Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Glenn Pierce
I did :)
I'm all for an easy life.

I got a very similar error
instead of but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
I got
but no connection has been authorized with policy PSK+IKEV1_ALLOW

I did read somewhere though errors are red herrings which is helpful.

Thanks


On 1 April 2016 at 18:39, Eero Volotinen  wrote:
> IPSec is very complex with certificates. Try first with PSK authentication
> and then with certificates
>
> --
> Eero
>
> 2016-04-01 20:21 GMT+03:00 Glenn Pierce :
>
>> I generated according to the docs. Which produced
>> my server.secrets as below
>>
>> used the command
>>
>>  ipsec newhostkey --configdir /etc/ipsec.d --output
>> /etc/ipsec.d/www.example.com.secrets
>>
>>
>> : RSA   {
>> # RSA 3328 bits   ***.**.net   Fri Apr  1 15:39:32 2016
>> # for signatures only, UNSAFE FOR ENCRYPTION
>>
>> #pubkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
>> Modulus:
>>
>> PublicExponent: 0x03
>> # everything after this point is CKA_ID in hex format - not
>> the real values
>> PrivateExponent: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
>> Prime1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
>> Prime2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
>> Exponent1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
>> Exponent2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
>> Coefficient: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
>> CKAIDNSS: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
>> }
>> # do not change the indenting of that "}"
>>
>> On 1 April 2016 at 18:04, Eero Volotinen  wrote:
>> > You must define connection address and key in ipsec.secrets.
>> >
>> > --
>> > Eero
>> >
>> >
>> > 2016-04-01 19:38 GMT+03:00 Glenn Pierce :
>> >
>> >> Just trying to follow the instructions here
>> >>
>> >>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
>> >>
>> >> I don't think I am doing anything special.
>> >>
>> >> At the point where there is some communication going on
>> >>
>> >> Getting this error
>> >>
>> >> packet from *:1024: received Vendor ID payload [Cisco-Unity]
>> >> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from
>> >> ***:1024: received Vendor ID payload [Dead Peer Detection]
>> >> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***
>> >> :1024: initial Main Mode message received on :500 but no
>> >> connection has been authorized with policy RSASIG+IKEV1_ALLOW
>> >>
>> >> The errors are so vague.
>> >> Not sure what the problem is now
>> >>
>> >>
>> >>
>> >> My conf
>> >>
>> >>
>> >>
>> >> conn tunnel
>> >> #phase2alg=aes256-sha1;modp1024
>> >> keyexchange=ike
>> >> #ike=aes256-sha1;modp1024
>> >> left=192.168.1.122
>> >> leftnexthop=81.129.247.152   # My ISP assigned external ip address
>> >>  (I am testing at home)
>> >>
>> >>
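>> leftrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==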
>> >> 

Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Eero Volotinen
IPSec is very complex with certificates. Try first with PSK authentication
and then with certificates

--
Eero

2016-04-01 20:21 GMT+03:00 Glenn Pierce :

> I generated according to the docs. Which produced
> my server.secrets as below
>
> used the command
>
>  ipsec newhostkey --configdir /etc/ipsec.d --output
> /etc/ipsec.d/www.example.com.secrets
>
>
> : RSA   {
> # RSA 3328 bits   ***.**.net   Fri Apr  1 15:39:32 2016
> # for signatures only, UNSAFE FOR ENCRYPTION
>
> #pubkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
> Modulus:
>
> PublicExponent: 0x03
> # everything after this point is CKA_ID in hex format - not
> the real values
> PrivateExponent: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> Prime1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> Prime2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> Exponent1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> Exponent2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> Coefficient: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> CKAIDNSS: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> }
> # do not change the indenting of that "}"
>
> On 1 April 2016 at 18:04, Eero Volotinen  wrote:
> > You must define connection address and key in ipsec.secrets.
> >
> > --
> > Eero
> >
> >
> > 2016-04-01 19:38 GMT+03:00 Glenn Pierce :
> >
> >> Just trying to follow the instructions here
> >>
> >>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
> >>
> >> I don't think I am doing anything special.
> >>
> >> At the point where there is some communication going on
> >>
> >> Getting this error
> >>
> >> packet from *:1024: received Vendor ID payload [Cisco-Unity]
> >> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from
> >> ***:1024: received Vendor ID payload [Dead Peer Detection]
> >> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***
> >> :1024: initial Main Mode message received on :500 but no
> >> connection has been authorized with policy RSASIG+IKEV1_ALLOW
> >>
> >> The errors are so vague.
> >> Not sure what the problem is now
> >>
> >>
> >>
> >> My conf
> >>
> >>
> >>
> >> conn tunnel
> >> #phase2alg=aes256-sha1;modp1024
> >> keyexchange=ike
> >> #ike=aes256-sha1;modp1024
> >> left=192.168.1.122
> >> leftnexthop=81.129.247.152   # My ISP assigned external ip address
> >>  (I am testing at home)
> >>
> >>
> leftrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
> >> right=89.200.134.211
> >>
> >>
> 

Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Glenn Pierce
I generated according to the docs. Which produced
my server.secrets as below

used the command

 ipsec newhostkey --configdir /etc/ipsec.d --output
/etc/ipsec.d/www.example.com.secrets


: RSA   {
# RSA 3328 bits   ***.**.net   Fri Apr  1 15:39:32 2016
# for signatures only, UNSAFE FOR ENCRYPTION

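#pubkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==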
Modulus:
PublicExponent: 0x03
# everything after this point is CKA_ID in hex format - not
the real values
PrivateExponent: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
Prime1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
Prime2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
Exponent1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
Exponent2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
Coefficient: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
CKAIDNSS: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
}
# do not change the indenting of that "}"

On 1 April 2016 at 18:04, Eero Volotinen  wrote:
> You must define connection address and key in ipsec.secrets.
>
> --
> Eero
>
>
> 2016-04-01 19:38 GMT+03:00 Glenn Pierce :
>
>> Just trying to follow the instructions here
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
>>
>> I don't think I am doing anything special.
>>
>> At the point where there is some communication going on
>>
>> Getting this error
>>
>> packet from *:1024: received Vendor ID payload [Cisco-Unity]
>> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from
>> ***:1024: received Vendor ID payload [Dead Peer Detection]
>> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***
>> :1024: initial Main Mode message received on :500 but no
>> connection has been authorized with policy RSASIG+IKEV1_ALLOW
>>
>> The errors are so vague.
>> Not sure what the problem is now
>>
>>
>>
>> My conf
>>
>>
>>
>> conn tunnel
>> #phase2alg=aes256-sha1;modp1024
>> keyexchange=ike
>> #ike=aes256-sha1;modp1024
>> left=192.168.1.122
>> leftnexthop=81.129.247.152   # My ISP assigned external ip address
>>  (I am testing at home)
>>
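>> leftrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
>> right=89.200.134.211
>>
>> rightrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==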
>> authby=secret|rsasig
>> # load and initiate automatically
>> auto=start
>>
>> conn site1
>> also=tunnel
>> leftsubnet=10.0.128.0/22
>> 

Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Eero Volotinen
You must define connection address and key in ipsec.secrets.

--
Eero


2016-04-01 19:38 GMT+03:00 Glenn Pierce :

> Just trying to follow the instructions here
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
>
> I don't think I am doing anything special.
>
> At the point where there is some communication going on
>
> Getting this error
>
> packet from *:1024: received Vendor ID payload [Cisco-Unity]
> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from
> ***:1024: received Vendor ID payload [Dead Peer Detection]
> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***
> :1024: initial Main Mode message received on :500 but no
> connection has been authorized with policy RSASIG+IKEV1_ALLOW
>
> The errors are so vague.
> Not sure what the problem is now
>
>
>
> My conf
>
>
>
> conn tunnel
> #phase2alg=aes256-sha1;modp1024
> keyexchange=ike
> #ike=aes256-sha1;modp1024
> left=192.168.1.122
> leftnexthop=81.129.247.152   # My ISP assigned external ip address
>  (I am testing at home)
>
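> leftrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==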
> right=89.200.134.211
>
> rightrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
> authby=secret|rsasig
> # load and initiate automatically
> auto=start
>
> conn site1
> also=tunnel
> leftsubnet=10.0.128.0/22
> rightsubnet=192.168.1.222/32
>
> conn site2
> also=tunnel
>
>
>
>
>
>
>
>
> On 1 April 2016 at 15:58, Eero Volotinen  wrote:
> > So you are using pkcs12 on centos:
> >
> > https://www.sslshopper.com/article-most-common-openssl-commands.html
> > --
> > Eero
> >
> > 2016-04-01 17:44 GMT+03:00 Glenn Pierce :
> >
> >> Sorry but I have looked for over two days. Trying every command I could
> >> find.
> >>
> >> There is obviously a misunderstanding somewhere.
> >>
> >> After generating a key pair with
> >> ipsec newhostkey --configdir /etc/ipsec.d --output
> /etc/ipsec.d/my.secrets
> >>
> >> I exported to a file with
> >> ipsec showhostkey --ipseckey > file
> >>
> >> The man page says
> >> ipsec showhostkey outputs in ipsec.conf(5) format,
> >>
> >> Ie
> >>
> >>
> >> ***.server.net.INIPSECKEY  10 0 2 .
> >>
> >>
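> AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==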
> >>
> >>
> >> Is this the format openssl is meant to be able to convert? Or is there
> >> an intermediate step I am missing, as like I said no command I found
> >> seems to work.
> >>
> >>
> >> On 1 April 2016 at 14:35, Eero Volotinen  wrote:
> >> > It works, try googling for openssl pem conversion
> >> > On 1.4.2016 at 4.32 PM, "Glenn Pierce" wrote:
> >> >
> >> >> I have tried
> >> >> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
> >> >>
> >> >> I get
> >> >> unable to load Private Key
> >> >> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
> >> >> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
> >> >>
> >> >>
> >> >>
> >> >> On 1 April 2016 at 13:59, Eero Volotinen 
> wrote:
> >> >> > You can do any kind of format conversions with openssl commandline
> >> >> client.
> >> >> >
> >> >> > Eero
> >> >> > On 1.4.2016 at 3.56 PM, "Glenn Pierce" wrote:
> >> >> >
> >> >> >> Hi I am trying to setup a libreswan vpn 

Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Glenn Pierce
Just trying to follow the instructions here
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html

I don't think I am doing anything special.

At the point where there is some communication going on

Getting this error

packet from *:1024: received Vendor ID payload [Cisco-Unity]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from
***:1024: received Vendor ID payload [Dead Peer Detection]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***
:1024: initial Main Mode message received on :500 but no
connection has been authorized with policy RSASIG+IKEV1_ALLOW

The errors are so vague.
Not sure what the problem is now



My conf



conn tunnel
#phase2alg=aes256-sha1;modp1024
keyexchange=ike
#ike=aes256-sha1;modp1024
left=192.168.1.122
leftnexthop=81.129.247.152   # My ISP assigned external ip address
 (I am testing at home)

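leftrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
right=89.200.134.211

rightrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==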
authby=secret|rsasig
# load and initiate automatically
auto=start

conn site1
also=tunnel
leftsubnet=10.0.128.0/22
rightsubnet=192.168.1.222/32

conn site2
also=tunnel








On 1 April 2016 at 15:58, Eero Volotinen  wrote:
> So you are using pkcs12 on centos:
>
> https://www.sslshopper.com/article-most-common-openssl-commands.html
> --
> Eero
>
> 2016-04-01 17:44 GMT+03:00 Glenn Pierce :
>
>> Sorry but I have looked for over two days. Trying every command I could
>> find.
>>
>> There is obviously a misunderstanding somewhere.
>>
>> After generating a key pair with
>> ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets
>>
>> I exported to a file with
>> ipsec showhostkey --ipseckey > file
>>
>> The man page says
>> ipsec showhostkey outputs in ipsec.conf(5) format,
>>
>> Ie
>>
>>
>> ***.server.net.INIPSECKEY  10 0 2 .
>>
>> AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
>>
>>
>> Is this the format openssl is meant to be able to convert? Or is there
>> an intermediate step I am missing, as like I said no command I found
>> seems to work.
>>
>>
>> On 1 April 2016 at 14:35, Eero Volotinen  wrote:
>> > It works, try googling for openssl pem conversion
>> > On 1.4.2016 at 4.32 PM, "Glenn Pierce" wrote:
>> >
>> >> I have tried
>> >> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
>> >>
>> >> I get
>> >> unable to load Private Key
>> >> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
>> >> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
>> >>
>> >>
>> >>
>> >> On 1 April 2016 at 13:59, Eero Volotinen  wrote:
>> >> > You can do any kind of format conversions with openssl commandline
>> >> client.
>> >> >
>> >> > Eero
>> >> > On 1.4.2016 at 3.56 PM, "Glenn Pierce" wrote:
>> >> >
>> >> >> Hi I am trying to set up a libreswan vpn between centos 7 and a
>> >> >> Mikrotik router.
>> >> >>
>> >> >> I am trying to get the keys working. My problem is the Mikrotik router
>> >> >> wants the key in PEM format
>> >> >>
>> >> >> How do I export the keys generated with ipsec newhostkey
>> >> >> into PEM format ?
>> >> >>
>> >> >>
>> >> >> Thanks
>> >> >> 

Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Glenn Pierce
I just removed the name. I will be regenerating again.
To be honest if an attacker were to get this to work I would buy them a drink :)

On 1 April 2016 at 17:01, Gordon Messmer  wrote:
> On 04/01/2016 07:44 AM, Glenn Pierce wrote:
>>
>> Ie
>> ***.server.net.INIPSECKEY  10 0 2 .
>
>
> Was that a key that you generated as an example, or your actual VPN key?
> The fact that you obscured part of it makes me think it might be the latter,
> but if that's the case, you really should generate a new key for your
> server.  The part you obscured isn't the sensitive part.
>
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Gordon Messmer

On 04/01/2016 07:44 AM, Glenn Pierce wrote:

> Ie
> ***.server.net.INIPSECKEY  10 0 2 .


Was that a key that you generated as an example, or your actual VPN 
key?  The fact that you obscured part of it makes me think it might be 
the latter, but if that's the case, you really should generate a new key 
for your server.  The part you obscured isn't the sensitive part.




Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Glenn Pierce
Typical, I think I just did it.

I downloaded a perl script to do it at

https://git.dn42.us/ryan/pubkey-converter/raw/master/pubkey-converter.pl


First I did
ipsec showhostkey --right > right.pub

I then edited the file to remove the ipsec key = line

Then I converted with

perl pubkey-converter.pl -p < right.pub > /home/glenn/right.pub


On 1 April 2016 at 15:44, Glenn Pierce  wrote:
> Sorry but I have looked for over two days. Trying every command I could find.
>
> There is obviously a misunderstanding somewhere.
>
> After generating a key pair with
> ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets
>
> I exported to a file with
> ipsec showhostkey --ipseckey > file
>
> The man page says
> ipsec showhostkey outputs in ipsec.conf(5) format,
>
> Ie
>
>
> ***.server.net.INIPSECKEY  10 0 2 .
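> AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==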
>
>
> Is this the format openssl is meant to be able to convert? Or is there
> an intermediate step I am missing, as like I said no command I found
> seems to work.
>
>
> On 1 April 2016 at 14:35, Eero Volotinen  wrote:
>> It works, try googling for openssl pem conversion
>> On 1.4.2016 at 4.32 PM, "Glenn Pierce" wrote:
>>
>>> I have tried
>>> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
>>>
>>> I get
>>> unable to load Private Key
>>> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
>>> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
>>>
>>>
>>>
>>> On 1 April 2016 at 13:59, Eero Volotinen  wrote:
>>> > You can do any kind of format conversions with openssl commandline
>>> client.
>>> >
>>> > Eero
>>> > On 1.4.2016 at 3.56 PM, "Glenn Pierce" wrote:
>>> >
>>> >> Hi I am trying to set up a libreswan vpn between centos 7 and a Mikrotik
>>> >> router.
>>> >>
>>> >> I am trying to get the keys working. My problem is the Mikrotik router
>>> >> wants the key in PEM format
>>> >>
>>> >> How do I export the keys generated with ipsec newhostkey
>>> >> into PEM format ?
>>> >>
>>> >>
>>> >> Thanks
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
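
What the conversion in this message amounts to, as an added Python example (it is not code from the thread and not the pubkey-converter.pl script): the base64 string libreswan prints, with or without the `0s` prefix, is an RFC 3110 RSA key (exponent length, exponent, modulus), and a PEM public key is those two integers wrapped in DER. The function names and the toy 64-bit sample key are constructed for illustration.

```python
import base64
import textwrap

# DER AlgorithmIdentifier: SEQUENCE { OID 1.2.840.113549.1.1.1 (rsaEncryption), NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

# Constructed sample: exponent 3 and a toy 64-bit modulus, NOT a usable key.
SAMPLE_KEY = "0s" + base64.b64encode(
    bytes([0x01, 0x03]) + bytes.fromhex("c1a2b3c4d5e6f708")).decode("ascii")


def parse_rfc3110(text):
    """Return (exponent, modulus) as ints from an RFC 3110 base64 RSA key.

    Accepts the ipsec.conf form ("0s" prefix) and the bare base64 that
    `ipsec showhostkey --ipseckey` prints after the record header.
    """
    text = "".join(text.split())            # tolerate mail/terminal line wrapping
    if text.startswith("0s"):
        text = text[2:]
    raw = base64.b64decode(text, validate=True)
    if len(raw) < 3:
        raise ValueError("too short for an RFC 3110 RSA key")
    elen, off = raw[0], 1
    if elen == 0:                           # long form: 16-bit length follows
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exponent, modulus = raw[off:off + elen], raw[off + elen:]
    if elen == 0 or len(exponent) != elen or not modulus:
        raise ValueError("truncated RFC 3110 RSA key")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")


def der(tag, body):
    """Encode one DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + body


def der_int(value):
    """DER INTEGER; bit_length() // 8 + 1 bytes keeps the top bit clear,
    so a modulus with its high bit set is not read as negative."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def to_pem(text):
    """Convert a libreswan RSA public key string to a PEM SubjectPublicKeyInfo."""
    exponent, modulus = parse_rfc3110(text)
    rsa_public_key = der(0x30, der_int(modulus) + der_int(exponent))
    spki = der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_public_key))
    body = "\n".join(textwrap.wrap(base64.b64encode(spki).decode("ascii"), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    print(to_pem(SAMPLE_KEY), end="")
```

The result can be checked with `openssl rsa -pubin -in right.pem -text -noout` (file name hypothetical), which should print the same modulus and exponent.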


Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Eero Volotinen
So you are using pkcs12 on centos:

https://www.sslshopper.com/article-most-common-openssl-commands.html
--
Eero

2016-04-01 17:44 GMT+03:00 Glenn Pierce :

> Sorry but I have looked for over two days. Trying every command I could
> find.
>
> There is obviously a misunderstanding somewhere.
>
> After generating a key pair with
> ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets
>
> I exported to a file with
> ipsec showhostkey --ipseckey > file
>
> The man page says
> ipsec showhostkey outputs in ipsec.conf(5) format,
>
> Ie
>
>
> ***.server.net.INIPSECKEY  10 0 2 .
>
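> AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==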
>
>
> Is this the format openssl is meant to be able to convert? Or is there
> an intermediate step I am missing, as like I said no command I found
> seems to work.
>
>
> On 1 April 2016 at 14:35, Eero Volotinen  wrote:
> > It works, try googling for openssl pem conversion
> > On 1.4.2016 at 4.32 PM, "Glenn Pierce" wrote:
> >
> >> I have tried
> >> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
> >>
> >> I get
> >> unable to load Private Key
> >> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
> >> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
> >>
> >>
> >>
> >> On 1 April 2016 at 13:59, Eero Volotinen  wrote:
> >> > You can do any kind of format conversions with openssl commandline
> >> client.
> >> >
> >> > Eero
> >> > On 1.4.2016 at 3.56 PM, "Glenn Pierce" wrote:
> >> >
> >> >> Hi I am trying to set up a libreswan vpn between centos 7 and a
> >> >> Mikrotik router.
> >> >>
> >> >> I am trying to get the keys working. My problem is the Mikrotik router
> >> >> wants the key in PEM format
> >> >>
> >> >> How do I export the keys generated with ipsec newhostkey
> >> >> into PEM format ?
> >> >>
> >> >>
> >> >> Thanks


Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Glenn Pierce
Sorry but I have looked for over two days. Trying every command I could find.

There is obviously a misunderstanding somewhere.

After generating a key pair with
ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets

I exported to a file with
ipsec showhostkey --ipseckey > file

The man page says
ipsec showhostkey outputs in ipsec.conf(5) format,

Ie


***.server.net.INIPSECKEY  10 0 2 .
AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==


Is this the format openssl is meant to be able to convert? Or is there
an intermediate step I am missing, as like I said no command I found
seems to work.


On 1 April 2016 at 14:35, Eero Volotinen  wrote:
> It works, try googling for openssl pem conversion
> On 1.4.2016 at 4.32 PM, "Glenn Pierce" wrote:
>
>> I have tried
>> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
>>
>> I get
>> unable to load Private Key
>> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
>> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
>>
>>
>>
>> On 1 April 2016 at 13:59, Eero Volotinen  wrote:
>> > You can do any kind of format conversions with openssl commandline
>> client.
>> >
>> > Eero
>> > On 1.4.2016 at 3.56 PM, "Glenn Pierce" wrote:
>> >
>> >> Hi I am trying to set up a libreswan vpn between centos 7 and a Mikrotik
>> >> router.
>> >>
>> >> I am trying to get the keys working. My problem is the Mikrotik router
>> >> wants the key in PEM format
>> >>
>> >> How do I export the keys generated with ipsec newhostkey
>> >> into PEM format ?
>> >>
>> >>
>> >> Thanks


Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Eero Volotinen
It works, try googling for openssl pem conversion
On 1.4.2016 at 4.32 PM, "Glenn Pierce" wrote:

> I have tried
> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
>
> I get
> unable to load Private Key
> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
>
>
>
> On 1 April 2016 at 13:59, Eero Volotinen  wrote:
> > You can do any kind of format conversions with openssl commandline
> client.
> >
> > Eero
> > On 1.4.2016 at 3.56 PM, "Glenn Pierce" wrote:
> >
> >> Hi I am trying to set up a libreswan vpn between centos 7 and a Mikrotik
> >> router.
> >>
> >> I am trying to get the keys working. My problem is the Mikrotik router
> >> wants the key in PEM format
> >>
> >> How do I export the keys generated with ipsec newhostkey
> >> into PEM format ?
> >>
> >>
> >> Thanks


Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Glenn Pierce
I have tried
openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem

I get
unable to load Private Key
140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:701:Expecting: ANY PRIVATE KEY



On 1 April 2016 at 13:59, Eero Volotinen  wrote:
> You can do any kind of format conversions with openssl commandline client.
>
> Eero
> On 1.4.2016 at 3.56 PM, "Glenn Pierce" wrote:
>
>> Hi I am trying to set up a libreswan vpn between centos 7 and a Mikrotik
>> router.
>>
>> I am trying to get the keys working. My problem is the Mikrotik router
>> wants the key in PEM format
>>
>> How do I export the keys generated with ipsec newhostkey
>> into PEM format ?
>>
>>
>> Thanks


Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Eero Volotinen
You can do any kind of format conversions with openssl commandline client.

Eero
On 1.4.2016 at 3.56 PM, "Glenn Pierce" wrote:

> Hi I am trying to set up a libreswan vpn between centos 7 and a Mikrotik
> router.
>
> I am trying to get the keys working. My problem is the Mikrotik router
> wants the key in PEM format
>
> How do I export the keys generated with ipsec newhostkey
> into PEM format ?
>
>
> Thanks