<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    This line is strange, isn't it...<br>
    <br>
    : RSA "gateway.openswan.com - HCA"<br>
    <br>
    It should be like:<br>
    <br>
    : RSA file.key "pass"<br>
    <br>
    <font color="#3333ff">OR</font><br>
    <br>
    <pre wrap="">@ID_connection: RSA       {
        # RSA 2 pow n bits   debian   <i>date</i>
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=<i>pubkey</i>
        #IN KEY  xxxxx
XYXYXYXYXYYXYYXY
        # blablabla
        Modulus:
    MODMOD
        PublicExponent: 51
        # everything after this point is secret
        PrivateExponent: 0xXXXXXX
        Prime1: 0xXXXXXX
        Prime2: 0xXXXXXX
        Exponent1: 0xXXXXXX
        Exponent2: 0xXXXXXX
        Coefficient: 0xXXXXXX
        }</pre>
    <br>
    <div class="moz-cite-prefix">On 26/11/2014 10:35, Michael Leung
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJ6sgmi=Wj_xq6QEZGKXyAzqzJna1KnTaM=wQipCYU4LUDPinA@mail.gmail.com"
      type="cite">
      <div dir="ltr">This is my ipsec.conf:
        <pre wrap="">version 2.0

config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        dumpdir=/var/run/pluto/
        plutostderrlog=/var/log/pluto.log

  conn L2TP-PSK-NAT
         rightsubnet=vhost:%priv
         also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=rsasig
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport

        left=10.7.255.154
        leftsubnet=192.168.7.0/24
        leftprotoport=17/1701
        leftsendcert=always
        leftrsasigkey=%cert
        leftcert="gateway.openswan - HCC"

        right=%any
        rightprotoport=17/%any
        rightrsasigkey=%cert
</pre>
        <div><br>
        </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Wed, Nov 26, 2014 at 5:15 PM,
            Michael Leung <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:gbcbooksmj@gmail.com" target="_blank">gbcbooksmj@gmail.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div dir="ltr">Hi Group,
                <div><br>
                </div>
                <div>Following is my ipsec.d/ipsec.secrets content:</div>
                <div>#------------------------------------------------------------</div>
                <div>: RSA "gateway.openswan.com - HCA"<br>
                </div>
                <div><span style="background-color:rgb(255,255,255)"><font
                      color="#ff0000">: RSA vpngateway.key "123123123ly"</font></span><br>
                </div>
                <div>#--------------------------------------------------------------</div>
                <div><br>
                </div>
                <div>After running "ipsec setup start" we got this debug info:<br>
                </div>
                <div>-----------------------------------</div>
                <pre wrap="">    could not open host cert with nick name 'vpngateway.key' in NSS DB
"/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
</pre>
                <div>-----------------------------------</div>
                <div><br>
                </div>
                <div>I notice that my OS is CentOS 6.5; I installed
                  openswan from the yum repository, which means openswan
                  has use_nss=true turned on, so I can understand why we
                  still get the "NSS certificate not found" output.</div>
                <div><br>
                </div>
                <div>But what I am wondering about is that we also have
                  this debug output:</div>
                <div><br>
                </div>
                </div>
                <div>----------------------------------------</div>
                <pre wrap="">packet from 10.7.60.65:500: received Vendor ID payload [RFC 3947] method set to=109
packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 10.7.60.65:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
packet from 10.7.60.65:500: received Vendor ID payload [Dead Peer Detection]
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from unknown peer 10.7.60.65
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1, expecting MI2
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2, expecting MI3
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=nexus.openswan.com, E=supurstart@openswan.com'
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
<font color="#ff0000"><b>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the NSS CERT (err -8177)</b></font>
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
</pre>
                <div><br>
                </div>
                <div>-----------------------------------------------------------------------------</div>
                <div><br>
                </div>
                <div>It seems openswan doesn't load the x509 certificate
                  correctly.</div>
                <div><br>
                </div>
                <div>I have transformed the x509 certificate to pkcs12 and
                  imported it into the NSS DB.</div>
                <div><br>
                </div>
                <div>-------------------------------------</div>
                <pre wrap="">[root@opensips log]# certutil -L -d /etc/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                                     u,u,u
gateway.openswan - HCA                                       u,u,u
</pre>
                <div>-------------------------------------</div>
                <div><br>
                </div>
                <div>Please give me some advice.</div>
                <span class=""><font color="#888888">
                    <div><br>
                    </div>
                    <div>--Michael Leung</div>
                  </font></span></div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
    </blockquote>
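    <br>
    Added example (not part of this thread and not Openswan's own code): a small Python checker for the two failure modes discussed above. It cross-checks every key reference in ipsec.secrets and every leftcert=/rightcert= value in ipsec.conf against the nicknames that "certutil -L -d /etc/ipsec.d/" prints, reporting the nearest existing nickname for each miss, and it verifies that the components of a raw "@id: RSA { ... }" entry agree with each other (Modulus = Prime1*Prime2, Exponent1/Exponent2 and Coefficient derived from PrivateExponent and the primes). It assumes that with use_nss=true Openswan looks the first token after ": RSA" up as an NSS nickname whether or not it is quoted, which is what the quoted log shows for 'vpngateway.key'. The sample inputs are constructed from the values quoted in the thread; the raw key uses constructed toy primes (61 and 53) so that the arithmetic can be followed by hand.<br>

```python
import re
from math import gcd
from difflib import get_close_matches
# Constructed sample inputs, modelled on the values quoted in this thread.
SECRETS = ''': RSA "gateway.openswan.com - HCA"
: RSA vpngateway.key "123123123ly"
'''
IPSEC_CONF = '''conn L2TP-PSK-noNAT
        authby=rsasig
        leftrsasigkey=%cert
        leftcert="gateway.openswan - HCC"
        rightrsasigkey=%cert
'''
CERTUTIL_OUTPUT = '''
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                                     u,u,u
gateway.openswan - HCA                                       u,u,u
'''
RAW_SECRET = '''@gw.example: RSA {
        Modulus: 0xca1
        PublicExponent: 0x11
        # constructed toy key: p=61, q=53, e=17 (everything below is secret)
        PrivateExponent: 0xac1
        Prime1: 0x3d
        Prime2: 0x35
        Exponent1: 0x35
        Exponent2: 0x31
        Coefficient: 0x26
        }
'''

SECRET_RE = re.compile(r'^\s*:\s*RSA\s+(?:"([^"]*)"|(\S+))')
CERT_RE = re.compile(r'^\s*(?:left|right)cert\s*=\s*"?(.*?)"?\s*$')
NSS_LINE_RE = re.compile(r'^(.*?\S)\s{2,}[A-Za-z,]*\s*$')   # nickname, then trust flags
RAW_FIELDS = ('Modulus', 'PublicExponent', 'PrivateExponent', 'Prime1', 'Prime2',
              'Exponent1', 'Exponent2', 'Coefficient')
RAW_RE = re.compile(r'^\s*(%s):\s*(0x[0-9a-fA-F]+)' % '|'.join(RAW_FIELDS))

def secrets_nicknames(text):
    """Key reference of every ': RSA' line. Assumption: with use_nss=true the first
    token is looked up as an NSS nickname whether quoted or not, so both forms count."""
    refs = []
    for line in text.splitlines():
        m = SECRET_RE.match(line)
        if m:
            refs.append(m.group(1) if m.group(1) is not None else m.group(2))
    return refs

def conf_cert_nicknames(text):
    """Values of every leftcert=/rightcert= line in ipsec.conf."""
    return [m.group(1) for m in map(CERT_RE.match, text.splitlines()) if m]

def nss_nicknames(text):
    """Certificate nicknames from 'certutil -L -d <dir>' output, header skipped."""
    nicks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('Certificate Nickname'):
            continue
        m = NSS_LINE_RE.match(line)
        if m:
            nicks.append(m.group(1))
    return nicks

def check_nicknames(secrets, conf, certutil_out):
    """(source, nickname, nearest NSS nickname or None) for each reference missing from the DB."""
    available = nss_nicknames(certutil_out)
    refs = [('ipsec.secrets', n) for n in secrets_nicknames(secrets)]
    refs += [('ipsec.conf', n) for n in conf_cert_nicknames(conf)]
    problems = []
    for source, nick in refs:
        if nick not in available:
            close = get_close_matches(nick, available, n=1, cutoff=0.6)
            problems.append((source, nick, close[0] if close else None))
    return problems

def parse_raw_rsa(text):
    """Hex fields of an '@id: RSA { ... }' entry as ints; raises if any is missing."""
    fields = {m.group(1): int(m.group(2), 16)
              for m in map(RAW_RE.match, text.splitlines()) if m}
    missing = [f for f in RAW_FIELDS if f not in fields]
    if missing:
        raise ValueError('raw RSA entry missing: ' + ', '.join(missing))
    return fields

def raw_rsa_problems(k):
    """Consistency failures of a parsed raw key (empty list = all CRT parts agree)."""
    n, e, d, p, q = (k[f] for f in RAW_FIELDS[:5])
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)      # Carmichael lambda(n)
    checks = {
        'Modulus != Prime1*Prime2': n == p * q,
        'PublicExponent*PrivateExponent != 1 mod lambda(n)': (e * d) % lam == 1,
        'Exponent1 != PrivateExponent mod (Prime1-1)': k['Exponent1'] == d % (p - 1),
        'Exponent2 != PrivateExponent mod (Prime2-1)': k['Exponent2'] == d % (q - 1),
        'Coefficient != Prime2^-1 mod Prime1': (k['Coefficient'] * q) % p == 1,
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == '__main__':
    for source, nick, close in check_nicknames(SECRETS, IPSEC_CONF, CERTUTIL_OUTPUT):
        print('%s: %r not in NSS DB%s' % (source, nick, ' (nearest: %r)' % close if close else ''))
    print('raw key problems:', raw_rsa_problems(parse_raw_rsa(RAW_SECRET)) or 'none')
```

    With the sample inputs the checker reports that both ipsec.secrets entries and the leftcert value are absent from the NSS DB and offers "gateway.openswan - HCA" as the nearest existing nickname for the two near-misses, which is exactly the mismatch behind the "could not open host cert with nick name" and "Can't find the private key from the NSS CERT" lines quoted above; the raw toy key passes all five consistency checks. On a real host, feed it the actual files and the output of certutil -L instead of the constructed strings.<br>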
    <br>
  </body>
</html>