Ipsec Rsasigkey: Key Pair Generation Failed: -8187
This is starting to piss me off. I've been trying for a long time now to implement a VPN between two sites using OpenSwan and CentOS and I just can't make it work. In the past I remember it being so easy using Debian.
Here's the setup: two offices remotely connected, running the same CentOS version.
First problem was the absence of the RSA key. Not a problem, let's create it:
# ipsec newhostkey --output /etc/ipsec.d/hostkeys.secrets --bits 2048
ipsec rsasigkey: configdir is required
Kay, that's a new one. Fine, did some searching and found a configdb at /etc/pki/nssdb/. Again:
# ipsec newhostkey --configdir /etc/pki/nssdb/ --output /etc/ipsec.d/hostkeys.secrets --bits 2048
After a loooooong time, it was ready. Okay, now let's just create ipsec.conf, as always. Keys were copied from the output of ipsec showhostkey --left/right
# cat /etc/ipsec.conf
version 2.0

config setup
    plutodebug='control parsing'
    plutostderrlog=/var/log/ipsec.log
    protostack=netkey
    nat_traversal=no
    virtual_private=
    oe=off

conn <myConn>
    left=X.X.X.X
    leftsubnet=Y.Y.Y.Y/YY
    leftnexthop=Z.Z.Z.Z
    leftrsasigkey=sdniuaheiua..
    right=A.A.A.A
    rightsubnet=B.B.B.B/BB
    rightnexthop=C.C.C.C
    rightrsasigkey=msnaibaiufb..
    auto=start
The file is exactly the same at both ends and I'M 100% SURE THE KEYS WERE COPIED CORRECTLY. The thing is:
# service ipsec start
# tail -f /var/log/ipsec.log
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-220.7.1.el6.x86_64..
ipsec_setup: multiple ip addresses, using X.X.X.X on eth1
..
And then I start getting a huge amount of:
'myConn' #11: Signature check (on A.A.A.A) failed (wrong key?); tried *AQPbuQvlQ
public key for A.A.A.A failed: decrypted SIG payload into a malformed ECB (3NSS error: Not able to decrypt)
'myConn' #11: sending encrypted notification INVALID_KEY_INFORMATION to A.A.A.A:500
..
And the thing goes into a loop.
1) I've already lost count of how many times I recreated those keys
2) I've already n_checked for typos and I can guarantee the keys are correct
I tried recreating them by following this link (going back to basics): http://www.linuxhomenetworking.com/w..enswan_Started
# ipsec rsasigkey --verbose 2048 > keys.tmp
(once again the error about configdir.. okay)
# ipsec --configdir /etc/pki/nssdb rsasigkey --verbose 2048 > keys.tmp
Again, after a long time, I get a new error: 'ipsec rsasigkey: key pair generation failed: "-8037"'
I followed till this link (https://lists.openswan.org/pipermail..er/017845.html), installed nss-tools and tried the commands as they were:
# certutil -N -d /etc/ipsec.d (typed in a password when prompted)
# ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/hostkeys.secrets --bits 2048 --password <password_ive_typed>
Again, after a long time it ended, but when I checked the new keys with ipsec showhostkey, I got this:
premature end of RSA key
Which seemed reasonable, since one box had a 2 line key and the other had 3.
As expected, those keys didn't work (same error about INVALID_KEY)
Tried with a smaller, 1024 bit key. I didn't get the error on premature end, but the INVALID_KEY messages still persist.
I just don't know what to do anymore. Any way I can try to solve this without having to change distributions?
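
An added example, not part of the original post and not Openswan code: a Python check for two symptoms in the post, the "premature end of RSA key" on keys wrapped over two or three lines and the "tried *AQPbuQvlQ" key ID in the log. It assumes the showhostkey values are "0s" plus base64 of an RFC 3110 blob and that the logged ID is the first nine base64 characters of the key; the function names and the sample key are constructed here.

```python
import base64
import binascii

def parse_rsasigkey(value):
    """Decode a leftrsasigkey/rightrsasigkey value: "0s" + base64 of an RFC 3110 blob."""
    text = "".join(value.split())           # a key wrapped over several lines: drop whitespace
    if not text.startswith("0s"):
        raise ValueError("expected a 0s-prefixed base64 value")
    b64 = text[2:].rstrip("=")
    try:
        blob = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64, key is cut or mis-pasted") from exc
    if len(blob) < 3:
        raise ValueError("premature end of RSA key")
    elen, off = blob[0], 1                  # one-byte exponent length ...
    if elen == 0:                           # ... or 0 followed by a two-byte length
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    exponent, modulus = blob[off:off + elen], blob[off + elen:]
    if len(exponent) < elen or not modulus:
        raise ValueError("premature end of RSA key")
    return {"keyid": b64[:9],               # assumed to be what pluto logs after "tried *"
            "e": int.from_bytes(exponent, "big"),
            "bits": int.from_bytes(modulus, "big").bit_length(),
            "blob": blob}

def compare_ends(key_in_peer_conf, key_from_owner, expected_bits=2048):
    """Return a list of problems with the copy of a key held on the other gateway."""
    problems = []
    try:
        copy, orig = parse_rsasigkey(key_in_peer_conf), parse_rsasigkey(key_from_owner)
    except ValueError as exc:
        return [str(exc)]
    if copy["bits"] != expected_bits:
        problems.append(f"copied key has a {copy['bits']}-bit modulus, expected {expected_bits}")
    if copy["blob"] != orig["blob"]:
        problems.append("copy differs from the owner's showhostkey output")
    return problems

# Constructed sample (not a real key): exponent 3 and a 256-byte modulus whose
# leading bytes give the key ID seen in the post's log line, AQPbuQvlQ.
_BLOB = bytes([1, 3]) + bytes.fromhex("dbb90be540") + bytes(250) + b"\x01"
SAMPLE = "0s" + base64.b64encode(_BLOB).decode()
WRAPPED = "\n\t".join(SAMPLE[i:i + 128] for i in range(0, len(SAMPLE), 128))
TRUNCATED = SAMPLE[:130]                    # only the first wrapped line was pasted

if __name__ == "__main__":
    print(parse_rsasigkey(WRAPPED)["keyid"], compare_ends(WRAPPED, SAMPLE))
    print(parse_rsasigkey(TRUNCATED)["keyid"], compare_ends(TRUNCATED, SAMPLE))
```

Under that assumption the ID comes from the start of the key, so a copy that lost its last wrapped line still shows the same ID in the log; compare the full value and the modulus size on both gateways rather than the ID alone.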
I run Ubuntu 9.10 locally connecting to CentOS5 on a remote server. When I run the following command in the Terminal:
ssh -v -L 10005:localhost:10000 root@remoteipaddress -F /.sshconfig -i /.ssh/privatekeyfilename
after 'Authentication succeeded (publickey)' I get the following for channel 1:
systunopen: failed to open tunnel control.

A value of 0 disables replay protection. Disabling of replay protection is sometimes used on a pair of IPsec servers in a High Availability setup, or on servers with very unpredictable latency, such as mobile networks, which can cause an excessive amount of out of order packets.

  • Public-key encryption provides better authentication techniques, hence the reason for using a combination of both. Public Key Infrastructure, PKI, is a system to verify and authenticate the validity of each party involved in an Internet transaction. PKI is an asymmetric key system that consists of a pair of keys consisting of a public key and a.
