Hello Paul,
Thanks for assisting
This has resolved the issue!!!
Many thanks!!!
A few issues, though:
1. When running this command, I am getting:
root@ip-10-10-10-200:/home/ubuntu# ipsec newhostkey --output /etc/ipsec.secrets
/usr/lib/ipsec/newhostkey: WARNING: file "/etc/ipsec.secrets" exists, appending to it
Generated RSA key pair with CKAID 7cc12381fa13498b79c2e8216411d62cf6254e62 was stored in the NSS database
Although the warning says that the key would be appended, the file is
actually completely overwritten.
2. I created the key by using the command:
sudo ipsec newhostkey --output /etc/ipsec.secrets --nssdir /etc/ipsec.d --seeddev /dev/urandom --bits 2192
Still, the keys are not placed in /etc/ipsec.secrets. Only when I run the
command "ipsec newhostkey --output /etc/ipsec.secrets" do they appear there.
Thanks for all your help.
Noam Singer
On Mon, May 8, 2017 at 6:44 PM, Paul Wouters <[email protected]> wrote:
>
> (CC:ing Andrew as he has done most of the rewriting around RSA code)
>
>
> On Mon, 8 May 2017, Noam Singer wrote:
>
> Date: Mon, 8 May 2017 11:22:45
>> I am upgrading from LibreSwan 3.16 to 3.19rc3
>> I am using raw public keys as in this connection example:
>>
>
>> The public keys were taken using:
>> root@ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --list
>> < 1> RSA keyid: AQO/rpT0h ckaid: 8163e2fd150ff23c28dd49bfce039cdf7f3637dd
>> root@ip-10-10-10-200:/home/ubuntu# ipsec showhostkey --rsaid AQO/rpT0h
>> --left
>> # rsakey AQO/rpT0h
>> leftrsasigkey=0sAQO/rpT0hfkfYBVYHWnNS+AsR5j1ekCK4sz02PAyRFaju+HstcrW0GfYPux6fIybkeh1L5P27v9zsCWShghA2nZvoLOz+6feM7yWTR866MYHogPKj6dcbimHlknqmPfQSRH2Vd5Ju8zxcnLL4ecSPzqZPXKU0MCPsBTuTkmkd13vYI/5hw7QD6kdQX+h1/lZpH1VbFAg92fr6Rfg2lfzYsbC2Rmgsd4zzM4Xrxj5jpW/ksez0mFSqBwT8IqY6Mv5CFLKuHKXUaaAfxzp96+pJmRyJH+e2tniCL0ijCapjcjECN2BKdqSkVOr9/UjF5Gp7Jhw19qAcDGy6cB1fSnV1wG+2hSBLSKGyRy7l3hoVLL6jMzx
>>
>>
>> However, the connection fails with the following errors in auth.log
>>
>
>> May 8 13:50:20 ip-10-10-10-200 pluto[12649]: "connST1478/2x2" #181: unable to locate my private key for RSA Signature
>>
>
> I think this is caused by us "needing" to have the RSA information in
> /etc/ipsec.secrets even though we are not supposed to need it.
>
> If you run: ipsec newhostkey --output /etc/ipsec.secrets and then use
> the same method to configure the key, does it work?
>
> I think when the connection is added, the RSA keys are not properly
> added unless the ipsec.secrets sauce is there :/
>
> Paul
>
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
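A way to avoid the silent overwrite Noam reports (the "appending to it" warning followed by a replaced /etc/ipsec.secrets), as an added example written for this page and not taken from the thread or from the libreswan project: generate the key into a fresh temporary file using the plain `ipsec newhostkey --output FILE` form the thread reports as working, back up the real secrets file first, and merge only the lines that are not already present. The default paths, the backup naming, and the assumption that newhostkey writes the new key's secrets entry as whole lines to the --output file are my assumptions, not facts confirmed by the thread.

```shell
#!/bin/sh
# Added example (not libreswan's own code and not from the mailing-list thread):
# add a host key to ipsec.secrets without losing the entries already in it.
# Assumptions: `ipsec newhostkey --output FILE` writes the new key's secrets
# entry as one or more whole lines to FILE; the secrets path defaults to
# /etc/ipsec.secrets. Adjust both for your distribution.
set -eu

# Copy FILE to FILE.bak.<timestamp>, preserving mode and ownership, before
# anything touches it. Prints the backup path so a caller can verify it.
backup_file() {
    file=$1
    if [ -f "$file" ]; then
        backup="${file}.bak.$(date +%Y%m%d%H%M%S)"
        cp -p "$file" "$backup"
        printf '%s\n' "$backup"
    fi
}

# Append to DST every line of SRC that DST does not already contain verbatim.
# Re-running with the same SRC therefore never duplicates a key or PSK line.
# Prints the number of lines added.
append_missing_lines() {
    src=$1
    dst=$2
    added=0
    [ -f "$dst" ] || : > "$dst"
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        if ! grep -qxF -- "$line" "$dst"; then
            printf '%s\n' "$line" >> "$dst"
            added=$((added + 1))
        fi
    done < "$src"
    printf '%s\n' "$added"
}

# Generate a host key into a private temp file (mktemp creates it mode 0600)
# and merge the result into the real secrets file. Needs libreswan installed;
# the checks below only exercise the two helpers above.
safe_newhostkey() {
    secrets=${1:-/etc/ipsec.secrets}
    tmp=$(mktemp)
    backup_file "$secrets" >/dev/null
    # Writing to an empty temp file sidesteps the reported overwrite of the
    # existing secrets file; the "exists, appending" warning is harmless here.
    ipsec newhostkey --output "$tmp"
    append_missing_lines "$tmp" "$secrets"
    rm -f "$tmp"
}

# Usage (as root): safe_newhostkey /etc/ipsec.secrets
```

After the merge, `ipsec showhostkey --list` should show the new CKAID alongside any older ones, and the backup lets you diff the before and after copies of the secrets file to confirm that no pre-existing PSK or RSA entry was dropped.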