[Openswan Users] NSS mandatory?

Richard Pickett richard.pickett at csrtechnologies.com
Sat Jul 23 19:43:39 EDT 2011


Hi all (Hi Paul!),

Sooooo, I've got openswan installed stock-rpm on centos 5.1. I didn't do
anything special to recompile, install extra mods, etc.

I'm using (as you guys probably know) x.509 auth on my connections. I really
don't want to use nss, but can. I just don't need that level of lock-down.

I'm thinking maybe NSS is mandatory now, I'm connecting w/ shrewsoft and as
soon as the connection starts this is what hits the /var/log/secure:

Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: ignoring
unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: received
Vendor ID payload [RFC 3947] method set to=109
Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: ignoring
Vendor ID payload [FRAGMENTATION 80000000]
Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: received
Vendor ID payload [Dead Peer Detection]
Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: ignoring
unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: ignoring
unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: ignoring
unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: received
Vendor ID payload [Cisco-Unity]
Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
responding to Main Mode from unknown peer 74.137.71.67
Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
*Jul 23 18:37:18 vhost5 pluto[4810]: NSS: DH private key creation failed*
Jul 23 18:37:29 vhost5 ipsec__plutorun: Restarting Pluto subsystem...
*Jul 23 18:37:29 vhost5 pluto[5363]: nss directory plutomain: /etc/ipsec.d*
*Jul 23 18:37:29 vhost5 pluto[5363]: NSS Initialized*
Jul 23 18:37:29 vhost5 pluto[5363]: Not able to open
/proc/sys/crypto/fips_enabled, returning non-fips mode
Jul 23 18:37:29 vhost5 pluto[5363]: Not able to open
/proc/sys/crypto/fips_enabled, returning non-fips mode
Jul 23 18:37:29 vhost5 pluto[5363]: Starting Pluto (Openswan Version 2.6.21;
Vendor ID OE~q\177kZNr}Wk) pid:5363
Jul 23 18:37:29 vhost5 pluto[5363]: Setting NAT-Traversal port-4500 floating
to on
Jul 23 18:37:29 vhost5 pluto[5363]:    port floating activation criteria
nat_t=1/port_float=1
Jul 23 18:37:29 vhost5 pluto[5363]:    including NAT-Traversal patch
(Version 0.6c)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Jul 23 18:37:29 vhost5 pluto[5363]: starting up 3 cryptographic helpers
Jul 23 18:37:29 vhost5 pluto[5363]: main fd(8) helper fd(9)
Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1097259328
(fd:8)
Jul 23 18:37:29 vhost5 pluto[5363]: main fd(10) helper fd(11)
Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1105652032
(fd:10)
Jul 23 18:37:29 vhost5 pluto[5363]: main fd(12) helper fd(13)
Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1114044736
(fd:12)
Jul 23 18:37:29 vhost5 pluto[5363]: Using Linux 2.6 IPsec interface code on
2.6.39.1-x86_64-linode19 (experimental code)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
<NULL>: Ok (ret=0)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
exists
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
exists
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
exists
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
exists
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
exists
Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Jul 23 18:37:29 vhost5 pluto[5363]: Changed path to directory
'/etc/ipsec.d/cacerts'
Jul 23 18:37:29 vhost5 pluto[5363]:   loaded CA cert file 'ca_crt.pem' (3816
bytes)
Jul 23 18:37:29 vhost5 pluto[5363]:   loaded CA cert file
'0000-SERVER-CA.pem' (3816 bytes)
Jul 23 18:37:29 vhost5 pluto[5363]: Could not change to directory
'/etc/ipsec.d/aacerts': /etc/ipsec.d
Jul 23 18:37:29 vhost5 pluto[5363]: Could not change to directory
'/etc/ipsec.d/ocspcerts': /etc/ipsec.d
Jul 23 18:37:29 vhost5 pluto[5363]: Changing to directory
'/etc/ipsec.d/crls'
Jul 23 18:37:29 vhost5 pluto[5363]:   loaded crl file
'mobile_aegils_crl.pem' (1783 bytes)
Jul 23 18:37:29 vhost5 pluto[5363]: | NSS: length of decrypted sig = 35
Jul 23 18:37:29 vhost5 pluto[5363]: | NSS : RSA Signature verified, hash
values matched
Jul 23 18:37:29 vhost5 pluto[5363]: loading certificate from
0000-SERVER-CERT.pem
Jul 23 18:37:29 vhost5 pluto[5363]:     could not open host cert with nick
name '0000-SERVER-CERT.pem' in NSS DB
Jul 23 18:37:29 vhost5 pluto[5363]: added connection description
"mobileaegisclient"
Jul 23 18:37:29 vhost5 pluto[5363]: listening for IKE messages
Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0:cp1/eth0:cp1
192.168.141.50:500
Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0:cp1/eth0:cp1
192.168.141.50:4500
Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0/eth0
173.255.254.20:500
Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0/eth0
173.255.254.20:4500
Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo 127.0.0.1:500
Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo 127.0.0.1:4500
Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo ::1:500
Jul 23 18:37:29 vhost5 pluto[5363]: loading secrets from
"/etc/ipsec.secrets"
Jul 23 18:37:29 vhost5 pluto[5363]: loading secrets from
"/etc/ipsec.d/ca.secrets"
*Jul 23 18:37:33 vhost5 pluto[5363]: packet from 74.137.71.67:55197: phase 1
message is part of an unknown exchange*


Since it restarts pluto, naturally it has no idea what this message is,
since it's already forgot this conversation.

Am I right about NSS? Is there a way to turn it off, or do I just have to
bite the bullet? If I use NSS, how much of my ipsec rsa config gets changed?

Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110723/c31f52f8/attachment.html 


More information about the Users mailing list