[Openswan Users] PSK works, certificates not

Paul Wouters paul at xelerance.com
Tue Jul 17 13:24:14 EDT 2007

On Tue, 17 Jul 2007, Arno Lehmann wrote:

> Quite basic at the moment:
> I have an internal network,, where I run a server that
> will become a VPN gateway. This is "balrog" at

> A test client "phoenix" is at .88. This machine runs MS Windows Vista
> business.

> conn intern-cert
>          authby=rsasig
>          rightrsasigkey=%cert
>          leftcert=ITS-VPN.pem
>          left=
>          leftprotoport=17/1701
>          right=%any
>          rightprotoport=17/1701
>          rightsubnet=vhost:%no,%priv
>          rightca=%same
>          auto=add
> (the defaults are unchanged from the PSK setup, and the connection
> itself is also similar to the working PSK one.)
> I created a (sub) CA (I'm using tinyCA for other certificate handling
> already) and created two certificates, one for the VPN server, and one
> for the windows client.
> I packaged the windows one as a pkcs12 file and installed it on that
> machine.

How did you install it? Double clicking won't work properly.

> When I keep the gateway certificate protected by a password, and have
> a line like ": RSA <keyfile> "password" in ipsec.secrets, I get these
> messages:
> > Jul 17 01:18:05 balrog pluto[13311]: loading secrets from "/etc/ipsec.secrets"
> > Jul 17 01:18:05 balrog pluto[13311]:   could not open private key file '/etc/ipsec.d/private/ITS-VPN.pem'
> > Jul 17 01:18:05 balrog pluto[13311]: "/etc/ipsec.secrets" line 14: error loading RSA private key file
> > Jul 17 01:18:05 balrog ipsec__plutorun: 003 "/etc/ipsec.secrets" line 14: error loading RSA private key file

That's odd. Are you using any odd characters in the secret?

> If I unlock the key file (and comment out the line in ipsec.secrets),
> I get no messages in the log.

You still need to put the keyfile in there, just leave out the "password" section.

You can see with ipsec auto --listall what x509 bits have been loaded by pluto.

> The malformed payload message is, as far as I understand after much
> reading, more or less only an artifact of an unencrypted message sent
> because encryption could not be established.

Yes, windows is bad in that way.
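As an added example (not from this thread and not Openswan's own code), here is a small POSIX sh check that reads the `: RSA <keyfile> ["passphrase"]` lines of an ipsec.secrets-style file before pluto does, and reports the situations discussed above: a key file that cannot be opened (the log message on balrog), an encrypted key with no passphrase, an unencrypted key that still carries a passphrase (the part Paul says to leave out), and a passphrase holding a double quote or a non-printable character that cannot survive the double-quoted form. It assumes that a bare file name is resolved under /etc/ipsec.d/private (consistent with the full path in the log) and that an encrypted PEM is recognised by its `Proc-Type: 4,ENCRYPTED` or `BEGIN ENCRYPTED PRIVATE KEY` header; the key files and secrets lines it builds are constructed stand-ins, not real keys.

```shell
#!/bin/sh
# Constructed example: sanity-check ": RSA <keyfile> ["passphrase"]" lines of an
# ipsec.secrets-style file. Assumptions: bare names live under /etc/ipsec.d/private;
# an encrypted PEM shows a Proc-Type or "BEGIN ENCRYPTED PRIVATE KEY" header.

# pem_is_encrypted FILE -> 0 if FILE carries an encrypted-PEM marker, 1 otherwise
pem_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1" 2>/dev/null
}

# check_secrets SECRETS_FILE [PRIVATE_DIR]
# Prints one line per finding and returns the number of findings (0 = clean).
check_secrets() {
    secrets=$1
    privdir=${2:-/etc/ipsec.d/private}
    findings=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=$(printf '%s' "$line" | tr '\t' ' ')
        case "$line" in
            ": RSA "*) ;;            # only RSA key lines are examined
            *) continue ;;
        esac
        rest=${line#": RSA "}
        rest=${rest#"${rest%%[! ]*}"}          # drop leading blanks
        case "$rest" in "{"*) continue ;; esac # inline "{ ... }" key block, not a file
        keyfile=${rest%% *}                    # first token is the key file
        rest=${rest#"$keyfile"}
        rest=${rest#"${rest%%[! ]*}"}          # remainder is the optional "passphrase"
        case "$keyfile" in
            /*) keypath=$keyfile ;;
            *)  keypath=$privdir/$keyfile ;;
        esac
        haspass=0
        passphrase=""
        case "$rest" in
            "") ;;
            \"*\") haspass=1; passphrase=${rest#\"}; passphrase=${passphrase%\"} ;;
            *) echo "line $lineno: trailing text is not a double-quoted passphrase: $rest"
               findings=$((findings + 1)); continue ;;
        esac
        if [ ! -r "$keypath" ]; then
            # the situation behind pluto's "could not open private key file"
            echo "line $lineno: key file $keypath is missing or not readable"
            findings=$((findings + 1)); continue
        fi
        if pem_is_encrypted "$keypath"; then
            if [ "$haspass" -eq 0 ]; then
                echo "line $lineno: $keypath is encrypted but no passphrase is given"
                findings=$((findings + 1))
            fi
        elif [ "$haspass" -eq 1 ]; then
            echo "line $lineno: $keypath is not encrypted; drop the \"passphrase\" part"
            findings=$((findings + 1))
        fi
        if [ "$haspass" -eq 1 ]; then
            bad=0
            case "$passphrase" in *\"*) bad=1 ;; esac
            [ -n "$(printf '%s' "$passphrase" | LC_ALL=C tr -d '[:print:]')" ] && bad=1
            if [ "$bad" -eq 1 ]; then
                echo "line $lineno: passphrase contains a double quote or non-printable character"
                findings=$((findings + 1))
            fi
        fi
    done < "$secrets"
    return "$findings"
}

# make_fixture -> prints a temp dir holding constructed stand-in keys and secrets files
make_fixture() {
    fx=$(mktemp -d)
    mkdir "$fx/private"
    # not real keys: only the PEM headers matter to the check
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'c29tZSBjaXBoZXJ0ZXh0' \
        '-----END RSA PRIVATE KEY-----' > "$fx/private/locked.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'c29tZSBrZXkgYnl0ZXM=' \
        '-----END RSA PRIVATE KEY-----' > "$fx/private/open.pem"
    # clean: a passphrase only where the key is actually encrypted
    printf '%s\n' ': RSA locked.pem "correct horse"' ': RSA open.pem' > "$fx/good.secrets"
    # four mistakes: encrypted key without passphrase, open key with one,
    # a key file that cannot be opened, and a passphrase containing a double quote
    printf '%s\n' ': RSA locked.pem' ': RSA open.pem "unneeded"' \
        ': RSA missing.pem "x"' ': RSA locked.pem "has"quote"' > "$fx/bad.secrets"
    echo "$fx"
}

# demo: run the check over both constructed files (stand-alone use)
demo() {
    d=$(make_fixture)
    for f in good bad; do
        echo "== $f.secrets"
        rc=0; check_secrets "$d/$f.secrets" "$d/private" || rc=$?
        echo "$rc problem(s) found"
    done
    rm -rf "$d"
}
demo
```

Run it as `sh check_secrets.sh` to see the constructed files checked, or source it and call `check_secrets /etc/ipsec.secrets` on a real gateway; a non-zero return is the number of lines that need attention, and `ipsec auto --listall` then confirms what pluto actually loaded.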
