On Fri, 8 Feb 2019 at 00:53, Paul Wouters <[email protected]> wrote: > > I suspect andrew’s kvm magic compile invocations to not yet enable IPsec > profiles for nss
Yea, it turned out getting it to auto-detect got messy - plutomain.c likes to print the decision. Just tweaking the KVM make line is likely easiest for now. > Sent from mobile device > > > On Feb 8, 2019, at 00:32, D. Hugh Redelmeier <[email protected]> wrote: > > > > The test is still failing. The same way. > > > > My guests have NSS 3.41. > > > > My host has 3.39. Could that matter? How? > > > > | From: Paul Wouters <[email protected]> > > | Date: Sat, 2 Feb 2019 21:57:42 -0500 (EST) > > | > > | On Sat, 2 Feb 2019, D. Hugh Redelmeier wrote: > > | > > | > Subject: [Swan-dev] ikev2-x509-02-eku > > | > > > | > This failed for me last night. > > | > > > | > +002 "ikev2-westnet-eastnet-x509-cr" #2: IKE SA authentication request > > | > rejected by peer: AUTHENTICATION_FAILED > > | > > | Seems due to: > > | > > | "ikev2-westnet-eastnet-x509-cr" #1: ERROR: Certificate key usage > > inadequate > > | for attempted operation. > > | > > | I guess you are not using the latest nss 3.41 ? > > | > > | Maybe run a yum update in your guests? > > | Easiest is to bring up east, west and nic > > | > > | ssh root@nic and issue /testing/guestbin/nic-internet > > | > > | Then ssh into west and east and run yum update > > | > > | with nss 3.39 the test fails. with 3.41 it passes. > > _______________________________________________ > > Swan-dev mailing list > > [email protected] > > https://lists.libreswan.org/mailman/listinfo/swan-dev > > _______________________________________________ > Swan-dev mailing list > [email protected] > https://lists.libreswan.org/mailman/listinfo/swan-dev _______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
