[Swan] private key matching CKAID not found: can't find the private key matching the NSS CKAID

Sony Arpita Das sonyarpita at gmail.com
Tue Sep 6 13:28:48 EEST 2022


Hi Andrew,

I tried the following and it seemed to work. I had messed up the IPs,
apparently:

ipsec.conf on Host1
-----------------------------------------------
[root@aqua6 ~]# cat /etc/ipsec.conf
config setup
    plutodebug=private
    plutostderrlog=/var/log/openswan.log


conn mytunnel
    leftid=@aqua6.blr.asicdesigners.com
    left=102.1.1.89
    leftrsasigkey=0s[RSA public key elided]

    rightid=@aqua4.blr.asicdesigners.com
    right=102.1.1.85
    rightrsasigkey=0s[RSA public key elided]

    authby=rsasig
    phase2alg=aes_gcm128
    type=transport
    auto=add

ipsec.conf on Host2
-----------------------------------------------
[root@aqua4 ~]# cat /etc/ipsec.conf
config setup
    plutodebug=private
    plutostderrlog=/var/log/openswan.log


conn mytunnel
    leftid=@aqua6.blr.asicdesigners.com
    left=102.1.1.89
    leftrsasigkey=0s[RSA public key elided]

    rightid=@aqua4.blr.asicdesigners.com
    right=102.1.1.85
    rightrsasigkey=0s[RSA public key elided]
    authby=rsasig
    phase2alg=aes_gcm128
    type=transport
    auto=add


Thanks for all the help.


Thanks,

Sony Arpita


On Fri, 2 Sept 2022 at 02:05, Andrew Cagney <andrew.cagney at gmail.com> wrote:

> On Thu, 1 Sept 2022 at 12:34, Andrew Cagney <andrew.cagney at gmail.com>
> wrote:
> >
> > > Thanks,
> > > Sony
> > >
> > > On Tue, Aug 30, 2022 at 9:44 PM Paul Wouters <paul.wouters at aiven.io>
> wrote:
> > >>
> > >> On Tue, 30 Aug 2022, Sony Arpita Das wrote:
> > >>
> > >> > I am trying to set up host-to-host VPN and I get the following message -
> > >> >  private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: can't find the
> > >> > private key matching the NSS CKAID
> > >>
> > >> Can you try:
> > >>
> > >> certutil -K -d sql:/etc/ipsec.d
> > >> certutil -K -d sql:/var/lib/ipsec/nss/ipsec.d
> > >>
> > >> Just to confirm that you are using the nssdb you think you are using?
> > >>
> > >> > rightrsasigkey=0s[RSA public key elided]
> > >> >     rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe
> > >>
> > >> Note that ckaid is only a LOCAL identifier, so be sure to only use it as
> > >> such. The rsasigkey= can be used as LOCAL and REMOTE identifier. Maybe
> > >> instead of rightckaid=, use
> >
> > The CKAID can be used by both ends.  For instance, here's ipsec.conf
> > file used by the test I cited:
>
> Sorry, I'm wrong; it's rsasigkey that should be used on both ends (or
> in 4.7, pubkey).  Here's a better indented version of the shared
> ipsec.conf:
>
> +config setup
> +       # put the logs in /tmp for the UMLs, so that we can operate
> +       # without syslogd, which seems to break on UMLs
> +       logfile=/tmp/pluto.log
> +       logtime=no
> +       logappend=no
> +       dumpdir=/tmp
> +       plutodebug=all
> +conn hostkey
> +       left=192.1.2.45
> +       leftsubnet=192.0.1.0/24
> +       right=192.1.2.23
> +       rightsubnet=192.0.2.0/24
> +       authby=rsa-sha2
> +       # rsakey <<KEYID#1>>
> +       rightrsasigkey=0s<<RAW-PUBKEY#1>>
> +       # rsakey <<KEYID#2>>
> +       leftrsasigkey=0s<<RAW-PUBKEY#2>>
>
> where the entries {left,right}rsasigkey= were generated using:
>
> $ ipsec showhostkey --left --ckaid ...
> $ ipsec showhostkey --right --ckaid ...
>
> on the respective hosts.
>
> > config setup
> > # put the logs in /tmp for the UMLs, so that we can operate
> > # without syslogd, which seems to break on UMLs
> > logfile=/tmp/pluto.log
> > logtime=no
> > logappend=no
> > dumpdir=/tmp
> > plutodebug=all
> >
> > conn hostkey
> > left=192.1.2.45
> > leftsubnet=192.0.1.0/24
> > right=192.1.2.23
> > rightsubnet=192.0.2.0/24
> > authby=ecdsa
> > # ecdsakey iZwlCr0T9
> >
> rightecdsakey=0skEyuBiXyVoB/d7+Hk7SuoM2o7SwZG6vizTFnzsgbNw+WBg2Q2NV44QKmcI8daIFbnehhVedxKi0hBQwR9EIHMw==
> > # ecdsakey wAOi3uXfB
> >
> leftecdsakey=0sGL/PzKgowpZR77YtQnB5bzFN/tG9+BuUNgAdBVFVsR2qQ2NoxZoA1Y5CjpN3PJvearEaFYif6NrEnoGpC47E1Q==
>
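An added diagnostic for the symptom in this thread (my own example, not code from the thread or from Libreswan): it pulls the CKAID out of the pluto error, checks which of the two `certutil -K` listings Paul suggested actually contains it, and flags a conn that puts ckaid= on the remote side or lacks rsasigkey= on either end. The `certutil -K` line layout is an assumption, and the sample log, listings and conn block are constructed.

```python
import re
# Constructed sample inputs (not captured from the hosts in the thread).
SAMPLE_LOG = ("pluto: private key matching CKAID "
              "'67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: "
              "can't find the private key matching the NSS CKAID")
SAMPLE_LISTINGS = {  # nss dir -> output of `certutil -K -d sql:<dir>`
    "/etc/ipsec.d": 'certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"\n'
                    "< 0> rsa      21075ce1a098cfcf82859e1b91e26f530c192bbe   (orphan)\n",
    "/var/lib/ipsec/nss/ipsec.d":
                    "< 0> rsa      67fc9d0686eeba870eb2c6a7608156b64e0316d0   (orphan)\n",
}
SAMPLE_CONN = ("conn mytunnel\n    left=102.1.1.89\n    leftrsasigkey=0sPLACEHOLDER\n"
               "    right=102.1.1.85\n    rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe\n"
               "    authby=rsasig\n")
CKAID_ERR = re.compile(r"private key matching CKAID '([0-9a-fA-F]+)' not found")
# Assumed certutil -K line layout:  < 0> rsa      <40-hex CKAID>   nickname-or-(orphan)
CERTUTIL_KEY = re.compile(r"^<\s*\d+>\s+(\S+)\s+([0-9a-fA-F]{40})\b")

def ckaid_from_log(log):
    m = CKAID_ERR.search(log)  # CKAID pluto complained about, or None
    return m.group(1).lower() if m else None

def ckaids_in_listing(listing):
    found = {}  # {ckaid: keytype} for every private key in one certutil -K listing
    for line in listing.splitlines():
        m = CERTUTIL_KEY.match(line.strip())
        if m:
            found[m.group(2).lower()] = m.group(1)
    return found

def locate_key(ckaid, listings):
    for d, text in listings.items():  # first candidate NSS db that holds the key
        if ckaid in ckaids_in_listing(text):
            return d
    return None  # none of the candidate dirs has it: pluto is using a db without this key

def conn_problems(conf, local_ip):
    # conn settings that cannot work on the host whose address is local_ip
    opts = dict(re.findall(r"^\s*(\w+)=(\S+)", conf, re.M))
    sides = {opts.get("left"): ("left", "right"), opts.get("right"): ("right", "left")}
    if local_ip not in sides:
        return ["neither left= nor right= is %s" % local_ip]
    local, remote = sides[local_ip]
    probs = []
    if remote + "ckaid" in opts:  # a ckaid only names a key in the LOCAL nss db
        probs.append("%sckaid= cannot identify the peer; use %srsasigkey=" % (remote, remote))
    if opts.get("authby", "").startswith("rsa"):  # peer's public key must be configured on BOTH ends
        probs += ["missing %srsasigkey=" % s for s in (local, remote) if s + "rsasigkey" not in opts]
    return probs
```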