[Openswan Users] Openswan on fc14 with nss and net-to-net

Michael H. Warfield mhw at WittsEnd.com
Sat Jan 29 22:26:02 EST 2011 

On Sat, 2011-01-29 at 20:58 -0500, Alex wrote: 
> Hi,

> [is it convention on this list to reply to list as well as sender?]

> >> Among the error messages I currently receive when trying to start ipsec are:
> >>
> >>   - unable to locate my private key for RSA Signature
> >
> > Ok...  That's your first problem from which all else radiates.  We get
> > nowhere till that's solved.

> It looks like that one is now fixed, although I'm really not sure why
> yet. I _think_ it might be because I had "protostack=netkey" commented
> because the other side doesn't use netkey (klips instead, I guess),
> and I wasn't sure it would be compatible? I now know that the Fedora
> RPM doesn't include klips anyway, so I figured it didn't matter.

KLIPS and netkey (and mast) are transports.  They better all be
compatible or they are not compliant with the IPsec standard.  This is
in the keying exchange, IAC.

> > Assuming you are NOT using PSK...  If you are, do NOT post ANY from your
> > secrets files!

> No, no PSK here.

Really?

> Requested output printed below. I made a note below, but it looks like
> the private keys are the same for the left and right sides?

> File: /etc/ipsec.secrets
> : RSA	{
> 	# RSA 2192 bits   local.example.com   Fri Jan 14 23:40:33 2011
> 	# for signatures only, UNSAFE FOR ENCRYPTION
> 	#pubkey=0sAQPxepIR3xKn9I/NNwnQ+U/e4c...
> 	Modulus: 0xf17a9211df12a7f48fcd3709d...
> 	PublicExponent: 0x03
> 	# everything after this point is CKA_ID in hex format when using NSS
> 	PrivateExponent: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
> 	Prime1: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
> 	Prime2: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
> 	Exponent1: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
> 	Exponent2: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
> 	Coefficient: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
> 	CKAIDNSS: 0x40bc221733e5298d499ec5b3b33ec826d0aa8e45
> 	}
> # do not change the indenting of that "}"

Ah...  Crap.  That's exactly the sort of thing I did not want you to
post.  That's your private key.  Looks like you are using raw RSA keys.
You might want to change that now.  :-P  Sorry.  Guess I should have
been clearer.

> It looks like the keys on the local and remote side are the same
> here?!

Er?  Each side should have their own keys.  You only trade public keys.

> From where
> does it get this information?

> [root at local ipsec.d]# ipsec showhostkey --left
> ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
>         # rsakey AQPxepIR3
>         leftrsasigkey=0sAQPxepIR3xKn9I/NNwnQz5Q1EP...
> [root at local ipsec.d]# ipsec showhostkey --right
> ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
>         # rsakey AQPxepIR3
>         rightrsasigkey=0sAQPxepIR3xKn9I/NNwnQz5Q1EP...

> [root at local ipsec.d]# certutil -L -d /etc/ipsec.d

> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> local.example.com                                    cu,cu,cu
> VPN CA #20041220-01 - Company, Inc.                  ,,
> remotesvr.example.com                                  u,u,u
> VPN Certificate for                                          u,u,u

Ah...  "example.com"????  Haven't you generated your own certificates?

> File: /etc/ipsec.conf

> version	2.0	# conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
> 	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
> 	klipsdebug=all
> 	# plutodebug="control parsing"
> 	# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> 	nat_traversal=no
> 	interfaces=%defaultroute
> 	uniqueids=yes
> 	protostack=netkey
> 	#virtual_private=
> 	oe=off
> 	# Enable this if you see "failed to find any available worker"
> 	nhelpers=0

> #You may put your configuration (.conf) file in the "/etc/ipsec.d/"
> #include /etc/ipsec.d/*.conf

> conn %default
>         auto=add
>         keyingtries=0
>         disablearrivalcheck=no
>         keyexchange=ike
>         ikelifetime=240m
>         keylife=60m
>         pfs=yes
>         compress=no
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         type=tunnel
>         authby=rsasig
>         esp=aes
>         ike=aes

> ################################################################################
> # Persistent VPN
> #
> conn VPN-HEADQUARTERS-COLO
> 	auto=start
> 	left=68.XXX.YYY.42
> 	leftnexthop=68.XXX.YYY.41
> 	leftsubnet=192.168.1.0/24
> 	leftid="@C=US, ST=XX, L=City, O=Company Inc, CN=local.example.com"
> 	leftcert="local.example.com"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Ok, seriously, are you really using the sample "*.example.com" certs or
are you just obfuscating things for posting here?

> 	right=XX.YY.72.6
> 	rightnexthop=XX.YY.72.5
> 	rightsubnet=XX.YY.16.0/27
> 	rightid="@C=US, ST=XX, L=City, O=Company Inc, CN=remotesvr.example.com"
> 	rightcert="remotesvr.example.com"

> conn VPN-HEADQUARTERS-COLO-2
> 	auto=start
> 	left=68.XXX.YYY.42
> 	leftnexthop=68.XXX.YYY.41
> 	leftsubnet=192.168.1.0/24
> 	leftid="@C=US, ST=XX, L=City, O=Company Inc, CN=local.example.com"
> 	leftcert="local.example.com"
> 	right=XX.YY.72.6
> 	rightnexthop=XX.YY.72.5
> 	rightsubnet=XX.YY.218.96/28
> 	rightid="@C=US, ST=XX, L=City, O=Company Inc, CN=remotesvr.example.com"
> 	rightcert="remotesvr.example.com"
> 
> ################################################################################
> # Standard Road Warrior VPN.
> #
> conn rw-intranet
>  	left=%defaultroute
>  	leftsubnet=192.168.1.0/24
>  	leftid="@C=US, ST=XX, L=City, O=Company Inc., CN=local.example.com"
>  	leftcert=hostcerts/local.crt
>  	right=%any
>  	rightsubnet=
>  	rightsubnetwithin=192.168.6.0/24
> 
> # Disable Opportunistic Encryption
> # include /etc/ipsec.d/no_oe.conf
> 
> Thanks so much. It's so great that you're so willing to share your
> knowledge for all these years with us.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20110129/69503ee7/attachment.bin

More information about the Users mailing list