<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Laurent<br>
<br>
Do you compile openswan yourself?<br>
<br>
Actually, I compiled openswan this time instead of installing it from the yum
repository.<br>
<br>
All certificates and private keys are read properly now, but I am facing
another issue now; please see the following.<br>
<br>
I compiled openswan-2.6.42 with the option USE_LIBNSS=false in
Makefile.inc<br>
<br>
I have highlighted the lines which I think are important.<br>
<br>
From the debug info, I think ipsec has passed phase 1 and is going into
phase 2, but gets stuck in it.<br>
No matter which authentication method I use, RSA or PSK, I get the
same error.<br>
So I turned my focus to the ip command; I think they are
related.<br>
<br>
<pre>[root@opensips openswan-2.6.42]# ipsec verify
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                             [OK]
Openswan U2.6.42/K2.6.32-71.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                        [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects                                 [OK]
ICMP default/accept_redirects                               [OK]
XFRM larval drop                                            [OK]
Hardware random device check                                [N/A]
Checking rp_filter                                          [OK]
Checking that pluto is running                              [OK]
Pluto listening for IKE on udp 500                          [OK]
Pluto listening for IKE on tcp 500                          [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500                   [OK]
Pluto listening for IKE/NAT-T on tcp 4500                   [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco)                [NOT IMPLEMENTED]
<font color="#ff0000">Checking NAT and MASQUERADEing                              [TEST INCOMPLETE]
Checking 'ip' command                                       [IP XFRM BROKEN]</font>
Checking 'iptables' command                                 [OK]
</pre>
<pre>[root@opensips openswan-2.6.42]# iptables -t nat -nvL --line-number
Chain PREROUTING (policy ACCEPT 191 packets, 26716 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 470 packets, 28906 bytes)
num   pkts bytes target     prot opt in     out     source               destination
<font color="#ff0000">1        0     0 MASQUERADE all  --  *      eth0    192.168.7.0/24       0.0.0.0/0</font>

Chain OUTPUT (policy ACCEPT 470 packets, 28906 bytes)
num   pkts bytes target     prot opt in     out     source               destination
</pre>
<br>
pluto debug log:<br>
<pre>packet from 10.7.67.11:500: received Vendor ID payload [RFC 3947] method set to=115
packet from 10.7.67.11:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
packet from 10.7.67.11:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
packet from 10.7.67.11:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 10.7.67.11:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
packet from 10.7.67.11:500: received Vendor ID payload [Dead Peer Detection]
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: responding to Main Mode from unknown peer 10.7.67.11
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: STATE_MAIN_R1: sent MR1, expecting MI2
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: STATE_MAIN_R2: sent MR2, expecting MI3
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: Main mode peer ID is ID_IPV4_ADDR: '172.16.67.157'
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
"L2TP-PSK-NAT"[2] 10.7.67.11 #1: deleting connection "L2TP-PSK-NAT" instance with peer 10.7.67.11 {isakmp=#0/ipsec=#0}
"L2TP-PSK-NAT"[2] 10.7.67.11 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"L2TP-PSK-NAT"[2] 10.7.67.11 #1: new NAT mapping for #1, was 10.7.67.11:500, now 10.7.67.11:4500
"L2TP-PSK-NAT"[2] 10.7.67.11 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
"L2TP-PSK-NAT"[2] 10.7.67.11 #1: the peer proposed: 10.7.255.154/32:17/1701 -> 172.16.67.157/32:17/0
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: responding to Quick Mode proposal {msgid:f0afdbca}
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: us: 10.7.255.154&lt;10.7.255.154&gt;:17/1701
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: them: 10.7.67.11[172.16.67.157]:17/0===172.16.67.157/32
<font color="#ff0000">| warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2</font>
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
<font color="#ff0000">| warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2</font>
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=&gt;0x05335c89 &lt;0x961dc879 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=10.7.67.11:4500 DPD=none}
</pre>
<br>
<br>
--Michael Leung<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
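Added example (not Openswan's own code, and not written by anyone in this thread): a small Python script that reads pluto log lines of the kind quoted above, and of the kind in the earlier "Can't find the private key from the NSS CERT" log further down the thread, and summarises them per IKE state number. For each state it records the last STATE_* transition, whether the ISAKMP SA (phase 1) and the IPsec SA (phase 2) were established, and the lines that look like problems, so the question "did it get stuck in phase 2?" can be answered from the log itself. The sample logs are constructed from the thread (trimmed), and the ERROR_HINTS list of problem substrings is an assumption of this example, not something pluto defines.<br>

```python
"""Summarise Openswan/pluto log lines per IKE state number (#1, #2, ...).

Added example, not Openswan's own code. Records per state the last STATE_*
transition, the ISAKMP SA (phase 1) and IPsec SA (phase 2) parameters once
established, and lines that look like problems. Sample logs are constructed
from the two pluto logs quoted in this thread (trimmed).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# e.g. '"L2TP-PSK-NAT"[2] 10.7.67.11 #2: transition from state ...'
LINE_RE = re.compile(
    r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\]\s+(?P<peer>\S+)\s+#(?P<sa>\d+):\s+(?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
ISAKMP_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established (?P<mode>\w+) mode \{(?P<params>[^}]*)\}")
# Substrings that mark a per-state line as a problem (assumption: hand-picked list).
ERROR_HINTS = ("can't find", "not found", "no data", "failed", "error")


@dataclass
class SaSummary:
    conn: str
    peer: str
    last_state: Optional[str] = None
    phase1: Optional[Dict[str, str]] = None  # ISAKMP SA parameters, once established
    phase2: Optional[Dict[str, str]] = None  # IPsec SA parameters, once established
    problems: List[str] = field(default_factory=list)


def parse_params(text: str) -> Dict[str, str]:
    """'auth=OAKLEY_PRESHARED_KEY cipher=aes_256' -> {'auth': ..., 'cipher': ...}."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def summarise(lines):
    """Return ({state number: SaSummary}, [debug '| warning:' lines])."""
    sas: Dict[int, SaSummary] = {}
    warnings: List[str] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("|"):          # debug line, not tied to a state number
            if "warning" in line.lower():
                warnings.append(line.lstrip("| "))
            continue
        m = LINE_RE.match(line)
        if not m:                         # "packet from ..." and similar lines
            continue
        sa = sas.setdefault(int(m["sa"]), SaSummary(m["conn"], m["peer"]))
        msg = m["msg"]
        t = TRANSITION_RE.search(msg)
        if t:
            sa.last_state = t.group(2)
        e = ISAKMP_RE.search(msg)
        if e:
            sa.phase1 = parse_params(e["params"])
        i = IPSEC_RE.search(msg)
        if i:
            sa.phase2 = {"mode": i["mode"], **parse_params(i["params"])}
        if any(h in msg.lower() for h in ERROR_HINTS):
            sa.problems.append(msg)
    return sas, warnings


def verdict(sa: SaSummary) -> str:
    """One line per state: the phase reached, plus the last problem line if any."""
    if sa.phase2:
        reached = f"Phase 2 done ({sa.phase2['mode']} mode, {sa.phase2.get('xfrm', '?')})"
    elif sa.phase1:
        reached = f"Phase 1 done (auth={sa.phase1.get('auth')}), no IPsec SA"
    else:
        reached = f"incomplete, last state {sa.last_state}"
    if sa.problems:
        reached += f"; {len(sa.problems)} problem line(s), last: {sa.problems[-1]}"
    return reached


# Constructed sample: the PSK log from this message (trimmed).
LOG_PSK = '''
"L2TP-PSK-NAT"[1] 10.7.67.11 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"L2TP-PSK-NAT"[2] 10.7.67.11 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"L2TP-PSK-NAT"[2] 10.7.67.11 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: responding to Quick Mode proposal {msgid:f0afdbca}
| warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"L2TP-PSK-NAT"[2] 10.7.67.11 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x05335c89 <0x961dc879 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=10.7.67.11:4500 DPD=none}
'''.strip().splitlines()

# Constructed sample: the earlier NSS/RSA log from further down the thread (trimmed).
LOG_NSS = '''
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the NSS CERT (err -8177)
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
'''.strip().splitlines()

if __name__ == "__main__":
    for name, log in (("PSK", LOG_PSK), ("NSS", LOG_NSS)):
        sas, warns = summarise(log)
        print(f"== {name} ==")
        for num in sorted(sas):
            print(f"#{num}: {verdict(sas[num])}")
        for w in warns:
            print(f"debug: {w}")
```

Run against the PSK log, state #1 ends at STATE_MAIN_R3 with the ISAKMP SA established and state #2 ends at STATE_QUICK_R2 with a tunnel-mode IPsec SA established, with no problem lines; the two red "| warning: NETKEY/XFRM" lines are pluto debug warnings about transport-mode policy, not negotiation failures. Against the NSS log, state #1 still reaches the ISAKMP SA but carries the "password file contains no data" and "Can't find the private key" lines, which is the difference a quick scan of the raw log can miss.<br>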
<div class="moz-cite-prefix">On 11/29/2014 06:59 PM, Jouannic
Laurent wrote:<br>
</div>
<blockquote cite="mid:5479A707.5020904@cbsa.fr" type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
Hi Michael,<br>
<br>
No,<br>
<br>
I did it myself: my certificate with openssh with CA.sh, which is
included with openssh<br>
(but you need first to build your root CA certificate with
openssh), then:<br>
<i>theGoodPath</i>/CA.sh -request<br>
<i>theGoodPath</i>/CA.sh -sign<br>
<br>
You will get a newcert.pem and a newcert.key<br>
<br>
And then, with your newcert.pem, newcert.key and your
rootCa.pem, generate a newcert.p12 with openssh for the other
side.<br>
<br>
This is the only way I know.<br>
<br>
Good luck.<br>
<br>
Laurent<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 29/11/2014 07:18, Michael Leung wrote:<br>
</div>
<blockquote cite="mid:54796527.4070801@gmail.com" type="cite">
<meta content="text/html; charset=utf-8"
http-equiv="Content-Type">
Hi Laurent<br>
<br>
I still cannot read the private key from ipsec.secrets properly.<br>
Did you do something different?<br>
<br>
--Michael Leung<br>
<br>
<div class="moz-cite-prefix">On 11/29/2014 12:25 AM, Laurent
Jouannic wrote:<br>
</div>
<blockquote cite="mid:5478A20B.1060105@cbsa.fr" type="cite">
<meta content="text/html; charset=utf-8"
http-equiv="Content-Type">
Hi Michael,<br>
<br>
Yes I used them for a while.<br>
<br>
<u>ipsec.conf:</u><br>
<pre>conn site_A
    leftid="C=FR, ST=FRANCE, L=city1, O=XXXX, OU=YYYY, CN=common_name1, Email=common_name1@domaine.fr"
    leftsubnet=192.168.1.0/24
    leftcert=cert1.pem
    leftrsasigkey=%cert
    right=65.109.74.42
    rightsubnet=192.168.2.1/32
    rightid="C=FR, ST=Sud, L=city2, O=XXXX, OU=ZZZZ, CN=common_name2, Email=common_name2@domaine.fr"
    rightcert=cert2.pem
    rightrsasigkey=%cert
    rightca="C=FR, ST=Rhone, L=city1, O=XXXX, OU=MMMM, CN=common_name_CA, Email=common_name_CA@domaine.fr"
    auto=add
    pfs=yes
</pre>
<br>
<u>ipsec.secrets</u><br>
<pre>: RSA cert1.key "pass_phrase_for_private_key"
</pre>
<br>
<u>files:</u><br>
<pre>/etc/ipsec.d/certs/cert1.pem
/etc/ipsec.d/certs/cert2.pem
/etc/ipsec.d/private/cert1.key
/etc/ipsec.d/private/cert2.key
/etc/ipsec.d/cacerts/ca_certificate.pem
</pre>
<br>
And on the Win7 box with shrew soft:<br>
cert2.p12<br>
<br>
Cheers.<br>
<br>
Laurent<br>
<br>
<div class="moz-cite-prefix">On 28/11/2014 13:33, Michael Leung wrote:<br>
</div>
<blockquote
cite="mid:CAJ6sgmi7cbmen+TEbk=-87QmO2SYMx5Aox7nLaB4WXNe_N5C5Q@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Laurent
<div><br>
</div>
<div>Did you find out a way to let x509 work on the
latest version of openswan?</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Nov 27, 2014 at 6:40 PM,
Laurent Jouannic <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:laurent.jouannic@cbsa.fr"
target="_blank">laurent.jouannic@cbsa.fr</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Well,<br>
<br>
I'm joking a bit about old way, new way,<br>
<br>
But I've never used NSS stuff<br>
<br>
Maybe you should generate another pkcs12 file, and
when you generate it change nexus.openswan.com - HCA to
nexus.openswan.com-HCA<br>
<br>
Cheers.<br>
<br>
Laurent<br>
<br>
<div>On 27/11/2014 10:51, Michael Leung wrote:<br>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">Hi
<div><br>
</div>
<div>My user certificate is a pkcs12 one; it has to contain a private key in it,</div>
<div><br>
</div>
<div>and certutil cannot add it to its database, so I have to use pk12util
instead of certutil to insert the certificate into the NSS certification DB;
see below.</div>
<div><br>
</div>
<pre>---------------------------------
[root@opensips certs]# pk12util -n "nexus5.p12" -i /root/ipsec/CA/nexus/nexus5.p12 -d /etc/ipsec.d
Enter password for PKCS12 file:
<font color="#ff0000"><b>pk12util: no nickname for cert in PKCS12 file.</b></font>
pk12util: using nickname: nexus.openswan.com - HCA
pk12util: PKCS12 IMPORT SUCCESSFUL
-------------------------------------------------------
</pre>
<div>I have specified the nickname which can be used as a value in
<i>leftcert</i>, but it failed; pk12util will choose the nickname itself,
and unfortunately it contains spaces,</div>
<div><br>
</div>
<div>that is why I have to put them in quotation marks.</div>
<div><br>
</div>
<div>I am wondering why the old way did not work; what is your openswan version?</div>
<div><br>
</div>
<div>Mine is <i>Linux Openswan U2.6.32/K2.6.32-71.el6.x86_64 (netkey)</i></div>
<div><br>
</div>
<div>--Michael Leung</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Nov 27,
2014 at 5:23 PM, Laurent Jouannic <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:laurent.jouannic@cbsa.fr"
target="_blank">laurent.jouannic@cbsa.fr</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
I've never used NSS stuff, I'm driving the old way, freeswan's way :)<br>
<br>
Well, I found some stuff at this URL:<br>
<br>
<a moz-do-not-send="true"
href="http://sophie.zarb.org/distrib/CentOS/5/i386/rpms/openswan-doc/files/12"
target="_blank">http://sophie.zarb.org/distrib/CentOS/5/i386/rpms/openswan-doc/files/12</a><br>
<br>
NSS brings some new way:<br>
<pre>Changes in the certificates usage with Pluto
------------------------------------------------
1) ipsec.conf changes
The only change is "leftcert" field must contain the nick name of the user
cert. For example if the nickname of the user cert is "xyz", then it can be
"leftcert=xyz".
2) ipsec.secrets changes
: RSA &lt;user-cert-nick-name&gt;
You just need to provide the user cert's nick name. For example if the nickname
of the user cert is "xyz", then
: RSA xyz
There is no need to provide private key file information or its password.
3) changes in the directories in /etc/ipsec.d/ (cacerts, certs, private)
i)You need not have "private" or "certs" directory.
</pre>
<br>
So<br>
<br>
If I understood, you should have to use some <b>"</b> around your <i>leftcert_value</i><br>
<br>
: RSA "gateway.openswan.com - HCA"<br>
=&gt;<br>
: RSA gateway.openswan.com - HCA<br>
<br>
But I guess that some space ' ' isn't welcome; maybe you should change your
certificate (strip the ' ') to get gateway.openswan.com-HCA
instead of gateway.openswan.com - HCA<br>
<br>
Good luck.<br>
<br>
<br>
<br>
<div>On 27/11/2014 02:58, Michael Leung wrote:<br>
</div>
<div>
<div>
<blockquote type="cite">
<p dir="ltr">: RSA file. Key "password"</p>
<p dir="ltr">I tried this too; openswan would consider it
a nickname and then try to read it from the NSS certification
DB.</p>
<div class="gmail_quote">On Nov
26, 2014 11:25 PM, "Laurent
Jouannic" <<a
moz-do-not-send="true"
href="mailto:laurent.jouannic@cbsa.fr"
target="_blank">laurent.jouannic@cbsa.fr</a>>
wrote:<br type="attribution">
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> This line is strange, isn't it...<br>
<br>
: RSA "gateway.openswan.com - HCA"<br>
<br>
It should be like:<br>
<br>
: RSA file.key "pass"<br>
<br>
<font color="#3333ff">OR</font><br>
<br>
<pre>@ID_connection: RSA {
    # RSA 2 pow n bits debian <i>date</i>
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=<i>pubkey</i>
    #IN KEY xxxxx
    XYXYXYXYXYYXYYXY
    # blablabla
    Modulus:
    MODMOD
    PublicExponent: 51
    # everything after this point is secret
    PrivateExponent: 0xXXXXXX
    Prime1: 0xXXXXXX
    Prime2: 0xXXXXXX
    Exponent1: 0xXXXXXX
    Exponent2: 0xXXXXXX
    Coefficient: 0xXXXXXX
}
</pre>
<br>
<br>
<br>
<br>
<br>
<div>On 26/11/2014 10:35, Michael Leung wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">this is my ipsec.conf
<div><br>
</div>
<pre>version 2.0

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    dumpdir=/var/run/pluto/
    plutostderrlog=/var/log/pluto.log

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=rsasig
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport

    left=10.7.255.154
    leftsubnet=192.168.7.0/24
    leftprotoport=17/1701
    leftsendcert=always
    leftrsasigkey=%cert
    leftcert="gateway.openswan - HCC"

    right=%any
    rightprotoport=17/%any
    rightrsasigkey=%cert
</pre>
<div><br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Wed, Nov 26, 2014
at 5:15 PM,
Michael Leung <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:gbcbooksmj@gmail.com"
target="_blank">gbcbooksmj@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Hi Group
<div><br>
</div>
<div>Following is my ipsec.d/ipsec.secrets content:</div>
<pre>#------------------------------------------------------------
: RSA "gateway.openswan.com - HCA"
<font color="#ff0000">: RSA vpngateway.key "123123123ly"</font>
#--------------------------------------------------------------
</pre>
<div>After starting ipsec with <i>ipsec setup start</i>, we got this debug info:</div>
<pre>-----------------------------------
could not open host cert with nick name 'vpngateway.key' in NSS DB
"/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
-----------------------------------
</pre>
<div>I notice that my OS is CentOS 6.5; I installed openswan from the yum
repository, which means openswan has use_nss=true turned on, so I can
understand why we still have the "NSS certificate not found" output.</div>
<div><br>
</div>
<div>But what I am wondering about is that we also have this debug output:</div>
<pre>----------------------------------------
packet from 10.7.60.65:500: received Vendor ID payload [RFC 3947] method set to=109
packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 10.7.60.65:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
packet from 10.7.60.65:500: received Vendor ID payload [Dead Peer Detection]
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from unknown peer 10.7.60.65
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1, expecting MI2
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2, expecting MI3
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=nexus.openswan.com, E=supurstart@openswan.com'
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
<font color="#ff0000"><b>"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the NSS CERT (err -8177)</b></font>
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
-----------------------------------------------------------------------------
</pre>
<div>It seems openswan doesn't load the x509 certificate correctly.</div>
<div><br>
</div>
<div>I have transformed the x509 certificates to pkcs12 and imported them into the NSS DB.</div>
<pre>-------------------------------------
[root@opensips log]# certutil -L -d /etc/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                                     u,u,u
gateway.openswan - HCA                                       u,u,u
-------------------------------------
</pre>
<div>Please give me some advice.</div>
<div><br>
</div>
<div>--Michael Leung</div>
<div><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<br>
<pre>_______________________________________________
<a moz-do-not-send="true" href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>
<a moz-do-not-send="true" href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a moz-do-not-send="true" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
</div>
<br>
<br>
</blockquote>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>