[Swan] private key matching CKAID not found: can't find the private key matching the NSS CKAID

Paul Wouters paul.wouters at aiven.io
Tue Aug 30 19:14:41 EEST 2022


On Tue, 30 Aug 2022, Sony Arpita Das wrote:

> I am trying to setup host-to-host VPN and I get the following message - 
>  private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: can't find the
> private key matching the NSS CKAID

Can you try:

certutil -K -d sql:/etc/ipsec.d
certutil -K -d sql:/var/lib/ipsec/nss/ipsec.d

Just to confirm that you are using the nssdb you think you are using?

>    rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiV
> QUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4
> qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnz
> gCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMnda
> mPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gC
> hpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6
> sVvepFRNGEPh
>     rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe

Note that ckaid is only a LOCAL identifier, so be sure to only use it as
such. The rsasigkey= can be used as LOCAL and REMOTE identifier. Maybe
instead of rightckaid=, use

      rightrsasigkey=0sAwEAAb4j/v2QI06S0rOX7g9k8bIkCp1yWIlGXZyRxp+WYAQcKb8sLaRRkeovlLv7lVadk4P00iwp77O7VYDRdFlWbs75eun3H/ewZHNZw9fHz84wNX/JF49UyKDWCnNuWrEGchVsDHmN2RNbsk4AkJFTd/nIxTHx6hElJmSTET24hac3vyQizwxkwg6JSLke0y1JJpfOP7OszYbjai/HvbUQNv0V6tiEReUAIDltSM1m1UfCAF812vw+ccQdttdzYaU9rQrrHGuwTMdBpOWWpCkDJOuSK5R0oKCAXyaBrvsaFuyJFTE0aclZ4HhXZY2lTdrQY9H0aRQX9LFka5xnJGajvdxzjqlLCV9Yi4TeiqUpnrP2NbGQkoy2nKTI9qUvFt7slnwk0lUG/DGzHRHwIsZYU+4olxLc5ECGPX2mAj8HY0NUU0wvz6NHt80HbA2DLDqGiVFQlR8yzPz0F0ga9DC0lpTjqgbUt4SXKwhvkQedgLJ5xP2V+Z7R/er8xVOjOibVSnBvJCQdXe3i/bpLwtIAGWz+3sidMgofTQLN6jqG8PRrAB8=

> [root at aqua6 42345]# /usr/sbin/ipsec auto --add mytunnel
> 002 "mytunnel": terminating SAs using this connection
> 002 "mytunnel": added IKEv2 connection

After you do this, can you do: ipsec auto --listall which should show us
the keys loaded.

Paul


More information about the Swan mailing list