[Swan] host-to-host config fails with Can't find the certificate or private key

Paul Wouters paul at nohats.ca
Wed Oct 3 01:13:15 UTC 2018


The config file you posted used leftckaid= and you said you copied it to both sides which wouldn’t work. Can you confirm you are trying only with leftrsasigkey and rightrsasigkey ? If that still fails send me output using plutodebug=all and fresh certutil / showhostkey output

Sent from my phone

> On Oct 2, 2018, at 17:54, Paul Wouters <paul at nohats.ca> wrote:
> 
>> On Tue, 2 Oct 2018, Alex wrote:
>> 
>> Here is the process I followed on arcade:
>> [root at arcade etc]# rm -f ipsec.conf
>> [root at arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
>> NSS database in /etc/ipsec.d not initialized.
>>   Please run 'ipsec initnss --nssdir /etc/ipsec.d'
>> [root at arcade etc]# ipsec initnss --nssdir /etc/ipsec.d
>> Initializing NSS database
>> 
>> [root at arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
>> Generated RSA key pair with CKAID
>> 78ade3745b30ac9c857147cc4de0dc1ca140e6f4 was stored in the NSS
>> database
> 
> You do not need to use --output /etc/ipsec.secrets anymore for RSA/ECDSA
> keys.
> 
>> [root at arcade etc]# ipsec showhostkey --right --ckaid
>> 78ade3745b30ac9c857147cc4de0dc1ca140e6f4
>>       # rsakey AwEAAbEfZ
>>       rightrsasigkey=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
> 
> So did you add this to your configuration file? (on both ends)
> 
>> 003 "mytunnel" #2: ignoring informational payload AUTHENTICATION_FAILED, msgid=00000000, length=12
> 
> The other end failed.
> 
>> Here is the process I followed on orion:
>> [root at orion ~]# ipsec initnss --nssdir /etc/ipsec.d
>> Initializing NSS database
>> 
>> [root at orion ~]# ipsec newhostkey --output /etc/ipsec.secrets
>> /usr/libexec/ipsec/newhostkey: WARNING: file "/etc/ipsec.secrets"
>> exists, appending to it
>> Generated RSA key pair with CKAID
>> 192fbeeba1b10bf1e427d7447e87e6270a0f8d64 was stored in the NSS
>> database
>> [root at orion ~]# ipsec showhostkey --left --ckaid
>> 192fbeeba1b10bf1e427d7447e87e6270a0f8d64
>>       # rsakey AwEAAcM3S
>>       leftrsasigkey=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
> 
> Did you add this to the configuration file (on both ends)?
> 
>> [root at orion etc]# ipsec auto --up mytunnel
>> 002 "mytunnel" #1: initiating Main Mode
> 
> It looks like you did not restart libreswan; this is needed to re-open
> the NSS database after adding the new keypair.
> 
>> 003 "mytunnel" #1: Can't find the certificate or private key from the NSS CKA_ID
> 
> This looks like what happens when you don't restart after adding a
> keypair.
> 
>> In this version of /etc/ipsec.conf, I was experimenting with
>> left/rightckaid, but I've also uncommented left/rightsigkey and tried
>> that as well. The error messages above are from my attempt to use the
>> keys.
>> 
>> # /etc/ipsec.conf
>> # The version 2 is only required for compatibility with openswan
>> version 2
>> 
>> config setup
>>   protostack=netkey
>> 
>> conn mytunnel
>>   leftid=@west
>>   left=68.195.193.42
>>       # rsakey AwEAAcM3S
>>       #leftrsasigkey=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
>>       leftckaid=192fbeeba1b10bf1e427d7447e87e6270a0f8d64
>>   rightid=@east
>>   right=107.155.66.2
>>       # rsakey AwEAAbEfZ
>>       #rightrsasigkey=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
>>       rightckaid=78ade3745b30ac9c857147cc4de0dc1ca140e6f4
>>   authby=rsasig
>>   # use auto=start when done testing the tunnel
>>   auto=add
> 
> For the local endpoint you can use *ckaid= but for the remote endpoint
> you cannot use that, you must use the actual public key, so the
> *rsasigkey= version. (The CKAID is a hash of the public key so it cannot
> be used as a public key, and with raw keys you do not send your public
> key to the other endpoint, as is done when using certificates)
> 
> Paul
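The asymmetry Paul describes (a *ckaid= only locates a key in this host's own NSS database, so the remote endpoint must be given the real public key with *rsasigkey=) is easy to get wrong when the same ipsec.conf is copied to both hosts. The following is an added example, not libreswan's code and not anything posted in the thread: a small Python checker that parses the ipsec.conf shape used above and reports that mistake. The conn name and addresses are taken from the thread; the rsasigkey values are placeholders (the real modulus strings are not on the page), and which side is local is passed in by the caller as an assumption, since libreswan itself decides that by matching left=/right= against local addresses.

```python
"""Check the raw-RSA key settings of a libreswan ipsec.conf 'conn' section.

Added example (not libreswan's own code). It parses the minimal ipsec.conf
syntax seen in the thread (unindented 'conn NAME' / 'config setup' headers,
indented key=value lines, '#' comments) and flags the misconfiguration Paul
points out: a *ckaid= is only meaningful for the local endpoint, because the
CKAID is a hash of the public key held in the local NSS database, not the
key itself; the remote endpoint's public key must be given via *rsasigkey=.
"""

import re
from typing import Dict, List

# Constructed sample mirroring the config posted in the thread. The rsasigkey
# values are placeholders; the real keys are not on the page.
SAMPLE_CONF = """\
# /etc/ipsec.conf
version 2

config setup
  protostack=netkey

conn mytunnel
  leftid=@west
  left=68.195.193.42
      #leftrsasigkey=0sAwEAAcM3S-PLACEHOLDER
      leftckaid=192fbeeba1b10bf1e427d7447e87e6270a0f8d64
  rightid=@east
  right=107.155.66.2
      #rightrsasigkey=0sAwEAAbEfZ-PLACEHOLDER
      rightckaid=78ade3745b30ac9c857147cc4de0dc1ca140e6f4
  authby=rsasig
  # use auto=start when done testing the tunnel
  auto=add
"""

# The corrected form for the host that is 'left' (west): its own key is found
# by CKAID, the peer's key is supplied as the actual public key (placeholder).
FIXED_CONF_FOR_WEST = SAMPLE_CONF.replace(
    "#rightrsasigkey=0sAwEAAbEfZ-PLACEHOLDER", "rightrsasigkey=0sAwEAAbEfZ-PLACEHOLDER"
)


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'conn NAME' or 'config setup': {key: value}} for the given text."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop '#' comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # unindented: section header or 'version 2'
            m = re.match(r"(conn|config)\s+(\S+)", line)
            current = f"{m.group(1)} {m.group(2)}" if m else None
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def check_raw_rsa_conn(conn: Dict[str, str], local_side: str) -> List[str]:
    """Return a list of problems for a raw-RSA conn; empty means the key settings look right.

    local_side is 'left' or 'right' (assumption: the caller knows which side this
    host is).
    """
    if not conn.get("authby", "rsasig").startswith("rsa"):
        return []  # only raw-RSA authentication is checked here
    remote_side = "right" if local_side == "left" else "left"
    problems: List[str] = []

    # Remote endpoint: a CKAID cannot stand in for the peer's public key.
    if f"{remote_side}rsasigkey" not in conn:
        if f"{remote_side}ckaid" in conn:
            problems.append(
                f"{remote_side}ckaid= set but {remote_side}rsasigkey= missing: the CKAID "
                "is a hash of the public key, so the peer's key must be given as rsasigkey="
            )
        else:
            problems.append(f"no {remote_side}rsasigkey= for the remote endpoint")

    # Local endpoint: either the CKAID or the public key is enough to find the private key in NSS.
    if f"{local_side}ckaid" not in conn and f"{local_side}rsasigkey" not in conn:
        problems.append(f"no {local_side}ckaid= or {local_side}rsasigkey= for the local endpoint")
    return problems


if __name__ == "__main__":
    conn = parse_ipsec_conf(SAMPLE_CONF)["conn mytunnel"]
    for side in ("left", "right"):
        print(f"as {side}:", check_raw_rsa_conn(conn, side) or "ok")
    fixed = parse_ipsec_conf(FIXED_CONF_FOR_WEST)["conn mytunnel"]
    print("fixed, as left:", check_raw_rsa_conn(fixed, "left") or "ok")
    print("fixed, as right:", check_raw_rsa_conn(fixed, "right") or "ok")
```

Running it shows the posted config failing on both hosts, and the corrected file passing only on the host it was written for: the same file is not valid when copied to the other side, because there the ckaid= now names the remote endpoint. A matching config for east needs leftrsasigkey= uncommented instead.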
