[CentOS] Libreswan PEM format

Fri Apr 1 17:04:48 UTC 2016
Eero Volotinen <eero.volotinen at iki.fi>

You must define connection address and key in ipsec.secrets.

--
Eero


2016-04-01 19:38 GMT+03:00 Glenn Pierce <glennpierce at gmail.com>:

> Just trying to follow the instructions here
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
>
> I don't think I am doing anything special.
>
> At the point where there is some communication going on
>
> Getting this error
>
> packet from *****:1024: received Vendor ID payload [Cisco-Unity]
> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***:1024: received Vendor ID payload [Dead Peer Detection]
> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***:1024: initial Main Mode message received on ****:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
>
> The errors are so vague.
> Not sure what the problem is now
>
> My conf
>
> conn tunnel
>     #phase2alg=aes256-sha1;modp1024
>     keyexchange=ike
>     #ike=aes256-sha1;modp1024
>     left=192.168.1.122
>     leftnexthop=81.129.247.152   # My ISP assigned external ip address (I am testing at home)
>     leftrsasigkey=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
>     right=89.200.134.211
>     rightrsasigkey=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
>     authby=secret|rsasig
>     # load and initiate automatically
>     auto=start
>
> conn site1
>     also=tunnel
>     leftsubnet=10.0.128.0/22
>     rightsubnet=192.168.1.222/32
>
> conn site2
>     also=tunnel
>
> On 1 April 2016 at 15:58, Eero Volotinen <eero.volotinen at iki.fi> wrote:
> > So you are using pkcs12 on centos:
> >
> > https://www.sslshopper.com/article-most-common-openssl-commands.html
> > --
> > Eero
> >
> > 2016-04-01 17:44 GMT+03:00 Glenn Pierce <glennpierce at gmail.com>:
> >
> >> Sorry but I have looked for over two days, trying every command I could find.
> >>
> >> There is obviously a misunderstanding somewhere.
> >>
> >> After generating a key pair with
> >> ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets
> >>
> >> I exported to a file with
> >> ipsec showhostkey --ipseckey > file
> >>
> >> The man page says
> >> ipsec showhostkey outputs in ipsec.conf(5) format,
> >>
> >> i.e.
> >>
> >>
> >> ***.server.net.    IN    IPSECKEY  10 0 2 . 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
> >>
> >>
> >> Is this the format openssl is meant to be able to convert? Or is there
> >> an intermediate step I am missing, as like I said no command I found
> >> seems to work.
> >>
> >>
> >> On 1 April 2016 at 14:35, Eero Volotinen <eero.volotinen at iki.fi> wrote:
> >> > It works, try googling for openssl pem conversion
> >> > On 1.4.2016 4:32 pm, "Glenn Pierce" <glennpierce at gmail.com> wrote:
> >> >
> >> >> I have tried
> >> >> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
> >> >>
> >> >> I get
> >> >> unable to load Private Key
> >> >> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
> >> >>
> >> >>
> >> >>
> >> >> On 1 April 2016 at 13:59, Eero Volotinen <eero.volotinen at iki.fi> wrote:
> >> >> > You can do any kind of format conversion with the openssl command-line
> >> >> client.
> >> >> >
> >> >> > Eero
> >> >> > On 1.4.2016 3:56 pm, "Glenn Pierce" <glennpierce at gmail.com> wrote:
> >> >> >
> >> >> >> Hi, I am trying to set up a libreswan VPN between CentOS 7 and a
> >> >> >> Mikrotik router.
> >> >> >>
> >> >> >> I am trying to get the keys working. My problem is the Mikrotik router
> >> >> >> wants the key in PEM format.
> >> >> >>
> >> >> >> How do I export the keys generated with ipsec newhostkey into PEM format?
> >> >> >>
> >> >> >>
> >> >> >> Thanks
> >> >> >> _______________________________________________
> >> >> >> CentOS mailing list
> >> >> >> CentOS at centos.org
> >> >> >> https://lists.centos.org/mailman/listinfo/centos
> >> >> >>
> >> >>
> >>
>
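The conversion the thread asks about but never spells out, as an added example that is not part of the original posts or of libreswan itself. The "no start line ... Expecting: ANY PRIVATE KEY" error above is openssl saying the input has no PEM header at all: what `ipsec showhostkey --ipseckey` prints is a DNS IPSECKEY record (RFC 4025) whose key field is the RFC 3110 RSA wire format (exponent length, exponent, modulus, base64-encoded), and `--left`/`--right` print the same blob with a `0s` prefix. The script below decodes that blob and wraps it into a standard SubjectPublicKeyInfo PEM using only the standard library. The hostname `vpn.example.net` and the modulus value are constructed placeholders, not a real key.

```python
"""Convert a libreswan host-key export (IPSECKEY record or 0s... value) to PEM.

Added example, not code from the thread or from libreswan. Standard library only.
The key blob is RFC 3110: a 1-byte exponent length (or 0x00 plus a 2-byte
length), the exponent, then the modulus, all big-endian.
"""
import base64
import re

# rsaEncryption OID 1.2.840.113549.1.1.1, already DER-encoded (tag 0x06, length 9)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def rfc3110_decode(blob):
    """Return (exponent, modulus) from an RFC 3110 RSA public-key blob."""
    if not blob:
        raise ValueError("empty key blob")
    elen, pos = blob[0], 1
    if elen == 0:                         # long form: two-byte exponent length
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        elen, pos = int.from_bytes(blob[1:3], "big"), 3
    exp, mod = blob[pos:pos + elen], blob[pos + elen:]
    if len(exp) != elen or not mod:
        raise ValueError("truncated key blob")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")


def rfc3110_encode(e, n):
    """Inverse of rfc3110_decode; used here only to build the constructed sample."""
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        return bytes([len(exp)]) + exp + mod
    return b"\x00" + len(exp).to_bytes(2, "big") + exp + mod


def extract_key_blob(text):
    """Pull the base64 key out of an IPSECKEY RR or a 0s-prefixed conf value."""
    m = re.search(r"IPSECKEY\s+\d+\s+\d+\s+(\d+)\s+\S+\s+([A-Za-z0-9+/=\s]+)", text)
    if m:
        if m.group(1) != "2":             # RFC 4025: algorithm 2 is RSA
            raise ValueError("IPSECKEY algorithm %s is not RSA" % m.group(1))
        b64 = m.group(2)
    else:
        m = re.search(r"0s([A-Za-z0-9+/=]+)", text)
        if not m:
            raise ValueError("no IPSECKEY record or 0s... key found")
        b64 = m.group(1)
    return base64.b64decode(re.sub(r"\s+", "", b64))


def _der(tag, body):
    """Minimal DER TLV: tag, definite-form length, body."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:                    # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_public_key_der(e, n):
    """SubjectPublicKeyInfo (RFC 5280) wrapping a PKCS#1 RSAPublicKey."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))        # SEQUENCE { n, e }
    alg_id = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL
    bit_string = _der(0x03, b"\x00" + rsa_key)             # 0 unused bits
    return _der(0x30, alg_id + bit_string)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body


def libreswan_to_pem(text):
    e, n = rfc3110_decode(extract_key_blob(text))
    return to_pem(rsa_public_key_der(e, n))


# Constructed sample: hostname and modulus are placeholders, not a real key.
SAMPLE_E = 65537
SAMPLE_N = int("c0ffee" * 40, 16) | 1
SAMPLE_IPSECKEY = ("vpn.example.net. IN IPSECKEY 10 0 2 . "
                   + base64.b64encode(rfc3110_encode(SAMPLE_E, SAMPLE_N)).decode())

if __name__ == "__main__":
    print(libreswan_to_pem(SAMPLE_IPSECKEY))
```

Feed it the real output of `ipsec showhostkey --ipseckey` (or the `leftrsasigkey=0s...` line) and save the result as e.g. `left.pem`; `openssl rsa -pubin -in left.pem -noout -text` should then print the modulus and exponent, which you can compare against `ipsec showhostkey`. Note that this produces the public half only, which is what the peer needs; the private key stays in libreswan's NSS database and never has to leave the host.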