Sorry but I have looked for over two days. Trying every command I could find.

There is obviously a misunderstanding somewhere.

After generating a key pair with
ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets

I exported to a file with
ipsec showhostkey --ipseckey > file

The man page says
ipsec showhostkey outputs in ipsec.conf(5) format,

Ie

***.server.net. IN IPSECKEY 10 0 2 .
[base64 key data removed]

Is this the format openssl is meant to be able to convert? Or is there an intermediate step I am missing as, like I said, no command I found seems to work.

On 1 April 2016 at 14:35, Eero Volotinen <eero.volotinen at iki.fi> wrote:
> It works, try googling for openssl pem conversion
>
> 1.4.2016 4.32 PM "Glenn Pierce" <glennpierce at gmail.com> wrote:
>
>> I have tried
>> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
>>
>> I get
>> unable to load Private Key
>> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
>>
>> On 1 April 2016 at 13:59, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>> > You can do any kind of format conversions with openssl commandline client.
>> >
>> > Eero
>> >
>> > 1.4.2016 3.56 PM "Glenn Pierce" <glennpierce at gmail.com> wrote:
>> >
>> >> Hi I am trying to setup a libreswan vpn between centos 7 and a Mikrotik router.
>> >>
>> >> I am trying to get the keys working. My problem is the Mikrotik router wants the key in PEM format
>> >>
>> >> How do I export the keys generated with ipsec newhostkey into PEM format ?
>> >>
>> >> Thanks
>> >> _______________________________________________
>> >> CentOS mailing list
>> >> CentOS at centos.org
>> >> https://lists.centos.org/mailman/listinfo/centos
So you are using pkcs12 on centos:

https://www.sslshopper.com/article-most-common-openssl-commands.html

--
Eero
Typical I think I just did it.

I downloaded a perl script to do it at
https://git.dn42.us/ryan/pubkey-converter/raw/master/pubkey-converter.pl

First I did
ipsec showhostkey --right > right.pub

I then edited the file to remove the ipsec key = line

Then I converted with
perl pubkey-converter.pl -p < right.pub > /home/glenn/right.pub
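An added example, not part of the original thread and not the Perl script linked in the message above: Python that converts the public half of an `rsasigkey` value (base64 of the RFC 3110 layout: exponent length, exponent, modulus) into a SubjectPublicKeyInfo PEM that `openssl rsa -pubin` can read. The sample key is constructed, and whether a particular router accepts this PEM form is an assumption.

```python
import base64

# DER AlgorithmIdentifier: rsaEncryption OID 1.2.840.113549.1.1.1 with NULL parameters
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def parse_rfc3110(text):
    """Return (exponent, modulus) from an ipsec.conf-style RSA public key value."""
    value = text.strip()
    name, _, rest = value.partition("=")
    if name.strip().endswith("rsasigkey"):       # accept "rightrsasigkey=0s..."
        value = rest.strip()
    if value.startswith("0s"):                   # "0s" marks base64 in ipsec.conf
        value = value[2:]
    blob = base64.b64decode(value, validate=True)
    if len(blob) < 3:
        raise ValueError("truncated RFC 3110 key")
    exp_len, offset = blob[0], 1
    if exp_len == 0:                             # long form: 2-byte length follows
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    exponent, modulus = blob[offset:offset + exp_len], blob[offset + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated RFC 3110 key")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")

def der_tlv(tag, content):
    """Encode one DER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_int(value):
    # One extra byte when the top bit is set keeps the INTEGER positive.
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def to_pem(exponent, modulus):
    """Wrap the key as SubjectPublicKeyInfo, the 'BEGIN PUBLIC KEY' PEM form."""
    rsa_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    spki = der_tlv(0x30, RSA_ALG_ID + der_tlv(0x03, b"\x00" + rsa_key))
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PUBLIC KEY-----", *lines, "-----END PUBLIC KEY-----", ""])

# Constructed sample, not a real key: exponent 3 and a made-up 1024-bit modulus.
SAMPLE_N = int.from_bytes(b"\xc1" + bytes(range(1, 128)), "big")
SAMPLE = "rightrsasigkey=0s" + base64.b64encode(b"\x01\x03" + SAMPLE_N.to_bytes(128, "big")).decode()

if __name__ == "__main__":
    print(to_pem(*parse_rfc3110(SAMPLE)), end="")
```

Only the public key is handled here; the private key stays in the NSS database or secrets file on the libreswan host.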
On 04/01/2016 07:44 AM, Glenn Pierce wrote:
> Ie
> ***.server.net. IN IPSECKEY 10 0 2 .

Was that a key that you generated as an example, or your actual VPN key? The fact that you obscured part of it makes me think it might be the latter, but if that's the case, you really should generate a new key for your server. The part you obscured isn't the sensitive part.
I just removed the name. I will be regenerating again.

To be honest if an attacker were to get this to work I would buy them a drink :)
Just trying to follow the instructions here
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html

I don't think I am doing anything special.

At the point where there is some communication going on

Getting this error

packet from *****:1024: received Vendor ID payload [Cisco-Unity]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***:1024: received Vendor ID payload [Dead Peer Detection]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from *** :1024: initial Main Mode message received on ****:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW

The errors are so vague. Not sure what the problem is now

My conf

conn tunnel
    #phase2alg=aes256-sha1;modp1024
    keyexchange=ike
    #ike=aes256-sha1;modp1024
    left=192.168.1.122
    leftnexthop=81.129.247.152 # My ISP assigned external ip address (I am testing at home)
    leftrsasigkey=[key data removed]
    right=89.200.134.211
    rightrsasigkey=[key data removed]
    authby=secret|rsasig
    # load and initiate automatically
    auto=start

conn site1
    also=tunnel
    leftsubnet=10.0.128.0/22
    rightsubnet=192.168.1.222/32

conn site2
    also=tunnel