[Swan] Raw rsa keys and .secrets file

Cesare Leonardi celeonar at gmail.com
Mon Feb 24 19:10:37 UTC 2020


Hello, there is something not clear to me regarding .secrets file.
I've read this:
https://lists.libreswan.org/pipermail/swan/2018/002496.html
And this (slide 13):
https://libreswan.org/wiki/images/a/a5/DevConf2016-IPsec.pdf

From these documents I understand that, using raw RSA keys with Libreswan >= 3.21, the .secrets file is not required anymore. But in my tests I wasn't able to connect without it.

Using Libreswan 3.29 (from Debian unstable) on the local side and 
Libreswan 3.27 (from Debian 10) on the remote side, here is what I've done:
- ipsec initnss
- ipsec newhostkey --output /etc/ipsec.d/test.secrets
- ipsec showhostkey --left --rsaid ID
- vi /etc/ipsec.d/test.conf
---------
conn test
     auto=start
     authby=rsasig
     leftid=@aaa
     left=xxx.xxx.xxx.xxx
     leftsubnet=192.168.1.0/24
     leftsourceip=192.168.1.97
     # Obtained from the showhostkey command above.
     leftrsasigkey=0sAwAA...
     rightid=@bbb
     right=yyy.yyy.yyy.yyy
     rightsubnet=192.168.25.0/24
     # Obtained from the other side.
     rightrsasigkey=0sAwBB...
---------
- Setup the other side
- systemctl restart ipsec

With the steps above the VPN works, but it doesn't work anymore if I do 
this:
- mv /etc/ipsec.d/test.secrets /etc/ipsec.d/test.secrets.disabled
- systemctl restart ipsec

And in the logs I find:
"test" #1: Failed to find our RSA key

Am I missing something? Can it depend on some compile-time option that Debian is using?

Cesare.
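The script below is an added example, not from the original post and not part of libreswan itself. When pluto logs "Failed to find our RSA key", the first thing to establish is whether the key it is being asked for is actually present in the NSS database, and whether the secrets file that pluto reads is the one pointing at it. The script assumes (labelled as assumptions) that the secrets file written by `ipsec newhostkey` references the key by CKAID in lines of the form `: RSA <ckaid>`, and that `certutil -K -d sql:/etc/ipsec.d` prints one private key per line with the CKAID after the key type. It lists the CKAIDs referenced by the secrets file and reports any that are missing from NSS; the parsing functions run without libreswan installed, only the final cross-check needs `certutil`.

```shell
#!/bin/sh
# Added example: cross-check CKAIDs referenced in a libreswan secrets file
# against the private keys present in the NSS database.
# Assumptions (not confirmed by the original post):
#   - secrets lines look like ': RSA <ckaid>' (optional 0x prefix, any case)
#   - `certutil -K` prints lines like '<n> rsa <ckaid> NSS Certificate DB:...'

NSSDIR="${NSSDIR:-/etc/ipsec.d}"

# Print every CKAID referenced by ': RSA <ckaid>' lines in the secrets file
# given as $1, lower-cased and with any 0x prefix removed.
secrets_ckaids() {
    sed -n 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]\{1,\}\(0x\)\{0,1\}\([0-9A-Fa-f]\{1,\}\).*/\2/p' "$1" |
        tr 'A-F' 'a-f'
}

# Print the CKAIDs of the RSA private keys in the NSS database (needs certutil
# from libnss3-tools). Assumed output layout of `certutil -K`, see header.
nss_ckaids() {
    certutil -K -d "sql:$NSSDIR" 2>/dev/null |
        sed -n 's/^<[[:space:]]*[0-9]\{1,\}>[[:space:]]*rsa[[:space:]]\{1,\}\([0-9A-Fa-f]\{1,\}\).*/\1/p' |
        tr 'A-F' 'a-f'
}

# $1: secrets file, $2: newline-separated list of CKAIDs known to NSS.
# Prints one line per referenced CKAID; returns 0 only if all are present.
# Taking the NSS list as a parameter keeps this testable without certutil.
check_secrets() {
    secrets="$1"
    known="$2"
    missing=0
    for id in $(secrets_ckaids "$secrets"); do
        if printf '%s\n' "$known" | grep -qxF "$id"; then
            echo "ok: CKAID $id referenced by $secrets is in NSS ($NSSDIR)"
        else
            echo "MISSING: CKAID $id referenced by $secrets is not in NSS ($NSSDIR)"
            missing=1
        fi
    done
    return $missing
}

# Usage: sh check-secrets.sh /etc/ipsec.d/test.secrets
main() {
    check_secrets "${1:-/etc/ipsec.secrets}" "$(nss_ckaids)"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it against the file that was moved aside (and against /etc/ipsec.secrets, which on Debian normally only `include`s /etc/ipsec.d/*.secrets) on both peers; a "MISSING" line means the secrets file points at a key the NSS database does not hold, an empty result means the file references no key at all, and "ok" on every line narrows the problem down to pluto not reading that file after the rename.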

