[Openswan Users] can not load private key which is in ipsec.d/private

Michael Leung gbcbooksmj at gmail.com
Wed Nov 26 20:58:48 EST 2014


: RSA file.key "password"

I tried this too; openswan would consider it a nickname and then try to
read it from the NSS certificate DB.
On Nov 26, 2014 11:25 PM, "Laurent Jouannic" <laurent.jouannic at cbsa.fr>
wrote:

> This line is strange, isn't it?
>
> : RSA "gateway.openswan.com - HCA"
>
> It should be like:
>
> : RSA file.key "pass"
>
> OR
>
> @ID_connection: RSA       {
>         # RSA 2 pow n bits   debian   *date*
>         # for signatures only, UNSAFE FOR ENCRYPTION
>         #pubkey=*pubkey*
>         #IN KEY  xxxxx
> XYXYXYXYXYYXYYXY
>         # blablabla
>         Modulus:
>     MODMOD
>         PublicExponent: 51
>         # everything after this point is secret
>         PrivateExponent: 0xXXXXXX
>         Prime1: 0xXXXXXX
>         Prime2: 0xXXXXXX
>         Exponent1: 0xXXXXXX
>         Exponent2: 0xXXXXXX
>         Coefficient: 0xXXXXXX
>         }
>
>
>
>
>
> On 26/11/2014 10:35, Michael Leung wrote:
>
> this is my ipsec.conf
>
> version 2.0
>
> config setup
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>         oe=off
>         dumpdir=/var/run/pluto/
>         plutostderrlog=/var/log/pluto.log
>
> conn L2TP-PSK-NAT
>         rightsubnet=vhost:%priv
>         also=L2TP-PSK-noNAT
>
> conn L2TP-PSK-noNAT
>         authby=rsasig
>         pfs=no
>         auto=add
>         keyingtries=3
>         rekey=no
>         ikelifetime=8h
>         keylife=1h
>         type=transport
>
>         left=10.7.255.154
>         leftsubnet=192.168.7.0/24
>         leftprotoport=17/1701
>         leftsendcert=always
>         leftrsasigkey=%cert
>         leftcert="gateway.openswan - HCC"
>
>         right=%any
>         rightprotoport=17/%any
>         rightrsasigkey=%cert
>
>
> On Wed, Nov 26, 2014 at 5:15 PM, Michael Leung <gbcbooksmj at gmail.com>
> wrote:
>
>> Hi Group,
>>
>>
>>
>> Following is my ipsec.d/ipsec.secrets content:
>> #------------------------------------------------------------
>> : RSA "gateway.openswan.com - HCA"
>> : RSA vpngateway.key "123123123ly"
>> #--------------------------------------------------------------
>>
>> After running ipsec setup start
>>
>>  we got debug info
>>  -----------------------------------
>>      could not open host cert with nick name 'vpngateway.key' in NSS DB
>> "/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
>>  -----------------------------------
>>
>> I notice that my OS is CentOS 6.5; I installed openswan from the yum
>> repository, which means openswan has use_nss=true turned on, so I can
>> understand why we still have the "NSS certificate not found" output.
>>
>> But what I am wondering about is that we also have this debug output:
>>
>>  ----------------------------------------
>> packet from 10.7.60.65:500: received Vendor ID payload [RFC 3947] method set to=109
>> packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
>> packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
>> packet from 10.7.60.65:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>> packet from 10.7.60.65:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
>> packet from 10.7.60.65:500: received Vendor ID payload [Dead Peer Detection]
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: responding to Main Mode from unknown peer 10.7.60.65
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=Guangd, O=HCA, OU=HCA, CN=nexus.openswan.com, E=supurstart at openswan.com'
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: I am sending my cert
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: password file contains no data
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: Can't find the private key from the NSS CERT (err -8177)
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> "L2TP-PSK-NAT"[1] 10.7.60.65 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
>>
>>
>> -----------------------------------------------------------------------------
>>
>> It seems openswan doesn't load the X.509 certificate correctly.
>>
>> I have converted the X.509 certificate to PKCS#12 and imported it into the NSS DB.
>>
>>  -------------------------------------
>> [root at opensips log]# certutil -L -d /etc/ipsec.d/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> nexus.openswan.com - HCA                                     u,u,u
>> gateway.openswan - HCA                                       u,u,u
>>  -------------------------------------
>>
>> Please give me some advice.
>>
>>
>>  --Michael Leung
>>
>>
>>
>>
>>
>>
>>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
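The thread turns on one name being looked up in three places: leftcert= in ipsec.conf, the ": RSA <key> [passphrase]" line in ipsec.secrets (which, as Michael notes, an NSS build treats as a certificate nickname rather than a file), and the nickname column of certutil -L. The script below is an added example, not code from the thread or from Openswan; it cross-checks those three sources and reports every name that cannot be resolved. It assumes the certutil -L output layout shown above (two header lines, a blank line, then one entry per line with the trust attributes as the last column) and reads that listing from a saved file so it runs offline. The sample files it writes are constructed from the values posted in the thread, with the passphrase replaced by a placeholder; the file names ipsec.conf, ipsec.secrets and certutil.txt under a temporary directory are the script's own.

```sh
#!/bin/sh
# check_nicknames.sh: added example, not part of the thread or of Openswan.
# Cross-checks the certificate name that Openswan's NSS build looks up in
# three places: leftcert= in ipsec.conf, the ": RSA <key> [passphrase]" lines
# in ipsec.secrets (with NSS the <key> is treated as the certificate
# nickname), and the nicknames listed by `certutil -L -d /etc/ipsec.d`.
# The listing is read from a saved file so that the script runs offline;
# the sample files below are constructed from the values posted in the thread.
set -u

# Nicknames referenced by leftcert= in ipsec.conf, surrounding quotes removed.
conf_nicknames() {
  sed -n 's/^[[:space:]]*leftcert=//p' "$1" | sed 's/^"\(.*\)"$/\1/'
}

# The <key> token of every ": RSA ..." entry in ipsec.secrets: a quoted string
# (which may contain spaces) or a bare word; the passphrase after it is ignored.
# The inline "{ ... }" key form has no nickname and is skipped.
secrets_nicknames() {
  sed -n 's/^[^:#]*:[[:space:]]*RSA[[:space:]]\{1,\}//p' "$1" |
  while IFS= read -r rest; do
    case $rest in
      '{'*) continue ;;
      '"'*) printf '%s\n' "$rest" | sed 's/^"\([^"]*\)".*/\1/' ;;
      *)    set -- $rest; printf '%s\n' "$1" ;;
    esac
  done
}

# Nicknames from a saved certutil -L listing: skip the two header lines and the
# blank line after them, then drop the trailing trust-attribute column.
nssdb_nicknames() {
  awk 'NR > 3 && NF > 0 { sub(/[ \t]+[^ \t]+$/, ""); print }' "$1"
}

# True when $1 appears as a whole line in the newline-separated list $2.
in_list() { printf '%s\n' "$2" | grep -Fqx -- "$1"; }

# Print every name that cannot be resolved; return 0 only if all names agree.
check_nicknames() {
  nss=$(nssdb_nicknames "$3")
  sec=$(secrets_nicknames "$2")
  problems=$(
    conf_nicknames "$1" | while IFS= read -r want; do
      in_list "$want" "$nss" ||
        printf 'leftcert "%s" is not a nickname in the NSS DB\n' "$want"
      in_list "$want" "$sec" ||
        printf 'leftcert "%s" has no ": RSA" entry in ipsec.secrets\n' "$want"
    done
    printf '%s\n' "$sec" | while IFS= read -r ref; do
      [ -z "$ref" ] || in_list "$ref" "$nss" ||
        printf 'ipsec.secrets refers to "%s", which is not in the NSS DB\n' "$ref"
    done
    true
  )
  [ -z "$problems" ] && return 0
  printf '%s\n' "$problems"
  return 1
}

# Write constructed sample files into $1.  The certutil listing is copied from
# the thread; $2 becomes leftcert, $3 the quoted nickname in ipsec.secrets, and
# an optional $4 a second file-style ": RSA <file> <passphrase>" entry.
write_samples() {
  dir=$1
  printf 'conn L2TP-PSK-noNAT\n\tauthby=rsasig\n\tleftrsasigkey=%%cert\n\tleftcert="%s"\n' "$2" > "$dir/ipsec.conf"
  printf ': RSA "%s"\n' "$3" > "$dir/ipsec.secrets"
  if [ $# -ge 4 ]; then
    printf ': RSA %s "passphrase"\n' "$4" >> "$dir/ipsec.secrets"   # placeholder passphrase
  fi
  cat > "$dir/certutil.txt" <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

nexus.openswan.com - HCA                                     u,u,u
gateway.openswan - HCA                                       u,u,u
EOF
}

# Run the check against the three names seen in the thread.
demo() {
  tmp=$(mktemp -d)
  write_samples "$tmp" "gateway.openswan - HCC" "gateway.openswan.com - HCA" vpngateway.key
  check_nicknames "$tmp/ipsec.conf" "$tmp/ipsec.secrets" "$tmp/certutil.txt" &&
    echo "all nicknames agree"
  rm -rf "$tmp"
}
case "${1:-}" in --demo) demo ;; esac
```

Run it with --demo to see the report for the names in the thread, or point check_nicknames at the real files after saving the output of certutil -L -d /etc/ipsec.d to a file. The check only compares names: it does not tell you whether the private key was imported alongside the certificate (certutil -K -d /etc/ipsec.d lists the keys in the DB), and NSS error -8177 is SEC_ERROR_BAD_PASSWORD, so the "password file contains no data" lines in the log need to be looked at on their own even once every name agrees.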