<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi,<br>
    <br>
    I've never used the NSS stuff, I'm driving the old way, FreeS/WAN's way :)<br>
    <br>
    Well, I found some stuff at this URL: <br>
    <br>
<a class="moz-txt-link-freetext" href="http://sophie.zarb.org/distrib/CentOS/5/i386/rpms/openswan-doc/files/12">http://sophie.zarb.org/distrib/CentOS/5/i386/rpms/openswan-doc/files/12</a><br>
    <br>
    NSS brings a new way:<br>
    <pre class="filedata">Changes in the certificates usage with Pluto
------------------------------------------------
1) ipsec.conf changes

The only change is "leftcert" field must contain the nick name of the user
cert. For example if the nickname of the user cert is "xyz", then it can be
"leftcert=xyz".

2) ipsec.secrets changes

 : RSA <user-cert-nick-name> 

You just need to provide the user cert's nick name. For example if the nickname
of the user cert is "xyz", then

 : RSA xyz 

There is no need to provide private key file information or its password. 

3) changes in the directories in /etc/ipsec.d/ (cacerts, certs, private)  
i)You need not have "private" or "certs" directory.
</pre>
    <br>
    So<br>
    <br>
    If I understood correctly, you should use some <b>"</b> around your <i>leftcert_value</i><br>
    <br>
    : RSA "<a moz-do-not-send="true" href="http://gateway.openswan.com"
      target="_blank">gateway.openswan.com</a> - HCA"   <br>
    =>  <br>
    : RSA <a moz-do-not-send="true" href="http://gateway.openswan.com"
      target="_blank">gateway.openswan.com</a> - HCA<br>
    <br>
    But I guess a space ' ' isn't welcome; maybe you should
    change your certificate (strip the ' ') to get <a
      moz-do-not-send="true" href="http://gateway.openswan.com"
      target="_blank">gateway.openswan.com</a>-HCA instead of <a
      moz-do-not-send="true" href="http://gateway.openswan.com"
      target="_blank">gateway.openswan.com</a> - HCA<br>
    <br>
    Good luck.<br>
    <br>
    <br>
    <br>
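    A small consistency check for the NSS layout described above (an added example, not code from this thread or from the openswan project): it reads leftcert= from ipsec.conf, the ": RSA &lt;nick&gt;" lines from ipsec.secrets and the output of certutil -L, and reports nicknames that do not line up or have no private key. The sample inputs are constructed from the values quoted in this thread; the set of nicknames with private keys stands in for certutil -K output.<br>
    <br>

```python
"""Consistency check for openswan's NSS certificate references (added example, not
from this thread or the openswan project; sample inputs are constructed from the
thread's values). With use_nss=true, leftcert= in ipsec.conf and ': RSA <nick>' in
ipsec.secrets must name a nickname that `certutil -L` lists and that has a key."""
import re
import shlex
IPSEC_CONF = """\
conn L2TP-PSK-noNAT
        authby=rsasig
        leftrsasigkey=%cert
        leftcert="gateway.openswan - HCC"
        rightrsasigkey=%cert
"""
IPSEC_SECRETS = """\
: RSA "gateway.openswan.com - HCA"
: RSA vpngateway.key "123123123ly"
"""
CERTUTIL_L = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                        u,u,u
gateway.openswan - HCA                          u,u,u
"""

def conf_nicknames(conf):
    """leftcert= values; surrounding quotes are treated as delimiters (assumption)."""
    return [m.group(1).strip('"') for m in re.finditer(r'^\s*leftcert=(.+?)\s*$', conf, re.M)]

def secrets_nicknames(secrets):
    """(nickname, has_extra_tokens) per ': RSA' line. NSS form has one token; the
    old ': RSA <file> "<pass>"' form has two and pluto takes <file> as a nickname."""
    out = []
    for line in secrets.splitlines():
        tokens = shlex.split(line[5:]) if line.startswith(': RSA') else []
        if tokens:
            out.append((tokens[0], len(tokens) > 1))
    return out

def db_nicknames(certutil_output):
    """Parse `certutil -L` output into {nickname: trust}; header lines do not match."""
    rows = (re.match(r'^(.*\S)\s{2,}([A-Za-z,]+)$', l) for l in certutil_output.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}

def check(conf, secrets, certutil_output, nicks_with_key):
    """Return findings (empty list = consistent). nicks_with_key stands in for the
    nicknames that `certutil -K -d <db>` reports a private key for."""
    db, findings = db_nicknames(certutil_output), []
    for nick in conf_nicknames(conf):
        if nick not in db:
            findings.append(f"ipsec.conf leftcert {nick!r} is not a nickname in the NSS DB")
        elif nick not in nicks_with_key:
            findings.append(f"NSS DB has cert {nick!r} but no private key for it")
    for nick, has_extra in secrets_nicknames(secrets):
        if has_extra:
            findings.append(f"ipsec.secrets ': RSA {nick} ...' is the pre-NSS file/password form")
        if nick not in db:
            findings.append(f"ipsec.secrets nickname {nick!r} is not in the NSS DB")
    return findings
```

    Run check() on the real files and the output of certutil -L / certutil -K for /etc/ipsec.d; an empty list means every reference resolves to a certificate with a key.<br>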
    <div class="moz-cite-prefix">On 27/11/2014 02:58, Michael Leung
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJ6sgmhRVAWWs=fxFO5eJKvBH9HL-SQqaG2W_CH4NJmu1kNgDw@mail.gmail.com"
      type="cite">
      <p dir="ltr">: RSA file.key "password"</p>
      <p dir="ltr">I tried this too; openswan would consider it a
        nickname and then try to read it from the NSS certificate DB.</p>
      <div class="gmail_quote">On Nov 26, 2014 11:25 PM, "Laurent
        Jouannic" <<a moz-do-not-send="true"
          href="mailto:laurent.jouannic@cbsa.fr">laurent.jouannic@cbsa.fr</a>>
        wrote:<br type="attribution">
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000"> This line is strange,
            isn't it...<br>
            <br>
            : RSA "<a moz-do-not-send="true"
              href="http://gateway.openswan.com" target="_blank">gateway.openswan.com</a>
            - HCA"<br>
            <br>
            It should be like:<br>
            <br>
            : RSA file.key "pass"<br>
            <br>
            <font color="#3333ff">OR</font><br>
            <br>
            @ID_connection: RSA       {<br>
                    # RSA 2 pow n bits   debian   <i>date</i><br>
                    # for signatures only, UNSAFE FOR ENCRYPTION<br>
                    #pubkey=<i>pubkey</i><br>
                    #IN KEY  xxxxx <br>
            XYXYXYXYXYYXYYXY<br>
                    # blablabla<br>
                    Modulus: <br>
                MODMOD<br>
                    PublicExponent: 51<br>
                    # everything after this point is secret<br>
                    PrivateExponent: 0xXXXXXX<br>
                    Prime1: 0xXXXXXX<br>
                    Prime2: 0xXXXXXX<br>
                    Exponent1: 0xXXXXXX<br>
                    Exponent2: 0xXXXXXX<br>
                    Coefficient: 0xXXXXXX<br>
                    }<br>
            <br>
            <div>On 26/11/2014 10:35, Michael Leung wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">this is my ipsec.conf
                <div><br>
                </div>
                <div>
                  <div>version 2.0     </div>
                  <div><br>
                  </div>
                  <div>config setup</div>
                  <div>        protostack=netkey</div>
                  <div>        nat_traversal=yes</div>
                  <div>        virtual_private=%v4:<a
                      moz-do-not-send="true"
href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10"
                      target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10</a></div>
                  <div>        oe=off</div>
                  <div>        dumpdir=/var/run/pluto/</div>
                  <div>        plutostderrlog=/var/log/pluto.log</div>
                  <div><br>
                  </div>
                  <div>  conn L2TP-PSK-NAT<br>
                  </div>
                  <div>         rightsubnet=vhost:%priv</div>
                  <div>         also=L2TP-PSK-noNAT</div>
                  <div><br>
                  </div>
                  <div>conn L2TP-PSK-noNAT</div>
                  <div>        authby=rsasig</div>
                  <div>        pfs=no</div>
                  <div>        auto=add</div>
                  <div>        keyingtries=3</div>
                  <div>        rekey=no</div>
                  <div>        ikelifetime=8h</div>
                  <div>        keylife=1h</div>
                  <div>        type=transport</div>
                  <div><br>
                  </div>
                  <div>        left=10.7.255.154</div>
                  <div>        leftsubnet=<a moz-do-not-send="true"
                      href="http://192.168.7.0/24" target="_blank">192.168.7.0/24</a></div>
                  <div>        leftprotoport=17/1701</div>
                  <div>        leftsendcert=always</div>
                  <div>        leftrsasigkey=%cert</div>
                  <div>        leftcert="gateway.openswan - HCC"</div>
                  <div><br>
                  </div>
                  <div>        right=%any</div>
                  <div>        rightprotoport=17/%any</div>
                  <div>        rightrsasigkey=%cert</div>
                </div>
                <div><br>
                </div>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Wed, Nov 26, 2014 at 5:15
                    PM, Michael Leung <span dir="ltr"><<a
                        moz-do-not-send="true"
                        href="mailto:gbcbooksmj@gmail.com"
                        target="_blank">gbcbooksmj@gmail.com</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0px
                      0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                      <div dir="ltr">Hi Group
                        <div><br>
                        </div>
                        <div>Following is my ipsec.d/ipsec.secrets
                          content:</div>
                        <div>#------------------------------------------------------------</div>
                        <div>: RSA "<a moz-do-not-send="true"
                            href="http://gateway.openswan.com"
                            target="_blank">gateway.openswan.com</a> -
                          HCA"<br>
                        </div>
                        <div><span
                            style="background-color:rgb(255,255,255)"><font
                              color="#ff0000">: RSA vpngateway.key
                              "123123123ly"</font></span><br>
                        </div>
                        <div>#--------------------------------------------------------------</div>
                        <div><br>
                        </div>
                        <div>After starting it with ipsec setup start,</div>
                        <div><br>
                        </div>
                        <div>we got this debug info:<br>
                        </div>
                        <div>-----------------------------------</div>
                        <div>
                          <div>    could not open host cert with nick
                            name 'vpngateway.key' in NSS DB</div>
                          <div>"/etc/ipsec.d/ipsec.secrets" line 2: NSS
                            certficate not found</div>
                        </div>
                        <div>-----------------------------------</div>
                        <div><br>
                        </div>
                        <div>I notice that my OS is CentOS 6.5; I
                          installed openswan from the yum repository, which
                          means openswan has use_nss=true turned on, so I
                          can understand why we still have the "NSS
                          certificate not found" output.</div>
                        <div><br>
                        </div>
                        <div>But what I am wondering about is:</div>
                        <div><br>
                        </div>
                        <div>we also have this debug output:</div>
                        <div><br>
                        </div>
                        <div>----------------------------------------</div>
                        <div>
                          <div>packet from <a moz-do-not-send="true"
                              href="http://10.7.60.65:500"
                              target="_blank">10.7.60.65:500</a>:
                            received Vendor ID payload [RFC 3947] method
                            set to=109 </div>
                          <div>packet from <a moz-do-not-send="true"
                              href="http://10.7.60.65:500"
                              target="_blank">10.7.60.65:500</a>:
                            received Vendor ID payload
                            [draft-ietf-ipsec-nat-t-ike-02] meth=107,
                            but already using method 109</div>
                          <div>packet from <a moz-do-not-send="true"
                              href="http://10.7.60.65:500"
                              target="_blank">10.7.60.65:500</a>:
                            received Vendor ID payload
                            [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
                            but already using method 109</div>
                          <div>packet from <a moz-do-not-send="true"
                              href="http://10.7.60.65:500"
                              target="_blank">10.7.60.65:500</a>:
                            received Vendor ID payload
                            [draft-ietf-ipsec-nat-t-ike-00]</div>
                          <div>packet from <a moz-do-not-send="true"
                              href="http://10.7.60.65:500"
                              target="_blank">10.7.60.65:500</a>:
                            ignoring Vendor ID payload [FRAGMENTATION
                            80000000]</div>
                          <div>packet from <a moz-do-not-send="true"
                              href="http://10.7.60.65:500"
                              target="_blank">10.7.60.65:500</a>:
                            received Vendor ID payload [Dead Peer
                            Detection]</div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
                            responding to Main Mode from unknown peer
                            10.7.60.65</div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
                            transition from state STATE_MAIN_R0 to state
                            STATE_MAIN_R1</div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
                            STATE_MAIN_R1: sent MR1, expecting MI2</div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
                            NAT-Traversal: Result using RFC 3947
                            (NAT-Traversal): no NAT detected</div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
                            transition from state STATE_MAIN_R1 to state
                            STATE_MAIN_R2</div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
                            STATE_MAIN_R2: sent MR2, expecting MI3</div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main
                            mode peer ID is ID_DER_ASN1_DN: 'C=CN,
                            ST=Guangd, O=HCA, OU=HCA, CN=<a
                              moz-do-not-send="true"
                              href="http://nexus.openswan.com"
                              target="_blank">nexus.openswan.com</a>, E=<a
                              moz-do-not-send="true"
                              href="mailto:supurstart@openswan.com"
                              target="_blank">supurstart@openswan.com</a>'</div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am
                            sending my cert</div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password
                            file contains no data</div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password
                            file contains no data</div>
                          <div><font color="#ff0000"><b>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the NSS CERT (err -8177)</b></font></div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
                            transition from state STATE_MAIN_R2 to state
                            STATE_MAIN_R3</div>
                          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
                            STATE_MAIN_R3: sent MR3, ISAKMP SA
                            established {auth=OAKLEY_RSA_SIG
                            cipher=aes_256 prf=oakley_sha
                            group=modp1024}</div>
                        </div>
                        <div><br>
                        </div>
                        <div>-----------------------------------------------------------------------------</div>
                        <div><br>
                        </div>
                        <div>It seems openswan doesn't load the x509
                          certificate correctly.</div>
                        <div><br>
                        </div>
                        <div>I have transformed the x509 certificates to
                          pkcs12 and imported them into the NSS DB.</div>
                        <div><br>
                        </div>
                        <div>-------------------------------------</div>
                        <div>
                          <div>[root@opensips log]# certutil -L -d
                            /etc/ipsec.d/</div>
                          <div><br>
                          </div>
                          <div>Certificate Nickname                                         Trust Attributes</div>
                          <div>                                                             SSL,S/MIME,JAR/XPI</div>
                          <div><br>
                          </div>
                          <div><a moz-do-not-send="true" href="http://nexus.openswan.com" target="_blank">nexus.openswan.com</a> - HCA                       u,u,u</div>
                          <div>gateway.openswan - HCA                                       u,u,u</div>
                        </div>
                        <div>-------------------------------------</div>
                        <div><br>
                        </div>
                        <div>Please give me some advice.</div>
                        <span><font color="#888888">
                            <div><br>
                            </div>
                            <div>--Michael Leung</div>
                          </font></span></div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
              <br>
              <fieldset></fieldset>
              <br>
              <pre>_______________________________________________
<a moz-do-not-send="true" href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>
<a moz-do-not-send="true" href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a moz-do-not-send="true" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
            </blockquote>
            <br>
          </div>
          <br>
          <br>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </body>
</html>