Hi, I am trying to bring up a host-to-host tunnel using libreswan (Linux Libreswan 3.20 (netkey) on 3.10.0-514.26.2.el7.x86_64) on CentOS, using certificates as the authentication mechanism. Before this I was able to test "preshared key" and "unauthenticated OE", and both of them work fine.
With certificates, pluto was throwing the following error:
#########################################
"002 "test" #2: initiating v2 parent SA
133 "test" #2: STATE_PARENT_I1: initiate
133 "test" #2: STATE_PARENT_I1: sent v2I1, expected v2R1
003 "test" #2: Failed to find our RSA key"
################################################
I can see that the RSA key is there in the NSS DB ("certutil -K -d sql:/etc/ipsec.d/").
Steps followed:
1] Generated self-signed certificates on both hosts.
2] Exported the certs and ensured that importing the peer's cert worked fine
("certutil -L -d sql:/etc/ipsec.d").
3] PFA /etc/ipsec.conf.
4] Started ipsec, added the connection ("ipsec auto --add <conn>") and tried
to bring it up ("ipsec auto --up <conn>").
As per the libreswan documentation, it looks like pluto should be referring to the
NSS DB for private keys and certs. It looks like we are missing some configuration here.
Please let me know the needed configuration.
Thanks a lot .
-Regards,
Kesav.
Kesava Vunnava
ENGINEER.SOFTWARE ENGINEERING
[email protected]<mailto:[email protected]>
Mobile: 7893426891
Cisco.com<http://www.cisco.com/>
Attachment: ipsec.conf
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
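The attached ipsec.conf is not visible on this page, so the following is an added example, not the poster's configuration or libreswan's own code. It shows one way to wire a libreswan 3.x host to certificates held in its NSS database: generate a self-signed cert and RSA key directly in the DB, export only the certificate, import the peer's cert as a trusted peer, confirm the private key is listed by `certutil -K`, and render a conn that names the NSS nickname with `leftcert=` and sets `leftrsasigkey=%cert` so pluto looks for the key in NSS rather than for a raw RSA key. The nicknames (hostA, hostB), addresses (192.0.2.x), conn name and NSS directory are assumptions for illustration; the check function tests only for the two settings that a cert-based conn needs and does not claim to diagnose the attached file.

```shell
#!/bin/sh
# Added example (not from the original post or the libreswan project).
# Assumed values: nicknames hostA/hostB, addresses 192.0.2.1/2, conn "test".
set -eu

NSSDIR=${NSSDIR:-sql:/etc/ipsec.d}

# Generate a self-signed certificate plus RSA key straight into the NSS DB.
# -x self-signs, -t "u,u,u" marks it as our own user cert (key is private to us).
nss_make_selfsigned() {   # $1 = nickname, $2 = subject DN
  noise=$(mktemp)
  head -c 64 /dev/urandom > "$noise"
  certutil -S -d "$NSSDIR" -n "$1" -s "$2" -x -t "u,u,u" -k rsa -g 2048 -z "$noise"
  rm -f "$noise"
}

# Export only the certificate (ASCII PEM); the private key never leaves the DB.
nss_export_cert() {       # $1 = nickname, $2 = output file
  certutil -L -d "$NSSDIR" -n "$1" -a > "$2"
}

# Import the peer's self-signed cert as a trusted peer ("P,,") under its nickname.
nss_import_peer() {       # $1 = nickname for the peer, $2 = PEM file from the peer
  certutil -A -d "$NSSDIR" -n "$1" -t "P,," -a -i "$2"
}

# The check the error message points at: is a private key for this nickname in the DB?
nss_has_key() {           # $1 = nickname
  certutil -K -d "$NSSDIR" | grep -q -- "$1"
}

# Render a host-to-host conn that authenticates with NSS-held certificates.
# leftcert= names our nickname; leftrsasigkey=%cert tells pluto to take the key
# from that certificate instead of ipsec.secrets; %fromcert derives the IDs.
render_conn() {           # $1 = conn, $2 = left IP, $3 = left nick, $4 = right IP, $5 = right nick
  cat <<EOF
conn $1
    ikev2=insist
    authby=rsasig
    left=$2
    leftcert=$3
    leftrsasigkey=%cert
    leftid=%fromcert
    leftsendcert=always
    right=$4
    rightcert=$5
    rightrsasigkey=%cert
    rightid=%fromcert
    auto=add
EOF
}

# Returns 0 only if the conn file carries both settings a cert-based conn needs
# on our side: a leftcert= nickname and leftrsasigkey=%cert.
conf_has_cert_auth() {    # $1 = conn file
  grep -Eq '^[[:space:]]*leftcert=' "$1" &&
  grep -Eq '^[[:space:]]*leftrsasigkey=%cert' "$1"
}

# Dispatch so the file can be sourced for its functions or run as a tool:
#   sh nss-certs.sh setup hostA            # make hostA + key, write hostA.pem
#   sh nss-certs.sh import hostB hostB.pem # trust the peer's cert
#   sh nss-certs.sh conf test 192.0.2.1 hostA 192.0.2.2 hostB > /etc/ipsec.d/test.conf
case "${1:-}" in
  setup)  nss_make_selfsigned "$2" "CN=$2"; nss_export_cert "$2" "$2.pem"; nss_has_key "$2" ;;
  import) nss_import_peer "$2" "$3" ;;
  conf)   render_conn "$2" "$3" "$4" "$5" "$6" ;;
  *)      : ;;
esac
```

After writing the conn file, `ipsec auto --add test` and `ipsec auto --up test` as in the post; if `nss_has_key` reports the key but the conn lacks `leftcert=`, pluto has no way to map the conn to that NSS key.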
