[Openswan Users] How do I import an existing *.secrets file into an NSS database?
GregScott at Infrasupport.com
Thu Feb 10 11:56:10 EST 2011
This is making me nuts! I studied the script Mike Warfield put together and I've gone over and over and over README.nss. And I'm totally lost. It looks like Mike's script manipulates PKI stuff. And tinkering with the pk12util program that README.nss mentions, it looks like it wants a file formatted a certain way and ipsec.secrets doesn't work. So it's not like I can just issue some commands and import ipsec.secrets into an NSS database. The process is evidently more complex. Or non-existent.
In the pre NSS days, I could do this:
ipsec newhostkey with a bunch of parameters. This would generate a clear text ASCII file with default name /etc/ipsec.secrets. Since I'm using a Red Hat Fedora distro, I would append -output /etc/ipsec.d/ipsec.secrets and voila - I would have a file with what I needed in a directory that gets along with the Fedora distro. Wonderful. And portable - if a box breaks or to upgrade to a new version, I could quickly build up a new one, copy ipsec.secrets and other files where they belong, and get back up and running.
But now we have this NSS database and somehow, the world is different. Quoting from README.nss:
> Public key information in ipsec.secrets is stored in the same way as before.
> However, all the fields of the Private key information contain just a similar
> ID. This ID is called CKA ID, which is used to locate private keys inside NSS
> database during the IKE negotiation.
OK - so this seems to mean that the new ipsec.secrets is different from the old ipsec.secrets. The new ipsec.secrets has an ID that points to a private key inside an NSS database. And the Fedora flavor of Openswan expects the NSS database to be in /etc/ipsec.d. OK, I can live with that.
But I have an old ipsec.secrets file on an old Fedora box. I don't have any certificates or certificate authorities or PKI infrastructure that I know of. Just a bunch of ipsec.secrets files on each node. Each node knows its own private key and the private key of its partner. I want to replace this old box with a new box using the new version of ipsec and preserve the information in the old ipsec.secrets.
Understanding the risks of doing it this way with PSKs - if one box is compromised, the bad guys have all the keys to the whole VPN infrastructure - there's gotta be some way to use the old ipsec.secrets to create a new ipsec.secrets and NSS database. And near as I can tell, README.nss is completely silent on this. Or else it's staring me in the face and I don't get it.
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Greg Scott
Sent: Wednesday, February 09, 2011 4:39 PM
To: users at openswan.org
Subject: [Openswan Users] How do I import an existing *.secrets file into an NSS database?
This should be easy but I sure haven't figured out how to do it - I have a tunnel with an existing config, about 3 or so years old, that I want to upgrade to the newest version. This site uses a hostkey.secrets file with its own private key. The tunnels use pre-shared keys - no certificates - and this branch site is old enough that it predates all the NSS stuff. But now I need to upgrade it and I would prefer to keep using the private key I already have in place.
So now we have this NSS database that's supposed to hold all the crypto stuff and the latest versions of IPSEC look there instead of the raw files we used to use.
I know how to build a new, empty NSS database and put it in /etc/ipsec.d like this:
certutil -N -d /etc/ipsec.d
I know how to generate a new private key and populate my new NSS database:
ipsec newhostkey --configdir /etc/ipsec.d \
--output /etc/ipsec.d/hostkey.secrets \
But what if I already have a private key named hostkey.secrets and I want to keep using it? How do I import an existing hostkey.secrets file into an NSS database?
- Greg Scott
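An added example, not part of this thread and not Openswan's own code, of the check worth running on an old secrets file before attempting any migration: it parses the raw RSA block of a pre-NSS ipsec.secrets, verifies that the fields really form one consistent RSA key, and recognises the NSS-era layout the README.nss excerpt describes, where every private field carries the same CKA ID instead of key material. The field names follow Openswan's raw RSA layout (assumed here); the key values are constructed toy numbers, not real keys.

```python
import math
import re
# Field names of an Openswan raw RSA entry in ipsec.secrets (assumed layout).
PUBLIC = ("Modulus", "PublicExponent")
PRIVATE = ("PrivateExponent", "Prime1", "Prime2", "Exponent1", "Exponent2", "Coefficient")

# Constructed toy key (textbook primes 61 and 53, NOT real key material).
OLD_SECRETS = """: RSA {
    # comment lines like this one are skipped by the parser
    Modulus: 0x0ca1
    PublicExponent: 0x11
    PrivateExponent: 0x0ac1
    Prime1: 0x3d
    Prime2: 0x35
    Exponent1: 0x35
    Exponent2: 0x31
    Coefficient: 0x26
    }
"""
# Same layout, but every private field holds one identical CKA ID placeholder.
NSS_SECRETS = OLD_SECRETS
for f in PRIVATE:
    NSS_SECRETS = re.sub(r"%s: 0x[0-9a-f]+" % f, "%s: 0x1234abcd" % f, NSS_SECRETS)

def parse_rsa_secret(text):
    """Return {field: int} for the ': RSA { ... }' block; '#' comments are skipped."""
    key = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*0x([0-9a-fA-F]+)\s*$", line.split("#", 1)[0])
        if m and m.group(1) in PUBLIC + PRIVATE:
            key[m.group(1)] = int(m.group(2), 16)
    missing = [f for f in PUBLIC + PRIVATE if f not in key]
    if missing:
        raise ValueError("ipsec.secrets entry lacks: " + ", ".join(missing))
    return key

def classify(key):
    """'raw' if the private fields form a consistent RSA key, 'nss-ckaid' if they are
    all one identical value (the CKA ID stand-in README.nss describes), else 'bad'."""
    n, e, d = key["Modulus"], key["PublicExponent"], key["PrivateExponent"]
    p, q, u = key["Prime1"], key["Prime2"], key["Coefficient"]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # Carmichael lambda(n)
    consistent = (p * q == n and (e * d) % lam == 1 and (u * q) % p == 1
                  and key["Exponent1"] == d % (p - 1)
                  and key["Exponent2"] == d % (q - 1))
    if consistent:
        return "raw"
    if len({key[f] for f in PRIVATE}) == 1:
        return "nss-ckaid"
    return "bad"
```

An entry that classifies as 'raw' still has to be re-encoded into a container pk12util accepts before it can go into the database; an 'nss-ckaid' entry holds no private key at all, only a pointer into an existing database, so there is nothing in it to import.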