<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
I'm having troubles getting X509 certs working with Openswan. I've followed the directions in README.nss, except that I am using EJBCA to create keys, sign certs, etc.<br>
I should only need to load the [host].p12 files on each host as it contains the CA also. Both ends have identical configuration.<br>
<br>
<b>NSS Database Setup</b><b>:<br>
</b><br>
<tt>[root@mgmt2 ipsec.d]$ rm -f *db</tt><tt><br>
</tt><tt>[root@mgmt2 ipsec.d]$ pk12util -i mgmt2.p12 -d /etc/ipsec.d</tt><tt><br>
</tt><tt>Enter a password which will be used to encrypt your keys.</tt><tt><br>
</tt><tt>The password should be at least 8 characters long,</tt><tt><br>
</tt><tt>and should contain at least one non-alphabetic character.</tt><tt><br>
</tt><tt><br>
</tt><tt>Enter new password: </tt><tt><br>
</tt><tt>Re-enter password: </tt><tt><br>
</tt><tt>Enter password for PKCS12 file: </tt><tt><br>
</tt><tt>pk12util: PKCS12 IMPORT SUCCESSFUL</tt><tt><br>
</tt><tt>[root@mgmt2 ipsec.d]$ certutil -M -n RootCA -t "C,C,C" -d /etc/ipsec.d</tt><tt><br>
</tt><tt>[root@mgmt2 ipsec.d]$ certutil -L -d /etc/ipsec.d</tt><tt><br>
</tt><tt><br>
</tt><tt>Certificate Nickname Trust Attributes</tt><tt><br>
</tt><tt> SSL,S/MIME,JAR/XPI</tt><tt><br>
</tt><tt><br>
</tt><tt>mgmt2 u,u,u</tt><tt><br>
</tt><tt>RootCA C,C,C</tt><br>
<br>
<br>
<b>OpenSwan sees them fine:</b><b><br>
</b><tt><br>
</tt><tt>[root@mgmt2 ipsec.d]$ ipsec auto --listall</tt><tt><br>
</tt><tt>000 </tt><tt><br>
</tt><tt>000 List of Public Keys:</tt><tt><br>
</tt><tt>000 </tt><tt><br>
</tt><tt>000 May 01 23:39:16 2014, 1024 RSA Key ....... (no private key), until May 31 09:58:26 2014 ok</tt><tt><br>
</tt><tt>000 ID_FQDN '@mgmt2'</tt><tt><br>
</tt><tt>000 Issuer 'CN=RootCA, O=</tt><tt><tt>xxxxx</tt>, C=xx'</tt><tt><br>
</tt><tt>000 May 01 23:39:16 2014, 1024 RSA Key ....... (no private key), until May 31 09:58:26 2014 ok</tt><tt><br>
</tt><tt>000 ID_DER_ASN1_DN 'CN=mgmt2'</tt><tt><br>
</tt><tt>000 Issuer 'CN=RootCA, O=</tt><tt><tt>xxxxx</tt>, C=xx'</tt><tt><br>
</tt><tt>000 List of Pre-shared secrets (from /etc/ipsec.secrets)</tt><tt><br>
</tt><tt>000 </tt><tt><br>
</tt><tt>000 List of X.509 End Certificates:</tt><tt><br>
</tt><tt>000 </tt><tt><br>
</tt><tt>000 May 01 23:39:16 2014, count: 1</tt><tt><br>
</tt><tt>000 subject: 'CN=mgmt2'</tt><tt><br>
</tt><tt>000 issuer: 'CN=RootCA, O=</tt><tt><tt>xxxxx</tt>, C=xx'</tt><tt><br>
</tt><tt>000 serial: 14:0e:c0:bf:04:34:d9:c4</tt><tt><br>
</tt><tt>000 pubkey: 1024 RSA Key .....</tt><tt><br>
</tt><tt>000 validity: not before May 01 09:58:26 2014 ok</tt><tt><br>
</tt><tt>000 not after May 31 09:58:26 2014 warning (expires in 29 days)</tt><tt><br>
</tt><tt>000 subjkey: xxxxxxxxxxxxx</tt><tt><br>
</tt><tt>000 authkey: xxxxxxxxxxxxx</tt><tt><br>
