[Swan] Unknown RSA Key

Paul Wouters paul at nohats.ca
Wed Dec 17 15:26:16 EET 2014


On Wed, 17 Dec 2014, Phil Daws wrote:

> Made the changes but still it fails to connect after stage 2 and hitting the message:
> 
> "fwl01-aaa" #1: no suitable connection for peer

Now you might be down to cryptographic configuration. Check the subnets=
and authby= and type= and ike=/esp= settings to see if they match the
other end.

A more detailed log might reveal more.

Paul

> followed by the certificate subject details.  On both left and right sides I have the certificates and keys within
> the NSS as I issued them.
> 
> certutil -L -d /etc/ipsec.d/
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> fwl01-aaa                                                    u,u,u
> MY CA                                                        T,c,c
> fwl01-bbb                                                    u,u,u
> 
> Any thoughts on what I may still be doing wrong please ? Thank you.
> 
> ----- Original Message -----
> From: "Paul Wouters" <paul at nohats.ca>
> To: "Phil Daws" <uxbod at splatnix.net>
> Cc: swan at lists.libreswan.org
> Sent: Tuesday, 16 December, 2014 9:19:41 PM
> Subject: Re: [Swan] Unknown RSA Key
> 
> On Tue, 16 Dec 2014, Phil Daws wrote:
> 
> > I am new to libreswan and attempting to set up an IPsec tunnel between two subnets.  The issue I am facing is that
> > when I bring up the connection I see:
> >
> > "network1" #28: no RSA public key known for 'CN=fwl01.bbb'
> >
> > yet if I check the NSS database the certificate is there and the CN is correct.  This is how my connection
> > looks:
> >
> > conn network1
> 
> >        leftid="CN=fwl01.aaa"
> 
> >        leftrsasigkey=%cert
> >        leftcert="fwl01-aaa"
> 
> >        rightid="CN=fwl01.bbb"
> 
> That's most likely wrong. Unless you set the "friendly_name" on the
> PKCS#12 import to "CN=fwl01.bbb" instead of "CN=fwl01.bbb".
> 
> I assume you are left, and only have the left certificate and its CA in
> your NSS. You would write:
> 
>          leftid=%fromcert
>          leftcert=fwl01-aaa
>          leftrsasigkey=%cert
>          #rightid does not need to be specified
>          rightrsasigkey=%cert
>          # optionally:
>          leftsendcert=always
> 
> See also:
> 
> https://libreswan.org/wiki/Using_NSS_with_libreswan
> 
> https://libreswan.org/wiki/Migrating_from_Openswan
> 
> Paul
> 
>
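An added example (not code from this thread or from libreswan) that mechanises the checks Paul's advice implies: it parses a conn block and a `certutil -L` listing and flags a leftcert nickname that is not in the NSS database, a literal leftid where %fromcert belongs, and an id with no key source. The conn blocks and the listing are reconstructed from this thread; NICK_RE assumes certutil's two-column nickname/trust layout.

```python
import re

# Constructed from the thread: the conn that produced "no RSA public key known for 'CN=fwl01.bbb'"
CONN_BEFORE = """conn network1
        leftid="CN=fwl01.aaa"
        leftrsasigkey=%cert
        leftcert="fwl01-aaa"
        rightid="CN=fwl01.bbb"
"""
# ... and the settings Paul suggested instead (his comment line kept on purpose).
CONN_AFTER = """conn network1
        leftid=%fromcert
        leftcert=fwl01-aaa
        leftrsasigkey=%cert
        #rightid does not need to be specified
        rightrsasigkey=%cert
        leftsendcert=always
"""
# Constructed copy of the `certutil -L -d /etc/ipsec.d/` listing from the thread.
CERTUTIL_OUT = """Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

fwl01-aaa                                                    u,u,u
MY CA                                                        T,c,c
fwl01-bbb                                                    u,u,u
"""

def parse_conn(text):
    """conn block -> {option: value}; quotes stripped, comments and the conn line skipped."""
    pairs = (l.strip().partition("=") for l in text.splitlines()
             if l.strip() and not l.strip().startswith(("#", "conn ")))
    return {k.strip(): v.strip().strip('"') for k, _, v in pairs}

NICK_RE = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")
def parse_nicknames(text):
    """certutil -L output -> {nickname: trust flags}; the header lines do not match NICK_RE."""
    return {m.group(1): m.group(2) for m in map(NICK_RE.match, text.splitlines()) if m}

def lint(conn, nss):
    """Return findings for one conn (empty list = passes the three checks)."""
    findings = []
    for side in ("left", "right"):
        cert, ident, key = (conn.get(side + k) for k in ("cert", "id", "rsasigkey"))
        if cert and cert not in nss:  # nickname typo, or a DN used where a nickname belongs
            findings.append(f"{side}cert={cert!r} is not a nickname in the NSS db")
        if cert and ident and ident != "%fromcert":  # Paul's advice: take the ID from the cert
            findings.append(f"{side}id={ident!r} is a literal ID; with {side}cert set, use %fromcert")
        if ident and not cert and key != "%cert":  # an ID with no key to verify it against
            findings.append(f"{side}id={ident!r} has no key source; set {side}rsasigkey=%cert")
    return findings
```

Running `lint(parse_conn(CONN_BEFORE), parse_nicknames(CERTUTIL_OUT))` reports the leftid and rightid problems from the thread, while CONN_AFTER returns no findings.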

