[Swan] cannot locate my private key for RSA Signature

Paul Wouters paul at nohats.ca
Sun Feb 18 02:21:25 UTC 2018


On Sat, 17 Feb 2018, klwilson227 at comcast.net wrote:

> I have just installed two Centos7 systems and am attempting to get libreswan setup.
> Naively used DHCP for the hosts initially. Moved to static later on not sure if this is part of the issues I am having.
> 
> I ran the following on both machines:
> 
> Ipsec nssinit
> 
> Ipsec newhostkey
> 
> Then I configured the host-to-host.conf two endpoints with their IP and keys that:

Did you use ipsec showhostkey --list and ipsec showhostkey --left/--right to add the
proper public keys in your configuration?

> 003 “host-to-host” #4: unable to locate my private key for RSA Signature
> 224 “host-to-host” #4: STATE_MAIN_I2: AUTHENTICATION_FAILED to 192.168.89.6:500

Looks like your rightrsasigkey= and leftrsasigkey= are not properly
configured.

> conn host-to-host
>         left=192.168.89.7
>         leftid="@k1"
>         leftrsasigkey=[keyid AwEAAexla]

Do you have actual [brackets] there? It should not look like that.

>         rightrsasigkey=[keyid AwEAAejt9]

> 000 List of RSA Public Keys:
> 000 
> 000 Feb 17 12:21:16 2018, 3488 RSA Key AwEAAejt9 (no private key), until --- -- --:--:-- ---- ok (expires never)
> 000        ID_FQDN '@k2'
> 000 Feb 17 12:21:16 2018, 3120 RSA Key AwEAAexla (no private key), until --- -- --:--:-- ---- ok (expires never)
> 000        ID_FQDN '@k1'

You seem to have no private keys for those public keys?

Did you reinit your nss database after grabbing the public keys?

The order to do things should be:

- ipsec stop
- delete unknown nss db: rm /etc/ipsec.d/*db
- start a new nss db: ipsec initnss 
- generate a new key: ipsec newhostkey

Once you have done that on both sides, you can get the public keys on
both ends to put in the configuration file.

- ipsec showhostkey --list  (look at the ckaid)
- ipsec showhostkey --ckaid XXXX --left  (where XXXX is the ckaid from
   the previous command)
- put the output of that in the config either as leftckaid=/rightckaid=
   or leftrsasigkey= / rightrsasigkey=

See also https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Using_raw_RSA_keys_with_NSS

Paul
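The sequence Paul lays out above, wrapped into a small script as an added example (not code from the post or from the libreswan project). It assumes libreswan's `ipsec` commands are installed; the `reinit_host_key` function is the destructive reset from the reply, `show_side_key` wraps the `--ckaid ... --left/--right` step, and `check_rsasigkey` is an added check that refuses a bracketed `[keyid ...]` value of the kind quoted in the thread. The `authby=rsasig` and `auto=add` lines in the rendered conn are assumptions of this example, not something the reply specifies.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the libreswan project.
# Assumes libreswan's "ipsec" wrapper is on PATH.

# Reset the NSS database and generate a fresh host key, in the order given
# in the reply. Destructive: removes /etc/ipsec.d/*db.
reinit_host_key() {
    ipsec stop
    rm -f /etc/ipsec.d/*db
    ipsec initnss
    ipsec newhostkey
    ipsec showhostkey --list    # note the ckaid printed here
}

# Print the leftrsasigkey=/rightrsasigkey= line for the key with CKAID $1,
# formatted for side $2 ("left" or "right").
show_side_key() {
    ipsec showhostkey --ckaid "$1" "--$2"
}

# Return 0 only for a bare key string: non-empty, no brackets, no "keyid"
# wrapper, no whitespace. This is what showhostkey prints after the "=".
check_rsasigkey() {
    case "$1" in
        ''|*'['*|*']'*|*' '*|*"$(printf '\t')"*) return 1 ;;
    esac
    return 0
}

# Render a host-to-host conn from the two sides' values; refuses to emit
# the conn if either key fails the format check above.
# Arguments: left_ip left_id left_key right_ip right_id right_key
render_conn() {
    check_rsasigkey "$3" || { echo "bad leftrsasigkey: $3" >&2; return 1; }
    check_rsasigkey "$6" || { echo "bad rightrsasigkey: $6" >&2; return 1; }
    printf 'conn host-to-host\n'
    printf '\tleft=%s\n\tleftid="%s"\n\tleftrsasigkey=%s\n' "$1" "$2" "$3"
    printf '\tright=%s\n\trightid="%s"\n\trightrsasigkey=%s\n' "$4" "$5" "$6"
    printf '\tauthby=rsasig\n\tauto=add\n'    # assumed settings for this example
}

# Only act when explicitly asked, so sourcing this file is harmless.
case "${1:-}" in
    reinit) reinit_host_key ;;
    show)   show_side_key "$2" "$3" ;;
esac
```

Run `sh setup.sh reinit` on each host, take the ckaid from the `--list` output, then `sh setup.sh show <ckaid> left` on one host and `... right` on the other; the values after `=` are what go into `render_conn`, and the check fails fast if the value was pasted with brackets around it.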

