[Swan] cannot locate my private key for RSA Signature

klwilson227 at comcast.net klwilson227 at comcast.net
Sun Feb 18 19:01:14 UTC 2018


Paul, I ran the attached reset script to reconfigure the environment. Hopefully there is absolutely no ambiguity in what I am attempting to do or use in my configuration. I also attached the host_to_host.conf file that results from the script, showing the final state. 

Your email regarding the left/right rsasigkey was a bit confusing. I believe these are right the way I have them. 
I have double checked that the keys in the file are appropriate for the hosts. This seems to be consistent with the other documentation and things I have seen on the web. 

I added the reset process for the databases so now there is only one key per host. 

192.168.89.6 is k2
192.168.89.7 is k1

However, I am still running into the same problems. I have attached the conf file as well. 

003 "host-to-host" #5: unable to locate my private key for RSA Signatures
224 "host-to-host" #5:  STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "host-to-host" #5: sending notification AUTHENTICATION_FAILED to 192.168.89.6:500

I also tried adding leftckaid=/rightckaid=, but this ran into parsing errors. So I have continued using the rsasigkeys.

-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca] 
Sent: Saturday, February 17, 2018 7:21 PM
To: klwilson227 at comcast.net
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] cannot locate my private key for RSA Signature

On Sat, 17 Feb 2018, klwilson227 at comcast.net wrote:

> I have just installed two Centos7 systems and am attempting to get libreswan setup.
> Naively used DHCP for the hosts initially. Moved to static later on not sure if this is part of the issues I am having.
> 
> I ran the following on both machines:
> 
> Ipsec nssinit
> 
> Ipsec newhostkey
> 
> Then I configured the two endpoints in host-to-host.conf with their IPs and keys:

Did you use ipsec showhostkey --list and ipsec showhostkey --left/--right to add the proper public keys to your configuration?

> 003 “host-to-host” #4: unable to locate my private key for RSA 
> Signature
> 224 “host-to-host” #4: STATE_MAIN_I2: AUTHENTICATION_FAILED to 
> 192.168.89.6:500

Looks like your rightrsasigkey= and leftrsasigkey= are not properly configured.

> conn host-to-host
>         left=192.168.89.7
>         leftid="@k1"
>         leftrsasigkey=[keyid AwEAAexla]

Do you have actual [brackets] there? It should not look like that.

>         rightrsasigkey=[keyid AwEAAejt9]

> 000 List of RSA Public Keys:
> 000
> 000 Feb 17 12:21:16 2018, 3488 RSA Key AwEAAejt9 (no private key), 
> until --- -- --:--:-- ---- ok (expires never)
> 000        ID_FQDN '@k2'
> 000 Feb 17 12:21:16 2018, 3120 RSA Key AwEAAexla (no private key), 
> until --- -- --:--:-- ---- ok (expires never)
> 000        ID_FQDN '@k1'

You seem to have no private keys for those public keys?

Did you reinit your nss database after grabbing the public keys?

The order to do things should be:

- ipsec stop
- delete unknown nss db: rm /etc/ipsec.d/*db
- start a new nss db: ipsec initnss
- generate a new key: ipsec newhostkey

Once you have done that on both sides, you can get the public keys on both ends to put in the configuration file.

- ipsec showhostkey --list  (look at the ckaid)
- ipsec showhostkey --ckaid XXXX --left  (where XXXX is the ckaid from the previous command)
- put the output of that in the config either as leftckaid=/rightckaid= or leftrsasigkey=/rightrsasigkey=

See also https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Using_raw_RSA_keys_with_NSS

Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: reset.sh
Type: application/octet-stream
Size: 1124 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20180218/5c6893cf/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: host_to_host.conf
Type: application/octet-stream
Size: 1355 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20180218/5c6893cf/attachment-0001.obj>
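A small lint for the rsasigkey values discussed in this thread, added here as an example; it is not code from the thread or from libreswan. It catches the bracketed "[keyid AwEAAexla]" form that Paul flags and, optionally, cross-checks each value against the keyid pluto logs for that host. Assumptions: a raw key in ipsec.conf is "0s" followed by base64, as "ipsec showhostkey --left/--right" prints it, and the logged keyid is the leading part of that base64 (the names check_rsasigkey_conf and the sample conf are constructed for this example).

```bash
#!/usr/bin/env bash
# check_rsasigkey_conf FILE [LEFT_KEYID] [RIGHT_KEYID]
# Lints left/rightrsasigkey= in an ipsec.conf-style file. Assumptions (not
# stated on the page): a raw key is "0s" + base64, as showhostkey prints it,
# and the keyid pluto logs (e.g. AwEAAexla) is the leading part of that base64.
# Prints one line per problem; returns 0 when every value looks sane.
check_rsasigkey_conf() {
    local file=$1 want_left=${2:-} want_right=${3:-} rc=0
    local side line val want
    for side in left right; do
        # last assignment wins, as in ipsec.conf; strip comments and quotes
        line=$(grep -E "^[[:space:]]*${side}rsasigkey[[:space:]]*=" "$file" | tail -n1)
        if [ -z "$line" ]; then
            echo "$file: ${side}rsasigkey= is missing"; rc=1; continue
        fi
        val=${line#*=}; val=${val%%#*}
        val=$(printf '%s' "$val" | tr -d '[:space:]"')
        case $val in
            *\[*|*\]*)   # the "[keyid AwEAAexla]" mistake from the thread
                echo "$file: ${side}rsasigkey has brackets: $val"; rc=1; continue ;;
            %cert|%dns|%dnsondemand|%none)   # non-raw-key forms, nothing to check
                continue ;;
            0s*) ;;
            *)
                echo "$file: ${side}rsasigkey is not 0s<base64>: $val"; rc=1; continue ;;
        esac
        # a real key is long base64; a bare 9-character keyid is not a key
        if ! printf '%s' "${val#0s}" | grep -Eq '^[A-Za-z0-9+/]{64,}={0,2}$'; then
            echo "$file: ${side}rsasigkey looks truncated or malformed: $val"; rc=1; continue
        fi
        # optional: cross-check against the keyid pluto reports for that host
        if [ "$side" = left ]; then want=$want_left; else want=$want_right; fi
        case ${val#0s} in
            "$want"*) ;;   # an empty expected keyid matches anything
            *) echo "$file: ${side}rsasigkey does not start with keyid $want"; rc=1 ;;
        esac
    done
    return "$rc"
}
```

Run it as `check_rsasigkey_conf /etc/ipsec.d/host-to-host.conf AwEAAexla AwEAAejt9` with the keyids taken from the "List of RSA Public Keys" output for @k1 and @k2; a non-zero exit with a message points at the side to fix.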