Re: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

2010-04-20 Thread shyamsundar.purkayastha
How can I see explicit logs related to charon startup? Try to start charon in the foreground using ipsec start --nofork Martin I ran the ipsec start --nofork command As you mentioned in your earlier reply the issue is indeed with loading the private key. It throws the following error

Re: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

2010-04-20 Thread Andreas Steffen
Hello, the error message from the ASN.1 parser means that the file /etc/ipsec.d/private/211Key.pem does not contain a private key but probably an X.509 certificate. Kind regards Andreas On 20.04.2010 08:05, shyamsundar.purkayas...@wipro.com wrote: How can I see explicit logs related to charon

Re: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

2010-04-20 Thread shyamsundar.purkayastha
the error message from the ASN.1 parser means that the file /etc/ipsec.d/private/211Key.pem does not contain a private key but probably an X.509 certificate. After uncommenting the load statement in strongswan.conf I am not getting the ASN.1 parser error but still the loading of private key

Re: [strongSwan] IKEv1 - Message-IDs during phase 1 for encrypted Notify messages

2010-04-20 Thread Andreas Steffen
Hello Vladimir, the Message ID will be unique non-zero and the encryption will be derived from the IKE Phase 1 IV. The following link shows the function generate_msgid() which generates a unique msgid:

Re: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

2010-04-20 Thread shyamsundar.purkayastha
One more info. I have generated the keys using openssl command. In that case is it required to load the openssl module in charon? The openssl command generates keys in the standardized PKCS#1 format which can be read by strongSwan's pkcs1 plugin. There is no need to load the openssl

Re: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

2010-04-20 Thread shyamsundar.purkayastha
Hi Andreas As an alternative I have also tried with the der format of the keys for which the procedure is given in the documentation section titled Setting-up a simple CA using strongSwan PKI tool Even with this I get the same results and the same error message at ipsec start --nofork

Re: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

2010-04-20 Thread Andreas Steffen
On 20.04.2010 12:11, shyamsundar.purkayas...@wipro.com wrote: But I have a new error when I try to bring up my configuration [r...@localhost ~]# ipsec up 211TO60Tunnel initiating IKE_SA 211TO60Tunnel[3] to 10.201.114.178 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

Re: [strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

2010-04-20 Thread shyamsundar.purkayastha
On 20.04.2010 12:11, shyamsundar.purkayas...@wipro.com wrote: But I have a new error when I try to bring up my configuration [r...@localhost ~]# ipsec up 211TO60Tunnel initiating IKE_SA 211TO60Tunnel[3] to 10.201.114.178 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

[strongSwan] Specifying a relaxed ESP encryption/authentication proposal for CHILD_SA setup and rekeying

2010-04-20 Thread Graham Hudspith
Hello All, We've a problem here with a couple of errant security-gateways when trying to connect our strongswan-using software to them. Originally, we specified a connection to use the following params: ike=aes-sha-modp1024! esp=aes-sha1 The first segw was *unhappy* with this, because the