[Openswan Users] X-509 in openswan

Toby Chamberlain toby at webtechservices.com.au
Fri Aug 5 22:08:25 CEST 2005


That looks exactly like what I have, but maybe just check the spaces - I 
have none before the ":" and one after it. The only other things I can 
suggest are to double check the password is correct, double check the .key 
file is in /etc/ipsec.d/private, double check its filename is the same as 
what you have ("kumar.com.key") and double check that the directory and file 
permissions allow reading/listing by root... (does 'cat 
/etc/ipsec.d/private/kumar.com.key' as root work?)

I also have the certificate file itself (xxx.pem in my case) in the 
ipsec.d/certs directory, but I don't know if this is necessary - it 
certainly doesn't seem to be what openswan is complaining about.


> Hi Toby,
>
> Yes I have the key file in /etc/ipsec.d/private. I am thinking that it may
> be the problem with configuring the ipsec.secrets file.
>
> my ipsec.secrets file
> ------------------------------
> : RSA kumar.com.key "kumar123"
>
> ------------------------------
>
> Thanks
> Kumar
>
> --- Toby Chamberlain <toby at webtechservices.com.au> wrote:
>
>> You do have the key file in /etc/ipsec.d/private don't you?
>>
>> > Hi Andreas,
>> >
>> > I have added the newline character at the end but still the same
>> > problem is coming. The /var/log/messages are showing like this
>> >
>> > Aug  5 15:31:22 buick ipsec_setup: ...Openswan IPsec started
>> > Aug  5 15:31:22 buick ipsec_setup: Starting Openswan IPsec cvs2002Mar12_05:49:03...
>> > Aug  5 15:31:22 buick ipsec__plutorun: 003 "/etc/ipsec.secrets" line 2: error loading RSA private key file
>> >
>> > Thanks
>> > Kumar
>> >
>> > --- Andreas Steffen <andreas.steffen at strongsec.net> wrote:
>> >
>> >> The line
>> >>
>> >> : RSA kumar.com.key "kumar123"
>> >>
>> >> must be terminated with a newline character, i.e. a line feed to the
>> >> next line.
>> >>
>> >> Andreas
>> >>
>> >> kumar nani wrote:
>> >> > Hi Andreas,
>> >> >
>> >> > I have checked my log messages. I think there is some error while
>> >> > loading my private key. See below the dump of /var/log/messages
>> >> >
>> >> > Aug  5 12:24:31 buick ipsec_setup: KLIPS ipsec0 on eth0 192.168.1.124/255.255.255.0 broadcast 192.168.1.255
>> >> > Aug  5 12:24:31 buick ipsec_setup: ...Openswan IPsec started
>> >> > Aug  5 12:24:31 buick ipsec_setup: Starting Openswan IPsec cvs2002Mar12_05:49:03...
>> >> > Aug  5 12:24:31 buick ipsec__plutorun: 003 "/etc/ipsec.secrets" line 1: error loading RSA private key file
>> >> >
>> >> > 2. When I am executing the command "ipsec auto --rereadsecrets" then
>> >> > also the same message is coming.
>> >> >
>> >> > 003 "/etc/ipsec.secrets" line 1: error loading RSA private key file
>> >> >
>> >> > My ipsec.secrets is given below.
>> >> > --------------------------------
>> >> > : RSA kumar.com.key "kumar123"
>> >> >
>> >> > Is there anything still I have to do?
>> >> >
>> >> > Thanks
>> >> > Kumar
>> >> >
>> >> > --- Andreas Steffen <andreas.steffen at strongsec.net> wrote:
>> >> >
>> >> >> Check your logs for error messages while loading the private key
>> >> >> file. You can repeat the loading process by typing
>> >> >>
>> >> >>   ipsec auto --rereadsecrets
>> >> >>
>> >> >> If the private key is loaded correctly but the command
>> >> >>
>> >> >>   ipsec auto --listcerts
>> >> >>
>> >> >> lists your certificate without the comment
>> >> >>
>> >> >>   ..., has private key
>> >> >>
>> >> >> then the public key contained in the certificate does not match the
>> >> >> private key.
>> >> >>
>> >> >> Regards
>> >> >>
>> >> >> Andreas
>> >> >>
>> >> >> kumar nani wrote:
>> >> >>> Hello Everybody,
>> >> >>>
>> >> >>> I have installed openswan-2.3.0 on two Redhat Linux machines and
>> >> >>> preshared keys are working fine. I'm trying to setup IPSec tunnel in
>> >> >>> openswan using x509 certificates, but keep getting told by openswan
>> >> >>> that it can't find my private RSA key.
>> >> >>>
>> >> >>> I have used openssl for generating certificates by following the
>> >> >>> instructions given in this webpage
>> >> >>>
>> >> >>> http://www.natecarlson.com/linux/ipsec-x509.php#casetup
>> >> >>>
>> >> >>> ipsec.conf is below
>> >> >>> --------------------
>> >> >>>
>> >> >>> conn kumar
>> >> >>>         type=tunnel
>> >> >>>         authby=rsasig
>> >> >>>         leftrsasigkey=%cert
>> >> >>>         rightrsasigkey=%cert
>> >> >>>         left=xxx.xxx.xxx.xxx
>> >> >>>         leftcert=kumar.com.pem
>> >> >>>         right=yyy.yyy.yyy.yyy
>> >> >>>         rightcert=nitin.com.pem
>> >> >>>         auto=add
>> >> >>>         pfs=yes
>> >> >>>
>> >> >>> My ipsec.secrets
>> >> >>> -----------------
>> >> >>> : RSA kumar.com.key "kumar123"
>> >> >>>
>> >> >>> When I attempt to bring up the connection, it fails, claiming that
>> >> >>> it cannot find my RSA key.
>> >> >>>
>> >> >>> /usr/local/sbin/ipsec auto --up naveen
>> >> >>>
>> >> >>> 104 "kumar" #1: STATE_MAIN_I1: initiate
>> >> >>> 003 "kumar" #1: received Vendor ID payload [Dead Peer Detection]
>> >> >>> 106 "kumar" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>> >> >>> 003 "kumar" #1: unable to locate my private key for RSA Signature
>> >> >>> 224 "kumar" #1: STATE_MAIN_I2:
>>
> === message truncated ===

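The checks the thread walks through (the `: RSA <keyfile> "<passphrase>"` line form, Andreas's newline requirement, the key file living under /etc/ipsec.d/private, and Toby's readability and permission checks) gathered into one script. This is an added example, not code from the thread or from Openswan; the function name, the `private_dir` parameter and the expectation that a private key is mode 0600 are my own assumptions.

```python
import os
import re
import stat
from pathlib import Path

# Matches the line form discussed in the thread:   : RSA kumar.com.key "kumar123"
# Optional selectors may precede the colon; the passphrase is optional but must be quoted.
RSA_LINE = re.compile(
    r'^\s*(?P<selectors>[^:#]*?)\s*:\s*RSA\s+(?P<file>\S+)(?:\s+"(?P<pass>[^"]*)")?\s*$'
)


def check_ipsec_secrets(secrets_path, private_dir="/etc/ipsec.d/private"):
    """Return a list of (line_no, problem) tuples; an empty list means every check passed.

    private_dir is where a relative key file name is looked up (hypothetical parameter,
    defaulting to the directory named in the thread).
    """
    findings = []
    raw = Path(secrets_path).read_bytes()
    lines = raw.decode("utf-8", "replace").splitlines()
    # Andreas's point: the ': RSA ...' line must be terminated with a newline.
    if raw and not raw.endswith(b"\n"):
        findings.append((len(lines), "last line is not terminated with a newline"))
    for n, line in enumerate(lines, 1):            # 1-based, like 'line 1' in the log
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RSA_LINE.match(line)
        if not m:
            findings.append((n, f"line is not of the ': RSA <keyfile> \"<passphrase>\"' form: {line.strip()!r}"))
            continue
        key = Path(m.group("file"))
        if not key.is_absolute():                  # Toby's point: a relative name lives under private_dir
            key = Path(private_dir) / key
        if not key.is_file():
            findings.append((n, f"key file {key} does not exist (check the file name and directory)"))
            continue
        mode = stat.S_IMODE(key.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):   # assumption: a private key should be mode 0600
            findings.append((n, f"{key} is group/world accessible (mode {mode:04o}); expected 0600"))
        if not os.access(key, os.R_OK):            # Toby's "does 'cat ... ' as root work?" check
            findings.append((n, f"{key} is not readable by the current user"))
        if m.group("pass") is None:
            findings.append((n, "no quoted passphrase; needed if the key file is encrypted"))
    return findings
```

Run it as root against the real files (`check_ipsec_secrets("/etc/ipsec.secrets")`); whether the key actually matches the certificate still has to be confirmed with `ipsec auto --listcerts` as Andreas describes.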

