[Swan] Building site-to-site from old systems

Paul Wouters paul at nohats.ca
Sun Nov 2 01:37:58 EET 2014


On Mon, 22 Sep 2014, Alex wrote:

> So now I have the old certs that are going to expire at the end of the
> year. Now that both sides are fedora20, I should be able to just
> recreate new certs on each side and import both on both sides,
> correct?

Yup.

> One problem I did have along the way was when I tried to run "ipsec
> showhostkey --right", it would report the same key as when --left was
> provided instead.

You need to run showhostkey on the side that has the private key. The
--right or --left option changes the output to print leftrsasigkey=
versus rightrsasigkey=. So run the command with --left on the left
side and with --right on the right side. However, this is only used
for raw keys, so if you use certificates you do not use ipsec
showhostkey and only use left/rightrsasigkey=%cert

> Yes, much simpler now. When you had originally said to create a
> hostkey.secrets file with the ": RSA friendlyname" in it, I thought
> you meant in addition (appended to) to the hostkey.secrets file, where
> all the rest of the RSA key info is located. That caused all kinds of
> problems until I figured out the private key was also stored in the
> NSS databases.

That's right. Sorry for the confusion.

> It appears my processor indeed doesn't support AES/AVX2. How much
> overhead is required in software that otherwise would have been done
> by the processor?

It just means you have no AES acceleration. AES is still by far the best
choice performance-wise, even without AESNI instructions.

Paul
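
As an added illustration of the certificate path Paul describes (both certificates imported into the NSS database on both sides, no ipsec showhostkey involved), here is an example ipsec.conf conn plus the matching ipsec.secrets line. This is not configuration from the thread or from the Libreswan project; the conn name, NSS nicknames, addresses and subnets are made up and would be replaced with the real ones.

```ini
; /etc/ipsec.d/site-to-site.conf (example; names and addresses are assumed)
conn site-to-site
    ; local side: identity and key are taken from the certificate in NSS
    left=192.0.2.1
    leftid=%fromcert
    leftcert=left-fedora20        ; NSS nickname of the local certificate
    leftrsasigkey=%cert           ; public key comes from the cert, not a raw key
    leftsubnet=10.1.0.0/16
    ; remote side: its certificate was imported into the same NSS database
    right=198.51.100.1
    rightid=%fromcert
    rightcert=right-fedora20      ; NSS nickname of the peer's certificate
    rightrsasigkey=%cert
    rightsubnet=10.2.0.0/16
    authby=rsasig
    auto=start

; /etc/ipsec.d/hostkey.secrets on the left host (example)
; the private key lives in the NSS database, so the secrets file only
; names the certificate whose key pluto should use:
: RSA left-fedora20
```

The same conn stanza is used unchanged on the right host; Libreswan works out which side is local from the addresses, and only the secrets line differs there (it names right-fedora20). The key matches the nickname in the NSS database, which is why appending this line to a secrets file that already holds raw RSA key material causes the confusion mentioned above; with certificates the secrets file should contain nothing else for that host.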
