[Swan] private key matching CKAID not found: can't find the private key matching the NSS CKAID

Andrew Cagney andrew.cagney at gmail.com
Thu Sep 1 19:34:53 EEST 2022


> Thanks,
> Sony
>
> On Tue, Aug 30, 2022 at 9:44 PM Paul Wouters <paul.wouters at aiven.io> wrote:
>>
>> On Tue, 30 Aug 2022, Sony Arpita Das wrote:
>>
>> > I am trying to setup host-to-host VPN and I get the following message -
>> >  private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: can't find the
>> > private key matching the NSS CKAID
>>
>> Can you try:
>>
>> certutil -K -d sql:/etc/ipsec.d
>> certutil -K -d sql:/var/lib/ipsec/nss/ipsec.d
>>
>> Just to confirm that you are using the nssdb you think you are using?
>>
>> >    rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiV
>> > QUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4
>> > qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnz
>> > gCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMnda
>> > mPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gC
>> > hpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6
>> > sVvepFRNGEPh
>> >     rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe
>>
>> Note that ckaid is only a LOCAL identifier, so be sure to only use it as
>> such. The rsasigkey= can be used as LOCAL and REMOTE identifier. Maybe
>> instead of rightckaid=, use

The CKAID can be used by both ends.  For instance, here's the ipsec.conf
file used by the test I cited:

config setup
    # put the logs in /tmp for the UMLs, so that we can operate
    # without syslogd, which seems to break on UMLs
    logfile=/tmp/pluto.log
    logtime=no
    logappend=no
    dumpdir=/tmp
    plutodebug=all

conn hostkey
    left=192.1.2.45
    leftsubnet=192.0.1.0/24
    right=192.1.2.23
    rightsubnet=192.0.2.0/24
    authby=ecdsa
    # ecdsakey iZwlCr0T9
    rightecdsakey=0skEyuBiXyVoB/d7+Hk7SuoM2o7SwZG6vizTFnzsgbNw+WBg2Q2NV44QKmcI8daIFbnehhVedxKi0hBQwR9EIHMw==
    # ecdsakey wAOi3uXfB
    leftecdsakey=0sGL/PzKgowpZR77YtQnB5bzFN/tG9+BuUNgAdBVFVsR2qQ2NoxZoA1Y5CjpN3PJvearEaFYif6NrEnoGpC47E1Q==
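
Added example, not part of the original thread and not libreswan's own code: a small shell check that compares the leftckaid=/rightckaid= values in an ipsec.conf against a saved `certutil -K` listing, which is the comparison the certutil commands quoted above are meant to support. The function names, the assumed `certutil -K` line layout and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Assumption: `certutil -K` prints one line per private key, shaped like
#   < 0> rsa      <40-hex-digit key ID>   <nickname>

# Read `certutil -K` output on stdin; print the key IDs in lower case.
key_ids() {
    awk '/^</ { for (i = 1; i <= NF; i++)
                  if (length($i) == 40 && $i ~ /^[0-9a-fA-F]+$/) print tolower($i) }'
}

# has_private_key KEYLIST CKAID: succeed if CKAID appears in the saved listing.
has_private_key() {
    [ -n "$2" ] && key_ids < "$1" | grep -qxF "$(printf '%s' "$2" | tr 'A-F' 'a-f')"
}

# check_ckaids CONF KEYLIST: report on every leftckaid=/rightckaid= in CONF.
check_ckaids() {
    awk -F= '/^[ \t]*(left|right)ckaid[ \t]*=/ { gsub(/[ \t]/, ""); print $1 "=" $2 }' "$1" |
    while IFS='=' read -r opt ckaid; do
        if has_private_key "$2" "$ckaid"; then
            echo "$opt=$ckaid: private key present"
        else
            echo "$opt=$ckaid: no private key in this database"
        fi
    done
}

# Demo on constructed input: the two CKAIDs quoted in the thread, and a
# made-up key listing that holds only the second one.
demo() {
    d=$(mktemp -d)
    cat > "$d/ipsec.conf" <<'EOF'
conn hostkey
    leftckaid=67fc9d0686eeba870eb2c6a7608156b64e0316d0
    rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe
EOF
    cat > "$d/keys.txt" <<'EOF'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      21075ce1a098cfcf82859e1b91e26f530c192bbe   (orphan)
EOF
    check_ckaids "$d/ipsec.conf" "$d/keys.txt"
    rm -rf "$d"
}
demo
```

On a real host, save the output of each certutil command quoted above to its own file and run check_ckaids once per file; a CKAID that shows up under one database directory but not the other points to pluto reading a different nssdb than expected.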

