[Openswan Users] nss DH woes

Kevin Keane subscription at kkeane.com
Fri Jul 29 08:07:47 EDT 2011


I would not be surprised at all if it turned out that the root cause was a misconfiguration on my end - I'm not the most experienced openswan user out there (i.e., I am only just starting to learn IPSec, although I have plenty of Linux experience).

A couple more notes:

- The problem occurs by merely adding a certificate to the database in an otherwise working configuration (using PSK). The only things that changed are the three .db files. So I don't think the Sonicwall has anything to do with it.

- The failure mode seems like a bug. A mere misconfiguration shouldn't cause pluto to crash and restart.

And of course you are right - I cannot even conceive that NSS is fundamentally broken; that would never slip by RedHat/CentOS quality control for such an extended period. Whatever the problem is must be an unusual set of circumstances.

For all I know, it could even be a certificate that is somehow incompatible with openswan (mine was created by the CentOS certificate authority, aka dogtag). Still shouldn't crash openswan.

Kevin Keane
The NetTech
http://www.4nettech.com

From: users-bounces at openswan.org On Behalf Of Curu Wong
Sent: Wednesday, July 27, 2011 6:46 PM
To: Richard Pickett
Cc: users at openswan.org
Subject: Re: [Openswan Users] nss DH woes

I don't quite understand the problem here.

I have been using the OpenSwan package from the official CentOS repository (of course with NSS) for 2 years, connecting several pairs of Linux servers; all work fine.

Can it be the configuration of the SonicWall that causes the problem? Forgive me if I misunderstand this situation.

2011/7/27 Richard Pickett <richard.pickett at csrtechnologies.com>
My rsa keys were 8k, I thought maybe nss was having a memory problem (like a static-size limit), so I created a whole ca/certs suite w/ 2k keys, same problem.

Avesh, any ideas on how much longer you'll be looking at this?

Thanks for your help!


On Tue, Jul 26, 2011 at 6:23 AM, Avesh Agarwal <avagarwa at redhat.com> wrote:
On 07/26/2011 06:48 AM, Kevin Keane wrote:
> Hello Avesh,
>
> Thank you so much! The log I sent was everything that I found in /var/log/secure with plutodebug=all; the only thing I did was scramble machine names and IP addresses since that could be sensitive.
>
> I added a report to bugzilla as #725699, but did not yet add the barf. There seems to be quite a bit of sensitive information in the barf, such as my iptables firewall configuration, my Sonicwall S/N, etc., things that I'd prefer not to have on bugzilla. Would you mind if I sent it to you by private email?
>
> Also, when the problem actually happens, my system becomes inaccessible. I have to then turn off ipsec on the other end. So the barf does not represent the exact moment the problem occurs; I took the barf a few minutes later (with the certs causing the problem still in the database).
>
> As for the steps I did to configure Openswan: it is the standard CentOS 5.6 Openswan RPM, openswan-2.6.21-5.el5_6.4. So other than fiddling with the configuration, I have not done anything unusual.
>
> Come to think about it - is it possible that this is a kernel problem? This VM runs on a Rackspace VM, with a Rackspace kernel instead of a stock CentOS kernel.
>
It does not seem to be a kernel issue at first glance, as the IKE exchange takes place in user space and the NSS library is also in user space. However, it is surprising why it is happening.
>> Hello Paul, Kevin,
>> I can have a look at it. Kevin, can you please put a complete output of ipsec barf instead of truncated ones somewhere, maybe on bugzilla.redhat.com? Also, if you can provide the exact steps you followed to configure openswan, that would also help.
>> --
>> Thanks and Regards
>> Avesh
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


--
Thanks and Regards
Avesh

