I am setting up a Strongswan server in Linux Ubuntu 24.04. I have a certificate from LetsEncrypt, which generated an ECP-256 private key. The problem is that when I try to connect to the charon server, I get a syslog error on the server-side:
```
2025-07-14T21:09:55.322081+00:00 phobos charon: 13[IKE] no private key found for 'mydnsname.com'
```

I've redacted IP addresses and hostnames in the following samples. My ipsec.conf configuration looks like this:
```
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=mydnsname.com
    leftcert=mydnsname.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.20.1.0/16
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
```

My LetsEncrypt certificate is located at the path /etc/ipsec.d/certs/mydnsname.crt. I also have the two LetsEncrypt certificates (intermediate and root) located in /etc/ipsec.d/cacerts/. Lastly, I have placed my private key file at the path /etc/ipsec.d/private/mydnsname.key:
```
root@phobos:/etc/ipsec.d/private# openssl ec -noout -text -in /etc/ipsec.d/private/mydnsname.key
read EC key
Private-Key: (256 bit)
priv:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
    XX:XX
pub:
    04:6e:fd:07:b9:6b:53:62:74:55:e7:7e:ec:68:a1:
    23:56:d7:47:d2:ab:8f:95:4d:2d:89:27:32:a6:21:
    ba:d7:81:87:12:f4:97:fb:a3:8c:c7:15:05:a1:38:
    65:e2:23:7b:a6:f6:0b:a5:ad:0d:3f:37:4d:8d:62:
    09:3b:c0:95:23
ASN1 OID: prime256v1
NIST CURVE: P-256
```

All this configuration seems to be reasonable to my non-expert eye, but obviously something is wrong, because the charon server thinks that there is no private key for this connection, but there most definitely is.
A more complete copy of syslog for the charon server is here, starting from when the connection is initiated by the client up to the error message "no private key found": https://valmarc.com/download/sample-syslog.txt
EDIT: I noticed another error in the syslog file that appears when strongswan is restarted. Presumably it tries to load the private keys on startup, but the following error appears:
```
2025-07-16T13:06:21.914490+00:00 phobos charon: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 11 builders
```

This is very suspicious and suggests that it is trying to read the private key as an RSA key, but it is an EC key. Perhaps it doesn't have the EC plugins installed? Or maybe it just tries parsing as an RSA key first and fails, and then silently succeeds when parsing as an EC key? Unfortunately, the log message isn't very helpful.
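One check worth running before digging into plugins, added here as an example and not taken from the question or from strongSwan itself: charon can only report a private key for `leftcert` if a loaded key's public part matches the certificate's public key, so first confirm that the key file and the certificate actually belong together. The script builds its own throwaway P-256 key and self-signed certificate as constructed fixtures (the file names are hypothetical); point `key_matches_cert` at the real `/etc/ipsec.d/private/mydnsname.key` and `/etc/ipsec.d/certs/mydnsname.crt` to test the pair from the question.

```shell
#!/bin/sh
# Added diagnostic, not part of the question: confirm that a private key and a
# certificate share the same public key, which is what charon needs in order
# to find a "private key" for the certificate given as leftcert.
set -eu

# SHA-256 fingerprint of the DER SubjectPublicKeyInfo taken from a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The same fingerprint derived from a private key (SEC1 or PKCS#8 PEM, EC or RSA);
# both encodings of the same key yield the same SubjectPublicKeyInfo.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit status 0 when the key belongs to the certificate, 1 otherwise.
key_matches_cert() {
    [ "$(key_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# Constructed fixtures (hypothetical names): a P-256 key, its self-signed
# certificate, and an unrelated P-256 key that must not match.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/good.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/good.key" -subj "/CN=mydnsname.com" \
    -days 1 -out "$WORK/good.crt" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.key" 2>/dev/null

if key_matches_cert "$WORK/good.key" "$WORK/good.crt"; then
    echo "good.key matches good.crt"
fi
if key_matches_cert "$WORK/other.key" "$WORK/good.crt"; then
    echo "unexpected: other.key matches good.crt"
else
    echo "other.key does not match good.crt (charon would have no key for it)"
fi
```

A mismatch on the real files explains the error on its own; a match means the pair is fine and the problem lies in how the key is loaded rather than in the key itself.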
`ipsec rereadall`? Is it recognized by `ipsec listall`? Are you deliberately using the obsolete 'ipsec.conf' config format? The whole 'ipsec' command might not be present at all in whichever strongswan version the next Ubuntu LTS will have.

The `ipsec listall` command does not show any private keys. However, running the same command on another system (where Strongswan is working with a similar configuration) does not show private keys either. The man page of ipsec suggests that the listall command isn't supposed to show private keys (it only shows public keys from certificates).