[Swan] Building site-to-site from old systems
Alex Regan
mysqlstudent at gmail.com
Fri Sep 19 06:03:35 EEST 2014
Hi,
I have an old fedora14 system that is the right side of a site-to-site
connection, with the left side being an even older Linux system. I'm
trying to upgrade both sides, starting with the fedora14 side first.
I've built a fedora20 system with the current libreswan, and have gotten
it to successfully connect to the ancient system on the left.
I have a few general questions to make sure my understanding is correct
and that I'm doing this correctly.
- The RHEL7 site-to-site VPN docs say to place the leftrsasigkey and
rightrsasigkey directly into the config file. I've been working with
openssl to generate pkcs12 files from the key, certificate, and
certfile. Then I'm using pk12util to import the pkcs12 files directly
into the NSS database. Is there any difference between the two methods?
    # openssl pkcs12 -export -out righthost.example.com.p12 \
          -inkey remotecerts/orion.key -in remotecerts/righthost.crt \
          -certfile CA/newcerts/righthost.pem -name 'righthost'
    # openssl pkcs12 -export -out left.example.com.p12 \
          -inkey hostcerts/lefthost.key -in hostcerts/lefthost.crt \
          -certfile hostcerts/lefthost.crt -name 'lefthost'
    # pk12util -i righthost.example.com.p12 -d /etc/ipsec.d
    # pk12util -i lefthost.example.com.p12 -d /etc/ipsec.d
- The keys, certs, and certificates are pretty old, and expiring at the
end of the year. How do I recreate them for libreswan?
- I'm seeing the following message when pluto starts:
AVX2 or AES-NI instructions are not detected.
Is that a limitation of the processor? It's a Xeon E3-1220 v2, so I
would think it would have support for this?
- I'm also seeing the following message on the new fedora20 side after
the connection is set up:
    Sep 18 20:51:01 vpntest pluto[4492]: "MYVPN" #1: unable to locate my private key for RSA Signature
    Sep 18 20:51:01 vpntest pluto[4492]: "MYVPN" #1: sending notification AUTHENTICATION_FAILED to 65.1.11.6:500
I have two secrets files - one I just created with ipsec newhostkey and
I believe is wrong, and an existing hostkey.secrets file that was
created years ago, which I believe is correct. It also references both
files during startup:
    Sep 18 21:03:14 vpntest pluto[1256]: loading secrets from "/etc/ipsec.secrets"
    Sep 18 21:03:14 vpntest pluto[1256]: loading secrets from "/etc/ipsec.d/hostkey.secrets"
    Sep 18 21:03:14 vpntest pluto[1256]: loaded private key for keyid: PPK_RSA:AQPAcYrhb
    Sep 18 21:03:14 vpntest pluto[1256]: loading secrets from "/etc/ipsec.d/righthost.example.com.secrets"
I've included my ipsec.conf file, with IPs modified, in case it helps.
    version 2.0     # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
            interfaces=%defaultroute
            uniqueids=yes
            # Debug-logging controls: "none" for (almost) none, "all" for lots.
            # klipsdebug=none
            # plutodebug="control parsing"
            nat_traversal=no

    conn %default
            auto=add
            keyingtries=0
            disablearrivalcheck=no
            keyexchange=ike
            ikelifetime=240m
            keylife=60m
            pfs=yes
            compress=no
            leftrsasigkey=%cert
            rightrsasigkey=%cert
            type=tunnel
            authby=rsasig
            esp=aes
            ike=aes

    conn MYVPN
            auto=start
            left=65.46.1.6
            leftnexthop=65.46.1.5
            leftsubnet=64.1.1.0/27
            leftid="@C=US, ST=New Jersey, L=MyTown, O=My Company Inc, CN=lefthost.example.com"
            leftcert=lefthost
            right=68.195.1.42
            rightnexthop=68.195.1.41
            rightsubnet=192.168.1.0/24
            rightid="@C=US, ST=New Jersey, L=MyTown, O=My Company Inc, CN=righthost.example.com"
            rightcert=righthost

    # Disable Opportunistic Encryption
    include /etc/ipsec.d/no_oe.conf
Thanks for any ideas.
Alex
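As an added example (not part of Alex's post, and not libreswan's own tooling), here is a small POSIX shell script that covers two of the questions above in a checkable way: it reports whether a cpuinfo flags line advertises AES-NI (which /proc/cpuinfo lists as the flag "aes") and AVX2 ("avx2"), and it classifies a certificate's notAfter date, as printed by "openssl x509 -noout -enddate", as expired, expiring or ok. The cpuinfo line embedded below is constructed, the script name vpn_checks.sh and the 30-day warning threshold are assumptions, and "date -d" requires GNU date.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for the questions above:
#  1. Does the CPU advertise AES-NI ("aes") and AVX2 ("avx2") in its cpuinfo flags?
#  2. How far away is a certificate's notAfter date?  Input is the string printed by
#        openssl x509 -noout -enddate -in cert.pem   ("notAfter=Dec 31 23:59:59 2014 GMT")
# Assumptions: GNU date (for "date -d"); the sample flags line below is constructed.

SAMPLE_FLAGS='flags : fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 popcnt aes avx'

# has_flag FLAGS_LINE NAME -> exit 0 if NAME is one of the space-separated flags
has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# cpu_crypto_report FLAGS_LINE -> prints one line per feature; exit 0 only if both are present
cpu_crypto_report() {
    rc=0
    for f in aes avx2; do
        if has_flag "$1" "$f"; then
            echo "$f: present"
        else
            echo "$f: absent"
            rc=1
        fi
    done
    return $rc
}

# days_until NOTAFTER -> prints whole days from now until NOTAFTER (negative when already past)
# Accepts either the bare date or the "notAfter=..." form that openssl prints.
days_until() {
    end_str=${1#notAfter=}
    end=$(date -u -d "$end_str" +%s) || return 2
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# cert_status NOTAFTER [WARN_DAYS] -> "expired", "expiring" (within WARN_DAYS, default 30) or "ok"
cert_status() {
    d=$(days_until "$1") || { echo unparseable; return 2; }
    warn=${2:-30}
    if [ "$d" -lt 0 ]; then
        echo expired
    elif [ "$d" -le "$warn" ]; then
        echo expiring
    else
        echo ok
    fi
}

# When saved as vpn_checks.sh (hypothetical name) and run directly on a Linux host:
# use the real cpuinfo line, then report on each certificate path given as an argument.
if [ "${0##*/}" = "vpn_checks.sh" ]; then
    if [ -r /proc/cpuinfo ]; then
        cpu_crypto_report "$(grep -m1 '^flags' /proc/cpuinfo)"
    else
        cpu_crypto_report "$SAMPLE_FLAGS"
    fi
    for cert in "$@"; do
        printf '%s: %s\n' "$cert" "$(cert_status "$(openssl x509 -noout -enddate -in "$cert")")"
    done
fi
```

Run it as "sh vpn_checks.sh /etc/ipsec.d/cert.pem ..." on the fedora20 box to see at a glance whether the pluto notice about AES-NI matches what the kernel reports for that Xeon, and which of the old certificates are the ones expiring at year end.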