[Openswan Users] How to move from Openswan in F10 to F11? (fwd)
Paul Wouters
paul at xelerance.com
Fri Jul 3 16:24:14 EDT 2009
This might be interesting to some people.
Note that the fedora/epel/rhel version of Openswan does not support
PSK at all, and requires raw RSA and X.509 keys to be migrated to
use NSS support.
Paul
---------- Forwarded message ----------
Date: Thu, 25 Jun 2009 00:54:39 -0500
From: Albert Chin <fedora-list at mlists.thewrittenword.com>
Reply-To: fedora-list at redhat.com
To: fedora-list at redhat.com
Subject: How to move from Openswan in F10 to F11?
I have IPsec working in F10 with Openswan. Cert handling in F11 is
different because of NSS. How do I migrate? My F10 layout looks like:
/etc/ipsec.d/cacerts
/etc/ipsec.d/cacerts/ca.crt
/etc/ipsec.d/certs
/etc/ipsec.d/certs/china at thewrittenword.com.crt
/etc/ipsec.d/certs/vpn.thewrittenword.com.crt
/etc/ipsec.d/crls
/etc/ipsec.d/private
/etc/ipsec.d/private/local.key
/etc/ipsec.d/private/local.pub
/etc/ipsec.d/tww.conf
/etc/ipsec.d/tww.secrets
For F11, I copied the F10 config and then did the following:
# cd /etc/ipsec.d
# certutil -N -d /etc/ipsec.d
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password: [empty]
Re-enter password: [empty]
# certutil -A -n china at thewrittenword.com -t "p,p,p" \
-i certs/china at thewrittenword.com.crt -d /etc/ipsec.d
# certutil -A -n vpn.thewrittenword.com -t "p,p,p" \
-i certs/vpn.thewrittenword.com.crt -d /etc/ipsec.d
# certutil -A -n "TWW CA" -t "C,C,C" \
-i cacerts/ca.crt -d /etc/ipsec.d
I made changes to the following files:
[tww.conf]
authby=rsasig
rightrsasigkey=%cert
rightid=@vpn.thewrittenword.com
- rightcert=vpn.thewrittenword.com.crt
+ rightcert=vpn.thewrittenword.com
leftrsasigkey=%cert
leftid=china at thewrittenword.com
- leftcert=china at thewrittenword.com.crt
+ leftcert=china at thewrittenword.com
leftsendcert=always
[tww.secrets]
- at china@thewrittenword.com: RSA /etc/ipsec.d/private/local.key
+: RSA china at thewrittenword.com
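Review bot: the certutil -A sequence above imports the three certificates but never loads the private key from /etc/ipsec.d/private/local.key into the NSS database, so the new secrets line ": RSA china at thewrittenword.com" names a nickname that has a certificate and no key, which matches the "Can't find the private key from the NSS CERT (err -8166)" failure reported below. The key has to be imported into the database together with its certificate (for example bundled as PKCS#12 and loaded with pk12util) before the nickname form in tww.secrets can work.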
When I run "/etc/init.d/ipsec restart", /var/log/messages has:
Jun 25 00:35:16 localhost ipsec__plutorun: 002 loading certificate from china at thewrittenword.com
Jun 25 00:35:16 localhost ipsec__plutorun: 002 loading certificate from vpn.thewrittenword.com
Jun 25 00:35:16 localhost ipsec__plutorun: 002 added connection description "tww"
Then, when I try to establish the IPsec connection:
# ipsec auto --up tww
...
003 "tww" #1: Can't find the private key from the NSS CERT (err -8166)
Any ideas?
BTW, README.nss from openswan-2.6.21-nss.patch should be included in
openswan-doc.
--
albert chin (china at thewrittenword.com)
--
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
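As an added example, not taken from the post or from Openswan itself, the script below does the key import that the certutil -A steps above leave out and automates the config rewrite shown in the post; the paths, nicknames and empty database password are copied from the post and are assumptions for any other setup.

```shell
#!/bin/sh
# Added example: migrate a PEM certificate + private key into the NSS
# database used by the NSS build of Openswan, then rewrite the config.
# NSSDIR, nicknames and file names are assumptions based on the post.
set -eu

NSSDIR=${NSSDIR:-/etc/ipsec.d}

# certutil -A stores certificates only. The host's own cert and key must
# be imported together, here as a PKCS#12 bundle via pk12util; otherwise
# pluto fails with "Can't find the private key" (NSS -8166, SEC_ERROR_NO_KEY).
# Use this instead of certutil -A for the end-entity certificate.
import_cert_and_key() {
    nick=$1; cert=$2; key=$3
    tmp=$(mktemp)
    # Empty export password to match the empty NSS database password in the post.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$nick" \
        -passout pass: -out "$tmp"
    pk12util -i "$tmp" -d "$NSSDIR" -W ""
    rm -f "$tmp"
    # Verify the key is now listed under that nickname.
    certutil -K -d "$NSSDIR" | grep -F "$nick" >/dev/null
}

# leftcert=/rightcert= must name an NSS nickname, not a .crt file:
# drop the ".crt" suffix. Reads stdin, writes stdout.
migrate_conf() {
    sed -E 's/^([[:space:]]*(left|right)cert=)(.*)\.crt[[:space:]]*$/\1\3/'
}

# Turn a file-based secrets line "@id: RSA /path/to/key" into the
# nickname form ": RSA <nickname>" expected by the NSS build.
migrate_secrets() {
    nick=$1
    sed -E "s|^@[^:]*:[[:space:]]*RSA[[:space:]]+/.*$|: RSA $nick|"
}

# Typical run, following the layout in the post:
#   import_cert_and_key china@thewrittenword.com \
#       certs/china@thewrittenword.com.crt private/local.key
#   migrate_conf    < tww.conf.orig    > tww.conf
#   migrate_secrets china@thewrittenword.com < tww.secrets.orig > tww.secrets
```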