[CentOS] Libreswan PEM format

Glenn Pierce glennpierce at gmail.com
Fri Apr 1 16:38:31 UTC 2016


Just trying to follow the instructions here
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html

I don't think I am doing anything special.

At the point where there is some communication going on

Getting this error

packet from *****:1024: received Vendor ID payload [Cisco-Unity]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***:1024: received Vendor ID payload [Dead Peer Detection]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***:1024: initial Main Mode message received on ****:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW

The errors are so vague.
Not sure what the problem is now



My conf



conn tunnel
    #phase2alg=aes256-sha1;modp1024
    keyexchange=ike
    #ike=aes256-sha1;modp1024
    left=192.168.1.122
    leftnexthop=81.129.247.152   # my ISP-assigned external IP address (I am testing at home)
    leftrsasigkey=[key omitted]
    right=89.200.134.211
    rightrsasigkey=[key omitted]
    authby=secret|rsasig
    # load and initiate automatically
    auto=start

conn site1
    also=tunnel
    leftsubnet=10.0.128.0/22
    rightsubnet=192.168.1.222/32

conn site2
    also=tunnel








On 1 April 2016 at 15:58, Eero Volotinen <eero.volotinen at iki.fi> wrote:
> So you are using pkcs12 on centos:
>
> https://www.sslshopper.com/article-most-common-openssl-commands.html
> --
> Eero
>
> 2016-04-01 17:44 GMT+03:00 Glenn Pierce <glennpierce at gmail.com>:
>
>> Sorry but I have looked for over two days. Trying every command I could
>> find.
>>
>> There is obviously a misunderstanding somewhere.
>>
>> After generating a key pair with
>> ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets
>>
>> I exported to a file with
>> ipsec showhostkey --ipseckey > file
>>
>> The man pages says
>> ipsec showhostkey outputs in ipsec.conf(5) format,
>>
>> Ie
>>
>>
>> ***.server.net.    IN    IPSECKEY  10 0 2 .
>>
>> [key omitted]
>>
>>
>> Is this the format openssl is meant to be able to convert? Or is there
>> an intermediate step I am missing, as, like I said, no command I found
>> seems to work.
>>
>>
>> On 1 April 2016 at 14:35, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>> > It works; try googling for openssl PEM conversion.
>> > On 1.4.2016 4.32 p.m., "Glenn Pierce" <glennpierce at gmail.com> wrote:
>> >
>> >> I have tried
>> >> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
>> >>
>> >> I get
>> >> unable to load Private Key
>> >> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
>> >>
>> >>
>> >>
>> >> On 1 April 2016 at 13:59, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>> >> > You can do any kind of format conversion with the openssl command-line client.
>> >> >
>> >> > Eero
>> >> > On 1.4.2016 3.56 p.m., "Glenn Pierce" <glennpierce at gmail.com> wrote:
>> >> >
>> >> >> Hi, I am trying to set up a libreswan VPN between CentOS 7 and a Mikrotik router.
>> >> >>
>> >> >> I am trying to get the keys working. My problem is the Mikrotik router
>> >> >> wants the key in PEM format.
>> >> >>
>> >> >> How do I export the keys generated with ipsec newhostkey
>> >> >> into PEM format?
>> >> >>
>> >> >>
>> >> >> Thanks
>> >> >> _______________________________________________
>> >> >> CentOS mailing list
>> >> >> CentOS at centos.org
>> >> >> https://lists.centos.org/mailman/listinfo/centos
>> >> >>

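The conversion the thread is asking for, as an added example that is not part of the original thread and not libreswan's own tooling: the base64 that ipsec showhostkey prints (after the 0s prefix in a leftrsasigkey= line, or as the last field of the IPSECKEY record) is an RFC 3110 RSA public key, i.e. exponent length in one or three octets, exponent, modulus. It is not a PEM or DER object, which is why openssl rsa -in fails with "no start line". The script below parses that blob and re-encodes it as a DER SubjectPublicKeyInfo wrapped as "BEGIN PUBLIC KEY" PEM, the same thing openssl rsa -pubout emits. It uses only the standard library. The host name host.example. and the sample key (e=65537 with an arbitrary odd 512-bit integer as the modulus) are constructed for the example and are not a real key.

```python
"""Convert a libreswan raw RSA host key (RFC 3110 blob) to PEM public key."""
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption


def _der_len(n):
    """DER length field: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    """DER INTEGER for a non-negative int (leading 0x00 if the high bit is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def build_rfc3110(e, n):
    """Encode (e, n) as an RFC 3110 section 2 RSA public key blob."""
    e_bytes = e.to_bytes(max(1, (e.bit_length() + 7) // 8), "big")
    n_bytes = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if len(e_bytes) < 256:
        header = bytes([len(e_bytes)])            # one-octet exponent length
    else:
        header = b"\x00" + len(e_bytes).to_bytes(2, "big")  # three-octet form
    return header + e_bytes + n_bytes


def parse_rfc3110(blob):
    """Return (e, n) from an RFC 3110 blob; raise ValueError on a bad layout."""
    if len(blob) < 3:
        raise ValueError("key blob too short")
    if blob[0] != 0:
        elen, off = blob[0], 1
    else:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    if elen == 0 or off + elen >= len(blob):
        raise ValueError("exponent length does not fit the blob")
    e = int.from_bytes(blob[off:off + elen], "big")
    n = int.from_bytes(blob[off + elen:], "big")
    return e, n


def extract_key_b64(text):
    """Pull the base64 payload out of a leftrsasigkey=0s... line, an IPSECKEY
    record (RFC 4025, algorithm 2 = RSA) or a bare base64 string."""
    text = text.strip()
    m = re.search(r"IPSECKEY\s+\d+\s+\d+\s+(\d+)\s+\S+\s+(.*)$", text, re.S)
    if m:
        if m.group(1) != "2":
            raise ValueError("IPSECKEY algorithm %s is not RSA" % m.group(1))
        payload = m.group(2)
    else:
        # Assumption: a leading "0s" (optionally after name=) is libreswan's
        # base64 marker, never the start of the base64 itself.
        m = re.match(r"(?:\w+\s*=\s*)?0s(.+)$", text, re.S)
        payload = m.group(1) if m else text
    return "".join(payload.split())


def rfc3110_to_pem(text):
    """showhostkey output (any of the three forms) -> PEM SubjectPublicKeyInfo."""
    blob = base64.b64decode(extract_key_b64(text), validate=True)
    e, n = parse_rfc3110(blob)
    rsa_public_key = _der_tlv(0x30, _der_int(n) + _der_int(e))      # RSAPublicKey
    algorithm = _der_tlv(0x30, RSA_OID + b"\x05\x00")               # OID + NULL
    spki = _der_tlv(0x30, algorithm + _der_tlv(0x03, b"\x00" + rsa_public_key))
    b64 = base64.b64encode(spki).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def pem_to_der(pem):
    """Strip the PEM armour and return the DER bytes (used to check output)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


# Constructed sample input: NOT a real RSA key, only exercises the conversion.
SAMPLE_E = 65537
SAMPLE_N = (1 << 511) | 0x10001
SAMPLE_B64 = base64.b64encode(build_rfc3110(SAMPLE_E, SAMPLE_N)).decode("ascii")
SAMPLE_CONF_LINE = "leftrsasigkey=0s" + SAMPLE_B64
SAMPLE_IPSECKEY = "host.example.    IN    IPSECKEY  10 0 2 .\n\n" + SAMPLE_B64 + "\n"

if __name__ == "__main__":
    print(rfc3110_to_pem(SAMPLE_IPSECKEY), end="")
```

Feed it the 0s line from ipsec showhostkey --left or the record from ipsec showhostkey --ipseckey and give the resulting file to the peer; the private key never leaves the NSS database, and the public half is all the other side needs for authby=rsasig. Check the output with openssl rsa -pubin -in file.pem -noout -text, which prints the modulus and exponent back. Newer libreswan releases may be able to emit PEM from showhostkey directly; check the man page of the installed version before scripting around it.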