[Openswan Users] How to move from Openswan in F10 to F11? (fwd)
Scott Selvia
selvia_scott at hotmail.com
Fri Jul 3 16:32:56 EDT 2009
Strange, just sent a reply to my F11 issue and openswan. As noted the
link below solved my issue with F11:
http://fedoraforum.org/forum/showthread.php?t=224391
Now the downside: until our Network Admin switches to user IDs,
passwords, and X.509 certs, I have to remember to recompile openswan if
there is a change in the version in Red Hat's repository.
Scott
On Fri, 2009-07-03 at 16:24 -0400, Paul Wouters wrote:
> This might be interesting to some people.
>
> Note that the fedora/epel/rhel version of Openswan does not support
> PSK at all, and requires raw RSA and X.509 keys to be migrated to
> use NSS support.
>
> Paul
>
> ---------- Forwarded message ----------
> Date: Thu, 25 Jun 2009 00:54:39 -0500
> From: Albert Chin <fedora-list at mlists.thewrittenword.com>
> Reply-To: fedora-list at redhat.com
> To: fedora-list at redhat.com
> Subject: How to move from Openswan in F10 to F11?
>
> I have IPsec working in F10 with Openswan. Cert handling in F11 is
> different because of NSS. How do I migrate? My F10 layout looks like:
> /etc/ipsec.d/cacerts
> /etc/ipsec.d/cacerts/ca.crt
> /etc/ipsec.d/certs
> /etc/ipsec.d/certs/china@thewrittenword.com.crt
> /etc/ipsec.d/certs/vpn.thewrittenword.com.crt
> /etc/ipsec.d/crls
> /etc/ipsec.d/private
> /etc/ipsec.d/private/local.key
> /etc/ipsec.d/private/local.pub
> /etc/ipsec.d/tww.conf
> /etc/ipsec.d/tww.secrets
>
> For F11, I copied the F10 config and then did the following:
> # cd /etc/ipsec.d
> # certutil -N -d /etc/ipsec.d
> Enter a password which will be used to encrypt your keys.
> The password should be at least 8 characters long,
> and should contain at least one non-alphabetic character.
>
> Enter new password: [empty]
> Re-enter password: [empty]
> # certutil -A -n china@thewrittenword.com -t "p,p,p" \
> -i certs/china@thewrittenword.com.crt -d /etc/ipsec.d
> # certutil -A -n vpn.thewrittenword.com -t "p,p,p" \
> -i certs/vpn.thewrittenword.com.crt -d /etc/ipsec.d
> # certutil -A -n "TWW CA" -t "C,C,C" \
> -i cacerts/ca.crt -d /etc/ipsec.d
>
> I made changes to the following files:
> [tww.conf]
> authby=rsasig
> rightrsasigkey=%cert
> rightid=@vpn.thewrittenword.com
> - rightcert=vpn.thewrittenword.com.crt
> + rightcert=vpn.thewrittenword.com
> leftrsasigkey=%cert
> leftid=china@thewrittenword.com
> - leftcert=china@thewrittenword.com.crt
> + leftcert=china@thewrittenword.com
> leftsendcert=always
>
> [tww.secrets]
> - @china@thewrittenword.com: RSA /etc/ipsec.d/private/local.key
> +: RSA china@thewrittenword.com
>
> When I run "/etc/init.d/ipsec restart", /var/log/messages has:
> Jun 25 00:35:16 localhost ipsec__plutorun: 002 loading certificate from china@thewrittenword.com
> Jun 25 00:35:16 localhost ipsec__plutorun: 002 loading certificate from vpn.thewrittenword.com
> Jun 25 00:35:16 localhost ipsec__plutorun: 002 added connection description "tww"
>
> Then, when I try to establish the IPsec connection:
> # ipsec auto --up tww
> ...
> 003 "tww" #1: Can't find the private key from the NSS CERT (err -8166)
>
> Any ideas?
>
> BTW, README.nss from openswan-2.6.21-nss.patch should be included in
> openswan-doc.
>
> --
> albert chin (china at thewrittenword.com)
>
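An added example for this thread (not code from Openswan, from the README.nss, or from either poster): a POSIX shell script that does the step the quoted F11 procedure skipped. `certutil -A` imports a certificate only, so the database ends up with the cert but no key, which is what the `Can't find the private key from the NSS CERT` error reports. The standard NSS route for a key is a PKCS#12 bundle imported with `pk12util`. The directory layout (`certs/NICK.crt`, `private/local.key`, `cacerts/ca.crt`) mirrors the F10 tree in the post; the nicknames, the function names, and the `--empty-password` option (recent certutil only; older versions prompt, as in the quoted transcript) are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from Openswan or from the posters.
# Moves a file-based Openswan identity (host cert, private key, CA cert) into
# the NSS database the F11/EPEL build reads.  "certutil -A" only imports a
# certificate; the private key has to travel in a PKCS#12 bundle imported with
# pk12util, otherwise pluto fails with "Can't find the private key from the
# NSS CERT".  Paths, nicknames and function names are assumptions.
set -eu

# Older NSS releases only read the PKCS#12 PBE cipher set (SHA1/3DES), not the
# PBES2/AES bundles recent OpenSSL writes by default, so pin the algorithms.
P12_PBE="-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1"

# make_p12 CERT KEY CA NICK PWFILE OUT
# Bundle cert + key (+ issuing CA) under NICK.  NICK is what later goes into
# leftcert=/rightcert= in ipsec.conf and the ": RSA NICK" line in ipsec.secrets.
# The transport password is read from PWFILE so it never shows up in ps output.
make_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "$4" \
        $P12_PBE -passout "file:$5" -out "$6"
}

# init_nssdb DIR
# Create the database with an empty password: pluto starts unattended, so
# there is nobody to type one.  (--empty-password needs a recent certutil;
# older versions prompt, as in the quoted F11 procedure.)
init_nssdb() {
    [ -f "$1/cert8.db" ] || [ -f "$1/cert9.db" ] || \
        certutil -N -d "$1" --empty-password
}

# import_identity DIR P12 PWFILE CA CA_NICK
# pk12util imports cert and key together; certutil -A is only for certs.
# The CA is trusted to issue peer certs (C) and for client auth (T).
import_identity() {
    pk12util -i "$2" -d "$1" -w "$3"
    certutil -A -d "$1" -n "$5" -t "CT,," -i "$4"
}

# has_private_key DIR NICK  ->  exit 0 iff the DB holds a key for NICK.
# This is the check the quoted setup would have failed.
has_private_key() {
    certutil -K -d "$1" 2>/dev/null | grep -F -q -- "$2"
}

# migrate IPSEC_D NICK CA_NICK
# Assumes the F10 layout from the thread: certs/NICK.crt, private/local.key,
# cacerts/ca.crt.  Uses a random one-shot password for the transient bundle.
migrate() {
    dir=$1; nick=$2; ca_nick=$3
    work=$(mktemp -d)
    openssl rand -hex 16 > "$work/pw"
    make_p12 "$dir/certs/$nick.crt" "$dir/private/local.key" \
        "$dir/cacerts/ca.crt" "$nick" "$work/pw" "$work/id.p12"
    init_nssdb "$dir"
    import_identity "$dir" "$work/id.p12" "$work/pw" "$dir/cacerts/ca.crt" "$ca_nick"
    rm -rf "$work"
    has_private_key "$dir" "$nick"
}

# Usage: sh migrate-nss.sh --run /etc/ipsec.d china@thewrittenword.com "TWW CA"
if [ "${1:-}" = "--run" ]; then
    migrate "$2" "$3" "$4"
    echo "private key for $3 is in $2"
fi
```

After the import, `leftcert=` and the `: RSA` line in ipsec.secrets name the nickname, exactly as in the edited tww.conf and tww.secrets above, and the old `certs/` and `private/` files are no longer read by the NSS build. `certutil -K -d /etc/ipsec.d` is the quick check before restarting pluto: if the nickname is not listed there, the database still has only the certificate.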