<html>

  <head>

    <meta content="text/html; charset=windows-1252"

      http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

    Hi,<br>

    <br>

    Check:<br>

    -the spelling of th filename, <br>

    -the directory, the <span style="background-color:rgb(255,255,255)"><font

        color="#ff0000">vpngateway.</font></span>key should be in

    /etc/ipsec.d/private<br>

    -the owner, the 'properties' of reading, writing, etc...<br>

    <br>

    good luck.<br>

    <br>

    Laurent<br>

    <br>

    <div class="moz-cite-prefix">Le 26/11/2014 10:15, Michael Leung a

      écrit :<br>

    </div>

    <blockquote

cite="mid:CAJ6sgmi1NwZs=PNTywrySxqi-OHNffoqg+v+a6pviWhcapBTVA@mail.gmail.com"

      type="cite">

      <div dir="ltr">HI Group

        <div><br>

        </div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div>following is my ipsec.d/ipsec.secrets content</div>

        <div>#------------------------------------------------------------</div>

        <div>: RSA "<a moz-do-not-send="true"

            href="http://gateway.openswan.com">gateway.openswan.com</a>

          - HCA"<br>

        </div>

        <div><span style="background-color:rgb(255,255,255)"><font

              color="#ff0000">: RSA vpngateway.key "123123123ly"</font></span><br>

        </div>

        <div>#--------------------------------------------------------------</div>

        <div><br>

        </div>

        <div>after starting ipsec setup start</div>

        <div><br>

        </div>

        <div>we got debug info<br>

        </div>

        <div>-----------------------------------</div>

        <div>

          <div>    could not open host cert with nick name

            'vpngateway.key' in NSS DB</div>

          <div>"/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not

            found</div>

        </div>

        <div>-----------------------------------</div>

        <div><br>

        </div>

        <div>i notice that my OS is Centos 6.5 , i installed openswan

          from yum repository , which means openswan have turn

          use_nss=true on, so i can understand why we still have NSS

          certificate not found output</div>

        <div><br>

        </div>

        <div>but for which i am  wondering is </div>

        <div><br>

        </div>

        <div>we also have this debug output</div>

        <div><br>

        </div>

        <div>----------------------------------------</div>

        <div>

          <div>packet from <a moz-do-not-send="true"

              href="http://10.7.60.65:500">10.7.60.65:500</a>: received

            Vendor ID payload [RFC 3947] method set to=109 </div>

          <div>packet from <a moz-do-not-send="true"

              href="http://10.7.60.65:500">10.7.60.65:500</a>: received

            Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107,

            but already using method 109</div>

          <div>packet from <a moz-do-not-send="true"

              href="http://10.7.60.65:500">10.7.60.65:500</a>: received

            Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

            meth=106, but already using method 109</div>

          <div>packet from <a moz-do-not-send="true"

              href="http://10.7.60.65:500">10.7.60.65:500</a>: received

            Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]</div>

          <div>packet from <a moz-do-not-send="true"

              href="http://10.7.60.65:500">10.7.60.65:500</a>: ignoring

            Vendor ID payload [FRAGMENTATION 80000000]</div>

          <div>packet from <a moz-do-not-send="true"

              href="http://10.7.60.65:500">10.7.60.65:500</a>: received

            Vendor ID payload [Dead Peer Detection]</div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode

            from unknown peer 10.7.60.65</div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state

            STATE_MAIN_R0 to state STATE_MAIN_R1</div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1,

            expecting MI2</div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result

            using RFC 3947 (NAT-Traversal): no NAT detected</div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state

            STATE_MAIN_R1 to state STATE_MAIN_R2</div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2,

            expecting MI3</div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is

            ID_DER_ASN1_DN: 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=<a

              moz-do-not-send="true" href="http://nexus.openswan.com">nexus.openswan.com</a>,

            E=<a moz-do-not-send="true"

              href="mailto:supurstart@openswan.com">supurstart@openswan.com</a>'</div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert</div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains

            no data</div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains

            no data</div>

          <div><font color="#ff0000"><b>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:

                Can't find the private key from the NSS CERT (err -8177)</b></font> </div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state

            STATE_MAIN_R2 to state STATE_MAIN_R3</div>

          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3,

            ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256

            prf=oakley_sha group=modp1024}</div>

        </div>

        <div><br>

        </div>

        <div>-----------------------------------------------------------------------------</div>

        <div><br>

        </div>

        <div>seems openswan dont load x509 certificate correctly </div>

        <div><br>

        </div>

        <div>i have transform x509 certificate to pkcs12 , and import

          them to NSS DB.</div>

        <div><br>

        </div>

        <div>-------------------------------------</div>

        <div>

          <div>[root@opensips log]# certutil -L -d /etc/ipsec.d/</div>

          <div><br>

          </div>

          <div>Certificate Nickname                                    

                Trust Attributes</div>

          <div>                                                         

               SSL,S/MIME,JAR/XPI</div>

          <div><br>

          </div>

          <div><a moz-do-not-send="true"

              href="http://nexus.openswan.com">nexus.openswan.com</a> -

            HCA                       u,u,u</div>

          <div>gateway.openswan - HCA                           u,u,u</div>

        </div>

        <div>-------------------------------------</div>

        <div><br>

        </div>

        <div>please give me some advice.</div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div>--Michael Leung</div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div> </div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div><br>

        </div>

      </div>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <br>

      <pre wrap="">_______________________________________________

<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>

<a class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>

Micropayments: <a class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>

Building and Integrating Virtual Private Networks with Openswan:

<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>

</pre>

    </blockquote>

    <br>

  </body>

</html>