[Swan] private key matching CKAID not found: can't find the private key matching the NSS CKAID

Andrew Cagney andrew.cagney at gmail.com
Thu Sep 1 23:35:21 EEST 2022


On Thu, 1 Sept 2022 at 12:34, Andrew Cagney <andrew.cagney at gmail.com> wrote:
>
> > Thanks,
> > Sony
> >
> > On Tue, Aug 30, 2022 at 9:44 PM Paul Wouters <paul.wouters at aiven.io> wrote:
> >>
> >> On Tue, 30 Aug 2022, Sony Arpita Das wrote:
> >>
> >> > I am trying to setup host-to-host VPN and I get the following message -
> >> >  private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: can't find the
> >> > private key matching the NSS CKAID
> >>
> >> Can you try:
> >>
> >> certutil -K -d sql:/etc/ipsec.d
> >> certutil -K -d sql:/var/lib/ipsec/nss/ipsec.d
> >>
> >> Just to confirm that you are using the nssdb you think you are using?
> >>
> >> >    rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiV
> >> > QUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4
> >> > qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnz
> >> > gCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMnda
> >> > mPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gC
> >> > hpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6
> >> > sVvepFRNGEPh
> >> >     rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe
> >>
> >> Note that ckaid is only a LOCAL identifier, so be sure to only use it as
> >> such. The rsasigkey= can be used as LOCAL and REMOTE identifier. Maybe
> >> instead of rightckaid=, use
>
> The CKAID can be used by both ends.  For instance, here's the ipsec.conf
> file used by the test I cited:

Sorry, I'm wrong; it's rsasigkey that should be used on both ends (or,
in 4.7, pubkey).  Here's a better indented version of the shared
ipsec.conf:

+config setup
+       # put the logs in /tmp for the UMLs, so that we can operate
+       # without syslogd, which seems to break on UMLs
+       logfile=/tmp/pluto.log
+       logtime=no
+       logappend=no
+       dumpdir=/tmp
+       plutodebug=all
+conn hostkey
+       left=192.1.2.45
+       leftsubnet=192.0.1.0/24
+       right=192.1.2.23
+       rightsubnet=192.0.2.0/24
+       authby=rsa-sha2
+       # rsakey <<KEYID#1>>
+       rightrsasigkey=0s<<RAW-PUBKEY#1>>
+       # rsakey <<KEYID#2>>
+       leftrsasigkey=0s<<RAW-PUBKEY#2>>

where the entries {left,right}rsasigkey= were generated using:

$ ipsec showhostkey --left --ckaid ...
$ ipsec showhostkey --right --ckaid ...

on the respective hosts.

> config setup
> # put the logs in /tmp for the UMLs, so that we can operate
> # without syslogd, which seems to break on UMLs
> logfile=/tmp/pluto.log
> logtime=no
> logappend=no
> dumpdir=/tmp
> plutodebug=all
>
> conn hostkey
> left=192.1.2.45
> leftsubnet=192.0.1.0/24
> right=192.1.2.23
> rightsubnet=192.0.2.0/24
> authby=ecdsa
> # ecdsakey iZwlCr0T9
> rightecdsakey=0skEyuBiXyVoB/d7+Hk7SuoM2o7SwZG6vizTFnzsgbNw+WBg2Q2NV44QKmcI8daIFbnehhVedxKi0hBQwR9EIHMw==
> # ecdsakey wAOi3uXfB
> leftecdsakey=0sGL/PzKgowpZR77YtQnB5bzFN/tG9+BuUNgAdBVFVsR2qQ2NoxZoA1Y5CjpN3PJvearEaFYif6NrEnoGpC47E1Q==
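As an added example (not code from this thread or from libreswan), the script below automates the check Paul suggests: it pulls every `ckaid=` out of an ipsec.conf and looks each one up in the output of `certutil -K -d sql:<nssdir>`, reporting which ones are absent from the local NSS database. The certutil line format and both sample inputs are assumptions constructed for the example; on a real host, feed it the actual `certutil -K` output.

```shell
# Added example (not code from the thread or from libreswan): cross-check the
# ckaid= values in an ipsec.conf against the private keys listed by
# "certutil -K -d sql:<nssdir>", the check Paul suggests above. Both inputs
# are CONSTRUCTED samples; on a real host feed in the actual certutil output.
# CKAIDs that certutil -K reports, lowercase, one per line. Assumed line
# format: "< 0> rsa      <40-hex-ckaid>   <nickname or (orphan)>".
certutil_ckaids() {
    sed -n 's/^<[ 0-9]*>[ ]*[a-z]*[ ]*\([0-9a-fA-F]\{40\}\).*/\1/p' "$1" |
        tr 'A-F' 'a-f'
}

# leftckaid=/rightckaid= values in an ipsec.conf, lowercase, one per line.
conf_ckaids() {
    sed -n 's/^[[:space:]]*[a-z]*ckaid=\([0-9a-fA-F]*\).*/\1/p' "$1" |
        tr 'A-F' 'a-f'
}

# 0 when every ckaid= in the conf ($1) appears in the certutil output ($2),
# else 1, naming each absent key. A ckaid= only identifies a key in the LOCAL
# NSS db, which is why a CKAID copied from the peer's side fails this check.
check_ckaids() {
    missing=0
    for id in $(conf_ckaids "$1"); do
        if certutil_ckaids "$2" | grep -qx "$id"; then
            echo "ok       ckaid $id is in the NSS db"
        else
            echo "MISSING  ckaid $id is not in the NSS db"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: leftckaid is this host's own key; rightckaid was copied
# from the peer and so is absent from this host's db (a ckaid= is local only).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
conn hostkey
        left=192.1.2.45
        leftckaid=67FC9D0686EEBA870EB2C6A7608156B64E0316D0
        right=192.1.2.23
        rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe
EOF
SAMPLE_KEYS=$(mktemp)
cat > "$SAMPLE_KEYS" <<'EOF'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      67fc9d0686eeba870eb2c6a7608156b64e0316d0   (orphan)
EOF
if check_ckaids "$SAMPLE_CONF" "$SAMPLE_KEYS"; then echo "all keys present"; else echo "fix ipsec.conf"; fi
```

A key that shows up as MISSING is exactly the case that produces pluto's "private key matching CKAID ... not found" message; replacing that `ckaid=` with the peer's `rsasigkey=` (or `pubkey=` on 4.7) as the thread recommends resolves it.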

