(CC:ing Andrew as he has done most of the rewriting around RSA code)
On Mon, 8 May 2017, Noam Singer wrote:
Date: Mon, 8 May 2017 11:22:45

I am upgrading from LibreSwan 3.16 to 3.19rc3.

I am using raw public-keys as in this connection example:
The public keys were taken using:

    root@ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --list
    < 1> RSA keyid: AQO/rpT0h ckaid: 8163e2fd150ff23c28dd49bfce039cdf7f3637dd
    root@ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --rsaid AQO/rpT0h --left
        # rsakey AQO/rpT0h
        leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj
        6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0
        mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx

However, the connection fails with the following errors in auth.log
642-May 8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature
I think this is caused by us "needing" to have the RSA information in /etc/ipsec.secrets even though we are not supposed to need it. If you run:

    ipsec newhostkey --output /etc/ipsec.secrets

and then use the same method to configure the key, does it work?

I think when the connection is added, the RSA keys are not properly added unless the ipsec.secrets sauce is there :/

Paul
