Bug ID: 725518<div><br>This is pretty urgent on my side. I have one other box to try things on; in the meantime I'm compiling without nss (yuck).<br>
<br><br><div class="gmail_quote">On Mon, Jul 25, 2011 at 10:38 AM, Avesh Agarwal <span dir="ltr"><<a href="mailto:avagarwa@redhat.com">avagarwa@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5">On 07/25/2011 11:30 AM, Paul Wouters wrote:<br>
> On Mon, 25 Jul 2011, Kevin Keane wrote:<br>
><br>
>> I have a feeling that there is a bug in the NSS DH code. I’m getting<br>
>> almost the same error (in my case, the last message<br>
>> is “NSS: slot for DH key gen is NULL” instead of your “NSS: DH<br>
>> private key creation failed”). In my case, the mere fact<br>
>> that I have a certificate in the database triggers this error.<br>
><br>
>> I posted the full log with plutodebug=all a couple days ago, but so<br>
>> far haven’t gotten a response.<br>
><br>
> I was hoping Avesh would have a look at it.<br>
><br>
> I think it might be a misconfiguration of your NSS that causes this. I<br>
> am not sure I want pluto to die<br>
> and restart on this, instead of just failing this one connection (eg<br>
> STF_FAIL)<br>
><br>
> Paul<br>
><br>
>> From: <a href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</a> [mailto:<a href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</a>]<br>
>> On Behalf Of Richard Pickett<br>
>> Sent: Sunday, July 24, 2011 8:30 PM<br>
>> To: Openswan Users<br>
>> Subject: [Openswan Users] nss DH woes<br>
>><br>
>><br>
>><br>
>> Still plunking around trying to get certs to work on openswan. Got<br>
>> them imported into nss just fine, and it reports in<br>
>> the log that it loads them correctly.<br>
>><br>
>><br>
>><br>
>> But when the first client connects, here's what hits the logs (notice<br>
>> the last line):<br>
>><br>
>><br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from <a href="http://74.137.71.67:42600" target="_blank">74.137.71.67:42600</a>:<br>
>> received Vendor ID payload<br>
>> [draft-ietf-ipsec-nat-t-ike-00]<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from <a href="http://74.137.71.67:42600" target="_blank">74.137.71.67:42600</a>:<br>
>> ignoring unknown Vendor ID payload<br>
>> [16f6ca16e4a4066d83821a0f0aeaa862]<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from <a href="http://74.137.71.67:42600" target="_blank">74.137.71.67:42600</a>:<br>
>> received Vendor ID payload<br>
>> [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from <a href="http://74.137.71.67:42600" target="_blank">74.137.71.67:42600</a>:<br>
>> received Vendor ID payload<br>
>> [draft-ietf-ipsec-nat-t-ike-03] method set to=108<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from <a href="http://74.137.71.67:42600" target="_blank">74.137.71.67:42600</a>:<br>
>> received Vendor ID payload [RFC 3947] method set<br>
>> to=109<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from <a href="http://74.137.71.67:42600" target="_blank">74.137.71.67:42600</a>:<br>
>> ignoring Vendor ID payload [FRAGMENTATION 80000000]<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from <a href="http://74.137.71.67:42600" target="_blank">74.137.71.67:42600</a>:<br>
>> received Vendor ID payload [Dead Peer Detection]<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from <a href="http://74.137.71.67:42600" target="_blank">74.137.71.67:42600</a>:<br>
>> ignoring unknown Vendor ID payload<br>
>> [f14b94b7bff1fef02773b8c49feded26]<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from <a href="http://74.137.71.67:42600" target="_blank">74.137.71.67:42600</a>:<br>
>> ignoring unknown Vendor ID payload<br>
>> [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from <a href="http://74.137.71.67:42600" target="_blank">74.137.71.67:42600</a>:<br>
>> ignoring unknown Vendor ID payload<br>
>> [8404adf9cda05760b2ca292e4bff537b]<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from <a href="http://74.137.71.67:42600" target="_blank">74.137.71.67:42600</a>:<br>
>> received Vendor ID payload [Cisco-Unity]<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1]<br>
>> 74.137.71.67 #1: responding to Main Mode from unknown peer<br>
>> 74.137.71.67<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1]<br>
>> 74.137.71.67 #1: transition from state STATE_MAIN_R0 to state<br>
>> STATE_MAIN_R1<br>
>><br>
>> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1]<br>
>> 74.137.71.67 #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>
>><br>
>> Jul 24 22:26:45 vhost5 pluto[6039]: "mobileaegisclient"[1]<br>
>> 74.137.71.67 #1: NAT-Traversal: Result using RFC 3947<br>
>> (NAT-Traversal): peer is NATed<br>
>><br>
>> Jul 24 22:26:45 vhost5 pluto[6039]: NSS: DH private key creation failed<br>
>><br>
>><br>
>><br>
>> What would cause the NSS DH private key creation to fail? Is this a<br>
>> client config issue or server side?<br>
>><br>
<br>
</div></div>Hello Paul, Kevin,<br>
<br>
I can have a look at it. Kevin can you please put a complete output of<br>
ipsec barf instead of truncated ones somewhere, maybe on<br>
<a href="http://bugzilla.redhat.com" target="_blank">bugzilla.redhat.com</a>? Also, if you can provide the exact steps you<br>
followed to configure openswan that would also help.<br>
<div class="im"><br>
>><br>
>><br>
>> Thanks for all your help!<br>
>><br>
>><br>
>><br>
<br>
<br>
</div>--<br>
Thanks and Regards<br>
<font color="#888888">Avesh<br>
</font><div><div></div><div class="h5"><br>
_______________________________________________<br>
<a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</div></div></blockquote></div><br></div>
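As an added example, not code from this thread or from Openswan itself: a small Python triage script for the kind of pluto log quoted above. It parses the syslog lines, attributes each NSS DH key-generation failure (either of the two messages mentioned in the thread) to the ISAKMP SA the responder was working on, and counts pid changes as daemon restarts, which is the "die and restart" behaviour Paul questions versus failing just the one connection. The sample log is constructed from the lines in this thread plus one made-up "listening for IKE messages" line under a new pid; the regex and the function names are my own assumptions about the log format, not anything pluto guarantees.

```python
import re

# Both NSS DH key-generation failure messages quoted in the thread.
DH_FAILURE_MARKERS = (
    "NSS: DH private key creation failed",
    "NSS: slot for DH key gen is NULL",
)

# Assumed syslog layout: "<ts> <host> pluto[<pid>]: ["<conn>"[n] <peer> #<sa>: ]<msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: "
    r'(?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): )?(?P<msg>.*)$'
)

# Constructed sample: the first five lines are taken from the thread, the last
# one is made up to simulate pluto coming back under a new pid.
SAMPLE_LOG = [
    'Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: '
    'received Vendor ID payload [RFC 3947] method set to=109',
    'Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: '
    'responding to Main Mode from unknown peer 74.137.71.67',
    'Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: '
    'transition from state STATE_MAIN_R0 to state STATE_MAIN_R1',
    'Jul 24 22:26:45 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: '
    'NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed',
    'Jul 24 22:26:45 vhost5 pluto[6039]: NSS: DH private key creation failed',
    # constructed line: different pid means the daemon was restarted
    'Jul 24 22:26:50 vhost5 pluto[6051]: listening for IKE messages',
]


def parse_line(line):
    """Split one pluto syslog line into its fields, or return None if it
    does not look like a pluto line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["sa"] = int(ev["sa"]) if ev["sa"] else None
    return ev


def analyze(lines):
    """Return (failures, restarts).

    failures: list of (peer, sa, message) for every NSS DH key-gen failure,
              attributed to the most recent ISAKMP SA the responder touched
              (the failure line itself carries no connection prefix).
    restarts: number of pid changes seen, i.e. how often pluto died and
              came back instead of just failing the one exchange.
    """
    failures = []
    restarts = 0
    last_pid = None
    current = (None, None)  # (peer, sa) of the last per-SA log line
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if last_pid is not None and ev["pid"] != last_pid:
            restarts += 1
        last_pid = ev["pid"]
        if ev["peer"]:
            current = (ev["peer"], ev["sa"])
        if any(marker in ev["msg"] for marker in DH_FAILURE_MARKERS):
            failures.append((current[0], current[1], ev["msg"]))
    return failures, restarts


if __name__ == "__main__":
    found, bounced = analyze(SAMPLE_LOG)
    for peer, sa, msg in found:
        print(f"DH key generation failed for peer {peer} (ISAKMP SA #{sa}): {msg}")
    if bounced:
        print(f"pluto pid changed {bounced} time(s): daemon restarted rather than "
              f"failing the single exchange; check the NSS database the daemon uses")
```

Run against a real /var/log/secure or journal export, a non-zero restart count alongside a DH failure is the signature to look for: one misconfigured NSS database turns every incoming Main Mode exchange into a daemon bounce, which is the availability concern behind the STF_FAIL remark in the thread.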