Hi,

It has been quite some time now since I could follow up on the issue submitted by me; very sorry about the delay in doing so.

I have been facing this issue primarily on an OpenWRT gateway:

----------------------------------------------------------------------------------------------
BusyBox v1.4.2 (2011-08-04 02:47:42 IST) Built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
----------------------------------------------------------------------------------------

- After receiving the reply from Martin as below (at the end of this mail) for a similar issue on a Linux Fedora-13 server running strongSwan 4.5.0, I tried to generate some newer X.509 certs (and the private RSA key files) on the OpenWRT gateway itself:

***************************
root@mfcgw1:/etc# cat ssl/private/mfcgw1key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2FC8D750D505E922

D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1
85P87fkzGA6LYj8LyF7/UXKGs0eBC8BT+c6zlVO1SVgvUii5A42oYXKUQQD1AA6d
5W5KNq+C1e9zUs3BDKPfOhHuODjzqAs0f4NdsJ6I5kmGogS2LczwWV6nDwsBLY3U
LD3vO9tg99dh7/2+rUPWffYx5Ag+OJtcCON3ku7McTdrLODFKkPQYNNXGNGbolui
EuO8o4xRHXdDD3dMud8H/+zHjxrVw8WfcJz5C/uSamLhFwjWUOUL8w5IrnQ8gY7x
RkKoMm8j/PUKTj2gTU4cNgA3gyJh35tCLh7vbiK5F5MYRXzuB8bezTMLOV2QduJ9
nNHLziQsD6br0P/2SFgr/tm+TeZ4r90Bc6zF1rrnEzEr2usz8W4gdm/Am9v01fk0
FWiN/CFrAFncXpkGIppo7j19svN13xhtY0cPhzTPIu5pROxhLbcQPUYi2ci9sLti
vAEStWV2Vcyc+g3/2ZvE9M/SWEsi80cCumbsepsK8hHjuEl5PBK/KbReP+I8SJGv
Dh90ZgiURN35sNd/1GAxltoATCEu526/mIlJcUc1pBpvoPZM6ZOLUgmkwvHRyxp3
1pwkSVx3aTvEzZJCDzQR/nZez4kQD1WwXQ5UQbTfp7yBPOSuRp/ZnWmrdDFs1ck+
7V+I47a2GLqKXIlJ0xuPV0azMeXky8dC+53uSQuDzPlSp7EgdQhLBLNjXJPOKCHT
/mFjd5wRsgz35qld/Jwj19WE7F7baGacrsfM8mSWNBs3YAcNJdks/zavr19Kwgzw
X1RtOfe59BsWtdEepciKXw/PW87QxspRIe4w8Jmmugfl3CWtauuV+ossadNfOK+2
R2m3KhkLj8FA9I5JrTjY8z9PPE0qS/KSAT1EjjDABAPUoxnPyO5f9Df2A7L//f+w
qf25HtwJSUe3hxsOqxtsqSdOqL8Uan3M
-----END RSA PRIVATE KEY-----
root@mfcgw1:/etc#
root@mfcgw1:/etc#
root@mfcgw1:/etc# ipsec version
Linux strongSwan U4.3.6/K2.6.33.5
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root@mfcgw1:/etc#
*******************************************************

- and I am still unable to load the RSA private key file in strongSwan. I am getting the following errors:

*************************************************************
root@mfcgw1:/etc# ipsec start --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID
pluto (11076) started after 20 ms
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac
including NAT-Traversal patch (Version 0.6c)
Using Linux 2.6 IPsec interface code
loading ca certificates from '/etc/ipsec.d/cacerts'
loaded ca certificate from '/etc/ipsec.d/cacerts/cacert.pem'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
loaded crl from 'crl.pem'
loading attribute certificates from '/etc/ipsec.d/acerts'
listening for IKE messages
adding interface eth1/eth1 169.254.0.1:500
adding interface eth1/eth1 169.254.0.1:4500
adding interface eth2/eth2 192.168.1.1:500
adding interface eth2/eth2 192.168.1.1:4500
adding interface eth0/eth0 172.17.10.102:500
adding interface eth0/eth0 172.17.10.102:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
adding interface eth2/eth2 2007::1:500
adding interface eth0/eth0 fec0::ee01:500
loading secrets from "/etc/ipsec.secrets"
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=UK, ST=LNDN, L=LONDON, O=Internet Widgits Pty Ltd, OU=Corp, CN=mfcgw1CA, E=ad...@dvttest.com, subjectAltName=mfcgw1CA.dvttest.com" from '/etc/ipsec.d/cacerts/cacert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loaded crl from '/etc/ipsec.d/crls/crl.pem'
00[CFG] loading secrets from '/etc/ipsec.secrets'
building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
syntax error in private key file "/etc/ipsec.secrets" line 3: Private key file -- could not be loaded
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
00[CFG] loading private key from '/etc/ipsec.d/private/mfcgw1key.pem' failed
00[DMN] loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac kernel-pfkey stroke updown
00[JOB] spawning 16 worker threads
charon (11077) started after 720 ms
06[CFG] received stroke: add connection 'tunnel1'
06[CFG] left nor right host is our side, assuming left=local
06[CFG] loaded certificate "C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmas...@dvttest.com" from 'mfcgw1cert.pem'
06[CFG] id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltName=172.17.10.102/emailAddress=postmas...@dvttest.com' not confirmed by certificate, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmas...@dvttest.com'
06[CFG] added configuration 'tunnel1'
loaded host certificate from '/etc/ipsec.d/certs/mfcgw1cert.pem'
id '/C=UK/ST=LNDN/L=LNDN/O=DVT TEST Inc/OU=Corp/CN=mfcgw1/subjectAltName=172.17.10.102/emailAddress=postmas...@dvttest.com' not confirmed by certificate, defaulting to 'C=UK, ST=LNDN, L=LNDN, O=DVT TEST Inc, OU=Corp, CN=mfcgw1, subjectAltName=172.17.10.102, E=postmas...@dvttest.com'
added connection description "tunnel1"
09[CFG] received stroke: route 'tunnel1'
09[KNL] no local address found in traffic selector 192.168.1.0/24
configuration 'tunnel1' routed
***********************************************************************

- Can you help in understanding why this is happening when the file is in a correct RSA format?

- Also FYI, I am also facing the same RSA key file loading error when I use the "ipsec pki.." built-in strongSwan cert app. Here too the error we observe is as below:

---------------------------------------------------------------------------------------------
root@evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
file coded in unknown format, discarded
building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
parsing private key failed
root@evm1gw:
----------------------------------------------------------------------------------------

Please forgive me again for the lengthy submission of the issue.

Thanks once again,
with regards,
Rajiv Kulkarni

----------------------------------------------------------------------
> Hi Rajiv,
>
> > [root@dvtpc2 private]# cat dvtpc2key1024-self.pem
> > -----BEGIN PRIVATE KEY-----
> > MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALPec1SeRutyn4Sb
> > yWS8RVXDiroh3XgXchjYbwm+RvoFS7k31LcpK+zgs62ZdTFxeYCv6hr/bV2BIwwf
> > NwMlPc5zyHnjFrMmOG2eXzzd0xleFwx12NSW0rXtpAVa9/GVmROhObAFUlrLYL4R
> > WuVLzpA+gv/2U9jVkVxBMr1GG5khAgMBAAECgYEAk2z88ppYXpswjCx0QZDe85C2
> > oCEpuUjeR+b9++ptmnfEvSc5vnaMfjcejmd9Wu07PXLyWvaI2V8DLuhW2skngjLQ
> > jADppVBvnYvNqqih3GwFSN3H3fieF6fDPeKqv67roqEiGXvCaOUWNFOnAsFGKLpw
> > d66veG3C+8JD2MCd6JECQQDqpyHu/MQpKhsMW13htkhX1+QXjS584RClLLO3L7LL
> > VdGRFjq5cZ2mQzQBNB+ccVDhE02WmfZzAXWHd+hjmzEjAkEAxDtyXkGrdOboz3Wq
> > rvYTM/PCJ+K0/Mbisihoi295yGXU074kzXhdVevpN8SarVHz2ktyjea5qPwFRySF
> > 089q6wJBAMf6ykuv9cmTTdv5HgiX3g2nO4fq1XyuHw52C2+KYhkyuViqFkAnGREy
> > YubHsk0UsbYwSkaYTlXzH2PliBMjlvsCQBsWtcALQrb9lU/mR2ylrZrzYG8PHbrz
> > XaIIb/4nomEmpY2hZwUyQ3gz+9rl+hBJCuesmKC8JA8O00+x3AOUU4cCQQCSn5WN
> > Na04DmDpNODPlp2YgEVsnWZgOVkI3VrKhWzLhEVq/Sduzx9ySgea0VEegsmWAeqz
> > IM+lCeaKgP4Dbjqs
> > -----END PRIVATE KEY-----
>
> This key is wrapped in PKCS#8 without encryption. We currently can't
> read in any PKCS#8 keys.
> Convert such keys to plain RSA using:
>
>   openssl pkcs8 -nocrypt < dvtpc2key1024-self.pem
>
> Regards
> Martin
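The two key files in this thread are in different containers: the Fedora key Martin looked at is an unencrypted PKCS#8 PrivateKeyInfo ("BEGIN PRIVATE KEY"), while the OpenWRT key above is a PKCS#1 RSAPrivateKey in the legacy OpenSSL passphrase-encrypted PEM form (the "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" headers mean the body is ciphertext and a loader needs the passphrase before it can parse anything). Both surface as the same "tried 6 builders" failure, so it helps to inspect a file before blaming the loader. The script below is an added example for this thread, not strongSwan or OpenSSL code: it tells the containers apart from the PEM label plus the DER structure, and performs by hand the unwrap that Martin's `openssl pkcs8 -nocrypt` does (pull the RSAPrivateKey out of the PrivateKeyInfo OCTET STRING and relabel it). It uses only the standard library; the sample keys are constructed from textbook toy integers and are not usable keys.

```python
"""Classify a PEM private-key file by label and DER structure, and unwrap
unencrypted PKCS#8 to PKCS#1.  Added example (not strongSwan/OpenSSL code);
standard library only.  Sample keys are toy integers, NOT real keys."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", re.S)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_int(v):
    # one extra byte when the high bit is set, so the INTEGER stays positive
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def der_parse(data, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_parse(content, pos)
        out.append((tag, body))
    return out


def pkcs1_rsa_private_key(n, e, d, p, q):
    """RSAPrivateKey ::= SEQUENCE { version 0, n, e, d, p, q, dP, dQ, qInv }."""
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der_tlv(0x30, b"".join(der_int(f) for f in fields))


def pkcs8_wrap(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING }."""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + b"\x05\x00")  # rsaEncryption, NULL
    return der_tlv(0x30, der_int(0) + alg + der_tlv(0x04, pkcs1_der))


def pem_encode(label, der, headers=()):
    body = base64.b64encode(der).decode()
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")  # blank line separates legacy headers from the body
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


def classify_pem(text):
    """Say what a loader would have to do with this file before it can use it."""
    m = PEM_RE.search(text)
    if not m:
        return "not PEM (maybe raw DER, or a mangled file)"
    label, block = m.group(1), m.group(2)
    if "Proc-Type: 4,ENCRYPTED" in block or "DEK-Info:" in block:
        return f"{label}: legacy passphrase-encrypted PEM (passphrase required)"
    if label == "ENCRYPTED PRIVATE KEY":
        return "PKCS#8 EncryptedPrivateKeyInfo (passphrase required)"
    tag, content, _ = der_parse(base64.b64decode("".join(block.split())))
    kids = der_children(content)
    if tag != 0x30 or not kids:
        return f"{label}: body is not a DER SEQUENCE"
    if label == "RSA PRIVATE KEY" and len(kids) == 9 and all(t == 0x02 for t, _ in kids):
        return "PKCS#1 RSAPrivateKey (unencrypted)"
    if label == "PRIVATE KEY" and len(kids) >= 3 and kids[1][0] == 0x30 and kids[2][0] == 0x04:
        alg = der_children(kids[1][1])
        if alg and alg[0] == (0x06, RSA_OID):
            return "PKCS#8 PrivateKeyInfo wrapping an RSA key (unencrypted)"
        return "PKCS#8 PrivateKeyInfo with a non-RSA algorithm"
    return f"{label}: label and DER structure do not match"


def pkcs8_to_pkcs1_pem(text):
    """The unwrap 'openssl pkcs8 -nocrypt' performs, done by hand."""
    m = PEM_RE.search(text)
    if not m or m.group(1) != "PRIVATE KEY":
        raise ValueError("expected an unencrypted 'PRIVATE KEY' PEM block")
    _, content, _ = der_parse(base64.b64decode("".join(m.group(2).split())))
    kids = der_children(content)
    if der_children(kids[1][1])[0] != (0x06, RSA_OID):
        raise ValueError("not an rsaEncryption key; nothing to unwrap into PKCS#1")
    return pem_encode("RSA PRIVATE KEY", kids[2][1])


# Constructed samples (toy RSA: p=61, q=53, n=3233, e=17, d=2753), not real keys.
TOY_PKCS1 = pkcs1_rsa_private_key(n=3233, e=17, d=2753, p=61, q=53)
PEM_PKCS1 = pem_encode("RSA PRIVATE KEY", TOY_PKCS1)
PEM_PKCS8 = pem_encode("PRIVATE KEY", pkcs8_wrap(TOY_PKCS1))
PEM_LEGACY_ENCRYPTED = pem_encode("RSA PRIVATE KEY", b"\x00" * 32,  # fake ciphertext
    ["Proc-Type: 4,ENCRYPTED", "DEK-Info: DES-EDE3-CBC,0001020304050607"])

if __name__ == "__main__":
    for name, pem in [("pkcs1", PEM_PKCS1), ("pkcs8", PEM_PKCS8), ("legacy", PEM_LEGACY_ENCRYPTED)]:
        print(f"{name:7s} -> {classify_pem(pem)}")
```

Running the file prints one line per constructed sample; `pkcs8_to_pkcs1_pem(PEM_PKCS8)` returns a "RSA PRIVATE KEY" block that is byte-for-byte the PKCS#1 encoding the PKCS#8 sample was built from. Against the files in the thread, the Fedora key classifies as unencrypted PKCS#8 (Martin's case) and the OpenWRT key as legacy encrypted PEM, which no parser can read without the passphrase; a raw DER file such as the `caKey.der` given to `ipsec pki` is reported as "not PEM".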
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users