[Openswan Users] *Solved* CentOS IPsec RSA sigs

SilverTip257 silvertip257 at gmail.com
Tue Mar 8 21:58:54 EST 2011


I'm working on configuring my setup to use RSA signatures now that I
have a working config using PSKs.

I'm using CentOS5.4 as the left gateway and Debian Lenny as the right gateway.
I had a bit of trouble generating keys until I used a different
configdir as suggested here
https://www.centos.org/modules/newbb/viewtopic.php?viewmode=thread&topic_id=22906&forum=38&post_id=105108
[root@centos54vm ipsec.d]# ipsec newhostkey --output /etc/ipsec.secrets --configdir /etc/ipsec.d
ipsec rsasigkey: key pair generation failed: "-8023"
# Use NSSDB instead of ipsec.d
[root@centos54vm ipsec.d]# ipsec newhostkey --output /etc/ipsec.secrets --configdir /etc/pki/nssdb
Generated RSA key pair using the NSS database

Now that I had an RSA sig in /etc/ipsec.secrets, I changed my ipsec.conf
conn advc-d_rsa
        authby=rsasig
        auto=add
        left=192.168.110.2
        leftsourceip=172.16.0.33
        leftid=@centrsa
        leftrsasigkey=0sAQPT0eXk+...
        leftnexthop=192.168.110.1
        leftsubnet=172.16.0.32/27
        right=192.168.111.2
        rightsourceip=10.0.2.1
        rightsubnet=10.0.2.0/24
        rightid=@debrsa
        rightrsasigkey=0sAQODfpUObY...

The hosts do not quickly change states and by checking the logs, I
have noticed errors.
* It most blatantly says that there's a problem with keys.  However
the key that the rightgw is trying is indeed the key for the leftgw.

Mar  8 12:13:54 centos54vm pluto[8017]: "advc-d_rsa" #7: sending notification PAYLOAD_MALFORMED to 192.168.111.2:500
Mar  8 12:13:57 centos54vm pluto[8017]: "advc-d_rsa" #6: discarding duplicate packet; already STATE_MAIN_I3
Mar  8 12:14:04 centos54vm pluto[8017]: "advc-d_rsa" #6: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
Mar  8 12:14:04 centos54vm pluto[8017]: "advc-d_rsa" #6: received and ignored informational message
Mar  8 12:14:07 centos54vm pluto[8017]: "advc-d_rsa" #6: discarding duplicate packet; already STATE_MAIN_I3
Mar  8 12:14:24 centos54vm pluto[8017]: "advc-d_rsa" #6: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
Mar  8 12:14:24 centos54vm pluto[8017]: "advc-d_rsa" #6: received and ignored informational message

Mar  8 12:58:04 centos54vm pluto[8566]: loaded private key for keyid: PPK_RSA:AQPT0eXk+
003 "advc-d_rsa" #4: Can't find the private key from the NSS CERT (err -12285)
---------
Mar  8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa" #1: Main mode peer ID is ID_FQDN: '@centrsa'
Mar  8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa" #1: Signature check (on @centrsa) failed (wrong key?); tried *AQPT0eXk+
Mar  8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.110.2:500

*****
SOLUTION:
- For anyone running CentOS, it appears something is wrong with the
/etc/ipsec.d/ NSS database files.  So you'll have to regenerate new
ones!  Fixed my problem.
*****
cd /etc/ipsec.d/
ls -l
mkdir old
# move the old NSS database to a folder named old; backup precaution.
mv cert8.db key3.db secmod.db policies/ old/
# I generated my new NSS cert without a password (leave it blank by
# pressing Enter), otherwise the --password flag is needed for
# generating the new RSA key.
certutil -N -d /etc/ipsec.d
# be careful not to overwrite your ipsec.secrets file!  In this case
# we will append the RSA sig to secrets.
ipsec newhostkey --output /etc/ipsec.rsa.secrets --configdir /etc/ipsec.d
# if you want to time the command, prefix the command with `time`.
# example:  time ipsec newhostkey --output /etc/ipsec.rsa.secrets --configdir /etc/ipsec.d
cat /etc/ipsec.rsa.secrets >> /etc/ipsec.secrets

Make the proper @leftid/rightid changes to the RSA sig.  Add the
left/rightrsasigkey= line to your conn.

---~~.~~---
Mike
//  SilverTip257  //
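
The comparison the post makes by eye (the key ID the right gateway reports as tried, against the rsasigkey configured for that ID), as an added shell example that is not part of the original post. The function names and verdict strings are hypothetical, and the conf text is assumed to hold a single conn section.

```shell
# Added example: classify pluto RSA-signature failures against the conn's keys.
# Sample input is constructed from the values quoted in the post; its keys are
# truncated with "..." there, so only the leading characters are compared.
sample_conf() {
    cat <<'EOF'
conn advc-d_rsa
        leftid=@centrsa
        leftrsasigkey=0sAQPT0eXk+...
        rightid=@debrsa
        rightrsasigkey=0sAQODfpUObY...
EOF
}
sample_log() {
    cat <<'EOF'
Mar  8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa" #1: Signature check (on @centrsa) failed (wrong key?); tried *AQPT0eXk+
003 "advc-d_rsa" #4: Can't find the private key from the NSS CERT (err -12285)
EOF
}

# Print the rsasigkey of the side (left or right) whose id equals $1; $2 is the conf text.
configured_key() {
    printf '%s\n' "$2" | awk -v id="$1" '
        { sub(/^[ \t]+/, ""); i = index($0, "="); if (!i) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1) }
        k ~ /^(left|right)id$/        { ids[substr(k, 1, length(k) - 2)] = v }
        k ~ /^(left|right)rsasigkey$/ { keys[substr(k, 1, length(k) - 9)] = v }
        END { for (s in ids) if (ids[s] == id) print keys[s] }'
}

# Read log lines on stdin; $1 is the conf text. Prints one verdict per relevant line.
triage() {
    conf=$1
    while IFS= read -r line; do
        case $line in
        *"Signature check (on "*") failed"*"tried *"*)
            id=${line#*"Signature check (on "}; id=${id%%")"*}
            tried=${line##*"tried *"}; [ -n "$tried" ] || continue
            key=$(configured_key "$id" "$conf"); key=${key#0s}
            case $key in
            "")        echo "UNKNOWN_ID $id" ;;
            "$tried"*) echo "KEY_MATCHES $id $tried" ;;  # expected public key was tried: check the signer's private key store
            *)         echo "KEY_DIFFERS $id $tried" ;;  # peer tried a different public key than the conn lists for this id
            esac ;;
        *"Can't find the private key from the NSS CERT"*)
            echo "NSS_PRIVATE_KEY_MISSING" ;;
        esac
    done
}
sample_log | triage "$(sample_conf)"
```

On the sample lines this prints `KEY_MATCHES @centrsa AQPT0eXk+` and `NSS_PRIVATE_KEY_MISSING`, the combination the post resolved by regenerating the NSS database on the CentOS side.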

