[Swan] private key matching CKAID not found: can't find the private key matching the NSS CKAID

Andrew Cagney andrew.cagney at gmail.com
Wed Aug 31 01:43:24 EEST 2022


The private key for a4febfa93fb67078efe3ba5679ccae8adf61c568 was
generated on aqua6, but aqua4 is trying to access it?

Check left/right.  I'd go so far as emptying ipsec.secrets, and then
create an ipsec.conf that is identical on both ends as it may help
with knowing which is left and which is right.

For reference, this test from mainline exercises your scenario
https://testing.libreswan.org/v4.7-480-gc74f37b7b2-main/ipsec-hostkey-05-ikev2-raw-rsa/OUTPUT/west.console.verbose.txt

On Tue, 30 Aug 2022 at 10:47, Sony Arpita Das <sonyarpita at gmail.com> wrote:
>
> Hi,
>
> I am trying to setup host-to-host VPN and I get the following message -
>  private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: can't find the private key matching the NSS CKAID
>
>
> Here are the steps that I have followed -
>
> Host1 - aqua6 ; test IP - 102.1.1.89
> Host2 - aqua4; test IP - 102.1.1.85
>
> On Host1 -
> -----------------------------------------------
>
> [root at aqua6 42345]# rm -f /etc/ipsec.d/*db
>
> [root at aqua6 42345]# /usr/sbin/ipsec initnss --nssdir /etc/ipsec.d
> Initializing NSS database
>
> [root at aqua6 42345]# /usr/sbin/ipsec newhostkey
> Generated RSA key pair with CKAID a4febfa93fb67078efe3ba5679ccae8adf61c568 was stored in the NSS database
> The public key can be displayed using: ipsec showhostkey --left --ckaid a4febfa93fb67078efe3ba5679ccae8adf61c568
> [root at aqua6 42345]# /usr/sbin/ipsec showhostkey --list
> < 1> RSA keyid: AwEAAb4j/ ckaid: a4febfa93fb67078efe3ba5679ccae8adf61c568
> [root at aqua6 42345]# /usr/sbin/ipsec showhostkey --left --ckaid a4febfa93fb67078efe3ba5679ccae8adf61c568
>         # rsakey AwEAAb4j/
>         leftrsasigkey=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
>
>
> On Host2 -
> -----------------------------------------------
> [root at aqua4 etc]# rm -f /etc/ipsec.d/*db
> [root at aqua4 etc]# /usr/sbin/ipsec initnss --nssdir /etc/ipsec.d
> Initializing NSS database
>
> [root at aqua4 etc]# /usr/sbin/ipsec showhostkey --list
> [root at aqua4 etc]#  /usr/sbin/ipsec newhostkey
> Generated RSA key pair with CKAID 21075ce1a098cfcf82859e1b91e26f530c192bbe was stored in the NSS database
> The public key can be displayed using: ipsec showhostkey --left --ckaid 21075ce1a098cfcf82859e1b91e26f530c192bbe
> [root at aqua4 etc]# /usr/sbin/ipsec showhostkey --list
> < 1> RSA keyid: AwEAAbhUg ckaid: 21075ce1a098cfcf82859e1b91e26f530c192bbe
> [root at aqua4 etc]# /usr/sbin/ipsec showhostkey --right --ckaid 21075ce1a098cfcf82859e1b91e26f530c192bbe
>         # rsakey AwEAAbhUg
>         rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiVQUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnzgCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMndamPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gChpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6sVvepFRNGEPh
>
>
> ipsec.conf on Host1
> -----------------------------------------------
> [root at aqua6 ~]# cat /etc/ipsec.conf
> config setup
>     plutodebug=private
>     plutostderrlog=/var/log/openswan.log
>
>
> conn mytunnel
>     leftid=@aqua6.blr.asicdesigners.com
>     left=102.1.1.85
>     leftrsasigkey=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
>     rightid=@aqua4.blr.asicdesigners.com
>     right=102.1.1.89
>     rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiVQUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnzgCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMndamPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gChpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6sVvepFRNGEPh
>     rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe
>
>     authby=rsasig
>     phase2alg=aes_gcm128
>     type=transport
>     auto=add
>
> ipsec.conf on Host2
> -----------------------------------------------
> [root at aqua4 ~]# cat /etc/ipsec.conf
> config setup
>     plutodebug=private
>     plutostderrlog=/var/log/openswan.log
>
>
> conn mytunnel
>     leftid=@aqua6.blr.asicdesigners.com
>     left=102.1.1.85
>     leftrsasigkey=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
>     rightid=@aqua4.blr.asicdesigners.com
>     right=102.1.1.89
>     rightrsasigkey=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
>     authby=rsasig
>     phase2alg=aes_gcm128
>     type=transport
>     auto=add
>
>
> Setting tunnel on Host1 and Host 2
> -----------------------------------------------
> [root at aqua6 ~]# systemctl stop ipsec
> [root at aqua6 ~]# systemctl start ipsec
> [root at aqua6 42345]# /usr/sbin/ipsec setup start
> Redirecting to: systemctl start ipsec.service
> [root at aqua6 42345]# /usr/sbin/ipsec auto --add mytunnel
> 002 "mytunnel": terminating SAs using this connection
> 002 "mytunnel": added IKEv2 connection
>
> [root at aqua4 etc]# systemctl stop ipsec
> [root at aqua4 etc]# systemctl start ipsec
> [root at aqua4 etc]# /usr/sbin/ipsec auto --add mytunnel
> 002 "mytunnel": terminating SAs using this connection
> 002 "mytunnel": added IKEv2 connection
> [root at aqua4 etc]# /usr/sbin/ipsec auto --up mytunnel
> 181 "mytunnel" #1: initiating IKEv2 connection
> 181 "mytunnel" #1: sent IKE_SA_INIT request
> 003 "mytunnel" #1: private key matching CKAID 'a4febfa93fb67078efe3ba5679ccae8adf61c568' not found: can't find the private key matching the NSS CKAID
> 036 "mytunnel" #1: encountered fatal error in state STATE_V2_PARENT_I1
> 002 "mytunnel" #1: deleting state (STATE_V2_PARENT_I1) aged 0.006793s and NOT sending notification
> 002 "mytunnel" #1: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
>
> [root at aqua4 ~]# ipsec version
> Linux Libreswan 4.5 (XFRM) on 4.18.0-372.9.1.el8.x86_64
>
> [root at aqua6 ~]# ipsec version
> Linux Libreswan 4.5 (XFRM) on 4.18.0-372.9.1.el8.x86_64
>
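As an added example (not from the thread or from Libreswan itself): a small Python check that mirrors the "check left/right" advice. It decides which side a host plays by matching the host's own IP against left=/right=, the way pluto orients a conn, and then confirms that the private key for that side's rsasigkey is present in the local NSS database. It assumes the keyid printed by `ipsec showhostkey --list` is the first 9 base64 characters after the `0s` prefix (true of the output quoted above) and uses the thread's IPs and CKAIDs with truncated keys as constructed sample input.

```python
import re

def parse_conn(conf_text):
    """Return the key=value settings of the first 'conn' section."""
    settings, in_conn = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            in_conn = True
        elif in_conn and "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip()] = val.strip()
    return settings

def parse_showhostkey_list(output):
    """Map keyid -> ckaid from 'ipsec showhostkey --list' output."""
    return dict(re.findall(r"keyid:\s*(\S+)\s+ckaid:\s*([0-9a-f]{40})", output))

def check_host(hostname, local_ip, local_keys, conn):
    """Pick this host's side by IP (as pluto orients the conn) and verify
    the private key behind that side's rsasigkey lives in the local NSS db."""
    if conn.get("left") == local_ip:
        side = "left"
    elif conn.get("right") == local_ip:
        side = "right"
    else:
        return {"side": None, "ok": False, "why": "local IP is neither left nor right"}
    # Assumption: keyid is the first 9 base64 chars after "0s", as in the thread.
    keyid = conn[side + "rsasigkey"][2:11]
    problems = []
    if keyid not in local_keys:
        problems.append(f"{side}rsasigkey (keyid {keyid}) has no private key in local NSS db")
    if hostname not in conn.get(side + "id", ""):
        problems.append(f"{side}id={conn.get(side + 'id')} does not name this host")
    return {"side": side, "ok": not problems, "why": "; ".join(problems)}

# Constructed sample: aqua4's own key list and the conn from the thread,
# with the base64 keys truncated. left= carries aqua4's IP but aqua6's key.
AQUA4_KEYS = parse_showhostkey_list(
    "< 1> RSA keyid: AwEAAbhUg ckaid: 21075ce1a098cfcf82859e1b91e26f530c192bbe")
SWAPPED_CONF = """conn mytunnel
    leftid=@aqua6.blr.asicdesigners.com
    left=102.1.1.85
    leftrsasigkey=0sAwEAAb4j/TRUNCATED
    rightid=@aqua4.blr.asicdesigners.com
    right=102.1.1.89
    rightrsasigkey=0sAwEAAbhUgTRUNCATED
"""
# Same conn with the two IPs put back on the hosts they belong to.
FIXED_CONF = SWAPPED_CONF.replace("left=102.1.1.85", "left=102.1.1.89") \
                         .replace("right=102.1.1.89", "right=102.1.1.85")

if __name__ == "__main__":
    for label, conf in (("as posted", SWAPPED_CONF), ("IPs corrected", FIXED_CONF)):
        print(label, check_host("aqua4", "102.1.1.85", AQUA4_KEYS, parse_conn(conf)))
```

Run the same check on aqua6 with its own `showhostkey --list` output to confirm both ends agree on who is left and who is right.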