[ale] openswan is unusable

David A. De Graaf dad at datix.us
Sat Oct 30 15:18:46 EDT 2010


On Sat, Oct 30, 2010 at 01:27:12PM -0400, Jim Kinney wrote:
> Dig on redhat docs for ipsec or vpn
> Nss is the "netscape secure sockets" that is viewed by many as more robust than
> ssl. Many keys are automagically stored and accessed in /etc/pki
> 
> On Oct 30, 2010 1:20 PM, "David A. De Graaf" <dad at datix.us> wrote:
> > I've posted this query on the fedora-list mailing list, but I think
> > the security experts at ALE might know the answers and be more
> > helpful.
> >
> >
> > Has anyone managed to configure an openswan tunnel under Fedora 13?
> > The instructions in /usr/share/doc/openswan-doc-2.6.29 may have been
> > correct once upon a time, but are simply wrong now.


NEVERMIND...    :-)

Thanks, Jim, but further depths of googling led me to discover
<doc>/README.nss where I found a hint.

The whole NSS password mess can be bypassed by NOT supplying a password
when creating the NSS db, e.g.
  certutil -N -d /etc/ipsec.d
    (just hit enter when prompted for a password)

Then create the RSA key without mentioning the --password option:
  ipsec newhostkey --configdir /etc/ipsec.d  \
    --output /etc/ipsec.d/ipsec.secrets
and continue normally to create the net2net.conf file containing the
left and right rsasigkey's.

My tunnel now connects properly.  Eureka.

-- 
	David A. De Graaf    DATIX, Inc.    Hendersonville, NC
	dad at datix.us         www.datix.us
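An added check, not part of the post above: creating the NSS database with an empty password means the RSA host key in /etc/ipsec.d is protected only by file permissions, so the one thing worth verifying afterwards is that the key database and ipsec.secrets are readable by their owner alone. The file names key3.db/key4.db (legacy and sqlite NSS key stores) and the use of GNU `stat -c` are assumptions; /etc/ipsec.d and ipsec.secrets come from the post.

```shell
#!/bin/sh
# Verify that an openswan NSS directory created without a password keeps
# its private-key material owner-only. Assumed layout: DIR/key3.db or
# DIR/key4.db (NSS key stores) and DIR/ipsec.secrets (from ipsec newhostkey).

# check_private_file FILE: return 0 if FILE exists and has no group/other bits.
check_private_file() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    # Keep only the last two octal digits (group and other permissions).
    grp_oth=${mode#${mode%??}}
    [ "$grp_oth" = "00" ]
}

# check_nss_dir DIR: check every sensitive file present in DIR; report each
# file that is group- or world-readable and return non-zero if any is.
check_nss_dir() {
    dir="$1"
    rc=0
    for f in "$dir/key3.db" "$dir/key4.db" "$dir/ipsec.secrets"; do
        [ -e "$f" ] || continue          # not every NSS version creates both stores
        if check_private_file "$f"; then
            echo "ok:       $f"
        else
            echo "INSECURE: $f is readable by group or others" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use on the directory from the post:
#   check_nss_dir /etc/ipsec.d && echo "NSS key store permissions look fine"
```

Run it as root after `ipsec newhostkey`; a non-zero exit means at least one file should be tightened with `chmod 600`.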

