[Openswan Users] nss DH woes

Kevin Keane subscription at kkeane.com
Mon Jul 25 06:17:44 EDT 2011


I have a feeling that there is a bug in the NSS DH code. I'm getting almost the same error (in my case, the last message is "NSS: slot for DH key gen is NULL" instead of your "NSS: DH private key creation failed"). In my case, the mere fact that I have a certificate in the database triggers this error.

I posted the full log with plutodebug=all a couple days ago, but so far haven't gotten a response.

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Richard Pickett
Sent: Sunday, July 24, 2011 8:30 PM
To: Openswan Users
Subject: [Openswan Users] nss DH woes

Still plunking around trying to get certs to work on openswan. Got them imported into nss just fine, and it reports in the log that it loads them correctly.

But when the first client connects, here's what hits the logs (notice the last line):

Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [RFC 3947] method set to=109
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [Dead Peer Detection]
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [Cisco-Unity]
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: responding to Main Mode from unknown peer 74.137.71.67
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 24 22:26:45 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jul 24 22:26:45 vhost5 pluto[6039]: NSS: DH private key creation failed

What would cause the NSS DH private key creation to fail? Is this a client config issue or server side?

Thanks for all your help!
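The pluto log above makes the failure hard to attribute because the "NSS: DH private key creation failed" line carries no connection prefix, unlike the state-transition lines that precede it. The following triage script is an added example and is not code from Openswan or from either poster; it parses pluto's log format, tracks which IKE SA was last active and what state it reached, and reports each NSS DH error (the two messages named in this thread) together with that context. The sample log is a constructed, trimmed copy of the excerpt above with the linkified residue removed; the correlation to the most recent SA is a heuristic, since pluto does not tag these NSS errors itself.

```python
import re

# Constructed sample: a trimmed copy of the pluto excerpt from this thread.
SAMPLE_LOG = """\
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [RFC 3947] method set to=109
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: responding to Main Mode from unknown peer 74.137.71.67
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 24 22:26:45 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jul 24 22:26:45 vhost5 pluto[6039]: NSS: DH private key creation failed
"""

# syslog prefix: "Mon DD HH:MM:SS host pluto[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
# per-SA prefix: "conn"[instance] peer #state-number: rest
CONN_RE = re.compile(
    r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<st>\d+): (?P<rest>.*)$'
)
STATE_RE = re.compile(r'transition from state (?P<frm>\S+) to state (?P<to>\S+)')

# The two NSS DH messages reported in this thread.
NSS_DH_ERRORS = (
    "NSS: DH private key creation failed",
    "NSS: slot for DH key gen is NULL",
)


def parse_pluto_log(text):
    """Yield (timestamp, message) for each well-formed pluto log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("msg")


def find_nss_dh_failures(text):
    """Return one finding per NSS DH error: the error text plus the connection,
    peer and last reached IKE state of the SA most recently seen in the log.
    The SA attribution is a heuristic because pluto logs these NSS errors
    without a connection prefix."""
    last_sa = None   # (conn, peer, state_number) of the last SA-tagged line
    states = {}      # state_number -> latest state name seen in a transition
    findings = []
    for ts, msg in parse_pluto_log(text):
        cm = CONN_RE.match(msg)
        if cm:
            last_sa = (cm.group("conn"), cm.group("peer"), cm.group("st"))
            sm = STATE_RE.search(cm.group("rest"))
            if sm:
                states[cm.group("st")] = sm.group("to")
            continue
        if msg.startswith(NSS_DH_ERRORS):
            conn, peer, st = last_sa if last_sa else (None, None, None)
            findings.append({
                "time": ts,
                "error": msg,
                "conn": conn,
                "peer": peer,
                "last_state": states.get(st),
            })
    return findings


if __name__ == "__main__":
    for f in find_nss_dh_failures(SAMPLE_LOG):
        print(f"{f['time']}: {f['error']} (conn={f['conn']}, peer={f['peer']}, "
              f"last IKE state={f['last_state']})")
```

Run it against a real pluto log (e.g. `python3 triage.py < /var/log/secure`, adapting the script to read stdin) to see, for each NSS failure, how far the Main Mode exchange got before DH key generation was attempted; a failure consistently at STATE_MAIN_R1, regardless of which peer connects, points at the server-side NSS database rather than the client configuration.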