[Swan] Failure when using raw public keys with Libreswan 3.19rc3
Paul Wouters
paul at nohats.ca
Mon May 8 15:44:02 UTC 2017
(CC:ing Andrew as he has done most of the rewriting around RSA code)
On Mon, 8 May 2017, Noam Singer wrote:
> Date: Mon, 8 May 2017 11:22:45
> I am upgrading from LibreSwan 3.16 to 3.19rc3
> I am using raw public keys as in this connection example:
> The public keys were taken using:
> root at ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --list
> < 1> RSA keyid: AQO/rpT0h ckaid: 8163e2fd150ff23c28dd49bfce039cdf7f3637dd
> root at ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --rsaid AQO/rpT0h --left
> # rsakey AQO/rpT0h
> leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx
>
>
> However, the connection fails with the following errors in auth.log
> 642-May 8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature
I think this is caused by us "needing" to have the RSA information in
/etc/ipsec.secrets even though we are not supposed to need it.
If you run: ipsec newhostkey --output /etc/ipsec.secrets and then use
the same method to configure the key, does it work?
I think when the connection is added, the RSA keys are not properly
added unless the ipsec.secrets sauce is there :/
Paul
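Added example (not part of the thread above, and not Libreswan's own code): a small Python decoder/encoder for the "0s..." raw RSA public key format that leftrsasigkey/rightrsasigkey carry, run against the key Noam posted. It assumes the documented layout of the payload: the "0s" prefix marks base64, and the decoded bytes are the RFC 3110 RSA public key encoding (exponent length, exponent, modulus). It also assumes, consistent with the showhostkey output quoted above, that the keyid Libreswan prints is simply the first nine base64 characters of the key rather than a hash. Parsing the posted key this way is a quick sanity check that what ended up in ipsec.conf is complete and well-formed before chasing a "unable to locate my private key" error.

```python
import base64
from typing import Tuple

# The leftrsasigkey value from the message above, with the mail-client
# line wrapping removed (copied from the thread, not generated here).
POSTED_LEFTRSASIGKEY = (
    "0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj"
    "6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0"
    "mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx"
)


def decode_rsasigkey(value: str) -> Tuple[int, int]:
    """Decode a '0s...' rsasigkey value into (exponent, modulus).

    Assumed layout (RFC 3110 RSA public key field): a 1-byte exponent
    length, or 0x00 followed by a 2-byte big-endian length for exponents
    longer than 255 bytes; then the exponent; the remainder is the modulus.
    """
    if not value.startswith("0s"):
        raise ValueError("expected a 0s (base64) key, got prefix %r" % value[:2])
    raw = base64.b64decode(value[2:], validate=True)
    if len(raw) < 3:
        raise ValueError("key payload too short")
    if raw[0] != 0:
        elen, off = raw[0], 1
    else:
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exponent = int.from_bytes(raw[off:off + elen], "big")
    modulus = int.from_bytes(raw[off + elen:], "big")
    if elen == 0 or exponent < 3 or modulus == 0:
        raise ValueError("malformed RSA public key")
    return exponent, modulus


def encode_rsasigkey(exponent: int, modulus: int) -> str:
    """Inverse of decode_rsasigkey: build the '0s...' value from (e, n)."""
    e_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e_bytes) < 256:
        header = bytes([len(e_bytes)])
    else:
        header = b"\x00" + len(e_bytes).to_bytes(2, "big")
    return "0s" + base64.b64encode(header + e_bytes + n_bytes).decode("ascii")


def keyid_of(value: str) -> str:
    """Keyid as printed by 'ipsec showhostkey --list': assumed to be the
    first nine base64 characters after the '0s' marker (matches the
    'AQO/rpT0h' shown in the thread for this key)."""
    return value[2:11]


def summarize(value: str) -> dict:
    """Return the facts a practitioner wants when checking a pasted key."""
    e, n = decode_rsasigkey(value)
    return {
        "keyid": keyid_of(value),
        "exponent": e,
        "modulus_bits": n.bit_length(),
        "roundtrips": encode_rsasigkey(e, n) == value,
    }


if __name__ == "__main__":
    for k, v in summarize(POSTED_LEFTRSASIGKEY).items():
        print("%-13s %s" % (k, v))
```

Running this on the posted key shows an exponent of 3 and a 2192-bit modulus, and the value re-encodes byte for byte, so the key in the config is complete; the failure Noam sees is therefore not a mangled public key, which is consistent with Paul's suspicion that the missing piece is the private-key side in ipsec.secrets.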