[Openswan Users] Installing OpenSwan on RHEL 6

Stéphane Spahni stephane.spahni at hcuge.ch
Tue Mar 27 02:45:45 EDT 2012


Hello,

I am trying to install OpenSwan 2.6.37 on my RHEL 6 system.
I installed the Fedora 16 distrib + dependencies (glibc, ...). The ipsec
is starting but I have several errors that prevent it from working:

1) On the console:
ipsec_setup: Starting Openswan IPsec U2.6.37/K2.6.32-71.24.1.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
...
(one per defined tunnel)

2) In /var/log/secure:
Mar 26 20:00:40 vmepsos pluto[5057]: Changed path to directory '/etc/ipsec.d/cacerts'
Mar 26 20:00:40 vmepsos pluto[5057]:   loaded CA cert file 'tr_NCPSign_0.der' (1096 bytes)
Mar 26 20:00:40 vmepsos pluto[5057]:   loaded CA cert file 'sk_NCPSign_0.der' (1366 bytes)
... (many others loaded)
Mar 26 20:00:40 vmepsos pluto[5057]: Changed path to directory '/etc/ipsec.d/aacerts'
Mar 26 20:00:40 vmepsos pluto[5057]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Mar 26 20:00:40 vmepsos pluto[5057]: Changing to directory '/etc/ipsec.d/crls'
Mar 26 20:00:40 vmepsos pluto[5057]:   Warning: empty directory
Mar 26 20:00:40 vmepsos pluto[5057]: loading certificate from _ch_VPNGateway_0.der
Mar 26 20:00:40 vmepsos pluto[5057]:     could not open host cert with nick name '_ch_VPNGateway_0.der' in NSS DB
Mar 26 20:00:40 vmepsos pluto[5057]: loading certificate from _at_VPNGateway_0.der
Mar 26 20:00:40 vmepsos pluto[5057]:     could not open host cert with nick name '_at_VPNGateway_0.der' in NSS DB
Mar 26 20:00:40 vmepsos pluto[5057]: added connection description "at"

--> all certs referenced in my ipsec.conf file have the same error 
although they have been loaded during the "cacerts" loading (and the 
same certs are available in the "certs" directory).

and at the end:
Mar 26 20:00:40 vmepsos pluto[5057]: loading secrets from "/etc/ipsec.secrets"
Mar 26 20:00:40 vmepsos pluto[5057]:     could not open host cert with nick name 'VPNserver.key' in NSS DB
Mar 26 20:00:40 vmepsos pluto[5057]: "/etc/ipsec.secrets" line 1: NSS certficate not found

--> although my VPNserver.key is available (I tried PEM and DER formats).

Is there a problem with NSS on RHEL? Or is FIPS mandatory?

Thanks for any help or hint!

-- 
Stéphane Spahni
Département de l'imagerie et des
sciences de l'information médicale
Service de cybersanté et télémedecine
Rue Gabrielle-Perret-Gentil 4
CH-1211 Geneve 14


