<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:1164322360;
        mso-list-type:hybrid;
        mso-list-template-ids:-213729874 -880138980 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-start-at:2;
        mso-level-number-format:bullet;
        mso-level-text:-;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Calibri","sans-serif";
        mso-fareast-font-family:Calibri;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Frustrating. Now I can’t even create a new hostkey. Forget about importing an old hostkey.secrets – trying to bite the bullet and just create a new one. I wish some of this stuff would be documented and a little more stable from release to release. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Running Fedora 14 with the newest Red Hat Openswan 2.6.31 RPM.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>First I create a new NSS database, like this:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>certutil -N -d /etc/ipsec.d<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Next, I try to set up a new hostkey.secrets file, like this:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>ipsec newhostkey --configdir /etc/ipsec.d \<o:p></o:p></p><p class=MsoNormal> --output /etc/ipsec.d/hostkey.secrets \<o:p></o:p></p><p class=MsoNormal> --verbose \<o:p></o:p></p><p class=MsoNormal> --hostname DRsite-fw<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This **should** run for a long time generating what it needs. It used to. But instead, it completes immediately and leaves me with an empty hostkey.secrets file populated with nothing useful. And here I sit. Another day older and deeper in debt. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>What changed? This all used to work.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In fact – I just tested it on another Fedora 14 system running 2.6.29 and it worked. But this newer Fedora 14 system updated to 2.6.31 has the problem. Maybe I’ll just go back to 2.6.29 on the problem system. 
But is this something that will be broken forever or just a bug with this release?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]# ls<o:p></o:p></p><p class=MsoNormal>DR-ipsec.conf DR-updown.sh policies<o:p></o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]# certutil -N -d /etc/ipsec.d<o:p></o:p></p><p class=MsoNormal>Enter a password which will be used to encrypt your keys.<o:p></o:p></p><p class=MsoNormal>The password should be at least 8 characters long,<o:p></o:p></p><p class=MsoNormal>and should contain at least one non-alphabetic character.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Enter new password:<o:p></o:p></p><p class=MsoNormal>Re-enter password:<o:p></o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]# ls<o:p></o:p></p><p class=MsoNormal>cert8.db DR-ipsec.conf DR-updown.sh key3.db policies secmod.db<o:p></o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d \<o:p></o:p></p><p class=MsoNormal>> --output /etc/ipsec.d/hostkey.secrets \<o:p></o:p></p><p class=MsoNormal>> --verbose \<o:p></o:p></p><p class=MsoNormal>> --hostname DRsite-fw<o:p></o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]#<o:p></o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]# ls<o:p></o:p></p><p class=MsoNormal>cert8.db DR-ipsec.conf DR-updown.sh hostkey.secrets key3.db policies secmod.db<o:p></o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]#<o:p></o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]#<o:p></o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]# more hostkey.secrets<o:p></o:p></p><p class=MsoNormal>: RSA {<o:p></o:p></p><p class=MsoNormal>Usage: rsasigkey [--verbose] [--random device] [--configdir dir] [--password password] nbits<o:p></o:p></p><p class=MsoNormal> }<o:p></o:p></p><p class=MsoNormal># do not change the indenting of that "}"<o:p></o:p></p><p class=MsoNormal>[root@DRsite-fw 
ipsec.d]#<o:p></o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]#<o:p></o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]# certutil -L -d /etc/ipsec.d<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Certificate Nickname Trust Attributes<o:p></o:p></p><p class=MsoNormal> SSL,S/MIME,JAR/XPI<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>[root@DRsite-fw ipsec.d]#<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Greg Scott<o:p></o:p></p></div></body></html>