On Tue, 29 Jan 2019, Alex wrote:

I'm now trying to build a tunnel between the server with the static IP
and another host with a static IP and the same libreswan on fedora,
but having a similar problem that I used to have with "wrong key?"
messages when I *know* I'm doing it right.

On bwimail03:
002 "bwimail03-arcade" #5: IKEv2 mode peer ID is ID_FQDN: '@arcade'
003 "bwimail03-arcade" #5: Signature check (on @arcade) failed (wrong
key?); tried *AwEAAfVyj
002 "bwimail03-arcade" #5: RSA authentication failed
036 "bwimail03-arcade" #5: encountered fatal error in state STATE_PARENT_I2

Could there be another explanation for it being unable to find the
right key? It's choosing the key that's intended for the remote system
instead of the one for itself, or so it appears.

Yes, that is normal. It is using the remote public key to verify the remote 
peer :)

- Is there any difference between these two commands:
certutil -N -d sql:/etc/ipsec.d
ipsec initnss --nssdir /etc/ipsec.d

No.

- Sometimes if I shut down the VPN (service ipsec stop) in the wrong
order, the remote system becomes unreachable. How can I prevent that
from happening?

If the system goes down before it sends the "Delete/Notify" request, the
other end won't know it went down and will expect encrypted packets only
and assume the plaintext packets are forged. You can enable DPD so the
remote can figure this out before rekey/expire time. But if this happens
often, it is worth checking the shutdown process to see if there is
something specific happening that is causing the packet to be lost.

- How do you delete a key? Using -F doesn't work.
ipsec -F -d sql:/etc/ipsec.d -n <ckaid>

# certutil -K -d sql:/etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User
Private Key and Certificate Services"
< 0> rsa      a97801beda74b01e2fe3647a87dc9f0e7ad75268   (orphan)
# certutil -F -d sql:/etc/ipsec.d -n a97801beda74b01e2fe3647a87dc9f0e7ad75268
# certutil -K -d sql:/etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User
Private Key and Certificate Services"
< 0> rsa      a97801beda74b01e2fe3647a87dc9f0e7ad75268   (orphan)

I don't think it is possible using certutil. I tend to just nuke the nss
db.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
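The orphan key Alex could not remove with certutil, and Paul's answer of rebuilding the NSS database, as an added shell example that is not from the thread: it pulls orphan CKAIDs out of certutil -K output and wraps the "nuke the nss db" step in a backed-up, scripted procedure. The certutil output embedded below is constructed; the commands assumed to exist are NSS certutil and libreswan's ipsec initnss, ipsec newhostkey and ipsec showhostkey.

```shell
#!/bin/sh
# Added example, not from the thread: find orphan private keys in libreswan's
# NSS database and, since certutil cannot remove them, rebuild the database
# with a backup. Assumes NSS certutil and libreswan's "ipsec initnss",
# "ipsec newhostkey" and "ipsec showhostkey" are installed.

NSSDIR="${NSSDIR:-/etc/ipsec.d}"

# Constructed sample of "certutil -K" output, shaped like the one in the thread
# (one orphan raw RSA key and one key that has a matching certificate).
SAMPLE_CERTUTIL_K='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      a97801beda74b01e2fe3647a87dc9f0e7ad75268   (orphan)
< 1> rsa      0123456789abcdef0123456789abcdef01234567   bwimail03'

# Read "certutil -K" output on stdin and print the CKAID of every key marked
# "(orphan)": a private key with no certificate, which is how a raw RSA host
# key created by "ipsec newhostkey" normally appears.
orphan_ckaids() {
    awk '/\(orphan\)[[:space:]]*$/ {
            for (i = 1; i <= NF; i++)
                if (length($i) == 40 && $i ~ /^[0-9a-f]+$/) print $i
         }'
}

# Same check against the live database (needs read access to $NSSDIR).
list_orphans() {
    certutil -K -d "sql:$NSSDIR" 2>/dev/null | orphan_ckaids
}

# Paul's "nuke the nss db", done carefully: stop pluto, move the old database
# files aside, initialise a fresh one and generate a new host key. Run as root.
# The peer's leftrsasigkey=/rightrsasigkey= line must then be updated with the
# public key that showhostkey prints, or the "wrong key?" failure comes back.
rebuild_nssdb() {
    backup="$NSSDIR.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" || return 1
    systemctl stop ipsec
    for f in cert9.db key4.db pkcs11.txt cert8.db key3.db secmod.db; do
        [ -e "$NSSDIR/$f" ] && mv "$NSSDIR/$f" "$backup/"
    done
    ipsec initnss --nssdir "$NSSDIR" || return 1
    # newhostkey reports the CKAID of the key it created; capture it for showhostkey.
    ckaid=$(ipsec newhostkey --nssdir "$NSSDIR" 2>&1 | grep -o '[0-9a-f]\{40\}' | head -n 1)
    [ -n "$ckaid" ] || return 1
    ipsec showhostkey --left --ckaid "$ckaid"
    echo "old database saved in $backup"
}

# Demo on the constructed sample; prints a97801beda74b01e2fe3647a87dc9f0e7ad75268
printf '%s\n' "$SAMPLE_CERTUTIL_K" | orphan_ckaids
```

Run list_orphans to check the real database, and rebuild_nssdb only after confirming the backup location suits you.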