[Swan] cannot locate my private key for RSA Signature

Kevin Wilson klwilson227 at comcast.net
Sun Feb 18 14:22:41 UTC 2018




> On Feb 17, 2018, at 7:21 PM, Paul Wouters <paul at nohats.ca> wrote:
> 
>> On Sat, 17 Feb 2018, klwilson227 at comcast.net wrote:
>> 
>> I have just installed two CentOS 7 systems and am attempting to get libreswan set up.
>> Naively used DHCP for the hosts initially. Moved to static later on; not sure if this is part of the issues I am having.
>> I ran the following on both machines:
>> ipsec nssinit
>> ipsec newhostkey
>> Then I configured the host-to-host.conf two endpoints with their IP and keys:
> 
> Did you use ipsec showhostkey --list and ipsec showhostkey --left/--right to add the
> proper public keys in your configuration?

Yes
> 
>> 003 “host-to-host” #4: unable to locate my private key for RSA Signature
>> 224 “host-to-host” #4: STATE_MAIN_I2: AUTHENTICATION_FAILED to 192.168.89.6:500
> 
> Looks like your rightrsasigkey= and leftrsasigkey= are not properly
> configured.
> 
>> conn host-to-host
>>         left=192.168.89.7
>>         leftid="@k1"
>>         leftrsasigkey=[keyid AwEAAexla]

No, I used the line from ipsec showhostkey --left --ckaid ... that is returned with
leftrsasigkey=...==

This may be where my confusion is. The line output from the command with leftrsasigkey is what I used. The one that actually looks like a key and is prefixed with the same name as the field to be added to the config.

> 
> Do you have actual [brackets] there? It should not look like that.
> 
>>         rightrsasigkey=[keyid AwEAAejt9]
> 
>> 000 List of RSA Public Keys:
>> 000 
>> 000 Feb 17 12:21:16 2018, 3488 RSA Key AwEAAejt9 (no private key), until --- -- --:--:-- ---- ok (expires never)
>> 000        ID_FQDN '@k2'
>> 000 Feb 17 12:21:16 2018, 3120 RSA Key AwEAAexla (no private key), until --- -- --:--:-- ---- ok (expires never)
>> 000        ID_FQDN '@k1'
> 
> You seem to have no private keys for those public keys?

I am not sure how this happens.

> 
> Did you reinit your nss database after grabbing the public keys?

No, generated new keys only. Did not think dropping the DB should be necessary. I can try that now.
> 
> the order to do things should be:
> 
> - ipsec stop
> - delete unknown nss db: rm /etc/ipsec.d/*db
> - start a new nss db: ipsec initnss
> - generate a new key: ipsec newhostkey

Thanks this will help.

> Once you have done that on both sides, you can get the public keys on
> both ends to put in the configuration file.
> 
> - ipsec showhostkey --list  (look at the ckaid)
> - ipsec showhostkey --ckaid XXXX --left  (where XXXX is the ckaid from
>  the previous command)
> - put the output of that in the config either as leftckaid=/rightckaid=
>  or leftrsasigkey= / rightrsasigkey=
> 
> See also https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Using_raw_RSA_keys_with_NSS
> 
> Paul
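Added example, not from the thread or from libreswan itself: a small Python check over a pasted conn block and the RSA key listing, flagging the two things discussed above, a bracketed [keyid ...] placeholder in leftrsasigkey=/rightrsasigkey= where the 0s<base64> value printed by showhostkey belongs, and public keys listed with "(no private key)", which is what produces "unable to locate my private key for RSA Signature". Both sample inputs are constructed from the thread; the "(has private key)" wording for the good case is an assumption.

```python
import re
# Constructed sample: the conn block from the thread, with the bracketed placeholders.
SAMPLE_CONF = """conn host-to-host
        left=192.168.89.7
        leftid="@k1"
        leftrsasigkey=[keyid AwEAAexla]
        right=192.168.89.6
        rightid="@k2"
        rightrsasigkey=[keyid AwEAAejt9]
"""

# Constructed sample of the RSA key listing pasted in the thread.
SAMPLE_LISTING = """000 List of RSA Public Keys:
000 Feb 17 12:21:16 2018, 3488 RSA Key AwEAAejt9 (no private key), until --- -- --:--:-- ---- ok (expires never)
000        ID_FQDN '@k2'
000 Feb 17 12:21:16 2018, 3120 RSA Key AwEAAexla (no private key), until --- -- --:--:-- ---- ok (expires never)
000        ID_FQDN '@k1'
"""

# Assumption: pluto prints "(has private key)" when the key pair is present.
KEY_RE = re.compile(r"RSA Key (\S+) \((no|has) private key\)")
ID_RE = re.compile(r"ID_\w+ '([^']+)'")
SIGKEY_RE = re.compile(r"^\s*(left|right)rsasigkey=(.*?)\s*$", re.M)

def check_rsasigkey_values(conf):
    """Flag rsasigkey= values that are not the raw key showhostkey prints (0s<base64>)."""
    problems = []
    for side, value in SIGKEY_RE.findall(conf):
        if value.startswith("[") or "keyid" in value:
            problems.append(f"{side}rsasigkey is a placeholder, not a key: {value}")
        elif not re.fullmatch(r"0s[A-Za-z0-9+/=]+", value):
            problems.append(f"{side}rsasigkey is not of the form 0s<base64>: {value}")
    return problems

def keys_without_private(listing):
    """Return {id: keyid} for public keys pluto reports with no private key."""
    missing, pending = {}, None
    for line in listing.splitlines():
        key, ident = KEY_RE.search(line), ID_RE.search(line)
        if key:                      # the key line precedes its ID line
            pending = key.group(1) if key.group(2) == "no" else None
        elif ident and pending:
            missing[ident.group(1)] = pending
            pending = None
    return missing

def diagnose(conf, listing):
    """Both checks as one list of findings; an empty list means nothing was flagged."""
    findings = check_rsasigkey_values(conf)
    for ident, keyid in keys_without_private(listing).items():
        findings.append(f"{ident} (key {keyid}) has no private key in the NSS db; "
                        "if that is the local id, redo initnss and newhostkey")
    return findings
```

Run diagnose() on your own ipsec.conf conn block and the key listing from your host; on each host the local id must not appear in the "no private key" findings.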
