[Openswan Users] Fwd: problem with RSA private key (SOLVED)
David Clymer
dclyme at hrcsb.org
Fri Aug 13 13:39:05 CEST 2004
I accidentally replied to Paul rather than the list. My apologies. The
email is below.
----- Forwarded message from David Clymer <david at hrcsb.org> -----
> To: Paul Wouters <paul at xelerance.com>
> From: David Clymer <david at hrcsb.org>
> Subject: Re: [Openswan Users] Fwd: problem with RSA private key (SOLVED)
>
> Thus quoth Paul Wouters:
> > To: David Clymer <dclyme at hrcsb.org>
> > Cc: users at lists.openswan.org
> > From: Paul Wouters <paul at xelerance.com>
> > Subject: Re: [Openswan Users] Fwd: problem with RSA private key
> >
> > On Fri, 13 Aug 2004, David Clymer wrote:
> >
> > > I added the following line to /etc/ipsec.secrets:
> > >
> > > juniperhs at hrcsb.org: RSA /etc/ipsec.d/private/jekylKey.pem
> > >
> > > I configured my vpn in /etc/ipsec.conf:
> > >
> > > # netgear VPN connection
> > > conn netgear1
> > >         # general options
> > >         type=tunnel
> > >         keyexchange=ike
> > >         pfs=yes
> > >         authby=rsasig
> > >         # Left security gateway, subnet behind it, next hop toward right.
> > >         left=192.168.10.1
> > >         leftsubnet=192.168.2.0/24
> > >         leftid=router at hrcsb.org
> > >         leftcert=jekylCert.pem
> > >         # Right security gateway, subnet behind it, next hop toward left.
> > >         right=192.168.10.192
> > >         rightsubnet=192.168.9.0/24
> > >         rightid=juniperhs at hrcsb.org
> > >         rightcert=netgear1.pem
> > >         auto=start
> >
> > Is your local really right and not left?
> >
>
> No, it's left (local), right (remote). Why do you ask? Is there something
> else odd about my config? I'm a VPN virgin, so it's quite likely I've got
> something strange in my config.
>
> The index I put in ipsec.secrets is the remote ID. man ipsec.secrets didn't
> specify whether the index was supposed to be a local ID or a remote one.
> Using the remote ID to determine which key to use just made the most sense
> to me.
>
> > The easiest is probably to just remove the passphrase from your key:
> >
> > juniperhs at hrcsb.org: RSA /etc/ipsec.d/private/jekylKey.pem
> >
> > openssl rsa -in /etc/ipsec.d/private/jekylKey.pem -out /etc/ipsec.d/private/jekylKey.pem
> >
> > Check with ipsec auto --listall and look for 'have private key' to confirm
> > whether the key could be read.
> >
>
> I figured it out. I still had my /etc/x509cert.der sitting around from
> my original attempt with freeswan. That was a different certificate from
> my current one, and so my private key wasn't matching.
>
> Thanks for the help.
>
> -davidc
----- End forwarded message -----
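The root cause above was a certificate (the stale /etc/x509cert.der) that did not belong to the private key named in ipsec.secrets, and Paul's first suggestion was a passphrase-protected key that pluto could not read. Both conditions can be checked offline with nothing but openssl, before touching ipsec.conf. The script below is an added example, not code from this thread or from Openswan: it compares the RSA modulus of a key against the modulus of a PEM or DER certificate, refuses encrypted keys, and shows the passphrase removal done into a new file rather than over the original. All file names (jekylKey.pem, jekylCert.pem, x509cert.der, otherKey.pem) and the keys and certificate it generates are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Openswan thread or project): verify that an RSA
# private key really belongs to an X.509 certificate, and detect a
# passphrase-protected key, using only the openssl CLI.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Hash of the RSA modulus in a private key (PEM, traditional or PKCS#8).
key_modulus() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl md5
}

# Hash of the modulus of the public key inside a certificate.
# $2 is the input format, PEM (default) or DER, so a leftover x509cert.der
# can be checked directly.
cert_modulus() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -modulus 2>/dev/null | openssl md5
}

# True if the PEM key carries a passphrase (covers "Proc-Type: 4,ENCRYPTED"
# and "BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Succeeds (exit 0) only when key and certificate share a modulus.
# Exit 2 for an encrypted key: pluto cannot use it unattended either.
key_matches_cert() {
    if key_is_encrypted "$1"; then
        echo "refusing: $1 is passphrase-protected; strip the passphrase first" >&2
        return 2
    fi
    [ "$(key_modulus "$1")" = "$(cert_modulus "$2" "${3:-PEM}")" ]
}

# Remove the passphrase ($2) from key $1, writing the result to a NEW file $3
# so a mistake never overwrites the only copy of the key.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# ---- constructed test material (hypothetical names, generated on the fly) ----
openssl genrsa -out "$workdir/jekylKey.pem" 2048 2>/dev/null
openssl req -new -x509 -key "$workdir/jekylKey.pem" -out "$workdir/jekylCert.pem" \
    -days 1 -subj "/CN=jekyl.example" 2>/dev/null
# A DER copy of the matching certificate, like the /etc/x509cert.der FreeS/WAN used.
openssl x509 -in "$workdir/jekylCert.pem" -outform DER -out "$workdir/x509cert.der" 2>/dev/null
# An unrelated key, standing in for a certificate/key pair from another install.
openssl genrsa -out "$workdir/otherKey.pem" 2048 2>/dev/null
# A passphrase-protected copy of the good key.
openssl rsa -in "$workdir/jekylKey.pem" -aes256 -passout pass:secret \
    -out "$workdir/jekylKey.enc.pem" 2>/dev/null

# ---- demonstration ----
for pair in "jekylKey.pem jekylCert.pem PEM" \
            "jekylKey.pem x509cert.der DER" \
            "otherKey.pem jekylCert.pem PEM"; do
    set -- $pair
    if key_matches_cert "$workdir/$1" "$workdir/$2" "$3"; then
        echo "$1 matches $2"
    else
        echo "$1 does NOT match $2"
    fi
done

# The encrypted key is rejected until the passphrase is stripped into a new file.
key_matches_cert "$workdir/jekylKey.enc.pem" "$workdir/jekylCert.pem" || true
strip_passphrase "$workdir/jekylKey.enc.pem" secret "$workdir/jekylKey.plain.pem"
key_matches_cert "$workdir/jekylKey.plain.pem" "$workdir/jekylCert.pem" \
    && echo "jekylKey.plain.pem matches jekylCert.pem after stripping the passphrase"
```

Run it on real files by calling key_matches_cert with the key path from ipsec.secrets and the certificate path from leftcert (or the DER file, with DER as the third argument); a mismatch there is exactly the condition that left pluto without a usable private key in this thread. An unencrypted key on disk must be protected by file permissions (mode 0600, owned by root) since nothing else guards it once the passphrase is gone.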