I generated according to the docs. Which produced my server.secrets as below.

used the command

ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/www.example.com.secrets

: RSA {
    # RSA 3328 bits ***.**.net Fri Apr 1 15:39:32 2016
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw=
    Modulus: 0xecde067a1814494a8cbfe91c6b2ff70cbf4267604291fd26265d4095964045362d83ed526c6b5edf7ef9815232cb0fafd3ef6337d49be53e1912ccafd848fa6887c84db52078203943d961a4b3e85896743865239a8f92c71511687215154008925a0c783a7bc8f5c62b8feac364bff4bed19e2c32622de4d28f70cb7d60a2d831bf2f3675ba440c40211331beaf67d61c0b6d624143711072d52654d296d55da725a759f2afa10f4adcd162555b17674fa9b90087589aa9d4e42d7ac6920903737948239a19b95be915cd0d4d91e0b3e8c7b4890108cc7f9bea0749ae3473830854d594577ed84fe1088800d87d0bdb88d951a3d6d334e6a5e6d8fb3d2998a1a25c9048a9a364d5d4d5107341d7364f4f56b064413c5a6b1fc9379cdd8ca569168f54e58dac31eee468096b47d1490e85ed3890fcd9e0ce421e994d10cedf3b4e43ada46dec5f7da0dd9c62e4470b32c3e77430752f29b70dc6d450a248aefebf7925134cde9814e89271404f93b2e5788720b2e435c7235e6275d9ecb0d6a517fe333bafe08e19041f79f61bbfc7e8931272f9d481d8998fa8e4f4e6cb2f33
    PublicExponent: 0x03
    # everything after this point is CKA_ID in hex format - not the real values
    PrivateExponent: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
    Prime1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
    Prime2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
    Exponent1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
    Exponent2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
    Coefficient: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
    CKAIDNSS: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
    }
    # do not change the indenting of that "}"

On 1 April 2016 at 18:04, Eero Volotinen <eero.volotinen at iki.fi> wrote:
> You must define connection address and key in ipsec.secrets.
>
> --
> Eero
>
> 2016-04-01 19:38 GMT+03:00 Glenn Pierce <glennpierce at gmail.com>:
>
>> Just trying to follow the instructions here
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
>>
>> I don't think I am doing anything special.
>>
>> At the point where there is some communication going on
>>
>> Getting this error
>>
>> packet from *****:1024: received Vendor ID payload [Cisco-Unity]
>> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***:1024: received Vendor ID payload [Dead Peer Detection]
>> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***:1024: initial Main Mode message received on ****:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
>>
>> The errors are so vague.
>> Not sure what the problem is now
>>
>> My conf
>>
>> conn tunnel
>>     #phase2alg=aes256-sha1;modp1024
>>     keyexchange=ike
>>     #ike=aes256-sha1;modp1024
>>     left=192.168.1.122
>>     leftnexthop=81.129.247.152 # My ISP assigned external ip address (I am testing at home)
>>     leftrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw=
>>     right=89.200.134.211
>>     rightrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw=
>>     authby=secret|rsasig
>>     # load and initiate automatically
>>     auto=start
>>
>> conn site1
>>     also=tunnel
>>     leftsubnet=10.0.128.0/22
>>     rightsubnet=192.168.1.222/32
>>
>> conn site2
>>     also=tunnel
>>
>> On 1 April 2016 at 15:58, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>>> So you are using pkcs12 on centos:
>>>
>>> https://www.sslshopper.com/article-most-common-openssl-commands.html
>>> --
>>> Eero
>>>
>>> 2016-04-01 17:44 GMT+03:00 Glenn Pierce <glennpierce at gmail.com>:
>>>
>>>> Sorry but I have looked for over two days. Trying every command I could find.
>>>>
>>>> There is obviously a misunderstanding somewhere.
>>>>
>>>> After generating a key pair with
>>>> ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets
>>>>
>>>> I exported to a file with
>>>> ipsec showhostkey --ipseckey > file
>>>>
>>>> The man page says
>>>> ipsec showhostkey outputs in ipsec.conf(5) format,
>>>>
>>>> I.e.
>>>>
>>>> ***.server.net. IN IPSECKEY 10 0 2 . ...
>>>>
>>>> is this the format openssl is meant to be able to convert? or is there an intermediate step I am missing, as like I said no command I found seems to work.
>>>>
>>>> On 1 April 2016 at 14:35, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>>>>> It works, try googling for openssl pem conversion
>>>>> On 1.4.2016 4.32 PM, "Glenn Pierce" <glennpierce at gmail.com> wrote:
>>>>>
>>>>>> I have tried
>>>>>> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
>>>>>>
>>>>>> I get
>>>>>> unable to load Private Key
>>>>>> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
>>>>>>
>>>>>> On 1 April 2016 at 13:59, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>>>>>>> You can do any kind of format conversions with openssl commandline client.
>>>>>>>
>>>>>>> Eero
>>>>>>> On 1.4.2016 3.56 PM, "Glenn Pierce" <glennpierce at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi I am trying to setup a libreswan vpn between centos 7 and a Mikrotik router.
>>>>>>>>
>>>>>>>> I am trying to get the keys working. My problem is the Mikrotik router wants the key in PEM format
>>>>>>>>
>>>>>>>> How do I export the keys generated with ipsec newhostkey into PEM format?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> _______________________________________________
>>>>>>>> CentOS mailing list
>>>>>>>> CentOS at centos.org
>>>>>>>> https://lists.centos.org/mailman/listinfo/centos
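The conversion the thread above asks for never needed openssl's private-key reader: the `leftrsasigkey=0s...` value (what `ipsec showhostkey --left` prints) and the `IN IPSECKEY 10 0 2 . <base64>` record from `ipsec showhostkey --ipseckey` both carry the RSA public key in RFC 3110 layout (exponent length, exponent, modulus), base64 encoded, with `0s` being libreswan's prefix for base64. That is why `openssl rsa -in` reported "Expecting: ANY PRIVATE KEY". The Python below is an added example, not code from the thread or from libreswan; it decodes either form and writes a standard PEM public key (SubjectPublicKeyInfo) using only the standard library. The test string `0sAQPs3gZ6` is the first eight characters of the key in the config above and decodes to exponent 3 and modulus bytes `ecde067a`, matching the `PublicExponent: 0x03` and the start of the `Modulus:` line in the secrets file.

```python
"""Decode libreswan's RSA public-key text formats and emit a PEM public key.
Both carry the RFC 3110 layout: exponent length (1 byte, or 0x00 + 2 bytes),
exponent, modulus.  leftrsasigkey=0s<base64> ("0s" = base64 in libreswan's
notation) and 'name. IN IPSECKEY 10 0 2 . <base64>' (algorithm 2 = RSA).
Standard library only; the tiny DER encoder covers just an RSA public key."""
import base64

def parse_rfc3110(blob: str):
    """Return (e, n) from a '0s...' or bare base64 RFC 3110 RSA public key."""
    if blob.startswith("0s"):
        blob = blob[2:]
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))   # tolerate stripped padding
    if len(raw) < 3:
        raise ValueError("key blob too short")
    if raw[0] != 0:
        elen, off = raw[0], 1                                # short form: 1-byte length
    else:
        elen, off = int.from_bytes(raw[1:3], "big"), 3       # long form: 2-byte length
    if elen == 0 or len(raw) <= off + elen:
        raise ValueError("malformed RFC 3110 key: bad exponent length")
    e = int.from_bytes(raw[off:off + elen], "big")
    n = int.from_bytes(raw[off + elen:], "big")              # modulus is the remainder
    return e, n

def to_rfc3110(e: int, n: int) -> str:
    """Inverse of parse_rfc3110, producing the '0s...' form (used for round-trip tests)."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    hdr = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return "0s" + base64.b64encode(hdr + eb + nb).decode()

def ipseckey_rr_public_key(rr: str):
    """Parse the record printed by `ipsec showhostkey --ipseckey` into (e, n)."""
    f = rr.split()
    i = f.index("IPSECKEY")
    _precedence, _gw_type, alg = (int(x) for x in f[i + 1:i + 4])
    if alg != 2:
        raise ValueError("only algorithm 2 (RSA) carries an RFC 3110 key")
    return parse_rfc3110("".join(f[i + 5:]))                 # f[i+4] is the gateway ('.')

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                                          # keep INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b

def _der_seq(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body

def to_pem(e: int, n: int) -> str:
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING { RSAPublicKey } } as PEM."""
    rsa_pub = _der_seq(_der_int(n), _der_int(e))
    alg_id = _der_seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01",  # OID 1.2.840.113549.1.1.1
                      b"\x05\x00")                                       # NULL parameters
    bit_str = b"\x03" + _der_len(len(rsa_pub) + 1) + b"\x00" + rsa_pub  # 0 unused bits
    b64 = base64.b64encode(_der_seq(alg_id, bit_str)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    import sys
    # Usage: python3 this.py 0sAQ...   or   python3 this.py "host. IN IPSECKEY 10 0 2 . AQ..."
    arg = " ".join(sys.argv[1:])
    e, n = ipseckey_rr_public_key(arg) if "IPSECKEY" in arg else parse_rfc3110(arg)
    sys.stdout.write(to_pem(e, n))
```

The private half stays in the NSS database and is not touched here; a peer that authenticates with rsasig only needs this public key, which is exactly what the `rightrsasigkey=` line in the config carries for the other side.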
IPSec is very complex with certificates. Try first with PSK authentication and then with certificates

--
Eero

2016-04-01 20:21 GMT+03:00 Glenn Pierce <glennpierce at gmail.com>:
> I generated according to the docs. Which produced my server.secrets as below.
I did :) I'm all for an easy life.

I got a very similar error. Instead of

    but no connection has been authorized with policy RSASIG+IKEV1_ALLOW

I got

    but no connection has been authorized with policy PSK+IKEV1_ALLOW

I did read somewhere though errors are red herrings, which is helpful.

Thanks

On 1 April 2016 at 18:39, Eero Volotinen <eero.volotinen at iki.fi> wrote:
> IPSec is very complex with certificates. Try first with PSK authentication and then with certificates
>
> --
> Eero
>
> 2016-04-01 20:21 GMT+03:00 Glenn Pierce <glennpierce at gmail.com>:
>> I generated according to the docs. Which produced my server.secrets as below.