[Openswan Users] nss DH woes

Kevin Keane subscription at kkeane.com
Fri Jul 29 23:21:58 EDT 2011


I found my problem. It was a misconfiguration.

There still is a bug here: openswan fails very ungracefully in this situation, and the error messages give no hint as to what actually is wrong.

My nsspassword file was wrong. It should contain ONLY the password. I had a prefix in it, as follows:

NSS FIPS 140-2 Certificate DB:XXXXXXXXXXXXXXXXX

Kevin Keane
The NetTech
http://www.4nettech.com

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Kevin Keane
Sent: Friday, July 29, 2011 5:08 AM
Cc: users at openswan.org
Subject: Re: [Openswan Users] nss DH woes

I would not be surprised at all if it turned out that the root cause was a misconfiguration on my end - I'm not the most experienced openswan user out there (i.e., I am only just starting to learn IPSec, although I have plenty of Linux experience).

A couple more notes:

- The problem occurs merely by adding a certificate to the database of an otherwise working configuration (using PSK). The only things that changed are the three .db files, so I don't think the Sonicwall has anything to do with it.

- The failure mode seems like a bug. A mere misconfiguration shouldn't cause pluto to crash and restart.

And of course you are right - I cannot even conceive that NSS is fundamentally broken; that would never slip by RedHat/CentOS quality control for such an extended period. Whatever the problem is must be an unusual set of circumstances.

For all I know, it could even be a certificate that is somehow incompatible with openswan (mine was created by the CentOS certificate authority, aka dogtag). Still shouldn't crash openswan.

Kevin Keane
The NetTech
http://www.4nettech.com

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Curu Wong
Sent: Wednesday, July 27, 2011 6:46 PM
To: Richard Pickett
Cc: users at openswan.org
Subject: Re: [Openswan Users] nss DH woes

I don't quite understand the problem here.

I have been using the OpenSwan package from the official CentOS repository (of course with NSS) for 2 years, connecting several pairs of Linux servers; all work fine.

Can it be the configuration of the SonicWall that causes the problem? Forgive me if I misunderstand this situation.

2011/7/27 Richard Pickett <richard.pickett at csrtechnologies.com>
My rsa keys were 8k, I thought maybe nss was having a memory problem (like a static-size limit), so I created a whole ca/certs suite w/ 2k keys, same problem.

Avesh, any ideas on how much longer you'll be looking at this?

Thanks for your help!

On Tue, Jul 26, 2011 at 6:23 AM, Avesh Agarwal <avagarwa at redhat.com> wrote:
On 07/26/2011 06:48 AM, Kevin Keane wrote:
> Hello Avesh,
>
> Thank you so much! The log I sent was everything that I found in /var/log/secure with plutodebug=all; the only thing I did was scramble machine names and IP addresses since that could be sensitive.
>
> I added a report to bugzilla as #725699, but did not yet add the barf. There seems to be quite a bit of sensitive information in the barf, such as my iptables firewall configuration, my Sonicwall S/N, etc., things that I'd prefer not to have on bugzilla. Would you mind if I sent it to you by private email?
>
> Also, when the problem actually happens, my system becomes inaccessible. I have to then turn off ipsec on the other end. So the barf does not represent the exact moment the problem occurs; I took the barf a few minutes later (with the certs causing the problem still in the database).
>
> As for the steps I did to configure Openswan: it is the standard CentOS 5.6 Openswan RPM. openswan-2.6.21-5.el5_6.4 . So other than fiddling with the configuration, I have not done anything unusual.
>
> Come to think about it - is it possible that this is a kernel problem? This VM runs on a Rackspace VM, with a Rackspace kernel instead of a stock CentOS kernel.
>
At first sight it does not seem to be a kernel issue, as the IKE exchange takes place in user space and the NSS library is also in user space. However, it is surprising why it is happening.
>> Hello Paul, Kevin,
>> I can have a look at it. Kevin, can you please put a complete output of ipsec barf instead of truncated ones somewhere, maybe on bugzilla.redhat.com? Also, if you can provide the exact steps you followed to configure openswan, that would also help.
>> --
>> Thanks and Regards
>> Avesh
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


--
Thanks and Regards
Avesh



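An added example, not code from the original post or from the Openswan project: a small POSIX shell checker for the nsspassword file that catches the misconfiguration Kevin found at the top of the thread (a "token name:password" line instead of the bare password) and two other mistakes that would change what pluto reads as the password (CRLF line endings, more than one line). The /etc/ipsec.d path, the NSSDIR variable, the "NSS...:" prefix heuristic and the function names are assumptions made for this example; the certutil -K -d DIR -f PWFILE invocation is the standard NSS tool (list private keys, unlocking the database with the password read from -f) and is only attempted when certutil and the database directory actually exist.

```shell
#!/bin/sh
# Added example (not from the original post or the Openswan project):
# sanity-check an Openswan nsspassword file before pointing pluto at it.
# Per the thread above, the file must contain ONLY the NSS database
# password: one line, no "NSS ... Certificate DB:" token prefix.

# Assumed default location of the NSS DB and nsspassword (CentOS layout).
NSSDIR=${NSSDIR:-/etc/ipsec.d}

# check_nsspassword FILE
# Returns 0 if FILE looks like a bare one-line password, 1 otherwise.
# Diagnostics go to stderr so the exit status can be used from scripts.
check_nsspassword() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "nsspassword: no such file: $f" >&2
        return 1
    fi
    # Count lines so that a final line without a newline still counts.
    nlines=$(awk 'END { print NR }' "$f")
    if [ "$nlines" -ne 1 ]; then
        echo "nsspassword: expected exactly 1 line, found $nlines" >&2
        return 1
    fi
    # A CR from a CRLF file would be read as part of the password.
    if grep -q "$(printf '\r')" "$f"; then
        echo "nsspassword: CRLF line ending; the CR would become part of the password" >&2
        return 1
    fi
    pw=$(head -n 1 "$f")
    tab=$(printf '\t')
    case $pw in
        '')
            echo "nsspassword: file is empty" >&2
            return 1 ;;
        # Heuristic (assumption): NSS token names start with "NSS " and the
        # mistaken format in the thread was "<token name>:<password>".
        NSS*:*|*' Certificate DB:'*)
            echo "nsspassword: looks like 'token name:password'; the file must contain only the password" >&2
            return 1 ;;
        *' '|*"$tab"*)
            echo "nsspassword: trailing space or tab would become part of the password" >&2
            return 1 ;;
    esac
    # pluto runs as root, so nobody else needs to read this; warn only.
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "warning: $f is readable by group or others; chmod 600 it" >&2
    fi
    return 0
}

# verify_nss_db FILE DBDIR
# Live check: ask certutil to list the private keys in DBDIR, unlocking the
# database with the password in FILE. Returns certutil's status, or 2 when
# certutil or DBDIR is not present (check skipped).
verify_nss_db() {
    f=$1
    d=$2
    if ! command -v certutil >/dev/null 2>&1 || [ ! -d "$d" ]; then
        echo "verify_nss_db: skipping live check (certutil or $d not present)" >&2
        return 2
    fi
    certutil -K -d "$d" -f "$f" >/dev/null 2>&1
}

# Usage: sh check-nsspassword.sh /etc/ipsec.d/nsspassword
if [ -n "${1:-}" ]; then
    check_nsspassword "$1" && verify_nss_db "$1" "$NSSDIR"
fi
```

Running the script against the file from the top of the thread (a line beginning "NSS FIPS 140-2 Certificate DB:") makes check_nsspassword fail with the token-prefix message; the same file with only the password on its single line passes, and verify_nss_db then confirms that certutil can actually unlock the database with it, which is the condition pluto needs at startup.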


