Hello, the error message from the ASN.1 parser means that the file "/etc/ipsec.d/private/211Key.pem" does not contain a private key but probably an X.509 certificate.

Kind regards

Andreas

On 20.04.2010 08:05, shyamsundar.purkayas...@wipro.com wrote:
>>> How can I see explicit logs related to charon startup ?
>
>> Try to start charon in the foreground using
>> ipsec start --nofork
>
> Martin
>
> I ran the ipsec start --nofork command
> As you mentioned in your earlier reply the issue is indeed with loading the
> private key . It throws the following error
>
> -------------------------------------------------------------
>
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] L1 - version: ASN1 tag 0x02 expected, but is 0x30
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
> -------------------------------------------------------------------
>
> What could be the reason for this ?
>
> Here is the complete verbose stdout I got .. Thanks in advance for your help.
> --------------------------------------------------------------------
>
>
> [r...@localhost ~]# ipsec start --nofork
> Starting strongSwan 4.3.6 IPsec [starter]...
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
> 00[KNL] listening on interfaces:
> 00[KNL] eth0
> 00[KNL] 10.201.114.211
> 00[KNL] fe80::21f:e2ff:fe6c:c777
> 00[KNL] received netlink error: Invalid argument (22)
> 00[KNL] unable to create IPv6 routing table rule
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG] loaded ca certificate "C=IN, ST=KAR, L=EC, O=WT, OU=TEV,
> CN=10.201.114.211, e=i...@wt.com" from
> '/etc/ipsec.d/cacerts/strongswanCert.pem'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[LIB] L1 - version: ASN1 tag 0x02 expected, but is 0x30
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
> 00[CFG] loading private key from '/etc/ipsec.d/private/211Key.pem' failed
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey
> pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve
> 00[JOB] spawning 16 worker threads
> charon (30659) started after 60 ms
> 12[CFG] stroke message => 426 bytes @ 0xb116d1a0
> 12[CFG] received stroke: add connection '211TO178Tunnel'
> 12[CFG] conn 211TO178Tunnel
> 12[CFG] left=10.201.114.211
> 12[CFG] leftsubnet=(null)
> 12[CFG] leftsourceip=(null)
> 12[CFG] leftauth=(null)
> 12[CFG] leftauth2=(null)
> 12[CFG] leftid=(null)
> 12[CFG] leftid2=(null)
> 12[CFG] leftcert=211Cert.pem
> 12[CFG] leftcert2=(null)
> 12[CFG] leftca=(null)
> 12[CFG] leftca2=(null)
> 12[CFG] leftgroups=(null)
> 12[CFG] leftupdown=(null)
> 12[CFG] right=10.201.114.178
> 12[CFG] rightsubnet=(null)
> 12[CFG] rightsourceip=(null)
> 12[CFG] rightauth=(null)
> 12[CFG] rightauth2=(null)
> 12[CFG] rightid=(null)
> 12[CFG] rightid2=(null)
> 12[CFG] rightcert=(null)
> 12[CFG] rightcert2=(null)
> 12[CFG] rightca=(null)
> 12[CFG] rightca2=(null)
> 12[CFG] rightgroups=(null)
> 12[CFG] rightupdown=(null)
> 12[CFG] eap_identity=(null)
> 12[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
> 12[CFG] esp=aes128-sha1,3des-sha1
> 12[CFG] mediation=no
> 12[CFG] mediated_by=(null)
> 12[CFG] me_peerid=(null)
> 12[KNL] getting interface name for 10.201.114.178
> 12[KNL] 10.201.114.178 is not a local address
> 12[KNL] getting interface name for 10.201.114.211
> 12[KNL] 10.201.114.211 is on interface eth0
> 12[CFG] loaded certificate "C=IN, ST=KAR, O=WT, OU=TEV, CN=211,
> e=i...@s2-wt.com" from '211Cert.pem'
> 12[CFG] id '10.201.114.211' not confirmed by certificate, defaulting to
> 'C=IN, ST=KAR, O=WT, OU=TEV, CN=211, e=i...@s2-wt.com'
> 12[CFG] added configuration '211TO178Tunnel'
>
> Regards
> Shyam
>
> -----Original Message-----
> From: Martin Willi [mailto:mar...@strongswan.org]
> Sent: Monday, April 19, 2010 10:03 PM
> To: Shyamsundar Purkayastha (WT01 - Telecom Equipment)
> Cc: users@lists.strongswan.org
> Subject: RE: [strongSwan] Trying a basic peer to peer ipsec setup with
> strongswan and is failing due to some key related issue
>
>
>> How can I see explicit logs related to charon startup ?
>
> Try to start charon in the foreground using
> ipsec start --nofork
>
> Regards
> Martin

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
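
The check behind the "ASN1 tag 0x02 expected, but is 0x30" message in the reply above, as an added example that is not part of the original thread and not strongSwan code: an RSA private key's outer SEQUENCE starts with a version INTEGER (tag 0x02), while an X.509 certificate's starts with another SEQUENCE (tag 0x30). The function names are hypothetical, the two samples are constructed DER byte strings rather than real key material, and an unencrypted PEM file is assumed.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv_header(der, off):
    """Return (tag, content_offset, content_length) of the DER element at off."""
    tag, first = der[off], der[off + 1]
    if first < 0x80:                       # short-form length
        return tag, off + 2, first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return tag, off + 2 + n, int.from_bytes(der[off + 2:off + 2 + n], "big")

def first_inner_tag(pem_text):
    """Return (PEM label, tag of the first element inside the outer SEQUENCE)."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = read_tlv_header(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    return m.group(1), read_tlv_header(der, body)[0]

def diagnose(pem_text):
    """Classify a PEM file by the element that follows the outer SEQUENCE."""
    _, tag = first_inner_tag(pem_text)
    if tag == 0x02:    # INTEGER: the version field of an RSA private key
        return "private-key-like"
    if tag == 0x30:    # SEQUENCE: e.g. tbsCertificate of an X.509 certificate
        return "certificate-like"
    return "unknown (first inner tag 0x%02x)" % tag

def to_pem(label, der):
    """Wrap DER bytes in PEM armor (used only to build the samples below)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

# Constructed sample data, not real key material:
# SEQUENCE { INTEGER 0, INTEGER 5 } has the shape a key parser expects.
KEY_LIKE = to_pem("RSA PRIVATE KEY", bytes.fromhex("3006020100020105"))
# SEQUENCE { SEQUENCE { INTEGER 2 }, SEQUENCE {} } has a certificate's shape.
CERT_LIKE = to_pem("CERTIFICATE", bytes.fromhex("300730030201023000"))

if __name__ == "__main__":
    for name, pem in (("key-like sample", KEY_LIKE), ("cert-like sample", CERT_LIKE)):
        print(name, "->", diagnose(pem))
```

The classification follows the DER content, not the PEM label or the file name, so a certificate stored under a private-key path is still reported as certificate-like.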