</tt><tt>000 </tt><tt><br>
</tt><tt>000 List of X.509 CA Certificates:</tt><tt><br>
</tt><tt>000 </tt><tt><br>
</tt><tt>000 May 01 23:39:16 2014, count: 1</tt><tt><br>
</tt><tt>000 subject: 'CN=RootCA, O=xxxxx, C=xx'</tt><tt><br>
</tt><tt>000 issuer: 'CN=RootCA, O=xxxxx, C=xx'</tt><tt><br>
</tt><tt>000 serial: 26:5f:11:73:bd:40:06:16</tt><tt><br>
</tt><tt>000 pubkey: 2048 RSA Key ....</tt><tt><br>
</tt><tt>000 validity: not before Mar 19 19:07:38 2014 ok</tt><tt><br>
</tt><tt>000 not after Mar 19 19:07:38 2034 ok</tt><tt><br>
</tt><tt>000 subjkey: xxxxxxxxxxxxx</tt><tt><br>
</tt><tt>000 authkey: xxxxxxxxxxxxx</tt><br>
<br>
<br>
However the authentication fails and it seems as though the secret mechanism isn't working properly:<br>
<br>
<blockquote><tt>May 1 09:30:11 mgmt2 pluto[6914]: | processing connection mgmt1-mgmt2</tt><br>
<tt>May 1 09:30:11 mgmt2 pluto[6914]: | started looking for secret for CN=mgmt2 ->xxx.xxx.xxx.xxx of kind PPK_PSK</tt><br>
<tt>May 1 09:30:11 mgmt2 pluto[6914]: | actually looking for secret for CN=mgmt2 ->xxx.xxx.xxx.xxx of kind PPK_PSK</tt><br>
<tt>May 1 09:30:11 mgmt2 pluto[6914]: | concluding with best_match=0 best=(nil) (lineno=-1)</tt><br>
<tt>May 1 09:30:11 mgmt2 pluto[6914]: | parent1 type: 7 group: 14 len: 2776</tt><br>
<tt>May 1 09:30:11 mgmt2 pluto[6914]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1</tt><br>
<tt>May 1 09:30:11 mgmt2 pluto[6914]: | asking helper 0 to do compute dh+iv op on seq: 4 (len=2776, pcw_work=1)</tt><br>
<tt>May 1 09:30:11 mgmt2 pluto[6914]: | crypto helper write of request: cnt=2776<wlen=2776.</tt><br>
<tt>May 1 09:30:11 mgmt2 pluto[6914]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2</tt><br>
</blockquote>
<br>
<b>Secrets<br>
<br>
</b><b></b><tt>[root@mgmt2 ipsec.d]$ cat ../ipsec.secrets</tt><tt><br>
</tt><tt> : RSA mgmt2<br>
<br>
</tt><big><br>
</big><b>Config</b><b><br>
</b><tt><br>
[root@mgmt2 ipsec.d]$ cat ../ipsec.conf<br>
<br>
version 2.0<br>
<br>
config setup<br>
plutodebug="control parsing"<br>
dumpdir=/var/run/pluto<br>
#nat_traversal=yes<br>
virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8<br>
oe=off<br>
protostack=netkey<br>
<br>
conn %default<br>
type= tunnel<br>
pfs= no<br>
rekey= no<br>
auto= start<br>
<br>
conn mgmt1-mgmt2<br>
authby= rsasig<br>
leftid= "CN=mgmt1"<br>
leftcert= mgmt1<br>
leftrsasigkey= %cert<br>
left= xxx.xxx.xxx.xxx<br>
leftsourceip= 192.168.1.2<br>
leftsubnet= 192.168.1.0/24<br>
<br>
rightid= "CN=mgmt2"<br>
rightcert= mgmt2<br>
rightrsasigkey= %cert<br>
right= yyy.yyy.yyy.yyy<br>
rightsourceip= 192.168.20.1<br>
rightsubnet= 192.168.20.0/24<br>
<br>
<br>
</tt>Can anyone shed some light on what might the problem be? I'm stumped. I had the same hosts running with pre shared keys with no issues.<br>
<br>
Cheers <br>
Jason<br>
<br>
<tt></tt>
</body>
</html>