[Swan] NSS transition questions

Greg Scott GregScott at infrasupport.com
Thu May 23 12:06:36 EEST 2013


Looking forward to a long run with Libreswan - great to find you again! I noticed a thread saying Libreswan now only uses NSS. Is the old way with the key stored directly in ipsec.secrets and hostkey.secrets now gone forever?

If now forced to use NSS, is there a way to import old pre-shared keys into an NSS database? Here is the use case. I have a central site with several branch sites, all running various versions of Openswan. Historically, when the time came to update any of these sites with new hardware, I could just copy the ipsec.secrets and hostkey.secrets file from the old to the new and everyone was happy.

But with NSS, I have to generate new keys and modify CONN definitions all over the place because there was no way to import the older hostkey.secrets keys into a new NSS database. So any time any site changed to/from NSS, I had to modify CONN definitions at the central site, which could potentially affect all sites if I wasn't careful.

That was my major beef against NSS when Openswan first started using it. Also, installing directly from the .tar.gz sources had no provision to include NSS as I recall. RPM builds included NSS, but source builds from .tar.gz files did not, and since new RPMs for any given Fedora release stop coming after a year or so, I went to .tar.gz packages. For a while, some sites used NSS and others did not and this was a royal pain to go back and forth until I gradually updated everyone.

Since we apparently have to use NSS now, is there anything in place to ease the transition from the old way to the new NSS way?  Or can I continue installing Libreswan from .tar.gz files without NSS?

Thanks

- Greg Scott


Greg Scott
Infrasupport Corporation
GregScott at Infrasupport.com

Direct 1-651-260-1051