<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
This line is strange, isn't it...<br>
<br>
: RSA "gateway.openswan.com - HCA"<br>
<br>
It should be like:<br>
<br>
: RSA file.key "pass"<br>
<br>
<font color="#3333ff">OR</font><br>
<br>
<pre wrap="">@ID_connection: RSA {
  # RSA 2 pow n bits debian <i>date</i>
  # for signatures only, UNSAFE FOR ENCRYPTION
  #pubkey=<i>pubkey</i>
  #IN KEY xxxxx
  XYXYXYXYXYYXYYXY
  # blablabla
  Modulus:
  MODMOD
  PublicExponent: 51
  # everything after this point is secret
  PrivateExponent: 0xXXXXXX
  Prime1: 0xXXXXXX
  Prime2: 0xXXXXXX
  Exponent1: 0xXXXXXX
  Exponent2: 0xXXXXXX
  Coefficient: 0xXXXXXX
}</pre>
<br>
<div class="moz-cite-prefix">On 26/11/2014 10:35, Michael Leung
wrote:<br>
</div>
<blockquote
cite="mid:CAJ6sgmi=Wj_xq6QEZGKXyAzqzJna1KnTaM=wQipCYU4LUDPinA@mail.gmail.com"
type="cite">
<div dir="ltr">This is my ipsec.conf:
<div><br>
</div>
<pre wrap="">version 2.0

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    dumpdir=/var/run/pluto/
    plutostderrlog=/var/log/pluto.log

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=rsasig
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport

    left=10.7.255.154
    leftsubnet=192.168.7.0/24
    leftprotoport=17/1701
    leftsendcert=always
    leftrsasigkey=%cert
    leftcert="gateway.openswan - HCC"

    right=%any
    rightprotoport=17/%any
    rightrsasigkey=%cert
</pre>
<div><br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Nov 26, 2014 at 5:15 PM,
Michael Leung <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:gbcbooksmj@gmail.com" target="_blank">gbcbooksmj@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Hi Group,
<div><br>
</div>
<div>Following is my ipsec.d/ipsec.secrets content:</div>
<pre wrap="">#------------------------------------------------------------
: RSA "gateway.openswan.com - HCA"
<font color="#ff0000">: RSA vpngateway.key "123123123ly"</font>
#--------------------------------------------------------------</pre>
<div><br>
</div>
<div>After running ipsec setup start,</div>
<div><br>
</div>
<div>we got this debug info:<br>
</div>
<pre wrap="">-----------------------------------
  could not open host cert with nick name 'vpngateway.key' in NSS DB
"/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
-----------------------------------</pre>
<div><br>
</div>
<div>I notice that my OS is CentOS 6.5; I installed
openswan from the yum repository, which means openswan
has use_nss=true turned on, so I can understand why we
still get the NSS certificate not found output.</div>
<div><br>
</div>
<div>But what I am wondering about is this:</div>
<div><br>
</div>
<div>we also have this debug output:</div>
<div><br>
</div>
<pre wrap="">----------------------------------------
packet from 10.7.60.65:500: received Vendor ID payload [RFC 3947] method set to=109
packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 10.7.60.65:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
packet from 10.7.60.65:500: received Vendor ID payload [Dead Peer Detection]
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from unknown peer 10.7.60.65
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1, expecting MI2
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2, expecting MI3
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=nexus.openswan.com, E=supurstart@openswan.com'
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
<font color="#ff0000"><b>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the NSS CERT (err -8177)</b></font>
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
-----------------------------------------------------------------------------</pre>
<div><br>
</div>
<div>It seems openswan doesn't load the x509 certificate
correctly.</div>
<div><br>
</div>
<div>I have transformed the x509 certificate to pkcs12 and
imported it into the NSS DB.</div>
<div><br>
</div>
<pre wrap="">-------------------------------------
[root@opensips log]# certutil -L -d /etc/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                                     u,u,u
gateway.openswan - HCA                                       u,u,u
-------------------------------------</pre>
<div><br>
</div>
<div>Please give me some advice.</div>
<span class=""><font color="#888888">
<div><br>
</div>
<div>--Michael Leung</div>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
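As an added diagnostic (not code from this thread or from Openswan), the Python script below cross-checks the names referenced by the ": RSA" lines in ipsec.secrets and by leftcert/rightcert in ipsec.conf against the nicknames that certutil -L -d /etc/ipsec.d/ lists, using constructed samples modelled on the files quoted above. It assumes, as the "could not open host cert with nick name" line above indicates, that with use_nss=true each ": RSA" token is looked up as an NSS nickname.<br>

```python
import re

# Constructed samples modelled on the thread's files (password is a placeholder).
IPSEC_CONF = """\
conn L2TP-PSK-noNAT
    authby=rsasig
    leftrsasigkey=%cert
    leftcert="gateway.openswan - HCC"
    rightrsasigkey=%cert
"""
IPSEC_SECRETS = """\
: RSA "gateway.openswan.com - HCA"
: RSA vpngateway.key "PASSWORD-PLACEHOLDER"
"""
CERTUTIL_L = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                     u,u,u
gateway.openswan - HCA                       u,u,u
"""

# ': RSA "nick"' or ': RSA token ...'; with use_nss=true the token is an NSS nickname.
SECRET_RE = re.compile(r'^\s*:\s*RSA\s+(?:"([^"]+)"|(\S+))')
CERT_RE = re.compile(r'^\s*(?:left|right)cert\s*=\s*"?([^"\n]+?)"?\s*$', re.M)

def nss_nicknames(certutil_output):
    """Nicknames listed by certutil -L: the text before the trust-attribute column."""
    names = set()
    for line in certutil_output.splitlines()[2:]:  # skip the two header lines
        m = re.match(r'^(.*?)\s{2,}(\S+)\s*$', line)
        if m:
            names.add(m.group(1).strip())
    return names

def secret_nicknames(secrets_text):
    """Tokens named by ': RSA' lines in ipsec.secrets, in file order."""
    return [m.group(1) or m.group(2)
            for m in map(SECRET_RE.match, secrets_text.splitlines()) if m]

def conf_cert_nicknames(conf_text):
    """Values of leftcert=/rightcert= in ipsec.conf, quotes stripped."""
    return CERT_RE.findall(conf_text)

def check_nicknames(conf_text, secrets_text, certutil_output):
    """Return, sorted, every referenced nickname the NSS DB does not contain."""
    referenced = set(secret_nicknames(secrets_text)) | set(conf_cert_nicknames(conf_text))
    return sorted(referenced - nss_nicknames(certutil_output))
```

Run against the samples it reports all three referenced names as absent from the NSS DB, which is the mismatch the log lines above describe; an empty result means every ": RSA" token and leftcert value has a matching NSS nickname.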
</body>
</html>