[Swan] host-to-host config fails with Can't find the certificate or private key

Alex mysqlstudent at gmail.com
Thu Oct 11 03:29:39 UTC 2018


Hi Paul, I'm still having trouble and could really use some help. Do
these errors mean anything?

Oct 10 21:21:33.289300: | #5 in state PARENT_I2: sent v2I2, expected v2R2
Oct 10 21:21:33.289303: | Unpacking clear payload for svm: Initiator: process INVALID_SYNTAX AUTH notification
Oct 10 21:21:33.289306: | Now let's proceed with payload (ISAKMP_NEXT_v2SK)
Oct 10 21:21:33.289309: | serialno table: hash serialno #4 to head 0x56548f76ccc0
Oct 10 21:21:33.289312: | serialno table: hash serialno #4 to head 0x56548f76ccc0
Oct 10 21:21:33.289330: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Oct 10 21:21:33.289334: | selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification
Oct 10 21:21:33.289337: | Now let's proceed with state specific processing
Oct 10 21:21:33.289339: | calling processor Initiator: process AUTHENTICATION_FAILED AUTH notification
Oct 10 21:21:33.289343: "oriontun" #5: IKE SA authentication request rejected: AUTHENTICATION_FAILED

Googling any of these errors/warnings generally only reveals the lines
themselves from the source code. How do I find out what exactly was
the invalid syntax?

Thanks,
Alex

On Mon, Oct 8, 2018 at 10:37 PM Alex <mysqlstudent at gmail.com> wrote:
>
> I don't understand this error:
>
> Oct  8 22:30:01.939114: "oriontun" #3: IKEv2 mode peer ID is ID_FQDN: '@arcade-orion'
> Oct  8 22:30:01.939222: "oriontun" #3: Signature check (on @arcade-orion) failed (wrong key?); tried *AwEAAePbb
> Oct  8 22:30:01.939234: "oriontun" #3: Digital Signature authentication failed
> Oct  8 22:30:01.939262: "oriontun" #3: responding to AUTH message (ID 1) from 107.155.66.2:500 with encrypted notification AUTHENTICATION_FAILED
>
> This is from the left host, orion. The key that it tried is the pub
> key from the right host, arcade. Why would it fail a signature check?
>
> It seems to indicate that it's the wrong key, but that's the public
> key from the keypair generated on the other side. It passes on the
> other side:
>
> # ipsec showhostkey --right --rsaid AwEAAePbb
>         # rsakey AwEAAePbb
> rightrsasigkey=0sAwEAAePbbigzEO59FKqpM3frTLK4yry7xtEJN2J+A8rrb2e5reVu28IawJ/IOROx7XeGJkOz0bMX6zUF+ojYz0OPfJWpNfMBdl92NTU6/epO0h9/slKgn2G4hVK6bb1UOrcfo...
>
> I have worked on this all day and all night for more than three days
> and just have no idea why it's failing here.

