[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

Greg Scott GregScott at InfraSupportEtc.com
Wed Jul 8 18:40:42 EDT 2009


Renamed "nss-password.txt" to "nsspassword" at the HQ site.  Trying to
bring up a remote site, I see:

Jul  8 17:37:33 huge-fw pluto[6200]: "Eagan-Everywhere" #4: Can't find
the private key from the NSS CERT (err -12285)
Jul  8 17:37:33 huge-fw pluto[6200]: "Eagan-Everywhere" #4: transition
from state STATE_MAIN_I2 to state STATE_MAIN_I3

Does the NSS database need the keys from all sites?   If so, how do I
insert them?

- Greg

 

-----Original Message-----
From: Avesh Agarwal [mailto:avagarwa at redhat.com] 
Sent: Wednesday, July 08, 2009 4:59 PM
To: Greg Scott
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] CKAIDNSS keyword not found where expected
in RSAkey in /var/log/secure

Greg Scott wrote:
> Still not out of the woods.  After replacing my old key with the new
> key on all my remote sites, everyone's /var/log/secure file is going nuts
> with these errors:
>
> Jul  8 16:50:00 SF-fw2 pluto[27192]: "SFalls-Everywhere" #12: 
> Signature check (on @hq.local) failed (wrong key?); tried *AQPgHGxjC 
> Jul  8 16:50:00 SF-fw2 pluto[27192]: "SFalls-Everywhere" #12: sending 
> encrypted notification INVALID_KEY_INFORMATION to 66.173.42.146:500 
> Jul  8 16:50:10 SF-fw2 pluto[27192]: "SFalls-Everywhere" #12: Main 
> mode peer ID is ID_FQDN: '@hq.local'
> Jul  8 16:50:10 SF-fw2 pluto[27192]: "SFalls-Everywhere" #12: 
> Signature check (on @hq.local) failed (wrong key?); tried *AQPgHGxjC 
> Jul  8 16:50:10 SF-fw2 pluto[27192]: "SFalls-Everywhere" #12: sending 
> encrypted notification INVALID_KEY_INFORMATION to 66.173.42.146:500
>
> - Greg
>   
I think you did not create the "nsspassword" file in "/etc/ipsec.d" and
put the NSS database password in this file. Do that and try again.

The password provided in the "nsspassword" file is read by pluto so that
it can authenticate to the NSS database.

Avesh



