Re: [Swan] cannot locate my private key for RSA Signature
On Sun, 18 Feb 2018, klwilson...@comcast.net wrote:

> Paul, I tried running the attached reset script to reconfigure the environment. Hopefully there is absolutely no ambiguity in what I am attempting to do or use in my configuration. I also attached the host_to_host.conf file that results from the script showing the final state.

I checked it and it looks fine. It should work. Are you at least on 3.21 to ensure it works without any ipsec.secrets entries?

> Your email regarding the left/right rsasigkey was a bit confusing. I believe these are right the way I have them.

Yes, it is.

> However, I am still running into the same problems. I have attached the conf file as well.
>
> 003 "host-to-host" #5: unable to locate my private key for RSA Signatures
> 224 "host-to-host" #5: STATE_MAIN_I2: AUTHENTICATION_FAILED
> 002 "host-to-host" #5: sending notification AUTHENTICATION_FAILED to 192.168.89.6:500

The only thing I can think of at this point is that your libreswan version requires the ipsec.secrets entry. Change the newhostkey command to:

ipsec newhostkey --output /etc/ipsec.secrets

(it will overwrite the existing file)

If that doesn't solve it, maybe disable whatever security mechanisms might be in play? FIPS? Selinux? AppArmor?

Paul

___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
Re: [Swan] What ways're possible for bringing a VTI up?
After a few days of testing, I think you're perfectly right Paul. Indeed, "auto" works as expected. With the little exception of VTI behavior (on which I'll elaborate a little bit further), Libreswan indeed works like a charm, PFS being the real culprit.

As a programmer, I understand that we indeed cannot bind() to an address not yet present at the box, hence I placed a little bash script at interface up/down events. And since it's already running the "whack --listen" command, I've added "auto --add" & "auto --up" in there too. That brings the VTI interface up successfully.

Yes, there might be a little workaround to it (for re-establishing the SA "whack --listen" is enough, as shown by IP XFRM) but since we already MUST have a script, I think it's perfectly acceptable to run both "whack" and "auto" commands in it.

Thank you, Paul

On 29 Jan 2018 0:00, "Paul Wouters" wrote:

> On Sat, 27 Jan 2018, Alex K. wrote:
>
>> After a few days of running debugs, I finally found the culprit, it was
>> PFS (strangely enough, both sides agreed on each other's proposals and
>> brought SAs up, prior to re-negotiations, but that's another issue).
>
> There are known interop issues on rekeying if PFS settings don't match.
> One endpoint can accept pfs yes and no, but insist on sending no, and
> one end can accept yes and no, but insist on sending yes. So at rekey
> times things then break.
>
>> Now, after configuring "pfs=no", the "auto" behaves as expected. With
>> little exception, though - after re-negotiations, VTI never comes up by
>> itself. I work around this issue by adding "vti-shared=yes", and now the
>> whole thing behaves.
>
> I'm not sure what you mean with re-negotiation. There is
> re-authentication which starts a new IKE SA, and there is
> rekeying that just rekeys (in IKEv2) without reauthenticating
> using the CREATE_CHILD_SA exchange.
>
> There might be an issue with routes if the connection is added, upped,
> downed and upped again, as the VTI is created in add and removed in
> down. This might require some improvements in the updown script for
> handling this better.
>
>> Are there any debug options I can use to troubleshoot VTI creation?
>
> All VTI operations happen in the /usr/{local/}libexec/ipsec/_updown.netkey
> shell script. So that should be easy to debug by adding some shell
> commands there.
>
>> As for "whack --listen", in fact the IP settings are configured statically
>> so the IP address never changes, and yet, without "--listen", I do notice
>> Pluto isn't listening (using "netstat -na | grep 500"). Maybe I'm wrong on
>> that, so any suggestions will be welcomed.
>
> The IP address has to exist on the machine before pluto can listen on
> it. If pluto starts before the IP is added to the system, you need to
> run "ipsec whack --listen" for pluto to re-examine the system for IPs
> that got added or removed.
>
> Paul
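The interface up/down hook that Alex describes, written out as an added example (it is not code from the thread or from Libreswan). It assumes a connection named "vti-conn" whose endpoint address lives on eth0, that the hook is invoked with the interface name and "up"/"down" as its two arguments (as NetworkManager dispatcher scripts are), and that the ipsec command can be overridden through $IPSEC so the logic can be exercised without a running pluto.

```shell
#!/bin/sh
# Added example: interface up/down hook for a Libreswan VTI connection.
# Assumptions (not from the thread): connection "vti-conn", endpoint on
# eth0, arguments "<iface> <up|down>", and $IPSEC to override the command.
set -eu

VTI_IFACE="${VTI_IFACE:-eth0}"      # assumption: interface with the tunnel endpoint IP
VTI_CONN="${VTI_CONN:-vti-conn}"    # assumption: connection name from ipsec.conf
IPSEC="${IPSEC:-ipsec}"             # real CLI by default, stub in tests

# Runs the Libreswan commands for one interface event.
# Returns 0 on success (or when the event is for another interface),
# 2 for an unknown event.
vti_hook() {
    iface="$1"
    event="$2"
    [ "$iface" = "$VTI_IFACE" ] || return 0
    case "$event" in
        up)
            # pluto cannot bind() to an address that did not exist when it
            # started, so make it re-examine the system's IPs first.
            "$IPSEC" whack --listen
            # Loading the connection creates the VTI (in the updown script);
            # --up then negotiates the SA over it.
            "$IPSEC" auto --add "$VTI_CONN"
            "$IPSEC" auto --up "$VTI_CONN"
            ;;
        down)
            # Taking the connection down removes the VTI again, as Paul notes.
            "$IPSEC" auto --down "$VTI_CONN"
            ;;
        *)
            return 2
            ;;
    esac
}

# Act only when called with both arguments (e.g. by the dispatcher),
# so sourcing the file for testing does not touch pluto.
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
    vti_hook "$1" "$2"
fi
```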
[Swan-commit] Changes to ref refs/heads/master
New commits:

commit 2d5b488f1793a4cbcd72f0a479c3fa88b77c5ac2
Author: Paul Wouters
Date: Mon Feb 19 18:22:49 2018 -0500

    pluto: ignore -Wformat-truncation in linux_audit.c

    We want to truncate the message if it is too long. gcc should let us do that.

___
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit
[Swan-commit] Changes to ref refs/heads/master
New commits:

commit daf3c16bfd8b2747271d68b2c7f0072b54800d02
Author: Vukasin
Date: Mon Feb 19 23:32:16 2018 -0500

    documentation: manpages: small addition regarding PPK

    Signed-off-by: Paul Wouters
[Swan-commit] Changes to ref refs/heads/master
New commits:

commit 3938bdb193ea2bf329fba05ca762add9fef4cdc3
Author: Paul Wouters
Date: Mon Feb 19 15:47:05 2018 -0500

    documentation: update installed ipsec.conf

    - minor cleanup
    - add pointer for use with crypto-policies package
    - commented item for /etc/crypto-policies/back-ends/libreswan.config
      (which distros can enable using a simple sed line, eg on fedora)
    - If the file does not exist, log the file not found error as an ignorable event

commit 44be024470e99cab31e8f71f6e91140382f14f14
Author: Paul Wouters
Date: Mon Feb 19 18:09:15 2018 -0500

    pluto: increase buffer of prettypolicy() on advice of gcc7
[Swan-commit] Changes to ref refs/heads/master
New commits:

commit 6648613fbebbc72a41780a037bd4165fba691847
Author: Andrew Cagney
Date: Sat Feb 17 18:49:47 2018 -0500

    state: split duplicate_state() into IKEv1 and IKEv2 variants

    Setting things up for IKEv2 doing stuff different to IKEv1; start by
    explicitly requiring an IKE_SA.

    (Ignore code passing TRUE to IKEv1 variant)