Paul,

I tried running the attached reset script to reconfigure the environment. Hopefully there is absolutely no ambiguity in what I am attempting to do or use in my configuration. I also attached the host_to_host.conf file that results from the script, showing the final state.

Your email regarding the left/right rsasigkey was a bit confusing. I believe these are right the way I have them. I have double-checked that the keys in the file are appropriate for the hosts. This seems to be consistent with the other documentation and things I have seen on the web. I added the reset process for the databases, so now there is only one key per host.

192.168.89.6 is k2
192.168.89.7 is k1

However, I am still running into the same problems. I have attached the conf file as well.

003 "host-to-host" #5: unable to locate my private key for RSA Signatures
224 "host-to-host" #5: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "host-to-host" #5: sending notification AUTHENTICATION_FAILED to 192.168.89.6:500

I also tried adding leftckaid=/rightckaid= and this ran into parsing errors. So I have continued using the rsasigkeys.

-----Original Message-----
From: Paul Wouters [mailto:p...@nohats.ca]
Sent: Saturday, February 17, 2018 7:21 PM
To: klwilson...@comcast.net
Cc: swan@lists.libreswan.org
Subject: Re: [Swan] cannot locate my private key for RSA Signature

On Sat, 17 Feb 2018, klwilson...@comcast.net wrote:

> I have just installed two CentOS 7 systems and am attempting to get libreswan
> set up.
> Naively used DHCP for the hosts initially. Moved to static later on, not sure
> if this is part of the issues I am having.
>
> I ran the following on both machines:
>
> ipsec nssinit
>
> ipsec newhostkey
>
> Then I configured the host-to-host.conf two endpoints with their IP and keys
> that :

Did you use ipsec showhostkey --list and ipsec showhostkey --left/--right to add the proper public keys in your configuration?

> 003 "host-to-host" #4: unable to locate my private key for RSA
> Signature
> 224 "host-to-host" #4: STATE_MAIN_I2: AUTHENTICATION_FAILED to
> 192.168.89.6:500

Looks like your rightrsasigkey= and leftrsasigkey= are not properly configured.

> conn host-to-host
> left=192.168.89.7
> leftid="@k1"
> leftrsasigkey=[keyid AwEAAexla]

Do you have actual [brackets] there? It should not look like that.

> rightrsasigkey=[keyid AwEAAejt9]

> 000 List of RSA Public Keys:
> 000
> 000 Feb 17 12:21:16 2018, 3488 RSA Key AwEAAejt9 (no private key),
> until --- -- --:--:-- ---- ok (expires never)
> 000 ID_FQDN '@k2'
> 000 Feb 17 12:21:16 2018, 3120 RSA Key AwEAAexla (no private key),
> until --- -- --:--:-- ---- ok (expires never)
> 000 ID_FQDN '@k1'

You seem to have no private keys for those public keys? Did you reinit your nss database after grabbing the public keys?

The order to do things should be:

- ipsec stop
- delete unknown nss db: rm /etc/ipsec.d/*db
- start a new nss db: ipsec initnss
- generate a new key: ipsec newhostkey

Once you have done that on both sides, you can get the public keys on both ends to put in the configuration file.

- ipsec showhostkey --list (look at the ckaid)
- ipsec showhostkey --ckaid XXXX --left (where XXXX is the ckaid from the previous command)
- put the output of that in the config either as leftckaid=/rightckaid= or leftrsasigkey= / rightrsasigkey=

See also https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Using_raw_RSA_keys_with_NSS

Paul
Attachments: reset.sh, host_to_host.conf
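The following script is an added example, not the poster's reset.sh and not part of libreswan. It wraps Paul's key-regeneration procedure in functions and adds three checks for the two problems visible in the thread: a conf file that still carries "[keyid ...]" placeholders instead of the pasted "0s..." key values, which key the local host is expected to hold the private half of, and which keys pluto reports as "(no private key)". Assumptions, labelled in the comments: `ipsec showhostkey --list` prints the token "ckaid:" ahead of the hex CKAID, `ipsec showhostkey --ckaid X --left` prints a ready-to-paste "leftrsasigkey=0s..." line, and the "(no private key)" marker parsed by the last check is taken from the `--listpubkeys` output quoted in the thread. The conf and listing fed to it below are constructed from the values in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from libreswan): helpers for the raw-RSA
# host key procedure and for checking a host-to-host conf for the two problems
# seen in the thread (bracketed key placeholders, missing private key).
# Assumptions: `ipsec showhostkey --list` prints "ckaid: <hex>", and
# `ipsec showhostkey --ckaid X --left|--right` prints a pasteable
# "<side>rsasigkey=0s..." line. Adjust the sed/grep patterns if your version differs.

# Step 1: wipe the NSS database and generate exactly one host key.
# Destructive: the old private key is gone for good. Run on each host.
regen_hostkey() {
    ipsec stop
    rm -f /etc/ipsec.d/*db
    ipsec initnss
    ipsec newhostkey
}

# Step 2: print the line to paste into the conn for this host's key.
# $1 is "left" or "right" (whichever side this host is in the conf).
hostkey_line() {
    side="$1"
    ckaid=$(ipsec showhostkey --list | sed -n 's/.*ckaid: *\([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    [ -n "$ckaid" ] || { echo "no host key in the NSS db; run regen_hostkey first" >&2; return 1; }
    ipsec showhostkey --ckaid "$ckaid" "--$side" | grep "^[[:space:]]*${side}rsasigkey="
}

# Check A: a "[keyid ...]" placeholder was pasted instead of the 0s... value.
# Returns 0 (true) if any bracketed rsasigkey value is present in the conf $1.
conf_has_bracketed_keys() {
    grep -Eq '^[[:space:]]*(left|right)rsasigkey=[[:space:]]*\[' "$1"
}

# Check B: print the rsasigkey value configured for the side whose left=/right=
# address is $2. That is the key this host must hold the private half of in NSS;
# if it does not, pluto logs "unable to locate my private key for RSA Signature".
conf_key_for_host() {
    awk -v ip="$2" '
        /^[[:space:]]*left=/  { sub(/^[[:space:]]*left=/, "");  if ($0 == ip) side = "left" }
        /^[[:space:]]*right=/ { sub(/^[[:space:]]*right=/, ""); if ($0 == ip) side = "right" }
        /^[[:space:]]*(left|right)rsasigkey=/ {
            s = $0; sub(/^[[:space:]]*/, "", s)
            split(s, kv, "="); key[kv[1]] = substr(s, index(s, "=") + 1)
        }
        END { if (side != "") print key[side "rsasigkey"] }' "$1"
}

# Check C: read `ipsec auto --listpubkeys` output on stdin (format as quoted in the
# thread) and print the keyid of every key pluto has no private key for.
# On a correctly set up host its own key must NOT appear in this list.
keys_without_private() {
    sed -n 's/.*RSA Key \([^ ]*\) (no private key).*/\1/p'
}

# Usage on a host: sh check.sh diagnose /etc/ipsec.d/host_to_host.conf 192.168.89.7
if [ "${1:-}" = "diagnose" ]; then
    conf="$2"; me="$3"
    if conf_has_bracketed_keys "$conf"; then
        echo "FAIL: $conf has [keyid ...] placeholders; paste the output of 'ipsec showhostkey --ckaid <ckaid> --left/--right' instead"
    fi
    echo "key this host must hold the private half of: $(conf_key_for_host "$conf" "$me")"
    echo "keys pluto has no private key for:"
    ipsec auto --listpubkeys | keys_without_private
fi
```

Run the regeneration once per host, paste the `hostkey_line left` output from 192.168.89.7 and the `hostkey_line right` output from 192.168.89.6 into the same conn on both machines, then run `diagnose` on each: the bracket check must pass, and the key printed by check B must be absent from check C's list on that host.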
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan