[Openswan Users] can not load private key which is in ipsec.d/private
Laurent Jouannic
laurent.jouannic at cbsa.fr
Wed Nov 26 04:33:59 EST 2014
Hi,
Check:
-the spelling of th filename,
-the directory, the vpngateway.key should be in /etc/ipsec.d/private
-the owner, the 'properties' of reading, writing, etc...
good luck.
Laurent
Le 26/11/2014 10:15, Michael Leung a écrit :
> HI Group
>
>
>
> following is my ipsec.d/ipsec.secrets content
> #------------------------------------------------------------
> : RSA "gateway.openswan.com <http://gateway.openswan.com> - HCA"
> : RSA vpngateway.key "123123123ly"
> #--------------------------------------------------------------
>
> after starting ipsec setup start
>
> we got debug info
> -----------------------------------
> could not open host cert with nick name 'vpngateway.key' in NSS DB
> "/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
> -----------------------------------
>
> i notice that my OS is Centos 6.5 , i installed openswan from yum
> repository , which means openswan have turn use_nss=true on, so i can
> understand why we still have NSS certificate not found output
>
> but for which i am wondering is
>
> we also have this debug output
>
> ----------------------------------------
> packet from 10.7.60.65:500 <http://10.7.60.65:500>: received Vendor ID
> payload [RFC 3947] method set to=109
> packet from 10.7.60.65:500 <http://10.7.60.65:500>: received Vendor ID
> payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
> method 109
> packet from 10.7.60.65:500 <http://10.7.60.65:500>: received Vendor ID
> payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
> method 109
> packet from 10.7.60.65:500 <http://10.7.60.65:500>: received Vendor ID
> payload [draft-ietf-ipsec-nat-t-ike-00]
> packet from 10.7.60.65:500 <http://10.7.60.65:500>: ignoring Vendor ID
> payload [FRAGMENTATION 80000000]
> packet from 10.7.60.65:500 <http://10.7.60.65:500>: received Vendor ID
> payload [Dead Peer Detection]
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from unknown
> peer 10.7.60.65
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R0
> to state STATE_MAIN_R1
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC 3947
> (NAT-Traversal): no NAT detected
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1
> to state STATE_MAIN_R2
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is ID_DER_ASN1_DN:
> 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=nexus.openswan.com
> <http://nexus.openswan.com>, E=supurstart at openswan.com
> <mailto:supurstart at openswan.com>'
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
> *"L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the
> NSS CERT (err -8177)*
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2
> to state STATE_MAIN_R3
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
> established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha
> group=modp1024}
>
> -----------------------------------------------------------------------------
>
> seems openswan dont load x509 certificate correctly
>
> i have transform x509 certificate to pkcs12 , and import them to NSS DB.
>
> -------------------------------------
> [root at opensips log]# certutil -L -d /etc/ipsec.d/
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> nexus.openswan.com <http://nexus.openswan.com> - HCA
> u,u,u
> gateway.openswan - HCA u,u,u
> -------------------------------------
>
> please give me some advice.
>
>
> --Michael Leung
>
>
>
>
>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20141126/3254fdbd/attachment.html>
More information about the Users
mailing list