[Openswan Users] *Solved* CentOS IPsec RSA sigs

SilverTip257 silvertip257 at gmail.com
Wed Mar 9 11:41:11 EST 2011 

Bao Wang,

Please CC the Openswan Users list next time.

*** Generating PSKs is nothing specific on CentOS/RHEL as compared to
Debian or any other distro as far as I know.

No, you do not need to change anything in /etc/ipsec.d/ when using PSKs.
You simply need to create a preshared key - preferably a lengthy
random one.  You could however just put a simple pass phrase in there,
but that is not secure and not recommended!  Consider switching to RSA
sigs once you get a working setup with PSKs - since you're using
Openswan-to-Openswan this won't be a problem.

Use ipsec randbits.
The SharedSecretsInProduction (link below) suggests at least 128 bit
PSKs.  This generates a 38 character PSK.
debian507-vm:~# ipsec ranbits 128 > temp128
debian507-vm:~# wc -m temp128
38 temp128
[PSK gen suggestions]
http://wiki.openswan.org/index.php/Openswan/UsingSharedSecretsInProduction
-Note:  There are other alternatives to create random strings, but
randbits should suffice.

Using the format for the ipsec.secrets file shown here:
[see bottom] http://wiki.openswan.org/index.php/Openswan/ConfFiles
ip1 ip2 : PSK "0xa449fd66_38b80c26_69337273..."
You copy/paste (or cat the PSK into ipsec.secrets) and put in the proper format.

Enough spoon feeding for today.  I pieced together everything I have
after much reading.  And if it wasn't for the existing documentation I
wouldn't have a working setup now. >> I'll consider contributing a
more refined list to the wiki on secrets.
Consider searching the wiki for information:
http://wiki.openswan.org/index.php/Main/HomePage
[example PSK] http://wiki.openswan.org/index.php/Main/SearchWiki?q=psk&action=search&submit_x=0&submit_y=0
And search engines do a good job indexing the past emails sent to the
Openswan Users mailing list.

