Hi,

I have an old fedora14 system that is the right side of a site-to-site connection, with the left side being an even older Linux system. I'm trying to upgrade both sides, starting with the fedora14 side first. I've built a fedora20 system with the current libreswan, and have gotten it to successfully connect to the ancient system on the left.

I have a few general questions to make sure my understanding is correct and that I'm doing this correctly.

- The RHEL7 site-to-site VPN docs say to place the leftrsasigkey and rightrsasigkey directly into the config file. I've been working with openssl to generate pkcs12 files from the key, certificate, and certfile. Then I'm using p12util to import the pkcs12 files directly into the NSS database. Is there any difference between the two methods?

# openssl pkcs12 -export -out righthost.example.com.p12 -inkey remotecerts/orion.key -in remotecerts/righthost.crt -certfile CA/newcerts/righthost.pem -name 'righthost' # openssl pkcs12 -export -out left.example.com.p12 -inkey hostcerts/lefthost.key -in hostcerts/lefthost.crt -certfile hostcerts/lefthost.crt -name 'lefthost'

# pk12util -i righthost.example.com.p12 -d /etc/ipsec.d
# pk12util -i lefthost.example.com.p12 -d /etc/ipsec.d

- The keys, certs, and certificates are pretty old, and expiring at the end of the year. How do I recreate them for libreswan?

- I'm seeing the following message when pluto starts:
  AVX2 or AES-NI instructions are not detected.
Is that a limitation of the processor? It's a Xeon E3-1220 v2, so I would think it would have support for this?

- I'm also seeing the following message on the new fedora20 side after the connection is set up: Sep 18 20:51:01 vpntest pluto[4492]: "MYVPN" #1: unable to locate my private key for RSA Signature Sep 18 20:51:01 vpntest pluto[4492]: "MYVPN" #1: sending notification AUTHENTICATION_FAILED to 65.1.11.6:500

I have two secrets files - one I just created with ipsec newhostkey and I believe is wrong, and an existing hostkey.secrets file that was created years ago, which I believe is correct. It also references both files during startup:

Sep 18 21:03:14 vpntest pluto[1256]: loading secrets from "/etc/ipsec.secrets" Sep 18 21:03:14 vpntest pluto[1256]: loading secrets from "/etc/ipsec.d/hostkey.secrets" Sep 18 21:03:14 vpntest pluto[1256]: loaded private key for keyid: PPK_RSA:AQPAcYrhb Sep 18 21:03:14 vpntest pluto[1256]: loading secrets from "/etc/ipsec.d/righthost.example.com.secrets"

I've included my ipsec.conf file, with IPs modified, in case it helps.

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        uniqueids=yes
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        nat_traversal=no

conn %default
        auto=add
        keyingtries=0
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        type=tunnel
        authby=rsasig
        esp=aes
        ike=aes

conn MYVPN
        auto=start
        left=65.46.1.6
        leftnexthop=65.46.1.5
        leftsubnet=64.1.1.0/27
leftid="@C=US, ST=New Jersey, L=MyTown, O=My Company Inc, CN=lefthost.example.com"
        leftcert=lefthost
        right=68.195.1.42
        rightnexthop=68.195.1.41
        rightsubnet=192.168.1.0/24
rightid="@C=US, ST=New Jersey, L=MyTown, O=My Company Inc, CN=righthost.example.com"
        rightcert=righthost

# Disable Opportunistic Encryption
include /etc/ipsec.d/no_oe.conf

Thanks for any ideas.
Alex

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

Reply via email to