[Openswan Users] Openswan on fc14 with nss and net-to-net

Alex mysqlstudent at gmail.com
Sat Jan 29 22:43:04 EST 2011


> KLIPS and netkey (and mast) are transports.  They better all be
> compatible or they are not compliant with the IPsec standard.  This is
> in the keying exchange, IAC.

Ah, that's really good to know.

>> > Assuming you are NOT using PSK...  If you are, do NOT post ANY from your
>> > secrets files!
>> No, no PSK here.
> Really?

If there are, then I understand less about this than I thought,
because I thought that's why I'm using keys.

> Ah...  Crap.  That's exactly the sort of thing I did not want you to
> post.  That's your private key.  Looks like you are using raw RSA keys.
> You might want to change that now.  :-P  Sorry.  Guess I should have
> been clearer.

Heh, it's okay. I thought the key part was the leftrsasigkey=... part,
but it's okay because I was pretty sure this would all be changing
again anyway.

>> It looks like the keys on the local and remote side are the same
>> here?!
> Er?  Each side should have their own keys.  You only trade public keys.

Yes, I just didn't realize they were different until I ran the
commands you provided. I'll definitely now work on starting over.

> Ok, seriously, are you really using the sample "*.example.com" certs or
> are you just obfuscating things for posting here?

Yes, just obfuscating. I thought there was a chance that would have
been misunderstood and that I should have clarified.

Do you know where I can find instructions on how to start with
generating the CA, then the host keys, etc, in a way that's intended
for my configuration?


More information about the Users mailing list