<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I have almost the same configuration, except that the leftid/rightid
are different (that is because I used a different subject for the
certificate when I generated it).<br>
The ipsec tunnel is established successfully. The log message in
your case is not an error. Maybe you can paste the whole log message
and configuration on both sides.<br>
<br>
<blockquote
cite="mid:6B273FF230BCEA46ABB68AFE8CA25C5DCD763F@SG70YWXCHMBA06.zap.alcatel-lucent.com"
type="cite">
Hi,<br>
<br>
I'm having trouble getting X509 certs working with Openswan. I've
followed the directions in README.nss, except that I am using
EJBCA to create keys, sign certs, etc.<br>
I should only need to load the [host].p12 file on each host, as it
contains the CA also. Both ends have identical configuration.<br>
<br>
<b>NSS Database Setup:</b><br>
<pre>
[root@mgmt2 ipsec.d]$ rm -f *db
[root@mgmt2 ipsec.d]$ pk12util -i mgmt2.p12 -d /etc/ipsec.d
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@mgmt2 ipsec.d]$ certutil -M -n RootCA -t "C,C,C" -d /etc/ipsec.d
[root@mgmt2 ipsec.d]$ certutil -L -d /etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

mgmt2                                                        u,u,u
RootCA                                                       C,C,C
</pre>
<br>
<br>
<b>OpenSwan sees them fine:</b><br>
<pre>
[root@mgmt2 ipsec.d]$ ipsec auto --listall
000
000 List of Public Keys:
000
000 May 01 23:39:16 2014, 1024 RSA Key ....... (no private key), until May 31 09:58:26 2014 ok
000        ID_FQDN '@mgmt2'
000        Issuer 'CN=RootCA, O=xxxxx, C=xx'
000 May 01 23:39:16 2014, 1024 RSA Key ....... (no private key), until May 31 09:58:26 2014 ok
000        ID_DER_ASN1_DN 'CN=mgmt2'
000        Issuer 'CN=RootCA, O=xxxxx, C=xx'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000
000 List of X.509 End Certificates:
000
000 May 01 23:39:16 2014, count: 1
000        subject: 'CN=mgmt2'
000        issuer: 'CN=RootCA, O=xxxxx, C=xx'
000        serial: 14:0e:c0:bf:04:34:d9:c4
000        pubkey: 1024 RSA Key .....
000        validity: not before May 01 09:58:26 2014 ok
000                  not after May 31 09:58:26 2014 warning (expires in 29 days)
000        subjkey: xxxxxxxxxxxxx
000        authkey: xxxxxxxxxxxxx
000
000 List of X.509 CA Certificates:
000
000 May 01 23:39:16 2014, count: 1
000        subject: 'CN=RootCA, O=xxxxx, C=xx'
000        issuer: 'CN=RootCA, O=xxxxx, C=xx'
000        serial: 26:5f:11:73:bd:40:06:16
000        pubkey: 2048 RSA Key ....
000        validity: not before Mar 19 19:07:38 2014 ok
000                  not after Mar 19 19:07:38 2034 ok
000        subjkey: xxxxxxxxxxxxx
000        authkey: xxxxxxxxxxxxx
</pre>
<br>
<br>
However the authentication fails and it seems as though the secret
mechanism isn't working properly:<br>
<br>
<blockquote><pre>
May 1 09:30:11 mgmt2 pluto[6914]: | processing connection mgmt1-mgmt2
May 1 09:30:11 mgmt2 pluto[6914]: | started looking for secret for CN=mgmt2 ->xxx.xxx.xxx.xxx of kind PPK_PSK
May 1 09:30:11 mgmt2 pluto[6914]: | actually looking for secret for CN=mgmt2 ->xxx.xxx.xxx.xxx of kind PPK_PSK
May 1 09:30:11 mgmt2 pluto[6914]: | concluding with best_match=0 best=(nil) (lineno=-1)
May 1 09:30:11 mgmt2 pluto[6914]: | parent1 type: 7 group: 14 len: 2776
May 1 09:30:11 mgmt2 pluto[6914]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
May 1 09:30:11 mgmt2 pluto[6914]: | asking helper 0 to do compute dh+iv op on seq: 4 (len=2776, pcw_work=1)
May 1 09:30:11 mgmt2 pluto[6914]: | crypto helper write of request: cnt=2776&lt;wlen=2776.
May 1 09:30:11 mgmt2 pluto[6914]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2
</pre></blockquote>
<br>
<b>Secrets</b><br>
<pre>
[root@mgmt2 ipsec.d]$ cat ../ipsec.secrets
 : RSA mgmt2
</pre>
<br>
<b>Config</b><br>
<pre>
[root@mgmt2 ipsec.d]$ cat ../ipsec.conf

version 2.0

config setup
    plutodebug="control parsing"
    dumpdir=/var/run/pluto
    #nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8
    oe=off
    protostack=netkey

conn %default
    type= tunnel
    pfs= no
    rekey= no
    auto= start

conn mgmt1-mgmt2
    authby= rsasig
    leftid= "CN=mgmt1"
    leftcert= mgmt1
    leftrsasigkey= %cert
    left= xxx.xxx.xxx.xxx
    leftsourceip= 192.168.1.2
    leftsubnet= 192.168.1.0/24

    rightid= "CN=mgmt2"
    rightcert= mgmt2
    rightrsasigkey= %cert
    right= yyy.yyy.yyy.yyy
    rightsourceip= 192.168.20.1
    rightsubnet= 192.168.20.0/24
</pre>
<br>
Can anyone shed some light on what the problem might be? I'm
stumped. I had the same hosts running with pre-shared keys with no
issues.<br>
<br>
Cheers <br>
Jason<br>
<br>
</blockquote>
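The reply above turns on whether leftid/rightid agree with the subject of the certificate actually imported into the NSS database. The following Python script is an added example, not code from either message or from Openswan: it parses the conn sections of an ipsec.conf text and the end-certificate subjects from <tt>ipsec auto --listall</tt> output, and reports for each rsasig conn which side has a locally loaded certificate (the sample config and listall excerpt are constructed from this thread).<br>

```python
import re
# Constructed sample modelled on the thread's ipsec.conf (not the poster's actual file).
IPSEC_CONF = """\
conn mgmt1-mgmt2
    authby= rsasig
    leftid= "CN=mgmt1"
    leftcert= mgmt1
    rightid= "CN=mgmt2"
    rightcert= mgmt2
"""
# Constructed excerpt of `ipsec auto --listall` on host mgmt2, where only mgmt2.p12 was imported.
LISTALL = """\
000 List of X.509 End Certificates:
000        subject: 'CN=mgmt2'
000 List of X.509 CA Certificates:
000        subject: 'CN=RootCA, O=xxxxx, C=xx'
"""

def parse_conns(conf):
    """Return {conn_name: {key: value}} for every 'conn' section of an ipsec.conf text."""
    sections, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # top-level line: 'conn X', 'config setup', ...
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line: # indented key= value inside a conn
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip().strip('"')
    return sections

def end_cert_subjects(listall):
    """Subject DNs under 'List of X.509 End Certificates' only; the CA section is skipped."""
    _, found, rest = listall.partition("List of X.509 End Certificates:")
    end_section = rest.partition("List of X.509 CA Certificates:")[0] if found else ""
    return re.findall(r"subject:\s*'([^']*)'", end_section)

def local_side(conf, listall):
    """Per rsasig conn: the side ('left'/'right') whose id matches a loaded end cert, else None."""
    loaded = {s.replace(" ", "") for s in end_cert_subjects(listall)}
    result = {}
    for name, kv in parse_conns(conf).items():
        if kv.get("authby") != "rsasig":
            continue                               # PSK conns need no certificate
        hits = [s for s in ("left", "right") if kv.get(s + "id", "").replace(" ", "") in loaded]
        result[name] = hits[0] if hits else None   # None: neither id is a loaded cert subject
    return result
```

A result of None for a conn means neither id string matches a subject in the NSS database, which is the mismatch to look for before reading further into the pluto log.<br>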
<br>
<br>
<pre class="moz-signature" cols="72">--
Jeff Chen
Software Engineer
Siemens Canada Limited
300 Applewood Crescent
Concord, ON, L4K 5C7
Tel: 905-482-4580
Fax: 905-856-1995
e-mail: <a class="moz-txt-link-abbreviated" href="mailto:jeff.chen@siemens.com">jeff.chen@siemens.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.ruggedcom.com">www.ruggedcom.com</a>
</pre>
</body>
</html>