On Mon, 22 Sep 2014, Alex wrote:
So now I have the old certs that are going to expire at the end of the year. Now that both sides are fedora20, I should be able to just recreate new certs on each side and import both on both sides, correct?
Yup.
One problem I did have along the way was when I tried to run "ipsec showhostkey --right", it would report the same key as when --left was provided instead.
You need to run showhostkey on the side that has the private key. The option --right or --left will show change the output printing to use leftrsasigkey= versus rightrsasigkey. So run the command with --left on the left side and with --right on the right side. However, this is only used for raw keys, so if you use certificates you do not use ipsec showhostkey and only use left/rightrsasigkey=%cert
Yes, much simpler now. When you had originally said to create a hostkey.secrets file with the ": RSA friendlyname" in it, I thought you meant in addition (appended to) to the hostkey.secrets file, where all the rest of the RSA key info is located. That caused all kinds of problems until I figured out the private key was also stored in the NSS databases.
That's right. Sorry for the confusion.
It appears my processor indeed doesn't support AES/AVX2. How much overhead is required in software that otherwise would have been done by the processor?
It just means you have no AES acceleration. AES is still by far the best choice for use performance wise even without AESNI instructions. Paul _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
