If raw RSA keys are used for IPsec authentication, the keys must be created before they can be referenced in the configuration.
Each RSA key consists of a private key, which is stored in the NSS database of the node the key belongs to, and a public key, which becomes part of the configuration file shared between the nodes.
Creating the RSA key and storing it in the NSS database is straightforward: an RSA key is generated on each individual node.
To create a new 4096-bit RSA key, run the following command on each node.
ipsec newhostkey --bits 4096 --output /etc/ipsec/ipsec.d/.secrets
Example:
root@ng-east:~# ipsec newhostkey --output /etc/ipsec/ipsec.d/ng-east.secrets
Generated RSA key pair with CKAID 2dedf16dedf74614c7519e97c6fcef1baaf03bc4 was stored in the NSS database.
Next, the public key must be extracted so that it can be used in the configuration file.
If the node is the West (left) node, use the following command. The CKAID is the one printed by the previous command.
root@ng-west:~# ipsec showhostkey --left --ckaid 2dedf16ded… … … 6fcef
# rsakey AQPADPksQ
leftrsasigkey=0sAQO1Gr2MY41qhG…………….bbtc7lkT+TxtPBE7sSBWkHr1C5aalkYLwL9kfgK0i7w==
The output from each node can be copied directly into the connection configuration file.
Below is an example of a host-to-host configuration with RSA keys.
Example /etc/ipsec/ipsec.d/host-to-host-rsa.conf
conn host-to-host-rsa
    connaddrfamily=ipv4
    auto=start
    authby=rsasig
    leftid=@West
    left=192.168.50.4
    leftrsasigkey=0sAQO1Gr2MY41qhG…………….bbtc7lkT+TxtPBE7sSBWkHr1C5aalkYLwL9kfgK0i7w==
    rightid=@East
    right=192.168.58.4
    rightrsasigkey=0Vaixy810IkQzUU+SmxA6O………..WORl0i3K43tZx9aakmMyvanRg7Bwz4R+ssDe4+MwsGP0=
Note: The RSA Keys have been shortened in the example to improve readability.
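The following shell script is an added example, not part of the original page and not Libreswan's own tooling. It shows how the two steps above fit together on an administration host: the `leftrsasigkey=`/`rightrsasigkey=` lines that `ipsec showhostkey` prints on each node are extracted, checked for the `0s` (base64) prefix that ipsec.conf expects, and assembled into the host-to-host conn block. The `showhostkey` outputs embedded in the script are constructed samples with placeholder key material; the node names, addresses and conn name are taken from the example above.

```shell
#!/bin/sh
# Added example: build a Libreswan host-to-host conn block from the public-key
# lines printed by `ipsec showhostkey` on each node. The key values below are
# constructed placeholders, not real keys.

# Constructed sample of `ipsec showhostkey --left --ckaid <CKAID>` output on the West node
WEST_OUT='# rsakey AQPADPksQ
leftrsasigkey=0sAQO1Gr2MY41qhGEXAMPLEWESTKEY=='

# Constructed sample of `ipsec showhostkey --right --ckaid <CKAID>` output on the East node
EAST_OUT='# rsakey AQPBDQxyz
rightrsasigkey=0sAQPVaixy810IkQzUUEXAMPLEEASTKEY='

# extract_key SIDE OUTPUT: print the value after "<SIDE>rsasigkey=" (SIDE is left or right),
# ignoring the "# rsakey ..." comment line that precedes it.
extract_key() {
  side=$1
  printf '%s\n' "$2" | sed -n "s/^${side}rsasigkey=//p"
}

# check_key VALUE: succeed only if the value carries the 0s prefix, i.e. a
# base64-encoded public key as ipsec.conf expects; a truncated or pasted-over
# value without it would not load.
check_key() {
  case $1 in
    0s*) return 0 ;;
    *)   return 1 ;;
  esac
}

# build_conn NAME LEFTID LEFTIP LEFTKEY RIGHTID RIGHTIP RIGHTKEY: print the conn block
build_conn() {
  printf 'conn %s\n' "$1"
  printf '    connaddrfamily=ipv4\n'
  printf '    auto=start\n'
  printf '    authby=rsasig\n'
  printf '    leftid=@%s\n' "$2"
  printf '    left=%s\n' "$3"
  printf '    leftrsasigkey=%s\n' "$4"
  printf '    rightid=@%s\n' "$5"
  printf '    right=%s\n' "$6"
  printf '    rightrsasigkey=%s\n' "$7"
}

# main: extract both keys, validate them, and print the finished conn block
main() {
  lkey=$(extract_key left "$WEST_OUT")
  rkey=$(extract_key right "$EAST_OUT")
  check_key "$lkey" || { echo "West public key has unexpected format" >&2; return 1; }
  check_key "$rkey" || { echo "East public key has unexpected format" >&2; return 1; }
  build_conn host-to-host-rsa West 192.168.50.4 "$lkey" East 192.168.58.4 "$rkey"
}

main
```

Redirect the output of `main` into /etc/ipsec/ipsec.d/host-to-host-rsa.conf on both nodes; the same file is used on each side, since Libreswan decides which end is local from the `left`/`right` addresses.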