Kevin, you are too modest! I am sure you know OpenSwan far better than I. ^_^ .<br><br>I just play with it, testing this and that. with a hope of solving problems that may occur.<br><br>Indeed, we can't let bugs slip way, if there's one.<br>
<br><div class="gmail_quote">2011/7/29 Kevin Keane <span dir="ltr"><<a href="mailto:subscription@kkeane.com">subscription@kkeane.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">I would not be surprised at all if it turned out that the root cause was a misconfiguration on my end – I’m not the most experienced openswan user out there (i.e., I am only just starting to learn IPSec, although I have plenty of Linux experience).<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">A couple more notes:<u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt;color:#1F497D"><span>-<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;color:#1F497D">The problem occurs by merely adding a certificate to the database into an otherwise working configuration (using PSK). The only things that changed are the three .db files. So I don’t think the Sonicwall has anything to with it.<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;color:#1F497D"><span>-<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;color:#1F497D">The failure mode seems like a bug. A mere misconfiguration shouldn’t cause pluto to crash and restart.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">And of course you are right – I cannot even conceive that NSS is fundamentally broken; that would never slip by RedHat/CentOS quality control for such an extended period. Whatever the problem is must be an unusual set of circumstances.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">For all I know, it could even be a certificate that is somehow incompatible with openswan (mine was created by the CentOS certificate authority, aka dogtag). Still shouldn’t crash openswan.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:11.0pt;color:#1F497D">Kevin Keane<u></u><u></u></span></b></p><p class="MsoNormal">
<b><span style="font-size:11.0pt;color:#1F497D">The NetTech<u></u><u></u></span></b></p><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><a href="http://www.4nettech.com" target="_blank"><span style="color:blue">http://www.4nettech.com</span></a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a> [mailto:<a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a>] <b>On Behalf Of </b>Curu Wong<br>
<b>Sent:</b> Wednesday, July 27, 2011 6:46 PM<br><b>To:</b> Richard Pickett<br><b>Cc:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> Re: [Openswan Users] nss DH woes<u></u><u></u></span></p>
<div><div></div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal" style="margin-bottom:12.0pt">I don't quite understand the problem here.<br><br>I have been using OpenSwan package from the official CentOS repository(of course with NSS) for 2 years, connecting several pair of Linux servers, all work fine.<br>
<br>Can it be configuration for SonicalWall that cause the problem? forgive me if I misunderstand this situation.<br><br><u></u><u></u></p><div><p class="MsoNormal">2011/7/27 Richard Pickett <<a href="mailto:richard.pickett@csrtechnologies.com" target="_blank">richard.pickett@csrtechnologies.com</a>><u></u><u></u></p>
<p class="MsoNormal">My rsa keys were 8k, I thought maybe nss was having a memory problem (like a static-size limit), so I created a whole ca/certs suite w/ 2k keys, same problem.<u></u><u></u></p><div><p class="MsoNormal">
<u></u> <u></u></p></div><div><p class="MsoNormal">Avesh, any ideas on how much longer you'll be looking at this?<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Thanks for your help!<u></u><u></u></p>
<div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br><br><u></u><u></u></p><div><p class="MsoNormal">On Tue, Jul 26, 2011 at 6:23 AM, Avesh Agarwal <<a href="mailto:avagarwa@redhat.com" target="_blank">avagarwa@redhat.com</a>> wrote:<u></u><u></u></p>
<div><p class="MsoNormal">On 07/26/2011 06:48 AM, Kevin Keane wrote:<br>> Hello Avesh,<br>><br>> Thank you so much! The log I sent was everything that I found in /var/log/secure with plutodebug=all; the only thing I did was scramble machine names and IP addresses since that could be sensitive.<br>
><br>> I added a report to bugzilla as #725699, but did not yet add the barf. There seems to be quite a bit of sensitive information in the barf, such as my iptables firewall configuration, my Sonicwall S/N, etc., things that I'd prefer not to have on bugzilla. Would you mind if I sent it to you by private email?<br>
><br>> Also, when the problem actually happens, my system becomes inaccessible. I have to then turn off ipsec on the other end. So the barf does not represent the exact moment the problem occurs; I took the barf a few minutes later (with the certs causing the problem still in the database).<br>
><br>> As for the steps I did to configure Openswan: it is the standard CentOS 5.6 Openswan RPM. openswan-2.6.21-5.el5_6.4 . So other than fiddling with the configuration, I have not done anything unusual.<br>><br>
> Come to think about it - is it possible that this is a kernel problem? This VM runs on a Rackspace VM, with a Rackspace kernel instead of a stock CentOS kernel.<br>><u></u><u></u></p></div><p class="MsoNormal">It does not seem to be a kernel at first issue as IKE exchange takes<br>
place in user space and NSS library is also user space. However, it is<br>surprising why it is happening.<u></u><u></u></p><div><div><p class="MsoNormal">>> Hello Paul, Kevin,<br>>> I can have a look at it. Kevin can you please put a complete output of ipsec barf instead of truncated ones somewhere, may be on <a href="http://bugzilla.redhat.com" target="_blank">bugzilla.redhat.com</a>? Also, if you can provide the exact steps you followed to configure openswan that would also help.<br>
>> --<br>>> Thanks and Regards<br>>> Avesh<br>> _______________________________________________<br>> <a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><br>> <a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
> Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>> Building and Integrating Virtual Private Networks with Openswan:<br>
> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br><br><br>--<br>Thanks and Regards<br>Avesh<br>
<br>_______________________________________________<br><a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><br><a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><u></u><u></u></p></div></div></div><p class="MsoNormal">
<u></u> <u></u></p></div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_______________________________________________<br><a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><br><a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><u></u><u></u></p></div><p class="MsoNormal"><u></u> <u></u></p>
</div></div></div></div><br>_______________________________________________<br>
<a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br></blockquote></div><br>