[Openswan Users] nss DH woes

Paul Wouters paul at xelerance.com
Mon Jul 25 11:30:37 EDT 2011


On Mon, 25 Jul 2011, Kevin Keane wrote:

> I have a feeling that there is a bug in the NSS DH code. I’m getting almost the same error (in my case, the last message
> is “NSS: slot for DH key gen is NULL” instead of your “NSS: DH private key creation failed”). In my case, the mere fact
> that I have a certificate in the database triggers this error.

> I posted the full log with plutodebug=all a couple days ago, but so far haven’t gotten a response.

I was hoping Avesh would have a look at it.

I think it might be a misconfiguration of your NSS that causes this. I am not sure I want pluto to die
and restart on this, instead of just failing this one connection (e.g. STF_FAIL).

Paul

> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Richard Pickett
> Sent: Sunday, July 24, 2011 8:30 PM
> To: Openswan Users
> Subject: [Openswan Users] nss DH woes
> 
> Still plunking around trying to get certs to work on openswan. Got them imported into nss just fine, and it reports in
> the log that it loads them correctly.
> 
> But when the first client connects, here's what hits the logs (notice the last line):
> 
> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [RFC 3947] method set to=109
> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: ignoring Vendor ID payload [FRAGMENTATION 80000000]
> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [Dead Peer Detection]
> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [Cisco-Unity]
> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: responding to Main Mode from unknown peer 74.137.71.67
> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Jul 24 22:26:45 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
> Jul 24 22:26:45 vhost5 pluto[6039]: NSS: DH private key creation failed
> 
> What would cause the NSS DH private key creation to fail? Is this a client config issue or server side?
> 
> Thanks for all your help!
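As an added example (not code from this thread or from Openswan itself), the script below parses pluto log lines in the format quoted above and attributes each NSS DH failure, which pluto logs without a connection name, to the IKE SA that was mid-negotiation when it appeared, so an operator can see which connection and which Main Mode state the failure belongs to. The sample log is constructed from the lines in Richard's post and also covers the "slot for DH key gen is NULL" message Kevin mentions.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in the thread above
# (connection name, peer address and timestamps copied from that post; the
# second NSS message is the variant Kevin reports).
SAMPLE_LOG = """\
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [RFC 3947] method set to=109
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: responding to Main Mode from unknown peer 74.137.71.67
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 24 22:26:45 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jul 24 22:26:45 vhost5 pluto[6039]: NSS: DH private key creation failed
Jul 24 22:27:10 vhost5 pluto[6039]: "mobileaegisclient"[2] 74.137.71.68 #2: responding to Main Mode from unknown peer 74.137.71.68
Jul 24 22:27:10 vhost5 pluto[6039]: "mobileaegisclient"[2] 74.137.71.68 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 24 22:27:11 vhost5 pluto[6039]: NSS: slot for DH key gen is NULL
"""

# Lines that carry an IKE SA identity: "conn"[instance] peer #sa: message
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
# The two NSS DH messages discussed in the thread; neither names a connection.
NSS_DH_RE = re.compile(
    r"pluto\[\d+\]: (?P<err>NSS: (?:DH private key creation failed|slot for DH key gen is NULL))$")


def attribute_nss_dh_failures(log_text):
    """Return one finding per NSS DH failure, tied to the SA last seen negotiating."""
    last_sa = None      # (conn, peer, sa_number) of the most recent SA-tagged line
    ike_state = {}      # SA key -> last IKE state reached via a logged transition
    findings = []
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            key = (m["conn"], m["peer"], int(m["sa"]))
            last_sa = key
            t = TRANSITION_RE.search(m["msg"])
            if t:
                ike_state[key] = t.group(2)
            continue
        m = NSS_DH_RE.search(line)
        if m:
            findings.append({
                "error": m["err"],
                "conn": last_sa[0] if last_sa else None,
                "peer": last_sa[1] if last_sa else None,
                "sa": last_sa[2] if last_sa else None,
                "ike_state": ike_state.get(last_sa) if last_sa else None,
            })
    return findings
```

Attribution is by adjacency (the NSS line follows the SA it belongs to), which is how pluto emits these messages in the quoted log; on a busy responder with interleaved negotiations the nearest preceding SA is a best-effort guess.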
