[Swan] host-to-host config fails with Can't find the certificate or private key

Paul Wouters paul at nohats.ca
Tue Oct 2 21:54:18 UTC 2018


On Tue, 2 Oct 2018, Alex wrote:

> Here is the process I followed on arcade:
> [root at arcade etc]# rm -f ipsec.conf
> [root at arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
> NSS database in /etc/ipsec.d not initialized.
>    Please run 'ipsec initnss --nssdir /etc/ipsec.d'
> [root at arcade etc]# ipsec initnss --nssdir /etc/ipsec.d
> Initializing NSS database
>
> [root at arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
> Generated RSA key pair with CKAID
> 78ade3745b30ac9c857147cc4de0dc1ca140e6f4 was stored in the NSS
> database

You do not need to use --output /etc/ipsec.secrets anymore for RSA/ECDSA
keys.

> [root at arcade etc]# ipsec showhostkey --right --ckaid
> 78ade3745b30ac9c857147cc4de0dc1ca140e6f4
>        # rsakey AwEAAbEfZ
>        rightrsasigkey=0sAwEAAbEfZRzZ9Y3qC80mHpZFZ1qijnJ+dl+XMHhsvGLbcVkqiJYJ43tYH3fU6eWONm6icrJAouqIcyb9DlyVTIpxHeCjnQxbEJCPOLVZZ+V40SEHasDNmKQmEODhQAXOxx69Cy+3zTmZFWbHk4rud2LsVc3M/JUggRt+zcIFueR3wUjvQxeI/LkDKDMuaqbvRTs8TUa2CpZHbWmClex/q0SLz+P+vDeWPzUHPGAaOtAtvDpn4wgjZ0QquMdPIDL3QYNQRHQT5OAeFeWsi4dlWxpy9zv4NG305cWFkGNV4089kf4dTnGTJcnKEd1Gcfy4X33q+lq3kDPjg+GAt2guCGtlYbRK7AyxHB8BhQTM4YhFOjaMcyl18v6AA8FaSRf7LRnwMgeJ1QVKk0FGD02hW3VxIYuNu/DQA//aGJgQ1BD73+Y6BhDDpVP1Sf6oN13r3Cwpf48NoQETMo0LxG/38gDXWswQ7jRcePcXIXr9VFdaC3WoxoEe29ivEx87yfwcj6FxqHwMU6en+qj/M/5aDIN7PaOuoDY9UMlhB/TP6pc1dRcHX8gr6gsVKlV7hiKyNQdI2XANaGqGCAHYMK4ojPHojQZl3ApF/VU=

So did you add this to your configuration file? (on both ends)

> 003 "mytunnel" #2: ignoring informational payload AUTHENTICATION_FAILED, msgid=00000000, length=12

The other end failed.

> Here is the process I followed on orion:
> [root at orion ~]# ipsec initnss --nssdir /etc/ipsec.d
> Initializing NSS database
>
> [root at orion ~]# ipsec newhostkey --output /etc/ipsec.secrets
> /usr/libexec/ipsec/newhostkey: WARNING: file "/etc/ipsec.secrets"
> exists, appending to it
> Generated RSA key pair with CKAID
> 192fbeeba1b10bf1e427d7447e87e6270a0f8d64 was stored in the NSS
> database
> [root at orion ~]# ipsec showhostkey --left --ckaid
> 192fbeeba1b10bf1e427d7447e87e6270a0f8d64
>        # rsakey AwEAAcM3S
>        leftrsasigkey=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

Did you add this to the configuration file (on both ends)?

> [root at orion etc]# ipsec auto --up mytunnel
> 002 "mytunnel" #1: initiating Main Mode

It looks like you did not restart libreswan; this is needed to re-open
the NSS database after adding the new keypair.

> 003 "mytunnel" #1: Can't find the certificate or private key from the NSS CKA_ID

This looks like what happens when you don't restart after adding a
keypair.

> In this version of /etc/ipsec.conf, I was experimenting with
> left/rightckaid, but I've also uncommented left/rightsigkey and tried
> that as well. The error messages above are from my attempt to use the
> keys.
>
> # /etc/ipsec.conf
> # The version 2 is only required for compatibility with openswan
> version 2
>
> config setup
>    protostack=netkey
>
> conn mytunnel
>    leftid=@west
>    left=68.195.193.42
>        # rsakey AwEAAcM3S
>        #leftrsasigkey=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
>        leftckaid=192fbeeba1b10bf1e427d7447e87e6270a0f8d64
>    rightid=@east
>    right=107.155.66.2
>        # rsakey AwEAAbEfZ
>        #rightrsasigkey=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
>        rightckaid=78ade3745b30ac9c857147cc4de0dc1ca140e6f4
>    authby=rsasig
>    # use auto=start when done testing the tunnel
>    auto=add

For the local endpoint you can use *ckaid= but for the remote endpoint
you cannot use that, you must use the actual public key, so the
*rsasigkey= version. (The CKAID is a hash of the public key so it cannot
be used as a public key, and with raw keys you do not send your public
key to the other endpoint, as is done when using certificates)

Paul
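A small checker for the misconfiguration in this thread, added here as an example and not code from the thread or from libreswan: it parses the conn sections of an ipsec.conf, decodes a `*rsasigkey=` value from libreswan's `0s` base64 (RFC 3110: exponent length, exponent, modulus) form, and flags an `authby=rsasig` conn where both ends are given only as `*ckaid=`, since a CKAID is just a hash of the public key and cannot stand in for the remote end's key. The key material and the function names are assumptions for the example; the restart requirement discussed above is not something a config lint can see.

```python
import base64
import re

# Constructed key in libreswan's "0s"+base64 RFC 3110 form (exponent length byte,
# exponent, modulus); the 64-bit modulus is made up and far too small for real use.
EXAMPLE_MODULUS = bytes.fromhex("c29a7f115d3b0845")
EXAMPLE_RSASIGKEY = "0s" + base64.b64encode(b"\x03\x01\x00\x01" + EXAMPLE_MODULUS).decode()

def parse_rsasigkey(value):
    """Decode a *rsasigkey= value into (exponent, modulus) integers."""
    if not value.startswith("0s"):
        raise ValueError("expected the 0s (base64) prefix")
    raw = base64.b64decode(value[2:], validate=True)
    if len(raw) < 3:
        raise ValueError("truncated RFC 3110 key")
    exp_len, pos = raw[0], 1
    if exp_len == 0:  # RFC 3110: a zero byte means a two-byte length follows
        exp_len, pos = int.from_bytes(raw[1:3], "big"), 3
    exponent, modulus = raw[pos:pos + exp_len], raw[pos + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated RFC 3110 key")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")

def parse_conns(conf_text):
    """Return {conn_name: {key: value}} for the conn sections; '#' comments are dropped."""
    conns, current = {}, None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def lint_rsasig_keys(conf_text):
    """Flag authby=rsasig conns whose peer cannot be verified with the keys given."""
    findings = []
    for name, params in parse_conns(conf_text).items():
        if params.get("authby") != "rsasig":
            continue
        sig_sides = [s for s in ("left", "right") if s + "rsasigkey" in params]
        if not sig_sides:  # *ckaid= only names a key in the local NSS database
            findings.append(f"{name}: no *rsasigkey=; the remote end needs its public key, a ckaid is only a hash of it")
        for side in sig_sides:
            try:
                parse_rsasigkey(params[side + "rsasigkey"])
            except ValueError as e:
                findings.append(f"{name}: {side}rsasigkey unparsable ({e})")
    return findings
```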