[Swan] RSA keys help

Kostya Vasilyev kman at fastmail.com
Wed Jan 23 18:12:20 UTC 2019


Thanks for the response, please see below:

On Wed, Jan 23, 2019, at 9:00 PM, Paul Wouters wrote:
> On Wed, 23 Jan 2019, Kostya Vasilyev wrote:
> 
> > I'm trying to configure a LibreSwan server with a Mikrotik router client (GRE tunnel).
> 
> nit pick, it is libreswan, no upper case S please :)

Sorry! It's libreswan, libreswan, libreswan, no uppercase S :)

> 
> > Got it working with PSK auth, would like to switch to RSA key based auth.
> >
> > Have seen the wikis, still have some questions.
> >
> > LibreSwan uses NSS for key storage - which is fine but Mikrotik doesn't have NSS to generate the keys nor understands NSS format (RFC 3110? aka DNS format encoding?)
> 
> Does your Mikrotik support raw RSA keys? Likely not, in which case the
> path to go is certificates. You can generate them with whatever tool
> you want, as long as you end up with two PKCS#12 formatted certificate
> bundles. These .p12 files contain a private key, public cert and CA
> cert. You can import a .p12 file using "ipsec import file.p12".

It can import openssl format keys (and I can convert openssl / p12 back and forth).

> [ ... snip ... ]

What I ended up doing is - use a certificate in NSS on libreswan side together with

leftcert=cert name in NSS
leftrsasignkey=%cert

to have libreswan (lowercase s) pick up the keys from the certificate.

And then on the client, exported the certificate's public key on the "big" host system using openssl and imported that public key in openssl format into Mikrotik.

It all worked, I'm up and running.

> > Option 3:
> >
> > Generate keys with openssl and somehow make LibreSwan use them directly from files, not from NSS.
> 
> That is not an option. libreswan does not read or parse files or have
> native support for pkcs#11 for hardware tokens. It all goes via NSS.
> 
> > Directly specify keys in LibreSwan config (as strings) but I'd have to convert my openssl keys (both public and private for the server, public for the client) into RFC 3110 format, and can't find a way to do this.
> 
> You cannot. private keys must be inside the NSS database.

When I've put the server's private key into ipsec.secrets like this:

89.0.0.1 139.0.0.1 : RSA {
	# RSA 2048 bits
	# pubkey=0sAwEAAaJ..../3xyU=
	Modulus: ....
}

I got this in the log:

pluto[28048]: loading secrets from "/etc/ipsec.d/mikrotik.secrets"
pluto[28048]: loaded private key for keyid: PKK_RSA:AwEAAaJEj

So it can parse a private key from *.secrets (it's also there in the code) - but as you wrote "private keys *must* be inside the NSS database" - so what is this private key for then?

-- K
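
The thread asks how to turn an openssl RSA public key into the RFC 3110 string seen in `pubkey=0sAwEAA...`. The following is an added example, not part of the original message or of libreswan's code: it encodes and decodes the public half only, takes the exponent and modulus as integers, and uses hypothetical function names and a constructed sample modulus.

```python
import base64

# Constructed 256-bit value for demonstration only; not a real RSA modulus.
SAMPLE_N = int("c35a" + "9d" * 30, 16)


def rfc3110_encode(e: int, n: int) -> str:
    """Encode an RSA public key (e, n) as '0s' + base64(RFC 3110 RDATA)."""
    if e <= 0 or n <= 0:
        raise ValueError("exponent and modulus must be positive")
    # Minimal big-endian bytes: RFC 3110 carries no sign byte, so the
    # leading 0x00 that DER integers often have is not emitted here.
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(e_bytes) <= 255:
        prefix = bytes([len(e_bytes)])          # one-byte exponent length
    elif len(e_bytes) <= 0xFFFF:
        prefix = b"\x00" + len(e_bytes).to_bytes(2, "big")  # 0 + 2-byte length
    else:
        raise ValueError("exponent too long for RFC 3110")
    raw = prefix + e_bytes + n_bytes
    # '0s' marks base64 data in libreswan's key syntax.
    return "0s" + base64.b64encode(raw).decode("ascii")


def rfc3110_decode(blob: str) -> tuple:
    """Decode '0s' + base64 back to (e, n), rejecting truncated input."""
    if not blob.startswith("0s"):
        raise ValueError("expected 0s (base64) prefix")
    raw = base64.b64decode(blob[2:], validate=True)
    if len(raw) < 3:
        raise ValueError("blob too short")
    if raw[0] != 0:
        e_len, off = raw[0], 1
    else:
        e_len, off = int.from_bytes(raw[1:3], "big"), 3
    if e_len == 0 or off + e_len >= len(raw):
        raise ValueError("truncated exponent or missing modulus")
    e = int.from_bytes(raw[off:off + e_len], "big")
    n = int.from_bytes(raw[off + e_len:], "big")
    return e, n


if __name__ == "__main__":
    blob = rfc3110_encode(65537, SAMPLE_N)
    print(blob)                      # starts with 0sAwEAA for e = 65537
    print(rfc3110_decode(blob) == (65537, SAMPLE_N))
```

The modulus can be read as hex from an openssl public key with `openssl rsa -pubin -in pub.pem -noout -modulus` and passed in as `int(hex_string, 16)`.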

