[Openswan Users] Openswan 2.6.32-37.el6.x86_64 + CentOS 6.5

Madden, Joe Joe.Madden at mottmac.com
Fri Dec 5 09:03:13 EST 2014


Hi,

Your issue is:

Dec  5 10:34:13 nStest pluto[18891]:     could not open host cert with nick name 'serverCert.pem' in NSS DB

You need to import your certificate into the NSS database in /etc/ipsec.d (Red Hat).

You can do this by running the following command:

pk12util -i YourName.p12 -d /etc/ipsec.d

This will import the certificate and key. Then use certutil -L -d /etc/ipsec.d to find out the certificate nickname,

and change your configuration like so:

conn RoadWarrior_x509
       authby=rsasig
       leftrsasigkey=%cert
       rightrsasigkey=%cert
       leftcert=CertificateNickName

ipsec.conf's manual says it should also be able to pick up certificates from directories; however, I've not found this to be the case despite adding absolute paths.

Please see here for more information:

https://libreswan.org/wiki/Using_NSS_with_libreswan

Thanks,

Joe.
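A check for the mismatch Joe describes, added here as an example and not part of the thread: it reads the leftcert= value out of an ipsec.conf snippet and compares it against the nicknames that `certutil -L -d /etc/ipsec.d` lists, so a file name left in leftcert= (as in the original config) is caught before pluto logs "could not open host cert with nick name". The certutil listing and the config below are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: does the leftcert= nickname in ipsec.conf exist in the NSS DB?
# certutil is not run here; CERTUTIL_OUT is a constructed sample of what
# `certutil -L -d /etc/ipsec.d` prints (nickname, then trust flags last).
CERTUTIL_OUT='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caCert                                                       CT,,
serverCert                                                   u,u,u
'

# nss_nicknames LISTING: print one nickname per line. Only rows whose last
# field is a trust-flag triple ("CT,,", "u,u,u", ...) are certificates, so the
# header rows are skipped. Nicknames may contain spaces, so the trust field is
# stripped from the end rather than taking $1.
nss_nicknames() {
    printf '%s\n' "$1" | awk '
        $NF ~ /^[pPcCTuwW]*,[pPcCTuwW]*,[pPcCTuwW]*$/ {
            sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print
        }'
}

# conf_leftcert CONF: print the leftcert= value, tolerating spaces around "=".
conf_leftcert() {
    printf '%s\n' "$1" | awk -F= '
        $1 ~ /^[ \t]*leftcert[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }'
}

# check_leftcert CONF LISTING: 0 when the nickname is in the DB, 1 when it is
# not (the case behind pluto's "could not open host cert with nick name").
check_leftcert() {
    nick=$(conf_leftcert "$1")
    [ -n "$nick" ] || { echo "no leftcert= line found" >&2; return 2; }
    if nss_nicknames "$2" | grep -Fxq -- "$nick"; then
        echo "ok: '$nick' is in the NSS DB"
    else
        echo "missing: '$nick' is not an NSS nickname; DB has:" >&2
        nss_nicknames "$2" | sed 's/^/  /' >&2
        return 1
    fi
}

# Constructed config mirroring the thread: a file name where a nickname belongs.
CONF='conn RoadWarrior_x509
       authby=rsasig
       leftcert=serverCert.pem'
check_leftcert "$CONF" "$CERTUTIL_OUT" || true
```

On a real host, pipe the live `certutil -L -d /etc/ipsec.d` output and the real ipsec.conf into the two functions; the trust-flag regex is what separates certificate rows from certutil's header lines.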





-----Original Message-----
From: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] On Behalf Of Valentin
Sent: 05 December 2014 09:44
To: users at lists.openswan.org
Subject: [Openswan Users] Openswan 2.6.32-37.el6.x86_64 + CentOS 6.5

Hello everyone,
Sorry for my bad English, but I have a problem:
I would like to have a VPN tunnel (transport mode) using X509 certs and a roadwarrior connection.
I've tested with PSK and it works! But not with x509.
1. create directory
[root at nStest pki]# cd /etc/pki/CA
[root at nStest CA]# ll
total 40
drwxr-xr-x. 2 root root 4096  6 nov 13:36 certs
drwxr-xr-x. 2 root root 4096  6 nov 13:36 crl
-rw-r--r--. 1 root root  242  4 déc 17:15 index.txt
-rw-r--r--. 1 root root   21  4 déc 17:15 index.txt.attr
-rw-r--r--. 1 root root   21  4 déc 17:00 index.txt.attr.old
-rw-r--r--. 1 root root  112  4 déc 17:10 index.txt.old
drwxr-xr-x. 2 root root 4096  4 déc 17:15 newcerts
drwx------. 2 root root 4096  6 nov 13:36 private
-rw-r--r--. 1 root root    3  4 déc 17:15 serial
-rw-r--r--. 1 root root    3  4 déc 17:11 serial.old
nano index.txt
V       151204160041Z           02      unknown
/C=BE/ST=HA/O=xxx/OU=microelectronics/CN=test/emailAddress=test at xxx.com
V       151204161456Z           04      unknown
/C=BE/ST=HA/O=xxx/OU=microelectronics/CN=test_valentin/emailAddress=test_valentin at xxx.com
2. I generated my file following Openswan by Paul Wouters / Ken Bantoft:
# openssl req -x509 -days 3650 -newkey rsa:1024 -keyout caKey.pem -out caCert.pem
# openssl req -newkey rsa:1024 -keyout server.key -out serverReq.pem
# openssl ca -in serverReq.pem -days 365 -out serverCert.pem -notext -cert caCert.pem -keyfile caKey.pem
and I repeated
# openssl req -newkey rsa:1024 -keyout server.key -out serverReq.pem
# openssl ca -in roadwarriorReq.pem -days 365 -out roadwarriorCert.pem -notext -cert caCert.pem -keyfile caKey.pem
------------
I placed my files correctly:
[root at nStest CA]# cd /etc/ipsec.d/
[root at nStest ipsec.d]# ll
total 188
drwxr-xr-x. 2 root root  4096  4 déc 17:01 cacerts
-rw-r--r--. 1 root root  1834  4 déc 16:58 caKey.pem
-rw-------. 1 root root 65536  5 déc 09:25 cert8.db
-rw-------. 1 root root 65536 20 nov 18:23 cert8.db_old
-rw-------. 1 root root 11264  5 déc 09:25 cert9.db
drwxr-xr-x. 2 root root  4096  4 déc 17:43 certs
-rw-------. 1 root root    39  5 déc 09:31 ipsec.secrets
-rw-------. 1 root root 16384  5 déc 09:25 key3.db
-rw-------. 1 root root 17408  5 déc 09:33 key4.db
-rw-------. 1 root root   434  4 déc 18:03 pkcs11.txt
drwx------. 2 root root  4096 20 nov 18:38 policies
drwx------. 2 root root  4096  4 déc 17:43 private
-rw-------. 1 root root 16384 20 nov 16:57 secmod.db
-rw-r--r--. 1 root root  1131  4 déc 16:59 serverReq.pem
-rw-r--r--. 1 root root  1155  4 déc 17:14 valentinReq.pem
-rw-r--r--. 1 root root  3814  4 déc 17:18 winCert.p12
[root at nStest ipsec.d]# cd cacerts
[root at nStest cacerts]# ll
total 4
-rw-r--r--. 1 root root 1415  4 déc 16:58 caCert.pem
[root at nStest ipsec.d]# cd certs
[root at nStest certs]# ll
total 8
-rw-r--r--. 1 root root 1444  4 déc 17:00 serverCert.pem
-rw-r--r--. 1 root root 1468  4 déc 17:15 valentinCert.pem
[root at nStest ipsec.d]# cd private
[root at nStest private]# ll
total 8
-rw-r--r--. 1 root root 1834  4 déc 16:59 server.key
-rw-r--r--. 1 root root 1834  4 déc 17:14 valentin.key
and my ipsec.conf is (nano /etc/ipsec.conf):
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
       # klipsdebug=none
       # plutodebug="control parsing"
       # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
       protostack=netkey
       nat_traversal=yes
       virtual_private=%v4:172.17.1.0/22
       oe=off
        # Enable this if you see "failed to find any available worker"
       # nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf
conn %default
        keyingtries=3
       #failureshunt=drop
       #keylife=1h
       #ikeylifetime=8h
conn RoadWarrior_x509
       authby=rsasig
       leftrsasigkey=%cert
       rightrsasigkey=%cert
       leftcert=serverCert.pem
       auto=add
       pfs=no
        type=transport
       left=193.190.210.88
       leftprotoport=17/1701
       right=%any
       rightprotoport=17/%any
       rightca="C=*, ST=*, O=*, OU=*, CN=*, E=*"
nano /ipsec.d/ipsec.secrets
---------------------------
include /etc/ipsec.d/*.secrets
#PSK TEST 25-11-2014
193.100.100.100 %any: PSK  "MyPassForPSK" #for PSK tunnel
: RSA serverKey.pem # for ... X509 ??
After:
I used the command on page 124 to convert to PKCS#12 and I imported the CA and my valentin.p12 in mmc on Windows 7: the personal cert, and the CA into the trusted root certificate authorities.
BUT... when I input my username and my password from chap-secrets, I have an error... (already in the ipsec)
[root at nStest private]# ipsec setup restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: ERROR: Module xfrm4_mode_transport is in use
ipsec_setup: ERROR: Module esp4 is in use
ipsec_setup: Starting Openswan IPsec U2.6.38dr2/K2.6.32-431.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
In /var/log/secure:
-----------------------
Dec  5 10:34:11 nStest pluto[18622]: shutting down
Dec  5 10:34:11 nStest pluto[18622]: forgetting secrets
Dec  5 10:34:11 nStest pluto[18622]: "RoadWarrior_x509": deleting connection
Dec  5 10:34:11 nStest pluto[18622]: shutting down interface lo/lo ::1:500
Dec  5 10:34:11 nStest pluto[18622]: shutting down interface lo/lo 127.0.0.1:4500
Dec  5 10:34:11 nStest pluto[18622]: shutting down interface lo/lo 127.0.0.1:500
Dec  5 10:34:11 nStest pluto[18622]: shutting down interface eth0/eth0 172.17.6.254:4500
Dec  5 10:34:11 nStest pluto[18622]: shutting down interface eth0/eth0 172.17.6.254:500
Dec  5 10:34:11 nStest pluto[18622]: shutting down interface eth1/eth1 193.190.210.88:4500
Dec  5 10:34:11 nStest pluto[18622]: shutting down interface eth1/eth1 193.190.210.88:500
Dec  5 10:34:13 nStest ipsec__plutorun: Starting Pluto subsystem...
Dec  5 10:34:13 nStest pluto[18891]: nss directory plutomain: /etc/ipsec.d
Dec  5 10:34:13 nStest pluto[18891]: NSS Initialized
Dec  5 10:34:13 nStest pluto[18891]: Starting Pluto (Openswan Version 2.6.38dr2; Vendor ID OEKpRpA\177v[kY) pid:18891
Dec  5 10:34:13 nStest pluto[18891]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec  5 10:34:13 nStest pluto[18891]: LEAK_DETECTIVE support [disabled]
Dec  5 10:34:13 nStest pluto[18891]: OCF support for IKE [disabled]
Dec  5 10:34:13 nStest pluto[18891]: SAref support [disabled]: Protocol not available
Dec  5 10:34:13 nStest pluto[18891]: SAbind support [disabled]: Protocol not available
Dec  5 10:34:13 nStest pluto[18891]: NSS support [enabled]
Dec  5 10:34:13 nStest pluto[18891]: HAVE_STATSD notification support not compiled in
Dec  5 10:34:13 nStest pluto[18891]: Setting NAT-Traversal port-4500 floating to on
Dec  5 10:34:13 nStest pluto[18891]:    port floating activation criteria nat_t=1/port_float=1
Dec  5 10:34:13 nStest pluto[18891]:    NAT-Traversal support  [enabled]
Dec  5 10:34:13 nStest pluto[18891]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec  5 10:34:13 nStest pluto[18891]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec  5 10:34:13 nStest pluto[18891]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec  5 10:34:13 nStest pluto[18891]: starting up 3 cryptographic helpers
Dec  5 10:34:13 nStest pluto[18891]: started helper (thread) pid=140297936140032 (fd:7)
Dec  5 10:34:13 nStest pluto[18891]: started helper (thread) pid=140297858184960 (fd:9)
Dec  5 10:34:13 nStest pluto[18891]: started helper (thread) pid=140297847695104 (fd:11)
Dec  5 10:34:13 nStest pluto[18891]: Using Linux 2.6 IPsec interface code on 2.6.32-431.el6.x86_64 (experimental code)
Dec  5 10:34:13 nStest pluto[18891]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec  5 10:34:13 nStest pluto[18891]: ike_alg_add(): ERROR: Algorithm already exists
Dec  5 10:34:13 nStest pluto[18891]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec  5 10:34:13 nStest pluto[18891]: ike_alg_add(): ERROR: Algorithm already exists
Dec  5 10:34:13 nStest pluto[18891]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec  5 10:34:13 nStest pluto[18891]: Changed path to directory '/etc/ipsec.d/cacerts'
Dec  5 10:34:13 nStest pluto[18891]:   loaded CA cert file 'caCert.pem' (1415 bytes)
Dec  5 10:34:13 nStest pluto[18891]: Could not change to directory '/etc/ipsec.d/aacerts': /
Dec  5 10:34:13 nStest pluto[18891]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Dec  5 10:34:13 nStest pluto[18891]: Could not change to directory '/etc/ipsec.d/crls'
Dec  5 10:34:13 nStest pluto[18891]: loading certificate from serverCert.pem
Dec  5 10:34:13 nStest pluto[18891]:     could not open host cert with nick name 'serverCert.pem' in NSS DB
Dec  5 10:34:13 nStest pluto[18891]: added connection description "RoadWarrior_x509"
Dec  5 10:34:13 nStest pluto[18891]: listening for IKE messages
Dec  5 10:34:13 nStest pluto[18891]: adding interface eth1/eth1 193.190.210.88:500
Dec  5 10:34:13 nStest pluto[18891]: adding interface eth1/eth1 193.190.210.88:4500
Dec  5 10:34:13 nStest pluto[18891]: adding interface eth0/eth0 172.17.6.254:500
Dec  5 10:34:13 nStest pluto[18891]: adding interface eth0/eth0 172.17.6.254:4500
Dec  5 10:34:13 nStest pluto[18891]: adding interface lo/lo 127.0.0.1:500
Dec  5 10:34:13 nStest pluto[18891]: adding interface lo/lo 127.0.0.1:4500
Dec  5 10:34:13 nStest pluto[18891]: adding interface lo/lo ::1:500
Dec  5 10:34:13 nStest pluto[18891]: loading secrets from "/etc/ipsec.secrets"
Dec  5 10:34:13 nStest pluto[18891]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Dec  5 10:34:13 nStest pluto[18891]:     could not open host cert with nick name '/etc/ipsec.d/private/server.key' in NSS DB
Dec  5 10:34:13 nStest pluto[18891]: "/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
Dec  5 10:34:13 nStest pluto[18891]:     could not open host cert with nick name 'serverKey.pem' in NSS DB
Dec  5 10:34:13 nStest pluto[18891]: "/etc/ipsec.secrets" line 5: NSS certficate not found
When I connect my Windows:
Dec  5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Dec  5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: received Vendor ID payload [RFC 3947] method set to=109
Dec  5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Dec  5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: ignoring Vendor ID payload [FRAGMENTATION]
Dec  5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec  5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec  5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: ignoring Vendor ID payload [IKE CGA version 1]
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: responding to Main Mode from unknown peer 193.100.100.100
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=HA, O=xxx, OU=microelectronics, CN=test_valentin, E=test_valentin at xxx.com'
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: no crl from issuer "C=BE, ST=HA, L=Mons, O=xxx, OU=microelectronics, CN=test, E=test at xxx.com" found (strict=no)
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: no suitable connection for peer 'C=BE, ST=HA, O=xxx, OU=microelectronics, CN=test_valentin, E=test_valentin at xxx.com'
Dec  5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: sending encrypted notification INVALID_ID_INFORMATION to 193.100.100.100:500
Dec  5 10:36:11 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=HA, O=xxx, OU=microelectronics, CN=test_valentin, E=test_valentin at xxx.com'
Dec  5 10:36:11 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: no crl from issuer "C=BE, ST=HA, L=Mons, O=xxx, OU=microelectronics, CN=test, E=test at xxx.com" found (strict=no)
Dec  5 10:36:11 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: no suitable connection for peer 'C=BE, ST=HA, O=xxx, OU=microelectronics, CN=test_valentin, E=test_valentin at xxx.com'
Dec  5 10:36:11 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: sending encrypted notification INVALID_ID_INFORMATION to 193.100.100.100:500
Where is the problem?
I think it is in the NSS db. (I've been on a Unix system for more or less just one week...)
Thank you very much
