[Openswan Users] Fedora 12 - Can't find the private key from the NSS CERT (err -12285)
Saso Tavcar
fast at ais42.net
Mon May 31 17:30:57 EDT 2010
I've updated to the latest version of openswan-2.6.25-1.fc12 on Fedora 12:
[root at tabu ~]# rpm -qa |grep swan
openswan-2.6.25-1.fc12.i686
openswan-doc-2.6.25-1.fc12.i686
And the connection does not establish any more:
May 31 23:17:03 tabu pluto[2998]: "right-left" #1280: starting keying attempt 651 of an unlimited number
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: initiating Main Mode to replace #1280
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: ignoring unknown Vendor ID payload [4f456d406b6753464548407f]
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: received Vendor ID payload [Dead Peer Detection]
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: received Vendor ID payload [RFC 3947] method set to=109
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: enabling possible NAT-traversal with method 4
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: STATE_MAIN_I2: sent MI2, expecting MR2
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: Can't find the private key from the NSS CERT (err -12285)
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: STATE_MAIN_I3: sent MI3, expecting MR3
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: received and ignored informational message
May 31 23:17:13 tabu pluto[2998]: "right-left" #1281: discarding duplicate packet; already STATE_MAIN_I3
May 31 23:17:13 tabu pluto[2998]: "right-left" #1281: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
May 31 23:17:13 tabu pluto[2998]: "right-left" #1281: received and ignored informational message
When I downgrade to openswan-2.6.23-1.fc12, everything works:
[root at tabu ~]# rpm -Uvh --force openswan-2.6.23-1.fc12.i686.rpm
Preparing...                ########################################### [100%]
   1:openswan               ########################################### [100%]
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root at tabu download]# service ipsec restart
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Stopping Openswan IPsec...
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32.11-99.fc12.i686...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: initiating Main Mode
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: received Vendor ID payload [Openswan (this version) 2.6.23 ]
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: received Vendor ID payload [Dead Peer Detection]
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: received Vendor ID payload [RFC 3947] method set to=109
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: enabling possible NAT-traversal with method 4
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: received Vendor ID payload [CAN-IKEv2]
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: Main mode peer ID is ID_FQDN: '@fuego.right'
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
May 31 23:18:31 tabu pluto[28091]: "right-left" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:f6b380b7 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
May 31 23:18:31 tabu pluto[28091]: "right-left" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 31 23:18:31 tabu pluto[28091]: "right-left" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6fc6da7c <0xd4481df0 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}