openswan is unusable
Has anyone managed to configure an openswan tunnel under Fedora 13?
The instructions in /usr/share/doc/openswan-doc-2.6.29 may have been
correct once upon a time, but are simply wrong now.

Someone has judged that simple exchange of RSA public/private keys
provides insufficient security, so that actual access to those keys is
further restricted by something called "NSS support", whatever that is.
Unfortunately, they neglected to tell anyone how to penetrate this extra
veil of protection, as far as I have found, thus rendering a valuable
security capability unusable by the good guys (me).

Can anyone point me to lucid and complete documentation of how to use
the "new openswan" system? After groping through random googleisms, I
found a way to create the needed RSA keys. Instead of the documented
ipsec newhostkey --output /etc/ipsec.secrets
one must first create an NSS password, which goes God-knows-where:
certutil -N -d /etc/ipsec.d
and then
ipsec newhostkey --configdir /etc/ipsec.d \
--output /etc/ipsec.d/ipsec.secrets --password <thepasswd>
to create the ipsec.secrets file, then move it up a level
mv /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets

Then you can display the public key in the usual way
ipsec showhostkey --left
and use it to construct /etc/ipsec.d/net2net.conf based on the example
in <doc>/openswan-doc-2.6.29/config.html.

After doing this on the local and remote gateway machines, so they know
how to communicate and recognize each other, the tunnel ought to work.
But it doesn't.

When I try to start the tunnel there's a mysterious error
ipsec auto --up net2net
...
003 "net2net" #1: Can't find the private key from the NSS CERT (err -12285)
...
and the negotiation fails.

Can anyone give a clue how to access this very well hidden private key?
Google can't.

--
David A. De Graaf DATIX, Inc. Hendersonville, NC
dad@xxxxxxxx www.datix.us
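An added diagnostic (not from the original post and not openswan's own tooling) that checks the pieces the procedure above depends on before "ipsec auto --up" is attempted: the NSS database directory created by certutil -N, the secrets file after the mv to /etc/ipsec.secrets, and, when certutil is installed, the private keys the NSS DB actually holds via certutil -K. The legacy file names cert8.db/key3.db/secmod.db and the 600 modes are assumptions about a standard NSS install of that era.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: check what openswan's NSS build
# needs before pluto can locate a private key for the "net2net" connection.
# Assumptions: legacy NSS files cert8.db/key3.db/secmod.db as created by
# "certutil -N -d DIR"; pluto reads /etc/ipsec.secrets, not /etc/ipsec.d/.

# nss_dir_check DIR: 0 if the three DB files exist and key3.db (the private
# key store) is not group/world readable, 1 otherwise. One line per finding.
nss_dir_check() {
    dir=$1; rc=0
    [ -d "$dir" ] || { echo "MISSING dir $dir"; return 1; }
    for f in cert8.db key3.db secmod.db; do
        if [ -f "$dir/$f" ]; then echo "ok   $dir/$f"
        else echo "MISSING $dir/$f (create with: certutil -N -d $dir)"; rc=1; fi
    done
    if [ -f "$dir/key3.db" ] && [ "$(ls -l "$dir/key3.db" | cut -c5-10)" != "------" ]; then
        echo "WEAK $dir/key3.db is group/world readable (chmod 600)"; rc=1
    fi
    # The post moves ipsec.secrets out of the NSS dir; a leftover copy hints
    # that the move was skipped or that newhostkey was run twice.
    [ -f "$dir/ipsec.secrets" ] && echo "NOTE $dir/ipsec.secrets still present"
    return $rc
}

# secrets_check FILE: 0 if FILE exists, holds an ": RSA" entry and is mode 600.
secrets_check() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "MISSING $f"; return 1; }
    if grep -q '^: RSA' "$f"; then echo "ok   $f has an RSA entry"
    else echo "BAD  $f has no ': RSA' entry"; rc=1; fi
    if [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
        echo "WEAK $f is group/world readable (chmod 600)"; rc=1
    fi
    return $rc
}

# list_nss_keys DIR [PWFILE]: list the private keys in the NSS DB with
# certutil -K; -f reads the DB password from PWFILE instead of prompting.
list_nss_keys() {
    command -v certutil >/dev/null || { echo "certutil not installed"; return 1; }
    if [ -n "${2:-}" ]; then certutil -K -d "$1" -f "$2"; else certutil -K -d "$1"; fi
}

# Run every check against the paths used in the post:  sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then
    nss_dir_check /etc/ipsec.d; secrets_check /etc/ipsec.secrets; list_nss_keys /etc/ipsec.d
fi
```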