IKE v2 "no private key found"

General questions about problems. No bug reports or feature requests

Moderator: Securepoint

nraeth
Posts: 32
Joined: Fri 03.07.2015, 16:20


Post by nraeth »

After IKE v2 had been running here for some time, the problem has now occurred for the second time that the connection cannot be established.
The appliance logs that it cannot find a private key for its appliance cert.
When this happened last time I created a new appliance cert and it worked again.
That did not help this time.

What is going on?

David
Securepoint
Posts: 449
Joined: Tue 09.02.2016, 14:01

Post by David »

Hello,
could you please send us an excerpt from the log here?
Kind regards

David Gundermann
Head of Mobile Security
Tel. 04131/2401-0
Fax 04131/2401-50

Securepoint GmbH
Bleckeder Landstraße 28
D-21337 Lüneburg
http://www.securepoint.de

nraeth
Posts: 32
Joined: Fri 03.07.2015, 16:20

Post by nraeth »

Here you go:

Code:

2016-02-01 17:21:44	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:44+01:00 - charon - - - 09[NET] received packet: from 131.220.xxx.xxx[500] to 217.91.xxx.xxx[500]
2016-02-01 17:21:44	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:44+01:00 - charon - - - 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2016-02-01 17:21:44	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:44+01:00 - charon - - - 09[IKE] 131.220.xxx.xxx is initiating an IKE_SA
2016-02-01 17:21:44	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:44+01:00 - charon - - - last message repeated 1 times
2016-02-01 17:21:44	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:44+01:00 - charon - - - 09[IKE] sending cert request for "C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=Securepoint Root CA, E=mail@firma.de"
2016-02-01 17:21:44	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:44+01:00 - charon - - - 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2016-02-01 17:21:44	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:44+01:00 - charon - - - 09[NET] sending packet: from 217.91.xxx.xxx[500] to 131.220.xxx.xxx[500]
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[NET] received packet: from 131.220.xxx.xxx[4500] to 217.91.xxx.xxx[4500]
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[ENC] unknown attribute type INTERNAL_IP4_SERVER
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[IKE] received cert request for "C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=Securepoint Root CA, E=mail@firma.de"
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[IKE] received 35 cert requests for an unknown ca
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[IKE] received end entity cert "C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=User Gerät, E=mail@firma.de"
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[CFG] looking for peer configs matching 217.91.xxx.xxx[%any]...131.220.xxx.xxx[C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=User Gerät, E=mail@firma.de]
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[CFG] selected peer config 'IP-Sec IKE config_6'
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[CFG]   using certificate "C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=User Gerät, E=mail@firma.de"
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[CFG]   using trusted ca certificate "C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=Securepoint Root CA, E=mail@firma.de"
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[CFG] checking certificate status of "C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=User Gerät, E=mail@firma.de"
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[CFG]   using trusted certificate "C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=Securepoint Root CA, E=mail@firma.de"
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[CFG]   crl correctly signed by "C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=Securepoint Root CA, E=mail@firma.de"
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[CFG]   crl is valid: until Jan 20 17:23:19 2017
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[CFG]   using cached crl
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[CFG] certificate status is good
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[CFG]   reached self-signed root ca with a path length of 0
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[IKE] authentication of 'C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=User Gerät, E=mail@firma.de' with RSA signature successful
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[IKE] peer supports MOBIKE
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[IKE] no private key found for 'C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=Firewall Cert, E=mail@firma.de'
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2016-02-01 17:21:45	Daemon.Info	192.168.xx.1	1 2016-02-01T17:21:45+01:00 - charon - - - 15[NET] sending packet: from 217.91.xxx.xxx[4500] to 131.220.xxx.xxx[4500]

After some revoking/re-enabling and/or appliance restarts it works again now, but that is not acceptable if the function keeps stopping all of a sudden.

nraeth
Posts: 32
Joined: Fri 03.07.2015, 16:20

Post by nraeth »

So, the trigger is clear. After every appliance restart the private key is not loaded.
Revoking and unlocking, then restarting the IPSec service, helps.
Maybe even just restarting the IPSec service is enough.
In any case it is only a workaround, so please fix the problem quickly.
It apparently does not load any secrets at all on restart.

Code:

2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 00[CFG]   loaded ca certificate "C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=Securepoint Root CA, E=mail@firma.de" from '/etc/ipsec.d/cacerts/Securepoint Root CA.pem'
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 00[CFG] loading crls from '/etc/ipsec.d/crls'
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 00[CFG]   loaded crl from '/etc/ipsec.d/crls/Securepoint Root CA.crl'
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 00[CFG] loading secrets from '/etc/ipsec.secrets'
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 00[LIB] mapping '/etc/ipsec.secrets' failed: Invalid argument
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 00[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl af-alg fips-prf xcbc cmac hmac attr kernel-netlink resolve socket-raw stroke updown
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 00[JOB] spawning 16 worker threads
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 06[CFG] received stroke: add ca 'Securepoint Root CA'
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 06[CFG] ca Securepoint Root CA
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 06[CFG]   cacert=/etc/ipsec.d/cacerts/Securepoint Root CA.pem
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 06[CFG]   crluri=file:///etc/ipsec.d/crls/Securepoint Root CA.crl
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 06[CFG]   crluri2=(null)
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 06[CFG]   ocspuri=(null)
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 06[CFG]   ocspuri2=(null)
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 06[CFG]   certuribase=(null)
2016-02-18 17:43:50	Daemon.Info	192.168.xx.1	1 2016-02-18T17:43:50+01:00 - charon - - - 06[CFG] added ca 'Securepoint Root CA'

Here is the log when restarting only the IPSec service:

Code:

2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG]   loaded ca certificate "C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Firma, CN=Securepoint Root CA, E=mail@firma.de" from '/etc/ipsec.d/cacerts/Securepoint Root CA.pem'
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG] loading crls from '/etc/ipsec.d/crls'
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG]   loaded crl from '/etc/ipsec.d/crls/Securepoint Root CA.crl'
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG] loading secrets from '/etc/ipsec.secrets'
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG]   loaded IKE secret for 192.168.100.1 %any
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - last message repeated 1 times
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG]   loaded IKE secret for 192.168.100.1 131.220.xxx.xxx
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/Appliance Cert.key'
2016-02-18 23:34:36	Daemon.Info	192.168.xx.1	1 2016-02-18T23:34:36+01:00 - charon - - - 00[CFG]   loaded IKE secret for 192.168.100.1 %any
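A small log check for the boot-time failure shown in the two logs above, added here as an example and not part of the original post or of Securepoint's software: it walks charon lines in the same syslog-forwarded format and reports whether the daemon logged a failed mapping of ipsec.secrets (so no RSA key is usable), a successfully loaded RSA private key, or the later "no private key found" at IKE_AUTH time. The sample lines are constructed placeholders in that format; the function and category names are this example's own.

```python
import re

# Matches the syslog-forwarded charon lines quoted in this thread, e.g.
# "... - charon - - - 00[CFG] loading secrets from '/etc/ipsec.secrets'"
CHARON_RE = re.compile(r"charon - - - \d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
NO_KEY_RE = re.compile(r"no private key found for '(?P<id>[^']+)'")

def check_secrets_loading(lines):
    """Count secrets-loading events in a charon log.

    Returns counts of daemon startups, loaded RSA private keys, failed
    ipsec.secrets mappings, and the identities that had no key at IKE_AUTH.
    """
    report = {"startups": 0, "keys_loaded": 0, "mapping_failed": 0, "no_key_ids": []}
    for line in lines:
        m = CHARON_RE.search(line)
        if not m:
            continue  # not a charon line; other daemons are ignored
        msg = m.group("msg").strip()  # charon indents sub-messages with spaces
        if msg.startswith("loading secrets from"):
            report["startups"] += 1
        elif msg.startswith("loaded RSA private key"):
            report["keys_loaded"] += 1
        elif msg.startswith("mapping ") and "failed" in msg:
            report["mapping_failed"] += 1
        else:
            nk = NO_KEY_RE.match(msg)
            if nk:
                report["no_key_ids"].append(nk.group("id"))
    return report

def diagnose(report):
    """'secrets-not-loaded' is the boot-time condition described in this thread."""
    if report["mapping_failed"] or (report["startups"] and not report["keys_loaded"]):
        return "secrets-not-loaded"
    if report["no_key_ids"]:
        return "no-private-key-at-runtime"
    return "ok"

# Constructed sample lines in the thread's log format (host/identity values are placeholders).
def _line(group, msg):
    return f"2016-02-18 17:43:50\tDaemon.Info\t192.168.xx.1\t1 2016-02-18T17:43:50+01:00 - charon - - - 00[{group}] {msg}"

BOOT_LOG = [_line("CFG", "loading secrets from '/etc/ipsec.secrets'"),
            _line("LIB", "mapping '/etc/ipsec.secrets' failed: Invalid argument")]
RESTART_LOG = [_line("CFG", "loading secrets from '/etc/ipsec.secrets'"),
               _line("CFG", "  loaded RSA private key from '/etc/ipsec.d/private/Appliance Cert.key'")]
RUNTIME_LOG = [_line("IKE", "no private key found for 'CN=Firewall Cert'"),
               _line("ENC", "generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]")]

if __name__ == "__main__":
    for name, log in (("boot", BOOT_LOG), ("restart", RESTART_LOG), ("runtime", RUNTIME_LOG)):
        print(name, diagnose(check_secrets_loading(log)))
```

Run it against a syslog export after a reboot: a "secrets-not-loaded" result on the daemon start, before any client has connected, points at the startup mapping failure rather than at the certificate itself.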

nraeth
Posts: 32
Joined: Fri 03.07.2015, 16:20

Post by nraeth »

Hello, is there a plan to fix the bug?
Or, in case I should be the only one affected, how could it be fixed?
