[Swan-dev] ikev2-x509-02-eku
Andrew Cagney
andrew.cagney at gmail.com
Sat Feb 9 03:47:37 UTC 2019
On Fri, 8 Feb 2019 at 00:53, Paul Wouters <paul at nohats.ca> wrote:
>
> I suspect andrew’s kvm magic compile invocations to not yet enable IPsec profiles for nss
Yea, it turned out getting it to auto-detect got messy - plutomain.c
likes to print the decision.
Just tweaking the KVM make line is likely easiest for now.
> Sent from mobile device
>
> > On Feb 8, 2019, at 00:32, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> >
> > The test is still failing. The same way.
> >
> > My guests have NSS 3.41.
> >
> > My host has 3.39. Could that matter? How?
> >
> > | From: Paul Wouters <paul at nohats.ca>
> > | Date: Sat, 2 Feb 2019 21:57:42 -0500 (EST)
> > |
> > | On Sat, 2 Feb 2019, D. Hugh Redelmeier wrote:
> > |
> > | > Subject: [Swan-dev] ikev2-x509-02-eku
> > | >
> > | > This failed for me last night.
> > | >
> > | > +002 "ikev2-westnet-eastnet-x509-cr" #2: IKE SA authentication request
> > | > rejected by peer: AUTHENTICATION_FAILED
> > |
> > | Seems due to:
> > |
> > | "ikev2-westnet-eastnet-x509-cr" #1: ERROR: Certificate key usage inadequate
> > | for attempted operation.
> > |
> > | I guess you are not using the latest nss 3.41 ?
> > |
> > | Maybe run a yum update in your guests?
> > | Easiest is to bring up east, west and nic
> > |
> > | ssh root at nic and issue /testing/guestbin/nic-internet
> > |
> > | Then ssh into west and east and run yum update
> > |
> > | with nss 3.39 the test fails. with 3.41 it passes.
> > _______________________________________________
> > Swan-dev mailing list
> > Swan-dev at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan-dev
>
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
More information about the Swan-dev
mailing list