[Swan] host-host tunnel using Certificates !
Paul Wouters
paul at nohats.ca
Thu Nov 30 13:57:43 UTC 2017
On Thu, 30 Nov 2017, Kesava Vunnava (kesriniv) wrote:
> Trying to UP host-host tunnel using libreswan (Linux Libreswan 3.20 (netkey) on 3.10.0-514.26.2.el7.x86_64 ) over
> CentOS using Certificates as authentication mechanism. Before this able to test “preshared key”,
> “unauthenticated OE” and both of them work fine.
I didn't know PSK worked. We don't really test/recommend it because
sharing your key with all nodes basically gives the same security
as authnull (in case of a single node compromise that leaks the PSK)
> With Certificates, pluto was throwing the following error:
> 133 "test" #2: STATE_PARENT_I1: sent v2I1, expected v2R1
> 003 "test" #2: Failed to find our RSA key
We had a few releases where there was confusion about the ipsec.secret
entry being needed or not for RSA/certs. Could you re-test this
with 3.22? You can find rpms on download.libreswan.org/binaries/rhel/7/
> 1] Generated self-signed certificates on both the hosts.
There was also a bug introduced a few versions ago that would
cause NSS to reject all self-signed certs without a CA. So please
do try 3.22.
But note, the whole idea of using certificates is that you don't
hardcode any certs, and use a common CA for trust, so you should
really not be using self-signed certs for this, but generate these
from a single CA and install the CA everywhere. The easiest is to
generate PKCS#12 (.p12) files and import these using "ipsec import".
Paul
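The CA-based setup Paul recommends above, as an added example that is not part of the original thread and not libreswan's own tooling: one private CA signs a certificate per host, and each host gets a PKCS#12 bundle (key + host cert + CA cert) that `ipsec import` can load into NSS. The host names `east` and `west`, the CA name, the export password and the working directory are assumptions for the demo; the script does not run `ipsec import` itself.

```shell
#!/bin/sh
# Added example: one CA, one signed certificate per host, one .p12 per host.
# Requires the openssl CLI. Names, password and directory are demo assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12_PASS="changeme"      # demo export password; "ipsec import" asks for it

# make_ca: create the single trust root every host will verify peers against.
make_ca() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = ExampleVPN CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# make_host_cert HOST: key + CSR, CA-signed cert with a SAN, then a .p12 bundle.
make_host_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" \
    -subj "/CN=$host" 2>/dev/null
  # End-entity extensions: no CA bit, SAN matching the host name used as an ID.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nkeyUsage=digitalSignature\n' \
    "$host" > "$WORKDIR/$host.ext"
  openssl x509 -req -days 365 -in "$WORKDIR/$host.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/$host.ext" -out "$WORKDIR/$host.crt" 2>/dev/null
  # Bundle key, host cert and CA cert so a single import installs all three.
  openssl pkcs12 -export -name "$host" \
    -inkey "$WORKDIR/$host.key" -in "$WORKDIR/$host.crt" \
    -certfile "$WORKDIR/ca.crt" \
    -out "$WORKDIR/$host.p12" -passout "pass:$P12_PASS"
  rm -f "$WORKDIR/$host.csr" "$WORKDIR/$host.ext"
}

# verify_host HOST: the check to run before shipping a bundle to a host:
# the cert chains to the CA and the .p12 opens with the password.
verify_host() {
  host="$1"
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$host.crt" >/dev/null &&
  openssl pkcs12 -in "$WORKDIR/$host.p12" -passin "pass:$P12_PASS" -noout
}

main() {
  make_ca
  for h in east west; do
    make_host_cert "$h"
    verify_host "$h"
    echo "ready: $WORKDIR/$h.p12  (copy to $h, then run: ipsec import $h.p12)"
  done
}

main
```

Each host imports only its own bundle; the shared part is the CA certificate inside it, which is what lets either side validate the peer without any peer certificate being hardcoded. The `-name` given to `openssl pkcs12` becomes the NSS nickname that `leftcert=` in ipsec.conf refers to.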