[Openswan Users] nss DH woes

Richard Pickett richard.pickett at csrtechnologies.com
Mon Jul 25 14:39:41 EDT 2011


Bug ID: 725518

This is pretty urgent on my side. I have one other box to try things on, in
the meantime I'm compiling without nss (yuck).


On Mon, Jul 25, 2011 at 10:38 AM, Avesh Agarwal <avagarwa at redhat.com> wrote:

> On 07/25/2011 11:30 AM, Paul Wouters wrote:
> > On Mon, 25 Jul 2011, Kevin Keane wrote:
> >
> >> I have a feeling that there is a bug in the NSS DH code. I’m getting
> >> almost the same error (in my case, the last message
> >> is “NSS: slot for DH key gen is NULL” instead of your “NSS: DH
> >> private key creation failed”). In my case, the mere fact
> >> that I have a certificate in the database triggers this error.
> >
> >> I posted the full log with plutodebug=all a couple days ago, but so
> >> far haven’t gotten a response.
> >
> > I was hoping Avesh would have a look at it.
> >
> > I think it might be a misconfiguration of your NSS that causes this. I
> > am not sure I want pluto to die
> > and restart on this, instead of just failing this one connection (eg
> > STF_FAIL)
> >
> > Paul
> >
> >> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]
> >> On Behalf Of Richard Pickett
> >> Sent: Sunday, July 24, 2011 8:30 PM
> >> To: Openswan Users
> >> Subject: [Openswan Users] nss DH woes
> >>
> >> Still plunking around trying to get certs to work on openswan. Got
> >> them imported into nss just fine, and it reports in
> >> the log that it loads them correctly.
> >>
> >> But when the first client connects, here's what hits the logs (notice
> >> the last line):
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
> >> received Vendor ID payload
> >> [draft-ietf-ipsec-nat-t-ike-00]
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
> >> ignoring unknown Vendor ID payload
> >> [16f6ca16e4a4066d83821a0f0aeaa862]
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
> >> received Vendor ID payload
> >> [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
> >> received Vendor ID payload
> >> [draft-ietf-ipsec-nat-t-ike-03] method set to=108
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
> >> received Vendor ID payload [RFC 3947] method set
> >> to=109
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
> >> ignoring Vendor ID payload [FRAGMENTATION 80000000]
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
> >> received Vendor ID payload [Dead Peer Detection]
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
> >> ignoring unknown Vendor ID payload
> >> [f14b94b7bff1fef02773b8c49feded26]
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
> >> ignoring unknown Vendor ID payload
> >> [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
> >> ignoring unknown Vendor ID payload
> >> [8404adf9cda05760b2ca292e4bff537b]
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600:
> >> received Vendor ID payload [Cisco-Unity]
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1]
> >> 74.137.71.67 #1: responding to Main Mode from unknown peer
> >> 74.137.71.67
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1]
> >> 74.137.71.67 #1: transition from state STATE_MAIN_R0 to state
> >> STATE_MAIN_R1
> >>
> >> Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1]
> >> 74.137.71.67 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> >>
> >> Jul 24 22:26:45 vhost5 pluto[6039]: "mobileaegisclient"[1]
> >> 74.137.71.67 #1: NAT-Traversal: Result using RFC 3947
> >> (NAT-Traversal): peer is NATed
> >>
> >> Jul 24 22:26:45 vhost5 pluto[6039]: NSS: DH private key creation failed
> >>
> >> What would cause the NSS DH private key creation to fail? Is this a
> >> client config issue or server side?
> >>
>
> Hello Paul, Kevin,
>
> I can have a look at it. Kevin, can you please put a complete output of
> ipsec barf instead of truncated ones somewhere, maybe on
> bugzilla.redhat.com? Also, if you can provide the exact steps you
> followed to configure openswan that would also help.
>
> >>
> >> Thanks for all your help!
> >>
>
>
> --
> Thanks and Regards
> Avesh
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
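As an added example (not code from this thread or from Openswan), a small parser that walks pluto log lines in the format quoted above and ties each `NSS:` failure to the connection, peer and IKE state pluto had last reported, which is the context a defender needs when an SA aborts with "DH private key creation failed" rather than failing cleanly. The sample log is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Jul 24 22:26:44 vhost5 pluto[6039]: packet from 74.137.71.67:42600: received Vendor ID payload [RFC 3947] method set to=109
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: responding to Main Mode from unknown peer 74.137.71.67
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 24 22:26:44 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 24 22:26:45 vhost5 pluto[6039]: "mobileaegisclient"[1] 74.137.71.67 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jul 24 22:26:45 vhost5 pluto[6039]: NSS: DH private key creation failed
"""

# A state transition line carries connection name, peer, SA number and new state.
STATE_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): '
    r'transition from state \S+ to state (?P<state>STATE_\w+)')
# Any other per-SA line still tells us which connection/peer pluto is working on.
CONN_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): ')
# NSS errors are logged without SA context, so they must be correlated by order.
NSS_RE = re.compile(r'pluto\[\d+\]: NSS: (?P<msg>.*)$')


def correlate_nss_failures(log_text):
    """Return one dict per NSS failure, carrying the last-seen conn/peer/sa/state."""
    last = {"conn": None, "peer": None, "sa": None, "state": None}
    findings = []
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            last.update(m.groupdict())
            continue
        m = CONN_RE.search(line)
        if m:
            last.update(m.groupdict())  # updates conn/peer/sa, keeps state
            continue
        m = NSS_RE.search(line)
        if m:
            findings.append({"message": m.group("msg"), **last})
    return findings


if __name__ == "__main__":
    for f in correlate_nss_failures(SAMPLE_LOG):
        print(f)
```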