[Openswan Users] nss DH woes

Curu Wong prinbra at gmail.com
Thu Jul 28 06:58:23 EDT 2011 

In my production server, I import the rootCA to nss and config.

Here, I setup a test environment to show you this, all of this has been
tested, it shows that all works.

network topology:

gw2(192.168.2.133)---->NAT gateway1 ----> NAT gateway2
----Internet------>gw1(S.S.S.S)

on *gw1*:
yum install openswan
#initialize nss DB
certutil -N -d /etc/ipsec.d

#create the rootCA named "curuRootCA"
certutil -S -k rsa -n curuCA -s "CN=curuRootCA" -v 12 -d . -t "C,C,C" -x -d
/etc/ipsec.d

#create machine cert named "gw1"  for gw1
certutil -S -k rsa -c curuCA -n gw1 -s "CN=gw1" -v 12 -t "u,u,u" -d
/etc/ipsec.d

#create machine cert named "gw2" for gw2
certutil -S -k rsa -c curuCA -n gw2 -s "CN=gw2" -v 12 -t "u,u,u" -d
/etc/ipsec.d

#add gw1 to ipsec.secrets
echo " : RSA gw1" >> /etc/ipsec.secrets

/etc/ipsec.conf
------------------------------------------------------------------------
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:
10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
        oe=off
        nhelpers=0
conn gw1-gw2
        left=S.S.S.S
        leftid='CN=gw1'
        leftcert=gw1
        leftrsasigkey=%cert
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv
        auto=add
-----------------------------------------------------------------------------

#export gw2's cert
pk12util -o  gw2.p12 -n gw2 -d /etc/ipsec.d

#copy gw2.p12 to gw2 with your method
#restart ipsec
/etc/init.d/ipsec restart

on *gw2*:

yum install openswan

#initialize nss DB
certutil -N -d /etc/ipsec.d

#import gw2's own cert
pk12util -i gw2.p12 -n gw2 -d /etc/ipsec.d/

#modify CA's trust tag
certutil -M -n curuCA -t 'c,c,c' -d /etc/ipsec.d

#add gw2 to ipsec.secrets
echo " : RSA gw2" >> /etc/ipsec.secrets

/etc/ipsec.conf
--------------------------------------------------------------------------------
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        nhelpers=0
conn gw1-gw2
        left=%defaultroute
        leftcert=gw2
        leftrsasigkey=%cert
        right=S.S.S.S
        rightid="CN=gw1"
        rightca=%same
        rightrsasigkey=%cert
        auto=start
------------------------------------------------------------------
#restart ipsec
/etc/init.d/ipsec restart


My test also confirms that even use openssl to generate the CA and certs,
export to pkcs12, then use pk12util to import to nss, all will works fine.

the two test box both use CentOS 5.6 with openswan-2.6.21-5.el5_6.4.  gw1 is
an KVM guest , and gw2 is an VMWare guest.




2011/7/28 Richard Pickett <richard.pickett at csrtechnologies.com>

> Curu,
>
> I'm not using sonic wall in my config as Kevin is (the other user reporting
> the same problem). The client side is shrewsoft, and it may be part of the
> problem, but it's odd that the nss on the server is throwing an error and
> causing pluto to die and restart, the client should never be able to cause
> that.
>
> Can you send me your config(s) and how you created your keys (did you
> create them in nss or import them?)
>
> It would help a lot, and I really appreciate you taking the time to help!
>
>
>
> On Wed, Jul 27, 2011 at 8:46 PM, Curu Wong <prinbra at gmail.com> wrote:
>
>> I don't quite understand the problem here.
>>
>> I have been using OpenSwan package from the official CentOS repository(of
>> course with NSS) for 2 years, connecting several pair of Linux servers, all
>> work fine.
>>
>> Can it be configuration for SonicalWall that cause the problem? forgive me
>> if I misunderstand this situation.
>>
>>
>>
>> 2011/7/27 Richard Pickett <richard.pickett at csrtechnologies.com>
>>
>>> My rsa keys were 8k, I thought maybe nss was having a memory problem
>>> (like a static-size limit), so I created a whole ca/certs suite w/ 2k keys,
>>> same problem.
>>>
>>> Avesh, any ideas on how much longer you'll be looking at this?
>>>
>>> Thanks for your help!
>>>
>>>
>>>
>>> On Tue, Jul 26, 2011 at 6:23 AM, Avesh Agarwal <avagarwa at redhat.com>wrote:
>>>
>>>> On 07/26/2011 06:48 AM, Kevin Keane wrote:
>>>> > Hello Avesh,
>>>> >
>>>> > Thank you so much! The log I sent was everything that I found in
>>>> /var/log/secure with plutodebug=all; the only thing I did was scramble
>>>> machine names and IP addresses since that could be sensitive.
>>>> >
>>>> > I added a report to bugzilla as #725699, but did not yet add the barf.
>>>> There seems to be quite a bit of sensitive information in the barf, such as
>>>> my iptables firewall configuration, my Sonicwall S/N, etc., things that I'd
>>>> prefer not to have on bugzilla. Would you mind if I sent it to you by
>>>> private email?
>>>> >
>>>> > Also, when the problem actually happens, my system becomes
>>>> inaccessible. I have to then turn off ipsec on the other end. So the barf
>>>> does not represent the exact moment the problem occurs; I took the barf a
>>>> few minutes later (with the certs causing the problem still in the
>>>> database).
>>>> >
>>>> > As for the steps I did to configure Openswan: it is the standard
>>>> CentOS 5.6 Openswan RPM. openswan-2.6.21-5.el5_6.4 . So other than fiddling
>>>> with the configuration, I have not done anything unusual.
>>>> >
>>>> > Come to think about it - is it possible that this is a kernel problem?
>>>> This VM runs on a Rackspace VM, with a Rackspace kernel instead of a stock
>>>> CentOS kernel.
>>>> >
>>>> It does not seem to be a kernel at first issue as IKE exchange takes
>>>> place in user space and NSS library is also user space. However, it is
>>>> surprising why it is happening.
>>>> >> Hello Paul, Kevin,
>>>> >> I can have a look at it. Kevin can you please put a complete output
>>>> of ipsec barf  instead of truncated ones somewhere, may be on
>>>> bugzilla.redhat.com? Also, if you can provide the exact steps you
>>>> followed to configure openswan that would also help.
>>>> >> --
>>>> >> Thanks and Regards
>>>> >> Avesh
>>>> > _______________________________________________
>>>> > Users at openswan.org
>>>> > http://lists.openswan.org/mailman/listinfo/users
>>>> > Micropayments:
>>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> > Building and Integrating Virtual Private Networks with Openswan:
>>>> >
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>
>>>>
>>>> --
>>>> Thanks and Regards
>>>> Avesh
>>>>
>>>> _______________________________________________
>>>> Users at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>
>>>
>>>
>>> _______________________________________________
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110728/35dfe05f/attachment.html

More information about the Users mailing list