<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
I've never used NSS stuff, I'm driving old way, freewan's way :)<br>
<br>
Well I found some stuff on this url: <br>
<br>
<a class="moz-txt-link-freetext" href="http://sophie.zarb.org/distrib/CentOS/5/i386/rpms/openswan-doc/files/12">http://sophie.zarb.org/distrib/CentOS/5/i386/rpms/openswan-doc/files/12</a><br>
<br>
NSS bring some new way:<br>
<pre class="filedata">Changes in the certificates usage with Pluto
------------------------------------------------
1) ipsec.conf changes
The only change is "leftcert" field must contain the nick name of the user
cert. For example if the nickname of the user cert is "xyz", then it can be
"leftcert=xyz".
2) ipsec.secrets changes
: RSA <user-cert-nick-name>
You just need to provide the user cert's nick name. For example if the nickname
of the user cert is "xyz", then
: RSA xyz
There is no need to provide private key file information or its password.
3) changes in the directories in /etc/ipsec.d/ (cacerts, certs, private)
i)You need not have "private" or "certs" directory.
</pre>
<br>
So<br>
<br>
If I anderstood you should have to use some <b>"</b> around your <i>leftcert_value</i><br>
<br>
: RSA "<a moz-do-not-send="true" href="http://gateway.openswan.com"
target="_blank">gateway.openswan.com</a> - HCA" <br>
=> <br>
: RSA <a moz-do-not-send="true" href="http://gateway.openswan.com"
target="_blank">gateway.openswan.com</a> - HCA<br>
<br>
But I guess that some space ' ' isn't welcome, maybe you should
change your certificate (strip the ' ') to get <a
moz-do-not-send="true" href="http://gateway.openswan.com"
target="_blank">gateway.openswan.com</a>-HCA instead of <a
moz-do-not-send="true" href="http://gateway.openswan.com"
target="_blank">gateway.openswan.com</a> - HCA<br>
<br>
Good luck.<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">Le 27/11/2014 02:58, Michael Leung a
écrit :<br>
</div>
<blockquote
cite="mid:CAJ6sgmhRVAWWs=fxFO5eJKvBH9HL-SQqaG2W_CH4NJmu1kNgDw@mail.gmail.com"
type="cite">
<p dir="ltr">: RSA file. Key "password"</p>
<p dir="ltr">I try this too, openswan would considered its a
nickname and then try to read it from NSS certification DB.</p>
<div class="gmail_quote">On Nov 26, 2014 11:25 PM, "Laurent
Jouannic" <<a moz-do-not-send="true"
href="mailto:laurent.jouannic@cbsa.fr">laurent.jouannic@cbsa.fr</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> This line is strange
isn't it...<br>
<br>
: RSA "<a moz-do-not-send="true"
href="http://gateway.openswan.com" target="_blank">gateway.openswan.com</a>
- HCA"<br>
<br>
It should be like:<br>
<br>
: RSA file.key "pass"<br>
<br>
<font color="#3333ff">OR</font><br>
<br>
@ID_connection: RSA {<br>
# RSA 2 pow n bits debian <i>date</i><br>
# for signatures only, UNSAFE FOR ENCRYPTION<br>
#pubkey=<i>pubkey</i><br>
#IN KEY xxxxx <br>
XYXYXYXYXYYXYYXY<br>
# blablabla<br>
Modulus: <br>
MODMOD<br>
PublicExponent: 51<br>
# everything after this point is secret<br>
PrivateExponent: 0xXXXXXX<br>
Prime1: 0xXXXXXX<br>
Prime2: 0xXXXXXX<br>
Exponent1: 0xXXXXXX<br>
Exponent2: 0xXXXXXX<br>
Coefficient: 0xXXXXXX<br>
}<br>
<br>
<br>
<br>
<br>
<br>
<div>Le 26/11/2014 10:35, Michael Leung a écrit :<br>
</div>
<blockquote type="cite">
<div dir="ltr">this is my ipsec.conf
<div><br>
</div>
<div>
<div>version 2.0 </div>
<div><br>
</div>
<div>config setup</div>
<div> protostack=netkey</div>
<div> nat_traversal=yes</div>
<div> virtual_private=%v4:<a
moz-do-not-send="true"
href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10"
target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10</a></div>
<div> oe=off</div>
<div> dumpdir=/var/run/pluto/</div>
<div> plutostderrlog=/var/log/pluto.log</div>
<div><br>
</div>
<div> conn L2TP-PSK-NAT<br>
</div>
<div> rightsubnet=vhost:%priv</div>
<div> also=L2TP-PSK-noNAT</div>
<div><br>
</div>
<div>conn L2TP-PSK-noNAT</div>
<div> authby=rsasig</div>
<div> pfs=no</div>
<div> auto=add</div>
<div> keyingtries=3</div>
<div> rekey=no</div>
<div> ikelifetime=8h</div>
<div> keylife=1h</div>
<div> type=transport</div>
<div><br>
</div>
<div> left=10.7.255.154</div>
<div> leftsubnet=<a moz-do-not-send="true"
href="http://192.168.7.0/24" target="_blank">192.168.7.0/24</a></div>
<div> leftprotoport=17/1701</div>
<div> leftsendcert=always</div>
<div> leftrsasigkey=%cert</div>
<div> leftcert="gateway.openswan - HCC"</div>
<div><br>
</div>
<div> right=%any</div>
<div> rightprotoport=17/%any</div>
<div> rightrsasigkey=%cert</div>
</div>
<div><br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Nov 26, 2014 at 5:15
PM, Michael Leung <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:gbcbooksmj@gmail.com"
target="_blank">gbcbooksmj@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">HI Group
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>following is my ipsec.d/ipsec.secrets
content</div>
<div>#------------------------------------------------------------</div>
<div>: RSA "<a moz-do-not-send="true"
href="http://gateway.openswan.com"
target="_blank">gateway.openswan.com</a> -
HCA"<br>
</div>
<div><span
