[Swan] Looks like loading preshared keys does in fact need NSS

Greg Scott GregScott at infrasupport.com
Fri Jun 28 07:15:03 EEST 2013


Here is my next challenge.  I am upgrading a couple of older systems.  This is a pretty simple one with only 2 sites.  I copied my preshared keys from the old to the new systems, tried to start up ipsec and this is what my /var/log/secure shows.   So does this mean I have to build fresh keys to feed them into a new NSS database?

Not a big deal with this one because I'm updating both sites and they are physically close to each other, but will be more of a pain next week when I have to update one branch of a more complex VPN setup.

I thought I could just keep my preshared keys in ipsec.secrets or files it references.

[root at Garelick2013-fw etc]# systemctl start ipsec.service
[root at Garelick2013-fw etc]# tail /var/log/secure -f
Jun 27 23:05:37 localhost pluto[16056]: adding interface p2p1/p2p1 10.86.2.1:500
Jun 27 23:05:37 localhost pluto[16056]: adding interface p2p1/p2p1 10.86.2.1:4500
Jun 27 23:05:37 localhost pluto[16056]: adding interface p1p1/p1p1 66.173.100.18:500
Jun 27 23:05:37 localhost pluto[16056]: adding interface p1p1/p1p1 66.173.100.18:4500
Jun 27 23:05:37 localhost pluto[16056]: adding interface lo/lo 127.0.0.1:500
Jun 27 23:05:37 localhost pluto[16056]: adding interface lo/lo 127.0.0.1:4500
Jun 27 23:05:37 localhost pluto[16056]: adding interface lo/lo ::1:500
Jun 27 23:05:37 localhost pluto[16056]: loading secrets from "/etc/ipsec.secrets"
Jun 27 23:05:37 localhost pluto[16056]: loading secrets from "/etc/ipsec.d/hostkey.secrets"
Jun 27 23:05:37 localhost pluto[16056]: "/etc/ipsec.d/hostkey.secrets" line 14: CKAIDNSS keyword not found where expected in RSA key

Thanks


- Greg
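For readers hitting the same log line: the message above comes from the RSA key block in hostkey.secrets, not from the PSK entries. A PSK line in ipsec.secrets is a plain "selectors : PSK "secret"" line that pluto reads directly; an RSA block, on a libreswan system, is expected to carry a CKAIDNSS keyword pointing at the private key stored in the NSS database, and an old-style block that instead carries the raw key material in the file triggers exactly the "CKAIDNSS keyword not found where expected in RSA key" error. The checker below is an added example, not code from the original post or from libreswan: it parses a simplified form of the ipsec.secrets(5) grammar (one entry per line, "{ ... }" keyword blocks for RSA, "#" comments, "include" directives) and flags RSA blocks without CKAIDNSS. The sample file contents are constructed, with truncated placeholder hex values; the function and class names are mine.

```python
"""Flag RSA blocks in a libreswan-style secrets file that lack CKAIDNSS.

Added example (not libreswan code).  Simplified reading of ipsec.secrets(5):
"selectors : TYPE secret" entries, RSA secrets as a "{ ... }" block of
"Keyword: value" lines, "#" comments and "include" directives.  The entry
colon must be followed by whitespace, so IPv6 selectors parse; quoted
secrets containing " : " are not handled.
"""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r'^(?P<sel>.*?)\s*:\s+(?P<kind>\w+)\s*(?P<value>.*)$')


@dataclass
class Secret:
    selectors: tuple                  # () means "any peer" (the bare ": RSA" form)
    kind: str                         # PSK, RSA, XAUTH, ...
    line: int                         # 1-based line where the entry starts
    keywords: dict = field(default_factory=dict)   # block keywords or {'secret': ...}


def parse_secrets(text):
    """Return (entries, includes) from secrets-file text."""
    entries, includes = [], []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        lineno = i + 1
        if not stripped or stripped.startswith('#'):
            i += 1
            continue
        if stripped.startswith('include '):
            includes.append(stripped.split(None, 1)[1])
            i += 1
            continue
        m = ENTRY_RE.match(stripped)
        if not m:
            raise ValueError(f"line {lineno}: not an ipsec.secrets entry: {stripped!r}")
        entry = Secret(tuple(m['sel'].split()), m['kind'].upper(), lineno)
        value = m['value']
        if value.startswith('{') or value == '':
            # Brace block: collect "Keyword: value" lines up to the closing brace.
            # The opening brace may be on the entry line or on the next line.
            i += 1
            while i < len(lines) and '}' not in lines[i]:
                kl = lines[i].strip()
                if kl and not kl.startswith('#') and ':' in kl:
                    k, v = kl.split(':', 1)
                    entry.keywords[k.strip()] = v.strip()
                i += 1
        else:
            entry.keywords['secret'] = value
        entries.append(entry)
        i += 1
    return entries, includes


def check_secrets(text):
    """Return a list of problem strings; empty means every RSA block has a CKAIDNSS."""
    problems = []
    entries, _ = parse_secrets(text)
    for e in entries:
        if e.kind == 'RSA' and 'CKAIDNSS' not in e.keywords:
            problems.append(f"line {e.line}: RSA key block without CKAIDNSS keyword "
                            f"(libreswan expects the private key in NSS)")
    return problems


# Constructed samples (not real keys; hex values are truncated placeholders).
PSK_FILE = """\
# two-site tunnel keyed with a preshared key
10.86.2.1 66.173.100.18 : PSK "example-only-not-a-real-key"
include /etc/ipsec.d/*.secrets
"""

OLD_HOSTKEY = """\
: RSA {
    # RSA 2192 bits   oldfw   (constructed sample)
    Modulus: 0xc0ffee
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0xdecaf
    }
"""

NEW_HOSTKEY = """\
: RSA\t{
    # RSA 2192 bits   newfw   (constructed sample)
    #pubkey=0sAQOexample
    Modulus: 0xc0ffee
    PublicExponent: 0x03
    # everything after this point is CKA_ID in hex
    CKAIDNSS: 0xa1b2c3
    }
"""

if __name__ == '__main__':
    for name, text in [('psk', PSK_FILE), ('old hostkey', OLD_HOSTKEY), ('new hostkey', NEW_HOSTKEY)]:
        print(name, check_secrets(text) or 'ok')
```

Run against a copied-over hostkey.secrets this reports the offending block; the PSK file passes untouched, since nothing in a PSK entry refers to NSS.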
