ipsec showhostkey no secrets filename matched "/etc/ipsec.d/*.secrets"

You may get this error while configuring openswan if you have missed an important step in the configuration: you are supposed to generate a host key for authentication, which is stored in the ipsec.secrets file.

Error:

# ipsec showhostkey --left
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
ipsec showhostkey no secrets filename matched "/etc/ipsec.d/*.secrets"
No keys found

Solution:


Generate the host key with the following command:

# ipsec newhostkey --output /etc/ipsec.secrets --bits 2048 --verbose --configdir /etc/pki/nssdb


Once the key is generated in your ipsec.secrets file, open it and add the following lines:

# vi /etc/ipsec.secrets
 : RSA   {
        # RSA 2048 bits   ip-10-10-10-134   Tue Oct  9 10:32:09 2012
        # for signatures only, UNSAFE FOR ENCRYPTION

 #pubkey=0sAQOtfFcvEQ6QJvVrr0DEFCa9ImnGLwOWXkTVsNJUptu8GRDLmD5otOiwiQG7LGs7fDsKoLUKhnMskixtwoSgNzBAk8tfykZGUCxK/q2nvJ+QN67SG1Xlh3SG3c/FaVPRmS7WYKYCO942iZrZuao/sj+NuJWr0nL8zkEO0KVX5FId8vnmmOak8vwDeGQ0K2g1zgMRIrj1jYSahe/tSr6bMnCvYFkXiKHn50zjyfktGnChsJNcRtgj2R4RUcK6ahtXfYRRMCCzITuSKy2eG+yPQ/vOuaTOqkiKp9FmkF0UZDDE/GjK65zwe2JEVRtmvDX/tzR7Lsgfk5mcCdGWsnIR499XL

         Modulus: 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

        PublicExponent: 0x03
        # everything after this point is CKA_ID in hex format when using NSS
        PrivateExponent: 0xf0ece7ac58e0dcae7aa3638a98cfa1f132c152f4
        Prime1: 0xf0ece7ac58e0dcae7aa3638a98cfa1f132c152f4
        Prime2: 0xf0ece7ac58e0dcae7aa3638a98cfa1f132c152f4
        Exponent1: 0xf0ece7ac58e0dcae7aa3638a98cfa1f132c152f4
        Exponent2: 0xf0ece7ac58e0dcae7aa3638a98cfa1f132c152f4
        Coefficient: 0xf0ece7ac58e0dcae7aa3638a98cfa1f132c152f4
        CKAIDNSS: 0xf0ece7ac58e0dcae7aa3638a98cfa1f132c152f4
        }
 # do not change the indenting of that "}"

Now you can check for the new host keys

# ipsec showhostkey --left
        # rsakey AQOtfFcvE

leftrsasigkey=0sAQOtfFcvEQ6QJvVrr0DEFCa9ImnGLwOWXkTVsNJUptu8GRDLmD5otOiwiQG7LGs7fDsKoLUKhnMskixtwoSgNzBAk8tfyZGUCxK/q2nvJ+QN67SG1Xlh3SG3c/FaVPRmS7WYKYCO942iZrpuao/sj+NuJWr0nL8zkEO0KVX5FId8vnmmOak8vwDeGQ0K2g1zgMRIrj1jYSahe/tSr6bMnCvYFkXiKHn50zjyfktGnChsJNcRtgj2R4RUcK6ahtXfYRRMCCzITuSKy2eG+yPQ/vOuaTOqkiKp9FmkF0UZDDE/GjK65zwe2JEVRtmvDX/tzR7Lsgfk5mcCdGWsnIR499XL

# ipsec showhostkey --right
        # rsakey AQOtfFcvE
        rightrsasigkey=0sAQOtfFcvEQ6QJvVrr0DEFCa9ImnGLwOWXkTVsNJUptu8GRDLmD5otOiwiQG7LGs7fDsKoLUKhnMskixtwoSgNzBAk8tfyZGUCxK/q2nvJ+QN67SG1Xlh3SG3c/FaVPRmS7WYKYCO942iZrZuao/sj+NuJWr0nL8zkEO0KVX5FId8vnmmOak8vwDeGQ0K2g1zgMRIrj1jYSahe/tSr6bMnCvYFkXiKHn50zjyfktGnChsJNcRtgj2R4RUcK6ahtXfYRRMCCzITuSKy2eG+yPQ/vOuaTOqkiKp9FmkF0UZDDE/GjK65zwe2JEVRtmvDX/tzR7Lsgfk5mcCdGWsnIR499XL
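
Before relying on the showhostkey output, the secrets file itself can be checked. The script below is an added example, not part of the original post or of openswan: it checks that the file exists, that it is not accessible beyond its owner (a standard requirement for ipsec.secrets that the post does not mention), that it contains an RSA entry, and that the closing "}" is still indented. The function names, return codes and the sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example: sanity-check an ipsec.secrets file after "ipsec newhostkey".
# Function names and return codes are this example's own choices.
# Returns: 0 ok, 1 file missing/unreadable, 2 group/other can access it,
#          3 no ": RSA {" entry, 4 closing "}" is not indented.
check_ipsec_secrets() {
    f=$1
    [ -r "$f" ] || { echo "$f: missing or unreadable"; return 1; }

    # Characters 5-10 of "ls -l" are the group and other permission bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: accessible beyond owner ($perms)"; return 2; }

    # An RSA entry opens with ": RSA {" on a non-comment line.
    grep -v '^[[:space:]]*#' "$f" | grep -Eq ':[[:space:]]*RSA[[:space:]]*\{' \
        || { echo "$f: no RSA key entry"; return 3; }

    # The closing brace must stay indented (the generated file says so).
    grep -Eq '^[[:space:]]+\}' "$f" \
        || { echo "$f: closing brace not indented"; return 4; }

    echo "$f: RSA host key entry looks sane"
    return 0
}

# Constructed sample with placeholder values, not a real key.
make_sample() {
    cat > "$1" <<'EOF'
: RSA   {
        # RSA 2048 bits   example-host   (constructed sample)
        #pubkey=0sPLACEHOLDER
        PublicExponent: 0x03
        CKAIDNSS: 0x00
        }
# do not change the indenting of that "}"
EOF
    chmod 600 "$1"
}

# Demo on the constructed sample; on a real host pass /etc/ipsec.secrets.
tmp=$(mktemp)
make_sample "$tmp"
if check_ipsec_secrets "$tmp"; then :; fi
rm -f "$tmp"
```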


For the complete configuration of openswan, including screenshots, see this page: openswan configuration in RedHat5

 
