[Openswan Users] Openswan not able to load x509 Private Key

Pedro Peixoto pedrohrfp at hotmail.com
Thu Dec 6 09:02:55 EST 2012


Hi,

Sorry for previous message replied outside of the List.

Thanks for replying. That solved the problem, but now it 
seems there is no need to use the Private Key passphrase in the secrets 
file (even a random string will be accepted). Is that correct?

Thanks in advance,

Pedro Peixoto.

> Date: Thu, 6 Dec 2012 16:00:50 +0530
> From: elison.niven at elitecore.com
> To: pedrohrfp at hotmail.com
> CC: users at lists.openswan.org
> Subject: Re: [Openswan Users] Openswan not able to load x509 Private Key
> 
> Try this :
> openssl rsa -in /etc/ipsec.d/private/newkey.key -out newkey.key.new
> and use that in ipsec.secrets.
> 
> On Thursday 29 November 2012 07:19:58 PM IST, Pedro Peixoto wrote:
> > Hi there,
> >
> > I'm trying to setup a L2TP/IPSec test environment using OpenSWAN +
> > xl2tp + pppd, but I can't get OpenSWAN to load the private key correctly.
> > My configuration files seems ok to me, as does the cert/key generation
> > process. Can anyone show me what's wrong?
> >
> > I'm using Ubuntu 12.10 x64 with Kernel 3.5.0-18
> > OpenSSL 1.0.1c
> > Openswan U2.6.37/K3.5.0-18-generic (netkey)
> >
> > I fallowed this tutorial:
> > http://www.natecarlson.com/2006/07/10/configuring-an-ipsec-tunnel-with-openswan-and-l2tpd/
> >
> > 1- Created a CACert.pem using: CA.sh -newreq
> > 2- Created a CRL file using: openssl ca -gencrl -out crl.pem
> > 3- Created a Server certificate pair (cert + key) using: CA.sh
> > -newreq; CA.sh -sign
> > (CAcert and all certificates were genereted with no errors. Server
> > certificate was generated using "senhasenha" as the passphrase)
> > 4- Moved the files to the correct /etc/ipsec.d structure
> > 5- Here's my ipsec.conf file:
> >
> > --- begin ipsec.conf file ---
> > version 2.0     # conforms to second version of ipsec.conf specification
> >
> > config setup
> >         plutodebug="all"
> >         dumpdir=/var/run/pluto/
> >         nat_traversal=yes
> >
> > virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> >         oe=off
> >         protostack=netkey
> >         plutostderrlog=/var/log/openswan.log
> >
> > conn L2TP_IPSEC
> >         compress=yes
> >         disablearrivalcheck=no
> >         authby=rsasig
> >         keyingtries=1
> >         leftrsasigkey=%cert
> >         rightrsasigkey=%cert
> >         pfs=no
> >         rekey=no
> >         type=transport
> >         left=PUBLIC.IP.ADDR
> >         leftcert=newcert.pem
> >         leftprotoport=17/1701
> >         right=%any
> >         rightprotoport=17/%any
> >         auto=add
> > --- end ipsec.conf file ---
> >
> > And my ipsec.secrets:
> >
> > --- begin ipsec.secrets file ---
> >
> > : RSA newkey.key "senhasenha"
> >
> > --- end ipsec.secrets file ---
> >
> > 6- When I start OpenSWAN, the logfile says:
> >
> > loading secrets from "/etc/ipsec.secrets"
> >   loaded private key file '/etc/ipsec.d/private/newkey.key' (1834 bytes)
> > |   file content is not binary ASN.1
> > |   -----BEGIN ENCRYPTED PRIVATE KEY-----
> > |   -----END ENCRYPTED PRIVATE KEY-----
> > |   file coded in PEM format
> > | L0 - RSAPrivateKey:
> > | L1 - version: ASN1 tag 0x02 expected, but is 0x30
> > |   30 40 06 09  2a 86 48 86  f7 0d 01 05  0d 30 33 30
> > |   1b 06 09 2a  86 48 86 f7  0d 01 05 0c  30 0e 04 08
> > |   94 04 00 c4  42 76 2f 74  02 02 08 00  30 14 06 08
> > |   2a 86 48 86  f7 0d 03 07  04 08 03 6f  80 9e bc 85
> > |   65 5d
> >   error in PKCS#1 private key
> > "/etc/ipsec.secrets" line 2: error loading RSA private key file
> >
> > Big thanks from Brazil,
> >
> > Pedro Peixoto
> >
> >
> > _______________________________________________
> > Users at lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
> --
> Best Regards,
> Elison Niven
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20121206/2780543c/attachment.html>


More information about the Users mailing list