[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

Greg Scott GregScott at InfraSupportEtc.com
Tue Jul 7 23:16:45 EDT 2009

Searching for "CKAIDNSS" with Google, I see a few references at
http://cvs.fedoraproject.org and http://cvs.fedora.redhat.com.  It looks
like a patch to Openswan 2.6.21.  I am running the bundled RPM that came
with Fedora 11.  If any folks from RedHat are reading this, would it be
possible to shed some light?  Please please please please reassure me
you didn't break old IPSEC secrets files!  I guess I will find out
tomorrow when I try to put this replacement system into production.  
- Greg Scott


From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Greg Scott
Sent: Tuesday, July 07, 2009 6:43 PM
To: users at lists.openswan.org
Subject: [Openswan Users] CKAIDNSS keyword not found where expected in
RSAkey in /var/log/secure

What does "CKAIDNSS keyword not found where expected in RSA key" mean?
I have an aging system running Linux Openswan U2.4.5/K2.6.18-1.2798.fc6
(netkey).  I am replacing it with a new system running Linux Openswan
U2.6.21/K(no kernel code presently loaded).   The replacement system
will also run netkey; I just have Openswan shut down on it right now.
So I copied the hostkey.secrets file and appropriate .conf files from
the old to the new system.  When I start IPSEC on the new system, I see
this message in /var/log/secure:
Jul  7 17:59:02 huge-fw pluto[4537]: "/etc/ipsec.d/hostkey.secrets" line 14: CKAIDNSS keyword not found where expected in RSA key

What does this mean?   I am replacing the HQ site and there are a couple
of branch sites in this case.  Did the format of the keys change and do
I need to generate a new key at the HQ site and fiddle with scripts at
all my branch sites to use the new key at the HQ site?
- Greg Scott