<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace">Hello Paul,</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">Thanks for assisting.</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">This has resolved the issue!!!</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">Many thanks!!!</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">A few issues though:</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">1. When running this command, I am getting:</div><div class="gmail_default"><div class="gmail_default" style="font-family:monospace,monospace">    root@ip-10-10-10-200:/home/ubuntu# ipsec newhostkey --output /etc/ipsec.secrets</div><div class="gmail_default" style="font-family:monospace,monospace">    /usr/lib/ipsec/newhostkey: WARNING: file "/etc/ipsec.secrets" exists, appending to it</div><div class="gmail_default" style="font-family:monospace,monospace">    Generated RSA key pair with CKAID 7cc12381fa13498b79c2e8216411d62cf6254e62 was stored in the NSS database</div><div style="font-family:monospace,monospace">Although the warning says that the key would be appended, the file is actually completely overwritten. </div><div style="font-family:monospace,monospace"><br></div><div><font face="monospace, monospace">2. 
I created the key by using the command: </font><br><font face="monospace, monospace">    sudo ipsec newhostkey --output /etc/ipsec.secrets</font><span style="font-family:monospace,monospace"> --nssdir /etc/ipsec.d --seeddev /dev/urandom --bits 2192</span></div><div><span style="font-family:monospace,monospace">Still, the keys are not placed in /etc/ipsec.secrets. Only when running the command "</span><span style="font-family:monospace,monospace">ipsec newhostkey --output /etc/ipsec.secrets</span><span style="font-family:monospace,monospace">" are they.</span></div><div><span style="font-family:monospace,monospace"><br></span></div><div><span style="font-family:monospace,monospace">Thanks for all your help.</span></div><div style="font-family:monospace,monospace"><br></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div><br></div><div dir="ltr"><div>Noam Singer<span style="font-size:12.8px"> </span></div><div><br></div><span><font color="#888888"></font></span></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Mon, May 8, 2017 at 6:44 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
(CC:ing Andrew as he has done most of the rewriting around RSA code)<br>
<br>
<br>
On Mon, 8 May 2017, Noam Singer wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Date: Mon, 8 May 2017 11:22:45<span class=""><br>
I am upgrading from LibreSwan 3.16 to 3.19rc3<br>
I am using raw public-keys as in this connection example:<br>
</span></blockquote>
<br><span class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The public keys were taken using:<br>
root@ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --list<br>
< 1> RSA keyid: AQO/rpT0h ckaid: 8163e2fd150ff23c28dd49bfce039cdf7f3637dd<br>
root@ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --rsaid AQO/rpT0h --left<br>
        # rsakey AQO/rpT0h<br>
       leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj<br>
6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0<br>
mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx<br>
<br>
<br>
However, the connection fails with the following errors in auth.log<br>
</blockquote>
<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
642-May  8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature<br>
</blockquote>
<br></span>
I think this is caused by us "needing" to have the RSA information in<br>
/etc/ipsec.secrets even though we are not supposed to need it.<br>
<br>
If you run: ipsec newhostkey --output /etc/ipsec.secrets and then use<br>
the same method to configure the key, does it work?<br>
<br>
I think when the connection is added, the RSA keys are not properly<br>
added unless the ipsec.secrets sauce is there :/<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div>
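<div class="gmail_default" style="font-family:monospace,monospace">Added example, not part of the thread above and not Libreswan's own tooling: a POSIX sh wrapper for the situation Noam describes, where <code>ipsec newhostkey --output /etc/ipsec.secrets</code> warns that it is "appending" but the file ends up overwritten. The wrapper snapshots the secrets file, runs whatever generator command it is given, and then puts back any line (PSK entries, include directives, earlier RSA references) that the generator dropped, restoring mode 0600 afterwards. The function name <code>preserve_secrets</code>, the backup file suffix and the stub generator used for testing are assumptions made for this example; the checking is done against the file's actual contents rather than against the tool's warning text.</div>

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or from Libreswan):
# run a host-key generator against an ipsec.secrets file without silently
# losing the entries that were already there.
#
# Usage: preserve_secrets /etc/ipsec.secrets ipsec newhostkey --output /etc/ipsec.secrets
# The generator command is passed as the remaining arguments so the same
# function can be exercised with a stub that mimics the overwrite behaviour.

preserve_secrets() {
    secrets="$1"; shift
    backup="${secrets}.pre-newhostkey.$$"

    # Snapshot the existing file (if any) before the generator touches it;
    # the snapshot holds secrets, so keep it root-only like the original.
    if [ -f "$secrets" ]; then
        cp -p "$secrets" "$backup" || return 1
    else
        : > "$backup"
    fi
    chmod 600 "$backup"

    # Run the generator exactly as given (e.g. ipsec newhostkey --output "$secrets").
    "$@" || { rm -f "$backup"; return 1; }

    # Every non-empty line of ipsec.secrets is significant (": RSA ..." lines,
    # "@id : PSK ..." entries, include directives), so compare line by line
    # and append whatever the generator removed.
    restored=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if ! grep -qxF -- "$line" "$secrets"; then
            printf '%s\n' "$line" >> "$secrets"
            restored=$((restored + 1))
        fi
    done < "$backup"

    rm -f "$backup"
    chmod 600 "$secrets"    # secrets must stay readable by root only
    echo "$restored"        # number of lines put back, for the caller to check
    return 0
}

# Stand-alone use: first argument is the secrets file, the rest is the generator.
if [ "$#" -gt 1 ]; then
    preserve_secrets "$@"
fi
```

<div class="gmail_default" style="font-family:monospace,monospace">The count it prints is the number of lines that had to be restored; a non-zero value after a run that claimed to be "appending" is the signal that the tool truncated the file. Because only whole lines are compared, the wrapper does not try to understand the secrets syntax itself, which keeps it safe to run on files that also contain PSK or XAUTH entries.</div>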