On Mon, 22 Sep 2014, Alex wrote:

So now I have the old certs that are going to expire at the end of the
year. Now that both sides are fedora20, I should be able to just
recreate new certs on each side and import both on both sides,
correct?

Yup.

One problem I did have along the way was when I tried to run "ipsec
showhostkey --right", it would report the same key as when --left was
provided instead.

You need to run showhostkey on the side that has the private key. The
option --right or --left will show change the output printing to use
leftrsasigkey= versus rightrsasigkey. So run the command with --left
on the left side and with --right on the right side. However, this is
only used for raw keys, so if you use certificates you do not use
ipsec showhostkey and only use left/rightrsasigkey=%cert

Yes, much simpler now. When you had originally said to create a
hostkey.secrets file with the ": RSA friendlyname" in it, I thought
you meant in addition (appended to) to the hostkey.secrets file, where
all the rest of the RSA key info is located. That caused all kinds of
problems until I figured out the private key was also stored in the
NSS databases.

That's right. Sorry for the confusion.

It appears my processor indeed doesn't support AES/AVX2. How much
overhead is required in software that otherwise would have been done
by the processor?

It just means you have no AES acceleration. AES is still by far the best
choice for use performance wise even without AESNI instructions.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

Reply via email to