[Swan] Building site-to-site from old systems

Alex Regan mysqlstudent at gmail.com
Fri Sep 19 06:03:35 EEST 2014


Hi,

I have an old fedora14 system that is the right side of a site-to-site 
connection, with the left side being an even older Linux system. I'm 
trying to upgrade both sides, starting with the fedora14 side first. 
I've built a fedora20 system with the current libreswan, and have gotten 
it to successfully connect to the ancient system on the left.

I have a few general questions to make sure my understanding is correct 
and that I'm doing this correctly.

- The RHEL7 site-to-site VPN docs say to place the leftrsasigkey and 
rightrsasigkey directly into the config file. I've been working with 
openssl to generate pkcs12 files from the key, certificate, and 
certfile. Then I'm using pk12util to import the pkcs12 files directly 
into the NSS database. Is there any difference between the two methods?

# openssl pkcs12 -export -out righthost.example.com.p12 \
    -inkey remotecerts/orion.key -in remotecerts/righthost.crt \
    -certfile CA/newcerts/righthost.pem -name 'righthost'
# openssl pkcs12 -export -out lefthost.example.com.p12 \
    -inkey hostcerts/lefthost.key -in hostcerts/lefthost.crt \
    -certfile hostcerts/lefthost.crt -name 'lefthost'

# pk12util -i righthost.example.com.p12 -d /etc/ipsec.d
# pk12util -i lefthost.example.com.p12 -d /etc/ipsec.d

- The keys, certs, and certificates are pretty old, and expiring at the 
end of the year. How do I recreate them for libreswan?

- I'm seeing the following message when pluto starts:
   AVX2 or AES-NI instructions are not detected.
Is that a limitation of the processor? It's a Xeon E3-1220 v2, so I 
would think it would have support for this?

- I'm also seeing the following message on the new fedora20 side after 
the connection is set up:
Sep 18 20:51:01 vpntest pluto[4492]: "MYVPN" #1: unable to locate my private key for RSA Signature
Sep 18 20:51:01 vpntest pluto[4492]: "MYVPN" #1: sending notification AUTHENTICATION_FAILED to 65.1.11.6:500

I have two secrets files - one I just created with ipsec newhostkey and 
I believe is wrong, and an existing hostkey.secrets file that was 
created years ago, which I believe is correct. It also references both 
files during startup:

Sep 18 21:03:14 vpntest pluto[1256]: loading secrets from "/etc/ipsec.secrets"
Sep 18 21:03:14 vpntest pluto[1256]: loading secrets from "/etc/ipsec.d/hostkey.secrets"
Sep 18 21:03:14 vpntest pluto[1256]: loaded private key for keyid: PPK_RSA:AQPAcYrhb
Sep 18 21:03:14 vpntest pluto[1256]: loading secrets from "/etc/ipsec.d/righthost.example.com.secrets"

I've included my ipsec.conf file, with IPs modified, in case it helps.

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	interfaces=%defaultroute
	uniqueids=yes
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	# klipsdebug=none
	# plutodebug="control parsing"
	nat_traversal=no

conn %default
	auto=add
	keyingtries=0
	disablearrivalcheck=no
	keyexchange=ike
	ikelifetime=240m
	keylife=60m
	pfs=yes
	compress=no
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	type=tunnel
	authby=rsasig
	esp=aes
	ike=aes

conn MYVPN
	auto=start
	left=65.46.1.6
	leftnexthop=65.46.1.5
	leftsubnet=64.1.1.0/27
	leftid="@C=US, ST=New Jersey, L=MyTown, O=My Company Inc, CN=lefthost.example.com"
	leftcert=lefthost
	right=68.195.1.42
	rightnexthop=68.195.1.41
	rightsubnet=192.168.1.0/24
	rightid="@C=US, ST=New Jersey, L=MyTown, O=My Company Inc, CN=righthost.example.com"
	rightcert=righthost

# Disable Opportunistic Encryption
include /etc/ipsec.d/no_oe.conf

Thanks for any ideas.
Alex
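Added example, not part of the post above: a small sh function that checks the key, certificate and CA file before they are packed into a PKCS#12 for pk12util. A "unable to locate my private key" error and the end-of-year expiry mentioned in the post are both things this catches early (the key must match the cert, the cert must chain to the -certfile CA, and it must not be about to expire). The file paths are arguments; the ones in the post are assumed.

```shell
#!/bin/sh
# Sanity-check the inputs of "openssl pkcs12 -export" before importing
# the result into the NSS database with pk12util.
# Usage: check_p12_inputs KEY CERT CAFILE [DAYS]
# Returns 0 when everything is consistent, non-zero (with a reason)
# otherwise. DAYS (default 30) is the expiry warning window.
check_p12_inputs() {
    key=$1; cert=$2; ca=$3
    days=${4:-30}

    # 1. The private key must belong to the certificate: compare the
    #    RSA moduli (hashed, so the strings stay short).
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl sha256)
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null | openssl sha256)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "MISMATCH: $key does not match the public key in $cert"
        return 1
    fi

    # 2. The certificate must verify against the CA passed as -certfile,
    #    otherwise the peer will not be able to validate it either.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "CHAIN: $cert does not verify against $ca"
        return 2
    fi

    # 3. -checkend exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -noout -checkend $((days * 86400)) -in "$cert"; then
        echo "EXPIRING: $cert expires within $days days:" \
             "$(openssl x509 -noout -enddate -in "$cert")"
        return 3
    fi

    echo "OK: $cert matches $key and chains to $ca"
    return 0
}

# Example with the paths from the post (assumed to exist on that host):
# check_p12_inputs hostcerts/lefthost.key hostcerts/lefthost.crt CA/cacert.pem
```

Run it once per side with the same three files you hand to openssl pkcs12; only after it prints OK is it worth importing the .p12.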
