[Openswan Users] And now it looks like configuring a new hostkey is broken

Greg Scott GregScott at Infrasupport.com
Thu Feb 10 22:10:59 EST 2011


Yes - that worked!!  Thank you thank you thank you thank you!!!!!!!

- Greg

From: Curu Wong [mailto:prinbra at gmail.com] 
Sent: Thursday, February 10, 2011 8:16 PM
To: Greg Scott
Subject: Re: [Openswan Users] And now it looks like configuring a new hostkey is broken

This is a bug in the openswan-2.6.31 package on Fedora 14.
Edit /usr/libexec/ipsec/newhostkey at line 24 and change
    random=/dev/random
to
    random="--random /dev/random"

2011/2/11 Greg Scott <GregScott at infrasupport.com>

Frustrating.  Now I can't even create a new hostkey.  Forget about
importing an old hostkey.secrets - trying to bite the bullet and just
create a new one.   I wish some of this stuff would be documented and a
little more stable from release to release.  

Running Fedora 14 with the newest Red Hat Openswan 2.6.31 RPM.

First I create a new NSS database, like this:

certutil -N -d /etc/ipsec.d

Next, I try to set up a new hostkey.secrets file, like this:

ipsec newhostkey --configdir /etc/ipsec.d \
                --output /etc/ipsec.d/hostkey.secrets \
                --verbose \
                --hostname DRsite-fw

This **should** run for a long time generating what it needs.  It used
to.  But instead, it completes immediately and leaves me with an empty
hostkey.secrets file populated with nothing useful.  And here I sit.
Another day older and deeper in debt.  

What changed?  This all used to work.

In fact - I just tested it on another Fedora 14 system running 2.6.29
and it worked.  But this newer Fedora 14 system updated to 2.6.31 has
the problem.  Maybe I'll just go back to 2.6.29 on the problem system.
But is this something that will be broken forever or just a bug with
this release?

[root at DRsite-fw ipsec.d]# ls
DR-ipsec.conf  DR-updown.sh  policies
[root at DRsite-fw ipsec.d]# certutil -N -d /etc/ipsec.d
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root at DRsite-fw ipsec.d]# ls
cert8.db  DR-ipsec.conf  DR-updown.sh  key3.db  policies  secmod.db
[root at DRsite-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d \
> --output /etc/ipsec.d/hostkey.secrets \
> --verbose \
> --hostname DRsite-fw
[root at DRsite-fw ipsec.d]#
[root at DRsite-fw ipsec.d]# ls
cert8.db  DR-ipsec.conf  DR-updown.sh  hostkey.secrets  key3.db  policies  secmod.db
[root at DRsite-fw ipsec.d]#
[root at DRsite-fw ipsec.d]#
[root at DRsite-fw ipsec.d]# more hostkey.secrets
: RSA   {
Usage:  rsasigkey [--verbose] [--random device] [--configdir dir] [--password password] nbits
        }
# do not change the indenting of that "}"
[root at DRsite-fw ipsec.d]#
[root at DRsite-fw ipsec.d]#
[root at DRsite-fw ipsec.d]# certutil -L -d /etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

[root at DRsite-fw ipsec.d]#

- Greg Scott
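The defect and the fix discussed in this thread, as an added example that is not part of the thread and not Openswan's own newhostkey script. fake_rsasigkey is a stand-in whose option handling is assumed from the usage line quoted above (it parses arguments and prints placeholder output instead of generating a key); run_wrapper, fix_random_line and check_hostkey_secrets are names chosen here. The wrapper expands $random unquoted, so a bare "/dev/random" becomes a second positional argument next to nbits and rsasigkey prints its usage text, which the wrapper writes into the secrets file without checking the exit status. The "#pubkey=" marker the check looks for is the comment line rsasigkey puts in front of the public key.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Openswan project.
# Reproduces the argument-passing defect with a stand-in for rsasigkey,
# applies the fix, and checks a generated hostkey.secrets for the failure
# signature (usage text instead of key material).

# Stand-in for rsasigkey.  Its option list is taken from the usage line in
# the thread; the real binary generates the key, this one only parses
# arguments and prints constructed placeholder output.
fake_rsasigkey() {
    random_dev="/dev/random"
    nbits=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --verbose) shift ;;
            --random) random_dev="$2"; shift 2 ;;
            --configdir|--password) shift 2 ;;
            -*) nbits=""; break ;;                     # unknown option
            *)
                # rsasigkey takes exactly one positional argument, nbits
                if [ -n "$nbits" ]; then nbits=""; break; fi
                nbits="$1"; shift ;;
        esac
    done
    if [ -z "$nbits" ]; then
        echo "Usage:  rsasigkey [--verbose] [--random device] [--configdir dir] [--password password] nbits"
        return 1
    fi
    # constructed placeholder in the shape of rsasigkey's output
    printf '\t# RSA %s bits (random source: %s)\n' "$nbits" "$random_dev"
    printf '\t#pubkey=0sPLACEHOLDER\n'
    printf '\tModulus: 0xPLACEHOLDER\n'
}

# Mirrors how the newhostkey wrapper hands $random to rsasigkey: unquoted,
# so the value is word-split into separate arguments, and without checking
# rsasigkey's exit status.  $1 = value of "random", $2 = output file.
run_wrapper() {
    random="$1"
    {
        printf ': RSA\t{\n'
        fake_rsasigkey $random --configdir /etc/ipsec.d 2192 || true
        printf '\t}\n'
        echo '# do not change the indenting of that "}"'
    } > "$2"
}

# The fix from the thread, applied by content rather than by line number:
# the bare device path becomes the option plus its value.  $1 = script path.
fix_random_line() {
    sed 's|^random=/dev/random$|random="--random /dev/random"|' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Check worth running before installing any generated secrets file:
# usage text or a missing #pubkey= line means no key was produced.
check_hostkey_secrets() {
    if grep -q 'Usage:' "$1"; then
        echo "$1: contains rsasigkey usage text, key generation failed" >&2
        return 1
    fi
    if ! grep -q '#pubkey=' "$1"; then
        echo "$1: no #pubkey= line, no key material" >&2
        return 1
    fi
}

demo() {
    out=$(mktemp)
    run_wrapper '/dev/random' "$out"              # openswan-2.6.31 default
    check_hostkey_secrets "$out" && r1=ok || r1=fail
    run_wrapper '--random /dev/random' "$out"     # value after the fix
    check_hostkey_secrets "$out" && r2=ok || r2=fail
    rm -f "$out"
    echo "bare value: $r1, fixed value: $r2"
}

demo
```

Running the script prints the failing and the working case side by side; the same check_hostkey_secrets function can be pointed at a real /etc/ipsec.d/hostkey.secrets to confirm a key was actually written before restarting ipsec.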


_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
