<p dir="ltr">Hi Laurent<br>
Thanks for your reply, I have fixed this issue already.</p>
<div class="gmail_quote">On Nov 27, 2014 3:14 AM, "Laurent Jouannic" &lt;<a href="mailto:laurent.jouannic@cbsa.fr">laurent.jouannic@cbsa.fr</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hi,<br>
    <br>
    Check:<br>
    -the spelling of the filename, <br>
    -the directory, the <span style="background-color:rgb(255,255,255)"><font color="#ff0000">vpngateway.</font></span>key should be in
    /etc/ipsec.d/private<br>
    -the owner, the 'properties' of reading, writing, etc...<br>
    <br>
    good luck.<br>
    <br>
    Laurent<br>
    <br>
    <div>On 26/11/2014 10:15, Michael Leung wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hi Group
        <div><br>
        </div>
        <div>following is my ipsec.d/ipsec.secrets content</div>
        <div>#------------------------------------------------------------</div>
        <div>: RSA "<a href="http://gateway.openswan.com" target="_blank">gateway.openswan.com</a>
          - HCA"<br>
        </div>
        <div><span style="background-color:rgb(255,255,255)"><font color="#ff0000">: RSA vpngateway.key "123123123ly"</font></span><br>
        </div>
        <div>#--------------------------------------------------------------</div>
        <div><br>
        </div>
        <div>after starting ipsec setup start</div>
        <div><br>
        </div>
        <div>we got debug info<br>
        </div>
        <div>-----------------------------------</div>
        <div>
          <div>    could not open host cert with nick name
            'vpngateway.key' in NSS DB</div>
          <div>"/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not
            found</div>
        </div>
        <div>-----------------------------------</div>
        <div><br>
        </div>
        <div>I noticed that my OS is CentOS 6.5. I installed openswan
          from the yum repository, which means openswan has
          use_nss=true turned on, so I can understand why we still have the NSS
          certificate not found output</div>
        <div><br>
        </div>
        <div>but what I am wondering about is </div>
        <div><br>
        </div>
        <div>we also have this debug output</div>
        <div><br>
        </div>
        <div>----------------------------------------</div>
        <div>
          <div>packet from <a href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: received
            Vendor ID payload [RFC 3947] method set to=109 </div>
          <div>packet from <a href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: received
            Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107,
            but already using method 109</div>
          <div>packet from <a href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: received
            Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
            meth=106, but already using method 109</div>
          <div>packet from <a href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: received
            Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]</div>
          <div>packet from <a href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: ignoring
            Vendor ID payload [FRAGMENTATION 80000000]</div>
          <div>packet from <a href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: received
            Vendor ID payload [Dead Peer Detection]</div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode
            from unknown peer 10.7.60.65</div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state
            STATE_MAIN_R0 to state STATE_MAIN_R1</div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1,
            expecting MI2</div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result
            using RFC 3947 (NAT-Traversal): no NAT detected</div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state
            STATE_MAIN_R1 to state STATE_MAIN_R2</div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2,
            expecting MI3</div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is
            ID_DER_ASN1_DN: 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=<a href="http://nexus.openswan.com" target="_blank">nexus.openswan.com</a>,
            E=<a href="mailto:supurstart@openswan.com" target="_blank">supurstart@openswan.com</a>'</div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert</div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains
            no data</div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains
            no data</div>
          <div><font color="#ff0000"><b>"L2TP-PSK-NAT"[1] 10.7.60.65 #1:
                Can't find the private key from the NSS CERT (err -8177)</b></font> </div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state
            STATE_MAIN_R2 to state STATE_MAIN_R3</div>
          <div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3,
            ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256
            prf=oakley_sha group=modp1024}</div>
        </div>
        <div><br>
        </div>
        <div>-----------------------------------------------------------------------------</div>
        <div><br>
        </div>
        <div>It seems openswan doesn't load the x509 certificate correctly </div>
        <div><br>
        </div>
        <div>I have transformed the x509 certificate to pkcs12 and imported
          them into the NSS DB.</div>
        <div><br>
        </div>
        <div>-------------------------------------</div>
        <div>
          <div>[root@opensips log]# certutil -L -d /etc/ipsec.d/</div>
          <div><br>
          </div>
          <div>Certificate Nickname                                    
                Trust Attributes</div>
          <div>                                                         
               SSL,S/MIME,JAR/XPI</div>
          <div><br>
          </div>
          <div><a href="http://nexus.openswan.com" target="_blank">nexus.openswan.com</a> -
            HCA                       u,u,u</div>
          <div>gateway.openswan - HCA                           u,u,u</div>
        </div>
        <div>-------------------------------------</div>
        <div><br>
        </div>
        <div>please give me some advice.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>--Michael Leung</div>
      </div>
      <br>
      <br>
      <pre>_______________________________________________
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
    </blockquote>
    <br>
  </div>

<br></blockquote></div>
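<p>Added example (not part of the original thread and not Openswan code): a shell check that compares the names used in ipsec.secrets RSA entries with the nicknames that certutil -L lists, run on sample text constructed from the listings quoted above. It assumes an NSS-enabled Openswan looks up an RSA entry by certificate nickname, as the "could not open host cert with nick name" message in the thread indicates; the function names are hypothetical.</p>

```shell
#!/bin/sh
# Added example: cross-check ipsec.secrets RSA entries against NSS nicknames.
# Both samples are constructed from the listings quoted in the thread;
# the passphrase is replaced by a placeholder.
SECRETS_SAMPLE=': RSA "gateway.openswan.com - HCA"
: RSA vpngateway.key "PLACEHOLDER-PASSPHRASE"'

CERTUTIL_SAMPLE='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                     u,u,u
gateway.openswan - HCA                       u,u,u'

# Name given after ": RSA" on each entry: a quoted nickname, or a bare token
# (the thread's second entry uses a key file name there).
secrets_names() {
    sed -n \
        -e 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]*"\([^"]*\)".*$/\1/p' \
        -e 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]*\([^"[:space:]][^[:space:]]*\).*$/\1/p'
}

# Nicknames from "certutil -L" text: keep rows ending in a trust triple
# such as "u,u,u" or "CT,," and strip that column. Header rows do not match.
nss_nicknames() {
    sed -n 's/^\(.*[^[:space:]]\)[[:space:]][[:space:]]*[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$/\1/p'
}

# Print every secrets entry that has no exactly matching NSS nickname.
# $1 = ipsec.secrets text, $2 = certutil -L text
unmatched_entries() {
    nicks=$(printf '%s\n' "$2" | nss_nicknames)
    printf '%s\n' "$1" | secrets_names | while IFS= read -r name; do
        printf '%s\n' "$nicks" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# On a live host the inputs would be (paths as given in the thread):
#   unmatched_entries "$(cat /etc/ipsec.d/ipsec.secrets)" \
#                     "$(certutil -L -d /etc/ipsec.d/)"
unmatched_entries "$SECRETS_SAMPLE" "$CERTUTIL_SAMPLE"
```

On the sample data both entries are reported: the quoted nickname differs from the listed "gateway.openswan - HCA", and "vpngateway.key" is a file name rather than a nickname in the database.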