[Openswan Users] Openswan on fc14 with nss and net-to-net

Michael H. Warfield mhw at WittsEnd.com
Sat Jan 29 20:03:28 EST 2011


Greetings...

On Sat, 2011-01-29 at 17:05 -0500, Alex wrote: 
> Hi,

> I'm trying to convert my existing net-to-net config from freeswan to
> openswan on fc14 and having trouble with the whole NSS db problem.
> I've read Michael Warfield's comments about the cert names and
> importing the private keys, as well as Marek Greško's steps to import
> the keys and the README.nss file about creating the NSS database, but
> it's still not working for me.

> Among the error messages I currently receive when trying to start ipsec are:
> 
>   - unable to locate my private key for RSA Signature

Ok...  That's your first problem from which all else radiates.  We get
nowhere till that's solved.

Assuming you are NOT using PSK...  If you are, do NOT post ANY from your
secrets files!

Take it simple...  Post the following.

Output from:

certutil -L -d /etc/ipsec.d

Configuration values for your secrets (not the secrets themselves!).
(/etc/ipsec.secret /etc/ipsec.d/*.secrets)

Values for leftcert and rightcert for the connection.

>   - STATE_MAIN_I2: sent MI2, expecting MR2
>   - sending notification AUTHENTICATION_FAILED

> Since I wasn't subscribed to the list when Michael posted his
> conversion script and only read it online, I had to just interpret
> what he was saying instead of seeing it. I'm not even sure that's my
> problem, actually. I think I'm very confused with the differences
> between the host cert and the CA cert, and when either should be used.
> 
> Does this seem to indicate that it can't find the private key still?
> 
> # ipsec whack --listall
> 
> 000 List of Public Keys:
> 000
> 000 Jan 29 16:53:29 2011, 1024 RSA Key AwEAAa92z (no private key),
> until Dec 31 21:10:25 2017 ok
> 000        ID_DER_ASN1_DN 'C=US, ST=XX, L=City, O=Company Inc,
> CN=remote.example.com'
> 000        Issuer 'C=US, ST=XX, L=City, O=Company Inc, OU=GDXO, CN=GO Authority'
> 000 Jan 29 16:53:29 2011, 1024 RSA Key AwEAAcmxw (no private key),
> until Dec 31 21:08:29 2017 ok
> 000        ID_DER_ASN1_DN 'C=US, ST=XX, L=City, O=Company Inc,
> CN=orion.example.com'
> 000        Issuer 'C=US, ST=XX, L=City, O=Company Inc, OU=GO, CN=GO Authority'
> 
> Is there some complete document that describes how to basically start
> from scratch on my openswan side and would clarify the NSS
> integration?
> 
> Is there a way to print out everything that's in the NSS database, and
> even confirm it's using (consulting) the NSS database in the first
> place?

To print the cert nicknames in the NSS database you use...

certutil -L -d {path to database}

To list an individual certificate...

certutil -L -n {nickname} -d {path to database}

Lots and lots of good doco on the NSS utilities is here:

http://www.mozilla.org/projects/security/pki/nss/tools/

> Thanks,
> Alex

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
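The two certutil invocations Mike gives above list the database, but they do not by themselves tell you whether the certificate named in leftcert is one Pluto can sign with, which is exactly what "unable to locate my private key for RSA Signature" is about. The script below is an added example, not part of this thread or of Openswan's own tooling. It parses a `certutil -L -d /etc/ipsec.d` listing and checks that a given nickname is present and carries the `u` trust flag in the SSL column, the marker certutil shows for a user certificate whose private key lives in the same database. The listing embedded in the script is a constructed sample (nicknames borrowed from Alex's `ipsec whack --listall` output, trust flags made up for illustration); `check_leftcert` runs the same check against a real database and needs certutil from nss-tools.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d /etc/ipsec.d` output: one CA cert,
# one host cert imported with its private key (u,u,u), and one peer cert
# that was imported without a key (,,). Assumption for illustration only.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GO Authority                                                 CT,,
orion.example.com                                            u,u,u
remote.example.com                                           ,,
'

# nss_cert_flags LISTING NICKNAME
# Print the trust-attribute column for NICKNAME, or nothing if it is absent.
# Nicknames may contain spaces, so the flags are taken as the last
# whitespace-separated field and the nickname is everything before it.
nss_cert_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 2 {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the flags column
            sub(/^[ \t]+/, "", name)                # drop leading indent
            if (name == want) { print flags; exit }
        }'
}

# nss_has_private_key LISTING NICKNAME
# Succeed only if the SSL trust column (first comma-separated field) has "u",
# i.e. the cert is a user cert with its private key in this database.
nss_has_private_key() {
    flags=$(nss_cert_flags "$1" "$2")
    case "${flags%%,*}" in
        *u*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_leftcert DBDIR NICKNAME
# Run the check against a live NSS database (needs certutil installed).
check_leftcert() {
    listing=$(certutil -L -d "$1") || return 2
    if nss_has_private_key "$listing" "$2"; then
        echo "ok: '$2' is in $1 with its private key"
    else
        echo "problem: '$2' is missing from $1 or has no private key there;"
        echo "         Pluto will report 'unable to locate my private key'"
        return 1
    fi
}

# Example against a real system, with the nickname used in leftcert=:
#   check_leftcert /etc/ipsec.d orion.example.com
```

Run it with the nickname you put in leftcert for the connection; if the cert is listed but the SSL column shows ",," instead of "u,u,u", the certificate got imported on its own and the PKCS#12 import of the key is what is missing.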