[Swan] Solution: Re: Failure to find our RSA key
Paul Wouters
paul at nohats.ca
Tue Aug 29 19:54:04 EEST 2023
On Mon, 28 Aug 2023, William Atwood wrote:
> Subject: Re: [Swan] Failure to find our RSA key
> Simple process description:
> 1) two hosts running Ubuntu 20.04.6 LTS (Cherry and Lampson)
> 2) On each machine:
> sudo apt install libreswan
> sudo ipsec initnss --nssdir /var/lib/ipsec/nss
> sudo ipsec newhostkey
> use sudo ipsec showhostkey to give me the two keys
> build and install LACH.conf in /etc/ipsec.d/ on each machine
The problem is that this comes with libreswan 3.29 which still needs
"secrets" entries for RSA keys in ipsec.secrets or its include files.
But the "ipsec newhostkey" that comes with it mistakenly does not generate
this. Instead, do:
sudo apt install libreswan
sudo ipsec initnss
sudo su
ipsec rsasigkey > /etc/ipsec.d/connname.secrets
The contents will look like this:
# RSA 3168 bits ubuntu Tue Aug 29 12:41:21 2023
# for signatures only, UNSAFE FOR ENCRYPTION
#ckaid=917674ca297398fa38019b368450129750de980d
#pubkey=0sAwEAAeHAbcnQD2OvJ9cte8fZxniWzTJaHh+F0Vph8PzbEkkWovZRl+Nj1zurUaS1JQGEMGyLePKQ+pFrhJr8li9f2k1y6kQGTAR6Ng7dHiJzffhU1tjkttv/g7nnGzhKa9BF8sJAuh/9NAgNefnS4/oMvLLg2wTEzZ/i+ZhtFsu+qSRK6eXtEOvHGyF2sqOM2gZuRv6iF29oU3aTQCG/+TsauAQFuC6cKYq87uIc845wH2ctTJ+zXOSFJ4jpdXLFPtoZb8UiY52ybWwI4xNJpHaqpEZo3RrawwS0UPJACf8I6dQ6SapvQPO8P6tNd1oTJWGvyfFALSEnudfW/lSxCwO19U0mwiCSf5NXeDG/JW9Y9jq+t3FtkdcV9+7j2eULKX4+0tpjXxo5qGDWRZMzLxhQh4dN+Nxmpu2uHagWTCQyvlE78hWhUAxU4UUOpj7dOlhyW63cMkE+7EjagTv1j29wvgfrBHR0mepo9dDkAvfA7iTX79IHXxGS2+WHm9oBkjg+nndQ8hzMmveDveo8hw==
Modulus: 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
PublicExponent: 0x010001
Now sadly, you need to edit this and add a line at the beginning and
at the end so it becomes:
@ubuntu: RSA {
# RSA 3168 bits ubuntu Tue Aug 29 12:41:21 2023
# for signatures only, UNSAFE FOR ENCRYPTION
#ckaid=917674ca297398fa38019b368450129750de980d
#pubkey=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
Modulus: 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
PublicExponent: 0x010001
}
Indentation matters. Also, the "@ubuntu" is your ID (e.g. the leftid= value).
Now you can run: ipsec secrets
which should show something like:
root at ubuntu:/home/paul# ipsec secrets
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/test.secrets"
002 loaded private key for keyid: PKK_RSA:AwEAAeHAb
All of this is not needed if you upgrade to libreswan 4.x :P
Paul
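As an added example (not part of Paul's mail or of libreswan itself), the helper below wraps "ipsec rsasigkey" output into the "@id: RSA { ... }" entry described above and then checks that the #pubkey comment really encodes the same Modulus/PublicExponent, so a mismatch from hand-editing is caught before "ipsec secrets" is run. It assumes the 0s pubkey is an RFC 3110 RSA key (exponent length, exponent, modulus) in base64, that the body and closing brace are tab-indented, and that the keyid printed by "ipsec secrets" is the first nine base64 characters; the sample key is a tiny constructed placeholder.

```python
import base64
import re

def rfc3110_encode(e: int, n: int) -> str:
    """Build a libreswan-style '0s' pubkey: RFC 3110 RSA public key
    (exponent length, exponent, modulus), base64 encoded. Assumed format."""
    e_b = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    hdr = bytes([len(e_b)]) if len(e_b) < 256 else b"\x00" + len(e_b).to_bytes(2, "big")
    return "0s" + base64.b64encode(hdr + e_b + n_b).decode()

def rfc3110_decode(pubkey: str) -> tuple:
    """Inverse of rfc3110_encode: returns (e, n) from a '0s...' string."""
    raw = base64.b64decode(pubkey[2:] if pubkey.startswith("0s") else pubkey)
    elen, off = (raw[0], 1) if raw[0] else (int.from_bytes(raw[1:3], "big"), 3)
    return int.from_bytes(raw[off:off + elen], "big"), int.from_bytes(raw[off + elen:], "big")

def wrap_secrets(rsasigkey_output: str, host_id: str) -> str:
    """Wrap 'ipsec rsasigkey' output in the '@id: RSA { ... }' block that
    libreswan 3.x wants in a *.secrets file. Body lines and the closing
    brace get a leading tab (assumed layout; the mail says indentation matters)."""
    body = "\n".join("\t" + ln for ln in rsasigkey_output.strip().splitlines())
    return f"{host_id}: RSA {{\n{body}\n\t}}\n"

def check_secrets(text: str) -> dict:
    """Parse a wrapped entry and verify that #pubkey agrees with the
    Modulus/PublicExponent lines. The keyid is assumed to be the first nine
    base64 characters (the mail shows 'PKK_RSA:AwEAAeHAb' for '0sAwEAAeHAb...')."""
    host_id = re.search(r"^(\S+):\s*RSA\s*\{", text, re.M).group(1)
    pub = re.search(r"#pubkey=(\S+)", text).group(1)
    n = int(re.search(r"Modulus:\s*(0x[0-9a-fA-F]+)", text).group(1), 16)
    e = int(re.search(r"PublicExponent:\s*(0x[0-9a-fA-F]+)", text).group(1), 16)
    return {"id": host_id, "keyid": "PKK_RSA:" + pub[2:11],
            "consistent": rfc3110_decode(pub) == (e, n)}

# Constructed sample in the shape of the quoted rsasigkey output; the modulus
# is a tiny placeholder, NOT a real key, and the ckaid is a placeholder too.
SAMPLE_N = 0xC0FFEE1234567890ABCDEF0123456789
SAMPLE_E = 0x010001
SAMPLE_OUTPUT = f"""# RSA 128 bits constructed-sample
# for signatures only, UNSAFE FOR ENCRYPTION
#ckaid=PLACEHOLDER
#pubkey={rfc3110_encode(SAMPLE_E, SAMPLE_N)}
Modulus: {SAMPLE_N:#x}
PublicExponent: 0x010001
"""

if __name__ == "__main__":
    entry = wrap_secrets(SAMPLE_OUTPUT, "@ubuntu")
    print(entry)
    print(check_secrets(entry))
```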