[Swan] cannot locate my private key for RSA Signature

Kevin Wilson klwilson227 at comcast.net
Tue Feb 20 16:50:34 UTC 2018


From a new installation it appears the —output arg on newhostkey should be mandatory. The connection gets established properly once this was put into place.

Sent from my iPhone

> On Feb 19, 2018, at 8:10 PM, Paul Wouters <paul at nohats.ca> wrote:
> 
>> On Sun, 18 Feb 2018, klwilson227 at comcast.net wrote:
>> 
>> Paul, I tried ran the attached  reset script to reconfigure the environment. Hopefully there is absolutely no ambiguity in what I am attempting to do or use in my configuration. I also attached the host_to_host.conf file that results from the script showing the final state.
> 
> I checked it and it looks fine. It should work. Are you at least on 3.21
> to ensure it works without any ipsec.secrets entries?
> 
>> Your email regarding the left/right rsasigkey was a bit confusing. I believe these are right the way I have them.
> 
> Yes, it is.
> 
>> However, I am still running into the same problems. I have attached the conf file as well.
>> 
>> 003 "host-to-host" #5: unable to locate my private key for RSA Signatures
>> 224 "host-to-host" #5:  STATE_MAIN_I2: AUTHENTICATION_FAILED
>> 002 "host-to-host" #5: sending notification AUTHENTICATION_FAILED to 192.168.89.6:500
> 
> The only things I can think of at this point is that your libreswan
> version requires the ipsec.secrets entry. Change the newhostkey
> command to: ipsec newhostkey --output /etc/ipsec.secrets
> (it will overwrite the existing file)
> 
> If that doesn't solve it, maybe disable whatever security mechanisms
> might be in play? FIPS? Selinux? AppArmor ?
> 
> Paul



More information about the Swan mailing list