10.100:500
adding interface eth0/eth0 172.18.10.100:4500
adding interface eth1/eth1 172.30.1.2:500
adding interface eth1/eth1 172.30.1.2:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
loading secrets from /usr/local/etc/ipsec.secrets
L1 - modulus: ASN1 tag 0x02 expected, but is 0x30
building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
  syntax error in private key file
/usr/local/etc/ipsec.secrets line 3: Private key file -- could not be
loaded
00[CFG]   loaded ca certificate C=IN, ST=AP, L=HYD, O=Internet Widgits Pty Ltd, OU=Corp, CN=dvtpc2CA, E=ad...@dvttest.com, subjectAltName=dvtpc2.dvttest.com from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/usr/local/etc/ipsec.d/crls/crl.pem'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[LIB] L1 - modulus: ASN1 tag 0x02 expected, but is 0x30
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
00[CFG]   loading private key from
'/usr/local/etc/ipsec.d/private/dvtpc2key1024-self.pem' failed
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey
pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw
stroke updown
00[JOB] spawning 16 worker threads
charon (2619) started after 20 ms
04[CFG] received stroke: add connection 'dvtpc2host'
04[CFG]   loaded certificate C=IN, ST=AP, L=HYD, O=Internet Widgits Pty Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=dvtpc2.dvttest.com, E=ad...@dvttest.com from 'dvtpc2cert1024-self.pem'
04[CFG]   id '/C=IN/ST=AP/L=HYD/O=Internet Widgits Pty Ltd/OU=Corp/CN=dvtpc2.dvttest.com/subjectAltName=dvtpc2.dvttest.com/emailAddress=ad...@dvttest.com' not confirmed by certificate, defaulting to 'C=IN, ST=AP, L=HYD, O=Internet Widgits Pty Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=dvtpc2.dvttest.com, E=ad...@dvttest.com'
04[CFG] added configuration 'dvtpc2host'
  loaded host certificate from '/usr/local/etc/ipsec.d/certs/dvtpc2cert1024-self.pem'
  id '/C=IN/ST=AP/L=HYD/O=Internet Widgits Pty Ltd/OU=Corp/CN=dvtpc2.dvttest.com/subjectAltName=dvtpc2.dvttest.com/emailAddress=ad...@dvttest.com' not confirmed by certificate, defaulting to 'C=IN, ST=AP, L=HYD, O=Internet Widgits Pty Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=dvtpc2.dvttest.com, E=ad...@dvttest.com'
added connection description dvtpc2host

---
[root@dvtpc2 etc]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010
[root@dvtpc2 etc]#

---
[root@dvtpc2 etc]#
[root@dvtpc2 etc]#
[root@dvtpc2 etc]# cd ipsec.d/private/
[root@dvtpc2 private]# cat dvtpc2key1024-self.pem
-----BEGIN PRIVATE KEY-----
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALPec1SeRutyn4Sb
yWS8RVXDiroh3XgXchjYbwm+RvoFS7k31LcpK+zgs62ZdTFxeYCv6hr/bV2BIwwf
NwMlPc5zyHnjFrMmOG2eXzzd0xleFwx12NSW0rXtpAVa9/GVmROhObAFUlrLYL4R
WuVLzpA+gv/2U9jVkVxBMr1GG5khAgMBAAECgYEAk2z88ppYXpswjCx0QZDe85C2
oCEpuUjeR+b9++ptmnfEvSc5vnaMfjcejmd9Wu07PXLyWvaI2V8DLuhW2skngjLQ

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-04-20 Thread Martin Willi
Hi Rajiv,

 [root@dvtpc2 private]# cat dvtpc2key1024-self.pem
 -----BEGIN PRIVATE KEY-----
 MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALPec1SeRutyn4Sb
 yWS8RVXDiroh3XgXchjYbwm+RvoFS7k31LcpK+zgs62ZdTFxeYCv6hr/bV2BIwwf
 NwMlPc5zyHnjFrMmOG2eXzzd0xleFwx12NSW0rXtpAVa9/GVmROhObAFUlrLYL4R
 WuVLzpA+gv/2U9jVkVxBMr1GG5khAgMBAAECgYEAk2z88ppYXpswjCx0QZDe85C2
 oCEpuUjeR+b9++ptmnfEvSc5vnaMfjcejmd9Wu07PXLyWvaI2V8DLuhW2skngjLQ
 jADppVBvnYvNqqih3GwFSN3H3fieF6fDPeKqv67roqEiGXvCaOUWNFOnAsFGKLpw
 d66veG3C+8JD2MCd6JECQQDqpyHu/MQpKhsMW13htkhX1+QXjS584RClLLO3L7LL
 VdGRFjq5cZ2mQzQBNB+ccVDhE02WmfZzAXWHd+hjmzEjAkEAxDtyXkGrdOboz3Wq
 rvYTM/PCJ+K0/Mbisihoi295yGXU074kzXhdVevpN8SarVHz2ktyjea5qPwFRySF
 089q6wJBAMf6ykuv9cmTTdv5HgiX3g2nO4fq1XyuHw52C2+KYhkyuViqFkAnGREy
 YubHsk0UsbYwSkaYTlXzH2PliBMjlvsCQBsWtcALQrb9lU/mR2ylrZrzYG8PHbrz
 XaIIb/4nomEmpY2hZwUyQ3gz+9rl+hBJCuesmKC8JA8O00+x3AOUU4cCQQCSn5WN
 Na04DmDpNODPlp2YgEVsnWZgOVkI3VrKhWzLhEVq/Sduzx9ySgea0VEegsmWAeqz
 IM+lCeaKgP4Dbjqs
 -----END PRIVATE KEY-----

This key is wrapped in PKCS#8 without encryption. We currently can't
read in any PKCS#8 keys.

Convert such keys to plain RSA using:
  openssl pkcs8 -nocrypt < dvtpc2key1024-self.pem

Regards
Martin



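Martin's diagnosis here, Tobias's `openssl rsa -check` output earlier in the thread, and the `-modulus | openssl sha1` comparison Rajiv used are all statements about the DER structure inside the PEM body, so the following added example (Python, standard library only; not strongSwan or OpenSSL code, and the function names are my own) reproduces them on a toy key. It encodes a PKCS#1 RSAPrivateKey, wraps it in unencrypted PKCS#8 to show why a PKCS#1-only loader stops with "modulus: ASN1 tag 0x02 expected, but is 0x30" and how the unwrapping that `openssl pkcs8 -nocrypt` performs recovers the key, runs the same CRT consistency tests as `openssl rsa -check`, and hashes the modulus the way the `-modulus | openssl sha1` pipeline does, showing that a key with corrupted exponent1/exponent2 (dmp1/dmq1) still has a modulus fingerprint identical to the certificate's. The key is built from the primes 61 and 53 and is constructed for the demonstration only; it is not a usable key.

```python
import hashlib
from math import gcd

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption
FIELDS = ("version", "modulus", "publicExponent", "privateExponent",    # RFC 3447 names;
          "prime1", "prime2", "exponent1", "exponent2", "coefficient")  # OpenSSL: dmp1, dmq1, iqmp

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b            # long form: 0x8k, then k length bytes

def der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                              # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b

def der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body

def der_read(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def make_toy_key(p, q, e):
    """Consistent RSAPrivateKey tuple from two small primes (constructed, insecure)."""
    d = pow(e, -1, (p - 1) * (q - 1) // gcd(p - 1, q - 1))
    return (0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))

def encode_pkcs1(key):
    """RSAPrivateKey ::= SEQUENCE of nine INTEGERs (body of 'BEGIN RSA PRIVATE KEY')."""
    return der_seq(*(der_int(v) for v in key))

def encode_pkcs8(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING }
    (body of 'BEGIN PRIVATE KEY', the unencrypted PKCS#8 form Martin identified)."""
    alg = der_seq(RSA_OID, b"\x05\x00")          # rsaEncryption, NULL parameters
    return der_seq(der_int(0), alg, b"\x04" + der_len(len(pkcs1_der)) + pkcs1_der)

def parse_pkcs1(der):
    """Strict RSAPrivateKey parser: each field must be an INTEGER (tag 0x02)."""
    tag, body, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("RSAPrivateKey: ASN1 tag 0x30 expected, but is 0x%02x" % tag)
    vals, pos = [], 0
    for name in FIELDS:
        if pos >= len(body):
            raise ValueError("RSAPrivateKey: %s missing" % name)
        tag, val, pos = der_read(body, pos)
        if tag != 0x02:
            raise ValueError("%s: ASN1 tag 0x02 expected, but is 0x%02x" % (name, tag))
        vals.append(int.from_bytes(val, "big"))
    return dict(zip(FIELDS, vals))

def parse_private_key(der):
    """Accept PKCS#1 or unencrypted PKCS#8; the unwrapping in the PKCS#8 branch is
    what `openssl pkcs8 -nocrypt` does before writing the traditional format."""
    _, body, _ = der_read(der, 0)
    _, _, pos = der_read(body, 0)                # version INTEGER opens both structures
    tag, alg, pos = der_read(body, pos)
    if tag == 0x02:                              # second INTEGER is the modulus: PKCS#1
        return "PKCS#1", parse_pkcs1(der)
    if tag != 0x30 or alg != RSA_OID + b"\x05\x00":
        raise ValueError("PKCS#8: AlgorithmIdentifier is not rsaEncryption")
    tag, inner, _ = der_read(body, pos)
    if tag != 0x04:
        raise ValueError("PKCS#8: privateKey OCTET STRING expected, but is 0x%02x" % tag)
    return "PKCS#8", parse_pkcs1(inner)

def check_rsa(k):
    """The consistency tests behind `openssl rsa -check` (messages as in OpenSSL's
    rsa_chk.c) and strongSwan's 'key integrity tests failed'; [] means the key is sound."""
    n, e, d, p, q, dmp1, dmq1, iqmp = (k[f] for f in FIELDS[1:])
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    tests = (("n does not equal p q", n == p * q),
             ("d e not congruent to 1", (d * e) % lam == 1),
             ("dmp1 not congruent to d", dmp1 == d % (p - 1)),
             ("dmq1 not congruent to d", dmq1 == d % (q - 1)),
             ("iqmp not inverse of q", (iqmp * q) % p == 1))
    return [msg for msg, ok in tests if not ok]

def modulus_fingerprint(n):
    """SHA-1 of the 'Modulus=<HEX>' line (newline included) that `openssl rsa -noout
    -modulus` prints, i.e. what the `| openssl sha1` comparison in the thread hashes."""
    return hashlib.sha1(("Modulus=%X\n" % n).encode()).hexdigest()

if __name__ == "__main__":
    key = make_toy_key(61, 53, 17)               # toy primes, constructed for the demo
    bad = list(key)
    bad[6] ^= 1                                  # corrupt exponent1 (dmp1) and exponent2
    bad[7] ^= 1                                  # (dmq1) only; the modulus is untouched
    good, broken = parse_pkcs1(encode_pkcs1(key)), parse_pkcs1(encode_pkcs1(tuple(bad)))
    print(check_rsa(good), check_rsa(broken),
          modulus_fingerprint(good["modulus"]) == modulus_fingerprint(broken["modulus"]))
```

The good key passes all five tests, the corrupted one reports exactly "dmp1 not congruent to d" and "dmq1 not congruent to d", and the two fingerprints compare equal. That is the gap between the two checks Rajiv ran: `-modulus` only proves that certificate and key share n, while `-check` (and the checks the gmp plugin runs before accepting a key) verify the private CRT components as well. The "d e" test here uses lcm(p-1, q-1); a key that satisfies the stricter (p-1)(q-1) form also satisfies it.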