Hi Paul. Where did you see "authby=secret"?
You mean the 'old' environment (connections) worked without NSS? The new one, I'm pretty sure, uses the entries that I modified from 'CT' to 'P'.

I do not know that I lied. I would say I do not know the ipsec stuff. Maybe I misconfigured libreswan, but if the NSS was not used I did not know about it.

Thank you again.
Best regards.
Giuseppe

-----Original Message-----
From: Paul Wouters <[email protected]>
Sent: Tuesday, 2 April 2019 18:35
To: LAURIA Giuseppe <[email protected]>
Cc: [email protected]
Subject: [EXTERNAL] Re: AW: Re: AW: Re: AW: [Swan] INVALID_ID_INFORMATION

On Tue, 2 Apr 2019, LAURIA Giuseppe wrote:

> We finally managed to have it running.

Great!

> I did not realize that the NSS database has to be 'correct'! In the past the
> NSS database was not; i.e. the peer public key was imported, but had the
> 'Trust Attribute' set to 'CT,,'. This worked in libreswan version
> libreswan-3.15-7.5.el6_9.x86_64.

To be fair, all your connections showed authby=secret so no NSS database was used there. So you did lie a bit :)

> certutil -d sql:. -M -n "<peer-cert-nickname>" -t "P,,"
>
>
> "NEW"
> certutil -L -d sql:.
>
> Certificate Nickname                 Trust Attributes
>
>                                      SSL,S/MIME,JAR/XPI
>
> <peer-cert-nickname>                 P,,

That's good to know, I didn't know that. I tend to just generate a CA and peers.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
