[Openswan Users] And now it looks like configuring a new hostkey is broken
Greg Scott
GregScott at Infrasupport.com
Thu Feb 10 22:10:59 EST 2011
Yes - that worked!! Thank you thank you thank you thank you!!!!!!!
- Greg
From: Curu Wong [mailto:prinbra at gmail.com]
Sent: Thursday, February 10, 2011 8:16 PM
To: Greg Scott
Subject: Re: [Openswan Users] And now it looks like configuring a new
hostkey is broken
This is a bug in the openswan-2.6.31 package on fedora 14.
Edit /usr/libexec/ipsec/newhostkey
at line 24
change
random=/dev/random
to
random="--random /dev/random"
2011/2/11 Greg Scott <GregScott at infrasupport.com>
Frustrating. Now I can't even create a new hostkey. Forget about
importing an old hostkey.secrets - trying to bite the bullet and just
create a new one. I wish some of this stuff would be documented and a
little more stable from release to release.
Running Fedora 14 with the newest Red Hat Openswan 2.6.31 RPM.
First I create a new NSS database, like this:
certutil -N -d /etc/ipsec.d
Next, I try to setup a new hostkey.secrets file, like this:
ipsec newhostkey --configdir /etc/ipsec.d \
--output /etc/ipsec.d/hostkey.secrets \
--verbose \
--hostname DRsite-fw
This **should** run for a long time generating what it needs. It used
to. But instead, it completes immediately and leaves me with an empty
hostkey.secrets file populated with nothing useful. And here I sit.
Another day older and deeper in debt.
What changed? This all used to work.
In fact - I just tested it on another Fedora 14 system running 2.6.29
and it worked. But this newer Fedora 14 system updated to 2.6.31 has
the problem. Maybe I'll just go back to 2.6.29 on the problem system.
But is this something that will be broken forever or just a bug with
this release?
[root at DRsite-fw ipsec.d]# ls
DR-ipsec.conf DR-updown.sh policies
[root at DRsite-fw ipsec.d]# certutil -N -d /etc/ipsec.d
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
[root at DRsite-fw ipsec.d]# ls
cert8.db DR-ipsec.conf DR-updown.sh key3.db policies secmod.db
[root at DRsite-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d \
> --output /etc/ipsec.d/hostkey.secrets \
> --verbose \
> --hostname DRsite-fw
[root at DRsite-fw ipsec.d]#
[root at DRsite-fw ipsec.d]# ls
cert8.db DR-ipsec.conf DR-updown.sh hostkey.secrets key3.db
policies secmod.db
[root at DRsite-fw ipsec.d]#
[root at DRsite-fw ipsec.d]#
[root at DRsite-fw ipsec.d]# more hostkey.secrets
: RSA {
Usage: rsasigkey [--verbose] [--random device] [--configdir dir]
[--password password] nbits
}
# do not change the indenting of that "}"
[root at DRsite-fw ipsec.d]#
[root at DRsite-fw ipsec.d]#
[root at DRsite-fw ipsec.d]# certutil -L -d /etc/ipsec.d
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
[root at DRsite-fw ipsec.d]#
- Greg Scott
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110210/e0682c66/attachment.html
More information about the Users
mailing list