[Openswan Users] ipsec newhostkey --configdir broken ???

Greg Scott GregScott at Infrasupport.com
Wed Jan 19 17:20:13 EST 2011

I ended up working around the problem by installing a Fedora RPM.  That system is running Fedora 12, and Red Hat has a 2.6.29-1 RPM for Fedora 12.  So that's what I ended up with.  But first, I removed 2.6.32 and installed 2.6.31 from source.  ipsec newhostkey with the --configdir switch did not fail with 2.6.31, but it also finished immediately and didn't generate anything.  So I removed 2.6.31 and installed the Fedora RPM and all worked as expected.
Go figure.  
This was how I built from source:
cp openswan-2.6.32.tar.gz /usr/local/src
cd /usr/local/src
tar zxvf openswan-2.6.32.tar.gz
cd openswan-2.6.32
make USE_LIBNSS=true programs install

I have a hunch when I built from source, I didn't get in whatever I needed for that NSS database and that was the root of my troubles.  
Is there any documentation for how to use this new NSS database?  I still don't know how to import and export keys to/from hostkey.secrets and this complicates firewall replacements and made my life more stressful today.  
- Greg Scott


From: users-bounces at openswan.org on behalf of Greg Scott
Sent: Wed 1/19/2011 2:37 PM
To: users at openswan.org
Subject: [Openswan Users] ipsec newhostkey --configdir broken ???

I'm in a world of hurt.  I am trying to set up openswan 2.6.32 on a live system that died.  This is an install from source.  I build a new empty nss database in /etc/ipsec.d like this:

certutil -N -d /etc/ipsec.d

and then try to generate a new hostkey, like this:

ipsec newhostkey --configdir /etc/ipsec.d \
 --output /etc/ipsec.d/hostkey.secrets \
 --verbose \
 --hostname xxx-fw

This fails with:

/usr/local/libexec/ipsec/rsasigkey: unrecognized option '--configdir'

So I do ipsec newhostkey without any --configdir parameter.  This runs to completion and generates a good hostkey.secrets file.  But I have a hunch it never populates any of the .db files in any nss database.

Later on when I start everything up, I see this in /var/log/secure:

Jan 19 13:37:00 localhost pluto[13939]: "colo-hqmirror" #2: unable to locate my private key for RSA Signatur

And I'll bet that's because it's trying to read the key from that nss database, which doesn't get populated because that --configdir parameter seems to be broken.  This worked for at least 18 months and several installations with different versions.  But now it breaks with 2.6.32.  Or what am I doing wrong?


- Greg Scott
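The two posts above describe two distinct ways this setup can go wrong: an rsasigkey binary that rejects --configdir (so the key never goes into NSS), and an NSS database in /etc/ipsec.d that is initialised but never receives a key (so pluto cannot find its RSA private key). The following diagnostic is an added example, not code from the thread or from Openswan; it assumes a glibc getopt_long "unrecognized option" message from rsasigkey, the NSS database file names certutil -N creates, and the "< n> rsa" lines that certutil -K prints for each private key. Run it as, for example, diagnose /usr/local/libexec/ipsec/rsasigkey /etc/ipsec.d.

```shell
#!/bin/sh
# Added diagnostic (not part of the thread or of Openswan): tells apart
# "rsasigkey built without NSS support" from "NSS database not initialised"
# from "NSS database initialised but holds no private key".

# 0 if TOOL accepts --configdir, 1 if not.  TOOL is run with a bare
# --configdir and no value, so nothing is generated either way; relies on
# glibc getopt_long printing "unrecognized option" for unknown switches.
tool_supports_configdir() {
    [ -x "$1" ] || return 1
    if "$1" --configdir 2>&1 | grep -q 'unrecognized option'; then
        return 1
    fi
    return 0
}

# 0 if DIR holds an initialised NSS database, i.e. what "certutil -N -d DIR"
# creates: legacy cert8.db+key3.db or the newer sqlite cert9.db+key4.db.
nss_db_initialized() {
    [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ] && return 0
    [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ] && return 0
    return 1
}

# 0 if certutil lists at least one private key in DIR, 1 if none,
# 2 if certutil (nss-tools) is not installed.
nss_db_has_key() {
    command -v certutil >/dev/null 2>&1 || return 2
    certutil -K -d "$1" 2>/dev/null | grep -q '^<[[:space:]]*[0-9][0-9]*>'
}

# Prints a one-line verdict; exits 0 only when a key is really in the database.
diagnose() {
    tool="$1"; dir="$2"
    tool_supports_configdir "$tool" ||
        { echo "NO_CONFIGDIR: $tool rejects --configdir (built without NSS?)"; return 1; }
    nss_db_initialized "$dir" ||
        { echo "NO_DB: run certutil -N -d $dir before ipsec newhostkey"; return 1; }
    rc=0; nss_db_has_key "$dir" || rc=$?
    case $rc in
        0) echo "OK: private key present in $dir"; return 0 ;;
        2) echo "NO_CERTUTIL: install nss-tools to inspect $dir"; return 1 ;;
        *) echo "NO_KEY: $dir is initialised but empty; pluto will not find its RSA key"; return 1 ;;
    esac
}
```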
