[Openswan Users] problems with INVALID_KEY_INFORMATION on Debian

Peter McGill petermcgill at goco.net
Wed May 23 16:45:37 EDT 2007


> -----Original Message-----
> From: Jim Blake [mailto:jim at blakes.homeip.net] 
> Sent: May 23, 2007 4:17 PM
> To: petermcgill at goco.net
> Cc: jim at blakes.homeip.net; users at openswan.org
> Subject: RE: [Openswan Users] problems with 
> INVALID_KEY_INFORMATION on Debian
> 
> Hi Peter
> 
> <<SNIP>>
> >>
> >> input: ipsec newhostkey --output /root/tmpkey
> >> input: cat /root/tmpkey >> /etc/ipsec.secrets
> >> input: rm /root/tmpkey
> 
> <<SNIP>>
> 
> Did you do this once for each of the two machines?
> 
> Yes, and took leftkey from the left machine, and rightkey 
> from the right
> 
> 
> 
> >
> > This isn't your problem, openswan just uses plain rsa keys
> > By default, no certs, there is nothing wrong with plain rsa keys.
> > Whack is just part of the ipsec process.
> 
> Fair enough, thats what I originally thought, but when it 
> didn't work, I
> began to wonder....
> 
> 
> >
> > Your two confs, should be nearly the same, something like this...
> > (But using your own keys, ips and subnets, etc...)
> 
> My two confs were absolutely identical...I created the 
> ipsec.conf file on
> a memory stick and copied it to both machines without change

That's fine, openswan doesn't care which end is left or right.
We just like to switch them so left is always local and right
is remote, but it will work either way.

> > Host A:
> > /etc/ipsec.conf
> > conn stmarys-office-net-to-london-office-net
> >         left=66...
> >         leftnexthop=%defaultroute
> >         leftid=@sheridan.london.goco.net
> >         # RSA 2192 bits   sheridan.london.goco.net
> >         leftrsasigkey=0sAQNd...
> >         leftsubnet=172.21.3.0/24
> >         leftsourceip=172.21.3.101
> >         right=69...
> >         rightnexthop=%defaultroute
> >         rightid=@delenn.stmarys.goco.net
> >         # RSA 2192 bits   delenn.stmarys.goco.net
> >         rightrsasigkey=0sAQNs...
> >         rightsubnet=172.21.1.0/24
> >         rightsourceip=172.21.1.49
> >         auto=start
> > /etc/ipsec.secrets
> >         : RSA   {
> >         # RSA 2192 bits   sheridan.london.goco.net
> >         # for signatures only, UNSAFE FOR ENCRYPTION
> >         #pubkey=0sAQNd...
> >         ...
> >         }
> > # do not change the indenting of that "}"
> >
> > Host B:
> > /etc/ipsec.conf
> > conn stmarys-office-net-to-london-office-net
> >         left=69...
> >         leftnexthop=%defaultroute
> >         leftid=@delenn.stmarys.goco.net
> >         # RSA 2192 bits   delenn.stmarys.goco.net
> >         leftrsasigkey=0sAQNs...
> >         leftsubnet=172.21.1.0/24
> >         leftsourceip=172.21.1.49
> >         right=66...
> >         rightnexthop=%defaultroute
> >         rightid=@sheridan.london.goco.net
> >         # RSA 2192 bits   sheridan.london.goco.net
> >         rightrsasigkey=0sAQNd...
> >         rightsubnet=172.21.3.0/24
> >         rightsourceip=172.21.3.101
> >         auto=start
> > /etc/ipsec.secrets
> >         : RSA   {
> >         # RSA 2192 bits   delenn.stmarys.goco.net
> >         # for signatures only, UNSAFE FOR ENCRYPTION
> >         #pubkey=0sAQNs...
> >         ...
> >         }
> > # do not change the indenting of that "}"
> 
> Were your ipsec.secrets files created automatically, or did 
> you build them
> manually?

I used the method in doc/, which works the same as what you did.
ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com
chmod 600 /etc/ipsec.secrets

And
ipsec showhostkey --left
To get the public part of the key for use in ipsec.conf.

> > Make sure your keys copied into your confs are one big 
> line, they will
> > wrap
> > a few times on an 80 column terminal, and all conn lines 
> are indented with
> > a tab.
> 
> Yes, I did that.........
> 
> Here's the ipsec.conf file, suitably anonymised:
> version	2.0	# conforms to second version of ipsec.conf specification
> 
> config setup
> 	interfaces=%defaultroute
> 	# klipsdebug=all
> 	#plutodebug=control
> 	# plutodebug / klipsdebug = "all", "none" or a combination from below:
> 	# "raw crypt parsing emitting control klips pfkey natt x509 private"
> 	# eg: plutodebug="control parsing"
> 	#
> 	# Only enable klipsdebug=all if you are a developer
> 	#
> 	# NAT-TRAVERSAL support, see README.NAT-Traversal
> 	#nat_traversal=yes
> 	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> 	#
> 	# enable this if you see "failed to find any available worker"
> 	# nhelpers=0
> 
> conn %default
> 	authby=rsasig
> 
> conn left-to-right
> 	left=81.2.96.38
> 	leftsubnet=10.0.0.0/24
> 	leftid=@swan.blakes.homeip.net
> 	leftrsasigkey=0sAQNZqfnhuiIaYV/kEfWTNKaQbo5AwR8qqGzBk+YupzUt8DO616Etb/xXD2GD5fXnetzYHC/E/GXLZ6aSRyZYLhCXhAzl17zErPFec4PFdynKyAH6i0DIPh3H7n7J8t+bfeKldc+h1H/UKgFqwJsGm0p3BRo5oQ+bKq1SQVlt+AVBTcHIUR+++XJVTNkUaBZ34vwggHs/jITQ8doKe0HdSgIIEn0qEPsUKuFlggPJDgFzWDmrXn61234B5zumJCsgxV3yLobIr1IiztPiVmuA1z7tqIyrvQ85xv+cmCmvvoRWjCEZZWaGan4rPVz2zVqkBlgAYvXtzpDzplesCBntHseJ6BfVh3TwcdniksIA/8j5Qod1
> 	leftnexthop=%defaultroute
> 	right=81.2.96.36
> 	rightsubnet=10.0.1.0/24
> 	rightid=@debian.blakes.homeip.net
> 	rightrsasigkey=0sAQOMVVGFuFKdtyEB7p0pLatx4oO3G1LB8Ln/KpkVbzHbsUymgp0UUHTId3MJcMppOoL6PuwHMgJaO6mf9otSyxLzj/D1AhvdTaLsNZqKNOLmEhhJicrXMUp0wOACr1OeGqfiVLaT6tzyBki9nbhqUzlhtpYvRggHpYpS5aMNa217isk45XyeCIDB6yKJDqdTzSBD81VWF07V82laYSDY/1YqKeZf/Kufh75vKbCBeA/9jnBkCeRdDfxXCIf22vvy0jqewTi/b/tS8XWKe/wrEoHiNVv2uzBzbCaV6fFeFnxroMcRig0exEe8Lwbq3vOxaCH9VXWJY072g+2kxB3YKHFXwqjMBd6ml/kydskyN/vip7LZ
> 	rightnexthop=%defaultroute
> 	auto=add
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf

Can't see anything wrong here, don't know why it's saying INVALID_KEY_INFORMATION.

Found this in an old post:
> You have more than one RSA key in there and it is picking the wrong one?
> This happens when you use two entries like ":RSA" where no specific identifier
> is used with the particular rsa key. Easy way is to just have that one key
> in there, and comment out the other. Run 'ipsec secrets' to reread the file.
> 
> Paul

> >> input: ipsec newhostkey --output /root/tmpkey
> >> input: cat /root/tmpkey >> /etc/ipsec.secrets
> >> input: rm /root/tmpkey

Your ipsec.secrets file should contain only the private key for the local machine.
If there was already a default key in the file when you did this, you now
have two keys, which is not good; delete the first one from your ipsec.secrets file.

If that doesn't solve it, try the following.

Can you do an ipsec --version and ipsec verify and show us the results?

Peter
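A check for the two things this reply points at (a second unlabelled ": RSA" block left in ipsec.secrets by appending a new key, and a public key that did not survive the paste into ipsec.conf as one line), as an added example that is not from the thread or from Openswan. It parses both files the way those mistakes show up in them and cross-checks that the #pubkey= comment in ipsec.secrets appears as a leftrsasigkey or rightrsasigkey in ipsec.conf. The parser, the function names and the sample files are assumptions made here; the keys are made-up strings, not real key material.

```python
"""Lint an Openswan ipsec.secrets / ipsec.conf pair for the mistakes this
thread turns on: more than one unlabelled ': RSA' secret (pluto may sign with
the wrong one), an rsasigkey wrapped or unindented when pasted, and a conf that
never mentions this host's own public key.  Hypothetical helper, not part of
Openswan; the sample files and keys below are constructed, not real."""
import re
from dataclasses import dataclass, field

SECRET_START = re.compile(r'^\s*(?P<sel>[^#{}:]*?)\s*:\s*RSA\s*\{\s*$')
PUBKEY = re.compile(r'^\s*#\s*pubkey\s*=\s*(?P<key>\S+)')
SECTION = re.compile(r'^(?P<kind>conn|config)\s+(?P<name>\S+)\s*$')
KEYVAL = re.compile(r'^\s+(?P<key>[A-Za-z_]+)\s*=\s*(?P<val>.*?)\s*$')
TOPLEVEL = re.compile(r'^(version|include)\b')
KEYFMT = re.compile(r'0s[A-Za-z0-9+/=]+')  # shape of 'ipsec showhostkey' output


@dataclass
class Findings:
    unlabelled_secrets: int = 0
    secret_pubkeys: list = field(default_factory=list)  # [(selector, pubkey)]
    conf_keys: dict = field(default_factory=dict)       # {(conn, side): pubkey}
    problems: list = field(default_factory=list)


def parse_secrets(text, f):
    """Count ': RSA {' blocks and collect the #pubkey= comment of each."""
    in_block, sel = False, None
    for line in text.splitlines():
        m = SECRET_START.match(line)
        if m and not in_block:
            in_block, sel = True, m.group('sel').strip()
            if not sel:  # nothing (no @id) in front of the colon
                f.unlabelled_secrets += 1
            continue
        if in_block:
            pm = PUBKEY.match(line)
            if pm:
                f.secret_pubkeys.append((sel, pm.group('key')))
            if line.strip() == '}':
                in_block = False
    if in_block:
        f.problems.append("ipsec.secrets: RSA block never closed by '}'")
    if f.unlabelled_secrets > 1:
        f.problems.append(f"ipsec.secrets: {f.unlabelled_secrets} unlabelled "
                          "': RSA' blocks; pluto may pick the wrong one")


def parse_conf(text, f):
    """Walk the sections: every non-comment line must be 'conn X' at column 0
    or an indented key=value, so a wrapped key shows up as a stray line."""
    section = None
    for n, line in enumerate(text.splitlines(), 1):
        body = line.strip()
        if not body or body.startswith('#'):
            continue
        m = SECTION.match(line)
        if m:
            section = (m.group('kind'), m.group('name'))
            continue
        if not line[0].isspace():  # column 0 ends the current section
            section = None
            if not TOPLEVEL.match(line):
                f.problems.append(f"ipsec.conf:{n}: unindented line belongs to "
                                  f"no section (wrapped key?): {body[:24]}")
            continue
        kv = KEYVAL.match(line)
        if not kv:
            f.problems.append(f"ipsec.conf:{n}: stray line in {section}: {body[:24]}")
            continue
        key, val = kv.group('key'), kv.group('val')
        if key in ('leftrsasigkey', 'rightrsasigkey'):
            if section is None or section[0] != 'conn':
                f.problems.append(f"ipsec.conf:{n}: {key} outside any conn")
                continue
            f.conf_keys[(section[1], key[:-9])] = val  # strip 'rsasigkey'
            if not KEYFMT.fullmatch(val):
                f.problems.append(f"ipsec.conf:{n}: {key} is not a 0s... base64 "
                                  "value; pasted or wrapped wrongly?")


def cross_check(f):
    """The host's own #pubkey= must appear as a left/rightrsasigkey somewhere,
    else the secret pluto signs with is not the key the peer was told about."""
    own = {k for _, k in f.secret_pubkeys}
    if own and not own & set(f.conf_keys.values()):
        f.problems.append("no rsasigkey in ipsec.conf matches a #pubkey= in "
                          "ipsec.secrets; regenerated key not copied over?")


def check(secrets_text, conf_text):
    f = Findings()
    parse_secrets(secrets_text, f)
    parse_conf(conf_text, f)
    cross_check(f)
    return f


# --- constructed samples: fake keys, not real Openswan output ---------------
HOST_PUB = "0sAQNhostCONSTRUCTEDnotARealKey0123456789abcdefghijklmnop"
PEER_PUB = "0sAQNpeerCONSTRUCTEDnotARealKey9876543210zyxwvutsrqponm"


def secret_block(pub):
    """Shape of what 'ipsec newhostkey' writes (private numbers elided)."""
    return (": RSA\t{\n\t# RSA 2192 bits   constructed sample\n"
            "\t# for signatures only, UNSAFE FOR ENCRYPTION\n"
            f"\t#pubkey={pub}\n\tModulus: 0x00\n\t}}\n"
            '# do not change the indenting of that "}"\n')


GOOD_SECRETS = secret_block(HOST_PUB)
# what 'cat tmpkey >> ipsec.secrets' leaves behind when a key was already there
DOUBLED_SECRETS = secret_block("0sAQNoldDefaultKeyCONSTRUCTED") + GOOD_SECRETS

GOOD_CONF = f"""version\t2.0\t# conforms to second version of ipsec.conf specification
config setup
\tinterfaces=%defaultroute
conn %default
\tauthby=rsasig
conn left-to-right
\tleft=192.0.2.1
\tleftid=@swan.example.net
\tleftrsasigkey={HOST_PUB}
\tright=192.0.2.2
\trightid=@debian.example.net
\trightrsasigkey={PEER_PUB}
\tauto=add
"""
# same conn, but the left key got folded by an 80-column terminal or a mailer
WRAPPED_CONF = GOOD_CONF.replace(HOST_PUB, HOST_PUB[:30] + "\n" + HOST_PUB[30:])

if __name__ == "__main__":
    for label, s, c in (("good", GOOD_SECRETS, GOOD_CONF),
                        ("doubled secrets", DOUBLED_SECRETS, GOOD_CONF),
                        ("wrapped key", GOOD_SECRETS, WRAPPED_CONF)):
        print(label, check(s, c).problems or "ok")
```

Against the real files run it as root (ipsec.secrets is mode 600) with check(open('/etc/ipsec.secrets').read(), open('/etc/ipsec.conf').read()). An empty problems list only says the files are shaped the way pluto expects; it does not prove the peer was given the same public key, which is what ipsec showhostkey on each end and a diff of the pasted values settle.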
