[Openswan Users] How to move from Openswan in F10 to F11? (fwd)

Marek Greško gresko at thr.sk
Sat Jul 4 07:04:31 EDT 2009

On Fri 3 Jul 2009 22:24:14 Paul Wouters wrote:
> This might be interesting to some people.
> Note that the fedora/epel/rhel version of Openswan does not support
> PSK at all, and requires raw RSA and X.509 keys to be migrated to
> use NSS support.
> Paul

Note that the method below does not import the private key into the nss db, and 
it should. Thus it is not working.

You should either generate a public/private key pair using nss, or, if you want 
to migrate certificates generated by openssl to the nss db (the way I prefer), 
use the following method:

Firstly you should convert your key, certificate and CA certificate to PKCS#12: 

openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile cacert.pem -out 

You will get one file in PKCS#12 format containing all the required 
information. You could also use the -name parameter to give a name to the 
certificate. If you leave it empty, the following nss utils will pick one from 
the data in the certificate.

Now we will create the nss db and import the PKCS#12 file into it:

export NSS_DEFAULT_DB_TYPE="sql"
# to use sql format of nss db which fedora's openswan expects

certutil -N -d /etc/ipsec.d
# use empty passwords

pk12util -i certkey.p12 -d /etc/ipsec.d
# remember the name of the imported certificate that pk12util picked; if you 
# specified it before it should be the same, if not the util picked one

Now the certificates are imported into the nss db in /etc/ipsec.d. Next we should 
configure openswan to use the nss database:

Create the file /etc/ipsec.d/nss.certs with the following:
@fqdn: RSA "name of certificate in nss db" ""

Edit your connection and replace the leftcert/rightcert values with the name of 
the certificate in the nss db.

Now everything should work. I hope I did not forget to mention something.

Hope this helps you.


> ---------- Forwarded message ----------
> Date: Thu, 25 Jun 2009 00:54:39 -0500
> From: Albert Chin <fedora-list at mlists.thewrittenword.com>
> Reply-To: fedora-list at redhat.com
> To: fedora-list at redhat.com
> Subject: How to move from Openswan in F10 to F11?
> I have IPsec working in F10 with Openswan. Cert handling in F11 is
> different because of NSS. How do I migrate? My F10 layout looks like:
>    /etc/ipsec.d/cacerts
>    /etc/ipsec.d/cacerts/ca.crt
>    /etc/ipsec.d/certs
>    /etc/ipsec.d/certs/china at thewrittenword.com.crt
>    /etc/ipsec.d/certs/vpn.thewrittenword.com.crt
>    /etc/ipsec.d/crls
>    /etc/ipsec.d/private
>    /etc/ipsec.d/private/local.key
>    /etc/ipsec.d/private/local.pub
>    /etc/ipsec.d/tww.conf
>    /etc/ipsec.d/tww.secrets
> For F11, I copied the F10 config and then did the following:
>    # cd /etc/ipsec.d
>    # certutil -N -d /etc/ipsec.d
>    Enter a password which will be used to encrypt your keys.
>    The password should be at least 8 characters long,
>    and should contain at least one non-alphabetic character.
>    Enter new password: [empty]
>    Re-enter password: [empty]
>    # certutil -A -n china at thewrittenword.com -t "p,p,p" \
>    -i certs/china at thewrittenword.com.crt -d /etc/ipsec.d
>    # certutil -A -n vpn.thewrittenword.com -t "p,p,p" \
>    -i certs/vpn.thewrittenword.com.crt -d /etc/ipsec.d
>    # certutil -A -n "TWW CA" -t "C,C,C" \
>    -i cacerts/ca.crt -d /etc/ipsec.d
> I made changes to the following files:
>    [tww.conf]
>            authby=rsasig
>            rightrsasigkey=%cert
>            rightid=@vpn.thewrittenword.com
>    -       rightcert=vpn.thewrittenword.com.crt
>    +       rightcert=vpn.thewrittenword.com
>            leftrsasigkey=%cert
>            leftid=china at thewrittenword.com
>    -       leftcert=china at thewrittenword.com.crt
>    +       leftcert=china at thewrittenword.com
>            leftsendcert=always
>    [tww.secrets]
>    - at china@thewrittenword.com: RSA /etc/ipsec.d/private/local.key
>    +: RSA china at thewrittenword.com
> When I run "/etc/init.d/ipsec restart", /var/log/messages has:
>    Jun 25 00:35:16 localhost ipsec__plutorun: 002 loading certificate from china at thewrittenword.com
>    Jun 25 00:35:16 localhost ipsec__plutorun: 002 loading certificate from vpn.thewrittenword.com
>    Jun 25 00:35:16 localhost ipsec__plutorun: 002 added connection description "tww"
> Then, when I try to establish the IPsec connection:
>    # ipsec auto --up tww
>    ...
>    003 "tww" #1: Can't find the private key from the NSS CERT (err -8166)
> Any ideas?
> BTW, README.nss from openswan-2.6.21-nss.patch should be included in
> openswan-doc.
> --
> albert chin (china at thewrittenword.com)
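The following script is an added example and is not part of either mail above. It carries Marek's migration path through end to end (PKCS#12 export, SQL-format nss db, pk12util import, nss.certs line) and then checks the thing Albert's certutil -A procedure could not give him: that a private key, not just a certificate, is present in the db under the nickname. It assumes openssl, certutil and pk12util (nss-tools) are installed; every file name, the nickname and the /tmp-style paths are assumptions, and the PKCS#12 transfer password is kept in a mode-600 file rather than on the command line so it does not show up in ps.

```shell
#!/bin/sh
# Added example (not from the original posts): migrate an OpenSSL-generated
# key/cert/CA into an SQL-format NSS database as the reply describes, then
# verify that the PRIVATE key really landed in the db. Importing only the
# certificate with "certutil -A" gives the "Can't find the private key from
# the NSS CERT (err -8166)" failure from the forwarded mail.
# Assumes openssl, certutil and pk12util are installed. File names and the
# nickname are assumptions, not values taken from the posts.
set -eu

# make_p12 KEY CERT CACERT OUT NICKNAME PWFILE
# Bundle key + cert + CA into one PKCS#12 file, protected by the password
# held in PWFILE. The older PBE algorithms are forced so that an NSS from the
# F11 era can still read a bundle written by OpenSSL 3.x.
make_p12() {
    key=$1 cert=$2 cacert=$3 out=$4 nick=$5 pwfile=$6
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$cacert" \
        -name "$nick" -passout "file:$pwfile" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$out"
}

# import_p12 NSSDIR P12 PWFILE
# Create the NSS db in SQL format (what Fedora's openswan expects) with an
# empty db password, as the reply says, and import the PKCS#12 bundle.
# pk12util imports certificate AND private key together, which is the step
# the certutil -A only method misses.
import_p12() {
    nssdir=$1 p12=$2 pwfile=$3
    export NSS_DEFAULT_DB_TYPE=sql
    mkdir -p "$nssdir"
    [ -f "$nssdir/cert9.db" ] || certutil -N -d "sql:$nssdir" --empty-password
    pk12util -i "$p12" -d "sql:$nssdir" -w "$pwfile"
}

# verify_key_in_db NSSDIR NICKNAME
# Succeed only if both a certificate (-L) and a private key (-K) with the
# nickname exist. With an empty db password certutil -K does not prompt.
verify_key_in_db() {
    nssdir=$1 nick=$2
    certutil -L -d "sql:$nssdir" -n "$nick" >/dev/null 2>&1 || return 1
    certutil -K -d "sql:$nssdir" 2>/dev/null | grep -Fq "$nick"
}

# nss_certs_line FQDN NICKNAME
# The /etc/ipsec.d/nss.certs line in the format the reply gives:
#   @fqdn: RSA "nickname" ""
nss_certs_line() {
    printf '@%s: RSA "%s" ""\n' "$1" "$2"
}

# Usage: sh migrate.sh key.pem cert.pem cacert.pem /etc/ipsec.d vpn.example.com
# (all five arguments are assumed example values)
if [ $# -eq 5 ]; then
    pwfile=$(mktemp); chmod 600 "$pwfile"
    openssl rand -hex 16 > "$pwfile"      # one-off transfer password
    p12=$(mktemp); chmod 600 "$p12"
    make_p12 "$1" "$2" "$3" "$p12" "$5" "$pwfile"
    import_p12 "$4" "$p12" "$pwfile"
    rm -f "$p12" "$pwfile"                # bundle no longer needed once imported
    if verify_key_in_db "$4" "$5"; then
        echo "certificate and private key imported as nickname '$5'"
        echo "add to $4/nss.certs:"; nss_certs_line "$5" "$5"
    else
        echo "private key for '$5' is NOT in $4; openswan would fail with err -8166" >&2
        exit 1
    fi
fi
```

The verification is the part worth keeping around after the migration: certutil -L only proves the certificate is in the db, certutil -K lists key objects, and openswan needs both under the same nickname.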
