[Openswan Users] Troubleshooting pluto crash - NSS related

Kevin Keane subscription at kkeane.com
Thu Jul 21 05:41:32 EDT 2011


I'm trying to get openswan to establish an IPSec connection to my Sonicwall firewall. It works fine with a shared secret, but I can't get openswan to work with certificates. I'm using CentOS 5.6, with openswan 2.6.21-5.el5_6.4

This version of Openswan uses NSS for certificate management. Unfortunately, as soon as I add my client certificate to the NSS database, pluto crashes with an error "NSS: slot for DH key gen is NULL" when the peer first tries to connect.

This seems to be strictly related to the certificate database, not to the actual connection configuration. It happens even if I leave my tunnel configured for shared secret. I can resolve the problem simply by deleting the three certificate DB files and restarting openswan; a new, empty, certificate database does not trigger this problem.

Any ideas how to solve this would be appreciated!

Here is an excerpt from /var/log/secure:

Jul 21 06:18:12 mymachine pluto[10933]: loading secrets from "/etc/ipsec.secrets"
Jul 21 06:18:12 mymachine pluto[10933]: loading secrets from "/etc/ipsec.d/homeoffice.secrets"
Jul 21 06:19:07 mymachine pluto[10933]: packet from remoteip:500: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
Jul 21 06:19:07 mymachine pluto[10933]: packet from remoteip:500: ignoring unknown Vendor ID payload [<S/N>]
Jul 21 06:19:07 mymachine pluto[10933]: packet from remoteip:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jul 21 06:19:07 mymachine pluto[10933]: packet from remoteip:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Jul 21 06:19:07 mymachine pluto[10933]: packet from remoteip:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jul 21 06:19:07 mymachine pluto[10933]: packet from remoteip:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 21 06:19:07 mymachine pluto[10933]: packet from remoteip:500: ignoring Vendor ID payload [Sonicwall 2 (3.1.0.12-86s?)]
Jul 21 06:19:07 mymachine pluto[10933]: packet from remoteip:500: received Vendor ID payload [Dead Peer Detection]
Jul 21 06:19:07 mymachine pluto[10933]: packet from remoteip:500: received Vendor ID payload [XAUTH]
Jul 21 06:19:07 mymachine pluto[10933]: "homeoffice" #1: Aggressive mode peer ID is ID_FQDN: '@remoteFQDN'
Jul 21 06:19:07 mymachine pluto[10933]: "homeoffice" #1: responding to Aggressive Mode, state #1, connection "homeoffice" from remoteip
Jul 21 06:19:08 mymachine pluto[10933]: packet from remoteip:500: NSS: slot for DH key gen is NULL
Jul 21 06:19:19 mymachine ipsec__plutorun: Restarting Pluto subsystem...

Kevin Keane
The NetTech
http://www.4nettech.com
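Added example, not part of the post above and not Openswan project code: a small Python checker that runs over log lines in the format of the excerpt and reports each "NSS: slot for DH key gen is NULL" event together with the connection and peer whose negotiation preceded it, and whether ipsec__plutorun restarted pluto afterwards. Repeated error-plus-restart pairs are what a crash loop looks like in /var/log/secure, and a peer that can trigger a daemon restart on every connection attempt is worth catching early. The sample log, host name, PIDs and the "remoteip" placeholder are constructed for the example; nothing here assumes the NSS database file names or the real log contents.

```python
import re
from collections import namedtuple

# Constructed sample log, modelled on the excerpt in the post.  Two
# consecutive negotiations from the same peer each end in the NSS error
# followed by a plutorun restart (second pluto PID is made up).
SAMPLE_LOG = """\
Jul 21 06:18:12 mymachine pluto[10933]: loading secrets from "/etc/ipsec.secrets"
Jul 21 06:19:07 mymachine pluto[10933]: packet from remoteip:500: received Vendor ID payload [XAUTH]
Jul 21 06:19:07 mymachine pluto[10933]: "homeoffice" #1: responding to Aggressive Mode, state #1, connection "homeoffice" from remoteip
Jul 21 06:19:08 mymachine pluto[10933]: packet from remoteip:500: NSS: slot for DH key gen is NULL
Jul 21 06:19:19 mymachine ipsec__plutorun: Restarting Pluto subsystem...
Jul 21 06:19:20 mymachine pluto[10951]: loading secrets from "/etc/ipsec.secrets"
Jul 21 06:20:30 mymachine pluto[10951]: "homeoffice" #1: responding to Aggressive Mode, state #1, connection "homeoffice" from remoteip
Jul 21 06:20:31 mymachine pluto[10951]: packet from remoteip:500: NSS: slot for DH key gen is NULL
Jul 21 06:20:42 mymachine ipsec__plutorun: Restarting Pluto subsystem...
"""

NSS_ERROR = "NSS: slot for DH key gen is NULL"

# syslog prefix: "Mon DD HH:MM:SS host prog[pid]: msg" (pid is optional,
# ipsec__plutorun logs without one)
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)
# pluto's "responding to ... Mode" line names the connection and the peer
RESPOND_RE = re.compile(
    r'responding to (?:Aggressive|Main) Mode, state #\d+, '
    r'connection "(?P<conn>[^"]+)" from (?P<peer>\S+)'
)
PEER_RE = re.compile(r'^packet from (?P<peer>[^:]+):\d+:')

Incident = namedtuple("Incident", "pid connection peer error_time restarted")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_nss_crash_loops(log_text):
    """Return one Incident per NSS DH-slot error, in log order.

    The connection/peer is taken from the most recent 'responding to ... Mode'
    line logged by the same pluto PID; if none was seen, the peer is read from
    the error line's own 'packet from' prefix.  A following
    'Restarting Pluto subsystem' line marks the incident as restarted.
    """
    incidents = []
    last_negotiation = {}   # pluto pid -> (connection, peer)
    pending = None          # index of an incident still waiting for its restart line
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["prog"] == "pluto":
            m = RESPOND_RE.search(msg)
            if m:
                last_negotiation[rec["pid"]] = (m.group("conn"), m.group("peer"))
            elif NSS_ERROR in msg:
                conn, peer = last_negotiation.get(rec["pid"], (None, None))
                if peer is None:
                    pm = PEER_RE.match(msg)
                    peer = pm.group("peer") if pm else None
                incidents.append(Incident(rec["pid"], conn, peer, rec["ts"], False))
                pending = len(incidents) - 1
        elif rec["prog"] == "ipsec__plutorun" and "Restarting Pluto subsystem" in msg:
            if pending is not None:
                incidents[pending] = incidents[pending]._replace(restarted=True)
                pending = None
    return incidents


def is_crash_loop(incidents, min_restarts=2):
    """True when at least min_restarts NSS errors were each followed by a pluto restart."""
    return sum(1 for i in incidents if i.restarted) >= min_restarts


if __name__ == "__main__":
    found = find_nss_crash_loops(SAMPLE_LOG)
    for inc in found:
        print("pluto[%s] %s conn=%s peer=%s restarted=%s"
              % (inc.pid, inc.error_time, inc.connection, inc.peer, inc.restarted))
    print("crash loop:", is_crash_loop(found))
```

To use it on a real box, replace SAMPLE_LOG with the contents of /var/log/secure (or pipe the file in); the connection name and peer in the output tell you which peer's IKE exchange is reaching the DH key generation step that fails against the populated NSS database.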



