[Openswan Users] can not load private key which is in ipsec.d/private
Michael Leung
gbcbooksmj at gmail.com
Wed Nov 26 06:49:54 EST 2014
Hi all,
I have figured out why my Openswan got this issue.
My NSS certificate DB has a password to open itself, and I left
/etc/ipsec.d/nsspassword empty. Indeed, we need to write the NSS
certificate DB password into it, or else leave the NSS certificate DB's
password empty, so that Openswan can read the private key from the NSS
certificate DB.
-------------------------------------------------
But why does my Openswan only work with PKCS#12 certificates? X.509
certificates are not loaded properly.
No matter which certificate I define in *leftcert=*, it will read that
string from the NSS certificate DB, and then you see the error
could not open host cert with nick name
'/etc/ipsec.d/private/vpngateway.key' in NSS DB
"/etc/ipsec.d/ipsec.secrets" line 5: NSS certficate not found
in the debug output.
And the same with the private key, which should be in the path ipsec.d/private/.
--Michael Leung
On Wed, Nov 26, 2014 at 5:36 PM, Michael Leung <gbcbooksmj at gmail.com> wrote:
> Sorry,
>
> update:
>
> leftcert="gateway.openswan - HCC"
>
> leftcert="gateway.openswan - HCA"
>
> On Wed, Nov 26, 2014 at 5:35 PM, Michael Leung <gbcbooksmj at gmail.com>
> wrote:
>
>> This is my ipsec.conf:
>>
>> version 2.0
>>
>> config setup
>> protostack=netkey
>> nat_traversal=yes
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>> oe=off
>> dumpdir=/var/run/pluto/
>> plutostderrlog=/var/log/pluto.log
>>
>> conn L2TP-PSK-NAT
>> rightsubnet=vhost:%priv
>> also=L2TP-PSK-noNAT
>>
>> conn L2TP-PSK-noNAT
>> authby=rsasig
>> pfs=no
>> auto=add
>> keyingtries=3
>> rekey=no
>> ikelifetime=8h
>> keylife=1h
>> type=transport
>>
>> left=10.7.255.154
>> leftsubnet=192.168.7.0/24
>> leftprotoport=17/1701
>> leftsendcert=always
>> leftrsasigkey=%cert
>> leftcert="gateway.openswan - HCC"
>>
>> right=%any
>> rightprotoport=17/%any
>> rightrsasigkey=%cert
>>
>>
>> On Wed, Nov 26, 2014 at 5:15 PM, Michael Leung <gbcbooksmj at gmail.com>
>> wrote:
>>
>>> Hi Group,
>>>
>>>
>>>
>>> Following is my ipsec.d/ipsec.secrets content:
>>> #------------------------------------------------------------
>>> : RSA "gateway.openswan.com - HCA"
>>> : RSA vpngateway.key "123123123ly"
>>> #--------------------------------------------------------------
>>>
>>> After running ipsec setup start, we got this debug info:
>>> -----------------------------------
>>> could not open host cert with nick name 'vpngateway.key' in NSS DB
>>> "/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
>>> -----------------------------------
>>>
>>> I notice that my OS is CentOS 6.5; I installed Openswan from the yum
>>> repository, which means Openswan has use_nss=true turned on, so I can
>>> understand why we still have the "NSS certificate not found" output.
>>>
>>> But what I am wondering about is:
>>>
>>> we also have this debug output
>>>
>>> ----------------------------------------
>>> packet from 10.7.60.65:500: received Vendor ID payload [RFC 3947]
>>> method set to=109
>>> packet from 10.7.60.65:500: received Vendor ID payload
>>> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
>>> packet from 10.7.60.65:500: received Vendor ID payload
>>> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
>>> packet from 10.7.60.65:500: received Vendor ID payload
>>> [draft-ietf-ipsec-nat-t-ike-00]
>>> packet from 10.7.60.65:500: ignoring Vendor ID payload [FRAGMENTATION
>>> 80000000]
>>> packet from 10.7.60.65:500: received Vendor ID payload [Dead Peer
>>> Detection]
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from unknown
>>> peer 10.7.60.65
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R0 to
>>> state STATE_MAIN_R1
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC 3947
>>> (NAT-Traversal): no NAT detected
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1 to
>>> state STATE_MAIN_R2
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is ID_DER_ASN1_DN:
>>> 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=nexus.openswan.com, E=
>>> supurstart at openswan.com'
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
>>> *"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the
>>> NSS CERT (err -8177)*
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2 to
>>> state STATE_MAIN_R3
>>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
>>> established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha
>>> group=modp1024}
>>>
>>>
>>> -----------------------------------------------------------------------------
>>>
>>> It seems Openswan doesn't load the X.509 certificate correctly.
>>>
>>> I have converted the X.509 certificates to PKCS#12 and imported them into the NSS DB.
>>>
>>> -------------------------------------
>>> [root at opensips log]# certutil -L -d /etc/ipsec.d/
>>>
>>> Certificate Nickname                         Trust Attributes
>>>                                              SSL,S/MIME,JAR/XPI
>>>
>>> nexus.openswan.com - HCA                     u,u,u
>>> gateway.openswan - HCA                       u,u,u
>>> -------------------------------------
>>>
>>> Please give me some advice.
>>>
>>>
>>> --Michael Leung
>>>
>>
>
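As an added example that is not part of the original thread and is not Openswan's own code, the POSIX shell script below checks offline for the two things the thread turns on: a leftcert= or ": RSA <name>" value that names a file path (with use_nss=true Openswan looks the string up as an NSS nickname and never opens a file, which is why '/etc/ipsec.d/private/vpngateway.key' ends in "NSS certficate not found"), and an empty /etc/ipsec.d/nsspassword in front of a password-protected NSS DB ("password file contains no data", err -8177). The certutil listing inside it is constructed to match the shape of the thread's certutil -L -d /etc/ipsec.d/ output, and the .key/.pem/.crt/.p12 file-name heuristic is this example's assumption, not an Openswan rule.

```sh
#!/bin/sh
# Added example for this thread; not code from the original post or from
# Openswan. Offline sanity checks for the two failure modes described above:
#   1. leftcert= or ": RSA <name>" in ipsec.secrets naming a file path. With
#      use_nss=true the value is looked up as an NSS nickname, never opened as
#      a file, so "/etc/ipsec.d/private/vpngateway.key" yields
#      "NSS certficate not found".
#   2. A password-protected NSS DB with an empty /etc/ipsec.d/nsspassword,
#      which shows up as "password file contains no data" and err -8177.
# SAMPLE_LISTING is constructed to match the shape of the thread's
# `certutil -L -d /etc/ipsec.d/` output; the .key/.pem/.crt/.p12 heuristic in
# nss_reference_kind is this example's assumption, not an Openswan rule.

SAMPLE_LISTING='Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                          u,u,u
gateway.openswan - HCA                            u,u,u'

# nick_in_listing NICK LISTING
# Exit 0 when NICK is exactly one of the certificate nicknames in LISTING.
# certutil prints "<nickname>   <trust>", and the nickname itself may contain
# spaces ("gateway.openswan - HCA"), so strip the trailing trust column
# (letters,letters,letters) rather than splitting on whitespace.
nick_in_listing() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/ {
            sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, "")
            if ($0 == want) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# nss_reference_kind VALUE
# Prints "file-path" for values that look like a certificate or key file
# (assumed heuristic) and "nickname" otherwise.
nss_reference_kind() {
    case $1 in
        /*|*.key|*.pem|*.crt|*.p12) echo file-path ;;
        *)                          echo nickname ;;
    esac
}

# nsspassword_state FILE
# Prints "empty" when FILE is missing or zero-length, otherwise "present".
nsspassword_state() {
    if [ -s "$1" ]; then echo present; else echo empty; fi
}

# check_host_cert NICK LISTING PASSWORD_FILE
# Prints "ok" and exits 0, or prints the first problem found and exits 1
# (bad certificate reference) or 2 (reference fine, password file empty).
check_host_cert() {
    if [ "$(nss_reference_kind "$1")" = file-path ]; then
        echo "error: '$1' is a file path; with NSS, leftcert= and ipsec.secrets must use a certutil nickname"
        return 1
    fi
    if ! nick_in_listing "$1" "$2"; then
        echo "error: no certificate with nickname '$1' in the NSS DB listing (compare certutil -L spelling)"
        return 1
    fi
    if [ "$(nsspassword_state "$3")" = empty ]; then
        echo "warning: '$3' is empty; if the NSS DB has a password, the private key cannot be unlocked"
        return 2
    fi
    echo ok
}

# Walk the three values that appear in the thread against the constructed
# listing and a deliberately missing password file.
for ref in '/etc/ipsec.d/private/vpngateway.key' \
           'gateway.openswan - HCC' \
           'gateway.openswan - HCA'; do
    check_host_cert "$ref" "$SAMPLE_LISTING" /nonexistent/nsspassword || true
done
```

Run as-is to see the three outcomes; on a real host, replace SAMPLE_LISTING with the live certutil -L -d /etc/ipsec.d/ output and pass /etc/ipsec.d/nsspassword as the password file. Note that the thread uses three different spellings ('gateway.openswan - HCC' in ipsec.conf, 'gateway.openswan.com - HCA' in ipsec.secrets, 'gateway.openswan - HCA' in the certutil listing); the nickname check fails on exactly that kind of mismatch. Since nsspassword holds the DB password in the clear, keep it owned by and readable only by root.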