Q: Why do I get “ERROR: failed to get private key” when trying to establish an IPSec tunnel with racoon (ipsec-tools)?

A: If you are using x509 certificates to authenticate your end-points,
it is likely that your private key is encrypted with a passphrase, which
racoon has no way to enter when it loads the key. Assume the private key
is named maguro.key:

  # less maguro.key
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,94BC2753E921722E

  BjPpMYZouxEUBSdEtuRrnbcdGaTlmfuIh8RNxuijBU6ZawY1I5hosULrFKzrLzZt
  FJ9kg9Zo60o7U0FGzI1LTw4UalQnnkgH/quRZ4pJeM20Hjc5m4mj+YDtXAgNXYrw
  [ snip ]
  F2EmHvuKGA+kF50n2CF9zXbg95iJZ2Fn57+8FTOmzNDMxQZDgfJ2BM2iy4eCy2kv
  gp9gSvZrPLXJsw8ezrIsaNGsD9WEKim50je1LiWNMlBiVr8U41wgPg==
  -----END RSA PRIVATE KEY-----

To obtain the unencrypted private key, run the following commands (openssl will prompt you for the passphrase):

  # mv maguro.key maguro.key.encrypted
  # openssl rsa -in maguro.key.encrypted -out maguro.key
  Enter pass phrase for maguro.key:
  writing RSA key

The resulting maguro.key is your unencrypted private key.

  # less maguro.key
  -----BEGIN RSA PRIVATE KEY-----
  MIICXQIBAAKBgQCaCgZ5CUVqt6liqHAySkD/I/AuLbzekutPi7zNQ7OrV82kuZJy
  5qoWcR7WmPZ+awkk9i487DG7NacNNOjj1+uGrEr+S32ceG5s8Fd2qUOHx554SOoF
  [ snip ]
  Y5Dmk/jiZGhnxJmRKmMCQQCkYkdiv3ze6/JiAQueTASlR4qiON7ZJdol41ghI4JP
  A8Q+bS5dFpyzM9XEU4ptjrFhkZi9SkdH1rqCJ64C4DF+
  -----END RSA PRIVATE KEY-----
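The check and the decryption step described above, as an added shell example that is not part of the original post: it recognises a passphrase-protected key by the Proc-Type/DEK-Info headers shown in the first dump, and the key and file names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. It checks whether a PEM private
# key is passphrase-protected (the state racoon trips over) by looking for the
# headers visible in the encrypted dump above, then decrypts it the way the
# answer does while keeping the plaintext copy readable by its owner only.

# Returns 0 = encrypted, 1 = plaintext, 2 = not a PEM private key at all.
key_is_encrypted() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || return 2
    # Traditional OpenSSL encryption (as in the post) announces itself here:
    grep -q -E '^(Proc-Type: 4,ENCRYPTED|DEK-Info:)' "$1" && return 0
    # PKCS#8-encrypted keys use a distinct BEGIN line instead.
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" && return 0
    return 1
}

# Decrypt $1 in place: keeps $1.encrypted and writes the plaintext to $1 with
# mode 0600. openssl prompts for the passphrase on the terminal, as above.
decrypt_key_for_racoon() {
    key="$1"
    rc=0; key_is_encrypted "$key" || rc=$?
    case $rc in
        1) echo "$key is already unencrypted"; return 0 ;;
        2) echo "$key is not a PEM private key" >&2; return 2 ;;
    esac
    mv "$key" "$key.encrypted" || return 1
    ( umask 077 && openssl rsa -in "$key.encrypted" -out "$key" ) || return 1
    chmod 600 "$key"
}

# Constructed sample files (dummy base64 bodies, not real keys) for a dry run
# of key_is_encrypted; decrypting a real key still needs openssl and the passphrase.
write_samples() {
    cat > "$1/encrypted.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
-----END RSA PRIVATE KEY-----
EOF
    cat > "$1/plain.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
-----END RSA PRIVATE KEY-----
EOF
    printf 'not a key\n' > "$1/notakey.txt"
}
```

Run `decrypt_key_for_racoon /path/to/maguro.key` as root before starting racoon; a key that is already plaintext is left untouched.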