[Openswan Users] Openswan not able to load x509 Private Key
Pedro Peixoto
pedrohrfp at hotmail.com
Thu Nov 29 08:49:58 EST 2012
Hi there,
I'm trying to set up an L2TP/IPSec test environment using OpenSWAN + xl2tp + pppd, but I can't get OpenSWAN to load the private key correctly.
My configuration files seem ok to me, as does the cert/key generation process. Can anyone show me what's wrong?
I'm using Ubuntu 12.10 x64 with Kernel 3.5.0-18
OpenSSL 1.0.1c
Openswan U2.6.37/K3.5.0-18-generic (netkey)
I followed this tutorial: http://www.natecarlson.com/2006/07/10/configuring-an-ipsec-tunnel-with-openswan-and-l2tpd/
1- Created a CACert.pem using: CA.sh -newreq
2- Created a CRL file using: openssl ca -gencrl -out crl.pem
3- Created a Server certificate pair (cert + key) using: CA.sh -newreq; CA.sh -sign
(CAcert and all certificates were generated with no errors. Server certificate was generated using "senhasenha" as the passphrase)
4- Moved the files to the correct /etc/ipsec.d structure
5- Here's my ipsec.conf file:
--- begin ipsec.conf file ---
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    plutodebug="all"
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
    plutostderrlog=/var/log/openswan.log

conn L2TP_IPSEC
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    keyingtries=1
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    pfs=no
    rekey=no
    type=transport
    left=PUBLIC.IP.ADDR
    leftcert=newcert.pem
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
--- end ipsec.conf file ---
And my ipsec.secrets:
--- begin ipsec.secrets file ---
: RSA newkey.key "senhasenha"
--- end ipsec.secrets file ---
6- When I start OpenSWAN, the logfile says:
loading secrets from "/etc/ipsec.secrets"
loaded private key file '/etc/ipsec.d/private/newkey.key' (1834 bytes)
| file content is not binary ASN.1
| -----BEGIN ENCRYPTED PRIVATE KEY-----
| -----END ENCRYPTED PRIVATE KEY-----
| file coded in PEM format
| L0 - RSAPrivateKey:
| L1 - version: ASN1 tag 0x02 expected, but is 0x30
| 30 40 06 09 2a 86 48 86 f7 0d 01 05 0d 30 33 30
| 1b 06 09 2a 86 48 86 f7 0d 01 05 0c 30 0e 04 08
| 94 04 00 c4 42 76 2f 74 02 02 08 00 30 14 06 08
| 2a 86 48 86 f7 0d 03 07 04 08 03 6f 80 9e bc 85
| 65 5d
error in PKCS#1 private key
"/etc/ipsec.secrets" line 2: error loading RSA private key file
Big thanks from Brazil,
Pedro Peixoto