[Swan] host-to-host config fails with Can't find the certificate or private key

Alex mysqlstudent at gmail.com
Mon Oct 8 22:38:06 UTC 2018


Hi,

> > At least the second one was created on this host but has now
> > disappeared. How do I delete those broken keys without having to
> > remove the whole database? What could cause this to happen?
>
> certutil -F -d sql:/etc/ipsec.d -n 34127e44f0718fc6d6ad34c089db926e1bb4d7df
>
> use the ckaid shown for the key you want to delete.

Ah, thank you. That's the only combination I *didn't* try, lol. I
thought that was just the ckaid.

I noticed the system appeared to be confused as to which side it was.
orion was reporting "our id" was the arcade key and vice-versa. So I
generated a new set of keys and switched the --left and --right, and
although it now recognizes the sides correctly, it reports "failed to
find our RSA key" on one side, and "authentication failed" on the
other.

133 "oriontun" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
003 "oriontun" #5: DigSig: failed to find our RSA key

Can you review my config and see if there's anything obvious I'm doing
wrong? From "ipsec barf" (same on both sides):

conn oriontun
        left=107.155.66.2
        leftid="@arcade-orion"

        # generated on left side with "ipsec showhostkey"
        # key can be viewed on left side with "ipsec showhostkey --rsaid AwEAAeMxH --left"
        leftrsasigkey=[keyid AwEAAeMxH]
        left=107.155.66.2
        right=68.195.193.42
        rightid="@orion-arcade"

        # generated on right side with "ipsec showhostkey"
        # key can be viewed on right side with "ipsec showhostkey --rsaid AwEAAdfpQ --right"
        rightrsasigkey=[keyid AwEAAdfpQ]
        right=68.195.193.42
        auto=start
        pfs=yes
        ike=aes_gcm256-sha2_... [a dozen others...]
        authby=rsasig
        phase2alg=aes_gcm256,aes256-sha2_512,aes256-sha1,aes128-sha1,aes128-sha2_256
        auto=start
        type=tunnel
        compress=no
        pfs=yes
        ikepad=yes
        authby=rsasig
        phase2=esp
        ikev2=insist
        ppk=no
        esn=no

I don't understand why authentication fails when the keys are correct.

How can I enable more debugging info to determine why I'm receiving
"AUTHENTICATION_FAILED" messages?
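A small config lint for the conn block posted above, added here as an example and not part of the thread or of libreswan itself: it parses an ipsec.conf-style conn section, reports any setting that appears more than once (left, right, auto, pfs and authby are each set twice in the posted block), and checks that the two sides do not share an id or rsasigkey and that both rsasigkey values are present. The embedded config is a constructed copy of the posted one.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the conn block posted in the thread.
SAMPLE_CONF = """\
conn oriontun
        left=107.155.66.2
        leftid="@arcade-orion"
        # generated on left side with "ipsec showhostkey"
        leftrsasigkey=[keyid AwEAAeMxH]
        left=107.155.66.2
        right=68.195.193.42
        rightid="@orion-arcade"
        rightrsasigkey=[keyid AwEAAdfpQ]
        right=68.195.193.42
        auto=start
        pfs=yes
        authby=rsasig
        auto=start
        pfs=yes
        authby=rsasig
"""

def parse_conn(text):
    """Return {conn_name: {key: [values...]}}; a repeated key keeps every value."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), defaultdict(list))
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        current[key].append(value.strip('"'))
    return conns

def lint_conn(settings):
    """List duplicated settings, left/right values that collide, and missing keys."""
    problems = [f"{k} set {len(v)} times" for k, v in settings.items() if len(v) > 1]
    for suffix in ("id", "rsasigkey", ""):
        l, r = settings.get("left" + suffix), settings.get("right" + suffix)
        if l and r and set(l) & set(r):
            problems.append(f"left{suffix} and right{suffix} share a value")
    problems += [f"{k} missing" for k in ("leftrsasigkey", "rightrsasigkey") if k not in settings]
    return problems
```

Run `lint_conn(parse_conn(SAMPLE_CONF)["oriontun"])` to get the list of findings for the posted block.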