[Openswan Users] And now it looks like configuring a new hostkey is broken

Greg Scott GregScott at Infrasupport.com
Thu Feb 10 15:39:34 EST 2011 

Frustrating.  Now I can't even create a new hostkey.  Forget about
importing an old hostkey.secrets - trying to bite the bullet and just
create a new one.   I wish some of this stuff would be documented and a
little more stable from release to release.  

 

Running Fedora 14 with the newest Red Hat Openswan 2.6.31 RPM.

 

First I create a new NSS database, like this:

 

certutil -N -d /etc/ipsec.d

 

Next, I try to setup a new hostkey.secrets file, like this:

 

ipsec newhostkey --configdir /etc/ipsec.d \

                --output /etc/ipsec.d/hostkey.secrets \

                --verbose \

                --hostname DRsite-fw

 

This **should** run for a long time generating what it needs.  It used
to.  But instead, it completes immediately and leaves me with an empty
hostkey.secrets file populated with nothing useful.  And here I sit.
Another day older and deeper in debt.  

 

What changed?  This all used to work.

 

In fact - I just tested it on another Fedora 14 system running 2.6.29
and it worked.  But this newer Fedora 14 system updated to 2.6.31 has
the problem.  Maybe I'll just go back to 2.6.29 on the problem system.
But is this something that will be broken forever or just a bug with
this release?

 

 

[root at DRsite-fw ipsec.d]# ls

DR-ipsec.conf  DR-updown.sh  policies

[root at DRsite-fw ipsec.d]# certutil -N -d /etc/ipsec.d

Enter a password which will be used to encrypt your keys.

The password should be at least 8 characters long,

and should contain at least one non-alphabetic character.

 

Enter new password:

Re-enter password:

[root at DRsite-fw ipsec.d]# ls

cert8.db  DR-ipsec.conf  DR-updown.sh  key3.db  policies  secmod.db

[root at DRsite-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d \

> --output /etc/ipsec.d/hostkey.secrets \

> --verbose \

> --hostname DRsite-fw

[root at DRsite-fw ipsec.d]#

[root at DRsite-fw ipsec.d]# ls

cert8.db  DR-ipsec.conf  DR-updown.sh  hostkey.secrets  key3.db
policies  secmod.db

[root at DRsite-fw ipsec.d]#

[root at DRsite-fw ipsec.d]#

[root at DRsite-fw ipsec.d]# more hostkey.secrets

: RSA   {

Usage:  rsasigkey [--verbose] [--random device] [--configdir dir]
[--password password] nbits

        }

# do not change the indenting of that "}"

[root at DRsite-fw ipsec.d]#

[root at DRsite-fw ipsec.d]#

[root at DRsite-fw ipsec.d]# certutil -L -d /etc/ipsec.d

 

Certificate Nickname                                         Trust
Attributes

 
SSL,S/MIME,JAR/XPI

 

[root at DRsite-fw ipsec.d]#

 

-          Greg Scott

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110210/a59636c1/attachment-0001.html

More information about the Users mailing list