<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi Laurent,<br>
    <br>
    Do you compile openswan yourself?<br>
    <br>
    Actually, I compiled openswan this time instead of installing it from the yum
    repository.<br>
    <br>
    All certificates and the private key are read properly now, but I am
    facing another issue now; please see the following.<br>
    <br>
    I compiled openswan-2.6.42 with the option USE_LIBNSS=false in
    Makefile.inc.<br>
    <br>
    I have highlighted those lines which I think are important.<br>
    <br>
    From the debug info, I think ipsec has passed phase 1 and is going into
    phase 2, but is stuck in it.<br>
    No matter which authentication method I use, RSA or PSK, I get the
    same error.<br>
    So I turned my focus to the ip command. I think they are
    related.<br>
    <br>
---------------------------------------------------------------------<br>
    [root@opensips openswan-2.6.42]# ipsec verify<br>
    Checking if IPsec got installed and started correctly:<br>
    <br>
    Version check and ipsec on-path                         [OK]<br>
    Openswan U2.6.42/K2.6.32-71.el6.x86_64 (netkey)<br>
    See `ipsec --copyright' for copyright information.<br>
    Checking for IPsec support in kernel                    [OK]<br>
     NETKEY: Testing XFRM related proc values<br>
             ICMP default/send_redirects                    [OK]<br>
             ICMP default/accept_redirects                  [OK]<br>
             XFRM larval drop                               [OK]<br>
    Hardware random device check                            [N/A]<br>
    Checking rp_filter                                      [OK]<br>
    Checking that pluto is running                          [OK]<br>
     Pluto listening for IKE on udp 500                     [OK]<br>
     Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]<br>
     Pluto listening for IKE/NAT-T on udp 4500              [OK]<br>
     Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]<br>
     Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]<br>
    <font color="#ff0000">Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]<br>
    Checking 'ip' command                                   [IP XFRM BROKEN]</font><br>
    Checking 'iptables' command                             [OK]<br>
-----------------------------------------------------------------------------------<br>
    [root@opensips openswan-2.6.42]# iptables -t nat -nvL --line-number<br>
    Chain PREROUTING (policy ACCEPT 191 packets, 26716 bytes)<br>
    num   pkts bytes target     prot opt in     out     source               destination<br>
    <br>
    Chain POSTROUTING (policy ACCEPT 470 packets, 28906 bytes)<br>
    num   pkts bytes target     prot opt in     out     source               destination<br>
    <font color="#ff0000">1        0     0 MASQUERADE  all  --  *      eth0    192.168.7.0/24       0.0.0.0/0</font><br>
    <br>
    Chain OUTPUT (policy ACCEPT 470 packets, 28906 bytes)<br>
    num   pkts bytes target     prot opt in     out     source               destination<br>
---------------------------------------------------------------------------------------------<br>
    <br>
    -------------------------------------------------------------------pluto debug log-----------<br>
    <br>
    <small>packet from 10.7.67.11:500: received Vendor ID payload [RFC 3947] method set to=115<br>
    packet from 10.7.67.11:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115<br>
    packet from 10.7.67.11:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115<br>
    packet from 10.7.67.11:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>
    packet from 10.7.67.11:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]<br>
    packet from 10.7.67.11:500: received Vendor ID payload [Dead Peer Detection]<br>
    "L2TP-PSK-NAT"[1] 10.7.67.11 #1: responding to Main Mode from unknown peer 10.7.67.11<br>
    "L2TP-PSK-NAT"[1] 10.7.67.11 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
    "L2TP-PSK-NAT"[1] 10.7.67.11 #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>
    "L2TP-PSK-NAT"[1] 10.7.67.11 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed<br>
    "L2TP-PSK-NAT"[1] 10.7.67.11 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
    "L2TP-PSK-NAT"[1] 10.7.67.11 #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>
    "L2TP-PSK-NAT"[1] 10.7.67.11 #1: Main mode peer ID is ID_IPV4_ADDR: '172.16.67.157'<br>
    "L2TP-PSK-NAT"[1] 10.7.67.11 #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"<br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #1: deleting connection "L2TP-PSK-NAT" instance with peer 10.7.67.11 {isakmp=#0/ipsec=#0}<br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #1: new NAT mapping for #1, was 10.7.67.11:500, now 10.7.67.11:4500<br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}<br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #1: the peer proposed: 10.7.255.154/32:17/1701 -> 172.16.67.157/32:17/0<br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #2: responding to Quick Mode proposal {msgid:f0afdbca}<br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #2:     us: 10.7.255.154<10.7.255.154>:17/1701<br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #2:   them: 10.7.67.11[172.16.67.157]:17/0===172.16.67.157/32<br>
    <font color="#ff0000">| warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2</font><br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>
    <font color="#ff0000">| warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2</font><br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
    "L2TP-PSK-NAT"[2] 10.7.67.11 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x05335c89 <0x961dc879 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=10.7.67.11:4500 DPD=none}</small><br>
    <br>
-------------------------------------------------------------------------------------------------------------------<br>
    <br>
    <br>
    --Michael Leung<br>
    <br>
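    As an added example that is not part of Michael's mail or of the Openswan project, here is a small Python parser for pluto log lines of the kind quoted above. It reports whether phase 1 (ISAKMP SA) and phase 2 (IPsec SA) completed and what was negotiated, which is the first thing to settle before looking at the ip command. The sample lines are re-typed from the log above; the mapping of "ESP=>" to the outbound SPI and "<" to the inbound SPI is an assumption about pluto's print format.<br>

```python
import re
from dataclasses import dataclass, field

# Constructed sample: pluto lines re-typed from the log quoted above, one per line.
# Vendor ID lines are left out; unrecognised lines are skipped, so a full log can be fed in.
SAMPLE_LOG = """\
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: responding to Main Mode from unknown peer 10.7.67.11
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: Main mode peer ID is ID_IPV4_ADDR: '172.16.67.157'
"L2TP-PSK-NAT"[2] 10.7.67.11 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"L2TP-PSK-NAT"[2] 10.7.67.11 #1: new NAT mapping for #1, was 10.7.67.11:500, now 10.7.67.11:4500
"L2TP-PSK-NAT"[2] 10.7.67.11 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: responding to Quick Mode proposal {msgid:f0afdbca}
| warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x05335c89 <0x961dc879 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=10.7.67.11:4500 DPD=none}
"""

# One pluto state line: "conn"[instance] peer #statenum: message
LINE_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<num>\d+): (?P<msg>.*)$')
WARN_RE = re.compile(r'^\| warning: (?P<text>.*)$')
TRANS_RE = re.compile(r'transition from state (\S+) to state (\S+)')
NATMAP_RE = re.compile(r'new NAT mapping for #\d+, was (\S+), now (\S+)')
ISAKMP_RE = re.compile(r'ISAKMP SA established \{(.*)\}')
IPSEC_RE = re.compile(r'IPsec SA established (\S+) mode \{(.*)\}')
SPI_RE = re.compile(r'ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')   # assumption: => outbound, < inbound
KV_RE = re.compile(r'(\w+)=([^\s}]+)')                      # key=value pairs inside {...}
WEAK_GROUPS = {"modp768", "modp1024"}   # DH groups no longer adequate for new deployments


@dataclass
class SaState:
    num: int                    # pluto state number (#1, #2, ...)
    conn: str
    peer: str
    states: list = field(default_factory=list)    # STATE_* names in the order reached
    nat_mapping: tuple = ()     # (old, new) peer endpoint after the NAT-T float to 4500
    phase1: dict = field(default_factory=dict)    # ISAKMP SA parameters once established
    phase2: dict = field(default_factory=dict)    # IPsec SA parameters once established


def parse_pluto_log(text):
    """Return ({state number: SaState}, [warning texts]) for a pluto log."""
    sas, warnings = {}, []
    for line in text.splitlines():
        if (w := WARN_RE.match(line)):
            warnings.append(w.group("text"))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        num, msg = int(m.group("num")), m.group("msg")
        sa = sas.setdefault(num, SaState(num, m.group("conn"), m.group("peer")))
        if (t := TRANS_RE.search(msg)):
            if not sa.states:
                sa.states.append(t.group(1))
            sa.states.append(t.group(2))
        elif (n := NATMAP_RE.search(msg)):
            sa.nat_mapping = (n.group(1), n.group(2))
        elif (i := ISAKMP_RE.search(msg)):
            sa.phase1 = dict(KV_RE.findall(i.group(1)))
        elif (q := IPSEC_RE.search(msg)):
            params = dict(KV_RE.findall(q.group(2)))
            params.pop("ESP", None)               # replaced by the two SPI fields below
            if (s := SPI_RE.search(q.group(2))):
                params["spi_out"], params["spi_in"] = s.group(1), s.group(2)
            params["mode"] = q.group(1)
            sa.phase2 = params
    return sas, warnings


def assess(sas, warnings):
    """Answer the troubleshooting questions: did phase 1 and phase 2 complete, and with what?"""
    findings = []
    for sa in sorted(sas.values(), key=lambda s: s.num):
        last = sa.states[-1] if sa.states else "?"
        if sa.phase1:
            findings.append(f"#{sa.num}: phase 1 established, auth={sa.phase1.get('auth')} "
                            f"cipher={sa.phase1.get('cipher')} group={sa.phase1.get('group')}")
            if sa.phase1.get("group") in WEAK_GROUPS:
                findings.append(f"#{sa.num}: DH group {sa.phase1['group']} is weak; prefer modp2048 or better")
        elif last.startswith("STATE_MAIN"):
            findings.append(f"#{sa.num}: phase 1 incomplete, last state {last}")
        if sa.phase2:
            findings.append(f"#{sa.num}: phase 2 established in {sa.phase2['mode']} mode, "
                            f"xfrm={sa.phase2.get('xfrm')} spi_out={sa.phase2.get('spi_out')} "
                            f"spi_in={sa.phase2.get('spi_in')}")
        elif last.startswith("STATE_QUICK"):
            findings.append(f"#{sa.num}: phase 2 incomplete, last state {last}")
        if sa.nat_mapping:
            findings.append(f"#{sa.num}: peer is NATed, floated {sa.nat_mapping[0]} -> {sa.nat_mapping[1]}")
    for text in dict.fromkeys(warnings):          # de-duplicate, keep order
        findings.append(f"warning: {text}")
    return findings


if __name__ == "__main__":
    print("\n".join(assess(*parse_pluto_log(SAMPLE_LOG))))
```

    On the log above it reports both phases as established (phase 2 in tunnel mode), so the remaining problem is after SA establishment, not in IKE itself.<br>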
    <div class="moz-cite-prefix">On 11/29/2014 06:59 PM, Jouannic
      Laurent wrote:<br>
    </div>
    <blockquote cite="mid:5479A707.5020904@cbsa.fr" type="cite">
      <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
      Hi Michael,<br>
      <br>
      No,<br>
      <br>
      I did it myself, my certificate with openssh, with CA.sh which is
      included with openssh<br>
      (But you first need to build your root CA certificate with
      openssh), then:<br>
      <i>theGoodPath</i>/CA.sh -request<br>
      <i>theGoodPath</i>/CA.sh -sign<br>
      <br>
      You will get a newcert.pem and a newcert.key<br>
      <br>
      And then, with your newcert.pem, newcert.key and your
      rootCa.pem, generate a newcert.p12 with openssh for the other
      side.<br>
      <br>
      This is the only way I know.<br>
      <br>
      Good luck.<br>
      <br>
      Laurent<br>
      <br>
      <br>
      <br>
      <div class="moz-cite-prefix">On 29/11/2014 07:18, MichaelLeung
        wrote:<br>
      </div>
      <blockquote cite="mid:54796527.4070801@gmail.com" type="cite">
        <meta content="text/html; charset=utf-8"
          http-equiv="Content-Type">
        Hi Laurent,<br>
        <br>
        I still cannot read the private key from ipsec.secrets properly.<br>
        Did you do something different?<br>
        <br>
        --Michael Leung<br>
        <br>
        <div class="moz-cite-prefix">On 11/29/2014 12:25 AM, Laurent
          Jouannic wrote:<br>
        </div>
        <blockquote cite="mid:5478A20B.1060105@cbsa.fr" type="cite">
          <meta content="text/html; charset=utf-8"
            http-equiv="Content-Type">
          Hi Michael,<br>
          <br>
          Yes I used them for a while.<br>
          <br>
          <u>ipsec.conf:</u><br>
          <pre>conn site_A
        leftid="C=FR, ST=FRANCE, L=city1, O=XXXX, OU=YYYY, CN=common_name1, Email=common_name1@domaine.fr"
        leftsubnet=192.168.1.0/24
        leftcert=cert1.pem
        leftrsasigkey=%cert
        right=65.109.74.42
        rightsubnet=192.168.2.1/32
        rightid="C=FR, ST=Sud, L=city2, O=XXXX, OU=ZZZZ, CN=common_name2, Email=common_name2@domaine.fr"
        rightcert=cert2.pem
        rightrsasigkey=%cert
        rightca="C=FR, ST=Rhone, L=city1, O=XXXX, OU=MMMM, CN=common_name_CA, Email=common_name_CA@domaine.fr"
        auto=add
        pfs=yes
</pre>
          <u>ipsec.secrets:</u><br>
          <pre>: RSA cert1.key "pass_phrase_for_private_key"
</pre>
          <u>files:</u><br>
          <pre>/etc/ipsec.d/certs/cert1.pem
/etc/ipsec.d/certs/cert2.pem
/etc/ipsec.d/private/cert1.key
/etc/ipsec.d/private/cert2.key
/etc/ipsec.d/cacerts/ca_certificate.pem
</pre>
          And on the Win7 box with Shrew Soft:<br>
          cert2.p12<br>
          <br>
          Cheers.<br>
          <br>
          Laurent<br>
          <br>
          <div class="moz-cite-prefix">On 28/11/2014 13:33, Michael
            Leung wrote:<br>
          </div>
          <blockquote
cite="mid:CAJ6sgmi7cbmen+TEbk=-87QmO2SYMx5Aox7nLaB4WXNe_N5C5Q@mail.gmail.com"
            type="cite">
            <div dir="ltr">Hi Laurent,
              <div><br>
              </div>
              <div>Did you find a way to get x509 working on the
                latest version of openswan?</div>
            </div>
            <div class="gmail_extra"><br>
              <div class="gmail_quote">On Thu, Nov 27, 2014 at 6:40 PM,
                Laurent Jouannic <span dir="ltr"><<a
                    moz-do-not-send="true"
                    href="mailto:laurent.jouannic@cbsa.fr"
                    target="_blank">laurent.jouannic@cbsa.fr</a>></span>
                wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div bgcolor="#FFFFFF" text="#000000"> Well,<br>
                    <br>
                    I'm joking a bit about the old way, new way,<br>
                    <br>
                    But I've never used the NSS stuff.<br>
                    <br>
                    Maybe you should generate another pkcs12 file and
                    when you generate it change nexus.openswan.com - HCA
                    to nexus.openswan.com-HCA<br>
                    <br>
                    Cheers.<br>
                    <br>
                    Laurent<br>
                    <br>
                    <div>On 27/11/2014 10:51, Michael Leung wrote:<br>
                    </div>
                    <div>
                      <div class="h5">
                        <blockquote type="cite">
                          <div dir="ltr">Hi,
                            <div><br>
                            </div>
                            <div>My user certificate is a pkcs12 one;
                              it has to contain a private key in it,</div>
                            <div><br>
                            </div>
                            <div>and certutil cannot add it to its
                              database, so I have to use pk12util
                              instead of certutil to insert the
                              certificate into the NSS certification DB;
                              thus, see below</div>
                            <div><br>
                            </div>
                            <div>---------------------------------</div>
                            <div><br>
                            </div>
                            <div>
                              <div>[root@opensips certs]# pk12util -n "nexus5.p12" -i /root/ipsec/CA/nexus/nexus5.p12 -d /etc/ipsec.d</div>
                              <div>Enter password for PKCS12 file: </div>
                              <div><font color="#ff0000"><b>pk12util: no nickname for cert in PKCS12 file.</b></font></div>
                              <div>pk12util: using nickname: nexus.openswan.com - HCA</div>
                              <div>pk12util: PKCS12 IMPORT SUCCESSFUL</div>
                            </div>
                            <div><br>
                            </div>
                            <div>-------------------------------------------------------</div>
                            <div><br>
                            </div>
                            <div>I have specified the nickname which can
                              be used as a value in <i>leftcert</i>,
                              but failed; pk12util will name its
                              nickname itself, and unfortunately it
                              contains spaces,</div>
                            <div><br>
                            </div>
                            <div>that is why I have to put them in
                              quotation marks.</div>
                            <div><br>
                            </div>
                            <div>I am wondering why the old way did not
                              work. What is your openswan version?</div>
                            <div><br>
                            </div>
                            <div>Mine is <i>Linux Openswan
                                U2.6.32/K2.6.32-71.el6.x86_64 (netkey)</i></div>
                            <div><br>
                            </div>
                            <div>--Michael Leung</div>
                          </div>
                          <div class="gmail_extra"><br>
                            <div class="gmail_quote">On Thu, Nov 27,
                              2014 at 5:23 PM, Laurent Jouannic <span
                                dir="ltr"><<a moz-do-not-send="true"
                                  href="mailto:laurent.jouannic@cbsa.fr"
                                  target="_blank">laurent.jouannic@cbsa.fr</a>></span>
                              wrote:<br>
                              <blockquote class="gmail_quote"
                                style="margin:0 0 0 .8ex;border-left:1px
                                #ccc solid;padding-left:1ex">
                                <div bgcolor="#FFFFFF" text="#000000">
                                  Hi,<br>
                                  <br>
                                  I've never used the NSS stuff, I'm driving
                                  the old way, freeswan's way :)<br>
                                  <br>
                                  Well, I found some stuff at this URL:<br>
                                  <br>
                                  <a moz-do-not-send="true"
href="http://sophie.zarb.org/distrib/CentOS/5/i386/rpms/openswan-doc/files/12"
                                    target="_blank">http://sophie.zarb.org/distrib/CentOS/5/i386/rpms/openswan-doc/files/12</a><br>
                                  <br>
                                  NSS brings some new way:<br>
                                  <pre>Changes in the certificates usage with Pluto
------------------------------------------------
1) ipsec.conf changes

The only change is "leftcert" field must contain the nick name of the user
cert. For example if the nickname of the user cert is "xyz", then it can be
"leftcert=xyz".

2) ipsec.secrets changes

 : RSA <user-cert-nick-name> 

You just need to provide the user cert's nick name. For example if the nickname
of the user cert is "xyz", then

 : RSA xyz 

There is no need to provide private key file information or its password. 

3) changes in the directories in /etc/ipsec.d/ (cacerts, certs, private)  
i)You need not have "private" or "certs" directory.
</pre>
                                  <br>
                                  So<br>
                                  <br>
                                  If I understood, you should have to use
                                  some <b>"</b> around your <i>leftcert_value</i><br>
                                  <br>
                                  : RSA "gateway.openswan.com - HCA"<br>
                                  =><br>
                                  : RSA gateway.openswan.com - HCA<br>
                                  <br>
                                  But I guess that some space ' ' isn't
                                  welcome; maybe you should change your
                                  certificate (strip the ' ') to get
                                  gateway.openswan.com-HCA
                                  instead of gateway.openswan.com - HCA<br>
                                  <br>
                                  Good luck.<br>
                                  <br>
                                  <br>
                                  <br>
                                  <div>On 27/11/2014 02:58, Michael
                                    Leung wrote:<br>
                                  </div>
                                  <div>
                                    <div>
                                      <blockquote type="cite">
                                        <p dir="ltr">: RSA file.key
                                          "password"</p>
                                        <p dir="ltr">I tried this too;
                                          openswan would consider it
                                          a nickname and then try to
                                          read it from the NSS certification
                                          DB.</p>
                                        <div class="gmail_quote">On Nov
                                          26, 2014 11:25 PM, "Laurent
                                          Jouannic" <<a
                                            moz-do-not-send="true"
                                            href="mailto:laurent.jouannic@cbsa.fr"
                                            target="_blank">laurent.jouannic@cbsa.fr</a>>
                                          wrote:<br type="attribution">
                                          <blockquote
                                            class="gmail_quote"
                                            style="margin:0 0 0
                                            .8ex;border-left:1px #ccc
                                            solid;padding-left:1ex">
                                            <div bgcolor="#FFFFFF"
                                              text="#000000"> This line
                                              is strange, isn't it...<br>
                                              <br>
                                              : RSA "gateway.openswan.com - HCA"<br>
                                              <br>
                                              It should be like:<br>
                                              <br>
                                              : RSA file.key "pass"<br>
                                              <br>
                                              <font color="#3333ff">OR</font><br>
                                              <br>
                                              <pre>@ID_connection: RSA {
        # RSA 2 pow n bits   debian   <i>date</i>
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=<i>pubkey</i>
        #IN KEY  xxxxx
        XYXYXYXYXYYXYYXY
        # blablabla
        Modulus: MODMOD
        PublicExponent: 51
        # everything after this point is secret
        PrivateExponent: 0xXXXXXX
        Prime1: 0xXXXXXX
        Prime2: 0xXXXXXX
        Exponent1: 0xXXXXXX
        Exponent2: 0xXXXXXX
        Coefficient: 0xXXXXXX
        }
</pre>
                                              <br>
                                              <div>On 26/11/2014 10:35,
                                                Michael Leung wrote:<br>
                                              </div>
                                              <blockquote type="cite">
                                                <div dir="ltr">This is
                                                  my ipsec.conf
                                                  <div><br>
                                                  </div>
                                                  <pre>version 2.0

config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        dumpdir=/var/run/pluto/
        plutostderrlog=/var/log/pluto.log

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=rsasig
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport

        left=10.7.255.154
        leftsubnet=192.168.7.0/24
        leftprotoport=17/1701
        leftsendcert=always
        leftrsasigkey=%cert
        leftcert="gateway.openswan - HCC"

        right=%any
        rightprotoport=17/%any
        rightrsasigkey=%cert
</pre>
                                                  <div><br>
                                                  </div>
                                                  <div class="gmail_extra"><br>
                                                    <div class="gmail_quote">On
                                                      Wed, Nov 26, 2014
                                                      at 5:15 PM,
                                                      Michael Leung <span
                                                        dir="ltr"><<a
moz-do-not-send="true" href="mailto:gbcbooksmj@gmail.com"
                                                          target="_blank">gbcbooksmj@gmail.com</a>></span>
                                                      wrote:<br>
                                                      <blockquote
                                                        class="gmail_quote"
                                                        style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Hi Group
<div><br>
</div>
<div>The following is my ipsec.d/ipsec.secrets content:</div>
<div>#------------------------------------------------------------</div>
<div>: RSA "<a moz-do-not-send="true" href="http://gateway.openswan.com" target="_blank">gateway.openswan.com</a> - HCA"<br>
</div>
<div><span style="background-color:rgb(255,255,255)"><font color="#ff0000">: RSA vpngateway.key "123123123ly"</font></span><br>
</div>
<div>#--------------------------------------------------------------</div>
                                                          <div><br>
                                                          </div>
<div>After running ipsec setup start</div>
<div><br>
</div>
<div>we got this debug info:<br>
</div>
                                                          <div>-----------------------------------</div>
<div>
<div>    could not open host cert with nick name 'vpngateway.key' in NSS DB</div>
<div>"/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found</div>
</div>
                                                          <div>-----------------------------------</div>
                                                          <div><br>
                                                          </div>
<div>I notice that my OS is CentOS 6.5 and that I installed openswan from the yum repository, which means openswan has use_nss=true turned on, so I can understand why we still get the "NSS certificate not found" output.</div>
                                                          <div><br>
                                                          </div>
<div>But what I am wondering about is this:</div>
<div><br>
</div>
<div>we also have this debug output:</div>
<div><br>
</div>
                                                          <div>----------------------------------------</div>
<div>
<div>packet from <a moz-do-not-send="true" href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: received Vendor ID payload [RFC 3947] method set to=109 </div>
<div>packet from <a moz-do-not-send="true" href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109</div>
<div>packet from <a moz-do-not-send="true" href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109</div>
<div>packet from <a moz-do-not-send="true" href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]</div>
<div>packet from <a moz-do-not-send="true" href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: ignoring Vendor ID payload [FRAGMENTATION 80000000]</div>
<div>packet from <a moz-do-not-send="true" href="http://10.7.60.65:500" target="_blank">10.7.60.65:500</a>: received Vendor ID payload [Dead Peer Detection]</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from unknown peer 10.7.60.65</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1, expecting MI2</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2, expecting MI3</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=<a moz-do-not-send="true" href="http://nexus.openswan.com" target="_blank">nexus.openswan.com</a>, E=<a moz-do-not-send="true" href="mailto:supurstart@openswan.com" target="_blank">supurstart@openswan.com</a>'</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data</div>
<div><font color="#ff0000"><b>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the NSS CERT (err -8177)</b></font> </div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</div>
<div>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}</div>
</div>
                                                          <div><br>
                                                          </div>
                                                          <div>-----------------------------------------------------------------------------</div>
                                                          <div><br>
                                                          </div>
<div>It seems openswan doesn't load the x509 certificate correctly.</div>
<div><br>
</div>
<div>I have transformed the x509 certificates to pkcs12 and imported them into the NSS DB.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>-------------------------------------</div>
<div>
<div>[root@opensips log]# certutil -L -d /etc/ipsec.d/</div>
<div><br>
</div>
<div>Certificate Nickname                                         Trust Attributes</div>
<div>                                                             SSL,S/MIME,JAR/XPI</div>
<div><br>
</div>
<div><a moz-do-not-send="true" href="http://nexus.openswan.com" target="_blank">nexus.openswan.com</a> - HCA                                     u,u,u</div>
<div>gateway.openswan - HCA                                       u,u,u</div>
</div>
                                                          <div>-------------------------------------</div>
                                                          <div><br>
                                                          </div>
<div>Please give me some advice.</div>
                                                          <span><font
                                                          color="#888888">
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
<div>--Michael Leung</div>
                                                          </font></span></div>
                                                      </blockquote>
                                                    </div>
                                                    <br>
                                                  </div>
                                                </div>
                                                <br>
                                                <fieldset></fieldset>
                                                <br>
                                                <pre>_______________________________________________
<a moz-do-not-send="true" href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>
<a moz-do-not-send="true" href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a moz-do-not-send="true" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
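<div>Both "could not open host cert with nick name 'vpngateway.key' in NSS DB" and "Can't find the private key from the NSS CERT" above are lookups of a name in the NSS database, so one thing worth checking before going further is whether every name that ipsec.secrets and leftcert= hand to pluto exists, as an exact string, among the nicknames that certutil -L prints. The script below is an added example, not code from this thread or from Openswan: it re-creates the three snippets quoted above as inline samples and reports each referenced name as found or missing. Treating the first token after ': RSA' as the nickname (as the log's lookup of 'vpngateway.key' suggests), the parsing regexes and the check_references helper are assumptions; it also handles rightcert=, which the thread does not use.</div>

```python
"""Cross-check the names openswan looks up in the NSS DB against the
nicknames certutil -L reports.  Added example, not code from the thread
or from Openswan; parsing rules below are an assumption."""
import re

# Constructed sample: the ipsec.secrets quoted in the thread.
SECRETS = '''
#------------------------------------------------------------
: RSA "gateway.openswan.com - HCA"
: RSA vpngateway.key "123123123ly"
#--------------------------------------------------------------
'''

# Constructed sample: the relevant ipsec.conf lines from the thread.
CONF = '''
        leftsendcert=always
        leftrsasigkey=%cert
        leftcert="gateway.openswan - HCC"
        right=%any
        rightprotoport=17/%any
        rightrsasigkey=%cert
'''

# Constructed sample: `certutil -L -d /etc/ipsec.d/` output from the thread.
CERTUTIL = '''
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                                     u,u,u
gateway.openswan - HCA                                       u,u,u
'''

# `: RSA "nick"` or `: RSA nick ...`: the first token after RSA is what the
# NSS build looked up (the log shows it trying nickname 'vpngateway.key').
_RSA_RE = re.compile(r'^\s*:\s*RSA\s+(?:"([^"]+)"|(\S+))', re.M)
# leftcert= / rightcert= values, with or without surrounding quotes.
_CERT_RE = re.compile(r'^\s*(?:left|right)cert\s*=\s*"?([^"\n]+?)"?\s*$', re.M)
# A certutil row: nickname, two or more spaces, a trust triple like u,u,u.
_ROW_RE = re.compile(r'^(.+?)\s{2,}(\S*,\S*,\S*)$')


def secrets_nicknames(text):
    """Nicknames referenced by ': RSA' lines in ipsec.secrets, in file order."""
    return [m.group(1) or m.group(2) for m in _RSA_RE.finditer(text)]


def conf_nicknames(text):
    """Values of every leftcert= / rightcert= line in ipsec.conf."""
    return _CERT_RE.findall(text)


def nss_nicknames(certutil_output):
    """Nicknames listed by certutil -L; header and the SSL,S/MIME,JAR/XPI
    sub-header are skipped because they carry no nickname."""
    nicks = []
    for line in certutil_output.splitlines():
        if line.startswith("Certificate Nickname"):
            continue
        m = _ROW_RE.match(line)
        if m and m.group(1).strip():
            nicks.append(m.group(1).strip())
    return nicks


def check_references(secrets, conf, certutil_output):
    """Map each name the configuration asks pluto to load from the NSS DB
    to True if certutil lists it under exactly that nickname, else False."""
    db = set(nss_nicknames(certutil_output))
    referenced = secrets_nicknames(secrets) + conf_nicknames(conf)
    return {name: name in db for name in referenced}


if __name__ == "__main__":
    # With the thread's snippets every referenced name is reported MISSING:
    # the DB has "gateway.openswan - HCA", the config names
    # "gateway.openswan.com - HCA", "vpngateway.key" and "gateway.openswan - HCC".
    for name, found in check_references(SECRETS, CONF, CERTUTIL).items():
        print(f"{'OK     ' if found else 'MISSING'} {name!r}")
```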
                                              </blockquote>
                                              <br>
                                            </div>
                                            <br>
                                            <br>
                                          </blockquote>
                                        </div>
                                      </blockquote>
                                      <br>
                                    </div>
                                  </div>
                                </div>
                              </blockquote>
                            </div>
                            <br>
                          </div>
                        </blockquote>
                        <br>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
              <br>
            </div>
          </blockquote>
          <br>
        </blockquote>
        <br>
      </blockquote>
      <br>
      <br>
      <br>
      <br>
    </blockquote>
    <br>
  </body>
</html>