[Openswan Users] Openswan on fc14 with nss and net-to-net

Alex mysqlstudent at gmail.com
Sat Jan 29 17:05:29 EST 2011


Hi,

I'm trying to convert my existing net-to-net config from freeswan to
openswan on fc14 and having trouble with the whole NSS db problem.
I've read Michael Warfield's comments about the cert names and
importing the private keys, as well as Marek Greško's steps to import
the keys and the README.css file about creating the NSS database, but
it's still not working for me.

Among the error messages I currently receive when trying to start ipsec are:

  - unable to locate my private key for RSA Signature
  - STATE_MAIN_I2: sent MI2, expecting MR2
  - sending notification AUTHENTICATION_FAILED

Since I wasn't subscribed to the list when Michael posted his
conversion script and only read it online, I had to just interpret
what he was saying instead of seeing it. I'm not even sure that's my
problem, actually. I think I'm very confused with the differences
between the host cert and the CA cert, and when either should be used.

Does this seem to indicate that it can't find the private key still?

# ipsec whack --listall

000 List of Public Keys:
000
000 Jan 29 16:53:29 2011, 1024 RSA Key AwEAAa92z (no private key), until Dec 31 21:10:25 2017 ok
000        ID_DER_ASN1_DN 'C=US, ST=XX, L=City, O=Company Inc, CN=remote.example.com'
000        Issuer 'C=US, ST=XX, L=City, O=Company Inc, OU=GDXO, CN=GO Authority'
000 Jan 29 16:53:29 2011, 1024 RSA Key AwEAAcmxw (no private key), until Dec 31 21:08:29 2017 ok
000        ID_DER_ASN1_DN 'C=US, ST=XX, L=City, O=Company Inc, CN=orion.example.com'
000        Issuer 'C=US, ST=XX, L=City, O=Company Inc, OU=GO, CN=GO Authority'

Is there some complete document that describes how to basically start
from scratch on my openswan side and would clarify the NSS
integration?

Is there a way to print out everything that's in the NSS database, and
even confirm it's using (consulting) the NSS database in the first
place?

Thanks,
Alex

