[Swan-dev] ikev2-x509-02-eku
Paul Wouters
paul at nohats.ca
Fri Feb 8 05:53:00 UTC 2019
I suspect andrew’s kvm magic compile invocations to not yet enable IPsec profiles for nss
Sent from mobile device
> On Feb 8, 2019, at 00:32, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
>
> The test is still failing. The same way.
>
> My guests have NSS 3.41.
>
> My host has 3.39. Could that matter? How?
>
> | From: Paul Wouters <paul at nohats.ca>
> | Date: Sat, 2 Feb 2019 21:57:42 -0500 (EST)
> |
> | On Sat, 2 Feb 2019, D. Hugh Redelmeier wrote:
> |
> | > Subject: [Swan-dev] ikev2-x509-02-eku
> | >
> | > This failed for me last night.
> | >
> | > +002 "ikev2-westnet-eastnet-x509-cr" #2: IKE SA authentication request
> | > rejected by peer: AUTHENTICATION_FAILED
> |
> | Seems due to:
> |
> | "ikev2-westnet-eastnet-x509-cr" #1: ERROR: Certificate key usage inadequate
> | for attempted operation.
> |
> | I guess you are not using the latest nss 3.41 ?
> |
> | Maybe run a yum update in your guests?
> | Easiest is to bring up east, west and nic
> |
> | ssh root at nic and issue /testing/guestbin/nic-internet
> |
> | Then ssh into west and east and run yum update
> |
> | with nss 3.39 the test fails. with 3.41 it passes.
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
More information about the Swan-dev
mailing list