<div dir="ltr">Hi, <div><br></div><div>I am trying to set up a host-to-host VPN and I get the following message - </div><div> private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: can't find the private key matching the NSS CKAID<br></div><div><br></div><div><br></div><div>Here are the steps that I have followed - </div><div><br></div><div>Host1 - aqua6; test IP - 102.1.1.89</div><div>Host2 - aqua4; test IP - 102.1.1.85</div><div><br></div><div>On Host1 - </div><div>-----------------------------------------------<br></div><div><pre style="white-space:pre-wrap;color:rgb(0,0,0)">[root@aqua6 42345]# rm -f /etc/ipsec.d/*db<br></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)">[root@aqua6 42345]# /usr/sbin/ipsec initnss --nssdir /etc/ipsec.d<br>Initializing NSS database<br><br>[root@aqua6 42345]# /usr/sbin/ipsec newhostkey<br>Generated RSA key pair with CKAID a4febfa93fb67078efe3ba5679ccae8adf61c568 was stored in the NSS database<br>The public key can be displayed using: ipsec showhostkey --left --ckaid a4febfa93fb67078efe3ba5679ccae8adf61c568<br>[root@aqua6 42345]# /usr/sbin/ipsec showhostkey --list<br>< 1> RSA keyid: AwEAAb4j/ ckaid: a4febfa93fb67078efe3ba5679ccae8adf61c568<br>[root@aqua6 42345]# /usr/sbin/ipsec showhostkey --left --ckaid a4febfa93fb67078efe3ba5679ccae8adf61c568<br>        # rsakey AwEAAb4j/<br>        leftrsasigkey=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<br></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><br></pre></div><div>On Host2 - </div><div>-----------------------------------------------<br></div><div>[root@aqua4 etc]# rm -f /etc/ipsec.d/*db<br>[root@aqua4 etc]# /usr/sbin/ipsec initnss --nssdir /etc/ipsec.d<br>Initializing NSS database<br><br>[root@aqua4 etc]# /usr/sbin/ipsec showhostkey --list<br>[root@aqua4 etc]#  /usr/sbin/ipsec newhostkey<br>Generated RSA key pair with CKAID 21075ce1a098cfcf82859e1b91e26f530c192bbe was stored in the NSS database<br>The public key can be displayed using: 
ipsec showhostkey --left --ckaid 21075ce1a098cfcf82859e1b91e26f530c192bbe<br>[root@aqua4 etc]# /usr/sbin/ipsec showhostkey --list<br>< 1> RSA keyid: AwEAAbhUg ckaid: 21075ce1a098cfcf82859e1b91e26f530c192bbe<br>[root@aqua4 etc]# /usr/sbin/ipsec showhostkey --right --ckaid 21075ce1a098cfcf82859e1b91e26f530c192bbe<br>        # rsakey AwEAAbhUg<br>        rightrsasigkey=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<br><br></div><div><br></div><div>ipsec.conf on Host1 </div><div>-----------------------------------------------<br></div><div>[root@aqua6 ~]# cat /etc/ipsec.conf<br>config setup<br>    plutodebug=private<br>    plutostderrlog=/var/log/openswan.log<br><br><br>conn mytunnel<br>    leftid=@<a href="http://aqua6.blr.asicdesigners.com">aqua6.blr.asicdesigners.com</a><br>    left=102.1.1.85<br>    leftrsasigkey=0sAwEAAb4j/v2QI06S0rOX7g9k8bIkCp1yWIlGXZyRxp+WYAQcKb8sLaRRkeovlLv7lVadk4P00iwp77O7VYDRdFlWbs75eun3H/ewZHNZw9fHz84wNX/JF49UyKDWCnNuWrEGchVsDHmN2RNbsk4AkJFTd/nIxTHx6hElJmSTET24hac3vyQizwxkwg6JSLke0y1JJpfOP7OszYbjai/HvbUQNv0V6tiEReUAIDltSM1m1UfCAF812vw+ccQdttdzYaU9rQrrHGuwTMdBpOWWpCkDJOuSK5R0oKCAXyaBrvsaFuyJFTE0aclZ4HhXZY2lTdrQY9H0aRQX9LFka5xnJGajvdxzjqlLCV9Yi4TeiqUpnrP2NbGQkoy2nKTI9qUvFt7slnwk0lUG/DGzHRHwIsZYU+4olxLc5ECGPX2mAj8HY0NUU0wvz6NHt80HbA2DLDqGiVFQlR8yzPz0F0ga9DC0lpTjqgbUt4SXKwhvkQedgLJ5xP2V+Z7R/er8xVOjOibVSnBvJCQdXe3i/bpLwtIAGWz+3sidMgofTQLN6jqG8PRrAB8=<br>   rightid=@<a href="http://aqua4.blr.asicdesigners.com">aqua4.blr.asicdesigners.com</a><br>    right=102.1.1.89<br>    
rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiVQUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnzgCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMndamPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gChpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6sVvepFRNGEPh<br>    rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe<br><br>    authby=rsasig<br>    phase2alg=aes_gcm128<br>    type=transport<br>    auto=add<br></div><div><br></div><div>ipsec.conf on Host2</div><div>-----------------------------------------------</div><div>[root@aqua4 ~]# cat /etc/ipsec.conf<br></div>config setup<br>    plutodebug=private<br>    plutostderrlog=/var/log/openswan.log<br><br><br>conn mytunnel<br>    leftid=@<a href="http://aqua6.blr.asicdesigners.com">aqua6.blr.asicdesigners.com</a><br>    left=102.1.1.85<br>    leftrsasigkey=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<br>    rightid=@<a href="http://aqua4.blr.asicdesigners.com">aqua4.blr.asicdesigners.com</a><br>    right=102.1.1.89<br>    rightrsasigkey=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<br>    authby=rsasig<br>    phase2alg=aes_gcm128<br>    type=transport<br>    auto=add<br><div> </div><div><br></div><div>Setting up the tunnel on Host1 and Host2</div><div>-----------------------------------------------</div><div>[root@aqua6 ~]# systemctl stop ipsec<br></div><div>[root@aqua6 ~]# systemctl start ipsec<br></div><div>[root@aqua6 42345]# /usr/sbin/ipsec setup start<br>Redirecting to: systemctl start ipsec.service<br>[root@aqua6 42345]# /usr/sbin/ipsec auto --add mytunnel<br>002 "mytunnel": terminating SAs using this connection<br>002 "mytunnel": added IKEv2 
connection<br></div><div><br></div><div>[root@aqua4 etc]# systemctl stop ipsec<br>[root@aqua4 etc]# systemctl start ipsec<br>[root@aqua4 etc]# /usr/sbin/ipsec auto --add mytunnel<br>002 "mytunnel": terminating SAs using this connection<br>002 "mytunnel": added IKEv2 connection<br>[root@aqua4 etc]# /usr/sbin/ipsec auto --up mytunnel<br>181 "mytunnel" #1: initiating IKEv2 connection<br>181 "mytunnel" #1: sent IKE_SA_INIT request<br>003 "mytunnel" #1: private key matching CKAID 'a4febfa93fb67078efe3ba5679ccae8adf61c568' not found: can't find the private key matching the NSS CKAID<br>036 "mytunnel" #1: encountered fatal error in state STATE_V2_PARENT_I1<br>002 "mytunnel" #1: deleting state (STATE_V2_PARENT_I1) aged 0.006793s and NOT sending notification<br>002 "mytunnel" #1: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS<br></div><div><br></div><div>[root@aqua4 ~]# ipsec version<br>Linux Libreswan 4.5 (XFRM) on 4.18.0-372.9.1.el8.x86_64<br></div><div><br></div><div>[root@aqua6 ~]# ipsec version<br>Linux Libreswan 4.5 (XFRM) on 4.18.0-372.9.1.el8.x86_64<br><br></div></div>
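<div>Added here as a worked example; it is not part of the post above and not Libreswan's own tooling. Pluto decides which side of a conn is the local host by matching the local address against <code>left=</code>/<code>right=</code>, and then needs the private key belonging to that side's <code>rsasigkey</code>. The posted conn gives <code>left=102.1.1.85</code> together with aqua6's key, while the post's own host table puts aqua6 at 102.1.1.89; run on aqua4 (102.1.1.85) the checker below therefore reports aqua4 as <code>left</code> with no matching local key, which is consistent with the 'private key matching CKAID ... not found' line in the post. The inputs are constructed: a shortened copy of the posted conn (public keys cut after a few characters), the same conn with the two addresses swapped (an assumed fix), and one line modelled on the post's <code>ipsec showhostkey --list</code> output. The check relies on the 9-character <code>keyid:</code> being the start of the base64 public key, as the post's own output shows. Function names such as <code>check_conn</code> are this example's own.</div>

```shell
#!/bin/sh
# Added example (not from the post): orientation/key consistency check for a
# Libreswan host-to-host conn, written in POSIX sh. All inputs below are
# constructed; on a real host substitute the live conn block, the output of
# `ipsec showhostkey --list`, and the host's own address.

conn_side_for_ip() {  # $1 = conn text, $2 = local ip -> prints left|right|none
  left=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*left=\([^[:space:]]*\).*/\1/p')
  right=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*right=\([^[:space:]]*\).*/\1/p')
  if [ "$left" = "$2" ]; then echo left
  elif [ "$right" = "$2" ]; then echo right
  else echo none
  fi
}

side_pubkey() {  # $1 = conn text, $2 = left|right -> base64 rsasigkey without the "0s" prefix
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*${2}rsasigkey=0s\([^[:space:]]*\).*/\1/p"
}

local_key_present() {  # $1 = `ipsec showhostkey --list` output, $2 = base64 pubkey -> 0 if a local keyid prefixes it
  for keyid in $(printf '%s\n' "$1" | sed -n 's/.*keyid: \([^ ]*\) .*/\1/p'); do
    case "$2" in "$keyid"*) return 0 ;; esac
  done
  return 1
}

check_conn() {  # $1 = conn text, $2 = showhostkey output, $3 = local ip -> verdict on stdout; 0 = consistent
  side=$(conn_side_for_ip "$1" "$3")
  if [ "$side" = none ]; then
    echo "ERROR: $3 is neither left= nor right=; pluto cannot orient this conn"
    return 1
  fi
  pub=$(side_pubkey "$1" "$side")
  if local_key_present "$2" "$pub"; then
    echo "OK: this host is '$side' and the NSS database holds the matching key"
    return 0
  fi
  echo "ERROR: this host is '$side' but no local keyid is a prefix of ${side}rsasigkey;" \
       "expect 'private key matching CKAID ... not found'"
  return 1
}

# Constructed sample: the posted left/right assignment, keys shortened to a few
# characters beyond the 9-char keyid prefix (AwEAAb4j/ = aqua6, AwEAAbhUg = aqua4).
CONN_AS_POSTED='conn mytunnel
    leftid=@aqua6.blr.asicdesigners.com
    left=102.1.1.85
    leftrsasigkey=0sAwEAAb4j/v2QI06S0rOX7g9k8bIkCp1y
    rightid=@aqua4.blr.asicdesigners.com
    right=102.1.1.89
    rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7d
    authby=rsasig
    type=transport
    auto=add'

# Assumed fix: swap the addresses so left (aqua6) is 102.1.1.89 and right (aqua4) is 102.1.1.85,
# matching the host table given in the post.
CONN_FIXED=$(printf '%s\n' "$CONN_AS_POSTED" \
  | sed -e 's/^\([[:space:]]*left=\).*/\1102.1.1.89/' -e 's/^\([[:space:]]*right=\).*/\1102.1.1.85/')

# Constructed to match the post's `ipsec showhostkey --list` output on aqua4.
AQUA4_HOSTKEYS='< 1> RSA keyid: AwEAAbhUg ckaid: 21075ce1a098cfcf82859e1b91e26f530c192bbe'

echo "--- conn as posted, checked on aqua4 (102.1.1.85) ---"
check_conn "$CONN_AS_POSTED" "$AQUA4_HOSTKEYS" 102.1.1.85 || true
echo "--- conn with left/right addresses swapped, checked on aqua4 ---"
check_conn "$CONN_FIXED" "$AQUA4_HOSTKEYS" 102.1.1.85 || true
```

<div>On a live host the same function runs as <code>check_conn "$(cat /etc/ipsec.conf)" "$(ipsec showhostkey --list)" &lt;local-ip&gt;</code>; running it on both peers before <code>ipsec auto --up</code> catches a conn whose <code>left=</code>/<code>right=</code> addresses do not line up with the keys the two NSS databases actually hold.</div>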