[Openswan Users] can not load private key which is in ipsec.d/private

Michael Leung gbcbooksmj at gmail.com
Wed Nov 26 20:41:59 EST 2014


Hi Laurent
Thanks for your reply, I have fixed this issue already.
On Nov 27, 2014 3:14 AM, "Laurent Jouannic" <laurent.jouannic at cbsa.fr>
wrote:

>  Hi,
>
> Check:
> -the spelling of the filename,
> -the directory, the vpngateway.key should be in /etc/ipsec.d/private
> -the owner, the 'properties' of reading, writing, etc...
>
> good luck.
>
> Laurent
>
> On 26/11/2014 10:15, Michael Leung wrote:
>
> Hi Group,
>
> The following is my ipsec.d/ipsec.secrets content:
> #------------------------------------------------------------
> : RSA "gateway.openswan.com - HCA"
> : RSA vpngateway.key "123123123ly"
> #--------------------------------------------------------------
>
> After running `ipsec setup start`
>
> we get this debug output:
>  -----------------------------------
>      could not open host cert with nick name 'vpngateway.key' in NSS DB
> "/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
>  -----------------------------------
>
> I notice that my OS is CentOS 6.5; I installed openswan from the yum
> repository, which means openswan has use_nss=true turned on, so I can
> understand why we still get the "NSS certificate not found" output.
>
> But what I am wondering about is
>
> that we also get this debug output:
>
>  ----------------------------------------
>  packet from 10.7.60.65:500: received Vendor ID payload [RFC 3947] method
> set to=109
> packet from 10.7.60.65:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
> packet from 10.7.60.65:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> packet from 10.7.60.65:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
> packet from 10.7.60.65:500: ignoring Vendor ID payload [FRAGMENTATION
> 80000000]
> packet from 10.7.60.65:500: received Vendor ID payload [Dead Peer
> Detection]
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from unknown peer
> 10.7.60.65
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R0 to
> state STATE_MAIN_R1
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC 3947
> (NAT-Traversal): no NAT detected
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1 to
> state STATE_MAIN_R2
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is ID_DER_ASN1_DN:
> 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=nexus.openswan.com, E=
> supurstart at openswan.com'
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the NSS
> CERT (err -8177)
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2 to
> state STATE_MAIN_R3
> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
> established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha
> group=modp1024}
>
>
> -----------------------------------------------------------------------------
>
> It seems openswan doesn't load the x509 certificate correctly.
>
> I have converted the x509 certificate to pkcs12 and imported it into the NSS DB:
>
>  -------------------------------------
> [root@opensips log]# certutil -L -d /etc/ipsec.d/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> nexus.openswan.com - HCA                                     u,u,u
> gateway.openswan - HCA                                       u,u,u
> -------------------------------------
>
>  please give me some advice.
>
>
>  --Michael Leung
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
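The failure in the quoted log is a lookup mismatch, not a file-permission problem: with use_nss=true the token after `: RSA` in ipsec.secrets is treated as a certificate nickname in the NSS database under /etc/ipsec.d, so `vpngateway.key` is searched for as a nickname, and `gateway.openswan.com - HCA` does not match the nickname `gateway.openswan - HCA` that `certutil -L` actually shows. The following script, an added example that is not part of this thread or of Openswan's code, cross-checks every `: RSA` entry against the nicknames parsed from `certutil -L` output and flags entries that look like file names or that do not exist in the DB. The ipsec.secrets and certutil samples are constructed in the shape of the ones posted above, with a placeholder passphrase.

```python
"""Cross-check `: RSA` entries in ipsec.secrets against the certificate
nicknames present in an NSS database (constructed example, not Openswan code).

With use_nss=true the token after `: RSA` is looked up as an NSS certificate
nickname, not opened as a file under /etc/ipsec.d/private.
"""
import difflib
import re

# Constructed sample in the shape of the post's /etc/ipsec.d/ipsec.secrets;
# the passphrase is a placeholder, not the one from the post.
SAMPLE_SECRETS = """\
#------------------------------------------------------------
: RSA "gateway.openswan.com - HCA"
 : RSA vpngateway.key "example-passphrase"
#--------------------------------------------------------------
"""

# Constructed sample in the shape of `certutil -L -d /etc/ipsec.d/` output.
SAMPLE_CERTUTIL_L = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                                     u,u,u
gateway.openswan - HCA                                       u,u,u
"""

# certutil prints trust flags as three comma-separated groups (SSL, S/MIME,
# code signing) drawn from the letters p,P,c,C,T,u,w.
_TRUST = r"[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*"
_CERT_LINE = re.compile(r"^(\S.*?)\s{2,}(" + _TRUST + r")\s*$")
_RSA_LINE = re.compile(r"^:\s*RSA\s+(.*)$")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_nss_nicknames(listing):
    """Map each certificate nickname in `certutil -L` output to its trust flags."""
    nicks = {}
    for line in listing.splitlines():
        m = _CERT_LINE.match(line)
        if m:
            nicks[m.group(1)] = m.group(2)
    return nicks


def parse_rsa_secrets(text):
    """Return (line_no, key_reference, passphrase_or_None) per `: RSA` entry.

    Inline keys (`: RSA { ... }`) are skipped; they do not name a nickname.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RSA_LINE.match(line)
        if not m or m.group(1).startswith("{"):
            continue
        toks = [q if q else bare for q, bare in _TOKEN.findall(m.group(1))]
        if toks:
            entries.append((no, toks[0], toks[1] if len(toks) > 1 else None))
    return entries


def check_secrets(secrets_text, certutil_listing):
    """Classify each RSA entry as 'ok', 'filename' or 'missing' (with a hint)."""
    nicks = parse_nss_nicknames(certutil_listing)
    findings = []
    for no, ref, _passphrase in parse_rsa_secrets(secrets_text):
        if ref in nicks:
            findings.append((no, ref, "ok", None))
        elif "/" in ref or re.search(r"\.(key|pem|der|p12)$", ref):
            # A file name is still looked up as a nickname under use_nss=true,
            # which is what produces "could not open host cert with nick name".
            findings.append((no, ref, "filename", None))
        else:
            close = difflib.get_close_matches(ref, list(nicks), n=1, cutoff=0.6)
            findings.append((no, ref, "missing", close[0] if close else None))
    return findings


if __name__ == "__main__":
    for no, ref, status, hint in check_secrets(SAMPLE_SECRETS, SAMPLE_CERTUTIL_L):
        msg = f"ipsec.secrets line {no}: {ref!r}: {status}"
        if hint:
            msg += f" (did you mean {hint!r}?)"
        print(msg)
```

On a real host, feed it the output of `certutil -L -d /etc/ipsec.d` and the live ipsec.secrets. Two further checks worth doing by hand: `certutil -K -d /etc/ipsec.d` lists the private keys in the DB, which confirms the PKCS#12 import brought the key along with the certificate; and err -8177 is NSS's SEC_ERROR_BAD_PASSWORD, which together with "password file contains no data" indicates the DB has a token password that Openswan could not read from /etc/ipsec.d/nsspassword.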