[Openswan Users] Fwd: problem with RSA private key (SOLVED)
dclyme at hrcsb.org
Fri Aug 13 13:39:05 CEST 2004
I accidentally replied to paul rather than the list. My appologies. The
email is below.
----- Forwarded message from David Clymer <david at hrcsb.org> -----
> To: Paul Wouters <paul at xelerance.com>
> From: David Clymer <david at hrcsb.org>
> Subject: Re: [Openswan Users] Fwd: problem with RSA private key (SOLVED)
> Thus quoth Paul Wouters:
> > To: David Clymer <dclyme at hrcsb.org>
> > Cc: users at lists.openswan.org
> > From: Paul Wouters <paul at xelerance.com>
> > Subject: Re: [Openswan Users] Fwd: problem with RSA private key
> > On Fri, 13 Aug 2004, David Clymer wrote:
> > > I added the following line to /etc/ipsec.secrets:
> > >
> > > juniperhs at hrcsb.org: RSA /etc/ipsec.d/private/jekylKey.pem
> > >
> > > I configured my vpn in /etc/ipsec.conf:
> > >
> > > # netgear VPN connection
> > > conn netgear1
> > > # general options
> > > type=tunnel
> > > keyexchange=ike
> > > pfs=yes
> > > authby=rsasig
> > > # Left security gateway, subnet behind it, next hop toward right.
> > > left=192.168.10.1
> > > leftsubnet=192.168.2.0/24
> > > leftid=router at hrcsb.org
> > > leftcert=jekylCert.pem
> > > # Right security gateway, subnet behind it, next hop toward left.
> > > right=192.168.10.192
> > > rightsubnet=192.168.9.0/24
> > > rightid=juniperhs at hrcsb.org
> > > rightcert=netgear1.pem
> > > auto=start
> > Is your local really right and not left?
> No. its left (local), right (remote). Why do you ask? Is there something
> else odd about my config? I'm a VPN virgin, so its quite likely I've got
> something strange in my config.
> The index I put in ipsec.secrets is the remote ID. man ipsec.secrets didnt
> specify whether the index was supposed to be a local id or a remote one,
> Using the remote ID to determine which key to use just made the most sense
> to me.
> > The easiest is probably to just remove the passphrase from your key:
> > juniperhs at hrcsb.org: RSA /etc/ipsec.d/private/jekylKey.pem
> > openssl rsa -in /etc/ipsec.d/private/jekylKey.pem -out /etc/ipsec.d/private/jekylKey.pem
> > Check with ipsec auto --listall and look for 'have private key' to confirm
> > whether the key could be read.
> I figured it out. I still had my /etc/x509cert.der sitting around from
> my original attempt with freeswan. That was a different certificate from
> my current one, and so my private key wasnt matching.
> Thanks for the help.
----- End forwarded message -----
More information about the Users