CentOS - Apr 2016 - Libreswan PEM format

Sorry but I have looked for over two days. Trying every command I could find.

There is obviously a misunderstanding somewhere.

After generating a key pair with
ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets

I exported to a file with
ipsec showhostkey --ipseckey > file

The man pages says
ipsec showhostkey outputs in ipsec.conf(5) format,

Ie


***.server.net.    IN    IPSECKEY  10 0 2 .
AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw=

is this the format openssl is meant to beable to convert ? or is the
an intermediate step I am missing as like I said not command I found
seems to work.


On 1 April 2016 at 14:35, Eero Volotinen <eero.volotinen at iki.fi>
wrote:
> It works, try googling for openssl pem conversion
> 1.4.2016 4.32 ip. "Glenn Pierce" <glennpierce at gmail.com>
kirjoitti:
>
>> I have tried
>> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
>>
>> I get
>> unable to load Private Key
>> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
>> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
>>
>>
>>
>> On 1 April 2016 at 13:59, Eero Volotinen <eero.volotinen at
iki.fi> wrote:
>> > You can do any kind of format conversions with openssl commandline
>> client.
>> >
>> > Eero
>> > 1.4.2016 3.56 ip. "Glenn Pierce" <glennpierce at
gmail.com> kirjoitti:
>> >
>> >> Hi I am trying to setup a libreswan vpn between centos 7 and a
Mikrotik
>> >> router.
>> >>
>> >> I am try to get the keys working. My problem is the Mikrotik
router
>> >> wants the key in PEM format
>> >>
>> >> How do I export the keys generated with ipsec newhostkey
>> >> into PEM format ?
>> >>
>> >>
>> >> Thanks
>> >> _______________________________________________
>> >> CentOS mailing list
>> >> CentOS at centos.org
>> >> https://lists.centos.org/mailman/listinfo/centos
>> >>
>> > _______________________________________________
>> > CentOS mailing list
>> > CentOS at centos.org
>> > https://lists.centos.org/mailman/listinfo/centos
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

So you are using pkcs12 on centos:

https://www.sslshopper.com/article-most-common-openssl-commands.html
--
Eero

2016-04-01 17:44 GMT+03:00 Glenn Pierce <glennpierce at gmail.com>:
> Sorry but I have looked for over two days. Trying every command I could
> find.
>
> There is obviously a misunderstanding somewhere.
>
> After generating a key pair with
> ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets
>
> I exported to a file with
> ipsec showhostkey --ipseckey > file
>
> The man pages says
> ipsec showhostkey outputs in ipsec.conf(5) format,
>
> Ie
>
>
> ***.server.net.    IN    IPSECKEY  10 0 2 .
>
>
AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw=>
>
> is this the format openssl is meant to beable to convert ? or is the
> an intermediate step I am missing as like I said not command I found
> seems to work.
>
>
> On 1 April 2016 at 14:35, Eero Volotinen <eero.volotinen at iki.fi>
wrote:
> > It works, try googling for openssl pem conversion
> > 1.4.2016 4.32 ip. "Glenn Pierce" <glennpierce at
gmail.com> kirjoitti:
> >
> >> I have tried
> >> openssl rsa -in bicester_left.pub -outform pem >
bicester_left.pem
> >>
> >> I get
> >> unable to load Private Key
> >> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
> >> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
> >>
> >>
> >>
> >> On 1 April 2016 at 13:59, Eero Volotinen <eero.volotinen at
iki.fi> wrote:
> >> > You can do any kind of format conversions with openssl
commandline
> >> client.
> >> >
> >> > Eero
> >> > 1.4.2016 3.56 ip. "Glenn Pierce" <glennpierce at
gmail.com> kirjoitti:
> >> >
> >> >> Hi I am trying to setup a libreswan vpn between centos 7
and a
> Mikrotik
> >> >> router.
> >> >>
> >> >> I am try to get the keys working. My problem is the
Mikrotik router
> >> >> wants the key in PEM format
> >> >>
> >> >> How do I export the keys generated with ipsec newhostkey
> >> >> into PEM format ?
> >> >>
> >> >>
> >> >> Thanks
> >> >> _______________________________________________
> >> >> CentOS mailing list
> >> >> CentOS at centos.org
> >> >> https://lists.centos.org/mailman/listinfo/centos
> >> >>
> >> > _______________________________________________
> >> > CentOS mailing list
> >> > CentOS at centos.org
> >> > https://lists.centos.org/mailman/listinfo/centos
> >> _______________________________________________
> >> CentOS mailing list
> >> CentOS at centos.org
> >> https://lists.centos.org/mailman/listinfo/centos
> >>
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > https://lists.centos.org/mailman/listinfo/centos
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

Typical I think I just did it .

