Red Hat Bugzilla – Bug 509583
NSS support in Openswan breaks Pre-shared key support
Last modified: 2010-01-05 11:41:08 EST
NSS support which was added to openswan by Red Hat breaks Pre-shared key support for ipsec.
Pre-shared key authentication is a required minimum part of ipsec.
If it's not possible to do it with nss, it must be implemented outside of nss.
Disabling authby=secret makes it nearly impossible to interoperate with a major part of ipsec implementations.
Please fix this immediately by not building with nss or by fixing nss to support pre-shared key authentication.
I have to agree here. I am not looking forward to people contacting openswan on the mailing lists and irc channels looking to see why their F-10 -> F-11 completely breaks their tunnels. I'm pretty sure this would not be allowed for EL-x to EL-x+1.
There is already a redhat bz 507844 to address this issue, and also a fix in place. I will make a release soon and will send the patch to Paul. With that, everything which works without NSS should work with NSS.
The fix for this is already there in Fedora.
Is this still an issue?
I just verified and it is fixed already.