[Swan] Failure to find our RSA key
William Atwood
william.atwood at concordia.ca
Fri Aug 4 22:36:23 EEST 2023
Hello,
I am interested in using Libreswan in a project that requires IPsec
tunnels between hosts. Eventually, these tunnels will be based on
certificates, but I wanted to understand the "basics" before going to
the effort of setting up whatever certificate-management infrastructure
I will need.
So, I found an example of a simple case in the Wiki, at
https://libreswan.org/wiki/Host_to_host_VPN. I ran the example on two
hosts, Lampson and Cherry, each running Ubuntu 20.04.6 LTS.
I installed Libreswan on both hosts, using "sudo apt install libreswan".
The resulting version string is:
Linux Libreswan 3.29 (netkey) on 5.15.0-76-generic
I initialized nss, and then used "sudo ipsec newhostkey" to generate RSA
keypairs on each host. Using the host keys, and appropriate IPv4
addresses, I constructed /etc/ipsec.d/LACH.conf on both hosts, making
sure that the host keys were on a single line in the file.
I ran:
sudo ipsec setup start
sudo ipsec auto --add mytunnel
on both hosts, and then ran
sudo ipsec auto --up mytunnel
on Cherry, which resulted in the following output:
dev at Cherry:~$ sudo ipsec auto --add mytunnel
002 "mytunnel": terminating SAs using this connection
002 added connection description "mytunnel"
dev at Cherry:~$ sudo ipsec auto --up mytunnel
002 "mytunnel" #1: initiating v2 parent SA
133 "mytunnel" #1: initiate
002 "mytunnel": constructed local IKE proposals for mytunnel (IKE SA initiator selecting KE):
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
(default)
133 "mytunnel" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
003 "mytunnel" #1: Failed to find our RSA key
After 60 seconds, I get the following additional output:
002 "mytunnel" #3: initiating v2 parent SA to replace #1
133 "mytunnel" #3: STATE_PARENT_I0: initiate, replacing #1
002 "mytunnel" #1: deleting state (STATE_PARENT_I2) aged 60.035s and NOT sending notification
133 "mytunnel" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
003 "mytunnel" #3: Failed to find our RSA key
This behavior then repeats every 60 seconds.
Can anyone suggest to me what is wrong, and how to go about fixing it?
Bill
--
Dr. J.W. Atwood, Eng.                    tel: +1 (514) 848-2424 x3046
Distinguished Professor Emeritus         fax: +1 (514) 848-2830
Department of Computer Science and Software Engineering
Concordia University ER 1234             email: william.atwood at concordia.ca
1455 de Maisonneuve Blvd. West           http://users.encs.concordia.ca/~bill
Montreal, Quebec Canada H3G 1M8