On Thu, 30 Nov 2017, Kesava Vunnava (kesriniv) wrote:
> Trying to bring up a host-host tunnel using libreswan (Linux Libreswan 3.20 (netkey) on 3.10.0-514.26.2.el7.x86_64) over CentOS, using certificates as the authentication mechanism. Before this I was able to test "preshared key" and "unauthenticated OE", and both of them work fine.
I didn't know PSK worked. We don't really test/recommend it because sharing your key with all nodes basically gives the same security as authnull (in case of a single node compromise that leaks the PSK).
> With certificates, pluto was throwing the following error:
>
>     133 "test" #2: STATE_PARENT_I1: sent v2I1, expected v2R1
>     003 "test" #2: Failed to find our RSA key
We had a few releases where there was confusion about whether the ipsec.secrets entry was needed or not for RSA/certs. Could you re-test this with 3.22? You can find rpms on download.libreswan.org/binaries/rhel/7/
> 1] Generated self-signed certificates on both hosts.
There was also a bug introduced a few versions ago that would cause NSS to reject all self-signed certs without a CA. So please do try 3.22. But note, the whole idea of using certificates is that you don't hardcode any certs, and use a common CA for trust, so you should really not be using self-signed certs for this, but generate these from a single CA and install the CA everywhere. The easiest is to generate PKCS#12 (.p12) files and import these using "ipsec import".

Paul

_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
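As an added illustration of the single-CA setup recommended above (this script is not from the thread or from the libreswan project, and assumes `openssl` is installed; the CA name, host names, file names and passphrase are made up), the following builds one CA, issues a certificate per host with a SAN matching the ID the host will use, bundles key, certificate and CA into a .p12 per host, and checks that each host certificate chains to the CA, which is what pluto/NSS has to be able to do:

```shell
#!/bin/sh
# Added example: one CA, per-host certificates, one PKCS#12 bundle per host.
# All names below are hypothetical; P12_PASS is a placeholder export passphrase.
set -eu

CA_SUBJ="/CN=Example VPN CA"
P12_PASS="change-me"

# Create the CA once; its private key stays off the VPN hosts.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "$CA_SUBJ" -keyout ca.key -out ca.crt 2>/dev/null
}

# Issue a host certificate signed by the CA. The SAN must match the
# leftid/rightid used in ipsec.conf; the -name friendly name becomes the
# NSS nickname referenced by leftcert/rightcert after "ipsec import".
issue_host() {
    name="$1"; fqdn="$2"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$fqdn" > "$name.ext"
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    openssl pkcs12 -export -in "$name.crt" -inkey "$name.key" -certfile ca.crt \
        -name "$name" -passout "pass:$P12_PASS" -out "$name.p12"
}

# Verify the chain the same way a peer will: host cert -> our CA.
verify_host() {
    openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d); cd "$work"
    make_ca
    issue_host hosta hosta.example.test
    issue_host hostb hostb.example.test
    verify_host hosta && verify_host hostb
    # Each host imports only its own bundle; the CA cert travels inside the .p12.
    echo "scp $work/hosta.p12 hosta:/root/ && ssh hosta ipsec import /root/hosta.p12"
    echo "scp $work/hostb.p12 hostb:/root/ && ssh hostb ipsec import /root/hostb.p12"
}

main "$@"
```

The printed `ipsec import` commands are left as output rather than executed so the script can be run on a workstation that is not a VPN endpoint.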
