[Swan] Raw rsa keys and .secrets file
Cesare Leonardi
celeonar at gmail.com
Mon Feb 24 19:10:37 UTC 2020
Hello, there is something not clear to me regarding .secrets file.
I've read this:
https://lists.libreswan.org/pipermail/swan/2018/002496.html
And this (slide 13):
https://libreswan.org/wiki/images/a/a5/DevConf2016-IPsec.pdf
From these documents I understand that using raw RSA key with Libreswan
>= 3.21, .secrets file is not required anymore. But in my tests I
wasn't able to connect without it.
Using Libreswan 3.29 (from Debian unstable) on the local side and
Libreswan 3.27 (from Debian 10) on the remote side, here is what I've done:
- ipsec initnss
- ipsec newhostkey --output /etc/ipsec.d/test.secrets
- ipsec showhostkey --left --rsaid ID
- vi /etc/ipsec.d/test.conf
---------
conn test
auto=start
authby=rsasig
leftid=@aaa
left=xxx.xxx.xxx.xxx
leftsubnet=192.168.1.0/24
leftsourceip=192.168.1.97
# Obtained from the showhostkey command above.
leftrsasigkey=0sAwAA...
rightid=@bbb
right=yyy.yyy.yyy.yyy
rightsubnet=192.168.25.0/24
# Obtained from the other side.
rightrsasigkey=0sAwBB...
---------
- Setup the other side
- systemctl restart ipsec
With the steps above the VPN works, but it doesn't work anymore if I do
this:
- mv /etc/ipsec.d/test.secrets /etc/ipsec.d/test.secrets.disabled
- systemctl restart ipsec
And in the logs I find:
"test" #1: Failed to find our RSA key
Am I missing something? Can it depend on some compile-time option that
Debian is using?
Cesare.
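Added example for this thread (not libreswan code, and not something the poster ran): a small Python checker for the conn block shape shown above. It decodes the `0s...` values of leftrsasigkey/rightrsasigkey, which libreswan stores as base64 over the RFC 3110 RSA public key layout (exponent length, exponent, modulus), and reports malformed keys, undersized moduli, or the same key pasted on both sides. The conn text, addresses and key values below are constructed for the demo; the moduli are placeholders with the right size and parity, not real key pairs. It does not look in the NSS database for the matching private key, which is a separate check on the host.

```python
"""Consistency check for raw RSA public keys in a libreswan-style conn block.

Added example for the mailing-list thread; assumptions are labelled in comments.
"""
import base64
import re


def encode_rfc3110(exponent: int, modulus: int) -> str:
    """Encode an RSA public key as a libreswan raw key string (0s = base64 prefix).

    Payload layout per RFC 3110 section 2: one length byte for the exponent
    (or a 0 byte followed by a 2-byte length when the exponent exceeds 255
    bytes), then the exponent, then the modulus, all big-endian.
    """
    e_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(e_bytes) < 256:
        length = bytes([len(e_bytes)])
    else:
        length = b"\x00" + len(e_bytes).to_bytes(2, "big")
    n_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return "0s" + base64.b64encode(length + e_bytes + n_bytes).decode("ascii")


def decode_rfc3110(key: str) -> tuple:
    """Parse a 0s<base64> raw key back into (exponent, modulus); raise ValueError if malformed."""
    if not key.startswith("0s"):
        raise ValueError("expected libreswan's 0s (base64) prefix")
    raw = base64.b64decode(key[2:], validate=True)
    if not raw:
        raise ValueError("empty key payload")
    if raw[0] != 0:
        e_len, offset = raw[0], 1
    else:
        e_len, offset = int.from_bytes(raw[1:3], "big"), 3
    e_bytes = raw[offset:offset + e_len]
    n_bytes = raw[offset + e_len:]
    if len(e_bytes) != e_len or not n_bytes:
        raise ValueError("truncated RFC 3110 key")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def parse_conn(conf_text: str, name: str) -> dict:
    """Collect key=value settings of one 'conn <name>' block; '#' comments are ignored."""
    settings, inside = {}, False
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            inside = m.group(1) == name
            continue
        if inside and "=" in line:
            k, v = line.split("=", 1)
            settings[k.strip()] = v.strip()
    return settings


def check_conn(settings: dict, min_bits: int = 2048) -> list:
    """Return human-readable findings; an empty list means the keys look consistent."""
    findings = []
    if settings.get("authby") != "rsasig":
        findings.append("authby is not rsasig; the raw RSA keys will not be used")
    moduli = {}
    for side in ("left", "right"):
        key = settings.get(f"{side}rsasigkey")
        if key is None:
            findings.append(f"{side}rsasigkey missing")
            continue
        try:
            e, n = decode_rfc3110(key)
        except ValueError as err:
            findings.append(f"{side}rsasigkey unparseable: {err}")
            continue
        if e % 2 == 0 or n % 2 == 0:
            findings.append(f"{side}rsasigkey has an even exponent or modulus")
        if n.bit_length() < min_bits:
            findings.append(f"{side}rsasigkey modulus is only {n.bit_length()} bits")
        moduli[side] = n
    if len(moduli) == 2 and moduli["left"] == moduli["right"]:
        findings.append("left and right keys are identical; each peer needs its own key pair")
    return findings


# Constructed demo values: odd numbers of the expected size standing in for
# moduli, NOT real RSA keys. Addresses are documentation ranges.
_LEFT_N = (1 << 2047) | 0x10001
_RIGHT_N = (1 << 3071) | 0x10001
SAMPLE_CONF = f"""conn test
    auto=start
    authby=rsasig
    leftid=@aaa
    left=192.0.2.1
    leftsubnet=192.168.1.0/24
    leftrsasigkey={encode_rfc3110(65537, _LEFT_N)}
    rightid=@bbb
    right=198.51.100.1
    rightsubnet=192.168.25.0/24
    rightrsasigkey={encode_rfc3110(65537, _RIGHT_N)}
"""


if __name__ == "__main__":
    problems = check_conn(parse_conn(SAMPLE_CONF, "test"))
    print("OK: keys consistent" if not problems else "\n".join(problems))
```

Run it against a real file with `parse_conn(open("/etc/ipsec.d/test.conf").read(), "test")`; the decoder also shows what the `0sAwAA...` / `0sAwBB...` values in the post encode, since `0s` marks base64 and the first byte is the exponent length.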