[Openswan Users] *Solved* CentOS IPsec RSA sigs
SilverTip257
silvertip257 at gmail.com
Tue Mar 8 21:58:54 EST 2011
I'm working on configuring my setup to use RSA signatures now that I
have a working config using PSKs.
I'm using CentOS5.4 as the left gateway and Debian Lenny as the right gateway.
I had a bit of trouble generating keys until I used a different
configdir as suggested here
https://www.centos.org/modules/newbb/viewtopic.php?viewmode=thread&topic_id=22906&forum=38&post_id=105108
[root@centos54vm ipsec.d]# ipsec newhostkey --output /etc/ipsec.secrets --configdir /etc/ipsec.d
ipsec rsasigkey: key pair generation failed: "-8023"
# Use NSSDB instead of ipsec.d
[root@centos54vm ipsec.d]# ipsec newhostkey --output /etc/ipsec.secrets --configdir /etc/pki/nssdb
Generated RSA key pair using the NSS database
Now that I had an RSA sig in /etc/ipsec.secrets, I changed my ipsec.conf
conn advc-d_rsa
    authby=rsasig
    auto=add
    left=192.168.110.2
    leftsourceip=172.16.0.33
    leftid=@centrsa
    leftrsasigkey=0sAQPT0eXk+...
    leftnexthop=192.168.110.1
    leftsubnet=172.16.0.32/27
    right=192.168.111.2
    rightsourceip=10.0.2.1
    rightsubnet=10.0.2.0/24
    rightid=@debrsa
    rightrsasigkey=0sAQODfpUObY...
The hosts do not quickly change states and by checking the logs, I
have noticed errors.
* It most blatantly says that there's a problem with keys. However
the key that the rightgw is trying is indeed the key for the leftgw.
Mar 8 12:13:54 centos54vm pluto[8017]: "advc-d_rsa" #7: sending notification PAYLOAD_MALFORMED to 192.168.111.2:500
Mar 8 12:13:57 centos54vm pluto[8017]: "advc-d_rsa" #6: discarding duplicate packet; already STATE_MAIN_I3
Mar 8 12:14:04 centos54vm pluto[8017]: "advc-d_rsa" #6: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
Mar 8 12:14:04 centos54vm pluto[8017]: "advc-d_rsa" #6: received and ignored informational message
Mar 8 12:14:07 centos54vm pluto[8017]: "advc-d_rsa" #6: discarding duplicate packet; already STATE_MAIN_I3
Mar 8 12:14:24 centos54vm pluto[8017]: "advc-d_rsa" #6: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
Mar 8 12:14:24 centos54vm pluto[8017]: "advc-d_rsa" #6: received and ignored informational message
Mar 8 12:58:04 centos54vm pluto[8566]: loaded private key for keyid: PPK_RSA:AQPT0eXk+
003 "advc-d_rsa" #4: Can't find the private key from the NSS CERT (err -12285)
---------
Mar 8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa" #1: Main mode peer ID is ID_FQDN: '@centrsa'
Mar 8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa" #1: Signature check (on @centrsa) failed (wrong key?); tried *AQPT0eXk+
Mar 8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.110.2:500
*****
SOLUTION:
- For anyone running CentOS, it appears something is wrong with the
/etc/ipsec.d/ NSS database files. So you'll have to regenerate new
ones! Fixed my problem.
*****
cd /etc/ipsec.d/
ls -l
mkdir old
# move the old NSS database to a folder named old; backup precaution.
mv cert8.db key3.db secmod.db policies/ old/
# I generated my new NSS cert without a password (leave it blank by
# pressing Enter), otherwise the --password flag is needed for
# generating the new RSA key.
certutil -N -d /etc/ipsec.d
# be careful not to overwrite your ipsec.secrets file! In this case
# we will append the RSA sig to secrets.
ipsec newhostkey --output /etc/ipsec.rsa.secrets --configdir /etc/ipsec.d
# if you want to time the command, prefix the command with `time`.
# example: time ipsec newhostkey --output /etc/ipsec.rsa.secrets --configdir /etc/ipsec.d
cat /etc/ipsec.rsa.secrets >> /etc/ipsec.secrets
Make the proper @leftid/rightid changes to the RSA sig. Add the
left/rightrsasigkey= line to your conn.
---~~.~~---
Mike
// SilverTip257 //
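
Added example, not part of the original post and not Openswan code: a small triage script that groups the key-related pluto messages quoted above by connection and by the host that logged them, so a local NSS private-key failure is not mistaken for a wrong rsasigkey on the peer. The sample log is constructed from lines in the post; the function names and the ranking in verdict() are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: log lines copied from the post above, unwrapped.
SAMPLE_LOG = """\
Mar 8 12:14:04 centos54vm pluto[8017]: "advc-d_rsa" #6: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
Mar 8 12:58:04 centos54vm pluto[8566]: loaded private key for keyid: PPK_RSA:AQPT0eXk+
003 "advc-d_rsa" #4: Can't find the private key from the NSS CERT (err -12285)
Mar 8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa" #1: Main mode peer ID is ID_FQDN: '@centrsa'
Mar 8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa" #1: Signature check (on @centrsa) failed (wrong key?); tried *AQPT0eXk+
Mar 8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.110.2:500
"""

# Message fragments taken from the pluto output quoted in the post.
PATTERNS = {
    "nss_private_key_missing": re.compile(r"Can't find the private key from the NSS CERT \(err (-?\d+)\)"),
    "signature_check_failed": re.compile(r"Signature check \(on (\S+)\) failed"),
    "invalid_key_information": re.compile(r"INVALID_KEY_INFORMATION"),
}
# The syslog prefix is optional: console lines such as '003 "conn" ...' have no host.
LINE = re.compile(r'^(?:\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+pluto\[\d+\]:|\d{3})\s+"(?P<conn>[^"]+)"')

def triage(log_text):
    """Return {connection: {finding: set of hosts that logged it}}."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a per-connection pluto line
        host = m.group("host") or "console"
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings[m.group("conn")][name].add(host)
    return {conn: dict(found) for conn, found in findings.items()}

def verdict(conn_findings):
    """Heuristic (assumption of this example): a local NSS error outranks peer complaints."""
    if "nss_private_key_missing" in conn_findings:
        return "local NSS database cannot supply the private key"
    if "signature_check_failed" in conn_findings:
        return "peer rejected the signature: compare its rsasigkey with this host's public key"
    if "invalid_key_information" in conn_findings:
        return "peer reported a key problem: read the peer's log"
    return "no key-related errors seen"

if __name__ == "__main__":
    for conn, found in triage(SAMPLE_LOG).items():
        print(conn, verdict(found), found)
```

Feed it the concatenated logs of both gateways; a finding attributed to "console" came from a line without a syslog prefix.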