Can you tell us what has been fixed in libreswan 3.23 for nssdb issue?

Regards,
Shagun

-----Original Message-----
From: Paul Wouters [mailto:[email protected]]
Sent: Tuesday, May 15, 2018 7:24 PM
To: Veetil, Vyshnav
Cc: [email protected]; Maheshwari, Shagun
Subject: [EXTERNAL] Re: [Swan-dev] nssdb is pointing to /etc/ipsec.d but it needs to point to the /usr/local/platform/.security/ipsec path provided in /etc/ipsec.conf

On Tue, 15 May 2018, Veetil, Vyshnav wrote:

> We are getting problem with ipsec connection in Centos7.4
>
> Libreswan is unable to read the nssdir path
> /usr/local/platform/.security/ipsec instead always trying to only read
> /etc/ipsec.d Also, want to mention that /etc/ipsec.conf already has
> ipsecdir=/usr/local/platform/.security/ipsec which was working earlier with
> CentOS 7.3.
>
> In CentOS 7.3 libreswan-3.15-8.el7.x86_64 is used.
>
> In CentOS 7.4 libreswan-3.20-3.el7.x86_64 is used.
>
> What has been changed in libreswan-3.20-3.el7.x86_64 packages?

Can you try CentOS 7.5 with libreswan 3.23 ? We fixed some things to ensure the nssdb could be in /var/lib/ipsec/nss for Debian, so it should really work for you as well.

> For overcoming the pluto related issue, I have done some changes in
> configuration file.
>
> I have removed the --stderrlog=directory in /etc/ipsec.conf

That is a pluto commandline argument, not an ipsec.conf option? The option for that would be logfile=directory

> And also replaced auth=esp and esp=aes128-sha1 with
> phase2alg=aes128-sha1 in /etc/ipsec.d/conf/71221031513.conf
> file.

esp= and phase2alg= are aliases. Both can be used. There is no auth= option. There is authby= or leftauth= / rightauth=

> What is difference between nssdir and ipsecdir if we are using in
> /etc/ipsec.conf file

The /etc/ipsec.d directory contains a bunch of config files AND the nss binary db files.
Now using ipsecdir and nssdir, you can split this and keep the configs in /etc/ipsec.d/ and keep the nss *db binary files in another dedicated nss directory (eg /var/lib/ipsec/nss on Debian)

Paul
