[Swan] Unknown RSA Key
Paul Wouters
paul at nohats.ca
Wed Dec 17 15:26:16 EET 2014
On Wed, 17 Dec 2014, Phil Daws wrote:
> Made the changes but still it fails to connect after stage 2 and hitting the message:
>
> "fwl01-aaa" #1: no suitable connection for peer
Now you might be done to cryptographic configuration. Check the subnets=
and authby= and type= and ike=/esp= settings to see if they match the
other end.
A more detailed log might reveal more.
Paul
> followed by the certificate subject details. On both left and right sides I have the certficates and keys within
> the NSS as I issued them.
>
> certutil -L -d /etc/ipsec.d/
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> fwl01-aaa u,u,u
> MY CA T,c,c
> fwl01-bbb u,u,u
>
> Any thoughts on what I may still be doing wrong please ? Thank you.
>
> ----- Original Message -----
> From: "Paul Wouters" <paul at nohats.ca>
> To: "Phil Daws" <uxbod at splatnix.net>
> Cc: swan at lists.libreswan.org
> Sent: Tuesday, 16 December, 2014 9:19:41 PM
> Subject: Re: [Swan] Unknown RSA Key
>
> On Tue, 16 Dec 2014, Phil Daws wrote:
>
> > am new to libreswan and attempting to set up an IPSEC tunnel between two subnets. The issue am facing is that
> when I bring up the connection I see:
> >
> > "network1" #28: no RSA public key known for 'CN=fwl01.bbb'
> >
> > yet if I check the NSS database the certificate is there and the CN is correct. This is how my connection
> looks:
> >
> > conn network1
>
> > leftid="CN=fwl01.aaa"
>
> > leftrsasigkey=%cert
> > leftcert="fwl01-aaa"
>
> > rightid="CN=fwl01.bbb"
>
> That's most likely wrong. Unless you set the "friendly_name" on the
> PKCS#12 import to "CN=fwl01.bbb" instead of "CN=fwl01.bbb".
>
> I assume you are left, and only have the left certificate and its CA in
> your nss, You would write:
>
> leftid=%fromcert
> leftcert=fwl01-aaa
> leftrsasigkey=%cert
> #rightid does not need to be specified
> rightrsasigkey=%cert
> # optionally:
> leftsendcert=always
>
> See also:
>
> https://libreswan.org/wiki/Using_NSS_with_libreswan
>
> https://libreswan.org/wiki/Migrating_from_Openswan
>
> Paul
>
>
More information about the Swan
mailing list