[Swan] RSA keys help

Kostya Vasilyev kman at fastmail.com
Wed Jan 23 13:54:14 UTC 2019


I'm trying to configure a LibreSwan server with a Mikrotik router client (GRE tunnel).

Got it working with PSK auth, would like to switch to RSA key based auth.

Have seen the wikis, still have some questions.

LibreSwan uses NSS for key storage - which is fine, but Mikrotik doesn't have NSS to generate the keys, nor does it understand the NSS format (RFC 3110? aka DNS format encoding?)

It does understand SSH format keys (and I can convert them to / from P12) and of course I can use openssl to generate.

I can think of these ways to set up my keys, but can't get any of them to work:

Option 1:

Generate both (server and client) keys on server side with NSS and somehow export them in SSH format, including 1) server's public key 2) client's public key 3) client's private key

From what I've seen on the Internet, NSS cannot (by design) export private keys at all. Maybe this is wrong and there is a way?

And if I could do this, how would I convert from RFC 3110 in NSS to openssl format for Mikrotik?

Option 2:

Generate both (server and client) keys separately with openssl and somehow import them into NSS on the server, including 1) server's public key 2) server's private key 3) client's public key.

But as far as I can tell, NSS cannot import keys, only certificates (I mean pk12util -i ...) so that seems like a dead end too unless I'm missing something.

Option 3:

Generate keys with openssl and somehow make LibreSwan use them directly from files, not from NSS.

Is this possible? I understand from LibreSwan docs that NSS is the main method of configuring keys - but is it perhaps also possible to use SSH format key files (or SSH format key strings in settings)?

Variation on 3:

Directly specify keys in LibreSwan config (as strings), but I'd have to convert my openssl keys (both public and private for the server, public for the client) into RFC 3110 format, and can't find a way to do this.

I assume there is a solution to this, it has to be a frequent case where "the other side" is not also LibreSwan, but just can't find the right docs it seems.

Help please?

Kostya Vasilyev
kman at fastmail.com
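The "variation on 3" above is a pure format question: RFC 3110 encodes an RSA public key as a length-prefixed exponent followed by the modulus, and Libreswan's `leftrsasigkey=0s...` value is that byte string in base64 (the `0s` prefix marks base64). The following is an added example, not code from the original post or from the Libreswan or Mikrotik projects. It assumes the OpenSSL side hands over the PKCS#1 `RSAPublicKey` structure (the "BEGIN RSA PUBLIC KEY" PEM, SEQUENCE of modulus and exponent), converts it to the RFC 3110 string and back, and includes a small constructed key builder so it runs offline; the modulus used for the sample is a constructed number, not a real key.

```python
"""Convert an RSA public key between PKCS#1 DER/PEM (OpenSSL) and the
RFC 3110 encoding Libreswan uses in leftrsasigkey= / rightrsasigkey=.

Assumptions (not from the original post): input is the PKCS#1 RSAPublicKey
structure SEQUENCE { INTEGER modulus, INTEGER publicExponent }, and
Libreswan's "0s" prefix means "the remainder is base64".
"""
import base64
import re


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_pkcs1_public_key(der: bytes) -> tuple[int, int]:
    """Parse SEQUENCE { INTEGER n, INTEGER e } and return (n, e)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, _ = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def rfc3110_encode(n: int, e: int) -> str:
    """RFC 3110: exponent length (1 byte, or 0x00 + 2 bytes if >= 256),
    exponent, modulus; returned base64 encoded."""
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        prefix = bytes([len(exp)])
    else:
        prefix = b"\x00" + len(exp).to_bytes(2, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return base64.b64encode(prefix + exp + mod).decode("ascii")


def rfc3110_decode(b64: str) -> tuple[int, int]:
    """Inverse of rfc3110_encode, handling both exponent-length forms."""
    raw = base64.b64decode(b64)
    if raw[0] != 0:
        exp_len, pos = raw[0], 1
    else:
        exp_len, pos = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[pos:pos + exp_len], "big")
    n = int.from_bytes(raw[pos + exp_len:], "big")
    return n, e


def libreswan_rsasigkey(pem: str) -> str:
    """PKCS#1 PEM -> value usable as leftrsasigkey= / rightrsasigkey=."""
    n, e = parse_pkcs1_public_key(pem_to_der(pem))
    return "0s" + rfc3110_encode(n, e)


# --- constructed sample input so the example runs without OpenSSL ---------

def _der_len(length: int) -> bytes:
    if length < 0x80:
        return bytes([length])
    lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # pad so the INTEGER stays positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def build_pkcs1_pem(n: int, e: int) -> str:
    """Build the PEM OpenSSL would write for this (n, e); test helper only."""
    body = _der_int(n) + _der_int(e)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PUBLIC KEY-----\n")


if __name__ == "__main__":
    # Constructed 2048-bit odd number standing in for a real modulus.
    sample_n = (1 << 2047) | 12345
    print(libreswan_rsasigkey(build_pkcs1_pem(sample_n, 65537)))
```

The "BEGIN RSA PUBLIC KEY" form is what `openssl rsa -RSAPublicKey_out` writes; the default `-pubout` output ("BEGIN PUBLIC KEY") is a SubjectPublicKeyInfo wrapper that this parser does not unwrap. Real keys with e = 65537 encode to a string beginning `0sAwEAA`, which is a quick sanity check when pasting the value into ipsec.conf. Only the public key is converted here; the server's private key still has to live wherever the Libreswan build expects it.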
