Hi, I am trying to set up a libreswan VPN between CentOS 7 and a Mikrotik router.
I am trying to get the keys working. My problem is that the Mikrotik router wants the key in PEM format.
How do I export the keys generated with ipsec newhostkey into PEM format?
Thanks
You can do any kind of format conversion with the openssl command-line client.
Eero
On 1.4.2016 3:56 pm, "Glenn Pierce" glennpierce@gmail.com wrote:
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
I have tried
openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
I get
unable to load Private Key
140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
On 1 April 2016 at 13:59, Eero Volotinen eero.volotinen@iki.fi wrote:
It works; try googling for openssl pem conversion.
On 1.4.2016 4:32 pm, "Glenn Pierce" glennpierce@gmail.com wrote:
Sorry, but I have looked for over two days, trying every command I could find.
There is obviously a misunderstanding somewhere.
After generating a key pair with
ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets
I exported it to a file with
ipsec showhostkey --ipseckey > file
The man page says ipsec showhostkey outputs in ipsec.conf(5) format, i.e.
***.server.net. IN IPSECKEY 10 0 2 . AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
Is this the format openssl is meant to be able to convert? Or is there an intermediate step I am missing, as, like I said, no command I found seems to work.
On 1 April 2016 at 14:35, Eero Volotinen eero.volotinen@iki.fi wrote:
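The openssl error reported earlier in the thread is expected: openssl rsa reads a PEM or DER private key unless it is given -pubin, and the ipsec showhostkey --ipseckey output is neither. That record carries the RFC 3110 RSA public key encoding used by DNS IPSECKEY and DNSKEY records (a one-byte exponent length, or a zero byte followed by a two-byte length, then the exponent, then the modulus, all base64-encoded), which is also what libreswan's leftrsasigkey= value holds behind its "0s" prefix. The key in the record above starts with "AQPs", which decodes to the bytes 0x01 0x03 0xEC: exponent length 1, exponent 3, matching the PublicExponent: 0x03 that appears in the secrets file later in the thread. The Python script below is an added example, not code from the thread or from libreswan; it decodes that blob and re-encodes the public key as a standard PEM SubjectPublicKeyInfo using a small hand-written DER encoder, so it needs nothing beyond the standard library. The sample key it builds for itself is constructed, not the poster's.

```python
import base64

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1), tag and length included
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(value):
    """DER INTEGER: minimal big-endian bytes, with a leading 0x00 when the top bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der(0x02, body)


def parse_ipseckey_rsa(blob):
    """Decode the RFC 3110 RSA public key carried in an IPSECKEY/DNSKEY record
    (what `ipsec showhostkey --ipseckey` prints) or in a libreswan leftrsasigkey=
    value (same data with a '0s' prefix). Returns (e, n)."""
    text = "".join(blob.split())          # tolerate line wrapping in the pasted record
    if text.startswith("0s"):             # libreswan's base64 marker
        text = text[2:]
    raw = base64.b64decode(text)
    if raw[0] != 0:                       # one-byte exponent length
        e_len, pos = raw[0], 1
    else:                                 # zero escape: two-byte exponent length follows
        e_len, pos = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[pos:pos + e_len], "big")
    n = int.from_bytes(raw[pos + e_len:], "big")
    return e, n


def encode_ipseckey_rsa(e, n):
    """Inverse of parse_ipseckey_rsa, in libreswan's '0s' form; used to build sample input."""
    e_bytes = e.to_bytes(max(1, (e.bit_length() + 7) // 8), "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(e_bytes) < 256:
        header = bytes([len(e_bytes)])
    else:
        header = b"\x00" + len(e_bytes).to_bytes(2, "big")
    return "0s" + base64.b64encode(header + e_bytes + n_bytes).decode("ascii")


def rsa_public_key_pem(e, n):
    """Wrap (e, n) as a SubjectPublicKeyInfo and PEM-armor it ("BEGIN PUBLIC KEY")."""
    rsa_public_key = _der(0x30, _der_integer(n) + _der_integer(e))        # RSAPublicKey
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")              # AlgorithmIdentifier
    spki = _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))   # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"


def ipseckey_to_pem(blob):
    e, n = parse_ipseckey_rsa(blob)
    return rsa_public_key_pem(e, n)


def pem_to_der(pem):
    """Strip the PEM armor and return the DER bytes (handy for checking the output)."""
    lines = [line for line in pem.splitlines() if line and not line.startswith("-----")]
    return base64.b64decode("".join(lines))


if __name__ == "__main__":
    # Constructed sample: exponent 3 and an arbitrary 256-bit odd number standing in for a modulus.
    sample = encode_ipseckey_rsa(3, (1 << 255) | 12345)
    print(ipseckey_to_pem(sample))
```

Feed ipseckey_to_pem the base64 string after the "." in the IPSECKEY record (or the leftrsasigkey= value) and verify the result with openssl rsa -pubin -in key.pem -noout -text; the modulus and exponent it prints should match the record. This produces only the public key, which is what a peer needs to verify the CentOS host's signatures; the private components are not in the showhostkey output (the secrets file later in the thread says so itself: everything after the public exponent is a CKA_ID reference, not the real values), so nothing secret leaves the host when the PEM is copied to the router.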
So you are using PKCS12 on CentOS:
https://www.sslshopper.com/article-most-common-openssl-commands.html
-- Eero
2016-04-01 17:44 GMT+03:00 Glenn Pierce glennpierce@gmail.com:
Just trying to follow the instructions here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
I don't think I am doing anything special.
At the point where there is some communication going on, I am getting this error:
packet from *****:1024: received Vendor ID payload [Cisco-Unity]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***:1024: received Vendor ID payload [Dead Peer Detection]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from *** :1024: initial Main Mode message received on ****:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
The errors are so vague. Not sure what the problem is now.
My conf:
conn tunnel
        #phase2alg=aes256-sha1;modp1024
        keyexchange=ike
        #ike=aes256-sha1;modp1024
        left=192.168.1.122
        leftnexthop=81.129.247.152 # My ISP-assigned external IP address (I am testing at home)
        leftrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
        right=89.200.134.211
        rightrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
        authby=secret|rsasig
        # load and initiate automatically
        auto=start

conn site1
        also=tunnel
        leftsubnet=10.0.128.0/22
        rightsubnet=192.168.1.222/32

conn site2
        also=tunnel
On 1 April 2016 at 15:58, Eero Volotinen eero.volotinen@iki.fi wrote:
You must define connection address and key in ipsec.secrets.
-- Eero
2016-04-01 19:38 GMT+03:00 Glenn Pierce glennpierce@gmail.com:
I generated according to the docs, which produced my server.secrets as below.
I used the command
ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/www.example.com.secrets
: RSA {
        # RSA 3328 bits ***.**.net Fri Apr 1 15:39:32 2016
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
        Modulus: 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
        PublicExponent: 0x03
        # everything after this point is CKA_ID in hex format - not the real values
        PrivateExponent: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
        Prime1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
        Prime2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
        Exponent1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
        Exponent2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
        Coefficient: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
        CKAIDNSS: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
        }
# do not change the indenting of that "}"
On 1 April 2016 at 18:04, Eero Volotinen eero.volotinen@iki.fi wrote:
IPsec is very complex with certificates. Try first with PSK authentication and then with certificates.
-- Eero
2016-04-01 20:21 GMT+03:00 Glenn Pierce glennpierce@gmail.com:
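For the PSK test suggested here, and for the earlier point that ipsec.secrets must carry the address pair and the key, the following is a minimal libreswan configuration added as an example; it is not taken from the thread or from the Red Hat guide. The addresses (RFC 5737 documentation ranges), subnets and the PSK value are constructed placeholders. It also bears on the pluto message seen above, "initial Main Mode message received ... but no connection has been authorized with policy RSASIG+IKEV1_ALLOW": pluto logs that when the peer's first IKE message arrives and no loaded conn matches the peer's address with a compatible authentication policy, so the conn has to be loaded and its right= has to be the address the packets actually come from.

```ini
# /etc/ipsec.conf (or a file under /etc/ipsec.d/ ending in .conf)
conn mikrotik-psk
        keyexchange=ike
        ikev2=no                  # the log shows the router speaking IKEv1 Main Mode
        authby=secret             # pre-shared key for the first test; switch to rsasig later
        left=192.0.2.10           # this CentOS host (constructed address)
        leftsubnet=10.0.128.0/22  # LAN behind it (constructed)
        right=198.51.100.20       # the Mikrotik's public address (constructed)
        rightsubnet=10.0.200.0/24 # LAN behind the router (constructed)
        auto=start

# /etc/ipsec.secrets (root-owned, mode 0600): "<local address> <peer address> : PSK"
192.0.2.10 198.51.100.20 : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

After editing, reload with ipsec restart (or ipsec auto --add mikrotik-psk followed by ipsec auto --up mikrotik-psk) and confirm the conn is loaded with ipsec auto --status; if pluto still reports that no connection has been authorized, either the conn did not load or the packets are arriving from an address other than right=. Once PSK works, move to authby=rsasig: note that the conn shown earlier in the thread sets rightrsasigkey= to the same value as leftrsasigkey=, whereas rightrsasigkey= must hold the Mikrotik's own public key, with leftrsasigkey= holding the CentOS host's key from ipsec showhostkey.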
I did :) I'm all for an easy life.
I got a very similar error: instead of "but no connection has been authorized with policy RSASIG+IKEV1_ALLOW" I got "but no connection has been authorized with policy PSK+IKEV1_ALLOW".
I did read somewhere, though, that errors are red herrings, which is helpful.
Thanks
On 1 April 2016 at 18:39, Eero Volotinen eero.volotinen@iki.fi wrote:
IPSec is very complex with certificates. try first with PSK authentication and then with certificates
-- Eero
2016-04-01 20:21 GMT+03:00 Glenn Pierce glennpierce@gmail.com:
I generated according to the docs . Which produced my server.secrets as below
used the command
ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/www.example.com.secrets
: RSA { # RSA 3328 bits ***.**.net Fri Apr 1 15:39:32 2016 # for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw== Modulus:
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 PublicExponent: 0x03 # everything after this point is CKA_ID in hex format - not the real values PrivateExponent: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514 Prime1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514 Prime2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514 Exponent1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514 Exponent2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514 Coefficient: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514 CKAIDNSS: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514 } # do not change the indenting of that "}"
On 1 April 2016 at 18:04, Eero Volotinen eero.volotinen@iki.fi wrote:
You must define connection address and key in ipsec.secrets.
-- Eero
2016-04-01 19:38 GMT+03:00 Glenn Pierce glennpierce@gmail.com:
Just trying to follow the instructions here
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
I don't think I am doing anything special.
At the point where there is some communication going on
Getting this error
packet from *****:1024: received Vendor ID payload [Cisco-Unity] Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***:1024: received Vendor ID payload [Dead Peer Detection] Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from *** :1024: initial Main Mode message received on ****:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
The errors are so vague. Not sure what the problem is now
My conf
conn tunnel #phase2alg=aes256-sha1;modp1024 keyexchange=ike #ike=aes256-sha1;modp1024 left=192.168.1.122 leftnexthop=81.129.247.152 # My ISP assigned external ip adresss (I am testing at home)
leftrsasigkey=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
right=89.200.134.211
rightrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
authby=secret|rsasig # load and initiate automatically auto=start
conn site1 also=tunnel leftsubnet=10.0.128.0/22 rightsubnet=192.168.1.222/32
conn site2 also=tunnel
On 1 April 2016 at 15:58, Eero Volotinen eero.volotinen@iki.fi wrote:
So you are using pkcs12 on centos:
https://www.sslshopper.com/article-most-common-openssl-commands.html
Eero
2016-04-01 17:44 GMT+03:00 Glenn Pierce glennpierce@gmail.com:
Sorry but I have looked for over two days. Trying every command I
could
find.
There is obviously a misunderstanding somewhere.
After generating a key pair with ipsec newhostkey --configdir /etc/ipsec.d --output
/etc/ipsec.d/my.secrets
I exported to a file with ipsec showhostkey --ipseckey > file
The man pages says ipsec showhostkey outputs in ipsec.conf(5) format,
Ie
***.server.net. IN IPSECKEY 10 0 2 .
AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
Is this the format openssl is meant to be able to convert? Or is there an intermediate step I am missing, as, like I said, no command I found seems to work.
Typical, I think I just did it.
I downloaded a perl script to do it at
https://git.dn42.us/ryan/pubkey-converter/raw/master/pubkey-converter.pl
First I did ipsec showhostkey --right > right.pub
I then edited the file to remove the ipsec key = line
Then I converted with
perl pubkey-converter.pl -p < right.pub > /home/glenn/right.pub
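For the record, the reason every openssl invocation in this thread fails is that the value `ipsec showhostkey` prints is not a key in any format openssl reads. The string after `0s` (and the identical base64 in the IPSECKEY record) is the RFC 3110 RSA public key: one byte of exponent length (or 0x00 plus two bytes), the exponent, then the modulus, base64-encoded. The key quoted above starts `AQPs`, which decodes to 01 03 EC: exponent length 1, exponent 3, modulus beginning 0xEC. Only the public half is involved; the private key stays where `ipsec newhostkey` put it. The script below is an added example, not code from the thread, from libreswan or from the linked perl script: it parses that format and writes a SubjectPublicKeyInfo PEM ("BEGIN PUBLIC KEY"), the form `openssl rsa -pubin` reads, and also goes the other way, turning a PEM public key (assumed here to be what the far end hands you for its side) into the `rightrsasigkey=` value for ipsec.conf. The `extract_key` helper and the `SAMPLE_*` constants are my own; the sample modulus is a constructed 2048-bit odd number, not a real RSA key, chosen so that its encoding begins `0sAQPs` like the one in the thread.

```python
"""Convert an RSA public key between libreswan's text form and PEM.

`ipsec showhostkey` prints "0s" + base64(RFC 3110 RSA key):
    <exponent length: 1 byte, or 0x00 + 2 bytes> <exponent> <modulus>
The same base64 (without "0s") is the RDATA of an IPSECKEY RR, algorithm 2.
It is neither PEM nor DER, hence openssl's "no start line".  Stdlib only.
"""
import base64
import re

# DER-encoded OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def _tlv(buf, pos, want):
    """Read one DER TLV at pos, check its tag, return (value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise ValueError("expected DER tag 0x%02x, got 0x%02x" % (want, tag))
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return buf[pos:pos + length], pos + length


def extract_key(text):
    """Pull the key out of a 'rightrsasigkey=0s...' line or an IPSECKEY RR
    ('... IN IPSECKEY 10 0 2 . AQ...'); anything else is returned stripped."""
    m = re.search(r"rsasigkey\s*=\s*(0s\S+)", text)
    if not m:
        m = re.search(r"IPSECKEY\s+\d+\s+\d+\s+\d+\s+\S+\s+(\S+)", text)
    return m.group(1) if m else text.strip()


def rfc3110_decode(key):
    """'0sAQ...' or bare base64 -> (e, n)."""
    raw = base64.b64decode(key[2:] if key.startswith("0s") else key)
    elen, pos = raw[0], 1
    if elen == 0:  # long form: two-byte exponent length follows
        elen, pos = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[pos:pos + elen], "big")
    n = int.from_bytes(raw[pos + elen:], "big")
    return e, n


def rfc3110_encode(e, n):
    """(e, n) -> '0s...' as used for left/rightrsasigkey= in ipsec.conf."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    hdr = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    return "0s" + base64.b64encode(hdr + eb + nb).decode("ascii")


def to_pem(e, n):
    """(e, n) -> SubjectPublicKeyInfo PEM ('BEGIN PUBLIC KEY')."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))        # RSAPublicKey
    alg = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")      # AlgorithmIdentifier
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body


def from_pem(pem):
    """SubjectPublicKeyInfo PEM -> (e, n); rejects non-RSA keys."""
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    spki, _ = _tlv(base64.b64decode(body), 0, 0x30)
    alg, pos = _tlv(spki, 0, 0x30)
    if not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bits, _ = _tlv(spki, pos, 0x03)
    rsa_key, _ = _tlv(bits, 1, 0x30)  # skip the unused-bits byte
    nb, pos = _tlv(rsa_key, 0, 0x02)
    eb, _ = _tlv(rsa_key, pos, 0x02)
    return int.from_bytes(eb, "big"), int.from_bytes(nb, "big")


# Constructed sample, NOT a real RSA modulus: a 2048-bit odd number whose first
# byte (0xEC) and exponent (3) match the key quoted in the thread.
SAMPLE_E = 3
SAMPLE_N = int("ec" + "5a" * 254 + "5b", 16)
SAMPLE_0S = rfc3110_encode(SAMPLE_E, SAMPLE_N)

if __name__ == "__main__":
    import sys
    # ipsec showhostkey --right | python3 rsakeyconv.py -      (0s -> PEM)
    # python3 rsakeyconv.py - < peer-pubkey.pem                (PEM -> 0s)
    src = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_0S
    key = extract_key(src)
    if key.startswith("-----"):
        print(rfc3110_encode(*from_pem(key)))
    else:
        print(to_pem(*rfc3110_decode(key)), end="")
```

Check the result with `openssl rsa -pubin -in key.pem -noout -text`; the modulus and exponent it prints should match what `ipsec showhostkey --right` describes. If the far end insists on the PKCS#1 form ("BEGIN RSA PUBLIC KEY") rather than SubjectPublicKeyInfo, `openssl rsa -pubin -in key.pem -RSAPublicKey_out` converts between the two.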
On 04/01/2016 07:44 AM, Glenn Pierce wrote:
Ie ***.server.net. IN IPSECKEY 10 0 2 .
Was that a key that you generated as an example, or your actual VPN key? The fact that you obscured part of it makes me think it might be the latter, but if that's the case, you really should generate a new key for your server. The part you obscured isn't the sensitive part.
I just removed the name. I will be regenerating again. To be honest, if an attacker were to get this to work I would buy them a drink :)