style="background-color:rgb(255,255,255)"><font
color="#ff0000">: RSA vpngateway.key
"123123123ly"</font></span><br>
</div>
<div>#--------------------------------------------------------------</div>
<div><br>
</div>
<div>after starting ipsec setup start</div>
<div><br>
</div>
<div>we got debug info<br>
</div>
<div>-----------------------------------</div>
<div>
<div> could not open host cert with nick
name 'vpngateway.key' in NSS DB</div>
<div>"/etc/ipsec.d/ipsec.secrets" line 2: NSS
certficate not found</div>
</div>
<div>-----------------------------------</div>
<div><br>
</div>
<div>i notice that my OS is Centos 6.5 , i
installed openswan from yum repository , which
means openswan have turn use_nss=true on, so i
can understand why we still have NSS
certificate not found output</div>
<div><br>
</div>
<div>but for which i am wondering is </div>
<div><br>
</div>
<div>we also have this debug output</div>
<div><br>
</div>
<div>----------------------------------------</div>
<div>
<div>packet from <a moz-do-not-send="true"
href="http://10.7.60.65:500"
target="_blank">10.7.60.65:500</a>:
received Vendor ID payload [RFC 3947] method
set to=109 </div>
<div>packet from <a moz-do-not-send="true"
href="http://10.7.60.65:500"
target="_blank">10.7.60.65:500</a>:
received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107,
but already using method 109</div>
<div>packet from <a moz-do-not-send="true"
href="http://10.7.60.65:500"
target="_blank">10.7.60.65:500</a>:
received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 109</div>
<div>packet from <a moz-do-not-send="true"
href="http://10.7.60.65:500"
target="_blank">10.7.60.65:500</a>:
received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]</div>
<div>packet from <a moz-do-not-send="true"
href="http://10.7.60.65:500"
target="_blank">10.7.60.65:500</a>:
ignoring Vendor ID payload [FRAGMENTATION
80000000]</div>
<div>packet from <a moz-do-not-send="true"
href="http://10.7.60.65:500"
target="_blank">10.7.60.65:500</a>:
received Vendor ID payload [Dead Peer
Detection]</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
responding to Main Mode from unknown peer
10.7.60.65</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
STATE_MAIN_R1: sent MR1, expecting MI2</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
NAT-Traversal: Result using RFC 3947
(NAT-Traversal): no NAT detected</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
STATE_MAIN_R2: sent MR2, expecting MI3</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=CN,
ST=Guangd, O=HCA, OU=HCA, CN=<a
moz-do-not-send="true"
href="http://nexus.openswan.com"
target="_blank">nexus.openswan.com</a>, E=<a
moz-do-not-send="true"
href="mailto:supurstart@openswan.com"
target="_blank">supurstart@openswan.com</a>'</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am
sending my cert</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password
file contains no data</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password
file contains no data</div>
<div><font color="#ff0000"><b>"L2TP-PSK-NAT"[1]
10.7.60.65 #1: Can't find the private
key from the NSS CERT (err -8177)</b></font> </div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_RSA_SIG
cipher=aes_256 prf=oakley_sha
group=modp1024}</div>
</div>
<div><br>
</div>
<div>-----------------------------------------------------------------------------</div>
<div><br>
</div>
<div>seems openswan dont load x509 certificate
correctly </div>
<div><br>
</div>
<div>i have transform x509 certificate to pkcs12
, and import them to NSS DB.</div>
<div><br>
</div>
<div>-------------------------------------</div>
<div>
<div>[root@opensips log]# certutil -L -d
/etc/ipsec.d/</div>
<div><br>
</div>
<div>Certificate Nickname
Trust Attributes</div>
<div>
SSL,S/MIME,JAR/XPI</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://nexus.openswan.com"
target="_blank">nexus.openswan.com</a> -
HCA u,u,u</div>
<div>gateway.openswan - HCA
u,u,u</div>
</div>
<div>-------------------------------------</div>
<div><br>
</div>
<div>please give me some advice.</div>
<span><font color="#888888">
<div><br>
</div>
<div><br>
</div>
<div>--Michael Leung</div>
<div><br>
</div>
<div><br>
</div>
<div> </div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
<a moz-do-not-send="true" href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>
<a moz-do-not-send="true" href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a moz-do-not-send="true" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
</div>
<br>
_______________________________________________<br>
<a moz-do-not-send="true"
href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br>
<a moz-do-not-send="true"
href="https://lists.openswan.org/mailman/listinfo/users"
target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a moz-do-not-send="true"
href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy"
target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with
Openswan:<br>
<a moz-do-not-send="true"
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155"
target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>