The private key for CKAID a4febfa93fb67078efe3ba5679ccae8adf61c568 was
generated on aqua6 (Host1), yet it is aqua4 (Host2) that is trying to use it?

Check left/right.  In aqua4's ipsec.conf, left=102.1.1.85 is aqua4's own
address, but leftrsasigkey is the AwEAAb4j/ key that was generated on aqua6;
aqua6's config likewise pairs right=102.1.1.89 (its own address) with the
rightckaid of aqua4's key, so each host ends up looking for a private key it
never had.  I'd go so far as emptying ipsec.secrets, and then creating an
ipsec.conf that is identical on both ends, as it may help with knowing which
is left and which is right.

For reference, this test from mainline exercises your scenario
https://testing.libreswan.org/v4.7-480-gc74f37b7b2-main/ipsec-hostkey-05-ikev2-raw-rsa/OUTPUT/west.console.verbose.txt

On Tue, 30 Aug 2022 at 10:47, Sony Arpita Das <[email protected]> wrote:
>
> Hi,
>
> I am trying to setup host-to-host VPN and I get the following message -
>  private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not 
> found: can't find the private key matching the NSS CKAID
>
>
> Here are the steps that I have followed -
>
> Host1 - aqua6 ; test IP - 102.1.1.89
> Host2 - aqua4; test IP - 102.1.1.85
>
> On Host1 -
> -----------------------------------------------
>
> [root@aqua6 42345]# rm -f /etc/ipsec.d/*db
>
> [root@aqua6 42345]# /usr/sbin/ipsec initnss --nssdir /etc/ipsec.d
> Initializing NSS database
>
> [root@aqua6 42345]# /usr/sbin/ipsec newhostkey
> Generated RSA key pair with CKAID a4febfa93fb67078efe3ba5679ccae8adf61c568 
> was stored in the NSS database
> The public key can be displayed using: ipsec showhostkey --left --ckaid 
> a4febfa93fb67078efe3ba5679ccae8adf61c568
> [root@aqua6 42345]# /usr/sbin/ipsec showhostkey --list
> < 1> RSA keyid: AwEAAb4j/ ckaid: a4febfa93fb67078efe3ba5679ccae8adf61c568
> [root@aqua6 42345]# /usr/sbin/ipsec showhostkey --left --ckaid 
> a4febfa93fb67078efe3ba5679ccae8adf61c568
>         # rsakey AwEAAb4j/
>         
> leftrsasigkey=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
>
>
> On Host2 -
> -----------------------------------------------
> [root@aqua4 etc]# rm -f /etc/ipsec.d/*db
> [root@aqua4 etc]# /usr/sbin/ipsec initnss --nssdir /etc/ipsec.d
> Initializing NSS database
>
> [root@aqua4 etc]# /usr/sbin/ipsec showhostkey --list
> [root@aqua4 etc]#  /usr/sbin/ipsec newhostkey
> Generated RSA key pair with CKAID 21075ce1a098cfcf82859e1b91e26f530c192bbe 
> was stored in the NSS database
> The public key can be displayed using: ipsec showhostkey --left --ckaid 
> 21075ce1a098cfcf82859e1b91e26f530c192bbe
> [root@aqua4 etc]# /usr/sbin/ipsec showhostkey --list
> < 1> RSA keyid: AwEAAbhUg ckaid: 21075ce1a098cfcf82859e1b91e26f530c192bbe
> [root@aqua4 etc]# /usr/sbin/ipsec showhostkey --right --ckaid 
> 21075ce1a098cfcf82859e1b91e26f530c192bbe
>         # rsakey AwEAAbhUg
>         
> rightrsasigkey=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
>
>
> ipsec.conf on Host1
> -----------------------------------------------
