[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

Greg Scott GregScott at InfraSupportEtc.com
Wed Jul 8 07:36:29 EDT 2009

Lovely.  Nasty surprises are my friend.  :)  

In this case, I can get away with making new keys if needed, but I have to be up and running by 8AM, about 1 1/2 hours from now.  I am using RSA keys; how do I make keys inside the NSS database?  And what the heck is the NSS database anyway?


- Greg

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Wednesday, July 08, 2009 5:00 AM
To: Greg Scott
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

On Tue, 7 Jul 2009, Greg Scott wrote:

> Searching for "CKAIDNSS" with Google, I see a few references at 
> http://cvs.fedoraproject.org and http://cvs.fedora.redhat.com.  It 
> looks like a patch to Openswan 2.6.21.  I am running the bundled RPM 
> that came with Fedora 11.  If any folks from RedHat are reading this, 
> would it be possible to shed some light?  Please please please please 
> reassure me you didn't break old IPSEC secrets files!  I guess I will 
> find out tomorrow when I try to put this replacement system into production.

Ohhhh. It's the NSS code. Currently, they compile with NSS enabled, which means you currently cannot use PSK or any RSA key specified in ipsec.secrets or via X.509 keys outside the NSS database.

If you want the old things to work, change the spec file to not enable NSS and recompile. If they did not add an option in the spec file, look at the spec file in openswan-2.6.22/packaging/fedora/openswan.spec.

