I have IPsec working in F10 with Openswan. Cert handling in F11 is
different because of NSS. How do I migrate? My F10 layout looks like:

  /etc/ipsec.d/cacerts
  /etc/ipsec.d/cacerts/ca.crt
  /etc/ipsec.d/certs
  /etc/ipsec.d/certs/ch...@thewrittenword.com.crt
  /etc/ipsec.d/certs/vpn.thewrittenword.com.crt
  /etc/ipsec.d/crls
  /etc/ipsec.d/private
  /etc/ipsec.d/private/local.key
  /etc/ipsec.d/private/local.pub
  /etc/ipsec.d/tww.conf
  /etc/ipsec.d/tww.secrets
For F11, I copied the F10 config and then did the following:

  # cd /etc/ipsec.d
  # certutil -N -d /etc/ipsec.d
  Enter a password which will be used to encrypt your keys.
  The password should be at least 8 characters long,
  and should contain at least one non-alphabetic character.

  Enter new password: [empty]
  Re-enter password: [empty]
  # certutil -A -n ch...@thewrittenword.com -t "p,p,p" \
      -i certs/ch...@thewrittenword.com.crt -d /etc/ipsec.d
  # certutil -A -n vpn.thewrittenword.com -t "p,p,p" \
      -i certs/vpn.thewrittenword.com.crt -d /etc/ipsec.d
  # certutil -A -n "TWW CA" -t "C,C,C" \
      -i cacerts/ca.crt -d /etc/ipsec.d

I made changes to the following files:

[tww.conf]
  authby=rsasig
  rightrsasigkey=%cert
  right...@vpn.thewrittenword.com
- rightcert=vpn.thewrittenword.com.crt
+ rightcert=vpn.thewrittenword.com
  leftrsasigkey=%cert
  leftid=ch...@thewrittenword.com
- leftcert=ch...@thewrittenword.com.crt
+ leftcert=ch...@thewrittenword.com
  leftsendcert=always

[tww.secrets]
-...@china@thewrittenword.com: RSA /etc/ipsec.d/private/local.key
+: RSA ch...@thewrittenword.com

When I run "/etc/init.d/ipsec restart", /var/log/messages has:

  Jun 25 00:35:16 localhost ipsec__plutorun: 002 loading certificate from ch...@thewrittenword.com
  Jun 25 00:35:16 localhost ipsec__plutorun: 002 loading certificate from vpn.thewrittenword.com
  Jun 25 00:35:16 localhost ipsec__plutorun: 002 added connection description "tww"

Then, when I try to establish the IPsec connection:

  # ipsec auto --up tww
  ...
  003 "tww" #1: Can't find the private key from the NSS CERT (err -8166)

Any ideas? BTW, README.nss from openswan-2.6.21-nss.patch should be
included in openswan-doc.

-- 
albert chin (ch...@thewrittenword.com)

-- 
fedora-list mailing list
fedora-list@redhat.com
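For anyone doing the same F10-to-F11 migration, an added example (not code from the post or from Openswan) of building the NSS database with pk12util, which imports the private key together with the end-entity certificate (certutil -A imports only certificates), and then checking with certutil -K that a key really exists under the nickname that ipsec.secrets will reference. The database path, file names and nicknames are placeholders for the reader's own layout.

```shell
#!/bin/sh
# Added example, not from the original post: migrate an Openswan PEM
# layout (/etc/ipsec.d/{cacerts,certs,private}) into an NSS database.
# Paths and nicknames are illustrative placeholders.
set -eu

# migrate_to_nss DBDIR CA_CRT LEAF_CRT LEAF_KEY NICKNAME CA_NICKNAME
migrate_to_nss() {
    db=$1 ca_crt=$2 leaf_crt=$3 leaf_key=$4 nick=$5 ca_nick=$6
    tmp=$(mktemp -d)
    # 1. Create the database with an empty password (what the post typed
    #    interactively); NSS then never prompts for this database.
    certutil -N -d "$db" --empty-password
    # 2. Bundle certificate + private key as PKCS#12 and import it.
    #    pk12util stores the key in the database and labels both objects
    #    with -name, so ": RSA $nick" in ipsec.secrets can find the key.
    #    The PBE/MAC options keep the bundle readable by older NSS.
    openssl pkcs12 -export -in "$leaf_crt" -inkey "$leaf_key" \
        -name "$nick" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -macalg sha1 -passout pass:transfer -out "$tmp/leaf.p12"
    pk12util -i "$tmp/leaf.p12" -d "$db" -W transfer
    rm -rf "$tmp"
    # 3. Import the CA and trust it to issue peer certificates.
    certutil -A -n "$ca_nick" -t "CT,," -i "$ca_crt" -d "$db"
}

# nss_has_private_key DBDIR NICKNAME: succeed if certutil -K lists a
# private key labelled NICKNAME (a certificate alone is not enough).
nss_has_private_key() {
    if certutil -K -d "$1" 2>/dev/null | grep -Fq " $2"; then
        return 0
    fi
    return 1
}

# Usage: sh migrate.sh DBDIR CA_CRT LEAF_CRT LEAF_KEY NICKNAME CA_NICKNAME
if [ $# -eq 6 ]; then
    migrate_to_nss "$@"
    nss_has_private_key "$1" "$5" && echo "private key for $5 is in $1"
fi
```

If the key check fails after the import, the nickname in ipsec.secrets does not match a key in the database and pluto will report that it cannot find the private key.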