[Openswan Users] problems with INVALID_KEY_INFORMATION on Debian
Jim Blake
jim at blakes.homeip.net
Wed May 23 16:17:09 EDT 2007
Hi Peter
<<SNIP>>
>>
>> input: ipsec newhostkey --output /root/tmpkey
>> input: cat /root/tmpkey >> /etc/ipsec.secrets
>> input: rm /root/tmpkey
<<SNIP>>
Did you do this once for each of the two machines?
Yes, and took leftkey from the left machine, and rightkey from the right
>
> This isn't your problem, openswan just uses plain rsa keys
> By default, no certs, there is nothing wrong with plain rsa keys.
> Whack is just part of the ipsec process.
Fair enough, that's what I originally thought, but when it didn't work, I
began to wonder....
>
> Your two confs, should be nearly the same, something like this...
> (But using your own keys, ips and subnets, etc...)
My two confs were absolutely identical...I created the ipsec.conf file on
a memory stick and copied it to both machines without change
> Host A:
> /etc/ipsec.conf
> conn stmarys-office-net-to-london-office-net
> left=66...
> leftnexthop=%defaultroute
> leftid=@sheridan.london.goco.net
> # RSA 2192 bits sheridan.london.goco.net
> leftrsasigkey=0sAQNd...
> leftsubnet=172.21.3.0/24
> leftsourceip=172.21.3.101
> right=69...
> rightnexthop=%defaultroute
> rightid=@delenn.stmarys.goco.net
> # RSA 2192 bits delenn.stmarys.goco.net
> rightrsasigkey=0sAQNs...
> rightsubnet=172.21.1.0/24
> rightsourceip=172.21.1.49
> auto=start
> /etc/ipsec.secrets
> : RSA {
> # RSA 2192 bits sheridan.london.goco.net
> # for signatures only, UNSAFE FOR ENCRYPTION
> #pubkey=0sAQNd...
> ...
> }
> # do not change the indenting of that "}"
>
> Host B:
> /etc/ipsec.conf
> conn stmarys-office-net-to-london-office-net
> left=69...
> leftnexthop=%defaultroute
> leftid=@delenn.stmarys.goco.net
> # RSA 2192 bits delenn.stmarys.goco.net
> leftrsasigkey=0sAQNs...
> leftsubnet=172.21.1.0/24
> leftsourceip=172.21.1.49
> right=66...
> rightnexthop=%defaultroute
> rightid=@sheridan.london.goco.net
> # RSA 2192 bits sheridan.london.goco.net
> rightrsasigkey=0sAQNd...
> rightsubnet=172.21.3.0/24
> rightsourceip=172.21.3.101
> auto=start
> /etc/ipsec.secrets
> : RSA {
> # RSA 2192 bits delenn.stmarys.goco.net
> # for signatures only, UNSAFE FOR ENCRYPTION
> #pubkey=0sAQNs...
> ...
> }
> # do not change the indenting of that "}"
Were your ipsec.secrets files created automatically, or did you build them
manually?
>
> Make sure your keys copied into your confs are one big line, they will
> wrap
> a few times on an 80 column terminal, and all conn lines are indented with
> a tab.
Yes, I did that.........
Here's the ipsec.conf file, suitably anonymised:
# /etc/ipsec.conf (Openswan 2.x). The same file is installed on both peers;
# it carries only the two public signing keys, the private half of each
# host's key lives in that host's /etc/ipsec.secrets (root-only, mode 600).
version 2.0 # conforms to second version of ipsec.conf specification

# global pluto/klips settings
config setup
	interfaces=%defaultroute
	# klipsdebug=all
	#plutodebug=control
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg: plutodebug="control parsing"
	# NOTE(review): the "private" flag is intended to dump secret key
	# material into the log; keep it off outside a controlled debugging
	# session and check log file permissions before using it.
	#
	# Only enable klipsdebug=all if you are a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	# nat_traversal=yes
	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	#
	# enable this if you see "failed to find any available worker"
	# nhelpers=0
# settings inherited by every conn that follows
conn %default
	# peers authenticate each other with RSA signatures; no pre-shared
	# secret is involved, so nothing secret ever appears in this file
	authby=rsasig
# site-to-site tunnel between swan (left) and debian (right). Both public
# keys are listed, which is why one identical file can be used on both
# hosts; presumably each pluto picks its own side from the local IP - confirm.
conn left-to-right
	left=81.2.96.38
	leftsubnet=10.0.0.0/24
	# identity sent in IKE; the peer looks up the public key by this ID
	leftid=@swan.blakes.homeip.net
	# left's public RSA key (the "0s" base64 form printed by ipsec showhostkey)
	leftrsasigkey=0sAQNZqfnhuiIaYV/kEfWTNKaQbo5AwR8qqGzBk+YupzUt8DO616Etb/xXD2GD5fXnetzYHC/E/GXLZ6aSRyZYLhCXhAzl17zErPFec4PFdynKyAH6i0DIPh3H7n7J8t+bfeKldc+h1H/UKgFqwJsGm0p3BRo5oQ+bKq1SQVlt+AVBTcHIUR+++XJVTNkUaBZ34vwggHs/jITQ8doKe0HdSgIIEn0qEPsUKuFlggPJDgFzWDmrXn61234B5zumJCsgxV3yLobIr1IiztPiVmuA1z7tqIyrvQ85xv+cmCmvvoRWjCEZZWaGan4rPVz2zVqkBlgAYvXtzpDzplesCBntHseJ6BfVh3TwcdniksIA/8j5Qod1
	leftnexthop=%defaultroute
	right=81.2.96.36
	rightsubnet=10.0.1.0/24
	rightid=@debian.blakes.homeip.net
	# right's public RSA key
	# NOTE(review): INVALID_KEY_INFORMATION is typically raised when pluto
	# cannot find a public key for the peer's ID, or the signature does not
	# verify against the key it found. Check on each host that the pubkey
	# line in its ipsec.secrets is byte-for-byte the key given for that host
	# here, and that ipsec.secrets contains only one ": RSA" block - the new
	# key was appended with "cat >>", so a distro-generated key may precede
	# it and be the one actually used. Confirm against the pluto log.
	rightrsasigkey=0sAQOMVVGFuFKdtyEB7p0pLatx4oO3G1LB8Ln/KpkVbzHbsUymgp0UUHTId3MJcMppOoL6PuwHMgJaO6mf9otSyxLzj/D1AhvdTaLsNZqKNOLmEhhJicrXMUp0wOACr1OeGqfiVLaT6tzyBki9nbhqUzlhtpYvRggHpYpS5aMNa217isk45XyeCIDB6yKJDqdTzSBD81VWF07V82laYSDY/1YqKeZf/Kufh75vKbCBeA/9jnBkCeRdDfxXCIf22vvy0jqewTi/b/tS8XWKe/wrEoHiNVv2uzBzbCaV6fFeFnxroMcRig0exEe8Lwbq3vOxaCH9VXWJY072g+2kxB3YKHFXwqjMBd6ml/kydskyN/vip7LZ
	rightnexthop=%defaultroute
	# add = load the conn at startup but do not initiate it; bring it up on one
	# side with "ipsec auto --up left-to-right" (or use auto=start as in the
	# quoted example) and then check the log on both ends
	auto=add
# Disable Opportunistic Encryption: pluto will not try to negotiate with
# arbitrary hosts, only the explicitly defined conn above is offered
include /etc/ipsec.d/examples/no_oe.conf
Jim Blake
e:jim at blakes.homeip.net
m:07971 070751
h:01628 520495