[Swan] net-to-net for road warriors

Paul Wouters paul at nohats.ca
Wed Jan 30 03:23:32 UTC 2019


On Tue, 29 Jan 2019, Alex wrote:

> I'm now trying to build a tunnel between the server with the static IP
> and another host with a static IP and the same libreswan on fedora,
> but having a similar problem that I used to have with "wrong key?"
> messages when I *know* I'm doing it right.
>
> On bwimail03:
> 002 "bwimail03-arcade" #5: IKEv2 mode peer ID is ID_FQDN: '@arcade'
> 003 "bwimail03-arcade" #5: Signature check (on @arcade) failed (wrong
> key?); tried *AwEAAfVyj
> 002 "bwimail03-arcade" #5: RSA authentication failed
> 036 "bwimail03-arcade" #5: encountered fatal error in state STATE_PARENT_I2
>
> Could there be another explanation for it being unable to find the
> right key? It's choosing the key that's intended for the remote system
> instead of the one for itself, or so it appears.

Yes, that is normal. It is using the remote public key to verify the remote peer :)

> - Is there any difference between these two commands:
> certutil -N -d sql:/etc/ipsec.d
> ipsec initnss --nssdir /etc/ipsec.d

No.

> - Sometimes if I shut down the VPN (service ipsec stop) in the wrong
> order, the remote system becomes unreachable. How can I prevent that
> from happening?

If the system goes down before it sends the "Delete/Notify" request, the
other end won't know it went down and will expect encrypted packets only
and assume the plaintext packets are forged. You can enable DPD so the
remote can figure this out before rekey/expire time. But if this happens
often, it is worth checking the shutdown process and seeing if there is
something specific happening that is causing the packet to be lost.

> - How do you delete a key? Using -F doesn't work.
> ipsec -F -d sql:/etc/ipsec.d -n <ckaid>
>
> # certutil -K -d sql:/etc/ipsec.d
> certutil: Checking token "NSS Certificate DB" in slot "NSS User
> Private Key and Certificate Services"
> < 0> rsa      a97801beda74b01e2fe3647a87dc9f0e7ad75268   (orphan)
> # certutil -F -d sql:/etc/ipsec.d -n a97801beda74b01e2fe3647a87dc9f0e7ad75268
> # certutil -K -d sql:/etc/ipsec.d
> certutil: Checking token "NSS Certificate DB" in slot "NSS User
> Private Key and Certificate Services"
> < 0> rsa      a97801beda74b01e2fe3647a87dc9f0e7ad75268   (orphan)

I don't think it is possible using certutil. I tend to just nuke the nss
db.

Paul
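The DPD setting Paul points to, written out as an added ipsec.conf example (not from the thread or from libreswan's own docs): a net-to-net conn between the two hosts named above, authenticated with raw RSA keys and with dead-peer detection enabled so the surviving end notices a peer that vanished without a Delete/Notify instead of waiting for rekey/expire time. Addresses, subnets and key values are placeholders; the conn name and host IDs are taken from the log lines in the question.

```ini
# /etc/ipsec.conf fragment (added example; addresses, subnets and keys are placeholders)
conn bwimail03-arcade
    ikev2=insist
    authby=rsasig
    # local side: static IP, FQDN-style ID and LAN behind it (placeholders)
    left=192.0.2.10
    leftid=@bwimail03
    leftsubnet=10.1.0.0/24
    # our own public key, as printed by: ipsec showhostkey --left --ckaid <ckaid>
    leftrsasigkey=0sAwEAA...PLACEHOLDER
    # remote side (placeholders)
    right=198.51.100.20
    rightid=@arcade
    rightsubnet=10.2.0.0/24
    # the REMOTE host's public key; this is the key the
    # "Signature check (on @arcade)" line is verifying the peer against,
    # so seeing it selected there is expected, not a mix-up
    rightrsasigkey=0sAwEAA...PLACEHOLDER
    # Dead Peer Detection: probe an idle peer every 30 s; after 120 s with
    # no reply treat it as dead. Both values must be set for DPD to be
    # enabled, and dpdaction=restart brings the tunnel back up rather
    # than leaving stale SAs that drop the peer's plaintext as forged.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
```

The same conn block, with left/right values swapped or the same block reused (libreswan resolves which side is local by matching its own address), goes into the peer's ipsec.conf so both ends run DPD.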
