[Openswan Users] Openswan on fc14 with nss and net-to-net

Michael H. Warfield mhw at WittsEnd.com
Sat Jan 29 22:48:55 EST 2011

On Sat, 2011-01-29 at 22:43 -0500, Alex wrote: 
> Hi,
> > KLIPS and netkey (and mast) are transports.  They better all be
> > compatible or they are not compliant with the IPsec standard.  This is
> > in the keying exchange, IAC.
> Ah, that's really good to know.
> >> > Assuming you are NOT using PSK...  If you are, do NOT post ANY from your
> >> > secrets files!
> >
> >> No, no PSK here.
> >
> > Really?
> If there are, then I understand less about this than I thought,
> because I thought that's why I'm using keys.
> > Ah...  Crap.  That's exactly the sort of thing I did not want you to
> > post.  That's your private key.  Looks like you are using raw RSA keys.
> > You might want to change that now.  :-P  Sorry.  Guess I should have
> > been clearer.
> Heh, it's okay. I thought the key part was the leftrsasigkey=... part,
> but it's okay because I was pretty sure this would all be changing
> again anyway.
> >> It looks like the keys on the local and remote side are the same
> >> here?!
> >
> > Er?  Each side should have their own keys.  You only trade public keys.
> Yes, I just didn't realize they were different until I ran the
> commands you provided. I'll definitely now work on starting over.
> > Ok, seriously, are you really using the sample "*.example.com" certs or
> > are you just obfuscating things for posting here?

> Yes, just obfuscating. I thought there was a chance that would have
> been misunderstood and that I should have clarified.

> Do you know where I can find instructions on how to start with
> generating the CA, then the host keys, etc, in a way that's intended
> for my configuration?

I think what you will find in README.nss will cover just about what you
need in this case.  It has instructions on creating a CA and copying
that between machines and generating the individual host keys and certs.

> Thanks,
> Alex

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!