[Swan] host-host tunnel using Certificates !

Kesava Vunnava (kesriniv) kesriniv at cisco.com
Thu Nov 30 07:01:22 UTC 2017


Hi,

Trying to bring up a host-to-host tunnel using libreswan (Linux Libreswan 3.20 (netkey) on 3.10.0-514.26.2.el7.x86_64) on CentOS, using certificates as the authentication mechanism. Before this I was able to test "preshared key" and "unauthenticated OE", and both of them work fine.

With certificates, pluto was throwing the following error:
#########################################
002 "test" #2: initiating v2 parent SA
133 "test" #2: STATE_PARENT_I1: initiate
133 "test" #2: STATE_PARENT_I1: sent v2I1, expected v2R1
003 "test" #2: Failed to find our RSA key
################################################

I can see that the RSA key is there in the NSS DB ("certutil -K -d sql:/etc/ipsec.d/").

Steps followed:
1] Generated self-signed certificates on both hosts.
2] Exported the certs and ensured that importing the peer's cert was working fine ("certutil -L -d sql:/etc/ipsec.d").
3] Please find attached /etc/ipsec.conf.
4] Started ipsec, added the connection ("ipsec auto --add <conn>") and tried to bring it up ("ipsec auto --up <conn>").

As per the libreswan documentation, it looks like pluto should be referring to the NSS DB for private keys and certs. It looks like we are missing some configuration here.
Please let me know the needed configuration .

Thanks a lot.

Regards,
Kesav.


Kesava Vunnava
ENGINEER.SOFTWARE ENGINEERING

kesriniv at cisco.com
Mobile: 7893426891


-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.conf
Type: application/octet-stream
Size: 333 bytes
Desc: ipsec.conf
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20171130/8f4fc822/attachment.obj>
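The attached ipsec.conf is not reproduced on this page, so the following is an added example, not the poster's configuration or libreswan project code, of how a host-to-host IKEv2 connection is wired to certificates that live in libreswan's NSS database. pluto locates the local private key through the certificate nickname given in leftcert= together with leftrsasigkey=%cert (rather than through an ipsec.secrets entry), which is the piece of configuration the message asks about. The host names, addresses, nicknames and the conn name "test" are assumptions for illustration; the certutil and ipsec invocations are only called from the commented usage lines, so the script itself can be sourced on any machine.

```shell
#!/bin/sh
# Added example (not from the original post or from libreswan): certificate
# authentication for a libreswan host-to-host tunnel, keys held in the NSS DB.
# Addresses, nicknames and DNS names below are assumptions for illustration.

NSSDIR="sql:/etc/ipsec.d"

# Create the NSS DB if it does not exist yet (libreswan's own helper).
init_nss_db() {
    ipsec initnss
}

# Generate a 2048-bit RSA key and a self-signed certificate for this host,
# stored directly in the NSS DB under nickname $1 with CN and DNS SAN $2.
# The nickname is what leftcert= must reference: pluto finds the private key
# through it, so the key never has to leave the database.
make_self_signed() {
    certutil -S -x -d "$NSSDIR" -n "$1" -s "CN=$2" -8 "$2" \
        -k rsa -g 2048 -v 12 -t "CT,," -z /dev/urandom
}

# Export the local certificate (public part only) as PEM to hand to the peer.
export_cert() {
    certutil -L -d "$NSSDIR" -n "$1" -a > "$1.pem"
}

# Import the peer's self-signed certificate. There is no separate CA, so the
# peer cert is its own issuer and is imported as a trusted CA ("CT,,") so that
# pluto can validate the certificate the peer presents during IKE_AUTH.
import_peer_cert() {
    certutil -A -d "$NSSDIR" -n "$1" -t "CT,," -a -i "$1.pem"
}

# Check that a private key for nickname $1 is present in the NSS DB.
has_private_key() {
    certutil -K -d "$NSSDIR" 2>/dev/null | grep -q "$1"
}

# Emit the conn section. leftcert= names the local cert in the NSS DB,
# *rsasigkey=%cert tells pluto to take both public keys from certificates
# rather than from ipsec.secrets, and %fromcert derives each side's ID from
# its certificate subject. Arguments: conn name, local IP, local cert
# nickname, peer IP.
gen_conn_conf() {
    conn=$1; left_ip=$2; left_nick=$3; right_ip=$4
    cat <<EOF
conn $conn
    left=$left_ip
    leftcert=$left_nick
    leftid=%fromcert
    leftrsasigkey=%cert
    right=$right_ip
    rightid=%fromcert
    rightrsasigkey=%cert
    authby=rsasig
    ikev2=insist
    auto=add
EOF
}

# Sanity check on a conn section passed as $1: it must name a leftcert and use
# %cert on both sides, otherwise pluto has no way to locate the local RSA key.
conf_uses_nss_cert() {
    printf '%s\n' "$1" | grep -q '^ *leftcert=.' &&
    [ "$(printf '%s\n' "$1" | grep -c 'rsasigkey=%cert')" -eq 2 ]
}

# Usage on host A (192.0.2.1, nickname hostA) with peer host B (192.0.2.2):
#   init_nss_db
#   make_self_signed hostA hosta.example.test
#   export_cert hostA            # copy hostA.pem to B; fetch hostB.pem from B
#   import_peer_cert hostB
#   has_private_key hostA || echo "no private key for hostA in $NSSDIR"
#   gen_conn_conf test 192.0.2.1 hostA 192.0.2.2 >> /etc/ipsec.conf
#   ipsec auto --add test && ipsec auto --up test
# Host B mirrors this with hostB as leftcert and 192.0.2.1 as right.
gen_conn_conf test 192.0.2.1 hostA 192.0.2.2
```

The same conn section works unchanged on both hosts if left/right are swapped; only leftcert= differs, since each host must name the certificate whose private key it holds. Run certutil -K after the import step on each side: the nickname named in leftcert= must appear there, and the peer's nickname must not, which confirms that only the public part of the peer cert was exchanged.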