[Openswan Users] Openswan not able to load x509 Private Key

Elison Niven elison.niven at elitecore.com
Thu Dec 6 05:30:50 EST 2012


Try this:
openssl rsa -in /etc/ipsec.d/private/newkey.key -out newkey.key.new
and use that in ipsec.secrets.

On Thursday 29 November 2012 07:19:58 PM IST, Pedro Peixoto wrote:
> Hi there,
>
> I'm trying to setup a L2TP/IPSec test environment using OpenSWAN +
> xl2tp + pppd, but I can't get OpenSWAN to load the private key correctly.
> My configuration files seem ok to me, as does the cert/key generation
> process. Can anyone show me what's wrong?
>
> I'm using Ubuntu 12.10 x64 with Kernel 3.5.0-18
> OpenSSL 1.0.1c
> Openswan U2.6.37/K3.5.0-18-generic (netkey)
>
> I followed this tutorial:
> http://www.natecarlson.com/2006/07/10/configuring-an-ipsec-tunnel-with-openswan-and-l2tpd/
>
> 1- Created a CACert.pem using: CA.sh -newreq
> 2- Created a CRL file using: openssl ca -gencrl -out crl.pem
> 3- Created a Server certificate pair (cert + key) using: CA.sh
> -newreq; CA.sh -sign
> (CAcert and all certificates were generated with no errors. Server
> certificate was generated using "senhasenha" as the passphrase)
> 4- Moved the files to the correct /etc/ipsec.d structure
> 5- Here's my ipsec.conf file:
>
> --- begin ipsec.conf file ---
> version 2.0     # conforms to second version of ipsec.conf specification
>
> config setup
>         plutodebug="all"
>         dumpdir=/var/run/pluto/
>         nat_traversal=yes
>
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>         oe=off
>         protostack=netkey
>         plutostderrlog=/var/log/openswan.log
>
> conn L2TP_IPSEC
>         compress=yes
>         disablearrivalcheck=no
>         authby=rsasig
>         keyingtries=1
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         pfs=no
>         rekey=no
>         type=transport
>         left=PUBLIC.IP.ADDR
>         leftcert=newcert.pem
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/%any
>         auto=add
> --- end ipsec.conf file ---
>
> And my ipsec.secrets:
>
> --- begin ipsec.secrets file ---
>
> : RSA newkey.key "senhasenha"
>
> --- end ipsec.secrets file ---
>
> 6- When I start OpenSWAN, the logfile says:
>
> loading secrets from "/etc/ipsec.secrets"
>   loaded private key file '/etc/ipsec.d/private/newkey.key' (1834 bytes)
> |   file content is not binary ASN.1
> |   -----BEGIN ENCRYPTED PRIVATE KEY-----
> |   -----END ENCRYPTED PRIVATE KEY-----
> |   file coded in PEM format
> | L0 - RSAPrivateKey:
> | L1 - version: ASN1 tag 0x02 expected, but is 0x30
> |   30 40 06 09  2a 86 48 86  f7 0d 01 05  0d 30 33 30
> |   1b 06 09 2a  86 48 86 f7  0d 01 05 0c  30 0e 04 08
> |   94 04 00 c4  42 76 2f 74  02 02 08 00  30 14 06 08
> |   2a 86 48 86  f7 0d 03 07  04 08 03 6f  80 9e bc 85
> |   65 5d
>   error in PKCS#1 private key
> "/etc/ipsec.secrets" line 2: error loading RSA private key file
>
> Big thanks from Brazil,
>
> Pedro Peixoto
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users

--
Best Regards,
Elison Niven
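To see what pluto actually rejected, here is an added example (my own, not code from the thread or from Openswan) that decodes the 66 bytes dumped in the quoted log: where a PKCS#1 RSAPrivateKey would start with INTEGER version, this file carries a PBES2 AlgorithmIdentifier, i.e. it is a PKCS#8 EncryptedPrivateKeyInfo, which is what `openssl rsa` rewrites into the traditional "RSA PRIVATE KEY" form. It assumes pluto's dump starts at the first element inside the PEM body's outer SEQUENCE.

```python
# Added example (not from the thread): decode the bytes pluto dumped after
# "ASN1 tag 0x02 expected, but is 0x30" and name what it actually rejected.
# Assumes the dump starts at the first element inside the PEM body's outer
# SEQUENCE, where a PKCS#1 RSAPrivateKey would carry INTEGER version.
OID_NAMES = {"1.2.840.113549.1.5.13": "PBES2",        # PKCS#5 v2 encryption
             "1.2.840.113549.1.5.12": "PBKDF2",
             "1.2.840.113549.3.7": "des-ede3-cbc"}

# 66 bytes copied from the pluto log quoted in the thread.
PLUTO_DUMP = bytes.fromhex(
    "30 40 06 09 2a 86 48 86 f7 0d 01 05 0d 30 33 30"
    " 1b 06 09 2a 86 48 86 f7 0d 01 05 0c 30 0e 04 08"
    " 94 04 00 c4 42 76 2f 74 02 02 08 00 30 14 06 08"
    " 2a 86 48 86 f7 0d 03 07 04 08 03 6f 80 9e bc 85 65 5d")

def read_tlv(buf, pos):
    """(tag, content, next_pos) of the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Dotted form of an OBJECT IDENTIFIER's content bytes (base-128 arcs)."""
    arcs, n = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def walk(buf, out):
    """Collect OIDs and INTEGERs, descending into every SEQUENCE (tag 0x30)."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        if tag == 0x30:
            walk(content, out)
        elif tag == 0x06:
            oid = decode_oid(content)
            out["algorithms"].append(OID_NAMES.get(oid, oid))
        elif tag == 0x02:
            out["integers"].append(int.from_bytes(content, "big"))
    return out

def summarize(blob):
    """Explain the parse failure: leading tag plus the algorithms the blob names."""
    out = walk(blob, {"algorithms": [], "integers": [], "first_tag": blob[0]})
    out["looks_like_pkcs1"] = blob[0] == 0x02      # INTEGER version comes first
    out["pbes2_encrypted"] = "PBES2" in out["algorithms"]
    return out
```

For this dump the summary reports PBES2 with PBKDF2 (2048 iterations) and des-ede3-cbc, which is OpenSSL's default PKCS#8 wrapping. Note that `openssl rsa` without a cipher option such as `-des3` writes the converted key unencrypted, so the passphrase in ipsec.secrets would then no longer be needed.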

