[Openswan Users] cert problem with new 2.6.21 version

Paul Wouters paul at xelerance.com
Tue Apr 7 13:37:06 EDT 2009


On Tue, 7 Apr 2009, weirauch at checkmobile.de wrote:

> Apr  7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1:
> unable to locate my private key for RSA Signature

Is your private key in /etc/ipsec.d/private/  ?
Do you have an entry for it in /etc/ipsec.secrets ?
If the key file is password protected, did you specify the password in ipsec.secrets?
Are you sure the public cert plus the private key belong together
  and are not from different key/cert installs?

> conn l2tp-X.509

>        authby=rsasig
>        left=87.XXX.XXX.140
>        leftcert=/etc/ipsec.d/certs/vpncm_mcert.pem

>        rightcert=/etc/ipsec.d/certs/macpwneu.pem

> content of /etc/ipsec.d/certs
>
> -rw-r--r--  1 root root 1094 Apr  7 15:21 macpwneu.pem
> -rw-r--r--  1 root root 1139 Mar  5 09:50 vpncm_mcert.pem
>
> and in /etc/ipsec.d/cacerts
> is the ca key with which those two keys were signed.

Note that loading the REMOTE certificate by specifying a file
as you did for rightcert= will bypass all CA checks. The key
is considered "trusted" because you got it from disk.

You can use ipsec auto --listall to debug this further.

Paul
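The four checks in the reply above (key present, referenced from ipsec.secrets, decryptable, and actually belonging to the certificate) can be scripted. The following is an added example, not code from the mail or from the Openswan project: it needs only POSIX sh and the openssl command line, generates its own throwaway cert/key pairs as constructed test data, and every path in it is a hypothetical placeholder to be swapped for the real leftcert= file and /etc/ipsec.d/private key. The secrets-line format it greps for is Openswan's `: RSA /path/to/key.pem [ "passphrase" ]`.

```shell
#!/bin/sh
# Added example (not from the Openswan project or the original mail): the
# checks from Paul's list, scripted. Only openssl and POSIX sh are used;
# all file paths are hypothetical placeholders.

# keys_match CERT KEY
# Returns 0 when the public key embedded in CERT equals the public key derived
# from the RSA private key KEY, 1 when they differ, and 2 when a file is
# unreadable or the key is encrypted and no passphrase is available (stdin is
# /dev/null so openssl fails instead of prompting). An encrypted key without
# its passphrase in ipsec.secrets is one way to get pluto's
# "unable to locate my private key for RSA Signature".
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null </dev/null) || return 2
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null </dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# secrets_has_key SECRETS KEYFILE
# Returns 0 when an uncommented line in SECRETS of the form
#   : RSA /etc/ipsec.d/private/key.pem [ "passphrase" ]
# names KEYFILE. The path must be the same string pluto will look up.
secrets_has_key() {
    grep -v '^[[:space:]]*#' "$1" | grep -F -- "$2" | grep -q 'RSA'
}

# check_pair CERT KEY SECRETS
# Prints one verdict per check, as an operator would run it against a live
# /etc/ipsec.d, and returns 0 only if both checks pass.
check_pair() {
    ok=0
    if keys_match "$1" "$2"; then
        echo "ok:   $1 matches $2"
    else
        echo "FAIL: $1 does not match $2 (or $2 is unreadable/encrypted)"
        ok=1
    fi
    if secrets_has_key "$3" "$2"; then
        echo "ok:   $3 references $2"
    else
        echo "FAIL: $3 has no ': RSA $2' line"
        ok=1
    fi
    return $ok
}

# make_fixtures DIR
# Constructed test data: two unrelated self-signed RSA cert/key pairs and an
# ipsec.secrets that references only the first key.
make_fixtures() {
    mkdir -p "$1/certs" "$1/private"
    for n in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=host$n.example.test" \
            -keyout "$1/private/key$n.pem" -out "$1/certs/cert$n.pem" 2>/dev/null
    done
    printf ': RSA %s/private/key1.pem\n' "$1" >"$1/ipsec.secrets"
}

# Stand-alone run: build the fixtures in a temp dir, check a matching pair,
# then a cert paired with the wrong key, and clean up.
demo() {
    d=$(mktemp -d)
    make_fixtures "$d"
    check_pair "$d/certs/cert1.pem" "$d/private/key1.pem" "$d/ipsec.secrets" || true
    check_pair "$d/certs/cert2.pem" "$d/private/key1.pem" "$d/ipsec.secrets" || true
    rm -rf "$d"
}

demo
```

Against a real installation, call `check_pair /etc/ipsec.d/certs/<leftcert>.pem /etc/ipsec.d/private/<key>.pem /etc/ipsec.secrets`; a return of 2 from keys_match on a key you know exists points at a passphrase problem rather than a mismatch.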

