[Openswan Users] X-509 in openswan

Andreas Steffen andreas.steffen at strongsec.net
Fri Aug 5 10:52:15 CEST 2005


Check your logs for error messages while loading the
private key file. You can repeat the loading process
by typing

   ipsec auto --rereadsecrets

If the private key is loaded correctly but the command

   ipsec auto --listcerts

lists your certificate without the comment

   ..., has private key

then the public key contained in the certificate does
not match the private key.

Regards

Andreas

kumar nani wrote:
> Hello Everybody,
> 
>  I have installed openswan-2.3.0 on two Redhat Linux
> machines and preshared keys are working fine. I'm
> trying to setup IPSec tunnel in openswan using x509
> certificates, but keep getting told by openswan that
> it can't find my private RSA key.
> 
> I have used openssl for generating certificates by
> following the instructions given in this webpage
> 
> http://www.natecarlson.com/linux/ipsec-x509.php#casetup
> 
> 
> ipsec.conf is below
> --------------------
>
> conn kumar
>         type=tunnel
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         left=xxx.xxx.xxx.xxx
>         leftcert=kumar.com.pem
>         right=yyy.yyy.yyy.yyy
>         rightcert=nitin.com.pem
>         auto=add
>         pfs=yes
>                
> My ipsec.secrets
> -----------------
> : RSA kumar.com.key "kumar123"
> 
> When I attempt to bring up the connection, it fails,
> claiming that it cannot find my RSA key.
> 
> /usr/local/sbin/ipsec auto --up naveen
> 
> 104 "kumar" #1: STATE_MAIN_I1: initiate
> 003 "kumar" #1: received Vendor ID payload [Dead Peer
> Detection]
> 106 "kumar" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "kumar" #1: unable to locate my private key for
> RSA Signature
> 224 "kumar" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
> 
> 
> If anyone has a suggestion that might help me to solve
> this problem, I'd appreciate it greatly.
> 
> 
> ** Kumar **

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
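
The two cases in the reply above (the key file fails to load, or it loads but does not belong to the certificate) can be told apart outside pluto with openssl. This is an added example, not part of the original message or of Openswan; the function names `cert_matches_key` and `make_pair` and the return codes are assumptions made here, and the demo key material is constructed.

```shell
#!/bin/sh
# Usage: cert_matches_key CERT.pem KEY.pem [PASSIN]
# PASSIN is an openssl pass phrase source, e.g. file:/path or env:VAR.
# Returns 0 = key belongs to certificate
#         1 = key loads but does not match the certificate
#         2 = certificate could not be read
#         3 = private key could not be loaded (bad file or pass phrase)
cert_matches_key() {
    cert=$1 key=$2 passin=${3:-}
    # Public key (SubjectPublicKeyInfo, PEM) as stored in the certificate
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key file
    if [ -n "$passin" ]; then
        key_pub=$(openssl pkey -in "$key" -passin "$passin" -pubout 2>/dev/null) \
            || return 3
    else
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) \
            || return 3
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed throwaway key and self-signed certificate for a demo run.
make_pair() {  # make_pair DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Run as "sh thisfile demo" to see both outcomes on constructed files.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_pair "$d" a && make_pair "$d" b
    cert_matches_key "$d/a.pem" "$d/a.key" && echo "a.pem / a.key: match"
    cert_matches_key "$d/a.pem" "$d/b.key" || echo "a.pem / b.key: rc=$?"
    rm -rf "$d"
fi
```

For a real key, give the pass phrase as `file:` or `env:` rather than `pass:`, which exposes it in the process list and shell history.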

