[Swan] Importing keypairs from keytool

Sowmini Varadhan sowmini.varadhan at oracle.com
Thu Aug 18 12:02:48 UTC 2016


I am trying to export (as a pkcs12 file) a keypair generated by
java/keytool into NSS and use this for ipsec. I am following
similar instructions for openssl documented in the libreswan wiki. 

I'm able to get the tunnels to load, but IKE auth does not converge:
tcpdump reports (n: doi=ipsec proto=isakmp type=AUTHENTICATION-FAILED)

I suspect this may be because I am missing something in 
/etc/ipsec.d/ipsec.secrets, I could use some hints about what I may
be doing incorrectly.

Here's what I am doing:

With keytool generate a pkcs certificate on the right-node.
 right# keytool -exportcert -keystore java/my.pkcs12 \
		-storetype pkcs12 \
 		-validity 720 -v  -alias BDS \
		-genkeypair -keyalg RSA -storepass $passwd -keypass $passwd

Now import this with ipsec:
 right# ipsec import java/my.pkcs12

Check that it is there:
 right#  certutil -L -d sql:/etc/ipsec.d

  Certificate Nickname                                       Trust Attributes

  bds                                                        u,u,u

Modify the right-node config file for this tunnel:

  right# grep right /etc/ipsec.d/eth4.conf

On the left node, import the public key. First export it on the right node:

  right# certutil -L -n "bds" -d sql:/etc/ipsec.d/ -a > right.crt

Copy right.crt over to the left node, then 
  left# certutil -A -i right.crt -n "bds" -t "C,C,C" -d /etc/ipsec.d

Left will report it as:

  left# certutil -L -d /etc/ipsec.d

  Certificate Nickname                                       Trust Attributes

  bds                                                        C,C,C

Add the info the ipsec.d/*.conf:
 left# grep right /etc/ipsec.d/eth4.conf

Now restarting ipsec loads tunnels but ike does not complete the
auth phase. Is something missing in some other /etc/ipsec.d config
file to tell it to go look in sql:/etc/ipsec.d?

Thanks in advance for hints,


More information about the Swan mailing list