[Swan] Solution: Re: Failure to find our RSA key

Paul Wouters paul at nohats.ca
Tue Aug 29 19:54:04 EEST 2023


On Mon, 28 Aug 2023, William Atwood wrote:

> Subject: Re: [Swan] Failure to find our RSA key

> Simple process description:
> 1) two hosts running Ubuntu 20.04.6 LTS (Cherry and Lampson)
> 2) On each machine:
>    sudo apt install libreswan
>    sudo ipsec initnss --nssdir /var/lib/ipsec/nss
>    sudo ipsec newhostkey
>    use sudo ipsec showhostkey to give me the two keys
>    build and install LACH.conf in /etc/ipsec.d/ on each machine

The problem is that this comes with libreswan 3.29 which still needs
"secrets" entries for RSA keys in ipsec.secrets or its include files.
But the "ipsec newhostkey" that comes with it mistakenly does not generate
this.  Instead, do:

sudo apt install libreswan
sudo ipsec initnss
sudo su
      ipsec rsasigkey > /etc/ipsec.d/connname.secrets

The contents will look like this:

         # RSA 3168 bits   ubuntu   Tue Aug 29 12:41:21 2023
         # for signatures only, UNSAFE FOR ENCRYPTION
         #ckaid=917674ca297398fa38019b368450129750de980d
         #pubkey=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
         Modulus: 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
         PublicExponent: 0x010001


Now sadly, you need to edit this and add a line at the beginning and the
end so it becomes:

@ubuntu: RSA {
         # RSA 3168 bits   ubuntu   Tue Aug 29 12:41:21 2023
         # for signatures only, UNSAFE FOR ENCRYPTION
         #ckaid=917674ca297398fa38019b368450129750de980d
         #pubkey=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
         Modulus: 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
         PublicExponent: 0x010001
         }

Indentation matters. Also, the "@ubuntu" is your ID (e.g. the leftid= value).

Now you can run: ipsec secrets
which should show something like:

root at ubuntu:/home/paul# ipsec secrets
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/test.secrets"
002 loaded private key for keyid: PKK_RSA:AwEAAeHAb



All of this is not needed if you upgrade to libreswan 4.x :P

Paul
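A small script that automates the hand-editing step in the reply above, added here as an example and not part of Paul's message or of libreswan's own tooling: it reads raw `ipsec rsasigkey` output on stdin, refuses to wrap anything that lacks a `Modulus:` and `PublicExponent:` line (so a failed key generation never ends up as a bogus secrets record), and emits the `<id>: RSA { ... }` record with the tab indentation the reply shows. The ID argument (`@ubuntu`), the output path `/etc/ipsec.d/connname.secrets` and the sample input used for checking, which carries a placeholder modulus, are all constructed for this example.

```shell
#!/bin/sh
# wrap_rsasigkey: turn raw "ipsec rsasigkey" output into the "<id>: RSA { ... }"
# record that libreswan 3.x expects in ipsec.secrets or an ipsec.d/*.secrets file.
# Added example, not libreswan's own tooling.  Usage:
#   ipsec rsasigkey | sh wrap.sh '@ubuntu' /etc/ipsec.d/connname.secrets
# or, with the function sourced:
#   ipsec rsasigkey | wrap_rsasigkey '@ubuntu' > /etc/ipsec.d/connname.secrets
wrap_rsasigkey() {
    id=$1
    if [ -z "$id" ]; then
        echo "wrap_rsasigkey: need an ID (the leftid= value, e.g. @ubuntu)" >&2
        return 1
    fi
    input=$(cat)
    # Sanity check: a rsasigkey dump always carries these two fields.  Anything
    # else (an error message from a failed "ipsec rsasigkey", an empty file) is
    # rejected rather than wrapped into a record pluto would choke on.
    for field in Modulus PublicExponent; do
        if ! printf '%s\n' "$input" | grep -q "^[[:space:]]*$field: 0x"; then
            echo "wrap_rsasigkey: no '$field:' line in input, refusing to wrap" >&2
            return 1
        fi
    done
    printf '%s: RSA {\n' "$id"
    # Drop blank lines and re-indent every remaining line with one tab, matching
    # the hand-edited file in the reply; the closing brace is indented as well.
    printf '%s\n' "$input" | awk 'NF { sub(/^[ \t]+/, ""); print "\t" $0 }'
    printf '\t}\n'
}

# Script mode: wrap stdin for the ID in $1.  With a second argument, write the
# record to that file under umask 077, since it holds private key material and
# should not be readable by anyone but root.
if [ "$#" -ge 2 ]; then
    umask 077
    wrap_rsasigkey "$1" > "$2"
elif [ "$#" -eq 1 ]; then
    wrap_rsasigkey "$1"
fi
```

After writing the file, `ipsec secrets` should report a "loaded private key for keyid" line for it, as in the transcript above; if it does not, check that the ID on the first line matches the connection's leftid= (or rightid=) value exactly.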

