[Swan] [libreswan/libreswan] ipsec.secrets with RSA to nssdb (#287)
Paul Wouters
paul at nohats.ca
Sat Nov 2 22:55:04 UTC 2019
On Fri, 1 Nov 2019, Anatoli wrote:
> I would like to know if there is any tool to convert ipsec.secrets to nss db?
There is not, because NSS has no method of importing private keys, other
than via a PKCS#12
> And I notice some illogical behavior:
> ipsec auto --listpubkeys
> 000
> 000 List of Public Keys:
> 000
> 000 Nov 01 11:15:17 2019, 4096 RSA Key AQN2EwF/B (no private key), until --- -- --:--:-- ---- ok (expires never)
> 000 ID_FQDN '@v10g1'
> 000 Nov 01 11:15:17 2019, 4096 RSA Key AQPyMQ+eW (has private key), until --- -- --:--:-- ---- ok (expires never)
> 000 ID_FQDN '@n10gf1'
>
> ipsec auto --up n-v10g1
> 002 "n-v10g1" #2130: initiating v2 parent SA
> 181 "n-v10g1" #2130: initiate
> 181 "n-v10g1" #2130: STATE_PARENT_I1: sent v2I1, expected v2R1
> 003 "n-v10g1" #2130: Can't find the certificate or private key from the NSS CKA_ID
> 003 "n-v10g1" #2130: Failed to find our RSA key
>
> I can understand nss is here, but common pluto already knows all keys, why does it want to read it again?
It is a limitation in the current key/connection lookup that we are
looking at eliminating.
Paul