
List:       openswan-users
Subject:    Re: [Openswan Users] NSS mandatory?
From:       Curu Wong <prinbra () gmail ! com>
Date:       2011-07-24 9:57:49
Message-ID: CAFRgckK34q4=g7xmw+i8EZZvf_Zszaijkgf=4mY_oMY=FeWG3Q () mail ! gmail ! com

In CentOS 5, the distribution openswan RPM package uses NSS, and it seems
there's no configuration option to disable that. Maybe you can download
the source RPM and recompile it without NSS.


2011/7/24 Richard Pickett <richard.pickett@csrtechnologies.com>

> Hi all (Hi Paul!),
>
> Sooooo, I've got openswan installed stock-rpm on centos 5.1. I didn't do
> anything special to recompile, install extra mods, etc.
>
> I'm using (as you guys probably know) x.509 auth on my connections. I
> really don't want to use nss, but can. I just don't need that level of
> lock-down.
>
> I'm thinking maybe NSS is mandatory now, I'm connecting w/ shrewsoft and as
> soon as the connection starts this is what hits the /var/log/secure:
>
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
> to=106
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set
> to=108
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [RFC 3947] method set to=109
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> ignoring Vendor ID payload [FRAGMENTATION 80000000]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [Dead Peer Detection]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> ignoring unknown Vendor ID payload
> [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
> Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197:
> received Vendor ID payload [Cisco-Unity]
> Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> responding to Main Mode from unknown peer 74.137.71.67
> Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1:
> NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
> *Jul 23 18:37:18 vhost5 pluto[4810]: NSS: DH private key creation failed*
> Jul 23 18:37:29 vhost5 ipsec__plutorun: Restarting Pluto subsystem...
> *Jul 23 18:37:29 vhost5 pluto[5363]: nss directory plutomain: /etc/ipsec.d
> *
> *Jul 23 18:37:29 vhost5 pluto[5363]: NSS Initialized*
> Jul 23 18:37:29 vhost5 pluto[5363]: Not able to open
> /proc/sys/crypto/fips_enabled, returning non-fips mode
> Jul 23 18:37:29 vhost5 pluto[5363]: Not able to open
> /proc/sys/crypto/fips_enabled, returning non-fips mode
> Jul 23 18:37:29 vhost5 pluto[5363]: Starting Pluto (Openswan Version
> 2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:5363
> Jul 23 18:37:29 vhost5 pluto[5363]: Setting NAT-Traversal port-4500
> floating to on
> Jul 23 18:37:29 vhost5 pluto[5363]:    port floating activation criteria
> nat_t=1/port_float=1
> Jul 23 18:37:29 vhost5 pluto[5363]:    including NAT-Traversal patch
> (Version 0.6c)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> OAKLEY_SERPENT_CBC: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_512: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_256: Ok (ret=0)
>  Jul 23 18:37:29 vhost5 pluto[5363]: starting up 3 cryptographic helpers
> Jul 23 18:37:29 vhost5 pluto[5363]: main fd(8) helper fd(9)
> Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1097259328
> (fd:8)
> Jul 23 18:37:29 vhost5 pluto[5363]: main fd(10) helper fd(11)
> Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1105652032
> (fd:10)
> Jul 23 18:37:29 vhost5 pluto[5363]: main fd(12) helper fd(13)
> Jul 23 18:37:29 vhost5 pluto[5363]: started helper (thread) pid=1114044736
> (fd:12)
> Jul 23 18:37:29 vhost5 pluto[5363]: Using Linux 2.6 IPsec interface code on
> 2.6.39.1-x86_64-linode19 (experimental code)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: Ok (ret=0)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jul 23 18:37:29 vhost5 pluto[5363]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Jul 23 18:37:29 vhost5 pluto[5363]: Changed path to directory
> '/etc/ipsec.d/cacerts'
> Jul 23 18:37:29 vhost5 pluto[5363]:   loaded CA cert file 'ca_crt.pem'
> (3816 bytes)
> Jul 23 18:37:29 vhost5 pluto[5363]:   loaded CA cert file
> '0000-SERVER-CA.pem' (3816 bytes)
> Jul 23 18:37:29 vhost5 pluto[5363]: Could not change to directory
> '/etc/ipsec.d/aacerts': /etc/ipsec.d
> Jul 23 18:37:29 vhost5 pluto[5363]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /etc/ipsec.d
> Jul 23 18:37:29 vhost5 pluto[5363]: Changing to directory
> '/etc/ipsec.d/crls'
> Jul 23 18:37:29 vhost5 pluto[5363]:   loaded crl file
> 'mobile_aegils_crl.pem' (1783 bytes)
> Jul 23 18:37:29 vhost5 pluto[5363]: | NSS: length of decrypted sig = 35
> Jul 23 18:37:29 vhost5 pluto[5363]: | NSS : RSA Signature verified, hash
> values matched
> Jul 23 18:37:29 vhost5 pluto[5363]: loading certificate from
> 0000-SERVER-CERT.pem
> Jul 23 18:37:29 vhost5 pluto[5363]:     could not open host cert with nick
> name '0000-SERVER-CERT.pem' in NSS DB
> Jul 23 18:37:29 vhost5 pluto[5363]: added connection description
> "mobileaegisclient"
> Jul 23 18:37:29 vhost5 pluto[5363]: listening for IKE messages
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0:cp1/eth0:cp1
> 192.168.141.50:500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0:cp1/eth0:cp1
> 192.168.141.50:4500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0/eth0
> 173.255.254.20:500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface eth0/eth0
> 173.255.254.20:4500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo 127.0.0.1:500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo 127.0.0.1:4500
> Jul 23 18:37:29 vhost5 pluto[5363]: adding interface lo/lo ::1:500
> Jul 23 18:37:29 vhost5 pluto[5363]: loading secrets from
> "/etc/ipsec.secrets"
> Jul 23 18:37:29 vhost5 pluto[5363]: loading secrets from
> "/etc/ipsec.d/ca.secrets"
> *Jul 23 18:37:33 vhost5 pluto[5363]: packet from 74.137.71.67:55197: phase
> 1 message is part of an unknown exchange*
>
>
> Since it restarts pluto, naturally it has no idea what this message is,
> since it's already forgotten this conversation.
>
> Am I right about NSS? Is there a way to turn it off, or do I just have to
> bite the bullet? If I use NSS, how much of my ipsec rsa config gets changed?
>
> Thanks!
>
> _______________________________________________
> Users@openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
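To make the sequence in the quoted log easier to check, here is an added example (not code from Openswan or from either poster) that parses syslog lines of the shape shown above and correlates the NSS failure, the pluto restart and the later "unknown exchange" rejection. The sample log is a constructed, shortened version of the excerpt in the question; the correlation rule, that a peer whose Main Mode state was created under the old pluto PID is rejected by the new PID once pluto has restarted, is this example's own reasoning about what the question describes, not something pluto reports itself.

```python
"""Triage of pluto (Openswan IKE daemon) syslog lines around an NSS failure.

Added example for this thread, not code from Openswan or from the posters.
The correlation rule implemented here (a peer mid-handshake with the old
pluto PID is later rejected with "unknown exchange" by the new PID) is
this example's own reasoning about the log quoted in the question.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened version of the /var/log/secure excerpt
# quoted in the question (the unprintable Vendor ID string is omitted).
SAMPLE_LOG = """\
Jul 23 18:37:18 vhost5 pluto[4810]: packet from 74.137.71.67:55197: received Vendor ID payload [RFC 3947] method set to=109
Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1: responding to Main Mode from unknown peer 74.137.71.67
Jul 23 18:37:18 vhost5 pluto[4810]: "mobileaegisclient"[1] 74.137.71.67 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 23 18:37:18 vhost5 pluto[4810]: NSS: DH private key creation failed
Jul 23 18:37:29 vhost5 ipsec__plutorun: Restarting Pluto subsystem...
Jul 23 18:37:29 vhost5 pluto[5363]: nss directory plutomain: /etc/ipsec.d
Jul 23 18:37:29 vhost5 pluto[5363]: NSS Initialized
Jul 23 18:37:29 vhost5 pluto[5363]: Starting Pluto (Openswan Version 2.6.21) pid:5363
Jul 23 18:37:29 vhost5 pluto[5363]: loading certificate from 0000-SERVER-CERT.pem
Jul 23 18:37:29 vhost5 pluto[5363]:     could not open host cert with nick name '0000-SERVER-CERT.pem' in NSS DB
Jul 23 18:37:29 vhost5 pluto[5363]: added connection description "mobileaegisclient"
Jul 23 18:37:33 vhost5 pluto[5363]: packet from 74.137.71.67:55197: phase 1 message is part of an unknown exchange
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
PACKET_RE = re.compile(r"packet from (?P<ip>[\d.]+):\d+: (?P<rest>.*)")
STATE_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<ip>[\d.]+) #\d+: '
    r"transition from state \S+ to state (?P<to>\S+)"
)
NICK_RE = re.compile(
    r"could not open host cert with nick name '(?P<nick>[^']+)' in NSS DB"
)


@dataclass
class Triage:
    nss_errors: list = field(default_factory=list)            # (pid, message)
    cert_lookup_failures: list = field(default_factory=list)  # (pid, nickname)
    restarts: list = field(default_factory=list)              # (old_pid, new_pid)
    lost_handshakes: list = field(default_factory=list)       # (peer_ip, old_pid, last_state)


def triage(log_text: str) -> Triage:
    """Walk the log once, tracking which pluto PID owns each peer's IKE state."""
    t = Triage()
    current_pid = None
    handshakes = {}  # peer ip -> (pluto pid that created the state, last state seen)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["prog"] != "pluto":
            continue  # ipsec__plutorun and other programs carry no IKE state
        pid, msg = m["pid"], m["msg"].strip()

        # A new pluto PID means the daemon was restarted: every in-memory
        # IKE state (half-finished Main Mode exchanges included) is gone.
        if current_pid is not None and pid != current_pid:
            t.restarts.append((current_pid, pid))
        current_pid = pid

        if msg.startswith("NSS:") and "failed" in msg:
            t.nss_errors.append((pid, msg))
        nick = NICK_RE.search(msg)
        if nick:
            t.cert_lookup_failures.append((pid, nick["nick"]))
        st = STATE_RE.search(msg)
        if st:
            handshakes[st["ip"]] = (pid, st["to"])
        pk = PACKET_RE.match(msg)
        if pk and "unknown exchange" in pk["rest"]:
            owner, state = handshakes.get(pk["ip"], (None, None))
            if owner is not None and owner != pid:
                t.lost_handshakes.append((pk["ip"], owner, state))
    return t


def report(t: Triage) -> list:
    """Human-readable findings, in the order a responder would read them."""
    lines = []
    for pid, msg in t.nss_errors:
        lines.append(f"pluto[{pid}] NSS failure: {msg}")
    for old, new in t.restarts:
        lines.append(f"pluto restarted: pid {old} -> {new} (in-flight IKE state lost)")
    for pid, nick in t.cert_lookup_failures:
        lines.append(f"pluto[{pid}] host cert nickname '{nick}' not found in the NSS DB")
    for ip, old, state in t.lost_handshakes:
        lines.append(f"peer {ip} was at {state} under pid {old}; "
                     f"its next message was rejected by the new pid as an unknown exchange")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run against the real /var/log/secure by passing the file contents to triage(); the four findings it produces for the sample above are exactly the chain Richard describes: the DH key creation failure under NSS, the restart, the host certificate that is not in the NSS database, and the peer whose Main Mode exchange died with the old process.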
