[Swan] unable to locate my private key for RSA Signature
LAURIA Giuseppe
giuseppe.lauria at axa-winterthur.ch
Wed Jan 30 17:21:43 UTC 2019
Hi all.
We are using libreswan between two different Red Hat servers and want to do host-to-host transport tunnel encryption to port 8080.
Left: RHEL 7.6 ( SELinux set to Permissive )
libreswan version: libreswan-3.25-2.el7.x86_64
Right: RHEL 6.10
Libreswan version: libreswan-3.15-7.5.el6_9.x86_64
I initialized the NSS DB:
ipsec initnss
I created two new keys on each box:
ipsec newhostkey
Listed the RSA key on both boxes:
e.g. ipsec showhostkey --left --rsaid AwEAAavAZ
Configured a connection:
conn lagu_tunnel
    leftid=@west
    left=<left-IP>
    leftrsasigkey=0sAw.......j6Og/7E=
    rightid=@east
    right=<right-IP>
    rightprotoport=tcp/8080
    rightrsasigkey=0sAQ......m0dfg7pH
    #auto=start
    authby=rsasig
    type=transport
I'm able to add the connection on the left side. Then I bring up the connection on the left side. Then I add the connection on the right side; soon after, errors pop up on the left side:
ipsec auto --add lagu_tunnel
002 added connection description "lagu_tunnel"
[root at DDAA2053 ipsec.d]# ipsec auto --up lagu_tunnel
002 "lagu_tunnel" #1: initiating Main Mode
104 "lagu_tunnel" #1: STATE_MAIN_I1: initiate
010 "lagu_tunnel" #1: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
010 "lagu_tunnel" #1: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
010 "lagu_tunnel" #1: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
106 "lagu_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "lagu_tunnel" #1: unable to locate my private key for RSA Signature
224 "lagu_tunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "lagu_tunnel" #1: sending notification AUTHENTICATION_FAILED to <right-IP>:500
003 "lagu_tunnel" #1: unable to locate my private key for RSA Signature
224 "lagu_tunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "lagu_tunnel" #1: sending notification AUTHENTICATION_FAILED to <right-IP>:500
003 "lagu_tunnel" #1: unable to locate my private key for RSA Signature
224 "lagu_tunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "lagu_tunnel" #1: sending notification AUTHENTICATION_FAILED to <right-IP>:500
003 "lagu_tunnel" #1: unable to locate my private key for RSA Signature
224 "lagu_tunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "lagu_tunnel" #1: sending notification AUTHENTICATION_FAILED to <right-IP>:500
003 "lagu_tunnel" #1: unable to locate my private key for RSA Signature
224 "lagu_tunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "lagu_tunnel" #1: sending notification AUTHENTICATION_FAILED to <right-IP>:500
003 "lagu_tunnel" #1: unable to locate my private key for RSA Signature
224 "lagu_tunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "lagu_tunnel" #1: sending notification AUTHENTICATION_FAILED to <right-IP>:500
I also added a debug snippet from pluto.log (see attachment lagu-tunnel.txt).
As far as I understand, the private key should reside within the local NSS database. The file was initialized fresh and only this one key is there:
ipsec showhostkey --list
< 1> RSA keyid: AwEAAavAZ ckaid: 489d253fc467cfb68e76f35707af387ace5e2c6d
certutil -K -d sql:.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 489d253fc467cfb68e76f35707af387ace5e2c6d (orphan)
The files are here:
pwd
/etc/ipsec.d
ls -l *.db
-rw-------. 1 root root 9216 Jan 30 17:20 cert9.db
-rw-------. 1 root root 17408 Jan 30 17:20 key4.db
Can someone help me troubleshoot this?
Thank you very much.
Best regards.
Giuseppe Lauria
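A consistency check for exactly this situation, added here as an example; it is not part of the original post and not libreswan's own code. It parses the conn block, derives the short keyid that `ipsec showhostkey` prints from the rsasigkey value (assumed here to be the first nine base64 characters after the `0s` prefix), then checks that this keyid is listed by `ipsec showhostkey --list` and that its CKAID has a private half in `certutil -K`. The config text, the IPs, the key blobs and both tool outputs below are constructed for the example.

```python
"""Cross-check a libreswan conn's rsasigkey values against the local NSS DB.

Hypothetical helper, not libreswan's own code. Assumptions:
- `ipsec showhostkey --list` prints lines like
    "<  1> RSA keyid: AwEAAavAZ ckaid: 489d25..."
- `certutil -K -d sql:/etc/ipsec.d` prints lines like
    "<  0> rsa 489d25... (orphan)"
- libreswan's short keyid is the first 9 base64 characters that follow the
  "0s" prefix of a leftrsasigkey/rightrsasigkey value.
All sample inputs below are constructed; IPs and key blobs are placeholders.
"""
import re

SAMPLE_CONF = """\
conn lagu_tunnel
    leftid=@west
    left=192.0.2.10
    leftrsasigkey=0sAwEAAavAZexampleonlyj6Og/7E=
    rightid=@east
    right=198.51.100.20
    rightprotoport=tcp/8080
    rightrsasigkey=0sAQExampleOnlym0dfg7pH
    authby=rsasig
    type=transport
"""

# Constructed to look like `ipsec showhostkey --list` on the left host.
SAMPLE_SHOWHOSTKEY = """\
<  1> RSA keyid: AwEAAavAZ ckaid: 489d253fc467cfb68e76f35707af387ace5e2c6d
"""

# Constructed to look like `certutil -K -d sql:/etc/ipsec.d` on the left host.
SAMPLE_CERTUTIL = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
<  0> rsa 489d253fc467cfb68e76f35707af387ace5e2c6d (orphan)
"""


def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def keyid_from_rsasigkey(value):
    """Derive the 9-character keyid from a 0s... public key blob (assumption)."""
    if not value.startswith("0s"):
        raise ValueError("rsasigkey value must start with 0s")
    return value[2:11]


def parse_showhostkey(text):
    """Return {keyid: ckaid} from `ipsec showhostkey --list` output."""
    return dict(re.findall(r"RSA keyid:\s*(\S+)\s+ckaid:\s*([0-9a-f]+)", text))


def parse_certutil_keys(text):
    """Return the set of CKAIDs of RSA private keys listed by `certutil -K`."""
    return set(re.findall(r"^<\s*\d+>\s+rsa\s+([0-9a-f]+)", text, re.M))


def check_side(conf_text, conn_name, side, showhostkey_out, certutil_out):
    """Check that <side>rsasigkey names a key this host actually holds.

    The result records each step separately, so a failure points at the exact
    gap: keyid from the config not listed by showhostkey, or listed but with
    no private key object behind its CKAID.
    """
    conn = parse_conns(conf_text)[conn_name]
    value = conn.get(side + "rsasigkey")
    if value is None:
        return {"keyid": None, "in_nss_pubkeys": False,
                "ckaid": None, "private_key_present": False}
    keyid = keyid_from_rsasigkey(value)
    ckaid = parse_showhostkey(showhostkey_out).get(keyid)
    private_ckaids = parse_certutil_keys(certutil_out)
    return {
        "keyid": keyid,
        "in_nss_pubkeys": ckaid is not None,
        "ckaid": ckaid,
        "private_key_present": ckaid is not None and ckaid in private_ckaids,
    }


if __name__ == "__main__":
    # On the left host, only the left key is expected to be present locally.
    for side in ("left", "right"):
        result = check_side(SAMPLE_CONF, "lagu_tunnel", side,
                            SAMPLE_SHOWHOSTKEY, SAMPLE_CERTUTIL)
        print(side, result)
```

On a live host, feed the real output of the two commands into `check_side` in place of the sample strings; a keyid derived from the config that `showhostkey` does not list means the config references a key the NSS DB does not hold. The `(orphan)` marker in the `certutil -K` output only says that no certificate is paired with the key, which is the normal state for a raw RSA host key.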
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: lagu-tunnel.txt
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20190130/603912d9/attachment-0001.txt>