[Openswan Users] can not load private key which is in ipsec.d/private

Laurent Jouannic laurent.jouannic at cbsa.fr
Wed Nov 26 09:40:15 EST 2014


This line is strange, isn't it...

: RSA "gateway.openswan.com - HCA"

It should be like:

: RSA file.key "pass"

OR

@ID_connection: RSA       {
         # RSA 2 pow n bits   debian /date/
         # for signatures only, UNSAFE FOR ENCRYPTION
         #pubkey=/pubkey/
         #IN KEY  xxxxx XYXYXYXYXYYXYYXY
         # blablabla
         Modulus: MODMOD
         PublicExponent: 51
         # everything after this point is secret
         PrivateExponent: 0xXXXXXX
         Prime1: 0xXXXXXX
         Prime2: 0xXXXXXX
         Exponent1: 0xXXXXXX
         Exponent2: 0xXXXXXX
         Coefficient: 0xXXXXXX
         }

On 26/11/2014 10:35, Michael Leung wrote:
> this is my ipsec.conf
>
> version 2.0
>
> config setup
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>         oe=off
>         dumpdir=/var/run/pluto/
>         plutostderrlog=/var/log/pluto.log
>
> conn L2TP-PSK-NAT
>         rightsubnet=vhost:%priv
>         also=L2TP-PSK-noNAT
>
> conn L2TP-PSK-noNAT
>         authby=rsasig
>         pfs=no
>         auto=add
>         keyingtries=3
>         rekey=no
>         ikelifetime=8h
>         keylife=1h
>         type=transport
>
>         left=10.7.255.154
>         leftsubnet=192.168.7.0/24
>         leftprotoport=17/1701
>         leftsendcert=always
>         leftrsasigkey=%cert
>         leftcert="gateway.openswan - HCC"
>
>         right=%any
>         rightprotoport=17/%any
>         rightrsasigkey=%cert
>
>
> On Wed, Nov 26, 2014 at 5:15 PM, Michael Leung <gbcbooksmj at gmail.com> wrote:
>
>     Hi Group,
>
>     Following is my ipsec.d/ipsec.secrets content:
>     #------------------------------------------------------------
>     : RSA "gateway.openswan.com - HCA"
>     : RSA vpngateway.key "123123123ly"
>     #--------------------------------------------------------------
>
>     After running ipsec setup start, we got this debug info:
>     -----------------------------------
>         could not open host cert with nick name 'vpngateway.key' in NSS DB
>     "/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
>     -----------------------------------
>
>     I notice that my OS is CentOS 6.5; I installed Openswan from the yum
>     repository, which means Openswan has use_nss=true turned on, so I
>     can understand why we still get the "NSS certificate not found" output.
>
>     But what I am wondering about is this:
>
>     we also have this debug output
>
>     ----------------------------------------
>     packet from 10.7.60.65:500: received
>     Vendor ID payload [RFC 3947] method set to=109
>     packet from 10.7.60.65:500: received
>     Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
>     already using method 109
>     packet from 10.7.60.65:500: received
>     Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
>     already using method 109
>     packet from 10.7.60.65:500: received
>     Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>     packet from 10.7.60.65:500: ignoring
>     Vendor ID payload [FRAGMENTATION 80000000]
>     packet from 10.7.60.65:500: received
>     Vendor ID payload [Dead Peer Detection]
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from
>     unknown peer 10.7.60.65
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state
>     STATE_MAIN_R0 to state STATE_MAIN_R1
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1,
>     expecting MI2
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC
>     3947 (NAT-Traversal): no NAT detected
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state
>     STATE_MAIN_R1 to state STATE_MAIN_R2
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2,
>     expecting MI3
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is
>     ID_DER_ASN1_DN: 'C=CN, ST=Guangd, O=HCA, OU=HCA,
>     CN=nexus.openswan.com,
>     E=supurstart at openswan.com'
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
>     *"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from
>     the NSS CERT (err -8177)*
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state
>     STATE_MAIN_R2 to state STATE_MAIN_R3
>     "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP
>     SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha
>     group=modp1024}
>
>     -----------------------------------------------------------------------------
>
>     It seems Openswan doesn't load the X.509 certificate correctly.
>
>     I have transformed the X.509 certificate to PKCS#12 and imported it
>     into the NSS DB.
>
>     -------------------------------------
>     [root at opensips log]# certutil -L -d /etc/ipsec.d/
>
>     Certificate Nickname                      Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
>     nexus.openswan.com - HCA                  u,u,u
>     gateway.openswan - HCA                    u,u,u
>     -------------------------------------
>
>     Please give me some advice.
>
>
>     --Michael Leung
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
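
An added diagnostic check, not from the thread or from Openswan itself: it cross-references the nicknames that ipsec.secrets and leftcert= refer to against the nicknames present in the NSS database, using sample inputs constructed from the values quoted above (the real certutil -L listing would be fed in instead of the CERTUTIL variable).

```shell
# Cross-check every certificate nickname that ipsec.secrets and ipsec.conf
# refer to against the nicknames present in the NSS DB (certutil -L output).
# The three inputs are constructed from the values quoted in this thread.
SECRETS=': RSA "gateway.openswan.com - HCA"
: RSA vpngateway.key "123123123ly"'
CONF='conn L2TP-PSK-noNAT
        authby=rsasig
        leftcert="gateway.openswan - HCC"'
CERTUTIL='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
nexus.openswan.com - HCA                      u,u,u
gateway.openswan - HCA                        u,u,u'

# Nicknames named by ": RSA" lines. With NSS a bare token such as
# vpngateway.key is also looked up as a nickname, so capture it too.
secrets_nicks() {
    printf '%s\n' "$1" | sed -n -e 's/^: *RSA *"\([^"]*\)".*/\1/p' \
                                -e 's/^: *RSA *\([^" ][^" ]*\).*/\1/p'
}

# Nicknames named by leftcert= / rightcert= in ipsec.conf.
conf_nicks() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*[lr][a-z]*cert="\([^"]*\)".*/\1/p'
}

# Nicknames listed by certutil -L: name, padding, then trust flags such as u,u,u.
nss_nicks() {
    printf '%s\n' "$1" |
        sed -n 's/^\(.*[^[:space:]]\)[[:space:]][[:space:]]*[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/\1/p'
}

# Print each referenced nickname missing from the DB; exit status = how many.
check_nicknames() {
    refs=$( secrets_nicks "$1"; conf_nicks "$2" )
    have=$( nss_nicks "$3" )
    bad=0
    while IFS= read -r n; do
        [ -n "$n" ] || continue
        if ! printf '%s\n' "$have" | grep -qxF -e "$n"; then
            echo "MISSING in NSS DB: '$n'"
            bad=$((bad + 1))
        fi
    done <<EOF
$refs
EOF
    return $bad
}

check_nicknames "$SECRETS" "$CONF" "$CERTUTIL" || echo "$? nickname(s) to fix"
```

With the thread's values all three references are reported missing: the secrets nickname carries a ".com" the DB entry lacks, vpngateway.key is not a nickname in the DB at all, and leftcert says HCC where the DB says HCA.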
