[Openswan Users] Fedora 12 - Can't find the private key from the NSS CERT (err -12285)

Saso Tavcar fast at ais42.net
Mon May 31 17:30:57 EDT 2010


I've updated to the latest version of openswan-2.6.25-1.fc12 on Fedora 12

[root@tabu ~]# rpm -qa |grep swan
openswan-2.6.25-1.fc12.i686
openswan-doc-2.6.25-1.fc12.i686

And the connection does not establish any more:

May 31 23:17:03 tabu pluto[2998]: "right-left" #1280: starting keying attempt 651 of an unlimited number
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: initiating Main Mode to replace #1280
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: ignoring unknown Vendor ID payload [4f456d406b6753464548407f]
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: received Vendor ID payload [Dead Peer Detection]
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: received Vendor ID payload [RFC 3947] method set to=109
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: enabling possible NAT-traversal with method 4
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: STATE_MAIN_I2: sent MI2, expecting MR2
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: Can't find the private key from the NSS CERT (err -12285)
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: STATE_MAIN_I3: sent MI3, expecting MR3
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: received and ignored informational message
May 31 23:17:13 tabu pluto[2998]: "right-left" #1281: discarding duplicate packet; already STATE_MAIN_I3
May 31 23:17:13 tabu pluto[2998]: "right-left" #1281: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
May 31 23:17:13 tabu pluto[2998]: "right-left" #1281: received and ignored informational message


When I downgrade to openswan-2.6.23-1.fc12, everything works:

[root@tabu ~]# rpm -Uvh --force openswan-2.6.23-1.fc12.i686.rpm
Preparing...                ########################################### [100%]
   1:openswan               ########################################### [100%]
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled


[root@tabu download]# service ipsec restart
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Stopping Openswan IPsec...
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32.11-99.fc12.i686...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled


May 31 23:18:31 tabu pluto[28091]: "right-left" #1: initiating Main Mode
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: received Vendor ID payload [Openswan (this version) 2.6.23 ]
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: received Vendor ID payload [Dead Peer Detection]
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: received Vendor ID payload [RFC 3947] method set to=109
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: enabling possible NAT-traversal with method 4
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: received Vendor ID payload [CAN-IKEv2]
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: Main mode peer ID is ID_FQDN: '@fuego.right'
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
May 31 23:18:31 tabu pluto[28091]: "right-left" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:f6b380b7 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
May 31 23:18:31 tabu pluto[28091]: "right-left" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 31 23:18:31 tabu pluto[28091]: "right-left" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6fc6da7c <0xd4481df0 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
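
A triage sketch for pluto logs like the two above, added here as an example and not part of the original post: it groups records by pluto process and SA number, tracks the last state reached, and flags attempts that logged a key error and never established an SA. The sample records are abridged from the post and unwrapped to one per line, as syslog writes them; the function names are illustrative.

```python
import re

# One pluto syslog record: ... pluto[PID]: "CONN" #SA: MESSAGE
RECORD = re.compile(r'pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
TRANSITION = re.compile(r"transition from state (\S+) to state (\S+)")
# Key-related messages, copied from the failing log in the post
ERROR_MARKERS = ("Can't find the private key", "INVALID_KEY_INFORMATION")

# Sample input: records abridged from the post, unwrapped to one per line
SAMPLE = """\
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: Can't find the private key from the NSS CERT (err -12285)
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 31 23:17:03 tabu pluto[2998]: "right-left" #1281: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 31 23:18:31 tabu pluto[28091]: "right-left" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
"""


def triage(text):
    """Return {(pid, conn, sa): {'state', 'established', 'errors'}} for each SA seen."""
    sas = {}
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # not a per-connection pluto record
        key = (int(m["pid"]), m["conn"], int(m["sa"]))
        sa = sas.setdefault(key, {"state": None, "established": False, "errors": []})
        msg = m["msg"]
        t = TRANSITION.search(msg)
        if t:
            sa["state"] = t.group(2)  # last state reached
        if "SA established" in msg:
            sa["established"] = True
        for marker in ERROR_MARKERS:
            if marker in msg and marker not in sa["errors"]:
                sa["errors"].append(marker)
    return sas


def stalled(sas):
    """SAs that logged a key error and never reached an established SA."""
    return sorted(k for k, v in sas.items() if v["errors"] and not v["established"])


if __name__ == "__main__":
    result = triage(SAMPLE)
    for key in stalled(result):
        print(key, result[key])
```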




