How to move from Openswan in F10 to F11?

I have IPsec working in F10 with Openswan. Cert handling in F11 is
different because of NSS. How do I migrate? My F10 layout looks like:
  /etc/ipsec.d/cacerts
  /etc/ipsec.d/cacerts/ca.crt
  /etc/ipsec.d/certs
  /etc/ipsec.d/certs/china@xxxxxxxxxxxxxxxxxxxxxx
  /etc/ipsec.d/certs/vpn.thewrittenword.com.crt
  /etc/ipsec.d/crls
  /etc/ipsec.d/private
  /etc/ipsec.d/private/local.key
  /etc/ipsec.d/private/local.pub
  /etc/ipsec.d/tww.conf
  /etc/ipsec.d/tww.secrets

For F11, I copied the F10 config and then did the following:
  # cd /etc/ipsec.d
  # certutil -N -d /etc/ipsec.d
  Enter a password which will be used to encrypt your keys.
  The password should be at least 8 characters long,
  and should contain at least one non-alphabetic character.

  Enter new password: [empty]
  Re-enter password: [empty]
  # certutil -A -n china@xxxxxxxxxxxxxxxxxx -t "p,p,p" \
  -i certs/china@xxxxxxxxxxxxxxxxxxxxxx -d /etc/ipsec.d
  # certutil -A -n vpn.thewrittenword.com -t "p,p,p" \
  -i certs/vpn.thewrittenword.com.crt -d /etc/ipsec.d
  # certutil -A -n "TWW CA" -t "C,C,C" \
  -i cacerts/ca.crt -d /etc/ipsec.d

I made changes to the following files:
  [tww.conf]
          authby=rsasig
          rightrsasigkey=%cert
          rightid=@xxxxxxxxxxxxxxxxxxxxxx
  -       rightcert=vpn.thewrittenword.com.crt
  +       rightcert=vpn.thewrittenword.com
          leftrsasigkey=%cert
          leftid=china@xxxxxxxxxxxxxxxxxx
  -       leftcert=china@xxxxxxxxxxxxxxxxxxxxxx
  +       leftcert=china@xxxxxxxxxxxxxxxxxx
          leftsendcert=always

  [tww.secrets]
  -@china@thewrittenword.com: RSA /etc/ipsec.d/private/local.key
  +: RSA china@xxxxxxxxxxxxxxxxxx
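Review bot: the new `: RSA china@...` line makes pluto look up the private key by NSS nickname, but the steps above only ran `certutil -A` for that nickname, which imports a certificate and never a private key; `private/local.key` is never loaded into the NSS key database, so the later `Can't find the private key from the NSS CERT (err -8166)` is the expected result. Import the certificate and its key together (a PKCS#12 bundle via `pk12util`) under the same nickname before pointing the secrets file at it.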

When I run "/etc/init.d/ipsec restart", /var/log/messages has:
  Jun 25 00:35:16 localhost ipsec__plutorun: 002 loading certificate from china@xxxxxxxxxxxxxxxxxx 
  Jun 25 00:35:16 localhost ipsec__plutorun: 002 loading certificate from vpn.thewrittenword.com 
  Jun 25 00:35:16 localhost ipsec__plutorun: 002 added connection description "tww"

Then, when I try to establish the IPsec connection:
  # ipsec auto --up tww
  ...
  003 "tww" #1: Can't find the private key from the NSS CERT (err -8166) 

Any ideas?

BTW, README.nss from openswan-2.6.21-nss.patch should be included in
openswan-doc.

-- 
albert chin (china@xxxxxxxxxxxxxxxxxx)
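As an added example (not from the original post or from Openswan's own documentation), the following POSIX shell script imports a PEM certificate together with its private key into an NSS database and then checks that `certutil -K` really lists a key under the nickname, which is the step missing from the migration above. The key pair, the nickname `demo-nick` and the temporary database directory are constructed for the demo; it assumes `openssl`, `certutil` and `pk12util` are installed.

```shell
#!/bin/sh
# Added example, not from the original post: put an Openswan PEM certificate
# AND its private key into an NSS database, then verify the key is present.
# certutil -A stores only the certificate; the key must come in via a
# PKCS#12 bundle and pk12util, under the same nickname the config refers to.
# Constructed for the demo: a throwaway self-signed key pair, nickname
# "demo-nick", and a temporary NSS DB instead of /etc/ipsec.d.
set -eu

# Stand-in for private/local.key and the certs/ file from the post.
make_test_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.invalid" \
        -keyout "$1/local.key" -out "$1/local.crt" >/dev/null 2>&1
}

# Bundle cert + key as PKCS#12 and import with pk12util. 3DES/SHA1 PBE is
# forced so older NSS builds can read bundles produced by OpenSSL 3.
nss_import_cert_and_key() {
    dir=$1; nick=$2
    openssl pkcs12 -export -in "$dir/local.crt" -inkey "$dir/local.key" \
        -name "$nick" -passout pass:demo \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$dir/bundle.p12"
    certutil -N -d "$dir/nssdb" --empty-password
    pk12util -i "$dir/bundle.p12" -d "$dir/nssdb" -W demo
}

# The check the post skipped: does the key database list a private key
# under this nickname? certutil -K prints one line per key with its nickname.
nss_has_private_key() {
    certutil -K -d "$1/nssdb" 2>/dev/null | grep -q -- "$2"
}

# Returns 0 if the key is found, 1 if not, 2 if the tools are not installed.
demo() {
    for tool in openssl certutil pk12util; do
        command -v "$tool" >/dev/null 2>&1 || return 2
    done
    work=$(mktemp -d)
    mkdir -p "$work/nssdb"
    make_test_keypair "$work"
    nss_import_cert_and_key "$work" demo-nick
    if nss_has_private_key "$work" demo-nick; then rc=0; else rc=1; fi
    rm -rf "$work"
    return "$rc"
}
```

The nickname passed as `-name` to `openssl pkcs12` is the one that `leftcert=` and the `: RSA` secrets line must then refer to.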

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines