<div dir="ltr">Hi Andrew, <div><br></div><div>I tried the following and it seemed to work. I had messed up the IPs, apparently:</div><div><br></div><div><pre class="gmail-bz_comment_text" id="gmail-comment_text_2" style="font-size:medium;white-space:pre-wrap;width:50em;color:rgb(0,0,0)">ipsec.conf on Host1 
-----------------------------------------------
[root@aqua6 ~]# cat /etc/ipsec.conf
config setup
    plutodebug=private
    plutostderrlog=/var/log/openswan.log


conn mytunnel
    leftid=@aqua6.blr.asicdesigners.com
    left=102.1.1.89
    leftrsasigkey=0sAwEAAb4j/v2QI06S0rOX7g9k8bIkCp1yWIlGXZyRxp+WYAQcKb8sLaRRkeovlLv7lVadk4P00iwp77O7VYDRdFlWbs75eun3H/ewZHNZw9fHz84wNX/JF49UyKDWCnNuWrEGchVsDHmN2RNbsk4AkJFTd/nIxTHx6hElJmSTET24hac3vyQizwxkwg6JSLke0y1JJpfOP7OszYbjai/HvbUQNv0V6tiEReUAIDltSM1m1UfCAF812vw+ccQdttdzYaU9rQrrHGuwTMdBpOWWpCkDJOuSK5R0oKCAXyaBrvsaFuyJFTE0aclZ4HhXZY2lTdrQY9H0aRQX9LFka5xnJGajvdxzjqlLCV9Yi4TeiqUpnrP2NbGQkoy2nKTI9qUvFt7slnwk0lUG/DGzHRHwIsZYU+4olxLc5ECGPX2mAj8HY0NUU0wvz6NHt80HbA2DLDqGiVFQlR8yzPz0F0ga9DC0lpTjqgbUt4SXKwhvkQedgLJ5xP2V+Z7R/er8xVOjOibVSnBvJCQdXe3i/bpLwtIAGWz+3sidMgofTQLN6jqG8PRrAB8=
        
    rightid=@aqua4.blr.asicdesigners.com
    right=102.1.1.85
    rightrsasigkey=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
    
    authby=rsasig
    phase2alg=aes_gcm128
    type=transport
    auto=add

ipsec.conf on Host2
-----------------------------------------------
[root@aqua4 ~]# cat /etc/ipsec.conf
config setup
    plutodebug=private
    plutostderrlog=/var/log/openswan.log


conn mytunnel
    leftid=@aqua6.blr.asicdesigners.com
    left=102.1.1.89
    leftrsasigkey=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
        
    rightid=@aqua4.blr.asicdesigners.com
    right=102.1.1.85
    rightrsasigkey=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
    authby=rsasig
    phase2alg=aes_gcm128
    type=transport
    auto=add</pre><pre class="gmail-bz_comment_text" id="gmail-comment_text_2" style="font-size:medium;white-space:pre-wrap;width:50em;color:rgb(0,0,0)"><br></pre><pre class="gmail-bz_comment_text" id="gmail-comment_text_2" style="font-size:medium;white-space:pre-wrap;width:50em;color:rgb(0,0,0)">Thanks for all the help. </pre><pre class="gmail-bz_comment_text" id="gmail-comment_text_2" style="font-size:medium;white-space:pre-wrap;width:50em;color:rgb(0,0,0)"><br></pre><pre class="gmail-bz_comment_text" id="gmail-comment_text_2" style="font-size:medium;white-space:pre-wrap;width:50em;color:rgb(0,0,0)">Thanks, </pre><pre class="gmail-bz_comment_text" id="gmail-comment_text_2" style="font-size:medium;white-space:pre-wrap;width:50em;color:rgb(0,0,0)">Sony Arpita </pre></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 2 Sept 2022 at 02:05, Andrew Cagney <<a href="mailto:andrew.cagney@gmail.com">andrew.cagney@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu, 1 Sept 2022 at 12:34, Andrew Cagney <<a href="mailto:andrew.cagney@gmail.com" target="_blank">andrew.cagney@gmail.com</a>> wrote:<br>
><br>
> > Thanks,<br>
> > Sony<br>
> ><br>
> > On Tue, Aug 30, 2022 at 9:44 PM Paul Wouters <<a href="mailto:paul.wouters@aiven.io" target="_blank">paul.wouters@aiven.io</a>> wrote:<br>
> >><br>
> >> On Tue, 30 Aug 2022, Sony Arpita Das wrote:<br>
> >><br>
> >> > I am trying to set up a host-to-host VPN and I get the following message -<br>
> >> >  private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: can't find the<br>
> >> > private key matching the NSS CKAID<br>
> >><br>
> >> Can you try:<br>
> >><br>
> >> certutil -K -d sql:/etc/ipsec.d<br>
> >> certutil -K -d sql:/var/lib/ipsec/nss/ipsec.d<br>
> >><br>
> >> Just to confirm that you are using the nssdb you think you are using?<br>
> >><br>
> >> >    rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiV<br>
> >> > QUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4<br>
> >> > qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnz<br>
> >> > gCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMnda<br>
> >> > mPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gC<br>
> >> > hpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6<br>
> >> > sVvepFRNGEPh<br>
> >> >     rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe<br>
> >><br>
> >> Note that ckaid is only a LOCAL identifier, so be sure to only use it as<br>
> >> such. The rsasigkey= can be used as LOCAL and REMOTE identifier. Maybe<br>
> >> instead of rightckaid=, use<br>
><br>
> The CKAID can be used by both ends.  For instance, here's the ipsec.conf<br>
> file used by the test I cited:<br>
<br>
Sorry, I'm wrong; it's rsasigkey that should be used on both ends (or<br>
in 4.7, pubkey).  Here's a better-indented version of the shared<br>
ipsec.conf:<br>
<br>
+config setup<br>
+       # put the logs in /tmp for the UMLs, so that we can operate<br>
+       # without syslogd, which seems to break on UMLs<br>
+       logfile=/tmp/pluto.log<br>
+       logtime=no<br>
+       logappend=no<br>
+       dumpdir=/tmp<br>
+       plutodebug=all<br>
+conn hostkey<br>
+       left=192.1.2.45<br>
+       leftsubnet=192.0.1.0/24<br>
+       right=192.1.2.23<br>
+       rightsubnet=192.0.2.0/24<br>
+       authby=rsa-sha2<br>
+       # rsakey <<KEYID#1>><br>
+       rightrsasigkey=0s<<RAW-PUBKEY#1>><br>
+       # rsakey <<KEYID#2>><br>
+       leftrsasigkey=0s<<RAW-PUBKEY#2>><br>
<br>
where the entries {left,right}rsasigkey= were generated using:<br>
<br>
$ ipsec showhostkey --left --ckaid ...<br>
$ ipsec showhostkey --right --ckaid ...<br>
<br>
on the respective hosts.<br>
<br>
> config setup<br>
> # put the logs in /tmp for the UMLs, so that we can operate<br>
> # without syslogd, which seems to break on UMLs<br>
> logfile=/tmp/pluto.log<br>
> logtime=no<br>
> logappend=no<br>
> dumpdir=/tmp<br>
> plutodebug=all<br>
><br>
> conn hostkey<br>
> left=192.1.2.45<br>
> leftsubnet=192.0.1.0/24<br>
> right=192.1.2.23<br>
> rightsubnet=192.0.2.0/24<br>
> authby=ecdsa<br>
> # ecdsakey iZwlCr0T9<br>
> rightecdsakey=0skEyuBiXyVoB/d7+Hk7SuoM2o7SwZG6vizTFnzsgbNw+WBg2Q2NV44QKmcI8daIFbnehhVedxKi0hBQwR9EIHMw==<br>
> # ecdsakey wAOi3uXfB<br>
> leftecdsakey=0sGL/PzKgowpZR77YtQnB5bzFN/tG9+BuUNgAdBVFVsR2qQ2NoxZoA1Y5CjpN3PJvearEaFYif6NrEnoGpC47E1Q==<br>
</blockquote></div>
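A small checker for the two-host setup discussed in this thread, added here as an example; it is not code from any of the thread's participants or from the Libreswan project. It decodes the `0s...` raw RSA public key values that `ipsec showhostkey --left` / `--right` emit (the RFC 3110 layout: exponent length, exponent, modulus, base64-encoded) and compares the conn section of both hosts' ipsec.conf, flagging the two mistakes discussed above: left/right addresses, ids or keys that do not agree between the two hosts, and a `leftckaid=`/`rightckaid=` used to name the peer, where only the local host's NSS database can be searched by CKAID. The sample configs, the two test keys, the function names and the 2048-bit minimum are constructed for the example and are not from the page.

```python
"""Checker for a two-host Libreswan/Openswan ipsec.conf pair.

Added example, not code from this thread or from the Libreswan project.
Assumed: one conn section per host, and the 0s... key values use the
RFC 3110 layout (exponent length, exponent, modulus) in base64."""
import base64


def parse_rsasigkey(value):
    """Decode a {left,right}rsasigkey= value and return (exponent, modulus_bits)."""
    if not value.startswith("0s"):
        raise ValueError("expected the 0s (base64) prefix")
    blob = base64.b64decode(value[2:], validate=True)
    # RFC 3110: one length byte for the exponent; 0 means a 2-byte length follows.
    if blob[0] != 0:
        elen, off = blob[0], 1
    else:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    exponent = int.from_bytes(blob[off:off + elen], "big")
    modulus = blob[off + elen:]
    if not modulus:
        raise ValueError("no modulus after the exponent")
    return exponent, int.from_bytes(modulus, "big").bit_length()


def parse_conn(text, name):
    """Return the settings of one conn section as a dict (comments stripped)."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # an unindented line starts a new section
            inside = line.strip() == f"conn {name}"
            continue
        if inside and "=" in line:
            key, val = line.strip().split("=", 1)
            settings[key.strip()] = val.strip()
    return settings


def check_pair(conf_a, conf_b, name, min_bits=2048):
    """Compare conn `name` as seen from host A and host B.

    Both hosts must state the same left*/right* addresses, ids and public
    keys (the mix-up fixed in the thread). A ckaid= only names a key in the
    local NSS database, so it cannot identify the remote peer."""
    a, b = parse_conn(conf_a, name), parse_conn(conf_b, name)
    problems = []
    for key in ("left", "right", "leftid", "rightid",
                "leftrsasigkey", "rightrsasigkey"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs between hosts")
    for host, conf in (("A", a), ("B", b)):
        for side in ("left", "right"):
            if f"{side}ckaid" in conf:
                problems.append(f"host {host}: {side}ckaid is local-only; "
                                f"use {side}rsasigkey= for the peer")
            if f"{side}rsasigkey" in conf:
                try:
                    _, bits = parse_rsasigkey(conf[f"{side}rsasigkey"])
                    if bits < min_bits:
                        problems.append(f"host {host}: {side}rsasigkey is {bits} bits")
                except ValueError as exc:
                    problems.append(f"host {host}: {side}rsasigkey unparsable ({exc})")
    return problems


def fake_key(seed):
    """Constructed 2048-bit test key (e=65537, patterned modulus); not a real key."""
    modulus = bytes([0xC0 | seed]) + bytes((i * seed) & 0xFF for i in range(255))
    return "0s" + base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()


KEY_A, KEY_B = fake_key(1), fake_key(2)

# Constructed sample: the working layout from the thread, with the test keys.
HOST1 = f"""config setup
    plutodebug=private

conn mytunnel
    leftid=@aqua6.blr.asicdesigners.com
    left=102.1.1.89
    leftrsasigkey={KEY_A}
    rightid=@aqua4.blr.asicdesigners.com
    right=102.1.1.85
    rightrsasigkey={KEY_B}
    authby=rsasig
    type=transport
    auto=add
"""

# Constructed broken copy: left/right addresses swapped on the second host and
# a ckaid= used to name the remote peer instead of its public key.
HOST2_BAD = (HOST1.replace("left=102.1.1.89", "left=102.1.1.85")
                  .replace("right=102.1.1.85", "right=102.1.1.89")
                  .replace(f"rightrsasigkey={KEY_B}", "rightckaid=0123abcd"))

if __name__ == "__main__":
    print(parse_rsasigkey(KEY_A))                      # (65537, 2048)
    print(check_pair(HOST1, HOST1, "mytunnel"))        # []
    for p in check_pair(HOST1, HOST2_BAD, "mytunnel"):
        print("-", p)
```

In practice the key values come from the commands in the thread: `certutil -K -d sql:/etc/ipsec.d` lists the CKAIDs in the NSS database pluto actually uses, and `ipsec showhostkey --left --ckaid <ckaid>` (or `--right`) on each host prints the `leftrsasigkey=`/`rightrsasigkey=` line to paste into both configs. Comparing the decoded modulus, as the checker does, is more reliable than eyeballing a 348-character base64 string. Note also that the working configs above keep `plutodebug=private`, which makes pluto log private material; it is useful while debugging but should not be left on once the tunnel works.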