[Openswan Users] nss DH woes

Curu Wong prinbra at gmail.com
Wed Jul 27 21:46:21 EDT 2011


I don't quite understand the problem here.

I have been using the OpenSwan package from the official CentOS repository (of
course with NSS) for 2 years, connecting several pairs of Linux servers, and all
work fine.

Can it be the configuration for SonicWall that causes the problem? Forgive me
if I misunderstand this situation.


2011/7/27 Richard Pickett <richard.pickett at csrtechnologies.com>

> My rsa keys were 8k, I thought maybe nss was having a memory problem (like
> a static-size limit), so I created a whole ca/certs suite w/ 2k keys, same
> problem.
>
> Avesh, any ideas on how much longer you'll be looking at this?
>
> Thanks for your help!
>
>
>
> On Tue, Jul 26, 2011 at 6:23 AM, Avesh Agarwal <avagarwa at redhat.com> wrote:
>
>> On 07/26/2011 06:48 AM, Kevin Keane wrote:
>> > Hello Avesh,
>> >
>> > Thank you so much! The log I sent was everything that I found in
>> > /var/log/secure with plutodebug=all; the only thing I did was scramble
>> > machine names and IP addresses since that could be sensitive.
>> >
>> > I added a report to bugzilla as #725699, but did not yet add the barf.
>> > There seems to be quite a bit of sensitive information in the barf, such as
>> > my iptables firewall configuration, my Sonicwall S/N, etc., things that I'd
>> > prefer not to have on bugzilla. Would you mind if I sent it to you by
>> > private email?
>> >
>> > Also, when the problem actually happens, my system becomes inaccessible.
>> > I have to then turn off ipsec on the other end. So the barf does not
>> > represent the exact moment the problem occurs; I took the barf a few minutes
>> > later (with the certs causing the problem still in the database).
>> >
>> > As for the steps I did to configure Openswan: it is the standard CentOS
>> > 5.6 Openswan RPM. openswan-2.6.21-5.el5_6.4 . So other than fiddling with
>> > the configuration, I have not done anything unusual.
>> >
>> > Come to think about it - is it possible that this is a kernel problem?
>> > This VM runs on a Rackspace VM, with a Rackspace kernel instead of a stock
>> > CentOS kernel.
>> >
>> It does not seem to be a kernel issue at first, as the IKE exchange takes
>> place in user space and the NSS library is also user space. However, it is
>> surprising why it is happening.
>> >> Hello Paul, Kevin,
>> >> I can have a look at it. Kevin, can you please put a complete output of
>> >> ipsec barf instead of truncated ones somewhere, maybe on
>> >> bugzilla.redhat.com? Also, if you can provide the exact steps you
>> >> followed to configure openswan that would also help.
>> >> --
>> >> Thanks and Regards
>> >> Avesh
>> > _______________________________________________
>> > Users at openswan.org
>> > http://lists.openswan.org/mailman/listinfo/users
>> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> > Building and Integrating Virtual Private Networks with Openswan:
>> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
>> --
>> Thanks and Regards
>> Avesh
>>
>
>