The config file you posted used leftckaid= and you said you copied it to both sides, which wouldn’t work. Can you confirm you are trying only with leftrsasigkey and rightrsasigkey? If that still fails, send me output using plutodebug=all and fresh certutil / showhostkey output.
Sent from my phone

> On Oct 2, 2018, at 17:54, Paul Wouters <p...@nohats.ca> wrote:
>
>> On Tue, 2 Oct 2018, Alex wrote:
>>
>> Here is the process I followed on arcade:
>> [root@arcade etc]# rm -f ipsec.conf
>> [root@arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
>> NSS database in /etc/ipsec.d not initialized.
>> Please run 'ipsec initnss --nssdir /etc/ipsec.d'
>> [root@arcade etc]# ipsec initnss --nssdir /etc/ipsec.d
>> Initializing NSS database
>>
>> [root@arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
>> Generated RSA key pair with CKAID 78ade3745b30ac9c857147cc4de0dc1ca140e6f4 was stored in the NSS database
>
> You do not need to use --output /etc/ipsec.secrets anymore for RSA/ECDSA
> keys.
>
>> [root@arcade etc]# ipsec showhostkey --right --ckaid 78ade3745b30ac9c857147cc4de0dc1ca140e6f4
>> # rsakey AwEAAbEfZ
>> rightrsasigkey=...
>
> So did you add this to your configuration file? (on both ends)
>
>> 003 "mytunnel" #2: ignoring informational payload AUTHENTICATION_FAILED, msgid=00000000, length=12
>
> The other end failed.
>
>> Here is the process I followed on orion:
>> [root@orion ~]# ipsec initnss --nssdir /etc/ipsec.d
>> Initializing NSS database
>>
>> [root@orion ~]# ipsec newhostkey --output /etc/ipsec.secrets
>> /usr/libexec/ipsec/newhostkey: WARNING: file "/etc/ipsec.secrets" exists, appending to it
>> Generated RSA key pair with CKAID 192fbeeba1b10bf1e427d7447e87e6270a0f8d64 was stored in the NSS database
>> [root@orion ~]# ipsec showhostkey --left --ckaid 192fbeeba1b10bf1e427d7447e87e6270a0f8d64
>> # rsakey AwEAAcM3S
>> leftrsasigkey=...
>
> did you add this to the configuration file (on both ends)
>
>> [root@orion etc]# ipsec auto --up mytunnel
>> 002 "mytunnel" #1: initiating Main Mode
>
> It looks like you did not restart libreswan, this is needed to re-open
> the NSS database after adding the new keypair.
>
>> 003 "mytunnel" #1: Can't find the certificate or private key from the NSS CKA_ID
>
> This looks like what happens when you don't restart after adding a
> keypair.
>
>> In this version of /etc/ipsec.conf, I was experimenting with
>> left/rightckaid, but I've also uncommented left/rightsigkey and tried
>> that as well. The error messages above are from my attempt to use the
>> keys.
>>
>> # /etc/ipsec.conf
>> # The version 2 is only required for compatibility with openswan version 2
>>
>> config setup
>>     protostack=netkey
>>
>> conn mytunnel
>>     leftid=@west
>>     left=68.195.193.42
>>     # rsakey AwEAAcM3S
>>     #leftrsasigkey=...
>>     leftckaid=192fbeeba1b10bf1e427d7447e87e6270a0f8d64
>>     rightid=@east
>>     right=107.155.66.2
>>     # rsakey AwEAAbEfZ
>>     #rightrsasigkey=...
>>     rightckaid=78ade3745b30ac9c857147cc4de0dc1ca140e6f4
>>     authby=rsasig
>>     # use auto=start when done testing the tunnel
>>     auto=add
>
> For the local endpoint you can use *ckaid= but for the remote endpoint
> you cannot use that, you must use the actual public key, so the
> *rsasigkey= version. (The CKAID is a hash of the public key so it cannot
> be used as a public key, and with raw keys you do not send your public
> key to the other endpoint, as is done when using certificates)
>
> Paul

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
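As an added example (not code from the thread or from libreswan), a small Python linter that applies the rule Paul states above to a conn block: given which side this host is, it flags a remote *ckaid= that is not accompanied by *rsasigkey=, and a local side with neither. The config text is the conn from the thread, embedded as a constructed sample with the comment lines dropped; the local-side argument is this script's own assumption.

```python
import re

# Constructed sample: the conn from the thread, with both endpoints on *ckaid=.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn mytunnel
    leftid=@west
    left=68.195.193.42
    leftckaid=192fbeeba1b10bf1e427d7447e87e6270a0f8d64
    rightid=@east
    right=107.155.66.2
    rightckaid=78ade3745b30ac9c857147cc4de0dc1ca140e6f4
    authby=rsasig
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented: section header
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_raw_rsa_keys(conn, local_side):
    """Local side may use *ckaid= or *rsasigkey=; the remote side needs the public key itself."""
    remote = "right" if local_side == "left" else "left"
    problems = []
    if conn.get("authby") != "rsasig":
        return problems                        # rule only applies to raw RSA keys
    if not (conn.get(local_side + "ckaid") or conn.get(local_side + "rsasigkey")):
        problems.append(f"{local_side}: no {local_side}ckaid= or {local_side}rsasigkey=")
    if remote + "ckaid" in conn and remote + "rsasigkey" not in conn:
        problems.append(f"{remote}: {remote}ckaid= is only a hash of the key; "
                        f"set {remote}rsasigkey= to the peer's public key")
    return problems

if __name__ == "__main__":   # assumes this host is 'left' (orion in the thread)
    print(check_raw_rsa_keys(parse_conns(SAMPLE_CONF)["mytunnel"], "left"))
```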