[Openswan Users] nss DH woes

Curu Wong prinbra at gmail.com
Fri Jul 29 08:35:46 EDT 2011


Kevin, you are too modest! I am sure you know OpenSwan far better than I.
^_^ .

I just play with it, testing this and that, with the hope of solving problems
that may occur.

Indeed, we can't let bugs slip away, if there's one.

2011/7/29 Kevin Keane <subscription at kkeane.com>

> I would not be surprised at all if it turned out that the root cause was a
> misconfiguration on my end – I’m not the most experienced openswan user out
> there (i.e., I am only just starting to learn IPSec, although I have plenty
> of Linux experience).
>
> A couple more notes:
>
> - The problem occurs by merely adding a certificate to the
> database into an otherwise working configuration (using PSK). The only
> things that changed are the three .db files. So I don’t think the Sonicwall
> has anything to do with it.
>
> - The failure mode seems like a bug. A mere misconfiguration
> shouldn’t cause pluto to crash and restart.
>
> And of course you are right – I cannot even conceive that NSS is
> fundamentally broken; that would never slip by RedHat/CentOS quality control
> for such an extended period. Whatever the problem is must be an unusual set
> of circumstances.
>
> For all I know, it could even be a certificate that is somehow incompatible
> with openswan (mine was created by the CentOS certificate authority, aka
> dogtag). Still shouldn’t crash openswan.
>
> *Kevin Keane*
>
> *The NetTech*
>
> http://www.4nettech.com
>
> *From:* users-bounces at openswan.org [mailto:users-bounces at openswan.org] *On
> Behalf Of *Curu Wong
> *Sent:* Wednesday, July 27, 2011 6:46 PM
> *To:* Richard Pickett
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] nss DH woes
>
> I don't quite understand the problem here.
>
> I have been using OpenSwan package from the official CentOS repository(of
> course with NSS) for 2 years, connecting several pair of Linux servers, all
> work fine.
>
> Can it be the configuration for SonicWall that causes the problem? Forgive me
> if I misunderstand this situation.
>
> 2011/7/27 Richard Pickett <richard.pickett at csrtechnologies.com>
>
> My rsa keys were 8k, I thought maybe nss was having a memory problem (like
> a static-size limit), so I created a whole ca/certs suite w/ 2k keys, same
> problem.
>
> Avesh, any ideas on how much longer you'll be looking at this?
>
> Thanks for your help!
>
> On Tue, Jul 26, 2011 at 6:23 AM, Avesh Agarwal <avagarwa at redhat.com>
> wrote:
>
> On 07/26/2011 06:48 AM, Kevin Keane wrote:
> > Hello Avesh,
> >
> > Thank you so much! The log I sent was everything that I found in
> /var/log/secure with plutodebug=all; the only thing I did was scramble
> machine names and IP addresses since that could be sensitive.
> >
> > I added a report to bugzilla as #725699, but did not yet add the barf.
> There seems to be quite a bit of sensitive information in the barf, such as
> my iptables firewall configuration, my Sonicwall S/N, etc., things that I'd
> prefer not to have on bugzilla. Would you mind if I sent it to you by
> private email?
> >
> > Also, when the problem actually happens, my system becomes inaccessible.
> I have to then turn off ipsec on the other end. So the barf does not
> represent the exact moment the problem occurs; I took the barf a few minutes
> later (with the certs causing the problem still in the database).
> >
> > As for the steps I did to configure Openswan: it is the standard CentOS
> 5.6 Openswan RPM. openswan-2.6.21-5.el5_6.4 . So other than fiddling with
> the configuration, I have not done anything unusual.
> >
> > Come to think of it - is it possible that this is a kernel problem?
> This VM runs on a Rackspace VM, with a Rackspace kernel instead of a stock
> CentOS kernel.
> >
>
> It does not seem to be a kernel issue at first, as the IKE exchange takes
> place in user space and the NSS library is also in user space. However, it is
> surprising why it is happening.
>
> >> Hello Paul, Kevin,
> >> I can have a look at it. Kevin, can you please put a complete output of
> >> ipsec barf instead of truncated ones somewhere, maybe on
> bugzilla.redhat.com? Also, if you can provide the exact steps you followed
> to configure openswan that would also help.
> >> --
> >> Thanks and Regards
> >> Avesh
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
> --
> Thanks and Regards
> Avesh
>