From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Wed Oct 23 2002 - 11:34:41 CEST
Is the line
: RSA myKey.pem "<optional passphrase>"
in ipsec.secrets terminated with a newline character? If yes,
is there an additional error message concerning the private
key in the syslog?
Regards
Andreas
martin f krafft wrote:
> i am trying to get freeswan (1.98b) to work between two debian sarge
> hosts with X.509 certs (debian has the x509 patch 0.9.14 installed per
> default), and i am not succeeding. the kernel is a 2.4.19 edition.
>
> the current error i am fighting with is that freeswan reports
>
> ipsec__plutorun: 003 "/etc/ipsec.secrets" line 9: error loading RSA
> private key file
>
> upon startup (and upon `ipsec auto --rereadall`)
>
> to facilitate the error-spotting, here's what I did:
>
> 1. generating the certificates:
> -------------------------------
>
> i have a self signed CA cert in ca.pem. ca.config is all properly
> configured.
> so i ran:
>
> openssl genrsa -des3 2048 > gateway1.key
> openssl req -sha1 -config ca.config -new -key gateway1.key \
> -out gateway1.csr
> openssl ca -config ca.config -days 10 -md sha1 \
> -policy policy_anything -out gateway1.crt -infiles gateway1.csr
> cat gateway1.crt gateway1.key > gateway1.pem
>
> the CN is the FQDN, subjectAltName is blank
>
> and the same for the other gateway2.
>
> 2. installing certificates
> --------------------------
>
> i copied the respective certificates to /etc/ipsec.d/private
> i copied the ca certificate (not the key) to /etc/ipsec.d/cacerts
> on both hosts
>
> all files are 0600 and owned by root:root
>
> 3. configuring ipsec.conf
> -------------------------
>
> i put the following line in /etc/ipsec.secrets on both systems:
> (the ^ indicates line begin)
>
> : RSA /etc/ipsec.d/private/gateway{1,2}.pem "password"
>
> then i used the following in both gateway's ipsec.conf. left is
> gateway1, right is gateway2. so the following is on both verbatim!
>
> conn gate
>     authby=rsasig
>     rightrsasigkey=%cert
>     leftrsasigkey=%cert
>     leftcert=private/gateway1.pem
>     left=80.XXX.XX.XX
>     leftsubnet=192.168.255.248/28
>     right=%any
>     auto=add
>
> conn office-gateway
>     also=gate
>     right=%any
>     rightrsasigkey=%cert
>     rightcert=private/gateway2.pem
>
> 4. wanting to try it
> --------------------
>
> upon start, freeswan now says:
>
> ipsec__plutorun: 003 "/etc/ipsec.secrets" line 9: error loading
> RSA private key file
>
> it doesn't seem to work (obviously).
>
> also, setting full debugging on klips and pluto doesn't show
> anything interesting, so [1] doesn't apply...
>
> i also tried using non-3des encrypted certificates, but got the
> same error. this rules out [2].
>
> 1. http://lists.freeswan.org/pipermail/users/2002-June/011079.html
> 2. http://frell.ambush.de/archives/freeswan-users/1338.html
>
> i am clueless. thanks for any help!
>
-- 
======================================================================
Andreas Steffen                 e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                  phone:  +41 76 340 25 56
Alter Zürichweg 20              home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
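The two things Andreas asks the poster to check (is the `: RSA ...` line newline-terminated, and does the private key itself load) can be scripted. The following is an added example, not code from the thread or from FreeS/WAN: it audits an ipsec.secrets-style file, flags a missing final newline, and, where the openssl CLI is installed, decodes each referenced RSA key with the passphrase from the entry. The secrets files, key file and passphrase it creates in a temp directory are constructed sample values; it assumes the passphrase contains no whitespace and that the key path has none either.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an ipsec.secrets file for the two
# failure modes discussed above: a last line without a trailing newline, and a
# ": RSA <file> "<passphrase>"" entry whose key cannot be read or decoded.
# All paths and passphrases below are constructed sample values.

# Return 0 if the file is empty or its last byte is a newline, 1 otherwise.
ends_with_newline() {
    f="$1"
    [ -s "$f" ] || return 0
    # tail -c 1 yields the last byte; wc -l counts it only if it is a newline
    n=$(tail -c 1 "$f" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Print the key-file path of every ": RSA <file> ..." entry, one per line.
rsa_key_paths() {
    awk '$1 == ":" && $2 == "RSA" { print $3 }' "$1"
}

# Return 0 if the key file is readable and (when openssl is present) its RSA
# private key decodes with the given passphrase; 1 otherwise.
key_loads() {
    key="$1"; pass="$2"
    [ -r "$key" ] || { echo "missing or unreadable: $key"; return 1; }
    command -v openssl >/dev/null 2>&1 || return 0   # cannot verify further
    # -check decodes the key and validates its components; a leading
    # CERTIFICATE block (as in a cat'ed crt+key file) is skipped by the PEM reader
    openssl rsa -in "$key" -passin "pass:$pass" -check -noout >/dev/null 2>&1
}

# Report every problem in a secrets file; return 1 if any was found.
audit_secrets() {
    f="$1"; rc=0
    if ! ends_with_newline "$f"; then
        echo "$f: last line is not newline-terminated"; rc=1
    fi
    for k in $(rsa_key_paths "$f"); do
        # passphrase is the quoted fourth field; strip the quotes (no spaces assumed)
        p=$(awk -v k="$k" '$1 == ":" && $2 == "RSA" && $3 == k { gsub(/"/, "", $4); print $4 }' "$f")
        key_loads "$k" "$p" || { echo "$f: cannot load RSA key $k"; rc=1; }
    done
    return $rc
}

# Demo with constructed files in a temp directory
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf ': RSA %s/gateway1.pem "password"' "$tmp" > "$tmp/secrets.bad"    # no final newline
printf ': RSA %s/gateway1.pem "password"\n' "$tmp" > "$tmp/secrets.good"
if command -v openssl >/dev/null 2>&1; then
    # constructed 3DES-encrypted key, same shape as the poster's gateway1.key
    openssl genrsa -des3 -passout pass:password -out "$tmp/gateway1.pem" 2048 2>/dev/null
else
    : > "$tmp/gateway1.pem"   # placeholder so the readability check still has a file
fi
audit_secrets "$tmp/secrets.bad"  || echo "secrets.bad: problems found"
audit_secrets "$tmp/secrets.good" && echo "secrets.good: ok"
```

Run it as root against the real file with `audit_secrets /etc/ipsec.secrets` after sourcing the functions; a "cannot load RSA key" line with the file present and readable points at a passphrase or PEM-format problem rather than at the secrets syntax.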