[Swan] Failure when using raw public keys with Libreswan 3.19rc3

Noam Singer noam at fortycloud.com
Mon May 8 15:22:45 UTC 2017


Hello

I am upgrading from Libreswan 3.16 to 3.19rc3.
I am using raw public keys, as in this connection example:

root at ip-10-10-10-200:/home/ubuntu# cat /etc/ipsec.d/connST1478.conf
conn connST1478
    authby=rsasig
    auto=start
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
    forceencaps=yes
    ike=aes128-sha1
    ikelifetime=86400s
    keyingtries=3
    left=%defaultroute
    leftid=@54.154.233.194
    leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx
    leftsubnets=10.10.10.0/24,10.254.128.0/24
    leftupdown=/usr/fortycloud/libreSwanUpDown.sh
    pfs=no
    phase2alg=aes128-sha1
    right=54.93.249.115
    rightid=@54.93.249.115
    rightrsasigkey=0sAQPM4jM4mrMBNHW8IlCYaZPaiPgXcZIp51xecQINFL18t69I1HBRnw1D9ckjQ9I/NLD4+SvuFBCsljpdiv7az0W6T6IoJ4geGW19pdUuaMtFJKNdPvYcASREeC1BDcXvgYLUP2RYNOA+c4gbRRjVGpEQJcO+yw+8LrTWi5SV5YvybVnwRXWYt4aTa853u1OSTDb3I2YfxHM47sBZTtoBJepIMaYL1z7BSqfRyheMstlUlQnrOM352DTGf1GD1BZffZFJIxjvZ+dE4ZDLVCou5q6YnhAosFLDfJHH9KPCOi0VlFKDX8xItF4tqprHgQT87CnHwWcshpnLWgUQEGxlT58m98rEZ/FOfUIJCfMm0/449gjL
    rightsubnets=10.254.129.0/24,172.31.0.0/20
    salifetime=28800s
    type=tunnel



The public keys were taken using:
root at ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --list
< 1> RSA keyid: AQO/rpT0h ckaid: 8163e2fd150ff23c28dd49bfce039cdf7f3637dd
root at ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --rsaid AQO/rpT0h --left
        # rsakey AQO/rpT0h
        leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx


However, the connection fails with the following errors in auth.log:
...
May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #179: starting keying attempt 2 of at most 3
May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: initiating Main Mode to replace #179
May  8 13:50:20 ip-10-10-10-200 pluto[12649]: deleting other state #179 (STATE_MAIN_I2) "connST1478/2x2"
May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: STATE_MAIN_I2: sent MI2, expecting MR2
May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature
May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to 54.93.249.115:500
May  8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature
May  8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to 54.93.249.115:500
May  8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature
May  8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to 54.93.249.115:500
May  8 13:50:22 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature
May  8 13:50:22 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to 54.93.249.115:500

This has worked with the old NSS in 3.16, but fails with 3.19rc3

Is there anything I need to change in the configuration files or in my
process?

Thanks in advance

Noam Singer
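Editor's added example, not code from the poster or from libreswan. The log line "unable to locate my private key for RSA Signature" says pluto could not find, in the NSS database it reads, a private key matching the public key the conn tells it to sign with. A quick offline check is to compare the key id derived from leftrsasigkey with what `ipsec showhostkey --list` reports. Two assumptions are made here and labelled in the code: the short keyid is the first 9 base64 characters of the 0s blob (consistent with the `--list` output quoted above), and the ckaid is SHA-1 over the raw RSA modulus, which is how NSS forms CKA_ID for RSA keys. The sample conn and `--list` output are constructed from the values quoted in the post; on a real host, feed the script the actual file and command output instead.

```python
"""Cross-check raw RSA public keys in an ipsec.conf conn against the keys
pluto can see in its NSS database (the output of `ipsec showhostkey --list`).

Added example for this thread; not libreswan code and not the poster's script.
Assumptions (not taken from the post):
  - the short "keyid" is the first 9 base64 characters of the 0s blob;
  - the "ckaid" is SHA-1 over the raw RSA modulus (NSS-style CKA_ID for RSA).
The sample conn and showhostkey output are constructed from the post's values.
"""
import base64
import hashlib
import re

SAMPLE_CONN = """conn connST1478
    authby=rsasig
    left=%defaultroute
    leftid=@54.154.233.194
    leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx
    right=54.93.249.115
    rightid=@54.93.249.115
    rightrsasigkey=0sAQPM4jM4mrMBNHW8IlCYaZPaiPgXcZIp51xecQINFL18t69I1HBRnw1D9ckjQ9I/NLD4+SvuFBCsljpdiv7az0W6T6IoJ4geGW19pdUuaMtFJKNdPvYcASREeC1BDcXvgYLUP2RYNOA+c4gbRRjVGpEQJcO+yw+8LrTWi5SV5YvybVnwRXWYt4aTa853u1OSTDb3I2YfxHM47sBZTtoBJepIMaYL1z7BSqfRyheMstlUlQnrOM352DTGf1GD1BZffZFJIxjvZ+dE4ZDLVCou5q6YnhAosFLDfJHH9KPCOi0VlFKDX8xItF4tqprHgQT87CnHwWcshpnLWgUQEGxlT58m98rEZ/FOfUIJCfMm0/449gjL
"""

# Constructed from the `ipsec showhostkey --list` line quoted in the post.
SAMPLE_LIST = "< 1> RSA keyid: AQO/rpT0h ckaid: 8163e2fd150ff23c28dd49bfce039cdf7f3637dd\n"


def decode_rsasigkey(value):
    """Decode a 0s... key (RFC 3110 wire format) into (exponent, modulus bytes)."""
    if not value.startswith("0s"):
        raise ValueError("only 0s (base64) raw keys are handled, got %r" % value[:4])
    b64 = value[2:]
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate missing padding
    if blob[0] != 0:                       # one-byte exponent length
        elen, off = blob[0], 1
    else:                                  # zero byte, then two-byte exponent length
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    exponent = int.from_bytes(blob[off:off + elen], "big")
    modulus = blob[off + elen:]
    return exponent, modulus


def keyid_of(value):
    """Short key id as printed by showhostkey: first 9 base64 chars (assumption)."""
    return value[2:11]


def ckaid_of(value):
    """CKAID as SHA-1 over the modulus, NSS-style CKA_ID (assumption)."""
    return hashlib.sha1(decode_rsasigkey(value)[1]).hexdigest()


def parse_conn_keys(conn_text):
    """Return {'left': '0s...', 'right': '0s...'} for the raw keys in a conn."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*(left|right)rsasigkey=(0s\S+)", conn_text, re.M)}


def parse_showhostkey_list(list_text):
    """Return {keyid: ckaid} from `ipsec showhostkey --list` output."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"RSA keyid: (\S+) ckaid: ([0-9a-fA-F]+)", list_text)}


def check_conn(conn_text, list_text):
    """For each side, report whether the NSS DB lists a key for that public key."""
    nss = parse_showhostkey_list(list_text)
    report = {}
    for side, value in parse_conn_keys(conn_text).items():
        e, n = decode_rsasigkey(value)
        kid = keyid_of(value)
        report[side] = {
            "keyid": kid,
            "exponent": e,
            "modulus_bits": int.from_bytes(n, "big").bit_length(),
            "in_nss": kid in nss,
            "ckaid_match": (nss[kid] == ckaid_of(value)) if kid in nss else None,
        }
    return report


if __name__ == "__main__":
    for side, r in check_conn(SAMPLE_CONN, SAMPLE_LIST).items():
        where = ("listed by showhostkey" if r["in_nss"]
                 else "NOT listed by showhostkey (no private key for it in NSS)")
        print("%s: keyid %s, e=%d, %d-bit modulus: %s, ckaid match: %s"
              % (side, r["keyid"], r["exponent"], r["modulus_bits"], where, r["ckaid_match"]))
```

Reading the result: a keyid from the conn that never appears in `--list` means the private half is simply not in the NSS database pluto reads, so the first thing to confirm is that the upgraded pluto points at the same database the key was imported into. A keyid that is listed but whose computed ckaid differs from the reported one would instead suggest the two versions derive the key identifier differently, which is worth raising on the list with both values.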