[Swan] Failure when using raw public keys with Libreswan 3.19rc3

Noam Singer noam at fortycloud.com
Tue May 9 07:13:45 UTC 2017


Hello Paul,

Thanks for assisting

This has resolved the issue!!!

Many thanks!!!

A few issues though:

1. When running this command, I am getting:
    root at ip-10-10-10-200:/home/ubuntu# ipsec newhostkey --output /etc/ipsec.secrets
    /usr/lib/ipsec/newhostkey: WARNING: file "/etc/ipsec.secrets" exists, appending to it
    Generated RSA key pair with CKAID 7cc12381fa13498b79c2e8216411d62cf6254e62 was stored in the NSS database
Although the warning says that the key would be appended, the file is
actually completely overwritten.

2. I created the key by using the command:
    sudo ipsec newhostkey --output /etc/ipsec.secrets --nssdir /etc/ipsec.d --seeddev /dev/urandom --bits 2192
Still, the keys are not placed in /etc/ipsec.secrets. They are only placed there when running the
command "ipsec newhostkey --output /etc/ipsec.secrets".

Thanks for all your help.



Noam Singer


On Mon, May 8, 2017 at 6:44 PM, Paul Wouters <paul at nohats.ca> wrote:

>
> (CC:ing Andrew as he has done most of the rewriting around RSA code)
>
>
> On Mon, 8 May 2017, Noam Singer wrote:
>
> Date: Mon, 8 May 2017 11:22:45
>> I am upgrading from LibreSwan 3.16 to 3.19rc3
>> I am using raw public-keys as in this connection example:
>>
>>
>> The public keys were taken using:
>> root at ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --list
>> < 1> RSA keyid: AQO/rpT0h ckaid: 8163e2fd150ff23c28dd49bfce039cdf7f3637dd
>> root at ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --rsaid AQO/rpT0h --left
>>         # rsakey AQO/rpT0h
>>        leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFa
>> ju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj
>> 6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vY
>> I/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0
>> mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjEC
>> N2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx
>>
>>
>> However, the connection fails with the following errors in auth.log
>>
>>
>> 642-May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181:
>> unable to locate my private key for RSA Signature
>>
>
> I think this is caused by us "needing" to have the RSA information in
> /etc/ipsec.secrets even though we are not supposed to need it.
>
> If you run: ipsec newhostkey --output /etc/ipsec.secrets and then use
> the same method to configure the key, does it work?
>
> I think when the connection is added, the RSA keys are not properly
> added unless the ipsec.secrets sauce is there :/
>
> Paul
>