[Swan] Importing keypairs from keytool
Sowmini Varadhan
sowmini.varadhan at oracle.com
Thu Aug 18 12:02:48 UTC 2016
Hi,
I am trying to export (as a pkcs12 file) a keypair generated by
java/keytool into NSS and use this for ipsec. I am following
similar instructions for openssl documented in the libreswan wiki.
I'm able to get the tunnels to load, but IKE auth does not converge:
tcpdump reports (n: doi=ipsec proto=isakmp type=AUTHENTICATION-FAILED)
I suspect this may be because I am missing something in
/etc/ipsec.d/ipsec.secrets, I could use some hints about what I may
be doing incorrectly.
Here's what I am doing:

With keytool generate a pkcs certificate on the right-node, e.g.:

    right# keytool -exportcert -keystore java/my.pkcs12 \
        -storetype pkcs12 \
        -validity 720 -v -alias BDS \
        -genkeypair -keyalg RSA -storepass $passwd -keypass $passwd
Now import this with ipsec:

    right# ipsec import java/my.pkcs12

Check that it is there:

    right# certutil -L -d sql:/etc/ipsec.d

    Certificate Nickname                            Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

    bds                                             u,u,u
Modify the right-node config file for this tunnel:

    right# grep right /etc/ipsec.d/eth4.conf
    rightid="CN=bds"
    right=14.0.0.70
    rightcert=bds
    rightrsasigkey=%cert
On the left node, import the public key. First export it on the right node:

    right# certutil -L -n "bds" -d sql:/etc/ipsec.d/ -a > right.crt

Copy right.crt over to the left node, then

    left# certutil -A -i right.crt -n "bds" -t "C,C,C" -d /etc/ipsec.d

Left will report it as:

    left# certutil -L -d /etc/ipsec.d

    Certificate Nickname                            Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

    bds                                             C,C,C
Add the info to the ipsec.d/*.conf:

    left# grep right /etc/ipsec.d/eth4.conf
    right=14.0.0.70
    rightid="CN=bds"
    rightrsasigkey=%cert

Now restarting ipsec loads tunnels but IKE does not complete the
auth phase. Is something missing in some other /etc/ipsec.d config
file to tell it to go look in sql:/etc/ipsec.d?
Thanks in advance for hints,
--Sowmini
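A consistency check for the right-node setup described in the post, added here as an example and not part of the original message: given the conn file, the certutil -L listing and the certificate dump (certutil -L -n bds, whose Subject: line it parses), it confirms that the nickname in rightcert is present in the NSS database with a private key (the u trust flag) and that its CN matches rightid. The conf, listing and certificate text below are constructed to mirror the post; the subject "CN=bds,O=Example" is an assumption.

```shell
# check_conn: sanity-check a libreswan conn against NSS contents (POSIX sh).
# All inputs are text, so it also works on certutil output captured elsewhere:
#   conf     contents of the conn file, e.g. /etc/ipsec.d/eth4.conf
#   nss_list output of  certutil -L -d sql:/etc/ipsec.d
#   cert     output of  certutil -L -n <nick> -d sql:/etc/ipsec.d  (has a Subject: line)
conf_value() {   # conf_value "$conf" key -> value, surrounding quotes stripped
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1 |
        sed 's/^"\(.*\)"$/\1/'
}
nss_trust() {    # nss_trust "$nss_list" nickname -> trust column, e.g. u,u,u
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $NF }'   # single-word nicknames only
}
cert_cn() {      # cert_cn "$cert" -> CN taken from the Subject: line
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Subject: "\(.*\)"$/\1/p' |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# Returns 0 when the nickname in rightcert exists, carries a private key
# (the 'u' flag: this node can sign IKE AUTH with it) and its CN equals rightid.
check_conn() {
    conf=$1; nss_list=$2; cert=$3; rc=0
    nick=$(conf_value "$conf" rightcert)
    id=$(conf_value "$conf" rightid)
    [ -n "$nick" ] || { echo "rightcert is not set"; return 1; }
    trust=$(nss_trust "$nss_list" "$nick")
    [ -n "$trust" ] || { echo "nickname '$nick' is not in the NSS database"; return 1; }
    case ${trust%%,*} in
        *u*) ;;
        *) echo "'$nick' has trust '$trust': public cert only, no private key to sign with"; rc=1 ;;
    esac
    cn=$(cert_cn "$cert")
    [ "$id" = "CN=$cn" ] || { echo "rightid '$id' does not match certificate CN=$cn"; rc=1; }
    return $rc
}
# Constructed samples mirroring the post: the right node holding the keypair
# (u,u,u) and a node holding only the public certificate (C,C,C).
SAMPLE_CONF='conn eth4
    rightid="CN=bds"
    right=14.0.0.70
    rightcert=bds
    rightrsasigkey=%cert'
SAMPLE_NSS='Certificate Nickname            Trust Attributes
                                SSL,S/MIME,JAR/XPI

bds                             u,u,u'
SAMPLE_NSS_PUBONLY='bds                             C,C,C'
SAMPLE_CERT='Certificate:
    Data:
        Subject: "CN=bds,O=Example"'
```

Run check_conn "$SAMPLE_CONF" "$SAMPLE_NSS" "$SAMPLE_CERT" for the keypair case; substituting SAMPLE_NSS_PUBONLY reports that the cert has no private key to sign with.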