<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace">Hello</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">I am upgrading from LibreSwan 3.16 to 3.19rc3</div><div class="gmail_default" style="font-family:monospace,monospace">I am using raw public-keys as in this connection example:</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default"><div class="gmail_default" style="font-family:monospace,monospace">root@ip-10-10-10-200:/home/ubuntu# cat /etc/ipsec.d/connST1478.conf</div><div class="gmail_default" style="font-family:monospace,monospace">conn connST1478</div><div class="gmail_default" style="font-family:monospace,monospace">    authby=rsasig<br></div><div class="gmail_default" style="font-family:monospace,monospace">    auto=start</div><div class="gmail_default" style="font-family:monospace,monospace">    dpdaction=restart</div><div class="gmail_default" style="font-family:monospace,monospace">    dpddelay=30</div><div class="gmail_default" style="font-family:monospace,monospace">    dpdtimeout=120</div><div class="gmail_default" style="font-family:monospace,monospace">    forceencaps=yes</div><div class="gmail_default" style="font-family:monospace,monospace">    ike=aes128-sha1</div><div class="gmail_default" style="font-family:monospace,monospace">    ikelifetime=86400s</div><div class="gmail_default" style="font-family:monospace,monospace">    keyingtries=3</div><div class="gmail_default" style="font-family:monospace,monospace">    left=%defaultroute</div><div class="gmail_default" style="font-family:monospace,monospace">    leftid=@<a href="http://54.154.233.194">54.154.233.194</a></div><div class="gmail_default" style="font-family:monospace,monospace">    
leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx</div><div class="gmail_default" style="font-family:monospace,monospace">    leftsubnets=<a href="http://10.10.10.0/24,10.254.128.0/24">10.10.10.0/24,10.254.128.0/24</a></div><div class="gmail_default" style="font-family:monospace,monospace">    leftupdown=/usr/fortycloud/libreSwanUpDown.sh</div><div class="gmail_default" style="font-family:monospace,monospace">    pfs=no</div><div class="gmail_default" style="font-family:monospace,monospace">    phase2alg=aes128-sha1</div><div class="gmail_default" style="font-family:monospace,monospace">    right=54.93.249.115</div><div class="gmail_default" style="font-family:monospace,monospace">    rightid=@<a href="http://54.93.249.115">54.93.249.115</a></div><div class="gmail_default" style="font-family:monospace,monospace">    rightrsasigkey=0sAQPM4jM4mrMBNHW8IlCYaZPaiPgXcZIp51xecQINFL18t69I1HBRnw1D9ckjQ9I/NLD4+SvuFBCsljpdiv7az0W6T6IoJ4geGW19pdUuaMtFJKNdPvYcASREeC1BDcXvgYLUP2RYNOA+c4gbRRjVGpEQJcO+yw+8LrTWi5SV5YvybVnwRXWYt4aTa853u1OSTDb3I2YfxHM47sBZTtoBJepIMaYL1z7BSqfRyheMstlUlQnrOM352DTGf1GD1BZffZFJIxjvZ+dE4ZDLVCou5q6YnhAosFLDfJHH9KPCOi0VlFKDX8xItF4tqprHgQT87CnHwWcshpnLWgUQEGxlT58m98rEZ/FOfUIJCfMm0/449gjL</div><div class="gmail_default" style="font-family:monospace,monospace">    rightsubnets=<a href="http://10.254.129.0/24,172.31.0.0/20">10.254.129.0/24,172.31.0.0/20</a></div><div class="gmail_default" style="font-family:monospace,monospace">    salifetime=28800s</div><div class="gmail_default" style="font-family:monospace,monospace">    type=tunnel</div><div style="font-family:monospace,monospace"><br></div><div 
style="font-family:monospace,monospace"><br></div><div style="font-family:monospace,monospace"><br></div><div style="font-family:monospace,monospace">The public keys were taken using:</div><div><div><font face="monospace, monospace">root@ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --list</font></div><div><font face="monospace, monospace">< 1> RSA keyid: AQO/rpT0h ckaid: 8163e2fd150ff23c28dd49bfce039cdf7f3637dd</font></div><div><font face="monospace, monospace">root@ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --rsaid AQO/rpT0h --left</font></div><div><font face="monospace, monospace">        # rsakey AQO/rpT0h</font></div><div><font face="monospace, monospace">        leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx</font></div></div><div style="font-family:monospace,monospace"><br></div><div style="font-family:monospace,monospace"><br></div><div style="font-family:monospace,monospace">However, the connection fails with the following errors in auth.log</div><div style="font-family:monospace,monospace">...</div><div style="font-family:monospace,monospace"><div>637-May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #179: starting keying attempt 2 of at most 3</div><div>638-May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: initiating Main Mode to replace #179</div><div>639:May  8 13:50:20 ip-10-10-10-200 pluto[12649]: deleting other state #179 (STATE_MAIN_I2) "connST1478/2x2"</div><div>640:May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</div><div>641:May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: 
STATE_MAIN_I2: sent MI2, expecting MR2</div><div>642-May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature</div><div>643-May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to <a href="http://54.93.249.115:500">54.93.249.115:500</a></div><div>644-May  8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature</div><div>645-May  8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to <a href="http://54.93.249.115:500">54.93.249.115:500</a></div><div>646-May  8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature</div><div>647-May  8 13:50:21 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to <a href="http://54.93.249.115:500">54.93.249.115:500</a></div><div>648-May  8 13:50:22 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature</div><div>649-May  8 13:50:22 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: sending notification AUTHENTICATION_FAILED to <a href="http://54.93.249.115:500">54.93.249.115:500</a></div><div><br></div><div>This has worked with the old NSS in 3.16, but fails with 3.19rc3</div><div><br></div><div>Is there anything I need to change in the configuration files or in my process?</div><div><br></div><div>Thanks in advance</div></div><div style="font-family:monospace,monospace"><br></div></div><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Noam Singer<span style="font-size:12.8px"> </span></div><div><br></div><span><font color="#888888"></font></span></div></div></div></div></div></div></div></div></div></div></div>
</div>
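<div>Added example, not part of the original message and not Libreswan code: a Python sketch of the comparison done by hand above, decoding each <code>0s</code> (base64, RFC 3110 layout) <code>rsasigkey</code> of a conn and checking which end has a key ID in the <code>ipsec showhostkey --list</code> output. It assumes the key ID is the first nine base64 characters of the key, as the output quoted above shows for <code>AQO/rpT0h</code>; the function names and the sample conn and key list are constructed for illustration.</div>

```python
import base64
import re

def parse_rsasigkey(value):
    """Decode a '0s' (base64) RFC 3110 RSA public key as used by *rsasigkey=."""
    if not value.startswith("0s"):
        raise ValueError("expected a base64 key with the 0s prefix")
    b64 = value[2:]
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    if len(blob) < 3:
        raise ValueError("RSA key blob too short")
    # RFC 3110: one exponent-length octet, or 0x00 followed by a two-octet length.
    if blob[0]:
        elen, off = blob[0], 1
    else:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    exponent, modulus = blob[off:off + elen], blob[off + elen:]
    if elen == 0 or len(exponent) < elen or not modulus:
        raise ValueError("truncated RSA key blob")
    return {
        "keyid": b64[:9],  # assumption: key ID = first nine base64 characters
        "exponent": int.from_bytes(exponent, "big"),
        "modulus_bits": int.from_bytes(modulus, "big").bit_length(),
    }

def conn_keys(conf_text):
    """Map 'left'/'right' to the parsed rsasigkey found in a conn section."""
    found = re.findall(r"^\s*(left|right)rsasigkey\s*=\s*(\S+)", conf_text, re.M)
    return {side: parse_rsasigkey(value) for side, value in found}

def host_keyids(list_output):
    """Key IDs reported by `ipsec showhostkey --list`."""
    return set(re.findall(r"RSA keyid:\s*(\S+)", list_output))

def local_sides(conf_text, list_output):
    """Ends of the conn whose public key has an entry in the host key list."""
    have = host_keyids(list_output)
    return sorted(s for s, k in conn_keys(conf_text).items() if k["keyid"] in have)

# Constructed sample input (not the keys from the message above).
def _sample_key(first_byte):
    blob = b"\x01\x03" + bytes([first_byte]) + bytes(255)  # e=3, 2048-bit modulus
    return "0s" + base64.b64encode(blob).decode()

SAMPLE_CONF = "conn demo\n    leftrsasigkey=%s\n    rightrsasigkey=%s\n" % (
    _sample_key(0xBF), _sample_key(0xCC))
SAMPLE_LIST = "< 1> RSA keyid: AQO/AAAAA ckaid: " + "0" * 40 + "\n"

if __name__ == "__main__":
    print(conn_keys(SAMPLE_CONF), local_sides(SAMPLE_CONF, SAMPLE_LIST))
```

<div>An empty result from <code>local_sides</code> means neither end's public key is listed for this host; a non-empty result only shows that the configured key and the listed key agree.</div>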