[Swan] host-to-host config fails with Can't find the certificate or private key
Alex
mysqlstudent at gmail.com
Mon Oct 8 22:38:06 UTC 2018
Hi,
> > At least the second one was created on this host but has now
> > disappeared. How do I delete those broken keys without having to
> > remove the whole database? What could cause this to happen?
>
> certutil -F -d sql:/etc/ipsec.d -n 34127e44f0718fc6d6ad34c089db926e1bb4d7df
>
> use the ckaid shown for the key you want to delete.
Ah, thank you. That's the only combination I *didn't* try, lol. I
thought that was just the ckaid.
I noticed the system appeared to be confused as to which side it was.
orion was reporting "our id" was the arcade key and vice-versa. So I
generated a new set of keys and switched the --left and --right, and
although it now recognizes the sides correctly, it reports "failed to
find our RSA key" on one side, and "authentication failed" on the
other.
133 "oriontun" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
003 "oriontun" #5: DigSig: failed to find our RSA key
Can you review my config and see if there's anything obvious I'm doing
wrong? From "ipsec barf" (same on both sides):
conn oriontun
left=107.155.66.2
leftid="@arcade-orion"
# generated on left side with "ipsec showhostkey"
# key can be viewed on left side with "ipsec showhostkey --rsaid AwEAAeMxH --left"
leftrsasigkey=[keyid AwEAAeMxH]
left=107.155.66.2
right=68.195.193.42
rightid="@orion-arcade"
# generated on right side with "ipsec showhostkey"
# key can be viewed on right side with "ipsec showhostkey --rsaid AwEAAdfpQ --right"
rightrsasigkey=[keyid AwEAAdfpQ]
right=68.195.193.42
auto=start
pfs=yes
ike=aes_gcm256-sha2_... [a dozen others...]
authby=rsasig
phase2alg=aes_gcm256,aes256-sha2_512,aes256-sha1,aes128-sha1,aes128-sha2_256
auto=start
type=tunnel
compress=no
pfs=yes
ikepad=yes
authby=rsasig
phase2=esp
ikev2=insist
ppk=no
esn=no
I don't understand why authentication fails when the keys are correct.
How can I enable more debugging info to determine why I'm receiving
"AUTHENTICATION_FAILED" messages?
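The conn above is shared verbatim by both hosts, so the question of which end's private key lives on which machine is exactly what "failed to find our RSA key" turns on. The following Python is an added example, not code from the post or from the Libreswan project: it parses a conn block of this shape, flags settings that appear more than once, pulls the keyids out of the `[keyid ...]` form that `ipsec barf` prints, and works out which end a host can act as by comparing those keyids with the keys it actually holds. It assumes that the keyid shown in `[keyid ...]` is the same string the post passes to `--rsaid` (the post's own comments say so), and `LOCAL_KEYIDS` is a constructed stand-in for what `ipsec showhostkey --list` would report on the box; the sample conn reuses the post's placeholder keyids, which are not real keys.

```python
"""Offline sanity check for a Libreswan host-to-host conn using authby=rsasig.

Added example; not code from the Libreswan project or from the original post.
"""
import re

# Constructed sample in the shape of the conn quoted in the post; the keyid
# strings are the post's placeholders, not real keys.
SAMPLE_CONN = """\
conn oriontun
    left=107.155.66.2
    leftid="@arcade-orion"
    # key can be viewed on left side with "ipsec showhostkey --rsaid AwEAAeMxH --left"
    leftrsasigkey=[keyid AwEAAeMxH]
    left=107.155.66.2
    right=68.195.193.42
    rightid="@orion-arcade"
    rightrsasigkey=[keyid AwEAAdfpQ]
    right=68.195.193.42
    authby=rsasig
    ikev2=insist
    authby=rsasig
"""

# Constructed sample of a comment that a mail client wrapped onto a second
# line, which the config parser would no longer see as a comment.
WRAPPED_CONN = """\
conn oriontun
    left=107.155.66.2
    # key can be viewed on left side with "ipsec showhostkey
--rsaid AwEAAeMxH --left"
    leftrsasigkey=[keyid AwEAAeMxH]
"""

# Constructed stand-in for the keyids of the private keys present in this
# host's NSS database (what "ipsec showhostkey --list" reports on the box).
LOCAL_KEYIDS = {"AwEAAdfpQ"}

KEYID_RE = re.compile(r"\[keyid\s+([^\]\s]+)\]")


def parse_conn(text):
    """Parse one conn block.

    Returns (name, settings, stray): settings maps each key to the list of
    values seen (repeats are kept, not collapsed); stray holds lines that are
    neither comments nor key=value, e.g. the tail of a wrapped comment.
    """
    name, settings, stray = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            continue
        if "=" not in line:
            stray.append(line)
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), []).append(value.strip())
    return name, settings, stray


def repeated_settings(settings):
    """Keys that appear more than once in the block."""
    return sorted(k for k, v in settings.items() if len(v) > 1)


def configured_keyids(settings):
    """keyid per end, taken from the '[keyid ...]' form pluto prints; any
    other value (a raw 0s... key, %cert, %dnsondemand) is kept verbatim."""
    out = {}
    for side in ("left", "right"):
        ids = []
        for value in settings.get(f"{side}rsasigkey", []):
            m = KEYID_RE.fullmatch(value)
            ids.append(m.group(1) if m else value)
        out[side] = ids
    return out


def which_side(settings, local_keyids):
    """'left', 'right', 'both' or 'none': which configured public key this
    host holds the private half of. 'none' is the situation behind the
    post's "failed to find our RSA key"; 'both' means the same private keys
    were copied to both hosts, so neither end is distinguishable."""
    ids = configured_keyids(settings)
    have = {side: any(k in local_keyids for k in ids[side]) for side in ids}
    if have["left"] and have["right"]:
        return "both"
    if have["left"]:
        return "left"
    if have["right"]:
        return "right"
    return "none"


def lint_conn(text, local_keyids):
    """Human-readable findings for one conn block on this host."""
    name, settings, stray = parse_conn(text)
    findings = [f"{name}: not key=value, breaks parsing: {s!r}" for s in stray]
    for key in repeated_settings(settings):
        findings.append(f"{name}: '{key}' is set {len(settings[key])} times")
    ids = configured_keyids(settings)
    if "rsasig" in settings.get("authby", []):
        for side in ("left", "right"):
            if not ids[side]:
                findings.append(f"{name}: authby=rsasig but no {side}rsasigkey")
    side = which_side(settings, local_keyids)
    if side == "none":
        findings.append(f"{name}: neither configured keyid has a private key here")
    elif side == "both":
        findings.append(f"{name}: private keys for both ends are here; each host should hold only its own")
    else:
        findings.append(f"{name}: this host is the {side} end")
    return findings


if __name__ == "__main__":
    for line in lint_conn(SAMPLE_CONN, LOCAL_KEYIDS):
        print(line)
```

Run on each host with that host's real keyid list substituted for `LOCAL_KEYIDS`; the two hosts should come out as opposite ends, and a conn that reports `both` or `none` on either host explains the log lines in the post before any IKE debugging is turned on.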