[Swan] private key matching CKAID not found: can't find the private key matching the NSS CKAID
Sony Arpita Das
sonyarpita at gmail.com
Tue Sep 6 13:28:48 EEST 2022
Hi Andrew,
I tried the following and it seemed to work. I had messed up the IPs apparently -
ipsec.conf on Host1
-----------------------------------------------
[root at aqua6 ~]# cat /etc/ipsec.conf
config setup
    plutodebug=private
    plutostderrlog=/var/log/openswan.log
conn mytunnel
    leftid=@aqua6.blr.asicdesigners.com
    left=102.1.1.89
    leftrsasigkey=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
    rightid=@aqua4.blr.asicdesigners.com
    right=102.1.1.85
    rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiVQUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnzgCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMndamPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gChpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6sVvepFRNGEPh
    authby=rsasig
    phase2alg=aes_gcm128
    type=transport
    auto=add
ipsec.conf on Host2
-----------------------------------------------
[root at aqua4 ~]# cat /etc/ipsec.conf
config setup
    plutodebug=private
    plutostderrlog=/var/log/openswan.log
conn mytunnel
    leftid=@aqua6.blr.asicdesigners.com
    left=102.1.1.89
    leftrsasigkey=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
    rightid=@aqua4.blr.asicdesigners.com
    right=102.1.1.85
    rightrsasigkey=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
    authby=rsasig
    phase2alg=aes_gcm128
    type=transport
    auto=add
Thanks for all the help.
Thanks,
Sony Arpita
On Fri, 2 Sept 2022 at 02:05, Andrew Cagney <andrew.cagney at gmail.com> wrote:
> On Thu, 1 Sept 2022 at 12:34, Andrew Cagney <andrew.cagney at gmail.com> wrote:
> >
> > > Thanks,
> > > Sony
> > >
> > > On Tue, Aug 30, 2022 at 9:44 PM Paul Wouters <paul.wouters at aiven.io> wrote:
> > >>
> > >> On Tue, 30 Aug 2022, Sony Arpita Das wrote:
> > >>
> > >> > I am trying to setup host-to-host VPN and I get the following message -
> > >> > private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: can't find the private key matching the NSS CKAID
> > >>
> > >> Can you try:
> > >>
> > >> certutil -K -d sql:/etc/ipsec.d
> > >> certutil -K -d sql:/var/lib/ipsec/nss/ipsec.d
> > >>
> > >> Just to confirm that you are using the nssdb you think you are using?
> > >>
> > >> > rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiVQUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnzgCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMndamPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gChpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6sVvepFRNGEPh
> > >> > rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe
> > >>
> > >> Note that ckaid is only a LOCAL identifier, so be sure to only use it as
> > >> such. The rsasigkey= can be used as LOCAL and REMOTE identifier. Maybe
> > >> instead of rightckaid=, use
> >
> > The CKAID can be used by both ends. For instance, here's ipsec.conf
> > file used by the test I cited:
>
> Sorry, I'm wrong; it's rsasigkey that should be used on both ends (or
> in 4.7, pubkey). Here's a better indented version of the shared
> ipsec.conf:
>
> +config setup
> +    # put the logs in /tmp for the UMLs, so that we can operate
> +    # without syslogd, which seems to break on UMLs
> +    logfile=/tmp/pluto.log
> +    logtime=no
> +    logappend=no
> +    dumpdir=/tmp
> +    plutodebug=all
> +conn hostkey
> +    left=192.1.2.45
> +    leftsubnet=192.0.1.0/24
> +    right=192.1.2.23
> +    rightsubnet=192.0.2.0/24
> +    authby=rsa-sha2
> +    # rsakey <<KEYID#1>>
> +    rightrsasigkey=0s<<RAW-PUBKEY#1>>
> +    # rsakey <<KEYID#2>>
> +    leftrsasigkey=0s<<RAW-PUBKEY#2>>
>
> where the entries {left,right}rsasigkey= were generated using:
>
> $ ipsec showhostkey --left --ckaid ...
> $ ipsec showhostkey --right --ckaid ...
>
> on the respective hosts.
>
> > config setup
> >     # put the logs in /tmp for the UMLs, so that we can operate
> >     # without syslogd, which seems to break on UMLs
> >     logfile=/tmp/pluto.log
> >     logtime=no
> >     logappend=no
> >     dumpdir=/tmp
> >     plutodebug=all
> >
> > conn hostkey
> >     left=192.1.2.45
> >     leftsubnet=192.0.1.0/24
> >     right=192.1.2.23
> >     rightsubnet=192.0.2.0/24
> >     authby=ecdsa
> >     # ecdsakey iZwlCr0T9
> >     rightecdsakey=0skEyuBiXyVoB/d7+Hk7SuoM2o7SwZG6vizTFnzsgbNw+WBg2Q2NV44QKmcI8daIFbnehhVedxKi0hBQwR9EIHMw==
> >     # ecdsakey wAOi3uXfB
> >     leftecdsakey=0sGL/PzKgowpZR77YtQnB5bzFN/tG9+BuUNgAdBVFVsR2qQ2NoxZoA1Y5CjpN3PJvearEaFYif6NrEnoGpC47E1Q==
>
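The diagnostic Paul proposed above (run certutil -K against the candidate NSS databases and confirm the CKAID from the pluto error is actually there) can be scripted. The following is an added example for this thread, not code from the libreswan project or from any of the posters: it pulls the CKAID out of a pluto log line, searches a certutil -K listing for that CKA_ID, and wraps the real certutil call over the two database directories named in the thread. The log line and the listing embedded below are constructed samples, the column layout of certutil -K output ("<  0> rsa      <CKA_ID>   <nickname>") is an assumption, and the nickname shown is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the libreswan project: check whether
# the CKAID named in pluto's "private key matching CKAID ... not found"
# message exists in an NSS database, using the `certutil -K` listing that
# Paul suggested. Sample log line and listing are constructed; the certutil -K
# column layout is assumed.

# Constructed sample: a pluto log line of the kind quoted in the thread.
SAMPLE_LOG="private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: can't find the private key matching the NSS CKAID"

# Constructed sample: what `certutil -K -d sql:/etc/ipsec.d` might print on a
# host whose only private key carries the CKAID from the rightckaid= line,
# i.e. a key that does not match what pluto is looking for.
SAMPLE_LISTING='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
<  0> rsa      21075ce1a098cfcf82859e1b91e26f530c192bbe   placeholder-hostkey'

# Print the CKAID quoted in a pluto log line (prints nothing if absent).
extract_ckaid() {
    printf '%s\n' "$1" |
        sed -n "s/.*private key matching CKAID '\([0-9a-fA-F]*\)'.*/\1/p"
}

# Search a certutil -K listing ($2) for a key whose CKA_ID equals $1
# (case-insensitive). Prints the matching line(s); status 0 if found, 1 if not.
find_key_in_listing() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$2" | awk -v want="$want" '
        /^</ { for (i = 1; i <= NF; i++) if (tolower($i) == want) { print; found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Run the real check against one NSS database directory.
# Status: 0 key present, 1 database opened but key absent, 2 certutil failed
# (no such database, no certutil binary, or a protected database).
check_nssdb() {
    listing=$(certutil -K -d "sql:$2" 2>/dev/null) || return 2
    find_key_in_listing "$1" "$listing"
}

# Check the two database locations named in the thread, plus any extra
# directories passed after the CKAID.
scan_nssdbs() {
    ckaid=$1; shift
    for dir in /etc/ipsec.d /var/lib/ipsec/nss/ipsec.d "$@"; do
        check_nssdb "$ckaid" "$dir" >/dev/null
        case $? in
            0) echo "$dir: private key with CKAID $ckaid is present" ;;
            1) echo "$dir: database opened, but it holds no key with CKAID $ckaid" ;;
            *) echo "$dir: certutil could not open this database" ;;
        esac
    done
}

# Demonstration on the constructed samples (needs no certutil).
ckaid=$(extract_ckaid "$SAMPLE_LOG")
if find_key_in_listing "$ckaid" "$SAMPLE_LISTING"; then
    echo "listing contains $ckaid"
else
    echo "listing lacks $ckaid: pluto cannot sign with a key this database does not hold"
fi
```

On a real host, source the file and run `scan_nssdbs 67fc9d0686eeba870eb2c6a7608156b64e0316d0` (or whatever CKAID the log names); a "database opened, but it holds no key" result for every directory is exactly the situation the error message describes, and usually means the conn refers to a key that was generated elsewhere, which fits Paul's point that ckaid= only identifies a key in the local database.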