Thursday, October 7, 2010

Strongswan: ike alg: unable to locate my private key

If you are using StrongSwan to establish an IPSec connection and you encounter this error:
root@crackjack:~# ipsec up conn-to-td
002 "conn-to-td" #2: initiating Main Mode
002 "conn-to-td" #2: ike alg: unable to locate my private key
002 "conn-to-td" #2: ike alg: unable to locate my private key
003 "conn-to-td" #2: empty ISAKMP SA proposal to send (no algorithms for ike selection?)

then I have found the way to solve the first part of your problem, the private key part. Basically, after FreeS/WAN became Openswan and then finally strongSwan, a separate directory was created for each kind of credential under /etc/ipsec.d: CA certificates are stored in /etc/ipsec.d/cacerts, the certificates issued to you are stored in /etc/ipsec.d/certs, and likewise your private key is supposed to live in /etc/ipsec.d/private. What you have probably done is write the following in /etc/ipsec.conf:
leftcert=/etc/ipsec.d/private/my_private_key.pem
when in fact your /etc/ipsec.conf should look like the following:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    charonstart=yes
    plutostart=yes


conn host-to-host
    left=
    # bare file name, looked up in /etc/ipsec.d/certs (not a path into ipsec.d/private)
    leftcert=my_cert.pem
    leftid=my_private_key.pem
    right=
    rightid=
    auto=start
    pfs=no
    rekey=no
    keyingtries=3
After this, you can do the faithful /etc/init.d/ipsec restart and the private key problem will disappear.
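As an added check (my own script, not part of the original post), the function below verifies the /etc/ipsec.d layout described above: that leftcert= in ipsec.conf names a certificate rather than a path into ipsec.d/private, and that the private key exists under ipsec.d/private with root-only permissions. It assumes the key is registered in /etc/ipsec.secrets with a `: RSA <file>` line, which is how strongSwan loads private keys (the post does not mention this file); the CONFDIR argument and the function name are my own.

```shell
#!/bin/sh
# check_ipsec_key_layout [CONFDIR]
# Checks the strongSwan ipsec.d layout. CONFDIR defaults to /etc (pass a
# scratch directory to test it). Returns 0 = layout ok, 1 = problem printed.
check_ipsec_key_layout() {
    confdir="${1:-/etc}"
    conf="$confdir/ipsec.conf"
    secrets="$confdir/ipsec.secrets"
    rc=0

    # leftcert must be a bare file name (resolved under ipsec.d/certs) or a
    # path to a certificate, never a path into ipsec.d/private.
    leftcert=$(sed -n 's/^[[:space:]]*leftcert=[[:space:]]*//p' "$conf" 2>/dev/null | head -n 1)
    if [ -z "$leftcert" ]; then
        echo "no leftcert= in $conf"; rc=1
    else
        case "$leftcert" in
            */private/*) echo "leftcert points into ipsec.d/private: $leftcert"; rc=1 ;;
            /*) [ -f "$leftcert" ] || { echo "certificate missing: $leftcert"; rc=1; } ;;
            *)  [ -f "$confdir/ipsec.d/certs/$leftcert" ] ||
                    { echo "certificate missing in ipsec.d/certs: $leftcert"; rc=1; } ;;
        esac
    fi

    # The key itself is registered in ipsec.secrets as ": RSA <file>" (assumed
    # here) and looked up under ipsec.d/private; it must exist and be
    # readable by root only.
    keyfile=$(sed -n 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]*//p' "$secrets" 2>/dev/null \
              | head -n 1 | awk '{ print $1 }' | tr -d '"')
    if [ -z "$keyfile" ]; then
        echo "no ': RSA <file>' entry in $secrets"; rc=1
    else
        case "$keyfile" in
            /*) keypath="$keyfile" ;;
            *)  keypath="$confdir/ipsec.d/private/$keyfile" ;;
        esac
        if [ ! -f "$keypath" ]; then
            echo "private key missing: $keypath"; rc=1
        elif [ "$(ls -l "$keypath" | cut -c5-10)" != "------" ]; then
            echo "private key is readable by group/other: $keypath"; rc=1
        fi
    fi
    return "$rc"
}
```

Source the file and run `check_ipsec_key_layout` as root against the live /etc, or pass a scratch directory containing ipsec.conf, ipsec.secrets and an ipsec.d tree.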