> [root@aqua6 ~]# cat /etc/ipsec.conf
> config setup
>     plutodebug=private
>     plutostderrlog=/var/log/openswan.log
>
>
> conn mytunnel
>     [email protected]
>     left=102.1.1.85
>     
> leftrsasigkey=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
>    [email protected]
>     right=102.1.1.89
>     
> rightrsasigkey=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
>     rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe
>
>     authby=rsasig
>     phase2alg=aes_gcm128
>     type=transport
>     auto=add
>
> ipsec.conf on Host2
> -----------------------------------------------
> [root@aqua4 ~]# cat /etc/ipsec.conf
> config setup
>     plutodebug=private
>     plutostderrlog=/var/log/openswan.log
>
>
> conn mytunnel
>     [email protected]
>     left=102.1.1.85
>     
> leftrsasigkey=0sAwEAAb4j/v2QI06S0rOX7g9k8bIkCp1yWIlGXZyRxp+WYAQcKb8sLaRRkeovlLv7lVadk4P00iwp77O7VYDRdFlWbs75eun3H/ewZHNZw9fHz84wNX/JF49UyKDWCnNuWrEGchVsDHmN2RNbsk4AkJFTd/nIxTHx6hElJmSTET24hac3vyQizwxkwg6JSLke0y1JJpfOP7OszYbjai/HvbUQNv0V6tiEReUAIDltSM1m1UfCAF812vw+ccQdttdzYaU9rQrrHGuwTMdBpOWWpCkDJOuSK5R0oKCAXyaBrvsaFuyJFTE0aclZ4HhXZY2lTdrQY9H0aRQX9LFka5xnJGajvdxzjqlLCV9Yi4TeiqUpnrP2NbGQkoy2nKTI9qUvFt7slnwk0lUG/DGzHRHwIsZYU+4olxLc5ECGPX2mAj8HY0NUU0wvz6NHt80HbA2DLDqGiVFQlR8yzPz0F0ga9DC0lpTjqgbUt4SXKwhvkQedgLJ5xP2V+Z7R/er8xVOjOibVSnBvJCQdXe3i/bpLwtIAGWz+3sidMgofTQLN6jqG8PRrAB8=
>     [email protected]
>     right=102.1.1.89
>     
> rightrsasigkey=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
>     authby=rsasig
>     phase2alg=aes_gcm128
>     type=transport
>     auto=add
>
>
> Setting tunnel on Host1 and Host 2
> -----------------------------------------------
> [root@aqua6 ~]# systemctl stop ipsec
> [root@aqua6 ~]# systemctl start ipsec
> [root@aqua6 42345]# /usr/sbin/ipsec setup start
> Redirecting to: systemctl start ipsec.service
> [root@aqua6 42345]# /usr/sbin/ipsec auto --add mytunnel
> 002 "mytunnel": terminating SAs using this connection
> 002 "mytunnel": added IKEv2 connection
>
> [root@aqua4 etc]# systemctl stop ipsec
> [root@aqua4 etc]# systemctl start ipsec
> [root@aqua4 etc]# /usr/sbin/ipsec auto --add mytunnel
> 002 "mytunnel": terminating SAs using this connection
> 002 "mytunnel": added IKEv2 connection
> [root@aqua4 etc]# /usr/sbin/ipsec auto --up mytunnel
> 181 "mytunnel" #1: initiating IKEv2 connection
> 181 "mytunnel" #1: sent IKE_SA_INIT request
> 003 "mytunnel" #1: private key matching CKAID 
> 'a4febfa93fb67078efe3ba5679ccae8adf61c568' not found: can't find the private 
> key matching the NSS CKAID
> 036 "mytunnel" #1: encountered fatal error in state STATE_V2_PARENT_I1
> 002 "mytunnel" #1: deleting state (STATE_V2_PARENT_I1) aged 0.006793s and NOT 
> sending notification
> 002 "mytunnel" #1: deleting IKE SA but connection is supposed to remain up; 
> schedule EVENT_REVIVE_CONNS
>
> [root@aqua4 ~]# ipsec version
> Linux Libreswan 4.5 (XFRM) on 4.18.0-372.9.1.el8.x86_64
>
> [root@aqua6 ~]# ipsec version
> Linux Libreswan 4.5 (XFRM) on 4.18.0-372.9.1.el8.x86_64
>