Hi, I'm still trying to build a host-to-host vpn and it's now failing with "Can't find the certificate or private key from the NSS CKA_ID". I can't find any way to specify an explicit path, or even where it's looking.
I found an old thread from Feb that indicated I should specify --output /etc/ipsec.secrets to the newhostkey command, and I've done that. I've included below all the details I can think of to help troubleshoot this. I've also tried specifying left/rightckaid and that didn't work either. This config involves two hosts - arcade (right, remote) and orion (left, local). I'm using "east" and "west" in this /etc/ipsec.conf, but have also tried using the actual hostnames.

    [root@orion etc]# rpm -q libreswan
    libreswan-3.25-3.fc28.x86_64

Here is the process I followed on arcade:

    [root@arcade etc]# rm -f ipsec.conf
    [root@arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
    NSS database in /etc/ipsec.d not initialized.
    Please run 'ipsec initnss --nssdir /etc/ipsec.d'
    [root@arcade etc]# ipsec initnss --nssdir /etc/ipsec.d
    Initializing NSS database
    [root@arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
    Generated RSA key pair with CKAID 78ade3745b30ac9c857147cc4de0dc1ca140e6f4 was stored in the NSS database
    [root@arcade etc]# ipsec showhostkey --right --ckaid 78ade3745b30ac9c857147cc4de0dc1ca140e6f4
    # rsakey AwEAAbEfZ
    rightrsasigkey=0sAwEAAbEfZRzZ9Y3qC80mHpZFZ1qijnJ+dl+XMHhsvGLbcVkqiJYJ43tYH3fU6eWONm6icrJAouqIcyb9DlyVTIpxHeCjnQxbEJCPOLVZZ+V40SEHasDNmKQmEODhQAXOxx69Cy+3zTmZFWbHk4rud2LsVc3M/JUggRt+zcIFueR3wUjvQxeI/LkDKDMuaqbvRTs8TUa2CpZHbWmClex/q0SLz+P+vDeWPzUHPGAaOtAtvDpn4wgjZ0QquMdPIDL3QYNQRHQT5OAeFeWsi4dlWxpy9zv4NG305cWFkGNV4089kf4dTnGTJcnKEd1Gcfy4X33q+lq3kDPjg+GAt2guCGtlYbRK7AyxHB8BhQTM4YhFOjaMcyl18v6AA8FaSRf7LRnwMgeJ1QVKk0FGD02hW3VxIYuNu/DQA//aGJgQ1BD73+Y6BhDDpVP1Sf6oN13r3Cwpf48NoQETMo0LxG/38gDXWswQ7jRcePcXIXr9VFdaC3WoxoEe29ivEx87yfwcj6FxqHwMU6en+qj/M/5aDIN7PaOuoDY9UMlhB/TP6pc1dRcHX8gr6gsVKlV7hiKyNQdI2XANaGqGCAHYMK4ojPHojQZl3ApF/VU=
    [root@arcade etc]# service ipsec restart
    Redirecting to /bin/systemctl restart ipsec.service
    [root@arcade etc]# ipsec auto --add mytunnel
    002 "mytunnel": deleting non-instance connection
    002 added connection description "mytunnel"
    [root@arcade etc]# ipsec auto --up mytunnel
    002 "mytunnel" #2: initiating Main Mode
    104 "mytunnel" #2: STATE_MAIN_I1: initiate
    106 "mytunnel" #2: STATE_MAIN_I2: sent MI2, expecting MR2
    108 "mytunnel" #2: STATE_MAIN_I3: sent MI3, expecting MR3
    003 "mytunnel" #2: ignoring informational payload AUTHENTICATION_FAILED, msgid=00000000, length=12
    003 "mytunnel" #2: received and ignored informational message
    010 "mytunnel" #2: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
    003 "mytunnel" #2: ignoring informational payload AUTHENTICATION_FAILED, msgid=00000000, length=12
    003 "mytunnel" #2: received and ignored informational message
    010 "mytunnel" #2: STATE_MAIN_I3: retransmission; will wait 1 seconds for response
    003 "mytunnel" #2: ignoring informational payload AUTHENTICATION_FAILED, msgid=00000000, length=12
    003 "mytunnel" #2: received and ignored informational message

Here is the process I followed on orion:

    [root@orion ~]# ipsec initnss --nssdir /etc/ipsec.d
    Initializing NSS database
    [root@orion ~]# ipsec newhostkey --output /etc/ipsec.secrets
    /usr/libexec/ipsec/newhostkey: WARNING: file "/etc/ipsec.secrets" exists, appending to it
    Generated RSA key pair with CKAID 192fbeeba1b10bf1e427d7447e87e6270a0f8d64 was stored in the NSS database
    [root@orion ~]# ipsec showhostkey --left --ckaid 192fbeeba1b10bf1e427d7447e87e6270a0f8d64
    # rsakey AwEAAcM3S
    leftrsasigkey=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
    [root@orion etc]# ipsec auto --up mytunnel
    002 "mytunnel" #1: initiating Main Mode
    104 "mytunnel" #1: STATE_MAIN_I1: initiate
    010 "mytunnel" #1: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
    010 "mytunnel" #1: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
    106 "mytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    003 "mytunnel" #1: Can't find the certificate or private key from the NSS CKA_ID
    003 "mytunnel" #1: unable to locate my private key for RSA Signature
    224 "mytunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
    002 "mytunnel" #1: sending notification AUTHENTICATION_FAILED to 107.155.66.2:500
    003 "mytunnel" #1: Can't find the certificate or private key from the NSS CKA_ID
    003 "mytunnel" #1: unable to locate my private key for RSA Signature
    224 "mytunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED

In this version of /etc/ipsec.conf, I was experimenting with left/rightckaid, but I've also uncommented left/rightsigkey and tried that as well. The error messages above are from my attempt to use the keys.

    # /etc/ipsec.conf
    # The version 2 is only required for compatibility with openswan version 2
    config setup
        protostack=netkey

    conn mytunnel
        leftid=@west
        left=68.195.193.42
        # rsakey AwEAAcM3S
        #leftrsasigkey=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
        leftckaid=192fbeeba1b10bf1e427d7447e87e6270a0f8d64
        rightid=@east
        right=107.155.66.2
        # rsakey AwEAAbEfZ
        #rightrsasigkey=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
        rightckaid=78ade3745b30ac9c857147cc4de0dc1ca140e6f4
        authby=rsasig
        # use auto=start when done testing the tunnel
        auto=add

Here is the output from an attempt to add the tunnel using left/rightckaid instead of left/rightrsasigkey:

    [root@orion etc]# ipsec auto --add mytunnel
    002 "mytunnel": deleting non-instance connection
    036 left certificate with CKAID '192fbeeba1b10bf1e427d7447e87e6270a0f8d64' not found in NSS DB
    036 right certificate with CKAID '78ade3745b30ac9c857147cc4de0dc1ca140e6f4' not found in NSS DB
    002 added connection description "mytunnel"

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
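A small check for the "Can't find the certificate or private key from the NSS CKA_ID" situation above, added here and not part of the thread: it compares the CKAIDs named by leftckaid/rightckaid in an ipsec.conf with the private keys that `certutil -K -d sql:/etc/ipsec.d` reports for the NSS database, so a CKAID typed into the conf that no local key carries shows up before the tunnel is brought up. The sample conf and certutil output are constructed in the shape of the thread's files, and conf_ckaids, db_ckaids, check_ckaids and write_samples are this script's own names.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: cross-check the CKAIDs an ipsec.conf
# names against the private keys that 'certutil -K -d sql:/etc/ipsec.d' lists.
# The conf and certutil output below are constructed samples; all file paths
# and function names are this script's own assumptions.

# CKAIDs named by leftckaid=/rightckaid= lines, lower-cased, one per line.
conf_ckaids() {
    sed -nE 's/^[[:space:]]*(left|right)ckaid=([0-9a-fA-F]+).*/\2/p' "$1" | tr 'A-F' 'a-f'
}

# CKAIDs of the private keys in saved 'certutil -K' output ("<  0> rsa  <ckaid> ...").
db_ckaids() {
    sed -nE 's/^<[ 0-9]+>[[:space:]]+[a-z]+[[:space:]]+([0-9a-fA-F]+).*/\1/p' "$1" | tr 'A-F' 'a-f'
}

# Report each conf CKAID as ok or MISSING; exit status 1 if any is missing.
# "unable to locate my private key" concerns the local (left) side's CKAID.
check_ckaids() {
    _rc=0
    for _id in $(conf_ckaids "$1"); do
        if db_ckaids "$2" | grep -qx "$_id"; then
            echo "ok      $_id"
        else
            echo "MISSING $_id  (no private key with this CKAID in the certutil -K output)"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed samples: only the left key exists in this NSS DB.
write_samples() {
    cat > "$1/ipsec.conf" <<'EOF'
conn mytunnel
    leftckaid=192fbeeba1b10bf1e427d7447e87e6270a0f8d64
    rightckaid=78ade3745b30ac9c857147cc4de0dc1ca140e6f4
    authby=rsasig
EOF
    cat > "$1/certutil-K.txt" <<'EOF'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
<  0> rsa      192fbeeba1b10bf1e427d7447e87e6270a0f8d64   (orphan)
EOF
}

# Stand-alone run against the samples. On a real host:
#   certutil -K -d sql:/etc/ipsec.d > /tmp/certutil-K.txt; check_ckaids /etc/ipsec.conf /tmp/certutil-K.txt
d=$(mktemp -d); write_samples "$d"
check_ckaids "$d/ipsec.conf" "$d/certutil-K.txt"; rm -rf "$d"
```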