Re: [Swan] cannot locate my private key for RSA Signature

2018-02-19 Thread Paul Wouters

On Sun, 18 Feb 2018, klwilson...@comcast.net wrote:


Paul, I tried running the attached reset script to reconfigure the environment.
Hopefully there is absolutely no ambiguity in what I am attempting to do or use
in my configuration. I also attached the host_to_host.conf file that results
from the script showing the final state.


I checked it and it looks fine. It should work. Are you at least on 3.21
to ensure it works without any ipsec.secrets entries?


Your email regarding the left/right rsasigkey was a bit confusing. I believe 
these are right the way I have them.


Yes, it is.


However, I am still running into the same problems. I have attached the conf 
file as well.

003 "host-to-host" #5: unable to locate my private key for RSA Signatures
224 "host-to-host" #5:  STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "host-to-host" #5: sending notification AUTHENTICATION_FAILED to 
192.168.89.6:500


The only thing I can think of at this point is that your libreswan
version requires the ipsec.secrets entry. Change the newhostkey
command to: ipsec newhostkey --output /etc/ipsec.secrets
(it will overwrite the existing file)

If that doesn't solve it, maybe disable whatever security mechanisms
might be in play? FIPS? SELinux? AppArmor?

Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
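The error in this thread means pluto found no private key matching the public key given for its own side of the conn. An added example (not from the thread and not libreswan code) that checks the usual causes offline: it decodes `leftrsasigkey=`/`rightrsasigkey=` values from a conn section, flags a missing, malformed or duplicated key, and compares our side's key with the `leftrsasigkey=` lines that `ipsec showhostkey --left` prints for the keys held in the NSS database. It relies on the documented rsasigkey encoding (`0s` + base64 of the RFC 3110 RSA public key: exponent length, exponent, modulus); the conn text, the `%defaultroute` left address and the toy moduli are constructed for the example and are not real keys.

```python
"""Check the left/rightrsasigkey= values of a libreswan conn section.

Added example, not libreswan code. Assumes the documented encoding
"0s" + base64(RFC 3110 key: exponent length, exponent, modulus) and the
leftrsasigkey=... lines printed by `ipsec showhostkey --left`.
"""
import base64
import re


def decode_rsasigkey(value):
    """Decode a left/rightrsasigkey= value into an (exponent, modulus) pair."""
    value = value.strip().strip('"')
    if not value.startswith("0s"):
        raise ValueError("expected the 0s (base64) prefix")
    raw = base64.b64decode(value[2:], validate=True)  # binascii.Error is a ValueError
    if len(raw) < 3:
        raise ValueError("too short for an RFC 3110 key")
    if raw[0]:
        elen, off = raw[0], 1                              # one-byte exponent length
    else:
        elen, off = int.from_bytes(raw[1:3], "big"), 3     # 0 + two-byte length
    exp, mod = raw[off:off + elen], raw[off + elen:]
    if len(exp) != elen or not mod:
        raise ValueError("truncated exponent or missing modulus")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")


def encode_rsasigkey(e, n):
    """Inverse of decode_rsasigkey(): build the 0s... value from (e, n)."""
    exp = e.to_bytes((e.bit_length() + 7) // 8 or 1, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    hdr = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    return "0s" + base64.b64encode(hdr + exp + mod).decode("ascii")


def parse_conn(conf_text, name):
    """Minimal ipsec.conf reader: key=value pairs of one `conn <name>` section.

    Ignores also=, %default and include, which a complete check would follow.
    """
    keys, in_section = {}, False
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", stripped)
        if m:
            in_section = m.group(1) == "conn" and m.group(2) == name
        elif in_section and "=" in stripped:
            k, v = stripped.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys


def diagnose(conf_text, name, my_side, held_keys):
    """Findings that explain 'unable to locate my private key for RSA Signatures'.

    my_side is "left" or "right" (the end this host is); held_keys are the
    rsasigkey strings of private keys present here, optionally still prefixed
    with leftrsasigkey=/rightrsasigkey= the way showhostkey prints them.
    """
    conn = parse_conn(conf_text, name)
    findings, decoded = [], {}
    for side in ("left", "right"):
        raw = conn.get(side + "rsasigkey")
        if raw is None:
            findings.append(f"{side}rsasigkey is missing from conn {name}")
            continue
        try:
            decoded[side] = decode_rsasigkey(raw)
        except ValueError as err:
            findings.append(f"{side}rsasigkey is malformed: {err}")
    if len(decoded) == 2 and decoded["left"] == decoded["right"]:
        findings.append("left and right carry the same public key; one side was pasted twice")
    mine = decoded.get(my_side)
    if mine is not None:
        held = {decode_rsasigkey(re.sub(r"^(left|right)rsasigkey=", "", k.strip()))
                for k in held_keys}
        if mine not in held:
            findings.append(f"{my_side}rsasigkey matches none of the {len(held)} "
                            "private keys on this host, so pluto cannot sign with it")
    return findings


# Constructed toy values so the example runs offline; they are not real keys.
TOY_E = 65537
TOY_N_LEFT = (1 << 511) | 0xC0FFEE
TOY_N_RIGHT = (1 << 511) | 0xBADA55

SAMPLE_CONF = f"""\
conn host-to-host
    left=%defaultroute
    leftrsasigkey={encode_rsasigkey(TOY_E, TOY_N_LEFT)}
    right=192.168.89.6
    rightrsasigkey={encode_rsasigkey(TOY_E, TOY_N_RIGHT)}
    authby=rsasig
    auto=add
"""

if __name__ == "__main__":
    # Pretend `ipsec showhostkey --left` on this host printed the *other* key:
    shown = "leftrsasigkey=" + encode_rsasigkey(TOY_E, TOY_N_RIGHT)
    for finding in diagnose(SAMPLE_CONF, "host-to-host", "left", [shown]):
        print("finding:", finding)
```

On a real host, feed `diagnose()` the text of the conf from the thread and the output of `ipsec showhostkey --left` (one line per key); an empty result means the conf's key for our side is one we actually hold, and the remaining suspects are the version-dependent `ipsec.secrets` entry or a FIPS/SELinux/AppArmor restriction, as Paul suggests.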


Re: [Swan] What ways're possible for bringing a VTI up?

2018-02-19 Thread Alex K.
After a few days of testing, I think you're perfectly right Paul.

Indeed, "auto" works as expected. With the small exception of VTI behavior (on
which I'll elaborate a little further), Libreswan indeed works like a
charm, PFS being the real culprit.

As a programmer, I understand that we indeed cannot bind() to an address
not yet present at the box, hence I placed a little bash script at
interface up/down events. And since it's already running the "whack
--listen" command, I've added "auto --add" & "auto --up" in there as well.
That brings the VTI interface up successfully. Yes, there might be a little
workaround to it (for re-establishing the SA "whack --listen" is enough, as
shown by ip xfrm), but since we already MUST have a script, I think it's
perfectly acceptable to run both "whack" and "auto" commands in it.

Thank you, Paul

On 29 Jan 2018 at 0:00, "Paul Wouters" wrote:

> On Sat, 27 Jan 2018, Alex K. wrote:
>
> After a few days of running debugs, I finally found the culprit, it was
>> PFS (strangely enough, both sides agreed on
>> each other proposals and brought SAs up, prior to re-negotiations, but
>> that's another issue).
>>
>
> There are known interop issues on rekeying if PFS settings don't match.
> One endpoint can accept pfs yes and no, but insist on sending no, and
> one end can accept yes and no, but insist on sending yes. So at rekey
> times things then break.
>
> Now, after configuring "pfs=no", the "auto" behaves as expected. With
>> little exception, though - after
>> re-negotiations, VTI never comes up by itself. I work around this issue
>> by adding "vti-shared=yes", and now the
>> whole thing behaves.
>>
>
> I'm not sure what you mean with re-negotiation. There is
> re-authentication which starts a new IKE SA, and there is
> rekeying that just rekeys (in IKEv2) without reauthenticate
> using the CREATE_CHILD_SA exchange.
>
> There might be an issue with routes if the connection is added, upped,
> downed and upped again, as the VTI is created in add and removed in
> down. This might require some improvements in the updown script for
> handling this better.
>
> Are there any debug options I can use to troubleshoot VTI creation?
>>
>
> All VTI operations happen in the /usr/{local/}libexec/ipsec/_updown.netkey
> shell script. So that should be easy to debug by adding some shell
> commands there.
>
> As for "whack --listen", in fact the IP settings are configured statically
>> so the IP address never changes, and
>> yet, without "--listen", I do notice Pluto isn't listening (using
>> "netstat -na | grep 500"). Maybe I'm wrong on
>> that, so any suggestions will be welcomed.
>>
>
> The IP address has to exist on the machine before pluto can listen on
> it. If pluto starts before the IP is added to the system, you need to
> run "ipsec whack --listen" for pluto to re-examine the system for IPs
> that got added or removed.
>
> Paul
>
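The interface hook the two messages above describe, written out as an added example (it is not the poster's script and not libreswan's `_updown.netkey`): on the "up" event for the interface that carries the IKE endpoint address it makes pluto rescan the host's addresses with `ipsec whack --listen`, then loads and initiates the conn; on "down" it tears the conn down and rescans again. The argument order `<interface> <up|down>`, the conn name `host-to-host`, the interface `eth0` and the `IPSEC` command variable are assumptions; the guarded `auto --delete` before `auto --add` is my addition so a conn still loaded from an earlier "up" does not make the re-add fail.

```sh
#!/bin/sh
# Interface up/down hook for a libreswan VTI conn. Added example, not the
# poster's script or libreswan code. Invoked as:  vti-hook.sh <interface> <up|down>
# CONN, WAN_IF and IPSEC are assumed defaults, overridable from the environment.
CONN="${CONN:-host-to-host}"
WAN_IF="${WAN_IF:-eth0}"
IPSEC="${IPSEC:-ipsec}"

vti_hook() {
    ifname="$1"
    action="$2"
    # Only the interface that carries the IKE endpoint address matters.
    [ "$ifname" = "$WAN_IF" ] || return 0
    case "$action" in
        up)
            # pluto bound its UDP 500/4500 sockets at start and cannot bind to
            # an address that did not exist yet; make it rescan the interfaces.
            "$IPSEC" whack --listen || return 1
            # Drop a copy still loaded from an earlier "up" (ignored if absent),
            # then load the conn (the updown script creates the VTI device)
            # and initiate it now that the source address is present.
            "$IPSEC" auto --delete "$CONN" >/dev/null 2>&1 || true
            "$IPSEC" auto --add "$CONN" || return 1
            "$IPSEC" auto --up "$CONN" || return 1
            ;;
        down)
            # Tear the tunnel down cleanly and let pluto drop the vanished address.
            "$IPSEC" auto --down "$CONN"
            "$IPSEC" auto --delete "$CONN"
            "$IPSEC" whack --listen
            ;;
        *)
            return 0   # other dispatcher events are ignored
            ;;
    esac
}

# Act only when invoked with hook arguments; sourcing the file is a no-op.
if [ $# -ge 2 ]; then
    vti_hook "$1" "$2"
fi
```

Install it where the host's network manager runs interface hooks (a NetworkManager dispatcher script or an `if-up.d`/`if-down.d` pair) and set `CONN`/`WAN_IF` for the real names. The `down` branch deletes the conn, so after a flap the `up` branch recreates the VTI through the updown script rather than relying on a route left behind.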


[Swan-commit] Changes to ref refs/heads/master

2018-02-19 Thread Paul Wouters
New commits:
commit 2d5b488f1793a4cbcd72f0a479c3fa88b77c5ac2
Author: Paul Wouters 
Date:   Mon Feb 19 18:22:49 2018 -0500

pluto: ignore -Wformat-truncation in linux_audit.c

We want to truncate the message if it is too long. gcc should let us do 
that.

___
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit


[Swan-commit] Changes to ref refs/heads/master

2018-02-19 Thread Paul Wouters
New commits:
commit daf3c16bfd8b2747271d68b2c7f0072b54800d02
Author: Vukasin 
Date:   Mon Feb 19 23:32:16 2018 -0500

documentation: manpages: small addition regarding PPK

Signed-off-by: Paul Wouters 



[Swan-commit] Changes to ref refs/heads/master

2018-02-19 Thread Paul Wouters
New commits:
commit 3938bdb193ea2bf329fba05ca762add9fef4cdc3
Author: Paul Wouters 
Date:   Mon Feb 19 15:47:05 2018 -0500

documentation: update installed ipsec.conf

- minor cleanup
- add pointer for use with crypto-policies package
- commented item for /etc/crypto-policies/back-ends/libreswan.config
  (which distros can enable using a simple sed line, e.g. on Fedora)
- If the file does not exist, log the file not found error as an
  ignorable event

commit 44be024470e99cab31e8f71f6e91140382f14f14
Author: Paul Wouters 
Date:   Mon Feb 19 18:09:15 2018 -0500

pluto: increase buffer of prettypolicy() on advice of gcc7



[Swan-commit] Changes to ref refs/heads/master

2018-02-19 Thread Andrew Cagney
New commits:
commit 6648613fbebbc72a41780a037bd4165fba691847
Author: Andrew Cagney 
Date:   Sat Feb 17 18:49:47 2018 -0500

state: split duplicate_state() into IKEv1 and IKEv2 variants

Setting things up for IKEv2 doing stuff different to IKEv1;
start by explicitly requiring an IKE_SA.

(Ignore code passing TRUE to IKEv1 variant)
