[Swan] Failure when using raw public keys with Libreswan 3.19rc3
Noam Singer
noam at fortycloud.com
Mon May 8 15:22:45 UTC 2017
Hello
I am upgrading from LibreSwan 3.16 to 3.19rc3
I am using raw public keys, as in this connection example:
root@ip-10-10-10-200:/home/ubuntu# cat /etc/ipsec.d/connST1478.conf
conn connST1478
    authby=rsasig
    auto=start
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
    forceencaps=yes
    ike=aes128-sha1
    ikelifetime=86400s
    keyingtries=3
    left=%defaultroute
    leftid=@54.154.233.194
    leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx
    leftsubnets=10.10.10.0/24,10.254.128.0/24
    leftupdown=/usr/fortycloud/libreSwanUpDown.sh
    pfs=no
    phase2alg=aes128-sha1
    right=54.93.249.115
    rightid=@54.93.249.115
    rightrsasigkey=0sAQPM4jM4mrMBNHW8IlCYaZPaiPgXcZIp51xecQINFL18t69I1HBRnw1D9ckjQ9I/NLD4+SvuFBCsljpdiv7az0W6T6IoJ4geGW19pdUuaMtFJKNdPvYcASREeC1BDcXvgYLUP2RYNOA+c4gbRRjVGpEQJcO+yw+8LrTWi5SV5YvybVnwRXWYt4aTa853u1OSTDb3I2YfxHM47sBZTtoBJepIMaYL1z7BSqfRyheMstlUlQnrOM352DTGf1GD1BZffZFJIxjvZ+dE4ZDLVCou5q6YnhAosFLDfJHH9KPCOi0VlFKDX8xItF4tqprHgQT87CnHwWcshpnLWgUQEGxlT58m98rEZ/FOfUIJCfMm0/449gjL
    rightsubnets=10.254.129.0/24,172.31.0.0/20
    salifetime=28800s
    type=tunnel
The public keys were taken using:
root@ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --list
< 1> RSA keyid: AQO/rpT0h ckaid: 8163e2fd150ff23c28dd49bfce039cdf7f3637dd
root@ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --rsaid AQO/rpT0h --left
# rsakey AQO/rpT0h
    leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx
However, the connection fails with the following errors in auth.log
...
May 8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #179: starting keying attempt 2 of at most 3
May 8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: initiating Main Mode to replace #179
May 8 13:50:20 ip-10-10-10-200 pluto[12649]: deleting other state #179 (STATE_MAIN_I2) "connST1478/2x2"
May 8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: STATE_MAIN_I2: sent MI2, expecting MR2
May 8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature
May 8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to 54.93.249.115:500
May 8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature
May 8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to 54.93.249.115:500
May 8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature
May 8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to 54.93.249.115:500
May 8 13:50:22 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature
May 8 13:50:22 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to 54.93.249.115:500
This has worked with the old NSS in 3.16, but fails with 3.19rc3
Is there anything I need to change in the configuration files or in my
process?
Thanks in advance
Noam Singer
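Added example (not part of the post, and not libreswan's own code): a Python script that decodes the two 0s raw RSA keys from the conn quoted above and checks their keyid against the `ipsec showhostkey --list` output also quoted above. It assumes that a 0s value is base64 of an RFC 3110 RSA public key (exponent length, exponent, modulus), that libreswan's keyid is the first 9 base64 characters of that value, and that NSS forms an RSA key's CKA_ID as the SHA-1 of the modulus; the sample input is constructed from the post.

```python
"""Cross-check the raw RSA public keys in a libreswan conn against the host
keys that `ipsec showhostkey --list` reports.

Added example, not libreswan code. Assumptions: a 0s value is base64 of an
RFC 3110 RSA public key (exponent length, exponent, modulus), libreswan's
keyid is the first 9 base64 characters of that value, and NSS forms an RSA
key's CKA_ID as the SHA-1 of the modulus.
"""
import base64
import hashlib
import re

KEYID_LEN = 9  # assumption: libreswan prints the first 9 base64 chars as keyid

# Constructed sample input: the conn settings and showhostkey output quoted
# in the post, with the two 0s keys copied verbatim.
CONN_TEXT = """\
conn connST1478
    authby=rsasig
    leftid=@54.154.233.194
    leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx
    rightid=@54.93.249.115
    rightrsasigkey=0sAQPM4jM4mrMBNHW8IlCYaZPaiPgXcZIp51xecQINFL18t69I1HBRnw1D9ckjQ9I/NLD4+SvuFBCsljpdiv7az0W6T6IoJ4geGW19pdUuaMtFJKNdPvYcASREeC1BDcXvgYLUP2RYNOA+c4gbRRjVGpEQJcO+yw+8LrTWi5SV5YvybVnwRXWYt4aTa853u1OSTDb3I2YfxHM47sBZTtoBJepIMaYL1z7BSqfRyheMstlUlQnrOM352DTGf1GD1BZffZFJIxjvZ+dE4ZDLVCou5q6YnhAosFLDfJHH9KPCOi0VlFKDX8xItF4tqprHgQT87CnHwWcshpnLWgUQEGxlT58m98rEZ/FOfUIJCfMm0/449gjL
"""

SHOWHOSTKEY_LIST = """\
< 1> RSA keyid: AQO/rpT0h ckaid: 8163e2fd150ff23c28dd49bfce039cdf7f3637dd
"""


def parse_conn(text):
    """Return the key=value settings of one conn block as a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def decode_rsa_pubkey(value):
    """Decode a libreswan '0s<base64>' raw RSA public key (RFC 3110 layout).

    Returns (keyid, exponent, modulus_bytes); raises ValueError on a
    malformed value, which is what a truncated paste looks like."""
    if not value.startswith("0s"):
        raise ValueError("expected a 0s (base64) raw RSA key")
    b64 = value[2:]
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    if not blob:
        raise ValueError("empty key blob")
    exp_len, offset = blob[0], 1
    if exp_len == 0:  # RFC 3110: a zero byte means a 2-byte length follows
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    exponent = blob[offset:offset + exp_len]
    modulus = blob[offset + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated key blob")
    return b64[:KEYID_LEN], int.from_bytes(exponent, "big"), modulus


def nss_ckaid(modulus):
    """SHA-1 over the modulus (leading zero bytes stripped), which is the
    assumed way NSS derives an RSA key's CKA_ID."""
    return hashlib.sha1(modulus.lstrip(b"\x00")).hexdigest()


def parse_showhostkey_list(text):
    """Map keyid -> ckaid from `ipsec showhostkey --list` output."""
    pattern = re.compile(r"RSA keyid:\s+(\S+)\s+ckaid:\s+([0-9a-fA-F]+)")
    return {m.group(1): m.group(2).lower() for m in pattern.finditer(text)}


def check_conn_keys(conn_text, showhostkey_text):
    """For every *rsasigkey in the conn: keyid, exponent, modulus size,
    computed ckaid, and whether the keyid is among the listed host keys."""
    host_keys = parse_showhostkey_list(showhostkey_text)
    report = {}
    for name, value in parse_conn(conn_text).items():
        if not name.endswith("rsasigkey"):
            continue
        keyid, exponent, modulus = decode_rsa_pubkey(value)
        report[name] = {
            "keyid": keyid,
            "exponent": exponent,
            "modulus_bits": int.from_bytes(modulus, "big").bit_length(),
            "ckaid": nss_ckaid(modulus),
            "is_host_key": keyid in host_keys,
        }
    return report


if __name__ == "__main__":
    for name, info in check_conn_keys(CONN_TEXT, SHOWHOSTKEY_LIST).items():
        print(name, info)
```

For the data in the post the leftrsasigkey keyid is the one host key listed, so a copy-paste error in the conn file is ruled out; a passing check here combined with "unable to locate my private key for RSA Signature" points at the private half in the NSS database rather than at the public key in the conn. Decoding also exposes the exponent and modulus size, so a truncated key value fails with a ValueError instead of silently producing a keyid that matches nothing.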