[Openswan Users] can not load private key which is in ipsec.d/private

Michael Leung gbcbooksmj at gmail.com
Wed Nov 26 04:15:56 EST 2014


Hi Group



The following is my ipsec.d/ipsec.secrets content
#------------------------------------------------------------
: RSA "gateway.openswan.com - HCA"
: RSA vpngateway.key "123123123ly"
#--------------------------------------------------------------

After starting with ipsec setup start

we got this debug info
-----------------------------------
    could not open host cert with nick name 'vpngateway.key' in NSS DB
"/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
-----------------------------------

I notice that my OS is CentOS 6.5. I installed openswan from the yum
repository, which means openswan has use_nss=true turned on, so I can
understand why we still have the NSS certificate not found output.

But what I am wondering about is

we also have this debug output

----------------------------------------
packet from 10.7.60.65:500: received Vendor ID payload [RFC 3947] method
set to=109
packet from 10.7.60.65:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
packet from 10.7.60.65:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
packet from 10.7.60.65:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
packet from 10.7.60.65:500: ignoring Vendor ID payload [FRAGMENTATION
80000000]
packet from 10.7.60.65:500: received Vendor ID payload [Dead Peer Detection]
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from unknown peer
10.7.60.65
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1, expecting MI2
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): no NAT detected
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2, expecting MI3
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is ID_DER_ASN1_DN:
'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=nexus.openswan.com, E=
supurstart at openswan.com'
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
*"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the NSS
CERT (err -8177)*
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2 to
state STATE_MAIN_R3
"L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha
group=modp1024}

-----------------------------------------------------------------------------

It seems openswan doesn't load the x509 certificate correctly.

I have transformed the x509 certificate to pkcs12 and imported it into the NSS DB.

-------------------------------------
[root at opensips log]# certutil -L -d /etc/ipsec.d/

Certificate Nickname                                         Trust
Attributes

 SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                       u,u,u
gateway.openswan - HCA                           u,u,u
-------------------------------------

Please give me some advice.


--Michael Leung
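A small consistency check of the kind this thread calls for, added here as an example and not part of the original post or of Openswan: it cross-references the RSA entries in ipsec.secrets against the certificate nicknames that certutil -L reports, so a reference that looks like a key file name, or a nickname that does not match the DB entry character for character, is flagged before ipsec is started. The sample inputs below are constructed from the listings in the post; the `.key`/`.pem` file-name heuristic is an assumption of this example.

```python
import re
import difflib

# Constructed sample modelled on the ipsec.secrets shown in the post.
SECRETS = (
    ': RSA "gateway.openswan.com - HCA"\n'
    ': RSA vpngateway.key "123123123ly"\n'
)

# Constructed sample modelled on the `certutil -L -d /etc/ipsec.d/` listing.
CERTUTIL_LISTING = (
    "Certificate Nickname                                         Trust Attributes\n"
    "                                                             SSL,S/MIME,JAR/XPI\n"
    "\n"
    "nexus.openswan.com - HCA                                     u,u,u\n"
    "gateway.openswan - HCA                                       u,u,u\n"
)

# ": RSA <ref> [passphrase]" where <ref> is a quoted NSS nickname or a bare token.
RSA_LINE = re.compile(r'^\s*:\s*RSA\s+(?:"([^"]*)"|(\S+))')
# certutil data line: nickname, two or more spaces, trust attributes.
DB_LINE = re.compile(r'^(\S.*?)\s{2,}(\S+)\s*$')

def secrets_nicknames(text):
    """Return (line number, key reference) pairs from ipsec.secrets."""
    refs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RSA_LINE.match(line)
        if m:
            refs.append((lineno, m.group(1) if m.group(1) is not None else m.group(2)))
    return refs

def nss_nicknames(listing):
    """Return certificate nicknames from certutil -L output; header lines are skipped."""
    return [m.group(1) for m in map(DB_LINE.match, listing.splitlines())
            if m and not m.group(1).startswith("Certificate Nickname")]

def check_secrets(secrets_text, listing_text):
    """Flag every RSA reference that is not an exact NSS nickname, with a reason."""
    db = nss_nicknames(listing_text)
    findings = []
    for lineno, ref in secrets_nicknames(secrets_text):
        if ref in db:
            continue
        close = difflib.get_close_matches(ref, db, n=1, cutoff=0.6)
        if ref.endswith((".key", ".pem")):  # heuristic: a file name, not a nickname
            reason = "looks like a key file name; with use_nss=true this must be an NSS nickname"
        elif close:
            reason = "not in NSS DB; closest nickname is '%s'" % close[0]
        else:
            reason = "not in NSS DB"
        findings.append((lineno, ref, reason))
    return findings

if __name__ == "__main__":
    for lineno, ref, reason in check_secrets(SECRETS, CERTUTIL_LISTING):
        print("ipsec.secrets line %d: '%s': %s" % (lineno, ref, reason))
```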