Libreswan PEM Format
Hi, I am trying to set up a libreswan VPN between CentOS 7 and a Mikrotik router.
I am trying to get the keys working. My problem is the Mikrotik router wants the key in PEM format.
How do I export the keys generated with ipsec newhostkey into PEM format?
Thanks
13 thoughts on - Libreswan PEM Format
You can do any kind of format conversions with openssl commandline client.
Eero wrote:
On 1.4.2016 3.56 PM, “Glenn Pierce” wrote:
I have tried openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
I get “unable to load Private Key”:
140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
It works, try googling for openssl pem conversion.
On 1.4.2016 4.32 PM, “Glenn Pierce” wrote:
Sorry but I have looked for over two days. Trying every command I could find.
There is obviously a misunderstanding somewhere.
After generating a key pair with ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets
I exported to a file with ipsec showhostkey --ipseckey > file
The man page says ipsec showhostkey outputs in ipsec.conf(5) format,
i.e.
***.server.net. IN IPSECKEY 10 0 2 . AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4
So you are using pkcs12 on CentOS:
https://www.sslshopper.com/article-most-common-openssl-commands.html
Typical, I think I just did it.
I downloaded a perl script to do it at
https://git.dn42.us/ryan/pubkey-converter/raw/master/pubkey-converter.pl
First I did ipsec showhostkey --right > right.pub
I then edited the file to remove the ipsec key = line
Then I converted with
perl pubkey-converter.pl -p < right.pub > /home/glenn/right.pub
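What the Perl script above is doing, as an added example in Python (this is not code from the thread, from libreswan, or from the pubkey-converter project): the `0s` blob that `ipsec showhostkey` and the `#pubkey=` line in ipsec.secrets carry is a base64 RFC 3110 public key (exponent length, exponent, modulus), the same encoding the IPSECKEY record uses. The converter splits that into (e, n) and wraps it in DER so the result is an ordinary PEM public key. The sample lines and the key inside them are constructed, with a deliberately one-byte modulus so the DER can be checked by hand; the function names are mine.

```python
import base64
import re
import sys

# Constructed sample inputs (not the key from the thread): e = 65537, n = 0xC1.
SAMPLE_SECRETS_LINE = "#pubkey=0sAwEAAcE="
SAMPLE_SHOWHOSTKEY_LINE = "\trightrsasigkey=0sAwEAAcE="
SAMPLE_IPSECKEY_RR = "gw.example.net. IN IPSECKEY 10 0 2 . AwEAAcE="

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def extract_b64(text):
    """Find the key in '#pubkey=0s...', 'rightrsasigkey=0s...' or an IPSECKEY RR.
    The leading '0s' is libreswan's 'this is base64' marker, not part of the key."""
    for line in text.splitlines():
        if "IPSECKEY" in line:
            return line.split()[-1]          # public key is the last RR field
        m = re.search(r"(?:^|=|\s)0s([A-Za-z0-9+/=]+)", line)
        if m:
            return m.group(1)
    raise ValueError("no libreswan public key found")


def rfc3110_to_rsa(b64):
    """RFC 3110 wire format: exponent length (1 byte, or 0 followed by 2 bytes),
    the exponent, then the modulus occupies everything that is left."""
    raw = base64.b64decode(b64)
    if raw[0] != 0:
        elen, pos = raw[0], 1
    else:
        elen, pos = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[pos:pos + elen], "big")
    n = int.from_bytes(raw[pos + elen:], "big")
    if e == 0 or n == 0:
        raise ValueError("malformed RFC 3110 key")
    return e, n


# Minimal DER writer: enough for INTEGER, SEQUENCE, OID, NULL and BIT STRING.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # DER INTEGER is signed; keep the value positive
        body = b"\x00" + body
    return der(0x02, body)


def pkcs1_der(e, n):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return der(0x30, der_int(n) + der_int(e))


def spki_der(e, n):
    """SubjectPublicKeyInfo wrapping the PKCS#1 key (what 'BEGIN PUBLIC KEY' holds)."""
    alg = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + pkcs1_der(e, n)))


def pem(label, body):
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def libreswan_to_pem(text, pkcs1=False):
    """Convert showhostkey / ipsec.secrets / IPSECKEY text to a PEM public key.
    pkcs1=True emits 'RSA PUBLIC KEY' (PKCS#1) instead of the SPKI form."""
    e, n = rfc3110_to_rsa(extract_b64(text))
    if pkcs1:
        return pem("RSA PUBLIC KEY", pkcs1_der(e, n))
    return pem("PUBLIC KEY", spki_der(e, n))


if __name__ == "__main__":
    # Usage: ipsec showhostkey --right | python3 this_script.py > right.pem
    sys.stdout.write(libreswan_to_pem(sys.stdin.read()))
```

Pipe the raw `ipsec showhostkey --right` output in and check the result with `openssl rsa -pubin -in right.pem -text -noout`; the modulus openssl prints should be the same bytes that follow the exponent in the base64 you started from. Only the public half ever passes through this conversion, which is also why a `#pubkey=` line can be posted while the rest of the `: RSA {` block in the secrets file must not be.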
Was that a key that you generated as an example, or your actual VPN
key? The fact that you obscured part of it makes me think it might be the latter, but if that’s the case, you really should generate a new key for your server. The part you obscured isn’t the sensitive part.
I just removed the name. I will be regenerating again. To be honest, if an attacker got this to work I would buy them a drink :)
Just trying to follow the instructions here https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
I don’t think I am doing anything special.
At the point where there is some communication going on I am getting this error:
packet from *****:1024: received Vendor ID payload [Cisco-Unity]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***:1024: received Vendor ID payload [Dead Peer Detection]
Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***:1024: initial Main Mode message received on ****:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
The errors are so vague. Not sure what the problem is now.
My conf:
conn tunnel
#phase2alg
You must define connection address and key in ipsec.secrets.
I generated according to the docs, which produced my server.secrets as below.
I used the command
ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/www.example.com.secrets
: RSA {
# RSA 3328 bits ***.**.net Fri Apr 1 15:39:32 2016
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4
IPsec is very complex with certificates. Try first with PSK authentication and then with certificates.
I did :)
I’m all for an easy life.
I got a very similar error: instead of “but no connection has been authorized with policy RSASIG+IKEV1_ALLOW”
I got “but no connection has been authorized with policy PSK+IKEV1_ALLOW”.
I did read somewhere, though, that the errors are red herrings, which is helpful.
Thanks