[Swan] host-to-host config fails with Can't find the certificate or private key
Alex
mysqlstudent at gmail.com
Mon Oct 8 16:12:37 UTC 2018
Hi,
I'm still having difficulty and really don't know what to do. Somehow
the private keys have disappeared:
# ipsec auto --listall
000
000 List of RSA Public Keys:
000
000 Oct 07 22:29:57 2018, 3120 RSA Key AwEAAbKKB (no private key),
until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@orion-arcade'
000 Oct 07 22:29:57 2018, 3536 RSA Key AwEAAbV5+ (no private key),
until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@arcade-orion'
000 Oct 07 22:29:52 2018, 3360 RSA Key AwEAAewqo (has private key),
until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@arcade-bwimail03'
000 Oct 07 22:29:52 2018, 3920 RSA Key AwEAAbT0Q (no private key),
until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@bwimail03-arcade'
At least the second one was created on this host but has now
disappeared. How do I delete those broken keys without having to
remove the whole database? What could cause this to happen?
Thanks,
Alex
On Sun, Oct 7, 2018 at 11:12 AM Alex <mysqlstudent at gmail.com> wrote:
>
> Hi,
>
> > > I've attached the logs from the last few minutes after "ipsec start;
> > > ipsec auto --add mytunnel; ipsec auto --up mytunnel" on both sides.
> > > I've also attached the "ipsec status" output from both sides. I've
> > > also attached the current ipsec.conf used on both sides.
> >
> > Run ipsec whack --listpubkeys on both ends and confirm you have the
> > proper keys configured?
> >
> > If not using identical ipsec.conf files on both ends, ensure that you
> > did not accidentally swap the two keys on one end? Because if you
> > really only have two keys and libreswan tried the wrong key, that's
> > the only thing that could have happened, since there would only be
> > one other key that could be the wrong one which is their own key.
>
> The whole system seems very fragile. I'm confident the keys are
> correct. These are the steps I followed:
>
> orion is the local side and arcade is the remote side.
>
> - initnss on both sides
> - "ipsec newhostkey --output /etc/ipsec.secrets" on both sides
> - ipsec showhostkey --left --ckaid <ckaid key> on local side
> - ipsec showhostkey --right --ckaid <ckaid key> on remote side
> - create /etc/ipsec.conf using the left/rightid and left/right IPs and
> left/rightrsasigkey from both sides
> - scp /etc/ipsec.conf to other side.
> - ipsec setup start on both sides
> - ipsec auto --add <tunnel name> on both sides
> - ipsec auto --up <tunnel name> on both sides
>
> Yesterday I believe I had it working following these steps. The remote
> side shows there are two tunnels up on the remote side (one is the
> other tunnel to the other mail server), but the tunnel on the local
> side (orion) was only loaded, not active.
>
> Now when I try to bring up the tunnel, it fails with that "failed
> (wrong key?)" error:
>
> # ipsec auto --up oriontun
> 003 "oriontun" #4: Signature check (on @arcade-orion) failed (wrong
> key?); tried *AwEAAdDiX
> 133 "oriontun" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
> 002 "oriontun" #3: local ESP/AH proposals for oriontun (IKE SA
> initiator emitting ESP/AH proposals):
> 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
> 2:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED
> 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
> 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
> 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
> 134 "oriontun" #4: STATE_PARENT_I2: sent v2I2, expected v2R2
> {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=DH19}
> 002 "oriontun" #4: IKEv2 mode peer ID is ID_FQDN: '@arcade-orion'
> 003 "oriontun" #4: Signature check (on @arcade-orion) failed (wrong
> key?); tried *AwEAAdDiX
> 002 "oriontun" #4: Digital Signature authentication failed
> 036 "oriontun" #4: encountered fatal error in state STATE_PARENT_I2
>
> I've verified they are the correct keys on both sides. One thing I
> noticed with "ipsec status" is this line:
>
> 000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
>
> The /var/lib/unbound/root.key file looks to have been created at midnight:
>
> # ls -l /var/lib/unbound/root.key
> -rw-r--r-- 1 unbound unbound 1251 Oct 7 00:00 /var/lib/unbound/root.key
>
> Could this be the cause? Other than the date, the file appears to be
> the same one as was generated the day prior.
>
> A few questions:
> - How do I delete keys from the NSS database? I can list them with
> "certutil -K -d sql:/etc/ipsec.d" or "ipsec showhostkey --list", but
> how can I delete them?
> - Are there similar easy steps for creating a host-to-host tunnels using certs?
> - Is it important that left/rightid are unique between tunnels?
> - why are the actual lengths of the keys different on one side than
> the other? One is 643 chars while the other is 579 chars. Why wouldn't
> they have been generated to be the same?
>
> Thanks,
> Alex
>
>
>
>
>
>
>
>
>
> >
> > Paul
More information about the Swan
mailing list