[Openswan Users] nss DH woes
Avesh Agarwal
avagarwa at redhat.com
Mon Jul 25 11:38:48 EDT 2011
On 07/25/2011 11:30 AM, Paul Wouters wrote:
> On Mon, 25 Jul 2011, Kevin Keane wrote:
>
>> I have a feeling that there is a bug in the NSS DH code. I’m getting
>> almost the same error (in my case, the last message
>> is “NSS: slot for DH key gen is NULL” instead of your “NSS: DH
>> private key creation failed”). In my case, the mere fact
>> that I have a certificate in the database triggers this error.
>
>> I posted the full log with plutodebug=all a couple days ago, but so
>> far haven’t gotten a response.
>
> I was hoping Avesh would have a look at.
>
> I think it might be a misconfiguration of your NSS that causes this. I
> am not sure I want pluto to die
> and restart on this, instead of just failing this one connection (eg
> STF_FAIL)
>
> Paul
>
>> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]
>> On Behalf Of Richard Pickett
>> Sent: Sunday, July 24, 2011 8:30 PM
>> To: Openswan Users
>> Subject: [Openswan Users] nss DH woes
>>
>>
>>
>> Still plunking around trying to get certs to work on openswan. Got
>> them imported into nss just fine, and it reports in
>> the log that it loads them correctly.
>>
>>
>>
>> But when the first client connects, here's what hits the logs (notice
>> the last line):
>>
>>
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
>> received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-00]
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
>> ignoring unknown Vendor ID payload
>> [16f6ca16e4a4066d83821a0f0aeaa862]
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
>> received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
>> received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-03] method set to=108
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
>> received Vendor ID payload [RFC 3947] method set
>> to=109
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
>> ignoring Vendor ID payload [FRAGMENTATION 80000000]
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
>> received Vendor ID payload [Dead Peer Detection]
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
>> ignoring unknown Vendor ID payload
>> [f14b94b7bff1fef02773b8c49feded26]
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
>> ignoring unknown Vendor ID payload
>> [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
>> ignoring unknown Vendor ID payload
>> [8404adf9cda05760b2ca292e4bff537b]
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
>> received Vendor ID payload [Cisco-Unity]
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1]
>> 74.137.71.67 #1: responding to Main Mode from unknown peer
>> 74.137.71.67
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1]
>> 74.137.71.67 #1: transition from state STATE_MAIN_R0 to state
>> STATE_MAIN_R1
>>
>> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1]
>> 74.137.71.67 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>>
>> Jul 24 22:26:45 vhost5 pluto[6039]: "mobileaegisclient"[1]
>> 74.137.71.67 #1: NAT-Traversal: Result using RFC 3947
>> (NAT-Traversal): peer is NATed
>>
>> Jul 24 22:26:45 vhost5 pluto[6039]: NSS: DH private key creation failed
>>
>>
>>
>> What would cause the NSS DH private key creation to fail? Is this a
>> client config issue or server side?
>>
Hello Paul, Kevin,
I can have a look at it. Kevin can you please put a complete output of
ipsec barf instead of truncated ones somewhere, may be on
bugzilla.redhat.com? Also, if you can provide the exact steps you
followed to configure openswan that would also help.
>>
>>
>> Thanks for all your help!
>>
>>
>>
--
Thanks and Regards
Avesh
More information about the Users
mailing list