I downloaded a perl script to do it at

https://git.dn42.us/ryan/pubkey-converter/raw/master/pubkey-converter.pl


First I did
ipsec showhostkey --right > right.pub

I then edited the file to remove the ipsec key = line

Then I converted with

perl pubkey-converter.pl -p < right.pub > /home/glenn/right.pub


On 1 April 2016 at 15:44, Glenn Pierce <glennpierce at gmail.com>
wrote:
> Sorry but I have looked for over two days. Trying every command I could
find.
>
> There is obviously a misunderstanding somewhere.
>
> After generating a key pair with
> ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets
>
> I exported to a file with
> ipsec showhostkey --ipseckey > file
>
> The man pages says
> ipsec showhostkey outputs in ipsec.conf(5) format,
>
> Ie
>
>
> ***.server.net.    IN    IPSECKEY  10 0 2 .
>
AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw=>
>
> is this the format openssl is meant to beable to convert ? or is the
> an intermediate step I am missing as like I said not command I found
> seems to work.
>
>
> On 1 April 2016 at 14:35, Eero Volotinen <eero.volotinen at iki.fi>
wrote:
>> It works, try googling for openssl pem conversion
>> 1.4.2016 4.32 ip. "Glenn Pierce" <glennpierce at
gmail.com> kirjoitti:
>>
>>> I have tried
>>> openssl rsa -in bicester_left.pub -outform pem >
bicester_left.pem
>>>
>>> I get
>>> unable to load Private Key
>>> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
>>> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
>>>
>>>
>>>
>>> On 1 April 2016 at 13:59, Eero Volotinen <eero.volotinen at
iki.fi> wrote:
>>> > You can do any kind of format conversions with openssl
commandline
>>> client.
>>> >
>>> > Eero
>>> > 1.4.2016 3.56 ip. "Glenn Pierce" <glennpierce at
gmail.com> kirjoitti:
>>> >
>>> >> Hi I am trying to setup a libreswan vpn between centos 7
and a Mikrotik
>>> >> router.
>>> >>
>>> >> I am try to get the keys working. My problem is the
Mikrotik router
>>> >> wants the key in PEM format
>>> >>
>>> >> How do I export the keys generated with ipsec newhostkey
>>> >> into PEM format ?
>>> >>
>>> >>
>>> >> Thanks
>>> >> _______________________________________________
>>> >> CentOS mailing list
>>> >> CentOS at centos.org
>>> >> https://lists.centos.org/mailman/listinfo/centos
>>> >>
>>> > _______________________________________________
>>> > CentOS mailing list
>>> > CentOS at centos.org
>>> > https://lists.centos.org/mailman/listinfo/centos
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> https://lists.centos.org/mailman/listinfo/centos
>>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos

On 04/01/2016 07:44 AM, Glenn Pierce wrote:
> Ie
> ***.server.net.    IN    IPSECKEY  10 0 2 .
Was that a key that you generated as an example, or your actual VPN 
key?  The fact that you obscured part of it makes me think it might be 
the latter, but if that's the case, you really should generate a new key 
for your server.  The part you obscured isn't the sensitive part.

I just removed the name. I will be regenerating again.
To be honest if an attacker to get this to work I would buy then a drink :)

On 1 April 2016 at 17:01, Gordon Messmer <gordon.messmer at gmail.com>
wrote:
> On 04/01/2016 07:44 AM, Glenn Pierce wrote:
>>
>> Ie
>> ***.server.net.    IN    IPSECKEY  10 0 2 .
>
>
> Was that a key that you generated as an example, or your actual VPN key?
> The fact that you obscured part of it makes me think it might be the
latter,
> but if that's the case, you really should generate a new key for your
> server.  The part you obscured isn't the sensitive part.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Just trying to follow the instructions here
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html

I don't think I am doing anything special.

