Hi Paul,

Thank you for responding, here are the command outputs:

[root@aqua6 ~]# certutil -K -d sql:/etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 56b52184dbbf33748cd5e6e45c8496b286ba8506 (orphan)
[root@aqua6 ~]# certutil -K -d sql:/var/lib/ipsec/nss/ipsec.d
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
[root@aqua6 ~]# ipsec auto --listall
000
000 List of Public Keys:
000
000 Sep 01 02:49:52 2022, 3104 RSA Key AwEAAb5ft (no private key), until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@aqua4.blr.asicdesigners.com'
000 Sep 01 02:49:52 2022, 4080 RSA Key AwEAAeTF3 (has private key), until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@aqua6.blr.asicdesigners.com'
000
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000
000 0: RSA (none) (none)
000 ckaid: 56b52184dbbf33748cd5e6e45c8496b286ba8506
000
000 List of X.509 End Certificates:
000
000 List of X.509 CA Certificates:
000
000 List of CRLs:
000

Please note that I re-did the key generation, so the CKAID has changed on both aqua4/aqua6.

Thanks,
Sony

On Tue, Aug 30, 2022 at 9:44 PM Paul Wouters <[email protected]> wrote:
> On Tue, 30 Aug 2022, Sony Arpita Das wrote:
>
> > I am trying to setup host-to-host VPN and I get the following message -
> > private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: can't find the
> > private key matching the NSS CKAID
>
> Can you try:
>
> certutil -K -d sql:/etc/ipsec.d
> certutil -K -d sql:/var/lib/ipsec/nss/ipsec.d
>
> Just to confirm that you are using the nssdb you think you are using?
>
> > rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiVQUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnzgCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMndamPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gChpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6sVvepFRNGEPh
> > rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe
>
> Note that ckaid is only a LOCAL identifier, so be sure to only use it as
> such. The rsasigkey= can be used as LOCAL and REMOTE identifier. Maybe
> instead of rightckaid=, use
>
> > rightrsasigkey=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
>
> > [root@aqua6 42345]# /usr/sbin/ipsec auto --add mytunnel
> > 002 "mytunnel": terminating SAs using this connection
> > 002 "mytunnel": added IKEv2 connection
>
> After you do this, can you do: ipsec auto --listall which should show us
> the keys loaded.
>
> Paul
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
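The check Paul walks Sony through above (does the CKAID named in the connection actually have a private key in the NSS database the daemon reads?) can be scripted. The following is an added example, not code from the thread or from Libreswan: it parses `certutil -K -d sql:<dir>` output for CKAIDs, pulls leftckaid=/rightckaid= out of an ipsec.conf conn section, and only requires the LOCAL (left) CKAID to match a private key, since, as Paul notes, a ckaid is a local identifier and the remote side's CKAID is not expected to resolve here. The certutil and ipsec.conf text embedded below is constructed sample input modelled on the thread (the hostnames and CKAID values are the ones quoted in it); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or Libreswan): verify that the CKAID a
# conn uses for its local side has a private key in the NSS database, using
# the output of `certutil -K -d sql:<dir>`.

# Print one 40-hex-digit CKAID per line from `certutil -K` output.
# certutil lines look like:   < 0> rsa 56b5...8506 (orphan)
# "(orphan)" only means the key has no matching certificate, which is
# normal for raw-RSA (rsasigkey=) setups.
ckaids_from_certutil() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*<[[:space:]]*[0-9]*>[[:space:]]*[a-z]*[[:space:]]*\([0-9a-f]\{40\}\).*/\1/p'
}

# Print the value of leftckaid= or rightckaid= for one conn section.
# $1 = ipsec.conf text, $2 = conn name, $3 = left|right
conn_ckaid() {
    printf '%s\n' "$1" | awk -v conn="$2" -v key="${3}ckaid" '
        /^[[:space:]]*conn[[:space:]]/ { inconn = ($2 == conn) }
        inconn && $0 ~ ("^[[:space:]]*" key "=") {
            sub(/^[^=]*=/, ""); gsub(/[[:space:]]/, ""); print; exit
        }'
}

# Exit 0 if $2 (a CKAID) appears in the certutil output $1, else 1.
ckaid_has_private_key() {
    ckaids_from_certutil "$1" | grep -qx "$2"
}

# Report on a conn. The local (left) CKAID must have a private key here;
# the remote (right) CKAID only means something on the peer, so a miss
# there is noted on stderr, not treated as an error. Prints OK or MISSING
# and returns 0 only when the local key is present.
check_conn() {
    certutil_out=$1; conf=$2; conn=$3
    local_ckaid=$(conn_ckaid "$conf" "$conn" left)
    remote_ckaid=$(conn_ckaid "$conf" "$conn" right)
    if [ -n "$remote_ckaid" ] && ! ckaid_has_private_key "$certutil_out" "$remote_ckaid"; then
        echo "note: rightckaid $remote_ckaid has no local private key (expected for a remote id)" >&2
    fi
    if [ -n "$local_ckaid" ] && ckaid_has_private_key "$certutil_out" "$local_ckaid"; then
        echo "OK"; return 0
    fi
    echo "MISSING"; return 1
}

# Constructed sample: certutil -K output shaped like the one in the thread.
SAMPLE_CERTUTIL='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 56b52184dbbf33748cd5e6e45c8496b286ba8506 (orphan)'

# Constructed sample conn; hostnames and CKAIDs are the ones quoted in the thread.
SAMPLE_CONF='conn mytunnel
    left=aqua6.blr.asicdesigners.com
    leftckaid=56b52184dbbf33748cd5e6e45c8496b286ba8506
    right=aqua4.blr.asicdesigners.com
    rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe'

# On a real host you would feed it the live data instead, e.g.
#   check_conn "$(certutil -K -d sql:/etc/ipsec.d 2>&1)" "$(cat /etc/ipsec.conf)" mytunnel
check_conn "$SAMPLE_CERTUTIL" "$SAMPLE_CONF" mytunnel
```

Run it against the database the daemon is actually configured to use; a `SEC_ERROR_BAD_DATABASE` from certutil, as in Sony's second command, yields no CKAIDs at all and so reports MISSING, which is the right signal that the path is wrong rather than the key.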
