[Openswan Users] ipsec auto --rereadkeys fails on Fedora 12 with NSS disable

Joe Ammann joe at pyx.ch
Mon Dec 28 17:26:41 EST 2009

Hi everybody

I'm just about to upgrade to Fedora 12 and learned the whole story about NSS. 
So for a quick start, I recompiled the RPM with NSS turned off. So I'm now 
running with Openswan 2.6.23, with my configuration migrated from Fedora 8 
(with Openswan 2.4.9), and have 2 problems left.

1) I have a tunnel authenticated with a certificate, and the following 
configuration in /etc/ipsec.d/pyx.secrets

	: RSA JoeLaptopKey.pem %prompt

When I start ipsec during boot, it says (as expected) "use ipsec 
auto --rereadkeys to load keys". When I try this, ipsec auto complains about 
an invalid configuration in the file with the configuration above. If I put 
the correct passphrase in place of the "%prompt%", it works as expected and 
the tunnel starts up.

2) If I put the correct passphrase and although the tunnel seems to come up 
correctly (at least it says "STATE_QUICK_I2: sent QI2, IPsec SA 
established"), communication is still not possible. Also, I'm missing any 
sign of the IP address and the routes being added. ip addr list and ip route 
list don't show anything about the IPsec addresses that I would expect.

Any hints, I'm a bit lost ?

	CU, Joe

More information about the Users mailing list