In CentOS 5, the distribution openswan RPM package uses NSS, and it seems there's no configuration option to disable that. Maybe you can download the source RPM and recompile it without NSS.<br><br><br><div class="gmail_quote">
2011/7/24 Richard Pickett <span dir="ltr"><<a href="mailto:richard.pickett@csrtechnologies.com">richard.pickett@csrtechnologies.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi all (Hi Paul!),
<div><br></div><div>Sooooo, I've got openswan installed stock-rpm on centos 5.1. I didn't do anything special to recompile, install extra mods, etc.</div><div><br></div><div>I'm using (as you guys probably know) x.509 auth on my connections. I really don't want to use nss, but can. I just don't need that level of lock-down.</div>
<div><br></div><div>I'm thinking maybe NSS is mandatory now, I'm connecting w/ shrewsoft and as soon as the connection starts this is what hits the /var/log/secure:</div><div><br></div><div><div>Jul 23 18:37:18 vhost5 pluto[4810]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]</div>
<div>Jul 23 18:37:18 vhost5 pluto[4810]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]</div><div>Jul 23 18:37:18 vhost5 pluto[4810]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 </div>
<div>Jul 23 18:37:18 vhost5 pluto[4810]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 </div><div>Jul 23 18:37:18 vhost5 pluto[4810]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: received Vendor ID payload [RFC 3947] method set to=109 </div>
<div>Jul 23 18:37:18 vhost5 pluto[4810]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: ignoring Vendor ID payload [FRAGMENTATION 80000000]</div><div>Jul 23 18:37:18 vhost5 pluto[4810]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: received Vendor ID payload [Dead Peer Detection]</div>
<div>Jul 23 18:37:18 vhost5 pluto[4810]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]</div><div>Jul 23 18:37:18 vhost5 pluto[4810]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]</div>
<div>Jul 23 18:37:18 vhost5 pluto[4810]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]</div><div>Jul 23 18:37:18 vhost5 pluto[4810]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: received Vendor ID payload [Cisco-Unity]</div>
<div>Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1: responding to Main Mode from unknown peer 74.137.71.67</div><div>Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</div>
<div>Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1: STATE_MAIN_R1: sent MR1, expecting MI2</div><div>Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed</div>
<div><b>Jul 23 18:37:18 vhost5 pluto[4810]: NSS: DH private key creation failed</b></div><div>Jul 23 18:37:29 vhost5 ipsec__plutorun: Restarting Pluto subsystem...</div><div><b>Jul 23 18:37:29 vhost5 pluto[5363]: nss directory plutomain: /etc/ipsec.d</b></div>
<div><b>Jul 23 18:37:29 vhost5 pluto[5363]: NSS Initialized</b></div><div>Jul 23 18:37:29 vhost5 pluto[5363]: Not able to open /proc/sys/crypto/fips_enabled, returning non-fips mode</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: Not able to open /proc/sys/crypto/fips_enabled, returning non-fips mode</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: Starting Pluto (Openswan Version 2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:5363</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: Setting NAT-Traversal port-4500 floating to on</div><div>
Jul 23 18:37:29 vhost5 pluto[5363]: port floating activation criteria nat_t=1/port_float=1</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: including NAT-Traversal patch (Version 0.6c)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)</div>
<div>
Jul 23 18:37:29 vhost5 pluto[5363]: starting up 3 cryptographic helpers</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: main fd(8) helper fd(9)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1097259328 (fd:8)</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: main fd(10) helper fd(11)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1105652032 (fd:10)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: main fd(12) helper fd(13)</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1114044736 (fd:12)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: Using Linux 2.6 IPsec interface code on 2.6.39.1-x86_64-linode19 (experimental code)</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names </div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names </div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already exists</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names </div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already exists</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names </div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already exists</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names </div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already exists</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names </div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already exists</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: Changed path to directory '/etc/ipsec.d/cacerts'</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: loaded CA cert file 'ca_crt.pem' (3816 bytes)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: loaded CA cert file '0000-SERVER-CA.pem' (3816 bytes)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: Could not change to directory '/etc/ipsec.d/aacerts': /etc/ipsec.d</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: Could not change to directory '/etc/ipsec.d/ocspcerts': /etc/ipsec.d</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: Changing to directory '/etc/ipsec.d/crls'</div><div>
Jul 23 18:37:29 vhost5 pluto[5363]: loaded crl file 'mobile_aegils_crl.pem' (1783 bytes)</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: | NSS: length of decrypted sig = 35</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: | NSS : RSA Signature verified, hash values matched</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: loading certificate from 0000-SERVER-CERT.pem </div><div>Jul 23 18:37:29 vhost5 pluto[5363]: could not open host cert with nick name '0000-SERVER-CERT.pem' in NSS DB</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: added connection description "mobileaegisclient"</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: listening for IKE messages</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0:cp1/eth0:cp1 <a href="http://192.168.141.50:500" target="_blank">192.168.141.50:500</a></div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0:cp1/eth0:cp1 <a href="http://192.168.141.50:4500" target="_blank">192.168.141.50:4500</a></div><div>Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0/eth0 <a href="http://173.255.254.20:500" target="_blank">173.255.254.20:500</a></div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0/eth0 <a href="http://173.255.254.20:4500" target="_blank">173.255.254.20:4500</a></div><div>Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo <a href="http://127.0.0.1:500" target="_blank">127.0.0.1:500</a></div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo <a href="http://127.0.0.1:4500" target="_blank">127.0.0.1:4500</a></div><div>Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo ::1:500</div><div>Jul 23 18:37:29 vhost5 pluto[5363]: loading secrets from "/etc/ipsec.secrets"</div>
<div>Jul 23 18:37:29 vhost5 pluto[5363]: loading secrets from "/etc/ipsec.d/ca.secrets"</div><div><b>Jul 23 18:37:33 vhost5 pluto[5363]: packet from <a href="http://74.137.71.67:55197" target="_blank">74.137.71.67:55197</a>: phase 1 message is part of an unknown exchange</b></div>
</div><div><br></div><div><br></div><div>Since it restarts pluto, naturally it has no idea what this message is, since it's already forgotten this conversation.</div><div><br></div><div>Am I right about NSS? Is there a way to turn it off, or do I just have to bite the bullet? If I use NSS, how much of my ipsec RSA config gets changed?</div>
<div><br></div><div>Thanks!</div>
<br>_______________________________________________<br>
<a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br></blockquote></div><br>
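The sequence Richard's log shows (a failure inside pluto, ipsec__plutorun restarting it under a new PID, and the peer's next phase 1 packet landing in a process that never saw the exchange) is the kind of thing worth pulling out of /var/log/secure automatically. The following triage script is an added example, not code from the thread or from openswan; the regexes are assumptions based on the pluto log format quoted above, and the sample log is a constructed subset of those lines.

```python
import re

# Constructed sample: a trimmed subset of the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1: responding to Main Mode from unknown peer 74.137.71.67
Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 23 18:37:18 vhost5 pluto[4810]: NSS: DH private key creation failed
Jul 23 18:37:29 vhost5 ipsec__plutorun: Restarting Pluto subsystem...
Jul 23 18:37:29 vhost5 pluto[5363]: NSS Initialized
Jul 23 18:37:29 vhost5 pluto[5363]: could not open host cert with nick name '0000-SERVER-CERT.pem' in NSS DB
Jul 23 18:37:29 vhost5 pluto[5363]: listening for IKE messages
Jul 23 18:37:33 vhost5 pluto[5363]: packet from 74.137.71.67:55197: phase 1 message is part of an unknown exchange
"""

# syslog prefix: timestamp, host, program with optional [pid], then the message (assumed layout)
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ (?P<prog>\w+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
# a responder starting Main Mode with a peer: "conn"[n] <peer> #<sa>: responding to Main Mode ...
PEER_RE = re.compile(r'^"[^"]+"\[\d+\] (?P<peer>[\d.]+) #\d+: responding to Main Mode')
# a phase 1 packet that the running pluto cannot map to any exchange it knows
ORPHAN_RE = re.compile(r'^packet from (?P<peer>[\d.]+):\d+: phase 1 message is part of an unknown exchange')


def triage(log_text):
    """Return findings as tuples: ('restart', ts, last_error_before_restart) for each
    pluto restart, and ('orphaned_exchange', ts, peer) when a peer's Main Mode exchange
    began under one pluto PID and its next phase 1 packet arrived at a different PID."""
    findings = []
    last_error = None      # most recent failure-looking pluto message since the last restart
    negotiating = {}       # peer address -> pluto PID that was handling its Main Mode exchange
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m['prog'], m['pid'], m['msg']
        if prog == 'ipsec__plutorun' and msg.startswith('Restarting Pluto'):
            findings.append(('restart', m['ts'], last_error))
            last_error = None
            continue
        if prog != 'pluto':
            continue
        if 'failed' in msg or msg.startswith('could not'):
            last_error = msg
        pm = PEER_RE.match(msg)
        if pm:
            negotiating[pm['peer']] = pid
        om = ORPHAN_RE.match(msg)
        if om and negotiating.get(om['peer']) not in (None, pid):
            findings.append(('orphaned_exchange', m['ts'], om['peer']))
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample this reports the restart together with the "NSS: DH private key creation failed" line that preceded it, and the peer whose exchange was lost across the PID change.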