[Openswan Users] Openswan on fc14 with nss and net-to-net
Alex
mysqlstudent at gmail.com
Sat Jan 29 20:58:56 EST 2011
Hi,
[Is it the convention on this list to reply to the list as well as the sender?]
>> Among the error messages I currently receive when trying to start ipsec are:
>>
>> - unable to locate my private key for RSA Signature
>
> Ok... That's your first problem from which all else radiates. We get
> nowhere till that's solved.
It looks like that one is now fixed, although I'm really not sure why
yet. I _think_ it might be because I had "protostack=netkey" commented
because the other side doesn't use netkey (klips instead, I guess),
and I wasn't sure it would be compatible? I now know that the Fedora
RPM doesn't include klips anyway, so I figured it didn't matter.
> Assuming you are NOT using PSK... If you are, do NOT post ANY from your
> secrets files!
No, no PSK here.
Requested output printed below. I made a note below, but it looks like
the private keys are the same for the left and right sides?
File: /etc/ipsec.secrets
: RSA {
        # RSA 2192 bits local.example.com Fri Jan 14 23:40:33 2011
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQPxepIR3xKn9I/NNwnQ+U/e4c...
        Modulus: 0xf17a9211df12a7f48fcd3709d...
        PublicExponent: 0x03
        # everything after this point is CKA_ID in hex format when using NSS
        PrivateExponent: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
        Prime1: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
        Prime2: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
        Exponent1: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
        Exponent2: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
        Coefficient: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
        CKAIDNSS: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
        }
# do not change the indenting of that "}"
It looks like the keys on the local and remote side are the same here?!
From where does it get this information?
[root at local ipsec.d]# ipsec showhostkey --left
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
# rsakey AQPxepIR3
leftrsasigkey=0sAQPxepIR3xKn9I/NNwnQz5Q1EP...
[root at local ipsec.d]# ipsec showhostkey --right
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
# rsakey AQPxepIR3
rightrsasigkey=0sAQPxepIR3xKn9I/NNwnQz5Q1EP...
[root at local ipsec.d]# certutil -L -d /etc/ipsec.d
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

local.example.com                                      cu,cu,cu
VPN CA #20041220-01 - Company, Inc.                    ,,
remotesvr.example.com                                  u,u,u
VPN Certificate for                                    u,u,u
File: /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=all
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        nat_traversal=no
        interfaces=%defaultroute
        uniqueids=yes
        protostack=netkey
        #virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/"
#include /etc/ipsec.d/*.conf

conn %default
        auto=add
        keyingtries=0
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        type=tunnel
        authby=rsasig
        esp=aes
        ike=aes

################################################################################
# Persistent VPN
#
conn VPN-HEADQUARTERS-COLO
        auto=start
        left=68.XXX.YYY.42
        leftnexthop=68.XXX.YYY.41
        leftsubnet=192.168.1.0/24
        leftid="@C=US, ST=XX, L=City, O=Company Inc, CN=local.example.com"
        leftcert="local.example.com"
        right=XX.YY.72.6
        rightnexthop=XX.YY.72.5
        rightsubnet=XX.YY.16.0/27
        rightid="@C=US, ST=XX, L=City, O=Company Inc, CN=remotesvr.example.com"
        rightcert="remotesvr.example.com"

conn VPN-HEADQUARTERS-COLO-2
        auto=start
        left=68.XXX.YYY.42
        leftnexthop=68.XXX.YYY.41
        leftsubnet=192.168.1.0/24
        leftid="@C=US, ST=XX, L=City, O=Company Inc, CN=local.example.com"
        leftcert="local.example.com"
        right=XX.YY.72.6
        rightnexthop=XX.YY.72.5
        rightsubnet=XX.YY.218.96/28
        rightid="@C=US, ST=XX, L=City, O=Company Inc, CN=remotesvr.example.com"
        rightcert="remotesvr.example.com"

################################################################################
# Standard Road Warrior VPN.
#
conn rw-intranet
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftid="@C=US, ST=XX, L=City, O=Company Inc., CN=local.example.com"
        leftcert=hostcerts/local.crt
        right=%any
        rightsubnet=
        rightsubnetwithin=192.168.6.0/24

# Disable Opportunistic Encryption
# include /etc/ipsec.d/no_oe.conf
Thanks so much. It's so great that you're so willing to share your
knowledge for all these years with us.
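As an added example that is not part of the original post or of Openswan itself: a small POSIX shell check for the "unable to locate my private key" symptom, comparing the CKAIDNSS reference in ipsec.secrets against the key IDs found in a saved listing from `certutil -K -d /etc/ipsec.d`. The listing line format ("< 0> rsa <hex> <nickname>"), the file paths and all sample values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: verify that the CKAIDNSS reference in
# ipsec.secrets names a private key present in the NSS database, which is
# what pluto must find before it can sign. Paths and samples are constructed.

# Print the CKAIDNSS hex value (lowercase, no 0x) from a secrets file.
secrets_ckaid() {
    sed -n 's/^[[:space:]]*CKAIDNSS:[[:space:]]*0x\([0-9A-Fa-f]*\).*$/\1/p' "$1" \
        | tr 'A-F' 'a-f' | head -n 1
}

# Print the CKA_ID hex values from a saved `certutil -K -d /etc/ipsec.d`
# listing ("< 0> rsa <hex> <nickname>" lines, assumed format), one per line.
nss_ckaids() {
    sed -n 's/^<[[:space:]]*[0-9][0-9]*>[[:space:]]*[a-z]*[[:space:]]*\([0-9A-Fa-f]\{16,\}\).*$/\1/p' "$1" \
        | tr 'A-F' 'a-f'
}

# Succeed only if the secrets CKA_ID appears in the NSS key listing.
key_present() {
    id=$(secrets_ckaid "$1")
    [ -n "$id" ] || return 1
    nss_ckaids "$2" | grep -qx "$id"
}

# Constructed sample files (values are fake, shaped like the post's output).
tmp=$(mktemp -d)
cat > "$tmp/ipsec.secrets" <<'EOF'
: RSA {
    # everything after this point is CKA_ID in hex format when using NSS
    PrivateExponent: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
    CKAIDNSS: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
    }
EOF
cat > "$tmp/certutil-K.good" <<'EOF'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      40bc221733e5298d499ec5b3b33ec826d0aa8e45   local.example.com
EOF
cat > "$tmp/certutil-K.bad" <<'EOF'
< 0> rsa      0123456789abcdef0123456789abcdef01234567   other.example.com
EOF

key_present "$tmp/ipsec.secrets" "$tmp/certutil-K.good" && echo "good DB: key found"
key_present "$tmp/ipsec.secrets" "$tmp/certutil-K.bad" || echo "bad DB: key missing, expect 'unable to locate my private key'"
```

On a live host, replace the saved listing with the real output of `certutil -K -d /etc/ipsec.d`; a mismatch means the secrets file points at a key the NSS database does not hold.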