---~~.~~---
Mike
//  SilverTip257  //



On Wed, Mar 9, 2011 at 10:12, Bao Wang <baowang98 at yahoo.com> wrote:
> Hi,
>
> Will you mind to share your configuration for using PSK ? I simply tried to setup host-2-host ipsec with ikev2. The 2 hosts are running CentOs. Do you think that I also need regenerate ipsec.d for PSK ? Right now, my ipsec.conf looks like
> "config setup
>         protostack=netkey
>        protostack=netkey
>        nat_traversal=no
>        oe=off
>        nhelpers=0
>
> conn test
>    auto=start
>    left=xxx.xx.xx.xxx  (real ip address of host 1)
>    right=yyy.yy.yy.yy  (real ip address of host 2)
>    ikev2=insist
>    keyingtries=5
>    rekeymargin=2m
>    authby=secret
>    pfs=yes
> "
> Your help will be greatly appreciated.
>
> Bao Wang
>
>
> --- On Tue, 3/8/11, SilverTip257 <silvertip257 at gmail.com> wrote:
>
>> From: SilverTip257 <silvertip257 at gmail.com>
>> Subject: [Openswan Users] *Solved* CentOS IPsec RSA sigs
>> To: "Openswan Users" <users at openswan.org>
>> Date: Tuesday, March 8, 2011, 8:58 PM
>> I'm working on configuring my setup
>> to use RSA signatures now that I
>> have a working config using PSKs.
>>
>> I'm using CentOS5.4 as the left gateway and Debian Lenny as
>> the right gateway.
>> I had a bit of trouble generating keys until I used a
>> different
>> configdir as suggested here
>> https://www.centos.org/modules/newbb/viewtopic.php?viewmode=thread&topic_id=22906&forum=38&post_id=105108
>> [root at centos54vm ipsec.d]# ipsec newhostkey --output
>> /etc/ipsec.secrets --configdir /etc/ipsec.d
>> ipsec rsasigkey: key pair generation failed: "-8023"
>> # Use NSSDB instead of ipsec.d
>> [root at centos54vm ipsec.d]# ipsec newhostkey --output
>> /etc/ipsec.secrets --configdir /etc/pki/nssdb
>> Generated RSA key pair using the NSS database
>>
>> Now that I had an RSA sig in /etc/ipsec.secrets, I changed
>> my ipsec.conf
>> conn advc-d_rsa
>>         authby=rsasig
>>         auto=add
>>         left=192.168.110.2
>>         leftsourceip=172.16.0.33
>>         leftid=@centrsa
>>         leftrsasigkey=0sAQPT0eXk+...
>>         leftnexthop=192.168.110.1
>>         leftsubnet=172.16.0.32/27
>>         right=192.168.111.2
>>         rightsourceip=10.0.2.1
>>         rightsubnet=10.0.2.0/24
>>         rightid=@debrsa
>>         rightrsasigkey=0sAQODfpUObY...
>>
>> The hosts do not quickly change states and by checking the
>> logs, I
>> have noticed errors.
>> * It most blatantly says that there's a problem with
>> keys.  However
>> the key that the rightgw is trying is indeed the key for
>> the leftgw.
>>
>> Mar  8 12:13:54 centos54vm pluto[8017]: "advc-d_rsa"
>> #7: sending
>> notification PAYLOAD_MALFORMED to 192.168.111.2:500
>> Mar  8 12:13:57 centos54vm pluto[8017]: "advc-d_rsa"
>> #6: discarding
>> duplicate packet; already STATE_MAIN_I3
>> Mar  8 12:14:04 centos54vm pluto[8017]: "advc-d_rsa"
>> #6: ignoring
>> informational payload, type INVALID_KEY_INFORMATION
>> msgid=00000000
>> Mar  8 12:14:04 centos54vm pluto[8017]: "advc-d_rsa"
>> #6: received and
>> ignored informational message
>> Mar  8 12:14:07 centos54vm pluto[8017]: "advc-d_rsa"
>> #6: discarding
>> duplicate packet; already STATE_MAIN_I3
>> Mar  8 12:14:24 centos54vm pluto[8017]: "advc-d_rsa"
>> #6: ignoring
>> informational payload, type INVALID_KEY_INFORMATION
>> msgid=00000000
>> Mar  8 12:14:24 centos54vm pluto[8017]: "advc-d_rsa"
>> #6: received and
>> ignored informational message
>>
>> Mar  8 12:58:04 centos54vm pluto[8566]: loaded private
>> key for keyid:
>> PPK_RSA:AQPT0eXk+
>> 003 "advc-d_rsa" #4: Can't find the private key from the
>> NSS CERT (err -12285)
>> ---------
>> Mar  8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa"
>> #1: Main mode
>> peer ID is ID_FQDN: '@centrsa'
>> Mar  8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa"
>> #1: Signature
>> check (on @centrsa) failed (wrong key?); tried *AQPT0eXk+
>> Mar  8 19:58:44 debian507-vm pluto[3631]: "advc-d_rsa"
>> #1: sending
>> encrypted notification INVALID_KEY_INFORMATION to
>> 192.168.110.2:500
>>
>> *****
>> SOLUTION:
>> - For anyone running CentOS, it appears something is wrong
>> with the
>> /etc/ipsec.d/ NSS database files.  So you'll have to
>> regenerate new
>> ones!  Fixed my problem.
>> *****
>> cd /etc/ipsec.d/
>> ls -l
>> mkdir old
>> # move the old NSS database to a folder named old; backup
>> precaution.
>> mv cert8.db key3.db secmod.db policies/ old/
>> # I generated my new NSS cert without a password (leave it
>> blank by
>> pressing Enter), otherwise the --password flag is needed
>> for
>> generating the new RSA key.
>> certutil -N -d /etc/ipsec.d
>> # be careful not to overwrite your ipsec.secrets
>> file!  In this case
>> we will append the RSA sig to secrets.
>> ipsec newhostkey --output /etc/ipsec.rsa.secrets
>> --configdir /etc/ipsec.d
>> # if you want to time the command, prefix the command with
>> `time`.
>> #example:  time ipsec newhostkey --output
>> /etc/ipsec.rsa.secrets
>> --configdir /etc/ipsec.d
>> cat /etc/ipsec.rsa.secrets >> /etc/ipsec.secrets
>>
>> Make the proper @leftid/rightid changes to the RSA
>> sig.  Add the
>> left/rightrsasigkey= line to your conn.
>>
>> ---~~.~~---
>> Mike
>> //  SilverTip257  //
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with
>> Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>
>
>
>

More information about the Users mailing list