[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure
Avesh Agarwal
avagarwa at redhat.com
Thu Jul 9 14:08:15 EDT 2009
Greg Scott wrote:
> OK - so now back to the issue at hand:
>
> Renamed "nss-password.txt" to "nsspassword" at the HQ site. Trying to
> bring up a remote site, I see:
>
> Jul 8 17:37:33 huge-fw pluto[6200]: "Eagan-Everywhere" #4: Can't find
> the private key from the NSS CERT (err -12285)
> Jul 8 17:37:33 huge-fw pluto[6200]: "Eagan-Everywhere" #4: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
>
> OK, so now it looks like my right side can access its NSS database but
> now it can't find the left side's keys in there.
>
You need to provide the left side's key in the ipsec.conf file, the way it
used to be done without NSS.
> Do both sides now need a copy of all the other sides' keys in their NSS
> databases?
No.
> If so, how do I put them in? And if the keys are in the NSS
> database, do we no longer need them in the CONN descriptions?
>
You need. Once you create the keys in the NSS database, you have the public key
in the ipsec.secrets file. After that the procedure is exactly the same as it is
without NSS.
Avesh
> - Greg
>
>
>
> -----Original Message-----
> From: Avesh Agarwal [mailto:avagarwa at redhat.com]
> Sent: Thursday, July 09, 2009 8:26 AM
> To: Paul Wouters
> Cc: Greg Scott; users at lists.openswan.org
> Subject: Re: [Openswan Users] CKAIDNSS keyword not found where expected
> in RSAkey in /var/log/secure
>
> Paul Wouters wrote:
>
>> On Wed, 8 Jul 2009, Greg Scott wrote:
>>
>>
>>> [root at huge-fw ipsec.d]# ipsec newhostkey --random /dev/urandom
>>> --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output
>>> /etc/ipsec.d/hostkey.secrets Generated RSA key pair using the NSS
>>> database
>>>
>> Never use /dev/urandom for long term keys! Openswan knows when it
>> needs to use /dev/random and when it is not safe to use /dev/urandom.
>> Don't second guess it!
>>
>> Paul
>>
> Hi Paul,
>
> NSS does not change anything in the way /dev/random or /dev/urandom is
> used.
>
>
> Thanks
> Avesh
>
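Avesh's answer above says the public half of the host key ends up in the secrets file and is then pasted into the conn exactly as before NSS. The script below is an added example, not code from the thread or from Openswan: it takes a secrets file written by `ipsec newhostkey --output`, pulls out the `#pubkey=` value, emits the `leftrsasigkey=`/`rightrsasigkey=` line for the other side's ipsec.conf, and checks that the file carries only the NSS key handle (the `CKAIDNSS` line from the subject) and no raw private exponent. The file layout and the key value in the sample are constructed assumptions modelled on Openswan's NSS output; the sample is not a real key.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes the secrets file
# layout Openswan writes for NSS-backed keys: a commented "#pubkey=" line
# holding the public key, the public modulus/exponent, and a CKAIDNSS line
# that is only a handle into the NSS database, not private key material.

# Write a constructed sample of /etc/ipsec.d/hostkey.secrets to $1.
# The key string is fake and only serves the demonstration.
write_sample_secrets() {
    cat >"$1" <<'EOF'
: RSA	{
	# RSA 2192 bits   huge-fw   Wed Jul  8 17:30:00 2009
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=0sAQNexampleConstructedPublicKeyNotReal123456789==
	Modulus: 0x00deadbeef
	PublicExponent: 0x03
	# everything after this point is CKA_ID in hex
	CKAIDNSS: 0x0123456789abcdef
	}
EOF
}

# Print the public key (the part that is safe to hand to the peer).
extract_pubkey() {
    sed -n 's/^[[:space:]]*#pubkey=//p' "$1"
}

# Print the ipsec.conf line for the given side ("left" or "right").
conn_lines() {
    side=$1
    file=$2
    key=$(extract_pubkey "$file")
    if [ -z "$key" ]; then
        echo "no #pubkey= line found in $file" >&2
        return 1
    fi
    printf '%srsasigkey=%s\n' "$side" "$key"
}

# Sanity check: the private key must live only in the NSS database, so the
# secrets file should reference it via CKAIDNSS and never contain a raw
# PrivateExponent. Returns 0 when that holds.
private_key_in_nss() {
    grep -q '^[[:space:]]*CKAIDNSS:' "$1" && ! grep -q 'PrivateExponent' "$1"
}

# Stand-alone run: generate the sample, then print what goes in the conn.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_secrets "$f"
    conn_lines left "$f"
    private_key_in_nss "$f" && echo "private key stays in NSS: ok"
    rm -f "$f"
fi
```

Run it with `sh script.sh --demo` to see the `leftrsasigkey=` line; on a real host, point `conn_lines` at the file you passed to `--output` and paste the printed line into the conn on the peer. The public key is the only thing that needs to travel; the NSS database (and its `nsspassword` file) stays on the host that generated the key.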