[Openswan Users] NSS mandatory?
Curu Wong
prinbra at gmail.com
Sun Jul 24 05:57:49 EDT 2011
in CentOS 5, the distribution openswan rpm package use NSS. and seems
there's no configuration option to disable that. Maybe you can download
the source RPM and recompile it without NSS.
2011/7/24 Richard Pickett <richard.pickett at csrtechnologies.com>
> Hi all (Hi Paul!),
>
> Sooooo, I've got openswan installed stock-rpm on centos 5.1. I didn't do
> anything special to recompile, install extra mods, etc.
>
> I'm using (as you guys probably know) x.509 auth on my connections. I
> really don't want to use nss, but can. I just don't need that level of
> lock-down.
>
> I'm thinking maybe NSS is mandatory now, I'm connecting w/ shrewsoft and as
> soon as the connection starts this is what hits the /var/log/secure:
>
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
> to=106
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set
> to=108
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [RFC 3947] method set to=109
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> ignoring Vendor ID payload [FRAGMENTATION 80000000]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [Dead Peer Detection]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> ignoring unknown Vendor ID payload
> [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [Cisco-Unity]
> Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> responding to Main Mode from unknown peer 74.137.71.67
> Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
> *Jul 23 18:37:18 vhost5 pluto[4810]: NSS: DH private key creation failed*
> Jul 23 18:37:29 vhost5 ipsec__plutorun: Restarting Pluto subsystem...
> *Jul 23 18:37:29 vhost5 pluto[5363]: nss directory plutomain: /etc/ipsec.d
> *
> *Jul 23 18:37:29 vhost5 pluto[5363]: NSS Initialized*
> Jul 23 18:37:29 vhost5 pluto[5363]: Not able to open
> /proc/sys/crypto/fips_enabled, returning non-fips mode
> Jul 23 18:37:29 vhost5 pluto[5363]: Not able to open
> /proc/sys/crypto/fips_enabled, returning non-fips mode
> Jul 23 18:37:29 vhost5 pluto[5363]: Starting Pluto (Openswan Version
> 2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:5363
> Jul 23 18:37:29 vhost5 pluto[5363]: Setting NAT-Traversal port-4500
> floating to on
> Jul 23 18:37:29 vhost5 pluto[5363]: port floating activation criteria
> nat_t=1/port_float=1
> Jul 23 18:37:29 vhost5 pluto[5363]: including NAT-Traversal patch
> (Version 0.6c)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> OAKLEY_SERPENT_CBC: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_512: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_256: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: starting up 3 cryptographic helpers
> Jul 23 18:37:29 vhost5 pluto[5363]: main fd(8) helper fd(9)
> Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1097259328
> (fd:8)
> Jul 23 18:37:29 vhost5 pluto[5363]: main fd(10) helper fd(11)
> Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1105652032
> (fd:10)
> Jul 23 18:37:29 vhost5 pluto[5363]: main fd(12) helper fd(13)
> Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1114044736
> (fd:12)
> Jul 23 18:37:29 vhost5 pluto[5363]: Using Linux 2.6 IPsec interface code on
> 2.6.39.1-x86_64-linode19 (experimental code)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Jul 23 18:37:29 vhost5 pluto[5363]: Changed path to directory
> '/etc/ipsec.d/cacerts'
> Jul 23 18:37:29 vhost5 pluto[5363]: loaded CA cert file 'ca_crt.pem'
> (3816 bytes)
> Jul 23 18:37:29 vhost5 pluto[5363]: loaded CA cert file
> '0000-SERVER-CA.pem' (3816 bytes)
> Jul 23 18:37:29 vhost5 pluto[5363]: Could not change to directory
> '/etc/ipsec.d/aacerts': /etc/ipsec.d
> Jul 23 18:37:29 vhost5 pluto[5363]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /etc/ipsec.d
> Jul 23 18:37:29 vhost5 pluto[5363]: Changing to directory
> '/etc/ipsec.d/crls'
> Jul 23 18:37:29 vhost5 pluto[5363]: loaded crl file
> 'mobile_aegils_crl.pem' (1783 bytes)
> Jul 23 18:37:29 vhost5 pluto[5363]: | NSS: length of decrypted sig = 35
> Jul 23 18:37:29 vhost5 pluto[5363]: | NSS : RSA Signature verified, hash
> values matched
> Jul 23 18:37:29 vhost5 pluto[5363]: loading certificate from
> 0000-SERVER-CERT.pem
> Jul 23 18:37:29 vhost5 pluto[5363]: could not open host cert with nick
> name '0000-SERVER-CERT.pem' in NSS DB
> Jul 23 18:37:29 vhost5 pluto[5363]: added connection description
> "mobileaegisclient"
> Jul 23 18:37:29 vhost5 pluto[5363]: listening for IKE messages
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0:cp1/eth0:cp1
> 192.168.141.50:500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0:cp1/eth0:cp1
> 192.168.141.50:4500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0/eth0
> 173.255.254.20:500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0/eth0
> 173.255.254.20:4500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo 127.0.0.1:500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo 127.0.0.1:4500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo ::1:500
> Jul 23 18:37:29 vhost5 pluto[5363]: loading secrets from
> "/etc/ipsec.secrets"
> Jul 23 18:37:29 vhost5 pluto[5363]: loading secrets from
> "/etc/ipsec.d/ca.secrets"
> *Jul 23 18:37:33 vhost5 pluto[5363]: packet from 74.137.71.67:55197: phase
> 1 message is part of an unknown exchange*
>
>
> Since it restarts pluto, naturally it has no idea what this message is,
> since it's already forgot this conversation.
>
> Am I right about NSS? Is there a way to turn it off, or do I just have to
> bite the bullet? If I use NSS, how much of my ipsec rsa config gets changed?
>
> Thanks!
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110724/f8c15e4b/attachment-0001.html
More information about the Users
mailing list