Re: [Swan] cannot locate my private key for RSA Signature
3.20-5 was the latest version that CentOS yum install picked up.

Sent from my iPhone

> On Feb 20, 2018, at 9:59 AM, Paul Wouters wrote:
>
>> On Tue, 20 Feb 2018, Kevin Wilson wrote:
>>
>> From a new installation it appears the --output arg on newhostkey should be
>> mandatory. The connection gets established properly once this was put into
>> place.
>
> Was this using libreswan 3.21 or older? It should not be needed anymore
> with 3.22 and 3.23.
>
> Paul

___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
Re: [Swan] cannot locate my private key for RSA Signature
On Tue, 20 Feb 2018, Kevin Wilson wrote:

> From a new installation it appears the --output arg on newhostkey should be
> mandatory. The connection gets established properly once this was put into
> place.

Was this using libreswan 3.21 or older? It should not be needed anymore
with 3.22 and 3.23.

Paul
Re: [Swan] cannot locate my private key for RSA Signature
From a new installation it appears the --output arg on newhostkey should be
mandatory. The connection gets established properly once this was put into
place.

Sent from my iPhone

> On Feb 19, 2018, at 8:10 PM, Paul Wouters wrote:
>
>> On Sun, 18 Feb 2018, klwilson...@comcast.net wrote:
>>
>> Paul, I tried running the attached reset script to reconfigure the environment.
>> Hopefully there is absolutely no ambiguity in what I am attempting to do or
>> use in my configuration. I also attached the host_to_host.conf file that
>> results from the script showing the final state.
>
> I checked it and it looks fine. It should work. Are you at least on 3.21
> to ensure it works without any ipsec.secrets entries?
>
>> Your email regarding the left/right rsasigkey was a bit confusing. I believe
>> these are right the way I have them.
>
> Yes, it is.
>
>> However, I am still running into the same problems. I have attached the conf
>> file as well.
>>
>> 003 "host-to-host" #5: unable to locate my private key for RSA Signatures
>> 224 "host-to-host" #5: STATE_MAIN_I2: AUTHENTICATION_FAILED
>> 002 "host-to-host" #5: sending notification AUTHENTICATION_FAILED to
>> 192.168.89.6:500
>
> The only thing I can think of at this point is that your libreswan
> version requires the ipsec.secrets entry. Change the newhostkey
> command to: ipsec newhostkey --output /etc/ipsec.secrets
> (it will overwrite the existing file)
>
> If that doesn't solve it, maybe disable whatever security mechanisms
> might be in play? FIPS? SELinux? AppArmor?
>
> Paul
Re: [Swan] cannot locate my private key for RSA Signature
On Sun, 18 Feb 2018, klwilson...@comcast.net wrote:

> Paul, I tried running the attached reset script to reconfigure the environment.
> Hopefully there is absolutely no ambiguity in what I am attempting to do or
> use in my configuration. I also attached the host_to_host.conf file that
> results from the script showing the final state.

I checked it and it looks fine. It should work. Are you at least on 3.21
to ensure it works without any ipsec.secrets entries?

> Your email regarding the left/right rsasigkey was a bit confusing. I believe
> these are right the way I have them.

Yes, it is.

> However, I am still running into the same problems. I have attached the conf
> file as well.
>
> 003 "host-to-host" #5: unable to locate my private key for RSA Signatures
> 224 "host-to-host" #5: STATE_MAIN_I2: AUTHENTICATION_FAILED
> 002 "host-to-host" #5: sending notification AUTHENTICATION_FAILED to
> 192.168.89.6:500

The only thing I can think of at this point is that your libreswan
version requires the ipsec.secrets entry. Change the newhostkey
command to: ipsec newhostkey --output /etc/ipsec.secrets
(it will overwrite the existing file)

If that doesn't solve it, maybe disable whatever security mechanisms
might be in play? FIPS? SELinux? AppArmor?

Paul
Re: [Swan] cannot locate my private key for RSA Signature
Paul, I tried running the attached reset script to reconfigure the environment.
Hopefully there is absolutely no ambiguity in what I am attempting to do or
use in my configuration. I also attached the host_to_host.conf file that
results from the script showing the final state.

Your email regarding the left/right rsasigkey was a bit confusing. I believe
these are right the way I have them. I have double checked the keys in the
file are appropriate for the hosts. This seems to be consistent with the other
documentation and things I have seen on the web. I added the reset process for
the databases so now there is only one key per host.

192.168.89.6 is k2
192.168.89.7 is k1

However, I am still running into the same problems. I have attached the conf
file as well.

003 "host-to-host" #5: unable to locate my private key for RSA Signatures
224 "host-to-host" #5: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "host-to-host" #5: sending notification AUTHENTICATION_FAILED to
192.168.89.6:500

I also tried adding leftckaid=/rightckaid= and this ran into parsing errors.
So I have continued using the rsasigkeys.

-----Original Message-----
From: Paul Wouters [mailto:p...@nohats.ca]
Sent: Saturday, February 17, 2018 7:21 PM
To: klwilson...@comcast.net
Cc: swan@lists.libreswan.org
Subject: Re: [Swan] cannot locate my private key for RSA Signature

On Sat, 17 Feb 2018, klwilson...@comcast.net wrote:

> I have just installed two Centos7 systems and am attempting to get libreswan
> setup.
> Naively used DHCP for the hosts initially. Moved to static later on not sure
> if this is part of the issues I am having.
>
> I ran the following on both machines:
>
> ipsec nssinit
>
> ipsec newhostkey
>
> Then I configured the host-to-host.conf two endpoints with their IP and keys
> that :

Did you use ipsec showhostkey --list and ipsec showhostkey --left/--right to
add the proper public keys in your configuration?

> 003 "host-to-host" #4: unable to locate my private key for RSA
> Signature
> 224 "host-to-host" #4: STATE_MAIN_I2: AUTHENTICATION_FAILED to
> 192.168.89.6:500

Looks like your rightrsasigkey= and leftrsasigkey= are not properly
configured.

> conn host-to-host
> left=192.168.89.7
> leftid="@k1"
> leftrsasigkey=[keyid AwEAAexla]

Do you have actual [brackets] there? It should not look like that.

> rightrsasigkey=[keyid AwEAAejt9]

> 000 List of RSA Public Keys:
> 000
> 000 Feb 17 12:21:16 2018, 3488 RSA Key AwEAAejt9 (no private key),
> until --- -- --:--:-- ok (expires never)
> 000 ID_FQDN '@k2'
> 000 Feb 17 12:21:16 2018, 3120 RSA Key AwEAAexla (no private key),
> until --- -- --:--:-- ok (expires never)
> 000 ID_FQDN '@k1'

You seem to have no private keys for those public keys?

Did you reinit your nss database after grabbing the public keys?

The order to do things should be:

- ipsec stop
- delete unknown nss db: rm /etc/ipsec.d/*db
- start a new nss db: ipsec initnss
- generate a new key: ipsec newhostkey

Once you have done that on both sides, you can get the public keys on
both ends to put in the configuration file.

- ipsec showhostkey --list (look at the ckaid)
- ipsec showhostkey --ckaid <ckaid> --left (where <ckaid> is the ckaid from
  the previous command)
- put the output of that in the config either as leftckaid=/rightckaid=
  or leftrsasigkey= / rightrsasigkey=

See also
https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Using_raw_RSA_keys_with_NSS

Paul

Attachments: reset.sh, host_to_host.conf
Re: [Swan] cannot locate my private key for RSA Signature
Sent from my iPhone

> On Feb 17, 2018, at 7:21 PM, Paul Wouters wrote:
>
>> On Sat, 17 Feb 2018, klwilson...@comcast.net wrote:
>>
>> I have just installed two Centos7 systems and am attempting to get libreswan
>> setup.
>> Naively used DHCP for the hosts initially. Moved to static later on not sure
>> if this is part of the issues I am having.
>> I ran the following on both machines:
>> ipsec nssinit
>> ipsec newhostkey
>> Then I configured the host-to-host.conf two endpoints with their IP and keys
>> that :
>
> Did you use ipsec showhostkey --list and ipsec showhostkey --left/--right to
> add the proper public keys in your configuration?

Yes

>
>> 003 "host-to-host" #4: unable to locate my private key for RSA Signature
>> 224 "host-to-host" #4: STATE_MAIN_I2: AUTHENTICATION_FAILED to
>> 192.168.89.6:500
>
> Looks like your rightrsasigkey= and leftrsasigkey= are not properly
> configured.
>
>> conn host-to-host
>> left=192.168.89.7
>> leftid="@k1"
>> leftrsasigkey=[keyid AwEAAexla]

No I used the line from ipsec showhostkey --left --ckaid ... that is returned
with leftrsasigkey=...== This may be where my confusion is. The line output
from the command with leftrsasigkey is what I used. The one that actually
looks like a key and is prefixed with the same name as the field to be added
to the config.

>
> Do you have actual [brackets] there? It should not look like that.
>
>> rightrsasigkey=[keyid AwEAAejt9]
>
>> 000 List of RSA Public Keys:
>> 000
>> 000 Feb 17 12:21:16 2018, 3488 RSA Key AwEAAejt9 (no private key), until ---
>> -- --:--:-- ok (expires never)
>> 000 ID_FQDN '@k2'
>> 000 Feb 17 12:21:16 2018, 3120 RSA Key AwEAAexla (no private key), until ---
>> -- --:--:-- ok (expires never)
>> 000 ID_FQDN '@k1'
>
> You seem to have no private keys for those public keys?

I am not sure how this happens.

>
> Did you reinit your nss database after grabbing the public keys?

No, generated new keys only. Did not think dropping the DB should be
necessary. I can try that now.

>
> The order to do things should be:
>
> - ipsec stop
> - delete unknown nss db: rm /etc/ipsec.d/*db
> - start a new nss db: ipsec initnss
> - generate a new key: ipsec newhostkey

Thanks this will help.

> Once you have done that on both sides, you can get the public keys on
> both ends to put in the configuration file.
>
> - ipsec showhostkey --list (look at the ckaid)
> - ipsec showhostkey --ckaid <ckaid> --left (where <ckaid> is the ckaid from
>   the previous command)
> - put the output of that in the config either as leftckaid=/rightckaid=
>   or leftrsasigkey= / rightrsasigkey=
>
> See also
> https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Using_raw_RSA_keys_with_NSS
>
> Paul
Re: [Swan] cannot locate my private key for RSA Signature
On Sat, 17 Feb 2018, klwilson...@comcast.net wrote:

> I have just installed two Centos7 systems and am attempting to get libreswan
> setup.
> Naively used DHCP for the hosts initially. Moved to static later on not sure
> if this is part of the issues I am having.
>
> I ran the following on both machines:
>
> ipsec nssinit
>
> ipsec newhostkey
>
> Then I configured the host-to-host.conf two endpoints with their IP and keys
> that :

Did you use ipsec showhostkey --list and ipsec showhostkey --left/--right to
add the proper public keys in your configuration?

> 003 "host-to-host" #4: unable to locate my private key for RSA Signature
> 224 "host-to-host" #4: STATE_MAIN_I2: AUTHENTICATION_FAILED to
> 192.168.89.6:500

Looks like your rightrsasigkey= and leftrsasigkey= are not properly
configured.

> conn host-to-host
> left=192.168.89.7
> leftid="@k1"
> leftrsasigkey=[keyid AwEAAexla]

Do you have actual [brackets] there? It should not look like that.

> rightrsasigkey=[keyid AwEAAejt9]

> 000 List of RSA Public Keys:
> 000
> 000 Feb 17 12:21:16 2018, 3488 RSA Key AwEAAejt9 (no private key), until --- -- --:--:-- ok (expires never)
> 000 ID_FQDN '@k2'
> 000 Feb 17 12:21:16 2018, 3120 RSA Key AwEAAexla (no private key), until --- -- --:--:-- ok (expires never)
> 000 ID_FQDN '@k1'

You seem to have no private keys for those public keys?

Did you reinit your nss database after grabbing the public keys?

The order to do things should be:

- ipsec stop
- delete unknown nss db: rm /etc/ipsec.d/*db
- start a new nss db: ipsec initnss
- generate a new key: ipsec newhostkey

Once you have done that on both sides, you can get the public keys on
both ends to put in the configuration file.

- ipsec showhostkey --list (look at the ckaid)
- ipsec showhostkey --ckaid <ckaid> --left (where <ckaid> is the ckaid from
  the previous command)
- put the output of that in the config either as leftckaid=/rightckaid=
  or leftrsasigkey= / rightrsasigkey=

See also
https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Using_raw_RSA_keys_with_NSS

Paul
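Paul's diagnosis above rests on two observations: the rsasigkey= values in the conn do not look like real keys (the "[keyid ...]" form instead of a 0s... base64 blob), and pluto's key listing shows "(no private key)" for the host's own ID. The following script, added here as an example and not part of libreswan or of anything posted in the thread, mechanises both checks: it parses a conn section out of ipsec.conf text and the "List of RSA Public Keys" section of ipsec status output, then reports any mismatch. It assumes that libreswan's 9-character keyid is the start of the base64 blob that follows the "0s" prefix (consistent with the keyids shown in the thread), and that the affirmative form of the status line reads "(has private key)". The configuration and status samples are constructed for this example; the keys in them are filler base64, not RSA keys.

```python
"""Consistency check for a libreswan raw-RSA conn against pluto's key listing.
Constructed sample inputs below are modelled on the thread, not copied from
its attachments. This is example code, not part of libreswan."""
import re

# Assumption: libreswan's 9-character keyid is the start of the base64 public
# key blob, i.e. the rsasigkey value with its leading "0s" removed.
KEYID_LEN = 9
RSASIGKEY_RE = re.compile(r"^0s[A-Za-z0-9+/]+=*$")
# `ipsec status` key listing; "(has private key)" is assumed to be the
# affirmative counterpart of the "(no private key)" seen in the thread.
PUBKEY_RE = re.compile(r"RSA Key (\S+) \((has|no) private key\)")
ID_RE = re.compile(r"ID_\w+ '([^']+)'")


def parse_conn(conf_text, conn_name):
    """Return the key=value settings of one conn section as a dict."""
    settings, in_conn = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("conn ", "config ")):
            in_conn = line.split(None, 1) == ["conn", conn_name]
            continue
        if in_conn and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def parse_pubkey_listing(status_text):
    """Map each listed ID to (keyid, has_private_key) from `ipsec status`."""
    keys, pending = {}, None
    for line in status_text.splitlines():
        key_match = PUBKEY_RE.search(line)
        if key_match:
            pending = (key_match.group(1), key_match.group(2) == "has")
            continue
        id_match = ID_RE.search(line)
        if id_match and pending:
            keys[id_match.group(1)] = pending
            pending = None
    return keys


def check_conn(conf_text, conn_name, local_side, status_text):
    """Return findings; an empty list means the conn and the NSS key state agree."""
    findings = []
    conn = parse_conn(conf_text, conn_name)
    keys = parse_pubkey_listing(status_text)
    for side in ("left", "right"):
        value = conn.get(side + "rsasigkey", "")
        ident = conn.get(side + "id", "")
        if not RSASIGKEY_RE.match(value):
            # e.g. "[keyid AwEAAexla]" pasted from the wrong showhostkey line
            findings.append(f"{side}rsasigkey is not a 0s... base64 key: {value!r}")
            continue
        keyid = value[2:2 + KEYID_LEN]
        if ident not in keys:
            findings.append(f"{side}id {ident} has no key loaded in pluto")
            continue
        listed_keyid, has_private = keys[ident]
        if listed_keyid != keyid:
            findings.append(f"{side}rsasigkey keyid {keyid} != loaded {listed_keyid} for {ident}")
        if side == local_side and not has_private:
            # This is the state behind "unable to locate my private key"
            findings.append(f"no private key in NSS for local ID {ident}; redo initnss/newhostkey")
    return findings


# --- constructed samples (keys are filler base64, not real RSA keys) ---
CONF_BRACKETS = """\
conn host-to-host
    left=192.168.89.7
    leftid="@k1"
    leftrsasigkey=[keyid AwEAAexla]
    right=192.168.89.6
    rightid="@k2"
    rightrsasigkey=[keyid AwEAAejt9]
    authby=rsasig
"""
CONF_OK = CONF_BRACKETS.replace(
    "[keyid AwEAAexla]", "0sAwEAAexlaQ29uc3RydWN0ZWRTYW1wbGVLZXlPbmU=").replace(
    "[keyid AwEAAejt9]", "0sAwEAAejt9Q29uc3RydWN0ZWRTYW1wbGVLZXlUd28=")
STATUS_NO_PRIV = """\
000 List of RSA Public Keys:
000
000 Feb 17 12:21:16 2018, 3488 RSA Key AwEAAejt9 (no private key), until --- -- --:--:-- ok (expires never)
000        ID_FQDN '@k2'
000 Feb 17 12:21:16 2018, 3120 RSA Key AwEAAexla (no private key), until --- -- --:--:-- ok (expires never)
000        ID_FQDN '@k1'
"""
STATUS_FIXED = STATUS_NO_PRIV.replace(
    "AwEAAexla (no private key)", "AwEAAexla (has private key)")

if __name__ == "__main__":
    for label, conf, status in (("brackets", CONF_BRACKETS, STATUS_NO_PRIV),
                                ("no private key", CONF_OK, STATUS_NO_PRIV),
                                ("fixed", CONF_OK, STATUS_FIXED)):
        print(label, check_conn(conf, "host-to-host", "left", status) or "OK")
```

On a real host, feed check_conn the contents of the conn file and the output of ipsec status, with local_side set to whichever of left/right carries this host's ID. A "not a 0s... base64 key" finding means the wrong showhostkey line was pasted; a "no private key" finding for the local ID means the NSS database no longer holds the private half of the key named in the conn, which is exactly the state the stop / rm *db / initnss / newhostkey sequence above repairs.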