On Tue, 2 Oct 2018, Alex wrote:

Here is the process I followed on arcade:
[root@arcade etc]# rm -f ipsec.conf
[root@arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
NSS database in /etc/ipsec.d not initialized.
   Please run 'ipsec initnss --nssdir /etc/ipsec.d'
[root@arcade etc]# ipsec initnss --nssdir /etc/ipsec.d
Initializing NSS database

[root@arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
Generated RSA key pair with CKAID
78ade3745b30ac9c857147cc4de0dc1ca140e6f4 was stored in the NSS
database

You do not need to use --output /etc/ipsec.secrets anymore for RSA/ECDSA
keys.

[root@arcade etc]# ipsec showhostkey --right --ckaid
78ade3745b30ac9c857147cc4de0dc1ca140e6f4
       # rsakey AwEAAbEfZ
       
rightrsasigkey=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

So did you add this to your configuration file? (on both ends)

003 "mytunnel" #2: ignoring informational payload AUTHENTICATION_FAILED, 
msgid=00000000, length=12

The other end failed.

Here is the process I followed on orion:
[root@orion ~]# ipsec initnss --nssdir /etc/ipsec.d
Initializing NSS database

[root@orion ~]# ipsec newhostkey --output /etc/ipsec.secrets
/usr/libexec/ipsec/newhostkey: WARNING: file "/etc/ipsec.secrets"
exists, appending to it
Generated RSA key pair with CKAID
192fbeeba1b10bf1e427d7447e87e6270a0f8d64 was stored in the NSS
database
[root@orion ~]# ipsec showhostkey --left --ckaid
192fbeeba1b10bf1e427d7447e87e6270a0f8d64
       # rsakey AwEAAcM3S
       
leftrsasigkey=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

Did you add this to the configuration file (on both ends)?

[root@orion etc]# ipsec auto --up mytunnel
002 "mytunnel" #1: initiating Main Mode

It looks like you did not restart libreswan; this is needed to re-open
the NSS database after adding the new keypair.

003 "mytunnel" #1: Can't find the certificate or private key from the NSS CKA_ID

This looks like what happens when you don't restart after adding a
keypair.

In this version of /etc/ipsec.conf, I was experimenting with
left/rightckaid, but I've also uncommented left/rightsigkey and tried
that as well. The error messages above are from my attempt to use the
keys.

# /etc/ipsec.conf
# The version 2 is only required for compatibility with openswan
version 2

config setup
   protostack=netkey

conn mytunnel
   leftid=@west
   left=68.195.193.42
       # rsakey AwEAAcM3S
       
#leftrsasigkey=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
       leftckaid=192fbeeba1b10bf1e427d7447e87e6270a0f8d64
   rightid=@east
   right=107.155.66.2
       # rsakey AwEAAbEfZ
       
#rightrsasigkey=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
       rightckaid=78ade3745b30ac9c857147cc4de0dc1ca140e6f4
   authby=rsasig
   # use auto=start when done testing the tunnel
   auto=add

For the local endpoint you can use *ckaid=, but for the remote endpoint
you cannot: you must use the actual public key, i.e. the *rsasigkey=
version. (The CKAID is a hash of the public key, so it cannot be used as
a public key, and with raw keys you do not send your public key to the
other endpoint, as is done when using certificates.)

Paul