[Swan] net-to-net for road warriors

Alex mysqlstudent at gmail.com
Wed Jan 30 01:57:22 UTC 2019


Hi,

I'm now trying to build a tunnel between the server with the static IP
and another host with a static IP and the same libreswan on Fedora,
but I'm having a similar problem to the one I used to have, with "wrong key?"
messages when I *know* I'm doing it right.

On bwimail03:
002 "bwimail03-arcade" #5: IKEv2 mode peer ID is ID_FQDN: '@arcade'
003 "bwimail03-arcade" #5: Signature check (on @arcade) failed (wrong key?); tried *AwEAAfVyj
002 "bwimail03-arcade" #5: RSA authentication failed
036 "bwimail03-arcade" #5: encountered fatal error in state STATE_PARENT_I2

Could there be another explanation for it being unable to find the
right key? It's choosing the key that's intended for the remote system
instead of the one for itself, or so it appears.

conn bwimail03-arcade
    leftid=@bwimail03
    left=bwimail03.example.com
        # rsakey AwEAAaf+z
        leftrsasigkey=0sAwEAAaf+zw+7+F0Ridyti4...
    rightid=@arcade
    right=107.155.66.2
        # rsakey AwEAAfVyj
        rightrsasigkey=0sAwEAAfVyjDt+juEk/5jhFVNMj...
    authby=rsasig
    # use auto=start when done testing the tunnel
    auto=start

You'll notice that the AwEAAfVyj key is for the remote (arcade)
system, while the system reporting the signature failure is the local
(bwimail03) system.

This seems to happen randomly on different systems. I've spent nearly
all day just creating new keys and testing this, trying to figure out
what I'm doing wrong, and it's just not reliable. There is something
else wrong.

A few other questions:

- Is there any difference between these two commands:
certutil -N -d sql:/etc/ipsec.d
ipsec initnss --nssdir /etc/ipsec.d

- Sometimes if I shut down the VPN (service ipsec stop) in the wrong
order, the remote system becomes unreachable. How can I prevent that
from happening?

- How do you delete a key? Using -F doesn't work.
ipsec -F -d sql:/etc/ipsec.d -n <ckaid>

# certutil -K -d sql:/etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      a97801beda74b01e2fe3647a87dc9f0e7ad75268   (orphan)
# certutil -F -d sql:/etc/ipsec.d -n a97801beda74b01e2fe3647a87dc9f0e7ad75268
# certutil -K -d sql:/etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      a97801beda74b01e2fe3647a87dc9f0e7ad75268   (orphan)

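The following is an added diagnostic, not code from the post or from libreswan. It parses a conn block in ipsec.conf style together with the pluto log lines quoted above, maps the keyid that pluto reports after "tried" back to the conn's leftrsasigkey/rightrsasigkey (pluto's keyid is the leading characters of the base64 blob after the "0s" prefix, as the "# rsakey" comments in the post show), and reports which side's configured key and ID the signature check used. The conn text and log lines below are constructed from the post; the function names are the example's own. For the posted output it reports that the key tried is the rightrsasigkey configured for @arcade, which is also the peer ID the check was performed on.

```python
import re

# Constructed sample: the conn block as posted in the mail (keys truncated as in the post).
IPSEC_CONF = """\
conn bwimail03-arcade
    leftid=@bwimail03
    left=bwimail03.example.com
        # rsakey AwEAAaf+z
        leftrsasigkey=0sAwEAAaf+zw+7+F0Ridyti4...
    rightid=@arcade
    right=107.155.66.2
        # rsakey AwEAAfVyj
        rightrsasigkey=0sAwEAAfVyjDt+juEk/5jhFVNMj...
    authby=rsasig
    auto=start
"""

# Constructed sample: the pluto log lines as posted, with the wrapped line rejoined.
PLUTO_LOG = """\
002 "bwimail03-arcade" #5: IKEv2 mode peer ID is ID_FQDN: '@arcade'
003 "bwimail03-arcade" #5: Signature check (on @arcade) failed (wrong key?); tried *AwEAAfVyj
002 "bwimail03-arcade" #5: RSA authentication failed
"""

SIG_FAIL = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: Signature check \(on (?P<peer>[^)]+)\) failed'
    r'.*?tried \*?(?P<keyid>\S+)'
)


def parse_conns(text):
    """Return {conn_name: {option: value}} for each 'conn' block; comments are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def key_prefix(raw_key):
    """Strip libreswan's '0s' base64 marker so the value can be compared with a logged keyid."""
    return raw_key[2:] if raw_key.startswith("0s") else raw_key


def explain_signature_failures(conf_text, log_text):
    """For each 'Signature check ... failed' line, say which configured key pluto tried."""
    conns = parse_conns(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = SIG_FAIL.search(line)
        if not m:
            continue
        conn = conns.get(m.group("conn"), {})
        keyid = m.group("keyid")
        side = None
        for candidate in ("left", "right"):
            if key_prefix(conn.get(candidate + "rsasigkey", "")).startswith(keyid):
                side = candidate
                break
        side_id = conn.get(side + "id") if side else None
        findings.append({
            "conn": m.group("conn"),
            "peer_id": m.group("peer"),        # ID named in "(on ...)"
            "tried_keyid": keyid,               # keyid pluto reports after "tried"
            "matches_side": side,               # "left", "right" or None if no configured key matches
            "side_id": side_id,                 # the leftid/rightid that key is configured for
            "key_is_for_peer": side_id == m.group("peer"),
        })
    return findings


if __name__ == "__main__":
    for f in explain_signature_failures(IPSEC_CONF, PLUTO_LOG):
        print(f"{f['conn']}: check on {f['peer_id']} tried keyid {f['tried_keyid']} "
              f"= {f['matches_side']}rsasigkey configured for {f['side_id']}")
```

When `key_is_for_peer` is true, the key pluto tried is the public key this conn configures for the peer ID it was checking, so the next thing to compare is that peer's current public key (for example the output of `ipsec showhostkey --right` on the peer host) against the value pasted into this conn.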