At the point where there is some communication going on

Getting this error

packet from *****:1024: received Vendor ID payload [Cisco-Unity]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from
***:1024: received Vendor ID payload [Dead Peer Detection]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***
:1024: initial Main Mode message received on ****:500 but no
connection has been authorized with policy RSASIG+IKEV1_ALLOW

The errors are so vague.
Not sure what the problem is now



My conf



conn tunnel
    #phase2alg=aes256-sha1;modp1024
    keyexchange=ike
    #ike=aes256-sha1;modp1024
    left=192.168.1.122
    leftnexthop=81.129.247.152   # My ISP assigned external ip adresss
 (I am testing at home)
   
leftrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw=
right=89.200.134.211
   
rightrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw=
authby=secret|rsasig
    # load and initiate automatically
    auto=start

conn site1
    also=tunnel
    leftsubnet=10.0.128.0/22
    rightsubnet=192.168.1.222/32

conn site2
    also=tunnel








On 1 April 2016 at 15:58, Eero Volotinen <eero.volotinen at iki.fi>
wrote:
> So you are using pkcs12 on centos:
>
> https://www.sslshopper.com/article-most-common-openssl-commands.html
> --
> Eero
>
> 2016-04-01 17:44 GMT+03:00 Glenn Pierce <glennpierce at gmail.com>:
>
>> Sorry but I have looked for over two days. Trying every command I could
>> find.
>>
>> There is obviously a misunderstanding somewhere.
>>
>> After generating a key pair with
>> ipsec newhostkey --configdir /etc/ipsec.d --output
/etc/ipsec.d/my.secrets
>>
>> I exported to a file with
>> ipsec showhostkey --ipseckey > file
>>
>> The man pages says
>> ipsec showhostkey outputs in ipsec.conf(5) format,
>>
>> Ie
>>
>>
>> ***.server.net.    IN    IPSECKEY  10 0 2 .
>>
>>
AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw=>>
>>
>> is this the format openssl is meant to beable to convert ? or is the
>> an intermediate step I am missing as like I said not command I found
>> seems to work.
>>
>>
>> On 1 April 2016 at 14:35, Eero Volotinen <eero.volotinen at
iki.fi> wrote:
>> > It works, try googling for openssl pem conversion
>> > 1.4.2016 4.32 ip. "Glenn Pierce" <glennpierce at
gmail.com> kirjoitti:
>> >
>> >> I have tried
>> >> openssl rsa -in bicester_left.pub -outform pem >
bicester_left.pem
>> >>
>> >> I get
>> >> unable to load Private Key
>> >> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no
start
>> >> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
>> >>
>> >>
>> >>
>> >> On 1 April 2016 at 13:59, Eero Volotinen <eero.volotinen at
iki.fi> wrote:
>> >> > You can do any kind of format conversions with openssl
commandline
>> >> client.
>> >> >
>> >> > Eero
>> >> > 1.4.2016 3.56 ip. "Glenn Pierce"
<glennpierce at gmail.com> kirjoitti:
>> >> >
>> >> >> Hi I am trying to setup a libreswan vpn between
centos 7 and a
>> Mikrotik
>> >> >> router.
>> >> >>
>> >> >> I am try to get the keys working. My problem is the
Mikrotik router
>> >> >> wants the key in PEM format
>> >> >>
>> >> >> How do I export the keys generated with ipsec
newhostkey
>> >> >> into PEM format ?
>> >> >>
>> >> >>
>> >> >> Thanks
>> >> >> _______________________________________________
>> >> >> CentOS mailing list
>> >> >> CentOS at centos.org
>> >> >> https://lists.centos.org/mailman/listinfo/centos
>> >> >>
>> >> > _______________________________________________
>> >> > CentOS mailing list
>> >> > CentOS at centos.org
>> >> > https://lists.centos.org/mailman/listinfo/centos
>> >> _______________________________________________
>> >> CentOS mailing list
>> >> CentOS at centos.org
>> >> https://lists.centos.org/mailman/listinfo/centos
>> >>
>> > _______________________________________________
>> > CentOS mailing list
>> > CentOS at centos.org
>> > https://lists.centos.org/mailman/listinfo/centos
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos