[Openswan Users] Building Openswan from source using NSS; did 2.6.34 break the format of *.secrets?

Greg Scott GregScott at Infrasupport.com
Thu Jun 30 02:00:32 EDT 2011


I don't want to make an RPM, just want to download and compile the
latest and greatest Openswan version.  I don't want an RPM because this
particular system is running on Fedora 12 and the latest Openswan RPM is
2.6.29.  But the latest Openswan version from ftp.openswan.org is
2.6.34.  I want to try 2.6.34 because I **still**  have tunnels that die
with 2.6.28 and my 2.6.28 flavor is using NSS. So I need to try 2.6.34,
also using NSS, and maybe it will fix whatever is making my tunnels die
occasionally.  I suppose I could try my hand at building a 2.6.34 for
Fedora 12 RPM, but I really don't know what I'm doing for building RPMs
and it's after midnight.  

So I tried all kinds of combinations to build Openswan from source using
NSS.  I tried:

make USE_LIBNSS=true programs install
make USE_FIPSCHECK=true USE_LIBNSS=true programs install

Neither of these included NSS. 

I also found a file named Makefile.inc.  I edited this file, changing
USE_LIBNSS=false to USE_LIBNSS=true.  Still no luck.  

Also, now when I start up 2.6.34, I noticed this error:

Jun 29 23:52:00 localhost pluto[1643]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"
Jun 29 23:52:00 localhost pluto[1643]: "/etc/ipsec.d/hostkey.secrets"
line 14: malformed end of RSA private key -- indented '}' required

I think I might know what's going on.  I'll bet builds that include NSS
still report loading secrets from *.secrets files - but they don't
really do it, they just report it.  And for whatever reason, creating
new host keys under earlier versions with NSS included apparently
formatted the hostkey.secrets file wrong.

So am I stuck between a rock and a hard place again?  I have a
hostkey.secrets file that doesn't work and am unable to build support
for NSS.

This is what I see when starting up 2.6.28 - I set this up about a year
ago and it uses NSS. Public IP Addresses obfuscated.  

Jun 29 10:45:58 localhost ipsec__plutorun: Starting Pluto subsystem...
Jun 29 10:45:58 localhost pluto[27038]: nss directory plutomain:
/etc/ipsec.d
Jun 29 10:45:58 localhost pluto[27038]: NSS Initialized
Jun 29 10:45:58 localhost pluto[27038]: Starting Pluto (Openswan Version
2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:27038
Jun 29 10:45:58 localhost pluto[27038]: Non-fips mode set in
/proc/sys/crypto/fips_enabled
Jun 29 10:45:58 localhost pluto[27038]: SAref support [disabled]:
Protocol not available
Jun 29 10:45:58 localhost pluto[27038]: SAbind support [disabled]:
Protocol not available
Jun 29 10:45:58 localhost pluto[27038]: Setting NAT-Traversal port-4500
floating to on
Jun 29 10:45:58 localhost pluto[27038]:    port floating activation
criteria nat_t=1/port_float=1
Jun 29 10:45:58 localhost pluto[27038]:    NAT-Traversal support
[enabled]
Jun 29 10:45:58 localhost pluto[27038]: 1 bad entries in virtual_private
- none loaded
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Jun 29 10:45:59 localhost pluto[27038]: no helpers will be started, all
cryptographic operations will be done inline
Jun 29 10:45:59 localhost pluto[27038]: Using Linux 2.6 IPsec interface
code on 2.6.32.11-99.fc12.i686.PAE (experimental code)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_enc():
Activating aes_ccm_8: Ok (ret=0)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_add(): ERROR: Algorithm
already exists
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_enc():
Activating aes_ccm_12: FAILED (ret=-17)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_add(): ERROR: Algorithm
already exists
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_enc():
Activating aes_ccm_16: FAILED (ret=-17)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_add(): ERROR: Algorithm
already exists
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_enc():
Activating aes_gcm_8: FAILED (ret=-17)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_add(): ERROR: Algorithm
already exists
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_enc():
Activating aes_gcm_12: FAILED (ret=-17)
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_add(): ERROR: Algorithm
already exists
Jun 29 10:45:59 localhost pluto[27038]: ike_alg_register_enc():
Activating aes_gcm_16: FAILED (ret=-17)
Jun 29 10:45:59 localhost pluto[27038]: Changed path to directory
'/etc/ipsec.d/cacerts'
Jun 29 10:45:59 localhost pluto[27038]: Changed path to directory
'/etc/ipsec.d/aacerts'
Jun 29 10:45:59 localhost pluto[27038]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Jun 29 10:45:59 localhost pluto[27038]: Changing to directory
'/etc/ipsec.d/crls'
Jun 29 10:45:59 localhost pluto[27038]:   Warning: empty directory
Jun 29 10:45:59 localhost pluto[27038]: added connection description
"garelick-hq"
Jun 29 10:45:59 localhost pluto[27038]: listening for IKE messages
Jun 29 10:45:59 localhost pluto[27038]: NAT-Traversal: Trying new style
NAT-T
Jun 29 10:45:59 localhost pluto[27038]: NAT-Traversal: ESPINUDP(1) setup
failed for new style NAT-T family IPv4 (errno=19)
Jun 29 10:45:59 localhost pluto[27038]: NAT-Traversal: Trying old style
NAT-T
Jun 29 10:45:59 localhost pluto[27038]: adding interface br0/br0
aaa.bbb.100.18:500
Jun 29 10:45:59 localhost pluto[27038]: adding interface br0/br0
aaa.bbb.100.18:4500
Jun 29 10:45:59 localhost pluto[27038]: adding interface eth3/eth3
10.10.10.72:500
Jun 29 10:45:59 localhost pluto[27038]: adding interface eth3/eth3
10.10.10.72:4500
Jun 29 10:45:59 localhost pluto[27038]: adding interface eth2/eth2
192.168.253.1:500
Jun 29 10:45:59 localhost pluto[27038]: adding interface eth2/eth2
192.168.253.1:4500
Jun 29 10:45:59 localhost pluto[27038]: adding interface eth1/eth1
10.86.2.1:500
Jun 29 10:45:59 localhost pluto[27038]: adding interface eth1/eth1
10.86.2.1:4500
Jun 29 10:45:59 localhost pluto[27038]: adding interface lo/lo
127.0.0.1:500
Jun 29 10:45:59 localhost pluto[27038]: adding interface lo/lo
127.0.0.1:4500
Jun 29 10:45:59 localhost pluto[27038]: adding interface lo/lo ::1:500
Jun 29 10:45:59 localhost pluto[27038]: loading secrets from
"/etc/ipsec.secrets"
Jun 29 10:45:59 localhost pluto[27038]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"

This is what I see when starting up 2.6.34.  Nothing I try makes it
include NSS support:

Jun 29 23:52:00 localhost ipsec__plutorun: Starting Pluto subsystem...
Jun 29 23:52:00 localhost pluto[1643]: Starting Pluto (Openswan Version
2.6.34; Vendor ID OE\177~c\177vyQ\177JZ) pid:1643
Jun 29 23:52:00 localhost pluto[1643]: LEAK_DETECTIVE support [disabled]
Jun 29 23:52:00 localhost pluto[1643]: OCF support for IKE [disabled]
Jun 29 23:52:00 localhost pluto[1643]: SAref support [disabled]:
Protocol not available
Jun 29 23:52:00 localhost pluto[1643]: SAbind support [disabled]:
Protocol not available
Jun 29 23:52:00 localhost pluto[1643]: NSS support [disabled]
Jun 29 23:52:00 localhost pluto[1643]: HAVE_STATSD notification support
not compiled in
Jun 29 23:52:00 localhost pluto[1643]: Setting NAT-Traversal port-4500
floating to on
Jun 29 23:52:00 localhost pluto[1643]:    port floating activation
criteria nat_t=1/port_float=1
Jun 29 23:52:00 localhost pluto[1643]:    NAT-Traversal support
[enabled]
Jun 29 23:52:00 localhost pluto[1643]: 1 bad entries in virtual_private
- none loaded
Jun 29 23:52:00 localhost pluto[1643]: using /dev/urandom as source of
random entropy
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 29 23:52:00 localhost pluto[1643]: no helpers will be started, all
cryptographic operations will be done inline
Jun 29 23:52:00 localhost pluto[1643]: Using Linux 2.6 IPsec interface
code on 2.6.32.11-99.fc12.i686.PAE (experimental code)
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_register_enc():
Activating aes_ccm_8: Ok (ret=0)
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_add(): ERROR: Algorithm
already exists
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_register_enc():
Activating aes_ccm_12: FAILED (ret=-17)
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_add(): ERROR: Algorithm
already exists
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_register_enc():
Activating aes_ccm_16: FAILED (ret=-17)
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_add(): ERROR: Algorithm
already exists
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_register_enc():
Activating aes_gcm_8: FAILED (ret=-17)
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_add(): ERROR: Algorithm
already exists
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_register_enc():
Activating aes_gcm_12: FAILED (ret=-17)
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_add(): ERROR: Algorithm
already exists
Jun 29 23:52:00 localhost pluto[1643]: ike_alg_register_enc():
Activating aes_gcm_16: FAILED (ret=-17)
Jun 29 23:52:00 localhost pluto[1643]: Changed path to directory
'/etc/ipsec.d/cacerts'
Jun 29 23:52:00 localhost pluto[1643]: Changed path to directory
'/etc/ipsec.d/aacerts'
Jun 29 23:52:00 localhost pluto[1643]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Jun 29 23:52:00 localhost pluto[1643]: Changing to directory
'/etc/ipsec.d/crls'
Jun 29 23:52:00 localhost pluto[1643]:   Warning: empty directory
Jun 29 23:52:00 localhost pluto[1643]: added connection description
"garelick-hq"
Jun 29 23:52:00 localhost pluto[1643]: listening for IKE messages
Jun 29 23:52:00 localhost pluto[1643]: adding interface br0/br0
aaa.bbb.100.18:500
Jun 29 23:52:00 localhost pluto[1643]: adding interface br0/br0
aaa.bbb.100.18:4500
Jun 29 23:52:00 localhost pluto[1643]: adding interface eth3/eth3
10.10.10.72:500
Jun 29 23:52:00 localhost pluto[1643]: adding interface eth3/eth3
10.10.10.72:4500
Jun 29 23:52:00 localhost pluto[1643]: adding interface eth3/eth3
10.10.10.72:4500
Jun 29 23:52:00 localhost pluto[1643]: adding interface eth2/eth2
192.168.253.1:500
Jun 29 23:52:00 localhost pluto[1643]: adding interface eth2/eth2
192.168.253.1:4500
Jun 29 23:52:00 localhost pluto[1643]: adding interface eth1/eth1
10.86.2.1:500
Jun 29 23:52:00 localhost pluto[1643]: adding interface eth1/eth1
10.86.2.1:4500
Jun 29 23:52:00 localhost pluto[1643]: adding interface lo/lo
127.0.0.1:500
Jun 29 23:52:00 localhost pluto[1643]: adding interface lo/lo
127.0.0.1:4500
Jun 29 23:52:00 localhost pluto[1643]: adding interface lo/lo ::1:500
Jun 29 23:52:00 localhost pluto[1643]: loading secrets from
"/etc/ipsec.secrets"
Jun 29 23:52:00 localhost pluto[1643]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"
Jun 29 23:52:00 localhost pluto[1643]: "/etc/ipsec.d/hostkey.secrets"
line 14: malformed end of RSA private key -- indented '}' required

1 - Is it possible to build Openswan from source with support for NSS
without making an RPM?

2 - Why is hostkey.secrets broken?  Or was this message from 2.6.28 not
completely true?

Thanks

- Greg Scott
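Added example, not from the post or from Openswan: a small checker for the `: RSA {` record layout of ipsec.secrets that reproduces the "indented '}' required" diagnostic above on a constructed sample whose closing brace sits at column 0 on line 14. It assumes the ipsec.secrets(5) rule that a record begins at column 0 and all continuation lines are indented, and uses placeholder hex values rather than real key material.

```python
import re

# Added checker for the "RSA {" record of ipsec.secrets(5). Assumption (not from
# the post): a record starts at column 0 and every continuation line, the closing
# '}' included, must be indented; an unindented '}' opens a new record instead,
# which is what pluto's "indented '}' required" complaint means.
FIELD_RE = re.compile(r"^(\w+):\s*(0x[0-9A-Fa-f]+|0s[A-Za-z0-9+/=]+)$")
START_RE = re.compile(r"^(?!\s).*:\s*RSA\s*\{\s*$")

def check_secrets(text: str) -> list:
    """Return 'line N: ...' problems for the RSA records in text; [] if clean."""
    problems, in_block, open_at = [], False, 0
    for num, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                                   # blank or comment line
        if in_block and line[0] not in " \t":          # record cut off early
            tail = "indented '}' required" if stripped == "}" else "unindented line"
            problems.append(f"line {num}: malformed end of RSA private key -- {tail}")
            in_block = False
        if not in_block:
            if START_RE.match(line):
                in_block, open_at = True, num
            continue
        if stripped == "}":                             # properly indented close
            in_block = False
        elif not FIELD_RE.match(stripped):              # expect "Name: 0x..." lines
            problems.append(f"line {num}: unrecognised line {stripped!r}")
    if in_block:
        problems.append(f"line {open_at}: RSA record never closed")
    return problems

# Constructed sample with placeholder values, not real key material.
GOOD = """\
# constructed, placeholder values only
: RSA   {
    # RSA 2192 bits   gw.example   Wed Jun 29 2011
    #pubkey=0sAQOplaceholder
    Modulus: 0xc0ffee01
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x0badcafe
    Prime1: 0x0bad
    Prime2: 0xcafe
    Exponent1: 0x01
    Exponent2: 0x02
    Coefficient: 0x03
    }
"""
BAD = GOOD.replace("\n    }\n", "\n}\n")   # brace at column 0, as on the post's line 14
```

Running `check_secrets` over a real hostkey.secrets before starting pluto turns the startup-time parse error into a pre-flight report.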