[ale] openswan is unusable

Jim Kinney jim.kinney at gmail.com
Sat Oct 30 13:27:12 EDT 2010


Dig through the Red Hat docs for ipsec or vpn.
NSS is the "netscape secure sockets" that is viewed by many as more robust
than SSL. Many keys are automagically stored and accessed in /etc/pki.

On Oct 30, 2010 1:20 PM, "David A. De Graaf" <dad at datix.us> wrote:
> I've posted this query on the fedora-list mailing list, but I think
> the security experts at ALE might know the answers and be more
> helpful.
>
>
> Has anyone managed to configure an openswan tunnel under Fedora 13?
> The instructions in /usr/share/doc/openswan-doc-2.6.29 may have been
> correct once upon a time, but are simply wrong now.
>
> Someone has judged that simple exchange of RSA public/private keys
> provides insufficient security, so that actual access to those keys is
> further restricted by something called "NSS support", whatever that is.
> Unfortunately, they neglected to tell anyone how to penetrate this extra
> veil of protection, as far as I have found, thus rendering a valuable
> security capability unusable by the good guys (me).
>
> Can anyone point me to lucid and complete documentation of how to use
> the "new openswan" system? After groping through random googleisms, I
> found a way to create the needed RSA keys. Instead of the documented
> ipsec newhostkey --output /etc/ipsec.secrets
> one must first create an NSS password, which goes God-knows-where:
> certutil -N -d /etc/ipsec.d
> and then
> ipsec newhostkey --configdir /etc/ipsec.d \
> --output /etc/ipsec.d/ipsec.secrets --password <thepasswd>
> to create the ipsec.secrets file, then move it up a level
> mv /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets
>
> Then you can display the public key in the usual way
> ipsec showhostkey --left
> and use it to construct /etc/ipsec.d/net2net.conf based on the example
> in <doc>/openswan-doc-2.6.29/config.html.
>
> After doing this on the local and remote gateway machines, so they know
> how to communicate and recognize each other, the tunnel ought to work.
> But it doesn't.
>
> When I try to start the tunnel there's a mysterious error
> ipsec auto --up net2net
> ...
> 003 "net2net" #1: Can't find the private key from the NSS CERT (err -12285)
> ...
> and the negotiation fails.
>
> Can anyone give a clue how to access this very well hidden private key?
> Google can't.
>
>
> --
> David A. De Graaf DATIX, Inc. Hendersonville, NC
> dad at datix.us www.datix.us
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
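An added example in Python, not part of either message above and not openswan's own tooling: a small triage script for the failure David describes. It parses pluto status lines of the kind `ipsec auto --up` prints (the quoted `003 "net2net" #1: ... (err -12285)` line is the sample), pulls out the NSS error number, and checks that the NSS database directory and ipsec.secrets are present with owner-only permissions. The file names cert8.db/key3.db/secmod.db are an assumption about the legacy NSS database layout openswan 2.6.x used, the default paths /etc/ipsec.d and /etc/ipsec.secrets are taken from the thread, and the error-number table is looked up from NSS's sslerr.h rather than from anything stated in the thread.

```python
#!/usr/bin/env python3
"""Triage helper for the openswan + NSS "Can't find the private key" failure.

Added example, not code from openswan or from anyone in the thread.  Parses
pluto status lines, extracts the NSS error number, and checks that the NSS
database directory and ipsec.secrets exist with owner-only permissions.
The NSS file names below are the legacy NSS layout (cert8.db, key3.db,
secmod.db) assumed for openswan 2.6.x; verify them against your install.
"""
import os
import re
import stat
from typing import Dict, List, Optional

# pluto status line: 3-digit code, quoted connection name, state number, message
PLUTO_LINE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# trailing NSS/NSPR error number, e.g. "(err -12285)"
NSS_ERR = re.compile(r"\(err (?P<err>-?\d+)\)\s*$")

# NSS database files openswan expects in the --configdir (assumed legacy layout)
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")
# files that must never be group/world readable: the private key store and secrets
SENSITIVE = ("key3.db", "ipsec.secrets")

# from NSS's sslerr.h: SSL_ERROR_BASE (-12288) + 3; extend as needed
KNOWN_NSS_ERRORS = {
    -12285: "SSL_ERROR_NO_CERTIFICATE: no certificate or key available for authentication",
}


def parse_pluto_line(line: str) -> Optional[dict]:
    """Split one pluto status line into its fields; None if it is not one."""
    m = PLUTO_LINE.match(line.strip())
    if m is None:
        return None
    rec = {
        "code": int(m.group("code")),
        "conn": m.group("conn"),
        "state": int(m.group("state")),
        "msg": m.group("msg"),
        "nss_err": None,
    }
    e = NSS_ERR.search(rec["msg"])
    if e is not None:
        rec["nss_err"] = int(e.group("err"))
    return rec


def diagnose(line: str) -> Optional[str]:
    """Return a human-readable finding for lines carrying an NSS error, else None."""
    rec = parse_pluto_line(line)
    if rec is None or rec["nss_err"] is None:
        return None
    name = KNOWN_NSS_ERRORS.get(rec["nss_err"], "unknown NSS error")
    hint = ""
    if "private key" in rec["msg"] and "NSS" in rec["msg"]:
        hint = ("; the RSA key is not in the NSS database pluto opened, or ipsec.secrets "
                "does not reference it (generate it with `ipsec newhostkey --configdir <nssdir>`)")
    return f'conn "{rec["conn"]}" #{rec["state"]}: err {rec["nss_err"]} ({name}){hint}'


def check_key_material(files: Dict[str, int], stray_secrets_in_nss_dir: bool = False) -> List[str]:
    """Check a {basename: st_mode} map of the relevant files and return findings.

    `files` is filled by scan() from os.stat(), or constructed directly in tests.
    """
    findings = []
    for name in NSS_DB_FILES:
        if name not in files:
            findings.append(f"missing {name}: NSS database not initialised (certutil -N -d <nssdir>)")
    if "ipsec.secrets" not in files:
        if stray_secrets_in_nss_dir:
            findings.append("ipsec.secrets is still inside the NSS dir; move it to /etc/ipsec.secrets")
        else:
            findings.append("missing /etc/ipsec.secrets: generate the host key and place the secrets file there")
    for name in SENSITIVE:
        if name in files and stat.S_IMODE(files[name]) & 0o077:
            findings.append(f"{name} is group/world readable; chmod 0600 it")
    return findings


def scan(nss_dir: str = "/etc/ipsec.d", secrets_path: str = "/etc/ipsec.secrets") -> List[str]:
    """Collect file modes from disk and run the checks (needs root to read these files)."""
    files = {}
    for name in NSS_DB_FILES:
        p = os.path.join(nss_dir, name)
        if os.path.exists(p):
            files[name] = os.stat(p).st_mode
    if os.path.exists(secrets_path):
        files["ipsec.secrets"] = os.stat(secrets_path).st_mode
    stray = os.path.exists(os.path.join(nss_dir, "ipsec.secrets"))
    return check_key_material(files, stray_secrets_in_nss_dir=stray)


if __name__ == "__main__":
    # the error line quoted in the thread, plus one constructed success line
    for ln in ['003 "net2net" #1: Can\'t find the private key from the NSS CERT (err -12285)',
               '004 "net2net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established']:
        print(diagnose(ln) or f"no NSS error in: {ln}")
    for f in scan():
        print("finding:", f)
```

Run it as root on the gateway after `ipsec auto --up net2net` fails; `diagnose()` can also be fed pluto's log lines from syslog. A clean `scan()` that still leaves `diagnose()` reporting err -12285 points at the secrets file not referencing the key that is actually in the database, rather than at missing files.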