<p>Dig through the Red Hat docs for ipsec or vpn.<br>
NSS is the "netscape secure sockets" that is viewed by many as more robust than ssl. Many keys are automagically stored and accessed in /etc/pki</p>
<div class="gmail_quote">On Oct 30, 2010 1:20 PM, "David A. De Graaf" <<a href="mailto:dad@datix.us">dad@datix.us</a>> wrote:<br type="attribution">> I've posted this query on the fedora-list mailing list, but I think<br>
> the security experts at ALE might know the answers and be more<br>> helpful.<br>> <br>> <br>> Has anyone managed to configure an openswan tunnel under Fedora 13?<br>> The instructions in /usr/share/doc/openswan-doc-2.6.29 may have been<br>
> correct once upon a time, but are simply wrong now.<br>> <br>> Someone has judged that simple exchange of RSA public/private keys<br>> provides insufficient security, so that actual access to those keys is<br>
> further restricted by something called "NSS support", whatever that is.<br>> Unfortunately, they neglected to tell anyone how to penetrate this extra<br>> veil of protection, as far as I have found, thus rendering a valuable<br>
> security capability unusable by the good guys (me).<br>> <br>> Can anyone point me to lucid and complete documentation of how to use<br>> the "new openswan" system? After groping through random googleisms, I<br>
> found a way to create the needed RSA keys. Instead of the documented<br>> ipsec newhostkey --output /etc/ipsec.secrets<br>> one must first create an NSS password, which goes God-knows-where: <br>> certutil -N -d /etc/ipsec.d<br>
> and then<br>> ipsec newhostkey --configdir /etc/ipsec.d \<br>> --output /etc/ipsec.d/ipsec.secrets --password <thepasswd><br>> to create the ipsec.secrets file, then move it up a level<br>> mv /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets<br>
> <br>> Then you can display the public key in the usual way<br>> ipsec showhostkey --left<br>> and use it to construct /etc/ipsec.d/net2net.conf based on the example<br>> in <doc>/openswan-doc-2.6.29/config.html.<br>
> <br>> After doing this on the local and remote gateway machines, so they know<br>> how to communicate and recognize each other, the tunnel ought to work.<br>> But it doesn't.<br>> <br>> When I try to start the tunnel there's a mysterious error<br>
> ipsec auto --up net2net<br>> ...<br>> 003 "net2net" #1: Can't find the private key from the NSS CERT (err -12285) <br>> ...<br>> and the negotiation fails.<br>> <br>> Can anyone give a clue how to access this very well hidden private key?<br>
> Google can't.<br>> <br>> <br>> -- <br>>         David A. De Graaf DATIX, Inc. Hendersonville, NC<br>>         <a href="mailto:dad@datix.us">dad@datix.us</a> <a href="http://www.datix.us">www.datix.us</a><br>
</div>
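<p>As an added preflight check that is not part of this thread, a small POSIX shell function that verifies the artifacts the setup above should leave behind: it assumes the legacy NSS database files that <code>certutil -N -d &lt;dir&gt;</code> creates (cert8.db, key3.db, secmod.db), and takes the paths as parameters so it can be run against a test directory instead of /etc.</p>

```shell
#!/bin/sh
# Preflight for an openswan-with-NSS host key setup (added example, not from
# the thread). Defaults match the paths David used; both are overridable.
# Usage: check_ipsec_nss_setup [nssdir] [secretsfile]

check_ipsec_nss_setup() {
    nssdir="${1:-/etc/ipsec.d}"
    secrets="${2:-/etc/ipsec.secrets}"
    rc=0

    # 1. The NSS database that `certutil -N` initialises must exist;
    #    without it `ipsec newhostkey` has nowhere to store the private key.
    #    (Assumes the legacy cert8/key3/secmod layout used by NSS at the time.)
    for f in cert8.db key3.db secmod.db; do
        if [ ! -f "$nssdir/$f" ]; then
            echo "missing NSS database file: $nssdir/$f" >&2
            rc=1
        fi
    done

    # 2. ipsec.secrets must sit where pluto reads it, i.e. after the
    #    `mv /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets` step.
    if [ ! -f "$secrets" ]; then
        echo "secrets file not found: $secrets" >&2
        if [ -f "$nssdir/ipsec.secrets" ]; then
            echo "hint: it is still in $nssdir; move it to $secrets" >&2
        fi
        rc=1
    # 3. It must carry an RSA stanza, otherwise there is no key to look up.
    elif ! grep -q '^[[:space:]]*:[[:space:]]*RSA' "$secrets"; then
        echo "no ': RSA' stanza in $secrets" >&2
        rc=1
    fi

    # 4. The secrets file must not be readable by others (columns 8-10 of
    #    `ls -l` are the "other" permission bits; portable across ls flavours).
    if [ -f "$secrets" ]; then
        case "$(ls -l "$secrets" | cut -c8-10)" in
            ---) ;;
            *) echo "$secrets is readable by others; chmod 600 it" >&2; rc=1 ;;
        esac
    fi
    return $rc
}
```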